Advances in Programming Languages

Similar documents
Advances in Programming Languages

Advances in Programming Languages

Advances in Programming Languages

Java Modelling Language (JML) References

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Formale Entwicklung objektorientierter Software

Overview The Java Modeling Language (Part 1) Related Work

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

The Java Modeling Language (Part 1)

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Checking Program Properties with ESC/Java

Static program checking and verification

Formal Specification and Verification

JML. Java Modeling Language

Formal Methods for Java

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Formal Methods for Java

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

The Use of JML in Embedded Real-Time Systems

Program Verification (6EC version only)

The Java Modeling Language JML

Verification Condition Generation

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Java Modeling Language (JML)

Verifying Java Programs Verifying Java Programs with KeY

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

An Annotated Language

Lecture 10 Design by Contract

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

A Small Survey of Java Specification Languages *

An overview of JML tools and applications

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Verifying Java Programs Verifying Java Programs with KeY

CS 161 Computer Security

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Testing, Debugging, and Verification

hwu-logo.png 1 class Rational { 2 int numerator ; int denominator ; 4 public Rational ( int numerator, int denominator ) {

Formal methods What are they? Uses Tools Application to software development

Code Contracts in C#

Hoare triples. Floyd-Hoare Logic, Separation Logic

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Analysis of Software Artifacts

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Verifying Java Programs with KeY

Specification of a transacted memory for smart cards in Java and JML

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

JML and ESC/Java2 Homework Exercises

CITS5501 Software Testing and Quality Assurance Formal methods

Formal Methods in Software Development

CS 132 Exam #1 - Study Suggestions

Deductive Program Verification with Why3, Past and Future

Canica: An IDE for the Java Modeling Language

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Automatic Generation of Program Specifications

Cover Page. The handle holds various files of this Leiden University dissertation

Hardware versus software

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

A Java Reference Model of Transacted Memory for Smart Cards

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

JML s Rich, Inherited Specifications for Behavioral Subtypes

An introduction to formal specifications and JML. Invariant properties

Verification Condition Generation via Theorem Proving

Formal Methods. CITS5501 Software Testing and Quality Assurance

Java Modelling Language (JML) References

Proof Carrying Code(PCC)

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Formal Verification. Lecture 10

ESC/Java2 Use and Features

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Ambientes de Desenvolvimento Avançados

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

CIS 890: Safety Critical Systems

Verifying Java Programs

ESC/Java2 Use and Features

Runtime Checking for Program Verification Systems

Testing, Debugging, Program Verification

Outline. iterator review iterator implementation the Java foreach statement testing

Assertions. Assertions - Example

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Testing Library Specifications by Verifying Conformance Tests

FAKULTÄT FÜR INFORMATIK

Introduction to the Java Modeling Language

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Why. an intermediate language for deductive program verification

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Distributed Systems Programming (F21DS1) Formal Verification

Spark verification features

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Formal Specification and Verification

Design by Contract and JML: concepts and tools

Lecture 11 Lecture 11 Nov 5, 2014

Self-checking software insert specifications about the intent of a system

Agenda. More on the Unified Modeling Language. UML diagram types. Packages

The design of a programming language for provably correct programs: success and failure

Lecture 5 - Axiomatic semantics

The Java Modeling Language (Part 2)

Transcription:

T O Y H Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Thursday 21 January 2010 Semester 2 Week 2 E H U N I V E R S I T http://www.inf.ed.ac.uk/teaching/courses/apl F E D I N B U R G

Topic: Some Formal Verification This is the second of four lectures about techniques and tools for formal verification, specifically: Hoare logic JML: The Java Modeling Language ESC/Java 2: The Extended Static Checker for Java Certifying correctness: approaches and examples

Outline 1 Introduction 2 Samples of JML 3 JML Tools

Outline 1 Introduction 2 Samples of JML 3 JML Tools

Hoare Logic (recap) Hoare assertions {P} C {Q} state that if precondition P holds before running code C then postcondition Q will hold afterwards. Assertions {P} C {Q} can be derived using Hoare rules; they may also be tested against a semantics {P} C {Q}. This allows logical reasoning about program behaviour: notably in formal specification and verification. Hoare assertions are widely used in tools and languages for formal methods. (e.g. Praxis SPARK Examiner) Assertions may be strengthened to contracts for code, placing obligations on both caller and called. (e.g. Eiffel)

Model-based specification Modeling (sic) is an abstraction technique for system design and specification. A model is a representation of the desired system. A formal model is one that has a precise description in a formal language. A model differs from an implementation in that it might: capture only some aspects of the system (e.g., interfaces); be partial, leaving some parts unspecified; not be executable. An implementation of the system can be compared to the model. Sometimes the model is iteratively refined to give the implementation. Sample applications of modeling in computer software development: VDM the Vienna Development Method. B the B language and B method. Extended ML the extension of Standard ML with specifications. OCL the Object Constraint Language extension of UML.

The Java Modeling Language The Java Modeling Language, JML, combines model-based and contract approaches to specification. Some design features: The specification lives close to the code Within the Java source, in annotation comments / @...@ / Uses Java syntax and expressions Rather than a separate specification language. Common language for many tools and analysis Tools add their own extensions, and ignore those of others. Web site: jmlspecs.org

Outline 1 Introduction 2 Samples of JML 3 JML Tools

JML: basics public class Account { public int credit; / @ requires credit > amount && amount > 0; @ ensures credit > 0 && credit == \old(credit) amount; @ / public int withdraw(int amount) {... } } JML conditions combine logical formulae (&&,==) with Java expressions (credit, amount). Expressions must be pure: no side-effects. There are also visibility controls, glossed over in these examples: credit ought not to be public!

JML: exceptions public class Account { public int credit; / @ requires credit > amount && amount > 0; @ ensures credit > 0 && credit == \old(credit) amount; @ signals (RefusedException) credit == \old(credit); @ / public int withdraw throws RefusedException (int amount) {... } } Where ensures speaks about normal termination, signals specifies properties of the state after exceptional termination.

JML: logical formulae public class IntArray { public int[] contents; / @ requires (\forall int i,j; @ 0<i && i<j && j<contents.length; @ contents[i] <= contents[j]); @ @ ensures contents[\result] == value \result == 1; @ / public int search (int value) {... } } The search routine requires that array contents be sorted on entry. This would, for example, be necessary if it used binary chop to locate value.

JML: class invariants public class IntArray { public int[] contents; / @ invariant (\forall int i,j; @ 0<i && i<j && j<contents.length; @ contents[i] <= contents[j]); @ / / @ ensures contents[\result] == value \result == 1 @ / public int search (int value) {... } } Now contents must be sorted whenever it is visible to clients of IntArray.

JML: assumptions and assertions / @ assume j j < contents.length @ / contents[j j] = j;... a[0] = complexcomputation(a,v); / @ assert (\forall int i; 1<i && i<10; a[0] < a[i]) @ / An assumption may help a static analysis tool. An assertion must always be checked. (Remember that assertions are also available in plain Java itself via the assert statement, see http://java.sun.com/j2se/1.5.0/docs/guide/language/assert.html).

JML: models and ghosts public class IntArray { public int[] contents; } / @ model int total; @ represents total = arraysum(contents) @ / / @ ghost int cursor; @ set cursor = contents.length / 2 @ /... A model field represents some property of the model that does not appear explicitly in the implementation. A ghost field is a local variable used only by other parts of the specification.

JML: model methods and classes / @ ensures \result = (\sum int i; 0<i && i<a.length; a[i]) @ @ public model int arraysum(int[] a); @ / / @ public model class JMLSet {... } @ / Specifications may refer to model methods and even entire model classes to represent and manipulate desired system properties. JML provides specifications for the standard Java classes, as well as a library of model classes for mathematical constructions like sets, bags, integers and reals (i.e. of arbitrary size and precision).

Outline 1 Introduction 2 Samples of JML 3 JML Tools

JML tools: running and testing JML annotations can be used to drive various runtime checks. jmlc is a compiler which inserts runtime tests for every assertion; if an assertion fails, an error message provides static and dynamic information about the failure. jmlunit creates test classes for JUnit based on preconditions, postconditions and invariants. These automatically exercise and test assertions made in the code. JML annotations also provide formal documentation: jmldoc generates human-readable web pages from JML specifications, extending the existing javadoc tool.

JML tools: static analysis The ESC/Java 2 framework carries out a range of static checks on Java programs. These include formal verification of JML annotations using a fully-automated theorem prover. Controversially, the checker is neither sound nor complete: it warns about many potential bugs, but not all actual bugs. This is by design: the aim is to find many possible bugs, quickly. The LOOP tool also attempts to verify JML specifications. Some can be done automatically; where this is not possible it provides proof obligations for the interactive PVS theorem prover. The JACK tool generates proof obligations from JML annotations on Java and JavaCard programs; these can then be tackled with a variety of automatic and semi-automatic theorem provers.

More tools KeY is dynamic logic tool with a JML front end. Krakatoa is another verification tool accepting JML. Houdini will suggest JML annotations and test them with ESC/Java. Daikon analyses program runs to suggest likely JML invariants. OpenJML and related new projects are aimed at Java 5 and beyond. Finally: Spec# is to C# as ESC/Java 2 is to Java.

Summary The Java Modeling Language JML combines model-based and contract specification Annotations within code: requires, ensures,... Provides model fields, methods and classes. Common input language for many tools: runtime checks, static analyses, test generators, invariant guessers, etc.

Homework The next lecture will be on ESC/Java 2. Meanwhile you should try using JML. Install some JML tools. Download the Common (formerly ISU) JML Tools from http://www.jmlspecs.org/oldreleases/. Note: these tools require Java 1.4. Develop a simple recipe card application using JML. design a few classes for representing ingredients, amounts and recipes; start specifying gradually: add simple pre-conditions to methods; write tests by composing methods; see where your code needs additional requires, ensures or (sometimes) assume annotations; consider useful object invariants to constrain fields. Post snippets and questions on the blog to discuss.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback