The Java Modeling Language (JML) is a
specification language
A specification language is a formal language in computer science used during systems analysis, requirements analysis, and systems design to describe a system at a much higher level than a programming language, which is used to produce the exec ...
for
Java
Java is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea (a part of Pacific Ocean) to the north. With a population of 156.9 million people (including Madura) in mid 2024, proje ...
programs, using
Hoare style pre- and
postcondition In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions w ...
s and
invariants, that follows the
design by contract
Design by contract (DbC), also known as contract programming, programming by contract and design-by-contract programming, is an approach for designing software.
It prescribes that software designers should define formal, precise and verifiable ...
paradigm. Specifications are written as
Java annotation
In the Java computer programming language, an annotation is a form of syntactic metadata that can be added to Java source code. Class (computer programming), Classes, Method (computer programming), methods, Variable (computer science), variables ...
comments to the source files, which hence can be compiled with any Java
compiler
In computing, a compiler is a computer program that Translator (computing), translates computer code written in one programming language (the ''source'' language) into another language (the ''target'' language). The name "compiler" is primaril ...
.
Various verification tools, such as a runtime assertion checker and the Extended Static Checker (
ESC/Java) aid development.
Overview
JML is a behavioural interface specification language for Java modules. JML provides
semantics
Semantics is the study of linguistic Meaning (philosophy), meaning. It examines what meaning is, how words get their meaning, and how the meaning of a complex expression depends on its parts. Part of this process involves the distinction betwee ...
to formally describe the behavior of a Java module, preventing ambiguity with regard to the module designers' intentions. JML inherits ideas from
Eiffel,
Larch
Larches are deciduous conifers in the genus ''Larix'', of the family Pinaceae (subfamily Laricoideae). Growing from tall, they are native to the cooler regions of the northern hemisphere, where they are found in lowland forests in the high la ...
and the
Refinement Calculus The refinement calculus is a formalized approach to stepwise refinement for program construction. The required behaviour of the final executable program is specified as an abstract and perhaps non-executable "program", which is then refined by a se ...
, with the goal of providing rigorous formal semantics while still being accessible to any Java programmer. Various tools are available that make use of JML's behavioral specifications. Because specifications can be written as annotations in Java program files, or stored in separate specification files, Java modules with JML specifications can be compiled unchanged with any Java compiler.
Syntax
JML specifications are added to Java code in the form of annotations in comments. Java comments are interpreted as JML annotations when they begin with an @ sign. That is, comments of the form
//@
or
/*@ @*/
Basic JML syntax provides the following keywords
;
requires : Defines a
precondition
In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification.
If a precondition is violated, the effect of the ...
on the
method
Method (, methodos, from μετά/meta "in pursuit or quest of" + ὁδός/hodos "a method, system; a way or manner" of doing, saying, etc.), literally means a pursuit of knowledge, investigation, mode of prosecuting such inquiry, or system. In re ...
that follows.
;
ensures : Defines a
postcondition In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions w ...
on the method that follows.
;
signals : Defines a postcondition for when a given
Exception is thrown by the method that follows.
;
signals_only : Defines what exceptions may be thrown when the given precondition holds.
;
assignable : Defines which fields are allowed to be assigned to by the method that follows.
;
pure : Declares a method to be side effect free (like
assignable \nothing but can also throw exceptions). Furthermore, a pure method is supposed to always either terminate normally or throw an exception.
;
invariant : Defines an
invariant property of the class.
;
loop_invariant : Defines a
loop invariant
In computer science, a loop invariant is a property of a program loop that is true before (and after) each iteration. It is a logical assertion, sometimes checked with a code assertion. Knowing its invariant(s) is essential in understanding th ...
for a loop.
;
also : Combines specification cases and can also declare that a method is inheriting specifications from its supertypes.
;
assert : Defines a JML
assertion.
;
spec_public : Declares a protected or private variable public for specification purposes.
Basic JML also provides the following expressions
;
\result : An identifier for the return value of the method that follows.
;
\old() : A modifier to refer to the value of the
at the time of entry into a method.
;
(\forall ; ; ) : The
universal quantifier
In mathematical logic, a universal quantification is a type of quantifier, a logical constant which is interpreted as "given any", "for all", "for every", or "given an arbitrary element". It expresses that a predicate can be satisfied by e ...
.
;
(\exists ; ; ) : The
existential quantifier
Existentialism is a family of philosophy, philosophical views and inquiry that explore the human individual's struggle to lead an Authenticity (philosophy), authentic life despite the apparent Absurdity#The Absurd, absurdity or incomprehensibili ...
.
;
a > b :
a implies
b
;
a < b :
a is implied by
b
;
a <> b :
a if and only if
b
as well as standard
Java syntax for logical and, or, and not. JML annotations also have access to Java objects, object methods and operators that are within the scope of the method being annotated and that have appropriate visibility. These are combined to provide formal specifications of the properties of classes, fields and methods. For example, an annotated example of a simple banking class may look like
public class BankingExample
{
public static final int MAX_BALANCE = 1000;
private /*@ spec_public @*/ int balance;
private /*@ spec_public @*/ boolean isLocked = false;
//@ public invariant balance >= 0 && balance <= MAX_BALANCE;
//@ assignable balance;
//@ ensures balance 0;
public BankingExample()
{
this.balance = 0;
}
//@ requires 0 < amount && amount + balance < MAX_BALANCE;
//@ assignable balance;
//@ ensures balance \old(balance) + amount;
public void credit(final int amount)
{
this.balance += amount;
}
//@ requires 0 < amount && amount <= balance;
//@ assignable balance;
//@ ensures balance \old(balance) - amount;
public void debit(final int amount)
{
this.balance -= amount;
}
//@ ensures isLocked true;
public void lockAccount()
{
this.isLocked = true;
}
//@ requires !isLocked;
//@ ensures \result balance;
//@ also
//@ requires isLocked;
//@ signals_only BankingException;
public /*@ pure @*/ int getBalance() throws BankingException
{
if (!this.isLocked)
{
return this.balance;
}
else
{
throw new BankingException();
}
}
}
Full documentation of JML syntax is availabl
in the JML Reference Manual
Tool support
A variety of tools provide functionality based on JML annotations. The Iowa State JML tools provide an assertion checking
compiler
In computing, a compiler is a computer program that Translator (computing), translates computer code written in one programming language (the ''source'' language) into another language (the ''target'' language). The name "compiler" is primaril ...
jmlc which converts JML annotations into runtime assertions, a documentation generator
jmldoc which produces
Javadoc
Javadoc (also capitalized as JavaDoc or javadoc) is an API documentation generator for the Java programming language. Based on information in Java source code, Javadoc generates documentation formatted as HTML and other formats via extensions. ...
documentation augmented with extra information from JML annotations, and a unit test generator
jmlunit which generates
JUnit
JUnit is a test automation framework for the Java programming language. JUnit is often used for unit testing, and is one of the xUnit frameworks.
JUnit is linked as a JAR at compile-time. The latest version of the framework, JUnit 5, resides ...
test code from JML annotations.
Independent groups are working on tools that make use of JML annotations. These include:
*
ESC/Java2br>
an extended static checker which uses JML annotations to perform more rigorous static checking than is otherwise possible.
OpenJMLdeclares itself the successor of ESC/Java2.
Daikon a dynamic invariant generator.
*
KeY, which provides an open source theorem prover with a JML front-end and an
Eclipse
An eclipse is an astronomical event which occurs when an astronomical object or spacecraft is temporarily obscured, by passing into the shadow of another body or by having another body pass between it and the viewer. This alignment of three ...
plug-in
JML Editing with support for
syntax highlighting
Syntax highlighting is a feature of text editors that is used for programming language, programming, scripting language, scripting, or markup language, markup languages, such as HTML. The feature displays text, especially source code, in differe ...
of JML.
Krakatoa a static verification tool based on th
Whyverification platform and using the
Coq
Coenzyme Q10 (CoQ10 ), also known as ubiquinone, is a naturally occurring biochemical cofactor (coenzyme) and an antioxidant produced by the human body. It can also be obtained from dietary sources, such as meat, fish, seed oils, vegetables, ...
proof assistant.
JMLEclipse a plugin for the Eclipse integrated development environment with support for JML syntax and interfaces to various tools that make use of JML annotations.
Sireum/Kiasan a symbolic execution based static analyzer which supports JML as a contract language.
a tool to generate files for running JUnit tests on JML annotated Java files.
TACO an open source program analysis tool that statically checks the compliance of a Java program against its Java Modeling Language specification.
References
*
Gary T. Leavens and Yoonsik Cheon. ''Design by Contract with JML''; Draft tutorial.
*
Gary T. Leavens, Albert L. Baker, and Clyde Ruby. ''JML: A Notation for Detailed Design''; in Haim Kilov,
Bernhard Rumpe, and Ian Simmonds (editors), ''Behavioral Specifications of Businesses and Systems'', Kluwer, 1999, chapter 12, pages 175-188.
*
Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, Joseph Kiniry, Patrice Chalin, and Daniel M. Zimmerman. JML Reference Manual (DRAFT), September 2009
HTML*
Marieke Huisman, Wolfgang Ahrendt, Daniel Bruns, and Martin Hentschel. ''Formal specification with JML''. 2014
download (CC-BY-NC-ND)
External links
JML website
Java platform
Formal specification languages
Articles with example Java code