Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem.

Published byTriston Elms Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem."— Presentation transcript:

1 1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem

2 2 Aspect Verification Aspect Oriented Programming becomes increasingly important. Aspect Oriented Programming becomes increasingly important. All software cycle stages are expected to be supported. All software cycle stages are expected to be supported. Validation of behavioral properties is especially important. Validation of behavioral properties is especially important.

3 3 Program Verification There are algorithms for verifying complete programs ( expressed as state-machine). There are algorithms for verifying complete programs ( expressed as state-machine). A naive approach would be to compose all advices against the program. A naive approach would be to compose all advices against the program. Problematic: Problematic: Time consuming. Time consuming. Potentially difficult Potentially difficult Requirment – Separate verification Requirment – Separate verification

4 4 Separate verification - Problem setup Interface generated at the program developer side. Interface generated at the program developer side. The advice authors does not receive the program, only the interface. The advice authors does not receive the program, only the interface. Interface Generation Program Developers ProgramPCDsProperties Verification Interface Validation PropertiesAspect Advice Authors

5 5 Backround Aspect-Oriented programming. Aspect-Oriented programming. Model-Checking – a verification technique. Model-Checking – a verification technique.

6 6 Aspect-oriented programming Pointcut designator (PCD) is a language for describing when an advice should apply (describing joinpoints). Here we consider only a subset of the PCD language of AspectJ – expresses patters over the shape of the call stack => function calls are the only joinpoints considered. Here we consider only a subset of the PCD language of AspectJ – expresses patters over the shape of the call stack => function calls are the only joinpoints considered.

7 7 PCD Language PCD are a restricted form of regular expressions PCD are a restricted form of regular expressions Pointcut atom Pointcut atom Call(f) for some function name f Call(f) for some function name f !Call(f) for some function name f !Call(f) for some function name f true true Pointcut element Pointcut element a pointcut atom a pointcut atom a* where a is a pointcut atom. a* where a is a pointcut atom. (e) where e is a pointcut element (e) where e is a pointcut element e1 & e2 where e1 and e2 are pointcut elements e1 & e2 where e1 and e2 are pointcut elements e1 | e2 where e1 and e2 are pointcut elements e1 | e2 where e1 and e2 are pointcut elements Pointcut designator Pointcut designator a point cut element a point cut element (d) where d is a pointcut designator (d) where d is a pointcut designator d1;d2 where d1 and d2 are pointcut designator d1;d2 where d1 and d2 are pointcut designator d1|d2 where d1 and d2 are pointcut designator d1|d2 where d1 and d2 are pointcut designator

8 8 PCD language Cont’ PCD are a restricted form of regular expressions. PCD are a restricted form of regular expressions. A PCD subscribes a set of program states at which it applies ( pointcut). A PCD subscribes a set of program states at which it applies ( pointcut). Example PCD : call(h);true*;call(f);true* describes function h called from the flow of function f. Example PCD : call(h);true*;call(f);true* describes function h called from the flow of function f.

9 9 Aspects An aspect consists of: An aspect consists of: PCD. PCD. Advice. Advice. Advice type ( before, after, around). Advice type ( before, after, around).

10 10 Model Checking – Formal Models Program source code => Program state machine. Program source code => Program state machine. Program state machine represents the control- flow of a program fragment. Program state machine represents the control- flow of a program fragment. State Machine is a tuple <> State Machine is a tuple S – states. S – states. T – included in SxS. T – included in SxS. L – labels of the states. L – labels of the states. s src,s sink – program’s entry and exit states. s src,s sink – program’s entry and exit states. S call,S rtn - Subsets of S. S call,S rtn - Subsets of S.

11 11 Program State Machine Example aaaa b b b bb bb bb b call(f) ret(f) call(h) ret(h) call(g ) ret(g) Program state machine describing a main program which invokes f and then h, while f invokes g. Constructed from source code using inline depth parameter. source sink

12 12 CTL language CTL atoms are propositions that label states. CTL atoms are propositions that label states. Standard combinations by !, ∧∨ Standard combinations by !, ∧∨ Properties of a path is expressed by the operators: Properties of a path is expressed by the operators: G(φ) – φ is true for all states of the path. G(φ) – φ is true for all states of the path. F(φ) – φ is true at some state of the path. F(φ) – φ is true at some state of the path. [φ U ψ] φ is true at all states until a state where ψ is true. [φ U ψ] φ is true at all states until a state where ψ is true. X(φ) – φ is true at the next state. X(φ) – φ is true at the next state. Properties referring to paths leaving a common state is expressed by the operators: Properties referring to paths leaving a common state is expressed by the operators: A – All paths A – All paths E – There Exists a path. E – There Exists a path. For example :A[φ U ψ] For example :A[φ U ψ]

13 13 CTL Model-Checker Input: Input: program state machine program state machine CTL formula φ CTL formula φ Labels each state with all the sub-formulas of φ that are true at that state. Labels each state with all the sub-formulas of φ that are true at that state.

14 14 Modular verification of Aspects The presented techniqe is very limited. The presented techniqe is very limited. Verifies only property preservation. Verifies only property preservation. Supports spectative aspects only. Supports spectative aspects only.

15 15 Modular verification of Aspects Input: Input: Aspects Aspects Property ( CTL Formula) that holds for the main program. Property ( CTL Formula) that holds for the main program. Interface to the program. ( the labeled state-machine, including only function call, return, source and sink states). Interface to the program. ( the labeled state-machine, including only function call, return, source and sink states). What to do: What to do: Identify states that satisfy PCDs. Identify states that satisfy PCDs. Verify the advice (only) when applied at the relevant point- cuts. Verify the advice (only) when applied at the relevant point- cuts.

16 16 Aspect Verification Process aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true*

17 17 Aspect Verification Process aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true* Q: call(h);true*; call(f);true* Before1 Befor e 2 After2 After1 propositions Propositions sub-formulas b b A[aUb], AG(A[aUb]) in out

18 18 Aspect Verification Process Assuming pointcuts are marked Assuming pointcuts are marked Add ‘in’/’out’ states to the advice Add ‘in’/’out’ states to the advice Mark the advice ‘out’ state with all the labels from After2 ( or Before2) Mark the advice ‘out’ state with all the labels from After2 ( or Before2) Mark the advice ‘in‘ state with propositions of After1 ( Before1). Mark the advice ‘in‘ state with propositions of After1 ( Before1). Preform model checking on the advice alone Preform model checking on the advice alone If the advice passed the validation, the composed program satisfy the property. If the advice passed the validation, the composed program satisfy the property.

19 19 Around Advice Verification Two cases for around advice Two cases for around advice Calling proceed() Calling proceed() Not calling proceed(). Not calling proceed().

20 20 Around Advice Calling Proceed aa bb ret(g) call(g) Before1 After2 Befor e 2 After1 Base ProgramAround Advice src sink proceed Around1 Around2 propositions Propositions sub-formulas a b a b

21 21 Around Advice Not Calling Proceed Around without proceed can bypass existing states. Around without proceed can bypass existing states. no b Φ = AF(b) b  Can invalidate a label copied to the advice out state.

22 22 Around Advice Not Calling Proceed This problem arises only under the conditions: This problem arises only under the conditions: Formulas that capture eventual behavior. Formulas that capture eventual behavior. There is a path from the function return state to the call state. There is a path from the function return state to the call state. Fix : Fix : Add more formulas to the interface to be validated. Add more formulas to the interface to be validated. When ever a model checker labels call state and return state with an eventual property, needs to add a formula that checks if this property is discharged before reaching the return state. In example case A((!return) U b). When ever a model checker labels call state and return state with an eventual property, needs to add a formula that checks if this property is discharged before reaching the return state. In example case A((!return) U b). If this formula succeeds at the call state of the base program, the formula is included in the interface for the call state to be checked against the advice. If this formula succeeds at the call state of the base program, the formula is included in the interface for the call state to be checked against the advice.

23 23 Identifying Pointcut States From PCDs aa aa bb bb bb bb b ret(f) call(h) ret(h) ret(g) ab ab call(f) call(g) Advice A: call(h) ret(h) source sink Φ = AG(A[aUb]) P: call(g);true* Q: call(h);true*; call(f);true* Before1 Befor e 2 After2 After1

24 24 Identifying Pointcut States From PCDs First Suggestion. First Suggestion. PDCs are regular terms. PDCs are regular terms. Use the cross-product between the PCD state machine and the program state machine. Use the cross-product between the PCD state machine and the program state machine. To identify pointcuts in advice, mark the advice ‘in’ state with the PCD state. To identify pointcuts in advice, mark the advice ‘in’ state with the PCD state. Problems: Problems: PCD state machine more complicated than the PCD PCD state machine more complicated than the PCD We expand the states in the tested system. We expand the states in the tested system.

25 25 Identifying Pointcut States From PCDs – Avoiding cross products We can express a PCD by CTL expression. We can express a PCD by CTL expression. Reverse all edges in the program state machine Reverse all edges in the program state machine We can identify the point-cut states, by Model- Checking the PCD CTL formula. We can identify the point-cut states, by Model- Checking the PCD CTL formula.

26 26 Example Example call(h); true*;call(f);true*; call(h); true*;call(f);true*; Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut states from PCD by Model Checking

27 27 Example Example call(h); true*;call(f);true*; call(h); true*;call(f);true*; call(h) ∧ E ( true U call(f) ) call(h) ∧ E ( true U call(f) ) True for the pointcput states. True for the pointcput states. But what are all the states where the formula becomes true? But what are all the states where the formula becomes true? Where is the problem? Where is the problem? Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut states from PCD by Model Checking before1 before2

28 28 Identifying pointcut states from PCDs Translate PCD into a CTL formula Translate PCD into a CTL formula Reverse the program state machine graph. Reverse the program state machine graph. Redirect edges outgoing function return states, to the successor state of the corresponding call state. Redirect edges outgoing function return states, to the successor state of the corresponding call state. Model check the new graph Model check the new graph Formula becomes true only on pointcut states. Formula becomes true only on pointcut states.

29 29 Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut within advice before1 before2 Adivce type : Before PCD: call(g);true*;call(f);true* Call(g) ret(g) Aspect A

30 30 Call(f) Call(h) ret(h) ret(f) Call(h) ret(h) Identifying pointcut within advice before1 before2 Adivce type : Before PCD: call(g);true*;call(f);true* Call(g) ret(g) Aspect A call(g) ∧ E ( true U call(f) ) call(g) ∧ E ( true U call(f) ) E(true U call(f))

31 31 Identifying pointcut states from PCDs - Summary How will we identify pointcuts within an advice? How will we identify pointcuts within an advice? Copy labels, relevant to the CTL formula, to the source of the advice Copy labels, relevant to the CTL formula, to the source of the advice Preform model checking for identifying pointcut on the advice. Preform model checking for identifying pointcut on the advice.

32 32 Conclusions We’ve seen a technique We’ve seen a technique identifies pointcuts identifies pointcuts Given all pointcuts, verifies properties, checked on the base program, are reserved in the presence of advices. Given all pointcuts, verifies properties, checked on the base program, are reserved in the presence of advices. Modular verification - separate verification, between the base program and the applied advices Modular verification - separate verification, between the base program and the applied advices

33 33 Future exploration Preserving properties. What about new properties we want to check only for the advices. Preserving properties. What about new properties we want to check only for the advices. Spectative aspects supported only. Spectative aspects supported only. Limited PCD language. Limited PCD language. Each advice may be validated many times ( maybe once per each state in the point cut that advises it. Each advice may be validated many times ( maybe once per each state in the point cut that advises it.

Download ppt "1 Verifying Aspect Advice Modularly By:Shiram Krishnamurthi Kathi Fisler Michael Greenberg Presented by:Iddit Shalem."

Similar presentations

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Theory Of Automata By Dr. MM Alam

Theory Of Automata By Dr. MM Alam
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.

Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.

Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.
Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.

Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.
Software Design Process A Process is a set of related and (sequenced) tasks that transforms a set of input to a set of output. Inputs Outputs Design Process.

Software Design Process A Process is a set of related and (sequenced) tasks that transforms a set of input to a set of output. Inputs Outputs Design Process.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
1 Midterm I review Reading: Chapters 1-4. 2 Test Details In class, Wednesday, Feb. 25, 2015 3:10pm-4pm Comprehensive Closed book, closed notes.

1 Midterm I review Reading: Chapters Test Details In class, Wednesday, Feb. 25, :10pm-4pm Comprehensive Closed book, closed notes.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Lectures on Network Flows

Lectures on Network Flows
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Validating Streaming XML Documents Luc Segoufin & Victor Vianu Presented by Harel Paz.

Validating Streaming XML Documents Luc Segoufin & Victor Vianu Presented by Harel Paz.

Similar presentations

Ads by Google