Component and connector (C&C) models are used in many application domains of software engineering, from cyberphysical and embedded systems to web services and enterprise applications. The structure of C&C models consists of components at different containment levels, their typed interaction points, and connectors between them [ 13 ]. In addition to functional properties, extra-functional properties (EFPs) play an important role in the development of C&C models [ 6 ], [ 19 ]–[ 21 ]. Important examples of EFPs include worst-caseexecution-time (WCET), memory and power consumption, security properties, and traceability [ 1 ], [ 16 ], [ 18 ].

Recently, we have presented a non-invasive technique for adding EFPs to C&C models by means of tagging languages [ 12 ]. Importantly, this technique requires no changes to the meta-model of the C&C language. In addition, we have suggested a generic structure for EFP consistency rules based on selection, aggregation, and comparison operators. Conceptually, a consistency rule states for a C&C element and an EFP whether the EFP value is consistent with the EFP values of other C&C elements. Technically, consistency rules are constraints that are satisfied iff the EFP value is consistent. Consistency is determined by comparison to aggregated EFP values of related C&C elements as defined by the selection, aggregation, and comparison operators of consistency rules.

In this paper we are interested in the concrete formalization of EFP consistency rules and in their automated analysis. We propose to leverage the popular and expressive Object Constraint Language [ 25 ] (OCL) and its analysis capabilities for the definition and analysis of EFP consistency of C&C models.

Our first contribution is a C&C-specific extension of OCL. The extension allows the definition of C&C consistency constraints based on clean mathematical C&C definitions; all implementation specific details, such as more complex types from the meta-model or abstract-syntax representations are abstracted away by providing C&C specific OCL configurations and powerful type-inference mechanisms when checking consistency.

Our second contribution extends OCL with support for measurement units and an automatic mechanism to produce witnesses for EFP consistency checking results. First, many EFPs, describing physical properties of C&C models, e.g., WCET, power consumption, or memory usage, contain physical units, e.g., seconds, Watts, or sizes. Thus, to enable domain experts define EFP consistency rules, a constraint language for EFPs naturally should support automatic unit comparison and conversion . Second, our previously defined mathematical framework [ 12 ] structures the definition of consistency rules. This general structure allows to automatically generate positive and negative witnesses for consistency checking results. These witnesses intuitively demonstrate the reasons for consistency or inconsistency of a C&C model.

Our third contribution is an initial evaluation of checking EFP consistency of an industrial sized C&C model. Specifically, we used our tool to verify four selected consistency rules on an industrial sized Autonomous Driver Assistance System (ADAS) model. The ADAS model consists of about 1,400 components and 4,500 ports, and 2,800 tagged EFP values. Our examples and evaluation show that (i) our OCL based approached is expressive enough for defining complex consistency constraints, and (ii) that the performance of our implementation for checking these consistency rules scales to large models.

In the next section we present a running example. Sect. III gives background on C&C models and consistency rules of EFPs. Sect. IV and Sect. V present our OCL framework and example constraints, Sect. VI presents the implementation, and Sect. VII presents a case study in which the framework is used. Sect. VIII present related work, and Sect. IX concludes.

component type instance name block of component type WBalloonSens consists of various components: a temperature sensor (component instance temp of component type Temp), two GPS sensors (component instances gps1 and gps2 of component type GPS), and a controller (component instance controller of component type Controller). The controller periodically pushes sensor data to another system in order to save it. The position of the balloon is important for recovery after landing. Position data from GPS is pushed to an antenna system, which relays the position to ground control.

One EFP in our running example is power consumption (tag power). The component types and the component instances in Fig. 1 are tagged with estimated power consumption, e.g., the component type GPS is tagged with power=2500mW and its component instance gps1 is tagged with power=2W. The weather balloon will be running on a limited power supply and power consumption has to be budgeted carefully. Hence, the sensor block is required to consume at most 5W (see power property of component type WBalloonSens in Fig. 1). Based on this extra-functional property of the parent component requirements for subcomponent types are added: Temp consumes at most 400mW , the GPS sensors GPS 2500mW each, and the controller 10mW .

However, the declaration of power consumption EFPs in this model is inconsistent. The subcomponents require 5410mW when only 5W are defined by component type WBalloonSens (note that it would be consistent when taking the component instances and not types into account, which together consume 4910mW ).

Another EFP in our running example is the worst-caseexecution-time (WCET, tag wcet) of components. As we assume independent execution of all components and the WCET of each subcomponent is less than the WCET of component type WBalloonSens, the WCET EFPs are consistent.

