View
226
Download
0
Category
Preview:
Citation preview
1
Alloy-based Lightweight Verificationfor Aspect-oriented Architecture
Naoyasu Ubayashi (Kyushu Institute of Technology)Yuki Sato (Kyushu Institute of Technology)Akihiro Sakai (Kyushu University)Tetsuo Tamai (University of Tokyo)
August 20, 2007
SERA 2008
2
Aspect-oriented Programming
AOP is a programming paradigm in which crosscutting concerns are modularized as aspects.
Display updating
after (FigureElement fe): (call(void set*(..)) && target(fe) { fe.display.update(fe); }
advice
pointcut
AspectJ
Problem
A concern considered crosscutting in one situation might be primary in others. It is not desirable to fix a certain concern as either primary or crosscutting.
It is not easy to understand the overall behavior of a woven program.
3
Our previous work [ASE’07]
A new interface mechanism called Weaving-interface
A new AOP language called ccJava Weaving-interface can be regarded as
an ADL (Architecture Description Language)
All concerns are described as class components.
This ADL can describe how to compose (weave) these components.
But, programming-level idea …
Display Point Line
Today’s Talk: Verifiable AO MDD
Not only programming-level but also design-level notion
ADL for bridging the gaps between architectural design and implementation
4
Architectural Design
Weaving-interface
Java
Designs and verifies an architecture represented by a set of weaving-interfaces
(Alloy-based architecture verification)
Implements verified weaving interfaces
5
Outline
1. Motivation2. AO verifiable MDD3. Architecture verification based on Alloy4. Related work5. Conclusion
7
Example --- Figure editor
interface Shape { public void moveBy(int dx, int dy);}
class Point implements Shape { int x, y; public int getX() { return x; } public int getY() { return y; } public void setX(int x) { this.x = x; } public void setY(int y) { this.y = y; } public void moveBy(int dx, int dy) { x += dx; y += dy; }}
class Line implements Shape { Point p1, p2; public Point getP1() { return p1; } public Point getP2() { return p2; } public void setP1(Point p1) { this.p1 = p1; } public void setP2(Point p2){ this.p2 = p2; } public void moveBy(int dx, int dy) { p1.x += dx; p1.y += dy; p2.x += dx; p2.y += dy; }}
class Display { public static void update() { /* the detail is ommited */ }}
Three concern components are woven together by component and connector architecture based on weaving-interface.
ComponentComponent
ComponentComponent
ComponentComponent
8
AO weaving based oncomponent-connector architecture
classDisplay
classPoint
classLine
classLogging
wDisplay wPoint wLine
wLogging
redraw + changeComponentComponent
Weaving-interfaceWeaving-interface
ConnectorConnector
class Pointimplements Shape { int x, y; public int getX() { return x; } public int getY() { return y; } public void setX(int x) { this.x = x; } public void setY(int y) { this.y = y; } public void moveBy(int dx, int dy) { x += dx; y += dy; }}
change
redraw
class Display { public static void update() { }}
9
ccJava – AOP language for supporting Weaving-interface
public w_interface wPoint {pointcut change():execution(void setX(int)) ||execution(void setY(int)) ||execution(void moveBy(int, int));import before(), after() returning, around() : change();}
public w_interface wLine {pointcut change():execution(void setP1(Point)) ||execution(void setP2(Point)) ||execution(void moveBy(int, int));import before(), after() returning, around() : change();}
public w_interface wDisplay {pointcut redraw(): execution(void update());import before(), after() returning : redraw();export redraw();} weave {
class Point implements wPoint; class Line implements wLine; class Display implements wDisplay;
connect(port1:wDisplay.redraw, port2:{wPoint || wLine}.change) { after() returning : port2 { port1.proceed(); }}
ConnectorConnector
Port Definition
Port Connection
CoordinationCode
Weaving-interfaceWeaving-interface
Coordination TypeBeforeAfter
Aroundintroduce
Connector descriptions depend on only weaving-interfaces.
Architecture can be represented byWeaving-interface + connector.
Weaving-interface+Connector
is a kind of
ADL
10
Problems
Although Weaving-interface enables a programmer to describe AO architecture, there is a gap between architecture design and implementation.
Verifiable AO MDD
ccModeler & ccJava
12
Architectural Design
Weaving-interface
Java
ccModeler
ccJava
Designs and verifies an architecture represented by a set of weaving-interfaces
Implements verified weaving interfaces
Architecture Design & verification
Refinement
Alloy
Alloy is a simple structural modeling language based on relational logic.
The Alloy analyzer, a tool for Alloy, can automatically generate instances of invariants, simulate the execution of operations, and check user-specified properties of a model.
14
Lightweight Formal Methods
Although neither soundness nor completeness is guaranteed, it makes more sense to sacrifice the capability of finding proofs for the capability of reliably detecting errors.
We use Alloy as a design debugger !
15
Weaving-Interface meta modeldescribed in Alloy
abstract sig WeavingInterface { importType : set Advice, import : set Pointcut, export : set Pointcut}
abstract sig Advice {}one sig Before, After, Around extends Advice {}
abstract sig Pointcut {}
abstract sig Implement { class : set Class, weavingInterface : set WeavingInterface}
abstract sig Connect { port1 : set WeavingInterface, port2 : set WeavingInterface, connectionType : Advice}
ConcernComponent
(class)
ConcernComponent
(class)
weaving I/F
connector
weaving I/F
16
Translationfrom weaving-interface into Alloy (1)
Alloy
public w_interface wPoint { pointcut change(): execution(voidsetX(int)) || execution(voidsetY(int)) || execution(voidmoveBy(int, int)); import before(), after() returning, around() : change();}
public w_interface wDisplay { pointcut redraw(): execution(void update()); import before(), after() returning : redraw(); export redraw();}
one sig noPct, setX, setY, moveBy extends Pointcut {}
one sig WPoint extends WeavingInterface {}fact{ WPoint.importType= { Before } + { After } + { Around } WPoint.import= { setX } + { setY } + { moveBy } WPoint.export= { noPct }}
one sig update extends Pointcut {}one sig WDisplay extends WeavingInterface {}fact{ WDisplay.importType = { Before } + { After } WDisplay.import = { update } WDisplay.export = { update }}
Weaving-interface Alloy
17
Translationfrom weaving-interface into Alloy (2)
weave { class Point implements wPoint; class Display implements wDisplay;Connect( port1:wDisplay.redraw, port2:{wPoint || wLine}.change) { after() returning : port2 { port1.proceed(); }}
one sig Weave { implement : set Implement, connect : set Connect}fact { Weave.implement = { PointImplementsWPoint } + { DisplayImplementsWDisplay } Weave.connect = { WDisplayToWPoint } }
one sig PointImplementsWPoint extends Implement {}one sig Point extends Class {}fact{ PointImplementsWPoint.class = { Point } PointImplementsWPoint.weavingInterface = { WPoint }}
one sig DisplayImplementsWDisplay extends Implement {}one sig Display extends Class {}fact{ DisplayImplementsWDisplay.class = { Display } DisplayImplementsWDisplay.weavingInterface = { WDisplay }}
one sig WDisplayToWPoint extends Connect {}fact{ WDisplayToWPoint.port1 = { WDisplay } WDisplayToWPoint.port2 = { WPoint } WDisplayToWPoint.connectionType = { After }}
Weaving-interface
Alloy
[Architecture verification 1]Consistency of architecture design
19
Checking the consistency between permitted advice-types declared in wPoint and real advice specified in a connect statement
assert checkConnectionType { all t : WDisplayToWPoint.connectionType | t in WDisplayToWPoint.port2.importType}
The Alloy analyzer generates counterexamples.
WPoint.importType = { Before } + { After } + {Around }
The Alloy analyzer terminates normally.
WPoint.importType = { Before } + { Around }
Generated counterexample
20
after advice specified in a connectstatement is not included in the available advice-types declared in wPoint.
[Architecture verification 2]Intention of modeler
21
assert checkImportedMethod { log in WDisplayToWPoint.port1.export}
assert checkImportedMethod { update in WDisplayToWPoint.port1.export}
OKError
21
classDisplay
classPoint
classLine
classLogging
wDisplay wPoint wLine
wLogging
redraw + change
change
redraw
Architecture verification &Refinement
22
Architectural Design
Weaving-interface
Java
Designs and verifies an architecture represented by a set of weaving-interfaces
Implements verified weaving interfaces
Architecture verification
Refinement
Related work (1)
AAIF: Aspect-aware interface [Kiczales 2005] Open modules [Aldrich 2005] Crosscutting programming interface (XPI)
[Sullivan 2005]An interface is determined only once thecomplete system is known
Point implements FigureElement void setX(int): DisplayUpdating - after returning DisplayUpdating.change();
Aspects can be woven to only exposed program points.Open modules support crosscutting within only one class.
An interface for specifying rules for designing aspects and classes
public aspect XPointChange {/* The purpose of … */ pointcut change(): execution(void Point.setX(int)) || …}
Our Approach
Software Architecture !!
25
Related work (2)
ArchJava [Aldrich, 2002] an extension to Java that seamlessly
unifies software architecture with implementation.
Our Approach
Interface mechanism shared by both architectural design
and implementation
Recommended