Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Method and Constructor Declarations
Method-Decl
Model Methods and Constructors
Pure Methods and Constructors
Helper Methods and Constructors
Method Specifications
Basic Concepts in Method Specification
Organization of Method Specifications
Access Control in Specification Cases
Lightweight Specification Cases Syntax
Heavyweight Specification Cases
Behavior Specification Cases
Semantics of Flat Behavior Specification Cases
Semantics of Non-Helper Methods
Semantics of Helper Methods and Constructors
Semantics of Nested Behavior Specification Cases
Normal Behavior Specification Cases
Exceptional Behavior Specification Cases
Method Specification Clauses
Data Groups
[[[ Needs Discussion -Default Data Groups ]]]
Static Data Group Inclusions
Result-Expression ::= \Result
Forward and Reverse Implication Operators
Redundant Implications and Redundantly Clauses
Method of Specifying for Subclasses
Augmenting Method Declarations
Multimethods
References

JML reference manual

Profile image of Joseph KiniryJoseph Kiniry

2008

Abstract

The nonterminal java-literal represents Java literals which are taken without change from Java [Gosling-Joy-Steele96]. Various authors refer to "model types" when they really mean "types with modifier pure that are used for modeling." Such a usage is contrary to JML's notion of a type with a model modifier. The following is the syntax of modifiers.

Related papers

How the design of JML accommodates both runtime assertion checking and formal verification
G. Leavens

Science of Computer Programming, 2005

Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming language, which makes it difficult to write complete specifications. Moreover, using assertions that are expressions in the underlying programming language can cause problems both in runtime assertion checking and in formal verification, because such expressions can potentially contain side effects. The Java Modeling Language, JML, avoids these problems. It uses a side-effect free subset of Java's expressions to which are added a few mathematical operators (such as the quantifiers \forall and \exists). JML also hides mathematical abstractions, such as sets and sequences, within a library of Java classes. The goal is to allow JML to serve as a common notation for both formal verification and runtime assertion checking; this gives users the benefit of several tools without the cost of changing notations.

View PDFchevron_right
Reasoning About JML: Differences Between KeY and OpenJML
Jan Boerman

Lecture Notes in Computer Science, 2018

To increase the impact and capabilities of formal verification, it should be possible to apply different verification techniques on the same specification. However, this can only be achieved if verification tools agree on the syntax and underlying semantics of the specification language and unfortunately, in practice, this is often not the case. In this paper, we concentrate on one particular example, namely Java programs annotated with JML, and we present a case study in understanding differences in the treatment of these specifications. Concretely, we take a collection of JML-annotated programs, that we tried to reverify using KeY and OpenJML. This effort led to a list of syntactical and semantical differences in the JML support between KeY and OpenJML. We discuss these differences, and then derive some general principles on how to improve interoperability between verification tools, based on the experiences from this case study.

View PDFchevron_right
Modular specification of frame properties in JML
Ruurd Kuiper

Concurrency and Computation: Practice and Experience, 2003

We present a modular specification technique for frame properties. The technique uses modifies clauses and abstract fields with declared dependencies. Modularity is guaranteed by a programming model that restricts aliasing, and by modularity requirements for dependencies. For concreteness, we adapt this technique to the Java Modeling Language, JML.

View PDFchevron_right
Preliminary design of JML
G. Leavens

ACM SIGSOFT Software Engineering Notes, 2006

JML is a behavioral interface specification language tailored to Java(TM). Besides pre-and postconditions, it also allows assertions to be intermixed with Java code; these aid verification and debugging. JML is designed to be used by working software engineers; to do this it follows Eiffel in using Java expressions in assertions. JML combines this idea from Eiffel with the model-based approach to specifications, typified by VDM and Larch, which results in greater expressiveness. Other expressiveness advantages over Eiffel include quantifiers, specification-only variables, and frame conditions. This paper discusses the goals of JML, the overall approach, and describes the basic features of the language through examples. It is intended for readers who have some familiarity with both Java and behavioral specification using preand postconditions.

View PDFchevron_right
JML Reference Manual DRAFT, $Revision: 1.235 $ $Date: 2008/07/17 20:40:09 $
Daniel M Zimmerman

2011

Permission is granted for you to make copies of this manual for educational and scholarly purposes, and for commercial use in specifying software, but the copies may not be sold or otherwise used for direct commercial advantage; this permission is granted provided that this copyright and permission notice is preserved on all copies. All other rights reserved. Version Information: @(#) $Id: jmlrefman.texinfo,v 1.235 2008/07/17 20:40:09 wdietl Exp $ i

View PDFchevron_right
Design by Contract with JML
Gary Leavens

2006

This document gives a tutorial introduction to the Java Modeling Language (JML), and explains how JML can be used as a powerful design by contract (DBC) tool for Java. JML is a formal behavioral interface specification language for Java that contains the essential notations used in DBC as a subset. The basic concepts of DBC are explained with a particular emphasis on how to use JML notations to specify Java classes and interfaces. JML tools such as JML compiler (jmlc) are also introduced, with examples of their use.

View PDFchevron_right
Demonstration of jml tools
Gary Leavens

The Java Modeling language (JML) is a behavioral interface specification language tailored to Java. This demonstration presents some of the basic tools for generating and browsing documentation, runtime assertion checking, and unit testing.

View PDFchevron_right
An Overview of JML Tools and Applications
Joseph Kiniry

International Journal on …, 2005

View PDFchevron_right
JAVA -BASIC SYNTAX
Sai Manideep

When we consider a Java program it can be defined as a collect ion of object s t hat communicat e via invoking each ot her's met hods. Let us now briefly look int o what do class, object , met hods and inst ance variables mean.

View PDFchevron_right
On model typing
Jean-Marc Jézéquel

Software & Systems Modeling, 2007

Abstract Where object-oriented languages deal with objects as described by classes, model-driven development uses models, as graphs of interconnected objects, described by metamodels. A number of new languages have been and continue to be developed for this model-based paradigm, both for model transformation and for general programming using models. Many of these use single-object approaches to typing, derived from solutions found in object-oriented systems, while others use metamodels as model types, but without a ...

View PDFchevron_right

References (197)

  1. 1 Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  2. 2 Specification Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  3. 3 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  4. 4 JML Primary Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.1 \result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.2 \old and \pre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.3 \not_assigned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.4 \not_modified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.5 \only_accessed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.6 \only_assigned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.7 \only_called . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.8 \only_captured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.
  5. 9 \fresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  6. 4.10 \reach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.11 \duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.12 \space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.13 \working_space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.14 \nonnullelements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.15 Informal Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.16 \typeof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.17 \elemtype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.18 \type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  7. 4.19 \lockset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  8. 4.20 \max . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.21 \is_initialized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.22 \invariant_for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.23 \lblneg and \lblpos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  9. 4.24 Quantified Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.24.1 Universal and Existential Quantifiers . . . . . . . . . . . . .
  10. 4.24.2 Generalized Quantifiers . . . . . . . . . . . . . . . . . . . . . . . . . .
  11. 4.24.3 Numerical Quantifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.24.4 Executability of Quantified Expressions. . . . . . . . . . .
  12. 4.24.5 Modifiers for Bound Variables . . . . . . . . . . . . . . . . . . . .
  13. 4.24.6 Quantifying over Reference Types . . . . . . . . . . . . . . . .
  14. 5 Set Comprehensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  15. 6 JML Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.6.1 Subtype operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.6.2 Equivalence and Inequivalence Operators . . . . . . . . . . . . . . .
  16. 6.3 Forward and Reverse Implication Operators . . . . . . . . . . . .
  17. Lockset Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  18. Store Refs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v 12 Statements and Annotation Statements . . 12.1 Local Declaration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  19. 1.1 Modifiers for Local Declarations . . . . . . . . . . . . . . . . . . . . . . . .
  20. 2 Loop Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.1 Loop Invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.2 Loop Variant Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  21. Assert Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  22. 4 JML Annotation Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  23. Assume Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4.2 Set Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4.3 Refining Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4.4 Unreachable Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  24. 4.5 Debug Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4.6 Hence By Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  25. Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.1 Redundant Implications and Redundantly Clauses . . . . . . . . . . .
  26. 2 Redundant Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  27. Model Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.1 Ideas Behind Model Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.2 Extracting Model Program Specifications. . . . . . . . . . . . . . . . . . . . 14.3 Details of Model Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.4 Nondeterministic Choice Statement . . . . . . . . . . . . . . . . . . . . . . . . . 14.5 Nondeterministic If Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  28. 6 Specification Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.6.1 Continues Clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.6.2 Breaks Clause. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.6.3 Returns Clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Specification for Subtypes . . . . . . . . . . . . . . . . . . 15.1 Method of Specifying for Subclasses . . . . . . . . . . . . . . . . . . . . . . . . . 15.2 Code Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  29. Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.1 File Name Suffixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2 Using Separate Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.3 Refinement Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.4 Type Checking Refinements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.5 Refinement Viewpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.5.1 Default Constructor Refinement . . . . . . . . . . . . . . . . . . . . . . . .
  30. MultiJava Extensions to JML . . . . . . . . . . . . . 17.1 Augmenting Method Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . .
  31. 2 MultiMethods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi 18 Universe Type System. . . . . . . . . . . . . . . . . . . . . .
  32. 1 Basic Concepts of Universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.2 Rep and Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  33. 3 Readonly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.4 Ownership Modifiers for Array Types . . . . . . . . . . . . . . . . . . . . . . .
  34. 5 Default Ownership Modifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.6 Ownership Type Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.6.1 Ownership Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  35. 6.2 Ownership Typing for Expressions . . . . . . . . . . . . . . . . . . . . .
  36. 7 Casts and Ownership Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  37. Safe Math Extensions . . . . . . . . . . . . . . . . . . . . . .
  38. 1 \bigint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  39. 2 \real . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  40. Deprecated and Replaced Syntax. . . . . . . . . .
  41. 1 Deprecated Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.1.1 Deprecated Represents Clause Syntax . . . . . . . . . . . . . . . . . .
  42. 1.2 Deprecated File Name Suffixes . . . . . . . . . . . . . . . . . . . . . . . . .
  43. 2 Replaced Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bibliography
  44. Pierre America. Inheritance and Subtyping in a Parallel Object-Oriented Lan- guage. In Jean Bezivin and others (eds.), ECOOP '87, European Conference on Object-Oriented Programming, Paris, France. Lecture Notes in Computer Science, Vol. 276 (Springer-Verlag, NY), pages 234-242.
  45. Arnold-Gosling-Holmes00]
  46. Ken Arnold, James Gosling, and David Holmes. The Java Programming Lan- guage Third Edition. The Java Series. Addison-Wesley, Reading, MA, 2000.
  47. Working Paper for Draft Proposed International Standard for Information Sys- tems -Programming Language C++. CBEMA, 1250 Eye Street NW, Suite 200, Washington DC 20005, April 28, 1995. (Obtained by anonymous ftp to research.att.com, directory dist/c++std/WP.)
  48. R. J. R. Back. A calculus of refinements for program derivations. Acta Infor- matica, 25(6):593-624, August 1988. [Back-vonWright89a]
  49. R. J. R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J. W. de Bakker, et al, (eds.), Stepwise Refine- ment of Distributed Systems, Models, Formalisms, Correctness, REX Work- shop, Mook, The Netherlands, May/June 1989, pages 42-66. Volume 430 of Lecture Notes Computer Science, Spring-Verlag, 1989. [Back-vonWright98]
  50. Ralph-Johan Back and Joakim von Wright. Refinement Calculus: A Systematic Introduction. Springer-Verlag, 1998. [Borgida-etal95] Alex Borgida, John Mylopoulos, and Raymond Reiter. On the Frame Prob- lem in Procedure Specifications. IEEE Transactions on Software Engineering, 21(10):785-798, October 1995.
  51. John Boyland. Alias burying: Unique variables without destructive reads. Software-Practice and Experience, 31(6):533-553, May 2001. [Buechi-Weck00] Martin Büchi and Wolfgang Weck. The Greybox Approach: When Blackbox Specifications Hide Too Much. Technical Report 297, Turku Centre for Com- puter Science, August 1999. 'http://www.tucs.abo.fi/publications/techreports/TR297.html'.
  52. Martin Büchi. Safe Language Mechanisms for Modularization and Concur- rency. Ph.D. Thesis, Turku Center for Computer Science, May 2000. TUCS Dissertations No. 28. [Burdy-etal03] Lilian Burdy, Yoonsik Cheon, David Cok, Michael Ernst, Joe Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. An overview of JML tools and applications. Dept. of Computer Science, University of Nijmegen, TR NIII-R0309, 2003. 'http://www.eecs.ucf.edu/~leavens/JML/OldReleases/jml-white-paper.pdf'.
  53. Patrice Chalin. JML Support for Primitive Arbitrary Precision Numeric Types: Definition and Semantics. Journal of Object Technology, 3(6):57-79, June 2004. Available from 'http://www.jot.fm/issues/issue_2004_06/article3'
  54. Patrice Chalin. A Sound Assertion Semantics for the Dependable Systems Evolution Verifying Compiler. Proceedings of the International Conference on Software Engineering (ICSE), Minneapolis, MN, USA, 2007. [Chalin-Rioux05] Patrice Chalin and Frederic Rioux. Non-null References by Default in the Java Modeling Language. In Proceedings of the Workshop on the Specification and Verification of Component-Based Systems (SAVCBS'05), Lisbon, Portugal. September, 2005. An updated version is available as Department of Computer Science, Concordia University, ENCS-CSE TR 2005-004, December 2005, which is available from the URL 'http://www.cs.concordia.ca/~chalin/papers/TR-2005-004-r3.2.pdf'. [Cheon-Leavens02] Yoonsik Cheon and Gary T. Leavens. A Simple and Practical Approach to Unit Testing: The JML and JUnit Way. In ECOOP 2002 -Object-Oriented Programming, 16th European Conference, Malaga, Spain, pages 231-255.
  55. Cheon-Leavens02b] Yoonsik Cheon and Gary T. Leavens. A Runtime Assertion Checker for the Java Modeling Language (JML). In Hamid R. Arabnia and Youngsong Mun (eds.), Proceedings of the International Conference on Software Engineering Research and Practice (SERP '02), Las Vegas, Nevada, USA, pages 322-328. CSREA Press, June 2002. Also Department of Computer Science, Iowa State University, TR #02-05, March 2002, which is available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR02-05/TR.pdf'.
  56. Cheon-etal05] Yoonsik Cheon, Gary T. Leavens, Murali Sitaraman, and Stephen Edwards. Model Variables: Cleanly Supporting Abstraction in Design By Contract. Software-Practice and Experience, 35(6):583-599, May 2005. Also Department of Computer Science, Iowa State University, TR 03-10, March 2003. 'ftp://ftp.cs.iastate.edu/pub/techreports/TR03-10/TR.pdf'.
  57. Yoonsik Cheon. A Runtime Assertion Checker for the Java Modeling Language. Department of Computer Science, Iowa State University, TR 03-09, April, 2003. 'ftp://ftp.cs.iastate.edu/pub/techreports/TR03-09/TR.pdf' [Clifton-etal00] Curtis Clifton, Gary T. Leavens, Craig Chambers, and Todd Millstein. Mul- tiJava: Modular Open Classes and Symmetric Multiple Dispatch for Java. In OOPSLA 2000 Conference on Object-Oriented Programming, Systems, Lan- guages, and Applications, Minneapolis, Minnesota (ACM SIGPLAN Notices, 35(10):130-145, October 2000).
  58. Edward Cohen. Programming in the 1990s: An Introduction to the Calculation of Programs. Springer-Verlag, New York, N.Y., 1990.
  59. James C. Corbett, Matthew B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. Pasareanu, Robby, and Hongjun Zheng. Bandera: Extracting Finite-State Models from Java Source Code. In S. Brookes and M. Main and A. Melton and M. Mislove (eds.), Proceedings of the 22nd International Conference on Software Engineering, pp. 439-448, ACM Press, 2000. [Dhara-Leavens94b]
  60. Krishna Kishore Dhara and Gary T. Leavens. Weak Behavioral Subtyping for Types with Mutable Objects. In S. Brookes and M. Main and A. Melton and M. Mislove (eds.), Mathematical Foundations of Programming Semantics, Eleventh Annual Conference, Volume 1 of Electronic Notes in Computer Science, Else- vier, 1995. 'http://www.sciencedirect.com/science/journal/15710661'.
  61. Dhara-Leavens96] Krishna Kishore Dhara and Gary T. Leavens. Forcing Behavioral Subtyping Through Specification Inheritance. In Proceedings 18th International Confer- ence on Software Engineering, Berlin, Germany, pages 258-267. IEEE 1996. An extended version is Department of Computer Science, Iowa State Univer- sity, TR #95-20b, December 1995, which is available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR95-20/TR.ps.Z'.
  62. Krishna Kishore Dhara. Behavioral Subtyping in Object-Oriented Languages. Ph.D. Thesis, Department of Computer Science, Iowa State University. Also Technical Report TR #97-09, May 1997. Available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR97-09/TR.ps.gz'. [Dietl-Drossopoulou-Mueller07]
  63. Werner Dietl, Sophia Drossopoulou and Peter Müller. Generic Universe Types. In E. Ernst, editor, European Conference on Object-Oriented Programming (ECOOP) pages 28-53, 2007. Available from 'http://sct.inf.ethz.ch/publications/getpdf.php?bibname=Own&id=DietlDrossopoulouMu [Dietl-Mueller04] Werner Dietl and Peter Müller. Exceptions in ownership type systems. In E. Poll, editor, Formal Techniques for Java-like Programs pages 49-54, 2004. Available from 'http://sct.inf.ethz.ch/publications/getpdf.php?bibname=Own&id=DietlMueller04.pdf'. [Dietl-Mueller05] Werner Dietl and Peter Müller. Universes: Lightweight Ownership for JML. Journal of Object Technology, 4(8):5-32, October 2005. Available from 'http://www.jot.fm/issues/issue_2005_10/article1.pdf'. [Dietl-Mueller-Schregenberger08]
  64. Werner Dietl, Peter Müller and Daniel Schregenberger. Universe Type System -Quick-Reference. Available from 'http://sct.inf.ethz.ch/research/universes/tools/juts-quickref.pdf'.
  65. Edsger W. Dijkstra. A Discipline of Programming (Prentice-Hall, Englewood Cliffs, N.J., 1976).
  66. Stephen H. Edwards, Wayne D. Heym, Timothy J. Long, Murali Sitaraman, and Bruce W. Weide. Part II: Specifying Components in RESOLVE. ACM SIGSOFT Software Engineering Notes, 19(4):29-39, October 1994. [Ernst-etal01]
  67. Michael D. Ernst, Jake Cockrell, William G. Griswold, and David Notkin. Dy- namically discovering likely program invariants to support program evolution. IEEE Transactions on Software Engineering, 27(2):1-25, February 2001. [Fitzgerald-Larsen98] John Fitzgerald and Peter Gorm Larsen. Modelling Systems: Practical Tools and Techniques in Software Development. Cambridge University Press, Cam- bridge, UK, 1998. [Gosling-etal00] James Gosling, Bill Joy, Guy Steele, and Gilad Bracha. The Java Language Specification Second Edition. The Java Series. Addison-Wesley, Boston, MA, 2000. [Gries-Schneider95]
  68. David Gries and Fred B. Schneider. Avoiding the Undefined by Underspecifi- cation. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes in Computer Science, pages 366-373. Springer-Verlag, New York, N.Y., 1995. [Guttag-Horning-Wing85b]
  69. John V. Guttag and James J. Horning and Jeannette M. Wing. The Larch Family of Specification Languages. IEEE Software, 2(5):24-36, September 1985. [Guttag-Horning93]
  70. John V. Guttag and James J. Horning with S.J. Garland, K.D. Jones, A. Modet and J.M. Wing. Larch: Languages and Tools for Formal Specification (Springer- Verlag, NY, 1993).
  71. Anthony Hall. Seven Myths of Formal Methods. IEEE Software, 7(5):11-19, September 1990.
  72. I. Hayes (ed.), Specification Case Studies, second edition (Prentice-Hall, Engle- wood Cliffs, N.J., 1990).
  73. Wim H. Hesselink. Programs, Recursion, and Unbounded Choice (Cambridge University Press, Cambridge, UK, 1992).
  74. C. A. R. Hoare. An Axiomatic Basis for Computer Programming. Comm. ACM, 12(10):576-583, October 1969.
  75. C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica, 1(4):271-281, 1972.
  76. Marieke Huisman. Reasoning about JAVA programs in higher order logic with PVS and Isabelle. IPA dissertation series, 2001-03. Ph.D. dissertation, Univer- sity of Nijmegen, 2001.
  77. International Standards Organization. Information Technology -Programming Languages, Their Environments and System Software Interfaces -Vienna Devel- opment Method -Specification Language -Part 1: Base language. International Standard ISO/IEC 13817-1, December, 1996. [Khurshid-Marinov-Jackson02] Sarfraz Khurshid and Darko Marinov and Daniel Jackson. An Analyzable An- notation Language. In Proceedings of OOPSLA '02 Conference on Object- Oriented Programming, Languages, Systems, and Applications. (ACM SIG- PLAN Notices, 37(11):231-245, October 2002).
  78. Jacobs-etal98] Bart Jacobs, Joachim van den Berg, Marieke Huisman, Martijn van Berkum, Ulrich Hensel, and Hendrik Tews. Reasoning about Java Classes (Preliminary Report) In OOPSLA '98 Proceedings (ACM SIGPLAN Notices, 33(10):329-490, October 1998).
  79. Cliff B. Jones. Systematic Software Development Using VDM. International Se- ries in Computer Science. Prentice Hall, Englewood Cliffs, N.J., second edition, 1990.
  80. C.B. Jones, Partial functions and logics: A warning. Information Processing Letters, 54(2):65-67, 1995. [Kiczales-Lamping92] Gregor Kiczales and John Lamping. Issues in the Design and Documentation of Class Libraries. In Andreas Paepcke (ed.), OOPSLA '92 Proceedings (ACM SIGPLAN Notices, 27(10):435-451, October 1992).
  81. Joseph R. Kiniry and David R. Cok. ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2 and a report on a case study involving the use of ESC/Java2 to verify portions of an Internet voting tally system. In Marieke Huisman (ed.), CASSIS 2004 -Construction and Analysis of Safe, Secure and Interoperable Smart devices, Marseille, France, 2004, Proceedings, volume 3362 of Lecture Notes in Computer Science, pages 108-128. Springer-Verlag, 2004. [Krone-Ogden-Sitaraman03]
  82. Joan Krone, William F. Ogden, Murali Sitaraman. Modular Verification of Performance Constraints. Technical Report RSRG-03-04, Department of Computer Science, Clemson University, May, 2003. Available from 'http://www.cs.clemson.edu/~resolve/reports/RSRG-03-04.pdf'
  83. Leslie Lamport. A Simple Approach to Specifying Concurrent Systems. CACM, 32(1):32-45, January 1989.
  84. Gary T. Leavens. Larch frequently asked questions. Version 1.110. Available in 'http://www.eecs.ucf.edu/~leavens/larch-faq.html', May 2000.
  85. Gary T. Leavens and Albert L. Baker. Enhancing the pre-and postcondition technique for more expressive specifications. In Jeannette M. Wing, Jim Wood- cock, and Jim Davies, editors, FM'99 -Formal Methods: World Congress on Formal Methods in the Development of Computing Systems, Toulouse, France, September 1999, Proceedings, volume 1709 of Lecture Notes in Computer Sci- ence, pages 1087-1106. Springer-Verlag, 1999. [Leavens-Baker-Ruby99]
  86. Gary T. Leavens, Albert L. Baker, and Clyde Ruby. JML: a Notation for Detailed Design. In Haim Kilov, Bernhard Rumpe, and Ian Simmonds (editors), Behavioral Specifications for Businesses and Systems, chapter 12, pages 175- 188. [Leavens-Baker-Ruby06]
  87. Gary T. Leavens, Albert L. Baker, and Clyde Ruby. Preliminary Design of JML: A Behavioral Interface Specification Language for Java. ACM SIGSOFT Software Engineering Notes, 31(3):1-38, March 2006. 'http://doi.acm.org/10.1145/1127878.1127884'. Also Iowa State Univer- sity, Department of Computer Science, TR #98-06-rev29, January 2006, which is available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR98-06/TR.pdf'.
  88. Gary T. Leavens and Yoonsik Cheon. Design by Contract with JML. December, 2006, which is available from the URL 'http://www.jmlspecs.org/jmldbc.pdf'.
  89. Gary T. Leavens and Krishna Kishore Dhara. Concepts of Behavioral Subtyp- ing and a Sketch of Their Extension to Component-Based Systems. In Gary T. Leavens and Murali Sitaraman (eds.), Foundations of Component-Based Sys- tems, Cambridge University Press, 2000, pp. 113-135. 'http://www.eecs.ucf.edu/~leavens/FoCBS-book/06-leavens-dhara.pdf' [Leavens-etal05]
  90. G. T. Leavens, Y. Cheon, C. Clifton, C. Ruby, and D. R. Cok. How the design of JML accommodates both runtime assertion checking and formal verification Science of Computer Programming, 55(1-3):185-208, 2005. [Leavens-Mueller07] Gary T. Leavens and Peter Müller. Information Hiding and Vis- ibility in Interface Specifications. In International Conference on Software Engineering (ICSE), pages 385-395, IEEE, 2007. 'http://dx.doi.org/10.1109/ICSE.2007.44' [Leavens-Naumann06]
  91. Gary T. Leavens and David A. Naumann. Behavioral Subtyping, Specification Inheritance, and Modular Reasoning. Department of Computer Science, TR \#06-20b, July 2006, revised August, September 2006. Available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR90-09/TR.pdf'.
  92. Gary T. Leavens and William E. Weihl. Reasoning about Object-oriented Pro- grams that use Subtypes (extended abstract). In N. Meyrowitz (ed.), OOPSLA ECOOP '90 Proceedings (ACM SIGPLAN Notices, 25(10):212-223, October 1990).
  93. Gary T. Leavens and William E. Weihl. Specification and Verification of Object-Oriented Programs Using Supertype Abstraction. Acta Informatica, 32(8):705-778, November 1995.
  94. Gary T. Leavens and Jeannette M. Wing. Protective interface specifications. Formal Aspects of Computing, 10(1):590-75, January 1998.
  95. Gary T. Leavens. Modular Verification of Object-Oriented Programs with Sub- types. Department of Computer Science, Iowa State University (Ames, Iowa, 50011), TR 90-09, July 1990. Available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR90-09/TR.ps.Z'.
  96. Gary T. Leavens. Modular Specification and Verification of Object-Oriented Programs. IEEE Software, 8(4):72-80, July 1991.
  97. Gary T. Leavens. An Overview of Larch/C++: Behavioral Specifications for C++ Modules. In Haim Kilov and William Harvey (editors), Specification of Behavioral Semantics in Object-Oriented Information Modeling (Kluwer Aca- demic Publishers, 1996), Chapter 8, pages 121-142. An extended version is Department of Computer Science, Iowa State University, TR #96-01c, July 1996, which is available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR96-01/TR.ps.Z'.
  98. Gary T. Leavens. Larch/C++ Reference Manual. Version 5.14. Available in 'http://www.eecs.ucf.edu/~leavens/larchc++.html', October 1997.
  99. Gary T. Leavens. JML's Rich, Inherited Specifications for Behavioral Subtypes. In Zhiming Liu and He Jifeng (eds), Proceedings, International Conference on Formal Engineering Methods (ICFEM'06), Macao, China, pages 2-36. Volume 4260 of Lecture Notes in Computer Science, Springer-Verlag, 2006. Also De- partment of Computer Science, Iowa State University, TR \#06-22, August 2006. 'ftp://ftp.cs.iastate.edu/pub/techreports/TR06-22/TR.pdf'
  100. Henry. F. Ledgard. A Human Engineered Variant of BNF. ACM SIGPLAN Notices, 15(10):57-62, October 1980. [Leino-Nelson-Saxe00]
  101. K. Rustan M. Leino, Greg Nelson, and James B. Saxe. ESC/Java User's Man- ual. Technical Note 2000-02, Systems Research Center, October, 2000. [Leino-etal00]
  102. K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. Extended Static Checking. Web page at 'http://research.compaq.com/SRC/esc/Esc.html'.
  103. K. Rustan M. Leino. Towards Reliable Modular Programs. PhD thesis, Cali- fornia Institute of Technology, January 1995. Available from the URL 'ftp://ftp.cs.caltech.edu/tr/cs-tr-95-03.ps.Z'.
  104. K. Rustan M. Leino. A myth in the modular specification of programs. KRML 63, November 1995. Obtained from the author (rustan@pa.dec.com).
  105. K. Rustan M. Leino. Data groups: Specifying the modification of extended state. OOPSLA '98 Conference Proceedings. (ACM SIGPLAN Notices, 33(10):144-153, October 1998).
  106. Richard Allen Lerner. Specifying Objects of Concurrent Systems. School of Computer Science, Carnegie Mellon University, CMU-CS-91-131, May 1991. Available from the URL 'ftp://ftp.cs.cmu.edu/afs/cs.cmu.edu/project/larch/ftp/thesis.ps.Z'. [Liskov-Guttag86] Barbara Liskov and John Guttag. Abstraction and Specification in Program Development (MIT Press, Cambridge, Mass., 1986).
  107. Barbara Liskov and Jeannette M. Wing. Specifications and their use in defin- ing subtypes. In Andreas Paepcke, editor, OOPSLA '93 Proceedings. (ACM SIGPLAN Notices 28(10):16-28, October, 1993.)
  108. Liskov-Wing94] Barbara Liskov and Jeannette M. Wing. A Behavioral Notion of Subtyping. ACM Transactions on Programming Languages and Systems, 16(6):1811-1841, November 1994.
  109. Bertrand Meyer. Applying "design by contract". Computer, 25(10):40-51, October 1992.
  110. Bertrand Meyer. Eiffel: The Language. Object-Oriented Series. Prentice Hall, New York, N.Y., 1992.
  111. Bertrand Meyer. Object-oriented Software Construction. Prentice Hall, New York, N.Y., second edition, 1997. [Morgan-Vickers94] Carroll Morgan and Trevor Vickers. On the refinement calculus. Springer- Verlag, New York, N.Y., 1994.
  112. Carroll Morgan. Programming from Specifications, second edition (Prentice- Hall, 1994).
  113. Joseph~M. Morris. A theoretical basis for stepwise refinement and the program- ming calculus. Science of Computer Programming, 9(3):287-306, December 1987. [Mueller-Poetzsch-Heffter00] Peter Müller and Arnd Poetzsch-Heffter. Modular Specification and Verification Techniques for Object-Oriented Software Components. In Gary T. Leavens and Murali Sitaraman (eds.), Foundations of Component-Based Systems, pages 137- 159. Cambridge University Press, 2000. [Mueller-Poetzsch-Heffter00a] Peter Müller and Arnd Poetzsch-Heffter. A Type System for Controlling Rep- resentation Exposure in Java. In S. Drossopoulou, et al. (eds.), Formal Tech- niques for Java Programs, 2000. Technical Report 269, Fernuniversität Hagen, Available from 'http://www.informatik.fernuni-hagen.de/pi5/publications.html' [Mueller-Poetzsch-Heffter01a] Peter Müller and Arnd Poetzsch-Heffter. Universes: A Type System for Alias and Dependency Control. Technical Report 279, Fernuniversität Hagen, 2001. Available from 'http://www.informatik.fernuni-hagen.de/pi5/publications.html' [Mueller-Poetzsch-Heffter-Leavens03]
  114. Peter Müller, Arnd Poetzsch-Heffter, and Gary T. Leavens. Modular Specifica- tion of Frame Properties in JML. Concurrency and Computation: Practice and Experience, 15(2):117-154, February 2003. Also Technical Report TR #02-02, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, February 2002. Available from 'ftp://ftp.cs.iastate.edu/pub/techreports/TR02-02/TR.pdf' [Mueller-Poetzsch-Heffter-Leavens06]
  115. Peter Müller, Arnd Poetzsch-Heffter, and Gary T. Leavens. Modular Invariants for Layered Object Structures. Science of Computer Programming, 62(3):253- 286, October 2006. 'http://dx.doi.org/10.1016/j.scico.2006.03.001' Also Technical Report 424, ETH Zürich, October 2003, revised March 2004, March 2005. Available from 'ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/4xx/424.pdf'
  116. Peter Müller. Modular Specification and Verification of Object-Oriented Pro- grams. Volume 2262 of Lecture Notes in Computer Science, Springer-Verlag, 2002.
  117. Greg Nelson. A Generalization of Dijkstra's Calculus. ACM Transactions on Programming Languages and Systems, 11(4):517-561, October 1989. [Noble-Vitek-Potter98]
  118. James Noble, Jan Vitek, and John Potter. Flexible Alias Protection. In Eric Jul (ed.), ECOOP '98 -Object-Oriented Programming, 12th European Conference, Brussels, Belgium, pages volume 1445 of Lecture Notes in Computer Science, pages 158-185. Springer-Verlag, New York, N.Y., 1998.
  119. D. L. Parnas. On the Criteria to be Used in Decomposing Systems into Modules. Comm. ACM, 15(12):1053-1058, December 1972. [Poetzsch-Heffter97] Arnd Poetzsch-Heffter. Specification and Verification of Object-Oriented Programs. Habilitationsschrift, Technische Universitaet Muenchen, 1997. Available from the URL 'http://wwweickel.informatik.tu-muenchen.de/persons/poetzsch/habil.ps.gz'. [Jacobs-Poll01] Bart Jacobs and Eric Poll. A Logic for the Java Modeling Language JML. In Fundamental Approaches to Software Engineering (FASE'2001), Genova, Italy, 2001. Volume 2029 of Lecture Notes in Computer Science, Springer-Verlag, 2001. 'http://www.cs.kun.nl/~erikpoll/publications/jmllogic.html' [Raghavan-Leavens05] Arun D. Raghavan and Gary T. Leavens. Desugaring JML Method Specifica- tions. Technical Report #00-03a, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, April, 2000, revised May 2005. Available in 'ftp://ftp.cs.iastate.edu/pub/techreports/TR00-03/TR.ps.gz'.
  120. F. Rioux and P. Chalin. Effective and Efficient Runtime Assertion Checking for JML Through Strong Validity. Proceedings of the 9th Workshop on Formal Techniques for Java-like Programs (FTfJP'07), Berlin, Germany, 2007. [Rodriguez-etal05] Edwin Rodriguez, Matthew B. Dwyer, Cormac Flanagan, John Hatcliff, Gary T. Leavens, Robby. Extending JML for Modular Specification and Verification of Multi-Threaded Programs. In Andrew P. Black (ed.), ECOOP 2005 -Object- Oriented Programming 19th European Conference, Glasgow, UK, pages 551- 576. Volume 3586 of Lecture Notes in Computer Science, Springer Verlag, July 2005.
  121. David S. Rosenblum. A practical approach to programming with assertions. IEEE Transactions on Software Engineering, 21(1):19-31, January 1995. [Ruby-Leavens00] Clyde Ruby and Gary T. Leavens. Safely Creating Correct Subclasses with- out Seeing Superclass Code. In OOPSLA 2000 Conference on Object-Oriented Programming, Systems, Languages, and Applications, Minneapolis, Minnesota. (ACM SIGPLAN Notices, 35(10):208-228, October, 2000.) Also Technical Re- port #00-05d, Department of Computer Science, Iowa State University, Ames, Iowa, 50011. April 2000, revised April, June, July 2000. Available in 'ftp://ftp.cs.iastate.edu/pub/techreports/TR00-05/TR.ps.gz'.
  122. Clyde Dwain Ruby. Modular subclass verification: safely creating correct sub- classes without superclass code. Ph.D. Thesis, Department of Computer Sci- ence, Iowa State University. Also Technical Report #06-34, December 2006. Available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR06-34/TR.pdf'. [Salcianu-Rinard05] Alexandru Salcianu and Martin Rinard. Purity and Side Effect Analysis for Java Programs. In Proceedings of the 6th International Conference on Veri- fication, Model Checking and Abstract Interpretation. Paris, France January 2005. Available in 'http://www.mit.edu/~salcianu/publications/vmcai05-purity.pdf' [Shaner-Leavens-Naumann07]
  123. Steve M. Shaner, Gary T. Leavens, and David A. Naumann. Modular Ver- ification of Higher-Order Methods with Mandatory Calls Specified by Model Programs Department of Computer Science, Iowa State University, TR #07- 04a, March 2007, revised April 2007, which is available from the URL 'ftp://ftp.cs.iastate.edu/pub/techreports/TR07-04/TR.pdf'.
  124. J. Michael Spivey. The Z Notation: A Reference Manual, second edition, (Prentice-Hall, Englewood Cliffs, N.J., 1992).
  125. Steyaert-etal96] Patrick Steyaert, Carine Lucas, Kim Mens, and Theo D'Hondt. Issues in the Design and Documentation of Class Libraries. In OOPSLA '96 Proceedings. (ACM SIGPLAN Notices, 31(10):268-285, October, 1996.)
  126. Yang Meng Tan. Formal Specification Techniques for Engineering Modular C Programs. International Series in Software Engineering (Kluwer Academic Publishers, Boston, 1995). Also published as Formal Specification Techniques for Promoting Software Modularity, Enhancing Documentation, and Testing Specifications. Technical Report TR-619, MIT Lab. for Comp. Sci., June 1994.
  127. David A. Watt. Programming Language Syntax and Semantics. Prentice Hall, International Series in Computer Science, New York, 1991.
  128. Alan Wills. Specification in Fresco. In Susan Stepney and Rosalind Barden and David Cooper (eds.), Object Orientation in Z, chapter 11, pages 127-135.
  129. Springer-Verlag, Workshops in Computing Series, Cambridge CB2 1LQ, UK, 1992.
  130. Jeannette Marie Wing. A Two-Tiered Approach to Specifying Programs Tech- nical Report TR-299, Mass. Institute of Technology, Laboratory for Computer Science, 1983.
  131. Jeannette M. Wing. Writing Larch Interface Language Specifications. ACM Transactions on Programming Languages and Systems, 9(1):1-24, January 1987.
  132. Jeannette M. Wing. A Specifier's Introduction to Formal Methods. Computer, 23(9):8-24, September 1990. blank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 BNF notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 body of a quantifier . . . . . . . . . . . . . . . . . . . . . . . . . . 100 body, in quantifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 body, of method, in refinements . . . . . . . . . . . . . . . 128 body, of quantifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 body, of refining statement . . . . . . . . . . . . . . . . . . . 111 boolean . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 89 boolean-literal, defined. . . . . . . . . . . . . . . . . . . . . . . . . 32 boolean-literal, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  133. Borgida . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 bound variable, in quantifier . . . . . . . . . . . . . . . . . . . 99 bound variables, modifiers for . . . . . . . . . . . . . . . . . 101 bound-var-modifiers, defined . . . . . . . . . . . . . . . . . . 101 bound-var-modifiers, used . . . . . . . . . . . . . . . . . . 74, 99
  134. Boyland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 break. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 105 break, loops containing . . . . . . . . . . . . . . . . . . . . . . . 108 breaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 123 breaks-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . . 123 breaks-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 breaks-keyword, defined . . . . . . . . . . . . . . . . . . . . . . 123 breaks-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . 123 breaks_redundantly . . . . . . . . . . . . . . . . . . . . . . 30, 123
  135. British, spelling of behavior . . . . . . . . . . . . . . . . . . . . 66
  136. Büchi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
  137. Buechi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 built-in-type, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 89 built-in-type, used . . . . . . . . . . . . . . . . . . . . . . . . . 49, 89
  138. Burdy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 6, 7 byte . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 89
  139. C c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  140. C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 C++-style-comment, defined . . . . . . . . . . . . . . . . . . . . 27 C++-style-comment, used . . . . . . . . . . . . . . . . . . . . . .
  141. C-Style comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  142. C-style-body, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  143. C-style-body, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  144. C-style-comment, defined . . . . . . . . . . . . . . . . . . . . . .
  145. C-style-comment, used . . . . . . . . . . . . . . . . . . . . . . . . . 27
  146. C-style-end, defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
  147. C-style-end, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 call, post-state of . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 call, pre-state of . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 callable . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 67, 69, 83 callable clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 callable clause, omitted . . . . . . . . . . . . . . . . . . . . . . . . 83 callable-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . . 83 callable-clause, used. . . . . . . . . . . . . . . . . . . . . . . 64, 122 callable-keyword, defined . . . . . . . . . . . . . . . . . . . . . . 83 callable-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . 83 callable-methods-list, defined . . . . . . . . . . . . . . . . . . 83 callable-methods-list, used . . . . . . . . . . . . . . . . . . . . . 83 callable_redundantly . . . . . . . . . . . . . . . . . . . . 30, 83 captured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 G generalized quantifier . . . . . . . . . . . . . . . . . . . . . . . . . 100 generic-spec-body, defined . . . . . . . . . . . . . . . . . . . . . 64 generic-spec-body, used . . . . . . . . . . . . . . . . . . . . . . . . 64 generic-spec-case, defined . . . . . . . . . . . . . . . . . . . . . . 64 generic-spec-case, used . . . . . . . . . . . . . . 64, 66, 71, 72 generic-spec-case-seq, defined . . . . . . . . . . . . . . . . . . 64 generic-spec-case-seq, used . . . . . . . . . . . . . . . . . . . . . 64 generic-spec-statement-body, defined . . . . . . . . . . 122 generic-spec-statement-body, used . . . . . . . . . . . . 122 generic-spec-statement-body-seq, defined . . . . . . 122 generic-spec-statement-case, defined . . . . . . . . . . 122 generic-spec-statement-case, used . . . . . . . . 111, 122 generic-spec-statement-case-seq, used . . . . . . . . . 122 ghost . . . . . . . . . . . . . . . . . . . . . . 11, 30, 39, 41, 48, 106 ghost and static, in interfaces . . . . . . . . . . . . . . . . . . 42 ghost features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 ghost fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 ghost fields, and namespace . . . . . . . . . . . . . . . . . . . . 11 ghost fields, in interfaces . . . . . . . . . . . . . . . . . . . . . . . 42 ghost vs. model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 ghost, modifier in refinement . . . . . . . . . . . . 128, 129
  148. GhostLocals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 goals, of JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 7 Gosling . . . . . . . . . . . . . . . 1, 12, 15, 32, 35, 37, 38, 40 goto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 grammar notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 grammar, conventions for lists . . . . . . . . . . . . . . . . . 25 grammar, start rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
  149. Greene . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 grey-box specification . . . . . . . . . . . . . . . . . . . . . . . . . 119
  150. Gries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 group, data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 group-list, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 86, 87 group-list, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86, 87 group-name, defined . . . . . . . . . . . . . . . . . . . . . . . 86, 87 group-name, used . . . . . . . . . . . . . . . . . . . . . . . . . . 86, 87 group-name-prefix, defined . . . . . . . . . . . . . . . . . . . . . 86 group-name-prefix, used . . . . . . . . . . . . . . . . . . . . . . . 86 guarded-statement, defined . . . . . . . . . . . . . . . . . . . 121 guarded-statement, used . . . . . . . . . . . . . . . . . . . . . . 121 guarded-statements, defined . . . . . . . . . . . . . . . . . . 121 guarded-statements, used . . . . . . . . . . . . . . . . . . . . . 121 guidelines, for writing assertions . . . . . . . . . . . . . . . 15
  151. Guttag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 5, 7, 8
  152. H Hall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 handbook, for LSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
  153. Handbook, for LSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 handler, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 has . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
  154. Hayes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2, 8
  155. Heavyweight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 heavyweight example . . . . . . . . . . . . . . . . . . . . . . . . . 117 heavyweight specification . . . . . . . . . . . . . . . . . . . . 4, 12 heavyweight specification case . . . . . . . . . . . . . . . . . 66 heavyweight specification, vs. lightweight . . . . . . . . 4 heavyweight-spec-case, defined . . . . . . . . . . . . . . . . . 66 heavyweight-spec-case, used. . . . . . . . . . . . . . . . . . . . 63 helper . . . . . . . . . . . . . . . . . . . . . . 30, 39, 42, 48, 52, 54 helper constructor, and invariants . . . . . . . . . . . . . . 52 helper method, and invariants . . . . . . . . . . . . . . . . . 52 helper, and invariants . . . . . . . . . . . . . . . . . . . . . . . . . . 42 helper, and private . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 hence-by-keyword, defined . . . . . . . . . . . . . . . . . . . . 113 hence-by-keyword, used . . . . . . . . . . . . . . . . . . . . . . . 113 hence-by-statement, defined . . . . . . . . . . . . . . . . . . 113 hence-by-statement, used . . . . . . . . . . . . . . . . . . . . . 110 hence_by . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 113 hence_by_redundantly . . . . . . . . . . . . . . . . . . . 30, 113 hex-digit, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 hex-digit, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 hex-integer-literal, defined . . . . . . . . . . . . . . . . . . . . . 32 hex-integer-literal, used . . . . . . . . . . . . . . . . . . . . . . . . 32 hex-numeral, defined. . . . . . . . . . . . . . . . . . . . . . . . . . . 32 hex-numeral, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 higher-order method specification . . . . . . . . . . . . . 119 history constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 history constraints, vs. helper . . . . . . . . . . . . . . . . . . 42 history-constraint, defined . . . . . . . . . . . . . . . . . . . . . 56 history-constraint, used . . . . . . . . . . . . . . . . . . . . . . . . 51
  156. Hoare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8, 11
  157. Holmes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
  158. Horning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 7, 8
  159. Huisman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  160. I ident, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 ident, used . . . 26, 36, 37, 44, 45, 48, 56, 60, 61, 76, 86, 87, 89, 91, 99, 102, 104, 105, 106, 123
  161. ident, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 if . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 60, 83, 84, 105 ignored-at-in-annotation, defined . . . . . . . . . . . . . . . 28 immutable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 immutable, vs. pure . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 implementation of interfaces . . . . . . . . . . . . . . . . . . . 37 implements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 37 implements, for classes . . . . . . . . . . . . . . . . . . . . . . . . . 38 implements-clause, defined . . . . . . . . . . . . . . . . . . . . . 37 implements-clause, used . . . . . . . . . . . . . . . . . . . . . . . 37 implication, redundant . . . . . . . . . . . . . . . . . . . . . . . 115 implication, see ==> . . . . . . . . . . . . . . . . . . . . . . . . . . 103 implications, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 115 implications, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 implicitly nullable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ImplicitOld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . implies-expr, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . implies-expr, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . implies-non-backward-expr, defined . . . . . . . . . . . . implies-non-backward-expr, used . . . . . . . . . . . . . . . implies_that. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, import. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, import definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . import, model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . import-definition, defined . . . . . . . . . . . . . . . . . . . . . . import-definition, used . . . . . . . . . . . . . . . . . . . . . . . . . in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, in-group-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . in-group-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . . in-keyword, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . in-keyword, used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . in_redundantly . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, inclusive-or-expr, defined . . . . . . . . . . . . . . . . . . . . . . inclusive-or-expr, used . . . . . . . . . . . . . . . . . . . . . . . . . InconsistentMethodSpec . . . . . . . . . . . . . . . . . . . . . . InconsistentMethodSpec2 . . . . . . . . . . . . . . . . . . . . . infinite precision numeric types . . . . . . . . . . . . . . . influences, on JML evolution . . . . . . . . . . . . . . . . . . . . informal descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . informal-description, defined . . . . . . . . . . . . . . . . . . . informal-description, used . . . . . . . . . . . . . 26, 90, information hiding, in assignable clauses . . . . . . . inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . inheritance, multiple . . . . . . . . . . . . . . . . . . . . . . . . . . . inheritance, of JML features . . . . . . . . . . . . . . . . . . . inheritance, of model methods from interfaces . . inheritance, of specifications . . . . . . . . . . . . . . . . . . . inherits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . initialization, specification that a class is . . . . . . . initializer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . initializer, and refinement . . . . . . . . . . . . . . . . . initializer, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 48, initializer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . initializer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . initializer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . initializer-list, defined . . . . . . . . . . . . . . . . . . . . . . . . . . initializer-list, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . initializers, and refinement . . . . . . . . . . . . . . . . . . . . initializers, for fields field . . . . . . . . . . . . . . . . . . . . . initially . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, initially, clause and refinement . . . . . . . . . . . . . initially-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . initially-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . . . instance . . . . . . . . . . . . . . . . 14, 30, 39, 42, 49, 55, instance constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . instance features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . instance invariant . . . . . . . . . . . . . . . . . . . . . . . . . . 52, instance vs. final, in interfaces . . . . . . . . . . . . . . . . . instance vs. static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . instanceof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, instanceof, and ownership types . . . . . . . . . . . . . instanceof, default ownership modifiers for. . .
  162. J Jackson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
  163. Jacobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7, 9
  164. Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 'java' filename suffix . . . . . . . . . . . . . . . . . . . . . . . . . Java modifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Java reserved words . . . . . . . . . . . . . . . . . . . . . . . . . . . Java virtual machine error, and method semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  165. Java vs. JML-only names, resolving conflicts . . . java-literal, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . java-literal, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 26, java-operator, defined . . . . . . . . . . . . . . . . . . . . . . . . . . java-operator, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . java-reserved-word, defined . . . . . . . . . . . . . . . . . . . . java-reserved-word, used . . . . . . . . . . . . . . . . . . . . . . . java-separator, defined . . . . . . . . . . . . . . . . . . . . . . . . . java-separator, used . . . . . . . . . . . . . . . . . . . . . . . . . . . java-special-symbol, defined . . . . . . . . . . . . . . . . . . . . java-special-symbol, used . . . . . . . . . . . . . . . . . . . . . . java-universe-reserved, defined . . . . . . . . . . . . . . . . . java.lang.Class, and \TYPE . . . . . . . . . . . . . . . . . . java.lang.Class, vs. \type() . . . . . . . . . . . . . . . . . javadoc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 'jml' filename suffix . . . . . . . . . . . . . . . . . . . . . . . . . . JML keywords, where recognized. . . . . . . . . . . . . . . JML status and plans . . . . . . . . . . . . . . . . . . . . . . . . . . . JML web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  166. JML, evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  167. JML, plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  168. JML, status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-annotation-statement, defined. . . . . . . . . . . . . jml-annotation-statement, used . . . . . . . . . . . . . . . jml-compound-statement, defined . . . . . . . . . . . . . jml-compound-statement, used . . . . . . . . . . . . . . . . jml-data-group-clause, defined . . . . . . . . . . . . . . . . . jml-data-group-clause, used . . . . . . . . . . . . . . . . . . . . jml-declaration, defined . . . . . . . . . . . . . . . . . . . . . . . . jml-declaration, used . . . . . . . . . . . . . . . . . . . . . . . . . . jml-keyword, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-modifier, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-modifier, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . JML-only vs. Java names, resolving conflicts . . . jml-predicate-keyword, defined . . . . . . . . . . . . . . . . . jml-predicate-keyword, used . . . . . . . . . . . . . . . . . . . jml-primary, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-primary, used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-special-symbol, defined . . . . . . . . . . . . . . . . . . . . jml-special-symbol, used . . . . . . . . . . . . . . . . . . . . . . . jml-specs, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-specs, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-statement, defined . . . . . . . . . . . . . . . . . . . . . . . . jml-statement, used. . . . . . . . . . . . . . . . . . . . . . . . . . . jml-tag, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-tag, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jml-universe-keyword, defined . . . . . . . . . . . . . . . . . . jml-universe-keyword, used . . . . . . . . . . . . . . . . . . . . jml-universe-pkeyword, defined . . . . . . . . . . . . . . . . . jml-universe-pkeyword, used . . . . . . . . . . . . . . . . . . . jml-var-assertion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . maps-into-clause, used . . . . . . . . . . . . . . . . . . . . . 86, 87 maps-keyword, defined . . . . . . . . . . . . . . . . . . . . . . . . . 87 maps-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 maps-member-ref-expr, defined. . . . . . . . . . . . . . . . . 87 maps-member-ref-expr, used . . . . . . . . . . . . . . . . . . . 87 maps-spec-array-dim, defined . . . . . . . . . . . . . . . . . . 87 maps-spec-array-dim, used . . . . . . . . . . . . . . . . . . . . . 87 maps_redundantly . . . . . . . . . . . . . . . . . . . . . . . . . 30, 87
  169. Marinov . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 matching, of implemetations to model programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 max of a set of lock objects . . . . . . . . . . . . . . . . . . . . 98 max-expression, defined . . . . . . . . . . . . . . . . . . . . . . . . 98 max-expression, used . . . . . . . . . . . . . . . . . . . . . . . . . . 90 maximum, see \max. . . . . . . . . . . . . . . . . . . . . . . . . . . 100 meaning of expressions in JML. . . . . . . . . . . . . . . . . 15 measured by clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 measured-by-keyword, defined . . . . . . . . . . . . . . . . . 83 measured-by-keyword, used . . . . . . . . . . . . . . . . . . . . 83 measured-clause, defined . . . . . . . . . . . . . . . . . . . . . . . 83 measured-clause, used . . . . . . . . . . . . . . . . . . . . . 64, 122 measured_by . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 67, 83 measured_by_redundantly . . . . . . . . . . . . . . . . . 30, 83 member-decl, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 44 member-decl, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 member-field-ref, defined . . . . . . . . . . . . . . . . . . . . . . . 87 member-field-ref, used . . . . . . . . . . . . . . . . . . . . . . . . . 87 method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 44, 132 method body, in refinements . . . . . . . . . . . . . . . . . . 128 method call, space used by . . . . . . . . . . . . . . . . . . . . . 96 method calls, and invariants . . . . . . . . . . . . . . . . . . . 52 method calls, and ownership typing rules . . . . . 138 method declaration, refining . . . . . . . . . . . . . . . . . . 128 method refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 method specification . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 method specification semantics, and exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 method specification, omitted . . . . . . . . . . . . . . . . . . 65 method, behavior of . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 method, helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 method, model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 method, pure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 method-body, defined. . . . . . . . . . . . . . . . . . . . . . . . . . 44 method-body, used . . . . . . . . . . . . . . . . . . . . . . . 44, 132 method-decl, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 method-decl, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 method-head, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 44 method-head, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 method-name, defined . . . . . . . . . . . . . . . . . . . . . . . . . 56 method-name, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 method-name-list, defined . . . . . . . . . . . . . . . . . . . . . 56 method-name-list, used . . . . . . . . . . . . . . . . . 56, 83, 94 method-or-constructor-keyword, defined . . . . . . . . 44 method-or-constructor-keyword, used . . . . . . . . . . 44 method-ref, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 method-ref, used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 method-ref-rest, defined. . . . . . . . . . . . . . . . . . . . . . . . 56 method-ref-rest, used . . . . . . . . . . . . . . . . . . . . . . . . . . 56 method-ref-start, defined. . . . . . . . . . . . . . . . . . . . . . . method-ref-start, used . . . . . . . . . . . . . . . . . . . . . . . . . method-specification, defined . . . . . . . . . . . . . . . . . . method-specification, in documentation comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . method-specification, used . . . . . . . . . 28, 44, 49, methodology, and JML . . . . . . . . . . . . . . . . . . . . . . . . .
  170. Meyer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 5, microsyntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . microsyntax, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . minimum, see \min . . . . . . . . . . . . . . . . . . . . . . . . . . . model . . . . . . . . . . . . . 3, 11, 30, 36, 38, 39, 41, 45, model and final . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model and pure, constructors . . . . . . . . . . . . . . . . . . model and pure, methods . . . . . . . . . . . . . . . . . . . . . . model and static, in interfaces . . . . . . . . . . . . . . . . . model classes, vs. pure classes . . . . . . . . . . . . . . . . . . model constructor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model features, and namespace issues . . . . . . . . . . model field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3, model fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model fields, from spec_protected. . . . . . . . . . . . . model fields, from spec_public . . . . . . . . . . . . . . . . model fields, in interfaces . . . . . . . . . . . . . . . . . . . . . . model fields, of an ADT . . . . . . . . . . . . . . . . . . . . . . . . model import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model import definition . . . . . . . . . . . . . . . . . . . . . . . . model import, vs. import . . . . . . . . . . . . . . . . . . . . . . model method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11, model method, in refinements . . . . . . . . . . . . . . . . . model methods, vs. pure methods . . . . . . . . . . . . . . model program, ideas behind . . . . . . . . . . . . . . . . . model program, matching of . . . . . . . . . . . . . . . . . . model program, via extract . . . . . . . . . . . . . . . . . . . model type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model type, vs. pure type used for modeling. . . . model vs. ghost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model, in refinements . . . . . . . . . . . . . . . . . . . . . . . . . model, meaning of . . . . . . . . . . . . . . . . . . . . . . . . . . . . . model, modifier in refinement . . . . . . . . . . . . . . . . . model, type definition modifier . . . . . . . . . . . . . . . . . model-oriented specification . . . . . . . . . . . . . . . . . . . . . model-prog-statement, defined . . . . . . . . . . . . . . . . model-prog-statement, used . . . . . . . . . . . . . . . . . . . model-program, defined . . . . . . . . . . . . . . . . . . . . . . . model-program, used . . . . . . . . . . . . . . . . . . . . . . . . . . model_program . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, modifiable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, modifiable clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . modifiable clause, omitted . . . . . . . . . . . . . . . . . . . . . modifiable_redundantly . . . . . . . . . . . . . . . . . . 30, modifier ordering, suggested . . . . . . . . . . . . . . . . . . . modifier, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . modifier, general description of. . . . . . . . . . . . . . . . . modifier, pure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . modifier, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . modifiers for bound variables . . . . . . . . . . . . . . . . . normal_example . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 117 normal_example, used . . . . . . . . . . . . . . . . . . . . . . . . 117 not-assigned-expression, defined . . . . . . . . . . . . . . . . 92 not-assigned-expression, used . . . . . . . . . . . . . . . . . . 90 not-modified-expression, defined . . . . . . . . . . . . . . . 93 not-modified-expression, used . . . . . . . . . . . . . . . . . . 90 notation, and methodology. . . . . . . . . . . . . . . . . . . . . . 6 notations, grammar . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 notations, syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 nowarn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26, 30 nowarn-label, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 26 nowarn-label, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 nowarn-label-list, defined . . . . . . . . . . . . . . . . . . . . . . 26 nowarn-label-list, used . . . . . . . . . . . . . . . . . . . . . . . . . 26 nowarn-pragma, defined . . . . . . . . . . . . . . . . . . . . . . . 26 nowarn-pragma, used . . . . . . . . . . . . . . . . . . . . . . . . . . 26 NSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 null . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 32, 89, 102 null-literal, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 null-literal, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 nullable . . . . . . . . . . . . . 16, 30, 39, 43, 102, 106, 167 nullable, explicitly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 nullable, implicitly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 nullable, modifier in refinement . . . . . . . . . . . . . . 128 nullable_by_default . . . . . . . . . . . . . 30, 39, 43, 167 numeric types, arbitrary precision. . . . . . . . . . . . . 140 numerical quantifier, see \num_of . . . . . . . . . . . . . 101
  171. O object invariant, alternative terms for . . . . . . . . . . 55 octal-digit, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 octal-digit, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 octal-escape, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 octal-escape, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 octal-integer-literal, defined . . . . . . . . . . . . . . . . . . . . 32 octal-integer-literal, used. . . . . . . . . . . . . . . . . . . . . . . 32 octal-numeral, defined . . . . . . . . . . . . . . . . . . . . . . . . . 32 octal-numeral, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 old . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 67, 68, 74 old-expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 old-expression, defined . . . . . . . . . . . . . . . . . . . . . . . . . 91 old-expression, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 old-var-declarator, defined . . . . . . . . . . . . . . . . . . . . . 74 old-var-declarator, used . . . . . . . . . . . . . . . . . . . . . . . . 74 old-var-decls, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 74 old-var-decls, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 omitted specification, meaning of . . . . . . . . . . . . . . 65 only-accessed-expression, defined . . . . . . . . . . . . . . . 93 only-assigned-expression, defined . . . . . . . . . . . . . . . 94 only-called-expression, defined . . . . . . . . . . . . . . . . . 94 only-captured-expression, defined . . . . . . . . . . . . . . 95 open classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 operator precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 operator, of LSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 operators, added to JML . . . . . . . . . . . . . . . . . . . . . 103 optional elements in syntax . . . . . . . . . . . . . . . . . . . . 25 or . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 121 overriding method, meaning of omitted specification for . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 overriding methods, and pure . . . . . . . . . . . . . . . . . . 39 owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 owner-as-modifier property . . . . . . . . . . . . . . . . . . . 134 ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 ownership context . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 ownership context, root . . . . . . . . . . . . . . . . . . . . . . . 134 ownership modifiers for array types . . . . . . . . . . . 136 ownership modifiers for types, defaults . . . . . . . . 137 ownership types and type checking . . . . . . . . . . . . 138 ownership types, and subtyping . . . . . . . . . . . . . . . 138 ownership-modifier, defined . . . . . . . . . . . . . . . . . . . 133 ownership-modifier, used . . . . . . . . . . . . . . . . . 106, 133 ownership-modifiers, defined . . . . . . . . . . . . . . . . . . 133 ownership-modifiers, used . . . . . . . . . . . . . . . . . . . . . . 49
  172. P package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 36 package definition, satisfaction of . . . . . . . . . . . . . . 36 package definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 package visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 package-definition, defined . . . . . . . . . . . . . . . . . . . . . 36 package-definition, used . . . . . . . . . . . . . . . . . . . . . . . . 35 paragraph-tag, defined . . . . . . . . . . . . . . . . . . . . . . . . . 29 paragraph-tag, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 param-declaration, defined . . . . . . . . . . . . . . . . . . . . . 45 param-declaration, used . . . . . . . . . . . . . . . . . . . 45, 105 param-declaration-list, defined . . . . . . . . . . . . . . . . . 45 param-declaration-list, used . . . . . . . . . . . . . . . . . . . . 45 param-disambig, defined . . . . . . . . . . . . . . . . . . . . . . . 56 param-disambig, used . . . . . . . . . . . . . . . . . . . . . . . . . . 56 param-disambig-list, defined . . . . . . . . . . . . . . . . . . . 56 param-disambig-list, used . . . . . . . . . . . . . . . . . . . . . . 56 param-modifier, defined . . . . . . . . . . . . . . . . . . . . . . . . 45 param-modifier, used . . . . . . . . . . . . . . . . . . . . . 45, 132
  173. Parnas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 parsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 partial correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 133, 134, 135 plans, for JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
  174. Poetzsch-Heffter . . . . . . . . . . . . . . . 9, 53, 54, 133, 134
  175. Poll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 portability, and language levels . . . . . . . . . . . . . . . . 17 possibly-annotated-loop, defined . . . . . . . . . . . . . . 106 possibly-annotated-loop, used . . . . . . . . . . . . . . . . . 105 post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 75 post-state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 post_redundantly . . . . . . . . . . . . . . . . . . . . . . . . . 30, 75 postcondition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 5, 8 postcondition, exceptional . . . . . . . . . . . . . . . 2, 76, 78 postcondition, normal . . . . . . . . . . . . . . . . . . . . . . . 2, 75 postcondition, via non_null . . . . . . . . . . . . . . . . . . . 44 postfix-expr, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 postfix-expr, used . . . . . . . . . . . . . . . . . . . . . . . . . 89, 102
  176. Potter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53, 134 refinement of field declarations . . . . . . . . . . . . . . . . 128 refinement of methods . . . . . . . . . . . . . . . . . . . . . . . . 127 refinement, of model program specification . . . . 119 refines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 126 refining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 111 refining method declaration . . . . . . . . . . . . . . . . . . . 128 refining statement . . . . . . . . . . . . . . . . . . . . . . . 111, 120 refining-statement, defined . . . . . . . . . . . . . . . . . . . . 111 refining-statement, used . . . . . . . . . . . . . . . . . . . . . . 110 reflection in assertions . . . . . . . . . . . . . . . . . . . . . . . . . 98 reflection, vs. \bigint and \real . . . . . . . . . . . . . 140 relational abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . 59 relational-expr, defined . . . . . . . . . . . . . . . . . . . . . . . . 89 relational-expr, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 rep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 133, 134 repeated elements in syntax . . . . . . . . . . . . . . . . . . . . 25 replaced syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 representation exposure . . . . . . . . . . . . . . . . . . . 39, 134 represents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 59 represents-clause, defined . . . . . . . . . . . . . . . . . 59, 141 represents-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . 51 represents-keyword, defined . . . . . . . . . . . . . . . . . . . . 59 represents-keyword, used . . . . . . . . . . . . . . . . . . 59, 141 represents_redundantly . . . . . . . . . . . . . . . . . . 30, 59 requires . . . . . . . . . . . . . . . . . . . . . 4, 15, 30, 67, 68, 75 requires clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 requires clause, omitted . . . . . . . . . . . . . . . . . . . . . . . . 75 requires-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . 75 requires-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 requires-keyword, defined . . . . . . . . . . . . . . . . . . . . . . 75 requires-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . 75 requires_redundantly . . . . . . . . . . . . . . . . . . . . 30, 75 resend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 reserved words . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 reserved-ownership-modifier, defined . . . . . . . . . . 133 reserved-ownership-modifier, used . . . . . . . . . . . . . 133 resources, specification of . . . . . . . . . . . . . . . . . . . . . . 96 result-expression, defined . . . . . . . . . . . . . . . . . . . . . . 91 result-expression, used . . . . . . . . . . . . . . . . . . . . . . . . . 90 return . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 105 return, carriage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 returns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 123 returns-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . 123 returns-clause, used . . . . . . . . . . . . . . . . . . . . . . . . . . 122 returns-keyword, defined . . . . . . . . . . . . . . . . . . . . . . 123 returns-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . 123 returns_redundantly . . . . . . . . . . . . . . . . . . . . 30, 123 reverse implication, see <== . . . . . . . . . . . . . . . . . . . 103
  177. Rinard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
  178. Rioux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
  179. Rockwell International Corporation . . . . . . . . . . . . .
  180. Rodriguez . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 root ownership context . . . . . . . . . . . . . . . . . . . . . . . 134
  181. Rosenblum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
  182. Ruby . . . . . . . . . . . . . . 1, 4, 7, 12, 14, 15, 45, 117, 124
  183. RuntimeException, and default signals clause . .
  184. S Salcianu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . same field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . same method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . satisfaction of a package definition . . . . . . . . . . . . . Saxe . . . . . . . . . . . . . . . . . . . . . . . . 1, 14, 28, 42, 49, Schneider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . semantics of non-helper method specifications . . semantics, of examples . . . . . . . . . . . . . . . . . . . . . . . . separating code and specification . . . . . . . . . . . . . separating specification and code . . . . . . . . . . . . . sequence vs. list, in grammar . . . . . . . . . . . . . . . . . . sequential behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, set comprehension . . . . . . . . . . . . . . . . . . . . . . . . . . . . set-comprehension, defined. . . . . . . . . . . . . . . . . . . . set-comprehension, used . . . . . . . . . . . . . . . . . . . . . . . set-statement, defined . . . . . . . . . . . . . . . . . . . . . . . . set-statement, used . . . . . . . . . . . . . . . . . . . . . . . . . . . Shaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . shift-expr, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . shift-expr, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . shift-op, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . shift-op, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . short . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, sign, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . sign, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . signals. . . . . . . . . . . . . . . . . . . . . . . . . 30, 67, 69, 76, signals clause, default for . . . . . . . . . . . . . . . . . . . . . . signals clause, omitted . . . . . . . . . . . . . . . . . . . . . . . . . signals vs. signals_only . . . . . . . . . . . . . . . . . . . . . signals-clause, defined. . . . . . . . . . . . . . . . . . . . . . . . . . signals-clause, used . . . . . . . . . . . . . . . . . . . . . . . 64, signals-keyword, defined . . . . . . . . . . . . . . . . . . . . . . . signals-keyword, used . . . . . . . . . . . . . . . . . . . . . . . . . . signals-only-clause, defined . . . . . . . . . . . . . . . . . . . . . signals-only-clause, used . . . . . . . . . . . . . . . . . . . . . . signals-only-clauses, multiple . . . . . . . . . . . . . . . . . . signals-only-keyword, defined . . . . . . . . . . . . . . . . . . signals-only-keyword, used . . . . . . . . . . . . . . . . . . . . . signals_only . . . . . . . . . . . . . . . . . . . 30, 67, 69, 73, signals_only, default for . . . . . . . . . . . . . . . . . . . . . . signals only, in comparing specifications . . . . . . signals_only_redundantly . . . . . . . . . . . . . . . . 30, signals_redundantly . . . . . . . . . . . . . . . . . . . . . . 30, SignalsClause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . signed-integer, defined . . . . . . . . . . . . . . . . . . . . . . . . . signed-integer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . simple-spec-body, defined . . . . . . . . . . . . . . . . . . . . . . simple-spec-body, used . . . . . . . . . . . . . . . . . . . . 64, simple-spec-body-clause, defined . . . . . . . . . . . . . . . simple-spec-body-clause, used . . . . . . . . . . . . . . . . . . simple-spec-statement-body, defined . . . . . . . . . . simple-spec-statement-body, used . . . . . . . . . . . . . simple-spec-statement-clause, defined . . . . . . . . . simple-spec-statement-clause, used . . . . . . . . . . . . single line comment, see C++-Style comment . . . single quote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . single-character, defined . . . . . . . . . . . . . . . . . . . . . . . 32 single-character, used . . . . . . . . . . . . . . . . . . . . . . . . . . 32 space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 space, specification of . . . . . . . . . . . . . . . . . . . . . . . . . . 96 space, taken up by an object . . . . . . . . . . . . . . . . . . . 96 space-expression, defined. . . . . . . . . . . . . . . . . . . . . . . 96 space-expression, used . . . . . . . . . . . . . . . . . . . . . . . . . 90 spaces, defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 spaces, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 spec-array-initializer, defined . . . . . . . . . . . . . . . . . . . 99 spec-array-initializer, used . . . . . . . . . . . . . . . . . . . . . 99 spec-array-ref-expr, defined . . . . . . . . . . . . . . . . . . . 104 spec-array-ref-expr, used . . . . . . . . . . . . . . . . . . 87, 104 spec-case, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 spec-case, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 spec-case-seq, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 62 spec-case-seq, used . . . . . . . . . . . . . . . . . . . . . . . . 62, 115 spec-expression, defined . . . . . . . . . . . . . . . . . . . . . . . . 88 spec-expression, used . . . . 59, 83, 84, 88, 91, 95, 96, 97, 98, 99, 104, 109, 141 spec-expression-list, defined . . . . . . . . . . . . . . . . . . . . 88 spec-expression-list, used . . . . . . . . . . . . . . . . . . . 61, 95 spec-header, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 spec-header, used . . . . . . . . . . . . . . . . . . . . 64, 117, 122 spec-initializer, defined . . . . . . . . . . . . . . . . . . . . . . . . 99 spec-initializer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 spec-quantified-expr, defined . . . . . . . . . . . . . . . . . . . 99 spec-quantified-expr, used. . . . . . . . . . . . . . . . . . . . . . 90 spec-statement, defined . . . . . . . . . . . . . . . . . . . . . . . 122 spec-statement, used . . . . . . . . . . . . . . . . . . . . . 111, 121 spec-var-decls, defined . . . . . . . . . . . . . . . . . . . . . . . . . 74 spec-var-decls, used . . . . . . . . . . . . . . . . . . 64, 117, 122 spec-variable-declarator, defined . . . . . . . . . . . . . . . 99 spec-variable-declarator, used . . . . . . . . . . . . . . . . . . 99 spec-variable-declarators, defined. . . . . . . . . . . . . . . 99 spec-variable-declarators, used . . . . . . . . . . . . . . . . . 74 spec_bigint_math . . . . . . . . . . . . . . 30, 38, 39, 42, 43 spec_java_math . . . . . . . . . . . . . . . . 30, 38, 39, 42, 43 spec_protected . . . . . . . . . . . . . . . . . . 2, 14, 30, 39, 41 spec_protected, as a model field shorthand . . . 14 spec_protected, modifier in refinement . . . . . . . 128 spec_public . . . . . . . . . . . . . . . . . . . . . 2, 14, 30, 39, 41 spec_public, as a model field shorthand . . . . . . . 14 spec_public, modifier in refinement . . . . . . . . . . 128 spec_safe_math . . . . . . . . . . . . . . . . 30, 38, 39, 42, 43 special symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 special-symbol, defined . . . . . . . . . . . . . . . . . . . . . . . . 32 special-symbol, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 specializer, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 specializer, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 specification for subtypes . . . . . . . . . . . . . . . . . . . . . 124 specification statement . . . . . . . . . . . . . . . . . . . . . . . 120 specification, completely omitted . . . . . . . . . . . . . . . 65 specification, completeness of . . . . . . . . . . . . . . . . . . . 4 specification, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 specification, heavyweight. . . . . . . . . . . . . . . . . . . . . . 12 specification, in refining statement . . . . . . . . . . . . 111 specification, lightweight . . . . . . . . . . . . . . . . . . . . . . . 12 specification, of interface behavior . . . . . . . . . . . . . . . specification, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . specification-only type . . . . . . . . . . . . . . . . . . . . . . . . . specifications for non-helper methods, semantics of . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . specifications inheritance . . . . . . . . . . . . . . . . . . . . . . specifying examples. . . . . . . . . . . . . . . . . . . . . . . . . . . Spivey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2, stars-non-close, defined . . . . . . . . . . . . . . . . . . . . . . . . stars-non-close, used . . . . . . . . . . . . . . . . . . . . . . . . . . . stars-non-slash, defined . . . . . . . . . . . . . . . . . . . . . . . . stars-non-slash, used . . . . . . . . . . . . . . . . . . . . . . . . . . . start rule, in JML grammar . . . . . . . . . . . . . . . . . . . .
  185. Stata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9, state, post-state of a call . . . . . . . . . . . . . . . . . . . . . . . state, pre-state of a call . . . . . . . . . . . . . . . . . . . . . . . . state, visible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . statement, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . statement, refining . . . . . . . . . . . . . . . . . . . . . . . . . . . statement, used . . . . . . . . . . . . . . . . 105, 106, 111, static . . . . . . . . . . . . . . . . . . . . . . 14, 30, 39, 49, 55, static constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . static features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . static invariant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52, static, modifier in refinement . . . . . . . . . . . 127, static_initializer . . . . . . . . . . . . . . . . . . . . . . . . . . static_initializer, and refinement . . . . . . . . . static_initializer, used . . . . . . . . . . . . . . . . . . . . . status, of JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  186. Steele . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Steyaert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . store-ref, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . store-ref, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82, store-ref-expression, defined . . . . . . . . . . . . . . . . . . . store-ref-expression, used . . . . . . . . . . . . . 59, 104, store-ref-keyword, defined . . . . . . . . . . . . . . . . . . . . . store-ref-keyword, used . . . . . . . . . . . . . . . . . . . . 83, store-ref-list, defined . . . . . . . . . . . . . . . . . . . . . . . . . . store-ref-list, used . . . . . . . . . . . 82, 83, 92, 93, 94, store-ref-name, defined . . . . . . . . . . . . . . . . . . . . . . . store-ref-name, used . . . . . . . . . . . . . . . . . . . . . . . . . . store-ref-name-suffix, defined. . . . . . . . . . . . . . . . . . store-ref-name-suffix, used . . . . . . . . . . . . . . . . . . . . strictfp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, string-literal, defined. . . . . . . . . . . . . . . . . . . . . . . . . . . string-literal, used . . . . . . . . . . . . . . . . . . . . . . . . 32, strong validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subclass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subclassing_contract, replaced by code_contract . . . . . . . . . . . . . . . . . . . . . . . . . . subtype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subtype relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subtype, for an interface . . . . . . . . . . . . . . . . . . . . . . . subtype, of an interface . . . . . . . . . . . . . . . . . . . . . . . . subtypes, specification for . . . . . . . . . . . . . . . . . . . . subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . subtyping, for arrays, with ownership types . . . subtyping, for ownership types . . . . . . . . . . . . . . . . suffixes, of filenames . . . . . . . . . . . . . . . . . . . . . . . . . . 126
  187. SumArrayLoop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 summation, see \sum . . . . . . . . . . . . . . . . . . . . . . . . . 100 super . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 56, 86, 89, 104 superclass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 supertypes, specification of . . . . . . . . . . . . . . . . . . . 124 switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 105 switch-body, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 105 switch-body, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 switch-label, defined . . . . . . . . . . . . . . . . . . . . . . . . . . 105 switch-label, used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 switch-label-seq, defined . . . . . . . . . . . . . . . . . . . . . . 105 switch-label-seq, used . . . . . . . . . . . . . . . . . . . . . . . . . 105 switch-statement, defined . . . . . . . . . . . . . . . . . . . . . 105 switch-statement, used. . . . . . . . . . . . . . . . . . . . . . . . 105 synchronized . . . . . . . . . . . . . . . . . . . . . . . . . 30, 39, 105 syntax notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 syntax options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 syntax, deprecated . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 syntax, replaced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
  188. T tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26, 32 table of precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 tagged-paragraph, defined . . . . . . . . . . . . . . . . . . . . . 28 tagged-paragraph, used . . . . . . . . . . . . . . . . . . . . . . . . 28
  189. Tan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 target-label, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 terminal symbols, notation . . . . . . . . . . . . . . . . . . . . . 25 termination, of pure methods . . . . . . . . . . . . . . . . . . 46 terminology, for invariants . . . . . . . . . . . . . . . . . . . . . 55 this . . . . . . . . . . . . . . . 30, 55, 56, 58, 86, 89, 104, 135 this, and rep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 thread, specifying locks held by . . . . . . . . . . . . . . . . 98 threads, specification of . . . . . . . . . . . . . . . . . . . . . . . . . 6 throw. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 105 throws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 44, 79 throws-clause, defined . . . . . . . . . . . . . . . . . . . . . . . . . 44 throws-clause, used . . . . . . . . . . . . . . . . . . . . . . . 44, 132 time, specification of . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 time, virtual machine cycle . . . . . . . . . . . . . . . . . . . . 96 token, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 token, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 tool support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 tools and annotations . . . . . . . . . . . . . . . . . . . . . . . . . . 28 tools, advice for builders of . . . . . . . . . . . . . . . . . . . . 17 top-level-definition, defined . . . . . . . . . . . . . . . . . . . . 35 top-level-definition, used . . . . . . . . . . . . . . . . . . . . . . . 35 total correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 trait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 trait function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 transient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 39 true . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 32, 89 try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 105 try-block, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 try-block, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 two-valued logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 type checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 type checking, with ownership types . . . . . . . . . . 138 type definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 type specs, for declarations . . . . . . . . . . . . . . . . . . . . 49 type system, Universe . . . . . . . . . . . . . . . . . . . . . . . . 133 type, abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 type, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 type, modifiers for declarations of . . . . . . . . . . . . . . 38 type, specifying in a declaration. . . . . . . . . . . . . . . . 49 type, used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49, 89, 98 type-definition, defined . . . . . . . . . . . . . . . . . . . . . . . . 37 type-definition, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 type-expression, defined. . . . . . . . . . . . . . . . . . . . . . . . 98 type-expression, used . . . . . . . . . . . . . . . . . . . . . . . . . . 90 type-spec, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 type-spec, used . . . . . 44, 45, 48, 56, 74, 89, 99, 102, 132 typeof expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 typeof-expression, defined . . . . . . . . . . . . . . . . . . . . . . 97 typeof-expression, used . . . . . . . . . . . . . . . . . . . . . . . . 90 types, comparing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 types, marking in expressions . . . . . . . . . . . . . . . . . . 98
  190. U unary-expr, defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 unary-expr, used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 unary-expr-not-plus-minus, defined . . . . . . . . . . . . . 89 unary-expr-not-plus-minus, used . . . . . . . . . . . . . . . 89 undefinedness, in expression evaluation . . . . . . . . . 15 underspecified total functions . . . . . . . . . . . . . . . . . . 15 unicode-escape, defined . . . . . . . . . . . . . . . . . . . . . . . . 32 unicode-escape, used . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 uninitialized . . . . . . . . . . . . . . . . . . . . . . . . . 30, 39, 42
  191. Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Universe keywords, where recognized . . . . . . . . . . . 30 universe type system . . . . . . . . . . . . . . . . . . . . . . . . . 133 Universe type system . . . . . . . . . . . . . . . . . . . . . . . . . 133 Universe type system syntax . . . . . . . . . . . . . . . . . . . 30 Universe type system, basic concepts. . . . . . . . . . 134 universe type system, options for . . . . . . . . . . . . . 133 unreachable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 112 unreachable-statement, defined . . . . . . . . . . . . . . . 112 unreachable-statement, used . . . . . . . . . . . . . . . . . . 110 usefulness, of JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 uses, of JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 utility, of JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  192. V validity, of assertions . . . . . . . . . . . . . . . . . . . . . . . . . . 15 validity, strong . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 value, abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 value-specializer, defined . . . . . . . . . . . . . . . . . . . . . . 132 value-specializer, used . . . . . . . . . . . . . . . . . . . . . . . . 132
  193. van den Berg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 variable-declarator, defined . . . . . . . . . . . . . . . . . . . . 48 variable-declarator, used . . . . . . . . . . . . . . . . . . . . . . . 48 variable-declarators, defined . . . . . . . . . . . . . . . . . . . 48 variable-declarators, used . . . . . . . . . . . . . . . . . . . . . . 48 variable-decls, defined . . . . . . . . . . . . . . . . . . . . . . . . . 48 variable-decls, used . . . . . . . . . . . . . . . . . . . . . . . 48, 105 variable-definition, defined . . . . . . . . . . . . . . . . . . . . . 48 variable-definition, used . . . . . . . . . . . . . . . . . . . . . . . . 44 variant-function, defined . . . . . . . . . . . . . . . . . . . . . . 109 variant-function, used . . . . . . . . . . . . . . . . . . . . . . . . 106 VDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  194. VDM-SL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 vertical tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
  195. Vickers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 virtual machine cycle time . . . . . . . . . . . . . . . . . . . . . 96 visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7, 12 visibility, in JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 visibility, in lightweight specifications . . . . . . . . . . 14 visibility, in method specifications . . . . . . . . . . . . . . 63 visible state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 visible state, for a type . . . . . . . . . . . . . . . . . . . . . . . . 52
  196. Vitek . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53, 134 vocabulary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 void . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 89 void and pure methods . . . . . . . . . . . . . . . . . . . . . . . . 47 volatile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 39
  197. von Wright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8, 119

Related papers

Adding native specifications to JML
Julien Charles

2006

In the specification language JML we can see pure methods as a way to express user-defined predicates that will simplify the annotations. We take this idea a step further in allowing to only declare these predicates in JML without giving an explicit definition. The explicit definition is done directly in the language to which the Java program and the specifications are translated. To this end we introduce a new keyword to JML, the keyword native. To facilitate these definitions we have enabled the user to define also native types in the same way. In this paper we will describe these new constructs as well as their implementation in Jack, and their application to JML's libraries and model fields.

View PDFchevron_right
JML: A Notation for Detailed Design
Gary Leavens

Behavioral Specifications of Businesses and Systems, 1999

View PDFchevron_right
JML’s Rich, Inherited Specifications for Behavioral Subtypes
G. Leavens

Lecture Notes in Computer Science, 2006

The Java Modeling Language (JML) is used to specify detailed designs for Java classes and interfaces. It has a particularly rich set of features for specifying methods. This paper describes those features, with particular emphasis on the features related to specification inheritance. It shows how specification inheritance in JML forces behavioral subtyping, through a discussion of semantics and examples. It also describes a notion of modular reasoning based on static type information, supertype abstraction, which is made valid in JML by methodological restrictions on invariants, history constraints, and initially clauses and by behavioral subtyping.

View PDFchevron_right
Desugaring JML Method Specifications
Gary Leavens

2000

JML, which stands for &quot;Java Modeling Language,&quot; is a behavioral interface specification lan- guage (BISL) designed to specify Java modules. JML features a great deal of syntactic sugar that is designed to make specifications more expressive. This paper presents a desugaring process that boils down all of the syntactic sugars in JML into a much simpler form. This desugaring will

View PDFchevron_right
An overview of JML tools and applications1
Dermot Cochran

2003

The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java programmers and that is supported by a wide range of tools for specification typechecking, runtime debugging, static analysis, and verification.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved