JML — Java Modeling Language

A Quick Reference for JML, the Java specification language.

Federico Haag
3 min readNov 25, 2017

--

Table of Contents

  1. What is JML
  2. JML Statements
  3. JML conditions syntax

1. What is JML

The Java Modelling Language (JML) is a specification language for Java.

JML follows the Design-by-Contract Programming Paradigm: this means that it describes pre/post conditions of code that must be respected in order to get the correct and expected behavior.

The JML code is evaluated by JML Program Verification Tools (the most famous is OpenJML) that checks if the Java code meets or not the given JML rules. By a more formal point of view: Evaluating JML means checking if the java code violates the contract (see contract programming).

2. JML Statements

As JML is still not officially supported by Java, all the JML statements must be written inside comments.

JML statements are always referred to a specific Java Class (or method), so they must be written inside of the main class brackets. When they refer to a specific method, they must be written inside the method brackets just below the declaration (before variables and methods declaration).

Common JML statements

  • //@assignable: list of variables (divided by comma) that can change value during method execution (=mutable variables). If no mutable variables exist in the class, use the reserved keyword \nothing
  • //@requires: preconditions of method — see JML conditions syntax
  • //@ensures: postconditions of method — see JML conditions syntax
  • //@signals: describes an exception that the method could throw and the conditions on which it happens — see JML conditions syntax
  • //@pure: declares that the method is an observer, meaning that does not change any values of the class variables. Note: pure methods are implicitly //@assignable: \nothing
  • //@also: the method inherits specifications from its supertypes

Invariants

Invariants specify conditions that are satisfied at the beginning and end of any method invocation and at the end of constructor invocation.

An invariant can be public or private, depending on which type of variables and methods it uses (only public => public invariant; at least one private => private invariant).

Important Notice: Invariants do not have to hold during the execution of a method but they can temporally be broken.

Typical Abstract Object

It is used when the structure of the class is not enough to describe entirely the pre/post conditions and it is needed a backup object that helps to describe in JML everything is needed. This object must be described in //@spec_public .

3. JML conditions syntax

JML conditions are the conditions needed into the //@requires , //@ensures and //@invariant statements.

Conditions are written in Hoare logic (the commonly known logic) and must always be able to return a boolean (true/false).

Java methods like .equals() , .containsAll() , .subList(), etc can be used to enrich the conditions.

If a condition is too much complex to be formalized, human-language can be used; in that case the JML Program Verification Tool will always mark it as “satisfied” . This fact makes usage of human-language into JML conditions quite useless. The only good usage is in order to achieve better comprehension between who writes the pre/post conditions and who actually implements the code.

JML syntax provides also special quantifiers and operators:

Quantifiers

  • \forall variable; condition; statement means that for all values of “variable” that soddisfy the “condition”, “statement” is true.
  • \exists variable; range; statement return true if exists at least one value for “variable” into the “range” (optional) that makes true the “statement”. On the contrary, returns false.
  • \numof variable; condition returns the number of times “variable” satisfy “condition”
  • condition ? if_true : if_false generally known as ternary operator, it can be used also in JML statements

Note: “condition” and “statement” follow the “JML conditions syntax” explained in the previous paragraph.

Operators

  • \result is the value returned by the method it’s being described
  • \old(statement) the statement inside the brackets uses the old variables, meaning that uses the variables’ values as they were before method execution
  • \sum,\product,\result ,\result …work in progress…
Programming
Java
Software Development

--

--

Federico Haag

Written by Federico Haag

114 Followers

Software Engineer, Ex-Amazon

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams