Formal Methods for Java

Similar documents
Formal Methods for Java

Formal Methods for Java

Formal Methods for Java

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Static program checking and verification

Formal Methods for Java

Java Modelling Language (JML) References

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Formal Methods for Java

Advances in Programming Languages

Design by Contract and JML: concepts and tools

Formal Methods for Java

JML. Java Modeling Language

Formale Entwicklung objektorientierter Software

The Use of JML in Embedded Real-Time Systems

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Formal Specification and Verification

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Advances in Programming Languages

Java Modeling Language (JML)

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

Overview The Java Modeling Language (Part 1) Related Work

Program Verification (6EC version only)

Advances in Programming Languages

Introduction to the Java Modeling Language

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Non-null References by Default in the Java Modeling Language

Checking Program Properties with ESC/Java

Rigorous Software Development CSCI-GA

Formal Methods for Java

The Java Modeling Language (Part 1)

The Java Modeling Language JML

Automatic Generation of Program Specifications

MTV: METHODS & TOOLS 4 VERIFICATION MASTER COMPUTER SCIENCE MARIEKE HUISMAN: STUDY ADVISOR MY NAME: JACO VAN DE POL

Verifying Java Programs Verifying Java Programs with KeY

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Verification Condition Generation

JML s Rich, Inherited Specifications for Behavioral Subtypes

Canica: An IDE for the Java Modeling Language

Verifying Java Programs with KeY

Verifying Java Programs Verifying Java Programs with KeY

Fundamentals of Software Engineering

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

Property Specifications

Testing Library Specifications by Verifying Conformance Tests

Advances in Programming Languages

Proof Carrying Code(PCC)

An overview of JML tools and applications

Specification of a transacted memory for smart cards in Java and JML

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

JML and ESC/Java2 Homework Exercises

Lecture 10 Design by Contract

Java Modelling Language (JML) References

Verifying JML specifications with model fields

Lectures 20, 21: Axiomatic Semantics

Formal Systems II: Applications

Preliminary Design of JML:

A Small Survey of Java Specification Languages *

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Program Verification. Aarti Gupta

Testing, Debugging, and Verification

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Verifying Java Programs

Dafny: An Automatic Program Verifier for Functional Correctness Paper by K. Rustan M. Leino (Microsoft Research)

Preliminary Design of JML:

Formal Methods for Java

Formal Methods in Software Development

Reasoning About Imperative Programs. COS 441 Slides 10

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

From OCL to Propositional and First-order Logic: Part I

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Formal Specification and Verification

Integrating verification in programming languages

Specification and Verification of Garbage Collector by Java Modeling Language

III lecture: Contracts and Abstract Data Types. An obligation from last lecture... An obligation from last lecture... (2) January/February 2013

Compiler Verification meets Cross-Language Linking via Data Abstraction

ESC/Java2 Use and Features

The Pointer Assertion Logic Engine

1 Introduction. 3 Syntax

ESC/Java2 Use and Features

Hoare triples. Floyd-Hoare Logic, Separation Logic

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

TRIAL EXAM C Software Engineering using Formal Methods TDA293 / DIT270

Extended Static Checking for Java

Testing, Debugging, Program Verification

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

9.5 Equivalence Relations

CITS5501 Software Testing and Quality Assurance Formal methods

Chapter 1. Introduction

Adding native specifications to JML

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Karsten Sohr Center for Computing Technologies Universität Bremen, Germany

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Safety Critical Java. Language Standards and Analysis Techniques for Java in Safety Critical applications. aicas GmbH

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Towards a GUI for Program Verification with KeY. Master of Science Thesis in the Programme Software Engineering and Technology

Transcription:

Formal Methods for Java Lecture 30: Conclusion Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg Feb 17, 2012 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 1 / 21

Topics Lecture Topics 1 Introduction to JML and JLS 2 3 Operational Semantics 4 5 JML 6 7 ESC/Java 8 10 Ownership/Friendship and Invariants 11 12 Sequent Calculus and Dynamic Logic 13 18 Proving with KeY 19 22 Jahob 23 29 Java Pathfinder Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 2 / 21

Motivations Quality Leads to better understood code. Different view point reveals bugs. Formal proof can rule out bugs entirely. Productivity Error detection in early stages of development. Modular specifications allow reuse of components. Documentation, maintenance. Automatic test case generation. Clearer specification leads to better software. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 3 / 21

Operational Semantics for Java Idea: define transition system for Java Definition (Transition System) A transition system (TS) is a structure TS = (Q, Act, ), where Q is a set of states, Act a set of actions, Q Act Q the transition relation. Q reflects the current dynamic state (heap and local variables). Act is the executed code. Idea from: D. v. Oheimb, T. Nipkow, Machine-checking the Java specification: Proving type-safety, 1999 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 4 / 21

State of a Java Program The state of a Java program consists of a flow component and valuations for local and global (heap) variables. Q = Flow Heap Local Flow ::= Norm Ret Exc Address Heap = Address Class seq Value Local = Identifier Value Value = Z, Address Z A state is denoted as q = (flow, heap, lcl), where flow : Flow, heap : Heap and lcl : Local. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 5 / 21

Rules of Operational Semantics... and many more. (Norm, heap, lcl) e 1 v 1 q q e 2 v 2 q (Norm, heap, lcl) e 1*e 2 (v 1 v 2 ) mod 2 32 q (Norm, heap, lcl) st 1 q q st 2 q (Norm, heap, lcl) st 1;st 2 q (Norm, heap, lcl) e v q q bl 1 q (Norm, heap, lcl) if(e) bl 1elsebl 2 q, where v 0 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 6 / 21

Rules for Exceptions (Norm, heap, lcl) e v (Norm, heap, lcl ) (Norm, heap, lcl) throw e (Exc(v), heap, lcl ) A null-pointer dereference works like a throw statement: q (Norm, heap, lcl) e 0 q throw new NullPointerException() q (Norm, heap, lcl) e.fld v q, where v is some arbitrary value Propagating exceptions: (flow, heap, lcl) α (flow, heap, lcl), where flow Norm Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 7 / 21

JML Web pages Unit tests jmldoc jmlunit JML Annotated Java public class ArrayOps { private /*@ spec_public @*/ Object[] a; //@ public invariant 0 < a.length; /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(object[] arr) { this.a = arr; } } Warnings ESC/Java2 Daikon Data trace file XVP Class file jmlc Bogor Model checking JACK, Jive, Krakatoa, KeY, LOOP Correctness proof Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 8 / 21

The Java Modelling Language (JML) JML is a behavioral interface specification language (BISL) for Java Proposed by G. Leavens, A. Baker, C. Ruby: JML: A Notation for Detailed Design, 1999 It combines ideas from two approaches: Eiffel with it s built-in language for Design by Contract (DBC) Larch/C++ a BISL for C++ Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 9 / 21

Tools for JML http://www.jmlspecs.org/ Release can be downloaded from http://sourceforge.net/projects/jmlspecs/files JML compiler (jmlc) JML runtime assertion checker (jmlrac) External Tools: ESC/Java KeY and many more... Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 10 / 21

Run-time Checking with jmlrac Advantages of run-time checking: Easy to use. Supports a large sub-language of JML. No false warnings. Disadvantages of run-time checking: Coverage only as good as test cases that are used. Does not prove absence of errors. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 11 / 21

Static Checking with ESC/Java Advantages of static checking: Easy to use. No test cases needed. Better coverage than runtime checking. Can detect missing specification. Disadvantages of static checking: Only a small subset of JML supported. Many spurious warnings (not complete). Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 12 / 21

Theorem Proving with KeY Advantages of static checking: Prove of correctness. Both sound and complete (modulo Peano Axioms). Disadvantages of static checking: Very difficult to use. Can require interactive proving. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 13 / 21

Model-checking with Java Pathfinder Advantages of model-checking: Almost as easy as testing. More exhaustive than simple testing. Disadvantages of model-checking: State explosion problem. Runtime vs. coverage. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 14 / 21

Suggested order 1 Run-time checking, e.g. jmlrac and jmlunit. 2 Static checking, e.g. ESC/Java. 3 Model-checking, e.g. Java Pathfinder 4 Theorem proving, e.g. KeY. Ensures that most bugs are already found before starting with theorem proving. Some prefer doing static checking before run-time checking (no test cases needed). Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 15 / 21

JML Keywords Recall the meaning of the following Keywords: requires ensures assignable signals/signals_only behavior/also normal_behavior/exceptional_behavior pure invariant loop_invariant/decreases nullable/non_null spec_public model/ghost represents/in assert/assume Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 16 / 21

The Invariant Problem public class SomeClass { /*@ invariant inv; @*/ /*@ requires P; @ ensures Q; @*/ public void dosomething() { } } assume(p); assume(inv);...code of dosomething... assert(q); assert(inv); public class OtherClass { public void caller(someobject o) {...some other code... } } assert(p); o.dosomething(); assume(q); Only sound if invariant cannot be invalidated. E.g., with the pack/unpack mechanism. Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 17 / 21

Sequent Calculus and Dynamic Logic φ 1, φ 2 = ψ 1, ψ 2 What are the rules of sequent calculus? Are they sound/complete? Hoare-Triples vs. φ = α ψ and φ = [α]ψ What is the meaning of α φ? What are the rules for dynamic logic? What is the while invariant with variant rule? Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 18 / 21

Jahob What is Jahob? Difference to ESC/Java? Difference to KeY? What does Jahob internally? How are the verification conditions generated? How are they checked? Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 19 / 21

Java Pathfinder What is Model-Checking? Difference to ESC/Java and Jahob? Difference to KeY? How can we write our own listeners? How can we use choice generators? What is partial order reduction? Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 20 / 21

What should you have learned How to give formal semantics to Java/JML (e.g. operational semantics). How to give pre-/post-conditions in JML. What is the relation between assume, assert and ensures, requires? What is run-time checking? Why is it useful? What are the limits? What is static checking (ESC/Java)? Why useful? What are the limits? What are the problems of class invariants and how to solve them. What is soundness and completeness? How does it apply to software verification. How to prove with KeY-System. How can loops be checked? How can verification conditions be generated from a program with assumes and asserts? How can these verification conditions be proven? Which tools exist? Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 21 / 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback