Key Java JML proover passes this algorithm that reads a specific array element which triggers a NullPointerException? it should fail instead

Question

I'm tyring to better understand the limits of the Key proover for Java. I have come up with a scenario where a specific array element will trigger a null pointer exception. When I run this through the proover it passes. Any idea why this is? It should fail as the null pointer will be thrown at array element 86454. Please note "normal_behaviour" means that it should terminate without exceptions.

/*@ 
 @ normal_behaviour
 @ requires true;
 @ ensures \result == 7;
 @*/ 
public static int tmp() {
    Object[] arr = new Object[999999];
    arr[86454] = new Integer(6);
    for (int i=0;i<999999;i++){
        if (arr[i]!=null && arr[i].equals(new Integer(6))){
            throw new NullPointerException();
        }
    }
    return 7;
}

Answer 1

Your specification only covers the normal behaviour, and not the exceptional case.

Normal behaviour means, that all post-condition have to be adhered, after the method is executed. Therefore, there exists a return value, and you are allowed to access it (\result). For the exceptional case, your requires clause would not be well-defined.

If you want to the specify the case, when an exception occurs you should use exceptional_behavior and in the case you want to show the "exception-freeness" use behavior. Both in conjunction with a signals clause. For example, use the following to show the exception-freeness:

/*@ public behavior 
    requires true; 
    signals (Exception e) false;
*/

This contract can not fulfilled by a method, which could throw an exception.

Please refer to Chapter 7 (especially "7.3.3 Semantics of Normal Behavior Specification Cases") of the key book.