2nd Asian Workshop on Aspect-Oriented Software Development (AOAsia2)
An Extensible Contract
Verifier for AspectJ
Suguru Shinotsuka (Kyushu Institute of Technology)
Naoyasu Ubayashi (Kyushu Institute of Technology)
Hideaki Shinomi
(IBM Japan Ltd.)
Tetsuo Tamai
(University of Tokyo)
September 19, 2006
Introduction

Aspect-Oriented Programming (AOP)
Class A
method
Class A
method
weaving
Aspect
advice
Class B
method
Class B
method
weaving
Object-Oriented Programming
Suguru SHINOTSUKA Aspect-Oriented Programming
<[email protected]>
2
Introduction

Problem in weaving
method
method
We cannot know method behavior only by looking method body.
behavior to be known in implementation
easygoing program revision
behavior after weaving
unexpected errors by weaving
Suguru SHINOTSUKA
<[email protected]>
3
Introduction

Our approach
We can specify how program behavior should be changed during weaving.
Contract for weaving
method
its verification method
method
However…
It is effective to verify
the correctness of weaving.
weaving
The predicates are not always enough for every verification cases.
COW (COntract
Writing language)
A solution of the problem
Behavior has no red part.
behavior change
Behavior has a red part.
specification in predicate logic
an extensible contract verifier of COW
Primitive predicates are provided.
e.g., call (statement, method)
Suguru SHINOTSUKA
<[email protected]>
4
Reminder Outline

Problem in Weaving

COW

Contract Verifier

Related Work & Future Work

Conclusion
Suguru SHINOTSUKA
<[email protected]>
5
Problem in Weaving

Problem Example
class Line {
Point p1, p2;
void moveBy(int dx, int dy) {
classp1.x
Line+=
{ dx; p1.y += dy;
p2.x
+=and
dx; the
p2.y p2
+= dy;
p1,
p2;
Redrawing Point
the
p1
points
}void
Display.redrawLine(this);
moveBy(int
dx,
dy)
{
⇒ Method }behavior
is changed
byint
the
revision.
} p1.moveBy(dx, dy);
⇒ incorrect
} weaving
p2.moveBy(dx, dy);
class Line {
Point p1, p2;
void moveBy(int dx, int dy) {
Line
p1.moveBy(dx, dy);
- p1, p2: Point
p2.moveBy(dx, dy);
Display.redrawLine(this);
}
weaving
Point
}
redraw
- x, y: int
Display
redraw
class Point {
int x, y;
void moveBy(int dx, int dy) {
x += dx; y += dy;
} Display.redrawPoint(this);
} }
}
}
weaving
aspect
} LineObserver {
after(Line l):
execution(* Line.moveBy(..)) && target (l)
{
Display.redrawLine(l);
}
}
aspect PointObserver {
after(Point p):
weaving
execution(* Point.moveBy(..)) && target (p)
{
Display.redrawPoint(p);
Suguru SHINOTSUKA
}
<[email protected]>
}
6
COW

COW is a method for verifying the correctness of weaving.
We
specify
We
acall
property
these
specifications:
controlmethod
and data
flow
weaving
= mechanism
forof
changing
behavior
before and- after
weaving. (requires)
Pre-condition
- by using- predicate
logic.(ensures)
Post-condition
- Primitive- Invariant
predicates
(invariant)
are provided.
correctness
method of
behavior
weaving
≒ =property
correctness
of control
of method
and data
behavior
flow before
after weaving
how behavior changesand
= behavior
before and after weaving
Contract between class and aspects.
We can verify whether this specification is satisfied.
Suguru SHINOTSUKA
<[email protected]>
7
COW

COW (COntract Writing language)
before weave（pre-condition）： redrawing nothing
contract LineContract restricts Line {
after weave（post-condition）： redrawing line only
define redrawingPoint() {
target(t) && entry(t, e) && controlFlow(t, s, e)
&& call(s, void Display.redrawPoint(Point))
}
Line.moveBy()
define redrawingLine() {
target(t) && entry(t, e) && controlFlow(t, s, e)
&& call(s, void Display.redrawLine(Line))
}
define redrawingNothing() {
! redrawingPoint() && ! redrawingLine()
}
call
call of
of Display.redrawPoint
Display.redrawLine
define redrawingLineOnly () {
redrawingLine() && ! redrawingPoint()
}
void moveBy(int, int) {
requires(redrawingNothing());
ensures(redrawingLineOnly());
}
Suguru SHINOTSUKA
8
}
<[email protected]>
language for describing contracts
COW

Primitive Predicates
Predicate
Meanings
Predicate
owner (x, t)
x is an actuator, a field, an inner
class of type t.
target (a)
An actuator a is a target of
constraint.
source (a)
An advice a is woven to the target
actuator.
Meanings
variable (v)
Symbol v is a local variable.
entry (a, s)
The entry statement of an actuator a is s.
call (s, a)
Statement s calls an actuator a.
return (s)
s is a returning statement.
write (s, v)
Statement s writes to a symbol v.
method (a)
Actuator a is a method.
read (s, v)
Statement s reads a symbol v.
constructor (a)
Actuator a is a constructor.
defuse (s, dv, sv)
beforeAdvice (a)
Actuator a is a before-advice.
At statement s, symbol dv is written using
symbol sv.
afterAdvice (a)
Actuator a is an after-advice.
controlFlow (a, g, s)
aroundAdvice (a)
Actuator a is an around-advice.
In control flow under an actuator a,
statement g can be reached from a
statement s.
field (v)
Symbol v is a class field.
dataFlow (a, d, dv, s, sv)
enumerator (v)
Symbol v is an enumerator.
In data flow under an actuator a, s symbol
dv in a statement d can be reached from a
symbol sv in a statement s.
parameter (v)
Symbol v is an actuator’s formal
parameter.
equal (x, y)
x equals y.
Suguru SHINOTSUKA
<[email protected]>
9
COW

Towards Contract Extension
However…
COW’s
It
is useful
verification
to extendfacility
the verification
is not always
facility
enough.
of COW.
COW ⇒ We can verify whether a change of program behavior is correct.
But a developer
e.g.,
wants to verify the correctness of weaving in every case.
- Can we
whether
programthe
structure
is correctly
changed
By extending
theverify
primitive
predicates,
facility can
be extended.
by intertype weaving?
We developed
anspecify
extensible
contract
verifiercompletely?
that enables a developer
- Can we
program
behavior
to extend the primitive predicates.
Suguru SHINOTSUKA
<[email protected]>
10
Contract Verifier

Implementation Outline
control flow graph in a
Strategy
contract
conditions
Prolog
Prolog
facts
questions
primitive
predicate
definition
program
analysis
result
- Executing
program
analysis
for
Java
/
AspectJ
source
code.
contract
restricts Line
{
e.g.,LineContract
the controlFlow
primitive
predicate:- target(T), entry(T, E),
redrawingPoint
define redrawingPoint()
{
- Verifying whether
contract conditions
in COW
satisfies
controlFlow(T,
S, E),the information
target(t) && entry(t, e) && controlFlow(t,call(S,
s, e) ‘void Display.redrawPoint(Point)’).
from the program
analysis.
S1:
Point.moveBy() entry(Point.moveBy(), S1)
&& call(s, void Display.redrawPoint(Point))
} next(S1, S2)
:- target(T), entry(T, E),
define redrawingLine()
{
Prolog
rules redrawingLine
controlFlow(T,
S, E),
target(t) && entry(t,
&& controlFlow(t,
s, e)
S2: xe)+=
dxStart)
def(Point.x),
use(dx)
controlFlow(Scope,
Goal,
:call(S,
‘void
Display.redrawLine(Line)’).
&& call(s, void Display.redrawLine(Line))
traverse(Scope,
Goal, Start, []).
next(S2,
S3)
}
traverse(Scope,
Goal,
:define redrawingNothing() { Start, Visited)
redrawingNothing
:S3:Next,
y +=
dy def(Point.y),
next(Start,
use(dy)＼+ redrawingLine.
! redrawingPoint()
&&
!ScopeList),
redrawingLine()
＼+ redrawingPoint,
member(Scope, ScopeList),
}
next(S3,
S4)
＼+member(Next,
Visited),
define
redrawingLineOnly
() { this verification
redrawingLineOnly
:By using
Prolog
interpreter,
is realized.
Next
=
Goal.
redrawingLine()
&&
!
redrawingPoint()
S4:
Display.redrawPoint(this)
redrawingLine, ＼+ redrawingPoint.
traverse(Scope,
Goal, Start,
Visited)results
:- Translating
the program
analysis
to Prolog facts.
}
next(Start,int)
Next,
call(S4,
void
Display.redrawPoint(Point))
void moveBy(int,
{ ScopeList),
- Translating
the
contract
conditions
Prolog
questions.
| ?- to
redrawingNothing.
member(Scope,
ScopeList),
requires(redrawingNothing());
＼+member(Next,
Visited),
- Givingensures(redrawingLineOnly());
primitive
predicate
definitions
as Prolog rules.
| ?- redrawingLineOnly.
}
}
traverse(Scope, Goal, Next, [Next | Visited]).
Suguru SHINOTSUKA
<[email protected]>
11
Contract Verifier

Extension Mechanism
To verify whether
a primitive predicate is satisfied, the
followspart
are needed:
AA-lib
extension
- Prolog facts used for verifying whetherPrimitive
the primitive
predicate factory
predicate is satisfied
Java
AspectJ
COW
+ toFacts (r: ProgramAnalysisResult): PrologFacts
whether
the ():
primitive
predicate
+ toRule
PrologRule
- Prolog rulesstructure
for verifying
S1:Prolog
Point.moveBy()
is satisfied by the
facts
next(S1, S2)
factory class object
controlFlow(Scope, Goal, Start) :xProgram
+= dx
traverse(Scope,S2:
Goal,
Start,
[]).
analysis result
traverse(Scope, Goal, Start, Visited) :next(S2,
S3)
next(Start,
Next,
ScopeList),
We developed
contract
verifier
that enables such the extension.
flow graph the
flow graph
member(Scope, ScopeList),
Prolog rule and facts
S3:Visited),
y += dy
before weave ＼+member(Next,
after weave
CAVE
Next
= Goal.
If a developer can
next(S3,
add
implementation
S4)
for generating these facts and rules
traverse(Scope, Goal, Start, GNU
Visited)
:Prolog
to the contract
verifier,
the
developer
can
extend primitive predicates.
next(Start,
Next,
ScopeList),
S4:
Display.redrawPoint(this)
Primitive predicate
Prolog questions
structure
member(Scope, ScopeList),
＼+member(Next, Visited),
traverse(Scope, Goal, Next, [Next | Visited]).
database
verification result
Suguru SHINOTSUKA
<[email protected]>
12
Contract Verifier

Primitive Predicate Extension
HowExplanation
to extend primitive
example:predicates by using the primitive predicate factory:
adding new primitive predicate for describing class inheritance relation
PrologFacts
public PrologRule
static
toFacts(ProgramAnalysisResult
void main(String[]
toRule() { args) { r) {
PrologFacts
CowCompiler
PrologRule
facts = cnew
= new
rule
PrologFacts();
=
CowCompiler(args);
Translation.toPrologRule(
“extends(Subclass,ASuperclass) :-” +
for (ClassInheritance
PrimitivePredicateSet
directExtends(Subclass,
i: r.getStructure().getInheritances())
predicates
= c.getPrimitivePredicateSet();
+{class
CSuperclass).”
directly
extends
A⇒
We“ implement
the predicate
factory
to:extends (C, A)
PrologConstant
predicates.add(new
“extends(Subclass,
superClass
ExtendsPredicateFactory());
= Translation.toPrologConstant(i.getSuperClass());
Superclass) :-” +
-step1,
map =the
part of program
analysis
result to the
PrologConstant
c.setPrimitivePredicateSet(predicates);
“ directExtends(Subclass0,
subClass
Translation.toPrologConstant(i.getSubClass());
Superclass),”
+
B in Prolog
C
Facts
and
rules
for
verifying
the
extends
predicate are:
PrologFact fact
“ extends(Subclass,
= new
PrologFact(“directExtends”,
Subclass0).”);
subClass,
superClass);
directExtends
facts (by the
toFacts
method).
facts.add(fact);
c.start();
extends(Subclass, SuperClass) :} }
return
rule;
-step2, generate
the Prolog
rules of the extends
predicate
directExtends(Subclass,
Superclass).
directExtends(‘B’,
‘A’).
}
D
D indirectly
extends A ⇒(by
extends
(D, A) method).
the toRule
‘A’).
returndirectExtends(‘C’,
facts;
factory
class Superclass)
that we implemented
extends(Subclass,
:directExtends(‘D’,
‘C’).
}
directExtends(Subclass0, Superclass),
-step3, adding factory object
to the verifier
extends(Subclass,
Subclass0).
Suguru SHINOTSUKA
<[email protected]>
13
Related Work & Future Work
Related
Future Work
Work
Testing and verification approaches based on contracts:
AspectJ can be extended by using abc, an extensible AspectJ compiler.
At present time, we cannot determine
which approach
is better. for aspects
--Information
Hiding
Interfaces
for Aspect-Oriented
Design
Cona: aspects
for contracts
and
contracts
[K.
FSE
2005] 2004]
[T. Sullivan,
Skotiniotis,
OOPSLA
COW:
Verification
language
based on
predicate
logic can
be extended
by
----a amethod
for
specifying
rules
for
designing
classes
and aspects
method
for
testing
whether
method
behavior
is
correct
- verification
method
using
language
for verification
using
the contract
verifier
thatawe
proposed.
The rules
can be described
by using pointcut language of AspectJ.
- --based
on predicate
logic based
-- inserting
testing code
on DbC by using aspects
- verification method using AspectJ
In the future, we will try to extend both AspectJ and COW
- based on pointcut language
and examine the effectiveness of these approaches.
Suguru SHINOTSUKA
<[email protected]>
14
Conclusion
We have proposed COW as a method for verifying the correctness of weaving
and we proposed an extensible implementation of the COW compiler.
A developer can extend the verification facility of COW.
We believe that the extensibility is useful for verifying the correctness of
weaving in various cases.
Suguru SHINOTSUKA
<[email protected]>
15