Architectural Reasoning in ArchJava Jonathan Aldrich Craig Chambers David Notkin University of Washington ECOOP ‘02, 13 June 2002.

Slides:

Advertisements

Similar presentations

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Advertisements

Towards a Practical Composition Language Oscar Nierstrasz Software Composition Group University of Bern.

Alternate Software Development Methodologies

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Chess Review May 8, 2003 Berkeley, CA Classes and Inheritance in Actor- Oriented Models Stephen Neuendorffer Edward Lee UC Berkeley.

Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

21-February-2003cse Architecture © 2003 University of Washington1 Architecture CSE 403, Winter 2003 Software Engineering

Software Engineering CSE470: Requirements Analysis 1 Requirements Analysis Defining the WHAT.

PowerPoint Presentation for Dennis, Wixom & Tegarden Systems Analysis and Design Copyright 2001 © John Wiley & Sons, Inc. All rights reserved. Slide 1.

A Type System for Expressive Security Policies David Walker Cornell University.

ArchJava Connecting Software Architecture to Implementation Jonathan Aldrich Craig Chambers David Notkin University of Washington ICSE ‘02, May 22, 2002.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Design Patterns.

Chapter 10 Class and Method Design

ArchJava A software architecture tool –components –connections –constraints on how components interact Implementation must conform to architecture.

Data Abstraction and Object- Oriented Programming CS351 – Programming Paradigms.

CS 2511 Fall  Abstraction Abstract class Interfaces  Encapsulation Access Specifiers Data Hiding  Inheritance  Polymorphism.

Reuse Activities Selecting Design Patterns and Components

Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.

A Formal Model of Modularity in Aspect-Oriented Programming Jonathan Aldrich : Objects and Aspects Carnegie Mellon University.

Architectural Design.

“Enhancing Reuse with Information Hiding” ITT Proceedings of the Workshop on Reusability in Programming, 1983 Reprinted in Software Reusability, Volume.

Architecture-Based Runtime Software Evolution Peyman Oreizy, Nenad Medvidovic & Richard N. Taylor.

Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.

SOFTWARE DESIGN AND ARCHITECTURE LECTURE 07. Review Architectural Representation – Using UML – Using ADL.

An Introduction to Design Patterns. Introduction Promote reuse. Use the experiences of software developers. A shared library/lingo used by developers.

Ævol : A Tool for Planning Architecture Evolution David Garlan & Bradley Schmerl Carnegie Mellon University.

WSMX Execution Semantics Executable Software Specification Eyal Oren DERI

POSL (Principles of Software Languages) Gr. Kyushu Institute of Technology, Japan Pointcut-based Architectural Interface.

Approaching a Problem Where do we start? How do we proceed?

JCMP: Linking Architecture with Component Building Guoqing Xu, Zongyuan Yang and Haitao Huang Software Engineering Lab, East China Normal University SACT-01,

Chapter 18 Object Database Management Systems. McGraw-Hill/Irwin © 2004 The McGraw-Hill Companies, Inc. All rights reserved. Outline Motivation for object.

Modeling Component-based Software Systems with UML 2.0 George T. Edwards Jaiganesh Balasubramanian Arvind S. Krishna Vanderbilt University Nashville, TN.

OOP: Encapsulation,Abstraction & Polymorphism. What is Encapsulation Described as a protective barrier that prevents the code and data being randomly.

Asynchronous Components with Futures: Semantics, Specification, and Proofs in a Theorem Prover Components (Distributed) Futures Formalisations (and proofs)

© 2006 ITT Educational Services Inc. SE350 System Analysis for Software Engineers: Unit 10 Slide 1 Chapter 13 Finalizing Design Specifications.

Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.

1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.

CS 501: Software Engineering Fall 1999 Lecture 12 System Architecture III Distributed Objects.

Object-Oriented Modeling: Static Models. Object-Oriented Modeling Model the system as interacting objects Model the system as interacting objects Match.

SOFTWARE DESIGN AND ARCHITECTURE LECTURE 13. Review Shared Data Software Architectures – Black board Style architecture.

Modeling Highly Dynamic Software Architectures

Featherweight Generic Ownership Alex Potanin, James Noble Victoria University of Wellington Dave Clarke CWI, Netherlands Robert Biddle Carlton University.

© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.

Slide 1 Systems Analysis and Design With UML 2.0 An Object-Oriented Approach, Second Edition Chapter 2: Introduction to Object-Oriented Systems Analysis.

CS536 Types 1. Roadmap Back from our LR Parsing Detour Name analysis – Static v dynamic – Scope Today – Type checking 2 Scanner Parser Tokens Semantic.

1 Unified Modeling Language, Version 2.0 Chapter 2.

Advanced Object-oriented Design Patterns Creational Design Patterns.

1 5/18/2007ã 2007, Spencer Rugaber Acme Architectural interchange language – CMU and ISI Extensible Tool support –AcmeStudio.

Chapter 13 Finalizing Design Specifications

Chapter 18 Object Database Management Systems. Outline Motivation for object database management Object-oriented principles Architectures for object database.

SwE 455 Tutorial. What is Evolve? Evolve is a tool for defining components and connecting them together to form new components. Also provides a runtime.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

PowerPoint Presentation for Dennis, Wixom, & Tegarden Systems Analysis and Design with UML, 3rd Edition Copyright © 2009 John Wiley & Sons, Inc. All rights.

PowerPoint Presentation for Dennis, Wixom, & Tegarden Systems Analysis and Design with UML, 5th Edition Copyright © 2015 John Wiley & Sons, Inc. All rights.

2000 Research Overview Dr. Kim Mens Programming Technology Lab Vrije Universiteit Brussel.

Object Design More Design Patterns Object Constraint Language Object Design Specifying Interfaces Review Exam 2 CEN 4010 Class 18 – 11/03.

Software Connectors. What is a Software Connector? 2 What is Connector? – Architectural element that models Interactions among components Rules that govern.

LECTURE 10 Semantic Analysis. REVIEW So far, we’ve covered the following: Compilation methods: compilation vs. interpretation. The overall compilation.

Introduction to Design Patterns

Software Quality Engineering

TIM 58 Chapter 8: Class and Method Design

Logical architecture refinement

Multiple Aspect Modeling of the Synchronous Language Signal

Objects and Aspects: What we’ve seen so far

Computer Science 340 Software Design & Testing

UML  UML stands for Unified Modeling Language. It is a standard which is mainly used for creating object- oriented, meaningful documentation models for.

Presentation transcript:

Architectural Reasoning in ArchJava Jonathan Aldrich Craig Chambers David Notkin University of Washington ECOOP ‘02, 13 June 2002

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava2 Software Architecture High-level system structure [GS93,PW92] –Components and connections Automated analysis Support program evolution –Source of defect –Effect of change –Invariants to preserve

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava3 Architecture and Implementation Inconsistency caused by evolution –Architecture documentation becomes obsolete Problems –Suprises –Misunderstandings lead to defects –Untrusted architecture won’t be used

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava4 Architecture and Implementation Does code conform to architecture? Communication integrity [LV95,MQR95] –All communication is documented Interfaces and connectivity –Enables effective architectural reasoning Quickly learn how components fit together Local information is sufficient

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava5 ArchJava Specifies architecture within Java code Verifies control flow architecture –Statically checked (except for casts, as in Java) –Code and architecture evolve together Is flexible –Supports dynamically changing architectures –Allows common implementation techniques Case study on a 12,000-line program –Evaluates expressiveness, benefits, limitations

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava6 A Parser Component public component class Parser { Component class Defines architectural object Must obey architectural constraints

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava7 A Parser Component public component class Parser { public port in { requires Token nextToken(); } public port out { provides AST parse(); } Components communicate through Ports A two-way interface Define provided and required methods

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava8 A Parser Component public component class Parser { public port in { requires Token nextToken(); } public port out { provides AST parse(); } Ordinary (non-component) objects Passed between components Sharing is permitted Can use just as in Java

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava9 A Parser Component public component class Parser { public port in { requires Token nextToken(); } public port out { provides AST parse(); } AST parse() { Token tok=in.nextToken(); return parseExpr(tok); } AST parseExpr(Token tok) {... }... } Can fill in architecture with ordinary Java code

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava10 Hierarchical Composition public component class Compiler { private final Scanner scanner = new Scanner(); private final Parser parser = new Parser(); private final CodeGen codegen = new CodeGen(); Subcomponents –Component instances inside another component –Communicate through connected ports

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava11 Hierarchical Composition public component class Compiler { private final Scanner scanner = new Scanner(); private final Parser parser = new Parser(); private final CodeGen codegen = new CodeGen(); connect scanner.out, parser.in; connect parser.out, codegen.in; Connections –Bind required methods to provided methods

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava12 Evaluation Questions Does ArchJava guarantee communication integrity? Is ArchJava expressive enough for real systems? What are the benefits and limitations of ArchJava?

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava13 A component may only communicate with the components it is connected to in the architecture ArchJava enforces integrity for control flow No method calls permitted from one component to another except –From a parent to its nested subcomponents –Through connections in the architecture Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava14 A component may only communicate with the components it is connected to in the architecture ArchJava enforces integrity for control flow No method calls permitted from one component to another except –From a parent to its immediate subcomponents –Through connections in the architecture Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava15 A component may only communicate with the components it is connected to in the architecture ArchJava enforces integrity for control flow Other communication paths –Shared data (current work) –Run-time system Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava16 Architecture allows –Calls between connected components Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava17 Architecture allows –Calls between connected components –Calls from a parent to its immediate subcomponents Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava18 Architecture allows –Calls between connected components –Calls from a parent to its immediate subcomponents Architecture forbids –External calls to subcomponents – Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava19 Architecture allows –Calls between connected components –Calls from a parent to its immediate subcomponents Architecture forbids –External calls to subcomponents –Calls between unconnected subcomponents Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava20 Architecture allows –Calls between connected components –Calls from a parent to its immediate subcomponents Architecture forbids –External calls to subcomponents –Calls between unconnected subcomponents –Calls violating architectural hierarchy Benefit: local reasoning about control flow Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava21 Architecture allows –Calls between connected components –Calls from a parent to its immediate subcomponents Architecture forbids –External calls to subcomponents –Calls between unconnected subcomponents –Calls violating architectural hierarchy Benefit: local reasoning about control flow Control Communication Integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava22 Why Not Use Modules? Implicit Invocation Example –Jiazzi [MFH01] : strong encapsulation, module linking –Action object is passed down pipeline –Invocations through action violate architecture Other issues –First-class functions –Dynamic architectures –Instance encapsulation

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava23 Why Not Use Modules? Implicit Invocation Example –Jiazzi [MFH01] : strong encapsulation, module linking –Action object is passed down pipeline –Invocations through action violate architecture Other issues –First-class functions –Dynamic architectures –Instance encapsulation

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava24 Why Not Use Modules? Implicit Invocation Example –Jiazzi [MFH01] : strong encapsulation, module linking –Action object is passed down pipeline –Invocations through action violate architecture Other issues –First-class functions –Dynamic architectures –Instance encapsulation

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava25 Why Not Use Modules? Implicit Invocation Example –Jiazzi [MFH01] : strong encapsulation, module linking –Action object is passed down pipeline –Invocations through action violate architecture Other issues –First-class functions –Dynamic architectures –Instance encapsulation

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava26 Why Not Use Modules? Implicit Invocation Example –Jiazzi [MFH01] : strong encapsulation, module linking –Action object is passed down pipeline –Invocations through action violate architecture Other issues –First-class functions (like Actions) –Instance encapsulation (2 compiler example) –Dynamically changing architectures

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava27 Action Example in ArchJava Classes can’t refer to components –Action can’t store reference to scanner component Components can share Action –Allows communication through side effects current work: specify & enforce this –Type system prevents control flow through Action X

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava28 Enforcing Communication Integrity Communication integrity for direct method calls –Can only call self or subcomponents Invariant –All component-typed references in a component (and called objects) are to self or subcomponents –Key lemma in integrity proof Enforcement –No component types in port interfaces –No fields of component type in objects

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava29 Enforcing Communication Integrity What about casts? –Store components in data structures –But, data structures can be shared –Downcasts could violate communication integrity Solution: additional dynamic check –Components store parent –Casted object or its parent must be this

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava30 Other Integrity Issues Dynamically changing architectures –Patterns specify permissible connections –Dependent types Relate a connection to a component instance Restrictions on inheritance, inner classes –e.g., components may not implement interfaces –Reasonable in component libraries Relax to use existing Java libraries –Investigating ways to relax restrictions safely

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava31 ArchFJ : A Formal Framework Based on Featherweight Java [OOPSLA 99] –Includes components, ports, connections Benefits –Precise semantics –Shows how integrity is enforced Proven: –Type safety –Control communication integrity

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava32 Evaluation Questions Does ArchJava guarantee control communication integrity? –Yes, using the type system Is ArchJava expressive enough for real systems? What are the benefits and limitations of ArchJava? Two case studies –12,000 lines of Java code each –Asked developer to draw architecture –Tried to specify architecture in ArchJava

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava33 Evaluation Questions Does ArchJava guarantee control communication integrity? –Yes, using the type system Is ArchJava expressive enough for real systems? What are the benefits and limitations of ArchJava? Case study: Taprats –12,000 lines of Java code –Two challenges Drawn by original developer Dynamic changes

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava34

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava35 Architectural Comparison

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava36 ArchJava Architecture Architecture shows design characteristics –Pipeline of components –Dynamically created –Largely independent Architecture matches intuition –But ArchJava guarantees correctness! Architecture evolves with implementation

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava37 Evaluation Questions Does ArchJava guarantee control communication integrity? –Yes Is ArchJava expressive enough for real systems? –Yes (validated by 2 other case studies) Three experiments –Understanding Aphyds communication –Refactoring Aphdys –Reparing a defect

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava38 Evaluation Questions Does ArchJava guarantee control communication integrity? –Yes Is ArchJava expressive enough for real systems? –Yes (validated by 2 other case studies) What are the benefits and limitations of ArchJava?

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava39 render.getView().setTheta(t); PreviewPanel coupled to RenderPanel –Depends on View representation of RenderPanel –Programs are fragile, change is difficult Law of Demeter [Lieberherr et al.] –Design guideline –“Only talk with your neighbors” PreviewPanel RenderPanel RenderView Coupling in Taprats

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava40 Taprats in ArchJava render.getView().setTheta(t); Control communication integrity –Components only talk with connected components Compile-time error in ArchJava –PreviewPanel can only reference local connections –Call through architecture, reducing coupling Hypothesis: Enforcing communication integrity helps to reduce system coupling RenderPanel PreviewPanel RenderView

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava41 Taprats in ArchJava render.getView().setTheta(t); Control communication integrity –Components only talk with connected components Compile-time error in ArchJava –PreviewPanel can only reference local connections –Call through architecture, reducing coupling Hypothesis: Enforcing communication integrity helps to reduce system coupling RenderPanel PreviewPanel RenderView

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava42 Taprats in ArchJava render.getView().setTheta(t); Control communication integrity –Components only talk with connected components Compile-time error in ArchJava –PreviewPanel can only reference local connections –Call through architecture, reducing coupling Hypothesis: Enforcing communication integrity helps to reduce system coupling RenderPanel PreviewPanel RenderView

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava43 Case Study Summary Successful overall –Expressed dynamic architecture –Made design explicit –Reduced coupling –Low cost (5 hours, 500 lines of additional code) Lessons Learned –Some unnecessary casts –Creation slightly awkward

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava44 Case Study Summary Successful overall –Expressed dynamic architecture –Made design explicit –Reduced coupling –Low cost (5 hours, 500 lines of additional code) Directions for improvement –Some unnecessary casts –Creation slightly awkward

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava45 More in paper Formalization of language & properties Architectural design principles Architectural refactoring patterns Comparison to earlier case study

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava46 Current and Future Work ICSE ’02 –ArchJava language design –Case study with static architecture ECOOP: communication integrity & dynamic architecture OOPSLA ’02 –Specification of data sharing ownership type system [Clarke et al.] Extend ML-style modules to enforce architecture Refine language design –Distributed systems, flexible connectors

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava47 Conclusion ArchJava integrates architecture with Java code Control communication integrity –Keeps architecture and code synchronized Initial experience –ArchJava expresses dynamically changing architectures –ArchJava may improve program structure Download the ArchJava compiler and tools

13 June 2002Jonathan Aldrich - ECOOP '02 - ArchJava48 Limitations of ArchJava Some idioms are awkward –Implicit invocation architectures –Dynamic component creation and connection –Some extra casts Architecture is very concrete –Connections must be method calls Can’t express all architectural properties –Data sharing (partial solution: OOPSLA ‘02) –Others (temporal protocols, styles, etc.)