In this paper we study the fragile base class problem. This problem occurs in open object-oriented systems employing code inheritance as an implementation reuse mechanism. System developers unaware of extensions to the system developed by its users may produce a seemingly acceptable revision of a base class which may damage its extensions. The fragile

The refinement calculus for the development of programs from specifications is well suited to mechanised support. We review the requirements for tool support of refinement as gleaned from our experience with a number of existing refinement tools, and report on the design and implementation of a new tool to support refinement based on these requirements. The main features of the new tool are close integration of refinement and proof in a single tool (the same mechanism is used for both), good management of the refinement context, an extensible theory base that allows the tool to be adapted to new application domains, and a flexible user interface.

. Embedded real-time programs can be succinctly specified using timed traces. Each sequentially executed statement acts to define a distinct trace segment. An elegant way of defining the effect of such statements is as trace `coercers' that impose constraints on existing, but underspecified, traces. Unfortunately this model fails the usual refinement calculus feasibility test. Here we overcome this by proving that the coercive model is equivalent to a trace `extending' model that does pass the test. The proof is itself interesting because it adopts non-standard data refinement techniques. 1 Introduction The overall behaviour of an embedded real-time program is most succinctly specified using timed traces which record the value of each system variable at each moment in time. Ideally, each such trace requirement should then be refinable to a sequence of actions on consecutive trace segments that collectively achieve the total desired trace. A number of ways of sequentially con...

A program can be refined either by transforming the whole program or by refining one of its components. The refinement of a component is, for the main part, independent of the remainder of the program. However, refinement of a component can depend on the context of the component for information about the variables that are in scope and what their types are. The refinement can also take advantage of additional information, such as any precondition the component can assume. The aim of this paper is to introduce a technique, which we call program window inference, to handle such contextual information during derivations in the refinement calculus. The idea is borrowed from a technique, called window inference, for handling context in theorem proving. Window inference is the primary proof paradigm of the Ergo proof editor. This tool has been extended to mechanize refinement using program window inference.

In this paper we study the problem of semantic substitutability of objects. First we give semantics of classes, objects and inheritance in the presence of dynamic binding. For this purpose we extend Cook and Palsberg's denotational semantics of stateless classes and inheritance by adding state. We build our theory on the basis of the refinement calculus, which is a logic framework for reasoning about conformance of programs to their specifications and program refinement. We derive class refinement from the notion of abstract data type refinement as a criterion of object substitutability. We illustrate our model of classes and objects with an example and show how refinement between classes can be proved in practice.