fundamentals of software engineering - java modeling language
TRANSCRIPT
Fundamentals of Software Engineering
Java Modeling Language - Part II
Ina Schaefer
Institute for Software Systems Engineering, TU Braunschweig, Germany
Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle
(Chalmers University of Technology, Gothenburg, Sweden)
Ina Schaefer FSE 1
JML Expressions ≠ Java Expressions
boolean JML Expressions (to be completed)
• each side-effect free boolean Java expression is a boolean JML expression
• if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:
  ▶ !a (“not a”)
  ▶ a && b (“a and b”)
  ▶ a || b (“a or b”)
  ▶ a ==> b (“a implies b”)
  ▶ a <==> b (“a is equivalent to b”)
  ▶ ...
Beyond boolean Java expressions
How to express the following?
• an array arr only holds values ≤ 2
• the variable m holds the maximum entry of array arr
• all Account objects in the array accountProxies are stored at the index corresponding to their respective accountNumber field
• all created instances of class BankCard have different cardNumbers
First-order Logic in JML Expressions
JML boolean expressions extend Java boolean expressions by:
• implication
• equivalence
• quantification
boolean JML Expressions
boolean JML expressions are defined recursively:
• each side-effect free boolean Java expression is a boolean JML expression
• if a and b are boolean JML expressions, and x is a variable of type t, then the following are also boolean JML expressions:
  ▶ !a (“not a”)
  ▶ a && b (“a and b”)
  ▶ a || b (“a or b”)
  ▶ a ==> b (“a implies b”)
  ▶ a <==> b (“a is equivalent to b”)
  ▶ (\forall t x; a) (“for all x of type t, a is true”)
  ▶ (\exists t x; a) (“there exists x of type t such that a”)
  ▶ (\forall t x; a; b) (“for all x of type t fulfilling a, b is true”)
  ▶ (\exists t x; a; b) (“there exists an x of type t fulfilling a, such that b”)
JML Quantifiers
In
  (\forall t x; a; b)
  (\exists t x; a; b)
a is called the “range predicate”.
These forms are redundant:
  (\forall t x; a; b) is equivalent to (\forall t x; a ==> b)
  (\exists t x; a; b) is equivalent to (\exists t x; a && b)
Pragmatics of Range Predicates
(\forall t x; a; b) and (\exists t x; a; b) are widely used.
Pragmatics of the range predicate: a is used to restrict the range of x further than the type t does.
Example: “arr is sorted at indexes between 0 and 9”:
  (\forall int i, j; 0 <= i && i < j && j < 10; arr[i] <= arr[j])
Using Quantified JML expressions
How to express:
• an array arr only holds values ≤ 2
  (\forall int i; 0 <= i && i < arr.length; arr[i] <= 2)
Using Quantified JML expressions
How to express:
• the variable m holds the maximum entry of array arr
  (\forall int i; 0 <= i && i < arr.length; m >= arr[i])
Is this enough? No: it only says that m is an upper bound of the entries, and any sufficiently large m satisfies that. m must also occur in arr (whenever arr is non-empty):
  arr.length > 0 ==> (\exists int i; 0 <= i && i < arr.length; m == arr[i])
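The two quantified postconditions for “m holds the maximum of arr”, written out as plain Java predicates and applied to a correct and to a deliberately wrong implementation of max(). This is an added example and not code from the slides; the class name MaxSpecCheck, the predicate names isUpperBound/isAttained, the method sloppyMax and the sample array are this example's own constructions.

```java
// Added example (not from the slides): evaluates the two postconditions of the
// "maximum" specification at run time and shows that the \forall clause alone
// also accepts a wrong result. Names and sample data are this example's own.
public final class MaxSpecCheck {

    // (\forall int i; 0 <= i && i < arr.length; m >= arr[i])
    static boolean isUpperBound(int[] arr, int m) {
        for (int i = 0; i < arr.length; i++) {
            if (!(m >= arr[i])) return false;   // range predicate keeps i a valid index
        }
        return true;                            // vacuously true for an empty array
    }

    // arr.length > 0 ==> (\exists int i; 0 <= i && i < arr.length; m == arr[i])
    static boolean isAttained(int[] arr, int m) {
        if (arr.length == 0) return true;       // implication with a false premise
        for (int i = 0; i < arr.length; i++) {
            if (m == arr[i]) return true;
        }
        return false;
    }

    // the complete specification: upper bound AND attained
    static boolean satisfiesMaxSpec(int[] arr, int m) {
        return isUpperBound(arr, m) && isAttained(arr, m);
    }

    // correct implementation: linear scan (requires arr.length > 0)
    static int max(int[] arr) {
        int m = arr[0];
        for (int i = 1; i < arr.length; i++) {
            if (arr[i] > m) m = arr[i];
        }
        return m;
    }

    // wrong implementation that nevertheless satisfies the \forall clause alone
    static int sloppyMax(int[] arr) {
        return Integer.MAX_VALUE;
    }

    public static void main(String[] args) {
        int[] arr = {3, -7, 42, 0, 42, 5};     // constructed sample input
        int good = max(arr);
        int bad = sloppyMax(arr);
        System.out.println("max()       = " + good
            + "  upperBound=" + isUpperBound(arr, good) + " attained=" + isAttained(arr, good));
        System.out.println("sloppyMax() = " + bad
            + "  upperBound=" + isUpperBound(arr, bad) + " attained=" + isAttained(arr, bad));
        System.out.println("full spec holds for max():       " + satisfiesMaxSpec(arr, good));
        System.out.println("full spec holds for sloppyMax(): " + satisfiesMaxSpec(arr, bad));
    }
}
```

Running main() shows sloppyMax() passing isUpperBound but failing isAttained, which is exactly the gap the \exists clause closes: a postcondition that is merely satisfiable by too many results is a weak contract, and the two clauses together pin the result down.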
Using Quantified JML expressions
How to express:
• all Account objects in the array accountProxies are stored at the index corresponding to their respective accountNumber field
  (\forall int i; 0 <= i && i < maxAccountNumber; accountProxies[i].accountNumber == i)
(This expression presupposes that accountProxies has at least maxAccountNumber entries and that none of the entries in that range is null; otherwise the field access inside the quantifier is not well-defined.)
Using Quantified JML expressions
How to express:
• all created instances of class BankCard have different cardNumbers
  (\forall BankCard p1, p2; \created(p1) && \created(p2);
     p1 != p2 ==> p1.cardNumber != p2.cardNumber)
Note:
• JML quantifiers range also over non-created objects
• same for quantifiers in KeY!
• in JML, restrict to created objects with \created
• in KeY? (⇒ coming lecture)
Example: Specifying LimitedIntegerSet
```java
public class LimitedIntegerSet {
    public final int limit;
    private int arr[];
    private int size = 0;

    public LimitedIntegerSet(int limit) {
        this.limit = limit;
        this.arr = new int[limit];
    }

    public boolean add(int elem) { /*...*/ }
    public void remove(int elem) { /*...*/ }
    public boolean contains(int elem) { /*...*/ }
    // other methods
}
```
Prerequisites: Adding Specification Modifiers
```java
public class LimitedIntegerSet {
    public final int limit;
    private /*@ spec_public @*/ int arr[];
    private /*@ spec_public @*/ int size = 0;

    public LimitedIntegerSet(int limit) {
        this.limit = limit;
        this.arr = new int[limit];
    }

    public boolean add(int elem) { /*...*/ }
    public void remove(int elem) { /*...*/ }
    public /*@ pure @*/ boolean contains(int elem) { /*...*/ }
    // other methods
}
```
Specifying contains()
  public /*@ pure @*/ boolean contains(int elem) { /*...*/ }
pure: the method has no effect on the state.
How to specify the result value?
Result Values in Postcondition
In postconditions, one can use ‘\result’ to refer to the return value of the method.
```java
/*@ public normal_behavior
  @ ensures \result == (\exists int i;
  @                       0 <= i && i < size;
  @                       arr[i] == elem);
  @*/
public /*@ pure @*/ boolean contains(int elem) { /*...*/ }
```
Specifying add() (spec-case1)
```java
/*@ public normal_behavior
  @ requires size < limit && !contains(elem);
  @ ensures \result == true;
  @ ensures contains(elem);
  @ ensures (\forall int e;
  @             e != elem;
  @             contains(e) <==> \old(contains(e)));
  @ ensures size == \old(size) + 1;
  @
  @ also
  @
  @ <spec-case2>
  @*/
public boolean add(int elem) { /*...*/ }
```
Specifying add() (spec-case2)
```java
/*@ public normal_behavior
  @
  @ <spec-case1>
  @
  @ also
  @
  @ public normal_behavior
  @ requires (size == limit) || contains(elem);
  @ ensures \result == false;
  @ ensures (\forall int e;
  @             contains(e) <==> \old(contains(e)));
  @ ensures size == \old(size);
  @*/
public boolean add(int elem) { /*...*/ }
```
Specifying remove()
```java
/*@ public normal_behavior
  @ ensures !contains(elem);
  @ ensures (\forall int e;
  @             e != elem;
  @             contains(e) <==> \old(contains(e)));
  @ ensures \old(contains(elem))
  @             ==> size == \old(size) - 1;
  @ ensures !\old(contains(elem))
  @             ==> size == \old(size);
  @*/
public void remove(int elem) { /*...*/ }
```
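One implementation of LimitedIntegerSet that satisfies the add(), remove() and contains() contracts above, with the slides' JML attached, plus a small run-time harness that snapshots the pre-state (standing in for \old) and checks each postcondition after the call. This is an added example, not the slides' or any JML tool's code; the method bodies, the harness (snapshot, sameExcept, checkedAdd, checkedRemove) and the sample run in main() are this example's own.

```java
// Added example (not from the slides): LimitedIntegerSet meeting the contracts
// from the slides, plus a run-time check of those contracts. The harness below
// is this example's own construction, not JML runtime-assertion tooling.
public class LimitedIntegerSet {
    public final int limit;
    private /*@ spec_public @*/ int arr[];
    private /*@ spec_public @*/ int size = 0;

    public LimitedIntegerSet(int limit) {
        this.limit = limit;
        this.arr = new int[limit];
    }

    /*@ public normal_behavior
      @ ensures \result == (\exists int i; 0 <= i && i < size; arr[i] == elem);
      @*/
    public /*@ pure @*/ boolean contains(int elem) {
        for (int i = 0; i < size; i++) if (arr[i] == elem) return true;
        return false;
    }

    /*@ public normal_behavior
      @ requires size < limit && !contains(elem);
      @ ensures \result == true && contains(elem) && size == \old(size) + 1;
      @ ensures (\forall int e; e != elem; contains(e) <==> \old(contains(e)));
      @ also
      @ public normal_behavior
      @ requires (size == limit) || contains(elem);
      @ ensures \result == false && size == \old(size);
      @ ensures (\forall int e; contains(e) <==> \old(contains(e)));
      @*/
    public boolean add(int elem) {
        if (size == limit || contains(elem)) return false;
        arr[size++] = elem;            // append; the contract fixes no order
        return true;
    }

    /*@ public normal_behavior
      @ ensures !contains(elem);
      @ ensures (\forall int e; e != elem; contains(e) <==> \old(contains(e)));
      @ ensures \old(contains(elem)) ==> size == \old(size) - 1;
      @ ensures !\old(contains(elem)) ==> size == \old(size);
      @*/
    public void remove(int elem) {
        for (int i = 0; i < size; i++) {
            if (arr[i] == elem) {
                arr[i] = arr[--size];  // overwrite with the last element
                return;
            }
        }
    }

    // ---- run-time check of the contracts (this example's harness) ----

    // \old(...) refers to the pre-state; a copy of the set stands in for it.
    private LimitedIntegerSet snapshot() {
        LimitedIntegerSet s = new LimitedIntegerSet(limit);
        System.arraycopy(arr, 0, s.arr, 0, size);
        s.size = size;
        return s;
    }

    // (\forall int e; e != elem; contains(e) <==> \old(contains(e))) quantifies over
    // every int; membership depends only on the stored elements, so checking the
    // elements of the pre-state and of the post-state is equivalent.
    private static boolean sameExcept(LimitedIntegerSet pre, LimitedIntegerSet post, int elem) {
        for (int i = 0; i < pre.size; i++)
            if (pre.arr[i] != elem && !post.contains(pre.arr[i])) return false;
        for (int i = 0; i < post.size; i++)
            if (post.arr[i] != elem && !pre.contains(post.arr[i])) return false;
        return true;
    }

    public boolean checkedAdd(int elem) {
        LimitedIntegerSet old = snapshot();
        boolean result = add(elem);
        boolean ok;
        if (old.size < limit && !old.contains(elem)) {                 // spec-case 1 applies
            ok = result && contains(elem) && size == old.size + 1 && sameExcept(old, this, elem);
        } else {                                                        // spec-case 2 applies
            ok = !result && size == old.size && contains(elem) == old.contains(elem)
                 && sameExcept(old, this, elem);
        }
        if (!ok) throw new AssertionError("add(" + elem + ") violated its contract");
        return result;
    }

    public void checkedRemove(int elem) {
        LimitedIntegerSet old = snapshot();
        remove(elem);
        boolean ok = !contains(elem) && sameExcept(old, this, elem)
                     && size == (old.contains(elem) ? old.size - 1 : old.size);
        if (!ok) throw new AssertionError("remove(" + elem + ") violated its contract");
    }

    public static void main(String[] args) {
        LimitedIntegerSet s = new LimitedIntegerSet(3);   // constructed sample run
        System.out.println(s.checkedAdd(5));    // true   (spec-case 1)
        System.out.println(s.checkedAdd(5));    // false  (spec-case 2: already contained)
        System.out.println(s.checkedAdd(7));    // true
        System.out.println(s.checkedAdd(9));    // true, now size == limit
        System.out.println(s.checkedAdd(11));   // false  (spec-case 2: set is full)
        s.checkedRemove(7);                      // contained: size shrinks to 2
        s.checkedRemove(7);                      // absent: size unchanged
        System.out.println(s.contains(7) + " " + s.size);  // false 2
    }
}
```

The harness makes two points the slides leave implicit: \old needs an actual copy of the pre-state, since the post-state has already been overwritten when the postcondition is evaluated, and a quantifier over all int is only checkable at run time because membership is determined by finitely many stored elements.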
Specifying Data Constraints
So far: JML used to specify method specifics.
How to specify constraints on class data, e.g.:
• consistency of redundant data representations (like indexing)
• restrictions for efficiency (like sortedness)
Data constraints are global: all methods must preserve them.
Consider LimitedSortedIntegerSet
```java
public class LimitedSortedIntegerSet {
    public final int limit;
    private int arr[];
    private int size = 0;

    public LimitedSortedIntegerSet(int limit) {
        this.limit = limit;
        this.arr = new int[limit];
    }

    public boolean add(int elem) { /*...*/ }
    public void remove(int elem) { /*...*/ }
    public boolean contains(int elem) { /*...*/ }
    // other methods
}
```
Consequence of Sortedness for Implementations
method contains
• can employ binary search (logarithmic complexity)
• why is that sufficient?
• it assumes sortedness in pre-state
method add
• searches first index with bigger element, inserts just before that
• thereby tries to establish sortedness in post-state
• why is that sufficient?
• it assumes sortedness in pre-state
method remove
• (accordingly)
Specifying Sortedness with JML
Recall the class fields:
  public final int limit;
  private int arr[];
  private int size = 0;
Sortedness as a JML expression:
  (\forall int i; 0 < i && i < size; arr[i-1] <= arr[i])
(What is the value of this if size < 2? The range predicate holds for no i, so the \forall is vacuously true: a set with fewer than two elements is trivially sorted.)
Specifying Sorted contains()
Can assume sortedness of the pre-state:
```java
/*@ public normal_behavior
  @ requires (\forall int i; 0 < i && i < size;
  @                        arr[i-1] <= arr[i]);
  @ ensures \result == (\exists int i;
  @                       0 <= i && i < size;
  @                       arr[i] == elem);
  @*/
public /*@ pure @*/ boolean contains(int elem) { /*...*/ }
```
contains() is pure ⇒ sortedness of the post-state is trivially ensured.
![Page 64: Fundamentals of Software Engineering - Java Modeling Language](https://reader031.vdocument.in/reader031/viewer/2022021617/620ad858102c842150361c95/html5/thumbnails/64.jpg)
Specifying Sorted remove()
can assume sortedness of pre-state
must ensure sortedness of post-state

```java
/*@ public normal_behavior
  @ requires (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @ ensures !contains(elem);
  @ ensures (\forall int e;
  @            e != elem;
  @            contains(e) <==> \old(contains(e)));
  @ ensures \old(contains(elem))
  @           ==> size == \old(size) - 1;
  @ ensures !\old(contains(elem))
  @           ==> size == \old(size);
  @ ensures (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @*/
public void remove(int elem) { /*...*/ }
```
Specifying Sorted add() (spec-case1)
```java
/*@ public normal_behavior
  @ requires (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @ requires size < limit && !contains(elem);
  @ ensures \result == true;
  @ ensures contains(elem);
  @ ensures (\forall int e;
  @            e != elem;
  @            contains(e) <==> \old(contains(e)));
  @ ensures size == \old(size) + 1;
  @ ensures (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @
  @ also <spec-case2>
  @*/
public boolean add(int elem) { /*...*/ }
```
Specifying Sorted add() (spec-case2)
```java
/*@ <spec-case1> also
  @
  @ public normal_behavior
  @ requires (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @ requires (size == limit) || contains(elem);
  @ ensures \result == false;
  @ ensures (\forall int e;
  @            contains(e) <==> \old(contains(e)));
  @ ensures size == \old(size);
  @ ensures (\forall int i; 0 < i && i < size;
  @                         arr[i-1] <= arr[i]);
  @*/
public boolean add(int elem) { /*...*/ }
```
Factor out Sortedness
so far: ‘sortedness’ has swamped our specification

we can do better, using

JML Class Invariant

construct for specifying data constraints centrally

1. delete the blue and red parts (the sortedness pre- and postconditions) from the previous slides
2. add ‘sortedness’ as a JML class invariant instead
JML Class Invariant
```java
public class LimitedSortedIntegerSet {
    public final int limit;

    /*@ public invariant (\forall int i;
      @                     0 < i && i < size;
      @                     arr[i-1] <= arr[i]);
      @*/
    private /*@ spec_public @*/ int arr[];
    private /*@ spec_public @*/ int size = 0;

    // constructor and methods,
    // without sortedness in pre/post-conditions
}
```
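As an added example (not code from the slides), here is a Java implementation of LimitedSortedIntegerSet that keeps the factored-out class invariant and the contains()/add()/remove() contracts from the earlier slides, minus the sortedness clauses; the constructor, the method bodies and the runtime check invariantHolds() are assumptions made here, not the lecture's code.

```java
// Added example, not the lecture's code: the class invariant from the slide
// above plus method bodies (assumed here) that maintain it. invariantHolds()
// mirrors the JML \forall at runtime, as a JML runtime checker would.
public class LimitedSortedIntegerSet {
    public final int limit;

    /*@ public invariant (\forall int i;
      @                     0 < i && i < size;
      @                     arr[i-1] <= arr[i]);
      @*/
    private /*@ spec_public @*/ int arr[];
    private /*@ spec_public @*/ int size = 0;

    public LimitedSortedIntegerSet(int limit) {   // assumed constructor
        this.limit = limit;
        this.arr = new int[limit];
    }

    // Runtime mirror of the invariant. For size < 2 the loop body never runs,
    // matching the \forall over an empty range, which is vacuously true.
    public /*@ pure @*/ boolean invariantHolds() {
        for (int i = 1; i < size; i++) {
            if (arr[i - 1] > arr[i]) return false;
        }
        return true;
    }

    /*@ public normal_behavior
      @ ensures \result == (\exists int i; 0 <= i && i < size; arr[i] == elem);
      @*/
    public /*@ pure @*/ boolean contains(int elem) {
        // Binary search is only correct because the invariant guarantees sortedness.
        int lo = 0, hi = size - 1;
        while (lo <= hi) {
            int mid = (lo + hi) >>> 1;
            if (arr[mid] == elem) return true;
            if (arr[mid] < elem) lo = mid + 1; else hi = mid - 1;
        }
        return false;
    }

    /*@ public normal_behavior
      @ requires size < limit && !contains(elem);
      @ ensures \result && contains(elem) && size == \old(size) + 1;
      @ also
      @ public normal_behavior
      @ requires size == limit || contains(elem);
      @ ensures !\result && size == \old(size);
      @*/
    public boolean add(int elem) {
        if (size == limit || contains(elem)) return false;
        int pos = size;
        while (pos > 0 && arr[pos - 1] > elem) {   // shift larger elements right
            arr[pos] = arr[pos - 1];
            pos--;
        }
        arr[pos] = elem;                           // insert at the sorted position
        size++;
        return true;
    }

    /*@ public normal_behavior
      @ ensures !contains(elem);
      @ ensures \old(contains(elem)) ==> size == \old(size) - 1;
      @ ensures !\old(contains(elem)) ==> size == \old(size);
      @*/
    public void remove(int elem) {
        int pos = 0;
        while (pos < size && arr[pos] != elem) pos++;
        if (pos == size) return;                   // absent: state unchanged
        for (int i = pos; i < size - 1; i++) arr[i] = arr[i + 1];  // close the gap
        size--;
    }
}
```

Because sortedness is an invariant rather than a precondition, invariantHolds() must be true on entry and exit of every public method, which is exactly what lets contains() rely on binary search.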
JML Class Invariant
• a JML class invariant can be placed anywhere in the class
• (contrast: a method contract must be placed directly in front of its method)
• it is customary to place a class invariant in front of the fields it talks about
Instance vs. Static Invariants
instance invariants
  can refer to instance fields of this object
  (unqualified, like ‘size’, or qualified with ‘this’, like ‘this.size’)
  JML syntax: instance invariant

static invariants
  cannot refer to instance fields of this object
  JML syntax: static invariant

both
  can refer to
  – static fields
  – instance fields via explicit reference, like ‘o.size’

in classes: instance is default (static in interfaces)
if instance or static is omitted ⇒ instance invariant!
Static JML Invariant Example
```java
public class BankCard {
    /*@ public static invariant
      @   (\forall BankCard p1, p2;
      @            \created(p1) && \created(p2);
      @            p1 != p2 ==> p1.cardNumber != p2.cardNumber);
      @*/
    private /*@ spec_public @*/ int cardNumber;

    // rest of class follows
}
```
Recall Specification of enterPIN()
```java
private /*@ spec_public @*/ BankCard insertedCard = null;
private /*@ spec_public @*/ int wrongPINCounter = 0;
private /*@ spec_public @*/ boolean customerAuthenticated = false;

/*@ <spec-case1> also <spec-case2> also <spec-case3>
  @*/
public void enterPIN (int pin) { ...
```

last lecture: all 3 spec-cases were normal_behavior
Specifying Exceptional Behavior of Methods
normal_behavior specification case, with preconditions P,
forbids the method to throw an exception if the pre-state satisfies P

exceptional_behavior specification case, with preconditions P,
requires the method to throw an exception if the pre-state satisfies P

keyword signals specifies the post-state, depending on the thrown exception

keyword signals_only limits the types of exception that may be thrown
Completing Specification of enterPIN()
```java
/*@ <spec-case1> also <spec-case2> also <spec-case3> also
  @
  @ public exceptional_behavior
  @ requires insertedCard == null;
  @ signals_only ATMException;
  @ signals (ATMException) !customerAuthenticated;
  @*/
public void enterPIN (int pin) { ...
```

in case insertedCard == null in pre-state
• an exception must be thrown (‘exceptional_behavior’)
• it can only be an ATMException (‘signals_only’)
• method must then ensure !customerAuthenticated in post-state (‘signals’)
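As an added example (not the lecture's code), an ATM class whose enterPIN() satisfies the exceptional_behavior case above, together with a runtime check that does what a JML runtime assertion checker does for signals_only and signals. ATMException, BankCard.correctPIN, insertCard() and the normal PIN-comparison path are assumptions made here; the lecture's <spec-case1..3> are not reproduced.

```java
// Added example, not the lecture's code. Only the exceptional_behavior case
// from the slide is specified; the normal path is an assumed placeholder.
public class ATM {
    public static class ATMException extends RuntimeException {
        public ATMException(String msg) { super(msg); }
    }

    public static class BankCard {
        private final int correctPIN;   // assumed field, not on the slides
        public BankCard(int correctPIN) { this.correctPIN = correctPIN; }
    }

    // nullable: the exceptional case's precondition needs insertedCard == null,
    // and non_null is JML's default for reference-typed fields
    private /*@ spec_public nullable @*/ BankCard insertedCard = null;
    private /*@ spec_public @*/ int wrongPINCounter = 0;
    private /*@ spec_public @*/ boolean customerAuthenticated = false;

    public void insertCard(/*@ non_null @*/ BankCard card) {
        insertedCard = card;
        wrongPINCounter = 0;
        customerAuthenticated = false;
    }

    public /*@ pure @*/ boolean isCustomerAuthenticated() { return customerAuthenticated; }

    /*@ public exceptional_behavior
      @ requires insertedCard == null;
      @ signals_only ATMException;
      @ signals (ATMException) !customerAuthenticated;
      @*/
    public void enterPIN(int pin) {
        if (insertedCard == null) {
            // reset before throwing, so the signals clause holds in the
            // post-state regardless of what an earlier session left behind
            customerAuthenticated = false;
            throw new ATMException("no card inserted");
        }
        // assumed normal path; the lecture's spec-cases 1-3 are not reproduced
        if (pin == insertedCard.correctPIN) {
            customerAuthenticated = true;
        } else {
            wrongPINCounter++;
        }
    }

    // Runtime mirror of the exceptional specification case: in a pre-state
    // without a card, enterPIN must throw (exceptional_behavior), the exception
    // must be an ATMException (signals_only) and !customerAuthenticated must
    // hold afterwards (signals). Any other outcome is a contract violation.
    public static boolean exceptionalCaseHolds(ATM atm, int pin) {
        if (atm.insertedCard != null) return true;  // precondition false: case does not apply
        try {
            atm.enterPIN(pin);
            return false;                           // terminated normally: violation
        } catch (ATMException e) {
            return !atm.customerAuthenticated;      // signals clause
        } catch (RuntimeException e) {
            return false;                           // wrong exception type: violation
        }
    }

    public static void main(String[] args) {
        ATM atm = new ATM();
        System.out.println("exceptional case honoured: " + exceptionalCaseHolds(atm, 1234));
        atm.insertCard(new BankCard(1234));
        atm.enterPIN(1234);
        System.out.println("authenticated after correct PIN: " + atm.isCustomerAuthenticated());
    }
}
```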
signals_only Clause: General Case
an exceptional specification case can have one clause of the form
signals_only (E1,..., En);
where E1,..., En are exception types
Meaning:
if an exception is thrown, it is of type E1 or ... or En
signals Clause: General Case
an exceptional specification case can have several clauses of the form
signals (E) b;
where E is exception type, b is boolean expression
Meaning:
if an exception of type E is thrown, b holds in post condition
Allowing Non-Termination
by default, both
• normal_behavior
• exceptional_behavior
specification cases enforce termination

in each specification case, non-termination can be permitted via the clause

diverges true;

Meaning:
given the precondition of the specification case holds in the pre-state, the method may or may not terminate
Further Modifiers: non_null and nullable
JML extends the Java modifiers by further modifiers:
• class fields
• method parameters
• method return types
can be declared as
• nullable: may or may not be null
• non_null: must not be null
non_null: Examples
```java
private /*@ spec_public non_null @*/ String name;
```

implicit invariant ‘public invariant name != null;’ added to class

```java
public void insertCard(/*@ non_null @*/ BankCard card) {..
```

implicit precondition ‘requires card != null;’ added to each specification case of insertCard

```java
public /*@ non_null @*/ String toString()
```

implicit postcondition ‘ensures \result != null;’ added to each specification case of toString
non_null is default in JML!
⇒ same effect even without explicit ‘non_null’s

```java
private /*@ spec_public @*/ String name;
```

implicit invariant ‘public invariant name != null;’ added to class

```java
public void insertCard(BankCard card) {..
```

implicit precondition ‘requires card != null;’ added to each specification case of insertCard

```java
public String toString()
```

implicit postcondition ‘ensures \result != null;’ added to each specification case of toString
nullable: Examples
To prevent such pre/post-conditions and invariants: ‘nullable’
private /*@ spec_public nullable @*/ String name;
no implicit invariant added
public void insertCard(/*@ nullable @*/ BankCard card) {..
no implicit precondition added
public /*@ nullable @*/ String toString()
no implicit postcondition added to specification cases of toString
LinkedList: non_null or nullable?
```java
public class LinkedList {
    private Object elem;
    private LinkedList next;
    ....
```

In JML this means:
• all elements in the list are non_null
• the list is cyclic, or infinite!
LinkedList: non_null or nullable?
Repair:

```java
public class LinkedList {
    private Object elem;
    private /*@ nullable @*/ LinkedList next;
    ....
```

⇒ Now, the list is allowed to end somewhere!
Final Remark on non_null and nullable
non_null has been the default in JML only for a few years.
⇒ Older JML tutorials or articles may not use the non_null-by-default semantics.
JML and Inheritance
All JML contracts, i.e.
• specification cases
• class invariants
are inherited down from superclasses to subclasses.
A class has to fulfill all contracts of its superclasses.
in addition, the subclass may add further specification cases, starting with also:

```java
/*@ also
  @
  @ <subclass-specific-spec-cases>
  @*/
public void method () { ...
```
Tools
Many tools support JML (see http://www.jmlspecs.org).
On the course website you will find a link explaining how to install a JML checker for Eclipse that works with newer Java versions.
Literature for this Lecture
essential reading:

A. Roth and Peter H. Schmitt: Formal Specification. Chapter 5 (only sections 5.1 and 5.3) of the KeY Book: B. Beckert, R. Hähnle, and P. Schmitt, editors. Verification of Object-Oriented Software: The KeY Approach, vol. 4334 of LNCS. Springer, 2006.

further reading, all available at www.eecs.ucf.edu/~leavens/JML/documentation.shtml:

JML Reference Manual: Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, and Joseph Kiniry. JML Reference Manual.
JML Tutorial: Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML.
JML Overview: Gary T. Leavens, Albert L. Baker, and Clyde Ruby. JML: A Notation for Detailed Design.