Team Pop Art

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Aspect-oriented programming

Participants : Simplice Djoko Djoko, Pascal Fradet [ contact person ] , Alain Girault, Nafees Qamar.

The goal of Aspect-Oriented Programming ( AOP ) is to isolate aspects (such as security, synchronization, or error handling) which cross-cut the program basic functionality and whose implementation usually yields tangled code. In AOP , such aspects are specified separately and integrated into the program by an automatic transformation process called weaving .

Although this paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOP addresses these issues by studying foundational issues (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.

Aspects preserving properties

Aspect Oriented Programming can arbitrarily distort the semantics of programs. In particular, weaving can invalidate crucial safety and liveness properties of the base program.

We have identified categories of aspects that preserve some classes of properties  [17] . It is sufficient to check that an aspect belongs to a specific category to know a large class of properties that will preserved by weaving. Our categories of aspects comprise, among others, observers, aborters, and confiners. Observers do not modify the base program's state and control-flow ( e.g. , persistence, profiling, and debugging aspects). Aborters are observers which may also abort executions ( e.g. , security aspects). Confiners only ensure that the executions remain in the set of reachable states of the base program ( e.g. , optimization or fault-tolerance aspects). These categories are defined formally based on a language independent abstract semantic framework. The classes of properties are defined as subsets of LTL for deterministic programs and CTL* for non-deterministic ones. We have formally proved that, for any program, the weaving of any aspect in a category preserves any property in the related class.

In a second step, we have designed for each aspect category a specialized aspect language which ensures that any aspect written in that language belongs to the corresponding category  [18] . These languages preserve the corresponding classes of properties by construction. The aspect languages share the same expressive pointcut language and are designed w.r.t. a common imperative base language.

This work is the central topic of Simplice Djoko Djoko's PhD thesis which should be defended in the beginning of 2009. It was conducted within the Formal Methods Lab of the network of excellence AOSD-Europe (see Section  8.3.4 ) in collaboration with Rémi Douence from the Obasco project team at École des Mines de Nantes.

Resource management and aspects of availability

We have studied the use of aspect-oriented programming for resource management with the aim of enforcing availability properties  [30] . Our technique allows us to keep resource management and availability issues separate from the rest of the system.

We have proposed a domain-specific aspect language aimed at preventing denial of service caused by resource management ( e.g. , starvation, deadlocks, etc.). The aspects specify time or frequency limits in the allocation of resources. They can be seen as formal temporal properties on execution traces that specify availability policies. The semantics of base programs and aspects are expressed as timed automata . The automaton representing a program specifies a superset of all possible (timed) execution traces whereas the automaton representing an aspect specifies a set of desired/allowed (timed) execution traces. Weaving can be seen as a product of two timed automata ( i.e. , the intersection of execution traces) which restricts the execution of the base program to the behaviors allowed by the aspect. The main advantage of such a formal approach is two-fold:

Fault tolerance aspects for real-time software

Here, our objective is to design a domain-specific language for specifying fault tolerance aspects as well as efficient techniques based on static analysis, program transformation and/or instrumentation to weave them into real-time programs.

As a first step, we have studied the implementation of specific fault tolerance techniques in real-time embedded systems using program transformation  [11] . The fault-intolerant initial system consists of a set of independent periodic tasks scheduled onto a set of fail-silent processors. The tasks are automatically transformed such that, assuming the availability of an additional spare processor, the resulting system tolerates one failure at a time. Failure detection is implemented using heartbeating, and failure masking using checkpointing and roll-back. These techniques are described and implemented by automatic program transformations of the tasks' source programs. The proposed formal approach to fault tolerance by program transformation highlights the benefits of separation of concerns.

The second step is to design an aspect language allowing users to specify and tune a wider range of fault tolerance techniques. For example, the user may want to use checkpointing, code or data replication at different places of the same program. For checkpointing, the user may also want to specify the subset of variables which must be saved. We are currently working on the definition of an aspect language allowing the designer to specify such choices. This work is conducted in collaboration with T. Ayav from Izmir University.


Logo Inria