7.3.1 Formal representation of component-based systems

As already mentioned, component-based systems are formalized by a kind of ontology defined by a set of relation symbols, the signature τ_CBSD, and an axiomatic system ϕ_CBSD. τ_CBSD defines which relation symbols can be used as predicates to form logical statements about component-based systems; ϕ_CBSD defines general constraints that pertain in such systems. A dedicated component-based system is therefore represented by a set of entities representing elements of the system and a mapping of the available relation symbols of τ_CBSD onto relations over the set of entities. In the following, we speak of τ_CBSD-structures as relational structures using relation symbols from τ_CBSD, and of systems if a structure additionally conforms to the axioms from ϕ_CBSD.

The upper part of Figure 7.3 shows a relational structure modeling a very simple component-based system. The relation Component^s, for example, is the corresponding relation for the relation symbol Component in the system s and reflects the set of components in the system.³

Figure 7.4 illustrates a cutout of τ_CBSD graphically as a UML class diagram. Classes can be interpreted as unary relation symbols of τ_CBSD, whereas associations are interpreted as having a binary relationship. Furthermore, the diagram also visualizes “typing” axioms of ϕ_CBSD by specialization and the types at association ends. For example, the specialization between Class and OOClassifier represents the axiom

$\forall x:\mathit{Class}\left(x\right)\to \mathit{OOClassifier}\left(x\right)$

and the association providesInterface implies the axiom

$\forall x\forall y:\mathit{providesInterface}\left(x,y\right)\to \mathit{Component}\left(x\right)\wedge \mathit{Interface}\left(y\right)$

The multiplicities of associations can also be translated into axioms for the minimal or maximal number of tuples in a relation for a fixed tuple component.

The depicted cutout of τ_CBSD models the organization of components and interfaces into packages, as well as the internal structures. Component and Interface stand for components and interfaces, respectively, and are contained in packages (Package). Interfaces contain a set of signatures (Signature), indicating the methods that an implementation must provide, and members (Member), or attributes. As these features are also provided by classes (Class), they are defined in a common superclass OOClassifier. The different relations modeled by hasX, definesX, and inheritsX reflect the different possibilities for relating signatures or members to classifiers by inheritance or defining; the set of all available signatures of one classifier, for example, is addressed by hasSignature, which is the union of definesSignature and inheritsSignature. Interfaces are provided and required by components, as modeled by providesInterface and requiresInterface.

Classes are interpreted as component-local classifiers that implement those interfaces that the component provides. The internal structure of components is reflected in parts (Part, related by encapsulates) that can be typed by components or classes (because Component and Class are specializations of Type). Special parts are Ports. Provided ports (ProvidedPort) are parts that are accessible from the environment of a component; required ports can be understood as place holders usable in the specification of a component, indicating a reference to a port that has to be provided by a different component at runtime. In contrast to ports, inner parts (InnerPart) are not accessible from outside a component. Ports are connected by connectors (Connector), which represent links between objects at runtime. Connectors are directed from connectorSource to connectorTarget, which are also parts. If the connected parts are ports, for example, the location of the parts where the ports are located must be idenfitified prior to connecting two component-typed inner parts of a component. This is modeled by sourceContext and targetContext. The specification of a whole system is done by SystemConfigurations that are structured the same way as components by parts (see relation configurationParts), only differing in the fact that all parts must be typed by components, not classes.

Constraints like this are also part of Φ_CBSD. The example of system configuration parts that need to be typed by components can be expressed by the following axiom:

$\forall x\forall y:\left(\mathit{InnerPart}\left(x\right)\wedge \mathit{SystemConfiguration}\left(y\right)\wedge \mathit{configurationPart}\left(y,x\right)\to \forall z:\left(\mathit{hasType}\left(x,z\right)\to \mathit{Component}\left(z\right)\right)\right)$

τ_CBSD and Φ_CBSD furthermore define the behavior specification of component-based systems contained in MethodBody. The relevant relation symbols formalize control flow graphs (Allen, 1970) and different types of statement nodes such as instance creation and destruction, asynchronous and synchronous communication, and the assignment of references. For the sake of brevity, we omit the details and refer the reader to Herold (2011).

7.3.2 Formal representation of models

As mentioned above, models are represented as first-order logic τ_CBSD-statements; these are statements that use relation symbols from τ_CBSD among others. This means that additional relation symbols can be defined and used if necessary. As an example of a statement representing a model, consider the UML design model cutout of Common Component Modeling Example (CoCoME) depicted in Figure 7.8. It shows that the component StoreGUI requires the interface StoreIF. This informal statement can be translated to a first-order logic statement over τ_CBSD-structures:

$\mathit{Component}\left(e_{\mathit{StoreGUI}}\right)\wedge \mathit{Interface}\left(e_{\mathit{StoreIF}}\right)\wedge \mathit{requiresInterface}\left(e_{\mathit{StoreGUI}},e_{\mathit{StoreIF}}\right)$

whereas e_x is the entity representing the element x in the model. In the following, we will denote with ϕ_M the set of τ_CBSD-statements for a model M. Logical statements are evaluated over relational structures as introduced, and we will denote by S(ϕ_M) the set of systems that fulfill the set of formulas ϕ_M.

7.3.3 Conformance of models

It is obvious that conformance between architecture and design cannot be defined as classical refinement relation stating that every satisfying system of the design model must also satisfy the architectural model. The statements for the design model are local, hence every extension of a satisfying system s satisfies the design model, too. If s also satisfies the architectural model, this does not necessarily have to be the case for every extension. Consider an architectural design model describing components A, B, and C that are correctly dependent on each other with regard to the layer modeled by the architecture. A component D can be added to the system,⁴ destroying the correct layering.

Instead of claiming that every satisfying system of the design is also a system for the architecture, the constraint for conformance is weakened to a certain subset of satisfying systems: Only the minimal systems of the design (or the implementation) have to also satisfy the statements of the architecture (see Figure 7.5). A system is called minimal for a set of logical statements if it satisfies the set of statements, and no element or relationship could be removed from the system without losing this property.

Unfortunately, the set of minimal systems can be infinitely large. Consider the extensional statement Component(StoreGUI). There is a single minimal satisfying structure, containing only one entity in the set of components. But unfortunately, the axioms of Φ_CBSD mention that components must be nested in packages, hence every system consisting of the single component StoreGUI in a package is a minimal system—infinitely many.

Therefore we make three restricting assumptions that have to be valid for models that can be checked for conformance. If all of these are valid for a model M, there is a unique minimal system for M, as follows:

1. Extensional statements of M are conjunctions of facts. This means that they are conjunctions of terms of the form Pred(e₁,…,e_n) where Pred is an n-ary predicate and e_i refers to entities.

2. A structure that satisfies ϕ_M^ext also satisfies ϕ_M^int. This means that a model satisfies its own constraints.

3. Every minimal structure satisfies the axioms of Φ_CBSD, that is, minimal structures are also minimal systems.

There is at most one minimal structure for statements described in (1). Assumption (2) ensures that if this unique minimal model for the extensional part of a model exists, it is also a satisfying structure for the whole model. Assumption (3) finally ensures that the minimal structure is a minimal system.

The prototype presented in the following section implements conformance checking following this definition and these assumptions. Note that a minimal model for the extensional statement can be generated and that the assumptions can be checked by model checking.

7.3.4 Prototypical implementation

To evaluate the approach to architectural conformance checking, a prototypical tool called ArCh has been implemented. It is based on a realization using logic knowledge representation systems like Prolog or Powerloom (Information Sciences Institute, 2006). The overall structure and functionality of ArCh is depicted in Figure 7.6. The tool concept is integrated into Eclipse.⁵

The main component of ArCh is the Architecture Conformance Checking Framework. It realizes the functionality of conformance checking based upon the definition explained in Section 7.3.3. It also defines an internal representation of relational structures as used in the proposed approach. This is used by the wrapper interface to define a standardized interface to structures conforming to τ_CBSD. Another interface, the backend interface, encapsulates the specific knowledge representation system and keeps the implementation interchangeable.

Different wrappers encapsulate instances of different meta-models (or programming languages) and provide a τ_CBSD-view onto models (or source code) that need to be checked. Currently, UML and Java are supported as well as simple examples of architecture description languages. Note that in the scenario described in this chapter, no separate meta-model for an architectural model of CoCoME has been defined; instead, two instances of a UML wrapper have been used, one responsible for the architectural model written in UML.⁶ For arbitrary meta-models following the MOF (OMG (Object Management Group), 2006), plugins generated by EMF can be used to access models (Steinberg et al., 2009).

At the moment, the transformation of MOF-conforming meta-models is realized programmatically by navigating the model's structure through the API provided by EMF. One of the next development steps will be to replace the programmatic transformation with model transformations that create the internally used data model from EMF models. The transformation for Java has been realized as a programmatic transformation using the Eclipse development tools that provide an API to the abstract syntax tree of Java source code.

The transformation definitions, that is, the queries representing the logical sentences for the architectural rules that a meta-model element implies, are stored separately and serve as input for the corresponding wrapper. The framework also supports loading queries from libraries in which common queries can be stored for reuse.

The framework forwards the relational structures representing the models as merged structure to the connected backend that represents it specifically for the implementation as logical knowledge base. As of yet, an implementation for third-party system Powerloom has been realized. Architectural rules are represented as logical queries and executed by the knowledge representation system in the process of conformance checking. The source for rule definitions can be any source for strings. In the case of the wrapper for layered architectures, a simple text file is attached to wrapper instances during their initialization. It contains a comma-separated list of entries of the form

< meta model element >,<rule-def >,<rule-desc >

< meta model element > refers to the element of the meta-model for which the rule is generated, < rule-def > contains the rule definition, and < rule-desc > is an informal description of the rule definition. The actual rule definition is PowerLoom query code. For example, the entry

“Layer”,
“(illegalLayerDependencies ?this ?toLayer ?srcElem ?trgElem)”,
“Actual layer dependencies are not compliant with intended ones!”

reflects basically the top-level statement of the architectural rule described in Section 7.4.1.2. Figure 7.7 shows the result dialog of ArCh checking a modified CoCoME system in which a logging component was added to the application layer. As the logging component is used in the entire inventory subsystem, the dependencies cause architectural violations.

The prototype can either be used interactively or in a batch-like mode as part of an automated process. In the first mode (also shown by the screenshot in Figure 7.7), the user can configure the set of related artifacts, for example, the architecture of the system and the folder of Java source code, and check this set for architectural conformance. In batch mode, ArCh can be integrated into an automatic build process, such as a nightly build, and generate reports about architectural conformance of the system. This allows continuous and effective checking of architectural conformance.

7.4.1 The common component modeling example

The CoCoME is a system that has been developed for a comparative study of component-based development approaches (Rausch et al., 2008). The system, also called Trading System for short, supports basic business processes in retail stores like supermarkets. The Trading System covers two functional areas: It supports the process of selling goods at cash desks, and it helps with the management of inventory, including ordering new goods, determining low stocks, and so forth.

7.4.1.1 Architectural aspects of CoCoME

The Inventory subsystem of CoCoME is a kind of typical information system. It is structured according to the common Three-Layer-Architecture (Fowler, 2002) that defines a data layer, an application layer, and the graphical user interface (GUI) layer from bottom to top. While the GUI layer is responsible for user interaction, that is, presenting data and receiving user input, the application layer realizes business logic. The data layer is responsible for creating, reading, updating, and deleting data from persistent storages like databases. The layering in the case of CoCoME is strict, which means that the GUI layer may access the application layer but not the persistence layer directly.

As already mentioned, the layering of a system groups the components of the system hierarchically. In general, however, the allowed usage relations are specified in addition explicitly because normally a general right for upper layers to use every layer below is not desirable, for example, in strict layerings. Hence, the following informal constraints have to hold for layers in general:

• A layer L may only use functionality of L itself or

• L may use functionality of layer M (L ≠ M) if L is at a higher level than M and L is explicitly modeled to be allowed to use M.

Hence, a layer in general imposes the architectural rule that the content of a layer may depend only on content of the layer itself, or content in layers that the containing layer is explicitly allowed to depend on. A dependency in component-based systems exists in the following cases:

• Usage between components and interfaces, that is, components providing or requiring an interface, makes a component depend on the interface signature.

• Specialization between interfaces leads to a usage relation between the specializing and the generalized interface.

• Usage of interfaces. An interface using another interface as method argument type or return type, or as type of a reference.

• Method calls. The implementation of a component calls a method at another component (e.g., connected via a connector to a required port) synchronously. Because of the non-blocking behavior of asynchronous communication, the calling component does not depend on the “correct” behavior of the method invoked.

Figure 7.8 depicts a cutout of the CoCoME architecture and design models and shows a violation of this architectural aspect.

Another architectural aspect affects the application layer interface that is accessed via a network in the CoCoME system. One way of accessing a remote interface is via remote method invocation using middleware that includes marshaling and unmarshaling of calls. Due to these mechanisms, each call of a remote object's method, like reading object attribute values or navigating references to associated objects, causes overhead for this kind of communication (Fowler, 2002).

A common solution to this problem is the use of data transfer objects (Fowler, 2002). Instead of passing references to the web of persisted objects to the GUI layer, the required fragment of this web is copied into transfer objects. These copies are transferred to the GUI layer via the network; the GUI, running at a remote client computer, gets its own local and hence efficiently accessible copy of persisted data. We therefore also say that a component handling the passing of data the manner described provides an interface with copy semantics (in contrast to reference semantics). This concept is also an important part of service-oriented architectures (Krafzig et al., 2004).

The informal architectural rule defined by this concept is:

• The client of a service-oriented layer may connect only to interfaces that are declared service interfaces.

• A service interface is an interface providing service methods only. Those methods use only transfer object classes or primitive types as parameter types or result types. Each call of a service method returns a new copy of data, that is, a new instance of the transfer object class. This ensures that two different clients do not share a single instance as returned value.

• A transfer object class contains only attributes of primitive types or other transfer objects classes; a transfer object never refers to an object that is not a transfer object. Especially objects from the domain model are not allowed.

Figure 7.9 shows a fictitious violation of this concept in the CoCoME system.

As mentioned above, the components of the Cash Desk System interact by causing and reacting to events. The event of scanning a product bar code (which is raised by the bar code scanner) causes reactions of other components: The running total is updated and visualized on the cash box display, and the receipt printer prints another entry of the sale. Such a system is also said to have an event-driven architecture (Yochem et al., 2009). A common way of realizing an event-driven architecture is to use the Event Channel pattern (Buschmann et al., 1996), a special variant of the Publisher-Subscriber pattern (Gamma et al., 1995).

In CoCoME, there are actually two kinds of event channels. Each single cash desk has a separate channel connecting the software controllers for the single devices; the channel is for the communication among them and the communication with the cash desk application. For the whole cash desk line, there exists an event channel with which the single cash desk applications register as publishers; the already mentioned application layer component StoreApp of the inventory system registers as subscriber. The cash desks publish SaleRegisteredEvents onto this channel, indicating that a sale process is finished. As a reaction to this event, the inventory system updates the amounts of goods in the inventory. Figure 7.10 depicts this structure and shows also a violation of the following rules that apply:

• There are two kinds of components in the considered subsystem: event channels and participants. The latter are publishers or subscribers (or both).

• Components interact by raising events modeled as a specific kind of type and reacting to them.

• Participants connected to the same event channel are not allowed to communicate directly with each other.

• Participants commit events to the event channel, which ensures that these events are forwarded to the other participants at some point. This happens decoupled from the original commit call to provide an asynchronous communication between participants.

7.4.1.2 The architectural rules of CoCoME

The proposed architecture conformance checking approach has been applied to check a design model of CoCoME described in Rausch et al. (2008) and refined in Herold (2011). The architecture of CoCoME was modeled using UML with architectural profiles that captured the relevant concepts. Figure 7.11 depicts the stereotypes used for CoCoME. The stereotype Group extends packages and reflects “virtual” groups of elements as outlined in Zdun and Avgeriou (2008). The Layer stereotype specializes Group and adds a level attribute reflecting the position of the stereotyped package in the layer hierarchy. A further specialization of Layer is ServiceOrientedLayer marking layers with copy semantics interface. The allowed usage relationships can be modeled by dependencies stereotyped with isAllowedToUse. The stereotype mapsToPackage extends the meta-class Dependency of the UML meta-model. It indicates which packages' contents are part of the “virtual group”; in our example, this relationship indicates by which packages a layer is manifested. The stereotypes EventChannel, Subscriber, and Publisher are used to model the event-based architecture; they extend Property because they label parts of subsystems modeling the single component instances of a subsystem playing one or more of the three roles in event-based architectures.

For the sake of brevity, we will only consider the architectural layer aspect and will give a detailed description of the transformation for this aspect only. The stereotype Layer is transformed as follows:

$T^{\mathit{UML},\mathit{arch}}\left(\mathit{Layer}\right):=\left(\left\{\mathit{Layer}\left(\mathit{this}\right)\right\},\left\{\mathit{\neg illegal}\mathit{Dependencies}\mathit{From}\mathit{Layer}\left(\mathit{this}\right)\right\}\right)$

whereas the second statement constitutes an architectural rule, it basically states that there are no dependencies allowed that are not covered by parallel isAllowedToUse dependencies in the architectural model (see Figure 7.8), that is, there exist dependencies that do not conform to an existing isAllowedToUse tuple:

$\mathit{illegal}\mathit{Dependencies}\mathit{From}\mathit{Layer}\left(g\right):=\exists g^{\prime }:\left(\mathit{group}\mathit{Dependency}\left(g,g^{\prime }\right)\wedge \overline{\mathit{is}\mathit{Allowed}\mathit{To}\mathit{Use}\left(g,g^{\prime }\right)}\wedge g\ne g^{\prime }\right)$

A group dependency between g and g′ exists if g contains an element that depends on an element contained in g′.

$\mathit{group}\mathit{Dependency}\left(g,g^{\prime }\right):=\exists e\exists e^{\prime }:\left(\mathit{in}\mathit{Group}\left(e,g\right)\wedge \mathit{in}\mathit{Group}\left(e^{\prime },g^{\prime }\right)\wedge \mathit{depends}\mathit{On}\left(e,e^{\prime }\right)\right)$

Whereas inGroup reflects the containment relationship. An element is contained in a group if it is directly contained in a package that the group maps to, or one of the package's subpackages. This also means that elements of groups are either components or interfaces, the only elements that are contained in packages by the definitions of τ_CBSD:

$\begin{array}{l}\mathit{inGroup}\left(e,g\right):=\exists p\\ :(\mathit{mapsToPackage}\left(g,p\right)\wedge \left(\mathit{containsComponen}{t}^{+}\left(p,e\right)\vee \mathit{containsInterfac}{e}^{+}\left(p,e\right)\right))\end{array}$

dependsOn(e,e′) is a container for the different possibilities of how single elements in a component-based system can depend on each other. It is defined as

$\mathit{dependsOn}\left(e,e^{\prime }\right):=\underset{i=1,\dots ,8}{\vee }\mathit{dependsO}{n}_i\left(e,e^{\prime }\right)$

The complete refinement of this sentence and the overall rule for layers can be found in Herold (2011). For example, to express that an interface e depends on another interface f if it uses f as type of a member, we can define

$\mathit{dependsO}{n}_1\left(e,f\right):=\mathit{Interface}\left(e\right)\wedge \mathit{Interface}\left(f\right)\wedge \exists m:\left(\mathit{hasMember}\left(e,m\right)\wedge \mathit{hasType}\left(m,f\right)\right)$

7.4.1.3 Results of checking the architectural rules of CoCoME

The architectural layering of CoCoME implies the following architectural rules that need to be checked:

$\begin{array}{l}\{\neg \mathit{illegalDependenciesFromLayer}\left(e_{\mathit{GUILayer}}\right),\\ \neg \mathit{illegalDependenciesFromLayer}\left(e_{\mathit{ApplicationLayer}}\right),\\ \neg \mathit{illegalDependenciesFromLayer}\left(e_{\mathit{DataLayer}}\right)\}\end{array}$

We will not go into the details of the evaluation of these rules. But informally, every layer is mapped onto one package in a design model or code. GUI layer components, that is, components contained in the GUI package, use only other GUI components or transfer object interfaces and services that are both defined at the application layer. No dependencies can be detected between elements of a layer and any layer above, and therefore no illegal dependencies can be detected. Moreover, event channels are properly used and are the only communication path in the cash desk subsystem.

However, an architectural violation has been detected for the application layer interface. This is the case because of the component StoreApp depicted in Figure 7.12, which is instantiated in the application layer. A component instantiated in the GUI layer connects to this component via its port storeIf. However, this port also provides the interface connecting the component to an event channel. Hence, it does not hold that the all components in the application layer are accessible by services only. In fact, the result that the approach notices a violation of the architecture makes sense. The accessed object, the port storeIf, appears as a service implementation by the fact that only the interface StoreIf is visible to the GUI; however, the non-service methods of the object could be retrieved, for example, by reflection.

7.4.3 Results

The case studies have shown us encouraging results. The approach provided the required flexibility to express very different aspects of software architecture from general patterns such as layering to domain-specific concepts of a reference architecture. We were able to check architectural for different architecture meta-models as well as different “implementations” of the architecture in forms of UML models or Java source code.

The detected architecture violations were in all cases relevant matches that revealed more or less severe cases of eroded architectures. In a single case we found false positives that in all cases were results of incomplete or wrong formalizations of informally described architecture concepts that could be corrected together with the responsible software architects of the software system.

The applied prototype showed satisfying performance in the case studies. It took about one minute to check the mentioned Register Factory application or to check large layered systems. This performance is sufficient for a batch-like checking process, for example, as an integrated part of a nightly build of a software system. If a more interactive mode of operation is required, for example, for instant feedback to the programmer from getting shown compiler errors in modern IDEs, the performance must be improved.

7.5.1 Contribution and limitations

The ontology defined by τ_CBSD and Φ_CBSD describes component-based systems in great detail, such that architectural rules have great expressiveness. It enables software architectures to describe rules restricting type structures like inheritance; the inner structure of types such as components, interfaces, and classes; the configuration of component-based systems; and the control flow graphs of methods as specifications of component behavior. The framework, however, allows this ontology to be extended by relation symbols to introduce new architectural concepts such as layers. Extensions to τ_CBSD are considered in the definition of conformance and can be introduced technically through wrappers. We implemented a prototype that is able to check architectural rules as defined above applying the logical knowledge representation system, PowerLoom.

Compared with existing approaches (cf. Section 7.2), the proposed approach combines the advantages of query language-based approaches and reflexion modeling. While the first have great expressiveness, their integration into model-based approaches is not provided by current tool support. This is improved by the proposed approach because the definition of architectural rules can be easily integrated with arbitrary meta-models. Other query-based approaches, to our best knowledge, do not have this property.

On the other hand, reflexion modeling approaches already provide high-level models of systems but are limited in their expressiveness to components and dependencies. The proposed approach allows software architects to add full first-order logic rules in a customizable way to arbitrary high-level models of software systems. Rules like those regarding the usage of transfer objects are not possible with reflexion modeling approaches.

From the perspective of architecture modeling, the proposed approach makes a practical contribution insofar as it allows extending the extensional description that existing architecture description or modeling languages provide by intensional constraints requiring checking across a set of refining artifacts of arbitrary types. Hence, the proposed approach supports the requirements of architectural conformance checking as described in Section 7.1 more exhaustively than does the state of the art.

The approach provides a potentially powerful solution with regard to the support for different meta-models. At the conceptual level, we can conclude that different meta-models are supported by the approach as far as there can be given a meaningful transformation definition specifying how to transform an instance of the meta-model into a set of corresponding τ_CBSD-statements. The effort of defining such a transformation is low in cases in which the modeling language itself contains component-based concepts and the mapping onto the τ_CBSD-ontology is simple. However, in every case, the architectural rules are defined independently of any meta-model to be checked, providing flexibility in this point.

At the implementation level, the effort of implementing a document wrapper must be achieved, which adds to the effort of defining the conceptual transformation. Although the transformation is implemented manually and procedurally, and the effort could probably be reduced by using model transformation techniques, the effort involved in wrapper development is relatively small: The implemented UML wrapper takes about 800 lines of code.

As always with common ontologies, there is a certain trade-off in the definition of τ_CBSD. Special characteristics and less strict constraints of single component models might not be expressed in τ_CBSD. For example, UML allows both providing and requiring ports at the same time (which is not allowed in τ_CBSD). As consequence, architectural rules must abstract from such component model-specific properties.

The representation of behavior as control flow graphs and the transformation of behavioral models into such structures might also limit the field of application of the proposed approach. The representation is strongly influenced from object-oriented systems in which behavior is specified by implementing methods. A mapping of other behavior specification techniques, for instance, contract specifications, might be difficult to realize.

The formulation of logical rules and their expressiveness is always limited by the applied logic and the set of available predicates, that is, the signature. First-order logics have proved expressive enough for the analyzed architectural rules; nevertheless, the developed ontology τ_CBSD/Φ_CBSD lacks a certain expressiveness, especially for rules/statements referring to the behavioral aspects. In fact, concepts like program traces, call sequences, and other runtime constructs are missing.

Moreover, this approach does not check quality attributes of the software architecture directly because there is no way to specify them. As mentioned in the introduction, however, the quality of a system is influenced negatively by architecture erosion that can be detected and avoided by architecture conformance checking. Hence, the proposed approach can help to enforce a software architecture that ensures certain quality attributes and, hence, to indirectly support these quality attributes.

PowerLoom provides good query performance with respect to execution time. To evaluate performance for larger systems, some test series were executed. The tests included the implementation of the architectural rules for layers as discussed above. The checked models were UML design models and a layered architecture defining three layers with strict layering. The design models consisted of a defined number of components as depicted in Table 7.1; for each test series, randomly generated models of different sizes were generated. In addition to the components, the same number of interfaces was generated that provided and required relations in such a way that components were providing one to two interfaces and requiring two interfaces on average; these connected components and interfaced randomly. Moreover, components and interfaces were uniformly distributed to packages, and hence indirectly to layers. Tests were executed on a common desktop PC.

The results show that the worst-case complexity of PowerLoom in querying, which is exponential, does not affect checking the rule for layers; time consumption exhibits a quadratic growth with the size of the design model. The absolute numbers, however, show that the prototype delivers checking results in a reasonable time, at least for use cases in which checks are not permanently required (such as “in-line conformance checking” during programming).

The prototypical realization shows that, although the approach can be applied in practical relevant cases, it will be extended to support more requirements from real-life industrial projects. Currently, we are working on a better integration of third-party components into the conformance checking process that includes development of a wrapper for Java bytecode, definition of exceptions of rules, for example, to allow single (third-party) components to “violate” architectural rules, and a prioritization/classification of rules to distinguish different level of strictness for architectural rules. These features will require more information to be given in the specification of architectural rules, such as a list of exceptions or strictness classification, but will not affect the applied formalisms.

7.5.2 Future work

To further improve the practical relevance of the approach, architectural rules (and also design rules) should be defined and collected in a reusable catalogue of rules. This catalogue could be used by developers of document wrappers and would in general reduce the barriers to the application of architectural conformance checking. A reasonable starting point might be the formalization of the rules that patterns of popular pattern catalogues define (see, e.g., Buschmann et al., 1996). Of course, such general catalogues will be specialized in general in projects and companies applying them and tailoring them to specific needs. Hence, it is important that architects are equipped with good methodical knowledge and tools to specify architectural rules. What notation could be used to intuitively formulate architectural rules requires further investigation.

Checking architectural compliance and detecting violations of rules are only the first step in exhaustive conformance management tool support. Hence, this approach can and should be extended by refactoring and reengineering techniques. Given that software systems are large and inherently complex, resolving violations and re-establishing compliance are difficult tasks, too. Experiences from consistency management show that automatic resolution of inconsistencies is possible only to a certain degree and must often be complemented by opportunities to manually influence inconsistency repairing (Becker et al., 2007).

Further investigations can be made into the logical formalism that should be applied to architectural conformance checking. So far, first-order logics are applied whose principal undecidability leads to some restriction in the applied PowerLoom knowledge representation and reasoning system. There is always a trade-off between the expressiveness of the language and the efficiency of checking logical statements. We will investigate whether description logics (Baader et al., 2010) would be an appropriate alternative. We will also investigate temporal logics (Gabbay et al., 2000) that could be applied to address behavioral aspects of architectural rules more efficiently. Tools like Maude (Clavel et al., 2007), which allows rewriting logic specification and programming, could be interesting alternatives for integrating flexible logics into architectural conformance checking, especially when it comes to behavioral aspects. Maude could thus be an interesting backend implementation alternative for ArCh.

7.5.3 Summary

The proposed approach allows the realization of architecture conformance checking tools that are flexible with regard to supported meta-models and to variability of architectural rules. An implementation framework allows such tools to be easily adapted to new meta-models, such that existing compliance checking functionality can be easily enhanced to new models without the need to modify existing architectural rules. It is not only possible to easily integrate meta-models whose instances need to conform to some architectural model; meta-models for architecture description defining rules can also be easily integrated.

The solution enables the specification and checking of architectural rules with the expressiveness of full first-order logics. In combination with the easy integration of models into the process of checking, the resulting basis allows significantly more powerful support for architectural conformance checking in MDSD in the future compared with the state of the art. It can hence help better to avoid architecture erosion and the loss of quality that might come with this effect.