JML tool-supported specification for Java Erik Poll Radboud University Nijmegen
|
|
- Norah Cummings
- 6 years ago
- Views:
Transcription
1 JML tool-supported specification for Java Erik Poll Radboud University Nijmegen Erik Poll - JML p.1/41
2 Overview The specification language JML Tools for JML, in particular runtime assertion checking using jmlc and jmlrac extended static checking using ESC/Java2 Erik Poll - JML p.2/41
3 Java Modeling Language Erik Poll - JML p.3/41
4 Formal specification language for Java to specify behaviour of Java classes JML by Gary Leavens et al. to record design/implementation decisions by adding assertions to Java source code, eg preconditions postconditions invariants as in Eiffel (Design-by-Contract), but much more expressive. Erik Poll - JML p.4/41
5 Formal specification language for Java to specify behaviour of Java classes JML by Gary Leavens et al. to record design/implementation decisions by adding assertions to Java source code, eg preconditions postconditions invariants as in Eiffel (Design-by-Contract), but much more expressive. Goal: JML should be easy to use for any Java programmer. Erik Poll - JML p.4/41
6 JML To make JML easy to use: JML assertions are added as comments in.java file, or after Properties are specified in Java-like syntax: as Java boolean expressions, extended with a few operators. Erik Poll - JML p.5/41
7 Pre- and postconditions Pre- and post-conditions for methods, eg. requires amount >= 0; ensures balance == \old(balance)-amount && \result == public int debit(int amount) {... } \old(x) is the value of x before execution of the method. Erik Poll - JML p.6/41
8 Pre- and postconditions Specification is difficult! (We can only hope for incomplete specs!) JML specs can be as weak as you want, eg. requires amount >= ensures true; public int debit(int amount) { }... Default postcondition ensures true can be omitted. Idem for default precondition requires true. Erik Poll - JML p.7/41
9 Design-by-Contract Pre- and postconditions define a contract between a class and its clients: Client must ensure precondition and may assume postcondition Method may assume precondition and must ensure postcondition Eg, in the example specs for debit, it is the obligation of the client to ensure that amount is positive. Documenting preconditions making these obligations explicit can prevent problems due to lack of input validation. Erik Poll - JML p.8/41
10 Invariants Invariants are properties that must be established by all constructors and maintained by all methods, eg public class BankAccount { public static final short MAX_BAL = 1000; private short balance; /*@ invariant 0 <= && balance <= MAX_BAL; Intuitively: invariants included in all preconditions and all postconditions. Erik Poll - JML p.9/41
11 Invariants often document design decisions. Invariants Making them explicit helps in understanding the code. In larger programs, often the only interesting properties (to begin) to specify are invariants Invariants often lead to pre-conditions: Eg. in the BankAccount example, the precondition amount <= balance is needed to preserve the invariant 0 <= balance Erik Poll - JML p.10/41
12 Exceptional postconditions signals clauses specify when exceptions may be thrown requires amount >= 0; ensures true; signals (DebitException e) amount > balance && balance == public int debit(int amount) {... Erik Poll - JML p.11/41
13 non_null Common invariants, pre- and postconditions are about references not being null public class Directory { private File[] files; //@ invariant files!= null; //@ requires name!= null; void createsubdir(string name){...} //@ ensures \result!= null; Directory getparent(){...} Erik Poll - JML p.12/41
14 non_null non_null is a convenient short-hand for these. public class Directory { private /*@ non File[] files; void createsubdir(/*@ non String name){ Directory /*@ non getparent(){...} (Note that this is almost like typing.) Erik Poll - JML p.13/41
15 assert clauses An assert clause specifies a property that should hold at some point in the code, eg. if (i <= 0 j < 0) {... } else if (j < 5) { //@ assert i > 0 && 0 < j && j < 5;... } else { //@ assert i > 0 && j > 5;... } assert now included in Java (since Java 1.4) Erik Poll - JML p.14/41
16 pure Pure methods are methods without side-effects: public int getbalance(){... Pure methods and only pure methods can be used in JML specifications. Erik Poll - JML p.15/41
17 That s all, folks! This covers what you need to know to start using JML! Keywords: requires, ensures, invariant, signals, assert Modifiers: non_null, pure Operators: \result, \old, ==>, \forall Erik Poll - JML p.16/41
18 Tools for JML Erik Poll - JML p.17/41
19 Tools for checking JML Erik Poll - JML p.18/41
20 parsing and typechecking Tools for checking JML Erik Poll - JML p.18/41
21 parsing and typechecking and jmldoc Tools for checking JML Erik Poll - JML p.18/41
22 parsing and typechecking and jmldoc Tools for checking JML runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) Erik Poll - JML p.18/41
23 parsing and typechecking and jmldoc Tools for checking JML runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated Erik Poll - JML p.18/41
24 parsing and typechecking and jmldoc Tools for checking JML runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated automatic verification of simple properties interactive verification of complex properties Erik Poll - JML p.18/41
25 Tools for checking JML parsing and typechecking and jmldoc runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated automatic verification of simple properties extended static checker ESC/Java(2) (Compaq) (Kodak/Nijmegen) interactive verification of complex properties Erik Poll - JML p.18/41
26 Tools for checking JML parsing and typechecking and jmldoc runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated automatic verification of simple properties extended static checker ESC/Java(2) (Compaq) (Kodak/Nijmegen) interactive verification of complex properties LOOP tool (Nijmegen) Erik Poll - JML p.18/41
27 Tools for checking JML parsing and typechecking and jmldoc runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated automatic verification of simple properties extended static checker ESC/Java(2) (Compaq) (Kodak/Nijmegen) JACK (Gemplus/INRIA) interactive verification of complex properties LOOP tool (Nijmegen) Erik Poll - JML p.18/41
28 parsing and typechecking and jmldoc Tools for checking JML runtime assertion checking: test for violations of assertions during execution, jmlrac (Iowa Univ.) verification: prove (at compile-time) that contracts are never violated automatic verification of simple properties extended static checker ESC/Java(2) (Compaq) (Kodak/Nijmegen) JACK (Gemplus/INRIA) interactive verification of complex properties LOOP tool (Nijmegen) Jive (Kaiserslautern+ETH Zürich), Krakatoa (INRIA) KeY (Karlsruhe/Koblenz/Göteborg) Erik Poll - JML p.18/41
29 Tools for checking JML model checking of multi-threaded Java code by Bogor (Kansas State Univ.) Support for concurrency in JML is in its infancy! Erik Poll - JML p.19/41
30 Tools for JML The most interesting tools for industrial use today: runtime assertion checking with jmlc & jmlrac execute code and test all assertions for a given set of inputs extended static checking with ESC/Java(2) verify aka prove that assertions are never violated, for all possible inputs Erik Poll - JML p.20/41
31 Runtime assertion checking with jmlc and jmlrac Erik Poll - JML p.21/41
32 jmlc & jmlrac jmlc compiles.java file with JML assertions to.class file with runtime checks jmlrac can execute these.class files during execution, all assertions are then tested and any violation of an assertion produces an Error Erik Poll - JML p.22/41
33 jmlc & jmlrac jmlc compiles.java file with JML assertions to.class file with runtime checks jmlrac can execute these.class files during execution, all assertions are then tested and any violation of an assertion produces an Error Of course, an assertion violation can be error in code or error in specification... Erik Poll - JML p.22/41
34 jmlc & jmlrac jmlc compiles.java file with JML assertions to.class file with runtime checks jmlrac can execute these.class files during execution, all assertions are then tested and any violation of an assertion produces an Error Of course, an assertion violation can be error in code or error in specification... jmlunit combines jmlc/jmlrac with jmlunit. Erik Poll - JML p.22/41
35 jmlrac vs conventional testing Better testing, because more properties are tested, at more places in the code Eg. Invariant violated in line 8000 after 1 minute instead of NullPointerException in line 2000 after 4 minutes Information about cause of problem, rather than effect. Erik Poll - JML p.23/41
36 jmlrac vs conventional testing Some testcode generated automatically by jmlc. Eg signals (Exception) balance == \old(balance); public int debit(int amount) {... jmlrac will test that if debit throws an exception, the balance hasn t changed, and all invariants still hold. jmlrac checks \forall if the domain of quantification is finite Erik Poll - JML p.24/41
37 jmlrac vs conventional testing Less work to come up with test scenarios With rich specs, test scenarios only have to provide inputs but not the expected outputs. Erik Poll - JML p.25/41
38 ESC/Java(2) : Extended static checking Erik Poll - JML p.26/41
39 ESC/Java(2) ESC/Java by Rustan Leino et. al. at DEC/Compaq/HP ESC/Java2 by David Cok (Kodak) and Joe Kiniry (Nijmegen/UCD) Erik Poll - JML p.27/41
40 ESC/Java(2) ESC/Java by Rustan Leino et. al. at DEC/Compaq/HP ESC/Java2 by David Cok (Kodak) and Joe Kiniry (Nijmegen/UCD) extended static checking = lightweight program verification: ESC/Java tries to prove correctness of specifications, at compile-time, fully automatically Erik Poll - JML p.27/41
41 ESC/Java(2) ESC/Java by Rustan Leino et. al. at DEC/Compaq/HP ESC/Java2 by David Cok (Kodak) and Joe Kiniry (Nijmegen/UCD) extended static checking = lightweight program verification: ESC/Java tries to prove correctness of specifications, at compile-time, fully automatically User never has to interact with the back-end theorem prover (Simplify) Erik Poll - JML p.27/41
42 ESC/Java(2) ESC/Java by Rustan Leino et. al. at DEC/Compaq/HP ESC/Java2 by David Cok (Kodak) and Joe Kiniry (Nijmegen/UCD) extended static checking = lightweight program verification: ESC/Java tries to prove correctness of specifications, at compile-time, fully automatically User never has to interact with the back-end theorem prover (Simplify) not sound, not complete, but aim is to find lots of potential bugs quickly Erik Poll - JML p.27/41
43 What is extended static checking? log(effort) program verification LOOP,KeY, Jive extended static checking ESC/Java(2) static checking FindBugs, Fortify,... bugs found Erik Poll - JML p.28/41
44 ESC/Java is not complete ESC/Java may produce warnings about correct programs. requires 0 < ensures @*/ (\exists int x,y,z; pow(x,n)+pow(y,n) == pow(z,n)); public static boolean fermat(double n) { } return (n==2); Warning: postcondition possibly not satisfied (Typically, the theorem prover times out in complicated cases.) Erik Poll - JML p.29/41
45 ESC/Java is not sound ESC/Java may fail to produce warning about incorrect program. public class Positive{ private int n = 1; //@ invariant n > 0; } public void increase(){ n++; } ESC/Java(2) produces no warning, but increase may break the invariant, namely if n is Erik Poll - JML p.30/41
46 ESC/Java is not sound ESC/Java may fail to produce warning about incorrect program. public class Positive{ private int n = 1; //@ invariant n > 0; } public void increase(){ n++; } ESC/Java(2) produces no warning, but increase may break the invariant, namely if n is More fundamental challenge: sound modular verification for OO programs with invariants. Erik Poll - JML p.31/41
47 The goal is finding bugs. ESC/Java is useful Unsoundness and incompleteness just means we cannot find all bugs, and we have some false positives. ESC/Java(2) is good at proving absence of runtime exceptions (eg Null-, ArrayIndexOutOfBounds-, ClassCast-) and verifying relatively simple properties. Erik Poll - JML p.32/41
48 Using ESC/Java(2) The first big problem in any attempt at program verification: what do we want to verify anyway? Erik Poll - JML p.33/41
49 Using ESC/Java(2) The first big problem in any attempt at program verification: what do we want to verify anyway? Good places to start: 1. prove no runtime exceptions can occur Erik Poll - JML p.33/41
50 Using ESC/Java(2) The first big problem in any attempt at program verification: what do we want to verify anyway? Good places to start: 1. prove no runtime exceptions can occur 2. verify additional crucial invariants Erik Poll - JML p.33/41
51 Using ESC/Java(2) The first big problem in any attempt at program verification: what do we want to verify anyway? Good places to start: 1. prove no runtime exceptions can occur 2. verify additional crucial invariants In fact, verification of 1. will require many invariants to be specified. Erik Poll - JML p.33/41
52 Using ESC/Java(2) Cost of using ESC/Java is proportional to size of code, as code needs to be annotated size of API used, as API methods used may have to be specified We (and the OOTI students here at TU/e) succesfully applied ESC/Java(2) to Java Card smart card applets (1000 s of loc). Erik Poll - JML p.34/41
53 Conclusions Erik Poll - JML p.35/41
54 Potential strong points of JML Easy to learn: syntax & semantics very close to Java Erik Poll - JML p.36/41
55 Potential strong points of JML Easy to learn: syntax & semantics very close to Java No need for a formal model: the Java source code is the formal model Erik Poll - JML p.36/41
56 Potential strong points of JML Easy to learn: syntax & semantics very close to Java No need for a formal model: the Java source code is the formal model Consequently: use of JML can be introduced gradually JML can be used for existing (legacy) code & APIs Erik Poll - JML p.36/41
57 Potential strong points of JML Easy to learn: syntax & semantics very close to Java No need for a formal model: the Java source code is the formal model Consequently: use of JML can be introduced gradually JML can be used for existing (legacy) code & APIs But: JML does not provide or impose any design methodology, as UML, B, VDM,... do Erik Poll - JML p.36/41
58 Tools for JML Runtime assertion checking low cost & effort easy to do as part of normal testing Erik Poll - JML p.37/41
59 Tools for JML Runtime assertion checking low cost & effort easy to do as part of normal testing Extended checking with ESC/Java much higher effort higher assurance: independent of any test suite verifying a property forces you to specify all the invariants and API contracts that it relies on Erik Poll - JML p.37/41
60 Related Work Spec# for C# by Microsoft Research SparkAda by Praxis Critical Systems Ltd. jcontract tool for Java by Parasoft EauClaire for C by Brian Chess (now at Fortify... ) OCL specification language for UML Erik Poll - JML p.38/41
61 Choosing which properties to specify up to which level of detail using which tools so that JML specs are cost-effective. The challenge in using JML cost more detailed formal specs, higher level of assurance, more bugs found Erik Poll - JML p.39/41
62 Pointers More info about JML: Some papers gentle intro Design by Contract with JML by Gary Leavens and Yoonsik Cheon white paper An overview of JML tools and applications by lots of people Erik Poll - JML p.40/41
Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen
Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/30
More informationJML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material
Métodos Formais em Engenharia de Software JML José Carlos Bacelar Almeida Departamento de Informática Universidade do Minho MI, Braga 2008 Outline Design by Contract and JML Design by Contract Java Modeling
More informationESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen
ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen Erik Poll - JML p.1/19 Extended static checker for Java ESC/Java by Rustan Leino et.al. Extension ESC/Java2 by David Cok
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company
ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/?? ESC/Java Extended static checker by Rustan Leino et.al.
More informationAssertions & Design-by-Contract using JML Erik Poll University of Nijmegen
Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen Erik Poll - JML p.1/39 Overview Assertions Design-by-Contract for Java using JML Contracts and Inheritance Tools for JML Demo
More informationJava Modelling Language (JML) References
Java Modelling Language (JML) References G. T. Leavens and Y. Cheon. Design by Contract with JML, August 2005. L. Burdy, Y. Cheon, D. Cok, M. Ernst, J. Kiniry, G. T. Leavens, K. R. M. Leino, and E. Poll.
More informationESC/Java2 Use and Features
ESC/Java2 Use and Features The ESC/Java2 tool David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2
More informationESC/Java2 Use and Features
ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial
More informationDesign by Contract and JML: concepts and tools
Métodos Formais em Engenharia de Software Design by Contract and JML: concepts and tools José Carlos Bacelar Almeida Departamento de Informática Universidade do Minho MI/MEI 2008/2009 1 Talk Outline Design
More informationJML. Java Modeling Language
JML Java Modeling Language Overview About the JML Project DBC Design By Contract JML concepts, examples, syntax and capabilities Basics Exceptions Invariants Assertions Quantifiers Other keywords JML hiding
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationThe JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23
The JML Tool Néstor Cataño ncatano@puj.edu.co Faculty of Engineering Pontificia Universidad Javeriana The JML Tool p.1/23 Tools for JML 1. Parsing and type-checking 2. Checking assertions at runtime 3.
More informationAdvances in Programming Languages
O T Y H Advances in Programming Languages APL8: ESC/Java2 David Aspinall (including slides by Ian Stark and material adapted from ESC/Java2 tutorial by David Cok, Joe Kiniry and Erik Poll) School of Informatics
More informationAdvanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll
Advanced JML and more tips and pitfalls David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2
More informationESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen
ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial
More informationAdvances in Programming Languages
T O Y H Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Thursday 21 January 2010
More informationFormal Specification and Verification
Formal Specification and Verification Formal Specification, Part III Bernhard Beckert Adaptation of slides by Wolfgang Ahrendt Chalmers University, Gothenburg, Sweden Formal Specification and Verification:
More informationESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen
ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/??
More informationThe Java Modeling Language JML
The Java Modeling Language JML Néstor Cataño ncatano@puj.edu.co Faculty of Engineering Pontificia Universidad Javeriana The Java Modelling Language JML p.1/47 Lecture Plan 1. An Introduction to JML 2.
More informationFormal Methods for Java
Formal Methods for Java Lecture 30: Conclusion Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg Feb 17, 2012 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 1 / 21 Topics
More informationOOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen
OOP Design by Contract Carsten Schuermann Kasper Østerbye IT University Copenhagen 1 Today's schedule Design by Contract why the term contract what design issue is captured, and why bother what is a pre-condition
More informationAdvances in Programming Languages
Advances in Programming Languages Lecture 12: Practical Tools for Java Correctness Ian Stark School of Informatics The University of Edinburgh Friday 31 November 2014 Semester 1 Week 7 http://www.inf.ed.ac.uk/teaching/courses/apl
More informationAn overview of JML tools and applications
Int J Softw Tools Technol Transfer (2004) / Digital Object Identifier (DOI) 10.1007/s10009-004-0167-4 An overview of JML tools and applications Lilian Burdy 1,YoonsikCheon 2,DavidR.Cok 3, Michael D. Ernst
More informationFormale Entwicklung objektorientierter Software
Formale Entwicklung objektorientierter Software Praktikum im Wintersemester 2008/2009 Prof. P. H. Schmitt Christian Engel, Benjamin Weiß Institut für Theoretische Informatik Universität Karlsruhe 5. November
More informationSpecification of a transacted memory for smart cards in Java and JML
Specification of a transacted memory for smart cards in Java and JML Erik Poll University of Nijmegen, NL Pieter Hartel Eduard de Jong Joint work with University of Twente Sun Microsystems Transacted Memory
More informationOverview The Java Modeling Language (Part 1) Related Work
Overview The Java Modeling Language (Part 1) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationSpecification tips and pitfalls
Specification tips and pitfalls David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML
More informationA Java Reference Model of Transacted Memory for Smart Cards
Erik Poll p.1/23 A Java Reference Model of Transacted Memory for Smart Cards Erik Poll University of Nijmegen Joint work with Pieter Hartel Eduard de Jong University of Twente Sun Microsystems Erik Poll
More informationAdvances in Programming Languages
T O Y H Advances in Programming Languages APL14: Practical tools for Java Correctness David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Friday 12 November
More informationJava Modeling Language (JML)
CIS 771: Software Specifications Introduction to JML Java Modeling Language (JML) A behavioral interface specification language for Java supporting design-by-contract (DBC)... invented by Gary T. Leavens
More informationJava Modelling Language (JML) References
Java Modelling Language (JML) References www.jmlspecs.org G. T. Leavens and Y. Cheon, Design by Contract with JML, August 2005. C. Marché, C. Paulin-Mohring, and X. Urbain, The Krakatoa Tool for Cerification
More informationAdvanced JML Erik Poll Radboud University Nijmegen
JML p.1/23 Advanced JML Erik Poll Radboud University Nijmegen JML p.2/23 Core JML Remember the core JML keywords were requires ensures signals invariant non null pure \old, \forall, \result JML p.3/23
More informationVerifying JML specifications with model fields
Verifying JML specifications with model fields Cees-Bart Breunesse and Erik Poll Department of Computer Science, University of Nijmegen Abstract. The specification language JML (Java Modeling Language)
More informationThe Java Modeling Language (Part 1)
The Java Modeling Language (Part 1) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationProgramming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany
Programming with Contracts Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany Contract A (formal) agreement between Method M (callee) Callers of M Rights Responsabilities Rights Responsabilities
More informationIntegrating verification in programming languages
Integrating verification in programming languages Thomas Jensen, INRIA Seminar INRIA Rennes, 04/11/2015 Collège de France Chaire Algorithmes, machines et langages x / y Types For division to make sense,
More informationJML and ESC/Java2 Homework Exercises
This document contains a set of homework exercises for those that wish to learn JML and ESC/Java2. It was begun by Joseph R. Kiniry in May 2004 for the tutorial Design by Contract and
More informationA Small Survey of Java Specification Languages *
Proceedings of the 8 th International Conference on Applied Informatics Eger, Hungary, January 27 30, 2010. Vol. 2. pp. 409 416. A Small Survey of Java Specification Languages * Gábor Kusper a, Gergely
More informationHow the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification
Computer Science Technical Reports Computer Science 3-2004 How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification Gary T. Leavens Iowa State University Yoonsik Cheon
More informationFormal Methods for Java
Formal Methods for Java Lecture 1: Introduction Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg October 26, 2011 Jochen Hoenicke (Software Engineering) Formal Methods for Java October
More informationCanica: An IDE for the Java Modeling Language
Canica: An IDE for the Java Modeling Language Angelica B. Perez, Yoonsik Cheon, and Ann Q. Gates TR #06-36 August 2006 Keywords: Integrated development environment, specification tool, programming tool,
More informationThe Use of JML in Embedded Real-Time Systems
The Use of JML in Embedded Real-Time Systems Joseph Kiniry Technical University of Denmark JTRES 2012 24 October 2012 Acknowledgements Some content based on an OOPSLA tutorial by: Gary T. Leavens, Curtis
More informationAn overview of JML tools and applications
An overview of JML tools and applications www.jmlspecs.org Lilian Burdy a, Yoonsik Cheon c,1, David Cok b, Michael Ernst d, Joe Kiniry e, Gary T. Leavens c,1, K. Rustan M. Leino f, Erik Poll e,2 a GEMPLUS
More informationLecture 10 Design by Contract
CS 5959 Writing Solid Code Fall 2015 Nov-23 Lecture 10 Design by Contract Zvonimir Rakamarić University of Utah Design by Contract Also called assume-guarantee reasoning Developers annotate software components
More informationKarsten Sohr Center for Computing Technologies Universität Bremen, Germany
Towards Formal Specification and Verification of a Role-Based Authorization Engine using JML [Position paper] Tanveer Mustafa Center for Computing Technologies Universität Bremen, Germany tanveer@tzi.de
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationHow the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification
How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification Gary T. Leavens, Yoonsik Cheon, Curtis Clifton, Clyde Ruby, and David R. Cok TR #03-04a March 2003, revised March
More informationFormal Specification and Verification
Formal Specification and Verification Proof Obligations Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification and Verification:
More informationobjects
/*@ immutable @*/ objects Erik Poll SoS group (aka the LOOP group) Radboud University Nijmegen KeY workshop June 2005 yet another JML keyword... Java provides final ie. immutable - fields What about immutable
More informationUC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara
CS189A - Capstone Christopher Kruegel Department of Computer Science http://www.cs.ucsb.edu/~chris/ Design by Contract Design by Contract and the language that implements the Design by Contract principles
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More informationSpecification and Verification of Garbage Collector by Java Modeling Language
Specification and Verification of Garbage Collector by Java Modeling Language Wenhui Sun, Yuting Sun, Zhifei Zhang Department of Computer Science and Technology Beijing Jiaotong University Beijing, China
More informationJava ByteCode Specification Language(BCSL) and how to compile JML to BCSL. Mariela Pavlova March 10, 2006
Java ByteCode Specification Language(BCSL) and how to compile JML to BCSL Mariela Pavlova March 10, 2006 1 1 Introduction This document is an overview of a bytecode level specification language, called
More informationAn Aspect-Oriented Approach. Henrique Rebêlo Informatics Center
An Aspect-Oriented Approach to implement JML Features Henrique Rebêlo Informatics Center Federal University of Pernambuco Summary jmlc problems bigger code, slower code, no suppport for Java ME, and bad
More informationMotivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken
Spec# Andreas Vida Motivation Correct and maintainable software Cost effective software production Implicit assumptions easily broken Need more formal f specification Integration into a popular language
More informationESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar
ESC/Java 2 Extended Static Checker for Java 2 B y K ats man Andrey S oftware E ngineering S em inar 2 0 0 8 Background ESC/Java - Original development by Compaq Systems Research Center (1997) as a successor
More informationChecking Program Properties with ESC/Java
Checking Program Properties with ESC/Java 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich 1 ESC/Java A checker for Java programs Finds null pointers, array dereferences Checks Hoare logic
More informationJML Class Specifications The Java Modeling Language (Part 2) A Java Class
JML Class Specifications The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria
More informationVerifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite
Verifying Java Programs Verifying Java Programs Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.uni-linz.ac.at
More informationVerifying Java Programs
Verifying Java Programs Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.uni-linz.ac.at
More informationAssertions, pre/postconditions
Programming as a contract Assertions, pre/postconditions Assertions: Section 4.2 in Savitch (p. 239) Specifying what each method does q Specify it in a comment before method's header Precondition q What
More informationThe Java Modeling Language (Part 2)
The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationAutomatic Generation of Program Specifications
Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1 Synopsis Specifications are useful
More informationJML s Rich, Inherited Specifications for Behavioral Subtypes
JML s Rich, Inherited Specifications for Behavioral Subtypes Gary T. Leavens TR #06-22 August 11, 2006 Keywords: Supertype abstraction, behavioral subtype, behavioral subtyping, modularity, specification
More informationContents. Program 1. Java s Integral Types in PVS (p.4 of 37)
Java s Integral Types in PVS Bart Jacobs bart@cs.kun.nl www.cs.kun.nl/ bart www.verificard.org. Dep. Computer Science, Univ. Nijmegen, NL Contents I. Example programs II. Integral types in Java (implementations)
More informationDesign by Contract with JML
Design by Contract with JML Gary T. Leavens and Yoonsik Cheon August 16, 2006 Abstract This document gives a tutorial introduction to the Java Modeling Language (JML), and explains how JML can be used
More informationFormal Methods for Java
Formal Methods for Java Lecture 6: Introduction to JML Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg May 15, 2017 Jochen Hoenicke (Software Engineering) Formal Methods for Java
More informationModular verification of static class invariants
Modular verification of static class invariants K. Rustan M. Leino 1 and Peter Müller 2 1 Microsoft Research, Redmond, WA, USA, leino@microsoft.com 2 ETH Zürich, Switzerland, peter.mueller@inf.ethz.ch
More informationFull Verification of the KOA Tally System
Final Year Project Final Report A thesis submitted in part fulfilment of the degree of BSc. (Hons.) in Computer Science with the supervision of Dr. Joseph Kiniry and moderated by Mr. John Dunnion. Department
More informationAdding native specifications to JML
Adding native specifications to JML Julien Charles INRIA Sophia-Antipolis, France Julien.Charles@sophia.inria.fr Abstract. In the specification language JML we can see pure methods as a way to express
More informationPreliminary Design of JML:
Preliminary Design of JML: A Behavioral Interface Specification Language for Java by Gary T. Leavens, Albert L. Baker, and Clyde Ruby TR #98-06t June 1998, revised July, November 1998, January, April,
More informationAsserting Expectations. Your Submissions. Oral Exams
Asserting Expectations Andreas Zeller 1 Your Submissions Program must behave exactly as specified (i.e., input, output, flags, etc.) Program must use recent Python 2 version (i.e., Python 2.6 installed
More informationCombining Design by Contract and Inference Rules of Programming Logic towards Software Reliability
Combining Design by Contract and Inference Rules of Programming Logic towards Software Reliability Nuha Aldausari*, Cui Zhang and Jun Dai Department of Computer Science, California State University, Sacramento,
More informationOn the Interplay between the Semantics of Java s Finally Clauses and the JML Run-Time Checker
On the Interplay between the Semantics of Java s Finally Clauses and the JML Run-Time Checker M. Huisman University of Twente Netherlands ABSTRACT This paper discusses how a subtle interaction between
More informationHomework #1, on the class web pages later today
Assertions Reading assignment A. J. Offutt, A Practical System for Mutation Testing: Help for the Common Programmer, Proceedings of the 12th International Conference on Testing Computer Software, Washington,
More informationFAKULTÄT FÜR INFORMATIK
FAKULTÄT FÜR INFORMATIK DER TECHNISCHEN UNIVERSITÄT MÜNCHEN Master-Seminar Software Verification Author: Lukas Erlacher Advisor: Prof. Andrey Rybalchenko, Dr. Corneliu Popeea Submission: April, 2013 Contents
More informationTesting Library Specifications by Verifying Conformance Tests
Testing Library Specifications by Verifying Conformance Tests Joseph R. Kiniry, Daniel M. Zimmerman, Ralph Hyland ITU Copenhagen, UW Tacoma, UCD Dublin 6th International Conference on Tests & Proofs Prague,
More informationIntroduction to the Java Modeling Language
Introduction to the Java Modeling Language Modular Specification and Verification for Java Gary T. Leavens 1 Curtis Clifton 2 Hridesh Rajan 3 Robby 4 1 School of Electrical Engineering and Computer Science,
More informationPreliminary Design of JML:
Preliminary Design of JML: A Behavioral Interface Specification Language for Java by Gary T. Leavens, Albert L. Baker, and Clyde Ruby TR #98-06z June 1998, revised July, November 1998, January, April,
More informationTowards imperative modules: reasoning about invariants and sharing of mutable state
Towards imperative modules: reasoning about invariants and sharing of mutable state David A. Naumann Joint work with Mike Barnett and Anindya Banerjee Stevens Institute of Technology Supported by NSF CCR-0208984,
More informationAn introduction to formal specifications and JML. Invariant properties
An introduction to formal specifications and JML Invariant properties Yves Ledru Université Grenoble-1 Laboratoire d Informatique de Grenoble Yves.Ledru@imag.fr 2013 Page 1 Invariant properties Invariants
More informationOverview of the KeY System
22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 Overview of the KeY System Copyright 2007-8 Reiner Hähnle and Cesare Tinelli. Notes originally developed by Reiner Hähnle
More informationVerifying Java Programs Verifying Java Programs with KeY
Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationReasoning about Java Programs with Aliasing and Frame Conditions
Reasoning about Java Programs with Aliasing and Frame Conditions Claude Marché and Christine Paulin-Mohring PCRI: LRI (Université Paris-Sud & CNRS UMR 8623), INRIA Futurs Bât. 490, Université Paris-Sud
More informationReasoning about Object Structures Using Ownership
Reasoning about Object Structures Using Ownership Peter Müller ETH Zurich, Switzerland Peter.Mueller@inf.ethz.ch Abstract. Many well-established concepts of object-oriented programming work for individual
More informationVerifying Java Programs with KeY
Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang
More informationA Library-Based Approach to Translating OCL Constraints to JML Assertions for Runtime Checking
A Library-Based Approach to Translating OCL Constraints to JML Assertions for Runtime Checking Carmen Avila, Guillermo Flores, Jr., and Yoonsik Cheon TR #08-05 February 2008; revised May 2008 Keywords:
More informationTesting, Debugging, and Verification
Testing, Debugging, and Verification Formal Specification, Part II Srinivas Pinisetty 23 November 2017 Introduction Today: Introduction to Dafny: An imperative language with integrated support for formal
More informationMTV: METHODS & TOOLS 4 VERIFICATION MASTER COMPUTER SCIENCE MARIEKE HUISMAN: STUDY ADVISOR MY NAME: JACO VAN DE POL
MTV: METHODS & TOOLS 4 VERIFICATION MASTER COMPUTER SCIENCE MARIEKE HUISMAN: STUDY ADVISOR MY NAME: JACO VAN DE POL OVERVIEW Motivation Program Tools and Techniques Why choose MTV? (or avoid it) MoTiVation:
More informationRigorous Software Development CSCI-GA
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 6 Disclaimer. These notes are derived from notes originally developed by Jochen Hoenicke. They are copyrighted
More informationVerifying Java Programs Verifying Java Programs with KeY
Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationSelf-checking software insert specifications about the intent of a system
Assertions Reading assignment A. J. Offutt, A Practical System for Mutation Testing: Help for the Common Programmer, Proceedings of the 12th International Conference on Testing Computer Software, Washington,
More informationEffective and Efficient Runtime Assertion Checking for JML Through Strong Validity
Effective and Efficient Runtime Assertion Checking for JML Through Strong Validity Frederic Rioux and Patrice Chalin Dependable Software Research Group, Dept. of Computer Science and Software Engineering,
More informationFrom JML to BCSL (Draft Version)
From JML to BCSL (Draft Version) Lilian Burdy, Mariela Pavlova July 18, 2005 Contents 1 Introduction 3 2 General Conditions 3 2.1 Restrictions on the Java compiler.................. 3 3 Class annotation
More informationJava: advanced object-oriented features
Chair of Software Engineering Carlo A. Furia, Marco Piccioni, Bertrand Meyer Java: advanced object-oriented features Chair of Software Engineering Carlo A. Furia, Marco Piccioni, Bertrand Meyer Packages
More informationNon-null References by Default in the Java Modeling Language
Non-null References by Default in the Java Modeling Language Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering Department Concordia University Montreal,
More informationJive/JML Generating Proof Obligations From JML Specifications
Jive/JML Generating Proof Obligations From JML Specifications Ghislain Fourny gfourny@student.ethz.ch Swiss Federal Institute of Technology Zurich Software Component Technology Group Semester Project March
More informationFaithful mapping of model classes to mathematical structures
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zurich adam.darvas@inf.ethz.ch Peter Müller Microsoft Research mueller@microsoft.com Abstract Abstraction techniques are indispensable
More information