Andrzej Wasowski

IT University of Copenhagen · Computer Science

PhD


206 Publications
34,718 Reads
6,718 Citations
Additional affiliations
August 2016 - September 2016
IT University of Copenhagen
Position
  • Professor
August 2001 - present
IT University of Copenhagen
Position
  • Professor (Associate)

Publications (206)
Article
Full-text available
As robotic systems such as autonomous cars and delivery drones assume greater roles and responsibilities within society, the likelihood and impact of catastrophic software failure within those systems is increased. To aid researchers in the development of new methods to measure and assure the safety and quality of robotics software, we systematical...
Conference Paper
Full-text available
We summarize our article published in IEEE Transactions on Software Engineering [Gh23]. Robotics systems are complex and software-intensive cyber-physical systems performing increasingly complex tasks in our everyday life. The software controlling robots is typically realized with specific software architectures, which make it possible to structure the software...
Technical Report
Full-text available
This tutorial discusses meta-modeling in the tooling infrastructure (technological space) Eclipse Modeling Framework (EMF). We create the abstract syntax (meta-model) of a language, and generate Java code from it, illustrated with an example from the book Domain Specific Languages -- Effective Modeling, Automation, and Reuse.
Preprint
Robots in many domains need to plan and make decisions under uncertainty; for example, autonomous underwater vehicles (AUVs) gathering data in environments inaccessible to humans, need to perform automated task planning. Planning problems are typically solved by risk-neutral optimization maximizing a single objective, such as limited time or energy...
Chapter
Data analysis has high value both for commercial and research purposes. However, disclosing analysis results may pose severe privacy risk to individuals. Privug is a method to quantify privacy risks of data analytics programs by analyzing their source code. The method uses probability distributions to model attacker knowledge and Bayesian inference...
Article
Autonomous robots combine skills to form increasingly complex behaviors, called missions. While skills are often programmed at a relatively low abstraction level, their coordination is architecturally separated and often expressed in higher-level languages or frameworks. State machines have been the go-to language to model behavior for decades, but...
Preprint
Data analysis has high value both for commercial and research purposes. However, disclosing analysis results may pose severe privacy risk to individuals. Privug is a method to quantify privacy risks of data analytics programs by analyzing their source code. The method uses probability distributions to model attacker knowledge and Bayesian inference...
Article
The development process for reinforcement learning applications is still exploratory rather than systematic. This exploratory nature reduces reuse of specifications between applications and increases the chances of introducing programming errors. This paper takes a step towards systematizing the development of reinforcement learning applications. W...
Preprint
Full-text available
We present a new symbolic execution semantics of probabilistic programs that include observe statements and sampling from continuous distributions. Building on Kozen's seminal work, this symbolic semantics consists of a countable collection of measurable functions, along with a partition of the state space. We use the new semantics to provide a ful...
Technical Report
Full-text available
This tutorial briefly introduces class-modeling as necessary for meta-modeling. We introduce the basic concepts, including classes and relationships, upon the simple class-modeling language Ecore, which is a dialect of UML class models, and which implements the MOF standard. The tutorial complements the book Domain Specific Languages -- Effective M...
Chapter
Analysis of genetic data opens up many opportunities for medical and scientific advances. The use of phenotypic information and polygenic risk scores to analyze genetic data is widespread. Most work on genetic privacy focuses on basic genetic data such as SNP values and specific genotypes. In this paper, we introduce a novel methodology to quantify...
Preprint
Full-text available
A specification theory combines notions of specifications and implementations with a satisfaction relation, a refinement relation and a set of operators supporting stepwise design. We develop a complete specification framework for real-time systems using Timed I/O Automata as the specification formalism, with the semantics expressed in terms of Tim...
Preprint
Full-text available
Software bots fulfill an important role in collective software development, and their adoption by developers promises increased productivity. Past research has identified that bots that communicate too often can irritate developers, which affects the utility of the bot. However, it is not clear what other properties of human-bot collaboration affec...
Chapter
An important notation for expressing domain models is feature models. Feature models are a simple, tree-based modeling notation that allows features and their constraints to be expressed. The latter restrict the valid combinations of features or express relations among features.
Chapter
Models and meta-models, algebraic data types and values, XML schemas and files, class and instance diagrams, YAML files—all these abstract-syntax specification methods are clearly important for you as a language designer. At the same time, the end-users, especially domain experts who are not programmers, tend to find them unnatural and cumbersome to...
Chapter
You want to design a DSL to boost software development, evolution, or customization in some domain. In the first step, you need to clarify what are the key relevant aspects of this domain, in a process known as domain analysis and meta-modeling. During the analysis, we identify the relevant concepts and relationships between them. During meta-model...
Chapter
In Chapter 3, we have discussed how to use generalization, containment, cardinality constraints, and associations to control the set of legal instances of a model. Nevertheless, when working on your own models, you must have arrived at situations when capturing the exact set of desirable instances using a class diagram was either impossible or cumb...
Chapter
Type systems are a common complement to structural constraints in enforcing static semantics on a program text, and are particularly useful if you need to track recursive properties on inductive syntax types (meta-models with cycles over containment relations). In this chapter, our goal is to explain what types and type systems are, to show how to...
Chapter
In the last two chapters, we discussed the use of MDSE techniques for realizing software product lines. More specifically, we described the realization of variability in traditionally developed systems and focused on variability of source code to customize it to particular needs. Let us now discuss the other direction: using product line techniques...
Chapter
We will now look at the application of MDSE for so-called software product lines—portfolios of software variants in a particular application domain. We will discuss the systematic engineering of product lines using methods and tools from the field of software product line engineering (SPLE). This field advocates the creation of configurable softwar...
Chapter
Even though building interpreters is often the cheapest and the easiest way to implement dynamic semantics, we need alternatives when architectural or performance requirements rule that out. Demands on execution speed, throughput, parallelization, low memory consumption, access locality, security or available programming languages and libraries may...
Chapter
So far, we focused on defining the syntax of DSLs in efficient ways. We worked with abstract and concrete syntax. We have seen tools that can transform syntax definitions (meta-models and grammars in our case) not only into model editors, but into a whole infrastructure for processing models that adhere to the syntax definition.
Chapter
In the previous chapters, we have focused on the construction of external domain-specific languages. Their development follows a compiler-like pipeline architecture, with clearly separated design artifacts: concrete and abstract syntax, types and constraints, an interpreter or a generator. Building external DSLs might feel like reimplementing large...
Chapter
Code generators (Chapter 9) and interpreters are the primary ways to give DSLs a dynamic semantics, to breathe meaning into syntax. DSL interpreters are tools that translate the input language piece-by-piece on the fly, like a human simultaneous translator from Danish to German during an interview or a press conference.
Chapter
Using models to design complex systems is common in many engineering disciplines, including architecture (buildings), civil engineering (roads and bridges), automotive engineering (cars), and avionics (airplanes). Models have an ever-growing list of applications. Engineers build them to assess system properties before prototyping or to steer constr...
Chapter
Our goal is to automate the development of software in a given domain by using models to describe its essential characteristics and producing applications using code generation and interpretation.
Chapter
Full-text available
The semantics of probabilistic languages has been extensively studied, but specification languages for their properties have received little attention. This paper introduces the probabilistic dynamic logic pDL, a specification logic for programs in the probabilistic guarded command language (pGCL) of McIver and Morgan. The proposed logic pDL can ex...
Preprint
Analysis of genetic data opens up many opportunities for medical and scientific advances. The use of phenotypic information and polygenic risk scores to analyze genetic data is widespread. Most work on genetic privacy focuses on basic genetic data such as SNP values and specific genotypes. In this paper, we introduce a novel methodology to quantify...
Article
The Linux kernel is a world-class operating system controlling most of our computing infrastructure: mobile devices, Internet routers and services, and most of the supercomputers. Linux is also an example of low-level software with no comprehensive regression test suite (for good reasons). The kernel’s tremendous societal importance imposes stri...
Preprint
Full-text available
Autonomous robots combine a variety of skills to form increasingly complex behaviors called missions. While the skills are often programmed at a relatively low level of abstraction, their coordination is architecturally separated and often expressed in higher-level languages or frameworks. State Machines have been the go-to modeling language for de...
Preprint
The semantics of probabilistic languages has been extensively studied, but specification languages for their properties have received little attention. This paper introduces the probabilistic dynamic logic pDL, a specification logic for programs in the probabilistic guarded command language (pGCL) of McIver and Morgan. The proposed logic pDL can ex...
Article
Full-text available
Known attempts to build autonomous robots rely on complex control architectures, usually implemented with the Robot Operating System (ROS). Runtime adaptation is needed in these systems, to cope with component failures and with contingencies arising from dynamic environments – otherwise these affect the reliability and quality of the mission execut...
Article
Pull requests facilitate inclusion and improvement of contributions in distributed software projects, especially in open source communities. An author makes a pull request to present a contribution as a candidate for inclusion in a code base. The request is inspected by maintainers and reviewers. The initiated process of review and collaborative im...
Chapter
Disclosure of data analytics results has important scientific and commercial justifications. However, no data shall be disclosed without a diligent investigation of risks for privacy of subjects. Privug is a tool-supported method to explore information leakage properties of data analytics and anonymization programs. In Privug, we reinterpret a prog...
Conference Paper
Disclosure of data analytics results has important scientific and commercial justifications. However, no data shall be disclosed without a diligent investigation of risks for privacy of subjects. Privug is a tool-supported method to explore information leakage properties of data analytics and anonymization programs. In Privug, we reinterpret a prog...
Article
Full-text available
High-level transformation languages like Rascal include expressive features for manipulating large abstract syntax trees: first-class traversals, expressive pattern matching, backtracking, and generalized iterators. We present the design and implementation of an abstract interpretation tool, Rabit, for verifying inductive type and shape properties...
Preprint
Disclosure of data analytics results has important scientific and commercial justifications. However, no data shall be disclosed without a diligent investigation of risks for privacy of subjects. Privug is a tool-supported method to explore information leakage properties of data analytics and anonymization programs. In Privug, we reinterpret a prog...
Preprint
Full-text available
https://arxiv.org/abs/2010.09145 | Known attempts to build autonomous robots rely on complex control architectures, often implemented with the Robot Operating System platform (ROS). These architectures need to be dynamically adaptable in order to cope with changing environment conditions, new mission requirements or component failures. The implem...
Preprint
Full-text available
Autonomous robots combine a variety of skills to form increasingly complex behaviors called missions. While the skills are often programmed at a relatively low level of abstraction, their coordination is architecturally separated and often expressed in higher-level languages or frameworks. Recently, the language of Behavior Trees gained attention a...
Article
Full-text available
Participatory Action Research (PAR) is an established method to implement change in organizations. However, it cannot be applied in the open source (FOSS) communities, without adaptation to their particularities, especially to the specific control mechanisms developed in FOSS. FOSS communities are self-managed, and rely on consensus to reach decisi...
Preprint
Full-text available
Participatory Action Research (PAR) is an established method to implement change in organizations. However, it cannot be applied in the open source (FOSS) communities, without adaptation to their particularities, especially to the specific control mechanisms developed in FOSS. FOSS communities are self-managed, and rely on consensus to reach decisi...
Article
System families (Software Product Lines) are becoming omnipresent in application areas ranging from embedded system domains to system-level software and communication protocols. Software Product Line methods and architectures allow effective building of many custom variants of a software system in these domains. In many of the applications, their rigo...
Article
High-level transformation languages like Rascal include expressive features for manipulating large abstract syntax trees: first-class traversals, expressive pattern matching, backtracking and generalized iterators. We present the design and implementation of an abstract interpretation tool, Rabit, for verifying inductive type and shape properties f...
Chapter
Building a static analyser for a real language involves modeling of large domains capturing the many available data types. To scale domain design and support efficient development of project-specific analyzers, it is desirable to be able to build, extend, and change abstractions in a systematic and modular fashion. We present a framework for modula...
Preprint
Full-text available
A dependency bug is a software fault that manifests itself when accessing an unavailable asset. Dependency bugs are pervasive and we all hate them. This paper presents a case study of dependency bugs in the Robot Operating System (ROS), applying mixed methods: a qualitative investigation of 78 dependency bug reports, a quantitative analysis of 1354...
Preprint
Full-text available
Background: The adoption of Free/Libre and Open Source Software (FOSS) by institutions is significantly increasing, and so is the affiliated participation (the participation of industry engineers in open source communities as part of their jobs). Aims: This study is an investigation into affiliated participation in FOSS communities. So far, little...
Preprint
Background: The adoption of Free/Libre and Open Source Software (FOSS) by institutions is significantly increasing, and so is the affiliated participation (the participation of industry engineers in open source communities as part of their jobs). Aims: This study is an investigation into affiliated participation in FOSS communities. So far, little...
