This module provides contract annotations that support the specification of class-invariants,
pre- and post-conditions on Groovy classes and interfaces, loop invariants on
for, while, and do-while loops, and frame conditions declaring which fields a method may modify.
Special support is provided so that post-conditions may refer to the old value of variables
or to the result value associated with calling a method.
1. Applying @Invariant, @Requires and @Ensures
With Groovy contracts in your classpath, contracts can be applied on a Groovy
class or interface by using one of the annotations found in the groovy.contracts
package.
package acme
import groovy.contracts.*
@Invariant({ speed() >= 0 })
class Rocket {
int speed = 0
boolean started = true
@Requires({ isStarted() })
@Ensures({ old.speed < speed })
def accelerate(inc) { speed += inc }
def speed() { speed }
}
def r = new Rocket()
r.accelerate(5)
2. Enabling contracts with @Contracted
Contract processing is opt-in. By default, classes that simply mention the contract annotations
will have them processed; the @Contracted marker is used when you want to make the opt-in
explicit at the package level, or when you want to apply contract processing to a type that
doesn’t itself carry any contract annotations (for example, an empty class whose contract
comes entirely from inherited interfaces).
@Contracted may be placed on a package declaration (in a package-info.groovy /
package-info.java) to enable contract processing across every type in that package:
@Contracted
package com.acme.banking
import groovy.contracts.*
or on an individual type:
@Contracted
class Account { /* ... */ }
Once enabled, runtime assertion checking still honours the JVM’s -ea / -da flags;
@Contracted controls whether the AST transforms generate assertion code at compile time,
not whether the resulting assertions execute at run time.
3. More Features
Groovy contracts supports the following feature set:
-
definition of class invariants, pre- and post-conditions via @Invariant, @Requires and @Ensures
-
definition of loop invariants on
for,while, anddo-whileloops via @Invariant -
declaration of frame conditions (which fields a method may modify) via @Modifies
-
declaration of loop and recursion termination measures via @Decreases
-
inheritance of class invariants, pre- and post-conditions of concrete predecessor classes
-
inheritance of class invariants, pre- and post-conditions in implemented interfaces
-
usage of old and result variable in post-condition assertions
-
assertion injection in Plain Old Groovy Objects (POGOs)
-
human-readable assertion messages, based on Groovy power asserts
-
enabling contracts at package- or class-level with @Contracted
-
enable or disable contract checking with Java’s -ea and -da VM parameters
-
annotation contracts: a way to reuse reappearing contract elements in a project domain model
-
detection of circular assertion method calls
4. The Stack Example
Currently, Groovy contracts supports 3 annotations: @Invariant, @Requires and @Ensures – all of them work as annotations with closures, where closures allow you to specify arbitrary code pieces as annotation parameters:
import groovy.contracts.*
@Invariant({ elements != null })
class Stack<T> {
List<T> elements
@Ensures({ is_empty() })
def Stack() {
elements = []
}
@Requires({ preElements?.size() > 0 })
@Ensures({ !is_empty() })
def Stack(List<T> preElements) {
elements = preElements
}
boolean is_empty() {
elements.isEmpty()
}
@Requires({ !is_empty() })
T last_item() {
elements.get(count() - 1)
}
def count() {
elements.size()
}
@Ensures({ result == true ? count() > 0 : count() >= 0 })
boolean has(T item) {
elements.contains(item)
}
@Ensures({ last_item() == item })
def push(T item) {
elements.add(item)
}
@Requires({ !is_empty() })
@Ensures({ last_item() == item })
def replace(T item) {
remove()
elements.add(item)
}
@Requires({ !is_empty() })
@Ensures({ result != null })
T remove() {
elements.remove(count() - 1)
}
String toString() { elements.toString() }
}
def stack = new Stack<Integer>()
The example above specifies a class-invariant and methods with pre- and post-conditions. Note, that preconditions may reference method arguments and post-conditions have access to the method’s result with the result variable and old instance variables values with old.
Indeed, Groovy AST transformations change these assertion annotations into Java assertion statements (can be turned on and off with a JVM param) and inject them at appropriate places, e.g. class-invariants are used to check an object’s state before and after each method call.
5. Annotation closure rules
-
Invariants should reference class fields only.
-
Preconditions may reference class fields and arguments.
-
Postconditions may reference class fields, arguments, the
resultand the old value of class fields using the syntaxold.fieldname.
Old values of class fields will only be stored where Groovy
contracts knows how to make a copy. Currently, this means
fields with a Cloneable class type, primitives, the primitive
wrapper types, BigInteger, BigDecimal, and G/Strings.
6. Use within scripts
Currently, Groovy contracts intentionally doesn’t support scripts, but you can use them with JEP-445 compatible scripts from Groovy 5 as shown in this example:
import groovy.contracts.*
import org.apache.groovy.contracts.*
import static groovy.test.GroovyAssert.shouldFail
@Requires({ arg > 0 })
@Ensures({ result < arg })
def sqrt(arg) { Math.sqrt(arg) }
def main() {
assert sqrt(4) == 2
shouldFail(PreconditionViolation) { sqrt(-1) }
}
You could even place an @Invariant annotation on the main method
and it will be moved to the generated script class.
7. Loop Invariants
In addition to class-level invariants, @Invariant can be placed directly on
for, while, and do-while loops. A loop invariant is a condition that must
hold at the start of each iteration. If the condition is violated, a
LoopInvariantViolation (a subclass of AssertionError) is thrown.
This is inspired by design-by-contract constructs found in languages like Dafny and Eiffel.
7.1. For loop
import groovy.contracts.Invariant
int sum = 0
@Invariant({ 0 <= i && i <= 4 })
for (int i in 0..4) {
sum += i
}
assert sum == 10
7.2. While loop
import groovy.contracts.Invariant
int n = 10
@Invariant({ n >= 0 })
while (n > 0) {
n--
}
assert n == 0
7.3. Multiple invariants
Multiple @Invariant annotations can be stacked on a single loop, and each
condition is checked independently at the start of every iteration:
import groovy.contracts.Invariant
int sum = 0
@Invariant({ sum >= 0 })
@Invariant({ sum <= 100 })
for (int i in 1..5) {
sum += i
}
assert sum == 15
7.4. Rules for loop invariant closures
-
The closure should be a boolean expression (or multiple expressions).
-
The closure may reference any variables visible in the enclosing scope, including the loop variable.
-
Assignment operators and state-changing postfix/prefix operators are not supported inside the closure.
8. Termination with @Decreases
@Decreases declares a termination measure (a variant): a value that must
strictly decrease through a well-founded sequence, guaranteeing progress towards
termination. It applies in two places:
-
on a loop (
for/while/do-while) — the measure must decrease on every iteration; and -
on a method — the measure must decrease on every recursive re-entry.
In both cases the closure must yield a value whose successive values form a strictly decreasing, well-founded sequence. Two value shapes are supported:
-
A single
Comparablevalue — usually numeric — that strictly decreases on every iteration. If the value is also aNumber, it must additionally remain non-negative. -
A
ListofComparableelements, compared lexicographically: the first position at which consecutive values differ must show a strict decrease, and earlier positions must be equal. This is the natural way to express termination for nested loops (e.g. `[i, j]`).
If the variant fails to decrease (or a numeric scalar variant becomes negative),
a LoopVariantViolation is thrown for a loop and a RecursionVariantViolation
for a method (both subclasses of AssertionError).
This is inspired by similar constructs in design-by-contract languages such as Dafny and Eiffel.
@Decreases is incubating in Groovy 6.0.0. The contract — in particular
the scalar non-negativity rule and the lexicographic shape for List variants —
may be relaxed or extended in a future release based on usage feedback.
|
8.1. While loop
import groovy.contracts.Decreases
int n = 10
@Decreases({ n })
while (n > 0) {
n--
}
assert n == 0
8.2. For loop
import groovy.contracts.Decreases
int remaining = 5
@Decreases({ remaining })
for (int i = 0; i < 5; i++) {
remaining--
}
assert remaining == 0
8.3. Lexicographic (tuple) variants
For nested loops where no single counter strictly decreases on every iteration,
return a List whose elements form a tuple compared lexicographically. In the
example below the outer counter stays equal while the inner one decreases, then
the outer one decreases and the inner one is allowed to reset:
import groovy.contracts.Decreases
int outer = 2, inner = 3
@Decreases({ [outer, inner] })
while (outer > 0) {
if (inner > 0) {
inner--
} else {
outer--
inner = 3
}
}
assert outer == 0
8.4. Recursive methods
On a method, the measure is a function of the method’s parameters and must strictly
decrease on every recursive re-entry — the recursion analogue of a loop variant.
At runtime the value is captured on entry and compared against the nearest enclosing
invocation of the same method (per thread); a non-decreasing or negative measure throws
a RecursionVariantViolation, turning a non-terminating recursion into an immediate,
localised error rather than a StackOverflowError:
import groovy.contracts.Decreases
@Decreases({ n }) // strictly decreases on every recursive call
int factorial(int n) {
n <= 1 ? 1 : n * factorial(n - 1)
}
assert factorial(5) == 120
The bookkeeping is per method and per thread, so it also handles mutual recursion
(each participant must decrease its own measure on its own re-entry) and recursion
through callbacks. Like @Requires/@Ensures, a method @Decreases is inherited:
an override that does not redeclare it inherits its parent’s measure (with the parent’s
parameter names re-mapped to the override’s); an override may declare its own
@Decreases to refine it.
8.5. Rules for @Decreases closures
-
The closure must return a
Comparablevalue or aListofComparableelements. -
For a loop, the value is evaluated at the start and end of each iteration; for a method, on each entry. The new value must be strictly less than the previous one (lexicographically, for
Listvariants). -
For numeric scalar variants, the value must also remain
>= 0. This non-negativity rule does not apply to non-NumberComparablevalues (e.g. `String`) or toListvariants. -
A loop measure may reference any variable visible in the enclosing scope; a method measure is over the method’s parameters (it is evaluated on entry, so it cannot reference the method’s
result). -
Checks honour the JVM’s
-ea/-daassertion configuration for the enclosing class, as preconditions and postconditions do. -
Recursion measure inheritance currently requires the parent to be compiled in the same unit; an override of a method from a precompiled (binary) supertype is not yet instrumented.
9. Frame Conditions with @Modifies
The @Modifies annotation declares which fields or parameters a method is allowed to modify.
All other state is implicitly declared unchanged. This is known as a frame condition in
design-by-contract terminology, inspired by similar constructs in Dafny and JML.
@Modifies does not generate runtime assertion code — it serves as a specification
for humans and tools (including AI) to reason about what a method changes.
9.1. Basic usage
Use this.fieldName to declare that a field may be modified:
@Modifies({ this.items })
void addItem(String item) {
items.add(item)
}
For multiple fields, use a list expression:
@Modifies({ [this.items, this.count] })
void addAndCount(String item) {
items.add(item)
count++
}
Or use multiple @Modifies annotations (via @Repeatable):
@Modifies({ this.items })
@Modifies({ this.count })
void addAndCount(String item) { ... }
9.2. Parameter references
Method parameters can also be declared as modifiable:
@Modifies({ arr })
void fillArray(int[] arr) {
for (int i = 0; i < arr.length; i++) {
arr[i] = i
}
}
9.3. Interaction with @Ensures
When both @Modifies and @Ensures are present on a method, a compile-time check
ensures that the old variable in the postcondition only references fields declared
in @Modifies. Referencing a field via old that is not in the modification set
produces a compile error:
@Modifies({ this.items })
@Ensures({ old -> old.items.size() < items.size() }) // OK: items is declared
void addItem(String item) { ... }
@Modifies({ this.items })
@Ensures({ old -> old.count == count }) // ERROR: count not declared in @Modifies
void addItem(String item) { ... }
9.4. Compile-time validation
The @Modifies annotation validates at compile time that:
-
Field references (
this.fieldName) refer to fields that exist on the class. -
Parameter references refer to actual parameters of the method.
-
If
@Ensuresis also present,old.fieldNamereferences only access fields declared in@Modifies.
9.5. Rules for @Modifies closures
-
The closure must contain a single field reference (
this.field), parameter reference (param), or a list of such references. -
Field references use the
this.fieldNamesyntax. -
Parameter references use the bare parameter name.
-
The closure is not executed at runtime — it is only analyzed at compile time.
9.6. Verifying method bodies with ModifiesChecker
While @Modifies alone is a compile-time-checked specification (validating field/parameter
existence and @Ensures consistency), it does not verify the method body itself. For that,
the groovy-typecheckers module provides the ModifiesChecker type checking extension:
@TypeChecked(extensions = 'groovy.typecheckers.ModifiesChecker')
When enabled, the checker verifies that method bodies only modify fields declared in
@Modifies, and that method calls on non-modifiable receivers use only non-mutating
operations. See the Type Checkers documentation for details.