
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor)

An overview of JML tools and applications

Lilian Burdy1, Yoonsik Cheon2, David R. Cok3, Michael D. Ernst4, Joseph R. Kiniry5, Gary T. Leavens6*, K. Rustan M. Leino7, Erik Poll5

1 INRIA, Sophia-Antipolis, France
2 Dept. of Computer Science, University of Texas at El Paso, El Paso, Texas, USA
3 Eastman Kodak Company, R&D Laboratories, Rochester, New York, USA
4 Computer Science & Artificial Intelligence Lab, MIT, Cambridge, Massachusetts, USA
5 Dept. of Computer Science, University of Nijmegen, Nijmegen, the Netherlands
6 Dept. of Computer Science, Iowa State University, Ames, Iowa, USA
7 Microsoft Research, Redmond, Washington, USA

* Supported in part by US NSF grants CCR-0097907 and CCR-0113181

Received: date / Revised version: date

Abstract. The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java programmers and that is supported by a wide range of tools for specification type-checking, runtime debugging, static analysis, and verification. This paper gives an overview of the main ideas behind JML, the different groups collaborating to provide tools for JML, and the existing applications of JML. Thus far, most applications have focused on code for programming smartcards written in the Java Card dialect of Java.

1 Introduction

JML [46,47], the Java Modeling Language, is useful for specifying detailed designs of Java classes and interfaces. JML is a behavioral interface specification language for Java; that is, it specifies both the behavior and the syntactic interface of Java code. The syntactic interface of a Java class or interface consists of its method signatures, the names and types of its fields, etc. This is what is commonly meant by an application programming interface (API). The behavior of such an API can be precisely documented in JML annotations; these describe the intended way that programmers should use the API. In terms of behavior, JML can detail, for example, the preconditions and postconditions for methods as well as class invariants, in the Design by Contract style.

An important goal for the design of JML is that it should be easily understandable by Java programmers. This is achieved by staying as close as possible to Java syntax and semantics. Another important design goal is that JML not impose any particular design methodology on users; instead, JML should be able to document Java programs designed in any manner.

The work on JML was started by Gary Leavens and his colleagues and students at Iowa State University. It has since grown into a cooperative, open effort. Several groups worldwide are now building tools that support the JML notation and are involved with the ongoing design of JML. For an up-to-date list, see the JML website, www.jmlspecs.org. The open, cooperative nature of the JML effort is important both for tool developers and users, and we welcome participation by others. For potential users, the fact that there are several tools supporting the same notation is clearly an advantage. For tool developers, using a common syntax and semantics can make it much easier to get users interested. After all, one of the biggest hurdles to using a new specification-centric tool is often the lack of familiarity with the associated specification language.

The next section introduces the JML notation. Sections 3 through 6 then discuss the tools currently available for JML in more detail. Section 7 discusses the applications of JML in the domain of Java Card, the Java dialect for programming smartcards. Section 8 discusses some related languages and tools, and Section 9 concludes.

2 The JML Notation

JML blends Eiffel's Design by Contract approach [54] with the Larch tradition [34,16,45] (both of which share features and ideas with VDM [42]).1 Because JML supports quantifiers such as \forall and \exists, and because JML allows model (i.e., specification-only) fields and methods, specifications can easily be made more precise and complete than is typical for Eiffel software. However, like Eiffel, JML uses Java's expression syntax in assertions, so that JML's notation is easier for programmers to learn than notations based on a language-independent specification language, such as the Larch Shared Language [47,48] or OCL [69].

1 JML also takes some features from the refinement calculus [55], which we do not discuss in this paper.

Figure 1 gives an example of a JML specification that illustrates its main features. JML assertions are written as special annotation comments in Java code, either after //@ or between /*@ ... @*/, so that they are ignored by Java compilers but can be used by tools that support JML. Within annotation comments JML extends the Java syntax with several keywords—in the example in Figure 1, the JML keywords invariant, requires, assignable, ensures, and signals are used. It also extends Java's expression syntax with several operators—in the example \forall, \old, and \result are used; these begin with a backslash so they do not clash with existing Java identifiers.

The central ingredients of a JML specification are preconditions (given in requires clauses), postconditions (given in ensures clauses), and invariants. These are all expressed as boolean expressions in JML's extension to Java's expression syntax.

In addition to normal postconditions, the language also supports exceptional postconditions, specified using signals clauses. These can be used to specify what must be true when a method throws an exception. For example, the signals clause in Figure 1 specifies that debit may throw a PurseException and that the balance will not change in that case (as specified by the use of the \old keyword).

The assignable clause for the method debit specifies a frame condition, namely that debit will assign only to the balance field. Although not a traditional part of design by contract languages like Eiffel, such frame conditions are essential for verification of code when using some of the tools described later.

There are many additional features of JML that are not used in the example in Figure 1. We briefly discuss the most important of these below.

– Model variables, which play the role of abstract values for abstract data types [19], allow specifications that hide implementation details. For example, if instead of a class Purse, we were specifying an interface PurseInterface, we could introduce the balance as such a model variable. A class implementing this interface could then specify how this model field is related to the class's particular representation of balance.

– JML comes with an extensive library that provides Java types that can be used for describing behavior mathematically. This library includes such concepts as sets, sequences, and relations. It is similar to libraries of mathematical concepts found in VDM, Z, LSL, or OCL, but allows such concepts to be used directly in assertions, since they are embodied as Java objects.

– The semantics of JML prevents side-effects in assertions. This both allows assertion checks to be used safely during debugging, and supports mathematical reasoning about assertions. This semantics works conservatively, by allowing a method to be used in assertions only if it is declared as pure, meaning the method does not have any side-effects and does not perform any input or output [47]. For example, if there is a method getBalance() that is declared as pure,

    /*@ pure @*/ int getBalance() { ... }

in Figure 1, then this method can be used in the specification instead of the field balance.

– Finally, JML supports all the Java modifiers (public, protected, and private) for expressing visibility. For example, invariants can be declared protected if they are not observable by clients but intended for use by programmers of subclasses. (Technically, the invariants and method specifications in the Purse example of Figure 1 have default or package visibility, and thus would only be visible to code in the same package.)

3 Tools for JML

For a specification language, just as for a programming language, a range of tools is necessary to address the various needs of the specification language's users, such as reading, writing, and checking JML annotations.

The most basic tool support for JML is parsing and typechecking. This already provides the first benefit of JML annotations over informal comments, as it will catch any typos, type incompatibilities, references to names that no longer exist, etc. The JML checker (jml) developed at Iowa State University performs parsing and typechecking of Java programs and their JML annotations, but in fact most of the other tools mentioned below incorporate this functionality.

The rest of this paper describes the various tools that are currently available for JML. The following categorization serves also as an organization for the immediately following sections of this paper. We distinguish tools for checking assertions at runtime, tools for statically checking assertions (at or before compile-time), tools for generating specifications, and tools for documentation.

3.1 Runtime assertion checking and testing

One way of checking the correctness of JML specifications is by runtime assertion checking, i.e., simply running

public class
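The following is an added example, written for this page and not a reproduction of the paper's Figure 1. It brings together the JML features described in Section 2: requires, assignable, ensures and signals clauses with \old, \result and \forall, a pure query method, and a model field declared in a PurseInterface that a represents clause ties to a concrete representation. The names Purse, PurseInterface, balance, debit, getBalance and PurseException come from the text; the pin field, the cents representation and MAX_BALANCE are this example's own assumptions.

```java
// Added example for this page; it is not the paper's Figure 1.
class PurseException extends Exception {
    PurseException(String msg) { super(msg); }
}
// Specification-only view: clients reason about an abstract balance
// (a model field) without knowing how an implementation stores it.
interface PurseInterface {
    //@ public model instance int balance;
    //@ public instance invariant 0 <= balance;
    /*@ requires 0 <= amount;
      @ assignable balance;
      @ ensures  amount <= \old(balance) && balance == \old(balance) - amount;
      @ signals (PurseException) \old(balance) < amount && balance == \old(balance);
      @*/
    void debit(int amount) throws PurseException;

    //@ ensures \result == balance;
    /*@ pure @*/ int getBalance();
}

public class Purse implements PurseInterface {
    private /*@ spec_public @*/ final int MAX_BALANCE;   // assumed upper bound
    private /*@ spec_public @*/ int cents;               // representation: balance in cents
    private /*@ spec_public @*/ final byte[] pin;        // assumed: four decimal digits

    // The represents clause relates the model field to the representation; the
    // invariants are Java boolean expressions plus JML's \forall quantifier.
    //@ private represents balance = cents / 100;
    //@ invariant 0 <= cents && cents <= MAX_BALANCE * 100;
    /*@ invariant pin != null && pin.length == 4
      @   && (\forall int i; 0 <= i && i < pin.length; 0 <= pin[i] && pin[i] <= 9);
      @*/

    /*@ requires 0 < mb && mb <= Integer.MAX_VALUE / 100 && p != null && p.length == 4
      @   && (\forall int i; 0 <= i && i < p.length; 0 <= p[i] && p[i] <= 9);
      @ assignable cents, MAX_BALANCE, pin;
      @ ensures balance == 0 && MAX_BALANCE == mb;
      @*/
    public Purse(int mb, byte[] p) { MAX_BALANCE = mb; cents = 0; pin = p.clone(); }

    // Inherits the interface's specification: the signals clause demands an
    // unchanged balance on failure, so the check must precede the update.
    public void debit(int amount) throws PurseException {
        long needed = 100L * amount;      // long arithmetic: no int overflow on large amounts
        if (needed > cents) throw new PurseException("insufficient funds");
        cents -= (int) needed;
    }

    public /*@ pure @*/ int getBalance() { return cents / 100; }
}
```

Because the class declares no Java field named balance, every occurrence of balance in its specifications refers to the inherited model field, and a runtime assertion checker evaluates it through the represents clause.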