Towards Fine-grained Automated Verification of Publish-Subscribe Architectures

Luciano Baresi, Carlo Ghezzi, and Luca Mottola
Dipartimento di Elettronica ed Informazione, Politecnico di Milano
{baresi,ghezzi,mottola}@elet.polimi.it

Abstract. The design and validation of distributed applications built on top of Publish-Subscribe infrastructures remain an open problem. Previous efforts adopted finite automata to specify the components' behavior, and model checking to verify global properties. However, existing proposals are far from being applicable in real contexts, as strong simplifications of the underlying Publish-Subscribe infrastructure are needed to make automatic verification feasible. To face this challenge, we propose a novel approach that embeds the asynchronous communication mechanisms of Publish-Subscribe infrastructures within the model checker. This way, Publish-Subscribe primitives become available to the specification of application components as additional, domain-specific constructs of the modeling language. With this approach, one can develop a fine-grained model of the Publish-Subscribe infrastructure without incurring state space explosion, thus enabling the automated verification of application components on top of realistic communication infrastructures.

1 Introduction

The Publish-Subscribe interaction paradigm is rapidly emerging as an appealing solution to the needs of applications designed for highly dynamic environments. Using this paradigm, application components subscribe to event patterns and get notified when other components publish events matching their subscriptions. Its asynchronous, implicit and multi-point communication style is particularly amenable to scenarios where application components can be added or removed unpredictably, and the communication must be decoupled both in time and in space [1].
Because of this flexibility, Publish-Subscribe infrastructures have been developed for a wide range of application scenarios, from wide-area notification services to wireless sensor networks. However, the high degree of decoupling also brings several drawbacks. In particular, verifying the behavior of a federation of independently written software components interconnected in such a loosely coupled manner is often difficult because of the absence of a precise specification of the behavior of the communication infrastructure. Model checking has been proposed as a possible solution, but existing works do not propose a precise characterisation of the different guarantees the underlying Publish-Subscribe infrastructure can provide. For instance, different message delivery policies, reliability guarantees or concurrency models can easily change the final outcome of the verification effort.
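As an added illustration of that last point (not the paper's own model, tool or modeling language), the toy explicit-state check below explores every interleaving of a constructed Publish-Subscribe scenario under two assumed delivery policies: a "fifo" broker that delivers events in publication order, and an "unordered" broker that may deliver any in-flight event next. The same application components satisfy their safety property under the first policy and violate it under the second, so the verification outcome depends entirely on how precisely the infrastructure is modeled.

```python
# Constructed toy scenario (an assumption for this example, not from the paper):
# one publisher emits "lock" then "unlock"; one subscriber requires that it
# never observes "unlock" before "lock" (a safety property on its observations).
PUBLISHED = ("lock", "unlock")


def property_holds(observed):
    """Safety property: the first event the subscriber sees must not be "unlock"."""
    return not (observed and observed[0] == "unlock")


def successors(state, delivery):
    """Enabled transitions from a state (publish index, in-flight events, observed).

    delivery == "fifo": the broker only delivers the oldest in-flight event.
    delivery == "unordered": any in-flight event may be delivered next.
    """
    pub_idx, inflight, observed = state
    if pub_idx < len(PUBLISHED):
        ev = PUBLISHED[pub_idx]
        yield "publish " + ev, (pub_idx + 1, inflight + (ev,), observed)
    deliverable = range(min(1, len(inflight))) if delivery == "fifo" else range(len(inflight))
    for i in deliverable:
        ev = inflight[i]
        rest = inflight[:i] + inflight[i + 1:]
        yield "deliver " + ev, (pub_idx, rest, observed + (ev,))


def model_check(delivery):
    """Depth-first exploration of all reachable states for the given policy.

    Returns None if the property holds in every reachable state, otherwise the
    list of transition labels (a counterexample trace) leading to the violation.
    """
    init = (0, (), ())
    stack = [(init, [])]
    seen = {init}
    while stack:
        state, trace = stack.pop()
        if not property_holds(state[2]):
            return trace
        for label, nxt in successors(state, delivery):
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    for policy in ("fifo", "unordered"):
        print(policy, "->", model_check(policy) or "property holds")
```

With the "fifo" policy no violation is reachable, while with "unordered" the checker reports the interleaving publish lock, publish unlock, deliver unlock.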