Annotations on Java typesJSR 308 working document |
This document is available in PDF format at https://checkerframework.org/jsr308/java-annotation-design.pdf.
The JSR 308 webpage is https://checkerframework.org/jsr308/. It contains the latest version of this document, along with other information such as links to the prototype implementation.
Contents:
We propose an extension to Java's annotation system [Bra04a] that permits annotations to appear on any use of a type. (By contrast, Java SE 6 permits annotations to appear only on class/method/field/variable declarations; our proposal is backward-compatible and continues to permit those annotations.) Such a generalization removes arbitrary limitations of Java's annotation system, and it enables new uses of annotations. The proposal also notes a few other possible extensions to annotations (see Section 7).
This document specifies the syntax of extended Java annotations, but it makes no commitment as to their semantics. As with Java's existing annotations [Bra04a], the semantics is dependent on annotation processors (compiler plug-ins), and not every annotation is necessarily sensible in every location where it is syntactically permitted to appear. This proposal is compatible with existing annotations, such as those specified in JSR 250, “Common Annotations for the Java Platform” [Mor06], and JSR 305, “Annotations for Software Defect Detection” [Pug06].
This proposal does not change the compile-time, load-time, or run-time semantics of Java. It does not change the abilities of Java annotation processors as defined in JSR 269 [Dar06]. The proposal merely makes annotations more general — and thus more useful for their current purposes, and also usable for new purposes that are compatible with the original vision for annotations [Bra04a].
JSR 308 “Annotations on Java Types” [EC06] has the goal of refining the ideas presented here. This proposal serves as a starting point for the JSR 308 expert group, but the expert group has the freedom to modify this proposal or to explore other approaches.
This document first motivates annotations on types by presenting one possible use, type qualifiers (Section 2). Then, it proposes minor changes to the Java language annotation syntax (Section 3) and class file format (Section 4). Section 5 describes the modifications to the JDK necessitated by the Java and class file changes, and Section 6 discusses how these changes will be tested. The document concludes with discussion of other annotations that may be included in future revisions of JSR 308 (Section 7), logistical matters relating to incorporation in the Sun JDK (Section 8), issues that are out of scope for JSR 308 (Section 9), and related work (Section 10).
One example use of annotation on types is to create custom type qualifiers for Java, such as @NonNull, @ReadOnly, @Interned, or @Tainted. Type qualifiers are modifiers that provide extra information about a type or variable. A designer can define new type qualifiers using Java annotations, and can provide compiler plug-ins to check their semantics (for instance, by issuing lint-like warnings during compilation). A programmer can then use these type qualifiers throughout a program to obtain additional guarantees at compile time about the program. The type system defined by the type qualifiers does not change Java semantics, nor is it used by the Java compiler or run-time system. Rather, it is used by the cheking tool, which can be viewed as performing type-checking on this richer type system. (The qualified type is usually treated as a subtype or a supertype of the unqualified type.) Type qualifiers can help prevent errors and make possible a variety of program analyses. Since they are user-defined, developers can create and use the type qualifiers that are most appropriate for their software.
A system for custom type qualifiers requires extensions to Java's annotation system, described in this document; the existing Java SE 6 annotations are inadequate. Similarly to type qualifiers, other pluggable type systems [Bra04b] and similar lint-like checkers also require these extensions to Java's annotation system.
Our key goal is to create a type qualifier system that is compatible with the Java language, VM, and toolchain. Previous proposals for Java type qualifiers are incompatible with the existing Java language and tools, are too inexpressive, or both. The use of annotations for custom type qualifiers has a number of benefits over new Java keywords or special comments. First, Java already implements annotations, and Java SE 6 features a framework for compile-time annotation processing. This allows our system to build upon existing stable mechanisms and integrate with the Java toolchain, and it promotes the maintainability and simplicity of our modifications. Second, since annotations do not affect the runtime semantics of a program, applications written with custom type qualifiers are backward-compatible with the vanilla JDK. No modifications to the virtual machine are necessary.
The ability to place annotations on arbitrary occurrences of a type improves the expressiveness of annotations, which has many benefits for Java programmers. Here we mention just one use that is enabled by extended annotations, namely the creation of type qualifiers. (Figure 1 gives an example of the use of type qualifiers.)
As an example of how our system might be used, consider a @NonNull type qualifier that signifies that a variable should never be assigned null [Det96, Eva96, DLNS98, FL03, CMM05]. A programmer can annotate any use of a type with the @NonNull annotation. A compiler plug-in would check that a @NonNull variable is never assigned a possibly-null value, thus enforcing the @NonNull type system.
1 @DefaultAnnotation(@NonNull) 2 class DAG { 3 4 Set<Edge> edges; 5 6 // ... 7 8 List<Vertex> getNeighbors(@Interned @Readonly Vertex v) @Readonly { 9 List<Vertex> neighbors = new LinkedList<Vertex>(); 10 for (Edge e : edges) 11 if (e.from() == v) 12 neighbors.add(e.to()); 13 return neighbors; 14 } 15 }
@Readonly is another example of a useful type qualifier [BE04, TE05, GF05, KT01, SW01, PBKM00]. Similar to C's const, an object's internal state may not be modified through references that are declared @Readonly. A type qualifier designer would create a compiler plug-in (an annotation processor) to check the semantics of @Readonly. For instance, a method may only be called on a @Readonly object if the method was declared with a @Readonly receiver. @Readonly's immutability guarantee can help developers avoid accidental modifications, which are often manifested as run-time errors. An immutability annotation can also improve performance. For example, a programmer can indicate that a particular method (or all methods) on an Enterprise JavaBean is readonly, using the Access Intents mechanism of WebSphere Application Server.
Additional examples of useful type qualifiers abound. We mention just a few others. C uses the const, volatile, and restrict type qualifiers. Type qualifiers YY for two-digit year strings and YYYY for four-digit year strings helped to detect, then verify the absence of, Y2K errors [EFA99]. Type qualifiers can indicate data that originated from an untrustworthy source [PØ95, VS97]; examples for C include user vs. kernel indicating user-space and kernel-space pointers in order to prevent attacks on operating systems [JW04], and tainted for strings that originated in user input and that should not be used as a format string [STFW01]. A localizable qualifier can indicate where translation of user-visible messages should be performed; similarly, annotations can indicate other properties of its contents, such as the format or encoding of a string. An interned qualifier can indicate which objects have been converted to canonical form and thus may be compared via object equality. Type qualifiers such as unique and unaliased can express properties about pointers and aliases [Eva96, CMM05]; other qualifiers can detect and prevent deadlock in concurrent programs [FTA02, AFKT03]. Flow-sensitive type qualifiers [FTA02] can express typestate properties such as whether a file is in the open, read, write, readwrite, or closed state, and can guarantee that a file is opened for reading before it is read, etc. The Vault language's type guards and capability states are similar [DF01].
In Java SE 6, annotations can be written only on method parameters and the declarations of packages, classes, methods, fields, and local variables.
Our system extends Java to allow annotations on any use of a type. Our system uses a simple prefix syntax for type annotations: the annotation appears before the type, as in @NonNull String. There are two exceptions to this general rule: a method receiver (this) annotation appears after the parameter list, and annotations on other than the top level of a multi-dimensional array do not all appear before the array type (see Section 3.5).
The following list gives examples of how annotations are written in the source, according to the simple prefix rule explained in Section 3.1.
(The specific annotation names, such as @NonNull, are examples only; this document does not propose any annotations, merely specifying where they can appear in Java code.)
Map<@NonNull String, @NonEmpty List<@Readonly Document>> files;
o.<@NonNull String>m("...");
class Folder<F extends @Existing File> { ... } Collection<? super @Existing File>
class UnmodifiableList<T> implements @Readonly List<@Readonly T> { ... }
void monitorTemperature() throws @Critical TemperatureException { ... }
myString = (@NonNull String) myObject;
boolean isNonNull = myString instanceof @NonNull String;
new @NonEmpty @Readonly List<String>(myNonEmptyStringSet)
For generic constructors (JLS §8.8.4), the annotation follows the explicit type arguments (JLS §15.9):
new <String> @Interned MyObject()
public int size() @Readonly { ... } public void write() @Writable throws IOException { ... }
Class<@NonNull String> c = @NonNull String.class;
Document[@Readonly][] docs4 = new Document[@Readonly 2][12]; Document[][@Readonly] docs5 = new Document[2][@Readonly 12];
This syntax permits independent annotations for each distinct level of array, and for the elements; see Section 3.5 for alternative syntaxes.
These annotations are necessary in order to fully specify Java classes and methods.
There is no need for new syntax for annotations on types in declarations, because Java syntax already permits an annotation there, as in
@NonNegative int balance;
where @NonNegative applies to the field type int, not to the whole variable declaration nor to the variable itself. As another example, in
@Deprecated @NonNull Dimension getSize() { ... }
@Deprecated applies to the method (because Deprecated is meta-annotated with ElementType.METHOD) and @NonNull applies to the return type (because NonNull is meta-annotated with ElementType.TYPE). The meta-annotation is written by the author of the annotation, as in
@Target({ElementType.METHOD, ...}) public @interface Deprecated { ... } @Target(ElementType.TYPE) public @interface NonNull { ... }
Java 6 already requires the compiler to read and enforce the Target meta-annotation.
The compiler applies the annotation to every target that is consistent with its meta-annotation. This means that, for certain syntactic locations, which target (Java construct) is being annotated depends on the annotation. The order of annotations is not used to disambiguate; @NonNull @Deprecated Dimension getSize() has the same meaning but is poor style. (An annotation processor could warn about this order, just as tools warn about modifiers — such as final static — that are not written in the order recommended by Sun.)
Different syntaxes are possible, in which declaration and type annotations appear in different locations in the grammar. Such a syntax is warranted in two circumstances. (1) If programmers find it confusing to determine which construct an annotation applies to, and the alternate syntax is clearer overall. (2) If there exist annotations that can apply equally well to both methods and return value types (or to both types and variable declarations, etc.), and that have different semantics in the two situations. Both circumstances are poor style, and we have not yet found examples of such annotations. Another argument for the alternate syntax is that the grammar should be maximally flexible to permit unforeseen future uses of such annotations. This must be traded off against readability and usability for important known common cases.
We now expand on how some of the annotations on types may be used. Each of these uses is either impossible or extremely inconvenient in the absence of the new locations for annotations proposed in this document. For brevity, we do not give examples of uses for every type annotation. It is worthwhile to permit annotations on all uses of types (even those for which no immediate use is apparent) for consistency, expressiveness, and support of unforeseen future uses.
Here are three examples of uses for annotations on array levels:
For example, this receiver annotation
Dimension getSize() @Readonly { ... }
indicates that getSize does not modify its receiver. This is different than an annotation on the return type (which would appear before the method declaration), which indicates that the client may not modify the returned Dimension. This is also different than an annotation on the method (such as JML's pure annotation), which indicates that the method has no side effects at all.
As with annotations on formal parameters (which are already permitted by Java), annotations on the receiver do not affect the Java signature, compile-time resolution of overloading, or run-time resolution of overriding. The Java type of every receiver in a class is the same — but their annotations, and thus their qualified type in a type qualifier framework, may differ.
The primary purpose of annotations on type casts is to prevent, not to enable, run-time checks. For example, an annotation processor could prohibit code such as this:
@Readonly Object x = new Date(); ... (Date) x ... // annotation processor error due to casting away @Readonly
This cast uses x as a non-@Readonly object, which changes its type and would require a run-time mechanism to enforce type safety. By contrast, an annotation processor would permit a use such as
@Readonly Object x = new Date(); ... (@Readonly Date) x ... // legal; use of @Readonly has no run-time effect
which preserves the annotation part of the type and thus guarantees type safety without run-time checks.
Another potential use for annotations on type casts is — like ordinary Java casts — to provide the compiler with information that is beyond the ability of its typing rules. An annotation processing tool could trust such type casts, perhaps issuing a warning to remind users to verify their safety by hand. An alternative approach would be to check the type cast dynamically, as Java casts are, but we do not endorse such an approach, because annotations are not intended to change the run-time behavior of a Java program. (For example, annotations, like return values, are not part of the Java signature, so they do not affect compile-time resolution of overloading nor run-time resolution of overriding.)
As with type cast annotations, the presence of an annotation on a type test does not imply a run-time test. The intention is that an annotation processor would require the annotation parts of the type and of the argument (the expression being tested) to be the same. This permits the idiom
if (x instanceof T) { ... (T) x ... }
to be used with the same type T in both occurrences; by contrast, using different types in the type test and the type cast would be confusing.
Because annotations are not intended to change the run-time behavior of a Java program, this proposal does not endorse dynamical type tests to determine that a qualifier is present on a type. In the implementation, there is no run-time representation of the annotations on an object's type, so such a test would be impossible to implement, even if it were desired; there is no danger that a qualifier on the type test will change the run-time behavior.
These annotations also provide a convenient way to alias otherwise cumbersome types. For instance, a programmer might declare
final class MyStringMap extends @Readonly Map<@NonNull String, @NonEmpty List<@NonNull @Readonly String>> {}
so that MyStringMap may be used in place of the full, unpalatable supertype.
Not every type system (or other system using annotations) may utilize every possible annotation location. For example, a system that fully specifies type qualifiers in signatures but infers them for implementations [GF05] may not need annotations on typecasts, object creation, local variables, or certain other locations. Other systems may forbid top-level (non-type-argument, non-array) annotations on object creation (new) expressions, such as new @Interned Object(). However, the annotation system proposed here is expressive enough to handle arbitrary type qualifiers.
As discussed in Section 3.4, it is desirable to be able to independently annotate both the element type and each distinct level of a nested array. We have not yet settled on a syntax for such annotations, however; this section presents several proposals.
For the array syntax, there are two choices to make. First, where should array annotations appear?
Second, should an annotation on a set of brackets refer to the array or the elements? Taking the within-the-brackets syntax as an example, would @NonNull Document[@Readonly] mean that the array is @Readonly and contains @NonNull elements, or that the array is @NonNull and contains @Readonly elements? (For the fully postfix syntax, the second question is moot: the only sensible choice is for the annotation on the brackets to refer to the array, not the elements.)
Here are some principles that an ideal syntax would satisfy.
@A List<@B Object> // @A refers to List @A List<@B Object>[@C] // @A refers to array, @C refers to ListAnother way of stating this principle is that one part of a declaration should describe a type that is part of the declared type; one should not have to shuffle around the annotations to
given a type declaration, one can look at a subpart of the declaration and see the type of a
the type of a subpart of
@A T[@B] arr1, arr2[@C];Likewise, the Ts should have the same annotations for v3 and arr4:
@A T v3, arr4[@B][@C];And, these three declarations should mean the same thing:
@A T[@B] arr5[@C]; @A T[@B][@C] arr6; @A T arr7[@B][@C];
If an annotation on brackets refers to the array, then the syntax violates principle 3. If an annotation on brackets refers to the elements, then the syntax violates principles 1 and 2.
Here are several proposals for the syntax of such array annotations.
In the examples below, we use the following variables.
An annotation before the entire array type binds to the member type that it abuts; @Readonly Document[][] can be interpreted as (@Readonly Document)[][].
An annotation within brackets refers to the array that is accessed using those brackets.
The type of elements of @A Object[@B][@C] is @A Object[@C].
The example variables would be declared as follows:
@Readonly Document[] array_of_rodocs; Document[@Readonly] roarray_of_docs; @Readonly Document[][] array_of_array_of_rodocs = new Document[2][12]; Document[@Readonly][] array_of_roarray_of_docs = new Document[@Readonly 2][12]; Document[][@Readonly] roarray_of_array_of_docs = new Document[2][@Readonly 12];
An annotation before the entire array type refers to the (reference to the) top-level array itself; @Readonly Document[][] docs4 indicates that the array is non-modifiable (not that the Documents in it are non-modifiable).
An annotation within brackets applies to the elements that are accessed using those brackets.
The type of elements of @A Object[@B][@C] is @B Object[@C].
The example variables would be declared as follows:
@Readonly Document[] roarray_of_docs; Document[@Readonly] array_of_rodocs; @Readonly Document[][] roarray_of_array_of_docs = new Document[2][12]; Document[@Readonly][] array_of_roarray_of_docs = new Document[@Readonly 2][12]; Document[][@Readonly] array_of_array_of_rodocs = new Document[2][@Readonly 12];
The type of elements of @A Object @B [] @C [] is @B Object @C [].
The example variables would be declared as follows:
@Readonly Document[] roarray_of_docs; Document @Readonly [] array_of_rodocs; @Readonly Document[][] array_of_array_of_rodocs = new Document[2][12]; Document @Readonly [][] roarray_of_array_of_docs = new Document @Readonly [2][12]; Document[] @Readonly [] array_of_roarray_of_rodocs = new Document[2] @Readonly [12];
The type of elements of @A Object[] @B [] @C is @B Object[] @C.
Possible disadvantage: Prefix notation may be more natural to Java programmers, as it is used in other places in the Java syntax.
The example variables would be declared as follows:
@Readonly Document[] roarray_of_docs; Document[] @Readonly array_of_rodocs; @Readonly Document[][] roarray_of_array_of_docs = new Document[2][12]; Document[] @Readonly [] array_of_roarray_of_docs = new Document[2] @Readonly [12]; Document[][] @Readonly array_of_array_of_rodocs = new Document[2][12] @Readonly;
It is also possible to imagine array annotations that do not require new locations for the annotations. The advantage of this is that there is no new syntax. A disadvantage is that the array level annotations are syntactically separated from the array levels themselves, so the meaning may not be as clear.
// dimension 1 and 2 of the array are annotated @ArrayAnnots({ @ArrayAnnot(i=1, value={Readonly.class}), @ArrayAnnot(i=2, value={Readonly.class}) }) Object[][][] arr;or use the order in which the annotations are given.
@ArrayAnnots({ @ArrayAnnot({Readonly.class}), @ArrayAnnot({Readonly.class}) }) Object[][] arr2; @ArrayAnnots({ @Readonly, @Readonly }) Object[][] arr2;The latter syntax is less convenient when not every level of the array is being annotated, or when multiple annotations are put on an array. (This document should give examples of those situations.)
// In each case, the elements in the array are readonly // dimension 0 has no annotation // dimensions 1 and 2 are also readonly @ReadonlyDims({1,2}) @Readonly Object[][][] roa; @Dims({1,2}, @Readonly) @Readonly Object[][][] roa;One advantage of this syntax over the one that gives an array of annotations is that each annotation is given independently, so it will be easier for tools to insert, delete, or conditionally display a given annotation. However, the array of annotations more closely mirrors the syntax of the array declaration itself.
Java annotations (including the extended annotations) must be stored in the class file for two reasons. First, annotated signatures (public members) must be available to tools that read class files, such as a compiler (really, an annotation processor or type-checking plug-in [Dar06]) when compiling a client of the class file. Second, annotated method bodies must be present to permit verification of the correctness of the annotated signatures in the class files; this is necessary to give confidence in an entire system, since class files may originate from any source.
This document proposes conventions for storing the annotations described in Section 3, as well as for storing local variable annotations, which are permitted in Java syntax but currently discarded by the compiler. Class files already store annotations in the form of “attributes” [Bra04a, LY]. JVMs ignore unknown attributes. For backward compatibility, we use new attributes for storing the type annotations. In other words, our proposal merely reserves the names of a few attributes and specifies their layout. Our proposal does not alter the way that existing annotations on classes, methods, method parameters, and fields are stored in the class file. Class files generated from programs that use no new annotations will be identical to those generated by a standard Java SE 6 (that is, pre-extended-annotations) compiler. Furthermore, the bytecode array will be identical between two programs that differ only in their annotations. Attributes have no effect on the bytecode array, because they exist outside it; however, they can represent properties of it by referring to the bytecode (including specific instructions, or bytecode offsets).
In Java SE 6, annotations are stored in the class file in attributes of the classes, fields, or methods they target. Attributes are sections of the class file that associate data with a program element (a method's bytecodes, for instance, are stored in a Code attribute). The RuntimeVisibleAnnotations attribute is used for annotations that are accessible at runtime using reflection, and the RuntimeInvisibleAnnotations attribute is used for annotations that are not accessible at runtime. These attributes contain arrays of annotation structure elements, which in turn contain arrays of element_value pairs. The element_value pairs store the names and values of an annotation's arguments.
Our proposal introduces two new attributes: RuntimeVisibleTypeAnnotations and RuntimeInvisibleTypeAnnotations. These attributes are structurally identical to the RuntimeVisibleAnnotations and RuntimeInvisibleAnnotations attributes described above with one exception: rather than an array of annotation elements, RuntimeVisibleTypeAnnotations and RuntimeInvisibleTypeAnnotations contain an array of extended_annotation elements, which are described in section 4.1 below.
The Runtime[In]visibleTypeAnnotations attributes store annotations written in the new locations described in Section 3, and on local variables. For annotations on the type of a field, the field_info structure (see JVMS3 §4.6) corresponding to that field stores the Runtime[In]visibleTypeAnnotations attributes. For annotations on types in method signatures or bodies, the method_info structure (see JVMS3 §4.7) that corresponds to the annotations' containing method stores the Runtime[In]visibleTypeAnnotations attributes. For annotations on class type parameter bounds and class extends/implements types, the attributes structure (see JVMS3 §4.2) stores the Runtime[In]visibleTypeAnnotations attributes.
The extended_annotation structure has the following format, which adds target_type and reference_info to the annotation structure defined in JVMS3 §4.8.15:
extended_annotation { u2 type_index; u2 num_element_value_pairs; { u2 element_name_index; element_value value; } element_value_pairs[num_element_value_pairs]; u1 target_type; // new in our proposal { ... } reference_info; // new in our proposal }
We briefly recap the fields of annotation, which are described in in JVMS3 §4.8.15.
The following sections describe the fields of the extended_annotation structure that differ from annotation.
The target_type field denotes the type of program element that the annotation targets. As described above, annotations in any of the following locations are written to Runtime[In]visibleTypeAnnotations attributes in the class file:
The corresponding values for each of these cases are shown in Figure 2. Some locations are assigned numbers even though annotations in those locations are prohibited or are actually written to Runtime[In]visibleAnnotations or Runtime[In]visibleParameterAnnotations. While those locations will never appear in a target_type field, including them in the enumeration may be convenient for software that processes extended annotations. They are marked * in Figure 2.
Annotation Target target_type Value typecast 0x00 typecast generic/array 0x01 type test (instanceof) 0x02 type test (instanceof) generic/array 0x03 object creation (new) 0x04 object creation (new) generic/array 0x05 method receiver 0x06 method receiver generic/array 0x07* local variable 0x08 local variable generic/array 0x09 method return type 0x0A* method return type generic/array 0x0B method parameter 0x0C* method parameter generic/array 0x0D field 0x0E* field generic/array 0x0F class type parameter bound 0x10 class type parameter bound generic/array 0x11 method type parameter bound 0x12 method type parameter bound generic/array 0x13 class extends/implements 0x14 class extends/implements generic/array 0x15 exception type in throws 0x16 exception type in throws generic/array 0x17*
The reference_info field is used to reference the annotation's target in bytecode. The contents of the reference_info field is determined by the value of target_type.
When the annotation's target is a typecast, an instanceof expression, or a new expression, reference_info has the following structure:
{ u2 offset; } reference_info;
The offset field denotes the offset (i.e., within the bytecodes of the containing method) of the checkcast bytecode emitted for the typecast, the instanceof bytecode emitted for the type tests, or of the new bytecode emitted for the object creation expression.
For annotated typecasts, the attribute may be attached to a checkcast bytecode, or to any other bytecode. The rationale for this is that the Java compiler is permitted to omit checkcast bytecodes for typecasts that are guaranteed to be no-ops. For example, a cast from String to @NonNull String may be a no-op for the underlying Java type system (which sees a cast from String String). If the compiler omits the checkcast bytecode, the @NonNull attribute would be attached to the (last) bytecode that creates the target expression instead. This approach permits code generation for existing compilers to be unaffected.
See the end of this section (page ??) for handling of generic type arguments and arrays.
When the annotation's target is a local variable, reference_info has the following structure:
{ u2 start_pc; u2 length; u2 index; } reference_info;
The start_pc and length fields specify the variable's live range in the bytecodes of the local variable's containing method (from offset start_pc to offset start_pc + length). The index field stores the local variable's index in that method. These fields are similar to those of the optional LocalVariableTable attribute defined in JVMS3 §4.8.13.
Storing local variable annotations in the class file raises certain challenges. For example, live ranges are not isomorphic to local variables. Further, a local variable with no live range may not appear in the class file (but it is also irrelevant to the program).
When the annotation's target is a method receiver, reference_info is empty.
When the annotation's target is a bound of a type parameter of a class or method, reference_info has the following structure:
{ u1 param_index; u1 bound_index; } reference_info;
param_index specifies the index of the type parameter, while bound_index specifies the index of the bound. Consider the following example:
<T extends @A Object & @B Comparable, U extends @C Cloneable>
Here @A has param_index 0 and bound_index 0, @B has param_index 0 and bound_index 1, and @C has param_index 1 and bound_index 0.
When the annotation's target is a type in an extends or implements clause, reference_info has the following structure:
{ u1 type_index; } reference_info;
type_index specifies the index of the type in the clause: -1 (255) is used if the annotation is on the superclass type, and the value i is used if the annotation is on the ith superinterface type.
When the annotation's target is a type in a throws clause, reference_info has the following structure:
{ u1 type_index; } reference_info
type_index specifies the index of the exception type in the clause: the value i denotes an annotation on the ith exception type.
When the annotation's target is a generic type argument or array type, reference_info contains what it normally would for the raw type (e.g., offset for an annotation on a type argument in a typecast), plus the following fields at the end:
u2 location_length; u1 location[location_length];
The location_length field specifies the number of elements in the variable-length location field. location encodes which type argument or array element the annotation targets. Specifically, the ith item in location denotes the index of the type argument or array dimension at the ith level of the hierarchy. Figure 3 shows the values of the location_length and location fields for the annotations in a sample field declaration.
Declaration: @A Map<@B Comparable<@C Object[@D][@E][@F]>, @G List<@H Document>>
Annotation location_length location @A not applicable @B 1 0 @C 2 0, 0 @D 3 0, 0, 0 @E 3 0, 0, 1 @F 3 0, 0, 2 @G 1 1 @H 2 1, 0
This section indicates the tools and specifications that must be modified in order for the Java language and tools to support JSR 308. The implementation of extended annotations builds on the existing framework for Java annotations.
The syntax extensions described in Section 3 require the javac Java compiler to accept annotations in the proposed locations and to add them to the program's AST. The relevant AST node classes must also be modified to store these annotations.
Javac's -Xprint functionality reads a .class file and prints the interface (class declarations with signatures of all fields and methods). This must be updated to print the extended annotations as well. (The -Xprint functionality is similar to javap, but cannot provide any information about bytecodes or method bodies, because it is implemented internally as an annotation processor.)
When creating bridge methods (an implementation strategy used when the erased signature of the actual method being invoked differs from that of the compile-time method declaration [GJSB05, §15.12.4.5]), annotations should be copied from the method being invoked. (Right now, javac doesn't copy/transfer any annotations from original methods to the bridge methods; that is probably a bug in javac.)
When generating .class files, the compiler must emit the attributes described in Section 4.
The compiler is required to preserve annotations in the class file. More precisely, if a programmer places an annotation (with class file or runtime retention) on the type of an expression, then the annotation must be present, in the compiled class file, on the type of the compiled representation of that expression. This may change the compiler implementation of certain optimizations, such as common subexpression elimination, but this restriction on the compiler implementation is unobjectionable for three reasons.
The Tree API, which exposes the AST (including annotations) to authors of annotation processors (compile-time plug-ins), must be updated to reflect the modifications made to the internal AST node classes described in Section 3.
The JSR 269 annotation processing API must be modified so that the process method (currently invoked only on class, field, and method annotations) is also invoked on annotations on every annotatable location.1
Annotation processors specified by the -processor compiler option run after class members are resolved but before method bodies are resolved. Resolution (also called “attribution”) determines type information; thus, a JSR 269 annotation processor has access to the types of fields and method return and parameters, but not types for local variables and expressions, which a type-checking plug-in needs in order to check variable uses. We will add a new -typeprocessor compiler option that specifies an annotation processor that runs after resolution/attribution, and which can therefore depend on knowing the types of all expressions.
Like reflection, the JSR 269 (annotation processing) model does not represent constructs below the method level, such as individual statements and expressions. Therefore, it needs to be updated only with respect to annotations on class member declarations. The JSR 269 model, javax.lang.model.*, already has some classes representing annotations; see https://docs.oracle.com/javase/6/docs/api/javax/lang/model/element/package-summary.html. The annotation processing API in javax.annotation.processing must also be revised.
The java.lang.reflect.* and java.lang.Class APIs give access to annotations on public API elements such as classes, method signatures, etc. They must be updated to give the same access to the new extended annotations.
For example, to parallel the existing Method.getAnnotations (for the return value) and Method.getParameterAnnotations (for the formal parameters), we would add Method.getReceiverAnnotation (for the receiver this). Reflection gives no access to method implementations, so we will not provide access to annotations on casts (or other annotations inside a method body), type parameter names, or similar implementation details.
Suppose that a method is declared as:
@NonEmpty List<@Interned String> foo(@NonNull List<@Opened File> files) @Readonly {...}
Then Method.getAnnotations() returns the @NonEmpty annotation, just as in Java SE 6, and likewise Method.getParameterAnnotations() returns the @NonNull annotation. New method Method.getReceiverAnnotations() returns the @Readonly annotation. We have not yet decided how to provide reflective access to annotations on generic types in a method's signature, such as the instances of @Interned and @Opened above.
The Mirror API com.sun.mirror.* need not be updated, as it has been superseded by JSR 269 [Dar06].
No modifications to the virtual machine are necessary.
The javap disassembler must be updated to recognize the new class file format and to output annotations.
The pack200/unpack200 tool should preserve the new attributes through a compress-decompress cycle.
Javadoc must output annotations at the new locations when those are part of the public API, such as in a method signature.
Similar modifications need to be made to tools outside the Sun JDK, such as IDEs (Eclipse, IDEA, JBuilder, jEdit, NetBeans), other tools that manipulate Java code (grammars for CUP, javacc), and tools that manipulate class files (ASM, BCEL). These changes need to be made by the authors of the respective tools.
A separate document, “Custom type qualifiers via annotations on Java types” (https://checkerframework.org/jsr308/java-type-qualifiers.pdf), explores implementation strategies for annotation processors that act as type-checking compiler plug-ins. It is not germane to this proposal, both because this proposal does not concern itself with annotation semantics and because writing such plug-ins does not require any changes beyond those described here.
A separate document, “Annotation File Specification” (https://checkerframework.org/jsr308/annotation-file-format.pdf), describes a textual format for annotations that is independent of .java or .class files. This textual format can represent annotations for libraries that cannot or should not be modified. We have built tools for manipulating annotations, including extracting annotations from and inserting annotations in .java and .class files. That file format is not part of this proposal for extending Java's annotations; it is better viewed as an implementation detail of our tools.
The Java Language Specification needs to be updated. A separate document will one day contain a list of all the changes. (The list of changes would be too long to include in this document, and would not succinctly convey the implications of the changes.) Finding all the places that mention annotations is a good start.
One nonobvious place is in places like section 9.6.1.5, where the description of @codeSuppressWarnings states “If a program declaration is annotated …” and the use of “declaration” must be changed to “element” or “construct” or some similar word.
The Java Virtual Machine Specification (JVMS) needs to be updated to describe the Runtime{Inv,V}isibleTypeAnnotations attributes. This section, or a separate document, will one day contain a list of all the changes. Since the third edition of JVMS [LY] has not yet been published, the changes must work from the document titled “revisions to `The class file Format' ”, which this document calls “JVMS3” and is available at https://docs.oracle.com/javase/specs/jvms/se5.0/ClassFileFormat-Java5.pdf.
The JSR will ship with a test suite (known as a TCK, or Technology Compatibility Kit).
Each tool that needs to be tested appears in Section 5; the TCK will include tests for each of them.
For each modified tool, we will test backward compatibility by passing all of its existing tests. (We may need to modify a few of them, for instance those that depend on specific bytecodes that are created by the compiler.)
We will test most other functionality by creating a set of Java programs that include annotations in every possible location. For instance, this can be used to test all aspects of the compiler (parsing, code generation, -Xprint).
We will provide multiple annotation processors (including at least one for checking @NonNull and one for checking @Interned) that utilize the new annotations, along with a test suite for each one. Each annotation processor's test suite consists of annotated code, along with expected output from the given annotation processor. Since the annotation processors utilize all aspects of our changes, this serves as an additional end-to-end test of the JSR 308 implementation. As a side benefit, the annotation processors will be useful in their own right, will thereby illustrate the utility of JSR 308, and will serve as examples for people who wish to create their own type-checking plug-ins.
The Expert Group will consider whether the proposal should extend annotations in a few other ways that are not directly related to annotations on types. This is especially true if the additional changes are small, that there is no better time to add such an annotation, and the new syntax would permit unanticipated future uses. Two examples follow, for which the proposal does not currently include a detailed design.
Currently, array-valued annotations can be clumsy to write:
@Resources({ @Resource(name = "db1", type = DataSource.class) @Resource(name = "db2", type = DataSource.class) }) public class MyClass { ... }
Likewise, it may be desirable for some (but not all) annotations to be specified more than once at a single location. A cleaner syntax like
@Resource(name = "db1", type = DataSource.class) @Resource(name = "db2", type = DataSource.class) public class MyClass { ... }
may be desirable for both purposes.
Java does not currently permit annotations on statements. Annotations on statements (or on some subset of statements, such as blocks or loops) could be useful for properties such as atomicity/concurrency. Such an extension would require defining both Java syntax and a convention for storing the information in the class file.
The JSR for annotations on Java types should be included under the Java SE 7 umbrella JSR (which lists the JSRs that are part of the Java SE 7 release). However, it should be a separate JSR because it needs a separate expert group. The expert group will have overlap with any others dealing with other added language features that might be annotatable (such as method-reference types or closures), to check impact.
The specification and the TCK will be freely available, most likely licensed under terms that permit arbitrary use. The prototype implementation is built on the OpenJDK Java implementation and is publicly available; our goal is to have our changes incorporated into the official OpenJDK release.
To ease the transition from standard Java SE 6 code to code with the extended annotations, the prototype implementation recognizes the extended annotations when surrounded by comment markers:
/*@Readonly*/ Object x;
This permits use of both standard Java SE 6 tools and the new annotations even before Java SE 7 is released. However, it is not part of the proposal, and the final Java SE 7 implementation will not recognize the new annotations when embedded in comments.
This section of the document discusses several issues that are not in scope for JSR 308.
The annotation type java.lang.annotation.Inherited (JLS §9.6.1.3) indicates that annotations on a class C corresponding to a given annotation type are inherited by subclasses of C. This implies that annotations on interfaces are not inherited, nor are annotations on members (methods, constructors, fields, etc.). It might be useful to provide a more fine-grained mechanism that applies different rules to classes, methods, fields, etc., or even to specify inheritance of annotations from interfaces. These semantic issue are out of the scope of JSR 308 but may be taken up by JSR 305 (“Annotations for Software Defect Detection” [Pug06]).
Specifying a default for annotations can reduce code size and (when used carefully and sparingly) increase code readability. For instance, Figure 1 uses @DefaultAnnotation(@NonNull) to avoid the clutter of 5 @NonNull annotations. This could be extended with optional arguments, such as
@DefaultAnnotation(@MyAnnotation(myarg="foo"), locations={ElementType.LOCAL_VARIABLE})
Defaults for annotations are a semantic issue that is out of the scope of JSR 308. It will be taken up by JSR 305 (“Annotations for Software Defect Detection” [Pug06]).
An issue for JSR 260 (Javadoc) and JSR 305 (Annotation semantics) is how inherited and defaulted annotations are handled in Javadoc: whether they are written out in full, or in some abbreviated form. Just as too many annotations may clutter source code, similar clutter-reduction ideas may need to be applied to Javadoc.
It is not a goal that JSR 308 is the last annotation-related JSR. It is acceptable to leave some issues to future language designers, just as JSR 175 (the previous annotations JSR [Bra04a]) did. It is a goal not to unnecessarily close off realistic future avenues of extension.
Annotating a type cast indicates a property of a value (the result of an expression). This is different than annotating the expression itself, which indicates some property of the entire computation, such as that it should be performed atomically, that it acquires no locks, or that it should be formatted specially by an IDE. JSR 308 does not support expression annotations, because we have not yet discovered compelling use cases for them that cannot be equally well supported by statement annotations. (A minor inconvenience is that the use of statement annotations may require the programmer to create a new statement for the expression to be annotated.)
Arbitrary values can be annotated using an annotation on a cast:
(@Language("SQL") String) "select * from foo"
A possible shorthand would be to permit the Java type to be implicit:
(@Language("SQL")) "select * from foo"
Or even to drop the parentheses:
@Language("SQL") "select * from foo"
This syntax expresses an expression annotation, not a type annotation. This may be acceptable, because whether an annotation applies to expressions or to types is clear from the annotation's documentation and its @Target meta-annotation. This is similar to how it is determined whether an annotation applies to a type or to a declaration (Section 3.3). However, the appearance of the type in this case reinforces that the annotation is on the type, and the benefit of omitting the type in the cast seems relatively minor, so for now JSR 308 does not permit the shorthand. (Also, depending on the syntax for array level annotations, there might be confusion with whether Object[@X 2] means that the array level has annotation X or that it's shorthand for Object[(@X int) 2]; similar confusion might occur the array length is a more complex expression.)
Section 2.1 gave many examples of how type qualifiers have been used in the past.
C#'s attributes [ECM06, chap. 24] play the same role as Java's annotations: they attach metadata to specific parts of a program, and are carried through to the compiled bytecode representation, where they can be accessed via reflection. The syntax is different: C# uses [AnnotationName] or [AnnotationName: data] where Java uses @AnnotationName or @AnnotationName(data); C# uses AttributeUsageAttribute where Java uses Target; and so forth. However, C# permits metadata on generic arguments, and C# permits multiple metadata instances of the same type to appear at a given location.
Like Java, C# does not permit metadata on elements within a method body. (The “[a]C#” language [CCC05], whose name is pronounced “annotated C sharp”, is an extension to C# that permits annotation of statements and code blocks.)
Harmon and Klefstad [HK07] propose a standard for worst-case execution time annotations.
Pechtchanski's dissertation [Pec03] uses annotations in the aid of dynamic program optimization. Pechtchanski implemented an extension to the Jikes compiler that supports stylized comments, and uses these annotations on classes, fields, methods, formals, local variable declarations, object creation (new) expressions, method invocations (calls), and program points (empty statements). The annotations are propagated by the compiler to the class file.
Mathias Ricken's LAPT-javac (https://ricken.us/research/laptjavac/) is a version of javac (version 1.5.0_06) that encodes annotations on local variables in the class file, in new Runtime{Inv,V}isibleLocalVariableAnnotations attributes. The class file format of LAPT-javac differs from that proposed in this document.
The Java Modeling Language, JML [LBR06], is a behavioral modeling language for writing specifications for Java code. It uses stylized comments as annotations, some of which apply to types.
Ownership types [CPN98, Boy04, Cla01, CD02, PNCB06, NPHV98, DM05, LM04, LP06] permit programmers to control aliasing and access among objects. Ownership types can be expressed with type annotations and have been applied to program verification [LM04, Mül02, MPHL06], thread synchronization [BLR02, JPLS05], memory management [ACG+06, BSBR03], and representation independence [BN02].
Matt Papi designed and implemented the JSR 308 compiler, and contributed substantially to the JSR 308 design.
The members of the JSR 308 mailing list (https://types.cs.washington.edu/list-archives/jsr308/) provided valuable comments and suggestions. We welcome additional feedback.
At the 5th annual JCP Program Awards (in May 2007), JSR 308 received the Most Innovative Java SE/EE JSR of the Year award.