Extensions of the theory of observational purity and a practical design for JML

To prevent erratic behavior during runtime checking, JML only allows assertions to call pure, i.e., side-effect-free, methods. However, JML's notion of purity checking is too conservative. For example, Object's equals method needs to be used in assertions, but some classes use side effects in their equals method to maintain hidden caches or to trigger lazy evaluation, and so these methods cannot be pure in JML's sense. To handle such cases, JML and similar interface specification languages need a less conservative notion of pure methods. In this paper we apply and slightly extend the existing theory of "observationally pure" methods to JML, and explain our language design. This design is practical and accommodates common uses. Our extension of current theory provides appropriate encapsulation combined with inheritance, invariants, method specifications, frame conditions, secret helper methods, and multiple sets of secret state locations. We also introduce a semantics for static analysis that preserves correctness without imposing non-interference.
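The situation the abstract describes, as an added illustration that is not code from the paper: a Java class whose equals method lazily fills a hidden cache through a secret helper. The class and field names are invented; JML's `/*@ pure @*/` modifier is real, and the cache write is exactly what it forbids.

```java
// Constructed example: equals() depends on a lazily filled, hidden cache.
// The write to 'normalized' is a side effect, so JML's /*@ pure @*/ would
// reject equals() even though no client can observe the write: every
// public result is identical whether or not the cache has been filled.
public final class CaseInsensitiveName {
    private final String raw;
    private String normalized;          // secret state: null until first use

    public CaseInsensitiveName(String raw) {
        this.raw = raw;
    }

    // Secret helper method: the only place the hidden cache is written.
    // The effect is confined to 'normalized', which no public method exposes
    // other than through values that do not depend on whether it is cached.
    private String normalized() {
        if (normalized == null) {
            normalized = raw.trim().toLowerCase();   // the disputed side effect
        }
        return normalized;
    }

    // Observationally pure: its result is a function of 'raw' alone.
    // Marking it /*@ pure @*/ in JML fails because normalized() writes a field.
    @Override
    public boolean equals(Object o) {
        return o instanceof CaseInsensitiveName
            && ((CaseInsensitiveName) o).normalized().equals(normalized());
    }

    @Override
    public int hashCode() {
        return normalized().hashCode();
    }

    // Calling equals() from an assertion must not change program behaviour.
    // Run with and without -ea: the observable results are the same either way,
    // which is the property the weaker purity notion is meant to guarantee.
    public static void main(String[] args) {
        CaseInsensitiveName a = new CaseInsensitiveName(" Alice ");
        CaseInsensitiveName b = new CaseInsensitiveName("alice");
        assert a.equals(b);              // fills both caches only if -ea is on
        boolean later = a.equals(b);     // same answer whether caches were filled
        System.out.println("equal: " + later + ", hash match: "
            + (a.hashCode() == b.hashCode()));
    }
}
```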