Institute of Computing – UNICAMP - Brazil

Modeling and Analysis ofArchitectural Exceptions

Fernando Castor Filho Patrick Henrique da S. Brito {fernando}@ic.unicamp.br {patrick.silva}@ic.unicamp.br

Cecília Mary F. Rubira{cmrubira}@ic.unicamp.br

FM’2005 Workshop on Rigorous Engineering of Fault-Tolerant SystemsREFT’2005, Newcastle upon Tyne, July 19th 2005

REFT'2005 - July 19th 2005 2

Exception Handling

Popular mechanism for structuring forward error recovery in software systemsExceptions can be derived incrementally at different phases of development: Requirements Architecture Detailed Design Implementation

REFT'2005 - July 19th 2005 3

Exception Handling

Popular mechanism for structuring forward error recovery in software systemsExceptions can be derived incrementally at different phases of development: Requirements Architecture Detailed Design Implementation

REFT'2005 - July 19th 2005 4

Exceptions at the Architectural Level

A system’s exceptional activity should be addressed since the early phases of development

In recent years, many approaches combining software architecture and exception handling have been proposed

There hasn’t been much focus on the description of exceptions at the architectural level This may be required for systems with strict

dependability requirements such as commercial applications, control systems, and so on.

REFT'2005 - July 19th 2005 5

An Air-Traffic Control System Example

M&C Console

G.A.M

Local/Group A.M.

ATC Console

A.S.O.U

O/S E. A. S.

Network Operating System

Processor I/O Devices

Attachments

Exceptions

Exceptions

Exceptions

Exceptions

Exceptions

Source: Bass, Clements, and Kazman, SoftwareArchitecture in Practice, 2nd Edition, 2003.

Exceptions

REFT'2005 - July 19th 2005 6

... Some Interesting questions...

What does a double-headed arrow mean?

What are the exceptions that each component signals and handles?

Are there any relevant cause-effect relationships?

Is this analyzable?

REFT'2005 - July 19th 2005 7

Problem

To describe software architectures so that it is possible to reason about the flow of exceptions at the architectural level

REFT'2005 - July 19th 2005 8

Requirements of the Solution

1. Easy to use (pictorial representation)2. Integrated with the concept of

architectural style3. Precise (unambiguous)4. Analyzable5. Capable of expressing rules of

existing exception handling models

REFT'2005 - July 19th 2005 9

Alloy Design Language

Lightweight formal methodSimilar to Z (less expressive but supports automated analysis) Support for complex data structures Declarative

Alloy constraint analyzerEasy to useRequirements 3-5

REFT'2005 - July 19th 2005 10

Proposed Framework: Aereal

Architecture Description Extended

with ExceptionsTranslationArch. Description

+Exception Flow

View

“Normal” Architectural

Styles“Exceptional” Architectural

Styles

REFT'2005 - July 19th 2005 11

Proposed Framework: Aereal

• Documentation

• Analysis of stylistic constraints

Architecture Description Extended

with ExceptionsTranslationArch. Description

+Exception Flow

View

“Normal” Architectural

Styles“Exceptional” Architectural

Styles

REFT'2005 - July 19th 2005 12

Proposed Framework: Aereal

• Exception flow analysis

Architecture Description Extended

with ExceptionsTranslationArch. Description

+Exception Flow

View

“Normal” Architectural

Styles“Exceptional” Architectural

Styles

REFT'2005 - July 19th 2005 13

Proposed Framework: Aereal

TranslationArch. Description+

Exception Flow View

Architecture Description Extended

with Exceptions

ACME

Alloy

“Normal” Architectural

Styles“Exceptional” Architectural

Styles

REFT'2005 - July 19th 2005 14

Elements of the Model Components:

SignalsRaisesEncountersHandlesSignalsToCatchesFromPortMap…

Ducts:SignalsRaisesEncountersCatchesFromSignalsTo…

Exceptions

REFT'2005 - July 19th 2005 15

An Example

CoalFeederController

AirFlowController

Duct1

REFT'2005 - July 19th 2005 16

An ExampleGENERIC MODEL

sig Component { Signals : Exception->Duct, SignalsTo : set Duct, …}sig Duct { Encounters : set Exception, CatchesFrom : one Component …}

INSTANTIATION

sig AirFlowCtr extends Component {}sig Duct1 extends Duct {}sig AirFlowActuatorTimeout extends Exception {}fact SystemStructure { AirFlowCtr.SignalsTo = Duct1 Duct1.CatchesFrom = AirFlowCtr… }fact ExceptionFlow { AirFlowCtr.Signals= AirFlowActuatorTimeout->Duct1 Duct1.Encounters = AirFlowActuatorTimeout… }

REFT'2005 - July 19th 2005 17

Properties of Interest

Basic EH mechanism propertiesDesirable EH propertiesApplication-specific properties

Verified using the Alloy Analyzer Violations of properties generate

graphical counter-examples

REFT'2005 - July 19th 2005 18

Examples of PropertiesExceptions encountered by a component and not handled or propagated are signaledIf a component raises an exception, it must also signal the exceptionThe exceptions encountered by a component are all the exceptions signaled by ducts in the components CatchesFrom setNo useless handlers

REFT'2005 - July 19th 2005 19

Example: No useless handlers

pred no_useless_handlers() { all C : Component | all D : C.CatchesFrom | D.(C.Handles) in D.(C.Encounters) && D.(C.Encounters)<:(D.(C.Propagates))=D.

(C.Propagates)}

REFT'2005 - July 19th 2005 20

Future Directions

Model coordinated exception handlingTechnical report describing the whole modelExtend the implementation of Aereal in order to automatically compute the sets of exceptions that are caught and signaled

REFT'2005 - July 19th 2005 21

Thank You!Contact information:

Fernando Castor Filhofernando@ic.unicamp.br

fernando.castor@newcastle.ac.uk