How the Design of JML Accomodates Both Runtime Assertion Checking and Formal Verification

Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming language, which makes it difficult to write complete specifications. Moreover, using assertions that are expressions in the underlying programming language can cause problems both in runtime assertion checking and in formal verification, because such expressions can potentially contain side effects. The Java Modeling Language, JML, avoids these problems. It uses a side-effect free subset of Java’s expressions to which are added a few mathematical operators (such as the quantifiers ∖forall and ∖exists). JML also hides mathematical abstractions, such as sets and sequences, within a library of Java classes. The goal is to allow JML to serve as a common notation for both formal verification and runtime assertion checking; this gives users the benefit of several tools without the cost of changing notations.

[1]  H. B. M. Jonkers ISpec: Towards Practical and Sound Interface Specifications , 2000, IFM.

[2]  Gary T. Leavens,et al.  Protective Interface Specifications , 1997, Formal Aspects of Computing.

[3]  Karl J. Lieberherr,et al.  Aspect-oriented programming with adaptive methods , 2001, CACM.

[4]  Gary T. Leavens,et al.  Preliminary Design of Larch/C++ , 1992, Larch.

[5]  Sarfraz Khurshid,et al.  Korat: automated testing based on Java predicates , 2002, ISSTA '02.

[6]  Peter Gorm Larsen,et al.  Modelling Systems: Practical Tools and Techniques in Software Development , 1998 .

[7]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[8]  Clyde Ruby Safely creating correct subclasses without seeing superclass code , 2000, OOPSLA Addendum.

[9]  Yoonsik Cheon,et al.  A Runtime Assertion Checker for the Java Modeling Language (JML) , 2003, ICSE 2003.

[10]  David K. Gifford,et al.  Integrating functional and imperative programming , 1986, LFP '86.

[11]  Patrice Chalin,et al.  Improving JML: For a Safer and More Effective Language , 2003, FME.

[12]  Gary T. Leavens,et al.  MultiJava: modular open classes and symmetric multiple dispatch for Java , 2000, OOPSLA '00.

[13]  Jeannette M. Wing Writing Larch interface language specifications , 1987, TOPL.

[14]  Gary T. Leavens,et al.  Forcing behavioral subtyping through specification inheritance , 1996, Proceedings of IEEE 18th International Conference on Software Engineering.

[15]  Fred B. Schneider,et al.  Avoiding the Undefined by Underspecification , 1995, Computer Science Today.

[16]  강문설 [서평]「The Unified Modeling Language User Guide」 , 1999 .

[17]  Lisa Friendly,et al.  The Design of Distributed Hyperlinked Programming Documentation , 1995, IWHD.

[18]  H. B. M. Jonkers Upgrading the Pre- and Postcondition Technique , 1991, VDM Europe.

[19]  Gary T. Leavens,et al.  Modular specification of frame properties in JML , 2003, Concurr. Comput. Pract. Exp..

[20]  John L. Bruno,et al.  jContractor: A Reflective Java Library to Support Design by Contract , 1999, Reflection.

[21]  Heike Wehrheim,et al.  Jass - Java with Assertions , 2001, RV@CAV.

[22]  Stuart H. Zweben,et al.  Part I: the RESOLVE framework and discipline: a research synopsis , 1994, SOEN.

[23]  Gary T. Leavens,et al.  A Simple and Practical Approach to Unit Testing: The JML and JUnit Way , 2002, ECOOP.

[24]  Jan Madey,et al.  The Z notation: A reference manual , 1990 .

[25]  Pierre America,et al.  Designing an Object-Oriented Programming Language with Behavioural Subtyping , 1990, REX Workshop.

[26]  Michael D. Ernst,et al.  Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java , 2001, RV@CAV.

[27]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[28]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[29]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[30]  David R. Cok,et al.  ESC/Java2: Uniting ESC/Java and JML , 2004, CASSIS.

[31]  J. Michael Spivey,et al.  An introduction to Z and formal specifications , 1989, Softw. Eng. J..

[32]  Matthias Felleisen,et al.  Behavioral contracts and behavioral subtyping , 2001, ESEC/FSE-9.

[33]  Gary T. Leavens An Overview of Larch/C++: Behavioral Specifications for C++ Modules , 1996 .

[34]  Stephen J. Garland,et al.  Larch: Languages and Tools for Formal Specification , 1993, Texts and Monographs in Computer Science.

[35]  Mary Beth Rosson,et al.  Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications , 2000, Conference on Object-Oriented Programming Systems, Languages, and Applications.

[36]  Bo Stig Hansen,et al.  Information technology - Programming languages, their environments and system software interfaces: Vienna DevelopmentMethod - Specification Language - Part 1: Base language , 1996 .

[37]  簡聰富,et al.  物件導向軟體之架構(Object-Oriented Software Construction)探討 , 1989 .

[38]  Gary T. Leavens,et al.  A Quick Overview of Larch/C++ , 1994, J. Object Oriented Program..

[39]  Bart Jacobs,et al.  Java Program Verification via a Hoare Logic with Abrupt Termination , 2000, FASE.

[40]  Gary T. Leavens,et al.  Larch Frequently Asked Questions , 2001 .

[41]  Albert L. Baker,et al.  JML: A Notation for Detailed Design , 1999, Behavioral Specifications of Businesses and Systems.

[42]  Bart Jacobs,et al.  JML (poster session): notations and tools supporting detailed design in Java , 2000, OOPSLA '00.

[43]  Cliff B. Jones,et al.  A logic covering undefinedness in program proofs , 1984, Acta Informatica.

[44]  Pierre Jouvelot,et al.  The type and effect discipline , 1992, [1992] Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science.

[45]  Gary T. Leavens Modular specification and verification of object-oriented programs , 1991, IEEE Software.

[46]  Gary T. Leavens,et al.  A complete algebraic characterization of behavioral subtyping , 2000, Acta Informatica.

[47]  Bart Jacobs,et al.  Java Program Verification Challenges , 2002, FMCO.

[48]  Jeannette M. Wing A TWO-TIERED APPROACH TO SPECIFYING PROGRAMS , 1983 .

[49]  Gary T. Leavens,et al.  Reasoning about object-oriented programs that use subtypes , 1990, OOPSLA/ECOOP '90.

[50]  Craig Larman,et al.  Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and the Unified Process , 2001 .

[51]  Cliff B. Jones,et al.  Systematic software development using VDM (2. ed.) , 1990, Prentice Hall International Series in Computer Science.

[52]  Andrew Duncan,et al.  Adding Contracts to Java with Handshake , 1998 .

[53]  Bart Jacobs,et al.  Reasoning about Java classes: preliminary report , 1998, OOPSLA '98.

[54]  Stephen H. Edwards,et al.  Part II: specifying components in RESOLVE , 1994, SOEN.

[55]  Pierre America,et al.  Inheritance and Subtyping in a Parallel Object-Oriented Language , 1987, ECOOP.

[56]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[57]  Frank S. de Boer,et al.  A Tool-Supported Proof System for Multithreaded Java , 2002, FMCO.

[58]  Jim Woodcock,et al.  Using Z - specification, refinement, and proof , 1996, Prentice Hall international series in computer science.

[59]  David S. Rosenblum Towards A Method Of Programming With Assertions , 1992, International Conference on Software Engineering.

[60]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[61]  K. Rustan M. Leino A myth in the modular specification of programs , 1996 .

[62]  Anneke Kleppe,et al.  The object constraint language: precise modeling with UML , 1998 .

[63]  K. Rustan M. Leino,et al.  ESC/Java User's Manual , 2000 .

[64]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[65]  David Holmes,et al.  The Java Programming Language, Third Edition , 2000 .

[66]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[67]  Fred B. Schneider,et al.  A Logical Approach to Discrete Math , 1993, Texts and Monographs in Computer Science.

[68]  Tony Hoare,et al.  Notes on Data Structuring , 1972 .

[69]  Daniel Jackson,et al.  Alloy: a lightweight object modelling notation , 2002, TSEM.

[70]  Gary T. Leavens,et al.  Concepts of behavioral subtyping and a sketch of their extension to component-based systems , 2000 .

[71]  Bertrand Meyer,et al.  Object-Oriented Software Construction, 2nd Edition , 1997 .

[72]  Matthias Felleisen,et al.  Contract Soundness for object-oriented languages , 2001, OOPSLA '01.

[73]  R. Kramer iContract - The Java(tm) Design by Contract(tm) Tool , 1998 .

[74]  Edward Cohen,et al.  Programming in the 1990s: An Introduction to the Calculation of Programs , 1990 .

[75]  Peter A. Lindsay,et al.  Proof in VDM: A Practitioner's Guide , 1993, Proof in VDM.

[76]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[77]  Marieke Huisman,et al.  Reasoning about Java programs in higher order logic using PVS and Isabelle , 2001 .

[78]  Curtis Charles Clifton,et al.  MultiJava: Design, implementation, and evaluation of a Java-compatible language supporting modular open classes and symmetric multiple dispatch , 2001 .

[79]  Gary T. Leavens,et al.  Larch/C++ Reference Manual , 1999 .

[80]  Sarfraz Khurshid,et al.  An analyzable annotation language , 2002, OOPSLA '02.

[81]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[82]  Leslie Lamport,et al.  Artificial Intelligence and Language Processing ]acques Cohen Editor a Simple Approach to Specifying Concurrent Systems , 2022 .

[83]  Alan Wills,et al.  Capsules and Types in Fresco: Program Verification in Smalltalk , 1991, ECOOP.

[84]  Albert L. Baker,et al.  Enhancing the Pre- and Postcondition Technique for More Expressive Specifications , 1999, World Congress on Formal Methods.

[85]  Gary T. Leavens,et al.  The Larch/Smalltalk interface specification language , 1994, TSEM.

[86]  Gary T. Leavens,et al.  JML: notations and tools supporting detailed design in Java , 2000 .

[87]  K. Rustan M. Leino,et al.  Checking Java Programs via Guarded Commands , 1999, ECOOP Workshops.

[88]  Kate Finney,et al.  Mathematical Notation in Formal Specification: Too Difficult for the Masses? , 1996, IEEE Trans. Software Eng..

[89]  V. Stavridou,et al.  Abstraction and specification in program development , 1988 .

[90]  Todd Leavens Gary Verifying object-oriented programs that use subtypes , 1989 .

[91]  Edsger W. Dijkstra,et al.  Predicate Calculus and Program Semantics , 1989, Texts and Monographs in Computer Science.

[92]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.