An overview of JML tools and applications

  • Lilian Burdy
  • Yoonsik Cheon
  • David R. Cok
  • Michael D. Ernst
  • Joseph R. Kiniry
  • Gary T. Leavens
  • K. Rustan M. Leino
  • Erik Poll
Special section on formal methods for industrial critical systems

Abstract

The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java programmers and that is supported by a wide range of tools for specification typechecking, runtime debugging, static analysis, and verification.

This paper gives an overview of the main ideas behind JML, details about JML’s wide range of tools, and a glimpse into existing applications of JML.
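As an added example, not code from the paper or the JML project, here is a small Java class annotated with JML preconditions, postconditions, frame clauses and object invariants. It models a PIN-try counter, a classic smart-card idiom; the class name, the constants and the PIN value are constructed for illustration. The point is to show what "adding annotations to Java source files" looks like in practice and which kinds of defect the runtime assertion checker and a static checker would report against these contracts.

```java
// Added example, not code from the paper: a PIN-try counter specified in JML.
// Everything here (class name, constants, the PIN value) is constructed.
//
// JML lives in comments that start with //@ or /*@ ... @*/, so javac sees an
// ordinary Java file; the JML tools (typechecker, runtime assertion checker,
// ESC/Java2 static checker) read the annotations.
public class PinCounter {

    public static final int MAX_TRIES = 3;

    // spec_public lets a public specification mention private fields
    // without exposing them to Java clients.
    private /*@ spec_public @*/ int tries;       // remaining attempts
    private /*@ spec_public @*/ boolean unlocked;
    private final /*@ spec_public @*/ int pin;   // constructed secret for the example

    // Object invariants: the counter never leaves [0, MAX_TRIES], and a card
    // with no tries left can never be in the unlocked state.
    //@ public invariant 0 <= tries && tries <= MAX_TRIES;
    //@ public invariant tries == 0 ==> !unlocked;

    //@ requires 0 <= pin && pin <= 9999;
    //@ ensures this.pin == pin && tries == MAX_TRIES && !unlocked;
    public PinCounter(int pin) {
        this.pin = pin;
        this.tries = MAX_TRIES;
        this.unlocked = false;
    }

    /*@ public normal_behavior
      @   requires tries > 0;
      @   assignable tries, unlocked;          // frame: nothing else may change
      @   ensures candidate == pin ==>
      @             (\result && unlocked && tries == MAX_TRIES);
      @   ensures candidate != pin ==>
      @             (!\result && !unlocked && tries == \old(tries) - 1);
      @ also
      @ public exceptional_behavior
      @   requires tries == 0;
      @   assignable \nothing;
      @   signals_only IllegalStateException;
      @*/
    public boolean check(int candidate) {
        if (tries == 0) {
            throw new IllegalStateException("no tries left");
        }
        if (candidate == pin) {
            unlocked = true;
            tries = MAX_TRIES;   // omitting this reset violates the first ensures
                                 // clause: the runtime checker reports a
                                 // postcondition error, ESC/Java2 a static warning
            return true;
        }
        tries--;
        unlocked = false;
        return false;
    }

    //@ ensures \result == unlocked;
    public /*@ pure @*/ boolean isUnlocked() {
        return unlocked;
    }

    //@ ensures \result == tries;
    public /*@ pure @*/ int triesLeft() {
        return tries;
    }

    // Plain-Java driver. When the class is compiled with the JML runtime
    // assertion checker, every call below is checked against the contracts.
    public static void main(String[] args) {
        PinCounter card = new PinCounter(1234);
        System.out.println(card.check(0) + ", tries left: " + card.triesLeft());
        System.out.println(card.check(1234) + ", tries left: " + card.triesLeft());
        card.check(1);
        card.check(2);
        card.check(3);   // exhausts the counter; invariant forces !unlocked
        try {
            card.check(1234);   // exceptional_behavior case applies here
        } catch (IllegalStateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The `assignable` clause is the part most often skipped in practice and the one a reviewer should insist on: without it, an implementation of `check` that silently touched other state would still satisfy the `ensures` clauses. Two caveats a practitioner would want: the combined precondition of the two specification cases is always satisfiable given the invariant, so a static checker will not flag a call on a blocked card as a precondition violation but will instead require the caller to handle the `IllegalStateException`; and JML contracts describe program state, not timing or atomicity, so concerns such as the ordering of the counter decrement relative to the comparison under power loss are outside what these annotations can express.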

Keywords

Java, Formal specification, Assertion checking, Program verification, Design by Contract

Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  • Lilian Burdy, INRIA, Sophia-Antipolis, France
  • Yoonsik Cheon, Dept. of Computer Science, University of Texas at El Paso, El Paso, USA
  • David R. Cok, R&D Laboratories, Eastman Kodak Company, Rochester, USA
  • Michael D. Ernst, Computer Science & Artificial Intelligence Lab, MIT, Cambridge, USA
  • Joseph R. Kiniry, Dept. of Computer Science, University of Nijmegen, Nijmegen, The Netherlands
  • Gary T. Leavens, Dept. of Computer Science, Iowa State University, Ames, USA
  • K. Rustan M. Leino, Microsoft Research, Redmond, USA
  • Erik Poll, Dept. of Computer Science, University of Nijmegen, Nijmegen, The Netherlands