Defending Against Software Engineering Quagmire: JML

1
Defending Against Quagmire and Failure JML in
Formal Analysis

• The New Java Modeling Language (JML) System
  Addresses the Essence of the Software Problem.

by Christopher Balz 7/3/2004
2
JML Is for You.

• JML specifies modules and works with general
  specification languages
• Have you ever worked on a team with individuals
  implementing pieces that do not fit together, and
  that thus must be re-engineered to work?
• JML is the first to automate your program testing
  using a runtime assertion checker.
• JML is an exciting advance towards automatic
  programming.

3
JML A Practical Specification Language

• JML builds on the Larch Eiffel traditions.
• Built for specifying program modules, as
  distinguished from whole systems.
• JML replaces Larchs math notations by taking
  Eiffels approach for reduced learning curve.
• JML can specify precise conditions for
  exceptions.
• JML comes with a powerful toolset.

4
JML Tools Fill Practicality Gap

• Other specification languages (Z, B notation)
  specify entire systems.
• Reaching actual code is difficult from these
  languages.
• jmlunit, jmlc, and jmldoc dynamically connect
  specification and actual code.

5
JML Specification With Implementation

• Specification is and should be distinct from
  implementation.
• But specification can be used to check
  implementation.
• JML with its tools automatically generates and
  runs unit tests from JUnit, and more.

6
Specification With Implementation How and What

• jmlunit specified module behavior is monitored
  at runtime to determine test pass or fail.
• JMLs jmlc and jmldoc make enforced up-to-date
  documentation.
• Specification of private and protected elements.
• Allows effective implementation of extending
  classes.
• JML will offer even more soon.

7
My Experience with JML

• Read the main JML System documentation.
• For the PET v2 system, implemented a simple
  specification and a few pre- and post- condition
  module checks.
• Ran jmlunit tool on code to generate JUnit tests.
• Performed dry-run runtime assertion checking.
• My skill level still rates as beginner with JML!

8
Drilling Down JML Code Fig. 1

• The power sets of the whole system are defined
• public class PetCycleForm
• extends JFrame
• /_at_
• _at_ public ghost JMLObjectSet JMLLifecycles
  new JMLObjectSet()
• _at_ public ghost JMLObjectSet
  JMLLifecyclePhases new JMLObjectSet()
• _at_ public ghost JMLObjectSet JMLProjects
  new JMLObjectSet()
• _at_ public invariant JMLLifecycles ! null
  JMLLifecyclePhases ! null
• _at_/

9
Drilling Down JML Code Fig. 2

• public class ProjectPhases
• private ArrayList moPD_BOs new ArrayList()
• private ProjectPhasesDO moPP_DO new
  ProjectPhasesDO()
• /_at_
• _at_ public ghost JMLObjectSet
  JMLProjectPhases new JMLObjectSet()
• _at_ public ghost JMLObjectSet
  JMLProjectDeliverables new JMLObjectSet()
• _at_ public ghost JMLObjectSet
  JMLLifeCycleDeliverables new JMLObjectSet()
• _at_ public invariant JMLLifeCycleDeliverables
  ! null
• _at_ public initially ( See 'PetCycleForm'
  for power set definitions.
• _at_ JMLProjectDeliverables
  contains the set of ProjectDeliverables
• _at_ belonging to the
  current ProjectPhase and JMLLifeCycleDeliverables
• _at_ contains the set of
  LifeCycleDeliverables belonging to the current
• _at_ phase. )
• _at_/

10
Drilling Down JML Code Fig. 3

• JML checks pre- and post- conditions at a Java
  method
• From ProjectPhases.java
• /_at_
• _at_ requires aoPD_BO ! null
  !JMLProjectDeliverables.has(aoPD_BO)
• _at_
  JMLLifeCycleDeliverables.has(aoPD_BO)
• _at_ ensures JMLProjectDeliverables.has(aoPD_BO
  )
• _at_/
• public boolean createPD(ProjectDeliverable
  aoPD_BO)

11
JML Tomorrow

• The JML system finished in February 2004.
• Automatic generation of test data is next for
  jmlunit.
• Already adequate documentation will be improved.
• Already easy-to-use GUI tools will be improved.

12
JML and The Essence of the Software Problem

• Fred Brooks No Silver Bullet Essence and
  Accidents of Software Engineering.
• Automatic programming a false hope.
• Too many implementation choices the
  generalization barrier
• JML powerfully enables software quality.
• JML breaks through the generalization barrier!
• Solidly connects code to specification through
  runtime test.
• But leaves many implementation choices.

13
JML and the Immediate Future

• Improved Quality
• Increased ability to test (white box and black
  box) and to take test-first approach.
• More accurate and effective documentation.
• Traversing Quagmire Mozilla.
• Sinking into Failure Netscape.
• Improved Efficiency
• Microsoft Massive resources.
• Build big-company software with small-company
  resources.

14
JML and System Development
High-Level Specification
Low-Level Specification
Z, B
Shorthands
UML
IDEs
JML
Components (J2EE, .NET, Others)
Implementation Code
15
JML and the Future

• Automatic programming 30,000 above the
  quagmire.
• JML offers a new kind of abstraction to specify
  implementation, floating just above
  implementation.
• But implementation must be informed as well from
  the use case/whole-system (high-level).
• Z, B enable specific whole-system view.
• IDE and component (e.G., J2EE) state-of-the-art
  already make many implementation choices.
• Gap still exists between IDE tip and JML tip.
• A.I. techniques can make the remaining
  implementation choices.

16
JML and You

• JML represents a genuinely new, exciting approach
  to software development.
• JML is ready for use, is free, and will be
  improving.
• JML can make your work much more fun, effective,
  and easier.
• Visit http//jmlspecs.org