| Name | Office | Phone | $lname | \n"; print "$office | \n"; print "$phone | \n"; print "
|---|
}
} FIGURE 95.6 Overall structure of a Java applet.
in this figure are necessary to provide access to the Java class libraries, where the various event-driven programming classes are located. The define various objects that can be placed in the applet, as well as other values that help the program remember what has occurred so far. As with any other class, these variables collectively define the state of the interaction, just as in Java application programs. Moreover, variables may also represent buttons, menus, text fields, and other objects that have special functions as the program and the user interact. An applet is different from other classes in that it has no constructor. Instead, when the applet begins executing, the init method is executed first. It has the responsibility of placing objects in the frame, such as buttons, choices, labels, and text fields. In this sense, the init method takes the place of a constructor. The init method also attaches specific event listeners to different objects in the frame, so that these objects can be equipped with “ears” that recognize when they have been selected by the user. Event listeners are nothing more than objects that implement a particular interface; they can be the applet itself, as indicated above, or they can be separate classes. As we will see, such classes often need access to various applet methods, so they are commonly implemented as inner classes. As a GUI, an applet often has a paint method, which is invoked whenever the applet needs to repaint itself. This can occur for a number of reasons: a window partially obscured the applet for a time, the applet was first iconified and then deiconified, etc. Components such as buttons, text fields, etc., will repaint themselves. However, anything done directly to the frame using Graphics methods will be lost during a repaint operation if not done in the paint method. Other major applet methods, start, stop, and destroy, are not discussed here. © 2004 by Taylor & Francis Group, LLC
For each specific kind of event (like a button selection, a mouse click, or a menu choice selection), the program must implement a special method called an . The purpose of the handler is to change the state of the interaction so that it “remembers” that such an event has occurred. One handler is programmed to respond to the user’s pressing the mouse button, while another may respond to the user’s selecting a button in the frame. Whenever such an event actually occurs, its associated handler is executed one time. The that appear in the heading of the applet identify the kinds of events to which the applet is prepared to respond. Usually, four different kinds of user-initiated events can be handled by an applet: Mouse motion events — Handled by the MouseMotionListener Mouse events — Handled by the MouseListener Button and text field selections — Handled by the ActionListener Selections from a menu of choices — Handled by the ItemListener Importantly, the program cannot know, or predict, the order in which these different events will occur or the number of times each one will be repeated; it must be prepared for all possibilities. That is the essence of event-driven programming.
95.4 Event Handling In this section, we describe the basic Java programming considerations for responding to various types of user-initiated events that occur while an applet is running — mouse events, button selections, text areas, and choice (menu) selections.
95.4.1 Mouse Clicks For the program to handle mouse clicks, the MouseListener interface must be implemented, either by the applet itself or by a mouse handler class. If the listener is being handled directly by the applet, then the applet must specify the listener in its implements clause and activate the listener, usually inside the init method: public class MyApplet extends Applet implements MouseListener { public void init() { ... addMouseListener(this); ... } The alternative is to use a separate class to handle mouse clicks. Commonly, this class is an inner class to the applet, so that the mouse handler has access to all of the applet’s methods, particularly the graphics context: public class MyApplet extends Applet { public void init() { ... addMouseListener(new MouseHandler()); ... } private class MouseHandler implements MouseListener { ... } If an external class is used, it is common for the applet to pass itself in the call to the mouse handler constructor; the applet object can then be saved to an instance variable of the mouse handler class. © 2004 by Taylor & Francis Group, LLC
Whichever alternative is used, all of the following methods must be added to the class that implements the MouseListener, and at least one must have some statements that respond to the event that it represents: public void mousePressed(MouseEvent e) { } public void mouseReleased(MouseEvent e) { } public void mouseClicked(MouseEvent e) { } public void mouseExited(MouseEvent e) { } public void mouseEntered(MouseEvent e) { } An advantage to using a separate class is that Java provides a MouseAdapter class, which is precisely the trivial implementation of MouseListener given previously. This means that the separate class can extend the MouseAdapter class (which an applet cannot do), overriding exactly the methods for which actions are to be provided. In most instances, this is usually only the mouseClicked method. public class MyApplet extends Applet { public void init() { ... addMouseListener(new MouseHandler()); ... } private class MouseHandler extends MouseAdapter { public void mouseClicked(MouseEvent e){ } } For instance, the typical response to a mouse event is to capture the x − y pixel coordinates where that event occurred on the frame. To do this, we use the getX and getY methods of the MouseEvent class. For example, the following handler responds to a mouse click by storing the x − y coordinates of the click in the applet’s instance variables x and y. public void mouseClicked(MouseEvent e) { x = e.getX(); y = e.getY(); }
95.4.2 Mouse Motion Similar to mouse clicks, for the program to handle mouse motion, the MouseMotionListener interface must be implemented either by the applet itself or by a mouse motion handler class. To activate the listener, the following calls must be placed inside the init method: addMouseMotionListener(); The class that implements the listener must implement all of the following methods; at least one must have some statements that respond to the event that it represents: public void mouseDragged(MouseEvent e) { } public void mouseMoved(MouseEvent e) { } An advantage to using a separate class is that Java provides a MouseMotionAdapter class, which is precisely the trivial implementation of MouseMotionListener given previously. This means that the © 2004 by Taylor & Francis Group, LLC
separate class can extend the MouseMotionAdapter class (which an applet cannot do), overriding exactly the methods for which actions are to be provided. In most instances, this is usually only the mouseDragged method.
95.4.3 Buttons A button is an object on the screen which is named and can be selected by a mouse click. Because any number of variables can be declared with class Button and placed in the applet, button handlers are usually implemented via a separate class, rather than by the applet itself. A button is declared and initialized as follows: Button = new Button(); Here is an example: Button clearButton = new Button("Clear"); A button is placed in the applet by including the following inside the init method: add(); For example: add(clearButton); To be useful, a button must have a listener attached so that the button responds to mouse clicks. This is normally done by including the following inside the applet’s init method: .addActionListener(); For example: clearButton.addActionListener(new ClearButtonHandler()); The class that handles the user’s selection of the button must implement the ActionListener interface. The listener class must implement an actionPerfomed method to handle the button selection event: public void actionPerformed (ActionEvent e) { if (e.getSource() == ) { } } Here, the refers to the name of the Button variable as declared and initialized, and defines what to do whenever that event occurs. If unique handlers are created for each button, the if test to determine which button was selected can be omitted; this is normally preferred. Following, for example, is a handler written as an inner class to the applet class that clears the screen whenever the clearButton is clicked by the user: private class ClearButtonHandler implements ActionListener { public void actionPerformed(ActionEvent e) { repaint(); } } Note that the repaint method is an applet method; thus, this class works as written only if it is an inner class to applet. Using an external class requires writing a constructor that takes the applet as an argument. Using our Clear button as an example, the addActionListener code in applet’s init method would appear as follows: clearButton.addActionListener(new ClearButtonHandler(this));
© 2004 by Taylor & Francis Group, LLC
The button handler class would then appear as: public class ClearButtonHandler implements ActionListener { Applet applet; public ClearButtonHandler(Applet a) { applet = a; } public void actionPerformed(ActionEvent e) { applet.repaint(); } } Note that using an external class makes it more difficult for a listener class to determine which button was selected, because the buttons themselves are declared within the applet class.
95.4.4 Labels, TextAreas, and TextFields A label is an object whose string value can be placed inside a frame to label another object, such as a TextField. It can be added to the frame from within the init method. For example, the statement add(new Label("Fahrenheit")); would place the message Fahrenheit in the frame. Labels cannot have a listener attached to them. A TextArea is a rectangular object on the screen which is named and can accept or display text messages. It is a scrollable object, so users have a complete record of the text. A TextField is an object into which the user can type a single line of text from the keyboard; it raises an ActionEvent when the user presses the Enter key at the end of the line. TextAreas and TextFields are declared as follows: TextArea ; TextField ; For example: TextArea echoArea; TextField typing; TextArea and TextField objects are normally placed in the applet as part of the init method in your program. Initialization requires the number of lines of text (for TextAreas) and the number of characters per line to be specified. = new TextArea(, ); add(); = new TextField(); add(); For example: echoArea = new TextArea(5, 40); add(echoArea); typing = new TextField(40); add(typing); In this example, we declare and place a 5-line by 40-character TextArea and a 40-character TextField in the current frame. When the user types in the TextField and hits the Enter key, the applet can handle that event by writing additional code in its actionPerformed event handler:
© 2004 by Taylor & Francis Group, LLC
public void actionPerformed (actionEvent e) { if (e.getSource() == ) { String s = .getText(); } } Here, refers to the name of the TextArea variable that was declared and placed in the frame by the init method, like typing in the example. When the event occurs, the string value typed in the text area is assigned to the variable s and the is then executed. A better solution is to use an internal class that listens specifically to the TextField typing: private class TextHandler implements ActionListener { public void actionPerformed (actionEvent e) { String s = .getText(); } } In this case, the handler need not check for the source of the triggering event; it must be the user pressing the Enter key in the TextField typing. As an example of an , the user’s typing can be immediately echoed in the TextArea by concatenating it with all the text that is already there. The append method is useful for this purpose: echoArea.append(s + "\n"); If this line is added as the in the previous code, the user’s typing will be echoed on a new line inside the TextArea object named echoArea.
95.4.5 Choices A choice is an object on the screen that offers several options to be selected by the user. It is like a pull-down menu, but it can be placed anywhere within the applet, not just at the top. A choice is declared as follows: Choice ; For example: Choice choice; The choice is named and placed in the frame as part of the init method in your program. The different selections are assigned to the Choice variable using the addItem method, and interaction is triggered by adding a listener to the frame for the choice. = new Choice(); .addItem(); ... add(); .addItemListener(); For example: choice = new Button(); choice.addItem("North"); choice.addItem("East"); choice.addItem("South"); choice.additem("West"); add(choice); choice.addItemListener(new Choice Handler()); © 2004 by Taylor & Francis Group, LLC
In this case, an inner class to the applet itself is assumed to be handling the choice event. The applet or item listener event handler must implement the ItemListener interface. When the user selects one of the choices, the event is handled by an itemStateChanged method: private class ChoiceHandler implements ItemListener { public void itemStateChanged (ItemEvent e) { String s = (String)e.getItem(); if (s.equals() { in response to a selection of } else if (s.equals() { in response to a selection of } ... } } When the event of selecting a choice occurs, this handler is executed. The string s gets the value of the choice the user selected, which is passed to the handler by way of the method call e.getItem(). This choice is used in a series of if statements to select the appropriate .
95.5 Example: A Simple GUI Interface The process of event-driven program design involves anticipating the various states and state transitions that can occur as the program runs. Consider the design of a simple drawing tool, in which the user can draw rectangles and type texts in arbitrary locations of the frame. The user should be able to accomplish this as simply as possible, so providing buttons, menus, and text typing areas and handling mouse click actions on the screen are essential. An initial frame design to support this activity is shown in Figure 95.7. This frame has four objects: a Clear button, a Choice menu, a TextArea for communicating with the user as events are initiated, and a TextField in which the user can enter messages. Thus, we
FIGURE 95.7 Initial frame design for a graphical drawing tool. © 2004 by Taylor & Francis Group, LLC
// Variables used by the Applet -- this is the "state" int lastX = 0; //first click's x-y coordinates int lastY = 0; int clickBumber = 0; // most recent click; odd or even Choice choice; TextArea echoArea; TextField typing; FIGURE 95.8 Code to define the state for the interaction.
can begin our design of defining the state of the computation with the following objects and interpretations: choice — The user can select Nothing, Rectangle, or Message from this menu. echoArea — This is a TextArea for reporting the most recent event that has occurred. typing — This is a TextField for entering user input. The button need not be part of the global state, because its function is merely to clear the screen, and this can be done completely within the event handler for the button. No other object or handler need be aware of the Clear button. The state of the computation for this problem must also keep track of all information that is relevant to the user’s accomplishing the next task, be it drawing a rectangle or locating a text somewhere in the frame. To draw a rectangle, the system must have two pieces of information: the x − y coordinates of the upper left-hand corner of the rectangle and the x − y coordinates of the lower right. These two points can be retrieved via a mouse event and the mouseClicked handler, but the first x − y coordinate pair must be stored globally within the applet’s state. Furthermore, a count of the mouse clicks must also be stored globally, so that the first click can be distinguished from the second in determining the corners of the rectangle. Thus, additional global state information includes lastX, lastY X-y coordinates of last mouse click clickNumber The number of mouse clicks (odd or even) The x and y coordinates of a mouse click are reported in the TextArea by the program whenever a mouse click event occurs. Informative messages to the user are also displayed there. The code that defines the state is shown in Figure 95.8, and the code that initializes the interaction is shown in Figure 95.9. //Variables used by the Applet --- this is the "state" int lastX = 0;//first click's x-y coordinates int lastY = 0; int clickBumber = 0;//most recent click; odd or even Choice choice; TextArea echoArea; TextField typing; //Initialize the frame: establish the objects and their listeners public void init() { //Set the background color and listen for the mouse setBackground(Color.white); addMouseListener(new MouseHandler()); //Create a button and add it to the Frame. Button clearButton = new Button("Clear"); clearButton.setForeground(Color.black); clearButton.setBackground(Color.lightGray); © 2004 by Taylor & Francis Group, LLC
// Initialize the frame: establish the objects and their listeners public void init () { // Set the background color and listen for the mouse setBackground (Color.White); addMouseListener (new MouseHandler()); // Create a button and add it to the Frame. Button clearButton = new Button ("Clear"); clearButton.setForeground (Color.black) ; clearButton.setBackground (Color.lightGray) ; add (clearButton) ; clearButton.addActionListener (new ClearButtonHandler()) ; // Create a menu of user choices and add it to the Frame. choice = new Choice () ; choice.addItem ("Nothing") ; choice.addItem ("Rectangle"); choice.addItem ("Message"); add(choice); choice.AddItemListener (new ChoiceHandler()); // Create a TextField and a TextArea and add them to the Frame. typing = new TextField (40); add(typing); typing.addActionListener (new TestHandler()); echoArea = new TextArea (2, 40); echoArea.setEditable(false); add(echoArea); } FIGURE 95.9 Code to initialize the interaction.
add(clearButton); clearButton.addActionListener(new ClearButtonHandler()); //Create a menu of user choices and add it to the Frame. choice = new Choice(); choice.addItem("Nothing"); choice.addItem("Rectangle"); choice.addItem("Message"); add(choice); choice.addItemListener(new ChoiceHandler()); //Create a TextField and a TextArea and add them to the Frame. typing = new TextField(40); add(typing); typing.addActionListener(new TextHandler()); echoArea = new TextArea(2, 40); echoArea.setEditable(false); add(echoArea); } Designing the event handlers is a more intricate process. For each event that occurs, an appropriate handler must contain code to distinguish that event from the rest and then change the state and/or generate output into the frame appropriately. Consider the following scenario. © 2004 by Taylor & Francis Group, LLC
FIGURE 95.10 First step in an interaction: the user selects Rectangle from the menu.
public void itemStateChanged (ItemEvent e) { String currentChoice = (String) (e.getItem()); echoArea.setText ("Choice selected: " + currentChoice); clickNumber = 0; // prepare to handle first mouse click for this choice if (currentChoice.equals("Rectangle")) echoArea.append( "\nClick to set upper left corner of the rectangle"); else if (currentChoice.equals ("Message")) echoArea.append( "\nEnter a massage in the text area"); } } FIGURE 95.11 ItemStateChanged handler for this interaction.
The user first selects Rectangle from the Choice menu. To properly handle that event, the system must store that selection and then prompt the user to click the mouse at the point where the upper left-hand corner of the rectangle should be drawn, as shown in Figure 95.10. What code do we write to respond to this selection? We write code inside an itemStateChanged event handler of the ChoiceHandler class, because the object selected, choice, is a Choice. The complete itemStateChanged handler for this problem is shown in Figure 95.11. //Called when the user makes a Choice selection private class ChoiceHandler implements ItemListener { public void itemStateChanged (ItemEvent e) { String currentChoice = (String) (e.getItem()); echoArea.setText("Choice selected: " + currentChoice); clickNumber = 0; //prepare to handle first mouse click for this choice if (currentChoice.equals("Rectangle")) echoArea.append( "\nClick to set upper left corner of the rectangle"); else if (currentChoice.equals("Message")) © 2004 by Taylor & Francis Group, LLC
private class MouseHandler extends MouseAdapter { public void mouseClicked(MouseEvent e) { int x = e.getX(); int y = e.getY(); echoArea.setText ("Mouse Clicked at " + e.getX() + " , " + e.getY() + "\n"); Graphics g = getGraphics(); if (choice.getSelectedItem().equals("Rectangle")) { clickNumber = clickNumber + 1; // is it the first click? if (clickNumber % 2 == 1) { echoArea.setText ("Click to set lower right corner of the rectangle"); lastX = x: lastY = y; } // or the second? else g.drawRect(Math.min(lastX,x), Math.min(lastY,y), Math.abs(x-lastX), Math.abs(y-lastY)); } // for a message, display it else if (choice.getSelectedItem().equals("Message")) g.drawString(currentMessage, x, y); } } FIGURE 95.12 Details of the mouseClicked handler for this interaction.
echoArea.append( "\nEnter a message in the text area"); } } While this code is a bit obscure, it does reveal that the itemStateChanged handler must prepare for any menu event that can occur. It distinguishes among the possibilities by checking the parameter e for the item selected, which is assigned to the state variable currentChoice. If the choice is a Rectangle, the handler dutifully prompts the user to click to set the location where the upper left-hand corner of the rectangle should be located in the frame. If the choice is a Message, a different prompt goes to the user. In either case, this handler echoes the nature of this event in the echoArea. Assuming that the user clicks the mouse in the frame, the system must respond by storing the x − y coordinates of that click in the applet’s state variables lastX, lastY and prompt the user to click to set the lower right-hand corner of the desired rectangle. But that should be done only if the current choice is a Rectangle. By the time the mouse click event happens, the only source of information about what event immediately preceded it comes from the applet’s state. That is, the click could have been preceded by a different event, which should provoke a different response from the interaction. Where is this all sorted out? In the mouseClicked handler, as shown in Figure 95.12. private class MouseHandler extends MouseAdapter { public void mouseClicked(MouseEvent e) { int x = e.getX(); int y = e.getY(); echoArea.setText("Mouse Clicked at " + © 2004 by Taylor & Francis Group, LLC
e.getX() + ," " + e.getY() + "\n"); Graphics g = getGraphics(); if (choice.getSelectedItem().equals("Rectangle")) { clickNumber = clickNumber + 1; //is it the first click? if (clickNumber% 2 == 1) { echoArea.setText ("Click to set lower right corner of the rectangle"); lastX = x; lastY = y; } //or the second? else g.drawRect(Math.min(lastX,x), Math.min(lastY,y), Math.abs(x-lastX), Math.abs(y-lastY)); } //for a message, display it else if (choice.getSelectedItem().equals("Message")) g.drawString(currentMessage, x, y); } } This handler must also be prepared for anything, because it doesn’t implicitly know what events occurred immediately before this particular mouse click. The state variable clickNumber helps to sort things out, because its update value will have an odd number for the first click of a pair and an even number for the second. Thus, the upper left-hand corner of a rectangle is indicated for odd values, and the drawing of a complete rectangle, using the x and y coordinates of the current click together with the x and y coordinates of the previous click (stored in lastX and lastY), is indicated for even clicks. The remainder of this event handler should be fairly readable. The effect of drawing a rectangle after the user has clicked twice is shown in Figure 95.13. Here, the arrow in the figure shows the location of the second click, whose x and y coordinates are 215 and 204, respectively. The next task in designing this interaction is to implement the event handler that responds to the user’s selecting the Clear button or typing text in the typing area. The actionPerformed method for this event is shown in Figure 95.14. Note here the simplicity of attaching a unique handler to the Clear button;
FIGURE 95.13 Effect of selecting Rectangle choice and clicking the mouse twice. © 2004 by Taylor & Francis Group, LLC
private class ClearButtonHandler implements ActionListener { public void actionPerformed (ActionEvent e) { echoArea.setText ("Clear button selected "); repaint(); } } FIGURE 95.14 ActionPerformed handler for the Clear button.
private class TextHandler implements ActionListener { public void actionPerformed (ActionEvent e) { echoArea.setText ("Text entered: " + typing.getText()); if (choice.getSelectedItem().equals("Message")) echoArea.append("\nNow click to place this message"); } } FIGURE 95.15 ActionPerformed handler for the Enter key in the typing area.
it does not have to test what triggered the event (the button or the Enter key in the typing area), merely to clear the screen via a repaint. private class ClearButtonHandler implements ActionListener { public void actionPerformed (ActionEvent e) { echoArea.setText("Clear button selected "); repaint(); } } Responding to text typed by the user is straightforward, needing only to store the text for later use and prompting the user to click the mouse to locate the text in the frame, as shown in Figure 95.15. private class TextHandler implements ActionListener { public void actionPerformed (ActionEvent e) { echoArea.setText("Text entered: " + typing.getText()); if (choice.getSelectedItem().equals("Message")) echoArea.append("\nNow click to place this message"); } } Note that both the TextHandler and ClearButtonHandler classes implement the ActionListener interface and both have actionPerformed methods. Neither handler has to be aware of the other, as each is listening for separate events. The net effect of typing text and clicking to locate it below the rectangle that had been placed in the frame is shown in Figure 95.16. There, the location of the mouse click is indicated by the arrow in the figure, which is at x − y coordinates 162 and 221. This sketch provides a concrete example of the process of designing an event-driven program. The program runs indefinitely — the user can spend hours drawing rectangles, placing messages, and clearing the frame, and only the user decides what event sequence will occur at any particular point in time. The observant reader will have noticed that this applet has no paint method. Thus, iconifying the window or overlaying another window on top of this window will eventually necessitate a repaint, causing © 2004 by Taylor & Francis Group, LLC
FIGURE 95.16 Net effect of user’s placing a text in the frame.
all the drawing of rectangles and placing of messages to disappear. If the applet must be able to repaint what has been drawn to the screen, then the applet must remember what it wrote to the screen. We will see examples of this in later programs.
95.6 Event-Driven Applications Event-driven programs occur in many domains besides those which are Web-based. Here are three examples (and an example of a Web-based program): Web-based interactive games Automated teller machines (ATMs) Home security alarm systems A supermarket checkout station In this section, we briefly describe the first three of these interactions, focusing on their state variables and the kinds of events that should be handled in the event loop to maintain integrity among the state variables.
95.6.1 Interactive Games: Tic-Tac-Toe Consider designing an event-driven program that monitors an interactive game between two people. For example, the game tic-tac-toe has a 3 × 3 board and two players, who alternate turns. Each turn forces the board into a new state, which differs from the old state by the contents of one square. A game is over either when the board is full or when one of the players has placed three markers (X or O) in a row, either horizontally, vertically, or diagonally. The interaction can run indefinitely, since the players can clear the board and start a new game at any time. Thus, the state of a tic- tac-toe game naturally includes the following: The state of the board Whose turn it is Whether the game is over A New Game button that clears the board and starts a new game An event in this setting is either a player move (clicking the mouse in an unoccupied square to place the next X or O) or a player selecting the New Game button. The sequencing of these events is entirely unpredictable by the program — either one is equally likely while a game is going on. © 2004 by Taylor & Francis Group, LLC
The results displayed by the program are the board itself and a message area which is used to report whose turn it is, the winner, and other information as the game proceeds. The major visual design element for this game is a 3 × 3 grid:
Each player takes a turn by clicking the mouse to place an X or an O on one of the unoccupied squares; player X goes first. The winner is the player who first places three Xs or 3 Os in a row, either horizontally, vertically, or diagonally. A tie game occurs when the board is full and no one has three Xs or Os in a row. The program can use a TextArea for displaying appropriate messages (for instance, when a player attempts to make an illegal move). It should allow each player to click on an empty square and replace that square with an X or an O. The program thus keeps track of whose turn it is and reports that information in the TextArea at the beginning of each turn. Thus, the state variables for this game include the following: A Grid variable for the 3 × 3 board A TextArea variable for sending messages to the players A variable that determines whose turn it is, which flips back and forth whenever a player has completed a legal move The central event-driven code for this game appears in the handler for mouse clicks. Some of these clicks reflect legal moves (i.e., a mouse click from a player on an unoccupied square of the board), and others reflect illegal moves (e.g., a mouse click outside the board). Another distinct event is the selection of the Clear button to signal ending the game. These events can occur in any order, so the program must be equipped to handle them sensibly, change the state appropriately, and detect when the game is over.
95.6.2 Automated Teller Machine An ATM is driven by a program that runs 7 days a week and 24 hours a day. The program must be able to interact with each user who has a proper ATM bank card, and it helps the machine conduct transactions with the user. The essential elements of a typical ATM display are shown in Figure 95.17. (In practice, the details are different, but the elements shown here are adequate to characterize what happens during an ATM transaction).
Welcome to AnyBank ATM Account number Deposit
Amount
Withdrawal
Message
Balance Inquiry No more transactions FIGURE 95.17 Elements of a typical ATM transaction user interface. © 2004 by Taylor & Francis Group, LLC
The state of this interaction is captured partially by the objects in this display and partially by other information that relates to the particular user who is at the machine. A basic collection of state variables required for an ATM transaction includes the following: Account — The user’s account number Type — The type of transaction (deposit, withdrawal, etc.) Amount — The amount of the transaction Message — A message from the bank to the user Balance — The user account’s available balance The last variable in this list, the available balance, brings into play a new dimension for event-driven programming. That is, the program must interact not only with the user but also with the bank’s database of all its accounts and current balances. A program that interacts with such a database, which may reside on an entirely different computer, or server, on the bank’s network, is called a client–server application. Client–server applications exist in a wide variety of systems, including airline reservation systems, on-line textbook ordering systems, and inventory systems. They are discussed more directly in other chapters of this Handbook. In this example, we can characterize the different events that can occur, together with how they should be handled (that is, the effect they should have on the state of the interaction). Event: User enters an account number (swipes her card). Handled by: Program checks that account is a valid number, sets balance, and issues the message “Choose a transaction.” Event: User selects a button (deposit, withdrawal, etc.). Handled by: Program checks to see that a valid account has been entered. If so: Save the type of button selected. If deposit or withdrawal, issue the message “Enter an amount.” If Balance Inquiry, display the balance. If No more transactions, clear the account. If not, issue the Message “Enter an account number.” Event: User enters an amount. Handled by: Program checks that user has selected a deposit or withdrawal type. If deposit, add the amount to the balance. If withdrawal: If balance is greater than amount, subtract amount from balance. Otherwise, issue the message “Insufficient funds.” Otherwise, issue the message “Select a transaction type (deposit or withdrawal).” The key insight with this design is that the system does not anticipate the type of transaction or the order in which the events will occur. It responds to every different possibility and updates the state of the interaction appropriately.
95.6.3 Home Security Alarm System Home security systems provide homeowners with a modest warning that an unwanted event, such as a break-in, fire, or flood, has occurred. These systems are programmed to react to sensors that can detect smoke, water, or motion, and are placed strategically around the house. They can be programmed by homeowners so that their own motion about the house is not taken as an unwanted break-in. They also can be connected to the local fire and police stations so that notification of an unwanted event can receive immediate response. The overall design for such a system is sketched in Figure 95.18. Here, the sensors and the user interface supply events to the program; alarms and the user interface receive responses from the program. Responses at the user interface are displayed on an LCD display. © 2004 by Taylor & Francis Group, LLC
User interface Program (system)
LCD display shows messages and system status Armed
Sensors
off here away
Power
Function
1
2
3
4
5
6
7
8
9
0 * code test
#
Alarms
FIGURE 95.18 Overall design of a home security system.
Because this system must be able to receive handle events in parallel (e.g., signals from two different sensors may occur simultaneously), the program must embody both the event-driven paradigm discussed in this chapter and the parallel programming paradigm (discussed in Chapter 96). We ignore the parallel programming dimensions of this problem in the current discussion. The state variables for this program are several: Password — The user’s password User — The state of the user (here or away) Armed — The state of the system (armed or unarmed) Sensors — The state of each sensor (active or inactive) Alarms — The state of each alarm (active or inactive) Message — A message from the system to the control panel Here are some of the events that can reasonably occur, with a sketch of what should happen to the state in response to each event. Event: User enters password. Handled by: Program checks that password is valid and displays message. Event: User enters function “away.” Handled by: Program checks that password has been entered and changes the state of all sensors to “active,” the state of the system to “armed,” and displays message. Event: Sensor receives signal. Handled by: If system is armed, program sends appropriate alarm and displays a message. Event: User enters function “test.” Handled by: Program disarms system. Event: User enters function “here.” Handled by: Program disables motion-detection sensors, enables all others, and changes state of the system to “armed.” In these examples, we have greatly generalized the details in order to simplify the discussion and focus on the main ideas about event-driven programming that these problems evoke. Interested readers should consult the references for more detailed discussions of event-driven programming applications.
Acknowlegdments This chapter is an adaptation of a chapter in the authors’ book Programming Languaages, and is published with permission from McGraw-Hill. © 2004 by Taylor & Francis Group, LLC
References Niemeyer, P., and Knudsen, J. [2002] Learning Java, 2nd edition. O’Reilly & Associates, Sebastopol, CA. Stein, L.A. [1999] Challenging the computational metaphor: implications for how we think. Cybernetics and Systems, 30(6). Tucker, A., and Noonan, R. [2002] Programming Languages: Principles and Paradigms. McGraw-Hill, New York. Wegner, P. [1997] Why interaction is more powerful than algorithms. Communications of the ACM, 40(5). Wegner, P., and Goldin, D. [1999] Interaction, computability, and Church’s thesis. Unpublished manuscript (June 1999). See http://www.cs.brown.edu/∼pw.
© 2004 by Taylor & Francis Group, LLC
96 Concurrent/ Distributed Computing Paradigm 96.1 96.2 96.3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-1 Hardware Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-4 Software Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-4 Busy-Wait: Concurrency without Abstractions • Monitors • Message Passing
Andrew P. Bernat Computer Research Association
Patricia J. Teller University of Texas at El Paso
96.4 96.5 96.6 96.7 96.8
•
Semaphores
Distributed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-19 Formal Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-19 Existing Languages with Concurrency Features . . . . . . . 96-20 Research Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-21 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96-22
96.1 Introduction Concurrent computing is the use of multiple, simultaneously executing processes or tasks to compute an answer or solve a problem. The original motivation for the development of concurrent computing techniques was for timesharing multiple users or jobs on a single computer. Modern workstations use this approach in a substantial manner. Another advantage of concurrent computing, and the reason for much of the current attention to the subject, is that it seems obvious that solving a problem using multiple computers is faster than using just one. Similarly, there is a powerful economic argument for using multiple inexpensive computers to solve a problem that normally requires an expensive supercomputer. Additionally, the use of multiple computers can provide fault tolerance. Moreover, there is an additional powerful argument for concurrent computing — the world is inherently concurrent. Just as each of us engages in a large number of concurrent tasks (hearing while seeing while reading, etc.), operating systems need to handle multiple, simultaneously executing tasks; robots need to engage in a multiplicity of actions; database systems must simultaneously handle large numbers of users accessing and updating information; etc. Often, breaking a problem into concurrent tasks provides a simpler, more straightforward solution. As an example, consider Conway’s problem: input is in the form of 80-character records (card images in the original problem, which gives an idea of how long it has been around); output is to be in the form of 120-character records; each pair of dollar signs, ‘$$’, is to be replaced by a single dollar sign, ‘$’; and a space, ‘ ’, is to be added at the end of each input record. In principle, a sequential solution may be developed, but the complications introduced require complex and non-obvious buffer manipulations. Moreover, a
© 2004 by Taylor & Francis Group, LLC
concurrent solution consisting of three processes is both simpler and more elegant. The three processes execute within infinite loops performing the following actions: 1. Process1 reads 80-character records into an 81-character buffer, places a space character in location 81, and then outputs single characters from the buffer sequentially. 2. Process2 reads single characters and copies them to output, but uses a simple state machine to substitute a single ‘$’ for two consecutive ‘$$’. 3. Process3 reads single characters, saves them in a buffer, and outputs 120-character records. To develop an implementable solution, we need to decide how the independently executing processes communicate. A simple, widely used approach is to add two buffers: Buffer1 stores output characters from Process1 to be input to Process2; Buffer2 stores output characters from Process2 to be input to Process3. For simplicity, assume that Buffer1 and Buffer2 each hold a single character. Thus: 1. Process1 reads 80-character records into an 81-character internal buffer, places a space character in location 81, and sequentially places in Buffer1 single characters from the internal buffer. 2. Process2 reads single characters from Buffer1 and places them into Buffer2, but uses a simple state machine to substitute a single ‘$’ for two consecutive ‘$$’. 3. Process3 reads single characters from Buffer2, saves them in an internal 120-character buffer, and outputs 120-character records. This solution demonstrates the essence of the concurrent paradigm: individual sequential processes that cooperate to solve a problem. The exemplified concurrency is pipelined concurrency, where the input of all processes but the first is provided by another process. Cooperation, in this and all other cases, requires that the processes: 1. Share information and resources 2. Not interfere during access to shared information or resources In the Conway solution, information is readily shared via the buffers. The chief problem is to ensure that concurrent accesses to the two buffers do not conflict; for example, Process2 does not attempt to retrieve a character from Buffer1 before it has been placed there by Process1 (which would lead to garbage characters), and Process1 does not attempt to place a character into Buffer1 before the previous character has been retrieved by Process2 (which would lead to lost characters). A simpler example of interference is provided by the following simple program (where the statements within the cobegin–coend pair are to be executed simultaneously): x := 0 cobegin x := x + 1 x := x + 2 coend Consider the value of x at the end of execution. Because each assignment statement is actually a sequence of machine-level instructions, various interleavings of the execution of these instructions result in different final values for x (i.e., 1, 2, or 3). Clearly, this is unacceptable! In each of these examples, it is clear that there are critical regions in which two (or more) processes have sections of code that may not be executed concurrently; we must have mutual exclusion between the critical regions. In the Conway example, critical regions include: r Process1 placing a value into Buffer1 r Process2 retrieving a value from Buffer1 r Process2 placing a value into Buffer2 r Process3 retrieving a value from Buffer2
© 2004 by Taylor & Francis Group, LLC
In the simple example above, each of the two assignment statements are critical regions. The essence of avoiding interference is to discover the critical regions and isolate them. This isolation takes the form of an “entry protocol” to announce entry into a critical region and an “exit protocol” to announce that the execution of the critical region has completed (below the ‘#’ introduces a comment and the ‘. . . ’ represents the appropriate program code): # entry protocol ... # critical region code ... # exit protocol ... This is the basic model used by the busy-wait and semaphore approaches (discussed below). It is a low-level model in the sense that careful attention must be paid to the placement of the entry and exit protocols to ensure that critical regions are properly protected. There are other implementation approaches to concurrency that solve the critical region problem by prohibiting any direct interference between concurrent processes. This is done by not allowing any sharing of variables. The monitor approach places all shared variables and other resources under the control of a single monitor module, which is accessed by only a single process at a time. The message-passing approach is to share information only through messages passed from process to process. Both of these approaches are discussed in this chapter. As well as avoiding interference in data access, we must avoid interference in the sharing of resources (e.g., keyboard input for multiple processes). Also, we must ensure that any physical actions of concurrent processes, such as movement of robotic arms, are appropriately synchronized. Thus, to develop concurrent solutions, we require notations to: 1. 2. 3. 4.
Specify which portions of our processes can run concurrently Specify which information and resources are to be shared Prevent interference by concurrent processes by ensuring mutual exclusion Synchronize concurrent processes at appropriate points
Further, any proposed solution to a concurrent problem must have certain properties (see, for example, [Ben-Ari, 1990]): 1. Safety: this property must always be true; examples include: a. Non-interference b. No deadlock, which occurs when no process can continue because all processes are waiting upon conditions that can never occur c. Partial correctness: whenever the program terminates, it has the correct answer 2. Liveness: this property must be true eventually; examples include: a. Program terminates (if it also has the correct answer, this is total correctness) b. No race: nondeterministic behavior caused by concurrently executing processes c. Fairness: each process has an opportunity to execute (this is affected by implementation and process/thread scheduling) The verification or proof that solutions satisfy these properties is vastly complicated by the concurrent execution of code: particular orderings of code execution may exhibit interference or deadlock while others proceed nicely to termination. Returning to Conway’s problem, suppose the execution of Process1 and Process2 are matched evenly so that each character placed by Process1 into Buffer1 is retrieved by Process2 before Process1 is ready to output another character. In this case, when tested, the program exhibits the desired correctness properties, lack of deadlock, etc. But if, due to a variation in processor workload or type, Process1 runs faster, then characters will be overwritten and lost; on the other hand, if Process2 runs faster, characters will be repeated. The fact that we tested the program under one particular set © 2004 by Taylor & Francis Group, LLC
of circumstances (even for all possible inputs) is irrelevant to this issue. Sufficient testing is impossible because of the exponential explosion in the number of possible interleavings of instruction execution that can occur. The only fully satisfactory approach is to use formal methods (techniques that are still predominantly under development), which are touched on later in this chapter. This chapter focuses on the software architectures used for concurrency, using a set of archetypical problems and their solutions for illustration. These problems are chosen because of the frequency with which they arise in computing; careful study of actual problems frequently leads to the realization that a seemingly complicated problem is, at heart, one of these archetypes. First, we briefly explore hardware architectures and their impact on software.
96.2 Hardware Architectures Hardware can influence synchronization and communication primarily with respect to efficiency. Multiprogramming is the interleaving of the execution of multiple programs on a processor; on a uniprocessor, a time-sharing operating system implements multiprogramming. Although such an approach on a uniprocessor does not provide the execution speedup discussed in the introduction, it does provide the possibility of elegance and simplicity in problem solution, which is the second argument for the concurrent paradigm. By employing multiple computers, we have multiprocessing, or parallel processing. Multiprocessing can involve multiple computers working on the same program or on different programs at the same time. If a multiprocessor system is built so that processors share memory, then processes can communicate via global variables stored in shared memory; otherwise, they communicate via messages passed from process to process. In contrast to a multiprocessor system, a distributed system is comprised of multiple computers that are remote from each other. This chapter focuses on multiprogramming and multiprocessing systems with a short introduction to the additional problems associated with distributed systems. In addition (but outside the scope of this chapter), a wide variety of hybrid hardware/software approaches exist.
96.3 Software Architectures To specify a software architecture for implementing concurrency, we must provide the syntax and semantics to: 1. 2. 3. 4.
Specify which information and resources are to be shared Specify which portions of processes can run concurrently Prevent interference by concurrent processes by ensuring mutual exclusion Synchronize concurrent processes at appropriate points
The first feature requires no special notation (shared variables are simply global), and the third and fourth are usually merged into one. A large number of software mechanisms have been proposed to support these features; in this chapter we explore the most widely used among them: 1. Busy-wait: implementable on virtually any processor without operating system support; this is concurrency without abstractions 2. Semaphores: historically the oldest satisfactory mechanism 3. Monitors: modules that encapsulate concurrent access to shared data 4. Message passing: a higher-level abstraction widely used in distributed systems The references at the end of the chapter provide pointers to a number of other mechanisms, such as Unix fork/join, conditional critical regions, etc. © 2004 by Taylor & Francis Group, LLC
96.3.1 Busy-Wait: Concurrency without Abstractions To illustrate the busy-wait mechanism, we use (following [Ben-Ari, 1982], a very simple example consisting of two concurrent processes, each with a single critical region. The only assumption made is that each memory access is atomic; that is, it proceeds without interruption. Our task is to ensure mutual exclusion; the purpose of the exercise is to demonstrate the care with which a solution must be crafted to ensure the safety and liveness properties discussed above. Our first approach, which follows, is to ensure that the processes, p1 and p2, simply take turns in their critical regions. global var turn := 1 process p1 while true do -> # non-critical region ... # entry protocol while turn = 2 do -> # critical region ... # exit protocol turn := 2 # rest of computation ... end p1 process p2 while true do -> # non-critical region ... # entry protocol while turn = 1 do -> # critical region ... # exit protocol turn := 1 # rest of computation ... end p2
# wait for turn
# wait for turn
This approach meets the desired properties but has a fundamental flaw: processes must take turns entering their critical regions. If p1 is ready and needs to execute its critical region at a higher frequency than p2, it cannot. The processes are an example of co-routines, historically one of the first approaches to concurrency. If we modify the solution to allow each process to proceed into its critical region if the other process is not in its critical region, and to then notify the other process, we obtain the following (where ci is used to signify that pi is in its critical region): global var c1 := false, c2 := false process p1 while true do -> © 2004 by Taylor & Francis Group, LLC
# non-critical region ... # entry protocol while c2 do -> c1 := true # critical region ... # exit protocol c1 := false # non-critical region end p1 process p2 while true do -> # non-critical region ... # entry protocol while c1 do -> c2 := true # critical region ... # exit protocol c2 := false # non-critical region end p2
# wait for turn # p1 in critical region
# p1 out of critical region
# wait for turn # p2 in critical region
# p2 out of critical region
Now, however, we have the possibility that the mutual exclusion requirement of the critical region can be violated; that is, both processes can be in their critical regions at the same time. (For example, suppose both c1 and c2 are false; p1 checks c2 via the loop and decides that it may enter its critical region; before it sets c1 to true, p2 checks c1 via its loop and decides that it may enter its critical region). As shown next, this disastrous possibility can be eliminated by having a process announce its intent to enter into its critical region before checking whether it can enter: global var c1 := false, c2 := false process p1 while true do -> # non-critical region ... # entry protocol c1 := true while c2 do -> # critical region ... # exit protocol c1 := false # non-critical region end p1 process p2 © 2004 by Taylor & Francis Group, LLC
# signal intent to enter # wait for turn
# p1 out of critical region
while true do -> # non-critical region ... # entry protocol c2 := true while c1 do -> # critical region ... # exit protocol c2 := false # non-critical region end p2
# signal intent to enter # wait for turn
# p1 out of critical region
But now we have raised the possibility of a race (when p1 sets c1 to true and p2 sets c2 to true). A possible solution to this difficulty, which appears below, moves the announcement statement into the loop, together with a random delay: global var c1 := false, c2 := false process p1 while true do -> # non-critical region ... # entry protocol c1 := true while c2 do -> c1 := false c1 := true # critical region ... # exit protocol c1 := false # non-critical region ... end p1 process p2 while true do -> # non-critical region ... # entry protocol c2 := true while c1 do -> c2 := false c2 := true # critical region ... # exit protocol © 2004 by Taylor & Francis Group, LLC
# signal intent to enter # give up intent if p2 already # in critical region # try again
# p1 out of critical region
# signal intent to enter # give up intent if p1 already # in critical region # try again
c2 := false # non-critical region ... end p2
# p2 out of critical region
But this is not a satisfactory solution because it exhibits a race in the (unlikely) situation that the two loops proceed in perfect synchronization. A valid solution, such as that which appears below, can be developed by returning to the concept of taking turns when applicable, which ensures mutual exclusion while not requiring alternating turns (thus allowing true concurrency): global var c1 := false, c2 := false, turn := 1 process p1 while true do -> # non-critical region ... # entry protocol c1 := true turn := 2 while c2 and turn = 2 do -> # critical region ... # exit protocol c1 := false # non-critical region ... end p1 process p2 while true do -> # non-critical region ... # entry protocol c2 := true turn := 1 while c1 and turn = 1 do -> # critical region ... # exit protocol c2 := false # non-critical region ... end p2
# signal intent to enter # give p2 priority # wait if p2 in critical region
# p1 out of critical region
# signal intent to enter # give p1 priority # wait if p2 in critical region
# p1 out of critical region
This solution is due to Peterson [1983]; the first valid solution was presented by Dekker. The importance of the busy-wait approach is threefold: 1. It provides a nice introduction to the problems inherent in designing concurrent solutions. 2. It is executable on virtually every machine architecture without additional further software support and is, thus, suitable for micro-controllers, etc. 3. Variants are frequently used in hardware implementations. © 2004 by Taylor & Francis Group, LLC
However, this approach also suffers from two difficulties: 1. It is very inefficient: machine cycles are expended when executing busy-wait loops. 2. Programming at such a low level is highly prone to error.
96.3.2 Semaphores Dijkstra [1968] presented the first abstract mechanism for synchronization in concurrent programs. The semaphore, so named in direct relation to the semaphores used on railroad lines to control traffic over a single track, is a non-negative integer-valued abstract data type with two operations: P(s) : delay until s > 0, then s := s - 1 V(s) : s := s + 1 When a process delays on a semaphore, it is awakened only when another process executes a V operation on that semaphore. Thus, it uses no machine cycles to check if it can proceed. If more than one process is delaying on a semaphore, only one (which one is implementation dependent) can be awakened by a V operation. Additionally, the value of s can be set at instance creation via the semaphore declaration; if set to 0, then some process must execute the V(s) operation before any processes first executing the P(s) operation can continue. With this abstract data type, we have a mechanism that handles both interference and synchronization. Additional notes: 1. These are the only two synchronization operations defined; in particular, the value of s is not determinable. 2. Implementation of these operations must be either in the hardware or in the (non-interruptible) system kernel. 3. By sleeping while waiting for a semaphore (the delay in P(s)), a process does not waste machine cycles by repeated checking. 4. The operation names (P and V) come from the Dutch words passeren (to pass) and vrygeven (to release); sometimes, signal and wait are used in place of P and V, respectively. 5. Each of the P and V operations proceeds atomically; that is, it may not be interrupted by another process. The use of the semaphore in concurrent programming relates directly to the railroad analogy. Each critical section looks like the following: global var s : semaphore := 1 # entry protocol P(s) # critical region ... # exit protocol V(s) The initialization of s to 1 ensures that the first process executing P(s) will continue. (Deadlock arises if s were initialized to 0.) Only the first process to reach its P(s) statement is allowed to proceed, as subsequent processes find s = 0 and delay. When the first process finishes its critical region, it executes V(s), which sets s to 1. One of the waiting processes is awakened, find s > 0, decrements s, and proceeds. Note the importance that these operations are atomic; this ensures that two processes cannot wake up and each find s > 0. © 2004 by Taylor & Francis Group, LLC
96.3.2.1 Semaphores and Producer-Consumer The Producer-Consumer problem arises whenever one process is creating values to be used by another process. Examples are Conway’s problem and buffers of various kinds, etc. Here we first look at the multi-element buffer version of this problem and then add multiple producers and consumers as a refinement. # define the buffer const N := ... var buf[N] : int front := 1 rear := 1 semaphore empty := N full := 0 process producer var x : int while true do -> # produce x ... P(empty) buf[rear] := x V(full) rear := rear mod N + 1 end producer process consumer var x : int while true do -> P(full) x := buf[front] V(empty) front := front mod N + 1 # consume x ... end consumer
# size # buffer # pointers # counts the number of empty slots in the buffer # counts the number of items in the buffer
# # # #
delay until there is space in the buffer place value in the buffer signal that the buffer is non-empty update buffer pointer
# # # #
delay until a value is in the buffer obtain value signal that the buffer is not full update buffer pointer
The buffer processing is conventional; only the actual buffer access must be placed into a critical region because there is no possibility of interference between the assignments to rear and front. Note also the use of two semaphores: empty to signal that the producer can proceed because there is at least one empty slot in the buffer and full to signal that the consumer can proceed because there is at least one item in the buffer. Although it is possible to solve this problem with one semaphore, less concurrency results. Note that the empty semaphore is initialized to N, the size of the buffer. The producer process can run up to N steps ahead of the consumer process. To allow multiple producers and/or consumers, we must protect the actual buffer operations with additional semaphores to prevent, for example, two producers from accessing rear simultaneously with read and assignment operations. These semaphores, mutexR and mutexF, guarantee mutual exclusion of access to the rear and front pointers, respectively. It is not sufficient to use empty here because up to N producers will be able to continue through the P(empty) statement. # define the buffer as previously semaphore empty := N, full := 0 © 2004 by Taylor & Francis Group, LLC
semaphore mutexR := 1 mutexF := 1
# mutual exclusion on rear pointer # mutual exclusion on front pointer
process pi # one for each producer var x : int while true do -> # produce x ... P(empty) # delay until there is space in the buffer P(mutexR) # delay until rear pointer is not in use # place value in the buffer and modify pointer buf[rear] := x; rear := rear mod N + 1 V(mutexR) # release rear pointer V(full) # signal that the buffer is non-empty end pi process ci # one for each consumer var x : int while true do -> P(full) # delay until a value is in the buffer P(mutexF) # delay until front pointer is not in use # access the value in the buffer and modify pointer x := buf[front]; front := front mod N + 1 P(mutexF) # release front pointer V(empty) # signal that there is space in the buffer # consume x ... end ci
96.3.2.2 Semaphores and Readers-Writers The Readers-Writers model captures the fundamental actions of a database; i.e., r No exclusion between readers r Exclusion between readers and a writer r Exclusion between writers
In other words, the software must guarantee only one update of a database record at a time, and no reading of that record while it is being updated. The simplest semaphore solution is to wait only for the first reader; subsequent readers need not check because no writer can be writing if there is already a reader reading (here, nr and nw are the numbers of active readers and writers, respectively): ... nr := nr + 1 if nr = 1 -> P(rw)
# access database ... nr := nr - 1 if nr = 0 -> V(rw)
# if no one is presently reading, # then ensure no one is writing # before proceeding
# if no more are reading, possibly wake up # writer, or prepare for next reader
© 2004 by Taylor & Francis Group, LLC
... P(rw) # access database ... V(rw)
# delay until no readers or writers
# wake up delayed reader or writer, or prepare # for next reader or writer
This solution gives readers preference over writers: new readers continually freeze out waiting writers. Extending this solution to other kinds of preferences, such as writer preference or first-come-first-served preference is cumbersome. A more general approach is known as “passing the baton”; it is easily extended to other kinds of preferences because control is explicitly handed from process to process. Although a careful explanation of the approach is not given here, the concept is easily summarized. A process must check to ensure that it can legally proceed before doing so; if it cannot proceed, the process waits upon a semaphore assigned to it. For example, a writer process checks to see if no readers or writers are executing on the database before it proceeds; if they are executing on the database, then the writer process sleeps, waiting upon the semaphore assigned to it. When a process is finished accessing the database, it checks the conditions and wakes up (via signaling on the appropriate semaphore) one of the processes waiting upon the condition. This last operation essentially “passes the baton” from one process to another. The key is that first a check is made to ensure that it is legal for the other process to wake up. The strength of the “passing the baton” approach emerges when its flexibility is used to develop more general solutions. Details may be found in Andrews [1991]. 96.3.2.3 Difficulties with Semaphores in Software Design While the use of semaphores does provide a complete solution to the interference problem, the correctness of the solution directly depends on the correct usage of the semaphore operations, which are fairly low-level and unstructured. Semaphores and shared variables are global to all processes and, like any global data structure, their correct usage requires considerable discipline by the programmer. Additionally, if a large system is to be built, any one implementor is likely responsible for only a portion of the semaphore usage so that correct pairing of Ps and Vs may be difficult. Despite this difficulty, semaphores are a widely used construct for concurrency.
96.3.3 Monitors A more structured approach is to encapsulate the shared data/resources and their operations into a single module called a monitor. A monitor can contain non-externally accessible data and procedures that handle the state of resources. External access is strictly controlled through procedure calls to the monitor; mutual exclusion is ensured because procedure execution within the monitor is not concurrent. Monitors have the traditional advantages of abstract data types, but they must also deal with two issues rising from their use by concurrently executing processes: avoiding interference and providing synchronization. This section illustrates some sample applications of monitors and how they internally handle concurrency. Returning to the Producer-Consumer problem, we implement a monitor for handling shared access to the buffer. The monitor requires a synchronization mechanism to ensure that the Producer cannot overfill the buffer and that the Consumer cannot retrieve from an empty buffer. Monitors implement condition variables, the values of which are queues of processes delayed upon the corresponding conditions. Two standard operations defined on conditional variable cv are: 1. wait(cv): causes the executing process to delay and to be placed at the end of cv’s queue; in order to allow eventual awakening of the process, the process must relinquish exclusive access to the monitor when it executes a wait. 2. signal(cv): causes the process at the head of cv’s queue to be awakened; if the queue is empty, there is no effect. © 2004 by Taylor & Francis Group, LLC
Although these operations mirror those of semaphores, there is a key difference: the signal operation has no memory. 96.3.3.1 Monitors and Producer-Consumer The buffer monitor can be defined as follows: monitor Buffer # define the buffer const N := .. # size of the buffer var buf[N] : int # buffer front := 1 # buffer pointers rear := 1 # define the condition variables var not_full, # signaled when count < N not_empty : cv # signaled when count > 0 procedure deposit(data : int) if count = N # check for space then wait(not_full) # delay if no space buf[rear] := data rear := (rear mod N) + 1 N := N + 1 signal(not_empty) # signal non-empty end procedure fetch(var data : int) if count = 0 # check for not empty then wait(not_empty) # delay if empty data := buf[front] front := (front mod N) + 1 N := N - 1 signal(not_full) # signal not full end Buffer Using this monitor, the producer and consumer tasks can be redone as follows: process Producer var x : int while true do -> # produce x ... deposit(x) end Producer process Consumer var x : int while true do -> fetch(x) # consume x ... end Consumer Now it is clear that programming (outside of the monitor) can now be done at a more abstract level, which will lead to more reliable software. © 2004 by Taylor & Francis Group, LLC
96.3.3.2 Difficulties with Monitors There are difficulties with monitors as well. Consider the case where we have two consumers, C1 and C2. If the buffer is empty when C1 executes fetch, then C1 will delay on not empty. If the producer then executes deposit (note that deposit and fetch cannot be executed concurrently), it will eventually signal(not empty), which will awaken C1. But if C2 executes fetch before C1 continues execution and its call to fetch proceeds, then C1 will access an empty buffer. Hence, the signal operation must be considered to be a hint that proceeding with execution is possible, but not that it is correct. The following two approaches are used to solve this problem: 1. Replace the check on the condition variable with a check inside a loop to ensure that the condition is true before execution proceeds. For example: procedure deposit(data : int) while count = N do -> # check for space then wait(not_full) # delay if no space buf[rear] := data rear := (rear mod N) + 1 N := N + 1 signal(not_empty) # signal non-empty end 2. Give the highest priority to awakening processes so that intervening access to the monitor is not possible; this also requires that the signal operation be the last operation executed in any procedure in which it occurs (to ensure that two processes will not be executing within the monitor). Monitors form the basis for concurrent programming in a number of systems and provide an efficient, high-level synchronization mechanism. They have the further advantage, as do other abstract data types or objects, of allowing for local modification and tuning without affecting the remainder of the system.
96.3.4 Message Passing Consider a hardware architecture with multiple independent computers. Creating a semaphore to be efficiently accessed by processes running on separate computers is a difficult problem. We need a new abstraction for this case: message passing in which a sending process outputs a message to a channel and a receiving process inputs the message from this same channel. There are a large number of variations of this basic concept, depending on the semantics of the operations and the channels. The basic primitives are: 1. Channel declaration 2. send 3. receive If both sending and receiving processes block upon reaching their corresponding message-passing operation, we have synchronous communication; if the sending process can send a message and continue without waiting for receipt, the system is asynchronous. Analogies are telephone communication and the postal system. The synchronous approach allows for ready synchronization of processes (at the instant of message passing we know where both are in their execution). This was the approach chosen by Hoare [1985] for his communicating sequential processes model and its subsequent implementation in the occam language [Jones and Goldsmith, 1988]. If we desire asynchronicity, we can add intermediate buffer processes to the synchronous approach. An advantage of synchronous message passing is that it often simplifies analysis of an algorithm because it is known where the sending and receiving processes are in their execution at the moment the message is passed. Further variations arise, depending on whether channels are one process-to-one process or one-tomany, statically instantiated at load time or dynamically created during execution, bi-directional or © 2004 by Taylor & Francis Group, LLC
uni-directional, whether the receiving process must be named by the sending process, etc. However, the basic concept is the same in all cases; ease of use and efficiency of implementation vary. Further variations include remote procedure call (RPC), which is the core of many distributed systems, and rendezvous, the approach used in Ada. We further explore these approaches after looking more closely at simple message passing. Note that, in the message-passing approach, there are no shared variables so interference is not an issue. The critical section issue does not arise because there is no way for concurrent processes to interfere with each other. This is one of the major motivating factors for the use of message-passing software architectures. 96.3.4.1 Message Passing and Producer-Consumer If the message-passing system is asynchronous, as demonstrated below, we can rely on the system itself to buffer values: channel P2C process Producer int x while true do -> # produce x send P2C x end Producer process Consumer int x while true do -> receive P2C x # consume x end Consumer Using this approach, the Producer sends a message over channel P2C and continues producing and sending (up to channel capacity at which point the system blocks), while the Consumer blocks at the receive statement if no messages are available. If our system is synchronous, then as shown below, we create a separate buffer process: channel P2B, B2C process Buffer # create the buffer const N := .. var buffer[N] : int front := 1 rear := 1 count := 0 # number of items in the buffer while true do -> if # there is room and the producer is sending count < n and receive P2B buffer[rear] -> count++; rear := rear mod n + 1 else # there are items and the consumer is receiving count > 0 and send B2C buffer[front] -> count--; front := front mod n + 1 end Buffer © 2004 by Taylor & Francis Group, LLC
process Producer var x : int while true do -> # produce x ... send P2B x end Producer process Consumer var x : int while true do -> receive B2C x # consume x end Consumer Above the if statement is nondeterministic; that is, any true clause can be selected. The Boolean conditions in the clauses are called guards. The clauses are: r If there is room and the producer wishes to send a character r If there are items to retrieve and the consumer wishes to receive a character
For implementation efficiency reasons, actual programming languages do not allow guards for both input and output statements, so we must modify our solution; for example, as shown below, we can modify the buffer and consumer processes to eliminate the output guard: channel P2B, B2C, C2B process Buffer # define the buffer var buffer[n] : int var front := 1 rear := 1 count := 0 while true do - > if # there is room and the producer is sending count < n and receive P2B buffer[rear] -> count++; rear := rear mod n + 1 else # there are items and the consumer is requesting count > 0 and receive C2b buffer[front] -> send B2C buffer[front] count--; front := front mod n + 1 end Buffer process Producer var x : int while true do -> # produce x
© 2004 by Taylor & Francis Group, LLC
... send P2B x end Producer process Consumer var int : x while true do -> send C2B NIL receive B2C x # consume x ... end Consumer
# announce ready for input
Above, the Consumer process first announces its intention to receive a value from the Buffer process (send C2B NIL; the NIL signifying that no message need be actually exchanged) and then actually receives the value (receive B2C x). This program is an example of client/server programming. The Consumer process is a client of the Buffer process; that is, it requests service from the buffer, which provides it. Client/server programming is widely used to provide services across a network and is based on the message-passing paradigm. 96.3.4.2 Message Passing and Readers-Writers The message-passing approach to Readers-Writers is straightforward: do not accept a message from a reader or writer if a writer is writing; do not accept a message from a writer if a reader is reading. The solution, shown below, is simple if we adopt synchronous message passing and the notion of the database as a server: channel Rrequests, Rreceives, Wsends Reader send Rrequests receive Rreceives Writer send Wsends Server if # there are no writers, accept reader requests nw = 0 -> receive Rrequests # access the database ... send Rreceives # there are no readers or writers, accept writer requests nr = 0 and nw = 0 -> receive Wsends # modify the database ...
© 2004 by Taylor & Francis Group, LLC
96.3.4.3 Message Passing and Semaphore Simulation Of course, as we show next, message passing can simulate a semaphore (and vice versa if need be): channels P, V, initSemaphore process Semaphore var s : int receive initSemaphore i s := i while true do -> if # semaphore is non-zero accept P operation s > 0 and receive P NIL-> s-# always accept V operation receive V NIL -> s++ end Semaphore 96.3.4.4 The Remote Procedure Call and Rendezvous Abstractions The remote procedure call, or RPC, abstraction is widely used to provide client/server services in a distributed system. Revisiting the client/server examples above, it is clear that the client executes a sendreceive pair while the server executes a receive-send pair. Using the standard procedure model to capture the server’s actions, a call statement to capture the client’s actions and parameters to capture the messages being sent, we have: Client ... call Server(args) ... Server(formal args) ... return which mirrors traditional procedure calls. The difference is that the Server procedure can be on a machine remote to the Client process. Indeed, the Server is implemented as a process that is always delayed until a Client executes a call. If multiple Clients concurrently execute calls to a Server, the Server must be re-entrant or must provide protection for shared information. The RPC approach forms the basis for distributed systems programs on a wide variety of platforms; its relationship to monitors should be clear. The calling process and procedure are not truly concurrent in the sense used throughout this chapter, in that the calling process delays once the call is made, the procedure does not execute until called, the procedure delays when the return is executed, and the calling process resumes execution only upon the return from the procedure. The model is similar to that of synchronous message passing if the execution of the procedure is viewed as a component of the message-passing process (essentially, the procedure creates the return message). We can increase the power of this approach if we modify the procedure into a process and have both processes executing concurrently. When a call is made, execution of the calling process delays while execution of the called process continues until it is ready to accept the call (via a special statement). The called process continues execution, performing actions or calculating values for the return message. The return message is sent back to the caller, the called process continues executing, and the calling process © 2004 by Taylor & Francis Group, LLC
resumes execution once the message is received. Because there is an extended time period during which the two processes are synchronized (from called accept through called return), this model of concurrency is termed rendezvous. It is the basis for the model of concurrency used in the Ada language. The Ada model is not symmetric: the calling process must know the name of the process it is calling, but the called process need not know its caller. Accept statements may have guards, as discussed above for message passing, in order to control acceptance of calls. The complexity of these guards, and their priority, must be carefully followed during program implementation. There are several advantages to this approach, all based on the possibility of the called routine using multiple accept statements: 1. The called routine can provide different responses to the calling process at different stages of its execution. 2. The called routine can respond differently to different calling processes. 3. The called routine chooses when it will receive a call. 4. Different accept statements can be used to provide different services in a clear fashion (rather than through parameter values). 96.3.4.5 Difficulties with Message Passing Message-passing systems are frequently inefficient during execution unless the algorithm is developed carefully. This is because messages take time to propagate, and this time is essentially overhead. For example, a single element buffer version of Conway’s problem spends significantly more time exchanging messages than any other operation.
96.4 Distributed Systems In addition to the difficulties inherent in developing and understanding concurrent solutions, distributed systems contain the fundamental problem of identifying global state. For example, how do we determine if a program has terminated? In the sequential case, this is obvious, we execute the exit or end statement. In the concurrent case, we must ensure that all processes are ready to terminate. In the multiprogramming case, we can do this by checking the ready queue; if it is empty, then there are no processes waiting to run, which ensures that no process will ever be added to the ready queues (if no process can run, then there can be no changes to create another ready process). But if we are in a distributed system, there is no single ready queue to examine. If a process is in the suspended queue on its processor, it may be made ready by a message from a process on a different processor. Similarly, we may still require mutual exclusion on a system resource — how do we ensure access across processors? The solution is to develop a method of determining global state; see, for example, Ben-Ari [1990]. While a true “distributed” paradigm has not yet emerged in the programming paradigms domain, it will most likely evolve in the area of operating systems; for more information on distributed computing, readers are encouraged to look at Chapter 108 in this Handbook.
96.5 Formal Approaches We argued above that software verification in concurrent programming must take into account the enormous number of possible interactions between concurrent processes. Obviously, traditional testing only demonstrates the presence of “good” execution histories and is not a mechanism to verify any solution — sequential or concurrent. The use of a trace routine to generate execution histories is a standard sequential technique that becomes infeasible in the concurrent domain. Consider, for example, that n processes each executing m atomic actions generates (n ∗ m)!/(m!)n histories. For three processes, each executing only two actions, this is a total of 90 possible histories! © 2004 by Taylor & Francis Group, LLC
The alternative is to use a formal, mathematically rigorous method to develop a solution and/or to verify a complete solution. Two approaches have been applied to verifying concurrent software: 1. Axiomatic or assertional 2. Process algebraic The axiomatic approach develops assertions in the predicate logic that characterize the possible states of a computation. The actions of a program are viewed as predicate transformers that move the computation from one state to another. The beginning state is specified by the pre-condition of the computation, and the final state is characterized by the post-condition. This approach has been exploited for some time in the sequential paradigm; see Schneider [1997] for a comprehensive introduction to the field in the context of concurrency. The process algebraic approach was pioneered by Hoare [1985], who also pioneered the coarse-grained model of concurrency. The concept is that the interactions between a system and its environment (which are all that is ultimately observable) can be modeled via a mathematical abstraction called a process (this is the abstraction of the computing process as used above). Processes can be combined via algebraic laws to form systems. Communication between processes is an example of this interaction. By building up a system through these mathematical laws and then transforming the abstract mathematics into an implementable language, one arrives at a correct solution. The occam language was designed to match the algebraic laws devised by Hoare; transformations exist between these laws and occam programming constructs (but the transformations are not perfect due to practicalities of implementation) [Hinchey and Jarvis, 1995]. A number of subsequent efforts developed process algebras with varying properties [Milner, 1989]; see Magee and Kramer [1999] for the use of a process algebra in the development of Java programs. Although both approaches are in active use, they are not typically applied in the concurrent paradigm with any greater frequency than they are in the sequential paradigm, and they remain primarily research tools. The fundamental difficulty is that theoreticians search for the “fundamental particles” of computing to develop mathematical laws enabling formal reasoning. Practical languages are (inherently) extremely complex mixtures of these fundamental particles and laws in order to have sufficient power to solve real-world problems. Theoretical tools do not yet scale to these large, complex problems.
96.6 Existing Languages with Concurrency Features A large number of languages have been developed to use the concurrency paradigm; most have remained in the laboratory environment. If the underlying operating system provides the requisite support, then semaphores can be implemented in any language via system calls. Higher-level concurrency control structures require modification of the underlying sequential language; for example, Concurrent Pascal [Brinch Hansen, 1975] uses monitors while Concurrent C [Gehani and Roome, 1986] is based on the rendezvous. By beginning with a widely used sequential programming language, a designer has a large community from which to draw users to the new language. The Ada (concurrency based upon the rendezvous) and SR (which includes structures for all of the approaches discussed in this chapter and is therefore particularly useful for exploring concurrent programming) [Andrews and Olsson, 1993; see Hartley, 1995, for extensive examples] languages are examples of sequential languages with concurrent structures included from the initial stages of development. Object-oriented languages have similarly had concurrency features added. For example, Smalltalk has the Process and Semaphore classes to provide for the dynamic creation of independent processes and their interaction using the semaphore approach [Goldberg and Robson, 1989]. Languages based on an inherently concurrent model include Linda (more a language-independent philosophy than a language) [Ahuja et al., 1986] and occam (synchronous message passing) [Jones and Goldsmith, 1988]. A different approach is to provide a standardized interface (an application program interface or API) that is language independent. A language implementation then provides a set of library routines to implement this API. Thus, programmers can use a language of their choice while being assured that their © 2004 by Taylor & Francis Group, LLC
program will function correctly. Currently, the two main paradigms that are the basis for writing parallel programs are message passing and shared memory. A hybrid paradigm is used in systems comprised of shared-memory multiprocessor nodes that communicate via message passing. For writing messagepassing programs, MPI (Message Passing Interface) [http://www-unix.mcs.anl.gov/mpi/index.html] is a widely used standard; many variants of MPI exist, including MPICH, CH for Chameleon, which is a complete, freely-available implementation of the MPI specification, targeted at high performance [http://www-unix.mcs.anl.gov/mpi/mpich/]. MPI’s interface includes features of a number of message-passing systems and attempts to provide portability and ease-of-use. The MPI programming model is an MPMD (multiple program multiple data) model, in which every MPI process can execute a different program. A computation is envisioned as one or more processes that communicate by calling library routines to send and receive messages to other processes. In general, a fixed set of processes, one for each processor, is created at program initialization (versions of MPI that will support dynamic creation and termination of processes are anticipated). Local and global communication (e.g., broadcast and summation) is provided by point-to-point and collective communication operations, respectively. The former is used to send messages from one named process to another, while the latter is used to provide message passing among a group of processes. Most parallel algorithms are readily implemented using MPI. If an algorithm creates just one task per processor, it can be implemented directly with point-to-point or collective communication routines that meet its communication requirements. In contrast, if tasks are created dynamically or if several tasks are executed concurrently on a processor, the algorithm must be refined to permit an MPI implementation. The OpenMP API is becoming a standard that supports multi-platform shared-memory parallel programming in C/C++ and Fortran on all architectures, including Unix and Windows NT platforms. OpenMP is a portable, scalable model that gives shared-memory parallel programmers a simple and flexible interface for developing parallel applications for platforms ranging from the desktop to the supercomputer [http://www.openmp.org/]. This API is jointly defined by a group of major computer hardware and software vendors. OpenMP can be used to explicitly direct multi-threaded, shared memory parallelism. It is comprised of three primary API components: compiler directives, runtime library routines, and environment variables. Using the fork/join model of parallel execution, an OpenMP program begins as a single master thread. The master thread creates or forks a set of parallel threads, which concurrently execute a parallel region construct. On completion, the threads parallel threads join (i.e., synchronize and terminate), leaving only the master thread. The API supports nested parallelism and dynamic threads, that is, dynamic alternation of the number of active threads. Variable scoping, for example, declaration of private and shared data, parallelism, and synchronization are specified through the use of compiler directives. By itself, OpenMP is not meant for distributed memory parallel systems. For example, for highperformance cluster architectures such as the IBM SP, where intranode communication is accomplished via shared memory and internode communication is performed via message passing, OpenMP is used within a node while MPI is used between nodes. There are many parallel programming tools available that help the user parallelize her/his application and then easily port it to a parallel machine. These machines can be shared-memory machines or a network of workstations.
96.7 Research Issues While it is clear that concurrency is a necessary technique for the solution of many problems, it also is clear that progress must be made in order to ensure its effective application. That this is still a research issue is clear whenever an operating system crashes due to system processes that interfere with each other or we discover someone in our airplane seat due to concurrent access to the airline’s database. This required progress falls into three categories: 1. Theoretical advances must be made to develop formal techniques that scale to real-world applications. For example, process interference checkers exist, but operate essentially by checking all © 2004 by Taylor & Francis Group, LLC
possible interactions between processes to check for deadlock, etc. This approach rapidly develops combinatorial explosion. 2. Design tools that provide development support for concurrent solutions. For example, debuggers that capture the concurrent computation without overwhelming the user with information. 3. Languages with powerful structures to support the correct application of concurrency. For example, the development of concurrent object-oriented languages appears straight-forward: simply allow each object to run concurrently because each object is logically autonomous. However, there are a number of issues that need resolution, including: a. Not all objects need to run concurrently because the majority of computation will still be sequential (thereby incurring no scheduler overhead). b. If we consider multiple concurrent objects attempting to communicate with the same object: i. Acceptance of a message must delay all other messages in order to correctly preserve the internal state of the object. ii. Ordering of message acceptance must be synchronized to ensure computations are correct. iii. Acceptance of messages must occur only at appropriate points in the object’s execution. c. Inheritance through the class hierarchy creates problems because it will mix this synchronization with object behavior.
96.8 Summary The single outstanding problem with concurrency is the development of correct solutions (as it is in all software systems): the state of development of both formal methods and software engineering tools for concurrent solutions lags behind the sequential world in this regard and well behind hardware advances.
Defining Terms Asynchronous message passing: The message-sending process allows messages to be buffered and the sending process may continue after the send is initiated; the receiving process blocks if the message queue is empty. Channel: The data structure, which may be realized in hardware, over which processes send messages. Client/server: The software architecture in which clients are able to request services of processes executing on remote machines. Condition variables: A variable used within a monitor to delay an executing process. Critical regions: A section of code that must appear to be executed indivisibly. Deadlock: The state in which processes are waiting for events that can never occur; that is, the processes cannot progress. Distributed processing: The use of multiple processors that are remote from each other. Fairness: Processes will eventually be able to progress, that is, enter their critical regions. Message passing: A technique for providing mutual exclusion, communication, and synchronization among concurrent processes via sending messages between processes. Monitor: An encapsulation of a resource and the operations on that resource that serve to ensure mutual exclusion. Multiprocessing: The use of multiple processors. Multiprogramming: Simulating concurrency by interleaving instruction execution from multiple programs; time sharing or time slicing. Mutual exclusion: The property ensuring that a critical region is executed indivisibly by one process or thread at a time. Race: Nondeterministic behavior caused by incorrectly synchronized concurrent processes. Remote procedure call: The message-passing architecture in which processes request services of processes executing procedures on remote machines. Rendezvous: The message-passing construct used in the Ada language. © 2004 by Taylor & Francis Group, LLC
Semaphore: A nonnegative integer-valued variable on which two operations are defined: P and V to signal intent to enter and exit, respectively, a critical region. Synchronous message passing: The message-sending process requires both sender and receiver to synchronize at the moment of message transmission.
References Journals Ahuja, S., Carriero, N., and Gelernter, D. 1986. Linda and Friends. Computer, 19(8):26–34. Andrews, G. R. and Schneider, F. B. 1983. Concepts and notations for concurrent programming. Comp. Surv., 15(1):3–43; reprinted in Gehani, N. and McGettrick, A. D. 1988. Concurrent Programming. Addison-Wesley, New York. Brinch Hansen, P. 1975. The Programming Language Concurrent Pascal. IEEE Trans. on Software Engineering, 1(2):199–207; reprinted in Gehani, N. and McGettrick, A. D. 1988. Concurrent Programming. Addison-Wesley, New York. Dijkstra, E. W. 1968. The structure of the T. H. E. multiprogramming system. CACM, 11:341–346. Gehani, N. H. and Roome, W. D. 1986. Concurrent C. Software: Practice and Experience, 16(9):821–844; reprinted in Gehani, N. and McGettrick, A. D. 1988. Concurrent Programming. Addison-Wesley, New York. Peterson, G. L. 1983. A new solution to Lamport’s concurrent programming problem using small shared variables. ACM Trans. Prog. Lang. and Syst., 5(1):56–55. Books Andrews, G. R. 2000. Foundations of Multithreaded, Parallel, and Distributed Programming. BenjaminCummings, New York. Andrews, G. R. and Olsson, R. A. 1993. The SR Programming Language. Benjamin-Cummings, New York. Ben-Ari, M. 1982. Principles of Concurrent Programming. Prentice Hall, London. Ben-Ari, M. 1990. Principles of Concurrent and Distributed Programming. Prentice Hall, London. Bernstein, A. J. and Lewis, P. M. 1993. Concurrency in Programming and Database Systems. Jones and Bartlett, Boston. Filman, R. E. and Friedman, D. P. 1984. Coordinated Computing. McGraw-Hill, New York. Gehani, N. and McGettrick, A. D. 1988. Concurrent Programming. Addison-Wesley, New York. Goldberg, A. and Robson, D. 1989. Smalltalk–80 The Language. Addison-Wesley, New York. Hartley, S. J. 1995. Operating Systems Programming. Oxford, New York. Hinchey, M. G. and Jarvis, S. A. 1995. The CSP Reference Book. McGraw-Hill, New York. Hoare, C. A. R. 1985. Communicating Sequential Processes. Prentice Hall, London. Jones, G. and Goldsmith, M. 1988. Programming occam 2. Prentice Hall, New York. Lester, B. P. 1993. The Art of Parallel Programming. Prentice Hall, New Jersey. Magee, J. and Kramer, J. 1999. Concurrency: State Models and Java Programs. Wiley, West Sussex. Milner, R. 1989. Communication and Concurrency. Addison-Wesley, New York. Schneider, F. 1997. On Current Programming. Springer-Verlag, New York. Wilkinson, B. and Allen, M. 1999. Parallel Programming: Techniques and Applications Using Networked Workstations and Parallel Computers. Prentice Hall, New Jersey.
Further Information Further information can be gleaned from a number of sources; particularly recommended are Andrews [2000] for a comprehensive view of the field with an axiomatic flair, including a fascinating bibliography with historical notes and extensive problem sets; Schneider [1997] for a graduate level treatise on axiomatic semantics in the context of concurrency; Ben-Ari [1982] for a nice introduction including problem sets; Ben-Ari [1990], which adds Ada code examples, correctness arguments, and distributed computing; the © 2004 by Taylor & Francis Group, LLC
process algebra approach is developed in Hoare [1985] and Milner [1989] and demonstrated in Magee and Kramer [1999]; Filman and Friedman [1984] emphasize the various models of concurrent computation; Lester [1993] provides a comprehensive introduction including efficiency considerations, but without correctness arguments; Bernstein and Lewis [1993] use the axiomatic approach to develop concurrent solutions to a variety of problems with an emphasis on databases; Gehani and McGettrick [1988] reprint a number of the classic papers in the field. Wilkinson and Allen [1999] demonstrate parallel programming for a wide range of problems. The journal Concurrency: Practice and Experience focuses on practical experience with concurrent machines and concurrent solutions to problems; concurrency is also frequently dealt with in a large number of society journals. In addition, there are a large number of resources available via the Web that may be discovered through the use of the various search techniques.
© 2004 by Taylor & Francis Group, LLC
97 Type Systems 97.1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-1
Execution Errors • Lack of Safety • Should Languages Be Safe? • Should Languages Be Typed? • Expected Properties of Type Systems • How Type Systems Are Formalized • Type Equivalence
97.2
The Language of Type Systems . . . . . . . . . . . . . . . . . . . . . . . 97-8 Judgments • Well Typing and Type Inference • Type Soundness
97.5 97.6 97.7 97.8
First-Order Type Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-11 First-Order Type Systems for Imperative Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-18 Second-Order Type Systems . . . . . . . . . . . . . . . . . . . . . . . . . 97-19 Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-22 Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-25 Type Inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97-25
97.9
Summary and Research Issues . . . . . . . . . . . . . . . . . . . . . . . 97-28
97.3 97.4
The Type Inference Problem
Luca Cardelli Microsoft Research
What We Learned
•
Future Directions
97.1 Introduction The fundamental purpose of a type system is to prevent the occurrence of execution errors during the running of a program. This informal statement motivates the study of type systems, but requires clarification. Its accuracy depends, first of all, on the rather subtle issue of what constitutes an execution error, which we will discuss in detail. Even when that is settled, the absence of execution errors is a nontrivial property. When such a property holds for all the program runs that can be expressed within a programming language, we say that the language is type sound. It turns out that a fair amount of careful analysis is required to avoid false and embarrassing claims of type soundness for programming languages. As a consequence, the classification, description, and study of type systems has emerged as a formal discipline. The formalization of type systems requires the development of precise notations and definitions, and the detailed proof of formal properties that give confidence in the appropriateness of the definitions. Sometimes the discipline becomes rather abstract. One should always remember, however, that the basic motivation is pragmatic: the abstractions have arisen out of necessity and can usually be related directly to concrete intuitions. Moreover, formal techniques need not be applied in full in order to be useful and influential. A knowledge of the main principles of type systems can help in avoiding obvious and not-so-obvious pitfalls, and can inspire regularity and orthogonality in language design. When properly developed, type systems provide conceptual tools with which to judge the adequacy of important aspects of language definitions. Informal language descriptions often fail to specify the type
© 2004 by Taylor & Francis Group, LLC
structure of a language in sufficient detail to allow unambiguous implementation. It often happens that different compilers for the same language implement slightly different type systems. Moreover, many language definitions have been found to be type unsound, allowing a program to crash even though it is judged acceptable by a typechecker. Ideally, formal type systems should be part of the definition of all typed programming languages. This way, typechecking algorithms could be measured unambiguously against precise specifications and, if at all possible and feasible, whole languages could be shown to be type sound. In this introductory section we present an informal nomenclature for typing, execution errors, and related concepts. We discuss the expected properties and benefits of type systems, and we review how type systems can be formalized. The terminology used in the introduction is not completely standard; this is due to the inherent inconsistency of standard terminology arising from various sources. In general, we avoid the words type and typing when referring to runtime concepts; for example, we replace dynamic typing with dynamic checking and avoid common but ambiguous terms such as strong typing. The terminology is summarized in the “Defining Terms” section. In Section 97.2 we explain the notation commonly used for describing type systems. We review judgments, which are formal assertions about the typing of programs; type rules, which are implications between judgments; and derivations, which are deductions based on type rules. In Section 97.3 we review a broad spectrum of simple types, the analog of which can be found in common languages, and we detail their type rules. In Section 97.4 we present the type rules for a simple but complete imperative language. In Section 97.5 we discuss the type rules for some advanced type constructions: polymorphism and data abstraction. In Section 97.6 we explain how type systems can be extended with a notion of subtyping. Section 97.7 is a brief commentary on some important topics that we have glossed over. In Section 97.8 we discuss the type inference problem and present type inference algorithms for the main type systems that we have considered. Finally, Section 97.9 presents a summary of achievements and future directions.
97.1.1 Execution Errors The most obvious symptom of an execution error is the occurrence of an unexpected software fault, such as an illegal instruction fault or an illegal memory reference fault. There are, however, more subtle kinds of execution errors that result in data corruption without any immediate symptoms. Moreover, there are software faults, such as divide by zero and dereferencing nil, that are not normally prevented by type systems. Finally, there are languages lacking type systems where, nonetheless, software faults do not occur. Therefore, we need to define our terminology carefully, beginning with what is a type. 97.1.1.1 Typed and Untyped Languages A program variable can assume a range of values during the execution of a program. An upper bound of such a range is called a type of the variable. For example, a variable x of type Boolean is supposed to assume only Boolean values during every run of a program. If x has type Boolean, then the Boolean expression not (x) has a sensible meaning in every run of the program. Languages for which variables can be given (nontrivial) types are called typed languages. Languages that do not restrict the range of variables are called untyped languages; they do not have types or, equivalently, have a single universal type that contains all values. In these languages, operations may be applied to inappropriate arguments; the result may be a fixed arbitrary value, a fault, an exception, or an unspecified effect. The pure -calculus is an extreme case of an untyped language where no fault ever occurs; the only operation is function application and, because all values are functions, that operation never fails. A type system is that component of a typed language that keeps track of the types of variables and, in general, of the types of all expressions in a program. Type systems are used to determine whether programs are well behaved (as discussed subsequently). Only program sources that comply with a type system should be considered real programs of a typed language; the other sources should be discarded before they are run. A language is typed by virtue of the existence of a type system for it, whether or not types actually appear in the syntax of programs. Typed languages are explicitly typed if types are part of the syntax, and © 2004 by Taylor & Francis Group, LLC
implicitly typed otherwise. No mainstream language is purely implicitly typed, but languages such as ML and Haskell support writing large program fragments where type information is omitted; the type systems of those languages automatically assign types to such program fragments. 97.1.1.2 Execution Errors and Safety It is useful to distinguish between two kinds of execution errors: the ones that cause the computation to stop immediately, and the ones that go unnoticed (for awhile) and later cause arbitrary behavior. The former are called trapped errors, whereas the latter are untrapped errors. An example of an untrapped error is improperly accessing a legal address, for example, accessing data past the end of an array in absence of runtime bounds checks. Another untrapped error that may go unnoticed for an arbitrary length of time is jumping to the wrong address; memory there may or may not represent an instruction stream. Examples of trapped errors are division by zero and accessing an illegal address: the computation stops immediately (on many computer architectures). A program fragment is safe if it does not cause untrapped errors to occur. Languages for which all program fragments are safe are called safe languages. Therefore, safe languages rule out the most insidious form of execution errors: the ones that may go unnoticed. Untyped languages may enforce safety by performing runtime checks. Typed languages may enforce safety by statically rejecting all programs that are potentially unsafe. Typed languages may also use a mixture of runtime and static checks. Although safety is a crucial property of programs, it is rare for a typed language to be concerned exclusively with the elimination of untrapped errors. Typed languages usually aim to rule out also large classes of trapped errors, along with the untrapped ones. We discuss these issues next. 97.1.1.3 Execution Errors and Well-Behaved Programs For any given language, we can designate a subset of the possible execution errors as forbidden errors. The forbidden errors should include all the untrapped errors, plus a subset of the trapped errors. A program fragment is said to have good behavior, or equivalently to be well behaved, if it does not cause any forbidden error to occur. (The contrary is to have bad behavior, or equivalently to be ill behaved.) In particular, a well-behaved fragment is safe. A language in which all the (legal) programs have good behavior is called strongly checked. Thus, with respect to a given type system, the following holds for a strongly checked language: r No untrapped errors occur (safety guarantee). r None of the trapped errors designated as forbidden errors occur. r Other trapped errors may occur; it is the programmer’s responsibility to avoid them.
Typed languages can enforce good behavior (including safety) by performing static (i.e., compile time) checks to prevent unsafe and ill-behaved programs from ever running. These languages are statically checked; the checking process is called typechecking, and the algorithm that performs this checking is called the typechecker. A program that passes the typechecker is said to be well typed; otherwise, it is ill typed, which may mean that it is actually ill behaved, or simply that it could not be guaranteed to be well behaved. Examples of statically checked languages are ML, Java, and Pascal (with the caveat that Pascal has some unsafe features). Untyped languages can enforce good behavior (including safety) in a different way, by performing sufficiently detailed runtime checks to rule out all forbidden errors. (For example, they may check all array bounds, and all division operations, generating recoverable exceptions when forbidden errors would happen.) The checking process in these languages is called dynamic checking; LISP is an example of such a dynamically checked language. These languages are strongly checked although they have neither static checking nor a type system. Even statically checked languages usually need to perform tests at runtime to achieve safety. For example, array bounds must in general be tested dynamically. The fact that a language is statically checked does not necessarily mean that execution can proceed entirely blindly. © 2004 by Taylor & Francis Group, LLC
TABLE 97.1
Safety
Safe Unsafe
Typed
Untyped
ML, Java C
LISP Assembler
Several languages take advantage of their static type structures to perform sophisticated dynamic tests. For example, Simula67’s INSPECT, Modula-3’s TYPECASE, and Java’s instanceof constructs discriminate on the runtime type of an object. These languages are still (slightly improperly) considered statically checked, partially because the dynamic type tests are defined on the basis of the static type system. That is, the dynamic tests for type equality are compatible with the algorithm that the typechecker uses to determine type equality at compile time.
97.1.2 Lack of Safety By our definitions, a well-behaved program is safe. Safety is a more primitive and perhaps more important property than good behavior. The primary goal of a type system is to ensure language safety by ruling out all untrapped errors in all program runs. However, most type systems are designed to ensure the more general good-behavior property and, implicitly, safety. Thus, the declared goal of a type system is usually to ensure good behavior of all programs, by distinguishing between well-typed and ill-typed programs. In reality, certain statically checked languages do not ensure safety. That is, their set of forbidden errors does not include all untrapped errors. These languages can be euphemistically called weakly checked (or weakly typed, in the literature), meaning that some unsafe operations are detected statically and some are not detected. Languages in this class vary widely in the extent of their weakness. For example, Pascal is unsafe only when untagged variant types and function parameters are used, whereas C has many unsafe and widely used features, such as pointer arithmetic and casting. It is interesting to notice that the first five of the ten commandments for C programmers [Spencer] are directed at compensating for the weakchecking aspects of C. Some of the problems caused by weak checking in C have been alleviated in C++, and even more have been addressed in Java, confirming a trend away from weak checking. Modula-3 supports unsafe features, but only in modules that are explicitly marked as unsafe, and prevents safe modules from importing unsafe interfaces. Most untyped languages are, by necessity, completely safe (e.g., LISP). Otherwise, programming would be too frustrating in the absence of both compile time and runtime checks to protect against corruption. Assembly languages belong to the unpleasant category of untyped unsafe languages (see Table 97.1).
97.1.3 Should Languages Be Safe? Some languages, like C, are deliberately unsafe because of performance considerations: the runtime checks needed to achieve safety are sometimes considered too expensive. Safety has a cost even in languages that do extensive static analysis: tests such as array bounds checks cannot be, in general, completely eliminated at compile time. Still, there have been many efforts to design safe subsets of C, and to produce development tools that try to execute C programs safely by introducing a variety of (relatively expensive) runtime checks. These efforts are due to two main reasons: (1) the widespread use of C in applications that are not largely performance critical, and (2) the security problems introduced by unsafe C programs. The security problems include buffer overflows and underflows caused by pointer arithmetic, and lack of array bounds checks that can lead to overwriting areas of memory and that can be exploited for attacks. Safety is cost-effective according to different measures than just pure performance. Safety produces fail-stop behavior in case of execution errors, reducing debugging time. Safety guarantees the integrity of runtime structures, and therefore enables garbage collection. In turn, garbage collection considerably reduces code size and code development time, at the price of some performance. Finally, safety © 2004 by Taylor & Francis Group, LLC
has emerged as a necessary foundation for system security, particularly for systems (such as operating system kernels and Web browsers) that load and run foreign code. System security is becoming one of the most expensive aspects of program development and maintenance, and safety can reduce these costs. Thus, the choice between a safe and unsafe language may be ultimately related to a trade-off between development and maintenance time, and execution time. Although safe languages have been around for many decades, it is only recently that they have become mainstream, uniquely because of security concerns.
97.1.4 Should Languages Be Typed? The issue of whether programming languages should have types is still subject to some debate. There is little doubt that production code written in untyped languages can be maintained only with great difficulty. From the point of view of maintainability, even weakly checked unsafe languages are superior to safe but untyped languages (e.g., C vs. LISP). Following are the arguments that have been put forward in favor of typed languages, from an engineering point of view: r Economy of execution. Type information was first introduced in programming to improve code
r
r
r
r
generation and runtime efficiency for numerical computations, for example, in FORTRAN. In ML, accurate type information eliminates the need for nil-checking on pointer dereferencing. In general, accurate type information at compile time leads to the application of the appropriate operations at runtime without the need for expensive tests. Economy of small-scale development. When a type system is well designed, typechecking can capture a large fraction of routine programming errors, thus eliminating lengthy debugging sessions. The errors that do occur are easier to debug, simply because large classes of other errors have been ruled out. Moreover, experienced programmers adopt a coding style that causes some logical errors to show up as typechecking errors: they use the typechecker as a development tool. (For example, by changing the name of a field when its invariants change even though its type remains the same, so as to get error reports on all its old uses.) Economy of compilation. Type information can be organized into interfaces for program modules, for example, as in Modula-2 and Ada. Modules can then be compiled independently of each other, with each module depending only on the interfaces of the others. Compilation of large systems is made more efficient because, at least when interfaces are stable, changes to a module do not cause other modules to be recompiled. Economy of large-scale development. Interfaces and modules have methodological advantages for code development. Large teams of programmers can negotiate the interfaces to be implemented, and then proceed separately to implement the corresponding pieces of code. Dependencies between pieces of code are minimized, and code can be locally rearranged without fear of global effects. (These benefits can also be achieved by informal interface specifications; but in practice, typechecking helps enormously in verifying adherence to the specifications.) Economy of development and maintenance in security areas. Although safety is necessary to eliminate security breaches such as buffer overflows, typing is necessary to eliminate other catastrophic security breaches, such as the following. If there is any way at all, no matter how convoluted, to cast an integer into a value of pointer type (or object type), the entire system is compromised. If that is possible, attackers can access any data anywhere in the system, even within the confines of an otherwise typed language, using any type they choose to view the data. Another helpful technique is to convert a given typed pointer into an integer, and then into a pointer of different type as above. The most cost-effective way to eliminate these security problems, in terms of maintenance and execution efficiency, is to employ typed languages. Still, security is a problem at all levels of a system; typed languages provide an excellent foundation, but not a complete solution.
© 2004 by Taylor & Francis Group, LLC
r Economy of language features. Type constructions are naturally composed in orthogonal ways. For
example, in Pascal, an array of arrays models two-dimensional arrays; in ML, a procedure with a single argument that is a tuple of n parameters models a procedure of n arguments. Thus, type systems promote orthogonality of language features, question the utility of artificial restrictions, and thus tend to reduce the complexity of programming languages.
97.1.5 Expected Properties of Type Systems In the remainder of this chapter we proceed under the assumption that languages should be both safe and typed, and therefore that type systems should be employed. In the study of type systems, we neither distinguish between trapped and untrapped errors, nor between safety and good behavior; we concentrate on good behavior, and we take safety as an implied property. Types, as normally intended in programming languages, have pragmatic characteristics that distinguish them from other kinds of program annotations. In general, annotations about the behavior of programs can range from informal comments to formal specifications subject to theorem proving. Types sit in the middle of this spectrum: they are more precise than program comments, and more easily mechanizable than formal specifications. Here are the basic properties expected of any type system: r Type systems should be decidably verifiable : there should be an algorithm (called a typechecking
algorithm) that can ensure that a program is well behaved. The purpose of a type system is not simply to state programmer intentions, but to actively capture execution errors before they happen. (Arbitrary formal specifications do not have these properties.) r Type systems should be transparent : a programmer should be able to predict easily whether a program will typecheck. If it fails to typecheck, the reason for the failure should be self-evident. (Automatic theorem proving does not have these properties.) r Type systems should be enforceable : type declarations should be statically checked as much as possible, and otherwise dynamically checked. The consistency between type declarations and their associated programs should be routinely verified. (Program comments and conventions do not have these properties.)
97.1.6 How Type Systems Are Formalized As we have discussed, type systems are used to define the notion of well typing, which is itself a static approximation of good behavior (including safety). Safety facilitates debugging because of fail-stop behavior, and enables garbage collection by protecting runtime structures. Well typing further facilitates program development by trapping execution errors before runtime. But how can we guarantee that well-typed programs are really well behaved? That is, how can we be sure that the type rules of a language do not accidentally allow ill-behaved programs to slip through? Formal type systems are the mathematical characterizations of the informal type systems that are described in programming language manuals. Once a type system is formalized, we can attempt to prove a type soundness theorem stating that well-typed programs are well behaved. If such a soundness theorem holds, we say that the type system is sound. (Good behavior of all programs of a typed language and soundness of its type system mean the same thing.) To formalize a type system and prove a soundness theorem, we must in essence formalize the whole language in question, as we now sketch. The first step in formalizing a programming language is to describe its syntax. For most languages of interest, this reduces to describing the syntax of types and terms. Types express static knowledge about programs, whereas terms (statements, expressions, and other program fragments) express the algorithmic behavior. The next step is to define the scoping rules of the language, which unambiguously associate occurrences of identifiers to their binding locations (the locations where the identifiers are declared). The scoping needed for typed languages is invariably static, in the sense that the binding locations of identifiers must © 2004 by Taylor & Francis Group, LLC
be determined before runtime. Binding locations can often be determined purely from the syntax of a language, without any further analysis; static scoping is then called lexical scoping. The lack of static scoping is called dynamic scoping. Scoping can be formally specified by defining the set of free variables of a program fragment (which involves specifying how variables are bound by declarations). The associated notion of substitution of types or terms for free variables can then be defined. When this much is settled, one can proceed to define the type rules of the language. These describe a relation has-type of the form M : A between terms M and types A. Some languages also require a relation subtype-of of the form A <: B between types, and often a relation equal-type of the form A = B of type equivalence. The collection of type rules of a language forms its type system. A language that has a type system is called a typed language. The type rules cannot be formalized without first introducing another fundamental ingredient that is not reflected in the syntax of the language: static typing environments. These are used to record the types of free variables during the processing of program fragments; they correspond closely to the symbol table of a compiler during the typechecking phase. The type rules are always formulated with respect to a static environment for the fragment being typechecked. For example, the has-type relation M : A is associated with a static typing environment that contains information about the free variables of M and A. The relation is written in full as M : A, meaning that M has type A in environment . The final step in formalizing a language is to define its semantics as a relation has-value between terms and a collection of results. The form of this relation depends strongly on the style of semantics that is adopted. In any case, the semantics and the type system of a language are interconnected: the types of a term and of its result should be the same (or appropriately related); this is the essence of the soundness theorem. The fundamental notions of type system are applicable to virtually all computing paradigms (functional, imperative, concurrent, etc.). Individual type rules can often be adopted unchanged for different paradigms. For example, the basic type rules for functions are the same whether the semantics are call-by-name or call-by-value or, orthogonally, functional or imperative. In this chapter we discuss type systems independently of semantics. It should be understood, however, that ultimately a type system must be related to a semantics, and that soundness should hold for those semantics. Suffice it to say that the techniques of structural operational semantics deal uniformly with a large collection of programming paradigms, and fit very well with the treatment found in this chapter.
97.1.7 Type Equivalence As mentioned above, most nontrivial type systems require the definition of a relation equal type of type equivalence. This is an important issue when defining a programming language: when are separately written type expressions equivalent? Consider, for example, two distinct type names that have been associated with similar types: type X = Bool type Y = Bool If the type names X and Y match by virtue of being associated with similar types, we have structural equivalence. If they fail to match by virtue of being distinct type names (without looking at the associated types), we have by-name equivalence. In practice, a mixture of structural and by-name equivalence is used in most languages. Pure structural equivalence can be easily and precisely defined by means of type rules, while by-name equivalence is more difficult to pin down, and often has an algorithmic flavor. Structural equivalence has unique advantages when typed data must be stored or transmitted over a network; in contrast, by-name equivalence cannot deal easily with interacting programs that have been developed and compiled separately in time or space. We assume structural equivalence in what follows (although this issue does not arise often). Satisfactory emulation of by-name equivalence can be obtained within structural equivalence, as demonstrated by the Modula-3 branding mechanism. © 2004 by Taylor & Francis Group, LLC
97.2 The Language of Type Systems A type system specifies the type rules of a programming language independently of particular typechecking algorithms. This is analogous to describing the syntax of a programming language by a formal grammar, independently of particular parsing algorithms. It is both convenient and useful to decouple type systems from typechecking algorithms: type systems belong to language definitions, while algorithms belong to compilers. It is easier to explain the typing aspects of a language by a type system, rather than by the algorithm used by a given compiler. Moreover, different compilers may use different typechecking algorithms for the same type system. As a minor problem, it is technically possible to define type systems that admit only unfeasible typechecking algorithms, or no algorithms at all. The usual intent, however, is to allow for efficient typechecking algorithms.
97.2.1 Judgments Type systems are described by a particular formalism, which we now introduce. The description of a type system starts with the description of a collection of formal utterances called judgments. A typical judgment has the form: J
where J is an assertion; the free variables of J are declared in .
We say that entails J. Here, is a static typing environment; for example, an ordered list of distinct variables and their types, of the form ∅, x1 : A1 , . . . , xn : An . The empty environment is denoted by ∅, and the collection of variables x1 · · · xn declared in is indicated by dom(), the domain of . The form of the assertion J varies from judgment to judgment, but all the free variables of J must be declared in . The most important judgment, for our present purposes, is the typing judgment, which asserts that a term M has a type A with respect to a static typing environment for the free variables of M. It has the form: M:A
M has type A in
Examples. ∅ true : Bool
true has type Bool
∅, x : Nat x + 1 : Nat
x + 1 has type Nat, provided that x has type Nat
Other judgment forms are often necessary; a common one asserts simply that an environment is well formed:
is well-formed (i.e., it has been properly constructed)
Any given judgment can be regarded as valid (e.g., true : Bool) or invalid (e.g., true : Nat). Validity formalizes the notion of well-typed programs. The distinction between valid and invalid judgments could be expressed in a number of ways; however, a highly stylized way of presenting the set of valid judgments has emerged. This presentation style, based on type rules, facilitates stating and proving technical lemmas and theorems about type systems. Moreover, type rules are highly modular: rules for different constructs can be written separately (in contrast to a monolithic typechecking algorithm). Therefore, type rules are comparatively easy to read and understand. 97.2.1.1 Type Rules Type rules assert the validity of certain judgments on the basis of other judgments that are already known to be valid. The process gets off the ground by some intrinsically valid judgment (usually: ∅ , stating that the empty environment is well formed). © 2004 by Taylor & Francis Group, LLC
The general form of a type rule is: (Rule name) (Annotations) 1 J1 . . . n Jn (Annotations) J Each type rule is written as a number of premise judgments i Ji above a horizontal line, with a single conclusion judgment J below the line. When all the premises are satisfied, the conclusion must hold; the number of premises may be zero. Each rule has a name. (By convention, the first word of the name is determined by the conclusion judgment; for example, rule names of the form “(Val . . .)” are for rules whose conclusion is a value typing judgment.) When needed, conditions restricting the applicability of a rule, as well as abbreviations used within the rule, are annotated next to the rule name or the premises. For example, the first of the following two rules states that any numeral is an expression of type Nat, in any well-formed environment . The second rule states that two expressions M and N denoting natural numbers can be combined into a larger expression M + N, which also denotes a natural number. Moreover, the environment for M and N, which declares the types of any free variable of M and N, carries over to M + N. (Val n) (n = 0, 1, . . .) n : Nat
(Val +) M : Nat N : Nat M + N : Nat
A fundamental rule states that the empty environment is well formed, with no assumptions: (Env ∅) ∅ A collection of type rules is called a (formal) type system. Technically, type systems fit into the general framework of formal proof systems: collections of rules used to carry out step-by-step deductions. The deductions carried out in type systems concern the typing of programs. 97.2.1.2 Type Derivations A derivation in a given type system is a tree of judgments with leaves at the top and a root at the bottom, where each judgment is obtained from the ones immediately above it by some rule of the system. A fundamental requirement on type systems is that it must be possible to check whether or not a derivation is properly constructed. A valid judgment is one that can be obtained as the root of a derivation in a given type system. That is, a valid judgment is one that can be obtained by correctly applying the type rules. For example, using the three rules given previously, we can build the following derivation, which establishes that ∅ 1 + 2 : Nat is a valid judgment. The rule applied at each step is displayed to the right of each conclusion:
∅
by (Env ∅)
∅
by (Env ∅)
∅ 1 : Nat
by (Val n)
∅ 2 : Nat
by (Val n)
∅ 1 + 2 : Nat
© 2004 by Taylor & Francis Group, LLC
by (Val +)
97.2.2 Well Typing and Type Inference In a given type system, a term M is well typed for an environment if there is a type A such that M : A is a valid judgment; that is, if the term M can be given some type. The discovery of a derivation (and hence of a type) for a term is called the type inference problem. In the simple type system consisting of the rules (Env ∅), (Val n), and (Val +), a type can be inferred for the term 1 + 2 in the empty environment. This type is Nat, by the preceding derivation. Suppose we now add a type rule with premise and conclusion true : Bool. In the resulting type system, we cannot infer any type for the term 1 + true because there is no rule for summing a natural number with a Boolean. Because of the absence of any derivations for 1 + true, we say that 1 + true is not typeable, or that it is ill typed, or that it has a typing error. We could further add a type rule with premises M : Nat and N : Bool, and with conclusion M + N : Nat (e.g., with the intent of interpreting true as 1). In such a type system, a type could be inferred for the term 1 + true, which would now be well typed. Thus, the type inference problem for a given term is very sensitive to the type system in question. An algorithm for type inference may be very easy, very difficult, or impossible to find, depending on the type system. If found, the best algorithm may be very efficient, or hopelessly slow. Although type systems are expressed and often designed in the abstract, their practical utility depends on the availability of good type inference algorithms. The type inference problem for explicitly typed procedural languages such as Pascal is fairly easily solved; we treat it in Section 97.8. The type inference problem for implicitly typed languages such as ML is much more subtle, and we do not treat it here. The basic algorithm is well understood (several descriptions of it appear in the literature) and is widely used. However, the versions of the algorithm that are used in practice are complex and are still being investigated. The type inference problem becomes particularly difficult in the presence of polymorphism (discussed in Section 97.5). The type inference problems for the explicitly typed polymorphic features of Ada, CLU, and Standard ML are treatable in practice. However, these problems are typically solved by algorithms, without first describing the associated type systems. The purest and most general type system for polymorphism is embodied by a -calculus discussed in Section 97.5. The type inference algorithm for this polymorphic -calculus is fairly easy, and we present it in Section 97.8. The simplicity of the solution, however, depends on impractically verbose typing annotations. To make this general polymorphism practical, some type information must be omitted. Such type inference problems are still an area of active research.
97.2.3 Type Soundness We have now established all of the general notions concerning type systems, and we can begin examining particular type systems. Starting in Section 97.3, we review some very powerful but rather theoretical type systems. The idea is that by first understanding these few systems, it becomes easier to write the type rules for the varied and complex features that one may encounter in programming languages. When immersing ourselves in type rules, we should keep in mind that a sensible type system is more than just an arbitrary collection of rules. Well typing is meant to correspond to a semantic notion of good program behavior. It is customary to check the internal consistency of a type system by proving a type soundness theorem. This is where type systems meet semantics. For denotational semantics we expect that if ∅ M : A is valid, then [[M]] ∈ [[A]] holds (the value of M belongs to the set of values denoted by the type A); and for operational semantics, we expect that if ∅ M : A and M reduces to M , then ∅ M : A. In both cases, the type soundness theorem asserts that well-typed programs compute without execution errors. See Gunter [1992] and Wright and Felleisen [1994] for surveys of techniques, as well as state-of-the-art soundness proofs.
© 2004 by Taylor & Francis Group, LLC
97.3 First-Order Type Systems The type systems found in most common procedural languages are called first order. In type-theoretical jargon, this means that they lack type parameterization and type abstraction, which are second-order features. First-order type systems include (rather confusingly) higher-order functions. Pascal and Algol68 have rich first-order type systems, whereas FORTRAN and Algol60 have very poor ones. A minimal first-order type system can be given for the untyped -calculus, where the untyped abstraction x.M represents a function of parameter x and result M. Typing for this calculus requires only function types and some base types; we will see later how to add other common type structures. The first-order typed -calculus is called system F1 . The main change from the untyped -calculus is the addition of type annotations for -abstractions, using the syntax x : A.M, where x is the function parameter, A is its type, and M is the body of the function. (In a typed programming language we would likely include the type of the result, but this is not necessary here.) The step from x.M to x : A.M is typical of any progression from an untyped to a typed language: bound variables acquire type annotations. Because F1 is based mainly on function values, the most interesting types are function types: A → B is the type of functions with arguments of type A and results of type B. To get started, however, we also need some basic types over which to build function types. We indicate by Basic a collection of such types, and by K ∈ Basic any such type. At this point, basic types are purely a technical necessity, but shortly we consider interesting basic types such as Bool and Nat. The syntax of F1 is given in Table 97.2. It is important to comment briefly on the role of syntax in typed languages. In the case of the untyped -calculus, the context-free syntax describes exactly the legal programs. This is not the case in typed calculi, because good behavior is not (usually) a contextfree property. The task of describing the legal programs is taken over by the type system. For example, x : K .x(y) respects the syntax of F1 given in Table 97.2, but is not a program of F1 because it is not well typed, since K is not a function type. The context-free syntax is still needed, but only in order to define the notions of free and bound variables; that is, to define the scoping rules of the language. Based on the scoping rules, terms that differ only in their bound variables, such as x : K .x and y : K .y, are considered syntactically identical. This convenient identification is implicitly assumed in the type rules (one may have to rename bound variables in order to apply certain type rules). The definition of free variables for F1 is the same as for the untyped -calculus, simply ignoring the typing annotations. We need only three simple judgments for F1 ; they are shown in Table 97.3. The judgment A is in a sense redundant, since all syntactically correct types A are automatically well formed in any environment . In second-order systems, however, the well formedness of types is not captured by grammar alone, and the
TABLE 97.2 A, B ::= K A→B
Syntax of F1 K ∈ Basic
M, N ::= x x : A.M MN
TABLE 97.3 A M:A
© 2004 by Taylor & Francis Group, LLC
Types basic types function types Terms variable function application
Judgments for F1 is a well-formed environment A is a well-formed type in M is a well-formed term of type A in
TABLE 97.4
Type Rules for F1
(Env ∅) ∅
(Env x) A x ∈ dom() , x : A
(Type Const) K ∈ Basic K
(Type Arrow) A B A→B
(Val x) , x : A,
, x : A,
x : A
(Val Fun) , x : A M : B x : A.M : A → B
TABLE 97.5 ∅ ∅K
(Val Appl) M: A→B N:A MN:B
A Derivation in F1
by (Env ∅) by (Type Const) ∅K →K ∅, y : K → K ∅, y : K → K K ∅, y : K → K , z : K ∅, y : K → K , z : K y : K → K
∅ ∅K
by (Env ∅) ∅ by (Type Const) ∅ K by (Type Arrow) by (Env x) by (Type Const) by (Env x) by (Val) ∅, y : K → K , z : K y(z) : K ∅, y : K → K z : K .y(z) : K → K
by (Env ∅) by (Type Const) ∅K →K ∅, y : K → K ∅, y : K → K K ∅, y : K → K , z : K ∅, y : K → K , z : K z : K
∅ ∅K
by (Env ∅) by (Type Const) by (Type Arrow) by (Env x) by (Type Const) by (Env x) by (Val x) by (Val Appl) by (Val Fun)
judgment A becomes essential. It is convenient to adopt this judgment now, so that later extensions are easier. Validity for these judgments is defined by the rules in Table 97.4. The rule (Env ∅) is the only one that does not require assumptions (i.e., it is the only axiom). It states that the empty environment is a valid environment. The rule (Env x) is used to extend an environment to a longer environment , x : A, provided that A is a valid type in . Note that the assumption A implies, inductively, that is valid. That is, in the process of deriving A, we must have derived . Another requirement of this rule is that the variable x must not be defined in . We are careful to keep variables distinct in environments, so that when , x : A M : B has been derived, as in the assumption of (Val Fun), we know that x cannot occur in dom(). The rules (Type Const) and (Type Arrow) construct types. The rule (Val x) extracts an assumption from an environment: we use the notation , x : A,
, rather informally, to indicate that x : A occurs somewhere in the environment. The rule (Val Fun) gives the type A → B to a function, provided that the function body receives the type B under the assumption that the formal parameter has type A. Note how the environment changes length in this rule. The rule (Val Appl) applies a function to an argument: the same type A must appear twice when verifying the premises. Table 97.5 shows a rather large derivation where all of the rules of F1 are used. Now that we have examined the basic structure of a simple first-order type system, we can begin enriching it to bring it closer to the type structure of actual programming languages. We are going to add a set of rules for each new type construction, following a fairly regular pattern. We begin with some basic data types: the type Unit, whose only value is the constant unit ; the type Bool, whose values are true and false; and the type Nat, whose values are the natural numbers. The Unit type is often used as a filler for uninteresting arguments and results; it is called Void or Null in some languages. There are no operations on Unit, so we need only a rule stating that Unit is a legal type, and one stating that unit is a legal value of type Unit (Table 97.6). We have a similar pattern of rules for Bool, but Booleans also have a useful operation, the conditional, that has its own typing rule (Table 97.7). In the rule (Val Cond), the two branches of the conditional must have the same type A, because either may produce the result. © 2004 by Taylor & Francis Group, LLC
TABLE 97.6
Unit Type
(Type Unit) Unit
TABLE 97.7
(Val Unit) unit : Unit
Bool Type
(Type Bool) Bool
(Val True) true : Bool
(Val False) false : Bool
(Val Cond) M : Bool N1 : A N2 : A (if A M then N1 else N2 ) : A
TABLE 97.8
Nat Type
(Type Nat) Nat (Val Pred) M : Nat pred M : Nat
(Val Zero) 0 : Nat
(Val Succ) M : Nat succ M : Nat (Val IsZero) M : Nat isZero M : Bool
The rule (Val Cond) illustrates a subtle issue about the amount of type information needed for typechecking. When encountering a conditional expression, a typechecker has to infer separately the types of N1 and N2 , and then find a single type A that is compatible with both. In some type systems it might not be easy or possible to determine this single type from the types of N1 and N2 . To account for this potential typechecking difficulty, we use a subscripted type to express additional type information: if A is a hint to the typechecker that the result type should be A, and that types inferred for N1 and N2 should be separately compared with the given A. In general, we use subscripted types to indicate information that may be useful or necessary for typechecking, depending on the whole type system under consideration. It is often the task of a typechecker to synthesize this additional information. When it is possible to do so, subscripts may be omitted. (Most common languages do not require the annotation if A .) The type of natural numbers, Nat (Table 97.8), has 0 and succ (successor) as generators. Alternatively, as we did earlier, a single rule could state that all numeric constants have type Nat. Computations on Nat are made possible by the pred (predecessor) and isZero (test for zero) primitives; other sets of primitives can be chosen. Now that we have a collection of basic types, we can begin looking at structured types, starting with product types (Table 97.9). A product type A1 × A2 is the type of pairs of values with first component of type A1 and second component of type A2 . These components can be extracted with the projections first and second, respectively. Instead of (or in addition to) the projections, one can use a with statement that decomposes a pair M and binds its components to two separate variables x1 and x2 in the scope N. The with notation is related to pattern matching in ML, but also to Pascal’s with; the connection with the latter will become clearer when we consider record types. Product types can be easily generalized to tuple types A1 × · · · × An , with corresponding generalized projections and generalized with. Union types (Table 97.10) are often overlooked, but are just as important as product types for expressiveness. An element of a union type A1 + A2 can be thought of as an element of A1 tagged with a left © 2004 by Taylor & Francis Group, LLC
TABLE 97.9
Product Types
(Type Product) A1 A2 A1 × A2
(Val Pair) M1 : A1 M2 : A2 M1 , M2 : A1 × A2
(Val First) M : A1 × A2 first M : A1
(Val Second) M : A1 × A2 second M : A2
(Val With) M : A1 × A2 , x1 : A1 , x2 : A2 N : B (with (x1 : A1 , x2 : A2 ) := M do N) : B
TABLE 97.10
Union Types
(Type Union) A1 A2 A1 + A2
(Val inLeft) M1 : A1 A2 inLeft A2 M1 : A1 + A2
(Val isLeft) M : A1 + A2 isLeft M : Bool
(Val isRight) M : A1 + A2 isRight M : Bool
(Val asLeft) M : A1 + A2 asLeft M : A1
(Val asRight) M : A1 + A2 asRight M : A2
(Val inRight) A1 M2 : A2 inRight A1 M2 : A1 + A2
(Val Case) M : A1 + A2 , x1 : A1 N1 : B , x2 : A2 N2 : B (case B M of x1 : A1 then N1 | x2 : A2 then N2 ) : B
token (created by inLeft), or an element of A2 tagged with a right token (created by inRight). The tags can be tested by isLeft and isRight, and the corresponding value extracted with asLeft and asRight. If asLeft is mistakenly applied to a right-tagged value, a trapped error or exception is produced; this trapped error is not considered a forbidden error. Note that it is safe to assume that any result of asLeft has type A1 , because either the argument is left tagged, in which case the result is indeed of type A1 , or it is right tagged, in which case there is no result. Subscripts are used to disambiguate some of the rules, as we discussed in the case of the conditional. The rule (Val Case) describes an elegant construct that can replace isLeft, isRight, asLeft, asRight, and the related trapped errors. (It also eliminates any dependence of union operations on the Bool type). The case construct executes one of two branches, depending on the tag of M, with the untagged contents of M bound to x1 or x2 in the scope of N1 or N2 , respectively. A vertical bar separates the branches. In terms of expressiveness (if not of implementation), note that the type Bool can be defined as Unit + Unit, in which case the case construct reduces to the conditional. The type Int can be defined as Nat + Nat, with one copy of Nat for the nonnegative integers and the other for the negative ones. We can define a prototypical trapped error as error A = asRight (inLeft A (unit )) : A. Thus, we can build an error expression for each type. Product types and union types can be iterated to produce tuple types and multiple unions. However, these derived types are rather inconvenient, and are rarely seen in languages. Instead, labeled products and unions are used: they go under the names of record types and variant types, respectively. A record type is the familiar named collection of types, with a value-level operation for extracting components by name. The rules in Table 97.11 assume the syntactic identification of record types and records up to reordering of their labeled components; this is analogous to the syntactic identification of functions up to renaming of bound variables. © 2004 by Taylor & Francis Group, LLC
TABLE 97.11
Record Types
(Type Record) (l i distinct) A1 · · · An Record(l 1 : A1 , . . . , l n : An )
(Val Record) (l i distinct) M1 : A1 · · · Mn : An record(l 1 = M1 , . . . , l n = Mn ) : Record(l 1 : A1 , . . . , l n : An )
(Val Record Select) M : Record(l 1 : A1 , . . . , l n : An ) M.l j : A j
j ∈ 1..n
(Val Record With) M : Record(l 1 : A1 , . . . , l n : An ) , x1 : A1 , . . . , xn : An N : B (with(l 1 = x1 : A1 , . . . , l n = xn : An ) := M do N) : B
TABLE 97.12
Variant Types
(Type Variant) (l i distinct) A1 · · · An Variant(l 1 : A1 , . . . , l n : An )
(Val Variant) (l i distinct) A1 · · · An M j : A j j ∈ 1 . . n variant(l 1 :A1 ,...,l n :An ) (l j = M j ) : Variant(l 1 : A1 , . . . , l n : An )
(Val Variant Is) M : Variant(l 1 : A1 , . . . , l n : An ) M is l j : Bool
j ∈ 1..n
(Val Variant As) M : Variant(l 1 : A1 , . . . , l n : An ) M as l j : A j
j ∈ 1..n
(Val Variant Case) M : Variant(l 1 : A1 , . . . , l n : An ) , x1 : A1 N1 : B · · · , xn : An Nn : B (case B M of l 1 = x1 : A1 then N1 | · · · | l n = xn : An then Nn ) : B
TABLE 97.13
Reference Types
(Type Ref) A Ref A
(Val Ref) M:A ref M : Ref A
(Val Deref) M : Ref A deref M : A
(Val Assign) M : Ref A N : A M := N : Unit
The with statement of product types is generalized to record types in (Val Record With). The components of the record M labeled l 1 , . . . , l n are bound to the variables x1 , . . . , xn in the scope of N. Pascal has a similar construct, also called with, but where the binding variables are left implicit. (This has the rather unfortunate consequence of making scoping depend on typechecking, and of causing hard-to-trace bugs due to hidden variable clashes.) Product types A1 × A2 can be defined as Record (first : A1 , second : A2 ). Variant types (Table 97.12) are named disjoint unions of types; they are syntactically identified up to reordering of components. The is l construct generalizes isLeft and isRight, and the as l construct generalizes asLeft and asRight. As with unions, these constructs may be replaced by a case statement, which now has multiple branches. Union types A1 + A2 can be defined as Variant(left : A1 , right : A2 ). Enumeration types, such as {red, green, blue}, can be defined as Variant(red : Unit, green : Unit, blue : Unit). Reference types (Table 97.13) can be used as the fundamental type of mutable locations in imperative languages. An element of Ref (A) is a mutable cell containing an element of type A. A new cell can be © 2004 by Taylor & Francis Group, LLC
TABLE 97.14
An Implementation of Arrays
Array(A) Nat × (Nat → Ref(A))
Array type a bound plus a map from indices less than the bound to refs
array A (N, M) let cell0 : Ref(A) = ref(M) and . . . and cell N−1 : Ref(A) = ref(M) inN, x : Nat.if x = 0 then cell0 else if . . . else if x = N − 1 then cell N−1 else errorRef(A)
Array constructor (for N refs initialized to M)
bound(M) first M
Array bound
M[N] A if N < first M then deref ((second M)(N)) else error A
Array indexing
M[N] := P if N < first M then ((second M)(N)) := P else errorUnit
Array update
TABLE 97.15
Array Types (Derived Rule)
(Type Array) A Array(A) (Val Array) N : Nat M : A array(N, M) : Array(A)
(Val Array Bound) M : Array(A) bound M : Nat
(Val Array Index) N : Nat M : Array(A) M[N] : A
(Val Array Update) N : Nat M : Array(A) P : A M[N] := P : Unit
allocated by (Val Ref), updated by (Val Assign), and explicitly dereferenced by (Val Deref). Because the main purpose of an assignment is to perform a side effect, its resulting value is chosen to be unit. Common mutable types can be derived from Ref. Mutable record types, for example, can be modeled as record types containing Ref types. More interestingly, arrays and array operations can be modeled as in Table 97.14, where Array(A) is the type of arrays of elements of type A of some length. (The code uses some arithmetic primitives and local let declarations.) The code in Table 97.14 is, of course, an inefficient implementation of arrays, but it illustrates a point: the type rules for more complex constructions can be derived from the type rule for simpler constructions. The typing rules for array operations shown in Table 97.15 can be easily derived from Table 97.14, according to the rules for products, functions, and refs. In most programming language, types can be defined recursively. Recursive types are important because they make all of the other type constructions more useful. They are often introduced implicitly, or without precise explanation, and their characteristics are rather subtle. Hence, their formalization deserves particular care. The treatment of recursive types requires a rather fundamental addition to F1 : environments are extended to include type variables X. These type variables are used in recursive types of the form X.A (Table 97.16), which intuitively denote solutions to recursive equations of the form X = A where X may occur in A. The operations unfold and fold are explicit coercions that map between a recursive type X.A and its © 2004 by Taylor & Francis Group, LLC
TABLE 97.16
Recursive Types
(Env X) X ∈ dom() , X
(Type Rec) , X A X.A
(Val Fold) M : [X.A/ X]A foldX.A M : X.A
(Val Unfold) M : X.A unfoldX.A M : [X.A/ X]A
TABLE 97.17
List Types
X.Unit + (A × X) fold(inLeft unit) cons A : A → List A → List A hd : A.tl : List A .fold(inRighthd, tl ) listCase A,B : List A → B → (A × List A → B) → B
List A
nil A : List A
l : List A .n : B.c : A × List A → B. case (unfold l ) of unit : Unit then n | p : A × List A then c p
TABLE 97.18 ⊥A: A
Encoding of Divergence and Recursion via Recursive Types
(x : B. (unfold B x) x) (fold B (x : B. (unfold B x) x))
Y A : (A → A) → A f : A → A. (x : B. f ((unfold B x) x)) (fold B (x : B. f ((unfold B x) x))) where B ≡ X.X → A, for an arbitrary A
TABLE 97.19
Encoding the Untyped -Calculus via Recursive Types
V X.X → X x x x.M foldV (x : V. M) M N (unfoldV M N
the type of untyped -terms translation - from untyped -terms to V elements
unfolding [X.A/ X]A (where [B/ X]A is the substitution of B for all free occurrences of X in A), and vice versa. These coercions do not have any run time effect (in the sense that unfold(fold(M)) = M and fold(unfold(M )) = M ). They are usually omitted from the syntax of practical programming languages, but their existence makes formal treatment easier. A standard application of recursive types is in defining types of lists and trees, in conjunction with products and union types. The type List A of lists of elements of type A is defined in Table 97.17, together with the list constructors nil and cons, and the list analyzer listCase. Recursive types can be used together with record and variant types to define complex tree structures such as abstract syntax trees. The case and with statements can then be used to analyze these trees conveniently. When used in conjunction with function types, recursive types are surprisingly expressive. Via clever encodings, one can show that recursion at the value level is already implicit in recursive types: there is no need to introduce recursion as a separate construct. Moreover, in the presence of recursive types, untyped programming can be carried out within typed languages. More precisely, Table 97.18 shows how to define, for any type A, a divergent element ⊥ A of that type, and a fixpoint operator Y A for that type. Table 97.19 shows how to encode the untyped -calculus within typed calculi. (These encodings are for call-by-name; they take slightly different forms in call-by-value.) Type equivalence becomes particularly interesting in the presence of recursive types. We have sidestepped several problems here by not dealing with type definitions, by requiring explicit fold–unfold coercions © 2004 by Taylor & Francis Group, LLC
between a recursive type and its unfolding, and by not assuming any identifications between recursive types except for renaming of bound variables. In the current formulation we do not need to define a formal judgment for type equivalence: two recursive types are equivalent simply if they are structurally identical (up to renaming of bound variables). This simplified approach can be extended to include type definitions and type equivalence up to unfolding of recursive types [Amadio and Cardelli 1993].
97.4 First-Order Type Systems for Imperative Languages Imperative languages have a slightly different style of type systems, mostly because they distinguish commands, which do not produce values, from expressions, which do produce values. (It is quite possible to reduce commands to expressions by giving them type Unit, but we prefer to remain faithful to the natural distinction.) As an example of a type system for an imperative language, we consider the untyped imperative language summarized in Table 97.20. This language permits us to study type rules for declarations, which we have not considered so far. The treatment of procedures and data types is very rudimentary in this language, but the rules for functions and data described in Section 97.3 can be easily adapted. The meaning of the features of the imperative language should be self-evident. The judgments for our imperative language are listed in Table 97.21. The judgments C and E : A correspond to the single judgment M : A of F1 , since we now have a distinction between commands . C and expressions E . The judgment D . . S assigns a signature S to a declaration D; a signature is essentially the type of a declaration. In this simple language a signature consists of a single component, for example, x : Nat, and a matching declaration could be var x : Nat = 3. In general, signatures would consist of lists of such components, and would look very similar or identical to environments .
TABLE 97.20
Syntax of the Imperative Language
A ::= Bool Nat Proc
Types Boolean type natural numbers type procedure type (no arguments, no result)
D ::= proc I = C var I : A = E
Declarations procedure declaration variable declaration
C ::= I := E C1; C2 begin D in C end call I while E do C end
Commands assignment sequential composition block procedure call while loop
E ::= I N E1 + E2 E 1 not = E 2
Expressions identifier numeral sum of two numbers inequality of two numbers
TABLE 97.21
A C E :A D ... S
© 2004 by Taylor & Francis Group, LLC
Judgments for the Imperative Language is a well-formed environment A is a well-formed type in C is a well-formed command in E is a well-formed expression of type A in D is a well-formed declaration of signature S in
TABLE 97.22
Type Rules for Imperative Language
(Env ∅) ∅
(Env I ) A I ∈ dom() , I : A
(Type Bool) Bool
(Type Nat) Nat
(Decl Proc) C (proc I = C ) ... (I : Proc)
(Decl Var) E : A A ∈ {Bool, Nat} (var I : A = E ) ... (I : A)
(Comm Assign) I :A E :A I := E
(Comm Sequence) C1 C2 C1; C2
(Comm Block) D ... (I : A) , I : A C begin D in C end
(Comm Call) I : Proc call I
(Expr Identifier) 1 , I : A, 2 1 , I : A, 2 I : A
(Expr Numeral) N : Nat
(Expr Plus) E 1 : Nat E 2 : Nat E 1 + E 2 : Nat
(Expr NotEq) E 1 : Nat E 2 : Nat E 1 not= E 2 : Bool
(Type Proc) Proc
(Comm While) E : Bool C while E do C end
Table 97.22 lists the type rules for the imperative language. The rules (Env . . .), (Type . . .), and (Expr . . .) are straightforward variations on the rules we have seen for F1 . The rules (Decl . . .) handle the typing of declarations. The rules (Comm . . .) handle commands; notice how (Comm Block) converts a signature to a piece of an environment when checking the body of a block.
97.5 Second-Order Type Systems Many modern languages include constructs for type parameters, type abstraction, or both. Type parameters can be found in the module system of several languages, where a generic module, class, or interface is parameterized by a type to be supplied later. Planned extensions of Java and C# use type parameters at the class and interface level. (C++ templates are similar to type parameters, but are actually a form of macro-expansion, with very different properties.) Polymorphic languages such as ML and Haskell use type parameters more pervasively, at the function level. Type abstraction can be found in conjunction with modules, in the form of opaque types in interfaces, as in Modula-2 and Modula-3. Languages such as CLU use type abstraction at the data level to obtain abstract data types. These advanced features can be modeled by so-called second-order type systems. Second-order type systems extend first-order type systems with the notion of type parameters. A new kind of term, written X.M, indicates a program M that is parameterized with respect to a type variable X that stands for an arbitrary type. For example, the identity function for a fixed type A, written x : A.x, can be turned into a parametric identity function by abstracting over A and writing id X.x : X.x. One can then instantiate such a parametric function to any given type A by a type instantiation, written id A, which produces back x : A.x. Corresponding to the new terms X.M we need new universally quantified types. The type of a term such as X.M is written ∀X.A, meaning that forall X, the body M has type A (here, M and A may contain occurrences of X). For example, the type of the parametric identity is id : ∀X.X → X. © 2004 by Taylor & Francis Group, LLC
TABLE 97.23
Syntax of F2
A, B ::= X A→B ∀X.A
Types type variable function type universally quantified type
M, N ::= x x : A.M MN X.M MA
Terms variable function application polymorphic abstraction type instantiation
TABLE 97.24 A M:A
TABLE 97.25
Judgments for F2 is a well-formed environment A is a well-formed type in M is a well-formed term of type A in
Type Rules for F2
(Env ∅) ∅
(Env x) A x∈ / dom() , x : A
(Env X) X ∈ dom() , X
(Type X) , X,
, X,
X
(Type Arrow) A B A→B
(Type Forall) , X A ∀X.A
(Val x) , x : A,
, x : A,
x : A
(Val Fun) , x : A M : B x : A.M : A → B
(Val Appl) M: A→B N: A MN:B
(Val Fun2) , X M : A X.M : ∀X.A
(Val Appl2) M : ∀X.A B M B : [B/ X]A
The pure second-order system F2 (Table 97.23) is based exclusively on type variables, function types, and quantified types. Note that we are dropping the basic types K , because we can now use type variables as the basic case. It turns out that virtually any basic type of interest can be encoded within F2 [B¨ohm and Berarducci 1985]. Similarly, product types, sum types, existential types, and some recursive types can be encoded within F2 : polymorphism has an amazing expressive power. Thus, there is little need, technically, to deal with these type constructions directly. Free variables for F2 types and terms can be defined in the usual fashion; suffice it to say that ∀X.A binds X in A and X.M binds X in M. An interesting aspect of F2 is the substitution of a type for a type variable that is carried out in the type rule for type instantiation, (Val Appl2). The judgments for F2 (Table 97.24) are the same ones as for F1 , but the environments are richer. With respect to F1 , the new rules (Table 97.25) are: (Env X), which adds a type variable to the environment; (Type Forall), which constructs a quantified type ∀X.A from a type variable X and a type A where X may occur; (Val Fun2), which builds a polymorphic abstraction; and (Val Appl2), which instantiates a polymorphic abstraction to a given type, where [B/ X]A is the substitution of B for all the free occurrences of X in A. For example, if id has type ∀X.X → X and A is a type, then by (Val Appl2) we have that id A has type [A/ X](X → X) ≡ A → A. As a simple but instructive exercise, the reader may want to build the derivation for id(∀X.X → X)(id). © 2004 by Taylor & Francis Group, LLC
TABLE 97.26 (Type Exists) , X A ∃X.A
Existential Types (Val Pack) [B/ X]M : [B/ X]A (pack∃X.A X = B with M) : ∃X.A
(Val Open) M : ∃X.A , X, x : A N : B B (openB M as X, x : A in N) : B
As extensions of F2 we could adopt all the first-order constructions that we already discussed for F1 . A more interesting extension to consider is existentially quantified types, also known as type abstractions; see Table 97.26. To illustrate the use of existentials, we consider an abstract type for Booleans. As we said earlier, Booleans can be represented as the type Unit + Unit. We can now show how to hide this representation detail from a client who does not care how Booleans are implemented, but who wants to make use of true, false, and cond (conditional). We first define an interface for such a client to use, BoolInterface ∃Bool. Record(true: Bool, false: Bool, cond: ∀Y. Bool → Y → Y → Y ) This interface declares that there exists a type Bool (without revealing its identity) that supports the operations true, false, and cond of appropriate types. The conditional is parameterized with respect to its result type Y , which may vary depending on the context of usage. Next we define a particular implementation of this interface; one that represents Bool as Unit + Unit, and that implements the conditional via a case statement. The Boolean representation type and the related Boolean operations are packaged together by the pack construct: boolModule : BoolInterface packBoolInterface Bool = Unit + Unit with record( true = inLeft(unit), false = inRight(unit), cond = Y. x : Bool. y1 : Y. y2 : Y. caseY x of x1 : Unit then y1 | x2 : Unit then y2 ) Finally, a client could make use of this module by opening it, and thus getting access to an abstract name Bool for the Boolean type, and a name boolOp for the record of Boolean operations. These names are used in the next example for a simple computation that returns a natural number. (The computation following in is, essentially, if boolOp.true then 1 else 0.) openNat boolModule as Bool, boolOp : Record(true : Bool, false : Bool, cond : ∀Y.Bool → Y → Y → Y )in boolOp.cond(Nat)(boolOp.true)(1)(0) The reader should verify that these examples typecheck according to the rules previously given. Note the critical third assumption of (Val Open), which implies that the result type B cannot contain the variable X. That assumption forbids writing, for example, boolOp.true as the body of open in the preceding example, since the result type would be the variable Bool. Because of that third assumption, the abstract name of the representation type (Bool) cannot escape the scope of open, and therefore values having the representation type cannot escape either. A restriction of this kind is necessary; otherwise, the representation type might become known to clients. © 2004 by Taylor & Francis Group, LLC
97.6 Subtyping Typed object-oriented languages have particularly interesting and complex type systems. There is little consensus about what characterizes these languages, but at least one feature is almost universally present: subtyping. Subtyping captures the intuitive notion of inclusion between types, where types are seen as collections of values. An element of a type can also be considered an element of any of its supertypes, thus allowing a value (object) to be used flexibly in many different typed contexts. When considering a subtyping relation, such as the one found in object-oriented programming languages, it is customary to add a new judgment A <: B stating that A is a subtype of B (Table 97.27). The intuition is that any element of A is an element of B or, more appropriately, any program of type A is also a program of type B. One of the simplest type systems with subtyping is an extension of F1 called F1<: . The syntax of F1 is unchanged, except for the addition of a type Top that is a supertype of all types. The existing type rules are also unchanged. The subtyping judgment is independently axiomatized, and a single type rule, called subsumption, is added to connect the typing judgment to the subtyping judgment. The subsumption rule states that if a term has type A, and A is a subtype of B, then the term also has type B. That is, subtyping behaves very much like set inclusion when type membership is seen as set membership. The subtyping relation in Table 97.28 is defined as a reflexive and transitive relation with a maximal element called Top, which is therefore interpreted as the type of all well-typed terms. The subtype relation for function types says that A → B is a subtype of A → B if A is a subtype of A, and B is a subtype of B . Note that the inclusion is inverted (contravariant) for function arguments, while it goes in the same direction (covariant) for function results. Simple-minded reasoning reveals that this is the only sensible rule. A function M of type A → B accepts elements of type A; obviously, it also accepts elements of any subtype A of A. The same function M returns elements of type B; obviously, it returns elements that belong to any supertype B of B. Therefore, any function M of type A → B, by virtue of accepting arguments of type A and returning results of type B , also has type A → B . The latter is compatible with saying that A → B is a subtype of A → B . In general, we say that a type variable occurs contravariantly within another type of F1 , if it always occurs on the left of an odd number of arrows (double contravariance equals covariance). For example, X → Unit and (Unit → X) → Unit are contravariant in X, whereas Unit → X and (X → Unit) → X are covariant in X. Ad hoc subtyping rules can be added on basic types, such as Nat <: Int [Mitchell 1984]. All of the structured types we considered as extensions of F1 admit simple subtyping rules; therefore, these structured types can be added to F1<: as well (Table 97.29). Typically, we need to add a single
TABLE 97.27
TABLE 97.28
Judgments for Type Systems with Subtyping
A A <: B M:A
is a well-formed environment A is a well-formed type in A is a subtype of B in M is a well-formed term of type A in
Additional Rules for F1<:
(Sub Refl) A A <: A
(Sub Trans) A <: B B <: C A <: C
(Val Subsumption) a : A A <: B a:B
(Type Top) Top
(Sub Top) A A <: Top
(Sub Arrow) A <: A B <: B
A → B <: A → B
© 2004 by Taylor & Francis Group, LLC
TABLE 97.29
Additional Rules for Extensions of F1<:
(Sub Product) A1 <: B1 A2 <: B2 A1 × A2 <: B1 × B2
(Sub Union) A1 <: B1 A2 <: B2 A1 + A2 <: B1 + B2
(Sub Record) (l i distinct) A1 <: B1 · · · An <: Bn An+1 · · · An+m Record(l 1 : A1 , . . . , l n+m : An+m ) <: Record(l 1 : B1 , . . . , l n : Bn ) (Sub Variant) (l i distinct) A1 <: B1 · · · An <: Bn Bn+1 · · · Bn+m Variant(l 1 : A1 , . . . , l n : An ) <: Variant(l 1 : B1 , . . . , l n+m : Bn+m )
TABLE 97.30
Environments with Bounded Variables
(Env X <:) A X ∈ dom() , X <: A
TABLE 97.31
(Type X <:) , X <: A,
, X <: A,
X
(Sub X <:) , X <: A,
, X <: A,
X <: A
Subtyping Recursive Types
(Type Rec) , X <: Top A X.A
(Sub Rec) X.A Y.B , Y <: Top, X <: Y A <: B X.A <: Y.B
subtyping rule for each type constructor, taking care that the subtyping rule is sound in conjunction with subsumption. The subtyping rules for products and unions work componentwise. The subtyping rules for records and variants also operate lengthwise: a longer record type is a subtype of a shorter record type (additional fields can be forgotten by subtyping), whereas a shorter variant type is a subtype of a longer variant type (additional cases can be introduced by subtyping). For example, WorkingAge Variant(student: Unit, adult: Unit) Age Variant(child: Unit, student: Unit, adult: Unit, senior: Unit) Worker Record(name: String, age: WorkingAge, profession: String) Person Record(name: String, age: Age) Then, WorkingAge <: Age Worker <: Person Reference types do not have any subtyping rule: Ref(A) <: Ref(B) holds only if A = B (in which case Ref(A) <: Ref(B) follows from reflexivity). This strict rule is necessary because references can be both read and written, and hence behave both covariantly and contravariantly. For the same reason, array types have no additional subtyping rules. As was the case for F1 , a change to the structure of environments is necessary when considering recursive types. This time, we must add bounded variables to environments (Table 97.30). Variables bound by Top correspond to our old unconstrained variables. The soundness of the subtyping rule (Sub Rec) for recursive types (Table 97.31) is not obvious, but the intuition is fairly straightforward. To check whether X.A <: Y.B, we assume X <: Y and we check A <: B; the assumption helps us when finding matching occurrences of X and Y in A and B, as long as they are in covariant contexts. A simpler rule asserts that © 2004 by Taylor & Francis Group, LLC
TABLE 97.32
Syntax of F2<:
A, B ::= X Top A→B ∀X <: A.B
Types type variable the biggest type function type bounded universally quantified type
M, N ::= x x : A.M MN X <: A.M
Terms variable function application bounded polymorphic abstraction type instantiation
MA
TABLE 97.33
TABLE 97.34
Rules for Bounded Universal Quantifiers
(Type Forall<:) , X <: A B ∀X <: A.B
(Sub Forall<:) A <: A , X <: A B <: B
(∀X <: A.B) <: (∀X <: A .B )
(Val Fun2<:) , X <: A M : B X <: A.M : ∀X <: A.B
(Val Appl2<:) M : ∀X <: A.B A <: A M A : [A / X]B
Rules for Bounded Existential Quantifiers (Derivable)
(Type Exists<:) , X <: A B ∃X <: A.B
(Sub Exists<:) A <: A , X <: A B <: B
(∃X <: A.B) <: (∃X <: A .B )
(Val Pack<:) C <: A [C/ X]M : [C/ X]B (pack∃X<:A.B X <: A = C with M) : ∃X <: A.B
(Val Open<:) M : ∃X <: A.B D , X <: A, x : B N : D (open D M as X <: A, x : B in N) : D
X.A <: X.B whenever A <: B for any X, but this rule is unsound when X occurs in contravariant contexts (e.g., immediately on the left of an arrow). The bounded variables in environments are also the basis for the extension of F2 with subtyping, which gives a system called F2<: (Table 97.32). In this system, the term X <: A.M indicates a program M parameterized with respect to a type variable X that stands for an arbitrary subtype of A. This is a generalization of F2 , since the F2 term X.M can be represented as X <: Top.M. Corresponding to the terms X <: A.M, we have bounded type quantifiers of the form ∀X <: A.B. Scoping for F2<: types and terms is defined similarly to F2 , except that ∀X <: A.B binds X in B but not in A, and X <: A.M binds X in M but not in A. The type rules for F2<: consist of most of the type rules for F1<: (namely, (Env ∅), (Env x), (Type Top), (Type Arrow), (Sub Refl), (Sub Trans), (Sub Top), (Sub Arrow), (Val Subsumption), (Val x), (Val Fun), and (Val Appl)), plus the rules for bounded variables (namely, (Env X<:), (Type X<:), and (Sub X<:)), and the ones listed in Table 97.33 for bounded polymorphism. As for F2 , we do not need to add other type constructions to F2<: , since all of the common ones can be expressed within it (except for recursion). Moreover, it turns out that the encodings used for F2 satisfy the expected subtyping rules. For example, it is possible to encode bounded existential types so that the rules described in Table 97.34 are satisfied. The type ∃X <: A.B represents a partially abstract type, whose representation type X is not completely known, but is known to be a subtype of A. This kind of partial abstraction occurs in some languages based on subtyping (e.g., in Modula-3). © 2004 by Taylor & Francis Group, LLC
Some nontrivial work is needed to obtain encodings of record and variant types in F2<: that satisfy the expected subtyping rules, but even those can be found [Cardelli and Wegner 1985].
97.7 Equivalence For simplicity, we have avoided describing certain judgments that are necessary when type systems become complex and when one wishes to capture the semantics of programs in addition to their typing. We briefly discuss some of these judgments. A type equivalence judgment, of the form A = B, can be used when type equivalence is nontrivial and requires precise description. For example, some type systems identify a recursive type and its unfolding, in which case we would have X.A = [X.A/ X]A whenever X.A. As another example, type systems with type operators X.A (functions from types to types) have a reduction rule for operator application of the form (X.A) B = [A/ X] B. The type equivalence judgment is usually employed in a retyping rule stating that if M : A and A = B, then M : B. A term equivalence judgment determines which programs are equivalent with respect to a common type. It has the form M = N : A. For example, with appropriate rules we could determine that 2 + 1 = 3 : Int. The term equivalence judgment can be used to give typed semantics to programs: if N is an irreducible expression, then we can consider N as the resulting value of the program M.
97.8 Type Inference Type inference is the problem of finding a type for a term within a given type system, if any type exists. In the type systems we have considered earlier, programs have abundant type annotations. Thus, the type inference problem often amounts to little more than checking the mutual consistency of the annotations. The problem is not always trivial but, as in the case of F1 , simple typechecking algorithms may exist. A harder problem, called typability or type reconstruction, consists in starting with an untyped program M, and finding an environment , a type-annotated version M of M, and a type A such that A is a type for M with respect to . (A type-annotated program M is simply one that stripped of all type annotations reduces back to M.) The type reconstruction problem for the untyped -calculus is solvable within F1 by the Hindley–Milner algorithm used in ML [Milner 1978]; in addition, that algorithm has the property of producing a unique representation of all possible F1 typings of a -term. The type reconstruction problem for the untyped -calculus, however, is not solvable within F2 [Wells 1994]. Type reconstruction within systems with subtyping is still largely an open problem, although special solutions are beginning to emerge [Aiken and Wimmers 1993, Eifrig et al. 1995, Gunter and Mitchell 1994, Palsberg 1994]. We concentrate here on the type inference algorithms for some representative systems: F1 , F2 , and F2<: . The first two systems have the unique type property: if a term has a type, it has only one type. In F2<: there are no unique types, simply because the subsumption rule assigns all of the supertypes of a type to any term that has that type. However, a minimum type property holds: if a term has a collection of types, that collection has a least element in the subtype order [Curien and Ghelli 1992]. The minimum type property holds for many common extensions of F2<: and of F1<: but may fail in the presence of ad-hoc subtypings on basic types.
97.8.1 The Type Inference Problem In a given type system, given an environment and a term M, is there a type A such that M : A is valid? The following are examples: r In F , given M ≡ x : K .x and any well-formed we have that M : K → K . 1 r In F , given M ≡ x : K .y(x) and ≡ , y : K → K we have that M : K → K . 1 r In F , there is no typing for x : B.x(x), for any type B. 1
© 2004 by Taylor & Francis Group, LLC
TABLE 97.35
Type Inference Algorithm for F1
Type(, x) if x : A ∈ for some A then A else fail Type(, x : A.M) A → Type((, x : A), M) Type(, M N) if Type(, M) ≡ Type(, N) → B for some B then B else fail
TABLE 97.36 Good(, X)
Type Inference Algorithm for F2
X ∈ dom()
Good(, A → B) Good(, ∀X.A)
Good(, A) and Good(, B)
Good((, X), A)
Type(, x) if x : A ∈ for some A then A else fail Type(, x : A.M) if Good(, A) then A → Type((, x : A), M) else fail Type(, M N) if Type(, M) ≡ Type(, N) → B for some B then B else fail Type(, X.M) ∀X.Type((, X), M) Type(, M A) if Type(, M) ≡ ∀X.B for some X, B and Good(, A) then [A/ X]B else fail
r However, in F 1<: there is the typing x : Top → B.x(x) : (Top → B) → B, for any type B,
since x can also be given type Top. r Moreover, in F with recursive types, there is the typing x : B.(unfold x)(x) : B → B, for 1 B
B ≡ X.X → X, since unfold B x has type B → B.
r Finally, in F there is the typing x : B.x(B)(x) : B → B, for B ≡ ∀X.X → X, since x(B) 2
has type B → B.
(An alternative formulation of the type inference problem requires to be found, instead of given. However, in programming practice, one is interested only in type inference for programs embedded in a complete programming context, where is therefore given.) We begin with the type inference algorithm for pure F1 , given in Table 97.35. The algorithm can be extended in straightforward ways to all of the first-order type structures studied earlier. This is the basis of the typechecking algorithms used in Pascal and all similar procedural languages. The main routine Type(, M), takes an environment and a term M and produces the unique type of M, if any. The instruction fail causes a global failure of the algorithm: it indicates a typing error. In this algorithm, as in the ones that follow, we assume that the initial environment parameter is well formed so as to rule out the possibility of feeding invalid environments to internal calls. (For example, we may start with the empty environment when checking a full program.) In any case, it is easy to write a subroutine that checks the well-formedness of an environment, from the code we provide. The case for x : A.M should have a restriction requiring that x ∈ dom(), since x is used to extend . However, this restriction can be easily sidestepped by renaming, for example, by making all binders unique before running the algorithm. We omit this kind of restriction from Tables 97.35 through 97.37. © 2004 by Taylor & Francis Group, LLC
TABLE 97.37 Good(, X)
Type Inference Algorithm for F2<:
X ∈ dom()
Good(, Top)
true
Good(, A → B)
Good(, A) and Good(, B)
Good(, ∀X <: A.B) Subtype(, A, Top) Subtype(, X, X)
Good(, A) and Good((, X <: A), B)
true
true
Subtype(, X, A) if X <: B ∈ for some B then Subtype(, B, A) else false
for A = X, Top
Subtype(, A → B, A → B ) Subtype(, A , A) and Subtype(, B, B ) Subtype(, ∀X <: A.B, ∀X <: A .B ) Subtype(, A , A) and Subtype((, X <: A ), [X / X]B, B ) Subtype(, A, B)
false
Expose(, X)
if X <: A ∈ for some Athen Expose(, A) else fail
Expose(, A)
A
otherwise
otherwise
Type(, x) if x : A ∈ for some A then A else fail Type(, x : A.M) if Good(, A) then A → Type((, x : A), M) else fail Type(, M N) if Expose(, Type(, M)) ≡ A → B for some A, B and Subtype(, Type(, N), A) then B else fail Type(, X <: A.M) if Good(, A) then ∀X <: A.Type((, X <: A), M) else fail Type(, M A) if Expose(, Type(, M)) ≡ ∀X <: A .B for some X, A , B and Good(, A) and Subtype(, A, A ) then [A/ X]B else fail
As an example, let us consider the type inference problem for term z : K .y(z) in the environment ∅, y : K → K , for which we gave a full F1 derivation in Section 97.3. The algorithm proceeds as follows: Type((∅, y : K → K ), z : K .y(z)) = K → Type((∅, y : K → K , z : K ), y(z)) = K → (if Type((∅, y : K → K , z : K ), y) ≡ Type((∅, y : K → K , z : K ), z) → B for some B then B else fail) = K → (if K → K ≡ K → B for some Bthen Belse fail) (taking B ≡ K ) =K →K The type inference algorithm for F2 (Table 97.36) is not much harder than the one for F1 , but it requires a subroutine Good(, A) to verify that the types encountered in the source program are well formed. This check is necessary because types in F2 contain type variables that might be unbound. A substitution subroutine must also be used in the type instantiation case, M A. The type inference algorithm for F2<: , given in Table 97.37, is more subtle. The subroutine Subtype (, A, B) attempts to decide whether A is a subtype of B in , and is at first sight straightforward. It has been shown, however, that Subtype is only a semialgorithm: it may diverge on certain pairs A, B that are not in subtype relation. That is, the typechecker for F2<: may diverge on ill-typed programs, although © 2004 by Taylor & Francis Group, LLC
it will still converge and produce a minimum type for well-typed programs. More generally, there is no decision procedure for subtyping: the type system for F2<: is undecidable [Pierce 1992]. Several attempts have been made to cut F2<: down to a decidable subset; the simplest solution at the moment consists of requiring equal quantifiers bounds in (Sub Forall<:). In any case, the bad pairs A, B are extremely unlikely to arise in practice. The algorithm is still sound in the usual sense: if it finds a type, the program will not go wrong. The only troublesome case is in the subtyping of quantifiers; the restriction of the algorithm to F1<: is decidable and produces minimum types. F2<: provides an interesting example of the anomalies one may encounter in type inference. The type inference algorithm given in Table 97.37 is theoretically undecidable but is practically applicable. It is convergent and efficient on virtually all programs one may encounter; it diverges only on some ill-typed programs, which should be rejected anyway. Therefore, F2<: sits close to the boundary between acceptable and unacceptable type systems, according to the criteria enunciated in the introduction.
97.9 Summary and Research Issues 97.9.1 What We Learned Natural questions for a beginner programmer include the following. What is an error? What is type safety? What is type soundness? (perhaps phrased, respectively, as: Which errors will the computer tell me about? Why did my program crash? Why does the computer refuse to run my program?). The answers, even informal ones, are surprisingly intricate. We have paid particular attention to the distinction between type safety and type soundness, and we have reviewed the varieties of static checking, dynamic checking, and absence of checking for program errors in various kinds of languages. The most important lesson to remember from this chapter is the general framework for formalizing type systems. Understanding type systems, in general terms, is as fundamental as understanding BNF (Backus–Naur Form): it is hard to discuss the typing of programs without the precise language of type systems, just as it is hard to discuss the syntax of programs without the precise language of BNF. In both cases, the existence of a formalism has clear benefits for language design, compiler construction, language learning, and program understanding. We described the formalism of type systems and how it captures the notions of type soundness and type errors. Armed with formal type systems, we embarked on the description of an extensive list of program constructions and of their type rules. Many of these constructions are slightly abstracted versions of familiar features, whereas others apply only to obscure corners of common languages. In both cases, our collection of typing constructions is meant as a key for interpreting the typing features of programming languages. Such an interpretation may be nontrivial, particularly because most language definitions do not come with a type system, but we hope to have provided sufficient background for independent study. Some of the advanced type constructions will appear, we expect, more fully, cleanly, and explicitly in future languages. In the latter part of the chapter, we reviewed some fundamental type inference algorithms: for simple languages, for polymorphic languages, and for languages with subtyping. These algorithms are very simple and general, but are mostly of an illustrative nature. For a host of pragmatic reasons, type inference for real languages becomes much more complex. It is interesting, however, to be able to describe concisely the core of the type inference problem and some of its solutions.
97.9.2 Future Directions The formalization of type systems for programming languages, as described in this chapter, evolved as an application of type theory. Type theory is a branch of formal logic. It aims to replace predicate logics and set theory (which are untyped) with typed logics, as a foundation for mathematics. One of the motivations for these logical type theories, and one of their more exciting applications, lies in the mechanization of mathematics via proof checkers and theorem provers. Typing is useful in theorem provers for exactly the same reasons it is useful in programming. The mechanization of proofs reveals © 2004 by Taylor & Francis Group, LLC
striking similarities between proofs and programs: the structuring problems found in proof construction are analogous to the ones found in program construction. Many of the arguments that demonstrate the need for typed programming languages also demonstrate the need for typed logics. Comparisons between the type structures developed in type theory and in programming are, thus, very instructive. Function types, product types, (disjoint) union types, and quantified types occur in both disciplines, with similar intents. This is in contrast, for example, to structures used in set theory, such as unions and intersections of sets, and the encoding of functions as sets of pairs, that have no correspondence in the type systems of common programming languages. Beyond the simplest correspondences between type theory and programming, it turns out that the structures developed in type theory are far more expressive than the ones commonly used in programming. Therefore, type theory provides a rich environment for future progress in programming languages. Conversely, the size of systems that programmers build is vastly greater than the size of proofs that mathematicians usually handle. The management of large programs, and in particular the type structures needed to manage large programs, is relevant to the management of mechanical proofs. Certain type theories developed in programming, for example, for object-orientation and for modularization, go beyond the normal practices found in mathematics, and should have something to contribute to the mechanization of proofs. Therefore, the cross-fertilization between logic and programming will continue, within the common area of type theory. At the moment, some advanced constructions used in programming escape proper type-theoretical formalization. This could be happening either because the programming constructions are ill conceived, or because our type theories are not yet sufficiently expressive: only the future will tell. Examples of active research areas are the typing of advanced object-orientation and modularization constructs and the typing of concurrency and distribution.
Defining Terms Abstract type: A data type whose nature is kept hidden in such a way that only a predetermined collection of operations can operate on it. Contravariant: A type that varies in the inverse direction from one of its parts with respect to subtyping. The main example is the contravariance of function types in their domain. For example, assume A <: B and vary X from A to B in X → C ; we obtain A → C :> B → C . Thus, X → C varies in the inverse direction of X. Covariant: A type that varies in the same direction as one of its parts with respect to subtyping. For example, assume A <: B and vary X from A to B in D → X; we obtain D → A <: D → B. Thus, D → X varies in the same direction as X. Derivation: A tree of judgments obtained by applying the rules of a type system. Dynamic checking: A collection of runtime tests aimed at detecting and preventing forbidden errors. Dynamically checked language: A language where good behavior is enforced during execution. Explicitly typed language: A typed language where types are part of the syntax. First-order type system: One that does not include quantification over type variables. Forbidden error: The occurrence of one of a predetermined class of execution errors; typically the improper application of an operation to a value, such as not (3). Good behavior: Same as being well-behaved. Ill typed: A program fragment that does not comply with the rules of a given type system. Implicitly typed language: A typed language where types are not part of the syntax. Judgment: A formal assertion relating entities such as terms, types, and environments. Type systems prescribe how to produce valid judgments from other valid judgments. Polymorphism: The ability of a program fragment to have multiple types (opposite of monomorphism). Safe language: A language where no untrapped errors can occur. Second-order type system: One that includes quantification over type variables, either universal or existential. Static checking: A collection of compile-time tests, mostly consisting of typechecking. © 2004 by Taylor & Francis Group, LLC
Statically checked language: A language where good behavior is determined before execution. Strongly checked language: A language where no forbidden errors can occur at runtime (depending on the definition of forbidden error). Subsumption: A fundamental rule of subtyping, asserting that if a term has a type A, which is a subtype of a type B, then the term also has type B. Subtyping: A reflexive and transitive binary relation over types that satisfies subsumption; it asserts the inclusion of collections of values. Trapped error: An execution error that immediately results in a fault. Type: A collection of values. An estimate of the collection of values that a program fragment can assume during program execution. Type inference: The process of finding a type for a program within a given type system. Type reconstruction: The process of finding a type for a program where type information has been omitted, within a given type system. Type rule: A component of a type system. A rule stating the conditions under which a particular program construct will not cause forbidden errors. Type safety: The property stating that programs do not cause untrapped errors. Type soundness: The property stating that programs do not cause forbidden errors. Type system: A collection of type rules for a typed programming language. Same as static type system. Typechecker: The part of a compiler or interpreter that performs typechecking. Typechecking: The process of checking a program before execution to establish its compliance with a given type system and therefore to prevent the occurrence of forbidden errors. Typed language: A language with an associated (static) type system, whether or not types are part of the syntax. Typing error: An error reported by a typechecker to warn against possible execution errors. Untrapped error: An execution error that does not immediately result in a fault. Untyped language: A language that does not have a (static) type system, or whose type system has a single type that contains all values. Valid judgment: A judgment obtained from a derivation in a given type system. Weakly checked language: A language that is statically checked but provides no clear guarantee of absence of execution errors. Well behaved: A program fragment that will not produce forbidden errors at runtime. Well formed: Properly constructed according to formal rules. Well-typed program: A program (fragment) that complies with the rules of a given type system.
References Aiken, A. and Wimmers, E. L. 1993. Type inclusion constraints and type inference, pp. 31–41. In Proc. ACM Conf. Functional Programming Comput. Architecture. Amadio, R. M. and Cardelli, L. 1993. Subtyping recursive types. ACM Trans. Programming Lang. Syst., 15(4):575–631. Birtwistle, G. M., Dahl, O.-J., Myhrhaug, B., and Nygaard, K. 1979. Simula Begin. Studentlitteratur. B¨ohm, C. and Berarducci, A. 1985. Automatic synthesis of typed -programs on term algebras. Theor. Comput. Sci., 39:135–154. Cardelli, L. 1987. Basic polymorphic typechecking. Sci. Comput. Programming, 8(2):147–172. Cardelli, L. 1994. Extensible records in a pure calculus of subtyping. In Theoretical Aspects of ObjectOriented Programming, C. A. Gunter and J. C. Mitchell, Eds., pp. 373–425. MIT Press, Cambridge, MA. Cardelli, L. and Wegner, P. 1985. On understanding types, data abstraction and polymorphism. ACM Comput. Surv., 17(4):471–522. Curien, P.-L. and Ghelli, G. 1992. Coherence of subsumption, minimum typing and typechecking in F≤ . Math. Struct. Comput. Sci., 2(1):55–91.
© 2004 by Taylor & Francis Group, LLC
Dahl, O.-J., Dijkstra, E. W., and Hoare, C. A. R. 1972. Structured Programming. Academic Press. Eifrig, J., Smith, S., and Trifonov, V. 1995. Sound polymorphic type inference for objects, pp. 169–184. In Proc. OOPSLA ’95. Gunter, C. A. 1992. Semantics of Programming Languages: Structures and Techniques. MIT Press, Cambridge, MA. Girard, J.-Y., Lafont, Y., and Taylor, P. 1989. Proofs and Types. Cambridge University Press, Cambridge, England. Gunter, C. A. and Mitchell, J. C., Eds. 1994. Theoretical Aspects of Object-Oriented Programming. MIT Press, Cambridge, MA. Huet, G., Ed. 1990. Logical Foundations of Functional Programming. Addison-Wesley, Reading, MA. Jensen, K. 1978. Pascal User Manual and Report, 2nd ed. Springer-Verlag, New York. Liskov, B. H. 1981. CLU Reference Manual. Lecture Notes in Computer Science 114. Springer-Verlag, New York. Milner, R. 1978. A theory of type polymorphism in programming. J. Comput. Syst. Sci., 17:348–375. Milner, R., Tofte, M., and Harper, R. 1989. The Definition of Standard ML. MIT Press, Cambridge, MA. Mitchell, J. C. 1984. Coercion and type inference, pp. 175–185. In Proc. 11th Annu. ACM Symp. Principles Programming Lang. Mitchell, J. C. 1990. Type systems for programming languages. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed., pp. 365–458. North Holland, Amsterdam. Mitchell, J. C. 1996. Foundations for Programming Languages. MIT Press, Cambridge, MA. Mitchell, J. C. and Plotkin, G. D. 1985. Abstract types have existential type. In Proc. 12th Annu. ACM Symp. Principles Programming Lang., pp. 37–51. Nordstr¨om, B., Petersson, K., and Smith, J. M. 1990. Programming in Martin-L¨of ’s Type Theory. Oxford Science. Palsberg, J. 1995. Efficient inference for object types. Inf. Comput. 123(2):198–209. Pierce, B. C. 1992. Bounded quantification is undecidable. In Proc. 19th Annu. ACM Symp. Principles Programming Lang., pp. 305–315. Pierce, B. C. 2002. Types and Programming Languages. MIT Press, Cambridge, MA. Reynolds, J. C. 1974. Towards a theory of type structure. In Proc. Colloquium sur la programmation. Lecture Notes in Computer Science 19, pp. 408–423. Springer-Verlag, New York. Reynolds, J. C. 1983. Types, abstraction, and parametric polymorphism. In Information Processing, R. E. A. Mason, Ed., pp. 513–523. North Holland, Amsterdam. Schmidt, D. A. 1994. The Structure of Typed Programming Languages. MIT Press, Cambridge, MA. Spencer, H. The ten commandments for C programmers. annotated ed. (available on the World Wide Web). Tofte, M. 1990. Type inference for polymorphic references. Inf. Comput., 89:1–34. Wells, J. B. 1994. Typability and type checking in the second-order -calculus are equivalent and undecidable, pp. 176–185. In Proc. 9th Annu. IEEE Symp. Logic Comput. Sci. Wijngaarden, V., Ed. 1976. Revised Report on the Algorithmic Language Algol68. Wright, A. K. and Felleisen, M. 1994. A syntactic approach to type soundness. Inf. Comput. 115(1):38–94.
Further Information For a complete background on type systems, one should read (1) some material on type theory, which is usually rather difficult; (2) some material connecting type theory to computing; and (3) some material about programming languages with advanced type systems. The book edited by Huet [1990] covers a variety of topics in type theory, including several tutorial articles. The book edited by Gunter and Mitchell [1994] contains a collection of papers on object-oriented type theory. The book by Nordstr¨om et al. [1990] provides summary of Martin-L¨of ’s work. MartinL¨of proposed type theory as a general logic that is firmly grounded in computation. He introduced the systematic notation for judgments and type rules used in this chapter. Girard et al. [1989] and Reynolds
© 2004 by Taylor & Francis Group, LLC
[1974] developed the polymorphic -calculus (F2 ), which inspired much of the work covered in this chapter. A modern exposition of technical issues that arise from the study of type systems can be found in Pierce’s book [2002], in Gunter’s book [1992], in Mitchell’s [1990] article in the Handbook of Theoretical Computer Science, and in Mitchell’s book [1996]. Closer to programming languages, rich type systems were pioneered in the period between the development of Algol and the establishment of structured programming [Dahl et al. 1972], and were developed into a new generation of richly typed languages, including Pascal [Jansen 1978], Algol68 [Wijngaarden 1976], Simula [Birtwistle et al. 1979], CLU [Liskov 1981], and ML [Milner et al. 1989]. Reynolds gave type theoretical explanations for polymorphism and data abstraction [Reynolds 1974, Reynolds 1983]. (On that topic, see also Cardelli and Wegner [1985] and Mitchell and Plotkin [1985].) The book by Schmidt [1994] covers several issues discussed in this chapter, and provides more details on common language constructions. Milner’s article on type inference for ML [Milner 1978] brought the study of type systems and type inference to a new level. It includes an algorithm for polymorphic type inference, and the first proof of type soundness for a (simplified) programming language, based on a denotational technique. A more accessible exposition of the algorithm described in that article can be found in Cardelli [1987]. Proofs of type soundness are now often based on operational techniques [Tofte 1990, Wright and Felleisen 1994]. Currently, Standard ML is the only widely used programming language with a formally specified type system [Milner et al. 1989], although similar work has now been carried out for large fragments of Java.
© 2004 by Taylor & Francis Group, LLC
98 Programming Language Semantics 98.1 98.2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98-1 A Survey of Semantics Methods . . . . . . . . . . . . . . . . . . . . . 98-2
Operational Semantics • Denotational Semantics • Natural Semantics • Axiomatic Semantics
98.3
Semantics of Programming Languages . . . . . . . . . . . . . . . 98-6 Language Syntax and Informal Semantics • Domains for Denotational Semantics • Denotational Semantics of Programs • Semantics of the While-Loop • Action Semantics • The Natural Semantics of the Language • The Operational Semantics of the Language • An Axiomatic Semantics of the Language
David A. Schmidt Kansas State University
98.4 98.5
Applications of Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 98-14 Research Issues in Semantics. . . . . . . . . . . . . . . . . . . . . . . . . 98-15
98.1 Introduction A programming language possesses two fundamental features: syntax and semantics. Syntax refers to the appearance of the well-formed programs of the language, and semantics refers to the meanings of these programs. A language’s syntax can be formalized by a grammar or syntax chart; such a formalization is found in the back of almost every language manual. A language’s semantics should be formalized as well, so that it can appear in the language manual, too. This is the topic of this chapter. It is traditional for computer scientists to calculate the semantics of a program by using a test-case input and tracing the program’s execution with a state table and flowchart. This is one form of semantics, called operational semantics, but there are other forms of semantics that are not tied to test cases and traces; we will study several such approaches. Before we begin, we might ask: What do we gain by formalizing the semantics of a programming language? Before we answer, we might consider the related question: What was gained when language syntax was formalized? The formalization of syntax, via Backus–Naur Form (BNF) rules, produced the following benefits: r The syntax definition standardizes the official syntax of the language. This is crucial to users, who
require a guide to writing syntactically correct programs, and to implementors, who must write a correct parser for the language’s compiler. r The syntax definition permits a formal analysis of its properties, such as whether the definition is LL(k), LR(k), or ambiguous.
© 2004 by Taylor & Francis Group, LLC
r The syntax definition can be used as input to a compiler front-end generating tool, such as YACC or
Bison. In this way, the syntax definition is also the implementation of the front end of the language’s compiler. There are similar benefits to providing a formal semantics definition of a programming language: r The semantics definition standardizes the official semantics of the language. This is crucial to users,
who require a guide to understanding the programs that they write, and to implementors, who must write a correct code generator for the language’s compiler. r The semantics definition permits a formal analysis of the language’s properties, such as whether the language is strongly typed, is stack- or heap-allocated, or is single- or multi-threaded. r The semantics definition can be used as input to a compiler back-end generating tool, such as the Semantics Implementation System (SIS) [Mosses 1976]. In this way, the semantics definition is also the implementation of the back end of the language’s compiler. Programming language syntax was studied intensively in the 1960s and 1970s, and presently programming language semantics is undergoing similar intensive study. Unlike the acceptance of BNF as a standard definition method for syntax, it is unlikely that a single definition method will take hold for semantics — semantics is more difficult to formalize than syntax, and it has a wider variety of applications. Semantics definition methods fall roughly into three groups: 1. Operational. The meaning of a well-formed program is the trace of computation steps that results from processing the program’s input. Operational semantics is also called intensional semantics because the sequence of internal computation steps (the intension) is most important. For example, two differently coded programs that both compute the factorial function have different operational semantics. 2. Denotational. The meaning of a well-formed program is a mathematical function from input data to output data. The steps taken to calculate the output are unimportant; it is the relation of input to output that matters. Denotational semantics is also called extensional semantics because only the extension — the visible relation between input and output — matters. Thus, two differently coded versions of factorial have nonetheless the same denotational semantics. 3. Axiomatic. A meaning of a well-formed program is a logical proposition (a specification) that states some property about the input and output. For example, the proposition ∀x. x ≥ 0 ⊃ ∃y. y = x! is an axiomatic semantics of a factorial program.
98.2 A Survey of Semantics Methods We survey the three semantics methods by applying each of them in turn to the world’s oldest and simplest programming language, arithmetic. The syntax of our arithmetic language is: E ::= N | E1 + E2 where N stands for the set of numerals {0, 1, 2, . . .}. Although this language has no notion of input data and output data, it does require computation, so it is useful for initial case studies.
98.2.1 Operational Semantics There are several versions of operational semantics for arithmetic. The one that you learned as a child is called a term rewriting system. A term rewriting system uses rewriting rule schemes to generate computation steps. There is just one rewriting rule scheme for arithmetic: N1 + N2 ⇒ N © 2004 by Taylor & Francis Group, LLC
where N is the sum of the numerals N1 and N2 . This rule scheme states that the addition of two numerals is a computation step. One use of the scheme would be to rewrite 1 + 2 to 3; that is, 1 + 2 ⇒ 3. An operational semantics of a program is the sequence of computation steps generated by the rewriting rule schemes. For example, the operational semantics of the program (1 + 2) + (4 + 5) goes as follows: (1 + 2) + (4 + 5) ⇒ 3 + (4 + 5) ⇒ 3 + 9 ⇒ 12 The semantics shows the three computation steps that led to the answer 12. An intermediate expression such as 3 + (4 + 5) is a state, and so this operational semantics is a trace of the states of the computation. Perhaps you noticed that another legal semantics for the example is (1 + 2) + (4 + 5) ⇒ (1 + 2) + 9 ⇒ 3 + 9 ⇒ 12. The outcome is the same in both cases, but sometimes operational semantics must be forced to be deterministic; that is, a program has exactly one operational semantics — one trace. A structural operational semantics is a term rewriting system plus a set of inference rules that state precisely the context in which a computation step can be undertaken.∗ Say that we desire left-to-right computation of arithmetic expressions. This is encoded as follows: N1 + N2 ⇒ N where N is the sum of N1 and N2 . E1 ⇒ E 1 E1 + E2 ⇒ E 1 + E2
E2 ⇒ E 2 N + E2 ⇒ N + E 2
The first rule is as before; the second rule states that if the left operand of an addition expression can be rewritten, then the addition expression should be revised to show this. The third rule is the crucial one: if the right operand of an addition expression can be rewritten and the left operand is a numeral (that is, it is completely evaluated), then the addition expression should be revised to show this. Working together, the three rules force left-to-right evaluation of expressions. Now, each computation step must be deduced by these rules. For our example, (1 + 2) + (4 + 5), we must deduce this initial computation step: 1+2⇒3 (1 + 2) + (4 + 5) ⇒ 3 + (4 + 5) Thus, the first step is (1 + 2)+(4 + 5) ⇒ 3+(4 + 5); we cannot deduce that (1 + 2)+(4 + 5) ⇒ (1 + 2)+9. The next computation step is justified by this deduction: 4+5⇒9 3 + (4 + 5) ⇒ 3 + 9 The last deduction is simply 3 + 9 ⇒ 12, and we are finished. The example shows why the semantics is structural: a computation step, such as an addition, which affects a small part of the overall program, is explicitly embedded into the structure of the overall program. Operational semantics can also be used to represent internal data structures, such as instruction counters, storage vectors, and stacks. For example, say that the semantics of arithmetic must show that a stack is used to hold intermediate results. Thus, we use a state of the form s , c , where s is the stack and c is the arithmetic expression to be executed. A stack containing n items is written v 1 :: v 2 :: . . . :: v n :: nil, where v 1 is the topmost item and nil marks the bottom of the stack. The c component will be written as a stack as well. The initial state for an arithmetic expression p is written nil, p :: nil , and computation proceeds until the state appears as v :: nil, nil ; we say that the result is v.
∗
A structural operational semantics is sometimes called a small-step semantics because each computation step is a small step toward the final answer. © 2004 by Taylor & Francis Group, LLC
The semantics uses three rewriting rules: s , N :: c ⇒ N :: s , c s , E1 + E2 :: c ⇒ s , E1 :: E2 :: add :: c N2 :: N1 :: s , add :: c ⇒ N :: s , c where N is the sum of N1 and N2 . The first rule says that a numeral is evaluated by pushing it on the top of the stack. The second rule states that the addition of two expressions is decomposed into first evaluating the two expressions and then adding them. The third rule removes the top two items from the stack and adds them. Here is the previous example, repeated: nil, (1 + 2) + (4 + 5) :: nil ⇒ nil, 1 + 2 :: 4 + 5 :: add :: nil ⇒ nil, 1 :: 2 :: add :: 4 + 5 :: add :: nil ⇒ 1 :: nil, 2 :: add :: 4 + 5 :: add :: nil ⇒ 2 :: 1 :: nil, add :: 4 + 5 :: add :: nil ⇒ 3 :: nil, 4 + 5 :: add :: nil
⇒ . . . ⇒ 12 :: nil, nil
This form of operational semantics is sometimes called a state transition semantics because each rewriting rule operates upon the entire state. With a state transition semantics, there is no need for structural operational semantics rules. The three example semantics just shown are typical of operational semantics. When one wishes to prove properties of an operational semantics definition, the standard proof technique is induction on the length of the computation. That is, to prove that a property P holds for an operational semantics, one must show that P holds for all possible computation sequences that can be generated from the rewriting rules. For an arbitrary computation sequence, it suffices to show that P holds no matter how long the computation runs. Therefore, one shows (1) P holds after zero computation steps, that is, at the outset; and (2) if P holds after n computation steps, it holds after n + 1 steps. See Nielson and Nielson [1992] for examples.
98.2.2 Denotational Semantics A drawback of operational semantics is the emphasis it places on state sequences. For the arithmetic language, we were distracted by questions regarding order of evaluation of subphrases, although this issue is not central to arithmetic. Further, a key aspect of arithmetic, the property that the meaning of an expression is built from the meanings of its subexpressions, was obscured by the operational semantics. Denotational semantics handles these issues by emphasizing that a program has an underlying mathematical meaning that is independent of whatever computation strategy is taken to uncover it. In the case of arithmetic, an expression such as (1 + 2) + (4 + 5) has the meaning 12, and we need not worry about the internal computation steps that were taken to discover this. The assignment of meaning to programs is performed in a compositional manner: the meaning of a phrase is built from the meanings of its subphrases. We can see this in the denotational semantics of the arithmetic language: first, we note that meanings of arithmetic expressions are natural numbers, Nat = {0, 1, 2, . . .}, and we note that there is a binary function, plus : Nat × Nat → Nat, which maps a pair of natural numbers to their sum. The denotational semantics definition of arithmetic is simple and elegant: E : Expression → Nat E[[N]] = N E[[E1 + E2 ]] = plus (E[[E1 ]], E[[E2 ]]) © 2004 by Taylor & Francis Group, LLC
The first line states merely that E is the name of the function that maps arithmetic expressions to their meanings. Because there are just two BNF constructions for expressions, E is completely defined by the two equational clauses. The interesting clause is the one for E1 + E2 ; it says that the meanings of E1 and E2 are combined compositionally by plus. Here is the denotational semantics of the running example: E[[(1 + 2) + (4 + 5)]] = plus (E[[1 + 2]], E[[4 + 5]]) = plus (plus (E[[1]], E[[2]]), plus (E[[4]], E[[5]])) = plus (3, 9) = 12 One might read the preceding example as follows: the meaning of (1 + 2) + (4 + 5) equals the meanings of 1 + 2 and 4 + 5 added together. Because the meaning of 1 + 2 is 3, and the meaning of 4 + 5 is 9, the meaning of the overall expression is 12. This reading says nothing about order of evaluation or run time data structures — it emphasizes underlying mathematical meaning. Here is an alternative way of understanding the semantics; write a set of simultaneous equations based on the denotational definition E[[(1 + 2) + (4 + 5)]] = plus (E[[1 + 2]], E[[4 + 5]]) E[[1 + 2]] = plus (E[[1]], E[[2]]) E[[4 + 5]] = plus (E[[4]], E[[5]]) E[[1]] = 1
E[[2]] = 2
E[[4]] = 4
E[[5]] = 5
Now solve the equation set to discover that E[[(1 + 2) + (4 + 5)]] is 12. Because denotational semantics states the meaning of a phrase in terms of the meanings of its subphrases, its associated proof technique is structural induction. That is, to prove that a property P holds for all programs in the language, one must show that the meaning of each construction in the language has property P . Therefore, one must show that each equational clause in the semantic definition produces a meaning with property P . In the case that a clause refers to subphrases (e.g., E[[E1 + E2 ]]), one can assume that the meanings of the subphrases have property P . Again, see Nielson and Nielson [1992] for examples.
98.2.3 Natural Semantics A “hybrid” semantics method, natural semantics, attempts to combine the advantages of both operational semantics and denotational semantics. Like structural operational semantics, natural semantics shows the context in which a computation step occurs, and, like denotational semantics, natural semantics emphasizes that the computation of a phrase is built from the computations of its subphrases. A natural semantics is a set of inference rules, and a complete computation in natural semantics is a single derivation. The natural semantics rules for the arithmetic language are N⇓N E 1 ⇓ n 1 E2 ⇓ n 2 E1 + E2 ⇓ m where m is the sum of n1 and n2 . Read a configuration of the form E ⇓ n as “E evaluates to n.” The rules resemble a denotational semantics written in inference rule form; this is no accident: natural semantics can be viewed as a denotational semantics variant where the internal calculations of meaning are made explicit. These internal calculations are seen in the natural semantics derivation of the example 1⇓1 2⇓2 4⇓4 5⇓5 (1 + 2) ⇓ 3 (4 + 5) ⇓ 9 (1 + 2) + (4 + 5) ⇓ 12 © 2004 by Taylor & Francis Group, LLC
Unlike denotational semantics, natural semantics does not claim that the meaning of a program is necessarily mathematical. And unlike structural operational semantics, where a configuration e ⇓ e says that e transits to an intermediate state e , in natural semantics e ⇓ v asserts that the final answer for e is v. For this reason, a natural semantics is sometimes called a big-step semantics. An interesting limitation of natural semantics is that semantics derivations can be drawn only for terminating programs. The usual proof technique for proving properties of a natural semantics definition is induction on the height of the derivation trees that are generated from the semantics. Once again, see Nielson and Nielson [1992].
98.2.4 Axiomatic Semantics An axiomatic semantics deduces properties of programs rather than meanings. Derivation of these properties is done with an inference rule set that portrays a logic for the programming language. As an example, say that we wish to deduce even–odd properties of programs in arithmetic. The set of properties is simply {is even, is odd}. We define an axiomatic semantics to do this: N : is even if N mod 2 = 0 E1 : p1 E2 : p2 E1 + E2 : p3
N : is odd if N mod 2 = 1
where p3 =
is even if p1 = p2 is odd
otherwise
The derivation of the even–odd property of the example is: 1 : is odd 2 : is even 4 : is even 5 : is odd 1 + 2 : is odd 4 + 5 : is odd (1 + 2) + (4 + 5) : is even In the usual case, the properties proved of programs are expressed in predicate logic. (See the subsection on axiomatic semantics later in this chapter.) Axiomatic semantics has strong ties to the abstract interpretation of denotational and natural semantics definitions [Cousot and Cousot 1977; Nielson, Nielson, and Hanki 1998].
98.3 Semantics of Programming Languages The semantics methods shine when they are applied to a realistic programming language: the primary features of the programming language are proclaimed loudly and subtle features receive proper mention. Ambiguities and anomalies stand out like the proverbial sore thumb. In this section we give the semantics of a block-structured imperative language. Emphasis is placed on the denotational semantics method, but excerpts from the other semantics formalisms are provided for comparison.
98.3.1 Language Syntax and Informal Semantics The syntax of the programming language is presented in Figure 98.1. As stated in the figure, there are four levels of syntax constructions in the language, and the topmost level, Program, is the primary one.∗ The language is a while-loop language with local, nonrecursive procedure definitions. For simplicity, variables are predeclared and there are just three of them: X, Y, and Z. A program, C., operates as follows: an input number is read and assigned to X’s location. Then the body, C, of the program is evaluated, and, on completion, the storage vector holds the results. For example, this program computes n2 for a positive
∗
The Identifier and Numeral sets are collections of words — terminal symbols — and not phrase-level syntax constructions in the sense of this chapter. © 2004 by Taylor & Francis Group, LLC
P ∈ Program D ∈ Declaration C ∈ Command E ∈ Expression I ∈ Identifier = upper-case alphabetic strings N ∈ Numeral = {0, 1, 2, . . .} P ::= C. D ::= proc I = C C ::= I := E | C1 ; C2 | begin D in C end | call I | while E do C od E ::= N | E1 + E2 | E1 not = E2 | I FIGURE 98.1 Language syntax rules.
input n; the result is found in Z’s location: begin proc INCR = Z:= Z+X; Y:= Y+1 in Y:= 0; Z:= 0; while Y not=X do call INCR od end. It is possible to write nonsense programs in the language; an example is A:=0; call B. Such programs have no meaning, and we will not attempt to give semantics to them. Nonsense programs are trapped by a type checker, and an elegant way of defining a type checker is by a set of typing rules for the programming language; see Chapter 97 for details.
98.3.2 Domains for Denotational Semantics To give a denotational semantics to the sample language, we must state the sets of meanings, called domains, that we use. Our imperative, block-structured language has two primary domains: (1) the domain of storage vectors, called Store; and (2) the domain of symbol tables, called Environment. There are also secondary domains of Booleans and natural numbers. The primary domains and their operations are displayed in Figure 98.2. The domains and operations deserve study. First, the Store domain states that a storage vector is a triple, for example, 1, 3, 5. (Recall that programs have exactly three variables.) The operation lookup extracts a value from the store, e.g., lookup(2, 1, 3, 5) = 3, and update updates the store, for example, update(2, 6, 1, 3, 5) = 1, 6, 5. Operation init store creates a starting store. We examine check momentarily. The environment domain states that a symbol table is a list of identifier-value pairs. For example, if variable X is the name of location 1, and P is the name of a procedure that is a no-op, then the environment that holds this information would appear (X, 1) :: (P, id ) :: nil, where id (s ) = s . (Procedures will be discussed momentarily.) Operation find locates the binding for an identifier in the environment, for example, find (X, (X, 1) :: (P, id ) :: nil ) = 1, and bind adds a new binding, for example, bind(Y, 2, (X, 1) :: (P, id ) :: nil ) = (Y, 2) :: (X, 1) :: (P, id ) :: nil. Operation init env creates an environment to start the program. In the next section, we see that the job of a command, for example, an assignment, is to update the store. That is, the meaning of a command is a function that maps the current store to the updated one. (That is why a no-op command is the identity function, id(s ) = s , where s ∈ Store.) But sometimes commands loop and no updated store appears. We use the symbol ⊥, read bottom, to stand for a looping store, and we use Store⊥ to stand for the set of possible outputs of commands. Therefore, the meaning of a command is a function of the form Store → Store⊥ . It is impossible to recover from looping, so that if there is a command sequence C1 ; C2 and C1 is looping, then C2 cannot proceed. The check operation is used in the next subsection to watch for this situation. © 2004 by Taylor & Francis Group, LLC
Store = {n1 , n2 , n3 | ni ∈ Nat, i ∈ 1..3} lookup : {1, 2, 3} × Store → Nat lookup (i, n1 , n2 , n3 ) = ni update : {1, 2, 3} × Nat × Store → Store update (1, n, n1 , n2 , n3 ) = n, n2 , n3 update (2, n, n1 , n2 , n3 ) = n1 , n, n3 update (3, n, n1 , n2 , n3 ) = n1 , n2 , n init store : Nat → Store init store (n) = n, 0, 0 check : (Store → Store⊥ ) × Store⊥ → Store⊥ where Store⊥ = Store ∪ {⊥} check (c , a) = if (a = ⊥) then ⊥ else c (a) Environment = (Identifier × Denotable)∗ where A∗ is a list of A-elements, a1 :: a2 :: . . . :: an :: nil, n ≥ 0 and Denotable = {1, 2, 3} ∪ (Store → Store⊥ ) find : Identifier × Environment →Denotable find (i, nil ) = 0 find (i, (i , d) :: rest ) = if (i = i ) then d else find (i, rest ) bind : Identifier × Denotable × Environment → Environment bind (i, d, e) = (i, d) :: e init env : Environment init env = (X, 1) :: (Y, 2) :: (Z, 3) :: nil FIGURE 98.2 Semantic domains.
Finally, here are two commonly used notations. First, functions such as id(s ) = s are often reformatted to read id = s . s ; in general, for f (a) = e, we write f = a. e, that is, we write the argument to the function to the right of the equals sign. This is called lambda notation and stems from the lambda calculus, an elegant formal system for functions. (See Chapter 96 of this Handbook.) The notation f = a. e emphasizes that (1) the function a. e is a value in its own right, and (2) the function’s name is f . Second, it is common to revise a function that takes multiple arguments, for example, f (a, b) = e, so that it takes the arguments one at a time: f = a. b. e. Therefore, if the arity of f was A × B → C , its new arity is A → (B → C ). This reformatting trick is called Currying, after Haskell Curry, one of the developers of lambda calculus.
98.3.3 Denotational Semantics of Programs Figure 98.3 gives the denotational semantics of the programming language. Because the syntax of the language has four levels, the semantics is organized into four levels of meaning. For each level, we define a valuation function that produces the meanings of constructions at that level. For example, at the expression level, the constructions are mapped to their meanings by E. What is the meaning of the expression, say, X+5? This would be E[[X+5]], and the meaning depends on which location is named by X and what number is stored in that location. Therefore, the meaning depends on the current value of the environment and the current value of the store. Thus, if the current environment is e 0 = (P, s . s ) :: (X, 1) :: (Y, 2) :: (Z, 3) :: nil and the current store is s 0 = 2, 0, 0, then the meaning of X+5 is 7, E[[X+5]]e 0 s 0 = plus(E[[X]]e 0 s 0 , E[[5]]e 0 s 0 ) = plus(lookup(find(X, e 0 ), s 0 ), 5) = plus(lookup(1, s 0 ), 5) = plus(2, 5) = 7 © 2004 by Taylor & Francis Group, LLC
P : Program → Nat → Nat ⊥ P[[C.]] = n. C[[C]]init env (init store n) D : Declaration → Environment → Environment D[[proc I = C]] = e. bind(I, C[[C]]e, e) C : Command → Environment → Store → Store⊥ C[[I := E]] = e. s . update (find ( I, e), E[[E]]e s , s ) C[[C1 ; C2 ]] = e. s . check (C[[C2 ]] e, C[[C1 ]]e s ) C[[begin D in C end]] = e. s . C[[C]](D[[D]]e)s C[[call I]] = e. find(I, e) C[[while E do C od]] = e. i ≥0 w i w 0 = s . ⊥ where w i +1 = s . if E[[E]]e s then check(w i , C[[C]]e s ) else s E : Expression → Environment → Store → (Nat ∪ Bool ) E[[N]] = e. s . N E[[E1 + E2 ]] = e. s . plus(E[[E1 ]]e s , E[[E2 ]]e s ) E[[E1 not= E2 ]] = e. s . notequals(E[[E1 ]]e s , E[[E2 ]]e s ) E[[I]] = e. s . lookup(find(I, e), s ) FIGURE 98.3 Denotational semantics.
As this simple derivation shows, data structures such as the symbol table and storage vector are modeled by the environment and store arguments. This pattern is used throughout the semantics definition. As noted in the previous section, a command updates the store. Precisely stated, the valuation function for commands is C : Command → Environment → Store → Store⊥ . For example, for e 0 and s 0 given previously, we see that: C[[Z:=X+5]]e 0 s 0 = update( find(Z, e 0 ), E[[X+5]]e 0 s 0 , s 0 ) = update(3, 7, s 0 ) = 2, 0, 7 But a crucial point about the meaning of the assignment is that it is a function upon stores. That is, if we are uncertain of the current value of store, but we know that the environment for the assignment is e 0 , then we can conclude that: C[[Z:=X+5]]e 0 = s . update(3, plus(lookup(1, s ), 5), s ) That is, the assignment with environment e 0 is a function that updates a store at location 3. Next consider this example of a command sequence: C[[Z:=X+5; call P]]e 0 s 0 = check(C[[call P]]e 0 , C[[Z:=X+5]]e 0 s 0 ) = check(find(P, e 0 ), 2, 0, 7) = check(s . s , 2, 0, 7) = (s . s )2, 0, 7 = 2, 0, 7 As noted in the earlier section, the check operation verifies that the first command in the sequence produces a proper output store; if so, the store is handed to the second command in the sequence. Also, we see that the meaning of call P is the store updating function bound to P in the environment. © 2004 by Taylor & Francis Group, LLC
Procedures are placed in the environment by declarations, as we see in this example: let e 1 denote (X, 1) :: (Y, 2) :: (Z, 3) :: nil, C[[begin proc P = Y:=Y in Z:=X+5; call P end]]e 1 s 0 = C[[Z:=X+5; call P]](D[[proc P = Y:=Y]]e 1 )s 0 = C[[Z:=X+5; call P]](bind (P, C[[Y:=Y]]e 1 , e 1 ))s 0 = C[[Z:=X+5; call P]](bind (P, s . update(2, lookup(2, s ), s ), e 1 ))s 0 = C[[Z:=X+5; call P]]((P, id) :: e 1 )s 0 where id = s . update(2, lookup(2, s ), s ) = s . s
(∗)
= C[[Z:=X+5; call P]]e 0 s 0 = 2, 0, 7 The equality marked by (∗) is significant; we can assert that the function s . update(2, lookup(2, s ), s ) is identical to s . s by appealing to the extensionality law of mathematics: if two functions map identical arguments to identical answers, then the functions are themselves identical. The extensionality law can be used here because in denotational semantics the meanings of program phrases are mathematical — functions. In contrast, the extensionality law cannot be used in operational semantics calculations. Finally, we can combine our series of little examples into the semantics of a complete program, P[[begin proc P = Y:=Y in Z:=X+5; call P end.]]2 = C[[begin proc P = Y:=Y in Z:=X+5; call P end]]init env (init store 2) = C[[begin proc P = Y:=Y in Z:=X+5; call P end]]e 1 s 0 = 2, 0, 7
98.3.4 Semantics of the While-Loop The most difficult clause in the semantics definition is the one for the while-loop. Here is some intuition: to produce an output store, the loop while E do C od must terminate after some finite number of iterations. To measure this behavior, let whilei E do C od be a loop that can iterate at most i times; if the loop runs more than i iterations, it becomes exhausted and its output is ⊥. For example, for input store 4, 0, 0, the loop whilek Y not = X do Y: = Y+1 od can produce the output store 4, 4, 0 only when k is greater than 4. (Otherwise, the output is ⊥.) It is easy to conclude that the family, whilei E do C od, for i ≥ 0, can be written equivalently as:
while0 E do C od = “exhausted” (that is, its meaning is s . ⊥) whilei +1 E do C od = if E then C; whilei E do C od else skip fi When we refer back to Figure 98.3, we draw these conclusions: C[[while0 E do C od]] e = w 0 C[[whilei +1 E do C od ]]e = w i +1 Because the behavior of a while-loop must be the union of the behaviors of the whilei -loops, we conclude that C[[while E do C od]]e = i ≥0 w i . The semantic union operation is well defined because each w i is a function from the set Store → Store⊥ , and a function can be represented as a set of argument-answer pairs. (This is called the graph of the function.) Thus, i ≥0 w i is the union of the graphs of the w i functions.∗
∗ Several important technical details have been glossed over. First, pairs of the form (s , ⊥) are ignored when the union of the graphs is performed. Second, for all i ≥ 0, the graph of w i is a subset of the graph of w i +1 ; this ensures the union of the graphs is a function.
© 2004 by Taylor & Francis Group, LLC
The definition of C[[while E do C od]] is succinct, but it is awkward to use in practice. An intuitive way of defining the semantics is: C[[while E do C od]]e = w where w = s . if E[[E]]e s then check(w , C[[C]]e s ) else s The problem here is that the definition of w is circular, and circular definitions can be malformed. Fortunately, this definition of w can be claimed to denote the function i ≥0 w i because the following equality holds:
w i = s . if E[[E]]e s then check
i ≥0
w i , C[[C]]e s else s
i ≥0
Thus, i ≥0 w i is a solution — a fixed point — of the circular definition, and in fact it is the smallest function that makes the equality hold. Therefore, it is the least fixed point. Typically, the denotational semantics of the while-loop is presented by the circular definition, and the claim is then made that the circular definition stands for the least fixed point. This is called fixed-point semantics. We have omitted many technical details regarding fixed-point semantics; these are available in several texts [Gunter 1992, Mitchell 1996, Schmidt 1986, Stoy 1977, Winskel 1993].
98.3.5 Action Semantics One disadvantage of denotational semantics is its dependence on functions to describe all forms of computation. As a result, the denotational semantics of a large language is often too dense to read and too low level to modify. Action semantics is an easy-to-read denotational semantics variant that rectifies these problems by using a family of standard operators to describe standard forms of computation in standard languages [Mosses 1992]. In action semantics, the standard domains are called facets and are predefined for expressions (the functional facet), for declarations (the declarative facet), and for commands (the imperative facet). Each facet includes a set of standard operators for consuming values of the facet and producing new ones. The operators are connected together by combinators (pipes), and the resulting action semantics definition resembles a data-flow program. For example, the semantics of assignment reads as follows: execute[[I := E]] = (find I and evaluate[[E]]) then update
One can naively read the semantics as an English sentence, but each word is an operator or a combinator: execute is C, evaluate is E, find is a declarative facet operator, update is an imperative facet operator, and and and then are combinators. The equation accepts as its inputs a declarative facet argument (that is, an environment) and an imperative facet argument (that is, a store) and pipes them to the operators. Thus, find consumes its declarative argument and produces a functional-facet answer, and, independently, evaluate[[E]] consumes declarative and imperative arguments and produces a functional answer. The and combinator pairs these, and the then combinator transmits the pair to the update operator, which uses the pair and the imperative-facet argument to generate a new imperative result. The important aspects of an action semantics definition are (1) standard arguments, such as environments and stores, are implicit; (2) standard operators are used for standard computation steps (e.g., find and update); and (3) combinators connect operators together seamlessly and pass values implicitly. Lack of space prevents a closer examination of action semantics, but see Watt [1991] and Mosses [1992] for details.
98.3.6 The Natural Semantics of the Language We can compare the denotational semantics of the imperative language with a natural semantics formulation. The semantics of several constructions appear in Figure 98.4. © 2004 by Taylor & Francis Group, LLC
e proc I = C ⇓ bind(I, (e, C), e)
e D ⇓ e e , s C ⇓ s e, s begin D in C end ⇓ s
l = find(I, e) e, s E ⇓ n e, s I := E ⇓ update(l , n, s ) (e , C ) = find(I, e) e , s C ⇓ s e, s call I ⇓ s e, s
E ⇓ true
e, s
e, s
C1 ⇓ s e, s C2 ⇓ s
e, s C1 ; C2 ⇓ s
e, s E ⇓ false while E do C od ⇓ s
e, s C ⇓ s e, s while E do C od ⇓ s
e, s while E do C od ⇓ s
FIGURE 98.4 Natural semantics.
let e 0 = (X, 1) :: (Y, 2) :: (Z, 3) :: nil s 0 = 2, 0, 0, s 1 = 2, 1, 0 E0 = Y not=1, C0 = Y:=Y+1 C00 = while E0 do C0 od e 0 , s 0 E0 ⇓ true
2 = find(Y, e 0 ) e 0 , s 0 Y+1 ⇓ 1 e 0 , s 0 C0 ⇓ s 1 e 0 , s 0 C00 ⇓ s 1
e 0 , s 1 E0 ⇓ false e 0 , s 1 C00 ⇓ s 1
FIGURE 98.5 Natural semantics derivation.
A command configuration has the form e, s C ⇓ s , where e and s are the inputs to command C and s is the output. To understand the inference rules, read them bottom up. For example, the rule for I := E says, given the inputs e and s , one must first find the location l , bound to I, and then calculate the output n, for E. Finally, l and n are used to update s , producing the output. The rules are denotational-like, but differences arise in several key constructions. First, the semantics of a procedure declaration binds I not to a function but to an environment–command pair called a closure. When procedure I is called, the closure is disassembled, and its text and environment are executed. Because a natural semantics does not use function arguments, it is called a first-order semantics. (Denotational semantics is sometimes called a higher order semantics.) Second, the while-loop rules are circular. The second rule states that, in order to derive a while-loop computation that terminates in s
, one must derive (1) the test, E is true, (2) the body C, outputs s , and (3) using e and s , one can derive a terminating while-loop computation that outputs s
. The rule makes one feel that the while-loop is running backward from its termination to its starting point, but a complete derivation, such as the one shown in Figure 98.5, shows that the iterations of the loop can be read from the root to the leaves of the derivation tree. One important aspect of the natural semantics definition is that derivations can be drawn only for terminating computations. A nonterminating computation is equated with no computation at all.
98.3.7 The Operational Semantics of the Language A fragment of the structural operational semantics of the imperative language is presented in Figure 98.6. For expressions, a computation step takes the form e E, s ⇒ E , where e is the environment, E is the expression that is evaluated, s is the current store, and E is E rewritten. In the case of a command C, a step appears e C, s ⇒ C , s , because computation on C might also update the store. If the computation step on C uses up the command, the step appears e C, s ⇒ s . © 2004 by Taylor & Francis Group, LLC
e n1 + n2 , s ⇒ n3 where n3
is the sum of n1 and n2
e E, s ⇒ E e I := E, s ⇒ I := E , s e I := n, s ⇒ update (l , n, s ) where find (I, e) = l e C1 , s ⇒ C 1 , s e C1 ; C2 , s ⇒ C 1 ; C2 , s
e C1 , s ⇒ s e C1 ; C2 , s ⇒ C2 , s
e while E do C od, s ⇒ if E then C; while E do C od else skip fi, s e call I, s ⇒ use e in C , s where find (I, e) = (e , C ) e use
e
e C, s ⇒ C , s in C, s ⇒ use e in C , s
e C, s ⇒ s e use e in C, s ⇒ s
e proc I = C ⇒ bind (I, (e, C), e) e D ⇒ e e begin D in C end, s ⇒ use e in C, s FIGURE 98.6 Structural operational semantics.
The rules in the figure are more tedious than those for a natural semantics because the individual computation steps must be defined, and the order in which the steps are undertaken must also be defined. This complicates the rules for command composition, for example. On the other hand, the rewriting rule for the while-loop merely decodes the loop as a conditional command. The rules for procedure call are awkward; as with the natural semantics, a procedure I is represented as a closure of the form (e , C ). Because C must execute with environment e , which is different from the environment that exists where procedure I is called, the rewriting step for call I must retain two environments; a new construct, use e in C , remembers that C must use e (and not e). A similar trick is used in begin D in C end. Unlike a natural semantics definition, a computation can be written for a nonterminating program; the computation is a state sequence of countably infinite length.
98.3.8 An Axiomatic Semantics of the Language An axiomatic semantics uses properties of stores, rather than stores themselves. For example, we might write the predicate X = 3 ∧ Y > 0 to assert that the current value of the store contains 3 in X’s location and a positive number in Y’s location. We write a configuration {P }C{Q} to assert that if predicate P holds true prior to evaluation of command C, then predicate Q holds upon termination of C (if C does indeed terminate). For example, we can write {X = 3 ∧ Y > 0}Y:=X+Y{X = 3 ∧ Y > 3}, and indeed this holds true. There are three ways of stating the semantics of a command in an axiomatic semantics: 1. Relational semantics. The meaning of C is the set of P , Q pairs for which {P }C{Q} holds. 2. Postcondition semantics. The meaning of C is a function from an input predicate to an output predicate. We write slp(P , C) = Q; this means that {P }C{Q} holds, and for all Q such that {P }C{Q } holds, it is the case that Q implies Q . This is also called strongest liberal postcondition semantics. When termination is demanded also of C, the name becomes strongest postcondition semantics. 3. Precondition semantics. The meaning of C is a function from an output predicate to an input predicate. We write wlp(C, Q) = P ; this means that {P }C{Q} holds, and for all P such that {P }C{Q} holds, it is the case that P implies P . This is also called weakest liberal precondition semantics. When termination is demanded also of C, the name becomes weakest precondition semantics. It is traditional to study relational semantics first, so we focus on it here. © 2004 by Taylor & Francis Group, LLC
{[E/I]P }I := E{P } P ⊃ P {P ∧ E}C1 {Q} {P }if E then C1
{P }C{Q } {P }C{Q}
Q ⊃ Q
{P ∧ ¬E}C2 {Q}
else C2 fi {Q}
{P }C1 {Q} {Q}C2 {R} {P }C1 ; C2 {R} {P ∧ E}C{P }
{P } while E do C od {P ∧ ¬E}
FIGURE 98.7 Axiomatic semantics.
If the intended behavior of a program C is written as a pair of predicates P , Q, a relational semantics can be used to verify that {P }C{Q} holds. For example, we might wish to show that an integer division subroutine DIV that takes inputs NUM and DEN and produces outputs QUO and REM has this behavior: {¬(DEN = 0)}DIV{QUO × DEN + REM = NUM} A proof of this claim is a derivation built with the rules in Figure 98.7. Figure 98.7 displays the rules for the primary command constructions. The rule for I := E states that a property P about I will hold upon completion of the assignment if [E/I]P (that is, P restated in terms of E) holds beforehand. [E/I]P stands for the substitution of phrase E for all free occurrences of I in P . For example, {X = 3 ∧ X+Y > 3}Y:=X+Y{X = 3 ∧ Y > 3} holds because [X+Y/Y](X = 3 ∧ Y > 3) is X = 3 ∧ X+Y > 3. The second rule lets us weaken a result. For example, because (X = 3 ∧ Y > 0) ⊃ (X = 3 ∧ X + Y > 3) holds, we deduce that {X = 3 ∧ Y > 0}Y:=X+Y{X = 3 ∧ Y > 3} holds. The properties of command composition are defined in the expected way, by the third rule. The fourth rule, for the if-command, makes a property Q hold upon termination if Q holds regardless of which arm of the conditional is evaluated. Note that each arm of the conditional uses information about the result of the conditional’s test. The most fascinating rule is the last one, for the while-loop. If we can show that a property P is preserved by the body of the loop, then we can assert that no matter how long the loop iterates, P must hold upon termination. P is called the loop invariant. The rule is an encoding of a mathematical induction proof: to show that P holds upon completion of the loop, we must prove (1) the basis case: P holds upon loop entry (that is, after zero iterations), and (2) the induction case: if P holds after i iterations, then P holds after i + 1 iterations as well. Therefore, if the loop terminates after some number k of iterations, the induction proof ensures that P holds. Here is an example that shows the rules in action. We wish to verify that {X = Y ∧ Z = 0}while Y not=0 do Y:=Y-1; Z:=Z+1 od {X = Z} holds true. The key to the proof is determining a loop invariant; here, a useful invariant is X = Y+Z, because X = Y+Z ∧ ¬(Y not=0) implies X = Z. This leaves us {X = Y+Z ∧ Y not=0}Y:=Y-1; Z:=Z+1 {X = Y + Z} to prove. We work backward: the rule for assignment gives us: {X = Y +(Z +1)}Z:=Z+1{X = Y + Z}, and we can also deduce that {X = (Y − 1) + (Z + 1)}Y:=Y-1{X = Y + (Z + 1)} holds. Because X = Y + Z ∧ Y not=0 implies X = (Y − 1) + (Z + 1), we can assemble a complete derivation; it is given in Figure 98.8.
98.4 Applications of Semantics Language designers have used semantics definitions to formalize their creations. An early example was the formalization of a large subset of Ada in denotational semantics [Donzeau-Gouge 1980]. The semantics definition was then prototyped using Mosses’ SIS compiler generating system [Mosses 1976]. Scheme is another widely used language that has been given a standardized denotational semantics [Rees and © 2004 by Taylor & Francis Group, LLC
let P0 be X = Y + Z P1 be X = Y + (Z + 1), P2 be X = (Y − 1) + (Z + 1) E0 = Y not=0, C0 = Y:=Y-1;Z:=Z+1 {P2 }Y:=Y-1{P1 } {P1 }Z:=Z+1{P0 } {P2 }C0 {P0 } {P0 ∧ E0 }C0 {P0 } {P0 } while E0 do C0 od {P0 ∧ ¬E0 }
(P0 ∧ E0 ) ⊃ P2
P0 ⊃ P0
FIGURE 98.8 Axiomatic semantics derivation.
Clinger 1986]. Another notable example is the formalization of the complete Standard ML language in structural operational semantics [Milner et al. 1990]. The plethora of object-oriented languages are being untangled with the assistance of formal semantics definitions [Abadi and Cardelli 1996, Bruce 2002, Pierce 2002]. Another significant application of semantics definitions has been to rapid prototyping — the synthesis of an implementation for a newly defined language. Notable prototyping systems are SIS [Mosses 1976], PSI [Nielson and Nielson 1988], MESS [Lee 1989], Actress [Brown et al. 1992], and Typol [Despeyroux 1984]. The first two process denotational semantics, the second two process action semantics, and the last one handles natural semantics. SIS and Typol are interpreter generators; that is, they interpret a source program with the semantics definition; and PSI, MESS, and Actress are compiler generators, that is, compilers for the source language are synthesized. A major success of formal semantics is the analysis and synthesis of data-flow analysis and typeinference algorithms from semantics definitions. This subject area, called abstract interpretation [Abramsky and Hankin 1987, Cousot and Cousot 1977, Muchnick and Jones 1981, Nielson, Nielson, and Hankin 1998], supplies precise techniques for analyzing semantics definitions, extracting properties from the definitions, applying the properties to data-flow and type inference, and proving the soundness of the code-improvement transformations that result. Abstract interpretation provides the theory that allows a compiler writer to prove the correctness of compilers as well as validate correctness properties of specific programs. Finally, axiomatic semantics is a long-standing fundamental technique for validating the correctness of programs. Recent emphasis on large-scale, distributed, and safety-critical systems has again spotlighted this technique, and as Chapter 97 of this Handbook indicates, there is now a marriage between data-type checking techniques and axiomatic-semantic deduction.
98.5 Research Issues in Semantics The techniques in this chapter have proved highly successful for defining, analyzing, and implementing procedural programming languages. But new language paradigms present new challenges to the semantics methods. In the functional programming paradigm, a higher-order functional language can use functions as arguments to other functions. This makes the language’s domains more complex than those in Figure 98.2. Denotational semantics can be used to understand these complexities; an applied mathematics called domain theory [Gunter 1992, Mitchell 1996] is used to formalize the domains with algebraic equations. For example, the Value domain for a higher-order, Scheme-like language takes the form: Value = Nat + (Value → Value) That is, legal values are numbers or functions on values. Of course, Cantor’s theorem makes it impossible to find a set that satisfies this equation, but domain theory uses the concept of continuity from topology © 2004 by Taylor & Francis Group, LLC
to restrict the size of Value so that a solution can be found as that in the subsection on the semantics of the while-loop; namely, Value = lim Vi , i ≥0
where
V0 = {⊥} Vi +1 = Nat (Vi → ctn Vi )
where Vi → ctn Vi denotes the topologically continuous functions on Vi . Challenging issues also arise in the object-oriented programming paradigm: objects are constructed from templates called classes, and classes can be declared incrementally and even rewritten (overridden) by means of subclassing. This arrangement makes understanding procedure (method) invocation fiendishly difficult, and denotational and natural semantics have been applied to stating precisely what it means to construct an object from incrementally defined classes and to invoke its methods [Bruce 2002, Gunter and Mitchell 1994, Mitchell 1996]. Also, the data-type checking techniques proposed for existing object-oriented languages contain flaws, and semantic methods have been applied to developing correct data-typing systems based on parametric and inclusion polymorphism [Abadi and Cardelli 1996, Pierce 2002]. Another challenging topic is parallelism and communication as it arises in the distributed and reactive programming paradigm, where multiple processes may run in parallel, react to each other’s outputs, and synchronize. Structural operational semantics is used to formalize systems of processes and study their interaction, and new semantical systems have been developed specifically for this subject. (See Chapter 96 of this Handbook.) Finally, a long-standing research topic is the relationship between the different forms of semantic definitions. If one has, say, both a denotational semantics and an axiomatic semantics for a programming language, in what sense do the semantics agree? Agreement is crucial, because a programmer might use axiomatic semantics to reason about the properties of programs, whereas a compiler writer might use denotational semantics to implement the language. In mathematical logic, one uses the concepts of soundness and completeness to relate a logic’s proof system to its interpretation, and in semantics there are similar notions of soundness and adequacy to relate one semantics to another [Gunter 1992, Ong 1995]. A standard example is proving the soundness of a structural operational semantics to a denotational semantics: for program P and input v, (P , v) ⇒ v in the operational semantics implies P[[P ]](v) = v in the denotational semantics. Adequacy is a form of inverse: if P[[P ]](v) = v , and v is a primitive value (e.g., an integer or Boolean), then (P , v) ⇒ v . There is a stronger form of adequacy, called full abstraction [Stoughton 1988], which has proved difficult to achieve for realistic languages, but recent research on viewing computation as a form of “game playing,” where a program interacts with its external environment to decide which computation step to make next, has produced some solutions to the full abstraction problem and has suggested yet another format for expressing programming language semantics [Abramsky et al. 1994, Abramsky and McCusker 1998].
Acknowledgments Brian Howard and Anindya Banerjee provided helpful criticism.
Defining Terms Action semantics: A variation of denotational semantics where low-level details are hidden by use of modularized sets of operators and combinators. Axiomatic semantics: The meaning of a program as a property or specification in logic. Denotational semantics: The meaning of a program as a compositional definition of a mathematical function from the program’s input data to its output data. Fixed-point semantics: A denotational semantics where the meaning of a repetitive structure, such as a loop or recursive procedure, is expressed as the smallest mathematical function that satisfies a recursively defined equation. © 2004 by Taylor & Francis Group, LLC
Loop invariant: In axiomatic semantics, a logical property of a while-loop that holds true no matter how many iterations the loop executes. Natural semantics: A hybrid of operational and denotational semantics that shows computation steps performed in a compositional manner. Also known as a big-step semantics. Operational semantics: The meaning of a program as calculation of a trace of its computation steps on input data. Strongest postcondition semantics: A variant of axiomatic semantics where a program and an input property are mapped to the strongest proposition that holds true of the program’s output. Structural operational semantics: A variant of operational semantics where computation steps are performed only within prespecified contexts. Also known as a small-step semantics. Weakest precondition semantics: A variant of axiomatic semantics where a program and an output property are mapped to the weakest proposition that is necessary of the program’s input to make the output property hold true.
References Abadi, M. and Cardelli, L., 1996. A Theory of Objects. Springer-Verlag, New York. Abramsky, S. and McCusker, G., 1987. Game Semantics. In H. Schwichtenberg and U. Berger, Editors, Logic and Computation: Proceedings of the 1997 Marktoberdorf Summer School. Springer-Verlag, New York. Abramsky, S. and Hankin, C., Eds. 1987. Abstract Interpretation of Declarative Languages. Ellis Horwood, Chichester, England. Abramsky, S., Jagadeesan, R., and Malacaria, P. 1994. Full abstraction for PCF. In TACS94, Proc. Theor. Aspects Comput. Software. Lecture Notes in Computer Science 789, pp. 1–15. Springer. Apt, K. 1981. Ten years of Hoare’s logic: a survey — Part 1. ACM Trans. Programming Lang. Syst., 3:431– 484. Brown, D. F., Moura, H., and Watt, D. A. 1992. ACTRESS: an action semantics directed compiler generator. In CC’92, Proc. 4th Int. Conf. Compiler Construction, Paderborn. Lecture Notes in Computer Science 641, pp. 95–109. Springer-Verlag, New York. Bruce, K., 2002. Foundations of Object-Oriented Programming Languages: Types and Semantics. MIT Press, Cambridge, MA. Cousot, P. and Cousot, R. 1977. Abstract interpretation: a unified lattice model for static analysis of programs, pp. 238–252. In Proc. 4th ACM Symp. Principles Programming Lang. ACM Press. Despeyroux, T. 1984. Executable specification of static semantics. In Semantics of Data Types, G. Kahn, D. B. MacQueen, and G. Plotkin, Eds. Lecture Notes in Computer Science 173, pp. 215-234. SpringerVerlag, New York. Dijkstra, E. W. 1976. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ. Donzeau-Gouge, V. 1980. On the formal description of Ada. In Semantics-Directed Compiler Generation. N. D. Jones, Ed. Lecture Notes in Computer Science 94, Springer-Verlag, New York. Dromey, G. 1989. Program Derivation. Addison-Wesley, Sydney. Gries, D. 1981. The Science of Programming. Springer. Gunter, C. 1992. Foundations of Programming Languages. MIT Press, Cambridge, MA. Gunter, C. and Mitchell, J. 1994. Theoretical Aspects of Object-Oriented Programming. MIT Press, Cambridge, MA. Hennessy, M. 1991. The Semantics of Programming Languages: An Elementary Introduction Using Structured Operational Semantics. Wiley, New York. Hoare, C. A. R. 1969. An axiomatic basis for computer programming. Commun. ACM, 12:576–580. Hoare, C. A. R. and Wirth, N. 1973. An axiomatic definition of the programming language Pascal. Acta Informatica, 2:335–355. Jones, C. B. 1980. Software Development: A Rigorous Approach. Prentice Hall, Englewood Cliffs, NJ. Kahn, G. 1987. Natural semantics. In Proc. STACS ’87. Lecture Notes in Computer Science 247, pp. 22–39. Springer, Berlin. © 2004 by Taylor & Francis Group, LLC
Lee, P. 1989. Realistic Compiler Generation. MIT Press, Cambridge, MA. Milner, R., Tofte, M., and Harper, R. 1990. The Definition of Standard ML. MIT Press, Cambridge, MA. Mitchell, J., 1996. Foundations for Programming Languages. MIT Press, Cambridge, MA. Morgan, C. 1994. Programming from Specifications, 2nd ed. Prentice Hall, Englewood Cliffs, NJ. Mosses, P. D. 1976. Compiler generation using denotational semantics. In Mathematical Foundations of Computer Science. A. Mazurkiewicz, Ed. Lecture Notes in Computer Science 45, pp. 436–441. Springer, Berlin. Mosses, P. D. 1990. Denotational semantics. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed. Vol. B, chap. 11, pp. 575–632. Elsevier. Mosses, P. D. 1992. Action Semantics. Cambridge University Press, Cambridge, England. Muchnick, S. and Jones, N. D., Eds. 1981. Program Flow Analysis: Theory and Applications. Prentice Hall, Englewood Cliffs, NJ. Nielson, F. and Nielson, H. R. 1988. Two-level semantics and code generation. Theor. Comput. Sci., 56(1): 59–133. Nielson, H. R. and Nielson, F. 1992. Semantics with Applications, a Formal Introduction. Wiley Professional Computing. Wiley, New York. Nielson, H. R., Nielson, F., and Hankin, C., 1998. Principles of Program Analysis. Springer-Verlag, New York. Ong, C. H.-L. 1995. Correspondence between operational and denotational semantics. In Handbook of Computer Science. S. Abramsky, D. Gabbay, and T. Maibaum, Eds. Vol. 4. Oxford University Press, Rio de Janeiro, Brazil. Pierce, B., 2002. Types and Programming Languages. The MIT Press, Cambridge, MA. Plotkin, G. D. 1981. A Structural Approach to Operational Semantics. Tech. Rep. FN-19, DAIMI, Aarhus, Denmark, Sept. Rees, J. and Clinger, W. 1986. Revised 3 report on the algorithmic language Scheme. SIGPLAN Notices, 21:37–79. Schmidt, D. A. 1986. Denotational Semantics: A Methodology for Language Development. Allyn and Bacon. Schmidt, D. A. 1994. The Structure of Typed Programming Languages. MIT Press, Cambridge, MA. Stoughton, A. 1988. Fully Abstract Models of Programming Languages. Research Notes in Theoretical Computer Science. Pitman/Wiley. Stoy, J. E. 1977. Denotational Semantics. MIT Press, Cambridge, MA. Tennent, R. D. 1991. Semantics of Programming Languages. Prentice Hall International, Englewood Cliffs, NJ. Watt, D. 1991. Programming Language Syntax and Semantics. Prentice Hall International, Englewood Cliffs, NJ. Winskel, G. 1993. Formal Semantics of Programming Languages. MIT Press, Cambridge, MA.
Further Information A good starting point for further reading is the comparative semantics text of H. R. Nielson and F. Nielson [1992], which thoroughly develops the topics in this chapter. Mitchell’s [1996] and Reynolds’s [1998] texts provide in-depth presentations. Operational semantics has a long history, and good introductions are Hennessey’s [1991] text and Plotkin’s report on structural operational semantics [1981]. The principles of natural semantics are documented by Kahn [1987]. Mosses’ [1990] paper is a useful introduction to denotational semantics; textbook-length treatments include those by Schmidt [1986], Stoy [1977], Tennent [1991], and Winskel [1993]. Gunter’s [1992] text uses denotational-semantics-based mathematics to compare several of the semantics approaches, and Schmidt’s [1994] and Mitchell’s [1996] texts show the influences of data-type theory on denotational semantics, which is developed in detail by Bruce [2002] and Pierce [2002]. Action semantics is surveyed by Watt [1991] and defined by Mosses [1992].
© 2004 by Taylor & Francis Group, LLC
Of the many textbooks on axiomatic semantics, one might start with the books by Dromey [1989] or Gries [1981]; both emphasize precondition semantics, which is most effective at deriving correct code. Apt’s [1981] paper is an excellent description of the formal properties of relational semantics, and Dijkstra’s [1976] text is the standard reference on precondition semantics. Hoare’s [1969, 1973] landmark papers on relational semantics are worth reading as well. Many texts have been written on the application of axiomatic semantics to systems development; two samples are by Jones [1980] and Morgan [1994].
© 2004 by Taylor & Francis Group, LLC
99 Compilers and Interpreters 99.1 99.2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99-1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99-4 Finite Automata • Context-Free Grammars • Parsing Algorithms • Attribute Grammars
99.3
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99-10 Specifying Syntax Using Regular Expressions and Grammars • Lex/Flex and Yacc/Bison • Purdue Compiler Construction Tool Set (PCCTS) • Dealing with Ambiguity • Attribute Analysis • Intermediate Representations and Code Generation • Code Optimization • Error Recovery
Kenneth C. Louden San Jose State University
99.4 99.5
Incremental Compilation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 99-25 Research Issues and Summary . . . . . . . . . . . . . . . . . . . . . . . 99-26
99.1 Introduction Compilers and interpreters are language translators that have many functions in common, in that both must read and analyze source code. A compiler, however, produces a program equivalent to the source program in a target language, usually object or assembly code but also sometimes C, whereas an interpreter directly executes the source program. Any programming language may be either compiled or interpreted, but languages with significant static properties (e.g., FORTRAN, Ada, C++) are almost always compiled, whereas languages that are more dynamic in nature (e.g., LISP, Smalltalk) are more likely to be interpreted. Languages that differ substantially from the standard von Neumann model of most architectures (e.g., PROLOG) may also be interpreted rather than compiled. A performance penalty is incurred by interpretation over compilation, so in cases where speed is critical, compilation is to be preferred. By mixing compilation and interpretation, this performance penalty can be reduced, usually to well within an order of magnitude. The advantage to interpretation is that the compilation step is avoided (useful during program development), and an interpreter offers greater control over the execution environment (useful for complex run-time environments) and greater flexibility in adapting to different architectures. The first translators were developed in the 1950s. Prior to the development of high-level languages, a compiler was essentially what is known as a linker today: it compiled a collection of machine-language routines from a library to form a single program. A team at IBM under the direction of John Backus is generally credited with developing the first commercial compiler for a high-level language, during the period 1954 to 1957 [Backus et al., 1957]. The language translated by this first compiler was FORTRAN, which was designed simultaneously with the compiler (and is also credited with being the first highlevel language). Modern translation techniques were first used in Algol60 compilers a few years later
© 2004 by Taylor & Francis Group, LLC
(see e.g., [Randell and Russell, 1964]), when the relationship of language translation to the theory of finite automata and context-free grammars became better understood. The study of these subjects was further stimulated by this relationship, and by the early 1970s most of the standard techniques in use today were known. Since then, general improvements in translators have come in the following areas: The automation of a significant portion of the construction of a translator Improvements in the speed of the target code, due to the increased application of code-improving (or optimizing) algorithms A greater ability for compilers to be relatively easily retargeted, or rewritten for a new target machine language, due in part to automation and in part to a better understanding of the required compiler structure Improvements have also come in the implementation of special language features, such as exception handling, generics (parametric polymorphism), object-oriented features (such as dynamic binding), and parallelization, due to increasing understanding of these mechanisms. One area in which significant theoretical advances have taken place in the last 20 years is in the translation of functional languages, with new algorithms for type checking, type classes, and interpretation by tree reduction (see e.g., [Peyton Jones, 1987]). So far, however, these techniques have remained outside of the mainstream of languages and translators. An important aspect of the technology of translators is its strong interaction with language design. For example, the introduction of block structure in the Algol language family gave impetus to the development of stack-based translation algorithms. In turn, the stack-based algorithms influenced the development of language semantics specifically designed to take advantage of the algorithms, such as the lexical scope rule and the principle of syntax-directed translation, in which the semantics of a program (i.e., its execution behavior) is directly reflected in its syntax, or structure, so that translation can be guided by this structure. (This rule could equally well have been formulated as semantics-based syntax.) Because of its early appearance, FORTRAN was not designed with these principles in mind, and it remains a somewhat more difficult language to translate with the standard techniques than later languages of the Algol family. Another aspect to the development of language translators has been the tendency of the computing community to constantly rediscover or recreate translation techniques (other than the basic, well known ones outlined in many texts). Primarily, this is due to the lack of detailed documentation of specific translators in the computer science literature. This, in turn, is largely due to the commercial and/or proprietary nature of most translators. Two translators that historically were reasonably well documented and exerted a corresponding influence on subsequent translator construction, were the portable C compiler [Johnson, 1978] and the PASCAL P-compiler [Wirth, 1971] [Nori et al., 1981]. Lately, the availability of public-domain software from the Internet has greatly improved the opportunity to study existing translators. Particularly well-documented and of high quality are the compilers distributed as part of the GNU software project of the Free Software Foundation [Stallman, 1994]. Common to almost all modern compilers is a conceptual structure in which the tasks performed are divided into phases, or logically complete processing steps. The standard phase structure is shown in outline in Figure 99.1. The first phase, called the scanner, or lexical analyzer, is the only phase directly involved in reading the source program. It converts the characters of the source program into tokens, sequences of characters that represent the basic units of program structure. Typical tokens are keywords such as while, numeric literals such as 3.14159, and identifiers. The second phase in a compiler is the parser, or syntactic analyzer, which collects sequences of tokens into complete units, such as expressions, statements, and declarations. The output of the parser (either explicitly or implicitly) is a tree or other equivalent data structure representing the structure of the programming unit just recognized. This tree is called the syntax tree. The third phase in a compiler is the semantic analyzer, which computes attributes, or properties of each programming construct, as well as its effect on the attributes of other constructs. Typical attributes include © 2004 by Taylor & Francis Group, LLC
FIGURE 99.1 The phases of a compiler.
data types of expressions and identifiers, memory sizes, and actual or potential memory locations. The semantic analyzer also determines if the construct makes sense according to these attributes. That is, it performs consistency checks, such as type checking or range checking. The output of the semantic analyzer can be represented by an attributed tree representing the original tree modified by the computed attributes. The fourth phase in a compiler is called the optimizer in Figure 99.1. This phase usually generates some form of linear code, called intermediate code, from the representation passed to it by the semantic analyzer. It also applies some forms of code-improving algorithms, either before or after generating intermediate code (or both). This phase of compilation is the most variable in different compilers; it may even be absent altogether. The fifth and final compiler phase shown in Figure 99.1 is the code generator. This phase generates the final target code and may also perform some additional improvements to the code. All of the phases of a compiler interact with various tables and handlers within the compiler. Figure 99.1 shows three important examples of these other components: the symbol table, the literal table, and the error handler. The figure indicates their interaction with the phases by a large double-headed arrow. The symbol table maintains the names defined by the program under translation, as well as possible predefined names in the language, and associates the names with their attributes, which may include scope, memory location, data type, and memory size. The symbol table may be monolithic, or it may be separated into a tree or graph of smaller tables, representing different scopes in the program. A similar table is needed for literal values that appear in the program, such as strings and numeric literals. The third component shown in Figure 99.1 is the error handler, whose job it is to generate different kinds of error messages but, more importantly, to provide error recovery, so that translation may continue (at least as far as is practical) in the presence of errors. It must be emphasized that the compiler phases are logical units only and may not correspond to any actual grouping of operations within the compiler itself, or to any temporal sequencing of these operations. © 2004 by Taylor & Francis Group, LLC
Indeed, it is customary for scanning, parsing, and some semantic analysis to be completely integrated in a single pass over the source code. A compiler may even be one-pass, in that all phases, including code generation, are performed simultaneously (assuming that the language itself permits it). More likely is that there are separate passes for parsing (including scanning), optimization, and code generation (with later passes using the intermediate code generated by the first pass). If the language does not require names to be declared before use, then a pass is also necessary to resolve name references. A useful division of the tasks performed by a compiler is into an analysis part and a synthesis part, sometimes also referred to as the front end and back end. The analysis part is concerned with analyzing the source program, whereas the synthesis part is concerned with generating the target program. The analysis part depends primarily on the source language, whereas the synthesis part depends primarily on the target language or target machine. Scanning, parsing, and semantic analysis are part of the front end, whereas code generation is part of the back end. Optimization and the generation of intermediate code usually require information about both the source and the target; these are more difficult to divide into a front-end component and a back-end component. The more successfully this is done, the easier it is to retarget the compiler. In the best case, a group of compilers can share front ends and back ends interchangeably. A popular and effective design for an interpreter consists of a compiler front end and a back end that is an interpreter for the intermediate code produced by the front end. This results in a reasonably efficient interpreter that is also easily retargetable.
99.2 Underlying Principles Algorithms used in translators are based heavily on computation theory and, to a lesser extent, on formal semantics. Scanners are direct implementations of finite automata that solve string recognition problems through nonrecursive pattern matching. Parsers depend on the theory of context-free grammars and pushdown automata, which solve recursive recognition problems through stack-based pattern matching. Semantic analysis depends on solving sets of tree equations called attribute grammars. Code generation and interpretation can also be seen as applications of attribute grammars. It is possible to use even more formal semantic specifications, particularly denotational specifications, of the source and target languages to construct semantic analyzers and code generators (see, e.g., [Polak, 1981] [Lee, 1989]). The advantage to doing so is that the compiler can be proved correct (i.e., the semantics of the source and target programs are guaranteed to be the same). However, these techniques have not become popular, and we do not discuss them further. In the remainder of this section, we will discuss each of the areas mentioned in a little greater detail.
99.2.1 Finite Automata A finite automaton is an abstract computational machine consisting of a finite number of states and transitions between states based on input symbols. The machine runs by beginning in the starting state and consuming input symbols while entering new states via corresponding transitions, until either an error state or an accepting state is reached. At that point, it may declare success or failure, or possibly continue executing. Each state represents stored knowledge about the computation up to that point. A finite automaton can handle arbitrary repetition by a fixed, finite set of input symbols, but it cannot handle recursive processes, because that would involve an unpredictable number of states. Finite automata are the basis for the recognition of tokens within a scanner. Based on the well known correspondence from computation theory between finite automata and regular expressions, tokens are usually given initially by regular expressions, which are specifications for the string patterns, or lexemes, that a token represents. The mathematical theory of regular expressions limits itself to the consideration of three matching operations: the choice between two alternatives, indicated by the vertical bar | (similar to the logical OR operation); the concatenation or sequencing of two strings (with no operator symbol); and the repetition of a pattern, indicated by a postfix asterisk ∗ (sometimes called the closure or Kleene closure operation). Parentheses are also used to group subexpressions together. As an example of the use © 2004 by Taylor & Francis Group, LLC
of regular expressions to represent tokens, the following regular expression for a token represents simple, unsigned numbers consisting of a sequence of one or more decimal digits: (0|1|2|3|4|5|6|7|8|9) (0|1|2|3|4|5|6|7|8|9)∗ Such a regular expression can be converted into a finite automaton by one of several standard algorithms. The basic method is to use Thompson’s construction [Aho et al., 1986, p. 122] to derive a nondeterministic automaton (i.e., one with an unpredictable next state) from the regular expression, and then to use the subset construction [Aho et al., 1986, p. 118] to derive an equivalent deterministic automaton from the nondeterministic one. Other algorithms exist that perform this conversion in one step and also construct an automaton with a minimal number of states. Whereas these algorithms can sometimes be useful for the design of scanners, their primary use is in the construction of scanner generators such as Lex (discussed in Section 99.3.2).
99.2.2 Context-Free Grammars The theory of context-free grammars extends the ideas of finite automata and regular expressions to recursive situations. A context-free grammar is a collection of named recursive rules of the form A → 1 | . . . |n , where A is the name of the rule and the are strings of tokens and names (including possibly A itself) representing the different possible choices for the structure of A. The names are called nonterminals and the tokens are called terminals, for technical reasons explained shortly. Grammar rules are also sometimes referred to in the theory as productions. Each such rule represents the fact that a structure represented by A may become any one of the structures represented by an . The absence of context for these potential replacements of A is what makes these grammars context free. It is possible to define grammars that are more general than context-free grammars; these can be arranged according to increasing generality in what is known as the Chomsky hierarchy. However, context-free grammars are the most useful within the computational constraints of language translation. Every nonterminal in a context-free grammar defines a set of token strings: the strings of tokens that can be legally parsed by the grammar rule for that nonterminal (and associated rules). The most general structure that is defined by the grammar is usually singled out as the structure representing the entire language, and its associated nonterminal is called the start symbol. A legal parse is represented by a sequence of replacements of nonterminals by choices of right-hand sides of their associated grammar rules. This sequence of replacements is called a derivation. In a derivation, every nonterminal must eventually be eliminated by replacing it with another string, whereas a terminal, once it appears, is never replaced; this may be seen as a justification for the names terminal and nonterminal. In general, there are many possible derivations for the same string, which can be constructed by varying the order in which the replacements are made. Two kinds of derivations that are important for parsing use fixed orders for the replacements. In the first, called a leftmost derivation, the leftmost nonterminal in the current string is always the one to be replaced at the next step. Correspondingly, a rightmost derivation is one in which the rightmost nonterminal is always the one to be replaced at the next step. Although derivations are useful for expressing exactly which steps are taken in a parse, they do not express the structure of the parsed string very well. A more useful representation of this structure is the parse tree, which represents each terminal and nonterminal by labeled nodes, and each replacement step in a derivation by the construction of a set of children of the node label being replaced. In a parse tree, each leaf node is labeled by a terminal, and each interior node is labeled by a nonterminal. Even parse trees have more detail than is actually needed to determine the meaning of a structure, and a condensed form of a parse tree, called a syntax tree, is the most useful data structure for translation. In a syntax tree, nodes may have a more diverse structure than in a parse tree: they may have more than one label, and both terminals and nonterminals may be used as labels of interior nodes. As a brief example of the grammar concepts we have summarized, consider the grammar exp → exp + num | num © 2004 by Taylor & Francis Group, LLC
exp
exp exp
+
+
num
num
num
FIGURE 99.2 A parse tree for the string 3 + 4 + 5.
+ +
num
num num
FIGURE 99.3 A syntax tree for the string 3 + 4 + 5.
which has one nonterminal exp, two terminals + and num, and a single production with two choices. (Here num represents a number token with lexemes such as 42 or 7.) An example of a legal string for this grammar is 3 + 4 + 5. A leftmost (and rightmost) derivation is exp ⇒ exp + num ⇒ exp + num + num ⇒ num + num + num A parse tree for the same string is given in Figure 99.2. A syntax tree is given in Figure 99.3.
99.2.3 Parsing Algorithms Algorithms designed to match an input string of tokens based on a grammar and, either implicitly or explicitly, to construct a parse or syntax tree, are called parsing algorithms. Parsing algorithms come in two general varieties: top-down and bottom-up. Top-down algorithms construct a parse tree from the root to the leaves by guessing which structures are about to appear, based on the next part of the input string and the structure expected to be seen. Bottom-up algorithms construct a parse tree from the leaves to the root by consuming the input and forming a set of subtrees until the next structural element can be guessed from the structures seen so far and the next part of the input string. Because of the recursive nature of context-free grammars, both kinds of algorithms must use a stack, either explicitly or implicitly, to hold partial results. When it is constructed explicitly, this stack is referred to as the parsing stack, and it will possibly contain terminals, nonterminals, or other symbols representing the state of the parser. Because of the nature of their operation, top-down parsers trace out the steps of a leftmost derivation, and bottom-up parsers trace out in reverse the steps of a rightmost derivation. There are algorithms of both varieties that will parse any context-free grammar. Early’s algorithm [Early, 1970] is the most well-known bottom-up algorithm. A general top-down algorithm may be found in [Graham et al., 1980]. General algorithms may run in significantly slower than linear time (Early’s algorithm requires cubic time in general), so they are rarely used in practice. Standard algorithms for topdown parsing are the LL(k) algorithms (parsing the input from left to right, giving a leftmost derivation, using k symbols of lookahead), and the LR(k) algorithms for bottom-up parsing (parsing the input from left to right, giving a rightmost derivation, using k symbols of lookahead). Both kinds of algorithms require that a grammar satisfy extra conditions to be parsable. The LL(k) algorithms in particular are quite restrictive, although easy to use. The LR(k) algorithms, although less restrictive, are more complex. © 2004 by Taylor & Francis Group, LLC
One top-down parsing method that is more flexible than the LL(k) methods is called recursive-descent. A bottom-up algorithm that is simpler than the LR(k) algorithms is called LookAhead LR(1) (LALR(1)) [DeRemer, 1971] [DeRemer and Pennello, 1982] and is normally restricted to one symbol of lookahead. Because these algorithms have proved themselves to be the most effective and easiest to use in practice, we discuss them in a little more detail. In recursive-descent parsing, the grammar rules are viewed as prescriptions for the code of a set of mutually recursive procedures, one for each nonterminal. Recursive-descent, although suffering from some of the same problems as LL(k) parsing, is more flexible and can use simple ad hoc techniques to solve many of the problems of LL(k) parsing [Wirth, 1976]. For instance, simple left recursion, which cannot be handled directly by an LL(k) parser, can be handled in recursive-descent by noting that a left-recursive rule A → A | is equivalent to a parsing procedure that first recognizes and then a sequence of zero or more ’s (because the grammar rule generates strings of the form . . . ). Thus, a recursive-descent procedure for the grammar exp → exp + num | num can be written using a while loop, as follows: void exp(void) { match(NUM); while (nextToken == PLUS) { match(PLUS); match(NUM); } } An LALR(1) parser uses an explicit parsing stack instead of recursion. The state of a parse can be expressed by a finite automaton whose states consist of sets of so-called items, each item consisting of a production choice, a distinguished position indicated by a period (representing the point of progress in recognizing the rule), and an associated set of lookahead tokens legal at that point in the parse. (In the following discussion, we will use the so-called LR(0) items that lack a lookahead component; although LALR(1) items are more complex, the basics of the LALR(1) algorithm can be understood using these simpler items.) Consider, for instance, the grammar exp → exp + num | num, which we will write for convenience in the form E → E + n | n. There are six LR(0) items: E →.E + n, E → E . + n, E → E +. n, E → E + n., E →.n, and E → n.. The start of a parse is indicated by beginning in a state represented by a new rule representing a start symbol that cannot appear elsewhere, and which we will write as E → E in the example. The corresponding initial item is E →.E . Because this rule represents the fact that we may be about to recognize an E , we must also include the items E →.E + n and E →.n in this state. Transitions to new states are then given by moving the period past the symbols that follow it. For instance, there is a transition on the symbol E from the start state to the state containing the item E → E . + n, and a transition on the symbol n from the start state to the state containing the item E → n.. The complete finite automaton of items is given in Figure 99.4.
FIGURE 99.4 A DFA of sets of LR(0) items. © 2004 by Taylor & Francis Group, LLC
This finite automaton has no accepting states and is only used to keep track of the state of the parser. It is used in conjunction with a parser stack that holds the state numbers that the parser has passed through while parsing the input. It is used as follows. First, the initial state is pushed onto the stack. Then, the next input token is consulted. If there is a transition on this token from the current state (on top of the stack), then the token is removed from the input and the new state is pushed onto the stack; this is called a shift operation. If, however, there is an item in the current state of the form A → . (a so-called final item), then this indicates that the string has already been recognized, and it can be replaced by A; this is called a reduce operation. A reduce operation is performed as follows. The states on the stack corresponding to are popped from the stack (one state for each symbol in ). The state remaining at the top of the stack must have a transition on A, which is then taken, and the new state is pushed onto the stack. As an example of this process, consider the automaton of Figure 99.4, and suppose that the input string is n + n. We depict the initial state of the parse as follows: Parsing Stack
Input
$0
n + n$
The $ in this representation is used to indicate both the bottom of the stack and the end of the input. The first step in the parse is a shift on n from state 0 to state 2. Then, a reduction by E → n takes place, and the parser moves to state 1. At that point, the + and n are shifted, and the parser is in state 4. Then, a reduction by E → E + n is made, popping states 4, 3, and 1, revealing again state 0. Again, the E transition is followed into state 1. At this point the end of the input is encountered, and a reduction by E → E is made, which corresponds to accepting the input. The complete set of actions of the parser is given in Table 99.1, in which shift actions also include the new state number. Table 99.2 shows the LALR(1) parsing table for this simple grammar, which is used by the parser to select the actions indicated in Table 99.1. This table is two dimensional and is indexed by state and lookahead token. Each table entry contains an action; shift entries are indicated by an s and the new state number; reduce entries are indicated by an r and the rule to be reduced; empty entries are errors. Whereas this table is closely related to the automaton of Figure 99.4, the exact entries can only be inferred from a lookahead component, which we did not compute here. An additional area in Table 99.2 is called the goto area. In this area are the transitions on nonterminals that are performed during reductions. These are essentially the same as shift operations, except that no TABLE 99.1
The Actions of an LALR(1) Parser
Parsing Stack
Input
Action
$0 $02 $01 $013 $0134 $01
n + n$ + n$ + n$ n$ $ $
shift 2 reduce E → n shift 3 shift 4 reduce E → E + n accept
TABLE 99.2
An LALR(1) Parsing Table
State 0 1 2 3 4
© 2004 by Taylor & Francis Group, LLC
Input n s2
Goto
+
$
s3 r (E → n)
accept r (E →n)
r (E → E + n)
r (E → E + n)
s4
E 1
input is consumed. A parser may also choose to condense this table by the use of default entries. For example, because state 2 only has reduce entries by the same rule, this could be made the default, in which case even on input token n the parser will perform the given reduction. This has the effect of postponing the declaration of error, but it cannot result in an incorrect parse. A similar default can be used for state 4. One final bottom-up parsing method that deserves mention is operator-precedence parsing. This is a method that predates the LALR(1) method, but it can be used effectively on expression grammars involving infix operators; see [Aho et al., 1986, pp. 203–215] for a description.
99.2.4 Attribute Grammars Whereas context-free grammars are generally accepted as the standard way to describe the syntax of a programming language, there is no equivalently accepted method for describing semantics. Formal methods for describing semantics, such as operational semantics or denotational semantics, have not met with universal acceptance, and although translators can be derived from such specifications, this is rarely done. Instead, various ad hoc mechanisms are used in translators to perform semantic analysis and code generation or interpretation. One method that has proved useful for the translator writer is to use a so-called attribute grammar to describe the semantics of a programming language [Knuth, 1968]. An attribute grammar associates to each grammar rule a set of equations describing the computational relationships among a set of attributes attached to the symbols in the rule. These attributes can be anything from the data type of a variable to the value of an expression; even the target code generated by a compiler can be represented as a string attribute in an attribute grammar. Most often, attributes are used to represent the static, rather than the dynamic, properties of programs, and they are viewed as fixed values attached to the nodes of a syntax tree. Indeed, attribute values are usually written using a dot notation similar to that of record fields, so that X.a means the value of attribute a of symbol X. Attributes may be implemented as fields in syntax tree nodes, or they may be stored in the symbol table or other data structures elsewhere in the translator. Given a set of attributes a1 , . . . , ak and a grammar rule choice X 0 → X 1 X 2 . . . X n , the j -th attribute at the i -th symbol is given in an attribute grammar by an equation of the general form X i .a j = f ij (X 0 .a1 , . . . , X 0 .ak , X 1 .a1 , . . . , X 1 .ak , . . . , X n .a1 , . . . , X n .ak )
(99.1)
where f ij is a mathematical function. An attribute grammar is thus written in purely functional style without side effects. As an example, consider the grammar exp → exp + num | num, which we may assume expresses the summation of a series of numbers. An attribute grammar for the numeric value of an expression defined by this grammar is given in Table 99.3. Note that the two instances of the nonterminal exp in the first grammar rule must be distinguished by subscripting, and that the terminal num is assumed to have its numeric value (called lexval in Table 99.3) precomputed, possibly by the scanner. Of particular importance to the translator writer are the kinds of dependencies that the attribute equations create among the attributes of different symbols in a parse tree, because these dependencies determine when and how — or even if — the attributes can be computed during translation. A primary requirement is that the attribute grammar not have any circular dependencies. In practical situations, this requirement is virtually guaranteed unless an error has been made. Attributes whose dependencies flow
TABLE 99.3
An Attribute Grammar for a Simple Expression Grammar
Grammar Rule
Attribute Equations
exp1 → exp2 + num exp → num
exp1 .val = exp2 .val + num.lexval exp.val = num.lexval
© 2004 by Taylor & Francis Group, LLC
from right to left in the grammar rules (i.e., those whose Equations 99.1 all have only the symbol X 0 on the left) are called synthesized attributes; any other attributes are called inherited. Synthesized attributes can be computed bottom-up during a parse, or by postorder traversal of the syntax tree, whereas inherited attributes require a more complex computation scheme. Indeed, as the name implies, inherited attributes are often passed down the syntax tree from parent to child, or from sibling to sibling, and so can be computed by some form of modified preorder traversal of the syntax tree. A great deal of effort can be expended to ensure that all attribute values are computable during the parsing phase, to avoid having to construct the entire syntax tree and to avoid having to make additional passes over the input. The requirements that this places on the attribute grammar vary, depending on the parsing method employed. First, because virtually all parsers read the input from left to right, the attributes must be computable from left to right. This means that all inherited attributes at a symbol must depend only on the attribute values of its left siblings and the inherited attributes of its parent. In terms of Equation 99.1, this means that each equation for an inherited attribute (X i .a j is on the left and i > 0) must have the form X i .a j = f ij (X 0 .a1 , . . . , X 0 .ak , X 1 .a1 , . . . , X 1 .ak , . . . , X i −1 .a1 , . . . , X i −1 .ak )
(99.2)
and that only inherited attributes of X 0 may appear in the f ij . An attribute grammar in which all equations for inherited attributes are of this form is called L-attributed. A further requirement for attribute evaluation during parsing is a form of strong noncircularity, in which an order for attribute evaluation can be fixed in advance without incurring any cycles (naturally occurring attribute grammars satisfy this noncircularity requirement, too). The particulars of the parsing algorithm can also have a significant effect on which attributes are computable during parsing. Recursive-descent parsers are the most flexible; in the recursive routines, inherited attributes can be implemented as passed parameters, whereas synthesized attributes become returned values [Katayama, 1984]. Bottom-up parsers most naturally compute synthesized attributes. They do this by maintaining a stack of attribute values in parallel with the parsing stack. New synthesized attributes are computed on this stack at each reduction step. It is also possible to evaluate certain inherited attributes during a bottom-up parse, but this often requires that the grammar be rewritten, so that the attribute equations can be converted to a manageable form. Indeed, it is theoretically possible to rewrite a grammar so that all attributes become synthesized [Knuth, 1968]. However, the grammar thus produced bears little resemblance to the original. Thus, in difficult situations, it may be preferable to delay an attribute computation until after the parse and avoid rewriting the grammar into an unrecognizable form.
99.3 Best Practices The theory of scanning, parsing, and attribute analysis implies that, in principle, a compiler or interpreter can be generated automatically from descriptions of the source language, attributes, and target machine. Whereas a number of compilers have been generated in this way [Farrow, 1984], it is not common. This is partially because the necessary tools (particularly for optimization and code generation) are complex and have not become standard, and partially because of the need for efficiency, both in translation and in terms of the generated code, which is more difficult to achieve using general tools. At this writing, it is common to automate only the construction of the scanner and the parser, although at least partial automation of code generation has become more common with the increasing importance of retargetability. Whereas a large number of scanner and parser generators have been written, only a few have gained broad acceptance. We describe here two sets of tools that have been used in many compilers: the Unix tools Lex and Yacc (and their public domain versions Flex and Bison), and the Purdue Compiler Construction Tool Set (PCCTS). Yacc produces an LALR(1) parser, whereas PCCTS produces a recursive-descent parser.
© 2004 by Taylor & Francis Group, LLC
Both sets of tools were designed initially to generate C code, but versions of both exist that can generate C++ code. PCCTS has also been extended to generate Java code. Another tool, not discussed here, is JavaCC: it is written in Java and generates a recursive-descent parser in Java. It should be noted that many commercial compilers and interpreters have been written by hand without the use of any tools at all; in such cases, the parsers are usually written using recursive-descent.
99.3.1 Specifying Syntax Using Regular Expressions and Grammars In order to automate the task of generating a scanner and a parser, the first step is to specify the tokens using regular expressions and the syntax using context-free grammar rules. Although it is essential to understand the mathematical theory of both of these mechanisms, the theory ignores extensions and features of practical importance. We mention a few of these here. The theory of regular expression relies on only three operations: concatenation, choice, and repetition. Whereas these are enough to match any string recognizable by a finite automaton, most pattern-matching systems extend this set of operators in many ways. As a typical example, consider the regular expression [0-9]+(\.[0-9]+)? which is written using standard conventions for the Unix tools Lex and Grep. This expression specifies a pattern for a simple floating point constant without exponential part: the expression [0-9] refers to a choice from the range of characters 0 to 9 (i.e., a digit), the + indicates a repetition of one or more (a+ is equivalent to aa∗ ), the backslash in front of the period escapes the metacharacter meaning of the period (otherwise, it would match any character), and the question mark indicates an optional component. Even with these extensions, it is sometimes difficult to write regular expressions for certain patterns, even when such patterns do exist, and one may choose to apply an ad hoc recognition process instead of using a regular expression. A notorious case in point is that of C comments, which can be loosely described as /∗ (not ∗ /) ∗ /. The trouble is expressing (not ∗ /) as a regular expression. More generally, the nonexistence of sequences of more than one character in a string is a difficult property to express as a regular expression. Fortunately, these situations do not occur very often in real languages. It is also necessary to be aware that the theory of regular expressions can easily be extended to cover simple nonregular situations. For instance, nested comments require recursion and so cannot be directly expressed as a regular expression. Nevertheless, adding a simple counter variable to a scanner permits it to recognize potentially nested comments. Similar considerations arise in defining syntax using context-free grammars. Consider the following grammar, which specifies a simple four-function floating-point calculator program with a single memory: session → asgn nl session | nl asgn → = expr | expr expr → expr addop term | term addop → + | term → term mulop factor | factor mulop → * | / factor → - factor | ( expr ) | NUMBER
|
m
A session consists of a sequence of assignments (asgn) followed by newlines (indicated in the grammar by nl), or just a newline (this is used to end the session). The arithmetic operations have their usual meanings. The optional = sign at the beginning of an asgn indicates assignment of the value of the following expression to the memory. The single letter m in a factor fetches the value of this memory. The token NUMBER is the only token with more than one possible lexeme, and it is assumed to be given by the regular expression given earlier in this section.
© 2004 by Taylor & Francis Group, LLC
A sample session with an interpreter for this grammar might look as follows: = 3.14 - 2 1.14 = m*3.14 + 3 6.5796 m*3.14 - 4 16.6599 This represents a computation of the value of the polynomial x 3 − 2x 2 + 3x − 4 at the point x = 3.14 using Horner’s rule (x 3 − 2x 2 + 3x − 4 = ((x − 2)x + 3)x − 4). This grammar is written in a style called Backus normal form or Backus-Naur form (BNF). In it, the only metasymbols are the arrow and the vertical bar (sometimes ::= or : or = is used instead of the arrow, and sometimes nonterminals are distinguished more directly from terminals by surrounding them with angle brackets <. . . >). Repetition is expressed by recursion, and optional features are expressed by writing separate choices. This grammar also expresses the associativity and precedences of the operators: a left-recursive grammar rule such as expr → expr addop term indicates left associativity, and the different precedence levels expr, term, and factor cause the operators at each level to be given precedences in ascending order (lowest precedence first). When recursion is used only to express repetition, it can be written on the right or the left: the rule for a session is written right-recursively for more or less arbitrary reasons. An alternative to this grammar would be to condense it to the following grammar (still in BNF): session → asgn nl session | nl asgn → = expr | expr expr → expr op expr | - expr | ( expr ) | NUMBER | m op → + | - | * | / This grammar is ambiguous, however, in that the order in which the operations are applied is not specified, and a legal string may have many different parse trees. This grammar can still be used as the basis for the calculator, as long as separate disambiguating rules are stated, giving the associativities and precedences of the operators. The advantage to this is that the grammar itself becomes shorter and easier to understand. A different variety of context-free grammar is obtained by adding metasymbols representing optional and repeated constructs. One standard version of this is called extended BNF (EBNF), which uses square brackets [. . . ] to surround optional constructs, and braces {. . . } to surround repeated constructs (one could just as well use parentheses, ?, and ∗ as in regular expressions). The calculator grammar in EBNF becomes session → { asgn nl } nl asgn → [ = ] expr expr → term { addop term } addop → + | term → factor { mulop factor } mulop → * | / factor → - factor | ( expr ) | NUMBER | m In such a grammar, the associativity of the operators is now suppressed in favor of showing the repetition directly. A standard convention is to assume left associativity of operators in any rule using the braces (since a session has no operators, the associativity of its rule is of no consequence). © 2004 by Taylor & Francis Group, LLC
99.3.2 Lex/Flex and Yacc/Bison Lex [Lesk, 1975] and Yacc [Johnson, 1975] are scanner and parser generators that are a part of most Unix distributions. Both have public domain versions, Flex (Fast Lex [Paxson, 1990], based on ideas of [Jacobson, 1987]) and Bison, which run under a variety of operating systems. Each of these programs reads a definition file and produces as output a C source code file containing a scanning/parsing procedure. The definition file for each has the same basic format: {definitions} %% {rules} %% {auxiliary routines} We discuss the contents of the definition files first for Lex and then for Yacc, using our running example of a simple calculator program whose tokens and grammar were described previously. The Lex definition file for the calculator scanner is given in Table 99.4. In this example, the definitions section contains a #include directive inside the brackets %{ and %} and the definitions of the three tokens digit, number, and whitespace, using regular expressions written with previously described metasymbols (whitespace, for example, is defined to be a sequence of one or more blanks or tabs). All code inside the special brackets is inserted directly at the beginning of the C output file, thus allowing the user to provide declarations/definitions that may be used by the rest of the C code. In this case, the only insertion is to indicate the inclusion of the file y.tab.h. This file can be generated by Yacc, and it contains the definitions of tokens and other globals that permit communication between the Lex-generated scanner and the Yacc-generated parser. In our example (and for one particular version of Yacc), this file is as follows: /* file y.tab.h */ extern double yylval; extern int yylineno; #define NUMBER 258 #define UNARY 259 The subsequent Lex code uses only the definition of NUMBER and yylval from this file. The rules section specifies the actions that the Lex scanner is to take when each token is recognized. These actions are placed inside a C block and are inserted directly at the appropriate places in the scanner. In Table 99.4, the specified actions are as follows. All whitespace is skipped (empty action). A number
TABLE 99.4
A Lex Definition File
/************************************************************* CALC.L *************************************************************/ %{ #include "y.tab.h" %} digit [0-9] number {digit}+(\.{digit}+)? whitespace [ \t]+ %% {whitespace} {/* skip */} {number} { sscanf(yytext,"%lf", &yylval); return NUMBER; } \n { return '\n'; } . { return yytext[0]; }
© 2004 by Taylor & Francis Group, LLC
causes the scanner to compute the floating point value from the yytext string and place it in yylval, and then return the NUMBER token. (The yytext string contains the lexeme matched from the input.) The newline character \n is singled out for special handling, because it is not placed in the yytext string; it is returned directly. Finally, the period indicates a default action (it matches any character), and this causes the character value itself to be returned (yytext[0]). This concludes the description of the calculator Lex file in Table 99.4. Note that this file contains no auxiliary routines section, and the %% symbol separating this section from the previous rules section is also omitted. We turn now to a description of the Yacc definition file, which is in Table 99.5. The definitions section contains two lines of C code to be inserted in the output file. The first defines YYSTYPE to be double; this is the type used to define the Yacc value stack, which needs to be double, because expressions compute floating point values. The second line defines a static variable mem, which is to be used as the actual memory location for the single calculator memory. The definitions section also contains the token definitions, indicated by the %token directive. In this example, only the NUMBER token need be defined; other tokens are single-character and may be referred to directly. Finally, the definitions section contains a description of the associativity and precedence of the arithmetic operators; these are necessary disambiguating rules, because the rules section uses the ambiguous form of the calculator grammar. The order in which the operators are listed determines their precedence (with lowest precedence listed first). The %left directive indicates that an operator is left associative. Finally, the UNARY token is implicitly
TABLE 99.5
A Yacc Definition File
/************************************************************* CALC.Y *************************************************************/ %{ #define YYSTYPE double static double mem; %} %token NUMBER %left '+','-' %left '*','/' %left UNARY %% session :/* empty */ | session '\n' { exit(0); } | session asgn '\n' {printf("\t%g\n", $2);} | session error '\n' {yyerrok;} ; asgn : '=' expr { mem = $2; $$ = $2;} | expr { $$ = $1; } ; expr : expr '+' expr { $$ = $1 + $3; } | expr '-' expr { $$ = $1 - $3; } | expr '*' expr { $$ = $1 * $3; } | expr '/' expr { $$ = $1/$3; } | '-' expr %prec UNARY { $$ = - $2; } | '(' expr ')' { $$ = $2; } | NUMBER { $$ = $1; } | 'm' { $$ = mem; } ; %% int main() { yyparse(); return 0; } int yyerror(char* t) { fprintf(stderr,"%s\n", t); return 0;}
© 2004 by Taylor & Francis Group, LLC
defined by the last definition as having the highest precedence. It will be used to give unary minus a higher precedence than any of the binary operators. The rules section of the Yacc specification contains the grammar in a modified BNF format, with actions contained in braces. Since Yacc is a bottom-up parser generator, it is easiest to use to compute synthesized attributes. In the calculator grammar, the value attribute is synthesized, and it is this attribute that we use Yacc’s value stack to compute. The stored memory value, which has an inherited component, is handled directly by using the defined mem variable. The action code refers to the attribute values on the value stack by using symbols beginning with $. The symbol $$ refers to the (synthesized) value to be computed for the nonterminal defined by the rule. Each of the symbols $1, $2, etc., refers to the attribute value computed for each symbol on the right-hand side of the grammar rule. Thus, $$ = $1 + $3 in the rule exp : exp + exp indicates that the value of the first and third symbols (the right-hand expressions) are to be added to get the value of the result expression. This convention allows Yacc rules to be written in a style very close to the synthesized rules of an attribute grammar. A few changes have been made to the grammar to make it more usable with Yacc. One is that the operators are written directly into the expressions, instead of being listed separately; this eliminates the need for a separate character attribute for an operator rule. Two additional changes have been made to the grammar rule for a session. First, the rule is written in left-recursive instead of right-recursive form. A right-recursive rule causes the parsing stack to grow without limit; this means that a very long session might cause a stack overflow (a similar situation is caused by tail recursive procedure calls). Thus, all right-recursive rules that do not reflect an associativity requirement should be rewritten in left-recursive form. The remaining change is the addition of the rule session : session error '\n' {yyerrok;} to the choices for a session. This is an error-handling production. It matches any line that is not a legal assignment to the internally defined Yacc nonterminal error, and the action yyerrok resets the Yacc parser to accept more input. Yacc also automatically calls a yyerror procedure that can print an error message or perform some other action. Finally, the auxiliary routines section of Table 99.5 contains a main procedure which just calls the parsing procedure yyparse which is generated by Yacc. (The scanning procedure generated by Lex is called yylex and is automatically called at the appropriate times by yyparse.) The yyerror procedure is also defined in this section; it simply prints an error message (supplied by Yacc). Assuming that the Lex definition for the calculator is in the file calc.l, and the Yacc definition is in the file calc.y, then a running calculator program can be built in Unix with the commands lex -I calc.l yacc -d calc.y cc y.tab.c lex.yy.c -ll -ly The file y.tab.c is the output file produced by Yacc, and the file lex.yy.c is the output file produced by Lex. The option -I causes Lex to produce an interactive scanner (i.e., one with lazy lookahead), the option -d causes Yacc to produce the file y.tab.h automatically, and the options -ll and -ly cause the C compiler to consult the Lex and Yacc libraries when linking (if necessary). One additional Yacc feature is the verbose option -v. If we give the command yacc -v calc.y then a file y.output is produced that contains a description of the parsing table used by the Yaccgenerated parser, similar to Table 99.2. This can be useful in tracking down exactly the behavior of the parser.
99.3.3 Purdue Compiler Construction Tool Set (PCCTS) PCCTS [Parr et al., 1992] is a set of tools for automatically generating scanners and recursive-descent parsers. Although these parsers suffer from some of the same restrictions as other top-down parsers, © 2004 by Taylor & Francis Group, LLC
TABLE 99.6
A PCCTS Definition File
/************************************************************* CALC.G *************************************************************/ #header << typedef double Attrib; #define zzcr_attr(a,tok,t) sscanf(t,"%lf,''a); >> << static double mem; int main() { ANTLR(session(),stdin); return 0; } >> #token WhiteSpace "[\t\ ]*" << zzskip(); >> #token NUMBER "[0-9]+{.[0-9]+}" session : (asgn "\n" << printf("\t%g\n", $1); >>)* "\n" << exit(0); >> ; asgn : "\=" expr << mem = $2; $asgn = $2; >> | expr << $asgn = $1; >> ; expr : term << $expr = $1; >> ("\+" term << $expr += $2; >> | "\-" term << $expr -= $2; >> )* ; term : factor << $term = $1; >> ("\*" factor << $term *= $2; >> | "\/" factor << $term /= $2; >> )* ; factor : "\-" factor << $factor = - $2; >> | NUMBER << $factor = $1; >> | "\(" expr "\)" << $factor = $2; >> | "\m" << $factor = mem; >> ;
PCCTS offers some advantages over Lex and Yacc. First, the parser and scanner generators are more fully integrated, so that only one definition file must be created; this file contains both the token and the grammar definitions. Second, there are tools for applying automatic disambiguating rules using syntactic predicates (checked automatically by the parser) or semantic predicates (supplied by the user), or by increasing the number of lookahead symbols (PCCTS parsers are not restricted to single symbol lookaheads). Finally, there are additional tools within PCCTS for the automatic generation of both syntax trees and target code. As with Yacc and Lex, we give a description of a PCCTS definition file using the calculator grammar as an example. The only file needed for PCCTS is shown in Table 99.6. The general form for this file (somewhat simplified) is {header} {actions or token definitions} {rules or token definitions} {actions or token definitions} The header contains C definitions that will go both in the scanner code and the parser code. Actions are C code for auxiliary procedures and data. Token definitions contain regular expressions for tokens, together with actions to be taken on recognition. Rules are grammar rules in a modified EBNF form that © 2004 by Taylor & Francis Group, LLC
also contain actions for execution during the recognition process. Actions must be contained inside the bracketing metasymbols <<. . . >>. Table 99.6 contains a header, an action with the definitions of the mem variable and the main procedure, two token definitions, and five rules. There are no actions or token definitions after the rules. The header section contains a typedef of Attrib, which is the internal name for the returned value of the recursive-descent procedures (this corresponds directly to the Yacc value stack type YYSTYPE). The header also contains a definition of the internal macro zzcr_attr, which is used whenever a token string is to be converted to a value of type Attrib. There is only one such token — NUMBER — and zzcr_attr is identified with a call to the C string scan function sscanf that converts a string to a double. The main program is defined in the first action section using the macro ANTLR(session(),stdin); ANother Tool for Language Recognition (ANTLR) refers to the parser generation utility of PCCTS. The parameter session() indicates that the start symbol of the grammar is session, and so a call to the corresponding procedure begins the parse. The second parameter indicates the input file from which the program is to be taken, in this case stdin. The token definitions consist of the symbol #token, followed by the name of the token, a regular expression in quotes defining the token (using conventions similar to Lex and other regular expression processors), and an optional action section. In Table 99.6 two tokens are defined, WhiteSpace and NUMBER; the action zzskip() for WhiteSpace causes this input to be discarded, and the token NUMBER has no action (recall that zzcr_attr already tells the scanner how to convert a NUMBER to a double). Finally, the rules are given in a modified EBNF form, where (. . . )* indicates a repetition of 0 or more times and {. . . } indicates an optional part. Again, as in the previous Yacc solution, we have rewritten the session rule so that it is the EBNF equivalent of a left-recursive rule, which saves space on the call stack. We have also included the operator tokens directly in the rules for expressions, saving some steps. Note that PCCTS also allows tokens to be written directly into the rules using double quotes (the \ is used to avoid any metasymbol interpretation). Note how the actions for expressions and terms are embedded within the rules to achieve the desired results. Assuming that the PCCTS definition file is called calc.g, a running calculator program can be built with the Unix commands: antlr calc.g dlg -i parser.dlg scan.c cc calc.c scan.c err.c The first line calls the main PCCTS parser generator tool ANTLR. ANTLR generates several files, the most important of which are calc.c, containing the parser coded in C, and parser.dlg, which is a scanner description specifically intended for input into the PCCTS scanner generator DLG (DFA-based lexical analyzer generator). DLG is then called in the next line, producing the scanner in the output file scan.c (the -i option indicates that the input will be interactive). Finally, the C compiler is called on calc.c, scan.c, and a third file err.c, which was also produced by ANTLR.
99.3.4 Dealing with Ambiguity Although the expectation is that a language grammar should be unambiguous, in that each legal input string will correspond to exactly one syntax tree, there are many practical situations in which it is difficult or impossible to write a grammar unambiguously. In such cases, disambiguating rules must be stated and built into the parser in some way. We have already seen how Yacc can accommodate precedence and associativity disambiguating rules for operators. We give three additional examples of the use of disambiguating rules. The dangling-else ambiguity is typical in languages such as C and PASCAL, which allow both simple and compound statements in control structures. In C the dangling-else ambiguity appears in statements like if(e) if(f) {/*then-part*/} else {/*else-part*/} © 2004 by Taylor & Francis Group, LLC
The question is: should the else-part be executed when f is false or when e is false? The standard answer is that it should be executed when f is false (and when e is true). This is called the most closely nested disambiguating rule for the if statement, because it implies that the else-part structure is to be associated in the parse tree with the closest previous if statement that does not have an else-part. This also corresponds to always preferring the second choice in the BNF rule if_statement → if (expression) statement | if (expression) statement else statement This disambiguating rule could actually be incorporated directly into the BNF, but it is slightly complicated (and not very illuminating), and the rule as stated is easily implemented in a parser. It is worth noting that languages in which the if statement has a closing keyword (such as end or endif) do not have the dangling-else ambiguity; Ada is an example of such a language. A second kind of ambiguity is represented by the availability in C++ of function-style casts, where one can write int(x) to mean the same thing as the C cast (int)x. Now consider the code fragment typedef int (*F)(); void **x; void p(void) { F (*x)(); ... } Is the first code line inside p a cast of global *x to type F, after which this function value is called, or is it a declaration of a local variable x of type “pointer to function returning a value of type F?” The C++ standard says it is the latter: any statement that may be interpreted as a declaration is a declaration. This means that all grammar rules for declarations are to be preferred to all other grammar rules. Note that this is an ambiguity between nonterminals, rather than an ambiguity within a single nonterminal, as with the dangling-else ambiguity. It is also impossible to remove this ambiguity directly within the grammar, because the order of rules in a BNF description is immaterial to the language defined. The final example of an ambiguity that we present here is also one that arises with casts, but this time in C. Consider the C statement (t)-x If t is a type name declared in a typedef, then this is a cast of the value -x to type t. On the other hand, if t is a variable, then this is the value obtained by subtracting x from t. In order to parse this correctly, it is necessary to consult the symbol table to see whether t is defined as a type. Thus, the symbol table (or at least the typedef part of it) must be built as parsing proceeds. Unlike the previous examples of ambiguity, this is a context ambiguity that cannot be resolved by purely syntactic means. In an LR parser, these ambiguities, or parsing conflicts, can be of two different kinds. The first, more common, situation is when both a shift and a reduction by a grammar rule choice are called for on the same input token; this is a shift-reduce conflict. The other case is when reductions by two different rules are called for on the same input token; this is a reduce-reduce conflict. Shift-reduce conflicts are usually resolved by selecting the shift over the reduce. This ensures that the longest possible string will be matched by each rule. The typical example is the dangling-else ambiguity, where preferring the shift corresponds exactly to the most closely nested disambiguating rule. Reducereduce conflicts, on the other hand, have no natural disambiguating rule. Parsers generally adopt an ad hoc rule, in which the reduction by the lowest-numbered rule is preferred (where the rules are numbered in the order in which they are considered by the parser). The C++ ambiguity between cast expressions and declarations (also described previously) can be resolved in this way, in favor of the declarations (as the C++ definition requires) by listing the declaration rules before the expression rules. Yacc adopts both of these disambiguating rules as stated. Unfortunately, the third ambiguity mentioned previously, a cast vs. an arithmetic expression in C, cannot be resolved by either of these means. Typically, this is handled © 2004 by Taylor & Francis Group, LLC
by having the scanner consult the symbol table when recognizing an identifier and returning a different token for a type name than for a variable. An alternative to these disambiguating rules is to build predicate testing directly into the parser generator in order to give the programmer control over the disambiguating mechanism. This is the case for PCCTS [Parr and Quong, 1994], where the ANTLR parser generator allows both syntactic and semantic predicates as disambiguating rules. For instance, the C++ ambiguity between declarations can be resolved by adding a syntactic predicate in the ANTLR definition file as follows: stat: (declaration)? declaration <<...>> | expression <<...>> ; Here, the parentheses and question mark indicate that the parser should try to match a declaration; if that fails, it should go on to try to match an expression. The third ambiguity can be solved similarly, but with a semantic predicate supplied by the user: var : <>? ID <<...>> ; typename : <>? ID <<...>> ; Again, the question mark indicates a predicate, but this time the predicate is user-supplied, as indicated by enclosing it in brackets (LATEXT(1) is the lexeme of the next token in the input, made available by the scanner).
99.3.5 Attribute Analysis Yacc and ANTLR restrict the kinds of attributes that can be reasonably computed during a parse, because of the requirements of their parsing algorithms. In cases of difficult attribute computations, these limitations are overcome either by providing ad hoc solutions using external data structures or by constructing an intermediate representation such as a syntax tree during the parse, and then writing specialized procedures that perform semantic analysis by traversing the intermediate form in one or more passes. At the time of this writing, tools for automating the computation of general attributes have not been widely used, partially due to the many different varieties of intermediate representations, and partially due to the variety and complexity of the semantic attributes of different languages. Some notable systems that do permit the automation of this step include LINGUIST [Farrow, 1984], GAG [Kastens et al., 1982], and Eli [Gray et al., 1992]. Code generation is a special case of this problem, and special methods for automating the code-generation step have been developed. We describe these next.
99.3.6 Intermediate Representations and Code Generation The abstract syntax tree is a convenient way to represent the source program within a translator, particularly for semantic attribute analysis. However, it is less suited to code generation. Although target code can be generated as a form of attribute analysis, either during parsing or by traversal of the syntax tree, the quality of this code is usually poor, and further processing must be done before an acceptable level of target code is produced. Typically, this is achieved by generating some form of intermediate code that is closer to the code of the target machine but still abstract enough that the compiler can perform code-improving transformations on it. Many choices have been used for this intermediate code. Some of the more common are sequences of expression trees, sequences of postfix expressions, an abstract linearized form of syntax tree called three-address code, and actual code for a hypothetical target machine, such as P-code for the stack-based P-machine of many PASCAL-related compilers [Nori et al., 1981]. © 2004 by Taylor & Francis Group, LLC
An example of three-address code corresponding to the source code line = 3.1 + m/2 for the calculator language described previously is t1 := m/2 t2 := 3.1 + t1 m := t2 Here, the identifiers t1 and t2 are temporaries introduced by the compiler that can be thought of as pseudoregisters, and later assigned either to actual registers or to temporary locations in memory. The equivalent (annotated) P-code for this same source code is as follows: ldo ldc dvr ldc adr sro
r,m ; load real value onto stack from static location m r,2.0 ; load constant real value 2.0 onto stack ; divide two reals on top of stack, push result r,3.1 ; load constant real value 3.1 onto stack ; add two reals on top of stack, push result r,m ; store real from stack to static location m, pop stack
The use of the code of a precisely defined, simple machine such as the P-machine as the intermediate target language has several benefits. First, the compiler can be run in interpreter mode, in which the P-code functions as the target code, and a P-machine simulator is used to execute the P-code on the actual target machine. The target code is then kept as P-code, which is generally much more compact than actual executable machine code. Also, in order to retarget the compiler to a new machine, it is only necessary to rewrite the P-machine simulator. Second, in order to obtain a native-code compiler from the P-code compiler, one need only write a translator from P-code to the native code of the target machine. This is usually done by writing individual procedures for each P-code instruction that perform something like a macro expansion of each P-code instruction into target code. By itself, this process will produce very poor code, but it can be combined with a static simulation of the P-machine itself, whose stack can be used to discover opportunities for optimization. An improvement on P-code that adds significant attributes for tracking address calculations and optimizing transformations is U-code [Perkins and Sites, 1979]. An intermediate language that is compact, capable of efficient interpretation, and easily retargeted to different architectures is of special interest for heterogeneous networks, where the platform on which the intermediate code is to be executed or compiled to native code may not be known in advance. If the intermediate code is given a numeric machine code–like encoding (sometimes called bytecodes), and techniques to improve interpretation performance are used (such as on-the-fly compilation or threaded code interpretation [Bell, 1973]), then good performance on a variety of machines across a network can be achieved. This is, for example, the basis for Java implementations [Gosling, 1995]. Although this approach incurs some performance penalty, the latest research is showing that this penalty can be reduced to very acceptable levels [Bacon et al., 2002]. A similar process of macro expansion works for three-address code and its variants, although in this case the underlying abstract machine and its state are not made explicit (as they are for P-code), and the accumulated information during code generation must be stored as attributes in data structures associated with the intermediate code. Typically, these include address descriptors, which record the locations at which named quantities (such as variables) can be found, and register descriptors, which record information about the values that can be statically predicted to be in registers at particular points in the target code. Address descriptors can be kept in the symbol table; register descriptors can be maintained in an array indexed by the register numbers. Unfortunately, both of these code-generation schemes spread the information about the target machine throughout the code generator. This means that retargeting the compiler is more costly than if the target machine information were collected compactly in one place. Several approaches have been taken toward achieving this. The first method for improving the retargetability of the code generator involves writing a syntactic description of the macro expansion process for the intermediate code together with code-emitting actions, © 2004 by Taylor & Francis Group, LLC
much as a Yacc or PCCTS description associates semantic actions with syntactic rules [Glanville and Graham, 1978]. This method permits the automatic generation of the code generator from this description, using a tool similar to a parser generator. This method has been expanded in [Ganapathi and Fischer, 1985] to include semantic predicates. As an example, consider generating code for the three-address instruction t1 := m/2 A rule that would handle this instruction for the VAX might appear as reg(n) → adr(a)/const(i) dead?(n) float?(a) #emit("divd3 #i.,a,rn") This rule establishes that emitting the VAX instruction divd3 #i.,a,rn allows the expression consisting of an address a divided by a constant i to be reduced to a register n, provided n is dead (i.e., contains a value that is no longer needed) and provided that a is the address of a real-valued quantity. Matching this rule to the previous three-address instruction causes t1 to be identified with reg(n), m to be identified with adr(a) (thus computing a as the address of m), and identifying 2 with const(i) (thus setting ito 2). The resulting line of VAX code generated is divd3 #2.,m,r1 In the absence of predicates, such a set of rules describing the target machine could be written as a Yacc input. The difference between this kind of grammar and a grammar describing the syntax of the source language is that the target machine grammar usually comprises thousands rather than hundreds of rules, and the grammar is highly ambiguous, because there are usually many ways to generate target code to achieve a specific effect. Parser generators such as Yacc are inefficient and cumbersome when dealing with such grammars, and a code generator generator specifically tuned to this situation is more appropriately used [Henry, 1984]. The second variety of retargeting mechanism is that used in the portable C compiler [Johnson, 1978]. In this mechanism, a special template language is used to describe the process of matching intermediate code to target code. The code generator then consults a table of these templates during code generation in an attempt to find the optimal match. The third variety of retargeting mechanism is similar to the second, except that both the intermediate code and the target code templates are written in the template language, and the matching routine runs statically, usually during the installation of the compiler, and selects a match between certain sequences of intermediate code and target code which is then fixed once and for all. This method was used in the Production-Quality Compiler Compiler (PQCC) Project [Cattell, 1980] [Leverett et al., 1980]. A related method has also been used in the GNU C++ compiler [Stallman, 1994], based on ideas of Davidson and Fraser [Davidson and Fraser, 1984]. In the GNU compiler, the template language is called the register transfer language (RTL). This language is written in LISP-like prefix form. An example of an instruction template is as follows: (define_insn "divdf3" [(set (match_operand:DF 0 "register_operand" "=f") (over:DF (match_operand:DF 1 "register_operand" "f") (match_operand:DF 2 "register_operand" "f")))] "! TARGET_SOFT_FLOAT" "divd3%1,%2,%0" [(set_attr "type" "arith")] ) Instruction templates are introduced using the define_insn operator. This operator is followed by a symbolic name for the instruction template, a pattern with predicates (such as register_operand), constraints (such as f, indicating the register may be used for floating point values), and extra conditions (such as !TARGET_SOFT_FLOAT, indicating that there must be a hardware floating point arithmetic unit © 2004 by Taylor & Francis Group, LLC
available in the processor). Following this, there is a pattern for the instruction to be generated, with numbers referring to the operands of the pattern (in this example, it is the VAX instruction divd3%1,%2,%0). Finally, there is a specification of attributes for the template. Such instruction templates are used to generate target code in RTL format directly from C code during a parse. Optimizing steps are then applied directly to the RTL intermediate code, and then templates are again used to generate assembly output. Specialized RTL attribute descriptions are also used to guide the code-generation process.
99.3.7 Code Optimization A code generator that naively expands intermediate code into target code will produce code that is extremely inefficient, both in terms of execution speed and target code size. A production-quality compiler must include processing steps that improve its ability to generate good target code, so that it more nearly resembles the code that would be produced by an assembly language programmer. Such processing steps are usually referred to as optimization, though they almost never produce truly optimal code. Indeed, the production of mathematically optimal code, except in the very simplest cases, is known to be computationally intractable (NP-complete), so to attempt this would result in unacceptably slow compilation speed. Optimization steps can be built into almost all the phases of a compiler, from parsing to final target code generation. If an optimization pass is performed separately, it usually occurs after intermediate code generation but before target code generation. Such optimizations are generally source-level in that they do not depend heavily on the details of the target machine. Some optimizations, however, are targetlevel and require that the details of the target code be known. Such optimizations are referred to as peephole optimizations, because they were originally (and are sometimes still) performed by examining small sequences of target code and replacing them with more efficient code. This term can be misleading, however, because modern compilers sometimes perform considerably more sophisticated analysis of the target code than the name might imply (an example is the GNU C++ compiler). One complex aspect of the scheduling of optimizations during compilation is that some optimizations may uncover opportunities for other optimizations and vice versa (this is sometimes called the phase problem). This leads some compilers to repeat certain optimizations in an attempt to catch such cascaded situations. Optimizations are classified according to the region of the program about which information is gathered in order to perform the code improvement. Local optimizations consider only straight-line segments of code, that is, those not involving jumps or calls. Global optimizations consider the code of a single procedure. Interprocedural optimizations consider the entire program or compilation unit. Most compilers perform some kinds of local optimizations. A more heavily optimizing compiler will perform global optimizations, typically using an information-collection method called dataflow analysis, which passes information around a flow graph representing the flow of control through a procedure. It is a rare compiler that performs interprocedural optimization, and for a very good reason: such optimizations are largely ineffective unless they are postponed to link time, because many procedures will not be available in a single compilation unit. This means that the linker must be closely coupled with the compiler; in particular, the system linker cannot be used. This raises the level of complexity of the compilation environment considerably. In the remainder of this brief discussion of optimizations, we list the principal sources of code improvement over a naive code-generation strategy. Register allocation. This is the most important and pervasive issue in the generation of quality code. Keeping temporaries in registers is indispensable, especially for reduced instruction set computer (RISC) architectures. In order to extend register allocation to include local variables, parameters, and global variables, a compiler may permanently allocate certain registers to heavily used quantities. An alternative is to build an interference graph and assign registers by graph coloring, permitting noninterfering variables to share the same register. Good global register allocation also requires some form of dataflow analysis in order to identify values that have no further uses in subsequent code and that can be safely overwritten if they are in registers. © 2004 by Taylor & Francis Group, LLC
Common subexpression elimination. This refers to the identification of expression values that are recomputed one or more times in a program and the avoidance of such recomputation by suitable storing and reuse of the computed value. Although one might naively think that a good programmer should not write code that contains common subexpressions, in fact, most common subexpressions are due to address computations of array and record references that cannot be expressed adequately in source code and that therefore require elimination by an optimizer. Common subexpressions are relatively easy to identify in straight line code; the principal difficulty in the general case is to determine what subexpressions may have changed between two computations of the same expression. Thus, a compiler may choose to perform only local common subexpression elimination. Copy propagation. This optimization tracks code regions in which two or more variables have the same value. After an assignment x = y (in C syntax), x and y have the same value in subsequent expressions until one of them acquires a new value; in this region, any use of x can be replaced by a use of y, which can lead to better code if, for example, y is already in a register. As with common subexpressions, copy statements may exist in the intermediate code even when they are not written by the programmer. A special case of copy propagation is constant propagation: after an assignment such as x = 2, uses of x can be replaced by the constant 2. As with common subexpressions, copy propagation may be done as either a local or a global optimization. Reductioninstrength. This refers to the replacement of arithmetic expressions by equivalent expressions that execute faster. A typical example is the replacement of multiplication or division by a power of 2 by a shift operation. Another example occurs in loop optimization, where a linear combination calculation is replaced by a simple addition (see the subsequent paragraph on loop optimization). Jump optimization. Opportunities for improving jump code occur when a sequence of jumps can be replaced by a single jump, or when a jump can be eliminated by rearranging the code. For instance, the code sequence goto lab1 ... lab1: if x = y goto lab2 lab3: ... can be replaced by the more efficient if x = y goto lab2 goto lab3 ... lab3: ... Algebraic Laws. An optimizer can look for special cases in expressions such as x ∗ 1 and x + 0 (replacing these with x). Sometimes it is also worthwhile to replace a computation x + y or x ∗ y with its commutative equivalent y+x or y ∗ x. More difficult is to discover opportunities to use distributive laws, such as replacing x ∗ y + z ∗ y with the more efficient (x + z) ∗ y. Loop optimization. Loops are traditionally an area where a great deal of attention has been paid to making code as efficient as possible, because programs tend to spend a lot of time in loops. In programs with goto statements, it is a nontrivial operation even to discover loops, and this usually must be done by building the flow graph. Fortunately, in modern languages it is reasonable to depend on syntax (such as keywords while and do) to locate loops. Typical loop optimizations include attempting to discover invariant computations inside loops (i.e., those that always yield the same value, regardless of the loop iteration), and move their computation to just before the loop entry. Another optimization seeks to discover so-called induction variables, which are linear combinations a ∗ i + b, where i is the loop control variable. Because such an expression is incremented by a fixed amount with each iteration, its computation can be reduced in strength to a simple addition. Constant folding. This optimization seeks to replace constant expressions (e.g., 3 + 5) with their resulting values (e.g., 8). Such an optimization could, in theory, replace all computations whose results © 2004 by Taylor & Francis Group, LLC
are predictable at compile time by their results alone. In practice, this would involve repeated applications of constant propagation and folding, so this optimal result is rarely achieved. Dead code elimination. This optimization seeks to skip code generation for those statements that are either never reached during execution or whose actions have no effect on the results of the program. The first case happens when compile-time constants are set to select certain actions over others (e.g., to suppress the collection of run-time statistics). The second occurs if common subexpression elimination or copy propagation makes a computation or assignment unnecessary.
99.3.8 Error Recovery An important practical problem in the design of a translator is its response to errors in the input program. Although many translators have been constructed so that they stop at the first error encountered, it is generally considered better to attempt to discover as many errors as possible in the input before halting. Thus, the response to errors includes error recovery, so that translation may continue, as well as the generation of informative error messages. A further step in an error handler may also be error repair, where the translator attempts to correct at least some of the errors. Because it is difficult to infer from an erroneous program what the actual intended program was, error repair is usually not attempted, except in special cases, such as missing punctuation. Errors may be classified into lexical, syntactic, semantic, and run-time errors. An interpreter must have a reasonable response to run-time errors that involves at least generating an error message and exiting gracefully. A compiler need only recover from static errors, although it may need to generate code to report run-time errors. Semantic errors are relatively easy to recover from, because the syntax tree can still be used to guide the remainder of translation. Lexical errors can simply be passed to the parser by the scanner as error tokens. Thus, the principal difficulty in building an error handler occurs in dealing with parsing errors, where the structure of the input is disturbed, and there may be no obvious way to restart the parser. Several criteria apply to any method for recovery from parse errors. First, it is useful to try to detect errors as early as possible, because continuing to process the input can make it more difficult to determine where the error occurred and to generate an appropriate error message. Second, the translator should attempt to discard as little input as possible when recovering from an error, because discarding input can lead to other errors and mislead the programmer. Third, the translator should avoid generating large numbers of error messages caused by a single error. In particular, a translator must never get into an infinite loop when recovering from an error. This usually requires that at least some input be discarded during error recovery. A standard technique for error recovery is called panic mode, in which tokens are simply discarded, and the parsing stack accordingly adjusted until the parse can resume. This method can be made sophisticated enough so that it becomes better than its name implies. It can be used either as the standard error recovery technique or as a fall-back technique for a more complex method. The important feature of panic mode is the proper computation of a synchronizing set of tokens, which are used to determine when the parser should stop discarding the input and attempt to resume the parse. Panic mode in recursive-descent parsing is discussed in [Wirth, 1976, Section 5.9]. Yacc uses a slightly different method, in which an error pseudotoken is made available, with which important error recovery locations can be marked in so-called error productions in the input grammar. For example, in the Yacc definition file of Table 99.5, the error production session : session error '\n' {yyerrok;} was included in the specification. Yacc’s behavior on encountering an error is as follows. First, it sets a flag to enter an error phase, and then it begins popping the parsing stack until a state is found where the error pseudotoken can be successfully shifted. Then, input tokens are discarded until three consecutive tokens can be shifted successfully, whence the error phase is canceled and normal parsing is resumed. The error phase can also be canceled manually by calling the Yacc procedure yyerrok. For example, the previous error production for a calculator © 2004 by Taylor & Francis Group, LLC
session causes Yacc to discard all tokens until a newline is reached, and then to resume the parse. The result is that any incorrect line of input is deleted. (Yacc also automatically calls yyerror whenever the error phase is entered, which can perform other actions and print an error message.) Other error recovery and repair mechanisms are discussed in [Dion, 1982] [Graham et al., 1979] [Roehrich, 1980].
99.4 Incremental Compilation Not only must compilers generate high-quality code; they must do it in a reasonable amount of time. Historically, the speed of compilation was often inversely proportional to the quality of the generated code, with the compilation of a large program under full optimization sometimes taking hours or even days. With modern processors, compilation speed has become less of an issue, but strong optimization still requires significant amounts of processor time. For this reason, compilers usually offer an unoptimized mode that not only avoids code improvements but is also tuned to the speediest possible generation of runnable code; such an option can be very useful for development or instructional work. Even so, large programs can require significant amounts of time to recompile if all of the code must be retranslated during each compilation step. A significant improvement in compiler technology is therefore the ability of a compiler to operate incrementally, that is, to avoid recompilation of code that has not changed since the previous compilation step. Alternatively, compilers that are linked to an editor as part of an interactive development environment (IDE) can compile program text in the background as it is entered by the programmer. Either of these mechanisms is called incremental compilation. One of the original motivations for separate compilation and linking was to allow a form of incremental compilation, where only files that had changed needed to be recompiled, and the results of this recompilation would be combined with previously compiled files by a linker. Of course, this approach is subject to error, because the linker usually has no knowledge of the source language and cannot find incompatibilities between the recompiled code and the unchanged code. Additionally, the programmer has to keep track manually of which files have changed and which have not. The first major advance over this situation was the Unix make utility [Feldman, 1979], varieties of which are part of virtually every IDE today (usually called build or make project). Make itself is still heavily in use in command-line development environments. Make keeps track automatically of file changes by using file system time stamps: a later time stamp on a source code file over its corresponding object code file indicates the need for recompilation. Additionally, make can keep track of dependencies in a set of source code files (made necessary by the convention of using file inclusion to check incompatibilities in C), although such dependencies must still be maintained manually by a programmer (in a so-called makefile). The makelike features that are built into IDEs usually automate the process of maintaining dependencies even further, particularly in languages with strong interface requirements like Ada and Java (but unlike C or C++). It is possible, and often even desirable, to go beyond the capabilities of an automated make utility in either or both of the two different approaches to incremental compilation mentioned previously. First, a compiler could implement a finer-grained incremental approach than the file-level increments of make, such as statement-level or declaration-level increments (i.e., recompiling only those statements or function definitions within a file that have changed, rather than the entire file). Such a mechanism requires much more retained information about code structure than just object files and time stamps, however, and can lead to a significant increase in the amount of storage space required for a program or project. Second, the compiler could run in the background behind an editor, recompiling code as it is edited, rather than waiting for a compile command from the user. (Obviously, this approach makes the most sense if finer-grained incremental compilation is also implemented.) However, this approach can also mean more compiler interference in the process of editing or creating code, where an editor may refuse to accept program text that the compiler cannot understand. This can easily create programmer resistance to the use of such systems. Examples of compilers that offer incremental compilation are the Visual Age Java compiler from IBM and the Visual Studio C# Compiler from Microsoft. These compilers also provide a contrast in how they © 2004 by Taylor & Francis Group, LLC
mix the two approaches to incremental compilation described in the previous paragraph. The Visual Age compiler is invoked automatically by the IDE whenever a file save operation is performed (or when a file is added or imported into a project). It performs only file-level incremental compilation. However, it immediately reports any compilation problems to the user and will even prevent the completion of a file save operation if syntax errors occur in significant places. In contrast, the C# compiler will perform method-level (function-level) incremental compilation, but only at the direction of the user during a requested build.
99.5 Research Issues and Summary Language translators can be decomposed into the phases of scanning (lexical analysis), parsing (syntactic analysis), semantic analysis, optimization, and code generation. A scanner breaks the input program into tokens using the theory of regular expressions and finite automata. A parser constructs, implicitly or explicitly, a representation for the syntactic structure of the program, using the theory of context-free grammars. The construction of both a scanner and a parser can be easily automated, using tools such as Lex and Yacc or PCCTS. Yacc constructs an LALR(1) bottom-up parser; PCCTS constructs a recursive-descent top-down parser. Bottom-up parsers are generally too complex to construct by hand, but recursive-descent can be used to hand-construct a parser. Implementations of scanners as finite automata are also relatively easy to construct by hand. The semantic analysis and code generation steps of a compiler can be modeled theoretically by an attribute grammar, which expresses in equational form the relationships among the various attributes of language entities. In fact, attribute grammars can be used as a basis for automating the construction of an entire compiler, but this has not become common, possibly because of the complexity of representing the entire semantics of a language as an attribute grammar, and possibly because of the difficulty of producing optimized target code. It may be that other semantic definition mechanisms, such as denotational semantics, will result in better automation techniques, but this remains for future study. Current methods typically construct hand-generated semantic analyzers which operate during parsing using auxiliary data structures, such as the symbol table, or analyzers that perform recursive traversals of a syntax tree. Some success has been achieved in automating the code-generation step, with easy retargeting as the primary goal. These methods include the syntax-based approach of [Glanville and Graham, 1978] and the semantic approach of [Ganapathi and Fischer, 1985]. An alternative to use a symbolic machine description language to describe the target machine, which is then used by the code generator to produce target code. Effective use of this method has been made in the widely retargeted GNU C++ compiler. An important aspect of the automation and retargetability of a compiler is the choice of an appropriate intermediate code representation for the source code. The best choice appears to be a symbolic code for a hypothetical abstract machine. One may the choose either to interpret the intermediate code using a simulator or to perform code generation based on a static simulation of this machine. The primary requirements of such an intermediate code are flexibility, security, and the availability of enough information to provide good optimization over a wide variety of target architectures. A significant challenge for future translator technology is to develop a standard intermediate code that can be generated by many different language front ends, and which can also be efficiently and safely interpreted and compiled on many different architectures under many different operating systems. Optimized versions of the Java Virtual Machine, such as the Jikes Research Virtual Machine [Bacon et al., 2002], hold the promise that this may happen in the not-too-distant future.
Defining Terms Attribute grammar: A set of equations associated to the grammar rules of a context-free grammar that define a collection of attributes associated to the terminals and nonterminals of the grammar. Attribute equations are written in purely functional form (i.e., without side effects) and may be “solved” for the actual attribute values by different kinds of traversals of the parse or syntax tree. © 2004 by Taylor & Francis Group, LLC
Alternatively, attribute values may be computed by replacing the attribute equations with equivalent side effect–generating code using separate data structures such as the symbol table. Back end: The part of a compiler that depends only on the target language and is independent of the source language. The back end receives the intermediate code produced by the front end and translates it into the target language. BNF: Backus normal form or Backus-Naur form. A notation for context-free grammar rules first used in the Algol60 report to describe syntax. It comprises only two metasymbols, usually written → or ::= and |. Bottom-up: A parsing algorithm that constructs the parse tree from the leaves to the root. Bottom-up algorithms include LR and LALR parsers, such as those produced by Yacc. Disambiguating rule: A rule stated separately from the rules of a context-free grammar which specifies the correct choice of syntax tree structure when more than one structure is possible. EBNF: Extended BNF. Adds bracketing metasymbols [. . . ] and {. . . } to BNF to indicate optional and repeated structures, respectively. (These can also be written as (. . . )? and (. . . )∗ to remain consistent with standard regular expression notation.) Front end: The part of a compiler that depends only on the source language and is independent of the target language. The front end translates and analyzes the source program. Incremental compilation: Compilation or recompilation that occurs in small steps based on incremental changes made during the editing of a program and which encompasses only those parts of the program affected by the changes. Inherited attribute: An attribute whose value depends on attribute values at syntax tree nodes which are not descendants. A nonsynthesized attribute. Intermediate code or representation: An internal data structure or sequence of abstract instructions representing a program as produced by the parser or other phase inside a compiler. Item: A grammar rule choice with a distinguished position (usually indicated by a period), indicating that a parse has reached that position in attempting to recognize the rule. Sets of items are used by a bottom-up parser to record a state reached during a parse. Items may have 0 or more tokens of lookahead attached to them. LR(0) items contain no lookahead, whereas LR(1) items contain one token of lookahead. L-attributed grammar: An attribute grammar whose attributes may be computed by a left-to-right traversal of the source program. An attribute grammar must be L-attributed for the attributes to be computable during a parse that processes the input from left to right (as most parsers do). Synthesized attributes are always L-attributed. LALR(1): The lookahead LR(1) algorithm invented by DeRemer [DeRemer, 1971]. The algorithm used in many bottom-up parser generators, including Yacc. A language is also called LALR(1) if it can be parsed unambiguously by the LALR(1) algorithm. Lexeme: The actual character string read from the input when recognizing a token. The lexeme of an identifier token is the identifier name. LL(k): A top-down parsing algorithm that processes the input from left to right, producing a leftmost derivation using k tokens of lookahead. The term can also be applied to a language that can be unambiguously parsed using this algorithm. LR(k): A bottom-up parsing algorithm that processes the input from left to right, producing a rightmost derivation (in reverse) using k tokens of lookahead. The term can also be applied to a language that can be unambiguously parsed using this algorithm. Nonterminal: A name for a structure defined by a context-free grammar rule. Interior nodes of parse trees are labeled by nonterminals. Phase: A logical unit of a compiler. Typical phases include scanning, parsing, semantic analysis, and code generation. Phases are distinct from passes, which comprise a complete sequential processing of the input program. Phases may or may not correspond to physical code units within the compiler. Production: Another term for a context-free grammar rule or grammar rule choice. © 2004 by Taylor & Francis Group, LLC
Recursive-descent: A top-down parsing algorithm that translates context-free grammar rules into a set of mutually recursive procedures, with each procedure corresponding to a nonterminal. Recursivedescent parsing is usually the method of choice when writing a parser by hand. Reduce-reduce conflict: In bottom-up parsers, a property of a state in which a parser has a choice of two productions that can be used to reduce the parsing stack, and both are legal for the amount of lookahead allowed. Reduce-reduce conflicts have no natural disambiguating rule. Retargeting: The process of changing a compiler to produce target code (assembly or machine code) for a different machine. This may involve rewriting the compiler back end or creating a machine definition file for the new machine. Shift-reduce conflict: In bottom-up parsers, a property of a state in which a parser has a choice of either reducing the parsing stack using a production or shifting a token from the input, and both are legal for the amount of lookahead allowed. A natural disambiguating rule is to prefer the shift, thus allowing the parser to match the longest possible input string at each point. Synthesized attribute: An attribute whose value depends only on the attribute values of descendants in the parse or syntax tree. Synthesized attributes are the easiest to compute during a parse, requiring no special data structures or techniques. The syntax tree itself is the most important example of a synthesized attribute. Terminal: Another term for a token in a context-free grammar. Leaf nodes of parse trees are labeled by terminals. Top-down: A parsing algorithm that constructs the parse tree from the root to the leaves. Top-down algorithms include LL parsers and recursive-descent parsers, such as those produced by PCCTS. Virtual machine: An interpreter for intermediate code, such as the Java Virtual Machine which executes Java bytecode. A virtual machine provides transparent cross-platform retargetability for compilers and other software.
References Aho, A.V., Sethi, R., and Ullman, J.D. 1986. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Menlo Park. Backus, J., et al. 1957. The FORTRAN automatic coding system. Western Joint Computer Conf.: 188–198. Reprinted in Rosen, S., Ed., Programming Systems and Languages, McGraw-Hill, New York, 1967, p. 29–47. Bacon, D., Fink S., and Grove, D. 2002. Space- and time-efficient implementation of the Java object model. European Conference on Object-Oriented Programming (ECOOP 2002), pp. 111–132. Lecture Notes in Computer Science #2374, Springer-Verlag, New York. Bell, J.R. 1973. Threaded code. Commun. of the ACM, 16(6): 370–372. Cattell, R.G.G. 1980. Automatic derivation of code generators from machine descriptions. ACM Trans. on Prog. Langs. and Systems, 2(2): 173–190. Davidson, J.W., and Fraser, C.W. 1984. Code selection through object code optimization. ACM Trans. on Prog. Langs. and Systems, 6(4): 505–526. DeRemer, F.L. 1971. Simple LR(k) grammars. Comm. of the ACM, 14(7): 453–460. DeRemer, F.L., and Pennello, T. 1982. Efficient computation of LALR(1) lookahead sets. ACM Trans. on Prog. Lang. and Systems, 4(4): 615–645. Dion, B.A. 1982. Locally Least-Cost Error Correctors for Context-Free and Context-sensitive Parser. Univ. of Michigan Research Press. Early, J. 1970. An efficient context-free parsing algorithm. Comm. ACM, 13(2): 94–102. Farrow, R. 1984. Generating a production compiler from an attribute grammar. IEEE Software, 1(10): 77–93. Feldman, S. 1979. Make — a program for maintaining computer programs. Software: Practice & Experience, 9(4): 255–265. Ganapathi, M.J., and Fischer, C.N. 1985. Affix grammar driven code generation. ACM Trans. on Prog. Lang. and Sys., 7(4): 560–599. © 2004 by Taylor & Francis Group, LLC
Glanville, R.S., and Graham, S.L. 1978. A new method for compiler code generation. In Fifth Annual ACM Symposium on Principles of Programming Languages. Gosling, J. 1995. Java intermediate bytecodes. ACM SIGPLAN Notices, 30(3): 111–118. Graham, S.L., Haley, C.B., and Joy, W.N. 1979. Practical LR error recover. SIGPLAN Notices, 14(8): 168–175. Graham, S.L., Harrison, M.A., and Ruzzo, W.L. 1980. An improved context-free recognizer. ACM Trans. on Prog. Lang. and Sys., 2(3): 415–462. Gray et al. 1992. Eli: a complete, flexible compiler construction system. Commun. of the ACM, 35(2): 121–131. Henry, R.R. 1984. Graham-Glanville Code Generators. Ph.D. thesis, Univ. of Calif., Berkeley. Jacobson, V. 1987. Tuning Unix Lex, or it’s not true what they say about Lex. Proceedings of the Winter USENIX Conf. Johnson, S.C. 1975. Yacc — yet another compiler-compiler. CS Technical Report #32, Bell Laboratories, Murray Hill, NJ. Johnson, S.C. 1978. A portable compiler: theory and practice. In Fifth Annual ACM Symposium on Principles of Programming Languages, pp. 97–104. ACM Press, New York. Kastens, U., Hutt, B., and Zimmermann, E. 1982. GAG: A Practical Compiler Generator. Lecture Notes in Computer Science #141, Springer-Verlag, New York. Katayama, T. 1984. Translation of attribute grammars into procedures. ACM Trans. on Prog. Lang. and Systems, 6(3): 345–369. Knuth, D.E. 1968. Semantics of context-free languages. Math. Systems Theory, 2(2): 127–145. Errata 5(1) (1971): 95–96. Lee, Peter 1989. Realistic Compiler Generation. MIT Press, Cambridge, MA. Lesk, M. 1975. Lex — a lexical analyzer generator. CS Technical Report #39, Bell Laboratories, Murray Hill, NJ. Leverett, B.W., et al. 1980. An overview of the production-quality compiler-compiler project. IEEE Computer, 13(8): 38–49. Nori, K.V., et al. 1981. Pascal P implementation notes. In Pascal — The Language and Its Implementation, Barron, D.W. Ed., Wiley, Chichester, UK. Parr, T.J., Dietz, H.G., and Cohen, W.E. 1992. PCCTS reference manual. ACM SIGPLAN Notices, 27(2): 88–165. Parr, T.J., and Quong, R.W. 1994. Adding semantic and syntactic predicates to LL(k): pred-LL(k). Int’l. Conf. on Compiler Construction. April, 1994. Paxson, V. 1998. Flex users manual. Available at http://www.gnu.org/software/flex/manual. Perkins, D.R., and Sites, R.L. 1979. Machine independent Pascal code optimization. ACM SIGPLAN Notices, 14(8): 201–207. Peyton Jones, S.L. 1987. The Implementation of Functional Programming Languages. Prentice Hall, Englewood Cliffs, NJ. Polak, W. 1981. Compiler Specification and Verification. Lecture Notes in Computer Science #124, SpringerVerlag, New York. Randell, B., and Russell, L.J. 1964. Algol60 Implementation. Academic Press, New York. Roehrich, J. 1980. Methods for the automatic construction of error-correcting parsers. Acta Informatica, 13(2): 115–139. Stallman, R. 1999. Using and Porting GNU CC. GNU Press, Boston, MA.. Wirth, N. 1971. The design of a Pascal compiler. Software — Practice and Experience, 1(4): 309–333. Wirth, N. 1976. Algorithms + Data Structures = Programs. Prentice Hall, Englewood Cliffs, NJ.
Further Information The standard text in compiler design has for many years been Compilers: Principles, Techniques, and Tools by Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman (Addison-Wesley, 1986). This book is now showing its age but is still useful as a reference, because it was fairly comprehensive at the time it was written. A modern introductory text that is based on the C language is Compiler Construction: Principles and Practice by © 2004 by Taylor & Francis Group, LLC
Kenneth C. Louden (International Thomson, 1997). A more comprehensive treatment is Modern Compiler Implementation in Java, 2nd edition by Andrew W. Appel and Jens Palsberg (Cambridge University Press, 2002). This book also treats object-oriented issues in some detail, for both the implementation language and the target language. For a more detailed study of optimization, see Advanced Compiler Design and Implementation by Steven S. Muchnick (Morgan Kaufmann, 1997). For those interested in functional languages, Modern Compiler Implementation in ML by Andrew W. Appel (Cambridge University Press, 1997) may be of interest. A book that presents a full C compiler in complete detail is A Retargetable C Compiler: Design and Implementation by Christopher W. Fraser and David Hanson (Addison-Wesley, 1995). Aside from these and many other texts, the best place to locate the latest information on compiler design is the comp.compilers newsgroup on the Internet. Research papers on language translation can be found in publications by the IEEE and the ACM, particularly the conference proceedings published as part of the ACM SIGPLAN Notices (especially the annual Programming Languages Design and Implementation [PLDI] conference), the ACM Annual POPL Conference proceedings, and the ACM TOPLAS journal. For information, contact the ACM via its Web site, http://www.acm.org (or by e-mail at [email protected]) and the IEEE via its Web site http://www.ieee.org. General information on interpreters, insofar as they differ from compilers, is more difficult to find in one place. A Scheme-based introduction can be found in Structure and Interpretation of Computer Programs, 2nd edition by H. Abelson and G. J. Sussman with J. Sussman (MIT Press, 1996). Advanced techniques both for the compilation and interpretation of functional languages can be found in The Implementation of Functional Programming Languages by Simon L. Peyton Jones (Prentice Hall, 1987) and Implementing Functional Languages by Simon L. Peyton Jones and David Lester (Prentice Hall, 1992). The latter text concentrates more on implementation issues; the former gives a more theoretical description. A brief but useful introduction to the use of Lex and Yacc can be found in The Unix Programming Environment by Brian W. Kernighan and Rob Pike (Prentice Hall, 1984). A more detailed study is contained in Lex & Yacc by John R. Levine, Tony Mason, and Doug Brown. (O’Reilly and Associates, 1992). Manuals for the GNU versions Flex and Bison can be found at http://www.gnu.org/manual. Information about PCCTS can be found in the comp.compilers.tools.pccts newsgroup, at http://www.polhode.com/pccts.html, and at http://www.antlr.org. The Java parser generator JavaCC can be found at http://javacc.dev.java.net.
© 2004 by Taylor & Francis Group, LLC
100 Runtime Environments and Memory Management 100.1 100.2
Robert E. Noonan College of William and Mary
Procedures and Functions • Design Issues • Parameter Passing • Activation Records • Activation Stack • The Sun SPARC Architecture
100.3 100.4
Pointers and Heap Management . . . . . . . . . . . . . . . . . . 100-11 Garbage Collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100-12
100.5
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100-14
William L. Bynum College of William and Mary
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100-1 Runtime Stack Management . . . . . . . . . . . . . . . . . . . . . . 100-2
Reference Counting
•
Mark-Sweep
•
Copy Collection
100.1 Introduction Objects in programming languages can be assigned to any of three different types of memory: static memory, the runtime stack, and the heap. It is the responsibility of the programmer to decide which objects to assign to each memory type and to manage memory usage effectively. Objects are usually assigned to static memory when the object must be accessed globally throughout the program. A restriction associated with using static memory is that such an object must have a constant size. In contrast, the runtime stack is used for dispatching active functions and methods, including space for their local variables, and their parameter-argument linkages, as they gain and relinquish control to the caller. A stack frame, is pushed onto the top of the stack whenever a method is called, and popped from the stack when the method returns control to the caller. Thus, memory usage in the runtime stack is predictable and regular. The heap is the least structured of the three memory types. The heap is used for all other objects that are dynamically allocated during the runtime life of the program. The heap becomes fragmented as it is used for the dynamic allocation and deallocation of storage blocks. At any point in time, the active memory blocks in the heap may not be contiguous. For that reason, garbage collection of unused heap blocks, whether manual or automatic, is a major issue in modern programming. The principal goal of this chapter is to give the reader an overview of runtime memory management. First, we discuss management of the runtime stack with respect to the calling of procedures and functions and the passing of parameters and return values. After a review of the general principles involved, an example
© 2004 by Taylor & Francis Group, LLC
is presented for the Sun SPARC architecture. Next, we discuss the use of pointer variables and manual heap allocation and deallocation. Finally, we review some widely used garbage collection algorithms.
100.2 Runtime Stack Management The purpose of this section is to provide a general introduction to the principles used in designing a runtime stack for programming languages, with a particular emphasis on procedures and parameters. The sections that follow introduce the basic terminology and major ideas in the design and implementation of such stacks. Texts that cover this material in more detail include Sebesta [2002], Louden [1993], Pratt and Zelkowitz [2001], and MacLennan [1987]. Examples are taken primarily from the language C [Kernighan and Ritchie 1988].
100.2.1 Procedures and Functions In this section we are concerned with the characteristics of a procedure, subprogram, or function. For our purposes, such an entity has the following characteristics: (1) it has a single entry point, (2) execution of the calling unit is suspended, and (3) in the absence of a nonlocal goto, control is returned to the caller upon normal completion of the procedure. In the case of a function, a value is returned to the caller. Figure 100.1 shows a C program that calls a local bcopy function to copy a string. Routine bcopy is a subroutine or procedure. Line 16 is said to contain a call of the function. When this line is executed, execution of the calling routine, main in this case, is explicitly suspended. Program control is transferred to the body of routine bcopy, in this case everything between the opening brace on line 6 and the closing brace on line 9. Line 2 is called the header of the routine; it gives the name of the function, the return type (in this case, the void type indicates that the function returns no value), and the names and types of the arguments of the routine. The variables s, d, and n in line 2 are said to be the formal arguments or formal parameters of the routine. The variable hello in the call on line 16 is said to be the actual parameter of the call corresponding to
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
/∗ bcopy -- copy source block to destination block void bcopy (char ∗ s, char ∗ d, int n) /∗ s -- pointer to source block ∗ / /∗ d -- pointer to destination block ∗ / /∗ n -- number of bytes to copy ∗ / { for (; n> 0; n--) ∗ (d++) = ∗ (s++); } char hello[] = { "Hello, world!"}; /* 1234567890123 ∗ / main() { char newhellow[50]; bcopy(hello, newhellow, 14); printf("%s\n", newhellow); } FIGURE 100.1 The bcopy function in ANSI C.
© 2004 by Taylor & Francis Group, LLC
∗
/
the formal parameter s. Similarly, the variable newhello on line 16 is the actual parameter of the call corresponding to the formal parameter d, and the integer constant 14 is the actual parameter of the call corresponding to the formal parameter n. In this example, although there are only 13 characters in the string to be copied, the constant 14 must be used in the call to be sure to copy the null termination byte with which the C language indicates the end of a string. In the case of this example when line 16 is executed, control is passed from the calling routine, main in this case, to the called routine, bcopy, starting at the opening brace on line 6 and continuing until the closing brace is executed (an implicit return). Although this example does not contain one, the called routine can also return to its caller through an explicit return statement. After program control has entered line 6 and before the implicit return on line 9, bcopy is said to be active.
100.2.2 Design Issues In designing a runtime stack for a given programming language, a number of design issues come in to play. The first of these is whether allocation of variables local to a procedure is static or dynamic. If the language permits recursive calls of a procedure, then each activation of the procedure will have its own set of local variables. In this case, the local variables are allocated dynamically on the runtime stack. Referencing of the local environment is done relative to the stack pointer. On the other hand, if variables local to a procedure are required to remember their values from one activation to the next, then the local variables must be allocated statically. Static allocation generally permits faster referencing of the local environment. However, dynamic allocation makes better use of memory. Languages such as FORTRAN 77 [Zirkel 1994] and COBOL [Welburn 1995] use static allocation by default. Languages such as C, C++, and Ada use dynamic allocation by default but permit the programmer to mark any specific local variable as static. In the example shown in Figure 100.1, the variable hello is allocated statically, whereas the variable newhello is allocated dynamically. A second significant design issue is the method or methods by which actual parameters or arguments are passed from the caller to the called routine. These methods are treated in detail in the next section. A third significant design issue concerns the degree to which it is possible within a procedure to reference nonlocal variables, that is, variables that are neither passed as parameters nor declared within the procedure. In the C program given in Figure 100.1, the variable hello is global to the procedure bcopy. Because hello is global to the entire compilation unit, the variable hello could have been directly referenced within bcopy. Such nonlocal access is usually avoided, because it complicates the referencing environment, both for the compiler and for those who must read the source code. A fourth significant design issue concerns scoping, the method used to determine how a reference to a nonlocal name within a procedure is resolved. Programming languages use two types of scoping: static and dynamic. Most compiled languages that allow nonlocal references, including Ada, C, and C++, use static scoping. With static scoping, reference to a nonlocal name within a procedure is resolved at compile time by referring to the static parent of the procedure: the statically enclosing block or procedure. This process is repeated as needed until the nonlocal name is found. Within static scoping, there is the further issue of whether static nesting of procedures is allowed. C and C++ do not allow static nesting, but Ada [Ada 1991, Barnes 1995], Pascal [Jensen et al. 1991], and Modula [Carmony 1990] do. To implement static nesting of procedures, as in Ada and Pascal, it is necessary to add another pointer to the activation record, the static link. The runtime system sets the static link of a procedure to point to the activation record of the statically enclosing procedure. In this way, references to nonlocal variables in the procedure will be resolved in a way that is consistent with the static structure of the program. The dynamic link is not adequate to find the activation record of the statically enclosing block when a procedure is called by a program unit that is not its static parent. In C and C++, where static nesting of procedures is not allowed, no static link is needed, because a nonlocal name referenced within a procedure must be global and can be easily located with no additional information. © 2004 by Taylor & Francis Group, LLC
The LISP [Steele 1990] and APL [Gilman 1992] programming languages use dynamic scoping, in which reference to a nonlocal name within a procedure is resolved at runtime by referring to the activation record of the dynamic parent of the procedure, the procedure or block that called the procedure with the nonlocal reference. With dynamic scoping, the program unit whose activation record is consulted to resolve a nonlocal reference cannot be determined statically at compile time, but must determined at runtime through the configuration of the stack of activation records. For a more thorough discussion of static and dynamic scoping and the static link, the interested reader should consult Sebesta [2002], Pratt and Zelkowitz [2001], or Tucker and Noonan [2002].
100.2.3 Parameter Passing Most programming languages have based their parameter (or argument) passing convention on how parameter passing is actually implemented. In contrast, Ada bases its parameter passing convention on the semantics of the use of the parameter and leaves it to the compiler implementor to pick an appropriate implementation model. Ada distinguishes three distinct semantic models for parameter passing: (1) in, (2) out, and (3) in–out. A formal parameter specified as in means that a value will be supplied to the called routine by the caller. No attempt is made by the called routine to change the value of the parameter. A formal parameter tagged as out means that the called routine will set the value of the parameter before any attempt to reference the value of the parameter. Thus, the calling routine must supply a location in which to store the out parameter, but need not initialize that location. A formal parameter tagged as in–out means that the called routine expects the parameter to be initialized and expects to return a value to the calling routine. Thus, the calling routine must supply an initialized location. Most older languages defined their parameter passing conventions in terms of how they are implemented. The major ones in use today include (1) call-by-value, (2) call-by-result, (3) call-by-value-result, and (4) call-by-address (or call-by-reference or call-by-location). In call-by-value, the calling routine supplies a value to the called routine. The formal parameter is treated as a local variable that is initialized at the time of the call to the value supplied by the caller. Thereafter, there is no further link between the actual and formal parameter. The called routine is free to change the value of the formal parameter; this has no effect whatever on the actual parameter either during the activation of the called routine or at return time. Call-by-value can be thought of as a copy-in process. In contrast, call-by-result can be thought of as a copy-out process. Except for this respect, it is very similar to call-by-value. Again, the formal parameter is treated as an uninitialized local variable. It is the responsibility of the called routine to initialize a result parameter before referencing it. When control is about to be returned to the caller, the final value of a result parameter is copied to the corresponding actual parameter. Except for this final copy, there is no other correspondence between the actual and formal parameters during the duration of the call. A value-result parameter is one that combines the two previous methods. The formal parameter is treated during the activation of the called routine as a purely local variable, which is initialized at the time of the call to the corresponding actual parameter, and the final value of the formal parameter is copied back to the actual parameter at the time of the return. Thus, call-by-value-result is a copy-in, copy-out process. In call-by-address (or reference), the calling routine provides the address of each actual argument. In effect, the formal parameter is effectively a constant pointer to the actual argument. References to the formal parameter are compiled to do a dereferencing so that the location of the actual argument is used in all cases. It is impossible to change the value of the pointer, only what the pointer points to. Call-by-address is used by C++ [Stroustrup 1995] for reference parameters, Pascal for var parameters, and FORTRAN 77 [Zirkel 1994] for all parameters.
100.2.4 Activation Records Each time a routine is called, an activation record is created. Although this record may not physically all be stored in the same place, it is still useful to think of it as a single, logical record. Minimally, this record must © 2004 by Taylor & Francis Group, LLC
FIGURE 100.2 Activation stack for calling the bcopy function.
contain (1) the return address of the calling routine, (2) space for the formal parameters, and (3) space for the local variables of the called routine. An example of an activation record for the function bcopy of Figure 100.1 is given in Figure 100.2, which is discussed in detail in the next section. If the activation record is allocated statically, then variables local to the called routine can remember their values from one activation to the next. This was a feature of early versions of FORTRAN. The disadvantage of static allocation is that such routines cannot be called recursively. Most modern languages allocate the activation record on the runtime stack, thus allowing recursive routines. C/C++ allow the programmer to specify that some local variables should be allocated statically; by default local variables are allocated dynamically. At the time of the call, the calling routine must (1) save its own execution status, including any registers it wants saved; (2) carry out the parameter passing process; (3) pass the return address; and (4) finally transfer control to the called routine. In many modern architectures, steps 3 and 4 are combined into a single machine instruction. At the time of return, first, the called routine must make available the final values of any result or value-result arguments. Second, if the routine is a function, then the computed value of the function must be made available. Next, the execution status of the caller must be restored. And finally, control must be transferred back to the caller.
100.2.5 Activation Stack Most modern architectures provide some direct support for procedure calls and parameter passing. A typical activation stack using the program of Figure 100.1 is given in Figure 100.2. The figure assumes that execution is on line 7 of the activation of the bcopy routine (see Figure 100.1). In many implementations, a frame pointer register points to the base of the activation record on the runtime stack. The stack pointer, of course, points to the logical top of the activation record. Addressing of locals and formal arguments would normally be done relative to the frame pointer, which is constant while © 2004 by Taylor & Francis Group, LLC
the routine is active. Of course, the stack pointer will increase and decrease as the values of temporary variables and expressions are pushed and popped off the runtime stack. Thus, using the stack pointer to address locals and temporaries, although possible, is considerably more complicated. Figure 100.2 shows activation records and stack pointer and frame pointer registers for the program listing of Figure 100.1 at the point just before the bcopy routine begins execution. The dynamic link in the activation record contains the address of the activation record of the routine’s caller. In Figure 100.2, the dynamic link of the bcopy routine is shown as an arrow pointing back to the frame pointer location of the activation record of the main program. In this example, the stack location holding the value 14 (the actual parameter corresponding to the formal parameter n) is used as a local variable of the bcopy routine. This value will be decremented to 0 as the routine copies the source string to the destination location. The space for the newhello variable is shown on the stack because this variable is allocated dynamically in the main program. The hello variable is declared statically in line 11 of Figure 100.1, so that stack space for it is not shown in Figure 100.2. Typically, space for static variables is not allocated on the runtime stack, but, instead, in a part of the program that will persist across the activations of a subroutine.
100.2.6 The Sun SPARC Architecture The SPARC architecture [Paul 1994] used by Sun Microsystems as the CPU in its Sun4 series of workstations is based directly on the Berkeley RISC-II processor, developed by David Patterson and his students. In the early 1980s, Patterson concluded that, rather than developing processors with increasingly complex instruction sets, better performance could be obtained through implementing a reduced instruction set computer, with simpler, more regular machine instructions executing at a higher clock rate and a larger number of registers. The SPARC CPU uses the reduced instruction set, the LOAD/STORE architecture, pipelined instruction execution, instruction and data caching, the delayed branch, and a large register set with register windows, all present in Berkeley RISC-II design. Sun Microsystems has added several features to the SPARC architecture not present in the Berkeley RISC-II processor. 100.2.6.1 SPARC Register Set The SPARC register set contains from 48 to 528 32-bit registers. Each register window consists of 24 registers (8 input registers, 8 local registers, and 8 output registers), plus 8 global registers common to all procedures. One of the innovations in the Berkeley RISC processors was the use of overlapping register windows to use in passing parameters in a subroutine call. A sketch of the SPARC register set is shown in Figure 100.3. Each procedure is allocated a group of 32 registers, separated into four groups: input registers, output registers, local registers, and global registers. The CPU manipulates the register windows so that the input registers of the called procedure are identical to the output registers of the calling procedure. In this way, the runtime stack is not needed to transmit actual parameters from the caller to the called procedure. This reduces the amount of time required for a procedure call. The register windows are numbered from the number of windows (NWINDOWS) minus 1 down to 0. The SPARC CPU has a processor state register (PSR) that contains 4 bits of arithmetic logic unit flags, called the integer condition codes field, and a 5-bit field called the Current Window Pointer (CWP) that holds the number of the current register window being used. Because the output registers of one procedure overlap the input registers of the procedures that it calls, the number of 48 registers allows for two nonoverlapping sets of 16 registers, plus one overlapping set of 8 registers, plus the 8 global registers; that is, a SPARC CPU with 48 registers can implement 2 register windows. A SPARC CPU with 528 registers can implement 32 register windows. The current window pointer is used by the SPARC CPU to point to the currently active register window. Its value is modified by the programmer through the save and restore instructions that are discussed subsequently. © 2004 by Taylor & Francis Group, LLC
FIGURE 100.3 SPARC register windows.
The SPARC input registers for a given procedure are denoted by %i0–%i7, the local registers of the procedure are denoted by %l0–%l7, the output registers are denoted by %o0–%o7, and the global registers that all procedures can access are denoted by %g0–%g7. Several registers are dedicated to special uses. Register %o6 is the stack pointer register and is usually denoted by %sp. The %i6 register is the procedure’s frame pointer register and is denoted by %fp. The %fp register is actually the caller’s stack pointer register because of the register window overlap between the caller’s and callee’s register windows (see Figure 100.3). Register %o7 is the link register, from which the return address of a procedure call can be calculated. The call instruction places the address of the call instruction in %o7 before jumping to the target of the call. A procedure would place its first six parameters of a procedure call in registers %o0–%o5 (in left-to-right order, Pascal or C). Parameters after the sixth must be passed on the stack. 100.2.6.2 SPARC Procedure Call Protocol The SPARC procedure call protocol depends on several factors: the semantics of the call/return instructions, the manipulation of the register windows through the save and restore instructions, and the layout of the SPARC stack frame. © 2004 by Taylor & Francis Group, LLC
In view of the usage of registers for passing procedure parameters, one might wonder why the SPARC architecture uses a runtime stack. The reason is, of course, that there are several situations when the values of some or all of the registers in the procedure’s window must be saved and restored. First, the SPARC procedure call convention specifies that a procedure must preserve the values in the input registers %i0– %i7, and the local registers %l0–%l7, across its call. The space to save these registers is allotted in the stack frame. The values in the global registers are considered to be volatile and need not be preserved across the call. Second, a register window overflow could occur. This situation arises when all of the register windows have been used and there is a procedure call. The register window of the first procedure call in the chain of calls must be saved on the stack to make another register window available for the call. This can happen in a deep nesting of procedure calls. Finally, the stack must be used in case of a procedure call that has more than six input parameters. In SPARC terminology, a leaf procedure is one that does not call another procedure. When a chain of procedure calls made in a program is viewed as a tree, the leaves of the tree are those procedures that do not call any other procedure. The normal (nonleaf) procedure must build a stack frame each time that it is called, but the SPARC architectural specification allows a leaf procedure to use the stack frame of its caller. No new register window is created and the leaf procedure uses the register window of its caller. The call instruction places the address of the call instruction in the %o7 register, the link register, then branches to the target of the call. The call is thus a branch instruction and has a branch delay slot like any other branch instruction. Both the return from nonleaf procedure ret and return from leaf procedure retl instructions are synthesized from the jump on link register jmp1 instruction. The jmpl instruction is also a branch instruction, and so it has a delay slot that will be executed before the jump takes effect. The ret instruction is an abbreviation for the instruction jmpl
%i7+8,%g0
This is based on the assumption that when a nonleaf procedure is called, a shift of register windows has occurred. When the caller performs the call, the address of the call instruction is placed in the caller’s %o7 register. When the register windows are shifted by the save instruction that we will discuss shortly, the %o7 register of the caller will be the %i7 register of the called procedure. The jmpl target is the source operand on the left, which in this case is specified to be %i7+8. The jmpl instruction places the address of the jmpl instruction in the destination register, which in this case is the %g0 register. Because the %g0 is permanently zero, its use here indicates that the address of the jmpl instruction should not be saved. The retl is for returning from a leaf procedure. It is an abbreviation for the instruction jmpl
%o7+8,%g0
This is consistent with the view that the no shift of register windows has occurred with a leaf procedure. The leaf procedure is using the register window of its caller, and so the address of the call instruction is expected to be in the %o7 register where the call instruction placed it. When a nonleaf procedure performs a call, the nonleaf procedure does not need to know whether it is calling a leaf procedure or a nonleaf procedure. The problem is resolved by the called procedure’s choice between the ret and retl instructions. 100.2.6.3 SPARC save and restore Instructions The save instruction is used as the first instruction of a nonleaf procedure to build its stack frame. As mentioned previously, the stack frame will be used to save registers that must be preserved across the procedure call, in the case of register window overflow or in case the procedure calls a procedure having more than six input parameters. The SPARC stack frame is shown in Figure 100.4. The smallest allowable stack frame that a nonleaf procedure can allocate is 92 bytes. This includes 64 bytes to store the procedure’s input and local registers, plus a 6-word (24-byte) storage area into which any callee of the procedure can store arguments, and a © 2004 by Taylor & Francis Group, LLC
low memory addresses %sp + 0 %l0 %l1 %l2 %l3 local registers %l4 %l5 %l6 %l7 %sp + 32 %i0 %i1 %i2 %i3 input registers %i4 %i5 %i6 = %fp %i7 = retadr
8 %sp + 64
struct ret ptr %sp + 68
6 word argument save area
%sp + 92 input parameters past the 6th, compiler temporaries, local variables %fp high memory addresses FIGURE 100.4 SPARC stack frame.
1-word (4-byte) location to contain a pointer to an aggregate return value. This pointer would be used by a function whose return value was a struct or RECORD that did not fit in 32 bits. The save instruction for a nonleaf procedure using a minimal stack frame would be save
%sp,-92,%sp
The save instruction subtracts one from CWP, the current register window pointer. If the result of this subtraction is a valid register window number, then the new value is stored into CWP; otherwise, a window © 2004 by Taylor & Francis Group, LLC
C source: /∗ bcopy -- copy source block to destination block void bcopy (char ∗ s, char ∗ d, int n) /∗ s -- pointer to source block ∗ / /∗ d -- pointer to destination block /∗ /∗ n -- number of bytes to copy /∗ { for (; n > 0; n--) ∗ (d++) = ∗ (s++); }
∗
/
SPARC Assembly language:
0000 0000 0004 0008 000C 0010 0010 0014 0018 001c 0020 0024 0028 002C 002C 0030
.text .align 4 .global_bcopy _bcopy: 9DE3BF90 save %sp, -112, %sp 90A6A000 cmp %i2, 0 04800009 ble leave 01000000 nop forloop: C40E0000 ldub [%i0], %g2 C42E4000 stb %g2, [%i1] B0062001 add %i0,1,%i0 B406BFFF add %i2, -1, %i2 80A6A000 cmp %i2, 0 14BFFFFB bg forloop B2066001 add %i1, 1, %i1 leave: 81C7E008 ret 81E80000 restore
FIGURE 100.5 Function bcopy SPARC assembly language, as generated by the GNU C compiler.
overflow trap is generated that will make a register window available by storing the registers of the earliest procedure in the calling chain. The restore instruction is the reverse of the save instruction. The restore instruction adds one to CWP. If the resulting sum is not a valid register window pointer, then a window underflow trap is generated that will terminate execution of the current program. 100.2.6.4 Function bcopy as a SPARC Nonleaf Procedure The source code and the assembly language code for bcopy generated by the GNU C compiler is shown in Figure 100.5. Notice that because of the save, restore, and ret instructions, the procedure is cast as a nonleaf procedure, even though it does not call any other procedure. This is a conservative decision, apparently based on the belief that every procedure should have a stack frame. This sort of conservative design is perhaps one reason why the code that the GNU C generates is so robust. The parameters of the call are in the input registers now: %i0 is the s parameter, %i1 is the d parameter, and %i2 is the n parameter of the call. The GNU compiler was not able to fill the branch delay slot of the ble branch at location 000C with a useful instruction, so it inserted a no-operation nop instruction there. Notice that the add instruction at location 0028 that accomplishes the d++ of the C program is executed in the delay slot of the bg instruction at location 0024. This ensures that the d formal parameter © 2004 by Taylor & Francis Group, LLC
has the correct value if the loop is executed again. Notice also that the restore instruction at location 0030 is located in the delay slot of the ret instruction, so that the restore is executed to restore the register window of the caller before the ret returns control to the caller.
100.3 Pointers and Heap Management In addition to space on the runtime stack, modern languages such as Ada, C, C++, and Java also provide for allocating space dynamically from heap memory. Such space is commonly used for arrays whose size is determined dynamically at runtime and for various linked structures such as linked lists, trees, and graphs. A variable that contains a heap memory reference literally contains a memory address and is commonly referred to as a pointer∗ . A simple linked list would consist of nodes, each of which would contain a value field and a pointer to the next node in the list. Using an integer value field as an example, such a node would be defined in C++: struct Node{ int value; Node* next; }; Heap allocation is provided by the new operator, which in this case allocates heap space sufficient to hold an integer and a pointer and returns the address of the space allocated. Given the following auxiliary function: Node* mkNode(int val, Node* nxt) { Node* p = new node; p->value = val; p->next = nxt; return p; } a linked list containing a sequence of integers read from standard input can be constructed as follows: Node* list = NULL; int x; while (cin >> x) { list = mkNode(x, list); } This code snippet stores the integers in the reverse order read. A common error in programming linked data structures is to forget to set the last pointer in the list to the NULL value. In this case, the error would occur if the variable list had not been initialized to NULL. Suppose the program snippet above read the sequence of integers {5, 3, 2} and the program logic called for removing the node containing the 3 from the list. One way to accomplish this task is: list->next = list->next->next; This results in the situation shown in Figure 100.6, in which the second node of the list is no longer accessible to the program. Any allocated memory block that is inaccessible to the program is denoted as garbage.
∗
Note that in C/C++ and Ada, a pointer may also contain a non-heap memory address, for example, a runtime stack address. © 2004 by Taylor & Francis Group, LLC
2
list
3
5
FIGURE 100.6 A linked list with a deleted node.
Unlike the program stack, heap space does not usually become unusable in the reverse order space is allocated. C++ provides an explicit operator named delete for explicitly returning unused space to the heap. The above code snippet for removing the second node of the list and returning it to the heap can be rewritten: Node* p = list->next; list->next = p->next; delete p; Failure to return unused memory to the heap is termed a memory leak. Such memory leaks can be a problem in long-lived programs such as Web browsers and Web servers. Even more problematic in a large, complicated program is determining whether or not a node is truly garbage or is still accessible via some other reference. Returning memory space to the heap via a delete that is still accessible via another reference makes the latter a dangling reference. In the code snippet above, after the delete, any pointer containing the same value as p is a dangling reference; in C++ the delete operator sets the pointer to NULL, but other references to the node may still exist. For a more formal treatment of heap management and the new and delete operators, see Chapter 5 of Tucker and Noonan [2002]. Pointers and heap memory management are especially difficult and have made programming in C/C++ and Pascal unreliable. Newer languages such as Java have attempted to partially remedy this situation by removing the burden of reclaiming unused heap space via automatic garbage collection, which is the subject of the next section.
100.4 Garbage Collection Automatic garbage collection has been a hallmark of functional languages since the introduction of Lisp in the early 1960s. Automatic garbage collection has traditionally been viewed as too slow for use in conventional programming languages. However, newer scripting languages such as Perl and Python and object-oriented languages such as Smalltalk and Java have all included automatic garbage collection as one of their features. In Smalltalk and Java, all objects are allocated out of the heap. As a program executes, many objects become inactive and are no longer accessible to the program. Reclaiming the space used by these inaccessible objects, or garbage, is the task of the garbage collector. The garbage collection algorithm is automatically applied as needed to reclaim inaccessible heap space. Modern algorithms are derived from similar work for functional languages. We examine the three major strategies known as: reference counting, mark-sweep, and copy collection.
100.4.1 Reference Counting In reference counting, each node allocated out of the heap has an extra, hidden field that contains a count of the number of direct references to the node. When a node is initially allocated via a new operation, the count is initialized to zero. The semantics of a heap pointer assignment are modified as follows. Consider the assignment: p = q; © 2004 by Taylor & Francis Group, LLC
p
0
q
2
1
1
FIGURE 100.7 Garbage collection using reference counting.
where p and q are both pointers to the heap. Normally, the address stored in q is simply copied to p. However, to keep the reference counts updated, the node referenced by p before the assignment must have its count decremented by one and the node referenced by q must have its count incremented by one. A complication is that on exiting a program function, all local pointers are effectively set to NULL, thus having the counts in the referenced nodes decremented by one. When a node has its counts decremented to zero, it is returned as free space to the heap manager. This is the situation depicted in Figure 100.7, in which the dotted line represents the value of p before the above assignment is executed. The first node in the list has a reference count of zero, and is thus freed. This causes the reference count in the second node to also be set to zero, and is thus also freed. The process repeats itself for each node in the list originally pointed at by p until the entire list is freed. However, imagine the situation where p’s list was circular, that is, the last node in the list pointed to the first node. Then, after executing the above assignment, the reference count in the first node would be one (not zero), because it still has a direct reference, namely, the last node in the list. The list, however, would still be garbage but the reference counting method would not detect this fact. This simple example serves to illustrate both the strengths and weaknesses of the method of garbage collection using reference counts. A major strength is that the time spent garbage collecting is distributed across the program execution, occurring naturally whenever a pointer assignment is made or a program scope is closed. A disadvantage is the storage cost of the reference count associated with each node. A more serious weakness is the inability to free nodes that occur in circular lists and graphs. In contrast to reference counting, the remaining two algorithms are invoked only when a new operation would fail because there is insufficient free space remaining in the heap. In the next section we examine the mark-sweep algorithm.
100.4.2 Mark-Sweep The mark-sweep algorithm is basically a two-pass algorithm. In the first pass, the references from each program pointer are traced, marking each node reached as accessible. In the second pass, each heap node or block is examined; if its mode bit is marked inaccessible, then it is returned to the free space list. The mark-sweep algorithm is invoked when a heap space request via a new operation cannot be satisfied. As with reference counting, each heap node has an extra hidden field, which is used to keep track of whether the node is accessible to the program. Thus, the extra space required is logically only a single bit, denoted the mark bit. Each memory block in the free space and each allocated node has its mark bit set to inaccessible or zero. When the mark pass is begun, it follows each chain from every active program pointer variable, changing the mark bit of all heap nodes visited from inaccessible (zero) to accessible (one). The end of a mark pass is depicted in Figure 100.8; the nodes in the list referenced by p are marked accessible, while the others remain inaccessible. The sweep pass references every node or memory block in the heap. Any such node whose mark bit is set to inaccessible is returned to the free space list. The accessible nodes have their mark bit reset to inaccessible. As can be seen from Figure 100.8, circular chains or cycles present no problem. © 2004 by Taylor & Francis Group, LLC
p
1
1
1
0
0
0
FIGURE 100.8 End of mark pass of mark-sweep algorithm.
Once the sweep pass is complete and garbage has been returned to the free space list, the attempt to complete the new operation is again attempted. If the free space is still insufficient, the new operation terminates in error, the details of which are language dependent. The strength and weaknesses of mark-sweep are the exact opposite of reference counting. The major weakness of mark-sweep is the fact that garbage collection is postponed until the free space in the heap is exhausted. This can result in a noticeable interruption in the program execution while the garbage collection algorithm is being run. On the other hand, all garbage is identified and returned to the free space list. Another advantage of mark-sweep is that the storage overhead needed is only a single bit per node.
100.4.3 Copy Collection An alternative to the mark-sweep algorithm is the copy collection algorithm. The latter represents a time/space compromise relative to mark-sweep. For copy collection, the heap is divided in half, termed the active space and the inactive space. A free space list is maintained for the active space. As with mark-sweep, requests for space are made out of the active space until a space request cannot be satisfied. At that point, the copy collection algorithm is invoked to garbage collect inaccessible memory blocks. As with mark-sweep, pointers are traced from every active program variable. Instead of being marked, the accessible nodes are copied from the active space to the inactive space; the associated pointers are updated to reflect this copying. At the end of the copy pass, all the active space is freed and the roles of the active and inactive spaces are reversed. One of the complications of the algorithm is that it must keep a list of all nodes that have been moved from the active space to the inactive space. Then when a reference is found to a moved node, that reference is updated, rather than (incorrectly) moving the node again. The copy collection algorithm involves a classic time/space trade-off versus the mark-sweep algorithm. By dividing the heap in half, garbage collection will be invoked more frequently. On the other hand, copy collection is considerably faster because it makes only a single pass over the heap nodes. An extensive discussion of the efficiency of these garbage collection strategies can be found in Jones [1996].
100.5 Summary In this chapter the memory management principles of the runtime stack have been discussed; the application of these principles to the Sun SPARC architecture has been shown. An understanding of these principles and their application to a specific architecture is important in developing debuggers, working with multiple threads, and developing other tools that must interact with the runtime environment. We have further discussed memory management of the heap and examined common garbage collection algorithms. One of the important areas of research is better garbage collection algorithms. Another area is points-to analysis, which determines where various pointers point. This technique is used both for better memory usage and for identifying memory leaks. © 2004 by Taylor & Francis Group, LLC
Another continuing area of research in runtime environments is the development of compilers and related tools for both massively parallel and distributed computer systems. The goal is to develop languages and compilers so that programming systems can be developed and debugged on traditional single-CPU workstations and then recompiled and run on either a massively parallel computer system or a distributed computer system. This approach is particularly attractive for the so-called grand challenge problems of science. Wolfe [1996] is one text in this area. Meek [1995] discusses the work of the International Standard Organization (ISO) in attempting to standardize the notion of a procedure call and parameter passing even in a distributed environment.
Defining Terms Activation record: A record containing all the information associated with an activation or call of a procedure or function. This information includes the return address of the caller, the procedure’s parameters and local variables, and the frame pointer of the caller. Activation stack: A stack of activation records, one for each active procedure call. Actual parameter or argument: A parameter that appears in a call of the procedure or function. Call-by-address parameter: A method of parameter transmission whereby the address of the actual parameter is copied to the formal parameter at the time of the call. The formal parameter is effectively a constant pointer variable. Any reference to the formal parameter is treated as a reference to the actual parameter. Also known as call-by-reference or call-by-location. Call-by-result parameter: A method of parameter transmission whereby the value of the formal parameter is copied back to the actual parameter at the time of the return. Prior to executing the return statement, there is no correspondence between the actual and formal parameters. Call-by-value parameter: A method of parameter transmission whereby the value of the corresponding actual parameter is copied to the formal parameter at the time of the call. Thereafter, there is no correspondence between the actual and formal parameters. In particular, changes to the formal parameter have no effect on the actual parameter. Call-by-value-result parameter: A method of parameter transmission that combines call-by-value and call-by-result. Dangling reference: A pointer that still references a memory block that has been been returned to the heap as free space. Formal parameter or argument: A parameter name that appears in the declaration or header of a procedure or function. Frame pointer: A register that normally points to the base or beginning of the activation record on the top of the activation stack. Garbage collecton: The process of collecting portions of the heap that are no longer referenced by the program. Heap: The portion of memory assigned to an executing program to use for dynamic memory allocation. Leaf procedure: A procedure that does not call another procedure. Memory leak: Failure to return unused space to the heap. Register window: A collection of registers assigned to an executing process in the SPARC architecture. Stack frame: The activation record on the runtime stack for a method or function. Stack pointer: A register that points to the top of the activation stack.
References Ada 1991. The Annotated Ada Reference Manual, 2nd ed. Grebyn, Vienna, VA. Barnes, J. G. P. 1995. Programming in Ada 95. Addison-Wesley, Reading, MA. Gilman, L. 1992. APL, an Interactive Approach. Krieger, Malabar, FL. Goldberg, A. 1985. Smalltalk-80: the Language and its Implementation. Addison-Wesley, Reading, MA. Jones, R. R. and Lins, R. 1996. Garbage Collection. John Wiley, New York. © 2004 by Taylor & Francis Group, LLC
Kernighan, B. W. and Ritchie, D. M. 1988. The C Programming Language, 2nd ed. Prentice Hall, Englewood Cliffs, NJ. Louden, K. C. 1993. Programming Languages: Principles and Practice. PWS-Kent, Boston, MA. MacLennan, B. J. 1987. Principles of Programming Languages, 2nd ed. Holt, Rinehart and Winston, New York. Meek, B. L. 1995. What is a procedure call? SIGPLAN Notices, 30(9):33–40. Motorola. 1993. PowerPC 601: RISC Microprocessor’s User’s Manual. Motorola, Phoenix, AZ. Paul, R. P. 1994. SPARC Architecture Assembly Language Programming and C. Prentice Hall, Englewood Cliffs, NJ. Pratt, T. W. and Zelkowitz, M. V. 2001. Programming Languages Design and Implementation, 4th ed. Prentice Hall, Englewood Cliffs, NJ. Sankaran, N. 1994. Bibliography on garbage collection and related topics. SIGPLAN Notices, 29(9):149– 158. Sebesta, R. W. 2002. Concepts of Programming Languages, 5th ed. Addison-Wesley, Reading, MA. Steele, G. L. 1990. Common LISP: the Language. Digital Press, Bedford, MA. Stroustrup, B. 1995. The C++ Programming Language, 2nd ed., reprinted with corrections. Addison-Wesley, Reading, MA. Tucker, A. and Noonan, R. 2002. Programming Languages: Principles and Paradigms. McGraw-Hill, New York. Welburn, T. 1995. Structured COBOL: Fundamentals and Style. McGraw-Hill, New York. Wolfe, M. 1996. High Performance Compilers for Parallel Computing. Addison-Wesley, Reading, MA. Zirkel, G. 1994. Understanding FORTRAN 77 and 90. PWS, Boston, MA.
Further Information The ACM Transactions on Programming Languages and Systems (TOPLAS) is probably the leading theoretical journal in the area of run time environments and memory management. Many important papers in the areas of compiler optimization and points-to analysis are published here, as well as various ACM conferences. A more applied journal is Software Practice & Experience, which is aimed at the practitioner rather than the theoretician. The scope of this journal (as stated on the inner cover) is “practical experience with new and established software for both systems and applications.” Thus, although the scope is broader, techniques of various architectural features are illustrated. One example might be the simulation of the improvement gained in execution speed by adding register windows to a given architecture. The journal Computer Languages sits squarely between the previous two, in that it contains both theoretical and applied papers, but its scope is more narrowly focused. Finally, the Journal of Systems and Software includes both research papers as well as reports on the state of the art and practical experience. Topic areas include programming methodology and related hardware-software issues, including programming environments.
© 2004 by Taylor & Francis Group, LLC
XI Software Engineering The subject area of Software Engineering is concerned with the application of a systematic approach to the analysis, design, implementation, deployment, and evolution of software. There are various models of the software process and many methodologies for the different phases of the process. Also, the process often involves the use of tools and techniques, such as software architecture and formal methods, to build computing systems that are correct, reliable, extensible, reusable, secure, efficient, and easy to use. This section provides a modern treatment of software engineering, both from the technical point of view and from the project management point of view. 101 Software Qualities and Principles Carlo Ghezzi, Mehdi Jazayeri, and Dino Mandrioli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101-1 Classification of Software Qualities • Representative Software Qualities • Quality Assurance • Software Engineering Principles in Support of Software Quality • A Case Study in Compiler Construction • Summarizing Remarks
102 Software Process Models
Ian Sommerville . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102-1
Introduction • Specification-Driven Models • Evolutionary Development Models • Iterative Models • Formal Transformation • The Cleanroom Process • Process Model Applicability • Research Issues and Summary
103 Traditional Software Design
Steven A. Demurjian Sr. . . . . . . . . . . . . . . . . . . . . . . . . . . 103-1
Introduction • The High-Tech Supermarket System • Traditional Approaches to Design • Design by Encapsulation and Hiding • Mathematical and Analytical Design
Steven A. Demurjian Sr. and Patricia J. Pia . . . 104-1
104 Object-Oriented Software Design
Introduction • Object-Oriented Concepts and Terms • Choosing Classes • Inheritance: Motivation, Usage, and Costs • Categories of Classes and Design Flaws • The Unified Modeling Language • Design Patterns
105 Software Testing Introduction
•
Gregory M. Kapfhammer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105-1
Underlying Principles
106 Formal Methods
•
Best Practices
•
Conclusion
Jonathan P. Bowen and Michael G. Hinchey . . . . . . . . . . . . . . . . . . . 106-1
Introduction • Underlying Principles • Best Practices • A Case Study • Technology Transfer and Research Issues • Glossary of Z Notation
107 Verification and Validation
John D. Gannon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107-1
Introduction • Approaches to Verification • Verifying Specifications of Systems • Verifying Programs • Current Status
108 Development Strategies and Project Management
Roger S. Pressman. . . . . . . . . . . 108-1
Development Strategies • The Management Spectrum • Software Project Management • Software Quality Assurance • Software Configuration Management • Summary © 2004 by Taylor & Francis Group, LLC
109 Software Architecture
Stephen B. Seidman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109-1
Introduction • Underlying Principles • Describing Individual Software Architectures • Architecture Description Languages • Describing Architectural Styles
110 Specialized System Development
Osama Eljabiri and Fadi P. Deek . . . . . . . . . . . . . . 110-1
Introduction • Principles of Specialized System Development Specialized Development • Research Issues and Summary
© 2004 by Taylor & Francis Group, LLC
•
Application-Based
101 Software Qualities and Principles 101.1
Classification of Software Qualities . . . . . . . . . . . . . . . 101-2 Product and Process Qualities Qualities
101.2
•
External vs. Internal
Representative Software Qualities . . . . . . . . . . . . . . . . . 101-3 Correctness, Reliability, and Robustness • Performance • Usability • Verifiability • Security • Maintainability • Reusability • Portability • Understandability • Interoperability • Productivity • Timeliness • Visibility
101.3 101.4
Rigor and Formality • Separation of Concerns • Modularity • Abstraction • Anticipation of Change • Generality • Incrementality
Carlo Ghezzi Politecnico di Milano
Mehdi Jazayeri
101.5
A Case Study in Compiler Construction . . . . . . . . . . 101-21 Rigor and Formality • Separation of Concerns • Modularity • Abstraction • Anticipation of Change • Generality • Incrementality
Technical University of Vienna
Dino Mandrioli Politecnico di Milano
Quality Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101-13 Software Engineering Principles in Support of Software Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101-14
101.6
Summarizing Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 101-24
The goal of any engineering activity is to build something — an artifact or a product. The civil engineer builds a bridge, the aerospace engineer builds an airplane, and the electrical engineer builds a circuit. The product of software engineering is a software application or software system. It is not as tangible as the other products, but it is a product nonetheless. It serves a function. In some ways, software products are similar to other engineering products, and in other ways they are very different. The characteristic that perhaps sets software apart from other engineering products the most is that software is malleable. We can modify the product itself — as opposed to its design — rather easily. This makes software quite different from other products, such as cars or ovens. The malleability of software is often misused. Even though it is possible to modify a bridge or an airplane to satisfy some new need — for example, to make the bridge support more traffic or the airplane carry more cargo — such a modification is never taken lightly and certainly is not attempted without first making a design change and verifying the impact of the change extensively. Software engineers, on the other hand, are often asked to perform such modifications on software. Software’s malleability sometimes leads people to think that it can be changed easily. In practice, it cannot. We may be able to change code easily with a text editor, but meeting the need for which the change was intended is not necessarily done so easily. Indeed, we must treat software like other engineering products
© 2004 by Taylor & Francis Group, LLC
in this regard. A change in software must be viewed as a change in the design rather than in the code, which is just an instance of the product. We can exploit the malleability property, but we must do so with discipline. Another characteristic of software is that its creation is human intensive. It requires mostly engineering, rather than manufacturing, resources. In most other engineering disciplines, the manufacturing process determines the final cost of the product. Also, the process must be managed closely to ensure that defects are not introduced into the product, for example, through the use of faulty parts. The same considerations apply to computer hardware products. For software, on the other hand, “manufacturing” is a trivial process of duplication. The software production process deals with design and implementation, rather than with manufacturing. This process must meet certain criteria to ensure the production of high-quality software. Any product is expected to fulfill some need and meet some acceptance standards that dictate the qualities it must have. A bridge performs the function of making it easier to travel from one point to another; one of the qualities it is expected to have is that it will not collapse when the first strong wind blows or when a convoy of trucks travels across it. In traditional engineering disciplines, the engineer has tools for describing the qualities of the product distinctly from those of the design of the product. In software engineering, the distinction is not so clear. The functional requirements of the software product are often intermixed in specifications with the qualities of the design. To achieve the desired qualities, the construction of any nontrivial product must follow sound design principles. These principles apply to any engineering discipline, including software engineering. In applying such principles to software engineering, they must be customized to deal with the peculiar characteristics of software. Software engineering principles deal with both the software process of software engineering and the final software product. The right process helps to produce the right product, but the desired product also affects the choice of which process to use. In this chapter, we first examine the qualities that are relevant to software products and software production processes (Section 101.1 and Section 101.2) and the means to assess them (Section 101.3). In Section 101.4, we present general principles that may be applied throughout the process of software construction and management in order to achieve the desired qualities of software products. Finally, Section 101.5 presents a case study of the use of software engineering principles for compiler development. Throughout the chapter, we assume that the software product to be developed is large and complex. The application of engineering principles is indispensable in the development of such products. In general, the choice of principles and techniques is determined by the software quality goals. Software for critical applications, where the effects of errors are serious, even disastrous, imposes stricter reliability requirements than noncritical applications. Principles, however, are not sufficient. In fact, they are general and abstract statements describing desirable properties of software processes and products. To apply principles, the software engineer uses appropriate methods and specific techniques that help to incorporate the desired properties into processes and products. Sometimes, methods and techniques are packaged together to form a methodology. The purpose of a methodology is to promote a certain approach to solving a problem by preselecting the methods and techniques to be used. Some important software design methods will be the issue of specific chapters of this Handbook. Many methodologies are supported by software tools.
101.1 Classification of Software Qualities There are many desirable software qualities. Some apply both to the product and to the process used to produce the product. The user wants the software product to be reliable, efficient, and easy to use. The producer of the software wants it to be verifiable, maintainable, portable, and extensible. The manager of the software project wants the process of software development to be productive, predictable, and easy to
© 2004 by Taylor & Francis Group, LLC
control. In this section, we consider two different classifications of software-related qualities: internal vs. external and product vs. process.
101.1.1 Product and Process Qualities We use a process to produce the software product. We distinguish between qualities that apply to products and those that apply to processes. For example, we may want the product to be user-friendly and we may want the process to be efficient. Often, however, process qualities are closely related to product qualities. For example, if the process requires careful planning of test data before any design and development of the system starts, product reliability will increase. Moreover, there are qualities, such as efficiency, that can refer both to the product and the process. It is useful to examine the word product here. It usually refers to what is delivered to the customer. Even though this is an acceptable definition from the customer’s perspective, it is not adequate for the developer who produces a number of intermediate products in the course of the software process. The customer-visible product consists perhaps of the executable code and the user manual, but the developers produce a number of other artifacts, such as requirements and design documents, test data, etc. We refer to these intermediate products as work products or artifacts to distinguish them from the end product delivered to the customer. Work products are often subject to similar quality requirements as the end product. Given the existence of many work products, it is possible to deliver different subsets of them to different customers. For example, a computer manufacturer might sell to a process control company the object code to be installed in the specialized hardware for an embedded application. It might sell the object code and the user’s manual to software dealers. It might even sell the design and the source code to software vendors, who modify them to build other products. In this case, the developers of the original system see one product, the salespersons in the same company see a set of related products, and the end user and the software vendor see still other, different products. Process quality has received increasing attention over time, as its impact on product quality has been recognized and observed.
101.1.2 External vs. Internal Qualities We can divide software qualities into external and internal qualities. External qualities are visible to the users of the system; internal qualities concern the developers of the system. In general, users of software care only about external qualities, but it is the internal qualities — which deals largely with the structure of the software — that help developers achieve the external qualities. For example, the internal quality of verifiability is necessary for achieving the external quality of reliability. In many cases, however, the qualities are closely related, and the distinction between internal and external may depend on the user and the delivered product. For instance, a well documented design is usually an internal quality; in some cases, however, users want the delivery of design documentation as an essential part of the product (e.g., for military products). In this case, this quality becomes external.
101.2 Representative Software Qualities In this section, we present the most important qualities of software products and processes. Where appropriate, we analyze a quality with respect to the classifications discussed in Section 101.1. Several software quality models are proposed in the literature. Most of them share the essential aspects but differ in emphasis and organization. ISO 9126 states, “The maturity of the models, terms, and definitions does not yet allow them to be included in a standard” [ISO 9126]. Furthermore, some application areas emphasize certain qualities and may require more specialized qualities. We give some examples of such qualities when we describe specific qualities.
© 2004 by Taylor & Francis Group, LLC
101.2.1 Correctness, Reliability, and Robustness The terms correctness, reliability, and robustness are related and collectively characterize a quality of software which implies that the application performs its functions as expected. In this section, we define these three terms and discuss their relationships to one another. 101.2.1.1 Correctness A program is written to provide functions specified in its functional requirements specifications. Often, there are other requirements — such as performance and scalablity — that do not pertain to the functions of the system. We call these kinds of requirements nonfunctional requirements. A program is functionally correct if it behaves according to its stated functional specifications. It is common simply to use the term correct rather than functionally correct; similarly, in this context, the term specifications implies functional requirements specifications. We shall follow this convention when the context is clear. The definition of correctness assumes that specifications for the system are available and that it is possible to determine unambiguously whether a program meets the specifications. Such specifications rarely exist for most current software systems. If a specification does exist, it is usually written in an informal style using natural language. Therefore, it is likely to contain many ambiguities. Regardless of these difficulties with current specifications, however, the definition of correctness is useful because it captures a desirable goal for software systems. Correctness establishes the equivalence between the software and its specification. Obviously, we can be more systematic and precise in assessing correctness, depending on how rigorous we are in specifying functional requirements. As we shall see in Chapter 113, we may assess the correctness of a program through a variety of methods, some based on an experimental approach (e.g., testing), others based on an analytic approach (e.g., inspections or formal verification of correctness). Correctness can be enhanced by using appropriate tools, such as high-level languages — particularly those supporting extensive static analysis. Likewise, correctness can be improved by using standard proven algorithms or libraries of standard modules, rather than inventing new ones. Finally, correctness can be enhanced by using proven methodologies and processes. 101.2.1.2 Reliability Informally, software is reliable if the user can depend on it; in fact, the attribute dependable is also used in such a case. The specialized literature on software reliability, however, defines reliability in terms of statistical behavior — the probability that the software will operate as expected over a specified time interval. According to this definition, reliability is a more specialized — and measurable — quality than the generic term dependability. For the purpose of this chapter, however, the informal definition is sufficient, and we consider the two terms as synonymous. Correctness is an absolute quality: any deviation from its requirements makes a system incorrect, regardless of how minor or serious the consequence of the deviation is. The notion of reliability is, on the other hand, relative. If the consequence of a software error is not serious, the incorrect software may still be reliable. Engineering products are expected to be reliable. Unreliable products, in general, disappear quickly from the marketplace. Unfortunately, software products have not yet achieved this enviable status of reliability. Software products are commonly released along with a list of known bugs. Users of software take it for granted that Release 1 of a product is “buggy.” This is one of the most striking symptoms of the immaturity of the software engineering field as an engineering discipline. In classic engineering disciplines, a product is not released if it has bugs. You do not expect to take delivery of an automobile along with a list of shortcomings or a bridge with a warning not to lean over the railing. In the classic disciplines, design errors are extremely rare and generate news headlines. A collapsed bridge may even cause the designers to be prosecuted in court. In contrast, software design errors are generally treated as unavoidable. Far from being surprised when we find software errors, we expect them. Instead of a guarantee of reliability, with software we get a disclaimer © 2004 by Taylor & Francis Group, LLC
Reliability Correctness
FIGURE 101.1 Idealized relationship between correctness and reliability.
that the manufacturer is not responsible for any damages due to product errors. Software engineering is still trying to achieve software reliability comparable to the reliability of other products. Figure 101.1 illustrates the relationship between reliability and correctness, under the assumption that the functional requirements specification indeed captures all the desirable properties of the application and that no undesirable properties are erroneously specified in it. The figure shows that the set of all reliable programs includes the set of correct programs, but not vice versa. Unfortunately, things are different in practice. In fact, the specification is a model of what the user wants, but the model may or may not be an accurate statement of the user’s actual requirements. All the software can do is meet the specified requirements of the model; it cannot assure the accuracy of the model. Thus, Figure 101.1 represents an idealized situation wherein the requirements are themselves assumed to be correct; that is, they are a faithful representation of what the implementation must ensure in order to satisfy the needs of the expected users. Often, however, there are insurmountable obstacles to achieving this goal. The upshot is that we sometimes have correct applications designed for “incorrect” requirements, so that correctness of the software may not be sufficient to guarantee the user that the software behaves as expected. This situation is discussed in Section 101.2.1.3. Reliability has several subcomponents that assume importance depending on the application domain. Three qualities that contribute to reliability are fault-tolerance, availability, and safety. Fault-tolerance refers to the ability of the software to detect faults in the hardware environment, such as transient power failures, and continue operation in the face of them. Availability refers to the property of the system that ensures that the system’s services are available to users close to 100% of the time. Thus, a highly available system must not only be able to deal with faults and errors; it also must allow system diagnostic and maintenance procedures to be carried out while the system is in normal operations. Systems such as telephone systems and banking systems must be both fault-tolerant and highly available. High availability and fault tolerance are usually accomplished by distributed architectures that use redundant resources. In the case of highly critical systems, the term safety is often used to denote the absence of undesirable behaviors that can cause system hazards. Safety deals with requirements other than the primary mission of a system and requires that the system execute without causing unacceptable risk. Unlike functional requirements, which describe the intended correct behavior in terms of input–output relationships, safety requirements describe what should never happen while the system is executing. In some sense, they are negative requirements: they specify the states the system must never enter. For example, an X-ray medical system must observe the safety property that the radiation it applies never exceeds a certain threshold. 101.2.1.3 Robustness A program is robust if it behaves “reasonably,” even in circumstances that were not anticipated in the requirements specification — for example, when it encounters incorrect input data or some hardware malfunction (say, a disk crash). A program that assumes perfect input and generates an unrecoverable runtime error as soon as the user inadvertently types an incorrect command is not robust. It might be correct, though, if the requirements specification does not state what the program should do in the face of incorrect input. Obviously, robustness is difficult to define; after all, if we could state precisely what we should do © 2004 by Taylor & Francis Group, LLC
to make an application robust, we would be able to specify its “reasonable” behavior completely. Thus, robustness would become equivalent to correctness (or reliability, in the sense of Figure 101.1). Again, an analogy with bridges is instructive. Two bridges connecting two sides of the same river are both correct if each satisfies the stated requirements. If, however, during an unexpected, unprecedented earthquake, one collapses and the other one does not, we can call the latter more robust than the former. Notice that the lesson learned from the collapse of the bridge will probably lead to more complete requirements for future bridges, establishing resistance to earthquakes as a correctness requirement. In other words, as the phenomenon under study becomes better known, we approach the ideal case shown in Figure 101.1, where specifications capture the expected requirements exactly. The means to achieve robustness depend on the application area. For example, a system written for novice computer users must be more prepared to deal with ill formatted input than an embedded system that receives its input from a sensor. This, of course, does not imply that embedded systems do not need to be robust. On the contrary, embedded systems often control critical devices and require extra robustness. In conclusion, we can see that robustness and correctness are strongly related, without a sharp dividing line between them. If we put a requirement in the specification, its accomplishment becomes an issue of correctness; if we leave the requirement out of the specification, it may become an issue of robustness. The border between the two qualities is thus determined by the specification of the system. Finally, reliability comes in because not all incorrect behaviors signify equally serious problems; that is, some incorrect behaviors may be tolerable. We may also use the terms correctness, robustness, and reliability in relation to the software production process. A process is robust, for example, if it can accommodate unanticipated changes in the environment, such as a new release of the operating system or the sudden transfer of half the employees to another location. A process is reliable if it consistently leads to the production of high-quality products.
101.2.2 Performance Any engineering product is expected to operate at a certain level of performance. Unlike other disciplines, software engineering often equates performance with efficiency, but they are not the same. Efficiency is an internal quality and refers to how economically the software utilizes the resources of the computer. Performance, on the other hand, is an external quality based on user requirements. For example, a customer may specify a performance requirement for a telephone switch to be able to process 10,000 calls per hour. An efficiency requirement for the same switch may state that processing a call must use a minimum amount of memory and take a minimum amount of time. Efficient use of resources often affects the performance of a system. For example, conserving memory may increase the response time of a switch and its ability to process a high number of calls per second. Performance may affect the usability of the system. If a software system is too slow, it reduces the users’ productivity, possibly to the point of not meeting their needs. Performance also affects the scalability of a software system. An algorithm that is quadratic may work on small inputs but not work at all on larger inputs. There are three basic approaches to evaluating the performance of a system: measurement, analysis, and simulation. We can measure the actual performance of a system by means of hardware and software monitors that collect data while the system is running and thereby allow us to discover bottlenecks in the system. The second approach is to build a model of the product and mathematically analyze it. The third approach is to use the model to simulate the product. In some application areas, performance criteria are standardized and may be used as the basis for comparing different products. For example, in telephone switching systems, number of calls processed per second and the maximum number of simultaneous calls processed are two common measures. For information systems, number of transactions per second is a common performance measure and is used as the basis for product selection. In many software development projects, performance is addressed only after the initial version of the product is implemented. At that point, it is very difficult — sometimes even impossible — to achieve © 2004 by Taylor & Francis Group, LLC
significant improvements in performance without redesigning the software. Instead, even a simple model is useful for predicting a system’s performance and guiding design choices so as to minimize the need for redesign. In some complex projects, in which the feasibility of the performance requirements is not clear, much effort is devoted to building performance models. Such projects start with a performance model and use it initially to answer feasibility questions and later in making design decisions. These models can help to resolve such issues as whether a function should be provided by software or by a special-purpose hardware device. The notion of performance also applies to a development process, in which case we call it productivity. Productivity is important enough to be treated as an independent quality and is discussed in Section 101.2.11.
101.2.3 Usability A software system is usable — or user-friendly— if its human users find it easy to use. This definition reflects the subjective nature of usability. The user interface is an important component of user-friendliness. Properties that make an application user-friendly to novices are different from those desired by expert users. For example, a software system that presents the novice user with a graphical interface is friendlier than one that requires the user to enter a set of one-letter commands. On the other hand, experienced users might prefer a set of commands that minimize the number of keystrokes, rather than a fancy graphical interface through which they must navigate to get to the command that they knew all along they wanted to execute. There is more to user-friendliness, however, than the user interface. For example, an embedded software system does not have a human user interface. Instead, it interacts with hardware and perhaps other software systems. In this case, usability is reflected in the ease with which the system can be configured and adapted to the hardware environment. In general, the user-friendliness of a system depends on the consistency and predictability of its user and operator interfaces. Clearly, however, the other qualities mentioned — such as correctness and performance — also affect user-friendliness. A software system that produces wrong answers is not friendly, regardless of how fancy its user interface is. Also, a software system that produces answers more slowly than the user requires is not friendly, even if the answers are displayed in a beautiful color. Usability is also discussed under the subject of human factors. Human factors and usability engineering play a major role in many engineering disciplines. For example, automobile manufacturers devote significant effort to deciding the positions of the various control knobs on the dashboard. Television manufacturers and microwave oven makers also try to make their products easy to use. User interface decisions in these classical engineering fields are made after extensive study of user needs and attitudes by specialists in fields such as industrial design or psychology. Interestingly, ease of use in many engineering disciplines is achieved through standardization of the human interface. Once a user knows how to use one television set, that user can operate almost any other television set. There is a clear trend in software applications toward more uniform and standard user interfaces, as seen, for example, in Web browsers. There are also usability labs that attempt to measure the usability of software products.
101.2.4 Verifiability A software system is verifiable if its properties can be verified easily. For example, it is important to be able to verify the correctness or the performance of a software system. Verification can be performed by formal and informal analysis methods or through testing. Verifiability is usually an internal quality, although it sometimes becomes an external quality also. For example, in many security-critical applications, the customer requires the verifiability of certain properties. The highest level of the security standard for a trusted computer system requires the verifiability of the operating system kernel.
© 2004 by Taylor & Francis Group, LLC
101.2.5 Security A system is secure if it provides its services only to its authorized users and protects the rights and information of those users. Although security is important in any system, it has gained importance as applications have become increasingly distributed and offered over public networks. Security is an important quality of information systems, in which users trust the safeguarding of their data to the system. For example, a banking system that maintains customer account data and provides access to that data through the Internet is required to be secure. Two qualities related to security are data integrity and privacy. Data integrity ensures that once the user data is committed to the system, it will not be modified or destroyed through system malfunction or unintended or malicious acts of other users. Privacy ensures that user transactions and user data are protected from unauthorized users and will be not be used for unauthorized purposes. For example, credit card numbers entered into an electronic commerce system must be used only for the purpose of the transaction for which they were entered. The combination of security and verifiability enables security properties to be verified. Such a combination is relevant in financial and military systems.
101.2.6 Maintainability The term software maintenance is commonly used to refer to the modifications that are made to a software system after its initial release. Maintenance used to be viewed as merely “bug fixing,” and it was distressing to discover that so much effort was being spent on fixing defects. Studies have shown, however, that the majority of time spent on maintenance is, in fact, spent on enhancing the product with features that were not in the original specifications or that were stated incorrectly there. Maintenance is indeed not the proper word to use with software. First, as it is used today, the term covers a wide range of activities, all having to do with modifying an existing piece of software in order to make an improvement. A term that captures the essence of this process better is software evolution. Second, in other engineering products, such as computer hardware, automobiles, or washing machines, maintenance refers to the upkeep of the product in response to the gradual deterioration of parts due to extended use of the product. For example, transmissions are oiled and air filters are dusted and periodically changed. To use the word maintenance with software gives the wrong connotation, because software does not wear out. Unfortunately, the term is used widely, and we will continue using it here. There is evidence that maintenance costs exceed 60 percent of the total costs of software. To analyze the factors that affect such costs, it is customary to divide software maintenance into three categories: corrective, adaptive, and perfective. Corrective maintenance has to do with the removal of residual errors that are present in the product when it is delivered, as well as errors introduced into the software during its maintenance. Corrective maintenance accounts for about 20% of maintenance costs. Adaptive maintenance, which accounts for nearly another 20% of maintenance costs, involves adjusting the application to changes in the environment (e.g., a new release of the hardware or the operating system or a new database system). Finally, perfective maintenance, which absorbs over 50% of maintenance costs, involves changing the software to improve some of its qualities. Here, changes are due to the need to modify the functions offered by the application, add new functions, improve the performance of the application, make it easier to use, etc. The requests to perform perfective maintenance may come directly from the software engineer, in order to improve the status of the product on the market, or they may come from the customer, to meet some new requirements. The term legacy software refers to software that already exists in an organization and usually embodies much of the organization’s processes and knowledge. Such software holds considerable value for the organization, represents past investments, and may not be replaced easily. On the other hand, because of its age, it is usually written in older languages and uses older software engineering technology. Legacy software is, therefore, difficult to maintain. For example, an old personnel system may embody an organization’s operational procedures and personnel policies. Such legacy systems represent a challenge to © 2004 by Taylor & Francis Group, LLC
software evolution. Reverse engineering and reengineering techniques and technologies aim at uncovering the structure of legacy software and restructuring or in some way improving it. Maintainability can be seen as two separate qualities: reparability and evolvability. Software is reparable if it allows the fixing of defects; it is evolvable if it allows changes that enable it to satisfy new or modified requirements. The distinction between reparability and evolvability is not always clear. For example, if the requirements specifications are vague, it may not be clear whether a change is made to fix a defect or to satisfy a new requirement. In general, however, the distinction between the two qualities is useful. Both reparability and evolvability are improved by suitable modularization in the software structure. As we shall see later, the right modularization may help to locate errors more easily. It may also help to encapsulate the changeable parts in a separate module, making it easier to apply changes.
101.2.7 Reusability Reusability is akin to evolvability. In product evolution, we modify a product to build a new version of that same product; in product reuse, we use the product — perhaps with minor changes — to build another product. Reusability may be applied at different levels of granularity — from whole applications to individual routines — but it appears to be more applicable to software components than to whole products. A good example of a reusable product is the UNIX shell, which is a command language interpreter; that is, it accepts user commands and executes them. But it is designed to be used both interactively and in batch. The ability to start a new shell with a file containing a list of shell commands allows us to write programs (scripts) in the shell command language. We can view the program as a new product that uses the shell as a component. By encouraging standard interfaces, the UNIX environment in fact supports the reuse of any of its commands, as well as the shell, in building powerful utilities. Numeric libraries were the first examples of reusable components. Several large FORTRAN libraries, now rewritten in other languages, have existed for many years. Users buy these libraries and use them to build their own products, without having to reinvent or recode well known algorithms. Several companies are devoted to producing just such libraries. Nowadays, reusable libraries exist for different areas, such as graphical user interfaces, simulation, etc. One of the goals of reusability researchers is to increase the granularity of components that may be reused. One of the goals of object-oriented programming (see Chapter 91) is to achieve both reusability and evolvability. Reusability is difficult to achieve a posteriori. Reusable components must be designed with reusability as a primary design goal. Reusable components are abstractions of useful concepts, are general, and have clear and usable interfaces. Languages that support generic components, such as C++ and Ada, enable higher levels of reusability in software components. Most C++ libraries commonly consist of template modules. The field of componentbased software engineering (CBSE) has the goal of building applications by assembling a set of ready-made, reusable, off-the-shelf components. (See Chapter 117 on component-based computing.) Object-oriented languages, such as C++ and Java, help in unifying the qualities of evolvability and reusability by extensive use of interfaces, inheritance, and polymorphism. Reusability has broader applicability than just code. It may occur at different levels and may affect both product and process. In general, any of the artifacts of the software process, such as the requirements specification, may be reused. For example, at the requirements level, when a new application is conceived, we may try to identify parts that are similar to parts used in a previous application. Thus, we may reuse parts of the previous requirements specification instead of developing an entirely new one. Clearly, the more modularly designed the work products are, the more likely it is that they, or parts of them, may be reused in the future. Reusability applies to the software process, as well. Indeed, the various software methodologies can be viewed as attempts to reuse the same process for building different products. Life-cycle models are also attempts at reusing higher-level processes. © 2004 by Taylor & Francis Group, LLC
Reusability of standard parts characterizes the maturity of an industrial field. We see high degrees of reuse in such mature areas as the automobile industry and consumer electronics. For example, a car is constructed by assembling many components that are highly standardized and used across many models produced by the same industry. Certainly, the designs are routinely reused from model to model. Finally, the manufacturing process is often reused. The level of reuse is increasing in software, but it still is short of that of other established engineering disciplines.
101.2.8 Portability Software is portable if it can run in different environments. The term environment may refer to a hardware platform or a software environment, such as a particular operating system. Portability is economically important because it helps amortize the investment in the software system across different environments and different generations of the same environment. Many applications are independent of the actual hardware platform, because the operating system provides portability across hardware platforms. These days, the applications’ dependencies are on operating systems and other software systems, such as databases and user interface systems. Portability may be achieved by modularizing the software so that dependencies on the environment are isolated in only a few, well designated modules. To port the software to a new environment, only these environment-dependent modules need to be modified. With the proliferation of networked systems, portability has taken on new importance because the execution environment is naturally heterogeneous, consisting of many different kinds of computers and operating systems. In addition, the delivery devices have become diverse. For example, Internet browsers must be able to run not only on workstations and personal computers, but also on palmtops and even mobile phones. Some software systems are inherently machine-specific. For example, an operating system is written to control a specific computer, and a compiler produces code for a particular machine. Even in these cases, however, it is possible to achieve some level of portability. UNIX and its variant, Linux, are examples of an operating system that has been ported to many different hardware systems. Of course, the porting effort may require months of work. Still, we can call the software portable because writing the system from scratch for the new environment would require much more effort than porting it.
101.2.9 Understandability Some software systems are easier to understand than others. Of course, some tasks are inherently more complex than others. For example, a system that does weather forecasting, no matter how well it is written, will be harder to understand than one that prints a mailing list. We can follow certain guidelines to produce more understandable designs and to write more understandable programs. Systematic documentation of both the design and the program is clearly very important. Furthermore, abstraction and modularity enhance a system’s understandability. The activity of software maintenance is dominated by the subactivity of program understanding. Maintenance engineers spend most of their time trying to uncover the logic of the application and a smaller portion of their time applying changes to the application. Understandability is an internal product quality, and it helps in achieving many of the other qualities, such as evolvability and verifiability. From an external point of view, the user considers a system understandable if it has predictable behavior. External understandability is a factor in a product’s usability.
101.2.10 Interoperability Interoperability refers to the ability of a system to coexist and cooperate with other systems — for example, a word processor’s ability to incorporate a chart produced by a graphics package, the graphics package’s ability to graph the data produced by a spreadsheet, or the spreadsheet’s ability to process an image scanned by a scanner. Interoperability can be seen as reusability at the application level.
© 2004 by Taylor & Francis Group, LLC
Interoperability abounds in other engineering products. For example, stereo systems from various manufacturers work together and can be connected to television sets and video recorders. In fact, stereo systems produced decades ago accommodate new technologies such as compact discs! In contrast, early operating systems had to be modified — sometimes significantly — before they could work with new devices. The generation of plug-and-play operating systems attempts to solve this problem by automatically detecting and working with new devices. The UNIX environment, with its standard interfaces, offers a limited example of interoperability within a single environment. UNIX encourages software engineers to design applications so that they have a simple, standard interface, which allows the output of one application to be used as the input to another. The UNIX standard interface is a primitive, character-oriented one. It falls short when one application needs to use structured data — say, a spreadsheet or an image — produced by another application. With interoperability, a vendor can produce different products and allow the user to combine them if necessary. This makes it easier for the vendor to produce the products, and it gives the user more freedom in exactly what functions to pay for and to combine. Interoperability can be achieved through standardization of interfaces. An example of such interoperability is the Web browser application that provides plug-in interfaces for different applications. For example, a new audio player provided by one vendor may be added to the browser provided by another vendor. A concept related to interoperability is that of an open system — an extensible collection of independently written applications that function as an integrated system. An open system allows the addition of new functionality by independent organizations, after the system is delivered. This can be achieved, for example, by releasing the system together with a specification of its open interfaces. Any application developer can then take advantage of these interfaces, some of which may be used for communication between different applications or systems. Open systems allow different applications, written by different organizations, to interoperate. An interesting requirement of open systems is that new functionality may be added without taking the system down. An open system is analogous to a growing (social) organization that evolves over time, adapting to changes in the environment. The importance of interoperability has sparked a growing interest in open systems, producing some recent efforts at standardization in this area. For example, the CORBA standard defines interfaces that support the development of components that may be used in open distributed systems.
101.2.11 Productivity Productivity is a quality of the software production process, referring to its efficiency and performance. An efficient process results in faster delivery of the product. Individual engineers produce software at a certain rate, although there are great variations among individuals of different ability. When individuals are part of a team, the productivity of the team is some function of the productivity of the individuals. Very often, the combined productivity is much less than the sum of the parts. Management tries to organize team members and adopt processes in such manner as to capitalize on the individual productivity of the members. Productivity offers many trade-offs in the choice of a process. For example, a process that requires specialization of individual team members may lead to high productivity in producing a certain product, but not in producing a variety of products. Software reuse is a technique that increases the overall productivity of an organization in producing a collection of products, but the cost of developing reusable modules can be amortized only over many products. While software productivity is of great interest due to the increasing cost of software, it is difficult to measure. Clearly, we need a metric for measuring productivity — or any other quality, for that matter — if we are to have any hope of comparing different processes in terms of their productivity. Early metrics, such as the number of lines of code produced, have many shortcomings. As with other engineering disciplines, the efficiency of the process is affected strongly by automation. Many modern software engineering tools and environments help in achieving increases in productivity. © 2004 by Taylor & Francis Group, LLC
101.2.12 Timeliness Timeliness is a process-related quality that refers to the ability to deliver a product on time. Historically, timeliness has been lacking in software production processes, leading to the “software crisis,” which in turn led to the need for — and birth of — software engineering itself. Today, due to increased competitive market pressures, software projects face even more stringent time-to-market challenges. Being late may sometimes preclude market opportunities. Although on-time delivery of a product that is lacking in other qualities, such as reliability or performance, may be pointless, some argue that the early delivery of a preliminary and still unstable version of a product may favor the later acceptance of the final product. The Internet has facilitated this approach. Vendors can place early versions of products on the Internet, enabling potential users to try the product, providing feedback to the vendor. Timeliness requires careful scheduling, accurate estimation of work, and clearly specified and verifiable milestones. All engineering disciplines use standard project management techniques to achieve timeliness. They are sometimes difficult to apply in software engineering because of its human intensive nature. There are no objective or standard ways of defining, predicting, and measuring the amount of work required to produce a given piece of software, the productivity of software engineers, and the milestones in the development process. One technique for achieving timeliness is through the incremental delivery of the product. Progressively larger subsets of the product are developed and delivered as new increments at each stage. Each increment provides additional functionality and becomes closer to the final product. Obviously, incremental delivery depends on the ability to break down the set of required system functions into subsets that can be delivered in increments. Incremental delivery allows (parts of) the product to become available earlier; and the use of the early increments helps in refining the requirements incrementally. The biggest challenge to achieving timeliness is to ensure that other qualities, those of both product and process, are not jeopardized by focusing only on timeliness.
101.2.13 Visibility A software development process has visibility if all of its steps and its current status are documented clearly. Another term used to characterize this property, also used in business processes and organizations, is transparency. The idea is that the steps and the status of the project are available and easily accessible for external examination. In many software projects, most engineers and even managers are unaware of the exact status of the project. Some may be designing, others coding, and still others testing, all at the same time. This, in itself, is not bad. Yet, if an engineer starts to redesign a major part of the code just before the software is supposed to be delivered for integration testing, the risk of serious problems and delays will be high. Visibility allows engineers to weigh the impact of their actions and thus guides them in making decisions. It allows the members of the team to work in the same direction, rather than in opposing directions. The most common example of the latter situation is when the integration group has been testing a version of the software, assuming that the next version will involve fixing defects, while the engineering group decides to do a major redesign to add some functionality. This tension, created when one group is trying to stabilize the software while another group is destabilizing it, is common. The process must encourage a consistent view of the status and current goals among all participants. One of the benefits of the synch-and-stabilize software build process, popularized by Microsoft, is that it adds some visibility to the process. In this approach, the software product is rebuilt (integrated) each day, exposing problems in components and their interactions as soon as they occur. These problems may be symptoms of deeper problems, but the process helps to uncover them early. Visibility is not only an internal quality; it is also external. During the course of a long project, many requests arise about the status of the project. Sometimes the requests come from the organization’s management for future planning, and at other times they come from the outside, perhaps from the customer. If the software development process has low visibility, either these status reports will not be accurate, or they will require a lot of effort to prepare each time. © 2004 by Taylor & Francis Group, LLC
A difficulty in managing large projects is dealing with personnel turnover. With many software projects, critical information about the software requirements and design has the form of folklore, known only to people who have been with the project either from the beginning or for a sufficiently long time. In such situations, recovering from the loss of a key engineer or adding new engineers to the project is very difficult. In fact, adding new engineers often reduces the productivity of the whole project, as the folklore is being transferred slowly from the existing crew of engineers to the new engineers. The preceding discussion points out that visibility of the process requires not only that all of its steps be documented, but also that the current status of the intermediate products, such as requirements specifications and design specifications, be maintained accurately; that is, visibility of the product is required, as well. In other words, it must be understandable (see Section 101.2.9).
101.3 Quality Assurance Once we have decided on the qualities that are the goals of software engineering, we need principles and techniques to help us achieve them. We also need to be able to measure a given quality. In software organizations, this activity is called quality assurance. If we identify a quality as important, we must be ready to measure it to determine how well we are achieving it. This, in turn, requires that we define each quality precisely, so that it is clear what we should be measuring. Without measurements, any claims of improvement are without basis. But without defining a quality precisely, there is no hope that we can measure it precisely — let alone quantitatively. The established engineering disciplines have standard techniques for measuring quality. For example, the reliability of many artifacts is commonly characterized by mean time to failure (MTTF), that is, the average time between two consecutive failures of the product. Although some software qualities, such as performance, are measured relatively easily, most software qualities unfortunately have no universally accepted metrics. For example, whether a given system will evolve more easily than another is usually determined subjectively. Nevertheless, metrics are needed, and indeed, much research work is currently under way for defining objective metrics. The current state of practice of quality assurance is a collection of verification and monitoring methods. Some of them are based on objective evaluations, such as testing, and others are based on informal procedures, such as walkthroughs; a few, more ambitious methods aim at exploiting mathematical analysis during software verification. Chapters 111, 113, and 114 relate, to different extents and from different points of view, to the quality assurance problem. Quality assurance for software processes has taken the form of process assessment procedures whose aim is to measure the ability of software organizations and their processes. For example, the capability maturity model (CMM) classifies software development organizations on the basis of detailed evaluation of their processes. The model defines five levels of maturity which may be used to characterize the software process quality of an organization, referred to as its maturity level. The maturity level of an organization is intended to reflect the ability of the organization to predict its costs and schedules. The levels are as follows: 1. Initial — The organization has no statistical control over its processes and no predictability. 2. Repeatable — The organization has a stable, repeatable process, supported by rigorous project management controls. 3. Defined — The organization has defined a base process that is applied consistently for managing different projects. 4. Managed — The process is systematically monitored and its performance measured with appropriate metrics. 5. Optimizing — The process measurements are used for continuous improvement of the process. It turns out that most organizations fall into maturity levels 2 and 3. The CMM is being used by organizations to document their competence and by customers to qualify their vendors. Although the particular way of measuring process maturity and the appropriate metrics to be used are sometimes controversial, the impact of process quality on product quality is generally accepted to be significant. © 2004 by Taylor & Francis Group, LLC
An indispensable technology that supports disciplined processes and is a primary factor that differentiates mature from immature organizations is configuration management, which is concerned with controlled change management. In the software production process, configuration management is concerned with maintaining and controlling the relationship between all the work products of the various versions of a product. Configuration management tools allow the maintenance of families of products and their components. They help in controlling and managing changes to work products.
101.4 Software Engineering Principles in Support of Software Quality So far, we have discussed a number of important software qualities. How can we achieve these qualities? In this section, we discuss seven general principles that help in achieving software quality. These principles may be applied throughout the software development process and are not limited to a particular phase of the process. The principles deal with rigor and formality, separation of concerns, modularity, abstraction, anticipation of change, generality, and incrementality. By its very nature, the list cannot be exhaustive, but it does cover the important areas of software engineering. The principles are, of course, strongly related and together form a set of guidelines for the engineer to follow.
101.4.1 Rigor and Formality Software development is a creative activity. In any creative process, there is an inherent tendency to be neither precise nor accurate, but to follow the inspiration of the moment in an unstructured manner. Rigor — defined as precision and exactness — on the other hand, is a necessary complement to creativity in every engineering activity. It is only through a rigorous approach that we can repeatedly produce reliable products, control their costs, and increase our confidence in their reliability. Rigor need not constrain creativity. Rather, it can be used as a tool to enhance creativity. The engineer can be more confident of the results of a creative process after performing a rigorous assessment of those results. Paradoxically, rigor is an intuitive principle that cannot be defined in a rigorous way. Also, various degrees of rigor can be achieved. The highest degree is what we call formality. Thus, formality is a stronger requirement than rigor. It requires the software process to be driven and evaluated by mathematical laws. Of course, formality implies rigor, but the converse is not true. One can be rigorous and precise even in an informal setting. In every engineering field, the design process proceeds as a sequence of well defined, precisely stated, and supposedly sound steps. In each step, the engineer follows some method or applies some technique. The methods and techniques applied may be based on some combination of theoretical results derived by some formal modeling of reality, empirical adjustments that take care of phenomena not dealt with by the model, and rules of thumb that depend on past experience. The blend of these factors results in a rigorous and systematic approach — the methodology— that can be easily explained and applied time and again. There is no need to be always formal during design, but the engineer must know how and when to be formal, should the need arise. For example, the engineer can rely on past experience and rules of thumb to design a small bridge, to be used temporarily to connect the two sides of a creek. If the bridge were a large and permanent one, on the other hand, the engineer would instead use a mathematical model to verify whether the design was safe. An exceptionally long bridge or one built in an area of much seismic activity would require a more sophisticated mathematical model. In that case, the mathematical model would take into account factors that could be ignored in the previous case. Another — perhaps striking — example of the interplay between rigor and formality may be observed in mathematics. Textbooks on functional calculus are rigorous but seldom formal. Proofs of theorems are done in a very careful way, as sequences of intermediate deductions that lead to the final statement; each © 2004 by Taylor & Francis Group, LLC
deductive step relies on an intuitive justification that should convince the reader of its validity. Almost never, however, is the derivation of a proof stated in a formal way, in terms of mathematical logic. This means that very often the mathematician is satisfied with a rigorous description of the derivation of a proof, without formalizing it completely. In critical cases, however, in which the validity of some intermediate deduction is unclear, the mathematician may try to formalize the informal reasoning to assess its validity. These examples show that the engineer (and the mathematician) must be able to identify and understand the level of rigor and formality that should be achieved, depending on the conceptual difficulty and criticality of the task. The level may even vary for different parts of the same system. For example, critical parts — such as the scheduler of a real-time operating systems kernel or the security component of an electronic commerce system — may merit a formal description of their intended functions and a formal approach to their assessment. Well understood and standard parts would require simpler approaches. If we examine this issue in the context of software specifications, we see, for example, that the description of what a program does may be given in a rigorous way by using natural language; it can also be given formally by providing a formal description in a language of logical statements. The advantage of formality over rigor is that formality may be the basis of mechanization of the process. For instance, one may hope to use the formal description of the program to derive the program (if the program does not yet exist) or to show that the program corresponds to the formal description (if the program and its formal specification exist). Traditionally, there is only one phase of software development in which a formal approach is used: programming. In fact, programs are formal objects. They are written in a language whose syntax and semantics are fully defined. Programs are formal descriptions that may be automatically manipulated by compilers. They are checked for formal correctness, transformed into an equivalent form in another language (assembly or machine language), “pretty-printed” so as to improve their appearance, etc. These mechanical operations, which are made possible by the use of formality in programming, can improve the reliability and verifiability of software products. Rigor and formality are not restricted to programming: They should be applied throughout the software process. Chapter 111 shows these concepts in action in the case of software specifications. Chapter 107 does the same for software verification. Chapter 106 is about formal methods. Rigor and formality also apply to software processes. Rigorous documentation of a software process helps in reusing the process in other, similar projects. On the basis of such documentation, managers may foresee the steps through which a new project will evolve, assign appropriate resources as needed, etc. Similarly, rigorous documentation of the software process may help to maintain an existing product. If the various steps through which a project evolved are documented, one can modify an existing product, starting from the appropriate intermediate level of its derivation, not the final code. Finally, if the software process is specified rigorously, managers may monitor it accurately, in order to assess its timeliness and improve productivity.
101.4.2 Separation of Concerns Separation of concerns allows us to deal with different aspects of a problem to dominate its complexity, so that we can concentrate on each aspect individually. Separation of concerns is a commonsense practice that we try to follow in our everyday lives to overcome the difficulties we encounter. The principle should also be applied to software development, to master its inherent complexity. More specifically, there are many decisions that must be made in the development of a software product. Some of them concern features of the product: functions to offer, expected reliability, efficiency with respect to space and time, the product’s relationship with the environment (i.e., the special hardware or software resources required), user interfaces, etc. Others concern the development process: the development environment, the organization and structure of teams, scheduling, control procedures, design strategies, error recovery mechanisms, etc. Still others concern economic and financial matters. These different © 2004 by Taylor & Francis Group, LLC
decisions may be unrelated to one another. In such a case, it is obvious that they should be treated separately. Very often, however, many decisions are strongly related and interdependent. For instance, a design decision (e.g., swapping some data from main memory to disk) may depend on the size of the memory of the selected target machine (and hence, the cost of the machine). This, in turn, may affect the policy for error recovery. When different design decisions are strongly interconnected, it would be useful to take all the issues into account at the same time and by the same people, but this is not usually possible in practice. There are various ways in which concerns may be separated. First, one can separate them in time. Temporal separation of concerns allows for the precise planning of activities and eliminates overhead that would arise through switching from one activity to another in an unconstrained way. In fact, it is the underlying motivation of the software life-cycle models, each of which defines a sequence of activities that should be followed in software production (see Chapter 110). Another type of separation of concerns is in terms of qualities that should be treated separately. For example, in the case of software, we might wish to deal separately with the efficiency and the correctness of a given program. One might decide first to design software in such a careful and structured way that its correctness is expected to be guaranteed a priori and then to restructure the program partially to improve its efficiency. Similarly, in the verification phase, one might first check the functional correctness of the program and then its performance. Both activities can be done rigorously, applying some systematic procedures, or even formally (i.e., using formal correctness proofs and complexity analysis). Verification of program qualities is the subject of Chapter 113 and Chapter 114. Another important type of separation of concerns allows different views of the software to be analyzed separately. For example, when we analyze the requirements of an application, it may be helpful to concentrate separately on the flow of data from one activity to another in the system and the flow of control that governs how different activities are synchronized. Both views help us understand the system we are working on better, although neither one gives a complete view of it. Still another type of separation of concerns allows us to deal with parts of the same system separately; here, separation is in terms of size. This is a fundamental concept that we must master to dominate the complexity of software production. Indeed, it is so important that we prefer to detail it shortly as a separate point under modularity (see Section 101.4.3). There is an inherent disadvantage in separation of concerns. By separating two or more issues, we might miss some global optimization that would be possible by tackling them together. While this is true in principle, our ability to make optimized decisions in the face of complexity is rather limited. If we consider too many concerns simultaneously, we are likely to be overwhelmed by the amount of detail and complexity we face. Some of the most important decisions in design concern which aspects to consider together and which separately. Perhaps the most important application of separation of concerns is to separate problem-domain concerns from implementation-domain concerns. Problem-domain properties hold in general, regardless of the implementation environment. For example, in designing a personnel-management system, we must separate issues that are true about employees in general from those which are a consequence of our implementation of the employee as a data structure or object. In the problem domain, we may speak of the relationship between employees, such as “employee A reports to employee B”; in the implementation domain we may speak of one object pointing to another. These concerns, unfortunately, are often intermingled in many projects. As a final remark, we note that separation of concerns may result in separation of responsibilities in dealing with separate issues. Thus, the principle is the basis for dividing the work on a complex problem into specific assignments, possibly for different people with different skills. For example, by separating managerial and technical issues in the software process, we allow two types of people to cooperate in a software project. Or, having separated requirements analysis and specification from other activities in a software life cycle, we may hire specialized analysts with expertise in the application domain, instead of relying on internal resources. The analyst, in turn, may concentrate separately on functional and nonfunctional system requirements. © 2004 by Taylor & Francis Group, LLC
101.4.3 Modularity A complex system may be divided into simpler pieces called modules. A system that is composed of modules is called modular. The main benefit of modularity is that it allows the principle of separation of concerns to be applied in two phases: r When dealing with the details of each module in isolation (and ignoring details of other modules) r When dealing with the overall characteristics of all modules and their relationships in order to
integrate them into a coherent system If the two phases are executed in sequence, first concentrating on modules and then on their composition, then we say that the system is designed from the bottom up. The converse, when we decompose the system into modules first and then concentrate on individual module design, is top-down design. Modularity is an important property of most engineering processes and products. For example, in the automobile industry, the construction of cars proceeds by assembling building blocks that are designed and built separately. Furthermore, parts are often reused from model to model, perhaps after minor changes. Most industrial processes are essentially modular, made out of work packages that are combined in simple ways (sequentially or overlapping) to achieve the desired result. Although modularity is often discussed in the context of software design, it is not only a desirable design principle; it permeates the whole of software production. In particular, modularity provides four main benefits in practice: r The capability of decomposing a complex system into simpler pieces r The capability of composing a complex system from existing modules r The capability of understanding the system in terms of its pieces r The capability of modifying a system by modifying only a small number of its pieces
The decomposability of a system is based on dividing the original problem, top-down, into subproblems and then applying the decomposition to each subproblem recursively. This procedure reflects the well known Latin motto divide et impera (divide and conquer), which describes the philosophy followed by the ancient Romans to dominate other nations: divide and isolate them first, and then conquer them individually. The composability of a system is based on starting from the bottom up with elementary components and combining them in steps toward finally producing a finished system. As an example, a system for office automation may be designed by assembling existing hardware components, such as personal workstations, a network, and peripherals; system software, such as the operating system; and productivity tools, such as document processors, databases, and spreadsheets. Ideally, in software production we would like to be able to assemble new applications by taking modules from a library and combining them to form the required product. Such modules should be designed with the express goal of being reusable. By using reusable components, we may speed up both the initial system construction and its fine-tuning. For example, it would be possible to replace a component with another that performs the same function, but differs in computational resource requirements. Modularity supports the capability of understanding and modifying a system. If the entire system can be understood only in its entirety, modifications are likely to be difficult to apply, and the result will probably be unreliable. When it is necessary to repair a defect or enhance a feature, proper modularity helps to confine the search for the fault or enhancement to single components. Modularity thus forms the basis for software evolution. To achieve modular composability, decomposability, understandability, and modifiability, the software engineer must design the modules with the goal of high cohesion and low coupling. A module has high cohesion if all of its elements are related strongly. Elements of a module (e.g., statements, procedures, and declarations) are grouped together in the same module for a logical reason, not just by chance. They cooperate to achieve a common goal, which is the function of the module. Whereas cohesion is a property about the internal structure of a module, coupling characterizes a module’s relationship to other modules. Coupling measures the interdependence of two modules (e.g., module A calls a routine provided by module B or accesses a variable declared by module B). If two © 2004 by Taylor & Francis Group, LLC
(a)
(b)
FIGURE 101.2 Graphical description of cohesion and coupling. (a) A highly coupled structure. (b) A structure with high cohesion and low coupling.
modules depend on each other heavily, they have high coupling. Ideally, we would like modules in a system to exhibit low coupling, because it will then be possible to analyze, understand, modify, test, and reuse them separately. Figure 101.2 provides a graphical view of cohesion and coupling. The practical design guideline derived from the high-cohesion/low-coupling rule is that two units should be put in the same module if they are tightly dependent on each other; otherwise they should be placed in different modules. Indeed, this is achieved by object-oriented programming, which groups both the data and the routines that manipulate them in a single module. A good example of a system that has high cohesion and low coupling is the electric subsystem of a house. Because it is made out of a set of appliances with clearly definable functions and interconnected by simple wires, the system has low coupling. Because each appliance’s internal components are there exactly to provide the service the appliance is supposed to provide, the system has high cohesion. Modular structures with high cohesion and low coupling allow us to see modules as black boxes when the overall structure of a system is described and then deal with each module separately when the module’s functionality is described or analyzed. In other words, modularity supports the application of the principle of separation of concerns.
101.4.4 Abstraction Abstraction is a fundamental principle for understanding, designing, and analyzing complex problems. In applying abstraction, we identify the important aspects of a phenomenon and ignore its details. Thus, abstraction is a special case of separation of concerns wherein we separate the concern of the important aspects from the concern of the less important details. What we abstract away and consider as a detail that may be ignored depends on the purpose of the abstraction. For example, consider a digital watch. A useful abstraction for the owner is a description of the effects of pushing its various buttons, which allow the watch to enter various modes of functioning and react differently to sequences of commands. A useful abstraction for the person in charge of maintaining the watch is a box that can be opened in order to replace the battery. Still other abstractions of the device are useful for understanding the watch and performing the activities that are needed to repair it (let alone design it). Thus, there may be many different abstractions of the same reality, each providing a view of the reality and serving some specific purpose. Abstraction is a powerful technique practiced by engineers of all fields for mastering complexity. For example, the representation of an electrical circuit in terms of resistors, capacitors, etc., each characterized by a set of equations, is an idealized abstraction of a device. The equations are a simplified model that approximates the behavior of the real components. The equations often ignore details, such as the fact that there are no “pure” connectors between components and that connectors should also be modeled in terms of resistors, capacitors, etc. The designer ignores both of these facts, because the effects they describe are negligible in terms of the observed results. © 2004 by Taylor & Francis Group, LLC
This example illustrates an important general idea. The models we build of phenomena — such as the equations for describing devices — are an abstraction from reality, ignoring certain facts and concentrating on others that we believe are relevant. The same holds true for the models built and analyzed by software engineers. For example, when the requirements for a new application are analyzed and specified, software engineers build a model of the proposed application. As shown in Chapter 111, this model may be expressed in various forms, depending on the required degree of rigor and formality. No matter what language we use for expressing requirements — be it natural language or the formal language of mathematical formulas — what we provide is a model that abstracts away from a number of details that we decide can be ignored safely. Abstraction permeates the whole of programming. The programming languages that we use are abstractions built on top of the hardware. They provide us with useful and powerful constructs so that we can write (most) programs ignoring such details as the number of bits that are used to represent numbers or the specific computer’s addressing mechanism. This helps us to concentrate on the solution to the problem we are trying to solve, rather than on the way to instruct the machine on how to solve it. The programs we write are themselves abstractions. For example, a computerized payroll procedure is an abstraction of the manual procedure it replaces. It provides the essence of the manual procedure, not its exact details. When applied judiciously in design and programming, abstraction affects all software qualities in the product. For example, proper abstraction leads to modularity, which aids in achieving maintainability and reusability. Abstraction is an important principle that applies to both software products and software processes. For example, the comments that we often use in the header of a procedure are an abstraction that describes the effect of the procedure. When the documentation of the program is analyzed, such comments are supposed to provide all the information that is needed to understand the use of the procedure by the other parts of the program. As an example of the use of abstraction in software processes, consider the case of cost estimation for a new application. One possible way of doing cost estimation is to identify some key factors of the new system — for example, the number of engineers on the project and the expected size of the final system — and to extrapolate from the cost profiles of previous similar systems. The key factors used to perform the analysis are an abstraction of the system for the purpose of cost estimation.
101.4.5 Anticipation of Change Anticipation of change is perhaps the one principle that distinguishes software the most from other types of industrial productions. In fact, software undergoes changes constantly, and anticipation of change is a principle that we can use to achieve evolvability. The ability of software to evolve does not happen by accident or sheer luck — it requires a special effort to anticipate how and where changes are likely to occur. Designers should try to identify likely future changes and take special care to make these changes easy to apply. Software should be designed such that likely changes that we anticipate in the requirements, or modifications that are planned as part of the design strategy, may be incorporated into the application smoothly and safely. Basically, likely changes should be isolated in specific portions of the software in such a way that changes will be restricted to such small portions. In other words, anticipation of change should be the basis for our modularization strategy. (See Chapter 103 on software design). In many cases, a software application is developed before its requirements are completely understood. Then, after being released, on the basis of feedback from the users, the application must evolve as new requirements are discovered or old requirements are updated. In addition, applications are often embedded in an environment, such as an organizational structure. The environment is affected by the introduction of the application, and this generates new requirements that were not known initially. Anticipation of change also affects the management of the software process. For example, managers should anticipate the effects of personnel turnover. Also, when the life cycle of an application is designed, it is important to take maintenance into account. Depending on the anticipated changes, managers must © 2004 by Taylor & Francis Group, LLC
estimate costs and design the organizational structure that will support the evolution of the software. Finally, managers should decide whether it is worthwhile to invest time and effort in the production of reusable components, either as a by-product of a given software development project or as a parallel development effort.
101.4.6 Generality The principle of generality may be stated as follows: Every time you are asked to solve a problem, try to focus on the discovery of a more general problem that may be hidden behind the problem at hand. It may happen that the generalized problem is not more complex — indeed, it may even be simpler — than the original problem. Moreover, it is likely that the solution to the generalized problem has more potential for being reused. It may even happen that the solution is already provided by some off-the-shelf package. Also, it may happen that, by generalizing a problem, you end up designing a module that is invoked at more than one point of the application, rather than having several specialized solutions. A generalized solution may of course be more costly, in terms of speed of execution, memory requirements, or development time, than the specialized solution that is tailored to the original problem. Thus, it is necessary to evaluate the trade-offs of generality with respect to cost and efficiency, in order to decide whether it is worthwhile to solve the generalized problem instead of the original problem. Generality is a fundamental principle that allows us to develop software components for the market. Such general-purpose, off-the-shelf products represent a rather general trend in software. For every specific application area, general packages that provide standard solutions to common problems are increasingly available. If the problem at hand may be restated as an instance of a problem solved by a general package, it may be convenient to adopt the package instead of implementing a specialized solution. For example, we may use macros to specialize a spreadsheet application to be used as an expense-report application.
101.4.7 Incrementality Incrementality characterizes a process that proceeds in a stepwise fashion, in increments. We try to achieve the desired goal by successively closer approximations to it. Each approximation is an increment over the previous one. Incrementality applies to many engineering activities. When applied to software, it means that the desired application is produced as a result of an evolutionary process. One way of applying the incrementality principle is to identify useful early subsets of an application that may be developed and delivered to customers, in order to get early feedback. This allows the application to evolve in a controlled manner in cases where the initial requirements are not stable or fully understood. The motivation for incrementality is that in most practical cases there is no way of getting all the requirements right before an application is developed. Rather, requirements emerge as the application — or some part of it — is available for practical experimentation. Consequently, the sooner we can receive feedback from the customer concerning the usefulness of the application, the easier it is to incorporate the required changes into the product. Thus, incrementality is intertwined with anticipation of change and is one of the cornerstones upon which evolvability may be based. Incrementality applies to many of the software qualities discussed in the early part of this chapter. We may progressively add functions to the application being developed, starting from a kernel of functions that would still make the system useful, though incomplete. For example, in a business automation system, some functions would still be done manually, whereas others would be done automatically by the application. We can also add performance in an incremental fashion. That is, the initial version of the application might emphasize user interfaces and reliability more than performance, and successive releases would then improve space and time efficiency. When an application is developed incrementally, intermediate stages may constitute prototypes of the end product; that is, they are just an approximation of it. The idea of rapid prototyping is often © 2004 by Taylor & Francis Group, LLC
advocated as a way of progressively developing an application hand in hand with an understanding of its requirements. Obviously, a software life cycle based on prototyping is rather different from the typical waterfall model, wherein we first do a complete requirements analysis and specification and then start developing the application. Instead, prototyping is based on a more flexible and iterative development model. This difference affects not only the technical aspects of projects, but also the organizational and managerial issues. The unified process, presented in Chapter 110, is based on incremental development. Evolutionary software development requires special care in the management of documents, programs, test data, etc., developed for the various versions of software. Each meaningful incremental step must be recorded, documentation must be easily retrieved, changes must be applied in a controlled way, and so on. If these are not done carefully, an intended evolutionary development may quickly turn into undisciplined software development, and all the potential advantages of evolvability will be lost.
101.5 A Case Study in Compiler Construction In this section, we will show the application of the principles we have just presented to the practical case of compiler construction.
101.5.1 Rigor and Formality There are many reasons that compiler designers should be rigorous and, possibly, formal. First, a compiler is a critical product. A compiler that generates incorrect code is as serious a problem as a processor that executes an instruction incorrectly. An incorrect compiler can generate incorrect applications, regardless of the quality of the application itself. Second, when a compiler is used to generate code for mass-produced software, such as databases or word processors, the effect of an error in the compiler is multiplied on a mass scale. Thus, in general, it is important to approach the development of a compiler rigorously, with the aim of producing a high-quality compiler. Compiler construction is one of the fields in computer science where formality has been exploited well for a long time. In fact, formal languages and automata theory were largely motivated by the need for making compiler construction more effective and reliable. Nowadays, the syntax of programming languages is formally defined through Backus–Naur form (BNF) or an equivalent formalism. It is not by chance that, most often, problems associated with compiler correctness are related to the semantic aspects of the language, which are usually defined informally, rather than the syntactic aspects, which are well defined by BNF.
101.5.2 Separation of Concerns As with most nontrivial engineering artifacts, the construction of a compiler involves several concerns. Correctness (i.e., producing an object code consistent with the source code and producing appropriate error messages in the case of erroneous source programs) is, as usual, a primary concern. Other important issues are efficiency and user-friendliness. Efficiency could be related to compile time (in which case it amounts to performing source code analysis and translation quickly or using little memory) or to run time (in which case it involves producing an object code that is itself efficient). User-friendliness also has several aspects, ranging from the precision, thoroughness, and helpfulness of the diagnostics to the ease of interacting with the human–computer interface (e.g., through well designed windows and other graphical aids). These and other aspects of the compiler should be analyzed separately, as far as possible. For instance, there is no reason to worry about diagnostic messages while one is designing a sophisticated algorithm to optimize register allocation. This is not to say, as we already noted in general, that different concerns do not affect each other. Typically, in an attempt to make object code as efficient as possible, we might incorrectly overload some register. Also, attempts to produce good run-time diagnostics (e.g., checking that array indexes are within their bounds) may produce run-time inefficiencies. Run-time diagnostics and efficiency are a typical example of when separation of concerns can and should be applied while keeping in mind the mutual dependencies between the different aspects. In this © 2004 by Taylor & Francis Group, LLC
case, in fact, the two concerns are often well separated by offering the user the option of enabling or disabling run-time checks. During the development and verification phases, when correctness is still being established and is a major concern, the user turns on run-time checks, making diagnostics the prevailing concern for the compiler. Once the program has been thoroughly checked, efficiency becomes the major concern for its user and, therefore, for the compiler, too; thus, the user could turn off the generation of run-time checks by the compiler.
101.5.3 Modularity A compiler can be modularized in several ways. Here, we propose a fairly simplistic and traditional modularization based on the several “passes” performed by the compiler on the source code. Such a modular structure should be good enough for our initial purposes. According to this scheme, each pass performs a partial translation from an intermediate representation to another one, the last pass transforming the final intermediate representation to the object code. The following are the usual compiler phases: Lexical analysis — Analyzes program identifiers, replaces them with an internal representation, and builds a symbol table with their description. It also produces a first set of diagnostic messages if the source code contains lexical errors (e.g., ill formed identifiers). Syntax analysis or parsing — Takes the output of the lexical analysis and builds a syntax tree, describing the syntactic structure of the original code. It also produces a second set of diagnostic messages related to the syntactic structure of the program (e.g., missing parentheses). Codegeneration — Produces the object code. This last phase is usually done in several steps. For example, a machine-independent intermediate code is produced as a first step, followed by a translation into machine-oriented object code. Each of these partial translations may include an optimizing phase that rearranges the code to make it more efficient. The foregoing description suggests a corresponding modular description of the structure of the compiler, depicted graphically in Figure 101.3a. Despite the oversimplification present in the figure, we can already derive a few distinguishing features of modular design: r System modules can be drawn naturally as boxes. r Module interfaces can be drawn as directed lines connecting the boxes representing the modules.
An interface is an item that somehow connects different modules; it represents anything that is communicated or shared by them. Notice that the graphical metaphor suggests that everything that is inside a box is hidden from the outside; modules interact with each other exclusively through interfaces. In the figure, it is convenient to represent interfaces with arrows to emphasize the fact that the item they describe is the output of some module and the input to another one. In other cases, the notion of an interface may be more symmetric (e.g., a shared data structure); in such cases, it is more convenient to represent the item with an undirected line. Notice also that the lines representing the source code, the diagnostic messages, and the object code are the input or output of the whole “system.” They are, therefore, drawn without source and target, respectively. The modular structure of Figure 101.3a lends itself to a natural iteration of the decomposition process. For instance, according to the description of the code-generation phase, the box representing this pass can be refined as suggested in Figure 101.3b.
101.5.4 Abstraction Abstraction can be applied in compiler design along several directions. From a syntactic point of view, it is fairly typical to distinguish between concrete and abstract syntax. Abstract syntax aims at focusing on the essential features of language constructs, neglecting details that do not affect a program’s structure. © 2004 by Taylor & Francis Group, LLC
Symbol table
Lexical diagnostics
Source code
Lexical analysis
Parsing
Parse tree
Tokenized code
Code generation
Object code
Syntax diagnostics
(a)
Code generation
Symbol table
Object code
Intermediate code Parse tree
Intermediate code generation
Machine code generation
(b) FIGURE 101.3 (a) The modular structure of a compiler. (b) A further modularization of the code-generation module.
For instance, a conditional statement consists of a condition, a statement to be executed if the condition holds and, possibly, a statement to be executed if the condition does not hold. This description remains valid both if we include the keyword then before the positive statement, as it happens in Pascal, and if we do not, as it happens in C. Similar remarks apply to the use of the C-like pair {,} and of the Algol-like pair begin-end to bracket sequences of statements. Another typical abstraction is often applied with respect to the target code: as we saw in the previous section, the first phase of code generation produces an intermediate code, which can be viewed as the code for an abstract machine. The second phase then translates the code of this abstract machine into code for the concrete target machine. In this way, a major part of the compiler construction abstracts away from the peculiarities of the particular processor that must run the object code. The Java language, indeed, defines a Java Virtual Machine, whose code (Java bytecode) can be executed by interpreting it on different concrete machines.
101.5.5 Anticipation of Change Several changes may occur during the lifetime of a compiler: r New releases of the target processors may become available with new, more powerful, instructions. r New input–output (I/O) devices may be introduced, requiring new types of I/O statements. r Standardization committees may define changes and extensions to the source language.
The design of the compiler should anticipate such changes. For instance, the Pascal language tried to “freeze” I/O statements within a rigid language definition. This decision conflicted with typical machine © 2004 by Taylor & Francis Group, LLC
dependencies, and the result was often a number of dialects of the same language, differing mainly in the I/O part. Later, it was recognized that attempts to freeze language I/O were not effective. Thus, languages such as C and Java encapsulated I/O into standardized libraries, reducing the amount of work to be redone whenever I/O changes occurred. Also, the more likely it is to want to adapt the compiler to different target machines, the higher are the benefits of separating the code-generation phase into two subphases, as we showed previously.
101.5.6 Generality Like abstraction, generality can be pursued along several dimensions in compiler construction, depending on the overall goals of the project (e.g., producing a fairly wide family of products, as opposed to a highly specialized compiler). It is useful to be parametric with respect to the target machine. The case of Java’s bytecode is a striking example of general design and its benefits. In fact, bytecode is also independent of the source language, allowing it to be used as the target for compilers of languages other than Java. Generality (with respect to target machines) is therefore achieved via abstraction of individual machine architectures into just one virtual machine. Sometimes, a compiler can be parametric even with respect to the source language. A fairly extreme example of such a generality is provided by so-called compiler compilers, which take as input the definition of the source — and possibly of the target — language and automatically produces a compiler translating the source language into the target one. Perhaps the most successful and widely known example of a compiler compiler is provided by the Unix Lex and Yacc programs, which are used to produce automatically the lexical and syntactic modules of a compiler. Such generality can be achieved thanks to the formalization of the syntax of the language. Thus, the generality principle is exploited in conjunction with formality. Another fairly obvious relation exists between the principles of generality and design for change: we usually want to be parametric — general — with respect to those features which are most likely to change.
101.5.7 Incrementality Incrementality, too, can be pursued in several ways. For instance, we can first deliver a kernel version of a compiler that recognizes only a subset of the source language and then follow that with subsequent releases that recognize increasingly larger subsets of the language. Alternatively, the initial release could offer just the very essentials: translation into a correct object code and a minimum of diagnostics. Then, we can add more diagnostics and better optimizations in further releases. The systematic use of libraries offers another natural way to exploit incrementality. It is quite common that the first release of a new compiler includes a very minimum of such libraries (e.g., for I/O and memory management); later, new or more powerful libraries are released (e.g., graphical and mathematical libraries).
101.6 Summarizing Remarks In this chapter, we have discussed important software engineering qualities and principles. Qualities are the ultimate goal we want to achieve; principles provide the basis for concrete means to reach the goal. Because of their general applicability, we have presented the principles separately, as the cornerstones of software engineering, rather than in the context of any specific phase of the software life cycle. We used a case study of compiler construction to show the application of the general principles. We emphasized the role of general principles without presenting specific methods, techniques, or tools. The reason is that software engineering — like any other branch of engineering — must be based on a sound set of principles. In turn, principles are the basis for the set of methods used in the discipline and for the specific techniques and tools used in everyday life.
© 2004 by Taylor & Francis Group, LLC
As technology evolves, software engineering tools will evolve. As our knowledge about software engineering increases, methods and techniques will evolve, too — though less rapidly than tools. Principles, on the other hand, will remain more stable; they constitute the foundation upon which all the rest may be built. They form the basis for the concepts discussed in the remainder of this Handbook. For instance, Chapter 104 presents object-oriented design, a popular methodology that stresses the qualities of reusability and evolvability, as well as the principles of modularity, anticipation of change, generality, and incrementality.
Defining Terms Cohesion: Property of a modular software system that measures the logical coherence of a module. Correctness: Software is (functionally) correct if it behaves according to the specification of the functions it should provide. Coupling: Property of a modular software system that measures the amount of mutual dependence among modules. Evolvability: Ease of software evolution. Incremental development: A software process that proceeds by producing progressively larger subsets of the desired product by delivering new increments at each stage. Each increment provides additional functionality and brings the currently available subset closer to the desired one. Interoperability: Ability of a software system to coexist and cooperate with other systems. Maintainability: Ease of maintaining software. It can be further decomposed into evolvability and reparability. Methodology: A combination of methods and techniques promoting a disciplined approach to software development. Performance: In software engineering, performance is a synonym for efficiency. It refers to how economically the software utilizes the resources of the computer. Portability: Software is portable if it can run on different machines. Productivity: Efficiency of the software process. Prototyping: A development process in which early executable versions of the end product are delivered as prototypes, with the main purpose of verifying the adequacy of specifications and driving further development. Quality assurance: The process of verifying whether a software product meets the required qualities. Reliability: Software is reliable if the user can depend on it. Reparability: A software system is reparable if it allows the correction of its defects with a limited amount of work. Reusability: Ease of reusing software components in more than one product. Reusability can also refer to other artifacts (such as requirements, design, etc.). Robustness: Software is robust if it behaves “reasonably,” even in circumstances that were not anticipated in the requirements specification. Security: A system is secure if it protects its data and services from unauthorized access and modification. Software process: Activities through which a software product is developed and maintained. Software product: All of the artifacts produced by a software process. This definition encompasses not only the executable code and user manuals that are delivered to the customer, but also requirements and design documents, source code, test data, etc. Timeliness: A process-related quality meaning the ability to deliver a product on time. Usability: A software system is usable — or user-friendly — if its human users find it easy to use. This definition reflects the subjective nature of usability. Verifiability: A software system is verifiable if its properties can be verified easily. Visibility: A process-related quality meaning that all steps and the current process status are documented clearly.
© 2004 by Taylor & Francis Group, LLC
References Boehm et al. [1978]. B.W. Boehm, J.R. Brown, H. Kaspar, M. Lipow, G. MacLeod, and M.J. Merritt, Characteristics of Software Quality, volume 1 of TRW Series on Software Technology, North-Holland, Amsterdam. Fenton and Pfleeger [1998]. N.E. Fenton and S.L. Pfleeger, Software Metrics: A Rigorous and Practical Approach, 2nd ed., PWS Publishing, Boston, MA. Garg and Jazayeri [1996]. P. Garg and M. Jazayeri, Process-Centered Software Engineering Environments, IEEE Computer Society Press. Ghezzi et al. [2002]. C. Ghezzi, M. Jazayeri, and D. Mandrioli, Fundamentals of Software Engineering, 2nd edition. Prentice Hall. Hoffman and Weiss [2001]. D.M. Hoffman and D.M. Weiss, Eds., Software Fundamentals — Collected Papers by David L. Parnas, Addison-Wesley, Reading, MA. Humphrey [1989]. W.S. Humphrey, Managing the Software Process, Addison-Wesley, Reading, MA. ISO 9126 [1991]. ISO/IEC 9126, Information Technology — Software Product Evaluation — Quality Characteristics and Guidelines for Their Use, 1991-12-15. Jazayeri [1995]. M. Jazayeri, “Component programming — a fresh look at software components,” in Proceedings of the 5th European Software Engineering Conference, Lecture Notes in Computer Science 989, Springer-Verlag, pages 457–478. Neumann [1995]. P.G. Neumann, Computer-Related Risks. Addison-Wesley, Reading, MA. Parnas [1978]. D.L. Parnas, “Some software engineering principles,” in Structured Analysis and Design, State of the Art Report, INFOTECH International, pages 237–247.
Further Information This chapter is adapted from Chapters 2 and 3 of Ghezzi et al. [2002], which is a general textbook on software engineering. A classification of software qualities is presented and discussed in detail by Boehm et al. [1978]. The international standard [ISO 9126] also provides a list and a discussion of major software qualities. Fenton and Pfleeger [1998] give a comprehensive study of software metrics for quality. Neumann [1995] illustrates the consequences of lack of quality in software. These real-life situations should concern all software professionals. Humphrey [1989] defined the software process maturity model. The book is devoted to improving software quality through better processes and the assessment of the process. Garg and Jazayeri [1996] is a collection of articles on software environments that integrate and automate the software process. Parnas’s work on design methods is the major source of insight into the concepts of separation of concerns, modularity, abstraction, and anticipation of change. In particular, Parnas [1978] illustrates important software engineering principles. Thirty of Parnas’s important papers have been collected in Hoffman and Weiss [2001], along with some updates and commentaries. Jazayeri [1995] discusses and gives concrete examples of the power of the principle of generality in design and programming.
© 2004 by Taylor & Francis Group, LLC
102 Software Process Models 102.1 102.2 102.3 102.4
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102-1 Specification-Driven Models . . . . . . . . . . . . . . . . . . . . . 102-2 Evolutionary Development Models . . . . . . . . . . . . . . . 102-7 Iterative Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102-10 Incremental Development
Ian Sommerville Lancaster University
102.5 102.6 102.7 102.8
•
The Spiral Model
Formal Transformation . . . . . . . . . . . . . . . . . . . . . . . . . . 102-14 The Cleanroom Process . . . . . . . . . . . . . . . . . . . . . . . . . . 102-14 Process Model Applicability . . . . . . . . . . . . . . . . . . . . . . 102-15 Research Issues and Summary . . . . . . . . . . . . . . . . . . . . 102-16
102.1 Introduction The development of anything but trivial software systems is a structured activity. Various steps are involved where the software is designed, programmed, and validated. This sequence of activities and their inputs and outputs make up the software process. Every organization has its own specific software process, but these individual approaches usually follow some, more abstract, generic process model. These generic software process models are the subject of this chapter. A generic software process model is an abstract representation of the activities and deliverables in the software process. Depending on the level of detail, the model may also show the roles responsible for these activities, the tools used to carry out these activities, communications of different types between activities, and roles and exceptions which must be handled as part of the process. However, in the examples here, the software process is considered at a fairly abstract level and only process activities and their inputs and outputs are discussed. Software processes are immensely complex. The activities involved in these processes are intellectually demanding and may require significant creativity on the part of the process participants. These processes have a number of attributes as shown in Table 102.1. If we wish to compare or reason about software processes using these attributes, we must be able to make some assessment of them. Because processes are so complex, a software process model is essential for this purpose. If we wish to improve the software process in some way in order to deliver software more quickly, produce software at lower cost, or deliver software with fewer defects, a defined process model is necessary as a starting point for the improvement process. Similarly, if we need to communicate and exchange information about software processes, we need a process model. A detailed software process model is an important source of organizational knowledge
© 2004 by Taylor & Francis Group, LLC
TABLE 102.1
Software Process Attributes
Process Attribute Understandability Visibility Supportability Acceptability Reliability Robustness Maintainability Rapidity
Description Is the process clearly and explicitly defined and is the process definition understandable? Does each activity in the process have a well-defined endpoint and results so that progress is clearly visible? To what extent can the process activities be supported by CASE tools? Do the engineers who are responsible for the software development find the process acceptable and a realistic match to their everyday activities? Is the process designed so that process errors are avoided or trapped before they lead to errors in the software being developed? Do unexpected problems cause process delays or can the process cope with these? Can the process evolve to meet changing organizational requirements or process improvements for lower costs, higher quality, or faster delivery? Are there inherent delays in the process which affect the overall development time from system specification to product delivery?
and is used to communicate organizational standards, procedures, and practices to new engineers and managers. One of the most important functions of a software process model is to facilitate process management. Process management involves scheduling the process activities, estimating the resources required for each activity, assigning people to carry out the activities, and ensuring that appropriate quality procedures are applied to both the process and the developed product. The process should be designed so that managers can check progress against the plan and accurately judge how resources have been deployed in the process. Consequently, managers express their plan in terms of their model of the development process. If there is no explicit model, the manager must make assumptions about the process and make estimates on the basis of these assumptions. However, the software developers may actually use a completely different process, so the plan is therefore a misleading guide for project management. An explicit process model, agreed upon by managers and software developers, is an invaluable tool for project communication. There are, currently, no accepted standards for describing process models. The vast majority of models are expressed informally, using diagrams and descriptive text. Notations used in software design such as data-flow diagrams and entity-relation diagrams may be used to show the flow of work and the relationships between activities, and deliverables. Petri nets have been used to show the timing dependencies between activities, and various more-specialized process description notations have been proposed, although they are not widely used. The best known of these is that suggested by Christie [Christie 1994]. Armenise et al. [Armenise et al. 1992] summarize other process modelling notations. In the remainder of this chapter, several types of generic process model are discussed. These include the “classical” waterfall model and its derivative, the V-model, models centered on software prototyping, and models which have been developed to accommodate change and uncertainty in a structured way. In the final sections, an assessment is made of the domains where each process model is most applicable, and issues such as process improvement models are briefly discussed.
102.2 Specification-Driven Models In the 1950s and 1960s, software development was largely an informal process which was undertaken as part of other engineering activities. Rather than being developed according to some formal process standard, software was simply programmed using an informal description of what was required. However, as software systems grew in size and complexity, this informal approach became increasingly inadequate. There were a number of large software project failures where software failed to deliver the required functionality and performance, where the software was unreliable and expensive to maintain, and where the project was completed (or more often, abandoned) years behind schedule. These failures led a number of organizations to adopt a more structured software development process which was based on the process used for the development of other engineered systems. Thus, there were © 2004 by Taylor & Francis Group, LLC
FIGURE 102.1 Waterfall model of the software process.
clearly defined specification, design, and development activities with a “signing-off ” process between these activities. When documents were “signed-off,” they were deemed to be complete and the next stage of the process could then begin. The first public discussion of this software “life-cycle” was due to Royce [Royce 1970], who described experience with this approach in defense projects. The initial life-cycle model is now termed the waterfall model. This model consists of a set of stages, starting with system specification, with results cascading from one stage to another. Figure 102.1 illustrates this waterfall model. The waterfall model includes the following phases: 1. Requirements definition. The services that the system must provide and its operational constraints are defined. 2. System and software design. The overall structure of the system is designed and software subsystems are identified. Depending on the organization, the design may be fairly abstract or developed in detail. Structured design methods may be used to develop the software design. 3. Implementation and unit testing. The modules making up the system are individually developed in some programming language and tested. 4. Integration and system testing. The system modules are integrated into a complete system and this is tested as a whole. 5. Operation and maintenance. The software is delivered to the customer and put into use. During its lifetime, it is modified to meet changing requirements and to repair errors discovered in use. Of course, this is a very abstract view of the software process. Each of these phases must be decomposed into a set of more detailed activities which, in themselves, may be major tasks involving several personyears of work. Further decomposition is necessary to establish the activities undertaken by each engineer. The essence of “waterfall” decomposition is that further cascades of activities should be identified. For example, Figure 102.2 illustrates the decomposition of the system and software design phase shown in Figure 102.1. Here, design is considered to involve six separate activities, each of which adds detail to the design. The input to each activity is the document produced by the previous design phase and its output is a document for the next phase. Naturally, each of these design activities might be further decomposed into another cascade, but this would usually only be necessary for large software systems. The waterfall model of the software process has been widely accepted and, in one form or another, has been incorporated in many process standards such as the U.S. Defense standard, MIL-STD-2167A. In these standards, of course, the model is expressed in detail with the deliverables from each phase carefully defined. © 2004 by Taylor & Francis Group, LLC
FIGURE 102.2 Waterfall model of the design process.
FIGURE 102.3 V-model of development.
There are numerous variants of the waterfall model which propose different breakdowns of the basic activities of specification, design, implementation, and testing. Perhaps the best known of these is the so-called V-model of development (the basis of a German government standard) which explicitly links stages in the development process with validation activities. This is illustrated in Figure 102.3. The V-model maintains the development phases of the waterfall model but links specific validation activities and validation plans with stages in the specification and design process. Therefore, from Figure 102.3, we can see that the acceptance test plan is generated from the system requirements document and an abstract system specification. This is then used to drive the acceptance testing activity after the software has been delivered to the customer. Similarly, the system integration test plan is associated with the system design activity and the subsystem integration test plan with detailed design. © 2004 by Taylor & Francis Group, LLC
The V-model illustrates one of the omissions of the simple waterfall model. This model suggests that there is a single output from a phase which is the single input to the next phase. Rather, activities have multiple inputs and outputs which include both product and process information. In the V-model, some of this process information is specified. As part of each activity, a plan for the validation of the results of that activity should be produced. This plan should define the validation process and should set out tests which may be applied to the system to check that the implementation conforms to the system specification. The stages shown in the simple waterfall model closely correspond to the stages in the engineering process of developing some product to be manufactured. There are, however, critical differences between software and manufactured products which mean that the waterfall approach is an over-simplified process representation for software development. These differences are: 1. Manufactured products usually deal either with tangible materials (such as machined components, say) or with things which obey physical laws (such as electricity). It is possible to reason about and visualize their operation. By contrast, software deals with information, which is intangible and almost infinitely flexible. People find it very difficult to anticipate what information they need to help them with their work. They cannot specify their requirements with a reasonable level of confidence. 2. There are generic designs for a most manufactured products (e.g., pumps, amplifiers, wings, etc.). Both the specification and the system design can often be expressed as differences from these basic designs. Those involved in specifying and designing the system have a solid and agreed basis for the design. By contrast, there are few “standard” software system designs which are understood by all software engineers. This means that it is usually much more difficult for those involved in the process to communicate about the software which is being designed. 3. There is no real equivalent in software development to the manufacturing stage of product development. Manufacturing involves expensive outlays in raw materials and tooling. Once a product design has been released for manufacture, making changes to the design is extremely expensive and change is usually contemplated only if there are serious design errors which make the product unfit for its original purpose. By contrast, programming is really a more detailed design phase and changes to the software can be accommodated at any stage in the process. As a consequence of these differences, there tends to be much more design and specification uncertainty in software systems and changes to the system may be required at any stage in the process. The difficulties in specifying software with any degree of confidence and the inherent flexibility of software led to a modified form of the waterfall model where there is iteration between the stages in the model. As problems are discovered, they are fed back to earlier process stages for correction and revised documents are issued. New customer requirements also result in change and the production of a revised requirements document. This waterfall model with iteration is illustrated in Figure 102.4. In principle, the introduction of iteration ought to address the feedback problems of the waterfall model. As problems are discovered in later phases, earlier phases are re-entered and the documents which define the system are modified. Later phases then continue with these modified documents. The introduction of iteration into the waterfall model is intended to address some of the problems of requirements change but brings with it its own problems: 1. When should iteration stop? In principle, the introduction of iteration means that the development process can continue indefinitely. In practice, this is obviously impossible, so there have to be a planned number of iterations in the process. It is very difficult to assess the rate of change of the system, so managers simply plan for some arbitrary number of iterations (normally one or two) during the lifetime of the project. Any further iterations are likely to cause the project to go over budget or to fall behind schedule. 2. How can change costs be controlled? There is a high cost involved in analyzing the impact of system changes and reworking the system to incorporate these changes. As changes are, by their very nature, unpredictable, it is very difficult for managers to budget for the costs of iteration. © 2004 by Taylor & Francis Group, LLC
FIGURE 102.4 Iteration in the waterfall model.
3. How can parallel development of the system be supported? The sequential nature of the waterfall model suggests that, during iteration, activity within a phase should stop until problems have been resolved and revised documents from earlier phases have been produced. In practice, this is completely unrealistic and, normally, development continues while the problems are being resolved. This often results in a great deal of rework, as changes to the system mean that much of this work has to be thrown away. In small projects, these problems are often addressed informally. Rather than a formal process iteration, those working on the project work together to resolve the difficulties and to make changes to the software. The real problems arise in large projects, particularly those where different parts of the software are developed by different organizations. In these cases, a formal iteration and change mechanism must be introduced. There is much less scope for informal communication between specifiers, designers, and programmers. Iteration in these projects is therefore very expensive and often results in cost and schedule overruns. Customers, therefore, try to avoid process iterations wherever possible. While this is understandable, there are some circumstances which can arise where this approach can lead to dramatic project failure: 1. Where the system requirements are poorly understood. This may be because the software system is an innovative one and end users have no intuition of how it will be incorporated into their work; it may be because the software is required to integrate hardware which is incompletely specified; it may be because the software is a product in a market which is changing rapidly. Whatever the reason, if requirements are poorly understood, this means that software change is inevitable. The waterfall model (in any form) does not cope well with frequent change. 2. Where the original system requirements are unrealistic and cannot be met, given the available development budget. Problems of this type are not discovered until the programming of the system is under way and initial versions are available for experiment. Either the system development has to be abandoned or the requirements have to be drastically modified to reflect what may be implemented. It can be argued that one or both of the above are true for most software projects, so the waterfall model is probably inappropriate for almost all large-scale software development and the deficiencies of the waterfall model are now widely accepted. More and more systems are interactive systems, with complex graphical user interfaces. Experience has shown that the waterfall model is particularly inappropriate for this type of system development. © 2004 by Taylor & Francis Group, LLC
Nevertheless, in spite of its disadvantages, the waterfall model or a variant of it is still very widely used, particularly for large projects. There are several reasons for this: 1. The use of an engineering model means that the development of the software can be integrated with other engineering activities. Although there are problems in committing to a set of requirements or a design, this is sometimes necessary to allow parallel development of the subsystems in a large system. 2. The model is document-based with one or more documents being produced at each stage in the model. This makes the project visible to management and makes it possible to assess progress against budget and schedule estimates. 3. The model supports contractor/subcontractor relationships, which are normal in large projects. As the output of a stage is documented, the contract for developing the next stage may be let to some subcontractor. The waterfall model of software development is part of many software development standards and is compatible with the process used to develop hardware systems. It allows for process management and it is familiar to engineers from all disciplines. In spite of its deficiencies, it is therefore likely to remain in use for large systems engineering projects for the foreseeable future. A further reason for the continued use of the waterfall model is the development of “offshore” software engineering [Dedene and De Vreese 1995]. A system is specified in one country but is designed and implemented in some other country with lower labor costs. The document-based nature of the waterfall model and the separation of the development phases means that it may be applied to support this form of development. The weakness of the waterfall model is its inability to cope with change, so it is most appropriate for systems whose requirements are well understood and which can be specified in detail with some degree of confidence. Generally, it may be successfully applied to small and medium-sized systems which automate well-understood business processes and which are re-implementations of existing systems or prototypes.
102.3 Evolutionary Development Models The fundamental difficulties with an approach to development based on clearly defined phases such as specification, design, etc., are that stakeholders in a system find it difficult to articulate their requirements in advance and that these requirements change during the development process. The waterfall model forces premature commitment to a set of system requirements. This means that requirements change and rework is almost inevitable. Furthermore, the system which is finally developed may not meet the real needs of the customers buying that system. To address this problem, an evolutionary approach to development may be adopted. A rudimentary system is initially produced and evolves, according to the customer’s needs, to the final required system. An evolutionary approach to development does not require detailed prespecification of the system requirements, nor does it usually involve the (expensive) production of detailed documentation. These stages in this evolutionary approach are: 1. Formulate an outline of the system requirements. This need be neither complete nor consistent but should give developers some guidance as to what the system should do. 2. Develop a system, as rapidly as possible, based on this outline specification. 3. Evaluate this system with users and modify the system until the system functionality meets the users’ needs. This involves modifying the initial functionality of the system and adding new functionality as required. There are several advantages to this evolutionary approach to system development. Users do not have to develop a detailed requirements specification but need only have some general ideas on the software support which they need. A version of the software is delivered quickly so customers can gain business value from it even when it is incomplete. They also find it much easier to refine their requirements when they have a system for experiment. Ideas can be tried out and refined and the interactions between the © 2004 by Taylor & Francis Group, LLC
FIGURE 102.5 Throw-away prototyping.
FIGURE 102.6 Evolutionary prototyping.
different parts of the software can be visualized. If the software proves to be unsuitable, it can be discarded at a relatively early stage in the process. For interactive systems, evolutionary development is particularly important. It is impossible to develop graphical user interfaces according to a waterfall model because of the very high specification uncertainty. People cannot predict, in advance, whether or not the look and feel of the interface will be acceptable and whether users will be able to access system functionality in an effective way. User interface specification and design is so dependent on the application domain and the particular system users that it must be carried out using some experimental prototype system. Within this general evolutionary framework, there are two generic models which are commonly used. These are: 1. Throw-away prototyping. The objective of this evolutionary development process is to understand the customer’s real software requirements. A prototype system is developed, then discarded once this understanding has been achieved. 2. Evolutionary prototyping. The objective of this process is to develop a software system for delivery to the customer. The prototype system which is developed becomes the production system used by the customer. These two approaches to development are illustrated in Figure 102.5 and Figure 102.6. Although they appear to be similar, the fact that these approaches have different ultimate goals means that they must be approached in quite different ways. The throw-away prototyping process has the goal of developing a better understanding of the customer’s requirements so that a better system specification can be produced. This specification may then be implemented using some other development approach where the software is designed, implemented, and validated according to a waterfall-like process model. As the prototype is not intended for regular use, its development cost may be reduced by leaving out facilities such as error messages and on-line help. Nonfunctional requirements such as performance and reliability may be relaxed. By contrast, the evolutionary prototyping approach has the goal of producing a final system for delivery to the customer. This system must include all required functionality and must meet the customer’s © 2004 by Taylor & Francis Group, LLC
nonfunctional requirements for reliability, availability, usability, etc. These must always be borne in mind when prototyping the system’s functionality. As a consequence, the development of this type of prototype is approached quite differently from the development of a throw-away system: 1. In a throw-away system, the primary objective is to understand the customer’s real requirements. Therefore, prototyping should start with those requirements which are poorly understood so that customers have as much time as possible for requirements refinement. Well-understood requirements need not be incorporated into the prototype, so it never becomes a fully functional system. 2. In evolutionary prototyping, the primary objective is to deliver useful functionality to the customer as soon as possible. Therefore, prototyping should start with those customer requirements which are best understood. Requirements which are less well understood should be added incrementally as customers become familiar with the system. An evolutionary prototyping approach is now widely used for small and medium size system development, particularly for business systems. In this application domain, prototyping systems such as rapid application development toolkits [Guerrieri 1994] and 4GLs [Wojtkowski and Wojtkowski 1994] have been developed to support the process. These systems make use of the fact that many operations are similar in that they involve retrieving information from a database and formatting that on-screen or in reports. These development systems are therefore centered on a database and include a high-level database query language, tools for screen design, and report generators. As I have already suggested, evolutionary development is also the normal development approach for interactive systems where the user interface design is a critical part of the system. In this approach, the user interface is designed using an evolutionary approach and the functionality of the system is initially simulated. As the user interface design is refined, more and more functionality is added to the system until a final system is produced. To support this process of development, very high-level languages and environments such as Smalltalk, Lisp or, increasingly, Visual Basic may be used. Alternatively, graphical user interface builders [Colebourne et al. 1993] which allow users to layout interface components and associate functionality with them may be used to support the process. While an evolutionary development process is more likely to lead to software which is better suited to the end user’s requirements, it has a number of problems in its own right: 1. It has an end-user focus so critical organizational requirements (such as the need for interoperability, say) may not be given sufficient priority. 2. The constant change to software degrades its structure so that the end result is often difficult and expensive to change. Consequently, the software is expensive to maintain and may have to be completely rewritten after a relatively short lifetime. Organizations are now encountering significant maintenance problems with systems written a few years ago in 4GLs which are no longer supported or which are not available on modern PCs. 3. The process does not have a high visibility and it is difficult for managers to assess how well development is proceeding. As a result, many organizations are reluctant to use an evolutionary approach for large systems where management is the principal problem. 4. It is very difficult to apply this approach to large systems which require a significant infrastructure (e.g., a database and communications) before any system functionality can be provided. If any hardware interfacing is involved, this may have to be specified early to allow the hardware to be designed and manufactured. Prototyping with user involvement is essential for the development of interactive user interfaces so, for interactive systems in general, evolutionary prototyping is the best generic process to adopt. For small and medium-sized business systems, evolutionary development using 4GLs means that systems can be delivered more quickly and development costs are significantly reduced compared with development in a conventional programming language using the waterfall model. It must be accepted, however, that the lifetime of systems developed using this approach is, inevitably, relatively short. © 2004 by Taylor & Francis Group, LLC
In applications which have a long lifetime or which have very high performance or reliability requirements, throw-away prototyping may be used for part or all of the system development process. The prototype may be developed using some rapid development method and the final system re-implemented using a programming language which allows better-structured, more-maintainable, and more-efficient systems to be built. For large systems, it is unusual to develop a complete system prototype. Rather, specific parts of the system with high specification uncertainty (such as the user interface) are prototyped before the final system specification is produced.
102.4 Iterative Models The need for model iteration was discussed earlier in this chapter, where the principal problem with waterfall-type models was the lack of support which they provide for process iteration. Models based on evolutionary development do support iteration but lack visibility and may be difficult to manage. Iterative models are designed to address the need to plan for and accommodate change yet still provide a structured and manageable approach to development. In this section, I discuss two iterative process models. These are: 1. The incremental development model, where the software is broken down into a set of separately developed increments. 2. The spiral model, where different parts of the system are built in different ways depending on an identification of the risks involved. These are complementary rather than opposing models, so that a spiral model could be used to develop system increments. I am not aware of any published work which describes such experience, but there is clearly scope for some integration of these approaches.
102.4.1 Incremental Development The waterfall model of development requires commitment to be made early in the development process. The customer for the system must commit to a set of requirements before design begins, and the designer must commit to particular design strategies before implementation. During the development process, changes in the requirements are normal and require rework of the requirements, design, and implementation. The incremental approach to development (Figure 102.7) was suggested by Mills [Mills et al. 1980] as a means of reducing rework in the development process and giving customers some opportunities to delay decisions on their detailed requirements until they had some experience with the system. It is an intrinsic part of the Cleanroom process discussed later in this chapter. In an incremental development process, customers identify, in outline, the services to be provided by the system and they prioritize these services. That is, they identify which of the services are most important and which are least important to them. A number of delivery increments are then identified where each increment provides some subset of the total system functionality. Naturally, the allocation of services to increments depends on the service priority. The highest-priority services are delivered first to the customer. After the required set of services has been identified, an overall system architectural design is produced where the set of services is partitioned and assigned to different parts of the system. The subsystems making up the system and their relationships are identified. System services may make use of common facilities such as database facilities, network support, etc., so these are also identified at this stage. Once the system increments have been identified, the requirements for the services to be delivered in the first increment are defined in detail and that increment is developed using the most appropriate development process. During that development, further requirements analysis for later increments can take place, but no requirements changes for the increment which is currently being developed are accepted. Once an increment is completed and delivered, customers can put it into service. This means that they © 2004 by Taylor & Francis Group, LLC
FIGURE 102.7 An incremental development process.
take early delivery of part of the system functionality. They can experiment with the system, which helps them clarify their requirements for later increments and for later versions of the current increment. As new increments are completed, they are integrated with existing increments so that the system functionality improves with each delivered increment. The common services may be implemented early in the process or may be implemented incrementally as functionality is required by an increment. There is no need to use the same process for the development of each increment. Where the services in an increment have a well-defined specification, a waterfall model of development may be used for that increment. Where the specification is unclear, an evolutionary development model may be used. This incremental development process has a number of advantages: 1. Customers do not have to wait until the entire system is delivered until they can gain value from it. The first increment satisfies their most critical requirements, so the software can be immediately put into use and contribute to the work of the customer buying that software. 2. Customers can use the early increments as a form of prototype and thus gain experience which informs the requirements for later system increments. 3. There is a lower risk of overall project failure. Although problems may be encountered in some increments, it is likely that some will be successfully delivered to the customer. 4. As the highest priority services are delivered first and later increments are integrated with them, it is inevitable that the most important system services receive the most testing. This means that customers are less likely to encounter software failures in the most important parts of the system. However, this approach to software development does have some problems. These include: 1. Increment identification. Increments should be relatively small (no more than 20,000 lines of code) and each increment should deliver some system functionality. It is sometimes difficult to map the customer’s requirements neatly onto increments. Requirements are not independent and, in order to satisfy one requirement, several others may also have to be implemented. © 2004 by Taylor & Francis Group, LLC
2. Infrastructure provision. Most systems require an infrastructure which is used by different parts of the system. As requirements are not defined in detail until an increment is to be implemented, it is difficult to identify the detailed functionality required by increments which must be provided in this infrastructure. 3. Contract management. Many system development contracts are based on a contractor’s developing a system with a given specification for a fixed price and according to a fixed schedule. In the incremental approach to development, requirements specification is delayed so there is not a compete system specification until the final increment is specified. This requires a new form of contract, which causes difficulties for large organizations and software customers such as government agencies. A variant of this approach which addresses the problems of contract management and common service provision is an incremental delivery rather than an incremental development model. In this case, the customer requirements are defined in detail as in the waterfall model but the software development is structured so that the system is designed, developed, and delivered incrementally. This means that it is easier to identify the infrastructure requirements and there are fewer problems with contract management. However, an important advantage of the incremental development model — namely, the ability to delay detailed requirements specification — is lost.
102.4.2 The Spiral Model The spiral model of the software process, shown in Figure 102.8, was proposed by Boehm in 1988 [Boehm 1988]. The model views the software development process as a spiral where development spirals from initial conception to final system deployment. The spiral model was developed for use in large defense contractors where some form of waterfall model was the normal software process used and where process standards
FIGURE 102.8 Boehm’s spiral model of the software process. (From: Boehm, B. W. 1988. A spool model of software c IEEE, 1988. With permission.) development and enhancement. IEEE Computer 21(5). © 2004 by Taylor & Francis Group, LLC
such as MIL-STD-2167A may have to be applied. It therefore identifies the broad process activities of requirements specification, design, implementation, etc. The developers of the spiral model recognized the inadequacies of the waterfall approach and designed the model to include activities to resolve design and specification uncertainties. It also allows for regular reviews of progress against well-defined objectives and hence does not suffer from some of the management problems of prototyping approaches. The spiral model is a risk-driven model where project risks which are applicable to that phase are identified and resolved before progress is made to the next stage. Each phase of the process corresponds to a round of a spiral. Within that round, there are four stages, shown in separate quadrants in Figure 102.8: 1. An objective-setting phase, where the objectives of the round and the development constraints are established. 2. A risk-analysis phase, where the project risks are assessed against these objectives and where, if necessary, risk-resolution activities such as prototyping are carried out. 3. A development phase, which may encompass design, programming, and validation activities. Within this phase, a waterfall development model may be adopted. 4. A planning phase, where plans for the next iteration of the spiral are drawn up. The most important contribution of the spiral model is its explicit recognition of risk in the software process. In the risk-analysis phase, the critical risks which affect that phase of development are identified and work is done to resolve these risks. Risks are considered to be a lack of information, so risk resolution involves information gathering and analysis. For example, consider a situation where a system is intended to be a “walk up and use” system, where members of the general public use the system to retrieve information of some kind. The obvious risk here is that the user interface is not appropriate for casual use, so that people without computer experience cannot actually retrieve the information that they require. The risk-resolution activities here would involve the creation of mock-up systems and the development of prototypes which are extensively tested before the final development of the system takes place. The spiral model is an adaptable model which can encompass other process models. For example, for systems where there is a low specification risk, the model can be considered as a waterfall model with no need for prototyping and risk-analysis activities. Where there is a high specification risk, for example, in the development of user interfaces for interactive systems, the model can be considered as an evolutionary development model with the prototyping activities dominating and relatively little development in the third quadrant. The spiral model was designed in a large defense contracting organization so, as you would expect, it explicitly addresses the needs of project management. The first phase, which sets objectives, identifies alternatives, etc., identifies a baseline for the management process. Progress can be assessed against this. The second phase of risk analysis identifies risks and provides information to managers about these risks. The development phase may produce project documents, and the final phase is explicitly concerned with the management planning of future phases. There are two main problems with the spiral model: 1. The difficulties of risk analysis. This is a very difficult and specialized process and there are relatively few people with this type of experience. 2. Contractual problems. This model is explicitly designed to avoid premature decision making, but the nature of system engineering contracts may make this essential. The model can really be used only where there is trust between client and contractor. The spiral model has been enormously influential in making the notion of risk explicit to the software engineering community. There is now a widespread recognition of the need for software project risk identification and analysis. While this explicit risk analysis is important for all projects, the spiral model itself, with its emphasis on management, is most suited as an alternative to the waterfall model in large system engineering projects. © 2004 by Taylor & Francis Group, LLC
102.5 Formal Transformation There are some classes of system, particularly safety-critical systems, where it is very important that the system conforms to its specification. Classically, this conformance is demonstrated by testing the software using test data which is comparable to that which the software must process when it is in use. However, testing can only demonstrate the presence of software errors and cannot prove their absence. Therefore, when it is essential that the software must conform to its specification, it has been argued that the conventional waterfall model, with its emphasis on system validation, is inappropriate. Rather, an alternative model may be used which does not include an explicit testing phase to discover errors in the implemented system. In this model, a formal mathematical specification is produced and this is systematically transformed into a system implementation. The specification may be mathematically analyzed to discover inconsistencies, and these are removed at this stage. The specification transformations are correctness-preserving, so that the developed software is an exact implementation of the specification. As current methods of formal specification and analysis do not allow the compilation of a mathematical specification into an efficient implementation, the transformation of a specification into an implementation is a multistage process. Detail is added to the specification at each stage, and the transformations which are carried out may be either automated or manual with some automated assistance. This formal transformation process is not widely used, although some organizations which develop safety-critical systems (such as railway signalling systems) are now starting to introduce it for part of their software development. However, a variant of this approach is an important part of the Cleanroom process discussed in the next section.
102.6 The Cleanroom Process The Cleanroom process was developed at IBM’s Federal Systems Division with the objective of dramatically reducing the number of faults in the software delivered to customers. It combined aspects of the incremental development and the formal transformation model which have already been covered in this chapter. The Cleanroom process takes its name from the cleanroom used in semiconductor fabrication, where the objective is to provide an environment where defects are not introduced into the semiconductor wafers which are being fabricated. The Cleanroom process was developed from work in the 1970s on structured programming [Linger et al. 1979] and is described in a number of papers by Mills and Linger [Mills et al. 1987, Mills 1988, Cobb and Mills 1990, Linger 1994]. The model is illustrated in Figure 102.9.
FIGURE 102.9 The Cleanroom process.
© 2004 by Taylor & Francis Group, LLC
The essential characteristics of the Cleanroom approach to software development are: 1. Formal software development. The software is mathematically specified and a development process is used where mathematical arguments are used to demonstrate that the developed software conforms to its specification. This is a weaker approach to the formal transformation model discussed above in that there is no systematic, correctness-preserving specification transformation process. However, the approaches are conceptually similar in that neither model includes a defect-testing activity but both rely on mathematical arguments to demonstrate that a program meets its specification. 2. Incremental development. An essential characteristic of the Cleanroom process is the incremental development and integration of software. If the software was not structured into increments, it is unlikely that a manageable formal specification and associated mathematical correctness arguments could be produced. 3. Statistical testing. The testing process has the goal of validating the reliability of the software rather than defect discovery. Test data are based on an operational profile, which is a set of test data which reflects the frequency of actual inputs that the system must process. The number of failures detected processing these inputs reflects the software’s reliability. Reliability is predicted using reliability growth models [Littlewood 1990]. Reports of the Cleanroom process by its developers suggest that it is very successful in producing software which has a low number of defects. Independent assessment [Selby et al. 1987] confirmed that the Cleanroom process resulted in software which had fewer defects than an approach based on defect testing. However, the process relies on staff who have the training and ability to work with mathematical specifications and mathematical correctness arguments. This restricts its applicability to organizations which are willing to accept the relatively high training costs involved in introducing this process. It is also unclear how the process may be applied to the development of user interface software, which is an increasingly significant component of most software systems. Formal specification techniques have not been developed for specifying system interaction.
102.7 Process Model Applicability The most appropriate software process model depends on the organization developing the software, the type of software to be developed, and the capabilities of the staff involved. There is no “ideal” model, and it makes little sense to try and fit all development in an organization to a single approach. The most appropriate process model should be chosen depending on the type of project, the application domain, and the skills and experience of the staff available. Table 102.2 summarizes the applicability of the different models discussed here. Large systems normally include subsystems of different types. Rather than impose a single process model for the whole system, each subsystem should be developed according to the most appropriate model. Wellunderstood parts of the system may be developed using some form of the waterfall model, and those subsystems whose requirements are difficult to predict may be developed using an evolutionary approach. An issue which has not really been addressed is the relationship between these models and object-oriented development, where there is a blurred boundary between analysis, design, and implementation activities and where there is a significant potential for object reuse. Clearly, incremental development models are suited to this approach, but it is less clear how other process models relate to object-oriented development. This issue is most significant for waterfall models, which are embedded in many standards (such as the US MIL-STD-2167A) and which propose a development process with clear separations between phases. These cannot simply be discarded, and work is required to investigate how to integrate them with object-oriented development.
© 2004 by Taylor & Francis Group, LLC
TABLE 102.2
Process Model Applicability
Process Model Waterfall model
Throw-away prototyping
Evolutionary development Incremental development
Spiral model
Formal transformations Cleanroom process
Applicability Development of systems whose specification is well understood. This approach may also be used in systems where development is subcontracted, although it is not always technically appropriate in these cases. The waterfall approach may be required by some government organizations. Parts of large systems, such as the user interface or expert system components, whose specification cannot be drawn up in advance. Software products where a prototype is developed for test marketing. Interactive systems with a relatively short lifetime. Small to medium-sized business systems based around a database. The development of large systems whose functionality can be readily partitioned and systems which have well-understood (e.g., a standard DBMS) infrastructure requirements. This approach is particularly appropriate for internal use in an organization; contractual problems are not then an issue. Software which is part of a large systems engineering project and so involves development by a number of interdisciplinary teams. Again, contractual problems are avoided if the model is used within an organization. The development of relatively small safety-critical software systems or systems with very high reliability requirements. Large systems whose functionality can be partitioned and which have very high reliability requirements. Unsuitable for the development of interactive components of these systems.
102.8 Research Issues and Summary This chapter has discussed a number of generic models of the software process and has suggested where these models are most likely to be appropriate. These have included specification-driven models such as the waterfall model and the V-model, evolutionary and throw-away prototyping, the incremental development and spiral models, and models based on formal software specification. The three most important factors affecting the choice of process model are: 1. The project size. Large projects are dominated by management concerns, so a process model which takes these into account must be used. 2. The specification uncertainty. If there is a lot of specification uncertainty, a process based on some form of prototyping must be used for development. In general, the interactive parts of systems always fall into this category. 3. The nature of the development contract. The procurer of the software may demand that a particular approach to development is used. It is now generally recognized that there is no “ideal” process model, so research in this area is not much concerned with the development of new generic models. Rather, current research in the software process is mostly oriented around two related themes: 1. Process support technology. What software tools and techniques may be deployed to support the software process and to reduce overall process costs and development schedules? 2. Process improvement. How can existing software processes be improved to achieve the same objectives and to develop software with fewer defects? These themes are closely related as, obviously, one approach to process improvement is process automation where technology is used to take over potentially slow and error-prone human activities. The notion of process support technology is a development of the work in the 1980s on software engineering environments [Taylor et al. 1988, Bott 1989, Thomas 1989, Brown et al. 1992]. These environments were collections of CASE tools to support specific process activities with some degree of integration between these tools. However, while individual CASE tools have been successful in providing support for © 2004 by Taylor & Francis Group, LLC
specific process activities, integrated environments are not widely used. They are not seen as cost-effective by most software development organizations. There are a number of reasons for this, not least the very rapid change in hardware technology, which has meant that more and more systems are interactive systems for personal computers. These make use of built-in libraries and are often concerned with integrating a number of existing software packages rather than in developing a complete application from scratch. Integrated environments are, in essence, designed to support a waterfall model of development which is not really applicable to this class of system. It has also been argued that another reason for the lack of use of these large-scale software engineering environments is the fact that they do not provide facilities for process definition and support. Users of these environments should be able to define a detailed model of the software process to be used in a project, the development standards and tools to be used, and the people responsible for each task. The environment should automatically schedule tasks and distribute information, as required, to the engineers involved. Over the past few years, there has been a great deal of research into this notion of process modelling and associated support technology [Curtis et al. 1992, Krasner et al. 1992, Huff 1995]. There have been a number of experimental environments developed [Finkelstein et al. 1994], and tools such as Process Weaver [Fernstrom 1993] may be used to provide some measure of process automation. However, at the time of writing (1995), this technology is immature and is not widely used. It is debatable whether it will ever become mainstream software technology, as it does not appear to be particularly suited to the development of small and medium-sized application systems. However, for large software and systems engineering projects which require complex configuration management and where tens and perhaps hundreds of developers must be coordinated, process automation technology may have a role to play. As discussed above, the notion of process improvement, particularly process improvement for defect reduction, is one which has been widely accepted in a number of industries. As failures in software systems are a result of human design errors rather than material failure (say), there is particular scope for improving products by modifying the software process so that product defects are avoided. In this area, the most influential work has been done by the Software Engineering Institute at Carnegie Mellon University, which published the capability maturity model (CMM) for software process improvement [Humphrey 1988, Paulk et al. 1993, Paulk et al. 1995]. This model identifies and classifies key process activities for large-scale projects and suggests that the capability of an organization is a reflection of the number of these processes which are incorporated in the organizational software development process. Other approaches to maturity assessment, such as the Bootstrap approach [Haase et al. 1994] have also been developed. The capability maturity model is applicable to the improvement of large-scale processes but less appropriate for small organizations concerned with smaller project development. To address this, Humphrey [Humphrey 1995] has proposed an approach to developing a personal software process and process improvement strategies. The importance of the software process and software process models is now generally recognized. Evolving software processes to meet new demands for rapid delivery of high-quality interactive software is perhaps the major challenge which we face in the future.
Defining Terms Capability maturity model: A process improvement model which defines a number of levels of process maturity in terms of the key processes undertaken at these levels. Cleanroom process: An approach to software development based on fault avoidance. The software is split into increments and each increment is formally specified, verified, and statistically tested. Operational profile: A set of test data whose frequency reflects the actual usage of the system. Process support technology: Any CASE tools or methods used to support software process activities. Reliability growth model: A mathematical model which is used to predict when a given level of software reliability is likely to be reached. Software process: The activities and their inputs and outputs which are involved in developing a software system from initial conception through to final delivery to a customer. © 2004 by Taylor & Francis Group, LLC
Software process model: An abstract model of the software process which identifies the principal activities and their deliverables. It may also include information about the tools and development environment used and about the roles of the people responsible for particular activities. Spiral model: An incremental process model based on cycles where each cycle includes objective setting, risk analysis, development, and planning of the next cycle. V-model: A derivative of the waterfall model where specification, design, and development activities are explicitly linked to validation activities through deliverables. Waterfall model: A software process model based on engineering models where the system is specified, designed, implemented, and tested in separate phases.
References Armenise, P., Bandinelli, S., Ghezzi, C., and Mortenzi, A. 1992. Software process representation languages: survey and assessment. In Proc. 4th Int. Conf. Software Engineering Knowledge Engineering. Capri, Italy. Boehm, B. W. 1988. A spiral model of software development and enhancement. IEEE Comput. 21(5):61–72. Bott, M. F. 1989. The ECLIPSE Integrated Project Support Environment. Peter Perigrinus, Stevenage, UK. Brown, A. W., Earl, A. N., and McDermid, J. A. 1992. Software Engineering Environments. McGraw–Hill, London. Christie, A. 1994. A Practical Guide to the Technology and Adoption of Software Process Automation. Software Engineering Institute. Carnegie–Mellon University, Pittsburgh, PA. Cobb, R. H. and Mills, H. D. 1990. Engineering software under statistical quality control. IEEE Software 7(6):44–54. Colebourne, A., Sawyer, P., and Sommerville, I. 1993. MOG user interface builder: a mechanism for integrating application and user interface. Interacting Computers 5(3):315–332. Curtis, B., Kellner, M. I., and Over, J. 1992. Process modeling. Commun. ACM 35(9):75–90. Dedene, G. and De Vreese, J.-P. 1995. Realities of off-shore engineering. IEEE Software 12(1):35–45. Fernstrom, C. 1993. Process Weaver: adding process support to Unix. In Proc. 2nd Int. Conf. Software Process, Berlin. Finkelstein, A., Kramer, J., and Nuseibeh, B., Eds. 1994. Software Process Modelling and Technology. Wiley, New York. Guerrieri, E. 1994. Case study: Digital’s application generator. IEEE Software 11(5):95–96. Haase, V., Messnarz, R., Koch, G., Kugler, H. J., and Decrinis, P. 1994. Bootstrap: fine tuning process assessment. IEEE Software 11(4):25–35. Huff, K. E. 1995. Software process modeling. In Trends in Software Process, A. Fuggetta and A. Wolf, Eds., pp. 1–24. Wiley, New York. Humphrey, W. S. 1988. Characterizing the software process. IEEE Software 5(2):73–79. Humphrey, W. S. 1995. A Discipline for Software Engineering. Addison–Wesley, Reading, MA. Krasner, H., Terrel, J., Linehan, A., Arnold, P., and Ett, W. 1992. Lessons from a learned software process modeling system. Commun. ACM 35(9):91–100. Linger, R. C. 1994. Cleanroom process model. IEEE Software 11(2):50–58. Linger, R. C., Mills, H. D., and Witt, B. I. 1979. Structured Programming — Theory and Practice. Addison– Wesley, Reading, MA. Littlewood, B. 1990. Software reliability growth models. In Software Reliability Handbook. P. Rook, Ed., pp. 401–412. Elsevier, Amsterdam. Mills, H. D. 1988. Stepwise refinement and verification in box-structured systems. IEEE Comput. 21 (6):23–37. Mills, H. D., Dyer, M., and Linger, R. 1987. Cleanroom software engineering. IEEE Software 4(5):19–25. Mills, H. D., O’Neill, D., Linger, R. C., Dyer, M., and Quinnan, R. E. 1980. The management of software engineering. IBM Sys. J. 24(2):414–477.
© 2004 by Taylor & Francis Group, LLC
Paulk, M. C., Curtis, B., Chrissis, M. B., and Weber, C. V. 1993. Capability maturity model, version 1.1. IEEE Software 10(4):18–27. Paulk, M. C., Weber, C. V., Curtis, B., and Chrissis, M. B. 1995. The Capability Maturity Model: Guidelines for Improving Software Process. Addison–Wesley, Reading, MA. Royce, W. W. 1970. Managing the development of large software systems: concepts and techniques, pp. 1–9. In Proc. IEEE WESTCON, Los Angeles, CA. Selby, R. W., Basili, V. R., and Baker, F. T. 1987. Cleanroom software development: an empirical evaluation. IEEE Trans. Software Eng. SE-13(9):1027–1037. Taylor, R. N., Selby, R. W., Young, M., Belz, F. C., Clarke, L. A., Wileden, J. C., Osterweil, L., and Wolf, A. L. 1988. Foundations for the Arcadia environment architecture. SIGSOFT Software Engineering Notes 13(5):1–13. Thomas, I. 1989. PCTE interfaces: supporting tools in software engineering environments. IEEE Software 6(6):15–23. Wojtkowski, W. G. and Wojtkowski, W. 1994. 4GL Tools and Methods. Boyd and Fraser, Boston, MA.
Further Information Process models and the software process in general are covered in most software engineering textbooks [Pressman 2003, Sommerville 2000]. Research in software process issues is covered in recent books such as those by Finkelstein et al. [Finkelstein et al. 1994] and by Fuggetta and Wolf [Fuggetta and Wolf 1996]. There is a series of international and European workshops on the software process and software process technology and, more recently, an international software process conference has been established. Proceedings of the European workshops have been published by Springer; proceedings of the international workshops and process conference are available from the IEEE Computer Society. The SEI approach to process improvement is well documented [Paulk et al. 1993], and reports of practical experience of the applicability of these models are available directly from the SEI (accessible through the World Wide Web at http://www.sei.cmu.edu/FrontDoor.html). Smaller-scale process improvement is covered in Humphrey’s book on personal software processes [Humphrey 1995]. Process measurement and process improvement are discussed in the ami handbook (Addison–Wesley 1995) and in a series of papers by Basili [Basili and Rombach 1988, Basili and Green 1993]. Basili, V. and Green, S. 1993. Software process improvement at the SEL. IEEE Software 11(4):58–66. Basili, V. R. and Rombach, H. D. 1988. The TAME project: towards improvement-oriented software environments. IEEE Trans. Software Eng. 14(6):758–773. Fuggetta, A. and Wolf, A., Eds. 1996. Trends in Software: The Software Process. Wiley, Chichester, UK. Pressman, R. S. 2003. Software Engineering — A Practitioners Approach. 5th ed. McGraw–Hill, New York. Sommerville, I. 2000. Software Engineering. 6th ed. Addison–Wesley, Wokingham, UK.
© 2004 by Taylor & Francis Group, LLC
103 Traditional Software Design 103.1 103.2 103.3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103-1 The High-Tech Supermarket System . . . . . . . . . . . . . . 103-2 Traditional Approaches to Design . . . . . . . . . . . . . . . . . 103-3
Top-Down and Bottom-Up Design • Data-Flow Diagrams • Entity-Relationship Diagrams • Finite-State Machines
103.4
Design by Encapsulation and Hiding. . . . . . . . . . . . . . 103-9 Modules
Steven A. Demurjian Sr. University of Connecticut
103.5
•
Abstract Data Types
Mathematical and Analytical Design . . . . . . . . . . . . . . 103-12 Queueing Network Models • Simulation Models
•
Time-Complexity Analysis
103.1 Introduction Software design techniques span a wide spectrum, and they have incrementally evolved as the discipline has matured over the years. In the early 1960s, flowcharts were the most heavily used design technique for programming, and they subsequently evolved through the 1960s and into the mid-1970s into approaches such as data-flow and entity-relationship diagrams. At this same time, parallel efforts began on approaches for design using modules [Parnas 1972] and abstract data types (ADTs) [Liskov and Zilles 1975, Liskov et al. 1977]. Module concepts were further explored in the late 1970s [Wirth 1977], taking us into the early 1980s, where these design concepts were supported in programming languages such as Smalltalk-80 [Goldberg 1989], Ada [Barnes 1991], and Modula-2 [Wirth 1985]. While it would be impossible to review this entire history of traditional software design in a single chapter, we will introduce and trace the important concepts and techniques. Software design is not an isolated activity, and some believe it is one of the most important aspects of the overall design, development, and maintenance process. In an oft-cited article, F. Brooks presents the notion that there is no silver bullet to solve all of the problems related to software design and development [Brooks 1987]. In the article, Brooks establishes a fundamental challenge across application domains, as follows: The hardest single part of building a software system is deciding precisely what to build. . . . Therefore, the most important function that the software builder performs for the client is the iterative extraction and refinement of the product requirements. . . . I would go a step further and assert that it is really impossible for a client, even working with a software engineer, to specify completely, precisely, and correctly the exact requirements of a modern software product before trying some versions of the product. [Brooks 1987, p. 17].
© 2004 by Taylor & Francis Group, LLC
Brooks believes that the focus must be on the design process. Specifically, there is a shortage of what Brooks calls “great designers,” the one or two individuals or software engineers who are head-and-shoulders above the other team members and consequently drive the successful completion of a software system. These great designers must be identified, recognized, and rewarded for their expertise. The key is that we cannot separate the individual (software engineer) from the techniques and processes. Software design approaches are irrelevant without knowledgeable individuals who can utilize and exploit the techniques to their fullest extent. Our discussion of the various approaches and techniques will also include, where appropriate, indications of their strengths and weaknesses. This chapter contains four sections. To serve as a basis for discussion, Section 103.2 introduces the High-Tech Supermarket System, HTSS, which is used as an explanation vehicle for the different design approaches presented in this chapter, and in the next chapter on object-oriented software design. In Section 103.3, we review traditional approaches for software design, including top-down, bottom-up, data-flow diagrams (DFDs), entity-relationship (ER) diagrams, and finite-state machines (FSMs), highlighting their strengths and weaknesses. The techniques reviewed in Section 103.3 are often intended for conceptual software design used as software engineers first attempt to understand the system components, structure, and interactions. Section 103.4 examines techniques for encapsulation and hiding via modules and ADTs. These techniques often follow the use of DFDs, ERs, and FSMs, because they allow detailed system structure and interactions to be defined, and serve as a basis for object-oriented software engineering (see Chapter 104). Section 103.5 reviews mathematical and analytical design techniques, specifically, queueingnetworkmodels, time-complexityanalysis, and simulationmodels. These techniques have been a part of computer science and engineering since its earliest days. They are relevant and important for software design because they offer the ability to predict and estimate performance, a key concern for software engineers.
103.2 The High-Tech Supermarket System The High-Tech Supermarket System, HTSS, uses the newest and most up-to-date computing technology to support inventory control and to assist customers in their shopping. HTSS utilizes computing technology in a positive way to enhance and facilitate the shopping experience for customers by integrating inventory control with: 1. The cashier’s functions for checking out customers to automatically update inventory when an item is sold 2. A user-friendly grocery item locator that indicates textually and graphically where items are in the store and if the item is out of stock 3. A fast-track deli orderer (deli orders are entered electronically), with the shoppers allowed to pick up the order, weighed and packaged, without waiting The inventory control aspect of the proposed system would maintain all inventory for the store and alert the appropriate store personnel whenever the amount of an item drops to its reorder limit. The system should also have extensive query capabilities that allow store personnel to investigate the status of the inventory and to track sales for the store over various time periods and other restrictions. Finally, note that HTSS and its functional components are based on an actual store that opened in Connecticut in the spring of 1993. Thus, the concepts that are presented have their basis in an actual “real-world” application. To support the functional and operational requirements of HTSS, from an end-user perspective, there must be a set of user–system interfaces, including: r Cash register/universal product code (UPC) scanner: used to process an order, which includes
recording individual items, totaling them, deducting coupons, and taking payment. As each item is scanned, it must be deducted from the inventory, so that values are always consistent and up-to-date. r Displays for inventory querying: to access and manage the inventory, a separate display is needed. Through this display, orders and updates can be made. Only authorized individuals will be allowed to enter new orders or update the inventory when a shipment arrives. © 2004 by Taylor & Francis Group, LLC
r Shopper interface for locator: used by customers to locate where (aisle, shelf) a particular item is
displayed in a store. r Shopper interface for orderer: through this interface, customers can place orders for the deli (e.g.,
meats, cheeses, salads, etc.). These orders are then filled and the customer picks up the order at some later time. r Deli interface for orderer: this interface is needed by store employees who work in the deli department to scan and fill customer orders. We have chosen this set on the basis of both their differences (they all have unique requirements for their operation) and similarities (they all share common requirements regarding response time, throughput, and user-friendliness). Response time and throughput are important for the first two interfaces because there are likely to be multiple cash registers that must work in parallel with many inventory displays. User friendliness is also important, for new employees using cash registers, and especially for customers using the different shopper interfaces. Clearly, HTSS contains multiple types of data that must interact, performance constraints on throughput and the number of concurrent users, persistence for multiple databases, and a wide variety of users with different capabilities and access requirements.
103.3 Traditional Approaches to Design Traditional design approaches (e.g., top-down, bottom-up, DFDs, etc.) focus on developing a functional characterization of an application. Historically, there are close ties between these approaches and imperative or procedural programming languages such as FORTRAN, Pascal, and C. The reason is that there is a direct correspondence between the design for an application using one of the approaches and its realization as a working piece of software or program, at both a conceptual level and from the perspective of the coding and organizational techniques that are utilized to develop software using an imperative language. This section is a case study of traditional design approaches — namely, top-down, bottom-up, data-flow diagrams (DFDs), entity-relationship (ER) diagrams, and finite-state machines (FSMs). Each approach can be used in many different ways, and is well suited to developing the solution to a problem from a specific perspective. Each approach can also be used to conceptualize a design at various levels of granularity.
103.3.1 Top-Down and Bottom-Up Design Regardless of which traditional approach is chosen, the common theme of a functional characterization of the system or application persists. In the case of HTSS, a functional list of a subset of the basic system components would include: 1. Check-out customers: the actions that must be taken by a cashier to process a customer’s order. 2. Locate items: the actions that are taken to locate specific items in the store. This could be initiated as a result of a customer using the item locator user interface or a bagger needing to check a price or get an item for a customer. 3. Order deli meats, cheeses, and salads: these actions support the deli orderer, and allow the order to be transferred to deli employees for processing. 4. Update and query inventory: these actions are needed by management and stock-room personnel to track and maintain the status of the inventory. These four major components are determinable based on a top-down design examination of the problem at hand. Once these components have been identified, they can each be expressed as a set of detailed tasks via the process of stepwise refinement. For HTSS, the first component can be refined as the tasks: 1a. Scan UPCs for all items 1b. Modify inventory 1c. Maintain running total © 2004 by Taylor & Francis Group, LLC
1d. Subtotal/coupon adjustment 1e. Final total and take payment 1f. Etc. etc. etc. Tasks 1a, 1b, and 1c are repeated to process all items for an order, followed by tasks 1d and 1e. Each of these tasks can, in turn, be refined and expanded by an iterative and incremental process that can evolve the design toward an implementation. For example, as part of task 1e, if a noncash option is chosen, it may be necessary to verify the credit card, automated teller machine (ATM) card, or checking account status. This top-down process proceeds from the general to the specific to arrive at a solution. The complement of top-down is the bottom-up approach, which, while still functionally oriented, is driven strongly by information and its usage. For example, given the four components previously reviewed (i.e., check-out customers; locate items; order deli meats, cheeses, and salads; and update and query inventory), and the general description of HTSS in Section 103.2, it is likely that a data structure can be defined that maintains grocery items. In HTSS, each Item should have a UPC for unique identification, a Name, various Costs (e.g., Wholesale and Retail), a Size or Weight, the Amount on shelves or in the stockroom, and so on. Given this information, the major components of HTSS can be examined to identify their access requirements. For example: r UPC scanner: must scan the UPC on an Item, verify it against the database for the inventory, and
then return all appropriate information on an Item to be used in checking-out a customer’s order. Item has been selected by a customer, the shelf Amounts can be accessed to display quantity and location. r Inventory control: all of the responsibilities associated with managing the inventory, which include creating new entries for Items, updating existing entries, deleting Items, querying for both scanner and locator, and so on. r Locator: once an
From these requirements, the commonalities can be identified and synthesized in a bottom-up process to arrive at a set of functions that can support access to Items. For example, Get UPC Code() and Get Shelf Amount() are two such functions. These low-level functions are used as building blocks to develop higher-level procedures and functions, which can then support the components of HTSS. Whether top-down or bottom-up is utilized for design and implementation, there are still a number of important considerations that are not addressed by either approach. First, as new refinements are made (top-down) or higher-level tasks are determined (bottom-up), there is no way to identify when we are done or whether the design matches the specification. Second, both approaches seem counterproductive with respect to user-interface design, because they are prone to separate system functions from user interface needs. This often leads to user interfaces that are evolved rather than formally planned. Topdown and bottom-up design are both suited to smaller, well-defined problems. Top-down and bottom-up design as principles are very important in many other design approaches. For example, they are both critical when developing solutions using an ADT or module approach, as we will discuss in Section 103.4. In addition, in object-oriented approaches (see Chapter 104), top-down design for specialization and bottom-up design for generalization are two critical design concepts used in the construction of inheritance hierarchies.
103.3.2 Data-Flow Diagrams Another approach to design user data-flow diagrams (DFDs), which describe system operations by means of a high-level characterization of information input/output and the identification of major functional actions and informational flow. In the former, the emphasis is on what information must be input, stored, and displayed, so that it can be effectively used. In the latter, the focus is on how the information is used, by displays, individuals, other systems functions, and so on. DFDs as a design technique are very versatile. To represent high-level system behavior, a macroscopic view of an application, DFDs can characterize major
© 2004 by Taylor & Francis Group, LLC
FIGURE 103.1 A macro-level DFD for HTSS.
system components, as shown for HTSS in Figure 103.1.∗ The major components or functions of HTSS are represented in a DFD using circles. Actions for input by a user or system are found in the rectangular boxes. Databases, or repositories of information, are indicated by the parallel lines (open boxes) that enclose a phrase. Displayed or output information is identified by the rectangular box with the upper right corner squiggled. The arrows indicate data or information flow, with labels provided to indicate what is flowing between the various portions of a DFD. The four functions represented in Figure 103.1 correspond to four of the five user–system interfaces presented for HTSS in Section 103.2. The Process Order function represents all of the actions taken by the Cashier to total a customer’s order. This includes getting the Items from a database that the customer is buying and verifying payment information by means of a Credit & Check database. Other functions on the diagram represent inventory controller actions, and requests by shoppers to either locate Items in the store or to Order Deli Items. Clearly, the DFD as presented is a gross-level description of the major actions for HTSS.
∗
We have utilized concepts and notation for DFDs from Ghezzi et al. [2003].
© 2004 by Taylor & Francis Group, LLC
FIGURE 103.2 A micro-level DFD for HTSS.
DFDs can also be utilized to expand a certain function of a system in greater detail. For HTSS, Figure 103.2 contains a DFD that might represent the Process Order function from Figure 103.1. There are three tasks to process an order, represented by five separate functions. First, each item must be scanned (one function), recorded on the receipt (second function), and updated in the inventory (third function). Once all items have been processed, the second task is to subtotal and subtract all appropriate coupons (fourth function). The third and final task completes the order with payment by the customer and verification of valid credit by the cashier (fifth function). To support the five functions, databases are accessed, output is displayed, and flow occurs between them. Overall, the actions in a high-level DFD as given in Figure 103.1 can be decomposed into greater detail as shown in Figure 103.2 as the software engineer incrementally works toward the problem solution. DFDs are still very popular today because they are very easy to use, learn, and understand, even for individuals who do not have a computer science background. Thus, DFDs are a critical communication medium between the technical (designers and engineers) and nontechnical (customers and end users) individuals who participate in the software design process. However, one important omission in DFDs is the inability to easily specify sequencing and iteration among the various tasks. Consequently, for the DFDs in Figures 103.1 and 103.2, the flow of control across the diagram is neither obvious nor always inferable. FSMs can also be utilized for a software design to capture flow between various system components, supplementing DFDs. Ghezzi also notes that DFDs can only be considered as “. . . semi-formal notation,” and must be used as part of a bigger picture where system structure not represented by DFDs can be captured by other techniques [Ghezzi et al. 2003], which argues for DFDs, ER diagrams, and so on to be used in
© 2004 by Taylor & Francis Group, LLC
conjunction with other software design techniques to describe the different facets of an application. When collected, these representations are an overall characterization of an application from complementary and supplementary perspectives.
103.3.3 Entity-Relationship Diagrams Since DFDs only support the representation of information at a coarse granularity level (i.e., large categories of information with little regard to its makeup and content), they can be complemented with entity-relationship (ER) diagrams for supporting a detailed conceptual modeling of the database requirements for an application. The ER approach was originally proposed by Chen [1976]. The basic building blocks of the ER approach are entities and relationships. Entities are used to model static information aggregations that represent meaningful information components of an application from a database perspective. Entities can have one or more attributes associated with them to characterize their structural content. ER diagrams utilize relationships to model static information associations between entities. Relationships have cardinalities (e.g., one-to-one, one-to-many, many-to-many) that define the associations. While the original ER approach did not contain the ability to specify inheritance among entities, later extensions have provided that modeling choice. Inheritance between entities is available in modern versions of ER diagrams to capture the commonalities that exist from a data/attribute perspective among different entities. Figure 103.3 is an ER diagram for HTSS. In the figure, there are entities for Item, DeliItem, CustomerOrder, DailySales, CreditInfo, CreditCard, CheckInfo, and DebitCard,
FIGURE 103.3 An ER diagram for HTSS.
© 2004 by Taylor & Francis Group, LLC
which are shown in rectangular boxes. The attributes for each entity are enclosed in ovals and connected to each entity via lines. For example, the Item entity has attributes for UPC, Name, W(holesale)Cost, R(etail)Cost, and so on. Relationships are enclosed using diamonds, and include Order, DeliOrder, and Sales in the figure. Order is a one-to-(one-to-many) relationship between CustomerOrder and Item (one-to-many), and CustomerOrder and DeliOrder (one-to-one) signifying that one customer order has many Items and one DeliOrder. A DeliOrder is, in turn, composed of many DeliItems. Numbers (1, n, m) are used on the diagram to indicate these cardinalities. Finally, inheritance is used to abstract out commonalities across multiple entities. For example, when paying for an order by a noncash method, the account number, status, and account balance are all common and placed in one entity, CreditInfo. The information in this entity can then be inherited by other entities, in this case, CreditCard, CheckInfo, and DebitCard. These other entities in turn have their own unique attributes. Inheritance is represented by lines labeled with ISA in Figure 103.3. As a design technique, ER diagrams have many advantages. First, they are an excellent technique for conceptual database design that are easily utilized to represent information, as shown for HTSS in Figure 103.3. As with DFDs, both technical and nontechnical individuals utilize ER diagrams as a means to communicate and exchange ideas on the software design. Second, both the information and its interdependencies can be identified and modeled. Third, by supporting inheritance, generalization is promoted to reduce information redundancies. Despite these advantages, there are also many drawbacks. First, by focusing on information and ignoring functional requirements and usage, it is very possible that one can arrive at an ER diagram that does not meet the operational needs of the application. Second, ER diagrams lack the ability of DFDs to represent interactions with other system components (e.g., user interfaces, systems functions, etc.). This is critical for applications such as HTSS, where all of the diverse system components are interdependent and must work together.
103.3.4 Finite-State Machines When developing a software design for an application such as HTSS, we have seen that DFDs can capture the flow of information between different system functions and ER diagrams can represent the database structure and dependencies. One problem with DFD and ER diagrams is that neither is well suited to the representation of the control aspects of a system. To address this problem, the design technique finitestate machines (FSMs) can be utilized. Specifically, an FSM can be utilized to capture control, by means of a diagram with states and labeled arcs between them. Each state represents a functional aspect of the design, with each arc labeled with different values (phrases) that cause state changes or transitions between states. To illustrate FSMs, a partial one for HTSS is given in Figure 103.4 to more accurately represent the flow from the DFD in Figure 103.2. In Figure 103.4, five states are shown. On the basis of input, control
FIGURE 103.4 FSM for totaling a customer’s order. © 2004 by Taylor & Francis Group, LLC
transfers from one state to another. When scanning an Item’s UPC, alternative actions are taken on the basis of whether the Item was found, for example, new items or on-sale items are sometimes omitted from inventory control databases. As the Items for a customer’s order are scanned and processed, the inventory is updated and a receipt is created and generated. As long as there are Items to be processed, control will keep looping through the left portion of the FSM. As soon as all items are processed, control will change and go on to the next step to scan and deduct all coupons. The strength of FSMs is in their ability to capture detailed flow to supplement DFDs and ERs. The weaknesses of FSMs are complementary to the advantages of earlier techniques. First, FSMs lack the data-representational capabilities of ER diagrams. Second, they tend to be more detailed and geared toward software engineers and other technical individuals, unlike DFDs and ERs, which are an excellent discussion medium between software engineers and customers.
103.4 Design by Encapsulation and Hiding Software design using modules and ADTs is guided by a number of classic software engineering concepts, which are briefly reviewed for completeness. r Separation of concerns and modularity. Any domain or application can be divided and decom-
posed into major building blocks and components (separation of concerns). This decomposition allows the application requirements to be further defined and refined, while partitioning these requirements into a set of interacting components (modularity). Changes to the application are (it is hoped) localized. In addition, team-oriented design and development can proceed with different team members concentrating on particular components. r Abstraction and representation independence. Through abstraction, the details of an application’s components can be hidden, providing a broad perspective on the design. This in turn allows changes to be made to the internal structure and function of each component, achieving representation independence, because the external view of a module/ADT is not impacted. r Incrementality/anticipation of change. The design process at all times is iterative or incremental. This is true whether a given set of modules/ADTs represents an initial or final design for an application. There is an expectation that components will be changed, added, refined, etc., as needed to support evolving requirements. r Cohesion/coupling. An application is cohesive if each component does a single well-defined task. Cohesion has a long history in computing. In the “early days,” the rule of thumb was that each procedure or function should be limited to one output page (approximately 60 lines). If so, then the resulting system was deemed cohesive. Coupling is used to signify the interdependencies of components. Coupling is often considered the complement of cohesion, and an application that minimizes coupling has components that require little or no interaction. When the application also exhibits high cohesion, the end result is a well-defined system with well-understood interactions between its components. These terms and concepts occur repeatedly throughout the remainder of this section as modules and ADTs are presented and discussed.
103.4.1 Modules Module concepts for design were first proposed by Parnas [1972] in the early 1970s, and were realized in languages such as Modula-2 and Ada. As a concept, the motivation of modules can be tracked to the examination of existing programs that seemed to share similar solution approaches despite their different domains. Specifically, a given data type (e.g., record, structure, etc.) in a program always seemed to have a set of dedicated procedures and functions that represented its capabilities. Informally, this situation was often organized in separate files during implementation in a programming language such © 2004 by Taylor & Francis Group, LLC
MODULE Cashier; IMPORT Get_Item(UPC), Get_Credit_Info(AcctNum), Get_Deli_Item(UPC), ...; EXPORT Display_SubTot(), Display_Total(), Generate_Receipt(), ...;
MODULE Scanner; ... END Scanner;
{Code for internal data and for procedures and functions} END Cashier;
MODULE Orderer; ... END Orderer;
MODULE Items; IMPORT {various I/O routines}; EXPORT Get_Item(UPC), New_Item(UPC, Name, ...), Modify_Item(UPC, Integer), Delete_Item(UPC), ...; anItem = RECORD UPC : INTEGER; NAME: STRING; SIZE: REAL; ... END;
MODULE DeliItems; ... END DeliItems;
MODULE Locator; ... END Locator;
MODULE CreditCheck; ... END CreditCheck;
{Code for Procedures/Functions} END Items; FIGURE 103.5 Sample modules for HTSS.
as C. Modules formalized this ad hoc process by recognizing that most programs are partitionable into discrete program units, with well-defined interactions. Individually, each program unit encapsulated the required functionality for a given task, and provided an interface for a user, while hiding its implementation. Representation independence is achieved because changes can be made to the implementation that have no impact on the interface and its users. Collectively, the ability to encapsulate functionality and to support future changes was the driving force behind introducing modules as an improved design approach. In many ways, design using modules can mirror the top-down approach of stepwise refinement. The process begins with the identification of major system tasks. These system tasks might correspond to information or operation. For HTSS, as shown in Figure 103.5, modules for system tasks such as Cashier, Scanner (used by Cashier, Locator, Orderer), and so on, are needed, as well as modules for information such as Items and DeliItems (which are used by many other modules). Modules can also be utilized in a bottom-up direction, by first identifying the lower-level shared modules, and then incrementally combining modules to represent higher-level system functions. A top-down, bottom-up, or even mixed approach to software design using modules is often dictated by the preferences and experiences of software engineers. In some ways, modules appear to encompass both DFD and ER approaches. Each task in a system will be realized by a module that contains a dedicated set of information and a set of procedures and/or functions that operate on the information to accomplish its task. A subset of a module’s information, procedures, and/or functions is identified or tagged for export to other modules. Exported portions of a module represent its interface to the “world.” Finally, because a module might interact with other modules, a module may import information and functionality for standard actions (e.g., say, for input/output [I/O] of data, printing, strings, etc.) or application-specific functions. Note that portions imported by one module © 2004 by Taylor & Francis Group, LLC
must have been exported by other modules. Concepts for defining a module and importing (exporting) from (to) other modules are shown in Figure 103.5. When using modules, designers strive for low coupling and high cohesion. Low coupling implies that the interdependencies of modules with respect to exchanging information are minimal. High cohesion refers to the ability of a module to characterize a single well-defined task. Thus, through modules, controlled sharing is promoted; portions that are not exported from a module are hidden from other modules, and representation independence is facilitated. Through either a top-down or bottom-up approach, modules provide a technique that stresses the breakdown of a software design into logical discrete components, and are intended for software designers and engineers rather than customers and end users.
103.4.2 Abstract Data Types ADTs were first proposed by Liskov for the CLU programming language [Liskov and Zilles 1975, Liskov et al. 1977]. An ADT is characterized by a set of operations (procedures and functions) referred to as the public interface, which represents the behavior of a data type. The private implementation of the data type is hidden from the programmer or software engineer who wishes to use the ADT. System-available ADTs have been extensively utilized in programming languages for many years. For example, in Pascal, when using the integer data type, the software engineer is able to utilize all of the appropriate operations against integers (e.g., +, -, ∗, div, mod, etc.), without needing to know the implementation of integers in the underlying machine-dependent architecture. Designer-defined ADTs are readily available today in languages such as Ada, C++, and Java. ADTs are a design technique that allows software engineers to define their own data types. For example, the classic ADT is a stack that contains operations for push, pop, top, initialize, isempty, and so on. These operations serve as the public interface for the software engineer, and they typically include the type of the stack (e.g., integer, real, etc.) and the parameters and return types of the public operations. However, the private implementation of stack, which includes the implementation of all operations and the data representation (e.g., array or list, etc.), is hidden from the user. ADTs achieve representation independence by means of a hidden private implementation, and abstraction by means of a visible public interface. Moreover, this allows implementation changes to be made (e.g., say, from an array to a list) as long as these changes are transparent to the public interface (i.e., the operations and their names, parameters, and return types cannot change). ADTs promote the design and development of applications from the perspective of information and its usage. From an information perspective, there are ties between ADTs and the ER approach. From a usage perspective, the functional characteristics can be explored in either a top-down or a bottom-up direction. However, ADTs take a combined view that focuses on information and its manipulation, which can yield a different design solution than an approach that considers each facet individually. In the ADT design process, there are a number of considerations that must be addressed: r Identify the major information units: determines the ADTs that are needed for an application or
system. r Describe the purpose of each unit: indicates the overall responsibility for each ADT in the application. r Define manipulation techniques for each unit: for ADTs, this corresponds to the operations or
methods that must be characterized, including the parameters, return type, etc. r Encapsulate and hide: representation of each unit and its manipulation are both encapsulated and
hidden within the ADT. In addition to describing the design for individual ADTs, we also note the iterative or cyclical process that can be utilized to arrive at a design solution. We have taken a bottom-up approach to ADT design for HTSS, as shown in Figure 103.6 and Figure 103.7. In Figure 103.6, the lowest level of ADTs is shown, with an emphasis on the information components for an application. Thus, we have ADTs for Item, DeliItem, Receipt, and so on. Given this lowest level, other ADTs can be designed that combine and utilize multiple low-level ADTs, as shown in Figure 103.7. In this case, the Process Order ADT uses multiple ADTs, © 2004 by Taylor & Francis Group, LLC
ADT Item; PRIVATE DATA: SET OF Item(s), Each Item Contains: UPC, Name, WCost, RCost, OnShelf, InStock, Location, ROLimit; PTR TO Current_Item; PUBLIC OPS: Create_New_Item(UPC, ...) : RETURN Status; Get_Item_NameCost(UPC) : RETURN (STRING, REAL); Modify_Inventory(UPC, Delta) : RETURN Status ; Get_InStock_Amt(UPC) : RETURN INTEGER; Get_OnShelf_Amt(UPC) : RETURN INTEGER; Check_If_On_Shelf(UPC): RETURN BOOLEAN; Time_To_Reorder(UPC): RETURN BOOLEAN; Get_Item_Profit(UPC): RETURN REAL; Get_Item_Location(UPC): RETURN Location; ... END Item; ADT DeliItem; PRIVATE DATA: SET OF (Item, Weight, CostLb, Increm); ... END DeliItem; ADT Receipt; PRIVATE DATA: SET OF Items; SET OF Coupons; {An ADT} SubTotal, Total, PayType; ... END Receipt;
ADT CustomerInfo; ... END CustomerInfo; ADT Shelf_Info; ... END Shelf_Info; ADT Sales_Info; ... END Sales_Info;
FIGURE 103.6 Low-level ADTs for HTSS.
while the Sales Info ADT only uses Receipt. Current and lower levels are incrementally combined to increase ADT functionality. Eventually, an ADT that describes the uppermost level of system behavior will be specified. Note that a top-down approach to ADTs is also reasonable and feasible. Clearly, the advantages of ADTs are similar to those of modules. However, because the techniques are somewhat ad hoc, the decisions made at higher levels (for the bottom-up approach) are impacted by lower levels, i.e., if ADTs at the lowest level are wrong, those errors are carried through all subsequent levels. In addition, the lack of inheritance for ADTs will likely result in design redundancies, even though there is software reuse.
