A Runtime Assertion Checker for the Java Modeling Language (JML)
Yoonsik Cheon and Gary T. Leavens, Dept. of Computer Science
SERP 2002, June 24-27, 2002.


Dept. of Computer Science, Iowa State University

Slide 2: Motivation
Goal
– To improve the quality of software by using formal interface specifications
Reality
– Formal specifications are seldom used in practice, due to the lack of an immediate, tangible payoff to programmers
Contribution: runtime assertion checking
– A practical debugging (and testing) tool
– Brings the benefits of writing formal specifications to programmers

Slide 3: Related Work
Eiffel
– Integrates executable specs into the programming language, an approach often called Design by Contract (DBC)
– But it is hard to write complete, abstract specifications:
  – No purity checking
  – No quantified expressions
  – No specification-only fields, methods, and types
  – No immutable version of collection types
DBC tools for Java
– Jass, iContract, Handshake, jContractor, Contract Java, etc.
– Same problem as Eiffel

Slide 4: Outline
– Java Modeling Language (JML)
– General approach
– Translating JML specifications
  – JML expressions
  – Method specifications
  – Inheritance of specifications
  – Interface specifications
  – Model specifications
– Conclusion

Slide 5: An Overview of JML
Java Modeling Language (JML)
– Formal behavioral interface specification language for Java
– Hoare-style pre- and postconditions
– Influenced by Eiffel and by model-oriented specification languages such as VDM and Larch
– Can write complete interface specifications

Slide 6: An Overview of JML (cont.)
Example in JML (the JML annotations are written as //@ comments; the right-hand sides lost in the slide extraction are filled in from the stack behavior the clauses describe, with elems[0] as the top of the stack):

    public interface Stack {
      //@ model Object[] elems;             // specification-only (model) field
      //@ old int len = elems.length;       // pre-state value of elems.length
      //@ requires e != null;
      //@ modifies elems;
      //@ ensures elems.length == len + 1 && elems[0] == e &&
      //@   (\forall int i; 0 <= i && i < len; elems[i+1] == \old(elems[i]));
      void push(Object e);
    }

Slide 7: General Approach
Runtime assertion checking
– Translates JML assertions into runtime check code
– Transparent (except for performance) unless assertions are violated
Tool chain: jmlc compiles Stack.java to Stack.class, which runs on the JVM together with jml-runtime.jar

Slide 8: Translating JML Expressions
JML expressions
– Side-effect-free subset of Java expressions
Challenges
– Undefinedness (due to runtime errors, exceptions, non-executable clauses, etc.)
– Quantified expressions (\forall, \exists, \sum, etc.)

Slide 9: Undefinedness of Expressions
JML semantics
– An undefined expression denotes an arbitrary expressible value (of the correct type)
– E.g., a[i] != null, which is undefined when evaluating a[i] throws
Goals
– To catch as many errors as possible
– To be faithful to the JML semantics

Slide 10: Undefinedness (cont.)
Approach: local, contextual interpretation
– Interpreted locally, by the smallest enclosing boolean expression
– The boolean value is determined contextually
– E.g., true for "a[i] != null" in

    //@ requires !(a[i] != null);
    void foo(int i) { /* … */ }

Slide 11: Quantified Expressions
Quantifiers in JML
– Universal and existential (\forall and \exists)
– Generalized (\sum, \product, \min, and \max)
– Numerical (\num_of)
Extensible framework
– Type extent-based approach
– Static analysis approach

Slide 12: Static Analysis Approach
Collections for reference types:

    (\forall Student p; ta.contains(p) || ra.contains(p); p.credits() <= 12)

Intervals for numeric types:

    (\sum int x; x > 1 && x < 5; x)

Enumeration for the boolean type

Slide 13: Translating Method Specifications
Method specifications in JML
– Rich set of syntactic sugars: multiple clauses, nested specifications, case analysis, etc.
Approach
– Desugaring specifications
– Assertion check methods: precondition check methods, postcondition check methods (normal and exceptional), invariant check methods, etc.
– Wrapper methods

Slide 14: Wrapper Methods
Specification:

    //@ requires P;
    //@ ensures Q;
    //@ signals S;
    //@ invariant I;
    T m(…) { body; }

Generated code (the original body is renamed original$m and a wrapper takes its place):

    T m(…) {
      checkInv$m();                    // I
      checkPre$m(…);                   // P
      try {
        try {
          original$m(…);
          checkPost$m(…);              // Q
        } catch (JMLAssertionException e) { … }
        catch (Throwable e) {
          checkXPost$m(…);             // S
        }
      } finally {
        if (…) { check$Inv(); }        // I
      }
    }

Slide 15: Inheritance of Specifications
Specification inheritance
– Through subclassing, interfaces, and refinement
Challenge
– Whether a supertype's assertion check methods exist is not known at compile time (e.g., due to separate compilation)

Slide 16: Inheritance of Specifications (cont.)
Approach
– Dynamic delegation using Java's reflection facility:
  1. Check local assertions
  2. Check inherited assertions, i.e., for each supertype:
     2.1 Look up the corresponding assertion check method
     2.2 Invoke the target method
     2.3 Combine the result appropriately
  3. Report an assertion violation based on the combined result
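Steps 1 to 3 written out for inherited preconditions, as an added example and not the checker's own code: the check-method naming scheme checkPre$<method>$<Class>, the JMLAssertionException class and the Account classes are assumptions, and only the superclass chain is walked (interface surrogates, which the next slide covers, are left out). The combination rule is JML's: a subtype's precondition is the disjunction of its own and the inherited ones.

```java
import java.lang.reflect.Method;
// Added example, not jmlc's code: dynamic delegation to supertypes' precondition
// check methods via reflection (slide 16). The naming scheme checkPre$<method>$<Class>
// and JMLAssertionException are assumed; interface surrogates (slide 17) are not handled.
class JMLAssertionException extends RuntimeException { JMLAssertionException(String m) { super(m); } }
class Account {                                      // compiled with assertion checks
    protected int balance = 50;
    public boolean checkPre$withdraw$Account(int amount) {   // requires amount > 0 && amount <= balance;
        return amount > 0 && amount <= balance;
    }
    public void withdraw(int amount) { balance -= amount; }
}
class OverdraftAccount extends Account {             // also requires amount > 0 && amount <= balance + 100;
    public boolean checkPre$withdraw$OverdraftAccount(int amount) {
        return amount > 0 && amount <= balance + 100;
    }
}
final class InheritedPre {
    // JML joins inherited and local preconditions with "also", i.e. by disjunction.
    static boolean holds(Object receiver, String method, Class<?>[] sig, Object... args) {
        boolean ok = false;                              // neutral element of ||
        // 1: local assertions, then 2: each supertype up the class chain
        for (Class<?> c = receiver.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            String name = "checkPre$" + method + "$" + c.getSimpleName();
            Boolean r = lookupAndInvoke(receiver, c, name, sig, args);
            if (r != null) ok = ok || r;                 // 2.3: combine; an absent method adds nothing
        }
        return ok;                                       // 3: the caller reports a violation if false
    }
    private static Boolean lookupAndInvoke(Object receiver, Class<?> c, String name,
                                           Class<?>[] sig, Object[] args) {
        try {
            Method m = c.getDeclaredMethod(name, sig);   // 2.1: look up (declared, not virtual)
            return (Boolean) m.invoke(receiver, args);   // 2.2: invoke
        } catch (NoSuchMethodException e) {
            return null;      // supertype compiled without checks (separate compilation)
        } catch (ReflectiveOperationException e) {
            throw new JMLAssertionException("cannot evaluate " + name + ": " + e);
        }
    }
    public static void main(String[] args) {
        OverdraftAccount acct = new OverdraftAccount();
        Class<?>[] sig = { int.class };
        if (!holds(acct, "withdraw", sig, 120))        // within the subtype's overdraft case only
            throw new JMLAssertionException("precondition of withdraw violated");
        if (!holds(acct, "withdraw", sig, 200))        // allowed by neither case
            throw new JMLAssertionException("precondition of withdraw violated");
    }
}
```

Looking the method up with getDeclaredMethod on each class (rather than getMethod on the receiver) matters: invoke dispatches virtually, so without the class name in the method name a subtype's check method would shadow the inherited one.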

Slide 17: Interface Specifications
Problem
– Can't add assertion check methods to interfaces
Surrogate classes
– Static inner classes of interfaces
– Responsible for checking assertions in interfaces
[Figure: interface I, its <<Checker>> surrogate class, and an implementing class C, connected by static delegation and dynamic delegation]

Slide 18: Model Specifications for ADTs
JML model fields, methods, and types
– Specification-purpose fields, methods, and types
Model fields
– Can be accompanied by abstraction functions (depends and represents clauses; the right-hand sides are filled in from the next slide's represents clause):

    public class StackImpl implements Stack {
      private java.util.List contents;
      //@ public depends elems <- contents;
      //@ private represents elems <- contents.toArray();
      /* … */
    }

Slide 19: Model Specifications (cont.)
Model field access methods
– Generated from a specific form of "represents" clauses
– Calculate abstract (specification) values from concrete (program) values
– Replace model fields appearing in assertions

    // generated from "represents elems <- contents.toArray();"
    public Object[] model$elems() { return contents.toArray(); }
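The wrapper-method scheme of slide 14 combined with the model field access method of slide 19, written out by hand for the Stack.push specification of slide 6. This is an added example, not jmlc's generated code; the check-method names, the JMLAssertionException class, the old-value snapshot and the invariant elems != null are assumptions made here.

```java
import java.util.ArrayList;
import java.util.List;
// Added example, not jmlc output: hand-written wrapper for Stack.push (slides 6, 14 and 19).
// Check-method names, JMLAssertionException and the invariant "elems != null" are assumed.
class JMLAssertionException extends RuntimeException { JMLAssertionException(String m) { super(m); } }
interface Stack { void push(Object e); }

class StackImpl implements Stack {
    private final List<Object> contents = new ArrayList<>();   // index 0 is the top
    // model field access method, generated from "represents elems <- contents.toArray();"
    public Object[] model$elems() { return contents.toArray(); }
    // the original body, renamed so the wrapper below takes its place
    private void original$push(Object e) { contents.add(0, e); }

    public void push(Object e) {                     // wrapper method that clients call
        checkInv$push();                             // I
        checkPre$push(e);                            // P
        Object[] oldElems = model$elems();           // snapshot for \old(elems) and "old int len"
        try {
            try {
                original$push(e);
                checkPost$push(e, oldElems);         // Q
            } catch (JMLAssertionException ex) {
                throw ex;                            // a violation is not an exceptional exit
            } catch (Throwable t) {
                checkXPost$push(t);                  // S
            }
        } finally {
            checkInv$push();                         // I, on normal and exceptional exit
        }
    }
    private void checkInv$push() {
        if (!(model$elems() != null)) throw new JMLAssertionException("invariant of Stack violated");
    }
    private void checkPre$push(Object e) {
        if (!(e != null)) throw new JMLAssertionException("precondition of push violated");
    }
    private void checkPost$push(Object e, Object[] oldElems) {
        Object[] elems = model$elems();
        int len = oldElems.length;
        boolean ok = elems.length == len + 1 && elems[0] == e;
        for (int i = 0; ok && i < len; i++)          // \forall int i; 0 <= i && i < len;
            ok = elems[i + 1] == oldElems[i];        //   elems[i+1] == \old(elems[i])
        if (!ok) throw new JMLAssertionException("postcondition of push violated");
    }
    private void checkXPost$push(Throwable t) {      // no signals clause: any exception violates
        throw new JMLAssertionException("push exited by " + t);
    }
}
```

Calling new StackImpl().push(null) exercises the precondition check, while push("a") followed by push("b") runs through the normal-postcondition path with the pre-state snapshot supplying \old(elems).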

Slide 20: Conclusion
JML runtime assertion checker
– Executes many quantified expressions
– Supports specification inheritance
– Works with abstract specifications
– Thus provides a practical, formal-specification-based debugging (and testing) tool for Java programmers
JML distribution available from