Abstract
JML is an ambitious project in formal specification and verification that has aimed to bring value to Java programmers. As an international, cooperative effort, JML has been a uniting force, bringing together tools such as KeY, OpenJML, and many others. Specification language designers can learn much from the experience gathered by the JML team. The lessons of the JML project can be useful to others designing specification languages and tools, not only for object-oriented languages such as Java, but more generally.
G. T. Leavens—Much of the early work on JML was supported by the US National Science Foundation and carried out while Leavens was at Iowa State University.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The date of Leavens’s visit to DEC SRC is unclear, but was probably in 1998.
- 2.
In fact, the JastAdd Java compiler has not kept up with Java’s evolution, although JastAdd itself provides the capability to do so.
- 3.
For validity, a library should also be verified against its specifications, but we are more concerned with verifying client code in this section.
- 4.
The figure shows the sets of pre-states and post-states as connected, but that is just for convenience in the figure; it is not necessary or required by JML.
- 5.
The figure shows the method as delivering a connected set of post-states, but again that is not necessary.
- 6.
An alternative solution, which could be used if one is designing a new programming language from scratch [129], is to design all types to have a value semantics.
- 7.
The reason given for not allowing a loosening of preconditions in an overriding method is that “The run-time checks evoked by the method contract are thus also inherited.” [11, p. 56]. However with client-aware-checking of preconditions [135], the precondition of the receiver’s static type are checked at call sites, which allows JML’s more flexible form of specification inheritance to still enforce precondition checks based on static type information at call sites as would be done in Spec#.
References
Ahrendt, W.: The Java Modeling Language - a basis for static and dynamic verification, June 2018. https://youtu.be/9ItK0jxJ0oQ
Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification - The KeY Book. LNCS, vol. 10001. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49812-6
Banerjee, A., Naumann, D.A.: Local reasoning for global invariants, part ii: dynamic boundaries. J. ACM 60(3), 19:1–19:73 (2013). https://doi.org/10.1145/2485981. http://doi.acm.org/10.1145/2485981
Banerjee, A., Naumann, D.A., Rosenberg, S.: Local reasoning for global invariants, part i: region logic. J. ACM 60(3), 18:1–18:56 (2013). https://doi.org/10.1145/2485982. http://doi.acm.org/10.1145/2485982
Bao, Y.: Reasoning about frame properties in object-oriented programs. Technical report, CS-TR-17-05, Computer Science, University of Central Florida, Orlando, Florida, December 2017. The author’s dissertation. https://goo.gl/WZGMiB
Bao, Y., Leavens, G.T.: A methodology for invariants, framing, and subtyping in JML. In: Müller, P., Schaefer, I. (eds.) Principled Software Development, pp. 19–39. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98047-8_2
Bao, Y., Leavens, G.T., Ernst, G.: Unifying separation logic and region logic to allow interoperability. Form. Asp. Comput. 30, 381–441 (2018). https://doi.org/10.1007/s00165-018-0455-5
Barnes, J.: High Integrity Software: The SPARK Approach to Safety and Security. Addison Wesley, New York (2003)
Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006). https://doi.org/10.1007/11804192_17
Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. J. Object Technol. 3(6), 27–56 (2004). http://tinyurl.com/m2a8j
Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: an overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30569-9_3
Barringer, H., Cheng, J.H., Jones, C.B.: A logic covering undefinedness in program proofs. Acta Informatica 21(3), 251–269 (1984)
Baudin, P., et al.: ACSL: ANSI C Specification Language (2008ff). http://frama-c.com/download/acsl_1.4.pdf
Baudin, P., et al.: The dogged pursuit of bug-free C programs: the Frama-C software analysis platform. Commun. ACM 64(8), 56–68 (2021). https://doi.org/10.1145/3470569
Beckert, B.: A dynamic logic for Java Card. In: Drossopoulou, S., Eisenbach, S., Jacobs, B., Leavens, G.T., Müller, P., Poetzsch-Heffter, A. (eds.) Workshop on Formal Techniques for Java Programs (FTfJP). Technical report 269, Fernuniversität Hagen (2000)
Beckert, B., Hähnle, R., Schmitt, P.H.: Verification of Object-Oriented Software: The KeY Approach. LNCS, vol. 4334. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69061-0
van den Berg, J., Jacobs, B.: The loop compiler for Java and JML. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 299–312. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45319-9_21
van den Berg, J., Poll, E., Jacobs, B.: First steps in formalising JML: exceptions in predicates. In: Drossopoulou, S., Eisenbach, S., Jacobs, B., Leavens, G.T., Müller, P., Poetzsch-Heffter, A. (eds.) Formal Techniques for Java Programs. Proceedings of the ECOOP’00 Workshop. Technical report, Fernuniversität Hagen (2000). http://www.cs.ru.nl/~erikpoll/publications/ftfjp00.ps.gz
Blanc, R., Kuncak, V., Kneuss, E., Suter, P.: An overview of the leon verification system: verification by translation to recursive functions. In: Proceedings of the 4th Workshop on Scala. SCALA 2013. Association for Computing Machinery, New York (2013). https://doi.org/10.1145/2489837.2489838
Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Why3: shepherd your herd of provers. In: Boogie 2011: First International Workshop on Intermediate Verification Languages, pp. 53–64. Wrocław, Poland (2011). https://hal.inria.fr/hal-00790310
Boerman, J., Huisman, M., Joosten, S.: Reasoning about JML: differences between KeY and OpenJML. In: Furia, C.A., Winter, K. (eds.) IFM 2018. LNCS, vol. 11023, pp. 30–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98938-9_3
Borgida, A., Mylopoulos, J., Reiter, R.: On the frame problem in procedure specifications. IEEE Trans. Softw. Eng. 21(10), 785–798 (1995). http://doi.ieeecomputersociety.org/10.1109/32.469460
Breunesse, C.B., Poll, E.: Verifying JML specifications with model fields. In: Formal Techniques for Java-like Programs (FTfJP), pp. 51–60. No. 408 in Technical report, ETH Zurich, July 2003. http://www.cs.ru.nl/~erikpoll/publications/ftfjp03.pdf
Büchi, M., Weck, W.: A plea for grey-box components. In: Leavens, G.T., Sitaraman, M. (eds.) Foundations of Component-Based Systems Workshop. University of Central Florida (1997). https://www.cs.ucf.edu/~leavens/FoCBS/buechi.html
Burdy, L., et al.: An overview of JML tools and applications. In: Arts, T., Fokkink, W. (eds.) Eighth International Workshop on Formal Methods for Industrial Critical Systems (FMICS 2003). Electronic Notes in Theoretical Computer Science (ENTCS), vol. 80, pp. 73–89. Elsevier (2003). http://www.sciencedirect.com/science/journal/15710661
Chalin, P.: Back to basics: language support and semantics of basic infinite integer types in JML and Larch. Technical report, CU-CS 2002–003.1, Computer Science Department, Concordia University (2002). http://www.cs.concordia.ca/~faculty/chalin/papers/TR-CU-CS-2002-003.1.pdf
Chalin, P.: Improving JML: for a safer and more effective language. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 440–461. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45236-2_25http://www.springerlink.com/content/26cpmd9b3vbgd2et
Chalin, P.: Logical foundations of program assertions: What do practitioners want? In: Proceedings of the 3rd International Conference on Software Engineering and Formal Method (SEFM). IEEE Computer Society, Los Alamitos, California (2005). http://www.cs.concordia.ca/~chalin/papers/TR-2005-002-r2.pdf
Chalin, P.: Towards support for non-null types and non-null-by default in Java. In: Workshop on Formal Techniques for Java-like Programs (FTfJP) (2006). http://www.disi.unige.it/person/AnconaD/FTfJP06/paper03.pdf
Chalin, P.: A sound assertion semantics for the dependable systems evoluation verifying compiler. In: International Conference on Software Engineering (ICSE), Los Alamitos, California, pp. 23–33. IEEE, May 2007. http://dx.doi.org/10.1109/ICSE.2007.9
