Exercises with JML and ESC/Java2
(More teaching material for JML is available in
JML sourceforge wiki.
In particular, Cormac Flanagan's
Quicksort homework exercise might be a nice
follow-up exercise to give students.)
Exercises with JML and ESC/Java2
Below are three exercises using the formal specification language
JML
and the program verification tool
ESC/Java2.
The exercises can be done by undergraduate students without
any prior exposure to formal methods
and only basic knowledge of Java.
The exercises all involve making design decisions explicit by means of JML
preconditions and invariants, in the Design-By-Contract style. The aim of the
exercises is to experience how making implicit assumptions explicit as
preconditions and invariants can help us to detect program bugs, in this case
using the automated program verification tool ESC/Java2.
The specification language JML
The exercises require only minimal knowledge of JML
(of Java, for that matter). The only JML keywords you need to know are
- requires for preconditions
- invariant for invariants (by which we mean class invariants aka object invariants, not
loop invariants)
- ensures for postconditions
These keywords (plus a few more that you won't really need for these
exercises) are explained in these slides.
The program verification tool ESC/Java2
ESC/Java2
is an automated program verification tool (aka extended static checker)
for Java programs. Information on downloading and installing it is
available from the
ESC/Java2 webpage.
(Thanks to Joe Kiniry for keeping
ESC/Java(2) alive!)
Students here in Nijmegen
can use ESC/Java2 on the department computers.
The exercises
There are three exercises to try:
Some hints to keep you out of trouble with the tool:
- Only look at the first warning that ESC/Java2 produces, and ignore the
others, until you've managed to get rid of this first one.
-
The only JML keywords you'll need are
requires,
invariant, and
ensures.
If you want, you can also use
non_null
as an abbreviation and experiment with other features.
- Don't use the Java shorthand x+=10 for x = x+10.
- Whenever possible, split invariants than contain conjunctions into
several smaller invariants. The tool then provides better feedback.
So instead of
//@ invariant A && B;
write
//@ invariant A;
//@ invariant B;
The same goes for preconditions (aka requires clauses).
- If the tool complains of invariant violations, it produces a lot of
information that is hard to interpret. The crucial information to look
at is
- the line number saying which invariant is
violated, and
- the line number saying where this
invariant is violated.
NB beware that calling a method on some object
may break the invariant of another object. For instance,
in the taxpayer exercise, calling a method
on a TaxPayer may break the invariant of his or her spouse.
Reflection
Some questions to consider
- In the end, do you think that you found all problems?
Are you certain now that the code is correct?
- Can you think of ways in which the tool or the specification
language could be improved?
- Instead of the tool we used, can you think of other ways (formal or informal,
tool-supported or not) to find the problems that the tool found? If so,
would these alternatives
-
find fewer of the problems, the same, or more?
-
find problems sooner or later than the current approach?
-
require more work or less work?
-
provide you with more confidence or less
confidence that the code is correct?