Reasoning About JML: Differences Between KeY and OpenJML

Abstract: To increase the impact and capabilities of formal verification, it should be possible to apply different verification techniques on the same specification. However, this can only be achieved if verification tools agree on the syntax and underlying semantics of the specification language and unfortunately, in practice, this is often not the case. In this paper, we concentrate on one particular example, namely Java programs annotated with JML, and we present a case study in understanding differences in the treat… Show more

“…The common specification languages Java Modelling Language (JML) [19] and the ANSI/ISO-C specification Language (ACSL) [4] are designed to be applicable in different verification scenarios (e.g., deductive verification and runtime assertion checking). Even for these limited scopes, coming up with an indisputable, common language semantics is difficult (the runtime semantics of ACSL differs from that for deductive verification [21], and verification tools differ in how they verify JML specifications [6]).…”

The VerifyThis Collaborative Long Term Challenge

“…The common specification languages Java Modelling Language (JML) [19] and the ANSI/ISO-C specification Language (ACSL) [4] are designed to be applicable in different verification scenarios (e.g., deductive verification and runtime assertion checking). Even for these limited scopes, coming up with an indisputable, common language semantics is difficult (the runtime semantics of ACSL differs from that for deductive verification [21], and verification tools differ in how they verify JML specifications [6]).…”

The VerifyThis Collaborative Long Term Challenge

Further Lessons from the JML Project

Verifying Functional Correctness Properties at the Level of Java Bytecode