alloy-based lightweight verification for aspect-oriented architecture naoyasu ubayashi(kyushu...

27
Alloy-based Lightweight Verification for Aspect-oriented Architecture Naoyasu Ubayashi (Kyushu Institute of Technology) Yuki Sato (Kyushu Institute of Technology) Akihiro Sakai (Kyushu University) Tetsuo Tamai (University of Tokyo) August 20, 2007 SERA 2008 1

Upload: vivien-richardson

Post on 18-Jan-2016

226 views

Category:

Documents


0 download

TRANSCRIPT

1

Alloy-based Lightweight Verificationfor Aspect-oriented Architecture

Naoyasu Ubayashi (Kyushu Institute of Technology)Yuki Sato (Kyushu Institute of Technology)Akihiro Sakai (Kyushu University)Tetsuo Tamai (University of Tokyo)

August 20, 2007

SERA 2008

2

Aspect-oriented Programming

AOP is a programming paradigm in which crosscutting concerns are modularized as aspects.

Display updating

after (FigureElement fe): (call(void set*(..)) && target(fe) { fe.display.update(fe); }

advice

pointcut

AspectJ

Problem

A concern considered crosscutting in one situation might be primary in others. It is not desirable to fix a certain concern as either primary or crosscutting.

It is not easy to understand the overall behavior of a woven program.

3

Our previous work [ASE’07]

A new interface mechanism called Weaving-interface

A new AOP language called ccJava Weaving-interface can be regarded as

an ADL (Architecture Description Language)

All concerns are described as class components.

This ADL can describe how to compose (weave) these components.

But, programming-level idea …

Display Point Line

Today’s Talk: Verifiable AO MDD

Not only programming-level but also design-level notion

ADL for bridging the gaps between architectural design and implementation

4

Architectural Design

Weaving-interface

Java

Designs and verifies an architecture represented by a set of weaving-interfaces

(Alloy-based architecture verification)

Implements verified weaving interfaces

5

Outline

1. Motivation2. AO verifiable MDD3. Architecture verification based on Alloy4. Related work5. Conclusion

6

1. Motivation

7

Example --- Figure editor

interface Shape { public void moveBy(int dx, int dy);}

class Point implements Shape { int x, y; public int getX() { return x; } public int getY() { return y; } public void setX(int x) { this.x = x; } public void setY(int y) { this.y = y; } public void moveBy(int dx, int dy) { x += dx; y += dy; }}

class Line implements Shape { Point p1, p2; public Point getP1() { return p1; } public Point getP2() { return p2; } public void setP1(Point p1) { this.p1 = p1; } public void setP2(Point p2){ this.p2 = p2; } public void moveBy(int dx, int dy) { p1.x += dx; p1.y += dy; p2.x += dx; p2.y += dy; }}

class Display { public static void update() { /* the detail is ommited */ }}

Three concern components are woven together by component and connector architecture based on weaving-interface.

ComponentComponent

ComponentComponent

ComponentComponent

8

AO weaving based oncomponent-connector architecture

classDisplay

classPoint

classLine

classLogging

wDisplay wPoint wLine

wLogging

redraw + changeComponentComponent

Weaving-interfaceWeaving-interface

ConnectorConnector

class Pointimplements Shape { int x, y; public int getX() { return x; } public int getY() { return y; } public void setX(int x) { this.x = x; } public void setY(int y) { this.y = y; } public void moveBy(int dx, int dy) { x += dx; y += dy; }}

change

redraw

class Display { public static void update() { }}

9

ccJava – AOP language for supporting Weaving-interface

public w_interface wPoint {pointcut change():execution(void setX(int)) ||execution(void setY(int)) ||execution(void moveBy(int, int));import before(), after() returning, around() : change();}

public w_interface wLine {pointcut change():execution(void setP1(Point)) ||execution(void setP2(Point)) ||execution(void moveBy(int, int));import before(), after() returning, around() : change();}

public w_interface wDisplay {pointcut redraw(): execution(void update());import before(), after() returning : redraw();export redraw();} weave {

class Point implements wPoint; class Line implements wLine; class Display implements wDisplay;

connect(port1:wDisplay.redraw, port2:{wPoint || wLine}.change) { after() returning : port2 { port1.proceed(); }}

ConnectorConnector

Port Definition

Port Connection

CoordinationCode

Weaving-interfaceWeaving-interface

Coordination TypeBeforeAfter

Aroundintroduce

Connector descriptions depend on only weaving-interfaces.

Architecture can be represented byWeaving-interface + connector.

Weaving-interface+Connector

is a kind of

ADL

10

Problems

Although Weaving-interface enables a programmer to describe AO architecture, there is a gap between architecture design and implementation.

Verifiable AO MDD

11

2. Verifiable AO MDD

ccModeler & ccJava

12

Architectural Design

Weaving-interface

Java

ccModeler

ccJava

Designs and verifies an architecture represented by a set of weaving-interfaces

Implements verified weaving interfaces

Architecture Design & verification

Refinement

13

3. Architecture verification based on Alloy

Alloy

Alloy is a simple structural modeling language based on relational logic.

