Symbolic Animation of JML Specifications * Fabrice Bouquet, Fr´ ed´ eric Dadeau, Bruno Legeard, and Mark Utting Laboratoire d’Informatique (LIFC), Universit´ e de Franche-Comt´ e, CNRS - INRIA, 16, route de Gray - 25030 Besan¸ con cedex, France {bouquet, dadeau, legeard, utting}@lifc.univ-fcomte.fr Abstract. This paper presents a model-based framework for the sym- bolic animation of object-oriented specifications. A customized set-theo- retic solver is used to simulate the execution of the system and han- dle constraints on state variables. We define a framework for animating object-oriented specifications with dynamic object creations, interactions and inheritance. We show how this technique can be applied to Java Modeling Language (JML) specifications, making it possible to animate Java programs that only contain method interfaces and no code! Keywords: Java Modeling Language, JML, model-based, object-oriented, symbolic animation. 1 Introduction The use of formal models is a common practice in the software design process. A variety of modeling languages, such as B [1], Z [15], and UML [14] enriched with OCL [17] constraints, are available for specifying and analyzing systems before they are implemented. JML (Java Modeling Language) [9] is a relatively recent modeling language that is targeted at specifying Java classes and interfaces. It is an extension of Java which allows formal specifications to be written within the Java comment syntax. It allows invariants to be added to constrain the class variables and preconditions and postconditions to be added to Java methods to describe their behavior. This paper describes an animation framework for JML, implemented in a tool, which can assist specifiers to validate their JML specifications. When developing a formal model of a system, it is important to be able to both verify and validate the model. Verification involves checking various proper- ties of the model itself, to ensure that it is consistent, well-typed, that invariants are preserved, etc. On the other hand, validation involves checking the model against the informal system requirements, to ensure that the desired behavior has been specified. Animation is one of the most important techniques for vali- dating models. Animation consists of simulating the execution of the system, by * This work has been realized within the GECCOO project of program “ACI S´ ecurit´ e Informatique” supported by the French Ministry of Research and New Technologies. J.S. Fitzgerald, I.J. Hayes, and A. Tarlecki (Eds.): FM 2005, LNCS 3582, pp. 75–90, 2005. c  Springer-Verlag Berlin Heidelberg 2005