Research Article

Automatic Analysis of Complex Interactions in Microservice Systems

Fei Dai, Hao Chen, Zhenping Qiang, Zhihong Liang, Bi Huang, and Leiguang Wang

School of Big Data and Intelligence Engineering, Southwest Forestry University, Kunming, China

Correspondence should be addressed to Zhenping Qiang; qzplucky@163.com

Received 3 December 2019; Revised 2 February 2020; Accepted 7 February 2020; Published 31 March 2020

Guest Editor: Xuyun Zhang

Hindawi, Complexity, Volume 2020, Article ID 2128793, 12 pages, https://doi.org/10.1155/2020/2128793

Copyright © 2020 Fei Dai et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Interactions in microservice systems are complex due to three dimensions: numerous asynchronous interactions, the diversity of asynchronous communication, and unbounded buffers. Analyzing such complex interactions is challenging. In this paper, we propose an approach for interaction analysis using model checking techniques, which is supported by the Process Analysis Toolkit (PAT) tool. First, we use Labeled Transition Systems (LTSs) to model interaction behaviors in microservice systems as sequences of send actions under synchronous and asynchronous communications. Second, we introduce a notion of correctness called "interaction soundness", which is considered as a minimal requirement for microservice systems. Third, we propose an encoding of LTSs into the CSP# process algebra for automatic verification of the property interaction soundness. The experimental results show that our approach can automatically and effectively identify interaction faults in microservice systems.

1 Introduction

The cloud computing paradigm [1–3] and edge computing paradigm [4–6] enable us to utilize IT resources flexibly. This trend not only drives many software systems to migrate from monolithic architecture to microservice architecture [7] but also attracts more and more research on how to build "cloud-native" [8] applications.

Microservice architecture [9] can be used to develop a single application composed of a set of microservices. Compared with traditional web services, these microservices are much more fine-grained and are independently developed and deployed [3]. These characteristics of microservice architecture are particularly suitable for loose coupling and updating of systems running on cloud infrastructures [10].

The interactions in microservice systems are complex due to three dimensions: numerous asynchronous interactions, the diversity of asynchronous communication, and unbounded buffers. First, the execution of a microservice system may involve numerous interactions among microservices. Most of these interactions are asynchronous because synchronous interactions may cause the multiplicative effect of downtime [11, 12]. For example, Netflix's online service system involves 5 billion service invocations per day [13]. These asynchronous interactions may cause unexpected sequences of messages during execution. Second, under point-to-point semantics, there are at least two asynchronous communications with FIFO buffers [14], namely, peer-to-peer communication and mailbox communication. Microservice systems can be realized by the two different asynchronous communication models. Compared with the mailbox semantics, the peer-to-peer semantics causes the interaction topology to be a much more complex graph. Third, because the sizes of the buffers of microservice systems are not known a priori, their sizes are often considered to be unbounded. Microservice systems with unbounded buffers may exhibit infinite state space such that the reachability problem of such systems is known to be undecidable [15].

The complexity of interactions in microservice systems poses great challenges for analysis because missing or improper coordination among microservices may cause interaction faults. The results of the industrial survey in [10] show that interaction faults are common in microservice systems.

Although there are a few papers on microservice systems [16], most of them focus on debugging [10, 11, 17–19], deployment [20, 21], composition [22], architecture [23], and adaptation [24]. However, there is little research on the interaction analysis of microservice systems. A basic and
effective technique for analyzing interactions in microservice systems is synchronizability analysis [25–27]. A system is synchronizable if its send actions remain the same under both asynchronous communication and synchronous communication. However, recent research shows that synchronizability is undecidable [14].

In this paper, we propose an approach for interaction analysis using model checking techniques, which is supported by the Process Analysis Toolkit (PAT) [28] tool. Such an analysis approach enables us to effectively and automatically identify interaction faults of microservice systems. Our contribution can be summarized as follows:

(i) We model complex interactions in microservice systems under synchronous and peer-to-peer asynchronous communications.

(ii) We introduce a notion of correctness called "interaction soundness", which is considered as a minimal requirement for microservice systems.

(iii) We automatically verify the property interaction soundness using model checking techniques under the support of the Process Analysis Toolkit (PAT) tool.

Moreover, we propose an encoding of LTSs into the CSP# process algebra. We choose CSP# because it is equipped with the PAT tool, which offers the PAT simulator for state space generation and the PAT verifier for property verification. In particular, when the PAT verifier returns "not valid" using model checking, it gives us the counterexample, which is very useful for fixing faults.

The rest of this paper is organized as follows. Section 2 discusses related work. Section 3 presents some formal definitions used throughout this paper. Section 4 formally defines the interaction behaviors of microservice systems under synchronous and peer-to-peer asynchronous communications. Section 5 introduces a notion of interaction soundness and verifies the property using model checking techniques based on CSP# encoding. Section 6 discusses the implementation of our approach and experimental results. Section 7 concludes this paper.

2 Related Work

There has been some research on debugging microservice systems. In [10], the authors conducted an industrial survey to show three main faults in microservice systems, namely, internal faults, interaction faults, and environment faults. In [11, 17], the authors proposed a novel approach for debugging microservice systems. In [18], the authors discussed complex live testing strategies for microservice systems. In [19], the authors proposed a new approach to test the performance of each microservice participating in a microservice system. All these studies can be used to test microservice systems. However, our work focuses on analyzing interactions in microservice systems.

There are some other studies on microservice systems. In [20], the authors proposed an approach to modeling and managing deployment costs for microservice systems. In [21], the authors discussed how to improve the performance of a microservice architecture. In [22], the authors proposed an approach to integrate microservices based on Linked Data. In [23], the authors presented a tool for generating and managing models of microservice architecture. In [24], the authors discussed how to balance the granularity of a microservice architecture. However, none of these methods can be used to analyze interactions in microservice systems.

To the best of our knowledge, we are the first to analyze complex interactions in microservice systems.

3 Preliminaries

In this section, we present some definitions used throughout this paper.

Definition 1 (labeled transition system). A labeled transition system is a tuple $LTS = (S, s_0, F, A, \Delta)$, where

(i) $S$ is a set of states
(ii) $s_0 \in S$ is the initial state
(iii) $F \subseteq S$ is a set of final states
(iv) $A$ is a set of labels
(v) $\Delta \subseteq S \times A \times S$ is a transition relation

For the sake of simplicity, we use $r \xrightarrow{a} s$ to denote $(r, a, s) \in \Delta$.

CSP# is an extension of CSP (communicating sequential processes) [29]. In this paper, we use CSP# for microservice system verification. In essence, CSP# is a formal method which integrates state-based specification and event-based specification. The following is a BNF description of the CSP# process expression. More details of CSP# can be found in [30].

    P ::= Stop                    in-action
        | Skip                    terminal
        | e → P                   prefix
        | ch?exp → P              channel input
        | ch!exp → P              channel output
        | P \ X                   hiding
        | P; Q                    sequential composition
        | P [] X                  external choice
        | P ⊓ X                   internal choice
        | if b {P} else {Q}       conditional choice
        | [b]P                    guarded process
        | P || Q                  parallel composition
        | P ||| Q                 interleaving
        | P △ Q                   interrupting
        | ref(Q)                  process referencing

where P and Q are processes, e is an event, X is a set of event names (e.g., {e1, e2}), b is a Boolean expression, ch is a channel, exp is an expression, and x is a variable [28].

The syntax of LTL formulas is defined as follows. More details of LTL can be found in [29].

    F ::= e | prop | [] F | <> F | X F | F1 U F2 | F1 R F2

where e is an event, prop is a predefined proposition, F, F1, and F2 are three LTL formulas, [] denotes "always", <> denotes "eventually", X denotes "next", U denotes "until", and R denotes "release".

4 Interaction Behavior Model

In this section, we introduce a formal model (see Figure 1) for modeling complex interactions in microservice systems. In our model, microservices with unbounded buffers communicate asynchronously with each other, and interactions in a microservice system can be viewed as sequences of send actions, because receive actions, which consume messages from buffers, are considered as local invisible actions.

Figure 1 illustrates the three communicating microservices MS1, MS2, and MS3 with messages a, b, c, and d, which are from the example in [8]. The initial state of each microservice is subscripted with 0 and marked with an incoming half-arrow. The final states of each microservice are marked with double circles. Each transition of each microservice is labeled with a send action (exclamation mark) or a receive message action (question mark). The buffers are drawn as red lines and marked with i and j, where i denotes the sender and j denotes the receiver. For example, buffer12 denotes the buffer of MS2 which is used to store incoming messages sent from MS1. Note that each buffer is a FIFO message queue.

When we further consider asynchronous messaging in Figure 1, there are two different semantics for point-to-point asynchronous communication, namely, peer-to-peer communication and mailbox communication. The mailbox communication shown in Figure 2 requires that all messages sent to MS1 from the other microservices are stored in a buffer (i.e., a message queue) that is specific to MS1. The peer-to-peer communication requires that each message sent from a microservice MS1 to another microservice MS2 is stored, in a FIFO fashion, in a buffer which is specific to the pair (MS1, MS2). In other words, each participating microservice of a microservice system is equipped with many buffers for different incoming messages from other microservices. In this paper, we focus on peer-to-peer communication.

Based on the analysis above, we first use finite LTSs to model the behaviors of individual microservices. Then, we move on to model the asynchronous interaction behaviors of microservice systems, both with unbounded buffers and with bounded buffers (say k). Finally, we model the synchronous interaction behaviors of microservice systems based on the asynchronous interaction behaviors.

Definition 2 (message set). A message set $M$ is a tuple $(\Sigma, p, src, dst)$:

(i) $\Sigma$ is a finite set of letters
(ii) $p \geq 1$ is a nonnegative integer number which denotes the number of participating microservices
(iii) $src$ and $dst$ are functions that associate each message $m \in \Sigma$ with nonnegative integer numbers $src(m) \neq dst(m) \in \{1, 2, \ldots, p\}$

We often use $m^{i \to j}$ for a message $m$ such that $src(m) = i$ and $dst(m) = j$.

Definition 3 (microservice). A microservice $MS$ is a labeled transition system $(S, s_0, F, M, \delta)$, where

(i) $S$ is the finite set of states
(ii) $s_0$ is the initial state
(iii) $F \subseteq S$ is the finite set of final states
(iv) $M$ is a message set
(v) $\delta \subseteq S \times (M \cup \{\varepsilon\}) \times S$ is the transition relation

A transition $\tau \in \delta$ can be one of the following three types:

(1) A send-transition $(s_1, !m^{1 \to 2}, s_2)$, which denotes that the microservice MS1 sends out a message $m^{1 \to 2}$ to another microservice MS2, where $m^{1 \to 2} \in M$

(2) A receive-transition $(s_1, ?m^{1 \to 2}, s_2)$, which denotes that the microservice MS1 consumes a message $m^{1 \to 2}$, where $m^{1 \to 2} \in M$

(3) An ε-transition $(s_1, \varepsilon, s_2)$, which denotes the invisible action of MS1

We often use $s_i \xrightarrow{m^{i \to j}} s_j$ to denote that $(s_i, m^{i \to j}, s_j) \in \delta$.

4.1 Asynchronous Interaction Behaviors of Microservice Systems

Definition 4 (asynchronous interaction behavior of a microservice system with unbounded buffers). An asynchronous interaction behavior of a microservice system with unbounded buffers over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, src_i, dst_i)$, is denoted by a labeled transition system $B_a = (C, c_0, F, M, \Delta)$ (possibly infinite state), where

(i) $C \subseteq Q_1 \times S_1 \times Q_2 \times S_2 \times \cdots \times Q_n \times S_n$ is the set of states such that $\forall i \in \{1, 2, \ldots, n\}$, $Q_i = (buffer_{ji})$, where $\forall j \in \{1, 2, \ldots, n\} \wedge i \neq j \wedge buffer_{ji} \subseteq (M_j)^*$

(ii) $c_0 \in C$ is the initial state such that $c_0 = (\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{01}, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{02}, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{0n})$, where $c_{0i} = MS_i \cdot s_{0i}$

(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F$, $f = (\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_1, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_2, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_n)$, where $f_i \in MS_i \cdot F_i$

(iv) $M = \cup_i M_i$ is the set of messages

(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$; for $c = (Q_1, s_1, Q_2, s_2, \ldots, Q_n, s_n)$ and $c' = (Q'_1, s'_1, Q'_2, s'_2, \ldots, Q'_n, s'_n)$:

  (a) $c \xrightarrow{!m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$, $m \in M$:
    (i) $src(m) = i \wedge dst(m) = j$
    (ii) $s_i \xrightarrow{!m^{i \to j}} s'_i \in \delta_i$
    (iii) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \Longrightarrow s'_k = s_k$
    (iv) $\forall k \in \{1, 2, \ldots, n\} \wedge k = i \Longrightarrow buffer'_{kj} = buffer_{kj}\, m$
    (v) $\forall k, l \in \{1, 2, \ldots, n\} \wedge k \neq i \wedge l \neq j \wedge k \neq l \Longrightarrow buffer'_{kl} = buffer_{kl}$
    [send action]

  (b) $c \xrightarrow{?m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
    (i) $src(m) = i \wedge dst(m) = j$
    (ii) $s_j \xrightarrow{?m^{i \to j}} s'_j \in \delta_j$
    (iii) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq j \Longrightarrow s'_k = s_k$
    (iv) $\forall k \in \{1, 2, \ldots, n\} \wedge k = i \Longrightarrow buffer_{kj} = m\, buffer'_{kj}$
    (v) $\forall k, l \in \{1, 2, \ldots, n\}$, $k \neq i \wedge l \neq j \wedge k \neq l \Longrightarrow buffer'_{kl} = buffer_{kl}$
    [receive action]

  (c) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
    (i) $s_i \xrightarrow{\varepsilon} s'_i \in \delta_i$
    (ii) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \Longrightarrow s'_k = s_k$
    (iii) $\forall k \in \{1, 2, \ldots, n\}$, $Q'_k = Q_k$
    [internal action]

According to Definition 4, microservices with unbounded buffers participating in a microservice system can interact with each other under the peer-to-peer semantics. The states (C) of a composite service consisting of n microservices are described by each microservice's local state and its respective buffers. Each microservice has n − 1 unbounded buffers. When MS1 sends a message m to MS2, the message will be inserted at the tail of buffer12, which is specific to the pair (MS1, MS2), and then MS2 can consume this message from the head of its buffer12. The send action (item 4a) is nonblocking and involves a sender, a receiver, and the receiver's buffer. After the sender MSi sends a message m to the receiver MSj, the state of the sender is changed (4a-ii), the message is inserted at the tail of bufferij, which is specific to the pair (MSi, MSj) (4a-iv), and the other buffers do not change (4a-v). The receive message action (item 4b) is blocking and local, and it involves only a receiver. After the receive message action is executed, the state of the message receiver is changed (4b-ii), the message at the head of the buffer of the receiver is consumed (4b-ii), and the other buffers do not change (4b-v). The epsilon-labeled transition (item 4c) is an internal action and simply changes the local state of a microservice.

Moreover, if we set $Q_i = (buffer_i)$ and keep everything else unchanged in Definition 4, the semantics of asynchronous communication is changed to the mailbox communication. Therefore, the mailbox communication is a special case of the peer-to-peer communication.

The interaction behavior of a microservice system depends not only on the order in which send actions are executed but also on the size of each microservice's buffers [31]. When buffers are unbounded, the interaction behavior may be infinite.

Figure 1: The formal model of complex interactions in microservice systems under the peer-to-peer communication. (Diagram of the LTSs of MS1, MS2, and MS3 and the buffers Buffer12, Buffer13, Buffer21, Buffer23, Buffer31, and Buffer32.)

Figure 2: The mailbox communication. (Diagram of the LTSs of MS1, MS2, and MS3 and the buffers Buffer1, Buffer2, and Buffer3.)

We define the asynchronous interaction behavior of microservice systems with bounded buffers in the following, where each participating microservice has buffers of size k.

Definition 5 (asynchronous interaction behavior of a microservice system with buffers of size k). The asynchronous interaction behavior of a microservice system with buffers of size k is denoted by a labeled transition system $B_a^k = (C, c_0, F, M, \Delta)$ and described by augmenting condition (a) in Definition 4 to include the condition $Q_j = (q_1, \ldots, q_{j-1}, q_{j+1}, \ldots, q_n)$, $|q_j| < k$, where $|q_i|$ denotes the length of the buffers for microservice $MS_i$.

In a microservice system with buffers of size k, the send actions are blocked if the receiver's buffer contains k messages. Therefore, the interaction behavior of a microservice system with buffers of size k is finite.

Figure 3(a) illustrates the asynchronous interaction behavior of the microservice system shown in Figure 1, with buffers of size 2, under the peer-to-peer communication. The initial state is denoted by c0 = (([], []), s01, ([], []), s02, ([], []), s03) (i.e., each microservice is in its initial state and all the buffers are empty). After MS1 sends the message a to buffer12 of MS2, the system evolves from c0 to c1 and buffer12 contains a. Then, MS2 consumes the "matching" message a at the head of its buffer12, the system evolves from c1 to c3, and the message a is removed from buffer12.

Figure 3(b) illustrates the asynchronous interaction behavior of the microservice system shown in Figure 1, with buffers of size 2, under the mailbox communication. The initial state is c0 = (([], []), s01, ([], []), s02, ([], []), s03) and the final state is c10.

4.2 Synchronous Interaction Behaviors of Microservice Systems

In synchronous communication, every send action is followed by a receive action, i.e., the microservices interact synchronously. It is as if each microservice of a microservice system had buffers of size 0.

Definition 6 (synchronous behavior of a microservice system). A synchronous behavior of a microservice system over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, src_i, dst_i)$, is denoted by a labeled transition system $B_s = (C, c_0, F, M, \Delta)$, where

(i) $C \subseteq S_1 \times S_2 \times \cdots \times S_n$ is the set of states
(ii) $c_0 \in C$ is the initial state
(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F$, $f = (f_1, f_2, \ldots, f_n)$, where $f_i \in MS_i \cdot F_i$
(iv) $M = \cup_i M_i$ is the set of messages
(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$; for $c = (s_1, s_2, \ldots, s_n)$ and $c' = (s'_1, s'_2, \ldots, s'_n)$:

  (a) $c \xrightarrow{m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
    (i) $src(m) = i \wedge dst(m) = j$
    (ii) $s_i \xrightarrow{!m^{i \to j}} s'_i \in \delta_i$
    (iii) $s_j \xrightarrow{?m^{i \to j}} s'_j \in \delta_j$
    (iv) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \wedge k \neq j \Longrightarrow s'_k = s_k$
    [synchronous send-receive action]

  (b) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
    (i) $s_i \xrightarrow{\varepsilon} s'_i \in \delta_i$
    (ii) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \Longrightarrow s'_k = s_k$
    [internal action]

Figure 4 illustrates the synchronous behavior of the microservice system shown in Figure 1. The behavior of the system has transitions $a^{1 \to 2}$, followed by $a^{1 \to 2}$, followed by $b^{1 \to 2}$, and followed by $c^{3 \to 2}$.

5 Interaction Soundness-Based Verification

Given a microservice system, one crucial problem is to check whether the interaction behavior is correct. In this paper, we check whether the interaction behavior of a microservice system satisfies a minimal requirement for correctness using model-checking techniques. The whole process includes the following three steps:

(1) We introduce a notion of correctness called 'interaction soundness', which is considered as a minimal requirement for microservice systems.

(2) We present an encoding of the interaction behavior into the CSP# process.

(3) We translate the property interaction soundness into LTL formulas such that we can verify this property using model-checking techniques with the support of the PAT verifier.

5.1 Interaction Soundness

Let us further analyze the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 3(a). When the execution of the microservice system follows the sequence of send and receive actions circled by a red dashed line, the terminating state is c17, which denotes that each participating microservice reaches its corresponding final state, but the message queue buffer12 of MS1 and the message queue buffer21 of MS2 are not empty. In other words, there is an interaction fault which causes messages $a^{1 \to 2}$ and $d^{1 \to 2}$ not to be consumed correctly.

In Figure 5, we take a snapshot of the system in c17. There are two messages $a^{1 \to 2}$ in buffer12 of MS1 and one message $d^{1 \to 2}$ in buffer21 of MS2.

Based on the above analysis, we use the interaction correctness criterion as a minimal requirement that any microservice system should satisfy. In particular, the requirement is described as follows:

For any case, the microservice system will terminate eventually, and the moment the system terminates, the terminating state is the final state.

Figure 3: The asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1. (a) The peer-to-peer communication. (b) The mailbox communication. (State graphs not reproduced; the states listed in each panel are given below.)

States of panel (a):

    c0  = (([], []), s01, ([], []), s02, ([], []), s03)
    c1  = (([], []), s11, ([a], []), s02, ([], []), s03)
    c2  = (([], []), s21, ([a, a], []), s02, ([], []), s03)
    c3  = (([], []), s11, ([], []), s12, ([], []), s03)
    c4  = (([], []), s21, ([a], []), s12, ([], []), s03)
    c5  = (([], []), s31, ([a], []), s12, ([b], []), s03)
    c6  = (([], []), s21, ([], []), s22, ([], []), s03)
    c7  = (([], []), s31, ([], []), s22, ([b], []), s03)
    c8  = (([], []), s31, ([], []), s22, ([], []), s13)
    c9  = (([], []), s31, ([], [c]), s22, ([], []), s23)
    c10 = (([], []), s31, ([], []), s32, ([], []), s23)
    c11 = (([], []), s31, ([a], []), s12, ([], []), s13)
    c12 = (([], []), s31, ([a], [c]), s12, ([], []), s23)
    c13 = (([], []), s31, ([a, a], []), s02, ([b], []), s03)
    c14 = (([], []), s31, ([a, a], []), s02, ([], []), s13)
    c15 = (([], []), s31, ([a, a], [c]), s02, ([], []), s23)
    c16 = (([], []), s31, ([a, a], []), s42, ([], []), s23)
    c17 = (([d], []), s31, ([a, a], []), s52, ([], []), s23)

States of panel (b):

    c0  = (([]), s01, ([]), s02, ([]), s03)
    c1  = (([]), s11, ([a]), s02, ([]), s03)
    c2  = (([]), s21, ([a]), s02, ([]), s03)
    c3  = (([]), s11, ([]), s12, ([]), s03)
    c4  = (([]), s21, ([]), s12, ([]), s03)
    c5  = (([]), s31, ([a]), s12, ([]), s03)
    c6  = (([]), s21, ([]), s12, ([]), s03)
    c7  = (([]), s31, ([]), s22, ([b]), s03)
    c8  = (([]), s31, ([]), s22, ([]), s13)
    c9  = (([]), s31, ([]), s22, ([]), s23)
    c10 = (([]), s31, ([]), s32, ([]), s23)
    c11 = (([]), s31, ([a]), s12, ([]), s13)
    c12 = (([]), s31, ([a, c]), s12, ([]), s23)
    c13 = (([]), s31, ([a, a]), s02, ([b]), s03)
    c14 = (([]), s31, ([a, a]), s02, ([]), s13)

Figure 4: The synchronous interaction behavior of the microservice system shown in Figure 1. (Chain of states c0, c1, c2, c3, c4 with transitions $a^{1 \to 2}$, $a^{1 \to 2}$, $b^{1 \to 3}$, $c^{3 \to 2}$.)

Definition 7 (interaction soundness under synchronous communication). A microservice system $B_s = (M, C, F, c_0, \Delta)$ satisfies interaction soundness under synchronous communication if and only if the following condition is satisfied:

For every state c reachable from the initial state $c_0$, there exists a transition sequence leading from state c to a final state $c_x$. Formally,

$$\forall c \in C \wedge \left( c_0 \xrightarrow{m^{i \to j}} c_1 \xrightarrow{m^{k \to l}} \cdots \xrightarrow{m^{o \to p}} c \right) \Longrightarrow \left( c \xrightarrow{m^{i \to j}_{n+1}} c_{n+1} \xrightarrow{m^{i \to j}_{n+1}} \cdots \xrightarrow{m^{o \to p}_{0}} c_x \right) \wedge c_x \in F \qquad (1)$$

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ satisfies interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied:

For every state c reachable from the initial state $c_0$, there exists a transition sequence leading from state c to a final state $c_x$. Formally,

$$\forall c \in C \wedge \left( c_0 \xrightarrow{m^{i \to j}_{1}} c_1 \xrightarrow{m^{k \to l}_{2}} \cdots \xrightarrow{m^{o \to p}_{n}} c \right) \Longrightarrow \left( c \xrightarrow{m^{i \to j}_{n+1}} c_{n+1} \xrightarrow{m^{k \to l}_{n+2}} \cdots \xrightarrow{m^{o \to p}_{0}} c_x \right) \wedge c_x \in F \qquad (2)$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of the local states of the participating microservices, while the states of the latter are described in terms of the local states of the participating microservices and their respective buffers.
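The check in Definitions 5 and 8, as an added Python example rather than the authors' CSP#/PAT encoding: it builds the k-bounded peer-to-peer behavior of the three microservices by explicit state enumeration and tests whether every reachable state can still reach a final state. The local transitions are read off the page's Example 1; the sets of final local states are an assumption based on the discussion of c10 and c17.

```python
from collections import deque

# Constructed model: local transitions read off Example 1 on this page.
# Each entry is (state, kind, message, peer, next_state); kind "!" sends
# `message` to `peer`, kind "?" consumes it from the buffer fed by `peer`.
# The sets of final local states are an assumption taken from the page's
# discussion of c10 and c17.
SERVICES = {
    1: {"init": "s01", "final": {"s31"}, "delta": [
        ("s01", "!", "a", 2, "s11"), ("s11", "!", "a", 2, "s21"),
        ("s21", "!", "b", 3, "s31")]},
    2: {"init": "s02", "final": {"s32", "s52"}, "delta": [
        ("s02", "?", "a", 1, "s12"), ("s12", "?", "a", 1, "s22"),
        ("s22", "?", "c", 3, "s32"),
        ("s02", "?", "c", 3, "s42"), ("s42", "!", "d", 1, "s52")]},
    3: {"init": "s03", "final": {"s23"}, "delta": [
        ("s03", "?", "b", 1, "s13"), ("s13", "!", "c", 2, "s23")]},
}


def freeze(local, buffers):
    """Hashable global state: local states plus the non-empty FIFO buffers."""
    return tuple(sorted(local.items())), tuple(sorted(buffers.items()))


def successors(state, services, k):
    """Yield (label, next_state) for the send and receive rules of Definition 4,
    with sends blocked on a buffer that already holds k messages (Definition 5)."""
    local, buffers = dict(state[0]), dict(state[1])
    for i, ms in services.items():
        for src, kind, msg, peer, dst in ms["delta"]:
            if local[i] != src:
                continue
            new_buffers = dict(buffers)
            if kind == "!":
                key, label = (i, peer), f"!{msg}{i}->{peer}"
                queue = buffers.get(key, ())
                if len(queue) >= k:
                    continue                       # send blocks on a full buffer
                new_buffers[key] = queue + (msg,)  # append at the tail
            else:
                key, label = (peer, i), f"?{msg}{peer}->{i}"
                queue = buffers.get(key, ())
                if not queue or queue[0] != msg:
                    continue                       # receive needs msg at the head
                if len(queue) > 1:
                    new_buffers[key] = queue[1:]
                else:
                    del new_buffers[key]
            yield label, freeze({**local, i: dst}, new_buffers)


def explore(services, k):
    """Breadth-first construction of the reachable part of B_a^k."""
    init = freeze({i: ms["init"] for i, ms in services.items()}, {})
    parent, edges, todo = {init: None}, {}, deque([init])
    while todo:
        state = todo.popleft()
        edges[state] = list(successors(state, services, k))
        for label, nxt in edges[state]:
            if nxt not in parent:
                parent[nxt] = (state, label)
                todo.append(nxt)
    return parent, edges


def is_final(state, services):
    """Final global state: every buffer empty, every service in a final state."""
    local, buffers = state
    return not buffers and all(s in services[i]["final"] for i, s in local)


def check_soundness(services, k):
    """Definition 8: every reachable state must be able to reach a final state."""
    parent, edges = explore(services, k)
    good = {s for s in parent if is_final(s, services)}
    changed = True
    while changed:                                 # backward closure of `good`
        changed = False
        for state, out in edges.items():
            if state not in good and any(nxt in good for _, nxt in out):
                good.add(state)
                changed = True
    bad = [s for s in parent if s not in good]     # BFS discovery order
    trace = None
    if bad:
        stuck = [s for s in bad if not edges[s]]   # prefer a terminating state
        state, trace = (stuck or bad)[0], []
        while parent[state] is not None:
            state, label = parent[state]
            trace.append(label)
        trace.reverse()
    return {"states": len(parent), "sound": not bad, "counterexample": trace}


if __name__ == "__main__":
    for bound in (1, 2):
        print(bound, check_soundness(SERVICES, bound))
```

With k = 2 the search visits 18 states and returns the trace that ends in c17; with k = 1 the second a cannot be queued before the first is consumed, so the faulty branch is never reached and the check passes.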

5.2 CSP# Encoding for the Behaviors of Microservice Systems

We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP# process. Then, we discuss how to encode a synchronous interaction behavior.

Encoding an asynchronous interaction behavior of a microservice system as a CSP# process mainly includes the following three steps:

(1) Encode all the transitions in each microservice as events in CSP#. For example, the send-transition $(s_1, !m^{1 \to 2}, s_2)$ is encoded as an event m, and the receive-transition $(s_1, ?m^{1 \to 2}, s_2)$ is encoded as an event m.

(2) Encode the order in which the adjacent transitions are executed as prefix or external choice in CSP#. For example, the order in which the microservice MS1 executes transitions in Figure 1 is $a^{1 \to 2}$ followed by $a^{1 \to 2}$ and $b^{1 \to 2}$, which can be encoded as a->a->b->Skip without considering buffers.

(3) Encode peer-to-peer asynchronous communication. In CSP#, a channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process bufferij!m → P to denote that the sender MSi sends the message m to bufferij of the receiver MSj. Conversely, we use the process bufferij?[x == m]m → P to denote that the receiver MSj consumes the message m from its bufferij, where the expression [x == m] is used to check whether the top element in bufferij is the matching message m.

Figure 5: A snapshot of a microservice system in c17. (Diagram of MS1, MS2, and MS3 with buffers Buffer12, Buffer13, Buffer21, Buffer23, Buffer31, and Buffer32.)

Given a microservice system Ba = (M, C, F, c0, Δ) over a set of microservices MS1, MS2, ..., MSn, we generate the CSP# process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\mathrm{gen\_buffers}(B_a \cdot C) = \{\, \mathit{buffer}_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\} \,\}. \quad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\mathrm{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{total}|\}. \quad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state s0:

$$\mathrm{trace}(M_1) = \{\, \mathrm{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M,\ m \in \sigma_i \,\}, \quad (5)$$

where the function sort(σi) sorts the messages on the path by their execution order.

For a message m^{1→2} ∈ M, function action(m^{1→2}) = m denotes the message and function type(m^{1→2}) denotes the message type.

Let m, n, and p be separately the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is (m ∗ n ∗ p).

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP# process is shown below.

    // The buffers
    channel buffer12 2;
    channel buffer13 2;
    channel buffer21 2;
    channel buffer23 2;
    channel buffer31 2;
    channel buffer32 2;
    // The messages
    var a = 1;
    var b = 2;
    var c = 3;
    var d = 4;
    // The process of each participating microservice
    PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
    PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
    PMS3() = buffer13?2 -> buffer32!c -> Skip;
    // The process of an asynchronous interaction behavior of a microservice system
    System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP# process of a synchronous behavior can be generated by using Algorithm 1, except setting the size of bufferij to be 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP# process of a microservice system using Algorithm 1, we can generate the state space of the CSP# process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

    system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

    #define bufij call(cempty, bufferij) == true
    system() |= ("init" -> <>("terminate" && bufij)) && F    (7)

where cempty is a channel operation, which is a Boolean function to test whether the asynchronous channel is empty or not, and bufferij is the channel specific to the pair (MSi, MSj), which denotes the buffer of a microservice MSj.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows.

    #define buf12 call(cempty, buffer12) == true;
    #define buf13 call(cempty, buffer13) == true;
    #define buf21 call(cempty, buffer21) == true;
    #define buf23 call(cempty, buffer23) == true;
    #define buf31 call(cempty, buffer31) == true;
    #define buf32 call(cempty, buffer32) == true;
    #assert System() |= []("init" -> <>("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));
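As an added illustration (not code from the paper and not part of PAT), the following Python program checks the same property by explicit state exploration: it builds the k-bounded peer-to-peer behavior of Definition 5 and reports whether every reachable configuration can still reach one in which all microservices are in final states and all buffers are empty. The three microservices are transcribed from the processes of Example 1; the state names, the label format, and all function names are assumptions of this example.

```python
from collections import deque

# Microservice id -> (initial state, final states, transitions).
# A transition is (state, kind, message, peer, next_state): kind "!" sends
# `message` to `peer`; kind "?" consumes `message` previously sent by `peer`.
# Transcribed from the processes of Example 1; the state names are assumed.
SYSTEM = {
    1: ("s0", {"s3"}, [("s0", "!", "a", 2, "s1"), ("s1", "!", "a", 2, "s2"),
                       ("s2", "!", "b", 3, "s3")]),
    2: ("s0", {"s3", "s5"}, [("s0", "?", "a", 1, "s1"), ("s1", "?", "a", 1, "s2"),
                             ("s2", "?", "c", 3, "s3"), ("s0", "?", "c", 3, "s4"),
                             ("s4", "!", "d", 1, "s5")]),
    3: ("s0", {"s2"}, [("s0", "?", "b", 1, "s1"), ("s1", "!", "c", 2, "s2")]),
}


def successors(system, config, k):
    """Yield (label, next_config) under k-bounded peer-to-peer semantics."""
    ids = sorted(system)
    pairs = [(i, j) for i in ids for j in ids if i != j]  # one FIFO per (sender, receiver)
    local, bufs = config
    for pos, ms in enumerate(ids):
        for src, kind, msg, peer, dst in system[ms][2]:
            if src != local[pos]:
                continue
            if kind == "!":
                b = pairs.index((ms, peer))
                if len(bufs[b]) >= k:  # a send blocks while the buffer holds k messages
                    continue
                content, label = bufs[b] + (msg,), f"!{msg}{ms}->{peer}"
            else:
                b = pairs.index((peer, ms))
                if not bufs[b] or bufs[b][0] != msg:  # a receive needs msg at the head
                    continue
                content, label = bufs[b][1:], f"?{msg}{peer}->{ms}"
            yield label, (local[:pos] + (dst,) + local[pos + 1:],
                          bufs[:b] + (content,) + bufs[b + 1:])


def explore(system, k):
    """Breadth-first construction of the reachable configurations."""
    ids = sorted(system)
    init = (tuple(system[i][0] for i in ids), ((),) * (len(ids) * (len(ids) - 1)))
    parent, edges, queue = {init: None}, {}, deque([init])
    while queue:
        config = queue.popleft()
        edges[config] = list(successors(system, config, k))
        for label, nxt in edges[config]:
            if nxt not in parent:
                parent[nxt] = (config, label)
                queue.append(nxt)
    return parent, edges


def check_soundness(system, k):
    """Return (sound, number_of_configurations, shortest_counterexample_trace)."""
    ids = sorted(system)
    parent, edges = explore(system, k)

    def is_final(config):
        local, bufs = config
        return all(s in system[i][1] for i, s in zip(ids, local)) and not any(bufs)

    # Backward fixpoint: configurations from which a final one is reachable.
    good = {c for c in parent if is_final(c)}
    changed = True
    while changed:
        changed = False
        for config, out in edges.items():
            if config not in good and any(nxt in good for _, nxt in out):
                good.add(config)
                changed = True
    bad = [c for c in parent if c not in good]  # dict order is BFS discovery order
    if not bad:
        return True, len(parent), []
    trace, config = [], bad[0]
    while parent[config] is not None:
        config, label = parent[config]
        trace.append(label)
    return False, len(parent), trace[::-1]


if __name__ == "__main__":
    for k in (1, 2, 3):
        sound, size, trace = check_soundness(SYSTEM, k)
        print(f"k={k}: sound={sound}, configurations={size}, counterexample={trace}")
```

With buffers of size 1 the second send of a blocks until MS2 has consumed the first one, so MS2 can never take the branch that starts by consuming c; from size 2 onward that branch becomes reachable and leaves messages in buffer12 and buffer21 that nobody consumes.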

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP# process. Second, once the CSP# process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with 2.50 GHz Processor and 8 GB of RAM running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives for each case the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system (Bs), the verification result under synchronous communication (IRa) ("−" denotes that the system is not interaction sound and "+" denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k (B^k_a), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., once the size of the LTS of the asynchronous interaction behavior remains unchanged for a buffer bound, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property on the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. "Too large" means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

    Input: a microservice system Ba = (C, c0, F, M, Δ)
    Output: a CSP# process
    buffer12, ..., buffer(n−1)n = gen_buffers(Ba·C)
    set buffer12, ..., buffer(n−1)n's size
    gen_message_variable(Ba·M)
    for MSi ∈ (MS1, MS2, ..., MSn) do
        σ1, ..., σn = trace(MSi)
        for σj ∈ (σ1, ..., σn) do
            z = 1
            while (m = getHead(σj)) != null
                if type(m) = "!"
                    Pz() = buffer_src(m)_dst(m)!action(m) -> Pz+1()
                else
                    Pz() = buffer_src(m)_dst(m)?[xz == action(m)]action(m) -> Pz+1()
                end if
                z = z + 1
            end while
            PMSi() = P1()
        end for
    end for
    System() = PMS1() ||| PMS2() ||| ... ||| PMSn()

ALGORITHM 1: Encoding an asynchronous interaction behavior.

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called "interaction soundness," which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness under the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer, which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases. The LTS columns give (|T|, |S|).

    Id          Description         |MSs|  |Ms|  Bs LTS    IRa  B1a LTS    IRs  B2a LTS    IRs  B3a LTS    IRs
    Ca-01 [33]  Booking system      4      7     (10, 11)  −    (23, 29)   −    (24, 31)   −    (24, 31)   −
    Ca-02 [34]  Train station       4      8     (11, 13)  +    (44, 76)   −    (64, 122)  −    (84, 168)  −
    Ca-03 [32]  Protocol            3      3     (7, 14)   +    (26, 62)   −    (35, 91)   −    (44, 120)  −
    Ca-04 [35]  Online shopping     3      6     (7, 7)    +    (13, 13)   +    (13, 13)   +    (13, 13)   +
    Ca-05 [36]  Cloud application   4      5     (6, 10)   −    (96, 240)  −    Too large  −    Too large  −
    Ca-06 [37]  Figure 2            3      3     (3, 3)    +    (10, 14)   −    (15, 24)   −    (20, 34)   −
    Ca-07 [38]  Figure 1            4      5     (11, 14)  +    (28, 43)   +    (28, 43)   +    (28, 43)   +
    Ca-08 [15]  Composition 2       2      5     (5, 6)    +    (10, 11)   +    (10, 11)   +    (10, 11)   +
    Ca-09 [39]  Figure 8            3      3     (7, 6)    −    (16, 20)   −    (16, 20)   −    (16, 20)   −
    Ca-10 [14]  Figure 1            3      4     (6, 5)    +    (13, 15)   +    (20, 26)   −    (20, 26)   −

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., "A computation offloading method over big data for IoT-enabled cloud-edge computing," Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, "A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems," World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., "An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles," Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, "BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing," IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, "Joint optimization of offloading utility and privacy for edge computing enabled IoT," IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, "A blockchain-based computation offloading method for edge computing in 5G networks," Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, "Gremlin: systematic resilience testing of microservices," in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, "Microservices architecture enables DevOps: migration to a cloud-native architecture," IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., "Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study," IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems with parallel optimization," IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, "Application delivery service challenges in microservices-based applications," 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, "Synchronizability of communicating finite state machines is not decidable," in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, "Synchronizability of conversations among web services," IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., "Poster: benchmarking microservice systems for software engineering research," in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE'18), pp. 323–324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems," in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, "Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies," in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, "An architecture to automate performance tests on microservices," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, "Modelling and managing deployment costs of microservice-based cloud applications," in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, "Workload-based clustering of coherent feature sets in microservice architectures," in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, "Publishing linked data through semantic microservices composition," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, "A software architecture recovery tool for maintaining microservice-based systems," in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, "Microservices and their design tradeoffs: a self-adaptive roadmap," in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, "Choreography conformance via synchronizability," in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, "Synchronizability for verification of asynchronously communicating systems," in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, "On deciding synchronizability for asynchronously communicating systems," Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, "Model checking CSP revisited: introducing a process analysis toolkit," in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, "Integrating specification and programs for system modeling and verification," in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, "Communicating sequential processes," International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, "Deciding choreography realizability," ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, "Conversation protocols: a formalism for specification and verification of reactive electronic services," Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, "Checking the realizability of BPMN 2.0 choreographies," in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, "Realizability of choreographies using process algebra encodings," IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, "Modeling interactions of web software," in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, "Counterexample guided synthesis of monitors for realizability enforcement," Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, "Compatibility checking for asynchronously communicating software," Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, "Local enforceability in interaction petri nets," in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, "A tool for choreography analysis using collaboration diagrams," in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, "Automatic verification of interactions in asynchronous systems with unbounded buffers," in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE'14, pp. 743–754, Västerås, Sweden, September 2014.


effective technique for analyzing interactions in microservice systems is synchronizability analysis [25–27]. A system is synchronizable if its send actions remain the same under both asynchronous communication and synchronous communication. However, recent research shows synchronizability is undecidable [14].

In this paper, we propose an approach for interaction analysis using model checking techniques, which is supported by the Process Analysis Toolkit (PAT) [28] tool. Such an analysis approach enables us to effectively and automatically identify interaction faults of microservice systems. Our contribution can be summarized as follows:

(i) We model complex interactions in microservice systems under synchronous and peer-to-peer asynchronous communications.

(ii) We introduce a notion of correctness called "interaction soundness," which is considered as a minimal requirement for microservice systems.

(iii) We automatically verify the property interaction soundness using model checking techniques under the support of the Process Analysis Toolkit (PAT) tool.

Moreover, we propose an encoding of LTSs into the CSP# process algebra. We choose CSP# because it is equipped with the PAT tool, which offers the PAT simulator for state space generation and the PAT verifier for property verification. In particular, when the PAT verifier returns not valid using model checking, it gives us the counterexample, which is very useful to fix faults.

The rest of this paper is organized as follows. Section 2 discusses related work. Section 3 presents some formal definitions used throughout this paper. Section 4 formally defines the interaction behaviors of microservice systems under synchronous and peer-to-peer asynchronous communications. Section 5 introduces a notion of interaction soundness and verifies the property using model checking techniques based on CSP# encoding. Section 6 discusses the implementation of our approach and experimental results. Section 7 concludes this paper.

2. Related Work

There has been some research on debugging microservice systems. In [10], the authors conducted an industrial survey to show three main faults in microservice systems, namely, internal faults, interaction faults, and environment faults. In [11, 17], the authors proposed a novel approach for debugging microservice systems. In [18], the authors discussed complex live testing strategies for microservice systems. In [19], the authors proposed a new approach to test performance of each microservice participating in a microservice system. All these studies can be used to test microservice systems. However, our work focuses on analyzing interactions in microservice systems.

There are some other studies on microservice systems. In [20], the authors proposed an approach to modeling and managing deployment costs for microservice systems. In [21], the authors discussed how to improve the performance of a microservice architecture. In [22], the authors proposed an approach to integrate microservices based on Linked Data. In [23], the authors presented a tool for generating and managing models of microservice architecture. In [24], the authors discussed how to balance the granularity of a microservice architecture. However, all these methods cannot be used to analyze interactions in microservice systems.

To the best of our knowledge, we are the first to analyze complex interactions in microservice systems.

3. Preliminaries

In this section, we present some definitions used throughout this paper.

Definition 1 (labeled transition system). A labeled transition system is a tuple LTS = (S, s0, F, A, Δ), where

(i) S is a set of states
(ii) s0 ∈ S is the initial state
(iii) F ⊆ S is a set of final states
(iv) A is a set of labels
(v) Δ ⊆ S × A × S is a transition relation

For the sake of simplicity, we use $r \xrightarrow{a} s$ to denote (r, a, s) ∈ Δ.

CSP# is an extension of CSP (communicating sequential processes) [29]. In this paper, we use CSP# for microservice system verification. In essence, CSP# is a formal method which integrates state-based specification and event-based specification. The following is a BNF description of the CSP# process expression. More details of CSP can be found in [30].

    P ::= Stop                  in-action
        | Skip                  terminal
        | e -> P                prefix
        | ch?exp -> P           channel input
        | ch!exp -> P           channel output
        | P \ X                 hiding
        | P; Q                  sequential composition
        | P [] X                external choice
        | P Π X                 internal choice
        | if b {P} else {Q}     conditional choice
        | [b]P                  guarded process
        | P || Q                parallel composition
        | P ||| Q               interleaving
        | P Δ Q                 interrupting
        | ref(Q)                process referencing

where P and Q are processes, e is an event, X is a set of event names (e.g., {e1, e2}), b is a Boolean expression, ch is a channel, exp is an expression, and x is a variable [28].

The syntax of LTL formulas is defined as follows. More details of LTL can be found in [29].

    F ::= e | prop | [] F | <> F | X F | F1 U F2 | F1 R F2

where e is an event, prop is a predefined proposition, F, F1, and F2 are three LTL formulas, [] denotes "always," <> denotes "eventually," X denotes "next," U denotes "until," and R denotes "release."

4. Interaction Behavior Model

In this section, we introduce a formal model (see Figure 1) for modeling complex interactions in microservice systems. In our model, microservices with unbounded buffers communicate asynchronously with each other, and interactions in a microservice system can be viewed as sequences of send actions, because receive actions, which consume messages from buffers, are considered as local invisible actions.

Figure 1 illustrates the three communicating microservices MS1, MS2, and MS3 with messages a, b, c, and d that are from the example in [8]. The initial states of each microservice are subscripted with 0 and marked with incoming half-arrows. The final states of each microservice are marked with double circles. Each transition of each microservice is labeled with send action (exclamation marks) or receive message action (question marks). The buffers are in red lines and marked with i and j, where i denotes the sender and j denotes the receiver. For example, the buffer12 denotes the buffer of MS2, which is used to store incoming messages sent from MS1. Note that each buffer is an FIFO message queue.

When we further consider asynchronous messaging in Figure 1, there are two different semantics for the point-to-point asynchronous communication, namely, peer-to-peer communication and mailbox communication. The mailbox communication shown in Figure 2 requires that all messages sent to MS1 from the other microservices are stored in a buffer (i.e., a message queue) that is specific to MS1. The peer-to-peer communication requires that each message sent from a microservice MS1 to another microservice MS2 is stored in a buffer in an FIFO fashion, which is specific to the pair (MS1, MS2). In other words, each participating microservice of a microservice system is equipped with many buffers for different incoming messages from other microservices. In this paper, we focus on peer-to-peer communication.

Based on the analysis above, we first use finite LTSs to model the behaviors of individual microservices. Then, we move to model the asynchronous interaction behaviors of microservice systems both with unbounded buffers and with bounded buffers (say k). Finally, we model the synchronous interaction behaviors of microservice systems based on the asynchronous interaction behaviors.

Definition 2 (message set). A message set M is a tuple (Σ, p, src, dst):

(i) Σ is a finite set of letters
(ii) p ≥ 1 is a nonnegative integer number which denotes the number of participating microservices
(iii) src and dst are functions that associate message m ∈ Σ to nonnegative integer numbers src(m) ≠ dst(m) ∈ {1, 2, ..., p}

We often use m^{i→j} for a message m such that src(m) = i and dst(m) = j.

Definition 3 (microservice). A microservice MS is a labeled transition system (S, s0, F, M, δ), where

(i) S is the finite set of states
(ii) s0 is the initial state
(iii) F ⊆ S is the finite set of final states
(iv) M is a message set
(v) δ ⊆ S × (M ∪ {ε}) × S is the transition relation

A transition τ ∈ δ can be one of the following three types:

(1) A send-transition (s1, !m^{1→2}, s2), which denotes that the microservice MS1 sends out a message m^{1→2} to another microservice MS2, where m^{1→2} ∈ M

(2) A receive-transition (s1, ?m^{1→2}, s2), which denotes that the microservice MS1 consumes a message m^{1→2}, where m^{1→2} ∈ M

(3) An ε-transition (s1, ε, s2), which denotes the invisible action of MS1

We often use $s_i \xrightarrow{m^{i \to j}} s_j$ to denote that (si, m^{i→j}, sj)

4.1. Asynchronous Interaction Behaviors of Microservice Systems

Definition 4 (asynchronous interaction behavior of a microservice system with unbounded buffers). An asynchronous interaction behavior of a microservice system with unbounded buffers over a set of microservices (MS1, MS2, ..., MSn), where MSi = (Si, s0i, Fi, Mi, δi) and Mi = (Σi, pi, srci, dsti), is denoted by a labeled transition system Ba = (C, c0, F, M, Δ) (possible infinite state), where

(i) C ⊆ Q1 × S1 × Q2 × S2 × ... × Qn × Sn is the set of states such that ∀i ∈ {1, 2, ..., n}: Qi = (buffer_ji), where ∀j ∈ {1, 2, ..., n} ∧ i ≠ j ∧ buffer_ji ⊆ (Mj)*

(ii) c0 ∈ C is the initial state such that

$$c_0 = \big(\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{01}, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{02}, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{0n}\big),$$

where c0i = MSi·s0i

(iii) F ⊆ C is the set of final states such that

$$\forall f \in F:\ f = \big(\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_1, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_2, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_n\big),$$

where fi ∈ MSi·Fi

(iv) M = ∪i Mi is the set of messages

(v) Δ ⊆ C × (M ∪ {ε}) × C, for c = (Q1, s1, Q2, s2, ..., Qn, sn) and c′ = (Q′1, s′1, Q′2, s′2, ..., Q′n, s′n):

(a) $c \xrightarrow{!m^{i \to j}} c' \in \Delta$ if ∃i, j ∈ {1, 2, ..., n}, m ∈ M:
    (i) src(m) = i ∧ dst(m) = j
    (ii) $s_i \xrightarrow{!m^{i \to j}} s_i' \in \delta_i$
    (iii) ∀k ∈ {1, 2, ..., n}: k ≠ i ⟹ s′k = sk
    (iv) ∀k ∈ {1, 2, ..., n} ∧ k = i ⟹ buffer′kj = bufferkj m
    (v) ∀k, l ∈ {1, 2, ..., n} ∧ k ≠ i ∧ l ≠ j ∧ k ≠ l ⟹ buffer′kl = bufferkl
    [send action]

(b) $c \xrightarrow{?m^{i \to j}} c' \in \Delta$ if ∃i, j ∈ {1, 2, ..., n} ∧ m ∈ M:
    (i) src(m) = i ∧ dst(m) = j
    (ii) $s_j \xrightarrow{?m^{i \to j}} s_j' \in \delta_j$
    (iii) ∀k ∈ {1, 2, ..., n}: k ≠ j ⟹ s′k = sk
    (iv) ∀k ∈ {1, 2, ..., n} ∧ k = i ⟹ bufferkj = m buffer′kj
    (v) ∀k, l ∈ {1, 2, ..., n}: k ≠ i ∧ l ≠ j ∧ k ≠ l ⟹ buffer′kl = bufferkl
    [receive action]

(c) $c \xrightarrow{\varepsilon} c' \in \Delta$ if ∃i, j ∈ {1, 2, ..., n}:
    (i) $s_i \xrightarrow{\varepsilon} s_i' \in \delta_i$
    (ii) ∀k ∈ {1, 2, ..., n}: k ≠ i ⟹ s′k = sk
    (iii) ∀k ∈ {1, 2, ..., n}: Q′k = Qk
    [internal action]

According to Definition 4, microservices with unbounded buffers participating in a microservice system can interact with each other under the peer-to-peer semantics. The states (C) of a composite service consisting of n microservices are described by each microservice's local state and its respective buffers. Each microservice has n − 1 unbounded buffers. When MS1 sends a message m to MS2, the message will be inserted to the tail of the buffer12, which is specific to the pair (MS1, MS2), and then MS2 can consume this message from the head of its buffer12. The send action (item 4a) is nonblocking and involves a sender, a receiver, and the receiver's buffer. After the sender MSi sends a message m to the receiver MSj, the state of the sender is changed (4a-ii), the message will be inserted to the tail of the bufferij, which is specific to the pair (MSi, MSj) (4a-iv), and the other buffers do not change (4a-v). The receive message action (item 4b) is blocking and local, which involves only a receiver. After the receive message action is executed, the state of the message receiver is changed (4b-ii), the message at the head of the buffer of the receiver is consumed (4b-iv), and the other buffers do not change (4b-v). The epsilon-labeled transition (item 4c) is an internal action and can simply change the local state of a microservice.

Moreover, if we set Qi = (bufferi) and keep others unchanged in Definition 4, the semantics of asynchronous communication is changed to the mailbox communication. Therefore, the mailbox communication is a special case of the peer-to-peer communication.

The interaction behavior of a microservice system depends on not only the order in which send actions are executed but also the size of each microservice's buffers [31]. When buffers are unbounded, interaction behavior may be infinite.

Figure 1: The formal model of complex interactions in microservice systems under the peer-to-peer communication.

Figure 2: The mailbox communication.

We define the asynchronous interaction behavior ofmicroservice systems with bounded buffers in the followingwhere each participating microservice has buffers of size k

Definition 5 (asynchronous interaction behavior of amicroservice system with buffers of size k) -e asyn-chronous interaction behavior of a microservice system withbuffers of size k is denoted by a labeled transition systemBk

a (C c0 F MΔ) and described by augmenting condi-tion (a) in Definition 4 to include the conditionQj (q1 qjminus1qj+1 qn) |qj|lt k where |qi| denotes the length of thebuffers for microservice MSi

In a microservice system with buffers of size k the sendactions are blocked if the receiverrsquos buffer contains k mes-sages -erefore the interaction behavior of a microservicesystem with buffers of size k is finite

Figure 3(a) illustrates the asynchronous interactionbehavior of the microservice system with buffers of size 2shown in Figure 1 under the peer-to-peer communication-e initial state is denoted by c0 (([] []) s01 ([] []) s02 ([][]) s03) (ie each microservice is in its initial state and all thebuffers are empty) After MS1 sends the message a to thebuffer12 of MS2 the system evolves from c0 to c1 and thebuffer12 contains a -en MS2 consumes the ldquomatchingrdquomessage a at the head of its buffer12 the system evolves fromc1 to c3 and the message a is removed from the buffer12

Figure 3(b) illustrates the asynchronous interaction be-havior of themicroservice systemwith buffers of size 2 shown inFigure 1 under the mailbox communication -e initial state isc0 (([] []) s01 ([] []) s02 ([] []) s03) and the final state is c10

42 Synchronous Interaction Behaviors of MicroserviceSystems In synchronous communication every send actionis executed followed by a receive action ie the micro-services interact synchronously It seems that each micro-service of a microservice system has buffers of size 0

Definition 6 (synchronous behavior of a microservices system). A synchronous behavior of a microservices system over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, src_i, dst_i)$, is denoted by a labeled transition system $B_s = (C, c_0, F, M, \Delta)$, where

(i) $C \subseteq S_1 \times S_2 \times \cdots \times S_n$ is the set of states
(ii) $c_0 \in C$ is the initial state
(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F$, $f = (f_1, f_2, \ldots, f_n)$, where $f_i \in MS_i \cdot F_i$
(iv) $M = \cup_i M_i$ is the set of messages
(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$; for $c = (s_1, s_2, \ldots, s_n)$ and $c' = (s_1', s_2', \ldots, s_n')$:

  (a) $c \xrightarrow{m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
    (i) $src(m) = i \wedge dst(m) = j$
    (ii) $s_i \xrightarrow{!m^{i \to j}} s_i' \in \delta_i$
    (iii) $s_j \xrightarrow{?m^{i \to j}} s_j' \in \delta_j$
    (iv) $\forall k \in \{1, 2, \ldots, n\}$, $k \ne i \wedge k \ne j \Longrightarrow s_k' = s_k$
    [synchronous send-receive action]

  (b) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
    (i) $s_i \xrightarrow{\varepsilon} s_i' \in \delta_i$
    (ii) $\forall k \in \{1, 2, \ldots, n\}$, $k \ne i \Longrightarrow s_k' = s_k$
    [internal action]

Figure 4 illustrates the synchronous behavior of the microservice system shown in Figure 1. The behavior of the system has transitions $a^{1 \to 2}$, followed by $a^{1 \to 2}$, followed by $b^{1 \to 2}$, and followed by $c^{3 \to 2}$.

5. Interaction Soundness-Based Verification

Given a microservice system, one crucial problem is to check whether the interaction behavior is correct. In this paper, we check whether the interaction behavior of a microservice system satisfies a minimal requirement for correctness using model-checking techniques. The whole process includes the following three steps:

(1) We introduce a notion of correctness called "interaction soundness", which is considered a minimal requirement for microservice systems.

(2) We present an encoding of the interaction behavior into the CSP# process.

(3) We translate the property interaction soundness into LTL formulas such that we can verify this property using model-checking techniques with the support of the PAT verifier.

5.1. Interaction Soundness

Let us further analyze the asynchronous interaction behavior of a microservice system with buffers of size 2 shown in Figure 3(a). When the execution of the microservice system is along the sequence of send and receive actions circled by a red dashed line, the terminating state is c17, which denotes that each participating microservice reaches its corresponding final state, but the message queue buffer12 of MS1 and the message queue buffer21 of MS2 are not empty. In other words, there is an interaction fault which causes messages $a^{1 \to 2}$ and $d^{1 \to 2}$ not to be consumed correctly.

In Figure 5, we take a snapshot of the system in c17. There are two messages $a^{1 \to 2}$ in buffer12 of MS1 and one message $d^{1 \to 2}$ in buffer21 of MS2.

Based on the above analysis, we use the interaction correctness criterion as a minimal requirement any microservice system should satisfy. In particular, the requirement is described as follows:

For any case, the microservice system will terminate eventually, and the moment the system terminates, the terminating state is the final state.

Definition 7 (interaction soundness under synchronous communication). A microservice system $B_s = (M, C, F, c_0, \Delta)$ is interaction sound under synchronous communication if and only if the following condition is satisfied:

Figure 3: The asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1. (a) The peer-to-peer communication. (b) The mailbox communication.

States in panel (a):
c0 = (([], []), s01, ([], []), s02, ([], []), s03)
c1 = (([], []), s11, ([a], []), s02, ([], []), s03)
c2 = (([], []), s21, ([a, a], []), s02, ([], []), s03)
c3 = (([], []), s11, ([], []), s12, ([], []), s03)
c4 = (([], []), s21, ([a], []), s12, ([], []), s03)
c5 = (([], []), s31, ([a], []), s12, ([b], []), s03)
c6 = (([], []), s21, ([], []), s22, ([], []), s03)
c7 = (([], []), s31, ([], []), s22, ([b], []), s03)
c8 = (([], []), s31, ([], []), s22, ([], []), s13)
c9 = (([], []), s31, ([], [c]), s22, ([], []), s23)
c10 = (([], []), s31, ([], []), s32, ([], []), s23)
c11 = (([], []), s31, ([a], []), s12, ([], []), s13)
c12 = (([], []), s31, ([a], [c]), s12, ([], []), s23)
c13 = (([], []), s31, ([a, a], []), s02, ([b], []), s03)
c14 = (([], []), s31, ([a, a], []), s02, ([], []), s13)
c15 = (([], []), s31, ([a, a], [c]), s02, ([], []), s23)
c16 = (([], []), s31, ([a, a], []), s42, ([], []), s23)
c17 = (([d], []), s31, ([a, a], []), s52, ([], []), s23)

States in panel (b):
c0 = (([]), s01, ([]), s02, ([]), s03)
c1 = (([]), s11, ([a]), s02, ([]), s03)
c2 = (([]), s21, ([a]), s02, ([]), s03)
c3 = (([]), s11, ([]), s12, ([]), s03)
c4 = (([]), s21, ([]), s12, ([]), s03)
c5 = (([]), s31, ([a]), s12, ([]), s03)
c6 = (([]), s21, ([]), s12, ([]), s03)
c7 = (([]), s31, ([]), s22, ([b]), s03)
c8 = (([]), s31, ([]), s22, ([]), s13)
c9 = (([]), s31, ([]), s22, ([]), s23)
c10 = (([]), s31, ([]), s32, ([]), s23)
c11 = (([]), s31, ([a]), s12, ([]), s13)
c12 = (([]), s31, ([a, c]), s12, ([]), s23)
c13 = (([]), s31, ([a, a]), s02, ([b]), s03)
c14 = (([]), s31, ([a, a]), s02, ([]), s13)

Figure 4: The synchronous interaction behavior of the microservice system shown in Figure 1.

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m_1^{i \to j}} c_1 \xrightarrow{m_2^{k \to l}} \cdots \xrightarrow{m_n^{o \to p}} c\right) \Longrightarrow \left(c \xrightarrow{m_{n+1}^{i \to j}} c_{n+1} \xrightarrow{m_{n+2}^{k \to l}} \cdots \xrightarrow{m_0^{o \to p}} c_x\right) \wedge c_x \in F \quad (1)$$

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ is interaction sound under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied:

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m_1^{i \to j}} c_1 \xrightarrow{m_2^{k \to l}} \cdots \xrightarrow{m_n^{o \to p}} c\right) \Longrightarrow \left(c \xrightarrow{m_{n+1}^{i \to j}} c_{n+1} \xrightarrow{m_{n+2}^{k \to l}} \cdots \xrightarrow{m_0^{o \to p}} c_x\right) \wedge c_x \in F \quad (2)$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of local states of the participating microservices, while the states of the latter are described in terms of local states of the participating microservices and their respective buffers.

5.2. CSP# Encoding for the Behaviors of Microservice Systems

We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP# process. Then we discuss how to encode a synchronous interaction behavior.

The CSP# process encoding an asynchronous interaction behavior of a microservice system mainly includes the following three steps:

(1) Encode all the transitions in each microservice as events in CSP#. For example, the send-transition $(s_1, !m^{1 \to 2}, s_2)$ is encoded as an event m, and the receive-transition $(s_1, ?m^{1 \to 2}, s_2)$ is encoded as an event m.

(2) Encode the order in which the adjacent transitions are executed as prefix or external choice in CSP#. For example, the order in which the microservice MS1 executes transitions in Figure 1 is $a^{1 \to 2}$ followed by $a^{1 \to 2}$ and $b^{1 \to 2}$, which can be encoded as a -> a -> b -> Skip without considering buffers.

(3) Encode peer-to-peer asynchronous communication. In CSP#, the channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process bufferij!m -> P to denote that the sender $MS_i$ sends the message m to the $buffer_{ij}$ of the receiver $MS_j$. Conversely, we use the process bufferij?[x == m]m -> P to denote that the receiver $MS_j$ consumes the message m from its $buffer_{ij}$, where the expression [x == m] is used to check whether the top element in the $buffer_{ij}$ is the matching message m.

Figure 5: A snapshot of a microservice system in c17.

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices $MS_1, MS_2, \ldots, MS_n$, we generate the CSP# process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\text{gen\_buffers}(B_a \cdot C) = \{\, buffer_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\} \,\} \quad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\text{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{total}|\} \quad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state s0:

$$\text{trace}(M_1) = \{\, \text{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M,\ m \in \sigma_i \,\} \quad (5)$$

where the function sort($\sigma_i$) sorts the messages on the path by their execution order.

For a message $m^{1 \to 2} \in M$, function action($m^{1 \to 2}$) = m denotes the message, and function type($m^{1 \to 2}$) denotes the message type.

Let m, n, and p be, respectively, the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is O(m ∗ n ∗ p).

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP# process is shown below:

// The buffers
channel buffer12 2;
channel buffer13 2;
channel buffer21 2;
channel buffer23 2;
channel buffer31 2;
channel buffer32 2;
// The messages
var a = 1;
var b = 2;
var c = 3;
var d = 4;
// The process of each participating microservice
PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
PMS3() = buffer13?2 -> buffer32!c -> Skip;
// The process of an asynchronous interaction behavior of a microservice system
System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP# process of a synchronous behavior can be generated by using Algorithm 1, except setting the size of $buffer_{ij}$ to be 0.

5.3. LTL Formulas of Interaction Soundness

After generating the CSP# process of a microservice system using Algorithm 1, we can generate the state space of the CSP# process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

#define bufij call(cempty, bufferij) == true
system() |= ("init" -> <>("terminate" && bufij)) && F    (7)

where cempty is a channel operation, a Boolean function that tests whether the asynchronous channel is empty or not, and bufferij is the channel specific to the pair ($MS_i$, $MS_j$), which denotes the buffer of a microservice $MS_j$.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows:

#define buf12 call(cempty, buffer12) == true;
#define buf13 call(cempty, buffer13) == true;
#define buf21 call(cempty, buffer21) == true;
#define buf23 call(cempty, buffer23) == true;
#define buf31 call(cempty, buffer31) == true;
#define buf32 call(cempty, buffer32) == true;
#assert System() |= [] ("init" -> <> ("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));
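The property asserted in Example 2 can be cross-checked without PAT by enumerating the k-bounded state space directly. The Python below is an added example, not the authors' encoder: it transcribes the three processes of Example 1 into local LTSs (the integer state numbering is an assumption), applies the k-bounded peer-to-peer semantics of Definitions 4 and 5, and checks Definition 8 by testing that every reachable configuration can still reach a final configuration with all buffers empty.

```python
from collections import deque

# Local LTSs transcribed from PMS1, PMS2 and PMS3 in Example 1.
# Assumption: integer state n of microservice i stands for state s_n,i in Figure 1.
# Transition = (state, kind, message, sender, receiver, next_state);
# kind "!" is a send into buffer_sender,receiver, "?" a receive from it.
SYSTEM = {
    1: {"init": 0, "final": {3}, "trans": [
        (0, "!", "a", 1, 2, 1), (1, "!", "a", 1, 2, 2), (2, "!", "b", 1, 3, 3)]},
    2: {"init": 0, "final": {3, 5}, "trans": [
        (0, "?", "a", 1, 2, 1), (1, "?", "a", 1, 2, 2), (2, "?", "c", 3, 2, 3),
        (0, "?", "c", 3, 2, 4), (4, "!", "d", 2, 1, 5)]},
    3: {"init": 0, "final": {2}, "trans": [
        (0, "?", "b", 1, 3, 1), (1, "!", "c", 3, 2, 2)]},
}
IDS = sorted(SYSTEM)
# Peer-to-peer communication: one FIFO buffer per ordered pair (sender, receiver).
CHANNELS = [(i, j) for i in IDS for j in IDS if i != j]


def initial_config():
    """c0: every microservice in its initial state, every buffer empty."""
    return (tuple(SYSTEM[i]["init"] for i in IDS), tuple(() for _ in CHANNELS))


def is_final(cfg):
    """Final configuration: all local states final and all buffers empty."""
    states, buffers = cfg
    return (all(s in SYSTEM[i]["final"] for i, s in zip(IDS, states))
            and not any(buffers))


def successors(cfg, k):
    """Configurations reachable in one step when every buffer holds at most k messages."""
    states, buffers = cfg
    for pos, ms in enumerate(IDS):
        for state, kind, msg, src, dst, nxt in SYSTEM[ms]["trans"]:
            if state != states[pos]:
                continue
            ch = CHANNELS.index((src, dst))
            queue = buffers[ch]
            if kind == "!" and len(queue) < k:          # send blocks on a full buffer
                queue = queue + (msg,)
            elif kind == "?" and queue[:1] == (msg,):   # receive needs msg at the head
                queue = queue[1:]
            else:
                continue
            yield (states[:pos] + (nxt,) + states[pos + 1:],
                   buffers[:ch] + (queue,) + buffers[ch + 1:])


def check_interaction_soundness(k):
    """Return (sound, stuck): sound is True iff every reachable configuration
    can reach a final one; stuck lists the reachable non-final deadlocks."""
    graph, todo = {}, deque([initial_config()])
    while todo:                                   # forward exploration
        cfg = todo.popleft()
        if cfg not in graph:
            graph[cfg] = list(successors(cfg, k))
            todo.extend(graph[cfg])
    preds = {cfg: [] for cfg in graph}
    for cfg, nexts in graph.items():
        for nxt in nexts:
            preds[nxt].append(cfg)
    can_finish = {cfg for cfg in graph if is_final(cfg)}
    todo = deque(can_finish)
    while todo:                                   # backward closure from final configs
        for prev in preds[todo.popleft()]:
            if prev not in can_finish:
                can_finish.add(prev)
                todo.append(prev)
    stuck = [cfg for cfg, nexts in graph.items() if not nexts and not is_final(cfg)]
    return len(can_finish) == len(graph), stuck


def describe(cfg):
    """Readable view of a configuration: local states plus the non-empty buffers."""
    states, buffers = cfg
    pending = {f"buffer{i}{j}": q for (i, j), q in zip(CHANNELS, buffers) if q}
    return states, pending


if __name__ == "__main__":
    for k in (1, 2, 3):
        sound, stuck = check_interaction_soundness(k)
        print(f"k={k}: interaction sound = {sound}", [describe(c) for c in stuck])
```

For k = 2 and k = 3 the only stuck configuration is c17 of Figure 3(a), with two a messages left in buffer12 and d left in buffer21. For k = 1 the second send of a blocks until MS2 has left its initial state, so the branch that consumes c first is unreachable and the check passes.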

6. Implementation and Experiments

6.1. Implementation

Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP# process. Second, once the CSP# process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.

6.2. Experiments

To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with a 2.50 GHz processor and 8 GB of RAM running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system ($B_s$), the verification result under synchronous communication (IRa) ("−" denotes that the system is not interaction sound, and "+" denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k ($B_a^k$), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

Algorithm 1: Encoding an asynchronous interaction behavior.

Input: a microservice system Ba = (C, c0, F, M, Δ)
Output: a CSP# process
{buffer12, …, buffer(n−1)n} = gen_buffers(Ba·C)
set the size of {buffer12, …, buffer(n−1)n}
gen_message_variable(Ba·M)
for MSi ∈ (MS1, MS2, …, MSn) do
    {σ1, …, σn} = trace(MSi)
    for σj ∈ (σ1, …, σn) do
        z = 1
        while (m = getHead(σj)) ≠ null do
            if type(m) = "!" then
                Pz() = buffer_src(m)_dst(m)!action(m) -> Pz+1()
            else
                Pz() = buffer_src(m)_dst(m)?[xz == action(m)]action(m) -> Pz+1()
            end if
            z = z + 1
        end while
        PMSi() = P1()
    end for
end for
System() = PMS1() ||| PMS2() ||| … ||| PMSn()

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., the size of the LTS of the asynchronous interaction behavior remains unchanged from some buffer bound onward, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property of the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. "Too large" means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called "interaction soundness", which is considered a minimal requirement for microservice systems. We automatically verified the property interaction soundness with the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases. LTS sizes are given as (|T|, |S|).

| Id | Description | Number of MSs | Number of Ms | $B_s$ LTS | $B_s$ IRa | $B_a^1$ LTS | $B_a^1$ IRs | $B_a^2$ LTS | $B_a^2$ IRs | $B_a^3$ LTS | $B_a^3$ IRs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Ca-01 [33] | Booking system | 4 | 7 | (10, 11) | − | (23, 29) | − | (24, 31) | − | (24, 31) | − |
| Ca-02 [34] | Train station | 4 | 8 | (11, 13) | + | (44, 76) | − | (64, 122) | − | (84, 168) | − |
| Ca-03 [32] | Protocol | 3 | 3 | (7, 14) | + | (26, 62) | − | (35, 91) | − | (44, 120) | − |
| Ca-04 [35] | Online shopping | 3 | 6 | (7, 7) | + | (13, 13) | + | (13, 13) | + | (13, 13) | + |
| Ca-05 [36] | Cloud application | 4 | 5 | (6, 10) | − | (96, 240) | − | Too large | − | Too large | − |
| Ca-06 [37] | Figure 2 | 3 | 3 | (3, 3) | + | (10, 14) | − | (15, 24) | − | (20, 34) | − |
| Ca-07 [38] | Figure 1 | 4 | 5 | (11, 14) | + | (28, 43) | + | (28, 43) | + | (28, 43) | + |
| Ca-08 [15] | Composition 2 | 2 | 5 | (5, 6) | + | (10, 11) | + | (10, 11) | + | (10, 11) | + |
| Ca-09 [39] | Figure 8 | 3 | 3 | (7, 6) | − | (16, 20) | − | (16, 20) | − | (16, 20) | − |
| Ca-10 [14] | Figure 1 | 3 | 4 | (6, 5) | + | (13, 15) | + | (20, 26) | − | (20, 26) | − |

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., "A computation offloading method over big data for IoT-enabled cloud-edge computing," Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, "A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems," World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., "An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles," Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, "BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing," IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, "Joint optimization of offloading utility and privacy for edge computing enabled IoT," IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, "A blockchain-based computation offloading method for edge computing in 5G networks," Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, "Gremlin: systematic resilience testing of microservices," in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, "Microservices architecture enables DevOps: migration to a cloud-native architecture," IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., "Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study," IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems with parallel optimization," IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, "Application delivery service challenges in microservices-based applications," 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, "Synchronizability of communicating finite state machines is not decidable," in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, "Synchronizability of conversations among web services," IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., "Poster: benchmarking microservice systems for software engineering research," in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE'18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems," in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, "Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies," in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, "An architecture to automate performance tests on microservices," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, "Modelling and managing deployment costs of microservice-based cloud applications," in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, "Workload-based clustering of coherent feature sets in microservice architectures," in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, "Publishing linked data through semantic microservices composition," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, "A software architecture recovery tool for maintaining microservice-based systems," in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, "Microservices and their design tradeoffs: a self-adaptive roadmap," in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, "Choreography conformance via synchronizability," in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, "Synchronizability for verification of asynchronously communicating systems," in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, "On deciding synchronizability for asynchronously communicating systems," Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, "Model checking CSP revisited: introducing a process analysis toolkit," in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, "Integrating specification and programs for system modeling and verification," in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, "Communicating sequential processes," International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, "Deciding choreography realizability," ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, "Conversation protocols: a formalism for specification and verification of reactive electronic services," Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, "Checking the realizability of BPMN 2.0 choreographies," in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, "Realizability of choreographies using process algebra encodings," IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, "Modeling interactions of web software," in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, "Counterexample guided synthesis of monitors for realizability enforcement," Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, "Compatibility checking for asynchronously communicating software," Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, "Local enforceability in interaction petri nets," in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, "A tool for choreography analysis using collaboration diagrams," in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, "Automatic verification of interactions in asynchronous systems with unbounded buffers," in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE'14, pp. 743–754, Västerås, Sweden, September 2014.


denotes "eventually", X denotes "next", U denotes "until", and R denotes "release".

4. Interaction Behavior Model

In this section, we introduce a formal model (see Figure 1) for modeling complex interactions in microservice systems. In our model, microservices with unbounded buffers communicate asynchronously with each other, and interactions in a microservice system can be viewed as sequences of send actions because receive actions, which consume messages from buffers, are considered local invisible actions.

Figure 1 illustrates the three communicating microservices MS1, MS2, and MS3 with messages a, b, c, and d that are from the example in [8]. The initial states of each microservice are subscripted with 0 and marked with incoming half-arrows. The final states of each microservice are marked with double circles. Each transition of each microservice is labeled with a send action (exclamation marks) or a receive message action (question marks). The buffers are in red lines and marked with i and j, where i denotes the sender and j denotes the receiver. For example, the buffer12 denotes the buffer of MS2, which is used to store incoming messages sent from MS1. Note that each buffer is a FIFO message queue.

When we further consider asynchronous messaging in Figure 1, there are two different semantics for the point-to-point asynchronous communication, namely, peer-to-peer communication and mailbox communication. The mailbox communication shown in Figure 2 requires that all messages sent to MS1 from the other microservices are stored in a buffer (i.e., a message queue) that is specific to MS1. The peer-to-peer communication requires that each message sent from a microservice MS1 to another microservice MS2 is stored, in a FIFO fashion, in a buffer which is specific to the pair (MS1, MS2). In other words, each participating microservice of a microservice system is equipped with many buffers for different incoming messages from other microservices. In this paper, we focus on peer-to-peer communication.

Based on the analysis above, we first use finite LTSs to model the behaviors of individual microservices. Then we move to model the asynchronous interaction behaviors of microservice systems, both with unbounded buffers and with bounded buffers (say k). Finally, we model the synchronous interaction behaviors of microservice systems based on the asynchronous interaction behaviors.

Definition 2 (message set). A message set M is a tuple $(\Sigma, p, src, dst)$:

(i) $\Sigma$ is a finite set of letters
(ii) $p \ge 1$ is a nonnegative integer number which denotes the number of participating microservices
(iii) src and dst are functions that associate message $m \in \Sigma$ to nonnegative integer numbers $src(m) \ne dst(m) \in \{1, 2, \ldots, p\}$

We often use $m^{i \to j}$ for a message m such that $src(m) = i$ and $dst(m) = j$.

Definition 3 (microservice). A microservice MS is a labeled transition system $(S, s_0, F, M, \delta)$, where

(i) $S$ is the finite set of states
(ii) $s_0$ is the initial state
(iii) $F \subseteq S$ is the finite set of final states
(iv) $M$ is a message set
(v) $\delta \subseteq S \times (M \cup \{\varepsilon\}) \times S$ is the transition relation

A transition $\tau \in \delta$ can be one of the following three types:

(1) A send-transition $(s_1, !m^{1 \to 2}, s_2)$, which denotes that the microservice MS1 sends out a message $m^{1 \to 2}$ to another microservice MS2, where $m^{1 \to 2} \in M$

(2) A receive-transition $(s_1, ?m^{1 \to 2}, s_2)$, which denotes that the microservice MS1 consumes a message $m^{1 \to 2}$, where $m^{1 \to 2} \in M$

(3) An ε-transition $(s_1, \varepsilon, s_2)$, which denotes the invisible action of MS1

We often use $s_i \xrightarrow{m^{i \to j}} s_j$ to denote that $(s_i, m^{i \to j}, s_j)$

41 Asynchronous Interaction Behaviors of MicroserviceSystems

Definition 4 (asynchronous interaction behavior of a microservice system with unbounded buffers). An asynchronous interaction behavior of a microservice system with unbounded buffers over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, \mathit{src}_i, \mathit{dst}_i)$, is denoted by a labeled transition system $B_a = (C, c_0, F, M, \Delta)$ (possible infinite state), where

(i) $C \subseteq Q_1 \times S_1 \times Q_2 \times S_2 \times \cdots \times Q_n \times S_n$ is the set of states such that $\forall i \in \{1, 2, \ldots, n\}$, $Q_i = (\mathit{buffer}_{ji})$, where $\forall j \in \{1, 2, \ldots, n\} \wedge i \neq j \wedge \mathit{buffer}_{ji} \subseteq (M_j)^{*}$

(ii) $c_0 \in C$ is the initial state such that $c_0 = (\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{01}, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{02}, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, c_{0n})$, where $c_{0i} = MS_i \cdot s_{0i}$

(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F = (\underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_1, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_2, \ldots, \underbrace{([\,], [\,], \ldots, [\,])}_{n-1}, f_n)$, where $f_i \in MS_i \cdot F_i$

(iv) $M = \cup_i M_i$ is the set of messages

(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$ for $c = (Q_1, s_1, Q_2, s_2, \ldots, Q_n, s_n)$ and $c' = (Q'_1, s'_1, Q'_2, s'_2, \ldots, Q'_n, s'_n)$

(a) $c \xrightarrow{m_{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\},\ m \in M$:
(i) $\mathit{src}(m) = i \wedge \mathit{dst}(m) = j$
(ii) $s_i \xrightarrow{m_{i \to j}} s'_i \in \delta_i$
(iii) $\forall k \in \{1, 2, \ldots, n\},\ k \neq i \Longrightarrow s'_k = s_k$
(iv) $\forall k \in \{1, 2, \ldots, n\} \wedge k = i \Longrightarrow \mathit{buffer}'_{kj} = \mathit{buffer}_{kj}\, m$
(v) $\forall k, l \in \{1, 2, \ldots, n\} \wedge k \neq i \wedge l \neq j \wedge k \neq l \Longrightarrow \mathit{buffer}'_{kl} = \mathit{buffer}_{kl}$
[send action]

(b) $c \xrightarrow{m_{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
(i) $\mathit{src}(m) = i \wedge \mathit{dst}(m) = j$
(ii) $s_j \xrightarrow{m_{i \to j}} s'_j \in \delta_j$
(iii) $\forall k \in \{1, 2, \ldots, n\},\ k \neq j \Longrightarrow s'_k = s_k$
(iv) $\forall k \in \{1, 2, \ldots, n\} \wedge k = i \Longrightarrow \mathit{buffer}_{kj} = m\, \mathit{buffer}'_{kj}$
(v) $\forall k, l \in \{1, 2, \ldots, n\},\ k \neq i \wedge l \neq j \wedge k \neq l \Longrightarrow \mathit{buffer}'_{kl} = \mathit{buffer}_{kl}$
[receive action]

(c) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
(i) $s_i \xrightarrow{\varepsilon} s'_i \in \delta_i$
(ii) $\forall k \in \{1, 2, \ldots, n\},\ k \neq i \Longrightarrow s'_k = s_k$
(iii) $\forall k \in \{1, 2, \ldots, n\},\ Q'_k = Q_k$
[internal action]

According to Definition 4, microservices with unbounded buffers participating in a microservice system can interact with each other under the peer-to-peer semantics. The states ($C$) of a composite service consisting of $n$ microservices are described by each microservice’s local state and its respective buffers. Each microservice has $n - 1$ unbounded buffers. When $MS_1$ sends a message $m$ to $MS_2$, the message will be inserted to the tail of the $\mathit{buffer}_{12}$, which is specific to the pair $(MS_1, MS_2)$, and then $MS_2$ can consume this message from the head of its $\mathit{buffer}_{12}$. The send action (item 4a) is nonblocking and involves a sender, a receiver, and the receiver’s buffer. After the sender $MS_i$ sends a message $m$ to the receiver $MS_j$, the state of the sender is changed (4a-ii), the message will be inserted to the tail of the $\mathit{buffer}_{ij}$, which is specific to the pair $(MS_i, MS_j)$ (4a-iv), and the other buffers do not change (4a-v). The receive message action (item 4b) is blocking and local, which involves only a receiver. After the receive message action is executed, the state of the message receiver is changed (4b-ii), the message at the head of the buffer of the receiver is consumed (4b-ii), and the other buffers do not change (4b-v). The epsilon-labeled transition (item 4c) is an internal action and can simply change the local state of a microservice.

Moreover, if we set $Q_i = (\mathit{buffer}_i)$ and keep others unchanged in Definition 4, the semantics of asynchronous communication is changed to the mailbox communication. Therefore, the mailbox communication is a special case of the peer-to-peer communication.

The interaction behavior of a microservice system depends on not only the order in which send actions are executed but also the size of each microservice’s buffers [31].

Figure 1: The formal model of complex interactions in microservice systems under the peer-to-peer communication.

Figure 2: The mailbox communication.

When buffers are unbounded, interaction behavior may be infinite.

We define the asynchronous interaction behavior of microservice systems with bounded buffers in the following, where each participating microservice has buffers of size $k$.

Definition 5 (asynchronous interaction behavior of a microservice system with buffers of size $k$). The asynchronous interaction behavior of a microservice system with buffers of size $k$ is denoted by a labeled transition system $B_a^k = (C, c_0, F, M, \Delta)$ and described by augmenting condition (a) in Definition 4 to include the condition $Q_j = (q_1, \ldots, q_{j-1}, q_{j+1}, \ldots, q_n)$, $|q_j| < k$, where $|q_i|$ denotes the length of the buffers for microservice $MS_i$.

In a microservice system with buffers of size $k$, the send actions are blocked if the receiver’s buffer contains $k$ messages. Therefore, the interaction behavior of a microservice system with buffers of size $k$ is finite.

Figure 3(a) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the peer-to-peer communication. The initial state is denoted by $c_0 = (([\,], [\,]), s_{01}, ([\,], [\,]), s_{02}, ([\,], [\,]), s_{03})$ (i.e., each microservice is in its initial state and all the buffers are empty). After $MS_1$ sends the message $a$ to the $\mathit{buffer}_{12}$ of $MS_2$, the system evolves from $c_0$ to $c_1$, and the $\mathit{buffer}_{12}$ contains $a$. Then, $MS_2$ consumes the “matching” message $a$ at the head of its $\mathit{buffer}_{12}$; the system evolves from $c_1$ to $c_3$, and the message $a$ is removed from the $\mathit{buffer}_{12}$.

Figure 3(b) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the mailbox communication. The initial state is $c_0 = (([\,], [\,]), s_{01}, ([\,], [\,]), s_{02}, ([\,], [\,]), s_{03})$, and the final state is $c_{10}$.

4.2. Synchronous Interaction Behaviors of Microservice Systems. In synchronous communication, every send action is executed followed by a receive action, i.e., the microservices interact synchronously. It seems that each microservice of a microservice system has buffers of size 0.

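Definition 6 (synchronous behavior of a microservices system). A synchronous behavior of a microservices system over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, \mathit{src}_i, \mathit{dst}_i)$, is denoted by a labeled transition system $B_s = (C, c_0, F, M, \Delta)$, where

(i) $C \subseteq S_1 \times S_2 \times \cdots \times S_n$ is the set of states
(ii) $c_0 \in C$ is the initial state
(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F = (f_1, f_2, \ldots, f_n)$, where $f_i \in MS_i \cdot F_i$
(iv) $M = \cup_i M_i$ is the set of messages
(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$ for $c = (s_1, s_2, \ldots, s_n)$ and $c' = (s'_1, s'_2, \ldots, s'_n)$

(a) $c \xrightarrow{m_{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
(i) $\mathit{src}(m) = i \wedge \mathit{dst}(m) = j$
(ii) $s_i \xrightarrow{m_{i \to j}} s'_i \in \delta_i$
(iii) $s_j \xrightarrow{m_{i \to j}} s'_j \in \delta_j$
(iv) $\forall k \in \{1, 2, \ldots, n\},\ k \neq i \wedge k \neq j \Longrightarrow s'_k = s_k$
[synchronous send-receive action]

(b) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
(i) $s_i \xrightarrow{\varepsilon} s'_i \in \delta_i$
(ii) $\forall k \in \{1, 2, \ldots, n\},\ k \neq i \Longrightarrow s'_k = s_k$
[internal action]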

Figure 4 illustrates the synchronous behavior of a microservice system shown in Figure 1. The behavior of the system has transitions $a_{1 \to 2}$ followed by $a_{1 \to 2}$, followed by $b_{1 \to 2}$, and followed by $c_{3 \to 2}$.

5. Interaction Soundness-Based Verification

Given a microservice system, one crucial problem is to check whether the interaction behavior is correct. In this paper, we check whether the interaction behavior of a microservice system satisfies a minimal requirement for correctness using model-checking techniques. The whole process includes the following three steps:

(1) We introduce a notion of correctness called ‘interaction soundness’ which is considered as a minimal requirement for microservice systems
(2) We present an encoding of the interaction behavior into the CSP process
(3) We translate the property interaction soundness into LTL formulas such that we can verify this property using model-checking techniques under the support by the PAT verifier

5.1. Interaction Soundness. Let us further analyze the asynchronous interaction behavior of a microservice system with buffers of size 2 shown in Figure 3(a). When the execution of the microservice system is along the sequence of send and receive actions circled by a red dashed line, the terminating state is $c_{17}$, which denotes that each participating microservice reaches its corresponding final state, but the message queue $\mathit{buffer}_{12}$ of $MS_1$ and the message queue $\mathit{buffer}_{21}$ of $MS_2$ are not empty. In other words, there is an interaction fault which causes messages $a_{1 \to 2}$ and $d_{1 \to 2}$ not to be consumed correctly.

In Figure 5, we take a snapshot of the system in $c_{17}$. There are two messages $a_{1 \to 2}$ in $\mathit{buffer}_{12}$ of $MS_1$ and one message $d_{1 \to 2}$ in $\mathit{buffer}_{21}$ of $MS_2$.

Based on the above analysis, we use the interaction correctness criterion as a minimal requirement any microservice system should satisfy. In particular, the requirement is described as follows.

For any case, the microservice system will terminate eventually, and the moment the system terminates, the terminating state is the final state.

Definition 7 (interaction soundness under synchronous communication). A microservice system $B_s = (M, C, F, c_0, \Delta)$ is interaction sound under synchronous communication if and only if the following condition is satisfied.

Figure 3: The asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1. (a) The peer-to-peer communication. (b) The mailbox communication.

States listed in panel (a):
c0 = (([], []), s01, ([], []), s02, ([], []), s03)
c1 = (([], []), s11, ([a], []), s02, ([], []), s03)
c2 = (([], []), s21, ([a, a], []), s02, ([], []), s03)
c3 = (([], []), s11, ([], []), s12, ([], []), s03)
c4 = (([], []), s21, ([a], []), s12, ([], []), s03)
c5 = (([], []), s31, ([a], []), s12, ([b], []), s03)
c6 = (([], []), s21, ([], []), s22, ([], []), s03)
c7 = (([], []), s31, ([], []), s22, ([b], []), s03)
c8 = (([], []), s31, ([], []), s22, ([], []), s13)
c9 = (([], []), s31, ([], [c]), s22, ([], []), s23)
c10 = (([], []), s31, ([], []), s32, ([], []), s23)
c11 = (([], []), s31, ([a], []), s12, ([], []), s13)
c12 = (([], []), s31, ([a], [c]), s12, ([], []), s23)
c13 = (([], []), s31, ([a, a], []), s02, ([b], []), s03)
c14 = (([], []), s31, ([a, a], []), s02, ([], []), s13)
c15 = (([], []), s31, ([a, a], [c]), s02, ([], []), s23)
c16 = (([], []), s31, ([a, a], []), s42, ([], []), s23)
c17 = (([d], []), s31, ([a, a], []), s52, ([], []), s23)

States listed in panel (b):
c0 = (([]), s01, ([]), s02, ([]), s03)
c1 = (([]), s11, ([a]), s02, ([]), s03)
c2 = (([]), s21, ([a]), s02, ([]), s03)
c3 = (([]), s11, ([]), s12, ([]), s03)
c4 = (([]), s21, ([]), s12, ([]), s03)
c5 = (([]), s31, ([a]), s12, ([]), s03)
c6 = (([]), s21, ([]), s12, ([]), s03)
c7 = (([]), s31, ([]), s22, ([b]), s03)
c8 = (([]), s31, ([]), s22, ([]), s13)
c9 = (([]), s31, ([]), s22, ([]), s23)
c10 = (([]), s31, ([]), s32, ([]), s23)
c11 = (([]), s31, ([a]), s12, ([]), s13)
c12 = (([]), s31, ([a, c]), s12, ([]), s23)
c13 = (([]), s31, ([a, a]), s02, ([b]), s03)
c14 = (([]), s31, ([a, a]), s02, ([]), s13)

Figure 4: The synchronous interaction behavior of the microservice system shown in Figure 1 (states c0, c1, c2, c3, c4, connected in sequence by the transitions a1→2, a1→2, b1→3, c3→2).

For every state $c$ reachable from the initial state $c_0$, there exists a transition sequence leading from state $c$ to a final state $c_x$. Formally,

$$\forall c \in C \wedge \left( c_0 \xrightarrow{m_{i \to j}} c_1 \xrightarrow{m_{k \to l}} \cdots \xrightarrow{m_{o \to p}} c \right) \Longrightarrow \left( c \xrightarrow{m^{n+1}_{i \to j}} c_{n+1} \xrightarrow{m^{n+1}_{i \to j}} \cdots \xrightarrow{m^{0}_{o \to p}} c_x \right) \wedge c_x \in F. \quad (1)$$

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ is interaction sound under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied.

For every state $c$ reachable from the initial state $c_0$, there exists a transition sequence leading from state $c$ to a final state $c_x$. Formally,

$$\forall c \in C \wedge \left( c_0 \xrightarrow{m^{1}_{i \to j}} c_1 \xrightarrow{m^{2}_{k \to l}} \cdots \xrightarrow{m^{n}_{o \to p}} c \right) \Longrightarrow \left( c \xrightarrow{m^{n+1}_{i \to j}} c_{n+1} \xrightarrow{m^{n+2}_{k \to l}} \cdots \xrightarrow{m^{0}_{o \to p}} c_x \right) \wedge c_x \in F. \quad (2)$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of local states of the participating microservices, while the states of the latter are described in terms of local states of the participating microservices and their respective buffers.

5.2. CSP Encoding for the Behaviors of Microservice Systems. We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP process. Then, we discuss how to encode a synchronous interaction behavior.

The CSP process encoding an asynchronous interaction behavior of a microservice system mainly includes the following three steps:

(1) Encode all the transitions in each microservice as events in CSP. For example, the send-transition $(s_1, m_{1 \to 2}, s_2)$ is encoded as an event m, and the receive-transition $(s_1, m_{1 \to 2}, s_2)$ is encoded as an event m.

(2) Encode the order in which the adjacent transitions are executed as prefix or external choice in CSP. For example, the order in which the microservice $MS_1$ executes transitions in Figure 1 is $a_{1 \to 2}$ followed by $a_{1 \to 2}$ and $b_{1 \to 2}$, which can be encoded as a -> a -> b -> Skip without considering buffers.

(3) Encode peer-to-peer asynchronous communication. In CSP, the channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process bufferij!m -> P to denote that the sender $MS_i$ sends the message m to the bufferij of the receiver $MS_j$. Conversely, we use the process bufferij?[x == m]m -> P to denote that the receiver $MS_j$ consumes the message m from its bufferij, where the expression [x == m] is used to check whether the top element in the bufferij is the matching message m.

Figure 5: A snapshot of a microservice system in c17.

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices $MS_1, MS_2, \ldots, MS_n$, we generate the CSP process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\mathit{gen\_buffers}(B_a \cdot C) = \{\mathit{buffer}_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\}\}. \quad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\mathit{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{\mathit{total}}|\}. \quad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state $s_0$:

$$\mathit{trace}(M_1) = \{\mathit{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M,\ m \in \sigma_i\}, \quad (5)$$

where the function $\mathit{sort}(\sigma_i)$ sorts the messages on the path by their execution order.

For a message $m_{1 \to 2} \in M$, function $\mathit{action}(m_{1 \to 2}) = m$ denotes the message and function $\mathit{type}(m_{1 \to 2})$ denotes the message type.

Let $m$, $n$, and $p$ be separately the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is $(m \ast n \ast p)$.

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP process is shown below:

// The buffers
channel buffer12 2;
channel buffer13 2;
channel buffer21 2;
channel buffer23 2;
channel buffer31 2;
channel buffer32 2;
// The messages
var a = 1;
var b = 2;
var c = 3;
var d = 4;
// The process of each participating microservice
PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
PMS3() = buffer13?2 -> buffer32!c -> Skip;
// The process of an asynchronous interaction behavior of a microservice system
System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP process of a synchronous behavior can be generated by using Algorithm 1 except setting the size of bufferij to be 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP process of a microservice system using Algorithm 1, we can generate the state space of the CSP process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

system |= ("init" -> <>("terminate")) && F, (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

#define bufij (call(cempty, bufferij) == true);
system() |= ("init" -> <>("terminate" && bufij)) && F, (7)

where cempty is a channel operation, which is a Boolean function to test whether the asynchronous channel is empty or not, and bufferij is the channel specific to the pair $(MS_i, MS_j)$, which denotes the buffer of a microservice $MS_j$.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows:

#define buf12 (call(cempty, buffer12) == true);
#define buf13 (call(cempty, buffer13) == true);
#define buf21 (call(cempty, buffer21) == true);
#define buf23 (call(cempty, buffer23) == true);
#define buf31 (call(cempty, buffer31) == true);
#define buf32 (call(cempty, buffer32) == true);
#assert System() |= []("init" -> <>("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP process. Second, once the CSP process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.
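The following added Python example (not code from the paper or from PAT) builds the k-bounded peer-to-peer behavior of Definition 5 by explicit state exploration and checks Definition 8 by backward reachability from the final states. The three-microservice model and all function names are assumptions of this example; the model is transcribed from the CSP processes of Example 1, and k is assumed to be at least 1.

```python
from collections import deque

# Constructed model (an assumption of this example): the three microservices of
# Figure 1, transcribed from the CSP processes PMS1, PMS2 and PMS3 of Example 1.
# A transition is (state, kind, message, src, dst, next_state);
# kind "!" is a send, kind "?" is a receive.
SYSTEM = {
    1: {"init": 0, "final": {3}, "delta": [
        (0, "!", "a", 1, 2, 1), (1, "!", "a", 1, 2, 2), (2, "!", "b", 1, 3, 3)]},
    2: {"init": 0, "final": {3, 5}, "delta": [
        (0, "?", "a", 1, 2, 1), (1, "?", "a", 1, 2, 2), (2, "?", "c", 3, 2, 3),
        (0, "?", "c", 3, 2, 4), (4, "!", "d", 2, 1, 5)]},
    3: {"init": 0, "final": {2}, "delta": [
        (0, "?", "b", 1, 3, 1), (1, "!", "c", 3, 2, 2)]},
}


def channels_of(system):
    """One FIFO buffer per (sender, receiver) pair: peer-to-peer semantics."""
    return sorted({(t[3], t[4]) for ms in system.values() for t in ms["delta"]})


def successors(system, channels, state, k):
    """Yield (label, next_state) for every enabled send or receive."""
    locs, bufs = state
    for pos, ms in enumerate(sorted(system)):
        for s, kind, msg, src, dst, nxt in system[ms]["delta"]:
            if s != locs[pos]:
                continue
            ch = channels.index((src, dst))
            queue = bufs[ch]
            if kind == "!":
                if len(queue) >= k:          # Definition 5: send blocks on a full buffer
                    continue
                new_queue = queue + (msg,)   # the message is appended at the tail
            else:
                if not queue or queue[0] != msg:   # receive needs msg at the head
                    continue
                new_queue = queue[1:]
            yield (f"{kind}{msg}{src}->{dst}",
                   (locs[:pos] + (nxt,) + locs[pos + 1:],
                    bufs[:ch] + (new_queue,) + bufs[ch + 1:]))


def explore(system, k):
    """Breadth-first construction of the reachable part of the k-bounded behavior."""
    channels = channels_of(system)
    init = (tuple(system[i]["init"] for i in sorted(system)),
            tuple(() for _ in channels))
    graph, todo = {init: []}, deque([init])
    while todo:
        state = todo.popleft()
        for label, nxt in successors(system, channels, state, k):
            graph[state].append((label, nxt))
            if nxt not in graph:
                graph[nxt] = []
                todo.append(nxt)
    return graph


def is_final(system, state):
    """Final: every microservice is in a local final state and every buffer is empty."""
    locs, bufs = state
    return (all(loc in system[i]["final"] for i, loc in zip(sorted(system), locs))
            and not any(bufs))


def unsound_states(system, k):
    """Reachable states from which no final state is reachable (Definition 8)."""
    graph = explore(system, k)
    preds = {s: set() for s in graph}
    for s, outs in graph.items():
        for _, t in outs:
            preds[t].add(s)
    good = {s for s in graph if is_final(system, s)}
    todo = deque(good)
    while todo:                      # backward reachability from the final states
        for p in preds[todo.popleft()]:
            if p not in good:
                good.add(p)
                todo.append(p)
    return graph, sorted(s for s in graph if s not in good)


if __name__ == "__main__":
    for k in (1, 2, 3):
        graph, bad = unsound_states(SYSTEM, k)
        print(f"k={k}: {len(graph)} states,",
              "interaction sound" if not bad else f"unsound, e.g. {bad[-1]}")
```

For this constructed model, the exploration with k = 2 or k = 3 yields 18 states, and the state holding d in buffer21 and two a in buffer12 cannot reach a final state; with k = 1 it yields 12 states and no fault.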

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with 2.50 GHz Processor and 8 GB of RAM, running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system ($B_s$), the verification result under synchronous communication (IRa) (“−” denotes that the system is not interaction sound, and “+” denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size $k$ ($B_a^k$), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

Input: a microservice system Ba = (C, c0, F, M, Δ)
Output: a CSP process
{buffer12, ..., buffer(n−1)n} = gen_buffers(Ba·C)
set buffer12, ..., buffer(n−1)n’s size
gen_message_variable(Ba·M)
for MSi ∈ (MS1, MS2, ..., MSn) do
    {σ1, ..., σn} = trace(MSi)
    for σj ∈ (σ1, ..., σn) do
        z = 1
        while (m = getHead(σj)) ≠ null
            if type(m) = "!"
                Pz() = buffer_src(m)_dst(m)!action(m) -> Pz+1()
            else
                Pz() = buffer_src(m)_dst(m)?[xz == action(m)]action(m) -> Pz+1()
            end if
            z = z + 1
        end while
        PMSi() = P1()
    end for
end for
System() = PMS1() ||| PMS2() ||| ... ||| PMSn()

ALGORITHM 1: Encoding an asynchronous interaction behavior.

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., once the size of the LTS of the asynchronous interaction behavior remains unchanged for a buffer bound, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property on the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size $k$ ($k > 1$) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. “Too large” means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called “interaction soundness,” which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness under the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases. For each behavior ($B_s$, $B_a^1$, $B_a^2$, $B_a^3$), the columns give the LTS size LTS(|T|, |S|) and the verification result (IRa for $B_s$, IRs for $B_a^k$).

Id          Description        |MSs|  |Ms|  Bs: LTS    IRa  B1a: LTS    IRs  B2a: LTS    IRs  B3a: LTS    IRs
Ca-01 [33]  Booking system     4      7     (10, 11)   −    (23, 29)    −    (24, 31)    −    (24, 31)    −
Ca-02 [34]  Train station      4      8     (11, 13)   +    (44, 76)    −    (64, 122)   −    (84, 168)   −
Ca-03 [32]  Protocol           3      3     (7, 14)    +    (26, 62)    −    (35, 91)    −    (44, 120)   −
Ca-04 [35]  Online shopping    3      6     (7, 7)     +    (13, 13)    +    (13, 13)    +    (13, 13)    +
Ca-05 [36]  Cloud application  4      5     (6, 10)    −    (96, 240)   −    Too large   −    Too large   −
Ca-06 [37]  Figure 2           3      3     (3, 3)     +    (10, 14)    −    (15, 24)    −    (20, 34)    −
Ca-07 [38]  Figure 1           4      5     (11, 14)   +    (28, 43)    +    (28, 43)    +    (28, 43)    +
Ca-08 [15]  Composition 2      2      5     (5, 6)     +    (10, 11)    +    (10, 11)    +    (10, 11)    +
Ca-09 [39]  Figure 8           3      3     (7, 6)     −    (16, 20)    −    (16, 20)    −    (16, 20)    −
Ca-10 [14]  Figure 1           3      4     (6, 5)     +    (13, 15)    +    (20, 26)    −    (20, 26)    −

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., “A computation offloading method over big data for IoT-enabled cloud-edge computing,” Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, “A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems,” World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., “An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles,” Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, “BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing,” IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, “Joint optimization of offloading utility and privacy for edge computing enabled IoT,” IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, “A blockchain-based computation offloading method for edge computing in 5G networks,” Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, “Gremlin: systematic resilience testing of microservices,” in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, “Microservices architecture enables DevOps: migration to a cloud-native architecture,” IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., “Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study,” IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems with parallel optimization,” IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, “Application delivery service challenges in microservices-based applications,” 2016, http://www.thefabricnet.com/application-delivery-service-challenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, “Synchronizability of communicating finite state machines is not decidable,” in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, “Synchronizability of conversations among web services,” IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., “Poster: benchmarking microservice systems for software engineering research,” in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE’18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, “Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies,” in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, “An architecture to automate performance tests on microservices,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, “Modelling and managing deployment costs of microservice-based cloud applications,” in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, “Workload-based clustering of coherent feature sets in microservice architectures,” in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, “Publishing linked data through semantic microservices composition,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, “A software architecture recovery tool for maintaining microservice-based systems,” in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, “Microservices and their design tradeoffs: a self-adaptive roadmap,” in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, “Choreography conformance via synchronizability,” in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, “Synchronizability for verification of asynchronously communicating systems,” in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, “On deciding synchronizability for asynchronously communicating systems,” Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, “Model checking CSP revisited: introducing a process analysis toolkit,” in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, “Communicating sequential processes,” International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, “Deciding choreography realizability,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, “Conversation protocols: a formalism for specification and verification of reactive electronic services,” Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, “Checking the realizability of BPMN 2.0 choreographies,” in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, “Realizability of choreographies using process algebra encodings,” IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, “Modeling interactions of web software,” in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, “Counterexample guided synthesis of monitors for realizability enforcement,” Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, “Compatibility checking for asynchronously communicating software,” Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, “Local enforceability in interaction petri nets,” in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, “A tool for choreography analysis using collaboration diagrams,” in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, “Automatic verification of interactions in asynchronous systems with unbounded buffers,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE’14, pp. 743–754, Västerås, Sweden, September 2014.

12 Complexity

Page 4: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

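[send action]

(b) $c \xrightarrow{m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
(i) $\mathrm{src}(m) = i \wedge \mathrm{dst}(m) = j$
(ii) $s_j \xrightarrow{m^{i \to j}} s_j' \in \delta_j$
(iii) $\forall k \in \{1, 2, \ldots, n\}$: $k \neq j \Rightarrow s_k' = s_k$
(iv) $\forall k \in \{1, 2, \ldots, n\} \wedge k = i \Rightarrow \mathit{buffer}_{kj}' = m\,\mathit{buffer}_{kj}$
(v) $\forall k, l \in \{1, 2, \ldots, n\}$: $k \neq i \wedge l \neq j \wedge k \neq l \Rightarrow \mathit{buffer}_{kl}' = \mathit{buffer}_{kl}$
[receive action]

(c) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
(i) $s_i \xrightarrow{\varepsilon} s_i' \in \delta_i$
(ii) $\forall k \in \{1, 2, \ldots, n\}$: $k \neq i \Rightarrow s_k' = s_k$
(iii) $\forall k \in \{1, 2, \ldots, n\}$: $Q_k' = Q_k$
[internal action]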

According to Definition 4, microservices with unbounded buffers participating in a microservice system can interact with each other under the peer-to-peer semantics. The states (C) of a composite service consisting of n microservices are described by each microservice’s local state and its respective buffers. Each microservice has n − 1 unbounded buffers. When MS1 sends a message m to MS2, the message will be inserted to the tail of the buffer12, which is specific to the pair (MS1, MS2), and then MS2 can consume this message from the head of its buffer12. The send action (item 4a) is nonblocking and involves a sender, a receiver, and receiver’s buffer. After the sender MSi sends a message m to the receiver MSj, the state of the sender is changed (4a-ii), the message will be inserted to the tail of the bufferij, which is specific to the pair (MSi, MSj) (4a-iv), and the other buffers do not change (4a-v). The receive message action (item 4b) is blocking and local, which involves only a receiver. After the receive message action is executed, the state of the message receiver is changed (4b-ii), the message at the head of the buffer of the receiver is consumed (4b-ii), and the other buffers do not change (4b-v). The epsilon-labeled transition (item 4c) is an internal action and can simply change the local state of a microservice.

Moreover, if we set $Q_i = (\mathit{buffer}_i)$ and keep others unchanged in Definition 4, the semantics of asynchronous communication is changed to the mailbox communication. Therefore, the mailbox communication is a special case of the peer-to-peer communication.

The interaction behavior of a microservice system depends on not only the order in which send actions are executed but also the size of each microservice’s buffers [31].

Figure 1: The formal model of complex interactions in microservice systems under the peer-to-peer communication (microservices MS1, MS2, and MS3 connected by the buffers Buffer12, Buffer13, Buffer21, Buffer23, Buffer31, and Buffer32).

Figure 2: The mailbox communication (microservices MS1, MS2, and MS3 with the buffers Buffer1, Buffer2, and Buffer3).

When buffers are unbounded, interaction behavior may be infinite.

We define the asynchronous interaction behavior of microservice systems with bounded buffers in the following, where each participating microservice has buffers of size k.

Definition 5 (asynchronous interaction behavior of a microservice system with buffers of size k). The asynchronous interaction behavior of a microservice system with buffers of size k is denoted by a labeled transition system $B_a^k = (C, c_0, F, M, \Delta)$ and described by augmenting condition (a) in Definition 4 to include the condition $Q_j = (q_1, \ldots, q_{j-1}, q_{j+1}, \ldots, q_n)$, $|q_j| < k$, where $|q_i|$ denotes the length of the buffers for microservice MSi.

In a microservice system with buffers of size k, the send actions are blocked if the receiver’s buffer contains k messages. Therefore, the interaction behavior of a microservice system with buffers of size k is finite.

Figure 3(a) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the peer-to-peer communication. The initial state is denoted by c0 = (([], []), s01, ([], []), s02, ([], []), s03) (i.e., each microservice is in its initial state and all the buffers are empty). After MS1 sends the message a to the buffer12 of MS2, the system evolves from c0 to c1, and the buffer12 contains a. Then MS2 consumes the “matching” message a at the head of its buffer12, the system evolves from c1 to c3, and the message a is removed from the buffer12.

Figure 3(b) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the mailbox communication. The initial state is c0 = (([], []), s01, ([], []), s02, ([], []), s03), and the final state is c10.

4.2. Synchronous Interaction Behaviors of Microservice Systems. In synchronous communication, every send action is executed followed by a receive action, i.e., the microservices interact synchronously. It seems that each microservice of a microservice system has buffers of size 0.

Definition 6 (synchronous behavior of a microservices system). A synchronous behavior of a microservices system over a set of microservices (MS1, MS2, …, MSn), where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, \mathrm{src}_i, \mathrm{dst}_i)$, is denoted by a labeled transition system $B_s = (C, c_0, F, M, \Delta)$, where

(i) $C \subseteq S_1 \times S_2 \times \cdots \times S_n$ is the set of states
(ii) $c_0 \in C$ is the initial state
(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F$: $(f_1, f_2, \ldots, f_n)$, where $f_i \in MS_i \cdot F_i$
(iv) $M = \cup_i M_i$ is the set of messages
(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$; for $c = (s_1, s_2, \ldots, s_n)$ and $c' = (s_1', s_2', \ldots, s_n')$:

(a) $c \xrightarrow{m^{i \to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$:
(i) $\mathrm{src}(m) = i \wedge \mathrm{dst}(m) = j$
(ii) $s_i \xrightarrow{m^{i \to j}} s_i' \in \delta_i$
(iii) $s_j \xrightarrow{m^{i \to j}} s_j' \in \delta_j$
(iv) $\forall k \in \{1, 2, \ldots, n\}$: $k \neq i \wedge k \neq j \Rightarrow s_k' = s_k$
[synchronous send-receive action]

(b) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$:
(i) $s_i \xrightarrow{\varepsilon} s_i' \in \delta_i$
(ii) $\forall k \in \{1, 2, \ldots, n\}$: $k \neq i \Rightarrow s_k' = s_k$
[internal action]

Figure 4 illustrates the synchronous behavior of a microservice system shown in Figure 1. The behavior of the system has transitions $a^{1 \to 2}$ followed by $a^{1 \to 2}$, followed by $b^{1 \to 2}$, and followed by $c^{3 \to 2}$.

5. Interaction Soundness-Based Verification

Given a microservice system, one crucial problem is to check whether the interaction behavior is correct. In this paper, we check whether the interaction behavior of a microservice system satisfies a minimal requirement for correctness using model-checking techniques. The whole process includes the following three steps:

(1) We introduce a notion of correctness called ‘interaction soundness’, which is considered as a minimal requirement for microservice systems.

(2) We present an encoding of the interaction behavior into the CSP process.

(3) We translate the property interaction soundness into LTL formulas such that we can verify this property using model-checking techniques under the support by the PAT verifier.

5.1. Interaction Soundness. Let us further analyze the asynchronous interaction behavior of a microservice system with buffers of size 2 shown in Figure 3(a). When the execution of the microservice system is along the sequence of send and receive actions circled by a red dashed line, the terminating state is c17, which denotes that each participating microservice reaches its corresponding final state, but the message queue buffer12 of MS1 and the message queue buffer21 of MS2 are not empty. In other words, there is an interaction fault which causes messages $a^{1 \to 2}$ and $d^{1 \to 2}$ not to be consumed correctly.

In Figure 5, we take a snapshot of the system in c17. There are two messages $a^{1 \to 2}$ in buffer12 of MS1 and one message $d^{1 \to 2}$ in buffer21 of MS2.

Based on the above analysis, we use the interaction correctness criterion as a minimal requirement any microservice system should satisfy. In particular, the requirement is described as follows.

For any case, the microservice system will terminate eventually, and the moment the system terminates, the terminating state is the final state.

Definition 7 (interaction soundness under synchronous communication). A microservice system $B_s = (M, C, F, c_0, \Delta)$ is interaction sound under synchronous communication if and only if the following condition is satisfied.

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m^{i \to j}} c_1 \xrightarrow{m^{k \to l}} \cdots \xrightarrow{m^{o \to p}} c\right) \Rightarrow \left(c \xrightarrow{m_{n+1}^{i \to j}} c_{n+1} \xrightarrow{m_{n+1}^{i \to j}} \cdots \xrightarrow{m_{0}^{o \to p}} c_x\right) \wedge c_x \in F \quad (1)$$

Figure 3(a), configurations:
c0 = (([][]) s01 ([][]) s02 ([][]) s03)
c1 = (([][]) s11 ([a][]) s02 ([][]) s03)
c2 = (([][]) s21 ([a a][]) s02 ([][]) s03)
c3 = (([][]) s11 ([][]) s12 ([][]) s03)
c4 = (([][]) s21 ([a][]) s12 ([][]) s03)
c5 = (([][]) s31 ([a][]) s12 ([b][]) s03)
c6 = (([][]) s21 ([][]) s22 ([][]) s03)
c7 = (([][]) s31 ([][]) s22 ([b][]) s03)
c8 = (([][]) s31 ([][]) s22 ([][]) s13)
c9 = (([][]) s31 ([][c]) s22 ([][]) s23)
c10 = (([][]) s31 ([][]) s32 ([][]) s23)
c11 = (([][]) s31 ([a][]) s12 ([][]) s13)
c12 = (([][]) s31 ([a] [c]) s12 ([][]) s23)
c13 = (([][]) s31 ([a a][]) s02 ([b][]) s03)
c14 = (([][]) s31 ([a a][]) s02 ([][]) s13)
c15 = (([][]) s31 ([a a][c]) s02 ([][]) s23)
c16 = (([][]) s31 ([a a][]) s42 ([][]) s23)
c17 = (([d][]) s31 ([a a][]) s52 ([][]) s23)

Figure 3(b), configurations:
c0 = (([]) s01 ([]) s02 ([]) s03)
c1 = (([]) s11 ([a]) s02 ([]) s03)
c2 = (([]) s21 ([a]) s02 ([]) s03)
c3 = (([]) s11 ([]) s12 ([]) s03)
c4 = (([]) s21 ([]) s12 ([]) s03)
c5 = (([]) s31 ([a]) s12 ([]) s03)
c6 = (([]) s21 ([]) s12 ([]) s03)
c7 = (([]) s31 ([]) s22 ([b]) s03)
c8 = (([]) s31 ([]) s22 ([]) s13)
c9 = (([]) s31 ([]) s22 ([]) s23)
c10 = (([]) s31 ([]) s32 ([]) s23)
c11 = (([]) s31 ([a]) s12 ([]) s13)
c12 = (([]) s31 ([a c]) s12 ([]) s23)
c13 = (([]) s31 ([a a]) s02 ([b]) s03)
c14 = (([]) s31 ([a a]) s02 ([]) s13)

Figure 3: The asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1. (a) The peer-to-peer communication. (b) The mailbox communication.

Figure 4: The synchronous interaction behavior of the microservice system shown in Figure 1 (states c0, c1, c2, c3, and c4 connected by the transitions $a^{1 \to 2}$, $a^{1 \to 2}$, $b^{1 \to 3}$, and $c^{3 \to 2}$).

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ is interaction sound under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied.

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m_1^{i \to j}} c_1 \xrightarrow{m_2^{k \to l}} \cdots \xrightarrow{m_n^{o \to p}} c\right) \Rightarrow \left(c \xrightarrow{m_{n+1}^{i \to j}} c_{n+1} \xrightarrow{m_{n+2}^{k \to l}} \cdots \xrightarrow{m_{0}^{o \to p}} c_x\right) \wedge c_x \in F \quad (2)$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of local states of the participating microservices, while the states of the latter are described in terms of local states of the participating microservices and their respective buffers.

5.2. CSP Encoding for the Behaviors of Microservice Systems. We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP process. Then, we discuss how to encode a synchronous interaction behavior.

The CSP process encoding an asynchronous interaction behavior of a microservice system mainly includes the following three steps:

(1) Encode all the transitions in each microservice as events in CSP. For example, the send-transition (s1, $m^{1 \to 2}$, s2) is encoded as an event m, and the receive-transition (s1, $m^{1 \to 2}$, s2) is encoded as an event m.

(2) Encode the order in which the adjacent transitions are executed as prefix or external choice in CSP. For example, the order in which the microservice MS1 executes transitions in Figure 1 is $a^{1 \to 2}$ followed by $a^{1 \to 2}$ and $b^{1 \to 2}$, which can be encoded as a -> a -> b -> Skip without considering buffers.

(3) Encode peer-to-peer asynchronous communication. In CSP, the channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process bufferij!m ⟶ P to denote that the sender MSi sends the message m to the bufferij of the receiver MSj. Conversely, we use the process bufferij?[x == m]m ⟶ P to denote that the receiver MSj consumes the message m from its bufferij, where the expression [x == m] is used to check whether the top element in the bufferij is the matching message m.

Figure 5: A snapshot of a microservice system in c17.

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices MS1, MS2, …, MSn, we generate the CSP process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\mathrm{gen\_buffers}(B_a \cdot C) = \{\mathit{buffer}_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\}\} \quad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\mathrm{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{total}|\} \quad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state s0:

$$\mathrm{trace}(M_1) = \{\mathrm{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M, m \in \sigma_i\} \quad (5)$$

where the function sort(σi) sorts the messages on the path by their execution order.

For a message $m^{1 \to 2} \in M$, function action($m^{1 \to 2}$) = m denotes the message, and function type($m^{1 \to 2}$) denotes the message type.

Let m, n, and p be separately the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is (m ∗ n ∗ p).

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP process is shown below.

// The buffers
channel buffer12 2;
channel buffer13 2;
channel buffer21 2;
channel buffer23 2;
channel buffer31 2;
channel buffer32 2;
// The messages
var a = 1;
var b = 2;
var c = 3;
var d = 4;
// The process of each participating microservice
PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
PMS3() = buffer13?2 -> buffer32!c -> Skip;
// The process of an asynchronous interaction behavior of a microservice system
System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP process of a synchronous behavior can be generated by using Algorithm 1, except setting the size of bufferij to be 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP process of a microservice system using Algorithm 1, we can generate the state space of the CSP process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

#define bufij call(cempty, bufferij) == true
system() |= ("init" -> <>("terminate" && bufij)) && F    (7)

where cempty is a channel operation, which is a Boolean function to test whether the asynchronous channel is empty or not, and bufferij is the channel specific to the pair (MSi, MSj), which denotes the buffer of a microservice MSj.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows:

#define buf12 call(cempty, buffer12) == true;
#define buf13 call(cempty, buffer13) == true;
#define buf21 call(cempty, buffer21) == true;
#define buf23 call(cempty, buffer23) == true;
#define buf31 call(cempty, buffer31) == true;
#define buf32 call(cempty, buffer32) == true;
#assert System() |= [] ("init" -> <> ("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP process. Second, once the CSP process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.
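The check described in Sections 4 and 5 can also be reproduced without PAT. The following is an added example, not code from the paper: it enumerates the reachable configurations under rendezvous (Definition 6) or k-bounded peer-to-peer buffers (Definition 5) and reports the configurations that can no longer reach a state where every service is final and every buffer is empty (Definitions 7 and 8 with the empty-buffer requirement of Section 5.1). The SYSTEM table is a constructed model read off Example 1 and the state names of Figure 3(a); the function names, the "!"/"?" markers, and the sets of final states are assumptions of this example.

```python
from collections import deque
from itertools import permutations

# Constructed model of the page's three-service running example, read off the
# process definitions in Example 1 (state names follow Figure 3(a); the sets of
# final states are an assumption). A transition is (kind, msg, peer, next):
# "!" sends msg to peer, "?" receives msg from peer.
SYSTEM = {
    1: {"init": "s01", "final": {"s31"}, "delta": {
        "s01": [("!", "a", 2, "s11")],
        "s11": [("!", "a", 2, "s21")],
        "s21": [("!", "b", 3, "s31")]}},
    2: {"init": "s02", "final": {"s32", "s52"}, "delta": {
        "s02": [("?", "a", 1, "s12"), ("?", "c", 3, "s42")],
        "s12": [("?", "a", 1, "s22")],
        "s22": [("?", "c", 3, "s32")],
        "s42": [("!", "d", 1, "s52")]}},
    3: {"init": "s03", "final": {"s23"}, "delta": {
        "s03": [("?", "b", 1, "s13")],
        "s13": [("!", "c", 2, "s23")]}},
}


def successors(system, ids, pairs, conf, k):
    """Yield the configurations reachable from conf in one step.

    k >= 1: peer-to-peer buffers of size k; k == 0: synchronous rendezvous.
    """
    locs, bufs = conf
    for pos, i in enumerate(ids):
        for kind, msg, peer, nxt in system[i]["delta"].get(locs[pos], []):
            moved = locs[:pos] + (nxt,) + locs[pos + 1:]
            if kind == "!" and k == 0:
                # Synchronous: the receiver takes the matching receive in the same step.
                ppos = ids.index(peer)
                for rkind, rmsg, rpeer, rnxt in system[peer]["delta"].get(locs[ppos], []):
                    if (rkind, rmsg, rpeer) == ("?", msg, i):
                        yield moved[:ppos] + (rnxt,) + moved[ppos + 1:], bufs
            elif kind == "!":
                b = pairs.index((i, peer))
                if len(bufs[b]) < k:  # a send blocks once buffer_ij holds k messages
                    yield moved, bufs[:b] + (bufs[b] + (msg,),) + bufs[b + 1:]
            elif k > 0:
                b = pairs.index((peer, i))
                if bufs[b][:1] == (msg,):  # only the message at the head can be consumed
                    yield moved, bufs[:b] + (bufs[b][1:],) + bufs[b + 1:]


def explore(system, k):
    """Breadth-first construction of the reachable transition graph."""
    ids = sorted(system)
    pairs = list(permutations(ids, 2))  # one buffer per ordered (sender, receiver) pair
    c0 = (tuple(system[i]["init"] for i in ids), tuple(() for _ in pairs))
    graph, todo = {c0: set()}, deque([c0])
    while todo:
        conf = todo.popleft()
        for nxt in successors(system, ids, pairs, conf, k):
            graph[conf].add(nxt)
            if nxt not in graph:
                graph[nxt] = set()
                todo.append(nxt)
    return ids, graph


def soundness_faults(system, k):
    """Return (number of reachable configurations, sorted list of configurations
    that cannot reach a state with every service final and every buffer empty)."""
    ids, graph = explore(system, k)
    preds = {c: set() for c in graph}
    for c, outs in graph.items():
        for n in outs:
            preds[n].add(c)
    good = {c for c in graph
            if all(l in system[i]["final"] for i, l in zip(ids, c[0])) and not any(c[1])}
    todo = deque(good)
    while todo:  # backward reachability from the accepting configurations
        for p in preds[todo.popleft()]:
            if p not in good:
                good.add(p)
                todo.append(p)
    return len(graph), sorted(c for c in graph if c not in good)


if __name__ == "__main__":
    for k in (0, 1, 2, 3):
        size, faults = soundness_faults(SYSTEM, k)
        print(f"k={k}: {size} configurations, {len(faults)} unsound")
        for locs, bufs in faults:
            print("   stuck:", locs, [b for b in bufs if b])
```

For this model the check finds no fault under rendezvous or with buffers of size 1, and two stuck configurations (MS2 in s42 and in s52) once the buffers hold 2 or more messages, which agrees with the not valid verdict reported above.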

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with 2.50 GHz Processor and 8 GB of RAM, running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system ($B_s$), the verification result under synchronous communication (IRa) (“−” denotes that the system is not interaction sound, and “+” denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k ($B_a^k$), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., once the size of the LTS of the asynchronous interaction behavior remains unchanged for a buffer bound, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property on the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. “Too large” means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

Algorithm 1: Encoding an asynchronous interaction behavior.

Input: a microservice system Ba = (C, c0, F, M, Δ)
Output: a CSP process
buffer12, …, buffer(n−1)n = gen_buffers(Ba·C)
set buffer12, …, buffer(n−1)n’s size
gen_message_variable(Ba·M)
for MSi ∈ (MS1, MS2, …, MSn) do
    σ1, …, σn = trace(MSi)
    for σj ∈ (σ1, …, σn) do
        z = 1
        while (m = getHead(σj)) ≠ null do
            if type(m) = "!" then
                Pz() = buffer_src(m)_dst(m)!action(m) ⟶ Pz+1()
            else
                Pz() = buffer_src(m)_dst(m)?[xz == action(m)]action(m) ⟶ Pz+1()
            end if
            z = z + 1
        end while
        PMSi() = P1()
    end for
end for
System() = PMS1() ||| PMS2() ||| … ||| PMSn()

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called “interaction soundness,” which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness under the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer, which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases.

| Id | Description | Number \|MSs\| | Number \|Ms\| | $B_s$ LTS(\|T\|, \|S\|) | $B_s$ IRa | $B_a^1$ LTS(\|T\|, \|S\|) | $B_a^1$ IRs | $B_a^2$ LTS(\|T\|, \|S\|) | $B_a^2$ IRs | $B_a^3$ LTS(\|T\|, \|S\|) | $B_a^3$ IRs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Ca-01 [33] | Booking system | 4 | 7 | (10, 11) | − | (23, 29) | − | (24, 31) | − | (24, 31) | − |
| Ca-02 [34] | Train station | 4 | 8 | (11, 13) | + | (44, 76) | − | (64, 122) | − | (84, 168) | − |
| Ca-03 [32] | Protocol | 3 | 3 | (7, 14) | + | (26, 62) | − | (35, 91) | − | (44, 120) | − |
| Ca-04 [35] | Online shopping | 3 | 6 | (7, 7) | + | (13, 13) | + | (13, 13) | + | (13, 13) | + |
| Ca-05 [36] | Cloud application | 4 | 5 | (6, 10) | − | (96, 240) | − | Too large | − | Too large | − |
| Ca-06 [37] | Figure 2 | 3 | 3 | (3, 3) | + | (10, 14) | − | (15, 24) | − | (20, 34) | − |
| Ca-07 [38] | Figure 1 | 4 | 5 | (11, 14) | + | (28, 43) | + | (28, 43) | + | (28, 43) | + |
| Ca-08 [15] | Composition 2 | 2 | 5 | (5, 6) | + | (10, 11) | + | (10, 11) | + | (10, 11) | + |
| Ca-09 [39] | Figure 8 | 3 | 3 | (7, 6) | − | (16, 20) | − | (16, 20) | − | (16, 20) | − |
| Ca-10 [14] | Figure 1 | 3 | 4 | (6, 5) | + | (13, 15) | + | (20, 26) | − | (20, 26) | − |

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., “A computation offloading method over big data for IoT-enabled cloud-edge computing,” Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, “A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems,” World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., “An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles,” Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, “BeCome blockchain-enabled computation offloading for IoT in mobile edge computing,” IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, “Joint optimization of offloading utility and privacy for edge computing enabled IoT,” IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, “A blockchain-based computation offloading method for edge computing in 5G networks,” Software Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, “Gremlin systematic resilience testing of microservices,” in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, “Microservices a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, “Microservices architecture enables DevOps migration to a cloud-native architecture,” IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., “Fault analysis and debugging of microservice systems industrial survey benchmark system and empirical study,” IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems with parallel optimization,” IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, “Microservices a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, “Application delivery service challenges in microservices-based applications,” 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, “Synchronizability of communicating finite state machines is not decidable,” in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, “Synchronizability of conversations among web services,” IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., “Poster benchmarking microservice systems for software engineering research,” in Proceedings of the International Conference on Software Engineering Companion Proceedings (ICSE’18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, “Bifrost supporting continuous deployment with automated enactment of multi-phase live testing strategies,” in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, “An architecture to automate performance tests on microservices,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, “Modelling and managing deployment costs of microservice-based cloud applications,” in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, “Workload-based clustering of coherent feature sets in microservice architectures,” in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, “Publishing linked data through semantic microservices composition,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, “A software architecture recovery tool for maintaining microservice-based systems,” in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, “Microservices and their design tradeoffs a self-adaptive roadmap,” in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, “Choreography conformance via synchronizability,” in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, “Synchronizability for verification of asynchronously communicating systems,” in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, “On deciding synchronizability for asynchronously communicating systems,” Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, “Model checking CSP revisited introducing a process analysis toolkit,” in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, “Communicating sequential processes,” International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, “Deciding choreography realizability,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, “Conversation protocols a formalism for specification and verification of reactive electronic services,” Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, “Checking the realizability of BPMN 2.0 choreographies,” in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, “Realizability of choreographies using process algebra encodings,” IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, “Modeling interactions of web software,” in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, “Counterexample guided synthesis of monitors for realizability enforcement,” Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, “Compatibility checking for asynchronously communicating software,” Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, “Local enforceability in interaction petri nets,” in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, “A tool for choreography analysis using collaboration diagrams,” in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, “Automatic verification of interactions in asynchronous systems with unbounded buffers,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE’14, pp. 743–754, Västerås, Sweden, September 2014.

Page 5: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

When buffers are unbounded, the interaction behavior may be infinite.

We define the asynchronous interaction behavior of microservice systems with bounded buffers in the following, where each participating microservice has buffers of size k.

Definition 5 (asynchronous interaction behavior of a microservice system with buffers of size k). The asynchronous interaction behavior of a microservice system with buffers of size k is denoted by a labeled transition system $B_a^k = (C, c_0, F, M, \Delta)$ and described by augmenting condition (a) in Definition 4 to include the condition $Q_j = (q_1, \ldots, q_{j-1}, q_{j+1}, \ldots, q_n)$, $|q_j| < k$, where $|q_i|$ denotes the length of the buffers for microservice $MS_i$.

In a microservice system with buffers of size k, the send actions are blocked if the receiver’s buffer contains k messages. Therefore, the interaction behavior of a microservice system with buffers of size k is finite.

Figure 3(a) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the peer-to-peer communication. The initial state is denoted by c0 = (([] []) s01 ([] []) s02 ([] []) s03) (i.e., each microservice is in its initial state and all the buffers are empty). After MS1 sends the message a to the buffer12 of MS2, the system evolves from c0 to c1 and the buffer12 contains a. Then, MS2 consumes the “matching” message a at the head of its buffer12, the system evolves from c1 to c3, and the message a is removed from the buffer12.

Figure 3(b) illustrates the asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 under the mailbox communication. The initial state is c0 = (([] []) s01 ([] []) s02 ([] []) s03), and the final state is c10.

4.2. Synchronous Interaction Behaviors of Microservice Systems. In synchronous communication, every send action is executed followed by a receive action, i.e., the microservices interact synchronously. It seems that each microservice of a microservice system has buffers of size 0.

Definition 6 (synchronous behavior of a microservices system). A synchronous behavior of a microservices system over a set of microservices $(MS_1, MS_2, \ldots, MS_n)$, where $MS_i = (S_i, s_{0i}, F_i, M_i, \delta_i)$ and $M_i = (\Sigma_i, p_i, src_i, dst_i)$, is denoted by a labeled transition system $B_s = (C, c_0, F, M, \Delta)$, where

(i) $C \subseteq S_1 \times S_2 \times \cdots \times S_n$ is the set of states

(ii) $c_0 \in C$ is the initial state

(iii) $F \subseteq C$ is the set of final states such that $\forall f \in F$, $f = (f_1, f_2, \ldots, f_n)$, where $f_i \in MS_i \cdot F_i$

(iv) $M = \cup_i M_i$ is the set of messages

(v) $\Delta \subseteq C \times (M \cup \{\varepsilon\}) \times C$, for $c = (s_1, s_2, \ldots, s_n)$ and $c' = (s_1', s_2', \ldots, s_n')$:

(a) $c \xrightarrow{m^{i\to j}} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\} \wedge m \in M$ such that
(i) $src(m) = i \wedge dst(m) = j$
(ii) $s_i \xrightarrow{!m^{i\to j}} s_i' \in \delta_i$
(iii) $s_j \xrightarrow{?m^{i\to j}} s_j' \in \delta_j$
(iv) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \wedge k \neq j \Longrightarrow s_k' = s_k$
[synchronous send-receive action]

(b) $c \xrightarrow{\varepsilon} c' \in \Delta$ if $\exists i, j \in \{1, 2, \ldots, n\}$ such that
(i) $s_i \xrightarrow{\varepsilon} s_i' \in \delta_i$
(ii) $\forall k \in \{1, 2, \ldots, n\}$, $k \neq i \Longrightarrow s_k' = s_k$
[internal action]

Figure 4 illustrates the synchronous behavior of the microservice system shown in Figure 1. The behavior of the system has transitions $a^{1\to 2}$ followed by $a^{1\to 2}$, followed by $b^{1\to 2}$, and followed by $c^{3\to 2}$.

5. Interaction Soundness-Based Verification

Given a microservice system, one crucial problem is to check whether the interaction behavior is correct. In this paper, we check whether the interaction behavior of a microservice system satisfies a minimal requirement for correctness using model-checking techniques. The whole process includes the following three steps:

(1) We introduce a notion of correctness called ‘interaction soundness’, which is considered as a minimal requirement for microservice systems.

(2) We present an encoding of the interaction behavior into the CSP process.

(3) We translate the property interaction soundness into LTL formulas such that we can verify this property using model-checking techniques with the support of the PAT verifier.

5.1. Interaction Soundness. Let us further analyze the asynchronous interaction behavior of a microservice system with buffers of size 2 shown in Figure 3(a). When the execution of the microservice system is along the sequence of send and receive actions circled by a red dashed line, the terminating state is c17, which denotes that each participating microservice reaches its corresponding final state, but the message queue buffer12 of MS1 and the message queue buffer21 of MS2 are not empty. In other words, there is an interaction fault which causes messages $a^{1\to 2}$ and $d^{1\to 2}$ not to be consumed correctly.

In Figure 5, we take a snapshot of the system in c17. There are two messages $a^{1\to 2}$ in buffer12 of MS1 and one message $d^{1\to 2}$ in buffer21 of MS2.

Based on the above analysis, we use the interaction correctness criterion as a minimal requirement any microservice system should satisfy. In particular, the requirement is described as follows:

For any case, the microservice system will terminate eventually, and the moment the system terminates, the terminating state is the final state.

Definition 7 (interaction soundness under synchronous communication). A microservice system $B_s = (M, C, F, c_0, \Delta)$ is interaction sound under synchronous communication if and only if the following condition is satisfied:

Figure 3: The asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1. (a) The peer-to-peer communication. (b) The mailbox communication.

States of panel (a):
c0 = (([][]) s01 ([][]) s02 ([][]) s03)
c1 = (([][]) s11 ([a][]) s02 ([][]) s03)
c2 = (([][]) s21 ([a a][]) s02 ([][]) s03)
c3 = (([][]) s11 ([][]) s12 ([][]) s03)
c4 = (([][]) s21 ([a][]) s12 ([][]) s03)
c5 = (([][]) s31 ([a][]) s12 ([b][]) s03)
c6 = (([][]) s21 ([][]) s22 ([][]) s03)
c7 = (([][]) s31 ([][]) s22 ([b][]) s03)
c8 = (([][]) s31 ([][]) s22 ([][]) s13)
c9 = (([][]) s31 ([][c]) s22 ([][]) s23)
c10 = (([][]) s31 ([][]) s32 ([][]) s23)
c11 = (([][]) s31 ([a][]) s12 ([][]) s13)
c12 = (([][]) s31 ([a] [c]) s12 ([][]) s23)
c13 = (([][]) s31 ([a a][]) s02 ([b][]) s03)
c14 = (([][]) s31 ([a a][]) s02 ([][]) s13)
c15 = (([][]) s31 ([a a][c]) s02 ([][]) s23)
c16 = (([][]) s31 ([a a][]) s42 ([][]) s23)
c17 = (([d][]) s31 ([a a][]) s52 ([][]) s23)

States of panel (b):
c0 = (([]) s01 ([]) s02 ([]) s03)
c1 = (([]) s11 ([a]) s02 ([]) s03)
c2 = (([]) s21 ([a]) s02 ([]) s03)
c3 = (([]) s11 ([]) s12 ([]) s03)
c4 = (([]) s21 ([]) s12 ([]) s03)
c5 = (([]) s31 ([a]) s12 ([]) s03)
c6 = (([]) s21 ([]) s12 ([]) s03)
c7 = (([]) s31 ([]) s22 ([b]) s03)
c8 = (([]) s31 ([]) s22 ([]) s13)
c9 = (([]) s31 ([]) s22 ([]) s23)
c10 = (([]) s31 ([]) s32 ([]) s23)
c11 = (([]) s31 ([a]) s12 ([]) s13)
c12 = (([]) s31 ([a c]) s12 ([]) s23)
c13 = (([]) s31 ([a a]) s02 ([b]) s03)
c14 = (([]) s31 ([a a]) s02 ([]) s13)

Figure 4: The synchronous interaction behavior of the microservice system shown in Figure 1: $c_0 \xrightarrow{a^{1\to 2}} c_1 \xrightarrow{a^{1\to 2}} c_2 \xrightarrow{b^{1\to 3}} c_3 \xrightarrow{c^{3\to 2}} c_4$.

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m^{i\to j}} c_1 \xrightarrow{m^{k\to l}} \cdots \xrightarrow{m^{o\to p}} c\right) \Longrightarrow \left(c \xrightarrow{m_{n+1}^{i\to j}} c_{n+1} \xrightarrow{m_{n+1}^{i\to j}} \cdots \xrightarrow{m_{0}^{o\to p}} c_x\right) \wedge c_x \in F. \quad (1)$$

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ is interaction sound under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied:

For every state c reachable from the initial state c0, there exists a transition sequence leading from state c to a final state cx. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m_{1}^{i\to j}} c_1 \xrightarrow{m_{2}^{k\to l}} \cdots \xrightarrow{m_{n}^{o\to p}} c\right) \Longrightarrow \left(c \xrightarrow{m_{n+1}^{i\to j}} c_{n+1} \xrightarrow{m_{n+2}^{k\to l}} \cdots \xrightarrow{m_{0}^{o\to p}} c_x\right) \wedge c_x \in F. \quad (2)$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of local states of the participating microservices, while the states of the latter are described in terms of local states of the participating microservices and their respective buffers.

5.2. CSP Encoding for the Behaviors of Microservice Systems. We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP process. Then, we discuss how to encode a synchronous interaction behavior.

The CSP process encoding an asynchronous interaction behavior of a microservice system mainly includes the following three steps:

(1) Encodes all the transitions in each microservice as events in CSP. For example, the send-transition $(s_1, !m^{1\to 2}, s_2)$ is encoded as an event !m, and the receive-transition $(s_1, ?m^{1\to 2}, s_2)$ is encoded as an event ?m.

(2) Encodes the order in which the adjacent transitions are executed as prefix or external choice in CSP. For example, the order in which the microservice MS1 executes transitions in Figure 1 is $a^{1\to 2}$ followed by $a^{1\to 2}$ and $b^{1\to 2}$, which can be encoded as a->a->b-> Skip without considering buffers.

(3) Encodes peer-to-peer asynchronous communication. In CSP, the channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process bufferij!m -> P to denote that the sender MSi sends the message m to the bufferij of the receiver MSj. Conversely, we use the process bufferij?[x == m]m -> P to denote that the receiver MSj consumes the message m from its bufferij, where the expression [x == m] is used to check whether the top element in the bufferij is the matching message m.

Figure 5: A snapshot of a microservice system in c17.

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices $MS_1, MS_2, \ldots, MS_n$, we generate the CSP process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\text{gen\_buffers}(B_a \cdot C) = \{buffer_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\}\}. \quad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\text{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{total}|\}. \quad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state s0:

$$\text{trace}(M_1) = \{\text{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M, m \in \sigma_i\}, \quad (5)$$

where the function sort($\sigma_i$) sorts the messages on the path by their execution order.

For a message $m^{1\to 2} \in M$, function $action(m^{1\to 2}) = m$ denotes the message and function $type(m^{1\to 2})$ denotes the message type.

Let m, n, and p be separately the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is $O(m \ast n \ast p)$.

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP process is shown below.

    // The buffers
    channel buffer12 2;
    channel buffer13 2;
    channel buffer21 2;
    channel buffer23 2;
    channel buffer31 2;
    channel buffer32 2;
    // The messages
    var a = 1;
    var b = 2;
    var c = 3;
    var d = 4;
    // The process of each participating microservice
    PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
    PMS2() = (buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip) [] (buffer32?3 -> buffer21!d -> Skip);
    PMS3() = buffer13?2 -> buffer32!c -> Skip;
    // The process of an asynchronous interaction behavior of a microservice system
    System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP process of a synchronous behavior can be generated by using Algorithm 1, except setting the size of bufferij to be 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP process of a microservice system using Algorithm 1, we can generate the state space of the CSP process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

    system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

    #define bufij call(cempty, bufferij) == true
    system() |= ("init" -> <>("terminate" && bufij)) && F    (7)

where cempty is a channel operation, which is a Boolean function to test whether the asynchronous channel is empty or not, and bufferij is the channel specific to the pair (MSi, MSj), which denotes the buffer of a microservice MSj.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows:

    #define buf12 call(cempty, buffer12) == true;
    #define buf13 call(cempty, buffer13) == true;
    #define buf21 call(cempty, buffer21) == true;
    #define buf23 call(cempty, buffer23) == true;
    #define buf31 call(cempty, buffer31) == true;
    #define buf32 call(cempty, buffer32) == true;
    #assert System() |= []("init" -> <>("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));
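The k-bounded peer-to-peer behavior of Definition 5 and the soundness condition of Definition 8 can also be checked by direct state-space search, which makes the fault at c17 reproducible without PAT. The Python code below is an added example, not the authors' encoder or tool; the three local behaviors are reconstructed from the CSP processes of Example 1 (an assumption, since Figure 1 is not reproduced here), and the names MACHINES, explore and check_soundness are hypothetical.

```python
from collections import deque

# Local behaviours of MS1..MS3, reconstructed from the CSP processes of Example 1
# (an assumption of this example). Each transition is (action, peer, message, next_state):
# "!" sends `message` to `peer`, "?" consumes it from the head of the buffer fed by `peer`.
MACHINES = {
    1: {"init": "s0", "final": {"s3"}, "delta": {
        "s0": [("!", 2, "a", "s1")],
        "s1": [("!", 2, "a", "s2")],
        "s2": [("!", 3, "b", "s3")]}},
    2: {"init": "s0", "final": {"s3", "s5"}, "delta": {
        "s0": [("?", 1, "a", "s1"), ("?", 3, "c", "s4")],
        "s1": [("?", 1, "a", "s2")],
        "s2": [("?", 3, "c", "s3")],
        "s4": [("!", 1, "d", "s5")]}},
    3: {"init": "s0", "final": {"s2"}, "delta": {
        "s0": [("?", 1, "b", "s1")],
        "s1": [("!", 2, "c", "s2")]}},
}


def explore(machines, k):
    """Build the k-bounded peer-to-peer behaviour: one FIFO buffer per (sender, receiver)."""
    ids = sorted(machines)
    chans = [(i, j) for i in ids for j in ids if i != j]
    slot = {c: n for n, c in enumerate(chans)}

    def successors(cfg):
        states, bufs = cfg
        for pos, i in enumerate(ids):
            for act, peer, msg, nxt in machines[i]["delta"].get(states[pos], []):
                ch = slot[(i, peer)] if act == "!" else slot[(peer, i)]
                queue = bufs[ch]
                if act == "!" and len(queue) < k:          # a send blocks on a full buffer
                    new_queue, label = queue + (msg,), f"!{msg}{i}->{peer}"
                elif act == "?" and queue[:1] == (msg,):   # only the head can be consumed
                    new_queue, label = queue[1:], f"?{msg}{peer}->{i}"
                else:
                    continue
                yield label, (states[:pos] + (nxt,) + states[pos + 1:],
                              bufs[:ch] + (new_queue,) + bufs[ch + 1:])

    init = (tuple(machines[i]["init"] for i in ids), tuple(() for _ in chans))
    parent, edges, todo = {init: None}, {}, deque([init])
    while todo:                                            # breadth-first search
        cfg = todo.popleft()
        edges[cfg] = list(successors(cfg))
        for label, nxt in edges[cfg]:
            if nxt not in parent:
                parent[nxt] = (cfg, label)
                todo.append(nxt)
    return ids, chans, edges, parent


def check_soundness(machines, k):
    """Every reachable configuration must be able to reach a final one with empty buffers."""
    ids, chans, edges, parent = explore(machines, k)

    def is_final(cfg):
        states, bufs = cfg
        return all(s in machines[i]["final"] for i, s in zip(ids, states)) and not any(bufs)

    preds = {cfg: set() for cfg in edges}
    for cfg, outs in edges.items():
        for _, nxt in outs:
            preds[nxt].add(cfg)
    good = {cfg for cfg in edges if is_final(cfg)}
    todo = deque(good)
    while todo:                                            # backward reachability
        for prev in preds[todo.popleft()]:
            if prev not in good:
                good.add(prev)
                todo.append(prev)

    faults = []
    for cfg in edges:
        if cfg not in good and not edges[cfg]:             # stuck outside the final set
            steps, cur = [], cfg
            while parent[cur] is not None:                 # shortest trace back to the start
                cur, label = parent[cur]
                steps.append(label)
            pending = {f"buffer{i}{j}": q for (i, j), q in zip(chans, cfg[1]) if q}
            faults.append({"states": cfg[0], "pending": pending, "trace": steps[::-1]})
    return {"configs": len(edges), "sound": len(good) == len(edges), "faults": faults}


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, check_soundness(MACHINES, k))
```

With buffers of size 2 or 3 the check reports the stuck configuration the paper labels c17, where MS2 has terminated through its second branch while two copies of a remain in buffer12 and d remains in buffer21; with buffers of size 1 the same reconstructed system is interaction sound.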

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP process. Second, once the CSP process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1, as generated by the PAT simulator, is shown in Figure 6. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with 2.50 GHz Processor and 8 GB of RAM, running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system ($B_s$), the verification result under synchronous communication (IRa) (“−” denotes that the system is not interaction sound and “+” denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k ($B_a^k$), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

ALGORITHM 1: Encoding an asynchronous interaction behavior.

    Input: a microservice system Ba = (C, c0, F, M, Δ)
    Output: a CSP process
    buffer12, ..., buffer(n−1)n = gen_buffers(Ba·C)
    set buffer12, ..., buffer(n−1)n's size
    gen_message_variable(Ba·M)
    for MSi ∈ (MS1, MS2, ..., MSn) do
        σ1, ..., σn = trace(MSi)
        for σj ∈ (σ1, ..., σn) do
            z = 1
            while (m = getHead(σj)) ≠ null
                if type(m) == "!"
                    Pz() = buffer_src(m)_dst(m)!action(m) -> Pz+1()
                else
                    Pz() = buffer_src(m)_dst(m)?[xz == action(m)]action(m) -> Pz+1()
                z = z + 1
                end if
            end while
            PMSi() = P1()
        end for
    end for
    System() = PMS1() ||| PMS2() ||| ... ||| PMSn()

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., the size of the LTS of the asynchronous interaction behavior remains unchanged beyond some buffer bound, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property of the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. “Too large” means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTLs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called “interaction soundness”, which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness with the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases.

    Id          Description       |MSs|  |Ms|  B_s                 B_a^1               B_a^2               B_a^3
                                               LTS(|T|,|S|)  IRa   LTS(|T|,|S|)  IRs   LTS(|T|,|S|)  IRs   LTS(|T|,|S|)  IRs
    Ca-01 [33]  Booking system    4      7     (10, 11)      −     (23, 29)      −     (24, 31)      −     (24, 31)      −
    Ca-02 [34]  Train station     4      8     (11, 13)      +     (44, 76)      −     (64, 122)     −     (84, 168)     −
    Ca-03 [32]  Protocol          3      3     (7, 14)       +     (26, 62)      −     (35, 91)      −     (44, 120)     −
    Ca-04 [35]  Online shopping   3      6     (7, 7)        +     (13, 13)      +     (13, 13)      +     (13, 13)      +
    Ca-05 [36]  Cloud application 4      5     (6, 10)       −     (96, 240)     −     Too large     −     Too large     −
    Ca-06 [37]  Figure 2          3      3     (3, 3)        +     (10, 14)      −     (15, 24)      −     (20, 34)      −
    Ca-07 [38]  Figure 1          4      5     (11, 14)      +     (28, 43)      +     (28, 43)      +     (28, 43)      +
    Ca-08 [15]  Composition 2     2      5     (5, 6)        +     (10, 11)      +     (10, 11)      +     (10, 11)      +
    Ca-09 [39]  Figure 8          3      3     (7, 6)        −     (16, 20)      −     (16, 20)      −     (16, 20)      −
    Ca-10 [14]  Figure 1          3      4     (6, 5)        +     (13, 15)      +     (20, 26)      −     (20, 26)      −

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., “A computation offloading method over big data for IoT-enabled cloud-edge computing,” Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, “A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems,” World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., “An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles,” Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, “BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing,” IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, “Joint optimization of offloading utility and privacy for edge computing enabled IoT,” IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, “A blockchain-based computation offloading method for edge computing in 5G networks,” Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, “Gremlin: systematic resilience testing of microservices,” in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, “Microservices architecture enables DevOps: migration to a cloud-native architecture,” IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., “Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study,” IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems with parallel optimization,” IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, “Application delivery service challenges in microservices-based applications,” 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, “Synchronizability of communicating finite state machines is not decidable,” in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, “Synchronizability of conversations among web services,” IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., “Poster: benchmarking microservice systems for software engineering research,” in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE’18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, “Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies,” in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, “An architecture to automate performance tests on microservices,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, “Modelling and managing deployment costs of microservice-based cloud applications,” in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, “Workload-based clustering of coherent feature sets in microservice architectures,” in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, “Publishing linked data through semantic microservices composition,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, “A software architecture recovery tool for maintaining microservice-based systems,” in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, “Microservices and their design tradeoffs: a self-adaptive roadmap,” in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, “Choreography conformance via synchronizability,” in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, “Synchronizability for verification of asynchronously communicating systems,” in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, “On deciding synchronizability for asynchronously communicating systems,” Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, “Model checking CSP revisited: introducing a process analysis toolkit,” in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, “Communicating sequential processes,” International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, “Deciding choreography realizability,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, “Conversation protocols: a formalism for specification and verification of reactive electronic services,” Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, “Checking the realizability of BPMN 2.0 choreographies,” in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, “Realizability of choreographies using process algebra encodings,” IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, “Modeling interactions of web software,” in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, “Counterexample guided synthesis of monitors for realizability enforcement,” Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, “Compatibility checking for asynchronously communicating software,” Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, “Local enforceability in interaction petri nets,” in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, “A tool for choreography analysis using collaboration diagrams,” in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, “Automatic verification of interactions in asynchronous systems with unbounded buffers,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE’14, pp. 743–754, Västerås, Sweden, September 2014.

12 Complexity

Page 6: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

c0 = (([][]) s01 ([][]) s02 ([][]) s03)c1 = (([][]) s11 ([a][]) s02 ([][]) s03)c2 = (([][]) s21 ([a a][]) s02 ([][]) s03)c3 = (([][]) s11 ([][]) s12 ([][]) s03)c4 = (([][]) s21 ([a][]) s12 ([][]) s03)c5 = (([][]) s31 ([a][]) s12 ([b][]) s03)c6 = (([][]) s21 ([][]) s22 ([][]) s03)c7 = (([][]) s31 ([][]) s22 ([b][]) s03)c8 = (([][]) s31 ([][]) s22 ([][]) s13)c9 = (([][]) s31 ([][c]) s22 ([][]) s23)c10 = (([][]) s31 ([][]) s32 ([][]) s23)c11 = (([][]) s31 ([a][]) s12 ([][]) s13)c12 = (([][]) s31 ([a] [c]) s12 ([][]) s23)c13 = (([][]) s31 ([a a][]) s02 ([b][]) s03)c14 = (([][]) s31 ([a a][]) s02 ([][]) s13)c15 = (([][]) s31 ([a a][c]) s02 ([][]) s23)c16 = (([][]) s31 ([a a][]) s42 ([][]) s23)c17 = (([d][]) s31 ([a a][]) s52 ([][]) s23)

c7

c0

c1

c2 c3

c4

c5 c6

c13

c14

a1rarr2

a1rarr2

a1rarr2

a1rarr2

a1rarr2

a1rarr2

b1rarr3

b1rarr3

b1rarr3

d2rarr1

a1rarr2

a1rarr2

a1rarr2

b1rarr3

c3rarr2

b1rarr3

c3rarr2

c3rarr2 c3rarr2

c3rarr2

a1rarr2

a1rarr2

b1rarr3

c15

c16

c17

c10

c9

c12

c11

c8

(a)

c0 = (([]) s01 ([]) s02 ([]) s03)c1 = (([]) s11 ([a]) s02 ([]) s03)c2 = (([]) s21 ([a]) s02 ([]) s03)c3 = (([]) s11 ([]) s12 ([]) s03)c4 = (([]) s21 ([]) s12 ([]) s03)c5 = (([]) s31 ([a]) s12 ([]) s03)c6 = (([]) s21 ([]) s12 ([]) s03)c7 = (([]) s31 ([]) s22 ([b]) s03)c8 = (([]) s31 ([]) s22 ([]) s13)c9 = (([]) s31 ([]) s22 ([]) s23)c10 = (([]) s31 ([]) s32 ([]) s23)c11 = (([]) s31 ([a]) s12 ([]) s13)c12 = (([]) s31 ([a c]) s12 ([]) s23)c13 = (([]) s31 ([a a]) s02 ([b]) s03)c14 = (([]) s31 ([a a]) s02 ([]) s13)

a1rarr2

a1rarr2

a1rarr2

b1rarr3

b1rarr3

a1rarr2b1rarr2

c3rarr2

a1rarr2

b1rarr3

b1rarr3

a1rarr2

a1rarr2

a1rarr2

a1rarr2

a1rarr2

b1rarr3

a1rarr2

c3rarr2

c3rarr2

c0

c1

c3

c4

c6

c7

c8 c12

c9

c10

c2

c13

c5

c11

c14

(b)

Figure 3 -e asynchronous interaction behavior of the microservice system with buffers of size 2 shown in Figure 1 (a) -e peer-to-peercommunication (b) -e mailbox communication

c0a1rarr2 a1rarr2 b1rarr3 c3rarr2

c1 c2 c3 c4

Figure 4 -e synchronous interaction behavior of the microservice system shown in Figure 1

6 Complexity

For every state c reachable from the initial state c0 thereexists a transition sequence leading from state c to a finalstate cx Formally

forallc isin Cand c0⟶mirarrj

c1⟶mkrarrl

middot middot middot⟶morarrp

c1113874 1113875⟹ c⟶m

irarrj

n+1cn+1⟶

mirarrj

n+1middot middot middot⟶

morarrp

0cx1113888 1113889and cx isin F (1)

Definition 8 (interaction soundness under unbounded asynchronous communication or k-bounded asynchronous communication). A microservice system $B_a = (M, C, F, c_0, \Delta)$ or $B_a^k = (C, c_0, F, M, \Delta)$ is interaction sound under unbounded asynchronous communication or k-bounded asynchronous communication if and only if the following condition is satisfied:

For every state $c$ reachable from the initial state $c_0$, there exists a transition sequence leading from state $c$ to a final state $c_x$. Formally,

$$\forall c \in C \wedge \left(c_0 \xrightarrow{m^{i\to j}_{1}} c_1 \xrightarrow{m^{k\to l}_{2}} \cdots \xrightarrow{m^{o\to p}_{n}} c\right) \Longrightarrow \left(c \xrightarrow{m^{i\to j}_{n+1}} c_{n+1} \xrightarrow{m^{k\to l}_{n+2}} \cdots \xrightarrow{m^{o\to p}_{0}} c_x\right) \wedge c_x \in F \tag{2}$$

The difference between Definitions 7 and 8 is that the states of the former are described in terms of local states of the participating microservices, while the states of the latter are described in terms of local states of the participating microservices and their respective buffers.

5.2. CSP Encoding for the Behaviors of Microservice Systems. We first discuss how to encode an asynchronous interaction behavior of a microservice system as a CSP process. Then, we discuss how to encode a synchronous interaction behavior.

Encoding an asynchronous interaction behavior of a microservice system as a CSP process mainly includes the following three steps:

(1) Encode all the transitions in each microservice as events in CSP. For example, the send-transition $(s_1, !m^{1\to 2}, s_2)$ is encoded as an event !m, and the receive-transition $(s_1, ?m^{1\to 2}, s_2)$ is encoded as an event ?m.

(2) Encode the order in which the adjacent transitions are executed as prefix or external choice in CSP. For example, the order in which the microservice MS1 executes transitions in Figure 1 is $a^{1\to 2}$ followed by $a^{1\to 2}$ and $b^{1\to 2}$, which can be encoded as a -> a -> b -> Skip without considering buffers.

(3) Encode peer-to-peer asynchronous communication. In CSP, the channel can be used to encode a buffer. Because each buffer is specific to the pair (sender, receiver) in the peer-to-peer asynchronous communication, we use the process buffer_ij!m -> P to denote that the sender $MS_i$ sends the message m to the buffer_ij of the receiver $MS_j$. Conversely, we use the process buffer_ij?[x == m]m -> P to denote that the receiver $MS_j$ consumes the message m from its buffer_ij, where the expression [x == m] is used to check whether the top element in the buffer_ij is the matching message m.

Figure 5: A snapshot of a microservice system in c17 (microservices MS1, MS2, and MS3 with buffers Buffer12, Buffer13, Buffer21, Buffer23, Buffer31, and Buffer32).

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices $MS_1, MS_2, \ldots, MS_n$, we generate the CSP process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\mathrm{gen\_buffers}(B_a \cdot C) = \{\mathit{buffer}_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\}\} \tag{3}$$

Function gen_message_variable generates message variables in a microservice system:

$$\mathrm{gen\_message\_variable}(B_a \cdot M) = \{1, 2, \ldots, |M_{total}|\} \tag{4}$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state $s_0$:

$$\mathrm{trace}(M_1) = \{\mathrm{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M,\ m \in \sigma_i\} \tag{5}$$

where the function $\mathrm{sort}(\sigma_i)$ sorts the messages on the path by their execution order.

For a message $m^{1\to 2} \in M$, function $\mathrm{action}(m^{1\to 2}) = m$ denotes the message and function $\mathrm{type}(m^{1\to 2})$ denotes the message type.

Let m, n, and p be, respectively, the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is $O(m * n * p)$.

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP process is shown below.

// The buffers
channel buffer12 2;
channel buffer13 2;
channel buffer21 2;
channel buffer23 2;
channel buffer31 2;
channel buffer32 2;
// The messages
var a = 1;
var b = 2;
var c = 3;
var d = 4;
// The process of each participating microservice
PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
PMS3() = buffer13?2 -> buffer32!c -> Skip;
// The process of an asynchronous interaction behavior of a microservice system
System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of buffer is set to 0), the CSP process of a synchronous behavior can be generated by using Algorithm 1, except setting the size of buffer_ij to be 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP process of a microservice system using Algorithm 1, we can generate the state space of the CSP process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

#define buf_ij (call(cempty, buffer_ij) == true)
system() |= ("init" -> <>("terminate" && buf_ij)) && F    (7)

where cempty is a channel operation, a Boolean function that tests whether the asynchronous channel is empty or not, and buffer_ij is the channel specific to the pair ($MS_i$, $MS_j$), which denotes the buffer of a microservice $MS_j$.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows:

#define buf12 call(cempty, buffer12) == true;
#define buf13 call(cempty, buffer13) == true;
#define buf21 call(cempty, buffer21) == true;
#define buf23 call(cempty, buffer23) == true;
#define buf31 call(cempty, buffer31) == true;
#define buf32 call(cempty, buffer32) == true;
#assert System() |= []("init" -> <>("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP process. Second, once the CSP process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.
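The encoding of Section 5.2 and the soundness check of Section 5.3 can both be reproduced directly on the LTS model. The following Python example is added here for illustration and is not the authors' encoder or PAT: the transition tables are transcribed from Example 1, the encoder walks each LTS recursively instead of enumerating traces as Algorithm 1 does, and it is assumed that local final states are those without outgoing transitions and that a final configuration also requires every buffer to be empty.

```python
from collections import deque

# Transition tables transcribed from Example 1: (source, "!"/"?", message, peer, target).
# Assumption: a local state is final when it has no outgoing transition.
SYSTEM = {
    1: {"init": 0, "final": {3},
        "trans": [(0, "!", "a", 2, 1), (1, "!", "a", 2, 2), (2, "!", "b", 3, 3)]},
    2: {"init": 0, "final": {3, 5},
        "trans": [(0, "?", "a", 1, 1), (1, "?", "a", 1, 2), (2, "?", "c", 3, 3),
                  (0, "?", "c", 3, 4), (4, "!", "d", 1, 5)]},
    3: {"init": 0, "final": {2},
        "trans": [(0, "?", "b", 1, 1), (1, "!", "c", 2, 2)]},
}

def to_csp(system, k):
    """Emit CSP#-style text laid out like Example 1 (acyclic LTSs only)."""
    peers = sorted(system)
    msgs = sorted({t[2] for p in peers for t in system[p]["trans"]})
    code = {m: n for n, m in enumerate(msgs, 1)}
    lines = [f"channel buffer{i}{j} {k};" for i in peers for j in peers if i != j]
    lines += [f"var {m} = {code[m]};" for m in msgs]
    def proc(p, state):
        branches = []
        for src, kind, msg, peer, dst in system[p]["trans"]:
            if src == state:
                event = (f"buffer{p}{peer}!{msg}" if kind == "!"
                         else f"buffer{peer}{p}?{code[msg]}")
                rest = proc(p, dst)
                branches.append(f"{event} -> ({rest})" if " [] " in rest
                                else f"{event} -> {rest}")
        return " [] ".join(branches) or "Skip"
    lines += [f"PMS{p}() = {proc(p, system[p]['init'])};" for p in peers]
    lines.append("System() = " + " ||| ".join(f"PMS{p}()" for p in peers) + ";")
    return "\n".join(lines)

def successors(system, config, k):
    """Configurations reachable in one move; k == 0 means synchronous handshake."""
    peers = sorted(system)
    pos = {p: n for n, p in enumerate(peers)}
    chan = {c: n for n, c in enumerate((i, j) for i in peers for j in peers if i != j)}
    locs, bufs = config
    out = []
    def step(moves, buf_index=None, content=None):
        new_locs, new_bufs = list(locs), list(bufs)
        for peer, target in moves:
            new_locs[pos[peer]] = target
        if buf_index is not None:
            new_bufs[buf_index] = content
        out.append((tuple(new_locs), tuple(new_bufs)))
    for p in peers:
        for src, kind, msg, peer, dst in system[p]["trans"]:
            if src != locs[pos[p]]:
                continue
            if kind == "!" and k == 0:
                for rsrc, rkind, rmsg, rpeer, rdst in system[peer]["trans"]:
                    if (rsrc, rkind, rmsg, rpeer) == (locs[pos[peer]], "?", msg, p):
                        step([(p, dst), (peer, rdst)])
            elif kind == "!":
                c = chan[(p, peer)]
                if len(bufs[c]) < k:          # a full buffer blocks the sender
                    step([(p, dst)], c, bufs[c] + (msg,))
            elif k > 0:
                c = chan[(peer, p)]
                if bufs[c][:1] == (msg,):     # only the head of the FIFO is consumable
                    step([(p, dst)], c, bufs[c][1:])
    return out

def check_soundness(system, k):
    """Explore the k-bounded state space; report configurations with no path to a final one."""
    peers = sorted(system)
    start = (tuple(system[p]["init"] for p in peers),
             tuple(() for i in peers for j in peers if i != j))
    seen, preds, todo, edges = {start}, {}, deque([start]), 0
    while todo:
        cfg = todo.popleft()
        for nxt in successors(system, cfg, k):
            edges += 1
            preds.setdefault(nxt, set()).add(cfg)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    good = {(locs, bufs) for locs, bufs in seen if not any(bufs)
            and all(l in system[p]["final"] for p, l in zip(peers, locs))}
    todo = deque(good)
    while todo:                               # backward reachability from final configs
        for pred in preds.get(todo.popleft(), ()):
            if pred not in good:
                good.add(pred)
                todo.append(pred)
    return {"states": len(seen), "transitions": edges,
            "sound": seen <= good, "stuck": seen - good}

if __name__ == "__main__":
    print(to_csp(SYSTEM, 2))
    for k in (0, 1, 2, 3):
        print(k, {n: v for n, v in check_soundness(SYSTEM, k).items() if n != "stuck"})
```

With buffers of size 2 the two configurations reported as stuck are the ones listed as c16 and c17 in Figure 3(a): MS2 has taken its second branch and the two a messages and d can no longer be consumed.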

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with 2.50 GHz Processor and 8 GB of RAM running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (MSs) involved in a microservice system, the number of messages (Ms), the size of the LTS of the synchronous interaction behaviors of a microservice system ($B_s$), the verification result under synchronous communication (IRa) ("−" denotes that the system is not interaction sound and "+" denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k ($B_a^k$), and the verification result under k-bounded asynchronous communication (IRs).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

ALGORITHM 1: Encoding an asynchronous interaction behavior.

Input: a microservice system B_a = (C, c0, F, M, Δ)
Output: a CSP process
buffer_12, ..., buffer_(n-1)n = gen_buffers(B_a · C)
set the size of buffer_12, ..., buffer_(n-1)n
gen_message_variable(B_a · M)
for MS_i ∈ (MS_1, MS_2, ..., MS_n) do
    σ_1, ..., σ_n = trace(MS_i)
    for σ_j ∈ (σ_1, ..., σ_n) do
        z = 1
        while (m = getHead(σ_j)) != null
            if type(m) == "!"
                // send: write the message into the buffer of the pair (src, dst)
                P_z() = buffer_src(m)_dst(m)!action(m) -> P_z+1()
            else
                // receive: consume the message only if it is at the head of the buffer
                P_z() = buffer_src(m)_dst(m)?[x_z == action(m)]action(m) -> P_z+1()
            end if
            z = z + 1
        end while
        PMS_i() = P_1()
    end for
end for
System() = PMS_1() ||| PMS_2() ||| ... ||| PMS_n()

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., the size of the LTS of the asynchronous interaction behavior remains unchanged from some buffer bound onward, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property on the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. "Too large" means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called "interaction soundness," which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness under the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases.

                               Number        B_s               B_a^1             B_a^2             B_a^3
Id          Description        |MSs|  |Ms|   LTS(|T||S|)  IRa  LTS(|T||S|)  IRs  LTS(|T||S|)  IRs  LTS(|T||S|)  IRs
Ca-01 [33]  Booking system     4      7      (1011)       −    (2329)       −    (2431)       −    (2431)       −
Ca-02 [34]  Train station      4      8      (1113)       +    (4476)       −    (64122)      −    (84168)      −
Ca-03 [32]  Protocol           3      3      (714)        +    (2662)       −    (3591)       −    (44120)      −
Ca-04 [35]  Online shopping    3      6      (77)         +    (1313)       +    (1313)       +    (1313)       +
Ca-05 [36]  Cloud application  4      5      (610)        −    (96240)      −    Too large    −    Too large    −
Ca-06 [37]  Figure 2           3      3      (33)         +    (1014)       −    (1524)       −    (2034)       −
Ca-07 [38]  Figure 1           4      5      (1114)       +    (2843)       +    (2843)       +    (2843)       +
Ca-08 [15]  Composition 2      2      5      (56)         +    (1011)       +    (1011)       +    (1011)       +
Ca-09 [39]  Figure 8           3      3      (76)         −    (1620)       −    (1620)       −    (1620)       −
Ca-10 [14]  Figure 1           3      4      (65)         +    (1315)       +    (2026)       −    (2026)       −

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., "A computation offloading method over big data for IoT-enabled cloud-edge computing," Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, "A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems," World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., "An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles," Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, "BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing," IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, "Joint optimization of offloading utility and privacy for edge computing enabled IoT," IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, "A blockchain-based computation offloading method for edge computing in 5G networks," Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, "Gremlin: systematic resilience testing of microservices," in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, "Microservices architecture enables DevOps: migration to a cloud-native architecture," IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., "Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study," IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems with parallel optimization," IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, "Application delivery service challenges in microservices-based applications," 2016, http://www.thefabricnet.com/application-delivery-service-challenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, "Synchronizability of communicating finite state machines is not decidable," in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, "Synchronizability of conversations among web services," IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., "Poster: benchmarking microservice systems for software engineering research," in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE'18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems," in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, "Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies," in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, "An architecture to automate performance tests on microservices," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, "Modelling and managing deployment costs of microservice-based cloud applications," in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, "Workload-based clustering of coherent feature sets in microservice architectures," in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, "Publishing linked data through semantic microservices composition," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, "A software architecture recovery tool for maintaining microservice-based systems," in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, "Microservices and their design tradeoffs: a self-adaptive roadmap," in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, "Choreography conformance via synchronizability," in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, "Synchronizability for verification of asynchronously communicating systems," in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, "On deciding synchronizability for asynchronously communicating systems," Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, "Model checking CSP revisited: introducing a process analysis toolkit," in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, "Integrating specification and programs for system modeling and verification," in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, "Communicating sequential processes," International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, "Deciding choreography realizability," ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, "Conversation protocols: a formalism for specification and verification of reactive electronic services," Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, "Checking the realizability of BPMN 2.0 choreographies," in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, "Realizability of choreographies using process algebra encodings," IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, "Modeling interactions of web software," in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, "Counterexample guided synthesis of monitors for realizability enforcement," Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, "Compatibility checking for asynchronously communicating software," Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, "Local enforceability in interaction petri nets," in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, "A tool for choreography analysis using collaboration diagrams," in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, "Automatic verification of interactions in asynchronous systems with unbounded buffers," in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE'14, pp. 743–754, Västerås, Sweden, September 2014.


[4] X Xu X Zhang H Gao Y Xue L Qi and W Dou ldquoBe-Come blockchain-enabled computation offloading for IoT inmobile edge computingrdquo IEEE Transactions on IndustrialInformatics vol 16 no 6 pp 4187ndash4195 2020

[5] X Xu C He Z Xu L Qi S Wan andM Z A Bhuiyan ldquoJointoptimization of offloading utility and privacy for edge com-puting enabled IoTrdquo IEEE Internet ofGings Journal p 1 2019

[6] X Xu Y Chen X Zhang Q Liu X Liu and L Qi ldquoAblockchain-based computation offloading method for edgecomputing in 5G networksrdquo Software Practice and Experi-ence 2019

[7] V Heorhiadi S Rajagopalan H Jamjoom M K Reiter andV Sekar ldquoGremlin systematic resilience testing of micro-servicesrdquo in Proceedings of the 36th IEEE InternationalConference on Distributed Computing Systems ICDCSpp 57ndash66 Nara Japan June 2016

[8] J Lewis andM Fowler ldquoMicroservices a definition of this newarchitectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[9] A Balalaie A Heydarnoori and P Jamshidi ldquoMicroservicesarchitecture enables DevOps migration to a cloud-nativearchitecturerdquo IEEE Software vol 33 no 3 pp 42ndash52 2016

[10] X Zhou X Peng T Xie et al ldquoFault analysis and debuggingof microservice systems industrial survey benchmark systemand empirical studyrdquo IEEE Transactions on Software Engi-neering p 1 2018

[11] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystems with parallel optimizationrdquo IEEE Transactions onServices Computing p 1 2019

[12] J Lewis and M Fowler ldquoMicroservices a definition of thisnew architectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[13] A Deb ldquoApplication delivery service challenges inmicroservices-based applicationsrdquo 2016 httpwwwthefabricnetcomapplication-delivery-servicechallenges-in-microservices-based-applications

[14] F Alaina and E Lozes ldquoSynchronizability of communicating finitestate machines is not decidablerdquo in Proceedings of the 44th In-ternational Colloquium on Automata Languages and Program-ming ICALP 2017 vol 122 pp 1ndash14 Warsaw Poland 2017

[15] X Fu T Bultan and J Su ldquoSynchronizability of conversationsamong web servicesrdquo IEEE Transactions on Software Engi-neering vol 31 no 12 pp 1042ndash1055 2005

[16] X Zhou X Peng T Xie et al ldquoPoster benchmarkingmicroservice systems for software engineering researchrdquo inProceedings of the International Conference on Software En-gineering Companion Proceedings (ICSErsquo18) pp 323-324Gothenburg Sweden 2018

[17] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystemsrdquo in Proceedings of the 33rd ACMIEEE InternationalConference on Automated Software Engineering pp 802ndash807New York NY USA 2018

[18] G Schermann D Schoni P Leitner and H C Gall ldquoBifrostsupporting continuous deployment with automated enact-ment of multi-phase live testing strategiesrdquo in Proceedings ofthe 17th International Middleware Conference p 12 TrentoItaly December 2016

[19] A de Camargo I L Salvadori R dos Santos Mello andF Siqueira ldquoAn architecture to automate performance tests onmicroservicesrdquo inProceedings of the 18th International Conferenceon Information Integration and Web-Based Applications andServices iiWAS 2016 pp 422ndash429 Singapore November 2016

[20] P Leitner J Cito and E Stockli ldquoModelling and managingdeployment costs of microservice-based cloud applicationsrdquoin Proceedings of the 9th International Conference on Utilityand Cloud Computing UCC 2016 pp 165ndash174 ShanghaiChina December 2016

[21] S Klock J M E M van der Werf J P Guelen and S JansenldquoWorkload-based clustering of coherent feature sets inmicroservice architecturesrdquo in Proceedings of the 2017 IEEEInternational Conference on Software Architecture ICSA 2017pp 11ndash20 Gothenburg Sweden April 2017

[22] I L Salvadori A Huf R dos Santos Mello and F SiqueiraldquoPublishing linked data through semantic microservices com-positionrdquo in Proceedings of the 18th International Conference onInformation Integration and Web-Based Applications and Ser-vices iiWAS 2016 pp 443ndash452 Singapore November 2016

[23] G Granchelli M Cardarelli P D Francesco I MalavoltaL Iovino and A D S Microart ldquoA software architecturerecovery tool for maintaining microservice-based systemsrdquo inProceedings of the 2017 IEEE International Conference onSoftware Architecture Workshops ICSA Workshops 2017pp 298ndash302 Gothenburg Sweden April 2017

[24] S Hassan and R Bahsoon ldquoMicroservices and their designtradeoffs a self-adaptive roadmaprdquo in Proceedings of the 2016IEEE International Conference on Services Computing SCC2016 pp 813ndash818 San Francisco CA USA June 2016

[25] S Basu and T Bultan ldquoChoreography conformance viasynchronizabilityrdquo in Proceedings of the 20th InternationalConference on World Wide Web pp 795ndash804 HyderabadIndia March 2011

[26] S Basu T Bultan and M Ouederni ldquoSynchronizability forverification of asynchronously communicating systemsrdquo in

Complexity 11

Proceedings of the International Workshop on VerificationModel Checking and Abstract Interpretation pp 56ndash71 LongIsland NY USA 2012

[27] S Basu and T Bultan ldquoOn deciding synchronizability forasynchronously communicating systemsrdquo Georetical Com-puter Science vol 656 pp 60ndash75 2016

[28] J Sun Y Liu and J Dong ldquoModel checking CSP revisitedintroducing a process analysis toolkitrdquo in Proceedings of the2008 International Symposium on Leveraging Applications ofFormal Methods Verification and Validation pp 307ndash322Porto Sani Greece 2008

[29] J Sun Y Liu J Dong and C Chen ldquoIntegrating specificationand programs for system modeling and verificationrdquo inProceedings of the 3rd IEEE International Symposium onGeoretical Aspects of Software Engineering (TASE 2009)pp 127ndash135 Tianjin China July 2009

[30] C A R Hoare ldquoCommunicating sequential processesrdquo In-ternational Series in Computer Science Prentice-Hall UpperSaddle River NJ USA 1985

[31] S Basu T Bultan and M Ouederni ldquoDeciding choreographyrealizabilityrdquo ACM SIGPLAN Notices vol 47 no 1pp 191ndash202 2012

[32] X Fu T Bultan and J Su ldquoConversation protocols a for-malism for specification and verification of reactive electronicservicesrdquo Georetical Computer Science vol 328 no 1-2pp 19ndash37 2004

[33] P Poizat ldquoChecking the realizability of BPMN 20 choreogra-phiesrdquo in Proceedings of the 2012 ACM Symposium on AppliedComputing ACM Trento Italy pp 1927ndash1934 March 2012

[34] G Salaun T Bultan and N Roohi ldquoRealizability of chore-ographies using process algebra encodingsrdquo IEEE Transac-tions on Services Computing vol 5 no 3 pp 290ndash304 2012

[35] T Bultan ldquoModeling interactions of web softwarerdquo in Pro-ceedings of the 2006 International Workshop on AutomatedSpecification and Verification of Web Systems IEEE PaphosCyprus pp 45ndash52 November 2006

[36] M Gudemann G Salaun and M Ouederni ldquoCounterex-ample guided synthesis of monitors for realizability en-forcementrdquo Automated Technology for Verification andAnalysis vol 7561 pp 238ndash253 2012

[37] M Ouederni G Salaun and T Bultan ldquoCompatibilitychecking for asynchronously communicating softwarerdquoFormal Aspects of Component Software pp 310ndash328 SpringerBerlin Germany 2013

[38] G Decker and M Weske ldquoLocal enforceability in interactionpetri netsrdquo in Proceedings of the 5th International Conferenceon Business Process Management pp 305ndash319 BrisbaneAustralia September 2007

[39] T Bultan F Chris and F Xiang ldquoA tool for choreographyanalysis using collaboration diagramsrdquo in Proceedings of the7th IEEE International Conference on Web Services (ICWS2009) pp 856ndash863 Los Angeles CA USA July 2009

[40] S Basu and T Bultan ldquoAutomatic verification of interactionsin asynchronous systems with unbounded buffersrdquo in Pro-ceedings of the 29th ACMIEEE International Conference onAutomated Software Engineering ASErsquo14 pp 743ndash754 VstersSweden September 2014

12 Complexity

Page 8: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

$\mathit{buffer}_{ij}$, where the expression $[x == m]$ is used to check whether the top element in $\mathit{buffer}_{ij}$ is the matching message $m$.

Given a microservice system $B_a = (M, C, F, c_0, \Delta)$ over a set of microservices $MS_1, MS_2, \ldots, MS_n$, we generate the CSP# process by using Algorithm 1.

Function gen_buffers generates all the buffers in a microservice system:

$$\mathrm{gen\_buffers}(B_a \cdot C) = \{\, \mathit{buffer}_{ij} \mid \forall i, j \in \{1, 2, \ldots, n\} \,\} \qquad (3)$$

Function gen_message_variable generates message variables in a microservice system:

$$\mathrm{gen\_message\_variable}(B_a \cdot M) = \{\, 1, 2, \ldots, |M_{total}| \,\} \qquad (4)$$

Function trace() obtains a set of sequences of send and receive messages on any path from the initial state $s_0$:

$$\mathrm{trace}(M_1) = \{\, \mathrm{sort}(\sigma_i) \mid \forall m \in M_1 \cdot M,\ m \in \sigma_i \,\} \qquad (5)$$

where the function $\mathrm{sort}(\sigma_i)$ sorts the messages on the path by their execution order.

For a message $m^{1 \to 2} \in M$, function $\mathrm{action}(m^{1 \to 2}) = m$ denotes the message and function $\mathrm{type}(m^{1 \to 2})$ denotes the message type.

Let $m$, $n$, and $p$ be, respectively, the number of microservices, the max number of the traces, and the max number of messages on a branch. The worst time complexity of Algorithm 1 is $O(m * n * p)$.

Example 1. For the microservice system with buffers of size 2 shown in Figure 3, the CSP# process is shown below.

    // The buffers
    channel buffer12 2;
    channel buffer13 2;
    channel buffer21 2;
    channel buffer23 2;
    channel buffer31 2;
    channel buffer32 2;
    // The messages
    var a = 1;
    var b = 2;
    var c = 3;
    var d = 4;
    // The process of each participating microservice
    PMS1() = buffer12!a -> buffer12!a -> buffer13!b -> Skip;
    PMS2() = buffer12?1 -> buffer12?1 -> buffer32?3 -> Skip [] buffer32?3 -> buffer21!d -> Skip;
    PMS3() = buffer13?2 -> buffer32!c -> Skip;
    // The process of an asynchronous interaction behavior of a microservice system
    System() = PMS1() ||| PMS2() ||| PMS3();

Because synchronous communication is a special case of asynchronous communication (i.e., the size of the buffer is set to 0), the CSP# process of a synchronous behavior can be generated by using Algorithm 1, except that the size of $\mathit{buffer}_{ij}$ is set to 0.

5.3. LTL Formulas of Interaction Soundness. After generating the CSP# process of a microservice system using Algorithm 1, we can generate the state space of the CSP# process using the PAT simulator and verify temporal logic properties using the PAT verifier. Thus, we need to translate Definitions 7 and 8 into LTL formulas.

The property interaction soundness under synchronous communication can be defined as follows:

    system |= ("init" -> <>("terminate")) && F    (6)

where init denotes the initial state of the system, terminate denotes the final state of the system, and F denotes strong fairness conditions.

The property interaction soundness under asynchronous communication can be defined as follows:

    #define buf_ij (call(cempty, buffer_ij) == true);
    system() |= ("init" -> <>("terminate" && buf_ij)) && F    (7)

where cempty is a channel operation, a Boolean function that tests whether the asynchronous channel is empty or not, and buffer_ij is the channel specific to the pair (MS_i, MS_j), which denotes the buffer of a microservice MS_j.

Example 2. For the microservice system with buffers of size 3 shown in Figure 3, the LTL formula of the property interaction soundness is defined as follows.

    #define buf12 (call(cempty, buffer12) == true);
    #define buf13 (call(cempty, buffer13) == true);
    #define buf21 (call(cempty, buffer21) == true);
    #define buf23 (call(cempty, buffer23) == true);
    #define buf31 (call(cempty, buffer31) == true);
    #define buf32 (call(cempty, buffer32) == true);
    #assert System() |= [] ("init" -> <> ("terminate" && buf12 && buf13 && buf21 && buf23 && buf31 && buf32));
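The following Python sketch is an added example, not the paper's encoder and not PAT output: it hand-models the three processes of Example 1 as local LTSs and explores the state space for a given buffer size k, with k = 0 treated as synchronous rendezvous. It assumes the reachability form of interaction soundness (every reachable state can still reach a state where all microservices have terminated and all buffers are empty) as a stand-in for the LTL check under fairness; the names PROCS, successors and check are hypothetical.

```python
from collections import deque

# Constructed model of Example 1 (not the paper's encoder output): one local LTS per
# microservice. A transition is (kind, channel, message, next_state), with "!" for
# send and "?" for receive; channel "12" is the buffer from MS1 to MS2.
PROCS = (
    {0: [("!", "12", "a", 1)], 1: [("!", "12", "a", 2)], 2: [("!", "13", "b", 3)], 3: []},
    {0: [("?", "12", "a", 1), ("?", "32", "c", 4)], 1: [("?", "12", "a", 2)],
     2: [("?", "32", "c", 3)], 3: [], 4: [("!", "21", "d", 3)]},
    {0: [("?", "13", "b", 1)], 1: [("!", "32", "c", 2)], 2: []},
)
FINAL = (3, 3, 2)  # final local state of MS1, MS2, MS3
CHANNELS = ("12", "13", "21", "23", "31", "32")
INIT = ((0, 0, 0), tuple(() for _ in CHANNELS))


def successors(state, k):
    """Yield every global state reachable in one step with buffers of size k."""
    locs, bufs = state
    for p, proc in enumerate(PROCS):
        for kind, ch, msg, nxt in proc[locs[p]]:
            c = CHANNELS.index(ch)
            moved = locs[:p] + (nxt,) + locs[p + 1:]
            if kind == "!" and k == 0:
                # Synchronous case: a send fires only together with a matching receive.
                for q, other in enumerate(PROCS):
                    for kind2, ch2, msg2, nxt2 in other[locs[q]]:
                        if q != p and (kind2, ch2, msg2) == ("?", ch, msg):
                            yield (moved[:q] + (nxt2,) + moved[q + 1:], bufs)
            elif kind == "!" and len(bufs[c]) < k:
                # Asynchronous send: append to the FIFO buffer if it is not full.
                yield (moved, bufs[:c] + (bufs[c] + (msg,),) + bufs[c + 1:])
            elif kind == "?" and bufs[c][:1] == (msg,):
                # Receive only when the head of the FIFO buffer is the expected message.
                yield (moved, bufs[:c] + (bufs[c][1:],) + bufs[c + 1:])


def check(k):
    """Explore the k-bounded state space and test the reachability form of soundness."""
    edges, queue = {INIT: []}, deque([INIT])
    while queue:
        s = queue.popleft()
        for t in successors(s, k):
            edges[s].append(t)
            if t not in edges:
                edges[t] = []
                queue.append(t)
    # Terminated = every microservice in its final state and every buffer empty.
    good = {s for s in edges if s[0] == FINAL and not any(s[1])}
    # Backward closure: states from which a terminated state is still reachable.
    changed = True
    while changed:
        changed = False
        for s, outs in edges.items():
            if s not in good and any(t in good for t in outs):
                good.add(s)
                changed = True
    # Deadlocked states that are not a proper termination serve as fault witnesses.
    stuck = [s for s in edges if s not in good and not edges[s]]
    return {"sound": len(good) == len(edges), "states": len(edges),
            "transitions": sum(len(v) for v in edges.values()), "stuck": stuck}


if __name__ == "__main__":
    for k in (0, 1, 2, 3):
        r = check(k)
        print(k, r["sound"], r["states"], r["transitions"], r["stuck"])
```

On this constructed model the check passes for k = 0 and k = 1 and fails for k = 2, where MS2 can take its second branch and leave messages behind in buffer12 and buffer21; the state space for k = 3 is identical to that for k = 2.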

6. Implementation and Experiments

6.1. Implementation. Our approach is completely automated. First, we have implemented an encoder which takes a microservice system as input and outputs the corresponding CSP# process. Second, once the CSP# process is obtained, we can generate the state space of the asynchronous interaction behavior of the microservice system using the PAT simulator, which is defined in an LTS. Third, we verify whether the generated state space satisfies the property interaction soundness using the PAT verifier.

The generated asynchronous interaction behavior of the microservice system with buffers of size 3 shown in Figure 1 is shown in Figure 6 using the PAT simulator. The verification result shown in Figure 7 returns not valid, which means that the microservice system with buffers of size 3 has an interaction fault.

6.2. Experiments. To validate our approach, we use 10 cases obtained from the literature. We choose these cases because the literature is representative. All cases were carried out on a PC with a 2.50 GHz processor and 8 GB of RAM, running Windows 10.

Table 1 shows the experimental results for all the cases we conducted. The table gives, for each case, the number of participating microservices (|MSs|) involved in a microservice system, the number of messages (|Ms|), the size of the LTS of the synchronous interaction behaviors of a microservice system (B_s), the verification result under synchronous communication (IR_a) (“−” denotes that the system is not interaction sound and “+” denotes that the system is interaction sound), the size of the LTS of the asynchronous interaction behaviors of a microservice system with buffers of size k (B_a^k), and the verification result under k-bounded asynchronous communication (IR_s).

Out of the 10 cases presented in Table 1, 7 cases can be interaction sound under synchronous communication, e.g., see cases Ca-02, Ca-03, Ca-04, Ca-06, Ca-07, Ca-08, and Ca-10. In 7 cases, microservice systems with buffers of size 3 are not interaction sound, e.g., see cases Ca-01, Ca-02, Ca-03, Ca-05, Ca-06, Ca-09, and Ca-10.

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., the size of the LTS of the asynchronous interaction behavior remains unchanged from some buffer bound onward, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property of the system is called stable, which is proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Ca-05 faces the state space explosion problem. “Too large” means that the PAT simulator is forced to stop due to the huge state space size (>300 states).

Input: a microservice system B_a = (C, c_0, F, M, Δ)
Output: a CSP# process
    buffer_12, ..., buffer_(n-1)n = gen_buffers(B_a · C)
    set the size of buffer_12, ..., buffer_(n-1)n
    gen_message_variable(B_a · M)
    for MS_i ∈ (MS_1, MS_2, ..., MS_n) do
        σ_1, ..., σ_n = trace(MS_i)
        for σ_j ∈ (σ_1, ..., σ_n) do
            z = 1
            while (m = getHead(σ_j)) ≠ null
                if type(m) = "!"
                    P_z() = buffer_src(m)_dst(m)!action(m) -> P_(z+1)()
                else
                    P_z() = buffer_src(m)_dst(m)?[x_z == action(m)]action(m) -> P_(z+1)()
                z = z + 1
                end if
            end while
            PMS_i() = P_1()
        end for
    end for
    System() = PMS_1() ||| PMS_2() ||| ... ||| PMS_n()

ALGORITHM 1: Encoding an asynchronous interaction behavior.

Figure 6: A snapshot of the asynchronous interaction behavior using the PAT simulator.

Table 1: Verification results for all cases.

                                 Number        B_s                  B_a^1                B_a^2                B_a^3
Id          Description          |MSs|  |Ms|   LTS(|T|/|S|)  IR_a   LTS(|T|/|S|)  IR_s   LTS(|T|/|S|)  IR_s   LTS(|T|/|S|)  IR_s
Ca-01 [33]  Booking system       4      7      (10/11)       −      (23/29)       −      (24/31)       −      (24/31)       −
Ca-02 [34]  Train station        4      8      (11/13)       +      (44/76)       −      (64/122)      −      (84/168)      −
Ca-03 [32]  Protocol             3      3      (7/14)        +      (26/62)       −      (35/91)       −      (44/120)      −
Ca-04 [35]  Online shopping      3      6      (7/7)         +      (13/13)       +      (13/13)       +      (13/13)       +
Ca-05 [36]  Cloud application    4      5      (6/10)        −      (96/240)      −      Too large     −      Too large     −
Ca-06 [37]  Figure 2             3      3      (3/3)         +      (10/14)       −      (15/24)       −      (20/34)       −
Ca-07 [38]  Figure 1             4      5      (11/14)       +      (28/43)       +      (28/43)       +      (28/43)       +
Ca-08 [15]  Composition 2        2      5      (5/6)         +      (10/11)       +      (10/11)       +      (10/11)       +
Ca-09 [39]  Figure 8             3      3      (7/6)         −      (16/20)       −      (16/20)       −      (16/20)       −
Ca-10 [14]  Figure 1             3      4      (6/5)         +      (13/15)       +      (20/26)       −      (20/26)       −

Figure 7: A snapshot of the verification result using the PAT verifier.

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called “interaction soundness,” which is considered as a minimal requirement for microservice systems. We automatically verified the property interaction soundness under the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results stand for mailbox communication, e.g., each microservice is equipped with one buffer, which is used to store incoming messages from the other microservices.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., “A computation offloading method over big data for IoT-enabled cloud-edge computing,” Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, “A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems,” World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., “An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles,” Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, “BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing,” IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, “Joint optimization of offloading utility and privacy for edge computing enabled IoT,” IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, “A blockchain-based computation offloading method for edge computing in 5G networks,” Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, “Gremlin: systematic resilience testing of microservices,” in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, “Microservices architecture enables DevOps: migration to a cloud-native architecture,” IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., “Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study,” IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems with parallel optimization,” IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, “Microservices: a definition of this new architectural term,” 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, “Application delivery service challenges in microservices-based applications,” 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, “Synchronizability of communicating finite state machines is not decidable,” in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, “Synchronizability of conversations among web services,” IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., “Poster: benchmarking microservice systems for software engineering research,” in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE’18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., “Delta debugging microservice systems,” in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, “Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies,” in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, “An architecture to automate performance tests on microservices,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, “Modelling and managing deployment costs of microservice-based cloud applications,” in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, “Workload-based clustering of coherent feature sets in microservice architectures,” in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, “Publishing linked data through semantic microservices composition,” in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, “A software architecture recovery tool for maintaining microservice-based systems,” in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, “Microservices and their design tradeoffs: a self-adaptive roadmap,” in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, “Choreography conformance via synchronizability,” in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, “Synchronizability for verification of asynchronously communicating systems,” in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, “On deciding synchronizability for asynchronously communicating systems,” Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, “Model checking CSP revisited: introducing a process analysis toolkit,” in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, “Communicating sequential processes,” International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, “Deciding choreography realizability,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, “Conversation protocols: a formalism for specification and verification of reactive electronic services,” Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, “Checking the realizability of BPMN 2.0 choreographies,” in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, “Realizability of choreographies using process algebra encodings,” IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, “Modeling interactions of web software,” in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, “Counterexample guided synthesis of monitors for realizability enforcement,” Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, “Compatibility checking for asynchronously communicating software,” Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, “Local enforceability in interaction petri nets,” in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, “A tool for choreography analysis using collaboration diagrams,” in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, “Automatic verification of interactions in asynchronous systems with unbounded buffers,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE’14, pp. 743–754, Västerås, Sweden, September 2014.

12 Complexity

Page 9: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

which is defined in an LTS -ird we verify whether thegenerated state space satisfies the property interactionsoundness using the PAT verifier

-e generated asynchronous interaction behavior of themicroservice system with buffers of size 3 shown in Figure 1is shown in Figure 6 using the PAT simulator -e verifi-cation result shown in Figure 7 returns not valid whichmeans that the microservice system with buffers of size 3 hasan interaction fault

62 Experiments To validate our approach we use 10 casesobtained from the literature We choose these cases becausethe literature is representative All cases were carried out ona PC with 250GHz Processor and 8GB of RAM runningWindows 10

Table 1 shows the experimental results for all the caseswe conducted -e table gives for each case the number ofparticipating microservices (MSs) involved in a micro-service system the number of messages (Ms) the size ofthe LTS of the synchronous interaction behaviors of amicroservice system (Bs) the verification result undersynchronous communication (IRa) (ldquominusrdquo denotes that thesystem is not interaction sound and ldquo+rdquo denotes that thesystem is interaction sound) the size of the LTS of theasynchronous interaction behaviors of a microservicesystem with buffers of size k (Bk

a) and the verificationresult under k-bounded asynchronous communication(IRs)

Out of the 10 cases presented in Table 1 7 cases can beinteraction sound under synchronous communication egsee cases Ca-02 Ca-03 Ca-04 Ca-06 Ca-07 Ca-08 and

Input a microservice system Ba (C c0 F M Δ)Output a CSP process(1) buffer12 buffernminus1n gen_buffers(BamiddotC)(2) set buffer12 buffernminus1nrsquos size(3) gen_message_variable(BamiddotM)(4) for MSi isin (MS1 MS2 MSn) do(5) σ1 σn trace(MSi)(6) for σj isin (σ1 σn) do(7) z 1(8) while (m getHead(σj))null(9) if type(m) ldquordquo(10) Pz() buffersrc(m)_dst(m)action(m)⟶ Pz+1()(11) else(12) Pz() buffersrc(m)_dst(m)[xz action(m)]action(m)⟶ Pz+1()(13) z z+ 1(14) end if(15) end while(16) PMSi()P1()(17) end for(18) end for(19) System () PMS1()|||PMS1()||| |||PMSn()

ALGORITHM 1 Encoding an asynchronous interaction behavior

Figure 6 A snapshot of the asynchronous interaction behavior using the PAT simulator

Complexity 9

Ca-10 In 7 cases microservice systems with buffers of size 3are not interaction sound eg see cases Ca-01 Ca-02 Ca-03Ca-05 Ca-06 Ca-09 and Ca-10

From Table 1, we can further see that (1) in each case, the LTS of the asynchronous interaction behavior of a microservice system is bigger than that of the synchronous interaction behavior, i.e., the asynchronous interaction behavior is more complex than the synchronous interaction behavior; (2) the asynchronous interaction behavior of some microservice systems is stable, i.e., the size of the LTS of the asynchronous interaction behavior remains unchanged once a certain buffer bound is reached, e.g., see cases Ca-04, Ca-07, Ca-08, Ca-09, and Ca-10. This property of the system is called stable, as proposed in [40]; (3) when some microservice systems with buffers of size 1 are interaction sound, it does not mean that the systems with buffers of size k (k > 1) are also interaction sound, e.g., see the case Ca-10; (4) during the experiments, Case-5 faces the state space explosion problem. "Too large" means that the PAT simulator is forced to stop due to the huge state space size (>300 states).
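The following Python sketch, added here and not part of the paper or the PAT tool, illustrates observations (1) and (2): it builds the synchronous LTS and the k-bounded asynchronous LTS of two small constructed systems and reports (|T|, |S|) for growing k. The peer encoding, the two sample systems, and counting receive actions as transitions are assumptions of this example, so the sizes are not comparable to those in Table 1.

```python
from collections import deque

# A peer is (initial_state, transitions). A transition is
# (state, kind, message, partner, next_state); kind "!" sends, "?" receives.
# Both sample systems below are constructed for this example.
REQUEST_REPLY = {
    "client": (0, [(0, "!", "req", "server", 1), (1, "?", "resp", "server", 0)]),
    "server": (0, [(0, "?", "req", "client", 1), (1, "!", "resp", "client", 0)]),
}
STREAM = {
    "producer": (0, [(0, "!", "data", "consumer", 0)]),
    "consumer": (0, [(0, "?", "data", "producer", 0)]),
}


def _explore(init, successors):
    """Breadth-first search; returns (|T|, |S|) of the reachable LTS."""
    seen, edges, todo = {init}, set(), deque([init])
    while todo:
        state = todo.popleft()
        for label, nxt in successors(state):
            edges.add((state, label, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return len(edges), len(seen)


def sync_lts(peers):
    """Synchronous composition: a send fires together with its receive."""
    names = sorted(peers)

    def successors(local):
        for i, sender in enumerate(names):
            for s, kind, msg, partner, d in peers[sender][1]:
                if kind != "!" or s != local[i]:
                    continue
                j = names.index(partner)
                for s2, kind2, msg2, partner2, d2 in peers[partner][1]:
                    if (s2, kind2, msg2, partner2) == (local[j], "?", msg, sender):
                        nxt = list(local)
                        nxt[i], nxt[j] = d, d2
                        yield (sender, partner, msg), tuple(nxt)

    return _explore(tuple(peers[n][0] for n in names), successors)


def async_lts(peers, k):
    """k-bounded asynchronous composition, one FIFO buffer per ordered pair."""
    names = sorted(peers)

    def successors(state):
        local, bufs = state
        for i, name in enumerate(names):
            for s, kind, msg, partner, d in peers[name][1]:
                if s != local[i]:
                    continue
                new = dict(bufs)
                if kind == "!":
                    queue = new.get((name, partner), ())
                    if len(queue) >= k:  # buffer full: the send is blocked
                        continue
                    new[(name, partner)] = queue + (msg,)
                else:
                    queue = new.get((partner, name), ())
                    if not queue or queue[0] != msg:  # head must match
                        continue
                    new[(partner, name)] = queue[1:]
                nxt_local = local[:i] + (d,) + local[i + 1:]
                # Drop empty buffers so equal configurations compare equal.
                nxt_bufs = tuple(sorted(b for b in new.items() if b[1]))
                yield (name, kind, msg), (nxt_local, nxt_bufs)

    return _explore((tuple(peers[n][0] for n in names), ()), successors)


def stable_bound(peers, max_k):
    """Smallest k < max_k with size(k) == size(k + 1), else None.
    Equal sizes mean no buffer ever holds k + 1 messages, so the LTS is
    identical for every larger bound as well."""
    sizes = [async_lts(peers, k) for k in range(1, max_k + 1)]
    for k in range(1, max_k):
        if sizes[k - 1] == sizes[k]:
            return k
    return None


if __name__ == "__main__":
    for label, system in (("request/reply", REQUEST_REPLY), ("stream", STREAM)):
        print(label, "sync", sync_lts(system),
              "async k=1..3", [async_lts(system, k) for k in (1, 2, 3)],
              "stable at", stable_bound(system, 5))
```

The request/reply system never queues more than one message, so its LTS stops growing at k = 1, while the stream system gains a state for every extra buffer slot and never stabilizes within the explored bounds.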

7. Conclusion and Future Work

In this paper, we introduce a formal model for modeling complex interactions of microservice systems and verify whether these systems satisfy a minimal requirement for correctness using model-checking techniques. We have used LTSs to model complex interactions of microservice systems under synchronous and asynchronous communications and introduced a notion of correctness called "interaction soundness," which is considered a minimal requirement for microservice systems. We automatically verified the property interaction soundness with the support of the PAT tool. Experiments showed that many cases have interaction faults.

Our future work is to investigate whether our results hold for mailbox communication, e.g., each microservice is equipped with one buffer, which is used to store incoming messages from the other microservices.

Table 1: Verification results for all cases.

Id          Description        Number        $B_s$               $B_a^1$             $B_a^2$             $B_a^3$
                               |MSs|  |Ms|   LTS(|T|,|S|)  IRa   LTS(|T|,|S|)  IRs   LTS(|T|,|S|)  IRs   LTS(|T|,|S|)  IRs
Ca-01 [33]  Booking system     4      7      (10, 11)      −     (23, 29)      −     (24, 31)      −     (24, 31)      −
Ca-02 [34]  Train station      4      8      (11, 13)      +     (44, 76)      −     (64, 122)     −     (84, 168)     −
Ca-03 [32]  Protocol           3      3      (7, 14)       +     (26, 62)      −     (35, 91)      −     (44, 120)     −
Ca-04 [35]  Online shopping    3      6      (7, 7)        +     (13, 13)      +     (13, 13)      +     (13, 13)      +
Ca-05 [36]  Cloud application  4      5      (6, 10)       −     (96, 240)     −     Too large     −     Too large     −
Ca-06 [37]  Figure 2           3      3      (3, 3)        +     (10, 14)      −     (15, 24)      −     (20, 34)      −
Ca-07 [38]  Figure 1           4      5      (11, 14)      +     (28, 43)      +     (28, 43)      +     (28, 43)      +
Ca-08 [15]  Composition 2      2      5      (5, 6)        +     (10, 11)      +     (10, 11)      +     (10, 11)      +
Ca-09 [39]  Figure 8           3      3      (7, 6)        −     (16, 20)      −     (16, 20)      −     (16, 20)      −
Ca-10 [14]  Figure 1           3      4      (6, 5)        +     (13, 15)      +     (20, 26)      −     (20, 26)      −

Figure 7: A snapshot of the verification result using the PAT verifier.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the project of National Natural Science Foundation of China (Grant nos. 61702442 and 61862065) and the Application Basic Research Project in Yunnan Province (Grant no. 2018FB105).

References

[1] X. Xu, Q. Liu, Y. Luo et al., "A computation offloading method over big data for IoT-enabled cloud-edge computing," Future Generation Computer Systems, vol. 95, pp. 522–533, 2019.

[2] L. Qi, Y. Chen, Y. Yuan, S. Fu, X. Zhang, and X. L. Xu, "A QoS-aware virtual machine scheduling method for energy conservation in cloud-based cyber-physical systems," World Wide Web, 2019.

[3] X. Xu, Y. Xue, L. Qi et al., "An edge computing-enabled computation offloading method with privacy preservation for internet of connected vehicles," Future Generation Computer Systems, vol. 96, pp. 89–100, 2019.

[4] X. Xu, X. Zhang, H. Gao, Y. Xue, L. Qi, and W. Dou, "BeCome: blockchain-enabled computation offloading for IoT in mobile edge computing," IEEE Transactions on Industrial Informatics, vol. 16, no. 6, pp. 4187–4195, 2020.

[5] X. Xu, C. He, Z. Xu, L. Qi, S. Wan, and M. Z. A. Bhuiyan, "Joint optimization of offloading utility and privacy for edge computing enabled IoT," IEEE Internet of Things Journal, p. 1, 2019.

[6] X. Xu, Y. Chen, X. Zhang, Q. Liu, X. Liu, and L. Qi, "A blockchain-based computation offloading method for edge computing in 5G networks," Software: Practice and Experience, 2019.

[7] V. Heorhiadi, S. Rajagopalan, H. Jamjoom, M. K. Reiter, and V. Sekar, "Gremlin: systematic resilience testing of microservices," in Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 57–66, Nara, Japan, June 2016.

[8] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[9] A. Balalaie, A. Heydarnoori, and P. Jamshidi, "Microservices architecture enables DevOps: migration to a cloud-native architecture," IEEE Software, vol. 33, no. 3, pp. 42–52, 2016.

[10] X. Zhou, X. Peng, T. Xie et al., "Fault analysis and debugging of microservice systems: industrial survey, benchmark system, and empirical study," IEEE Transactions on Software Engineering, p. 1, 2018.

[11] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems with parallel optimization," IEEE Transactions on Services Computing, p. 1, 2019.

[12] J. Lewis and M. Fowler, "Microservices: a definition of this new architectural term," 2014, http://martinfowler.com/articles/microservices.html.

[13] A. Deb, "Application delivery service challenges in microservices-based applications," 2016, http://www.thefabricnet.com/application-delivery-servicechallenges-in-microservices-based-applications.

[14] F. Alaina and E. Lozes, "Synchronizability of communicating finite state machines is not decidable," in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, vol. 122, pp. 1–14, Warsaw, Poland, 2017.

[15] X. Fu, T. Bultan, and J. Su, "Synchronizability of conversations among web services," IEEE Transactions on Software Engineering, vol. 31, no. 12, pp. 1042–1055, 2005.

[16] X. Zhou, X. Peng, T. Xie et al., "Poster: benchmarking microservice systems for software engineering research," in Proceedings of the International Conference on Software Engineering: Companion Proceedings (ICSE'18), pp. 323-324, Gothenburg, Sweden, 2018.

[17] X. Zhou, X. Peng, T. Xie et al., "Delta debugging microservice systems," in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 802–807, New York, NY, USA, 2018.

[18] G. Schermann, D. Schoni, P. Leitner, and H. C. Gall, "Bifrost: supporting continuous deployment with automated enactment of multi-phase live testing strategies," in Proceedings of the 17th International Middleware Conference, p. 12, Trento, Italy, December 2016.

[19] A. de Camargo, I. L. Salvadori, R. dos Santos Mello, and F. Siqueira, "An architecture to automate performance tests on microservices," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 422–429, Singapore, November 2016.

[20] P. Leitner, J. Cito, and E. Stockli, "Modelling and managing deployment costs of microservice-based cloud applications," in Proceedings of the 9th International Conference on Utility and Cloud Computing, UCC 2016, pp. 165–174, Shanghai, China, December 2016.

[21] S. Klock, J. M. E. M. van der Werf, J. P. Guelen, and S. Jansen, "Workload-based clustering of coherent feature sets in microservice architectures," in Proceedings of the 2017 IEEE International Conference on Software Architecture, ICSA 2017, pp. 11–20, Gothenburg, Sweden, April 2017.

[22] I. L. Salvadori, A. Huf, R. dos Santos Mello, and F. Siqueira, "Publishing linked data through semantic microservices composition," in Proceedings of the 18th International Conference on Information Integration and Web-Based Applications and Services, iiWAS 2016, pp. 443–452, Singapore, November 2016.

[23] G. Granchelli, M. Cardarelli, P. D. Francesco, I. Malavolta, L. Iovino, and A. D. S. Microart, "A software architecture recovery tool for maintaining microservice-based systems," in Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops, ICSA Workshops 2017, pp. 298–302, Gothenburg, Sweden, April 2017.

[24] S. Hassan and R. Bahsoon, "Microservices and their design tradeoffs: a self-adaptive roadmap," in Proceedings of the 2016 IEEE International Conference on Services Computing, SCC 2016, pp. 813–818, San Francisco, CA, USA, June 2016.

[25] S. Basu and T. Bultan, "Choreography conformance via synchronizability," in Proceedings of the 20th International Conference on World Wide Web, pp. 795–804, Hyderabad, India, March 2011.

[26] S. Basu, T. Bultan, and M. Ouederni, "Synchronizability for verification of asynchronously communicating systems," in Proceedings of the International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 56–71, Long Island, NY, USA, 2012.

[27] S. Basu and T. Bultan, "On deciding synchronizability for asynchronously communicating systems," Theoretical Computer Science, vol. 656, pp. 60–75, 2016.

[28] J. Sun, Y. Liu, and J. Dong, "Model checking CSP revisited: introducing a process analysis toolkit," in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, "Integrating specification and programs for system modeling and verification," in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, "Communicating sequential processes," International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, "Deciding choreography realizability," ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, "Conversation protocols: a formalism for specification and verification of reactive electronic services," Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, "Checking the realizability of BPMN 2.0 choreographies," in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaun, T. Bultan, and N. Roohi, "Realizability of choreographies using process algebra encodings," IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, "Modeling interactions of web software," in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Gudemann, G. Salaun, and M. Ouederni, "Counterexample guided synthesis of monitors for realizability enforcement," Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaun, and T. Bultan, "Compatibility checking for asynchronously communicating software," Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, "Local enforceability in interaction petri nets," in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, "A tool for choreography analysis using collaboration diagrams," in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, "Automatic verification of interactions in asynchronous systems with unbounded buffers," in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE'14, pp. 743–754, Västerås, Sweden, September 2014.

12 Complexity

Page 10: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

Ca-10 In 7 cases microservice systems with buffers of size 3are not interaction sound eg see cases Ca-01 Ca-02 Ca-03Ca-05 Ca-06 Ca-09 and Ca-10

From Table 1 we can further see that (1) in each casethe LTS of the asynchronous interaction behavior of amicroservice system is bigger than that of the synchronousinteraction behavior ie the asynchronous interactionbehavior is more complex than the synchronous interac-tion behavior (2) the asynchronous interaction behavior ofsome microservice systems is stable ie once the size of theLTS of the asynchronous interaction behavior remainsunchanged for a buffer bound eg see cases Ca-04 Ca-07Ca-08 Ca-09 and Ca-10 -is property on the system iscalled stable which is proposed in [40] (3) when somemicroservice systems with buffers of size 1 are interactionsound it does not mean that the systems with buffers of sizek (k gt 1) are also interaction sound eg see the case Ca-10(4) during the experiments Case-5 faces the state spaceexplosion problem ldquoToo largerdquo means that the PAT

simulator is forced to stop due to the huge state space size(gt300 states)

7 Conclusion and Future Work

In this paper we introduce a formal model for modelingcomplex interactions of microservice systems and verifywhether these systems satisfy a minimal requirement forcorrectness using model-checking techniques We have usedLTLs to model complex interactions of microservice systemsunder synchronous and asynchronous communications andintroduced a notion of correctness called ldquointeractionsoundnessrdquo which is considered as a minimal requirementfor microservice systems We automatically verified theproperty interaction soundness under the support of thePAT tool Experiments showed that many cases have in-teraction faults

Our future work is to investigate whether our resultsstand for mailbox communication eg each microservice is

Table 1 Verification results for all cases

Id DescriptionNumber Bs B1

a B2a B3

a

|MSs| |Ms| LTS(|T||S|) IRa LTS(|T||S|) IRs LTS(|T||S|) IRs LTS(|T||S|) IRs

Ca-01 [33] Booking system 4 7 (1011) minus (2329) minus (2431) minus (2431) minus

Ca-02 [34] Train station 4 8 (1113) + (4476) minus (64122) minus (84168) minus

Ca-03 [32] Protocol 3 3 (714) + (2662) minus (3591) minus (44120) minus

Ca-04 [35] Online shopping 3 6 (77) + (1313) + (1313) + (1313) +Ca-05 [36] Cloud application 4 5 (610) minus (96240) minus Too large minus Too large minus

Ca-06 [37] Figure 2 3 3 (33) + (1014) minus (1524) minus (2034) minus

Ca-07 [38] Figure 1 4 5 (1114) + (2843) + (2843) + (2843) +Ca-08 [15] Composition 2 2 5 (56) + (1011) + (1011) + (1011) +Ca-09 [39] Figure 8 3 3 (76) minus (1620) minus (1620) minus (1620) minus

Ca-10 [14] Figure 1 3 4 (65) + (1315) + (2026) minus (2026) minus

Figure 7 A snapshot of the verification result using the PAT verifier

10 Complexity

equipped with one buffer which is used to store incomingmessages from the other microservices

Data Availability

-e data used to support the findings of this study are in-cluded within the article

Conflicts of Interest

-e authors declare that they have no conflicts of interest

Acknowledgments

-is work was supported in part by the project of NationalNatural Science Foundation of China (Grant nos 61702442and 61862065) and the Application Basic Research Project inYunnan Province (Grant no 2018FB105)

References

[1] X Xu Q Liu Y Luo et al ldquoA computation offloadingmethod over big data for IoT-enabled cloud-edge com-putingrdquo Future Generation Computer Systems vol 95pp 522ndash533 2019

[2] L Qi Y Chen Y Yuan S Fu X Zhang and X L Xu ldquoAQoS-aware virtual machine scheduling method for energyconservation in cloud-based cyber-physical systemsrdquo WorldWide Web 2019

[3] X Xu Y Xue L Qi et al ldquoAn edge computing-enabledcomputation offloading method with privacy preservation forinternet of connected vehiclesrdquo Future Generation ComputerSystems vol 96 pp 89ndash100 2019

[4] X Xu X Zhang H Gao Y Xue L Qi and W Dou ldquoBe-Come blockchain-enabled computation offloading for IoT inmobile edge computingrdquo IEEE Transactions on IndustrialInformatics vol 16 no 6 pp 4187ndash4195 2020

[5] X Xu C He Z Xu L Qi S Wan andM Z A Bhuiyan ldquoJointoptimization of offloading utility and privacy for edge com-puting enabled IoTrdquo IEEE Internet ofGings Journal p 1 2019

[6] X Xu Y Chen X Zhang Q Liu X Liu and L Qi ldquoAblockchain-based computation offloading method for edgecomputing in 5G networksrdquo Software Practice and Experi-ence 2019

[7] V Heorhiadi S Rajagopalan H Jamjoom M K Reiter andV Sekar ldquoGremlin systematic resilience testing of micro-servicesrdquo in Proceedings of the 36th IEEE InternationalConference on Distributed Computing Systems ICDCSpp 57ndash66 Nara Japan June 2016

[8] J Lewis andM Fowler ldquoMicroservices a definition of this newarchitectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[9] A Balalaie A Heydarnoori and P Jamshidi ldquoMicroservicesarchitecture enables DevOps migration to a cloud-nativearchitecturerdquo IEEE Software vol 33 no 3 pp 42ndash52 2016

[10] X Zhou X Peng T Xie et al ldquoFault analysis and debuggingof microservice systems industrial survey benchmark systemand empirical studyrdquo IEEE Transactions on Software Engi-neering p 1 2018

[11] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystems with parallel optimizationrdquo IEEE Transactions onServices Computing p 1 2019

[12] J Lewis and M Fowler ldquoMicroservices a definition of thisnew architectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[13] A Deb ldquoApplication delivery service challenges inmicroservices-based applicationsrdquo 2016 httpwwwthefabricnetcomapplication-delivery-servicechallenges-in-microservices-based-applications

[14] F Alaina and E Lozes ldquoSynchronizability of communicating finitestate machines is not decidablerdquo in Proceedings of the 44th In-ternational Colloquium on Automata Languages and Program-ming ICALP 2017 vol 122 pp 1ndash14 Warsaw Poland 2017

[15] X Fu T Bultan and J Su ldquoSynchronizability of conversationsamong web servicesrdquo IEEE Transactions on Software Engi-neering vol 31 no 12 pp 1042ndash1055 2005

[16] X Zhou X Peng T Xie et al ldquoPoster benchmarkingmicroservice systems for software engineering researchrdquo inProceedings of the International Conference on Software En-gineering Companion Proceedings (ICSErsquo18) pp 323-324Gothenburg Sweden 2018

[17] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystemsrdquo in Proceedings of the 33rd ACMIEEE InternationalConference on Automated Software Engineering pp 802ndash807New York NY USA 2018

[18] G Schermann D Schoni P Leitner and H C Gall ldquoBifrostsupporting continuous deployment with automated enact-ment of multi-phase live testing strategiesrdquo in Proceedings ofthe 17th International Middleware Conference p 12 TrentoItaly December 2016

[19] A de Camargo I L Salvadori R dos Santos Mello andF Siqueira ldquoAn architecture to automate performance tests onmicroservicesrdquo inProceedings of the 18th International Conferenceon Information Integration and Web-Based Applications andServices iiWAS 2016 pp 422ndash429 Singapore November 2016

[20] P Leitner J Cito and E Stockli ldquoModelling and managingdeployment costs of microservice-based cloud applicationsrdquoin Proceedings of the 9th International Conference on Utilityand Cloud Computing UCC 2016 pp 165ndash174 ShanghaiChina December 2016

[21] S Klock J M E M van der Werf J P Guelen and S JansenldquoWorkload-based clustering of coherent feature sets inmicroservice architecturesrdquo in Proceedings of the 2017 IEEEInternational Conference on Software Architecture ICSA 2017pp 11ndash20 Gothenburg Sweden April 2017

[22] I L Salvadori A Huf R dos Santos Mello and F SiqueiraldquoPublishing linked data through semantic microservices com-positionrdquo in Proceedings of the 18th International Conference onInformation Integration and Web-Based Applications and Ser-vices iiWAS 2016 pp 443ndash452 Singapore November 2016

[23] G Granchelli M Cardarelli P D Francesco I MalavoltaL Iovino and A D S Microart ldquoA software architecturerecovery tool for maintaining microservice-based systemsrdquo inProceedings of the 2017 IEEE International Conference onSoftware Architecture Workshops ICSA Workshops 2017pp 298ndash302 Gothenburg Sweden April 2017

[24] S Hassan and R Bahsoon ldquoMicroservices and their designtradeoffs a self-adaptive roadmaprdquo in Proceedings of the 2016IEEE International Conference on Services Computing SCC2016 pp 813ndash818 San Francisco CA USA June 2016

[25] S Basu and T Bultan ldquoChoreography conformance viasynchronizabilityrdquo in Proceedings of the 20th InternationalConference on World Wide Web pp 795ndash804 HyderabadIndia March 2011

[26] S Basu T Bultan and M Ouederni ldquoSynchronizability forverification of asynchronously communicating systemsrdquo in

Complexity 11

Proceedings of the International Workshop on VerificationModel Checking and Abstract Interpretation pp 56ndash71 LongIsland NY USA 2012

[27] S Basu and T Bultan ldquoOn deciding synchronizability forasynchronously communicating systemsrdquo Georetical Com-puter Science vol 656 pp 60ndash75 2016

[28] J Sun Y Liu and J Dong ldquoModel checking CSP revisitedintroducing a process analysis toolkitrdquo in Proceedings of the2008 International Symposium on Leveraging Applications ofFormal Methods Verification and Validation pp 307ndash322Porto Sani Greece 2008

[29] J Sun Y Liu J Dong and C Chen ldquoIntegrating specificationand programs for system modeling and verificationrdquo inProceedings of the 3rd IEEE International Symposium onGeoretical Aspects of Software Engineering (TASE 2009)pp 127ndash135 Tianjin China July 2009

[30] C A R Hoare ldquoCommunicating sequential processesrdquo In-ternational Series in Computer Science Prentice-Hall UpperSaddle River NJ USA 1985

[31] S Basu T Bultan and M Ouederni ldquoDeciding choreographyrealizabilityrdquo ACM SIGPLAN Notices vol 47 no 1pp 191ndash202 2012

[32] X Fu T Bultan and J Su ldquoConversation protocols a for-malism for specification and verification of reactive electronicservicesrdquo Georetical Computer Science vol 328 no 1-2pp 19ndash37 2004

[33] P Poizat ldquoChecking the realizability of BPMN 20 choreogra-phiesrdquo in Proceedings of the 2012 ACM Symposium on AppliedComputing ACM Trento Italy pp 1927ndash1934 March 2012

[34] G Salaun T Bultan and N Roohi ldquoRealizability of chore-ographies using process algebra encodingsrdquo IEEE Transac-tions on Services Computing vol 5 no 3 pp 290ndash304 2012

[35] T Bultan ldquoModeling interactions of web softwarerdquo in Pro-ceedings of the 2006 International Workshop on AutomatedSpecification and Verification of Web Systems IEEE PaphosCyprus pp 45ndash52 November 2006

[36] M Gudemann G Salaun and M Ouederni ldquoCounterex-ample guided synthesis of monitors for realizability en-forcementrdquo Automated Technology for Verification andAnalysis vol 7561 pp 238ndash253 2012

[37] M Ouederni G Salaun and T Bultan ldquoCompatibilitychecking for asynchronously communicating softwarerdquoFormal Aspects of Component Software pp 310ndash328 SpringerBerlin Germany 2013

[38] G Decker and M Weske ldquoLocal enforceability in interactionpetri netsrdquo in Proceedings of the 5th International Conferenceon Business Process Management pp 305ndash319 BrisbaneAustralia September 2007

[39] T Bultan F Chris and F Xiang ldquoA tool for choreographyanalysis using collaboration diagramsrdquo in Proceedings of the7th IEEE International Conference on Web Services (ICWS2009) pp 856ndash863 Los Angeles CA USA July 2009

[40] S Basu and T Bultan ldquoAutomatic verification of interactionsin asynchronous systems with unbounded buffersrdquo in Pro-ceedings of the 29th ACMIEEE International Conference onAutomated Software Engineering ASErsquo14 pp 743ndash754 VstersSweden September 2014

12 Complexity

Page 11: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

equipped with one buffer which is used to store incomingmessages from the other microservices

Data Availability

-e data used to support the findings of this study are in-cluded within the article

Conflicts of Interest

-e authors declare that they have no conflicts of interest

Acknowledgments

-is work was supported in part by the project of NationalNatural Science Foundation of China (Grant nos 61702442and 61862065) and the Application Basic Research Project inYunnan Province (Grant no 2018FB105)

References

[1] X Xu Q Liu Y Luo et al ldquoA computation offloadingmethod over big data for IoT-enabled cloud-edge com-putingrdquo Future Generation Computer Systems vol 95pp 522ndash533 2019

[2] L Qi Y Chen Y Yuan S Fu X Zhang and X L Xu ldquoAQoS-aware virtual machine scheduling method for energyconservation in cloud-based cyber-physical systemsrdquo WorldWide Web 2019

[3] X Xu Y Xue L Qi et al ldquoAn edge computing-enabledcomputation offloading method with privacy preservation forinternet of connected vehiclesrdquo Future Generation ComputerSystems vol 96 pp 89ndash100 2019

[4] X Xu X Zhang H Gao Y Xue L Qi and W Dou ldquoBe-Come blockchain-enabled computation offloading for IoT inmobile edge computingrdquo IEEE Transactions on IndustrialInformatics vol 16 no 6 pp 4187ndash4195 2020

[5] X Xu C He Z Xu L Qi S Wan andM Z A Bhuiyan ldquoJointoptimization of offloading utility and privacy for edge com-puting enabled IoTrdquo IEEE Internet ofGings Journal p 1 2019

[6] X Xu Y Chen X Zhang Q Liu X Liu and L Qi ldquoAblockchain-based computation offloading method for edgecomputing in 5G networksrdquo Software Practice and Experi-ence 2019

[7] V Heorhiadi S Rajagopalan H Jamjoom M K Reiter andV Sekar ldquoGremlin systematic resilience testing of micro-servicesrdquo in Proceedings of the 36th IEEE InternationalConference on Distributed Computing Systems ICDCSpp 57ndash66 Nara Japan June 2016

[8] J Lewis andM Fowler ldquoMicroservices a definition of this newarchitectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[9] A Balalaie A Heydarnoori and P Jamshidi ldquoMicroservicesarchitecture enables DevOps migration to a cloud-nativearchitecturerdquo IEEE Software vol 33 no 3 pp 42ndash52 2016

[10] X Zhou X Peng T Xie et al ldquoFault analysis and debuggingof microservice systems industrial survey benchmark systemand empirical studyrdquo IEEE Transactions on Software Engi-neering p 1 2018

[11] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystems with parallel optimizationrdquo IEEE Transactions onServices Computing p 1 2019

[12] J Lewis and M Fowler ldquoMicroservices a definition of thisnew architectural termrdquo 2014 httpmartinfowlercomarticlesmicroserviceshtml

[13] A Deb ldquoApplication delivery service challenges inmicroservices-based applicationsrdquo 2016 httpwwwthefabricnetcomapplication-delivery-servicechallenges-in-microservices-based-applications

[14] F Alaina and E Lozes ldquoSynchronizability of communicating finitestate machines is not decidablerdquo in Proceedings of the 44th In-ternational Colloquium on Automata Languages and Program-ming ICALP 2017 vol 122 pp 1ndash14 Warsaw Poland 2017

[15] X Fu T Bultan and J Su ldquoSynchronizability of conversationsamong web servicesrdquo IEEE Transactions on Software Engi-neering vol 31 no 12 pp 1042ndash1055 2005

[16] X Zhou X Peng T Xie et al ldquoPoster benchmarkingmicroservice systems for software engineering researchrdquo inProceedings of the International Conference on Software En-gineering Companion Proceedings (ICSErsquo18) pp 323-324Gothenburg Sweden 2018

[17] X Zhou X Peng T Xie et al ldquoDelta debugging microservicesystemsrdquo in Proceedings of the 33rd ACMIEEE InternationalConference on Automated Software Engineering pp 802ndash807New York NY USA 2018

[18] G Schermann D Schoni P Leitner and H C Gall ldquoBifrostsupporting continuous deployment with automated enact-ment of multi-phase live testing strategiesrdquo in Proceedings ofthe 17th International Middleware Conference p 12 TrentoItaly December 2016

[19] A de Camargo I L Salvadori R dos Santos Mello andF Siqueira ldquoAn architecture to automate performance tests onmicroservicesrdquo inProceedings of the 18th International Conferenceon Information Integration and Web-Based Applications andServices iiWAS 2016 pp 422ndash429 Singapore November 2016

[20] P Leitner J Cito and E Stockli ldquoModelling and managingdeployment costs of microservice-based cloud applicationsrdquoin Proceedings of the 9th International Conference on Utilityand Cloud Computing UCC 2016 pp 165ndash174 ShanghaiChina December 2016

[21] S Klock J M E M van der Werf J P Guelen and S JansenldquoWorkload-based clustering of coherent feature sets inmicroservice architecturesrdquo in Proceedings of the 2017 IEEEInternational Conference on Software Architecture ICSA 2017pp 11ndash20 Gothenburg Sweden April 2017

[22] I L Salvadori A Huf R dos Santos Mello and F SiqueiraldquoPublishing linked data through semantic microservices com-positionrdquo in Proceedings of the 18th International Conference onInformation Integration and Web-Based Applications and Ser-vices iiWAS 2016 pp 443ndash452 Singapore November 2016

[23] G Granchelli M Cardarelli P D Francesco I MalavoltaL Iovino and A D S Microart ldquoA software architecturerecovery tool for maintaining microservice-based systemsrdquo inProceedings of the 2017 IEEE International Conference onSoftware Architecture Workshops ICSA Workshops 2017pp 298ndash302 Gothenburg Sweden April 2017

[24] S Hassan and R Bahsoon ldquoMicroservices and their designtradeoffs a self-adaptive roadmaprdquo in Proceedings of the 2016IEEE International Conference on Services Computing SCC2016 pp 813ndash818 San Francisco CA USA June 2016

[25] S Basu and T Bultan ldquoChoreography conformance viasynchronizabilityrdquo in Proceedings of the 20th InternationalConference on World Wide Web pp 795ndash804 HyderabadIndia March 2011

[26] S Basu T Bultan and M Ouederni ldquoSynchronizability forverification of asynchronously communicating systemsrdquo in

Complexity 11

Proceedings of the International Workshop on VerificationModel Checking and Abstract Interpretation pp 56ndash71 LongIsland NY USA 2012

[27] S Basu and T Bultan ldquoOn deciding synchronizability forasynchronously communicating systemsrdquo Georetical Com-puter Science vol 656 pp 60ndash75 2016

[28] J. Sun, Y. Liu, and J. Dong, “Model checking CSP revisited: introducing a process analysis toolkit,” in Proceedings of the 2008 International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, pp. 307–322, Porto Sani, Greece, 2008.

[29] J. Sun, Y. Liu, J. Dong, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pp. 127–135, Tianjin, China, July 2009.

[30] C. A. R. Hoare, “Communicating sequential processes,” International Series in Computer Science, Prentice-Hall, Upper Saddle River, NJ, USA, 1985.

[31] S. Basu, T. Bultan, and M. Ouederni, “Deciding choreography realizability,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 191–202, 2012.

[32] X. Fu, T. Bultan, and J. Su, “Conversation protocols: a formalism for specification and verification of reactive electronic services,” Theoretical Computer Science, vol. 328, no. 1-2, pp. 19–37, 2004.

[33] P. Poizat, “Checking the realizability of BPMN 2.0 choreographies,” in Proceedings of the 2012 ACM Symposium on Applied Computing, ACM, Trento, Italy, pp. 1927–1934, March 2012.

[34] G. Salaün, T. Bultan, and N. Roohi, “Realizability of choreographies using process algebra encodings,” IEEE Transactions on Services Computing, vol. 5, no. 3, pp. 290–304, 2012.

[35] T. Bultan, “Modeling interactions of web software,” in Proceedings of the 2006 International Workshop on Automated Specification and Verification of Web Systems, IEEE, Paphos, Cyprus, pp. 45–52, November 2006.

[36] M. Güdemann, G. Salaün, and M. Ouederni, “Counterexample guided synthesis of monitors for realizability enforcement,” Automated Technology for Verification and Analysis, vol. 7561, pp. 238–253, 2012.

[37] M. Ouederni, G. Salaün, and T. Bultan, “Compatibility checking for asynchronously communicating software,” Formal Aspects of Component Software, pp. 310–328, Springer, Berlin, Germany, 2013.

[38] G. Decker and M. Weske, “Local enforceability in interaction petri nets,” in Proceedings of the 5th International Conference on Business Process Management, pp. 305–319, Brisbane, Australia, September 2007.

[39] T. Bultan, F. Chris, and F. Xiang, “A tool for choreography analysis using collaboration diagrams,” in Proceedings of the 7th IEEE International Conference on Web Services (ICWS 2009), pp. 856–863, Los Angeles, CA, USA, July 2009.

[40] S. Basu and T. Bultan, “Automatic verification of interactions in asynchronous systems with unbounded buffers,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE’14, pp. 743–754, Västerås, Sweden, September 2014.

12 Complexity

Page 12: AutomaticAnalysisofComplexInteractionsin MicroserviceSystemsdownloads.hindawi.com/journals/complexity/2020/2128793.pdf · effective technique for analyzing interactions in micro-service

Proceedings of the International Workshop on VerificationModel Checking and Abstract Interpretation pp 56ndash71 LongIsland NY USA 2012

[27] S Basu and T Bultan ldquoOn deciding synchronizability forasynchronously communicating systemsrdquo Georetical Com-puter Science vol 656 pp 60ndash75 2016

[28] J Sun Y Liu and J Dong ldquoModel checking CSP revisitedintroducing a process analysis toolkitrdquo in Proceedings of the2008 International Symposium on Leveraging Applications ofFormal Methods Verification and Validation pp 307ndash322Porto Sani Greece 2008

[29] J Sun Y Liu J Dong and C Chen ldquoIntegrating specificationand programs for system modeling and verificationrdquo inProceedings of the 3rd IEEE International Symposium onGeoretical Aspects of Software Engineering (TASE 2009)pp 127ndash135 Tianjin China July 2009

[30] C A R Hoare ldquoCommunicating sequential processesrdquo In-ternational Series in Computer Science Prentice-Hall UpperSaddle River NJ USA 1985

[31] S Basu T Bultan and M Ouederni ldquoDeciding choreographyrealizabilityrdquo ACM SIGPLAN Notices vol 47 no 1pp 191ndash202 2012

[32] X Fu T Bultan and J Su ldquoConversation protocols a for-malism for specification and verification of reactive electronicservicesrdquo Georetical Computer Science vol 328 no 1-2pp 19ndash37 2004

[33] P Poizat ldquoChecking the realizability of BPMN 20 choreogra-phiesrdquo in Proceedings of the 2012 ACM Symposium on AppliedComputing ACM Trento Italy pp 1927ndash1934 March 2012

[34] G Salaun T Bultan and N Roohi ldquoRealizability of chore-ographies using process algebra encodingsrdquo IEEE Transac-tions on Services Computing vol 5 no 3 pp 290ndash304 2012

[35] T Bultan ldquoModeling interactions of web softwarerdquo in Pro-ceedings of the 2006 International Workshop on AutomatedSpecification and Verification of Web Systems IEEE PaphosCyprus pp 45ndash52 November 2006

[36] M Gudemann G Salaun and M Ouederni ldquoCounterex-ample guided synthesis of monitors for realizability en-forcementrdquo Automated Technology for Verification andAnalysis vol 7561 pp 238ndash253 2012

[37] M Ouederni G Salaun and T Bultan ldquoCompatibilitychecking for asynchronously communicating softwarerdquoFormal Aspects of Component Software pp 310ndash328 SpringerBerlin Germany 2013

[38] G Decker and M Weske ldquoLocal enforceability in interactionpetri netsrdquo in Proceedings of the 5th International Conferenceon Business Process Management pp 305ndash319 BrisbaneAustralia September 2007

[39] T Bultan F Chris and F Xiang ldquoA tool for choreographyanalysis using collaboration diagramsrdquo in Proceedings of the7th IEEE International Conference on Web Services (ICWS2009) pp 856ndash863 Los Angeles CA USA July 2009

[40] S Basu and T Bultan ldquoAutomatic verification of interactionsin asynchronous systems with unbounded buffersrdquo in Pro-ceedings of the 29th ACMIEEE International Conference onAutomated Software Engineering ASErsquo14 pp 743ndash754 VstersSweden September 2014

12 Complexity


Recommended