. Amidst rocketing numbers of enthusiastic Java programmers and internet applet users, there is growing concern about the security of executing Java code produced by external, unknown sources. Rather than waiting to find out empirically what damage Java programs do, we aim to examine first the language and then the environment looking for points of weakness. A proof of the soundness of the Java type system is a first, necessary step towards demonstrating which Java programs won't compromise computer security. We consider a type safe subset of Java describing primitive types, classes, inheritance, instance variables and methods, interfaces, shadowing, dynamic method binding, object creation, null and arrays. We argue that for this subset the type system is sound, by proving that program execution preserves the types, up to subclasses/subinterfaces. 1 Introduction Before the first complete Java language description was available [13] use of the language was extremely widespread and the ...

iii To Cindy,

Generic programming in C++ is characterized by the use of template parameters to represent abstract data types (or "concepts"). However, the C++ language itself does not provide a mechanism for explicitly handling concepts. As a result, it can be difficult to insure that a concrete type meets the requirements of the concept it is supposed to represent. Error messages resulting from incorrect use of a concrete type can be particularly difficult to decipher. In this paper we present techniques to check parameters in generic C++ libraries. Our techniques use standard C++ and introduce no run-time overhead.

Design patterns are distilled from many real systems to catalog common programming practice. We have analyzed several published design patterns and looked for patterns of working around constraints of the implementation language. Some object-oriented design patterns are distorted or overly complicated because of the lack of supporting language constructs or mechanisms. Welay a groundwork of generalpurpose language constructs and mechanisms that, if provided by a statically typed, object-oriented language, would better support the implementation of design patterns and, thus, benefit the construction of many real systems. In particular, our catalog of language constructs includes subtyping separate from inheritance, lexically scoped closure objects independent of classes, and multimethod dispatch. The proposed constructs and mechanisms are not radically new, but rather are adopted from a varietyof languages and combined in a new, orthogonal manner. We argue that by describing design patterns in terms of the proposed constructs and mechanisms, pattern descriptions become simpler and, therefore, accessible to a larger number of language communities. Constructs and mechanisms lacking in a particular language can be implemented using paradigmatic idioms.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

We argue that the Java type system is sound, by proving a subject reduction theorem. We define a subset of Java, a language which is safe and which reflects the most essential features of Java, a term rewriting system for the operational semantics and a type inference system to describe compile time type checking. We prove that program execution preserves the types, up to the subclass/subinterface relationship. 1 Introduction 1.1 Motivation Java [17] is a rapidly spreading programming language which aims to support safe distributed programming on the Internet. According to its developers[17], it is a "simple robust object-oriented platform independent multi-threaded dynamic general purpose programming environment. It's best for creating applets and applications for the Internet, intranets and any other complex, distributed network." Even before the first complete language description was available [14] use of the language was extremely widespread and the rate of increase in usage is ...

In this paper we overview the design and implementation of a language extension to C++ for abstracting types and for decoupling subtyping and inheritance. This extension gives the user more of the flexibility of dynamic typing while retaining the efficiency and security of static typing. We discuss the syntax and semantics of this language extension, show examples of its use, and present and analyze the cost of three different implementation techniques: a preprocessor to a C++ compiler, an implementation in the front end of a C++ compiler, and a low-level back-end based implementation.

this paper does not obey the subsumption rule. For instance, the type of aPhil.like is Phil, but the type of pascal.like

In Java, an interface specifies public abstract methods and associated public constants. Conformance of a class to an interface is by name. We propose to allow structural conformance to interfaces: Any class or interface that declares or implements each method in a target interface conforms structurally to the interface, and any expression of the source class or interface type can be used where a value of the target interface type is expected. We argue that structural conformance results in a major gain in flexibility in situations that require retroactive abstraction over types.

Software often goes through a variety of extensions during its lifetime: adding new fields or new variants to a data structure, retroactively creating new type abstractions, and adding new operations on a data structure. As characterized by the extensibility problem, it should be possible to apply any combination of these types of extensions in any order. Mainstream