JML Tutorial - Exercises - Arithmetic
Arithmetic Exercises Key:
Arithmetic Tutorial
Question 1
Given the function below determine the strongest preconditions needed to verify the function.
public class ArithmeticExample1 {
//@ spec_public
private int sum;
//@ ensures 0 < sum < Integer.MAX_VALUE;
public void sumThreeNums(int n1, int n2, int n3) {
sum = n1 + n2 + n3;
}
}
Asnwer and Explanation:
First let’s break down the code. The function sumThreeNums() takes in three integer variables n1, n2, and n3 and will add them together and set the global variable sum equal to the result. We are given our postoncdition of the function which states that sum must be greater than zero and less than Integer.MAX_VALUE. Integer.MAX_VALUE is simply a variable of the class Integer that is the largest possible value of type int. If we were to run this code using OpenJML we would get many warnings concerning the Arithmetic Operation Range. What this means is essentially OpenJML cannot verify that the function will not have any overflow or underflow errors when it passes in all possible inputs. So we need to tell OpenJML what our range of n1, n2, and n3 can be.
Given the postcondition that sum must be less than Integer.MAX_VALUE we can determine that all of our integers passed in must also be less than Integer.MAX_VALUE otherwise one variable on it’s own will cause an overflow error because it could be greater than the largest value of type int. Additionally, we are told that sum must be greater than zero, so we also need to reflect this in our requirements for out integer variables passed in. As such, we can write something like the following:
public class ArithmeticExample1 {
//@ spec_public
private int sum;
//@ requires 0 < n1 < Integer.MAX_VALUE;
//@ requires 0 < n2 < Integer.MAX_VALUE;
//@ requires 0 < n3 < Integer.MAX_VALUE;
//@ ensures 0 < sum < Integer.MAX_VALUE;
public void sumThreeNums(int n1, int n2, int n3){
sum = n1 + n2 + n3;
}
}
While we might think we are done, we are not. OpenJML still cannot verify tht adding all of these numbers together won’t cause and overflow or underflow error so let’s take care of that. Let’s take a look at what sum is equal to in our function. In our function sum = n1 + n2 + n3, therefore, we need to make sure that n1 + n2 + n3 is less than Integer.MAX_VALUE. We might say (n1 + n2 + n3) < Integer.MAX_VALUE but this on its own isn’t really doing anything we haven’t said. Let’s rework it to be n1 < Integer.MAX_VALUE/(n2 + n3) which we know is valid because of Alegrba. However, now OpenJML cannot verify that n2 + n3 isn’t greater than or equal to Integer.MAX_VALUE so we need to check that n2 < Integer.MAX_VALUE/n3. Note, we don’t have to worry about dividing by zero since we explicitly stated that our numbers are greater than zero - if we didn’t do this it would cause warnings of possible divisions by zero.
Also, note that we are modifying the memory of global variable sum and should therefore specify this in our speicifations. That being said, let’s write the following:
public class ArithmeticExample1 {
//@ spec_public
private int sum;
//@ requires 0 < n1 < Integer.MAX_VALUE;
//@ requires 0 < n2 < Integer.MAX_VALUE;
//@ requires 0 < n3 < Integer.MAX_VALUE;
//@ requires n2 < Integer.MAX_VALUE/n3;
//@ requires n1 < Integer.MAX_VALUE/(n2 + n3);
//@ assigns sum;
//@ ensures 0 < sum < Integer.MAX_VALUE;
public void sumThreeNums(int n1, int n2, int n3){
sum = n1 + n2 + n3;
}
}
Learning Objective:
The goal of this exercise is to make the student more comfortable with handling potential overflow and underflow errors. We want the student to be aware the while the compiler will not throw any errors about overflow/underflow errors, OpenJML will test all possible inputs and therefore if the student doesn’t specify the range of their variables it won’t verify. We also introduce the student to Integer.MAX_VALUE and ask them to think critically about the steps needed to verify the function. The student should recongize that in order for n1 + n2 + n3 to be less than Integer.MAX_VALUE we need to make sure that n2 + n3 is less than Integer.MAX_VALUE. This exercise also gives the student more experience with the assigns clause.
Question 2
(a) The function given below is unable to be verified; determine where in the specifications it is failing, and fix it.
//@ spec_public
private int playerHealth;
//@ requires dmg <= 0;
//@ requires 0 < playerHealth;
public int updatePlayerHealth(int dmg) {
if(playerHealth > dmg) {
return (playerHealth - dmg);
}else {
return 0;
}
}
Asnwer and Explanation:
First let’s assess what the current preconditions are requiring of both playerHealth and dmg. The first precondition requires that dmg be a negative number. Next, the program requires that playerHealth be greater than or equal to zero. Now, within the function we check if playerHealth is greater than dmg, and if it is we return playerHealth - dmg, otherwise we return zero - since the player would be dead if their health is less than the dmg attack or zero.
Can you determine the error in the preconditions given the code? Notice how we require that dmg be negative but we return playerHealth - dmg, which would mean we are actually returning playerHealth - (-dmg) = playerHealth + dmg (since dmg has to be negative). This would cause an error since we would now potentially have an overflow error since we are adding dmg to playerHealth and playerHealth is not bounded with Integer.MAX_VALUE. To fix this we need to require that dmg be a positive number since it is we are subtracting dmg from playerHealth. So we write the following:
//@ spec_public
private int playerHealth;
//@ requires 0 <= dmg < Integer.MAX_VALUE;
//@ requires 0 < playerHealth;
public int updatePlayerHealth(int dmg) {
if(playerHealth > dmg) {
return (playerHealth - dmg);
}else {
return 0;
}
}
(b) How could you edit the code to verify the function with the original specification?
Asnwer and Explanation:
To keep the original preconditions without errors we would have to make a small edit to the code. The original problem with the function was that playerHealth - (-dmg) = playerHealth + dmg. So if we want to require that dmg be negative we need to change the return to playerHealth + dmg so that playerHealth + (-dmg) = playerHealth - dmg. So we can write the following:
//@ spec_public
private int playerHealth;
// @ requires dmg <= 0;
//@ requires 0 < playerHealth;
public int updatePlayerHealth(int dmg) {
if(playerHealth > dmg) {
return (playerHealth + dmg);
}else {
return 0;
}
}
Learning Objective:
The goal of this exercise is to see if the student understands how they need to account for OpenJML testing all possible inputs that conform to the preconditions. While the exercises focuses on using the correct opteration we want to show the student how not using the correct operation would cause error. Given the preconditions and the code in part (a) the student needs to recognize that since OpenJML will test negative values for dmg it will cause overflow warnings because with the code it returns playerHealth + dmg. Additionally, in part (b) we want to see if the student understands how the original precondition can still be used to have the same result if the code makes sense with the input OpenJML passes in. At this point in the students studies they have seen numerous examples of potential overflow errors and how to handle them, so this should be an easier exercise.