Download presentation
Presentation is loading. Please wait.
1
An Extensible Contract Verifier for AspectJ
2nd Asian Workshop on Aspect-Oriented Software Development (AOAsia2) An Extensible Contract Verifier for AspectJ Suguru Shinotsuka (Kyushu Institute of Technology) Naoyasu Ubayashi (Kyushu Institute of Technology) Hideaki Shinomi (IBM Japan Ltd.) Tetsuo Tamai (University of Tokyo) September 19, 2006
2
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Introduction Aspect-Oriented Programming (AOP) Class A Class A method method weaving Aspect advice Class B Class B method method weaving Object-Oriented Programming Aspect-Oriented Programming Suguru SHINOTSUKA
3
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Introduction Problem in weaving method method We cannot know method behavior only by looking method body. behavior to be known in implementation behavior after weaving easygoing program revision unexpected errors by weaving Suguru SHINOTSUKA
4
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Introduction Our approach We can specify how program behavior should be changed during weaving. Contract for weaving method method its verification method It is effective to verify the correctness of weaving. weaving However… The predicates are not always enough for every verification cases. COW (COntract Writing language) A solution of the problem behavior change Behavior has no red part. Behavior has a red part. specification in predicate logic an extensible contract verifier of COW Primitive predicates are provided. e.g., call (statement, method) Suguru SHINOTSUKA
5
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Reminder Outline Problem in Weaving COW Contract Verifier Related Work & Future Work Conclusion Suguru SHINOTSUKA
6
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Problem in Weaving Problem Example class Line { Point p1, p2; void moveBy(int dx, int dy) { p1.x += dx; p1.y += dy; p2.x += dx; p2.y += dy; Display.redrawLine(this); } class Line { Point p1, p2; void moveBy(int dx, int dy) { p1.x += dx; p1.y += dy; p2.x += dx; p2.y += dy; } class Line { Point p1, p2; void moveBy(int dx, int dy) { p1.moveBy(dx, dy); p2.moveBy(dx, dy); Display.redrawLine(this); } class Line { Point p1, p2; void moveBy(int dx, int dy) { p1.moveBy(dx, dy); p2.moveBy(dx, dy); } Redrawing the p1 and the p2 points ⇒ Method behavior is changed by the revision. ⇒ incorrect weaving Line - p1, p2: Point weaving weaving Point - x, y: int aspect LineObserver { after(Line l): execution(* Line.moveBy(..)) && target (l) { Display.redrawLine(l); } redraw Display redraw class Point { int x, y; void moveBy(int dx, int dy) { x += dx; y += dy; Display.redrawPoint(this); } class Point { int x, y; void moveBy(int dx, int dy) { x += dx; y += dy; } aspect PointObserver { after(Point p): execution(* Point.moveBy(..)) && target (p) { Display.redrawPoint(p); } weaving Suguru SHINOTSUKA
7
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
COW COW is a method for verifying the correctness of weaving. We specify a property of control and data flow before and after weaving. - by using predicate logic. - Primitive predicates are provided. We can verify whether this specification is satisfied. We call these specifications: - Pre-condition (requires) - Post-condition (ensures) - Invariant (invariant) Contract between class and aspects. weaving = mechanism for changing method behavior correctness of weaving = correctness of method behavior before and after weaving method behavior ≒ property of control and data flow how behavior changes = behavior before and after weaving Suguru SHINOTSUKA
8
COW COW (COntract Writing language) language for describing contracts
contract LineContract restricts Line { define redrawingPoint() { target(t) && entry(t, e) && controlFlow(t, s, e) && call(s, void Display.redrawPoint(Point)) } define redrawingLine() { && call(s, void Display.redrawLine(Line)) define redrawingNothing() { ! redrawingPoint() && ! redrawingLine() define redrawingLineOnly () { redrawingLine() && ! redrawingPoint() void moveBy(int, int) { requires(redrawingNothing()); ensures(redrawingLineOnly()); language for describing contracts before weave(pre-condition): redrawing nothing after weave(post-condition): redrawing line only Line.moveBy() call of Display.redrawPoint Line.moveBy() call of Display.redrawLine Suguru SHINOTSUKA
9
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
COW Primitive Predicates Predicate Meanings owner (x, t) x is an actuator, a field, an inner class of type t. target (a) An actuator a is a target of constraint. source (a) An advice a is woven to the target actuator. method (a) Actuator a is a method. constructor (a) Actuator a is a constructor. beforeAdvice (a) Actuator a is a before-advice. afterAdvice (a) Actuator a is an after-advice. aroundAdvice (a) Actuator a is an around-advice. field (v) Symbol v is a class field. enumerator (v) Symbol v is an enumerator. parameter (v) Symbol v is an actuator’s formal parameter. Predicate Meanings variable (v) Symbol v is a local variable. entry (a, s) The entry statement of an actuator a is s. call (s, a) Statement s calls an actuator a. return (s) s is a returning statement. write (s, v) Statement s writes to a symbol v. read (s, v) Statement s reads a symbol v. defuse (s, dv, sv) At statement s, symbol dv is written using symbol sv. controlFlow (a, g, s) In control flow under an actuator a, statement g can be reached from a statement s. dataFlow (a, d, dv, s, sv) In data flow under an actuator a, s symbol dv in a statement d can be reached from a symbol sv in a statement s. equal (x, y) x equals y. Suguru SHINOTSUKA
10
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
COW Towards Contract Extension However… It is useful to extend the verification facility of COW. COW’s verification facility is not always enough. COW ⇒ We can verify whether a change of program behavior is correct. But a developer wants to verify the correctness of weaving in every case. e.g., - Can we verify whether program structure is correctly changed by intertype weaving? - Can we specify program behavior completely? By extending the primitive predicates, the facility can be extended. We developed an extensible contract verifier that enables a developer to extend the primitive predicates. Suguru SHINOTSUKA
11
Contract Verifier Implementation Outline control flow graph in a
program analysis result Strategy - Executing program analysis for Java / AspectJ source code. - Verifying whether contract conditions in COW satisfies the information from the program analysis. contract conditions Prolog facts Prolog questions primitive predicate definition e.g., the controlFlow primitive predicate contract LineContract restricts Line { define redrawingPoint() { target(t) && entry(t, e) && controlFlow(t, s, e) && call(s, void Display.redrawPoint(Point)) } define redrawingLine() { && call(s, void Display.redrawLine(Line)) define redrawingNothing() { ! redrawingPoint() && ! redrawingLine() define redrawingLineOnly () { redrawingLine() && ! redrawingPoint() void moveBy(int, int) { requires(redrawingNothing()); ensures(redrawingLineOnly()); redrawingPoint :- target(T), entry(T, E), controlFlow(T, S, E), call(S, ‘void Display.redrawPoint(Point)’). S1: Point.moveBy() entry(Point.moveBy(), S1) next(S1, S2) Prolog rules redrawingLine :- target(T), entry(T, E), controlFlow(T, S, E), call(S, ‘void Display.redrawLine(Line)’). S2: x += dx def(Point.x), use(dx) controlFlow(Scope, Goal, Start) :- traverse(Scope, Goal, Start, []). traverse(Scope, Goal, Start, Visited) :- next(Start, Next, ScopeList), member(Scope, ScopeList), \+member(Next, Visited), Next = Goal. traverse(Scope, Goal, Next, [Next | Visited]). next(S2, S3) redrawingNothing :- \+ redrawingPoint, \+ redrawingLine. S3: y += dy def(Point.y), use(dy) next(S3, S4) By using Prolog interpreter, this verification is realized. - Translating the program analysis results to Prolog facts. - Translating the contract conditions to Prolog questions. - Giving primitive predicate definitions as Prolog rules. redrawingLineOnly :- redrawingLine, \+ redrawingPoint. S4: Display.redrawPoint(this) call(S4, void Display.redrawPoint(Point)) | ?- redrawingNothing. | ?- redrawingLineOnly. Suguru SHINOTSUKA
12
Contract Verifier Extension Mechanism
To verify whether a primitive predicate is satisfied, the follows are needed: AA-lib extension part - Prolog facts used for verifying whether the primitive predicate is satisfied Primitive predicate factory + toFacts (r: ProgramAnalysisResult): PrologFacts + toRule (): PrologRule - Prolog rules for verifying whether the primitive predicate is satisfied by the Prolog facts Java AspectJ structure structure S1: Point.moveBy() next(S1, S2) factory class object controlFlow(Scope, Goal, Start) :- traverse(Scope, Goal, Start, []). traverse(Scope, Goal, Start, Visited) :- next(Start, Next, ScopeList), member(Scope, ScopeList), \+member(Next, Visited), Next = Goal. traverse(Scope, Goal, Next, [Next | Visited]). S2: x += dx Program analysis result next(S2, S3) We developed the contract verifier that enables such the extension. flow graph flow graph Prolog rule and facts S3: y += dy before weave after weave CAVE COW If a developer can add implementation for generating these facts and rules to the contract verifier, the developer can extend primitive predicates. next(S3, S4) Primitive predicate database GNU Prolog Prolog questions S4: Display.redrawPoint(this) verification result Suguru SHINOTSUKA
13
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Contract Verifier Primitive Predicate Extension How to extend primitive predicates by using the primitive predicate factory: Explanation example: adding new primitive predicate for describing class inheritance relation PrologFacts toFacts(ProgramAnalysisResult r) { PrologFacts facts = new PrologFacts(); for (ClassInheritance i: r.getStructure().getInheritances()) { PrologConstant superClass = Translation.toPrologConstant(i.getSuperClass()); PrologConstant subClass = Translation.toPrologConstant(i.getSubClass()); PrologFact fact = new PrologFact(“directExtends”, subClass, superClass); facts.add(fact); } return facts; public static void main(String[] args) { CowCompiler c = new CowCompiler(args); PrimitivePredicateSet predicates = c.getPrimitivePredicateSet(); predicates.add(new ExtendsPredicateFactory()); c.setPrimitivePredicateSet(predicates); c.start(); } PrologRule toRule() { PrologRule rule = Translation.toPrologRule( “extends(Subclass, Superclass) :-” + “ directExtends(Subclass, Superclass).” + “ directExtends(Subclass0, Superclass),” + “ extends(Subclass, Subclass0).”); return rule; } A We implement the predicate factory class to: C directly extends A ⇒ extends (C, A) step1, map the part of program analysis result to the directExtends facts (by the toFacts method). Facts and rules in Prolog for verifying the extends predicate are: B C extends(Subclass, SuperClass) :- directExtends(Subclass, Superclass). extends(Subclass, Superclass) :- directExtends(Subclass0, Superclass), extends(Subclass, Subclass0). -step2, generate the Prolog rules of the extends predicate (by the toRule method). directExtends(‘B’, ‘A’). directExtends(‘C’, ‘A’). directExtends(‘D’, ‘C’). D indirectly extends A ⇒ extends (D, A) D factory class that we implemented -step3, adding factory object to the verifier Suguru SHINOTSUKA
14
Related Work & Future Work
Testing and verification approaches based on contracts: AspectJ can be extended by using abc, an extensible AspectJ compiler. At present time, we cannot determine which approach is better. - Information Hiding Interfaces for Aspect-Oriented Design [K. Sullivan, FSE 2005] - Cona: aspects for contracts and contracts for aspects [T. Skotiniotis, OOPSLA 2004] COW: - verification method using a language for verification - based on predicate logic Verification language based on predicate logic can be extended by using the contract verifier that we proposed. -- a method for specifying rules for designing classes and aspects -- a method for testing whether method behavior is correct -- The rules can be described by using pointcut language of AspectJ. -- inserting testing code based on DbC by using aspects verification method using AspectJ - based on pointcut language In the future, we will try to extend both AspectJ and COW and examine the effectiveness of these approaches. Suguru SHINOTSUKA
15
Suguru SHINOTSUKA <sinotuka@minnie.ai.kyutech.ac.jp>
Conclusion We have proposed COW as a method for verifying the correctness of weaving and we proposed an extensible implementation of the COW compiler. A developer can extend the verification facility of COW. We believe that the extensibility is useful for verifying the correctness of weaving in various cases. Suguru SHINOTSUKA
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.