ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Similar documents
ESC/Java2 Use and Features

ESC/Java2 Use and Features

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Specification tips and pitfalls

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Advances in Programming Languages

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Static program checking and verification

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Advanced JML Erik Poll Radboud University Nijmegen

Program Verification (6EC version only)

objects

The Provers of ESC/Java2

Formal Specification and Verification

Java Modelling Language (JML) References

Extended Static Checking for Java

JML. Java Modeling Language

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

The Java Modeling Language (Part 2)

Testing Library Specifications by Verifying Conformance Tests

Non-null References by Default in the Java Modeling Language

The Java Modeling Language JML

Checking Program Properties with ESC/Java

Design by Contract and JML: concepts and tools

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Advances in Programming Languages

Advances in Programming Languages

Analysis of Software Artifacts

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Chapter 4 Java Language Fundamentals

Formale Entwicklung objektorientierter Software

An overview of JML tools and applications

A Java Reference Model of Transacted Memory for Smart Cards

CS 61B Data Structures and Programming Methodology. July 3, 2008 David Sun

Java Modeling Language (JML)

C++ Inheritance and Encapsulation

Using Type Annotations to Improve Your Code

From JML to BCSL (Draft Version)

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Adding native specifications to JML

Cover Page. The handle holds various files of this Leiden University dissertation

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Exceptions and Libraries

OVERRIDING. 7/11/2015 Budditha Hettige 82

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

COMP6700/2140 Packages, Modules and Jigsaw

Module Road Map. 7. Version Control with Subversion Introduction Terminology

CSC207H: Software Design. Java + OOP. CSC207 Winter 2018

Atelier Java - J1. Marwan Burelle. EPITA Première Année Cycle Ingénieur.

CS11 Advanced Java. Winter Lecture 2

Advances in Programming Languages

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Full Verification of the KOA Tally System

JML and ESC/Java2 Homework Exercises

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Formal Methods for Java

5.5 Behavioral Subtyping

Assertions. Assertions - Example

Static Semantics. Winter /3/ Hal Perkins & UW CSE I-1

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Programming Assignment III

JML Template Generation

Verifying Java Programs

Code verification. CSE 331 University of Washington. Michael Ernst

CSCE3193: Programming Paradigms

Java Modelling Language (JML) References

Toward Instant Gradeification

Reachability Analysis for Annotated Code

CnC: Check n Crash. Combining static checking and testing. Christoph Csallner and Yannis Smaragdakis

CS 220: Introduction to Parallel Computing. Arrays. Lecture 4

Integrating verification in programming languages

Java Classes. Produced by. Introduction to the Java Programming Language. Eamonn de Leastar

The Java Modeling Language (Part 1)

Formal Specification and Verification

CS/ENGRD 2110 SPRING Lecture 5: Local vars; Inside-out rule; constructors

Specification of a transacted memory for smart cards in Java and JML

Java How to Program, 10/e. Copyright by Pearson Education, Inc. All Rights Reserved.

Rigorous Software Development CSCI-GA

Introduction to Programming Using Java (98-388)

Overview The Java Modeling Language (Part 1) Related Work

Certification In Java Language Course Course Content

The Use of JML in Embedded Real-Time Systems

Object-Oriented Programming, Part 2

C++ Inheritance and Encapsulation

12/22/11. Java How to Program, 9/e. public must be stored in a file that has the same name as the class and ends with the.java file-name extension.

Java: advanced object-oriented features

AP Computer Science Chapter 10 Implementing and Using Classes Study Guide

A Small Survey of Java Specification Languages *

Formal Techniques for Java-like Programs (FTfJP)

The Checker Framework Manual

Object Ownership in Program Verification

Detecting and preventing null pointer errors with pluggable type-checking

Formal Methods for Java

Transcription:

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/??

The ESC/Java2 tool David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.2/??

Structure of ESC/Java2 ESC/Java2 consists of a parsing phase (syntax checks), typechecking phase (type and usage checks), static checking phase (reasoning to find potential bugs) - runs a behind-the-scenes prover called Simplify Parsing and typechecking produce cautions or errors. Static checking produces warnings. The focus of ESC/Java2 is on static checking, but reports of bugs, unreported errors, confusing messages, documentation or behavior, and even just email about your application and degree of success are Very Welcome. [and Caution: this is still an alpha release] David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.3/??

Running ESC/Java2 Download the binary distribution from http://www.cs.kun.nl/sos/research/escjava Untar the distribution and follow the instructions in README.release about setting environment variables. Run the tool by doing one of the following: Run a script in the release: escjava2 or escj.bat Run the tool directly with java -cp esctools2.jar escjava.main, but then you need to be sure to provide values for the -simplify and -specs options. Run a GUI version of the tool by double-clicking the release version of esctools2.jar Run a GUI version of the tool by executing it with java -jar esctools2.jar (in which case you can add options). David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.4/??

Supported platforms ESC/Java2 is supported on Linux MacOSX Cygwin on Windows Windows (but there are some environment issues still to be resolved) Solaris (in principle - we are not testing there) Note that the tool itself is relatively portable Java, but the underlying prover is a Modula-3 application that must be compiled and supplied for each platform. Help with platform-dependence issues is welcome. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.5/??

Environment The application relies on the environment having a Simplify executable (such as Simplify-1.5.4.macosx) for your platform, typically in the same directory as the application s jar file; the SIMPLIFY environment variable set to the name of the executable for this platform; a set of specifications for Java system files - by default these are bundled into the application jar file, but they are also in jmlspecs.jar. The scripts prefer that the variable ESCTOOLS_RELEASE be set to the directory containing the release. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.6/??

Command-line options The items on the command-line are either options and their arguments or input entries. Some commonly used options (see the documentation for more): -help - prints a usage message -quiet - turns off informational messages (e.g. progress messages) -nowarn - turns off a warning -classpath - sets the path to find referenced classes [best if it contains. ] -specs - sets the path to library specification files -simplify - provides the path to the simplify executable -f - the argument is a file containing command-line arguments -nocheck - parse and typecheck but no verification -routine - restricts checking to a single routine -eajava, -eajml - enables checking of Java assertions -counterexample - gives detailed information about a warning David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.7/??

Input entries The input entries on the command-line are those classes that are actually checked. Many other classes may be referenced for class definitions or specifications - these are found on the classpath (or sourcepath or specspath). file names - of java or specification files (relative to the current directory) directories - processes all java or specification files (relative to the current directory) package - (fully qualified name) - found on the classpath class - (fully qualified name) - found on the classpath list - (prefaced by -list) - a file containing input entries David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.8/??

Specification files Specifications may be added directly to.java files Specifications may alternatively be added to specification files. No method bodies No field initializers Recommended suffix:.refines-java Recommend a refines annotation (see documentation) Must also be on the classpath David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.9/??

Specification file example package java.lang; import java.lang.reflect.*; import java.io.inputstream; public final class Class implements java.io.serializable { private Class(); /*@ also public normal_behavior @ ensures \result!= null &&!\result.equals("") @ && (* \result is the name of this class object *); @*/ public /*@ pure @*/ String tostring();... David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.10/??

Bag demo David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.11/??

modular reasoning ESC/Java2 reasons about every method individually. So in class A{ byte[] b; public void n() { b = new byte[20]; } public void m() { n(); b[0] = 2;... } ESC/Java2 warns that b[0] may be a null dereference here, even though you can see that it won t be. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.12/??

modular reasoning To stop ESC/Java2 complaining: add a postcondition class A{ byte[] b; //@ ensures b!= null && b.length = 20; public void n() { a = new byte[20]; } public void m() { n(); b[0] = 2;... } So: property of method that is relied on has to be made explicit. Also: subclasses that override methods have to preserve these. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.13/??

modular reasoning Similarly, ESC/Java will complain about b[0] = 2 in class A{ byte[] b; public void A() { b = new byte[20]; } public void m() { b[0] = 2;... } Maybe you can see that this is a spurious warning, though this will be harder than in the previous example: you ll have to inspect all constructors and all methods. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.14/??

modular reasoning To stop ESC/Java2 complaining here: add an invariant class A{ byte[] b; //@ invariant b!= null && b.length == 20; // or weaker property for b.length? public void A() { b = new byte[20]; } public void m() { b[0] = 2;... } So again: properties you rely on have to be made explicit. And again: subclasses have to preserve these properties. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.15/??

assume Alternative to stop ESC/Java2 complaining: add an assumption:... //@ assume b!= null && b.length > 0; b[0] = 2;... Especially useful during development, when you re still trying to discover hidden assumptions, or when ESC/Java2 s reasoning power is too weak. (requires can be understood as a form of assume.) David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.16/??

need for assignable clauses class A{ byte[] b;... public void m() {... b = new byte[3]; //@ assert b!= null; // ok! o.n(...); //@ assert b!= null; // ok?... } What does ESC/Java need to know about o.n to check the second assert? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.17/??

need for assignable clauses class A{ byte[] b;... public void m() {... b = new byte[3]; //@ assert b!= null; // ok! o.n(b); //@ assert b!= null; // ok?... } A detailed spec for o.n might give a postcondition saying that b is not null. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.18/??

need for assignable clauses class A{ byte[] b;... public void m() {... b = new byte[3]; //@ assert b!= null; // ok! o.n(); //@ assert b!= null; // ok?... } If the postcondition of o.n doesn t tell us b won t be not null and can t be expected to we need the assignable clause to tell us that o.n won t affect b. Declaring o.n as pure would solve the problem. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.19/??

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback