Session 9 Crosscutting Techniques in Program Specification and Analysis Mark Stobbe October 8,

Outline Hob system –Implementation –Specification –Abstraction Scopes Examples Finishing touch 2

Hob hob. 1. The block in the center of a wheel, from which the spokes radiate, and through which the axle passes; -- called also hub or hob. Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc. The goal of the Hob project is to verify sophisticated properties of programs that manipulate complex, heterogenous data structures. 3

Hob system Verify data structures Abstract set specification Different analysis –Flags –Linked data structures (PALE) –Theorem prover (Isabelle) Patrick Lam – February 2007 Implementation is 10,000 lines O’Caml Flags (2000), PALE (700), Theorem prover (1000) 4

Answering question 5 Answer Usage seems to be fairly low, in contrast to the more common specification languages like Z, Spec# and JML. Question The paper talks about the Hob program specification, analysis and verification system and how it is implemented. But can you tell some more about it (about the users, usage, maybe a small example about it)? (Robin)

Hob system Implementation section –code –formats (inter-type declarations) Specification section –interfaces for procedures (requires/modifies/ensures) –defaults Abstraction section –specify the connection between implementation and specification 6

Answering question 7 Answer No. Hob uses a syntactically similar language to Java on statement level and a custom procedure implementation. Common object-oriented features such as inheritance, dynamic dispatch and object-based encapsulation are not supported. Question Does Hob support the OO concept of inheritance? (Martijn)

Answering question 8 Answer Formats describe the necessary fields to define a data structure. These fields can crosscut the data structure itself, but with formats they are centralized to one location. With inter-type declarations in AspectJ this is the same, you can add fields to a class, centralized in one place. Question In paper they state that formats can be viewed as a case of inter-type declarations in AspectJ. Could you indicate what they have in common? (Alesya)

Answering question 9 Answer You have the possibility to define defaults for a whole specification module or use the pointcut notation they defined. Therefore it is entirely in the hands of the programmer what should be defaulted. Notice that this is similar to the pointcuts in AspectJ. Question If you have a lot of defaults specified, doesn't that make it easy to make mistakes (especially in bigger systems)? Either because you think something already has a default or by not realizing that something has a default. In the paper in section 4 they claim the opposite, but I think it all just depends on how clear it is to the programmer, perhaps by tool support. Any thoughts on this? (Christiaan)

Scopes 10

Answering question 11 Answer The places where you invoke a procedure. Question The paper mentions "call sites". What are they? (Martijn)

Flag plugin Abstract interpretation 12 impl module UseList { format Node {} proc use() { Node n1; Node n2; n1 = new Node(); n2 = new Node(); List.add(n1); List.add(n2); List.remove(n2); List.remove(n1); } spec module UseList { proc use() requires List.Content = {} modifies List.Content calls List ensures List.Content’ = {}; } abst module UseList { use plugin "flags"; }

Pointer Assertion Logic Engine 13 impl module DLLIter { format Node { next : Node; prev : Node; } var root, current : Node; proc isEmpty() returns e:bool { return root == null; } proc add(n : Node) {... } proc remove(n : Node) { if (n==current) { current = current.next; } if (n==root) { root = root.next; } Node prv = n.prev, nxt = n.next; if (prv!=null) { prv.next = nxt; } if (nxt!=null) { nxt.prev = prv; } n.next = null; n.prev = null; } proc openIter() { current = root; } proc nextIter() returns n : Node { Node n1 = current; current = current.next; return n1; } proc isLastIter() returns e: bool { return current == null; } proc closeIter() { current = null; } }

14 spec module DLLIter { format Node; specvar Content, Iter : Node set; invariant Iter in Content; proc isEmpty() returns e:bool ensures e’ (|Content’| = 0); proc add(n : Node) requires |n| = 1 & ¬(n in Content) modifies Content ensures (Content’ = Content + n); proc remove(n : Node) requires |n| = 1 & (n in Content) modifies Content, Iter ensures (Content’ = Content - n) & (Iter’ = Iter - n); proc openIter() requires |Iter| = 0 modifies Iter ensures (Iter’ = Content); proc nextIter() returns n : Node requires |Iter| >= 1 modifies Iter ensures |n’| = 1 & (n’ in Iter) & (Iter’ = Iter - n’); proc isLastIter() returns e:bool ensures ¬e (|Iter’| >= 1); proc closeIter() modifies Iter ensures |Iter’| = 0; }

15 abst module DLLIter { use plugin "PALE"; Content = { n : Node | "root n" }; Iter = { n : Node | "current n" }; invariant "type Node = { data next:Node; pointer prev:Node[thisˆNode.next = {prev}]; }"; invariant "data root : Node;"; invariant "pointer current : Node;"; } Final glue… Pointer Assertion Logic Engine

Answering question 16 Answer Hyperslices are similar to aspects. A hyperslice is defined inside a hyperspace and it encapsulates one concern. Hyper/J uses hyperslices to solve the problem of crosscutting functionality. Hyper/J falls in the category of subject-oriented techniques. Question In the paper they mention Hyperslices a couple of times. I don't really know what they are but if you have extra time perhaps you can give a short intro to them to put it in perspective. (Christiaan)

Answering question 17 Answer There is more mathematical approach using superposition. Superposition is a way to reason about first-order logic equations. Most theorem provers nowadays are based on superposition. The idea is to slice the specification in views, which all describe one concern. Together with some first-order logic you can then verify the program according to the specification. Another system is Moxa. Moxa uses crosscutting to cope with the problem of specification aggregation. Basically it is an extended version of the Java Modeling Language (JML) with aspects applied. Question Are there any other methods/techniques for program specification, analysis and verification for Aspect Oriented Programming/AspectJ? (Robin)

Continue answering question 18 Answer There has also been some research into checking aspect-oriented programs. One way described in the paper by S. Krishnamurthi, is to take the verification system for the base program. At each join point where an aspect is applied you keep the state of the verification system and you check this against the aspects specification. Question Are there any other methods/techniques for program specification, analysis and verification for Aspect Oriented Programming/AspectJ? (Robin)

Answering question 19 Answer The paper is a draft. Did you notice the other mistakes in the examples? And, of course, the spelling mistakes? Question In figure 3 in format Cell they have init:bool twice. Do you have any idea why that is? Could this somehow be related to scopes or something? (Christiaan)