Java Modeling Language (JML) and ESC/Java

Outline
What is the Java Modeling Language? JML tutorial; JML tools;
ESC/JAVA;

Marco Zennaro CS 294-3 Fall 2004

References; JML / ESC/Java Demos;

10/27/2004

JML and ESC/Java 2

Outline
What is the Java Modeling Language? JML tutorial; JML tools;
ESC/JAVA;

Formal specification languages

C.S. have invented many formal languages to model software and specify properties about these models with techniques to verify these properties; Formal languages guarantee:
Precision (no ambiguity); Certainty (modulo modeling errors); Automation (automatic verification tools);
Erik Poll. Introduction to JML, a notation to formally specifying Java programs. 2004

References; JML / ESC/Java Demos;

10/27/2004

JML and ESC/Java 2

10/27/2004

JML and ESC/Java 2

Java Modeling Language

A formal behavioral interface specification language for Java:
to specify behaviour of java classes; to record design/implementation decisions;

Java Modeling Language

Design by contract for Java:
More expressive than Eiffel; Easier to use for the programmer than Larch:
Uses Java boolean expression (extended with some operators);

By adding assertions to Java source code:

Preconditions, postconditions, invariants, etc
Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML, 2004 Erik Pool. Introduction to JML [], 2004
10/27/2004 JML and ESC/Java 2 5

Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML, 2004 Erik Pool. Introduction to JML, 2004
10/27/2004 JML and ESC/Java 2 6

JML history
Created at Iowa University (Leavens, Cheon); Soon became an international effort:
University of Nijmegen (Poll, Van den Berg); HP (f.k.a. Compaq) SRC group (Leino, Nelson); Kodak (Cok);
10/27/2004 JML and ESC/Java 2 7

Design by Contract (DBC)

A way of recording:
Details of method responsibilities Avoiding constantly checking arguments Assigning blame across interfaces

The caller must ensure precondition holds while the called must ensure postconditions on exit; The caller may assume postcondition while the called may assume preconditions;
Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML, 2004
10/27/2004 JML and ESC/Java 2 8

Pre, Postconditions and Invariants

Definition
A methods precondition says what must be true to call it. A methods normal postcondition says what is true when it returns normally (i.e., without throwing an exception). A methods exceptional postcondition says what is true when a method throws an exception. An invariant is a property that is always true of an objects state (when control is not inside the objects methods).

Contracts as Documentation
For each method say:
What it requires (if anything), and What it ensures.

Contracts are:
More abstract than code, Often machine checkable, so can help with debugging, and Machine checkable contracts can always be up-to-date.
10/27/2004 JML and ESC/Java 2 10

10/27/2004

JML and ESC/Java 2

Abstraction by contracts
A contract can be satisfied in many ways:
a method can have many implementation satisfying the contract; Different performances (time, space, etc);

Modularity
Typical OO code is modular;
source.close(); dest.close(); getFile().setLastModified(loc.modTime().getTime());

A contract abstracts from the implementation details; Hence we can change implementations later.
10/27/2004 JML and ESC/Java 2 11

We should be able to take advantage of the code modularity even in specifying / prove code properties.
10/27/2004 JML and ESC/Java 2 12

Rules for Reasoning

Caller code
Must work for every implementation that satisfies the contract, and Can thus only use the contract (not the code!), i.e.,
Must establish precondition, and Gets to assume the postcondition

Contracts and Intent

Code makes a poor contract, because cant separate:
What is intended (contract) What is an implementation decision
E.g., if deposit_into_account() rounds to the cent, can that be changed in the next release?

Called code

By contrast, contracts:
Allow vendors to specify intent, Allow vendors freedom to change details, and Tell clients what they can count on.
13 10/27/2004 JML and ESC/Java 2 14

Must satisfy contract, i.e.,

But can do anything permitted by it.

10/27/2004 JML and ESC/Java 2

Gets to assume precondition Must establish postcondition

Outline
What is the Java Modeling Language? JML tutorial; JML tools;
ESC/JAVA;

Introduction to JML
JML specifications are contained in annotations, which are comments like:
//@ or /*@ @ @*/
At-signs (@) on the beginning of lines are ignored within annotations.

References; JML / ESC/Java Demos;

10/27/2004

JML and ESC/Java 2

15

10/27/2004

JML and ESC/Java 2

16

Informal Description
An informal description looks like:
(* some text describing a property *) It is treated as a boolean value by JML, and Allows
Escape from formality, and Organize English as contracts.

Formal Specifications
Formal assertions are written as Java expressions, but:
Cannot have side effects
No use of =, ++, --, etc., and Can only call pure methods.
Syntax \result a ==> b a <== b a <==> b a <=!=> b \old(E)
17 10/27/2004

Can use some extensions to Java:

Meaning result of method call a implies b b implies a a iff b !(a <==> b) value of E in pre-state
JML and ESC/Java 2 18

public class Account { /*@ requires (* x is positive *); @ ensures \result >= 0 && @ (* \result is the updated balance after the deposit*) @*/ public static double deposit_into_account(double x) { } }
10/27/2004 JML and ESC/Java 2

Example (pre and post cond.)

/*@ requires x >= 0.0; ensures JMLDouble.approximatelyEqualTo(\result, \old(balance) + x, eps); @*/ public static double deposit_into_account(double x) { }

Example (ex. postcond.)

/*@ requires x >= 0.0; ensures JMLDouble.approximatelyEqualTo(balance, \old(balance) + x, eps); exsures (Exception e) \old(x) > DEPOSIT_LIMIT && balance == \old(balance) && e.getReason() == AMOUNT_TOO_BIG; @*/ public static double deposit_into_account(double x) throws

Obligations caller called Passes non-negative number Update balance Adding x to it

JML and ESC/Java 2

Rights Gets updated balance Assumes argument is non-negative

19

Trade-off between preconditions and exceptional postconditions;

10/27/2004

10/27/2004

JML and ESC/Java 2

20

Example (invariant)
// File: Account.java public class Account { private /*@ spec_public non_null @*/ String accountNumber; private /*@ spec_public @*/ double balance; //@ public invariant !accountNumber.equals() && balance >= 0; //@ ensures \result == balance; public double getBalance(); /*@ ensures balance >= 0 && balance == \old(balance + deposit); exsures (Exception e) x > DEPOSIT_LIMIT && balance == \old(balance) && e.getReason() == AMOUNT_TOO_BIG; @*/ public void deposit_into_account(int kgs); /*@ requires !n.equals(); ensures n.equals(accountNumber) && balance == 0; @*/ public Account(/*@ non_null @*/ String n); JML and ESC/Java 2 21 10/27/2004

Quantifiers
JML supports several forms of quantifiers
Universal and existential (\forall and \exists) General quantifiers (\sum, \product, \min, \max) Numeric quantifier (\num_of)
(\forall Student s; juniors.contains(s); s.getAdvisor() != null) (\forall Student s; juniors.contains(s) ==> s.getAdvisor() != null)

} 10/27/2004

JML and ESC/Java 2

22

Model Variables
Are specification only variables
Like domain-level constructs Given value only by represents clauses: Information hiding; Data abstraction;
name abstract (model)

Example

class Counter { model n: int;

method Increment() modifies only n; ensures old(n) + 1 = n; method Decrement() modifies only n; ensures old(n) = n + 1; }
23 10/27/2004 JML and ESC/Java 2 24

represented by fullName
10/27/2004

concrete (real)

JML and ESC/Java 2

Example

class Counter { model n: int; private a: int; private b: int; representation n is a b; method Increment() modifies only n; ensures old(n) + 1 = n; { a := a + 1 } method Decrement() modifies only n; ensures old(n) = n + 1; { b := b + 1 }
JML and ESC/Java 2 25

Outline
What is the Java Modeling Language? Introduction to JML syntax and semantic; JML tools;
ESC/JAVA;

References; JML / ESC/Java Demo;

10/27/2004 JML and ESC/Java 2 26

}
10/27/2004

Tools for JML

JML compiler (jmlc/jmlrac):
perform JML checks at runtime; low-cost;

ESC vision
Increased programmer productivity and program reliability through increased rigor:
Record design decisions; Utilize automatic checking; Detect errors and improve maintainability;

Extended static checker (ESC/Java2):

prove JML assertions at compile time; higher cost; possible for small program or subsystems;

Etc
10/27/2004 JML and ESC/Java 2 27

R. Leino, Hoare-style program verification, May 2004

10/27/2004 JML and ESC/Java 2 28

ESC vision
Improve the current software engineering process developing practical tools; It is NOT program verification, it is like a type checker:
its warnings are intended to be interpreted by the author of the program; It does not find all the errors, but reduce the process cost finding some of them early; We are interested in failed proof only;
D. Detlefs, R. Leino, G.Nelson, J. Saxe. Extended Static Checking,1998.
10/27/2004 JML and ESC/Java 2 29

ESC vision
Take a program annotated with assertions. Consider a tool capable of: Automatically check if the assertions are always true; Statically without any user input; Reason about non-trivial properties (not just type-correctness);
J. Kiniri, ESC/Java 2, extended static checking for Java, 2004
10/27/2004 JML and ESC/Java 2 30

ESC
An Extended Static Checker tries to prove the correctness of specifications, at compile-time, fully automatically, but: ESC/Java is neither sound or complete but It find lots of bugs quickly;
J. Kiniri, ESC/Java 2, extended static checking for Java, 2004
10/27/2004 JML and ESC/Java 2 31

ESC implementation

D. Detlefs, R. Leino, G. Nelson, J. Saxe, Extended Static Checking, 1998

10/27/2004 JML and ESC/Java 2 32

ESC unsoundness
Sources of unsoundness: User-controlled:
Use of assume, no warn and axiom pragmas;

ESC/Java
Built at Compaq SRC
ESC/Java 2 built by Joe Kiniry (U. Nijmegen) and David Cok (Kodak)

Input: Java + user-supplied annotations

annotations are subset of JML;

Un-controlled:
Interdependent pragmas; Loops; Aliasing;
J. Kiniri, ESC/Java 2, extended static checking for Java, 2004
10/27/2004 JML and ESC/Java 2 33

Annotation language captures programmer design decisions Powered by program semantics and automatic theorem proving Performs modular checking
10/27/2004 JML and ESC/Java 2 34

Outline
What is the Java Modeling Language? JML tutorial; JML tools;
ESC/JAVA;

JML References
Papers:
Gary T. Leavens and Yoonsik Cheon. Design by Contract with JML, 2004; Lilian Burdy, Yoonsik Cheon, David Cok, Michael Ernst, Joe Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. An overview of JML tools and applications, 2003; Gary T. Leavens, K. Rustan M. Leino, Erik Poll, Clyde Ruby, and Bart Jacobs. JML: notations and tools supporting detailed design in Java, 2000; Presentations:

References; JML / ESC/Java Demos;

People:
Gary Leavens @ Iowa university; Erik Pol @ University of Nijmegen;

Web-sites:
http://www.jmlspecs.org;
10/27/2004 JML and ESC/Java 2 35 10/27/2004 JML and ESC/Java 2 36

ESC/JAVA 2 references
Papers:
D. Detlefs, R. Leino, G. Nelson, J. Saxe. Extended Static Checking.1998. R. Leino, G. Nelson, J.Saxe. ESC/Java User's Manual. 2000

Outline
What is the Java Modeling Language? JML tutorial; JML tools;
ESC/JAVA;

People:
Rustan Leino @ University of Washington; David Cok @ Kodak; Joe Kiniri @ University of Nijmegen.
10/27/2004 JML and ESC/Java 2 37

References; JML / ESC/Java Demos;

10/27/2004

JML and ESC/Java 2

38