Publications
183 results found
Nahabedian L, Braberman V, D'Ippolito N, et al., 2016, Assured and correct dynamic update of controllers, 11th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS '16), Publisher: ACM, Pages: 96-107
In many application domains, continuous operation is a desirable attribute for software-intensive systems. As the environment or system requirements change, so the system should change and adapt without stopping or unduly disturbing its operation. There is, therefore, a need for sound engineering techniques that can cope with dynamic change. In this paper we address the problem of dynamic update of controllers in reactive systems when the specification (environment assumptions, requirements and interface) of the current system changes. We present a general approach to specifying correctness criteria for dynamic update and a technique for automatically computing a controller that handles the transition from the old to the new specification, assuring that the system will reach a state in which such a transition can correctly occur. Indeed, using controller synthesis we show how to automatically build a controller that guarantees both progress towards update and safe update. Seven case studies have been implemented to validate the approach.
Alrajeh D, Russo A, Uchitel S, et al., 2016, Logic-based learning in software engineering, 38th IEEE/ACM International Conference on Software Engineering Companion (ICSE), Publisher: IEEE, Pages: 892-893
In recent years, research efforts have been directed towards the use of Machine Learning (ML) techniques to support and automate activities such as program repair, specification mining and risk assessment. The focus has largely been on techniques for classification, clustering and regression. Although beneficial, these do not produce a declarative, interpretable representation of the learned information. Hence, they cannot readily be used to inform, revise and elaborate software models. On the other hand, recent advances in ML have witnessed the emergence of new logic-based learning approaches that differ from traditional ML in that their output is represented in a declarative, rule-based manner, making them well-suited for many software engineering tasks.In this technical briefing, we will introduce the audience to the latest advances in logic-based learning, give an overview of how logic-based learning systems can successfully provide automated support to a variety of software engineering tasks, demonstrate the application to two real case studies from the domain of requirements engineering and software design and highlight future challenges and directions.
Alrajeh D, Lamsweerde A, Kramer J, et al., 2016, Risk-driven revision of requirements models, 38th International Conference on Software Engineering (ICSE '16), Publisher: Association for Computing Machinery, Pages: 855-865, ISSN: 0270-5257
Requirements incompleteness is often the result of unanticipated adverse conditions which prevent the software and its environment from behaving as expected. These conditions represent risks that can cause severe software failures. The identification and resolution of such risks is therefore a crucial step towards requirements completeness. Obstacle analysis is a goal-driven form of risk analysis that aims at detecting missing conditions that can obstruct goals from being satisfied in a given domain, and resolving them.This paper proposes an approach for automatically revising goals that may be under-specified or (partially) wrong to resolve obstructions in a given domain. The approach deploys a learning-based revision methodology in which obstructed goals in a goal model are iteratively revised from traces exemplifying obstruction and non-obstruction occurrences. Our revision methodology computes domain-consistent, obstruction-free revisions that are automatically propagated to other goals in the model in order to preserve the correctness of goal models whilst guaranteeing minimal change to the original model. We present the formal foundations of our learning-based approach, and show that it preserves the properties of our formal framework. We validate it against the benchmarking case study of the London Ambulance Service.
Ciolek D, Braberman V, D'Ippolito N, et al., 2016, Interaction Models and Automated Control under Partial Observable Environments, IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, Vol: 43, Pages: 19-33, ISSN: 0098-5589
The problem of automatically constructing a software component such that when executed in a given environment satisfies a goal, is recurrent in software engineering. Controller synthesis is a field which fits into this vision. In this paper we study controller synthesis for partially observable LTS models. We exploit the link between partially observable control and non-determinism and show that, unlike fully observable LTS or Kripke structure control problems, in this setting the existence of a solution depends on the interaction model between the controller-to-be and its environment. We identify two interaction models, namely Interface Automata and Weak Interface Automata, define appropriate control problems and describe synthesis algorithms for each of them.
Pavese E, Braberman V, Uchitel S, 2016, Less is More: Estimating Probabilistic Rewards over Partial System Explorations, ACM Transactions on Software Engineering and Methodology, Vol: 25, ISSN: 1557-7392
Model-based reliability estimation of systems can provide useful insights early in the development process.However, computational complexity of estimating metrics such as mean time to first failure (MTTF),turnaround time (TAT), or other domain-based quantitative measures can be prohibitive both in time, spaceand precision. In this paper we present an alternative to exhaustive model exploration–as in probabilisticmodel checking–and partial random exploration–as in statistical model checking. Our hypothesis is thata (carefully crafted) partial systematic exploration of a system model can provide better bounds for thesequantitative model metrics at lower computation cost. We present a novel automated technique for metricestimation that combines simulation, invariant inference and probabilistic model checking. Simulationproduces a probabilistically relevant set of traces from which a state invariant is inferred. The invariantcharacterises a partial model which is then exhaustively explored using probabilistic model checking. Wereport on experiments that suggest that metric estimation using this technique (for both fully probabilisticmodels and those exhibiting non-determinism) can be more effective than (full model) probabilistic andstatistical model checking especially for system models where the events of interest are rare.
Pavese E, Braberman V, Uchitel S, 2016, Probabilistic Interface Automata, IEEE Transactions on Software Engineering, Vol: 42, Pages: 843-865, ISSN: 0098-5589
System specifications have long been expressed through automata-based languages, which allow for compositional construction of complex models and enable automated verification techniques such as model checking. Automata-based verification has been extensively used in the analysis of systems, where they are able to provide yes/no answers to queries regarding their temporal properties. Probabilistic modelling and checking aim at enriching this binary, qualitative information with quantitative information, more suitable to approaches such as reliability engineering. Compositional construction of software specifications reduces the specification effort, allowing the engineer to focus on specifying individual component behaviour to then analyse the composite system behaviour. Compositional construction also reduces the validation effort, since the validity of the composite specification should be dependent on the validity of the components. These component models are smaller and thus easier to validate. Compositional construction poses additional challenges in a probabilistic setting. Numerical annotations of probabilistically independent events must be contrasted against estimations or measurements, taking care of not compounding this quantification with exogenous factors, in particular the behaviour of other system components. Thus, the validity of compositionally constructed system specifications requires that the validated probabilistic behaviour of each component continues to be preserved in the composite system. However, existing probabilistic automata-based formalisms do not support specification of non-deterministic and probabilistic component behaviour which, when observed through logics such as pCTL, is preserved in the composite system. In this paper we present a probabilistic extension to Interface Automata which preserves pCTL properties under probabilistic fairness by ensuring a probabilistic branching simulation between component and composite automata. T-
Uchitel S, Braberman VA, D'Ippolito N, 2016, Runtime Controller Synthesis for Self-Adaptation: Be Discrete! (Keynote), 11th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), Publisher: IEEE, Pages: 1-3
Colson K, Dupuis R, Montrieux L, et al., 2016, Reusable Self-Adaptation through Bidirectional Programming, 11th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), Publisher: IEEE, Pages: 4-15
Czemerinski H, Braberman V, Uchitel S, 2015, Behaviour abstraction adequacy criteria for API call protocol testing, Software Testing Verification & Reliability, Vol: 26, Pages: 211-244, ISSN: 1099-1689
Code artefacts that have non-trivial requirements with respect to the ordering in which their methods or procedures ought to be called are common and appear, for instance, in the form of API implementations and objects. Testing such code artefacts to gain confidence that they conform to their intended protocols is an important and challenging problem. This paper proposes conformance testing adequacy criteria based on covering an abstraction of the intended behaviour's semantics. Thus, the criteria are independent of the specification language and structure used to describe the intended protocol and the language used to implement it. As a consequence, the results may be of use to black box conformance testing approaches in general. Experimental results show that the criteria are a good predictor for fault detection for protocol conformance and for classical structural coverage criteria such as statement and branch coverage. They also show that the division of the domain derived from the criterion produces subdomains such that most of its inputs are fault revealing.
D'Ippolito N, Braberman V, Sykes D, et al., 2015, Robust degradation and enhancement of robot mission behaviour in unpredictable environments, 1st International Workshop on Control Theory for Software Engineering (CTSE 2015), Publisher: Association for Computing Machinery, Pages: 26-33
Temporal logic based approaches that automatically generate controllers have been shown to be useful for mission level planning of motion, surveillance and navigation, among others. These approaches critically rely on the validity of the environment models used for synthesis. Yet simplifying assumptions are inevitable to reduce complexity and provide mission-level guarantees; no plan can guarantee results in a model of a world in which everything can go wrong. In this paper, we show how our approach, which reduces reliance on a single model by introducing a stack of models, can endow systems with incremental guarantees based on increasingly strengthened assumptions, supporting graceful degradation when the environment does not behave as expected, and progressive enhancement when it does.
Braberman V, D'Ippolito N, Kramer J, et al., 2015, MORPH: a reference architecture for configuration and behaviour self-adaptation, 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Publisher: Association for Computing Machinery, Pages: 9-16
An architectural approach to self-adaptive systems involves runtime change of system configuration (i.e., the system's components, their bindings and operational parameters) and behaviour update (i.e., component orchestration). Thus, dynamic reconfiguration and discrete event control theory are at the heart of architectural adaptation. Although controlling configuration and behaviour at runtime has been discussed and applied to architectural adaptation, architectures for self-adaptive systems often compound these two aspects reducing the potential for adaptability. In this paper we propose a reference architecture that allows for coordinated yet transparent and independent adaptation of system configuration and behaviour.
Duarte LM, Kramer J, Uchitel S, 2015, Using contexts to extract models from code, Software & Systems Modeling, Vol: 16, Pages: 523-557, ISSN: 1619-1366
Behaviour models facilitate the understanding and analysis of software systems by providing an abstract view of their behaviours and also by enabling the use of validation and verification techniques to detect errors. However, depending on the size and complexity of these systems, constructing models may not be a trivial task, even for experienced developers. Model extraction techniques can automatically obtain models from existing code, thus reducing the effort and expertise required of engineers and helping avoid errors often present in manually constructed models. Existing approaches for model extraction often fail to produce faithful models, either because they only consider static information, which may include infeasible behaviours, or because they are based only on dynamic information, thus relying on observed executions, which usually results in incomplete models. This paper describes a model extraction approach based on the concept of contexts, which are abstractions of concrete states of a program, combining static and dynamic information. Contexts merge some of the advantages of using either type of information and, by their combination, can overcome some of their problems. The approach is partially implemented by a tool called LTS Extractor, which translates information collected from execution traces produced by instrumented Java code to labelled transition systems (LTS), which can be analysed in an existing verification tool. Results from case studies are presented and discussed, showing that, considering a certain level of abstraction and a set of execution traces, the produced models are correct descriptions of the programs from which they were extracted. Thus, they can be used for a variety of analyses, such as program understanding, validation, verification, and evolution.
Alrajeh D, Kramer J, Russo A, et al., 2015, Automated Support for Diagnosis and Repair, Commun. ACM, Vol: 58, Pages: 65-72, ISSN: 0001-0782
D'Ippolito N, Braberman V, Piterman N, et al., 2014, Controllability in partial and uncertain environments, 14th International Conference on Application of Concurrency to System Design, Publisher: IEEE, Pages: 52-61, ISSN: 1550-4808
Controller synthesis is a well studied problem that attempts to automatically generate an operational behaviour model of the system-to-be that satisfies a given goal when deployed in a given domain model that behaves according to specified assumptions. A limitation of many controller synthesis techniques is that they require complete descriptions of the problem domain. This is limiting in the context of modern incremental development processes when a fully described problem domain is unavailable, undesirable or uneconomical. Previous work on Modal Transition Systems (MTS) control problems exists, however it is restricted to deterministic MTSs and deterministic Labelled Transition Systems (LTS) implementations. In this paper we study the Modal Transition System Control Problem in its full generality, allowing for nondeterministic MTSs modelling the environment's behaviour and nondeterministic LTS implementations. Given an nondeterministic MTS we ask if all, none or some of the nondeterministic LTSs it describes admit an LTS controller that guarantees a given property. We show a technique that solves effectively the MTS realisability problem and it can be, in some cases, reduced to deterministic control problems. In all cases the MTS realisability problem is in same complexity class as the corresponding LTS problem.
D'ippolito N, braberman V, Kramer J, et al., 2014, Hope for the best, prepare for the worst: multi-tier control for adaptive systems, 36th International Conference on Software Engineering, Publisher: ACM, Pages: 688-699
Most approaches for adaptive systems rely on models, particularly behaviour or architecture models, which describe the system and the environment in which it operates. One of the difficulties in creating such models is uncertainty about the accuracy and completeness of the models. Engineers therefore make assumptions which may prove to be invalid at runtime. In this paper we introduce a rigorous, tiered framework for combining behaviour models, each with different associated assumptions and risks. These models are used to generate operational strategies, through techniques such controller synthesis, which are then executed concurrently at runtime. We show that our framework can be used to adapt the functional behaviour of the system: through graceful degradation when the assumptions of a higher level model are broken, and through progressive enhancement when those assumptions are satisfied or restored.
Krka I, D'Ippolito N, Medvidović N, et al., 2014, Revisiting compatibility of input-output modal transition systems, Pages: 367-381, ISSN: 0302-9743
Modern software systems are typically built of components that communicate through their external interfaces. The external behavior of a component can be effectively described using finite state automata-based formalisms. Such component models can then used for varied analyses. For example, interface automata, which model the behavior of components in terms of component states and transitions between them, can be used to check whether the resulting system is compatible. By contrast, partial-behavior modeling formalisms, such as modal transition systems, can be used to capture and then verify properties of sets of prospective component implementations that satisfy an incomplete requirements specification. In this paper, we study how pairwise compatibility should be defined for partial-behavior models. To this end, we describe the limitations of the existing compatibility definitions, propose a set of novel compatibility notions for modal interface automata, and propose efficient, correct, and complete compatibility checking procedures © 2014 Springer International Publishing Switzerland.
Krka I, D'Ippolito N, Medvidovic N, et al., 2014, Revisiting Compatibility of Input-Output Modal Transition Systems, 19th International Symposium on Formal Methods (FM), Publisher: SPRINGER-VERLAG BERLIN, Pages: 367-381, ISSN: 0302-9743
- Author Web Link
- Cite
- Citations: 1
Degiovanni R, Alrajeh D, Aguirre N, et al., 2014, Automated Goal Operationalisation Based on Interpolation and SAT Solving, Publisher: ACM, Pages: 129-139
Uchitel S, Alrajeh D, Ben-David S, et al., 2013, Supporting incremental behaviour model elaboration, Computer Science - Research and Development, Vol: 28, Pages: 279-293, ISSN: 1865-2034
Behaviour model construction remains a difficult and labour intensive task which hinders the adoption of model-based methods by practitioners. We believe one reason for this is the mismatch between traditional approaches and current software development process best practices which include iterative development, adoption of use-case and scenario-based techniques and viewpoint- or stakeholder-based analysis; practices which require modelling and analysis in the presence of partial information about system behaviour. Our objective is to address the limitations of behaviour modelling and analysis by shifting the focus from traditional behaviour models and verification techniques that require full behaviour information to partial behaviour models and analysis techniques, that drive model elaboration rather than asserting adequacy. We aim to develop sound theory, techniques and tools that facilitate the construction of partial behaviour models through model synthesis, enable partial behaviour model analysis and provide feedback that prompts incremental elaboration of partial models. In this paper we present how the different research threads that we have and currently are developing help pursue this vision as part of the "Partial Behaviour Modelling - Foundations for Iterative Model Based Software Engineering" Starting Grant funded by the ERC. We cover partial behaviour modelling theory and construction, controller synthesis, automated diagnosis and refinement, and behaviour validation. © 2012 Springer-Verlag Berlin Heidelberg.
Ben-David S, Chechik M, Uchitel S, 2013, Merging partial behaviour models with different vocabularies, Pages: 91-105, ISSN: 0302-9743
Modal transition systems (MTSs) and their variants such as Disjunctive MTSs (DMTSs) have been extensively studied as a formalism for partial behaviour model specification. Their semantics is in terms of implementations, which are fully specified behaviour models in the form of Labelled Transition Systems. A natural operation for these models is that of merge, which should yield a partial model which characterizes all common implementations. Merging has been studied for models with the same vocabularies; however, to enable composition of specifications from different viewpoints, merging of models with different vocabularies must be supported as well. In this paper, we first prove that DMTSs are not closed under merge for models with different vocabularies. We then define an extension to DMTS called rDMTS, for which we describe a first exact algorithm for merging partial models, provided they satisfy an easily checkable compatibility condition. © 2013 Springer-Verlag.
de Caso G, Braberman V, Garbervetsky D, et al., 2013, Enabledness-Based Program Abstractions for Behavior Validation, ACM Transactions on Software Engineering and Methodology, Vol: 22, ISSN: 1557-7392
D'ppolito N, Braberman V, Piterman N, et al., 2013, Synthesizing nonanomalous event-based controllers for liveness goals, ACM Transactions on Software Engineering and Methodology, Vol: 22, ISSN: 1049-331X
Sibay G, Braberman V, Uchitel S, et al., 2013, Synthesising Modal Transition Systems from Triggered Scenarios, IEEE Transactions on Software Engineering, ISSN: 0098-5589
Pavese E, Braberman V, Uchitel S, 2013, Automated Reliability Estimation over Partial Systematic Explorations, 35th International Conference on Software Engineering (ICSE), Publisher: IEEE, Pages: 602-611
- Author Web Link
- Cite
- Citations: 6
Czemerinski H, Braberman V, Uchitel S, 2013, Behaviour Abstraction Coverage as Black-Box Adequacy Criteria, 6th IEEE International Conference on Software Testing, Verification and Validation (ICST), Publisher: IEEE COMPUTER SOC, Pages: 222-231
- Author Web Link
- Cite
- Citations: 4
Braberman V, D'Ippolito N, Piterman N, et al., 2013, Controller Synthesis: From Modelling to Enactment, 35th International Conference on Software Engineering (ICSE), Publisher: IEEE, Pages: 1347-1350
- Author Web Link
- Cite
- Citations: 17
Sibay GE, Uchitel S, Braberman V, et al., 2012, Distribution of modal transition systems, Pages: 403-417, ISSN: 0302-9743
In order to capture all permissible implementations, partial models of component based systems are given as at the system level. However, iterative refinement by engineers is often more convenient at the component level. In this paper, we address the problem of decomposing partial behaviour models from a single monolithic model to a component-wise model. Specifically, given a Modal Transition System (MTS) M and component interfaces (the set of actions each component can control/monitor), can MTSs M 1..., M n matching the component interfaces be produced such that independent refinement of each M i will lead to a component Labelled Transition Systems (LTS) I i such that composing the I i s result in a system LTS that is a refinement of M? We show that a sound and complete distribution can be built when the MTS to be distributed is deterministic, transition modalities are consistent and the LTS determined by its possible transitions is distributable. © 2012 Springer-Verlag.
D'Ippolito N, Braberman V, Piterman N, et al., 2012, The modal transition system control problem, Pages: 155-170, ISSN: 0302-9743
Controller synthesis is a well studied problem that attempts to automatically generate an operational behaviour model of the systemto- be such that when deployed in a given domain model that behaves according to specified assumptions satisfies a given goal. A limitation of known controller synthesis techniques is that they require complete descriptions of the problem domain. This is limiting in the context of modern incremental development processes when a fully described problem domain is unavailable, undesirable or uneconomical. In this paper we study the controller synthesis problem when there is partial behaviour information about the problem domain. More specifically, we define and study the controller realisability problem for domains described as Modal Transition Systems (MTS). An MTS is a partial behaviour model that compactly represents a set of complete behaviour models in the form of Labelled Transition Systems (LTS). Given an MTS we ask if all, none or some of the LTS it describes admit an LTS controller that guarantees a given property. We show a technique that solves effectively the MTS realisability problem and is in the same complexity class as the corresponding LTS problem. © 2012 Springer-Verlag.
Alrajeh D, Russo A, Uchitel S, et al., 2012, Integrating model checking and inductive logic programming, Pages: 45-60, ISSN: 0302-9743
Inductive Logic Programming can be used to provide automated support to help correct the errors identified by model checking, which in turn provides the relevant context for learning hypotheses that are meaningful within the domain of interest. Model checking and Inductive Logic Programming can thus be seen as two complementary approaches with much to gain from their integration. In this paper we present a general framework for such an integration, discuss its main characteristics and present an overview of its application. © 2012 Springer-Verlag Berlin Heidelberg.
De Caso G, Braberman V, Garbervetsky D, et al., 2012, Abstractions for validation in action, Pages: 192-218, ISSN: 0302-9743
Many software engineering artefacts, such as source code or specifications, define a set of operations and impose restrictions to the ordering on which they have to be invoked. Enabledness Preserving Abstractions (EPAs) are concise representations of the behaviour space for such artefacts. In this paper, we exemplify how EPAs might be used for validation of software engineering artefacts by showing the use of EPAs to support some programming tasks on a simple C# class. © 2012 Springer-Verlag.
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.