A Runtime Assertion Checker for the Java Modeling Language Yoonsik Cheon Iowa State University
Computer Science Technical Reports, Computer Science, 4-2003

Recommended Citation
Cheon, Yoonsik, "A Runtime Assertion Checker for the Java Modeling Language" (2003). Computer Science Technical Reports. 308. http://lib.dr.iastate.edu/cs_techreports/308

Abstract
JML compiler to translate Java programs annotated with JML specifications into Java bytecode. The compiled bytecode transparently checks JML specifications at runtime. The JML compiler supports separate and modular compilation. The approach brings programming benefits such as debugging and testing to BISLs and also helps programmers to use BISLs in their daily programming. A set of translation rules is defined from JML expressions into assertion checking code. The translation rules handle various kinds of undefinedness, such as runtime exceptions and non-executable constructs, in such a way as to both satisfy the standard rules of logic and detect as many assertion violations as possible. The rules also support various forms of quantifiers. Specification-only declarations such as model fields, ghost fields, and model methods are translated into access methods; e.g., an access method for a model field is an abstraction function that calculates an abstract value from the program state.
The specification state of a stateful interface, due to specification-only fields such as ghost fields, is represented as a separate assertion class. Thus, an object's specification state is distributed over the object itself and one assertion object for each interface that its class implements. Assertion checking is also distributed in that a subtype delegates the responsibility of checking inherited specifications to its supertypes (or the assertion classes of its superinterfaces). The delegation approach supports multiple inheritance and is modular. Finally, the effectiveness and practicality of runtime assertion checking is demonstrated by applying it to program testing. An approach is implemented that significantly automates unit testing. The key idea of the approach is to view interface specifications as test oracles and to use the runtime assertion checker as the decision procedure of the test oracles. The approach also shows that the runtime assertion checker can be an effective framework for developing specification-based tools.

Keywords: documentation, formal methods, inheritance of specifications, programming by contract, runtime assertion checking, specification language, tools, unit testing, Java language, JML compiler, JML language

Disciplines: Software Engineering

A Runtime Assertion Checker for the Java Modeling Language
Yoonsik Cheon
TR #03-09
April 2003
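As an added illustration of the translation scheme the abstract summarizes (this is not code from the report and not what the JML compiler actually emits), the following Java class pairs a JML-specified method with a hand-written version of the checking code: a wrapper that surrounds the original body with invariant, precondition and postcondition checks, pre-state capture for \old expressions, and an access method that implements a model field as an abstraction function over the concrete state. The Account class, every name containing "$", and the *Error classes are assumptions; treating any runtime exception raised while evaluating an assertion as a violation is a coarse version of the report's contextual interpretation, which decides per subexpression.

```java
import java.util.Arrays;

/* Added illustrative example (assumed names, not jmlc output): a JML-annotated
 * class with the wrapper / precondition / postcondition / access-method structure
 * described in the abstract written out by hand. */
public class Account {
    //@ public invariant balance >= 0;
    private int balance;
    private int[] history = new int[0];         // amounts withdrawn so far

    //@ public model int count;                 // specification-only (model) field
    //@ private represents count = history.length;

    public Account(int initial) { balance = initial; }

    /*@ requires amount > 0 && amount <= balance;
      @ ensures  balance == \old(balance) - amount
      @       && count == \old(count) + 1
      @       && history[history.length - 1] == amount;
      @*/
    public void withdraw(int amount) {
        // Wrapper: the original body lives in internal$withdraw; the wrapper adds
        // the checks and captures pre-state values before the body runs.
        checkInv$Account("withdraw", "entry");
        checkPre$withdraw(amount);
        int old$balance = balance;          // \old(balance)
        int old$count = model$count();      // \old(count), via the access method
        internal$withdraw(amount);
        checkPost$withdraw(amount, old$balance, old$count);
        checkInv$Account("withdraw", "exit");
    }

    private void internal$withdraw(int amount) {
        balance -= amount;
        history = Arrays.copyOf(history, history.length + 1);
        history[history.length - 1] = amount;
    }

    /** Access method for the model field count: an abstraction function that
     *  computes the abstract value from the concrete program state. */
    private int model$count() { return history.length; }

    /** Precondition method. A RuntimeException raised while evaluating the
     *  assertion counts as a violation (the "demonic" reading), so that as many
     *  violations as possible are detected instead of being silently passed. */
    private void checkPre$withdraw(int amount) {
        boolean ok;
        try {
            ok = amount > 0 && amount <= balance;
        } catch (RuntimeException e) {
            ok = false;
        }
        if (!ok) throw new PreconditionError("Account.withdraw", "amount=" + amount);
    }

    private void checkPost$withdraw(int amount, int old$balance, int old$count) {
        boolean ok;
        try {
            ok = balance == old$balance - amount
              && model$count() == old$count + 1
              && history[history.length - 1] == amount; // would throw on empty history
        } catch (RuntimeException e) {
            ok = false;                                  // undefined => violation
        }
        if (!ok) throw new PostconditionError("Account.withdraw", "balance=" + balance);
    }

    private void checkInv$Account(String method, String where) {
        if (!(balance >= 0))
            throw new InvariantError("Account", method + " at " + where);
    }

    /* Unchecked errors reporting assertion violations (assumed names). */
    public static class SpecViolationError extends RuntimeException {
        SpecViolationError(String kind, String where, String detail) {
            super(kind + " violated in " + where + " (" + detail + ")");
        }
    }
    public static class PreconditionError extends SpecViolationError {
        PreconditionError(String where, String d) { super("precondition", where, d); }
    }
    public static class PostconditionError extends SpecViolationError {
        PostconditionError(String where, String d) { super("postcondition", where, d); }
    }
    public static class InvariantError extends SpecViolationError {
        InvariantError(String where, String d) { super("invariant", where, d); }
    }

    public static void main(String[] args) {
        Account a = new Account(100);
        a.withdraw(30);                       // satisfies the specification
        try {
            a.withdraw(500);                  // amount > balance: precondition violated
        } catch (PreconditionError e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Running main prints the precondition violation message for the second call; the first call passes every check because the pre-state values captured in the wrapper make the \old terms of the postcondition evaluable after the body has changed the state.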
2001 CR Categories: D.2.1 [Software Engineering] Requirements/Specifications: languages, tools, JML; D.2.2 [Software Engineering] Design Tools and Techniques: modules and interfaces, object-oriented design methods; D.2.4 [Software Engineering] Software/Program Verification: assertion checkers, class invariants, correctness proofs, formal methods, programming by contract, reliability, tools, validation, JML; D.3.2 [Programming Languages] Language Classifications: object-oriented languages; F.3.1 [Logics and Meanings of Programs] Specifying and Verifying and Reasoning about Programs: assertions, invariants, logics of programs, mechanical verification, pre- and post-conditions, specification techniques.

Copyright © 2003 by Yoonsik Cheon. All rights reserved.
Department of Computer Science, 226 Atanasoff Hall, Iowa State University, Ames, Iowa 50011-1041, USA

Contents
Acknowledgements
Abstract
1 Introduction
1.1 Background
1.1.1 Runtime Assertion Checking
1.1.2 The Java Modeling Language
1.2 Objectives
1.3 The Problem
1.3.1 Semantic Discrepancies between JML and Java
1.3.2 Advanced Features of JML
1.3.3 Research Scope
1.4 Approach
1.4.1 What, Where, and When to Check?
1.4.2 Assertion Blocks, Methods, and Classes
1.4.3 Local Contextual Interpretation
1.4.4 Dynamic Delegation
1.4.5 Access Methods
1.5 Implementation
1.5.1 The JML Compiler
1.5.2 Reporting Assertion Violations
1.6 Application: Specifications as Test Oracles
1.7 Contributions
1.8 Outline
2 An Overview of JML
2.1 Introduction
2.2 Assertions and Expressions
2.3 Method Specifications
2.3.1 Specification Clauses
2.3.2 Heavyweight versus Lightweight
2.3.3 Syntactic Sugars
2.3.4 Privacy of Specifications
2.3.5 Semantics
2.4 Type Specifications
2.4.1 Invariants
2.4.2 Constraints
2.4.3 Abstract Specifications
2.5 Inheritance of Specifications
2.6 An Example
2.7 Discussion
3 Expressions and Assertions
3.1 Introduction
3.1.1 Notations
3.2 The Undefinedness Problem
3.2.1 An Example
3.2.2 Demonic versus Angelic
3.2.3 Contextual Interpretation
3.2.4 Translation Rules
3.2.5 Non-executable Constructs
3.3 Quantified Expressions
3.3.1 Abstract Syntax Extended
3.3.2 Semantic Clarification
3.3.3 Pattern-based Static Analysis
3.4 Related Work
3.4.1 Undefinedness
3.4.2 Quantified Expressions
3.5 Discussion
3.5.1 Anomaly of Contextual Interpretation
3.5.2 Referring to Pre-state Expressions
3.5.3 Other Approaches to Quantifiers
3.6 Summary
4 Method Specifications
4.1 Introduction
4.1.1 Reporting Assertion Violations
4.1.2 Translation Scheme
4.1.3 Wrapper Approach
4.1.4 Outline
4.2 Desugaring Specifications
4.2.1 Eliminating Old Variables
4.2.2 Eliminating Old Expressions
4.3 Wrapper Methods
4.4 Precondition Methods
4.5 Postcondition Methods
4.5.1 Normal Postconditions
4.5.2 Exceptional Postconditions
4.6 Pre-state Expressions
4.7 In-line Assertions
4.7.1 Assertions, Assumptions, and Reasons
4.7.2 Unreachable Statements
4.7.3 Set Statements
4.7.4 Loop Invariants and Variants
4.8 Discussion
4.8.1 Privacy of Method Specifications
4.8.2 Constructors and Finalizers
4.8.3 Initializers
5 Type Specifications
5.1 Introduction
5.2 Invariants ...