11

Verifying Aspect Advice Verifying Aspect Advice ModularlyModularly

By:Shiram Krishnamurthi By:Shiram Krishnamurthi

Kathi FislerKathi FislerMichael GreenbergMichael Greenberg

Presented by:Iddit ShalemPresented by:Iddit Shalem

22

Aspect VerificationAspect Verification

Aspect Oriented Programming becomes Aspect Oriented Programming becomes increasingly important.increasingly important.

All software cycle stages are expected to be All software cycle stages are expected to be supported.supported.

Validation of behavioral properties is Validation of behavioral properties is especially important. especially important.

33

Program VerificationProgram Verification

There are algorithms for verifying complete There are algorithms for verifying complete programs ( expressed as state-machine).programs ( expressed as state-machine).

A naive approach would be to compose all A naive approach would be to compose all advices against the program .advices against the program .

Problematic:Problematic: Time consuming . Time consuming . Potentially difficult Potentially difficult

Requirment – Separate verificationRequirment – Separate verification

44

Separate verification - Problem Separate verification - Problem setupsetup

Interface generated at the program developer side.Interface generated at the program developer side. The advice authors does not receive the program, The advice authors does not receive the program,

only the interface.only the interface.

Interface Generation

Program Developers

Program PCDs Properties

VerificationInterface

Validation

Properties Aspect

Advice Authors

55

BackroundBackround

Aspect-Oriented programming .Aspect-Oriented programming . Model-Checking – a verification technique.Model-Checking – a verification technique.

66

Aspect-oriented programmingAspect-oriented programming

Pointcut designator (PCD) is a language for Pointcut designator (PCD) is a language for describing when an advice should apply describing when an advice should apply (describing joinpoints).(describing joinpoints).

Here we consider only a subset of the PCD Here we consider only a subset of the PCD language of AspectJ – expresses patters over language of AspectJ – expresses patters over the shape of the call stack => function calls are the shape of the call stack => function calls are the only joinpoints considered.the only joinpoints considered.

77

PCD LanguagePCD Language

PCD are a restricted form of regular expressionsPCD are a restricted form of regular expressions Pointcut atomPointcut atom

Call(f)Call(f) for some function name f for some function name f !Call(f)!Call(f) for some function name f for some function name f truetrue

Pointcut elementPointcut element a pointcut atoma pointcut atom a*a* where a is a pointcut atom. where a is a pointcut atom. (e) (e) where e is a pointcut elementwhere e is a pointcut element e1 & e2 e1 & e2 where e1 and e2 are pointcut elementswhere e1 and e2 are pointcut elements e1 | e2 e1 | e2 where e1 and e2 are pointcut elementswhere e1 and e2 are pointcut elements

Pointcut designatorPointcut designator a point cut elementa point cut element (d) (d) where d is a pointcut designatorwhere d is a pointcut designator d1;d2d1;d2 where d1 and d2 are pointcut designator where d1 and d2 are pointcut designator d1|d2d1|d2 where d1 and d2 are pointcut designator where d1 and d2 are pointcut designator

88

PCD language Cont’PCD language Cont’

PCD are a restricted form of regular PCD are a restricted form of regular expressions.expressions.

A PCD subscribes a set of program states at A PCD subscribes a set of program states at which it applies ( pointcut).which it applies ( pointcut).

Example PCD : Example PCD : call(h);true*;call(f);true*call(h);true*;call(f);true*describes function h called from the flow of describes function h called from the flow of function f.function f.

99

AspectsAspects

An aspect consists of:An aspect consists of: PCD.PCD. Advice.Advice. Advice type ( before, after , around).Advice type ( before, after , around).

1010

Model Checking – Formal ModelsModel Checking – Formal Models

Program source code => Program state machine.Program source code => Program state machine. Program state machineProgram state machine represents the control- represents the control-

flow of a program fragment.flow of a program fragment. State Machine is a tuple <State Machine is a tuple <S,T,L,ssrc,ssink,Scall,Srtn>>

S – states.S – states. T – included in SxS.T – included in SxS. L – labels of the states.L – labels of the states. sssrcsrc,s,ssinksink – program’s entry and exit states. – program’s entry and exit states. SScallcall,S,Srtnrtn - Subsets of S. - Subsets of S.

1111

Program State Machine ExampleProgram State Machine Examplea a a a

b

b

b

b b

b b

b b

b

call(f)

ret(f)

call(h)

ret(h)

call(g)

ret(g)

Program state machine describing a main program which invokes f and then h, while f invokes g.

Constructed from source code using inline depth parameter.

source

sink

1212

CTL languageCTL language CTL atoms are propositions that label states. CTL atoms are propositions that label states. Standard combinations by !,Standard combinations by !,∧∨∧∨ Properties of a Properties of a pathpath is expressed by the operators: is expressed by the operators:

G(G(φφ) – ) – φφ is true for all states of the path. is true for all states of the path. F(F(φφ) – ) – φφ is true at some state of the path. is true at some state of the path. [[φφ U U ψψ]] φφ is true at all states until a state where is true at all states until a state where ψψ is true. is true. X(X(φφ) – ) – φφ is true at the next state. is true at the next state.

Properties referring to Properties referring to pathspaths leaving a common state is leaving a common state is expressed by the operators:expressed by the operators: A – A – AAll pathsll paths E – There E – There EExists a path.xists a path.

For example :A[For example :A[φφ U U ψψ]]

1313

CTL Model-CheckerCTL Model-Checker

Input:Input: program state machineprogram state machine CTL formula CTL formula φφ

Labels each state with all the sub-formulas of Labels each state with all the sub-formulas of φφ that are true at that state. that are true at that state.

1414

Modular verification of AspectsModular verification of Aspects

The presented techniqe is very limited.The presented techniqe is very limited. Verifies only property preservation.Verifies only property preservation. Supports spectative aspects only.Supports spectative aspects only.

1515

Modular verification of AspectsModular verification of Aspects

Input:Input: Aspects Aspects Property ( CTL Formula) that holds for the main program.Property ( CTL Formula) that holds for the main program. Interface to the program. ( the labeled state-machine, Interface to the program. ( the labeled state-machine,

including only function call , return, source and sink including only function call , return, source and sink states).states).

What to do:What to do: Identify states that satisfy PCDs.Identify states that satisfy PCDs. Verify the advice (only) when applied at the relevant point-Verify the advice (only) when applied at the relevant point-

cuts.cuts.

1616

Aspect Verification ProcessAspect Verification Processa a

a a

b b

b b

b b

b b

b

ret(f)

call(h)

ret(h)

ret(g)

a b

a b

call(f)

call(g)

Advice A:

call(h)

ret(h)

source

sink

ΦΦ = AG(A[aUb]) = AG(A[aUb])

P: call(g);true*P: call(g);true*

1717

Aspect Verification ProcessAspect Verification Processa a

a a

b b

b b

b b

b b

b

ret(f)

call(h)

ret(h)

ret(g)

a b

a b

call(f)

call(g)

Advice A:

call(h)

ret(h)

source

sink

ΦΦ = AG(A[aUb]) = AG(A[aUb])

P: call(g);true*P: call(g);true*Q: call(h);true*; call(f);true*Q: call(h);true*; call(f);true*

Before1 Before2

After2 After1

propositions

Propositions

sub-formulas

b

bA[aUb],AG(A[aUb])

in

out

1818

Aspect Verification Process Aspect Verification Process

Assuming pointcuts are markedAssuming pointcuts are marked Add ‘in’/’out’ states to the adviceAdd ‘in’/’out’ states to the advice Mark the advice ‘out’ state with all the labels Mark the advice ‘out’ state with all the labels

from After2 ( or Before2)from After2 ( or Before2) Mark the advice ‘in‘ state with propositions of Mark the advice ‘in‘ state with propositions of

After1 ( Before1).After1 ( Before1). Preform model checking on the advice alonePreform model checking on the advice alone If the advice passed the validation, the If the advice passed the validation, the

composed program satisfy the property.composed program satisfy the property.

1919

Around Advice VerificationAround Advice Verification

Two cases for around adviceTwo cases for around advice Calling proceed()Calling proceed() Not calling proceed().Not calling proceed().

2020

Around Advice Calling ProceedAround Advice Calling Proceed

a a

b bret(g)

call(g)Before1

After2

Before2

After1

Base Program Around Advice

src

sink

proceed

Around1

Around2

propositions

Propositions

sub-formulas

a

b

a

b

2121

Around Advice Not Calling ProceedAround Advice Not Calling Proceed

Around without proceed can bypass existing states. Around without proceed can bypass existing states.

no b

Φ = AF(b)

b

Can invalidate a label copied to the advice out state.Can invalidate a label copied to the advice out state.

2222

Around Advice Not Calling ProceedAround Advice Not Calling Proceed

This problem arises only under the conditions:This problem arises only under the conditions: Formulas that capture eventual behavior.Formulas that capture eventual behavior. There is a path from the function return state to the call There is a path from the function return state to the call

state.state. Fix :Fix :

Add more formulas to the interface to be validated.Add more formulas to the interface to be validated. When ever a model checker labels call state and return When ever a model checker labels call state and return

state with an eventual property, needs to add a formula state with an eventual property, needs to add a formula that checks if this property is discharged before reaching that checks if this property is discharged before reaching the return state. In example case A((!return) U b). the return state. In example case A((!return) U b).

If this formula succeeds at the call state of the base If this formula succeeds at the call state of the base program, the formula is included in the interface for the program, the formula is included in the interface for the call state to be checked against the advice.call state to be checked against the advice.

2323

Identifying Pointcut States From Identifying Pointcut States From PCDsPCDs

a a

a a

b b

b b

b b

b b

b

ret(f)

call(h)

ret(h)

ret(g)

a b

a b

call(f)

call(g)

Advice A:

call(h)

ret(h)

source

sink

ΦΦ = AG(A[aUb]) = AG(A[aUb])

P: call(g);true*P: call(g);true*Q: call(h);true*; call(f);true*Q: call(h);true*; call(f);true*

Before1 Before2

After2 After1

2424

Identifying Pointcut States From Identifying Pointcut States From PCDsPCDs

First Suggestion.First Suggestion. PDCs are regular terms.PDCs are regular terms. Use the cross-product between the PCD state machine and Use the cross-product between the PCD state machine and

the program state machine.the program state machine. To identify pointcuts in advice, mark the advice ‘in’ state To identify pointcuts in advice, mark the advice ‘in’ state

with the PCD state.with the PCD state. Problems:Problems:

PCD state machine more complicated than the PCDPCD state machine more complicated than the PCD We expand the states in the tested system.We expand the states in the tested system.

2525

Identifying Pointcut States From Identifying Pointcut States From PCDs – Avoiding cross productsPCDs – Avoiding cross products

We can express a PCD by CTL expression.We can express a PCD by CTL expression. Reverse all edges in the program state machineReverse all edges in the program state machine We can identify the point-cut states, byWe can identify the point-cut states, by Model- Model-

CheckingChecking the PCD CTL formula. the PCD CTL formula.

2626

ExampleExample call(h); true*;call(f);true*;call(h); true*;call(f);true*; Call(f)

Call(h)

ret(h)

ret(f)

Call(h)

ret(h)

Identifying pointcut states from PCD by Identifying pointcut states from PCD by Model CheckingModel Checking

2727

ExampleExample call(h); true*;call(f);true*;call(h); true*;call(f);true*; call(h) call(h) ∧ ∧ E ( true U call(f) )E ( true U call(f) ) True for the pointcput states.True for the pointcput states. But what are all the states where But what are all the states where

the formula becomes true?the formula becomes true? Where is the problem?Where is the problem?

Call(f)

Call(h)

ret(h)

ret(f)

Call(h)

ret(h)

Identifying pointcut states from PCD by Identifying pointcut states from PCD by Model CheckingModel Checking

before1before2

2828

Identifying pointcut states from Identifying pointcut states from PCDs PCDs

Translate PCD into a CTL formulaTranslate PCD into a CTL formula Reverse the program state machine graph.Reverse the program state machine graph. Redirect edges outgoing function return states, Redirect edges outgoing function return states,

to the successor state of the corresponding call to the successor state of the corresponding call state.state.

Model check the new graphModel check the new graph Formula becomes true only on pointcut states.Formula becomes true only on pointcut states.

2929

Call(f)

Call(h)

ret(h)

ret(f)

Call(h)

ret(h)

Identifying pointcut within adviceIdentifying pointcut within advice

before1before2

Adivce type : Before

PCD: call(g);true*;call(f);true*

Call(g)

ret(g)

Aspect A

3030

Call(f)

Call(h)

ret(h)

ret(f)

Call(h)

ret(h)

Identifying pointcut within adviceIdentifying pointcut within advice

before1before2

Adivce type : Before

PCD: call(g);true*;call(f);true*

Call(g)

ret(g)

Aspect A

call(g) E ( true U call(f) )∧call(g) E ( true U call(f) )∧

E(true U call(f))

3131

Identifying pointcut states from Identifying pointcut states from PCDs - SummaryPCDs - Summary

How will we identify pointcuts within an How will we identify pointcuts within an advice? advice?

Copy labels, relevant to the CTL formula, to Copy labels, relevant to the CTL formula, to the source of the advicethe source of the advice

Preform model checking for identifying Preform model checking for identifying pointcut on the advice.pointcut on the advice.

3232

ConclusionsConclusions

We’ve seen a techniqueWe’ve seen a technique identifies pointcutsidentifies pointcuts Given all pointcuts, verifies properties, checked on Given all pointcuts, verifies properties, checked on

the base program, are reserved in the presence of the base program, are reserved in the presence of advices.advices.

Modular verification - separate verification, Modular verification - separate verification, between the base program and the applied between the base program and the applied advicesadvices

3333

Future explorationFuture exploration

Preserving properties. What about new Preserving properties. What about new properties we want to check only for the properties we want to check only for the advices.advices.

Spectative aspects supported only.Spectative aspects supported only. Limited PCD language .Limited PCD language . Each advice may be validated many times Each advice may be validated many times

( maybe once per each state in the point cut ( maybe once per each state in the point cut that advises it.that advises it.