
this issue.

PCA to Markov Decision Processes

A PCA automatically has the semantics of a Markov Decision Process (MDP), because for each state we have a non-deterministic choice over probability distributions for the successor state. A PCA can therefore easily be converted to the textual representation of an MDP as input for quantitative analysis software, such as PRISM.
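The conversion described above, as an added Python example (not code from the deliverable): it writes a structure of this shape in PRISM's MDP input language and computes the minimum and maximum probability of reaching a target state by value iteration. The toy model `LOSSY`, its action names and the functions `to_prism` and `reach` are assumptions made for the illustration; PCA ports and data constraints are abstracted into plain action labels, and states are assumed to be numbered 0..N.

```python
from fractions import Fraction as F

# Constructed toy model (an assumption, not taken from the deliverable).
# state -> list of (action, {successor: probability}); every list entry is one
# non-deterministic choice, each choice a distribution over successor states.
LOSSY = {
    0: [("send", {1: F(9, 10), 2: F(1, 10)}),
        ("send_fast", {1: F(7, 10), 2: F(3, 10)})],
    1: [("done", {1: F(1)})],                        # delivered, absorbing
    2: [("retry", {0: F(1, 2), 2: F(1, 2)}),         # message lost
        ("give_up", {2: F(1)})],
}


def to_prism(mdp, init=0, module="connector"):
    """Render the structure in PRISM's textual MDP language."""
    out = ["mdp", "", f"module {module}",
           f"  s : [0..{max(mdp)}] init {init};"]
    for s in sorted(mdp):
        for action, dist in mdp[s]:
            # Reject distributions that do not sum to 1 or leave the state space.
            if sum(dist.values()) != 1 or not set(dist) <= set(mdp):
                raise ValueError(f"bad distribution for {action!r} in state {s}")
            rhs = " + ".join(f"{p.numerator}/{p.denominator}:(s'={t})"
                             for t, p in sorted(dist.items()))
            out.append(f"  [{action}] s={s} -> {rhs};")
    return "\n".join(out + ["endmodule"])


def reach(mdp, target, best=max, eps=1e-12):
    """Value iteration for the optimal probability of eventually reaching target.

    best=max / best=min correspond to the PRISM queries
    Pmax=? [ F ... ] and Pmin=? [ F ... ].
    """
    v = {s: float(s in target) for s in mdp}
    while True:
        new = {s: 1.0 if s in target else
               best(sum(float(p) * v[t] for t, p in d.items()) for _, d in mdp[s])
               for s in mdp}
        if max(abs(new[s] - v[s]) for s in mdp) < eps:
            return new
        v = new


if __name__ == "__main__":
    print(to_prism(LOSSY))
    print("Pmax:", reach(LOSSY, {1}, max)[0], "Pmin:", reach(LOSSY, {1}, min)[0])
```

The gap between the two results is the effect of the non-deterministic choice: the same model guarantees delivery under the best scheduler and only the lossier channel's success rate under the worst.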

2.4.3.2 Scenario modelling

As mentioned in the previous section, the composition operator on PCA is abhorrent and furthermore there is no tool support at present. Under these conditions, we choose not to model any of the scenarios using PCA, as quite frankly, the resulting MDP does not convey that much comprehensible information, and the manual construction would be unwieldy.

2.4.3.3 Advantages and disadvantages

Again, there is much overlap between the features of ordinary Reo and those of discrete-time probabilistic Reo connectors. Although we have incrementality for these Reo connectors, we do not necessarily have compositionality. The SPCA fragment enjoys compositionality, but recall that composition in PCA is not generally associative. Scalability is retained as we still have the same method of connecting smaller channels and connectors via nodes.

It is difficult to know whether the formalism supports compositional reasoning, although we have made promising progress in showing this for SPCA. As for reusability, these connectors could be reused although we have to distinguish connectors consisting of the same topology of channels, but with different probabilistic information.

As for continuous-time probabilistic Reo connectors, we have evolution in the sense that connectors can be moved around and connected to different components. There is also likely to be support for the alteration of probabilistic values over time through the use of online verification techniques.

There is currently no tool support for discrete-time probabilistic Reo connectors. This is probably because of the lack of compositionality of PCA and the incredibly complex method of trying to join PCA together.

In summary, although discrete-time probabilistic Reo connectors offer us many useful features for modelling discrete events such as failures, the shortcomings in the formalism, namely the lack of compositionality and the cumbersome join operators, make it rather difficult to deal with. However, we still gain quite a bit of expressivity by just considering SPCA, which is better behaved, so it is always a possibility to just deal with this fragment.

by the approach. For instance, this is the case for the connector algebra in [27], where compositionality is in general supported only on the subset of similarly typed connectors. “Partially” is also used for the reusability dimension to indicate that the connector models abstract connectors that cannot be reusable in any context, but they can be reusable under specific conditions (e.g., port-role compatibility). Clearly, this dimension also accounts for the different meanings that can be given to the notion of context, e.g., other connectors, system components, or both of them. For example, this is the case for the connector algebra in [27] but also for the role-glue connectors in WRIGHT (by Allen and Garlan). Note that being partially reusable, instead of completely reusable, is not always a complete limitation. In fact, although the contexts of reuse are sometimes limited, correctness of the reuse may be achieved by construction.

| Approach | Compositionality | Incrementality | Scalability | Compositional reasoning |
|---|---|---|---|---|
| Role-glue connectors in WRIGHT | Maybe | No | No | Yes |
| Reo connectors as ABTs | Yes | Yes | Yes | Yes |
| Connectors as Kell calculus processes | Yes | Yes | Yes | Yes |
| BIP connectors | Partially | Yes | Yes | Maybe |
| Bigraphical Reactive System connectors | Yes | Yes | Yes | Maybe partially |
| Reo connectors with QoS as CA | Yes | Yes | Yes | Yes |
| Reo connectors as QIA | Yes | Yes | Yes | Partially |
| Reo connectors as PCA | Partially | Yes | Yes | Partially |

Table 2.1: Summary of the evaluation results of existing formalisms (Part 1)

| Approach | Reusability | Evolution |
|---|---|---|
| Role-glue connectors in WRIGHT | Partially | No |
| Reo connectors as ABTs | Yes | Partially |
| Connectors as Kell calculus processes | Partially | Yes |
| BIP connectors | Partially | No |
| Bigraphical Reactive System connectors | Yes | Yes |
| Reo connectors with QoS as CA | Yes | Partially |
| Reo connectors as QIA | Yes | Partially |
| Reo connectors as PCA | Yes | Partially |

Table 2.2: Summary of the evaluation results of existing formalisms (Part 2)

| Approach | Non-functional properties | Tool support |
|---|---|---|
| Role-glue connectors in WRIGHT | No | Yes |
| Reo connectors as ABTs | No | Yes |
| Connectors as Kell calculus processes | No | No |
| BIP connectors | No | Yes |
| Bigraphical Reactive System connectors | No | On the way |
| Reo connectors with QoS as CA | Yes, Q-algebras | Yes |
| Reo connectors as QIA | Yes, stochastic rates | Yes |
| Reo connectors as PCA | Yes, discrete probability | No |

Table 2.3: Summary of the evaluation results of existing formalisms (Part 3)

Considering the above tables, we can conclude that none of the formalisms considered in Chapter 2 fulfils all eight dimensions of interest for CONNECT. Defining an appropriate connector algebra will be our main task in the next stage.

In addition to the eight dimensions, usability of the future connector algebra is an important issue. For example, we have used Reo to model the procedure for clients to browse products in the market in the popcorn scenario¹¹, in order to gain a deeper insight into Reo. The Reo model is shown in Figure 2.35.

The client sends a request to the market from its output port, and the market receives it from its input port.

Then the market returns the catalogue from the output port and the client receives it from the input port.

The CONNECTors “Market Interface” and “Client Interface” represent the external behaviour of the market and the client respectively. They can also be seen as the partial view of the components. Note that the client can receive the response only after it issues a request, and the market can send out the response only after it obtains the request. The FIFO buffers and SyncDrain channels in these two CONNECTors guarantee the above orders. The “CONNECTor” in the figure is a CONNECTor synthesised on the fly by the enabler to allow the communication. In this small example, it simply transmits the request and the response. During the modelling exercise, we realised that the notation used to model the scenario is quite complex and sometimes unintuitive (e.g., using the FIFO buffer to implement the data flow order). Thus, practitioners may be discouraged from using Reo.

Figure 2.35: The Reo model for the browse procedure in the popcorn scenario

¹¹ The detail of this scenario can be seen in the deliverable D1.1 [2].

3 Quantitative verification

As CONNECTors often work in a highly dynamic and distributed environment, they could behave in an unreliable way. For instance, a CONNECTor in the popcorn scenario may not always transmit a response message successfully to clients due to competition on available channels, interference with other CONNECTors, etc. In many cases, unreliable behaviours can be formalised as probabilistic behaviours, such as the percentage of successful transmissions on average.

This chapter is devoted to quantitative verification for CONNECTors, i.e., the verification of their probabilistic behaviours, aiming to establish the probability of some event occurring, or the expected time or reward until a certain state is reached. In this chapter, we are focusing on quantitative models based on labelled transition systems, since they are common to the main CONNECT work packages, including synthesis and learning. We thus assume that there is an effective translation from the high-level connector algebra formalism to a low-level transition system. For instance, Section 2.4.2 presented an approach for converting QIA to CTMCs, which will be introduced in Section 3.1.2, and Section 2.4.3 explained that PCA is indeed an MDP.

Section 3.1 gives an overview of classical stochastic models, temporal logic formalisms and model-checking algorithms for offline verification, which rely on identifying all possible system states to establish probabilistic properties. This also includes one of our contributions in the project: new abstraction-refinement techniques devised and implemented for probabilistic real-time systems. Section 3.2 deals with non-functional characteristics of CONNECTors, usually arising from QoS requirements, that are expressible with rewards and the corresponding verification algorithms. The last two sections in this chapter describe new research results from WP2. In Section 3.3, we propose a compositional approach to handle verification of large systems which we aim to apply to CONNECTors. In Section 3.4, we discuss an online verification method (also known as run-time monitoring and adaptation), which employs offline verification using models and properties that are generated at run-time. This online method can be seen as a starting point for a model-checking approach to property verification for evolving connectors, which is relevant to dependability assurance in WP5.