% % GENERATED FROM http://acme.able.cs.cmu.edu % by : anonymous % IP : 216.73.216.171 % at : Wed, 02 Jul 2025 15:22:43 -0400 GMT % % Selection : Entry type = Article (Journal) % @Article{DiscoTectTSE, AUTHOR = {Schmerl, Bradley and Aldrich, Jonathan and Garlan, David and Kazman, Rick and Yan, Hong}, TITLE = {Discovering Architectures from Running Systems}, YEAR = {2006}, MONTH = {July}, JOURNAL = {IEEE Transactions on Software Engineering}, VOLUME = {32}, NUMBER = {7}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/discotect-tse.pdf}, ABSTRACT = {One of the challenging problems for software developers is guaranteeing that a system as built is consistent with its architectural design. In this paper, we describe a technique that uses runtime observations about an executing system to construct an architectural view of the system. In this technique, we develop mappings that exploit regularities in system implementation and architectural style. These mappings describe how low-level system events can be interpreted as more abstract architectural operations and are formally defined using Colored Petri Nets. In this paper, we describe a system, called DiscoTect, that uses these mappings and we introduce the DiscoSTEP mapping language and its formal definition. Two case studies showing the application of DiscoTect suggest that the tool is practical to apply to legacy systems and can dynamically verify conformance to a preexisting architectural specification.}, NOTE = {Also available from IEEE. Appendix A, Appendix B}, KEYWORDS = {DiscoTect, Rainbow, Self-Repair, Software Architecture} } @Article{Poladian2006, AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley and Shaw, Mary}, TITLE = {Task-Based Adaptation for Ubiquitous Computing}, YEAR = {2006}, MONTH = {May}, JOURNAL = {IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, Special Issue on Engineering Autonomic Systems}, VOLUME = {36}, NUMBER = {3}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/tbuc.pdf}, ABSTRACT = {An important domain for autonomic systems is the area of ubiquitous computing: users are increasingly surrounded by technology that is heterogeneous, pervasive, and variable. In this paper we describe our work in developing self-adapting computing infrastructure that automates the configuration and reconfiguration of such environments. Focusing on the engineering issues of self-adaptation in the presence of heterogeneous platforms, legacy applications, mobile users, and resource variable environments, we describe a new approach based on the following key ideas: (a) Explicit representation of user tasks allows us to determine what service qualities are required of a given configuration; (b) Decoupling task and preference specification from the lower level mechanisms that carry out those preferences provides a clean engineering separation of concerns between what is needed and how it is carried out; and (c) Efficient algorithms allow us to calculate in real time near-optimal resource allocations and reallocations for a given task.}, NOTE = {Also available at IEEE Xplore}, KEYWORDS = {Aura, Autonomic Systems, Ubiquitous Computing} } @Article{Garlan2004, AUTHOR = {Garlan, David and Cheng, Shang-Wen and Huang, An-Cheng and Schmerl, Bradley and Steenkiste, Peter}, TITLE = {Rainbow: Architecture-Based Self Adaptation with Reusable Infrastructure}, YEAR = {2004}, MONTH = {October}, JOURNAL = {IEEE Computer}, VOLUME = {37}, NUMBER = {10}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/computer04.pdf}, ABSTRACT = {The Rainbow framework uses software architectures and a reusable infrastructure to support self-adaptation of software systems. The use of external adaptation mechanisms allows the explicit specification of adaptation strategies for multiple system concerns.}, KEYWORDS = {Autonomic Systems, Landmark, Rainbow, Self-adaptation} } @Article{Garlan2002a, AUTHOR = {Garlan, David and Siewiorek, Dan and Smalagic, Asim and Steenkiste, Peter}, TITLE = {Project Aura: Towards Distraction-Free Pervasive Computing}, YEAR = {2002}, MONTH = {April}, JOURNAL = {IEEE Pervasive Computing, special issue on Integrated Pervasive Computing Environments}, VOLUME = {1}, NUMBER = {2}, PAGES = {22-31}, PDF = {http://www.cs.cmu.edu/afs/cs/project/aura/www/docdir/Aura-Perv02.pdf}, ABSTRACT = {The most precious resource in a computer system is no longer its processor, memory, disk, or network, but rather human attention. Aura aims to minimize distractions on a user's attention, creating an environment that adapts to the user's context and needs.}, KEYWORDS = {Aura, Ubiquitous Computing} } @Article{Garlan2002b, AUTHOR = {Garlan, David and Kompanek, Andrew and Cheng, Shang-Wen}, TITLE = {Reconciling the Needs of Architectural Description with Object-Modeling Notations}, YEAR = {2002}, JOURNAL = {Science of Computer Programming}, VOLUME = {44}, PAGES = {23-49}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.ps}, ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged. One is to use a specialized notation for architecture - or architecture description language (ADL). The other is to adapt a general-purpose modeling notation, such as UML. The latter has a number of benefits, including familiarity to developers, close mapping to implementations, and commercial tool support. However, it remains an open question as to how best to use object-oriented notations for architectural description, and, indeed, whether they are sufficiently expressive, as currently defined. In this paper we take a systematic look at these questions, examining the space of possible mappings from ADLs into object notations. Specifically, we describe (a) the principle strategies for representing architectural structure in UML; (b) the benefits and limitations of each strategy; and (c) aspects of architectural description that are intrinsically difficult to model in UML using the strategies.}, KEYWORDS = {Software Architecture, UML} } @Article{Sousa2001, AUTHOR = {Sousa, Jo\~{a}o and Garlan, David}, TITLE = {Formal Modeling of the Enterprise JavaBeans Component Integration Framework}, YEAR = {2001}, MONTH = {March}, JOURNAL = {Information and Software Technology}, VOLUME = {43}, NUMBER = {3}, NOTE = {Also available as Technical Report CMU-CS-00-162, Carnegie Mellon University School of Computer Science}, KEYWORDS = {Formal Methods, Software Architecture} } @Article{Kaplan2002, AUTHOR = {Kaplan, Alan and Schmerl, Bradley and Veeraraghaven, Rajesh}, TITLE = {Toward Automated Support for Transparent Interoperable Queries}, YEAR = {2002}, MONTH = {October}, JOURNAL = {Journal of Information Technology and Management}, VOLUME = {3}, NUMBER = {4}, PAGES = {387-406}, URL = {http://www.ingentaconnect.com/content/klu/item/2002/00000003/00000004/05093521;jsessionid=h7vv7b6cf8uk.victoria}, NOTE = {A shorter version of this paper appeared in the Ninth Workshop on Information Technologies and Systems (WITS99)(Charlotte, USA, December 1999)} } @Article{DGJN97, AUTHOR = {Dingel, Jurgen and Garlan, David and Jha, Somesh and Notkin, David}, TITLE = {Towards a formal treatment of implicit invocation using rely/guarantee reasoning}, YEAR = {1998}, JOURNAL = {Formal Aspects of Computing}, VOLUME = {1-}, PAGES = {193-213}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.ps}, ABSTRACT = {Implicit invocation has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specification and verification formalisms for such systems. A formal computational model for implicit invocation is presented. We develop a verification framework for implicit invocation that is based on Jones' rely/guarantee reasoning for concurrent systems. The application of the framework is illustrated with several examples. The merits and limitations of the rely/guarantee paradigm in the context of implicit invocation systems are also discussed. }, NOTE = {Supersedes CMU-CS-97-153.}, KEYWORDS = {Implicit Invocation, Formal Methods, Software Architecture} } @Article{Monroe97Software, AUTHOR = {Monroe, Robert T. and Kompanek, Andrew and Melton, Ralph and Garlan, David}, TITLE = {Architectural Styles, Design Patterns, and Objects}, YEAR = {1997}, MONTH = {January}, JOURNAL = {IEEE Software}, KEY = {Monroe}, VOLUME = {14}, NUMBER = {1}, PAGES = {43-52}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.ps}, ABSTRACT = {Software system builders are increasingly recognizing the importance of exploiting design knowledge in the engineering of new systems. One way to do this is to define an architectural style for a collection of related systems. The style determines a coherent vocabulary of system design elements and rules for their composition. By structuring the design space for a family of related systems a style can, in principle, drastically simplify the process of building a system, reduce costs of implementation through reusable infrastructure, and improve system integrity through style-specific analyses and checks. Like architectural style, object-oriented design patterns attempt to capture and exploit design knowledge to ease the process of designing software systems and reusing proven designs. There are, however, significant differences in the roles and capabilities of architectural styles and object-oriented design patterns, as there are between architectural design and object-oriented design. In this paper we illustrate the relationship between software architecture and object-oriented design, as well as the relationship between architectural styles and design patterns. We begin by defining our terms and then proceed to compare and contrast the various approaches with examples. }, KEYWORDS = {Architectural Style, Software Architecture} } @Article{Allen97TOSEM, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {A Formal Basis for Architectural Connection}, YEAR = {1997}, MONTH = {July}, JOURNAL = {ACM Transactions on Software Engineering and Methodology}, KEY = {Allen}, VOLUME = {6}, NUMBER = {3}, PAGES = {213-249}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.ps}, ABSTRACT = {As software systems become more complex the overall system structure -- or software architecture -- becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a formal approach to one aspect of architectural design: the interactions between components. The key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We further provide a formal semantics and show how this leads to a system in which architectural compatibility can be checked in a way analogous to type checking in programming languages. }, KEYWORDS = {Formal Methods, Model Checking, Software Architecture} } @Article{Garlan1997, AUTHOR = {Garlan, David and Tomayko, James and Gluch, David}, TITLE = {Agents of Change: Educating Future Leaders in Software Engineering}, YEAR = {1997}, MONTH = {November}, JOURNAL = {IEEE Computer}, KEYWORDS = {Software Engineering, Education} } @Article{Garlan95TSE-intro, AUTHOR = {Garlan, David and Perry, Dewayne}, TITLE = {Introduction to the Special Issue on Software Architecture}, YEAR = {1995}, MONTH = {April}, JOURNAL = {IEEE Transactions on Software Engineering}, KEY = {Garlan}, VOLUME = {21}, NUMBER = {4}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saintro-tse95/saintro-tse95.pdf}, ABSTRACT = {A critical aspect of the design for any large software system is its gross structure represented as a high-level organization of computational elements and interactions between those elements. Broadly speaking, this is the software architectural level of design. The structure of software has long been recognized as an important issue of concern. However, recently software architecture has begun to emerge as an explicit field of study for software engineering practitioners and researchers. Evidence of this trend is apparent in a large body of recent work in research such as module interface languages, domain specific architectures, architectural description languages, design patterns and handbooks, formal underpinnings for architectural design, and architectural design environments. This IEEE Transactions on Software Engineering Special Issue on Software Architecture presents seven papers that illustrate many of these emerging research areas.}, KEYWORDS = {Software Architecture} } @Article{IEEE1995/reuse, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Architectural Mismatch: Why Reuse is so Hard}, YEAR = {1995}, JOURNAL = {IEEE Software}, VOLUME = {12}, NUMBER = {6}, PAGES = {17-26}, KEYWORDS = {Software Architecture} } @Article{Abowd1995, AUTHOR = {Abowd, Gregory and Allen, Robert and Garlan, David}, TITLE = {Formalizing Style to Understand Descriptions of Software Architecture}, YEAR = {1995}, MONTH = {October}, JOURNAL = {ACM Transactions on Software Engineering and Methodology}, VOLUME = {4}, NUMBER = {4}, PAGES = {319-364}, PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.pdf}, PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.ps}, ABSTRACT = {The software architecture of most systems is usually described informally and diagrammatically by means of boxes and lines. In order for these descriptions to be meaningful, the diagrams are understood by interpreting the boxes and lines in specic, conventionalized ways. The informal, imprecise nature of these interpretations has a number of limitations. In this paper we consider these conventionalized interpretations as architectural styles and provide a formal framework for their uniform denition. In addition to providing a template for precisely dening new architectural styles, this framework allows for analysis within and between dierent architectural styles.}, KEYWORDS = {Architectural Analysis, Architectural Style, Landmark, Software Architecture} } @Article{Garlan2006a, AUTHOR = {Seceleanu, Tiberiu and Garlan, David}, TITLE = {Developing adaptive systems with synchronized architectures}, YEAR = {2006}, MONTH = {November}, JOURNAL = {The Journal of Systems and Software}, VOLUME = {79}, NUMBER = {11}, PAGES = {1514-1526}, URL = {http://dx.doi.org/10.1016/j.jss.2006.03.047}, ABSTRACT = {In this paper we show how to specify and refine self-adapting systems, by employing the state-based formalism called action systems. Assuming a fixed set of possible configurations, we use a recently-introduced synchronization operator to achieve separation of concerns between adaptation policy, fault tolerance and steady-state system execution. Using action systems allows us to apply standard refinement techniques, aimed for correct implementations of higher-level models. We illustrate this idea by applying it to the problem of coping with dynamically-varying user requirements and possible fault situations.}, KEYWORDS = {Autonomic Systems, Software Architecture} } @Article{garlan2007, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {The RADAR Architecture for Personal Cognitive Assistance}, YEAR = {2007}, MONTH = {April}, JOURNAL = {International Journal of Software Engineering and Knowledge Engineering}, VOLUME = {17}, NUMBER = {2}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IJSEKE-paper-submission.pdf}, ABSTRACT = {Current desktop environments provide weak support for carrying out complex user-oriented tasks. Although individual applications are becoming increasingly sophisticated and feature-rich, users must map their high-level goals to the low-level operational vocabulary of applications, and deal with a myriad of routine tasks (such as keeping up with email, keeping calendars and web sites up-to-date, etc.). An alternative vision is that of a personal cognitive assistant. Like a good secretary, such an assistant would help users accomplish their high-level goals, coordinating the use of multiple applications, automatically handling routine tasks, and, most importantly, adapting to the individual needs of a user over time. In this paper we describe the architecture and its implementation for a personal cognitive assistant called RADAR. Key features include (a) extensibility through the use of a plug-in agent architecture (b) transparent integration with legacy applications and data of today?s desktop environments, and (c) extensive use of learning so that the environment adapts to the individual user over time.}, NOTE = {A shorter version of this paper appeared in the 2006 Conference on Software Engineering and Knowledge Engineering (SEKE 2006).}, KEYWORDS = {Personal Assistance, RADAR, Software Architecture} } @Article{RajhansMPM2009, AUTHOR = {Rajhans, Akshay and Cheng, Shang-Wen and Schmerl, Bradley and Garlan, David and Krogh, Bruce and Agbi, Clarence and Bhave, Ajinkya Y.}, TITLE = {An Architectural Approach to the Design and Analysis of Cyber-Physical Systems}, YEAR = {2009}, JOURNAL = {Electronic Communications of the EASST}, VOLUME = {21: Multi-Paradigm Modeling}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/286-855-1-PB.pdf}, ABSTRACT = {This paper presents an extension of existing software architecture tools to model physical systems, their interconnections, and the interactions between physical and cyber components. A new CPS architectural style is introduced to support the principled design and evaluation of alternative architectures for cyber-physical systems (CPSs). The implementation of the CPS architectural style in AcmeStudio includes behavioral annotations on components and connectors using either ?nite state processes (FSP) or linear hybrid automata (LHA) with plug-ins to perform behavior analysis using the Labeled Transition System Analyzer (LTSA) or Polyhedral Hybrid Automata Veri?er (PHAVer), respectively. The CPS architectural style and analysis plug-ins are illustrated with an example. }, KEYWORDS = {Cyberphysical Systems} } @Article{Delisle1990, AUTHOR = {Delisle, Norman and Garlan, David}, TITLE = {A Formal Specification of an Oscilloscope}, YEAR = {1990}, MONTH = {September}, JOURNAL = {IEEE Software}, VOLUME = {7}, NUMBER = {5} } @Article{AANSG08, AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Nahas, Nagi and Schmerl, Bradley and Garlan, David}, TITLE = {Differencing and Merging of Architectural Views}, YEAR = {2008}, MONTH = {March}, JOURNAL = {Automated Software Engineering Journal}, VOLUME = {15}, NUMBER = {1}, ABSTRACT = {Differencing and merging architectural views is an important activity in software engineering. However, existing approaches are still based on restrictive assumptions, such as requiring view elements to have unique identiers or exactly matching types, which is often not the case in many application domains. We propose an approach based on structural information. We generalize a published polynomial-time tree-to-tree correction algorithm that detects inserts, renames and deletes, into a novel algorithm that additionally detects restricted moves. Our algorithm also supports forcing and preventing matches between view elements. We incorporate the algorithm into tools to compare and merge Component-and-Connector (C&C) architectural views. We provide an empirical evaluation of the algorithm. We illustrate the tools using extended examples, and use them to detect and reconcile interesting differences between real architectural views.}, NOTE = {Final version available online at http://dx.doi.org/10.1007/s10515-007-0023-3.}, KEYWORDS = {Acme, ArchJava, Software Architecture} } @Article{Kang2009, AUTHOR = {Kang, Sungwon and Garlan, David}, TITLE = {Valuation of Architecture-based Deterministic Plan for Software Evolution}, YEAR = {2009}, MONTH = {October}, JOURNAL = {The KIPS Transactions: Part D}, VOLUME = {16-D}, NUMBER = {5}, PAGES = {755-566}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/12 J4_200900069_R5-clean copy.pdf}, ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it exists in order to make systematic and planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about evolution of a software system and analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning for the class of deterministic evolution plans by defining and relating various essential concepts and developing its valuation mechanism so that a plan with the greatest value among candidate plans can be selected as the optimal plan. A case study is conducted for explicating the framework and exemplifying its usage.} } @Article{Kim2010, AUTHOR = {Kim, Jung Soo and Garlan, David}, TITLE = {Analyzing Architectural Styles}, YEAR = {2010}, JOURNAL = {Journal of Software and Systems}, VOLUME = {83}, NUMBER = {7}, PAGES = {1216-1235}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-final-revision3.pdf}, ABSTRACT = {The backbone of most software architectures and component integration frameworks is one or more architectural styles that provide a domain-speci c design vocabulary and a set of constraints on how that vocabulary is used. Today's architectural styles are increasingly complex, involving rich vocabularies and numerous constraints. Hence, designing a sound and appropriate style becomes an intellectually challenging activity. Unfortunately, although there are numerous tools to help in the analysis of architectures for individual systems, relatively less work has been done on tools to help in the design of architectural styles. In this paper we address this gap by showing how to map an architectural style, expressed formally in an architectural description language, into a relational model that can then be checked for properties, such as whether a style is consistent, whether a style satis es some predicates over its architectural structure, and whether two styles are compatible for composition.}, KEYWORDS = {Architectural Analysis, Architectural Style} } @Article{2012:Cheng:Stitch, AUTHOR = {Cheng, Shang-Wen and Garlan, David}, TITLE = {Stitch: A Language for Architecture-Based Self-Adaptation}, YEAR = {2012}, MONTH = {December}, JOURNAL = {Journal of Systems and Software, Special Issue on State of the Art in Self-Adaptive Systems}, VOLUME = {85}, NUMBER = {12}, EDITOR = {Weyns, Danny and Andersson, Jesper and Malek, Sam and Schmerl, Bradley}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-S-11-00544.pdf}, ABSTRACT = {Requirements for high availability in computing systems today demand that systems be self-adaptive to maintain expected qualities-of-service in the presence of system faults, variable environmental conditions, and changing user requirements. Autonomic computing tackles the challenge of automating tasks that humans would otherwise have to perform to achieve this goal. However, existing approaches to autonomic computing lack the ability to capture routine human repair tasks in a way that takes into account the business context that humans use in selecting an appropriate form of adaptation, while dealing with timing delays and uncertainties in outcome of repair actions. In this article, we present Stitch, a language for representing repair strategies within the context of an architecture-based self-adaptation framework. Stitch supports the explicit representation of repair decision trees together with the ability to express business objectives, allowing a self-adaptive system to select a strategy that has optimal utility in a given context, even}, NOTE = {http://dx.doi.org/10.1016/j.jss.2012.02.060 }, KEYWORDS = {Landmark, Rainbow, Self-adaptation, Self-Repair, Stitch} } @Article{Garlan/Mismatch/2009, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Architectural Mismatch: Why Reuse is Still So Hard}, YEAR = {2009}, MONTH = {July}, JOURNAL = {IEEE Software, 25th-Anniversary Top Picks}, PAGES = {66-69}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DG+09.pdf}, KEYWORDS = {Software Architecture} } @Article{Barnes/AEVol/2012, AUTHOR = {Barnes, Jeffrey M. and Garlan, David and Schmerl, Bradley}, TITLE = {Evolution styles: foundations and models for software architecture evolution}, YEAR = {2014}, MONTH = {May}, JOURNAL = {Journal of Software and Systems Modeling}, VOLUME = {13}, NUMBER = {2}, PAGES = {649-678}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sosym.pdf}, ABSTRACT = {As new market opportunities, technologies, platforms, and frameworks become available, systems require large-scale and systematic architectural restructuring to accommodate them. Today’s architects have few techniques to help them plan this architecture evolution. In particular, they have little assistance in planning alternative evolution paths, trading off various aspects of the different paths, or knowing best practices for particular domains. In this paper we describe an approach for planning and reasoning about architecture evolution. Our approach focuses on providing architects with the means to model prospective evolution paths and supporting analysis to select among these candidate paths. To demonstrate the usefulness of our approach, we show how it can be applied to an actual architecture evolution. In addition, we present some theoretical results about our evolution path constraint specification language.}, NOTE = {DOI 10.1007/s10270-012-0301-9}, KEYWORDS = {Architecture Evolution, Landmark} } @Article{Rajhans/TAC/2013, AUTHOR = {Rajhans, Akshay and Bhave, Ajinkya Y. and Ruchkin, Ivan and Krogh, Bruce and Garlan, David and Platzer, Andre and Schmerl, Bradley}, TITLE = {Supporting Heterogeneity in Cyber-Physical Systems Architectures}, YEAR = {2014}, MONTH = {December}, JOURNAL = {IEEE Transactions on Automatic Control}, VOLUME = {59}, NUMBER = {12}, PAGES = {3178--3193}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TAS-Dec-2014.pdf}, ABSTRACT = {Cyber-physical systems (CPS) are heterogeneous, because they tightly couple computation, communication and control along with physical dynamics, which are traditionally considered separately. Without a comprehensive modeling formalism, model-based development of CPS involves using a multitude of models in a variety of formalisms that capture various aspects of the system design, such as software design, networking design, physical models, and protocol design. Without a rigorous unifying framework, system integration and integration of the analysis results for various models remains ad hoc. In this paper, we propose a multi-view architecture framework that treats models as views of the underlying system structure and uses structural and semantic mappings to ensure consistency and enable system-level veri?cation from that of the models in a hierarchical and compositional manner. Throughout the paper, the theoretical concepts are illustrated using two examples, an automotive intersection collision avoidance system and a quadrotor.}, NOTE = {Also available at http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6882828}, KEYWORDS = {Cyberphysical Systems, Landmark} } @Article{Kang/2014/IJSEKE, AUTHOR = {Kang, Sungwon and Garlan, David}, TITLE = {Architecture-based planning of software evolution}, YEAR = {2014}, MONTH = {March}, JOURNAL = {International Journal of Software Engineering and Knowledge Engineering}, VOLUME = {24}, NUMBER = {2}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/evolutionPlanning.pdf}, ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it has been implemented, so as to make planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about the evolution of a software system and to analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning. It is done by defining various foundational terms and concepts, providing a taxonomy of software evolution plans, and then showing how to calculate values for various types of plans. By identifying and defining constituent foundational concepts, this conceptual framework makes precise the notion of ‘architecture-based software planning’. By developing a value-calculation framework for software evolution plans, it also provides a basis for concrete methods for designing and evaluating evolution plans.}, NOTE = {DOI: 10.1142/S0218194014500090}, KEYWORDS = {Architecture Evolution} } @Article{Camara:2016:ALS:2872308.2774222, AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David and Schmerl, Bradley}, TITLE = {Analyzing Latency-Aware Self-Adaptation Using Stochastic Games and Simulations}, YEAR = {2016}, MONTH = {February}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems (TAAS) - Special Section on Best Papers from SEAMS 2014 and Regular Articles}, VOLUME = {10}, NUMBER = {4}, PAGES = {23:1--23:28}, ADDRESS = {New York, NY, USA}, PUBLISHER = {ACM}, URL = {http://doi.acm.org/10.1145/2774222}, ABSTRACT = {Self-adaptive systems must decide which adaptations to apply and when. In reactive approaches, adaptations are chosen and executed after some issue in the system has been detected (e.g., unforeseen attacks or failures). In proactive approaches, predictions are used to prepare the system for some future event (e.g., traffic spikes during holidays). In both cases, the choice of adaptation is based on the estimated impact it will have on the system. Current decision-making approaches assume that the impact will be instantaneous, whereas it is common that adaptations take time to produce their impact. Ignoring this latency is problematic because adaptations may not achieve their effect in time for a predicted event. Furthermore, lower impact but quicker adaptations may be ignored altogether, even if over time the accrued impact is actually higher. In this article, we introduce a novel approach to choosing adaptations that considers these latencies. To show how this improves adaptation decisions, we use a two-pronged approach: (i) model checking of Stochastic Multiplayer Games (SMGs) enables us to understand best- and worst-case scenarios of optimal latency-aware and non-latency-aware adaptation without the need to develop specific adaptation algorithms. However, since SMGs do not provide an algorithm to make choices at runtime, we propose a (ii) latency-aware adaptation algorithm to make decisions at runtime. Simulations are used to explore more detailed adaptation behavior and to check if the performance of the algorithm falls within the bounds predicted by SMGs. Our results show that latency awareness improves adaptation outcomes and also allows a larger set of adaptations to be exploited.}, NOTE = {ISSN 1556-4665}, KEYWORDS = {Latency-aware, Self-adaptation, Stochastic Games} } @Article{Camara/ISS/2015, AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Garlan, David and Gomes, Pedro and Schmerl, Bradley and Ventura, Rafael}, TITLE = {Incorporating Architecture-Based Self-Adaptation into an Adaptive Industrial Software System}, YEAR = {2015}, JOURNAL = {Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ABSA-DCASc.pdf}, ABSTRACT = {Complex software-intensive systems are increasingly relied upon for all kinds of activities in society, leading to the requirement that these systems should be resilient to changes that may occur to the system, its environment, or its goals. Traditionally, resilience has been achieved either through: (i) low-level mechanisms embedded in the implementation (e.g., exception handling, timeouts, redundancies), which are unable to detect subtle but important anomalies (e.g., progressive performance degradation); or (ii) human oversight, which is costly and unreliable. Architecture-based self-adaptation (ABSA) is regarded as a promising approach to improve the resilience and reduce the development/operation costs of such systems. Although researchers have illustrated the benefits of ABSA through a number of small-scale case studies, it remains to be seen whether ABSA is truly effective in handling changes at run-time in industrial-scale systems. In this paper, we report on our experience applying an ABSA framework (Rainbow) to a large-scale commercial software system, called Data Acquisition and Control Service (DCAS), which is used to monitor and manage highly populated networks of devices in renewable energy production plants. In the approach followed, we have replaced some of the existing adaptive mechanisms embedded in DCAS by those advocated by ABSA proponents. This has allowed us to assess the development costs associated with the reengineering of adaptive mechanisms when using an ABSA solution, and to make effective comparisons, in terms of operational performance, between a baseline industrial system and one that uses ABSA. Our results show that using the ABSA concepts as embodied in Rainbow enabled an independent team of developers to: (i) effectively implement the adaptation behavior required from such industrial systems; and (ii) obtain important benefits in terms of maintainability and extensibility of adaptation mechanisms.}, NOTE = {Available on-line http://dx.doi.org/10.1016/j.jss.2015.09.021}, KEYWORDS = {Rainbow, Self-adaptation, Software Engineering} } @Article{Camara:2016:50, AUTHOR = {C\'{a}mara, Javier and Lopes, Ant\'{o}nia and Garlan, David and Schmerl, Bradley}, TITLE = {Adaptation impact and environment models for architecture-based self-adaptive systems}, YEAR = {2016}, JOURNAL = {Science of Computer Programming, Special issue of the 11th International Symposium on Formal Aspects of Component Software }, VOLUME = {127}, PAGES = {50-75}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LGC-IMCamara_2016_50.pdf}, ABSTRACT = {Self-adaptive systems have the ability to adapt their behavior to dynamic operating conditions. In reaction to changes in the environment, these systems determine the appropriate corrective actions based in part on information about which action will have the best impact on the system. Existing models used to describe the impact of adaptations are either unable to capture the underlying uncertainty and variability of such dynamic environments, or are not compositional and described at a level of abstraction too low to scale in terms of specification effort required for non-trivial systems. In this paper, we address these shortcomings by describing an approach to the specification of impact models based on architectural system descriptions, which at the same time allows us to represent both variability and uncertainty in the outcome of adaptations, hence improving the selection of the best corrective action. The core of our approach is a language equipped with a formal semantics defined in terms of Discrete Time Markov Chains that enables us to describe both the impact of adaptation tactics, as well as the assumptions about the environment. To validate our approach, we show how employing our language can improve the accuracy of predictions used for decision-making in the Rainbow framework for architecture-based self-adaptation.}, NOTE = {doi:10.1016/j.scico.2015.12.006}, KEYWORDS = {Self-adaptation, uncertainty} } @Article{2016/Franco/JSS, AUTHOR = {Franco, Jo\~{a}o and Correia, Francisco and Barbosa, Raul and Zenha-Rela, Mario and Schmerl, Bradley and Garlan, David}, TITLE = {Improving Self-Adaptation Planning through Software Architecture-based Stochastic Modeling}, YEAR = {2016}, MONTH = {May}, JOURNAL = {Journal of Systems and Software}, VOLUME = {115}, PAGES = {42-60}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/images.pdf}, ABSTRACT = {The ever-growing complexity of software systems makes it increasingly challenging to foresee at design time all interactions between a system and its environment. Most self-adaptive systems trigger adaptations through operators that are statically confi gured for specifi c environment and system conditions. However, in the occurrence of uncertain conditions, self-adaptive decisions may not be eff ective and might lead to a disruption of the desired non-functional attributes. To address this, we propose an approach that improves the planning stage by predicting the outcome of each strategy. In detail, we automatically derive a stochastic model from a formal architecture description of the managed system with the changes imposed by each strategy. Such information is used to optimize the self-adaptation decisions to ful fill the desired quality goals. To assess the eff ectiveness of our approach we apply it to a cloud-based news system and predicted the reliability for each possible adaptation strategy. The results obtained from our approach are compared to a representative static planning algorithm as well as to an oracle that always makes the ideal decision. Experiments show that our method improves both availability and cost when compared to the static planning algorithm, while being close to the oracle. Our approach may therefore be used to optimize self-adaptation planning.}, KEYWORDS = {Self-adaptation} } @Article{2017:Camara:Resilience, AUTHOR = {C\'{a}mara, Javier and de Lemos, Rog\'{e}rio and Laranjeiro, Nuno and Ventura, Rafael and Vieira, Marco}, TITLE = {Robustness-Driven Resilience Evaluation of Self-Adaptive Systems}, YEAR = {2017}, JOURNAL = {IEEE Transactions on Dependable and Secure Computing }, VOLUME = {14}, NUMBER = {1}, PAGES = {50-64}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RD-RE-SAS-TDSC.pdf}, ABSTRACT = {An increasingly important requirement for certain classes of software-intensive systems is the ability to self-adapt their structure and behavior at run-time when reacting to changes that may occur to the system, its environment, or its goals. A major challenge related to self-adaptive software systems is the ability to provide assurances of their resilience when facing changes. Since in these systems, the components that act as controllers of a target system incorporate highly complex software, there is the need to analyze the impact that controller failures might have on the services delivered by the system. In this paper, we present a novel approach for evaluating the resilience of self-adaptive software systems by applying robustness testing techniques to the controller to uncover failures that can affect system resilience. The approach for evaluating resilience, which is based on probabilistic model checking, quantifies the probability of satisfaction of system properties when the target system is subject to controller failures. The feasibility of the proposed approach is evaluated in the context of an industrial middleware system used to monitor and manage highly populated networks of devices, which was implemented using the Rainbow framework for architecture-based self-adaptation.}, KEYWORDS = {Assurance, Landmark, Rainbow, Resilience, Self-adaptation} } @Article{2018/Moreno/FlexibleLatency, AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Flexible and Efficient Decision-Making for Proactive Latency-Aware Self-Adaptation}, YEAR = {2018}, MONTH = {May}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, VOLUME = {13}, NUMBER = {1}, ABSTRACT = {Proactive latency-aware adaptation is an approach for self-adaptive systems that considers both the current and anticipated adaptation needs when making adaptation decisions, taking into account the latency of the available adaptation tactics. Since this is a problem of selecting adaptation actions in the context of the probabilistic behavior of the environment, Markov decision processes (MDP) are a suitable approach. However, given all the possible interactions between the different and possibly concurrent adaptation tactics, the system, and the environment, constructing the MDP is a complex task. Probabilistic model checking has been used to deal with this problem, but it requires constructing the MDP every time an adaptation decision is made to incorporate the latest predictions of the environment behavior. In this article, we describe PLA-SDP, an approach that eliminates that run-time overhead by constructing most of the MDP offine. At run time, the adaptation decision is made by solving the MDP through stochastic dynamic programming, weaving in the environment model as the solution is computed. We also present extensions that support different notions of utility, such as maximizing reward gain subject to the satisfaction of a probabilistic constraint, making PLA-SDP applicable to systems with different kinds of adaptation goals.}, NOTE = {https://doi.org/10.1145/3149180}, KEYWORDS = {Latency-aware, Self-adaptation} } @Article{2018:Camara:UncertaintyReduction, AUTHOR = {C\'{a}mara, Javier and Peng, Wenxin and Garlan, David and Schmerl, Bradley}, TITLE = {Reasoning about Sensing Uncertainty and its Reduction in Decision-Making for Self-Adaptation}, YEAR = {2018}, MONTH = {1 December}, JOURNAL = {Science of Computer Programming}, VOLUME = {167}, PAGES = {51-69}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/scp-uncertainty.pdf}, ABSTRACT = {Adaptive systems are expected to adapt to unanticipated run-time events using imperfect information about themselves, their environment, and goals. This entails handling the effects of uncertainties in decision-making, which are not always considered as a first-class concern. This paper contributes a formal analysis technique that explicitly considers uncertainty in sensing when reasoning about the best way to adapt, together with uncertainty reduction mechanisms to improve system utility. We illustrate our approach on a Denial of Service (DoS) attack scenario and present results that demonstrate the benefits of uncertainty-aware decision-making in comparison to using an uncertainty-ignorant approach, both in the presence and absence of uncertainty reduction mechanisms.}, KEYWORDS = {Formal Methods, Self-adaptation} } @Article{2019:Camara:Synthesis, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Synthesizing Tradeoff Spaces of Quantitative Guarantees for Families of Software Systems}, YEAR = {2019}, MONTH = {June}, JOURNAL = {Journal of Systems and Software}, VOLUME = {152}, PAGES = {33-49}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CGS-JSS19.pdf}, ABSTRACT = {Designing software in a way that guarantees run-time behavior while achieving an acceptable balance among multiple quality attributes is an open problem. Providing guarantees about the satisfaction of the same requirements under uncertain environments is even more challenging. Tools and techniques to inform engineers about poorly-understood design spaces in the presence of uncertainty are needed, so that engineers can explore the design space, especially when tradeoffs are crucial. To tackle this problem, we describe an approach that combines synthesis of spaces of system design alternatives from formal specifications of architectural styles with probabilistic formal verification. The main contribution of this paper is a formal framework for specification-driven synthesis and analysis of design spaces that provides formal guarantees about the correctness of system behaviors and satisfies quantitative properties (e.g., defined over system qualities) subject to uncertainty, which is treated as a first-class entity. We illustrate our approach in two case studies: a service-based adaptive system and a mobile robotics architecture. Our results show how the framework can provide useful insights into how average case probabilistic guarantees can differ from worst case guarantees, emphasizing the relevance of combining quantitative formal verification methods with structural synthesis, in contrast with techniques based on simulation and dynamic analysis that can only provide estimates about average case probabilistic properties.}, NOTE = {https://doi.org/10.1016/j.jss.2019.02.055}, KEYWORDS = {Architectural Analysis, Architectural Style, Assurance} } @Article{2018/MOSAICO, AUTHOR = {C\'{a}mara, Javier and Schmerl, Bradley and Moreno, Gabriel A. and Garlan, David}, TITLE = {MOSAICO: Offline Synthesis of Adaptation Strategy Repertoires with Flexible Trade-Offs}, YEAR = {2018}, MONTH = {September}, JOURNAL = {Automated Software Engineering}, VOLUME = {25}, NUMBER = {3}, PAGES = { 595–626}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Cámara2018_Article_MOSAICOOfflineSynthesisOfAdapt.pdf}, ABSTRACT = {Self-adaptation improves the resilience of software-intensive systems, enabling them to adapt their structure and behavior to run-time changes (e.g., in workload and resource availability). Many of these approaches reason about the best way of adapting by synthesizing adaptation plans online via planning or model checking tools. This method enables the exploration of a rich solution space, but optimal solutions and other guarantees (e.g., constraint satisfaction) are computationally costly, resulting in long planning times during which changes may invalidate plans. An alternative to online planning involves selecting at run time the adaptation best suited to the current system and environment conditions from among a predefined repertoire of adaptation strategies that capture repair and optimization tasks. This method does not incur run-time overhead but requires additional effort from engineers, who have to specify strategies and lack support to systematically assess their quality. In this article, we present MOSAICO, an approach for offline synthesis of adaptation strategy repertoires that makes a novel use of discrete abstractions of the state space to flexibly adapt extra-functional behavior in a scalable manner. The approach supports making trade-offs: (i) among multiple extra-functional concerns, and (ii) between computation time and adaptation quality (varying abstraction resolution). Our results show a remarkable improvement on system qualities in contrast to manually-specified repertoires. More interestingly, moderate increments in abstraction resolution can lead to pronounced quality improvements, whereas high resolutions yield only negligible improvement over medium resolutions.}, NOTE = {Springer Link}, KEYWORDS = {Formal Methods, Planning, Rainbow, Self-adaptation} } @Article{Mead:SEE:2018, AUTHOR = {Mead, Nancy and Garlan, David and Shaw, Mary}, TITLE = {Half a Century of Software Engineering Education: The CMU Exemplar}, YEAR = {2018}, MONTH = {September}, JOURNAL = {IEEE Software, Special Issue on 50th Anniversary of Software Engineering}, VOLUME = {35}, NUMBER = {5}, PAGES = {25 -- 31}, URL = {https://ieeexplore.ieee.org/document/8409913}, ABSTRACT = {Now, more than ever, the software profession needs rigorous software engineering education based on enduring principles. This must reach the increasing diversity of the developer community and the diverse paths the developer takes into the profession. }, NOTE = {Issue received the 2018 APEX Award of Excellence}, KEYWORDS = {Education, Software Engineering} } @Article{2019:IEEESoftware:BRASS, AUTHOR = {Aldrich, Jonathan and Garlan, David and K\"astner, Christian and Le Goues, Claire and Mohseni-Kabir, Anahita and Ruchkin, Ivan and Samuel, Selva and Schmerl, Bradley and Timperley, Christopher Steven and Veloso, Manuela and Voysey, Ian and Biswas, Joydeep and Guha, Arjun and Holtz, Jarrett and C\'{a}mara, Javier and Jamshidi, Pooyan}, TITLE = {Model-Based Adaptation for Robotics Software}, YEAR = {2019}, MONTH = {March}, JOURNAL = {IEEE Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/brass-mars-ieee-software2019.pdf}, ABSTRACT = {We have developed model-based adaptation, an approach that leverages models of software and its environment to enable automated adaptation. The goal of our approach is to build long-lasting mobile software systems that can effectively adapt to changes in their environment.}, KEYWORDS = {Self-adaptation} } @Article{Bozhinoski:JSA:2019, AUTHOR = {Bozhinoski, Darko and Garlan, David and Malavolta, Ivano and Pelliccione, Patrizio}, TITLE = {Managing safety and mission completion via collective run-time adaptation}, YEAR = {2019}, JOURNAL = {Journal of Systems Architecture}, VOLUME = {95}, PAGES = {19--35}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SYSARC1584_201902001602722101.pdf}, ABSTRACT = {Mobile Multi-Robot Systems (MMRSs) are an emerging class of systems that are composed of a team of robots, various devices (like movable cameras, sensors) which collaborate with each other to accomplish defined missions. Moreover, these systems must operate in dynamic and potentially uncontrollable and unknown environments that might compromise the safety of the system and the completion of the defined mission. A model of the environment describing, e.g., obstacles, no-fly zones, wind and weather conditions might be available, however, the assumption that such a model is both correct and complete is often wrong. In this paper, we describe an approach that supports execution of missions at run time. It addresses collective adaptation problems in a decentralized fashion, and enables the addition of new entities in the system at any time. Moreover, it is based on two adaptation resolution methods: one for (potentially partial) resolution of mission-related issues and one for full resolution of safety-related issues.}, KEYWORDS = {Self-adaptation} } @Article{Adepu:ExpInd:2022, AUTHOR = {Adepu, Sridhar and Li, Nianyu and Kang, Eunsuk and Garlan, David}, TITLE = {Modeling and Analysis of Explanation for Secure Industrial Control Systems}, YEAR = {2022}, MONTH = {July}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Explanation_for_Secure_Industrial_Control_System.pdf}, ABSTRACT = {Many self-adaptive systems benefit from human involvement and oversight, where a human operator can provide expertise not available to the system and detect problems that the system is unaware of. One way of achieving this synergy is by placing the human operator on the loop – i.e., providing supervisory oversight and intervening in the case of questionable adaptation decisions. To make such interaction effective, an explanation can play an important role in allowing the human operator to understand why the system is making certain decisions and improve the level of knowledge that the operator has about the system. This, in turn, may improve the operator’s capability to intervene and if necessarily, override the decisions being made by the system. However, explanations may incur costs, in terms of delay in actions and the possibility that a human may make a bad judgement. Hence, it is not always obvious whether an explanation will improve overall utility and, if so, what kind of explanation should be provided to the operator. In this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of explanation content, effect, and cost. We then present a dynamic system adaptation approach that leverages a probabilistic reasoning technique to determine when an explanation should be used in order to improve overall system utility. We evaluate our explanation framework in the context of a realistic industrial control system with adaptive behaviors.}, NOTE = {https://dl.acm.org/doi/10.1145/3557898}, KEYWORDS = {Explainable Software, Formal Methods, Self-adaptation} } @Article{2019:Nabor:Microservice, AUTHOR = {Mendon\c{c}a, Nabor C. and Jamshidi, Pooyan and Garlan, David and Pahl, Claus}, TITLE = {Developing Self-Adaptive Microservice Systems: Challenges and Directions}, YEAR = {2019}, MONTH = {26 November}, JOURNAL = {IEEE Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/1910.07660.pdf}, ABSTRACT = {A self-adaptive system can dynamically monitor and adapt its behavior to preserve or enhance its quality attributes under uncertain operating conditions. This article identifies key challenges for the development of microservice applications as self-adaptive systems, using a cloud-based intelligent video surveillance application as a motivating example. It also suggests potential new directions for addressing most of the identified challenges by leveraging existing microservice practices and technologies.}, KEYWORDS = {Self-adaptation} } @Article{2021:ROSArch:JSS, AUTHOR = {Malavolta, Ivano and Lewis, Grace A. and Schmerl, Bradley and Lago, Patricia and Garlan, David}, TITLE = {Mining Guidelines for Architecting Robotics Software}, YEAR = {2021}, MONTH = {August}, JOURNAL = {Journal of Systems and Software}, VOLUME = {178}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS_ROS_2020.pdf}, ABSTRACT = {Context. The Robot Operating System (ROS) is the de-facto standard for robotics software.However, ROS-based systems are getting larger and more complex and could benefit from good software architecture practices.Goal. We aim at (i) unveiling the state-of-the-practice in terms of targeted quality attributes and architecture documentation in ROS-based systems, and (ii) providing empirically-grounded guidance to roboticists about how to properly architect ROS-based systems.Method. We designed and conducted an observational study where we (i) built a dataset of335 GitHub repositories containing real open-source ROS-based systems, and (ii) mined the repositories to extract and synthesize quantitative and qualitative findings about how roboticists are architecting ROS-based systems.Results. First, we extracted an empirically-grounded overview of the state of the practice for architecting and documenting ROS-based systems. Second, we synthesized a catalog of 47architecting guidelines for ROS-based systems. Third, the extracted guidelines were validated by119 roboticists working on real-world open-source ROS-based systems.Conclusions. Roboticists can use our architecting guidelines for applying good design principles to develop robots that meet quality requirements, and researchers can use our results as evidence-based indications about how real-world ROS systems are architected today, thus inspiring future research contributions}, NOTE = {https://doi.org/10.1016/j.jss.2021.110969}, KEYWORDS = {Software Architecture} } @Article{2020:REACT-ION, AUTHOR = {Pfannm\"{u}ller, Martin and Breitbach, Martin and Weckesser, Marcus and Becker, Christian and Schmerl, Bradley and Sch\"{u}rr, Andy and Krupitzer, Christian}, TITLE = {REACT-ION: A Model-based Runtime Environment for Situation-aware Adaptations}, YEAR = {2020}, MONTH = {December}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, VOLUME = {15}, NUMBER = {4}, PAGES = {1-29}, ABSTRACT = {Trends such as the Internet of Things lead to a growing number of networked devices and to a variety of communication systems. Adding self-adaptive capabilities to these communication systems is one approach to reducing administrative effort and coping with changing execution contexts. Existing frameworks can help reducing development effort but are neither tailored toward the use in communication systems nor easily usable without knowledge in self-adaptive systems development. Accordingly, in previous work, we proposed REACT, a reusable, model-based runtime environment to complement communication systems with adaptive behavior. REACT addresses heterogeneity and distribution aspects of such systems and reduces development effort. In this article, we propose REACT-ION—an extension of REACT for situation awareness. REACT-ION offers a context management module that is able to acquire, store, disseminate, and reason on context data. The context management module is the basis for (i) proactive adaptation with REACT-ION and (ii) self-improvement of the underlying feedback loop. REACT-ION can be used to optimize adaptation decisions at runtime based on the current situation. Therefore, it can cope with uncertainty and situations that were not foreseeable at design time. We show and evaluate in two case studies how REACT-ION’s situation awareness enables proactive adaptation and self-improvement.}, KEYWORDS = {Cyberphysical Systems, Self-adaptation, Self-awareness & Adaptation} } @Article{Wohlrab2021negotiation, AUTHOR = {Wohlrab, Rebekka and Garlan, David}, TITLE = {A Negotiation Support System for Defining Utility Functions for Multi-Stakeholder Self-Adaptive Systems}, YEAR = {2022}, JOURNAL = {Requirements Engineering}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2021_Wohlrab_utility_negotiation_accepted.pdf}, ABSTRACT = {For realistic self-adaptive systems, multiple quality attributes need to be considered and traded off against each other. These quality attributes are commonly encoded in a utility function, for instance, a weighted sum of relevant objectives. Utility functions are typically subject to a set of constraints, i.e., hard requirements that should not be violated by the system. The research agenda for requirements engineering for self-adaptive systems has raised the need for decision-making techniques that consider the trade-offs and priorities of multiple objectives. Human stakeholders need to be engaged in the decision-making process so that constraints and the relative importance of each objective can be correctly elicited. This paper presents a method that supports multiple stakeholders in eliciting constraints, prioritizing relevant quality attributes, negotiating priorities, and giving input to define utility functions for self-adaptive systems. We developed tool support in the form of a blackboard system that aggregates information by different stakeholders, detects conflicts, proposes mechanisms to reach an agreement, and generates a utility function. We performed a think-aloud study with 14 participants to investigate negotiation processes and assess the approach’s understandability and user satisfaction. Our study sheds light on how humans reason about and how they negotiate around quality attributes. The mechanisms for conflict detection and resolution were perceived as very useful. Overall, our approach was found to make the process of utility function definition more understandable and transparent.}, NOTE = {https://doi.org/10.1007/s00766-021-00368-y}, KEYWORDS = {Explainable Software, Self-adaptation} } @Article{2022:SoSym:UIP, AUTHOR = {C\'{a}mara, Javier and Troya, Javier and Vallecillo, Antonio and Bencomo, Nelly and Calinescu, Radu and Cheng, Betty H.C. and Garlan, David and Schmerl, Bradley}, TITLE = {The uncertainty interaction problem in self-adaptive systems}, YEAR = {2022}, MONTH = {August}, JOURNAL = {Software System and Modelling}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Sosym2022.pdf}, ABSTRACT = {The problem of mitigating uncertainty in self-adaptation has driven much of the research proposed in the area of software engineering for self-adaptive systems in the last decade. Although many solutions have already been proposed, most of them tend to tackle specific types, sources, and dimensions of uncertainty (e.g., in goals, resources, adaptation functions) in isolation. A special concern are the aspects associated with uncertainty modeling in an integrated fashion. Different uncertainties are rarely independent and often compound, affecting the satisfaction of goals and other system properties in subtle and often unpredictable ways. Hence, there is still limited understanding about the specific ways in which uncertainties from various sources interact and ultimately affect the properties of self-adaptive, software-intensive systems. In this SoSym expert voice, we introduce the Uncertainty Interaction Problem as a way to better qualify the scope of the challenges with respect to representing different types of uncertainty while capturing their interaction in models employed to reason about self-adaptation. We contribute a characterization of the problem and discuss its relevance in the context of case studies taken from two representative application domains. We posit that the Uncertainty Interaction Problem should drive future research in software engineering for autonomous and self-adaptive systems, and therefore, contribute to evolving uncertainty modeling towards holistic approaches that would enable the construction of more resilient self-adaptive systems.}, NOTE = {Expert Voice Paper (https://doi.org/10.1007/s10270-022-01037-6)}, KEYWORDS = {Self-adaptation, uncertainty} } @Article{2022:JSS:ExpSAS, AUTHOR = {Wohlrab, Rebekka and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Explaining quality attribute tradeoffs in automated planning for self-adaptive systems}, YEAR = {2022}, MONTH = {October}, JOURNAL = {The Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/xplanqasas.pdf}, ABSTRACT = {Self-adaptive systems commonly operate in heterogeneous contexts and need to consider multiple quality attributes. Human stakeholders often express their quality preferences by defining utility func- tions, which are used by self-adaptive systems to automatically generate adaptation plans. However, the adaptation space of realistic systems is large and it is obscure how utility functions impact the generated adaptation behavior, as well as structural, behavioral, and quality constraints. Moreover, human stakeholders are often not aware of the underlying tradeoffs between quality attributes. To address this issue, we present an approach that uses machine learning techniques (dimensionality reduction, clustering, and decision tree learning) to explain the reasoning behind automated planning. Our approach focuses on the tradeoffs between quality attributes and how the choice of weights in utility functions results in different plans being generated. We help humans understand quality attribute tradeoffs, identify key decisions in adaptation behavior, and explore how differences in utility functions result in different adaptation alternatives. We present two systems to demonstrate the approach’s applicability and consider its potential application to 24 exemplar self-adaptive systems. Moreover, we describe our assessment of the tradeoff between the information reduction and the amount of explained variance retained by the results obtained with our approach.}, KEYWORDS = {Explainable Software, Planning, Self-adaptation} } @Article{2022:JSS:Extra, AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley}, TITLE = {ExTrA: Explaining architectural design tradeoff spaces via dimensionality reduction.}, YEAR = {2022}, MONTH = {December}, JOURNAL = {Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ExTrA__Explaining_Architectural_Design_Tradeoff_Spaces_via_Dimensionality_Reduction.pdf}, ABSTRACT = {In software design, guaranteeing the correctness of run-time system behavior while achieving an acceptable balance among multiple quality attributes remains a challenging problem. Moreover, providing guarantees about the satisfaction of those requirements when systems are subject to uncertain environments is even more challenging. While recent developments in architectural analysis techniques can assist architects in exploring the satisfaction of quantitative guarantees across the design space, existing approaches are still limited because they do not explicitly link design decisions to satisfaction of quality requirements. Furthermore, the amount of information they yield can be overwhelming to a human designer, making it difficult to see the forest for the trees. In this paper we present ExTrA (Explaining Tradeoffs of software Architecture design spaces), an approach to analyzing architectural design spaces that addresses these limitations and provides a basis for explaining design tradeoffs. Our approach employs dimensionality reduction techniques employed in machine learning pipelines like Principal Component Analysis (PCA) and Decision Tree Learning (DTL) to enable architects to understand how design decisions contribute to the satisfaction of extra-functional properties across the design space. Our results show feasibility of the approach in two case studies and evidence that combining complementary techniques like PCA and DTL is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces.}, NOTE = {https://doi.org/10.1016/j.jss.2022.111578}, KEYWORDS = {Architectural Analysis, Explainable Software} } @Article{2023:FM:IEEE, AUTHOR = {C\'{a}mara, Javier and Garlan, David}, TITLE = {A study on the impact of repetition of formative assessments in a formal methods course for professional software engineers}, YEAR = {2023}, JOURNAL = {IEEE Software}, ABSTRACT = {Although tests are traditionally used as mandatory summative assessments at the end of the instruction period and their purpose is measuring how well a student has learned a given subject, they can also play an important role in formative assessment when they are employed as an instrument to aid in the acquisition and retention of knowledge. This study evaluates the role of tests as weekly formative assessments and investigates the impact of their repetition (i.e., administering the same test more than once) on academic performance of students in a postgraduate formal methods course for professional software engineers. Our hypothesis is that repetition in formative assessments leads to increased academic performance, as well as to an improvement in the effectiveness of gauging student progress. Based on an analysis of data from a population of 194 students that took the course during the period 2013-2017, we report results that point at the validity of our hypothesis.}, NOTE = {doi: 10.1109/MS.2023.3291400}, KEYWORDS = {Education, Formal Methods} } @Article{IEEE:CaRE:2023, AUTHOR = {Hossen, Md Abir and Kharade, Sonam and Schmerl, Bradley and C\'{a}mara, Javier and O\'Kane, Jason M. and Czaplinski, Ellen C. and Dzurilla, Katherine A. and Garlan, David and Jamshidi, Pooyan}, TITLE = {CaRE: Finding Root Causes of Configuration Issues in Highly-Configurable Robots}, YEAR = {2023}, MONTH = {May}, JOURNAL = {IEEE Robotics and Automation Letters}, PAGES = {1-8}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CaRE_Finding_Root_Causes_of_Configuration_Issues_in_Highly-Configurable_Robots.pdf}, ABSTRACT = {Robotic systems have subsystems with a combinatorially large configuration space and hundreds or thousands of possible software and hardware configuration options interacting non-trivially. The configurable parameters are set to target specific objectives, but they can cause functional faults when incorrectly configured. Finding the root cause of such faults is challenging due to the exponentially large configuration space and the dependencies between the robot's configuration settings and performance. This paper proposes CaRE —a method for diagnosing the root cause of functional faults through the lens of causality. CaRE abstracts the causal relationships between various configuration options and the robot's performance objectives by learning a causal structure and estimating the causal effects of options on robot performance indicators. We demonstrate CaRE 's efficacy by finding the root cause of the observed functional faults and validating the diagnosed root cause by conducting experiments in both physical robots ( Husky and Turtlebot 3 ) and in simulation ( Gazebo ). Furthermore, we demonstrate that the causal models learned from robots in simulation (e.g., Husky in Gazebo ) are transferable to physical robots across different platforms (e.g., Husky and Turtlebot 3 ).}, NOTE = {doi: 10.1109/LRA.2023.3280810} } @Article{Camara:Expl:IEEESoftware:2024, AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley}, TITLE = {Focusing on What Matters: Explaining Quality Tradeoffs in Software-Intensive Systems via Dimensionality Reduction}, YEAR = {2024}, MONTH = {January}, JOURNAL = {IEEE Software}, VOLUME = {41}, PAGES = {64-73}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IEEE_Software__Tradeoff_Focused_ExplanationsCamara_Expl_IEEESoftware_2024.pdf}, ABSTRACT = {Building and operating software-intensive systems often involves exploring decision spaces made up of large numbers of variables and complex relations among them. Understanding such spaces is often overwhelming to human decision makers, who have limited capacity to digest large amounts of information, making it difficult to distinguish the forest through the trees. In this article, we report on our experience in which we used dimensionality reduction techniques to enable decision makers in different domains (software architecture, smart manufacturing, automated planning for service robots) to focus on the elements of the decision space that explain most of the quality variation, filtering out noise, and thus reducing cognitive complexity.}, NOTE = {DOI: https://doi.ieeecomputersociety.org/10.1109/MS.2023.3320689}, KEYWORDS = {Explainable Software, Planning, Self-adaptation, Software Architecture} } @Article{2024:Hossen:CURE, AUTHOR = {Hossen, Md Abir and Kharade, Sonam and O\'Kane, Jason M. and Schmerl, Bradley and Garlan, David and Jamshidi, Pooyan}, TITLE = {CURE: Simulation-Augmented Auto-Tuning in Robotics}, YEAR = {2025}, MONTH = {March}, JOURNAL = {IEEE Transactions on Robotics}, ABSTRACT = {Robotic systems are typically composed of vari- ous subsystems, such as localization and navigation, each en- compassing numerous configurable components (e.g., selecting different planning algorithms). Once an algorithm has been selected for a component, its associated configuration options must be set to the appropriate values. Configuration options across the system stack interact non-trivially. Finding optimal configurations for highly configurable robots to achieve desired performance poses a significant challenge due to the interactions between configuration options across software and hardware that result in an exponentially large and complex configuration space. These challenges are further compounded by the need for transferability between different environments and robotic platforms. Data efficient optimization algorithms (e.g., Bayesian optimization) have been increasingly employed to automate the tuning of configurable parameters in cyber-physical systems. However, such optimization algorithms converge at later stages, often after exhausting the allocated budget (e.g., optimization steps, allotted time) and lacking transferability. This paper proposes CURE—a method that identifies causally relevant con- figuration options, enabling the optimization process to operate in a reduced search space, thereby enabling faster optimization of robot performance. CURE abstracts the causal relationships between various configuration options and robot performance objectives by learning a causal model in the source (a low-cost environment such as the Gazebo simulator) and applying the learned knowledge to perform optimization in the target (e.g., Turtlebot 3 physical robot). We demonstrate the effectiveness and transferability of CURE by conducting experiments that involve varying degrees of deployment changes in both physical robots and simulation}, KEYWORDS = {Cyberphysical Systems, Machine Learning, Robot Adaptation, Self-adaptation} } @Article{Sousa:2024:Security, AUTHOR = {Sousa, Bruno and Dias, Duarte and Antunes, Nuno and C\'{a}mara, Javier and Wagner, Ryan and Schmerl, Bradley and Garlan, David and Fidalgo, Pedro}, TITLE = {MONDEO-Tactics5G: Multistage botnet detection and tactics for 5G/6G networks}, YEAR = {2024}, MONTH = {May}, JOURNAL = {Computers & Security}, VOLUME = {140}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MONDEO_AIDA.pdf}, ABSTRACT = {Mobile malware is a malicious code specifically designed to target mobile devices to perform multiple types of fraud. The number of attacks reported each day is increasing constantly and is causing an impact not only at the end-user level but also at the network operator level. Malware like FluBot contributes to identity theft and data loss but also enables remote Command & Control (C2) operations, which can instrument infected devices to conduct Distributed Denial of Service (DDoS) attacks. Current mobile device-installed solutions are not effective, as the end user can ignore security warnings or install malicious software. This article designs and evaluates MONDEO-Tactics5G - a multistage botnet detection mechanism that does not require software installation on end-user devices, together with tactics for 5G network operators to manage infected devices. We conducted an evaluation that demonstrates high accuracy in detecting FluBot malware, and in the different adaptation strategies to reduce the risk of DDoS while minimising the impact on the clients' satisfaction by avoiding disrupting established sessions.}, NOTE = {https://doi.org/10.1016/j.cose.2024.103768}, KEYWORDS = {Rainbow} } @Article{Casimira:TAAS:2024, AUTHOR = {Casimiro, Maria and Soares, Diogo and Garlan, David and Rodrigues, Luis and Romano, Paolo}, TITLE = {Self-Adapting Machine Learning-based Systems via a Probabilistic Model Checking Framework}, YEAR = {2024}, MONTH = {March}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_TAAS_journal_extension_CR.pdf}, ABSTRACT = {This paper focuses on the problem of optimizing system utility of Machine-Learning (ML) based systems in the presence of ML mispredictions. This is achieved via the use of self-adaptive systems and through the execution of adaptation tactics, such as model retraining, which operate at the level of individual ML components. To address this problem, we propose a probabilistic modeling framework that reasons about the cost/benefit trade-offs associated with adapting ML components. The key idea of the proposed approach is to decouple the problems of estimating (i) the expected performance improvement after adaptation and (ii) the impact of ML adaptation on overall system utility. We apply the proposed framework to engineer a self-adaptive ML-based fraud-detection system, which we evaluate using a publicly-available, real fraud detection data-set. We initially consider a scenario in which information on model’s quality is immediately available. Next we relax this assumption by integrating (and extending) state-of-the-art techniques for estimating model’s quality in the proposed framework. We show that by predicting the system utility stemming from retraining a ML component, the probabilistic model checker can generate adaptation strategies that are significantly closer to the optimal, as compared against baselines such as periodic or reactive retraining.}, KEYWORDS = {Machine Learning, Model Checking, Self-adaptation} } @Article{SPE:2024:Mendonca, AUTHOR = {Aderaldo, Carlos and Costa, Thiago M. and Vasconcelos, Davi M. and Mendon\c{c}a, Nabor C. and C\'{a}mara, Javier and Garlan, David}, TITLE = {A Declarative Approach and Benchmark Tool for Controlled Evaluation of Microservice Resiliency Patterns}, YEAR = {2024}, MONTH = {August}, JOURNAL = {Software Practice and Experience}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/spe2023-resilence-bench-accepted.pdf}, ABSTRACT = {Microservice developers increasingly use resiliency patterns such as Retry and Circuit Breaker to cope with remote services that are likely to fail. However, there is still little research on how the invocation delays typically introduced by those resiliency patterns may impact application performance under varying workloads and failure scenarios. This paper presents a novel approach and benchmark tool for experimentally evaluating the performance impact of existing resiliency patterns in a controlled setting. The main novelty of this approach resides in the ability to declaratively specify and automatically generate multiple testing scenarios involving different resiliency patterns, which one can implement using any programming language and resilience library. The paper illustrates the benefits of the proposed approach and tool by reporting on an experimental study of the performance impact of the Retry and Circuit Breaker resiliency patterns in two mainstream programming languages (C# and Java) using two popular resilience libraries (Polly and Resilience4j), under multiple service workloads and failure rates. Our results show that, under low to moderate failure rates, both resiliency patterns effectively reduce the load over the application’s target service with barely any impact on the application’s performance. However, as the failure rate increases, both patterns significantly degrade the application’s performance, with their effect varying depending on the service’s workload and the patterns’ programming language and resilience library.}, KEYWORDS = {Resilience} } @Article{2024:GM:All, AUTHOR = {Chen, Hongrui and Joglekar, Aditya and Rubenstein, Zack and Schmerl, Bradley and Fedder, Gary and De Nijs, Jan and Garlan, David and Smith, Stephen and Burak Kara, Levant}, TITLE = {Generative Manufacturing: A requirements and resource-driven approach to part making}, YEAR = {2025}, MONTH = {June}, JOURNAL = {Computers in Industry}, VOLUME = {168}, ABSTRACT = {Advances in CAD and CAM have enabled engineers and design teams to digitally design parts with unprecedented ease. Software solutions now come with a range of modules for optimizing designs for performance requirements, generating instructions for manufacturing, and digitally tracking the entire process from design to procurement in the form of product life-cycle management tools. However, existing solutions force design teams and corporations to take a primarily serial approach where manufacturing and procurement decisions are largely contingent on design, rather than being an integral part of the design process. In this work, we propose a new approach to part making where design, manufacturing, and supply chain requirements and resources can be jointly considered and optimized. We present the Generative Manufacturing compiler that accepts as input the following: 1) An engineering part requirements specification that includes quantities such as loads, domain envelope, mass, and compliance, 2) A business part requirements specification that includes production volume, cost, and lead time, 3) Contextual knowledge about the current manufacturing state such as availability of relevant manufacturing equipment, materials, and workforce, both locally and through the supply chain. Based on these factors, the compiler generates and evaluates manufacturing process alternatives and the optimal derivative designs that are implied by each process, and enables a user guided iterative exploration of the design space. As part of our initial implementation of this compiler, we demonstrate the effectiveness of our approach on examples of a cantilever beam problem and a rocket engine mount problem and showcase its utility in creating and selecting optimal solutions according to the requirements and resources.}, KEYWORDS = {Explainable Software} }