# JML Tutorial - Exercises - Verifying Method Calls

## Verifying Method Calls Exercises Key:

### Verifying Method Calls Tutorial

**Question 1**

**Write two functions that perform the following: an function that adds two integer arrays and a function that returns true if the arrays to be added are of the same size. Use the following function headers to help you. Determine the specifications needed to verify your functions.**

```
public int[] addArrays(int[] a, int[] b);
public boolean sameSize(int[] a, int[] b);
```

**Answer and Explanation:**
We are tasked with writing a program that adds two integer arrays, we will break up this process into two functions. The `addArrays()`

will take in two integer arrays `a`

and `b`

and will add their elements if they are the same size. The `sameSize()`

will also take in the arrays `a`

and `b`

and check if they have the same length. Given this information we can write something like the following program:

```
public int[] addArrays(int[] a, int[] b) {
if(sameSize(a, b)) {
int[] newArr = new int[a.length];
for(int i = 0; i < a.length; i++) {
newArr[i] = a[i] + b[i];
}
return newArr;
}
return new int[0];
}
public boolean sameSize(int[] a, int[] b) {
return a.length == b.length;
}
```

The `addArrays()`

function calls `sameSize()`

, and if `a.length == b.length`

a new integer array `newArr`

is created of size `a.length`

. Note, that it could also be of the size `b.length`

, it doesn’t really matter since we have determined at this point they are the same size. After creating `newArr`

there is a for-loop that runs for the length of `a`

and will store `a[i] + b[i]`

at `newArr[i]`

. If `a`

and `b`

are NOT the same size the function will return an empty integer array which is written as `new int[0]`

. The `sameSize()`

function simply returns the result of checking if `a.length == b.length`

, that is to say it will return true if `a`

and `b`

are the same length, and false otherwise.

Now that we have written the code, what preconditions and postconditions should be included? Well, first let’s write any JML specifications for `sameSize()`

as it is a more straightforward function. For `sameSize()`

we can ensure that the result will always be equivalent to whether `a.length == b.length`

(i.e true or false). So we might write something like the following for `sameSize()`

```
public int[] addArrays(int[] a, int[] b) {
if(sameSize(a, b)) {
int[] newArr = new int[a.length];
for(int i = 0; i < a.length; i++) {
newArr[i] = a[i] + b[i];
}
return newArr;
}
return new int[0];
}
//@ ensures \result <==> (a.length == b.length);
public boolean sameSize(int[] a, int[] b) {
return a.length == b.length;
}
```

As for the `addArrays()`

function let’s think about what preconditions we might want to require; we are adding the elements from `a`

and `b`

and any time we are dealing with integer arithmetic we want to make sure we remain in the size of type `int`

. So we can use the `forall`

clause to check that `a[i] + b[i] <= Integer.MAX_VALUE`

. Additionally, since the function will return an empty array if `a`

and `b`

aren’t the same size we can ensure two things to be true. The `\result`

will have the length equal to that of either array `a`

or `b`

. Secondly, if `a`

and `b`

aren’t the same length then `\result`

will be empty and have the length of zero.

Note: We can write more complex `ensures`

clauses that would actually check if the function `addArrays()`

returns an array whose elements are equal to that of `a[i] + b[i]`

, but that would require the use of loop invariant which we will get into in the “Specifying Loops” tutorial. Additionally, as we move on you will see better ways of handling exceptions and different method behaviors, but for now we can write something like the following:

```
//@ requires (\forall int j; 0 <= j < a.length; a[j]+b[j] <= Integer.MAX_VALUE);
//@ ensures \result.length == a.length || \result.length == 0;
//@ pure
public int[] addArrays(int[] a, int[] b) {
if(sameSize(a, b)) {
int[] newArr = new int[a.length];
for(int i = 0; i < a.length; i++) {
newArr[i] = a[i] + b[i];
}
return newArr;
}
return new int[0];
}
//@ ensures \result <==> (a.length == b.length);
public boolean sameSize(int[] a, int[] b) {
return a.length == b.length;
}
```

Now, since we are dealing with a for-loop we also have to include an assume statement so we don’t run into any issues going out-of-bounds. Additionally, since we’re adding `a[i] + b[i]`

we need to account for potential overflow errors like we did in our precondition, so let’s also include an assume statement that handles this.

```
//@ requires (\forall int j; 0 <= j < a.length; a[j]+b[j] <= Integer.MAX_VALUE);
//@ ensures \result.length == a.length || \result.length == 0;
//@ pure
public int[] addArrays(int[] a, int[] b) {
if(sameSize(a, b)) {
int[] newArr = new int[a.length];
for(int i = 0; i < a.length; i++) {
//@ assume 0 <= i < a.length;
//@ assume Integer.MIN_VALUE < a[i] + b[i] <= Integer.MAX_VALUE;
newArr[i] = a[i] + b[i];
}
return newArr;
}
return new int[0];
}
//@ ensures \result <==> (a.length == b.length);
public boolean sameSize(int[] a, int[] b) {
return a.length == b.length;
}
```

Now that we have included everything from past tutorials, what new specifications do we need after reading “Method Calls?” Recall how a method call is verified; at the call site the precondition of the called method is asserted, and then the callee’s postconditions are assumed. In our program we only have one preconditions for the caller function `addArrays()`

which we’ve already accounted for, and one postcondition for the callee function `sameSize()`

. So we can write the following:

```
//@ requires (\forall int j; 0 <= j < a.length; a[j]+b[j] <= Integer.MAX_VALUE);
//@ ensures \result.length == a.length || \result.length == 0;
//@ pure
public int[] addArrays(int[] a, int[] b) {
if(sameSize(a, b)) {
//@ assert sameSize(a, b);
int[] newArr = new int[a.length];
for(int i = 0; i < a.length; i++) {
//@ assume 0 <= i < a.length;
//@ assume Integer.MIN_VALUE < a[i] + b[i] <= Integer.MAX_VALUE;
newArr[i] = a[i] + b[i];
}
return newArr;
}
return new int[0];
}
//@ ensures \result <==> (a.length == b.length);
public boolean sameSize(int[] a, int[] b) {
return a.length == b.length;
}
```

**Learning Objective:**
The goal of this exercise is to see if the student understands how to verify method calls. This is a rather simple example, so the student should be able to identify the statements needed to verify functions. The exercise also checks that the student understands and can utilize information from past exercises as well. It also checks if the student can also identify all specifications needed - not just those used for verifying method calls.

**Question 2**

**The program below is checking whether the user has enough material for an area given the dimensions of the area and the amount of material the user has. However, the program is unable to be verified; determine where in the specifications it is failing, and fix it.**

```
//@ ensures \result <==> (area(w, h) > materialSqFt);
public boolean enoughMaterial(int materialSqFt, int w, int h) {
int area = area(w, h);
return (area > materialSqFt);
}
//@ ensures \result > 0;
//@ ensures \result >= w;
//@ ensures \result >= h;
//@ pure
public int area(int w, int h) {
int A = w*h;
return A;
}
```

**Answer and Explanation:**
The program above is unable to be verified with its current specifications; let’s break it down and see where the issues lie. The first function `enoughMaterial()`

takes in three integer variables `materialSqFt`

, `w`

, and `h`

. It then creates an integer `area`

which is set equal to the function `area(w,h)`

. If we drop down to the `area()`

function we see that the code is the same as we’ve seen in past exercises, and simply finds the rectangular area given `w`

and `h`

and returns it. After `area(w,h)`

is called in `enoughMaterial()`

, the function checks if the `area > materialSqFt`

. In the event that `area > materialSqFt`

it returns false, otherwise it returns true.

First, we can see that there will be an overflow error in the function `area()`

unless we include a precondition that checks that `0 <= w <= Integer.MAX_VALUE`

and `0 <= b <= Integer.MAX_VALUE`

. Otherwise, all our preconditions and postconditions for the two functions look good.

However, since `enoughMaterial()`

calls `area()`

we need to include some `assume`

and `assert`

statements to verify the two methods. Again we know the process for any function is
at the call site assert the precondition of the called method, and then assume the callee’s postconditions. So what might we include in the program above?

Let’s start in the function `area()`

; after we include that `w`

and `h`

need to be greater than zero, and less than or equal `Integer.MAX_VALUE`

, we would need to assume this in the function. We would also want to assume that `w*h <= Integer.MAX_VALUE`

so we don’t get any overflow errors. After the body of the function and before the return statement, we want to include an `assert`

statement that asserts our area postconditions. Now, back to the `enoughMaterial()`

function, in this function we want to `assume`

its preconditions, and `assert`

its postconditions. However, before we call `area()`

we want to assert `area()`

’s precondtions, and then `assume`

its postconditions after the call. So we can write something like this to verify the program:

```
//@ requires materialSqFt > 0;
//@ requires 0 < w <= Integer.MAX_VALUE & 0 < h <= Integer.MAX_VALUE;
//@ ensures \result <==> (area(w, h) > materialSqFt);
public boolean enoughMaterial(int materialSqFt, int w, int h) {
//@ assume materialSqFt > 0 && 0 < w <= Integer.MAX_VALUE & 0 < h <= Integer.MAX_VALUE;
//@ assert 0 < w <= Integer.MAX_VALUE && 0 < h <= Integer.MAX_VALUE;
int area = area(w, h);
//@ assume area > 0 && area >= w && area >= h;
//@ assert (area > materialSqFt);
return (area > materialSqFt);
}
//@ requires 0 < w <= Integer.MAX_VALUE & 0 < h <= Integer.MAX_VALUE;
//@ ensures \result > 0;
//@ ensures \result >= w;
//@ ensures \result >= h;
//@ pure
public int area(int w, int h) {
//@ assume 0 < w <= Integer.MAX_VALUE & 0 < h <= Integer.MAX_VALUE;
//@ assume w*h <= Integer.MAX_VALUE;
int A = w*h;
//@ assert A > 0 && A >= w && A >= h;
return A;
}
```

**Learning Objective:**
The goal of this exercise is to show the student the necessity of verifying method calls. This exercise is much more complex than the first exercise, and shows that the program cannot be verified without out `assume`

and `assert`

statements of the pre and postconditions. We want the student to get more comfortable with the process of verifying method calls, and understand it follows the same process every time.