The Alloy analyzer, a tool for Alloy, can automatically generate instances of invariants, simulate the execution of operations, and check user-specified properties of a model.

14

Lightweight Formal Methods

Although neither soundness nor completeness is guaranteed, it makes more sense to sacrifice the capability of finding proofs for the capability of reliably detecting errors.

We use Alloy as a design debugger !

15

Weaving-Interface meta modeldescribed in Alloy

abstract sig WeavingInterface { importType : set Advice, import : set Pointcut, export : set Pointcut}

abstract sig Advice {}one sig Before, After, Around extends Advice {}

abstract sig Pointcut {}

abstract sig Implement { class : set Class, weavingInterface : set WeavingInterface}

abstract sig Connect { port1 : set WeavingInterface, port2 : set WeavingInterface, connectionType : Advice}

ConcernComponent

(class)

ConcernComponent

(class)

weaving I/F

connector

weaving I/F

16

Translationfrom weaving-interface into Alloy (1)

Alloy

public w_interface wPoint { pointcut change(): execution(voidsetX(int)) || execution(voidsetY(int)) || execution(voidmoveBy(int, int)); import before(), after() returning, around() : change();}

public w_interface wDisplay { pointcut redraw(): execution(void update()); import before(), after() returning : redraw(); export redraw();}

one sig noPct, setX, setY, moveBy extends Pointcut {}

one sig WPoint extends WeavingInterface {}fact{ WPoint.importType= { Before } + { After } + { Around } WPoint.import= { setX } + { setY } + { moveBy } WPoint.export= { noPct }}

one sig update extends Pointcut {}one sig WDisplay extends WeavingInterface {}fact{ WDisplay.importType = { Before } + { After } WDisplay.import = { update } WDisplay.export = { update }}

Weaving-interface Alloy

17

Translationfrom weaving-interface into Alloy (2)

weave { class Point implements wPoint; class Display implements wDisplay;Connect( port1:wDisplay.redraw, port2:{wPoint || wLine}.change) { after() returning : port2 { port1.proceed(); }}

one sig Weave { implement : set Implement, connect : set Connect}fact { Weave.implement = { PointImplementsWPoint } + { DisplayImplementsWDisplay } Weave.connect = { WDisplayToWPoint } }

one sig PointImplementsWPoint extends Implement {}one sig Point extends Class {}fact{ PointImplementsWPoint.class = { Point } PointImplementsWPoint.weavingInterface = { WPoint }}

one sig DisplayImplementsWDisplay extends Implement {}one sig Display extends Class {}fact{ DisplayImplementsWDisplay.class = { Display } DisplayImplementsWDisplay.weavingInterface = { WDisplay }}

one sig WDisplayToWPoint extends Connect {}fact{ WDisplayToWPoint.port1 = { WDisplay } WDisplayToWPoint.port2 = { WPoint } WDisplayToWPoint.connectionType = { After }}

Weaving-interface

Alloy

18

Architecture verification

Consistency of architecture design Intention of Modeler

[Architecture verification 1]Consistency of architecture design

19

Checking the consistency between permitted advice-types declared in wPoint and real advice specified in a connect statement

assert checkConnectionType { all t : WDisplayToWPoint.connectionType | t in WDisplayToWPoint.port2.importType}

The Alloy analyzer generates counterexamples.

WPoint.importType = { Before } + { After } + {Around }

The Alloy analyzer terminates normally.

WPoint.importType = { Before } + { Around }

Generated counterexample

20

after advice specified in a connectstatement is not included in the available advice-types declared in wPoint.

[Architecture verification 2]Intention of modeler

21

assert checkImportedMethod { log in WDisplayToWPoint.port1.export}

assert checkImportedMethod { update in WDisplayToWPoint.port1.export}

OKError

21

classDisplay

classPoint

classLine

classLogging

wDisplay wPoint wLine

wLogging

redraw + change

change

redraw

Architecture verification &Refinement

22

Architectural Design

Weaving-interface

Java

Designs and verifies an architecture represented by a set of weaving-interfaces

Implements verified weaving interfaces

Architecture verification

Refinement

23

4. Related work

Related work (1)

AAIF: Aspect-aware interface [Kiczales 2005] Open modules [Aldrich 2005] Crosscutting programming interface (XPI)

[Sullivan 2005]An interface is determined only once thecomplete system is known

Point implements FigureElement void setX(int): DisplayUpdating - after returning DisplayUpdating.change();

Aspects can be woven to only exposed program points.Open modules support crosscutting within only one class.

An interface for specifying rules for designing aspects and classes

public aspect XPointChange {/* The purpose of … */ pointcut change(): execution(void Point.setX(int)) || …}

Our Approach

Software Architecture !!

25

Related work (2)

ArchJava [Aldrich, 2002] an extension to Java that seamlessly

unifies software architecture with implementation.

Our Approach

Interface mechanism shared by both architectural design

and implementation

26

5. Conclusion

27

Conclusion

Alloy-based lightweight approach for checking whether the weaving based on the component-and-connector architecture is correct.

By enforcing the architecture verified by Alloy to the class implementation, we can construct a reliable system.