The Java Modeling Language

The Java Modeling Language
Based on: Gary T. Leavens, et al., JML Tutorial at OOPSLA 2009. Gary. T Leavens, et al., Preliminary Design of JML: A Behavioral Interface Specification Language for Java, ACM SIGSOFT Software Engineering Notes, 31(3):1-38, May, 2006.

Outline JML overview Reading and writing JML specifications
Abstraction in specification Subtyping and specification inheritance 2 2 2

Overview of JML Java Modeling Language (JML) JML’s goals Formal
Sequential Java Functional behavior of APIs JML’s goals Practical, effective for detailed designs Inter-module interfaces Classes and interfaces Data (fields) Methods Existing code Wide range of tools 3 3 3

Basic Approach of JML “Eiffel + Larch for Java”
Hoare-style (contracts) Method pre- and post-conditions Invariants 4 4 4

First JML Specification
public class ArrayOps { private Object[] a; public invariant 0 < a.length; requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 5 5 5

Field Specification with spec_public
public class ArrayOps { private Object[] a; public invariant 0 < a.length; requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 6 6 6

Class Invariant public class ArrayOps {
private Object[] a; public invariant 0 < a.length; requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 7 7 7

Method Specification public class ArrayOps {
private Object[] a; public invariant 0 < a.length; requires 0 < arr.length; @ ensures this.a == arr; @*/ public void init(Object[] arr) { this.a = arr; } 8 8 8

Interface Specification
JML Specification Syntactic Interface Functional Behavior Java Code 9

Interface Specification
requires 0 < arr.length; @ ensures this.a == public void init(Object[] arr); requires 0 < arr.length; ensures this.a == arr; public void init(Object[] arr); public void init(Object[] arr) { this.a = arr; } 10

Comparison with Other Formal Specification Languages
Like … but for Java VDM, but OO features Eiffel, but Features for formal verification Spec#, but Different invariant methodology More features for formal verification Unlike OCL and Z More Java-like syntax Tailored to Java semantics 11

Many Tools, One Language
12

How JML Tools Complement Each Other
Different strengths: Runtime checking — real errors Static checking — better coverage Verification — guarantees Usual ordering: Runtime checker (jmlc and jmlunit) Extended Static Checking (ESC/Java2) Verification tool (e.g., KeY, JACK, Jive) 13

JML Annotations Not Java annotations (starting with @)
JML annotation comments Line starting with Between starting lines 15

Most Important JML Keywords
Top-level in classes and interfaces: invariant spec_public nullable For methods and constructors: requires ensures assignable pure 16

Example: BoundedStack
Specify bounded stacks of objects Steps Data and invariant Constructor Methods like push, pop, and top 17

BoundedStack’s Data and Invariant
public class BoundedStack { private spec_public Object[] elems; private int size = 0; public invariant 0 <= size; public invariant elems != null @ && (\forall int i; @ size <= i && i < elems.length; @ elems[i] == null); @*/ Nullable for elems itself or its elements? size <= elems.length? 18

BoundedStack’s Constructor
requires 0 < n; @ assignable elems; @ ensures elems.length == n; @*/ public BoundedStack(int n) { elems = new Object[n]; } 19

BoundedStack’s push Method
requires size < elems.length - 1; @ assignable elems[size], size; @ ensures size == \old(size + 1); @ ensures elems[size - 1] == x; @ ensures_redundantly @ (\forall int i; 0 <= i && i < size - 1; elems[i] == \old(elems[i])); @*/ public void push(Object x) { elems[size] = x; size++; } 20

BoundedStack’s pop Method
requires 0 < size; @ assignable size, elems[size - 1]; @ ensures size == \old(size - 1); @ ensures_redundantly @ elems[size] == null && @ (\forall int i; 0 <= i && i < size - 1; elems[i] == \old(elems[i])); @*/ public void pop() { size--; elems[size] = null; } 21

BoundedStack’s top Method
requires 0 < size; @ assignable \nothing; @ ensures \result == elems[size - 1]; @*/ public Object top() { return elems[size – 1]; } 22

JML Keywords Used spec_public nullable invariant must be:
Public visibility Only for specification purposes nullable field (and array elements) may be null Default is non_null invariant must be: True at end of constructor Preserved by each method (except for helper methods) 23

JML Keywords Used requires clause: ensures clause: Precondition
Obligation on callers, after parameter passing Assumed by implementor ensures clause: Postcondition Obligation on implementor, at return Assumed by caller 24

Semantics of requires and ensures
25

26

27

JML Keywords Used (Cont.)
assignable Frame axiom Locations (fields) in pre-state New object fields not covered Mostly checked statically Synonyms: modifies, modifiable pure No side effects Implies assignable \nothing Allows method’s use in specifications 28

Assignable Is a Shorthand
assignable gender; ensures gender.equals(g); means ensures \only_assigned(gender) && gender.equals(g); 29

JML Keywords Used (Cont.)
Redundant clauses (ensures_redundantly) Alerts reader States something to prove Must be implied by: ensures clauses, assignable clause, invariant, and JML semantics. Also requires_redundantly, etc. 30

Multiple Clauses Semantics: is equivalent to:
requires P; requires Q; is equivalent to: requires P && Q; Similarly for ensures, invariant. Note: checkers give more specific messages with multiple clauses. 31

Defaults for Omitted Clauses
invariant true; requires true; assignable \everything; ensures true; 32

Expression Keywords \result = method’s return value.
\old(E) = pre-state value of E. (\forall T x; P; Q) = {Q | x  T  P} (\exists T x; P; Q) = {Q | x  T  P} (\min T x; P; E) = min{E | x  T  P} (\sum T x; P; E) = {E | x  T  P} (\num_of T x; P; Q) = {1 | x  T  P  Q} … 33

Steps for Specifying a Type for Public Clients
Specify data (spec_public fields) Specify a public invariant Specify each public method using: requires assignable (or pure) ensures 34

Exercise Specify the following stack methods
int capacity(): capacity of this stack? int size(): no. of elements? boolean isEmpty(): has no element? int search(Object o): 1-based position of given object in this stack? private spec_public Object[] elems; private int size = 0; 35

Solution //@ ensures \result == elems.length;
public pure int capacity() { …} ensures \result == size; public pure int size()() { …} ensures \result == (size == 0); public pure boolean isEmpty() { …} private spec_public Object[] elems; private int size = 0; 36

Solution /** Return a 1-based position of given object in this stack. */ ensures (\exists int i; i >= 0 && i < size; elems[i] == o) ? \result > 0 && \result <= size && elems[\result - 1] == o : \result == public pure int search(Object o) { …} Q: the first (or last) from the top? private spec_public Object[] elems; private int size = 0; 37

Exercise: BagOfInt Specify the following. public class BagOfInt {
private int[] a; private int n; // number of elements contained in a /** Initialize to contain input’s elements. */ public BagOfInt(int[] input); /** Return the multiplicity of i. */ public int occurrences(int i); // Hint: use (\num_of T x, P; Q) /** Return and delete the minimum element. */ public int extractMin(); } 38

Solution: Data and Constructor
public class BagOfInt { /** Elements. */ private spec_public int[] a; /** Number of active elements in a. */ private int n; public invariant 0 <= n && n <= a.length; /** Initialize to contain input’s elements. */ assignable a, n; @ ensures n == input.length; @ ensures (\forall int i; 0 <= i && i < n; a[i] == public int[] input); non_null for int array? 39

Solution: Methods /** Return the multiplicity of i. */
ensures \result == (\num_of int j; 0 <= j && j < n; a[j] == public int occurrences(int i); /** Return and delete the minimum element. */ requires n > 0; @ assignable n, a, a[*]; @ ensures n == \old(n - 1); @ ensures \result == \old((\min int j; 0 <= j && j < n; a[j])); @ ensures (\forall int j; 0 <= j && j < \old(n); @ (\old(a[j]) != \result ==> @ occurrences(\old(a[j])) == \old(occurrences(a[j]))) && @ (\old(a[j]) == \result ==> @ occurrences(\old(a[j])) == \old(occurrences(a[j]) - 1))); @*/ public int extractMin(); 40

Thought: Using Java 8 Streams
Problem JML quantifiers (\forall and \exists) for arrays and collections Low level assertions (long and less readable), e.g., (\exists int i; i >= 0 && i < size; elems[i] == obj) High-level abstractions like OCL collection iterators? Use Java 8 streams and lambda expressions E.g., Stream.of(elems).matchAny(e -> e == obj) Concise and more readable assertions Refer to Java 8 Stream API Q: Effectiveness and comparison with OCL? 41

Java 8 Stream API boolean allMatch(predicate)
boolean anyMatch(predicate) boolean nonMatch(predicate) Stream<T> filter(predicate) Stream<R> map(mapper) Stream<R> flatMap(mapper) Optional<T> reduce(identity, accumulator) Optional<T> reduce(identity, accumulator, combiner) Optional<T> findAny() Optional<T> findFirst() Optional<T> max(comparator) Optional<T> min(comparator) … 42

Example: Ship public class Ship {
Place 0..1 0..* public class Ship { private final List<Place> places; // Q: Meaning? why? sufficient? public invariant (\forall int i; 0 <= i && i < places.size(); @ places.get(i).getShip() == this); @*/ public invariant places.stream().matchAll(p -> p.getShip() == this); // Q: A row of consecutive places, either horizontally or vertically? 43

Question for You What’s wrong with this and how to fix it?
Hint: Undefinedness public class ScreenPoint { private int x, y; public invariant 0 <= x && 0 <= y; requires 0 <= cs[0] && 0 <= cs[1]; assignable x, y; ensures x == cs[0] && y == cs[1]; public ScreenPoint(int[] cs) { x = cs[0]; y = cs[1]; } 44

Solution A: Undefined expression public class ScreenPoint {
private int x, y; public invariant 0 <= x && 0 <= y; requires 2 <= cs.length; requires 0 <= cs[0] && 0 <= cs[1]; assignable x, y; ensures x == cs[0] && y == cs[1]; public ScreenPoint(int[] cs) { x = cs[0]; y = cs[1]; } 45

Writing Protective Specifications
Clauses evaluated left to right Short-circuit operators can prevent evaluation G && P, G || P G ==> P, G <== P (implication and backward implication) Use multiple clauses (equivalent to &&) 46

Multiple Specification Cases
For different preconditions May overlap Used to specify exceptions Used with specification inheritance 47

Example private /*@ spec_public @*/ int age;
requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a > 150; @ assignable \nothing; @ ensures age == \old(age); @*/ public void setAge(int a) { if (0 <= a && a <= 150) age = a; } 48

Semantics of Multiple Cases
49

Meaning of “also” Rewrite to conjoin (frame must be the same).
private int age; requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a > 150; @ assignable \nothing; @ ensures age == \old(age) && only_assigned(\nothing); @*/ public void setAge(int a) { if (0 <= a && a <= 150) age = a; } 50

Meaning of “also” requires (0 <= a && a <= 150) || (a < 0 || a > 150); assignable age; ensures \old(0 <= a && a <= 150) ==> (age == a); ensures \old(a < 0 || a > 150) ==> (age == \old(age) && \only_assigned(\nothing)); 51

Views of Multiple Cases
Client can verify by: Picking one spec case Assert precondition Assume frame and postcondition Picking several cases Compute their join Assert joined precondition Assume frame and joined postcondition Implementor can: Verify each case, or Verify their join 52

Specifying Exceptions
Use features such as exceptional_behavior spec cases signals_only clause signals clause

Example public class Actor { private /*@ spec_public @*/ int age;
private int fate; public invariant 0 <= age && age <= fate; 54

Example /*@ public normal_behavior @ requires age < fate - 1;
@ assignable age; @ ensures age == \old(age+1); @ also @ public exceptional_behavior @ requires age == fate - 1; @ signals_only DeathException; @ signals (DeathException e) age == fate; @*/ public void older() throws DeathException 55

signals (Exception) false;
Example public normal_behavior @ requires age < fate - 1; @ assignable age; @ ensures age == \old(age+1); @ also @ public exceptional_behavior @ requires age == fate - 1; @ signals_only DeathException; @ signals (DeathException e) age == fate; @*/ public void older() throws DeathException semantics: signals (Exception) false; semantics: ensures false; Lightweight vs. heavyweight specs: \not_specified as default

Exercise: Using Multiple Cases
Specify the 3x + 1 or “hailstone” function, h, such that: h(n) = (3 *n + 1)/2, if n > 0 and is odd n / 2, if n > 0 and is even and h is undefined on negative numbers. (Collatz conjecture: you shall always eventually reach 1 by repeating the process.) 57

Solution /*@ requires 0 < n; @ requires n % 2 != 0;
@ ensures \result == (3*n+1)/2; @ also @ requires 0 < n; @ requires n % 2 == 0; @ ensures \result == n/2; @*/ public static int h(int n) 58

Solution Using Nesting
requires 0 < n; @ {| requires n % 2 != 0; @ ensures \result == (3*n+1)/2; @ also @ requires n % 2 == 0; @ ensures \result == n/2; @ |} @*/ public static int h(int n) 59

Exercise: Ship Specify the addPlace() method. public class Ship {
0..1 0..* Specify the addPlace() method. public class Ship { private final List<Place> places; /** Append the given place to the list of places on which this ship is placed. */ public void addPlace(Place place) { if (!places.contains(place)) { places.add(place); } if (place.ship() != this) { place.placeShip(this); } } public class Place { private spec_public Ship ship; 60

Motivating Example Specify the remove method given below.
Q: Meaning of the second invariant? public class SetOfObject { private spec_public Object[] a; /** Number of active elements in a. */ private int n; public invariant 0 <= n && n <= a.length; public invariant @ (\forall int i; 0 <= i && i < n; @ (\forall int j; 0 <= j && j < n; i != j ==> a[i] != /** Remove the argument from this set. */ public void remove(Object o); non_null for int array? 62

Solution Q: How to know the new set has no other elements?
requires (\exists int i; 0 <= i && i < n; a[i] == o); @ assignable n, a, a[*]; @ ensures n == \old(n - 1); @ ensures (\forall int i; 0 <= i && i < \old(n); @ (\old(a[i]) == o ==> !(\exists int j; 0 <= j && j < n; a[j] == o) && @ (\old(a[i]) != o ==> (\exists int j; 0 <= j && j < n; a[j] == o); @*/ public void remove(Object o); Long and hard to read and understand! Implementation details exposed! 63

Better but still low level; manipulation of concrete representation
Better Solution requires has(o); @ assignable n, a, a[*]; @ ensures n == \old(n - 1); @ ensures (\forall int i; 0 <= i && i < \old(n); @ (\old(a[i]) == o ==> !has(o)) && @ (\old(a[i]) != o ==> has(o)) @*/ public void remove(Object o); ensures \result == (\exists int i; 0 <= i && i < n; a[i] == o); public void has(Object o); Better but still low level; manipulation of concrete representation 64

Need to rewrite all assertions!
Another Problem Q: What happens if a representation is changed? public class SetOfObject { private spec_public Object[] a; ArrayList<Object> list; /** Number of active elements in a. */ private int n; public invariant 0 <= n && n <= a.length; public invariant @ (\forall int i; 0 <= i && i < n; @ (\forall int j; 0 <= j && j < n; i != j ==> a[i] != /** Remove the argument from this set. */ public void remove(Object o); Need to rewrite all assertions! non_null for int array? 65

Writing Abstract Specification: Key Idea
public T m; abstract state (representation) requires Q(m); public void remove(Object o); <<use>> abstraction function m = f(a, n) Evaluation: Q(f(a,n)) non_null for int array? private Object[] a; private int n; <<use>> requires P(a, n); public void remove(Object o); concrete state (representation)

Solution Using Abstraction
Abstract specification using model fields (abstract values) Q: Advantages? public class SetOfObject { public model JMLObjectSet theSet; private Object[] a; in theSet; private int n; in theSet; private represents theSet <- JMLObjectSet.convertFrom(a, n); requires theSet.has(o); // o  theSet @ assignable theSet; @ ensures theSet.equals(\old(theSet.remove(o))); // theSet’ = theSet – {o} @*/ public void remove(Object o); Model field Data group Abstraction function non_null for int array?

Why Use Abstraction in Specification?
Ease of maintenance by information hiding Readability: Avoid quantifiers Repeated expressions Specify when no fields available Java “interfaces”

Features Supporting Abstraction
model fields and represents clauses pure model methods pure methods protected invariants, spec cases, etc. private invariants, spec cases, etc. model classes (JMLObjectSet, etc.)

Model Fields for Data Abstraction
Just for specification Abstraction of Java fields Value from represents

Model Methods Q: What’s wrong with the following specification and how to fix it? Ship Place 0..1 0..* public class Ship { private final List<Place> places; ensures \result == places; public Iterable places() { return places; } 71

Model Methods (Cont.) public class Ship {
private final List<Place> places; ensures \result == places; ensures toList(\result).equals(places); public Iterable<Place> places() { … } public static pure model <T> List<T> toList(Iterable<T> iter) { @ ArrayList<List> result = new ArrayList<>(); @ for(T t: iter) { @ result.add(t); @ } @ return result; @ } @*/ } 72

Exercise: Stack Revisited
Rewrite the specification of BoundedStack using model fields. public class BoundedStack { private Object[] elems; private int size; // num of elems contained public BoundedStack(int capacity) { … } public void push(Object o) { … } public void pop() { … } public Object top() { … } public int search(Object o) { … } … } non_null for int array?

Model Fields In Interfaces
public interface Gendered { public model instance String gender; ensures \result == gender.equals("female"); public boolean isFemale(); } Note a new JML modifier instance because it defaults to static in interfaces.

Represents Clauses Use an in clause to specify a data group.
public class Animal implements Gendered { protected boolean gen; in gender; protected represents gender <- (gen ? "female" : "male"); public boolean isFemale() { return gen; } Use an in clause to specify a data group. Protected represents clause (abstraction function). Specification inheritance.

Correctness with Model Fields

Example of Using Model Fields
Q: Is Animal’s constructor (below) correct? protected boolean gen; in gender; protected represents gender <- (gen ? "female" : "male"); requires g.equals("female") || g.equals("male"); @ assignable gender; @ ensures public Animal(final String g) { gen = g.equals("female"); }

Example of Using Model Fields
Q: Is Animal’s constructor (below) correct? protected boolean gen; in gender; protected represents gender <- (gen ? "female" : "male"); requires g.equals("female") || g.equals("male"); @ assignable gender; @ ensures public Animal(final String g) { gen = g.equals("female"); } Yes!

Semantics of spec_public
protected int age = 0; shorthand for: public model int age; protected int _age = 0; in age; protected represents age <- _age; and rewriting Java code to use _age.

Data Groups for Assignable Clauses
Each field is a data group Membership by in clauses Model field’s group contains fields used in its represents

Data Groups and Assignable Picture

The Semantics of Assignable
assignable x, y; means: method only assigns to (concrete) members of DG(x)  DG(y). Q: What does “assignable gender;” mean?

In Clauses for Declarations
private T x; in g; Immediately follows declaration Same visibility as declaration JML ensures that: If f  DG(g), then g visible where f is. If f and g visible, can tell if f  DG(g).

Type-Level Specification Features
Model fields, in, represents invariant initially constraint

Initially Clauses Hold in constructor post-states
Basis for datatype induction import java.util.*; public class Patient extends Person { public invariant 0 <= age && age <= 150; protected List log; public initially log.size() == 0;

History Constraints Relate pre-states and post-states
Justifies inductive step in datatype induction import java.util.*; public class Patient extends Person { protected List log; public constraint log.size() >= \old(log.size()); @ public constraint (\forall int i; 0 <= i && i < \old(log.size()); @ log.get(i).equals(\old(log.get(i)))); @*/

Exercise Specify a bounded counter class by writing invariant, initially, and history constraints. Start with an initial value 0. Return to 0 when it reaches the maximum value, 100. public class BoundedCounter { private int value; /** Increment this counter by one. */ public void increment() { …}

Helper Methods and Constructors
A helper method or constructor is: private Exempt from invariants and history constraints Cannot assume them Need not establish them

Problems Duplication of specifications in subtypes
Modular verification when use: Subtyping, and Dynamic dispatch

Specification Inheritance Approach
Instance fields Type specifications Invariants Initially clauses History constraints Instance methods Method specification cases

Multiple Inheritance Example

Age, NormalSetAge, and ExceptionalSetAge
public interface Age { model instance int age; } public interface NormalSetAge implements Age { requires 0 <= a && a <= 150; @ assignable age; @ ensures age == public void setAge(int a); public interface ExceptionalSetAge implements Age { requires a < 0 || a > 150; @ assignable \nothing; @ ensures age ==

What About Animal’s setAge Method?
It’s both. Should obey both specifications.

Single Inheritance Q: What is the specification of Animal’s isFemale method? public interface Gendered { ensures \result == gender.equals("female"); public boolean isFemale(); } public class Animal implements Gendered { public boolean isFemale() { return gen;

Adding to Specification in Subtype
Use the “also” keyword. import java.util.*; public class Patient extends Person { protected boolean ageDiscount = false; in age; also @ requires (0 <= a && a <= 150) || (a < 0 || a > 150); @ ensures 65 <= age ==> public void setAge(final int a) { super.setAge(a); if (65 <= age) { ageDiscount = true; } }

Method Specification Inheritance
Q: What is the extended specification of Patient’s setAge method? A: The join of the 3 spec cases shown previously Q: What is the extended specification of Patient’s setAge method? A: The join of the 3 spec cases shown previously requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a < 10; @ ensures age == also @ requires (0 <= a && a <= 150) || (a < 0 || a > 150); @ ensures 65 <= age ==> requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a < 10; @ ensures age == also @ requires (0 <= a && a <= 150) || (a < 0 || a > 150); @ ensures 65 <= age ==>

Avoiding Duplication of Preconditions
Use \same in the requires clause requires 0 <= a && a <= 150; @ assignable age; @ ensures age == a; @ also @ requires a < 0 || a < 10; @ ensures age == also @ requires \same; @ ensures 65 <= age ==>

The Java Modeling Language

Similar presentations

Presentation on theme: "The Java Modeling Language"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

The Java Modeling Language

Similar presentations

Presentation on theme: "The Java Modeling Language"— Presentation transcript:

Similar presentations

About project

Feedback