
AUTOMATED TRANSLATION OF VDM-SL TO JML-ANNOTATED JAVA

Electrical and Computer Engineering Technical Report ECE-TR-29

DATA SHEET

Title: Automated translation of VDM-SL to JML-annotated Java
Subtitle: Electrical and Computer Engineering
Series title and no.: Technical report ECE-TR-29
Author: Peter W. V. Tran-Jørgensen, Department of Engineering – Electrical and Computer Engineering, Aarhus University
Internet version: The report is available in electronic format (pdf) at the Department of Engineering website http://www.eng.au.dk.
Publisher: Aarhus University©
URL: http://www.eng.au.dk
Year of publication: 2017
Pages: 384
Editing completed: February 2017

Abstract: When a system specified using the Vienna Development Method (VDM) is realised using code-generation, no guarantees are currently made about the correctness of the generated code. In this technical report, we improve code-generation of VDM models by taking contract-based elements such as invariants and pre- and postconditions into account during the code-generation process. The contract-based elements of the Vienna Development Method Specification Language (VDM-SL) are translated into corresponding constructs in the Java Modeling Language (JML) and used to validate the generated code against the properties of the VDM model. VDM-SL and JML are both Design-by-Contract (DbC) languages, with the difference that VDM-SL supports abstract modelling and system specification, while JML is used for detailed specification of Java classes and interfaces. We describe the semantic differences between the contract-based elements of VDM-SL and JML and formulate the translation as a set of rules. We further demonstrate how dynamic JML assertion checks can be used to ensure the consistency of VDM's subtypes when a model is code-generated. The translator is fully automated and produces JML-annotated Java programs that can be checked for correctness using JML tools. Specifically, it is shown how such analysis can be performed using the OpenJML runtime assertion checker. The translation is demonstrated using a case study example of an Automated Teller Machine and several other VDM-SL models, which have been used to validate and assess the translation.

Keywords: Design-by-Contract, Formal methods, VDM, Java, JML, Code-generation
Please cite as: Peter W. V. Tran-Jørgensen, 2017. Automated translation of VDM-SL to JML-annotated Java. Department of Engineering, Aarhus University. Denmark. 384 pp. - Technical report ECE-TR-29
Cover image: Peter W. V. Tran-Jørgensen
ISSN: 2245-2087
Reproduction permitted provided the source is explicitly acknowledged.

AUTOMATED TRANSLATION OF VDM-SL TO JML-ANNOTATED JAVA
Peter W. V. Tran-Jørgensen
Aarhus University, Department of Engineering

Table of Contents

Table of Contents ... i
Chapter 1 Introduction ... 1
1.1 The tool implementation ... 1
1.2 About this technical report ... 2
Chapter 2 The Translation ... 3
2.1 Introduction ... 3
2.2 Design-by-Contract (DbC) with the Vienna Development Method Specification Language (VDM-SL) and the Java Modeling Language (JML) ... 4
2.3 The implementation of the JML translator ... 9
2.4 Case study example ... 10
2.5 Translating VDM-SL contracts to JML ... 13
2.6 Checking the Vienna Development Method (VDM) types using JML ... 24
2.7 Other aspects of VDM-SL affecting the JML-generation ... 32
2.8 Translation assessment ... 37
2.9 Related work ... 38
2.10 Conclusion and future plans ... 39
A The Automated Teller Machine (ATM) model ... 41
B The code-generated ATM model ... 47
C Validation of the translation rules ... 77
C.1 Map.vdmsl ... 77
C.2 Seq.vdmsl ... 80
C.3 Set.vdmsl ... 83
C.4 AtomicStateInvViolation.vdmsl ... 87
C.5 AtomicStateInvNoViolation.vdmsl ... 90
C.6 InvChecksOnFlagInOtherModule.vdmsl ... 93
C.7 AtomicRecUnion.vdmsl ... 99
C.8 NamedTypeInvValues.vdmsl ... 105
C.9 NamedTypeInvMapUpdate.vdmsl ... 107
C.10 NamedTypeInvSeqUpdate.vdmsl ... 109
C.11 RecursionConservativeChecking.vdmsl ... 111
C.12 NamedTypeInvLocalDecls.vdmsl ... 115
C.13 NamedTypeInvReturn.vdmsl ... 117
C.14 NamedTypeInvMethodParam.vdmsl ... 121
C.15 NamedTypeInvNullAllowed.vdmsl ... 123
C.16 NamedTypeMadeOptional.vdmsl ... 125
C.17 NamedTypeInvAsssignments.vdmsl ... 127
C.18 CaseExp.vdmsl ... 132
C.19 TernaryIf.vdmsl ... 134
C.20 LetBeStStm.vdmsl ... 138
C.21 LetBeStExp.vdmsl ... 140
C.22 RealParamNil.vdmsl ... 142
C.23 QuoteAssignNil.vdmsl ... 144
C.24 NatParamNil.vdmsl ... 146
C.25 CharReturnNil.vdmsl ... 148
C.26 Nat1InitWithZero.vdmsl ... 149
C.27 IntAssignNonInt.vdmsl ... 151
C.28 BoolReturnNil.vdmsl ... 152
C.29 RatAssignBool.vdmsl ... 154
C.30 TokenAssignNil.vdmsl ... 156
C.31 RecLet.vdmsl ... 157
C.32 TupLet.vdmsl ... 161
C.33 RecParam.vdmsl ... 163
C.34 TupParam.vdmsl ... 166
C.35 SeqNat1BoolMaskedAsNamedTypeInv.vdmsl ... 168
C.36 SeqOfNatNilElem.vdmsl ... 170
C.37 Seq1EvenNatsMaskedAsNamedTypeInv.vdmsl ... 172
C.38 Seq1AssignEmptySet.vdmsl ... 174
C.39 SeqEven.vdmsl ... 176
C.40 RecUnion.vdmsl ... 178
C.41 Simple.vdmsl ... 183
C.42 AtomicRecUnion.vdmsl ... 187
C.43 SetEvenNamedTypeInv.vdmsl ... 192
C.44 SetOfNat.vdmsl ... 194
C.45 SetPassNil.vdmsl ... 196
C.46 RecTypesUnion.vdmsl ... 198
C.47 OptionalBasicUnion.vdmsl ... 203
C.48 RecWithRecFieldUpdate.vdmsl ... 205
C.49 RecWithRecFieldAtomicViolation.vdmsl ... 216
C.50 CharUnionEven.vdmsl ... 228
C.51 RecWithRecFieldAtomicNoViolation.vdmsl ... 230
C.52 RecInRecInAtomic.vdmsl ... 238
C.53 NamedTypeInvUnionTypeRec.vdmsl ... 246
C.54 RecWithMapOfRec.vdmsl ... 266
C.55 RecInRecInvViolation.vdmsl ... 272
C.56 MaskedRecNamedTypeInv.vdmsl ... 285
C.57 MaskedRecInvViolated.vdmsl ... 296
C.58 ModifyRecInMap.vdmsl ... 314
C.59 Bool.vdmsl ... 320
C.60 Real.vdmsl ... 321
C.61 String.vdmsl ... 323
C.62 Quote.vdmsl ... 324
C.63 Int.vdmsl ... 326
C.64 Nil.vdmsl ... 327
C.65 Char.vdmsl ... 329
C.66 StateInitViolatesInv.vdmsl ... 331
C.67 RecTypeDefInv.vdmsl ... 334
C.68 StateInv.vdmsl ... 338
C.69 PostCond.vdmsl
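The abstract above describes translating VDM-SL pre- and postconditions and named-type invariants into JML clauses that the OpenJML runtime assertion checker (RAC) evaluates while the generated Java runs. The following is an added illustration written for this page; it is not output of the report's translator and not part of its ATM case study. A small VDM-SL module (constructed, shown in the leading comment) is rendered by hand as JML-annotated Java. The class Bank, the type Amount and the bound 1000 are invented, and rendering a named-type invariant as a pure boolean predicate called from the JML clauses is one plausible approach, not necessarily the report's translation rules.

```java
// Added illustration (not the report's translator output): a hand-written JML
// rendering of a small, constructed VDM-SL module. All identifiers are invented.
//
// Constructed VDM-SL source being rendered:
//
//   types
//     Amount = nat
//     inv a == a <= 1000;
//
//   state Bank of
//     balance : Amount
//   init b == b = mk_Bank(0)
//   end
//
//   operations
//     Withdraw : Amount ==> Amount
//     Withdraw(amt) == (balance := balance - amt; return balance)
//     pre  amt <= balance
//     post balance = balance~ - amt and RESULT = balance;
//
//     Deposit : Amount ==> ()
//     Deposit(amt) == balance := balance + amt
//     pre  balance + amt <= 1000;

public class Bank {

    // Amount = nat inv a == a <= 1000. Java has no subtype for this, so the
    // named-type invariant becomes a pure predicate that the JML clauses call
    // wherever an Amount flows (field, parameter, result). The nat lower
    // bound is made explicit because Java's long is signed.
    /*@ pure @*/
    public static boolean isAmount(long a) {
        return 0 <= a && a <= 1000;
    }

    // State component; the VDM state init gives balance = 0. spec_public lets
    // public specifications refer to the private field.
    private /*@ spec_public @*/ long balance = 0;

    // The type of the state component becomes a class invariant, which RAC
    // evaluates on every public method entry and exit.
    //@ public invariant isAmount(balance);

    /*@ pure @*/
    public long getBalance() {
        return balance;
    }

    // pre  -> requires (plus the implicit Amount constraint on the parameter)
    // post -> ensures, with balance~ rendered as \old(balance) and RESULT as \result
    //@ requires isAmount(amt);
    //@ requires amt <= balance;
    //@ assignable balance;
    //@ ensures balance == \old(balance) + (-amt);
    //@ ensures \result == balance;
    public long withdraw(long amt) {
        balance = balance - amt;
        return balance;
    }

    // Without the precondition, deposit(1) on a balance of 1000 would silently
    // produce 1001 in plain Java. Under RAC the requires clause reports the
    // caller's violation, and the class invariant would fire on exit anyway.
    //@ requires isAmount(amt);
    //@ requires balance + amt <= 1000;
    //@ assignable balance;
    //@ ensures balance == \old(balance) + amt;
    public void deposit(long amt) {
        balance = balance + amt;
    }

    public static void main(String[] args) {
        Bank b = new Bank();
        b.deposit(700);
        b.withdraw(250);
        System.out.println("balance after deposit/withdraw: " + b.getBalance());

        // Violates the precondition of withdraw (amt > balance). Compiled with
        // RAC this is reported as a JML assertion failure before the body runs;
        // compiled with plain javac it passes silently and the balance goes
        // negative, breaking the Amount invariant the VDM model guaranteed.
        b.withdraw(500);
        System.out.println("balance after bad withdraw: " + b.getBalance());
    }
}
```

To see the second withdraw rejected, compile the class with OpenJML's runtime assertion checking enabled (the `-rac` option in the OpenJML releases the author has used; check the option spelling for your version) and run it with the OpenJML runtime library on the classpath. Compiled with plain `javac`, the annotations are ordinary comments and the same program runs to completion with a negative balance, which is exactly the gap between generated code and model properties that the abstract describes.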