Joe-E

Joe-E
Paradigmobject-capability
Designed byDavid A. Wagner, Adrian Mettler, Chip Morningstar, Mark S. Miller
First appeared2004[1]
Stable release
2.2.0a
Influenced by
Java, E
Influenced
Caja project

Joe-E is a subset of the Java programming language intended to support programming according to object-capability discipline.[2]

The language is notable for being an early object-capability subset language. It has influenced later subset languages, such as ADsafe and Caja/Cajita, subsets of Javascript.

It is also notable for allowing methods to be verified as functionally pure, based on their method signatures.[3]

The restrictions imposed by the Joe-E verifier include:

  • Classes may not have mutable static fields, because these create global state.
  • Catching out-of-memory exceptions is prohibited, because doing so allows non-deterministic execution. For the same reason, finally clauses are not allowed.
  • Methods in the standard library may be blocked if they are deemed unsafe according to taming rules. For example, the constructor new File(filename) is blocked because it allows unrestricted access to the filesystem.

Cup of Joe is slang for coffee, and so serves as a trademark-avoiding reference to Java. Thus, the name Joe-E is intended to suggest an adaptation of ideas from the E programming language to create a variant of the Java language.

Waterken Server is written in Joe-E.

References

  1. ^ An early reference to Joe-E on the cap-talk mailing list, Mark S. Miller, 2004/11/01, retrieved 2009/11/21.
  2. ^ Joe-E: A Security-Oriented Subset of Java, Adrian Mettler, David Wagner, and Tyler Close; January 2010.
  3. ^ Verifiable Functional Purity in Java, Matthew Finifter, Adrian Mettler, Naveen Sastry, David Wagner; October 2008, Conference on Computer and Communications Security.