1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem.

Slides:



Advertisements
Similar presentations
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
Advertisements

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Theory Of Automata By Dr. MM Alam
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.
Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.
Software Design Process A Process is a set of related and (sequenced) tasks that transforms a set of input to a set of output. Inputs Outputs Design Process.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
1 Midterm I review Reading: Chapters Test Details In class, Wednesday, Feb. 25, :10pm-4pm Comprehensive Closed book, closed notes.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Lectures on Network Flows
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Validating Streaming XML Documents Luc Segoufin & Victor Vianu Presented by Harel Paz.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.
Witness and Counterexample Li Tan Oct. 15, 2002.
Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.
Specification and Verification of Aspects Shmuel Katz.
Rigorous Fault Tolerance Using Aspects and Formal Methods Shmuel Katz Computer Science Department The Technion Haifa, Israel
More on AspectJ. aspect MoveTracking { private static boolean _flag = false; public static boolean testAndClear() { boolean result = _flag; _flag = false;
Witness and Counterexample Li Tan Oct. 15, 2002.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
1 Translating from LTL to automata. 2 Why translating? Want to write the specification in some logic. Want to check that an automaton (or a Kripke structure)
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
Prof. Bodik CS 164 Lecture 16, Fall Global Optimization Lecture 16.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Software Design Processes and Management
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.
Aspect Oriented Programming Scott Nykl CSSE 411 Senior Seminar.
Verifying Interactive Web Programs Daniel R. Licata Shriram Krishnamurthi Brown University.
CS6133 Software Specification and Verification
Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
AOP-1 Aspect Oriented Programming. AOP-2 Aspects of AOP and Related Tools Limitation of OO Separation of Concerns Aspect Oriented programming AspectJ.
Rewriting Logic Model of Compositional Abstraction of Aspect-Oriented Software FOAL '10Mar. 15, 2010 Yasuyuki Tahara, Akihiko Ohsuga The University of.
Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Demeter Aspects We study techniques for the emerging area of Aspect-Oriented Software Development and focus on the following areas:  Aspectual Collaborations.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Verification & Validation By: Amir Masoud Gharehbaghi
Methods of Software Development Karl Lieberherr Spring 2007.
Integration Testing Beyond unit testing. 2 Testing in the V-Model Requirements Detailed Design Module implementation Unit test Integration test System.
Quality Assurance in the Presence of Variability Kim Lauenroth, Andreas Metzger, Klaus Pohl Institute for Computer Science and Business Information Systems.
Features of AOP languages AOP languages have the following main elements: –a join point model (JPM) wrt base PL –a specification language for expressing.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
15-820A 1 LTL Model Checking A Flavio Lerda.
Principles of Programming & Software Engineering
Basic concepts of Model Checking
Transition Graphs.
About the Presentations
Lectures on Network Flows
Demeter Aspects Who We Are Aspectual Collaborations
Aspect Validation: Connecting Aspects and Formal Methods
CSCI1600: Embedded and Real Time Software
Optimizations using SSA
CSCI1600: Embedded and Real Time Software
Translating Linear Temporal Logic into Büchi Automata
Presentation transcript:

1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem

2 Aspect Verification Aspect Oriented Programming becomes increasingly important. Aspect Oriented Programming becomes increasingly important. All software cycle stages are expected to be supported. All software cycle stages are expected to be supported. Validation of behavioral properties is especially important. Validation of behavioral properties is especially important.

3 Program Verification There are algorithms for verifying complete programs ( expressed as state-machine). There are algorithms for verifying complete programs ( expressed as state-machine). A naive approach would be to compose all advices against the program. A naive approach would be to compose all advices against the program. Problematic: Problematic: Time consuming. Time consuming. Potentially difficult Potentially difficult Requirment – Separate verification Requirment – Separate verification

4 Separate verification - Problem setup Interface generated at the program developer side. Interface generated at the program developer side. The advice authors does not receive the program, only the interface. The advice authors does not receive the program, only the interface. Interface Generation Program Developers ProgramPCDsProperties Verification Interface Validation PropertiesAspect Advice Authors

5 Backround Aspect-Oriented programming. Aspect-Oriented programming. Model-Checking – a verification technique. Model-Checking – a verification technique.

6 Aspect-oriented programming Pointcut designator (PCD) is a language for describing when an advice should apply (describing joinpoints). Here we consider only a subset of the PCD language of AspectJ – expresses patters over the shape of the call stack => function calls are the only joinpoints considered. Here we consider only a subset of the PCD language of AspectJ – expresses patters over the shape of the call stack => function calls are the only joinpoints considered.

7 PCD Language PCD are a restricted form of regular expressions PCD are a restricted form of regular expressions Pointcut atom Pointcut atom Call(f) for some function name f Call(f) for some function name f !Call(f) for some function name f !Call(f) for some function name f true true Pointcut element Pointcut element a pointcut atom a pointcut atom a* where a is a pointcut atom. a* where a is a pointcut atom. (e) where e is a pointcut element (e) where e is a pointcut element e1 & e2 where e1 and e2 are pointcut elements e1 & e2 where e1 and e2 are pointcut elements e1 | e2 where e1 and e2 are pointcut elements e1 | e2 where e1 and e2 are pointcut elements Pointcut designator Pointcut designator a point cut element a point cut element (d) where d is a pointcut designator (d) where d is a pointcut designator d1;d2 where d1 and d2 are pointcut designator d1;d2 where d1 and d2 are pointcut designator d1|d2 where d1 and d2 are pointcut designator d1|d2 where d1 and d2 are pointcut designator

8 PCD language Cont’ PCD are a restricted form of regular expressions. PCD are a restricted form of regular expressions. A PCD subscribes a set of program states at which it applies ( pointcut). A PCD subscribes a set of program states at which it applies ( pointcut). Example PCD : call(h);true*;call(f);true* describes function h called from the flow of function f. Example PCD : call(h);true*;call(f);true* describes function h called from the flow of function f.

9 Aspects An aspect consists of: An aspect consists of: PCD. PCD. Advice. Advice. Advice type ( before, after, around). Advice type ( before, after, around).

10 Model Checking – Formal Models Program source code => Program state machine. Program source code => Program state machine. Program state machine represents the control- flow of a program fragment. Program state machine represents the control- flow of a program fragment. State Machine is a tuple <> State Machine is a tuple S – states. S – states. T – included in SxS. T – included in SxS. L – labels of the states. L – labels of the states. s src,s sink – program’s entry and exit states. s src,s sink – program’s entry and exit states. S call,S rtn - Subsets of S. S call,S rtn - Subsets of S.

11 Program State Machine Example aaaa b b b bb bb bb b call(f) ret(f) call(h) ret(h) call(g ) ret(g) Program state machine describing a main program which invokes f and then h, while f invokes g. Constructed from source code using inline depth parameter. source sink

12 CTL language CTL atoms are propositions that label states. CTL atoms are propositions that label states. Standard combinations by !, ∧∨ Standard combinations by !, ∧∨ Properties of a path is expressed by the operators: Properties of a path is expressed by the operators: G(φ) – φ is true for all states of the path. G(φ) – φ is true for all states of the path. F(φ) – φ is true at some state of the path. F(φ) – φ is true at some state of the path. [φ U ψ] φ is true at all states until a state where ψ is true. [φ U ψ] φ is true at all states until a state where ψ is true. X(φ) – φ is true at the next state. X(φ) – φ is true at the next state. Properties referring to paths leaving a common state is expressed by the operators: Properties referring to paths leaving a common state is expressed by the operators: A – All paths A – All paths E – There Exists a path. E – There Exists a path. For example :A[φ U ψ] For example :A[φ U ψ]

13 CTL Model-Checker Input: Input: program state machine program state machine CTL formula φ CTL formula φ Labels each state with all the sub-formulas of φ that are true at that state. Labels each state with all the sub-formulas of φ that are true at that state.

14 Modular verification of Aspects The presented techniqe is very limited. The presented techniqe is very limited. Verifies only property preservation. Verifies only property preservation. Supports spectative aspects only. Supports spectative aspects only.

15 Modular verification of Aspects Input: Input: Aspects Aspects Property ( CTL Formula) that holds for the main program. Property ( CTL Formula) that holds for the main program. Interface to the program. ( the labeled state-machine, including only function call, return, source and sink states). Interface to the program. ( the labeled state-machine, including only function call, return, source and sink states). What to do: What to do: Identify states that satisfy PCDs. Identify states that satisfy PCDs. Verify the advice (only) when applied at the relevant point- cuts. Verify the advice (only) when applied at the relevant point- cuts.

16 Aspect Verification Process aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true*

17 Aspect Verification Process aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true* Q: call(h);true*; call(f);true* Before1 Befor e 2 After2 After1 propositions Propositions sub-formulas b b A[aUb], AG(A[aUb]) in out

18 Aspect Verification Process Assuming pointcuts are marked Assuming pointcuts are marked Add ‘in’/’out’ states to the advice Add ‘in’/’out’ states to the advice Mark the advice ‘out’ state with all the labels from After2 ( or Before2) Mark the advice ‘out’ state with all the labels from After2 ( or Before2) Mark the advice ‘in‘ state with propositions of After1 ( Before1). Mark the advice ‘in‘ state with propositions of After1 ( Before1). Preform model checking on the advice alone Preform model checking on the advice alone If the advice passed the validation, the composed program satisfy the property. If the advice passed the validation, the composed program satisfy the property.

19 Around Advice Verification Two cases for around advice Two cases for around advice Calling proceed() Calling proceed() Not calling proceed(). Not calling proceed().

20 Around Advice Calling Proceed aa bb ret(g) call(g) Before1 After2 Befor e 2 After1 Base ProgramAround Advice src sink proceed Around1 Around2 propositions Propositions sub-formulas a b a b

21 Around Advice Not Calling Proceed Around without proceed can bypass existing states. Around without proceed can bypass existing states. no b Φ = AF(b) b  Can invalidate a label copied to the advice out state.

22 Around Advice Not Calling Proceed This problem arises only under the conditions: This problem arises only under the conditions: Formulas that capture eventual behavior. Formulas that capture eventual behavior. There is a path from the function return state to the call state. There is a path from the function return state to the call state. Fix : Fix : Add more formulas to the interface to be validated. Add more formulas to the interface to be validated. When ever a model checker labels call state and return state with an eventual property, needs to add a formula that checks if this property is discharged before reaching the return state. In example case A((!return) U b). When ever a model checker labels call state and return state with an eventual property, needs to add a formula that checks if this property is discharged before reaching the return state. In example case A((!return) U b). If this formula succeeds at the call state of the base program, the formula is included in the interface for the call state to be checked against the advice. If this formula succeeds at the call state of the base program, the formula is included in the interface for the call state to be checked against the advice.

23 Identifying Pointcut States From PCDs aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true* Q: call(h);true*; call(f);true* Before1 Befor e 2 After2 After1

24 Identifying Pointcut States From PCDs First Suggestion. First Suggestion. PDCs are regular terms. PDCs are regular terms. Use the cross-product between the PCD state machine and the program state machine. Use the cross-product between the PCD state machine and the program state machine. To identify pointcuts in advice, mark the advice ‘in’ state with the PCD state. To identify pointcuts in advice, mark the advice ‘in’ state with the PCD state. Problems: Problems: PCD state machine more complicated than the PCD PCD state machine more complicated than the PCD We expand the states in the tested system. We expand the states in the tested system.

25 Identifying Pointcut States From PCDs – Avoiding cross products We can express a PCD by CTL expression. We can express a PCD by CTL expression. Reverse all edges in the program state machine Reverse all edges in the program state machine We can identify the point-cut states, by Model- Checking the PCD CTL formula. We can identify the point-cut states, by Model- Checking the PCD CTL formula.

26 Example Example call(h); true*;call(f);true*; call(h); true*;call(f);true*; Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut states from PCD by Model Checking

27 Example Example call(h); true*;call(f);true*; call(h); true*;call(f);true*; call(h) ∧ E ( true U call(f) ) call(h) ∧ E ( true U call(f) ) True for the pointcput states. True for the pointcput states. But what are all the states where the formula becomes true? But what are all the states where the formula becomes true? Where is the problem? Where is the problem? Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut states from PCD by Model Checking before1 before2

28 Identifying pointcut states from PCDs Translate PCD into a CTL formula Translate PCD into a CTL formula Reverse the program state machine graph. Reverse the program state machine graph. Redirect edges outgoing function return states, to the successor state of the corresponding call state. Redirect edges outgoing function return states, to the successor state of the corresponding call state. Model check the new graph Model check the new graph Formula becomes true only on pointcut states. Formula becomes true only on pointcut states.

29 Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut within advice before1 before2 Adivce type : Before PCD: call(g);true*;call(f);true* Call(g) ret(g) Aspect A

30 Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut within advice before1 before2 Adivce type : Before PCD: call(g);true*;call(f);true* Call(g) ret(g) Aspect A call(g) ∧ E ( true U call(f) ) call(g) ∧ E ( true U call(f) ) E(true U call(f))

31 Identifying pointcut states from PCDs - Summary How will we identify pointcuts within an advice? How will we identify pointcuts within an advice? Copy labels, relevant to the CTL formula, to the source of the advice Copy labels, relevant to the CTL formula, to the source of the advice Preform model checking for identifying pointcut on the advice. Preform model checking for identifying pointcut on the advice.

32 Conclusions We’ve seen a technique We’ve seen a technique identifies pointcuts identifies pointcuts Given all pointcuts, verifies properties, checked on the base program, are reserved in the presence of advices. Given all pointcuts, verifies properties, checked on the base program, are reserved in the presence of advices. Modular verification - separate verification, between the base program and the applied advices Modular verification - separate verification, between the base program and the applied advices

33 Future exploration Preserving properties. What about new properties we want to check only for the advices. Preserving properties. What about new properties we want to check only for the advices. Spectative aspects supported only. Spectative aspects supported only. Limited PCD language. Limited PCD language. Each advice may be validated many times ( maybe once per each state in the point cut that advises it. Each advice may be validated many times ( maybe once per each state in the point cut that advises it.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.