Fundamentals of Software Engineering

Similar documents
Rigorous Software Development CSCI-GA

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Fully Abstract Operation Contracts

Fundamentals of Software Engineering

Formal Engineering for Industrial Software Development

Software Engineering Techniques

Using JML to protect Java code against SQL injection. Johan Janssen June 26, 2007

Programming by Contract. Programming by Contract: Motivation. Programming by Contract: Preconditions and Postconditions

Unified Static and Runtime Verification of Object-Oriented Software

Java Programming Language

Introduction to Programming System Design. CSCI 455x (4 Units)

Code Contracts User Manual

Chapter 13 - Inheritance

Masters programmes in Computer Science and Information Systems. Object-Oriented Design and Programming. Sample module entry test xxth December 2013

Rigorous Software Development CSCI-GA

Data Structures and Algorithms

Computing Concepts with Java Essentials

Java 6 'th. Concepts INTERNATIONAL STUDENT VERSION. edition

Unit-testing with JML

CompSci-61B, Data Structures Final Exam

Lecture Notes on Linear Search

Class 32: The Java Collections Framework

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

Object-Oriented Design Lecture 4 CSU 370 Fall 2007 (Pucella) Tuesday, Sep 18, 2007

An Overview of JML Tools and Applications

Java SE 8 Programming

Software Engineering

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

Object Invariants in Dynamic Contexts

CMSC 202H. ArrayList, Multidimensional Arrays

Java Interfaces. Recall: A List Interface. Another Java Interface Example. Interface Notes. Why an interface construct? Interfaces & Java Types

Appendix... B. The Object Constraint

Java Interview Questions and Answers

Getting Started with the Internet Communications Engine

Design by Contract beyond class modelling

A binary search tree or BST is a binary tree that is either empty or in which the data element of each node has a key, and:

SQL DATA DEFINITION: KEY CONSTRAINTS. CS121: Introduction to Relational Database Systems Fall 2015 Lecture 7

Facebook Twitter YouTube Google Plus Website

Case studies: Outline. Requirement Engineering. Case Study: Automated Banking System. UML and Case Studies ITNP090 - Object Oriented Software Design

Lecture 9. Semantic Analysis Scoping and Symbol Table

AP Computer Science Java Subset

The C Programming Language course syllabus associate level

Quotes from Object-Oriented Software Construction

Programming Languages Featherweight Java David Walker

CSC 742 Database Management Systems

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

Statically Checking API Protocol Conformance with Mined Multi-Object Specifications Companion Report

The Advantages and Disadvantages of Using Natural Language Documentation

Course: Programming II - Abstract Data Types. The ADT Stack. A stack. The ADT Stack and Recursion Slide Number 1

Lecture Notes on Binary Search Trees

Concepts and terminology in the Simula Programming Language

Examples of Design by Contract in Java

Formal Specification and Verification of Avionics Software

CS506 Web Design and Development Solved Online Quiz No. 01

An overview of JML tools and applications

Contents. 9-1 Copyright (c) N. Afshartous

Model Driven Security: Foundations, Tools, and Practice

Organization of DSLE part. Overview of DSLE. Model driven software engineering. Engineering. Tooling. Topics:

Course: Programming II - Abstract Data Types. The ADT Queue. (Bobby, Joe, Sue, Ellen) Add(Ellen) Delete( ) The ADT Queues Slide Number 1

Programming Database lectures for mathema

Lecture Notes on Binary Search Trees

Introduction to Object-Oriented Programming

Testing the Java Card Applet Firewall

Enumerated Types in Java

Part 3: GridWorld Classes and Interfaces

Lab Experience 17. Programming Language Translation

Outline. Computer Science 331. Stack ADT. Definition of a Stack ADT. Stacks. Parenthesis Matching. Mike Jacobson

CS 111 Classes I 1. Software Organization View to this point:

AP Computer Science A - Syllabus Overview of AP Computer Science A Computer Facilities

Rigorous Software Engineering Hoare Logic and Design by Contracts

Project 4 DB A Simple database program

3 Pillars of Object-oriented Programming. Industrial Programming Systems Programming & Scripting. Extending the Example.

Software Development with UML and Java 2 SDJ I2, Spring 2010

1. The memory address of the first element of an array is called A. floor address B. foundation addressc. first address D.

Specification and Analysis of Contracts Lecture 1 Introduction

El Dorado Union High School District Educational Services

The Java Series. Java Essentials I What is Java? Basic Language Constructs. Java Essentials I. What is Java?. Basic Language Constructs Slide 1

Computer Programming I

Moving from CS 61A Scheme to CS 61B Java

Data Structures and Algorithms Lists

Summit Public Schools Summit, New Jersey Grade Level / Content Area: Mathematics Length of Course: 1 Academic Year Curriculum: AP Computer Science A

Exception Handling. Overloaded methods Interfaces Inheritance hierarchies Constructors. OOP: Exception Handling 1

D06 PROGRAMMING with JAVA

Arrays. Atul Prakash Readings: Chapter 10, Downey Sun s Java tutorial on Arrays:

Chapter 1 Fundamentals of Java Programming

Free Java textbook available online. Introduction to the Java programming language. Compilation. A simple java program

Algorithms and Data Structures Written Exam Proposed SOLUTION

Transcription:

Fundamentals of Software Engineering Java Modeling Language - Part II Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle (Chalmers University of Technology, Gothenburg, Sweden) Ina Schaefer FSE 1

JML Expressions Java Expressions boolean JML Expressions (to be completed) each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) Ina Schaefer FSE 2

JML Expressions Java Expressions boolean JML Expressions (to be completed) each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) a ==> b ( a implies b ) a <==> b ( a is equivalent to b )............ Ina Schaefer FSE 3

Beyond boolean Java expressions How to express the following? an array arr only holds values 2 the variable m holds the maximum entry of array arr all Account objects in the array accountproxies are stored at the index corresponding to their respective accountnumber field all created instances of class BankCard have different cardnumbers Ina Schaefer FSE 4

First-order Logic in JML Expressions JML boolean expressions extend Java boolean expressions by: implication equivalence quantification Ina Schaefer FSE 5

boolean JML Expressions boolean JML expressions are defined recursively: boolean JML Expressions each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) a ==> b ( a implies b ) a <==> b ( a is equivalent to b ) (\forall t x; a) ( for all x of type t, a is true ) (\exists t x; a) ( there exists x of type t such that a ) Ina Schaefer FSE 6

boolean JML Expressions boolean JML expressions are defined recursively: boolean JML Expressions each side-effect free boolean Java expression is a boolean JML expression if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:!a ( not a ) a && b ( a and b ) a b ( a or b ) a ==> b ( a implies b ) a <==> b ( a is equivalent to b ) (\forall t x; a) ( for all x of type t, a is true ) (\exists t x; a) ( there exists x of type t such that a ) (\forall t x; a; b) ( for all x of type t fulfilling a, b is true ) (\exists t x; a; b) ( there exists an x of type t fulfilling a, such that b ) Ina Schaefer FSE 7

JML Quantifiers in (\forall t x; a; b) (\exists t x; a; b) a called range predicate Ina Schaefer FSE 8

JML Quantifiers in (\forall t x; a; b) (\exists t x; a; b) a called range predicate those forms are redundant: (\forall t x; a; b) equivalent to (\forall t x; a ==> b) (\exists t x; a; b) equivalent to (\exists t x; a && b) Ina Schaefer FSE 9

Pragmatics of Range Predicates (\forall t x; a; b) and (\exists t x; a; b) widely used pragmatics of range predicate: a used to restrict range of x further than t Ina Schaefer FSE 10

Pragmatics of Range Predicates (\forall t x; a; b) and (\exists t x; a; b) widely used pragmatics of range predicate: a used to restrict range of x further than t example: arr is sorted at indexes between 0 and 9 : Ina Schaefer FSE 11

Pragmatics of Range Predicates (\forall t x; a; b) and (\exists t x; a; b) widely used pragmatics of range predicate: a used to restrict range of x further than t example: arr is sorted at indexes between 0 and 9 : (\forall int i,j; Ina Schaefer FSE 12

Pragmatics of Range Predicates (\forall t x; a; b) and (\exists t x; a; b) widely used pragmatics of range predicate: a used to restrict range of x further than t example: arr is sorted at indexes between 0 and 9 : (\forall int i,j; 0<=i && i<j && j<10; Ina Schaefer FSE 13

Pragmatics of Range Predicates (\forall t x; a; b) and (\exists t x; a; b) widely used pragmatics of range predicate: a used to restrict range of x further than t example: arr is sorted at indexes between 0 and 9 : (\forall int i,j; 0<=i && i<j && j<10; arr[i] <= arr[j]) Ina Schaefer FSE 14

Using Quantified JML expressions How to express: an array arr only holds values 2 Ina Schaefer FSE 15

Using Quantified JML expressions How to express: an array arr only holds values 2 (\forall int i; Ina Schaefer FSE 16

Using Quantified JML expressions How to express: an array arr only holds values 2 (\forall int i; 0<=i && i<arr.length; Ina Schaefer FSE 17

Using Quantified JML expressions How to express: an array arr only holds values 2 (\forall int i; 0<=i && i<arr.length; arr[i] <= 2) Ina Schaefer FSE 18

Using Quantified JML expressions How to express: the variable m holds the maximum entry of array arr Ina Schaefer FSE 19

Using Quantified JML expressions How to express: the variable m holds the maximum entry of array arr (\forall int i; 0<=i && i<arr.length; m >= arr[i]) Ina Schaefer FSE 20

Using Quantified JML expressions How to express: the variable m holds the maximum entry of array arr (\forall int i; 0<=i && i<arr.length; m >= arr[i]) is this enough? Ina Schaefer FSE 21

Using Quantified JML expressions How to express: the variable m holds the maximum entry of array arr (\forall int i; 0<=i && i<arr.length; m >= arr[i]) (\exists int i; 0<=i && i<arr.length; m == arr[i]) Ina Schaefer FSE 22

Using Quantified JML expressions How to express: the variable m holds the maximum entry of array arr (\forall int i; 0<=i && i<arr.length; m >= arr[i]) arr.length>0 ==> (\exists int i; 0<=i && i<arr.length; m == arr[i]) Ina Schaefer FSE 23

Using Quantified JML expressions How to express: all Account objects in the array accountproxies are stored at the index corresponding to their respective accountnumber field Ina Schaefer FSE 24

Using Quantified JML expressions How to express: all Account objects in the array accountproxies are stored at the index corresponding to their respective accountnumber field (\forall int i; 0<=i && i<maxaccountnumber; accountproxies[i].accountnumber == i ) Ina Schaefer FSE 25

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers Ina Schaefer FSE 26

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) Ina Schaefer FSE 27

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) note: JML quantifiers range also over non-created objects Ina Schaefer FSE 28

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) note: JML quantifiers range also over non-created objects same for quantifiers in KeY! Ina Schaefer FSE 29

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) note: JML quantifiers range also over non-created objects same for quantifiers in KeY! in JML, restrict to created objects with \created Ina Schaefer FSE 30

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) note: JML quantifiers range also over non-created objects same for quantifiers in KeY! in JML, restrict to created objects with \created in KeY? Ina Schaefer FSE 31

Using Quantified JML expressions How to express: all created instances of class BankCard have different cardnumbers (\forall BankCard p1, p2; \created(p1) && \created(p2); p1!= p2 ==> p1.cardnumber!= p2.cardnumber) note: JML quantifiers range also over non-created objects same for quantifiers in KeY! in JML, restrict to created objects with \created in KeY? ( coming lecture) Ina Schaefer FSE 32

Example: Specifying LimitedIntegerSet public class LimitedIntegerSet { public final int limit; private int arr[]; private int size = 0; public LimitedIntegerSet(int limit) { this.limit = limit; this.arr = new int[limit]; } public boolean add(int elem) {/*...*/} public void remove(int elem) {/*...*/} public boolean contains(int elem) {/*...*/} // other methods } Ina Schaefer FSE 33

Prerequisites: Adding Specification Modifiers public class LimitedIntegerSet { public final int limit; private /*@ spec_public @*/ int arr[]; private /*@ spec_public @*/ int size = 0; public LimitedIntegerSet(int limit) { this.limit = limit; this.arr = new int[limit]; } public boolean add(int elem) {/*...*/} public void remove(int elem) {/*...*/} public /*@ pure @*/ boolean contains(int elem) {/*...*/} // other methods } Ina Schaefer FSE 34

Specifying contains() public /*@ pure @*/ boolean contains(int elem) {/*...*/} Ina Schaefer FSE 35

Specifying contains() public /*@ pure @*/ boolean contains(int elem) {/*...*/} has no effect on state Ina Schaefer FSE 36

Specifying contains() public /*@ pure @*/ boolean contains(int elem) {/*...*/} has no effect on state how to specify result value? Ina Schaefer FSE 37

Result Values in Postcondition In postconditions, one can use \result to refer to the return value of the method. /*@ public normal_behavior @ ensures \result == Ina Schaefer FSE 38

Result Values in Postcondition In postconditions, one can use \result to refer to the return value of the method. /*@ public normal_behavior @ ensures \result == (\exists int i; @ Ina Schaefer FSE 39

Result Values in Postcondition In postconditions, one can use \result to refer to the return value of the method. /*@ public normal_behavior @ ensures \result == (\exists int i; @ 0 <= i && i < size; @ Ina Schaefer FSE 40

Result Values in Postcondition In postconditions, one can use \result to refer to the return value of the method. /*@ public normal_behavior @ ensures \result == (\exists int i; @ 0 <= i && i < size; @ arr[i] == elem); @*/ public /*@ pure @*/ boolean contains(int elem) {/*...*/} Ina Schaefer FSE 41

Specifying add() (spec-case1) /*@ public normal_behavior @ requires size < limit &&!contains(elem); @ ensures \result == true; @ ensures contains(elem); @ ensures (\forall int e; @ e!= elem; @ contains(e) <==> \old(contains(e))); @ ensures size == \old(size) + 1; @ @ also @ @ <spec-case2> @*/ public boolean add(int elem) {/*...*/} Ina Schaefer FSE 42

Specifying add() (spec-case2) /*@ public normal_behavior @ @ <spec-case1> @ @ also @ @ public normal_behavior @ requires (size == limit) contains(elem); @ ensures \result == false; @ ensures (\forall int e; @ contains(e) <==> \old(contains(e))); @ ensures size == \old(size); @*/ public boolean add(int elem) {/*...*/} Ina Schaefer FSE 43

Specifying remove() /*@ public normal_behavior @ ensures!contains(elem); @ ensures (\forall int e; @ e!= elem; @ contains(e) <==> \old(contains(e))); @ ensures \old(contains(elem)) @ ==> size == \old(size) - 1; @ ensures!\old(contains(elem)) @ ==> size == \old(size); @*/ public void remove(int elem) {/*...*/} Ina Schaefer FSE 44

Specifying Data Constraints So far: JML used to specify method specifics. Ina Schaefer FSE 45

Specifying Data Constraints So far: JML used to specify method specifics. How to specify constraints on class data? Ina Schaefer FSE 46

Specifying Data Constraints So far: JML used to specify method specifics. How to specify constraints on class data, e.g.: consistency of redundant data representations (like indexing) restrictions for efficiency (like sortedness) Ina Schaefer FSE 47

Specifying Data Constraints So far: JML used to specify method specifics. How to specify constraints on class data, e.g.: consistency of redundant data representations (like indexing) restrictions for efficiency (like sortedness) data constraints are global: all methods must preserve them Ina Schaefer FSE 48

Consider LimitedSortedIntegerSet public class LimitedSortedIntegerSet { public final int limit; private int arr[]; private int size = 0; public LimitedSortedIntegerSet(int limit) { this.limit = limit; this.arr = new int[limit]; } public boolean add(int elem) {/*...*/} public void remove(int elem) {/*...*/} public boolean contains(int elem) {/*...*/} // other methods } Ina Schaefer FSE 49

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) Ina Schaefer FSE 50

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? Ina Schaefer FSE 51

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state Ina Schaefer FSE 52

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state method add searches first index with bigger element, inserts just before that Ina Schaefer FSE 53

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state method add searches first index with bigger element, inserts just before that thereby tries to establish sortedness in post-state Ina Schaefer FSE 54

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state method add searches first index with bigger element, inserts just before that thereby tries to establish sortedness in post-state why is that sufficient? Ina Schaefer FSE 55

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state method add searches first index with bigger element, inserts just before that thereby tries to establish sortedness in post-state why is that sufficient? it assumes sortedness in pre-state Ina Schaefer FSE 56

Consequence of Sortedness for Implementations method contains can employ binary search (logarithmic complexity) why is that sufficient? it assumes sortedness in pre-state method add searches first index with bigger element, inserts just before that thereby tries to establish sortedness in post-state why is that sufficient? it assumes sortedness in pre-state method remove (accordingly) Ina Schaefer FSE 57

Specifying Sortedness with JML recall class fields: public final int limit; private int arr[]; private int size = 0; sortedness as JML expression: Ina Schaefer FSE 58

Specifying Sortedness with JML recall class fields: public final int limit; private int arr[]; private int size = 0; sortedness as JML expression: (\forall int i; 0 < i && i < size; arr[i-1] <= arr[i]) Ina Schaefer FSE 59

Specifying Sortedness with JML recall class fields: public final int limit; private int arr[]; private int size = 0; sortedness as JML expression: (\forall int i; 0 < i && i < size; arr[i-1] <= arr[i]) (what s the value of this if size < 2?) Ina Schaefer FSE 60

Specifying Sorted contains() can assume sortedness of pre-state Ina Schaefer FSE 61

Specifying Sorted contains() can assume sortedness of pre-state /*@ public normal_behavior @ requires (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ ensures \result == (\exists int i; @ 0 <= i && i < size; @ arr[i] == elem); @*/ public /*@ pure @*/ boolean contains(int elem) {/*...*/} Ina Schaefer FSE 62

Specifying Sorted contains() can assume sortedness of pre-state /*@ public normal_behavior @ requires (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ ensures \result == (\exists int i; @ 0 <= i && i < size; @ arr[i] == elem); @*/ public /*@ pure @*/ boolean contains(int elem) {/*...*/} contains() is pure sortedness of post-state trivially ensured Ina Schaefer FSE 63

Specifying Sorted remove() can assume sortedness of pre-state must ensure sortedness of post-state /*@ public normal_behavior @ requires (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ ensures!contains(elem); @ ensures (\forall int e; @ e!= elem; @ contains(e) <==> \old(contains(e))); @ ensures \old(contains(elem)) @ ==> size == \old(size) - 1; @ ensures!\old(contains(elem)) @ ==> size == \old(size); @ ensures (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @*/ public void remove(int elem) {/*...*/} Ina Schaefer FSE 64

Specifying Sorted add() (spec-case1) /*@ public normal_behavior @ requires (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ requires size < limit &&!contains(elem); @ ensures \result == true; @ ensures contains(elem); @ ensures (\forall int e; @ e!= elem; @ contains(e) <==> \old(contains(e))); @ ensures size == \old(size) + 1; @ ensures (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ @ also <spec-case2> @*/ public boolean add(int elem) {/*...*/} Ina Schaefer FSE 65

Specifying Sorted add() (spec-case2) /*@ public normal_behavior @ @ <spec-case1> also @ @ public normal_behavior @ requires (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @ requires (size == limit) contains(elem); @ ensures \result == false; @ ensures (\forall int e; @ contains(e) <==> \old(contains(e))); @ ensures size == \old(size); @ ensures (\forall int i; 0 < i && i < size; @ arr[i-1] <= arr[i]); @*/ public boolean add(int elem) {/*...*/} Ina Schaefer FSE 66

Factor out Sortedness so far: sortedness has swamped our specification Ina Schaefer FSE 67

Factor out Sortedness so far: sortedness has swamped our specification we can do better, using JML Class Invariant construct for specifying data constraints centrally Ina Schaefer FSE 68

Factor out Sortedness so far: sortedness has swamped our specification we can do better, using JML Class Invariant construct for specifying data constraints centrally 1. delete blue and red parts from previous slides 2. add sortedness as JML class invariant instead Ina Schaefer FSE 69

JML Class Invariant public class LimitedSortedIntegerSet { public final int limit; } /*@ public invariant (\forall int i; @ 0 < i && i < size; @ arr[i-1] <= arr[i]); @*/ private /*@ spec_public @*/ int arr[]; private /*@ spec_public @*/ int size = 0; // constructor and methods, // without sortedness in pre/post-conditions Ina Schaefer FSE 70

JML Class Invariant JML class invariant can be placed anywhere in class (contrast: method contract must be in front of its method) custom to place class invariant in front of fields it talks about Ina Schaefer FSE 71

Instance vs. Static Invariants instance invariants can refer to instance fields of this object (unqualified, like size, or qualified with this, like this.size ) JML syntax: instance invariant Ina Schaefer FSE 72

Instance vs. Static Invariants instance invariants can refer to instance fields of this object (unqualified, like size, or qualified with this, like this.size ) JML syntax: instance invariant static invariants cannot refer to instance fields of this object JML syntax: static invariant Ina Schaefer FSE 73

Instance vs. Static Invariants instance invariants can refer to instance fields of this object (unqualified, like size, or qualified with this, like this.size ) JML syntax: instance invariant static invariants cannot refer to instance fields of this object JML syntax: static invariant both can refer to static fields instance fields via explicit reference, like o.size Ina Schaefer FSE 74

Instance vs. Static Invariants instance invariants can refer to instance fields of this object (unqualified, like size, or qualified with this, like this.size ) JML syntax: instance invariant static invariants cannot refer to instance fields of this object JML syntax: static invariant both can refer to static fields instance fields via explicit reference, like o.size in classes: instance is default(static in interfaces) if instance or static is omitted instance invariant! Ina Schaefer FSE 75

Static JML Invariant Example public class BankCard { /*@ public static invariant @ (\forall BankCard p1, p2; @ \created(p1) && \created(p2); @ p1!=p2 ==> p1.cardnumber!=p2.cardnumber) @*/ private /*@ spec_public @*/ int cardnumber; // rest of class follows } Ina Schaefer FSE 76

Recall Specification of enterpin() private /*@ spec_public @*/ BankCard insertedcard = null; private /*@ spec_public @*/ int wrongpincounter = 0; private /*@ spec_public @*/ boolean customerauthenticated = false; /*@ <spec-case1> also <spec-case2> also <spec-case3> @*/ public void enterpin (int pin) {... Ina Schaefer FSE 77

Recall Specification of enterpin() private /*@ spec_public @*/ BankCard insertedcard = null; private /*@ spec_public @*/ int wrongpincounter = 0; private /*@ spec_public @*/ boolean customerauthenticated = false; /*@ <spec-case1> also <spec-case2> also <spec-case3> @*/ public void enterpin (int pin) {... last lecture: all 3 spec-cases were normal_behavior Ina Schaefer FSE 78

Specifying Exceptional Behavior of Methods normal_behavior specification case, with preconditions P, forbids method to throw exceptions if pre-state satisfies P Ina Schaefer FSE 79

Specifying Exceptional Behavior of Methods normal_behavior specification case, with preconditions P, forbids method to throw exceptions if pre-state satisfies P exceptional_behavior specification case, with preconditions P, requires method to throw exceptions if pre-state satisfies P Ina Schaefer FSE 80

Specifying Exceptional Behavior of Methods normal_behavior specification case, with preconditions P, forbids method to throw exceptions if pre-state satisfies P exceptional_behavior specification case, with preconditions P, requires method to throw exceptions if pre-state satisfies P keyword signals specifies post-state, depending on thrown exception Ina Schaefer FSE 81

Specifying Exceptional Behavior of Methods normal_behavior specification case, with preconditions P, forbids method to throw exceptions if pre-state satisfies P exceptional_behavior specification case, with preconditions P, requires method to throw exceptions if pre-state satisfies P keyword signals specifies post-state, depending on thrown exception keyword signals_only limits types of thrown exception Ina Schaefer FSE 82

Completing Specification of enterpin() /*@ <spec-case1> also <spec-case2> also <spec-case3> also @ @ public exceptional_behavior @ requires insertedcard==null; @ signals_only ATMException; @ signals (ATMException)!customerAuthenticated; @*/ public void enterpin (int pin) {... Ina Schaefer FSE 83

Completing Specification of enterpin() /*@ <spec-case1> also <spec-case2> also <spec-case3> also @ @ public exceptional_behavior @ requires insertedcard==null; @ signals_only ATMException; @ signals (ATMException)!customerAuthenticated; @*/ public void enterpin (int pin) {... in case insertedcard==null in pre-state an exception must be thrown it can only be an ATMException ( exceptional_behavior ) ( signals_only ) method must then ensure!customerauthenticated in post-state ( signals ) Ina Schaefer FSE 84

signals_only Clause: General Case an exceptional specification case can have one clause of the form signals_only (E1,..., En); where E1,..., En are exception types Ina Schaefer FSE 85

signals_only Clause: General Case an exceptional specification case can have one clause of the form signals_only (E1,..., En); where E1,..., En are exception types Meaning: if an exception is thrown, it is of type E1 or... or En Ina Schaefer FSE 86

signals Clause: General Case an exceptional specification case can have several clauses of the form signals (E) b; where E is exception type, b is boolean expression Ina Schaefer FSE 87

signals Clause: General Case an exceptional specification case can have several clauses of the form signals (E) b; where E is exception type, b is boolean expression Meaning: if an exception of type E is thrown, b holds in post condition Ina Schaefer FSE 88

Allowing Non-Termination by default, both: normal_behavior exceptional_behavior specification cases enforce termination Ina Schaefer FSE 89

Allowing Non-Termination by default, both: normal_behavior exceptional_behavior specification cases enforce termination in each specification case, non-termination can be permitted via the clause diverges true; Ina Schaefer FSE 90

Allowing Non-Termination by default, both: normal_behavior exceptional_behavior specification cases enforce termination in each specification case, non-termination can be permitted via the clause diverges true; Meaning: given the precondition of the specification case holds in pre-state, the method may or may not terminate Ina Schaefer FSE 91

Further Modifiers: non_null and nullable JML extends the Java modifiers by further modifiers: class fields method parameters method return types can be declared as nullable: may or may not be null non_null: must not be null Ina Schaefer FSE 92

non_null: Examples private /*@ spec_public non_null @*/ String name; implicit invariant public invariant name!= null; added to class public void insertcard(/*@ non_null @*/ BankCard card) {.. implicit precondition requires card!= null; added to each specification case of insertcard public /*@ non_null @*/ String tostring() implicit postcondition ensures \result!= null; added to each specification case of tostring Ina Schaefer FSE 93

non_null is default in JML! same effect even without explicit non null s private /*@ spec_public @*/ String name; implicit invariant public invariant name!= null; added to class public void insertcard(bankcard card) {.. implicit precondition requires card!= null; added to each specification case of insertcard public String tostring() implicit postcondition ensures \result!= null; added to each specification case of tostring Ina Schaefer FSE 94

nullable: Examples To prevent such pre/post-conditions and invariants: nullable private /*@ spec_public nullable @*/ String name; no implicit invariant added public void insertcard(/*@ nullable @*/ BankCard card) {.. no implicit precondition added public /*@ nullable @*/ String tostring() no implicit postcondition added to specification cases of tostring Ina Schaefer FSE 95

LinkedList: non_null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: Ina Schaefer FSE 96

LinkedList: non_null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: all elements in the list are non_null Ina Schaefer FSE 97

LinkedList: non_null or nullable? public class LinkedList { private Object elem; private LinkedList next;... In JML this means: all elements in the list are non_null the list is cyclic, or infinite! Ina Schaefer FSE 98

LinkedList: non_null or nullable? Repair: public class LinkedList { private Object elem; private /*@ nullable @*/ LinkedList next;... Now, the list is allowed to end somewhere! Ina Schaefer FSE 99

Final Remark on non_null and nullable non_null as default in JML only since a few years. Older JML tutorial or articles may not use the non null by default semantics. Ina Schaefer FSE 100

JML and Inheritance All JML contracts, i.e. specification cases class invariants are inherited down from superclasses to subclasses. A class has to fulfill all contracts of its superclasses. in addition, the subclass may add further specification cases, starting with also: /*@ also @ @ <subclass-specific-spec-cases> @*/ public void method () {... Ina Schaefer FSE 101

Tools Many tools support JML (see http://www.jmlspecs.org). On the course website you find a link how to install a JML checker for eclipse that works with newer Java versions. Ina Schaefer FSE 102

Literature for this Lecture essential reading: in KeY Book A. Roth and Peter H. Schmitt: Formal Specification. Chapter 5 only sections 5.1, 5.3, In: B. Beckert, R. Hähnle, and P. Schmitt, editors. Verification of Object-Oriented Software: The KeY Approach, vol 4334 of LNCS. Springer, 2006. further reading, all available at www.eecs.ucf.edu/~leavens/jml/documentation.shtml: JML Reference Manual Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, and Joseph Kiniry. JML Reference Manual JML Tutorial Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML JML Overview Gary T. Leavens, Albert L. Baker, and Clyde Ruby. JML: A Notation for Detailed Design Ina Schaefer FSE 103

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information