Enforcing Information Hiding in Interface Specifications: with The AspectJML specification language. A Client Aware checking Approach

Transcription

1 Enforcing Information Hiding in Interface Specifications: with The AspectJML specification language A Client Aware checking Approach Henrique Rebêlo Universidade Federal de Pernambuco Brazil Gary T. Leavens University of Central Florida USA

2 What is information hiding?

3 How to abstract away the details? Copyright 1994 Extracted from Booch s OOAD book

4 Copyright 1994 Extracted from Booch s OOAD book Black box abstraction

5 Parnas Whatever is likely to change! Hiding the secret of a module behind an interface

6 Abstraction is an important key Copyright 2004 Extracted from McConnell s Code Complete book

7 Encapsulation helps in the process Copyright 2004 Extracted from McConnell s Code Complete book

8 Is Encapsulation equivalent to Information Hiding?

9 Think about these examples class EncapsulationWithoutInformationHiding { private ArrayList list = new ArrayList(); public ArrayList getlist() { return this.list; class InformationHidingWithoutEncapsulation { public List list = new ArrayList();

10 Avoid exposure implementation details Copyright 1994 Extracted from Booch s OOAD book

11 Information hiding for other artifacts (Leavens and Muller. ICSE, 2007) Visibility modifiers on specifications Some specifications hidden from some clients Some specifications say more to privileged clients class Package { //@ public model JMLDouble pweight; private double weight; //@ private represents weight = pweight; /*@ public requires weight <= ensures this.pweight == private requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight; /* other methods omitted */

12 Design by Contract Specifications (contracts) in OO programming Language preconditions postconditions decrement is -- Decrease counter by one. require item > 0 ensure item = old item - 1

13 Running example (Package delivery system)

14 Delivery package classes Package, Gift Package Package * Courier Coupon Package Courier... setweight(double) setsize(double, double) resize(double, double) containssize(double, double) GiftPackage setweight(double) setsize(double, double) CouponPackage setweight(double) setsize(double, double)

15 Package contracts with a DbC language class Package { /* intentionally public */ public double weight; public void setweight(double weight <= this.weight == weight; { this.weight = weight; Package setweight( ) * Courier /* other methods omitted */ GiftPackage 2 CouponPackage setsize( ) setsize( ) containssize( ) setweight( ) setsize( ) resize( ) containssize( ) setweight( )

16 Consider the following Package s client Written by Cathy class ClientClass { public void clientmeth(package p) { p.setweight(5); RAC Written by Alice class Package { /* intentionally public */ public double weight; public void setweight(double weight <= this.weight == weight; { this.weight = weight + 1; /* other methods omitted */ PostconditionError: this.weight is 6.0 weight is 5.0

17 Consider now the following change by Alice class Package { private double weight; public void setweight(double weight <= this.weight == weight; { this.weight = weight; Package setweight( ) * Courier /* other methods omitted */ GiftPackage 2 CouponPackage setsize( ) resize( ) containssize( ) setweight( ) setsize( ) resize( ) containssize( ) setweight( )

18 But now RAC breaks information hiding! Written by Cathy class ClientClass { public void clientmeth(package p) { p.setweight(5); Written by Alice class Package { private double weight; public void setweight(double weight <= this.weight == weight; { this.weight = weight + 1; /* other methods omitted */ RAC PostconditionError: this.weight is 6.0 weight is 5.0

19 Kiczales: Beyond the black box

20 Do DbC languages present this information hiding problem?

21

22 In this scenario, we can say that

23 standard DbC/RAC tools are NOT Effective + Useful

24 But the DbC language JML starting fixing the problem

25 Java modeling language JML Formal specification language for Java behavioral specification of Java modules Adopts design by contract based on Hoarestyle with assertions pre, postconditions and invariants {P C {Q Main goal Improve functional software correctness of Java programs

26

27 Kinds of clients in Java and JML private client class C class F class A package clients public clients class D extends C class E extends C class B protected clients

28 Package contracts with JML class Package { //@ public model JMLDouble pweight; private double weight; //@ private represents weight = pweight; /*@ public requires weight <= ensures this.pweight == private requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight; Package setweight( ) GiftPackage 2 * Courier CouponPackage /* other methods omitted */ setsize( ) resize( ) containssize( ) setweight( ) setsize( ) resize( ) containssize( ) setweight( )

29 JML RAC still breaks information hiding! Written by Cathy class ClientClass { public void clientmeth(package p) { p.setweight(5); RAC Written by Alice class Package { //@ public model JMLDouble pweight; private double weight; //@ private represents weight = pweight; /*@ public requires weight <= ensures this.pweight == private requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight + 1; /* other methods omitted */ JMLPostconditionError: when this.weight is 6.0 weight is 5.0

30 The problem can become even worse

31 Package contracts for subtypes class Package { //@ public model JMLDouble pweight; protected double weight; //@ protected represents weight = pweight; /*@ public requires weight <= ensures this.pweight == protected requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight; /* other methods omitted */ Package setweight( ) GiftPackage setsize( ) resize( ) containssize( ) setweight( ) 2 * Courier CouponPackage setsize( ) resize( ) containssize( ) setweight( )

32 JML RAC misses a precondition violation! Written by Cathy class ClientClass { public void clientmeth(package p) { p.setweight(8); RAC Written by Alice class Package { //@ public model JMLDouble pweight; protected double weight; //@ protected represents weight = pweight; /*@ public requires weight <= ensures this.pweight == protected requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight; /* other methods omitted */ Returns successfully! class GiftPackage extends Package {

33 JML/RAC is NOT Effective + Useful

34 Unanswered questions can arise What happened with RAC? Did Alice specified correctly? Did I provide the right specifications? Alice Cathy Did Cathy associated the right specs during RAC?

35 This is caused by the

36 supplier side instrumentation of contracts in JML and any other RAC class Package { //@ public model JMLDouble pweight; protected double weight; //@ protected represents weight = pweight; /*@ public requires weight <= ensures this.pweight == protected requires weight <= ensures this.weight == weight; public void setweight(double weight) { this.weight = weight; class Package { public void setweight(double weight) { //@ assume w <= 5 w <= 8 ; this.weight = weight; //@ assert this.pweight == weight && this.weight == weight; /* other methods omitted */ /* other methods omitted */

37 Information hiding problem statement we say that a RAC compiler that checks specifications based at supplier side as overly dynamic

38 The AspectJML Language is one solution to the illustrated problem

39 Client aware checking approach class GiftPackage extends Package { public void setweight(double w){ class Courier public void deliver(double w){ class OtherClient{ void clientmeth(package p) { p.setweight(-1); p.sety(-1); void helper( ) { class Package { /*@ public requires w <= ensures this.pweight == protected requires w <= ensures this.weight == public void setweight(double w) { CAC cuts through clients with proper runtime checks Runtime checking itself is modular based on privacy kind of clients

40 Harrison & Harold Ossher on Subjectivity object plant nestable predator nectar plant insect plant maple cherry locust pine dandelion bird woodsman maple cherry pine dandelion bird woodsman hardwood softwood tree nontree object Copyright 1993 IBM Corporation

41 Grady Booch on Subjectivity

42 CAC implementation with AspectJML JML annotated Java source files Class.class Advice OOP AOP Classes Advice W e a v e r Class.class Advice Aspects with JML features

43 To hide or not to hide? class GiftPackage extends Package { public void setweight(double w){ class Courier public void deliver(double w){ class OtherClient{ void clientmeth(package p) { p.setweight(-1); p.sety(-1); void helper( ) { class Package { /*@ public requires w <= ensures this.pweight == protected requires w <= ensures this.weight == public void setweight(double w) { CAC cuts through clients with proper runtime checks Runtime checking itself is modular based on privacy kind of clients

44 Future work Find case studies More study on the problems caused by overly dynamic checking dynamic dispatch

45 AspectJML/CAC in action

46 Dedicated to the Memory of Robert France