advanced jml
play

Advanced JML and more tips and pitfalls David Cok, Joe Kiniry, and - PowerPoint PPT Presentation

Feb 16, 2024 •211 likes •776 views

Advanced JML and more tips and pitfalls David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/ ?? Core

  1. Advanced JML and more tips and pitfalls David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.1/ ??

  2. Core JML Remember the core JML keywords were • requires • ensures • signals • assignable • normal behavior • invariant • non null • pure • \old , \ forall , \ exists , \result David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.2/ ??

  3. More advanced JML features • Visibility • Specifying (im)possibility of exceptions • Assignable clauses and datagroups • Aliasing • Specification inheritance, ensuring behavioural subtyping • Specification-only fields: ghost and mode fields • The semantics of invariant David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.3/ ??

  4. Visibility David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.4/ ??

  5. Visibility JML imposes visibility rules similar to Java, eg. public class Bag { ... private int n; //@ requires n > 0; public int extractMin() { ... } is not type-correct, because public method extractMin refers to private field n . David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.5/ ??

  6. Visibility public int pub; private int priv; //@ requires i <= pub; public void pub1 (int i) { ... } //@ requires i <= pub && i <= priv; private void priv1 (int i) ... //@ requires i <= pub && i <= priv; // WRONG !! public void pub2(int i) { ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.6/ ??

  7. Visibility: spec_public Keyword spec public loosens visibility for specs. Private spec public fields are allowed in public specs, e.g.: public class Bag { ... private /*@ spec public @*/ int n; //@ requires n > 0; public int extractMin() { ... } Exposing private details can be ugly, of course. A nicer, but more advanced alternative is to use public model fields to represent (abstract away from) private implementation details. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.7/ ??

  8. Exceptions and JML David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.8/ ??

  9. Exceptional specifications A method specification can (dis)allow the throwing of exceptions, and specify a exceptional postcondition that should hold in the event an exception is thrown. There are some implicit rules for (dis)allowing exceptions. Warning: exceptional specifications are easy to get wrong. Not allowing any exceptions to be thrown is the simplest approach. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.9/ ??

  10. Exceptions allowed by specs By default, a method is allowed to throw exceptions, but only those listed in its throws clause. So //@ requires 0 <= amount && amount <= balance; public int debit(int amount) throws BankException { ... } has an implicit clause signals (BankException) true; and an implicit clause signals (Exception e) e instanceof BankException; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.10/ ??

  11. Exceptions allowed by specs By default, a method is allowed to throw exceptions, but only those listed in its throws clause. So //@ requires 0 <= amount && amount <= balance; public int debit(int amount) { ... } has an implicit clause signals (Exception) false; NB debit is now not even allowed to throw an unchecked exception, even though Java does not require a throws clause for these. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.11/ ??

  12. Ruling out exceptions To forbid a particular exception SomeException 1. omit it from throws clause (only possible for unchecked exceptions) 2. add an explicit signals (SomeException) false; 3. limit the set of allowed exceptions, use a postcondition such as signals (Exception e) e instanceof E1 || ... || e instanceof En; or, equivalently, us the shorthand for this signals_only E1, ... En; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.12/ ??

  13. Ruling out exceptions To forbid all exceptions 1. omit all exceptions from throws clause (only possible for unchecked exceptions) 2. add an explicit signals (Exception) false; 3. use keyword normal_behavior to rule out all exceptions /*@ normal behavior requires ... ensures ... @*/ normal behavior has implicit signals(Exception)fals David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.13/ ??

  14. may vs must throw an exception Beware of the difference between (1) if P holds, then SomeException is thrown and (2) if SomeException is thrown, then P holds These are easy to confuse! (2) can be expressed with signals , (1) can be expressed with exceptional behavior David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.14/ ??

  15. exceptional_behavior /*@ exceptional_behavior requires amount > balance signals (BankException e) e.getReason.equals("Amount too big") @*/ public int debit(int amount) throws BankException { ... } says a BankException must be thrown if amount > balance normal behavior has implicit ‘ signals(Exception)false ’ exceptional behavior has implicit ‘ ensures false ’ David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.15/ ??

  16. Example /*@ normal_behavior requires amount <= balance; ensures ... also exceptional_behavior requires amount > balance signals (BankException e) ... @*/ public int debit(int amount) throws BankException { ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.16/ ??

  17. Example or, equivalently /*@ requires true; ensures \old(amount<=balance) && ... signals (BankException e) \old(amount>balance) && ... @*/ public int debit(int amount) throws BankException { ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.17/ ??

  18. Exceptional behaviour Moral: to keep things simple, disallow exceptions in specs whenever possible Eg, for public void arraycopy(int[] src, int destOffset, int[] dest, int destOffset, int lengt throws NullPointerException, ArrayIndexOutOfBoundsException write a spec that disallows any throwing of exceptions, and only worry about specifying exceptional behaviour if this is really needed elsewhere. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.18/ ??

  19. Assignable clauses and datagroups David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.19/ ??

  20. Problems with assignable clauses Assignable clauses • tend to expose implementation details private /*@ spec_public @*/ int x; ... //@ assignable x, ....; public void m(...) { .... } • tend to become very long //@ assignable x, y, z[*], ....; • tend to accumulate //@ assignable x, f.x, g.y, h.z[*], ....; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/ ??

  21. Problems with assignable clauses public class Timer { /*@ spec_public @*/ int time_hrs, time_mins, time_secs; /*@ spec_public @*/ int alarm_hrs, alarm_mins, alarm_secs; //@ assignable time_hrs, time_mins, time_secs; public void tick() { ... } //@ assignable alarm_hrs, alarm_mins, alarm_secs ; public void setAlarm(int hrs, int mins, int secs) { ... } } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/ ??

  22. Solution: datagroups public class Timer { //@ public model JMLDatagroup time, alarm; int time_hrs, time_mins, time_secs; //@ in time; int alarm_hrs, alarm_mins, alarm_secs; //@ in alarm; //@ assignable time; public void tick() { ... } //@ assignable alarm; public void setAlarm(int hrs, int mins, int secs) { ... } } time and alarm are model fields, ie. specification-only fields David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.22/ ??

  23. Datagroups Datagroups provide an abstraction mechanism for assignable clauses. There’s a default datagroup objectState defined in Object.java It’s good practice to declare that all instance fields are in objectState David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.23/ ??

  24. Datagroups can be nested public class Timer { //@ public model JMLDatagroup time, alarm;//@ in objectStat int time_hrs, time_mins, time_secs; //@ in time; int alarm_hrs, alarm_mins, alarm_secs; //@ in alarm; //@ assignable time; public void tick() { ... } //@ assignable alarm; public void setAlarm(int hrs, int mins, int secs) { ... } } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.24/ ??

  25. Assignable and arrays Another implementation, using an array of 6 digits to represent hrs:mns:secs public class ArrayTimer { /*@ spec_public @*/ char[] currentTime; //@ invariant currentTime != null; //@ invariant currentTime.length == 6; //@ assignable currentTime[*]; public void tick() { ... } ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.25/ ??

  26. Datagroups and arrays Another implementation, using an array of 6 digits to represent hrs:mns:secs public class ArrayTimer { //@ public model JMLDatagroup time; char[] currentTime; //@ in time; //@ maps currentTime[*] \ into time; //@ invariant currentTime != null; //@ invariant currentTime.length == 6; //@ assignable time; public void tick() { ... } ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.26/ ??

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online

Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online

Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online Training Course Week 5: Mind Body Connection Advanced Nutrition Course Advanced Nutrition Course Week 3 Recap Understanding emotions

670 views • 15 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides
Advanced Manufacturing @ Forsyth Tech Gary M. Green President Advanced Manufacturing

Advanced Manufacturing @ Forsyth Tech Gary M. Green President Advanced Manufacturing

Advanced Manufacturing @ Forsyth Tech Gary M. Green President Advanced Manufacturing Capabilities Product and Advanced Emerging Industrial Manufacturing Technologies Design Production Advanced Organizational Transportation

132 views • 12 slides
Advanced Learning for Grades 6-12 Highly Capable and Advanced Learning Services Welcome! Who

Advanced Learning for Grades 6-12 Highly Capable and Advanced Learning Services Welcome! Who

Advanced Learning for Grades 6-12 Highly Capable and Advanced Learning Services Welcome! Who are Advanced Learners? Highly Capable Students who perform or show potential for performing at significantly advanced academic levels when

614 views • 12 slides
Advanced Geophysical Classification Projects September 13, 2016 1 Advanced Geophysical

Advanced Geophysical Classification Projects September 13, 2016 1 Advanced Geophysical

Advanced Geophysical Classification Projects September 13, 2016 1 Advanced Geophysical Classification Advanced EMI sensors utilize multiple transmitter and receiver coils to acquire data from numerous angles and positions Rich dataset can

927 views • 8 slides
ADVANCED PLACEMENT The purpose of the Advanced Placement program is to provide the students with

ADVANCED PLACEMENT The purpose of the Advanced Placement program is to provide the students with

ADVANCED PLACEMENT The purpose of the Advanced Placement program is to provide the students with challenging coursework that culminates with an external examination. BENEFITS OF ADVANCED PLACEMENT Possible College Credit Early completion

601 views • 6 slides
Advanced SQL II Advanced Aggregation and OLAP 5DV120 Database System Principles Ume a

Advanced SQL II Advanced Aggregation and OLAP 5DV120 Database System Principles Ume a

Advanced SQL II Advanced Aggregation and OLAP 5DV120 Database System Principles Ume a University Department of Computing Science Stephen J. Hegner hegner@cs.umu.se http://www.cs.umu.se/~hegner Advanced SQL II Advanced

388 views • 35 slides
Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to

Advanced UNIX CIS 218 Advanced UNIX 1 . The File Structure (Ch. 4 , Sobell) Objectives to supplement the Introduction to UNIX slides with extra information on files 1 CIS 218 Advanced UNIX Overview 1 . Access Permissions 2 . Links 2

358 views • 22 slides
BOARD OF MUNICIPAL UTILITIES ADVANCED METERING INFRASTRUCTURE ADVANCED METERING INFRASTRUCTURE

BOARD OF MUNICIPAL UTILITIES ADVANCED METERING INFRASTRUCTURE ADVANCED METERING INFRASTRUCTURE

SIKESTON BOARD OF MUNICIPAL UTILITIES ADVANCED METERING INFRASTRUCTURE ADVANCED METERING INFRASTRUCTURE AMI is an integrated system of advanced meters, communications networks, and data management systems that enables two-way communication

543 views • 7 slides
Chapter: 22 p 22 History and Background IMT-Advanced Time Schedule in ITU LTE

Chapter: 22 p 22 History and Background IMT-Advanced Time Schedule in ITU LTE

3G Evolution Outline Chapter: 22 p 22 History and Background IMT-Advanced Time Schedule in ITU LTE Advanced LTE Ad LTE Advanced d Fundamental requirements for LTE Advanced Payam Amani Extended Requirements Beyond ITU

244 views • 7 slides
Advanced Placement/Dual Enrollment Course Info. Session: February 13, 2020 Advanced Placement

Advanced Placement/Dual Enrollment Course Info. Session: February 13, 2020 Advanced Placement

Advanced Placement/Dual Enrollment Course Info. Session: February 13, 2020 Advanced Placement Program Mr. Anthony Vargas MCPS, Supervisor of Gifted/Talent and Advanced Programs What are the advantages of taking an AP course in high school?

243 views • 21 slides
THE ROLE OF THE ADVANCED CLINICAL PRACTITIONER IN MIDWIFERY Louise Clarke Trainee Advanced

THE ROLE OF THE ADVANCED CLINICAL PRACTITIONER IN MIDWIFERY Louise Clarke Trainee Advanced

THE ROLE OF THE ADVANCED CLINICAL PRACTITIONER IN MIDWIFERY Louise Clarke Trainee Advanced Clinical Practitioner in Complex High risk Maternity Care History of Advanced Clinical practice in Midwifery The four pillars of advanced More

483 views • 16 slides
Advanced Virgo (Report on Advanced Virgo stay)

Advanced Virgo (Report on Advanced Virgo stay)

Advanced Virgo (Report on Advanced Virgo stay) KAGRA Observatory, ICRR, the University of Tokyo (NAGANO Koji) Extended

1.03k views • 67 slides
Regional Leadership Forums on Advanced Illness Care The Coalition To Transform Advanced Care

Regional Leadership Forums on Advanced Illness Care The Coalition To Transform Advanced Care

Regional Leadership Forums on Advanced Illness Care The Coalition To Transform Advanced Care Eugene Washington PCORI Engagement Award C-TACs Vision: all Americans with advanced illness will receive comprehensive, high-quality, person- and

271 views • 11 slides
CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming language Awk uses syntax based on grep and sed for handling numbers and text awk provides field level addressability. And within a field (word)

662 views • 40 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS &amp; Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
UNIVERSITY OF CALIFORNIA Economics 134 DEPARTMENT OF ECONOMICS Spring 2018 Professor David

UNIVERSITY OF CALIFORNIA Economics 134 DEPARTMENT OF ECONOMICS Spring 2018 Professor David

UNIVERSITY OF CALIFORNIA Economics 134 DEPARTMENT OF ECONOMICS Spring 2018 Professor David Romer LECTURE 4 REVIEW OF ISLM/MP FRAMEWORK JANUARY 29, 2018 I. T HE ISLM/MP M ODEL A. Overview 1. Introduction 2. Where we are headed 3.

474 views • 36 slides
Chapter 6: Process [&amp; Thread] Synchronization Why is synchronization needed? CSCI [4|6]

Chapter 6: Process [&amp; Thread] Synchronization Why is synchronization needed? CSCI [4|6]

Chapter 6: Process [&amp; Thread] Synchronization Why is synchronization needed? CSCI [4|6] 730 Synchronization Language/Definitions: What are race conditions? Operating Systems What are critical sections? What are atomic

488 views • 11 slides
Jartege : a Tool for Random Generation of Unit Tests for Java Classes Catherine Oriat LSR/IMAG,

Jartege : a Tool for Random Generation of Unit Tests for Java Classes Catherine Oriat LSR/IMAG,

LSR Jartege : a Tool for Random Generation of Unit Tests for Java Classes Catherine Oriat LSR/IMAG, Grenoble, France (presented by Yves Ledru) SOQUA05, Erfurt, Germany, Sep. 22nd 2005 1 The need for automatic test generation LSR

365 views • 24 slides
Programming with Contracts Juan Pablo Galeotti, Alessandra

Programming with Contracts Juan Pablo Galeotti, Alessandra

Programming with Contracts Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany Contract A (formal) agreement between Method M (callee) Callers

597 views • 42 slides
AIT IT and the SIA By y Kel elly ly Pen ennifer AIT IT and the SIA IA The Standard

AIT IT and the SIA By y Kel elly ly Pen ennifer AIT IT and the SIA IA The Standard

AIT IT and the SIA By y Kel elly ly Pen ennifer AIT IT and the SIA IA The Standard Interconnect Agreement The world of telecommunications is highly regulated and increasingly complex with a multiplicity of telecommunications

490 views • 11 slides
Why Student Loan Debt is Growing the Racial Wealth Gap and How Philanthropy Can Help Thursday,

Why Student Loan Debt is Growing the Racial Wealth Gap and How Philanthropy Can Help Thursday,

Majoring in Debt: Why Student Loan Debt is Growing the Racial Wealth Gap and How Philanthropy Can Help Thursday, October 15 th | 1-2 pm EDT Thank you to our Brief sponsors: AssetFunders.org #AssetFunders SPEAKERS VELVET RAQUAN LISA JENNY

444 views • 22 slides
T hre e Dime nsions Dime nsio n T ime -fra me Stra te g y Org a niza tio na l F ina nc ia

T hre e Dime nsions Dime nsio n T ime -fra me Stra te g y Org a niza tio na l F ina nc ia

T hre e Dime nsions Dime nsio n T ime -fra me Stra te g y Org a niza tio na l F ina nc ia l Me a sure Ob je c tive s Ob je c tive s Distre ss Inte rme d ia te De fe nd a g a inst Ma na g e Curre nt se rvic e s L iq uid F und s

244 views • 8 slides
Bubbles, Crashes &amp; the Financial Cycle: The Limits to Credit Growth Sander van der Hoog and

Bubbles, Crashes &amp; the Financial Cycle: The Limits to Credit Growth Sander van der Hoog and

The Big Questions Eurace@Unibi Model Simulation Results Conclusions Bubbles, Crashes &amp; the Financial Cycle: The Limits to Credit Growth Sander van der Hoog and Herbert Dawid Chair for Economic Theory and Computational Economics Bielefeld

667 views • 31 slides

More recommend