Proof Obligation Generator for Jive/JML
Ghislain Fourny
March 11th, 2005

Outline
  Introduction: The new version of Jive: why JML; Environment of the PO Generator (data flow, interfaces)
  How it works: an animated example; Structure of a JML document; The Proof Obligation Accumulator; The example
  Complements: Sugars; Variable declarations; Nested specifications
1.1. Why JML?
A comment in natural language:

  /* o should not be null
     @returns true if o already was in the set.
     Ensures that the final set is the former one with o as member
     and that none of the members is modified. */
  boolean add(Object o)
And what a computer understands
boolean add(Object o)o should not set. Ensures that the final set is theFormer one wito as member andthat none of the Members is
First-order logic
  boolean add(Object o)
    pre   o ≠ null
    post  result = (o ∈ aSet(this, $^))
          ∧ aSet(this, $) = {o} ∪ aSet(this, $^)
          ∧ ∀ Object X: inRepSet(X, this, $^) → unchanged(X, $, $^)
What you actually want a non-mathematician programmer to write
boolean add(Object o)o should not set. Ensures that the final set is theFormer one wito as member andthat none of the Members is
JML as an excellent compromise (figure: a scale of languages with the labels Assembly, Java, JML, first-order logic, English and German; JML sits between Java and first-order logic)

A comment in JML:

  //@ invariant modelSet != null;

  /*@ public normal_behavior
    @   requires o != null;
    @   assignable o, modelSet;
    @   ensures \result == \old(modelSet.contains(o));
    @   ensures modelSet == \old(modelSet.add(o));
    @*/
  public boolean add(Object o);

All invariants of all classes are collected in INV($).
1.2. External architecture
POG environment, data flow (figure): the JML-annotated program goes through the JML parser (and checker), which produces an abstract syntax tree; the Proof Obligation Generator walks that tree and emits Katja terms or formulas. Internally it uses an expression tree, an Expression Transformer, a hashmap of old expressions, a Logical Variable Registry, triples and the Proof Obligation Accumulator.

POG environment, external interfaces (figure): the Proof Obligation Generator takes the MJ and JML abstract syntax tree as input and produces Katja terms and formulas; its internal components are the old-expressions hashmap, the Proof Obligation Accumulator, the Logical Variable Registry, triples and the Expression Transformer.
2.1. An animated example
Iterating on types

Iterating on methods (figure: a class C { } whose methods are visited one by one)
Iterating on specifications (figure: the JML specification comment attached to each method is visited)

  public static int isqrt(int y) {
      return (int) Math.sqrt(y);
  }
Specification: a closer look

The method reference: an external method computes a method reference, here IntMathOps:isqrt.
2.2. The Proof Obligation Accumulator
The Proof Obligation Accumulator generates a brand new proof obligation on which we can then work: the Hoare triple { true } IntMathOps:isqrt { true }.
Specification: a closer look

  public static int isqrt(int y) {
      return (int) Math.sqrt(y);
  }

  /*@ public normal_behavior
    @   requires y >= 0;
    @   assignable \nothing;
    @   ensures 0
No assignable locations: ∀loc. alive(ref(loc), S) → $(loc) = S(loc), i.e. S = $.
Old expressions: whenever an \old() expression or a parameter is found in the postcondition, its value is what we want to compute in the prestate, so a logical variable is introduced to recall that value in the poststate. For the parameter y the logical variable !x0 is used: y = !x0.
We are done!
2.3. Signal clauses
Signals

  public void method(Iterator i);

  /*@ ...
    @   signals (EClass1 e) expr1;
    @   signals (EClass2 e) expr2;
    @*/

(figure: the slide animation annotates the clauses with the exception value ExcV and the test ... = Exc)
3.1. Some sugars
Some sugars

  public /*@ non_null @*/ Integer isqrt(int y);
      is sugar for     ensures \result != null;

  public int isqrt(/*@ non_null @*/ Integer y);
      is sugar for     requires y != null;

  public /*@ pure @*/ int isqrt(int y);
      is sugar for an additional and independent specification:
                       requires true;
                       assignable \nothing;
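The following is an added example, our own toy code rather than the Jive/JML generator's, that puts the pieces of sections 2.2 and 3.1 together: the non_null and pure sugars are expanded into explicit clauses, every \old() expression and every parameter named in a postcondition is bound to a fresh logical variable (!x0, !x1, ...), and `assignable \nothing` yields the frame formula from the "no assignable locations" slide. The class and function names, the isqrt postconditions (cut off on the slide) and the frame variant for a non-empty assignable list are all assumptions.

```python
"""Added example (not Jive's code): a toy JML-to-proof-obligation step."""
import re
from dataclasses import dataclass, field


@dataclass
class Param:
    type: str
    name: str
    non_null: bool = False          # /*@ non_null @*/ on the parameter


@dataclass
class Method:
    owner: str                      # class name, gives the reference Owner:name
    name: str
    params: list
    result_non_null: bool = False   # /*@ non_null @*/ on the return type
    pure: bool = False              # /*@ pure @*/ modifier


@dataclass
class Spec:
    requires: list = field(default_factory=list)
    ensures: list = field(default_factory=list)
    assignable: list = None         # None: no clause given; []: \nothing


def desugar(m: Method, spec: Spec) -> list:
    """Expand the sugars into explicit clauses; `pure` becomes an additional,
    independent specification case, as on the slide."""
    main = Spec(list(spec.requires), list(spec.ensures),
                None if spec.assignable is None else list(spec.assignable))
    for p in m.params:
        if p.non_null:
            main.requires.insert(0, f"{p.name} != null")
    if m.result_non_null:
        main.ensures.append("\\result != null")
    cases = [main]
    if m.pure:
        cases.append(Spec(requires=["true"], ensures=[], assignable=[]))
    return cases


class LogicalVariableRegistry:
    """Fresh logical variables !x0, !x1, ... each bound to an expression
    evaluated in the prestate; equal expressions share one variable."""
    def __init__(self):
        self.bindings = []          # [(variable, prestate expression)]

    def fresh(self, prestate_expr: str) -> str:
        for var, expr in self.bindings:
            if expr == prestate_expr:
                return var
        var = f"!x{len(self.bindings)}"
        self.bindings.append((var, prestate_expr))
        return var


def replace_old(expr: str, reg: LogicalVariableRegistry) -> str:
    """Replace every \\old(e) by a logical variable bound to e; the parentheses
    inside e are balanced by hand because a regex cannot do that."""
    out, i = [], 0
    while (j := expr.find("\\old(", i)) >= 0:
        out.append(expr[i:j])
        k = start = j + len("\\old(")
        depth = 1
        while depth:
            depth += (expr[k] == "(") - (expr[k] == ")")
            k += 1
        out.append(reg.fresh(expr[start:k - 1]))
        i = k
    out.append(expr[i:])
    return "".join(out)


def replace_params(expr: str, params, reg: LogicalVariableRegistry) -> str:
    """A parameter named in the postcondition denotes its prestate value, so
    it is bound to a logical variable too (the slide's y = !x0)."""
    for p in params:
        pat = re.compile(rf"(?<![\w.\\!]){re.escape(p.name)}(?!\w)")
        if pat.search(expr):
            expr = pat.sub(reg.fresh(p.name), expr)
    return expr


def frame_formula(assignable):
    """`assignable \\nothing` gives the slide's formula (every alive location
    keeps its prestate value, S = $); the variant with an exception list is
    our own assumption about the notation."""
    if assignable is None:
        return None
    if not assignable:
        return "\\forall loc; alive(ref(loc), S); $(loc) == S(loc)"
    locs = ", ".join(assignable)
    return f"\\forall loc; alive(ref(loc), S) && !(loc \\in {{{locs}}}); $(loc) == S(loc)"


def generate_po(m: Method, case: Spec) -> dict:
    """One proof obligation: prestate assumptions (requires plus the logical
    variable bindings), poststate claims and the frame formula."""
    reg = LogicalVariableRegistry()
    post = [replace_params(replace_old(e, reg), m.params, reg) for e in case.ensures]
    pre = list(case.requires) + [f"{v} == {e}" for v, e in reg.bindings]
    return {"method": f"{m.owner}:{m.name}", "pre": pre, "post": post,
            "frame": frame_formula(case.assignable)}


def hoare_triple(po: dict) -> str:
    """Render the obligation as { pre } Owner:method { post }."""
    pre = " && ".join(po["pre"]) or "true"
    post = " && ".join(po["post"] + ([po["frame"]] if po["frame"] else [])) or "true"
    return f"{{ {pre} }} {po['method']} {{ {post} }}"


# Constructed input: the isqrt method of the slides. Its ensures clause is
# cut off on the page, so these two postconditions are our own assumption.
ISQRT = Method("IntMathOps", "isqrt", [Param("int", "y")])
ISQRT_SPEC = Spec(requires=["y >= 0"], assignable=[],
                  ensures=["0 <= \\result", "\\result * \\result <= y"])

if __name__ == "__main__":
    for case in desugar(ISQRT, ISQRT_SPEC):
        print(hoare_triple(generate_po(ISQRT, case)))
```

Running the block prints `{ y >= 0 && !x0 == y } IntMathOps:isqrt { ... }`, where the second conjunct of the precondition is exactly the binding the "old expressions" slide introduces for the parameter y, and the frame conjunct is the "no assignable locations" formula. Feeding the `add(Object o)` specification from section 1.1 through the same functions binds the two \old() expressions to !x0 and !x1 without touching the `o` inside `modelSet.contains(o)`, since that occurrence is part of the prestate expression itself.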
3.2. Variable declaration
Old variable declaration

  public void method(Iterator i);

  /*@ ...
    @   old int alter_i = expr;
    @ ...
    @*/

alter_i =

Forall variable declaration

  public void method(Iterator i);

  /*@ ...
    @   forall int var;
    @ ...
    @*/
3.2. Nested Specification
Nested specification

  public void method(Iterator i);

  /*@
    @   requires i != null;
    @   {|
    @       requires i.hasNext();
    @       ensures expr;
    @     also
    @       requires !i.hasNext();
    @       ensures expr2;
    @   |}
    @ ...
    @*/
Conclusion
  - POG implemented
  - Debugging phase (JUnit testing)
  - Formatted output
  - Proof obligation visualizer
Thank you for your attention!
Assignable locations

  int y;
  public void isqrt() {
      y = (int) Math.sqrt(y);
  }

  /*@ model int value;
    @ represents value
To add or not to add class invariants?