JML is a behavioral interface specification language tailored to Java(TM). Besides pre- and postconditions, it also allows assertions to be intermixed with Java code; these aid verification and debugging. JML is designed to be used by working software engineers; to do this it follows Eiffel in using Java expressions in assertions. JML combines this idea from Eiffel with the model-based approach to specifications, typified by VDM and Larch, which results in greater expressiveness. Other expressiveness advantages over Eiffel include quantifiers, specification-only variables, and frame conditions. This paper discusses the goals of JML, the overall approach, and describes the basic features of the language through examples. It is intended for readers who have some familiarity with both Java and behavioral specification using pre- and postconditions. Copyright c ○ 1998-2005 Iowa State University This paper is part of JML and is distributed under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. 1

The type and effect discipline is a new framework for reconstructing the principal type and the minimal effect of expressions in implicitly typed polymorphic functional languages that support imperative constructs. The type and effect discipline outperforms other polymorphic type systems. Just as types abstract collections of concrete values, effects denote imperative operations on regions. Regions abstract sets of possibly aliased memory locations. Effects are used to control type generalization in the presence of imperative constructs while regions delimit observable side-effects. The observable effects of an expression range over the regions that are free in its type environment and its type; effects related to local data structures can be discarded during type reconstruction. The type of an expression can be generalized with respect to the variables that are not free in the type environment or in the observable effect. 1 Introduction Type inference [12] is the process that automa...

A proof of the soundness of Tofte's imperative type discipline with respect to a structured operational semantics is given. The presentation is based on a semantic formalism that combines the benefits of the approaches considered by Wright and Felleisen, and by Tofte, leading to a particularly simple proof of soundness of Tofte's type discipline.

We describe a type system and typed semantics that use a hierarchy of monads to describe and delimit a variety of effects, including non-termination, exceptions, and state, in a call-by-value functional language. The type system and semantics can be used to organize and justify avariety of optimizing transformations in the presence of effects. In addition, we describe a simple monad inferencing algorithm that computes the minimum effect for each subexpression of a program, and provides more accurate effects information than local syntactic methods.

The goal of program analysis is to determine automatically properties of the run-time behavior of a program. Tools of software development, such as compilers, program-verification systems, and program-comprehension systems, are in large part based on program analyses. Most semantics-based program analyses model the runtime behavior of a program as a trace of execution states and compute a property of these states. Typically, this property is drawn from a predetermined language of semantic information, such as aliasing descriptions or types of values. The standard methodology of program analysis is to construct the property as a fixed point, a single execution step at a time. We explain that these ubiquitous methodological choices---the a priori choice of the describable program properties and the use of a fixed-point computation---have some fundamental limitations and can result in poor precision. In this dissertation, we present a different approach to semantics-based program analysis...

We present atype reconstruction algorithm for SCIR [10], atype system for a language with syntactic control of interference. SCIR guarantees that terms of passive type do not cause any side e ects, and that distinct identi ers do not interfere. A reconstruction algorithm for this type system must deal with di erent kinds (passive and general) and di erent uses of identi ers (passive and active). In particular, there may not be a unique choice of kinds for type variables. Our work extends SCIR typings with kind constraints. We show that principal type schemes exist for this extended system and outline an algorithm for computing them. 1

iii Acknowledgements vi 1

pour obtenir le dipl^ome d'Habilitation a Diriger des Recherches en Sciences de l'Universite de Paris XI. Pour completement apprecier le contenu de ces recherches, le lecteur pourra se reporter avec pro t au texte complet des articles donnes en annexe. 1 Remerciements L'ensemble de ces travaux n'aurait pu ^etre ce qu'il est sans le concours de nombreux chercheurs et amis qu'il m'est un plaisir de remercier ici: Au Centre de Recherche en Informatique (CRI) de l'Ecole des Mines de Paris, mon colocataire