Accessible Formal Methods A Study of the Java Modeling Language


1 Accessible Formal Methods: A Study of the Java Modeling Language
Mike Rawding, SUNY Polytechnic Institute, May 2017

2 Outline
- Project Selection and Goals
- JML Background
- Introduction to JML
- OpenJML
- Some Examples (Demo)
- Specifying StringBuilder
- Results

3 Project Selection
- Took a course on Formal Methods
- JML struck me as usable and practical
- Originally planned to specify and check existing software
- Decided instead to specify part of the standard library

4 JML Background
- Introduced in 1999 by Gary Leavens (Iowa State University)
- Saw a need for a Java-specific specification language
- Outlined the language first, then produced the original tools jmlc and jmlunit
- ESC/Java was adapted for JML

5 Format
- JML lives within special Java comments: line annotations starting with //@ and block annotations starting with /*@ and ending with @*/ (so the Java compiler ignores them and JML tools read them)
- Specifications may be written directly in line with the source code (.java) or in a stand-alone specification file (.jml)

6 Method Interfaces
- Preconditions: what is required as the method begins execution
- Postconditions: what outcome the method guarantees when it returns
- Side effects: what the method may change (e.g. object state)

7 User Object
- String name
- int age
- int numLogins
- The usual setters and getters

8 Preconditions
- Predicates defined with the requires clause

9 Postconditions
- Predicates defined with the ensures clause

10 Side Effects
- Defined with the assignable clause, which lists the locations (fields, array elements) the method is allowed to modify; anything not listed must be unchanged when the method returns

11 Side Effects
- If a method never has side effects, it may be marked pure

12 Side Effects
- Specifications themselves may not cause side effects
- May not assign variables
- May only call pure methods

13 Visibility
- Specifications have visibility just like other Java elements
- May be implied or explicit
- A specification may not reveal fields that are more restricted than the specification itself (a public specification cannot mention a private field unless that field is marked spec_public)

14 Multiple Behaviors
- Multiple behaviors may be defined for one method, each selected by its own preconditions (for example a normal_behavior case and an exceptional_behavior case, joined with the also keyword)

15 Class Invariants
- Predicates defined with the invariant keyword
- Must hold in all visible states
- Act as universal preconditions and postconditions for every public method
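A worked version of the User object from slides 7 to 15 with every clause discussed so far, added here as an editor's example; it is not code from the presentation or from the OpenJML project. Field names follow the slide. The 0 to 150 age bound, the choice of IllegalArgumentException for bad arguments, and the recordLogin method are assumptions introduced so that each clause has something concrete to say.

```java
// Added example (editor's, not from the presentation): the User object
// from the slides annotated with JML. The 0..150 age bound, the
// IllegalArgumentException on bad input and recordLogin() are assumptions.
public class User {
    // spec_public lets public specifications mention private fields
    // without widening their Java visibility.
    private /*@ spec_public @*/ String name;
    private /*@ spec_public @*/ int age;
    private /*@ spec_public @*/ int numLogins;

    // Class invariants: must hold in every visible state, so they act as
    // an implicit precondition and postcondition of every public method.
    //@ public invariant name != null;
    //@ public invariant 0 <= age && age <= 150;
    //@ public invariant numLogins >= 0;

    /*@ public normal_behavior
      @   requires name != null && 0 <= age && age <= 150;
      @   assignable this.name, this.age, this.numLogins;
      @   ensures this.name == name && this.age == age && this.numLogins == 0;
      @*/
    public User(String name, int age) {
        this.name = name;
        this.age = age;
        this.numLogins = 0;
    }

    // pure: no side effects, so these getters may be called from specifications.
    //@ ensures \result == name;
    public /*@ pure @*/ String getName() { return name; }

    //@ ensures \result == age;
    public /*@ pure @*/ int getAge() { return age; }

    //@ ensures \result == numLogins;
    public /*@ pure @*/ int getNumLogins() { return numLogins; }

    // Two behaviors joined with `also`: a normal case and an exceptional
    // case, selected by mutually exclusive preconditions.
    /*@ public normal_behavior
      @   requires name != null;
      @   assignable this.name;
      @   ensures this.name == name;
      @ also
      @ public exceptional_behavior
      @   requires name == null;
      @   assignable \nothing;
      @   signals_only IllegalArgumentException;
      @*/
    public void setName(String name) {
        if (name == null) throw new IllegalArgumentException("name must not be null");
        this.name = name;
    }

    /*@ public normal_behavior
      @   requires 0 <= age && age <= 150;
      @   assignable this.age;
      @   ensures this.age == age;
      @ also
      @ public exceptional_behavior
      @   requires age < 0 || age > 150;
      @   assignable \nothing;
      @   signals_only IllegalArgumentException;
      @*/
    public void setAge(int age) {
        if (age < 0 || age > 150) throw new IllegalArgumentException("age out of range");
        this.age = age;
    }

    // Without the requires clause, numLogins + 1 can wrap to a negative
    // value and break the numLogins >= 0 invariant; depending on the
    // arithmetic mode OpenJML runs in, ESC reports that as a violation.
    /*@ public normal_behavior
      @   requires numLogins < Integer.MAX_VALUE;
      @   assignable numLogins;
      @   ensures numLogins == \old(numLogins) + 1;
      @*/
    public void recordLogin() {
        numLogins++;
    }
}
```

The security-relevant pattern is the last method: a counter that is only ever incremented looks harmless, but the invariant plus the ensures clause force the overflow case to be either excluded by a precondition or handled explicitly, and ESC will not accept the method until one of the two is written down.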

16 OpenJML
- Previous tools are dead: jmlc, jmlunit, JMLUnitNG, jmldoc, ESC/Java, ESC/Java2
- OpenJML is the current toolkit for dealing with JML
- Eclipse plugin and command line interface
- JML type checking
- Runtime Assertion Checking (RAC)
- Extended Static Checking (ESC)

17 Adding Library Specifications
- When checking new specifications, JML assumes existing specifications to be true
- If no specification is given, no assumptions can be made
- When working with unspecified libraries the user will get lots of JML errors
- It can be hard to tell whether their new code is really flawed (misusing a library)

18 Adding Library Specifications
- Above all else, specifications must be accurate: other specifications depend on them
- As complete as possible: ideally specify all possible behaviors of each method

19 Adding Library Specifications
- Start with invariants
- Take advantage of lightweight specifications and iterate, adding more detail
- Must create a driver program that uses (and misuses) all methods
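An illustration of the library-specification workflow on slides 17 to 19 (invariants first, lightweight specifications, a driver that both uses and misuses the class), added here as an editor's example. It is not the StringBuilder specification the author submitted to OpenJML and covers only a few methods. Two assumptions are built in: the .jml class header is simplified, whereas a real specification file must reproduce the JDK's package and class declaration exactly; and the way OpenJML reports a call-site precondition violation is described from memory, so check the behaviour and the command-line flags (the ESC, RAC and specs-path options) against the documentation of the installed version.

```java
// ---- File: java/lang/StringBuilder.jml (placed on the OpenJML specs path) ----
// Added example (editor's, not the submitted spec): a partial, lightweight
// specification. The class header is simplified; a real .jml file must
// match the JDK declaration of java.lang.StringBuilder.
package java.lang;

public final class StringBuilder {

    // Start with invariants: what is always true of a visible StringBuilder.
    //@ public invariant length() >= 0;

    //@ public normal_behavior
    //@   ensures length() == 0;
    public StringBuilder();

    //@ public normal_behavior
    //@   requires s != null;
    //@   ensures length() == s.length();
    public StringBuilder(String s);

    // Lightweight spec: no behavior keyword, just the clauses we are sure of.
    //@ ensures \result >= 0;
    public /*@ pure @*/ int length();

    //@ ensures \result != null && \result.length() == length();
    public /*@ pure @*/ String toString();

    // Two behaviors: the JDK throws IndexOutOfBoundsException for a bad index.
    /*@ public normal_behavior
      @   requires 0 <= index && index < length();
      @   ensures \result == toString().charAt(index);
      @ also
      @ public exceptional_behavior
      @   requires index < 0 || index >= length();
      @   signals_only IndexOutOfBoundsException;
      @*/
    public /*@ pure @*/ char charAt(int index);

    // append(String) never throws: a null argument appends the text "null".
    // No assignable clause yet (defaults to \everything); tightening it is
    // one of the details to add on a later iteration.
    /*@ public normal_behavior
      @   ensures \result == this;
      @   ensures str != null ==> length() == \old(length()) + str.length();
      @   ensures str == null ==> length() == \old(length()) + 4;
      @*/
    public StringBuilder append(String str);
}

// ---- File: StringBuilderDriver.java ----
// Driver that uses the specified methods and then deliberately misuses one.
public class StringBuilderDriver {
    public static void main(String[] args) {
        StringBuilder sb = new StringBuilder("abc");
        //@ assert sb.length() == 3;      // follows from the constructor's ensures
        sb.append("de");
        //@ assert sb.length() == 5;      // follows from append's ensures
        // The lightweight spec says nothing about contents, so RAC checks
        // this at run time but ESC cannot prove it yet: a gap to fill on
        // the next iteration of the specification.
        //@ assert sb.charAt(4) == 'e';

        // Deliberate misuse: index == length() violates charAt's precondition.
        // Assumed to be reported as a precondition violation at this call
        // under both RAC and ESC, which is how the driver exercises the
        // exceptional case of the spec as well as the normal one.
        char c = sb.charAt(sb.length());
        System.out.println(c);
    }
}
```

The driver is the accuracy check the slides call for: every method gets at least one call that satisfies its precondition and one that does not, so a specification that is too strong shows up as a false alarm on the good call and one that is too weak shows up as silence on the bad one.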

20 Demo

21 Results
- Added StringBuilder support to OpenJML
- All specifications, and the drivers demonstrating their correctness, have been submitted to the owner of the OpenJML project
- Expected to be merged into the general JML spec repository
- Demonstrated the usability of JML
- Provided feedback and bug reports to the OpenJML project

22 Bugs Reported
- ESC reports errors with incorrect line numbers
- During ESC, the user is unable to keep focus on the console
- ESC reports an error when dereferencing arguments in specifications even if the behavior clause has declared them non-null
- An identifier with public visibility may not be used in an invariant clause with package visibility
- RAC does not correctly check side effects
- RAC causes Java exceptions when accessing hidden attributes that have been marked spec_public
- ESC may behave differently depending on the order of the code (OpenJML bug #502)

23 Enhancements Suggested
- Better error reporting on compile errors ("Error code 4, internal JML error" says nothing about the cause)
- A console tab that contains only the output of the previous RAC/ESC run
- Keep console focus available during ESC
- Add a warning that indicates when a failure stems from an unspecified method (still concerning, but less likely to be a legitimate error)
- Integrating JMLDoc with OpenJML would be extremely useful
