Skip to main content
SpringerLink
Log in

Further Lessons from the JML Project

  • Chapter
  • First Online:
The Logic of Software. A Tasting Menu of Formal Methods

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13360))

Abstract

JML is an ambitious project in formal specification and verification that has aimed to bring value to Java programmers. As an international, cooperative effort, JML has been a uniting force, bringing together tools such as KeY, OpenJML, and many others. Specification language designers can learn much from the experience gathered by the JML team. The lessons of the JML project can be useful to others designing specification languages and tools, not only for object-oriented languages such as Java, but more generally.

G. T. Leavens—Much of the early work on JML was supported by the US National Science Foundation and carried out while Leavens was at Iowa State University.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The date of Leavens’s visit to DEC SRC is unclear, but was probably in 1998.

  2. 2.

    In fact, the JastAdd Java compiler has not kept up with Java’s evolution, although JastAdd itself provides the capability to do so.

  3. 3.

    For validity, a library should also be verified against its specifications, but we are more concerned with verifying client code in this section.

  4. 4.

    The figure shows the sets of pre-states and post-states as connected, but that is just for convenience in the figure; it is not necessary or required by JML.

  5. 5.

    The figure shows the method as delivering a connected set of post-states, but again that is not necessary.

  6. 6.

    An alternative solution, which could be used if one is designing a new programming language from scratch [129], is to design all types to have a value semantics.

  7. 7.

    The reason given for not allowing a loosening of preconditions in an overriding method is that “The run-time checks evoked by the method contract are thus also inherited.” [11, p. 56]. However with client-aware-checking of preconditions [135], the precondition of the receiver’s static type are checked at call sites, which allows JML’s more flexible form of specification inheritance to still enforce precondition checks based on static type information at call sites as would be done in Spec#.

References

  1. Ahrendt, W.: The Java Modeling Language - a basis for static and dynamic verification, June 2018. https://youtu.be/9ItK0jxJ0oQ

  2. Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification - The KeY Book. LNCS, vol. 10001. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49812-6

    Book  Google Scholar 

  3. Banerjee, A., Naumann, D.A.: Local reasoning for global invariants, part ii: dynamic boundaries. J. ACM 60(3), 19:1–19:73 (2013). https://doi.org/10.1145/2485981. http://doi.acm.org/10.1145/2485981

  4. Banerjee, A., Naumann, D.A., Rosenberg, S.: Local reasoning for global invariants, part i: region logic. J. ACM 60(3), 18:1–18:56 (2013). https://doi.org/10.1145/2485982. http://doi.acm.org/10.1145/2485982

  5. Bao, Y.: Reasoning about frame properties in object-oriented programs. Technical report, CS-TR-17-05, Computer Science, University of Central Florida, Orlando, Florida, December 2017. The author’s dissertation. https://goo.gl/WZGMiB

  6. Bao, Y., Leavens, G.T.: A methodology for invariants, framing, and subtyping in JML. In: Müller, P., Schaefer, I. (eds.) Principled Software Development, pp. 19–39. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98047-8_2

    Chapter  Google Scholar 

  7. Bao, Y., Leavens, G.T., Ernst, G.: Unifying separation logic and region logic to allow interoperability. Form. Asp. Comput. 30, 381–441 (2018). https://doi.org/10.1007/s00165-018-0455-5

  8. Barnes, J.: High Integrity Software: The SPARK Approach to Safety and Security. Addison Wesley, New York (2003)

    Google Scholar 

  9. Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006). https://doi.org/10.1007/11804192_17

    Chapter  Google Scholar 

  10. Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. J. Object Technol. 3(6), 27–56 (2004). http://tinyurl.com/m2a8j

  11. Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: an overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30569-9_3

    Chapter  Google Scholar 

  12. Barringer, H., Cheng, J.H., Jones, C.B.: A logic covering undefinedness in program proofs. Acta Informatica 21(3), 251–269 (1984)

    Article  MathSciNet  Google Scholar 

  13. Baudin, P., et al.: ACSL: ANSI C Specification Language (2008ff). http://frama-c.com/download/acsl_1.4.pdf

  14. Baudin, P., et al.: The dogged pursuit of bug-free C programs: the Frama-C software analysis platform. Commun. ACM 64(8), 56–68 (2021). https://doi.org/10.1145/3470569

  15. Beckert, B.: A dynamic logic for Java Card. In: Drossopoulou, S., Eisenbach, S., Jacobs, B., Leavens, G.T., Müller, P., Poetzsch-Heffter, A. (eds.) Workshop on Formal Techniques for Java Programs (FTfJP). Technical report 269, Fernuniversität Hagen (2000)

    Google Scholar 

  16. Beckert, B., Hähnle, R., Schmitt, P.H.: Verification of Object-Oriented Software: The KeY Approach. LNCS, vol. 4334. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69061-0

    Book  MATH  Google Scholar 

  17. van den Berg, J., Jacobs, B.: The loop compiler for Java and JML. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 299–312. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45319-9_21

    Chapter  Google Scholar 

  18. van den Berg, J., Poll, E., Jacobs, B.: First steps in formalising JML: exceptions in predicates. In: Drossopoulou, S., Eisenbach, S., Jacobs, B., Leavens, G.T., Müller, P., Poetzsch-Heffter, A. (eds.) Formal Techniques for Java Programs. Proceedings of the ECOOP’00 Workshop. Technical report, Fernuniversität Hagen (2000). http://www.cs.ru.nl/~erikpoll/publications/ftfjp00.ps.gz

  19. Blanc, R., Kuncak, V., Kneuss, E., Suter, P.: An overview of the leon verification system: verification by translation to recursive functions. In: Proceedings of the 4th Workshop on Scala. SCALA 2013. Association for Computing Machinery, New York (2013). https://doi.org/10.1145/2489837.2489838

  20. Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Why3: shepherd your herd of provers. In: Boogie 2011: First International Workshop on Intermediate Verification Languages, pp. 53–64. Wrocław, Poland (2011). https://hal.inria.fr/hal-00790310

  21. Boerman, J., Huisman, M., Joosten, S.: Reasoning about JML: differences between KeY and OpenJML. In: Furia, C.A., Winter, K. (eds.) IFM 2018. LNCS, vol. 11023, pp. 30–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98938-9_3

    Chapter  Google Scholar 

  22. Borgida, A., Mylopoulos, J., Reiter, R.: On the frame problem in procedure specifications. IEEE Trans. Softw. Eng. 21(10), 785–798 (1995). http://doi.ieeecomputersociety.org/10.1109/32.469460

  23. Breunesse, C.B., Poll, E.: Verifying JML specifications with model fields. In: Formal Techniques for Java-like Programs (FTfJP), pp. 51–60. No. 408 in Technical report, ETH Zurich, July 2003. http://www.cs.ru.nl/~erikpoll/publications/ftfjp03.pdf

  24. Büchi, M., Weck, W.: A plea for grey-box components. In: Leavens, G.T., Sitaraman, M. (eds.) Foundations of Component-Based Systems Workshop. University of Central Florida (1997). https://www.cs.ucf.edu/~leavens/FoCBS/buechi.html

  25. Burdy, L., et al.: An overview of JML tools and applications. In: Arts, T., Fokkink, W. (eds.) Eighth International Workshop on Formal Methods for Industrial Critical Systems (FMICS 2003). Electronic Notes in Theoretical Computer Science (ENTCS), vol. 80, pp. 73–89. Elsevier (2003). http://www.sciencedirect.com/science/journal/15710661

  26. Chalin, P.: Back to basics: language support and semantics of basic infinite integer types in JML and Larch. Technical report, CU-CS 2002–003.1, Computer Science Department, Concordia University (2002). http://www.cs.concordia.ca/~faculty/chalin/papers/TR-CU-CS-2002-003.1.pdf

  27. Chalin, P.: Improving JML: for a safer and more effective language. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 440–461. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45236-2_25http://www.springerlink.com/content/26cpmd9b3vbgd2et

    Chapter  Google Scholar 

  28. Chalin, P.: Logical foundations of program assertions: What do practitioners want? In: Proceedings of the 3rd International Conference on Software Engineering and Formal Method (SEFM). IEEE Computer Society, Los Alamitos, California (2005). http://www.cs.concordia.ca/~chalin/papers/TR-2005-002-r2.pdf

  29. Chalin, P.: Towards support for non-null types and non-null-by default in Java. In: Workshop on Formal Techniques for Java-like Programs (FTfJP) (2006). http://www.disi.unige.it/person/AnconaD/FTfJP06/paper03.pdf

  30. Chalin, P.: A sound assertion semantics for the dependable systems evoluation verifying compiler. In: International Conference on Software Engineering (ICSE), Los Alamitos, California, pp. 23–33. IEEE, May 2007. http://dx.doi.org/10.1109/ICSE.2007.9

  31. Chalin, P., Kiniry, J.R., Leavens, G.T., Poll, E.: Beyond assertions: advanced specification and verification with JML and ESC/Java2. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 342–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11804192_16https://tinyurl.com/3z2vk55n

    Chapter  Google Scholar 

  32. Chalin, P., Rioux, F.: Non-null references by default in the Java modeling language. In: Proceedings of the Workshop on the Specification and Verification of Component-Based Systems (SAVCBS 2005). ACM Software Engineering Notes, vol. 31, no. 2. ACM (2005)

    Google Scholar 

  33. Chen, Y., Cheng, B.H.C.: A semantic foundation for specification matching. In: Leavens, G.T., Sitaraman, M. (eds.) Foundations of Component-Based Systems, pp. 91–109. Cambridge University Press, New York (2000)

    Google Scholar 

  34. Cheng, J.H., Jones, C.B.: On the usability of logics which handle partial functions. In: Morgan, C., Woodcock, J.C.P. (eds.) Proceedings of the Third Refinement Workshop. Workshops in Computing Series, pp. 51–69. Springer, Berlin (1991)

    Google Scholar 

  35. Cheon, Y., Leavens, G.T.: A quick overview of Larch/C++. J. Object-Oriented Program. 7(6), 39–49 (1994)

    Google Scholar 

  36. Cheon, Y., Leavens, G.T.: A runtime assertion checker for the Java modeling language (JML). In: Arabnia, H.R., Mun, Y. (eds.) Proceedings of the International Conference on Software Engineering Research and Practice (SERP 2002), Las Vegas, Nevada, USA, 24–27 June 2002, pp. 322–328. CSREA Press (2002). ftp://ftp.cs.iastate.edu/pub/techreports/TR02-05/TR.pdf

  37. Cheon, Y., Leavens, G.T.: A simple and practical approach to unit testing: the JML and JUnit way. In: Magnusson, B. (ed.) ECOOP 2002. LNCS, vol. 2374, pp. 231–255. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-47993-7_10https://tinyurl.com/4tk2nzzd

    Chapter  Google Scholar 

  38. Clarke, D.G., Noble, J., Potter, J.M.: Simple ownership types for object containment. In: Knudsen, J.L. (ed.) ECOOP 2001. LNCS, vol. 2072, pp. 53–76. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45337-7_4

    Chapter  Google Scholar 

  39. Clifton, C.: MultiJava: design, implementation, and evaluation of a Java-compatible language supporting modular open classes and symmetric multiple dispatch. Technical report, 01-10, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, November 2001. ftp://ftp.cs.iastate.edu/pub/techreports/TR01-10/TR.pdf. The author’s masters thesis

  40. Cok, D.R.: OpenJML: JML for Java 7 by extending OpenJDK. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 472–479. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398-5_35

    Chapter  Google Scholar 

  41. Cok, D.R.: (2018). http://www.openjml.org

  42. Cok, D.R.: Reasoning about functional programming in Java and C++. In: Companion Proceedings for the ISSTA/ECOOP 2018 Workshops, ISSTA 2018, pp. 37–39. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3236454.3236483

  43. Cok, D.R.: JML and OpenJML for Java 16. In: Proceedings of the 23rd ACM International Workshop on Formal Techniques for Java-like Programs, FTfJP 2021, pp. 65–67. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3464971.3468417

  44. Cok, D.R., Kiniry, J.: ESC/Java2: uniting ESC/Java and JML. progress and issues in building and using ESC/Java2 and a report on a case study involving the use of ESC/Java2 to verify portions of an internet voting tally system, May 2004. Presented at CASSIS 2004 and submitted for publication

    Google Scholar 

  45. Cok, D.R., Kiniry, J.R.: ESC/Java2: uniting ESC/Java and JML. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 108–128. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30569-9_6

    Chapter  Google Scholar 

  46. Cok, D.R., Leavens, G.T., Ulbrich, M.: Java Modeling Language (JML) Reference Manual, 2nd edn (2022, in progress). https://www.openjml.org/documentation/JML_Reference_Manual.pdf

  47. Cok, D.R., Tasiran, S.: Practical methods for reasoning about java 8’s functional programming features. In: Piskac, R., Rümmer, P. (eds.) VSTTE 2018. LNCS, vol. 11294, pp. 267–278. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03592-1_15

    Chapter  Google Scholar 

  48. Damm, W., Josko, B.: A sound and relatively complete Hoare-logic for a language with higher type procedures. Acta Informatica 20(1), 59–101 (1983). http://dx.doi.org/10.1007/BF00264295

  49. DeLine, R., Leino, K.R.M.: BoogiePL: a typed procedural language for checking object-oriented programs. Technical report, MSR-TR-2005-70, Microsoft Research (2005). ftp://ftp.research.microsoft.com/pub/tr/TR-2005-70.pdf

  50. Detlefs, D.L., Leino, K.R.M., Nelson, G., Saxe, J.B.: Extended static checking. SRC Research Report 159, Compaq Systems Research Center, 130 Lytton Ave., Palo Alto, December 1998

    Google Scholar 

  51. Dhara, K.K., Leavens, G.T.: Forcing behavioral subtyping through specification inheritance. In: Proceedings of the 18th International Conference on Software Engineering, Berlin, Germany, pp. 258–267. IEEE Computer Society Press, Los Alamitos (1996). http://doi.ieeecomputersociety.org/10.1109/ICSE.1996.493421. A corrected version is ISU CS TR #95-20c. http://tinyurl.com/s2krg

  52. Dijkstra, E.W.: Guarded commands, nondeterminancy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)

    Article  Google Scholar 

  53. Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall Inc, Englewood Cliffs (1976)

    MATH  Google Scholar 

  54. Dillig, I., Dillig, T., Li, B., McMillan, K.: Inductive invariant generation via abductive inference. In: Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages and Applications, OOPSLA 2013, pp. 443–456. Association for Computing Machinery, New York (2013). https://doi.org/10.1145/2509136.2509511

  55. Drossopoulou, S., Francalanza, A., Müller, P., Summers, A.J.: A unified framework for verification techniques for object invariants. In: Vitek, J. (ed.) ECOOP 2008. LNCS, vol. 5142, pp. 412–437. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70592-5_18

    Chapter  Google Scholar 

  56. Drossopoulou, S., Francalanza, A., Müller, P.: A unified framework for verification techniques for object invariants. In: International Workshop on Foundations of Object-Oriented Languages (FOOL 2008) (2008). http://fool08.kuis.kyoto-u.ac.jp/drossopoulou.pdf

  57. Ekman, T., Hedin, G.: The JastAdd system – modular extensible compiler construction. Sci. Comput. Program. 69(1–3), 14–26 (2007). https://doi.org/10.1016/j.scico.2007.02.003

    Article  MathSciNet  MATH  Google Scholar 

  58. EPFL, Lausanne, Switzerland: Stainless Verification Framework (2022). https://epfl-lara.github.io/stainless/intro.html

  59. Ernst, G.W., Navlakha, J.K., Ogden, W.F.: Verification of programs with procedure-type parameters. Acta Informatica 18(2), 149–169 (1982)

    Article  MathSciNet  Google Scholar 

  60. Ernst, M., Cockrell, J., Griswold, W.G., Notkin, D.: Dynamically discovering likely program invariants to support program evolution. IEEE Trans. Softw. Eng. 27(2), 99–123 (2001). http://doi.ieeecomputersociety.org/10.1109/32.908957

  61. Ernst, M., et al.: Daikon website. https://plse.cs.washington.edu/daikon/. Accessed Sept 2021

  62. Filliâtre, J.-C., Paskevich, A.: Why3 — where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37036-6_8

    Chapter  Google Scholar 

  63. Findler, R.B., Felleisen, M.: Contract soundness for object-oriented languages. In: OOPSLA 2001 Conference Proceedings. Object-Oriented Programming, Systems, Languages, and Applications, 14–18 October 2001, Tampa Bay, Florida, USA, pp. 1–15. ACM, New York (2001)

    Google Scholar 

  64. Fitzgerald, J., Larsen, P.G.: Modelling Systems: Practical Tools in Software Development. Cambridge University Press, Cambridge (1998)

    MATH  Google Scholar 

  65. Flanagan, C., Leino, K.R.M.: Houdini, an annotation assistant for ESC/Java. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 500–517. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45251-6_29http://www.springerlink.com/content/nxukfdgg7623q3a9

    Chapter  Google Scholar 

  66. (2011ff). https://frama-c.com

  67. Gosling, J., Joy, B., Steele, G.: The Java Language Specification. The Java Series. Addison-Wesley, Reading (1996). http://www.aw.com/cp/javaseries.html

  68. de Gouw, S., Rot, J., de Boer, F.S., Bubel, R., Hähnle, R.: OpenJDK’s Java.utils.Collection.sort() is broken: the good, the bad and the worst case. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 273–289. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_16

    Chapter  Google Scholar 

  69. Gulwani, S., Srivastava, S., Venkatesan, R.: Program analysis as constraint solving. In: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2008, pp. 281–292. Association for Computing Machinery, New York (2008). https://doi.org/10.1145/1375581.1375616

  70. Guttag, J.V., Horning, J.J.: Report on the larch shared language. Sci. Comput. Program. 6(2), 103–134 (1986)

    Article  Google Scholar 

  71. Guttag, J.V., Horning, J.J., Garland, S.J., Jones, K.D., Modet, A., Wing, J.M.: Larch: Languages and Tools for Formal Specification. Springer, New York (1993). https://doi.org/10.1007/978-1-4612-2704-5

    Book  Google Scholar 

  72. Guttag, J.V., Horning, J.J., Wing, J.M.: The Larch family of specification languages. IEEE Softw. 2(5), 24–36 (1985)

    Article  Google Scholar 

  73. Haddad, G., Leavens, G.T.: Extensible dynamic analysis for JML: a case study with loop annotations. Technical report, CS-TR-08-05, School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, Florida, April 2008

    Google Scholar 

  74. Haddad, G., Leavens, G.T.: Specifying subtypes in safety critical Java programs. Concurr. Comput. Pract. Exp. 25(16), 2290–2306 (2013)

    Google Scholar 

  75. Hall, A.: Seven myths of formal methods. IEEE Softw. 7(5), 11–19 (1990)

    Article  Google Scholar 

  76. Hamza, J., Voirol, N., Kunčak, V.: System FR: formalized foundations for the Stainless verifier. Proc. ACM Program. Lang. 3(OOPSLA) (2019). https://doi.org/10.1145/3360592

  77. Hatcliff, J., Leavens, G.T., Leino, K.R.M., Müller, P., Parkinson, M.: Behavioral interface specification languages. ACM Comput. Surv. 44(3), 16:1–16:58 (2012). https://doi.org/10.1145/2187671.2187678. http://doi.acm.org/10.1145/2187671.2187678

  78. Hoder, K., Kovács, L., Voronkov, A.: Invariant generation in vampire. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 60–64. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_7

    Chapter  Google Scholar 

  79. Hubbers, E., Oostdijk, M., Poll, E.: From finite state machines to provably correct JavaCard applets. In: Workshop of IFIP WG 11.2 - Small Systems Security. IFIP (2003). http://www.cs.ru.nl/~erikpoll/publications/sec03.pdf

  80. Huisman, M., Jacobs, B.: Java program verification via a hoare logic with abrupt termination. In: Maibaum, T. (ed.) FASE 2000. LNCS, vol. 1783, pp. 284–303. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46428-X_20

    Chapter  Google Scholar 

  81. Hussain, F., Leavens, G.T.: temporaljmlc: a JML runtime assertion checker extension for specification and checking of temporal properties. Technical report, CS-TR-10-08, UCF, Department of EECS, Orlando, Florida, July 2010

    Google Scholar 

  82. Ishtiaq, S.S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2001, pp. 14–26. ACM, New York (2001). http://doi.acm.org/10.1145/360204.375719

  83. Jacobs, B., van den Berg, J., Huisman, M., van Berkum, M., Hensel, U., Tews, H.: Reasoning about Java classes (preliminary report). In: OOPSLA 1998 Conference Proceedings. ACM SIGPLAN Notices, vol. 33, no. 10, pp. 329–340. ACM, October 1998

    Google Scholar 

  84. Jacobs, B., Kiniry, J., Warnier, M.: Java program verification challenges. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2002. LNCS, vol. 2852, pp. 202–219. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39656-7_8

    Chapter  Google Scholar 

  85. Jacobs, B., Meijer, H., Poll, E.: VerifiCard: a European project for smart card verification. Newsletter 5 of the Dutch Association for Theoretical Computer Science (NVTI) (2001). https://repository.ubn.ru.nl/bitstream/handle/2066/130369/130369.pdf

  86. Jones, C.B.: Program specification and verification in VDM. Technical report, UMCS-86-10-5, Department of Computer Science, University of Manchester, Manchester M13 9PL, England, November 1986

    Google Scholar 

  87. Jones, C.B.: Systematic software development using VDM. International Series in Computer Science, Prentice-Hall Inc., Englewood Cliffs (1986)

    MATH  Google Scholar 

  88. The KeY project. https://www.key-project.org. Accessed Sept 2021

  89. Leavens, G.T.: An overview of Larch/C++: behavioral specifications for C++ modules. In: Kilov, H., Harvey, W. (eds.) Specification of Behavioral Semantics in Object-Oriented Information Modeling, chap. 8, pp. 121–142. Kluwer Academic Publishers, Boston (1996). An extended version is TR #96-01d, Department of Computer Science, Iowa State University, Ames, Iowa, 50011

    Google Scholar 

  90. Leavens, G.T.: JML’s rich, inherited specifications for behavioral subtypes. In: Liu, Z., He, J. (eds.) ICFEM 2006. LNCS, vol. 4260, pp. 2–34. Springer, Heidelberg (2006). https://doi.org/10.1007/11901433_2

    Chapter  Google Scholar 

  91. Leavens, G.T., Baker, A.L.: Enhancing the pre- and postcondition technique for more expressive specifications. In: Wing, J.M., Woodcock, J., Davies, J. (eds.) FM 1999. LNCS, vol. 1709, pp. 1087–1106. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48118-4_8

    Chapter  Google Scholar 

  92. Leavens, G.T., Baker, A.L., Ruby, C.: JML: a Java modeling language. In: Formal Underpinnings of Java Workshop (at OOPSLA 1998), October 1998. http://www-dse.doc.ic.ac.uk/~sue/oopsla/cfp.html

  93. Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: a behavioral interface specification language for Java. ACM SIGSOFT Softw. Eng. Notes 31(3), 1–38 (2006). http://doi.acm.org/10.1145/1127878.1127884

  94. Leavens, G.T., Clifton, C.: Lessons from the JML project. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 134–143. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69149-5_15

    Chapter  Google Scholar 

  95. Leavens, G.T., Leino, K.R.M., Müller, P.: Specification and verification challenges for sequential object-oriented programs. Formal Aspects Comput. 19(2), 159–189 (2007). http://dx.doi.org/10.1007/s00165-007-0026-7

  96. Leavens, G.T., Müller, P.: Information hiding and visibility in interface specifications. In: International Conference on Software Engineering (ICSE), Los Alamitos, California, pp. 385–395. IEEE, May 2007. http://dx.doi.org/10.1109/ICSE.2007.44

  97. Leavens, G.T., Naumann, D.A.: Behavioral subtyping, specification inheritance, and modular reasoning. TOPLAS 37(4), 13:1–13:88 (2015). https://doi.org/10.1145/2766446. http://doi.acm.org/10.1145/2766446

  98. Leavens, G.T., Naumann, D.A., Rosenberg, S.: Preliminary definition of Core JML. CS Report 2006-07, Stevens Institute of Technology, September 2006. http://www.cs.stevens.edu/~naumann/publications/SIT-TR-2006-07.pdf

  99. Leavens, G.T., et al.: JML Reference Manual, May 2008. http://www.jmlspecs.org

  100. Leavens, G.T., Weihl, W.E.: Reasoning about object-oriented programs that use subtypes (extended abstract). In: Meyrowitz, N. (ed.) OOPSLA ECOOP 1990 Proceedings. ACM SIGPLAN Notices, vol. 25, no. 10, pp. 212–223. ACM (1990). http://doi.acm.org/10.1145/97945.97970

  101. Leavens, G.T., Weihl, W.E.: Specification and verification of object-oriented programs using supertype abstraction. Acta Informatica 32(8), 705–778 (1995). http://dx.doi.org/10.1007/BF01178658

  102. Leavens, G.T., Wing, J.M.: Protective interface specifications. Formal Aspects Comput. 10(1), 59–75 (1998). http://dx.doi.org/10.1007/PL00003926

  103. Leino, K.R.M.: Specification and verification of object-oriented software (2008). http://research.microsoft.com/en-us/um/people/leino/papers/krml190.pdf. Lecture notes from Marktoberdorf Internation Summer School. http://research.microsoft.com/en-us/um/people/leino/papers/krml190.pdf

  104. Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17511-4_20

    Chapter  MATH  Google Scholar 

  105. Leino, K.R.M., Ford, R.L., Cok, D.R.: Dafny reference manual, July 2021. https://github.com/dafny-lang/dafny/blob/master/docs/DafnyRef/out/DafnyRef.pdf

  106. Leino, K.R.M., Monahan, R.: Reasoning about comprehensions with first-order SMT solvers. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC 2009, pp. 615–622. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1529282.1529411

  107. Leino, K.R.M., Monahan, R.: Dafny meets the verification benchmarks challenge. In: Leavens, G.T., O’Hearn, P., Rajamani, S.K. (eds.) VSTTE 2010. LNCS, vol. 6217, pp. 112–126. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15057-9_8

    Chapter  Google Scholar 

  108. Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 491–515. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24851-4_22http://www.springerlink.com/content/ttfnjg36yq64pah8

    Chapter  Google Scholar 

  109. Leino, K.R.M., Müller, P.: Modular verification of static class invariants. In: Fitzgerald, J., Hayes, I.J., Tarlecki, A. (eds.) FM 2005. LNCS, vol. 3582, pp. 26–42. Springer, Heidelberg (2005). https://doi.org/10.1007/11526841_4https://tinyurl.com/4xfc2989

    Chapter  Google Scholar 

  110. Leino, K.R.M., et al.: Dafny github site. https://github.com/dafny-lang/dafny. Accessed Sept 2021

  111. Marché, C., Paulin-Mohring, C., Urbain, X.: The KRAKATOA tool for certification of JAVA/JAVACARD programs annotated in JML. J. Logic Algebraic Program. 58(1–2), 89–106 (2004). http://dx.doi.org/10.1016/j.jlap.2003.07.006

  112. Meyer, B.: Object-Oriented Software Construction, vol. 2. Prentice Hall, New York (1997)

    MATH  Google Scholar 

  113. Müller, P.: Modular Specification and Verification of Object-Oriented Programs. LNCS, vol. 2262. Springer, Berlin (2002). https://doi.org/10.1007/3-540-45651-1http://tinyurl.com/jtwot

    Book  MATH  Google Scholar 

  114. Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular specification of frame properties in JML. Concurr. Comput. Pract. Exp. 15(2), 117–154 (2003). https://doi.org/10.1002/cpe.713. ftp://ftp.cs.iastate.edu/pub/techreports/TR02-02/TR.pdf

  115. Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular invariants for layered object structures. Sci. Comput. Program. 62(3), 253–286 (2006). http://dx.doi.org/10.1016/j.scico.2006.03.001

  116. Naumann, D.A.: Observational purity and encapsulation. Theor. Comput. Sci. 376(3), 205–224 (2007)

    Article  MathSciNet  Google Scholar 

  117. Nilizadeh, A.: Test overfitting: challenges, approaches, and measurements. Technical report, University of Central Florida, Computer Science (2021)

    Google Scholar 

  118. Nilizadeh, A.: Automated program repair and test overfitting: measurements and approaches using formal methods. In: 2022 15th IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE (2022, in press)

    Google Scholar 

  119. Nilizadeh, A., Calvo, M., Leavens, G.T., Cok, D.R.: Generating counterexamples in the form of unit tests from Hoare-style verification attempts. In: IEEE/ACM 10th International Conference on Formal Methods in Software Engineering (FormaliSE). IEEE (2022, in press)

    Google Scholar 

  120. Nilizadeh, A., Calvo, M., Leavens, G.T., Le, X.B.D.: More reliable test suites for dynamic APR by using counterexamples. In: 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE), Los Altos, pp. 208–219. IEEE (2021). https://doi.org/10.1109/ISSRE52982.2021.00032

  121. Nilizadeh, A., Leavens, G.T.: Be realistic: automated program repair is a combination of undecidable problems. In: 2022 IEEE/ACM International Workshop on Automated Program Repair (APR). IEEE (2022, in press)

    Google Scholar 

  122. Nilizadeh, A., Leavens, G.T., Le, X.B.D., Păsăreanu, C.S., Cok, D.R.: Exploring true test overfitting in dynamic automated program repair using formal methods. In: 2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST), Los Altos, pp. 229–240. IEEE (2021). https://tinyurl.com/bn3ecw98

  123. Nilizadeh, A., Leavens, G.T., Păsăreanu, C.S.: Using a guided fuzzer and preconditions to achieve branch coverage with valid inputs. In: Loulergue, F., Wotawa, F. (eds.) TAP 2021. LNCS, vol. 12740, pp. 72–84. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-79379-1_5https://tinyurl.com/4xzxxrn2

    Chapter  Google Scholar 

  124. Nimmer, J.W., Ernst, M.D.: Static verification of dynamically detected program invariants: integrating daikon and ESC/Java. In: Proceedings of RV’01, First Workshop on Runtime Verification. Elsevier (2001). http://dx.doi.org/10.1016/S1571-0661(04)00256-7

  125. Noble, J., Vitek, J., Potter, J.: Flexible alias protection. In: Jul, E. (ed.) ECOOP 1998. LNCS, vol. 1445, pp. 158–185. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054091

    Chapter  Google Scholar 

  126. Oracle: OpenJDK (2021). http://openjdk.java.net/. Accessed Sept 2021

  127. Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-55602-8_217

    Chapter  Google Scholar 

  128. Pearce, D.J.: JPure: a modular purity system for java. In: Knoop, J. (ed.) CC 2011. LNCS, vol. 6601, pp. 104–123. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19861-8_7

    Chapter  Google Scholar 

  129. Pearce, D.J., Groves, L.: Whiley: a platform for research in software verification. In: Erwig, M., Paige, R.F., Van Wyk, E. (eds.) SLE 2013. LNCS, vol. 8225, pp. 238–248. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02654-1_13

    Chapter  Google Scholar 

  130. Poll, E., van den Berg, J., Jacobs, B.: Specification of the JavaCard API in JML. In: Domingo-Ferrer, J., Chan, D., Watson, A. (eds.) Smart Card Research and Advanced Application Conference (CARDIS 2000), pp. 135–154. Kluwer Academic Publishers (2000)

    Google Scholar 

  131. Raghavan, A.D.: Design of a JML documentation generator. Technical report, 00-12, Iowa State University, Department of Computer Science, July 2000. ftp://ftp.cs.iastate.edu/pub/techreports/TR00-12/TR.ps.gz

  132. Rajan, H., Nguyen, T.N., Leavens, G.T., Dyer, R.: Inferring behavioral specifications from large-scale repositories by leveraging collective intelligence. In: ICSE 2015: The 37th International Conference on Software Engineering: NIER Track, pp. 579–582, May 2015. https://tinyurl.com/jpemux34

  133. Rebêlo, H.: AspectJML website (2021). https://www.cin.ufpe.br/~hemr/aspectjml/. Accessed Sept 2021

  134. Rebêlo, H., et al.: AspectJML: modular specification and runtime checking for crosscutting contracts. In: Proceedings of the 13th International Conference on Modularity, MODULARITY 2014, pp. 157–168. ACM, New York (2014). https://doi.org/10.1145/2577080.2577084. http://doi.acm.org/10.1145/2577080.2577084

  135. Rebêlo, H., Leavens, G.T., Lima, R.M.: Client-aware checking and information hiding in interface specifications with JML/Ajmlc. In: Proceedings of the 2013 Companion Publication for Conference on Systems, Programming, & Applications: Software for Humanity, SPLASH 2013, pp. 11–12. ACM, New York (2013). https://doi.org/10.1145/2508075.2514569.. http://doi.acm.org/10.1145/2508075.2514569

  136. Rebêlo, H., Soares, S., Lima, R., Ferreira, L., Cornélio, M.: Implementing Java modeling language contracts with AspectJ. In: SAC 2008: Proceedings of the 2008 ACM Symposium on Applied computing, pp. 228–233. ACM, New York (2008). http://doi.acm.org/10.1145/1363686.1363745

  137. Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings of the Seventeenth Annual IEEE Symposium on Logic in Computer Science, Los Alamitos, California, pp. 55–74. IEEE Computer Society Press (2002). http://dx.doi.org/10.1109/LICS.2002.1029817

  138. Schmitt, P.H.: A short history of KeY. In: Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Ulbrich, M. (eds.) Deductive Software Verification: Future Perspectives. LNCS, vol. 12345, pp. 3–18. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64354-6_1https://tinyurl.com/3xbrdwbr

    Chapter  Google Scholar 

  139. Shaner, S.M., Leavens, G.T., Naumann, D.A.: Modular verification of higher-order methods with mandatory calls specified by model programs. In: International Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), Montreal, Canada, pp. 351–367. ACM, New York (2007). http://doi.acm.org/10.1145/1297027.1297053. http://doi.acm.org/10.1145/1297027.1297053

  140. Sharma, R., Dillig, I., Dillig, T., Aiken, A.: Simplifying loop invariant generation using splitter predicates. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 703–719. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_57

    Chapter  Google Scholar 

  141. Singleton, J.L., Leavens, G.T., Rajan, H., Cok, D.: Poster: an algorithm and tool to infer practical postconditions. In: 2018 ACM/IEEE 40th International Conference on Software Engineering: Companion Proceedings, Gothenburg, Sweden, pp. 313–314. ACM (2018). https://doi.org/10.1145/3183440.3194986

  142. Smans, J., Jacobs, B., Piessens, F.: Implicit dynamic frames. In: Huisman, M. (ed.) Formal Techniques for Java-like Programs (FTfJP 2008), pp. 1–12. Radboud University, Nijmegen, Technical report ICIS-R08013, Radboud University (2008)

    Google Scholar 

  143. Svendsen, K., Birkedal, L., Parkinson, M.: Verifying generics and delegates. ECOOP 2010 - Object-oriented Programming, p. 175 (2010)

    Google Scholar 

  144. Wills, A.: Capsules and types in fresco: program validation in smalltalk. In: America, P. (ed.) ECOOP 1991: European Conference on Object Oriented Programming. LNCS, vol. 512, pp. 59–76. Springer, New York (1991). http://dx.doi.org/10.1007/BFb0057015

  145. Wills, A.: Specification in fresco. In: Stepney, S., Barden, R., Cooper, D. (eds.) Object Orientation in Z, chap. 11, pp. 127–135. Workshops in Computing, Springer, Cambridge CB2 1LQ, UK (1992)

    Google Scholar 

  146. Wills, A.: Refinement in fresco. In: Lano, K., Houghton, H. (eds.) Object-Oriented Specification Case Studies, chap. 9, pp. 184–201. The Object-Oriented Series. Prentice-Hall, Englewood Cliffs (1994)

    Google Scholar 

  147. Wing, J.M.: A two-tiered approach to specifying programs. Technical report, TR-299, Massachusetts Institute of Technology, Laboratory for Computer Science (1983)

    Google Scholar 

  148. Wolff, F., Bílý, A., Matheja, C., Müller, P., Summers, A.J.: Modular specification and verification of closures in Rust. Proc. ACM Program. Lang. 5(OOPSLA) (2021). https://doi.org/10.1145/3485522

Download references

Acknowledgments

Thanks to David Pearce for comments on an earlier draft of this paper. Thanks to all participants in the JML project (many of whom are named above). Thanks to the US National Science Foundation for funding early work on JML through several grants (at Iowa State University).

Author information

Authors and Affiliations

  1. University of Central Florida, Orlando, FL, USA

    Gary T. Leavens & Amirfarhad Nilizadeh

  2. Safer Software Consulting, Rochester, NY, USA

    David R. Cok

Authors
  1. Gary T. Leavens
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David R. Cok
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Amirfarhad Nilizadeh
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gary T. Leavens .

Editor information

Editors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden

    Wolfgang Ahrendt

  2. Karlsruhe Institute of Technology, Karlsruhe, Germany

    Bernhard Beckert

  3. TU Darmstadt, Darmstadt, Germany

    Richard Bubel

  4. University of Oslo, Oslo, Norway

    Einar Broch Johnsen

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Leavens, G.T., Cok, D.R., Nilizadeh, A. (2022). Further Lessons from the JML Project. In: Ahrendt, W., Beckert, B., Bubel, R., Johnsen, E.B. (eds) The Logic of Software. A Tasting Menu of Formal Methods. Lecture Notes in Computer Science, vol 13360. Springer, Cham. https://doi.org/10.1007/978-3-031-08166-8_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-08166-8_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08165-1

  • Online ISBN: 978-3-031-08166-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation