The Java Modeling Language (Part 2)

Similar documents
JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Overview The Java Modeling Language (Part 1) Related Work

The Java Modeling Language JML

The Java Modeling Language (Part 1)

Advanced JML Erik Poll Radboud University Nijmegen

Rigorous Software Development CSCI-GA

Formal Specification and Verification

Formale Entwicklung objektorientierter Software

Verifying JML specifications with model fields

Specifying and Verifying Programs (Part 2)

Verifying Java Programs Verifying Java Programs with KeY

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Verifying Java Programs with KeY

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Verifying Java Programs Verifying Java Programs with KeY

JML What are model fields? Translation to JavaDL Demo. JML Model Fields. Christian Engel. ITI, Universität Karlsruhe. 08.

Specification tips and pitfalls

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Inheritance 2. Inheritance 2. Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria

Java Modeling Language (JML)

Modular specification of frame properties in JML

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Formal Methods for Java

ESC/Java2 Use and Features

5. Specification and Checking

Jive/JML Generating Proof Obligations From JML Specifications

ESC/Java2 Use and Features

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Department of Computer Science 226 Atanasoff Hall Iowa State University Ames, Iowa , USA

Testing, Debugging, and Verification

Advances in Programming Languages

Advances in Programming Languages

Program Verification (6EC version only)

Abstract Data Types. Abstract Data Types

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

JML. Java Modeling Language

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Testing Library Specifications by Verifying Conformance Tests

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Preliminary Design of JML:

Formal Methods for Java

Formal Methods for Software Development

Why Design by Contract! CS 619 Introduction to OO Design and Development. Design by Contract. Fall 2012

Formal Methods for Software Development

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Analysis of Software Artifacts

Computer Science 1 Ah

Java Modelling Language (JML) References

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

JML and Aspects: The Benefits of

Type Hierarchy. Comp-303 : Programming Techniques Lecture 9. Alexandre Denault Computer Science McGill University Winter 2004

Java Modelling Language (JML) References

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

5.5 Behavioral Subtyping

Preliminary Design of JML:

Formal Methods in Software Development

Verifying Java Programs

CS-XXX: Graduate Programming Languages. Lecture 22 Class-Based Object-Oriented Programming. Dan Grossman 2012

JML in Feature-Oriented Programming

Code Reuse: Inheritance

CS/ENGRD 2110 FALL Lecture 7: Interfaces and Abstract Classes

JML s Rich, Inherited Specifications for Behavioral Subtypes

Formal Specification and Verification

CMSC131. Inheritance. Object. When we talked about Object, I mentioned that all Java classes are "built" on top of that.

A Run-time Assertion Checker for Java using JML

A Small Survey of Java Specification Languages *

Preliminary Design of JML:

Review sheet for Final Exam (List of objectives for this course)

CS/ENGRD 2110 SPRING Lecture 7: Interfaces and Abstract Classes

3.Constructors and Destructors. Develop cpp program to implement constructor and destructor.

CMPSCI 187: Programming With Data Structures. Lecture 12: Implementing Stacks With Linked Lists 5 October 2011

Assertions. Assertions - Example

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Testing, Debugging, Program Verification

Objects and Classes. Objects and Classes

+ Abstract Data Types

double d0, d1, d2, d3; double * dp = new double[4]; double da[4];

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

CS/ENGRD 2110 SPRING 2018

Formal Methods for Java

Object-oriented Programming. Object-oriented Programming

Objectives for this class meeting. 1. Conduct review of core concepts concerning contracts and pre/post conditions

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

Checking the Conformance of Java Classes Against Algebraic Specifications

CS 112 Introduction to Computing II. Wayne Snyder Computer Science Department Boston University

Advances in Programming Languages

Type Hierarchy. Lecture 6: OOP, autumn 2003

CPS 506 Comparative Programming Languages. Programming Language

UNIT 3 ARRAYS, RECURSION, AND COMPLEXITY CHAPTER 11 CLASSES CONTINUED

Object Oriented Programming: In this course we began an introduction to programming from an object-oriented approach.

Exercise 3 Subtyping and Behavioral Subtyping October 13, 2017

Argument Passing All primitive data types (int etc.) are passed by value and all reference types (arrays, strings, objects) are used through refs.

Computer Science CS221 Test 2 Name. 1. Give a definition of the following terms, and include a brief example. a) Big Oh

Chapter 11. Categories of languages that support OOP: 1. OOP support is added to an existing language

Exceptions and Design

hwu-logo.png 1 class Rational { 2 int numerator ; int denominator ; 4 public Rational ( int numerator, int denominator ) {

Code Contracts in C#

Chapter 4.!Data Abstraction: The Walls! 2011 Pearson Addison-Wesley. All rights reserved 4-1

Safely Creating Correct Subclasses without Seeing Superclass Code

Transcription:

The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang Schreiner http://www.risc.jku.at 1/58

JML Class Specifications Object invariants and history constraints. non null, invariant, constraint. Public versus private behavior. private normal behavior. Model fields and model representations. model, represents. Data groups. in, maps...\into. Class refinements. refines. Support for programming in the large. Wolfgang Schreiner http://www.risc.jku.at 2/58

1. Basic Class Specifications 2. Classes for Modeling 3. Model-based Class Specifications 4. Rounding Things Up Wolfgang Schreiner http://www.risc.jku.at 3/58

A Java Class class IntStack int[] stack; int number; final int N = 10; IntStack() stack = new int[n]; number = 0; boolean isempty() return number == 0; void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; int pop() number = number-1; return stack[number]; void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 4/58

Object Invariants class IntStack /*@ non_null @*/ int[] stack; int number; //@ invariant 0 <= number && number <= stack.length;... A object invariant must hold before and after each method call. Variable annotated by non null must not be null. Clause invariant specifies a general object invariant. Private /*@ helper @*/ method need not maintain invariant. Every object invariant is automatically added to the pre- and to the postcondition of every (non-helper) method. Wolfgang Schreiner http://www.risc.jku.at 5/58

History Constraints class IntStack... // no method touches elements below the top of stack /*@ constraint (\forall int i; 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/... A history constraint must hold for the pre/post-state pair of every method call. A constraint condition may use \old to refer to the pre-state. Every history constraint is added to the post-condition of every method. Wolfgang Schreiner http://www.risc.jku.at 6/58

Light-Weight Specification class IntStack // V1... final int N = 10; /*@ ensures stack.length == N @ && number == 0; @*/ IntStack() stack = new int[n]; number = 0; /*@ ensures \result <==> @ number == 0; @*/ boolean isempty() return number == 0; /*@ ensures number == \old(number)+1 @ && stack[number-1] == e; @*/ void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; /*@ requires number > 0; @ ensures number == \old(number)-1 @ && \result == stack[number]; @*/ int pop() number = number-1; return stack[number];... Wolfgang Schreiner http://www.risc.jku.at 7/58

Light-Weight Specification (Contd)... /*@ ensures stack.length > \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == \old(stack[i])); @*/ void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Problem: stack implementation is externally visible. Wolfgang Schreiner http://www.risc.jku.at 8/58

Private Implementation vs Public Interface class IntStack private int stack[]; private int number; private final int N = 10; public IntStack()... public boolean isempty()... public void push(int e)... public int pop()... private void resize()... Only selected methods should belong to the public interface. Wolfgang Schreiner http://www.risc.jku.at 9/58

Problem with Light-Weight Specification class IntStack private int stack[]; private int number; private final int N = 10; /*@ ensures stack.length == N @ && number == 0; @*/ public IntStack()...... jml -Q IntStack.java... Field "stack" (private visibility) can not be referenced in a specification context of "package" visibility [JML] Wolfgang Schreiner http://www.risc.jku.at 10/58

Visibility of Specifications Every JML specification has a visibility level. Analogous to Java visibility levels. Default, private, protected, public. Light-weight specifications: default visibility. Similar to public but restricted to package level. A specification may only access fields within its visibility. Only private specifications may access private fields. Hack: mark private field as /* spec public */. Heavy-weight specifications: visibility explicitly specified. public normal behavior, private normal behavior. Need to use heavy-weight specifications. Wolfgang Schreiner http://www.risc.jku.at 11/58

Heavy-Weight Specification class IntStack // V2 private /*@ non_null @*/ int[] stack; private int number; /*@ private invariant 0 <= number @ && number <= stack.length; @*/ /*@ private constraint @ (\forall int i; @ 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/ private final int N = 10; /*@ private normal_behavior @ assignable stack, number; @ ensures stack.length == N @ && number == 0; @*/ public IntStack() stack = new int[n]; number = 0; /*@ private normal_behavior @ assignable \nothing; @ ensures \result <==> @ number == 0; @*/ public /*@ pure @*/ boolean isempty() return number == 0;... Wolfgang Schreiner http://www.risc.jku.at 12/58

Heavy-Weight Specification (Contd)... /*@ private normal_behavior @ assignable stack, stack[*], number; @ ensures number == \old(number)+1 @ && stack[number-1] == e; @*/ public void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; /*@ private normal_behavior @ requires number > 0; @ assignable number; @ ensures number == \old(number)-1 @ && \result == stack[number]; @*/ public int pop() number = number-1; return stack[number]; /*@ private normal_behavior @ assignable stack; @ ensures \fresh(stack) @ && stack.length > @ \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == \old(stack[i])); private void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 13/58

Heavy-Weight Specification: Considerations Visibility of invariants and history constraints. private invariant, private constraint. Explicit frame conditions recommended: assignable. Default: assignable \everything. New predicate: \fresh(stack). stack is newly allocated after resize(). Thus assignment stack[number] ==... in push is legal. Otherwise possible that stack refers after resize() to existing array. Rule: assignment to location is legal in method if location appears in method assignable clause or if location is newly allocated in method. Wolfgang Schreiner http://www.risc.jku.at 14/58

Private versus Public Specifications Let us assess the current situation. We have constructed a private specification. Refers to the private variables of the class. Can be used in the context of the class implementation. Cannot be used as a contract between the user and the implementor of the class. For use as a contract, we need a public specification. May refer only to public class interface. But this interface may be too restricted to express the desired behavior of the class. We need a possibility to extend the public class interface for the purpose of specifying the behavior of the class. Wolfgang Schreiner http://www.risc.jku.at 15/58

1. Basic Class Specifications 2. Classes for Modeling 3. Model-based Class Specifications 4. Rounding Things Up Wolfgang Schreiner http://www.risc.jku.at 16/58

Model Fields class C //@ model T x; //@ represents x <- E;... interface I //@ instance model T x; //@ represents x <- E;... A model field is a specification-only field. Considered as a normal field for the purpose of reasoning. Actually not provided by the implementation. In an interface, an instance model field, is considered a field of every class implementing the interface. A represents clause associates the model field to an implementation expression. Describes how model field can be computed from actual fields. Wolfgang Schreiner http://www.risc.jku.at 17/58

Example class IntStack private /*@ non_null @*/ int[] stack; private int number; //@ model int len; //@ represents len <- stack.length; //@ invariant 0 <= number && number <= len; /*@ ensures len == N && number == 0; @*/ IntStack() stack = new int[n]; number = 0;... Wolfgang Schreiner http://www.risc.jku.at 18/58

Class Specifications and Abstract Datatypes How to specify the public behavior of a class (concrete datatype) C? First mathematically axiomatize an abstract datatype. Type name A and names of operations on A. Laws ( axioms ) that the operations must obey. Then define C and an abstraction function a : C A Maps a program object of type C to a mathematical object A. Has as its inverse a concretization relation c A C. x C : c(a(x),x) y A : c(y,x) x = a(y). Specify the methods of C in terms of the operations of A. Instead of variable x of type C use term a(x) of type A. Thus C becomes related to the well understood A. Must prove that the methods satisfy the laws of the operations of A. C.A.R. Hoare, 1972: Proof of Correctness of Data Representations. Wolfgang Schreiner http://www.risc.jku.at 19/58

An Abstract Datatype The abstract datatype integer stack. Sort S. Operations empty : S, push : Z S S, isempty : S B, top : S Z, pop : S S. s,s S,x,x Z : empty push(x, s); push(x,s) = push(x,s ) x = x s = s ; isempty(empty) = true, isempty(push(x, s)) = false; top(push(x, s)) = x; pop(push(x, s)) = s. Wolfgang Schreiner http://www.risc.jku.at 20/58

A Method Specification Assume concrete type Stack and abstraction function a : Stack S. Input s : Stack. Input condition: isempty(a(s)) = false. Output s : Stack. Output condition: a(s ) = pop(a(s)). The concrete method behaves like the abstract operation pop. Wolfgang Schreiner http://www.risc.jku.at 21/58

An Abstract Datatype in JML public /*@ pure @*/ class IntStackModel // IntStackModel() is default constructor //@ public model boolean isempty(); //@ public model IntStackModel push(int e); //@ public model int top(); //@ public model IntStackModel pop(); /*@ axiom @ (\forall IntStackModel s, s2; s!= null && s2!= null; @ (\forall int e, e2; ; @!new IntStackModel().equals(s.push(e)) && @ (s.push(e).equals(s2.push(e2)) ==> s.equals(s2) && e == e2) && @ new IntStackModel().isempty() && @!s.push(e).isempty() && @ e == s.push(e).top() && @ s.equals(s.push(e).pop()))); @*/ Wolfgang Schreiner http://www.risc.jku.at 22/58

An Abstract Datatype in JML (Contd) A class tagged as pure contains only pure methods. Convenient shortcut for classes describing abstract datatypes. A model method is a specification-only method. Just for reasoning, no implementation provided. Typically pure (but need not be). Behavior described by axioms (or by model programs). IntStackModel is a class for modeling. Intended for supporting specifications. May use model methods without implementations. Just for reasoning, no runtime checking possible. May also provide method implementations. Also runtime checking possible. The JML tool suite comes with a library of pre-defined classes for modeling (but also for executing). Wolfgang Schreiner http://www.risc.jku.at 23/58

JML Classes for Modeling Package org.jmlspecs.models.*. Directory /zvol/formal/jml/org/jmlspecs/models. Container types: JMLObjectSet, JMLObjectBag, JMLObjectSequence,... Numerical types: JMLInfiniteIntegerClass, JMLFiniteIntegerClass,... Most classes contain method implementations. Useful for runtime checking. Usage primarily by model import. Not linked to classes when compiled with javac. //@ model import org.jmlspecs.models.*; For examples, see Leavens et al, 2004: Preliminary Design of JML. Wolfgang Schreiner http://www.risc.jku.at 24/58

JML Model Classes // file "IntStackModel.jml" /*@ public pure model class IntStackModel @ @ public model IntStackModel(); @ public model boolean isempty(); @ public model IntStackModel push(int e); @ public model int top(); @ public model IntStackModel pop(); @ @ public axiom... @ @*/ A model class is a specification-only class. Just for reasoning, no implementation provided. Wolfgang Schreiner http://www.risc.jku.at 25/58

1. Basic Class Specifications 2. Classes for Modeling 3. Model-based Class Specifications 4. Rounding Things Up Wolfgang Schreiner http://www.risc.jku.at 26/58

Specifying the Public Behavior of a Class There are different styles to specify the public behavior of a class. Specify the public behavior in the class itself. Class adds the public behavior to its private behavior. Specify the public behavior in an abstract class. Class inherits from this abstract class. Specify the public behavior in an interface. Class implements this interface. Specify the public behavior in an JML specification file. Class refines this specification. We will investigate these alternatives in turn. Wolfgang Schreiner http://www.risc.jku.at 27/58

Public Behavior in Class class IntStack // V3... // private int[] stack, int number; /*@ private invariant @ 0 <= number @ && number <= stack.length; /*@ private constraint @ (\forall int i; @ 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/ /*@ public model @ non_null IntStackModel stackm; @ represents stackm <- tomodel(); @ public model @ pure IntStackModel tomodel(); @*/ /*@ public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @ also private normal_behavior @ assignable stack, number; @ ensures stack.length == N @ && number == 0; @*/ public IntStack() stack = new int[n]; number = 0; //@ nowarn Post;... Wolfgang Schreiner http://www.risc.jku.at 28/58

Public Behavior in Class: Considerations model pure IntstackModel tomodel() Pure function to convert this object to IntStackModel. Implementation remains unspecified (later). also... Combine public behavior and private behavior. Method must satisfy each behavior. Problem with assignable clause of public behavior (later). nowarn Post Since implementation of tomodel is unspecified, ESC/Java2 cannot check postcondition of public behavior. Unfortunately this also prevents checking of private behavior. Wolfgang Schreiner http://www.risc.jku.at 29/58

Public Behavior in Class (Contd)... /*@ public normal_behavior @ assignable \nothing; @ ensures \result <==> @ stackm.isempty(); @ also private normal_behavior @ assignable \nothing; @ ensures \result <==> @ number == 0; @*/ public /*@ pure @*/ boolean isempty() return number == 0; //@ nowarn Post; /*@ public normal_behavior @ assignable stackm; @ ensures stackm == @ \old(stackm.push(e)); @ also private normal_behavior @ assignable @ stack, stack[*], number; @ ensures number == @ \old(number)+1 @ && stack[number-1] == e; @*/ public void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; //@ nowarn Post;... Wolfgang Schreiner http://www.risc.jku.at 30/58

Public Behavior in Class (Contd 2)... /*@ public normal_behavior @ requires!stackm.isempty(); @ assignable stackm; @ ensures @ \result == \old(stackm.top()) @ && stackm == \old(stackm.pop()); @ also private normal_behavior @ requires number > 0; @ assignable number; @ ensures number == \old(number)-1 @ && \result == stack[number]; @*/ public int pop() //@ assume number > 0; number = number-1; return stack[number]; //@ nowarn Post; /*@ private normal_behavior @ assignable stack; @ ensures \fresh(stack) @ && stack.length > @ \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == @ \old(stack[i])); @*/ private void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 31/58

Public Behavior in Class: Considerations assume number > 0 in pop() ESC/Java2 complains. Due to the lack of the implementation of abstraction function, this cannot be deduced from the precondition of the public behavior. No separation of public and private behavior. Both mixed in same file. A messy solution. Wolfgang Schreiner http://www.risc.jku.at 32/58

Frame Condition of Public Behavior /*@ public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @ also private normal_behavior @... @*/ public IntStack() stack = new int[n]; number = 0; //@ nowarn Post; assignable stackm Frame condition says that only model field stackm may be changed. But actually concrete fields stack and number are changed. ESC/Java2 complains. Need to relate model fields to concrete fields. Wolfgang Schreiner http://www.risc.jku.at 33/58

Data Groups private /*@ non_null @*/ int[] stack; //@ in stackm; //@ maps stack[*] \into stackm; private int number; //@ in stackm; Declaration of field stackm also introduces a data group stackm. A data group is a set of storage locations. Initially, only the location of the declared variable is in data group. An assignable clause actually refers to data groups. All storage locations in referenced data group may be changed. A data group may be extended. in stackm adds declared variable to data group stackm. maps stack[*] \into stackm adds all elements of array stack. By incorporation into the data group stackm, the variable stack, all elements of stack and number may change, when stackm may change. Wolfgang Schreiner http://www.risc.jku.at 34/58

Implementation of Abstraction Function We have not yet defined the abstraction function tomodel(). /*@ public pure model IntStackModel tomodel() @ @ IntStackModel m = new IntStackModel(); @ for (int i = 0; i < number; i++) @ m = m.push(stack[i]); @ return m; @ @*/ Practically useful for runtime checking. Any reference to model variable stackm is replaced by tomodel(). Requires an implementation of (the methods of) IntStackModel. Principially useful for verification. Requires a specification of tomodel which uniquely determines stackm from stack and number. Reasoner must be strong enough (ESC/Java2 is not). Wolfgang Schreiner http://www.risc.jku.at 35/58

Specification of Abstraction Function /*@ also private normal_behavior @ ensures \result!= null @ && \result.length() == number @ && (\forall int i; 0 <= i && i < number; @ \result.elemat(i) == stack[number-i-1]); @ public pure model IntStackModel tomodel() @ @ IntStackModel m = new IntStackModel(); @ for (int i = 0; i < number; i++) @ m = m.push(stack[i]); @ return m; @ @*/ Relates the elements of stackm to those of stack. Wolfgang Schreiner http://www.risc.jku.at 36/58

Generalization of Model Type class IntStackModel... //@ public model int length(); //@ public model int elemat(int i); /*@ public axiom @ (\forall IntStackModel s; s!= null; @ (\forall int e, i; ; @ new IntStackModel().length() == 0 && @ s.push(e).length() == 1+s.length() && @ s.elemat(0) == s.top() && @ s.elemat(i+1) == s.pop().elemat(i))); @*/ Recursive definition of length and of elemat. Wolfgang Schreiner http://www.risc.jku.at 37/58

Public Behavior in Abstract Class public abstract class IntStackBase // V4 /*@ public model @ non_null IntStackModel stackm; @ represents stackm <- tomodel(); @ public model @ pure IntStackModel tomodel(); @*/ /*@ public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @*/ public IntStackBase () //@ nowarn Post, Invariant; // called by subclass constructor /*@ public normal_behavior @ ensures \result <==> @ stackm.isempty(); @*/ public abstract /*@ pure @*/ boolean isempty(); /*@ public normal_behavior @ assignable stackm; @ ensures stackm == @ \old(stackm.push(e)); @*/ public abstract void push(int e); /*@ public normal_behavior @ requires!isempty(); @ assignable stackm; @ ensures \result == @ \old(stackm.top()) @ && stackm == @ \old(stackm.pop()); @*/ public abstract int pop(); Wolfgang Schreiner http://www.risc.jku.at 38/58

Public Behavior in Abstract Class (Contd) class IntStack extends IntStackBase private /*@ non_null @*/ int[] stack; //@ in stackm; //@ maps stack[*] \into stackm; private int number; //@ in stackm; /*@ private invariant @ 0 <= number @ && number <= stack.length; @*/ /*@ private constraint @ (\forall int i; @ 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/ /*@ private normal_behavior @ assignable stackm, @ stack, number; @ ensures stack.length == N @ && number == 0; @ also public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @*/ public IntStack() stack = new int[n]; number = 0; //@ nowarn Post, Invariant;... private final int N = 10; Wolfgang Schreiner http://www.risc.jku.at 39/58

Public Behavior in Abstract Class (Contd 2)... /*@ also private normal_behavior @ assignable \nothing; @ ensures \result <==> number == 0; @*/ public /*@ pure @*/ boolean isempty() return number == 0; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ assignable stack, stack[*], number; @ ensures number == @ \old(number)+1 @ && stack[number-1] == e; @*/ public void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ requires number > 0; @ assignable number; @ ensures number == @ \old(number)-1 @ && \result == @ stack[number]; @*/ public int pop() //@ assume number > 0; number = number-1; return stack[number]; //@ nowarn Post, Invariant;... Wolfgang Schreiner http://www.risc.jku.at 40/58

Public Behavior in Abstract Class (Contd 3)... /*@ private normal_behavior @ assignable stack; @ ensures \fresh(stack) @ && stack.length > \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == \old(stack[i])); @*/ private void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 41/58

Public Behavior in Abs.Class: Considerations Clear separation of behaviors. Public behavior in abstract superclass. Private behavior in concrete subclass. model stackm Model field inherited by any subclass of abstract class. Constructor must be specified in abstract class. Abstract class always has default constructor. also private normal behavior Extension of public behavior by private behavior. assignable stackm,... in constructor IntStack() Frame condition of private behavior! Constructor IntStack() calls constructor InstStackBase(). Quite clean solution. Wolfgang Schreiner http://www.risc.jku.at 42/58

Public Behavior in Interface public interface IntStackInterface // V5 /*@ @ public instance model @ non_null IntStackModel stackm; @ represents stackm <- tomodel(); @ public model @ pure IntStackModel tomodel(); @*/ /*@ public normal_behavior @ assignable \nothing; @ ensures \result <==> @ stackm.isempty(); @*/ public /*@ pure @*/ boolean isempty(); /*@ public normal_behavior @ assignable stackm; @ ensures stackm == @ \old(stackm.push(e)); @*/ public void push(int e); /*@ public normal_behavior @ requires!stackm.isempty(); @ assignable stackm; @ ensures \result == @ \old(stackm.top()) @ && stackm == @ \old(stackm.pop()); @*/ public int pop(); Wolfgang Schreiner http://www.risc.jku.at 43/58

Public Behavior in Interface (Contd) class IntStack implements IntStackInterface private /*@ non_null @*/ int[] stack; //@ in stackm; //@ maps stack[*] \into stackm; private int number; //@ in stackm; /*@ private invariant 0 <= number @ && number <= stack.length; */ /*@ private constraint @ (\forall int i; @ 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/ /*@ private normal_behavior @ assignable stack, number; @ ensures stack.length == N @ && number == 0; @ also public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @*/ public IntStack() stack = new int[n]; number = 0; //@ nowarn Post, Invariant;... private final int N = 10; Wolfgang Schreiner http://www.risc.jku.at 44/58

Public Behavior in Interface (Contd 2)... /*@ also private normal_behavior @ assignable \nothing; @ ensures \result <==> number == 0; @*/ public /*@ pure @*/ boolean isempty() return number == 0; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ assignable stack, stack[*], number; @ ensures number == \old(number)+1 @ && stack[number-1] == e; @*/ public void push(int e) if (number == stack.length)2 resize(); stack[number] = e; number = number+1; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ requires number > 0; @ assignable number; @ ensures number == @ \old(number)-1 @ && \result == stack[number]; @*/ public int pop() //@ assume number > 0; number = number-1; return stack[number]; //@ nowarn Post, Invariant;... Wolfgang Schreiner http://www.risc.jku.at 45/58

Public Behavior in Interface (Contd 3)... /*@ private normal_behavior @ assignable stack; @ ensures \fresh(stack) @ && stack.length > \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == \old(stack[i])); @*/ private void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 46/58

Public Behavior in Interface: Considerations Clear separation of behaviors. Public behavior in interface. Private behavior in class. instance model stackm Model field of any class implementing the interface. No constructor in interface possible. Both public and private behavior of constructor specified in class. also private normal behavior Extension of public behavior specified in interface by private behavior. Rather clean solution. Wolfgang Schreiner http://www.risc.jku.at 47/58

Public Behavior in JML Specification File // V6, file "IntStack.jml" public class IntStack /*@ public model @ non_null IntStackModel stackm; @ represents stackm <- tomodel(); @ public model @ pure IntStackModel tomodel(); @*/ /*@ public normal_behavior @ assignable stackm; @ ensures stackm.isempty(); @*/ public IntStack(); /*@ public normal_behavior @ assignable \nothing; @ ensures \result <==> stackm.isempty(); @*/ public /*@ pure @*/ boolean isempty(); /*@ public normal_behavior @ assignable stackm; @ ensures stackm == @ \old(stackm.push(e)); @*/ public void push(int e); /*@ public normal_behavior @ requires!stackm.isempty(); @ assignable stackm; @ ensures \result == @ \old(stackm.top()) @ && stackm == @ \old(stackm.pop()); @*/ public int pop(); Wolfgang Schreiner http://www.risc.jku.at 48/58

Public Behavior in JML Spec. File (Contd) //@ refine "IntStack.jml"; class IntStack private /*@ non_null @*/ int[] stack; //@ in stackm; //@ maps stack[*] \into stackm; private int number; //@ in stackm; /*@ private invariant 0 <= number @ && number <= stack.length; @*/ /*@ private constraint @ (\forall int i; @ 0 <= i && i < number-1; @ stack[i] == \old(stack[i])); @*/ private final int N = 10; /*@ also private normal_behavior @ assignable stack, number; @ ensures stack.length == N @ && number == 0; @*/ public IntStack() stack = new int[n]; number = 0; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ assignable \nothing; @ ensures \result <==> @ number == 0; @*/ public /*@ pure @*/ boolean isempty() return number == 0; //@ nowarn Post, Invariant;... Wolfgang Schreiner http://www.risc.jku.at 49/58

Public Behavior in JML Spec. File (Contd 2) /*@ also private normal_behavior @ assignable stack, stack[*], number; @ ensures number == \old(number)+1 @ && stack[number-1] == e; @*/ public void push(int e) if (number == stack.length) resize(); stack[number] = e; number = number+1; //@ nowarn Post, Invariant; /*@ also private normal_behavior @ requires number > 0; @ assignable number; @ ensures number == \old(number)-1 @ && \result == stack[number]; @*/ public int pop() //@ assume number>0; number = number-1; return stack[number]; //@ nowarn Post, Invariant; /*@ private normal_behavior @ assignable stack; @ ensures \fresh(stack) @ && stack.length > @ \old(stack.length) @ && number == \old(number) @ && (\forall int i; @ 0 <= i && i < number; @ stack[i] == \old(stack[i])); private void resize() int s[] = new int[2*stack.length+1]; for (int i=0; i<stack.length; i++) s[i] = stack[i]; stack = s; Wolfgang Schreiner http://www.risc.jku.at 50/58

Public Behavior in JML File: Considerations Clear separation of behaviors. Public behavior in JML specification file. Private behavior in Java implementation file. model stackm Model field of any class refining the specification. Also constructor specification in JML file. Only private behavior of constructor in implementation file. refine "IntStack.jml All entities specified in specification file IntStack.jml must be implemented in implementation file IntStack.java. also private normal behavior Extension of public behavior specified in JML file by private behavior. Very clean solution. Wolfgang Schreiner http://www.risc.jku.at 51/58

1. Basic Class Specifications 2. Classes for Modeling 3. Model-based Class Specifications 4. Rounding Things Up Wolfgang Schreiner http://www.risc.jku.at 52/58

Desugaring Specifications A normal behavior specification is translated as follows. public normal behavior requires P; assignable V; ensures Q; public behavior requires P; assignable V; ensures Q; signals (Exception e) false; The method does not throw an exception. Wolfgang Schreiner http://www.risc.jku.at 53/58

Desugaring Specifications (Contd) A exceptional behavior specification is translated as follows. public exceptional behavior requires P; assignable V; signals (E e) Q; public behavior requires P; assignable V; ensures false; signals (E e) Q; The method does not return normally. Wolfgang Schreiner http://www.risc.jku.at 54/58

Desugaring Specifications (Contd 2) Two public behavior specifications are combined as follows. public behavior requires P1; assignable V1; ensures Q1; signals (E1 e) R1; also public behavior requires P2; assignable V2; ensures Q2; signals (E2 e) R2; public behavior requires P1 P2; assignable V1 if P1, V2 if P2; ensures (\old(p1) ==> Q1) && (\old(p2) ==> Q2); signals (E1 e1) \old(p1) && R1; signals (E2 e2) \old(p2) && R2; Basically the same for combining a public and a private behavior. Wolfgang Schreiner http://www.risc.jku.at 55/58

The Meaning of a Specification public behavior requires P; assignable V if M,...; ensures Q; signals (E1 e1) R1;... The method may be called, if P holds on the pre-state. The conditions of multiple requires clauses are disjoined by. The method may change V, if M holds. And so on for the other variables in the assignable clause. If the method returns normally, Q holds on the pre/post-state pair. The conditions of multiple ensures clauses are conjoined by &&. If the method throws an exception of type E1, R1 holds on the pre/post-state pair. And so on for the other signals clauses. Wolfgang Schreiner http://www.risc.jku.at 56/58

Specifications and Subtyping Combining specifications works also for subtyping. If a class C 2 inherits from a class C 1, C 2 inherits all non-private entities of C 1. If C 2 overrides some non-private method m of C 1, C 2 combines C 1 s non-private behavior specification of m with its own behavior specification of m. This is why the new behavior specification of m in C 2 must begin with also. Thus an object of type C 2 behaves like an object of type C 1. C 2 specifies a behavioral subtype of C 1. Thus we can say a C 2 object is a C 1 object. Wolfgang Schreiner http://www.risc.jku.at 57/58

Further Features of JML Not covered in this course... Specification shortcuts \nonnullelements, \not modified,... Redundant specifications and examples. ensures redundantly, invariant redundantly, represents redundantly, implies that, for example,... Non-functional specifications. Execution time, execution space, methods invoked,... Concurrency. Experimental support of MultiJava.... JML is (perhaps too) large and still evolving (latest version: May 2013). Wolfgang Schreiner http://www.risc.jku.at 58/58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback