物件導向軟體之架構(Object-Oriented Software Construction)探討

Model checking of linear temporal logic (LTL) specifications with respect to pushdown systems has been shown to be a useful tool for analysis of programs with potentially recursive procedures. LTL, however, can specify only regular properties, and properties such as correctness of procedures with respect to pre and post conditions, that require matching of calls and returns, are not regular. We introduce a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs. The formulas of CaRet are interpreted over sequences of propositional valuations tagged with special symbols call and ret. Besides the standard global temporal modalities, CaRet admits the abstract-next operator that allows a path to jump from a call to the matching return. This operator can be used to specify a variety of non-regular properties such as partial and total correctness of program blocks with respect to pre and post conditions. The abstract versions of the other temporal modalities can be used to specify regular properties of local paths within a procedure that skip over calls to other procedures. CaRet also admits the caller modality that jumps to the most recent pending call, and such caller modalities allow specification of a variety of security properties that involve inspection of the call-stack. Even though verifying context-free properties of pushdown systems is undecidable, we show that model checking CaRet formulas against a pushdown model is decidable. We present a tableau construction that reduces our model checking problem to the emptiness problem for a Buchi pushdown system. The complexity of model checking CaRet formulas is the same as that of checking LTL formulas, namely, polynomial in the model and singly exponential in the size of the specification.

https://repository.upenn.edu/cgi/viewcontent.cgi?article=1186&context=cis_papers

A Temporal Logic of Nested Calls and Returns

Extensively class tested, this text takes an innovative approach to explaining the process of software testing: it defines testing as the process of applying a few well-defined, general-purpose test criteria to a structure or model of the software. The structure of the text directly reflects the pedagogical approach and incorporates the latest innovations in testing, including techniques to test modern types of software such as OO, web applications, and embedded software.

/pdf/introduction-to-software-testing-454uueymyx.pdf

Introduction to Software Testing

Introduction to Software Testing: List of Figures

https://homes.cs.washington.edu/~mernst/pubs/daikon-tool-scp2007.pdf

The Daikon system for dynamic detection of likely invariants

The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java programmers and that is supported by a wide range of tools for specification typechecking, runtime debugging, static analysis, and verification.This paper gives an overview of the main ideas behind JML, details about JML’s wide range of tools, and a glimpse into existing applications of JML.

/pdf/an-overview-of-jml-tools-and-applications-2fifrvfs17.pdf

An overview of JML tools and applications

http://www.cs.utep.edu/cheon/data/jml-tools-fmics03.pdf

This paper presents experiments on formal validation of Java applets. It describes a tool that has been developed at the Gemplus Research Labs. This tool allows to formally prove Java classes annotated with JML, an annotation language for Java that provides a framework for specifying class invariants and methods behaviours. The foundations and the main features of the tool are presented. The most innovative part of the tool is that it is tailored to be used by Java programmers, without any particular background in formal methods. To reduce the difficulty of using formal techniques, it aims to provide a user-friendly interface which hides to developers most of the formal features and provides a "Java style view" of lemmas.

Java Applet Correctness: A Developer-Oriented Approach

We describe the main features of JACK (Java Applet Correctness Kit), a tool for the validation of Java applications, annotated with JML specifications. JACK has been especially designed to improve the quality of trusted personal device applications. JACK is fully integrated with the IDE Eclipse, and provides an easily accessible user interface. In particular, it allows to inspect the generated proof obligations in a Java syntax, and to trace them back to the source code that gave rise to them. Further, JACK provides support for annotation generation, and for interactive verification. The whole platform works both for source code and for bytecode, which makes it particularly suitable for a proof carrying code scenario.

/pdf/jack-a-tool-for-validation-of-security-and-behaviour-of-java-2uh8e69tev.pdf

JACK: a tool for validation of security and behaviour of Java applications

Smart card applications often handle privacy-sensitive information, and therefore must obey certain security policies. Typically, such policies are described as high-level security properties, stating for example that no pin verification must take place within a transaction.

/pdf/enforcing-high-level-security-properties-for-applets-4mr3aqrajh.pdf

Lilian Burdy

Papers

An overview of JML tools and applications

An overview of JML tools and applications

Java Applet Correctness: A Developer-Oriented Approach

JACK: a tool for validation of security and behaviour of Java applications

Enforcing High-Level Security Properties for Applets