Chapter
Full-text available
Variability models allow effective building of many custom model variants for various configurations. Lifted model checking for a variability model is capable of verifying all its variants simultaneously in a single run by exploiting the similarities between the variants. The computational cost of lifted model checking still greatly depends on the...
Article
Many software systems are today variational: they are built as program families or Software Product Lines. They can produce a potentially huge number of related programs, known as products or variants, by selecting suitable configuration options (features) at compile time. Many such program families are safety critical, yet the appropriate tools on...
Preprint
Variability models allow effective building of many custom model variants for various configurations. Lifted model checking for a variability model is capable of verifying all its variants simultaneously in a single run by exploiting the similarities between the variants. The computational cost of lifted model checking still greatly depends on the...
Article
Anonymization is viewed as a solution to over-exposure of personal information in a data-driven society. Yet how organizations apply anonymization techniques to data for regulatory, ethical or commercial reasons remains underexplored. We investigate how such measures are applied in organizations, asking whether anonymization practices are used, wha...
Conference Paper
Full-text available
In Model-Driven Software Development, models are automatically processed to support the creation, build, and execution of systems. A large variety of dedicated model-transformation languages exists, promising to efficiently realize the automated processing of models. To investigate the actual benefit of using such specialized languages, we performe...
Preprint
High-level transformation languages like Rascal include expressive features for manipulating large abstract syntax trees: first-class traversals, expressive pattern matching, backtracking and generalized iterators. We present the design and implementation of an abstract interpretation tool, Rabit, for verifying inductive type and shape properties f...
Preprint
Full-text available
Embedded software is growing fast in size and complexity, leading to an intimate mixture of complex architectures and complex control. Consequently, software specification requires modeling both structures and behaviour of systems. Unfortunately, existing languages do not integrate these aspects well, usually prioritizing one of them. It is common to...
Article
Full-text available
Many software systems today are configurable, offering customization of functionality by feature selection. Understanding how performance varies in terms of feature selection is key for selecting appropriate configurations that meet a set of given requirements. Due to a huge configuration space and the possibly high cost of performance measurement,...
Conference Paper
Full-text available
ROS (Robot Operating System) is an open source community in robotics that is developing standard robotics operating system facilities such as hardware abstraction, low-level device control, communication middleware, and a wide range of software components for robotics functionality. This paper studies the quality assurance practices of the ROS comm...
Article
Family-based (lifted) static analysis for “highly configurable programs” (program families) is capable of analyzing all variants at once without generating any of them explicitly. It takes as input only the common code base, which encodes all variants of a program family, and produces precise analysis results corresponding to all variants. However,...
Article
Full-text available
Variability-sensitive verification pursues effective analysis of the exponentially many variants of a program family. Several variability-aware techniques have been proposed, but researchers still lack examples of concrete bugs induced by variability, occurring in real large-scale systems. A collection of real world bugs is needed to evaluate tool...
Article
Full-text available
Many software systems are variational: they can be configured to meet diverse sets of requirements. They can produce a (potentially huge) number of related systems, known as products or variants, by systematically reusing common parts. For variational models (variational systems or families of related systems), specialized family-based model checki...
Chapter
Variational systems (system families) allow effective building of many custom system variants for various configurations. Lifted (family-based) verification is capable of verifying all variants of the family simultaneously, in a single run, by exploiting the similarities between the variants. These algorithms scale much better than the simple enume...
Article
Full-text available
We use timed I/O automata based timed games to synthesize task-level reconfiguration services for cost-effective fault tolerance in a case study. The case study shows that state-space explosion is a severe problem for timed games. By applying suitable abstractions, we dramatically improve the scalability. However, timed I/O automata do not facilita...
Conference Paper
Variational systems are ubiquitous in many application areas today. They use features to control presence and absence of system functionality. One challenge in the development of variational systems is their formal analysis and verification. Researchers have addressed this problem by designing aggregate so-called family-based verification algorithm...
Article
Context. Variability-intensive programs (program families) appear in many application areas and for many reasons today. Different family members, called variants, are derived by switching statically configurable options (features) on and off, while reuse of the common code is maximized. Inquiry. Verification of program families is challenging since...
Conference Paper
Full-text available
Software tends to suffer from simple resource mis-manipulation bugs, such as double-locks. Code scanners are used extensively to remove these bugs from projects like the Linux kernel. Yet, these tools are not effective when the manipulation of resources spans multiple functions. We present a shape-and-effect analysis for C, that enables efficient a...
Conference Paper
For program families (Software Product Lines), specially designed variability-aware static (dataflow) analyses allow analyzing all variants (products) of the family, simultaneously, in a single run without generating any of the variants explicitly. They are also known as lifted or family-based analyses. The variability-aware analyses may be too cos...
Conference Paper
Transformations form an important part of developing domain specific languages, where they are used to provide semantics for typing and evaluation. Yet, few solutions exist for verifying transformations written in expressive high-level transformation languages. We take a step towards that goal, by developing a general symbolic execution technique t...
Conference Paper
Full-text available
Software projects embrace variability to increase adaptability and to lower cost; however, others blame variability for increasing complexity and making reasoning about programs more difficult. We carry out a controlled experiment to quantify the impact of variability on debugging of preprocessor-based programs. We measure speed and precision for b...
Article
Software product line (SPL) engineering facilitates development of entire families of software products with systematic reuse. Model driven SPLs use models in the design and development process. In the safety critical domain, validation of models and testing of code increases the quality of the products altogether. However, to maintain this trustwo...
Conference Paper
In order to get insight into challenges with quality in highly-configurable software, we analyze one of the largest open source projects, the Linux kernel, and quantify basic properties of configuration-related warnings. We automatically analyze more than 20 thousand valid and distinct random configurations, in a computation that lasted more than a...
Book
This book constitutes the proceedings of the 12th European Conference on Modelling Foundations and Applications, ECMFA 2016, held as part of STAF 2016, in Vienna, Austria, in July 2016. The 16 papers presented in this volume were carefully reviewed and selected from 47 submissions. The committee decided to accept 16 papers, 12 papers for the Founda...
Chapter
Full-text available
Many software systems are variational: they can be configured to meet diverse sets of requirements. Variability is found in both communication protocols and discrete controllers of embedded systems. In these areas, model checking is an important verification technique. For variational models (systems with variability), specialized family-based mode...
Conference Paper
Model checking provides a convenient way to check whether a given software system is correct with respect to a set of relevant semantic properties. To use a model checker like SPIN [5], the software system must be modelled as a transition system (TS). Afterwards, the model checker can check the correctness of the translated TS by exhaustively explo...
Conference Paper
Full-text available
Family-based (lifted) data-flow analysis for Software Product Lines (SPLs) is capable of analyzing all valid products (variants) without generating any of them explicitly. It takes as input only the common code base, which encodes all variants of a SPL, and produces analysis results corresponding to all variants. However, the computational cost of...
Article
Full-text available
Variant-rich software systems offer a large degree of customization, allowing users to configure the target system according to their preferences and needs. Facing high degrees of variability, these systems often employ variability models to explicitly capture user-configurable features (e.g., systems options) and the constraints they impose. The e...
Article
Full-text available
A recent line of work lifts particular verification and analysis methods to Software Product Lines (SPL). In an effort to generalize such case-by-case approaches, we develop a systematic methodology for lifting single-program analyses to SPLs using abstract interpretation. Abstract interpretation is a classical framework for deriving static analyse...
Article
Full-text available
Family-based (lifted) data-flow analysis for Software Product Lines (SPLs) is capable of analyzing all valid products (variants) without generating any of them explicitly. It takes as input only the common code base, which encodes all variants of a SPL, and produces analysis results corresponding to all variants. However, the computational cost of...
Conference Paper
Task-level reconfiguration techniques in automotive applications aim to reallocate tasks to computation cores during failures to guarantee that the desired functionality is still delivered. We consider a class of mixed-criticality asymmetric multi-core systems inspired by our collaboration with a leading automotive manufacturing company, for which...
Conference Paper
Introducing automated formal methods for large industrial real-time systems is an important research challenge. We propose timed process automata (TPA) for modeling and analysis of time-critical systems which can be open, hierarchical, and dynamic. The model offers two essential features for large industrial systems: (i) compositional modeling with...
Conference Paper
Full-text available
In recent years, quantitative security techniques have been providing effective measures of the security of a system against an attacker. Such techniques usually assume that the system produces a finite amount of observations based on a finite amount of secret bits and terminates, and the attack is based on these observations. By modeling systems w...