Rigorous Software Development CSCI-GA 3033-009

Similar documents
Rigorous Software Engineering Hoare Logic and Design by Contracts

Design by Contract beyond class modelling

Rigorous Software Development CSCI-GA

Java Memory Model: Content

Stack Allocation. Run-Time Data Structures. Static Structures

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Specification and Analysis of Contracts Lecture 1 Introduction

An overview of JML tools and applications

Using JML to protect Java code against SQL injection. Johan Janssen June 26, 2007

An Overview of JML Tools and Applications

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

Computing Concepts with Java Essentials

On the Relation between Design Contracts and Errors: A Software Development Strategy

Comp 411 Principles of Programming Languages Lecture 34 Semantics of OO Languages. Corky Cartwright Swarat Chaudhuri November 30, 20111

An overview of JML tools and applications

Examples of Design by Contract in Java

Getting Started with the Internet Communications Engine

COMP 356 Programming Language Structures Notes for Chapter 10 of Concepts of Programming Languages Implementing Subprograms.

Software Engineering Techniques

Tool-Assisted Unit-Test Generation and Selection Based on Operational Abstractions

Outline of this lecture G52CON: Concepts of Concurrency

Translating to Java. Translation. Input. Many Level Translations. read, get, input, ask, request. Requirements Design Algorithm Java Machine Language

Programming by Contract. Programming by Contract: Motivation. Programming by Contract: Preconditions and Postconditions

Programming by Contract vs. Defensive Programming: A Comparison of Run-time Performance and Complexity

Rigorous Software Development CSCI-GA

Unit-testing with JML

Course: Programming II - Abstract Data Types. The ADT Stack. A stack. The ADT Stack and Recursion Slide Number 1

Run-Time Assertion Checking and Monitoring Java Programs

Glossary of Object Oriented Terms

Hoare-Style Monitors for Java

Checking Access to Protected Members in the Java Virtual Machine

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Java 6 'th. Concepts INTERNATIONAL STUDENT VERSION. edition

Outline. Computer Science 331. Stack ADT. Definition of a Stack ADT. Stacks. Parenthesis Matching. Mike Jacobson

Appendix... B. The Object Constraint

Java Programming Language

Formal Specification and Verification of Avionics Software

How To Write A Contract Guided System Development (Contract Guided Development) In Java (Java) (For A Free Download)

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Semester Review. CSC 301, Fall 2015

GContracts Programming by Contract with Groovy. Andre Steingress

Design by Contract for Web Services: Architecture, Guidelines, and Mappings

AP Computer Science Java Subset

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

Introducing Formal Methods. Software Engineering and Formal Methods

Fully Abstract Operation Contracts

Introducing Variance into the Java Programming Language DRAFT

Java Interfaces. Recall: A List Interface. Another Java Interface Example. Interface Notes. Why an interface construct? Interfaces & Java Types

Towards Contract-based Testing of Web Services

Object Oriented Software Design

Monitoring Java Code Using ConGu

Formally speaking: How to apply OCL

Agile Specification-Driven Development

Object Oriented Software Design II

Code Contracts User Manual

A Framework for the Semantics of Behavioral Contracts

Quotes from Object-Oriented Software Construction

Exception Handling. Overloaded methods Interfaces Inheritance hierarchies Constructors. OOP: Exception Handling 1

Boolean Expressions, Conditions, Loops, and Enumerations. Precedence Rules (from highest to lowest priority)

Resurrecting Ada s Rendez-Vous in Java

VDM vs. Programming Language Extensions or their Integration

Software Construction

Konzepte objektorientierter Programmierung

Applications of formal verification for secure Cloud environments at CEA LIST

Software Specification and Testing

Model Driven Security: Foundations, Tools, and Practice

Programming Language Rankings. Lecture 15: Type Inference, polymorphism & Type Classes. Top Combined. Tiobe Index. CSC 131! Fall, 2014!

History OOP languages Year Language 1967 Simula Smalltalk

Lecture 9. Semantic Analysis Scoping and Symbol Table

Object-Oriented Design Lecture 4 CSU 370 Fall 2007 (Pucella) Tuesday, Sep 18, 2007

Construct by Contract: Construct by Contract: An Approach for Developing Reliable Software

Parallel Programming

Lecture 12: Abstract data types

C Compiler Targeting the Java Virtual Machine

Moving from CS 61A Scheme to CS 61B Java

Fundamentals of Java Programming

Handout 1. Introduction to Java programming language. Java primitive types and operations. Reading keyboard Input using class Scanner.

Lecture Notes on Linear Search

Lecture 6: Semaphores and Monitors

INF5140: Specification and Verification of Parallel Systems

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.

Static vs. Dynamic. Lecture 10: Static Semantics Overview 1. Typical Semantic Errors: Java, C++ Typical Tasks of the Semantic Analyzer

Transcription:

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 5 Disclaimer. These notes are derived from notes originally developed by Joseph Kiniry, Gary Leavens, Erik Poll, David Cok, Cesare Tinelli, and Jochen Hoenicke. They are copyrighted material and may not be used in other course settings outside of New York University in their current form or modified form without the express written permission of one of the copyright holders.

Exploiting Design Information Alloy provides a means for expressing properties of designs Early design refinement saves time Ultimately, we want this effort to impact the quality of implementations How can we transfer design information to the code? State information (multiplicities, invariants, ) Operations information (pre, post, frame conditions, )

Design by Contract A method that emphasizes the precise description of interface semantics not just syntax, e.g., signatures (names, types, visibility modifiers) but run-time behavior, e.g., effects of a method call Supported by tools that allow semantic properties of the design to be propagated to the code support various forms of validation of those properties, e.g., run-time and static checking

History Term Design by Contract was first coined by Bertrand Meyer in the context of the Eiffel language Basic ideas and techniques go back to pioneering work of Alan Turing (1949) Robert Floyd (1967) Tony Hoare (1969) Edsger Dijkstra (1975)

Basic Idea Software is viewed as a system of communicating components (objects) all interaction is governed by contracts contracts are precise specifications of mutual obligation between components

Contracts Two parties are involved in a contract The supplier performs a task The client requests that the task be performed Each party has obligations receives some benefits Contracts specify those obligations and benefits Contracts are bi-directional both parties are obligated by them

Contract Example: Air Travel Client (Traveler) Obligation check in 30 minutes before boarding <3 small carry-ons pay for ticket Benefit reach destination Supplier (Airline) Obligation take traveler to destination Benefit don t need to wait for late travelers don t need to store arbitrary amounts of luggage money

Contract Example: Air Travel Client (Traveler) Obligation check in 30 minutes before boarding <3 small carry-ons pay for ticket Benefit reach destination Supplier (Airline) Obligation take traveler to destination Benefit don t need to wait for late travelers don t need to store arbitrary amounts of luggage money

Contracts Specify what should be done not how it should be done they are implementation independent This same idea can be applied to software using the building blocks we have already learned in Alloy pre conditions post conditions frame conditions invariants

Taking a Flight (Java Syntax) class Flight { /*@ requires time < this.takeoff 30 && @ l.number < 3 && @ p in this.ticketed; @ ensures \result = this.destination; @*/ Destination takeflight(person p, Luggage l) { } }

Specification or Implementation Language Why not both? Refinement methodology rather than develop signatures alone develop contract specification analyze client-supplier consistency fill in implementation details check that code satisfies contract Natural progression from design to code

Executable Specifications Specification language is a subset of the implementation language contracts are written in the programming language itself and translated into executable code by the compiler enables easy run-time checking of contracts

Java Example: Stack Data Structure class Mystack { private Object[] elems; private int top, size; public MyStack (int s) {... } public void push (Object obj) {... } public Object pop() {... } public boolean isempty() {... } public boolean isfull() {... } }

Java Example: Stack Data Structure /*@ invariant top >= -1 && top < size && size = elems.length(); @*/ class Mystack { private Object[] elems; private int top, size;... }

Java Example: Stack Data Structure class Mystack { private Object[] elems; private int top, size;... /*@ requires!isfull(); @ ensures top == \old(top) + 1 && @ elem[top] == obj; @*/ public void push (Object obj) {... }... public boolean isfull() {... } }

Java Example: Stack Data Structure class Mystack { private Object[] elems; private int top, size;... /*@ requires!isempty(); @ ensures top == \old(top) - 1 && @ \result == elem[\old(top)]; @*/ public Object pop() {... }... public boolean isempty() {... } }

Java Example: Stack Data Structure class Mystack { private Object[] elems; private int top, size;... /*@ ensures \result <==> top = -1; @*/ public boolean isempty() {... } }

Source Specifications Pre/post conditions (Side-effect free) Boolean expressions in the host language What about all of the expressive power we have in, e.g., Alloy? Balance expressive power against checkability Balance abstractness against language mapping No one right choice Different tools take different approaches

Important Issues Contract enforcement code is executed It should be side-effect free If not, then contracts change behavior! Frame conditions Explicitly mention what can change Default: anything can change Failed contract conditions Most approaches will abort the execution How can we continue?

Contract Inheritance Inheritance in most OO languages Sub-type can be used in place of super-type Sub-type provides at least the capability of super-type Sub-types weaken the pre-condition Require no more than the super-type Implicit or of inherited pre-conditions Sub-types strengthen the post-condition Guarantee at least as much as the super-type Implicit and of inherited post-conditions Invariants are treated the same as post-conditions

Languages with DbC Support Eiffel SPARK (Ada) Spec# (C#) Java Java Modeling Language (JML) icontract, JContract, Jass, Jahob,.NET languages: Code Contracts C/C++: VCC, Frama-C, Research languages: Daphne, Chalice, Hob,

Java Modeling Language (JML) JML is a behavioral interface specification language (BISL) for Java. Proposed by G. Leavens, A. Baker, C. Ruby: JML: A Notation for Detailed Design, 1999 Combines ideas from two approaches: Eiffel with its built-in language for Design by Contract Larch/C++ a BISL for C++

The Roots of JML Ideas from Eiffel: Executable pre and post-condition for runtime assertion checking Uses Java syntax (with a few extensions). Operator \old to refer to the pre-state in the postcondition. Ideas from Larch: Describe the state transformation behavior of a method Model Abstract Data Types (ADT)

Java Modeling Language (JML) Homepage: http://www.jmlspecs.org/ Release can be downloaded from http://sourceforge.net/projects/jmlspecs/files Includes many useful tools for testing and analysis of contracts JML compiler JML runtime assertion checker, Many additional third party tools available

JML: Tool Support Run-time checking and dynamic analysis: JML tools AJML Daikon Automated test case generation: JML tools Korat, Sireum/Kiasan KeY/TestGen Static checking and static analysis: ESC/Java 2 JForge Formal verification: JACK KeY Documentation generation: jmldoc (JML tools)

JML Example: Factorial Is this method correct? public static int factorial(int n) { int result = n; while (--n > 0) result *= n; return result; } We need a specification!

JML Syntax: Method Specifications In JML a method contract precedes the method in special comments /*@... @*/. requires formula: The specification only applies if formula holds when method called. Otherwise behavior of method is undefined. ensures formula: If the method exits normally, formula has to hold.

JML Syntax: Formulas A JML formula is a Java Boolean expression. The following list shows some operators of JML that do not exists in Java: \old(expression): the value of expression before the method was called (used in ensures clauses) \result: the return value (used in ensures clauses). F ==> G: states that F implies G. This is an abbreviation for!f G. \forall Type t; condition; formula: states that formula holds for all t of type Type that satisfy condition.

JML Example: Factorial /*@ requires n >= 0; @ ensures \result == n! ; @*/ public static int factorial(int n) { int result = n; while (--n > 0) } result *= n; return result; Is this method correct? No: case n=0 gives wrong result. But factorial! is not an inbuilt operator.

JML Example: Factorial Solutions (1): Weakening the specification /*@ requires n >= 0; @ ensures \result >= 1; @*/ public static int factorial(int n) { int result = n; while (--n > 0) result *= n; return result; } + Simple Specification + Catches the error Cannot find all potential errors Gives no hint, what the function computes

/*@ requires n >= 0; @ ensures \result == fact(n); @*/ public static int factorial(int n) { int result = 1; while (n > 0) result *= n--; return result; } JML Example: Factorial Solutions (2): Using pure Java methods /*@ requires n >= 0; @ ensures (n == 0 ==> \result == 1) && @ (n > 0 ==> \result == n*fact(n-1)); */ public static @pure int fact(int n) { return n <= 0? 1 : n*fact(n-1); } Pure methods must not have side-effects and must always terminate. They can be used in specifications:

Partial vs. Full Specifications Giving a full specification is not always practical. Code is repeated in the specification. Errors in the code may also be in the specification.

Semantics of Java Programs The Java Language Specification (JLS) 3rd edition gives semantics to Java programs The document has 684 pages. 118 pages to define semantics of expression. 42 pages to define semantics of method invocation. Semantics is only defined by prosa text.

Example: What does this program print? class A { public static int x = B.x + 1; } class B { public static int x = A.x + 1; } class C { public static void main(string[] p) { System.err.println("A: " + A.x + ", B: " + B.x); } }

Example: What does this program print? JLS, chapter 12.4.1 When Initialization Occurs : A class T will be initialized immediately before the first occurrence of any one of the following: T is a class and an instance of T is created. T is a class and a static method declared by T is invoked. A static field declared by T is assigned. A static field declared by T is used and the field is not a constant variable. T is a top-level class, and an assert statement lexically nested within T is executed.

Example: What does this program print? JLS, chapter 12.4.2 Detailed Initialization Procedure : The procedure for initializing a class or interface is then as follows: 1. Synchronize on the Class object that represents the class or interface to be initialized. This involves waiting until the current thread can obtain the lock for that object. 2.... 3. If initialization is in progress for the class or interface by the current thread, then this must be a recursive request for initialization. Release the lock on the Class object and complete normally. 4. 8.... 9. Next, execute either the class variable initializers and static initializers of the class, or the field initializers of the interface, in textual order, as though they were a single block, except that final class variables and fields of interfaces whose values are compile-time constants are initialized first. 10....

Example: What does this program print? class A { public static int x = B.x + 1; } class B { public static int x = A.x + 1; } class C { public static void main(string[] p) { System.err.println("A: " + A.x + ", B: " + B.x); } }

Example: What does this program print? If we run class C : 1) main-method of class C first accesses A.x. 2) Class A is initialized. The lock for A is taken. 3) Static initializer of A runs and accesses B.x. 4) Class B is initialized. The lock for B is taken. 5) Static initializer of B runs and accesses A.x. 6) Class A is still locked by current thread (recursive initialization). Therefore, initialization returns immediately. 7) The value of A.x is still 0 (section 12.3.2 and 4.12.5), so B.x is set to 1. 8) Initialization of B finishes. 9) The value of A.x is now set to 2. 10) The program prints A: 2, B: 1.

Further Reading Material Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML G. Leavens et al.. JML Reference Manual (DRAFT), July 2011 J. Gosling et al.: The Java Language Specification (third edition) T. Lindholm, F. Yellin: The Java Virtual Machine Specification (second edition)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information