An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.

Slides:

Advertisements

Similar presentations

Where Agile Meets Formal Methods

Advertisements

Modular Verification of Higher-Order Methods in JML Gary T. Leavens, Steve Shaner, and David A. Naumann Support from US NSF grant CCF

Advanced programming tools at Microsoft

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Security of JavaCard smart card applets Erik Poll University of Nijmegen

Automata-Based Programming Technology Extension for Generation of JML Annotated Java Card Code Andrey Klebanov, CTD, SPb SU ITMO supervised by Anatoly.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 5 Disclaimer. These notes are derived from notes originally.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.

272: Software Engineering Fall 2012

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

Securing Java applets Erik Poll Security of Systems (SOS) group University of Nijmegen

272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lecture 3: Java Modeling Language and Extended Static Checking.

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

Software Quality: Testing and Verification II. 2 1.A failure is an unacceptable behaviour exhibited by a system — The frequency of failures measures software.

JML TOOLS REVIEW & EVALUATION Chris Grosshans Mark Lewis-Prazen.

Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.

Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.

A Safety-Critical Java Technology Compatibility Kit Hans Søndergaard Stephan Korsholm VIA University College, Horsens, Denmark & Anders P. Ravn Aalborg.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Designing Programming Languages to Improve Software Quality David J. Pearce Software Quality New Zealand, August

A Novel Approach to Unit Test: The Aspect-Oriented Way Guoqing Xu and Zongyuan Yang Software Engineering Lab (SEL) East China Normal University

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.

Formal specification of Gemplus’ electronic purse case study Néstor Cataño & Marieke Huisman INRIA Sophia-Antipolis {ncatano,

P.R. James © P.Chalin et al.1 An Integrated Verification Environment for JML: Architecture and Early Results Patrice Chalin, Perry R. James, and George.

Today’s Agenda  Quick Review  Continue on JML Formal Methods in Software Engineering1.

A Survey on Java Modeling Languages Gergely Kovásznai,Eszterházy Károly College Wolfgang Schreiner,Johannes Kepler University Gábor Kusper,Eszterházy Károly.

© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.

Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.

Demo of Scalable Pluggable Types Michael Ernst MIT Dagstuhl Seminar “Scalable Program Analysis” April 17, 2008.

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.

Verificare şi Validarea Sistemelor Soft Tem ă Laborator 1 ESC/Java2 Extended Static Checker for Java Dat ă primire laborator: Lab 1 Dat ă predare laborator:

ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for.

1 Contractual Consistency Between BON Static and Dynamic Diagrams Ali Taleghani July 30, 2004.

Runtime Assertion Checking Support for JML on Eclipse Platform Amritam Sarcar Department of Computer Science University of Texas at El Paso, 500 W. University.

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.

Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.

Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.

Project Proposal A JML compiler on Eclipse Platform Amritam Sarcar CS5381.

Preventing bugs with pluggable type-checking Michael Ernst MIT

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

Extended Static Checking for Java

Accessible Formal Methods A Study of the Java Modeling Language

Formally Specified Monitoring of Temporal Properties

Hoare-style program verification

Java Modeling Language (JML)

Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.

Computer Science 340 Software Design & Testing

Programming Languages 2nd edition Tucker and Noonan

Presentation transcript:

An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft Joe Kiniry, Erik Poll Nijmegen Univ.

Erik PollJML tools & applications2 Overview 1.The JML language 2.Tools for JML 3.Applications 4.Conclusions

1. The JML language

Erik PollJML tools & applications4 Java Modeling Language Initiative of Gary Leavens [Iowa State Univ.] Behavioural Interface Specification Language for Java: annotations added to Java programs, expressing pre-, postconditions, invariants... Inspired by Eiffel (Design-by-Contract) & Larch Main design goal: easy to learn –simple extension of Java’s syntax

Erik PollJML tools & applications5 JML example private int balance; final static int MAX_BALANCE; invariant 0 <= balance && balance <

Erik PollJML tools & applications6 JML example requires amount >= 0; assignable balance; ensures balance == \old(balance) – amount; signals (PurseException) balance == public void debit(int amount) {.... }

Erik PollJML tools & applications7 JML example private byte[] pin; private byte appletState; invariant appletState == PERSONALIZED == > pin != null && pin.length == 4 && (\forall int i; 0 <= i && i < 4 ; 0 <= pin[i] && pin[i] <=

2. Tools for JML

Erik PollJML tools & applications9 Tools for JML tools for reading & writing specs tools for generating specs tools for checking implementation against specs

Erik PollJML tools & applications10 Tools for reading & writing specs parsing & typechecking (as part of other tools) jmldoc: javadoc for JML

Erik PollJML tools & applications11 Tools for generating specs Invariant detection using Daikon [Michael Ernst, MIT] Daikon observes execution of code to detect likely invariants

Erik PollJML tools & applications12 Tools for checking specs (I) Runtime assertion checker [Gary Leavens et al., Iowa State Univ.] tests if specs are violated at runtime –not so exciting for academia, but appealing to industry –well-specified code is easy to test ! runtime checker handles \forall and \old –jmlunit: tool combining runtime checking with unit testing

Erik PollJML tools & applications13 Tools for checking specs (II) Extended static checker ESC/Java [Rustan Leino et al., ex-Compaq] automatic verification of simple properties –not sound, not complete, but finds lots of bugs quickly –eg. can “prove” absence of NullPointer- and ArrayIndexOutOfBoundsExceptions Chase tool [Nestor Cataño, INRIA] remedies one important source of unsoundness

Erik PollJML tools & applications14 Tools for checking specs (III) “Real” program verification JACK tool [Gemplus] automatic verification of JML-annotated code Inspired by ESC/Java, integrated with Eclipse LOOP tool [Nijmegen] interactive verification of JML-annotated code Krakatoa tool [INRIA/Orsay] for interactive verification now also supports JML

Erik PollJML tools & applications15 Tools for checking specs There is a range of tools offering different levels of assurance at different costs (ie. time & effort): –runtime assertion checking –extended static checking using ESC/Java –automatic verification using JACK –interactive verification using LOOP, Krakatoa

3. Applications

Erik PollJML tools & applications17 JavaCard Subset of a superset of Java for programming smart cards –no floats, no threads, limited API, optional gc,... +support for allocation in EEPROM or RAM Ideal target for formal methods small programs, written in simple language, using small API, whose correctness is critical highest levels of security evaluation standards require use of formal methods (Common Criteria)

Erik PollJML tools & applications18 Applications of JML to JavaCard as part of project Writing JML specs of JavaCard API [Cardis’00] Checking applets using ESC/Java [FME’02] –1000’s of lines of code Verifying applets using LOOP [AMAST’02] –100’s of lines of code Runtime checking part of smartcard OS [Cardis’02]

4. Conclusions

Erik PollJML tools & applications20 Assertion-based languages promising way to use formal methods in industry Familiar syntax and semantics No need for formal model (code is formal model) Easy to introduce use incrementally NB: JML does not provide or impose any design methodolody

Erik PollJML tools & applications21 What to specify ? Detailed functional specs often too difficult Just establishing weak specs, eg. requires.... ensures true; signals (NullPointerException) false; often suffices to expose most invariants Invariants make explicit many design decisions that are typically undocumented

Erik PollJML tools & applications22 Using JML for JavaCard applets For smartcard applets, verifying simple “safety” properties (eg. absence of certain exceptions) with JACK or ESC/Java has good return-on- investment Verification has found errors not found during testing Using JML tools to help manual code reviews when certifying code ?

Erik PollJML tools & applications23 JML Lots of ongoing work and open issues about JML, eg. –tricky questions about semantics –concurrency ? –alias control & ownership models ? Agreeing on common syntax & semantics is hard work! (witnessed by upcoming patch of ESC/Java) Most tools just support subsets of JML JML as standard or as vehicle for research ?

Erik PollJML tools & applications24 JML Having a common specification language supported by different tools important benefit –for individual tool builders, and –for users JML is an open collaborative effort, and we welcome cooperation with others

More info: