Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002 www.jmlspecs.org Dept. of Computer Science Motivation Goal – To improve quality of software by using formal interface specifications Reality – Formal specifications seldom used in practice, due to • Lack of immediate, tangible payoff to programmers • … Contribution: runtime assertion checking – Practical debugging (and testing) tool – Brings benefits of writing formal specifications to programmers Dept. of Computer Science 2 Iowa State University Related Work Eiffel – Integrates executable specs into programming language, often called Design by Contract (DBC) – But, hard to write complete, abstract specifications • • • • No purity checking No quantified expressions No specification-only fields, methods, and types No immutable version of collection types DBC Tools for Java – Jass, iContract, Handshake, jContractor, Contact Java, etc. – Same problem as Eiffel Dept. of Computer Science 3 Iowa State University Outline Java Modeling Language (JML) General approach Translating JML specifications – – – – – JML expressions Method specifications Inheritance of specifications Interface specifications Model specifications Conclusion Dept. of Computer Science 4 Iowa State University An Overview of JML Java Modeling Language (JML) – Formal behavioral interface specification language for Java – Hoare-style pre- and postconditions – Influenced by Eiffel and model-oriented specification languages such as VDM and Larch – Can write complete interface specifications Dept. of Computer Science 5 Iowa State University An Overview of JML (Cont.) Example in JML public interface Stack { //@ model Object[] elems; /*@ old int len = elems.length; @ requires e != null; @ modifies elems; @ ensures elems.length == len + 1 && @ elems[0] == e && @ (\forall int i; 0 <= i && i < len; @ elems[i+1] == \old(elems[i])); @*/ void push(Object e); } Dept. of Computer Science 6 Iowa State University General Approach Runtime assertion checking – JML assertions into runtime check code – Transparent (except for performance) unless assertions are violated jml-runtime.jar Stack.java Stack.class jmlc Dept. of Computer Science JVM 7 Iowa State University Translating JML Expressions JML Expressions – Side-effect free subset of Java expressions Challenges – Undefinedness (due to runtime errors, exceptions, non-executable clauses, etc.) – Quantified expressions (\forall, \exists, \sum, etc.) Dept. of Computer Science 8 Iowa State University Undefinedness of Expressions JML semantics – Arbitrary expressible value (of correct type) – E.g., a[i] != null Goals – To catch as many errors as possible – To be faithful to the JML semantics Dept. of Computer Science 9 Iowa State University Undefinedness (Cont.) Approach: Local, contextual interpretation – Interpreted locally by the smallest, enclosing boolean expression – Boolean value determined contextually – E.g., true for “a[i] != null” //@ requires !(a[i] != null); void foo(int i) { /* … */ } Dept. of Computer Science 10 Iowa State University Quantified Expressions Quantifiers in JML – Universal and existential (\forall and \exists) – Generalized (\sum, \product, \min, and \max) – Numerical (\num_of) Extensible framework – Type extent-based approach – Static analysis approach Dept. of Computer Science 11 Iowa State University Static Analysis Approach Collections for reference types (\forall Student p; ta.contains(p) || ra.contains(p); p.credits() <= 12) Intervals for numeric types (\sum int x; x > 1 && x < 5; x) Enumeration for boolean type Dept. of Computer Science 12 Iowa State University Translating Method Specifications Method specifications in JML – Rich set of syntactic sugars • Multiple clauses • Nested specifications • Case analysis, etc. Approach – Desugaring specifications – Assertion check methods • Precondition check methods • Postcondition check methods (normal and exceptional) • Invariant check methods, etc. – Wrapper methods Dept. of Computer Science 13 Iowa State University Wrapper Methods T m(…) { checkPre$m(…); // P //@ invariant I; checkInv$m(); // I //@ requires P; try { original$m(…); //@ ensures Q; checkPost$m(…); // Q } catch (JMLAssertionException e) { … } catch (Throwable e) { //@ signals S; T m(…) { body; } checkXPost$m(…); // S } finally { if (…) { check$Inv(); } // I } } Dept. of Computer Science 14 Iowa State University Inheritance of Specifications Specification inheritance – Through subclassing, interfaces, and refinement Challenge – Existence of supertype’s assertion check methods is not known at compile time (e.g., due to separate compilation) Dept. of Computer Science 15 Iowa State University Inheritance of Specifications (cont.) Approach – Dynamic delegation using Java’s reflection facility 1. Check local assertions 2. Check inherited assertions, i.e., for each supertype, 2.1 Look up corresponding assertion check method 2.2 Invoke the target method 2.3 Combine the result appropriately 3. Report an assertion violation based on the combined result Dept. of Computer Science 16 Iowa State University Interface Specifications Problem – Can’t add assertion check methods to interfaces Surrogate classes – Static inner classes of interfaces – Responsible for checking assertions in interfaces interface I static delegation C <<inner>> Checker dynamic delegation Dept. of Computer Science 17 Iowa State University Model Specifications for ADTs JML model fields, methods, and types – Specification-purpose fields, methods, and types Model fields – Can be accompanied with abstraction functions public class StackImpl implements Stack { private java.util.List contents; /*@ public depends elems <- contents; @ private represents elems <- contents.toArray(); @*/ /* … */ } Dept. of Computer Science 18 Iowa State University Model Specifications (Cont.) Model field access methods – Generated from specific form of “represents” clauses – Calculate abstract (specification) values from concrete (program) values – Replaces model fields appearing in assertions // generated from “represents elems <- contents.toArray();” public Object[] model$elems() { return contents.toArray(); } Dept. of Computer Science 19 Iowa State University Conclusion JML runtime assertion checker – – – – Executes many quantified expressions Supports specification inheritance Works with abstract specifications Thus, provides a practical, formal specification-based debugging (and testing) tool to Java programmers JML distribution available from www.jmlspecs.org Dept. of Computer Science 20 Iowa State University