How To Troubleshoot Collaboration Apps for the Modern Connected Worker
Modeling and Testing When Unpredictability Becomes the Pattern
1. 1
On Modeling and Testing!
When Unpredictability Becomes the Pattern
Benoit Baudry and Benoit Combemale
(with the help and the slides of Mathieu Acher, Olivier Barais, Arnaud
Blouin, Johann Bourcier, Jean-Marc Jézéquel, and Noël Plouzeau)
Keynote at CIEL 2013, April 2nd, 2013
http://people.irisa.fr/Benoit.Combemale/ciel2013
2. Triskell research group
2
Triskell team (env. 40 people)
- 8 faculty members
- 1 Research Engineer
- ~20 PhD students
- ~3 Software Engineers
- ~2 Post doc
5. Our vision:
Aspect Oriented Model Driven Engineering
5
Distribution
Fault tolerance
Security
Functional behavior
Book
state : String
User
borrow
return
deliver
setDamaged
reser
ve
Use case model
Platform
Model
Design
Model
Code
Model
AOMDE = Pleonasm because
a Model is an Abstraction of an Aspect
of Reality for a given Purpose
Change one Aspect and
Automatically Re-Weave:
From Software Product Lines…
..to Dynamically Adaptive Systems
"DSLs are far more prevalent
than anticipated"
[Hutchinson et al., ICSE’11]
6. The Kermeta Language Workbench [SoSyM’13]
• Offer a generic solution covering most model manipulation needs
• Goals:
• Design of DSML: modular and safe
• Implementation of DSML: scalable, interoperable and efficient @ runtime
Editors
(textuals, graphicals, …)
Documentation generators
Test generators
Simulators
Analyzers
Refactoring
Checkers
(static & dynamics)
Translators
Compilers
Code generators
Etc.
7. The Kermeta Language Workbench [SoSyM’13]
• Modular design of DSMLs
• One meta-language per language concern (require)
• Ecore, OCL, Kermeta Action Language
• But also: QVTo, fUML, Alf, Ket, Xsd…
• Static introduction mechanism (aspect)
• Efficient implementation of DSMLs
• Mashup of the meta-languages to efficient bytecode
• Integrated with third-party tools (EMF compliant)
• Current investigations: precise metamodeling, modeling in the
large, language family, multi-platforms, model comprehension…
MDE for SLE; and SLE for MDE
-
7
13. Context
• Complex (Adaptive) Software-intensive Systems
• Cyber-Physical Systems,
• System of Systems, Ultra Large-scale System,
• Smart City, Smart Building, Home automation,
• Internet of Services, and Internet of Things…
Openness (from requirements to runtime)
The whole life cycle of systems are unpredictable!
How fit systematic “patterns” introduced by SE approaches?
Future of Modeling and Testing?
13
15. The vision shaped!
15
"In Yellowstone's geyser basins,
unpredictability is the pattern.
Old Faithful's relatively predictable intervals
are the exception."
16. Objectives of the talk
• Propose a vision for modeling and testing,
where unpredictability IS the pattern
• Explore the relationships between research
fields and provide an original corresponding
survey
• Present some of the current relative challenges,
projects, initiatives, standards, etc.
16
Subjective authors' point of view * !!
* No possible damage for your health
17. On Modeling and Testing!
When Unpredictability Becomes the Pattern
17
Unpredictability
as a Pattern
Imposed
Unpredictability
Heterogeneity
Management
Variability
Management
Chosen
Unpredictability
Software
Diversification
19. Model Driven Engineering…
19
Distribution
« Service Provider
Manager »
Notification
Alternate Manager
« Recovery Block
Manager »
Complaint
Recovery Block
Manager
« Service
Provider
Manager »
Notification
Manager
« Service Provider
Manager »
Complaint Alternate
Manager
« Service
Provider
Manager »
Complaint
Manager
« Acceptance
Test Manager »
Notification
Acceptance Test
Manager
« Acceptance
Test Manager »
Complaint
Acceptance Test
Manager
« Recovery
Block Manager »
Notification
Recovery Block
Manager
« Client »
User Citizen
Manager
Fault tolerance
Roles
Activities
Views
Contexts
Security
Functional behavior
Book
state : StringUser
borrow
return
deliver
setDamaged
reser
ve
Use case model
Platform
Model
Design
Model
Code
Model
20. MDE… to Support Variability @ Design Time
20
Distribution
« Service Provider
Manager »
Notification
Alternate Manager
« Recovery Block
Manager »
Complaint
Recovery Block
Manager
« Service
Provider
Manager »
Notification
Manager
« Service Provider
Manager »
Complaint Alternate
Manager
« Service
Provider
Manager »
Complaint
Manager
« Acceptance
Test Manager »
Notification
Acceptance Test
Manager
« Acceptance
Test Manager »
Complaint
Acceptance Test
Manager
« Recovery
Block Manager »
Notification
Recovery Block
Manager
« Client »
User Citizen
Manager
Fault tolerance
Roles
Activities
Views
Contexts
Security
Functional behavior
Book
state : StringUser
borrow
return
deliver
setDamaged
reser
ve
Use case model
Platform
Model
Design
Model
Code
Model
34. MDE… to Support Variability @ Run Time
34
Distribution
« Service Provider
Manager »
Notification
Alternate Manager
« Recovery Block
Manager »
Complaint
Recovery Block
Manager
« Service
Provider
Manager »
Notification
Manager
« Service Provider
Manager »
Complaint Alternate
Manager
« Service
Provider
Manager »
Complaint
Manager
« Acceptance
Test Manager »
Notification
Acceptance Test
Manager
« Acceptance
Test Manager »
Complaint
Acceptance Test
Manager
« Recovery
Block Manager »
Notification
Recovery Block
Manager
« Client »
User Citizen
Manager
Fault tolerance
Roles
Activities
Views
Contexts
Security
Functional behavior
Book
state : StringUser
borrow
return
deliver
setDamaged
reser
ve
Use case model
Platform
Model
Design
Model
Code
Model
Change one Aspect and
Automatically Re-Weave:
From AORE, SPL to DAS
35. Example of Home-automation!
Many Different Needs 1/2
Picture(from(http://www.apt.gc.ca(
• Living(at(home(
• Motion(troubles(
• Memory(loss(
• Speaks(French((only)(
• Home(equiped(with(:(
• LonWorks((lights)(
• Velux((shutters)(
Mrs. Dupont
35
40. Towards more complex DDAS
• Distributed Dynamic Adaptive Software (DDAS)
development:
• Adaptation logic often embedded into application logic
• Adaptation logic hard-coded using low-level APIs
• Readability, maintainability, and communication with other
stakeholder not easy
• Exponential growth of possible configurations
• Convergence with Dynamic Software Product Lines
• N features, N tending to be larger and larger
• 2N potential program configurations, 2N x (2N-1) transitions
40
41. " Explosion of the number of possible configurations of Entimid
# 1014 possible configurations! $ 1028 transitions!
" Dynamic Adaptation
# Evolution of the handicap
# Houses should be configured remotely
# No service interruption
" Reliability
# Safe migration path from a valid configuration to another valid
configuration
# Performance issue (time) not critical
Challenges
41
42. • Focus on variability, not on configurations
• Build (derive) configurations when needed
• JIT, On demand at runtime, caching…
• Validate configurations before actual adaptation
• Automate the reconfiguration process
Hyper-Agility with a DSPL Approach
42
43. Variability and SE
43
Component Based
Software Engineering
Dynamic Adaptation
Aspect-Oriented
Modeling
[Medvidovic et al’02]
[Kiczales et al’97]
OSGi, Fractal,!
OpenCOM, etc
[France et al’04]
[Rashid et al’02]
[Taylor et al’09]
[Garlan et al.'04]
[Oreizy et al.'98]
[Huebscher et al'08]
[Heineman
et al’01]
[Crnkovic et al’02]
44. Handling Variability with MDE
• (D)SPL approach to tame
• The combinatorial explosion of configurations
• The quadratic explosion of transitions
• AOM to automatically build configuration
• Runtime validation before adapting the running system
• Simple roll-back
• Models@Runtime to automate reconfiguration
• Generation of safe reconfiguration scripts 44
46. 46
Architecture Metamodel
- component, port, binding, etc
- invariants
Reflection model
(source)
Woven model
(target)
Conforms to
Analyzer The running system
adapts
Strong synchronization
introspection + listeners
Delayed synchronization
Validation
Reasoning)
Context info.
Context
model
Design-
models
Models@runtime: !
Using MDE technology at runtime
47. (FP7 STREP) DiVA Technical Approach
• Separate the application-specific functionality from the
adaptation concerns in requirements: (D)SPL
• Feature Model, decorated with Quality Attributes
• Reasoner works with (context x Feature Model QA)
• Associate fragments of architecture to Features
• aka advice, + where it can be woven: aka pointcut
• Model driven techniques
• used to raise the level of abstraction of the model of the context
• updated with CEP
• model composition (aspect weaving)
• To compose new architectures on the fly
• Model Based Validation
• automatic generation of platform reconfiguration script
47
48. % Heterogeneity management with notion of NodeType
% Java Node, Dalvik Node, Arduino Node, Cloud Node (Jails/*BSD, JCloud, mini-
cloud, EC2)
% Component-based
% Component, Port, Channel, Node, Group, ...
% Actor semantics on each port to separate component behavior
% Communication semantics between components using channels
% Hot (re-)deploy & provisioning
% Models@Runtime in a Distributed Context
% Shared model representation for distributed nodes
% Offline & online operation, compute@Model level, apply @Runtime
% Reconfiguration using platform mecanisns, from classLoader, DLL to reflashing
% Publications
% A Dynamic Component Model for Cyber Physical Systems François Fouquet; Olivier Barais; Noël Plouzeau; Jean-Marc Jézéquel;
Brice Morin; Franck Fleurey 15th Int. ACM SIGSOFT Symposium on Component Based Software Engineering, Jul 2012, Italy.
% Dissemination of reconfiguration policies on mesh networks François Fouquet; Erwan Daubert; Noël Plouzeau; Olivier Barais;
Johann Bourcier; Jean-Marc Jézéquel DAIS 2012, Jun 2012, Stockholm, Sweden.
48
Model@Runtime platform !
for distributed dynamic adaptive system
(kevoree.org)
49. Model@Runtime platform !
for distributed dynamic adaptive system
• From low power
nodes…
• Arduino
• … to Clouds
• EC2 etc.
• DAUM platform
• Tactical
Information
System
• for civil security
• Sensors on
firefighters,
tablets, cloud…
Triskell private heterogeneous cloud
49
(kevoree.org)
52. Complex Software-Intensive Systems
• deal with multiple concerns
require global analysis and execution
• integrate heterogeneous parts
require global service
• manage evolution of concerns and the emergence
of new concerns
require evolution and creation of tools and methods for
software development
52
56. MDE… to Support Heterogeneity
Distribution
« Service Provider
Manager »
Notification
Alternate Manager
« Recovery Block
Manager »
Complaint
Recovery Block
Manager
« Service
Provider
Manager »
Notification
Manager
« Service Provider
Manager »
Complaint Alternate
Manager
« Service
Provider
Manager »
Complaint
Manager
« Acceptance
Test Manager »
Notification
Acceptance Test
Manager
« Acceptance
Test Manager »
Complaint
Acceptance Test
Manager
« Recovery
Block Manager »
Notification
Recovery Block
Manager
« Client »
User Citizen
Manager
Fault tolerance
Roles
Activities
Views
Contexts
Security
Functional behavior
Book
state : StringUser
borrow
return
deliver
setDamaged
reser
ve
Use case model
Platform
Model
Design
Model
Code
Model
Change one Aspect and
Automatically Re-Weave:
From AORE, SPL to DAS
56
AOMDE = Pleonasm because
a Model is an Abstraction of an
Aspect of Reality for a given Purpose
57. Aspect Oriented Modeling
• Separation of concerns in a model
• A concern is not necessarily cross-cutting
• Model composition
• Build a global view from a set of concern models
• AOM is a wide domain
• Captures a large variety of modeling practices
• A large number of composition approaches (e.g., Kompose,
ModMap, Geko, SmartAdapter@Runtime…)
58. (Naive) MDA vs. (AO) MDE
• From Transformation to Composition
• Similar to goto vs. proper loop concept in language
• Or assembly language vs. high-level languages
59. => Software Language Engineering
• The separation of concerns…
Modularization [Parnas72] to allow the structure of the product to resemble
the structure of the organization that designed it [Conway68]
• … at the language level
Domain-Specific (Modeling) Language (DSML) should serve to implement a
solution in terms of a problem (socio-technical coordination [Herbsleb07]).
• requires to manage the interactions between languages
to avoid social isolation and non sharing information (as observed for example
in the use of APIs [Souza04])
59
60. At some point in the software lifecycle…
• Interoperable and Collaborative Models
60
The Village Metaphor
A. Vallecillo. “A Journey through the Secret Life of Models“.
Dagstuhl seminar on Model Engineering of Complex Systems (MECS), Aug. 2008.
61. Across the software life cycle…
• Executable, Composable and Intuitive Models (i.e.,
runware) from design to run time
the two-way tunnel-digging
61
The tunnel digging analogy
[Harel et al., SoSyM’12]
62. Challenges
• Model Driven Engineering
& Software Language Engineering
• Language relationships should be capitalized
from transformation to composition
• Global model coordination and analysis
from design to runtime
62
63. Executable Metamodeling
• Effective environments for the design and
implementation of executable domain specific
languages (e.g., Kermeta at Inria)
• BUT these environments do not allow the
integration of heterogeneous models of
computation (concurrence, communication…)
63
64. Models of Computation
• Effective environments to deal with the execution
and analysis of models based on heterogeneous
models of computation (e.g., Ptolemy at UC
Berkeley, ModHel’X at Supélec)
• BUT these environments do not allow adaptation
to specific business/application domains
64
65. Heterogeneity and SE
65
Metamodeling
Global Software Engineering
Models of
Computation
[Schmidt'06]
[Winskel’87]
[Karsai’03]
[Lee and
Sangiovanni’98]
[Eker et al.’03]
[Jantsch'04]
[Lédeczi'01]
[Clarke'02]
[Atkinson'06]
[Straw’04]
[Herbsleb'01]
[Souza'04]
[Conway’68]
[Boehm’84]
69. The GEMOC Initiative is born!
An open initiative to
• coordinate (between members)
• disseminate (on behalf the members)
worldwide R&D efforts on the globalization of
modeling languages
http://gemoc.org
• Funded by complementary and successive projects
• IP left to PCA of each projects
69
70. ANR INS GEMOC (2012-2016)
"A Language Workbench for Heterogeneous Modeling and Analysis of
Complex Software-Intensive Systems »
Tools and methods for the definition and coordination of
executable heterogeneous modeling languages over
heterogeneous models of computation
http://gemoc.org/ins
71. GlobalDSL 2013
First International Workshop on
The Globalization of Domain Specific Languages
July 2nd, 2013, Montpellier, France
co-located with ECMFA, ECOOP and ECSA 2013
• Topics of interest include composability, interoperability, modularity,
reuse, and variability of programming/modeling languages
• Submit on Easychair before April 8, 2013!
http://gemoc.org/globaldsl2013
71
72. From imposed to chosen Unpredictability
72
Domain
System
Variability
Domain
Domain
Domain
System
Heterogeneity
Software diversification to operationalize
unpredictability from design to runtime
74. N-version programming
74
version 1
version 2
version 3
version 1
version 2
version 3
input
vote
output
Algirdas Avizienis: The N-Version Approach to Fault-Tolerant
Software. IEEE Trans. Software Eng. 11(12): 1491-1501 (1985)
Safety
76. Instruction set randomization
76
Encryption Key
Compile
Load
In memory
Execution
Decryption Key
Randomized instruction set emulation!
EG Barrantes, DH Ackley, S Forrest, D Stefanović!
ACM Transactions on Information and System Security (TISSEC) 8 (1), 3-40
Security
78. Loop perforation
• unsound transformation
• still useful
78
source
code
instrumented
binary
Compile
In memory
Execution
Instrumentation
running
program
Monitoring and
perforation
Sasa Misailovic, Stelios Sidiroglou, Henry Hoffmann, Martin C. Rinard
Quality of service profiling. ICSE (1) 2010: 25-34
QoS
79. Test cases diversity
• In a large set of test cases
• select the ones that are most diverse
• intuition: they’re more likely to test different parts of the
program
• trade-off testing cost / bug detection
79
Hadi Hemmati, Lionel C. Briand, Andrea Arcuri, Shaukat Ali: An enhanced test case selection
approach for model-based testing: an industrial case study. SIGSOFT FSE 2010: 267-276
Fault Detection
81. Software diversity
• is diverse
• moves from static to dynamic diversity
• expanding scope
• from safety-critical systems
• to open and flexible systems
• but
• diversification strategy is fixed at design time
• diversity is local
From Software Diversity to Software Diversification
81
82. Ecology and SE
82
Randomization
Unsound transformations
SBSE
[Rinard’04]
[Misailovic’10]
[Berger’06]
[Demsky’06]
[Forrest’94]
[Forrest’97]
[Smith’93]
[Kc’03]
[Barrantes05]
[Hemmati’10]
[Harman’07]
83. DIVERSIFY
• Can the theories of biodiversity emergence
and organization support theories of software
diversification?
• Goal: analyze and operationalize automatic
software diversification
• In interaction with ecologists
www.diversify-project.eu
83
84. Conclusion
• Unpredictability should be a pattern in SE
• Agile ( Software Development )
vs. ( Agile Software ) Development
• Recent work on modeling and testing are going
in this way ; in particular:
• Variability modeling and model composition to manage
unpredictability
• software diversification to operationalize unpredictability
84
85. Our Vision
85
Modeling and Testing Foundations
Diversity
Heterogeneity
Variability
From Design to Runtime