Patrice Chalin

Beyond assertions: advanced specification and verification with JML and ESC/Java2

Many state-based specification languages, including the Java Modeling Language (JML), contain at their core specification constructs familiar to most undergraduates: e.g., assertions, pre- and postconditions, and invariants. Unfortunately, these constructs are not sufficiently expressive to permit formal modular verification of programs written in modern object-oriented languages like Java. The necessary extra constructs for specifying an object-oriented module include (perhaps the less familiar) frame properties, datagroups, and ghost and model fields. These constructs help specifiers deal with potential problems related to, for example, unexpected side effects, aliasing, class invariants, inheritance, and lack of information hiding. This tutorial paper focuses on JMLs realization of these constructs, explaining their meaning while illustrating how they can be used to address the stated problems.

Non-null references by default in java: alleviating the nullity annotation burden

With Java 5 annotations, we note a marked increase in tools that statically detect potential null dereferences. To be effective such tools require that developers annotate declarations with nullity modifiers and have annotated API libraries. Unfortunately, in our experience specifying moderately large code bases, the use of non-null annotations is more labor intensive than it should be. Motivated by this experience, we conducted an empirical study of 5 open source projects totaling 700 KLOC which confirms that on average, 3/4 of declarations are meant to be non-null, by design. Guided by these results, we propose adopting a non-null-by-default semantics. This new default has advantages of better matching general practice, lightening developer annotation burden and being safer. We adapted the Eclipse JDT Core to support the new semantics, including the ability to read the extensive API library specifications written in the Java Modeling Language (JML). Issues of backwards compatibility are addressed.

Towards an industrial grade IVE for Java and next generation research platform for JML

Tool support for the Java Modeling Language (JML) is a very pressing problem. A main issue with current tools is their architecture; the cost of keeping up with the evolution of Java is prohibitively high, e.g., Java 5 has yet to be fully supported. This paper presents JmlEclipse, an Integrated Verification Environment (IVE) for JML that builds upon Eclipse’s support for Java, enhancing it with preliminary versions of Runtime Assertion Checking (RAC), Extended Static Checking (ESC), Full Static Program Verification (FSPV), and symbolic execution. To our knowledge, JmlEclipse is the first IVE to support such a full range of verification techniques for a mainstream language. We present the original tool architecture as well as an improved design based on use of the JML Intermediate Representation (JIR), which helps decouple JmlEclipse from the internals of its base compiler. As a result, we believe that JmlEclipse is easier to maintain and extend. Use of JIR as a tool exchange format is also described.

Are practitioners writing contracts

For decades now, modular design methodologies have helped software engineers cope with the size and complexity of modern-day industrial applications. To be truly effective though, it is essential that module interfaces be rigorously specified. Design by Contract (DBC) is an increasingly popular method of interface specification for object-oriented systems. Many researchers are actively adding support for DBC to various languages such as Ada, Java and C#. Are these research efforts justified? Does having support for DBC mean that developers will make use of it? We present the results of an empirical study measuring the proportion of assertion statements used in Eiffel contracts. The study results indicate that programmers using Eiffel (the only active language with built-in support for DBC) tend to write assertions in a proportion that is higher than for other languages.

Practical extensions for task models

The current set of temporal operators is insufficient to make effective use of task models as specifications for user interfaces. Moreover, the predominant monolithic task tree structure does not scale well for sizable applications. In order to overcome these shortcomings, a small collection of practical extensions for task models is proposed. In particular, we define new temporal operators (stop, non-deterministic choice, deterministic choice and instance iteration), concepts in support of modularization and a high-level task diagram notation. Finally, we introduce a new concept for expressing cooperative task models that distinguishes between different roles as well as between actors fulfilling these roles.

The KOA remote voting system: a summary of work to date

Remote internet voting incorporates many of the core challenges of trusted global computing. In this paper, we present the Kiezen op Afstand (KOA) system. KOA is a Free Software, remote voting system developed for the Dutch government in 2003/2004. In addition to being Open Source, it is also partially formally specified and verified. This paper summarises the work carried out to date on the KOA system. It charts the evolution of the system, from its initial conception by the Dutch Government, through to its current status. It also describes a roadmap of milestones towards completing its next release: a Free Software, general-purpose, formally specified and verified internet voting system, that incorporates Proof Carrying Code technology for software update and allows trustworthy voting from a mobile phone. We propose that the KOA system should be used as an experimental platform for research in electronic and internet voting; we are not saying that we have solved any of the major problems inherent in voting with computers.

Non-null references by default in the Java modeling language

Based on our experiences and those of our peers, we hypothesized that in Java code, the majority of declarations that are of reference types are meant to be non-null. Unfortunately, the Java Modeling Language (JML), like most interface specification and object-oriented programming languages, assumes that such declarations are possibly-null by default. As a consequence, developers need to write specifications that are more verbose than necessary in order to accurately document their module interfaces. In practice, this results in module interfaces being left incompletely and inaccurately specified. In this paper we present the results of a study that confirms our hypothesis. Hence, we propose an adaptation to JML that preserves its language design goals and that allows developers to specify that declarations of reference types are to be interpreted as non-null by default. We explain how this default is safer and results in less writing on the part of specifiers than null-by-default. The paper also reports on an implementation of the proposal in some of the JML tools.

Integrating Static Checking and Interactive Verification: Supporting Multiple Theories and Provers in Verification

Automatic verification by means of extended static checking (ESC) has seen some success in industry and academia due to its lightweight and easy-to-use nature. Unfortunately, ESC comes at a cost: a host of logical and practical completeness and soundness issues. Interactive verification technology, on the other hand, is usually complete and sound, but requires a large amount of mathematical and practical expertise. Most programmers can be expected to use automatic, but not interactive, verification. The focus of this proposal is to integrate these two approaches into a single theoretical and practical framework, leveraging the benefits of each approach.

Improving JML: For a Safer and More Effective Language

An unusually high number of published JML specifications are invalid or inconsistent, including cases from the security critical area of smart card applications. We claim that these specification errors are due to a mismatch between user expectations and the current JML semantics of expressions over numeric types. At the heart of the problem is JML’s language design decision to assign to arithmetic operators the same semantics as in Java. Consequently, JML arithmetic is bounded in precision and more importantly loss of precision occurs stealthily. After a short discussion of JML language design goals and objectives, we introduce JMLa, an adaptation of JML supporting primitive arbitrary precision numeric types. To support our claim that the identified specification errors are due to JML’s divergence from user expectations, we demonstrate that the invalidities and inconsistencies disappear under JMLa semantics with either no, or minor syntactic changes to the specifications. Other advantages of JMLa are illustrated including safety – how it allows an automated static checker like ESC/Java to detect more specification and implementation errors. We also briefly illustrate how these issues are applicable to other assertion-based languages like Eiffel.

BLESS: Formal Specification and Verification of Behaviors for Embedded Systems with Software

Recent experience in the avionics sector has demonstrated the benefits of using rigorous system architectural models, such as those supported by the standard Architectural and Analysis Definition Language (AADL), to ensure that multi-organization composition and integration tasks are successful. Despite its ability to capture interface signatures and system properties, such as scheduling periods and communication latencies as model attributes, AADL lacks a formal interface specification language, a formal semantics for component behavioral descriptions, and tools for reasoning about the compliance of behaviors to interface contracts. In this paper we introduce the Behavioral Language for Embedded Systems with Software (BLESS)—a behavioral interface specification language and proof environment for AADL. BLESS enables engineers to specify contracts on AADL components that capture both functional and timing properties. BLESS provides a formal semantics for AADL behavioral descriptions and automatic generation of verification conditions that, when proven by the BLESS proof tool, establish that behavioral descriptions conform to AADL contracts. We report on the application of BLESS to a collection of embedded system examples, including definition of multiple modes of a pacemaker.