XCD - An Architecture Description Language

Software architecture description languages (ADL) have been proposed as a way to properly specify the architectures of complex software systems, in a way that allows both communication among the different stakeholders and an early analysis of these systems for a number of properties. However, practitioners seem to have shunned the ADL developed in academia and mainly use other modeling languages, that were not originally created for describing architectures. In a recent survey, practitioners have expressed a wish for analyzing their architectures (esp. for non-functional properties) and at the same time expressed their dissatisfaction with existing ADL, finding that the formal notations they use have a learning curve that they perceive as being too steep.

We propose a new ADL, called XCD, that attempts to address these issues. To this end, XCD is a formal language, allowing the formal analysis of systems. In its current form, it focuses on safety and liveness properties (deadlocks, etc.), leaving support for non-functional properties, such as reliability or performance, for later. In order to avoid imposing a steep learning curve on practitioners, XCD follows a Design-by-Contract (DbC) approach. DbC has the advantage of allowing practitioners to express formal models in a notation that resembles the programming languages they use. DbC has in fact already been embraced by practitioners, who so far use it mainly for improving their testing methods. XCD specifications can be translated to ProMeLa so as to verify that (i) provided services local interaction constraints are satisfied, (ii) provided services functional pre-conditions are complete, (iii) there are no race-conditions, (iv) event buffer sizes suffice, and (v) there is no global deadlock. Without formally analyzable architectures errors can remain undiscovered for a long time and cost too much to repair.

Visual XCD has just been released - click

XCD's Evolution

XCD builds on our earlier attempts at developing such an architecture description language. In our early work, XCD was influenced more from BIP’s separation of behaviour, interaction, and control, and thereby introduced three main architectural elements: components, connectors, and control strategies (papers 1 to 4). Control strategies are essentially extra role constraints specified externally to the connector roles, allowing to experiment with different design solutions without modifying connectors. Moreover, I used the Finite State Process (FSP) process algebra to define the formal mapping of XCD elements that allows formal verification via the LTSA model checker.

Our publications [4,5,9,10,11] have been produced from our initial work.

In our final work, we have simplified the main notions, no longer having "control strategies" – they can already be represented by connectors. Moreover, we have extended the language to better support designers (e.g. enumerated types, interval values, helper functions, asynchronous interaction, or indeed composite components that were not supported in my initial FSP encoding and tool). I have also replaced FSP with SPIN’s ProMeLa language, as encoding asynchronous interaction and method/event parameters in FSP required too much effort. SPIN has also a more powerful model checker than FSP’s LTSA – partly because it does not attempt to construct the state-space of each process as it is defined but only does so on-the-fly, as needed. SPIN’s code availability also helped us in better understanding the use of some constructs and slightly optimising my models.

Our publications [1,2,3,6,7,8] have been produced from our final work.

XCD's Translation tool

XCD's translation tool performs the following operations for a given XCD architecture specification. It firstly checks for the syntactical correctness. Then, if no syntax error is found, the tool checks whether the XCD architecture is well-defined or not. If the XCD architecture is well-defined, then, the tool translates the syntactically correct and well-defined XCD architecture into a ProMeLa model.

The latest version of the tool can be downloaded from here.

Instructions for running the tool:

1- Download and install SPIN from its website : http://spinroot.com/spin/whatispin.html.

2- Download and install the XCD tool (xcd.jar) from the above given link.

3- Save your XCD specification into a file with ".xcd" extension.

4- Place the tool jar file inside the same directory as your specification file, and then, run the command

"java -jar xcd.jar fileName.xcd".

This command produces a folder "src-gen" which includes a set of ProMeLa files representing the ProMeLa model of your XCD specification.

5- Run either ISPIN GUI of SPIN or use command line.

If ispin is used, you need to input the

"configuration.pml" file of the "src-gen"

It corresponds to the system configuration that you are supposed to speficfy as part of your XCD specification.

6- If you use command line, use the following SPIN verification commands for verifying the "configuration.pml".

$ spin -a configuration.pml

$ gcc -O2 -DMEMLIM=7024 -o pan pan.c

$ ./pan

For more information about using SPIN for verifying ProMeLa models, please refer to the http://spinroot.com/spin/Man/Roadmap.html

Some Applications of XCD

XCD and its tool have been used to specify and verify a number of real-system case studies. Below, we give the XCD architecture specifications and the translated ProMeLa models of these case-studies.

Gas Station