The Kestrel Interactive Development System (KIDS) provides automated sup- port for the development of correct and efficient programs from formal specifications.

Object-oriented programming languages promise to improve programmer productivity by supporting abstract data types, inheritance, and message passing directly within the language. Unfortunately, traditional implementations of object-oriented language features, particularly message passing, have been much slower than traditional implementations of their non-object-oriented counterparts: the fastest existing implementation of Smalltalk-80 runs at only a tenth the speed of an optimizing C implementation. The dearth of suitable implementation technology has forced most object-oriented languages to be designed as hybrids with traditional non-object-oriented languages, complicating the languages and making programs harder to extend and reuse. This dissertation describes a collection of implementation techniques that can improve the run-time performance of object-oriented languages, in hopes of reducing the need for hybrid languages and encouraging wider spread of purely object-oriented langu...

Software is being applied in an ever-increasing number of areas. Computer programs and systems are becoming more complex and consisting of more delicately interconnected components. Errors surfacing in programs are still a conspicuous and costly problem. It's about time we employ some techniques that guide us toward higher reliability of practical programs. The goal of this thesis is just that. This thesis presents a theory for verifying programs based on Dijkstra's weakestprecondition calculus. A variety of program paradigms used in practice, such as exceptions, procedures, object orientation, and modularity, are dealt with. The thesis sheds new light on the theory behind programs with exceptions. It develops an elegant algebra, and shows it to be the foundation on which the semantics of exceptions rests. It develops a trace semantics for programs with exceptions, from which the weakest-precondition semantics is derived. It also proves a theorem on programming methodology relating to ...

How can a computer program developer ensure that a program actually implements its intended purpose? This article describes a method for checking the correctness of certain types of computer programs. The method is used commercially in the development of programs implemented as integrated circuits and is applicable to the development of “control-intensive ” software programs as well. “Divide-and-conquer ” techniques central to this method apply to a broad range of program verification methodologies. Classical methods for testing and quality control no longer are sufficient to protect us from communication network collapses, fatalities from medical machinery malfunction, rocket guidance failure, or a half-billion dollar commercial loss due to incorrect arithmetic in a popular integrated circuit. These sensational examples are only the headline cases. Behind them are multitudes of mundane programs whose failures merely infuriate their users and cause increased costs to their producers. A source of such problems is the growth in program complexity. The more a program controls, the more types of interactions it supports. For example, the telephone “call-forwarding ” service (forwarding incoming calls to a customer-designated number) interacts with the “billing ” program that must determine whether the forwarding number or the calling number gets charged for the additional connection to the customer-designated number. At the same time, call-forwarding interacts with the “connection ” program that deals with the issue of

This report summarises the results of the discussions of a working group on model transformation of the Dagstuhl Seminar on Language Engineering for Model-Driven Software Development. The main contribution is a taxonomy of model transformation. This taxonomy can be used to help developers in deciding which model transformation approach is best suited to deal with a particular problem.

Aspect-oriented programming is a promising paradigm that challenges traditional notions of program modularity. Despite its increasing acceptance, aspects have been documented to suffer limited reuse, hard to predict behavior, and difficult modular reasoning. We develop an algebraic model that relates aspects to program transformations and uncovers aspect composition as a significant source of the problems mentioned. We propose an alternative model of composition that eliminates these problems, preserves the power of aspects, and lays an algebraic foundation on which to build and understand AOP tools. 1

A lattice theoretic framework for the calculus of program refinement is presented. Specifications and program statements are combined into a single (infinitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be defined as derived notions in this language. The notion of inverse statements is defined and its use in formalizing the notion of data refinement is shown.

A rely/guarantee specification for a program P is a specification of the form R oe G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees to provide in return. This paper presents a proof technique that permits us to infer that a program P satisfies a rely/guarantee specification R oe G, given that we know P satisfies a finite collection of rely/guarantee specifications R i oe G i ; (i 2 I). The utility of the proof technique is illustrated by using it to derive global liveness properties of a system of concurrent processes from a collection of local liveness properties satisfied by the component processes. The use of the proof rule as a design principle, and the possibility of its incorporation into a formal logic of rely/guarantee assertions, is also discussed. 1 Introduction A rely/guarantee specification for a program P...

An approach to dynamically updating a computer pro-gram, i.e., updating while it is executing, is presented. Dynamic updating is crucial in applications where the cost of stopping and restarting the program makes doing so impractical. The presented system works with programs written in procedural languages such as Pascal and C. It is assumed that computer programs are written in a top-down manner consistent with good software engineering practices. Also assumed is that the underlying computer system logically provides a network-wide sparse virtual address space. Using these assumptions, it is possible to update computer programs with minimum interruption to the running program. By partitioning the address space into a num-ber of version spaces, the handling of multiple simulta-neous updates is possible. This allows one update to begin before previous updates complete. Via appropri-ate mapping mechanisms, old versions of procedures may call new procedures and maintain consistency. An overview of the design and implementation of a working prototype updating system is discussed and a sample updating session is illustrated. 1.

Two programming paradigms are gaining attention in the overlapping fields of software product lines (SPLs) and incremental software development (ISD). Feature-oriented programming (FOP) aims at large-scale compositional programming and feature modularity in SPLs using ISD. Aspect-oriented programming (AOP) focuses on the modularization of crosscutting concerns in complex software. Although feature modules, the main abstraction mechanisms of FOP, perform well in implementing large-scale software building blocks, they are incapable of modularizing certain kinds of crosscutting concerns. This weakness is exactly the strength of aspects, the main abstraction mechanisms of AOP. We contribute a systematic evaluation and comparison of FOP and AOP. It reveals that aspects and feature modules are complementary techniques. Consequently, we propose the symbiosis of FOP and AOP and aspectual feature modules (AFMs), a programming technique that integrates feature modules and aspects. We provide a set of tools that support implementing AFMs on top of Java and C++. We apply AFMs to a nontrivial case study demonstrating their practical applicability and to justify our design choices.