Obliviousness,ModularReasoning,andtheBehavioralSubtypingAnalogyCurtisC - PDF document

Obliviousness,ModularReasoning,andtheBehavioralSubtypingAnalogyCurtisCliftonandGaryT.Leavens1IowaStateUniversity,226AtanasoHall,AmesIA50011,USA,fcclifton,leavensg@cs.iastate.edu,WWWhomepage:http://www.cs.iastate.edu/~fcclifton,leavensgAbstract.TheobliviousnesspropertyofAspectJ-likelanguagescon- ictswiththeabilitytoreasonaboutprogramsinamodularfashion.Thiscanmakedebuggingandmaintenancedicult.Inobject-orientedprogramming,thedisciplineofbehavioralsubtypingallowsonetoreasonaboutprogramsmodularly,despitetheobliviousna-tureofdynamicbinding;however,itisnotclearwhatdisciplinewouldhelpprogrammersinAspectJ-likelanguagesobtainmodularreasoning.Behavioralsubtypingwasbornoutofthestoriesprogrammersweretellingintheirobject-orientedprogramsandhowtheyreasonedaboutthem.ProgrammersuseAspectJ-likelanguagestotellwhatwecall\su-perimposition"and\adaptation"stories.Thus,adisciplineofmodularreasoningforanAspectJ-likelanguagemustaccountforbothsortsofstories.WedescribethemodularreasoningproblemforAspectJ-likelanguages.Wedonotyethaveasolution,butconciselyarticulatetheissuesinvolved.1IntroductionMuchoftheworkonaspect-orientedprogramminglanguagesreferstotheworkofParnas[31].Parnasarguesthatthemodulesintowhichasystemisdecom-posedshouldprovidebenetsinthreeareas(p.1054):Thebenetsexpectedofmodularprogrammingare:1.managerial|developmenttimeshouldbeshortenedbecausesepa-rategroupswouldworkoneachmodulewithlittleneedforcommu-nication;2.product exibility|itshouldbepossibletomakedrasticchangestoonemodulewithoutaneedtochangeothers;3.comprehensibility|itshouldbepossibletostudythesystemonemoduleatatime.Thewholesystemcanthereforebebetterdesignedbecauseitisbetterunderstood.Itseemsclearthataspect-orientedlanguagesprovidemanybenetsrelatedtoParnas'ssecondpoint[13,18].Amongthesebenetsareareductionintangling webeginbydeninganotionofmodularreasoningthatcorrespondstoParnas'scomprehensibilitybenet.Modularreasoningistheprocessofunderstandingasystem(orprovingprop-ertiesaboutit)onemoduleatatime.AlanguagesupportsmodularreasoningiftheactionsofamoduleMwritteninthatlanguagecanbeunderstoodbasedsolelyonthecodecontainedinMandthecodesurroundingM,alongwiththesignatureandbehaviorofanymodulesreferredtobythatcode.Thenotionofamoduleandthesurroundingcodeforamodulearedeterminedbytheprogram-minglanguage.InJava,wemightconsideracompilationunittobeamodule,andinstandardJavanocodesurroundsamodule3.Code,C,referstoamoduleNifCexplicitlynamesN,ifCislexicallynestedwithinN,orifNisastandardmoduleinaxedplace(suchasObjectinJava).Weusecontractstospecifythecode'sbehavior.Inthemostconcretecase,thecontractisthemethod'scode,butweprefertothinkofmoreabstractcontracts.Thesecanbewritteninaformalspecicationlanguage[21,25],orinformallybywritingcommentssuchas\Thismethodreturnstrueifthegivenleexists".Ourinterestinmodularreasoninginaspect-orientedprogramminglanguagesismotivatedinpartbyourinitialworkoncombiningMultiJava[6,8]andJML[21].3TheProblem:UndisciplinedObliviousnessIntypicalobject-orientedlanguages,thedynamictypeofthereceiverobjectisusedtoselecttheappropriatemethodtoinvokeforagivenmessagesend.Suchdynamicselectionofthetargetmethodcanpreventmodularreasoning.Forexample,considerthedeclarationofPointinFigure1anditsmethod,move.The//@-commentsbeforemove'sdeclarationgiveitsbehavioralspecicationinJML.{Theclause\requirestrue"saysthatclientsarenotobligedtoestablishanyprecondition.{Theclause\assignablepos"saysthattheposeldofthereceiverobjectmaybechangedbythemethod,butnotanyotherlocations.{Theclause\ensures..."saysthat,aftermovereturns,thevaluereturnedbygetPos()isequaltothesumofthedistargumentandthevaluereturnedbygetPos()beforemovewascalled.SupposeanobjectofstatictypePointispassedtoamethodclient,asinFigure2.Ifmodularreasoningissound,thentheprogrammercanreasonabouttheinvocationofmovebasedonitsspecicationinPoint.Thatis,iftherstassertioninFigure2holds,thenthesecondassertionisvalidbasedonthespecicationofPoint'smovemethod.Thedenitionofmodularreasoning 3Anotherinterpretationof\module"and\surroundingcode"inJavamightbethatatypedeclarationisamodule,and,fornestedtypedeclarations,thecodefortheenclosingtypedeclarationisthesurroundingcode. requiresthattheprogrammershouldnothavetoconsiderpossiblesubtypesofPointwhendoingthisreasoning,sincetheyarenotmentionedintheclientcode.However,bysubsumption,aninstanceofanunseensubtypeofPoint,sayRightMovingPoint,maybepassedtoclient.Whatif(asinFigure3)RightMovingPointoverridesmethodmove,buttheoverridedoesnotsatisfythespecicationofmoveinPoint?Thenmodularreasoningsuchasthatdescribedforclientisnotvalid.UsingFigure3,aftertheclient'sinvocationofp.move(-10),p.getPos()returns10,not-10asasserted.Theconceptofbehavioralsubtypingrestoressoundmodularreasoningbyim-posingthespecicationofPointonallitssubtypes[11,22,24].Thus,RightMov-ingPointdoesnotcorrectlyimplementabehavioralsubtypeofPoint,becauseitsimplementationdoesnotsatisfythespecicationofmoveinPoint.Behavioralsubtypingisoftendescribedbysayingthatthebehaviorofasubtypeshouldnotbesurprising,withrespecttothespeciedbehaviorofasupertype.publicclassRightMovingPointextendsPointfpublicvoidmove(intdist)fif(dist0)super.move(-dist);elsesuper.move(dist);ggFig.3.ARightMovingPointclassAspointedoutbyFilmanandFriedman[14],subtypingwithsubsumption,asabove,isanexampleofobliviousness.Aspect-orientedprogramminglanguagesallowprogrammersmuchgreaterlatitudeindeningobliviousbehaviors.3.1Non-modularReasoninginAspectJNextweshowthat,justasmodularreasoningisnotageneralpropertyofobject-orientedprogramminglanguagesintheabsenceofbehavioralsubtyping,modularreasoningisnotageneralpropertyofAspectJ.Wedothisbyconsideringanaspect-orientedextensiontoourPointexample.Figure4givesanaspect,MoveLimiting,thatmodiesthebehaviorofPointinstancesinthesamewayasRightMovingPoint.MoveLimitingdeclaresapieceofaround-advice.ThisadviceinterceptscallstoPoint'smovemethod.Ifthear-gumentpassedtotheclientisnegative,then,justasinRightMovingPoint,controlproceedstoPoint'smovemethodwiththeparametersettotheabsolutevalueoftheoriginalparameter.AswithRightMovingPoint,theclientpro-grammer'sreasoning,asindicatedbytheassertstatementsinFigure2,isnotcorrectinthepresenceoftheMoveLimitingaspect. storiesareanalogoustothestoriestoldwithsubtypesinobject-orientedlan-guages;bothseektoenhanceexistingbehaviorwithoutintroducingsurprisingbehavior.Inthebehavioralsubtypingliterature,notintroducing\surprisingbehavior"meansthatanoverridingmethodcannotcontradictthespeciedbehaviorofthemethoditoverrides.Suchmethodscan,however,introducenewbehaviorinar-easthatareunspeciedinthesupertype.Theclassicexampleisthespecicationofadrawmethodforshapes.ThemethodisunderspeciedintheShapesuper-type,whichallowsoverridingmethodsinRectangleandCircletospecializeitsbehaviorinappropriateways.Onewaytothinkaboutbehavioralsubtypingisthatanoverridingmethodinheritsthespecicationofthesupertypemethodthatitoverrides[12].Thisforcestheoverridingmethodtoobeythesupertype'sspecication.Inanas-pectdesignedforsuperimposition,theanalogousrequirementwouldbethattheadvicemustobeythespecicationsofthecodethatitadvises.AdaptationStoriesAdaptationstoriesareaboutmodifyingthebehaviorofexistingprogramswithoutchangingtheircode.Thesestoriescomeintwostyles:{Localadaptationstoriesareaboutchangingthebehaviorofasubsetofaprogramasviewedbyotherclientcodewithintheprogram.Anexampleoflocaladaptationisanaspectforpersistence,wheresomecodemustexplicitlyestablishlinkstoadatabasewhiletheremainderoftheprogrambenetsfrompersistencewithoutanyexplicitchangestoitscode[32].{Globaladaptationstoriesareaboutchangingthebehaviorofanentirepro-gramasviewedbyusersoftheprogram.Forexample,usinganaspecttoaddauthenticationtoanexistingwebserverwouldbeaglobaladaptationstory[19][20,Ch.10].Globaladaptationsaredistinguishedinthatnopartoftheadaptedprogramreliesonthepresenceoftheadaptation.Incontrasttoaspectsdesignedforsuperimposition,programmersexpectaspectsdesignedforadaptationtochangethebehaviorofthemodulestheyadvise.Adaptationstoriescanbetoldinobject-orientedlanguages.Sometimesthisisdoneusingsubclassing,butthisviolatesthebehavioralsubtypingdisciplineandisgenerallydiscouraged[5,pp.71{77][23,26].Instead,therecommendedapproachistouseawrapperclasswhoseinstancescontainareferencetotheobjecttobeadapted[15,pp.139{150,175{184].Thespecierofthewrapperclass\startsfromscratch";shecanprovidewhateverbehaviorisneeded,inde-pendentoftheoriginalclass'sspecication.Thiswrapperapproachsacricestheobliviousnessofdynamicbindingtoachievemodularreasoning;aclientofthewrapperclasscanreasonusingthewrapperclass'sspecication.Itmaybethecasethatasimilarsacriceofobliviousnessisneededformodularreasoninginaspect-orientedprogramminglanguages.Likethewrappedclass,theadaptedcodecouldremainoblivioustotheadaptationaspect.Butlikethecodethatusesthewrapperclass,perhapsthecodethatreliesonthe 4.2DataRestrictionsAcomplementaryintermediateapproachistorestrictthedatathatmaybemod-iedbyadvice.Thisisexempliedinobject-orientedprogramminglanguagesbytheworkonvariousownershiptypesystems[2,27{29].Thesetypesystemsareprimarilyconcernedwithrestrictingaliasingtopromotedataencapsulation,andhencemodularreasoning.AnanalogousapproachforAspectJ-likelanguagesmightbetolimitthestatethatmaybemutatedbyadvicetojustthatstatethatitowns.Suchalimitationisstaticallycheckable,butrequiresadditionalannotationsinthesourcecode.However,theseannotationoertheadditionalbenetofcontrollingsomeeectsofaliasing.5SummaryandFutureWorkThereisaparallelbetweentheobliviousnessofdynamicbindinginobject-orientedlanguagesandthatofadvicebindinginaspect-orientedlanguages[14].Wehaveshownthatthisparallelprovokesausefulanalogybetweenreasoninginthetwostyles.Wehavedemonstratedthatbothsortsofobliviousnesscanpreventmodularreasoning,asdemonstratedbytheMoveLimitingaspectandthe(non-behavioral)subtypeRightMovingPoint.Behavioralsubtypingaddsmodularreasoningtoobject-orientedprogram-minglanguages.TheproblemistondasimilarprogrammingdisciplineforAspectJ-likelanguages.Wehavedescribedtwosortsofstoriesthatprogram-merstellabouthowtheyuseAspectJ:superimpositionandadaptationstories.Thesestoriesprovideconstraintsonsolutionstothemodularreasoningproblem,inthatacompletelyviablesolutionshouldsupportbothkinds.Thebehavioralsubtypinganalogyseemstobearichoneforthinkingabouttherelationshipbetweenobject-orientedlanguagesandAspectJ-likelanguages.Despitetheabsenceofasolutiontothemodularreasoningproblem,wehopethatotherresearcherswillbenetfromthebehavioralsubtypinganalogy.Su-perimpositionandadaptationstoriesseemtocharacterizehowaspect-orientedprogramminglanguagesareactuallyused.Wehopethatthischaracterizationwillprovideusefulconstraintsinthedesignofnewaspect-orientedlangaugesandreasoningmechanisms.Inadditiontoconsideringwhatbehavioralsubtypingmaysayaboutaspect-orientedprogramming,itmightbeinterestingtoconsiderwhethertheanalogyworksinreverse.Canaspect-orientedprogrammingprovidenewinsightontheearlierworkonobject-orientedlanguages?Ourfutureworkistoformalizethemodularreasoningproblemandinvesti-gatethesolutionspacebybuildingacorecalculusforanAspectJ-likelanguagewithsupportformodularreasoning.Ourinitialstepstowardsthiscalculusareavailableinatechnicalreport[9],thoughthatworkdoesnotincludemodular-ityfeatures.Ournextstepistoextendthecalculuswithsuchfeatures.Afterprovingtheappropriatemodularityproperties,wewillthenextendthecalculustoafull-scaleprogramminglanguage. Europeansoftwareengineeringconferenceheldjointlywith9thACMSIGSOFTsymposiumonFoundationsofsoftwareengineering,Vienna,Austria.11.K.K.DharaandG.T.Leavens.Weakbehavioralsubtypingfortypeswithmutableobjects.InS.Brookes,M.Main,A.Melton,andM.Mislove,editors,MathematicalFoundationsofProgrammingSemantics,EleventhAnnualConference,volume1ofElectronicNotesinTheoreticalComputerScience.Elsevier,1995.Availablefromhttp://www.elsevier.nl/locate/entcs/volume1.html.12.K.K.DharaandG.T.Leavens.Forcingbehavioralsubtypingthroughspecicationinheritance.InProceedingsofthe18thInternationalConferenceonSoftwareEn-gineering,Berlin,Germany,pages258{267.IEEEComputerSocietyPress,Mar.1996.AcorrectedversionisIowaStateUniversity,Dept.ofComputerScienceTR#95-20c.13.T.Elrad,R.E.Filman,andA.Bader.Aspect-orientedprogramming:Introduction.Commun.ACM,44(10):29{32,Oct.2001.14.R.E.FilmanandD.P.Friedman.Aspect-orientedprogrammingisquanticationandobliviousness.InM.Aksit,S.Clarke,T.Elrad,andR.E.Filman,editors,Aspect-OrientedSoftwareDevelopment.Addison-Wesley,Reading,MA,toappear.15.E.Gamma,R.Helm,R.Johnson,andJ.Vlissides.DesignPatterns:ElementsofReusableObject-OrientedSoftware.Addison-Wesley,Reading,Mass.,1995.16.J.Gosling,B.Joy,G.Steele,andG.Bracha.TheJavaLanguageSpecicationSecondEdition.TheJavaSeries.Addison-Wesley,Boston,Mass.,2000.17.G.Kiczales,E.Hilsdale,J.Hugunin,M.Kersten,J.Palm,andW.Griswold.GettingstartedwithAspectJ.Commun.ACM,44(10):59{65,Oct.2001.18.G.Kiczales,E.Hilsdale,J.Hugunin,M.Kersten,J.Palm,andW.G.Griswold.AnoverviewofAspectJ.InJ.L.Knudsen,editor,ECOOP2001|Object-OrientedProgramming15thEuropeanConference,BudapestHungary,volume2072ofLec-tureNotesinComputerScience,pages327{353.Springer-Verlag,Berlin,June2001.19.I.Kiselev.Aspect-OrientedProgrammingwithAspectJ.SamsPublishing,Indi-anapolis,2003.20.R.Laddad.AspectJinAction.ManningPublicationsCo.,Grennwich,Conn.,2003.21.G.T.Leavens,A.L.Baker,andC.Ruby.PreliminarydesignofJML:AbehavioralinterfacespecicationlanguageforJava.TechnicalReport98-06t,IowaStateUniversity,DepartmentofComputerScience,June2002.Seewww.jmlspecs.org.22.G.T.LeavensandW.E.Weihl.Reasoningaboutobject-orientedprogramsthatusesubtypes(extendedabstract).InN.Meyrowitz,editor,OOPSLAECOOP'90Proceedings,volume25(10)ofACMSIGPLANNotices,pages212{223.ACM,Oct.1990.23.B.LiskovandJ.Guttag.ProgramDevelopmentinJava.TheMITPress,Cam-bridge,Mass.,2001.24.B.LiskovandJ.Wing.Abehavioralnotionofsubtyping.ACMTrans.Prog.Lang.Syst.,16(6):1811{1841,Nov.1994.25.B.Meyer.Eiel:TheLanguage.Object-OrientedSeries.PrenticeHall,NewYork,NY,1992.26.B.Meyer.Object-orientedSoftwareConstruction.PrenticeHall,NewYork,NY,secondedition,1997.27.P.Muller.ModularSpecicationandVericationofObject-OrientedPrograms,volume2262ofLectureNotesinComputerScience.Springer-Verlag,2002.Theauthor'sPh.D.Thesis.Availablefromhttp://www.informatik.fernuni-hagen.de/import/pi5/publications.html.