Accessible Formal Methods A Study of the Java Modeling Language

Accessible Formal Methods: A Study of the Java Modeling Language
Mike Rawding - SUNY Polytechnic Institute - May 2017

Outline
Project Selection and Goals
JML Background
Introduction to JML
OpenJML
Some Examples (Demo)
Specifying StringBuilder
Results

Project Selection
Took a course on Formal Methods
JML struck me as usable and practical
Originally planned to specify and check existing software
Decided instead to specify part of the standard library

JML Background
Introduced in 1999 by Gary Leavens (Iowa State University)
Saw a need for a Java-specific specification language
Outlined the language first
Produced the original tools, jmlc and jmlunit
ESC/Java was later adapted to accept JML

Format
JML lives inside special Java comments whose first character is '@':
  //@ for a single-line annotation
  /*@ ... @*/ for a multi-line annotation (a leading @ on each continuation line is ignored)
Because they are comments, javac ignores them; only JML tools read them
Specifications may be written directly in line with the source code (.java) or in a stand-alone specification file (.jml) that declares the same class and methods without bodies

Method Interfaces
Preconditions: what is required of the caller when the method begins execution
Postconditions: what outcome the method guarantees when it returns
Side Effects: what state the method may change

User Object
String name
int age
int numLogins
The usual setters/getters

Preconditions
Predicates defined with the requires clause

Postconditions
Predicates defined with the ensures clause; \result names the return value and \old(e) the value of e on entry

Side Effects
Defined with the assignable clause, which lists the locations the method may modify (\nothing if none)

Side Effects
If a method never has side effects, it may be marked pure

Side Effects
Specifications themselves may not cause side effects:
  they may not assign to variables
  they may only call pure methods
Otherwise checking a specification could change the program it is checking
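The User object and the requires, ensures, assignable and pure clauses from the preceding slides, as one added example. This is illustrative code written for this page, not the class from the presentation's demo; the field set comes from the slides, while the age bound of 150, the method names and the recordLogin method are assumptions made here. The fields are declared spec_public so the public specifications may mention them (see the Visibility slide below).

```java
// Added example (not from the presentation): a User class specified in JML.
// Assumed: the age range 0..150 and the recordLogin method.
public class User {

    // spec_public lets a private field appear in a public specification.
    private /*@ spec_public @*/ String name;
    private /*@ spec_public @*/ int age;
    private /*@ spec_public @*/ int numLogins;

    //@ requires name != null;
    //@ requires 0 <= age && age <= 150;
    //@ ensures this.name == name;
    //@ ensures this.age == age;
    //@ ensures numLogins == 0;
    public User(String name, int age) {
        this.name = name;
        this.age = age;
        this.numLogins = 0;
    }

    // Pure getters have no side effects, so they may be called from
    // other specifications (e.g. the ensures clauses of the setters).
    //@ ensures \result == name;
    public /*@ pure @*/ String getName() { return name; }

    //@ ensures \result == age;
    public /*@ pure @*/ int getAge() { return age; }

    //@ ensures \result == numLogins;
    public /*@ pure @*/ int getNumLogins() { return numLogins; }

    //@ requires name != null;
    //@ assignable this.name;
    //@ ensures getName() == name;
    public void setName(String name) { this.name = name; }

    //@ requires 0 <= age && age <= 150;
    //@ assignable this.age;
    //@ ensures getAge() == age;
    public void setAge(int age) { this.age = age; }

    /*@ requires numLogins < Integer.MAX_VALUE;   // rules out overflow
      @ assignable numLogins;
      @ ensures numLogins == \old(numLogins) + 1;
      @*/
    public void recordLogin() {
        numLogins++;
    }
}
```

The annotations are ordinary comments to javac, so the class compiles and runs unchanged; running it through OpenJML with -rac turns each clause into a run-time check, and -esc attempts to prove each method body against its contract statically. A caller that passes a null name or an out-of-range age violates a precondition, which is reported at the call site rather than surfacing later as a NullPointerException or bad data.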

Visibility
Specifications have visibility just like other Java elements
Visibility may be implicit (taken from the method) or explicit (e.g. public normal_behavior)
A specification may not mention fields that are more restricted than the specification itself: a public specification cannot refer to a private field unless that field is declared spec_public (or spec_protected)

Multiple Behaviors
Multiple behaviors may be defined for one method, each selected by its own precondition and joined with also
normal_behavior describes a case that returns normally; exceptional_behavior describes a case that must throw

Class Invariants
Predicates defined with the invariant keyword
Must hold in all visible states (on entry to and exit from every non-helper method)
Act as universal preconditions and postconditions
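Class invariants and multiple behaviors (the two preceding slides) in one added example, again written for this page rather than taken from the presentation. The LoginThrottle class, the five-failure limit and the method names are assumptions chosen to keep the example close to the User domain above.

```java
// Added example (not from the presentation): invariants plus normal and
// exceptional behaviors in JML. Class, limit and method names are assumed.
public class LoginThrottle {

    public static final int MAX_FAILURES = 5;

    private /*@ spec_public @*/ int failures;
    private /*@ spec_public @*/ boolean locked;

    // Invariants must hold in every visible state, so they act as an implicit
    // pre- and postcondition of every non-helper method.
    //@ public invariant 0 <= failures && failures <= MAX_FAILURES;
    //@ public invariant locked <==> failures == MAX_FAILURES;

    //@ ensures failures == 0 && !locked;
    public LoginThrottle() {
        failures = 0;
        locked = false;
    }

    //@ ensures \result == locked;
    public /*@ pure @*/ boolean isLocked() { return locked; }

    //@ ensures \result == failures;
    public /*@ pure @*/ int getFailures() { return failures; }

    // Two behaviors joined with 'also': which one applies is decided by the
    // preconditions, which here are mutually exclusive and together exhaustive.
    /*@ public normal_behavior
      @   requires !locked;
      @   assignable failures, locked;
      @   ensures failures == \old(failures) + 1;
      @   ensures locked <==> failures == MAX_FAILURES;
      @ also
      @ public exceptional_behavior
      @   requires locked;
      @   assignable \nothing;
      @   signals_only IllegalStateException;
      @*/
    public void recordFailure() {
        if (locked) {
            throw new IllegalStateException("account is locked");
        }
        failures++;               // invariant guarantees failures < MAX here
        if (failures == MAX_FAILURES) {
            locked = true;        // keeps the second invariant true
        }
    }

    // Administrative reset; the only way out of the locked state.
    /*@ public normal_behavior
      @   assignable failures, locked;
      @   ensures failures == 0 && !locked;
      @*/
    public void reset() {
        failures = 0;
        locked = false;
    }
}
```

The second invariant ties the two fields together, which is what lets the verifier discharge the normal case of recordFailure: from !locked it knows failures != MAX_FAILURES, and with the first invariant that failures < MAX_FAILURES, so the increment cannot exceed the bound. Dropping the 'if (failures == MAX_FAILURES)' update would make ESC report the invariant as violated on exit, and RAC would throw at run time when the fifth failure is recorded.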

OpenJML
Previous tools are dead:
  jmlc
  jmlunit
  JMLUnitNG
  jmldoc
  ESC/Java
  ESC/Java2
OpenJML is the current toolkit for dealing with JML
  Eclipse plugin and command-line interface
  JML type checking
  Runtime Assertion Checking (RAC)
  Extended Static Checking (ESC)

Adding Library Specifications
When checking new specifications, OpenJML assumes the existing specifications of the code being called to be true
If a called method has no specification, nothing can be assumed about its result or its effects
When working with unspecified libraries the user therefore gets lots of JML errors
It can be hard to tell whether their new code is really flawed (misusing a library) or whether the library simply has no specification

Adding Library Specifications
Above all else, specifications must be accurate: other specifications depend on them
They should be as complete as possible, ideally specifying all possible behaviors of each method

Adding Library Specifications
Start with invariants
Take advantage of lightweight specifications and iterate, adding more detail on each pass
Create a driver program that uses (and misuses) all methods, so that both the normal and the exceptional behaviors are exercised
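The workflow from the three preceding slides, as an added example: a stand-alone .jml specification file for a small subset of java.lang.StringBuilder together with a driver that uses and deliberately misuses it. This is illustrative code written for this page; it is not the StringBuilder specification the presentation submitted to OpenJML. The model field size is an abstraction introduced here to hide the private character array, the class header is abbreviated from the JDK's, and only the constructor, length, charAt, append(String), deleteCharAt and toString are specified; the exceptions named are the ones the JDK documents for those methods.

```java
// Added example (not from the presentation): two files shown in one listing.
//
// File 1: java/lang/StringBuilder.jml
// A specification file declares the class and methods without bodies.
package java.lang;

public final class StringBuilder implements java.io.Serializable, CharSequence {

    //@ public model int size;              // abstract length (assumed name)
    //@ public invariant size >= 0;

    //@ public normal_behavior
    //@   ensures size == 0;
    public StringBuilder();

    //@ public normal_behavior
    //@   ensures \result == size;
    public /*@ pure @*/ int length();

    /*@ public normal_behavior
      @   requires 0 <= index && index < size;
      @ also
      @ public exceptional_behavior
      @   requires index < 0 || index >= size;
      @   signals_only IndexOutOfBoundsException;
      @*/
    public /*@ pure @*/ char charAt(int index);

    // Accurate rather than convenient: append(null) appends the text "null".
    /*@ public normal_behavior
      @   assignable size;
      @   ensures size == \old(size) + (str == null ? 4 : str.length());
      @   ensures \result == this;
      @*/
    public StringBuilder append(String str);

    /*@ public normal_behavior
      @   requires 0 <= index && index < size;
      @   assignable size;
      @   ensures size == \old(size) - 1;
      @   ensures \result == this;
      @ also
      @ public exceptional_behavior
      @   requires index < 0 || index >= size;
      @   assignable \nothing;
      @   signals_only StringIndexOutOfBoundsException;
      @*/
    public StringBuilder deleteCharAt(int index);

    //@ public normal_behavior
    //@   ensures \result != null && \result.length() == size;
    public /*@ pure @*/ String toString();
}

// File 2: StringBuilderDriver.java
// Exercises every specified method; one call is a deliberate misuse.
public class StringBuilderDriver {

    //@ requires name != null;
    //@ ensures \result != null;
    public static String greeting(String name) {
        StringBuilder sb = new StringBuilder();
        sb.append("Hello, ");                 // 7 characters
        sb.append(name);
        sb.append("!!");
        //@ assert sb.length() == 9 + name.length();
        sb.deleteCharAt(sb.length() - 1);     // drop one of the two '!'
        //@ assert sb.length() == 8 + name.length();
        return sb.toString();
    }

    // Deliberate misuse: charAt(0) on an empty builder. ESC reports the
    // unsatisfied precondition statically; RAC throws a precondition
    // violation at run time instead of the JDK's IndexOutOfBoundsException.
    public static char firstChar() {
        StringBuilder sb = new StringBuilder();
        return sb.charAt(0);
    }

    public static void main(String[] args) {
        System.out.println(greeting("world"));   // Hello, world!
        try {
            firstChar();
        } catch (RuntimeException e) {
            System.out.println("misuse caught: " + e);
        }
    }
}
```

Point OpenJML at the directory holding java/lang/StringBuilder.jml with -specspath and run the driver under -esc or -rac; without such a file, every call into StringBuilder is checked against the default contract and the asserts in greeting cannot be established, which is exactly the flood of warnings the slides describe. The driver's misuse is what validates the exceptional_behavior clauses: a specification that was never exercised in its failing cases has not been shown accurate.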

Demo

Results
Added StringBuilder support to OpenJML
All specifications, and the drivers demonstrating their correctness, have been submitted to the owner of the OpenJML project
Expected to be merged into the general JML spec repository
Demonstrated the usability of JML
Provided feedback and bug reports to the OpenJML project

Bugs Reported
ESC reports errors with incorrect line numbers
During ESC, user unable to maintain focus on console
ESC error dereferencing arguments in specifications even if the behavior clause has defined them as not null
An identifier with public visibility may not be used in an invariant clause with package visibility
RAC does not correctly check side effects
RAC causes Java exceptions when accessing hidden attributes that have been marked spec_public
ESC may behave differently depending on order of code (OpenJML bug #502)

Enhancements Suggested
Better error reporting on compile errors ("Error code 4, internal JML error")
A console tab that contains only the output from the previous RAC/ESC run
During ESC, user unable to maintain focus on console
Add a warning that indicates whether a failure is based on an unspecified method (still concerning, but less likely to be a legitimate error)
Integrating JMLDoc with OpenJML would be extremely useful