PDF hosted at the Radboud Repository of the Radboud University
Nijmegen
The version of the following full text has not yet been defined or was untraceable and may
differ from the publisher's version.
For additional information about this publication click this link.
http://hdl.handle.net/2066/19280
Please be advised that this information was generated on 2015-08-08 and may be subject to
change.
Java Program Verification Challenges
B.P.F. Jacobs, J.R. Kiniry, M.E. Warnier
Nijmegen Institute for Computing and Information Sciences/
NIII-R0310 March 2003
Nijmegen Institute for Computing and Information Sciences
Faculty of Science
Catholic University of Nijmegen
Toernooiveld 1
6525 ED Nijmegen
The Netherlands

Java Program Verification Challenges*
Bart Jacobs, Joseph Kiniry, Martijn Warnier
Dep. Comp. Sci., Univ. Nijmegen,
P.O. Box 9010, 6500 GL Nijmegen, The Netherlands,
{bart,kiniry,warnier}@cs.kun.nl
http://www.cs.kun.nl/~{bart,kiniry,warnier}

Abstract. This paper aims to raise the level of verification challenges by presenting a collection of sequential Java programs with correctness annotations formulated in JML. The emphasis lies more on the underlying semantical issues than on verification.
Keywords: Java, program specification, verification
Classification: 68Q55, 68Q60 (AMS '00); D.1.5, D.2.4, F.3.1 (CR '98).
1 Introduction

In the study of (sequential) program verification one usually encounters the same examples over and over again (e.g., stacks, lists, alternating bit protocol, sorting functions, etc.), often going back to classic texts like [11,14,15]. These examples typically use an abstract programming language with only a few constructs, and the logic for expressing the program properties (or specifications) is some variation on first order logic. While these abstract formalisms were useful at the time for explaining the main ideas in this field, they are not very helpful today when it comes to actual program verification for modern programming and specification languages. The aim of this paper is to give an updated collection of program verification examples. They are formulated in Java [13], and use the specification language JML [19,21].
The examples presented below are based on our experience with the LOOP tool [3] over the past five years. Although the examples have actually been verified, the particular verification technology based on the LOOP tool does not play an important rôle: we shall focus on the underlying semantical issues. The examples may in principle also be verified via another approach, like those of Jack [6], Jive [23], Krakatoa [10], and KeY [2].
We shall indicate when static checking with the ESC/Java [12] tool brings up interesting semantical issues in our examples¹. When ESC/Java checks an annotated program, it returns one of three results. The result "passed" indicates that ESC/Java believes the implementation of a method fulfills its specification; in that case we'll say ESC/Java accepts the input. A result of "warning" indicates that an error potentially exists in the program but ESC/Java was unable to prove its existence definitively (e.g., a counter-example or instruction trace). Finally, the message "error" indicates a specific bug in the program, typically a potential run-time violation like a NullPointerException or an ArrayIndexOutOfBoundsException.

* To appear in the LNCS proceedings of FMCO 2002.
¹ We use the final binary release (v. 1.2.4, 27 September 2001) of ESC/Java.
Of course the examples below do not cover all possible topics. For instance, floating point computations and multi-threading² are not covered. In general, our work has focused on Java for smart cards and several examples stem from that area. Other examples are taken from work of colleagues [4], from earlier publications, or from test sets that we have been using internally. They cover a reasonable part of the semantics of Java and JML. Most of the examples can be translated easily in other programming languages. The examples do not involve semantical controversies, as discussed for instance in [5].

These examples are not meant to be canonical or proscriptive; they simply give a flavor of the level of completeness (and thus, complexity) necessary to cover modern programming language semantics.
The verification examples are organised in the following categories.

— Control flow and side-effects
— Overflow and bitwise operations
— Static initialization
— Inheritance
— Non-termination
— Specification issues

The organization of the paper roughly follows this categorization. Each example is accompanied by a short explanation of why the example is interesting and the challenges involved. But first we briefly describe the specification language JML.
2 JML

The Java Modeling Language, JML [19], is a behavioral interface specification language designed to specify Java modules. It can be used for classes as a whole, via class invariants and constraints, and for the individual methods of a class, via method specifications consisting of pre-, post- and frame-conditions (assignable clauses). In particular, it is also possible within a method specification to describe if a particular exception may occur and which post-condition results in that case.

JML annotations are to be understood as predicates, which should hold for the associated Java code. These annotations are included in the Java source files as special comments indicated by //@, or enclosed between /*@ and @*/. They are recognised by special tools like the JML run-time checker [9], the LOOP compiler, and the Krakatoa verification condition generator.
Class invariants and constraints are described as follows.

  /*@ invariant <predicate>;
    @ constraint <relation>;
    @*/

² For a meta-theory on multithreaded Java programs see [1] in this volume.
An invariant is thus a predicate on the underlying state space. It must hold after termination of constructors, and also after termination (both normal and exceptional) of methods, provided it holds before. Thus, invariants are implicitly added to postconditions of methods and constructors, and to preconditions of normal (non-constructor) methods. A constraint is a relation between two states, expressing what should hold about the pre-state and post-state of all methods. In this paper we use no constraints, and only one invariant (in Subsection 3.6). However, in practice they contain important information.
Next we give an example JML method specification of some method m().

  /*@ behavior
    @   requires <precondition>;
    @   assignable <items that can be modified>;
    @   ensures <normal postcondition>;
    @   signals (E) <exceptional postcondition>;
    @*/
  public void m()
Such method specifications may be understood as an extension of correctness triples {P} m {Q} used in Hoare logic, because they allow both normal and exceptional termination. Moreover, the postconditions in JML are relations, because the pre-state, indicated by \old(-), may occur. We shall see many method specifications below.

JML is intended to be usable by Java programmers. Its syntax is therefore very much like Java. However, it has a few additional keywords, such as ==> (for implication), \old (for evaluation in the pre-state), \result (for the return value of a method, if any), and \forall and \exists (for quantification).

This paper will not pay much attention to the semantics of JML (interested readers should see [21] for such). Hopefully, most of the JML assertions are self-explanatory. However, there are three points that we would like to mention.
— In principle, expressions within assertions (such as an array access a[i]) may throw exceptions. The JML approach, see [21], is to turn such exceptions into arbitrary values. Of course, one should try to avoid such exceptions by including appropriate requirements. For instance, for the expression a[i] one should add a != null && i >= 0 && i < a.length, in case this is not already clear from the context. This is what we shall always do.

— JML uses the subtype semantics for inheritance, see [22]. This means that overriding methods in subclasses should still satisfy the specifications of the overridden ancestors in superclasses. This is a non-trivial restriction, but one which is essential in reasoning about methods in an object-oriented setting. However, it does not hold for all our examples (see for instance Subsection 3.8). In that case we simply write no specification at all for the relevant methods.

— JML method specifications form proof obligations. But also, once proved, they can be used in correctness proofs of other methods. In that case one first has to establish the precondition and invariant of the method that is called, and subsequently one can use the postcondition in the remainder of the verification (which will rely heavily on the called method's assignable clause).
An alternative approach is to reason not with the specification, but with the implementation of the method that is called³. Basically, this means that the body of the called method gets substituted at the appropriate place. However, this may lead to duplication of verification work, and makes proofs more vulnerable to implementation changes. But if no specification is available (see the previous point), one may be forced to reason with the implementation. In the examples below we shall see illustrations of method calls which are used both by specification and by implementation.

For readers unfamiliar with JML, this paper may hopefully serve as an introduction via examples. More advanced use of JML in specifying API-components may be found for instance in [24]⁴.
3 Verification challenges

This section describes our Java–JML examples in several subsections. Our explanations focus on the (semantic) issues involved, and not so much on the actual code snippets. They should be relatively self-explanatory.

3.1 Aliasing and field access

Our first example, seen in Figure 1, might seem trivial to some readers. The return expression of the method Alias.m() references the value of the field i of the object c via an aliased reference to itself in the field a. We present this example because it represents (in our view) the bare minimum necessary to model a language like Java. ESC/Java has no problem verifying this program. Either the implementation or specification of the constructor of class C can be used to verify method Alias.m().
3.2 Side-effects in expressions

One of the most common abstractions in program verification is to omit side effects from expressions in the programming language. This is a serious restriction. Figure 2 contains a nice and simple example from [4] where such side-effects play a crucial rôle, in combination with the logical operators. Recall that in Java there are two disjunctions (| and ||) and two conjunctions (& and &&). The double versions (|| and &&) are the so-called conditional operators: their second argument is only evaluated if the first one is false (for ||) or true (for &&).

³ This only works if one actually knows the run-time type of the object on which the method is called.
⁴ See also on the web at www.cs.kun.nl/~erikpoll/publications/jc211_specs.html for a specification of the Java API for smart cards.
class C {
  C a;
  int i;

  /*@ normal_behavior
    @   requires true;
    @   assignable a, i;
    @   ensures a == null && i == 1;
    @*/
  C() { a = null; i = 1; }
}

class Alias {
  /*@ normal_behavior
    @   requires true;
    @   assignable \nothing;
    @   ensures \result == 4;
    @*/
  int m() {
    C c = new C();
    c.a = c;
    c.i = 2;
    return c.i + c.a.i;
  }
}

Fig. 1. Aliasing via Field References.
In case the field b in Figure 2 is true, method m() yields f() ∨ ¬f() = false and ¬f() ∧ f() = true, going against standard logical rules.

The verification of the specification for method m() may use either the implementation or the specification of f().
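The following is an added example, not code from the paper: it runs f() and m() of Figure 2 from both initial values of b, records every call to f() so the evaluation order is visible, and checks the postcondition of m(). It also evaluates the same two expressions with the non-conditional operators | and &, which the text mentions but Figure 2 does not use; the class name SideEffects, the method mStrict and the trace list are my own.

```java
import java.util.ArrayList;
import java.util.List;

public class SideEffects {
    boolean b;
    boolean result1, result2;
    final List<String> trace = new ArrayList<>();   // constructed: one entry per f() call

    SideEffects(boolean initial) { b = initial; }

    // f() as in Figure 2: flips b and returns the new value.
    boolean f() {
        b = !b;
        trace.add("f()=" + b);
        return b;
    }

    // m() as in Figure 2, built from the conditional operators || and &&:
    // the right operand is evaluated only when the left one does not decide the result.
    void m() {
        result1 = f() || !f();
        result2 = !f() && f();
    }

    // Hypothetical variant: the same expressions with | and &, which evaluate
    // both operands unconditionally, so f() is called exactly four times.
    void mStrict() {
        result1 = f() | !f();
        result2 = !f() & f();
    }

    // The ensures clause of m() in Figure 2, with \old(b) passed in explicitly.
    static boolean postconditionOfM(boolean oldB, boolean r1, boolean r2) {
        return (!oldB || (!r1 && r2)) && (oldB || (r1 && r2));
    }

    static void report(String label, boolean initial, SideEffects s) {
        System.out.printf("%-9s old(b)=%-5s result1=%-5s result2=%-5s b=%-5s calls=%s spec holds=%s%n",
            label, initial, s.result1, s.result2, s.b, s.trace,
            postconditionOfM(initial, s.result1, s.result2));
    }

    public static void main(String[] args) {
        for (boolean initial : new boolean[] {true, false}) {
            SideEffects conditional = new SideEffects(initial);
            conditional.m();
            report("m()", initial, conditional);

            SideEffects strict = new SideEffects(initial);
            strict.mStrict();
            report("mStrict()", initial, strict);
        }
    }
}
```

With b initially true both versions agree with the specification. With b initially false, m() calls f() three times and satisfies its postcondition, whereas mStrict() calls f() four times, ends with result2 == false and b == false, and violates it: the specification of Figure 2 is a statement about the conditional operators specifically, and a verifier that treats || and | alike cannot prove it.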
3.3 Breaking out of a loop

While and for loops are typically used for going through an enumeration, for instance to find or modify an entry meeting a specific condition. Upon hitting this entry, the loop may be aborted via a break statement. This presents a challenge for the underlying control flow semantics.

Figure 3 presents a simple example of a for loop that goes through an array of integers in order to change the sign of the first negative entry. The two lines of Java code are annotated with the loop invariant, with JML-keyword maintaining stating what holds while going through the loop, and the loop variant, with JML-keyword decreasing. The loop variant is a mapping to the natural numbers which decreases with every loop cycle. It is used in verifications to show that the repetition terminates.
boolean b = true;
boolean result1, result2;

/*@ normal_behavior
  @   requires true;
  @   assignable b;
  @   ensures b == !\old(b) && \result == b;
  @*/
boolean f() { b = !b; return b; }

/*@ normal_behavior
  @   requires true;
  @   assignable b, result1, result2;
  @   ensures (\old(b) ==> !result1 && result2) &&
  @           (!\old(b) ==> result1 && result2);
  @*/
void m() {
  result1 = f() || !f();
  result2 = !f() && f();
}

Fig. 2. Side-effects and Conditional Logical Operators.
The result of ESC/Java on this program is not very interesting because of its limited handling of loops: they are executed (symbolically) only once by default. In general, this may indicate a basic problem with the invariant, but the coverage is far from complete⁵.
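The following is an added example, not code from the paper: it turns the maintaining and decreasing clauses of Figure 3 into runtime checks that run at every loop head, against a copy of the array that plays the role of \old, and checks the ensures clause after the loop. The class name NegateFirst, the helper methods checkInvariant, checkVariant and checkPostcondition and the sample arrays are my own; the loop is written with an explicit guard so that the checks can sit at the loop head.

```java
import java.util.Arrays;

public class NegateFirst {
    int[] ia;

    NegateFirst(int[] ia) { this.ia = ia; }

    // The loop of Figure 3 with its JML loop annotations checked at runtime.
    void negatefirst() {
        final int[] old = ia.clone();            // stands in for \old(ia[..]) in the annotations
        int previousVariant = Integer.MAX_VALUE; // value of the variant at the previous check
        int i = 0;
        while (true) {
            // Loop head: 'maintaining' must hold, 'decreasing' must be >= 0 and strictly smaller.
            checkInvariant(old, i);
            previousVariant = checkVariant(previousVariant, ia.length - i);
            if (i >= ia.length) break;           // the for-loop guard of Figure 3
            if (ia[i] < 0) { ia[i] = -ia[i]; break; }
            i++;
        }
        checkPostcondition(old);
    }

    // maintaining i >= 0 && i <= ia.length &&
    //   (\forall int j; 0 <= j && j < i ==> (ia[j] >= 0 && ia[j] == \old(ia[j])));
    void checkInvariant(int[] old, int i) {
        if (!(i >= 0 && i <= ia.length))
            throw new AssertionError("index bound broken at i=" + i);
        for (int j = 0; j < i; j++)
            if (!(ia[j] >= 0 && ia[j] == old[j]))
                throw new AssertionError("invariant broken at j=" + j);
    }

    // decreasing ia.length - i: a natural number that shrinks on every cycle.
    static int checkVariant(int previous, int current) {
        if (current < 0 || current >= previous)
            throw new AssertionError("variant does not decrease: " + current);
        return current;
    }

    // The ensures clause of Figure 3: the first negative entry is negated, all others unchanged.
    void checkPostcondition(int[] old) {
        int first = -1;
        for (int k = 0; k < old.length && first < 0; k++)
            if (old[k] < 0) first = k;
        for (int k = 0; k < ia.length; k++) {
            int expected = (k == first) ? -old[k] : old[k];
            if (ia[k] != expected)
                throw new AssertionError("postcondition broken at k=" + k);
        }
    }

    public static void main(String[] args) {
        int[][] samples = { {3, -1, 4, -1, 5}, {1, 2, 3}, {}, {-7} };   // constructed inputs
        for (int[] sample : samples) {
            NegateFirst n = new NegateFirst(sample.clone());
            n.negatefirst();
            System.out.println(Arrays.toString(sample) + " -> " + Arrays.toString(n.ia));
        }
    }
}
```

The break leaves the loop without a further check, which is consistent with the JML reading: the invariant is required at the loop head, and the ensures clause covers the state after the loop. Running the checks on the empty array and on an array whose first element is negative exercises the two boundary cases where the variant reaches zero immediately and where the loop exits on its first cycle.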
3.4 Catching exceptions

Typical of Java is its systematic use of exceptions, via its statements for throwing and catching. They require a suitable control flow semantics. Special care is needed for the 'finally' part of a try-catch-finally construction. Figure 4 contains a simple example (adapted from [17]) that combines many aspects. The subtle point is that the assignment m+=10 in the finally block will still be executed, despite the earlier return statements, but has no effect on the value that is returned. The reason is that this value is bound earlier.
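The following is an added example, not code from the paper: it runs returnfinally() of Figure 4 for a divisor of 5 and of 0, logs the order in which the try, catch and finally blocks execute, and checks the ensures clause against the pre-state value of m. It also shows the one way a finally block does change the returned value, namely by containing a return of its own; the class name ReturnFinally, the log field, the method returnInFinally and the starting value 42 are my own.

```java
public class ReturnFinally {
    int m;
    final StringBuilder log = new StringBuilder();   // constructed: records block execution order

    // returnfinally(d) as in Figure 4.
    int returnfinally(int d) {
        try {
            log.append("try;");
            return m / d;                             // value bound here when d != 0
        } catch (Exception e) {
            log.append("catch(" + e.getClass().getSimpleName() + ");");
            return m / (d + 1);                       // value bound here when d == 0
        } finally {
            log.append("finally;");
            m += 10;                                  // runs either way, result already bound
        }
    }

    // The ensures clause of Figure 4, with \old(m) passed in explicitly.
    static boolean postcondition(int oldM, int d, int result, int newM) {
        return result == ((d == 0) ? oldM : oldM / d) && newM == oldM + 10;
    }

    // Hypothetical variant, not in the paper: a return inside finally replaces the
    // value bound in the try block (javac reports this under -Xlint:finally).
    @SuppressWarnings("finally")
    int returnInFinally(int d) {
        try {
            return m / d;
        } finally {
            m += 10;
            return m;
        }
    }

    public static void main(String[] args) {
        for (int d : new int[] {5, 0}) {
            ReturnFinally r = new ReturnFinally();
            r.m = 42;                                 // constructed pre-state
            int oldM = r.m;
            int result = r.returnfinally(d);
            System.out.printf("d=%d result=%d m=%d log=%s spec holds=%b%n",
                d, result, r.m, r.log, postcondition(oldM, d, result, r.m));
        }
        ReturnFinally r = new ReturnFinally();
        r.m = 42;
        System.out.println("return in finally: " + r.returnInFinally(5));   // 52 rather than 8
    }
}
```

For d = 5 the log reads try;finally; and the result is 8 while m ends at 52; for d = 0 the division throws an ArithmeticException, the log reads try;catch(ArithmeticException);finally; and the result is 42. In both cases the postcondition of Figure 4 holds. A verifier has to model the returned value as bound at the return statement and the finally block as code that runs afterwards on the same state, which is what the returnInFinally variant makes visible by overriding that binding.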
3.5 Bitwise operations

Our next example in Figure 5 is not of the sort one finds in textbooks on program verification. But it is a good example of the ugly code that verification tools have to deal with in practice, specifically in Java Card applets⁶. It involves a "command" byte cmd which is split in two parts: the first three, and last five bits. Depending on these parts, a mode field is given an appropriate value. This

⁵ As an aside: ESC/Java has difficulty with this example due to limitations in its parser as quantified expressions cannot be used in ternary operations. If we rewrite the specification of negatefirst as a conjunction of disjoint implications, ESC/Java accepts the program.
⁶ ESC/Java does not handle a bitwise operator like signed right shift (>>) correctly.
int[] ia;

/*@ normal_behavior
  @   requires ia != null;
  @   assignable ia[*];
  @   ensures (\forall int i; 0 <= i && i < ia.length ==>
  @             (\old(ia[i]) < 0 &&
  @              (\forall int j; 0 <= j && j < i ==> \old(ia[j]) >= 0)) // i is the first position with negative value
  @             ? (ia[i] == -\old(ia[i]))
  @             : (ia[i] == \old(ia[i])));
  @*/
void negatefirst() {
  /*@ maintaining i >= 0 && i <= ia.length &&
    @   (\forall int j; 0 <= j && j < i ==> (ia[j] >= 0 && ia[j] == \old(ia[j])));
    @ decreasing ia.length - i;
    @*/
  for (int i = 0; i < ia.length; i++) {
    if (ia[i] < 0) { ia[i] = -ia[i]; break; }
  }
}

Fig. 3. Breaking out of a Repetition.
int m;

/*@ normal_behavior
  @   requires true;
  @   assignable m;
  @   ensures \result == ((d == 0) ? \old(m) : \old(m) / d)
  @           && m == \old(m) + 10;
  @*/
int returnfinally(int d) {
  try { return m / d; }
  catch (Exception e) { return m / (d+1); }
  finally { m += 10; }
}

Fig. 4. Return within try-catch-finally.
happens in a nested switch. The specification is helpful because it tells in decimal notation what is going on.
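The following is an added example, not code from the paper: because a byte has only 256 values, the ensures and signals clauses of Figure 5 can be checked exhaustively at runtime, which is a cheap complement to a proof for code of this shape. The class name SelectMode, the helper methods ensures, signals and checkAll, and the negative sample byte are my own; selectmode() is reproduced from Figure 5.

```java
public class SelectMode {
    private static final byte ACTION_ONE = 1, ACTION_TWO = 2, ACTION_THREE = 3, ACTION_FOUR = 4;
    private byte mode;

    // selectmode(cmd) as in Figure 5: low three bits select the outer case,
    // the remaining bits (after a signed shift) select the inner case.
    void selectmode(byte cmd) throws Exception {
        byte cmd1 = (byte) (cmd & 0x07), cmd2 = (byte) (cmd >> 3);
        switch (cmd1) {
            case 0x00:
                switch (cmd2) {
                    case 0x00: mode = ACTION_ONE; break;
                    case 0x02: mode = ACTION_TWO; break;
                    default: throw new Exception();
                }
                break;
            case 0x04:
                switch (cmd2) {
                    case 0x00: mode = ACTION_THREE; break;
                    case 0x02: mode = ACTION_FOUR; break;
                    default: throw new Exception();
                }
                break;
            default: throw new Exception();
        }
    }

    // The ensures clause of Figure 5 (normal termination), in decimal as in the paper.
    static boolean ensures(byte cmd, byte mode) {
        return (cmd == 0 && mode == ACTION_ONE) || (cmd == 16 && mode == ACTION_TWO)
            || (cmd == 4 && mode == ACTION_THREE) || (cmd == 20 && mode == ACTION_FOUR);
    }

    // The signals (Exception) clause of Figure 5 (exceptional termination).
    static boolean signals(byte cmd) {
        return ((cmd & 0x07) != 0 || (cmd != 0 && cmd != 16))
            && ((cmd & 0x07) != 4 || (cmd != 4 && cmd != 20));
    }

    // Runs selectmode on every byte value and checks whichever clause applies.
    static int checkAll() {
        int failures = 0;
        for (int v = Byte.MIN_VALUE; v <= Byte.MAX_VALUE; v++) {
            byte cmd = (byte) v;
            SelectMode s = new SelectMode();
            boolean ok;
            try {
                s.selectmode(cmd);
                ok = ensures(cmd, s.mode);
            } catch (Exception e) {
                ok = signals(cmd);
            }
            if (!ok) { failures++; System.out.println("specification violated for cmd=" + cmd); }
        }
        return failures;
    }

    public static void main(String[] args) {
        System.out.println("violations over all 256 byte values: " + checkAll());
        // A negative command byte: >> sign-extends, so cmd2 is negative and the
        // default branch throws. This sign extension is the behaviour of >> that
        // footnote 6 says ESC/Java gets wrong.
        byte neg = (byte) 0x84;                                   // constructed: low bits 100, sign bit set
        System.out.println("(byte)0x84 >> 3 = " + (byte) (neg >> 3));   // -16
    }
}
```

The exhaustive run reports no violations: exactly the four command values 0, 16, 4 and 20 terminate normally with the mode the ensures clause names, and every other value, the 128 negative ones included, ends in the exception branch that the signals clause describes. The negative case is where a model of >> as a plain division by 8 would go wrong, since the shifted value stays negative and can never match case 0x00 or 0x02.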
3.6 Class invariants and callbacks

Class invariants are extremely useful in specification, because they often make explicit what programmers have in the back of their mind while writing their
private /*@ spec_public @*/ static final byte
  ACTION_ONE = 1, ACTION_TWO = 2, ACTION_THREE = 3, ACTION_FOUR = 4;
private /*@ spec_public @*/ byte mode;

/*@ behavior
  @   requires true;
  @   assignable mode;
  @   ensures (cmd == 0 && mode == ACTION_ONE) ||
  @           (cmd == 16 && mode == ACTION_TWO) ||
  @           (cmd == 4 && mode == ACTION_THREE) ||
  @           (cmd == 20 && mode == ACTION_FOUR);
  @   signals (Exception)
  @           ((cmd & 0x07) != 0 || (cmd != 0 && cmd != 16))
  @           &&
  @           ((cmd & 0x07) != 4 || (cmd != 4 && cmd != 20));
  @*/
void selectmode(byte cmd) throws Exception {
  byte cmd1 = (byte)(cmd & 0x07), cmd2 = (byte)(cmd >> 3);
  switch (cmd1) {
    case 0x00: switch (cmd2) {
                 case 0x00: mode = ACTION_ONE; break;
                 case 0x02: mode = ACTION_TWO; break;
                 default: throw new Exception(); }
               break;
    case 0x04: switch (cmd2) {
                 case 0x00: mode = ACTION_THREE; break;
                 case 0x02: mode = ACTION_FOUR; break;
                 default: throw new Exception(); }
               break;
    default: throw new Exception(); }
  // ... more code
}

Fig. 5. Typical Mode Selection Based on Command Byte.
code. A typical example is: "integer i is always non-zero" (so that one can safely divide by i).

The standard semantics for class invariants is: when an invariant holds in the pre-state of a (non-constructor) method, it must also hold in the post-state. Note that this post-state can result from either normal or exceptional termination. An invariant may thus be temporarily broken within a method body, as long as it is re-established at the end. A simple example is method decrementk in Figure 6.

Things become more complicated when inside such a method body the class invariant is broken and another method is called. The current object this is then left in an inconsistent state. This is especially problematic if control returns at some later stage to the current object. This re-entrance or callback phenomenon is discussed for instance in [25, Sections 5.4 and 5.5]. The commonly adopted solution to this problem is to require that the invariant of this is established before a method call. Hence the proof obligation in a method call a.m() involves the invariants of both the caller (this) and the callee (a).

This semantics is incorporated in the translation performed by the LOOP tool. Therefore we cannot prove the specification for the method incrementk in Figure 6. However, a proof using the implementations of method go and decrementk is possible, if we make the additional assumptions that the run-time type of the field b is actually B, and that the method incrementk is executed on an object of class A. These restrictions are needed because if, for instance, field b has a subclass of B as run-time type, a different implementation will have to be used if the method go is overridden in the subclass.

ESC/Java warns about the potential for invariant violation during the callback.

Another issue related to class invariants is whether or not they should be maintained by private methods. JML does require this, but allows a special category of so-called 'helper' methods which need not maintain invariants. We don't discuss this matter further.
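The following is an added example, not code from the paper: it reproduces the classes of Figure 6 with the invariant k + m == 0 checked at runtime, lets the callee observe the state it is handed during the callback, and contrasts incrementk() with a reordered version that re-establishes the invariant before calling out, which is the proof obligation the text describes. The outer class Callback, the methods invariant(), incrementkSafe() and fresh(), and the printed observations are my own.

```java
public class Callback {
    static class A {
        int k, m;
        B b;

        // The class invariant of Figure 6, evaluated at runtime instead of proven.
        boolean invariant() { return k + m == 0; }

        // decrementk() as in Figure 6: breaks the invariant after k-- and restores it with m++.
        void decrementk() { k--; m++; }

        // incrementk() as in Figure 6: between k++ and m-- the invariant does not hold,
        // and b.go(this) hands the inconsistent object to another class in that window.
        void incrementk() { k++; b.go(this); m--; }

        // Hypothetical reordering: the invariant is re-established before the call,
        // so the callee only ever sees a consistent A.
        void incrementkSafe() { k++; m--; b.go(this); }
    }

    static class B {
        // go() as in Figure 6, plus a check that mirrors what specification-based
        // reasoning about arg assumes: that arg's invariant holds on entry.
        void go(A arg) {
            System.out.println("  callee sees k=" + arg.k + " m=" + arg.m
                + " invariant=" + arg.invariant());
            arg.decrementk();
        }
    }

    static A fresh() { A a = new A(); a.b = new B(); return a; }   // constructed: k = m = 0

    static void show(String label, A a) {
        System.out.println("  after " + label + ": k=" + a.k + " m=" + a.m
            + " invariant=" + a.invariant());
    }

    public static void main(String[] args) {
        A a = fresh();
        System.out.println("incrementk():");
        a.incrementk();
        show("incrementk()", a);

        A a2 = fresh();
        System.out.println("incrementkSafe():");
        a2.incrementkSafe();
        show("incrementkSafe()", a2);
    }
}
```

Both versions leave the object with k == 0 and m == 0, so the invariant holds in the post-state either way; the difference is what go() observes. In incrementk() the callee sees k == 1 and m == 0, so any conclusion it draws from A's invariant is unsound at that moment, which is why the LOOP tool rejects the specification and ESC/Java warns. In incrementkSafe() the callee sees k == 1 and m == -1 and the invariant holds at the call, so reasoning with the specification of go() and decrementk() goes through.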
3.7 Static initialization

Figure 7 shows an example of static initialization in Java (due to Jan Bergstra). In Java a class is initialized at its first active use (see [13]). This means that class initialization in Java is lazy, so that the result of initialization depends on the order in which classes are initialized. The rather sick example in Figure 7 shows what happens when two classes, which are not yet initialized, have static fields referring to each other. In the specification we use a new keyword \static_fields_of in the assignable clause. It is syntactic sugar for all static fields of the class.

The first assignment in the body of method m() triggers the initialization of class C1, which in turn triggers the initialization of class C2. The result of the whole initialization is, for instance, that static field C2.b2 gets value false assigned to it. This can be seen when one realizes that the boolean static fields from class C1 initially get the default value false. Subsequently, class C2 becomes initialized and its fields also get the default value false. Now the assignments in class C2 are carried out: d2 is set to true and b2 is set to false. Note that d1 is still false at this stage. Finally the assignments to fields in class C1 take place, both resulting in value true.

One can see that the order of initializations is important. When the first two assignments in the method body of m() are switched, class C2 will be initialized before class C1 resulting in all fields getting value true.

ESC/Java cannot handle this example as it cannot reason about static initialization. It provides no warnings for potential run-time errors in static initializers or in initializers for static fields.
class A {
  private /*@ spec_public @*/ int k, m;
  B b;

  /*@ invariant k + m == 0; @*/

  /*@ normal_behavior
    @   requires true;
    @   assignable k, m;
    @   ensures k == \old(k) - 1 && m == \old(m) + 1;
    @*/
  void decrementk() { k--; m++; }

  /*@ normal_behavior
    @   requires b != null;
    @   assignable k, m;
    @   ensures true;
    @*/
  void incrementk() { k++; b.go(this); m--; }
}

class B {
  /*@ normal_behavior
    @   requires arg != null;
    @   assignable arg.k, arg.m;
    @   ensures arg.k == \old(arg.k) - 1 && arg.m == \old(arg.m) + 1;
    @*/
  void go(A arg) { arg.decrementk(); }
}

Fig. 6. Callback with Broken Invariant.
3.8 Overloading and dynamic method invocation

The example in Figure 8 is usually attributed to Kim Bruce. It addresses an issue which is often thought of as confusing in programming with languages which support inheritance. When overriding a method the run-time type of an object decides which method is called. This phenomenon is also called late-binding. In the example three different objects are created, and the question is which equal method will be called.

Notice that the equal methods have no specifications. According to the JML semantics, the equal method in class Point should also satisfy the specification from the equal method in class ColorPoint. This makes it impossible to prove a precise specification of the equal method in class Point. Therefore we proved the specification of method m() by using the implementations of the equal methods.

The result that most programmers find surprising comes from the assignment r8 = p2.equal(cp). The static type of the expression p2 is Point, so that
2
c la s s C {
s t a t i c b o o le a n
4
re su ltl,
result2,
result3 ,
result4 ;
/ *® n o r m a l - b e h a v i o r
! \ i s _ i n i t i a 1i z e d ( C )
&f c
e
@
@
@
!\is_ in itia liz e d (C l)
!\is_ in itialized (C 2 );
&f c
s
@ assignable
\ s t a t ic _fie ld s _o f( C ) ,
@
\ s t a t i c _ f i e l d s _ o f ( C l ),
\ s t a t i c _f i e 1 d s _ o f ( C 2 ) ;
io
requires
@
@
ensures
®* /
s t a t ic
12
i4
resultl
&&
!result2
&& r e s u lt3
&& r e s u l t 4
v o id m ( ) {
resultl
=
C l.bl ;
result2
=
C2 . b2 ;
result3
=
C l.d l ;
result4
=
C2.d2;
}
16
}
18
20
22
c la s s C l {
s t a t i c b o o le a n
s t a t i c b o o le a n
=
C 2 . d2 ;
dl
=
true ;
d2
= true ;
b2
=
}
c la s s C 2 {
s t a t i c b o o le a n
s t a t i c b o o le a n
28
bl
C l .dl
}
F ig . 7. S t a t i c I n i t ia li z a ti o n .
a c c o r d in g t o t h e fir s t s te p in pr o c e s s ing a m e t h o d in v o c a t io n a t c o m pile - t im e
([ 13, S e c tio n 15.12.1] ), t h e e q u a l m e t h o d o f P o in t is us e d.
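The nine calls of Figure 8 run as a program, placed beside a variant in which ColorPoint genuinely overrides equal(Point) instead of overloading it. This is an added example, not code from the paper; the classes Point2, ColorPoint2 and OverloadDemo and the methods figure8() and overriding() are ours.

```java
// Added example (not from the paper): Bruce's overloading puzzle from
// Figure 8 run as a program, next to a variant in which ColorPoint2
// genuinely overrides equal(Point2). Names ending in "2" are ours.
class Point {
    int equal(Point x) { return 1; }
}

class ColorPoint extends Point {
    // Different parameter type: this OVERLOADS equal, it does not override it.
    // Which of the two is called is fixed at compile time from static types.
    int equal(ColorPoint x) { return 2; }
}

class Point2 {
    int equal(Point2 x) { return 1; }
}

class ColorPoint2 extends Point2 {
    // Same signature as the superclass method: a real override, selected by
    // the run-time type of the receiver. The argument's run-time type has to
    // be tested explicitly, since overload resolution cannot do that for us.
    @Override
    int equal(Point2 x) { return (x instanceof ColorPoint2) ? 2 : 1; }
}

public class OverloadDemo {
    // The nine calls of Figure 8, in the same order as r1 .. r9.
    static int[] figure8() {
        Point p1 = new Point();
        Point p2 = new ColorPoint();      // static type Point, run-time type ColorPoint
        ColorPoint cp = new ColorPoint();
        return new int[] {
            p1.equal(p1), p1.equal(p2), p2.equal(p1),
            p2.equal(p2), cp.equal(p1), cp.equal(p2),
            p1.equal(cp), p2.equal(cp), cp.equal(cp)
        };
    }

    // The same nine calls against the overriding variant.
    static int[] overriding() {
        Point2 p1 = new Point2();
        Point2 p2 = new ColorPoint2();
        ColorPoint2 cp = new ColorPoint2();
        return new int[] {
            p1.equal(p1), p1.equal(p2), p2.equal(p1),
            p2.equal(p2), cp.equal(p1), cp.equal(p2),
            p1.equal(cp), p2.equal(cp), cp.equal(cp)
        };
    }

    public static void main(String[] args) {
        System.out.println("overloading (Figure 8): " + java.util.Arrays.toString(figure8()));
        System.out.println("overriding variant:     " + java.util.Arrays.toString(overriding()));
    }
}
```

The first array reproduces the ensures clause of Figure 8: every entry is 1 except the last. In the overriding variant the result is 2 exactly when both the receiver and the argument are ColorPoint2 objects at run time (the fourth, sixth, eighth and ninth calls), because the override is chosen by the receiver's run-time type and the instanceof test looks at the argument's. The same confusion is behind the frequent mistake of declaring equals(MyType) instead of overriding equals(Object): collections and access checks that call equals(Object) then silently fall back to identity comparison.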
3.9 Inheritance

The program in Figure 9 is from [16] and was originally suggested by Joachim van den Berg. On first inspection it looks like the method test() will loop forever.

The method test() calls method m() from class C (through super.m()), which in turn calls m() on this. Since this has run-time type Inheritance, that call is dispatched to m() in class Inheritance, which throws an exception, so test() terminates exceptionally rather than looping. Due to the subtype semantics used in JML for inheritance, we cannot write specifications for both of the m() methods with which we can reason. Therefore we can only prove the specification of method test() by using the method implementations.
class Point {
  int equal(Point x) { return 1; }
}

class ColorPoint extends Point {
  int equal(ColorPoint x) { return 2; }
}

int r1, r2, r3, r4, r5, r6, r7, r8, r9;

/*@ normal_behavior
  @   requires true;
  @   assignable r1, r2, r3, r4, r5, r6, r7, r8, r9;
  @   ensures r1 == 1 && r2 == 1 && r3 == 1 &&
  @           r4 == 1 && r5 == 1 && r6 == 1 &&
  @           r7 == 1 && r8 == 1 && r9 == 2;
  @*/
void m() {
  Point p1 = new Point();
  Point p2 = new ColorPoint();
  ColorPoint cp = new ColorPoint();
  r1 = p1.equal(p1); r2 = p1.equal(p2); r3 = p2.equal(p1);
  r4 = p2.equal(p2); r5 = cp.equal(p1); r6 = cp.equal(p2);
  r7 = p1.equal(cp); r8 = p2.equal(cp); r9 = cp.equal(cp);
}

Fig. 8. Overloading and Dynamic Method Invocation.
class C {
  void m() throws Exception { m(); }
}

class Inheritance extends C {
  void m() throws Exception { throw new Exception(); }

  /*@ exceptional_behavior
    @   requires true;
    @   assignable \nothing;
    @   signals (Exception) true;
    @*/
  void test() throws Exception { super.m(); }
}

Fig. 9. Overriding and Dynamic Types.
3.10 Non-termination

The example in Figure 10 (due to Cees-Bart Breunesse) shows a program that does not terminate.

class Diverges {
  /*@ behavior
    @   requires true;
    @   assignable \nothing;
    @   ensures false;
    @   signals (Exception e) false;
    @   diverges true;
    @*/
  public void m() {
    for (byte b = Byte.MIN_VALUE; b <= Byte.MAX_VALUE; b++)
      ;
  }
}

Fig. 10. A Program that does not Terminate.

The specification asserts that the program terminates neither normally nor with an exception. The JML keyword diverges followed by the predicate true indicates that the program fails to terminate. The reader can easily see that this program does not terminate: b++ on a byte wraps around, so that incrementing Byte.MAX_VALUE yields Byte.MIN_VALUE and the guard of the for loop will never fail. Note that in order to verify this program both overflow and non-termination have to be modeled appropriately. ESC/Java does not handle non-termination.
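To see the wrap-around concretely, here is the loop of Figure 10 with an iteration cap, beside the conventional fix of iterating with a counter wide enough to hold Byte.MAX_VALUE + 1. This is an added example, not from the paper; the class ByteLoopDemo and its method names are ours.

```java
// Added example (not from the paper): the non-terminating byte loop of
// Figure 10, made observable with an iteration cap, and the usual fix.
public class ByteLoopDemo {
    // Runs the Figure 10 loop but gives up after `cap` iterations and returns
    // how many iterations ran. Enumerating every byte value needs exactly 256
    // iterations; this loop never stops by itself, so only the cap ends it.
    static int cappedByteLoop(int cap) {
        int iterations = 0;
        for (byte b = Byte.MIN_VALUE; b <= Byte.MAX_VALUE; b++) {
            // b++ takes 127 to -128, so the guard b <= 127 is always true
            if (++iterations >= cap) break;
        }
        return iterations;
    }

    // Same enumeration with an int counter: i reaches 128, which is not a
    // byte value, and the guard fails after exactly 256 iterations.
    static int intCounterLoop() {
        int iterations = 0;
        for (int i = Byte.MIN_VALUE; i <= Byte.MAX_VALUE; i++) {
            byte b = (byte) i;               // the value the loop body would use
            if (b != i) throw new AssertionError("narrowing lost " + i);
            iterations++;
        }
        return iterations;
    }

    public static void main(String[] args) {
        System.out.println("(byte)(Byte.MAX_VALUE + 1) == Byte.MIN_VALUE: "
            + ((byte) (Byte.MAX_VALUE + 1) == Byte.MIN_VALUE));
        System.out.println("capped byte loop ran " + cappedByteLoop(10_000) + " iterations");
        System.out.println("int-counter loop ran " + intCounterLoop() + " iterations");
    }
}
```

cappedByteLoop() never returns on its own; only the cap stops it, while intCounterLoop() returns 256. javac accepts the guard b <= Byte.MAX_VALUE without complaint even though it is a tautology for a byte; it is exactly the kind of condition a verifier with a bounded model of byte, or a lint check for constant conditions, should flag.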
3.11 Specification

The final example exemplifies two commonplace complications in reasoning about "real world" Java.

Representations of integral types (e.g., int, short, byte, etc.) in Java are finite. A review of annotated programs that use integral types indicates that specifications are often written with infinite numeric models in mind [7]. Programmers seem to think about the issues of overflow (and underflow, in the case of floating point numbers) in program code, but not in specifications.

Additionally, it is often the case that specifications use functional method invocations. Methods which have no side-effects in the program are called "pure" methods in JML and "queries" in the Eiffel and UML communities⁷.

The example in Figure 11 highlights both complications, as it uses method invocations in a specification and integral values that can potentially overflow. The method isqrt(), which computes an integer square root of its input, is inspired by a specification (see Figure 12) of a similar function included with early JML releases [20].

⁷ There is still debate in the community about the meaning of "pure". Many Java methods, for example, which claim to have no side-effects, and thus should be pure, actually do modify the state due to caching, lazy evaluation, etc.
/*@ normal_behavior
  @   requires true;
  @   assignable \nothing;
  @   ensures \result == ((x >= 0 || x == Integer.MIN_VALUE) ? x : -x);
  @*/
/*@ pure @*/ int iabs(int x) {
  if (x < 0) return -x; else return x;
}

/*@ normal_behavior
  @   requires x >= 0 && x <= 2147390966;
  @   assignable \nothing;
  @   ensures iabs(\result) < 46340 &&
  @           \result * \result <= x &&
  @           x < (iabs(\result) + 1) * (iabs(\result) + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ maintaining 0 <= count && count < 46340 &&
    @             count * count <= x &&
    @             sum == (count + 1) * (count + 1);
    @ decreasing x - count;
    @*/
  while (sum <= x) { count++; sum += 2 * count + 1; }
  return count;
}

Fig. 11. Dependent Specifications and Integral Types.
/*@ normal_behavior
  @   requires x >= 0;
  @   ensures Math.abs(\result) <= x &&
  @           \result * \result <= x &&
  @           x < (Math.abs(\result) + 1) * (Math.abs(\result) + 1);
  @*/

Fig. 12. JML Specification of Integer Square Root from [20].
Note that the iabs() method in Figure 11 is used in the specification of isqrt() to stipulate that both the negative and the positive square root are an acceptable return value, as all we care about is its magnitude. Actually, our implementation of isqrt() only computes the positive integer square root.

The original specification included in early JML releases is provided in Figure 12. This specification uses the Math.abs() method instead of our iabs() method. We use our own equivalent implementation of absolute value out of convenience, not necessity.

The definition of JML states that expressions in the requires and ensures clauses are to be interpreted in the semantics of Java. Consequently, a valid implementation of the specification in Figure 12 is permitted to return Integer.MIN_VALUE when x is 0 (as already noted in [20]).

This surprising situation exists because Java's integral types are bounded and because the definition of unary negation in the Java Language Specification is somewhat unexpected.

Because integral types are bounded, expressions in the postcondition, specifically the multiplication operations, can overflow. Additionally, the two implementations of integer absolute value, iabs() and Math.abs(), both return a value of Integer.MIN_VALUE when passed Integer.MIN_VALUE. While this is the documented behavior of java.lang.Math.abs(int), it is often overlooked by programmers because they presume that a function as mathematically uncomplicated as absolute value will produce unsurprising, mathematically correct results for all input.

The absolute value of Integer.MIN_VALUE is equal to itself because Math.abs() is implemented with Java's unary negation operator. This operator, defined in Section 15.15.4 of the Java Language Specification, silently overflows when applied to the most negative int or long [13]⁸.

The precondition of isqrt() in Figure 11 is explained in Figure 13. We wish to ensure that no operation, either in the implementation of isqrt() or in its specification, overflows. The critical situation that causes an overflow is when we attempt to take an integer square root of a very large number. In particular, if we attempt to evaluate the postcondition of isqrt() for values of x beyond the precondition's bound 2,147,390,966, an overflow can take place: as soon as the root reaches 46,340 (that is, for x >= 46,340² = 2,147,395,600), squaring the root plus one no longer fits in an int. The small but critical interval between the precondition's bound 2,147,390,966 and Integer.MAX_VALUE = 2,147,483,647 is indicated by the dark interval on the right of Figure 13: to check the postcondition, the prospective root (the arrow labeled 1) must be determined, one is added to its value (arrow 2), and the result is squared (arrow 3). This final result will thus overflow. Indeed, (46,340 + 1)² > 2,147,483,647.

Fig. 13. The Positive Integers. (The number line itself is not reproduced in this text.)

⁸ Interestingly, the documentation for java.lang.Math.abs() did not reflect this fact until the 1.1 release of Java.
The erroneous nature of a specification involving potential overflows should become clear when one verifies the method using an appropriate bit-level representation of integral types [18]. Unfortunately, such errors are not at all apparent, even when performing extensive unit testing, because the boundary conditions for arithmetic expressions, like the third term of the postcondition of isqrt() in Figure 11, are rarely automatically derivable, and full state-space coverage is simply too computationally expensive.
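The following added example (not from the paper; the class and method names are ours) evaluates the postcondition of Figure 12 twice: once in Java int arithmetic, which is what JML prescribes, and once over mathematical integers, emulated with long because the product of two ints always fits in a long. It also runs the isqrt() of Figure 11 beside a variant whose loop uses Math.addExact (Java 8 and later), and it goes one step beyond the text by locating the exact boundary: 46,340² = 2,147,395,600 is the largest perfect square an int can hold.

```java
// Added example (not from the paper): the isqrt() of Figure 11 and the
// postcondition of Figure 12, evaluated in Java int semantics (as JML
// prescribes) and over mathematical integers (emulated with long).
public class IsqrtSpecDemo {

    // Figure 11's isqrt(), loop written exactly as in the paper.
    static int isqrt(int x) {
        int count = 0, sum = 1;
        while (sum <= x) { count++; sum += 2 * count + 1; }
        return count;
    }

    // Same loop, but the update of sum refuses to wrap: for x >= 46340 * 46340
    // the step to (46340 + 1)^2 throws ArithmeticException instead of
    // continuing with a negative sum. Math.addExact exists since Java 8.
    static int isqrtChecked(int x) {
        if (x < 0) throw new IllegalArgumentException("x must be non-negative");
        int count = 0, sum = 1;
        while (sum <= x) { count++; sum = Math.addExact(sum, 2 * count + 1); }
        return count;
    }

    // Figure 12's ensures clause in Java int arithmetic: Math.abs and both
    // multiplications can overflow silently.
    static boolean postJavaInt(int x, int result) {
        return Math.abs(result) <= x
            && result * result <= x
            && x < (Math.abs(result) + 1) * (Math.abs(result) + 1);
    }

    // The same clause read as the specifier meant it, over unbounded integers.
    // Every intermediate value of this clause fits in a long.
    static boolean postMath(int x, int result) {
        long r = result, a = Math.abs(r);   // abs of MIN_VALUE is +2^31 here, not negative
        return a <= x && r * r <= x && x < (a + 1) * (a + 1);
    }

    public static void main(String[] args) {
        int min = Integer.MIN_VALUE;
        System.out.println("Math.abs(MIN_VALUE) == MIN_VALUE: " + (Math.abs(min) == min));
        System.out.println("MIN_VALUE as root of 0, int semantics:  " + postJavaInt(0, min));
        System.out.println("MIN_VALUE as root of 0, math semantics: " + postMath(0, min));

        int limit = 46340 * 46340;   // 2,147,395,600: largest perfect square in an int
        int below = limit - 1;
        int r = isqrt(below);
        System.out.println("isqrt(" + below + ") = " + r
            + ", int semantics: " + postJavaInt(below, r)
            + ", math semantics: " + postMath(below, r));
        // At the limit the correct root is 46340, but 46341 * 46341 wraps to a
        // negative int, so the int-semantics reading rejects the right answer.
        System.out.println("46340 as root of " + limit
            + ", int semantics: " + postJavaInt(limit, 46340)
            + ", math semantics: " + postMath(limit, 46340));
        try {
            isqrtChecked(limit);
        } catch (ArithmeticException e) {
            System.out.println("isqrtChecked(" + limit + ") refused to wrap: " + e.getMessage());
        }
    }
}
```

Run with java IsqrtSpecDemo. Under int semantics Integer.MIN_VALUE passes all three conjuncts for x = 0, because Math.abs wraps to MIN_VALUE, MIN_VALUE * MIN_VALUE wraps to 0 and (MIN_VALUE + 1)² wraps to 1; the long version rejects it at the first conjunct. For x = 46,340² the situation reverses: the correct root 46340 satisfies the mathematical reading but fails the int reading. The precondition x <= 2,147,390,966 of Figure 11 keeps the paper's isqrt() below that point; isqrtChecked() turns the same limit into an exception rather than a silent wrap. The inputs used here, 0 paired with MIN_VALUE and the square boundary, are precisely the boundary cases a unit test suite would have to contain to expose the problem.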
Specifications involving integral types, and thus potential overflows, are frequently seen in application domains that involve numeric computation, both complex (e.g., scientific computation, computer graphics, embedded devices, etc.) and relatively simple (e.g., currency and banking). The former category is obviously challenging due to the complexity of the related data structures, algorithms, and their specifications, and the latter is problematic because it is there that implementation violations have egregious (financial) consequences. This specification raises the question: What is the appropriate model for arithmetic specifications⁹?

Another challenge highlighted by this example might be called "formalism completeness". Many semantic formalisms of modern programming languages like Java do not attempt to specify the semantics of complicated features like method invocation. Even fewer attempt to incorporate such semantics in method specifications, as used here.

For example, ESC/Java is unable to deal with this example because of such interdependencies. This is a significant limitation, as many, if not most, method specifications rely upon pure or JML helper methods. This is also a weakness of the LOOP tool, as dealing with (pure) method calls in specifications is tedious in verifications¹⁰. In general, the semantics of method invocation in specifications is still an unclear issue at this time.
4 Conclusions

The starting point of this paper is the observation that the classical examples in (sequential) program verification are no longer very relevant in today's context. They need to be updated in two dimensions: language complexity and size. This paper focuses on complexity, by presenting a new series of challenges, written in Java, with correctness assertions expressed in JML. The examples incorporate some of the ugly details that one encounters in real-world programs, and that any reasonable semantics should be able to handle.

The fact that these example programs are small does not mean that we think size is unimportant. On the contrary, once a reasonably broad semantic spectrum is covered, the next challenge is to scale up one's program verification techniques to larger programs. With our tools we are currently verifying programs with hundreds of lines of code.

⁹ We do not have answers for these questions, though investigations are underway [8].

¹⁰ The verification of the method isqrt() from Figure 11 uses the implementation of the absolute value method iabs().
References

1. Erika Ábrahám-Mumm, Frank S. de Boer, Willem-Paul de Roever, and Martin Steffen. A tool-supported proof system for multithreaded Java. In FMCO 2002 proceedings, Lect. Notes Comp. Sci. Springer, Berlin, 2003.
2. W. Ahrendt, Th. Baar, B. Beckert, R. Bubel, M. Giese, R. Hähnle, W. Menzel, W. Mostowski, A. Roth, S. Schlager, and P.H. Schmitt. The KeY tool. Technical Report 2003-5, Chalmers and Göteborg University, 2003. http://i12www.ira.uka.de/~key.
3. J. van den Berg and B. Jacobs. The LOOP compiler for Java and JML. In T. Margaria and W. Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems, number 2031 in Lect. Notes Comp. Sci., pages 299-312. Springer, Berlin, 2001.
4. J. Bergstra and M. Loots. Empirical semantics for object-oriented programs. Artificial Intelligence Preprint Series nr. 007, Dep. Philosophy, Utrecht Univ. http://preprints.phil.uu.nl/aips/, 1999.
5. E. Börger and W. Schulte. Initialization problems in Java. Software - Concepts and Tools, 20(4), 1999.
6. Lilian Burdy, Jean-Louis Lanet, and Antoine Requet. JACK (Java Applet Correctness Kit), 2002. www.gemplus.com/smart/r_d/trends/jack.html.
7. P. Chalin. Back to basics: Language support and semantics of basic infinite integer types in JML and Larch. Technical Report 2002.003.1, Computer Science Department, Concordia University, 2002. www.cs.concordia.ca/~faculty/chalin/.
8. P. Chalin. Improving JML: For a safer and more effective language. Technical Report 2003-001.1, Computer Science Department, Concordia University, March 2003.
9. Y. Cheon and G.T. Leavens. A runtime assertion checker for the Java Modeling Language (JML). In H.R. Arabnia and Y. Mun, editors, International Conference on Software Engineering Research and Practice (SERP '02), pages 322-328. CSREA Press, Las Vegas, 2002.
10. E. Contejean, J. Duprat, J.-C. Filliâtre, C. Marché, C. Paulin-Mohring, and X. Urbain. The Krakatoa tool for JML/Java program certification. Available via the Krakatoa home page at www.lri.fr/~marche/krakatoa/, October 2002.
11. E.W. Dijkstra. A Discipline of Programming. Prentice Hall, 1976.
12. C. Flanagan, K.R.M. Leino, M. Lillibridge, G. Nelson, J.B. Saxe, and R. Stata. Extended static checking for Java. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), volume 37(5) of SIGPLAN Notices, pages 234-245. ACM, 2002.
13. J. Gosling, B. Joy, G. Steele, and G. Bracha. The Java Language Specification, Second Edition. The Java Series. Addison-Wesley, 2000. http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html.
14. D. Gries. The Science of Programming. Springer, 1981.
15. C.A.R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12:576-580, 583, 1969.
16. M. Huisman and B. Jacobs. Inheritance in higher order logic: Modeling and reasoning. In M. Aagaard and J. Harrison, editors, Theorem Proving in Higher Order Logics, number 1869 in Lect. Notes Comp. Sci., pages 301-319. Springer, Berlin, 2000.
17. B. Jacobs. A formalisation of Java's exception mechanism. In D. Sands, editor, Programming Languages and Systems (ESOP), number 2028 in Lect. Notes Comp. Sci., pages 284-301. Springer, Berlin, 2001.
18. B. Jacobs. Java's integral types in PVS. Manuscript, http://www.cs.kun.nl/~bart/PAPERS/, 2003.
19. G.T. Leavens, A.L. Baker, and C. Ruby. JML: A notation for detailed design. In H. Kilov and B. Rumpe, editors, Behavioral Specifications of Business and Systems, pages 175-188. Kluwer, 1999.
20. G.T. Leavens, A.L. Baker, and C. Ruby. Preliminary design of JML: A behavioral interface specification language for Java. Techn. Rep. 98-06, Dep. of Comp. Sci., Iowa State Univ. http://www.cs.iastate.edu/~leavens/JML.html, 1999.
21. G.T. Leavens, E. Poll, C. Clifton, Y. Cheon, and C. Ruby. JML reference manual (draft). www.jmlspecs.org, 2002.
22. B. Liskov and J.M. Wing. A behavioral notion of subtyping. ACM Trans. on Prog. Lang. & Syst., 16(6):1811-1841, 1994.
23. J. Meyer and A. Poetzsch-Heffter. An architecture for interactive program provers. In S. Graf and M. Schwartzbach, editors, Tools and Algorithms for the Construction and Analysis of Systems, number 1785 in Lect. Notes Comp. Sci., pages 63-77. Springer, Berlin, 2000.
24. E. Poll, J. van den Berg, and B. Jacobs. Specification of the Java Card API in JML. In J. Domingo-Ferrer, D. Chan, and A. Watson, editors, Smart Card Research and Advanced Application, pages 135-154. Kluwer Acad. Publ., 2000.
25. C. Szyperski. Component Software. Addison-Wesley, 1998.