Results 1 - 10 of 45
Ownership Confinement Ensures Representation Independence for Object-Oriented Programs
2002
Cited by 72 (32 self)
This paper formulates representation independence for classes, in an imperative, object-oriented language with pointers, subclassing and dynamic dispatch, class-oriented visibility control, recursive types and methods, and a simple form of module. An instance of a class is considered to implement an abstraction using private fields and so-called representation objects. Encapsulation of representation objects is expressed by a restriction, called confinement, on aliasing. Representation independence is proved for programs satisfying the confinement condition. A static analysis is given for confinement that accepts common designs such as the observer and factory patterns. The formalization takes into account not only the usual interface between a client and a class that provides an abstraction but also the interface (often called "protected") between the class and its subclasses.
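Added example (editor's illustration in Python, not code from the paper): a class that lets a representation object escape to a client is not confined, and a client holding that alias can break the class invariant without calling any public mutator; two confined implementations with different representations are indistinguishable to a confined client. The class names, the capacity invariant and the client scripts are constructed for the example.

```python
"""Representation exposure versus confinement (constructed illustration).

LeakyBoundedSet hands out its representation list; ConfinedBoundedSet and
ConfinedBoundedSetAlt keep their representation objects confined and are
observably equivalent to a client that only uses the public interface."""

from typing import List, Set


class LeakyBoundedSet:
    """Set of ints with a capacity invariant, kept in a private list.

    items() returns the representation object itself, so any client holding
    the returned list can grow it past capacity or add duplicates without
    going through add()."""

    def __init__(self, capacity: int) -> None:
        self._capacity = capacity
        self._items: List[int] = []

    def add(self, x: int) -> bool:
        if x in self._items or len(self._items) >= self._capacity:
            return False
        self._items.append(x)
        return True

    def items(self) -> List[int]:
        return self._items             # representation exposure: the alias escapes

    def invariant_holds(self) -> bool:
        return (len(self._items) <= self._capacity
                and len(set(self._items)) == len(self._items))


class ConfinedBoundedSet(LeakyBoundedSet):
    """Same interface and representation; the only change is that items()
    returns a fresh list, so the representation object never escapes."""

    def items(self) -> List[int]:
        return sorted(self._items)     # copy: the rep object stays confined


class ConfinedBoundedSetAlt:
    """A second representation (a builtin set) behind the same interface.
    Representation independence: a confined client cannot tell this class
    apart from ConfinedBoundedSet."""

    def __init__(self, capacity: int) -> None:
        self._capacity = capacity
        self._items: Set[int] = set()

    def add(self, x: int) -> bool:
        if x in self._items or len(self._items) >= self._capacity:
            return False
        self._items.add(x)
        return True

    def items(self) -> List[int]:
        return sorted(self._items)

    def invariant_holds(self) -> bool:
        return len(self._items) <= self._capacity


def client_attack(s) -> bool:
    """A client using only the public interface plus whatever items() returns.
    Returns True if it managed to break the invariant."""
    s.add(1)
    view = s.items()
    view.append(1)                     # duplicate
    view.extend(range(100))            # far past the capacity of 3
    return not s.invariant_holds()


def observe(s) -> list:
    """A confined client's view: the trace of add() results and the final contents."""
    trace: list = [s.add(x) for x in (5, 3, 5, 9, 1)]
    trace.append(s.items())
    return trace
```

The attack succeeds only against the leaky class; the two confined classes return identical traces to `observe`, which is what representation independence promises for confined programs.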
Refinement Calculus, Part I: Sequential Nondeterministic Programs
Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness. Proceedings. 1989, Volume 430 of Lecture Notes in Computer Science, 1989
Cited by 63 (3 self)
A lattice-theoretic framework for the calculus of program refinement is presented. Specifications and program statements are combined into a single (infinitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be defined as derived notions in this language. The notion of inverse statements is defined and its use in formalizing the notion of data refinement is shown.
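Added example (editor's illustration in Python, not code from the paper): the weakest-precondition view of statements as predicate transformers over a tiny finite state space, with abort and the miraculous statement as bottom and top of the lattice, demonic and angelic choice as meet and join, the conditional as a derived notion, and refinement checked as pointwise inclusion of weakest preconditions. The state space (x ranging over 0..3), the specification and the implementation are constructed.

```python
"""Weakest preconditions and refinement over a finite state space (constructed)."""

from itertools import chain, combinations
from typing import Callable, FrozenSet, Iterator, Set

State = int
Pred = FrozenSet[State]
PT = Callable[[Pred], Pred]          # postcondition -> weakest precondition

STATES: Pred = frozenset(range(4))   # x ranges over 0..3


def pred(f: Callable[[State], bool]) -> Pred:
    """Predicate as the set of states satisfying f."""
    return frozenset(s for s in STATES if f(s))


def all_preds() -> Iterator[Pred]:
    """Every predicate over STATES: the full lattice of 2^4 subsets."""
    xs = sorted(STATES)
    return (frozenset(c) for c in chain.from_iterable(
        combinations(xs, k) for k in range(len(xs) + 1)))


# Primitive statements.
skip: PT = lambda q: q
abort: PT = lambda q: frozenset()    # establishes nothing: bottom of the lattice
magic: PT = lambda q: STATES         # the miraculous statement: top of the lattice


def assign(f: Callable[[State], State]) -> PT:
    """x := f(x); wp is substitution, i.e. the inverse image of q under f."""
    return lambda q: pred(lambda s: f(s) in q)


def choose(f: Callable[[State], Set[State]]) -> PT:
    """Demonic nondeterministic assignment x :in f(x): every outcome must satisfy q."""
    return lambda q: pred(lambda s: f(s) <= q)


def assume(p: Pred) -> PT:
    """Guard [p]: wp = (p implies q); miraculous where p is false."""
    return lambda q: (STATES - p) | q


def assert_(p: Pred) -> PT:
    """Assertion {p}: wp = (p and q); aborts where p is false."""
    return lambda q: p & q


# Combinators.
def seq(s: PT, t: PT) -> PT:
    return lambda q: s(t(q))


def demonic(s: PT, t: PT) -> PT:     # meet: the environment picks the branch
    return lambda q: s(q) & t(q)


def angelic(s: PT, t: PT) -> PT:     # join: the program picks the branch
    return lambda q: s(q) | t(q)


def cond(b: Pred, s: PT, t: PT) -> PT:
    """if b then s else t, as a derived notion: ([b]; s) meet ([not b]; t)."""
    return demonic(seq(assume(b), s), seq(assume(STATES - b), t))


def refines(s: PT, t: PT) -> bool:
    """s is refined by t iff wp(s, q) is a subset of wp(t, q) for every q."""
    return all(s(q) <= t(q) for q in all_preds())


def is_monotonic(s: PT) -> bool:
    return all(s(p) <= s(q) for p in all_preds() for q in all_preds() if p <= q)


# Constructed demonstration: the specification "set x to any value >= 2" is
# refined by the program x := 3, but not conversely.
SPEC = choose(lambda s: {2, 3})
IMPL = assign(lambda s: 3)
```

Because the state space is finite, `refines` and `is_monotonic` are decided by exhaustive enumeration of the 16 predicates; on a real state space the same inclusions would be discharged by proof, which is what the refinement calculus provides.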
Products in the Refinement Calculus
1999
Cited by 36 (2 self)
We study program states that are described as tuples, i.e., product state spaces. Modeling programs as predicate transformers, we define a product operator on program statements that describes the independent execution of statements on disjoint state spaces. The algebraic properties of this product operator are studied, in particular the basic monotonicity and distributivity properties that the operator has, and their applications. We also consider how to extend the state space by adding new state components, and show how this is modeled using the product operator. Finally, we show how products are useful to formulate data refinement, both as a general concept and as a technique for replacing local state components of program blocks.
The Refinement Calculator: Proof Support for Program Refinement
Formal Methods Pacific '97, 1997
Cited by 31 (4 self)
We describe the Refinement Calculator, a tool which supports ...
A CSP Approach To Action Systems
1992
Cited by 27 (7 self)
The communicating sequential processes (CSP) formalism, introduced by Hoare [Hoa85], is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan [Mor90a] has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [Mor90a], Woodcock & Morgan [WM90] have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model [Ros88] in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence is then extended to include a notion of internal action. This allows the ...
Type-safe two-level data transformation
Number 4085 in LNCS, 2006
Cited by 22 (15 self)
A two-level data transformation consists of a type-level transformation of a data format coupled with value-level transformations of data instances corresponding to that format. Examples of two-level data transformations include XML schema evolution coupled with document migration, and data mappings used for interoperability and persistence. We provide a formal treatment of two-level data transformations that is type-safe in the sense that the well-formedness of the value-level transformations with respect to the type-level transformation is guarded by a strong type system. We rely on various techniques for generic functional programming to implement the formalization in Haskell. The formalization addresses various two-level transformation scenarios, covering fully automated as well as user-driven transformations, and allowing transformations that are information-preserving or not. In each case, two-level transformations are disciplined by one-step transformation rules and type-level transformations induce value-level transformations. We demonstrate an example hierarchical-relational mapping and subsequent migration of relational data induced by hierarchical format evolution.
Keywords: Two-level transformation, Program calculation, Refinement calculus, Strategic term rewriting, Generalized abstract datatypes, Generic programming,
Strongly typed rewriting for coupled software transformation
Proc. 7th Int. Workshop on Rule-Based Programming (RULE 2006), ENTCS, 2006
Cited by 22 (8 self)
Coupled transformations occur in software evolution when multiple artifacts must be modified in such a way that they remain consistent with each other. An important example involves the coupled transformation of a data type, its instances, and the programs that consume or produce it. Previously, we have provided a formal treatment of transformation of the first two: data types and instances. The treatment involved the construction of type-safe, type-changing strategic rewrite systems. In this paper, we extend our treatment to the transformation of corresponding data processing programs. The key insight underlying the extension is that both data migration functions and data processors can be represented type-safely by a generalized abstract data type (GADT). These representations are then subjected to program calculation rules, harnessed in type-safe, type-preserving strategic rewrite systems. For ease of calculation, we use point-free representations and corresponding calculation rules. Thus, coupled transformations are carried out in two steps. First, a type-changing rewrite system is applied to a source type to obtain a target type together with (representations of) migration functions between source and target. Then, a type-preserving rewrite system is applied to the composition of a migration function and a data processor on the source (or target) type to obtain a data processor on the target (or source) type. All rewrites are type-safe.
Key words: Program transformation, term rewriting, strategic programming, generalized abstract datatypes, data refinement.
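Added example (editor's illustration in Python, not the Haskell implementation from the two papers above): one-step type-level rewrite rules on a flat record format, each of which induces the value-level migration functions between source and target format, composed into an evolution whose forward and backward migrations are composed accordingly. The papers guard well-formedness statically with a strong type system (GADTs); here a runtime conformance check on every migration stands in for that guarantee. The record types, rules and sample values are constructed.

```python
"""Two-level data transformation: type-level rules induce value-level migrations
(constructed illustration; runtime type checks stand in for the papers' GADTs)."""

from dataclasses import dataclass
from typing import Any, Callable, Dict, Mapping, Optional, Tuple

Value = Dict[str, Any]


@dataclass
class Rec:
    """Type-level description of a flat record: field name -> Python type."""
    fields: Mapping[str, type]

    def with_field(self, name: str, t: type) -> "Rec":
        return Rec({**self.fields, name: t})

    def without(self, name: str) -> "Rec":
        return Rec({k: v for k, v in self.fields.items() if k != name})


def conforms(v: Value, r: Rec) -> bool:
    return set(v) == set(r.fields) and all(isinstance(v[k], t) for k, t in r.fields.items())


def guarded(r: Rec, f: Callable[[Value], Value]) -> Callable[[Value], Value]:
    """Value-level function that refuses any input not of type r."""
    def g(v: Value) -> Value:
        if not conforms(v, r):
            raise TypeError(f"value {v!r} does not conform to {r.fields}")
        return f(v)
    return g


@dataclass
class TwoLevel:
    """A type-level step (source -> target) coupled with the value-level
    migrations it induces: to (forward) and frm (backward)."""
    source: Rec
    target: Rec
    to: Callable[[Value], Value]
    frm: Callable[[Value], Value]

    def then(self, rule: Callable[[Rec], "TwoLevel"]) -> "TwoLevel":
        """Sequential composition: apply the rule to the current target type
        and compose the induced migrations in the matching directions."""
        nxt = rule(self.target)
        return TwoLevel(self.source, nxt.target,
                        lambda v: nxt.to(self.to(v)),
                        lambda v: self.frm(nxt.frm(v)))


Rule = Callable[[Rec], TwoLevel]


def identity(r: Rec) -> TwoLevel:
    return TwoLevel(r, r, guarded(r, dict), guarded(r, dict))


def add_field(name: str, t: type, default: Any) -> Rule:
    """Information-preserving: the backward migration just forgets the field."""
    def rule(r: Rec) -> TwoLevel:
        tgt = r.with_field(name, t)
        return TwoLevel(r, tgt,
                        guarded(r, lambda v: {**v, name: default}),
                        guarded(tgt, lambda v: {k: x for k, x in v.items() if k != name}))
    return rule


def rename_field(old: str, new: str) -> Rule:
    """Information-preserving in both directions."""
    def rule(r: Rec) -> TwoLevel:
        tgt = r.without(old).with_field(new, r.fields[old])
        swap = lambda a, b: (lambda v: {(b if k == a else k): x for k, x in v.items()})
        return TwoLevel(r, tgt, guarded(r, swap(old, new)), guarded(tgt, swap(new, old)))
    return rule


def drop_field(name: str, default: Any) -> Rule:
    """Not information-preserving: the backward migration can only refill a default."""
    def rule(r: Rec) -> TwoLevel:
        tgt = r.without(name)
        return TwoLevel(r, tgt,
                        guarded(r, lambda v: {k: x for k, x in v.items() if k != name}),
                        guarded(tgt, lambda v: {**v, name: default}))
    return rule


def try_migrate(t: TwoLevel, v: Value) -> Tuple[bool, Optional[Value]]:
    """Forward migration that reports an ill-typed input instead of raising."""
    try:
        return True, t.to(v)
    except TypeError:
        return False, None


# Constructed scenario: evolve a user record format step by step.
USER = Rec({"name": str, "age": int})
SAMPLE: Value = {"name": "ada", "age": 36}
EVOLUTION = (identity(USER)
             .then(add_field("email", str, ""))
             .then(rename_field("age", "years")))
LOSSY = EVOLUTION.then(drop_field("name", "unknown"))
```

Running `EVOLUTION.frm(EVOLUTION.to(SAMPLE))` recovers the original record because both steps are information-preserving; `LOSSY` is not, and its backward migration can only refill the dropped field with the default. A value that does not conform to the source type is rejected before any migration runs.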
Generic Point-free Lenses
In International Conference on Mathematics of Program Construction (MPC), Québec City, QC, 2010
Cited by 18 (10 self)
Lenses are one of the most popular approaches to define bidirectional transformations between data models. A bidirectional transformation with view-update, denoted a lens, encompasses the definition of a forward transformation projecting concrete models into abstract views, together with a backward transformation instructing how to translate an abstract view to an update over concrete models. In this paper we show that most of the standard point-free combinators can be lifted to lenses with suitable backward semantics, allowing us to use the point-free style to define powerful bidirectional transformations by composition. We also demonstrate how to define generic lenses over arbitrary inductive data types by lifting standard recursion patterns, like folds or unfolds. To exemplify the power of this approach, we "lensify" some standard functions over naturals and lists, which are tricky to define directly "by hand" using explicit recursion.
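Added example (editor's illustration in Python, not the paper's Haskell library): a lens as a get/put pair, the standard point-free combinators (composition, product, projections) lifted to lenses, the fold `length` lifted to a lens whose put rebuilds the list, and a checker for the two well-behavedness laws (GetPut and PutGet) that also catches a put that ignores its update. The sample data and the law checker are constructed.

```python
"""Point-free lens combinators with a well-behavedness checker (constructed)."""

from dataclasses import dataclass
from typing import Any, Callable, Generic, List, Sequence, Tuple, TypeVar

C = TypeVar("C")   # concrete (source) model
A = TypeVar("A")   # abstract view
B = TypeVar("B")


@dataclass(frozen=True)
class Lens(Generic[C, A]):
    get: Callable[[C], A]
    put: Callable[[A, C], C]        # put(new_view, old_source) -> new_source

    def then(self, other: "Lens[A, B]") -> "Lens[C, B]":
        """Composition: view through self, then through other; put goes back
        through other against the intermediate view, then through self."""
        return Lens(lambda c: other.get(self.get(c)),
                    lambda b, c: self.put(other.put(b, self.get(c)), c))


def identity_lens() -> Lens[Any, Any]:
    return Lens(lambda c: c, lambda a, _c: a)


def fst_lens() -> Lens[Tuple[Any, Any], Any]:
    return Lens(lambda p: p[0], lambda a, p: (a, p[1]))


def snd_lens() -> Lens[Tuple[Any, Any], Any]:
    return Lens(lambda p: p[1], lambda a, p: (p[0], a))


def product(l1: Lens, l2: Lens) -> Lens:
    """l1 x l2: act componentwise on pairs."""
    return Lens(lambda p: (l1.get(p[0]), l2.get(p[1])),
                lambda v, p: (l1.put(v[0], p[0]), l2.put(v[1], p[1])))


def length_lens(default: Any) -> Lens[Sequence[Any], int]:
    """The fold `length` lifted to a lens: put truncates or pads with default."""
    return Lens(lambda xs: len(xs),
                lambda n, xs: list(xs[:n]) + [default] * (n - len(xs)))


def map_lens(l: Lens, default_source: Any) -> Lens[List[Any], List[Any]]:
    """map lifted to a lens; surplus view elements are put into a default source."""
    return Lens(lambda xs: [l.get(x) for x in xs],
                lambda vs, xs: [l.put(v, xs[i] if i < len(xs) else default_source)
                                for i, v in enumerate(vs)])


# Well-behavedness laws.
def get_put(l: Lens, c: Any) -> bool:
    return l.put(l.get(c), c) == c


def put_get(l: Lens, a: Any, c: Any) -> bool:
    return l.get(l.put(a, c)) == a


def check_laws(l: Lens, sources: Sequence[Any], views: Sequence[Any]) -> bool:
    return (all(get_put(l, c) for c in sources)
            and all(put_get(l, a, c) for a in views for c in sources))


# Constructed data: a user is (name, tags); the view is the number of tags.
USERS = [("ada", ["x", "y"]), ("bob", [])]
TAG_COUNT = snd_lens().then(length_lens(""))
# A "lens" whose put ignores the update: it violates PutGet, and check_laws catches it.
BROKEN = Lens(lambda p: p[0], lambda a, p: p)
```

`check_laws` tests the laws only on the sources and views it is given, so it is a sanity check on sample data rather than a proof; the paper's contribution is that the lifted combinators satisfy the laws by construction.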
A Tool for Data Refinement
1997
Cited by 17 (3 self)
We describe a tool for data refinement based on the Refinement Calculator. The tool supports the calculational approach to data refinement. As a consequence of the program calculation, a refinement theorem is automatically derived. The operation of the tool is illustrated with a case study.
Basic theorems about security
Journal of Computer Security, 1992
Cited by 17 (1 self)
We build a mathematical structure in which we can ask questions about the methods for achieving security properties, such as confidentiality and integrity, and functionality properties, such as safety and liveness. The structure allows us to consider many different choices for the meaning of "confidentiality" and "integrity" and so on, and to compare and contrast security properties with functionality properties.