jml-akom

advertisement
Java Modeling Language
Research Seminars on Software Reuse
Alan Kelon Oliveira de Moraes
<alan@kelon.org>
Summary


Motivation
Design by ContractTM


Java Modeling Language



Some Approaches for DbC
JML Tools
Conclusions
References
2
Motivation
3
What is a component?

A software component is a unit of composition with
contractually specified interfaces and explicit context
dependencies only. A software component can be
independently deployed and is subject to third-party
composition [Szyperski, 2002]
4
[Jézéquel and Meyer, 1997] Design by
Contract: The Lessons of Ariane

On June 4, 1996, the maiden flight of the European
Ariane 5 launcher crashed, about 40 seconds after
takeoff.
$ 500 million software error
The exception was due to a floating point error during
a conversion from a 64-bit floating-point value,
representing the flight’s “horizontal bias,” to a 16-bit
signed integer
You can’t blame management, the language, the
design and the implementation
But you really have to blame reuse specification
Reuse without a precise, rigorous
specification mechanism is a risk of
potentially disastrous proportions.




5
[Alvaro et al., 2005] Software Component
Certification: A Survey

Software components certification is still immature
6
[Meyer, 1998] Providing Trusted Components
to the Industry

Test, test, and retest


The implicit motto of much of the industry, is expensive and
wasteful.
The Trusted Component Project1 proposes to apply a
mix of formal and informal approaches:






Design by contract
Formal validation
OO and reuse techniques
Global public scrutiny
Extensive testing
Metrics efforts
1: http://www.trusted-components.org/
7
What we need?
1.
2.
3.
Theory
Implementation
Tools
8
How to build/assure
reliable components?
9
Design by ContractTM

Software Quality key concerns [Meyer, 1997]:





Reliability: correctness and robustness
Modularity: extendibility and reusability
Compatibility, portability, easy of use, efficiency, timeliness,
economy, functionality
The key factor for reliability is Design by Contract.
Bolstad (2004) states: “DbC is a step on the road
toward quality software”
10
Design by ContractTM



View the relationship between a supplier and its clients
as a formal agreement, expressing each party’s rights
and obligations [Meyer, 1997]
The term Design by Contract first appeared in 1986
[Meyer, 1986] (republished as [Meyer, 1992]), but
formal verification dates back from 1969 [Hoare,
1969]
Brings the specification to source code and make it
explicit
11
Correctness property

Correctness is a relative notion
public void f(int y) {
x = y + 1;
}
?


A software is correct when it is in accordance with its
specification
So is reasonable to use the word consistent software
instead of correct software
[Hoare, 1969]
12
Precondition and Postcondition

Let A be some operation, a correctness formula is an
expression of the form
{P} A {Q}

Any execution of A, starting in a state where P holds,
will terminate in a state where Q holds
E.g.: {x >= 9} x = x+ 5 {x>= 13}
[Hoare, 1969]
13
Precondition and Postcondition
[Meyer, 1997]
14
Class invariants


There is also a need for expressing global properties of
the instances of a class, which must be preserved by
all routines
Invariant rule

An assertion I is a correct class invariant for a class C if and
only if it meets the following two conditions:


Every creation procedure of C, when applied to arguments
satisfying its precondition in a state where the attributes have
their default values, yields a state satisfying I.
Every exported routine of the class, when applied to arguments
and a state satisfying both I and the routine’s precondition, yields
a state satisfying I.
[Meyer, 1997]
15
Assertion


An assertion is an expression involving some entities
of the software, and stating a property that these
entities may satisfy at certain stages of software
execution
A runtime assertion violation is the manifestation of a
bug in the software


A precondition violation is a bug in the client
A postcondition is a bug in the supplier
[Meyer, 1997]
16
Non-redundancy principle


Under no circumstances shall the body of a routine
ever test for the routine’s precondition -> No defensive
programming
However Firesmith (1999) argues that defensive
programming is the right approach to software
development:




Decreases message coupling
Better supports encapsulation
Eliminates concurrency bugs
Eliminates redundant code by reusing precondition checking
code.
[Meyer, 1997]
17
Some Approaches for DbC
18
Eiffel

Eiffel language has a native language support for DbC



[Meyer, 1992a] Applying "Design by Contract“
[Meyer, 1992b] Eiffel: the language
[Meyer, 1997] Object-oriented software construction
19
[Warmer and Kleppe, 1999] The object constraint
language: precise modeling with UML.

OCL (Object Constraint Language) is a textual specification language to adorn UML
diagrams and make a UML model far more semantically precise, detailed and thus
productive (i.e., subject to automated processing leading to code).









Formal language with well-defined semantics based on set theory and first-order
predicate logic
Object-oriented functional language: constructors syntactically combined using functional
nesting and object-oriented navigation in expressions that take objects and/or object
collections as parameters and evaluates to an object and/or an object collection as return
value
Strongly typed language where all expression and sub-expression has a well-defined
type that can be an UML primitive data type, a UML model classifier or a collection of
these
Semantics of an expression defined by its type mapping
Declarative language that specifies what properties the software under construction must
satisfy, not how it shall satisfy them
Side effect free language that cannot alter model elements, but only specify relations
between them (some possibly new but not created by OCL expressions)
Pure specification language that cannot alone execute nor program models but only
describe them
Both a constraint and query language for UML models
There is mappings from OCL to JML [Hamie, 2002]
20
iContract



[Kramer, 1998] iContract - The Java(tm) Design by
Contract(tm) Tool.
Converts from special comments (@pre, @post,
@invariant) to assertion check code that is inserted
into the source-code.
OCL complaint


Supports universal and existential quantifiers in contract
expressions.
It seems to be a good project, but a dead one
21
jContractor




[Karaorman et al., 1999] jContractor: A Reflective Java
Library to Support Design by Contract.
Use of reflection to implement contract at runtime
Last release on 2003
Source code available at
http://jcontractor.sourceforge.net/
22
Contract4J



Uses Java 5 Annotations and/or a JavaBean-like
convention
Generates AspectJ code, however Balzer and
colleagues (2005) argues that aspects can’t implement
contracts…
Source code available at http://www.contract4j.org/
23
Java Modeling Language
24
[Leavens and Cheon, 2005] Design by
Contract with JML

JML is a formal behavioral interface specification
language for Java that contains the essential notations
used in DbC as a subset
25
[Leavens and Cheon, 2005] Design by
Contract with JML

JML uses Java’s notation in assertions that it is easier
for programmers to learn and less intimidating than
languages that use special purpose mathematical
notations.
26
[Leavens and Cheon, 2005] Design by
Contract with JML

In JML, specifications are simple annotation comments
[Leavens et al, 1999]



/*@ … @*/
//@
Unlike normal code comments, a formal specification
in JML is (usually) machine checkable, and so can help
with debugging.
27
JML Syntax [Leavens et al., 1998] [Leavens et
al, 1999] [Leavens and Cheon, 2005]

Precondition


Postcondition


\old(E)
Using private fields in specifications


\result
Previous expression value


/*@ invariant E @*/
Operation’s result


/*@ ensures E; @*/
Invariant


/*@ requires E; @*/
private /*@ spec_public @*/ Type property;
Fields not null

Private /*@ not_null @*/ Type property;
28
JML Syntax

Quantifiers

Iterating over all variables


Verifying if exist variables


(\forall T x; R(x); P(x))
(\exists T x; R(x); P(x))
Num of elements

\num_of
29
Special method annotations

Pure method:




/*@ pure *@/ ReturnType methodName()
A method is pure if it has no side-effects on the program’s
state
Only pure methods are allowed in assertions
Helper method



private /*@ helper @*/ ReturnType methodName()
However, in JML, constructors and methods declared with the
modifier helper are exempted from having to satisfy
invariants.
Such helper methods must be private
30
An Example
class Location {
/** The pathname of a file. */
private /*@ spec_public non_null @*/ String path;
/** Initializes this Location.
* @param fullpath the full pathname
* to the file.
*/
//@ requires fullpath != null;
//@ assignable path;
//@ ensures path.equals(fullpath);
public Location(String fullpath) {
path = fullpath;
}
31
An Example
/** Returns the associated file */
//@ ensures \result != null;
private File getFile() {
if (fileCache == null) {
fileCache = new File(path);
}
return fileCache;
}
32
An Example
/** Is the file readable? */
//@ ensures \result == getFile().canRead();
public /*@ pure @*/ boolean readable() {
return getFile().canRead();
}
/** Copies this location's file
* to the given location's file.
*/
/*@ requires loc != null;
@ ensures \result != null;
@ ensures \result.equals(modTime())
@ && loc.modTime().equals(modTime());
@*/
public Date copyTo(Location loc) throws IOException {… }
33
[Burdy et al., 2003] An overview of JML tools
and applications
JML Tools
34
[Cheon and Leavens, 2002] A Runtime Assertion
Checker for the Java Modeling Language (JML)

jmlc: JML Compiler, a.k.a. runtime assertion checker





“Compiles” the specification into a bytecode
It is slow
jmlrac runs programs compiled with jmlc
The most used tools
They don’t work with Java 5
35
[Flanagan et al., 2002] Extended static
checking for Java.




Extended Static Checking/Java (ESC/Java) developed
by Compaq
Helps a lot while programming
It is neither sound nor complete; that is, it neither
warns about all errors, nor does it warn only about
actual errors.
Eclipse plug-in didn’t work.
36
[Cheon and Leavens, 2002] A Simple and Practical
Approach to Unit Testing: The JML and JUnit Way




jmlunit is a simple and effective technique that
automates the generation of oracles for unit testing
classes from specifications
The developer must only provide the data
[Tan and Edwards, 2004] Experiences evaluating the
effectiveness of JML-JUnit testing
It doesn’t work with Java 5
37
[Raghavan, 2000] Design of a JML
documentation generator



jmldoc is a javadoc specification generator
It is very slow
They don’t work with Java 5
38
Conclusions



Design by Contract is a worth technique to assure
component quality
It is not easy to write postconditions
There are much research on JML, but it isn’t widely
accepted in industry:

“So far we haven't had much industrial use, primarily because
tool support isn't very good”
Gary T. Leavens


Some users: Java Smart Cards in Europe, Fulcrum
Microsystems, Apple's WebObjects frameworks, Kodak and
Compaq
Among the existing DbC tools for Java, JML is the most
suitable for use
39
References







Jézéquel, J. and Meyer, B. 1997. Design by Contract: The Lessons of Ariane.
Computer 30, 1 (Jan. 1997), 129-130.
Alvaro, A.; de Almeida, E.S.; de Lemos Meira, S.R., "Software Component
Certification: A Survey," Software Engineering and Advanced Applications, 2005.
31st EUROMICRO Conference on , vol., no.pp. 106- 113, 30-03 Aug. 2005
Meyer, B. 1992. Applying "Design by Contract". Computer 25, 10 (Oct. 1992), 4051.
Meyer, B. 1997. Object-oriented software construction (2nd ed.). Prentice-Hall,
Inc.
Balzer, S., Eugster, P. and Meyer, B. 2005. Can aspects implement contracts?. In
Proceedings of RISE Workshop (Rapid Integration of Software Engineering
techniques), Heraklion, Crete, Greece, September 2005, to appear as SpringerVerlag Lecture Notes in Computer Science, 2005.
Meyer, B., Mingins, C., and Schmidt, H. 1998. Providing Trusted Components to
the Industry. Computer 31, 5 (May. 1998), 104-105.
Kramer, R. 1998. iContract - The Java(tm) Design by Contract(tm) Tool. In
Proceedings of the Technology of Object-Oriented Languages and Systems
(August 03 - 07, 1998). TOOLS. IEEE Computer Society, Washington, DC, 295.
40
References





Karaorman, M., Hölzle, U., and Bruno, J. L. 1999. jContractor: A
Reflective Java Library to Support Design by Contract. In Proceedings of
the Second international Conference on Meta-Level Architectures and
Reflection (July 19 - 21, 1999). P. Cointe, Ed. Lecture Notes In Computer
Science, vol. 1616. Springer-Verlag, London, 175-196.
Leavens, G. T. and Cheon, Y. Design by Contract with JML, available at
ftp://ftp.cs.iastate.edu/pub/leavens/JML/jmldbc.pdf
Firesmith, D. G. 1999. A Comparison of Defensive Development and
Design by Contract. In Proceedings of the Technology of Object-Oriented
Languages and Systems (August 01 - 05, 1999). TOOLS. IEEE Computer
Society, Washington, DC, 258.
G. T. Leavens, A. L. Baker, and C. Ruby. JML: A notation for detailed
design. In H. Kilov, B. Rumpe, and I. Simmonds, editors, Behavioral
Specifications of Businesses and Systems, pages 175-188. Kluwer
Academic Publishers, Boston, 1999.
Gary T. Leavens, Albert L. Baker, and Clyde Ruby. Preliminary Design of
JML: A Behavioral Interface Specification Language for Java. Department
of Computer Science, Iowa State University, TR #98-06-rev28, June
1998
41
References




Meyer, B. 1992 Eiffel: the language. Prentice-Hall, Inc.
Burdy, L., Cheon, Y., Cok, D., Ernst, M., Kiniry, J., Leavens, G.T., Rustan,
K., Leino, M. and Poll, E., An overview of JML tools and applications.
Workshop on Formal Methods for Industrial Critical Systems (FMICS),
2003.
Yoonsik Cheon and Gary T. Leavens. A Runtime Assertion Checker for the
Java Modeling Language (JML). In Hamid R. Arabnia and Youngsong Mun
(eds.), International Conference on Software Engineering Research and
Practice (SERP '02), Las Vegas, Nevada. CSREA Press, June 2002, pages
322-328.
Yoonsik Cheon and Gary T. Leavens. A Simple and Practical Approach to
Unit Testing: The JML and JUnit Way. In Boris Magnusson (ed.), ECOOP
2002 -- Object-Oriented Programming, 16th European Conference,
Malaga, Spain, June 2002, Proceedings. Volume 2374 of Lecture Notes in
Computer Science, Springer Verlag, 2002, pages 231-255.
42
References








Arun D. Raghavan. Design of a JML documentation generator. Technical Report 0012, Iowa State University, Department of Computer Science, July 2000.
Bolstad, M., "Design by contract: a simple technique for improving the quality of
software," Users Group Conference, 2004. Proceedings , vol., no.pp. 303- 307, 711 June 2004
Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B.
Saxe, and Raymie Stata. Extended static checking for Java. In Proceedings of the
2002 ACM SIGPLAN Conference on Programming Language Design and
Implementation (PLDI), volume 37(5) of SIGPLAN Notices, pages 234-245. ACM,
May 2002.
Ali Hamie. Towards Verifying Java Realizations of OCL-Constrained Design Models
Using JML. In 6th IASTED International Conference on Software Engineering and
Applications, MIT, Cambridge, USA, 2002.
Warmer, J. and Kleppe, A. 1999 The object constraint language: precise modeling
with UML. Addison-Wesley Longman Publishing Co., Inc.
Meyer, B. 1986. Design by Contract, Technical Report TR-EI-12/CO, Interactive
Software Engineering Inc.
Hoare, C. A. 1969. An axiomatic basis for computer programming. Commun. ACM
12, 10 (Oct. 1969), 576-580.
Szyperski, C. 2002 Component Software: Beyond Object-Oriented Programming.
2nd. Addison-Wesley Longman Publishing Co., Inc.
43
Download