Java Modeling Language (JML)

Similar documents
Formale Entwicklung objektorientierter Software

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Java Modelling Language (JML) References

Program Verification (6EC version only)

Advances in Programming Languages

The Java Modeling Language JML

Advances in Programming Languages

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Formal Specification and Verification

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Static program checking and verification

JML. Java Modeling Language

Advances in Programming Languages

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Formal Methods for Java

Non-null References by Default in the Java Modeling Language

The Java Modeling Language (Part 2)

Lecture 10 Design by Contract

Overview The Java Modeling Language (Part 1) Related Work

Advances in Programming Languages

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Testing Library Specifications by Verifying Conformance Tests

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Assertions, pre/postconditions

The Java Modeling Language (Part 1)

Analysis of Software Artifacts

JML s Rich, Inherited Specifications for Behavioral Subtypes

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Java Modelling Language (JML) References

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Formal methods What are they? Uses Tools Application to software development

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

Enforcing Information Hiding in Interface Specifications: with The AspectJML specification language. A Client Aware checking Approach

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Testing, Debugging, and Verification

An introduction to formal specifications and JML. Invariant properties

A Java Reference Model of Transacted Memory for Smart Cards

Effective and Efficient Runtime Assertion Checking for JML Through Strong Validity

Runtime Checking for Program Verification Systems

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Formal Methods for Java

JML and ESC/Java2 Homework Exercises

Testing, Debugging, Program Verification

Introduction to the Java Modeling Language

NEER ENGI AUTOMATED TRANSLATION OF VDM-SL TO JML-ANNOTATED JAVA. Electrical and Computer Engineering Technical Report ECE-TR-29

Checking Program Properties with ESC/Java

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

EXAMINATIONS 2009 END-OF-YEAR. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering

Specification of a transacted memory for smart cards in Java and JML

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

CITS5501 Software Testing and Quality Assurance Formal methods

LINEAR INSERTION SORT

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Lecture 9 / Tutorial 8 Software Contracts

Formal Methods for Software Development

ESC/Java2 Use and Features

Formal Methods for Java

ESC/Java2 Use and Features

CSC Advanced Object Oriented Programming, Spring Specification

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

An Annotated Language

Static Analysis in Practice

Formal Methods for Software Development

Code verification. CSE 331 University of Washington. Michael Ernst

Jive/JML Generating Proof Obligations From JML Specifications

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

Rigorous Software Development CSCI-GA

A Simple and Practical Approach to Unit Testing: The JML and JUnit Way

Safety SPL/2010 SPL/20 1

Property Specifications

Design by Contract with JML

Formal Specification with the Java Modeling Language

Classes, interfaces, & documentation. Review of basic building blocks

Control flow in Eiffel

Fundamentals of Software Engineering

Self-checking software insert specifications about the intent of a system

Reachability Analysis for Annotated Code

Lecture Notes: Hoare Logic

Enhancing the Alloy Analyzer with Patterns of Analysis

Research Paper on Implementation of OCL Constraints in JAVA

Combining Design by Contract and Inference Rules of Programming Logic towards Software Reliability

CS 215 Software Design Homework 3 Due: February 28, 11:30 PM

Specification and Verification of Garbage Collector by Java Modeling Language

Lecture 8 Data Structures

Homework #1, on the class web pages later today

Lecture 18 Restoring Invariants

Modular verification of static class invariants

Verifying JML specifications with model fields

Lecture 10 Notes Linked Lists

Design by Contract and JML: concepts and tools

Formal Specification and Verification

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Formal Methods for Java

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Cover Page. The handle holds various files of this Leiden University dissertation

CS 161 Computer Security

A Simple and Practical Approach to Unit Testing: The JML and JUnit Way

A runtime assertion checker for the Java Modeling Language

Transcription:

CIS 771: Software Specifications Introduction to JML Java Modeling Language (JML) A behavioral interface specification language for Java supporting design-by-contract (DBC)... invented by Gary T. Leavens in the 90s the de facto Java specification language in formal methods research community over 100 research papers and 30 groups

Alloy, OCL, and JML JML features invariants, pre/postconditions, etc. a code-level specification language... less abstract than Alloy and OCL based on Java... more familiar to software developer... do not need to learn a completely different formalism supported by various tools/techniques e.g., runtime checkers, static analyzers Overview of JML Features Type specifications: invariants, etc. Method specifications: pre/postconditions, frame conditions, etc. Specification expressions: Java expressions + JML-specific constructs... we ll focus on lightweight specifications Note: throughout the lecture, we ll refer to sections of the JML Reference Manual using the following form: ( section number)

JML Specifications... are written inside Java comments immediately before Java program elements newline comments of the form: //@... block comments: /*@... @*/ multi-line block comments: /*@... @... @*/ note: no space between /* (or //) and @ Type Specifications ( 8) User-defined types in Java are classes and interfaces JML supports specification of types public class Container { //@ invariant this.data!= null; Object data;... the above is instance invariant constraining object field values

Invariants ( 8.2) Invariants can be instance (default) or static static inv. constrains class static fields instance inv. constrains object fields... we ll focus only on instance invariants Instance invariants should be established by non-helper constructors preserved by non-helper instance methods /*@ helper @*/ marks helper methods Method Specifications ( 9)... we ll only consider lightweight specification cases ( 9.4) Method (or constructor) clauses preconditions: requires clauses ( 9.9.2) postconditions: ensures clauses ( 9.9.3) frame conditions: assignable clauses ( 9.9.9) etc.

requires Clause ( 9.9.2) requires clause specifies method preconditions public class Container { //@ invariant this.data!= null; Object data; //@ requires data!= null; public Container(Object data) { this.data = data;... ensures Clause ( 9.9.3) ensures clause specifies method postconditions public class Container {... //@ ensures \result == this.data; public Object getdata() { return this.data;... \result is a JML expression for denoting a method s return value ( 11.4.1)

ensures Clause ( 9.9.3) postconditions may refer to old values (i.e., values at the method entry point) /*@ requires other!= null; @ ensures this.data == \old(other.data) @ && other.data == \old(this.data); @*/ public void swap(container other) { Object temp = this.data; this.data = other.data; other.data = temp; \old() is a JML-specific expression for retrieving old values ( 11.4.2) assignable Clause ( 9.9.9) assignable clause specifies the frame condition of a method specifying what may be changed /*@ requires other!= null; @ assignable this.data, other.data; @ ensures this.data == \old(other.data) @ && other.data == \old(this.data); @*/ public void swap(container other) { Object temp = this.data; this.data = other.data; other.data = temp;... in lightweight specification, its unspecified

Variable Nullity ( 6.2.12) Variable nullity is a source of problem in many Java programs... causes NullPointerException By default, JML assumes all variables have non-null values (as invariants) /*@ nullable @*/ can be used at variable declarations to indicate otherwise, e.g., public void swap(/*@ nullable @*/ Container other)... i.e., /*@ non_null @*/ is the default good practice: always explicitly specify one way or the other for documentation purposes For You To Do Revise the Container example to use JML nullable or non_null modifiers on appropriate variable declarations... can all non-null-ness variable preconditions safely be replaced to use the non_null modifier? Think about the possible input states of the Container.swap() method... is there a subtle input state that you do not expect but its contract still holds?

JML Tools Many research tools have been developed for JML documentation, e.g., JMLDoc runtime checking, e.g., JML RAC static analyzer, e.g., ESC/Java, Kiasan model checking, e.g., Bandera/Bogor theorem proving, e.g., JACK, LOOP... in this course, we will use Kiasan Why use JML? Java only supports assertion statement... not until Java 1.4 JML offers syntactic sugars for embedding assertions at various program points requires: assertions at method entry points ensures: assertions at (normal) method exit points invariant: assertions at method entry and exit points

Why use JML? Software developers usually write design intentions/ contracts informally in Java documentation comments parameter x is not null object field y must not be negative etc.... it cannot be leveraged for checking the programs outdated contract are undetected clients may not read documentation contracts in a natural language are often ambiguous JML provides a way to have checkable documentation Why not just use assert? Often times, the same conditions should be checked at multiple program points thus, it is tedious to just use Java s assert statement... we might miss placing assertions at some places (Murphy s law) Developers usually do not write assertions in code... assertions are mostly used for testing

Why not just use assert? Assertions polute codebase What about error handling? Java offers feature to disable assertions implemented as a conditional if (!$assertiondisabled) { // check assertion... but they are still in the compiled code Error Handling Tools can be developed to for JML to handle assertion errors during testing or analysis, test reports can be generated during deployment, error feedback can be accumulated in a remote database ask users whether to send feedback... Separation of Concerns (SoC)

Looking ahead... In the future, you will be asked to write contracts Companies such as Microsoft are already moving in such direction Spec# programming system http://research.microsoft.com/projects/specsharp/ Code Contract: DBC for.net http://research.microsoft.com/projects/contracts/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback