introduction to jml
play

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman - PowerPoint PPT Presentation

Jan 20, 2023 •622 likes •1.06k views

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/ ?? Outline of this tutorial

  1. Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.1/ ??

  2. Outline of this tutorial First • introduction to JML • overview of tool support for JML, esp. runtime assertion checking (using jmlrac) and extended static checking ESC/Java2 Then • ESC/Java2: Use and Features • ESC/Java2: Warnings • Specification tips and pitfalls • Advanced JML: more tips and pitfalls interspersed with demos. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.2/ ??

  3. The Java Modeling Language JML www.jmlspecs.org David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.3/ ??

  4. JML by Gary Leavens et al. Formal specification language for Java • to specify behaviour of Java classes • to record design &implementation decisions by adding assertions to Java source code, eg • preconditions • postconditions • invariants as in Eiffel (Design by Contract), but more expressive. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.4/ ??

  5. JML by Gary Leavens et al. Formal specification language for Java • to specify behaviour of Java classes • to record design &implementation decisions by adding assertions to Java source code, eg • preconditions • postconditions • invariants as in Eiffel (Design by Contract), but more expressive. Goal: JML should be easy to use for any Java programmer. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.4/ ??

  6. JML To make JML easy to use: • JML assertions are added as comments in .java file, between /*@ . . . @*/ , or after //@ , • Properties are specified as Java boolean expressions, extended with a few operators ( \ old, \ forall, \ result, . . . ). • using a few keywords ( requires , ensures , signals , assignable , pure , invariant , non null , . . . ) David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.5/ ??

  7. requires, ensures Pre- and post-conditions for method can be specified. /*@ requires amount >= 0; ensures balance == \ old(balance-amount) && \ result == balance; @*/ public int debit(int amount) { ... } Here \ old(balance) refers to the value of balance before execution of the method. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.6/ ??

  8. requires, ensures JML specs can be as strong or as weak as you want. /*@ requires amount >= 0; ensures true; @*/ public int debit(int amount) { ... } This default postcondition “ ensures true ” can be omitted. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.7/ ??

  9. Design-by-Contract Pre- and postconditions define a contract between a class and its clients: • Client must ensure precondition and may assume postcondition • Method may assume precondition and must ensure postcondition Eg, in the example specs for debit , it is the obligation of the client to ensure that amount is positive. The requires clause makes this explicit. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.8/ ??

  10. signals Exceptional postconditions can also be specified. /*@ requires amount >= 0; ensures true; signals (BankException e) amount > balance && balance == \ old(balance) && e.getReason().equals("Amount too bi @*/ public int debit(int amount) throws BankExceptio ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.9/ ??

  11. signals Exceptions mentioned in throws clause are allowed by default. To change this, there are three options: • To rule out all exceptions, use a normal_behavior /*@ normal behavior requires ... ensures ... @*/ • To rule out particular exception E , add signals (E) false; • To allow only some exceptions , add signals_only E1, ..., E2; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.10/ ??

  12. invariant Invariants (aka class invariants) are properties that must be maintained by all methods, e.g., public class Wallet { public static final short MAX_BAL = 1000; private short balance; /*@ invariant 0 <= balance && balance <= MAX_BAL; @*/ ... Invariants are implicitly included in all pre- and postconditions. Invariants must also be preserved if exception is thrown! David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.11/ ??

  13. invariant Invariants document design decisions, e.g., public class Directory { private File[] files; /*@ invariant files != null && ( \ forall int i; 0 <= i && i < files.length; ; files[i] != null && files[i].getParent() == this) @*/ Making them explicit helps in understanding the code. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.12/ ??

  14. non_null Many invariants, pre- and postconditions are about references not being null . non_null is a convenient short-hand for these. public class Directory { private /*@ non null @*/ File[] files; void createSubdir(/*@ non null @*/ String name) { ... /*@ non null @*/ Directory getParent() { ... David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.13/ ??

  15. assert An assert clause specifies a property that should hold at some point in the code, e.g., if (i <= 0 || j < 0) { ... } else if (j < 5) { //@ assert i > 0 && 0 < j && j < 5; ... } else { //@ assert i > 0 && j > 5; ... } David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.14/ ??

  16. assert JML keyword assert now also in Java (since Java 1.4). Still, assert in JML is more expressive, for example in ... for (n = 0; n < a.length; n++) if (a[n]==null) break; /*@ assert ( \ forall int i; 0 <= i && i < n; a[i] != null); @*/ David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.15/ ??

  17. assignable Frame properties limit possible side-effects of methods. /*@ requires amount >= 0; assignable balance; ensures balance == \ old(balance)-amount; @*/ public int debit(int amount) { } ... E.g., debit can only assign to the field balance . NB this does not follow from the post-condition. Default assignable clause: assignable \ everything . David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.16/ ??

  18. pure A method without side-effects is called pure. public /*@ pure @*/ int getBalance() { ... Directory /*@ pure non null @*/ getParent() { ... } Pure method are implicitly assignable \ nothing . Pure methods, and only pure methods, can be used in specifications, eg. //@ invariant 0<=getBalance() && getBalance()<=MAX_BALANCE; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.17/ ??

  19. JML recap The JML keywords discussed so far: • requires • ensures • signals • assignable • normal behavior • invariant • non null • pure • \ old , \ forall , \ exists , \ result This is all you need to know to get started! David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.18/ ??

  20. Tools for JML David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.19/ ??

  21. tools for JML • parsing and typechecking David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/ ??

  22. tools for JML • parsing and typechecking • runtime assertion checking: test for violations of assertions during execution jmlrac David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/ ??

  23. tools for JML • parsing and typechecking • runtime assertion checking: test for violations of assertions during execution jmlrac • extended static checking ie. automated program verification: prove that contracts are never violated at compile-time ESC/Java2 This is program verification, not just testing. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/ ??

  24. runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/ ??

  25. runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. • cheap & easy to do as part of existing testing practice • better testing and better feedback, because more properties are tested, at more places in the code David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/ ??

  26. runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. • cheap & easy to do as part of existing testing practice • better testing and better feedback, because more properties are tested, at more places in the code Eg, “Invariant violated in line 8000” after 1 minute instead of “NullPointerException in line 2000” after 4 minutes David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/ ??

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

TRAINING COURSE ON SOCIAL PROTECTION &amp; FORMALIZATION TRINIDAD AND TOBAGO MARCH 15, 2017 INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION Design of the NIS Assistance from the

547 views • 23 slides
INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

Patterns of variation in the expression of case and agreement Andrs Brny Leiden University Centre for Linguistics 9 November 2019, BaSIS Workshop a.barany@hum.leidenuniv.nl INTRODUCTION Introduction 2/42 INTRODUCTION

1.37k views • 42 slides
Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures Definition and concepts Process and product properties Principles SE Approaches Motivation Software and the economy The economies of

1.03k views • 49 slides
Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1 https://www.cdc.gov/std/stats17/infographic.htm Introduction Epidemiology in Western Colorado CPHE Surveillance Data Report, May 2018 Chlamydia Epidemiology in Western

977 views • 39 slides
DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every meeting (2) Some ideas of diagrams for section 7.1 (Introduction) of TP. Giles Barr 25 Jan 2018, Pembroke College On DUNE, the reality is there is a

474 views • 10 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout World Wide

387 views • 14 slides
14 Introduction Introduction Bad guys can put malware into Example: hosts

14 Introduction Introduction Bad guys can put malware into Example: hosts

Introduction Introduction source Encapsulation ISO/OSI reference model message M application segment H t H t M transport network datagram H n H n H t M presentation: allow applications to frame link H l H n H t M interpret

583 views • 4 slides
Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout

322 views • 8 slides
Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Introduction Zynq Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL Processing System Processor Peripherals Data Buses AXI Bus Conclusion BTE5380 - Embedded Systems Octobre 2014 Andreas Habegger

1.81k views • 30 slides
2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04 Project References S E 5 PART.1 SMILE5 Introduction M I L Introduction STORION-SMILE5 Residential Energy Storage System Inverter 5kW Output Input

1.06k views • 25 slides
Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an application server? Why use an application server? Course introduction Services provided by CICS How CICS applications are defined Scaling CICS to meet

1.84k views • 146 slides
Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic building blocks Node Links (relationship between nodes) Spatial information Network data

584 views • 9 slides
Introduction Introduction (1) Main argument of the paper: universities are not only

Introduction Introduction (1) Main argument of the paper: universities are not only

Le jugement des pairs comme outil de management des universits Peer-review as a management tool Christine Musselin (CSO, Sciences Po et CNRS) Avril 2013, Lirrsistible ascension du capitalisme acadmique Introduction Introduction (1)

590 views • 28 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of the brand new JA-100 alarm system Visions Basic architecture System components Setting Help us with final validations You are the FIRST ones

1.69k views • 111 slides
Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity

Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity

Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity Fairness Test scores used as a screen Achievement and growth indices Equal weight for each grade and subject Focus on lowest-performing

1.45k views • 68 slides
Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Problem Overall Architecture Evaluation Conclusion Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 . Tamberi 2 F F 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

311 views • 29 slides
The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw Department of Computer Science University of Leicester September 4, 2010 B ACKGROUND Test Adequacy Assessing the ability of a test set to identify

295 views • 25 slides
First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef

First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef

First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef Urban CIIRC CTU Conjecturing some bits from history There have been various attempts, e.g., Wang in the late 1950s novel and

540 views • 15 slides
Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University University of Victoria www.csc.ncsu.edu/faculty/xie www.ece.uvic.ca/~ahmed xie@csc.ncsu.edu ahmed@uvic.ca Some slides are adapted from KDD 06 tutorial

1.39k views • 120 slides
Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl Seminar 16172 Falk Howar (TU Clausthal) Learning RAs Dagstuhl Seminar 16172 1 / 22 Scenario: Verification of Component-based Systems Environment

618 views • 35 slides
Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 , Raluca Lefticaru 1 , Ignacio Prez-Hurtado 2 , Mario J. Prez-Jimnez 2 , Cristina Tudose 1 1 University of Pitesti 2 University of Sevilla

578 views • 23 slides
Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory

Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory

Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory Fedyukovich 2 Antti E. J. Hyv Natasha Sharygina 2 Ondrej Sery 2 Stephan Sehestedt 3 Ali Muhammed 4 1 University of Milano-Bicocca, Italy 2 University of

670 views • 14 slides

More recommend