Slides of the presentation I gave at ICSE'11 in Hawaii. The paper is available on my website: http://damiencassou.seasidehosting.st/

1. Leveraging Software Architecturesto Guide and Verify the Development of Sense/Compute/Control Applications Damien Cassou1,2, Emilie Balland1, Charles Consel1, Julia Lawall3 1Phoenix, INRIA, France 2Software Architecture Group, HPI, Germany 3APL, DIKU, Denmark

2. Contributions A design language to specify a software system A compiler to process such specification for the verification of safety properties the guidance of the implementation the conformance 2 Context: Sense/Compute/Control software systems

3. Sense/Compute/Control (SCC)Software System Environment Compute Sense 3 Control

4. 4 Sense/Compute/Control (SCC)Software System aileron, engine Control Compute direction Sense GPS, flight plan

5. 5 Sense/Compute/Control (SCC)Software System alarm triggering Control Environment Compute intrusion? Sense motion detection

7. home automation

8. tier-system monitoring

9. robotics

10. …6 Sense/Compute/Control (SCC)Software Systems Environment [Taylor et al., Software Architecture: Foundations, Theory, and Practice, 2009]

11. The SCC Architectural Style sources sensors actuators actions orders control operators Environment refined information context operators raw data 7 [Chen et al., Context aggregation and dissemination in ubiquitous computing, WMCSA’02] [Edwards et al., Architecture-driven self-adaptation and self-management in robotics, SEAMS’09]

12. The SCC Architectural Style 8 sources actuators sensors actions Control orders control operators Sense Environment Compute refined information context operators raw data

13. 9 Environment Interface Application Logic sources actuators sensors actions control operators Environment context operators

14. 10 The SCC Architectural Style control operators Information use Information refinement context operators

16. a compiler Objectives to verify safety properties to guide implementation to ensure conformance

17. Compiling a Design Design Language abstract Design concrete Design 12

18. Compiling a Design Design Language abstract generated Design Compiler Software system defeats guidance and verification concrete Design 13

19. Compiling a Design Design Language abstract generated Design Compiler Software system mixes design and implementation generated concrete Software System Design Compiler 14

20. Compiling a Design Design Language abstract generated Software system Design Compiler generated Compiler Software System Design generated concrete Software System Design Compiler 15

21. Our Approach Design language GPL Compiler Design GPL programming framework developer’s code 16

22. Our Approach verification Developer’s code Compiler Programming framework Design 17

23. Our Approach verification Developer’s code Compiler Programming framework Design 18

24. Our Approach verification by construction Developer’s code Compiler Programming framework Design 19

25. 20 Diving Into the Design Language sources actuators sensors actions alarm triggering control operators Environment intrusion? context operators motion detection

26. 21 sources actuators sensors actions control operators context operators

27. 22 sources actuators sensors actuators actions control operators control operators context operators context operators sensors

28. design language dedicated to SCC actuators context Intrusion as Boolean { context BuildingLocked; context Presence; } control operators 23 Boolean Intrusion context operators Boolean Boolean Presence Building Locked sensors

29. 24 keycode motion Keypad MotionSensor actuators control operators Boolean Intrusion context operators Boolean Boolean Presence Building Locked Boolean Integer sensors

30. 25 keycode motion Keypad MotionSensor Alarm actuators OnOff control operators IntrusionManager controller IntrusionManager{ context Intrusion; action OnOff on Alarm; } Intrusion Boolean Boolean Presence Building Locked Boolean Integer sensors

31. keycode motion image Alarm Mailer Keypad Keypad MotionSensor Camera actuators OnOff Send UpdateSt control operators IntrusionManager SecurityManager Boolean Intrusion File context operators Boolean Boolean Scene Image Presence Building Locked 26 File Boolean Integer sensors

32. actuators control operators context operators 27 Intrusion Presence Building Locked sensors

33. 28 Interaction Description event 3 Intrusion Intrusion request event 2 Presence Building Locked 1 Building Locked Presence multiple interpretations event 1 request 3 Intrusion Intrusion request event 2 request request 1 2 Building Locked Building Locked 2 Presence Presence

34. 29 Interaction Description event 3 Intrusion request too abstract! event 2 1 Building Locked Presence multiple interpretations event 1 request 3 Intrusion Intrusion request event 2 request request 1 2 Building Locked Building Locked 2 Presence Presence

35. Interaction Contracts 1 request Main 1 Activation condition 30

36. Interaction Contracts source Sensor 3 event Main 1 Activation condition event 2 Data requirement 1 request 2 3 Emission 2 request Context Operator3 Context Operator2 31

37. Interaction Contracts 3 Intrusion 1 Activation condition context Intrusion asBoolean { context Presence; context BuildingLocked; interaction { whenprovided Presence get BuildingLocked maybepublish } } 2 Data requirement 2 1 32 3 Emission Building Locked Presence 1 2 3

38. Compiling a Design 33 Developer’s code Programming framework Compiler Design

40. each interaction contract to an abstract method constrained with type declarations34

42. parameters

43. return type1 1 Data requirement 2 1 2 3 Emission 3 3

44. Code Generation 36 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

45. Code Generation 37 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

46. Code Generation 38 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

47. Code Generation 39 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

48. Code Generation 40 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

49. Code Generation 41 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

50. Code Generation 42 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

51. Code Generation 43 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

52. Code Generation 44 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

53. Code Generation 45 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

54. Code Generation 46 Alarm Mailer controller IntrusionManager{ context Intrusion; contextSceneImage; interaction { whenprovided Intrusion getSceneImage do OnOff on Alarm,Send on Mailer } } OnOff Send IntrusionManager Boolean File Intrusion Scene Image abstractclassAbstractIntrusionManager { abstract Actions onIntrusion( boolean intrusion, SceneImagesceneImage, Select select); protectedfinalclass Actions { … } protectedfinalclass Select { … } protectedfinalclassSceneImage { … } } generated framework code

55. Implementation abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } 47 Alarm Mailer OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

56. Implementation 48 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

57. Implementation 49 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

58. Implementation 50 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

59. Implementation 51 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

60. Implementation 52 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

61. Implementation 53 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

62. Implementation 54 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

63. Implementation 55 Alarm Mailer abstractclassAbstractIntrusionManager { abstract ActionsonIntrusion( boolean intrusion, SceneImagesceneImage, Select select); } OnOff Send IntrusionManager generated framework code Boolean File Intrusion Scene Image classIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

65. leverage code completionclassIntrusionManagerextendsAbstractIntrusionManager { ActionsonIntrusion(boolean intrusion, SceneImagesceneImage, Select select){ if (intrusion) { Actions actions; actions = select.alarms().all().on(); Mailer mailer = select.mailers().anyOne(); File image = sceneImage.get(); actions.add(mailer.send(“Intrusion !”, “admin”, image)); return actions; } } developer code

66. Summary A design language dedicated to specifying SCC software systems A compiler to process such specification for the guidance of the implementation the conformance 57

67. Status Report Implementation using standard language tools Java, ANTLR, StringTemplate Safety property verification generation of Promela specifications e.g., interaction invariants Several application domains avionics: simulated auto-pilot and AR drone building automation: light, fire, security, newscast, etc. misc.: web-server monitoring, home messenger, etc. Ongoing empirical evaluation with both students and professional software engineers http://diasuite.inria.fr Damien Cassou, Emilie Balland, Charles Consel, Julia Lawall

68. 59

69. Facilitating Evolution eases developer’s work by showing mismatches leveraging development tools ensures conformance 60

70. Productivity 61 ➡ 76% actually executed

71. Code Generation 3 boolean motion MotionSensor Presence 1 2 3 <⇑MotionSensor.motion; ⇓MotionSensor.motion; ⇑ self > boolean 1 2 abstractclassAbstractPresence { abstractbooleanonMotionFromMotionSensor( boolean motion, Select select); } 62 1 2 3 1 generated framework code

72. Implementation 3 boolean motion MotionSensor Presence 2 boolean 1 abstractclassAbstractPresence { abstractbooleanonNewMotionFromMotionSensor( boolean motion, Select select); } generated framework code class Presence extendsAbstractPresence { booleanonMotionFromMotionSensor(boolean motion, Select select) { if (motion) return true; MotionSensors sensors = select.motionSensors().all(); for (MotionSensor sensor : sensors) if (sensor.getMotion()) return true; return false; } } developer code 63

73. A Research Vehicle This work is part of a larger research project with 7 PhDs leveraging the frameworks QoS (FASE’11) security (ICPS’09, DAIS’11) error-handling (OOPSLA’10) virtual testing (Mobiquitous’10 and ‘09) SIP (ICC’10, ICIN’09, IPTComm’08) end-user programming (DSLWC’09) 64

74. Limitations Applies only to new projects Applies only to Sense/Compute/Control Requires architects to learn a new language Imposes small run-time overhead 65