Scenario-Based Modeling and Programming of Distributed Systems (Extended Abstract) Joel Greenyer1[0000−0003−0347−0158] FHDW Hannover, 30173 Hannover, Germany Abstract. Software systems become increasingly distributed and inter- connected. Single functions are usually realized by the interaction of mul- tiple components, while single components participate in fulfilling mul- tiple functions. During early development, engineers often design new functionalities by first taking an inter-component, interaction-oriented perspective, which must be mapped to a single-component implementa- tion perspective later. This extended abstract reviews past and ongoing work on scenario-based modeling and programming techniques, which support engineers in this process. We also discuss new opportunities for applying these techniques as well as open research challenges. Keywords: Scenario-Based Design · Reactive Systems · Behavioral Programming 1 Introduction From micro-services information systems to cyber-physical systems-of-systems, software-intensive systems become increasingly distributed and interconnected. In these systems, single functions are usually realized by the interaction of mul- tiple components, while single components often participate in fulfilling multi- ple functions. During the design of these systems, engineers often first take a birds-eye, inter-component view on how components shall interact in order to fulfill a certain function. Typically sequence diagrams or interaction overview diagrams are modeled during this phase to support design decision-making and communication. At some stage, these inter-component models must be mapped to specifications and, finally, implementations of the individual components. Scenario-based modeling techniques aim at supporting engineers in this pro- cess. One goal of these techniques is to facilitate the transition from inter- component- to component-specific behavior specifications, and doing so itera- tively. The second goal is to support the engineer with behavior analysis tech- niques already during the inter-component behavior modeling stage, so that engineers can make more informed early design decisions. Copyright © 2021 for this paper by its authors. Use permitted under Creative Com- mons License Attribution 4.0 International (CC BY 4.0). 242 J. Greenyer In this extended abstract, we give a brief review of the existing work in this context, with a pinch of personal experience and opinion. In particular, we cover own past and current work on the Scenario Modeling Language (SML) and the Scenario Modeling Language for Kotlin (SMLK), a Kotlin-based internal DSL for scenario-based programming. Concluding, we discuss open research directions. 2 Related Work Early research on scenario-based modeling was centered around Message Se- quence Charts (MSC) [26], which also influenced UML Sequence Diagrams. A number of approaches suggested techniques for deriving state-based models from individual MSCs [31, 39] and high-level MSCs [30], which are MSCs extended with control-flow constructs. Other approaches considered deriving state-based models in a setting where multiple MSC diagrams could be active at the same time [29, 34], and it was soon recognized that there needed to be a way to de- scribe constraints how scenarios are allowed to overlap. Some approaches used event pre- and post-conditions [40], others required the definition of the com- ponent states within the scenarios [8, 9], temporal logic constraints [4, 37, 38]. or proposed modeling positive and negative scenarios [24]. Addressing the problem of specifying overlapping scenarios, Damm and Harel introduced Live Sequence Charts (LSC) [5], which recognized that there is a difference between scenarios that should be possible to occur, and scenarios that express rules on the behavior that must always be satisfied. These scenario kinds are called existential resp. universal scenarios. Moreover, in universal scenarios it should be possible to distinguish between events that must occur and events that may occur or act as triggers for subsequent must-occur events. These are called hot (must occur) resp. cold (may occur) events. Likewise, hot and cold conditions can model mandatory- or interrupt conditions. Based on LSC, the Play-In/Play-Out approach was developed [21]. with the vision to interactively “play” with a system to teach it possible, allowed, or for- bidden behaviors, in the form of LSC diagrams. These LSC specification can then be executed using the Play-Out algorithm. There were numerous approaches to synthesize state-based models from LSC specifications [2, 20, 32, 33], and check- ing whether this is at all possible; combinations of must-happen and must-not- happen requirements can render LSC specifications unrealizable, meaning that no implementation of the specification exists. Our own work included realizability- checkig and synthesis techniques for timed LSC specifications [10, 18], and LSC- based product line specifications [12, 19]. Also the Petri Nets community sug- gested analysis techniques for LSCs, for example analyzing LSC specifications by mapping to Colored Petri Nets (CPN) [27] or by a procedure for composing Petri Nets from LSC-inspired Petri Net fragments [7]. With Behavioral Programming (BP) [23], the idea of LSCs was transferred to general-purpose programming languages, for example Java, JavaScript or C++. BP allows programmers to program behavior by loosely coupled behav- ioral threads (b-threads), where each b-thread can add behavior or constrain the behavior of other b-threads, allowing for a flexible composition of behavior. Scenario-Based Modeling and Programming of Distributed Systems 243 3 Scenario Modeling Language (SML) With the goal of extending existing LSC modeling techniques and experiment- ing with analysis algorithms, we developed the textual Scenario Modeling Lan- guage (SML), along with the Eclipse/EMF-based tool suite ScenarioTools. We chose a textual language for improved usability over a graphical notation. SML extends LSC with the capability to model assume/guarantee specifica- tions, where guarantee scenarios specify how a system must react to environ- ment events and assumption scenarios specify how the environment behaves. This gives SML an expressive power comparable GR(1) [1], a subset of LTL. A GR(1) specification is an implications of two generalized Büchi properties. For example, we can specify that cars must always be able to pass crosswalks in a traffic system assuming that each crosswalk is always eventually free of pedes- trians. ScenarioTools implements a GR(1) game solving algorithm [3] for realizability checking and controller synthesis. Moreover, SML extends previous LSC modeling techniques with features for modeling dynamic topology systems, which are systems with evolving structure [14]. Figure 1 shows an example of a Car-to-X system for coordinating cars that approach an obstacle blocking one lane of a two-lane road. The left illustrates two example scenarios with their SML counterpart shown on the right. SML speci- fications are typed over a domain class model (top right). For a more extensive description of SML and the example, we refer to the original paper [14]. approaching approaching obstacle on narrow obstacle on passage lane blocked lane obstacle control Domain class model Scenario 1 “Dashboard of the car approaching on the blocked lane shows STOP or GO” guarantee scenario CarGetsSignalBeforeReachingObstacle bindings [oc = cp.obstacleCtrl] { before obstacle is cp -> car.approachingObstacle() reached 2 alternative { obstacle control 3 show stop strict oc -> car.enteringAllowed } or { or go strict oc -> car.enteringDisallowed } approaching an obstacle 1 SML cp -> car.obstacleReached() on the blocked lane Scenarios } Scenario 2 “Control station checks for car approaching guarantee scenario CarRegistersAtObstacle on the blocked lane whether entering is allowed or not” bindings [oc = cp.obstacleCtrl] { is narrow area free? 3 cp -> car.approachingObstacle() entering strict urgent car -> oc.register() (any car registered for approach from 2 (Dis)Allowed 4 5 alternative [oc.passingCar == null] { the other side?) register obstacle control strict urgent oc -> oc.setPassingCar(car) show stop strict urgent oc -> car.enteringAllowed() or go } or [oc.passingCar != null] { strict urgent oc -> oc.waitingCars.add(car) strict urgent oc -> car.enteringDisallowed() approaching an obstacle 1 } on the blocked lane } Fig. 1. Car-to-X SML specification example 244 J. Greenyer Based on ScenarioTools, we experimented with different analysis tech- niques, for example symbolic execution [17], or automatic repair techniques [36]. 4 Some Lessons Learned The work on ScenarioTools and various examples [11, 13, 15, 16] has taught us several lessons: 1. LSC-/SML-style specification techniques indeed offer an intuitive way of modeling reactive behavior. They are more flexible and requirements-oriented than state-based models, but also more easily comprehensible than temporal logics due to offering a more step-by-step modeling style. 2. Constructs that forbid behavior should be used sparingly and carefully, as otherwise contradictions will be introduced easily. Strict messages (or hot messages in LSC), which are messages that, when enabled, forbid events appearing elsewhere in the scenario, are harmful in bigger scenarios, because one quickly looses the understanding in what constraints they actually imply. It is better to specify forbidden messages explicitly. 3. Simulation and formal realizability checking techniques are helpful in finding specification flaws. And specification flaws, just like bugs in other programs, are guaranteed to be introduced sooner or later. 4. For complex problems, it is difficult to understand the output generated by realizability checks. Even with interactive counter-play-out techniques that help the user by simulation to understand how the environment can force a violation, it may be difficult to understand the cause of the problem. 5. It is difficult to trust formal checks alone. Even if realizability checking re- turns a positive result, it is often difficult to understand which behaviors are or are not possible under the specification. The pragmatic approach is to specify tests that exercise intended use cases beginning-to-end. We suggest a test-driven approach, where scenarios are added just to a degree that satisfies the next test case. This way, it is possible to arrive at a specification with a trust that all use cases are covered. When changes break previous tests, it is immediately clear what change affected which steps of which previous use cases. Test-driven specification can be combined with realizability check- ing. The latter may uncover problematic cases that are not covered by the tests, for example untested combinations of inputs that lead to unforeseen combinations of active scenarios. 5 Scenario Modeling Language for Kotlin (SMLK) Even though significant work went into building SML and tool support in Sce- narioTools, we felt that eventually these tool developments would not help to make scenario-based modeling techniques better accepted in practice. SML and ScenarioTools could not fulfill the following requirements: Scenario-Based Modeling and Programming of Distributed Systems 245 1. Provide richer means for programming within the scenarios: For example, doing things like filtering a list or querying complex conditions, can be done with ScenarioTools, but only indirectly by calling external methods. SML is extensible, but extending it to a fully-fledged programming language would be a major effort. 2. Better integration with other libraries or frameworks: Integrating the ScenarioTools execution engine with external frameworks, such as a driving simulator or Android apps [15], is possible, but requires a cumber- some development of integration layers. 3. Lightweight and fast execution: The ScenarioTools execution engine is heavy-weight as it depends on EMF. Moreover, because the engine is based on the interpretation of SML/EMF models, it has a relatively high memory footprint and sometimes initial startup times of a few seconds. In addressing these requirements, we created an SML-like internal DSL in Java [28], based on the behavioral programming framework for Java, BPJ [22]. The approach, however, was too verbose. A few years later, Kotlin struck our attention, mainly for two reasons: First, Kotlin supports co-routines, which are lightweight threads that are less resource-intensive than Java threads. There- fore, they seemed a natural candidate for executing many concurrent scenarios. Second, Kotlin provides many features for building concise internal DSLs 1 . Exploiting these features, we created the Scenario Modeling Language for Kotlin (SMLK)2 . In SMLK, multiple scenarios can be executed as a scenario program. Following the behavioral programming approach [23] a scenario pro- gram is executed as follows: The active scenarios execute their code indepen- dently until they reach synchronization points where each scenario can requests, wait-for or forbid events from happening. A central event selection algorithm se- lects an event that is requested by at least one scenario and not forbidden by any other scenario. All scenarios requesting or waiting for that event are then noti- fied and can again independently execute their behavior until reaching the next synchronization point. This process is repeated until all scenarios terminate. Figure 2 shows an example of an SMLK scenario for a simple hierarchical name lookup system: a client can send a request to a server to obtain the name for a user ID. If the requested server does not have any name stored locally for the given user ID, it will request servers one hierarchy level below. If one of the servers has the name, it will be returned upwards in the hierarchy to the requesting client. Otherwise the client receives an “unknown” response. The shown scenario may be triggered for multiple servers in a server hierarchy. The client-server interaction illustration to the left of Fig. 2 is a screenshot from a JavaFX-based interaction animator application that animates the mes- sage interaction between objects3 . 1 see for example 2 see 3 the animator project Git repository: smlk-animator/; the hierarchical name lookup system example Git repository: 246 J. Greenyer scenario(Server::getUserName.symbolicEvent()){ // trigger: server receives getUserName req. val requestingClient = it.sender as IClient val userID = it.parameters[0] as String val server = it.receiver val userName = server.userIDToUserNameProperty[userID] if(userName != null){ request(server sends requestingClient.serverResponse("$userID:$userName")) }else{ for(slaveServer in server.slaveServers){ request(server sends slaveServer.getUserName(userID)) val responseEvent = waitFor(server receives IClient::serverResponse) val responseValue = responseEvent.parameters[0] as String if (!responseValue.endsWith("")) { request(server sends requestingClient.serverResponse(responseValue)) terminate() // do not wait for further slave server responses } } request(server sends requestingClient.serverResponse("$userID:")) } } Fig. 2. An example SMLK scenario of a simple hierarchical name lookup system with interaction animator UI screenshot SMLK integrates with JUnit and supports a test-driven scenario-specification methodology [42,44] and combining inter-component scenarios with component- specific scenarios [41, 43]. SMLK can also be used to specify traffic scenarios, similar to OpenSCE- NARIO4 or Traffic Sequence Charts [6], which are aimed at modeling tests for autonomous vehicles. Figure 3 shows a composed SMLK scenario that specifies a simple traffic scenario of one vehicle overtaking and then cutting a second vehicle 5 . Here, SMLK is integrated with SUMO; the box on the right of Fig. 3 shows snapshots of the resulting visual simulation output produced by SUMO. This example shall demonstrate the flexibility that SMLK offers in composing such scenarios: The main scenario cutIn starts by waiting until the overtaking vehicle approaches the second vehicle. This is performed by a sub-scenario wait- UntilDistanceSmallerThan that, as a parameter, can receive a scenario that is executed in each step while waiting for the distance condition to render true. Here, this is used to ensure that the overtaking vehicle is faster than the vehicle to be overtaken. The distance is calculated by a sub-scenario getDistance that waits for the vehicles’ position events, and then returns the difference. Of course, multiple such scenarios can be executed in parallel to direct and coordinate the movement of many vehicles. 6 Conclusion and Open Research Challenges We hope that we could provide an interesting, albeit self-biased, overview on the past work on and current state of scenario-based modeling techniques. Further 4 5 inspired by OpenSCENARIO_BS-1-2_User-Guide_V1-0-0.html#_cut_in Scenario-Based Modeling and Programming of Distributed Systems 247 suspend fun Scenario.cutIn( overtakingVehicle: SumoVehicle, overtakenVehicle : SumoVehicle, overtakingDistance : Double, cutInDistance : Double, ...) { waitUntilDistanceSmallerThan(overtakenVehicle, overtakingVehicle, overtakingDistance){ val overtakenVehicleSpeed = waitFor(overtakenVehicle.getSpeed()).result()!! request (overtakingVehicle.setSpeed(overtakenVehicleSpeed + overtakingSpeedDelta)) } request(overtakingVehicle.changeLane(1)) waitUntilDistanceSmallerThan(overtakenVehicle, overtakingVehicle, passingDistance) waitUntilDistanceGreaterThan(overtakenVehicle, overtakingVehicle, cutInDistance) request(overtakingVehicle.changeLane(0)) accelerateVehicle(overtakingVehicle, slowSpeed, slowDownDuration, slowDuration) } suspend fun Scenario.waitUntilDistanceSmallerThan( v1: SumoVehicle, v2:SumoVehicle, ... distance: Double, nestedBehavior: suspend Scenario.() -> Unit = {}) { ... do { val currentDistance = abs(getDistance(v1, v2)) ... nestedBehavior.invoke(this) } while(currentDistance >= distance) } suspend fun Scenario.getDistance(v1: SumoVehicle, v2:SumoVehicle) : Double { val executedEvents = unordered( waitedForEvents = v1.getLanePosition() union v2.getLanePosition()) as List> return executedEvents[0].result() as Double - executedEvents[1].result() as Double } ... Fig. 3. An example of composing SMLK scenario for specifying traffic scenarios that can be executed in the SUMO traffic simulator research is yet required to evaluate and improve these techniques. We conclude with a list of three interesting research directions: 1. Evaluation using larger-scale case studies: The existing literature of scenario-based modeling/programming techniques only reports on small- and medium-size case studies. It is time to exercise the development of more complex distributed cyber-physical systems or micro-service systems in order to reflect on the strengths and weaknesses of scenario-based techniques. 2. Improve realizability checking techniques and comprehensibility of the results: We highlighted the benefit and problems of formal realizability checking techniques. There are different ways in which these techniques could be improved. For example, could synthesized strategies or counter-strategies be presented to the user in more concise forms instead of producing huge state graph models? Could program repair techniques be applied in order to suggest scenario specification repairs if realizability checking fails? 3. Specify and simulate traffic scenarios for testing autonomous sys- tems: This seems a fitting area for applying scenario-based specification techniques as they support a step-by-step operational description of what shall happen in some places while also allowing for a more abstract, non- deterministic specification of behavior elsewhere. Tailoring tests for autono- mous vehicles that effectively and efficiently test behaviors of interest and support assessing residual risks [25, 35] is a great challenge. Could controller synthesis and learning techniques support test engineers in this process? 248 J. Acknowledgements The work on SML, ScenarioTools and the modeling and analysis of dynamic topology systems was funded by grant no. 1258 of the German- Israeli Foundation for Scientific Research and Development (GIF). The work was the result of a fruitful collaboration notably with David Harel, Assaf Marron, Shlomi Steinberg, Daniel Gritzner, Nils Glade, Timo Gutjahr, Florian König, Eric Wete, Jianwei Shi, and Larissa Chazette. The work on test-driven scenario specification employing SMLK is the result of a collaboration with Carsten Wiecher. Integrating SMLK with SUMO for traffic system specifications was supported by Maximilian Hölscher. 