Java Modeling Language (JML)
1 Overview
- JML is a behavioral (functional) interface specification language
- An annotation language that captures programmer design decisions
- JML is written inside Java comments that begin with @, so javac ignores it:
//@ JML annotation
/*@ JML annotation @*/
- A JML annotation is a Java boolean expression …
- without any side effects
- extended with \old and \result
- extended with \forall and \exists
- JML keywords: requires, ensures, invariant
- JML keywords: pure, non_null, assignable, signals
- JML annotations also include model fields
1.1 No Side Effects
- No use of =, ++, --, …
- Can only call pure methods.
1.2 Java Extended Syntax in JML
- a ==> b stands for "a implies b"
- a <==> b stands for "a iff b"
- a <=!=> b stands for !(a <==> b)
- \old(E) stands for the value of E in the pre-state (before the method ran)
- \result stands for the return value of the method
1.3 Quantifiers
- Universal ∀ is JML \forall and existential ∃ is JML \exists
- General quantifiers (\sum, \product, \min, \max)
- Numeric quantifier (\num_of), which counts the values in the range for which the body holds
- A quantified expression has the form (\quantifier T x; range; body): the range predicate restricts x, and the body is evaluated for every such x
- Ex:
(\forall Student s; juniors.contains(s); s.getAdvisor() != null)
1.4 Java Example Source Code Files with JML Annotations
1.5 Non-Null
- To state that some references must not be null, use the non_null modifier …
private /*@ non_null @*/ File[] files;
void createSubdir(/*@ non_null @*/ String name) { ... }
- On a field, non_null means the reference is never null in any visible state; on a parameter, it is an implicit precondition. Newer tools such as OpenJML treat references as non_null by default and use nullable to opt out.
1.6 Java assert
assert Expression1 ;
where Expression1 is a boolean expression. When the system runs the assertion, it evaluates Expression1 and, if it is false, throws an AssertionError with no detail message.
assert Expression1 : Expression2 ;
where Expression1 is a boolean expression and Expression2 is an expression that has a value. The AssertionError constructor uses the string value of Expression2 as its detail message.
NB Java assertions are disabled by default at run time and only execute when the JVM is started with -ea (-enableassertions). Never rely on assert for input validation or security checks: in a default deployment the check simply does not run.
1.7 JML assert
//@ assert i > 0 && 0 < j && j < 5;
//@ assert (\forall int i; 0 <= i && i < n; a[i] != null);
- The keyword assert also exists in Java (since Java 1.4)
- assert in JML is more powerful: it may use quantifiers and calls to pure methods, and it can be checked statically by a tool rather than only at run time
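The following added example (not code from the original notes) shows the quantifier forms of section 1.3 used in method contracts, together with JML assert statements of section 1.7 placed inside loop bodies to state what has been established so far. The class ArrayStats and its methods are invented for illustration; the JML annotations are ignored by javac and checked only by a JML tool.

```java
// Added example (not from the original notes). ArrayStats and its methods are
// invented names. javac ignores every //@ and /*@ ... @*/ annotation below.
public class ArrayStats {

    // \num_of counts the indices in the range for which the body holds.
    /*@ requires a != null;
      @ ensures 0 <= \result && \result <= a.length;
      @ ensures \result == (\num_of int i; 0 <= i && i < a.length; a[i] > 0);
      @*/
    public static /*@ pure @*/ int countPositive(int[] a) {
        int n = 0;
        for (int i = 0; i < a.length; i++) {
            // JML assert inside the body: n counts the positives seen so far.
            //@ assert n == (\num_of int j; 0 <= j && j < i; a[j] > 0);
            if (a[i] > 0) n++;
        }
        return n;
    }

    // \forall gives an upper bound for every element, \exists says the bound is attained,
    // and \max states the same thing as a single general quantifier.
    /*@ requires a != null && a.length > 0;
      @ ensures (\forall int i; 0 <= i && i < a.length; a[i] <= \result);
      @ ensures (\exists int i; 0 <= i && i < a.length; a[i] == \result);
      @ ensures \result == (\max int i; 0 <= i && i < a.length; a[i]);
      @*/
    public static /*@ pure @*/ int max(int[] a) {
        int m = a[0];
        for (int i = 1; i < a.length; i++) {
            //@ assert (\forall int j; 0 <= j && j < i; a[j] <= m);
            if (a[i] > m) m = a[i];
        }
        return m;
    }

    // \sum over the range. Elements are widened to long so that the specification
    // and the code agree even where the int sum would wrap around.
    /*@ requires a != null;
      @ ensures \result == (\sum int i; 0 <= i && i < a.length; (long) a[i]);
      @*/
    public static /*@ pure @*/ long sum(int[] a) {
        long s = 0;
        for (int i = 0; i < a.length; i++) {
            //@ assert s == (\sum int j; 0 <= j && j < i; (long) a[j]);
            s += a[i];
        }
        return s;
    }

    // <==> ties the boolean result to a quantified property over adjacent pairs.
    /*@ requires a != null;
      @ ensures \result <==> (\forall int i; 0 <= i && i < a.length - 1; a[i] <= a[i + 1]);
      @*/
    public static /*@ pure @*/ boolean isSorted(int[] a) {
        for (int i = 0; i + 1 < a.length; i++) {
            if (a[i] > a[i + 1]) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        int[] a = {3, -1, 4, 1, -5, 9};   // constructed sample input
        System.out.println("positive: " + countPositive(a));
        System.out.println("max:      " + max(a));
        System.out.println("sum:      " + sum(a));
        System.out.println("sorted:   " + isSorted(a));
    }
}
```

Note that the range predicate of each quantifier is written as an explicit bounds check (0 <= i && i < a.length); a quantifier whose range admits an out-of-bounds index is not a stronger specification but an ill-formed one, and a static checker will report it as an unprovable array access.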
1.8 assignable
- Frame properties limit the possible side-effects of methods.
//@ requires amount >= 0;
//@ assignable balance;
//@ ensures balance == \old(balance) - amount;
public int debit(int amount) { ... }
- debit can only assign to the field balance.
- NB this does not follow from the post-condition: without the assignable clause an implementation that also changed some other field would still satisfy the ensures clause.
//@ assignable \everything;
//@ assignable \nothing;
1.9 pure
- A method without side-effects is said to be pure
public /*@ pure @*/ int getBalance() { ... }
- Pure methods implicitly have assignable \nothing
- Pure methods, and only pure methods, can be used in specifications:
//@ invariant 0 <= getBalance() && getBalance() <= MAX_BALANCE;
1.10 Model Variables
- Variables that exist only in specifications (declared with the model modifier), so clients can reason about abstract state without seeing the implementation
- Given a value only by represents clauses, which define the model field in terms of the concrete fields
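The following added example (not code from the original notes) puts the constructs of sections 1.5 (non_null), 1.8 (assignable), 1.9 (pure) and 1.10 (model/represents) together in one class. BankAccount and all of its members are invented names; spec_public is a real JML modifier that allows a private field to appear in public specifications. The frame condition on debit is what makes the contract useful as a tamper-resistance claim: an implementation that also touched overdraftLimit would fail verification even though the ensures clause still holds.

```java
// Added example (not from the original notes). BankAccount and its members are
// invented names; javac ignores every JML annotation below.
public class BankAccount {

    private /*@ spec_public non_null @*/ String owner;
    private /*@ spec_public @*/ int balance;
    private /*@ spec_public @*/ int overdraftLimit;

    // Model field: exists only in specifications. The represents clause defines it,
    // so clients can reason about "available funds" without knowing how they are stored.
    //@ public model int available;
    //@ private represents available = balance + overdraftLimit;

    // Object invariants: the holder can never owe more than the agreed overdraft.
    //@ public invariant overdraftLimit >= 0;
    //@ public invariant available >= 0;

    /*@ requires limit >= 0;
      @ assignable owner, balance, overdraftLimit;
      @ ensures this.owner == owner && balance == 0 && overdraftLimit == limit;
      @*/
    public BankAccount(/*@ non_null @*/ String owner, int limit) {
        this.owner = owner;
        this.balance = 0;
        this.overdraftLimit = limit;
    }

    // Pure methods: no side effects, implicitly assignable \nothing, usable in specs.
    public /*@ pure @*/ int getBalance() { return balance; }
    public /*@ pure @*/ int availableFunds() { return balance + overdraftLimit; }

    // The widening to long keeps the overflow check itself from overflowing when
    // balance is negative (an account in overdraft).
    /*@ requires amount >= 0;
      @ requires (long) balance + amount <= Integer.MAX_VALUE;
      @ assignable balance;
      @ ensures balance == \old(balance) + amount;
      @*/
    public void credit(int amount) {
        balance += amount;
    }

    // assignable: only balance may change. signals: if the exception escapes, the
    // request exceeded the funds available in the pre-state and balance is untouched.
    /*@ requires amount >= 0;
      @ assignable balance;
      @ ensures balance == \old(balance) - amount;
      @ signals (IllegalStateException e) amount > \old(available) && balance == \old(balance);
      @*/
    public void debit(int amount) {
        if (amount > availableFunds()) {
            throw new IllegalStateException("insufficient funds for " + owner);
        }
        balance -= amount;
    }

    public static void main(String[] args) {
        BankAccount acct = new BankAccount("alice", 50);   // constructed sample
        acct.credit(100);
        acct.debit(120);                                    // allowed: 120 <= 100 + 50
        System.out.println("balance: " + acct.getBalance());
        try {
            acct.debit(100);                                // exceeds available funds
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The ensures clause on debit only constrains normal termination; the signals clause is what says something about the exceptional path, and the assignable clause applies to both. Specifications are written in Java int arithmetic by default, which is why credit carries an explicit overflow precondition rather than relying on the invariant alone.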
2 Tools for JML
2.2 ESC/Java2
- http://kindsoftware.com/products/opensource/ESCJava2/
- Aims to improve the current software engineering process
- Can prove JML assertions at compile time
- Effort must be made by the developer (writing the annotations)
- So far, only possible for small programs
- Input: a Java program annotated with JML assertions
- Powered by program semantics and automatic theorem proving
- Automatically checks whether the assertions always hold
- Statically, without any user interaction
- Reasons about non-trivial properties (not just type-correctness)
- Its warnings are intended to be interpreted by the author of the program
- It does not find all the errors, but reduces the cost of finding some of them early; by design it is neither sound nor complete, so an absence of warnings is not a proof of correctness
2.3 JACK: Java Applet Correctness Kit