Lecture Notes in Computer Science 7740
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Javier Cámara, Rogério de Lemos, Carlo Ghezzi, Antónia Lopes (Eds.)
Assurances for Self-Adaptive Systems
Principles, Models, and Techniques

Volume Editors
Javier Cámara, University of Coimbra, Department of Informatics Engineering, 3030-290 Coimbra, Portugal. E-mail: [email protected]
Rogério de Lemos, University of Kent, School of Computing, Canterbury, Kent CT2 7NF, UK, and Centre for Informatics and Systems of the University of Coimbra (CISUC), 3030-290 Coimbra, Portugal. E-mail: [email protected]
Carlo Ghezzi, Politecnico di Milano, Dipartimento di Elettronica e Informazione, Via Golgi, 42, 20133, Milano, Italy. E-mail: [email protected]
Antónia Lopes, University of Lisbon, Faculty of Sciences, Campo Grande, 1749-016 Lisbon, Portugal. E-mail: [email protected]

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-36248-4, e-ISBN 978-3-642-36249-1
DOI 10.1007/978-3-642-36249-1
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2012955856
CR Subject Classification (1998): D.2.1-2, D.2.4, D.2.11, F.3.1-2, D.3.1-2, C.2.4, D.4.5, D.4.7
LNCS Sublibrary: SL 2 – Programming and Software Engineering
© Springer-Verlag Berlin Heidelberg 2013
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

During the past decade, one of the most important challenges in software engineering has been to face the increasing complexity that affects software-intensive systems, regarding not only their development, but most importantly, their operation and maintenance, which cannot be entrusted to human operators because of cost and dependability issues. One of the most successful techniques to date when dealing with these issues is endowing systems with the ability to self-adapt. Such systems monitor themselves at run-time through a variety of probes, reflecting the observed behavior to a control layer that compares it against a model of expected system behavior. When any anomalies or conditions for improvement are detected, they attempt to address the situation (e.g., repair a problem, optimize operation) through a set of effectors placed in the system.
Despite recent advances in this area, one key aspect of self-adaptive systems that remains to be tackled in depth is assurances: the provision of evidence that the system satisfies its stated functional and non-functional requirements during its operation in the presence of self-adaptation.

This book is one of the outcomes of the ESEC/FSE 2011 Workshop on Assurances for Self-Adaptive Systems (ASAS) held in Szeged, Hungary, in September 2011, which comprised discussions about the fundamental principles, models, methods, techniques, mechanisms, state-of-the-art, and challenges for the provision of assurances in self-adaptive software systems. The book includes extended versions of some of the papers presented during the workshop, as well as invited papers from recognized experts. All the papers in this book were peer-reviewed.

The book consists of four parts: “Formal Verification,” “Models and Middleware,” “Failure Prediction,” and “Assurance Techniques.”

The first part of the book, entitled “Formal Verification,” consists of five papers describing approaches to the formal verification of systems featuring different self-* properties.

The first paper by Cordy, Classen, Heymans, Legay, and Schobbens, entitled “Model Checking Adaptive Software with Featured Transition Systems,” presents a formal framework for modeling and analyzing adaptive systems based on featured transition systems, including a model able to capture dynamically changing features in the system and its environment (AFTS), a logic (adaCTL) to express system properties, and algorithms for model checking AFTS models against adaCTL formulae.

The second paper by Filieri and Tamburrelli, entitled “Probabilistic Verification at Runtime for Self-Adaptive Systems,” presents an approach to probabilistic verification at run-time for self-adaptive systems based on parametric model checking. Concretely, the authors present a method for the evaluation of the probabilistic logic R-PCTL on parametric discrete-time Markov chains with rewards that relies on algebraic computation.
The third paper by Salaün, Etchevers, De Palma, Boyer, and Coupaye, entitled “Verification of a Self-Configuration Protocol for Distributed Applications in the Cloud,” discusses the verification of a configuration protocol for distributed applications in the cloud, where multiple components have to be configured concurrently while respecting some dependencies. The authors use formal verification to check that the protocol for self-configuration complies with a formal specification of its expected behavior, considering aspects such as the order in which components are started, or the correct order of the messages being exchanged.

The fourth paper on formal verification by Nafz, Steghöfer, Seebach, and Reif, entitled “Formal Modeling and Verification of Self-Organizing Systems Based on Observer/Controller-Architectures,” presents an approach to formal modeling and compositional verification of self-* systems. To achieve their goal, the authors build upon the use of the observer/controller pattern and a verification approach based on rely and guarantee, effectively dividing the verification of the self-* system into two parts: the verification of the functional aspects of the system, and the verification of its self-* features. The approach is illustrated using two different case studies.

The fifth paper by Priesterjahn, Steenken, and Tichy, entitled “Timed Hazard Analysis of Self-Healing Systems,” describes an approach for the timed analysis of hazards in component-based self-healing systems. The approach enables the assessment of the effectiveness of reconfiguration operations by determining if these can be completed before the system reaches an unsafe state derived from the propagation of the faults that triggered the reconfiguration in the first place.

Part two of this book, entitled “Models and Middleware,” consists of three papers describing approaches on how robustness of autonomous and mobile systems can be improved by employing model-driven development and self-adapting middleware infrastructures.
The first paper by Giese and Schäfer, entitled “Model-Driven Development of Safe Self-Optimizing Mechatronic Systems with MechatronicUML,” describes a model-driven development approach that combines modeling using a syntactically and semantically rigorously defined, refined subset of UML and formal verification to deal with safety guarantees in distributed, embedded, real-time systems. Formal verification is based on decomposition and compositional model checking, which enables the scalability of the approach.

The second paper on models, entitled “Model-Based Reasoning for Self-Adaptive Systems—Theory and Practice,” by Steinbauer and Wotawa discusses model-based reasoning and its application to self-adaptive systems in the context of autonomous mobile robots. The paper extends the standard sense-plan-act control paradigm with a model-based reasoning engine. The applicability of the proposed approach is demonstrated in the context of a couple of case studies, which involve repairing software at run-time and handling hardware faults in the driving unit of an autonomous mobile robot.

The last paper of this part by Baresi, Guinea, and Saeedi, entitled “Achieving Self-Adaptation Through Dynamic Group Management” discusses a self-adapting middleware infrastructure that exploits the group abstraction to provide designers with powerful means to tackle the design and operation of large, dynamic software systems. The middleware is evaluated in the context of a self-adaptive industrialized greenhouse.

Part three of the book covers “Failure Prediction” and includes two papers on how system reconfiguration can be affected by failure prediction.
In the first paper of this part, entitled “Accurate Proactive Adaptation of Service-Oriented Systems,” Metzger, Sammodi, and Pohl review solutions for measuring and ensuring the accuracy of online service quality predictions. They analyze their applicability in the context of third-party services, identify some shortcomings, and propose online testing as an alternative approach to achieve accuracy. The conclusion was that obtaining accurate online quality predictions is still a challenging endeavor.

The second paper, “Failure Avoidance in Configurable Systems Through Feature Locality,” by Garvin, Cohen, and Dwyer proposes a framework for failure avoidance by reconfiguration in which the framework models individual failure dependence on the system configuration, since these models can be learned more quickly and with less effort. In order to predict the behavior of failures according to historic failure models, the paper exploits a tendency for failures to depend on similar combinations of features. The conclusion is that the adopted technique performs quite well preventing and reconfiguring away from those failures that it targets.

Part four of the book on “Assurance Techniques” contains two papers covering a wide range of techniques.

The first paper of this part, entitled “Emerging Techniques for the Engineering of Self-Adaptive High-Integrity Software,” by Calinescu, provides an overview on emerging techniques for the engineering of self-adaptive high-integrity software. It proposes a service-based architecture that aims to integrate these techniques, and discusses opportunities for future research.

The second paper, “Assurance of Self-Adaptive Controllers for the Cloud,” by Gambi, Toffetti, and Pezzè, discusses the assurance of self-adaptive controllers for the Cloud, and proposes a taxonomy of controllers based on the supported assurance level. The focus of the paper is on the infrastructure as a service (IaaS) layer that takes care of allocating resources to applications.
The authors identify two main dimensions for obtaining assurances for self-adaptive controllers, the target levels of assurance and adaptability, and propose a classification of self-adaptive controllers induced by these two dimensions. They also identify combinations of design-time and run-time elements that reach a good compromise between assurance and adaptability, and distinguish some outliers that come from particular choices or uses.

Although the papers in this book have covered a wide range of topics regarding assurances for self-adaptive systems, one could still identify several challenges associated with the field, just to name some: combine development-time rationale with run-time decision making, select and deploy during run-time the appropriate verification and validation tools and techniques for the generation of evidence, and analyze the collected evidence in order to build arguments that should be evaluated against the goals of the system. Moreover, as the system evolves, it may require different degrees of assurance, thus one needs to consider that these assurances need to be dynamically provided depending on the changes that may affect the system, its goals, or the context in which it operates. Nevertheless, we hope that this book will prove valuable for both practitioners and researchers working in the area of assurances for self-adaptive systems, and will be a stepping stone for future research.

We would like to thank all the authors of the book chapters for their excellent contributions, the participants of the ESEC/FSE 2011 Workshop on Assurances for Self-Adaptive Systems (ASAS) for their inspiring participation in moving this field forward, and Alfred Hofmann and his team at Springer for helping us to publish this book. Last but not least, we deeply appreciate the great efforts of the following expert reviewers who helped us ensure that the contributions are of high quality: L. Baresi, R. Calinescu, A. Classen, M. Cohen, C.E. da Silva, V. De Florio, N. De Palma, M. Dwyer, H. Giese, L. Grunske, S. Guinea, A. Legay, A. Metzger, R. Mirandola, M. Pezzè, P. Saeedi, G. Salaün, B. Schmerl, P.-Y. Schobbens, H. Seebach, G. Steinbauer, G. Tamburrelli, M. Tichy, G. Toffetti, M. Vieira, F. Wotawa, and several anonymous reviewers.

November 2012
Javier Cámara
Rogério de Lemos
Carlo Ghezzi
Antónia Lopes

Table of Contents

Part I: Formal Verification
Model Checking Adaptive Software with Featured Transition Systems ... 1
  Maxime Cordy, Andreas Classen, Patrick Heymans, Axel Legay, and Pierre-Yves Schobbens
Probabilistic Verification at Runtime for Self-Adaptive Systems ... 30
  Antonio Filieri and Giordano Tamburrelli
Verification of a Self-configuration Protocol for Distributed Applications in the Cloud ... 60
  Gwen Salaün, Xavier Etchevers, Noel De Palma, Fabienne Boyer, and Thierry Coupaye
Formal Modeling and Verification of Self-* Systems Based on Observer/Controller-Architectures ... 80
  Florian Nafz, Jan-Philipp Steghöfer, Hella Seebach, and Wolfgang Reif
Timed Hazard Analysis of Self-healing Systems ... 112
  Claudia Priesterjahn, Dominik Steenken, and Matthias Tichy

Part II: Models and Middleware
Model-Driven Development of Safe Self-optimizing Mechatronic Systems with MechatronicUML ... 152
  Holger Giese and Wilhelm Schäfer
Model-Based Reasoning for Self-Adaptive Systems – Theory and Practice ... 187
  Gerald Steinbauer and Franz Wotawa
Achieving Self-adaptation through Dynamic Group Management ... 214
  Luciano Baresi, Sam Guinea, and Panteha Saeedi

Part III: Failure Prediction
Accurate Proactive Adaptation of Service-Oriented Systems ... 240
  Andreas Metzger, Osama Sammodi, and Klaus Pohl
Failure Avoidance in Configurable Systems through Feature Locality ... 266
  Brady J. Garvin, Myra B. Cohen, and Matthew B. Dwyer

Part IV: Assurance Techniques
Emerging Techniques for the Engineering of Self-Adaptive High-Integrity Software ... 297
  Radu Calinescu
Assurance of Self-adaptive Controllers for the Cloud ... 311
  Alessio Gambi, Giovanni Toffetti, and Mauro Pezzè

Author Index ... 341

Model Checking Adaptive Software with Featured Transition Systems

Maxime Cordy1,*, Andreas Classen1, Patrick Heymans2, Axel Legay3, and Pierre-Yves Schobbens1

1 PreCISE Research Center, University of Namur, Belgium
  {mcr,acs,pys}@info.fundp.ac.be
2 PreCISE Research Center, University of Namur, Belgium; INRIA Lille-Nord Europe – Université Lille 1, France; LIFL – CNRS, France
  [email protected]
3 INRIA Rennes, France; Aalborg University, Denmark; University of Liège, Belgium
  [email protected]

Abstract. We propose to see adaptive systems as systems with highly dynamic features. We model as features both the reconfigurations of the system and the changes of the environment, such as failure modes. The resilience of the system can then be defined as the fact that the system can select an adequate reconfiguration for each possible change of the environment. We must take into account that reconfiguration is often a major undertaking for the system: it has a high cost and it might make functions of the system unavailable for some time. These constraints are domain-specific. In this paper, we therefore provide a modelling language to describe these aspects, and a property language to describe the requirements on the adaptive system. We design algorithms that determine how the system must reconfigure itself to satisfy its intended requirements.

1 Introduction

Our society increasingly entrusts computerized systems with complex and critical tasks.
These systems have to be adapted, or adapt themselves, to a rapidly evolving environment, while accomplishing their tasks reliably. Due to the short reaction times required, some of these adaptations have to be performed automatically, leading to self-adaptive systems. Such systems are usually architected in two levels: The base level manages the basic tasks of the system. It has a simple design that allows rapid response times, but does not allow it to respond to exceptional conditions. For instance, a satellite control system is in charge of maintaining the attitude of the satellite so that the solar panels face the sun. It

* FNRS Research Fellow.

J. Cámara et al. (Eds.): Assurances for Self-Adaptive Systems, LNCS 7740, pp. 1–29, 2013.
© Springer-Verlag Berlin Heidelberg 2013