Many state-based specification languages, including the Java Modeling Language (JML), contain at their core specification constructs familiar to most undergraduates: e.g., assertions, pre- and postconditions, and invariants. Unfortunately, these constructs are not sufficiently expressive to permit formal modular verification of programs written in modern object-oriented languages like Java. The necessary extra constructs for specifying an object-oriented module include (perhaps the less familiar) frame properties, datagroups, and ghost and model fields. These constructs help specifiers deal with potential problems related to, for example, unexpected side effects, aliasing, class invariants, inheritance, and lack of information hiding. This tutorial paper focuses on JML's realization of these constructs, explaining their meaning while illustrating how they can be used to address the stated problems.

```java
public class DigitalDisplayClock {
    //@ public model long _time;
    //@ private represents _time = getSecond() + getMinute()*60 + getHour()*60*60;

    //@ protected invariant time.length == 6;
    //@ protected invariant 0 <= time[0] && time[0] <= 9; // sec
    //@ protected invariant 0 <= time[1] && time[1] <= 5; // sec
    //@ protected invariant 0 <= time[2] && time[2] <= 9; // min
    //@ protected invariant 0 <= time[3] && time[3] <= 5; // min
    //@ protected invariant 0 <= time[4] && time[4] <= 9; // hr
    //@ protected invariant 0 <= time[5] && time[5] <= 2; // hr
    //@ protected invariant time[5] == 2 ==> time[4] <= 3; // hr
    protected /*@ non_null rep @*/ int[] time; // NB rep modifier

    /*@ pure @*/ public DigitalDisplayClock() {
        time = new /*@ rep @*/ int[6]; // NB rep modifier
    }

    //@ ensures 0 <= \result && \result <= 23;
    public /*@ pure @*/ int getHour() { return time[5]*10 + time[4]; }

    //@ ensures 0 <= \result && \result <= 59;
    public /*@ pure @*/ int getMinute() { return time[3]*10 + time[2]; }

    // (remaining members, including getSecond(), are not reproduced in this excerpt)
}
```
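The listing above shows a model field with its `represents` clause and the representation invariants, but not the other constructs the abstract names. The following is an added illustration written for this page, not a listing from the paper: it gives a clock of the same shape a mutator, `tick()`, and specifies it with a frame property (`assignable`), a datagroup (the model field `_time`, into which the concrete array is placed with `in` and `maps`), and a ghost counter updated with `set`. The class names `TickingClock` and `Alarm` are hypothetical, and the `rep` modifier is assumed to be the Universe-type modifier used in the paper's listing.

```java
// Added illustration, not the paper's own listing. Class names are hypothetical.
public class TickingClock {
    // Abstract view of the clock in seconds since midnight. Every model field is
    // also a datagroup, so tick()'s frame clause can name it.
    //@ public model long _time;
    //@ public invariant 0 <= _time && _time < 24 * 60 * 60;

    // Ghost field: exists only in the specification and is updated by 'set'.
    //@ public ghost int ticks;

    // Concrete representation, hidden from clients. 'in _time' puts the field in
    // the datagroup of _time; 'maps' adds the array elements to it as well.
    protected /*@ non_null rep @*/ int[] time; //@ in _time; maps time[*] \into _time;
    //@ protected invariant time.length == 6;
    //@ protected invariant (\forall int i; 0 <= i && i < 6; 0 <= time[i] && time[i] <= 9);
    //@ protected invariant time[1] <= 5 && time[3] <= 5 && time[5] <= 2;
    //@ protected invariant time[5] == 2 ==> time[4] <= 3;

    // Ties the model field to the representation.
    //@ private represents _time = getSecond() + 60L * getMinute() + 3600L * getHour();

    /*@ pure @*/ public TickingClock() { time = new /*@ rep @*/ int[6]; }

    //@ ensures 0 <= \result && \result <= 59;
    public /*@ pure @*/ int getSecond() { return time[1] * 10 + time[0]; }
    //@ ensures 0 <= \result && \result <= 59;
    public /*@ pure @*/ int getMinute() { return time[3] * 10 + time[2]; }
    //@ ensures 0 <= \result && \result <= 23;
    public /*@ pure @*/ int getHour()   { return time[5] * 10 + time[4]; }

    // Frame property: only locations in the datagroup of _time (the array and its
    // elements) and the ghost counter may be modified.
    //@ assignable _time, ticks;
    //@ ensures _time == (\old(_time) + 1) % (24 * 60 * 60);
    //@ ensures ticks == \old(ticks) + 1;
    public void tick() {
        //@ set ticks = ticks + 1;
        int s = getSecond() + 1, m = getMinute(), h = getHour();
        if (s == 60) { s = 0; m++; }     // carry into minutes
        if (m == 60) { m = 0; h++; }     // carry into hours
        if (h == 24) { h = 0; }          // wrap at midnight
        time[0] = s % 10; time[1] = s / 10;   // seconds digits
        time[2] = m % 10; time[3] = m / 10;   // minutes digits
        time[4] = h % 10; time[5] = h / 10;   // hours digits
    }
}

// A client verified modularly: tick()'s frame clause excludes alarmAt, so a
// verifier can conclude that advance() preserves the invariant below without
// inspecting tick()'s body.
class Alarm {
    private /*@ non_null rep @*/ TickingClock clock = new /*@ rep @*/ TickingClock();
    private long alarmAt;
    //@ private invariant 0 <= alarmAt && alarmAt < 24 * 60 * 60;

    //@ requires 0 <= at && at < 24 * 60 * 60;
    //@ assignable alarmAt;
    //@ ensures alarmAt == at;
    public void setAlarm(long at) { alarmAt = at; }

    // Advances the clock by one second and reports whether the alarm fires.
    //@ assignable clock._time, clock.ticks;
    //@ ensures \result == (clock._time == alarmAt);
    public boolean advance() {
        clock.tick();
        long now = clock.getSecond() + 60L * clock.getMinute() + 3600L * clock.getHour();
        return now == alarmAt;
    }
}
```

The datagroup is what makes the frame clause both precise and information-hiding: `assignable _time` lets `tick()` write the protected array and its elements, yet a client such as `Alarm` never sees the representation, only the abstract `_time`. Without the `in`/`maps` clauses the writes to `time[i]` would violate the frame; without the frame clause a client could not rule out that `tick()` modifies `alarmAt` through an alias.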