Chalin, P., Kiniry, J.R., Leavens, G.T., Poll, E.: Beyond assertions: advanced specification and verification with JML and ESC/Java2. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 342–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11804192_16https://tinyurl.com/3z2vk55n
Chalin, P., Rioux, F.: Non-null references by default in the Java modeling language. In: Proceedings of the Workshop on the Specification and Verification of Component-Based Systems (SAVCBS 2005). ACM Software Engineering Notes, vol. 31, no. 2. ACM (2005)
Chen, Y., Cheng, B.H.C.: A semantic foundation for specification matching. In: Leavens, G.T., Sitaraman, M. (eds.) Foundations of Component-Based Systems, pp. 91–109. Cambridge University Press, New York (2000)
Cheng, J.H., Jones, C.B.: On the usability of logics which handle partial functions. In: Morgan, C., Woodcock, J.C.P. (eds.) Proceedings of the Third Refinement Workshop. Workshops in Computing Series, pp. 51–69. Springer, Berlin (1991)
Cheon, Y., Leavens, G.T.: A quick overview of Larch/C++. J. Object-Oriented Program. 7(6), 39–49 (1994)
Cheon, Y., Leavens, G.T.: A runtime assertion checker for the Java modeling language (JML). In: Arabnia, H.R., Mun, Y. (eds.) Proceedings of the International Conference on Software Engineering Research and Practice (SERP 2002), Las Vegas, Nevada, USA, 24–27 June 2002, pp. 322–328. CSREA Press (2002). ftp://ftp.cs.iastate.edu/pub/techreports/TR02-05/TR.pdf
Cheon, Y., Leavens, G.T.: A simple and practical approach to unit testing: the JML and JUnit way. In: Magnusson, B. (ed.) ECOOP 2002. LNCS, vol. 2374, pp. 231–255. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-47993-7_10https://tinyurl.com/4tk2nzzd
Clarke, D.G., Noble, J., Potter, J.M.: Simple ownership types for object containment. In: Knudsen, J.L. (ed.) ECOOP 2001. LNCS, vol. 2072, pp. 53–76. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45337-7_4
Clifton, C.: MultiJava: design, implementation, and evaluation of a Java-compatible language supporting modular open classes and symmetric multiple dispatch. Technical report, 01-10, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, November 2001. ftp://ftp.cs.iastate.edu/pub/techreports/TR01-10/TR.pdf. The author’s masters thesis
Cok, D.R.: OpenJML: JML for Java 7 by extending OpenJDK. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 472–479. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398-5_35
Cok, D.R.: (2018). http://www.openjml.org
Cok, D.R.: Reasoning about functional programming in Java and C++. In: Companion Proceedings for the ISSTA/ECOOP 2018 Workshops, ISSTA 2018, pp. 37–39. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3236454.3236483
Cok, D.R.: JML and OpenJML for Java 16. In: Proceedings of the 23rd ACM International Workshop on Formal Techniques for Java-like Programs, FTfJP 2021, pp. 65–67. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3464971.3468417
Cok, D.R., Kiniry, J.: ESC/Java2: uniting ESC/Java and JML. progress and issues in building and using ESC/Java2 and a report on a case study involving the use of ESC/Java2 to verify portions of an internet voting tally system, May 2004. Presented at CASSIS 2004 and submitted for publication
Cok, D.R., Kiniry, J.R.: ESC/Java2: uniting ESC/Java and JML. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 108–128. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30569-9_6
Cok, D.R., Leavens, G.T., Ulbrich, M.: Java Modeling Language (JML) Reference Manual, 2nd edn (2022, in progress). https://www.openjml.org/documentation/JML_Reference_Manual.pdf
Cok, D.R., Tasiran, S.: Practical methods for reasoning about java 8’s functional programming features. In: Piskac, R., Rümmer, P. (eds.) VSTTE 2018. LNCS, vol. 11294, pp. 267–278. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03592-1_15
Damm, W., Josko, B.: A sound and relatively complete Hoare-logic for a language with higher type procedures. Acta Informatica 20(1), 59–101 (1983). http://dx.doi.org/10.1007/BF00264295
DeLine, R., Leino, K.R.M.: BoogiePL: a typed procedural language for checking object-oriented programs. Technical report, MSR-TR-2005-70, Microsoft Research (2005). ftp://ftp.research.microsoft.com/pub/tr/TR-2005-70.pdf
Detlefs, D.L., Leino, K.R.M., Nelson, G., Saxe, J.B.: Extended static checking. SRC Research Report 159, Compaq Systems Research Center, 130 Lytton Ave., Palo Alto, December 1998
Dhara, K.K., Leavens, G.T.: Forcing behavioral subtyping through specification inheritance. In: Proceedings of the 18th International Conference on Software Engineering, Berlin, Germany, pp. 258–267. IEEE Computer Society Press, Los Alamitos (1996). http://doi.ieeecomputersociety.org/10.1109/ICSE.1996.493421. A corrected version is ISU CS TR #95-20c. http://tinyurl.com/s2krg
Dijkstra, E.W.: Guarded commands, nondeterminancy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)
Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall Inc, Englewood Cliffs (1976)
Dillig, I., Dillig, T., Li, B., McMillan, K.: Inductive invariant generation via abductive inference. In: Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages and Applications, OOPSLA 2013, pp. 443–456. Association for Computing Machinery, New York (2013). https://doi.org/10.1145/2509136.2509511
Drossopoulou, S., Francalanza, A., Müller, P., Summers, A.J.: A unified framework for verification techniques for object invariants. In: Vitek, J. (ed.) ECOOP 2008. LNCS, vol. 5142, pp. 412–437. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70592-5_18
Drossopoulou, S., Francalanza, A., Müller, P.: A unified framework for verification techniques for object invariants. In: International Workshop on Foundations of Object-Oriented Languages (FOOL 2008) (2008). http://fool08.kuis.kyoto-u.ac.jp/drossopoulou.pdf
Ekman, T., Hedin, G.: The JastAdd system – modular extensible compiler construction. Sci. Comput. Program. 69(1–3), 14–26 (2007). https://doi.org/10.1016/j.scico.2007.02.003
EPFL, Lausanne, Switzerland: Stainless Verification Framework (2022). https://epfl-lara.github.io/stainless/intro.html
Ernst, G.W., Navlakha, J.K., Ogden, W.F.: Verification of programs with procedure-type parameters. Acta Informatica 18(2), 149–169 (1982)
Ernst, M., Cockrell, J., Griswold, W.G., Notkin, D.: Dynamically discovering likely program invariants to support program evolution. IEEE Trans. Softw. Eng. 27(2), 99–123 (2001). http://doi.ieeecomputersociety.org/10.1109/32.908957
Ernst, M., et al.: Daikon website. https://plse.cs.washington.edu/daikon/. Accessed Sept 2021
Filliâtre, J.-C., Paskevich, A.: Why3 — where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37036-6_8
Findler, R.B., Felleisen, M.: Contract soundness for object-oriented languages. In: OOPSLA 2001 Conference Proceedings. Object-Oriented Programming, Systems, Languages, and Applications, 14–18 October 2001, Tampa Bay, Florida, USA, pp. 1–15. ACM, New York (2001)
Fitzgerald, J., Larsen, P.G.: Modelling Systems: Practical Tools in Software Development. Cambridge University Press, Cambridge (1998)
Flanagan, C., Leino, K.R.M.: Houdini, an annotation assistant for ESC/Java. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 500–517. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45251-6_29http://www.springerlink.com/content/nxukfdgg7623q3a9
(2011ff). https://frama-c.com
Gosling, J., Joy, B., Steele, G.: The Java Language Specification. The Java Series. Addison-Wesley, Reading (1996). http://www.aw.com/cp/javaseries.html
de Gouw, S., Rot, J., de Boer, F.S., Bubel, R., Hähnle, R.: OpenJDK’s Java.utils.Collection.sort() is broken: the good, the bad and the worst case. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 273–289. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_16
Gulwani, S., Srivastava, S., Venkatesan, R.: Program analysis as constraint solving. In: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2008, pp. 281–292. Association for Computing Machinery, New York (2008). https://doi.org/10.1145/1375581.1375616
Guttag, J.V., Horning, J.J.: Report on the larch shared language. Sci. Comput. Program. 6(2), 103–134 (1986)
Guttag, J.V., Horning, J.J., Garland, S.J., Jones, K.D., Modet, A., Wing, J.M.: Larch: Languages and Tools for Formal Specification. Springer, New York (1993). https://doi.org/10.1007/978-1-4612-2704-5
Guttag, J.V., Horning, J.J., Wing, J.M.: The Larch family of specification languages. IEEE Softw. 2(5), 24–36 (1985)
Haddad, G., Leavens, G.T.: Extensible dynamic analysis for JML: a case study with loop annotations. Technical report, CS-TR-08-05, School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, Florida, April 2008
Haddad, G., Leavens, G.T.: Specifying subtypes in safety critical Java programs. Concurr. Comput. Pract. Exp. 25(16), 2290–2306 (2013)
Hall, A.: Seven myths of formal methods. IEEE Softw. 7(5), 11–19 (1990)
Hamza, J., Voirol, N., Kunčak, V.: System FR: formalized foundations for the Stainless verifier. Proc. ACM Program. Lang. 3(OOPSLA) (2019). https://doi.org/10.1145/3360592
Hatcliff, J., Leavens, G.T., Leino, K.R.M., Müller, P., Parkinson, M.: Behavioral interface specification languages. ACM Comput. Surv. 44(3), 16:1–16:58 (2012). https://doi.org/10.1145/2187671.2187678. http://doi.acm.org/10.1145/2187671.2187678
Hoder, K., Kovács, L., Voronkov, A.: Invariant generation in vampire. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 60–64. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_7
Hubbers, E., Oostdijk, M., Poll, E.: From finite state machines to provably correct JavaCard applets. In: Workshop of IFIP WG 11.2 - Small Systems Security. IFIP (2003). http://www.cs.ru.nl/~erikpoll/publications/sec03.pdf
Huisman, M., Jacobs, B.: Java program verification via a hoare logic with abrupt termination. In: Maibaum, T. (ed.) FASE 2000. LNCS, vol. 1783, pp. 284–303. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46428-X_20
Hussain, F., Leavens, G.T.: temporaljmlc: a JML runtime assertion checker extension for specification and checking of temporal properties. Technical report, CS-TR-10-08, UCF, Department of EECS, Orlando, Florida, July 2010
Ishtiaq, S.S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2001, pp. 14–26. ACM, New York (2001). http://doi.acm.org/10.1145/360204.375719
Jacobs, B., van den Berg, J., Huisman, M., van Berkum, M., Hensel, U., Tews, H.: Reasoning about Java classes (preliminary report). In: OOPSLA 1998 Conference Proceedings. ACM SIGPLAN Notices, vol. 33, no. 10, pp. 329–340. ACM, October 1998
Jacobs, B., Kiniry, J., Warnier, M.: Java program verification challenges. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2002. LNCS, vol. 2852, pp. 202–219. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39656-7_8
Jacobs, B., Meijer, H., Poll, E.: VerifiCard: a European project for smart card verification. Newsletter 5 of the Dutch Association for Theoretical Computer Science (NVTI) (2001). https://repository.ubn.ru.nl/bitstream/handle/2066/130369/130369.pdf
Jones, C.B.: Program specification and verification in VDM. Technical report, UMCS-86-10-5, Department of Computer Science, University of Manchester, Manchester M13 9PL, England, November 1986
Jones, C.B.: Systematic software development using VDM. International Series in Computer Science, Prentice-Hall Inc., Englewood Cliffs (1986)
The KeY project. https://www.key-project.org. Accessed Sept 2021
Leavens, G.T.: An overview of Larch/C++: behavioral specifications for C++ modules. In: Kilov, H., Harvey, W. (eds.) Specification of Behavioral Semantics in Object-Oriented Information Modeling, chap. 8, pp. 121–142. Kluwer Academic Publishers, Boston (1996). An extended version is TR #96-01d, Department of Computer Science, Iowa State University, Ames, Iowa, 50011
Leavens, G.T.: JML’s rich, inherited specifications for behavioral subtypes. In: Liu, Z., He, J. (eds.) ICFEM 2006. LNCS, vol. 4260, pp. 2–34. Springer, Heidelberg (2006). https://doi.org/10.1007/11901433_2
Leavens, G.T., Baker, A.L.: Enhancing the pre- and postcondition technique for more expressive specifications. In: Wing, J.M., Woodcock, J., Davies, J. (eds.) FM 1999. LNCS, vol. 1709, pp. 1087–1106. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48118-4_8
Leavens, G.T., Baker, A.L., Ruby, C.: JML: a Java modeling language. In: Formal Underpinnings of Java Workshop (at OOPSLA 1998), October 1998. http://www-dse.doc.ic.ac.uk/~sue/oopsla/cfp.html
Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: a behavioral interface specification language for Java. ACM SIGSOFT Softw. Eng. Notes 31(3), 1–38 (2006). http://doi.acm.org/10.1145/1127878.1127884
Leavens, G.T., Clifton, C.: Lessons from the JML project. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 134–143. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69149-5_15
Leavens, G.T., Leino, K.R.M., Müller, P.: Specification and verification challenges for sequential object-oriented programs. Formal Aspects Comput. 19(2), 159–189 (2007). http://dx.doi.org/10.1007/s00165-007-0026-7
Leavens, G.T., Müller, P.: Information hiding and visibility in interface specifications. In: International Conference on Software Engineering (ICSE), Los Alamitos, California, pp. 385–395. IEEE, May 2007. http://dx.doi.org/10.1109/ICSE.2007.44
Leavens, G.T., Naumann, D.A.: Behavioral subtyping, specification inheritance, and modular reasoning. TOPLAS 37(4), 13:1–13:88 (2015). https://doi.org/10.1145/2766446. http://doi.acm.org/10.1145/2766446
Leavens, G.T., Naumann, D.A., Rosenberg, S.: Preliminary definition of Core JML. CS Report 2006-07, Stevens Institute of Technology, September 2006. http://www.cs.stevens.edu/~naumann/publications/SIT-TR-2006-07.pdf
Leavens, G.T., et al.: JML Reference Manual, May 2008. http://www.jmlspecs.org
Leavens, G.T., Weihl, W.E.: Reasoning about object-oriented programs that use subtypes (extended abstract). In: Meyrowitz, N. (ed.) OOPSLA ECOOP 1990 Proceedings. ACM SIGPLAN Notices, vol. 25, no. 10, pp. 212–223. ACM (1990). http://doi.acm.org/10.1145/97945.97970
Leavens, G.T., Weihl, W.E.: Specification and verification of object-oriented programs using supertype abstraction. Acta Informatica 32(8), 705–778 (1995). http://dx.doi.org/10.1007/BF01178658
Leavens, G.T., Wing, J.M.: Protective interface specifications. Formal Aspects Comput. 10(1), 59–75 (1998). http://dx.doi.org/10.1007/PL00003926
Leino, K.R.M.: Specification and verification of object-oriented software (2008). http://research.microsoft.com/en-us/um/people/leino/papers/krml190.pdf. Lecture notes from Marktoberdorf Internation Summer School. http://research.microsoft.com/en-us/um/people/leino/papers/krml190.pdf
Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17511-4_20
Leino, K.R.M., Ford, R.L., Cok, D.R.: Dafny reference manual, July 2021. https://github.com/dafny-lang/dafny/blob/master/docs/DafnyRef/out/DafnyRef.pdf
Leino, K.R.M., Monahan, R.: Reasoning about comprehensions with first-order SMT solvers. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC 2009, pp. 615–622. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1529282.1529411
Leino, K.R.M., Monahan, R.: Dafny meets the verification benchmarks challenge. In: Leavens, G.T., O’Hearn, P., Rajamani, S.K. (eds.) VSTTE 2010. LNCS, vol. 6217, pp. 112–126. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15057-9_8
Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 491–515. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24851-4_22http://www.springerlink.com/content/ttfnjg36yq64pah8
Leino, K.R.M., Müller, P.: Modular verification of static class invariants. In: Fitzgerald, J., Hayes, I.J., Tarlecki, A. (eds.) FM 2005. LNCS, vol. 3582, pp. 26–42. Springer, Heidelberg (2005). https://doi.org/10.1007/11526841_4https://tinyurl.com/4xfc2989
Leino, K.R.M., et al.: Dafny github site. https://github.com/dafny-lang/dafny. Accessed Sept 2021
Marché, C., Paulin-Mohring, C., Urbain, X.: The KRAKATOA tool for certification of JAVA/JAVACARD programs annotated in JML. J. Logic Algebraic Program. 58(1–2), 89–106 (2004). http://dx.doi.org/10.1016/j.jlap.2003.07.006
Meyer, B.: Object-Oriented Software Construction, vol. 2. Prentice Hall, New York (1997)
Müller, P.: Modular Specification and Verification of Object-Oriented Programs. LNCS, vol. 2262. Springer, Berlin (2002). https://doi.org/10.1007/3-540-45651-1http://tinyurl.com/jtwot
Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular specification of frame properties in JML. Concurr. Comput. Pract. Exp. 15(2), 117–154 (2003). https://doi.org/10.1002/cpe.713. ftp://ftp.cs.iastate.edu/pub/techreports/TR02-02/TR.pdf
Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular invariants for layered object structures. Sci. Comput. Program. 62(3), 253–286 (2006). http://dx.doi.org/10.1016/j.scico.2006.03.001
Naumann, D.A.: Observational purity and encapsulation. Theor. Comput. Sci. 376(3), 205–224 (2007)
Nilizadeh, A.: Test overfitting: challenges, approaches, and measurements. Technical report, University of Central Florida, Computer Science (2021)
Nilizadeh, A.: Automated program repair and test overfitting: measurements and approaches using formal methods. In: 2022 15th IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE (2022, in press)
Nilizadeh, A., Calvo, M., Leavens, G.T., Cok, D.R.: Generating counterexamples in the form of unit tests from Hoare-style verification attempts. In: IEEE/ACM 10th International Conference on Formal Methods in Software Engineering (FormaliSE). IEEE (2022, in press)
Nilizadeh, A., Calvo, M., Leavens, G.T., Le, X.B.D.: More reliable test suites for dynamic APR by using counterexamples. In: 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE), Los Altos, pp. 208–219. IEEE (2021). https://doi.org/10.1109/ISSRE52982.2021.00032
Nilizadeh, A., Leavens, G.T.: Be realistic: automated program repair is a combination of undecidable problems. In: 2022 IEEE/ACM International Workshop on Automated Program Repair (APR). IEEE (2022, in press)
Nilizadeh, A., Leavens, G.T., Le, X.B.D., Păsăreanu, C.S., Cok, D.R.: Exploring true test overfitting in dynamic automated program repair using formal methods. In: 2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST), Los Altos, pp. 229–240. IEEE (2021). https://tinyurl.com/bn3ecw98
Nilizadeh, A., Leavens, G.T., Păsăreanu, C.S.: Using a guided fuzzer and preconditions to achieve branch coverage with valid inputs. In: Loulergue, F., Wotawa, F. (eds.) TAP 2021. LNCS, vol. 12740, pp. 72–84. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-79379-1_5https://tinyurl.com/4xzxxrn2
Nimmer, J.W., Ernst, M.D.: Static verification of dynamically detected program invariants: integrating daikon and ESC/Java. In: Proceedings of RV’01, First Workshop on Runtime Verification. Elsevier (2001). http://dx.doi.org/10.1016/S1571-0661(04)00256-7
Noble, J., Vitek, J., Potter, J.: Flexible alias protection. In: Jul, E. (ed.) ECOOP 1998. LNCS, vol. 1445, pp. 158–185. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054091
Oracle: OpenJDK (2021). http://openjdk.java.net/. Accessed Sept 2021
Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-55602-8_217
Pearce, D.J.: JPure: a modular purity system for java. In: Knoop, J. (ed.) CC 2011. LNCS, vol. 6601, pp. 104–123. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19861-8_7
Pearce, D.J., Groves, L.: Whiley: a platform for research in software verification. In: Erwig, M., Paige, R.F., Van Wyk, E. (eds.) SLE 2013. LNCS, vol. 8225, pp. 238–248. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02654-1_13
Poll, E., van den Berg, J., Jacobs, B.: Specification of the JavaCard API in JML. In: Domingo-Ferrer, J., Chan, D., Watson, A. (eds.) Smart Card Research and Advanced Application Conference (CARDIS 2000), pp. 135–154. Kluwer Academic Publishers (2000)
Raghavan, A.D.: Design of a JML documentation generator. Technical report, 00-12, Iowa State University, Department of Computer Science, July 2000. ftp://ftp.cs.iastate.edu/pub/techreports/TR00-12/TR.ps.gz
Rajan, H., Nguyen, T.N., Leavens, G.T., Dyer, R.: Inferring behavioral specifications from large-scale repositories by leveraging collective intelligence. In: ICSE 2015: The 37th International Conference on Software Engineering: NIER Track, pp. 579–582, May 2015. https://tinyurl.com/jpemux34
Rebêlo, H.: AspectJML website (2021). https://www.cin.ufpe.br/~hemr/aspectjml/. Accessed Sept 2021
Rebêlo, H., et al.: AspectJML: modular specification and runtime checking for crosscutting contracts. In: Proceedings of the 13th International Conference on Modularity, MODULARITY 2014, pp. 157–168. ACM, New York (2014). https://doi.org/10.1145/2577080.2577084. http://doi.acm.org/10.1145/2577080.2577084
Rebêlo, H., Leavens, G.T., Lima, R.M.: Client-aware checking and information hiding in interface specifications with JML/Ajmlc. In: Proceedings of the 2013 Companion Publication for Conference on Systems, Programming, & Applications: Software for Humanity, SPLASH 2013, pp. 11–12. ACM, New York (2013). https://doi.org/10.1145/2508075.2514569.. http://doi.acm.org/10.1145/2508075.2514569
Rebêlo, H., Soares, S., Lima, R., Ferreira, L., Cornélio, M.: Implementing Java modeling language contracts with AspectJ. In: SAC 2008: Proceedings of the 2008 ACM Symposium on Applied computing, pp. 228–233. ACM, New York (2008). http://doi.acm.org/10.1145/1363686.1363745
Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings of the Seventeenth Annual IEEE Symposium on Logic in Computer Science, Los Alamitos, California, pp. 55–74. IEEE Computer Society Press (2002). http://dx.doi.org/10.1109/LICS.2002.1029817
Schmitt, P.H.: A short history of KeY. In: Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Ulbrich, M. (eds.) Deductive Software Verification: Future Perspectives. LNCS, vol. 12345, pp. 3–18. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64354-6_1https://tinyurl.com/3xbrdwbr
Shaner, S.M., Leavens, G.T., Naumann, D.A.: Modular verification of higher-order methods with mandatory calls specified by model programs. In: International Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), Montreal, Canada, pp. 351–367. ACM, New York (2007). http://doi.acm.org/10.1145/1297027.1297053. http://doi.acm.org/10.1145/1297027.1297053
Sharma, R., Dillig, I., Dillig, T., Aiken, A.: Simplifying loop invariant generation using splitter predicates. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 703–719. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_57
Singleton, J.L., Leavens, G.T., Rajan, H., Cok, D.: Poster: an algorithm and tool to infer practical postconditions. In: 2018 ACM/IEEE 40th International Conference on Software Engineering: Companion Proceedings, Gothenburg, Sweden, pp. 313–314. ACM (2018). https://doi.org/10.1145/3183440.3194986
Smans, J., Jacobs, B., Piessens, F.: Implicit dynamic frames. In: Huisman, M. (ed.) Formal Techniques for Java-like Programs (FTfJP 2008), pp. 1–12. Radboud University, Nijmegen, Technical report ICIS-R08013, Radboud University (2008)
Svendsen, K., Birkedal, L., Parkinson, M.: Verifying generics and delegates. ECOOP 2010 - Object-oriented Programming, p. 175 (2010)
Wills, A.: Capsules and types in fresco: program validation in smalltalk. In: America, P. (ed.) ECOOP 1991: European Conference on Object Oriented Programming. LNCS, vol. 512, pp. 59–76. Springer, New York (1991). http://dx.doi.org/10.1007/BFb0057015
Wills, A.: Specification in fresco. In: Stepney, S., Barden, R., Cooper, D. (eds.) Object Orientation in Z, chap. 11, pp. 127–135. Workshops in Computing, Springer, Cambridge CB2 1LQ, UK (1992)
Wills, A.: Refinement in fresco. In: Lano, K., Houghton, H. (eds.) Object-Oriented Specification Case Studies, chap. 9, pp. 184–201. The Object-Oriented Series. Prentice-Hall, Englewood Cliffs (1994)
Wing, J.M.: A two-tiered approach to specifying programs. Technical report, TR-299, Massachusetts Institute of Technology, Laboratory for Computer Science (1983)
Wolff, F., Bílý, A., Matheja, C., Müller, P., Summers, A.J.: Modular specification and verification of closures in Rust. Proc. ACM Program. Lang. 5(OOPSLA) (2021). https://doi.org/10.1145/3485522
Acknowledgments
Thanks to David Pearce for comments on an earlier draft of this paper. Thanks to all participants in the JML project (many of whom are named above). Thanks to the US National Science Foundation for funding early work on JML through several grants (at Iowa State University).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Leavens, G.T., Cok, D.R., Nilizadeh, A. (2022). Further Lessons from the JML Project. In: Ahrendt, W., Beckert, B., Bubel, R., Johnsen, E.B. (eds) The Logic of Software. A Tasting Menu of Formal Methods. Lecture Notes in Computer Science, vol 13360. Springer, Cham. https://doi.org/10.1007/978-3-031-08166-8_15
Download citation
DOI: https://doi.org/10.1007/978-3-031-08166-8_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08165-1
Online ISBN: 978-3-031-08166-8
eBook Packages: Computer ScienceComputer Science (R0)