UP | HOME
../../ 2015-07-20

Java Modeling Language JML

Table of Contents

1 Design by Contract View point

1.1 Goals

  1. Assigning blame across interfaces
  2. Details of method responsibilities

1.2 Information Hiding by Contracts

  1. A contract can be satisfied in many ways
    1. a method can have many implementation satisfying the contract;
    2. Different performances (time, space, etc);
  2. A contract hides the implementation details
    1. We can change implementations.
    2. Caller's code Will work for any implementation that satisfies the contract

1.3 Techniques

  1. Strongest Class invariant
  2. Weakest Pre-conditions requires for public methods
    1. The called method assumes precondition holds
    2. Avoiding constantly checking arguments
    3. The caller guarantees precondition holds
  3. Strongest Post-conditions ensures for public methods
    1. The called guarantees postcondition
    2. The caller is guaranteed postcondition

2 Java Modeling Language (JML) Overview

  1. http://jmlspecs.sourceforge.net/
  2. JML is a behavioral (functionality) interface specification language
  3. Annotation language captures programmer design decisions
  4. JML is contained in annotations
    1. //@ JML annotation
    2. /*@ JML annotation @*/
    3. javac will ignore these
  5. JML annotation is a Java boolean expression …
    1. without any side effects
    2. extended with \old, \result
    3. extended with \forall, \exists
    4. JML keywords: requires, ensures, invariant
    5. JML keywords: pure, nonnull, assignable, signals
  6. JML annotation includes model fields

2.1 No Side Effects

  1. No use of =, ++, --, …
  2. Can only call pure methods.

2.2 Java extended syntax in JML

  1. a ==> b stands for a implies b
  2. a <==> b stands for a iff b
  3. a <=!=> b stands for !(a <==> b)
  4. \old(E) stands for the value of E in pre-state
  5. \result stands for the result of method

2.3 Quantifiers

  1. Universal ∀ JML \forall and existential ∃ JML \exists
  2. General quantifiers (\sum, \product, \min, \max)
  3. Numeric quantifier (\num_of)
  4. Ex: (\forall Student s; juniors.contains(s); s.getAdvisor() != null)

2.4 Java example source code files with JML annotations

  1. ./jml-one-page-ex-1.pdf
  2. ./jml-one-page-ex-2.pdf
  3. Patrice Chalin, et al., "Beyond Assertions", http://www.eecs.ucf.edu/~leavens/JML/fmco.pdf (Overview of JML tools) 2004. Required Reading.

2.5 Non-Null

  1. To state that some references must not be null
  2. private /*@ non null @*/ File[] files;
  3. void createSubdir(/*@ non null @*/ String name) { ... }

2.6 Java assert

  1. assert Expression1 ; where Expression1 is a boolean expression. When the system runs the assertion, it evaluates Expression1 and if it is false throws an AssertionError with no detail message.
  2. assert Expression1 : Expression2 ; where Expression1 is a boolean expression. Expression2 is an expression that has a value. The AssertionError constructor uses the string value of Expression2 to generate a detailed message.

2.7 JML assert

  1. //@ assert i > 0 && 0 < j && j < 5;
  2. //@ assert (\forall int i; 0 <= i && i < n; a[i] != null);
  3. keyword assert also in Java (since Java 1.4)
  4. assert in JML is more powerful

2.8 assignable

  1. Frame properties limit possible side-effects of methods.
  2. //@ requires amount >= 0;
  3. //@ assignable balance;
  4. //@ ensures balance == \old(balance) - amount;
  5. public int debit(int amount) { ... }
  6. debit can only assign to the field balance.
    NB this does not follow from the post-condition.
  7. //@ assignable \everything
  8. //@ assignable \nothing

2.9 pure

  1. A method without side-effects is said to be pure
  2. public /*@ pure @*/ int getBalance() { ... }
  3. Pure methods have implicitly assignable \nothing
  4. Pure methods, and only pure methods, can be used in specifications:
  5. //@ invariant 0 <= getBalance() && getBalance() <= MAX_BALANCE

3 Model Variables

  1. variables to be used only in specifications
  2. Given value only by represents clauses

4 Tools for JML

4.1 JML compiler

  1. perform JML checks at runtime;
  2. low overhead;
  3. jmlrac http://www.eecs.ucf.edu/~leavens/JML2/docs/man/jmlrac.html
  4. jmlc http://www.eecs.ucf.edu/~leavens/JML2/docs/man/jmlc.html

4.2 ESC/Java2

  1. http://kindsoftware.com/products/opensource/ESCJava2/
    1. Improve the current software engineering process
    2. Can prove JML assertions at compile time.
    3. Effort must be made by the developer
    4. So far, only possible for small programs
  2. Input: a Java program annotated with JML assertions
  3. Powered by program semantics and automatic theorem proving
  4. Automatically check if the assertions are always true;
  5. Statically without any user interaction
  6. Reason about non-trivial properties (not just type-correctness)
  7. Its warnings are intended to be interpreted by the author of the program
  8. It does not find all the errors, but reduces the cost of finding some of them early

4.3 JACK: Java Applet Correctness Kit

  1. http://www-sop.inria.fr/everest/soft/Jack/jack.html

5 JML Readings

  1. Gary T. Leavens and Yoonsik Cheon, "Design by Contract with JML", http://www.jmlspecs.org/jmldbc.pdf, 2006. Compare with Meyers paper. Recommended Reading
  2. Patrice Chalin, et al., "Beyond Assertions", http://www.eecs.ucf.edu/~leavens/JML/fmco.pdf (Overview of JML tools) 2004. Required Reading.
  3. There are several JML plugins that you can discover through a web search.

6 References

  1. http://goverily.org/ Rather than requiring that programs be verified in separate a posteriori analysis, Verily supports construction via a series of Recipes, which are properties of an application that are enforced at compile time. Recommended Visit.
  2. http://types.cs.washington.edu/checker-framework/ The Checker Framework enhances Java’s type system to make it more powerful and useful. This lets software developers detect and prevent errors in their Java programs. The Checker Framework includes compiler plug-ins ("checkers") that find bugs or verify their absence. It also permits you to write your own compiler plug-ins. Recommended Visit.
  3. http://openjml.org/ The Java Modeling Language (JML) is a language used to describe the functional behavior of Java classes and methods. http://sourceforge.net/projects/jmlspecs/ Recommended Visit.
  4. JML plugins for IntelliJ and Eclipse exist, but … ; e.g., ./eclipse-jml-plugin-slides.pdf
  5. OpenJML: Software verification for Java 7 using JML, OpenJDK, and Eclipse David R. Cok GrammaTech, Inc. Ithaca, NY, USA cok@frontiernet.net http://arxiv.org/pdf/1404.6608.pdf, 2014. Recommended Reading.
Copyright © 2015 • www.wright.edu/~pmateti • 2015-07-20