ESC/Java
Sûreté de la programmation orientée objets (NFP101)
ESC/Java
1 Un premier exemple
Exemple 1 (Bag)
1c l a s s Bag {
2i n t [ ] a ;
3i n t n ;
4
5Bag ( i n t [ ] i np ut ) {
6n = i np ut . l e n g t h ;
7a = new i n t [ n ] ;
8System . ar r aycopy ( input , 0 , a , 0 , n ) ;
9}
10
11 i n t extra ctMin ( ) {
12 i n t m = I n t e g e r .MAX_VALUE;
13 i n t mindex = 0 ;
14 f o r ( i n t i = 1 ; i <= n ; i++) {
15 i f ( a [ i ] < m) {
16 mindex = i ;
17 m = a [ i ] ;
18 }
19 }
20 n−−;
21 a [ mindex ] = a [ n ] ;
22 re t u r n m;
23 }
24 }
Erreurs :
Bag.java:6: Warning: Possible null dereference (Null)
n = input.length;
^
Bag.java:15: Warning: Possible null dereference (Null)
if (a[i] < m) {
^
1
Bag.java:15: Warning: Array index possibly too large (IndexTooBig)
if (a[i] < m) {
^
Bag.java:21: Warning: Possible null dereference (Null)
a[mindex] = a[n];
^
Bag.java:21: Warning: Possible negative array index (IndexNegative)
a[mindex] = a[n];
^
5 warnings
Corrections :
Exemple 2 (1er warning)
Bag.java:6: Warning: Possible null dereference (Null)
n = input.length;
^
1//@ r e q u i r e s inpu t != n u l l ;
2Bag ( i n t [ ] i np u t ) {
3n = i np u t . l e n g t h ;
Exemple 3 (2ème warning)
Bag.java:15: Warning: Possible null dereference (Null)
if (a[i] < m) {
^
1c l a s s Bag {
2/∗@ non_null ∗/ i n t [ ] a ;
Exemple 4 (3ème warning)
Bag.java:15: Warning: Array index possibly too large (IndexTooBig)
if (a[i] < m) {
^
1f o r ( i n t i = 0 ; i < n ; i++) {
Exemple 5 (4ème warning)
Bag.java:21: Warning: Possible null dereference (Null)
a[mindex] = a[n];
^
2
Déjà traité (voir le 2ème warning).
Exemple 6 (5ème warning)
Bag.java:21: Warning: Possible negative array index (IndexNegative)
a[mindex] = a[n];
^
1//@ r e q u i r e s n >= 1 ;
2i n t extra ct Mi n ( ) {
Nouveau programme :
Exemple 7 (Bag)
1c l a s s Bag {
2/∗@ non_null ∗/ i n t [ ] a ;
3i n t n ;
4
5//@ r e q u i r e s inpu t != n u l l ;
6Bag ( i n t [ ] i np u t ) {
7n = i np u t . l e n g t h ;
8a = new i n t [ n ] ;
9System . arra ycopy ( input , 0 , a , 0 , n ) ;
10 }
11
12 //@ r e q u i r e s n >= 1 ;
13 i n t extra ct Mi n ( ) {
14 i n t m = I n t e g e r .MAX_VALUE;
15 i n t mindex = 0 ;
16 f o r ( i n t i = 0 ; i < n ; i++) {
17 i f ( a [ i ] < m) {
18 mindex = i ;
19 m = a [ i ] ;
20 }
21 }
22 n−−;
23 a [ mindex ] = a [ n ] ;
24 re t u r n m;
25 }
26 }
Erreur :
Bag.java:17: Warning: Array index possibly too large (IndexTooBig)
if (a[i] < m) {
^
3
Correction :
Exemple 8 (Bag)
1c l a s s Bag {
2/∗@ non_null ∗/ i n t [ ] a ;
3i n t n ;
4//@ i n v a r i a n t 0 <= n & n <= a . l en gt h ;
Programme final :
Exemple 9 (Bag)
1c l a s s Bag {
2/∗@ non_null ∗/ i n t [ ] a ;
3i n t n ;
4//@ i n v a r i a n t 0 <= n && n <= a . l en g th ;
5
6//@ r e q u i r e s inpu t != n u l l ;
7Bag ( i n t [ ] i np u t ) {
8n = i np u t . l e n g t h ;
9a = new i n t [ n ] ;
10 System . arra ycopy ( input , 0 , a , 0 , n ) ;
11 }
12
13 //@ r e q u i r e s n >= 1 ;
14 i n t extra ct Mi n ( ) {
15 i n t m = I n t e g e r .MAX_VALUE;
16 i n t mindex = 0 ;
17 f o r ( i n t i = 0 ; i < n ; i++) {
18 i f ( a [ i ] < m) {
19 mindex = i ;
20 m = a [ i ] ;
21 }
22 }
23 n−−;
24 a [ mindex ] = a [ n ] ;
25 re t u r n m;
26 }
27 }
2 Limitations
Exemple 10 (Cohérence)
1char c ;
2/∗@ assume s != n u l l && ! s . e q u a l s ( " " ) ; @∗/
3c = s . charAt ( 0 ) ;
4/∗@ a s s e r t c = s . charAt ( 0 ) ; @∗/
4
1Object o = n u l l ;
2/∗@ assume o != n u l l ; @∗/
3Obj ec t [ ] a = new S t r i n g [ −5];
4a [ −3] = new I n t e g e r ( 2 ) ;
> escjava2 -q AssumeFalseTest.java
0 warnings
Exemple 11 (Non correction)
1i n t a [ ] = new i n t [ 6 ] ;
2f o r ( i n t i = 0; i <= 6 ; i ++) {
3a [ i ] = i ;
4}
> escjava2 -q Test.java
0 warnings
> escjava2 -Loop 7 -q Test.java
Test.java:15: Warning: Array index possibly too large (IndexTooBig)
a[i] = i;
^
1 warning
Exemple 12 (Incomplétude)
1/∗@ r e q u i r e s i == 5 && j== 3 ;
2@ e ns u r e s \ r e s u l t == 1 5;
3@∗/
4i n t m( i n t i , i n t j ) {
5re t u r n i ∗j ;
6}
Test.java:19: Warning: Postcondition possibly not established (Post)
}
^
Associated declaration is "Test.java", line 14, col 8:
@ ensures \result == 15;
1i n t m( i n t i , i n t j ) {
2/∗@ assume 15 == 5 ∗3 ; @∗/
3re t u r n i ∗j ;
4}
5
1
/
5
100%