A Runtime Assertion Checker for the Java Modeling Language Yoonsik Cheon Iowa State University
Total Page:16
File Type:pdf, Size:1020Kb
Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 2003 A runtime assertion checker for the Java Modeling Language Yoonsik Cheon Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Part of the Computer Sciences Commons Recommended Citation Cheon, Yoonsik, "A runtime assertion checker for the Java Modeling Language " (2003). Retrospective Theses and Dissertations. 570. https://lib.dr.iastate.edu/rtd/570 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A runtime assertion checker for the Java Modeling Language by Yoonsik Cheon A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Science Program of Study Committee: Gary T. Leavens, Major Professor Les Miller Robyn R. Lutz Don L. Pigozzi Clifford Bergman Iowa State University Ames, Iowa 2003 Copyright © Yoonsik Cheon, 2003. All rights reserved. UMI Number: 3085895 Copyright 2003 by Cheon, Yoonsik All rights reserved. UMI UMI Microform 3085895 Copyright 2003 by ProQuest Information and Learning Company. All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code. ProQuest Information and Learning Company 300 North Zeeb Road P.O. Box 1346 Ann Arbor, Ml 48106-1346 ii Graduate College Iowa State University This is to certify that the doctoral dissertation of Yoonsik Cheon has met the dissertation requirements of Iowa State University Signature was redacted for privacy. Majot rrofessor Signature was redacted for privacy. For the Major Program iii TABLE OF CONTENTS LIST OF TABLES ix LIST OF FIGURES x ACKNOWLEDGEMENTS xiv ABSTRACT xv 1 INTRODUCTION 1 1.1 Background 1 1.1.1 Runtime Assertion Checking 3 1.1.2 The Java Modeling Language 5 1.2 Objectives 7 1.3 The Problem 9 1.3.1 Semantic Discrepancies between JML and Java 9 1.3.2 Advanced Features of JML 10 1.3.3 Research Scope 12 1.4 Approach 12 1.4.1 What, Where, and When to Check? 12 1.4.2 Assertion Blocks, Methods, and Classes 14 1.4.3 Local, Contextual Interpretation 16 1.4.4 Dynamic Delegation 16 1.4.5 Access Methods 17 1.5 Implementation 18 1.5.1 The JML Compiler 19 iv 1.5.2 Reporting Assertion Violations 21 1.6 Application — Specifications as Test Oracles 22 1.7 Contributions 24 1.8 Outline 25 2 AN OVERVIEW OF JML 27 2.1 Introduction 27 2.2 Assertions and Expressions 29 2.3 Method Specifications 31 2.3.1 Specification Clauses 31 2.3.2 Heavyweight versus Lightweight 32 2.3.3 Syntactic Sugars 33 2.3.4 Privacy of Specifications 34 2.3.5 Semantics 34 2.4 Type Specifications 35 2.4.1 Invariants 35 2.4.2 Constraints 36 2.4.3 Abstract Specifications 37 2.5 Inheritance of Specifications 38 2.6 An Example 39 2.7 Discussion 42 3 EXPRESSIONS AND ASSERTIONS 44 3.1 Introduction 44 3.1.1 Notations 46 3.2 The Undefinedness Problem 48 3.2.1 An Example 49 3.2.2 Demonic versus Angelic 50 3.2.3 Contextual Interpretation 50 3.2.4 Translation Rules 52 V 3.2.5 Non-executable Constructs 57 3.3 Quantified Expressions 59 3.3.1 Abstract Syntax Extended 59 3.3.2 Semantic Clarification 59 3.3.3 Pattern-based Static Analysis 61 3.4 Related Work 64 3.4.1 Undefinedness 64 3.4.2 Quantified Expressions 66 3.5 Discussion 69 3.5.1 Anomaly of Contextual Interpretation 69 3.5.2 Referring to Pre-state Expressions 70 3.5.3 Other Approaches to Quantifiers 71 3.6 Summary 72 4 METHOD SPECIFICATIONS 73 4.1 Introduction 73 4.1.1 Reporting Assertion Violations 75 4.1.2 Translation Scheme 76 4.1.3 Wrapper Approach 78 4.1.4 Outline 79 4.2 Desugaring Specifications 80 4.2.1 Eliminating Old Variables 83 4.2.2 Eliminating Old Expressions 84 4.3 Wrapper Methods 84 4.4 Precondition Methods . 87 4.5 Postcondition Methods 89 4.5.1 Normal Postconditions 89 4.5.2 Exceptional Postconditions 90 4.6 Pre-state Expressions 94 vi 4.7 In-line Assertions 96 4.7.1 Assertions, Assumptions, and Reasons 96 4.7.2 Unreachable Statements 98 4.7.3 Set Statements 98 4.7.4 Loop Invariants and Variants 99 4.8 Discussion 104 4.8.1 Privacy of Method Specifications 104 4.8.2 Constructors and Finalizers 105 4.8.3 Initializers 106 5 TYPE SPECIFICATIONS 107 5.1 Introduction 107 5.2 Invariants Ill 5.3 Constraints 112 5.3.1 Old Expressions 112 5.3.2 Nested Method Calls 115 5.3.3 Method-specific Constraints 117 5.4 Wrapper Methods Revisited 119 5.5 Specifications for Interfaces 119 5.6 Discussion 122 5.6.1 Limitations 122 5.6.2 Establishing Static Invariants 123 5.6.3 Privacy of Specifications 124 6 INHERITANCE OF SPECIFICATIONS 126 6.1 Introduction 126 6.1.1 Challenges 127 6.1.2 Approach 128 6.1.3 Delegation Approach 128 6.2 Method Specifications 130 vii 6.2.1 Immediate Supertypes for Specification Inheritance 131 6.2.2 Preconditions 132 6.2.3 Normal Postconditions 135 6.2.4 Exceptional Postconditions 135 6.3 Invariants 137 6.4 Constraints 139 6.4.1 Weak Behavioral Subtyping 141 6.5 Specifications for Interfaces 143 6.5.1 Propagating Assertion Calls to Superinterfaces 148 6.5.2 Lazy Initialization of Surrogate Maps 150 6.6 An Example 150 6.7 Discussion 151 6.7.1 Anomaly of Specification Inheritance 152 6.7.2 Checking Behavioral Subtyping 155 6.7.3 Refinement 155 7 ABSTRACT SPECIFICATIONS 158 7.1 Introduction 159 7.1.1 Abstraction in JML 159 7.1.2 General Approach 159 7.2 Model Fields 161 7.2.1 Model Field Access Methods 161 7.2.2 Assertions with Model Fields 162 7.2.3 Inheritance 164 7.3 Interface Model Fields 166 7.3.1 Inheritance 167 7.3.2 Details of the Approach 171 7.3.3 An Example 174 7.4 Ghost Fields 177 viii 7.5 Model Methods 179 7.6 Discussion 183 8 APPLICATION — UNIT TESTING WITH JML 185 8.1 Introduction 185 8.1.1 The Problem 186 8.1.2 Approach 187 8.1.3 Outline 188 8.2 Assumptions About the Specification Language 189 8.2.1 The Runtime Assertion Checker 190 8.3 Assumptions About the Testing Framework 191 8.4 Test Oracle Generation 193 8.4.1 Deciding Test Outcomes 193 8.4.2 Setting Up Test Cases 195 8.4.3 Test Methods 198 8.4.4 Test Classes 200 8.5 Test Execution 200 8.5.1 Supplying Test Cases 200 8.5.2 Running the Tests 201 8.6 Related Work 205 8.7 Summary 207 9 CONCLUSION 209 9.1 Future Work 209 9.2 Summary 211 ix LIST OF TABLES Table 2.1 JML's extension to Java's expressions 30 Table 2.2 Method specification clauses 31 Table 3.1 Translation contexts for expressions 52 X LIST OF FIGURES Figure 1.1 Compilation-based approach to runtime assertion checking 19 Figure 1.2 Architecture of the JML compiler 20 Figure 2.1 Example JML specification 28 Figure 2.2 Desugaring specification cases 33 Figure 2.3 Desugaring nested specifications 34 Figure 2.4 Specification of the class StackAsArray 40 Figure 3.1 Abstract syntax of JML expressions and sample translation rule. ... 47 Figure 3.2 JML specification with potential undefinedness 48 Figure 3.3 Translating field reference expressions 53 Figure 3.4 Translating method call expressions 55 Figure 3.5 Translating equivalence, implication, and negation expressions 56 Figure 3.6 Translating conditional expressions 57 Figure 3.7 Translating equality expressions 58 Figure 3.8 Extended abstract syntax of JML expressions 59 Figure 3.9 Translating the universal quantifier 63 Figure 4.1 Class hierarchy of assertion violation errors 77 Figure 4.2 Control flow of the wrapper approach 80 Figure 4.3 General structure of wrapper methods 86 Figure 4.4 General structure of precondition methods 88 Figure 4.5 General structure of normal postcondition methods 90 Figure 4.6 Method specifications with signals clauses 91 xi Figure 4.7 General structure of exceptional postcondition methods (part 1). 92 Figure 4.8 General structure of exceptional postcondition methods (part 2). 93 Figure 4.9 Evaluating old expressions 95 Figure 4.10 Example of old variables 95 Figure 4.11 Translating assert and assume statements 97 Figure 4.12 Ghost fields and set statements 99 Figure 4.13 Translating set statements 99 Figure 4.14 Translating loop invariants and variants for while statements 101 Figure 4.15 Translating loop invariants and variants for do statements 103 Figure 4.16 Translating loop invariants and variants for for statements 104 Figure 5.1 Control flow for checking type assertions 109 Figure 5.2 Instance and static invariant methods Ill Figure 5.3 Instance and static constraint methods 113 Figure 5.4 Evaluating old expressions appearing in constraints 114 Figure 5.5 Constraints and nested method calls 115 Figure 5.6 Referring to correct pre-state values in nested assertion checking. 116 Figure 5.7 Old value stacks generated by the JML compiler 116 Figure 5.8 Extended and new constraint methods for method-specific constraints.