It is an individual exercise. It will be marked (with ok/pass/not ok scores), and doing it is obligatory and required to pass the course.
There will be the opportunity to get help doing this assignment in a special lab session slot; time and place will be announced by email and Blackboard.
NB have a look at the Java code samples and a first stab at the exercise before showing up here, so that you can make the most of the available help. It should then not be a problem to finish the exercise in a couple of hours.
Email your solutions (ie. the annotated Java files) to erikpoll at cs.ru.nl with subject JML. Please mark any lines in the code that you have changed, with a comment like // CHANGED . Restrict changes in the code to the minimum that is required to correct things.
NB follow these instructions for handing in: Provide the annotated files in two attachments, named BagYourName.java and AmountYourName.java, where YourName is your full name, and also put your name in the Java files. If your name is missing I cannot mark things. Don't zip or tar these attachments, to save us a lot of hassle unzipping and untarring. It seems F-Secure is causing trouble with .java attachments; if so you may have to zip or tar your results.
ESC/Java2 is an automated program verification tool (aka extended static checker) for Java programs. It implements a Hoare logic for reasoning over Java programs that have been annotated with JML specifications. These specifications express for instance preconditions, postconditions, and invariants, and can be added as assertions to the program code. Essentially, ESC/Java2 computes weakest preconditions of methods, and then sends the resulting proof obligiations to an automated theorem prover. The user never get to see these proof obligations or the back-end theorem prover; instead, the tool gives feedback over which assertions it could not prove.
ESC/Java2 is installed in /vol/practica/softwaresecurity. To run the tool on some file A.java, give the command
/vol/practica/softwaresecurity/ESCJava/escjava2 A.java
You can SSH to lilo.science.ru.nl or stitch.science.ru.nl and run the tool there. For this you need your faculty (Science) login, which - unfortunately - is different from your Blackboard login. For TUe students: if you don't have a Science login, we can provide a temporary one.
For the Linux-challenged: you can SSH to the Linux servers from any Windows PC above using putty (download here) or bitvise ssh client (aka tunnelier) (download here). Tunnelier is more convenient, as it also provides the possibility to copy files over between the machines (using sftp). There are two ways to then do the assignment:
Start up in Ubuntu Linux, and follow instructions as above.
On any of the Windows machines in the computer rooms in the Huygens building, ESC/Java2 is installed in T:\softwaresecurity. To run the tool on some file A.java, open a command window by selecting
Start -> (All) Programs -> Accessories -> Command Prompt
then go to the directory where A.java is (using cd) and type in the command
T:\softwaresecurity\ESC\escj.bat A.java
Download and unpack ESC.zip and try to get it working. You will have to edit escj.bat to provide the correct path names: the last line of escj.bat should be
"ESC\j2sdk1.4.2_12\bin\Java.exe" -Dsimplify="ESC\Simplify-1.5.4.exe"
-classpath "ESC\esctools2.jar" escjava.Main -classpath
"ESC\jmlspecs.jar" -classpath . %ESCJ_STDARGS% %ESCJ_ARGS%
where ESC is the directory into which you unpacked the zip.
Alternatively, you can try Kevin Valk's improved batch file
which automatically looks for a correct Java version.
Rumour has it that this works with JDK 1.5(.0.22), but not
with JDK 1.7(.0.21). Your mileage may vary...
You should specify the two classes with JML and run ESC/Java2 to verify these specifications. Simply put, you have to run ESC/Java2 on these files, and, if the tool produces some warning,In the end, ESC/Java2 should run without any complaints on the annotated code. ESC/Java2 complains (among other things) if it thinks a runtime exception may occur, say a NullPointerException, so if ESC/Java2 runs without complaints this means it has verified that no runtime exceptions can occur.to make the warning go away. You have to use your own best judgement to choose between these two options. There are some deliberate bugs in the code for you to detect, with the help of the tool. Don't change the code when there is no real bug in it.
- either add annotation to the code (eg to document invariants, preconditions, or postconditions)
- or fix bugs in the code
For Amount.java you must also formally specify the invariants that are discussed in the file in JML, which will reveal some additional problems in the code.
More detailed instructions are given in the Java files. Read these!!!!!!!!!
The only JML keywords you'll need to use for this are requires, invariant, and ensures. If you want, you can also use non_null as an abbreviation and experiment with other features.
The ESC/Java2 tool has many command line options. The most useful ones are
Some hints to keep you out of trouble with the tool: