Transcript of: Verifying Aspect Advice Modularly, by Shriram Krishnamurthi, Kathi Fisler and Michael Greenberg
Slide 1
Verifying Aspect Advice Modularly
By: Shriram Krishnamurthi, Kathi Fisler, Michael Greenberg
Presented by: Iddit Shalem
Slide 2: Aspect Verification
Aspect-oriented programming is becoming increasingly important.
All stages of the software life cycle are expected to be supported.
Validation of behavioral properties is especially important.
Slide 3: Program Verification
There are algorithms for verifying complete programs (expressed as state machines).
A naive approach would be to compose all advice against the program and verify the result.
Problematic:
  Time consuming.
  Potentially difficult.
Requirement: separate verification.
Slide 4: Separate Verification - Problem Setup
The interface is generated on the program developer's side.
The advice authors do not receive the program, only the interface.
[Figure: interface generation. Program developers feed the program, PCDs and properties into verification, which produces the interface; advice authors validate their aspect and properties against that interface.]
Slide 5: Background
Aspect-oriented programming.
Model checking: a verification technique.
Slide 6: Aspect-Oriented Programming
A pointcut designator (PCD) is a language for describing when an advice should apply (describing joinpoints).
Here we consider only a subset of the PCD language of AspectJ: it expresses patterns over the shape of the call stack, so function calls are the only joinpoints considered.
Slide 7: PCD Language
PCDs are a restricted form of regular expressions.
Pointcut atom:
  Call(f)    for some function name f
  !Call(f)   for some function name f
  true
Pointcut element:
  a pointcut atom
  a*         where a is a pointcut atom
  (e)        where e is a pointcut element
  e1 & e2    where e1 and e2 are pointcut elements
  e1 | e2    where e1 and e2 are pointcut elements
Pointcut designator:
  a pointcut element
  (d)        where d is a pointcut designator
  d1;d2      where d1 and d2 are pointcut designators
  d1|d2      where d1 and d2 are pointcut designators
Slide 8: PCD Language (cont.)
PCDs are a restricted form of regular expressions.
A PCD describes the set of program states at which it applies (the pointcut).
Example PCD: call(h);true*;call(f);true* describes function h called from the flow of function f.
Slide 9: Aspects
An aspect consists of:
  A PCD.
  Advice.
  An advice type (before, after, around).
Slide 10: Model Checking - Formal Models
Program source code => program state machine.
A program state machine represents the control flow of a program fragment.
A state machine is a tuple <S, T, L, s_src, s_sink, S_call, S_rtn>:
  S: states.
  T ⊆ S×S: transitions.
  L: labels of the states.
  s_src, s_sink: the program's entry and exit states.
  S_call, S_rtn: subsets of S (the call and return states).
Slide 11: Program State Machine Example
[Figure: a state machine from source to sink whose states are labelled a or b, with call(f), ret(f), call(h), ret(h), call(g) and ret(g) states.]
Program state machine describing a main program which invokes f and then h, while f invokes g.
Constructed from source code using an inline depth parameter.
Slide 12: CTL Language
CTL atoms are propositions that label states.
Standard combinations by !, ∧, ∨.
Properties of a path are expressed by the operators:
  G(φ): φ is true for all states of the path.
  F(φ): φ is true at some state of the path.
  [φ U ψ]: φ is true at all states until a state where ψ is true.
  X(φ): φ is true at the next state.
Properties referring to the paths leaving a common state are expressed by the operators:
  A: All paths.
  E: there Exists a path.
For example: A[φ U ψ]
Slide 13: CTL Model Checker
Input:
  program state machine
  CTL formula φ
Labels each state with all the sub-formulas of φ that are true at that state.
Slide 14: Modular Verification of Aspects
The presented technique is very limited:
  Verifies only property preservation.
  Supports spectative aspects only.
Slide 15: Modular Verification of Aspects
Input:
  Aspects.
  A property (CTL formula) that holds for the main program.
  An interface to the program (the labeled state machine, including only function call, return, source and sink states).
What to do:
  Identify states that satisfy PCDs.
  Verify the advice (only) when applied at the relevant pointcuts.
Slide 16: Aspect Verification Process
[Figure: the program state machine of slide 11 (states labelled a/b; call(f), call(g), ret(g), ret(f), call(h), ret(h) between source and sink) and an advice A consisting of call(h), ret(h).]
Φ = AG(A[aUb])
P: call(g);true*
Slide 17: Aspect Verification Process
[Figure: the same machine and advice A as on slide 16. The states around the pointcut are marked Before1/Before2 and After1/After2; the advice gets 'in' and 'out' states; the propositions (b) and the sub-formulas (b, A[aUb], AG(A[aUb])) are copied to them.]
Φ = AG(A[aUb])
P: call(g);true*
Q: call(h);true*;call(f);true*
Slide 18: Aspect Verification Process
Assuming pointcuts are marked:
  Add 'in'/'out' states to the advice.
  Mark the advice 'out' state with all the labels from After2 (or Before2).
  Mark the advice 'in' state with the propositions of After1 (or Before1).
  Perform model checking on the advice alone.
  If the advice passes the validation, the composed program satisfies the property.
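The CTL labelling of slide 13 and the slide 18 procedure, as an added example that is not from the slides or the paper: a small explicit-state labeller for the operators Φ needs (propositions, A[φ U ψ], AG), run on a constructed copy of the slides' base program and on a before advice at P. The state names, the self-loop on 'out', and the rule that the advice passes when Φ is rederived at its 'in' state are my reading of the slides, not the paper's exact algorithm.

```python
# Added example (not the slides' or the paper's code): a minimal CTL labeller for
# the operators in Phi = AG(A[a U b]) (propositions, A[phi U psi], AG) plus the
# slide 18 check: copy labels to the advice 'in'/'out' states, then model check the
# advice alone.  Every state needs a successor (sink/'out' self-loop): AX is vacuous otherwise.
def label(succ, props, f):
    """States satisfying f; a formula stored in props[s] counts as proven at s."""
    preset = {s for s in succ if f in props[s]}          # labels copied from the base
    if f[0] == "AP":
        return preset | {s for s in succ if f[1] in props[s]}
    if f[0] == "AU":                  # least fixpoint  Z = psi | (phi & AX Z)
        phi, psi = label(succ, props, f[1]), label(succ, props, f[2])
        z = psi | preset
        while True:
            nz = z | {s for s in phi if all(t in z for t in succ[s])}
            if nz == z:
                return z
            z = nz
    if f[0] == "AG":                  # greatest fixpoint  Z = phi & AX Z
        z = label(succ, props, f[1]) | preset
        while True:
            nz = {s for s in z if all(t in z for t in succ[s])}
            if nz == z:
                return z
            z = nz
    raise ValueError(f[0])

def subformulas(f):
    return [g for p in f[1:] if isinstance(p, tuple) for g in subformulas(p)] + [f]

def advice_preserves(base, phi, before1, before2, advice):
    """Before advice spliced between before1 and before2: 'in' gets before1's propositions,
    'out' every label of before2; phi at 'in' (advice checked alone) => composed program satisfies phi."""
    succ, props = base
    base_labels = {g: label(succ, props, g) for g in subformulas(phi)}
    a_succ, a_props = advice[0], dict(advice[1])
    a_props["in"] = set(props[before1])
    a_props["out"] = set(props[before2]) | {g for g, sat in base_labels.items() if before2 in sat}
    return "in" in label(a_succ, a_props, phi)

# Constructed base program (main calls f, f calls g, then main calls h), propositions a/b,
# and a before advice A at P = call(g);true*: Before1 = call(f), Before2 = call(g); A calls h.
BASE_SUCC = {"src": ["call(f)"], "call(f)": ["call(g)"], "call(g)": ["ret(g)"], "ret(g)": ["ret(f)"],
             "ret(f)": ["call(h)"], "call(h)": ["ret(h)"], "ret(h)": ["sink"], "sink": ["sink"]}
BASE_PROPS = {"src": {"a"}, "call(f)": {"a"}, "call(g)": {"a"}, "ret(g)": {"b"},
              "ret(f)": {"b"}, "call(h)": {"b"}, "ret(h)": {"b"}, "sink": {"b"}}
PHI = ("AG", ("AU", ("AP", "a"), ("AP", "b")))
ADV_SUCC = {"in": ["call(h)"], "call(h)": ["ret(h)"], "ret(h)": ["out"], "out": ["out"]}
GOOD_ADVICE = (ADV_SUCC, {"call(h)": {"a"}, "ret(h)": {"b"}})
BAD_ADVICE = (ADV_SUCC, {"call(h)": {"a"}, "ret(h)": set()})   # neither a nor b breaks A[a U b]
```

The second advice fails because its ret(h) state satisfies neither a nor b, so A[a U b] cannot be rederived at 'in' even though 'out' carries the copied labels.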
Slide 19: Around Advice Verification
Two cases for around advice:
  Calling proceed().
  Not calling proceed().
Slide 20: Around Advice Calling proceed()
[Figure: the base program's call(g)/ret(g) states with propositions a, b, flanked by Before1/Before2 and After1/After2; the around advice, from src to sink, contains a proceed state flanked by Around1/Around2, and the propositions and sub-formulas (a, b) are copied to it.]
Slide 21: Around Advice Not Calling proceed()
Around advice without proceed() can bypass existing states.
[Figure: Φ = AF(b); the advice path skips the state labelled b ("no b").]
This can invalidate a label copied to the advice 'out' state.
Slide 22: Around Advice Not Calling proceed()
This problem arises only under the following conditions:
  Formulas that capture eventual behavior.
  There is a path from the function return state to the call state.
Fix:
  Add more formulas to the interface to be validated.
  Whenever the model checker labels a call state and its return state with an eventual property, it needs to add a formula that checks whether this property is discharged before reaching the return state. In the example case: A((!return) U b).
  If this formula succeeds at the call state of the base program, the formula is included in the interface for the call state, to be checked against the advice.
Slide 23: Identifying Pointcut States From PCDs
[Figure: the machine and advice A of slide 17, with Before1/Before2 and After1/After2 marked.]
Φ = AG(A[aUb])
P: call(g);true*
Q: call(h);true*;call(f);true*
Slide 24: Identifying Pointcut States From PCDs
First suggestion:
  PCDs are regular terms.
  Use the cross product of the PCD state machine and the program state machine.
  To identify pointcuts in advice, mark the advice 'in' state with the PCD state.
Problems:
  The PCD state machine is more complicated than the PCD.
  We expand the states in the tested system.
Slide 25: Identifying Pointcut States From PCDs - Avoiding Cross Products
We can express a PCD by a CTL expression.
Reverse all edges in the program state machine.
We can identify the pointcut states by model checking the PCD's CTL formula.
Slide 26: Example
PCD: call(h);true*;call(f);true*
[Figure: program state machine with the states Call(f), Call(h), ret(h), ret(f), Call(h), ret(h).]
Identifying pointcut states from a PCD by model checking.
Slide 27: Example
PCD: call(h);true*;call(f);true*
CTL formula: call(h) ∧ E(true U call(f))
True for the pointcut states. But what are all the states where the formula becomes true? Where is the problem?
[Figure: the machine of slide 26 (Call(f), Call(h), ret(h), ret(f), Call(h), ret(h)) with before1/before2 marked.]
Identifying pointcut states from a PCD by model checking.
Slide 28: Identifying Pointcut States From PCDs
Translate the PCD into a CTL formula.
Reverse the program state machine graph.
Redirect the edges outgoing from function return states to the successor state of the corresponding call state.
Model check the new graph.
The formula becomes true only on pointcut states.
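The slide 28 procedure as an added example, not from the slides or the paper: the PCD call(h);true*;call(f);true* becomes call(h) ∧ E(true U call(f)), evaluated on the reversed graph of the slide 26 program with and without the return-edge redirection, so the extra match of slide 27 can be seen to disappear. The state names and the explicit return/call pairing are constructed assumptions.

```python
# Added example (not the slides' or the paper's code): identify the pointcut
# states of the PCD  call(h);true*;call(f);true*  by evaluating its CTL form
#   call(h) & E(true U call(f))
# on the reversed program state machine, with and without the slide 28
# redirection: in the reversed graph an edge leaving a return state is sent to
# the reversed successor of the matching call state (the state that preceded
# the call in the original), so the body of an already returned call is skipped.

# Constructed program from slides 26/27: main calls f; f calls h and returns;
# then main calls h again.  EVENT maps a state to the event it represents and
# PAIRS pairs each return state with its call state (assumed to be given).
EDGES = [("src", "call(f)"), ("call(f)", "call(h)1"), ("call(h)1", "ret(h)1"),
         ("ret(h)1", "ret(f)"), ("ret(f)", "call(h)2"), ("call(h)2", "ret(h)2"),
         ("ret(h)2", "sink")]
EVENT = {"call(f)": "call(f)", "call(h)1": "call(h)", "call(h)2": "call(h)",
         "ret(f)": "ret(f)", "ret(h)1": "ret(h)", "ret(h)2": "ret(h)"}
PAIRS = {"ret(f)": "call(f)", "ret(h)1": "call(h)1", "ret(h)2": "call(h)2"}

def reversed_machine(edges, pairs, redirect):
    """Successor map of the reversed graph; with redirect, a return state's
    outgoing edges are replaced by those of its call state."""
    rev = {}
    for a, b in edges:
        rev.setdefault(a, [])
        rev.setdefault(b, []).append(a)
    if redirect:
        for ret, call in pairs.items():
            rev[ret] = list(rev[call])
    return rev

def eu_true(rev, event, goal):
    """E(true U goal): states with some path in rev to a state whose event is goal."""
    sat = {s for s in rev if event.get(s) == goal}
    changed = True
    while changed:                      # fixpoint of reachability in rev
        changed = False
        for s, succs in rev.items():
            if s not in sat and any(t in sat for t in succs):
                sat.add(s)
                changed = True
    return sat

def pointcut_states(redirect):
    """States satisfying call(h) & E(true U call(f)) on the (redirected) reversed graph."""
    rev = reversed_machine(EDGES, PAIRS, redirect)
    return {s for s in rev if EVENT.get(s) == "call(h)"} & eu_true(rev, EVENT, "call(f)")
```

Without the redirection both call(h) states match, because the reversed path from the second one walks back through f's body and reaches call(f); with it only the call of h made from inside f remains.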
Slide 29: Identifying Pointcut Within Advice
[Figure: the program state machine Call(f), Call(h), ret(h), ret(f), Call(h), ret(h) with before1/before2 marked, and Aspect A consisting of Call(g), ret(g).]
Advice type: Before
PCD: call(g);true*;call(f);true*
Slide 30: Identifying Pointcut Within Advice
[Figure: as on slide 29; the advice's source state is labelled E(true U call(f)), and the formula call(g) ∧ E(true U call(f)) is checked on the advice.]
Advice type: Before
PCD: call(g);true*;call(f);true*
CTL formula: call(g) ∧ E(true U call(f))
Slide 31: Identifying Pointcut States From PCDs - Summary
How will we identify pointcuts within an advice?
  Copy the labels relevant to the CTL formula to the source of the advice.
  Perform model checking for identifying pointcuts on the advice.
Slide 32: Conclusions
We have seen a technique that:
  identifies pointcuts;
  given all pointcuts, verifies that properties checked on the base program are preserved in the presence of advice.
Modular verification: separate verification of the base program and the applied advice.
Slide 33: Future Exploration
Preserving properties: what about new properties we want to check only for the advice?
Only spectative aspects are supported.
Limited PCD language.
Each advice may be validated many times (maybe once per state in the pointcut that advises it).