Formale Entwicklung objektorientierter Software

Size: px

Start display at page:

Download "Formale Entwicklung objektorientierter Software"

Myles Melton
5 years ago
Views:

1 Formale Entwicklung objektorientierter Software Praktikum im Wintersemester 2008/2009 Prof. P. H. Schmitt Christian Engel, Benjamin Weiß Institut für Theoretische Informatik Universität Karlsruhe 5. November 2008

2 More on JML Formale Entwicklung objektorientierter Software 5. November / 12

3 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): Formale Entwicklung objektorientierter Software 5. November / 12

4 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition Formale Entwicklung objektorientierter Software 5. November / 12

5 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Formale Entwicklung objektorientierter Software 5. November / 12

6 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Formale Entwicklung objektorientierter Software 5. November / 12

7 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Natural language specs are very important Formale Entwicklung objektorientierter Software 5. November / 12

8 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Natural language specs are very important But this course s focus: formal specifications, i.e., contracts described in a mathematically precise language (JML) Formale Entwicklung objektorientierter Software 5. November / 12

9 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Natural language specs are very important But this course s focus: formal specifications, i.e., contracts described in a mathematically precise language (JML) higher degree of precision Formale Entwicklung objektorientierter Software 5. November / 12

10 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Natural language specs are very important But this course s focus: formal specifications, i.e., contracts described in a mathematically precise language (JML) higher degree of precision automation of program analysis of various kinds (runtime assertion checking, static verification) Formale Entwicklung objektorientierter Software 5. November / 12

11 Design by Contract Idea Specifications fix a contract between caller and callee of a method (between client and implementor of a module): If caller guarantees precondition then callee guarantees certain outcome Interface documentation, blame assignment Natural language specs are very important But this course s focus: formal specifications, i.e., contracts described in a mathematically precise language (JML) higher degree of precision automation of program analysis of various kinds (runtime assertion checking, static verification) Errors in specifications are at least as common as errors in code, but their discovery gives deep insights in (mis)conceptions of the system Formale Entwicklung objektorientierter Software 5. November / 12

12 JML Annotations public requires pin == ensures public void enterpin (int pin) {... Formale Entwicklung objektorientierter Software 5. November / 12

13 JML Annotations public requires pin == ensures public void enterpin (int pin) {... Java comments as first character are JML specifications Formale Entwicklung objektorientierter Software 5. November / 12

14 JML Annotations public requires pin == ensures public void enterpin (int pin) {... Java comments as first character are JML specifications Within a JML annotation, is ignored: if it is the first (non-white) character in the line Formale Entwicklung objektorientierter Software 5. November / 12

15 JML Annotations public requires pin == ensures public void enterpin (int pin) {... Java comments as first character are JML specifications Within a JML annotation, is ignored: if it is the first (non-white) character in the line if it is the last character before */. Formale Entwicklung objektorientierter Software 5. November / 12

16 JML Annotations public requires pin == ensures public void enterpin (int pin) {... Java comments as first character are JML specifications Within a JML annotation, is ignored: if it is the first (non-white) character in the line if it is the last character before */. The s are not required, but it s a convention to use them. Formale Entwicklung objektorientierter Software 5. November / 12

17 JML Annotations public requires pin == ensures public void enterpin (int pin) {... //hello! Java comments as first character are JML specifications Within a JML annotation, is ignored: if it is the first (non-white) character in the line if it is the last character before */. The s are not required, but it s a convention to use them. JML specifications may themselves contain comments Formale Entwicklung objektorientierter Software 5. November / 12

18 Method Contracts requires assignable diverges ensures signals_only signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

19 Method Contracts requires r; //what is the caller s assignable diverges ensures signals_only signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

20 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges ensures signals_only signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

21 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures signals_only signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

22 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

23 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only E1,...,En; //what exc-types may be signals(e e) T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

24 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only E1,...,En; //what exc-types may be signals(e e) s; //what must hold when an E is T m(...); Formale Entwicklung objektorientierter Software 5. November / 12

25 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only E1,...,En; //what exc-types may be signals(e e) s; //what must hold when an E is T m(...); Abbreviations normal behavior = signals(exception) false; Formale Entwicklung objektorientierter Software 5. November / 12

26 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only E1,...,En; //what exc-types may be signals(e e) s; //what must hold when an E is T m(...); Abbreviations normal behavior = signals(exception) false; exceptional behavior = ensures false; Formale Entwicklung objektorientierter Software 5. November / 12

27 Method Contracts requires r; //what is the caller s assignable a; //which locations may be assigned by diverges d; //when may m ensures e; //what must hold on normal signals_only E1,...,En; //what exc-types may be signals(e e) s; //what must hold when an E is T m(...); Abbreviations normal behavior = signals(exception) false; exceptional behavior = ensures false; keyword also separates the contracts of a method Formale Entwicklung objektorientierter Software 5. November / 12

28 Class Invariants invariant i; Formale Entwicklung objektorientierter Software 5. November / 12

29 Class Invariants invariant i; can be placed anywhere in a class (or interface) Formale Entwicklung objektorientierter Software 5. November / 12

30 Class Invariants invariant i; can be placed anywhere in a class (or interface) express global consistency properties (not specific to a particular method) Formale Entwicklung objektorientierter Software 5. November / 12

31 Class Invariants invariant i; can be placed anywhere in a class (or interface) express global consistency properties (not specific to a particular method) must hold always (cf. visible state semantics, observed state semantics) Formale Entwicklung objektorientierter Software 5. November / 12

32 Class Invariants invariant i; can be placed anywhere in a class (or interface) express global consistency properties (not specific to a particular method) must hold always (cf. visible state semantics, observed state semantics) instance invariants can, static invariants cannot refer to this Formale Entwicklung objektorientierter Software 5. November / 12

33 Class Invariants invariant i; can be placed anywhere in a class (or interface) express global consistency properties (not specific to a particular method) must hold always (cf. visible state semantics, observed state semantics) instance invariants can, static invariants cannot refer to this default: instance within classes, static within interfaces Formale Entwicklung objektorientierter Software 5. November / 12

34 Expressions All Java expressions without side-effects Formale Entwicklung objektorientierter Software 5. November / 12

35 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence Formale Entwicklung objektorientierter Software 5. November / 12

36 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists Formale Entwicklung objektorientierter Software 5. November / 12

37 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max Formale Entwicklung objektorientierter Software 5. November / 12

38 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions Formale Entwicklung objektorientierter Software 5. November / 12

39 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions Formale Entwicklung objektorientierter Software 5. November / 12

40 Expressions All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions Example (\forall int i; 0<=i && i<\result.length; \result[i]>0) Formale Entwicklung objektorientierter Software 5. November / 12

41 Expressions Example All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions (\forall int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\forall int i; 0<=i && i<\result.length ==> \result[i]>0) Formale Entwicklung objektorientierter Software 5. November / 12

42 Expressions Example All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions (\forall int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\forall int i; 0<=i && i<\result.length ==> \result[i]>0) (\exists int i; 0<=i && i<\result.length; \result[i]>0) Formale Entwicklung objektorientierter Software 5. November / 12

43 Expressions Example All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions (\forall int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\forall int i; 0<=i && i<\result.length ==> \result[i]>0) (\exists int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\exists int i; 0<=i && i<\result.length && \result[i]>0) Formale Entwicklung objektorientierter Software 5. November / 12

44 Expressions Example All Java expressions without side-effects ==>, <==>: implication, equivalence \forall, \exists \num of, \sum, \product, \min, \max \old(...): referring to pre-state in postconditions \result: referring to return value in postconditions (\forall int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\forall int i; 0<=i && i<\result.length ==> \result[i]>0) (\exists int i; 0<=i && i<\result.length; \result[i]>0) equivalent to (\exists int i; 0<=i && i<\result.length && \result[i]>0) Formale Entwicklung objektorientierter Software 5. November / 12

45 assignable expressions Comma-separated list of: e.f (where f a field) Formale Entwicklung objektorientierter Software 5. November / 12

46 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) Formale Entwicklung objektorientierter Software 5. November / 12

47 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Formale Entwicklung objektorientierter Software 5. November / 12

48 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { } Formale Entwicklung objektorientierter Software 5. November / 12

49 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; tmp.i = 27; x = y; x.i = 27; } Formale Entwicklung objektorientierter Software 5. November / 12

50 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; //allowed (local variable) tmp.i = 27; x = y; x.i = 27; } Formale Entwicklung objektorientierter Software 5. November / 12

51 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; //allowed (local variable) tmp.i = 27; //allowed (in assignable clause) x = y; x.i = 27; } Formale Entwicklung objektorientierter Software 5. November / 12

52 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; //allowed (local variable) tmp.i = 27; //allowed (in assignable clause) x = y; //allowed (in assignable clause) x.i = 27; } Formale Entwicklung objektorientierter Software 5. November / 12

53 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; //allowed (local variable) tmp.i = 27; //allowed (in assignable clause) x = y; //allowed (in assignable clause) x.i = 27; //forbidden (not local, not in assignable) } Formale Entwicklung objektorientierter Software 5. November / 12

54 assignable expressions Comma-separated list of: e.f (where f a field) a[*], a[x..y] (where a an array expression) \nothing, \everything (default) Example C x, y; //@ assignable x, x.i; void m() { C tmp = x; //allowed (local variable) tmp.i = 27; //allowed (in assignable clause) x = y; //allowed (in assignable clause) x.i = 27; //forbidden (not local, not in assignable) } assignable clauses are always evaluated in the pre-state! Formale Entwicklung objektorientierter Software 5. November / 12

55 Other JML Features Java visibility modifiers, spec public modifier Formale Entwicklung objektorientierter Software 5. November / 12

56 Other JML Features Java visibility modifiers, spec public modifier pure modifier ( diverges false; + assignable \nothing; ) Formale Entwicklung objektorientierter Software 5. November / 12

57 Other JML Features Java visibility modifiers, spec public modifier pure modifier ( diverges false; + assignable \nothing; ) model methods, model fields Formale Entwicklung objektorientierter Software 5. November / 12

58 Other JML Features Java visibility modifiers, spec public modifier pure modifier ( diverges false; + assignable \nothing; ) model methods, model fields assertions //@ assert e; Formale Entwicklung objektorientierter Software 5. November / 12

59 Other JML Features Java visibility modifiers, spec public modifier pure modifier ( diverges false; + assignable \nothing; ) model methods, model fields assertions //@ assert e; specification inheritance Formale Entwicklung objektorientierter Software 5. November / 12

60 Other JML Features Java visibility modifiers, spec public modifier pure modifier ( diverges false; + assignable \nothing; ) model methods, model fields assertions //@ assert e; specification inheritance many more... Formale Entwicklung objektorientierter Software 5. November / 12

61 Nullity JML has modifiers non null and nullable Formale Entwicklung objektorientierter Software 5. November / 12

62 Nullity JML has modifiers non null and nullable private Object x; Formale Entwicklung objektorientierter Software 5. November / 12

63 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; Formale Entwicklung objektorientierter Software 5. November / 12

64 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; void Object p); Formale Entwicklung objektorientierter Software 5. November / 12

65 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; void Object p); implicit precondition added to all contracts: requires p!= null; Formale Entwicklung objektorientierter Software 5. November / 12

66 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; void Object p); implicit precondition added to all contracts: requires p!= null; Object m(); Formale Entwicklung objektorientierter Software 5. November / 12

67 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; void Object p); implicit precondition added to all contracts: requires p!= null; Object m(); implicit postcondition added to all contracts: ensures \result!= null; Formale Entwicklung objektorientierter Software 5. November / 12

68 Nullity JML has modifiers non null and nullable private Object x; implicit invariant added to class: invariant x!= null; void Object p); implicit precondition added to all contracts: requires p!= null; Object m(); implicit postcondition added to all contracts: ensures \result!= null; non null is the default! If something may be null, you have to declare it nullable explicitly. Formale Entwicklung objektorientierter Software 5. November / 12

69 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker Formale Entwicklung objektorientierter Software 5. November / 12

70 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) Formale Entwicklung objektorientierter Software 5. November / 12

71 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks Formale Entwicklung objektorientierter Software 5. November / 12

72 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) Formale Entwicklung objektorientierter Software 5. November / 12

73 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) ESC/Java2: leightweight static verification Formale Entwicklung objektorientierter Software 5. November / 12

74 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) ESC/Java2: leightweight static verification KeY: full static verification Formale Entwicklung objektorientierter Software 5. November / 12

75 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) ESC/Java2: leightweight static verification KeY: full static verification green: tools that you may find helpful for this course Formale Entwicklung objektorientierter Software 5. November / 12

76 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) ESC/Java2: leightweight static verification KeY: full static verification green: tools that you may find helpful for this course blue: tools explicitly used in this course Formale Entwicklung objektorientierter Software 5. November / 12

77 JML Tools Many tools support JML (see JML homepage). Among them: jml: JML syntax checker jmldoc: code documentation (like Javadoc) jmlc: compiles Java+JML into bytecode with assertion checks jmlunit: unit testing (like JUnit) ESC/Java2: leightweight static verification KeY: full static verification green: tools that you may find helpful for this course blue: tools explicitly used in this course The tools do not yet support the new features of Java 5! e.g.: no generics, no enums, no enhanced for-loops, no autoboxing Formale Entwicklung objektorientierter Software 5. November / 12

78 THE Formale Entwicklung objektorientierter Software 5. November / 12

79 THE END Formale Entwicklung objektorientierter Software 5. November / 12

Formal Specification and Verification

Formal Specification and Verification Formal Specification, Part III Bernhard Beckert Adaptation of slides by Wolfgang Ahrendt Chalmers University, Gothenburg, Sweden Formal Specification and Verification: