Recent Trends in OO Modelling Languages

Similar documents
Advances in Programming Languages

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Overview The Java Modeling Language (Part 1) Related Work

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Formal Methods for Java

An Annotated Language

The Java Modeling Language (Part 2)

Verification Condition Generation

The Java Modeling Language JML

Advances in Programming Languages

The Java Modeling Language (Part 1)

Program Verification (6EC version only)

Runtime Checking for Program Verification Systems

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

JML s Rich, Inherited Specifications for Behavioral Subtypes

JML What are model fields? Translation to JavaDL Demo. JML Model Fields. Christian Engel. ITI, Universität Karlsruhe. 08.

Towards Combined Static and Runtime Verification of Distributed Software

Integrating verification in programming languages

hijac UTP Semantics for Safety-Critical Java University of York hijac Workshop 15 November 2011

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

Informal Semantics of Data. semantic specification names (identifiers) attributes binding declarations scope rules visibility

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Architectural design: the coordination perspective

A Sound Operational Semantics for Circus

Test Case Generation by OCL Mutation and Constraint Solving

TIME-BASED CONSTRAINTS IN THE OBJECT CONSTRAINT LANGUAGE OCL

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Automatic Transformation from Requirements Models to Executable Prototypes

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Java Modelling Language (JML) References

Shared Variables and Interference

Formal Specification and Verification

Testing Library Specifications by Verifying Conformance Tests

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Automatic Verification of Computer Programs

Chapter 3. Describing Syntax and Semantics ISBN

Shared Variables and Interference

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Specification of a transacted memory for smart cards in Java and JML

Research Collection. Reusable mathematical models. Master Thesis. ETH Library. Author(s): Widmer, Tobias K. Publication Date: 2004

Faithful mapping of model classes to mathematical structures

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

JML in Feature-Oriented Programming

Science of Computer Programming. Refinement and verification in component-based model-driven design

Lecture 10 Design by Contract

Advances in Programming Languages

Testing, Debugging, and Verification

5.5 Behavioral Subtyping

Prototyping System Requirements Model

Specifying and Verifying Programs (Part 2)

Verifying Java Programs Verifying Java Programs with KeY

Chapter 3 (part 3) Describing Syntax and Semantics

Formal Methods. CITS5501 Software Testing and Quality Assurance

A Type System for the Relational Calculus of Object Systems

Why. an intermediate language for deductive program verification

Formale Entwicklung objektorientierter Software

Dynamic Dispatch for Method Contracts Through Abstract Predicates

JPred-P 2. Josh Choi, Michael Welch {joshchoi,

Lectures 20, 21: Axiomatic Semantics

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Programming Languages Third Edition

Cover Page. The handle holds various files of this Leiden University dissertation

Modeling, Testing and Executing Reo Connectors with the. Reo, Eclipse Coordination Tools

Verifying Java Programs Verifying Java Programs with KeY

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

A Fitness Function to Find Feasible Sequences of Method Calls for Evolutionary Testing of Object-Oriented Programs

Axiomatic Specification. Al-Said, Apcar, Jerejian

Formal Methods for Java

Graph Representation of Sessions and Pipelines for Structured Service Programming

Preliminary Design of JML: A Behavioral Interface Specication. Language for Java. Gary T. Leavens, Albert L. Baker and Clyde Ruby.

Modeling and Verification of Connectors in Complex Systems

Operational Semantics for Model Checking Circus

Generating JML Specifications from Alloy Expressions

The Rule of Constancy(Derived Frame Rule)

Hoare Logic: Proving Programs Correct

Java Modeling Language (JML)

From Event-B Models to Dafny Code Contracts

Chapter 3. Describing Syntax and Semantics

the Common Algebraic Specification Language

Preliminary Design of JML:

Fundamentals of Software Engineering

Preliminary Design of JML:

Verification of Control Systems using Circus

OO Design Principles

Lecture 11 Lecture 11 Nov 5, 2014

A Small Survey of Java Specification Languages *

LOGIC AND DISCRETE MATHEMATICS

Validation of Requirement Models by Automatic Prototyping

Inter-process communication (IPC)

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Verifying Java Programs with KeY

Automatic Test Case Generation for OCL: a Mutation Approach

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Lecture 4. First order logic is a formal notation for mathematics which involves:

Operational Semantics. One-Slide Summary. Lecture Outline

Guarded Operations, Refinement and Simulation

Transcription:

JML,, Institute for Software Technology Graz University of Technology Graz, Austria United Nations University International Institute for Software Technology Macao S.A.R. China Overture 2006

Outline JML 1 JML 2 3 4

Java Modelling Language (JML) inspired by VDM + Larch +... Design by Contract: abstraction level lower than VDM++ but not that low: model fields (e.g. to specify interfaces) refinement and retrieve functions sets, sequences and maps for modelling Undefinedness: all function applications denote Original motivation: theorem provers need this semantics ICFEM 2006: G. Leavens reconsiders this (Patrice Chaline). VDM s notation is more elegant!

Alarm System JML Classes AlarmSystem Qualification Alarm Period Expert (Description) Methods experttopage expertisonduty numberofexperts

Declarations of the Methods R6: public int numberofexperts(period p); R7: public Period[] expertisonduty(expert e); R8: public Expert experttopage(alarm a, Period p);

Alarm System: Schedule R1 implies a kind of schedule: /*@ public model instance JMLObjectToObjectRelation schedule; @ public invariant @ (\forall JMLType dv, rv; schedule.has(dv,rv); @ dv instanceof Period && @ rv instanceof Expert); @*/

Alarm System: Alarms /*@ public model instance JMLValueSet alarms; @ public invariant @ (\forall JMLType e; schedule.has(e); @ e instanceof Alarm); @*/

Alarm System: Invariant At any period experts need to be on duty who can cope with any possible alarm! /*@ public invariant @ (\forall Alarm a; alarms.has(a); @ (\forall JMLType per; schedule.isdefinedat(per); @ qualificationok(schedule.elementimage(per), @ a.needed))); @*/

Auxiliary Function JML Auxiliary function to make the invariant more readable: /*@ public model pure boolean qualificationok(jmlobjectset exs, Qualification q) { return (\exists Expert ex; exs.has(ex); (\exists int i; 0 <= i && i < ex.quali.length; ex.quali[i] == (q))); } @*/ but, JML does not allow this.

Auxiliary Function JML Auxiliary function to make the invariant more readable: /*@ public model pure boolean qualificationok(jmlobjectset exs, Qualification q) { return (\exists Expert ex; exs.has(ex); (\exists int i; 0 <= i && i < ex.quali.length; ex.quali[i] == (q))); } @*/ but, JML does not allow this.

Corrected Auxiliary Function playing a trick: /*@ ensures (\exists Expert ex; exs.has(ex); @ (\exists int i; 0 <= i && i < ex.quali.length; @ ex.quali[i] == q)); public model pure boolean qualificationok(jmlobjectset exs, Qualification q) { return true; } @*/

Method 1 JML /*@ requires schedule.isdefinedat(p); @ ensures \result == schedule.elementimage(p).size(); @*/ public int numberofexperts(period p);

Method 2 JML Calculating the result using a SetComprehension: /*@ @ ensures \result == @ (new JMLObjectSet @ {Period p schedule.domain().has(p) && @ schedule.has(p,e)}).toarray(); @*/ public Period[] expertisonduty(expert e);

Method 3 JML Implicit result specification: /*@ requires schedule.isdefinedat(p) && alarms.has(a); @ ensures @ schedule.has(p,\result) && @ (\exists int i; i >= 0 && i < \result.quali.length; @ \result.quali[i] == a.needed); @*/ public Expert experttopage(alarm a, Period p);

: Refinement of Component and Object Systems UNU-IIST: Liu Zhiming, He Jifeng et al. based on UTP: Hoare and He s Unifying Theories of Programming (as Woodcock s Circus) Methods are modelled as (guarded) UTP designs: execution is relation btw. states of a program. provides refinement calculus in relational or predicate transformer semantics (weakest-precondition) reactive designs add a Boolean variable wait guarded designs set wait true if guard is false Interfaces: collection of features (field and method declarations) Contract: Interface, Init, Methods, Protocol Undefinedness: not explicitly handled

UTP: Theory of Designs Designs Let p and Q be predicates not containing ok or ok and p having only undecorated variables. p Q = df (ok p) (ok Q) A design is a relation whose predicate is (or could be) expressed in this form. Refinement Correctness is defined via implication: v,w, A P S, for all P with alphabet A. we write [P S] or S P

UTP: Theory of Designs Designs Let p and Q be predicates not containing ok or ok and p having only undecorated variables. p Q = df (ok p) (ok Q) A design is a relation whose predicate is (or could be) expressed in this form. Refinement Correctness is defined via implication: v,w, A P S, for all P with alphabet A. we write [P S] or S P

Refinement of Pre-Postconditions Theorem [(p 1 Q 1 ) (p 2 Q 2 )] iff [p 2 p 1 ] and [(p 2 Q 1 ) Q 2 ] Like in VDM: preconditions are weakened and postconditions are strengthened.

= REO + Creol FW6 project: CWI, Oslo, UNU-IIST, Uppsala et al. modelling and simulation of evolving component networks Components Collections of Creol Classes (Oslo) Type-safe runtime class upgrades Interfaces Operational Semantics in Maude Glue REO networks: a calculus of mobile channels (CWI) Glue will be a special component Undefinedness in Maude: via sorts extended with undefined terms (kinds) and conditional membership (no logic)

= REO + Creol FW6 project: CWI, Oslo, UNU-IIST, Uppsala et al. modelling and simulation of evolving component networks Components Collections of Creol Classes (Oslo) Type-safe runtime class upgrades Interfaces Operational Semantics in Maude Glue REO networks: a calculus of mobile channels (CWI) Glue will be a special component Undefinedness in Maude: via sorts extended with undefined terms (kinds) and conditional membership (no logic)

= REO + Creol FW6 project: CWI, Oslo, UNU-IIST, Uppsala et al. modelling and simulation of evolving component networks Components Collections of Creol Classes (Oslo) Type-safe runtime class upgrades Interfaces Operational Semantics in Maude Glue REO networks: a calculus of mobile channels (CWI) Glue will be a special component Undefinedness in Maude: via sorts extended with undefined terms (kinds) and conditional membership (no logic)

= REO + Creol FW6 project: CWI, Oslo, UNU-IIST, Uppsala et al. modelling and simulation of evolving component networks Components Collections of Creol Classes (Oslo) Type-safe runtime class upgrades Interfaces Operational Semantics in Maude Glue REO networks: a calculus of mobile channels (CWI) Glue will be a special component Undefinedness in Maude: via sorts extended with undefined terms (kinds) and conditional membership (no logic)

: REO JML by Farhad Arbab et al., CWI paradigm for composition of software components based on mobile channels motivation: compositional construction of glue code dogma: exogenious coordination (coordination from outside) like in dataflow models (e.g. Unix pipes).

: REO Connectors atomic connector: channels two directed ends: source and sink (read and write data) identity, dynamic creation, mobile channel types: synchronous, asynchronous (buffered), lossy, fifo, set, etc. connector: set of channels organised in a graph: nodes are channel ends, edges are channels source, sink and mixed nodes. node operations: read from sink nodes, write to source nodes, move node to new location, hide a node, etc.

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

JML What kind of challenges are JML,, to VDM? How to react to these challenges? Generating VDM to Java + JML? VDM++ semantics in (UTP) VDM++ interpreter in Maude? Adding REO-connectors to VDM++

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback