DOCSLIB.ORG

Introduction to JML the Java Modeling Language

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Introduction to JML the Java Modeling Language Goal: JML should be easy to use for any Java programmer. Outline of this tutorial First • introduction to JML Introduction to JML • overview of tool support for JML, esp. runtime assertion checking (using jmlrac) and extended static David Cok, Joe Kiniry, and Erik Poll checking ESC/Java2 Then Eastman Kodak Company, University College Dublin, • ESC/Java2: Use and Features and Radboud University Nijmegen • ESC/Java2: Warnings • Specification tips and pitfalls • Advanced JML: more tips and pitfalls interspersed with demos. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.1/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.2/30 JML by Gary Leavens et al. Formal specification language for Java • to specify behaviour of Java classes • to record design &implementation decisions The Java Modeling Language by adding assertions to Java source code, eg • preconditions JML • postconditions • invariants www.jmlspecs.org as in Eiffel (Design by Contract), but more expressive. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.3/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.4/30 JML by Gary Leavens et al. JML Formal specification language for Java To make JML easy to use: to specify behaviour of Java classes • • JML assertions are added as comments in .java file, • to record design &implementation decisions between /*@ . @*/, or after //@, by adding assertions to Java source code, eg • Properties are specified as Java boolean expressions, extended with a few operators (nold, nforall, nresult, • preconditions . ). • postconditions • using a few keywords (requires, ensures, • invariants signals, assignable, pure, invariant, non null, . ) as in Eiffel (Design by Contract), but more expressive. Goal: JML should be easy to use for any Java programmer. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.4/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.5/30 requires, ensures requires, ensures Pre- and post-conditions for method can be specified. JML specs can be as strong or as weak as you want. /*@ requires amount >= 0; /*@ requires amount >= 0; ensures balance == nold(balance-amount) && ensures true; nresult == balance; @*/ @*/ public int debit(int amount) f public int debit(int amount) f ... ... g g This default postcondition “ensures true” can be Here nold(balance) refers to the value of balance omitted. before execution of the method. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.6/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.7/30 Design-by-Contract signals Pre- and postconditions define a contract between a class Exceptional postconditions can also be specified. and its clients: • Client must ensure precondition and may assume /*@ requires amount >= 0; postcondition ensures true; • Method may assume precondition and must ensure signals (BankException e) postcondition amount > balance && balance == nold(balance) && Eg, in the example specs for debit, it is the obligation of the client to ensure that amount is positive. The requires e.getReason().equals("Amount too big"); clause makes this explicit. @*/ public int debit(int amount) throws BankException f ... g David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.8/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.9/30 signals invariant Exceptions mentioned in throws clause are allowed by Invariants (aka class invariants) are properties that must be default. To change this, there are three options: maintained by all methods, e.g., • To rule out all exceptions, use a normal_behavior public class Wallet f public static final short MAX_BAL = 1000; /*@ normal behavior private short balance; requires ... /*@ invariant 0 <= balance && ensures ... balance <= MAX_BAL; @*/ @*/ • To rule out particular exception E, add ... Invariants are implicitly included in all pre- and signals (E) false; postconditions. • To allow only some exceptions, add Invariants must also be preserved if exception is thrown! signals_only E1, ..., E2; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.10/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.11/30 invariant non_null Invariants document design decisions, e.g., Many invariants, pre- and postconditions are about references not being null. non_null is a convenient public class Directory f short-hand for these. private File[] files; public class Directory f /*@ invariant files != null private /*@ non null @*/ File[] files; && (nforall int i; 0 <= i && i < files.length; void createSubdir(/*@ non null @*/ String name)f ; files[i] != null && ... files[i].getParent() == this); @*/ /*@ non null @*/ Directory getParent()f ... Making them explicit helps in understanding the code. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.12/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.13/30 assert assert An assert clause specifies a property that should hold at JML keyword assert now also in Java (since Java 1.4). some point in the code, e.g., Still, assert in JML is more expressive, for example in if (i <= 0 || j < 0) f ... ... for (n = 0; n < a.length; n++) else if (j < 5) g f if (a[n]==null) break; //@ assert i > 0 && 0 < j && j < 5; /*@ assert (nforall int i; 0 <= i && i < n; ... a[i] != null); g else f @*/ //@ assert i > 0 && j > 5; ... g David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.14/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.15/30 assignable pure Frame properties limit possible side-effects of methods. A method without side-effects is called pure. /*@ requires amount >= 0; assignable balance; public /*@ pure @*/ int getBalance()f... ensures balance == nold(balance)-amount; @*/ Directory /*@ pure non null @*/ getParent()f...g public int debit(int amount) f g ... Pure method are implicitly assignable nnothing. E.g., debit can only assign to the field balance. Pure methods, and only pure methods, can be used in NB this does not follow from the post-condition. specifications, eg. Default assignable clause: assignable neverything. //@ invariant 0<=getBalance() && getBalance()<=MAX_BALANCE; David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.16/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.17/30 JML recap The JML keywords discussed so far: • requires • ensures • signals • assignable Tools for JML • normal behavior • invariant • non null • pure • nold, nforall, nexists, nresult This is all you need to know to get started! David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.18/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.19/30 • runtime assertion checking: test for violations of assertions during execution jmlrac • extended static checking ie. automated program • extended static checking ie. automated program verification: verification: prove that contracts are never violated at compile-time prove that contracts are never violated at compile-time ESC/Java2 ESC/Java2 This is program verification, not just testing. This is program verification, not just testing. • cheap & easy to do as part of existing testing practice • better testing and better feedback, because more properties are tested, at more places in the code Eg, “Invariant violated in line 8000” after 1 minute instead of “NullPointerException in line 2000” after 4 minutes Of course, an assertion violation can be an error in code or an error in specification. The jmlunit tool combines jmlrac and unit testing. tools for JML tools for JML • parsing and typechecking • parsing and typechecking • runtime assertion checking: test for violations of assertions during execution jmlrac David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/30 tools for JML runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at • parsing and typechecking Iowa State Univ. • runtime assertion checking: • translates JML assertions into runtime checks: test for violations of assertions during execution during execution, all assertions are tested and jmlrac any violation of an assertion produces an • extended static checking ie. automated program Error. verification: prove that contracts are never violated at compile-time ESC/Java2 This is program verification, not just testing. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.20/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/30 Eg, “Invariant violated in line 8000” after 1 minute instead of “NullPointerException in line 2000” after 4 minutes Of course, an assertion violation can be an error in code or Of course, an assertion violation can be an error in code or an error in specification. an error in specification. The jmlunit tool combines jmlrac and unit testing. The jmlunit tool combines jmlrac and unit testing. The jmlunit tool combines jmlrac and unit testing. runtime assertion checking runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at Iowa State Univ. Iowa State Univ. • translates JML assertions into runtime checks: • translates JML assertions into runtime checks: during execution, all assertions are tested and during execution, all assertions are tested and any violation of an assertion produces an any violation of an assertion produces an Error. Error. • cheap & easy to do as part of existing testing practice • cheap & easy to do as part of existing testing practice • better testing and better feedback, because more • better testing and better feedback, because more properties are tested, at more places in the code properties are tested, at more places in the code Eg, “Invariant violated in line 8000” after 1 minute instead of “NullPointerException in line 2000” after 4 minutes David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/30 David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial – p.21/30 runtime assertion checking runtime assertion checking jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al. at jmlrac compiler by Gary Leavens, Yoonsik Cheon, et al.
Load more

Recommended publications
  • The Java Modeling Language
    The Java Modeling Language Software Fiável Mestrado em Engenharia Informática Mestrado em Informática Faculdade de Ciências da Universidade de Lisboa 2015/2016 Vasco T. Vasconcelos, Antónia Lopes Software Fiável The Java Modeling Language Contracts I The key ingredient of Design by contract, software design methodology promoted by Bertrand Meyer and the Eiffel programming language in 1986. I Inspired by assertions of Hoare logic, contracts place special obligations on both clients and suppliers of a procedure or method. I What does a method require from it’s caller? I What does the method ensure? Software Fiável The Java Modeling Language DBC DBC key idea is to associate a specification with every software element. These specifications (or contracts) govern the interaction of the element with the rest of the world. I Forces the programmer to write exactly what the method does and needs I No need to program defensively (defensive checks can be exensive and increases the complexity of the code of the method and worsen its maintainability) I Assigns blame: specifies who is to blame for not keeping the contract I Provides a standard way to document classes: client programmers are provided with a proper description of the interface properties of a class that is stripped of all implementation information but retains the essential usage information: the contract. Software Fiável The Java Modeling Language Language support for Contracts Language support for contracts exists in different forms: I Eiffel is an object-oriented language that includes contracts I JML adds contracts to the Java language. JML specifications are conventional Java boolean expressions, with a few extensions I Spec# adds contracts to C# I Code Contracts is an API (part of .NET) to author contracts In this course we focus on JML.
    [Show full text]
  • Génération Automatique De Tests Unitaires Avec Praspel, Un Langage De Spécification Pour PHP the Art of Contract-Based Testing in PHP with Praspel
    CORE Metadata, citation and similar papers at core.ac.uk Provided by HAL - Université de Franche-Comté G´en´erationautomatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP Ivan Enderlin To cite this version: Ivan Enderlin. G´en´eration automatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP. Informatique et langage [cs.CL]. Universit´ede Franche-Comt´e,2014. Fran¸cais. <NNT : 2014BESA2067>. <tel-01093355v2> HAL Id: tel-01093355 https://hal.inria.fr/tel-01093355v2 Submitted on 19 Oct 2016 HAL is a multi-disciplinary open access L'archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destin´eeau d´ep^otet `ala diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publi´esou non, lished or not. The documents may come from ´emanant des ´etablissements d'enseignement et de teaching and research institutions in France or recherche fran¸caisou ´etrangers,des laboratoires abroad, or from public or private research centers. publics ou priv´es. Thèse de Doctorat école doctorale sciences pour l’ingénieur et microtechniques UNIVERSITÉ DE FRANCHE-COMTÉ No X X X THÈSE présentée par Ivan Enderlin pour obtenir le Grade de Docteur de l’Université de Franche-Comté K 8 k Génération automatique de tests unitaires avec Praspel, un langage de spécification pour PHP The Art of Contract-based Testing in PHP with Praspel Spécialité Informatique Instituts Femto-ST (département DISC) et INRIA (laboratoire LORIA) Soutenue publiquement
    [Show full text]
  • The Java Modeling Language
    The Java Modeling language JML Erik Poll Digital Security Radboud University Nijmegen JML • formal specification language for sequential Java by Gary Leavens et. al. – to specify behaviour of Java classes & interfaces – to record detailed design decisions by adding annotations to Java source code in Design-By- Contract style, using eg. pre/postconditions and invariants • Design goal: meant to be usable by any Java programmer Lots of info on http://www.jmlspecs.org Erik Poll, JML introduction - CHARTER meeting - 2 to make JML easy to use • JML annotations added as special Java comments, between /*@ .. @*/ or after //@ • JML specs can be in .java files, or in separate .jml files • Properties specified using Java syntax, extended with some operators \old( ), \result, \forall, \exists, ==> , .. and some keywords requires, ensures, invariant, .... Erik Poll, JML introduction - CHARTER meeting - 3 JML example public class ePurse{ private int balance; //@ invariant 0 <= balance && balance < 500; //@ requires amount >= 0; //@ ensures balance <= \old(balance); public debit(int amount) { if (amount > balance) { throw (new BankException("No way"));} balance = balance – amount; } Erik Poll, JML introduction - CHARTER meeting - 4 What can you do with this? • documentation/specification – record detailed design decisions & document assumptions (and hence obligations!) – precise, unambiguous documentation • parsed & type checked • use tools for – runtime assertion checking • eg when testing code – compile time (static) analyses • up to full formal program
    [Show full text]
  • You Say 'JML' ? Wikipedia (En)
    You say 'JML' ? Wikipedia (en) PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Mon, 06 Jan 2014 09:58:42 UTC Contents Articles Java Modeling Language 1 Design by contract 5 Formal methods 10 References Article Sources and Contributors 15 Image Sources, Licenses and Contributors 16 Article Licenses License 17 Java Modeling Language 1 Java Modeling Language The Java Modeling Language (JML) is a specification language for Java programs, using Hoare style pre- and postconditions and invariants, that follows the design by contract paradigm. Specifications are written as Java annotation comments to the source files, which hence can be compiled with any Java compiler. Various verification tools, such as a runtime assertion checker and the Extended Static Checker (ESC/Java) aid development. Overview JML is a behavioural interface specification language for Java modules. JML provides semantics to formally describe the behavior of a Java module, preventing ambiguity with regard to the module designers' intentions. JML inherits ideas from Eiffel, Larch and the Refinement Calculus, with the goal of providing rigorous formal semantics while still being accessible to any Java programmer. Various tools are available that make use of JML's behavioral specifications. Because specifications can be written as annotations in Java program files, or stored in separate specification files, Java modules with JML specifications can be compiled unchanged with any Java compiler. Syntax JML specifications are added to Java code in the form of annotations in comments. Java comments are interpreted as JML annotations when they begin with an @ sign.
    [Show full text]
  • A Runtime Assertion Checker for the Java Modeling Language Yoonsik Cheon Iowa State University
    Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 2003 A runtime assertion checker for the Java Modeling Language Yoonsik Cheon Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Part of the Computer Sciences Commons Recommended Citation Cheon, Yoonsik, "A runtime assertion checker for the Java Modeling Language " (2003). Retrospective Theses and Dissertations. 570. https://lib.dr.iastate.edu/rtd/570 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A runtime assertion checker for the Java Modeling Language by Yoonsik Cheon A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Science Program of Study Committee: Gary T. Leavens, Major Professor Les Miller Robyn R. Lutz Don L. Pigozzi Clifford Bergman Iowa State University Ames, Iowa 2003 Copyright © Yoonsik Cheon, 2003. All rights reserved. UMI Number: 3085895 Copyright 2003 by Cheon, Yoonsik All rights reserved. UMI UMI Microform 3085895 Copyright 2003 by ProQuest Information and Learning Company. All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code. ProQuest Information and Learning Company 300 North Zeeb Road P.O. Box 1346 Ann Arbor, Ml 48106-1346 ii Graduate College Iowa State University This is to certify that the doctoral dissertation of Yoonsik Cheon has met the dissertation requirements of Iowa State University Signature was redacted for privacy.
    [Show full text]
  • A SpecistCation Language Design for the Java Modeling Language
    Computer Science Technical Reports Computer Science 2008 A Specification Language Design for the Java Modeling Language (JML) Using Java 5 Annotations Kristina B. Taylor Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/cs_techreports Part of the Software Engineering Commons Recommended Citation Taylor, Kristina B., "A Specification Language Design for the Java Modeling Language (JML) Using Java 5 Annotations" (2008). Computer Science Technical Reports. 307. http://lib.dr.iastate.edu/cs_techreports/307 This Article is brought to you for free and open access by the Computer Science at Iowa State University Digital Repository. It has been accepted for inclusion in Computer Science Technical Reports by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A Specification Language Design for the Java Modeling Language (JML) Using Java 5 Annotations Abstract Design by contract specification languages help programmers write their intentions for a piece of code in a formal mathematical language. Most programming languages do not have built-in syntax for such specifications, so many design by contract languages place specifications in comments. The aJ va Modeling Language (JML) is one such specification language for Java that uses comments to specify contracts. However, starting with version 5, Java has introduced annotations, a syntactical structure to place metadata in various places in the code. This thesis proposes an initial design to writing JML contracts in the Java 5 annotation syntax and evaluates several criteria in the areas of specification languages and Java language design: whether these annotations are expressive enough to take advantage of annotation simplicity and tool support, and whether the annotation syntax is expressive enough to support handling a large specification language such as JML.
    [Show full text]
  • Adapting the Java Modeling Language for Java 5 Annotations Kristina B
    Computer Science Technical Reports Computer Science 4-2008 Adapting the Java Modeling Language for Java 5 Annotations Kristina B. Taylor Iowa State University Johannes Rieken Iowa State University Gary T. Leavens Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/cs_techreports Part of the Software Engineering Commons Recommended Citation Taylor, Kristina B.; Rieken, Johannes; and Leavens, Gary T., "Adapting the Java Modeling Language for Java 5 Annotations" (2008). Computer Science Technical Reports. 310. http://lib.dr.iastate.edu/cs_techreports/310 This Article is brought to you for free and open access by the Computer Science at Iowa State University Digital Repository. It has been accepted for inclusion in Computer Science Technical Reports by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Adapting the Java Modeling Language for Java 5 Annotations Abstract The aJ va Modeling Language (JML) is a formal specification language for Java that allows to express intended behavior through assertions. Currently, users must embed these assertions in Java comments, which complicates parsing and hinders tool support, leading to poor usability. This paper describes a set of proposed Java 5 annotations which reflect current JML assertions and provides for better tool support. We consider three alternative designs for such annotations and explain why the chosen design is preferred. This syntax is designed to support both a design-by-contract subset of JML, and to be extensible to the full language. We demonstrate that by building two tools: Modern Jass, which provides almost-native support for design by contract, and a prototype that works with a much larger set of JML.
    [Show full text]
  • A Logic for the Java Modeling Language JML
    A Logic for the Java Modeling Language JML Bart Jacobs and Erik Poll Dept. Computer Science, Univ. Nijmegen, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands. bart,erikpoll @cs.kun.nl http://www.cs.kun.nl/∼ bart,erikpoll f g f g Abstract. This paper describes a specialised logic for proving speci- fications in the Java Modeling Language (JML). JML is an interface specification language for Java. It allows assertions like invariants, con- straints, pre- and post-conditions, and modifiable clauses as annotations to Java classes, in a design-by-contract style. Within the LOOP project at the University of Nijmegen JML is used for specification and verifi- cation of Java programs. A special compiler has been developed which translates Java classes together with their JML annotations into logical theories for a theorem prover (PVS or Isabelle). The logic for JML that will be described here consists of tailor-made proof rules in the higher order logic of the back-end theorem prover for verifying translated JML specifications. The rules efficiently combine partial and total correctness (like in Hoare logic) for all possible termination modes in Java, in a single correctness formula. 1 Introduction JML (for Java Modeling Language) [15, 14] is a specification language tailored to Java, primarily developed at Iowa State University. It allows assertions to be included in Java code, specifying for instance pre- and postconditions and invariants in the style of Eiffel and the design-by-contract approach [18]. JML has been integrated with the specification language used for ESC/Java, the extended static checker developed at Compaq System Research Center [17, 27].
    [Show full text]
  • Design by Contract with JML
    Design by Contract with JML § Design by contract § Java Modeling Language (JML) § Formal specifications in JML § JML tools – JML compiler (jmlc) Thanks to Gary Leavens for allowing us to adapt his lecture notes. CS3331 Fall 2003 1 Design by Contract (DBC) § A way of recording: – Details of method responsibilities – Avoiding constantly checking arguments – Assigning blame across interfaces CS3331 Fall 2003 2 Contracts in Software /*@ requires x >= 0.0; @ ensures JMLDouble.approximatelyEqualTo(x, @ \result * \result, eps); @*/ public static double sqrt(double x) { … } Obligations Rights Client Passes non-negative Gets square number root approximation Computes and Assumes argument Implementor returns square root is non-negative CS3331 Fall 2003 3 Pre and Postconditions § Definition – A method’s precondition says what must be true to call it. – A method’s normal postcondition says what is true when it returns normally (i.e., without throwing an exception). – A method’s exceptional postcondition says what is true when a method throws an exception. /*@ signals (IllegalArgumentException e) x < 0; @*/ CS3331 Fall 2003 4 Relational Model of Methods § Can think of a method as a relation: Inputs ↔ Outputs precondition 0 0 postcondition … … 10 100 -10 … … Input Output CS3331 Fall 2003 5 Contracts as Documentation § For each method say: – What it requires (if anything), and – What it ensures. § Contracts are: – More abstract than code, – Not necessarily constructive, – Often machine checkable, so can help with debugging, and – Machine checkable contracts can always be up-to- date. CS3331 Fall 2003 6 Abstraction by Specification § A contract can be satisfied in many ways: E.g., for square root: – Linear search – Binary search – Newton’s method – … § These will have varying non-functional properties – Efficiency – Memory usage § So, a contract abstracts from all these implementations, and thus can change implementations later.
    [Show full text]
  • Praspel: Contract-Driven Testing for PHP Using Realistic Domains Ivan Enderlin, Fabrice Bouquet, Frédéric Dadeau, Alain Giorgetti
    Praspel: Contract-Driven Testing for PHP using Realistic Domains Ivan Enderlin, Fabrice Bouquet, Frédéric Dadeau, Alain Giorgetti To cite this version: Ivan Enderlin, Fabrice Bouquet, Frédéric Dadeau, Alain Giorgetti. Praspel: Contract-Driven Testing for PHP using Realistic Domains. [Research Report] RR-8592, INRIA. 2014, pp.39. hal-01061900 HAL Id: hal-01061900 https://hal.inria.fr/hal-01061900 Submitted on 8 Sep 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Praspel: Contract-Driven Testing for PHP using Realistic Domains Ivan Enderlin, Fabrice Bouquet, Frédéric Dadeau, Alain Giorgetti RESEARCH REPORT N° 8592 September 2014 Project-Team Cassis ISSN 0249-6399 ISRN INRIA/RR--8592--FR+ENG Praspel: Contract-Driven Testing for PHP using Realistic Domains Ivan Enderlin∗, Fabrice Bouquet∗, Frédéric Dadeau∗, Alain Giorgetti∗ Project-Team Cassis Research Report n° 8592 — September 2014 — 36 pages Abstract: We present an integrated contract-based testing framework for PHP. It relies on a behavioral interface specification language called Praspel, for PHP Realistic Annotation and Specification Language. Using Praspel developers can easily annotate their PHP scripts with formal contracts, namely class invariants, and method pre- and postconditions. These contracts describe assertions either by predicates or by assigning realistic domains to data.
    [Show full text]
  • Formal Specification with the Java Modeling Language
    Chapter 7 Formal Specification with the Java Modeling Language Marieke Huisman, Wolfgang Ahrendt, Daniel Grahl, and Martin Hentschel This text is a general, self contained, and tool independent introduction into the Java Modeling Language, JML. It appears in a book about the KeY approach and tool, because JML is the dominating starting point of KeY style Java verification. However, this chapter does not depend on KeY, nor any other specific tool, nor on any specific verification methodology. With this text, the authors aim to provide, for the time being, the definitive, general JML tutorial. Other chapters in this book discuss the particular usage of JML in KeY style verification.1 In this chapter, however, we only refer to KeY in very few places, without relying on it. This introduction is written for all readers with an interest in formal specification of software in general, and anyone who wants to learn about the JML approach to specification in particular. A preliminary version of this chapter appeared as a technical report [Huisman et al., 2014]. Introduction The Java Modeling Language, JML, is an increasingly popular specification language for Java software, that has been developed as a community effort since 1999. The nature of such a project entails that language details change, sometimes rapidly, over time and there is no ultimate reference for JML. Fortunately, for the items that we address in this introduction, the syntax and semantics are for the greatest part already settled by Leavens et al.[2013]. Basic design decisions have been described in [Leavens et al., 2006b],2 who outline these three overall goals: • “JML must be able to document the interfaces and behavior of existing software, regardless of the analyses and design methods to create it.
    [Show full text]
  • An Overview of JML Tools and Applications
    An overview of JML tools and applications www.jmlspecs.org Lilian Burdy a, Yoonsik Cheon c,1, David Cok b, Michael Ernst d, Joe Kiniry e, Gary T. Leavens c,1, K. Rustan M. Leino f, Erik Poll e,2 a GEMPLUS Research Lab, G´emenos, France b Eastman Kodak Company, R&D Laboratories, Rochester, New York, USA c Dept. of Computer Science, Iowa State University, Ames, Iowa, USA d MIT Lab for Computer Science, Cambridge, Massachusetts, USA e Dept. of Computer Science, University of Nijmegen, Nijmegen, the Netherlands f Microsoft Research, Redmond, WA, USA Abstract The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java program- mers and that is supported by a wide range of tools for specification type-checking, runtime debugging, static analysis, and verification. This paper gives an overview of the main ideas behind JML, the different groups collaborating to provide tools for JML, and the existing applications of JML. Thus far, most applications have focused on code for programming smartcards written in the Java Card dialect of Java. Key words: formal methods, formal specification, Java, runtime assertion checking, static checking, program verification 1 Introduction JML [23,24], which stands for “Java Modeling Language”, is useful for spec- ifying detailed designs of Java classes and interfaces. JML is a behavioral interface specification language for Java; that is, it specifies the behavior and the syntactic interface of Java code.
    [Show full text]