Java Modeling Language

The Java Modeling Language (JML) follows the design by contract paradigm. It is a specification language for Java programs, using .

There are various verification tools for JML, such as a runtime assertion checker and the Extended Static Checker (ESC/Java).

Overview

JML is a behavioural interface specification language for Java modules. This means that JML provides semantics to formally describe the behaviour of a Java module, removing potential ambiguity with regard to the module designers' intentions. JML inherits ideas from Eiffel, Larch and the Refinement Calculus, with the goal of providing rigorous formal semantics while still being accessible to any Java programmer. Specifications can be written as annotations in Java program files, or stored in separate specification files. Various tools are available that make use of the extra behavioural information that JML specifications provide, and, because JML annotations take the form of Java comments, whether embedded in Java code or in separate files, Java modules with JML specifications can be compiled unchanged with any Java compiler.

Syntax

JML specifications are added to Java code in the form of annotations in comments. Java comments are interpreted as JML annotations when they begin with an @ sign. That is, comments of the form

//@

or

/*@ @*/

Basic JML syntax provides the following keywords

; requires : Defines a precondition on the method that follows.; ensures : Defines a postcondition on the method that follows.; signals : Defines a condition on when a given Exception can be thrown by the method that follows.; assignable : Defines which fields are allowed to be assigned to by the method that follows.; pure : Declares a method to be side effect free (this shorthand for assignable othing).; invariant : Defines an invariant property of the class.; also : Declares that a method should inherit conditions from its supertypes.; assert : Defines a JML assertion.

Basic JML also provides the following expressions

; esult : An identifier for the return value of the method that follows.; old() : A modifier to refer to the value of variable at the time of entry into a method.; forall : The universal quantifier.; exists : The existential quantifier.; a => b : The logical construct a implies b; a <=> b : The logical construct a if and only if b

as well as standard Java syntax for logical and, or, and not. JML annotations also have access to Java objects, object methods and operators that are within the scope of the method being annotated. These are combined to provide formal specifications of the properties of classes, fields and methods. For example, an annotated example of a simple banking class may look like

public class BankingExample { public static final int MAX_BALANCE = 1000; private int balance; private boolean isLocked = false; //@ invariant balance >= 0 && balance <= MAX_BALANCE; //@ assignable balance; //@ ensures balance = 0; public BankingExample() { ... } //@ requires amount > 0; //@ ensures balance = old(balance) + amount; //@ assignable balance; public void credit(int amount) { ... } //@ requires amount > 0; //@ ensures balance = old(balance) - amount; //@ assignable balance public void debit(int amount) { ... } //@ ensures isLocked = true; public void lockAccount() { ... } //@ signals (BankingException e) isLocked; public /*@ pure @*/ int getBalance() throws BankingException { ... } }

Full documentation (as of 2005, currently still in development) of JML syntax is available [http://www.cs.iastate.edu/~leavens/JML/jmlrefman/jmlrefman_toc.html] .

Tool Support

There are a variety of tools that provide functionality based on JML annotations. The Iowa State JML tools provide an assertion checking compiler jmlc which converts JML annotations into runtime assertions, a documentation generator jmldoc which produces Javadoc documentation augmented with extra information from JML annotations, and a unit test generator jmlunit which generates JUnit testing frameworks from JML annotations.

In addition to the Iowa State JML tools a number of independent groups are working on tools that make use of JML annotations. These include:
* [http://secure.ucd.ie/products/opensource/ESCJava2/ ESC/Java2] , an extended static checker which uses JML annotations to perform more rigorous static checking than is otherwise possible;
* [http://pag.csail.mit.edu/daikon/ Daikon] , a dynamic invariant generator;
* KeY, which provides a theorem prover with a JML front-end;
* [http://www.lri.fr/~marche/krakatoa/ Krakatoa] , a theorem prover using the Coq proof assistant;
* [http://jmleclipse.projects.cis.ksu.edu/ JMLeclipse] , a plugin for the Eclipse integrated development environment with support for JML syntax and interfaces to various tools that make use of JML annotations.

References

* Gary T. Leavens, Yoonsik Cheon. Design by Contract with JML. Draft tutorial.
* Gary T. Leavens, Albert L. Baker, and Clyde Ruby. JML: A Notation for Detailed Design. In Haim Kilov, Bernhard Rumpe, and Ian Simmonds (editors), Behavioral Specifications of Businesses and Systems, chapter 12, pages 175-188. Kluwer, 1999.

External links

* [http://www.jmlspecs.org/ JML website]