Team Pop Art

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Aspect-oriented programming

Participants : S. Djoko Djoko, R. Douence, P. Fradet [ contact person ] , A. Girault.

The goal of Aspect-Oriented Programming ( AOP ) is to isolate aspects (such as security, synchronization, or error handling) which cross-cut the program basic functionality and whose implementation usually yields tangled code. In AOP , such aspects are specified separately and integrated into the program by an automatic transformation process called weaving .

Although this new paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOP addresses these issues by studying foundational issues (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.

Aspects preserving properties

Aspect Oriented Programming can arbitrarily distort the semantics of programs. In particular, weaving can invalidate crucial safety and liveness properties of the base program. We have identified categories of aspects that preserve some classes of properties  [Oops!] . It is sufficient to check that an aspect belong to a specific category to know which properties will remain satisfied by woven programs.

Our categories of aspects, inspired by Katz's, comprise observers, aborters and confiners. Observers do not modify the base program's state and control-flow ( e.g. , persistence, profiling and debugging aspects). Aborters are observers which may also abort executions ( e.g. , security aspects). Confiners only ensure that executions remain in the reachable states of the base program (optimization or fault-tolerance aspects). These categories are defined precisely based on a language independent abstract semantics framework  [Oops!] .

The corresponding classes of properties are defined as subsets of LTL for deterministic programs (CTL* for non-deterministic ones). We have formally proved that, for any program, the weaving of any aspect in a category preserves any property in the related class.

We are currently working on the design, for each category of aspects, of a domain-specific aspect language ensuring that any aspect written is that language belongs to the corresponding category ( e.g. , observers, aborters, etc). These languages would guarantee the preservation of key properties by construction.

This work is the central topic of Simplice Djoko Djoko's PhD thesis. It is conducted within the Formal Methods Lab of the network of excellence AOSD-Europe (see section  8.3.2 ) in collaboration with Rémi Douence from the Obasco project team at École des Mines de Nantes.

Resource management and aspects of availability

We have studied the use of aspect-oriented programming for resource management with the aim of enforcing availability properties  [Oops!] . Our technique permits to keep resource management and availability issues separate from the rest of the system.

We propose a domain-specific aspect language in order to prevent denials of service caused by resource management ( e.g. , starvation, deadlocks, etc.). Availability aspects specify time or frequency limits in the allocation of resources. They can be seen as formal temporal properties on execution traces that specify availability policies. For example, a constraint may be that a program does not retain a resource more than n seconds or that it does not allocate the resource R1 less than n seconds after it has released the resource R2 .

The semantics of base programs and aspects are expressed as timed automata . The automaton representing a program specifies a superset of all possible (timed) execution traces whereas the automaton representing an aspect specifies a set of desired/allowed (timed) execution traces. Weaving can be seen as a product of two timed automata ( i.e. , the intersection of execution traces) which restricts the execution of the base program to the behaviors allowed by the aspect.

The main advantage of such a more formal approach is two-fold:

This research was part of Stéphane Hong Tuan Ha's PhD thesis from the Lande project team at Irisa / Inria -Rennes and supervised by Pascal Fradet.

Fault tolerance aspects for real-time software

Here, our objective is to design an aspect language for specifying fault tolerance as well as efficient techniques based on static analysis, program transformation and/or instrumentation to weave them into real-time programs.

As a first step, we have studied the implementation of specific fault tolerance techniques in real-time embedded systems using program transformation  [Oops!] . The fault-intolerant initial system consists of a set of independent periodic tasks scheduled onto a set of fail-silent processors. The tasks are automatically transformed such that, assuming the availability of an additional spare processor, the resulting system tolerates one failure at a time. Failure detection is implemented using heartbeating, and failure masking using checkpointing and roll-back. These techniques are described and implemented by automatic program transformations of the tasks' source programs. The proposed formal approach to fault tolerance by program transformation highlights the benefits of separation of concerns.

The second step, is to design an aspect language allowing users to specify and tune a wider range of fault tolerance techniques. For example, the user may want to use checkpointing, code or data replication at different places of the same program. For checkpointing, the user may also want to specify the subset of variables which must be saved. The definition of an aspect language to specify such choices is under completion.

This line of research is related to the Alidecs project (see section  8.2.1 ).


Logo Inria