Session 9
Crosscutting Techniques in Program
Specification and Analysis
Mark Stobbe
October 8, 2007
1
Outline
• Hob system
– Implementation
– Specification
– Abstraction
• Scopes
• Examples
• Finishing touch
2
Hob
hob. 1. The block in the center of a wheel, from which the spokes
radiate, and through which the axle passes; -- called also hub or
hob.
Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.
The goal of the Hob project is to verify sophisticated properties of
programs that manipulate complex, heterogenous data structures.
3
Hob system
• Verify data structures
• Abstract set specification
• Different analysis
– Flags
– Linked data structures (PALE)
– Theorem prover (Isabelle)
• Patrick Lam – February 2007
• Implementation is 10,000 lines O’Caml
Flags (2000), PALE (700), Theorem prover (1000)
4
Answering question
Question
The paper talks about the Hob program specification, analysis and
verification system and how it is implemented. But can you tell some
more about it (about the users, usage, maybe a small example about it)?
(Robin)
Answer
Usage seems to be fairly low, in contrast to the more common specification
languages like Z, Spec# and JML.
5
Hob system
• Implementation section
– code
– formats (inter-type declarations)
• Specification section
– interfaces for procedures
(requires/modifies/ensures)
– defaults
• Abstraction section
– specify the connection between
implementation and specification
6
Answering question
Question
Does Hob support the OO concept of inheritance? (Martijn)
Answer
No. Hob uses a syntactically similar language to Java on statement level and a
custom procedure implementation. Common object-oriented features such as
inheritance, dynamic dispatch and object-based encapsulation are not supported.
7
Answering question
Question
In paper they state that formats can be viewed as a case of inter-type
declarations in AspectJ. Could you indicate what they have in common?
(Alesya)
Answer
Formats describe the necessary fields to define a data structure. These fields can
crosscut the data structure itself, but with formats they are centralized to one
location. With inter-type declarations in AspectJ this is the same, you can add
fields to a class, centralized in one place.
8
Answering question
Question
If you have a lot of defaults specified, doesn't that make it easy to
make mistakes (especially in bigger systems)? Either because you think
something already has a default or by not realizing that something has a
default. In the paper in section 4 they claim the opposite, but I think it
all just depends on how clear it is to the programmer, perhaps by tool
support. Any thoughts on this? (Christiaan)
Answer
You have the possibility to define defaults for a whole specification module or use
the pointcut notation they defined. Therefore it is entirely in the hands of the
programmer what should be defaulted. Notice that this is similar to the pointcuts
in AspectJ.
9
Scopes
10
Answering question
Question
The paper mentions "call sites". What are they? (Martijn)
Answer
The places where you invoke a procedure.
11
Flag plugin
• Abstract interpretation
impl module UseList
{
format Node {}
proc use() {
Node n1;
Node n2;
n1 = new Node();
n2 = new Node();
List.add(n1);
List.add(n2);
List.remove(n2);
List.remove(n1);
}
}
spec module UseList
{
proc use()
requires List.Content = {}
modifies List.Content
calls List
ensures List.Content’ = {};
}
abst module UseList
{ use plugin "flags"; }
12
Pointer Assertion Logic Engine
impl module DLLIter {
format Node { next : Node; prev : Node; }
var root, current : Node;
proc isEmpty() returns e:bool { return root == null; }
proc add(n : Node) { ... }
proc remove(n : Node) {
if (n==current) { current = current.next; }
if (n==root) { root = root.next; }
Node prv = n.prev, nxt = n.next;
if (prv!=null) { prv.next = nxt; }
if (nxt!=null) { nxt.prev = prv; }
n.next = null; n.prev = null;
}
proc openIter() { current = root; }
proc nextIter() returns n : Node
{ Node n1 = current; current = current.next; return n1; }
proc isLastIter() returns e: bool { return current == null; }
proc closeIter() { current = null; }
}
13
spec module DLLIter {
format Node;
specvar Content, Iter : Node set;
invariant Iter in Content;
proc isEmpty() returns e:bool
ensures e’ <=> (|Content’| = 0);
proc add(n : Node)
requires |n| = 1 & ¬(n in Content)
modifies Content
ensures (Content’ = Content + n);
proc remove(n : Node)
requires |n| = 1 & (n in Content)
modifies Content, Iter
ensures (Content’ = Content - n) & (Iter’ = Iter - n);
proc openIter()
requires |Iter| = 0
modifies Iter
ensures (Iter’ = Content);
proc nextIter() returns n : Node
requires |Iter| >= 1
modifies Iter
ensures |n’| = 1 & (n’ in Iter) & (Iter’ = Iter - n’);
proc isLastIter() returns e:bool
ensures ¬e <=> (|Iter’| >= 1);
proc closeIter()
modifies Iter
ensures |Iter’| = 0;
}
14
Pointer Assertion Logic Engine
• Final glue…
abst module DLLIter
{
use plugin "PALE";
Content = { n : Node | "root<next*>n" };
Iter = { n : Node | "current<next*>n" };
invariant "type Node = {
data next:Node;
pointer prev:Node[thisˆNode.next = {prev}]; }";
invariant "data root : Node;";
invariant "pointer current : Node;";
}
15
Answering question
Question
In the paper they mention Hyperslices a couple of times. I don't really
know what they are but if you have extra time perhaps you can give a short
intro to them to put it in perspective. (Christiaan)
Answer
Hyperslices are similar to aspects. A hyperslice is defined inside a hyperspace and
it encapsulates one concern. Hyper/J uses hyperslices to solve the problem of
crosscutting functionality. Hyper/J falls in the category of subject-oriented
techniques.
16
Answering question
Question
Are there any other methods/techniques for program specification,
analysis and verification for Aspect Oriented Programming/AspectJ?
(Robin)
Answer
There is more mathematical approach using superposition. Superposition is
a way to reason about first-order logic equations. Most theorem provers
nowadays are based on superposition. The idea is to slice the specification
in views, which all describe one concern. Together with some first-order logic
you can then verify the program according to the specification.
Another system is Moxa. Moxa uses crosscutting to cope with the problem of
specification aggregation. Basically it is an extended version of the Java Modeling
Language (JML) with aspects applied.
17
Continue answering question
Question
Are there any other methods/techniques for program specification,
analysis and verification for Aspect Oriented Programming/AspectJ?
(Robin)
Answer
There has also been some research into checking aspect-oriented programs. One
way described in the paper by S. Krishnamurthi, is to take the verification system
for the base program. At each join point where an aspect is applied you keep the
state of the verification system and you check this against the aspects
specification.
18
Answering question
Question
In figure 3 in format Cell they have init:bool twice. Do you have any
idea why that is? Could this somehow be related to scopes or something?
(Christiaan)
Answer
The paper is a draft. Did you notice the other mistakes in the examples? And, of
course, the spelling mistakes?
19