1 / 90

The Java Modeling Language

The Java Modeling Language. Based on: Gary T. Leavens, et al., JML Tutorial at OOPSLA 2009 . Gary. T Leavens, et al., Preliminary Design of JML: A Behavioral Interface Specification Language for Java, ACM SIGSOFT Software Engineering Notes , 31(3):1-38, May, 2006. 1. 1. 1. Outline.

lucie
Download Presentation

The Java Modeling Language

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Java Modeling Language Based on: Gary T. Leavens, et al., JML Tutorial at OOPSLA 2009. Gary. T Leavens, et al., Preliminary Design of JML: A Behavioral Interface Specification Language for Java, ACM SIGSOFT Software Engineering Notes, 31(3):1-38, May, 2006. 1 1 1

  2. Outline • JML overview • Reading and writing JML specifications • Abstraction in specification • Subtyping and specification inheritance 2 2 2

  3. Overview of JML • Java Modeling Language (JML) • Formal • Sequential Java • Functional behavior of APIs • JML’s goals • Practical, effective for detailed designs • Inter-module interfaces • Classes and interfaces • Data (fields) • Methods • Existing code • Wide range of tools 3 3 3

  4. Basic Approach of JML “Eiffel + Larch for Java” Hoare-style (contracts) Method pre- and post-conditions Invariants 4 4 4

  5. First JML Specification public class ArrayOps { private /*@ spec_public @*/ Object[] a; //@ public invariant 0 < a.length; /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 5 5 5

  6. Field Specification with spec_public public class ArrayOps { private /*@ spec_public @*/ Object[] a; //@ public invariant 0 < a.length; /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 6 6 6

  7. Class Invariant public class ArrayOps { private /*@ spec_public @*/ Object[] a; //@ public invariant 0 < a.length; /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 7 7 7

  8. Method Specification public class ArrayOps { private /*@ spec_public @*/ Object[] a; //@ public invariant 0 < a.length; /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 8 8 8

  9. Interface Specification JML Specification Syntactic Interface Functional Behavior Java Code 9

  10. Interface Specification /*@ requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr); requires 0 < arr.length; ensures this.a == arr; public void init(Object[] arr); public void init(Object[] arr) { this.a = arr; } 10

  11. Comparison with Other Formal Specification Languages Like … but for Java VDM, but OO features Eiffel, but Features for formal verification Spec#, but Different invariant methodology More features for formal verification Unlike OCL and Z More Java-like syntax Tailored to Java semantics 11

  12. Many Tools, One Language 12

  13. How JML Tools Complement Each Other • Different strengths: • Runtime checking — real errors • Static checking — better coverage • Verification — guarantees • Usual ordering: • Runtime checker (jmlc and jmlunit) • Extended Static Checking (ESC/Java2) • Verification tool (e.g., KeY, JACK, Jive) 13

  14. Outline JML overview Reading and writing JML specifications Abstraction in specification Subtyping and specification inheritance 14 14 14

  15. JML Annotations • Not Java annotations (starting with @) • JML annotation comments • Line starting with //@ • Between /*@ and @*/, ignoring @’s starting lines 15

  16. Most Important JML Keywords • Top-level in classes and interfaces: • invariant • spec_public • nullable • For methods and constructors: • requires • ensures • assignable • pure 16

  17. Example: BoundedStack • Specify bounded stacks of objects • Steps • Data and invariant • Constructor • Methods like push, pop, and top 17

  18. BoundedStack’s Data and Invariant public class BoundedStack { private /*@ spec_public nullable@*/ Object[] elems; private /*@ spec_public@*/ int size = 0; //@ public invariant 0 <= size; /*@ public invariant elems != null @ && (\forall int i; @ size <= i && i < elems.length; @ elems[i] == null); @*/ 18

  19. BoundedStack’s Constructor /*@requires 0 < n; @ assignable elems; @ ensures elems.length == n; @*/ public BoundedStack(int n) { elems = new Object[n]; } 19

  20. BoundedStack’s push Method /*@requires size < elems.length - 1; @ assignable elems[size], size; @ ensures size == \old(size + 1); @ ensures elems[size - 1] == x; @ ensures_redundantly @ (\forall int i; 0 <= i && i < size - 1;elems[i] == \old(elems[i])); @*/ public void push(Object x) { elems[size] = x; size++; } 20

  21. BoundedStack’s pop Method /*@requires 0 < size; @ assignable size, elems[size - 1]; @ ensures size == \old(size - 1); @ ensures_redundantly @elems[size] == null && @ (\forall int i; 0 <= i && i < size - 1;elems[i] == \old(elems[i])); @*/ public void pop() { size--; elems[size] = null; } 21

  22. BoundedStack’s top Method /*@requires 0 < size; @ assignable \nothing; @ ensures \result ==elems[size - 1]; @*/ public /*@ pure @*/ void top() { return elems[size – 1]; } 22

  23. JML Keywords Used • spec_public • Public visibility • Only public for specification purposes • nullable • field (and array elements) may be null • Default is non_null • invariant must be: • True at end of constructor • Preserved by each method (except for helper methods) 23

  24. JML Keywords Used • requires clause: • Precondition • Obligation on callers, after parameter passing • Assumed by implementor • ensures clause: • Postcondition • Obligation on implementor, at return • Assumed by caller 24

  25. Semantics of requires and ensures 25

  26. Semantics of requires and ensures 26

  27. Semantics of requires and ensures 27

  28. JML Keywords Used • assignable • Frame axiom • Locations (fields) in pre-state • New object fields not covered • Mostly checked statically • Synonyms: modifies, modifiable • pure • No side effects • Implies assignable \nothing • Allows method’s use in specifications 28

  29. Assignable Is a Shorthand assignable gender; ensures gender.equals(g); means ensures \only_assigned(gender) && gender.equals(g); 29

  30. JML Keywords Used • Redundant clauses (ensures_redundantly) • Alerts reader • States something to prove • Must be implied by: • ensures clauses, • assignable clause, • invariant, and • JML semantics. • Also requires_redundantly, etc. 30

  31. Multiple Clauses Semantics: requires P; requires Q; is equivalent to: requires P && Q; Similarly for ensures, invariant. Note: checkers give more specific messages with multiple clauses. 31

  32. Defaults for Omitted Clauses • invariant true; • requires true; • assignable \everything; • ensures true; 32

  33. Expression Keywords • \result = method’s return value. • \old(E) = pre-state value of E. • (\forall T x; P; Q) = {Q | x T P} • (\exists T x; P; Q) = {Q | xT P} • (\min T x; P; E) = min{E | x T P} • (\sum T x; P; E) = {E | x T P} • (\num_of T x; P; Q) = {1 | x T P  Q} • … 33

  34. Steps for Specifying a Type for Public Clients • Specify data (spec_public fields) • Specify a public invariant • Specify each public method using: • requires • assignable (or pure) • ensures 34

  35. Exercise • Specify the following stack methods • int capacity(): capacity of this stack? • int size(): no. of elements? • boolean isEmpty(): has no element? • int search(Object o): 1-based position of given object in this stack? private /*@ spec_public nullable@*/ Object[] elems; private /*@ spec_public@*/ int size = 0; 35

  36. Solution //@ ensures \result == elems.length; public /*@ pure *@/ int capacity() { …} //@ ensures \result == size; public /*@ pure *@/ int size()() { …} //@ ensures \result == (size == 0); public /*@ pure *@/ booleanisEmpty() { …} private /*@ spec_public nullable@*/ Object[] elems; private /*@ spec_public@*/ int size = 0; 36

  37. Solution //*@ ensures (\existsint i; i >= 0 && i < size; elems[i] == o) ? \result > 0 && \result <= size && elems[\result] == o : \result == 0 @*// public /*@ pure *@/ int search(Object o) { …} Q: the first (or last) from the top? private /*@ spec_public nullable@*/ Object[] elems; private /*@ spec_public@*/ int size = 0; 37

  38. Exercise: BagOfInt Specify the following public class BagOfInt { private int[] a; private int n; /** Initialize to contain input’s elements. */ public BagOfInt(int[] input); /** Return the multiplicity of i. */ public int occurrences(int i); /** Return and delete the minimum element. */ public int extractMin(); } 38

  39. Solution: Data and Constructor public class BagOfInt { /** Elements. */ private /*@ spec_public non_null @*/ int[] a; /** Number of active elements in a. */ private /*@ spec_public @*/ int n; //@ public invariant 0 <= n && n <= a.length; /** Initialize to contain input’s elements. */ /*@ assignable a, n; @ ensures n == input.length; @ ensures (\forall int i; 0 <= i && i < n; a[i] == input[i]); @*/ public BagOfInt(/*@ non_null @*/ int[] input); 39

  40. Solution: Methods /** Returnthe multiplicity of i. */ /*@ ensures \result == (\num_of int j; 0 <= j && j < n; a[j] == i); @*/ public /*@ pure @*/ int occurrences(int i); /** Returnand delete the minimum element. */ /*@ requires 0 < n; @ assignable n, a, a[*]; @ ensures n == \old(n - 1); @ ensures \result == \old((\min int j; 0 <= j && j < n; a[j])); @ ensures (\forall int j; 0 <= j && j < \old(n); @ (\old(a[j]) != \result ==> @ occurrences(\old(a[j])) == \old(occurrences(a[j]))) || @ (\old(a[j]) == \result ==> @occurrences(\old(a[j])) == \old(occurrences(a[j]) - 1))); @*/ public int extractMin(); 40

  41. Exercise Q: What’s wrong with this and how to fix it? Hint: Undefinedness public class ScreenPoint { private /*@ spec_public@*/ int x, y; //@ public invariant 0 <= x && 0 <= y; //@ requires 0 <= cs[0] && 0 <= cs[1]; //@ assignable x, y; //@ ensures x == cs[0] && y == cs[1]; public ScreenPoint(int[] cs) { x = cs[0]; y = cs[1]; } 41

  42. Solution A: Undefined expression public class ScreenPoint { private/*@ spec_public@*/ intx, y; //@ public invariant 0 <= x && 0 <= y; //@ requires 2 <= cs.length; //@ requires 0 <= cs[0] && 0 <= cs[1]; //@ assignable x, y; //@ ensuresx == cs[0] && y == cs[1]; public ScreenPoint(int[] cs) { x = cs[0]; y = cs[1]; } 42

  43. Writing Protective Specifications • Clauses evaluated left to right • Short-circuit operators can prevent evaluation • G && P, G || P • G ==>P, G <==P • Use multiple clauses (equivalent to &&) 43

  44. Multiple Specification Cases • For different preconditions • May overlap • Used to specify exceptions • Used with specification inheritance 44

  45. Example private /*@ spec_public@*/ int age; /*@ requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a > 150; @ assignable \nothing; @ ensures age == \old(age); @*/ public void setAge(int a) { if (0 <= a && a <= 150) age = a; } 45

  46. Semantics of Multiple Cases 46

  47. Meaning of “also” Rewrite to conjoin (frame must be the same). private /*@ spec_public@*/ int age; /*@ requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a > 150; @ assignable \nothing; @assignable age; @ ensures age == \old(age) && only_assigned(\nothing); @*/ public void setAge(int a) { if (0 <= a && a <= 150) age = a; } 47

  48. Meaning of “also” requires (0 <= a && a <= 150) || (a < 0 || a > 150); assignable age; ensures \old(0 <= a && a <= 150) ==>(age == a); ensures \old(a < 0 || a > 150) ==> (age == \old(age) && \only_assigned(\nothing)); 48

  49. Views of Multiple Cases • Client can verify by: • Picking one spec case • Assert precondition • Assume frame and postcondition • Picking several cases • Compute their join • Assert joined precondition • Assume frame and joined postcondition • Implementor can: • Verify each case, or • Verify their join 49

  50. Specifying Exceptions • Use features such as • exceptional_behavior spec cases • signals_only clause • signals clause

More Related