Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download JML - UTEP Computer Science
Document related concepts
no text concepts found
Transcript
A Runtime Assertion
Checker for
the Java Modeling
Language (JML)
Yoonsik Cheon and Gary T. Leavens
SERP 2002, June 24-27, 2002
www.jmlspecs.org
Dept. of Computer Science
Motivation
Goal
– To improve quality of software by using formal
interface specifications
Reality
– Formal specifications seldom used in practice, due to
• Lack of immediate, tangible payoff to programmers
• …
Contribution: runtime assertion checking
– Practical debugging (and testing) tool
– Brings benefits of writing formal specifications to
programmers
Dept. of Computer Science
2
Iowa State University
Related Work
Eiffel
– Integrates executable specs into programming
language, often called Design by Contract (DBC)
– But, hard to write complete, abstract specifications
•
•
•
•
No purity checking
No quantified expressions
No specification-only fields, methods, and types
No immutable version of collection types
DBC Tools for Java
– Jass, iContract, Handshake, jContractor, Contact
Java, etc.
– Same problem as Eiffel
Dept. of Computer Science
3
Iowa State University
Outline
Java Modeling Language (JML)
General approach
Translating JML specifications
–
–
–
–
–
JML expressions
Method specifications
Inheritance of specifications
Interface specifications
Model specifications
Conclusion
Dept. of Computer Science
4
Iowa State University
An Overview of JML
Java Modeling Language (JML)
– Formal behavioral interface specification language for
Java
– Hoare-style pre- and postconditions
– Influenced by Eiffel and model-oriented specification
languages such as VDM and Larch
– Can write complete interface specifications
Dept. of Computer Science
5
Iowa State University
An Overview of JML (Cont.)
Example in JML
public interface Stack {
//@ model Object[] elems;
/*@ old int len = elems.length;
@ requires e != null;
@ modifies elems;
@ ensures elems.length == len + 1 &&
@
elems[0] == e &&
@
(\forall int i; 0 <= i && i < len;
@
elems[i+1] == \old(elems[i]));
@*/
void push(Object e);
}
Dept. of Computer Science
6
Iowa State University
General Approach
Runtime assertion checking
– JML assertions into runtime check code
– Transparent (except for performance) unless
assertions are violated
jml-runtime.jar
Stack.java
Stack.class
jmlc
Dept. of Computer Science
JVM
7
Iowa State University
Translating JML Expressions
JML Expressions
– Side-effect free subset of Java expressions
Challenges
– Undefinedness (due to runtime errors, exceptions,
non-executable clauses, etc.)
– Quantified expressions (\forall, \exists, \sum, etc.)
Dept. of Computer Science
8
Iowa State University
Undefinedness of Expressions
JML semantics
– Arbitrary expressible value (of correct type)
– E.g., a[i] != null
Goals
– To catch as many errors as possible
– To be faithful to the JML semantics
Dept. of Computer Science
9
Iowa State University
Undefinedness (Cont.)
Approach: Local, contextual interpretation
– Interpreted locally by the smallest, enclosing boolean
expression
– Boolean value determined contextually
– E.g., true for “a[i] != null”
//@ requires !(a[i] != null);
void foo(int i) { /* … */ }
Dept. of Computer Science
10
Iowa State University
Quantified Expressions
Quantifiers in JML
– Universal and existential (\forall and \exists)
– Generalized (\sum, \product, \min, and \max)
– Numerical (\num_of)
Extensible framework
– Type extent-based approach
– Static analysis approach
Dept. of Computer Science
11
Iowa State University
Static Analysis Approach
Collections for reference types
(\forall Student p; ta.contains(p) || ra.contains(p);
p.credits() <= 12)
Intervals for numeric types
(\sum int x; x > 1 && x < 5; x)
Enumeration for boolean type
Dept. of Computer Science
12
Iowa State University
Translating Method Specifications
Method specifications in JML
– Rich set of syntactic sugars
• Multiple clauses
• Nested specifications
• Case analysis, etc.
Approach
– Desugaring specifications
– Assertion check methods
• Precondition check methods
• Postcondition check methods (normal and exceptional)
• Invariant check methods, etc.
– Wrapper methods
Dept. of Computer Science
13
Iowa State University
Wrapper Methods
T m(…) {
checkPre$m(…); // P
//@ invariant I;
checkInv$m(); // I
//@ requires P;
try {
original$m(…);
//@ ensures Q;
checkPost$m(…); // Q
}
catch (JMLAssertionException e) {
…
}
catch (Throwable e) {
//@ signals S;
T m(…) {
body;
}
checkXPost$m(…); // S
}
finally {
if (…) { check$Inv(); } // I
}
}
Dept. of Computer Science
14
Iowa State University
Inheritance of Specifications
Specification inheritance
– Through subclassing, interfaces, and refinement
Challenge
– Existence of supertype’s assertion check methods is
not known at compile time (e.g., due to separate
compilation)
Dept. of Computer Science
15
Iowa State University
Inheritance of Specifications (cont.)
Approach
–
Dynamic delegation using Java’s reflection facility
1. Check local assertions
2. Check inherited assertions, i.e., for each supertype,
2.1 Look up corresponding assertion check method
2.2 Invoke the target method
2.3 Combine the result appropriately
3. Report an assertion violation based on the combined result
Dept. of Computer Science
16
Iowa State University
Interface Specifications
Problem
– Can’t add assertion check methods to interfaces
Surrogate classes
– Static inner classes of interfaces
– Responsible for checking assertions in interfaces
interface
I
static delegation
C
<<inner>>
Checker
dynamic delegation
Dept. of Computer Science
17
Iowa State University
Model Specifications for ADTs
JML model fields, methods, and types
– Specification-purpose fields, methods, and types
Model fields
– Can be accompanied with abstraction functions
public class StackImpl implements Stack {
private java.util.List contents;
/*@ public depends elems <- contents;
@ private represents elems <- contents.toArray();
@*/
/* … */
}
Dept. of Computer Science
18
Iowa State University
Model Specifications (Cont.)
Model field access methods
– Generated from specific form of “represents” clauses
– Calculate abstract (specification) values from concrete
(program) values
– Replaces model fields appearing in assertions
// generated from “represents elems <- contents.toArray();”
public Object[] model$elems() {
return contents.toArray();
}
Dept. of Computer Science
19
Iowa State University
Conclusion
JML runtime assertion checker
–
–
–
–
Executes many quantified expressions
Supports specification inheritance
Works with abstract specifications
Thus, provides a practical, formal specification-based
debugging (and testing) tool to Java programmers
JML distribution available from
www.jmlspecs.org
Dept. of Computer Science
20
Iowa State University
