Formal Specification and Verification

Similar documents
Formal Methods for Software Development

Formal Methods for Software Development

Formale Entwicklung objektorientierter Software

The Java Modeling Language a Basis for Static and Dynamic Verification

Testing, Debugging, and Verification

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

The Java Modeling Language JML

Java Modelling Language (JML) References

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

JML. Java Modeling Language

Overview The Java Modeling Language (Part 1) Related Work

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Advances in Programming Languages

Advanced JML Erik Poll Radboud University Nijmegen

The Java Modeling Language (Part 1)

Verifying JML specifications with model fields

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Formal Specification and Verification

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

The Java Modeling Language (Part 2)

Formal Specification with the Java Modeling Language

Advances in Programming Languages

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Program Verification (6EC version only)

Rigorous Software Development CSCI-GA

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Specification tips and pitfalls

Advances in Programming Languages

From JML to BCSL (Draft Version)

ESC/Java2 Use and Features

ESC/Java2 Use and Features

Java Modeling Language (JML)

Canica: An IDE for the Java Modeling Language

Testing, Debugging, Program Verification

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Java Modelling Language (JML) References

Static program checking and verification

Formal Methods for Java

Testing Library Specifications by Verifying Conformance Tests

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Formal Methods for Java

Java ByteCode Specification Language(BCSL) and how to compile JML to BCSL. Mariela Pavlova March 10, 2006

Formal Methods for Java

Fundamentals of Software Engineering

Formal Methods for Java

Verifying Java Programs Verifying Java Programs with KeY

Design by Contract and JML: concepts and tools

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Fundamentals of Software Engineering

The Use of JML in Embedded Real-Time Systems

Design by Contract with JML

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Formal Specification and Verification

Introduction to the Java Modeling Language

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Runtime Checking for Program Verification Systems

Verifying Java Programs with KeY

A Small Survey of Java Specification Languages *

Verification Condition Generation

A runtime assertion checker for the Java Modeling Language

Model Variables: Cleanly Supporting Abstraction in Design By Contract

An introduction to formal specifications and JML. Invariant properties

Lecture 10 Design by Contract

CS 161 Computer Security

Verifying Java Programs Verifying Java Programs with KeY

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

Towards Combined Static and Runtime Verification of Distributed Software

Specification and Verification of Garbage Collector by Java Modeling Language

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Integration of Java Generics Into The jmle Tool Within The Eclipse IDE

Advances in Programming Languages

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

A Java Reference Model of Transacted Memory for Smart Cards

The JML and JUnit Way of Unit Testing and its Implementation

JML What are model fields? Translation to JavaDL Demo. JML Model Fields. Christian Engel. ITI, Universität Karlsruhe. 08.

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

5.5 Behavioral Subtyping

Verifying Java Programs

Assertions, pre/postconditions

A Library-Based Approach to Translating OCL Constraints to JML Assertions for Runtime Checking

Formal Systems II: Applications

A Fitness Function to Find Feasible Sequences of Method Calls for Evolutionary Testing of Object-Oriented Programs

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

Property Specifications

Adding native specifications to JML

Preliminary Design of JML:

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

Java Framework Implementing Design Patterns by the Use of JML and Contract4J

Java: advanced object-oriented features

Karsten Sohr Center for Computing Technologies Universität Bremen, Germany

Non-null References by Default in the Java Modeling Language

Desugaring JML Method Specifications

Automated Random Testing to Detect Specification-Code Inconsistencies

Preliminary Design of JML:

Preliminary Design of JML:

Abstract Classes. Abstract Classes a and Interfaces. Class Shape Hierarchy. Problem AND Requirements. Abstract Classes.

Transcription:

Formal Specification and Verification Formal Specification, Part III Bernhard Beckert Adaptation of slides by Wolfgang Ahrendt Chalmers University, Gothenburg, Sweden Formal Specification and Verification: Formal Specification 1 / 71

Java Modeling Language (JML) JML is a specification language tailored to Java. General Philosophy Integrate specification and implementation in one single language. JML is not external to Java JML is Formal Specification and Verification: Formal Specification 2 / 71

Java Modeling Language (JML) JML is a specification language tailored to Java. General Philosophy Integrate specification and implementation in one single language. JML is not external to Java JML is Java Formal Specification and Verification: Formal Specification 2 / 71

Java Modeling Language (JML) JML is a specification language tailored to Java. General Philosophy Integrate specification and implementation in one single language. JML is not external to Java JML is Java + FO Logic + pre/post-conditions, invariants + more... Formal Specification and Verification: Formal Specification 2 / 71

Java Modeling Language (JML) JML is a specification language tailored to Java. General Philosophy Integrate specification and implementation in one single language. JML is not external to Java JML is Java + FO Logic + pre/post-conditions, invariants + more... Formal Specification and Verification: Formal Specification 2 / 71

Java Modeling Language (JML) JML is a specification language tailored to Java. General Philosophy Integrate specification and implementation in one single language. JML is not external to Java JML is Java + FO Logic + pre/post-conditions, invariants + more... Formal Specification and Verification: Formal Specification 2 / 71

JML Annotations JML extends Java by annotations. JML annotations include: preconditions postconditions intermediate assertions class invariants additional modifiers specification-only field declarations specification-only field conditions specification-only field assignments... : in this course, : not in this course Formal Specification and Verification: Formal Specification 3 / 71

JML/Java integration JML annotations are attached to Java programs by writing them directly into the Java source code files! But to not confuse the Java compiler: JML annotations live in in special comments, ignored by Java, but recognised by JML. Formal Specification and Verification: Formal Specification 4 / 71

JML/Java integration JML annotations are attached to Java programs by writing them directly into the Java source code files! But to not confuse the Java compiler: JML annotations live in in special comments, ignored by Java, but recognised by JML. Formal Specification and Verification: Formal Specification 4 / 71

JML Example 1 from the file ATM.java. /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (.... Formal Specification and Verification: Formal Specification 6 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... Everything between /* and */ is invisible for Java. Formal Specification and Verification: Formal Specification 8 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... But: A Java comment with @ as its first character is not a comment for JML. (Non-Java) JML annotations appear in Java comments starting with @. How about // comments? Formal Specification and Verification: Formal Specification 10 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... But: A Java comment with @ as its first character is not a comment for JML. (Non-Java) JML annotations appear in Java comments starting with @. How about // comments? Formal Specification and Verification: Formal Specification 10 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... But: A Java comment with @ as its first character is not a comment for JML. (Non-Java) JML annotations appear in Java comments starting with @. How about // comments? Formal Specification and Verification: Formal Specification 10 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... But: A Java comment with @ as its first character is not a comment for JML. (Non-Java) JML annotations appear in Java comments starting with @. How about // comments? Formal Specification and Verification: Formal Specification 10 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... is equivalent to: //@ public normal_behavior //@ requires!customerauthenticated; //@ requires pin == insertedcard.correctpin; //@ ensures customerauthenticated; public void enterpin (int pin) { if (... Formal Specification and Verification: Formal Specification 12 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... What about the intermediate @ s? Within a JML annotation, a @ is ignored: if it is the first (non-white) character in the line if it is the last character before */. The blue @ s are not required, but it s a convention to use them. Formal Specification and Verification: Formal Specification 14 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... What about the intermediate @ s? Within a JML annotation, a @ is ignored: if it is the first (non-white) character in the line if it is the last character before */. The blue @ s are not required, but it s a convention to use them. Formal Specification and Verification: Formal Specification 14 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... What about the intermediate @ s? Within a JML annotation, a @ is ignored: if it is the first (non-white) character in the line if it is the last character before */. The blue @ s are not required, but it s a convention to use them. Formal Specification and Verification: Formal Specification 14 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This is a public specification case, meaning it: 1 is visible from all classes and interfaces 2 can only mention public fields/methods of this class 2. is normally a problem. Solution later in the lecture. In this course: only public specifications. Formal Specification and Verification: Formal Specification 16 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This is a public specification case, meaning it: 1 is visible from all classes and interfaces 2 can only mention public fields/methods of this class 2. is normally a problem. Solution later in the lecture. In this course: only public specifications. Formal Specification and Verification: Formal Specification 16 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This is a public specification case, meaning it: 1 is visible from all classes and interfaces 2 can only mention public fields/methods of this class 2. is normally a problem. Solution later in the lecture. In this course: only public specifications. Formal Specification and Verification: Formal Specification 16 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... Each keyword ending on behavior opens a specification case. normal_behavior opens a normal behavior specification case : The method guarantees normal termination if the caller guarantees all preconditions of this specification case. Formal Specification and Verification: Formal Specification 18 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This specification case has two preconditions (marked by requires) 1!customerAuthenticated 2 pin == insertedcard.correctpin Here, the preconditions are boolean Java expressions. In general, pre/postconditions and invariants are boolean JML expressions. Formal Specification and Verification: Formal Specification 20 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This specification case has two preconditions (marked by requires) 1!customerAuthenticated 2 pin == insertedcard.correctpin Here, the preconditions are boolean Java expressions. In general, pre/postconditions and invariants are boolean JML expressions. Formal Specification and Verification: Formal Specification 20 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ This specifies only the case where both preconditions are true in the prestate. I.e., the above is equivalent to: /*@ public normal_behavior @ requires (!customerauthenticated @ && pin == insertedcard.correctpin ); @ ensures customerauthenticated; @*/ Formal Specification and Verification: Formal Specification 22 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This specification case has one postcondition (marked by ensures) customerauthenticated Again, the postcondition is a boolean Java expressions. Again, in general pre/postconditions and invariants are boolean JML expressions. Formal Specification and Verification: Formal Specification 24 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @*/ public void enterpin (int pin) { if (... This specification case has one postcondition (marked by ensures) customerauthenticated Again, the postcondition is a boolean Java expressions. Again, in general pre/postconditions and invariants are boolean JML expressions. Formal Specification and Verification: Formal Specification 24 / 71

Discussion Example 1 /*@ public normal_behavior @ requires!customerauthenticated; @ requires pin == insertedcard.correctpin; @ ensures customerauthenticated; @ @ also @ @ public normal_behavior @ requires!customerauthenticated; @ requires pin!= insertedcard.correctpin; @ requires wrongpincounter < 2; @ ensures wrongpincounter == \old(wrongpincounter) + 1; @*/ public void enterpin (int pin) { if (... Formal Specification and Verification: Formal Specification 26 / 71 Different specification cases are connected by also.

Discussion Example 1 /*@ <spec-case1> also @ @ public normal_behavior @ requires!customerauthenticated; @ requires pin!= insertedcard.correctpin; @ requires wrongpincounter < 2; @ ensures wrongpincounter == \old(wrongpincounter) + 1; @*/ public void enterpin (int pin) {... Now, for the first time, we have a JML expression which is not a Java expression. \old(e ) is: E evaluated in the prestate of enterpin. E can be any (arbitrarily complicated) Java/JML expression. Formal Specification and Verification: Formal Specification 28 / 71

Discussion Example 1 /*@ <spec-case1> also <spec-case2> also @ @ public normal_behavior @ requires insertedcard!= null; @ requires!customerauthenticated; @ requires pin!= insertedcard.correctpin; @ requires wrongpincounter >= 2; @ ensures insertedcard == null; @ ensures \old(insertedcard).invalid; @*/ public void enterpin (int pin) {... Ths specification case has two postconditions, stating that: Given the above preconditions, enterpin guarantees: (insertedcard == null && \old(insertedcard).invalid) Formal Specification and Verification: Formal Specification 30 / 71

JML Modifiers JML extends the Java modifiers by additional modifiers. The most important ones are: spec public pure Aim: admitting more class elements to be used in JML expressions. Formal Specification and Verification: Formal Specification 31 / 71

JML Modifiers: spec public In Example 1 (enterpin), pre- and postconditions made heavy use of class fields. But: public specifications can only talk about public fields. Not desired: make all fields public. Solution: keep the fields private/protected make those needed for specification spec public private /*@ spec_public @*/ boolean customerauthenticated; private /*@ spec_public @*/ int wrongpincounter; Formal Specification and Verification: Formal Specification 33 / 71

JML Modifiers: spec public In Example 1 (enterpin), pre- and postconditions made heavy use of class fields. But: public specifications can only talk about public fields. Not desired: make all fields public. Solution: keep the fields private/protected make those needed for specification spec public private /*@ spec_public @*/ boolean customerauthenticated; private /*@ spec_public @*/ int wrongpincounter; Formal Specification and Verification: Formal Specification 33 / 71

JML Modifiers: spec public In Example 1 (enterpin), pre- and postconditions made heavy use of class fields. But: public specifications can only talk about public fields. Not desired: make all fields public. Solution: keep the fields private/protected make those needed for specification spec public private /*@ spec_public @*/ boolean customerauthenticated; private /*@ spec_public @*/ int wrongpincounter; Formal Specification and Verification: Formal Specification 33 / 71

JML Modifiers: pure It can be handy to use method calls in JML annotations. Examples: o1.equals(o2) li.contains(elem) li1.max() < li2.min() This is allowed if, and only if, the method call is guaranteed to have no side effects. In JML, you can specify methods to be pure : public /*@ pure @*/ int max() {... The pure modifier puts an additional obligation on the implementer (no to use side effects), but allows to use the method in annotations. Formal Specification and Verification: Formal Specification 35 / 71

JML Expressions and FO Logic So far: pre/postconditions did not use first-order logic formulae, but simply boolean Java expressions. But: last lecture motivated the need for more powerful features, foremost quantification 1. many specification frameworks employ formulas of some logic Not so JML! Design decision taken in JML Instead of going from Java boolean expressions to a more expressive logic, make the boolean expressions more expressive themselves. 1 see List::set() Formal Specification and Verification: Formal Specification 36 / 71

JML Expressions and FO Logic So far: pre/postconditions did not use first-order logic formulae, but simply boolean Java expressions. But: last lecture motivated the need for more powerful features, foremost quantification 1. many specification frameworks employ formulas of some logic Not so JML! Design decision taken in JML Instead of going from Java boolean expressions to a more expressive logic, make the boolean expressions more expressive themselves. 1 see List::set() Formal Specification and Verification: Formal Specification 36 / 71

JML Expressions and FO Logic JML boolean expressions extend Java boolean expressions by: implication quantification (more...) Instead of a formula being valid, or not valid, in a certain model, we speak about a boolean expression being true or false in a certain state. Formal Specification and Verification: Formal Specification 37 / 71

boolean JML Expressions boolean JML expressions are defined recursively: Formulae each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) a ==> b ( a implies b ) a <==> b ( a is equivalent to b ) (\forall t x; a) ( for all x of type t is true ) (\exists t x; a) ( there exists x of type t such that a ) (\forall t x; a; b) ( for all x of type t fulfilling a, b is true ) (\exists t x; a; b) ( there exists x of type t fulfilling a, such that b ) Formal Specification and Verification: Formal Specification 39 / 71

boolean JML Expressions boolean JML expressions are defined recursively: Formulae each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) a ==> b ( a implies b ) a <==> b ( a is equivalent to b ) (\forall t x; a) ( for all x of type t is true ) (\exists t x; a) ( there exists x of type t such that a ) (\forall t x; a; b) ( for all x of type t fulfilling a, b is true ) (\exists t x; a; b) ( there exists x of type t fulfilling a, such that b ) Formal Specification and Verification: Formal Specification 39 / 71

JML Quantifiers In the two last quantifier expressions: (\forall t x; a; b) and (\exists t x; a; b) a is called the range predicate These forms are redundant: (\forall t x; a; b) is equivalent to (\forall t x; a ==> b) and (\exists t x; a; b) is equivalent to (\exists t x; a && b) Formal Specification and Verification: Formal Specification 41 / 71

Pragmatics of Range Predicates Even if the forms (\forall t x; a; b) and (\exists t x; a; b) are redundant, they are widely used. Pragmatics of the range predicate: a is used to restrict the range of x further than its type t does. (\forall int i,j; 0 <= i && i < j && j < 10; a[i] < a[j]) says that a is sorted at indexes between 0 and 9. The quantifiers for i and j range over values making the expression between ; and ; true. Formal Specification and Verification: Formal Specification 43 / 71

Generalized Quantifiers JML offers generalised quantifiers: \max \min \product \sum returning the maximum, minimum, product, or sum of the values of the expressions given, where the variables satisfy the given range. Examples (all formulae are true): (\sum int i; 0 <= i && i < 5; i) == 0 + 1 + 2 + 3 + 4 (\product int i; 0 < i && i < 5; i) == 1 * 2 * 3 * 4 (\max int i; 0 <= i && i < 5; i) == 4 (\min int i; 0 <= i && i < 5; i-1) == -1 Formal Specification and Verification: Formal Specification 45 / 71

Result Values in Postcondition /*@ public normal_behavior @ ensures (\forall int j; j >= 0 && j < a.length; @ \result >= a[j]); @*/ public static /*@ pure @*/ int max(int[] a) { if (... In a postcondition: one can use \result to refer to the return value of the method. But is the above postcondition sufficient? Formal Specification and Verification: Formal Specification 47 / 71

Result Values in Postcondition /*@ public normal_behavior @ ensures (\forall int j; j >= 0 && j < a.length; @ \result >= a[j]); @*/ public static /*@ pure @*/ int max(int[] a) { if (... In a postcondition: one can use \result to refer to the return value of the method. But is the above postcondition sufficient? Formal Specification and Verification: Formal Specification 47 / 71

Result Values in Postcondition /*@ public normal_behavior @ ensures (\forall int j; j >= 0 && j < a.length; @ \result >= a[j]); @*/ public static /*@ pure @*/ int max(int[] a) { if (... In a postcondition: one can use \result to refer to the return value of the method. But is the above postcondition sufficient? Formal Specification and Verification: Formal Specification 47 / 71

Result Values in Postcondition /*@ public normal_behavior @ ensures (\forall int j; j >= 0 && j < a.length; @ \result >= a[j]); @ ensures a.length > 0 ==> @ (\exists int j; j >= 0 && j < a.length; @ \result == a[j]); @*/ public static /*@ pure @*/ int max(int[] a) { if (... Formal Specification and Verification: Formal Specification 49 / 71

JML Invariants So far: attached pre/postconditions to methods. Now: attaching invariants to classes. We are free where to put it in the class (potentially close to fields the invariant talks about). Formal Specification and Verification: Formal Specification 50 / 71

JML Invariants: Example /*@ public invariant @ accountproxies!= null; @ public invariant @ accountproxies.length == maxaccountnumber; @ public invariant @ (\forall int i; i >= 0 && i < maxaccountnumber; @ ( accountproxies[i] == null @ @ accountproxies[i].accountnumber == i )); @*/ private /*@ spec_public nullable@*/ final OfflineAccountProxy[] accountproxies = new OfflineAccountProxy [maxaccountnumber]; Formal Specification and Verification: Formal Specification 52 / 71

non null and nullable JML extends the Java modifiers by further modifiers: class fields method parameters method return types can be declared as nullable: may or may not be null non_null: must not be null Formal Specification and Verification: Formal Specification 54 / 71

non null: Examples private /*@ spec_public non_null @*/ String name; invariant public invariant name!= null; implicitly added to class public void insertcard(/*@ non_null @*/ BankCard card) {.. precondition requires card!= null; implicitly added to each specification case of insertcard public /*@ non_null @*/ String tostring() postcondition ensures \result!= null; implicitly added to each specification case of tostring Formal Specification and Verification: Formal Specification 56 / 71

non null is default in JML! same effect even without explicit non null s private /*@ spec_public @*/ String name; invariant public invariant name!= null; implicitly added to class public void insertcard(bankcard card) {.. precondition requires card!= null; implicitly added to each specification case of insertcard public String tostring() postcondition ensures \result!= null; implicitly added to each specification case of tostring Formal Specification and Verification: Formal Specification 58 / 71

nullable: Examples To prevent such pre/post conditions and invariants: nullable private /*@ spec_public nullable @*/ String name; no implicit invariant added public void insertcard(/*@ nullable @*/ BankCard card) {.. no implicit precondition added public /*@ nullable @*/ String tostring() no implicit postcondition added to specification cases of tostring Formal Specification and Verification: Formal Specification 60 / 71

LinkedList: non null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: all elements in the list are non_null the list is cyclic, or infinite! Formal Specification and Verification: Formal Specification 62 / 71

LinkedList: non null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: all elements in the list are non_null the list is cyclic, or infinite! Formal Specification and Verification: Formal Specification 62 / 71

LinkedList: non null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: all elements in the list are non_null the list is cyclic, or infinite! Formal Specification and Verification: Formal Specification 62 / 71

LinkedList: non null or nullable? Repair: public class LinkedList { private Object elem; private /*@ nullable @*/ LinkedList next;... Now, the list is allowed to end somewhere! Formal Specification and Verification: Formal Specification 64 / 71

Final Remark on non null and nullable non null as default in JML is fairly new. Not yet well reflected in literature and tools. Formal Specification and Verification: Formal Specification 66 / 71

JML and Inheritance All JML contracts, i.e. specification cases class invariants are inherited down from superclasses to subclasses. A class has to fulfill all contracts of its superclasses. Recall the hashcode problem from lecture 6. Formal Specification and Verification: Formal Specification 67 / 71

Literature This was an intro into JML essentials. Two tutorial papers: Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML Gary T. Leavens, Albert L. Baker, and Clyde Ruby. JML: A Notation for Detailed Design Both go beyond today s lecture, but that doesn t hurt. The reference manual, for look-up: Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, and Joseph Kiniry. JML Reference Manual all available at www.eecs.ucf.edu/~leavens/jml/documentation.shtml Formal Specification and Verification: Formal Specification 69 / 71

Tools Many tools support JML (see www.eecs.ucf.edu/~leavens/jml/). Most basic tool set: jml, a syntax and type checker jmlc, JML/Java compiler. Compile runtime assertion checks into the code. jmldoc, like javadoc for Java + JML jmlunit, unit testing based on JML We recommend to use jml to check the syntax. Formal Specification and Verification: Formal Specification 71 / 71

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback