introduction to jml
play

Introduction to JML Erik Poll, Joe Kiniry, David Cok University of - PowerPoint PPT Presentation

Feb 01, 2024 •759 likes •1.22k views

Introduction to JML Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - ESC/Java2 Tutorial - June 2004 - JML p.1/34 Outline of this talk What this set of slides aims to do introduction to JML

  1. Introduction to JML Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.1/34

  2. Outline of this talk What this set of slides aims to do • introduction to JML • provide overview of tool support for JML (jmlrac, jmlunit, escjava) • explain idea of extended static checking and difference with runtime assertion checking • some more ESC/Java2 tips Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.2/34

  3. The Java Modeling Language JML www.jmlspecs.org Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.3/34

  4. JML by Gary Leavens et al. Formal specification language for Java • to specify behaviour of Java classes • to record design &implementation decisions by adding assertions to Java source code, eg • preconditions • postconditions • invariants as in Eiffel (Design by Contract), but more expressive. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.4/34

  5. JML by Gary Leavens et al. Formal specification language for Java • to specify behaviour of Java classes • to record design &implementation decisions by adding assertions to Java source code, eg • preconditions • postconditions • invariants as in Eiffel (Design by Contract), but more expressive. Goal: JML should be easy to use for any Java programmer. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.4/34

  6. JML To make JML easy to use: • JML assertions are added as comments in .java file, between /*@ . . . @*/ , or after //@ , • Properties are specified as Java boolean expressions, extended with a few operators ( \ old, \ forall, \ result, . . . ). • using a few keywords ( requires , ensures , signals , assignable , pure , invariant , non null , . . . ) Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.5/34

  7. requires, ensures Pre- and post-conditions for method can be specified. /*@ requires amount >= 0; ensures balance == \ old(balance)-amount && \ result == balance; @*/ public int debit(int amount) { ... } Here \ old(balance) refers to the value of balance before execution of the method. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.6/34

  8. requires, ensures JML specs can be as strong or as weak as you want. /*@ requires amount >= 0; ensures true; @*/ public int debit(int amount) { ... } This default postcondition “ ensures true ” can be omitted. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.7/34

  9. Design-by-Contract Pre- and postconditions define a contract between a class and its clients: • Client must ensure precondition and may assume postcondition • Method may assume precondition and must ensure postcondition Eg, in the example specs for debit , it is the obligation of the client to ensure that amount is positive. The requires clause makes this explicit. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.8/34

  10. signals Exceptional postconditions can also be specified. /*@ requires amount >= 0; ensures true; signals (ISOException e) amount > balance && balance == \ old(balance) && e.getReason()==AMOUNT_TOO_BIG; @*/ public int debit(int amount) { ... } Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.9/34

  11. signals Exceptions are allowed by default, i.e. the default signals clause is signals (Exception) true; To rule them out, add an explicit signals (Exception) false; or use the keyword normal_behavior /*@ normal behavior requires ... ensures ... @*/ Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.10/34

  12. invariant Invariants (aka class invariants) are properties that must be maintained by all methods, e.g., public class Wallet { public static final short MAX_BAL = 1000; private short balance; /*@ invariant 0 <= balance && balance <= MAX_BAL; @*/ ... Invariants are implicitly included in all pre- and postconditions. Invariants must also be preserved if exception is thrown! Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.11/34

  13. invariant Invariants document design decisions, e.g., public class Directory { private File[] files; /*@ invariant files != null && ( \ forall int i; 0 <= i && i < files.length; ; files[i] != null && files[i].getParent() == this); @*/ Making them explicit helps in understanding the code. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.12/34

  14. non_null Many invariants, pre- and postconditions are about references not being null . non_null is a convenient short-hand for these. public class Directory { private /*@ non null @*/ File[] files; void createSubdir(/*@ non null @*/ String name) { ... Directory /*@ non null @*/ getParent() { ... Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.13/34

  15. assert An assert clause specifies a property that should hold at some point in the code, e.g., if (i <= 0 || j < 0) { ... } else if (j < 5) { //@ assert i > 0 && 0 < j && j < 5; ... } else { //@ assert i > 0 && j > 5; ... } Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.14/34

  16. assert JML keyword assert now also in Java (since Java 1.4). Still, assert in JML is more expressive, for example in ... for (n = 0; n < a.length; n++) if (a[n]==null) break; /*@ assert ( \ forall int i; 0 <= i && i < n; a[i] != null); @*/ Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.15/34

  17. assignable Frame properties limit possible side-effects of methods. /*@ requires amount >= 0; assignable balance; ensures balance == \ old(balance)-amount; @*/ public int debit(int amount) { ... E.g., debit can only assign to the field balance . NB this does not follow from the post-condition. Default assignable clause: assignable \ everything . Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.16/34

  18. pure A method without side-effects is called pure. public /*@ pure @*/ int getBalance() { ... Directory /*@ pure non null @*/ getParent() { ... Pure method are implicitly assignable \ nothing . Only pure methods can be used in specifications. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.17/34

  19. visibility JML supports the standard Java visibilities: public int pub; private int priv; //@ requires i <= pub; public void pub1 (int i) { ... } //@ requires i <= pub && i <= priv; private void priv1 (int i) ... //@ requires i <= pub && i <= priv; // WRONG !! public void pub2(int i) { ... } Specs of public methods may not refer to private fields. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.18/34

  20. visibility: spec_public Keyword spec public loosens visibility for specs. Private spec public fields are allowed in public specs, e.g.: public int pub; private /*@ spec public @*/ int priv; //@ requires i <= pub && i <= priv; // OK public void pub2(int i) { ... } Exposing private details is ugly, of course. A nicer, but more advanced alternative in JML is to use public model fields to represent (abstract away from) private implementation details. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.19/34

  21. Tools for JML Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.20/34

  22. tools for JML • parsing and typechecking Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.21/34

  23. tools for JML • parsing and typechecking • runtime assertion checking: test for violations of assertions during execution jmlrac Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.21/34

  24. tools for JML • parsing and typechecking • runtime assertion checking: test for violations of assertions during execution jmlrac • extended static checking: prove that contracts are never violated at compile-time ESC/Java2 This is program verification, not just testing. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.21/34

  25. runtime assertion checking jmlrac compiler by Gary Leavens et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.22/34

  26. runtime assertion checking jmlrac compiler by Gary Leavens et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. • cheap & easy to do as part of existing testing practice • better testing, because more properties are tested, at more places in the code Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.22/34

  27. runtime assertion checking jmlrac compiler by Gary Leavens et al. at Iowa State Univ. • translates JML assertions into runtime checks: during execution, all assertions are tested and any violation of an assertion produces an Error. • cheap & easy to do as part of existing testing practice • better testing, because more properties are tested, at more places in the code Of course, an assertion violation can be an error in code or an error in specification . Erik Poll - ESC/Java2 Tutorial - June 2004 - JML – p.22/34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

TRAINING COURSE ON SOCIAL PROTECTION &amp; FORMALIZATION TRINIDAD AND TOBAGO MARCH 15, 2017 INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION Design of the NIS Assistance from the

547 views • 23 slides
INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

Patterns of variation in the expression of case and agreement Andrs Brny Leiden University Centre for Linguistics 9 November 2019, BaSIS Workshop a.barany@hum.leidenuniv.nl INTRODUCTION Introduction 2/42 INTRODUCTION

1.37k views • 42 slides
Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures Definition and concepts Process and product properties Principles SE Approaches Motivation Software and the economy The economies of

1.03k views • 49 slides
Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1 https://www.cdc.gov/std/stats17/infographic.htm Introduction Epidemiology in Western Colorado CPHE Surveillance Data Report, May 2018 Chlamydia Epidemiology in Western

977 views • 39 slides
DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every meeting (2) Some ideas of diagrams for section 7.1 (Introduction) of TP. Giles Barr 25 Jan 2018, Pembroke College On DUNE, the reality is there is a

474 views • 10 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout World Wide

387 views • 14 slides
14 Introduction Introduction Bad guys can put malware into Example: hosts

14 Introduction Introduction Bad guys can put malware into Example: hosts

Introduction Introduction source Encapsulation ISO/OSI reference model message M application segment H t H t M transport network datagram H n H n H t M presentation: allow applications to frame link H l H n H t M interpret

583 views • 4 slides
Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout

322 views • 8 slides
Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Introduction Zynq Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL Processing System Processor Peripherals Data Buses AXI Bus Conclusion BTE5380 - Embedded Systems Octobre 2014 Andreas Habegger

1.81k views • 30 slides
2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04 Project References S E 5 PART.1 SMILE5 Introduction M I L Introduction STORION-SMILE5 Residential Energy Storage System Inverter 5kW Output Input

1.06k views • 25 slides
Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an application server? Why use an application server? Course introduction Services provided by CICS How CICS applications are defined Scaling CICS to meet

1.84k views • 146 slides
Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic building blocks Node Links (relationship between nodes) Spatial information Network data

584 views • 9 slides
Introduction Introduction (1) Main argument of the paper: universities are not only

Introduction Introduction (1) Main argument of the paper: universities are not only

Le jugement des pairs comme outil de management des universits Peer-review as a management tool Christine Musselin (CSO, Sciences Po et CNRS) Avril 2013, Lirrsistible ascension du capitalisme acadmique Introduction Introduction (1)

590 views • 28 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of the brand new JA-100 alarm system Visions Basic architecture System components Setting Help us with final validations You are the FIRST ones

1.69k views • 111 slides
Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory

Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory

Verification-Aided Regression Testing Fabrizio Pastore 1 Leonardo Mariani 1 arinen 2 Grigory Fedyukovich 2 Antti E. J. Hyv Natasha Sharygina 2 Ondrej Sery 2 Stephan Sehestedt 3 Ali Muhammed 4 1 University of Milano-Bicocca, Italy 2 University of

670 views • 14 slides
Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 , Raluca Lefticaru 1 , Ignacio Prez-Hurtado 2 , Mario J. Prez-Jimnez 2 , Cristina Tudose 1 1 University of Pitesti 2 University of Sevilla

578 views • 23 slides
Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl Seminar 16172 Falk Howar (TU Clausthal) Learning RAs Dagstuhl Seminar 16172 1 / 22 Scenario: Verification of Component-based Systems Environment

618 views • 35 slides
Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University University of Victoria www.csc.ncsu.edu/faculty/xie www.ece.uvic.ca/~ahmed xie@csc.ncsu.edu ahmed@uvic.ca Some slides are adapted from KDD 06 tutorial

1.39k views • 120 slides
The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe

The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe

The Mobius Program Verification Environment Recent Advances in Extended Static Checking Joe Kiniry, University College Dublin Joe Kiniry, University College Dublin http://mobius.inria.fr/ http://mobius.inria.fr/ Contract n IST 015905

534 views • 21 slides
The Use of JML in Embedded Real-Time Systems Joseph Kiniry Technical University of Denmark

The Use of JML in Embedded Real-Time Systems Joseph Kiniry Technical University of Denmark

The Use of JML in Embedded Real-Time Systems Joseph Kiniry Technical University of Denmark JTRES 2012 24 October 2012 Acknowledgements Some content based on an OOPSLA tutorial by: Gary T. Leavens, Curtis Clifton, Hridesh Rajan, and

773 views • 41 slides
Dynamic Shape and Data Structure Analysis in Java Presented by Sokhom Pheng (Supervised by

Dynamic Shape and Data Structure Analysis in Java Presented by Sokhom Pheng (Supervised by

Dynamic Shape and Data Structure Analysis in Java Presented by Sokhom Pheng (Supervised by Clark Verbrugge) McGill University October 17 th 2005 Outline Introduction &amp; Contribution Design Challenges Experimental Results

683 views • 44 slides
Preventing errors before they happen: Lightweight verification via pluggable type-checking

Preventing errors before they happen: Lightweight verification via pluggable type-checking

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing errors before they happen: Lightweight verification via pluggable type-checking Michael D. Ernst University of Washington (Seattle, WA, USA) University of Buenos

600 views • 48 slides

More recommend