The Java Modeling Language JML

Similar documents
The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Formal Specification and Verification

Formale Entwicklung objektorientierter Software

Formal Methods for Java

Java Modelling Language (JML) References

Java Modelling Language (JML) References

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Rigorous Software Development CSCI-GA

Overview The Java Modeling Language (Part 1) Related Work

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Advanced JML Erik Poll Radboud University Nijmegen

The Java Modeling Language (Part 2)

The Java Modeling Language (Part 1)

Formal Methods for Software Development

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Assertions, pre/postconditions

Java Modeling Language (JML)

Executing JML Specifications of Java Card Applications: A Case Study

Specification tips and pitfalls

Program Verification (6EC version only)

Formal Specification and Verification

Advances in Programming Languages

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

JML. Java Modeling Language

5. Specification and Checking

Preliminary Design of JML:

Testing Library Specifications by Verifying Conformance Tests

Preliminary Design of JML:

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Advances in Programming Languages

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Verifying Java Programs Verifying Java Programs with KeY

Verification of JML Generic Types with Yices

Jive/JML Generating Proof Obligations From JML Specifications

Preliminary Design of JML:

Advances in Programming Languages

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Preliminary Design of JML:

Formal Specification with the Java Modeling Language

5.5 Behavioral Subtyping

TRIAL EXAM C Software Engineering using Formal Methods TDA293 / DIT270

Verifying Java Programs with KeY

Verification Condition Generation

Formal Methods for Java

Testing, Debugging, and Verification

An introduction to formal specifications and JML. Invariant properties

Non-null References by Default in the Java Modeling Language

Formal Methods for Software Development

Formal Methods for Java

Verifying JML specifications with model fields

Checking Program Properties with ESC/Java

Object Ownership in Program Verification

Introduction to the Java Modeling Language

ESC/Java2 Use and Features

Static program checking and verification

ESC/Java2 Use and Features

A Run-time Assertion Checker for Java using JML

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Adding native specifications to JML

Property Specifications

Fundamentals of Software Engineering

Lecture 10 Design by Contract

Formal Systems II: Applications

The Java Modeling Language a Basis for Static and Dynamic Verification

Formal methods What are they? Uses Tools Application to software development

Preliminary Design of JML: A Behavioral Interface Specication. Language for Java. Gary T. Leavens, Albert L. Baker and Clyde Ruby.

From Event-B Models to Dafny Code Contracts

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

Formal Methods for Java

Safely Creating Correct Subclasses without Seeing Superclass Code

Specifying and Verifying a Decimal Representation in Java for Smart Cards

JML What are model fields? Translation to JavaDL Demo. JML Model Fields. Christian Engel. ITI, Universität Karlsruhe. 08.

Java: advanced object-oriented features

Advances in Programming Languages

Verifying Java Programs Verifying Java Programs with KeY

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Discussion of Design Alternatives for JML Java 5 Annotations

Safely Creating Correct Subclasses without Seeing Superclass Code

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

JASS Java with ASSertions Detlef Bartetzko, Clemens Fischer, Michael Möller, Heike Wehrheim. Presented by Florian Froese (froesef)

Runtime Checking for Program Verification Systems

Specification and Verification of Garbage Collector by Java Modeling Language

Information Hiding and Visibility in Interface Specifications

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

On the Interplay between the Semantics of Java s Finally Clauses and the JML Run-Time Checker

Integrating verification in programming languages

Chapter 4 Defining Classes I

Outline. iterator review iterator implementation the Java foreach statement testing

Types of Specifications

Design by Contract and JML: concepts and tools

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

Java Primer 1: Types, Classes and Operators

Java ByteCode Specification Language(BCSL) and how to compile JML to BCSL. Mariela Pavlova March 10, 2006

The Use of JML in Embedded Real-Time Systems

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Transcription:

The Java Modeling Language JML Néstor Cataño ncatano@puj.edu.co Faculty of Engineering Pontificia Universidad Javeriana The Java Modelling Language JML p.1/47

Lecture Plan 1. An Introduction to JML 2. JML s Specification Pragmas 3. JML s Advanced Features 4. JML Specification Examples 5. Tool Support for JML The Java Modelling Language JML p.2/47

Lecture Plan 1. An Introduction to JML 2. JML s Specification Pragmas 3. JML s Advanced Features 4. JML Specification Examples 5. Tool Support for JML The Java Modelling Language JML p.3/47

The Java Modeling Language Formal specification language for Java programs record design and implementation decisions specify behaviour of classes JML specifications describe interfaces (names and static information found in Java declarations) behaviour (how classes and interfaces act when used) The Java Modelling Language JML p.4/47

JML s Goals Easy to understand for any Java programmer Notation close to Java syntax The Java Modelling Language JML p.5/47

JML s Goals Easy to understand for any Java programmer Notation close to Java syntax Rigorous and formal A formal semantics for JML exists The Java Modelling Language JML p.5/47

JML s Goals Easy to understand for any Java programmer Notation close to Java syntax Rigorous and formal A formal semantics for JML exists Amenable to tool support KRAKATOA, JACK, ESC/JAVA, JML, LOOP The Java Modelling Language JML p.5/47

JML s Goals Easy to understand for any Java programmer Notation close to Java syntax Rigorous and formal A formal semantics for JML exists Amenable to tool support KRAKATOA, JACK, ESC/JAVA, JML, LOOP Practical, effective for detailed designs The Java Modelling Language JML p.5/47

JML Notation JML specifications Predicates in First-Order Logic Java boolean expressions Specification-purpose boolean JML constructs Specifications are added between /*@... @*/ or after //@ in Java code preconditions postconditions invariants The Java Modelling Language JML p.6/47

JML Operators Java logical operators (, &&,!) Java relational and bitwise operators (<, <=,..., <<,>>) Logical forward and reverse implication (==>, <==) Logical equivalence and non-equivalence (<==>, <=!=>) Universal and existential quantification (\forall, \exists) The Java Modelling Language JML p.7/47

JML Predicates JML predicates are expressed in first order logic, constructed using side-effect-free Java booleans, extended with a few operators (\old, \result, \forall, \exists, \max, etc.), and using a few keywords (requires, ensures, invariant, etc.) The Java Modelling Language JML p.8/47

JML by Example public class IntMathOps { // 1 // 2 /*@ public normal behavior // 3 @ requires y >= 0; // 4 @ assignable \nothing; // 5 @ ensures 0 <= \result && // 6 @ \result * \result <= y && // 7 @ y < (\reult + 1) * (\result + 1); // 8 @*/ // 9 public static int isqrt(int y) //10 { //11 return (int) Math.sqrt(y); //12 //13 //14 The Java Modelling Language JML p.9/47

JML by Example requires. It is used for specifying preconditions. ensures. It is used for specifying postconditions. normal behavior. The method terminates normally, without throwing an exception. exceptional behavior. The method throws an exception. behavior. The method may terminate normally or abruptly. The Java Modelling Language JML p.10/47

Lightweight Specifications They do not use a behavior keyword They are written in individual lines after //@ They are typical of ESC/JAVA public class IntMathOps3 { //@ requires y >= 0; public static int isqrt(int y) { return (int) Math.sqrt(y); The Java Modelling Language JML p.11/47

Lightweight Specifications If a requires keyword is missed, a requires true; specification is assumed If a assignable keyword is missed, an assignable \everything; specification is assumed If a ensures keyword is missed, an ensures true; specification is assumed The Java Modelling Language JML p.12/47

JML and Design-by-Contract Methods pre- and postconditions define a contract between the method (the class) and the caller of the method This contract stipulates that 1. Methods may assume preconditions and must ensure postconditions 2. Clients must ensure preconditions and may assume postconditions The Java Modelling Language JML p.13/47

Contracts and Proof Obligations class Decimal { int intpart, decpart; //@ invariant decpart >= 0; /*@ requires m!= null; @ ensures decpart == m.decpart && @ intpart == \old(intpart); @*/ void setdecimal(decimal m) { decpart = m.decpart; The Java Modelling Language JML p.14/47

Contracts and Proof Obligations For method setdecimal : If m!= null and m.decpart >= 0 then decpart == m.decpart, and intpart == \old(intpart) The Java Modelling Language JML p.15/47

Contracts and Proof Obligations For method setdecimal : If m!= null and m.decpart >= 0 then decpart == m.decpart, and For the caller : intpart == \old(intpart) o!= null and o.decpart >= 0 must be true in every place where the method call setdecimal(o) is made setdecimal s postcondition may be assumed in those places The Java Modelling Language JML p.15/47

Contracts and Proof Obligations For method setdecimal : If m!= null and m.decpart >= 0 then decpart == m.decpart, and For the caller : intpart == \old(intpart) o!= null and o.decpart >= 0 must be true in every place where the method call setdecimal(o) is made setdecimal s postcondition may be assumed in those places Additionally : decpart >= 0 must be an invariant of Decimal class The Java Modelling Language JML p.15/47

Lecture Plan 1. An Introduction to JML 2. JML s Specification Pragmas 3. JML s Advanced Features 4. JML Specification Examples 5. Tool Support for JML The Java Modelling Language JML p.16/47

Lecture Plan 1. An Introduction to JML 2. JML s Specification Pragmas 3. JML s Advanced Features 4. JML Specification Examples 5. Tool Support for JML The Java Modelling Language JML p.17/47

Java Card s Decimal class public class Decimal extends Object { public static final short MAX_DECIMAL_NUMBER = (short) 32767; public static final short PRECISION = (short) 1000; private short intpart = (short) 0; private short decpart = (short) 0; public Decimal setvalue(decimal d) throws DecimalException { return setvalue(d.getintpart(),d.getdecpart()); public Decimal setvalue(short i, short d) throws DecimalException { if(i < 0 d < 0) decimal_exception.throwit(decimal_overflow); intpart = i; decpart = d; return this;... The Java Modelling Language JML p.18/47

\forall and \exists (\forall int i; a[i]!= null); (\forall int i; (0 <= i && i < length) ==> src[srcoff + i] == dest[destoff + i]); (\exists int i; (0 <= i && i < length) && (\forall int j; (0 <= j && j < i) ==> src[srcoff+j] == dest[destoff+j])); The Java Modelling Language JML p.19/47

assert assert P P must hold at certain point in a method body P is a valid JML first-order logic property The Java Modelling Language JML p.20/47

assert if (i <= 0 j < 0) {... else if (j < 5) { //@ assert i > 0 && 0 < j && j < 5;... else { //@ assert i > 0 && j > 5;... The Java Modelling Language JML p.21/47

spec_public JML does not allow private fields in public specifications Putting /*@ spec public @*/ before a private field declaration causes the field to be included in the scope of every specification The Java Modelling Language JML p.22/47

spec_public public class Decimal extends Object { public static final short MAX_DECIMAL_NUMBER = (short) 32767; public static final short PRECISION = (short) 1000; /*@ spec public @*/ private short intpart = (short) 0; /*@ spec public @*/ private short decpart = (short) 0;... The Java Modelling Language JML p.23/47

requires, ensures and normal_behavior requires R. method precondition R ensures Q method postcondition Q Q must hold if method terminates normally, i.e., without throwing a java.lang.exception normal behavior (total correctness) If precondition holds in the pre-state then method terminates in a normal state, and normal post-condition holds in this state The Java Modelling Language JML p.24/47

requires, ensures and normal_behavior public class Decimal extends Object { /*@ normal behavior; @ requires i>=0 && d>=0; @ ensures intpart == i && decpart == d; @*/ public Decimal setvalue(short i, short d) throws DecimalException { if(i < 0 d < 0) Exception.throwIt(DECIMAL_OVERFLOW); intpart = i; decpart = d; return this; The Java Modelling Language JML p.25/47

signals, exceptional_behavior signals (E e) R exceptional postcondition R R must hold if method throws an exception e that is a subclass of E exceptional behavior (total correctness) If precondition holds in the pre-state then method will always terminate in a exceptional state throwing a java.lang.exception, and the exceptional post-condition will hod in that state The Java Modelling Language JML p.26/47

signals and exceptional_behavior public class Decimal extends Object { /*@ exceptional behavior; @ requires i < 0 d < 0; @ signals (DecimalException e) true; @*/ public Decimal setvalue(short i, short d) throws DecimalException { if(i < 0 d < 0) Exception.throwIt(DECIMAL_OVERFLOW); intpart = i; decpart = d; return this; The Java Modelling Language JML p.27/47

assignable assignable L method may only modify the set of memory locations denoted by L any other location not listed may therefore not be modified this is true for both normal and exceptional postconditons The Java Modelling Language JML p.28/47

assignable public class Decimal extends Object { /*@ normal behavior; @ requires i>=0 && d>=0; @ assignable intpart, decpart; @ ensures true; @*/ public Decimal setvalue(short i, short d) throws DecimalException { if(i < 0 d < 0) Exception.throwIt(DECIMAL_OVERFLOW); intpart = i; decpart = d; return this; The Java Modelling Language JML p.29/47

model, in, and represents model fields specification purpose fields do not exist as program variables used to write abstract specifications can be mentioned in assignable specifications in declares that an abstract value is related to some others abstract or concrete values used in checking assignable specifications The Java Modelling Language JML p.30/47

model, in, and represents represents clauses make the relation between abstract and concrete values explicit relation may be functional, <-, or relational such that The Java Modelling Language JML p.31/47

model, in, and represents public class Decimal extends Object {... public short intpart = (short) 0; //@ in decimal; public short decpart = (short) 0; //@ in decimal; /*@ model int decimal; @ represents decimal <- intpart * PRECISION + decpart; @*/... decimal is a function over intpart, PRECISION and decpart If intpart or decpart is modified, then decimal is modified The Java Modelling Language JML p.32/47

model, in, and represents public class Decimal extends Object {... public short intpart = (short) 0; //@ in decimal; public short decpart = (short) 0; //@ in decimal; /*@ model int decimal; @ represents decimal <- intpart * PRECISION + decpart; @*/ /*@ behavior @ requires true; @ assignable decimal; @ ensures decimal == i * PRECISION + d; @ signals (DecimalException e) i<0 d<0; @*/ public Decimal setvalue(short i, short d) throws DecimalException {... The Java Modelling Language JML p.33/47

\old and \fresh \old(e) value of expression e in the pre-state \fresh(x) x is not null x was not allocated in the pre-state \old and \fresh can only be used in normal or exceptional postconditions The Java Modelling Language JML p.34/47

\old and \fresh /*@ behavior @ requires true; @ assignable decimal; @ ensures decimal == i * PRECISION + d; @ signals (DecimalException e) (i<0 d<0) && @ decimal == \old(decimal) && @ \fresh(e); @*/ public Decimal setvalue(short i, short d) throws DecimalException {... The Java Modelling Language JML p.35/47

\result represents the value returned by a method has the same type as the method return type can only be used in normal or exceptional postconditions The Java Modelling Language JML p.36/47

\result /*@ normal behavior @ requires true; @ ensures \result <==> @ (\exists int i; i>=0 && i<max DATA && data[i]==cur); @*/ boolean contens(byte cur) { boolean resu = false; byte i = (byte)0; boolean found = false; while(i < MAX_DATA &&! resu) { if(data[i] == cur) resu = true; else i++; return resu; The Java Modelling Language JML p.37/47

pure methods in JML specifications must be side-effects free for instance, x++, y=x+1, are not allowed in JML specs a side-effects free method is called pure pure methods are implicitly assignable\nothing; The Java Modelling Language JML p.38/47

pure public class Decimal extends Object { //@ assignable \nothing; public short getintpart(){ return intpart; The Java Modelling Language JML p.39/47

pure public class Decimal extends Object { public /*@ pure @*/ short getintpart(){ return intpart; The Java Modelling Language JML p.40/47

invariant it must hold in all visible state Beginning and end of any method invocation End of a constructor invocation it is implicitly assumed at the beginning of a method declaration it does not have to hold during the execution of a method, so it can temporally be broken The Java Modelling Language JML p.41/47

invariant public class Decimal extends Object { public static final short MAX_DECIMAL_NUMBER = (short) 32767; public static final short PRECISION = (short) 1000; public short intpart = (short) 0; public short decpart = (short) 0; /*@ invariant 0 <= intpart && intpart <= MAX DECIMAL NUMBER && @ 0 <= decpart && decpart < PRECISION; @*/... The Java Modelling Language JML p.42/47

non_null replaces an invariant specification about an object being non-null useful short-hand for many purposes The Java Modelling Language JML p.43/47

non_null public class SalerID extends Object implements PartnerID {... //@ invariant data!= null; public byte[] data = new byte[id_length];... The Java Modelling Language JML p.44/47

non_null public class SalerID extends Object implements PartnerID {... public /*@ non null @*/ byte[] data = new byte[id_length];... The Java Modelling Language JML p.45/47

Recapitulation \forall, \exists assert requires, ensures, signals normal behavior, exceptional behavior assignable model, represents \old, \fresh \result pure invariant, non null The Java Modelling Language JML p.46/47

Resources JML s Web-site http://www.jmlspecs.org The JML Tool (G. Leavens et al.) http://sourceforge.net/project/showfiles.php?group_id=65346 The ESC/JAVA Tool (K. Leino et al., J. Kiniry et al.) http://secure.ucd.ie/products/opensource/escjava2/ The KRAKATOA Tool (Ch. Paulin et al.) http://krakatoa.lri.fr/ The JACK Tool (J.-L. Lanet et al.) http://www-sop.inria.fr/everest/soft/jack/jack.html The Java Modelling Language JML p.47/47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback