Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2

  • Patrice Chalin
  • Joseph R. Kiniry
  • Gary T. Leavens
  • Erik Poll
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)

Abstract

Many state-based specification languages, including the Java Modeling Language (JML), contain at their core specification constructs familiar to most undergraduates: e.g., assertions, pre- and postconditions, and invariants. Unfortunately, these constructs are not sufficiently expressive to permit formal modular verification of programs written in modern object-oriented languages like Java. The necessary extra constructs for specifying an object-oriented module include (perhaps the less familiar) frame properties, datagroups, and ghost and model fields. These constructs help specifiers deal with potential problems related to, for example, unexpected side effects, aliasing, class invariants, inheritance, and lack of information hiding. This tutorial paper focuses on JML’s realization of these constructs, explaining their meaning while illustrating how they can be used to address the stated problems.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [ABB+05]
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, P.H.: The KeY tool. Software and System Modeling 4, 32–54 (2005)CrossRefGoogle Scholar
  2. [Ame90]
    America, P.: Designing an object-oriented language with behavioural subtyping. In: de Bakker, J.W., Rozenberg, G., de Roever, W.-P. (eds.) REX 1990. LNCS, vol. 489, pp. 60–90. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  3. [BCC+05]
    Burdy, L., Cheon, Y., Cok, D.R., Ernst, M., Kiniry, J.R., Leavens, G.T., Leino, K.R.M., Poll, E.: An overview of JML tools and applications. International Journal on Software Tools for Technology Transfer (STTT) 7(3), 212–232 (2005)Google Scholar
  4. [BDF+04]
    Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004)CrossRefGoogle Scholar
  5. [BFMW01]
    Bartetzko, D., Fischer, C., Möller, M., Wehrheim, H.: Jass — Java with assertions. In: Workshop on Runtime Verification at CAV 2001 (2001); Published in ENTCS, Havelund, K., Rosu G. (eds.) vol. 55(2) (2001)Google Scholar
  6. [BJ01]
    van den Berg, J., Jacobs, B.: The LOOP compiler for Java and JML. In: Margaria, T., Yi, W. (eds.) ETAPS 2001 and TACAS 2001. LNCS, vol. 2031, pp. 299–312. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. [BLS04]
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. [BMR95]
    Borgida, A., Mylopoulos, J., Reiter, R.: On the frame problem in procedure specifications. IEEE Transactions on Software Engineering 21(10), 785–798 (1995)CrossRefGoogle Scholar
  9. [BRL03]
    Burdy, L., Requet, A., Lanet, J.-L.: Java applet correctness: A developer-oriented approach. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 422–439. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. [BSS04]
    Barnett, M., Naumann Wolfram Schulte, D.A., Sun, Q.: 99.44% pure: Useful abstractions in specification. In: Formal Techniques for Java-like Programs (FTfJP 2004), pp. 11–19 (May 2004), http://www.cs.ru.nl/ftfjp/2004/Purity.pdf
  11. [Cha06]
    Chalin, P.: Towards support for non-null types and non-null-by-default in Java. In: Formal Techniques for Java-like Programs (FTfJP) (to appear, 2006)Google Scholar
  12. [CK04]
    Cok, D.R., Kiniry, J.R.: ESC/Java2: Uniting ESC/Java and JML. Technical report, University of Nijmegen, NIII Technical Report NIII-R0413 (2004)Google Scholar
  13. [CL02]
    Cheon, Y., Leavens, G.T.: A runtime assertion checker for the Java Modeling Language (JML). In: Arabnia, H.R., Mun, Y. (eds.) The International Conference on Software Engineering Research and Practice (SERP 2002), June 2002, pp. 322–328. CSREA Press (2002)Google Scholar
  14. [CLSE05]
    Cheon, Y., Leavens, G.T., Sitaraman, M., Edwards, S.: Model variables: Cleanly supporting abstraction in design by contract. Software:Practice and Experience 35(6), 583–599 (2005)CrossRefGoogle Scholar
  15. [Cok05]
    David R. Cok. Reasoning with specifications containing method calls in JML. Journal of Object Technology, 4(8):77–103, 2005.CrossRefGoogle Scholar
  16. [DL96]
    Dhara, K.K., Leavens, G.T.: Forcing behavioral subtyping through specification inheritance. In: 18th International Conference on Software Engineering, pp. 258–267. IEEE Computer Society Press, Los Alamitos (1996)Google Scholar
  17. [DM05]
    Darvas, Á., Müller, P.: Reasoning about method calls in JML Specifications. In: Formal Techniques for Java-like Programs (FTfJP) (2005)Google Scholar
  18. [HK00]
    Huizing, K., Kuiper, R.: Verification of object-oriented programs using class invariants. In: Maibaum, T.S.E. (ed.) ETAPS 2000 and FASE 2000. LNCS, vol. 1783, pp. 208–221. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. [Hoa69]
    Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of the ACM 12(10), 576–583 (1969)MATHCrossRefGoogle Scholar
  20. [Hoa72]
    Hoare, C.A.R.: Proof of correctness of data representations. Acta Informatica 1(4), 271–281 (1972)MATHCrossRefGoogle Scholar
  21. [JLPS05]
    Jacobs, B., Leino, K.R.M., Piessens, F., Schulte, W.: Safe concurrency for aggregate objects with invariants. In: IEEE International Conference on Software Engineering (SEFM 2005), pp. 137–147. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  22. [Jon03]
    Jones, C.B.: The early search for tractable ways of reasoning about programs. IEEE Annals of the History of Computing 25(2), 26–49 (2003)CrossRefMathSciNetGoogle Scholar
  23. [LBR06]
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06-rev29, Iowa State University, Department of Computer Science; (January 2006) (to appear) ( ACM SIGSOFT Software Engineering Notes)Google Scholar
  24. [LC05]
    Leavens, G.T., Cheon, Y.: Design by Contract with JML (2005) Draft, available from jmlspecs.org
  25. [LCC+05]
    Leavens, G.T., Cheon, Y., Clifton, C., Ruby, C., Cok, D.R.: How the design of JML accommodates both runtime assertion checking and formal verification. Science of Computer Programming 55(1–3), 185–208 (2005)MATHCrossRefMathSciNetGoogle Scholar
  26. [LD00]
    Leavens, G.T., Dhara, K.K.: Concepts of behavioral subtyping and a sketch of their extension to component-based systems. In: Leavens, G.T., Sitaraman, M. (eds.) Foundations of Component-Based Systems, ch. 6, pp. 113–135. Cambridge University Press, Cambridge (2000)Google Scholar
  27. [Lea90]
    Leavens, G.T.: Modular verification of object-oriented programs with subtypes. Technical Report 90–09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011 (July 1990), Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu
  28. [Lei98]
    Rustan, K., Leino, M.: Data groups: Specifying the modification of extended state. In: OOPSLA 1998 Conference Proceedings. ACM SIGPLAN Notices, vol. 33(10), pp. 144–153. ACM, New York (1998)Google Scholar
  29. [LG01]
    Liskov, B., Guttag, J.: Program Development in Java. The MIT Press, Cambridge (2001)Google Scholar
  30. [Lis88]
    Liskov, B.: Data abstraction and hierarchy. ACM SIGPLAN Notices 23(5), 17–34 (1988); Revised version of the keynote address given at OOPSLA 1987Google Scholar
  31. [LM06]
    Leino, K.R.M., Müller, P.: A verification methodology for model fields. In: Sestoft, P. (ed.) ESOP 2006. LNCS, vol. 3924, pp. 115–130. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  32. [LPC+06]
    Leavens, G.T., Poll, E., Clifton, C., Cheon, Y., Ruby, C., Cok, D.R., Müller, P., Kiniry, J.R., Chalin, P.: JML Reference Manual. Department of Computer Science, Iowa State University (January 2006), Available from: http://www.jmlspecs.org
  33. [LW94]
    Liskov, B., Wing, J.: A behavioral notion of subtyping. ACM Transactions on Programming Languages and Systems 16(6), 1811–1841 (1994)CrossRefGoogle Scholar
  34. [LW95]
    Leavens, G.T., Weihl, W.E.: Specification and verification of object-oriented programs using supertype abstraction. Acta Informatica 32(8), 705–778 (1995)MATHMathSciNetGoogle Scholar
  35. [Mey92]
    Meyer, B.: Applying “Design by Contract”. Computer 25(10), 40–51 (1992)CrossRefGoogle Scholar
  36. [Mey97]
    Meyer, B.: Object-oriented Software Construction, 2nd edn. Prentice Hall, New York (1997)MATHGoogle Scholar
  37. [MHKL05]
    Middelkoop, R., Huizing, C., Kuiper, R., Luit, E.: Cooperation-based invariants for OO languages. In: Proceedings of the International Workshop on Formal Aspects of Component Software (FACS 2005) (2005)Google Scholar
  38. [MM02]
    Mitchell, R., McKim, J.: Design by Contract by Example. Addison-Wesley, Indianapolis (2002)Google Scholar
  39. [Mor94]
    Morgan, C.: Programming from Specifications, 2nd edn. Prentice Hall International, Hempstead (1994)MATHGoogle Scholar
  40. [MPH00]
    Meyer, J., Poetzsch-Heffter, A.: An architecture for interactive program provers. In: Schwartzbach, M.I., Graf, S. (eds.) ETAPS 2000 and TACAS 2000. LNCS, vol. 1785, pp. 63–77. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  41. [MPHL03]
    Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular specification of frame properties in JML. Concurrency, Computation Practice and Experience 15, 117–154 (2003)MATHCrossRefGoogle Scholar
  42. [MPHL05]
    P. Müller, A. Poetzsch-Heffter, G.T. Leavens. Modular invariants for layered object structures. Technical Report 424, ETH Zurich (March 2005)Google Scholar
  43. [MPMU04]
    Marché, C., Paulin-Mohring, C., Urbain, X.: The Krakatoa tool for certification of Java/JavaCard programs annotated in JML. Journal of Logic and Algebraic Programming 58(1–2), 89–106 (2004)MATHCrossRefGoogle Scholar
  44. [Nau05]
    Naumann, D.A.: Observational purity and encapsulation. In: Cerioli, M. (ed.) FASE 2005. LNCS, vol. 3442, pp. 190–204. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  45. [NVP98]
    Noble, J., Vitek, J., Potter, J.: Flexible alias protection. In: Jul, E. (ed.) ECOOP 1998. LNCS, vol. 1445, pp. 158–185. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  46. [PH97]
    Poetzsch-Heffter, A.: Specification and verification of object-oriented programs. Habilitation thesis, Technical University of Munich (January 1997)Google Scholar
  47. [RL00]
    Ruby, C., Leavens, G.T.: Safely creating correct subclasses without seeing superclass code. In: OOPSLA 2000 Conference on Object-Oriented Programming, Systems, Languages, and Applications, Minneapolis, Minnesota. ACM SIGPLAN Notices, vol. 35(10), pp. 208–228 (October 2000)Google Scholar
  48. [Ros92]
    Rosenblum, D.S.: Towards a method of programming with assertions. In: Proceedings of the 14th International Conference on Software Engineering, pp. 92–104 (May 1992)Google Scholar
  49. [Ros95]
    Rosenblum, D.S.: A practical approach to programming with assertions. IEEE Transactions on Software Engineering 21(1), 19–31 (1995)CrossRefGoogle Scholar
  50. [Szy98]
    Szyperski, C.: Component Software. Addison-Wesley, Reading (1998)Google Scholar
  51. [Win90]
    Wing, J.M.: A specifier’s introduction to formal methods. Computer 23(9), 8–24 (1990)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Patrice Chalin
    • 1
  • Joseph R. Kiniry
    • 2
  • Gary T. Leavens
    • 3
  • Erik Poll
    • 4
  1. 1.Concordia UniversityMontréal, QuébecCanada
  2. 2.University College DublinIreland
  3. 3.Iowa State UniversityAmesUSA
  4. 4.Radboud University Nijmegenthe Netherlands

Personalised recommendations