Exercise1QuestionsExercise2IntroductiontoJML PracticeSheet8(HintsandComments) AdvancedAspectsofObject-OrientedProgramming(SS2011)

Prof. Dr. A. Poetzsch-Heffter Dipl.-Inform. Kathrin Geilmann

University of Kaiserslautern Department of Computer Science Software Technology Group

Advanced Aspects of Object-Oriented Programming (SS 2011) Practice Sheet 8 (Hints and Comments)

Exercise 1 Questions

Exercise 2 Introduction to JML

a) • Advantages

– Formal Specifications are precise, therefor they avoid the ambiguities of natural languages.

– Formal Specifications can be executable. This allows a (semi-) automatical verification (→ theoreme provers, tools like boogie, etc.).

– Enforces “Think before you code”. The developer has to think about the precise meaning of the inter- faces he uses, this allows to detect errors and problem quite early in the development process.

• Disadvantage

– Formal Specifications are more di ffi cult to write than code, because they need more knowledge about mathematics, abstraction, etc.

– Another language to learn.

– Formal specifications can be longer than descriptions in natural languages or than the specified source.

– Every method is written twice, once in den specification language and once in code.

– Problem: How to decide, that a specification is complete / precise enough?

b) - c) -

d)

/∗@ n o n _ n u l l @∗/ / / p a r t o f t h e c l a s s i n v a r i a n t , o t h e r w i s e e x t r a c t M i n f a i l s . i n t[ ] a ;

i n t n ;

/ /@ i n v a r i a n t 0 < n && n <= a . l e n g t h ; / / n+1 i s a v a l i d i n d e x i n a [ ] /∗@ r e q u i r e s i n p u t != n u l l ;

@ a s s i g n a b l e n , a ;

@ e n s u r e s n == i n p u t . l e n g t h &&

@ (\f o r a l l i n t i ; 0 <= i && i < i n p u t . l e n g t h ; a [ i ] == i n p u t [ i ] ) &&

@ a . l e n g t h == i n p u t . l e n g t h ;

@

∗/

B e h a e l t e r ( i n t[ ] i n p u t ) { n = i n p u t . l e n g t h ; a = new i n t[ n ] ;

S y s t e m . a r r a y c o p y ( i n p u t , 0 , a , 0 , n ) ; }

/∗@ r e q u i r e s 0 < n ;

@ a s s i g n a b l e n , a ;

@ e n s u r e s \r e s u l t == (\min i n t i ; 0 <= i && i < \o l d ( n ) ; \o l d ( a [ i ] ) ) ;

∗/

i n t e x t r a c t M i n ( ) {

i n t m = I n t e g e r . MAX_VALUE;

i n t mindex = 0 ;

/∗@ m a i n t a i n i n g m >= (\min i n t j ; 0 <= j && j < a . l e n g t h ; a [ j ] ) ;

∗/

f o r (i n t i = 0 ; i < n ; i++) { i f ( a [ i ] <m) {

mindex = i ;

m= a [ i ] ; }

} n− −;

a [ mindex ] = a [ n ] ; r e t u r n m;

} }

e) Add n < old(n) to the postcondition of extractMin or use a history constraint like constraint n < old(n) f) Translate the documentation of the class ByteArrayInputStream directly into jml.

p u b l i c c l a s s B y t e A r r a y I n p u t S t r e a m e x t e n d s I n p u t S t r e a m { p r o t e c t e d /∗@ s p e c _ p u b l i c n o n _ n u l l @∗/ b y t e[ ] b u f ; p r o t e c t e d /∗@ s p e c _ p u b l i c @∗/ i n t c o u n t ;

p r o t e c t e d /∗@ s p e c _ p u b l i c @∗/ i n t mark ;

p r o t e c t e d /∗@ s p e c _ p u b l i c @∗/ i n t p o s ; /∗@ p u b l i c i n v a r i a n t ( c o u n t>=0&& c o u n t<=b u f . l e n g t h ) &&

@ ( mark>=0 && mark<=c o u n t ) &&

@ ( pos>=0 && pos<=c o u n t ) ;

@∗/

/∗@ r e q u i r e s b !=n u l l ;

@ a s s i g n a b l e b u f , pos , c o u n t , mark ;

@ e n s u r e s b u f==b &&

@ p o s==0 &&

@ c o u n t==b . l e n g t h &&

@ mark==0;

@∗/

p u b l i c B y t e A r r a y I n p u t S t r e a m (b y t e[ ] b ) ; /∗@ r e q u i r e s b !=n u l l &&

@ o f f s e t>=0 &&

@ l e n g t h>=0 &&

@ a s s i g n a b l e b u f , pos , c o u n t , mark ;

@ e n s u r e s b u f==b &&

@ p o s==o f f s e t &&

@ c o u n t==( o f f s e t+l e n g t h<b u f . l e n g t h ) ? o f f s e t+l e n g t h : b u f . l e n g t h &&

@ mark==o f f s e t ;

@∗/

p u b l i c B y t e A r r a y I n p u t S t r e a m (b y t e[ ] b , i n t o f f s e t , i n t l e n g t h ) ; /∗@ r e q u i r e s t r u e ;

@ e n s u r e s \r e s u l t==( c o u n t−p o s ) ;

@∗/

p u b l i c /∗@ p u r e @∗/ i n t a v a i l a b l e ( ) ; /∗@ r e q u i r e s t r u e ;

@ e n s u r e s t r u e ;

@∗/

p u b l i c v o i d /∗@ p u r e @∗/ c l o s e ( ) t h r o w s I O E x c e p t i o n ; /∗@ r e q u i r e s t r u e ;

@ a s s i g n a b l e mark ;

@ e n s u r e s mark==p o s ;

@∗/

p u b l i c v o i d mark (i n t r e a d A h e a d L i m i t ) ; /∗@ r e q u i r e s t r u e ;

@ e n s u r e s \r e s u l t==t r u e ;

@∗/

p u b l i c b o o l e a n /∗@ p u r e @∗/ m a r k S u p p o r t e d ( ) ; /∗@ r e q u i r e s t r u e ;

@ a s s i g n a b l e p o s ;

@ e n s u r e s a v a i l a b l e ( )==0 => (\r e s u l t==−1&& p o s==\o l d ( p o s ) ) &&

@ a v a i l a b l e ( )>0 => ( (\r e s u l t==b u f [ p o s ] && p o s==\o l d ( p o s )+1 ) &&

@ \r e s u l t>=0&& \r e s u l t<=2 5 5 ) ;

@∗/

p u b l i c i n t r e a d ( ) ; /∗@ r e q u i r e s b !=n u l l &&

@ o f f>=0 &&

@ l e n>=0 &&

@ ( o f f+l e n )<b . l e n g t h ;

@ a s s i g n a b l e p o s ;

@ e n s u r e s a v a i l a b l e ( )==0 => (\r e s u l t==−1&& p o s==\o l d ( p o s ) ) &&

@ a v a i l a b l e ( )>0 => ( (\r e s u l t==( l e n<a v a i l a b l e ( ) ) ? l e n : a v a i l a b l e ( ) &&

@ p o s==\o l d ( p o s )+ \r e s u l t ) &&

@ (\f o r a l l i n t k ; 0<k && k<\r e s u l t ; b u f [ o f f+k ]==b [ o f f+k ] ) ) ;

@∗/

p u b l i c i n t r e a d (b y t e[ ] b , i n t o f f , i n t l e n ) ; /∗@ r e q u i r e s t r u e ;

@ a s s i g n a b l e p o s ;

@ e n s u r e s p o s==mark ;

@∗/

p u b l i c v o i d r e s e t ( ) ; /∗@ r e q u i r e s n>=0;

@ a s s i g n a b l e p o s ;

@ e n s u r e s \r e s u l t==( a v a i l a b l e ( )<n ) ? a v a i l a b l e ( ) : n &&

@ p o s==\o l d ( p o s )+ \r e s u l t ;

@∗/

p u b l i c l o n g s k i p (l o n g n ) ; }

2