Politecnico di Milano Advanced Topics in Software Engineering

1
Politecnico di MilanoAdvanced Topics in Software
Engineering

• JML in a Nutshell

Domenico Bianculli Alessandro Monguzzi
bianculli, alessandro.monguzzi_at_gmail.com
June 16th, 2005
Rev. 1.3
2
Outline

• What is JML?
• Syntax
• Specification cases
• Advanced topics
• Running example
• Tools
• Related works

3
What is JML?

• Java Modeling Language
• A behavior interface specification language
  (BISL)
• describes
• modules interface
• modules behaviour
• evolution of Hoare-style specification
• based on Design by Contract

4
Syntax

• Annotations
• Expressions
• Quantification

5
Syntax annotations

• Specification written as annotation comments
• Single line//_at_ specification
• Multiline/_at_ specification _at_ _at_/
• Informal//_at_( informal description )

6
Syntax expressions

• Expression used in JML annotations cannot have
  side effects.
• No use of , , , --
• Can only call pure methods
• Extended version of Java expressions

7
Syntax quantification

• universal existential (\forall,\exists)
• /_at_ \forall int x
• _at_ x gt 0 x lt a.lenght-1
• _at_ ax-1 lt ax
• _at_/
• general quantifiers (\sum, \product, \min, \max)
• numeric quantifier(\num_of)

declaration
range
body
8
Preconditions

• Say what must be true when calling a method
• Introduced by requires clause
• /_at_requires xgt 0
• _at_...
• _at_/
• public double sqrt(double x)

9
Normal postconditions

• Say what must be true when a method returns
  normally(i.e. without throwing exceptions)
• Introduced by ensures clause
• /_at_ requires xgt 0
• _at_ ensures x - \result \result lt 0.0001
• _at_/
• public double sqrt(double x)
• Input parameters in postconditions are always
  evaluated in pre-statex \old(x)

10
Exceptional postconditions

• Say what must be true when a method throws an
  exception of type TIntroduced by signals clause
• /_at_ requires xgt 0
• _at_ ensures x - \result \result lt 0.0001
• _at_ signals (IllegalArgumentException ex)
• _at_ ex.getMessage() ! null !(x gt0.0)
• _at_/
• public double sqrt(double x)

11
More on exceptional postconditions (1)

• Note that signal clause does not say which
  exceptions must be thrown
• It just only says if an exception of (sub)type
  T is thrown, then its predicate must hold and
  not viceversa.
• The signals_only clause specifies what exceptions
  may be thrown, and implicitly the ones which
  cannot be thrown.

12
More on exceptional postconditions (2)

• To say that an exception must be thrown in some
  situations, exclude that situations from other
  signals clauses and from all ensures clauses/_at_
  requires true _at_ ensures xgt0 _at_ signals
  (Exception e) _at_ xlt0 _at_/public int
  foo(int x) throws Exceptions
• More on this topic later

13
Semantics

• Meaning of JML method specification
• A method is called in a state (pre-state) where
  the precondition is satisfied otherwise, nothing
  is guaranteed, including the termination of the
  call
• If a method is called in a proper pre-state, then
  there are two possible outcomes (post-state) of
  methods execution normal and exceptional

14
Kinds of specification specification cases

• Specification cases
• Lightweight
• Heavyweight
• Behaviour
• Normal Behaviour
• Exceptional Behaviour

15
Heavyweight vs lightweight specs

• Heavyweight
• Assumes users giving full specification
• Omitted clauses are abbreviations
• Useful for formal verification

• Lightweight
• Dont assume user is giving full specification
• Minimize annotation burden
• Omitted clauses are \not_specified
• Useful for RAC and docs

16
Additional Clauses
17
Heavyweight specs behavior

• /_at_ behavior
• _at_ requires P
• _at_ diverges D
• _at_ assignable A
• _at_ when W
• _at_ ensures Q
• _at_ signals (E1 e1) R1
• _at_ ...
• _at_ signals (En en) Rn
• _at_ accessible C
• _at_ callable p()
• _at_/

18
Heavyweight specsnormal behavior

• It is a behavior specification case with signals
  clause implicitly defined as signals
  (java.lang.Exception) false
• guarantees normal termination ? no exception may
  be thrown

19
Heavyweight specsexceptional behavior

• It is a behavior specification case with ensures
  clause implicitly defined as ensures false
• Guarantees that the method throws an exception

20
Multiple cases specs

• Normal and exceptional spec cases may be
  combined
• /_at_ public normal_behavior
• _at_ requires !theStack.isEmpty()
• _at_ assignable size, theStack
• _at_ ensures
• _at_ theStack.equals(\old(theStack.trailer()))
• _at_ \result \old(theStack.first())
• _at_ also
• _at_ public exceptional_behavior
• _at_ requires theStack.isEmpty()
• _at_ assignable \nothing
• _at_ signals_only IllegalStateException
• _at_/
• public Object pop()

21
Class invariants

• Properties that must hold in all visible states
  of an object//_at_ public invariant x ! null
  !name.equals()
• Static or Instance invariants
• Implicitly included in preconditions and normal
  and exceptional postconditions
• Do not hold for methods declared with clause
  helper
• private invariants state Rep Invariant

22
Loop (in)variants

• Loop statements can be annotated with loop
  invariants and variant functions.
• Help in proving partial and total correctness of
  the loop statementlong sum 0int a new
  int100int i a.length/_at_ mantaining -1 lt
  i i lt a.length _at_ mantaining sum _at_
  (\sum int j i lt j 0 lt j _at_
  j lt a.length aj) _at_ decreasing i
  _at_/while (--igt0) sum ai

23
Assertions

• An assertion is a predicate that must always be
  true//_at_ assert igt0
• w.r.t. Java 1.4 assert JML assertions cannot
  have any side-effects and can use JML expressions.

24
History Constraints

• Relationships that should hold for the
  combination of each visible state and any visible
  state that occurs later in the program execution
• Used to constrain the way the values change over
  time
• int a
• //_at_ constraint a \old(a)
• boolean b
• //_at_ constraint b.lenght gt \old(b.lenght)

25
Advanced Topics

• Model fields
• Model methods and types
• Fields visibility
• Abstract models
• Purity
• Data groups
• Specification inheritance
• Refinement

26
Model fields

• Represents a field or a variable used only in
  specification
• Describes abstract values of objects
• They can be mapped on a concrete field using
  keyword represents
• public class MathFoo
• //_at_ public model eps
• private float error
• //_at_ private represents eps lt- error

27
Visibility

• JML imposes visibility rules similar to Java
• Keyword spec_public loosens visibility for specs.
  Private spec_public fields are allowed in public
  specs.
• private /_at_ spec_public _at_/ double x
  0.0//_at_requires !Double.isNaN(xdx)public void
  moveX(double dx)
• Not a good practice! You are exposing internal
  representation!

28
Abstract models

• JML provides a Java class library for
  specification purposes
• Package org.jmlspecs.model
• Collections sequence, set, bag
• Algebric functions and relations
• Exceptions and iterators
• Almost all are immutable objects with pure
  methods
• Can be used during RAC
• Users can define their own models

29
Purity

• A pure method is a method without side effects
  (\assignable nothing)
• It is declared with the modifier pure
• A class is pure if all its methods are pure
• Only pure method are allowed in specifications

30
Data groups

• A set of model and concrete fields to which you
  refer by a specific name
• A declaration of a model field automatically
  creates a data group with the same name of the
  model field
• The main purpose of a data group is to refer to
  the elements of this set without exposing their
  internal representation
• Locations members of a data group may be assigned
  during the executions of methods that have
  permission to assign to the data group
• /_at_ public model int size
• _at_ public model JMLObjectSequence theStack
• _at_ in size
• _at_/

31
Specification inheritance

• A subclass inherits specifications of its
  superclass and of its implemented interfaces
• All instance model fields
• Instance method specifications
• Instance invariants and instance history
  constraints
• Specifications of a superclass are conjuncted
  with new specs with the clause also
• Support behavioural notion of subtyping,
  accordingly to Liskovs substitution principle
• preconditions are disjoined
• postconditions are conjoined as n (old(prei) -gt
  posti)
• invariants are conjoined

32
Refinement files

• Specifications can be separated from
  implementations
• Specs are written in a file Foo.java-refined
• Implementation is written in file Foo.java which
  contains the clause //_at_ refine Foo.java-refined
• Useful for adding specifications to existing code

33
Example IntSet

• Informal specificationIntSets are unbounded
  sets of integers with operations to create a new
  empty IntSet, test whether a given integer is an
  element of an IntSet, and add or remove
  elements.

34
IntSet à la Liskov (1)

• public interface IntSet
• public void insert(int x)
• //MODIFIES this
• //EFFECTS Adds x to the elements of this
• public void remove(int x)
• //MODIFIES this
• //EFFECTS Removes x from this
• public boolean isIn(int x)
• //EFFECTS If x is in this returns true, else
  returns false.

Mutator
Mutator
Observer
35
IntSet à la Liskov (2)

• public class IntSetAs_list implements IntSet
• private Vector els
• public IntSetAs_list()
• //EFFECTS Initializes this to be empty.
• els new Vector()
• Abstraction FunctionAF(c) c.els.get(i).intValu
  e 0 lt i lt c.els.size
• Representation Invariantc.els ! null for all
  integers i (0 lt i lt c.els.size gt c.els.get(i)
  is an Integer) for all integers i, j (0lt i
  lt j lt c.els.size gt c.els.get(i).intValue !
  c.els.get(j).intValue)

36
IntSet in JML (1)

• public interface IntSet
• /_at_ public model instance JMLValueSet theSet
• _at_ public initially theSet ! null
  theSet.isEmpty()
• _at_ public instance invariant theSet ! null
  
• _at_ (\forall JMLType e theSet.has(e)
  
• _at_ e instanceof
  JMLInteger)
• _at_/
• / Insert the given integer into this set. /
  
• /_at_ public normal_behavior
• _at_ assignable theSet
• _at_ ensures theSet.equals(\old(theSet.insert(new
  JMLInteger(elem))))
• _at_/
• public void insert(int elem)
• / Tell if the argument is in this set. /
• /_at_ public normal_behavior
• _at_ ensures \result theSet.has(new
  JMLInteger(elem))
• _at_/
• public /_at_ pure _at_/ boolean isIn(int elem)
• / Remove the given integer from this set. /
  

Model Field
Abstract Invariant
37
IntSet in JML (2)

• import java.util.
• //_at_ model import org.jmlspecs.models.
• public class IntegerSetAsList implements IntSet
• private Vector els
• //_at_ in theSet
• /_at_ private invariant els ! null
• _at_ (\forall int i 0lti iltels.size()
  els.get(i) ! null
• _at_ els.get(i) instanceof Integer
• _at_ (\forall int j0 iltj jltels.size()
  els.get(i) ! els.get(j)))
• _at_/
• //_at_ private represents theSet lt-
  abstractValue()
• / Return the abstract value of this
  IntegerSetAsList. /
• /_at_ _at_ private pure model JMLValueSet
  abstractValue()
• _at_ JMLValueSet ret new JMLValueSet()
• _at_ Iterator iter els.iterator()
• _at_ while (iter.hasNext())
• _at_ ret ret.insert(new
  JMLInteger((Integer)

Rep Invariant
Abstraction Function
38
IntSet in JML (3)

• / Initialize this set to be the empty set. /
• /_at_ public normal_behavior
• _at_ assignable theSet
• _at_ ensures theSet ! null theSet.isEmpty()
• _at_/
• public IntegerSetAsList()
• els new Vector()
• public /_at_ pure _at_/ boolean isIn(int i)
• return els.contains(new Integer(i))
• public void insert(int i)
• els.add(new Integer(i))
• public void remove(int i)
• els.remove(new Integer(i))

39
Tools

• Parsing Typechecking
• Runtime assertion checking
• Testing
• Documentation
• Extended static checking
• Program verification

40
jmlc

• The JML compiler
• Translates Java code with JML assertions into
  bytecode
• Adds runtime checks
• During execution, all assertions are tested and
  any violation of an assertion produces an Error
  (uses jmlrac script).

41
jmlunit

• Inserts support for JML within JUnit
• Writes out a JUnit test oracle for given Java
  files
• Specifications are used to check whether tested
  code runs properly ? Tests are only as good as
  the quality of the specifications!

42
jmldoc

• Produces HTML pages with API and JML
  specifications for Java classes

43
ESC/Java

• Extended Static Checker for Java
• Tries to prove correctness of specifications at
  compile-time, fully automatically
• Not sound it may miss an error that is actually
  present
• Not complete it may warn of errors that are
  impossible
• It finds a lot of potential bugs quickly
• NullPointer, ArrayIndexOutOfBounds, ClassCast

44
LOOP

• Logic of Object Oriented Programming, project of
  University of Nijmegen
• Based on a formalization of Java and JML
  semantics in the theorem prover PVS
• LOOP compiler translates JML annotations in PVS
  proof obligations, to be proved interactively

45
Related Works

• Early programming languages
• Gypsy
• Alphard
• Euclid
• CLU
• DBC based
• Eiffel
• SPARK
• B method
• OCL from UML
• Spec

46
Conclusions

• Strenghts
• Easy to learn
• Source code is the formal model
• Gradual introduction
• Support for legacy code
• Wide range of tools

• Weakenesses
• No support for
• concurrency
• object invariants within callbacks
• modeling alias relationships
• Strong definition of pure methods
• many constraints

47
References

• www.jmlspec.org