Reasoning, specification, and verification of Aspect-Oriented (AO) programs presents unique challenges especially as such programs evolve over time. Components, base-code and aspects alike, may be easily added, removed, interchanged, or presently unavailable at unpredictable frequencies. Consequently, modular reasoning of such programs is highly attractive as it enables tractable evolution, otherwise necessitating that the entire program be reexamined each time a component is changed. It is well known, however, that modular reasoning about AO programs is difficult. In this paper, we present our ongoing work in constructing a rely-guarantee style reasoning system for the Aspect-Oriented Programming (AOP) paradigm, adopting a trace-based approach to deal with the plug-n-play nature inherent to these programs, thus easing AOP evolution.
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Enforcing Behavioral Constraints in Evolving Aspect-Oriented Programs
1. Enforcing Behavioral Constraints in
Evolving
Aspect-Oriented Programs
Raffi Khatchadourian1*, Johan Dovland2, and Neelam Soundarajan1
1The Ohio State University, USA
2University of Oslo, Norway
*Partially administered during visit to Lancaster University, UK
4. Introduction
• AOP enables modular implementation of cross-
cutting concerns.
• Both formal and informal reasoning about AOP
presents unique challenges especially in respect to
evolution.
5. Introduction
• AOP enables modular implementation of cross-
cutting concerns.
• Both formal and informal reasoning about AOP
presents unique challenges especially in respect to
evolution.
• As components enter, exit, and re-enter software,
conclusions about behavior of components may be
invalidated.
16. What We Want
• Desire a compositional reasoning approach, however
the invasive nature of AOP makes this difficult.
17. What We Want
• Desire a compositional reasoning approach, however
the invasive nature of AOP makes this difficult.
• In the worst case, changes made to a single
component require reexamining the entire program.
19. Questions
• Can we draw meaningful conclusions about
component code without considering the actual
advice code?
20. Questions
• Can we draw meaningful conclusions about
component code without considering the actual
advice code?
• Can we specify the behavior of components without
any particular advice in mind?
21. Questions
• Can we draw meaningful conclusions about
component code without considering the actual
advice code?
• Can we specify the behavior of components without
any particular advice in mind?
• Can we parameterize specifications over all possibly
applicable aspects?
22. Questions
• Can we draw meaningful conclusions about
component code without considering the actual
advice code?
• Can we specify the behavior of components without
any particular advice in mind?
• Can we parameterize specifications over all possibly
applicable aspects?
• Can we suitably constrain the behavior of aspects as
the software evolves?
25. Hiding Behind Interfaces
• Using interface is
one answer (e.g.,
XPIs, Open
Modules)
• But it would be
nice to have a way
to derive the
enriched behavior
of the base plus the
aspects at compile
time.
28. Insight
• AO programs inherently enjoy plug-n-play
capabilities [Laddad03]
• Crosscutting features can be plugged-in to enrich the
behavior of advised components.
29. Insight
• AO programs inherently enjoy plug-n-play
capabilities [Laddad03]
• Crosscutting features can be plugged-in to enrich the
behavior of advised components.
• Likewise, can we specify components so that we can
derive their behaviors in a similar fashion?
42. Obstacles
• Usefulness
• Is it possible to draw meaningful conclusions from
such incomplete information?
43. Obstacles
• Usefulness
• Is it possible to draw meaningful conclusions from
such incomplete information?
• Obliviousness
44. Obstacles
• Usefulness
• Is it possible to draw meaningful conclusions from
such incomplete information?
• Obliviousness
• Specifications contain “slots” for applications of
crosscutting concerns.
50. Obstacles
• Abstraction
• Competing forces:
• Specs abstract internal details components,
aspects directly manipulate them.
• Composition
• Which pegs go into which holes?
51. Obstacles
• Abstraction
• Competing forces:
• Specs abstract internal details components,
aspects directly manipulate them.
• Composition
• Which pegs go into which holes?
• How to deal with dynamic and lexical pointcuts?
52. Obstacles
• Abstraction
• Competing forces:
• Specs abstract internal details components,
aspects directly manipulate them.
• Composition
• Which pegs go into which holes?
• How to deal with dynamic and lexical pointcuts?
• Complexity
53. Obstacles
• Abstraction
• Competing forces:
• Specs abstract internal details components,
aspects directly manipulate them.
• Composition
• Which pegs go into which holes?
• How to deal with dynamic and lexical pointcuts?
• Complexity
• What if no advice is applicable?
57. Tackling Specification Complexity
• May need to make assumptions about the behavior of
evolving components.
• Specification pointcuts
• Pointcut interfaces [Gudmundson01] annotated
with behavioral specifications.
58. Tackling Specification Complexity
• May need to make assumptions about the behavior of
evolving components.
• Specification pointcuts
• Pointcut interfaces [Gudmundson01] annotated
with behavioral specifications.
• “Exported” internal semantic events within the
component.
59. Tackling Specification Complexity
• May need to make assumptions about the behavior of
evolving components.
• Specification pointcuts
• Pointcut interfaces [Gudmundson01] annotated
with behavioral specifications.
• “Exported” internal semantic events within the
component.
• Adopt a rely-guarantee approach [Xu97] from
concurrent programming to constrain the behavior
of all possibly applicable advice using a rely clause.
60. Tackling Specification Complexity
• May need to make assumptions about the behavior of
evolving components.
• Specification pointcuts
• Pointcut interfaces [Gudmundson01] annotated
with behavioral specifications.
• “Exported” internal semantic events within the
component.
• Adopt a rely-guarantee approach [Xu97] from
concurrent programming to constrain the behavior
of all possibly applicable advice using a rely clause.
• A guar clause may be used to constrain components.
61. Review of R/G for AOP [Khatchadourian07,
Soundarajan07]
the set of all variables of
σ the program
states in which each
σi , σj , ... variable has a particular
value
69. The state at a point in the execution
of a component is σa.
!a
Aspect
!b
70. The state at a point in the execution
of a component is σa.
!a
Aspect
!b
The state when the class gets control
back from an aspect is σb.
71. The state at a point in the execution
of a component is σa.
!a
Aspect
rely(σa, σb)
!b
The state when the class gets control
back from an aspect is σb.
78. Deriving Effective Behavior
• Constraining parameterized behavior reduces
complexity, but ...
• How are formal parameters expressed?
79. Deriving Effective Behavior
• Constraining parameterized behavior reduces
complexity, but ...
• How are formal parameters expressed?
• How are actual parameters deduced?
80. Deriving Effective Behavior
• Constraining parameterized behavior reduces
complexity, but ...
• How are formal parameters expressed?
• How are actual parameters deduced?
• How are the specifications composed?
81. Deriving Effective Behavior
• Constraining parameterized behavior reduces
complexity, but ...
• How are formal parameters expressed?
• How are actual parameters deduced?
• How are the specifications composed?
• Aspects are typically used to enrich the behavior of
the an underlying component.
82. Deriving Effective Behavior
• Constraining parameterized behavior reduces
complexity, but ...
• How are formal parameters expressed?
• How are actual parameters deduced?
• How are the specifications composed?
• Aspects are typically used to enrich the behavior of
the an underlying component.
• Thus, we want to deriving the actual behavior of
components with the aspects.
84. Join Point Traces
• A Join Point Trace (JPT) variable is introduced to
track the flow-of-control through various join points
within a component.
85. Join Point Traces
• A Join Point Trace (JPT) variable is introduced to
track the flow-of-control through various join points
within a component.
• A JPT is used as a parameter over the actions of all
possibly applicable aspects.
86. Join Point Traces
• A Join Point Trace (JPT) variable is introduced to
track the flow-of-control through various join points
within a component.
• A JPT is used as a parameter over the actions of all
possibly applicable aspects.
• Method post-conditions will references to the JPT.
87. Join Point Traces
• A Join Point Trace (JPT) variable is introduced to
track the flow-of-control through various join points
within a component.
• A JPT is used as a parameter over the actions of all
possibly applicable aspects.
• Method post-conditions will references to the JPT.
• Informally, a JPT is used to refer to the actions and
resulting values taken by advice at certain join point.
89. Elements of the JPT
• The JPT is composed of several components that are
associated with each join point.
90. Elements of the JPT
• The JPT is composed of several components that are
associated with each join point.
• Just as there are different kinds of join points (e.g.,
call, execution), there different kinds of JPT
entries.
91. JPT Method Call Completion Element
(oid , mid , aid , args, res, σ, σ )
92. JPT Method Call Completion Element
(oid , mid , aid , args, res, σ, σ )
Called Object
93. JPT Method Call Completion Element
Called
Method
(oid , mid , aid , args, res, σ, σ )
Called Object
94. JPT Method Call Completion Element
Called
Method
(oid , mid , aid , args, res, σ, σ )
Applicable
Called Object
Aspect
95. JPT Method Call Completion Element
Called Argument
Method Values
(oid , mid , aid , args, res, σ, σ )
Applicable
Called Object
Aspect
96. JPT Method Call Completion Element
Called Argument
Method Values
(oid , mid , aid , args, res, σ, σ )
Applicable Method
Called Object Return Value
Aspect
99. JPT Method Call Completion Element
State Vectors
σ, σ
σ[oid] State of object oid after
completion of method mid
100. JPT Method Call Completion Element
State Vectors
σ, σ
σ[oid] State of object oid after
completion of method mid
σ [oid] State of object oid after
completion of aspect aid
101. JPT Method Call Completion Element
State Vectors
σ, σ
σ[oid] State of object oid after
completion of method mid
σ [oid] State of object oid after
completion of aspect aid
No applicable advice =⇒ σ = σ
145. Conclusion
• On-going work (hopefully thesis worthy! ;) )
• Complete formal model (suggestions here?)
• Sound axiomatic proof system
146. Conclusion
• On-going work (hopefully thesis worthy! ;) )
• Complete formal model (suggestions here?)
• Sound axiomatic proof system
• Curbing notational complexity via predicates.
147. Conclusion
• On-going work (hopefully thesis worthy! ;) )
• Complete formal model (suggestions here?)
• Sound axiomatic proof system
• Curbing notational complexity via predicates.
• Integration with IDE/theorem provers.
148. Conclusion
• On-going work (hopefully thesis worthy! ;) )
• Complete formal model (suggestions here?)
• Sound axiomatic proof system
• Curbing notational complexity via predicates.
• Integration with IDE/theorem provers.
• Complement the Eclipse AJDT with a behavioral
cross reference view?
149. Conclusion
• On-going work (hopefully thesis worthy! ;) )
• Complete formal model (suggestions here?)
• Sound axiomatic proof system
• Curbing notational complexity via predicates.
• Integration with IDE/theorem provers.
• Complement the Eclipse AJDT with a behavioral
cross reference view?
• Integration with languages (e.g., via annotated
pointcuts, JML)