An Overview of JML Tools and Applications

This article appears in Software Tools for Technology Transfer. The original version is available at www.springerlink.com

An overview of JML tools and applications

Lilian Burdy1, Yoonsik Cheon2, David R. Cok3, Michael D. Ernst4, Joseph R. Kiniry5, Gary T. Leavens6?, K. Rustan M. Leino7, Erik Poll5

1 INRIA, Sophia-Antipolis, France 2 Dept. of Computer Science, University of Texas at El Paso, El Paso, Texas, USA 3 Eastman Kodak Company, R&D Laboratories, Rochester, New York, USA 4 Computer Science & Artiﬁcial Intelligence Lab, MIT, Cambridge, Massachusetts, USA 5 Dept. of Computer Science, University of Nijmegen, Nijmegen, the Netherlands 6 Dept. of Computer Science, Iowa State University, Ames, Iowa, USA 7 Microsoft Research, Redmond, Washington, USA

Received: date / Revised version: date

Abstract. The Java Modeling Language (JML) can be The work on JML was started by Gary Leavens and used to specify the detailed design of Java classes and his colleagues and students at Iowa State University. It interfaces by adding annotations to Java source files. The has since grown into a cooperative, open effort. Several aim of JML is to provide a specification language that is groups worldwide are now building tools that support easy to use for Java programmers and that is supported the JML notation and are involved with the ongoing by a wide range of tools for specification type-checking, design of JML. For an up-to-date list, see the JML web- runtime debugging, static analysis, and verification. site, www.jmlspecs.org. The open, cooperative nature This paper gives an overview of the main ideas be- of the JML effort is important both for tool developers hind JML, details about JML’s wide range of tools, and and users, and we welcome participation by others. For a glimpse into existing applications of JML. potential users, the fact that there are several tools supporting the same notation is clearly an advantage. For tool developers, using a common syntax and semantics can make it much easier to get users interested. After all, 1 Introduction one of the biggest hurdles to using a new specification- centric tool is often the lack of familiarity with the as- JML [57,58], the Java Modeling Language, is useful for sociated specification language. specifying detailed designs of Java classes and interfaces. JML is a behavioral interface specification language for The next section introduces the Java; that is, it specifies both the behavior and the syn- JML notation. Sections 3 through 7 tactic interface of Java code. The syntactic interface of a then discuss the tools currently avail- Java class or interface consists of its method signatures, able for JML in more detail. Section 8 the names and types of its fields, etc. This is what is discusses the applications of JML in commonly meant by an application programming inter- the domain of Java Card, the Java face (API). The behavior of such an API can be pre- dialect for programming smartcards. cisely documented in JML annotations; these describe Section 9 discusses some related lan- the intended way that programmers should use the API. guages and tools, and Section 10 con- In terms of behavior, JML can detail, for example, the cludes. preconditions and postconditions for methods as well as class invariants, in the Design by Contract style [73]. An important goal for the design of JML is that it 2 The JML Notation should be easily understandable by Java programmers. This is achieved by staying as close as possible to Java JML blends Eiffel’s Design by Contract approach [73] syntax and semantics. Another important design goal is with the Larch tradition [41,20,56] (both of which share that JML not impose any particular design methodology features and ideas with VDM [52]).1 Because JML sup- on users; instead, JML should be able to document Java ports quantifiers such as \forall and \exists, and be- programs designed in any manner. cause JML allows model (i.e., specification-only) fields

? Supported in part by US NSF grants CCR-0097907 and CCR- 1 JML also has takes some features from the refinement calculus 0113181 [75], which we do not discuss in this paper. 2 Burdy et al.: An overview of JML tools and applications and methods, specifications can easily be made more braries of mathematical concepts found in VDM, Z, precise and complete than is typical for Eiffel software. LSL, or OCL, but allows such concepts to be used di- However, following Eiffel’s use of its expression syntax in rectly in assertions, since they are embodied as Java assertions, JML uses Java’s expression syntax in asser- objects. tions; this makes JML’s notation easier for programmers – The semantics of JML forbids side-effects in asser- to learn than notations based on a language-independent tions. This both allows assertion checks to be used specification language, such as the Larch Shared Lan- safely during debugging and supports mathemati- guage [58,59] or OCL [91]. cal reasoning about assertions. This semantics works Figure 1 gives an example of a JML specification that conservatively, by allowing a method to be used in illustrates its main features. JML assertions are written assertions only if it is declared as pure, meaning the as special annotation comments in Java code, either after method does not have any side-effects and does not //@ or between /*@ ... @*/, so that they are ignored perform any input or output [58]. For example, if by Java compilers but can be used by tools that sup- there is a method getBalance() that is declared as port JML. Within annotation comments, JML extends pure, the Java syntax with several keywords—in the example /*@ pure @*/ int getBalance() { ... } in Figure 1, the JML keywords invariant, requires, assignable, ensures, and signals are used. It also ex- then this method can be used in the specification tends Java’s expression syntax with several operators— instead of the field balance. in the example \forall, \old, and \result are used; – Finally, JML supports the Java modifiers (private, these begin with a backslash so they do not clash with protected, and public) that control visibility of existing Java identifiers. specifications. For example, an invariant can be de- The central ingredients of a JML specification are clared to be protected if it is not observable by preconditions (given in requires clauses), postcondi- clients but is intended for use by programmers of tions (given in ensures clauses), and invariants. These subclasses. (Technically the invariants and method are all expressed as boolean expressions in JML’s exten- specifications in the Purse example of Figure 1 have sion to Java’s expression syntax. default or package visibility, and thus would only be In addition to normal postconditions, the language visible to code in the same package.) also supports exceptional postconditions, specified using clauses. These can be used to specify what signals 3 Tools for JML must be true when a method throws an exception. For example, the signals clause in Figure 1’s debit method specifies that debit may throw a PurseException and For a specification language, just as for a programming that the balance will not change in that case (as specified language, a range of tools is necessary to address the by the use of the \old keyword). various needs of the specification language’s users such The assignable clause for the method debit spec- as reading, writing, and checking JML annotations. ifies a frame condition, namely that debit will assign The most basic tool support for JML is parsing and only to the balance field. Although not a traditional typechecking. This already provides an advantage over part of Design by Contract languages like Eiffel, such informal comments, as parsing and typechecking will frame conditions are essential for verification of code catch any typos, type incompatibilities, references to when using some of the tools described later. names that no longer exist, etc. The JML checker (jml) developed at Iowa State University performs parsing and There are many additional features of JML that are typechecking of Java programs and their JML annota- not used in the example in Figure 1. We briefly discuss tions, and most of the other tools mentioned below in- the most important of these below. corporate this functionality. – Model variables, which play the role of abstract val- The rest of this paper describes the various tools ues for abstract data types [23], allow specifications that are currently available for JML. The following cat- that hide implementation details. For example, if in- egorization serves also as an organization for the imme- stead of a class Purse, we were specifying an inter- diately following sections of this paper. We distinguish face PurseInterface, we could introduce the bal- tools for checking of assertions at runtime, tools for stat- ance as such a model variable. A class implementing ically checking of assertions (at or before compile-time), this interface could then specify how this model field tools for generating specifications, and tools for docu- is related to the class’s particular representation of mentation. balance. – JML comes with an extensive library that provides 3.1 Runtime assertion checking and testing Java types that can be used for describing behavior mathematically. This library includes such concepts One way of checking the correctness of JML specifica- as sets, sequences, and relations. It is similar to li- tions is by runtime assertion checking, i.e., simply run- Burdy et al.: An overview of JML tools and applications 3

public class Purse {

final int MAX_BALANCE; int balance; //@ invariant 0 <= balance && balance <= MAX_BALANCE;

byte[] pin; /*@ invariant pin != null && pin.length == 4 @ && (\forall int i; 0 <= i && i < 4; @ 0 <= pin[i] && pin[i] <= 9); @*/

/*@ requires amount >= 0; @ assignable balance; @ ensures balance == \old(balance) - amount @ && \result == balance; @ signals (PurseException) balance == \old(balance); @*/ int debit(int amount) throws PurseException { if (amount <= balance) { balance -= amount; return balance; } else { throw new PurseException("overdrawn by " + amount); } }

/*@ requires p != null && p.length >= 4; @ assignable \nothing; @ ensures \result <==> (\forall int i; 0 <= i && i < 4; @ pin[i] == p[i]); @*/ boolean checkPin(byte[] p) { boolean res = true; for (int i=0; i < 4; i++) { res = res && pin[i] == p[i]; } return res; }

/*@ requires 0 < mb && 0 <= b && b <= mb @ && p != null && p.length == 4 @ && (\forall int i; 0 <= i && i < 4; @ 0 <= p[i] && p[i] <= 9); @ assignable MAX_BALANCE, balance, pin; @ ensures MAX_BALANCE == mb && balance == b @ && (\forall int i; 0 <= i && i < 4; p[i] == pin[i]); @*/ Purse(int mb, int b, byte[] p) { MAX_BALANCE = mb; balance = b; pin = (byte[]) p.clone(); } } Fig. 1. Example JML specification ning the Java code and testing for violations of JML as- 3.2 Static checking and verification sertions. Such runtime assertion checks are accomplished by using the JML compiler jmlc (Section 4.1). More ambitious than testing if the code satisfies the specifications at runtime is verifying that the code satisfies its specification statically. This can give more assurance in the correctness of code as it establishes the correctness for all possible execution paths, whereas run- Given that one often wants to do runtime assertion time assertion checking is limited by the execution paths checking in the testing phase, there is also a jmlunit tool exercised by the test suite being used. Of course, correct- (Section 4.2), which combines runtime assertion checking ness of a program with respect to a given specification is with unit testing. not decidable in general. Any verification tool must trade 4 Burdy et al.: An overview of JML tools and applications off the level of automation it offers (i.e., the ability to 4.1 Runtime Assertion Checking dispense with user interaction) and the complexity of the properties and code that it can handle. There are several 4.1.1 Overview and Goals tools for statically checking or verifying JML assertions, providing different levels of automation and supporting The goal of the JML compiler, jmlc, also known as the different levels of expressivity in specifications: runtime assertion checker, is to find inconsistencies be- – The program checker ESC/Java (Section 5.1) can tween specifications and code by executing assertions at automatically detect certain common errors in Java runtime. The overall approach is to find such inconsis- code and check relatively simple assertions. tencies dynamically, by executing JML’s assertions while – ESC/Java2 (Section 5.2) extends ESC/Java to sup- the program runs and notifying the user of any assertion port more of the JML syntax and to add other func- violations. As with other runtime assertion checkers, one tionality. normally hopes to find that the code is incorrect with re- – The LOOP tool (Section 5.3) translates code anno- spect to the specification. However, it may also be that tated with JML specifications to proof obligations the specification itself is incorrect (with respect to what that one can then try to prove using the theorem the user has in mind), but the code is correct. Find- prover PVS. The LOOP tool can handle more com- ing problems in specifications is important for keeping plex specifications and code than automatic checkers the specifications accurate and up-to-date; this solves a like ESC/Java can, but at the price of more user common problem with informal documentation, which interaction. cannot be mechanically checked against the program. – The program checker JACK (Section 5.4) offers simi- An important requirement for the runtime assertion lar functionality to ESC/Java, but is more ambitious checker is that it be good at isolating problems, in the in attempting real program verification. sense that users of the tool should be able to quickly pinpoint what in either the code or specifications must 3.3 Generating specifications be changed to correct an inconsistency. For this purpose, jmlc must provide information that is helpful for users. This includes both static information, such as what parts In addition to these tools for checking specifications, of the specification were violated and where in the pro- there are also tools that help a developer write JML gram the violation was detected, as well as dynamic in- specifications, with the aim of reducing the cost and ef- formation about the values of variables and what method fort of producing JML specifications: calls led to the violation (a stack backtrace). – The Daikon tool (Section 6.1) infers likely invariants It is also helpful, for isolating problems, if the runtime by observing the runtime behavior of a program. assertion checker can execute as large a subset of the – The Houdini tool (Section 6.2) postulates annota- JML language as possible. tions for code, then uses ESC/Java to check them. The runtime assertion checker must also be trustwor- – The jmlspec tool can produce a skeleton of a spec- thy, in the sense that it must not generate false reports ification file from Java source and can compare the of assertion violations. That is, every assertion violation interfaces of two different files for consistency. must be a report of an assertion that is false, according to the JML semantics. In meeting this goal, the runtime 3.4 Documentation assertion checker can fail to report assertions that might be false. For example, JML includes a way to write in- Finally, in spite of all the tools mentioned above, ulti- formal descriptions in assertions; these informal descrip- mately human beings must read and understand JML tions are merely pieces of English text, and so only a hu- specifications. Since JML specifications are also meant man reader can decide whether they are true or false. If to be read and written by ordinary Java programmers, it the runtime assertion checker were to assume some par- is important to support the conventional ways that these ticular truth value for these it might report an assertion programmers create and use documentation. The jml- violation when none actually existed. In such cases it is doc tool (Section 7.1) produces browsable HTML pages better for the runtime assertion checker to not report a containing both the API and the specifications for Java violation. Similarly, it is also acceptable for the runtime code, in the style of pages generated by javadoc [38]. assertion checker to not execute some parts of assertions, especially in postconditions. However, not being able to execute some precondition could cause a method to fail 4 Runtime Assertion Checking and Testing unexpectedly; thus jmlc should give a warning for non- executable preconditions. In summary, it is better if the The most obvious way to use JML annotations is to test runtime assertion checker can execute all assertions and them at runtime and report any detected violations. In find all assertion violations, but this is a goal that can this section we discuss two tools, jmlc and jmlunit, that be incrementally approached during the development of work this way. the tool. Burdy et al.: An overview of JML tools and applications 5

An important goal of the runtime assertion checker is jmlc on the example is straightforward; the user simply that its work should be transparent when no assertions tells the tool to compile the Purse.java file and then are violated. That is, except for time and space mea- runs a test driver using jmlrac as the virtual machine. surements, a correct program compiled with jmlc should The jmlrac command is a version of the java command behave just as if compiled with a normal Java compiler. that knows about the necessary runtime libraries for run- The transparency of runtime assertion checking is aided time assertion checking. Assertion violations are printed by JML’s design, as assertions are not allowed to have as messages on the console. We discuss details of this any side-effects [59]. kind of testing in Section 4.2.3. Although jmlc does not have to be used with any particular methodology, there are some general ideas for 4.1.4 Experience using such tools that are helpful for beginners [73]. A basic technique for using the runtime assertion checker The runtime assertion checker is one of the most widely is to first specify preconditions for the normal behavior used JML tools. It has been used on several case stud- of methods. This is easily done and helps ensure that ies. One of the most demanding of these case studies all methods are called in expected states. For debugging is the checking of the built-in model types for JML it- purposes, it is also important to add toString methods self, which have very rich and complete specifications. It to all types involved, so that jmlc can display object has been used in several undergraduate classes, but in values in violation messages. Following this, one could those cases it has also been used for simple, Design by define invariants that describe the legal states of objects Contract style, specifications. It has also been used in of each class (see Section 6.1 for more on this topic). To several of the other case studies mentioned in the rest help debug implementations, one can then advance to of this paper. It seems to be helpful to use the runtime describing normal postconditions for methods. If one is assertion checker before doing serious program verifica- describing a library for untrusted clients, it may also be tion, to make sure that the easily found bugs are removed useful to document when various exceptions are thrown before spending the effort to do verification. by writing exceptional postconditions. In sum, the JML compiler brings programming benefits to formal interface specifications by allowing Java 4.1.2 Design of the Tool programmers to use JML specifications as practical and effective tools for debugging, testing, and Design by Con- The JML compiler was developed at Iowa State Univer- tract. sity as an extension to the MultiJava compiler [24]. It compiles Java programs annotated with JML specifica- 4.1.5 Future Work tions into Java bytecode [19,21]. The compiled bytecode includes instructions that check JML specifications such One of the main issues in the future work on jmlc is im- as preconditions, normal and exceptional postconditions, proving both the speed of compilation and the speed of invariants, and history constraints. executing runtime assertion checks. For the latter, there Because the JML language provides such a rich set seem to be several simple things that can be done to im- of specification facilities, it presents new challenges in prove execution speed. For example, caching the values runtime assertion checking. One of these challenges that of model fields instead of recomputing them in several the current tool meets is supporting abstract specifica- places within an assertion would be helpful. tions written in terms of specification-only declarations Another direction for future work is being pursued such as model fields, ghost fields, and model methods. at Virginia Tech by Stephen Edwards and his student This aspect of the JML compiler represents a significant Roy Tan. They are building a version of the JML com- advance over the state of the art in runtime assertion piler that produces separate bytecode files for the nor- checking as represented by Design by Contract tools such mal code and for a runtime assertion checking wrapper. as Eiffel [73] or by Java tools such as iContract [55] or Separating the runtime assertion checking code into this Jass [9]. Other advances over such tools include (stateful) wrapper has several advantages. In particular, decisions interface specifications, multiple inheritance of specifica- about what classes should be checked can be made while tions from interfaces, various forms of quantifiers and set the program executes. It will also enable the addition of comprehension notation, support for strong and weak runtime checks to code for which the source code is not behavioral subtyping [68,28], and a contextual interpre- available. tation of undefinedness [21]. 4.1.6 Availability 4.1.3 Example The runtime assertion checker is part of the main JML The specifications and code in Figure 1 were debugged toolset available via www.jmlspecs.org, which is devel- using the runtime assertion checker in combination with oped as an open source project hosted at SourceForge. the unit testing tool described in Section 4.2.3. Using net. 6 Burdy et al.: An overview of JML tools and applications

4.2 Unit Testing and fresh byte arrays (such as null, new byte[] {}, new byte[] {0,0,0}, and new byte[] {0, 0, 0, 0}). To 4.2.1 Overview and Goals run the tests, one first compiles the classes being tested with jmlc (using a special option to flag unhandled and A formal specification can be viewed as a test oracle [84, unspecified exceptions as errors); then the classes pro- 3], and JML’s runtime assertion checker can be used as duced by jmlunit are compiled with a normal Java com- the decision procedure for the test oracle [22]. This idea piler; finally one executes the automatically-generated has been implemented as a unit testing tool for Java, driver class, Purse JML Test, using jmlrac. jmlunit, by combining JML with the popular unit testing If all the annotations are removed from Figure 1, then tool JUnit [10]. the unit testing process described in the previous para- The main goal of the jmlunit tool is to significantly graph does not detect any errors. This is because the automate unit testing of Java code. More specifically, unit testing tool is only testing for violations of asser- the goal is to free the programmer from writing the code tions and, if there are no assertions, then no violations that decides whether unit tests pass or fail. are detected. This illustrates the important observation that the quality of the testing that jmlunit provides is 4.2.2 Design of the Tool only as good as the specifications. Consider a version of Figure 1 that only includes the The jmlunit tool, developed at Iowa State University, preconditions of the methods and the constructor, but generates JUnit test classes that rely on the JML run- omits the invariants, the frame axioms, and all the nor- time assertion checker. The test classes send messages mal and exceptional postconditions. Testing of Purse to objects of the Java classes under test. The testing produces 11 failures, all of which are similar to that code catches assertion violation errors from such method shown in Figure 2. (Printing of Purse objects is handled calls to decide if the test data violate the precondition by adding the obvious toString method to the code in of the method under test; such assertion violation er- Figure 1.) rors do not constitute test failures. When the method This error is the result of not specifying (i.e., delet- under test satisfies its precondition, but otherwise has ing) the exceptional postconditions of the debit method. an assertion violation, then the implementation failed to It shows that the condition in an exceptional postcondi- meet its specification, and hence the test data detects tion can be alternatively considered as the negation of a failure [22]. In other words, the generated test code a precondition for normal behavior; which makes sense, serves as a test oracle whose behavior is derived from because throwing an exception is not normal behavior. the specified behavior of the class being tested. If the precondition of the debit method is changed to The user is still responsible for generating test data; the following: however, the generated test classes make it easy for the user to supply this data. The tool comes with a frame- amount >= 0 && amount <= balance work that includes sample test data for the built-in Java value types. This framework allows one to combine, fil- then all of these failures go away. This also happens if ter, and compose test data in several different ways to the debit method has the exceptional postcondition re- create a variety of tests. In addition, the user can supply stored from Figure 1, which tells the runtime assertion handwritten JUnit test methods if desired. Such hand- checker that such exceptions are expected. written tests are useful for exploring combinations of This kind of testing is also effective at finding various method calls that the automatic testing ignores. omissions in preconditions. For example, if the precondition in the checkPin method or the constructor that 4.2.3 Example specifies that the array must be of an appropriate length is omitted, then the tests will encounter failures. In this subsection we discuss runtime assertion check- Checking preconditions will not show places where ing and unit testing with jmlunit, based on Figure 1. the code is wrong, unless one method in the code calls To do unit testing with jmlunit, one first runs the jm- another incorrectly. For the most part, errors in code are lunit tool on the Purse.java file (technically, one has revealed by adding either invariants or postconditions. to use an option to tell the tool to test methods and If we add the invariants back into the version of Purse, constructors with package visibility). This produces a but still leave out the postconditions, then testing can file, Purse JML TestData.java, into which test data is detect omitted initialization of the MAX BALANCE field in placed, and another file Purse JML Test.java, which the constructor (although Java itself detects missing ini- contains a driver to run the tests. In the first file we tializations of final fields, so for JML to detect this error, supplied data of the various types used as arguments to one also has to omit the final attribute from that field). the methods being tested; this consists of integers (0, Similarly, with the invariants, the constructor’s precon- 1, -1, -22, etc.), Purse objects (such as null and new dition must have the first line shown in Figure 1, or many Purse(1,1,p), where p is a 4-element array of bytes), violations of the first invariant in the figure occur. Burdy et al.: An overview of JML tools and applications 7

1) debit(Purse_JML_Test$TestDebit)junit.framework.AssertionFailedError: Method ’debit’ applied to Receiver: Purse(max=1, bal=0, pin={0123}) Argument amount: 1 Caused by: org.jmlspecs.jmlrac.runtime.JMLExceptionalPostconditionError: by method Purse.debit regarding specifications at File "Purse.java", line 9, character 17, when ’jml$e’ is PurseException: overdrawn by 1 at Purse.checkXPost$debit$Purse(Purse.java:256) at Purse.debit(Purse.java:347) Fig. 2. Example output from testing with jmlunit.

Adding postconditions from Figure 1 allows many 4.2.6 Availability other errors in coding to be detected. For example, with all the postconditions restored, omissions of initializa- jmlunit is part of the main JML toolset. This toolset is tions of the balance and pin fields are detected. The available via www.jmlspecs.org. It has been developed postconditions can also detect incorrect coding in the as an open source project hosted at SourceForge.net. loop of the checkPin method, but doing so requires test data for byte arrays that differ in only the positions not checked by the code; we had to add such data to our 5 Static Checking and Verification initial set of test data, since the original test data did not detect these errors. Figuring out the right test data In this section, we describe several tools for statically to add in this case was subtle and could easily have been checking—or verifying—JML annotations, providing dif- missed. ferent degrees of rigor and automation.

4.2.4 Experience 5.1 Extended Static Checking with ESC/Java

Our experience shows that the tool allows one to per- 5.1.1 Overview and Goals form unit testing with minimal coding effort and detects many kinds of errors. Ironically, about half of our test The ESC/Java tool [36], originally developed at Compaq failures were caused by specification errors, which shows Research, performs what is called extended static check- that the approach is also useful for debugging specifica- ing [27,60], compile-time checking that goes well beyond tions. In addition, the tool can report assertion coverage type checking. It can check relatively simple assertions information, identifying assertions that are always true and can check for certain kinds of common errors in Java or always false, and thus indicating deficiencies in the code, such as dereferencing null, indexing an array out- set of test cases. However, the approach requires specifi- side its bounds, or casting a reference to an impermissi- cations to be fairly complete descriptions of the desired ble type. ESC/Java supports a subset of JML. For this behavior, as the quality of the generated test oracles de- subset it checks the consistency between the code and pends on the quality of the specifications. Thus, the ap- the given JML annotations. The user’s interaction with proach trades the effort one might spend in writing test ESC/Java is quite similar to the interaction with a com- cases for effort spent in writing formal specifications. piler’s type checker: the user includes JML annotations in the code and runs the tool, and the tool responds with 4.2.5 Future Work a list of possible errors in the program.

JML/JUnit testing is limited in that it only detects prob- 5.1.2 Design of the Tool lems that are the result of single method or constructor calls. Thus test data has to be carefully crafted so JML annotations affect ESC/Java in two ways. First, that the method is applied to objects in states that will the given JML annotations help ESC/Java suppress spu- fully exercise it. This process would be easier if the test rious warning messages. For example, in Figure 1, the drivers would apply several methods in sequence to var- constructor’s precondition p != null lets ESC/Java de- ious pieces of data. One alternative for doing this would termine that the dereference of p in the constructor’s be to generate such sequences of method calls automat- body is valid, and thus no null-dereference warning is ically. (An experimental version of Daikon can do this.) produced. Second, annotations make ESC/Java do addi- Another alternative is to augment JML with facilities tional checks. For example, when checking a caller of the to write specifications for blocks of example code to be Purse constructor, the precondition p != null causes used in testing. ESC/Java to emit a warning if the actual parameter 8 Burdy et al.: An overview of JML tools and applications for p may be passed in as null. In these two ways, the one using ESC/Java’s dialect of JML and one using the use of JML annotations enables ESC/Java to produce full JML language, was becoming a lot of work. warnings not at the source locations where errors man- ifest themselves at runtime, but at the source locations 5.1.5 Availability where the errors are committed. An interesting property of ESC/Java is that it is nei- The final binary release (version 1.2.4) of ESC/Java is ther sound nor complete; that is, it neither warns about available from Compaq/HP’s web site: www.research. all errors, nor does it warn only about actual errors. compaq.com/downloads.html. The source code (includ- This is a deliberate design choice: the aim is to increase ing that of related tools, e.g. Houdini, Calvin, and Sim- the cost-effectiveness of the tool. In some situations, con- plify) is available as well. This source code release is ob- vincing a mechanical checker of the absence of some par- scurely named the “Java Programming Toolkit Source ticular error may require a large number of JML anno- Release.” ESC/Java only runs on x86 machines with tations (consider, for example, a hypothetical program Linux and Microsoft Windows, Sun’s SPARC with So- that dereferences null if four of the program’s large- laris, and Alpha processors with Hewlett-Packard’s Tru64 valued integer variables satisfy the equation in Fermat’s Unix. Last Theorem). To make the tool more cost-effective, it may therefore be prudent to ignore the possibility of 5.2 ESC/Java2 certain errors, which is what ESC/Java has been designed to do. The ESC/Java User’s Manual [64] contains 5.2.1 Overview and Goals a list of all cases of unsoundness and incompleteness in ESC/Java. Development of version 1 of ESC/Java had ceased by Under the hood, ESC/Java is powered by detailed the time the Compaq Systems Research Center became program semantics and an automatic (non-interactive) part of HP Labs, where it was later dissolved. Conse- theorem prover, Simplify [26]. ESC/Java translates a quently, Cok and Kiniry have in progress a version 2 of given JML-annotated program into verification condi- ESC/Java, built on the source code release provided by tions [65,37,61]. Verification conditions are logical for- Compaq and HP. This version has the following goals: mulas that are valid if and only if the program is free – to migrate the code base of ESC/Java and the code of the kinds of errors being analyzed. Any verification- accepted by ESC/Java to Java 1.4; condition counterexamples found by the theorem prover – to update ESC/Java to accept annotations consis- are turned into programmer-sensible warning messages, tent with the current version of JML; including the kind and source location of each potential – to increase the amount of JML that is checked, while error [62]. The User’s Manual for ESC/Java [64] also remaining true to the original engineering goals of provides a detailed description of the semantics of JML ESC/Java. annotations, as they pertain to ESC/Java. 5.2.2 Design of the Tool 5.1.3 Example ESC/Java2 follows the design of ESC/Java. In addition, We refrain from giving details of an ESC/Java example ESC/Java2 , like ESC/Java, recognizes that the state-of- here. Instead, we describe an example in the context of the-art of static checking is such that not all mismatches ESC/Java’s successor, ESC/Java2 , in Section 5.2.3. between code and specifications are reported by static checking tools; that is, there are aspects which are un- 5.1.4 Experience sound, typically because some of the Java semantics are not yet fully modeled. Similarly, some generated warn- The first major experience with ESC/Java was to ap- ings are not actually errors in the program; that is, there ply the tool to the sources of its own front end, over 40 are aspects which are incomplete, typically because cur- KLOC of Java. This source was “fully annotated”, mean- rent theorem provers are insufficiently powerful. It is a ing that enough specifications were given for ESC/Java goal of all such tools, including ESC/Java2 , to be as to check the front end for run-time errors (like null sound and complete as is possible within reasonable en- dereferences and array-index bounds errors) and spec- gineering limits, but since no existing tools fully model ification violations (like precondition violations) with- or fully prove full multi-threaded Java (indeed, portions out producing any warnings. This and some other early of the semantics of the language are still being debated), experiences are described in the ESC/Java overview pa- the authors of both ESC/Java and ESC/Java2 believe per [36]. that it is in the interests of users to be explicit about the Applications to Java Card are discussed in Section 8. known sources of unsoundness and incompleteness. The experience applying ESC/Java to Java Card was ESC/Java2 does include improvements to ESC/Java one of the motivations for the work on ESC/Java2 , as in the following areas, while retaining backwards com- maintaining different versions of the API specification, patibility in all but a few features: Burdy et al.: An overview of JML tools and applications 9

– It parses Java 1.4 (ESC/Java only parsed Java 1.3). LOOP and JACK (and ESC/Java2 with the -loopSafe In particular ESC/Java2 handles the Java assert switch) handle loops soundly, but then require users to statement. A tool option allows the user to choose supply loop invariants. For this case, the loop invariant whether Java assert statements are treated as state- as illustrated in Figure 4 would have to be given. ments that may throw exceptions (per the Java semantics) or whether they are treated like assert 5.2.4 Experience statements in JML, which are checked by the static checker. The first major partial verification using ESC/Java2 was – It handles the current binary format for Java classes. done in early 2004 when the Dutch Parliament decided – It parses all of current JML. This is a somewhat mov- in 2003 to construct an Internet-based remote voting ing target, since JML is the subject of ongoing dis- system for use by Dutch expatriates. The SoS group at cussion and research. Nevertheless the core part of the University of Nijmegen was part of an expert review JML is stable and that is the portion that ESC/Java2 panel for the system and also performed a black-box attempts to statically check. Some of the more eso- network and system security evaluation of this system teric features of JML (e.g. model programs) are only in late 2003. They also were responsible for designing, parsed and are ignored for purposes of static check- implementing, and verifying the vote tally subsystem ing. of this system in early 2004. This implementation used – It allows specifications to be placed in (multiple) files JML and ESC/Java2 extensively. separate from the implementation, using JML’s re- ESC/Java2 made a very positive impression on the finement features. ESC/Java2 makes checks by com- SoS developers. Its increased capabilities as compared bining all available specifications and implementa- to Compaq ESC/Java, particularly with regards to han- tions. It also checks these specifications for consis- dling the full JML language, the ability to reason with tency. models and specifications with pure methods, are very – It follows the JML semantics for specification inher- impressive. And, while the tool is still classified as an itance. The constructs specific to ESC/Java version “alpha” release, we found it to be quite robust (per- 1 (also_requires, etc.) were dropped. haps unsurprising given its history, the use of JML and – It enlarges the set of JML features that are statically ESC/Java2 in and on its own source code, and the fact checked, most importantly: that it is passed through seven alpha releases thus far). – Pure methods, which may be included in annota- But there are still a number of issues with ESC/Java2 tions; and JML that were highlighted by this verification effort – Most aspects of assignable clauses; and are discussed in another paper [54]. – Model fields, with the associated represents, in and maps annotations. 5.2.5 Future Work

5.2.3 Example There are a number of major areas of development of ESC/Java2 that will improve overall usability of the tool, As an example, if the second invariant in Figure 1 is besides performance improvements. omitted and the current ESC/Java2 tool is applied to – The use of model variables and method calls in anno- the source code, the warnings shown in Figure 3 are pro- tation expressions. Model variables are an important duced. The warning messages indicate the likely problem abstraction mechanism in writing specifications and and the source code location that violates the implicit model methods allow much more readable and com- or explicit specification, namely, in this case, the implicit pact specifications [23]. This is a current topic of re- specification that the left-hand operand of the derefer- search and experimentation; most of what is needed ence operation must not be a null reference and that the to support these features is a part of the current al- index of an array reference must be less than the array pha release of ESC/Java2 [25]. length. – Checking of the frame conditions specified by JML’s If ESC/Java2 is applied to Purse.java as it stands assignable clause (also known as modifies). It is an (using a current version of JML’s specifications for Java acknowledged unsoundness of ESC/Java that these system classes), a warning will be produced reflecting are not checked and faulty assignable clauses can the fact that the specifications of the behavior of clone be a subtle source of errors. ESC/Java2 checks most are not yet completed. aspects of assignable clauses. However, the default A source of unsoundness in ESC/Java(2) that is rel- assignable clause in JML specifications is that ev- evant in the Purse example is its handling of loops: erything is potentially modified; this interpretation by default, it will not attempt verification of the loop is not currently implemented. in checkPin, but simply unroll it once. This makes it – Arithmetic. JML needs to have available for specifi- easy for the programmer, who doesn’t have to supply a cations both mathematical integers and reals as well loop invariant, but it may also miss errors. In contrast, as the finite-precision approximations that are used 10 Burdy et al.: An overview of JML tools and applications

Purse.java:31: Warning: Possible null dereference (Null) for (int i=0; i < 4; i++) { res = res && pin[i] == p[i]; } ^ ------Purse.java:31: Warning: Array index possibly too large (IndexTooBig) for (int i=0; i < 4; i++) { res = res && pin[i] == p[i]; } ^ Fig. 3. Example ESC/Java2 warnings

in computer programs. There is some initial work [18] using an associated Hoare logic [49] and weakest-pre- incorporating these into JML but as yet no axioma- condition calculus [47] for Java and JML, both of which tization that enables reasoning with ESC/Java2 . have been formalized in PVS. A difference between LOOP and both ESC/Java(2) The most significant aspect of future work, however, and JACK (see Section 5.4 for the JACK tool) is that is experimentation with specification and static checking it provides a so-called shallow embedding of Java and of larger, more varied, and real-world bodies of source JML in PVS, defining a formal denotational semantics code. Such experimentation is needed to verify that JML of both Java and JML in PVS. This has its advantages. has the facilities that are needed for realistic specifica- The Hoare logic and wp-calculi that are used have been tions and that static checking tools such as ESC/Java2 completely formalized and proven sound with respect are capable of providing a benefit to working program- to these semantics in PVS, whereas both ESC/Java(2) mers. and JACK directly rely on an axiomatic semantics. Also, our semantics of Java in PVS is still (symbolically) ex- 5.2.6 Availability ecutable to a degree, as it lets PVS evaluate the de- notation of a program. This has been very useful in the An alpha version of ESC/Java2 is available from http: extensive testing and debugging of our formal semantics, //www.cs.kun.nl/sos/research/escjava. The tool is where we compared the results of the normal execution a Java program that is fairly platform-independent, but of a Java program, i.e. the result of executing its byte- it uses the Simplify prover, which is only available on code on a Java VM, and the symbolic execution of its Linux, Windows, Solaris, and MacOSX platforms. semantics in PVS.

5.3 Program Veriﬁcation with LOOP 5.3.3 Example

5.3.1 Overview and Goals Using the LOOP tool to verify the example in Figure 1 fails for the constructor, as it did for ESC/Java, because The LOOP project at the University of Nijmegen started the specifications of the behavior of clone are incom- out as an exploration of the semantics of object-oriented plete. The verification of the methods is fully automatic languages in general, and Java in particular. Only later using LOOP, using its weakest precondition calculus, did it evolve to investigate verification of JML-annotated except that the verification of checkPin needs manual Java. For a detailed overview of the LOOP project we interaction in PVS to supply the loop invariant, as the refer to [50]. tool doesn’t handle JML’s loop_invariant yet.

5.3.2 Design of the Tool 5.3.4 Experience

The project began with the formalization of a denota- Case studies with the LOOP tool are discussed in [12,46, tional semantics of sequential Java [51] in the language 48]. Verification of JML-annotated code with the LOOP of the theorem prover PVS [82]. An associated compiler, tool (especially the required interactive theorem proving called the LOOP tool [11], was developed, which trans- with PVS) can be very labor-intensive, but allows verifi- lates any given sequential Java class into PVS theories cation of more complicated properties than can be han- describing its semantics. In order to conveniently use this dled by fully automated extended static checking using as a basis for the specification and verification of Java ESC/Java. Because of this labor-intensive nature, one code, the LOOP tool was then extended to also provide will typically first want to use other, less labor-intensive, a formal semantics of JML, so that the tool now trans- approaches, such as runtime assertion checking or ex- lates JML-annotated Java code into proof obligations for tended static checking, to remove some of the errors in PVS, which one can try to prove interactively, in PVS. the code or specifications before turning to the LOOP These proof obligations are expressed as a special kind of tool. Experiences with such a combined approach are Hoare statements about methods, and they are proved described in [13]. The possibility to do this is an impor- Burdy et al.: An overview of JML tools and applications 11 tant —if not crucial— advantage of using a specification grated as a plug-in to the Eclipse2 IDE. This plug-in language that is supported by a range of tools. allows users to generate proof obligations, to run the The LOOP tool generates a single proof obligation automatic provers, and to inspect the generated lem- for each method and constructor, expressed as a Hoare mas. To facilitate this last task, JACK provides a ded- statement. It does not, as commonly done in verification icated proof obligation viewer. This viewer presents the condition generators, split this up into smaller verifica- proof obligations as execution paths within the program, tion conditions. Instead, this splitting up is done inside highlighting the source code relevant to the proof obli- the theorem prover PVS, using dedicated proof strate- gations. Moreover, goals and hypotheses are displayed gies. A disadvantage of this is that the size of proof obli- in a Java/JML-like notation. The user can then work gations that can be comfortably handled in PVS has within its current development tool, add the JML anno- become a bottleneck. tations and check partially the correctness of the code in a familiar environment. 5.3.5 Future Work JACK ’s core is an implementation, in Java, of a weakest precondition calculus. This ensures proof obliga- Ongoing work on the LOOP tool includes support for tion generation without user interaction. Following this the different forms of arithmetic as proposed in [18] and step, automatic provers are used to prove the generated investigations into proving information flow properties. lemmas. Users then have to check whether any remain- The longer term plans for the LOOP tool are currently ing lemmas are valid or not. To reduce the remaining not clear. costly manual task – creating the JML annotation assertions – we have developed and integrated in JACK a 5.3.6 Availability prototype that annotates source code with assertions by propagation of pre and post conditions. This is a way to The LOOP tool is not publicly available, simply because reduce the cost of using JML, since, at the moment, the it is not easy to use without intensive user support and main issue when using JACK is the time spent annotat- documentation that we cannot provide. Actually, LOOP ing classes. itself is easy enough to use — it is simply a compiler that JACK is not based on a formalization of Java as outputs PVS — but dealing with the large and numer- LOOP is; thus one cannot easily prove the formal cor- ous PVS theories it outputs requires considerable (PVS) rectness of the tool, and the implementation of the weak- expertise. est precondition calculus can contain bugs. Nevertheless, the aim of the tool is to be complete and sound (i.e. to generate all proof obligations that are valid if and only if 5.4 Static Verification with JACK the application respects its formalization). So, users can choose to check partially the correctness of their applica- 5.4.1 Overview and Goals tion by just reviewing the unproved proof obligations, or they can also prove all the proof obligations using an in- The JACK [15] tool was initially developed at the re- teractive theorem prover, thereby obtaining a complete search lab of Gemplus, a manufacturer of smartcards and assurance on the development correctness. smartcard software. Further development is now happen- JACK provides an interface to automatic theorem ing at INRIA. JACK aims to provide an environment provers. Currently, the prover of the Atelier B toolkit, for Java and Java Card program verification using JML Simplify (the prover used in ESC/Java), and PVS are annotations. It implements a fully automated weakest integrated. These provers are integrated as plug-ins in precondition calculus in order to generate proof obli- JACK . Since JACK is based on an intermediate lemma gations from JML-annotated Java sources. Those proof formulation language, it is quite easy to integrate new obligations can then be discharged using different theo- provers by implementing a translator from this interme- rem provers. diate language to the prover input. Interfacing several The main design goals are an easily accessible user provers increases the automatic proof ratio. This also al- interface, a high degree of automation, a high correctness lows people to prove any remaining lemmas interactively assurance, and prover independence. in their preferred prover. The actually interfaced automatic provers can usu- 5.4.2 Design of the Tool ally automatically prove up to 90% of the proof obligations. The remaining ones have to be proved outside of The main goal of JACK is that it should be usable by JACK , using the classical B proof tool, PVS, or the Coq normal Java developers, allowing them to validate their proof assistant. However, JACK is meant to be used by own code, following, in this way, the JML philosophy. Java developers, who cannot be expected to use a proof Thus, care has been taken to hide the mathematical for- assistant. Therefore, in addition to the proved and un- mulation of the underlying concepts. To allow developers to work in a familiar environment, JACK is inte- 2 http://www.eclipse.org 12 Burdy et al.: An overview of JML tools and applications proved states, JACK adds a checked state, which allows 5.4.6 Availability developers to indicate that they have manually checked the proof obligation. In order to better handle those JACK is currently not publicly available. cases, other different approaches could be investigated, such as integration with test tools such as jmlunit, integration of other proof assistants, or perhaps support 6 Generating Specifications from a proof-expert team. Apart from checking that implementations meet specifi- 5.4.3 Example cations, a considerable barrier to entry in the use of any The code of the class given in the Figure 1 was proved formal specification language is writing specifications in using JACK . To generate proof obligations automati- the first place. The JML tools discussed so far assume cally, loop invariants have to be given explicitly in the the existence of a JML specification, and leave the task code. Here, the JML annotation of Figure 4 is added of writing it to the programmer. This task can be time- in the body of the method checkPin before the for consuming, tedious, and error-prone, so tools that can statement. When this annotation is added, one can run help in this task can be of great benefit. JACK , which then calculates proof obligations automatically and proves them using the automated provers. 6.1 Invariant Detection with Daikon Here, only three proof obligations remain unproved due to, yet again, the lack of complete specification of the 6.1.1 Overview and Goals clone() method in the constructor. The Daikon invariant detector [31,32] is a tool that pro- 5.4.4 Experience vides assistance in creating a specification. Daikon outputs observed program properties in JML syntax (as well Like ESC/Java, JACK tries to hide the complications of as other output formats) and automatically inserts them the underlying theorem prover from the user, by provid- into a target program. ing a push-button tool that normal Java developers, and not just formal methods experts, can and would like to use. We believe that this may be a way to let non-experts 6.1.2 Design of the Tool venture into the world of formal verification. ESC/Java, LOOP, and JACK all use (or, in the The Daikon tool dynamically detects likely program in- case of LOOP, have the option of using) a weakest pre- variants. In other words, given program executions, it condition calculus to generate verification conditions. reports properties that were true over those executions. ESC/Java and LOOP generate one verification condi- The set of reported properties is also known as an option per method implementation, whereas JACK gener- erational abstraction. Dynamic invariant detection op- ates roughly one verification condition per syntactic code erates by observing values that a program computes path through the code. So each of JACK ’s verification at runtime, generalizing over those values, and report- conditions is smaller than those generated by ESC/Java ing the resulting properties. The properties reported by and LOOP. On the other hand, JACK may generate Daikon encompass numbers (x <= y, y == ax + b), col- a very large number of verification conditions. Though lections (mytree.contains(x), mylist.isSorted()), point- it generates just one verification condition per method, ers (n == n.next.prev), and implications (p != null ESC/Java factors its verification conditions differently ==> p.value > x); a complete list appears in the Daikon than the other two tools (see [37,61]) and therefore is user manual. able to keep the one verification condition reasonably Like any dynamic analysis, the accuracy of the in- small. More important than size, verification conditions ferred invariants depends in part on the quality and com- generated by ESC/Java often let the theorem prover pleteness of the test cases, and other executions may fal- avoid redundant work. JACK ’s approach has the ad- sify some of the reported properties. (Furthermore, the vantage that it is easy to pass the different verification actual behavior of the program is not necessarily the conditions to different theorem provers. same as its intended behavior.) However, Daikon uses static analysis, statistical tests, and other mechanisms 5.4.5 Future Work to reduce the number of false positives [33]. Even if a property is not true in general, Daikon’s output provides To increase the automation of this validation phase, we valuable information about the test suite over which the are currently thinking of interfacing JACK with a coun- program was run. Combining invariant detection with terexample detector or runtime test generator. We are a static verifier such as ESC/Java helps to overcome also still investigating the annotation generation and the problems of both techniques: the unsoundness of the propagation techniques since we consider that it can be dynamic analysis and the static analysis’s need for an- a way to reduce the cost of using the tool. notations. Burdy et al.: An overview of JML tools and applications 13

//@ loop_invariant 0 <= i <= 5; //@ loop_invariant res == (\forall int j; 0 <= j && j < i; pin[j] == p[j]); Fig. 4. Loop invariant

6.1.3 Example enhancements to the language-specific front ends, but no significant changes to Daikon proper. Another in- In order to apply Daikon to a program, a user runs an strumentation enhancement that we are pursuing is re- instrumented version of the program to create a data placing the current Java instrumenter (which performs trace file, then runs Daikon over the data trace file to a source-to-source translation) by one that is embed- produce likely invariants. The instrumented version of ded in the Java Virtual machine and works on compiled the program contains, at program points such as proce- Java programs. This change will simplify using Daikon dure entries and exits, code that writes the values of all by reducing the work required of a user. Finally, mak- variables in scope to a trace file. In some cases (as for ing Daikon work online — taking data from a running Daikon’s C front end), the instrumentation is performed program rather than from a trace file — will reduce the automatically on a compiled executable by a special run- number of steps to 1, which is the same as currently re- time system. In other cases (as for Daikon’s Java front quired to run any Java program (via the java command). end), the user runs a source-to-source translator that Our main research thrust is not to improve Daikon instruments the program, then runs the instrumented itself, but to find more uses for the operational abstrac- program in place of the original. tions that it produces. Linking it to verification tools Given a simple test suite that creates 1000 random from the JML toolset is just one application; some oth- Purse objects and invokes debit on each one, the Daikon ers were noted above in Section 6.1.4. tool automatically generates the annotations of Figure 1, except that the current version of Daikon does not gen- 6.1.6 Availability erate JML’s signals clauses. Daikon’s output is correct JML that is parseable by the JML toolset. Daikon is publicly available, in both source and compiled form, from http://pag.csail.mit.edu/daikon/. 6.1.4 Experience Daikon includes front ends for Java, C, Perl, and other languages and input formats. Even with modest test suites, Daikon’s output is re- Several other implementations of dynamic invariant markably accurate. In one set of experiments [80], over detection exist [43,87,45]. However, they do not produce 90% of the properties that it reported were verifiable by output in JML format, they are not publicly available, ESC/Java (the other properties were true, but were be- and they check and report only a small fraction of the yond the capabilities of ESC/Java), and it reported over properties that Daikon does [83]. 90% of the properties that ESC/Java needed in order to complete its verification. For example, if Daikon generated 100 properties, users had only to delete less than 6.2 Inferring annotations with Houdini 10 properties and to add another 10 properties in order to have a verifiable set of properties. In another experi- 6.2.1 Overview and Goals ment [81], users who were provided with Daikon output (even from unrealistically bad test suites) performed sta- An obstacle to using program verification tools such as tistically significantly better on a program verification ESC/Java on legacy code is the lack of annotations in task than did users who did not have such assistance. such a program. The warnings more likely point out In addition to aiding the task of static checking as missing annotations than errors in the code. The Hou- described above, operational abstractions generated by dini tool [35,34] attempts to alleviate this problem by the Daikon invariant detector have been used to generate supplying many of the missing annotations. and improve test suites [44,93,40], automate theorem- proving [78,79], identify refactoring opportunities [53], 6.2.2 Design of the Tool aid program analysis [29,30], choose modalities [67], pre- dict incompatibilities in component upgrades [71,72], de- Houdini works by making up candidate annotations for tect anomalies and bugs [89,43,87,14,70], and isolate er- the given program. Such candidate annotations compare rors [92,39,66], among other uses. fields and array lengths to -1, 0, 1, constants used in array constructors, null, true, and false (depending 6.1.5 Future Work on the type of the field), and indicate that arrays and sub-arrays contain no null elements. To find which of As noted above, Daikon does not generate JML signals the candidate annotations hold for the program, Hou- clauses for exceptional method exits. Doing so requires dini repeatedly invokes ESC/Java, removing those can- 14 Burdy et al.: An overview of JML tools and applications didate annotations that ESC/Java finds to be inconsis- ings it can suppress. Future work might consider apply- tent with the code. When all remaining candidate an- ing more static analysis or dynamic profiling to improve notations are consistent with the code, Houdini invokes the initial set of candidate annotations. ESC/Java a final time to produce warnings that are then Second, to reduce the number of warnings produced, presented to the user. Houdini thus retains the precision it is important for Houdini to infer good class invari- of ESC/Java, trading quick turnaround for a reduced ants. Even in the cases where Houdini’s candidate set annotation effort. includes the necessary invariants, Houdini may fail to Note that any user-supplied JML annotations in the infer them because the first point at which they hold is program still get used by Houdini, since they become unknown. For example, ESC/Java generally checks that part of each invocation of ESC/Java. Thus, the benefits an object’s invariant has been established before the ob- of using JML annotations are the same for Houdini as for ject’s constructor invokes any method on the object. But ESC/Java, but Houdini can find program errors from a the purpose of such a method invocation is sometimes smaller set of user-supplied JML annotations. to help establish the object’s invariant in the first place. In an attempt to improve this situation, Houdini uses a 6.2.3 Example special mode of ESC/Java, where ESC/Java inlines any method call from a constructor. This mode allows Hou- If the class in Figure 1 is given to Houdini without dini to infer better invariants, but sometimes produces any annotations, then Houdini will produce a number enormous verification conditions in ESC/Java. Future of candidate annotations, including the invariants 0 <= work might find a better solution to this problem. balance and 1 <= balance and the Purse-constructor Third, to avoid forcing users to write loop invariants, preconditions 0 <= b and 1 <= b. If the given program ESC/Java by default analyzes only a fixed number of contains a call to the Purse constructor that passes in 0 unrollings of each loop. If the loop is known always to for b, then the candidate precondition 1 <= b is refuted go through more iterations than are unrolled (for exam- and removed. Since the constructor assigns b to balance, ple, if a for loop iterates exactly 10 times, where 10 the candidate invariant 1 <= balance will then eventu- is a constant mentioned in the loop head), then the ef- ally also become refuted. fect is that ESC/Java’s analysis doesn’t ever reach the Houdini will also include balance <= MAX BALANCE other side of the loop. This may be acceptable in a man- among many other candidate annotations, but will not ual application of ESC/Java, since ESC/Java performs include, for example, the universal quantifications shown modular checking method by method, and therefore the in Figure 1. checking of other methods is unaffected. However, for Houdini, whose inference is more like that of a whole- 6.2.4 Experience program analysis, this situation can have a paralyzing effect on the entire program analysis. Houdini side steps Houdini has been applied to a number of real applica- this situation by using a special mode of ESC/Java, tion programs, the initial account of which is reported where ESC/Java in effect introduces a jump from its in [35]. For each of the applications, Houdini (in concert last unrolling of the loop until after the loop. This is with ESC/Java) was able to find errors. The number of much better for Houdini, but it also introduces execu- warnings produced was generally larger than the num- tion paths that don’t exist in the given program, which ber of warnings inspected by a user. For example, in the leads to other problems. Perhaps there are better solu- 36-KLOC program “Cobalt” [35], only 200 of the 540 tions. warnings were inspected by a user, though this inspection revealed 8 errors. In the largest program to which 6.2.6 Availability Houdini was applied, a systems administration tool com- prising 500 KLOC of Java, the number of warnings produced was too large to be particularly useful, though an Work on the Houdini tool petered out in 2001 with the inspection of 10 of the warnings still revealed 2 program transformation of the Compaq Systems Research Center. errors. The experience with Houdini, albeit limited, sug- The sources of the final version of Houdini are available gests that it is possible for a user to inspect a program in the ESC/Java source distribution, named the “Java for errors at a rate of upwards of 1000 LOC per hour. Programming Toolkit Source Release”, at http://www. research.compaq.com/downloads.html. 6.2.5 Future Work

Though Houdini has found real errors, some problems 7 Documentation make the tool less eﬀective than one would like. We men- tion three such problems here. First, Houdini’s simple strategy for producing candi- Generating human-readable web pages from JML spec- date annotations limits the number of ESC/Java warn- iﬁcations is accomplished by the jmldoc tool. Burdy et al.: An overview of JML tools and applications 15

7.1 jmldoc 7.1.4 Experience

7.1.1 Overview and Goals The main experience we have with jmldoc is in documentation of packages that ship with JML, such as JML’s The goal of the jmldoc tool is to produce HTML pages built-in types for modeling and its samples, and with like those produced by the javadoc tool, but including documentation of parts of the Java standard libraries. information from JML annotations as well. JML allows While these are used by JML users on a daily basis, specifications to be spread across a number of refinement there have been no formal case studies of the usefulness files. This is essential, for example, in the case that the of jmldoc. Informal reports, however, have been positive. Java source code may not be modified to include specifications directly in the source code. Even within one file, 7.1.5 Future Work the specifications relevant to the class may be spread throughout the file, making easy spotting of a relevant The tool is being maintained as part of the JML toolset, invariant difficult. Also, JML enforces behavioral inher- but not being extended further other than to keep pace itance, in which an overriding method must satisfy the with changes in the definition of JML itself. Extensive specification of the methods it overrides. Accordingly, maintenance is also needed to keep pace with changes jmldoc includes in the HTML representation of the spec- in the doclet API with each new version of Java. As ifications of a method the specifications of the methods it happens, the portions of the doclet API that are ex- it overrides. By combining and grouping these specifica- tended by jmldoc have been changing significantly even tions appropriately, jmldoc makes them more accessible between minor releases of javadoc. If this rate of change to the programmer. Particularly for those accustomed continues, the JML project may need to seek an alter- to browsing the javadoc documentation of an API, the native design that is not tied as closely to the current inclusion of the additional specifications in a formal no- appearance of javadoc documentation in order to lessen tation as provided by jmldoc is expected to be a conve- the maintenance burden. nience. 7.1.6 Availability 7.1.2 Design of the Tool

The jmldoc tool is designed to leverage as much of both The jmldoc tool was authored by David Cok along the the JML tools and the javadoc tool as possible. It uses lines of the goals espoused by Raghavan [88]. It is part of the classes of the JML checker to parse, typecheck, and the main JML toolset available via www.jmlspecs.org, provide an AST that includes specifications of each class which is developed as an open source project hosted at and method being documented. The javadoc tool pro- SourceForge.net. vides a doclet API that allows some reuse of the javadoc framework. Many of the contributed doclets use the provided classes to parse valid Java source code with javadoc 8 Applications of JML to Java Card comments and then to do checks or alternative processing on those files, such as producing PDF rather than Although JML is able to specify arbitrary sequential HTML or checking that all methods do indeed have Java programs, most of the serious applications of JML javadoc comments. The jmldoc tool instead alters (by and JML tools up to now have targeted Java Card. derivation) the mechanism that generates the HTML Java CardTM is a dialect of Java specifically designed pages in order that the output will contain in addition for the programming of the latest generation of smart- information about the JML annotations in the source cards. Java Card is adapted to the hardware limitations files, as provided by the JML-generated AST. In this of smartcards; for instance, it does not support floating way, the jmldoc tool remains consistent with the other point numbers, strings, object cloning3, or threads. JML tools in their handling of the JML language, but Java Card is a well-suited target for the application it also produces HTML pages consistent with other cur- of formal methods. It is a relatively simple language rent javadoc documentation and with that produced by with a restricted API. Moreover, Java Card programs, the javadoc tool itself. Aside from accepting additional called applets, are small, typically on the order of several command-line options appropriate to JML, jmldoc is in- KBytes of bytecode. Additionally, correctness of Java tended to be a drop-in replacement for javadoc. Card programs is of crucial importance, since they are used in sensitive applications, e.g. as bank cards, iden- 7.1.3 Example tity cards, and in mobile phones. Furthermore, once such

An example of jmldoc’s output is shown in Figure 5; 3 The fact that Java Card does not have cloning means that a it shows the current output produced for the method version of the Purse example in Figure 1 rewritten to Java Card rather than Java does verify using ESC/Java, LOOP, or JACK . HashMap.size as currently speciﬁed by JML speciﬁca- Indeed, the absence of clone in Java Card is a reason why dealing tions for Java system classes. with clone has not been a priority in these tools. 16 Burdy et al.: An overview of JML tools and applications

Fig. 5. Example jmldoc output smartcards are issued, it is difficult, if not impossible, to consumer products, such as mobile phones and PDAs, is fix any software errors. also an interesting application domain for JML. JML, and several tools for JML, have been used for Java Card, especially in the context of the EU-supported project VerifiCard (www.verificard.org). 9 Related Work JML has been used to write a formal specification of almost the entire Java Card API [86]. This experience has shown that JML is expressive enough to specify 9.1 Java non-trivial existing API classes. The runtime assertion checker has been used to specify and verify a component Many runtime assertion checkers for Java exist, for ex- of a smartcard operating system [85]. ample Jass, iContract, and Parasoft’s jContract, to name ESC/Java has been used with great success to verify just a few. Each of these tools has its own specification a realistic example of an electronic purse implementation language, thus specifications written for one tool do not in Java Card [16]. This case study was instrumental in work in any other tool. And while some of these tools convincing industrial users of the usefulness of JML and support higher-level constructs such as quantifiers, all feasibility of automated program checking by ESC/Java are quite primitive when compared to JML. For exam- for Java Card applets. In fact, this case study provided ple, none include support for purity specification and the motivation for the development of the JACK tool checking, model methods, refinements, or unit test inte- discussed earlier, which is specifically designed for Java gration. The developers of Jass have expressed interest Card programs. One of the classes of the electronic purse in moving to JML as their specification language. has also been verified using the LOOP tool [12]. An The ChAsE tool [17] is a static checker for JML’s overview of the work on this electronic purse, and the assignable clauses. It performs a syntactic check on way in which ESC/Java and LOOP can be used to com- such clauses, which, in the spirit of ESC/Java, is nei- plement each other, is given in [13]. ther sound nor complete, but which spots many mis- As witnessed by the development of the JACK tool takes made in the user’s assignable clauses. ChAsE was by Gemplus, Java Card smartcard programs may be developed to complement the functionality missing in one of the niche markets where formal methods have other tools: not checking assignable clauses was one of a promising future. Here, the cost that companies are the sources of unsoundness of ESC/Java. Also, assign- willing to pay to ensure the absence of certain kinds of able clauses are not checked by the runtime assertion bugs is quite high. It seems that, given the current state checker, making errors in assignable clauses hard to de- of the art, using static checking techniques to ensure tect. The functionality to check assignable clauses is now relatively simple properties (e.g., that no runtime ex- incorporated in ESC/Java2 . Also, the JML runtime as- ception ever reaches the top-level without being caught) sertion checker has started to incorporate some of this seems to provide an acceptable return-on-investment. It functionality. should be noted that the very simplicity of Java Card is In addition to ESC/Java(2), LOOP, and JACK , sev- not without its drawbacks. In particular, the details of eral other tools exist for the verification of Java code, its very primitive communication with smartcards (via for instance Krakatoa [69], Jive [74], and KeY [1]. The a byte array buffer) is not easily abstracted away from. Krakatoa tool also uses JML as specification language; it It will be interesting to investigate if J2ME (Java 2 Mi- produces proof obligations for the theorem prover Coq. cro Edition), which targets a wider range of electronic It is planned that Jive will also start supporting JML. Burdy et al.: An overview of JML tools and applications 17

The KeY tool uses OCL instead as its specification lan- also has obvious advantages when it comes to syntax, guage, and is integrated with a commercial CASE tool. semantics, and expressivity. Because JML sticks to the Java syntax and typing rules, a typical Java programmer 9.2 Other languages will prefer JML notation over OCL notation, and, for instance, prefer to write (in JML): SPARK (www.sparkada.com, [4]) is an initiative similar invariant pin != null && pin.length == 5; to JML in many respects, but much more mature, and targeting Ada rather than Java. SPARK (which stands rather than the OCL: for Spade Ada Kernel) is a language designed for pro- inv: pin <> null and pin->size() = 5 gramming high-integrity systems. It is a subset of Ada95 (with no object references and subclasses, for example) JML supports all the Java modifiers such as static, enriched with annotations to enable tool support. This private, public, etc., and these can be used to record includes tools for data- and information-flow analysis, detailed design decisions for different readers. Further- and for code verification, in particular to ensure the ab- more, there are legal Java expressions that can be used sence of runtime exceptions [2]. Spark has been success- in JML specifications but that cannot be expressed in fully used to construct high-integrity systems that have OCL. been certified using the Common Criteria, the ISO stan- More significant than these limitations, or differences dard for the certification of information technology secu- in syntax, are differences in semantics. JML builds on rity. SPARK and the associated tools are marketed by the (well-defined) semantics of Java. So, for instance, Praxis Critical Systems Ltd., demonstrating that this equals has the same meaning in JML and Java, as does technology is commercially viable. ==, and the same rules for overriding, overloading, and A more recent initiative that is very similar to JML hiding apply. One cannot expect this for OCL, although is Spec# [6]. The Spec# language extends C# with efforts to define a semantics for OCL are underway. contract specifications, analogously to the way JML ex- In all, we believe that a language like JML, which tends Java. The Spec# compiler then introduces runtime is tailored to Java, is better suited for recording the de- checks for the declared specifications (akin to jmlc), and tailed design of Java programs than a generic language the Boogie program verifier tries to prove these speci- like OCL. Even if one uses UML in the development of fications statically using an automatic theorem prover a Java application, it may be better to use JML rather (akin the tools described in Section 5). One difference than OCL for the specification of object constraints, es- between Spec# and JML is that Spec# builds in a new pecially in the later stages of the development. There methodology for object invariants [5,63,7], trading re- has been work on automatically translating OCL to JML strictions on the kinds of programs that can be written [42]. for a sound modular reasoning technique.

9.3 OCL: UML’s constraint language 10 Conclusions

Despite the similarity in the acronyms, JML is very dif- We believe that JML presents a promising opportunity ferent in its aims from UML [90]. The most basic differ- to gently introduce formal specification into industrial ence is that the UML aims to cover all phases of anal- practice. It has the following strong points: ysis and design with many notations, and it tries to be independent of programming language, while JML only 1. JML is easy to learn for any Java programmer, since deals with detailed designs (for APIs) and is tied to Java. its syntax and semantics are very close to Java. We The model in JML refers to abstract, specification-only believe this a crucial advantage, as a big hurdle to fields that can be used to describe the behavior of vari- introducing formal methods in industry is often that ous types. By contrast, the model of UML refers to the people are not willing, or do not have the time, to general modeling process (analysis and design) and is learn yet another language. not limited to abstractions of individual types. 2. There is no need to invest in the construction of a JML does have some things in common with the Ob- formal model before one can use JML. Or rather: the ject Constraint Language (OCL) [91], which is part of source code is the formal model. This brings further the UML standard. Like JML, OCL can be used to spec- advantages: ify invariants and pre- and postconditions. An important – It is easy to introduce the use of JML gradually, difference is that JML explicitly targets Java, whereas simply by adding the odd assertion to some Java OCL is not specific to any one programming language. code. One could say that JML is related to Java in the same – JML can be used for existing (legacy) code and way that OCL is related to UML. APIs. Indeed, most applications of JML and its JML clearly has the disadvantage that it can not be tools to date have involved existing APIs and used for, say, C++ programs, whereas OCL can. But it code. 18 Burdy et al.: An overview of JML tools and applications

– There is no discrepancy between the actual code One important aspect of future work is experiment- and the formal model. In traditional applications ing with the use JML for specification of real-world code of formal methods there is often a gap between and APIs, and using the associated tools. There has the formal model and the actual implementation, been a lot of work on producing JML specifications of which means that some bugs in the implementa- the Java system libraries (these can be downloaded from tion cannot be found, because they are not part www.jmlspecs.org), but more work is needed. of the formal model, and, conversely, some prob- Using JML to specify real-world code raises many lems discovered in the formal model may not be interesting issues. For instance, JML allows pure meth- relevant for the implementation. ods to be used in annotations, where pure methods are 3. There is a growing availability of a wide range of tool defined as those which have no side-effects. But this is support for JML. a very strict definition, which can be impractical when writing specifications, as many methods (including some Unlike B, JML does not impose a particular design in core Java libraries) that programmers intuitively as- methodology on its users. Unlike UML, VDM, and Z, sume to be pure are not pure, due to unobservable and JML is tailored to specifying both the syntactic interface benevolent side-effects [59]. Work continues on a better of Java code and its behavior. Therefore, JML is better and more useful definition of purity, e.g. [8]. suited than these alternative languages for documenting With more tools supporting JML, and the specifica- the detailed design of existing Java programs. tion language JML growing in complexity due to the dif- As a common notation shared by many tools, JML ferent features that are useful for the different tools, one offers users multiple tools supporting the same notation. important challenge is maintaining agreement on the se- This frees users from having to learn a whole new lan- mantics of the language between the different tools. One guage before they can start using a new tool. The shared thing that has become very clear in the course of devel- notation also helps the economics both for users and tool oping JML is that precisely defining the semantics of a builders. Any industrial use of formal methods will have specification language such as JML is very tricky. to be economically justified, by comparing the costs (the More generally, there are several fundamental issues extra time and effort spent) against the benefits (im- in the specification of object-oriented systems that are provements in quality, number of bugs found). Having still active topics of investigation. The notion of object a range of tools, offering different levels of assurance invariant is tricky in the presence of callbacks [5,7,63, at different costs, makes it much easier to start using 77]. Another largely open issue is how concurrency prop- JML. One can begin with a technique that requires the erties should be specified. least time and effort (perhaps runtime assertion check- As always in imperative programming, aliasing is a ing) and then move to more labor-intensive techniques if major source of complications, and an important source and when that seems worthwhile, until one has reached a of bugs. For example, in the example in Figure 1 it is combination of tools and techniques that is cost-effective probably important that in the constructor the field pin for a particular situation. is not simply aliased to the argument p, but that a new Using any of the tools for static checking or verifi- array is created. However, the current specification does cation requires formal specifications of the APIs of any not demand this. JML should offer practical ways to system libraries used, and the cost of developing such constrain potential aliasing. A first proposal is given in specifications is very high. Indeed, the largest case study [76]. to date in using JML for specification is the ongoing work The subtleties involved in such open problems are ev- in developing specifications for substantial parts of the idenced by the slightly different ways in which different Java system libraries. Being able to reuse these same tools approach these problems. This reflects the research specifications for different tools is an important advan- (as opposed to industrial development) focus of most of tage. those involved in JML and its tools. Nevertheless, JML seems to be successful in providing a common notation and a semantics that is, at least for a growing core sub- Future Work set, shared by many tools, and as a common notation, JML is already proving to be useful to both tool devel- There are still many opportunities for further develop- opers and users. ment of both the JML language and its tools. For instance, we would also like to see support for JML in Acknowledgements. Despite our long list of co-authors, still integrated development environments (such as Eclipse) more people have been involved in developing the tools dis- and integration with other kinds of static checkers. cussed in this paper, including Joachim van den Berg, Ab- A major recent extension to JML concerns the sup- hay Bhorkar, Kristina Boysen, Cees-Bart Breunesse, Néstor port for different forms of arithmetic, providing normal Cataño,Patrice Chalin, Curtis Clifton, Kui Dai, Werner Di- mathematical integers in addition to Java’s n-bit 2’s- etl, Marko van Dooren, Cormac Flanagan, Mark Lillibridge, complements integers [18]. Marieke Huisman, Bart Jacobs, Jean-Louis Lanet, Todd Mill- Burdy et al.: An overview of JML tools and applications 19 stein, Peter Mueller, Greg Nelson, Jeremy Nimmer, Carlos 14. Yuriy Brun and Michael D. Ernst. Finding latent code Pacheco, Arun Raghavan, Antoine Requet, Frederic Rioux, errors via machine learning over program executions. Clyde Ruby, Jim Saxe, Raymie Stata, Roy Tan, and Martijn In ICSE’04, Proceedings of the 26th International Con- Warnier. Thanks to Raymie Stata for his initiative in getting ference on Software Engineering, Edinburgh, Scotland, the JML and ESC/Java projects to agree on a common syn- May 26–28, 2004. tax, and to Michael Möller for the logo. Work on the JML 15. Lilian Burdy, Antoine Requet, and Jean-Louis Lanet. tools at Iowa State builds on the MultiJava compiler written Java applet correctness: A developer-oriented approach. by Curtis Clifton as an adaptation of the Kopi Java compiler. In D. Mandrioli K. Araki, S. Gnesi, editor, FME 2003, volume 2805 of LNCS, pages 422–439. Springer–Verlag, 2003. References 16. NéstorCatañoand Marieke Huisman. Formal specification of Gemplus’s electronic purse case study. In L. H. 1. W. Ahrendt, Th. Baar, B. Beckert, R. Bubel, M. Giese, Eriksson and P. A. Lindsay, editors, FME 2002, volume R. Hähnle, W. Menzel, W. Mostowski, A. Roth, LNCS 2391, pages 272–289. Springer–Verlag, 2002. S. Schlager, and P. H. Schmitt. The KeY tool. Soft- 17. NéstorCatañoand Marieke Huisman. CHASE: A static ware and System Modeling, 2004. To appear. checker for JML’s assignable clause. In Lenore D. 2. Peter Amey and Roderick Chapman. Industrial strength Zuck, Paul C. Attie, Agostino Cortesi, and Supratik exception freedom. In ACM SigAda 2002, pages 1–9. Mukhopadhyay, editors, VMCAI: Verification, Model ACM, 2002. Checking, and Abstract Interpretation, volume 2575 of 3. Sergio Antoy and Dick Hamlet. Automatically checking LNCS, pages 26–40. Springer–Verlag, 2003. an implementation against its formal specification. IEEE 18. Patrice Chalin. JML support for primitive arbitrary pre- Transactions on Software Engineering, 26(1):55–69, Jan- cision numeric types: Definition and semantics. Journal uary 2000. of Object Technology, 3(6):57–79, 2004. 4. John Barnes. High Integrity Software: The SPARK Ap- 19. Yoonsik Cheon. A runtime assertion checker for the Java proach to Safety and Security. Addison Wesley, 2003. Modeling Language. Technical Report 03-09, Depart- 5. Mike Barnett, Robert DeLine, Manuel Fähndrich, ment of Computer Science, Iowa State University, Ames, K. Rustan M. Leino, and Wolfram Schulte. Verification IA, April 2003. The author’s Ph.D. dissertation. Avail- of object-oriented programs with invariants. Journal of able from archives.cs.iastate.edu. Object Technology, 3(6):27–56, 2004. 20. Yoonsik Cheon and Gary T. Leavens. The 6. Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. Larch/Smalltalk interface specification language. ACM The Spec# programming system: An overview. In Con- Transactions on Software Engineering and Methodology, struction and Analysis of Safe, Secure and Interoperable 3(3):221–253, July 1994. Smart devices (CASSIS), LNCS, 2004. To appear. 21. Yoonsik Cheon and Gary T. Leavens. A runtime as- 7. Mike Barnett and David Naumann. Friends need a bit sertion checker for the Java Modeling Language (JML). more: Maintaining invariants over shared state. In Dex- In Hamid R. Arabnia and Youngsong Mun, editors, the ter Kozen, editor, Mathematics of Program Construction, International Conference on Software Engineering Re- volume 3125 of LNCS, pages 54–84. Springer, July 2004. search and Practice (SERP ’02), pages 322–328. CSREA 8. Mike Barnett, David A. Naumann, Wolfram Schulte, and Press, June 2002. Qi Sun. 99.44% pure: Useful abstractions in specifi- 22. Yoonsik Cheon and Gary T. Leavens. A simple and prac- cations. In Formal Techniques for Java-like Programs. tical approach to unit testing: The JML and JUnit way. Proceedings of the ECOOP’2004 Workshop, pages 11– In Boris Magnusson, editor, ECOOP 2002, volume 2374 18, 2004. Technical Report NIII-R0426, University of of LNCS, pages 231–255. Springer–Verlag, June 2002. Nijmegen. 23. Yoonsik Cheon, Gary T. Leavens, Murali Sitaraman, and 9. D. Bartetzko, C. Fischer, M. Möller, and H. Wehrheim. Stephen Edwards. Model variables: Cleanly supporting Jass — Java with assertions. In Workshop on Runtime abstraction in design by contract. Technical Report 03- Verification at CAV’01, 2001. Published in ENTCS, K. 10, Department of Computer Science, Iowa State Uni- Havelund and G. Rosu (eds.), 55(2), 2001. versity, April 2003. 10. Kent Beck and Erich Gamma. Test infected: Program- 24. Curtis Clifton. MultiJava: Design, implementation, and mers love writing tests. Java Report, 3(7):37–50, 1998. evaluation of a Java-compatible language supporting 11. Joachim van den Berg and Bart Jacobs. The LOOP modular open classes and symmetric multiple dispatch. compiler for Java and JML. In T. Margaria and W. Yi, Technical Report 01-10, Department of Computer Sci- editors, TACAS’01, number 2031 in LNCS, pages 299– ence, Iowa State University, Ames, Iowa, 50011, Novem- 312. Springer–Verlag, 2001. ber 2001. Available from www.multijava.org. 12. Cees-Bart Breunesse, Joachim van den Berg, and Bart 25. David R. Cok. Reasoning with specifications containing Jacobs. Specifying and verifying a decimal representation method calls in jml. In Formal Techniques for Java-like in Java for smart cards. In H. Kirchner and C. Ringeis- Programs. Proceedings of the ECOOP’2004 Workshop, sen, editors, AMAST’02, number 2422 in LNCS, pages pages 41–48, 2004. Technical Report NIII-R0426, Uni- 304–318. Springer–Verlag, 2002. versity of Nijmegen. 13. Cess-Bart Breunesse, NéstorCataño,Marieke Huisman, 26. David Detlefs, Greg Nelson, and James B. Saxe. Sim- and Bart Jacobs. Formal methods for smart cards: an plify: A theorem prover for program checking. Technical experience report. Technical report, University of Ni- Report HPL-2003-148, HP Labs, July 2003. jmegen, 2003. NIII Technical Report NIII-R0316. To 27. David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and appear in Science of Computer Programming, Elsevier. James B. Saxe. Extended static checking. Research Re- 20 Burdy et al.: An overview of JML tools and applications

port 159, Compaq Systems Research Center, December 42. Ali Hamie. Translating the Object Constraint Language 1998. into the Java Modeling Language. In Symposium on 28. Krishna Kishore Dhara and Gary T. Leavens. Forcing Applied Computing. Proceedings of the 2004 ACM sym- behavioral subtyping through specification inheritance. posium on applied computing (SAC’2004), pages 1531– In 18th International Conference on Software Engineer- 1535. ACM, 2004. ing, pages 258–267. IEEE Computer Society Press, 1996. 43. Sudheendra Hangal and Monica S. Lam. Tracking down 29. Nii Dodoo, Alan Donovan, Lee Lin, and Michael D. software bugs using automatic anomaly detection. In Ernst. Selecting predicates for implications in program ICSE’02, Proceedings of the 24th International Confer- analysis, March 16, 2002. Draft. http://pag.lcs.mit. ence on Software Engineering, pages 291–301, Orlando, edu/~mernst/pubs/invariants-implications.ps. Florida, May 22–24, 2002. 30. Nii Dodoo, Lee Lin, and Michael D. Ernst. Selecting, 44. Michael Harder, Jeff Mellen, and Michael D. Ernst. refining, and evaluating predicates for program analysis. Improving test suites via operational abstraction. In Technical Report MIT-LCS-TR-914, Massachusetts In- ICSE’03, Proceedings of the 25th International Confer- stitute of Technology, Laboratory for Computer Science, ence on Software Engineering, pages 60–71, Portland, Cambridge, MA, July 21, 2003. Oregon, May 6–8, 2003. 31. Michael D. Ernst. Dynamically Discovering Likely Pro- 45. Johannes Henkel and Amer Diwan. Discovering alge- gram Invariants. PhD thesis, University of Washington braic specifications from Java classes. In ECOOP 2003 Department of Computer Science and Engineering, Seat- — Object-Oriented Programming, 15th European Con- tle, Washington, August 2000. ference, Darmstadt, Germany, July 23–25, 2003. 32. Michael D. Ernst, Jake Cockrell, William G. Griswold, 46. B. Jacobs, J. Kiniry, and M. Warnier. Java program and David Notkin. Dynamically discovering likely pro- verification challenges. In FMCO 2002, volume 2852 of gram invariants to support program evolution. IEEE LNCS, pages 202–219. Springer–Verlag, 2003. Transactions on Software Engineering, 27(2):1–25, 2001. 47. Bart Jacobs. Weakest precondition reasoning for Java 33. Michael D. Ernst, Adam Czeisler, William G. Griswold, programs with JML annotations. Journal of Logic and and David Notkin. Quickly detecting relevant program Algebraic Programming, 58(1-2):61–88, 2004. 48. Bart Jacobs, Martijn Oostdijk, and Martijn Warnier. invariants. In ICSE 2000, Proceedings of the 22nd In- Source Code Verification of a Secure Payment Applet. ternational Conference on Software Engineering, pages Journ. of Logic and Algebraic Programming, 58(1-2):107– 449–458, 2000. 120, 2004. 34. Cormac Flanagan, Rajeev Joshi, and K. Rustan M. 49. Bart Jacobs and Erik Poll. A logic for the Java Model- Leino. Annotation inference for modular checkers. In- ing Language JML. In H. Hussmann, editor, Fundamen- formation Processing Letters, 77(2–4):97–108, February tal Approaches to Software Engineering (FASE), volume 2001. 2029 of LNCS, pages 284–299. Springer–Verlag, 2001. 35. Cormac Flanagan and K. Rustan M. Leino. Houdini, an 50. Bart Jacobs and Erik Poll. Java program verification annotation assistant for ESC/Java. In J. N. Oliveira and at Nijmegen: Developments and perspective. In Inter- P. Zave, editors, FME 2001, volume LNCS 2021, pages national Symposium on Software Security (ISSS’2003), 500–517. Springer–Verlag, 2001. number 3233 in LNCS, pages 134–153. Springer–Verlag, 36. Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, 2004. Greg Nelson, James B. Saxe, and Raymie Stata. Ex- 51. Bart Jacobs, Joachim van den Berg, Marieke Huisman, tended static checking for Java. In ACM SIGPLAN 2002 Martijn van Berkum, Ulrich Hensel, and Hendrik Tews. Conference on Programming Language Design and Im- Reasoning about Java classes (preliminary report). In plementation (PLDI’2002), pages 234–245, 2002. OOPSLA’98, volume 33(10) of ACM SIGPLAN Notices, 37. Cormac Flanagan and James B. Saxe. Avoiding expo- pages 329–340. ACM, October 1998. nential explosion: Generating compact verification con- 52. Cliff B. Jones. Systematic Software Development Using ditions. In Conference Record of the 28th Annual ACM VDM. International Series in Computer Science. Prentice Symposium on Principles of Programming Languages, Hall, Englewood Cliffs, N.J., second edition, 1990. pages 193–205. ACM, January 2001. 53. Yoshio Kataoka, Michael D. Ernst, William G. Griswold, 38. Lisa Friendly. The design of distributed hyperlinked and David Notkin. Automated support for program programming documentation. In S. Fraïssè, F. Gar- refactoring using invariants. In ICSM 2001, Proceed- zotto, T. Isakowitz, J. Nanard, and M. Nanard, editors, ings of the International Conference on Software Main- IWHD’95, pages 151–173. Springer–Verlag, 1995. tenance, pages 736–743, Florence, Italy, November 6–10, 39. Alex Groce and Willem Visser. What went wrong: Ex- 2001. plaining counterexamples. In 10th International SPIN 54. Joseph R. Kiniry and David R. Cok. ESC/Java2: Uniting Workshop on Model Checking of Software, pages 121– ESC/Java and JML: Progress and issues in building and 135, Portland, Oregon, May 9–10, 2003. using ESC/Java2 and a report on a case study involving 40. Neelam Gupta and Zachary V. Heidepriem. A new struc- the use of ESC/Java2 to verify portions of an internet tural coverage criterion for dynamic detection of program voting tally system. In Construction and Analysis of invariants. In Proceedings of the 13th Annual Interna- Safe, Secure and Interoperable Smart devices (CASSIS), tional Conference on Automated Software Engineering LNCS. Springer–Verlag, 2004. To appear. (ASE 2003), Montreal, Canada, October 8–10, 2003. 55. Reto Kramer. iContract – the Java design by con- 41. John V. Guttag, James J. Horning, et al. Larch: Lan- tract tool. TOOLS 26: Technology of Object-Oriented guages and Tools for Formal Specification. Springer– Languages and Systems, Los Alamitos, California, pages Verlag, New York, NY, 1993. 295–307, 1998. Burdy et al.: An overview of JML tools and applications 21

56. Gary T. Leavens. An overview of Larch/C++: Behav- 70. Leonardo Mariani and Mauro Pezzè. A technique for ver- ioral specifications for C++ modules. In Haim Kilov ifying component-based software. In International Work- and William Harvey, editors, Specification of Behav- shop on Test and Analysis of Component Based Systems, ioral Semantics in Object-Oriented Information Model- Barcelona, Spain, March 27–28, 2004. ing, chapter 8, pages 121–142. Kluwer Academic Publish- 71. Stephen McCamant and Michael D. Ernst. Predicting ers, Boston, 1996. An extended version is TR #96-01d, problems caused by component upgrades. In Proceedings Department of Computer Science, Iowa State University, of the 10th European Software Engineering Conference Ames, Iowa, 50011. and the 11th ACM SIGSOFT Symposium on the Founda- 57. Gary T. Leavens, Albert L. Baker, and Clyde Ruby. tions of Software Engineering, pages 287–296, Helsinki, JML: A notation for detailed design. In Haim Kilov, Finland, September 3–5, 2003. Bernhard Rumpe, and Ian Simmonds, editors, Behav- 72. Stephen McCamant and Michael D. Ernst. Early identifi- ioral Specifications of Businesses and Systems, pages cation of incompatibilities in multi-component upgrades. 175–188. Kluwer Academic Publishers, Boston, 1999. In ECOOP 2004 — Object-Oriented Programming, 18th 58. Gary T. Leavens, Albert L. Baker, and Clyde Ruby. Pre- European Conference, Olso, Norway, June 16–18, 2004. liminary design of JML: A behavioral interface specifica- 73. Bertrand Meyer. Object-oriented Software Construction. tion language for Java. Technical Report 98-06u, Iowa Prentice Hall, New York, NY, second edition, 1997. State University, Department of Computer Science, April 74. J. Meyer and A. Poetzsch-Heffter. An architecture 2003. for interactive program provers. In S. Graf and 59. Gary T. Leavens, Yoonsik Cheon, Curtis Clifton, Clyde M. Schwartzbach, editors, TACAS’00, number 1785 in Ruby, and David R. Cok. How the design of JML accom- LNCS, pages 63–77. Springer, Berlin, 2000. modates both runtime assertion checking and formal ver- 75. Carroll Morgan. Programming from Specifications: Sec- ification. In FMCO 2002, volume 2852 of LNCS, pages ond Edition. Prentice Hall International, Hempstead, 262–284. Springer–Verlag, 2003. Also appears as tech- UK, 1994. nical report TR03-04, Dept. of Computer Science, Iowa 76. P. Müller, A. Poetzsch-Heffter, and G.T. Leavens. Modu- State University. lar specification of frame properties in JML. Concurrency 60. K. Rustan M. Leino. Extended static checking: A and Computation: Practice and Experience, 15(2):117– ten-year perspective. In Reinhard Wilhelm, editor, 154, 2003. Informatics—10 Years Back, 10 Years Ahead, volume 77. Peter Müller, Arnd Poetzsch-Heffter, and Gary T. Leav- 2000 of LNCS. Springer–Verlag, 2000. ens. Modular invariants for object structures. Technical 61. K. Rustan M. Leino. Efficient weakest preconditions. Report 424, ETH Zurich, October 2003. Technical Report MSR-TR-2004-34, Microsoft Research, 78. Toh Ne Win and Michael D. Ernst. Verifying distributed April 2004. algorithms via dynamic analysis and theorem proving. 62. K. Rustan M. Leino, Todd Millstein, and James B. Saxe. Technical Report 841, Massachusetts Institute of Tech- Generating error traces from verification-condition coun- nology, Laboratory for Computer Science, Cambridge, terexamples. Science of Computer Programming, 2004. MA, May 25, 2002. To appear. 79. Toh Ne Win, Michael D. Ernst, Stephen J. Garland, Dil- 63. K. Rustan M. Leino and Peter Mller. Object invariants in sun Kırlı, and Nancy Lynch. Using simulated execution dynamic contexts. In ECOOP 2004 — Object-Oriented in verifying distributed algorithms. Software Tools for Programming, 18th European Conference, pages 491–516, Technology Transfer, 6(1):67–76, 2004. Olso, Norway, June 16–18, 2004. 80. Jeremy W. Nimmer and Michael D. Ernst. Automatic 64. K. Rustan M. Leino, Greg Nelson, and James B. Saxe. generation of program specifications. In ISSTA 2002, ESC/Java user’s manual. Technical Note 2000-002, Com- International Symposium on Software Testing and Anal- paq SRC, October 2000. ysis, pages 232–242, Rome, Italy, 2002. 65. K. Rustan M. Leino, James B. Saxe, and Raymie Stata. 81. Jeremy W. Nimmer and Michael D. Ernst. Invariant Checking Java programs via guarded commands. Tech- inference for static checking: An empirical evaluation. In nical Note 1999-002, Compaq SRC, May 1999. ACM SIGSOFT 10th International Symposium on the 66. Ben Liblit, Alex Aiken, Alice X. Zheng, and Michael I. Foundations of Software Engineering (FSE 2002), pages Jordan. Bug isolation via remote program sampling. 11–20, 2002. In Proceedings of the ACM SIGPLAN 2003 Conference 82. S. Owre, S. Rajan, J.M. Rushby, N. Shankar, and M. Sri- on Programming Language Design and Implementation, vas. PVS: Combining specification, proof checking, and pages 141–154, San Diego, CA, June 9–11, 2003. model checking. In R. Alur and T.A. Henzinger, editors, 67. Lee Lin and Michael D. Ernst. Improving adaptability Computer Aided Verification, number 1102 in LNCS, via program steering. In ISSTA 2004, Proceedings of the pages 411–414. Springer–Verlag, 1996. 2004 International Symposium on Software Testing and 83. Jeff H. Perkins and Michael D. Ernst. Efficient incremen- Analysis, Boston, MA, USA, July 12–14, 2004. tal algorithms for dynamic detection of likely invariants. 68. Barbara Liskov and Jeannette Wing. A behavioral notion In ACM SIGSOFT 12th International Symposium on the of subtyping. ACM Transactions on Programming Lan- Foundations of Software Engineering (FSE 2004), New- guages and Systems, 16(6):1811–1841, November 1994. port Beach, CA, USA, November 2004. 69. C. Marché,C. Paulin-Mohring, and X. Urbain. The 84. Dennis K. Peters and David Lorge Parnas. Using test Krakatoa tool for certification of Java/JavaCard pro- oracles generated from program documentation. IEEE grams annotated in JML. Journal of Logic and Algebraic Transactions on Software Engineering, 24(3):161–173, Programming, 58(1-2):89–106, 2004. 1998. 22 Burdy et al.: An overview of JML tools and applications

85. Erik Poll, Pieter Hartel, and Eduard de Jong. A Java reference model of transacted memory for smart cards. In Smart Card Research and Advanced Application Con- ference (CARDIS’2002), pages 75–86. USENIX, 2002. 86. Erik Poll, Joachim van den Berg, and Bart Jacobs. For- mal specification of the Java Card API in JML: the APDU class. Computer Networks, 36(4):407–421, 2001. 87. Brock Pytlik, Manos Renieris, Shriram Krishnamurthi, and Steven P. Reiss. Automated fault localization using potential invariants. In AADEBUG’2003, Fifth Interna- tional Workshop on Automated and Algorithmic Debug- ging, Ghent, Belgium, September8–10, 2003. 88. Arun D. Raghavan. Design of a JML documentation generator. Technical Report 00-12, Iowa State Univer- sity, Department of Computer Science, July 2000. 89. Orna Raz, Philip Koopman, and Mary Shaw. Se- mantic anomaly detection in online data sources. In ICSE’02, Proceedings of the 24th International Confer- ence on Software Engineering, pages 302–312, Orlando, Florida, May 22–24, 2002. 90. Jim Rumbaugh, Ivar Jacobson, and Grady Booch. The Unified Modeling Language Reference Manual. Addison- Wesley Publishing Company, 1998. 91. Jos Warmer and Anneke Kleppe. The Object Constraint Language: Precise Modeling with UML. Addison-Wesley Publishing Company, 1999. 92. Tao Xie and David Notkin. Checking inside the black box: Regression fault exposure and localization based on value spectra differences. Technical Report UW-CSE- 02-12-04, University of Washington Department of Com- puter Science and Engineering, Seattle, WA, USA, De- cember 2002. 93. Tao Xie and David Notkin. Tool-assisted unit test selec- tion based on operational violations. In Proceedings of the 13th Annual International Conference on Automated Software Engineering (ASE 2003), Montreal, Canada, October 8–10, 2003.