Politecnico di Milano Advanced Topics in Software Engineering
- Slides: 47
Politecnico di Milano Advanced Topics in Software Engineering JML in a Nutshell Domenico Bianculli & Alessandro Monguzzi {bianculli, alessandro. monguzzi}@gmail. com June 16 th, 2005 Rev. 1. 3 1
JML in a Nutshell Outline • • What is JML? Syntax Specification cases Advanced topics Running example Tools Related works 2
JML in a Nutshell What is JML? • Java Modeling Language • A behavior interface specification language (BISL) describes: – modules interface – modules behaviour • evolution of Hoare-style specification • based on Design by Contract 3
JML in a Nutshell Syntax • Annotations • Expressions • Quantification 4
JML in a Nutshell Syntax: annotations • Specification written as annotation comments • Single line: //@ … specification … • Multiline: /*@ … specification… @ … @*/ • Informal: //@(* informal description *) 5
JML in a Nutshell Syntax: expressions • Expression used in JML annotations cannot have side effects. – No use of =, ++, -- … – Can only call pure methods • Extended version of Java expressions Expression a ==> b a <==> b Meaning a implies b a follows from b a if and only if b a <=!=> b old(E) result not (a if and only if b) value of E in pre-state result of method call 6
JML in a Nutshell Syntax: quantification • universal & existential (forall, exists) declaration /*@ forall int x; @ x >= 0 && x < a. lenght-1; @ a[x-1] <= a[x]; body @*/ range • general quantifiers (sum, product, min, max) • numeric quantifier (num_of) 7
JML in a Nutshell Preconditions • Say what must be true when calling a method • Introduced by requires clause /*@requires x>= 0; @. . . @*/ public double sqrt(double x); 8
JML in a Nutshell Normal postconditions • Say what must be true when a method returns normally (i. e. without throwing exceptions) • Introduced by ensures clause /*@ requires x>= 0; @ ensures x - result * result <= 0. 0001; @*/ public double sqrt(double x); • Input parameters in postconditions are always evaluated in pre-state x ≡ old(x) 9
JML in a Nutshell Exceptional postconditions • Say what must be true when a method throws an exception of type T Introduced by signals clause /*@ requires x>= 0; @ ensures x - result * result <= 0. 0001; @ signals (Illegal. Argument. Exception ex) @ ex. get. Message() != null && !(x >=0. 0); @*/ public double sqrt(double x); 10
JML in a Nutshell More on exceptional postconditions (1) • Note that signal clause does not say which exceptions must be thrown • It just only says “… if an exception of (sub)type T is thrown, then its predicate must hold” and not viceversa. • The signals_only clause specifies what exceptions may be thrown, and implicitly the ones which cannot be thrown. 11
JML in a Nutshell More on exceptional postconditions (2) • To say that an exception must be thrown in some situations, exclude that situations from other signals clauses and from all ensures clauses /*@ requires true; @ ensures x>=0 &&… @ signals (Exception e) @ x<0 && … @*/ public int foo(int x) throws Exceptions; • More on this topic later… 12
JML in a Nutshell Semantics • Meaning of JML method specification – A method is called in a state (pre-state) where the precondition is satisfied; otherwise, nothing is guaranteed, including the termination of the call – If a method is called in a proper prestate, then there are two possible outcomes (post-state) of method’s execution: normal and exceptional 13
JML in a Nutshell Kinds of specification & specification cases • Specification cases – Lightweight – Heavyweight • Behaviour • Normal Behaviour • Exceptional Behaviour 14
JML in a Nutshell Heavyweight vs lightweight specs Heavyweight • Assumes users giving full specification • Omitted clauses are abbreviations • Useful formal verification Lightweight • Don’t assume user is giving full specification • Minimize annotation burden • Omitted clauses are not_specified • Useful for RAC and docs 15
JML in a Nutshell Additional Clauses diverge says that a method may not return to its caller when allows concurrency aspects of a method assignable lists non local variables that can be assigned in the method body; limits methods possible side effects capture lists object refs that can be retained after the method return duration specifies the maximum time needed to process a method call accessible lists memory locations that methods may access callable lists methods that can be called by the method under specification 16
JML in a Nutshell Heavyweight specs: behavior /*@ behavior @ requires P; @ diverges D; @ assignable A; @ when W; @ ensures Q; @ signals (E 1 e 1) R 1; @. . . @ signals (En en) Rn; @ accessible C; @ callable p(); @*/ 17
JML in a Nutshell Heavyweight specs: normal behavior • It is a behavior specification case with signals clause implicitly defined as signals (java. lang. Exception) false; • guarantees normal termination no exception may be thrown 18
JML in a Nutshell Heavyweight specs: exceptional behavior • It is a behavior specification case with ensures clause implicitly defined as ensures false; • Guarantees that the method throws an exception 19
JML in a Nutshell Multiple cases specs • Normal and exceptional spec cases may be combined /*@ public normal_behavior @ requires !the. Stack. is. Empty(); @ assignable size, the. Stack; @ ensures @ the. Stack. equals(old(the. Stack. trailer())) @ && result == old(the. Stack. first()); @ also @ public exceptional_behavior @ requires the. Stack. is. Empty(); @ assignable nothing; @ signals_only Illegal. State. Exception; @*/ public Object pop(); 20
JML in a Nutshell Class invariants • Properties that must hold in all visible states of an object //@ public invariant x != null && !name. equals(“”); • Static or Instance invariants • Implicitly included in preconditions and normal and exceptional postconditions • Do not hold for methods declared with clause helper • private invariants state Rep Invariant 21
JML in a Nutshell Loop (in)variants • Loop statements can be annotated with loop invariants and variant functions. • Help in proving partial and total correctness of the loop statement long sum = 0; int[] a = new int[100]; int i = a. length; /*@ mantaining -1 <= i && i <= a. length; @ mantaining sum == @ (sum int j; i <= j && 0 <= j @ && j <= a. length; a[j]); @ decreasing i; @*/ while (--i>=0) sum += a[i]; 22
JML in a Nutshell Assertions • An assertion is a predicate that must always be true //@ assert i>0 • w. r. t. Java 1. 4+ assert JML assertions cannot have any sideeffects and can use JML expressions. 23
JML in a Nutshell History Constraints • “Relationships that should hold for the combination of each visible state and any visible state that occurs later in the program execution” • Used to constrain the way the values change over time int a; //@ constraint a == old(a); boolean[] b; //@ constraint b. lenght >= old(b. lenght); 24
JML in a Nutshell Advanced Topics • Model fields – Model methods and types – Fields visibility • • • Abstract models Purity Data groups Specification inheritance Refinement 25
JML in a Nutshell Model fields • Represents a field or a variable used only in specification • Describes abstract values of objects • They can be mapped on a concrete field using keyword represents public class Math. Foo { //@ public model eps private float error; //@ private represents eps <- error; } 26
JML in a Nutshell Visibility • JML imposes visibility rules similar to Java • Keyword spec_public loosens visibility for specs. Private spec_public fields are allowed in public specs. private /*@ spec_public @*/ double x = 0. 0; //@requires !Double. is. Na. N(x+dx) public void move. X(double dx){… • Not a good practice! You are exposing internal representation! 27
JML in a Nutshell Abstract models • JML provides a Java class library for specification purposes • Package org. jmlspecs. model – Collections: sequence, set, bag – Algebric functions and relations – Exceptions and iterators • Almost all are immutable objects with pure methods • Can be used during RAC • Users can define their own models 28
JML in a Nutshell Purity • A pure method is a method without side effects (assignable nothing) • It is declared with the modifier pure • A class is pure if all its methods are pure • Only pure method are allowed in specifications 29
JML in a Nutshell Data groups • A set of model and concrete fields to which you refer by a specific name • A declaration of a model field automatically creates a data group with the same name of the model field • The main purpose of a data group is to refer to the elements of this set without exposing their internal representation • Locations members of a data group may be assigned during the executions of methods that have permission to assign to the data group /*@ public model int size; @ public model JMLObject. Sequence the. Stack; @ in size; @*/ 30
JML in a Nutshell Specification inheritance • A subclass inherits specifications of its superclass and of its implemented interfaces – All instance model fields – Instance method specifications – Instance invariants and instance history constraints • Specifications of a superclass are conjuncted with new specs with the clause also • Support behavioural notion of subtyping, accordingly to Liskov’s substitution principle: – preconditions are disjoined – postconditions are conjoined as ∩ (old(prei) -> posti) – invariants are conjoined 31
JML in a Nutshell Refinement files • Specifications can be separated from implementations • Specs are written in a file Foo. javarefined • Implementation is written in file Foo. java which contains the clause //@ refine “Foo. java-refined” • Useful for adding specifications to existing code 32
JML in a Nutshell Example: Int. Set • Informal specification “Int. Sets are unbounded sets of integers with operations to create a new empty Int. Set, test whether a given integer is an element of an Int. Set, and add or remove elements. ” 33
JML in a Nutshell Int. Set à la Liskov (1) public interface Int. Set { Mutator public void insert(int x) //MODIFIES: this //EFFECTS: Adds x to the elements of this public void remove(int x) Mutator //MODIFIES: this //EFFECTS: Removes x from this public boolean is. In(int x) Observer //EFFECTS: If x is in this returns true, else returns false. } 34
JML in a Nutshell Int. Set à la Liskov (2) public class Int. Set. As_list implements Int. Set{ … private Vector els; public Int. Set. As_list(){ //EFFECTS: Initializes this to be empty. els = new Vector(); } … } • Abstraction Function AF(c) = {c. els. get(i). int. Value | 0 <= i < c. els. size} • Representation Invariant c. els != null && for all integers i (0 <= i < c. els. size => c. els. get(i) is an Integer) && for all integers i, j | (0<= i < j < c. els. size => c. els. get(i). int. Value != c. els. get(j). int. Value) 35
JML in a Nutshell Int. Set in JML (1) public interface Int. Set { /*@ public model instance JMLValue. Set the. Set; Model Field @ public initially the. Set != null && the. Set. is. Empty(); @ public instance invariant the. Set != null @ && (forall JMLType e; the. Set. has(e); Abstract Invariant @ e instanceof JMLInteger); @*/ /** Insert the given integer into this set. */ /*@ public normal_behavior @ assignable the. Set; @ ensures the. Set. equals(old(the. Set. insert(new JMLInteger(elem)))); @*/ public void insert(int elem); /** Tell if the argument is in this set. */ /*@ public normal_behavior @ ensures result == the. Set. has(new JMLInteger(elem)); @*/ public /*@ pure @*/ boolean is. In(int elem); /** Remove the given integer from this set. */ /*@ public normal_behavior @ assignable the. Set; @ ensures the. Set. equals( old(the. Set. remove(new JMLInteger(elem))) ); @*/ public void remove(int elem); } 36
JML in a Nutshell Int. Set in JML (2) import java. util. *; //@ model import org. jmlspecs. models. *; public class Integer. Set. As. List implements Int. Set { private Vector els; //@ in the. Set; /*@ @ @*/ Rep Invariant private invariant els != null && (forall int i; 0<=i && i<els. size(); els. get(i) != null && els. get(i) instanceof Integer && (forall int j=0; i<j && j<els. size(); els. get(i) != els. get(j))); //@ private represents the. Set <- abstract. Value(); /** Return the abstract value of this Integer. Set. As. List. */ /*@ @ private pure model JMLValue. Set abstract. Value() { @ JMLValue. Set ret = new JMLValue. Set(); @ Iterator iter = els. iterator(); Abstraction @ while (iter. has. Next()) { @ ret = ret. insert(new JMLInteger((Integer) @ iter. next())); @ } @ return ret; @} @*/ Function 37
JML in a Nutshell Int. Set in JML (3) /** Initialize this set to be the empty set. */ /*@ public normal_behavior @ assignable the. Set; @ ensures the. Set != null && the. Set. is. Empty(); @*/ public Integer. Set. As. List() { els = new Vector(); } public /*@ pure @*/ boolean is. In(int i) { return els. contains(new Integer(i)); } public void insert(int i) { els. add(new Integer(i)); } public void remove(int i) { els. remove(new Integer(i)); } 38
JML in a Nutshell Tools • • • Parsing & Typechecking Runtime assertion checking Testing Documentation Extended static checking Program verification 39
JML in a Nutshell jmlc • The JML compiler • Translates Java code with JML assertions into bytecode • Adds runtime checks: – During execution, all assertions are tested any violation of an assertion produces an Error (uses jmlrac script). 40
JML in a Nutshell jmlunit • Inserts support for JML within JUnit • Writes out a JUnit test oracle for given Java files • Specifications are used to check whether tested code runs properly Tests are only as good as the quality of the specifications! 41
JML in a Nutshell jmldoc • Produces HTML pages with API and JML specifications for Java classes 42
JML in a Nutshell ESC/Java • Extended Static Checker for Java • Tries to prove correctness of specifications at compile-time, fully automatically • Not sound: it may miss an error that is actually present • Not complete: it may warn of errors that are impossible • It finds a lot of potential bugs quickly: – Null. Pointer, Array. Index. Out. Of. Bounds, Class. Cast… 43
JML in a Nutshell LOOP • Logic of Object Oriented Programming, project of University of Nijmegen • Based on a formalization of Java and JML semantics in theorem prover PVS • LOOP compiler translates JML annotations in PVS proof obligations, to be proved interactively 44
JML in a Nutshell Related Works • Early programming languages – – Gypsy Alphard Euclid CLU • DBC based – Eiffel – SPARK – B method • OCL from UML • Spec# 45
JML in a Nutshell Conclusions Strenghts • Easy to learn • Source code is the formal model – Gradual introduction – Support for legacy code • Wide range of tools Weakenesses • No support for: – concurrency – object invariants within callbacks – modeling alias relationships • Strong definition of pure methods: – many constraints 46
JML in a Nutshell References www. jmlspec. org 47
Advanced topics in software engineering
Software engineering important topics
Special topics in software engineering
Politecnico virgen de la altagracia
Haggen dazz
Liceopolitecnicodeovalle.cl
Ovalle.edufacil
Tartaglia triangolo
Angelo tartaglia politecnico torino
Carlo naldi politecnico torino
Politecnico di torni
Logo politecnico di bari
Liceo politecnico ciencia y tecnologia
Escuela de economia ipn
Angular advanced topics
Advanced topics in angular
Advanced c topics
Advanced topics in web development
Android advanced topics
Advanced topics in computer science
Computer based system engineering
Forward engineering and reverse engineering
Software maintenance process models ppt
What is software implementation in software engineering
Metrics computer science
Types of software crisis
Software measurement and metrics
Real time software design in software engineering
Software design fundamentals in software engineering
Engineering drawing chapter 1
Engineering management topics
Engineering meeting topics
Financial engineering thesis topics
Software project management topics
Vts-0fxyt-e -site:youtube.com
Software security topics
Advanced machine engineering
Industrial design
Advanced engineering electromagnetics
Advanced engineering mathematics
Advanced engineering mathematics
Engineering mathematics
Differentiation of complex numbers
Advanced engineering mathematics dennis g zill 4th edition
Advanced software development
Expansion time variable is declared as
Advanced software testing concepts
Cse 598 advanced software analysis and design
