Clyde Ruby’s research while affiliated with Iowa State University and other places


Publications (14)


Preliminary design of JML
Article · Full-text available · May 2006 · 204 Reads · 253 Citations · ACM SIGSOFT Software Engineering Notes · Albert L. Baker · Clyde Ruby

JML is a behavioral interface specification language tailored to Java(TM). Besides pre- and postconditions, it also allows assertions to be intermixed with Java code; these aid verification and debugging. JML is designed to be used by working software engineers; to do this it follows Eiffel in using Java expressions in assertions. JML combines this idea from Eiffel with the model-based approach to specifications, typified by VDM and Larch, which results in greater expressiveness. Other expressiveness advantages over Eiffel include quantifiers, specification-only variables, and frame conditions. This paper discusses the goals of JML, the overall approach, and describes the basic features of the language through examples. It is intended for readers who have some familiarity with both Java and behavioral specification using pre- and postconditions.



JML reference manual

May 2004 · 547 Reads · 109 Citations

this document. The specification of the method largest is given on lines 7 through 15. Line 7 says that this is a public, normal behavior specification. JML permits several different specifications for a given method, which can be of different privacy levels [Ruby-Leavens00]. The modifier public says that the specification is intended for the use of clients. (If the privacy modifier had been protected, for example, then the specification would have been intended for subclasses.) The keyword normal_behavior tells JML several things. First, it says that the specification is a heavyweight method specification, as opposed to a lightweight method specification like that given on line 17. A heavyweight specification uses one of JML's behavior keywords, Another way to declare a specification-only field is to use the ghost modifier ([[[Add pxref]]])


How the design of JML accommodates both runtime assertion checking and formal verification

January 2003 · 92 Reads · 172 Citations · Science of Computer Programming

Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming language, which makes it difficult to write complete specifications. Moreover, using assertions that are expressions in the underlying programming language can cause problems both in runtime assertion checking and in formal verification, because such expressions can potentially contain side effects. The Java Modeling Language, JML, avoids these problems. It uses a side-effect free subset of Java's expressions to which are added a few mathematical operators (such as the quantifiers \forall and \exists). JML also hides mathematical abstractions, such as sets and sequences, within a library of Java classes. The goal is to allow JML to serve as a common notation for both formal verification and runtime assertion checking; this gives users the benefit of several tools without the cost of changing notations.


How the Design of JML Accomodates Both Runtime Assertion Checking and Formal Verification.

November 2002 · 78 Reads · 141 Citations · Science of Computer Programming

Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming language, which makes it difficult to write exact specifications. Moreover, using assertions that are expressions in the underlying programming language can cause problems both in runtime assertion checking and in formal verification, because such expressions can potentially contain side effects. The Java Modeling Language, JML, avoids these problems. It uses a side-effect free subset of Java’s expressions to which are added a few mathematical operators (such as the quantifiers \forall and \exists). JML also hides mathematical abstractions, such as sets and sequences, within a library of Java classes. The goal is to allow JML to serve as a common notation for both formal verification and runtime assertion checking; this gives users the benefit of several tools without the cost of changing notations.



Preliminary Design of JML: A Behavioral Interface Specification Language for Java

May 1999 · 267 Reads · 686 Citations

JML is a behavioral interface specification language tailored to Java. It also allows assertions to be intermixed with Java code, as an aid to verification and debugging. JML is designed to be used by working software engineers, and requires only modest mathematical training. To achieve this goal, JML uses Eiffel-style assertion syntax combined with the model-based approach to specifications typified by VDM and Larch. However, JML supports quantifiers, specification-only variables, frame conditions, and other enhancements that make it more expressive for specification than Eiffel. This paper discusses the goals of JML, the overall approach, and describes the language through examples. It is intended for readers who have some familiarity with both Java and behavioral specification using pre- and postconditions. 1 Introduction JML stands for "Java Modeling Language." JML is a behavioral interface specification language (BISL) [46] designed to specify Java [1, 9] modules. Java ...


JML: a Java Modeling Language

October 1998 · 635 Reads · 98 Citations

JML is a behavioral interface specification language tailored to Java. It also allows assertions to be intermixed with Java code, as an aid to verification and debugging. JML is designed to be used by working software engineers, and requires only modest mathematical training. To achieve this goal, JML uses Eiffel-style assertion syntax combined with the model-based approach to specifications typified by VDM and Larch. However, JML supports quantifiers, specification-only variables, frame conditions, and other enhancements that make it more expressive for specification than Eiffel. This paper discusses the goals of JML, the overall approach, and prospects for giving JML a formal semantics through a verification logic. 1 Introduction JML [23], which stands for "Java Modeling Language," is a behavioral interface specification language (BISL) [44] designed to specify Java [2, 9] modules. Java modules are classes and interfaces. A behavioral interface specification describes both ...


Specification Facets for More Precise, Focused Documentation

April 1997 · 40 Reads · 3 Citations

Specification languages could aid reuse to a larger extent if they could document all important facets of software, not just functional behavior. Since a specification language designer cannot know exactly what aspects of a piece of software will be important, users should be able to do "metaspecification"; that is, users should be able to declare new facets, and then use these facets to specify their software. Examples of facets that users might want to specify include time and space usage, safety considerations, aliasing, error checking, the user interface, etc. Keywords: reuse, formal specification languages, metaspecification, facets, expressiveness Workshop Goals: learning what can be done to aid reuse; networking; understanding and advancing the state-of-the-art in formal methods; finding new problems Working Groups: Rigorous Behavioral Specification as an Aid to Reuse, Design Guidelines for Reuse, Reuse and OO Methods, Reuse and Formal Methods, Leavens- 1 1 Backgroun...


JML: A Notation for Detailed Design

February 1970 · 229 Reads · 456 Citations

JML is a behavioral interface specification language tailored to Java. It is designed to be written and read by working software engineers, and should require only modest mathematical training. It uses Eiffel-style syntax combined with model-based semantics, as in VDM and Larch. JML supports quantifiers, specification-only variables, and other enhancements that make it more expressive for specification than Eiffel and easier to use than VDM and Larch. JML [Leavens-Baker-Ruby00], which stands for "Java Modeling Language," is a behavioral interface specification language (BISL) [Wing87] designed to specify Java [Arnold-Gosling98] [Gosling-Joy-Steele96] modules. Java modules are classes and interfaces. A behavioral interface specification describes both the details of a module's interface with clients, and its behavior from the client's point of view. Such specifications are not good for the specification of whole programs, but are good for recording detailed design decisions or do...


Citations (13)


... JML [73,74,72,19] is a specification language for a detailed design of Java modules. ...

Reference:

Security and self-healability enforcement of dynamic components in a service-oriented system
Preliminary design of JML: A notation for detailed design
  • Citing Article

... We leverage Gospel [6], a tool-agnostic OCaml specification language that serves as a common ground for the communication between dynamic and static methods. Gospel is strongly inspired by other behavioral specification languages [17], namely SPARK [3], JML [22], and ACSL [1] which can also be used both for dynamic and static analysis of code. ...

Preliminary design of JML

ACM SIGSOFT Software Engineering Notes

... The requires and ensures clauses specify the method's precondition 2 and postcondition, respectively. The keyword also separates specification cases, each of which describes the behavior of the program when its precondition holds [30], [67]. Furthermore, the assignable clause shows which elements can be changed in each specification case. ...

JML: Notations and tools supporting detailed design in Java

... The Extended Static Checker for Java (ESC/Java) [68] and its later successor (ESC/Java2) is perhaps one of the most influential tools in the area of verifying compilers [38,48]. The tool essentially provides a verifying compiler for Java programs whose specifications are given as annotations in a subset of the Java Modelling Language (JML) [38,39,99]. JML provides a standard notation for expressing contracts in Java, and the following illustrates a simple method in JML which ESC/Java verifies as correct:

    /*@ requires n >= 0;
      @ ensures \result >= 0;
      @*/
    public static int method(int n) {
        int i = 0;
        /*@ maintaining i >= \old(i); */
        while (i < n) { i = i + 1; }
        return i;
    }

...

How the design of JML accommodates both runtime assertion checking and formal verification

Science of Computer Programming

... Achieving full combination of static and dynamic analyses is known to be an important challenge in the field of formal methods [23]. Different specification styles, targeting different back-end tools (e.g., automated solvers, interactive proof assistants, or execution monitors), and the question of how to make the two analyses agree on a common semantics, makes it a non-trivial task to readily combine the two approaches. ...

How the Design of JML Accomodates Both Runtime Assertion Checking and Formal Verification.
  • Citing Conference Paper
  • November 2002

Science of Computer Programming

... 1. obtain an approximate logical characterization by unrolling loops to a fixed depth; 2. annotate loops with loop invariants, which allows KeY's symbolic execution engine to give a complete characterization of the method. [29] to verify termination and generate a logical specification for the program state during and after the loop [4]. This specification can then be used to characterize the overall result of the program precisely. ...

JML reference manual

... Ajmlc takes an input code written in the Java Modeling Language (JML) [17, 18] and generates AspectJ aspects to check the JML specifications at runtime. Unlike the classical JML compiler, jmlc [19], ajmlc does not use Java's reflection facilities, and thus can also be applied to constrained environments such as Java ME applications. In order to optimize the generated AspectJ code, we draw on the work of Cole and Borba [5]. ...

Both Runtime Assertion Checking
  • Citing Article
  • June 2004

... In considering the material at hand for component comprehension, we discussed the case, when specifications are available as an almost ideal situation. However, whether it is a myth and/or a fact, formal specifications [30, p 2303] are often criticized to be hard to understand [10] or not containing all important facets a software developer is interested in [14]. Some of the properties, formal specifications are criticized for (e.g. the lacking connection to other representational forms, either upstream or downstream in the software development process) might not pertain in our case. ...

Specification Facets for More Precise, Focused Documentation

... These modifiers specify if and how a method should be used in other parts of an application. It is well-known that some methods may be defined for internal usage only and therefore should be differentiated from the ones that are available publicly [33,25,34,28]. Visibility modifiers also define whether a method can be overridden. ...

Safely Creating Correct Subclasses without Seeing Superclass Code

ACM SIGPLAN Notices