FORMAL MODELING OF BEHAVIORAL PROPERTIES TO
SUPPORT CORRECT BY DESIGN PUBLISH/SUBSCRIBE
ARCHITECTURAL STYLES
Ikbel Krichen, Imen Loulou and Ahmed Hadj Kacem
University of Sfax, ENIS, Research Unit ReDCAD, B.P.W., 3038 Sfax, Tunisia
Keywords:
Software architecture, Publish/subscribe style, Correct by design, Formal specification, Behavioral properties.
Abstract:
We propose in this paper a formal modeling approach of behavioral properties of publish/subscribe architec-
tural styles. We extend P/S-CoM formal approach that concentrates only on correctly design the structures of
publish/subscribe styles and deals with dynamic views. We put the emphasis on the state notion for component
types. Moreover, we focus on behavioral properties including lossless of exchanged events, delivery semantics
and ordering of notifications. These properties are coded in Z notation.
1 INTRODUCTION
Publish/subscribe architectural styles (PSAS) are in-
creasingly used in the large-scale distributed and co-
operative applications. This is due to its dynamic na-
ture, scalability and interaction model based on three-
dimensional decoupling (Eugster et al., 2003). The
interaction among the component types of this style
(producer, consumer, prod/cons and event-service)
depends on its structure and its behavior. The cor-
rect by design of PSAS is important in order to en-
sure that the architectures with which they are compli-
ant, operate reliably. This design requires the use of
formal methods as they provide exact semantics and
eliminate ambiguities. Using the construction method
is interesting since it promotes reuse by composing
reusable modules and guides the designers to easily
conceive correct architectural styles.
P/S-CoM formal approach (Loulou et al., 2010)
helps designers build the structures of SPAS by com-
posing reusable communication schemas but does not
propose the modeling of behavioral properties. The
obtaining of only correct structures is not sufficient
for modeling PSAS and generating correct implemen-
tations. In this paper, we extend P/S-CoM approach
by integrating the behavioral view. This extension in-
cludes the definition of the state of component types
and behavioral properties: lossless of events, delivery
semantics and ordering of notifications. Establishing
a correct PSAS at design level will be done by com-
posing the extended and new schemas.
The rest of this paper is structured as follows: Sec-
tion 2 provides a general overview of the P/S-CoM
formal approach. Section 3 describes our P/S-CoM
extension approach. Section 4 presents the related
work. Section 5 concludes this paper and presents fu-
ture work directions.
2 P/S-COM APPROACH
P/S-CoM (Loulou et al., 2010) is a formal approach
that provides the correct modeling of PSAS struc-
tures. It consists in composing reusable communica-
tion schemas and respecting a set of composition rules
coded in Z notation and proved with the Z-Eves theo-
rem prover. Z is a standard and formal language. It is
based on the set of theory and the first-order predicate
logic. It describes states and operations with schemas.
A schema has a name, a declarative part which de-
fines data, and a predicative part which enumerates
constraints.
Among the provided communication schemas,
D
C1 represents an example of communication be-
tween a distributed event-service and consumers
where one link of communication push is considered.
Its formal specification is described with the follow-
ing generic schema D
C1[Consumer, EvDispatcher].
The declarative part contains a set (F) of consumers
and dispatchers, PushD and PushDD links as rela-
tions. In the predicativepart, [Pred−1] and [Pred−2]
describe inclusions of sets using domain (dom) and
286
Krichen I., Loulou I. and Hadj Kacem A..
FORMAL MODELING OF BEHAVIORAL PROPERTIES TO SUPPORT CORRECT BY DESIGN PUBLISH/SUBSCRIBE ARCHITECTURAL STYLES.
DOI: 10.5220/0003495402860289
In Proceedings of the 6th International Conference on Software and Database Technologies (ICSOFT-2011), pages 286-289
ISBN: 978-989-8425-77-5
Copyright
c
2011 SCITEPRESS (Science and Technology Publications, Lda.)
range (ran) operators. [Pred − 3] expresses the in-
verse relationship (∼). [Pred − 4] states that all the
dispatchers have to be connected. [Pred− 5] requires
that every consumer has a single access point in the
network of dispatchers.
D C1[Consumer, EvDispatcher]
C : FConsumer
D : F EvDispatcher
PushD : EvDispatcher ↔ Consumer
PushDD : EvDispatcher ↔ EvDispatcher
domPushD ⊆ D ∧ ranPushD ⊆ C [Pred-1]
domPushDD ⊆ D ∧ ranPushDD ⊆ D [Pred-2]
PushDD = PushDD
∼
[Pred-3]
∀x, y : D | x 6= y
• ∃T : seqEvDispatcher
| ranT ⊆ D ∧ x ∈ ranT ∧ y ∈ ranT
• ∀i : N | 1 ≤ i ∧ i+ 1 ≤ #T
• (Ti, T(i+ 1)) ∈ PushDD [Pred-4]
∀c : C • (∃
1
d : D
• d ∈ dom(PushD⊲ {c})) [Pred-5]
3 P/S-COM EXTENSION
In this section, we describe the extension that we
made on the P/S-CoM communication schemas and
the behavioral properties. Obtained communication
schemas (new ones and extended ones) can be com-
posed in order to get PSAS considering structural and
behavioral views.
3.1 Event Types and Matching
Functions
Various events are exchanged between publishers
(producer or prod/cons), subscribers (consumer or
prod/cons) and event dispatchers (EvDispatcher) en-
tities. We distinguish three types of events: EVENT
for notification, SUB EVENT for subscription and
ADV EVENT for advertisement (Figure 1). Ev-
ery EVENT can be marked by a stamp. Every
SUB EVENT can be assigned with a priority by its
subscriber. Since we are not interested, here, in the
specification details of these event types, we introduce
them as basic types.
Figure 1: Event Types.
We represent Advertising and Filtering matching
functions as relations. The first one is used to verify
that a produced event corresponds to an advertisement
[R1]. The second one is used to verify if an event
notification matches a given subscription [R2].
Advertising : EVENT ↔ ADV EVENT [R1]
Filtering : EVENT ↔ SUB EVENT [R2]
3.2 State of the Component Types
We characterize here the state of each pub-
lish/susbcribe component type. The state can be
changed whenever an event is generated or received.
The state of the subscribers (resp. publishers) de-
pends on the subscriptions (resp. advertisements and
notifications) that he generated and the notifications
that he received. He stores these event types. He can-
not generate twice the same subscription (resp. no-
tification and advertisement) but he can receive or
not the notifications which match his subscriptions.
In this paper, we are interested in modeling pub-
lish/subscribe architectures where notifications are
not persistent. Thus, every event dispatcher stores
only the exchanged advertisements and subscriptions
in routing tables. It also maintains the source of each
subscription. Given the lack of space, we present only
the formal specification of the consumers state:
State Cons[Consumer]
Sub EventsC : Consumer ↔ SUB EVENT
Notif EventsC : Consumer ↔ seqEVENT
∀c : Consumer | c ∈ domNotif EventsC
• ∀ T, H : seqEVENT
• (c, T) ∈ Notif EventsC
∧ (c, H) ∈ Notif EventsC ⇒ T = H [Pred-1]
∀c : Consumer; J : seqEVENT
| (c, J) ∈ Notif EventsC
• ∀e : EVENT | e ∈ ranJ • ∃ s : SUB EVENT
• s ∈ ran({e}⊳ Filtering)
∧ s ∈ ran({c} ⊳ Sub EventsC) [Pred-2]
In the declarative part, Sub EventsC relation rep-
resents the subscriptions retained at corresponding
consumer. Notif EventsC relation states the se-
quences of notifications received by consumers. With
seq, a consumer has a sequence of ordered notifica-
tions which their duplication is allowed. In the pred-
icative part, we indicate that every consumer has a
unique sequence of notifications [Pred − 1] and ev-
ery notification received by a given consumer, corre-
sponds to at least one of his subscriptions [Pred− 2].
3.3 Refinement of P/S-CoM
Communication Schemas
In order to consider behavioral properties, we refine
FORMAL MODELING OF BEHAVIORAL PROPERTIES TO SUPPORT CORRECT BY DESIGN
PUBLISH/SUBSCRIBE ARCHITECTURAL STYLES
287
P/S-CoM communication schemas and we get new
reusable schemas as it is described in Figure 2. We put
the name of the concerned communication schema
and the state of the component types in the declara-
tive part, and some constraints in the predicative part.
Figure 2: Refinement method of P/S-CoM schemas.
Among the P/S-CoM communication schemas,
we refine D C1 (section 2) and obtain the following
Z specification:
ref D C1[Consumer, EvDispatcher]
D C1[Consumer, EvDispatcher]
State Cons[Consumer]
D State EvD[EvDispatcher, Consumer, Prod Cons]
domSub EventsC ⊆ C ∧ domNotif EventsC ⊆ C
∧ domSubC EventsD ⊆ D [Pred-1]
{c : Consumer | ∀ d : EvDispatcher; s : SUB EVENT
• (d, (c, s)) ∈ SubC EventsD} ⊆ ranPushD
[Pred-2]
∀d1, d2 : D; s : SUB EVENT
| (d1, (d2, s)) ∈ Sub EventsDD
• (d1, d2) ∈ PushDD [Pred-3]
∀d : EvDispatcher
| d ∈ domPushDD ∧ d 6∈ domPushD
• SubC EventsD = ∅ [Pred-4]
In the declarative part, we invoke the D C1
schema, the state of the consumers and the distributed
event-service specification. In the predicative part,
[Pred − 2] stipulates that the consumers from which
an event dispatcher received their subscriptions are
connected to this event dispatcher. [Pred − 3] states
that every two dispatchers which exchange subscrip-
tions are directly connected. [Pred − 4] defines that
every event dispatcher that is not directly connected
to a consumer, can receive only subscriptions issued
by the neighbor dispatchers.
3.4 A Formal Approach for Designing
Behavioral Properties
In this section, we present the adopted approach for
specifying behavioral properties in Z notation. We
distinguish local and global properties.
3.4.1 Local Properties
We aim at ensuring the lossless of exchanged adver-
tisements (resp. subscriptions) among the publishers
(resp. subscribers) and the event-service. Since these
properties represent interactions between the event-
service and the clients (publishers and subscribers),
they can be integrated in the refined communication
schemas. We extended them as it is described in Fig-
ure 3. We declare in the declarative part the name of
the refined schema, and we define constraints in the
predicative part.
Figure 3: The local properties specification.
3.4.2 Global Properties
We model the delivery semantics and the ordering
of notifications as global properties. They repre-
sent interactions between publishers and subscribers.
We propose new communication schemas as it is de-
scribed in Figure 4. We invoke the state of the con-
cerned clients in the declarative part, and behavioral
constraints in the predicative part.
Figure 4: The global properties specification.
The delivery process of notifications is ensured by
the event-service following some semantics such as at
most once, at least once, exactly once and best effort
(Mahambre et al., 2007). These policies are used for
setting the number of notification’s instances received
per interested subscriber. Concerning the ordering of
notifications, it is interesting to establish a relation-
ship between the order according to which event no-
tifications are sent and the order in which they are re-
ceived. We adopt three techniques: pair-wise FIFO,
priority and total ordering (Mahambre et al., 2007).
Given the lack of space, we reveal the Z specifica-
tion of the pair-wise FIFO ordering, among the local
and global properties. Following this ordering, the
notifications should be received in the same order of
their generation. In the case of a style containing pro-
ducers and consumers, we can ensure the pair-wise
FIFO ordering by the use of the following schema:
ICSOFT 2011 - 6th International Conference on Software and Data Technologies
288
FifoPairWiseOrder P C[Producer, Consumer]
State Prod[Producer]
State Cons[Consumer]
∀p : Producer | p ∈ domProd EventsP
• ∃S : iseqEVENT | {S} = Prod EventsP(| {p} |)
• #S = 1 ⇒ (S1).stamp = 1 [Pred-1]
∀p : Producer; F : iseqEVENT
| p ∈ domProd EventsP
∧ {F} = Prod EventsP(| {p} |) ∧ #F > 1
• ∀i,j : domF | j = i+ 1
• (Fj).stamp = 1+ (Fi).stamp [Pred-2]
∀c : Consumer; R : seqEVENT
| c ∈ domNotif EventsC
∧ {R} = Notif EventsC(| {c} |) ∧ #R > 1
• ∀i,j : domR | j = i+ 1
• (Ri).stamp ≤ (Rj).stamp [Pred-3]
The declarative part contains the state of produc-
ers and consumers. In the predicative part, [Pred − 1]
states that the first notification issued by every pro-
ducer has a stamp equal to one. [Pred − 2] expresses
that the stamp is used to incrementally mark the notifi-
cations originating from a single producer. [Pred − 3]
describes that the marked stamps will be used for or-
dering notifications on the consumer side.
3.5 Proving Consistency
We proved the consistency of the extended P/S-CoM
schemas (state of components and behavioral prop-
erties). We instantiated the “initialization theorem”
(Woodcock and Davies, 1996) for all the specifica-
tions and we implemented the proofs under the Z-
EVES theorem prover.
4 RELATED WORK
In the literature, only the P/S-CoM formal approach
focuses on the generic modeling of correct PSAS
and uses the construction method. However, this ap-
proach is interested only in modeling the structural
view. Concerning the formal modeling of the be-
havioral properties of the publish/subscribe systems,
Mahambre et al. (Mahambre et al., 2007) and Bal-
doni et al. (Baldoni et al., 2003) propose the for-
mal modeling of service guarantees with mathemat-
ical equations. The first work includes delivery se-
mantics and message ordering whereas the second
work stresses minimality and completeness proper-
ties considered as delivery semantics, too. However,
these works do not promote the correct by design of
PSAS and the use of the construction method. Some
publish/subscribe middlewares support to behavioral
properties as QoS guarantees. Jedi and Ready (Ma-
hambre et al., 2007) provide mechanisms for the
ordering of notifications and ensure the lossless of
events. In addition, Ready adopt some delivery se-
mantics for notifications. As standardized specifi-
cation, we mention DDS (Data-Distribution Service)
(OMG, 2007) that defines configurable QoS (priority,
order of notifications, ...) and programming model for
distributed systems. Though these works and specifi-
cation provide behavioral properties as QoS, they are
handled at runtime level. At design level, our work
leverages on the P/S-CoM approach by augmenting it
with behavioral view including the state of the com-
ponent types and some behavioral properties.
5 CONCLUSIONS
In this paper, we proposed the integration of behav-
ioral view into P/S-CoM approach. We formally
model the state of publish/subscribe component types
and behavioral properties (lossless of events, delivery
semantics and ordering of notifications) in Z notation.
For future work, we currently design a methodology
for composing the new communication schemas and
develop a GUI as an eclipse plugin. Several other is-
sues require further investigations. First, we project to
incorporate other behavioral properties and the tem-
poral aspect. Second, we plan to integrate a process
algebra language in order to check and validate these
behavioral properties. Third, it is interesting to in-
spect the presented approach with applications.
REFERENCES
Baldoni, R., Contenti, M., Piergiovanni, S. T., and Vir-
gillito, A. (2003). Modelling publish/subscribe
communication systems: Towards a formal ap-
proach. Object-Oriented Real-Time Dependable Sys-
tems, IEEE International Workshop on, 0:304.
Eugster, P. T., Felber, P. A., Guerraoui, R., and Kermarrec,
A.-M. (2003). The many faces of publish/subscribe.
ACM Computing Surveys, 35(2):114–131.
Loulou, I., Jmaiel, M., Drira, K., and Kacem, A. H. (2010).
P/S-CoM: Building correct by design publish/ sub-
scribe architectural styles with safe reconfiguration.
Journal of Systems and Software, 83(3):412–428.
Mahambre, S. P., Kumar S.D., M., and Bellur, U. (2007). A
taxonomy of qos-aware, adaptive event-dissemination
middleware. IEEE Internet Computing, 11(4):35–44.
OMG (2007). Data distribution service for real-time sys-
tems, version 1.2, 2007. http://www.omg.org/spec/
DDS/1.2/PDF/.
Woodcock, J. and Davies, J. (1996). Using Z: specifica-
tion, refinement, and proof. Prentice-Hall, Inc., Upper
Saddle River, NJ, USA.
FORMAL MODELING OF BEHAVIORAL PROPERTIES TO SUPPORT CORRECT BY DESIGN
PUBLISH/SUBSCRIBE ARCHITECTURAL STYLES
289
