Java Modelling Language (JML) References

Similar documents
Java Modelling Language (JML) References

JML. Java Modeling Language

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Formale Entwicklung objektorientierter Software

Advances in Programming Languages

Formal Specification and Verification

The Java Modeling Language JML

CHAPTER 6. Slide 6.1 TESTING

Canica: An IDE for the Java Modeling Language

Static program checking and verification

Design by Contract with JML

Design by Contract and JML: concepts and tools

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Adding native specifications to JML

Formal Methods for Java

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Specification and Verification of Garbage Collector by Java Modeling Language

Overview The Java Modeling Language (Part 1) Related Work

Java Modeling Language (JML)

Advances in Programming Languages

An overview of JML tools and applications

Advances in Programming Languages

The Java Modeling Language (Part 1)

Program Verification (6EC version only)

Advances in Programming Languages

Assertions, pre/postconditions

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

The JML and JUnit Way of Unit Testing and its Implementation

ESC/Java2 Use and Features

ESC/Java2 Use and Features

The Use of JML in Embedded Real-Time Systems

Verifying JML specifications with model fields

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Karsten Sohr Center for Computing Technologies Universität Bremen, Germany

Formal Methods for Java

The Krakatoa Verification Tool

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

The Krakatoa Verification Tool

Verifying Java Programs

An overview of JML tools and applications

Formally Proved Anti-tearing Properties of Embedded C Code

A Simple and Practical Approach to Unit Testing: The JML and JUnit Way

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

A Simple and Practical Approach to Unit Testing: The JML and JUnit Way

A Small Survey of Java Specification Languages *

Reasoning about JML: Differences between KeY and OpenJML

Checking Program Properties with ESC/Java

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

A Simple and Practical Approach to Unit Testing: The JML and JUnit Way

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

Accessible Formal Methods: A Study of the Java Modeling Language

Java Bytecode Specification and Verification

Specification tips and pitfalls

Verification Condition Generation

Formal Methods for Java

Reasoning about Java Programs with Aliasing and Frame Conditions

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

An introduction to formal specifications and JML. Invariant properties

Formal methods What are they? Uses Tools Application to software development

Testing Library Specifications by Verifying Conformance Tests

Rigorous Software Development CSCI-GA

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

Automated Random Testing to Detect Specification-Code Inconsistencies

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Implementation of Refining Statements in OpenJML and Verification of Higher Order Methods with Model Program Specifications

Verifying Java Programs Verifying Java Programs with KeY

A Java Reference Model of Transacted Memory for Smart Cards

Specification of a transacted memory for smart cards in Java and JML

Verification of JML Generic Types with Yices

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Introduction to the Java Modeling Language

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Preliminary Design of JML:

Preliminary Design of JML:

Formal Methods for Java

Formal Verification of Floating-Point programs

A Fitness Function to Find Feasible Sequences of Method Calls for Evolutionary Testing of Object-Oriented Programs

On the Interplay between the Semantics of Java s Finally Clauses and the JML Run-Time Checker

Lecture 10 Design by Contract

Analysis of Software Artifacts

Sound reasoning about unchecked exceptions

Java ByteCode Specification Language(BCSL) and how to compile JML to BCSL. Mariela Pavlova March 10, 2006

Verifying Java Programs with KeY

The Java Modeling Language (Part 2)

Faithful mapping of model classes to mathematical structures

FAKULTÄT FÜR INFORMATIK

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Effective and Efficient Runtime Assertion Checking for JML Through Strong Validity

JML s Rich, Inherited Specifications for Behavioral Subtypes

CSC Advanced Object Oriented Programming, Spring Specification

Information Hiding and Visibility in Interface Specifications

Automatic Generation of Program Specifications

Modular verification of static class invariants

Bounded Verification of Voting Software

Transcription:

Java Modelling Language (JML) References G. T. Leavens and Y. Cheon. Design by Contract with JML, August 2005. L. Burdy, Y. Cheon, D. Cok, M. Ernst, J. Kiniry, G. T. Leavens, K. R. M. Leino, and E. Poll. An Overview of JML Tools and Applications. In International Journal on Software Tools for Technology Transfer, 7(3):212 232, 2005. C. Marché, C. Paulin-Mohring, and X. Urbain. The Krakatoa Tool for Cerification of Java/JavaCard Programs Annotated in JML. In Journal of Logic and Algebraic Programming, 58(1-2):89-106, 2004. www.jmlspecs.org G. T. Leavens, A. L. Baker, and C. Ruby. Preliminary Design of JML: A Behavioral Interface Specification Language for Java. Department of Computer Science, Iowa State University, TR #98-06-rev28, July 2005. P. Chalin, J. R. Kiniry, G. T. Leavens, and E. Poll. Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2. In Formal Methods for Components and Objects 2005, Revised Lectures, pages 342-363, Spinger Verlag LNCS Volume 4111, 2006. krakatoa.lri.fr 1

JML as a Design by Contract (DBC) Tool A contract between a program (Java class) and its clients. A precondition specifies the client s (user of the program) obligation (i.e., guarantees that must be met before calling a method). A postcondition specifies the implementor s obligation (i.e., guarantees properties that hold after execution). Contracts are executable, i.e., can be checked by tools. 2

Example Java Class public class Person { private String name; private int weight; public String tostring() { return "Person(\"" + name + "\"," + weight + ")"; } public int getweight() { return weight; } public void addkgs(int kgs) { if (kgs >= 0) { weight += kgs; } else { throw new IllegalArgumentException(); } } public Person(String n) { name = n; weight = 0; } } 3

4 Specifying the addkgs Method /*@ requires kgs >= 0; @ requires weight + kgs >= 0; @ ensures weight == \old(weight) + kgs; @*/ public void addkgs(int kgs) { weight += kgs; }

5 Alternate Specification and Implementation of addkgs /*@ requires weight + kgs >= 0; @ ensures kgs >=0 && weight == \old(weight) + kgs; @ signals_only IllegalArgumentException; @ signals (IllegalArgumentException) kgs < 0; @*/ public void addkgs(int kgs) { if (kgs >= 0) { weight += kgs; } else { throw new IllegalArgumentException(); } }

6 Information Hiding and Invariants public class Person { private /*@ spec_public non_null @*/ String name; private /*@ spec_public @*/ int weight; /*@ public invariant!name.equals("") @ && weight >= 0; @*/

7 Remaining Code and Specifications of Person Class //@ ensures \result!= null; public String tostring() { return "Person(\"" + name + "\"," + weight + ")"; } //@ ensures \result == weight; public /*@ pure @*/ int getweight() { return weight; } /*@ requires n!= null &&!n.equals(""); @ ensures n.equals(name) @ && weight == 0; @*/ public Person(String n) { name = n; weight = 0; }

8 Model Fields If we want to change the code: public class Person { private /*@ spec_public non_null @*/ String name; to become: public class Person { private /*@ non_null @*/ String fullname; then we can add: //@ public model non_null String name; //@ private represents name <- fullname;

9 Dutch National Flag Example public class Flag { public static final int BLUE = 1, WHITE = 2, RED = 3; //@ public normal_behavior //@ ensures \result <==> //@ (i == BLUE i == WHITE i == RED); public static /*@ pure @*/ boolean iscolor(int i); public int t[]; //@ public invariant t!= null && //@ (\forall int k; //@ 0 <= k && k < t.length; iscolor(t[k]));

10 /*@ public normal_behavior @ requires 0 <= i && i <= j && j <= t.length ; @ ensures \result <==> (\forall int k; i <= k && k < j; t[k] == c); @*/ private /*@ pure @*/ boolean ismonochrome(int i, int j, int c); /*@ public normal_behavior @ requires 0 <= i && i < t.length && 0 <= j && j < t.length; @ modifiable t[i],t[j]; @ ensures t[i] == \old(t[j]) && t[j] == \old(t[i]); @*/ private void swap(int i, int j);

11 /*@ public normal_behavior @ modifiable t[*]; @ ensures @ (\exists int b,r; ismonochrome(0,b,blue) && @ ismonochrome(b,r,white) && @ ismonochrome(r,t.length,red)); @*/ public void flag()

12 { int b = 0, i = 0, r = t.length; /*@ loop_invariant @ (\forall int k; @ 0 <= k && k < t.length; iscolor(t[k])) && @ 0 <= b && b <= i && i <= r && r <= t.length && @ ismonochrome(0,b,blue) && @ ismonochrome(b,i,white) && @ ismonochrome(r,t.length,red); @ decreases r - i; @*/ while (i < r) { switch (t[i]) { case BLUE: swap(b++, i++); break; case WHITE: i++; break; case RED: swap(--r, i); break; }}}}

13 Advantages of JML good documentation assigns responsibility For example, if a precondition doesn t hold, then client is responsible for fixing method call. modularity of reasoning In flag example, specifications of called methods are used to prove correctness of main method. Reading specifications helps understand code (but only covers what is in specification). specify intent and allow freedom in implementation details

Tools [Burdy et. al.] discusses 4 categories 1. Runtime Assertion Checking and Testing jmlc most widely used tool compiles and inserts code for checking preconditions, postconditions, and invariants goal is to debug both specifications and programs suggested use involves several steps 1 specify preconditions for normal behavior 2 define class invariants 3 describe normal postconditions 4 document exceptions and add exceptional postconditions jmlunit generates JUnit test cases that rely on the JML runtime assertion checker violating precondition not necessarily an error satisfying precondition, but violating postcondition indicates error 14

15 2. Static Checking and Verification ESC/Java automatic checks of simple assertions and common errors such as dereferencing null, array index out of bounds, casting errors uses automatic theorem prover called Simplify ESC/Java2: updated version that handles current version of JML and increases amount of JML features that can be checked LOOP: formalizes semantics of Java and JML can handle a much larger class of properties if automatic proof is not possible, can use PVS theorem prover interactively

16 Notes: JACK: an environment for Java and Java Card program verification using JML annotations Note: Java Card is a dialect of Java designed for programming smart cards, adapted to limitations and does not support floating point numbers, strings, object cloning, or threads Eclipse plug-in that allows hookup to various automatic and interactive provers Krakatoa (to be discussed further later): checks full specifications for most of JML formalizes semantics of Java and JML interactive theorem prover Coq used to complete the proofs Executable code is not affected by static checks. Dynamic checks require adding code that can affect efficiency. If full static verification is completed (e.g., via Krakatoa), then dynamic checking (via jmlc) is not needed.

3. Generating Specifications Daikon: invariant detector, finds operational abstractions, provides assistance in creating specifications Houdini: tries to supply missing annotations to eliminate ESC/Java warnings, new annotations verified by ESC/Java 4. Documentation jmldoc: builds human-readable HTML pages from JML annotations 17

18 Case Study: Electronic Purse on Smart Card Reference [16] of [Burdy et. al.]. Uses ESC/Java. Debit, credit, and currency change operations were annotated, along with the methods they use. Key generation and authorization not considered. Specification was lightweight. Functional specification describes behavior, but not of more complex code involving loops. 42 java classes involved; 432kB of Java (736kB with JML annotations); project length was 3 months. Some results: Lightweight specification does not allow full verification, but nevertheless, some important errors in implementation were discovered. Also, parts of code never reached were discovered (and could be removed).

19 Case Study Conclusions Lightweight formal verification (in this case using ESC/Java) can provide: formal specifications of an application checking of implementation by tools, increasing the confidence in the correctness of the implementation The problems that we have found probably also would have been found by doing thorough testing, but using theorem proving techniques one is sure not to forget some cases, without having to put much effort in developing test scenarios. Also, writing the formal specifications forces one to think very precisely about the intended behaviour of programs, which helps in finding errors.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback