Planning for Software System Recovery by Knowing Design Limitations of Cloud-native Patterns

PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE ON CLOUD COMPUTING AND SERVICES SCIENCE (CLOSER) (2022)

Abstract
Context. Application designers use cloud-native architectural patterns such as Circuit Breaker that come with third-party implementations to improve overall system reliability. Problem. Important quality decisions are hidden in the codebase and are usually not documented by third-party implementations. Runtime changes may invalidate, for example, a pattern's decision assumption(s) and cause the reliant service to face unacceptable quality degradation with no recovery plan. Objective. The primary goal of this study is to derive important quality decisions of patterns independent of a particular implementation. Method. To achieve our objective, we perform exploratory research on two architectural patterns, (1) Circuit Breaker and (2) Event Sourcing, which come with different third-party implementations and which application designers often use. We formally specify the design and the guarantees of each pattern using Temporal Logic of Actions (TLA) and verify the guarantees, which guides us in deriving important quality decisions. Result. To show the usefulness of our method, we systematically generate failure scenarios for third-party implementations of the Circuit Breaker and Event Sourcing patterns that compromise Hystrix's and Kafka's guarantees on preventing further degradation of protected services and the loss of committed messages, respectively. Conclusion. The result suggests that important quality decisions derived from formal models of the patterns help application designers prepare for unacceptable system quality degradation by knowing when a third-party implementation of the architectural patterns fails to maintain its guarantees.
Keywords
Cloud-native Patterns, Formal Method, TLA+