It is an individual exercise. It won't be marked, but doing it is obligatory and required to pass the course.
There will be the opportunity to get help doing this assignment on May 27 in HG00.023, 10:30-12:30 and 13:30-15:30. Fabian van den Broek and Wojciech Mostowksi will be there to help. For non-Nijmegen students we will provide user accounts.
NB have a look at the Java code samples and a first stab at the exercise before showing up here, so that you can make the most of the available help. It should then not be a problem to finish the exercise well within 2 hours.
Otherwise, email your solutions (ie. the annotated Java files) to Fabian van den Broek (f.vandenbroek at cs.ru.nl) with subject [SS] ESC by June 3. NB Provide the annotated files in two attachements, named BagYourName.java and AmountYourName.java, where YourName is your full name, and also put your name in the Java file. Please don't zip or tar these attachments, to save us a lot of unzipping and untarring.
ESC/Java2 is an automated program verification tool (aka extended static checker) for Java programs. It implements a Hoare logic for reasoning over Java programs that have been annotated with JML specifications. These specifications express for instance preconditions, postconditions, and invariants, and can be added as assertions to the program code. Essentially, ESC/Java2 computes weakest preconditions of methods, and then sends the resulting proof obligiations to the automated theorem prover Simplify. The user never get to see these proof obligations or the back-end theorem prover; instead, the tool gives feedback over which assertions it could not prove.
ESC/Java2 is installed in /vol/practica/softwaresecurity. To run the tool on some file A.java, give the command
/vol/practica/softwaresecurity/ESCJava/escjava2 A.java
ESC/Java2 is installed in T:\softwaresecurity. To run the tool on some file A.java, open a command window by selecting
Start -> Programs -> Accessories -> Command Prompt
then go to the directory where A.java is (using cd) and type in the command
T:\softwaresecurity\ESC\escj.bat A.java
If you prefer running the tool on your own computer, ESC/Java2 can be downloaded here. (Don't be scared to give your email address; we won't use it to spam you.) Just get binary of the latest release. The tool runs on just about any platform: Windows, Mac, Linux and UNIX, and comes with lots of documentation. I always use it from the command line, but there is also a simple Swing GUI front-end.
If you're using Windows, you will have to edit escj.bat to provide the correct path names: the last line of escj.bat should be
"C:\j2sdk1.4.2_12\bin\Java.exe" -Dsimplify="C:\ESCJava 2\Simplify-1.5.4.exe"
-classpath "C:\ESCJava 2\esctools2.jar" escjava.Main -classpath
"C:\ESCJava 2\jmlspecs.jar" -classpath . %ESCJ_STDARGS% %ESCJ_ARGS%
if you installed ESC/Java2 in "C:\ESCJava 2" and Java in "C:\j2sdk1.4.2_12"
If you're using Linux or MacOS, use the script escjava2 to run the tool.
For Amount.java you must also try to formalise the informal invariant that is discussed in the file in JML, which should reveal some problems in the code.
In the end, ESC/Java2 should run without any complaints on the annotated code. ESC/Java2 complains (among other things) if it thinks a runtime exception may occur, say a NullPointerException, so if ESC/Java2 runs without complaints this means it has verified that no runtime exceptions can occur.
More detailed instructions are given in the Java files. Read these!
The only JML keywords you'll need to use for this are requires, invariant, and ensures. If you want, you can also use non_null as an abbreviation and experiment with other features.
The ESC/Java2 tool has many command line options. The most useful ones are
Some hints to keep you out of trouble with the tool: