JML. Java Modeling Language

Transcription

1 JML Java Modeling Language

2 Overview About the JML Project DBC Design By Contract JML concepts, examples, syntax and capabilities Basics Exceptions Invariants Assertions Quantifiers Other keywords JML hiding Main tools Comprehensive example Summary 2

3 JML Open source Gary T. Leavens s group at the University of Central Florida (formerly Iowa State University Yoonsik Cheon s group at University of Texas at El Paso University College Dublin Many others 3

4 JML Uses As a common language for: Research projects and tools (ESC/JAVA) Several formal verification tools (LOOP, JACK, KRAKATOA, Jive and KeY) In the industry: in financial applications on Java smart cards For verifying some security properties on computer based voting systems 4

5 DBC Design By Contract Each part of a program has a contract with the rest of the program: Requirements What does a method require from it s caller? Assurances What does this method ensure? 5

6 DBC Design By Contract Advantages: Method s responsibilities are given explicitly (depends on how good it is indicated) Forces the programmer to write exactly what the method does and needs (and therefore think things over ) Assigns blame Specifies who s to blame for not keeping the contract 6

7 DBC Design By Contract Coding advantages: Allows avoiding constantly checking validity of arguments as those checks are enforced by the spec JMLc compiles the contract as a part of the program as well as compiling the java class JMLrac runs the compiled program taking into consideration the compiled contracts Gives a specific view of what the code does without revealing it 7

8 Syntax Pre-condition: requires <boolean_expression>; Post-condition: ensures <boolean_expression>; 8

9 JML Syntax Example requires x>=0.0; (x, \result*\result, public static double sqrt(double x) { /* */ 9

10 JML Syntax Example requires x>=0.0; (x, \result*\result, public static double sqrt(double x) { /* */ A static method of class JMLDouble tests whether the relative difference of the first 2 double arguments is within the given epsilon, the third argument. 10

11 JML Syntax Example import org.jmlspecs.models.jmldouble; requires x>=0.0; (x, \result*\result, public static double sqrt(double x) { /* */ 11

12 No space here JML Syntax Example requires x>=0.0; (x, \result*\result, No space here public static double sqrt(double x) { /* */ 12

13 What is missing What if the user can t guarantee to impose the method s requirements? In other words, what if we would like the method to deal with bad input rather then the spec. (which won t always be a part of the running program)? 13

14 Exceptions JML allows the specification of what exceptions a method may throw Done by using JML s signals_only or signals clause Syntax: //@ signals (<exception>) <boolean_expression>; 14

15 Exceptions JML allows the specification of what exceptions a method may throw Done by using JML s signals_only clause Example: //@ signals_only IllegalArgumentException; 15

16 Exceptions JML allows the specification of what exceptions a method may throw Example of using signals : /*@ (x, \result*\result, signals (Exception e) x < 0 (e instanceof public static double sqrt(double x); 16

17 Exceptions signals Allows stating the condition for throwing the exception signals_only Allows specifying a list of thrown exceptions separated by, Post Conditions are discarded when an exception is thrown 17

18 Exceptions Rule out exceptions: signals (Exception) false; Or use: normal_behavior requires Exceptions mentioned in throws clause are allowed be default 18

19 Invariants An invariant is a property that is always true when control is not in object s scope Allows defining acceptable states and consistency Syntax: //@ invariant <boolean_expression>; 19

20 Invariants An invariant is a property that is always true when control is not in object s scope Allows defining acceptable states and consistency Example ( name and weight are members of some class): //@ public invariant!name.equals("") && weight >= 0; 20

21 Invariants Assure that name is always not null, example: private String name; 21

22 Assertions An assert clause specifies a property that should hold at the point of assertion (as opposed to invariant clause) 22

23 Assertions Example: if (i<=0 j<0) { else if (j<5) { //@ assert i>0 && 0<j && j<5; else { //@ assert i>0 && j>5; 23

24 Quantifiers Universal and existentials: \forall and \exists General: \sum, \product, \min and \max Numeric: \num_of 24

25 Binary search example We would like to write a method that uses binary search to find requested value. What do we need? 25

26 Binary search example requires a!=null && (\forall int i; 0<i && i<a.length; int binarysearch(int[] a, int x) { 26

27 Binary search example Complexity of binary search is supposed to be O(log(n)) Checking that we are eligible to use it is of linear complexity Tearing out JML specs is easy 27

28 pure and assignable Specifying a method that has no side effects: public /*@ int get(){ Limit side effects of methods: /*@ assignable balance; ensures balance ==\old(balance)-amount; public int decrease(int amount) { Meaning the value of balance before the change 28

29 Expressions JML extensions to java: Syntax Meaning a ==> b a implies b a <== b b implies a a <==> b a iff b a <=!=> b!(a <==> b) JML does not allow operators that have side effects such as = etc. Can only call pure methods 29

30 JML hiding JML does not allow private java fields to be used in public specifications A public invariant or method specifications can only mention public fields in that class Adding annotation spec_public allows public specs to treat private fields as public Example: private /*@ int variable; Allows a public method s spec to address member variable 30

31 Main Tools Assertion checking compiler JMLC Runtime assertion checker JMLRAC Unit testing tool JMLUNIT Enhanced version of javadoc JMLDOC 31

32 Goals: JMLC Executable JML compiler Performs parsing and type checking Compile JML annotated files with runtime assertion checks Processes JML specifications (e.g..spec files) How it works: Sets up the CLASSPATH Generates runtime assertion enabled JVM bytecode in each class file for each of the Java files 32

33 How to use JMLC: jmlc *.java jmlc -Q *.java Output: *.class files JMLC Executable JML compiler 33

34 34 JMLRAC Executable JML runtime assertion checker Goals: Run Java programs compiled with the JML runtime assertion checker compiler How it Works: Sets CLASSPATH to allow access to org.jmlspecs.jmlunit and org.jmlspecs.models The JML/bin/jmlruntime.jar file is added to the bootclass path Runs the java program with parameters

35 35 JMLRAC Executable JML runtime assertion checker How to use JMLRAC: jmlrac filename Output: If everything goes well whatever the program does If not: Exception in thread "main" org.jmlspecs.jmlrac.runtime.jmlentrypreconditionerror: by method Person.Person at Person.checkPre$$init$$Person(Person.java:877) at Person.<init>(Person.java:50) at MainClass.main(MainClass.java:3)

36 JMLRAC and JMLC Cheap and easy to do (spare time) Gives better feedback and better testing More properties tested at more places in the code 36

37 JMLUNIT Executable Goal: Generate file for running JUnit tests on JML annotated Java files How it works: Sets CLASSPATH Runs the Java class org.jmlspecs.jmlunit.main 37

38 JMLUNIT Executable How to use JMLUNIT on a single class: jmlunit name.java Output: Files ending with (1 of every kind): _JML_Test.java The test to be run by using JUnit or jml-junit _JML_TestData.java This file should be edited by the user 38

39 JMLUNIT and JML-JUNIT This comment is found throughout the file ending with _JML_TestData.java : // replace this comment with test data if desired Run can be done by executing JUnit regularly, but JML/bin/jmlruntime.jar and JML/bin/jmljunitruntime.jar must be added to the CLASSPATH Automated script that does it for you: jml-junit name_jml_test Where name is replaced by the name of the class 39

40 JMLDOC Executable Goal: Generate HTML (web) pages from JML annotated Java and JML files Similar to Javadoc, but jmldoc understands JML specifications, and includes this information in the generated HTML pages How it works: As before sets the CLASSPATH Runs the Java class org.jmlspecs.jmldoc.main 40

41 JMLDOC Executable How to use JMLDOC: jmldoc *.java Output: Use the above command to create this files: allclasses-frame.html, allclasses-noframe.html, constant-values.html, deprecated-list.html, etc. JMLDOC also type checks the JML specifications to some extent and combines annotations across refinement files 41

42 Comprehensive Example class Person public class Person { private String name; private int weight; public String tostring() { return "Person(\"" + name + "\"," + weight + ")"; public int getweight() { return weight; public void addkgs(int kgs) { if (kgs >= 0) { weight += kgs; else { throw new IllegalArgumentException(); public Person(String n) { name = n; weight = 0; 42

43 Comprehensive Example class Person public class Person { private /*@ spec_public String name; private /*@ int weight; /*@ public Overriding /*@ ensures \result!= && (* \result is a form of this person public String tostring() { return "Person(\"" + name + "\"," + weight + ")"; //@ ensures \result == weight; public int getweight() { return weight; Each person has a name We would like to ensure returning something And add a comment that describes what we are doing Simply return weight not that simple spec_public /*@ requires kgs >= ensures weight == \old(weight + public void addkgs(int kgs) { kgs must be positive if (kgs >= 0) { What do we promise? weight += kgs; else { throw new IllegalArgumentException(); /*@ requires n!= null ensures && weight == public Person(String n) { name = n; weight = 0; What is required? What is needed? 43

44 Comprehensive Example class Person public class Person { private String lastname; public boolean UpdateLastName(String lastname) { if (lastname==null) { return false; this.lastname = lastname; return true; public String GetLastName() { if (lastname!= null) return lastname; return ""; 44

45 Comprehensive Example class Person public class Person { private /*@ spec_public String lastname; We will use this throughout our public specs. It can be null at the beginning /*@ ensures (lastname == null ==> (this.lastname == \old(this.lastname) && \result == && (lastname!= null ==> (this.lastname == lastname && \result == public boolean UpdateLastName(/*@ String lastname) { if (lastname==null) { return false; If the given argument is null no changes will be made and false will be returned, If not lastname is updated and true is returned //@ assert lastname!= null; this.lastname = lastname; return true; By default, objects can t be null supposed to be fixed it later editions of JML Double check ourselves 45

46 Comprehensive Example class PersonMain public class PersonMain { public static void main(string [] argv) { Person person = new Person("Israel"); System.out.println("Before adding last name:"); System.out.println(person); person.updatelastname("israeli"); System.out.println("After adding last name"); System.out.println(person + " " + person.getlastname()); person.updatelastname(null); System.out.println("After trying to change it to null:"); System.out.println(person + " " + person.getlastname()); 46

47 Comprehensive Example jmlc -Q person.java yield: File "Person.java", line 35, character 12 warning: Entire clause will be dropped since JmlInformalExpression is not executable. Nevertheless, the output file Person.class is created javac PersonMain.java yield PersonMain.class 47

48 Comprehensive Example Running with jmlrac : >jmlrac PersonMain Before adding last name: Person("Israel",0) After adding last name: Person("Israel",0) Israeli After trying to change it to null: Person("Israel",0) Israeli 48

49 Comprehensive Example public boolean String lastname) { if (lastname==null) { // return false; Put under comment //@ assert lastname!= null; this.lastname = lastname; return true; Running it now yields: >jmlrac PersonMain Before adding last name: Person("Israel",0) After adding last name Person("Israel",0) Israeli Exception in thread "main" org.jmlspecs.jmlrac.runtime.jmlasserterror: ASSERT: b y method Person.UpdateLastName at Person.internal$UpdateLastName(Person.java:144) at Person.UpdateLastName(Person.java:1152) at PersonMain.main(PersonMain.java:34) 49

50 Comprehensive Example Running JMLDOC yields: 50

51 51 Comprehensive Example

52 52 Comprehensive Example

53 JML vs. Pathfinder JML Uses comments for design of specs Currently dos not cope with multi-threading Pathfinder Hard to tear out from project All about multithreading 53

54 A Few More Points Contracts can by as weak or as strong as you choose ESC/JAVA2 is an extension that finds violations before actually running the program All tools have versions for Windows, Unix/Linux and Cygwin JMLC can compile file types (other than *.java) used by JML such as *.refines-java and more There is much more to cover Inheritance for example Not the most convenient tool seen here 54

55 Links Home Articles ftp://ftp.cs.iastate.edu/pub/leavens/jml/jmldbc.pdf Slide shows