Engineers can easily add EFP tags and EFP consistency rules as OCL constraints, which our tool automatically verifies. 1component WBalloonSens { 2 ports in Byte[] controlSig, 3 out Byte[] dataSave, 4 out Byte[] dataAntenna; 5 component Controller controller; 6 component GPS gps1, gps2; 7 component Temperature temp; 8 ... 9 connect controller.antenna -> dataAntenna; 10 connect gps1.loc -> controller.loc1; } e v a S a tad Fig. 2: Definitions of WBalloonSens from Fig. 1 top component definition is instantiated once with instance name wBalloonSens

This section presents our first contribution: a C&C-specific extension of OCL.

We start with an example. The top part in Fig. 3 presents an OCL invariant expressing that the source and target ports of a connector have the same data type (l. 3). Typically, OCL constraints are written against a concrete metamodel; this, however, makes the OCL constraints dependent on a specific language implementation. As an example, our C&C language implementation MontiArc provides references to all connectors in a C&C model by: List<ConnectorSymbol> connectors = globalScope.resolve(ConnectorSymbol.KIND) [ 14 ]. A 1QM = 0, ASIL A = 1, ASIL B = 2, ASIL C = 3, ASIL D = 4 2directSubCmpPaths(cmp) computes the set of all paths from a subcomponent of cmp to an output port of cmp. 1 import CnCExt; 2 ocl ruleConnectorSamePortType { 3 context Con con inv: con.src.type == con.tgt.type } CnCExt.conf 5import de.monticore.lang.montiarc._symboltable.*; 6import static de. … .montiarc.helper.GraphFunctions.*; 7rewrite "Con" -> "ConnectorSymbol"; 8rewrite "src" -> "getSourcePort()"; 9rewrite "tgt" -> "getTargetPort()"; 10rewrite "type" -> "getType()"; 11… language-implementation-specific OCL constraint would reference the type ConnectorSymbol in Fig. 3, l. 3 rather than the general C&C type Con from Def. 1.

To address this problem, we decided to extend our OCL implementation to support importing of configuration files. A configuration file serves as a bridge from the mathematical definitions to the implementation-specific classes. Configuration files contain rewrite rules that rewrite names of C&C elements from Def. 1 and Def. 2 to implementation-specific OCL expressions. This concept is generic and extensible to multiple target implementations. The C&C model OCL constraints can be reused with different C&C meta-models as long all rewrite rules can be expressed using corresponding meta-model-specific OCL expressions.

The bottom part in Fig. 3 shows an excerpt of our MontiArc specific configuration file, which provides C&C specific functions in OCL constraints. It imports all required, implementation-specific Java classes (Fig. 3, bottom, l. 5) and contains rewrite rules (ll.7-10), similar to C preprocessor’s #define macros, to map C&C domain names to implementation-specific names. In addition to rewrite rules, the configuration file imports and provides graph functions (Fig. 3, bottom, l. 6) with C&C specific method implementations. For example, the function paths computes all C&C elements (components, ports, and connectors) on a path connecting an input to an output port. As another example, these graph functions can easily express the OCL invariant that each output port depends on at least one input port.

The complete configuration file for rewriting C&C concepts into MontiArc concepts consists of 11 rewrite rules and imports 12 helper functions for use in C&C model specific constraints. There are two kinds of helper functions. The first kind consists of graph-based functions that return a graph or chains of C&C elements connected (directly or indirectly) by two given C&C elements; they come in different versions to return only specific C&C elements (e.g., only components, or only components and ports), to avoid creating large graphs with unnecessary elements and accelerate the verification process. The second kind of helper functions are mathematical helper functions for EFPs such as min, max, sum, prod, union, or intersection. 1import CnCExt; 2import EFPExt; 3ocl ruleInstPower { 4 context Cmp cmp inv: // checks: ∈ 5 let 6 selectedValue = cmp.CType; // selection: ≔ ( ) ∈ 7 aggregatedValue = max(cmp.power, 0W);// aggregation: ≔ . 8 in consider maximum value of the power tags, and “0W” if power tag is missing 109 agmgirne(gsaetleedcVtaelduVeal<u=e.power,+ooW); } // comparison: ≤ . Fig. 4: OCL constraint for instantiation consistency of EFP power (Rule 1) 1// positive witness for checking: shows if positive or negative witness 2// ocl "ruleInstPower.ocl" on model "WBalloonSens.ma" 34/c/omapgognreengtatWeBdalvlaolouneSeinns m{odel: 2 W aggregateducsoveamfluuplelefsox,r 5 component GPS { /* tags power = 2500 mW] */ } calculations 6 component GPS gps1 /* tags power = 2 W */ ; } eavnadluCa&teCdmOoCdLelconstraint pwriitnnteesdswisitha avlalltidagCs&uCsemdoindethl,e aggregation

This section presents our second contribution: extending OCL with support for measurement units in order to allow modeling of EFP consistency constraints in OCL and to automatically generate witnesses for OCL constraint consistency or inconsistency. The OCL constraints follow the selection, aggregation, and comparison structure of EFP value consistency rules (Def. 3) we introduced in [ 12 ].

We structure this section by examples presenting different features of our OCL framework. The examples we show are an OCL constraint for InstPower (Rule 1) with a generated positive witness, an OCL constraint for CompPower (Rule 3) with a generated negative witness, and finally an OCL constraint for WCET Multi Core (Rule 6), which is the most complex example based on connection properties of C&C models.

Our consistency verification tool takes a textual MontiArc C&C model, EFP tag files tagging the C&C model, and an OCL constraint as input. The verification process is fully automated and consists of the following steps: (1) process the textual model (parsing text to an AST and creating symbol table) using the MontiCore framework [ 9 ]; (2) process the textual OCL constraint; (3) execute all rewrite rules of all imported configuration files; (4) generate Java code from the OCL constraint based on the AST and symbol table; and (5) execute the generated Java code to check the C&C model for consistency and to generate witnesses.

One challenge for implementing the generation of Java code from OCL was that while OCL is a type-less language, Java requires types for every declaration. Our generator infers the variable types from OCL by looking up the return types of invoked functions and propagating these types through nested List constructs (e.g., ll. 7-9 in Fig. 8).

Another challenge was adding a unit concept to OCL. Many EFPs contain values with measurement units. Thus we developed an additional language SIUnit, which our OCL implementation extends. SIUnit is capable of parsing imperial, SI, and unofficial SI units [ 26 ] with metric prefixes and derived constructs, e.g., 28:2km=h and 9:81m s 2. It supports additional symbols for plus and minus infinity. For unit conversions we use the JScience framework.

RQ1 Does our framework scale to large industry provided

C&C models? RQ2 Which steps of automated EFP value consistency checking are most time consuming?

Acme [ 5 ] allows one to specify first-order predicates on the structure of architectures, dealing, e.g., with connectedness of components. Our extension of OCL for C&C models provides similar features. However, to the best of our knowledge the constraint language of Acme does not support EFPs.

Grunske [ 6 ] presents an evaluation framework for EFPs, consisting of four elements. We focus on defining and checking consistency rules rather than on evaluation of EFPs. Nevertheless, Grunske [ 6 ] also observed the need for a general language to formulate evaluation of different EFP types.

Sentilles et al. [ 21 ] present a meta-model for integrating non-functional properties into C&C models. They focus on handling multiple EFPs for the same entity and did not implement rules for EFP consistency.

Cicchetti et al. [ 2 ] introduce a framework for evolution of EFP values and present, as an example, how the change of the WCET of a component requires updating the WCET of its parent component. To define validity conditions, they use the Epsilon Validation Language [ 27 ], which is similar to OCL. It is possible to extend our framework to support similar evolution scenarios.

Leveque and Sentilles [ 10 ] present refinement of EFPs through instantiation and subtyping of components. Engineers can use OCL constraints to filter EFP attributes of components. The OCL constraints are written against the meta-model of the C&C implementation. We use C&C-specific OCL constraints to define consistency rules beyond component EFP refinement.

Finally, Sapienza et al. [ 20 ] present EFP consistency rules for component composition. The tools used in [ 20 ] and a related case study [ 22 ] go beyond information stored with model elements, e.g., they measure EFP values by simulation. It is unclear whether their approach can be easily extended to additional or alternative EFP constraints.

We presented an OCL framework and tool for the description and verification of consistency rules of EFPs in C&C models. The work includes a C&C-specific extension of OCL with native support for measurement units, and an automatic mechanism for verifying consistency and producing witnesses for EFP consistency checking results. We implemented the approach within the MontiCore framework for the C&C modeling language MontiArc. Our initial evaluation on an industrial sized model shows that it is expressive and scales to large C&C models. Our framework works for comparable extra-functional properties, these include quantitative properties (e.g., worstcase execution time, power, or memory consumption) and qualitative properties (e.g., traceability, portability flags, ASIL security, or encryption levels).

Acknowledgements This research was supported by a Grant from the GIF, the German-Israeli Foundation for Scientific Research and Development.