Download Introduction to JML

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
Document related concepts
no text concepts found
Transcript 
Introduction to JML
Erik Poll
Radboud University Nijmegen
JML – p.1/35
Overview
• The specification language JML
Only a subset, but this subset does cover the most used
features of the language.
• Some of the tools for JML, in particular
1. runtime assertion checking using jmlc/jmlrac
2. extended static checking using ESC/Java2
• Demo of ESC/Java2
JML – p.2/35
JML by Gary Leavens et al.
Formal specification language for Java
• to specify behaviour of Java classes
• to record design &implementation decisions
by adding assertions to Java source code, eg
• preconditions
• postconditions
• invariants
as in Eiffel (Design by Contract), but more expressive.
Goal: JML should be easy to use for any Java programmer.
JML – p.3/35
JML
To make JML easy to use & understand:
• Properties specified as comments in .java source file,
between /*@ . . . @*/, or after //@
(or in a separate file, if you don’t have the source code, eg. of some API)
• Properties are specified in Java syntax, namely as
Java boolean expressions,
• extended with a few operators (\old, \forall,
\result, . . . ).
• using a few keywords (requires, ensures,
invariant, pure, non null, . . . )
JML – p.4/35
Example JML specification
public class IntegerSet {
...
byte[] a; /* The array a is sorted */
...
JML – p.5/35
Example JML specification
public class IntegerSet {
...
byte[] a; /* The array a is sorted */
/*@ invariant
(\forall int i; 0 <= i && i < a.length-1;
a[i] < a[i+1]);
@*/
...
JML – p.6/35
Informal vs Formal
The informal comment “The array a is sorted” and formal
JML invariant
(\forall int i; 0 <= i && i < a.length-1;
a[i] < a[i+1])
document the same property, but
• JML spec has a precise meaning. (Eg. < not <=)
• Precise syntax & semantics allows tool support:
• runtime assertion checking: executing code and
testing all assertions for a given set of inputs
• verification: proving that assertions are never
violated, for all possible inputs
JML – p.7/35
The JML specification language
JML – p.8/35
Running example
public class BankAccount {
final static int MAX_BALANCE = 1000;
int balance;
int debit(int amount) {
balance = balance - amount;
return balance; }
int credit(int amount) {
balance = balance + amount;
return balance; }
public int getBalance(){ return balance; }
...
JML – p.9/35
requires
Pre-condition for method can be specified using requires:
/*@ requires amount >= 0;
@*/
public int debit(int amount) {
...
}
Anyone calling debit has to guarantee the pre-condition.
JML – p.10/35
ensures
Post-condition for method can be specified using ensures:
/*@ requires amount >= 0;
ensures balance == \old(balance)-amount &&
\result == balance;
@*/
public int debit(int amount) {
...
}
Anyone calling debit can assume postcondition (if method
terminates normally, ie. does not throw exception)
\old(...) has obvious meaning
JML – p.11/35
Design-by-Contract
Pre- and postcondition define a contract between a class
and its clients:
• Client must ensure precondition and may assume
postcondition
• Method may assume precondition and must ensure
postcondition
Eg, in the example specs for debit, it is the obligation of the
client to ensure that amount is positive. The requires clause
makes this explicit.
JML – p.12/35
requires, ensures
JML specs can be as strong or as weak as you want.
/*@ requires amount >= 0;
ensures true;
@*/
public int debit(int amount) {
...
}
Default postcondition “ensures true” can be omitted.
Idem for default precondition “requires true”.
JML – p.13/35
invariant
Invariants (aka class invariants) are properties that must be
maintained by all methods, e.g.,
public class BankAccount {
final static int MAX_BAL = 1000;
int balance;
/*@ invariant 0 <= balance &&
balance <= MAX_BAL;
@*/
...
Invariants are implicitly included in all pre- and
postconditions.
Invariants must also be preserved if exception is thrown!
JML – p.14/35
invariant
Another example, from an implementation of a file system:
public class Directory {
private File[] files;
/*@ invariant
files != null
&&
(\forall int i; 0 <= i && i < files.length;
files[i] != null &&
files[i].getParent() == this
@*/
JML – p.15/35
invariant
• Invariants often document important design decisions.
• Making them explicit helps in understanding the code.
• Invariants often lead to pre-conditions:
Eg. in the BankAccount example, the precondition
amount <= balance is needed to preserve the
invariant 0 <= balance
JML – p.16/35
non_null
Many invariants, pre- and postconditions are about
references not being null. non_null is a convenient
short-hand for these.
public class Directory {
private /*@ non null @*/ File[] files;
void createSubdir(/*@ non null @*/ String name){
...
Directory /*@ non null @*/ getParent(){
...
JML – p.17/35
assert
An assert clause specifies a property that should hold at
some point in the code, e.g.,
if (i <= 0 || j
...
} else if (j <
//@ assert
...
} else {
//@ assert
...
}
< 0) {
5) {
i > 0 && 0 < j && j < 5;
i > 0 && j > 5;
JML – p.18/35
assert
JML keyword assert now also in Java (since Java 1.4).
Still, assert in JML is more expressive, for example in
...
for (n = 0; n < a.length; n++)
if (a[n]==null) break;
/*@ assert (\forall int i; 0 <= i && i < n;
a[i] != null);
@*/
JML – p.19/35
signals
Exceptional postconditions can also be specified.
/*@ requires amount >= 0;
ensures true;
signals (BankAccountException e)
amount > balance
&&
balance == \old(balance) &&
e.getReason()==AMOUNT_TOO_BIG;
@*/
public int debit(int amount) { ... }
The implementation given earlier does not meet this specification.
JML – p.20/35
pure
A method without side-effects is called pure.
public /*@ pure @*/ int getBalance(){...
Pure methods – and only pure methods – can be used in
JML specifications.
JML – p.21/35
assignable
Frame properties limit possible side-effects of methods.
/*@
requires amount >= 0;
assignable balance;
ensures balance == \old(balance)-amount;
@*/
public int debit(int amount) {
...
E.g., debit can only assign to the field balance.
NB this does not follow from the post-condition.
Assignable clauses are only needed to allow modular
verification of code, by tools like ESC/Java(2).
Pure methods are assignable \nothing.
JML – p.22/35
JML recap
The JML keywords discussed so far:
• requires
• ensures
• signals
• invariant
• non null
• pure
• \old, code\forall, \exists, \result
This is all you need to know to get started!
JML – p.23/35
Tools for JML
JML – p.24/35
Tools for JML
A formal language allows tool support.
1. Parsing and typechecking
Typos in JML specs are detected, typos in comments are not.
2. Runtime assertion checking
test for violations of assertions during execution
with the tool jmlrac
3. Extended static checking ie. automated program
verification
prove that contracts are never violated at compile-time
with the tool ESC/Java2
4. Interactive program verification:
more about that later
JML – p.25/35
Runtime assertion checking
jmlrac compiler by Gary Leavens & Yoonsik Cheon
• translates JML assertions into runtime checks:
during execution, all assertions are tested and
any violation of an assertion produces an
Error.
• cheap & easy to do as part of existing testing practice
• better testing, because more properties are tested, at
more places in the code
Of course, an assertion violation can be an error in code or
an error in specification.
The jmlunit tool combines jmlrac and unit testing.
JML – p.26/35
Runtime assertion checking
jmlrac can generate complicated test-code for free. E.g., for
/*@ ...
signals (Exception)
balance == \old(balance);
@*/
public int debit(int amount) { ... }
it will test that if debit throws an exception, the balance
hasn’t changed, and all invariants still hold.
jmlrac even checks \forall if the domain of quantification is
finite.
JML – p.27/35
Extended static checking
ESC/Java(2) by Rustan Leino et al.
• tries to prove correctness of specifications,
at compile-time, fully automatically
• not complete: ESC/Java may warn of errors that can
not occur, or time-out
• not sound: ESC/Java may miss an error that can occur
• but finds lots of potential bugs quickly
• good at proving absence of runtime exceptions (eg
Null-, ArrayIndexOutOfBounds-, ClassCast-) and verifying
relatively simple properties.
JML – p.28/35
Extended static checking vs runtime checking
Important differences:
• ESC/Java2 checks specs at compile-time,
jmlrac checks specs at run-time
• ESC/Java2 proves correctness of specs,
jmlrac only tests correctness of specs.
• ESC/Java2 provides higher degree of confidence,
but at a much higher price.
• Academics mainly interested in ESC/Java2,
industrials mainly interested in jmlrac.
JML – p.29/35
Extended static checking vs runtime checking
One of the assertions below is wrong:
if (i <= 0 || j < 0) {
...
} else if (j < 5) {
//@ assert i > 0 && 0 < j && j < 5;
...
} else {
//@ assert i > 0 && j > 5;
...
}
Runtime assertion checking may detect this with a
comprehensive test suite.
ESC/Java2 will detect this at compile-time.
JML – p.30/35
More JML tools
• javadoc-style documentation: jmldoc
• Eclipse plugin
• Other red verification tools:
• LOOP tool + PVS (Nijmegen)
• JACK (Gemplus/INRIA)
• Krakatoa tool + Coq (INRIA)
These tools (also) aim at interactive verification of
complex properties, whereas ESC/Java2 aims at
automatic verification of relatively simple properties.
• runtime detection of invariants: Daikon (Michael Ernst,
MIT)
• model-checking multi-threaded programs: Bogor
(Kansas State Univ.)
JML – p.31/35
Related Work
• jContract tool for Java by Parasoft
• Spec# for C# by Microsoft
• SparkAda - subset of Ada by Praxis Critical Systems
Ltd.
• OCL specification language for UML
JML – p.32/35
Conclusions
• JML (relatively) easy to use and understand, using
familiar syntax
• JML specs added to source code, so
• easy to use incrementally
• no need to construct a separate model
• but. . . maybe lower level that other formal models
JML – p.33/35
Some papers about (using) JML
• Introduction to JML language:
Design by Contract with JML by Leavens and Cheon
• An overview of JML tools and applications by lots of
people
• Experience report about using JML:
Formal specification of the Java Card API in JML: the
APDU class by Poll, van den Berg, and Jacobs
• Experience report about using ESC/Java:
Formal specification of Gemplus’s electronic purse
case study by Cataño and Huisman
JML – p.34/35
Related documents
From the OCL to JML - Department of Computer Science
From the OCL to JML - Department of Computer Science
Checking the DataOutputStream Java Standard Class Homework
Checking the DataOutputStream Java Standard Class Homework
Java for dummies”
Java for dummies”
Software System Verification and Validation Laboratory Assignment 1
Software System Verification and Validation Laboratory Assignment 1
Merit+ Circle Geometry Practice #6
Merit+ Circle Geometry Practice #6
A Safety-Critical Java Technology Compatibility Kit
A Safety-Critical Java Technology Compatibility Kit
JML - UTEP Computer Science
JML - UTEP Computer Science
KENDRIYA VIDYALAYA NEW CANTT ALLAHABAD SESSION
KENDRIYA VIDYALAYA NEW CANTT ALLAHABAD SESSION
Propagation of JML non-null annotations in Java programs
Propagation of JML non-null annotations in Java programs
Statements and expressions
Statements and expressions
The ESC/Java2 tool
The ESC/Java2 tool
Introduction: Apoptosis – programmed cell death significantly
Introduction: Apoptosis – programmed cell death significantly