How the design of JML accommodates both runtime assertion checking and formal verification

Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming language, which makes it difficult to write exact specifications. Moreover, using assertions that are expressions in the underlying programming language can cause problems both in runtime assertion checking and in formal verification, because such expressions can potentially contain side effects. The Java Modeling Language, JML, avoids these problems. It uses a side-effect free subset of Java's expressions to which are added a few mathematical operators (such as the quantifiers \forall and \exists). JML also hides mathematical abstractions, such as sets and sequences, within a library of Java classes. The goal is to allow JML to serve as a common notation for both formal verification and runtime assertion checking; this gives users the benefit of several tools without the cost of changing notations.

[1]  Gary T. Leavens,et al.  Desugaring JML Method Specifications , 2005 .

[2]  H. B. M. Jonkers ISpec: Towards Practical and Sound Interface Specifications , 2000, IFM.

[3]  Sarfraz Khurshid,et al.  Korat: automated testing based on Java predicates , 2002, ISSTA '02.

[4]  Gary T. Leavens,et al.  Safely creating correct subclasses without seeing superclass code , 2000, OOPSLA.

[5]  Heike Wehrheim,et al.  Jass - Java with Assertions , 2001, RV@CAV.

[6]  Pierre Jouvelot,et al.  The Type and Effect Discipline , 1994, Inf. Comput..

[7]  Matthias Felleisen,et al.  Behavioral contracts and behavioral subtyping , 2001, ESEC/FSE-9.

[8]  Stuart H. Zweben,et al.  Part I: the RESOLVE framework and discipline: a research synopsis , 1994, SOEN.

[9]  Peter Gorm Larsen,et al.  Modelling Systems: Practical Tools and Techniques in Software Development , 1998 .

[10]  Ivar Jacobson,et al.  Unified Modeling Language User Guide, The (2nd Edition) (Addison-Wesley Object Technology Series) , 2005 .

[11]  簡聰富,et al.  物件導向軟體之架構(Object-Oriented Software Construction)探討 , 1989 .

[12]  Albert L. Baker,et al.  JML: A Notation for Detailed Design , 1999, Behavioral Specifications of Businesses and Systems.

[13]  Ivar Jacobson,et al.  The Unified Modeling Language User Guide , 1998, J. Database Manag..

[14]  C. A. R. Hoare,et al.  An axiomatic basis for computer programming , 1969, CACM.

[15]  Gary T. Leavens,et al.  A complete algebraic characterization of behavioral subtyping , 2000, Acta Informatica.

[16]  Bart Jacobs,et al.  Java Program Verification Challenges , 2002, FMCO.

[17]  Bill Harvey,et al.  Specification of behavioral semantics in object-oriented information modeling , 1994, OOPS Messenger.

[18]  Barbara Liskov,et al.  Abstraction and Specification in Program Development , 1986 .

[19]  David K. Gifford,et al.  Integrating functional and imperative programming , 1986, LFP '86.

[20]  Patrice Chalin,et al.  Improving JML: For a Safer and More Effective Language , 2003, FME.

[21]  Gary T. Leavens,et al.  MultiJava: modular open classes and symmetric multiple dispatch for Java , 2000, OOPSLA '00.

[22]  Jeannette M. Wing Writing Larch interface language specifications , 1987, TOPL.

[23]  Gary T. Leavens,et al.  Forcing behavioral subtyping through specification inheritance , 1996, Proceedings of IEEE 18th International Conference on Software Engineering.

[24]  Fred B. Schneider,et al.  Avoiding the Undefined by Underspecification , 1995, Computer Science Today.

[25]  Lisa Friendly,et al.  The Design of Distributed Hyperlinked Programming Documentation , 1995, IWHD.

[26]  Jeannette M. Wing A TWO-TIERED APPROACH TO SPECIFYING PROGRAMS , 1983 .

[27]  Gary T. Leavens,et al.  Reasoning about object-oriented programs that use subtypes , 1990, OOPSLA/ECOOP '90.

[28]  Curtis Charles Clifton,et al.  MultiJava: Design, implementation, and evaluation of a Java-compatible language supporting modular open classes and symmetric multiple dispatch , 2001 .

[29]  Craig Larman,et al.  Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and the Unified Process , 2001 .

[30]  Pierre America,et al.  Designing an Object-Oriented Programming Language with Behavioural Subtyping , 1990, REX Workshop.

[31]  Michael D. Ernst,et al.  Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java , 2001, RV@CAV.

[32]  Edsger W. Dijkstra,et al.  Predicate Calculus and Program Semantics , 1989, Texts and Monographs in Computer Science.

[33]  Sarfraz Khurshid,et al.  An analyzable annotation language , 2002, OOPSLA '02.

[34]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.

[35]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[36]  Murali Sitaraman,et al.  Foundations of component-based systems , 2000 .

[37]  Audris Mockus,et al.  Does Code Decay? Assessing the Evidence from Change Management Data , 2001, IEEE Trans. Software Eng..

[38]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[39]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[40]  Fred B. Schneider,et al.  A Logical Approach to Discrete Math , 1993, Texts and Monographs in Computer Science.

[41]  Pierre America,et al.  Inheritance and Subtyping in a Parallel Object-Oriented Language , 1987, ECOOP.

[42]  K. Rustan M. Leino,et al.  Checking Java Programs via Guarded Commands , 1999, ECOOP Workshops.

[43]  Kate Finney,et al.  Mathematical Notation in Formal Specification: Too Difficult for the Masses? , 1996, IEEE Trans. Software Eng..

[44]  Todd Leavens Gary Verifying object-oriented programs that use subtypes , 1989 .

[45]  Gary T. Leavens An Overview of Larch/C++: Behavioral Specifications for C++ Modules , 1996 .

[46]  Bart Jacobs,et al.  JML (poster session): notations and tools supporting detailed design in Java , 2000, OOPSLA '00.

[47]  Jim Woodcock,et al.  Using Z - specification, refinement, and proof , 1996, Prentice Hall international series in computer science.

[48]  David S. Rosenblum Towards A Method Of Programming With Assertions , 1992, International Conference on Software Engineering.

[49]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[50]  K. Rustan M. Leino A myth in the modular specification of programs , 1996 .

[51]  Gary T. Leavens,et al.  The Larch/Smalltalk interface specification language , 1994, TSEM.

[52]  Gary T. Leavens,et al.  JML: notations and tools supporting detailed design in Java , 2000 .

[53]  Frank S. de Boer,et al.  A Tool-Supported Proof System for Multithreaded Java , 2002, FMCO.

[54]  Gary T. Leavens,et al.  A Quick Overview of Larch/C++ , 1994, J. Object Oriented Program..

[55]  Bart Jacobs,et al.  Java Program Verification via a Hoare Logic with Abrupt Termination , 2000, FASE.

[56]  Gary T. Leavens,et al.  Larch Frequently Asked Questions , 2001 .

[57]  Cliff B. Jones,et al.  A logic covering undefinedness in program proofs , 1984, Acta Informatica.

[58]  Peter Müller,et al.  Modular Specification and Verification of Object-Oriented Programs , 2002, Lecture Notes in Computer Science.

[59]  H. B. M. Jonkers Upgrading the Pre- and Postcondition Technique , 1991, VDM Europe.

[60]  Gary T. Leavens,et al.  Modular specification of frame properties in JML , 2003, Concurr. Comput. Pract. Exp..

[61]  Albert L. Baker,et al.  Preliminary design of JML: a behavioral interface specification language for java , 2006, SOEN.

[62]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[63]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[64]  David R. Cok,et al.  ESC/Java2: Uniting ESC/Java and JML , 2004, CASSIS.

[65]  H. Dieter Rombach Proceedings of the 18th international conference on Software engineering , 1996, ICSE 1996.

[66]  R. Kramer iContract - The Java(tm) Design by Contract(tm) Tool , 1998 .

[67]  Edward Cohen,et al.  Programming in the 1990s: An Introduction to the Calculation of Programs , 1990 .

[68]  John L. Bruno,et al.  jContractor: A Reflective Java Library to Support Design by Contract , 1999, Reflection.

[69]  J. Michael Spivey,et al.  An introduction to Z and formal specifications , 1989, Softw. Eng. J..

[70]  Edsger W. Dijkstra,et al.  Structured programming , 1972, A.P.I.C. Studies in data processing.

[71]  Bart Jacobs,et al.  Reasoning about Java classes: preliminary report , 1998, OOPSLA '98.

[72]  Stephen H. Edwards,et al.  Part II: specifying components in RESOLVE , 1994, SOEN.

[73]  Leslie Lamport,et al.  Artificial Intelligence and Language Processing ]acques Cohen Editor a Simple Approach to Specifying Concurrent Systems , 2022 .

[74]  Alan Wills,et al.  Capsules and Types in Fresco: Program Verification in Smalltalk , 1991, ECOOP.

[75]  Albert L. Baker,et al.  Enhancing the Pre- and Postcondition Technique for More Expressive Specifications , 1999, World Congress on Formal Methods.

[76]  Cliff B. Jones,et al.  Systematic software development using VDM (2. ed.) , 1990, Prentice Hall International Series in Computer Science.

[77]  Andrew Duncan,et al.  Adding Contracts to Java with Handshake , 1998 .

[78]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[79]  Yoonsik Cheon,et al.  A Runtime Assertion Checker for the Java Modeling Language (JML) , 2003, ICSE 2003.

[80]  Gary T. Leavens,et al.  A Simple and Practical Approach to Unit Testing: The JML and JUnit Way , 2002, ECOOP.

[81]  Ken Arnold,et al.  The Java Programming Language , 1996 .

[82]  Gary T. Leavens,et al.  Specification and verification of object-oriented programs using supertype abstraction , 1995, Acta Informatica.

[83]  Anneke Kleppe,et al.  The object constraint language: precise modeling with UML , 1998 .

[84]  Peter A. Lindsay,et al.  Proof in VDM: A Practitioner's Guide , 1993, Proof in VDM.

[85]  Tony Hoare,et al.  Notes on Data Structuring , 1972 .

[86]  Daniel Jackson,et al.  Alloy: a lightweight object modelling notation , 2002, TSEM.

[87]  Gary T. Leavens,et al.  Concepts of behavioral subtyping and a sketch of their extension to component-based systems , 2000 .

[88]  Bertrand Meyer,et al.  Object-Oriented Software Construction, 2nd Edition , 1997 .

[89]  Matthias Felleisen,et al.  Contract Soundness for object-oriented languages , 2001, OOPSLA '01.

[90]  Gary T. Leavens,et al.  Protective Interface Specifications , 1997, Formal Aspects of Computing.

[91]  Karl J. Lieberherr,et al.  Aspect-oriented programming with adaptive methods , 2001, CACM.

[92]  Gary T. Leavens,et al.  Preliminary Design of Larch/C++ , 1992, Larch.

[93]  Bernhard Rumpe,et al.  Behavioral Specifications of Businesses and Systems , 1999, Behavioral Specifications of Businesses and Systems.

[94]  Stephen J. Garland,et al.  Larch: Languages and Tools for Formal Specification , 1993, Texts and Monographs in Computer Science.