Specification with JML - PowerPoint PPT Presentation

Slides: 16
Provided by: csM8

1
Specification with JML
  • Formal Methods se304/cs407

2
Overview
  • JML Review
  • JML Keywords
  • Requirements Exploration (informal)
  • Formal Specification
  • Implementation
  • Bounded Binary Tree Example

3
JML Review
  • JML is a specification language
    • Specify the model
    • Specify method contracts
  • JML is a rich specification language
  • DbC is a style that is supported by JML
  • Reference Manual
    • http://www.cs.iastate.edu/~leavens/JML/jmlrefman/

4
Modeling Keywords
  • model
    • Attributes of the spec, NOT Java code
    • //@ public model int i;
  • invariant
    • A predicate over the attributes
    • //@ invariant 0 < i;

5
Java Model Keywords
  • non_null
    • Attributes that are NEVER null
    • private /*@ non_null @*/ Object a;
  • spec_public
    • Private attributes that are used in the spec
    • private /*@ spec_public @*/ int size;

6
DbC Keywords
  • requires
    • Predicate assumed true by the method
    • //@ requires size < maxSize;
  • ensures
    • Predicate guaranteed by the method
    • //@ ensures a != null;
  • also
    • Used for behavioural subtyping (outside the scope
      of this course)

7
Valuation Keywords
  • old
    • The value of an attribute before the method call
    • //@ ensures size > \old(size);
  • result
    • The value returned by the method
    • //@ ensures \result == size - 1;

8
Quantifier Keywords
  • exists
    • Predicate is true of at least one value
    • //@ (\exists i; 0 < i && i < 50; i == 10)
  • forall
    • Predicate is true for all values
    • //@ (\forall i; 0 < i && i < 10; i*i < 100)

9
Exception Keywords
  • signals
    • If the method generates an exception,
      this predicate will hold
    • //@ signals (Exception e) size == \old(size);
  • normal_behaviour
    • The method never generates an exception
    • //@ normal_behaviour
    • //@   (contract goes here)

10
Requirements Exploration
  • Given a one-sentence description of something
  • -> Expand it into a full English description
  • If you had never heard of the concept, would you
    understand the description?
  • If you make assumptions about the description,
    state them completely
  • Use precise meanings when appropriate

11
Formal Specification
  • The informal specification is refined, making
    decisions about the precise meaning
  • Document the decisions
  • It constrains the informal spec, not the code
  • Different code could implement the formal spec
  • Should show the structure of the class abstractly
  • Should make clear what needs to be coded
  • Should be unambiguous

12
Implementation
  • Code that implements the specification
  • Obeys the spec, with efficiency gains where possible
  • It should be clear how the implementation relates
    to the specification
  • It should be clear what decisions were made
  • You only need to implement what you are asked to.
  • If it makes sense, add whatever else should be
    included

13
Bounded Binary Tree
  • A bounded binary tree is a tree of fixed size in
    which each node has at most two children.
  • The left node's value is less than the parent's
    value
  • The right node's value is greater than the parent's
    value

14
Bounded Binary Tree Spec 1
  • A BoundedBinaryTree is a collection of data
  • It has an upper limit on how many items it holds
  • It stores the data in an order defined by
    leftNode.value < value < rightNode.value
  • -> Design Decision: No repeated elements
  • It should support Comparable objects
  • -> Design Decision: No other type checking

15
Bounded Binary Tree Spec 2
  • It supports the following operations
  • insert(Comparable object)
    • The object should not already be in the tree
    • The object should be in the tree after insertion
    • The tree should be larger
  • remove(Comparable object)
    • The object should already be in the tree
    • The object should not be in the tree after
      removal
    • The tree should be smaller
  • size
    • The number of objects in the tree
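Spec 1 and Spec 2 written out as a JML-annotated Java class, using the keywords from the earlier slides. This is an added example, not code from the slides; the `maxSize` field, the constructor and the pure `contains` helper used inside the contracts are assumptions the slides do not state.

```java
public class BoundedBinaryTree {
    private static class Node { Comparable value; Node left, right; Node(Comparable v) { value = v; } }

    private /*@ spec_public @*/ final int maxSize;   // upper limit on stored items (assumed name)
    private /*@ spec_public @*/ int size;            // number of objects currently in the tree
    private /*@ nullable @*/ Node root;
    //@ public invariant 0 < maxSize;
    //@ public invariant 0 <= size && size <= maxSize;
    //@ requires limit > 0;
    //@ ensures maxSize == limit && size == 0;
    public BoundedBinaryTree(int limit) { maxSize = limit; }
    // pure, so it may appear in contracts; walks the order leftNode.value < value < rightNode.value
    public /*@ pure @*/ boolean contains(Comparable o) {
        for (Node n = root; n != null; ) {
            int c = o.compareTo(n.value);
            if (c == 0) return true;
            n = c < 0 ? n.left : n.right;
        }
        return false;
    }
    //@ public normal_behaviour
    //@   requires o != null && !contains(o) && size < maxSize;
    //@   ensures contains(o) && size == \old(size) + 1;
    public void insert(Comparable o) { root = insertAt(root, o); size++; }
    private static Node insertAt(Node n, Comparable o) {
        if (n == null) return new Node(o);
        if (o.compareTo(n.value) < 0) n.left = insertAt(n.left, o);
        else n.right = insertAt(n.right, o);             // no duplicates, by the precondition
        return n;
    }
    //@ public normal_behaviour
    //@   requires o != null && contains(o);
    //@   ensures !contains(o) && size == \old(size) - 1;
    public void remove(Comparable o) { root = removeAt(root, o); size--; }
    private static Node removeAt(Node n, Comparable o) {
        int c = o.compareTo(n.value);
        if (c < 0) { n.left = removeAt(n.left, o); return n; }
        if (c > 0) { n.right = removeAt(n.right, o); return n; }
        if (n.left == null || n.right == null) return n.left == null ? n.right : n.left;
        Node s = n.right;                                 // two children: splice in the in-order successor
        while (s.left != null) s = s.left;
        n.value = s.value;
        n.right = removeAt(n.right, s.value);
        return n;
    }
    //@ ensures \result == size;
    public /*@ pure @*/ int size() { return size; }
}
```

Each `requires` clause is one "should already / should not already be in the tree" bullet from Spec 2 and each `ensures` clause the bullets that follow it, so a JML runtime checker would reject a caller that inserts a duplicate or inserts into a full tree before the tree is ever touched.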