Modeling and Analysis of Architectural Exceptions
Fernando Castor Filho ({fernando}@ic.unicamp.br), Patrick Henrique da S. Brito ({patrick.silva}@ic.unicamp.br), Cecília Mary F. Rubira ({cmrubira}@ic.unicamp.br)
Institute of Computing – UNICAMP - Brazil
FM’2005 Workshop on Rigorous Engineering of Fault-Tolerant Systems, REFT’2005, Newcastle upon Tyne, July 19th 2005
REFT'2005 - July 19th 2005 2
Exception Handling
• Popular mechanism for structuring forward error recovery in software systems
• Exceptions can be derived incrementally at different phases of development:
  • Requirements
  • Architecture
  • Detailed Design
  • Implementation
Exceptions at the Architectural Level
• A system’s exceptional activity should be addressed since the early phases of development
• In recent years, many approaches combining software architecture and exception handling have been proposed
• There hasn’t been much focus on the description of exceptions at the architectural level
• This may be required for systems with strict dependability requirements such as commercial applications, control systems, and so on.
An Air-Traffic Control System Example
[Figure: layered view of an air-traffic control system, with double-headed arrows labelled "Exceptions" between the layers. Layers shown: M&C Console, G.A.M, Local/Group A.M., ATC Console, A.S.O.U, O/S E. A. S., Network Operating System, Processor I/O Devices, Attachments.]
Source: Bass, Clements, and Kazman, Software Architecture in Practice, 2nd Edition, 2003.
Some interesting questions...
What does a double-headed arrow mean?
What are the exceptions that each component signals and handles?
Are there any relevant cause-effect relationships?
Is this analyzable?
Problem
To describe software architectures so that it is possible to reason about the flow of exceptions at the architectural level
Requirements of the Solution
1. Easy to use (pictorial representation)
2. Integrated with the concept of architectural style
3. Precise (unambiguous)
4. Analyzable
5. Capable of expressing rules of existing exception handling models
Alloy Design Language
• Lightweight formal method
• Similar to Z (less expressive but supports automated analysis)
• Support for complex data structures
• Declarative
• Alloy constraint analyzer
• Easy to use
• Requirements 3-5
Proposed Framework: Aereal
• Documentation
• Analysis of stylistic constraints
• Exception flow analysis
[Figure: an Architecture Description Extended with Exceptions, together with "Normal" Architectural Styles and "Exceptional" Architectural Styles, passes through a Translation step that produces an Arch. Description + Exception Flow View. The diagram labels the notations involved as ACME and Alloy.]
Elements of the Model
• Components: Signals, Raises, Encounters, Handles, SignalsTo, CatchesFrom, PortMap, …
• Ducts: Signals, Raises, Encounters, CatchesFrom, SignalsTo, …
• Exceptions
An Example
[Figure: two components, CoalFeederController and AirFlowController, connected by Duct1.]
An Example
GENERIC MODEL
sig Component {
  Signals : Exception -> Duct,
  SignalsTo : set Duct,
  …
}
sig Duct {
  Encounters : set Exception,
  CatchesFrom : one Component,
  …
}
INSTANTIATION
sig AirFlowCtr extends Component {}
sig Duct1 extends Duct {}
sig AirFlowActuatorTimeout extends Exception {}
fact SystemStructure {
  AirFlowCtr.SignalsTo = Duct1
  Duct1.CatchesFrom = AirFlowCtr
  …
}
fact ExceptionFlow {
  AirFlowCtr.Signals = AirFlowActuatorTimeout -> Duct1
  Duct1.Encounters = AirFlowActuatorTimeout
  …
}
Properties of Interest
• Basic EH mechanism properties
• Desirable EH properties
• Application-specific properties
Verified using the Alloy Analyzer. Violations of properties generate graphical counter-examples.
Examples of Properties
• Exceptions encountered by a component and not handled or propagated are signaled
• If a component raises an exception, it must also signal the exception
• The exceptions encountered by a component are all the exceptions signaled by ducts in the component’s CatchesFrom set
• No useless handlers
Example: No useless handlers
pred no_useless_handlers() {
  all C : Component | all D : C.CatchesFrom |
    D.(C.Handles) in D.(C.Encounters) &&
    D.(C.Encounters) <: (D.(C.Propagates)) = D.(C.Propagates)
}
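To make the model and the properties concrete, the following Python checker is an added example, not code from the slides or from Aereal. It encodes the AirFlowCtr / Duct1 instance from the instantiation slide and tests the four properties listed under "Examples of Properties" against it, reporting violations as (property, component, detail) triples. Unlike the Alloy Analyzer, which searches for counter-examples across all instances within a scope, it only inspects the one hand-built instance it is given. The concrete field types, Raises as a set of exceptions, the CatchesFrom, Handles and Propagates relations on components being keyed by duct (as the predicate's D.(C.X) navigation suggests), the CoalFeederCtr handler, and the CoalFeederJam exception are all assumptions made for this example.

```python
# Added example (not from the slides): a plain-Python checker for the four
# exception-flow properties on the "Examples of Properties" slide, run over
# a constructed instance shaped like the AirFlowCtr / Duct1 Alloy model.
# It checks one instance only; the Alloy Analyzer searches a whole scope.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Duct:
    name: str
    catches_from: str                                   # CatchesFrom : one Component
    signals_to: set[str] = field(default_factory=set)   # assumed: components the duct delivers to
    signals: set[str] = field(default_factory=set)      # exceptions the duct signals onward
    encounters: set[str] = field(default_factory=set)   # Encounters : set Exception


@dataclass
class Component:
    name: str
    raises: set[str] = field(default_factory=set)               # assumed: Raises : set Exception
    signals: set[tuple[str, str]] = field(default_factory=set)  # Signals : Exception -> Duct
    signals_to: set[str] = field(default_factory=set)           # SignalsTo : set Duct
    catches_from: set[str] = field(default_factory=set)         # CatchesFrom : set Duct
    # Duct -> Exception relations keyed by duct name (assumed from D.(C.X) in the predicate)
    encounters: dict[str, set[str]] = field(default_factory=dict)
    handles: dict[str, set[str]] = field(default_factory=dict)
    propagates: dict[str, set[str]] = field(default_factory=dict)


def check_properties(components: dict[str, Component],
                     ducts: dict[str, Duct]) -> list[tuple[str, str, str]]:
    """Return sorted (property, component, detail) triples for each violated
    property; an empty list means the instance satisfies all four."""
    violations = []
    for c in components.values():
        signaled = {exc for exc, _duct in c.signals}
        # "If a component raises an exception, it must also signal the exception"
        for exc in c.raises - signaled:
            violations.append(("raises_implies_signals", c.name, exc))
        for d_name in c.catches_from:
            duct = ducts[d_name]
            enc = c.encounters.get(d_name, set())
            han = c.handles.get(d_name, set())
            prop = c.propagates.get(d_name, set())
            # "The exceptions encountered by a component are all the exceptions
            #  signaled by ducts in the component's CatchesFrom set"
            if enc != duct.signals:
                violations.append(("encounters_equal_duct_signals", c.name, d_name))
            # "Exceptions encountered by a component and not handled or
            #  propagated are signaled"
            for exc in enc - han - prop - signaled:
                violations.append(("unhandled_must_be_signaled", c.name, exc))
            # "No useless handlers": handled or propagated only if encountered,
            # i.e. the Handles-in-Encounters and <: conjuncts of the predicate
            for exc in (han | prop) - enc:
                violations.append(("no_useless_handlers", c.name, exc))
    return sorted(violations)


def boiler_instance(flawed: bool = False):
    """Constructed instance: AirFlowCtr signals AirFlowActuatorTimeout over
    Duct1 to CoalFeederCtr, which handles it. With flawed=True two defects
    are injected: AirFlowCtr raises but never signals the timeout, and
    CoalFeederCtr installs a handler for CoalFeederJam, which never arrives."""
    air = Component("AirFlowCtr",
                    raises={"AirFlowActuatorTimeout"},
                    signals=set() if flawed else {("AirFlowActuatorTimeout", "Duct1")},
                    signals_to={"Duct1"})
    duct1 = Duct("Duct1", catches_from="AirFlowCtr", signals_to={"CoalFeederCtr"},
                 signals={"AirFlowActuatorTimeout"}, encounters={"AirFlowActuatorTimeout"})
    handled = {"AirFlowActuatorTimeout"} | ({"CoalFeederJam"} if flawed else set())
    coal = Component("CoalFeederCtr",
                     catches_from={"Duct1"},
                     encounters={"Duct1": {"AirFlowActuatorTimeout"}},
                     handles={"Duct1": handled})
    return {c.name: c for c in (air, coal)}, {duct1.name: duct1}


if __name__ == "__main__":
    for flawed in (False, True):
        label = "flawed" if flawed else "sound"
        print(label, check_properties(*boiler_instance(flawed)))
```

The sound instance yields no violations; the flawed one reports the unsignaled raise on AirFlowCtr and the useless CoalFeederJam handler on CoalFeederCtr, which is the textual analogue of the counter-example the Alloy Analyzer would draw.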
Future Directions
• Model coordinated exception handling
• Technical report describing the whole model
• Extend the implementation of Aereal in order to automatically compute the sets of exceptions that are caught and signaled