Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Similar documents
Advanced JML Erik Poll Radboud University Nijmegen

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

ESC/Java2 Use and Features

Specification tips and pitfalls

ESC/Java2 Use and Features

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Advances in Programming Languages

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

The Java Modeling Language JML

Program Verification (6EC version only)

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Rigorous Software Development CSCI-GA

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Formal Specification and Verification

Formale Entwicklung objektorientierter Software

objects

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Java Modelling Language (JML) References

The Use of JML in Embedded Real-Time Systems

Formal Methods for Software Development

Formal Methods for Java

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

The Java Modeling Language (Part 2)

Formal Methods for Java

Formal Specification and Verification

JML. Java Modeling Language

Non-null References by Default in the Java Modeling Language

Verifying JML specifications with model fields

Java Modelling Language (JML) References

Introduction to the Java Modeling Language

5.5 Behavioral Subtyping

Object Ownership in Program Verification

Testing Library Specifications by Verifying Conformance Tests

Checking Program Properties with ESC/Java

Advances in Programming Languages

Formal Methods for Java

Design by Contract and JML: concepts and tools

Advances in Programming Languages

6.005 Elements of Software Construction Fall 2008

JML and ESC/Java2 Homework Exercises

Specification of a transacted memory for smart cards in Java and JML

C++ Inheritance and Encapsulation

Advances in Programming Languages

Verification Condition Generation

CSE 341, Autumn 2015, Ruby Introduction Summary

Lecture 4: Procedure Specifications

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Discussion of Design Alternatives for JML Java 5 Annotations

Subclassing for ADTs Implementation

Overview The Java Modeling Language (Part 1) Related Work

OO Design Principles

III lecture: Contracts and Abstract Data Types. An obligation from last lecture... An obligation from last lecture... (2) January/February 2013

Midlet Navigation Graphs in JML

Analysis of Software Artifacts

17 Multiple Inheritance and ADT Extensions

Object-Oriented Languages and Object-Oriented Design. Ghezzi&Jazayeri: OO Languages 1

Static program checking and verification

Chapter 4 Defining Classes I

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Chapter 9. Exception Handling. Copyright 2016 Pearson Inc. All rights reserved.

The Java Modeling Language a Basis for Static and Dynamic Verification

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Information Hiding and Visibility in Interface Specifications

CSC Advanced Object Oriented Programming, Spring Specification

Comp 249 Programming Methodology Chapter 9 Exception Handling

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

5. Specification and Checking

Formal methods What are they? Uses Tools Application to software development

The Java Modeling Language (Part 1)

Goal of lecture. Object-oriented Programming. Context of discussion. Message of lecture

16 Multiple Inheritance and Extending ADTs

CS 251 Intermediate Programming Methods and Classes

CS 251 Intermediate Programming Methods and More

Lecture Notes on Contracts

Safely Creating Correct Subclasses without Seeing Superclass Code

Testing, Debugging, and Verification

Jive/JML Generating Proof Obligations From JML Specifications

Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2

Formal Methods for Java

Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2

Safely Creating Correct Subclasses without Seeing Superclass Code

From JML to BCSL (Draft Version)

Data abstractions: ADTs Invariants, Abstraction function. Lecture 4: OOP, autumn 2003

Concepts of Programming Languages

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

Implementing a List in Java. CSE 143 Java. Just an Illusion? List Interface (review) Using an Array to Implement a List.

JML s Rich, Inherited Specifications for Behavioral Subtypes

CSE331 Autumn 2011 Midterm Examination October 28, 2011

CMSC 132: Object-Oriented Programming II

NEER ENGI AUTOMATED TRANSLATION OF VDM-SL TO JML-ANNOTATED JAVA. Electrical and Computer Engineering Technical Report ECE-TR-29

Rules and syntax for inheritance. The boring stuff

Formal Specification with the Java Modeling Language

The Sun s Java Certification and its Possible Role in the Joint Teaching Material

Modular Verification of Higher-Order Methods with Mandatory Calls Specified by Model Programs

CS 161 Computer Security

Transcription:

Advanced JML and more tips and pitfalls David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/??

Core JML Remember the core JML keywords were requires ensures signals assignable normal behavior invariant non null pure \old, \forall, \exists, \result David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.2/??

Visibility More advanced JML features Specifying (im)possibility of exceptions Assignable clauses and datagroups Aliasing Specification inheritance, ensuring behavioural subtyping Specification-only fields: ghost and mode fields The semantics of invariant David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.3/??

Visibility David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.4/??

Visibility JML imposes visibility rules similar to Java, eg. public class Bag{... private int n; //@ requires n > 0; public int extractmin(){... } is not type-correct, because public method extractmin refers to private field n. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.5/??

Visibility public int pub; private int priv; //@ requires i <= pub; public void pub1 (int i) {... } //@ requires i <= pub && i <= priv; private void priv1 (int i)... //@ requires i <= pub && i <= priv; // WRONG!! public void pub2(int i) {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.6/??

Visibility: spec_public Keyword spec public loosens visibility for specs. Private spec public fields are allowed in public specs, e.g.: public class Bag{... private /*@ spec public @*/ int n; //@ requires n > 0; public int extractmin(){... } Exposing private details can be ugly, of course. A nicer, but more advanced alternative is to use public model fields to represent (abstract away from) private implementation details. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.7/??

Exceptions and JML David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.8/??

Exceptional specifications A method specification can (dis)allow the throwing of exceptions, and specify a exceptional postcondition that should hold in the event an exception is thrown. There are some implicit rules for (dis)allowing exceptions. Warning: exceptional specifications are easy to get wrong. Not allowing any exceptions to be thrown is the simplest approach. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.9/??

Exceptions allowed by specs By default, a method is allowed to throw exceptions, but only those listed in its throws clause. So //@ requires 0 <= amount && amount <= balance; public int debit(int amount) {... } throws BankException has an implicit clause signals (BankException) true; and an implicit clause signals (Exception e) e instanceof BankException; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.10/??

Exceptions allowed by specs By default, a method is allowed to throw exceptions, but only those listed in its throws clause. So //@ requires 0 <= amount && amount <= balance; public int debit(int amount) {... } has an implicit clause signals (Exception) false; NB debit is now not even allowed to throw an unchecked exception, even though Java does not require a throws clause for these. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.11/??

Ruling out exceptions To forbid a particular exception SomeException 1. omit it from throws clause (only possible for unchecked exceptions) 2. add an explicit signals (SomeException) false; 3. limit the set of allowed exceptions, use a postcondition such as signals (Exception e) e instanceof E1... e instanceof En; or, equivalently, us the shorthand for this signals_only E1,... En; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.12/??

Ruling out exceptions To forbid all exceptions 1. omit all exceptions from throws clause (only possible for unchecked exceptions) 2. add an explicit signals (Exception) false; 3. use keyword normal_behavior to rule out all exceptions /*@ normal behavior @*/ requires... ensures... normal behavior has implicit signals(exception)fals David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.13/??

Beware of the difference between and may vs must throw an exception (1) if P holds, then SomeException is thrown (2) if SomeException is thrown, then P holds These are easy to confuse! (2) can be expressed with signals, (1) can be expressed with exceptional behavior David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.14/??

/*@ exceptional_behavior @*/ requires amount > balance signals (BankException e) exceptional_behavior e.getreason.equals("amount too big") public int debit(int amount) throws BankException {... } says a BankException must be thrown if amount > balance normal behavior has implicit signals(exception)false exceptional behavior has implicit ensures false David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.15/??

/*@ normal_behavior also @*/ requires amount <= balance; ensures... exceptional_behavior requires amount > balance signals (BankException e)... Example public int debit(int amount) throws BankException {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.16/??

Example or, equivalently /*@ requires true; @*/ ensures \old(amount<=balance) &&... signals (BankException e) \old(amount>balance) &&... public int debit(int amount) throws BankException {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.17/??

Exceptional behaviour Moral: to keep things simple, disallow exceptions in specs whenever possible Eg, for public void arraycopy(int[] src, int destoffset, int[] dest, int destoffset, int leng throws NullPointerException, ArrayIndexOutOfBoundsException write a spec that disallows any throwing of exceptions, and only worry about specifying exceptional behaviour if this is really needed elsewhere. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.18/??

Assignable clauses and datagroups David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.19/??

Assignable clauses Problems with assignable clauses tend to expose implementation details private /*@ spec_public @*/ int x;... //@ assignable x,...; public void m(...) {...} tend to become very long //@ assignable x, y, z[*],...; tend to accumulate //@ assignable x, f.x, g.y, h.z[*],...; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.20/??

Problems with assignable clauses public class Timer{ /*@ spec_public @*/ int time_hrs, time_mins, time_secs; /*@ spec_public @*/ int alarm_hrs, alarm_mins, alarm_secs //@ assignable time_hrs, time_mins, public void tick() {... } time_secs; } //@ assignable alarm_hrs, alarm_mins, alarm_secs ; public void setalarm(int hrs, int mins, int secs) {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.21/??

Solution: datagroups public class Timer{ //@ public model JMLDatagroup time, alarm; int time_hrs, time_mins, time_secs; //@ in time; int alarm_hrs, alarm_mins, alarm_secs; //@ in alarm; //@ assignable time; public void tick() {... } } //@ assignable alarm; public void setalarm(int hrs, int mins, int secs) {... } time and alarm are model fields, ie. specification-only fields David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.22/??

Datagroups provide an abstraction mechanism for assignable clauses. Datagroups There s a default datagroup objectstate defined in Object.java It s good practice to declare that all instance fields are in objectstate David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.23/??

Datagroups can be nested public class Timer{ //@ public model JMLDatagroup time, alarm;//@ in objectsta int time_hrs, time_mins, time_secs; //@ in time; int alarm_hrs, alarm_mins, alarm_secs; //@ in alarm; //@ assignable time; public void tick() {... } //@ assignable alarm; public void setalarm(int hrs, int mins, int secs) {... } } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.24/??

Assignable and arrays Another implementation, using an array of 6 digits to represent hrs:mns:secs public class ArrayTimer{ /*@ spec_public @*/ char[] currenttime; //@ invariant currenttime!= null; //@ invariant currenttime.length == 6; //@ assignable currenttime[*]; public void tick() {... } }... David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.25/??

Datagroups and arrays Another implementation, using an array of 6 digits to represent hrs:mns:secs public class ArrayTimer{ //@ public model JMLDatagroup time; char[] currenttime; //@ in time; //@ maps currenttime[*] \into time; //@ invariant currenttime!= null; //@ invariant currenttime.length == 6; //@ assignable time; public void tick() {... } }... David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.26/??

Datagroups and interfaces Datagroups are convenient in specs for interfaces. public interface TimerInterface{ //@ model instance public JMLDatagroup time, alarm; } //@ assignable time; public void tick(); //@ assignable alarm; public void setalarm(int hrs, int mins, int secs); Classes implementing this interface are free to choose which fields are in the datagroups. Keyword instance is needed, because fields in interfaces are by default static fields in Java. Interfaces in Java do not have instance fields, but in JML they can have model instance fields David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.27/??

The problem with assignable clauses Despite the abstraction possibilities offered by datagroups, assignable clauses remain a bottlecneck both in program specification and in program verification. Note that the proof obligation corresponding to an assignable clause is a very complicated one, involving a quantification over all fields not mentioned in the assignable clause David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.28/??

Aliasing (revisited) David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.29/??

Aliasing Aliasing is the root of all evil, for anyone trying to verify imperative programs. The ArrayTimer class just earlier is another nice example to illustrate this. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.30/??

ArrayTimer example Recall implementation using an array of 6 digits to represent hrs:mns:secs public class ArrayTimer{ char[] currenttime; char[] alarmtime; //@ invariant currenttime!= null; //@ invariant currenttime.length == 6; //@ invariant alarmtime!= null; //@ invariant alarmtime.length == 6; public void tick() {... } } public void setalarm(...) {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.31/??

ArrayTimer example Things will go wrong if different instances of ArrayTimer share the same alarmtime array, ie. o.alarmtime == o.alarmtime for some o!=o ESC/Java2 may notice this, produce a correct, but puzzling, warning. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.32/??

ArrayTimer example To rule out such aliasing of eg. alarmtime fields: public class ArrayTimer{ char[] currenttime; //@ invariant currenttime.owner == this;... public ArrayTimer(...){...; currenttime = new char[6]; //@ set currenttime.owner == this;... } (owner is a so-called ghost field, more about that later) David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.33/??

ArrayTimer example Things will go wrong if an instance of ArrayTimer aliases its alarmtime to its currenttime, ie. o.alarmtime == o.currenttime ESC/Java2 may notice this, produce a correct, but puzzling warning. You should add //@ invariant alarmtime!= currenttime; to rule out such aliasing. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.34/??

Specification-only fields: ghost and model fields David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.35/??

Ghost fields Sometimes it is convenient to introduce an extra field, only for the purpose of specification (aka auxiliary variable). A ghost field is like a normal field, except that it can only be used in specifications. A special set command can be used to assign a value to a ghost field. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.36/??

Ghost fields - example Suppose the informal spec of class SimpleProtocol { public void start() {... } public void stop() {... } } says that stop() may only be invoked after start(), and vice versa. This can be expressed using a ghost field, to represent the state of the protocol. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.37/??

class SimpleProtocol { //@ public ghost boolean started; Ghost fields - example //@ requires!started; //@ assignable started; //@ ensures started; public void start() {... //@ set started = true; } //@ requires started; //@ assignable started; //@ ensures!started; public void stop() {... //@ set started = false; } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.38/??

Ghost fields - example Maybe the object has some internal state that that records if protocols is in progress, eg. class SimpleProtocol { //@ private ProtocolStack st;... public void start() {... st = new ProtocolStack(...);... } public void stop() {... st = null;... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.39/??

Ghost fields - example There may be a relation between the ghost field and some other field(s), eg. class SimpleProtocol { private ProtocolStack st; //@ public ghost boolean started; //@ invariant started <==> (st!=null); //@ requires!started; //@ assignable started; //@ ensures started; public void start() {... } //@ requires started; //@ assignable started; //@ ensures!started; public void stop() {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.40/??

Ghost fields - example We could now get rid of the ghost field, and write class SimpleProtocol { private /*@ spec public @*/ ProtocolStack st; //@ requires //@ assignable st; st==null; //@ ensures st!=null; public void start() {... } //@ requires //@ assignable st; //@ ensures st!=null; st==null; public void stop() {... } but this is ugly and exposes implementation details. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.41/??

Solution: use a model field class SimpleProtocol { private ProtocolStack st; Model fields - example //@ public model boolean started; //@ private represents started = (st!= null); //@ requires!started; //@ assigable started; //@ ensures started; public void start() {... } //@ requires started; //@ assigable started; //@ ensures!started; public void stop() {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.42/??

Model fields - example A model field also provided an associated datagroup class SimpleProtocol { private ProtocolStack st; //@ in started; //@ public model boolean started; //@ private represents started = (st!= null); //@ requires!started; //@ assigable started; //@ ensures started; public void start() {... } //@ requires started; //@ assigable started; //@ ensures!started; public void stop() {... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.43/??

Model vs ghost fields Difference between ghost and model may be confusing! Both exist only in JML specification, and not in the code. Ghost Ghost field is like a normal field. You can assign to it, using set, in JML annotations. Model Model field is an abstract field. Model field is a convenient abbreviation. You cannot assign to it. Model field changes its value whenever the representation changes. Model field is like abstract value for ADT (algebraic data type), represent clause is like representation function. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.44/??

Invariants David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.45/??

Invariants Invariants aka class invariants are a common & very useful notion. In larger programs, the (only) interesting thing to specify are the invariants. However, the semantics is trickier than expected! Invariant is implicitly included in pre- and postconditions of method, and in postcondition of constructors. But there s more... In fact, invariants are a hot research topic. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.46/??

When should an invariant hold? public class A { B b; int i=2; //@ invariant i >= 0 //@ ensures \result >=0; public /*@ pure @*/ int get(){ return i; } public void m(){ i--;... ; // invariant possibly broken i++; } An invariant can temporarily be broken. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.47/??

When should an invariant hold? public class A { B b; int i=2; //@ invariant i >= 0 //@ ensures \result >=0; public /*@ pure @*/ int get(){ return i; } public void m(){ i--; b.m(...); // invariant possibly broken i++; } This may lead to problems if invocation of b.m involves an invoking on the current object. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.48/??

When should an invariant hold? Eg, suppose public class B {... public void m(a a){... int j = a.get(); //@ assert i>=0;... } The spec of get() suggests the assertion will be true. But if get() is invoked when a s invariant is broken, all bets are off. This is known as the call-back problem. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.49/??

Solution to the call-back problem: When should an invariant hold? A method invariant should hold in all so-called visible states, which are all beginning and end states of method invocations So there s more to invariants than just adding them to preand postconditons. NB all invariants of all objects should hold in visible states; this clearly imposes impossible proof obligations. ESC/Java2 looks only at the invariants of some objects; this is a source of unsoundness. Modular verification techniques for invariants are a challenge, and still a hot topic of research. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.50/??

When should an invariant hold? Sometimes you do want to invoke a method at a program point where the invariant is broken. To do this without ESC/Java2 complaining: David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.51/??

When should an invariant hold? Sometimes you do want to invoke a method at a program point where the invariant is broken. To do this without ESC/Java2 complaining: A private method can be declared as helper method private /*@ helper @*/ void m() {... } Invariants do not have to hold when such a helper method is called. Effectively, such methods are in-lined in verifications David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.52/??

When should an invariant hold? Sometimes you do want to invoke a method at a program point where the invariant is broken. To do this without ESC/Java2 complaining: A private method can be declared as helper method private /*@ helper @*/ void m() {... } Invariants do not have to hold when such a helper method is called. Effectively, such methods are in-lined in verifications add //@ nowarn Invariant in the line where this method call occurs. NB this is unsafe, and a possible source of unsoundness! David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.53/??

public class SortedLinkedList { private int i; private LinkedList next; //@ invariant i > next.i; More problems with invariants public /*@ pure @*/ int getvalue(){ return i; } public /*@ pure @*/ int getnext(){ return next; } public /*@ pure @*/ int getvalue(){ return i; } public void inc() { i++; } } inc won t break this object s invariant, but may break the invariant of the object who has this object as it s next. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.54/??

More problems with invariants The essence of the problem is that the invariant of one object o may depend on the state of another object o. When verifying the methods of o, we have no way of knowing if these may break invariants given in other classes... This is one of the sources of unsoundness of ESC/Java(2), and most approaches to modular verification of OO programs to date. Only recently workable approaches for modular verification of invariants have been proposed, and the last word has not been said on this. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.55/??

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback