A specification language is a formal language used in computer science.Unlike most programming languages, which are directly executable formal languages used to implement a system, specification languages are used during systems analysis, requirements analysis and systems design.Specification...
Java is a programming language originally developed by James Gosling at Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities...
Hoare logic is a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. It was proposed in 1969 by the British computer scientist and logician C. A. R. Hoare, and subsequently refined by Hoare and other researchers...
In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification....
In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions within the code itself...
In computer science, a predicate is called an invariant to a sequence of operations provided that: if the predicate is true before starting the sequence, then it is true at the end of the sequence.-Use:...
An annotation, in the Java computer programming language, is a special form of syntactic metadata that can be added to Java source code. Classes, methods, variables, parameters and packages may be annotated...
comments to the source files, which hence can be compiled with any Java compiler
Compiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
.
Various verification tools, such as a runtime assertion checker and the Extended Static Checker (ESC/Java
ESC/Java
ESC/Java , the "Extended Static Checker for Java," is a programming tool that attempts to find common run-time errors in Java programs at compile time...
) aid development.
Overview
JML is a behavioural interface specification language for Java modules. JML provides semantics
Semantics
Semantics is the study of meaning. It focuses on the relation between signifiers, such as words, phrases, signs and symbols, and what they stand for, their denotata....
to formally describe the behavior of a Java module, preventing ambiguity with regard to the module designers' intentions. JML inherits ideas from Eiffel
Eiffel (programming language)
Eiffel is an ISO-standardized, object-oriented programming language designed by Bertrand Meyer and Eiffel Software. The design of the language is closely connected with the Eiffel programming method...
The Larch family of formal specification languages are intended for the precise specification of computing systems. They allow the clean specification of computer programs and the formulation of proofs about program behavior....
Refinement calculus is a formalized approach to stepwise refinement for program construction. The required behaviour of the final executable program is specified as an abstract and perhaps non-executable "program", which is then refined by a series of correctness-preserving transformations into an...
, with the goal of providing rigorous formal semantics while still being accessible to any Java programmer. Various tools are available that make use of JML's behavioral specifications. Because specifications can be written as annotations in Java program files, or stored in separate specification files, Java modules with JML specifications can be compiled unchanged with any Java compiler.
Syntax
JML specifications are added to Java code in the form of annotations in comments. Java comments are interpreted as JML annotations when they begin with an @ sign. That is, comments of the form
In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification....
In object-oriented programming, a method is a subroutine associated with a class. Methods define the behavior to be exhibited by instances of the associated class at program run time...
In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions within the code itself...
on the method that follows. signals : Defines a postcondition for when a given Exception
Exception handling
Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of exceptions, special conditions that change the normal flow of program execution....
is thrown by the method that follows. signals_only : Defines what exceptions may be thrown when the given precondition holds. assignable : Defines which fields are allowed to be assigned to by the method that follows. pure : Declares a method to be side effect free (this shorthand for assignable \nothing). invariant : Defines an invariant property of the class
Class invariant
In computer programming, specifically object-oriented programming, a class invariant is an invariant used to constrain objects of a class. Methods of the class should preserve the invariant. The class invariant constrains the state stored in the object....
. also : Combines specification cases and can also declare that a method is inheriting specifications from its supertypes. assert : Defines a JML assertion
Assertion (computing)
In computer programming, an assertion is a predicate placed in a program to indicate that the developer thinks that the predicate is always true at that place.For example, the following code contains two assertions:...
. spec_public : Declares a protected or private variable public for specification purposes.
Basic JML also provides the following expressions
\result : An identifier for the return value of the method that follows. \old() : A modifier to refer to the value of the at the time of entry into a method. (\forall ; ; ) : The universal quantifier. (\exists ; ; ) : The existential quantifier. a
> b
: a implies b a < b : a is implied by b a <> b : a if and only if b
The syntax of the Java programming language is a set of rules which defines how a Java program is written and interpreted.The syntax is mostly derived from C and C++. Unlike C++, Java is almost exclusively an object-oriented language. There are no global functions or variables, all code belongs to...
for logical and, or, and not. JML annotations also have access to Java objects, object methods and operators that are within the scope of the method being annotated and that have appropriate visibility. These are combined to provide formal specifications of the properties of classes, fields and methods. For example, an annotated example of a simple banking class may look like
public class BankingExample
{
public static final int MAX_BALANCE = 1000;
private /*@ spec_public @*/ int balance;
private /*@ spec_public @*/ boolean isLocked = false;
//@ public invariant balance >= 0 && balance <= MAX_BALANCE;
A variety of tools provide functionality based on JML annotations. The Iowa State JML tools provide an assertion checking compiler
Compiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
jmlc which converts JML annotations into runtime assertions, a documentation generator jmldoc which produces Javadoc
Javadoc
Javadoc is a documentation generator from Sun Microsystems for generating API documentation in HTML format from Java source code.The "doc comments" format used by Javadoc is the de facto industry standard for documenting Java classes. Some IDEs, such as Netbeans and Eclipse automatically generate...
documentation augmented with extra information from JML annotations, and a unit test generator jmlunit which generates JUnit
JUnit
JUnit is a unit testing framework for the Java programming language. JUnit has been important in the development of test-driven development, and is one of a family of unit testing frameworks collectively known as xUnit that originated with SUnit....
testing frameworks from JML annotations.
Independent groups are working on tools that make use of JML annotations. These include:
The KeY tool is used in formal verification of Java programs.It accepts both specifications written in JML or OCL to Java source files. These are transformed into theorems of dynamic logic and then compared against program semantics which are likewise defined in terms of dynamic logic. KeY is...
, which provides a theorem prover with a JML front-end;
Krakatoa, a static verification tool based on the Why verification platform and using the Coq
Coq
In computer science, Coq is an interactive theorem prover. It allows the expression of mathematical assertions, mechanically checks proofs of these assertions, helps to find formal proofs, and extracts a certified program from the constructive proof of its formal specification...
