Modular Reasoning in Aspect-oriented Languages Tim Molderez Ansymo Antwerp Systems and Software Modelling.

Slides:

Advertisements

Similar presentations

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Advertisements

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

The Substitution Principle SWE 332 – Fall Liskov Substitution Principle In any client code, if subtype object is substituted for supertype object,

Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.

ASTA Aspect Software Testing Assistant Juha Gustafsson, Juha Taina, Jukka Viljamaa University of Helsinki.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University 1 Modularization.

Overview of AspectJ Aspect Oriented Software Development Seminar Technion presented by Oren Mishali.

1 Inheritance. 2 One class inherits from another if it describes a specialized subset of objects Terminology: inheritschild class subclass –the class.

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

ASPECT ORIENTED SOFTWARE DEVELOPMENT Prepared By: Ebru Doğan.

University of British Columbia Software Practices Lab CAS Seminar 06 Fluid AJ - A Simple Fluid AOP Tool Terry Hon Gregor Kiczales.

© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

Rigorous Fault Tolerance Using Aspects and Formal Methods Shmuel Katz Computer Science Department The Technion Haifa, Israel

Aspect Oriented Programming Written by Michael Beder.

Harmless Advice Daniel S Dantas Princeton University with Prof. David Walker.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.

A Formal Model of Modularity in Aspect-Oriented Programming Jonathan Aldrich : Objects and Aspects Carnegie Mellon University.

Component-Based Software Engineering Components and Interfaces Paul Krause.

Ranga Rodrigo. Class is central to object oriented programming.

1 Aspects and Modularity: The Hope and the Challenge Jonathan Aldrich Institute for Software Research International School of Computer Science Carnegie.

Taming Obliviousness in Aspects with Data-flow Analysis and Design by Contract Tim Molderez and Dirk Janssens Ansymo Antwerp Systems and Software Modelling.

Introduction to AOP.

Modular Reasoning in Aspect-oriented Languages Tim Molderez Promotor: prof. dr. Dirk Janssens Ansymo Antwerp Systems and Software Modelling.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Introduction to Aspect Oriented Programming Presented By: Kotaiah Choudary. Ravipati M.Tech IInd Year. School of Info. Tech.

Aspect Oriented Programming (AOP) in.NET Brent Krueger 12/20/13.

1 Abstraction  Identify important aspects and ignore the details  Permeates software development programming languages are abstractions built on hardware.

Aspect Oriented Programming Razieh Asadi University of Science & Technology Mazandran Babol Aspect Component Based Software Engineering (ACBSE)

VERIFICATION OF ASPECT ORIENTED MODELS BY DON MARTIN JAYASHREE VENKIPURAM PATHANGI PIYUSH SRIVASTAVA REFERENCES F. Mostefaoui and J. Vachon,” Design level.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development 1.

AOSD1 Aspect-Oriented Software Design Karl Lieberherr Theo Skotiniotis.

AOP-1 Aspect Oriented Programming. AOP-2 Aspects of AOP and Related Tools Limitation of OO Separation of Concerns Aspect Oriented programming AspectJ.

1 Proving aspect-oriented programming laws Leonardo Cole Paulo Borba Alexandre Mota Informatics Center Federal University of.

Topic 1 Object Oriented Programming. 1-2 Objectives To review the concepts and terminology of object-oriented programming To discuss some features of.

Inter-Type Declarations in AspectJ Awais Rashid Steffen Zschaler © Awais Rashid, Steffen Zschaler 2009.

Demeter Aspects We study techniques for the emerging area of Aspect-Oriented Software Development and focus on the following areas:  Aspectual Collaborations.

Applying Translucid Contracts for Modular Reasoning about Aspect and Object Oriented Events Mehdi Bagherzadeh Gary T. Leavens Robert Dyer Foundations of.

Chapter 8: Aspect Oriented Programming Omar Meqdadi SE 3860 Lecture 8 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Object-Oriented Programming Chapter Chapter

Introduction to Object-Oriented Programming Lesson 2.

ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

Towards an Aspect-oriented Language Module: Aspects for Petri Nets Tim Molderez, Bart Meyers, Dirk Janssens and Hans Vangheluwe Ansymo Antwerp Systems.

问题 Code scattering Blocks of duplicated code Blocks of complementary code, and different modules implementing complementary parts of the concern Code.

PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

CSSE501 Object-Oriented Development. Chapter 10: Subclasses and Subtypes  In this chapter we will explore the relationships between the two concepts.

R R R A Brief Introduction to Aspect-Oriented Programming.

1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.

DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.

Aspect-Oriented Software Development (AOSD)

 Description of Inheritance  Base Class Object  Subclass, Subtype, and Substitutability  Forms of Inheritance  Modifiers and Inheritance  The Benefits.

Interfaces CMSC 202. Public Interfaces Objects define their interaction with the outside world through the their public interface. A class' public interface.

CSE 332: C++ Exceptions Motivation for C++ Exceptions Void Number:: operator/= (const double denom) { if (denom == 0.0) { // what to do here? } m_value.

Component-Based Software Engineering Components and Interfaces Paul Krause and Sotiris Moschoyiannis.

Component Based Software Engineering

Aspect-Oriented Programming with the Eclipse AspectJ plug-in

Type Abstraction SWE Spring 2009.

Design by Contract Fall 2016 Version.

Java Modeling Language (JML)

Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.

Type Abstraction SWE Spring 2013.

CMSC 202 Exceptions.

Design Contracts and Errors A Software Development Strategy

Presentation transcript:

Modular Reasoning in Aspect-oriented Languages Tim Molderez Ansymo Antwerp Systems and Software Modelling

Aspect-oriented programming (AOP)  Typically extension of object-oriented language  Aims to improve separation of concerns by modularizing crosscutting concerns  Crosscutting concerns: Scattered in several places Tangled with other concerns Examples: logging, authentication, caching, profiling, … 2

A (stereo)typical example: logging 3 class Logger { … after bankLog: call(* Bank.do*(..)) { log.write(stuff); } … } advice pointcut (specifies a set of “join points”) kind (before/after/around) name body After every call to Bank.do*(…), update the log * Not AspectJ code; this is ContractAJ

Another example: authentication 4 class Security{ … around auth: call(* Bank.do*(Account acc,..)) { if(isLoggedIn(acc.getOwner())) { proceed(acc); } … } calls Bank.do* Execute advice instead of Bank.do*

AOP and obliviousness  Obliviousness: Advice is executed implicitly 5 I’m calling silver bullet! With AOP, we can implement crosscutting concerns independent of everything else! AOP considered harmful! An advice could break my existing code at any time! Chill out you guys! There’s a middle ground here.

Modular reasoning  The ability to reason about a module’s behaviour, considering only the module itself (and anything it explicitly refers to)  In imperative languages: no surprises…  In OOP: All classes must be behavioral subtypes (LSP)  … but what about AOP? 6

Modular reasoning  To benefit from obliviousness, advice may not cause any surprising behaviour. 7

Modular reasoning in OOP 8 Bird.fly pre post Duck.fly pre’ post’ Bird bird = new Duck(); bird.fly(); What the developer sees:What happens at runtime: time

Modular reasoning in OOP  To avoid surprising behaviour, the Liskov substitution principle should be respected.  All classes should be behavioural subtypes: Precondition may not be strengthened Postcondition may not be weakened Invariants must be preserved 9

Modular reasoning in AOP 10 Bank.doTransfer pre post Security.auth pre’ post’ What the developer sees:What happens at runtime: time bank.doTransfer(acc1,acc2,50); Proceed: Bank.doTransfer

Modular reasoning in AOP  Similar to OOP, if all advice are seen as around advice: An advice effectively substitutes for whatever it advises.  Advice substitution principle (ASP): Advice’s precondition may not be stronger than the precondition of the advised join point Postcondition may not be weakened Invariant must be preserved 11

So.. that’s all there is to it?  Yes*  *.. well, there are some big buts (and I cannot lie) Before and after advice Higher-order advice Multiple advice sharing join points Quantification Call and execution pointcuts What if you can’t satisfy the advice substitution principle?  Quantification  Call and execution pointcuts  Before and after advice …… 12

Before and after advice  Before advice Slightly different than around advice: postconditions refer to the moment before the implicit proceed call, instead of after. Advice postconditions may not invalidate the preconditions of X.y  After advice Preconditions refer to the moment after the implicit proceed call. Advice preconditions can rely on the postconditions of X.y 13 Before advice Implicit proceed pre post Implicit proceed After advice pre post

Special cases  Principle also applies if: Multiple advice share join points Advice intercept advice executions  Example Advice 1,2 and 3 only need to comply with Method’s contracts Meta-advice complies with Advice 3’s contracts 14 Advice 1 Advice 2 Meta-advice Advice 3 Method

Quantification  ASP defined in terms of a single join point  However, pointcuts are a quantification mechanism and can match with many different join points An advice may need to comply with many different contracts (e.g. Bank.do* can match with several methods..) Complying with the ASP becomes more difficult as the number of contracts grows Scaling problem can be mitigated using contract enforcement tools, as well as using definitions of observers/spectators 15

What if you can’t satisfy the ASP? 16 class Security { if(isLoggedIn()){proc}else{true} around auth: call(* Bank.do*(Account acc,..)) { if(isLoggedIn(acc.getOwner())) { proceed(acc); } … } ASP violation: This postcondition is weaker than the postcondition of Bank.do* ASP violation cannot be prevented : The advice’s very purpose is to block (the postcondition of) Bank.do* when necessary.

Restoring modular reasoning with clause 17 class Bank a1.m >= old(a1.m)-m=a1.m && Security.auth, Transaction.commit void doTransfer(Account a1, Account a2, int m) { … } … } Explicitly expecting to be advised by Security.auth and Transaction.commit (in that added to all Bank.do* methods

Quantification  Doesn’t the act of adding all clauses cancel out the benefits of quantification? Yes, if you like to add the clauses manually. In annotations can be generated fully automatically. In ContractAJ: You can easily introduce a quantification mechanism to add clauses in the right places.  Sidenote: It goes to show that programming concerns more than just the language; the tools around it can be a crucial component too. 18

Overriding advice  Overriding only has purpose when you expect one thing, but another thing is executed.  Nobody expects the Spanish inq execution of advice! .. unless clause is used.  The Authentication.auth could be filled in by e.g. RemoteAuthentication.auth  Satisfies the open-closed principle 19

Effective specifications  Presence of clause Makes callers aware of the listed advice Effectively changes the pre/postconditions that must be taken into account when calling the method, aka the “effective pre/postconditions” Likewise, listed advice become aware of each other too, as the effective pre/postcondition of proceed calls changes too  Intuition behind effective pre/postcondition: Pre/postcondition of the first advice that will be executed, as far as you can tell statically 20

Effective specifications 21 Find the next advice that will be executed; dynamic parts of pointcuts become part of the specification! Fill in each occurrence of the proc keyword (with the next advice) Before/after advice must include implicit proceed call

Effective specifications.. can be much simpler if none of the pointcuts have dynamic parts: (which is the more common case) 22

Soundness  Modular reasoning is guaranteed (for pre-and postconditions) if: All bodies correctly implement their own specifications (, but they can assume modular reasoning). All classes are behavioural subtypes. All advice satisfy either the ASP, or are correctly mentioned in clause. ASP-compliant advice have a lower precedence than the others.  Proof by induction on reduction length Consider all possible ways a body can be reached from a method/proceed call 23

Dynamic enforcement  Contract enforcement advice check all contracts at runtime and throw an exception when the approach is not satisfied.  Simple, but not exhaustive  AspectJ implementation: 24

Static enforcement  Work in progress (see Luis’s internship & thesis)  Core problem: Determine whether one contract is weaker/stronger than another  Can be done with an SMT solver (Z3) by converting contracts to SMT-lib format  pre super && !pre sub should not have a solution 25

Frame conditions  Basic pre/postconditions and invariants don’t cut it to perform formal verification.  Frame conditions: Aside from what a body will do, it should also be specified what the body will not do.  Typically defined clauses, which list only those variables that might change. 26

Inferring frame conditions  Built on top of Ekeko and Soot  Flow-sensitive: Traverse CFG of each body, keeping track of aliases and modifications  Path-insensitive: Information is merged when if/while branches join  Incremental: Only update what’s necessary  Modular: Okay to assume modular reasoning 27

Frame conditions in AOP  Frame conditions can be used for multiple purposes Detect which fields an ASP-compliant advice is allowed to modify Detect which properties a proceed call can preserve Detect which advice can be executed concurrent to the body being advised 28

Summary  An approach to modular reasoning in AOP: Advice subsitution clause  The approach is sound, and can be enforced both dynamically and statically. 29 Modular reasoning in AOP is possible; there is a useful middle ground.