Joe-E is a subset of the Java programming language intended to support programming according to object-capability discipline.[2]
Paradigm | object-capability |
---|---|
Designed by | David A. Wagner, Adrian Mettler, Chip Morningstar, Mark S. Miller |
First appeared | 2004[1] |
Stable release | 2.2.0a
|
Influenced by | |
Java, E | |
Influenced | |
Caja project |
The language is notable for being an early object-capability subset language. It has influenced later subset languages, such as ADsafe and Caja/Cajita, subsets of Javascript.
It is also notable for allowing methods to be verified as functionally pure, based on their method signatures.[3]
The restrictions imposed by the Joe-E verifier include:
- Classes may not have mutable static fields, because these create global state.
- Catching out-of-memory exceptions is prohibited, because doing so allows non-deterministic execution. For the same reason, finally clauses are not allowed.
- Methods in the standard library may be blocked if they are deemed unsafe according to taming rules. For example, the constructor new File(filename) is blocked because it allows unrestricted access to the filesystem.
Cup of Joe is slang for coffee, and so serves as a trademark-avoiding reference to Java. Thus, the name Joe-E is intended to suggest an adaptation of ideas from the E programming language to create a variant of the Java language.
Waterken Server is written in Joe-E.
References
edit- ^ An early reference to Joe-E on the cap-talk mailing list, Mark S. Miller, 2004/11/01, retrieved 2009/11/21.
- ^ Joe-E: A Security-Oriented Subset of Java, Adrian Mettler, David Wagner, and Tyler Close; January 2010.
- ^ Verifiable Functional Purity in Java, Matthew Finifter, Adrian Mettler, Naveen Sastry, David Wagner; October 2008, Conference on Computer and Communications Security.
External links
edit- The Joe-E project on Google Code
- Joe-E language specification