103.5 Mathematical and Analytical Design From a more quantitative perspective, there is also a wide range of techniques available to mathematically analyze the different components of a software design. These design analysis techniques play a critical role in ensuring that the requirements identified in the specification are attainable in the application design. For example, queueing network models are utilized to estimate performance of systems on the basis of various load and resource access patterns. Also, individual algorithms can be analyzed in detail to arrive at an understanding of their algorithmic complexity with respect to time (absolute) or as compared to other algorithms (relative). Evaluating alternative design solutions to problems is an important activity © 2004 by Taylor & Francis Group, LLC
ADT Process_Order; {Middle-Level ADT} PRIVATE DATA: {Local variables to process an order.} PUBLIC OPS : {What do you think are appropriate?} {This ADT uses the ADT/PUBLIC OPS from Item, Deli_Item, Receipt, Coupons, and Customer_Info to process and total an Order. each Receipt must be cataloged and stored when an Order has been completed.} ... END Process_Order; ADT Sales_Info; {Middle-Level ADT} PRIVATE DATA: {Local variables to collate sales information.} PUBLIC OPS : {What do you think are appropriate?} {This ADT uses the ADT/PUBLIC OPS from Receipt so that the sales information for the store can be maintained.} ... END Sales_Info; ADT Cashier; {High-Level ADT} PRIVATE DATA: {Local variables used by a cashier.} PUBLIC OPS : {What do you think are appropriate?} {This ADT uses the ADT/PUBLIC OPS from the middle-level ADTs (Process_Order, Sales_Info, etc.), and from the low-level ADTs.} ... END Cashier; FIGURE 103.7 Middle- and high-level ADTs for HTSS.
that occurs during the early stages of software design. In the remainder of this section, queueing network models, time-complexity analysis, and simulation models are reviewed.
103.5.1 Queueing Network Models Throughout the history of computer science and engineering, queueing networks have been extensively utilized to model computer systems [Kleinrock 1975, Kleinrock 1976]. Often, after a specification has been written and either prior or concurrent with the software design process, queueing network models can be utilized as an important tool to estimate and predict performance, including potential bottlenecks. In a basic queueing network model, jobs arrive and are queued for processing. Processing commences when all required resources are available. During the processing, it may be necessary to wait for a resource (e.g., I/O device), or a job may be returned to the queue if it has exceeded its allowable processing time slice. The former characterizes the I/O-bound jobs, the latter, the computation-bound jobs. To represent these alternative possibilities, probabilities can be assigned to jobs that correspond to their waiting times, say, probability r for the jobs’ I/O waiting time and probability (1 − r ) for the jobs’ CPU waiting time. For design analysis and performance estimation during software design, both open and closed queueing network models can be utilized. In a closed model, jobs neither enter nor depart from the network. On the other hand, an open queueing network is characterized by one or more jobs coming into the network and by one or more jobs departing from the same network. The behavior of jobs within the network is characterized by the probability of transitions of jobs between servers. When modeling systems, two of the key variables that must be specified are the scheduling discipline © 2004 by Taylor & Francis Group, LLC
and the size of the queue. Typically, we can use first-come-first-serve scheduling and unlimited-capacity queues. For an open queueing network model, a characterization of job-arrival processes must be defined. For a closed queueing network model, the number of jobs in the network must be given. Queueing network models are especially useful during the software design of HTSS because there are so many obvious places where jobs queue up for service. For example, there are multiple cash registers, with multiple customers queued to have their orders processed and totaled. As each order is processed by all cashiers in a concurrent fashion, there are concerns about the performance of simultaneous database access when Items are scanned. The overall throughput of the system is critical, to ensure that customers are processed in a timely fashion when the system is under maximum loading. Another aspect of HTSS where performance is critical is when deli orders are queued by customers to be filled by deli workers. The number of deli workers (servers), the average number of orders in the queue, and the time needed to fill an average deli order can be used in conjunction to estimate the time delay needed before a customer can proceed to the deli counter to pick up the filled order. The results of queueing network models are an important input to the software design process and can definitely influence and guide software design decisions.
103.5.2 Time-Complexity Analysis The analysis of the complexity of an algorithm can be used to evaluate the performance of the algorithm [Horowitz et al. 1997], and more importantly, from a software design perspective, to compare performance of multiple algorithms. Algorithm analysis can occur during software design even before code has been written. In one approach, equations can be developed that represent the time spent in carrying out an algorithm. In this case, we may be given a description of the algorithm in pseudocode, in software architecture, or in hardware organization, and from this description, we develop time-complexity equations that represent the time spent by the algorithm. There are three different types of time-complexity equations that can be defined: the best-case time represents the time to execute an algorithm under ideal conditions, the average-case time represents the time to execute an algorithm under typical or average conditions, and the worst-case time represents the time to execute an algorithm under the exhaustive or worst conditions. During software design, the type of application can dictate the degree of freedom in an algorithm’s performance. For example, in a medical, life-critical application, the worst-case time for an algorithm might be the guiding factor, to ensure that lives are not lost under any conditions. In an application such as HTSS, the average-case time may be sufficient. Time-complexity equations can be developed for two different purposes during software design. On the one hand, time-complexity equations can be used for the case study of an algorithm, for example, the best-case, average-case, and worst-case times for the algorithm. On the other hand, time-complexity equations can be used to provide a relative analysis of the time spent in different designs of the same algorithm. For example, suppose we wish to compare two different storage/search designs for the database of Items in HTSS. In one approach, suppose that a sequential data structure (array) is utilized, with Items stored in sorted order by UPC. Further suppose that for locating an Item, the best available search method requires an O(log n) algorithm, where n is the number of Items. On the other hand, suppose a heavily indexed data structure is utilized, which keeps indices on data and uses the indices to optimize the storage for fast retrieval. Suppose that the best retrieval method in this case requires an O(logi n) algorithm, where i represents the efficiency of the indexing technique. For values of i that exceed 2, the second approach is superior. The trade-offs between algorithm complexity (both time and space) can be evaluated by a software engineer to determine the algorithm that best matches the problem constraints.
103.5.3 Simulation Models There are two major types of simulation languages: continuous simulation languages and discrete simulation languages [Hoover and Perry 1989, Sammet 1969]. In continuous simulation languages, the variables of the simulation change in a uniform fashion for a given uniform increment of time. That is, the variables of © 2004 by Taylor & Francis Group, LLC
the simulation are continuous functions over time. In discrete simulation languages, there is a nonuniform change for the simulation variables over uniform increments of time. That is, the variables of the simulation can be specified as step-functions, where the distance between the steps is discrete. Continuous simulation languages are the oldest, and they have mostly been used for the simulation of analog computers [Sammet 1969]. The GPSS simulation language is characterized as a block-diagram or flowchart-oriented simulation language [Gordon 1975]. In block-diagram simulation languages, the system to be simulated is decomposed into a fixed number of blocks. Then, to define the simulation structure, the transition or flow between the blocks is specified. The simulation execution involves moving objects between blocks as governed by the transition requirements and restrictions until a termination condition is satisfied. The SIMULA simulation language is characterized as a process-oriented simulation language [Hoover and Perry 1989]. In process-oriented simulation languages, the system to be simulated is represented by a fixed number of processes that operate in parallel. The modeling of each process is characterized as a sequence of events. The simulation execution involves moving objects through the process organization of the system. As before, execution terminates when a criterion is met. Like queueing network models, simulation models can then be utilized to predict and estimate performance under varying system load conditions. Simulation techniques offer a software engineer a more fine-grained estimate of load, because a software design can be decomposed into a number of components that can be analyzed both individually and collectively. Results of simulation models are used in a similar way to queueing network models, allowing a software engineer to understand the software design in greater detail, and leading to informed and justified decisions during the software design process.
Defining Terms Abstract data type (ADT): A software design approach that decomposes a problem into components by identifying the public interface and private implementation. An ADT allows software engineers to define their own data types to support the informational and behavioral needs of their applications. Abstraction: See opening paragraph of Section 103.4 for a precise definition. Anticipation of change: See opening paragraph of Section 103.4 for a precise definition. Bottom-up design: A software design approach that decomposes a problem into components in a process that proceeds from the low-level specific components to general high-level components. Cohesion: Please see opening paragraph of Section 103.4 for a precise definition. Coupling: Please see opening paragraph of Section 103.4 for a precise definition. Data-flow diagram (DFD): A software design approach that emphasizes the decomposition of a problem on the basis of input information, functional actions, information flow, and output results. Encapsulation: The software engineering concept that is utilized by ADTs and modules to group together information and methods/operations within a single component. Once these are encapsulated, access to the component can be controlled. Entity-relationship (ER) diagram: A software design approach that identifies the database components of an application using entities to model information aggregations, attributes on entities to model information content, and relationships between entities to model information associations. Finite-state machine (FSM): A software design approach that is used to precisely capture control flow using a combination of states, which are the functional components of a design, and arcs, which are labeled with the actions that cause state changes or transitions. Hiding: Related to encapsulation, hiding involves the private implementation of an ADT or module, which is inaccessible to all other components of an application. Incrementality: See opening paragraph of Section 103.4 for a precise definition. Inheritance: A modeling technique used in ER diagrams to represent commonalities that exist between various components in an application. In ER diagrams, these components focus on shared information. Method: Contains the definition of the actions required for a particular operation against the private data of an ADT. Methods can be in either the public interface or the private implementation of an ADT. © 2004 by Taylor & Francis Group, LLC
Modularity: Please see opening paragraph of Section 103.4 for a precise definition. Module: A software design approach that functionally partitions the components of an application into design/program units, which, like ADTs, have a public interface and private implementation. All services that are available from a module are exported to other modules, while all services needed by a module must be imported from other modules. Queueing network models: A mathematically based software analysis/design technique for estimating and predicting performance for computing systems. Queueing models allow software engineers to identify bottlenecks and determine components that are I/O or computation bound early in the software design process. Private implementation: That portion of an ADT or module that is hidden from the other portions of an application. Critical for representation independence. Public interface: That portion of an ADT or module that contains the permissible operations (methods, functions) that are available for use by other portions of an application. Critical for abstraction. Representation independence: See opening paragraph of Section 103.4 for a precise definition. Separation of concerns: See opening paragraph of Section 103.4 for a precise definition. Simulation models: A software analysis/design technique for predicting and estimating performance under varying system load conditions. Software reuse: The process that describes the ability to reuse existing software in new applications. When software is reused in its entirety without changes, a gain in productivity is attained. Critical for ADT/module-based design. Time-complexity analysis: A software analysis/design technique where the performance of individual algorithms can be precisely determined from a timing perspective. The best-case, average-case, and worst-case times of different algorithms can be compared against one another to assist a software engineer in making the correct choice of an algorithm for an application. Top-down design: A software design approach that decomposes a problem into components in a process that proceeds from high-level general components to specific low-level components.
References Barnes, J. G. P. 1991. Programming in Ada plus Language Reference Manual, 3rd ed. Addison-Wesley, Reading, MA. Brooks, F. 1987. No silver bullet — essence and accidents of software engineering. IEEE Comput. 20(4): 10–19. Chen, P. 1976. The entity-relationship model — toward a unified view of data. ACM Trans. Database Syst., 1(1):9–36. Ghezzi, C., Jazayeri, M., and Mandrioli, D. 2003. Fundamentals of Software Engineering, 2nd ed. Prentice Hall, Englewood Cliffs, NJ. Goldberg, A. 1989. Smalltalk-80: The Language. Addison-Wesley, Reading, MA. Gordon, G. 1975. The Application of GPSS V to Discrete System Simulation. Prentice Hall, Englewood Cliffs, NJ. Hoover, S. and Perry, R. 1989. Simulation: A Problem Solving Approach. Addison-Wesley, Reading, MA. Horowitz, E., Sahni, S., and Rajasekaran, S. 1997. Computer Algorithms. Computer Science Press, Rockville, MD. Kleinrock, L. 1975. Queueing Systems I. Wiley, New York. Kleinrock, L. 1976. Queueing Systems II. Wiley, New York. Liskov, B. and Zilles, S. 1975. Specification techniques for data abstraction. IEEE Trans. Software Eng. 1(1):7–19. Liskov, B. et al. 1977. Abstraction mechanisms in CLU. Commun. ACM 20(8):564–576. Parnas, D. 1972. A technique for software module specification with examples. Comm. ACM, 15(5): 330–336. Pressman, R. 2001. Software Engineering: A Practitioner’s Approach, 5th ed. McGraw-Hill, New York.
© 2004 by Taylor & Francis Group, LLC
Sammett, J. R. 1969. Programming Languages: History and Fundamentals. Prentice Hall, Englewood Cliffs, NJ. Schach, S. 2002. Object-Oriented and Classical Software Engineering, 5th ed. McGraw-Hill, New York. Sethi, R. 1996. Programming Languages: Concepts and Constructs, 2nd ed. Addison-Wesley, Reading, MA. Sommerville, I. 2001. Software Engineering, 6th ed. Addison-Wesley, Reading, MA. Tucker, A. and Noonan, R. 2002. Programming Languages: Principles and Paradigms, McGraw-Hill, New York. Wirth, N. 1977. Modula: a language for modular multiprogramming. Software — Practice and Experience 7:3–35. Wirth, N. 1985. Programming in Modula-2, 3rd ed. Springer-Verlag.
Further Information The interested reader is referred to software engineering and programming language textbooks for a more in-depth coverage of these and other design techniques. A sampling of representative textbooks includes [Ghezzi et al. 2003, Pressman 2001, Schach 2002, Sethi 1996, Sommerville 2001, Tucker and Noonan 2002]. In addition, the two main computing organizations, the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE) Computer Society, both have publications that are targeted to software engineering and design, discussed along with URLs given below. Electronically, there are a variety of resources available on the World Wide Web. R. S. Pressman & Associates, Inc., maintains the site: http://www.rspa.com/spi/index.html Topics of interest for this chapter at this site are wide ranging, comprehensive, and relate to all aspects of software engineering, including software design. Upon choosing these topics, the reader is directed to other Web sites with presentations, papers, and discussions. The ACM maintains the sites: http://www.acm.org http://www.acm.org/pubs/journals.html http://www.acm.org/sigs/guide98.html The first site listed is the home page for the ACM. At the pubs/journals site, topics for the magazine Communications of ACM and the journal Transactions on Software Engineering and Methodology are relevant. At the special interest groups (SIG) site sigs/guide, the SIGSOFT topic at http://www.acm.org/sigsoft/ is for software engineering. The IEEE Computer Society also maintains three sites of interest for this chapter: http://www.computer.org/ http://www.computer.org/publications/ http://www.computer.org/tab/tclist/index.htm The first site listed is the home page for the IEEE Computer Society. At the publications site, topics for the magazines Computer and IEEE Software are relevant. This site also has topics for the journals Transactions on Software Engineering and Transactions on Knowledge & Data Engineering. The site tab/tclist maintains the technical committees supported by the IEEE Computer Society, including the Software Engineering topic. Finally, note that all ACM and IEEE Computer Society publications are also available in digital form at most major college and university libraries.
© 2004 by Taylor & Francis Group, LLC
104 Object-Oriented Software Design 104.1 104.2 104.3 104.4 104.5 104.6
Use-Case Diagrams • The Class Diagram Diagrams • Other UML Diagrams
Steven A. Demurjian Sr. University of Connecticut
Patricia J. Pia University of Connecticut
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104-1 Object-Oriented Concepts and Terms . . . . . . . . . . . . . 104-2 Choosing Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104-3 Inheritance: Motivation, Usage, and Costs . . . . . . . . 104-4 Categories of Classes and Design Flaws. . . . . . . . . . . . 104-6 The Unified Modeling Language . . . . . . . . . . . . . . . . . . 104-7
104.7
•
Sequence
Design Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104-11 Defining a Design Pattern • Pattern Catalogs • Design Patterns to Solve Design Problems • Using a Design Pattern
104.1 Introduction Object-oriented design techniques evolved from abstract data types (ADTs) [Liskov and Zilles 1975, Liskov et al. 1977], and embody the concept of a class (replacing the ADT) as the unit of abstraction, partitionable into a publicinterface, which represents the behavior of a data type, and a privateimplementation, which is hidden from the software engineer using the class. Both the interface and implementation can be composed of data members (attributes) and operations (methods). Object-oriented and ADT approaches promote: representation independence for changes to the internal structure and function of each component without impacting the external view of a class; incrementality/anticipation of change for the addition of functionality, with the expectation that components will be changed, added, refined, etc., as needed to support evolving requirements; high cohesion (each class performs a single well-defined task) and low coupling (controlled interactions among classes). The distinguishing factor between ADTs and the object-oriented approach is inheritance, which allows controlled sharing between classes, permitting the passing of data and/or operations from the parent (superclass) to the child (subclass). Proponents of object-oriented design agree that it provides a clearer and easier conceptualization of the intended application. Further, the increased emphasis on design (in both time and effort) is supposed to lead to a reduction in implementation effort. Thus, object-oriented design is advocated for a number of important reasons, including: r Stresses modularity: achieved by the class concept and encapsulation. r Increases productivity: while difficult to prove, this is a long-standing claim of object-oriented
design.
© 2004 by Taylor & Francis Group, LLC
r Controls information consistency: this is attained, since hiding allows the access to the private
implementation of a class to be managed. r Promotes software reuse: software engineers can reuse existing classes for solving other prob-
lems. In addition, through inheritance, software engineers can define new classes that acquire the characteristics of existing classes without violating the hidden implementation. r Facilitates software evolution: abstraction, encapsulation, hiding, and inheritance allow minor changes to private implementations to be transparent, while major increases in functionality can be realized by extending the existing class library through inheritance. Testing cuts across all these claims: done on a class-by-class basis (modularity); once tested, a class can be used and reused (productivity); testing of changes is limited to the private implementation as long as the public interface has not been changed (evolution). From a historical perspective, the object-oriented approach for software design and development emerged in the mid-1980s and has become dominant. There are a wide range of object-oriented programming languages, for example, Java [Deitel and Deitel 1997, Campione et al. 2001], Ada 95 [Barnes 1996, Department of Defense 1995], Modula-3 [Harbison 1992], C++ [Stroustrup 1986], Eiffel [Meyer 1992], Smalltalk [Goldberg 1989], and Object Pascal [Tesler 1985], etc., formalized in Wegner [1990]. There was work done in object-oriented database systems (e.g., Ontos [Ontologic 1991], Gemstone [Bretl et al. 1989], O2 [Deux et al. 1991], Orion [Kim 1990], ObjectStore [Lamb et al. 1991], etc.) with formal underpinnings in Kim [1990] and Zdonik and Maier [1990]. These techniques continue to evolve today, as evidenced by the emergence of components and extensions to relational database systems that offer object-oriented capabilities. To investigate, explain, and discuss object-oriented software design, this chapter contains six sections. Section 104.2 reviews key object-oriented design concepts, to establish the terminology. Section 104.3 examines the issues and factors involved in choosing classes. Section 104.4 focuses on the motivation, usage, and costs of inheritance. Section 104.5 examines design considerations and flaws related to determining classes and utilizing inheritance. Section 104.6 explores the unified modeling language (UML), which came to prominence in the mid-to-late 1990s to unify the approaches of Rumbaugh et al. [1991], Jacobson et al. [1992], Booch [1991], and others [Coleman 1994, Meyer 1988, Lieberherr 1996, Wirfs-Brock et al. 1990] into a standard for object-oriented design [Booch et al. 1999]. Finally, Section 104.7 examines the technique of design patterns, based on the idea that recurring patterns in object-oriented design and development can be generalized and categorized to leverage reuse [Gamma et al. 1995]. To facilitate the discussion throughout this chapter, the High-Tech Supermarket System, HTSS, from Section 103.2 is employed.
104.2 Object-Oriented Concepts and Terms This section summarizes the concepts and terminology for object-oriented design: r Class: used to model the features (information) and behavior (methods) for an application, and
partitioned into a public interface and private implementation. r Private implementation: the portion of a class that is hidden from all other parts (classes) of an
application, containing information and/or methods. r Public interface: the portion of a class that contains the permissible operations (methods) that are
available for use by other parts (classes) of an application, which may also contain information. r Information: typically, the private data of a class. Information represents the different internal data
components that define the class and characterize all of its instances. When public, the information content and consistency cannot be guaranteed. r Method: contains the definition of the actions required for a particular operation against the private and/or public data of a class. r Encapsulation: the coupling of information and methods within a class.
© 2004 by Taylor & Francis Group, LLC
r Hiding: controlling access to the information and methods of a class. r Inheritance: the controlled sharing of information/methods between related classes of an appli-
r
r r r
cation. In inheritance relationships, the parent is referred to as the superclass, while the child is referred to as the subclass. Inheritance hierarchy: all inheritance relationships between classes that share a common parent (or grandparent) form a hierarchy with an identifiable root (ancestor). Inheritance hierarchies are simply the trees that organize the sharing between all related classes. Instance/object: an occurrence of a class, or the actual information/data. Message: an action (method call) that is initiated by an instance on itself or by other instances. Class library: all classes and inheritance hierarchies for an application form a common library for use by tools and end users.
Advanced concepts that are important to fully appreciate the potential and power of object-oriented design include generics and dispatching. A generic is a type-parameterizable class. For example, instead of having a stack that is bound to a specific data type (say, integer), the stack can require that the data type be provided as part of its initialization. Thus, the creation of a stack [e.g., Stack(Real), Stack(Char), etc.] binds the stack’s methods to the appropriate types. Dispatching is the runtime or dynamic choice of the method to be called on the basis of type of the calling instance. As a concept, the effective use of dispatching is tightly bound with inheritance, and it offers many benefits: versatility in the design and use of inheritance hierarchies; promotion of reuse and evolution of code, allowing hierarchies to be defined and evolved over time as needs and requirements change; and development of code that is highly generic and easier to debug (and hence reuse/evolve).
104.3 Choosing Classes The first and most frequent question asked by newcomers to object-oriented design is a variant of How are classes chosen?. Typical (lazy) answers to this question echo software engineering mantra (e.g., strive for encapsulation with high cohesion and low coupling) or rely on that old-time favorite, “As you gain more experience with objects, your ability to identify them will also improve.” However, neither answer is really satisfactory. A “better” answer should relate the following: Choosing classes is not a first step in the design and development process, but rather must follow in a logical fashion from earlier efforts. In practice, the choice must be guided by a specification for an application that contains the intent and requirements. The specification will make use of other software design techniques (e.g., data-flow diagrams, ER diagrams, etc., see Chapter 103) to define the scope and breadth of functions, user interfaces, required user/system interactions, and so on. As the specification gains in content and complexity, the relevant classes begin to define themselves as a natural side effect. One hopes that this leads to an object-oriented design. This in turn will be explored, refined, and evolved into a detailed design, which can then be transitioned to an implementation. The moral is that it is unrealistic to “jump” to an object-oriented design from only a basic understanding of an application. It would be just as unreasonable to make such a jump using any software design technique. Instead, one must acquire an understanding of what is appropriate to put into a class. Three possibilities are illustrated below: Private Data Public Interface Employee Class
Name Address SSN ...
© 2004 by Taylor & Francis Group, LLC
Create_Employee() Give_Raise(Amount) Change_Address(New_Addr) ...
ATM_Log Class
Acct_Name PIN_Number ...
Check_Database(Name) Verify_PIN(PIN) Log_on_Actions(Name, PIN) ...
ATM_User Class
Action Balance WD_Amt
Log_on_Steps() Acct_WithDrawal(Amt) Check_Balance(Number) ...
The first class was designed from an information perspective, and to track Employees, standard data and operations are needed. The second class, ATM Log, embodies the functions for an individual to initiate an ATM session, which also requires information to capture user input for verifying status. The third class, ATM User, represents a user interface by capturing the different interactions that are supported.∗ During this design process, there are a number of possible design flaws. First, a software engineer places too much functionality in one class. In this situation, the class can be split into two or more classes, or the functionality can be absorbed into other, existing, classes. The latter leads to a second design flaw: a class lacks functionality. In this situation, two or more classes are often merged to result in a more cohesive class.
104.4 Inheritance: Motivation, Usage, and Costs Inheritance distinguishes object-oriented design from its ADT ancestor. To successfully utilize inheritance, an iterative process to identify commonalties (generalization) and distinguish differences (specialization) is undertaken. For example, in HTSS, a first attempt at needed classes, concentrating only on information in each class could be: SnackItem Name UPC ShelfLife
LiquorItem Name UPC SpecialTaxes
MeatItem Name UPC ExpireDate
... Other Items ...
From the above example, two data components, Name and UPC are common to all Item-related classes and can be (generalized) into the Item class: Item Name UPC
SnackItem:Item ShelfLife
LiquorItem:Item SpecialTaxes
MeatItem:Item ... ExpireDate
The original classes (e.g., MeatItem:Item) now inherit private data (e.g., Name and UPC) from their ancestor (e.g., Item). In general, inheritance-related decisions are often based on the overlaps that exist between information and/or operations across multiple classes. The end result of this modeling activity is one or more inheritance hierarchies that are extensible, evolvable, and reusable. To complement generalization, specialization distinguishes classes by pushing down differences to lower levels of the hierarchy. Thus, the superclass is refined and focused to represent the shared characteristics required by all descendants. For example, in the HTSS hierarchy,
∗
Any discussion on object-oriented concepts would not be complete without an ATM example. Mercifully, this is the only one in this chapter. © 2004 by Taylor & Francis Group, LLC
the Expires private data of Item should be moved to MeatItem, which requires explicit expiration dates, while TempReq should be moved to ProduceItem to track produce that requires refrigerated versus room-temperature storage. Conversely, generalization operates bottom-up by examining a set of classes in an attempt to identify commonalties, which are then pushed into a superclass. For example, in HTSS, the classes MeatItem Name, UPC Expires
DeliItem Name, UPC Expires
LiquorItem Name, UPC SpecTaxes
could be revised into the hierarchy
which defines a new Item superclass. Note that it might also be necessary to define a new level that is a parent of MeatItem and DeliItem, and a child of Item (e.g., a PerishItem for perishable foods). Note also that in these and other examples, the names of variables have been conveniently the same, which, in practice, may not be the case. Another type of inheritance is based on the concept that classes with significantly different and unrelated abstract views might require access to the same underlying implementation. For example, in HTSS, an ItemDB is required to track all items that are sold. There are multiple abstract views for ItemDB that can be represented in an inheritance hierarchy:
In this example, the user interfaces for managing the inventory, locating items, and scanning UPCs all need access to the same information, but they clearly have different intent and usage within HTSS. Another type of inheritance combines two or more classes, allowing software engineers a unified view, which can be achieved via multiple inheritance; for example, DeliItem would inherit from both ProduceItem and MeatItem. In summary, inheritance can be defined as a relationship where the subclass acquires information and/or operations from a superclass. Inheritance is a transitive operation, allowing behavior to be passed from parent to child to grandchild, etc. Because the subclass is more refined than the superclass, it has been specialized. Alternatively, because the superclass contains common characteristics of all of its subclasses, it © 2004 by Taylor & Francis Group, LLC
has been generalized. In practice, inheritance is utilized when two or more classes are functionally and/or informationally related. That is, generalization and specialization decisions can be based on information (as in the previous examples), function, or a combination of the two. The benefits of inheritance are strongly tied to the claims of object-oriented design; and while Budd characterizes these benefits at primarily the implementation level, they clearly also apply to the design level. In the following list from Budd [1997, pp. 143–144], the parenthetical remarks represent the benefits of inheritance during design: r Software (design) reusability. When a set of one or more classes is reused from an earlier effort,
there is a high degree of assurance that compiled and tested code/behavior has been provided. (Similar reuse during design accrues corresponding benefits regarding the completeness of a design component in addition to downstream benefits for the implementation.) r Code (design) sharing. When two or more subclasses of the same superclass share code as the result of a specialization or generalization, redundancy can be reduced; that is, there is only one copy of code to be implemented/tested. (It can be strongly argued that the sharing of code must be identified during the object-oriented design process. Otherwise, the resulting design had many flaws that were not found until the implementation process began.) r Software components. These promote the concept of reusable components and the software factory. (Software factory ideas should not be limited to code, since a “component” may represent a portion of a design or an implementation. In fact, the design patterns discussed in Section 104.7 are an example of design components.) These benefits for inheritance are key to achieving the reuse and evolution claims. However, these benefits do have a cost [Budd 1997, pp. 145–146], accrued during implementation and runtime for the application. Inheritance associations require additional compile time (e.g., for overloaded names, multiple inheritance, etc.) and defer some decisions to runtime (e.g., dispatching). As application complexity increases, the class library size increases, both in numbers and in depth of inheritance hierarchies, which impacts on the compile and runtime environments; that is, there is a heavy cost for dynamic linking. At a more practical level, new and experienced software engineers often define too many operations with too little functionality in a class. This affects the activation records in the runtime environment, especially when the operations call other operations, resulting in nested activation records. In fact, it is often the case that the activation record requires significantly more memory during runtime than the code of a poorly defined “small” operation.
104.5 Categories of Classes and Design Flaws In Chapter 3 of Budd [1997], other important considerations regarding the categories of classes [pp. 48–49] and common design flaws are examined. Both of these considerations play an important role in assisting a software engineer unfamiliar with object-oriented concepts to understand the issues that impact on designing and defining classes. Budd has defined four major categories of classes: 1. Data managers. This category maintains data or state information to capture and contain the functionality for an application. 2. Data sinks/data sources. This category either produces or processes data, and it may be generated on demand to meet a short-term need. 3. View/observer. This category can serve as an interface for an end user or might be used to collect the public interfaces of multiple classes into a single view. 4. Facilitator/helper. This category has no functionality when viewed independently, but exists solely to support other classes. For example, typical facilitators include a string class library, I/O handler classes, etc. Note that classes spanning two or more categories should be decomposed, because they likely contain excessive functionality; that is, they are noncohesive. While it is important to specify each class and to © 2004 by Taylor & Francis Group, LLC
understand to which category a given class belongs, it is more critical to know the context of the class within the overall application. The reason that the class has been specified, the role it will play in the application, and the other classes that it interacts with should all be clearly understood when examining the class. Like any other approach, object-oriented design is not intended to allow a software engineer to arrive at the “completed” design in one step from the specification. Rather, object-oriented software engineering encourages and promotes an incremental and iterative process, allowing an application to evolve from its specification into an object-oriented design. Thus, when defining classes in the aforementioned categories, there are a number of common design flaws that might occur after the first few iterations of the design process, including: 1. Classes that directly modify the private data of other classes. This is a major error in the use of object-oriented design techniques. To rectify this situation, the public interface must be upgraded to include operations that encapsulate the modification of private data. 2. Too much functionality in one class. In this situation, the obvious solution is to split the class into two or more classes that exhibit higher cohesion. The result should also be lowly coupled. 3. An class that lacks functionality. The reverse of the previous case requires the merging of two or more classes. Any time that classes are merged, the impact on existing classes and inheritance hierarchies must be carefully examined. 4. Classes that have unused functionality. In this situation, the key is to understand the reason for the unused functions. Have they been duplicated elsewhere? Were they needed in an earlier prototype? The answers to these questions will dictate the choices made in this case. 5. Classes that duplicate functionality. As in the previous case, it must be understood why the duplication has occurred. Was it due to a specification problem? Did two software engineers unintentionally define the same class? It is expected that the initial attempts at an object-oriented design for an application will not be perfect. The key issue is to learn to recognize imperfections so that they can be corrected in subsequent iterations. The list of common design flaws is not comprehensive; rather, it defines the most commonly occurring errors so that they can be easily eliminated by a novice and avoided as a software engineer gains experience.
104.6 The Unified Modeling Language The unified modeling language (UML) is a language for specifying, visualizing, constructing, and documenting software artifacts [Booch et al. 1999]. UML unified the approaches of Rumbaugh et al. [1991], Jacobson et al. [1992], Booch [1991], and others [Coleman 1994, Meyer 1988, Lieberherr 1996, Wirfs-Brock et al. 1990] into a standard. This was motivated by the fact that the individual methods of object-oriented design were evolving toward one another; and a unified semantics and notation would bring stability to an object-oriented design market leading to the “best” features of the constituent models included in the UML. The end result is the availability of a wide variety of UML modeling tools; namely, Together Control Center, Rational Rose, Paradigm Plus, Softmodeler, GDPro, etc. To accompany the unification, there were some important goals for UML, including: 1. A ready-to-use, expressive visual modeling language that promotes design and development via an exchange of ideas, concepts, solutions, etc. 2. Independent of programming languages and development processes, and suitable for multiple application domains. 3. Encourage the growth of object-oriented tools market, which has been facilitated of late with the emergence of XML as an data exchange standard, allowing models created in one tool (e.g., Rational Rose) to be imported into another tool (e.g., Together Control Center). In the UML, diagrams are utilized to create views into a model, to provide different perspectives for different stakeholders (e.g., users, designers, software engineers, developers, etc.), and to offer alternate representations of the different parts of the system (e.g., data-flow diagrams, finite-state machines, ER © 2004 by Taylor & Francis Group, LLC
HTSS Scan Items
Cashier
Ring Order Customer
Buy Items
FIGURE 104.1 High-Level Use Cases for HTSS.
diagrams, etc.). There are nine standard diagrams in UML: static views of use case, class, object, component, and deployment diagrams; and dynamic views of sequence, collaboration, statechart, and activity diagrams. In the remainder of this section, selected diagrams and associated modeling techniques for UML are explored. First, the use-case diagram for modeling the interactions of users with system components is explained. Next, the class diagram for the static structure of the conceptual model is examined. Then, one of the dynamic views, the sequence diagram, is detailed, which provides a characterization of object interactions over time. Finally, we conclude with a brief discussion of the other remaining UML diagrams and their usage. Note also that as a brief review of UML, many details and capabilities have been omitted; the reader is referred to Booch et al. [1999] for a comprehensive discussion of UML.
104.6.1 Use-Case Diagrams Use-case diagrams track the interaction of users with system components, and are comprised of three different types of elements: actors, systems, and use cases; as shown in Figure 104.1. An actor is an external entity that interacts with software at some level, to represent the simulation of possible events (business processes) in the system. Actors can be people, classes, software tools, etc. The events that actors interact with are referred to as use cases, which represent discrete (and possibly related) functions for an application that is being modeled. Use cases can be collected into a system when they are related to one another. Collectively, a use-case diagram is a graph of actors and use cases (enclosed by optional system boundaries), which represents a black-box view of system components. The focus in a use-case diagram is on the actions, methods, functions, etc., that are utilized by different actors, typically derived via user/customer interviews. The granularity of use cases is variable, depending on the situation being modeled. To illustrate use cases and the granularity differences, consider Figure 104.1 and Figure 104.2, which contain use cases for HTSS. Note that these figures and all other UML figures in this chapter have been constructed using the Together (registered) Control CenterTM (version 6.2) UML tool (www.togethersoft.com). In Figure 104.1, a high-level use case for the system HTSS is shown, with Cashier and Customer actors, and use cases to Scan Items, Ring Order, and Buy Items. Interactions between actors and use cases are shown with lines from the actor to each use case. Conversely, in Figure 104.2 a lower level use case of the system Process Order is shown, with Supervisor, Sales, and Customer actors, and use cases to Establish Credit, Order, Place Order, Fill Order, and Check Status. In addition to actor/use case interactions, Figure 104.2 also illustrates the three
© 2004 by Taylor & Francis Group, LLC
Process Order Establish Credit <>
Supervisor
Order Customer Place Order
Fill Order
<> Check Status
Sales
FIGURE 104.2 Use Cases for Process Order of HTSS.
dependencies among use cases: Check Status extends Order is a relationship where the Check Status use case adds behavior to the Order use case; Establish Credit includes Order is a relationship that denotes the inclusion of the behavior sequence of the Order use case into the interaction sequence of the Establish Credit use case; and Place Order(Fill Order) generalizes Order and relates the specialized use case Place Order(Fill Order) to a more general Order use case.
104.6.2 The Class Diagram A class diagram in UML is utilized to capture the static structure of the conceptual model for an application, describing its classes and the static relationships among them. A class diagram in UML contains classes that have attributes and operations, where each attribute/operation can be distinguished as public (available for all to use), private (hidden from use), and protected (available to descendants via inheritance). Classes can be logically grouped into packages and related to one another via associations, generalizations, and other dependencies. In UML, classes are graphically represented as boxes with compartments for class name, attributes, and operations, and the ability to track properties, responsibilities, rules, modification history, etc. Over time, a software designer develops classes incrementally, adding features to existing classes, creating new classes, defining new relationships, etc. To illustrate a class diagram, Figure 104.3 contains a UML diagram for HTSS. In the diagram, we have a class inheritance hierarchy containing Item (parent), NonPerishItem and PerishItem (children of Item), and DeliItem, MeatItem, ProduceItem (children of PerishItem). In addition, there are classes for a Customer; ItemDB, which is the collection of all Items for a supermarket; and DeliOrder, which represents the Items to be filled by a deli worker. There is a GroceryOrder association between a Customer and the Items being purchased, and contains aggregations (between ItemDB and Item, and DeliOrder and DeliItem). In all classes, attributes are listed under the class name, followed by operations (all separated by horizontal lines). Private members (attributes or operations) are prefaced by a minus sign, protected members by a sharp, and public members by a plus sign. In the Item class, the attributes are all protected (inheritable by descendants), with data types as given, while the operations are all public with return types listed. The Item class is also abstract (not shown), which indicates that it cannot be instantiated, while the DeliItem, MeatItem, and ProduceItem classes are final (not shown), which means that they cannot have children.
© 2004 by Taylor & Francis Group, LLC
Item #Name:String #UPC:int 1..* #RetailCost:float GroceryOrder #WholesaleCost:float #InStockAmount:int Customer #ReorderLimit:int -Name:String +GetltemUPC:int +GetltemName:String +SetRetailCost:void +SetWholesaleCost:void +GetlnStockAmount:void
NonPerishltem
ItemDB
1..* contains
Perishltem
contains 1..* DeliOrder
Deliltem
-OrderNumber:int
-Weight:float -CostPerLb:float
Meatltem
Produceltem
FIGURE 104.3 Classes for HTSS.
Steve’s Order
Steve Customer
DeliOrder
Item Repository ItemDB
Roast Beef Deliltem
1: NewOrder 2: Order 1 lb. Roast Beef 3: Find “Roast Beef” 4: Return Cost Per lb 5: Add to Steve’s Order
6: 1 lb Roast Beef Added 7: Order Next Deli Item…
FIGURE 104.4 A sequence diagram for HTSS.
104.6.3 Sequence Diagrams A sequence diagram in UML is intended to capture and represent the dynamic behavior of instances (objects) of the class diagram (see Figure 104.3). For a given task, a sequence diagram indicates the object interactions over time to accomplish the task. The purpose of a sequence diagram is to model flow of control and, in doing so, to illustrate a typical scenario or processing, thereby providing perspective on usage and flow across the various objects that comprise an application. Figure 104.4 contains a sequence diagram for © 2004 by Taylor & Francis Group, LLC
HTSS to represent the actions taken when a Customer is performing the actions associated with ordering deli meats. In the figure, there are four objects, Steve, Steve’s Order, Item Repository, and Roast Beef, which are, respectively, instances of Customer, DeliOrder, ItemDB, and DeliItem. (Note that Figure 104.4 also illustrates the objects of an object diagram.) Connecting the objects, in a numbered sequence, are messages that indicate the actions (messages 1 to 7) that are taken for Steve to enter his DeliOrder over time (from top to bottom in the figure). At this early stage of the design process, the messages are strings of text. At later stages, they can be replaced with public method calls where appropriate. In reading the seven messages, it is clear on the flow, the actions by each object, and the dependencies among the objects, which must all eventually be captured in the software (code) as it is developed.
104.6.4 Other UML Diagrams In this section, UML diagrams that have not been discussed so far are reviewed. In addition to use-case, class, and object diagrams, other static diagrams include: r A component diagram captures the high-level interaction and dependencies among software com-
ponents that represent the physical structure of the implementation which is built as part of the architectural specification of an application. The purposes of the component diagram are to organize source code, construct an executable release, and specify a physical database. r A deployment diagram allows software architects and network/performance engineers to focus on the placement and configuration of components at runtime, including the topology of an application’s hardware. The purpose of the deployment diagram is to specify the distribution of components and, as a result, to strive to identify potential performance bottlenecks. The sequence diagram is one of four total dynamic diagrams that track behavior from different perspectives, including: r A collaboration diagram is structured from the perspective of interactions among objects and
captures message-oriented behavior. The purposes of a collaboration diagram are to model flow of control, to illustrate the coordination of object structure and control, and to track the objects that interact with other objects. While sequence diagrams track object interactions versus time, collaboration diagrams focus on messages that pass between objects. r A statechart diagram tracks the states that an object goes through and in the process captures event-oriented behavior. The purposes of a statechart diagram are to model the object life cycle and reactive objects such as user interfaces, external devices, etc. Statecharts are similar to finite-state machines, and contrast with the other dynamic diagrams by focusing on the events that occur. r An activity diagram represents the performance of operations and transitions that are triggered in order to capture activity-oriented behavior, in a similar fashion to a Petri-Net. The purposes of an activity diagram are to model business workflows and individual operations, from an action perspective. Overall, the nine different UML diagrams are an excellent vehicle for conceptual modeling in support of object-oriented design.
104.7 Design Patterns The architect Christopher Alexander is credited with laying the foundations for patterns in software development via a series of books [Alexander et al. 1977, Alexander 1979] in that he describes problems that occurred over and over again within the context of designing and constructing buildings and towns. The ideas were adapted to software development with the introduction of five patterns that dealt with the design of user interfaces [Beck 1994]. Other prominent researchers also discovered and documented design patterns [Coad 1992, Coad et al. 1995, Coplien 1992, Gamma et al. 1995, Schmidt 1995]. However, © 2004 by Taylor & Francis Group, LLC
the work that paved the way for the wide acceptance and usage of patterns in the software engineering research and development communities was published by E. Gamma, R. Helm, R. Johnson, and J. Vlissides, a group of experts who became known as the “Gang-of-Four” (GOF) [Gamma et al. 1995]. This resulted in subsequent work in architecture patterns [Buschmann et al. 1996, Schmidt et al. 2000], the emergence of a community of pattern developers who work together to document their experiences in patterns [Buschmann et al. 1996], and the support of design patterns in most UML tools. In the remainder of this section, the capabilities and usage of patterns for software design are explored. First, the concept of a design pattern is defined. Next, pattern catalogs for organizing and categorizing patterns are examined. Then, the way that design patterns solve design problems is presented. Finally, the usage of design patterns to solve a design problem, including an example, is detailed.
104.7.1 Defining a Design Pattern Almost since a programmer wrote the first program, there has been the observation that similar code appears across multiple programs. If a programmer had a set of C functions for manipulating a stack of integers, that code was typically used over and over again by the programmer, changing and adapting the code to different requirements. Now, fast forward to the 1990s when object-oriented software design and development emerged as the preferred approach. In an object-oriented setting, software engineers have noticed that similar types of classes and objects, and their interactions, occur over and over again when solving similar problems in different applications, which has been formalized in a design pattern by the GOF as: . . . descriptions of communicating objects and classes that are customized to solve a general design problem in a particular context. [Gamma et al. 1995] For software engineers, design patterns offer simple, elegant solutions to specific problems in an objectoriented software design for an application [Gamma et al. 1995]. The unique nature of a design pattern is that it describes both the problem and its solution. Design patterns provide solutions that have been developed and refined over time by experienced software engineers and developers, and that have been found to be useful in several application contexts. Design patterns provide design alternatives for software engineers that can be used to create software that is elegant, reusable, and flexible. For a software engineer to successfully utilize design patterns, they must be described in a consistent format at a level of abstraction that transcends single classes, instances, or components [Gamma et al. 1995]. Design patterns must provide a common vocabulary for software engineers to communicate about designs and discuss design alternatives at a raised level of abstraction, allowing information about design trade-offs and decision alternatives to be easily explored. To address this issue, design pattern descriptions [Gamma et al. 1995] have been offered and contain four essential elements: pattern name, problem element, solution element, and consequences element. The pattern name is an intuitive name for the pattern being captured. The problem element describes the context of the problem and when the pattern should be applied. Remember, to be a design pattern, it must be abstract enough so that it can be applied to many situations. The solution element describes the way that classes and objects can be used to solve the problem, with UML class and the sequence diagrams utilized to indicate class structure, class hierarchy, and the communication behavior between the objects within the pattern. Finally, the consequences element describes both the pros and the cons of using the pattern. Collectively, these four elements document a design pattern, providing stakeholders with different information on what a pattern can and cannot do, based on their specific needs.
104.7.2 Pattern Catalogs Once a software engineer understands what design patterns are and the way that they can be utilized effectively to solve problems, the next step is to provide a means to categorize and make patterns available in an easy-to-use fashion. This is typically accomplished via a pattern catalog, which is the collection of
© 2004 by Taylor & Francis Group, LLC
all design patterns organized into categories that are easily accessible for use by software engineers during object-oriented design and development. The pattern catalog must be browsable, to allow a software engineer to easily view and select patterns as needed. From a practical perspective, pattern catalogs are supported by most UML tools such as Together CC and Rational Rose. There are many different ways to categorize patterns within a catalog. In Gamma et al. [1995], GOF has defined three categories for its patterns: creational, structural, and behavioral. A creational design pattern focuses on describing the way that objects in the pattern are instantiated, with the idea that a software engineer may browse based on instantiation behavior to choose a pattern. A structural design pattern organizes patterns based on the manner in which classes and objects are composed with one another, again providing a different perspective for browsing. Behavioral design patterns offer a comprehensive breakdown on what a pattern actually does, via the algorithms, the assignment of responsibilities to objects, and the communications between objects. In Buschmann et al. [1996], architectural design patterns, which specify the system-wide structural properties of an application, are partitioned into categories: structural composition, organization of work, access control, management, communication, from mud to structure, distributed systems, interactive systems, and adaptable systems. Again, these categorizations are critical for allowing software engineers to easily find the patterns that are suitable, which then allows them to make informed decisions within a category to select the pattern that best fits an application’s needs and requirements.
104.7.3 Design Patterns to Solve Design Problems To effectively utilize design patterns to solve design problems, software engineers must rely heavily on (and understand) the critical object-oriented concepts discussed in earlier portions of this chapter, including polymorphism, inheritance, interfaces, abstract classes, and runtime vs. compile-time object composition. Many, if not all, of these concepts are integrally tied to two important goals of the object-oriented approach, namely, reuse and flexibility. The purpose of this section is to highlight a select set of the specific techniques embodied within design pattern solutions that achieve the goals of reuse and flexibility. To do so, we rely on four critical points related to design and its evolutionary process that have been identified in Gamma et al. [1995]. 1. Find objects that do not occur in nature. During design, software engineers often start by identifying objects that correspond to the real world. However, abstractions such as processes (e.g., business or engineering) and algorithms, two critical aspects of any problem solution, do not occur in nature. To address this issue, select design patterns provide solutions for designing processes and algorithms in a flexible manner. From this perspective, the utilization of a design pattern is a reuse of proven ideas and code. 2. Reduce implementation dependencies between subsystems by programming to an interface instead of a particular implementation. Software engineers can employ inheritance to define families of classes/objects with the same interfaces. Then, polymorphism can be used to provide a client (user object) with an interface containing a collection of methods. As a result, the client does not know any specifics about the class it is using, other than the interface that it provides to the client. Again, select design patterns can provide a solution template that supports the use of inheritance and interfaces, promoting both reuse (inheritance) and flexibility (interfaces). 3. Maximize reuse by favoring object composition over class inheritance. In object-oriented software engineering, both inheritance and object composition are methods for reuse. Recall that inheritance allows for the implementation of the parent class to be reused by the subclass, is implemented at compile time, and is part of a instance’s physical representation. A change in the parent class can cause the subclass to change, leading to a best case of recompilation and to the worst case of major redesign. On the other hand, object composition dynamically composes classes at runtime by using existing objects. Only the interfaces of objects are known to the composing objects. Any object can be replaced by an object of the same type (having the same interface) without redesign of classes.
© 2004 by Taylor & Francis Group, LLC
In GOF design patterns, object composition is often favored, because it provides for maximum flexibility as a design evolves over time. 4. Avoid redesign when client, classes, or other factors change. Software engineers, once a design pattern has been chosen, must take great care when changes occur that have the potential to affect the pattern; that is, once a suitable pattern has been chosen, replacing the pattern (redesign) can have a significant impact. To avoid this situation, it is often very useful to decouple behavior. Some examples that occur in practice include: decouple the sender of a request from its receiver using a layer of abstraction, which can be easily found and replaced; and, user interfaces, external operating system interfaces, and interfaces to algorithms can be decoupled from their use by inserting a layer of abstraction between the request for the use and the implementation of the service. Decoupling supports flexibility, allowing the design to adapt with a minimum of change and impact. Each of the four points discussed above encourages software engineers to make informed decisions that maximize flexibility and/or reuse, always keeping in mind an application’s needs and requirements.
104.7.4 Using a Design Pattern There are many different factors that a software engineer must consider when choosing and then using a design pattern [Gamma et al. 1995], including: understanding the way that patterns solve problems; targeting the consequences element that contains both the pros and cons of using the pattern; familiarity with the pattern catalog to know what is available; and, identifying the variables that may change (and may not change) in the design, because the ones that do change have the potential to impact the chosen pattern in the future, thereby requiring redesign. Once a software engineer chooses a design pattern, it must be applied to the design, and this is often facilitated via the expression of a pattern’s solution using UML or other modeling constructs. These constructs should be used as the basis for defining classes, class attributes, and behaviors, including interactions between objects, which customizes the pattern to a specific context. Several resources exist that have implementation code for design patterns in various languages such as C++ [Gamma et al. 1995], Smalltalk [Alpert et al. 1998], and Java [Grand et al. 1998]. To illustrate a design pattern, consider the Observer pattern from GOF [Gamma et al. 1995], which is used to define a one-to-many relationship between objects. When one object changes state, all of its dependents are notified and updated automatically. The Observer pattern allows a design to loosely couple objects so that when one object changes its state (subject), many objects can be notified (observer). The observer is a passive object and is notified whenever the subject object changes. The subject is an active object that does not have to know how many objects want to be notified or make any assumptions about the classes of objects that must be notified. The observer object simply implements an interface that specifies methods for the way that it will be notified of a change in the subject. The subject allows any observer to be registered (or unregistered with it) and will send notifications to each observer automatically each time it is updated. One advantage of Observer is that it allows for an abstract decoupling between subject and observer that facilitates system layering. One disadvantage is that it is possible for the subject to change very frequently, which can cause a cascade of updates to the observers, which has the potential to impact performance. The UML class diagram for the Observer pattern is shown in Figure 104.5. In Figure 104.5, the Concrete Subject stores the state that is of interest to ConcreteObserver objects and sends a notification to its observers when its state changes. The Concrete Observer maintains a reference to a ConcreteSubject object and stores the state that should stay consistent with the subjects. It also implements the Observer updating interface to keep its state consistent with the subjects. An Observer pattern would be useful in HTSS in a number of different ways. First, whenever the retail price of an Item (in ItemDB) is changed, there can be notification to the store manager and stock clerks (which are objects in HTSS) so that shelf and item prices can be updated. Likewise, whenever an Item is recalled (e.g., due to health concerns), there can be notification to inventory control personnel © 2004 by Taylor & Francis Group, LLC
interface Observer
interface Subject <{Subject}>
<{Observer}> <{Observer}>
+attach:void +detach:void +inform:void
+update:void
Concrete subjects
Concrete observers
ConcreteSubject
ConcreteObserver
-observersVector:Vector +attach:void +detach:void +inform:void +observers:Enumeration
+update:void
FIGURE 104.5 Classes for the Observer Pattern.
and stock clerks (again, HTSS objects) to pull the item off the shelf. In fact, if HTSS is truly computerized, then it may also be possible to use the Observer pattern to notify customers (again objects) that have purchased the recalled item.
Defining Terms Abstract data type (ADT): A software design approach that decomposes a problem into components by identifying the public interface and private implementation. An ADT allows software engineers to define their own data types to support the informational and behavioral needs of their applications. Class: The major unit of abstraction in the object-oriented design approach, used to model the features (information) and behavior (methods) for an application. Each class is partitionable into a public interface and private implementation. Class diagram: A UML diagram that represents the classes and the relationships among classes (generalizations and other associations) in an object-oriented design for an application. Class library: The collection of all classes and their inheritance hierarchies form an application library for use by software engineers, classes, tools, and end users. Cohesion: The ability of a class for an application to perform a highly cohesive well-defined task. Coupling: The dependencies that exist among the different classes of an application. Design pattern: A template of objects and classes that represents a predefined set of behavior which has been observed and generalized from existing systems and can be applied to solve new problems with similar characteristics. Dispatching: The runtime determination of the method to be called, based on the type of the invoking instance. Dispatching allows code to behave differently, based on who is calling particular methods. Dispatching is tightly bound with inheritance and promotes reuse and evolution of code, allowing inheritance hierarchies to be defined and evolved over time as needs and requirements change. Encapsulation: The concept utilized by classes to group together information and methods/operations within a single component. Once these are encapsulated, access to the component can be controlled. Generic: A type-parameterizable piece of a software or design that will be utilized by multiple components. For example, a linked-list data structure can be developed generically, independent of the type of element in the list. When the list is declared and then used, it is customized on the basis of type to meet the application’s specific needs. © 2004 by Taylor & Francis Group, LLC
Hiding: Related to encapsulation, hiding involves the private implementation of a class, which is inaccessible to all other components of an application. Information: Information represents the different internal data components that define the class and characterize all of its instances. Information is used by the designer of a class to maintain internal state and is unavailable for direct use by any other components (classes) of an application. Inheritance: A modeling technique used in object-oriented design to represent commonalties that exist between various components in an application. These components can be determined by a combination of shared information and/or behavior (function). Inheritance hierarchy: All inheritance relationships between classes that share a common parent (or grandparent) form a hierarchy with an identifiable root (ancestor). Inheritance hierarchies are simply the trees that organize the sharing between all related classes. In any inheritance relationship between two classes, the parent is referred to as the superclass, with the child referred to as the subclass. Instance: An occurrence of a class, or the actual information/data. Throughout runtime, instances of classes are created, exist, and destroyed. Message: An action (method call) that is initiated by an instance on itself or other instances. While method refers to the compile-time interpretation of an operation on a class, a message is the corresponding runtime concept. Method: Contains the definition of the actions required for a particular operation against the private data of a class. Methods can be in either the public interface or the private implementation of a class. Pattern catalog: The collection of design patterns organized into a coherent structure that is easily accessible for use by software engineers to select patterns for during object-oriented design and development. Supported by most UML tools. Private implementation: That portion of an object-oriented class that is hidden from the other portions of an application. Critical for achieving representation independence. Public interface: That portion of an object-oriented class that contains the permissible operations (methods, functions) that are available for use by other portions of an application. Critical for achieving abstraction. Representation independence: The ability to change the hidden private implementation without impacting the visible public interface. Sequence diagram: A UML diagram that represents the sequence of actions between objects and classes for a particular method invocation (message). Software evolution: The process that describes the ability to change an application over time as new requirements are identified, when major upgrades occur, or when significant flaws are corrected. As a concept, software evolution is promoted heavily for object-oriented design. Software reuse: The process that describes the ability to reuse existing software in new applications. When software is reused in its entirety without changes, a gain in productivity is attained. Critical for object-oriented design. Unified modeling language (UML): A language for specifying, visualizing, constructing, and documenting software artifacts. Emerged as the de facto standard. Use-case diagram: A UML diagram that represents the interaction of users (actors) with system components, defining use-cases of behavior. UML diagram: Represents the static application structure via a use case, class, object, component, and deployment diagrams, and the dynamic application content via sequence, collaboration, statechart, and activity diagrams.
References Alexander, C. 1979. The Timeless Way of Building. Oxford University Press. Alexander, C. et al. 1977. A Pattern Language Towns-Buildings-Construction. Oxford University Press. Alpert, S. et al. 1998. The Design Patterns Smalltalk Companion. Addison-Wesley, Reading, MA. © 2004 by Taylor & Francis Group, LLC
Barnes, J. G. P. 1991. Programming in Ada plus Language Reference Manual, 3rd ed. Addison-Wesley, Reading, MA. Barnes, J. G. P. 1996. Programming in Ada 95. Addison-Wesley, Reading, MA. Beck, K. 1994. Patterns generate architectures. Proc. of the European Conf. for Object-Oriented Programming. Oct., pp. 139–149. Beck, K. and Cunningham, W. 1989. A laboratory for teaching object-oriented thinking. Proc. 1989 OOPSLA Conf., Oct., pp. 1–6. Booch, G. 1991. Object-Oriented Design with Applications. Benjamin/Cummings, Redwood City, CA. Booch, G., Jacobson, I., and Rumbaugh, J. 1999. Unified Modeling Language Reference Manual. AddisonWesley, Reading, MA. Booch, G. and Rumbaugh, J. 1995. Unified Method for Object-Oriented Development. Rational Software Corporation, Santa Clara, CA, Tech. Rep. Bretl, R. et al. 1989. The GemStone Data Management System. In Object-Oriented Concepts, Databases and Applications, W. Kim and F. Lochovsky, Eds., pp. 283–308. ACM Press, Addison-Wesley, Reading, MA. Budd, T. 1997. An Introduction to Object-Oriented Programming, 2nd ed. Addison-Wesley, Reading, MA. Buschmann, F. et al. 1996. Pattern-Oriented Software Architecture — A System of Patterns. John Wiley & Sons. Campione, M. et al. 2001. The Java Tutorial: A Short Course on the Basics, 3rd ed. Addison-Wesley, Reading, MA. Coad, P. 1992. Object-oriented patterns. Commun. ACM 35(9):152–159. Coad, P. et al. 1995. Object Models Strategies, Patterns, and Applications. Prentice Hall, Englewood Cliffs, NJ. Coleman, D. 1994. Object-Oriented Development — The Fusion Method. Prentice Hall, Englewood Cliffs, NJ. Coplien, J. 1992. Advanced C++ — Programming Styles and Idioms. Addison-Wesley, Reading, MA. Deitel, H. and Deitel, P. 1997. Java: How to Program, 1/e. Prentice Hall, Englewood Cliffs, NJ. Department of Defense, 1995. Ada 95 Reference Manual, International Standard, ANSI/ISO/IEC8652:1995, Jan. Deux, O. et al. 1991. The O2 system. Commun. ACM 34(10):34–48. Gamma, E. et al. 1995. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading, MA. Goldberg, A. 1989. Smalltalk-80: The Language. Addison-Wesley, Reading, MA. Gordon, G. 1975. The Application of GPSS V to Discrete System Simulation. Prentice Hall, Englewood Cliffs, NJ. Grand, M. et al. 1998. Patterns in Java. Volume 1, A Catalog of Reusable Design Patterns Illustrated with UML. John Wiley & Sons. Harbison, S. 1992. Modula-3. Prentice Hall, Englewood Cliffs, NJ. Hoover, S. and Perry, R. 1989. Simulation: A Problem Solving Approach. Addison-Wesley, Reading, MA. Jacobson, I. et al. 1992. Object-Oriented Software Engineering: A Use Case Driven Approach. Addison-Wesley, Reading, MA. Kim, W. 1990. Object-oriented databases: definition and research directions. IEEE Trans. Knowledge Data Eng. 2(3):327–341. Lamb, C. et al. 1991. The ObjectStore database system. Commun. ACM 34(10):50–63. Lieberherr, K. 1996. Adaptive Object-Oriented Software: The Demeter Method with Propagation Patterns. PWS Publishing, Boston, MA. Liskov, B. and Zilles, S. 1975. Specification techniques for data abstraction. IEEE Trans. Software Eng. 1(1):7–19. Liskov, B. et al. 1977. Abstraction mechanisms in CLU. Commun. ACM 20(8):564–576. Meyer, B. 1988. Object-Oriented Software Construction. Prentice Hall, Englewood Cliffs, NJ. Meyer, B. 1992. Eiffel: The Language. Prentice Hall, Englewood Cliffs, NJ. © 2004 by Taylor & Francis Group, LLC
Ontologic. 1991. ONTOS object database documentation, Release 2.1. Ontologic, Burlington, MA. Pressman, R. 2001. Software Engineering: A Practitioner’s Approach, 5th ed. McGraw-Hill, New York. Rumbaugh, J. et al. 1991. Object-Oriented Modeling and Design. Prentice Hall, Englewood Cliffs, NJ. Sammett, J. R. 1969. Programming Languages: History and Fundamentals. Prentice Hall, Englewood Cliffs, NJ. Schach, S. 2002. Object-Oriented and Classical Software Engineering, 5th ed. McGraw-Hill, New York. Schmidt, D. 1995. Using design patterns to develop reusable object-oriented communication software. Commun. ACM 38(10):65–74. Schmidt, D. et al. 2000. Pattern-Oriented Software Architecture: Patterns for Concurrent and Networked Objects. John Wiley & Sons. Sethi, R. 1996. Programming Languages: Concepts and Constructs, 2nd ed. Addison-Wesley, Reading, MA. Sommerville, I. 2001. Software Engineering, 6th ed. Addison-Wesley, Reading, MA. Stroustrup, B. 1986. The C++ Programming Language. Addison-Wesley, Reading, MA. Tesler, L. 1985. Object Pascal Report. Apple Computer, Santa Clara, CA. Tucker, A. 2002. Programming Languages: Principles and Paradigms, McGraw-Hill, New York. Wegner, P. 1990. Concepts and paradigms of object-oriented programming. OOPS Messenger. 1(1):7–87. Wirfs-Brock, R., Wilkerson, B., and Weiener, R. 1990. Designing Object-Oriented Software. Prentice Hall, Englewood Cliffs, NJ. Zdonik S. and Maier, D. 1990. Fundamentals of object-oriented databases. In Readings in Object-Oriented Database Systems, S. Zdonik and D. Maier, Eds. pp. 1–34. Morgan Kaufmann.
Further Information The interested reader is referred to object-oriented software engineering textbooks — both past and present [Booch 1991, Booch et al. 1999, Coleman 1994, Jacobson et al. 1992, Lieberherr 1996, Meyer 1988, Rumbaugh et al. 1991] and programming language textbooks on Java [Deitel and Deitel 1997, Campione et al. 2001], Ada 95 [Barnes 1996, Department of Defense 1995], Modula-3 [Harbison 1992], C++ [Stroustrup 1986], Eiffel [Meyer 1992], Smalltalk [Goldberg 1989], and Object Pascal [Tesler 1985] for a more in-depth coverage of various approaches. Further, the reader is referred to the many different electronic sources for software engineering given at the end of Chapter 103 which all track object-oriented concepts and techniques. In addition to these resources, there are also dedicated resources for the Unified Modeling Language (UML) and design patterns. For UML, the main Web site is http://www.uml.org, which is under the auspices of the Object Management Group (OMG) and contains the UML standard along with documents, white papers, tutorials, links to other organizations and resources, etc. In addition, there is a yearly UML conference for research and practice advances (http://www.umlconference.org). For design patterns, there are numerous sites, including http://hillside.net/patterns/, which is very comprehensive with numerous links to conferences, discussion groups, journals, research projects, etc.; http://www.cs.wustl.edu/schmidt/ patterns.html, and http://c2.com/ppr/index.html, which are examples of Web sites maintained by faculty researchers; and http://jerry.cs.uiuc.edu/plop/, which is the Web page of the Pattern Languages of Programs Conference.
© 2004 by Taylor & Francis Group, LLC
105 Software Testing 105.1 105.2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105-1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105-2 Terminology • Model of Execution-Based Software Testing
105.3
Gregory M. Kapfhammer Allegheny College
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105-6
An Example Program • Fault/Failure Model • Program Building Blocks • Test Adequacy Metrics • Test Case Generation • Test Execution • Test Adequacy Evaluation • Regression Testing • Recent Software Testing Innovations
105.4
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105-35
I shall not deny that the construction of these testing programs has been a major intellectual effort: to convince oneself that one has not overlooked “a relevant state” and to convince oneself that the testing programs generate them all is no simple matter. The encouraging thing is that (as far as we know!) it could be done. — Edsger W. Dijkstra, 1968
105.1 Introduction When a program is implemented to provide a concrete representation of an algorithm, the developers of this program are naturally concerned with the correctness and performance of the implementation. Software engineers must ensure that their software systems achieve an appropriate level of quality. Software verification is the process of ensuring that a program meets its intended specification [Kaner et al., 1993]. One technique that can assist during the specification, design, and implementation of a software system is software verification through correctness proof. Software testing, or the process of assessing the functionality and correctness of a program through execution or analysis, is another alternative for verifying a software system. As noted by Bowen and Hinchley [1995] and Geller [1978], software testing can be appropriately used in conjunction with correctness proofs and other types of formal approaches to develop high-quality software systems. Yet it is also possible to use software testing techniques in isolation from program correctness proofs or other formal methods. Software testing is not a “silver bullet” that can guarantee the production of high-quality software systems. While a “correct” correctness proof demonstrates that a software system (which exactly meets its specification) will always operate in a given manner, software testing that is not fully exhaustive can only suggest the presence of flaws and cannot prove their absence. Moreover, Kaner et al. [1993] have noted that it is impossible to completely test an application because (1) the domain of program inputs is too large, (2) there are too many possible input paths, and (3) design and specification issues are difficult to
© 2004 by Taylor & Francis Group, LLC
test. The first and second points present obvious complications and the final point highlights the difficulty in determining if the specification of a problem solution and the design of its implementation are also correct. Using a thought experiment developed by Beizer, we can explore the first assertion by assuming that we have a method that takes a String of ten characters as input and performs some arbitrary operation on the String. To test this function exhaustively, we would have to input 280 Strings and determine if they produce the appropriate output.∗ Thus, exhaustive testing is an intractable problem because it is impossible to solve with a polynomial-time algorithm [Binder, 1999; Neapolitan and Naimipour, 1998]. The difficulties alluded to in the second assertion are exacerbated by the fact that certain execution paths in a program could be infeasible. Finally, software testing is an algorithmically unsolvable problem because there may be input values for which the program does not halt [Beizer, 1990; Binder, 1999]. Thus far, we have provided an intuitive understanding of the limitations of software testing. However, Morell [1990] has proposed a theoretical model of the testing process that facilitates the proof of pessimistic theorems that clearly state the limitations of testing. Furthermore, Hamlet [1994] and Morell [1990] have formally stated the goals of a software testing methodology and implicitly provided an understanding of the limitations of testing. Young and Taylor [1989] have also observed that every software testing technique must involve some trade-off between accuracy and computational cost because the presence (or lack thereof) of defects within a program is an undecidable property. The theoretical limitations of testing clearly indicate that it is impossible to propose and implement a software testing methodology that is completely accurate and applicable to arbitrary programs [Young and Taylor, 1989]. While software testing is certainly faced with inherent limitations, there are also a number of practical considerations that can hinder the application of a testing technique. For example, some programming languages might not readily support a selected testing approach, a test automation framework might not easily facilitate the automatic execution of certain types of test suites, or there could be a lack of tool support to test with respect to a specific test adequacy criterion. Although any testing effort will be faced with significant essential and accidental limitations, the rigorous, consistent, and intelligent application of appropriate software testing techniques can improve the quality of the application under development.
105.2 Underlying Principles 105.2.1 Terminology The IEEE standard defines a failure as the external, incorrect behavior of a program [IEEE, 1996]. Traditionally, the anomalous behavior of a program is observed when incorrect output is produced or a runtime failure occurs. Furthermore, the IEEE standard defines a fault as a collection of program source code statements that causes a failure. Finally, an error is a mistake made by a programmer during the implementation of a software system [IEEE, 1996]. The purpose of software testing is to reveal software faults in order to ensure that they do not manifest themselves as runtime failures during program usage. Throughout this chapter, we use P to denote the program under test and F to represent the specification that describes the behavior of P . Furthermore, we use T = t1 , . . . , tn to denote the test suite created to test program P . Also, we use C for the adequacy criterion that formalizes an understanding of what attributes a “good” test suite should have. Finally, we use S = s 0 , s 1 , . . . , s n to denote the set of publicly visible states during the execution of T and we require that Si = Ti (s i −1 ). Building on the definitions of a test case used in Kapfhammer and Soffa [2003] and Memon [2001], we formalize a test for an arbitrary software system in Definition 105.1. Also, Definition 105.2 describes
∗
Suppose that our String is encoded in ASCII. There are 256 = 28 different ASCII characters characters. Because we are dealing with a String of ten characters, there are 280 possible unique Strings. © 2004 by Taylor & Francis Group, LLC
a restricted type of test suite where each test case returns the application under test back to the initial state, S0 , before it terminates [Pettichord, 1999]. If a test suite T is not independent, we do not place any restrictions upon the S1 , . . . , Sn produced by the test cases and we simply refer to it as a non-restricted test suite. Our discussion of test execution in Section 105.3.6 will reveal that the JUnit test automation framework [Hightower, 2001; Jeffries, 1999] facilitates the creation of test suites that adhere to Definition 105.1 and are normally either independent or non-restricted in nature (although, JUnit encourages the creation of independent test suites). Definition 105.1 A test case, ti ∈ T , is a triple s 0 , o 1 , o 2 , . . . , o m , s 1 , s 2 , . . . , s m , consisting of an initial state, s 0 , a test operation sequence o 1 , o 2 . . . , o m for state s 0 , and expected internal states s 1 , s 2 , . . . , s m where s j = o j (s j −1 ) for j = 1, . . . , m. Definition 105.2
A test suite T is independent if and only if for all = 1, . . . n, S = S0 .
Figure 105.1 provides a useful hierarchical decomposition of different testing techniques and their relationship to different classes of test adequacy criteria. While our hierarchy generally follows the definitions provided by Binder [1999] and Zhu et al. [1997], it is important to note that other decompositions of the testing process are possible. This chapter focuses on execution-based software testing techniques. However, it is also possible to perform non-execution-based software testing through the use of software inspections [Fagan, 1976]. During a software inspection, software engineers examine the source code of a system and any documentation that accompanies the system. A software inspector can be guided by a software inspection checklist that highlights some of the important questions that should be asked about the artifact under examination [Brykczynski, 1999]. While an inspection checklist is more sophisticated than an ad-hoc software inspection technique, it does not dictate how an inspector should locate the required information in the artifacts of a software system. Scenario-based reading techniques, such as PerspectiveBased Reading (PBR), enable a more focused review of software artifacts by requiring inspectors to assume the perspective of different classes of program users [Laitenberger and Atkinson, 1999; Shull et al., 2001]. Because the selected understanding of adequacy is central to any testing effort, the types of tests within T will naturally vary based upon the chosen adequacy criterion C . As shown in Figure 105.1, all
Software Testing
Execution-based Testing
Non-execution-based Testing Inspections
Program-based Testing
Combined Testing
Specification-based Testing Ad-hoc
Structurally-based Criterion
Fault-based Criterion
Checklist
Error-based Criterion
FIGURE 105.1 Hierarchy of software testing techniques. © 2004 by Taylor & Francis Group, LLC
Scenario-based
Decomposes Into Requires
execution-based testing techniques are either program-based, specification-based, or combined [Zhu et al., 1997]. A program-based testing approach relies on the structure and attributes of P ’s source code to create T . A specification-based testing technique simply uses F ’s statements about the functional and/or nonfunctional requirements for P to create the desired test suite. A combined testing technique creates a test suite T that is influenced by both program-based and specification-based testing approaches [Zhu et al., 1997]. Moreover, the tests in T can be classified based on whether they are white-box, black-box, or grey-box test cases. Specification-based test cases are black-box tests that were created without knowledge of P ’s source code. White-box (or, alternatively, glass-box) test cases consider the entire source code of P , while so-called grey-box tests only consider a portion of P ’s source code. Both white-box and grey-box approaches to testing would be considered program-based or combined techniques. A complementary decomposition of the notion of software testing is useful to highlight the centrality of the chosen test adequacy criterion. The tests within T can be viewed based on whether they are “good” with respect to a structurally-based, fault-based, or error-based adequacy criterion [Zhu et al., 1997]. A structurally based criterion requires the creation of a test suite T that solely requires the exercising of certain control structures and variables within P . Thus, it is clear that a structurally based test adequacy criterion requires program-based testing. Fault-based test adequacy criterion attempt to ensure that P does not contain the types of faults that are commonly introduced into software systems by programmers [DeMillo et al., 1978; Morell, 1990; Zhu et al., 1997]. Traditionally, a fault-based criterion is associated with program-based testing approaches. However, Richardson et al. [1989] have also described fault-based testing techniques that attempt to reveal faults in F or faults in P that are associated with misunderstandings of F . Therefore, a fault-based adequacy criterion C can require either program-based, specification-based, or combined testing techniques. Finally, error-based testing approaches rely on a C that requires T to demonstrate that P does not deviate from F in any typical fashion. Thus, error-based adequacy criteria necessitate specification-based testing approaches.
105.2.2 Model of Execution-Based Software Testing Figure 105.2 provides a model of execution-based software testing. Because there are different understandings of the process of testing software, it is important to note that our model is only one valid and useful view of software testing. Using the notation established in Section 105.2.1, this model of software testing takes a system under test, P , and a test adequacy criterion, C , as input. This view of the software testing process is iterative in nature. That is, the initial creation and execution of T against P can be followed by multiple refinements of T and subsequent re-testings of P . Ideally, the testing process will stop iterating when the tests within test suite T have met the adequacy criterion C and the testing effort has established the desired level of confidence in the quality of P [Zhu et al., 1997]. In practice, testing often stops when monetary resources are exhausted or when the developers have an intuitive sense that P has reached an acceptable level of quality. Yet, it is important to note that even if the testing effort stops when T meets C , there is no guarantee that T has isolated all of the defects within P . Because C traditionally represents a single view of test case quality, it is often important to use multiple adequacy criteria and resist the temptation to allow the selected C (s) to exclusively guide the testing effort [Marick, 1998; 1999]. The formulation of a test adequacy criterion is a function of a chosen representation of P and a specific understanding of the “good” qualities that T should represent. In Section 105.3.3, we review the building blocks of programs that are commonly used to formulate test adequacy criterion. Furthermore, Section 105.3.4 reviews some test adequacy metrics that have been commonly discussed in the literature and/or frequently used in practice. The test selection stage analyzes a specific P in light of a chosen C in order to construct a listing of the tests that must be provided to create a completely adequate test suite. That is, the test case selector shown in Figure 105.2 is responsible for making C directly apply to the system under test. Once the test case selector has created test case descriptions for P , the test case generation phase can begin. Section 105.3.5 examines different techniques that can be used to manually or automatically generate test cases. © 2004 by Taylor & Francis Group, LLC
System Under Test
Test Adequacy Criterion
(P)
(C)
Test Case Selection
R1
R2
Test Case Descriptions
Rn
M1
Test Results
M2
Mn
Adequacy Measurements
Test Case Generation
Test Execution
T1
T2
Adequacy Evaluation
Tn
Executable Test Cases
System Under Test (P)
Test Adequacy Criterion (C)
Test Case Selection
Regression Testing
Test Case Descriptions M1 M2 Mn Adequacy Test Results Measurements
R1
R2
Rn
Test Execution
Test Case Generation T1
T2
Adequacy Evaluation
Tn
Executable Test Cases
FIGURE 105.2 A model of the software testing process.
After the test cases have been generated, it is possible to perform test execution. Once again, the execution of the tests within T can be performed in a manual or automated fashion. Also, the executable test cases that were constructed during the generation phase can be analyzed by a test adequacy evaluator that measures the quality of T with respect to the test case descriptions produced by the test selector. The process of test execution is detailed in Section 105.3.6 and the test adequacy evaluation phase is described in Section 105.3.7. Of course, the test results from the execution phase and the adequacy measurements produced by the evaluator can be used to change the chosen adequacy criteria and/or augment the listing of test case descriptions that will be used during subsequent testing. The iterative process of testing can continue throughout the initial development of P . However, it is also important to continue the testing of P after the software application has been released and it enters the maintenance phase of the software lifecycle [Sommerville, 2000]. Regression testing is an important software maintenance activity that attempts to ensure that the addition of new functionality © 2004 by Taylor & Francis Group, LLC
and/or the removal of program faults does not negatively impact the correctness of P . Essentially, the regression testing process can rely on the existing test cases and the adequacy measurements for these tests to iteratively continue all of the previously mentioned stages [Onoma et al., 1998].
105.3 Best Practices 105.3.1 An Example Program In an attempt to make our discussion of software testing techniques more concrete, Figure 105.3 provides a Java class called Kinetic that contains a static method called computeVelocity [Paul, 1996]. The computeVelocity operation is supposed to calculate the velocity of an object based on its kinetic energy and its mass. Because the kinetic energy of an object, K , is defined as K = 12 mv 2 , it is clear that computeVelocity contains a defect on line 10. That is, line 10 should be implemented with the assignment statement velocity squared = 2 * (kinetic/mass).
105.3.2 Fault/Failure Model In Section 105.1, we informally argued that software testing is difficult. DeMillo and Offut [1991], Morell [1990], and Voas [1992] have separately proposed a fault/failure model that describes the conditions under which a fault will manifest itself as a failure. Using this model and the Kinetic example initially proposed by Paul, we can create a simple test suite to provide anecdotal evidence of some of the difficulties commonly associated with writing a test case that reveals a program fault [Paul, 1996]. As stated in the PIE model proposed by Voas [1992], a fault will only manifest itself in a failure if a test case ti ∈ T executes the fault, causes the fault to infect the data state of the program, and finally, propagates to the output. That is, the necessary and sufficient conditions for the isolation of a fault in P are the execution, infection, and propagation of the fault [DeMillo and Offut, 1991; Morell, 1990; Voas, 1992].
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
import java.lang.Math; public class Kinetic { public static String computeVelocity(int kinetic , int mass) { int velocity_squared , velocity; StringBuffer final_velocity = new StringBuffer (); if( mass != 0 ) { velocity_squared = 3 ∗ ( kinetic / mass ); velocity = (int)Math.sqrt( velocity_squared ); final_velocity.append(velocity); } else { final_velocity.append("Undefined"); } return final_velocity.toString(); } } FIGURE 105.3 The Kinetic class that contains a fault in computeVelocity.
© 2004 by Taylor & Francis Group, LLC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
import junit.framework.∗; public class KineticTest extends TestCase { public KineticTest(String name) { super(name); } public static Test suite() { return new TestSuite(KineticTest.class); } public void testOne() { String expected = new String("Undefined"); String actual = Kinetic.computeVelocity(5,0); assertEquals(expected, actual); } public void testTwo() { String expected = new String("0"); String actual = Kinetic.computeVelocity(0,5); assertEquals(expected, actual); } public void testThree() { String expected = new String("4"); String actual = Kinetic.computeVelocity(8,1); assertEquals(expected, actual); } public void testFour() { String expected = new String("20"); String actual = Kinetic.computeVelocity(1000,5); assertEquals(expected, actual); } } FIGURE 105.4 A JUnit test case for the faulty Kinetic class.
Figure 105.4 provides the source code for KineticTest, a Java class that adheres to the JUnit test automation framework [Hightower, 2001; Jeffries, 1999]. Using our established notation, we have T = t1 , t2 , t3 , t4 with each ti ∈ T containing a single testing operation o 1 . For example, t1 contains the testing operation String actual = Kinetic.computeVelocity (5, 0). Thus, each ti contains a set s 0 , s 1 of publicly visible states, where s 1 = o 1 (s 0 ). It is important to distinguish between the data states that arise during the execution of a test case and the internal data states that result after the execution of a single line within the method under test [Voas, 1992]. To this end, we use = {1 , 2 , . . . , eb } to denote the set of internal data states associated with a specific method under test within P . We require b ∈ to correspond to the internal data state after the execution of line b in the method under test. Finally, we use ec to denote the expected data state that would normally result from the execution of a non-faulty version of line b.
© 2004 by Taylor & Francis Group, LLC
Using an adaptation of the notation proposed by Voas [1992], Equation 105.1 describes the publicly observable state before the execution of o 1 in t1 . Equation 105.2 provides the state of the Kinetic class after the faulty computeVelocity method has been executed.∗ It is important to note that this test case causes the computeVelocity method to produce the data state s 2 that correctly corresponds to the expected data state. In this example, we are also interested in the internal states 10 ∈ and e10 , which correspond to the actual and expected data states after the execution of line 10. However, since t1 does not execute the defect on line 10, the test does not produce the internal data states that could result in the isolation of the fault. s 0 = {(actual, null), (K , 5), (m, 0)}
(105.1)
s 1 = {(actual, Undefined), (K , 5), (m, 0)}
(105.2)
The execution of t2 corresponds to the initial and final date states as described by Equation 105.3 and Equation 105.4, respectively. In this situation, it is clear that the test case produces a final state s 1 that correctly matches the expected date state. Equation 105.5 and Equation 105.6 state the actual and expected data states that result after the execution of the faulty line in the method under test. While the execution of this test case does cause the fault to be executed, the faulty statement does not infect the data state (i.e., 10 and e10 are equivalent). Due to the lack of infection, it is impossible for t2 to detect the fault in the computeVelocity method. s 0 = {(actual, null), (K , 0), (m, 5)}
(105.3)
s 1 = {(actual, 0), (K , 0), (m, 5)}
(105.4)
10 = {(K , 0), (m, 5), (v 2 , 0), (v, 0)(v f , 0)}
(105.5)
e10
(105.6)
= {(K , 0), (m, 5), (v , 0), (v, 0)(v f , 0)} 2
Equations 105.7 and 105.8 correspond to the initial and final data states when t3 is executed. However, state s 1 still correctly corresponds to the expected output. In this situation, the test case does execute the fault on line 10 of computeVelocity. Because Equation 105.9 and Equation 105.10 make it clear that the data states 10 and e10 are different, we know that the fault has infected the method data state. However, the cast to an int on line 11 creates a coincidental correctness that prohibits the fault from manifesting itself as a failure [Voas, 1992]. Due to the lack of propagation, this test case has not isolated the fault within the computeVelocity method. s 0 = {(actual, null ), (K , 8), (m, 1)}
(105.7)
s 1 = {(actual, 4), (K , 8), (m, 1)}
(105.8)
10 = {(K , 8), (m, 1), (v , 24), (v, 0), (v f , 0)}
(105.9)
e10 = {(K , 8), (m, 1), (v 2 , 16), (v, 0), (v f , 0)}
(105.10)
2
Test case t4 produces the initial and final states that are described in Equation 105.11 and Equation 105.12. Because s 1 is different from the expected data state, the test is able to reveal the fault in the computeVelocity method. This test case executes the fault and causes the fault to infect the data state because the
∗ For the sake of brevity, our descriptions of the publicly visible and internal data states use the variables K , m, v 2 , v, and v f to mean the program variables kinetic, mass, velocity squared, velocity, and final velocity, respectively.
© 2004 by Taylor & Francis Group, LLC
10 and e10 provided by Equation 105.13 and Equation 105.14 are different. Finally, the internally visible data state 10 results in the creation of the publicly visible state s 1 . Due to the execution of line 10, the infection of the data state 10 , and the propagation to the output, this test case is able to reveal the defect in computeVelocity. The execution of the KineticTest class in the JUnit test automation framework described in Section 105.3.6 will confirm that t4 will reveal the defect in Kinetic’s computeVelocity method. s 0 = {(actual, null ), (K , 1000), (m, 5)}
(105.11)
s 1 = {(actual, 24), (K , 1000), (m, 5)}
(105.12)
10 = {(K , 1000), (m, 5), (v 2 , 600), (v, 0), (v f , 0)}
(105.13)
e10
(105.14)
= {(K , 1000), (m, 5), (v , 400), (v, 0), (v f , 0)} 2
105.3.3 Program Building Blocks As noted in Section 105.2.2, a test adequacy criterion depends on the chosen representation of the system under test. We represent the program P as an interprocedural control flow graph (ICFG). An ICFG is a collection of control flow graphs (CFGs) G 1 , G 2 , . . . , G u that correspond to the CFGs for methods m1 , m2 , . . . , mu , respectively. We define control flow graph G v so that G v = (Nv , E v ) and we use Nv to denote a set of CFG nodes and E v to denote a set of CFG edges. Furthermore, we assume that each n ∈ Nv represents a statement in method mv and each e ∈ E v represents a transfer of control in method mv . Also, we require each CFG G v to contain unique nodes entryv and exit v that demarcate the entrance and exit points of method mv , respectively. We use the sets pred(n) = {m | (m, n) ∈ E v } and succ(n) = {m | (n, m) ∈ E v } to denote the set of predecessors and successors of node n. Finally, we require N = ∪{Nv | v ∈ [1, u]} and E = ∪{E v | v ∈ [1, u]} to contain all of the nodes and edges in the interprocedural control flow graph for program P . Figure 105.5 provides the control flow graphs G cv and G t1 for the computeVelocity method and the testOne method that can be used to test computeVelocity. Each of the nodes in these CFGs are labeled with line numbers that correspond to the numbers used in the code segments in Figure 105.3 and Figure 105.4. Each of these control flow graphs contain unique entry and exit nodes, and Gt1 contains a node n15 labeled “Call computeVelocity” to indicate that there is a transfer of control from Gt1 to Gcv . Control flow graphs for the other methods in the KineticTest class would have the same structure as the CFG for testOne. Although these control flow graphs do not contain iteration constructs, it is also possible to produce CFGs for programs that use for, while, and do while statements. Control flow graphs for programs that contain significantly more complicated conditional logic blocks with multiple, potentially nested, if, else if, else, or switch statements can also be created. When a certain test adequacy criterion and the testing techniques associated with that criterion require an inordinate time and space overhead to compute the necessary test information, an intraprocedural control flow graph for a single method can be used. Of course, there are many different graph-based representations for programs. Harrold and Rothermel [1996] survey a number of graph-based representations and the algorithms and tool support used to construct these representations [Harrold and Rothermel, 1995]. For example, the class control flow graph (CCFG) represents the static control flow between the methods within a specific class [Harrold and Rothermel, 1996; 1994]. This graph-based representation supports the creation of class-centric test adequacy metrics that only require a limited interprocedural analysis. The chosen representation for the program under test influences the measurement of the quality of existing test suites and the generation of new tests. While definitions in Section 105.3.4 are written in the context of a specific graph-based representation of a program, these definitions are still applicable when different program representations are chosen. Finally, these graph-based representations can be created with a program analysis framework like Aristotle [Harrold and Rothermel, 1995] or Soot [Vall´ee-Rai et al., 1999].
© 2004 by Taylor & Francis Group, LLC
Entry computeVelocity
Entry testOne
6 14 7
8
15
Call computeVelocity
16
10
16 11
12
Exit testOne
18
Exit computeVelocity (a)
(b)
FIGURE 105.5 The control flow graphs for the computeVelocity and testOne methods.
105.3.4 Test Adequacy Metrics As noted in Section 105.2.1, test adequacy metrics embody certain characteristics of test case “quality” or “goodness.” Test adequacy metrics can be viewed in light of a program’s control flow graph and the program paths and variable values that they require to be exercised. Intuitively, if a test adequacy criterion C requires the exercising of more path and variable value combinations than criterion C , it is “stronger” than C . More formally, a test adequacy criterion C subsumes a test adequacy criterion C if every test suite that satisfies C also satisfies C [Clarke et al., 1985; Rapps and Weyuker, 1985]. Two adequacy criteria C and C are equivalent if C subsumes C , and vice versa. Finally, a test adequacy criterion C strictly subsumes criterion C if and only if C subsumes C and C does not subsume C [Clarke et al., 1985; Rapps and Weyuker, 1985]. 105.3.4.1 Structurally-Based Criterion Some software test adequacy criteria are based on the control flow graph of a program under test. Control flow-based criteria solely attempt to ensure that test suite T covers certain source code locations and values of variables. While several control flow-based adequacy criteria are relatively easy to satisfy, others are so strong that it is generally not possible for a T to test P and satisfy the criterion. Some control flow-based adequacy criteria focus on the control structure of a program and the value of the variables that are used in conditional logic predicates. Alternatively, data flow-based test adequacy criteria require coverage of the
© 2004 by Taylor & Francis Group, LLC
control flow graph by forcing the selection of program paths that involved the definition and/or usage of program variables. 105.3.4.2 Control Flow-Based Criterion Our discussion of control flow-based adequacy criterion will use the notion of an arbitrary path through P ’s interprocedural control flow graph G 1 , . . . , G u . We distinguish as a complete path in an interprocedural control flow graph or other graph-based representation of a program module. A complete path is a path in a control flow graph that starts at the program graph’s entry node and ends at its exit node [Frankl and Weyuker, 1988]. Unless otherwise stated, we will assume that all of the paths required by the test adequacy criterion are complete. For example, the interprocedural control flow graph described in Figure 105.5 contains the complete interprocedural path = entryt1 , n14 , n15 , entrycv , n6 , n7 , n8 , n16 , n18 , exit cv , n16 , exit t1 . Note that the first n16 in corresponds to a node in the control flow graph for computeVelocity and the second n16 corresponds to a node in testOne’s control flow graph. Because the fault/failure model described in Section 105.3.2 indicates that it is impossible to reveal a fault in P unless the faulty node from P ’s CFG is included within a path that T produces, there is a clear need for a test adequacy criterion that requires the execution of all statements in a program. Definition 105.3 explains the all-nodes (or, alternatively, statement coverage) criterion for a test suite T and CFG in a program under test P . Definition 105.3 A test suite T for P ’s control flow graph G v = (Nv , E v ) satisfies the all-nodes test adequacy criterion if and only if the tests in T create a set of complete paths Nv = {1 , . . . , q } that include all n ∈ Nv at least once. Intuitively, the all-nodes criterion is weak because it is possible for a test suite T to satisfy this criterion and still not exercise all the transfers of control (i.e., the edges) within the control flow graph [Zhu et al., 1997]. For example, if a test suite T tests a program P that contains a single while loop, it can satisfy statement coverage by only executing the iteration construct once. However, a T that simply satisfies statement coverage will not execute the edge in the control flow graph that returns execution to the node that marks the beginning of the while loop. Thus, the all-edges (or, alternatively, branch coverage) criterion described in Definition 105.4 requires a test suite to exercise every edge within a control flow graph. Definition 105.4 A test suite T for program P ’s control flow graph G v = (Nv , E v ) satisfies the alledges test adequacy criterion if and only if the tests in T create a set of complete paths E v = {1 , . . . , q } that include all e ∈ E v at least once. Because the inclusion of every edge in an interprocedural control flow graph implies the inclusion of every node within the same CFG, it is clear that the branch coverage criterion subsumes the statement coverage criterion [Clarke et al., 1985; Zhu et al., 1997]. However, it is still possible to cover all the edges within a control flow graph and not cover all the unique paths from the entry point to the exit point of a CFG. For example, if a test suite T is testing a program P that contains a single while loop, it can cover all the edges in the control flow graph by executing the iteration construct twice. Yet, a simple program with one while loop contains an infinite number of unique paths because each iteration of the looping construct creates a new path. Definition 105.5 explores the all-paths test adequacy criterion that requires the execution of every path within a CFG. Definition 105.5 A test suite T for program P ’s control flow graph G v = (Nv , E v ) satisfies the allpaths test adequacy criterion if and only if the tests in T create a set of complete paths v = {1 , . . . , q } that include all of the execution paths beginning at the unique entry node entryv and ending at the unique exit node exit v .
© 2004 by Taylor & Francis Group, LLC
In Definition 105.5, we use entryv and exit v to denote the unique entry and exit points in CFG G v . Clearly, the all-paths criterion subsumes both all-edges and all-nodes. However, it is important to note that it is possible for a test suite T to be unable to satisfy even all-nodes or all-edges if P contains infeasible paths. Yet, it is often significantly more difficult (or impossible) for a test suite to satisfy all-paths while still being able to satisfy both all-edges and all-nodes. The distinct difference in the “strength” of all-paths and the “weaker” all-edges and all-nodes presents a need for alternative adequacy criteria to “stand in the gap” between these two criteria. As noted in Michael et al. [2001], there is also a hierarchy of test adequacy criteria that strengthen the all-edges criterion described in Definition 105.4. The multiple condition coverage criterion requires a test suite to account for every permutation of the Boolean variables in every branch of the program’s control flow graph, at least one time. For example, if a and b are boolean variables, then the conditional logic statement if(a && b) requires a test suite T that covers the 22 = 4 different assignments to these variables. The addition of a single Boolean variable to a conditional logic statement doubles the number of assignments that a test suite must produce in order to fulfill multiple condition coverage. Another test adequacy criterion related to the all-edges criterion is condition-decision coverage. We use the term condition to refer to an expression that evaluates to true or false while not having any other Boolean-valued expressions within [Michael et al., 2001]. Intuitively, condition-decision coverage requires a test suite to cover each of the edges within the program’s control flow graph and ensure that each condition in the program evaluates to true and false at least one time. For the example conditional logic statement if(a && b), a test suite T could satisfy the condition-decision adequacy criterion with the assignments (a = 0, b = 0) and (a = 1, b = 1). It is interesting to note that these assignments also fulfill the all-edges adequacy criterion. Yet, (a = 1, b = 1) and (a = 1, b = 0) fulfill all-edges without meeting the condition-decision criterion. Moreover, for the conditional logic statement if(alwaysFalse(a,b)) (where alwaysFalse(boolean a, boolean b) simply returns false), it is possible to fulfill condition-decision coverage with the assignments (a = 0, b = 0) and (a = 1, b = 1) and still not meet the all-edges criterion. These examples indicate that there is no clear subsumption relationship between all-edges and condition-decision. While multiple condition subsumes both of these criteria, it is clearly subsumed by the all-paths test adequacy criterion. 105.3.4.3 Data Flow-Based Criterion Throughout our discussion of data flow-based test adequacy criteria, we will adhere to the notation initially proposed in Frankl and Weyuker [1988] and Rapps and Weyuker [1982, 1985]. For a standard program, the occurrence of a variable on the left-hand side of an assignment statement is called a definition of this variable. Also, the occurrence of a variable on the right-hand side of an assignment statement is called a computation-use (or c-use) of this variable. Finally, when a variable appears in the predicate of a conditional logic statement or an iteration construct, we call this a predicate-use (or p-use) of the variable. As noted in Section 105.3.3, we will view a method in an application as a control flow graph G v = (Nv , E v ), where Nv is the set of CFG nodes and E v is the set of CFG edges. For simplicity, our explanation of data flow-based test adequacy criteria will focus on data flow information within a single control flow graph of the entire ICFG for program P . However, our definitions can be extended to the interprocedural control flow graph. In practice, interprocedural data flow analysis often incurs significant time and space overhead, and many testing techniques limit their adequacy metrics to only require intraprocedural or limited interprocedural analysis. Yet, there are interprocedural data flow analysis techniques, such as the exhaustive algorithms proposed by Harrold and Soffa [1994] and the demand-driven approach discussed by Duesterwald et al. [1996], that can be used to compute data flow-based test adequacy criteria for an ICFG. We define a definition clear path for variable x as a path entryv , n1 , n2 , . . . , nm , exitv in a CFG G v , such that every node from entry point entryv to exit point exitv does not contain a definition of program variable x. Furthermore, we define the def-c-use association as a triple (nd , nc -use , x) where a definition of variable x occurs in node nd and a c-use of x occurs in node nc -us e . Also, we define the def-p-use association as © 2004 by Taylor & Francis Group, LLC
the two triples (nd , (n p -use , t), x) and (nd , (n p -use , f ), x) where a definition of variable x occurs in node nd and a p-use of x occurs during the true and false evaluations of a predicate at node n p -use [Frankl and Weyuker, 1988; Rapps and Weyuker, 1982, 1985]. A complete path x covers a def-c-use association if it has a definition clear sub-path, with respect to x and the method’s CFG, that begins with node nd and ends with node nc -use . Similarly, x covers a def-p-use association if it has definition clear sub-paths, with respect to x and the program’s CFG, that begin with node nd and end with the true and false evaluations of the logical predicate contained at node n p -use [Frankl and Weyuker, 1988]. In Rapps and Weyuker [1982, 1985], the authors propose a family of test adequacy measures based on data flow information in a program. Among their test adequacy measures, the all-uses data flow adequacy criteria require a test suite to cover all the def-c-use and def-p-use associations in a program. The all-uses criterion is commonly used as the basis for definition-use testing. Alternatively, the all-c-uses criterion requires the coverage of all the c-use associations for a given method under test and the all-puses adequacy criterion requires the coverage of all the p-use associations. Furthermore, the all-du-paths coverage criterion requires the coverage of all the paths from the definition to a usage of a program variable [Rapps and Weyuker, 1982; 1985]. Definition 105.6 through Definition 105.9 define several important test adequacy criteria that rely on data flow information. However, we omit a formal definition of certain data flow-based test adequacy criterion, such as all-c-uses/some-p-uses and all-p-uses/some-c-uses [Rapps and Weyuker, 1982; 1985]. In each definition, we use U to refer to the universe of live program variables for program under test P . Definition 105.6 A test suite T for control flow graph G v = (Nv , E v ) satisfies the all-c-uses test adequacy criterion if and only if for each association nd , nc -use , x, where x ∈ U and nd , nc -use ∈ Nv , there exists a test ti ∈ T to create a complete path x in G v that covers the association. Definition 105.7 A test suite T for control flow graph G v = (Nv , E v ) satisfies the all-p-uses test adequacy criterion if and only if for each association (nd , (n p -use , t), x) and (nd , (n p -us e , f ), x) where x ∈ U and nd , n p -use ∈ Nv , there exists a test ti ∈ T to create a complete path x in G v that covers the association. Definition 105.8 A test suite T for control flow graph G v = (Nv , E v ) satisfies the all-uses test adequacy criterion if and only if for each association (nd , nc -use , x), (nd , (n p -use , t), x) and (nd , (n p -use , f ), x) where x ∈ U and nd , nc -use , n p -use ∈ Nv , there exists a test ti ∈ T to create a complete path x in G that covers the association. Definition 105.9 A test suite T for control flow graph G v = (Nv , E v ) satisfies the all-du-paths test adequacy criterion if and only if for each association (nd , nc -use , x), (nd , (n p -use , t), x) and (nd , (n p -use , f ), x) where x ∈ U and nd , nc -use , n p -use ∈ Nv , the tests in T create a set of complete paths vx = {1x , . . . , qx } that include all of the execution paths that cover the associations. Our discussion of subsumption for these test adequacy criteria is limited to the traditional understanding of data flow-based testing. A review of the feasible data flow testing criteria, a family of test adequacy criteria that only require the coverage of associations that are actually executable, and the subsumption hierarchy associated with these feasible criteria is provided in Frankl and Weyuker [1988]. Intuitively, the all-paths criterion subsumes all-du-paths because there might be complete paths within P that do not involve the definition and usage of program variables. Furthermore, all-du-paths subsumes all-uses because all-uses only requires one complete path x to cover the required associations and all-du-paths requires all of the vx = {1x , . . . , qx } that cover the association. It is clear that all-uses subsumes both allp-uses and all-c-uses and that there is no subsumption relationship between the all-p-uses and all-c-uses. Because a p-use requires the evaluation of the true and false branches of a conditional logic statement, it can be shown that all-p-uses subsumes both the all-edges and the all-nodes criterion [Frankl and Weyuker, 1988]. Because structurally based test adequacy criteria that use control flow and data flow information © 2004 by Taylor & Francis Group, LLC
are theoretically well-founded [Fenton, 1994; Nielson et al., 1999; Parrish and Zweben, 1991; Weyuker, 1986] and the criteria themselves can be organized into often meaningful subsumption hierarchies, it is clear that they will continue to be an important component of future research and practice. 105.3.4.4 Fault-Based Criterion Mutation adequacy is the main fault-based test adequacy criterion. The conception of a mutation adequate test suite is based on two assumptions called the competent programmer hypothesis and the coupling effect [DeMillo et al., 1988]. The competent programmer hypothesis assumes that competent programmers create programs that compile and very nearly meet their specification. The coupling effect assumption indicates that test suites that can reveal simple defects in a program under test can also reveal more complicated combinations of simple defects [DeMillo et al., 1988]. Therefore, fault-based test adequacy criterion attempt to ensure that a test suite can reveal all of the defects that are normally introduced into software systems by competent programmers. Definition 105.10 describes a test suite T that is adequate and Definition 105.11 defines the notion of relative adequacy (or, alternatively, mutation adequacy) for test suites [DeMillo and Offut, 1991]. In these definitions, we use the notation Q(D) and F (D) to mean the “output” of a program Q and the specification F on the entire domain of possible program inputs. Furthermore, we use the notation Q(t) and F (t) to denote the “output” of a program Q and a specification F on a single test t ∈ T that provides a single input to Q and F . If a test suite T is adequate for a program under test P , then T is able to distinguish between all of the incorrect implementations of specification F . If a test suite T is relativeadequate (or, mutation-adequate) for a program under test P , then T is able to distinguish between a finite set P = {1 , . . . , s } of incorrect implementations of specification F . Definition 105.10 If P is a program to implement specification F on domain D, then a test set T ⊂ D is adequate for P and F if (∀ programs Q), [Q(D) = F (D)] ⇒ [(∃t ∈ T )(Q(t) = F (t))]. Definition 105.11 If P is a program to implement specification F on domain D and is a finite collection of programs, then a test set T ⊂ D is adequate for P relative to if (∀ programs Q ∈ ), [Q(D) = F (D)] ⇒ [(∃t ∈ T )(Q(t) = F (t))]. Clearly, an adequate test suite is “stronger” than a relative-adequate one. However, through the judicious proposal and application of mutation operators that create P , the finite set of syntactically incorrect programs, we can determine if a test suite can demonstrate that there is a difference between each r ∈ P and the actual program under test. Under a strong mutation test adequacy criterion, a test suite T is strong mutation adequate if it can kill each mutant in P by showing that the output of the mutant and the program under test differ. If a specific mutant r ∈P remains alive after the execution of T , this could indicate that T does not have the ability to isolate the specific defect that r represents [DeMillo and Offut, 1991; Hamlet and Maybee, 2001]. Alternatively, it is possible that r represents an equivalent mutant, or a program that is syntactically different from P while still having the ability to produce the same output as P . Because strong mutation adequacy is often difficult to fulfill, the weak mutation test adequacy criterion only requires that the data states that occur after the execution of the initial source code location and the mutated code location differ [Hamlet and Maybee, 2001; Zhu et al., 1997]. Using the terminology established in our discussion of the fault/failure model in Section 105.3.2, weak mutation adequacy simply requires the execution of the source code mutation and the infection of the data state of each mutant program r ∈ P . On the other hand, strong mutation adequacy requires the execution of the source code mutation, the infection of the data state of each mutant program, and the propagation of the mutant to the output. Both the strong and weak variants of mutation adequacy require the ability to automatically construct the mutants within P . While strong mutation adequacy only requires the ability to inspect the output of the program under test, weak mutation adequacy also requires additional instrumentation to reveal the data states that occur after a source code mutation is executed. © 2004 by Taylor & Francis Group, LLC
Ideally, mutation operators should produce the kinds of mutant programs that software engineers are most likely to create. A fault model can be used to describe the types of programming pitfalls that are normally encountered when a software system is implemented in certain types of programming languages. In a procedural programming language such as C, it might be useful to include mutation operators that manipulate the relational operators found within a program. Therefore, the conditional logic statement if(a < b) in the program under test could require the creation of mutants that replace < with every other relational operator in the set = {<=, ==, >=, >, ! =} [Hamlet and Maybee, 2001]. Other mutation operators might involve the manipulation of scalar and Boolean variables and constants [Jezequel et al., 2001]. An arithmetic mutation operator designed to change arithmetic operators could mutate the assignment statement a = b + 1 with the inverse of the + operator and create the mutant a = b - 1 [Jezequel et al., 2001]. Of course, the inheritance, polymorphism, and encapsulation provided by object-oriented languages makes it more challenging to propose, design, and implement mutation operators for programming languages such as Java. Alexander et al. [2000] and Kim et al. [2000] discuss some traditional “pitfalls” found in software systems that are implemented with object-oriented programming languages. However, these mutation operators lack generality because they are not supported by a fault model that clearly describes the class of potential faults related to the unique features of object-oriented programming languages. Kim et al. [1999] propose certain mutation operators for the Java programming language after conducting a Hazard and Operability (HAZOP) study [Leveson, 1995] of the Java programming language. However, the authors omit the description of operators for some fundamental aspects of the object-oriented programming paradigm, such as certain forms of method overriding, and they do not include operators for select facets of the Java programming language [Kim et al., 1999]. Yet, Offutt et al. [2001] have proposed a fault model for object-oriented programming languages that describes common programmer faults related to inheritance and polymorphism. Using the fault model described in Offutt et al. [2001], Ma et al. [2002] include a comprehensive listing of object-oriented mutation operators for the Java programming language. The proposed mutation operators fall into the following six types of common object-oriented programming mistakes: (1) information hiding (access control), (2) inheritance, (3) polymorphism, (4), overloading, (5) Java-specific features, and (6) common programming mistakes [Ma et al., 2002]. The Access Modifier Change (AMC) mutation operator is an example of an operator that focuses on information hiding mistakes within object-oriented programs. For example, if a BankAccount class contained the declaration of the field private double balance, the AMC operator would produce the following mutants: public double balance, protected double balance, and double balance. The Java this keyword deletion (JTD) mutation operator removes the usage of this inside of the constructor(s) and method(s) provided by a Java class. For example, if the BankAccount class contained a public BankAccount(double balance) constructor that used the this keyword to disambiguate between the parameter balance and the instance variable balance, the JTD operator would remove the keyword [Ma et al., 2002]. Figure 105.6 describes an algorithm that can be used to calculate the mutation adequacy score, MS(P , T, Mo ), for program P , test suite T , and a set of mutation operators Mo [DeMillo and Offut, 1991]. Our description of the CalculateMutationAdequacy algorithm measures strong mutation adequacy and thus requires the outputs of P and the automatically generated mutants to differ. However, the algorithm could be revised to compute a weak mutation adequacy score for the test suite. The algorithm in Figure 105.6 uses a n × s matrix, D, to store information about the dead mutants and the specific tests that killed the mutants. The s column vectors in the test information matrix D indicate whether each of the tests within T were able to kill one of the mutants in the set P = {1 , . . . , s }. We use the notation D[i ][r ] to denote access to the i th row and the r th column within D and we use a 1 to indicate that a mutant was killed and a 0 to indicate that test ti left mutant r alive. Finally, the algorithm to calculate MS(P , T, Mo ) uses Zn×s to denote the n × s zero matrix and Zs to denote a single column vector composed of s zeros. If a specific test ti ∈ T is not able to kill the current mutant r , it is possible that r and P are equivalent. Because the determination of whether r is an equivalent mutant is generally undecidable [Zhu et al., 1997], it is likely that the execution of the IsEquivalentMutant algorithm on line 11 of © 2004 by Taylor & Francis Group, LLC
Algorithm CalculateMutationAdequacy(T, P , Mo ) (∗ Calculation of Strong Mutation Adequacy ∗) Input: Test Suite T ; Program Under Test P ; Set of Mutation Operators Mo Output: Mutation Adequacy Score; MS(P , T, Mo ) 1. D ← Zn×s 2. E ← Zs 3. for l ∈ ComputeMutationLocations(P ) 4. do P ← GenerateMutants(l , P , Mo ) 5. for r ∈ P 6. do for ti ∈ T 7. do RiP ← ExecuteTest(ti , P ) 8. Rir ← ExecuteTest(ti , r ) 9. if RiP = Rir 10. do D[i ][r ] ← 1 11. else if IsEquivalentMutant(P , r ) 12. do E[r ] ← 1 13. D ← rs =1 pos ( nf =1 D[ f ][r ]) 14. E ← rs =1 E[r ] 15. MS(P , T, Mo ) ← (| PD|−E ) 16. return MS(P , T, Mo ) FIGURE 105.6 Algorithm for the computation of mutation adequacy.
CalculateMutationAdequacy will require human intervention. When a mutant is not killed and it is determined that r is an equivalent mutant, we place a 1 in E[r ] to indicate that the current mutant is equivalent to P . The mutation testing information collected in D and E is complete once the algorithm has executed every test case against every mutant for every mutation location in program P . Line 13 computes the number of dead mutants, D, by using the pos function to determine if the sum of one of the s column vectors is positive. We define the pos function to return 1 if in=1 D[i ][r ] > 0 and 0 otherwise. Finally, line 14 computes the number of equivalent mutants, E , and line 15 uses this information to calculate the final mutation adequacy score for program P and test suite T [DeMillo and Offut, 1991]. While the calculation of mutation test adequacy is conceptually simple, it is computationally expensive. Choi et al. [1989] attempted to improve the cost-effectiveness and practicality of measuring mutation adequacy by parallelizing the steps in algorithm ComputeMutationAdequacy and scheduling the computation on the hypercube parallel computer architecture. Krauser et al. [1991] have also investigated a number of techniques that can improve the performance of mutation analysis on a single instruction multiple data (SIMD) parallel computer architecture and evaluated these techniques with a detailed system model that supported a simulation-based empirical analysis. As noted in Zhu et al. [1997], early attempts to improve the cost-effectiveness and practicality of mutation testing through parallelization had limited impact because they required specialized hardware and highly portable software. Yet it is likely that the availability of general-purpose distributed computing middleware like Jini and JavaSpaces [Arnold et al., 1999; Edwards, 1999; Freemen et al., 1999] and high-throughput computing frameworks like Condor [Epema et al., 1996] will facilitate performance improvements in the algorithms that measure mutation adequacy. In another attempt to make mutation adequacy analysis more cost-effective and practical, Offutt et al. have investigated the N-selective mutation testing technique that removes the N mutation operators that produce the most mutants of the program under test [Offutt et al., 1996; 1993; Zhu et al., 1997]. Although all mutation operators make small syntactic changes to the source code of the program under test, some operators are more likely to produce a greater number of mutants. Furthermore, the semantic impact, © 2004 by Taylor & Francis Group, LLC
or the change in meaning of the program under test, associated with small syntactic changes can vary from one mutation operator to another [Ma et al., 2002]. N-selective mutation test adequacy attempts to compute a high-fidelity mutation adequacy score without executing the mutation operators that create a high number of mutants that do not truly shed light of the defect-revealing potential of the test suite. Ma et al. [2002] observe that their AMC operator creates the most mutants out of their set of object-oriented mutation operators. They also note that the Java static modified change (JSC) operator and the AMC operator have a tendency to produce a significant number of equivalent mutants. Because little is known about the subsumption relationship between different mutation-based test adequacy criteria and between mutation adequacy and other notions of test adequacy, it is clear that mutation analysis is a promising practical technique that requires further implementation, empirical analysis, and theoretical study. 105.3.4.5 Error-Based Criterion Error-based test adequacy criteria require a test suite T to demonstrate that the program under test P does not deviate from F , the program’s specification, in a certain number of predefined ways. Certain elements of the category-partition method proposed by Balcer et al. [1989] and Ostrand and Balcer [1988] are indicative of error-based test adequacy criteria. The category-partition method requires the analysis of F to create a partition of the input domain of the program under test. By relying on the guidance of the tester, the category-partition method identifies the parameters and environment conditions, known as categories, that impact the behavior of the program under test. Next, the tester is responsible for the decomposition of each category into mutually exclusive choices that will be used to describe the partitions of the input within the category [Balcer et al., 1989]. The test specification language (TSL) provides a mechanism that allows a tester to write succinct descriptions of the categories and choices that state the input and output of the program under test. It is also possible for the tester to provide a description of the constraints that control the requirement of specific values within the choices and categories. In Ostrand and Balcer [1988], the authors describe the categories and choices that might be used for the find program that is often distributed with the Unix and GNU/Linux operating systems. For example, the specification for find might require that is a valid file name. Thus, it would be important for the tests within T to ensure that find can handle the situations when (1) there is a valid file associated with the provided name, (2) there is no file with the stated name, and (3) the file name is omitted when the usage of find occurs [Ostrand and Balcer, 1988]. Error-based test adequacy criteria judge a test suite to be “stronger” if it covers more of the identified categories and choices. Because there is no general technique to automatically create an error-based test adequacy criterion from F , most error-based adequacy metrics, such as those used in the category-partition method, require human intervention [Zhu et al., 1997]. However, with the complete description of F and the specification of the test adequacy criterion in TSL or some other test case specification language, it is possible to automatically generate a test suite that will fulfill the adequacy criterion. For example, the AETG system of Cohen et al. and the PairTest system of Lei et al. enable the generation of combinatorially balanced test suites from test specifications [Cohen et al., 1996, 1997; Lei and Tai, 1998]. While combinatorial test case generation is not discussed in more detail in this chapter, more information about test data generation algorithms and their relation to test adequacy criteria is provided in Section 105.3.5. 105.3.4.6 Comparing Test Adequacy Criteria As noted in Section 105.3.4, many test adequacy criterion can be related in subsumption hierarchies. However, Ntafos [1988] has argued that some test adequacy criteria are incomparable under the subsumption relation. Ntafos has also observed that even when it is possible to order test adequacy criteria through subsumption, it is likely that this ordering will not provide any direct indication of either the effectiveness of test suites that fulfill the adequacy criteria or the costs associated with testing to the selected criteria. Weyuker et al. [1991] categorized all comparisons of test adequacy criteria as being either uniform or pointwise. A uniform comparison of test adequacy criteria C and C attempts to relate the requirements of the criteria in light of all possible programs P and all test suites T . The usage of the subsumption relation © 2004 by Taylor & Francis Group, LLC
can be seen as a type of uniform comparison of test adequacy criteria. However, a pointwise comparison of test adequacy criteria C and C compares the behavior of the two criteria with respect to a single (or, limited number of) P and T . While pointwise comparisons often provide interesting insights into the effectiveness of selected test adequacy criteria for certain programs, these types of comparisons often do not provide results that can be generalized. However, as noted by Weyuker et al. [1991], there are also severe limitations associated with uniform comparisons: [ . . . ] We can conclude that a uniform comparison that guarantees one criterion to be more effective at detecting program defects than another for all programs is no comparison at all. This is a convincing argument against the use of comparisons that attempt to guarantee the relative fault-exposing ability of criteria for all programs. In light of these concerns about comparing test adequacy criteria, Weyuker et al. [1991] conclude their thoughts with the following observation: “We see effectiveness and cost as the two most meaningful bases by which test criteria can be compared; effectiveness is our ultimate concern.” To this end, Frankl, Weyuker, Weiss, and Hutchins et al. have conducted both analytical and empirical investigations of the effectiveness of test adequacy criteria [Frankl and Weiss, 1993; Frankl and Weyuker, 1993; Hutchins et al., 1994]. Hutchins et al. [1994] compared the effectiveness of the all-edges and all-DU test adequacy criteria. The all-DU test adequacy criterion is a modified version of all-uses that simply requires the coverage of def-use associations without distinguishing between a p-use and a c-use. The experimental design of Hutchins et al. [1994] used the TSL system described in Section 105.3.4.3 to automatically generate an initial test pool (ITP) that was analyzed to determine the level of achieved adequacy. Next, an additional test pool (ATP) was created to ensure that each of the exercisable coverage units within their subject programs was touched by at least 30 test cases. After the construction of a large test universe from the union of the ITP and the ATP, test sets of specific sizes were randomly selected from the test universe. Furthermore, the eight base programs selected by Hutchins et al. were seeded with defects that the researchers deemed to be representative in terms of their similarity to real-world defects and the “difficulty” associated with the isolation of the faults. An experimental design of this nature enabled Hutchins et al. to examine the relationship between the fault detection ratio for a testing technique and the adequacy and size of the resulting test suites. The fault detection ratio is the ratio between the number of test suites that contain a fault-revealing test case and the total number of test suites whose adequacy or size is in a specific interval. The empirical study conducted by Hutchins et al. [1994] reveals some interesting trends. For example, the fault detection ratios for their candidate programs rose sharply as the test adequacy increased above 80 or 90%. Furthermore, as the size of a test suite increased, the fault detection ratio also increased. However, the fault detection ratio for test suites that were completely adequate with respect to the all-edges and all-DU criteria varied significantly. Indeed, Hutchins et al. [1994] observe that “the fault detection ratio of test sets with 100% DU coverage varied from 0.19 to 1.0, with an average of 0.67 for the 31 faults in the DU class.” Perhaps more interesting is the following observation from Hutchins et al.: [ . . . ] Rather, code coverage seems to be a good indicator of test inadequacy. If apparently thorough tests yield only a low coverage level, then there is good reason to continue testing and try to raise the coverage level. The value of doing this can be seen by examining the detection ratios of test sets as their coverage levels approach 100%. In a comparison of their operation difference (OD) test case selection technique, Harder et al. [2003] propose a new area and stacking approach for comparing test adequacy criteria. Indeed, they contend that the fault detection ratio is an inappropriate measure of the “efficiency” of test suites generated with respect to a specific test adequacy criterion for two reasons. First, because the fault detection ratio vs. test suite size curve relationship is not necessarily linear in nature, there is no guarantee that a doubling in the size of a test suite will always double the ability of the tests to detect faults. Second, and more importantly, the fault detection ratio does not directly reveal which test adequacy criterion is most likely to engender the production of test suites that reveal the most defects. © 2004 by Taylor & Francis Group, LLC
Suppose that we were interested in comparing test adequacy criteria C and C using the area and stacking technique. To do so, we could use C and C to guide the manual and/or automatic generation of test suites T and T that obtain a specific level of adequacy with respect to the selected criteria. It is likely that the size of the generated test suites will vary for the two criteria and we refer to |T | and |T | as the natural size of the tests for the chosen criteria [Harder et al., 2003]. In an attempt to fairly compare C and C , Harder et al. advocate the construction of two new test suites T and T , where T denotes a test suite derived from T that has been stacked (or, reduced) to size|T |, and T is a test suite derived from T that has been stacked (or, reduced) to the size |T |. Harder et al. [2003] propose stacking as a simple technique that increases or decreases the size of a base test suite by randomly removing tests or adding tests using the generation technique that created the base test suite. In a discussion about the size of a test suite, Harder et al. [2003] observed that “comparing at any particular size might disadvantage one strategy or the other, and different projects have different testing budgets, so it is necessary to compare the techniques at multiple sizes.” Using the base and faulty versions of the candidate programs produced by Hutchins et al., the authors measured the number of faults that were detected for the various natural sizes of the tests produced with respect to certain adequacy criterion. In our example, we could plot the number of revealed defects for the four test suites T , T , T , and T at the two sizes of |T | and |T |. The calculation of the area underneath the two fault-detection vs. test suite size curves can yield a new view of the effectiveness of the test adequacy criteria C and C . However, the area and stacking technique for comparing test adequacy criteria has not been applied by other researchers, and there is a clear need for the comparison of this design with past experimental designs. While the comparison of test adequacy criteria is clearly important, it is also an area of software testing that is fraught with essential and accidental difficulties.
105.3.5 Test Case Generation The generation of test cases can be performed in a manual or automated fashion. Frequently, manual test generation involves the construction of test cases in a general purpose programming language or a test case specification language. Although the KineticTest class in Figure 105.4 adheres to the JUnit testing framework, it could have also been specified in a programming language-independent fashion by simply providing the class under test, the method under test, the method input, and the expected output. This specification could then be transformed into a language-dependent form and executed in a specific test execution infrastructure. Alternatively, test cases can be “recorded” or “captured” by simply using the program under test and monitoring the actions that were taken during usage [Steven et al., 2000]. An automated solution to the test data generation problem attempts to automatically create a T that will fulfill selected adequacy criterion C when it is used to test program P . While it is possible for C to be an error-based criterion, automated test data generation is more frequently performed with fault-based and structurally based test adequacy criteria. There are several different techniques that can be used to automatically generate test data. Random, symbolic, and dynamic test data generation approaches are all alternatives that can be used to construct a T that adequately tests P . A random test data generation approach relies on a random number generator to simply generate test input values.∗ For complex (and, sometimes quite simple) programs, it is often difficult for random test data generation techniques to produce adequate test suites [Korel, 1996]. Symbolic test data generation attempts to express the program under test in an abstract and mathematical fashion. Intuitively, if all the important aspects of a program can be represented as a system of one or more linear equations, it is possible to use algebraic techniques to determine the solution to these equations
∗
Traditionally, random test data generation has been applied to programs that accept numerical inputs. However, these random number generators could be used to produce Strings if we treat the numbers as ASCII or Unicode values. Furthermore, the random number generator could create complex abstract data types if we assign a semantic meaning to specific numerical values.
© 2004 by Taylor & Francis Group, LLC
P
Instrumenter C feedback Test Data Generator
PATDG input
T FIGURE 105.7 Dynamic software test data generation.
[Clarke, 1976; Ramamoorty et al., 1976]. Symbolic test data generation is appealing because it does not require the execution of the program under test. However, this type of symbolic generation is of limited practical value due to the problems associated with iteration constructs and arrays that depends on other program variables and pointers [Michael et al., 2001]. Alternatively, Howe et al. [1997] and Memon et al. [2001b] have chosen to represent aspects of the program under test with a specification of preconditions and postconditions and then express the desired test cases in terms of initial program states and goal program states. This type of abstract program representation facilitates the usage of an artificial intelligence (AI) planner that can automatically produce a test case that causes the program to progress from the start state to the goal state using the formally specified preconditions and postconditions. Dynamic test data generation is an approach that actually relies on the execution of P (or some instrumented version of P ) to generate an adequate T [Gupta et al., 1998, 1999; Korel, 1996; Michael et al., 2001]. While any dynamic test data generation approach must incur the overhead associated with actually executing the program under test, this execution can reveal additional insights about which test requirements have not been satisfied. Furthermore, dynamic test data generation techniques can use information gathered from program executions to determine how “close” the generator is to actually creating a test suite that satisfies C . Furthermore, dynamic test generation methods can handle arrays and pointer references because the values of array indices and pointers are know throughout the generation process. Figure 105.7 provides a view of the dynamic test data generation process that relies on a program instrumenter to produce PATDG , a version of P that contains statements that allow P to interact with the test generation subsystem. The test data generator that takes C as input can interact with PATDG to facilitate the automatic generation of test suite T . Frequently, dynamic test data generation is viewed as a function minimization problem [Ferguson and Korel, 1996; Korel, 1996; Michael et al., 2001]. However, it is important to note that some test data generation techniques that use functions to represent a program do not focus on minimizing the selected functions [Fisher et al., 2002b]. For the purposes of our discussion, we will examine automated test data generation approaches that attempt to generate T by minimizing functions that describe P . For example, suppose that the selected adequacy criterion requires the execution of the true branch of the conditional logic statement if( mass != 0 ) provided on line 8 of the computeVelocity method listed in Figure 105.3. We can ensure the execution of the true branch of this conditional logic statement by © 2004 by Taylor & Francis Group, LLC
Decision Example
Objective Function
if(c <= d)
F(x) =
if(c >= d)
F(x) =
c i (x) − di (x), if c i (x) > di (x); 0, otherwise.
di (x) − c i (x), if c i (x) < di (x); 0, otherwise.
if(c == d)
F(x) = |c i (x) − di (x)|
if(c != d)
F(x) = −|c i (x) − di (x)|
if(b)
F(x) =
1000, if bi (x) = false; 0, otherwise.
FIGURE 105.8 General form of selected objective functions.
minimizing the objective function F(x) = −|m8 (x)| where m8 (x) denotes the value of the variable mass on line 8 that was induced by test input value x. Because there is a wide range of program inputs that can lead to the satisfaction of this conditional logic statement, we can actually select any inputs that cause F(x) to evaluate to a negative output and not directly focus on finding the minimum of the function. Thus, automated test data generation often relies on constrained function minimization algorithms that search for minimums within certain bounds [Ferguson and Korel, 1996]. Figure 105.8 provides the general form of the objective function for several different conditional logic forms. Our formulation of an objective function is based on the “fitness functions” described by Michael et al. [2001] and the “branch functions” used by Ferguson and Korel [1996]. In this figure, we use the notation c i (x) to denote the value of variable c on line i that was induced by test input x. Because dynamic test data generation attempts to minimize objective functions while executing the program under test, the actual value of either c i (x) or di (x) is known during the attempt to generate an adequate T . Yet, the c i (x) and di (x) used in objective functions might be complex functions of the input to the program under test. In this situation, an objective function cannot be minimized directly, and it can only be used in a heuristic fashion to guide the test data generator [Michael et al., 2001]. Yet, even when c i (x) and di (x) are complicated functions of test input x, an objective function can still be used to provide “hints” to the test data generator in an attempt to show whether the modification of the test input is improving test suite adequacy. It is important to note that the formulations of the objective functions for the conditional logic statements if(c >= d), if(c <= d), if(c == d), and if(e) are constructed in a fashion that causes the function to reach a minimum and then maintain this value. However, the conditional logic statement if (c != d) can create functions that have no specific minimum value and therefore must be minimized in a constrained fashion. Each of the functions in Figure 105.8 describe an F(x) that must be minimized in order to take the true branch of the condition; the objective functions for the false branches could be developed in an analogous fashion. Our discussion of objective functions for conditional logic predicates omits the details associated with dynamic test data generation for conjunctive and disjunctive predicates. However, Fisher et al. [2002b] propose a type of objective function that can handle more complicated predicates. While we omit a discussion of the objective functions for conditional logic predicates that include © 2004 by Taylor & Francis Group, LLC
if(a!=0)
if(c<=10)
if(b>=5)
0 2 4 6 8 10
5 4 3 2 1 0
20 15 10 5 0
10
5
0
5
10
10
5
0
5
10 5 0
10
5 10 15 20
if(a!=0){if(b>=5){}} 20
if(a!=0){if(c<=10){}} 20
10
10
10
0
0
0
-10 -20 -20 -10
-10 0 a
10
20
-20 -20 -10
if(b>=5){if(c<=10){}} 20
c
c
b
FIGURE 105.9 Objective functions for selected conditional logic statements.
-10
0 a
10
20
-20 -20 -10
0 b
10
20
FIGURE 105.10 Objective functions for nested conditional logic statements.
the > and < relational operators, Ferguson and Korel [1996] describe the form of the functions for conditional logic predicates that use these operators. Figure 105.9 depicts the graphs of the objective functions for several different conditional logic statements. These graphs can be viewed as specific instantiations of the general objective functions described in Figure 105.8. The first graph represents the objective function for the conditional logic statement if (a != 0) where variable a is a component of test input x. The second and third graphs offer the plots of the objective functions associated with the conditional logic statements if(b >= 5) and if (c <= 10), respectively. Of course, P might have multiple conditional logic statements that are nested in an arbitrary fashion. For example, the conditional logic block associated with the statement if (a != 0) might have a conditional logic block for if(b >= 5) located at an arbitrary position within its own body. If Fa (x) corresponds to the objective function for if(a != 0) and Fb (x) represents the objective function for if(b >= 5), then the objective function Fa (x) + Fb (x) must be minimized in an attempt to exercise the true branches of the nested conditional logic statement if(a != 0){<...>if (b >= 5){<...>}} [Michael et al., 2001]. Figure 105.10 includes the contour plots for the three of the unique combinations of the objective functions described in Figure 105.9 (there are three alternative conditional logic nestings that we do not consider). For simplicity, we assume that the objective functions are direct functions of the test inputs so that ai (x) = a, bi (x) = b, and c i (x) = c and that the test input x is composed of three values (a, b, c ). Because the addition of two objective functions for different program variables creates a threedimensional function, these contour plots represent “high” areas in the combined objective function with light colors and “low” areas in the combined function with dark colors. Furthermore, each contour plot places the outer conditional logic statement on the x-axis and the inner conditional logic statement on the y-axis. As expected, the contour plot for the nested conditional logic statement if(a != 0){<...>if (b >= 5){<...>}} is at minimum levels in the upper left and right corners of the plot. Because our © 2004 by Taylor & Francis Group, LLC
automated test data generation algorithms attempt to seek minimums in objective functions, either of these dark regions could lead to the production of test data that would cause the execution of the true branches of both conditional logic statements. While the contour plot associated with the nested conditional logic statement if(a != 0){<...>if(c <= 5){<...>}} also contains two dark regions on the left and right sections of the graph, the statement if(b >= 0){<...>if(c <= 10){<...>}} only has a single dark region on the right side of the plot.
105.3.6 Test Execution The execution of a test suite can occur in a manual or automated fashion. For example, the test case descriptions that are the result of the test selection process could be manually executed against the program under test. However, we will focus on the automated execution of test cases and specifically examine the automated testing issues associated with the JUnit test automation framework [Hightower, 2001; Jeffries, 1999]. JUnit provides a number of TestRunners that can automate the execution of any Java class that extends junit.framework.TestCase. For example, it is possible to execute the KineticTest provided in Figure 105.4 inside of either the junit.textui.TestRunner, junit.awtui.TestRunner, or the junit.swingui.TestRunner. While each TestRunner provides a slightly different interface, they adhere to the same execution and reporting principles. For example, JUnit will simply report “okay” if a test case passes and report a failure (or error) with a message and a stack trace if the test case does not pass. Figure 105.11 shows the output resulting from the execution of the KineticTest provided in Figure 105.4 of Section 105.3.2. The JUnit test automation framework is composed of a number of Java classes. Version 3.7 of the JUnit testing framework organizes its classes into nine separate Java packages. Because JUnit is currently released under the open source Common Public License 1.0, it is possible to download the source code from http://www.junit.org to learn more about the design and implementation choices made by Kent Beck and Erich Gamma, the creators of the framework. In this chapter, we highlight some of the interesting design and usage issues associated with JUnit. More details about the intricacies of JUnit can be found in Gamma and Beck [2003] and Jackson [2003]. The junit.framework.TestCase class adheres to the Command design pattern and thus provides the run method that describes the default manner in which tests can be executed. As shown in Figure 105.4, a programmer can write a new collection of tests by creating a subclass of TestCase. Unless a TestCase subclass provides a new implementation of the run method, the JUnit framework is designed to call the default setUp, runTest, and tearDown methods. The setUp and tearDown methods are simply
.... F Time: 0.026 There was 1 failure: 1) testFour(KineticTest)junit.framework.AssertionFailedError : expected:<20> but was:<24> at KineticTest.testFour(KineticTest.java:48) at sun. reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun. reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39) at sun. reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25) FAILURES!!! Tests run : 4,
Failures : 1,
Errors : 0
FIGURE 105.11 The results from executing KineticTest in the junit.textui.TestRunner. © 2004 by Taylor & Francis Group, LLC
responsible for creating the state of the class(es) under test and then “cleaning up” after a single test has executed. That is, JUnit provides a mechanism to facilitate the creation of independent test suites, as defined in Definition 105.2 of Section 105.2.1. JUnit uses the Composite design pattern to enable the collection of TestCases into a single TestSuite, as described by Definition 105.1 in Section 105.2.1. The Test interface in JUnit has two subclasses: TestCase and TestSuite. Like TestCase, a TestSuite also has a run method. However, TestSuite is designed to contain 1 to n TestCases and its run method calls the run method of each of the instances of TestCase it contains [Jackson, 2003]. A TestCase can describe the tests that it contains by providing a suite method. JUnit provides an interesting “shorthand” that enables a subclass of TestCase to indicate that it would simply like to execute all of the tests that it defines. The statement return new TestSuite(KineticTest.class) on line 10 of the suite method in Figure 105.4 requires the JUnit framework to use the Java reflection facilities to determine, at runtime, the methods within KineticTest that start with the required “test” prefix. The run method in the Test superclass has the following signature: public void run(Test Result result) [Gamma and Beck, 2003]. Using the terminology established in Beck [1997] and Gamma and Beck [2003], result is known as a “collecting parameter” because it enables the collection of information about whether the tests in the test suite passed or caused a failure or an error to occur. Indeed, JUnit distinguishes between a test that fails and a test that raises an error. JUnit test cases include assertions about the expected output of a certain method under test or the state of the class under test and a failure occurs when these assertions are not satisfied. On the other hand, the JUnit framework automatically records that an error occurred when an unanticipated subclass of java.lang.Exception is thrown by the class under test. In the context of the terminology established in Section 105.2.1, JUnit’s errors and failures both reveal faults in the application under test. JUnit also facilitates the testing of the expected “exceptional behavior” of a class under test. For example, suppose that a BankAccount class provides a withdraw(double amount) method that raises an OverdraftException whenever the provided amount is greater than the balance encapsulated by the BankAccount instance. Figure 105.12 provides the BankAccountTest class that tests the normal and exceptional behavior of a BankAccount class. In this subclass of TestCase, the testInvalidWithdraw method is designed to fail when the withdraw method does not throw the OverdraftException. However, the testValidWithdraw method will only throw an exception if the assertEquals(expected, actual, NO DELTA) is violated. In this test, the third parameter in the call to assertEquals indicates that the test will not tolerate any small difference in the double parameters expected and actual.
105.3.7 Test Adequacy Evaluation It is often useful to determine the adequacy of an existing test suite. For example, an automated test data generation algorithm might be configured to terminate when the generated test suite reaches a certain level of adequacy. If test suites are developed in a manual fashion, it is important to measure the adequacy of these tests to determine if the program under test is being tested “thoroughly.” In our discussion of test adequacy evaluation, we use R(C, P ) to denote the set of test requirements for a given test adequacy criterion C and a program under test P . If the all-nodes criterion was selected to measure the adequacy of a T used to test the computeVelocity method in Figure 105.3, then we would have R(C, P ) = {entercv , n6 , n7 , n8 , n10 , n11 , n12 , n16 , n18 , exit cv }. Alternatively, if C was the all-uses test adequacy criterion, then R(C, P ) would contain all of the def-c-use and def-p-use associations within computeVelocity. For example, line 11 of computeVelocity contains a definition of the variable velocity and line 12 contains a computation-use of velocity and this def-use association would be included in R(C, P ). Normally, the adequacy of test suite T is evaluated by instrumenting the program under test to produce P R(C,P ) , a version of P that can report which test requirements are covered during the execution of T . Pavlopoulou and Young [1999] have proposed, designed, and implemented a residual test adequacy © 2004 by Taylor & Francis Group, LLC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
import junit.framework.∗; public class BankAccountTest extends TestCase { private BankAccount account = new BankAccount(1000); private static double NO_DELTA = 0.0; public BankAccountTest(String name) { super(name); } public static Test suite() { return new TestSuite(BankAccountTest.class); }
}
public void testValidWithdraw() { double expected = 500.00; account.withdraw(500); double actual = account.getBalance(); assertEquals(expected, actual, NO_DELTA); } public void testInvalidWithdraw() { try { account.withdraw(1500); fail("Should_have_thrown_OverdraftException"); } catch(OverdraftException e) { // test is considered to be successful } }
FIGURE 105.12 The BankAccountTest with valid and invalid invocations of withdraw.
evaluator that can instrument the program under test and calculate the adequacy of the test suites used during development. Figure 105.13 provides a high-level depiction of this test adequacy evaluation system for Java programs. The residual coverage tool described by these authors can also measure the coverage of test requirements after a software system has been deployed and is being used in the field. Finally, this test coverage monitoring tool provides the ability to incrementally remove the test coverage probes placed in the program under test after the associated test requirements have been exercised [Pavlopoulou and Young, 1999]. Pavlopoulou and Young [1999] report that the removal of the probes used to monitor covered test requirements often dramatically reduces the overhead associated with test adequacy evaluation.
105.3.8 Regression Testing After a software system experiences changes in the form of bug fixes or additional functionality, a software maintenance activity known as regression testing can be used to determine if these changes introduced © 2004 by Taylor & Francis Group, LLC
System Under Test (P )
Test Adequacy Criterion (C)
... Program Instrumenter
Instrumented System Under Test (PR(C,P ))
Residual Test Requirements
Java Virtual Machine
Cumulative Adequacy Table
... Covered Test Requirements
FIGURE 105.13 The iterative process of residual test coverage monitoring. (From Christina Pavlopoulou and Michal Young. Residual test coverage monitoring. In Proceedings of the 21st International Conference on Software Engineering, pages 277–284. IEEE Computer Society Press, 1999. With permission.)
defects. As described in Section 105.2.2 and depicted in Figure 105.2, the regression testing process applies all of the other software testing stages whenever the program under test changes. The creation, maintenance, and execution of a regression test suite helps to ensure that the evolution of an application does not result in lower quality software. The industry experiences noted by Onoma et al. [1998] indicate that regression testing often has a strong positive influence on software quality. Indeed, the importance of regression testing is well understood. However, as noted by Beizer [1990] and Leung and White [1989], many software development teams might choose to omit some or all of the regression testing tasks because they often account for as much as one half the cost of software maintenance. Moreover, the high costs of regression testing are often directly associated with the execution of the test suite. Other industry reports from Rothermel et al. [1999] show that the complete regression testing of a 20,000-line software system required seven weeks of continuous execution. Because some of the most well-studied software failures, such as the Ariane-5 rocket and the 1990 AT&T outage, can be blamed on the failure to test changes in a software system [Hamlet and Maybee, 2001], many techniques have been developed to support efficient regression testing. Several different methods have been developed in an attempt to reduce the cost of regression testing. Regression test selection approaches attempt to reduce the cost of regression testing by selecting some appropriate subset of the existing test suite [Ball, 1998; Rothermel and Harrold, 1997; Vokolos and Frankl, 1997]. Test selection techniques normally use the source code of a program to determine which tests should be executed during the regression testing stage [Rothermel and Harrold, 1996]. Regression test prioritization techniques attempt to order a regression test suite so that those tests with the highest priority, according to some established criterion, are executed earlier in the regression testing process than those with lower priority [Elbaum et al., 2000; Rothermel et al., 1999]. By prioritizing the execution of a regression test suite, these methods hope to reveal important defects in a software system earlier in the regression testing process. Regression test distribution is another alternative that can make regression testing more practical by more fully utilizing the computing resources that are normally available to a testing team [Kapfhammer, 2001]. Throughout our discussion of regression testing, we continue to use the notation described in Section 105.2.1 and extend it with additional notation used in Rothermel and Harrold [1996]. Therefore, we will use P to denote a modified version of program under test P . Problem 105.1 characterizes the regression testing problem in a fashion initially proposed in Rothermel and Harrold [1994]. It is important to note that any attempt to solve the regression testing problem while attempting to make regression © 2004 by Taylor & Francis Group, LLC
testing more cost-effective could use regression test selection, prioritization, and distribution techniques in conjunction with or in isolation from one another. In Section 105.3.8.1 through Section 105.3.8.3, we iteratively construct a regression testing solution that can use test selection, prioritization, and distribution techniques. Problem 105.1 Given a program P , its modified version P , and a test set T that was used to previously test P , find a way to utilize T to gain sufficient confidence in the correctness of P . 105.3.8.1 Selective Regression Testing Selective retest techniques attempt to reduce the cost of regression testing by identifying the portions of P that must be exercised by the regression test suite. Intuitively, it might not be necessary to re-execute test cases that test source code locations in P that are the same as the source locations in P . Any selective regression testing approach must ensure that it selects all the test cases that are defect-revealing for P , if there are any defects within P . Selective retesting is distinctly different from a retest-all approach that conservatively executes every test in an existing regression test suite. Figure 105.14 uses the RTS algorithm to express the steps that are commonly associated with a regression testing solution that uses a test selection approach [Rothermel and Harrold, 1996, 1998]. Each step in the RTS algorithm addresses a separate facet of the regression testing problem. Line 1 attempts to select a subset of T that can still be used to effectively test P . Line 3 tries to identify portions of P that have not been sufficiently tested and then seeks to create these new regression tests. Line 2 and Line 4 focus on the efficient execution of the regression test suite and the examination of the testing results, denoted R1 and R2 , for incorrect results. Finally, Line 5 highlights the need to analyze the results of all previous test executions, the test suites themselves, and the modified program in order to produce the final test suite. When the RTS algorithm terminates, modified program P becomes the new program under test and TL is now treated as the test suite that will be used during any further regression testing that occurs after the new P changes. Traditionally, regression test selection mechanisms limit themselves to the problem described in Line 1. Furthermore, algorithms designed to identify T must conform to the controlled regression testing assumption. This assumption states that the only valid changes that can be made to P in order to produce P are those changes that impact the source code of P [Rothermel and Harrold, 1997]. 105.3.8.2 Regression Test Prioritization Regression test prioritization approaches assist with regression testing in a fashion that is distinctly different from test selection methods. Test case prioritization techniques allow testers to order the execution of a
Algorithm RTS(T, P , P ) (∗ Regression Testing with Selection ∗) Input: Initial Regression Test Suite T ; Initial Program Under Test P ; Modified Program Under Test P Output: Final Regression Test Suite TL 1. T ← SelectTests(T, P ) 2. R1 ← ExecuteTests(T , P ) 3. T ← CreateAdditionalTests(T , P ) 4. R2 ← ExecuteTests(T , P ) 5. TL ← CreateFinalTests(T, T , R1 , T , R2 , P ) 6. return TL FIGURE 105.14 Regression testing with selection. © 2004 by Taylor & Francis Group, LLC
Algorithm RTSP(T, P , P ) (∗ Regression Testing with Selection and Prioritization ∗) Input: Initial Regression Test Suite T ; Initial Program Under Test P ; Modified Program Under Test P Output: Final Regression Test Suite TL 1. T ← SelectTests(T, P ) 2. Tr ← PermuteTests(T , P ) 3. R1 ← ExecuteTests(Tr , P ) 4. T ← CreateAdditionalTests(Tr , P ) 5. R2 ← ExecuteTests(T , P ) 6. TL ← CreateFinalTests(T, Tr , R1 , T , R2 , P ) 7. return TL FIGURE 105.15 Regression testing with selection and prioritization.
regression test suite in an attempt to increase the probability that the suite might detect a fault at earlier testing stages [Elbaum et al., 2000; Rothermel et al., 1999, 2001a; Wong et al., 1997]. Figure 105.15 uses the formalization of Elbaum et al. [2000] and Rothermel and Harrold [1996] to characterize the typical steps taken by a technique that employs both selection and prioritization to solve the regression testing problem. The expression of the RTSP algorithm in Figure 105.15 is intended to indicate that a tester can use regression test selection and prioritization techniques in either a collaborative or independent fashion. Line 1 allows the tester to select T such that it is a proper subset of T or such that it actually contains every test that T contains. Furthermore, Line 2 could produce Tr such that it contains an execution ordering for the regression tests that is the same or different than the ordering provided by T . The other steps in the RTSP algorithm are similar to those outlined in Figure 105.14, the regression testing solution that relied only on test selection. The test case prioritization approaches developed by Elbaum et al. restrict themselves to the problem described in Line 2. Testers might desire to prioritize the execution of a regression test suite such that code coverage initially increases at a faster rate. Or, testers might choose to increase the rate at which high-risk faults are first detected by a test suite. Alternatively, the execution of a test suite might be prioritized in an attempt to ensure that the defects normally introduced by competent programmers are discovered earlier in the testing process. Current techniques that prioritize a regression test suite by the fault-exposing-potential of a test case also rely on the usage of mutation analysis [Elbaum et al., 2000; Rothermel et al., 2001a], as previously described in Section 105.3.4.2. When a regression test suite for a given program P is subjected to a mutation analysis, a finite set of syntactically different versions of P are produced. Then, the entire regression test suite is executed for each one of the mutated versions of P in order to determine if the tests can detect the fault that each mutant represents. Although mutation analysis has proven to be a viable regression test prioritization technique, its practicality is limited because it is so computationally intensive [Elbaum et al., 2000; Rothermel et al., 2001a]. Regression test suite prioritization algorithms are motivated by the empirical investigations of test adequacy criteria, as discussed in Section 105.3.4.4, which indicate that tests that are highly adequate are often more likely to reveal program defects. In an empirical evaluation of regression test suite prioritization, techniques that create a prioritized test suite can be evaluated based upon the weighted average of the percentage of faults detected over the life of the test suite, or the APFD [Elbaum et al., 2003]. For example, suppose that a regression test suite T was prioritized by its code coverage ability in order to produce fep (Trc and was also prioritized by its fault exposing potential, thereby creating Tr . If the faults in the program fep under test are known and the APFD of Tr is greater than the APFD of Trc , then it is likely that we would prefer the usage of mutation adequacy over code coverage to prioritize the execution of T . Yet, Elbaum et al. [2003] caution against this interpretation when they observe that “to assume that a higher APFD © 2004 by Taylor & Francis Group, LLC
Test Case 1 2 3 4 5
f1
f2
× ×
× ×
Faults f3 f4 × ×
×
× × ×
×
f5
×
FIGURE 105.16 The faults detected by a regression test suite T = t1 , . . . , t5 .
implies a better technique, independent of cost factors, is an oversimplification that may lead to inaccurate choices among techniques.” However, because the APFD metric was used in early studies of regression test suite prioritization techniques and because it can still be used as a basis for more comprehensive prioritization approaches that use cost-benefit thresholds [Elbaum et al., 2003], it is important to investigate it in more detail. If we use the notation established in Section 105.2.1 and we have T = t1 , . . . , tn and a total of g faults within program under test P , then Equation 105.15 defines the APFD(T, P ) [Elbaum et al., 2003]. We use reveal(h, T ) to denote the position within T of the first test that reveals fault i . g
APFD(T, P ) = 1 −
h=1
reveal(h, T ) 1 + ng 2n
(105.15)
For example, suppose that we have the test suite T = t1 , . . . , t5 and we know that the tests detect faults f 1 , . . . , f 5 in P according to Figure 105.16. Next, assume that PermuteTests(T , P ) creates a Tr1 = t1 , t2 , t3 , t4 , t5 , thus preserving the ordering of T . In this situation, we now have APFD(Tr1 , P ) = 1 − .4 + .1 = .7. However, if PermuteTests(T , P ) does change the order of T to produce Tr2 = t3 , t4 , t1 , t2 , t5 , then we have APFD(Tr2 , P ) = 1 − .2 + .1 = .9. In this example, Tr2 has a greater weighted average of the percentage of faults detected over its life than Tr1 . This is due to the fact that the tests which are able to detect all of the faults in P , t4 and t5 , are executed first in Tr2 . Therefore, if the prioritization technique used to produce Tr2 is not significantly more expensive than the one used to create Tr1 , then it is likely a wise choice to rely on the second prioritization algorithm for our chosen P and T . 105.3.8.3 Distributed Regression Testing Any technique that attempts to distribute the execution of a regression test suite will rely on the available computational resources during Line 2, Line 3, and Line 5 of algorithm RTSP in Figure 105.15. That is, when tests are being selected, prioritized, or executed, distributed regression testing relies on all of the available testing machines to perform the selection, prioritization, and execution in a distributed fashion. If the changes that are applied to P to produce P involve the program’s environment and this violates the controlled regression testing assumption, a distribution mechanism can be used to increase regression testing cost-effectiveness. When the computational requirements of test case prioritization are particularly daunting, a distributed test execution approach can be used to make prioritizations based upon coveragelevels or fault-exposing-potential more practical [Kapfhammer, 2001]. In situations where test selection and/or prioritization are possible, the distributed execution of a regression test suite can be used to further enhance the cost-effectiveness of the regression testing process. When only a single test machine is available for regression testing, the distribution mechanism can be disabled and the other testing approaches can be used to solve the regression testing problem.
105.3.9 Recent Software Testing Innovations The software testing and analysis research community is actively proposing, implementing, and analyzing new software testing techniques. Recent innovations have been both theoretical and practical in nature. © 2004 by Taylor & Francis Group, LLC
In this section, we summarize a selection of recent testing approaches that do not explicitly fit into the process model proposed in Section 105.2.2. Yet, it is important to note that many of these techniques have relationship(s) to the “traditional” phases described by our model. 105.3.9.1 Robustness Testing A software system is considered to be robust if it can handle inappropriate inputs in a graceful fashion. Robustness testing is a type of software testing that attempts to ensure that a software system performs in an acceptable fashion when it is provided with anomalous input or placed in an inappropriate execution environment. Robustness testing is directly related to the process of hardware and software fault injection. For example, the FUZZ system randomly injects data into selected operating system kernel and utility programs in order to facilitate an empirical examination of operating system robustness [Miller et al., 1990]. Initial studies indicate that it was possible to crash between 25 and 33% of the utility programs that were associated with 4.3 BSD, SunOS 3.2, SunOS 4.0, SCO Unix, AOS Unix, and AIX 1.1 Unix [Miller et al., 1990]. Subsequent studies that incorporated additional operating systems, such as AIX 3.2, Solaris 2.3, IRIX 5.1.1.2, NEXTSTEP 3.2, and Slackware Linux 2.1.0, indicate that there was a noticeable improvement in operating system utility robustness during the intervening years between the first and second studies [Miller et al., 1998]. Interestingly, the usage of FUZZ on the utilities associated with a GNU/Linux operating system showed that these tools exhibited significantly higher levels of robustness than the commercial operating systems included in the study [Miller et al., 1998]. Other fault injection systems, such as FTAPE, rely on the usage of computer hardware to inject meaningful faults into a software system [Tsai and Iyer, 1995]. Yet, most recent fault injection systems, such as Ballista, do not require any special hardware in order to perform robustness testing. Ballista can perform robustness testing on the Portable Operating System Interface (POSIX) API to assess the robustness of an entire operating system interface [Koopman and DeVale, 2000]. Instead of randomly supplying interfaces with test data, Ballista builds test cases that are based on the data types that are associated with procedure parameters. Ballista associates each of the possible parameter data types with a finite set of test values that can be combined to generate test inputs for operations. A Ballista test case can be automatically executed in an infrastructure that supports the testing of operating systems such as AIX 4.41, Free BSD 2.2.5, HP-UX 10.20, Linux 2.0.18, and SunOS 5.5 [Koopman and DeVale, 2000]. Finally, if a test causes the operating system to perform in an anomalous fashion, the test records the severity of the test results based on the CRASH scale that describes Catastrophic, Restart, Abort, Silent, and Hindering failures. According to Biyani and Santhanam [1997], Krop et al. [1998], and Koopman and DeVale [2000], a catastrophic failure occurs when a utility program (or an operating system API) causes the system to hang or crash while a restart failure happens when the procedure under test never returns control to the test operation in a specific robustness test. Furthermore, abort failures are traditionally associated with “core dumps,” and silent failures occur when the operating system does not provide any indication of the fact that the robustness testing subject just performed in an anomalous fashion. Finally, hindering failures happen when the procedure under test returns an error code that does not properly describe the exceptional condition that arose due to robustness testing. An empirical analysis of Ballista’s ability to detect robustness failures indicates that a relatively small number of POSIX functions in the candidate operating systems did not ever register on the CRASH scale [Krop et al., 1998]. Several robustness testing systems have also been developed for the Windows NT operating system [Ghosh et al., 1998, 1999; Tsai and Singh, 2000]. For example, Ghosh et al. [1999] discuss the fault injection simulation tool (FIST) and a wrapping technique that can improve the robustness of Windows NT applications. The authors describe the usage of FIST to isolate a situation in which Microsoft Office 97 performs in a non-robust fashion and then propose a wrapping technique that can enable the Office application to correctly handle anomalous input. Furthermore, an empirical analysis that relied on the application of a fault injection tool called the Random and Intelligent Data Design Library Environment (RIDDLE) revealed that GNU utilities ported to Windows NT appear to be less robust than the same utilities on the Unix operating system [Ghosh et al., 1998]. Finally, the dependability test suite (DTS) is another fault injection tool that can be used to determine the robustness of Windows NT applications such © 2004 by Taylor & Francis Group, LLC
as Microsoft IIS Server and SQL Server [Tsai and Singh, 2000]. While robustness testing and software fault injection frequently focus their testing efforts on the operating system level, Haddox et al. [2001, 2002] have developed techniques that use fault injection to test and analyze software commercialoff-the-shelf(COTS), components of a finer level of granularity than a complete operating system API or an entire application. 105.3.9.2 Testing Spreadsheets Our discussion of software testing has generally focused on the testing and analysis of programs written in either procedural or object-oriented programming languages. However, Rothermel et al. [1997, 2000, 2001b] and Fisher et al. [2000a, 2000b] have focused on the testing and analysis of programs written in spreadsheet languages. The form-based visual programming paradigm, of which spreadsheet programs are a noteworthy example, is an important mode of software development. Indeed, Brooks [1995] makes the following observation about spreadsheets and databases: “These powerful tools, so obvious in retrospect and yet so late in appearing, lend themselves to a myriad of uses, some quite unorthodox.” However, until recently, the testing and analysis of spreadsheet programs has been an area of research that has seen little investigation. Rothermel et al. [2000] echo this sentiment in the following observation: Spreadsheet languages have rarely been studied in terms of their software engineering properties. This is a serious omission, because these languages are being used to create production software upon which real decisions are being made. Further, research shows that many spreadsheets created with these languages contain faults. For these reasons, it is important to provide support for mechanisms, such as testing, that can help spreadsheet programmers determine the reliability of values produced by their spreadsheets. Rothermel et al. [1997] have described some of the differences between form-based programming languages and imperative programming language paradigms, noting that these “programs” are traditionally composed of cells that have formulas embedded within them. These authors have proposed the cell relation graph (CRG) as an appropriate model for a form-based program that is loosely related to the control-flow graph of an imperative program. The CRG includes information about the control flow within the formulas that are embedded within cells and the dependencies between the program’s cells. Rothermel et al. [1997] have also examined the usefulness of different understandings of test adequacy for spreadsheet programs, such as traditional node and edge-based criteria defined for a program’s CRG. However, they concluded that a data flow-based test adequacy criterion is most appropriate for form-based programs because it models the definition and usage of the cells within a program. Furthermore, because form-based programs do not contain constructs such as array indexing operations and pointer accesses, it is often much easier to perform data flow analysis on the CRG of a spreadsheet program than it would be to perform a data flow analysis on the ICFG of an imperative program [Rothermel et al., 1997]. Rothermel et al. [2001b] provide all of the algorithms associated with a testing methodology for the Forms/3 spreadsheet language. In this chapter, we focus on the issues associated with automated test data generation [Fisher et al., 2002b] and test reuse [Fisher et al., 2002a] for programs written in spreadsheet languages. The “What You See Is What You Test” (WYSIWYT) spreadsheet testing methodology proposed by Fisher et al. and Rothermel et al. includes a test data generation mechanism for the output-influencing-alldu-pairs (or, oi-all-du-pairs) test adequacy criterion that is based on the CRG representation of a spreadsheet [Fisher et al., 2002b; Rothermel et al., 2001b]. This test adequacy criterion is similar to the standard all-uses and all-DUs criteria, except that it requires the coverage of the def-use associations in a spreadsheet’s CRG that influence the cells that contain user-visible output. The goal-oriented test data generation approach implemented by the authors is similar to Ferguson and Korel’s [1996] chaining approach because it represents a spreadsheet as a collection of branch functions. The constrained linear search procedure described by Fisher et al. [2002b] attempts to exercise uncovered output influencing def-use-associations by causing the branch functions associated with the selected CRG path to take on positive values. Test suite reuse is also an important facet of spreadsheet testing because end users often share spreadsheets, and production spreadsheets must be revalidated when new versions of commercial spreadsheet © 2004 by Taylor & Francis Group, LLC
engines are released [Fisher et al., 2002a]. Current spreadsheet reuse algorithms are similar to the regression test suite selection techniques presented in Section 105.3.8.1. When a spreadsheet user modifies a spreadsheet application, the reuse algorithms must determine which portion of the test suite must be executed in order to validate the program in a manner that is cost-effective and practical. Because the WYSIWYT tools are designed to be used by a spreadsheet developer in a highly interactive fashion, the timely retesting of a spreadsheet often can only occur if the test suite is reused in an intelligent fashion. Fisher et al. [2002a] propose specific test reuse actions that should occur when the spreadsheet developer deletes a cell, changes the formula within a spreadsheet cell, or inserts a new cell into a spreadsheet. For example, if the programmer changes the formula within a specific spreadsheet cell, the test reuse algorithms must select all the existing test(s) that validate the output of the modified cell and any other impacted cells. Alternatively, if the formula changes for a certain cell change cause the formula to rely on new and/or different spreadsheet input cells, some test cases might be rendered obsolete [Fisher et al., 2002a]. 105.3.9.3 Database-Driven Application Testing Even simple software applications have complicated and ever-changing operating environments that increase the number of interfaces and the interface interactions that must be tested. Device drivers, operating systems, and databases are all aspects of a software system’s environment that are often ignored during testing [Whittaker, 2000; Whittaker and Voas, 2000]. Yet, relatively little research has specifically focused on the testing and analysis of applications that interact with databases. Chan and Cheung [1999a, 1999b] have proposed a technique that can test database-driven applications written in a general-purpose programming language such as Java, C, or C++, while also include embedded Structured Query Language (SQL) statements that are designed to interact with a relational database. In their approach, Chan and Cheung transform the embedded SQL statements within a database-driven application into general purpose programming language constructs. Chan and Cheung [1999a] provide C code segments that describe the selection, projection, union, difference, and cartesian product operators that form the relational algebra and thus heavily influence the SQL. Once the embedded SQL statements within the program under test have been transformed into general-purpose programming language constructs, it is possible to apply traditional test adequacy criteria, as described in Section 105.3.4, to the problem of testing programs that interact with one or more relational databases. Chays et al. [2000, 2002] and Chays and Deng [2003] have described the challenges associated with testing database-driven applications and proposed the AGENDA tool suite as a solution to a number of these challenges. In fact, Chays et al. [2000] observe that measuring the “correctness” of database-driven applications might involve the following activities: (1) determining whether the program behaves according to specification, (2) deciding whether the relational database schema is correctly designed, (3) showing that the database is secure, (4) measuring the accuracy of the data within the database, and (5) ensuring that the database management system correctly performs the SQL operations required by the application itself. Chays et al. [2000] also propose a partially automatable software testing methodology, inspired by the category-partition method described in Section 105.3.4.3, that addresses the first understanding of database-driven application correctness. When provided with the relational schema of the database(s) used by the program under test and a description of the categories and choices for the attributes required by the relational tables, the AGENDA tool can generate meaningful test databases [Chays et al., 2002; Chays and Deng, 2003]. AGENDA also provides a number of database testing heuristics, such as “determine the impact of using attribute boundary values” or “determine the impact of null attribute values” that can enable the tester to gain insight into the behavior of a program when it interacts with a database that contains “interesting” states [Chays et al., 2000, 2002; Chays and Deng, 2003]. While the AGENDA tool suite does provide innovative techniques for populating the relational database used by a database-driven application, it does not explicitly test the interactions between the program and the database. As noted by Daou et al. [2001] and Kapfhammer and Soffa [2003], a database interaction point in a program can be viewed as an interaction with different entities of a relational database, depending on the granularity with which we view the interaction. That is, we can view an SQL statement’s interaction with a database at the level of databases, relations, records, attributes, or attribute values. Kapfhammer and © 2004 by Taylor & Francis Group, LLC
1 public boolean lockAccount(int card_number) 2 throws SQLException 3 { 4 boolean completed = false; 5 String qu_lock = 6 "UPDATE_UserInfo_SET_acct_lock=1_WHERE_card_number="+ 7 card_number + ";"; 8 Statement update_lock = m_connect.createStatement(); 9 int result_lock = update_lock.executeUpdate(qu_lock); 10 if( result_lock == 1) 11 { 12 completed = true; 13 } 14 return completed; 15 } FIGURE 105.17 The lockAccount in an ATM application.
Soffa [2003] propose an approach that can enumerate all the relational database entities that a databasedriven program interacts with and then create a database interaction control flow graph (DICFG) that specifically models the actions of the program and its interactions with a database. As an example, the lockAccount method provided in Figure 105.17 could be a part of a database-driven ATM application. Line 9 of this program contain a database interaction point where the lockAccount method sends an SQL update statement to a relational database. Figure 105.18 offers a database interaction control flow graph for the lockAccount method that represents the operation’s interaction with the relational database at the level of the database and attribute interactions.∗ After proposing a new representation for database-driven applications, Kapfhammer and Soffa also describe a family of test adequacy criteria that can facilitate the measurement of the test suite quality for programs that interact with relational databases. The all-database-DUs, all-relation-DUs, all-recordDUs, all-attribute-DUs, and all-attribute-value-DUs test adequacy criteria that are extensions of the traditional all-DUs proposed by Hutchins et al. and discussed in Section 105.3.4.4. Definition 105.12 defines the all-relation-DUs test adequacy criterion. In this definition, we use Rl to denote the set of all the database relations that are interacted with by a method in a database-driven application application. While Kapfhammer and Soffa [2003] define the all-relation-DUs and other related test adequacy criteria in the context of the database interaction control flow graph for a single method, the criteria could be defined for a “database enhanced” version of the class control flow graph or the interprocedural control flow graph. Definition 105.12 A test suite T for database interaction control flow graph G DB = (NDB , E DB ) satisfies the all-relation-DUs test adequacy criterion if and only if for each association (nd , nuse , x), where x ∈ Rl and nd , nuse ∈ NDB , there exists a test in ti ∈ T to create a complete path x in G DB that covers the association. 105.3.9.4 Testing Graphical User Interfaces The graphical user interface (GUI) is an important component of many software systems. While past estimates indicated that an average of 48% of an application’s source code was devoted to the interface
∗ In this example, we assume that the program interacts with a single relational database called Bank. Furthermore, we assume that the Bank database contains two relations, Account and UserInfo. Finally, we require the Account relation to contain the attributes id, acct name, balance, and card number.
© 2004 by Taylor & Francis Group, LLC
entry lockAccount
temp1 = parameter0:card_number
temp2 = LocalDatabaseEntity0: Bank
temp3 = LocalDatabaseEntity1:acct_lock
temp4 = LocalDatabaseEntity2:card_number
completed = false
qu_lock = ‘‘UPDATE UserInfo...” + temp1 + ‘‘;”
update_lock = m_connect.createStatement()
A
entry G1
entry G2
define(temp3)
define(temp2)
use(temp4)
exit G1
D
exit G2 result.lock = update_lock.executeUpdate(qu_lock)
if(result_lock = 1)
completed - true
exit lockAccount
FIGURE 105.18 A DICFG for lockAccount. (From Gregory M. Kapfhammer and Mary Lou Soffa. A Family of Test Adequacy Criteria for Database-Driven Applications. In Proceedings of the 9th European Software Engineering Conference and the 11th ACM SIGSOFT Symposium on the Foundations of Software Engineering. ACM Press. With permission.)
[Myers and Rosson, 1992], current reports reveal that the GUI represents 60% of the overall source of a program [Memon, 2002]. While past research has examined user interface (UI) usability and widget layout [Sears, 1993], interactive system performance [Endo et al., 1996], and GUI creation framework performance [Howell et al., 2003], relatively little research has focused on the testing and analysis of GUIs. Memon et al. [2001a, 2001b] have conducted innovative research that proposes program representations, test adequacy criteria, and automated test data generation algorithms that are specifically tailored for programs with GUIs. As noted in the following observation from Memon et al. [1999], the testing of GUIs is quite challenging: In particular, the testing of GUIs is more complex than testing conventional software, for not only does the underlying software have to be tested but the GUI itself must be exercised and tested to check for bugs in the GUI implementation. Even when tools are used to generate GUIs automatically, they are not bug free, and these bugs may manifest themselves in the generated GUI, leading to software failures. © 2004 by Taylor & Francis Group, LLC
To complicate matters further, the space of possible GUI states is extremely large. Memon et al. [1999, 2001a] chose to represent a GUI as a series of operators that have preconditions and postconditions related to the state of the GUI. This representation classifies the GUI events into the categories of menuopen events, unrestricted-focus events, restricted-focus events, and system-interaction events [Memon et al., 2001a]. Menu-open events are normally associated with the usage of the pull-down menus in a GUI and are interesting because they do not involve interaction with the underlying application. While unrestricted-focus events simply expand the interaction options available to a GUI user, restricted-focus events require the attention of the user before additional interactions can occur. Finally, system interaction events require the GUI to interact with the actual application [Memon et al., 2001a]. To perform automated test data generation, Memon et al. rely on artificial intelligence planners that can use the provided GUI events and operations to automatically produce tests that cause the GUI to progress from a specified initial GUI state to a desired goal state. In an attempt to formally describe test adequacy criteria for GUI applications, Memon et al. [2001b] propose the event-flow graph as an appropriate representation for the possible interactions that can occur within a GUI component. Furthermore, the integration tree shows the interactions between all the GUI components that comprise a complete graphical interface. Using this representation, Memon et al. [2001b] define intra-component and inter-component test adequacy criteria based upon GUI event sequences. The simplest intra-component test adequacy criterion, event-interaction coverage, requires a test suite to ensure that after a certain GUI event e has been performed, all events that directly interact with e are also performed [Memon et al., 2001b]. The length-n event sequence test adequacy criterion extends the simple event-interaction coverage by requiring a context of n events to occur before GUI event e actually occurs. Similarly, Memon et al. [2001b] propose inter-component test adequacy criteria that generalize the intra-component criteria and must be calculated using the GUI’s integration tree.
105.4 Conclusion Testing is an important technique for the improvement and measurement of a software system’s quality. Any approach to testing software faces essential and accidental difficulties and, as noted by Edsger Dijkstra [1968], the construction of the needed test programs is a “major intellectual effort.” While software testing is not a “silver bullet” that can guarantee the production of high-quality applications, theoretical and empirical investigations have shown that the rigorous, consistent, and intelligent application of testing techniques can improve software quality. Software testing normally involves the stages of test case selection, test case generation, test execution, test adequacy evaluation, and regression testing. Each of these stages in our model of the software testing process plays an important role in the production of programs that meet their intended specification. The body of theoretical and practical knowledge about software testing continues to grow as research expands the applicability of existing techniques and proposes new testing techniques for an ever-widening range of programming languages and application domains.
Defining Terms All-edges/branch coverage: A test adequacy criterion that requires the execution of all the branches within the program under test. All-nodes/statement coverage: A test adequacy criterion that requires the execution of all the statements within the program under test. All-uses: A test adequacy criterion, used as the basis for definition-use testing, that requires the coverage of all the definition-c-use and definition-p-use associations within the program under test. Category-partition method: A partially automatable software testing technique that enables the generation of test cases that attempt to ensure that a program meets its specification. Coincidental correctness: A situation when a fault in a program does not manifest itself in a failure although the fault has been executed and it has infected the data state of the program. © 2004 by Taylor & Francis Group, LLC
Commercial off-the-shelf component: A software component that is purchased and integrated into a system. Commercial off-the-shelf components do not often provide source code access. Competent programmer hypothesis: An assumption that competent programmers create programs that compile and very nearly meet their specification. Complete path: A path in a control flow graph that starts at the program graph’s entry node and ends at its exit node. Condition: An expression in a conditional logic predicate that evaluates to true or false while not having any other Boolean valued expressions within it. Condition-decision coverage: A test adequacy criterion that requires a test suite to cover all the edges within a program’s control flow graph and to ensure that each condition evaluates to true and false at least one time. Coupling effect: An assumption that test suites that can reveal simple defects in a program can also reveal more complicated combinations of simple defects. Equivalent mutant: A mutant that is not distinguishable from the program under test. Determining whether a mutant is equivalent is generally undecidable. When mutation operators produce equivalent mutants, the calculation of mutation adequacy scores often requires human intervention. Error: A mistake made by a programmer during the implementation of a software system. Failure: The external, incorrect behavior of a program. Fault: A collection of program source statements that cause a program failure. Fault detection ratio: In the empirical evaluation of test adequacy criteria, the ratio between the number of test suites whose adequacy is in a specific interval and the number of test suites that contain a fault-revealing test case. Interprocedural control flow graph: A graph-based representation of the static control flow for an entire program. In object-oriented programming languages, the interprocedural control flow graph is simply a collection of the intraprocedural control flow graphs for each of the methods within the program under test. Multiple condition coverage: A test adequacy criterion that requires a test suite to account for every permutation of the Boolean variables in every branch of a program. Mutation adequacy/relative adequacy: A test adequacy criterion, based on the competent programmer hypothesis and the coupling effect assumption, that requires a test suite to differentiate between the program under test and a set of programs that contains common programmer errors. Mutation operator: A technique that modifies the program under test in order to produce a mutant that represents a faulty program that might be created by a competent programmer. N-selective mutation testing: A mutation testing technique that attempts to compute a high-fidelity mutation adequacy score without executing the mutation operators that create the highest number of mutants and do not truly shed light on the defect-revealing potential of the test suite. PIE model: A model proposed by Voas that states that a fault will only manifest itself in a failure when it is executed, it infects the program data state, and finally propagates to the output. Regression testing: An important software maintenance activity that attempts to ensure that the addition of new functionality and/or the removal of program faults does not negatively impact the correctness of the program under test. Regression test selection: A technique that attempts to reduce the cost of regression testing by selecting some appropriate subset of an existing test suite for execution. Regression test suite distribution: A technique that attempts to make regression testing more costeffective and practical by using all the available computational resources during test suite selection, prioritization, and execution. Regression test suite prioritization: A technique that attempts to order a regression test suite so that the test cases that are most likely to reveal defects are executed earlier in the regression testing process. Residual test adequacy evaluator: A test evaluation tool that can instrument the program under test to determine the adequacy of a provided test suite. A tool of this nature inserts probes into the program
© 2004 by Taylor & Francis Group, LLC
under test to measure adequacy and can remove these probes once certain test requirements have been covered. Robustness testing/fault injection: A software testing technique that attempts to determine how a software system handles inappropriate inputs. Software testing: The process of assessing the functionality and correctness of a program through execution or analysis. Software verification: The process of ensuring that a program meets its intended specification. Strong mutation adequacy: A test adequacy criterion that requires that the mutant program and the program under test produce different output. This adequacy criterion requires the execution, infection, and propagation of the mutated source locations within the mutant program. Subsumption: A relationship between two test adequacy criterion. Informally, if test adequacy criterion C subsumes C , then C is considered “stronger” than C . Test adequacy evaluation: The measurement of the quality of an existing test suite for a specific test adequacy criterion and a selected program under test. Test case generation: The manual or automatic process of creating test cases for the program under test. Automatic test case generation can be viewed as an attempt to satisfy the constraints imposed by the selected test adequacy criteria. Test case selection: The process of analyzing the program under test, in light of a chosen test adequacy criterion, in order to produce a list of tests that must be provided in order to create a completely adequate test suite. Weak mutation adequacy: A test adequacy criterion that requires that the mutant program and the program under test produce different data states after the mutant is executed. This test adequacy criterion requires the execution and infection of the mutated source locations within the mutant program.
References R.T. Alexander, J.M. Bieman, and J. Viega. Coping with Java programming stress. IEEE Computer, 33(4): 30–38, April 2000. K. Arnold, B. O’Sullivan, R.W. Scheifler, J. Waldo, and A. Wollrath. The Jini Specification. Addison-Wesley, Reading, MA, 1999. M. Balcer, W. Hasling, and T. Ostrand. Automatic generation of test scripts from formal test specifications. In Proceedings of the ACM SIGSOFT Third Symposium on Software Testing, Analysis, and Verification, pages 210–218. ACM Press, 1989. T. Ball. The limit of control flow analysis for regression test selection. In Proceedings of the International Symposium on Software Testing and Analysis, pages 134–142. ACM Press, March 1998. K. Beck. Smalltalk Best Practice Patterns. Prentice Hall, 1997. B. Beizer. Software Testing Techniques. Van Nostrong Reinhold, New York, 1990. R.V. Binder. Testing Object-Oriented Systems: Models, Patterns, and Tools. Addison-Wesley, Boston, MA, 1999. R. Biyani and P. Santhanam. TOFU: Test optimizer for functional usage. Software Engineering Technical Brief, 2(1), 1997. J.P. Bowen and M.G. Hinchley. Ten commandments of formal methods. IEEE Computer, 28(4):56–63, April 1995. F.P. Brooks Jr. The Mythical Man-Month. Addison-Wesley, Reading, MA, 1995. B. Brykczynski. A survey of software inspection checklists. ACM SIGSOFT Software Engineering Notes, 24 (1):82, 1999. M. Chan and S. Cheung. Applying white box testing to database applications. Technical Report HKUSTCS9901, Hong Kong University of Science and Technology, Department of Computer Science, February 1999a.
© 2004 by Taylor & Francis Group, LLC
M. Chan and S. Cheung. Testing database applications with SQL semantics. In Proceedings of the 2nd International Symposium on Cooperative Database Systems for Advanced Applications, pages 363– 374, March 1999b. D. Chays, S. Dan, P. G. Frankl, F. I. Vokolos, and E. J. Weyuker. A framework for testing database applications. In Proceedings of the 7th International Symposium on Software Testing and Analysis, pages 147–157, August 2000. D. Chays and Y. Deng. Demonstration of AGENDA tool set for testing relational database applications. In Proceedings of the International Conference on Software Engineering, pages 802–803, May 2003. D. Chays, Y. Deng, P.G. Frankl, S. Dan, F.I. Vokolos, and E.J. Weyuker. AGENDA: A test generator for relational database applications. Technical Report TR-CIS-2002-04, Department of Computer and Information Sciences, Polytechnic University, Brooklyn, NY, August 2002. B. Choi, A. Mathur, and B. Pattison. PMothra: scheduling mutants for execution on a hypercube. In Proceedings of the Third ACM SIGSOFT Symposium on Software Testing, Analysis, and Verficiation, pages 58–65, December 1989. L.A. Clarke. A system to generate test data symbolically. IEEE Transactions on Software Engineering, 2(3): 215–222, September 1976. L.A. Clarke, A. Podgurski, D.J. Richardson, and S.J. Zeil. A comparison of data flow path selection criteria. In Proceedings of the 8th International Conference on Software Engineering, pages 244–251. IEEE Computer Society Press, 1985. D.M. Cohen, S.R. Dalal, M.L. Fredman, and G.C. Patton. The combinatorial design approach to automatic test generation. IEEE Software, 13(5):83–87, September 1996. D.M. Cohen, S.R. Dalal, M.L. Fredman, and G.C. Patton. The AETG system: an approach to testing based on combinatorial design. IEEE Transactions on Software Engineering, 23(7):437–443, July 1997. B. Daou, R.A. Haraty, and N. Mansour. Regression testing of database applications. In Proceedings of the 2001 ACM Symposium on Applied Computing, pages 285–289. ACM Press, 2001. R.A. DeMillo, D.S. Guindi, W.M. McCracken, A.J. Offutt, and K.N. King. An extended overview of the Mothra software testing environment. In Proceedings of the ACM SIGSOFT Second Symposium on Software Testing, Analysis, and Verficiation, pages 142–151, July 1988. R.A. DeMillo, R. J. Lipton, and F.G. Sayward. Hints on test data selection: help for the practicing programmer. IEEE Computer, 11(4):34–41, April 1978. R.A. DeMillo and A.J. Offutt. Constraint-based automatic test data generation. IEEE Transactions on Software Engineering, 17(9):900–910, September 1991. E.W. Dijkstra. The structure of the THE multiprogramming system. Communications of the ACM, 11(5): 341–346, 1968. E. Duesterwald, R. Gupta, and M.L. Soffa. A demand-driven analyzer for data flow testing at the integration level. In Proceedings of the 18th International Conference on Software Engineering, pages 575–584. IEEE Computer Society Press, 1996. W.K. Edwards. Core Jini. Prentice Hall PTR, Upper Saddle River, NJ, 1999. S. Elbaum, A.G. Malishevsky, and G. Rothermel. Prioritizing test cases for regression testing. In Proceedings of the International Symposium on Software Testing and Analysis, pages 102–112. ACM Press, August 2000. S. Elbaum, G. Rothermel, S. Kanduri, and A.G. Malishevsky. Selecting a cost-effective test case prioritization technique. Technical Report 03-01-01, Department of Computer Science and Engineering, University of Nebraska–Lincoln, January 2003. Y. Endo, Z. Wang, J.B. Chen, and M. Seltzer. Using latency to evaluate interactive system performance. In Proceedings of the Second USENIX Symposium on Operating Systems Design and Implementation, pages 185–199. ACM Press, 1996. D. Epema, M. Livny, R.V. Dantzig, X. Evers, and J. Pruyne. A worldwide flock of Condors: load sharing among workstation clusters. Journal on Future Generations of Computer Systems, 12(1):53–65, December 1996. © 2004 by Taylor & Francis Group, LLC
M. Fagan. Design and code inspections to reduce errors in program development. IBM Systems Journal, 15(3):182–211, 1976. N. Fenton. Software measurement: a necessary scientific basis. IEEE Transactions on Software Engineering, 20(3):199–206, March 1994. R. Ferguson and B. Korel. The chaining approach for software test data generation. ACM Transactions on Software Engineering and Methodology, 5(1):63–86, 1996. M. Fisher, D. Jin, G. Rothermel, and M. Burnett. Test reuse in the spreadsheet paradigm. In Proceedings of the 13th International Symposium on Software Reliability Engineering, Annapolis, MD, November 2002a. M. Fisher, M. Cao, G. Rothermel, C.R. Cook, and M.M. Burnett. Automated test case generation for spreadsheets. In Proceedings of the 24th International Conference on Software Engineering, pages 141–153. ACM Press, 2002b. P.G. Frankl and S. Weiss. An experimental comparison of the effectiveness of branch testing and data flow testing. IEEE Transactions on Software Engineering, 19(8):774–787, August 1993. P.G. Frankl and E.J. Weyuker. An applicable family of data flow testing criteria. IEEE Transactions on Software Engineering, 14(10):1483–1498, October 1988. P.G. Frankl and E.J. Weyuker. A formal analysis of the fault-detecting ability of testing methods. IEEE Transactions on Software Engineering, 19(3):202–213, March 1993. E. Freemen, S. Hupfer, and K. Arnold. JavaSpaces: Principles, Patterns, and Practice. Addison-Wesley, Inc., Reading, MA, 1999. E. Gamma and K. Beck. JUnit: a cook’s tour. 2004. http://www.junit.org/. M. Geller. Test data as an aid in proving program correctness. Communications of the ACM, 21(5):368–375, 1978. A.K. Ghosh, M. Schmid, and F. Hill. Wrapping Windows NT software for robustness. In Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing, June 1999. A.K. Ghosh, M. Schmid, and V. Shah. Testing the robustness of Windows NT software. In Proceedings of the Ninth International Symposium on Software Reliability Engineering, pages 231–235. IEEE Computer Society, November 1998. N. Gupta, A.A. Mathur, and M.L. Soffa. Automated test data generation using an iterative relaxation method. In Proceedings of the 5th ACM SIGSOFT Symposium on the Foundations of Software Engineering, November 1998. N. Gupta, A.P. Mathur, and M.L. Soffa. UNA based iterative test data generation and its evaluation. In Proceedings of the 14th International Conference on Automated Software Engineering, pages 224–232, October 1999. J. Haddox, G.M. Kapfhammer, and C.C. Michael. An approach for understanding and testing third-party software components. In 48th Reliability and Maintainability Symposium, January 2002. J. Haddox, G.M. Kapfhammer, C.C. Michael, and M. Schatz. Testing commercial-off-the-shelf components with software wrappers. In Proceedings of the 18th International Conference on Testing Computer Software, Washington, D.C., June 2001. D. Hamlet. Foundations of software testing: dependability theory. In Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pages 128–139. ACM Press, 1994. D. Hamlet and J. Maybee. The Engineering of Software. Addison-Wesley, Boston, MA, 2001. M. Harder, J. Mellen, and M.D. Ernst. Improving test suites via operational abstraction. In Proceedings of the 24th International Conference on Software Engineering, pages 60–71. IEEE Computer Society Press, 2003. M.J. Harrold and G. Rothermel. Performing data flow testing on classes. In Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pages 154–163. ACM Press, 1994. M.J. Harrold and G. Rothermel. Aristotle: a system for research on and developement of program-analysisbased tools. Technical Report OSU-CISRC-3/97-TR17, The Ohio State University, Department of Computer and Information Science, March 1995. © 2004 by Taylor & Francis Group, LLC
M.J. Harrold and G. Rothermel. A coherent family of analyzable graphical representations for objectoriented software. Technical Report Technical Report OSU-CISRC-11/96-TR60, Department of Computer and Information Sciences, Ohio State University, November 1996. M.J. Harrold and M.L. Soffa. Efficient computation of interprocedural definition-use chains. ACM Transactions on Programming Languages and Systems, 16(2):175–204, 1994. R. Hightower. Java Tools for Extreme Programming: Mastering Open Source Tools, Including Ant, JUnit, and Cactus. John Wiley & Sons, New York, 2001. A.E. Howe, A. von Mayrhauser, and R.T. Mraz. Test case generation as an AI planning problem. Automated Software Engineering: An International Journal, 4(1):77–106, January 1997. C.J. Howell, G.M. Kapfhammer, and R.S. Roos. An examination of the run-time performance of GUI creation frameworks. In Proceedings of the 2nd ACM SIGAPP International Conference on the Principles and Practice of Programming in Java, Kilkenny City, Ireland, June 2003. M. Hutchins, H. Foster, T. Goradia, and T. Ostrand. Experiments of the effectiveness of dataflow- and controlflow-based test adequacy criteria. In Proceedings of the 16th International Conference on Software Engineering, pages 191–200. IEEE Computer Society Press, 1994. IEEE. IEEE Standard Glossary of Software Engineering Terminology. ANSI/IEEE Std 610.12-1990, 1996. D. Jackson. Lecture 17: Case study: JUnit. 2003. http://ocw.mit.edu/6/6.170/f01/lecture-notes/index.html. R.E. Jeffries. Extreme testing. Software Testing and Quality Engineering, March/April 1999. J.-M. Jezequel, D. Deveaux, and Y. Le Traon. Reliable objects: lightweight testing for OO languages. IEEE Software, 18(4):76–83, July/August 2001. C. Kaner, J. Falk, and H.Q. Hguyen. Testing Computer Software. International Thompson Computer Press, London, U.K., 1993. G.M. Kapfhammer. Automatically and transparently distributing the execution of regression test suites. In Proceedings of the 18th International Conference on Testing Computer Software, Washinton, D.C., June 2001. G.M. Kapfhammer and M.L. Soffa. A family of test adequacy criteria for database-driven applications. In Proceedings of the 9th European Software Engineering Conference and the 11th ACM SIGSOFT Symposium on Foundations of Software Engineering. ACM Press, 2003. S. Kim, J.A. Clark, and J.A. McDermid. The rigorous generation of Java mutation operators using HAZOP. In Proceedings of the 12th International Conference on Software and Systems Engineering and their Applications, December 1999. S. Kim, J.A. Clark, and J.A. McDermid. Class mutation: mutation testing for object-oriented programs. In Proceedings of the Object-Oriented Software Systems, Net.ObjectDays Conference, October 2000. P. Koopman and J. DeVale. The exception handling effectiveness of POSIX operating systems. IEEE Transactions on Software Engineering, 26(9):837–848, September 2000. B. Korel. Automated test data generation for programs with procedures. In Proceedings of the International Symposium on Software Testing and Analysis, pages 209–215. ACM Press, 1996. E.W. Krauser, A.P. Mathur, and V.J. Rego. High performance software testing on SIMD machines. IEEE Transactions on Software Engineering, 17(5):403–423, May 1991. N.P. Krop, P.J. Koopman, and D.P. Siewiorek. Automated robustness testing of off-the-shelf software components. In Proceedings of the 28th Fault Tolerant Computing Symposium, pages 230–239, June 1998. O. Laitenberger and C. Atkinson. Generalizing perspective-based inspection to handle object-oriented development artifacts. In Proceedings of the 21st International Conference on Software Engineering, pages 494–503. IEEE Computer Society Press, 1999. Y. Lei and K.C. Tai. In-parameter-order: a test generation strategy for pairwise testing. In Proceedings of the High-Assurance Systems Engineering Symposium, pages 254–261, November 1998. H.K.N. Leung and L.J. White. Insights into regression testing. In Proceedings of the International Conference on Software Maintenance, pages 60–69. IEEE Computer Society Press, October 1989. N.G. Leveson. Safeware: System safety and computers. Addison-Wesley, Reading, MA, September 1995. © 2004 by Taylor & Francis Group, LLC
Y.-S. Ma, Y.-R. Kwon, and J. Offutt. Inter-class mutation operators for Java. In Proceedings of the Twelfth International Symposium on Software Reliability Engineering, November 2002. B. Marick. When should a test be automated? In Proceedings of the 11th International Quality Week Conference, San Francisco, CA, May 26–29, 1998. B. Marick. How to misuse code coverage. In Proceedings of the 16th Interational Conference on Testing Computer Software, June 1999. A.M. Memon. A Comprehensive Framework for Testing Graphical User Interfaces. Ph.D. thesis, University of Pittsburgh, Department of Computer Science, 2001. A.M. Memon. GUI testing: pitfalls and process. IEEE Computer, 35(8):90–91, August 2002. A.M. Memon, M.E. Pollack, and M.L. Soffa. Using a goal-driven approach to generate test cases for GUIs. In Proceedings of the 21st International Conference on Software Engineering, pages 257–266. IEEE Computer Society Press, 1999. A.M. Memon, M.E. Pollock, and M.L. Soffa. Heirarchical GUI test case generation using automated planning. IEEE Transactions on Software Engineering, 27(2):144–155, 2001a. A.M. Memon, M.L. Soffa, and M.E. Pollack. Coverage criteria for GUI testing. In Proceedings of the 8th European Software Engineering Conference and the 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 256–267. ACM Press, 2001b. C.C. Michael, G. McGraw, and M. Schatz. Generating software test data by evolution. IEEE Transactions on Software Engineering, 27(12):1085–1110, December 2001. B. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of operating system utilities. Communications of the ACM, 33:32–44, December 1990. B. Miller, D. Koski, C. Lee, V. Maganty, A. Natarajan, and J. Steidl. Fuzz revisited: a re-examiniation of the reliability of UNIX utilities and services. Technical Report 1268, University of Wisconsin–Madison, May 1998. L.J. Morell. A theory of fault-based testing. IEEE Transactions on Software Engineering, 16(8):844–857, 1990. B.A. Myers and M.B. Rosson. Survey on user interface programming. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 195–202. ACM Press, 1992. R. Neapolitan and K. Naimipour. Foundations of Algorithms. Jones and Bartlett Publishers, Boston, MA, 1998. F. Nielson, H.R. Nielson, and C. Hankin. Principles of Program Analysis. Springer-Verlag, Berlin, Germany, 1999. S.C. Ntafos. A comparison of some structural testing strategies. IEEE Transactions on Software Engineering, 14(6):868–874, June 1988. A.J. Offutt, A. Lee, G. Rothermel, R.H. Untch, and C. Zapf. An experimental determination of sufficient mutant operators. ACM Transactions on Software Engineering and Methodology, 5(2):99–118, 1996. A.J. Offutt, G. Rothermel, and C. Zapf. An experimental evaluation of selective mutation testing. In Proceedings of the 15th International Conference on Software Engineering, pages 100–107, May 1993. A.J. Offutt, R. Alexander, Y. Wu, Q. Xiao, and C. Hutchinson. A fault model for subtype inheritance and polymorphism. In Proceedings of the Twelfth International Symposium on Software Reliability Engineering, pages 84–95, November 2001. A. K. Onoma, W.-T. Tsai, M. Poonawala, and H. Suganuma. Regression testing in an industrial environment. Communications of the ACM, 41(5):81–86, 1998. T.J. Ostrand and M.J. Balcer. The category-partition method for specifying and generating fuctional tests. Communications of the ACM, 31(6):676–686, 1988. A. Parrish and S.H. Zweben. Software test data adequacy properties. IEEE Transactions on Software Engineering, 17(6):565–581, June 1991. A.S. Paul. SAGE: A static metric for testability under the PIE model. Technical Report 96-5, Allegheny College, Department of Computer Science, 1996. © 2004 by Taylor & Francis Group, LLC
C. Pavlopoulou and M. Young. Residual test coverage monitoring. In Proceedings of the 21st International Conference on Software Engineering, pages 277–284. IEEE Computer Society Press, 1999. B. Pettichord. Seven steps to test automation success. In Proceedings of the International Conference on Software Testing, Analysis, and Review, San Jose, CA, November 1999. C.V. Ramamoorty, S.F. Ho, and W.T. Chen. On the automated generation of program test data. IEEE Transactions on Software Engineering, 2(4):293–300, December 1976. S. Rapps and E.J. Weyuker. Data flow analysis techniques for test data selection. In Proceedings of the 6th International Conference on Software Engineering, pages 272–278. IEEE Computer Society Press, 1982. S. Rapps and E.J. Weyuker. Selecting software test data using data flow information. IEEE Transactions on Software Engineering, 11(4), April 1985. D. Richardson, O. O’Malley, and C. Tittle. Approaches to specification-based testing. In Proceedings of the ACM SIGSOFT Third Symposium on Software Testing, Analysis, and Verification, pages 86–96. ACM Press, 1989. G. Rothermel and M.J. Harrold. A framework for evaluating regression test selection techniques. In Proceedings of the Sixteenth International Conference on Software Engineering, pages 201–210. IEEE Computer Society Press, May 1994. G. Rothermel and M.J. Harrold. Analyzing regression test selection techniques. IEEE Transactions on Software Engineering, 22(8):529–551, August 1996. G. Rothermel and M.J. Harrold. A safe, efficient regression test selection technique. ACM Transactions on Software Engineering and Methodology, 6(2):173–210, April 1997. G. Rothermel and M.J. Harrold. Empirical studies of a safe regression test selection technique. IEEE Transactions on Software Engineering, 24(6):401–419, June 1998. G. Rothermel, L. Li, and M. Burnett. Testing strategies for form-based visual programs. In Proceedings of the 8th International Symposium on Software Reliability Engineering, pages 96–107, Albuquerque, NM, November 1997. G. Rothermel, R.H. Untch, C. Chu, and M.J. Harrold. Test case prioritization: an empirical study. In Proceedings of the International Conference on Software Maintenance, pages 179–188, August 1999. G. Rothermel, R.H. Untch, C. Chu, and M.J. Harrold. Prioritizing test cases for regression testing. IEEE Transactions on Software Engineering, 27(10):929–948, October 2001a. G. Rothermel, M. Burnett, L. Li, C. Dupuis, and A. Sheretov. A methodology for testing spreadsheets. ACM Transactions on Software Engineering and Methodology, 10(1):110–147, January 2001b. K.J. Rothermel, C.R. Cook, M.M. Burnett, J. Schonfeld, T.R.G. Green, and G. Rothermel. WYSIWYT testing in the spreadsheet paradigm: an empirical evaluation. In Proceedings of the 22nd International Conference on Software Engineering, pages 230–239. ACM Press, 2000. A. Sears. Layout appropriateness: a metric for evaluating user interface widget layout. IEEE Transactions on Software Engineering, 19(7):707–719, 1993. F. Shull, I. Rus, and V. Basili. Improving software inspections by using reading techniques. In Proceedings of the 23rd International Conference on Software Engineering, pages 726–727. IEEE Computer Society, 2001. I. Sommerville. Software Engineering. Addison-Wesley, 6th edition, August 2000. J. Steven, P. Chandra, B. Fleck, and A. Podgurski. jRapture: a capture/replay tool for observation-based testing. In Proceedings of the International Symposium on Software Testing and Analysis, pages 158– 167. ACM Press, 2000. T. Tsai and R. Iyer. Measuring fault tolerance with the FTAPE fault injection tool. In Proceedings of the 8th International Conference on Modeling Techniques and Tools for Computer Performance Evaluation, pages 26–40, 1995. T. K. Tsai and N. Singh. Reliability testing of applications on Windows NT. In Proceedings of the International Conference on Dependable Systems and Networks, New York City, June 2000. © 2004 by Taylor & Francis Group, LLC
R. Vall´ee-Rai, L. Hendren, V. Sundaresan, P. Lam, E. Gagnon, and P.Co. Soot — a Java optimization framework. In Proceedings of CASCON 1999, pages 125–135, 1999. J.M. Voas. PIE: a dynamic failure-based technique. IEEE Transactions on Software Engineering, 18(8): 717–735, 1992. F. Vokolos and P. Frankl. Pythia: a regression test selection tool based on textual differencing. In Third International Conference of Reliability, Quality, and Safety of Software Intensive Systems, May 1997. E.J. Weyuker. Axiomatizing software test data adequacy. IEEE Transactions on Software Engineering, (12): 1128–1138, December 1986. E.J. Weyuker, S.N. Weiss, and D. Hamlet. Comparison of program testing strategies. In Proceedings of the Symposium on Testing, Analysis, and Verification, pages 1–10. ACM Press, 1991. J.A. Whittaker. What is software testing? and why is it so hard? IEEE Software, 17(1):70–76, January/ February 2000. J.A. Whittaker and J.M. Voas. Toward a more reliable theory of software reliability. IEEE Computer, 32(12): 36–42, December 2000. W.E. Wong, J.R. Horgan, S. London, and H. Agrawal. A study of effective regression testing in practice. In Proceedings of the 8th International Symposium on Software Reliability Engineering, pages 230–238, November 1997. M. Young and R.N. Taylor. Rethinking the taxonomy of fault detection techniques. In Proceedings of the 11th International Conference on Software Engineering, pages 53–62. ACM Press, 1989. H. Zhu, P.A.V. Hall, and J. H.R. May. Software unit test coverage and adequacy. ACM Computing Surveys, 29(4):366–427, 1997.
Further Information Software testing and analysis is an active research area. The ACM/IEEE International Conference on Software Engineering, the ACM SIGSOFT Symposium on the Foundations of Software Engineering, the ACM SIGSOFT International Symposium on Software Testing and Analysis, and the ACM SIGAPP Symposium on Applied Computing’s Software Engineering Track are all important forums for new research in the areas of software engineering and software testing and analysis. Other important conferences include IEEE Automated Software Engineering, IEEE International Conference on Software Maintenance, the IEEE International Symposium on Software Reliability Engineering, the IEEE/NASA Software Engineering Workshop, and the IEEE Computer Software and Applications Conference. There are also several magazines and journals that provide archives for important software engineering and software testing research. The IEEE Transactions on Software Engineering and the ACM Transactions on Software Engineering and Methodology are two noteworthy journals that often publish software testing papers. Other journals include Software Testing, Verification, and Reliability; Software: Practice and Experience; Software Quality Journal, Automated Software Engineering: An International Journal, and Empirical Software Engineering: An International Journal. Magazines that publish software testing articles include Communications of the ACM, IEEE Software, IEEE Computer, and Better Software (formerly known as Software Testing and Quality Engineering). ACM SIGSOFT also sponsors the bi-monthly newsletter called Software Engineering Notes.
© 2004 by Taylor & Francis Group, LLC
106 Formal Methods 106.1 106.2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106-1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106-1 Formal Methods
106.3
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106-3 Specification Languages
106.4
•
Modeling Systems
•
Conclusion
A Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106-6 Basic Types • Abbreviation Definitions • Generic Definitions • Abstract System State • Operations • Error Conditions • Status Operations • Conclusion
Jonathan P. Bowen London South Bank University
Michael G. Hinchey NASA Goddard Space Flight Center
106.5 106.6
Technology Transfer and Research Issues . . . . . . . . . . 106-13 Glossary of Z Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 106-14 Names • Definitions • Logic • Sets and Expressions • Relations • Functions • Numbers • Sequences • Bags • Schema Notation • Conventions
106.1 Introduction Computers do not make mistakes, or so we are told. However, computer software is written by, and hardware systems are designed and assembled by, humans, who certainly do make mistakes. Errors in a computer system can occur as a result of misunderstood or contradictory requirements, unfamiliarity with the problem, or simply human error during design or coding of the system. Alarmingly, the costs of maintaining software — the costs of rectifying errors and adapting the system to meet changing requirements or changes in the environment of the system — greatly exceed the original implementation costs. As computer systems are being used increasingly in safety-critical applications — that is, systems where a failure could result in the loss of human life, mass destruction of property, or significant financial loss — both the media (e.g., Gibbs [1994]) and various regulatory bodies involved with standards, especially covering safety-critical and security applications (e.g., see Bowen and Stavridou [1993]), have considered formal methods and their role in the specification and design phases of system development.
106.2 Underlying Principles There may be some confusion over what is meant by a “specification” and a “model.” Parnas [1995] differentiates between specification and descriptions or models as follows: r A description is a statement of some of the actual attributes of a product, or a set of products. r A specification is a statement of properties required of a product, or a set of products. r A model is a product, neither a description nor a specification. Often it is a product that has some,
but not all, of the properties of some “real product.”
© 2004 by Taylor & Francis Group, LLC
Others use the terms specification and model more loosely; a model can sometimes be used as a specification. The process of developing a specification into a final product is one in which a model can be used along the way or even as a starting point.
106.2.1 Formal Methods Over the past 50 years, computer systems have increased rapidly in terms of both size and complexity. As a result, it is both naive and dangerous to expect a development team to undertake a project without stating clearly and precisely what is required of the system. This is done as part of the requirements specification phase of the software life cycle, the aim of which is to describe what the system is to do, rather than how it will do it. The use of natural language for the specification of system requirements tends to result in ambiguity and requirements that may be mutually exclusive. Formal methods have evolved in an attempt to overcome such problems, by employing discrete mathematics to describe the function and architecture of a hardware or software system, and various forms of logic to reason about requirements, their interactions, and validity. The term formal methods is itself misleading; it originates from formal logic but is now used in computing to refer to a plethora of mathematically-based activities. For our purposes, a formal method consists of notations and tools with a mathematical basis that are used to unambiguously specify the requirements of a computer system and that support the proof of properties of this specification and proofs of correctness of an eventual implementation with respect to the specification. Indeed, it is true to say that so-called “formal methods” are not so much methods as formal systems. Although the popular formal methods provide a formal notation, or formal specification language, they do not adequately incorporate many of the methodological aspects of traditional development methods. Even the term formal specification is open to misinterpretation by different groups of people. Two alternative definitions for “formal specification” are given in a glossary issued by the IEEE [1991]: 1. A specification written and approved in accordance with established standards. 2. A specification written in a formal notation, often for use in proof of correctness. In this chapter we adopt the latter definition, which is the meaning assumed by most formal methods users. The notation employed as part of a formal method is “formal,” in that it has mathematical semantics so that it can be used to express specifications in a clear and unambiguous manner and allow us to abstract from actual implementations to consider only the salient issues. This is something that many programmers find difficult to do because they are used to thinking about implementation issues in a very concrete manner. While programming languages are formal languages, they are generally not used in formal specification, as most languages do not have full formal semantics, and they force us to address implementation issues before we have a clear description of what we want the system to do. Instead, we use the language of mathematics, which is universally understood, well established in notation, and, most importantly, enables the generalization of a problem so that it can apply to an unlimited number of different cases [Dijkstra 1981]. Here we have the key to the success of formal specification — one must abstract away from the details of the implementation and consider only the essential relationships of the data, and we can model even the most complex systems using simple mathematical objects: for example, sets, relations, functions, etc. At the specification phase, the emphasis is on clarity and precision, rather than efficiency. Eventually, however, one must consider how a system can be implemented in a programming language that, in general, will not support abstract mathematical objects (functional programming languages are an exception) and will be efficient enough to meet agreed requirements and concrete enough to run on the available hardware configuration. As in structured design methods, the formal specification must be translated to a design — a clear plan for implementation of the system specification — and eventually into its equivalent in a programming language. This approach is known as refinement [Back and von Wright 1998, Sekerinski and Sere 1999]. © 2004 by Taylor & Francis Group, LLC
The process of data refinement involves the transition from abstract data types such as sets, sequences, and mappings to more concrete data types such as arrays, pointers, and record structures, and the subsequent verification that the concrete representation can adequately capture all of the data in the formal specification. Then, in a process known as operation refinement, each operation must be translated so that it operates on the concrete data types. In addition, a number of proof obligations must be satisfied, demonstrating that each concrete operation is indeed a “refinement” of the abstract operation — that is, performing at least the same functions as the abstract equivalent, but more concretely, more efficiently, involving less nondeterminism, etc. Many specification languages have relatively simple underlying mathematical concepts involved. For example, the Z (pronounced “zed”) notation [Spivey 1992, ISO 2002] is based on (typed) set theory and first-order predicate logic, both of which could be taught at school level. The problem is that many software developers do not currently have the necessary education and training to understand these basic principles, although there have been attempts to integrate suitable courses into university curricula [Almstrum et al. 2001, Bjørner and Cu´ellar 1999, Bowen 2001, Garlan 1995]. It is important for students who intend to become software developers to learn how to abstract away from implementation detail when producing a system specification. Many find this process of abstraction a difficult skill to master. It can be useful for reverse engineering as part of the software maintenance process, to produce a specification of an existing system that requires restructuring. Equally important is the skill of refining an abstract specification toward a concrete implementation, in the form of a program for development purposes [Morgan 1994]. The process of refinement is often carried out informally because of the potentially high cost of fully formal refinement. Given an implementation, it is theoretically possible, although often intractable, to verify that it is correct with respect to a specification, if both are mathematically defined. More usefully, it is possible to validate a formal specification by formulating required or expected properties and formally proving, or at least informally demonstrating, that these hold. This can reveal omissions or unexpected consequences of a specification. Verification and validation are complementary techniques, both of which can expose errors.
106.3 Best Practices Technology transfer (e.g., see Craigen et al. [1995] and Caldwell [1998]) has always been an issue with formal methods, largely because of the significant training and expertise that is necessary for their use. Most engineering disciplines accept mathematics as the underpinning foundations, to allow calculation of design parameters before the implementation of a product [Hoare 1996b]. However, software engineers have been somewhat slow to accept such principles in practice, despite the very mathematical nature of all software. This is partly because it is possible to produce remarkably reliable systems without using formal methods [Hoare 1996a]. In any case, the use of mathematics for software engineering is a matter of continuing debate [Tremblay 2000]. However, there are now well-documented examples of cases in which a formal approach has been taken to develop significant systems in a beneficial manner, examples which are easily accessible by professionals (e.g., see Hinchey and Bowen [1995, 1999], Hall [1996], and Larsen et al. [1996]). Formal methods, including formal specification and modeling, should be considered as one of the possible techniques to improve software quality, where it can be shown to do this cost-effectively. In fact, just using formal specification within the software development process has been shown to have benefits in reducing the overall development cost [Bowen and Stavridou 1993]. Costs tend to increase early in the life cycle, but are reduced later on at the programming, testing, and maintenance stages, where correction of errors is far more expensive. An early and widely publicized example was the IBM CICS (Customer Information Control System) project, where Z was used to specify a portion of this large transaction processing system with an estimated 9% reduction in development costs [Houston and King 1991]. There were approximately half the usual number of errors discovered in the software, leading to increased software quality. © 2004 by Taylor & Francis Group, LLC
Writing a good specification is something that comes only with practice, despite the existence of guidelines. However, there are some good reasons why a mathematical approach might be beneficial in producing a specification, including: Precision. Natural language and diagrams can be very ambiguous. A mathematical notation allows the specifier to be very exact about what is specified. It also allows the reader of a specification to identify properties, problems, etc., that may not be obvious otherwise. Conciseness. A formal specification, although precise, is also very concise compared with an equivalent high-level language program, which is often the first formalization of a system produced if formal methods are not used. Such a specification can be an order of magnitude smaller than the program that implements it, and hence is that much easier to comprehend. Abstraction. It is all too easy to become bogged down in detail when producing a specification, making it very confusing and obscure to the reader. A formal notation allows the writer to concentrate on the essential features of a system, ignoring those that are implementation details. However, this is perhaps one of the most difficult skills in producing a specification. Reasoning. Once a formal specification is available, mathematical reasoning is possible to aid in its validation. This is also useful for discussing implications of features, especially within a team of designers. A design team that understands a particular formal specification notation can benefit from the above improvements in the specification process. It should be noted that much of the benefit of a formal specification derives from the process of producing the specification, as well as the existence of the formal specification after this [Hall 1990].
106.3.1 Specification Languages The choice of specification language is likely influenced by many factors: previous experience, availability of tools, standards imposed by various regulatory bodies, and the particular aspects that must be addressed by the system in question. Another consideration is the degree to which a specification language is executable. This is the subject of some dispute, and the reader is directed elsewhere for a discussion of this topic [Hayes and Jones 1989, Fuchs 1992, Bowen and Hinchey 1999]. Indeed, the development of any complex system is likely to require the use of multiple notations at different stages in the process and to describe different aspects of a system at various levels of abstraction [Hoare 1987]. As a result, over the past 25 years, the vast majority of mainstream formal methods have been extended and re-interpreted to address issues of concurrency [Hoare 1985, Milner 1989], real-time behavior [Joseph 1996], and object orientation [Duke and Rose 2000, Smith 2000]. There is always, necessarily, a certain degree of trade-off between the expressiveness of a specification language and the levels of abstraction that it supports [Wing 1990]. While certain languages may have wider “vocabularies” and constructs to support the particular situations with which we wish to deal, they are likely to force us toward particular implementations; while they will shorten a specification, they will make it less abstract and more difficult for reasoning [Bowen and Hinchey, 1995a]. Formal specification languages can be divided into essentially three classes: 1. Model-oriented approaches as exemplified by ASM (Abstract State Machines) [B¨orger and St¨ark 2003]; B-Method [Abrial 1996, Bicarregui et al. 1997, Schneider 2001]; RAISE (Rigorous Approach to Industrial Software Engineering) [RAISE Language Group 1992, Dang Van et al. 2002]; VDM (Vienna Development Method) [Jones 1991, ISO 1996]; and the Z notation [Spivey 1992, ISO 2002]. These approaches involve the derivation of an explicit model of the system’s desired behavior in terms of abstract mathematical objects. 2. Property-oriented approaches using axiomatic semantics (such as Larch [Guttag 1993]), which use first-order predicate logic to express preconditions and postconditions of operations over abstract data types, and algebraic semantics (such as the OBJ family of languages including CafeOBJ © 2004 by Taylor & Francis Group, LLC
[Diaconescu and Futatsugi 1998, Futatsugi et al. 2000]), which are based on multisorted algebras and relate properties of the system in question to equations over the entities of the system. 3. Process algebras such as CSP (Communicating Sequential Processes) [Hoare 1985, Schneider 1999] and CCS (Calculus of Communicating Systems) [Milner 1989, Bruns 1996], which have evolved to meet the needs of concurrent, distributed, and real-time systems, and which describe the behavior of such systems by describing their algebras of communicating processes. Unfortunately, it is not always possible to classify a formal specification language in just one of the categories above. LOTOS (Language Of Temporal Ordering Specifications) [ISO 1989, Turner 1993], for example, is a combination of ACT ONE and CCS. While it can be classified as an algebraic approach, it also exhibits many properties of a process algebra. Similarly, the RAISE development method is based on extending a model-based specification language (specifically, VDM-SL) with concurrent and temporal aspects. As well as the basic mathematics, a specification language should also include facilities for structuring large specifications. Mathematics alone is all very well in the small, but if a specification is a thousand pages long (and formal specifications of this length exist), there must be aids to organize the inevitable complexity. Z provides the schema notation for this purpose, which packages the mathematics so that it can be subsequently reused in the specification. A number of schema operators, many matching logical connectives, allow recombination in a flexible manner. A formal specification should also include an informal explanation to put the mathematical description into context and help the reader understand the mathematics. Ideally, the natural language description should be understandable on its own, although the formal text is the final arbiter as to the meaning of the specification. As a rough guide, the formal and informal descriptions should normally be of approximately the same length. The use of mathematical terms should be minimized, unless explanations are being included for didactic purposes. Formal methods have proved useful in embedded systems and control systems (e.g., see Tiwari et al. [2003] and Tretmans et al. [2001]). Synchronous languages, such as Esterel, Lustre and Signal, have also been developed for reactive systems requiring continuous interaction with their environment [Benveniste et al. 2003]. Specialist and combined languages may be needed for some systems. More recently, hybrid systems [Davoren and Nerode 2000, Lee and Cha 2000] extend the concept of real-time systems [Fidge et al. 1997]. In the latter, time must be considered, possibly as a continuous variable. In hybrid systems, the number of continuous variables may be increased. This is useful in control systems where a digital computer is responding to real-world analog signals. More visual formalisms, such as Statecharts [Harel 1987], are available and are appealing for industrial use, with associated STATEMENT tool support [Harel and Politi 1998] that is now part of the widely used Unified Modeling Language (UML). However, the reasoning aspects and the exact semantics are less well-defined. Some specification languages, such as SDL (Specification and Design Language) [Turner 1993], provide particularly good commercial tool support, which is very important for industrial use. There have been many attempts to improve the formality of the various structural design notations in widespread use [Semmens et al. 1992, Bowen and Hinchey 1999]. UML includes the Object Constraint Language (OCL) developed by IBM [Warmer and Kleppe 1998], an expression language that allows constraints to be formalized, but this part of UML is underutilized with no tool support in most major commercial UML tools and is only a small part of UML in any case. Object orientation is an important development in programming languages that has also be reflected in specification languages. For example, Object-Z is an object-oriented version of the Z notation that has gained some acceptance [Smith 2000, Duke and Rose 2000, Derrick and Boiten 2001]. More recently, the Perfect Developer tool has been developed by Escher Technologies Limited to refine formal specifications to object-oriented programming languages such as Java.
106.3.2 Modeling Systems As previously discussed, the difference between specification and modeling is open to some debate. Different specification languages emphasize and allow modeling to different extents. Algebraic specification © 2004 by Taylor & Francis Group, LLC
eschews the modeling approach, but other specification languages such as Z and VDM actively encourage it. Some styles of modeling have been formulated for specific purposes. For example, Petri nets may be applied in the modeling of concurrent systems using a specific diagrammatic notation that is quite easily formalizable. The approach is appealing but the complexity can become overwhelming. Features such as deadlock are detectable but full analysis can be intractable in practice because the problem of scaling is not well addressed. Mathematical modeling allows reasoning about (some parts of) a system of interest. Here, aspects of the system are defined mathematically, allowing the behavior of the system to be predicted. If the prediction is correct, this reinforces confidence in the model. This approach is familiar to many scientists and engineers. Executable models allow rapid prototyping of systems [Fuchs 1992]. A very high-level programming language such as a functional program or a logic program (which have mathematical foundations) can be used to check the behavior of the system. Rapid prototyping can be useful in demonstrating a system to a customer before the expensive business of building the actual system is undertaken. Again, scientists and engineers are used in carrying out experiments using such models. A branch of formal methods known as model checking allows systems to be tested exhaustively [Grumberg et al. 2000, B´erard et al. 2001]. Most computer-based systems are far too complicated to test completely because the number of ways the system could be used is far too large. However, a number of techniques, Binary Decision Diagrams (BDDs) for example, allow relatively efficient checking of significant systems, especially for hardware [Kropf 2000]. An extension of this technique, known as symbolic model checking, allows even more generality to be introduced. Mechanical tools exist to handle BDDs and other model-checking approaches efficiently. SPIN is one of the leading general model-checking tools that is widely used [Holzmann 2003]. A more specialist tool based on CSP [Hoare 1985], known as FDR (Failure Divergence Refinement), from Formal Systems (Europe) Ltd., allows model checking to be applied to concurrent systems that can be specified in CSP.
106.3.3 Conclusion Driving forces for best practice include standards, education, training, tools, available staff, certification, accreditation, legal issues, etc. [Bowen and Stavridou 1993]. A full discussion of these is outside the scope of this chapter. Aspects of best practice for specification and modeling depend significantly on the selected specification notation. One of the more popular formal specification notations used in industry is Z. To illustrate the way in which this notation is typically used, a case study using Z is presented in the next section. This demonstrates both some of the underlying principles and best practice when employing Z for specification and modeling.
106.4 A Case Study The Z notation [Spivey 1992, ISO 2002] is one of the most widely used formal specification languages and is normally used in a modeling style. An abstract state is first formulated, and then operations on that state are specified. In this section we present a case study using Z to illustrate this style of specification. The example does not exhaustively present the features of Z, but gives a flavor of the style of presentation of a typical Z specification, with extra informal explanation on the notation and conventions where required. Z constructs are introduced as the example is presented and a glossary of Z notation is provided at the end of the chapter for the convenience of the reader. A basic understanding of set theory and logic will help in understanding the specification. Window management systems are now used extensively for user interfaces to computer systems. The specification given here is of a (fictitious) window system. For more realistic examples of some implemented systems presented in Z, see Bowen [1996], especially section VI, which includes some actual windows systems, such as the X window system. © 2004 by Taylor & Francis Group, LLC
106.4.1 Basic Types Z is a typed language that allows a certain amount of consistency checking by a mechanical typechecker. However, the only predefined type is the set of integers, denoted Z. Further types must be defined for a particular specification. These basic types (also known as given sets) may be introduced as follows: [Position, Value ] This provides a set of pixel (picture element) positions (e.g., coordinates on a screen), together with possible pixel values (e.g., colors). Note that we are no more specific than this in the specification presented here. It is important not to introduce irrelevant implementation details into a specification because this restricts the eventual implementer of the system and clutters the specification with information that is not required at a high level of abstraction.
106.4.2 Abbreviation Definitions It is often useful to include definitions in a specification for commonly used concepts. This helps reduce the size of the specification and introduces important concepts to the reader in one place, allowing them to be used later within the specification. Pixel maps, relating pixels to their associated values, are an integral part of most window systems. In fact, each pixel has, at most, one value (assuming it is defined), so we can model a pixel map as a partial function from pixel positions to their values: + Value Pixmap == Position →
106.4.3 Generic Definitions Z has its own library of “tool-kit” operators, formally defined in terms of more basic mathematical concepts, as presented in Spivey [1992]. Sometimes it is helpful to extend this library with further generic definitions that can be used to define a family of generic constants, applicable to a variety of basic types. Such definitions may be useful for other specifications as well as the one being constructed, allowing reuse of specification components. For example, a sequence of pixel maps can be overlaid in the order given by the sequence to produce a new pixel map. An operator to do this could equally well apply to other partial functions as well as pixel maps, so we can define it generically, using a “distributed overriding” operator: [P , V ] + V ) → (P → + V) ⊕/ : seq (P →
⊕/ = ∅ + V • ⊕/ p = p ∀P : P → + V ) • ⊕/(s t) = (⊕/s ) ⊕ (⊕/t) ∀ S , t : seq (P → Here, the base cases for the empty sequence and a singleton sequence p are considered, followed by the more general case of two arbitrary sequences concatenated together s t. Distributed overriding is particularly useful for the specification presented here in specifying the view on a screen of a display, given a sequence of possibly overlapping pixel maps. Z tool-kit operators normally have a number of laws associated with them that are helpful in reasoning about specifications. For example, the following law applies for the distributed overriding operator: p1 , p2 : Pixmap ⊕/ p1 , p2 = p1 ⊕ p2 © 2004 by Taylor & Francis Group, LLC
Such laws must be proved from the original definition; for example, in this case: ⊕/ p1 , p2 = ⊕/( p1 p2 )
[property of ]
= (⊕/ p1 ) ⊕ (⊕/ p2 ) = p1 ⊕ p2
[by the general case definition] [by the second base case definition, substituting twice]
If the windows in a sequence overlap, it is useful to be able to move selected windows so that their contents can be viewed (or hidden). This is analogous to stuffing a pile of sheets of paper (windows) on a desk (screen). Note that the sheets of paper may be of different sizes and in different positions on the desk. For example, the following function can be used to move a selected window number in the sequence (if it exists) to the top of the pile (i.e., the end of the sequence). This can also be defined generically: [W] top : N → seq W → seq W s ) s (n) else s
∀n : N, s : seq W• top ns = if n ∈ dom s then squash ({n}
If the window number n is in the sequence of windows s , then it is removed from the sequence (by eliminating that element and squashing the resulting function back into a sequence). This element is then concatenated to the end of the sequence. If the window number is not valid, the sequence of windows is unaffected. The exact technical details require some knowledge of Z, but the above example illustrates the fact that important concepts can be captured formally using relatively short definitions. In this simple example, we ignore the complication of window identifiers. We simply use the position of the window in the sequence to identify it, assuming that the user of the system keeps track of which window is which.
106.4.4 Abstract System State The window display can be modeled as a sequence of windows against a background “window” that is the size of the display screen itself. The order of the sequence defines which windows are on top in the case of overlapping windows, in ascending order. Only parts of windows that are contained within the background area are displayed. SYS windows : seq Pixmap screen, background : Pixmap
screen = background ⊕ (dom background
⊕ /windows)
In the specification of the abstract state above, the components windows (a sequence of pixel maps), screen (as displayed to the user), and background (the display if no windows are present) are packaged together in a schema box called SYS. The declarations with their associated type information are above the line and predicates defining constraints between these components are (optionally) included below the line. Here, what appears on the display screen is defined in terms of the background pixel map overridden by the sequence of windows in the system, constrained to the background area as defined by its domain of pixel positions. The screen area is the same as the background area. This can be formalized as follows: SYS dom screen = dom background © 2004 by Taylor & Francis Group, LLC
It is useful to prove such properties correct, either informally, even just mentally, or formally, in order to validate that the specification behaves as expected. Discovering that an expected property does not hold might expose an error in a specification, perhaps in the form of an extra constraint that is required but has been omitted. Note that the user can only see the display screen. We can specify this view formally by hiding (existentially quantifying) other components in the SYS schema to produce a new View schema, defined horizontally: View = SYS \ (windows, background ) Initially there are no windows in the system: InitSYS = [SYS | windows = ] It is important to define the initial state and also to ensure that it exists (otherwise, the system cannot start to operate). The state at initialization normally consists of the abstract state for the system with some extra constraints. By including SYS in the definition above, all the components in SYS are defined, with the extra decoration added to each component name. The prime (or dash) is used by convention in Z to indicate the state after an operation. Here we are interested in the state after initialization. Again, we can formulate a property to check that our intuition about the specification is correct: InitSYS screen = background That is, the screen display at initialization should consist of just the background. Next we can define general properties about the change of state for operations on the system. By convention in Z, (“delta”) is used to indicate a change of state where both an unprimed before state SYS (for example) and a primed after state (e.g., SYS ) are defined: SYS = [SYS ; SYS | background = background ] Here we have added the extra constraint that the background never changes for any operation. This means that we do not have to consider and define this for each individual operation that uses SYS subsequently, because the predicate background = background is automatically included (conjoined) with any other predicates that are defined. Note that if the before and after states are not related in an operation scheme, then the after state can take on any value. This is the opposite of most programming languages, where unreferenced variables retain their values by default. However, this style is useful in specifications because it allows nondeterminism to be included easily, where more than one outcome of an operation is allowed. Eventually, of course, the implementer will have to choose a particular outcome; but if the choice is not important at the specification level, then leaving the options open gives the implementer a greater choice, possibly allowing different optimization strategies in different implementations of the same specification. Some operations may leave the state of the system unchanged, for example during a status operation or if an error in the input is detected. Here, the (“xi”) convention is used in Z: SYS = [SYS | SYS = SYS ] The predicate SYS = SYS is a shorthand way of ensuring that the tuple formed from all the SYS components is the same as that formed from all the primed SYS components. © 2004 by Taylor & Francis Group, LLC
106.4.5 Operations To use the system, we must have the ability to create windows. These are created on top of all the existing windows. We specify that they must fit within the display background: AddWindows0 SYS window? : Pixmap dom window? ⊆ dom background windows = windows window? In the definition above, the SYS component automatically includes all the SYS and SYS (unprimed before and primed after state) components, together with the constraint that the background remains unchanged. The window? component is an input (as indicated by the Z convention of the added “?”). A precondition for the operation is that the window area must be contained within (i.e., be a subset of) the background area. If this is so, then the sequence of windows after the operation has the required window concatenated to it. This means that the window appears on top of any other windows already in the system. Note that, by default, predicates on separate lines in a schema are conjoined using “∧.” The ability to update windows is very useful. This may involve changing the size of the window or its contents, or moving it about the screen. Again, the updated window must still fit within the display area. Update Window0 SYS which? : N window? : Pixmap which? ∈ dom windows dom window? ⊆ dom background windows = windows ⊕ {which? → window?} Here, two inputs are provided — both which window number is to be updated and the new value for the window. The window to be updated must already be in the system and, as for the AddWindow 0 schema, the new window must be within the background for the update to be successful. The sequence of windows is overridden with a new entry for the selected window. It is desirable to be able to uncover a window that may be partially or even totally obscured by other windows. This can be done by moving the window to the end of the sequence of displayed windows: ExposeWindow0 SYS which? : N which? ∈ dom windows windows = top which? windows Sometimes it is useful to simply rotate the order of the displayed windows, one at a time, moving the bottommost window to the top. RotateWindows0 SYS windows = windows = top 1 windows Note that sequences are numbered from one updates in Z. © 2004 by Taylor & Francis Group, LLC
We also wish to be able to delete windows. For instance, we could delete the topmost window (the last window in the sequence): RemoveTop0 SYS windows = windows = front windows Alternatively, we may wish to specify which window is to be removed: RemoveWindow0 SYS which? : N windows)
which? ∈ dom windows windows = squash({which?}
The above schema definitions give a flavor of the way operations are typically presented in a Z specification. They are intended to illustrate that a number of different operations on a system can be specified succinctly using Z, providing a suitable abstract state has been formulated.
106.4.6 Error Conditions The operations covered so far detail what should happen in the event of no errors. Normally, operations can also handle error conditions in some controlled manner. It is useful to report the status of an operation. For example, the following reports could be issued: Report ::= “OK” | “Not a window” | “No windows” | “Invalid window” Here, a free type definition defines Report to be a set with four possible unique values. It is helpful to report the fact that the operation was successful if this is the case: Success rep! : Report rep! = “OK” By convention in Z, “!” indicates an output from an operation. If errors do occur, then these need to be reported. For example, an invalid window can be specified: NotAWindow SYS which? : N rep! : Report which? ∈ / dom windows rep! = “Not a window” In this case, no change of state occurs, as specified by SYS above. As a precondition, a check is made on whether the window number supplied as an input is not a valid existing window in the system; and if this is so, an appropriate report is issued as an output. © 2004 by Taylor & Francis Group, LLC
It is possible that there are no windows displayed when one is required: NoWindow SYS rep! : Report windows = rep! = “No windows” A specified window may not be within the background area: BadWindow SYS window? : Pixmap rep! : Report ¬ (dom window? ⊆ dom background) rep! = “Invalid window” We can include these errors with the previously defined operations that ignored error conditions to produce total operations: AddWindow 1 = (AddWindow 0 ∧ Success) ∨ BadWindow (Update Window 0 ∧ Success) ∨ BadWindow ∨ NotAWindow Update Window 1 = (Expose Window 0 ∧ Success) ∨ NotAWindow Expose Window 1 = (Rotate Windows 0 ∧ Success) ∨ NoWindows Rotate Windows 1 = (RemoveTop 0 ∧ Success) ∨ NoWindows RemoveTop 1 = (Remove Window 0 ∧ Success) ∨ NotAWindow Remove Window 1 =
Here, the schema operators of conjunction (∧) and disjunction (∨) are used to combine schemas. For both operators, components are merged. If components have the same name, then they must be typecompatible or the specification becomes meaningless. Using schema conjunction, predicates in each schema are logically conjoined. Similarly, if schema disjunction is used, then the predicates in the two schemas are combined using logically disjunction. The operations are total in that their preconditions are true. This can be checked by calculation, which is a useful way of ensuring that all error conditions have been handled. This is something that is very easily overlooked if only informal specification using natural language and/or diagrams is used.
106.4.7 Status Operations The contents of an existing window may be of interest: GetWindow0 SYS which? : N window! : Pixmap which? ∈ dom windows window! = windows which? Using SYS, the state of the system does not change during this operation. Status operations normally have one or more outputs returning some aspect of the state of the system. Here, a particular window is returned. © 2004 by Taylor & Francis Group, LLC
We can make this operation total as well: GetWindow = (GetWindow 0 ∧ Success) ∨ NotAWindow
106.4.8 Conclusion Given the abstract state, initial state, and operation schemas defined in this section, the operation of the system consists of starting in the initial state, followed by an arbitrary sequence of the specified operations on the state, as allowed by the preconditions of the operations. If the preconditions of all the operations are true, then any order of operations is allowed. This section has presented the use of the Z notation [Spivey 1992, ISO 2002] in a modeling style, as it is widely used for specifying systems. It should be remembered that Z is a general-purpose specification language and can be used in other styles if desired. However, the use of an abstract state and operations on that state has been found to be a style that is easy to understand (once the notation and conventions have been learned), and this is the approach that is often adopted in practice. For those wishing to learn Z, there are many textbooks available (e.g., see Jacky [1997], Lightfoot [2001], and Woodcock and Davies [1996]). An international standard for Z is available [ISO 2002] and an earlier de facto standard for Z, with a matching type-checker called f UZZ by the same author, is also widely used [Spivey 1992].
106.5 Technology Transfer and Research Issues Claims that formal methods can guarantee correct hardware and software, eliminate the need for testing, etc., have led some to believe that formal methods are something almost magical [Hall 1990]. More significantly, beliefs that formal methods are difficult to use, delay the development process, and raise development costs [Bowen and Hinchey 1995b] have led many to believe that formal methods offer few advantages over traditional development methods. Formal methods are not a panacea; they are just one of a range of techniques that, when correctly applied, have proven themselves to result in systems of the highest integrity [Bowen and Hinchey 1995a]. Hitherto, the uptake of formal methods has been hindered, at least in part by a lack of tools. Many of the successful projects discussed in Hinchey and Bowen [1995, 1999] required significant investment in tool support. Just as the advent of compiler technology was necessary for the uptake of high-level programming languages, and CASE (Computer Aided Software Engineering) technology provided the impetus for the emergence of structural design methodologies in the 1970s, a significant investment in formal methods tools is required for formal methods to be practical at the level of industrial application. In the future, we envisage greater emphasis on IFDSEs (Integrated Formal Development Support Environments) that will support formal specification and development, based on an emerging range of high-quality, stand-alone tools. The framework for this could well be based around the Extended Markup Language (XML) that has emerged from the World Wide Web community. For example, ZML provides an XML-based markup for the Z notation that could be useful in the communication of specifications between tools [Utting et al. 2003]. Method integration is one approach that might aid in the acceptance of formal methods and might help in the technology transfer from academic theory to industrial practice. This has the advantage of providing multiple views of a system, for example, incorporating a graphical representation that is likely to be more acceptable to non-specialists, while retaining the ability to propose and prove system properties and to demonstrate that requirements are not contradictory before, rather than after, implementation. The Unified Modeling Language (UML) provides a popular software development framework that could benefit from the formal methods approach. For example, amid concerns over the lack of formality (or even uniform interpretation) in UML, the OMG (Object Management Group) has issued a request for proposals on re-architecting UML version 2.0. Several groups are interested in making the notation more formal, understandable, and unambiguous, including the 2U Consortium (Unambiguous UML) and the pUML group (precise UML). © 2004 by Taylor & Francis Group, LLC
Cleanroom is a method that provides a middle road between correctness proofs and informal development by stipulating significant checking of programs before they are first run [Prowell et al. 1999]. The testing phase then becomes more like a certification phase because the number of errors should be much reduced. Static analysis involved rigorous checking of programs without actually executing them. SPARK Ada [Barnes 2003] is a restricted version of the Ada programming language that includes additional comments that facilitate formal tool-assisted analysis, especially worthwhile in high-integrity system development. Such approaches may be more cost-effective than full formal development using refinement techniques. In any case, full formal development is typically not appropriate in most software systems. However, many systems could benefit from some use of formal methods at some level (perhaps just specification) in their most critical parts. This approach has been dubbed “lightweight” formal methods [Saiedian 1996, Feather 1998]. In particular, many errors are introduced at the requirements stage and some formality at this level could have very beneficial results because the system description is still relatively simple [Easterbrook et al. 1998]. Formal methods are complementary to testing in that they aim to avoid the introduction of errors whereas testing aims to remove errors that have been introduced during development. The best balance of effort between these two approaches is a matter for debate [King et al. 2000]. In any case, the existence of a formal specification can benefit the testing process by providing an objective and exact description of the system against which to perform subsequent program testing. It can also guide the engineer in deciding which tests are worthwhile (for example, by considering disjunctive preconditions in operations and ensuring that there is full test coverage of these). In practical industrial use, formal methods have proved to have a niche in high-integrity systems such as safety-critical applications where standards may encourage or mandate their use in software at the highest levels of criticality. Formal methods are also being successfully used in security applications such as smart cards, where the technology is simple enough to allow fully formal development. They are also useful in discovering errors during cryptographic protocol analysis [Meadows 2003]. Formal methods have largely been used for software development but are arguably even more successful in hardware design where engineers may be more open to the use of rigorous approaches because of their background and training. Formal methods can be used for the design of microprocessors where errors can be costly because of the large numbers involved and also because of their possible use in critical applications [Jones et al. 2001]. Fully formal verification of significant hardware systems is possible even within the limits of existing proof technology (e.g., see Hunt and Sawada [1999]). Full formal refinement is the ideal but is expensive and can sometimes be impossible to achieve in practice. Retrenchment [Banach and Poppleton 1999] is a suggested liberalization of refinement designed for formal description of applications too demanding for true refinement. Examples are the use of infinite or continuous types or models from classical physics and applications, including inconsistent requirements. In retrenchment, the abstraction relation between the models is weakened in the operation postcondition by a concession predicate. This weakened relationship allows approximating, inconsistent, or exceptional behaviors to be described, in which a false concession denotes a refinement. There are many different formal methods for different purposes, including specification (e.g., the Z notation) and refinement (e.g., the B-Method). There are some moves to produce more general formal approaches (e.g., see B# , combining ideas from B with some concepts from Z [Abrial 2003]). There have also been moves toward related different semantic theories like algebraic, denotational, and operational approaches [Hoare and He 1998]. In any case, it is clear that there are still many research and technology transfer challenges ahead in the field of formal methods (e.g., see Hoare [2003]).
106.6 Glossary of Z Notation A glossary of the Z mathematical and schema notation is included here for the reader’s convenience. For more information on the Z notation, see the Z Reference Manual [Spivey 1992] and, more recently, the ISO international standard [ISO 2002]. © 2004 by Taylor & Francis Group, LLC
Names a, b d, e f, g m, n p, q s, t x, y A, B C, D Q, R S, T X
Identifiers Declarations (e.g., a : A; b, . . . : B . . .) Functions Numbers Predicates Sequences Expressions Sets Bags Relations Schemas Schema text (e.g., d, d | p or S)
a == x a ::= b| . . . [a] a− −a − a−
Abbreviated definition Free type definition (or a ::= bx| . . .) Introduction of a given set (or [a, . . .]) Prefix operator Postfix operator Infix operator
true false ¬p p∧q p∨q p⇒q p⇔q ∀X • q ∃X • q ∃1 X • q let a == x; . . . • p
Logical true constant Logical false constant Logical negation Logical conjunction Logical disjunction Logical implication (¬ p ∨ q ) Logical equivalence ( p ⇒ q ∧ q ⇒ p) Universal quantification Existential quantification Unique existential quantification Local definition
Definitions
Logic
Sets and Expressions x=y x = y x∈A x∈ / A ∅ A⊆B A⊂B {x, y, . . .} {X • x} X • x X • x let a == x; . . . • y © 2004 by Taylor & Francis Group, LLC
Equality of expressions Inequality (¬(x = y)) Set membership Nonmembership (¬(x ∈ A)) Empty set Set inclusion Strict set inclusion (A ⊆ B ∧ A = B) Set of elements Set comprehension Lambda-expression — function Mu-expression — unique value Local definition
if p then x else y (x, y, . . .) A × B × ... PA P1 A FA F1 A A∩ B A∪ B A\B A A first x second x #A
Conditional expression Ordered tuple Cartesian product Power set (set of subsets) Nonempty power set Set of finite subsets Nonempty set of finite subsets Set intersection Set union Set difference Generalized union of a set of sets Generalized intersection of a set of sets First element of an ordered pair Second element of an ordered pair Size of a finite set
A↔B a → b domR ranR idA Q;R Q◦R A R A− R A R A− R R(|A|) iter n R Rn R∼ R∗ R+ Q⊕R a Rb
Relation (P(A × B)) Maplet ((a, b)) Domain of a relation Range of a relation Identity relation Forward relational composition Backward relational compositon (R ; Q) Domain restriction Domain anti-restriction Range restriction Range anti-restriction Relational image Relation composed n times Same as iter n R Inverse of relation (R −1 ) Reflexive-transitive closure Irreflexive-transitive closure Relational overriding ((domR − Q) ∪ R) Infix relation
A B A→B A B A B A B A B A B A B A B fx
Partial functions Total functions Partial injections Total injections Partial surjections Total surjections Bijective functions Finite partial functions Finite partial injections Function application (or f (x))
Relations
Functions
© 2004 by Taylor & Francis Group, LLC
Numbers Z N N1
m+n m−n m∗n m div n m mod n m≤n mn succ n m..n min A max A
Set of integers Set of natural numbers {0, 1, 2, . . .} Set of nonzero natural numbers (N\{0}) Addition Subtraction Multiplication Division Modulo arithmetic Less than or equal Less than Greater than or equal Greater than Successor function {0 → 1, 1 → 2, . . .} Number range Minimum of a set of numbers Maximum of a set of numbers
seq A seq1 A iseq A x, y, . . . s t /s head s tail s last s front s rev s squash f As sA s prefix t s suffix t s in t disjoint A A partition B
Set of finite sequences Set of nonempty finite sequences Set of finite injective sequences Empty sequence Sequence {1 → x, 2 → y, . . .} Sequence concatenation Distributed sequence concatenation First element of sequence (s (1)) All but the head element of a sequence Last element of sequence (s (#s )) All but the last element of a sequence Reverse a sequence Compact a function to a sequence Sequence extraction (squash (A s )) Sequence filtering (squash (s A)) Sequence prefix relation (s v = t) Sequence suffix relation (u s = t) Sequence segment relation (u s v = t) Disjointness of an indexed family of sets Partition an indexed family of sets
bag A [[]] [[ x, y, . . . ]] count C x C x n⊗C
Set of bags or multisets ( A → + N1 ) Empty bag Bag {x → 1, y → 1, . . .} Multiplicity of an element in a bag Same as count C x Bag scaling of multiplicity
Sequences
Bags
© 2004 by Taylor & Francis Group, LLC
x EC C'D C(D − D C∪ items s
Bag membership Subbag relation Bag union Bag difference Bag of elements in a sequence
Schema Notation Vertical Schema
New lines denote “;” and “∧.” The schema name and predicate part are optional. The schema may subsequently be referenced by name in the document.
Axiomatic Definition
The definitions may be nonunique. The predicate part is optional. The definitions apply globally in the document.
Generic Definition
The generic parameters are optional. The definitions must be unique. The definitions apply globally in the document.
S= [X] [T ; . . . | . . .] z.a S ¬S pre S S∧T S∨T S⇒T S⇔T S\(a, . . .) ST S;T S)T S[a/b, . . .] ∀X • S ∃X • S ∃1 X • S © 2004 by Taylor & Francis Group, LLC
Horizontal schema Schema inclusion Component selection (given z : S) Tuple of components Schema negation Schema precondition Schema conjunction Schema disjunction Schema implication Schema equivalence Hiding of component(s) Projection of components Schema composition (S then T ) Schema piping (S outputs to T inputs) Schema component renaming (b becomes a, etc.) Schema universal quantification Schema existential quantification Schema unique existential quantification
Conventions a? a! a a S S S S d p
Input to an operation Output from an operation State component before an operation State component after an operation State schema before an operation State schema after an operation Change of state (normally S ∧ S ) No change of state (normally [S ∧ S | S = S ]) Theorem
Defining Terms Formal methods: Techniques, notations, and tools with a mathematical basis, used for specification and reasoning in software or hardware system development. Formal notation: A language with a mathematical semantics, used for formal specification, reasoning, and proof. Logic: A scheme for reasoning, proof, inference, etc. Two common schemes are propositional logic and predicate logic, which is propositional logic generalized with quantifiers. Other logics, such as modal logics, including temporal logics that handle time, are also available. Examples include TLA (Temporal Logic of Actions), ITL (Interval Temporal Logic), and more recently Duration Calculus. Schemes may use first-order logic or higher-order logic. In the former, functions are not allowed on predicates, simplifying matters somewhat; but in the latter they are, thus providing greater power. Logics include a calculus that allows reasoning in the logic. Operation: The performance of some desired action. This may involve the change of state of a system, together with inputs to the operation and outputs resulting from the operation. To specify such an operation, the before state (and inputs) and the after state (and outputs) must be related with constraining predicates. Precondition: The predicate that must hold before an operation for it to be successful. Compare postcondition, which is the predicate that must hold after an operation. Predicate: A constraint between a number of variables that produces a truth value (e.g., true of false). Proof: A series of mathematical steps forming an argument of the correctness of a mathematical statement or theorem. For example, the validation of a desirable property for a formal specification could be undertaken by proving it correct. Proof can also be used to perform a formal verification that an implementation meets a specification. A less formal style of reasoning is rigorous argument, where a proof outline is sketched informally, which may be done if the effort of undertaking a fully formal proof is not considered cost-effective. Refinement: The stepwise transformation of a specification toward an implementation (i.e., as a program). Compare abstraction, where unnecessary implementation detail is ignored in a specification. Relation: A connection or mapping between elements in a number of sets. Often, two sets (a domain and a range) are related in a binary relation. A special case of a relation is a function where individual elements in the domain can only be mapped to, at most, one element in the range of the function. Functions can be further categorized. For example, a partial function may not map all possible elements that could be in the domain of the function, whereas a total function maps all such elements. Set: A collection of distinct objects or elements, which are also known as members of the set. In a typed language, types may consist of maximal sets, as in the Z notation. Specification: A description of what a system is intended to do, as opposed to how it does it. A specification can be formal (mathematical) or informal (natural language, diagrams, etc.). Compare an implementation of a specification, such as a program, which actually performs and executes the actions required by a specification. © 2004 by Taylor & Francis Group, LLC
State: A representation of the possible values that a system might have. In an abstract specification, this can be modeled as a number of sets. By contrast, in a concrete program implementation, the state typically consists of a number of data structures, such as arrays, files, etc. When modeling sequential systems, each operation can include a before state and an after state, which are related by some constraining predicates. The system will also have an initial state, normally with some additional constraints, from which the system starts at initialization.
References Abrial, J.-R. 1996. The B-Book. Cambridge University Press, Cambridge, U.K. Abrial, J.-R. 2003. B# : towards a synthesis between Z and B. In [Bert et al. 2003], pp. 168–177. Abrial, J.-R., B¨orger, E., and Langmaack, H., Eds. 1996. The Steam Boiler Control Specification Problem. Lecture Notes in Computer Science 1165. Springer-Verlag. Almstrum, V. L., Dean, C. N., Goelman, D., Hilburn, T. B., and Smith, J. 2001. Working group reports from ITiCSE on innovation and technology in computer science education. In Annual Joint Conference Integrating Technology into Computer Science Education, pp. 71–88. ACM Press, New York. Arts, T. and Fokkink, W. 2003. Eighth International Workshop on Formal Methods for Industrial Critical Systems, Roros, Norway, June 5–7, 2003. European Research Consortium for Informatics and Mathematics (ERCIM). Back, R.-J. and von Wright, J. 1998. Refinement Calculus: A Systematic Introduction, Graduate Texts in Computer Science, Springer-Verlag. Banach, R. and Poppleton, M. 1999. Sharp Retrenchment, Modulated Refinement and Simulation, Formal Aspects of Computing, 11(5):498–540. Barnes, J. 2003. High Integrity Software: The SPARK Approach to Safety and Security, Addison-Wesley. Benveniste, A., Caspi, P., Edwards, S. A., Halbwachs, N., Le Guernic, P., and de Simone, R. 2003. The synchronous languages 12 years later. Proc. of the IEEE, 91(1):64–83. B´erard, B., Bidoit M., Finkel, A., Laroussinie, F., Petit, A., Petrucci, L., Schnoebelen, Ph., and McKenzie, P. 2001. Systems and Software Verification: Model-Checking Techniques and Tools. SpringerVerlag. Bert, D., Bowen, J. P., King, S., and Wald´en, M., Eds. 2003. ZB2003: Formal Specification and Development in Z and B. Lecture Notes in Computer Science 2651. Springer-Verlag. Bicarregui, J. C., Clutterbuck, D. L., Finnie, G., Haughton, H., Lano, K., Lesan, H., Marsh, D. W. R. M., Matthews, B. M., Moulding, M. R., Newton, A. R., Ritchie, B., Rushton, T. G. A., and Scharbach, P. N. 1997. Formal methods into practice: case studies in the application of the B method. IEE Proceedings – Software 144(2):119–133. Bjørner, D. 2000. Pinnacles of software engineering: 25 years of formal methods. Annals of Software Eng., 10(1–4):11–66. Bjørner, D. and Cu´ellar, J. R. 1999. Software engineering education: roles of formal specification and design calculi. Annals of Software Eng., 6(1–4):365–409. B¨orger, E. and St¨ark, R. 2003. Abstract State Machines: A Method for High-Level System Design and Analysis. Springer-Verlag. Bowen, J. P. 1996. Formal Specification and Documentation Using Z: A Case Study Approach. International Thomson Computer Press, London. Bowen, J. P. 2001. Experience teaching Z with tool and web support. ACM SIGSOFT Software Eng. Notes, 26(2):69–75. Bowen, J. P. and Hinchey, M. G. 1995a. Ten commandments of formal methods. IEEE Comput., 28(4): 56–63. Bowen, J. P. and Hinchey, M. G. 1995b. Seven more myths of formal methods. IEEE Software, 12(4): 34–41. Bowen, J. P. and Hinchey, M. G. 1999. High-Integrity System Specification and Design. FACIT Series, Springer-Verlag, London. © 2004 by Taylor & Francis Group, LLC
Bowen, J. P. and Stavridou, V. 1993. Safety-critical systems, formal methods and standards. IEE/BCS Software Eng. J., 8(4):189–209. Bruns, G. 1996. Distributed System Analysis with CCS. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Butler, M., Petre, L., and Sere, K., Eds. 2002. Integrated Formal Methods. Lecture Notes in Computer Science 2335. Springer-Verlag. Caldwell, J. L. 1998. Formal methods technology transfer: a view from NASA. Formal Methods in System Design, 12(2):125–137. Clarke, E. M., Wing, J. M. et al. 1996. Formal methods: state of the art and future directions. ACM Computing Surveys, 28(4):626–643. Craigen, D., Gerhart, S. L., and Ralston, T. J. 1995. Formal methods reality check: industrial usage. IEEE Trans. Software Eng., 21(2):90–98. Crow, J. and Di Vito, B. 1998. Formalizing space shuttle software requirements: four case studies. ACM Trans. Software Eng. and Methodology, 7(3):296–332. Dang Van, H., George, C., Janowski, T., and Moore, R., Eds. 2002. Specification Case Studies in RAISE. FACIT Series, Springer-Verlag, London. Davoren, J. M. and Nerode, A. 2000. Logics for hybrid systems. Proc. of the IEEE 88(7):985–1010. Derrick, J. and Boiten, E. A. 2001. Refinement in Z and Object-Z. FACIT Series, Springer-Verlag, London. Derrick, J., Boiten, E. A., Woodcock, J., and von Wright, J. 2002. REFINE 2002: The BCS FACS Refinement Workshop. Electronic Notes in Theoretical Computer Science 70(3). Elsevier Science Publishers. Diaconescu, R. and Futatsugi, K. 1998. CafeOBJ Report: The Language, Proof Techniques, and Methodologies for Object-Oriented Algebraic Specification. AMAST Series in Computing, Vol. 6, World Scientific Publishing Co. Dijkstra, E. W. 1981. Why correctness must be a mathematical concern. In The Correctness Problem in Computer Science, R. S. Boyer and J. S. Moore, Eds., pp. 1–6. Academic Press, London. Duke, R. and Rose, G. 2000. Formal Object-Oriented Specification using Object-Z. Cornerstones of Computing Series, MacMillan. Easterbrook, S., Lutz, R., Covington, R., Kelly, J., Ampo, Y., and Hamilton, D. 1998. Experiences using lightweight formal methods for requirements modeling. IEEE Trans. Software Eng., 24(1):4–14. Eriksson, L.-H. and Lindsay, P. A., Eds. 2002. FME 2002: Formal Methods – Getting IT Right. Lecture Notes in Computer Science 2391. Springer-Verlag. Feather, M. S. 1998. Rapid application of lightweight formal methods for consistency analyses. IEEE Trans. Software Eng., 24(11):949–959. Fidge, C., Kearney, P., and Utting, M. 1997. A formal method for building concurrent real-time software. IEEE Software, 14(2):99–106. Frappier, M. and Habrias, H., Eds. 2001. Software Specification Methods: An Overview Using a Case Study. FACIT Series, Springer-Verlag, London. Fuchs, N. E. 1992. Specifications are (preferably) executable. IEE/BCS Software Eng. J., 7(5):323–334. Futatsugi, K., Nakagawa, A. T., and Tamai, T., Eds. 2000. CAFE: An Industrial-Strength Algebraic Formal Method. Elsevier Health Sciences. Garlan, D. 1995. Making formal methods effective for professional software engineers. Inf. Software Tech., 37(5/6):261–268. George, C. and Miao, H., Eds. 2002. Formal Methods and Software Engineering. Lecture Notes in Computer Science 2495. Springer-Verlag. Gibbs, W. W. 1994. Software’s chronic crisis. Sci. Am., 271(3):86–95. Goguen, J. and Winkler, T. 1988. Introducing OBJ3. SRI International, Menlo Park, CA. Tech. Rep. SRICSL-88-9. Grumberg, O., Peled, D., and Clarke, E. M. 2000. Model Checking. MIT Press. Guttag, J. V. 1993. Larch: Languages and Tools for Formal Specification. Springer–Verlag. Hall, J. A. 1990. Seven myths of formal methods. IEEE Software, 7(5):11–19. © 2004 by Taylor & Francis Group, LLC
Hall, J. A. 1996. Using formal methods to develop an ATC information system. IEEE Software, 13(2): 66–76. Hansen, K. M., Ravn, A. P., and Stavridou, V. 1998. From safety analysis to software requirements. IEEE Trans. Software Eng., 24(7):573–584. Harel, D. 1987. Statecharts: a visual formalism for complex systems. Sci. Comput. Program., 8:231–274. Harel, D. and Politi, M. 1998. Modeling Reactive Systems with Statecharts: The Statemate Approach. McGrawHill, New York. Hayes, I. J. and Jones, C. B. 1989. Specifications are not (necessarily) executable. IEE/BCS Software Eng. J., 4(6):330–338. Heitmeyer, C., Kirby, J., Jr., Labaw, B., Archer, M., and Bharadwaj, R. 1998. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. Software Eng., 24(11):927–948. Hinchey, M. G. and Bowen, J. P., Eds. 1995. Applications of Formal Methods. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Hinchey, M. G. and Bowen, J. P., Eds. 1999. Industrial-Strength Formal Methods in Practice. FACIT Series, Springer-Verlag, London. Hoare, C. A. R. 1985. Communicating Sequential Processes. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Hoare, C. A. R. 1987. An overview of some formal methods for program design. IEEE Comput., 20(9):85– 91. Hoare, C. A. R. 1996a. How did software get so reliable without proof? In FME ’96: Industrial Benefit and Advances in Formal Methods. M.-C. Gaudel and J. Woodcock, Eds., pp. 1–17. Lecture Notes in Computer Science 1051. Springer-Verlag. Hoare, C. A. R. 1996b. The logic of engineering design. Microprocessing Microprogramming, 41(8/9):525– 539. Hoare, C. A. R. 2003. The verifying compiler: a grand challenge for computing research. Journal of the ACM, 50(1):63–69. Hoare, C. A. R. and He, J. 1998. Unified Theories of Programming. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Holzmann, G. 2003. The Spin Model Checker – Primer and Reference Manual. Addison–Wesley. Houston, I. S. C. and King, S. 1991. CICS project report: experiences and results from the use of Z in IBM. In VDM ’91: Formal Software Development Methods, Vol. 1, S. Prehn and W. Toetenel, Eds. Lecture Notes in Computer Science 551, pp. 588–596. Springer-Verlag. Hunt, W. A., Jr. and Sawada, J. 1999. Verifying the FM9801 microarchitecture. IEEE Micro, 19(3):47–55. IEEE. 1991. IEEE standard glossary of software engineering terminology. In IEEE Software Engineering Standards Collection. Elsevier Applied Science, Amsterdam. ISO. 1989. Information Processing Systems – Open Systems Interconnection – LOTOS – A formal description technique based on the temporal ordering of observational behaviour. International Standard ISO 8807:1989, International Organization for Standardization, Switzerland. ISO. 1996. Information Technology – Programming languages, their environments and system software interfaces – Vienna Development Method – Specification Language – Part 1: Base language. International Standard ISO/IEC 13817-1:1996, International Organization for Standardization, Switzerland. ISO. 2002. Information Technology – Z Formal Specification Notation – Syntax, Type System and Semantics. International Standard ISO/IEC 13568:2002. International Organization for Standardization, Switzerland. Jacky, J. 1997. The Way of Z: Practical Programming with Formal Methods, Cambridge University Press, U.K. Jones, C. B. 1991. Software Development Using VDM, 2nd ed. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Jones, R. B., O’Leary, J. W., Seger, C.-J. H., Aagaard, M. D., and Melham, T. F. 2001. Practical formal verification in microprocessor design. IEEE Design & Test of Computers, 18(4):16–25. © 2004 by Taylor & Francis Group, LLC
Joseph, M., Ed. 1996. Real-Time Systems: Specification, Verification and Analysis. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. URL: http://www.tcs.com/techbytes/ htdocs/book mj.htm (2001). King, S., Hammond, J., Chapman, R., and Pryor, A. 2000. Is proof more cost-effective than testing? IEEE Trans. Software Eng., 26(8):675–686. Kropf, T. 2000. Introduction to Formal Hardware Verification. Springer-Verlag. Larsen, P. G., Fitzgerald, J., and Brookes, T. 1996. Applying formal specification in industry. IEEE Software, 13(7):48–56. Lee, J.-S. and Cha, S.-D. 2000. Qualitative formal method for requirements specification and validation of hybrid real-time safety systems. IEE Proceedings – Software, 147(1):1–11. Lightfoot, D. 2001. Formal Specification using Z. 2nd ed. Grassroots Series, Palgrave. Lugi and Goguen, J. A. 1997. Formal methods: promises and problems. IEEE Software, 14(1): 73–85. Meadows, C. 2003. Formal methods for cryptographic protocol analysis: emerging issues and trends. IEEE Journal on Selected Areas in Communications, 21(1):44–54. Milner, R. 1989. Communication and Concurrency. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Morgan, C. 1994. Programming from Specifications, 2nd ed. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. URL: http://web.comlab.ox.ac.uk/oucl/publications/books/PfS/ (1998). Palshikar, G. K. 2001. Applying formal specifications to real-world software development. IEEE Software, 18(6):89–97. Parnas, D. 1995. Using mathematical models in the inspection of critical software. In Applications of Formal Methods, M. G. Hinchey and J. P. Bowen, Eds., pp. 17–31. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K. Peled, D. and Vardi, M. Y., Eds. 2002. Formal Techniques for Networked and Distributed Systems – FORTE 2002. Lecture Notes in Computer Science 2529. Springer-Verlag. Pfleeger, S. L. and Hatton, L. 1997. Investigating the influence of formal methods. IEEE Comput., 30(2): 33–43. Prowell, S. J., Trammell, C. J., Linger, R. C., and Poore, J. H. 1999. Cleanroom Software Engineering: Technology and Process. Addison-Wesley. RAISE Language group. 1992. The RAISE Specification Language. BCS Practitioner Series. Prentice-Hall, Hemel Hempstead, U.K. Saiedian, H., Ed. 1996. An invitation to formal methods. IEEE Comput., 29(4):16–30. Schneider, S. 1999. Concurrent and Real-time Systems: The CSP Approach. John Wiley & Sons. Schneider, S. 2001. The B-Method: An Introduction. Cornerstones of Computing Series, MacMillan. Sekerinski, E. and Sere, K., Eds. 1999. Program Development by Refinement. FACIT Series, Springer-Verlag, London. Semmens, L. T., France, R. B., and Docker, T. W. G. 1992. Integrated structural analysis and formal specification techniques. The Computer Journal, 35(6):600–610. Smith, G. 2000. The Object-Z Specification Language. Advances in Formal Methods Series. Kluwer Academic Publishers. Spivey, J. M. 1992. The Z Notation: A Reference Manual, 2nd ed. Prentice Hall International Series in Computer Science, Hemel Hempstead, U.K. Tiwari, A., Shankar, N., and Rushby, J. 2003. Invisible formal methods for embedded control systems. Proc. of the IEEE, 91(1):29–39. Tremblay, G. 2000. Formal methods: Mathematics, computer science or software engineering? IEEE Trans. on Education, 43(4):377–382. Tretmans, J., Wijbrans, K., and Chaudron, M. 2001. Software engineering with formal methods: the development of a storm surge barrier control system revisiting seven myths of formal methods. Formal Methods in System Design, 19(2):195–215. © 2004 by Taylor & Francis Group, LLC
Turner, K. J., Ed. 1993. Using Formal Description Techniques: An Introduction to Estelle, LOTOS and SDL. John Wiley & Sons, Chichester, U.K. Utting, M., Toyn, I., Sun, J., Martin, A., Dong, J. S., Daley, D., and Currie, D. 2003. ZML: XML support for standard Z. In [Bert et al. 2003], pp. 437–456. Warmer, J. and Kleppe, A. 1998. The Object Constraint Language: Precise Modeling with UML. AddisonWesley. Wing, J. M. 1990. A specifier’s introduction to formal methods. IEEE Comput., 23(9):8–24. Wing, J. M. and Woodcock, J. 2000. Special issues for FM ’99: The First World Congress on Formal Methods in the Development of Computing Systems. IEEE Trans. Software Eng., 26(8):673–674. Wing, J. M., Woodcock, J., and Davies, J., Eds. 1999. FM’99 — Formal Methods. Lecture Notes in Computer Science 1708 & 1709. Springer-Verlag. Woodcock, J. and Davies, J. 1996. Using Z: Specification, Refinement, and Proof. Prentice Hall International Series in Computer Science. Hemel Hempstead, U.K.
Further Information A number of organizations have been established to meet the needs of formal methods practitioners; for example: r Formal Methods Europe (FME) organizes a regular conference (e.g., Eriksson and Lindsay [2002]
and Wing et al. [1999]), formerly the VDM symposia, and other activities for users of various formal methods. r The British Computer Society Specialist Group on Formal Aspects of Computing Science (BCSFACS) organizes workshops and meetings on various aspects of formal methods, as well as a series of Refinement Workshops (e.g., see Derrick et al. [2002]). r The Z User Group (ZUG) has organized a regular international conference, historically known as the Z User Meeting (ZUM), attracting users of the Z notation from all over the world. The International B Conference Steering Committee (Association de Pilotage des Conf´erences B, APCB) has organized a similar International B Conference series. Since 2000 these have been combined into a single conference (e.g., see Bert et al. [2003]). There are now a number of journals devoted specifically to formal methods. These include Formal Methods in System Design and Formal Aspects of Computing. The FAC journal is published by SpringerVerlag in association with BCS-FACS. Other European-based journals, such as The Computer Journal, IEE Proceedings–Software (formerly the Software Engineering Journal), and Information and Software Technology, publish articles on, or closely related to, formal methods, and they have run special issues on the subject. While there are no U.S.-based journals that deal specifically with formal methods, they regularly are featured in popular periodicals such as IEEE Computer (e.g., Bowen and Hinchey [1995a], Hoare [1987], Pfleeger and Hatton [1997], Saiedian [1996], and Wing [1990]) and IEEE Software (e.g., Bowen and Hinchey [1995b], Hall [1990, 1996], Larsen et al. [1996], Luqi and Goguen [1997], and Palshikar [2001]), as well as in journals such as the Annals of Software Engineering (e.g., Bjørner and Cu´ellar [1999] and Bjørner [2000]) IEEE Transactions on Software Engineering (e.g., Craigen et al. [1995], Easterbrook et al. [1998], Feather [1998], Hansen et al. [1998], Heitmeyer et al. [1998], and Wing and Woodcock [2000]), ACM Transactions on Software Engineering and Methodology [Crow and Di Vito 1998], and the Journal of the ACM. A classic paper on the state of the art in formal methods has also appeared in the ACM Computing Surveys [Clarke et al. 1996]. In addition to the conferences mentioned earlier, the IFIP (International Federation of Information Processing) FORTE international conference concentrates on Formal Description Techniques (FDTs, e.g., see Peled and Vardi [2002]). The International Conference on Formal Engineering Methods series (ICFEM) has also been established more recently (e.g., see George and Miao [2002]). A number of more specialist © 2004 by Taylor & Francis Group, LLC
conferences on formal methods have been established. For example, the Integrated Formal Methods (IFM) International Conference concentrates on the use of formal methods with other approaches (e.g., see Butler et al. [2002]). The International Workshop on Formal Methods for Industrial Critical Systems (FMICS) concentrates on industrial applications, especially using tools [Arts and Fokkink 2003]. Some more wide-ranging conferences give particular attention to formal methods; primary among these are the ICSE (International Conference on Software Engineering) and ICECCS (International Conference on Engineering of Complex Computer Systems) series of conferences. Other specialist conferences in the safety-critical sector, such as SAFECOMP, and SSS (the Safety-critical Systems Symposium) also regularly cover formal methods. There have been some collections of case studies on formal methods with various aims and themes. For some industrial applications, see Bowen and Hinchey [1995, 1999]. Solutions to a control specification problem using a number of different formal approaches are presented in Abrial et al. [1996]. Frappier and Habrias [2001] collected together a number of formal specification methods applied to an invoicing case study where the presentations concentrate on the process of producing a formal description, including the questions raised along the way. A number of electronic forums are available as online newsgroups: comp.specification.misc comp.specification.larch comp.specification.z
Formal specification Larch Z notation
In addition, the following electronic mailing lists are available, among others: [email protected] [email protected] [email protected] [email protected]
Formal methods Provably Correct Systems VDM Z (gatewayed to comp.specification.z)
For up-to-date online information on formal methods in general, readers are directed to the following World Wide Web URL (Uniform Resource Locator), which provides formal methods links as part of the WWW Virtual Library: http://vl.fmnet.info/
© 2004 by Taylor & Francis Group, LLC
107 Verification and Validation 107.1 107.2 107.3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107-1 Approaches to Verification . . . . . . . . . . . . . . . . . . . . . . . 107-1 Verifying Specifications of Systems . . . . . . . . . . . . . . . . 107-2 General Properties
Specific Properties
107.4
Verifying Programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107-7
107.5
Current Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107-22
John D. Gannon University of Maryland
•
General Properties
•
Specific Properties
107.1 Introduction Verification and validation are terms that are sometimes used interchangeably. In Ghezzi et al. [1991], verification is used to describe “all activities that are undertaken to ascertain that the software meets its objectives,” and validation is not used at all. In Rushby [1993], specification validation is a two-component process of seeking assurance that a specification means something (i.e., is consistent), and that it means what is intended. We use verification to describe the process of demonstrating that a description of a software system guarantees particular properties. General properties may be derived from the form of the description (e.g., that functions are total, axioms are consistent, or variables are initialized before they are referenced), and specific properties may be derived from the problem domain. The latter case involves the comparison of two objects, a detailed description of a software system, and a more abstract description of its intended properties. In Section 107.2 we briefly describe validation and verification approaches. Section 107.3 and Section 107.4 deal with the verification of general and specific properties of specifications and programs, respectively. We pay particular attention to opportunities for automating verification activities. We conclude with a short discussion of the current verification practices.
107.2 Approaches to Verification A variety of analysis activities may be used to verify software artifacts. In software inspections, teams of software developers manually examine artifacts for defects. If a requirements document or a design is written in a formal language, it may be possible to use it as a prototype for the system by simulating the description for some test cases. General properties of software artifacts may be verified automatically by static analysis of the artifact. State-exploration or theorem-proving techniques can be used to prove specific properties of system descriptions.
© 2004 by Taylor & Francis Group, LLC
Inspections have proven to be an effective method for detecting software defects because they subject a software artifact to the scrutiny of several people, some of whom did not participate in the artifact’s design. Early requirements inspections catch errors before they propagate into designs and implementations, making them less costly to repair. Fagan [1976] describes a six-stage inspection process: r A determination is made that a software artifact is ready for an inspection, and an inspection team
is assembled. r The artifact’s author provides reviewers an overview of the artifact. r The team members individually study the artifact and record potential defects. r A fixed-length inspection meeting is held. A moderator controls the discussion. The designer
presents and explains his work. Participants identify errors (but not solutions), which are recorded by a secretary. r The author fixes any errors. r The moderator checks the new version of the artifact and determines if another inspection is necessary. Successful software inspections depend on the experience levels of the participants and the quality of the artifacts. Requirements inspections should include participants who are future users of the system who will help the software developers judge if the system will function as intended. Requirements notations for embedded systems (e.g., the Software Cost Reduction (SCR) notation [Heitmeyer et al. 1995, Heniger 1980], the Requirements State Machine Language [Leveson et al. 1994], and Statecharts [Harel et al. 1990]) describe systems as sets of concurrently executing state machines responding to events in their environments. Finite state machines have precise meanings, but they are also easy to understand because they can be described in tabular or graphic formats. In order to maximize the benefits of inspections, participants may be given lists of questions about the artifact that they must answer to ensure that they are sufficiently prepared for an inspection. For code inspections, participants may receive checklists of potential errors that they are to check are not present in the implementation. Simulation of a software artifact helps software developers determine if the system behaves as expected by producing results like those which will be produced by the eventual implementation of the system. Such operational descriptions of systems give recipes for achieving desired results rather than just describing properties of final results. Simulations of state-machine descriptions of systems are easy to perform; however, simulating more detailed descriptions may require developers to sacrifice abstraction in favor of executability. Being able to reverse a simulation may permit analysts to determine how potentially hazardous states may be reached [Ratan et al. 1996]. If state machines manipulate few variables with simple data types (i.e., types with finite numbers of values), properties such as deadlock freedom or mutual exclusion can be verified by using state-space enumeration and exploration techniques. More detailed system descriptions with richer data types correspond to infinite-state machines. While more specific properties can be stated and verified for infinite-state machines, analysis techniques must either investigate approximations of the state space by folding states together [Young and Taylor 1989] or reason with compact descriptions of the entire state space (i.e., assertions).
107.3 Verifying Specifications of Systems With appropriate abstraction, synchronous communicating processes in distributed systems can be described by sets of state-transition diagrams. For example, Figure 107.1 describes a producer/consumer system with one producer and two consumer processes. Consumer1 decides either to remain in an idle state (labeled i ) or to move to a state in which it requests output from the producer (labeled r1). When the producer process grants the consumer’s request (by entering its state labeled p1), Consumer1 returns to its idle state. Consumer2 behaves in a similar © 2004 by Taylor & Francis Group, LLC
FIGURE 107.1 A simple system with two consumers and one producer.
manner. Producer starts in an idle state (also labeled i ), and moves into a production state (labeled p1 or p2) in response to one of the consumer processes moving into its request state. After satisfying the request, Producer returns to its idle state.
107.3.1 General Properties We can derive general properties for the transitions in our model (e.g., that they are deterministic or total). In Figure 107.1, unlabeled arcs are considered to be labeled “true.” That is, these transitions may always be taken. Consumer1 has nondeterministic transitions because there are two arcs with the same transition conditions (i.e., true) leaving its idle state and ending in different states. We might always want to ensure that some transition is always enabled from each state. To check this property we compute the logical operation for all the conditions on transitions leaving a state, and we check that its result is identical to true. Consumer1’s idle state satisfies this property, but its request state does not, because the only transition leaving this state occurs when p1 is true (i.e., when the Producer is in its state labeled p1). Although these are very simple properties, they are valuable checks, particularly for large systems because they do not require construction of the system’s state space.
107.3.2 Specific Properties 107.3.2.1 Reachability Analysis Reachability analysis is performed to determine if potentially hazardous states (e.g., those representing deadlock or mutual-exclusion failures) are reachable. To perform this analysis, a reachability graph representing the global behavior of the system is constructed and exhaustively examined to determine if a hazardous state is reachable. Figure 107.2 represents the reachability graph for our producer/consumer system. Each state is labeled with three properties corresponding to properties of Consumer1, Consumer2, and Producer. In the reachability graph’s initial state, labeled (i, i, i ), each of the processes is in its idle state. Three transitions leave this state, corresponding to either or both Consumer1 or Consumer2 issuing requests for output. There are no transitions from the initial state to other states labeled either (i, i, p1) or (i, i, p2) because the producer process waits for either of the consumers to issue a request before moving to a state in which it produces output. Thus we could verify that objects are produced only in response to requests by determining that no reachable states are labeled either (i, i, p1) or (i, i, p2). © 2004 by Taylor & Francis Group, LLC
FIGURE 107.2 Reachability graph.
107.3.2.2 Model Checking Although it is a useful verification technique, reachability analysis can be used only to verify properties specified as propositional logic formulas quantified over all the states in the graph. We might also like to assert properties about sequences of events, e.g., “if the consumer requests an output, the producer always supplies one.” Pneuli [1981] showed how temporal logic can be used to state such properties and to reason about concurrent systems. A temporal logic is a propositional logic with additional temporal operators to express concepts such as “always,” “eventually,” and “until” to assert that formulas are true in all or some future states. Two major types of temporal logic are used in specifications: linear time logic and branching time logic. In linear time logic, states have unique pasts and futures. To prove that a property is invariantly true, the property must be proved over all possible execution paths of the system. In branching time temporal logics, states have unique pasts but many possible futures. Thus, assertions may be made about properties holding on some future executions or on all future executions. The latter assertions are invariants. Computational tree logic (CTL) is a propositional branching time logic, whose operators permit explicit quantification over all possible futures [Clarke et al. 1986]. The syntax for CTL formulas is summarized below: 1. Every atomic proposition is a CTL formula. 2. If f and g are CTL formulas, then so are: ∼ f , f ∧ g , f ∨ g , f → g , AX f , E X f , A[ f U g ], E [ f U g ], AF f , E F f , AG f , and E G f . Note that temporal operators occur only in pairs in which a quantifier A (always) or E (exists) is followed by F (future), G (global), U (until), or X (next). The logical operators have their usual meanings. The meanings of the temporal operators are described below. Concept
Operator
Meaning
Next
AX f E Xf A[ f U g ]
Formula f holds in every next state. Formula f holds in some next state. Along every path, there exists some future state s in which g is true, and f is true in every state on the path until s . Along some path, there exists some future state s in which g is true, and f is true in every state on the path until s . Along every path, f is true in some state. Along some path, f is true in some state. Along every path, f is true in every state. Along some path, f is true in every state.
Until
E f Ug] Eventually Possibly Invariance Possible invariance
AF f EFf AG f EGf
© 2004 by Taylor & Francis Group, LLC
The specification “if the consumer requests an output, the producer always supplies one” can be written as the CTL formula: AG ((r 1 → AF ( p1)) ∧ (r 2 → AF ( p2)). That is, it is invariantly true that if Consumer1 makes a request (represented by a state in which r 1 is true), eventually (i.e., along every path starting at such states) the producer supplies an output for Consumer1 (a state is encountered in which p1 is true), and similarly for Consumer2. If formula f is true in state s of model M, we write M, s |= f . A formula f is true for the model, if it is true in the model’s start state, i.e., M, s 0 |= f . When we are concerned with a single model, we abbreviate M, s |= f as s |= f . Introduced by Clarke and Emerson [Clarke et al. 1986] and by Quielle and Sifakis [1981], model checking determines the value of a formula f for a particular model by building a reachability graph and computing the set of states in which the formula is true, i.e., {s | s |= f }. For example, formula AF ( f ) represents the set of states from which a state satisfying f can be reached in some number of state transitions along all paths from the state. f ∨ AX f ∨ AX(AX f ) ∨ . . . where f is the set of states in which f is true, i.e., the set of states from which an f -state can be reached in zero-state transitions. AX( f ) is the set of states all of whose transitions reach an f -state. AX(AX f ) is the set of states from which any two state transitions reach an f -state, etc. This set of states can be computed using the following least fixpoint computation: Y = { }; Y' = {s | s |= f }; while ( Y
= Y' ) do { Y = Y'; Y' = Y' ∪ {s | all successors of s are in Y}; } By way of example, consider computing the set of states in which AF ( p1) for the model in Figure 107.2. The first iteration computes the set of states in which the formula p1 holds. This set, which is shaded in Figure 107.3, corresponds to computing p1 ∨ AX false. During the second iteration, the predecessors of the states already in the set are examined. The state labeled (r 1, i, i ) is added to the set because the formula is true in all of its successors. At this point, we have computed the set of states satisfying p1 ∨ AX( p1). The remaining iterations are summarized in the following table. Iteration
State Set
Remarks
1 2
{(r 1, i, p1), (r 1, r 2, p1)} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i )} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i ), (r 1, r 2, p2)} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i ), (r 1, r 2, p2), (r 1, r 2, i )} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i ), (r 1, r 2, p2), (r 1, r 2, i )}
The only states in which p1 is true. AX( p1) is true for the state labeled (r 1, i, i ) since p1 is true in all its successors. AX(AX( p1)) is true for the state labeled (r 1, i, i ) since AX( p1) is true in all its successors. For the state labeled (r 1, r 2, i ), AX(AX(AX( p1))) is true for one of its successors and AX( p1) is true for the other.
3 4
5
Each of the possible new predecessors, the states labeled state (i, i, i ) and (i, r 2, i ), have infinitely long paths before reaching a state in which p1 is true.
Since no new states are added during the fifth iteration, we reach a fixpoint and the algorithm terminates. Unfortunately, the set of states computed does not contain the start state, s 0 (the state labeled (i, i, i )), so s 0
|= AF ( p1). However, the model checker gives a specific counter-example (i.e., the loop (i, i, i ), (i, r 2, i ), (i, r 2, p2), . . .) showing why the formula is not satisified. © 2004 by Taylor & Francis Group, LLC
FIGURE 107.3 Model checking s 0 |= AF ( p1).
To check AG ((r 1 → AF ( p1)) ∧ (r 2 → AF ( p2)), we calculate the sets of states for which the innermost, simplest formulas hold and work our way outward, calculating sets of states for more complex formulas. Thus we might perform the following computations: Step
Formula
Set of States
1 2
p1 AF ( p1)
3
r1
4 5 6
r 1 → AF ( p1) p2 AF ( p2)
7
r2
8 9 10
r 2 → AF ( p2) (r 1 → AF ( p1)) ∧ (r 2 → AF ( p2)) AG ((r 1 → AF ( p1)) ∧ (r 2 → AF ( p2))
{(r 1, i, p1), (r 1, r 2, p1)} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i ), (r 1, r 2, p2), (r 1, r 2, i )} {(r 1, i, p1), (r 1, r 2, p1), (r 1, i, i ), (r 1, r 2, p2), (r 1, r 2, i )} All states {(i, r 2, p2), (r 1, r 2, p2)} {(i, r 2, p2), (r 1, r 2, p2), (i, r 2, i ), (r 1, r 2, p1), (r 1, r 2, i )} {(i, r 2, p2), (r 1, r 2, p2), (i, r 2, i ), (r 1, r 2, p1), (r 1, r 2, i )} All states All states All states
The formula r 1 → AF ( p1) holds in all states because r 1 and AF ( p1) are true in identical sets of states, and because r 1 is false in all other states of the model. A similar analysis determines that r 2 → AF ( p2) also holds in all states, so the entire formula is true in all states satisfying the invariant operator AG . © 2004 by Taylor & Francis Group, LLC
Automating model checking is quite easy, except that the entire state space of the model is constructed before the fixpoint algorithms can be applied. However, model checking can also be done symbolically by manipulating quantified Boolean formulas without constructing a model’s state space [McMillan 1993]. To perform symbolic model checking, sets of states and transition relations are represented by formulas, and set operations are defined in terms of formula manipulations. A CTL formula f is evaluated for a model by deriving a propositional logic expression that describes the set of states satisfying f for the model and verifying that the interpretation of the model’s initial state satisfies the expression.
107.4 Verifying Programs 107.4.1 General Properties Probably the best-known property of programs which is verified is that a program is type safe. In statically typed languages, a data type is associated with a variable in a declaration. During its lifetime, the variable may be assigned only values of the same type. The context of each appearance of a variable in a statement implies a type, which can be checked against its declared type. Violations are reported as syntax errors. Other important properties depend on data and control flow, e.g., each variable is assigned a value before the value is used in an expression. Such properties are verified by static checkers, which analyze a program’s syntax tree or control flow graph; no test data are used during these checks. Static checkers fold different states together to make analysis tractable. For example, to check uninitialized variables, we may care only if a variable has been assigned a value or not. Different integer values are all folded to a single “defined” value to reduce the size of the state space. In the following program fragment, x will always have a value when control reaches the final write statement, since either i ¡ j and x is assigned the value 1 or i ¿ = j and x is assigned the value 2. However, a static checker keeping track of whether or not x had been assigned a value on every potential path through the program would conclude that the write statement might be executed with an undefined value. Statement
Defined Values
read(i); read(j); if (i < j) x = 1; fi; if (i >= j) x = 2; fi; write(x)
{i} {i, j} {i, j, x} {i, j} ∩ {i, j, x} = {i, j} {i, j, x} {i, j} ∩ {i, j, x} = {i, j} {i, j}
In each if statement, x is defined on only one path through the statement. Thus, the static checker intersects the sets of variables defined on each of its paths to determine the set of variables which are certain to have values. This approximation of the state space is called conservative or pessimistically inaccurate because it preserves states which potentially contain errors. In this case, it preserved a state in which x is undefined which can be reached only on an infeasible path (i.e., when i ≥ j ∧ i ¡ j). Programmers using static checkers must examine error messages to determine if an anomaly exists before trying to repair their programs. A syntax-directed definition can be used to describe the analysis needed to verify this property. A syntaxdirected definition extends a context-free grammar by associating attributes with grammar symbols. The value of an attribute in a syntax tree is defined by rules associated with each production used at the particular node of the tree. Attributes can be values of any type. In this example, we use two sets of identifiers: In (representing the set of identifiers defined on all paths leading to the current statement) and Out (representing the set of identifiers defined on all paths after executing the current statement). The syntax-directed definition for the simple language is shown below. © 2004 by Taylor & Francis Group, LLC
Production
Attributes
P ::= SL SL1 ::= S ';' SL2
SL.In = ∅ S.In = SL1 .In SL2 .In = S.Out SL1 .Out = SL2 .Out SL.Out = SL.In S.Out = {id} ∪ S.In S.In = S.In S.Out = S.In SL1 .In = S.In SL2 .In = S.In S.Out = SL1 .Out ∩ SL2 .Out SL.In = S.In S.Out = S.In S.Out = {id} ∪ S.In S.Out = S.In
SL ::= S ::= id '=' Exp S ::= 'if' Exp 'then' SL 'fi' S ::= 'if' Exp 'then' SL1 'else' SL2 'fi'
S ::= 'while' Exp 'do' SL 'od' S ::= 'read' '('id')' S ::= 'write' '('id')'
The production P ::= SL initializes SL’s In attribute to the empty set. When identical nonterminals appear in a production, the instances are numbered so their attributes can be distinguished. For example, the production SL ::= S ’;’ SL is rewritten as SL1 ::= S ’;’ SL2. The set of defined variables available to S is the same as that available to SL1. However, the defined variables for SL2 are those from S.Out. Each S-production copies its incoming set of definitions (In) to its Out attribute and adds any new definitions made in the statement. Thus, for example, the statement read(i) adds the variable i to the empty set of definitions that reaches it. The set of outgoing definitions from the if statement if i < j then x = 1 fi; is {i, j}, since the statement contains an execution path on which x is not defined. Figure 107.4 shows the attributes evaluated on the syntax tree corresponding to our sample program. Since the write statement’s In attribute contains only {i, j}, a static checker would say that definitionbefore-use property was violated for x. Abstract interpretation [Cousot and Cousot 1976] is a method for computing approximate semantics of programs in order to provide safe answers to questions about their run-time behaviors. In an abstract interpretation of a program, “abstract” values are associated with program variables instead of the actual execution values, and a programming language’s operators are redefined to manipulate the abstract values. An abstract interpretation of a program computes a fixpoint approximation of the abstract program state at different points in the program, and properties of the program are verified with respect to these states. Consider the following example [Cousot and Cousot 1977], which searches a list for a particular value. One property we would like to ensure is that the value of p is never NULL when it is dereferenced on lines 3 or 4. 1. p = L; b = TRUE; 2. while (p = / NULL & b) 3. if (p → v == n) then b = FALSE; 4. else p = p → next; The pointer variable p may have one of four possible values: undefined (⊥), NULL, nonNULL, or NULL or nonNULL (). These values form the complete lattice in Figure 107.5. Initially, a pointer variable has the value ⊥. Pointer variables may be assigned on of the following values: NULL, nonNULL (i.e., the result produced by a new operation), or the value of another pointer variable. Dereferencing a pointer whose value is nonNULL yields the value , and dereferencing a pointer with any other value yields ⊥. Each node in a program’s control flow graph defines an output state in terms of its input state. Assignment nodes’ output states are identical to their input states except for the value of the variable on the left side of the assignment operation. The output state for a join node is the union of the respective values in its input states. The output state corresponding to the true outcome of a decision node labeled p! = NULL is calculated by creating a new state which is identical to the input state except that p has value nonNULL and intersecting the new state with the input state. The output state corresponding to the false outcome of the © 2004 by Taylor & Francis Group, LLC
FIGURE 107.4 Attributes evaluated on a syntax tree.
FIGURE 107.5 Lattice of pointer values.
decision node is calculated in a similar manner except that p has value NULL in the newly created state. These computations are depicted in Figure 107.6, and the definitions for ∪ and ∩ are given in the following tables. The Xs in the table for ∩ represent error entries corresponding to infeasible paths.
⊥ NULL nonNULL
⊥ ⊥ NULL nonNULL
x ∪ y NULL nonNULL NULL nonNULL NULL nonNULL
⊥ ⊥ ⊥ ⊥ ⊥
NULL ⊥ NULL X NULL
x ∩ y nonNULL ⊥ X nonNULL nonNULL
⊥ NULL nonNULL
Since pointer variables have a finite number of abstract values, system states do not have an infinite increasing chain of values. © 2004 by Taylor & Francis Group, LLC
S1
S
S2
T
F p =/ NULL
S1
S (S - {p, p(S)} + {p, nonNULL})
S2
S
(S - {p, p(S)} + {p, NULL})
Decision Node
Join Node
FIGURE 107.6 Computing state values for join and decision nodes.
{p=
, L=
}
{p=
, L=
}
p=L
1. { p =
, L=
}
2. { p =
, L=
}
F p =/ NULL { p = NULL , L =
T
{ p = nonNULL, L =
}
}
p->v == n
T b = FALSE { p = nonNULL, L =
F p = p->next }
{p=
{p=
, L=
, L=
}
}
FIGURE 107.7 Calculated state values for sample program.
Figure 107.7 shows the control flow graph for the sample program with edges labeled with computed state values for the pointer variables p and L. All edges are initially labeled {p = ⊥, L = ⊥} except for the first arc, where we assume L has value . The first time the arc leaving the while statement’s join node is reached, the state value is the set labeled “1” in Figure 107.7. This set of values results from the union of the output state of the assignment statement p = L and the default program state corresponding to the output state of the if statement’s join node. while join
{p = , L = } ∩ {p = ⊥, L = ⊥} = {p = , L = }
© 2004 by Taylor & Francis Group, LLC
Interpreting the while statement’s decision node creates two states: Test succeeds {p = , L = } ∩ {p = nonNULL, L = } = {p = nonNULL, L = } Test fails {p = , L = } ∩ {p = NULL, L = } = {p = NULL, L = } Since p has value nonNULL before being dereferenced in the expression p → next, the dereference operation yields the value which is bound to p in the assignment statement. At the if statement’s join node, the union of two input states creates the output value. if join
{p = nonNULL, L = } ∩ {p = , L = } = {p = , L = }
The output statement of the if statement’s join node is unioned with the output state of the assignment p = L, yielding the state labeled “2” at the while statement’s join node. Since this state is identical to the
previous state at this point, we have reached a fixpoint and the computation ceases. We can now check that both pointer dereferences (i.e., p →v and p →next) occurs in input state where p has the value nonNULL, so we know no NULL-value pointers are dereferenced. Static checkers have difficulty dealing with pointer variables. General properties involving pointers are more easily verified at run time. Two such properties are freedom from memory access errors or memory leaks. A memory access error occurs when a reference containing a valid address for a block of storage which has already been freed is used to read from or write to the address. A memory leak occurs when storage is allocated but not freed before the last reference to it is lost. The following program illustrates these problems. void leak(){ node* q = new node; // the storage referenced by q is a memory leak } void remove (node* p){ delete p; //p is a reference to freed memory } void main(){ node* p = new node; p→data = 3; remove(p); p→data = 4; leak(); } In procedure remove, the storage referenced by p is freed, but p retains its value. When remove returns, p is dereferenced to store a value in one of the freed memory locations. When procedure leak is called, q is assigned the address of newly allocated storage. When leak returns, q’s storage is reclaimed but the storage it referenced remains allocated. Over time, the build-up of state caused by memory leaks can lead to program crashes. Tools (e.g., Purify [Hasting and Joyce 1992]) redefine memory management routines to record information needed to check these properities. A table corresponding with a single bit for each byte of memory can be used to determine if a memory location is allocated or not. Accesses to unallocated memory are reported. Standard mark and sweep algorithms for garbage collection are modified to detect memory leaks. The mark phase recursively follows pointers from the stack and marks referenced heap locations. This phase is conservative because pointers cannot be distinguished from other data, and an integer with a value that appears to be a valid address will cause freed data to be erroneously marked. The sweep phase steps through the heap and reports blocks that are no longer referenced. By labeling each block with the return address of the the functions on the call stack, useful diagnostics about offending statments can be printed. © 2004 by Taylor & Francis Group, LLC
107.4.2 Specific Properties Floyd [Floyd 1967] introduced assertional reasoning for sequential programs represented as flowcharts. Hoare formulated this as a logic for program test. A Hoare-triple has the form {P }S{Q}, where P and Q are assertions about program states, and S is a statement. This expression is interpreted as “If P , called the precondition, is true before executing S and S terminates normally, then Q, called the postcondition, will be true.” This concept is called “partial” correctness because S’s termination is not guaranteed. 107.4.2.1 Axioms and Rules of Inference The assignment axiom schema: Assignment:
P yx x = y{P }
defines the effect of the assignment statement on postcondition P . That is, if we want P to be true after executing the assignment statement x = y, then P yx , P with all free (i.e., unquantified) occurrences of x replaced by y must be true before executing the assignment. The assignment axiom is a schema that must be instantiated for individual assignment statements. For example, {y − 1 ≥ 0} x = y − 1 {x ≥ 0}. The assignment axiom allows us to calculate an assertion which describes the set of input states for which the assignment statement will produce the desired result if it terminates. Thus, if we want x ≥ 0 to hold in all program states after x = y − 1 terminates, y ≥ 1 must hold in all states before this statement executes. Results for verifying two statements are composed using the following rule of inference: Composition:
{P }S1 {Q}, {Q}S2 {R} {P }S1 ; S2 {R}
If the formula above the line (the antecedent) is true, then we may conclude that the statement below the line (the consequent) is true. The rule of composition allows us to combine the results of executing two statements to conclude that if P is true and the execution of S1 followed by S2 terminates normally, then R will be true. To reach this conclusion, the antecedent requires us to show that the postcondition of S1 is the same as the precondition of S2 . The postcondition of one statement is rarely identical to the precondition of another state, so we have rules of consequence to weaken the postcondition or strengthen the precondition of a statement. The rules of consequence build on predicate logic rules of inference. Rules of consequence:
{P }S{R}, R → Q
P → R, {R}S{Q}
{P }S{Q}
{P }S{Q}
Each programming language statement has a separate rule of inference. If statement1 : If statement2 : While statement:
{P ∧ B} S {Q}, P ∧ ∼ B → Q {P } if B then S{Q} {P ∧ B} S1 {Q},
{P ∧ ∼ B} S2 {Q}
{P } if B then S1 else S2 {Q} {P ∧ B} S {P } {P } while B do S {P ∧ ∼ B}
A rule of inference captures the statement’s semantics. For example, to conclude the consequent of If statement2 , we have to show that for each execution path through the statement that if we start execution with assertion P being true and execution of the path terminates normally, then assertion Q will be true. On one path, we assume P and B are true before S1 is executed, and on the other path we assume P and ∼ B are true before S2 is executed. Each of these paths appears in the left half of Figure 107.8. Defining a rule for the while statement is more difficult because the number of paths to verify is potentially infinite. © 2004 by Taylor & Francis Group, LLC
FIGURE 107.8 Flow of control for if and while statements.
The while statement rule of inference resorts to induction to solve this problem. We assume a property P (called the invariant) is true when the while statement begins execution and show that it is still true when S terminates normally. We conclude that P is true after zero or more executions of S, and that B must be false when the statement terminates. 107.4.2.2 Verifying a Small Program Consider the following example of a Hoare-style proof of partial correctness of a program which uses repeated subtractions to compute the remainder (r) and quotient (q) obtained be dividing the integer x by the integer y: {x ≥ 0 ∧ y > 0} q = 0; r = x; while y ≤ r do { r = r - y; q = q + 1; } {x = r + y* q ∧ 0 ≤ r ∧ r < y} The postcondition characterizes the desired relationship between values in order for r and q to represent the remainder and quotient, respectively. For the postcondition to be true, it must be so as a result of application of the while rule of inference. To apply the rule, we must identify the loop invariant (P ) in the rule’s antecedent. One way to do this is to “remove” ∼ B from the postcondition and check if the remainder of the postcondition is invariant. Since B is y ≤ r, ∼ B is y ¿ r or r ¡ y, and P is x = r + y × q ∧ 0 ≤ r. Hence the inference rule which could be applied would be: {x = r + y × q ∧ 0 ≤ r ∧ r ≥ y} r = r - y; q = q + 1 {x = r + y × q ∧ 0 ≤ r} {x = r + y × q ∧ 0 ≤ r } while r ≥ y do {r = r - y ; q = q + 1} {x = r + y × q ∧ 0 ≤ r ∧ r < y}
© 2004 by Taylor & Francis Group, LLC
To establish the antecedent to the while rule, we use the assignment axiom for each assignment statement to calculate the property which must be true before each is executed. {x = r + y × (q + 1) ∧ 0 ≤ r} q = q + 1 {x = r + y × q ∧ 0 ≤ r} {x = (r - y) + y × (q + 1) ∧ 0 ≤ r - y} r = r - y {x = r + y × (q + 1) ∧ 0 ≤ r}
The precondition of the first assignment statement can be simplified from (r - y) + y × (q + 1) to r - y × q. The rule of inference for composition can be applied to compose the results of the assignment axioms: {x = (r - y) + y × (q + 1) ∧ 0 ≤ r - y} r = r - y {x = r + y × (q + 1) ∧ 0 ≤ r}, {x = r + y × (q + 1) ∧ 0 ≤ r} q = q + 1 {x = r + y × q ∧ 0 ≤ r} {x = r - y × q ∧ 0 ≤ r - y} r = r - y; q = q + 1 {x = r + y × q ∧ 0 ≤ r}
Now, using a rule of consequence, we can show that the invariant is maintained by demonstrating that P ∧ B implies the precondition of the consequent of the composition rule. (x = r + y × q ∧ 0 ≤ r ∧ r ≥ y) → (x = r - y × q ∧ 0 ≤ r - y), {x = r - y × q ∧ 0 ≤ r - y} r = r - y; q = q + 1 {x = r + y × q ∧ 0 ≤ r} {x = r + y × q ∧ 0 ≤ r ∧ r ≥ y} r = r - y; q = q + 1 {x = r + y × q ∧ 0 ≤ r}
We observe that 0 ≤ r - y is true because r ≥ y. This establishes the antecedent of the while rule of inference. Now we must determine whether or not the initialization steps in the program make the precondition of the while statement’s consequent true. We use the assignment axiom twice to calculate the the property which must be true before each is executed. {x = x + y × q ∧ 0 ≤ x} r = x {x = r + y × q ∧ 0 ≤ r} {x = x + y × 0 ∧ 0 ≤ x} q = 0 {x = x + y × q ∧ 0 ≤ x}
After simplifying x = x + y × 0 to true, we use the rule of inference for composition first to compose the results of the two assignment axioms: {0 ≤ x} q = 0 {x = x + y × q ∧ 0 ≤ x}, {x = x + y × q ∧ 0 ≤ x} r = x {x = r + y × q ∧ 0 ≤ r} {0 ≤ x} q = 0; r = x {x = r + y × q ∧ 0 ≤ r}
and then to compose this result with that of the while rule of inference: {0 ≤ x} q = 0; r = x {x = r + y × q ∧ 0 ≤ r}, {x = r + y × q ∧ 0 ≤ r} while r ≥ y do { r = r - y; q = q + 1 } {x = r + y × q ∧ 0 ≤ r ∧ r < y} {0 ≤ x} q = 0; r = x; while r ≥ y do { r = r - y; q = q + 1 } {x = r + y × q ∧ 0 ≤ r ∧ r < y}
We use a rule of consequence to show that the program’s precondition is stronger than the property we have calculated and must be true before executing the program in order to make the program’s postcondition true. (x ≥ 0 ∧ y > 0) → 0 ≤ x, {0 ≤ x} q = 0; r = x; while r ≥ y do {r = r - y; q = q + 1} {x = r + y × q ∧ 0 ≤ r ∧ r < y} {x ≥ 0 ∧ y > 0} q = 0; r = x; while r ≥ y do {r = r - y; q = q + 1} {x = r + y × q ∧ 0 ≤ r ∧ r < y}
© 2004 by Taylor & Francis Group, LLC
107.4.2.3 Program Termination The stated precondition for the program (x ≥ 0 ∧ y ¿ 0) is more restrictive (i.e., describes a smaller set of program states) than the precondition (x ≥ 0) we calculated was necessary for the program to execute and produce a set of states satisfying its postcondition. The difference between these assertions highlights the difference between partial and total program correctness. For states satisfying the calculated precondition but not the original precondition (i.e., those in which x ≥ 0 ∧ y ≤ 0), the program would produce the desired result if it halted, but it does not. When values of y which are less than or equal to 0 are subtracted from r, the difference between r and y does not decrease, so the while statement fails to terminate. To demonstrate that the while statement “while B do S” terminates, we show that B must eventually evaluate to false. To do this, we derive an expression from B whose value is bounded below by 0, and we show that on each path through S the value of the expression decreases. Since it has a lower bound, the expression cannot decrease infinitely, so the while statement must terminate. In our example program, we want to show that r ≥ y cannot remain true indefinitely. We can form a termination test expression by subtracting y from both sides of the while statement predicate to obtain r - y ≥ 0. There is only a single path in S on which r is decremented by y. As long as y is positive, r - y will decrease and the while statement will terminate. Thus, we add the assertion y ¿ 0 to the calculated assertion x ≥ 0 to guarantee total correctness. 107.4.2.4 Advanced Language Features 107.4.2.4.1 Arrays Proofs of programs manipulating scalar variables are relatively straightforward. However, to prove realistic programs, axioms and rules of inference must be devised for all language features. In this section, we discuss arrays and procedure calls, two features that complicate verifications. Using the axiom of assignment to reason about assignments to variables which are array elements can lead to unsound reasoning. The following code fragment assigns the value 4 to a[i] and a[j] because the first assignment statement ensures that i and j have identical values. i = j; a[i] = 3; a[j] = 4; However, using the axioms and rules of inference introduced thus far, we can prove that no matter in what state the program begins execution (i.e., the precondition is true) this code fragment finishes execution with the postcondition a[i] ¡ a[j]. {true} i = j; {3 < 4} a[i] = 3; {a[i] < 4} a[j] = 4; {a[i] < a[j]}. To avoid this problem, we need to consider an array as a function which maps its indices to values, and an assignment statement as an operation which assigns a new function to the array. For example, a[i] = 3 assigns a new function to the array a which is identical to the old function except that it maps i to 3. That is,
(a,i,x)[j] =
x when i = j a[j] when i / = j
Using this definition, we can work out the value of subscripted array expressions, e.g., ((a, 3, x), 4, y)
[3] = (a, 3, x) [3] = x. Our new assignment axiom schema is
Array assignment:
a P(a,i,x) a[i ] = x{P }
With this new axiom and the previous rules of inference, we can reason safely about programs which alter arrays. {(a,j,4)[i] < (a,j,4)[j]} a[j] = 4; {a[i] < a[j]} We can simplify (a, j, 4)[j] to 4 using the definition of and continue our verification. {((a,i,3),j, 4)[i] < 4} a[i] = 3; {(a,j,4)[i] < 4} {((a,j,3),j,4)[j] < 4} i = j; {((a,i,3),j,4)[i] < 4} Simplifying ((a, j, 3), j, 4)[j] yields the value 4. Thus there are no states in which the program begins execution (i.e., the precondition 4 < 4 is false) for which this code fragment finishes execution with the postcondition a[i] ¡ a[j]. © 2004 by Taylor & Francis Group, LLC
107.4.2.4.2 Procedure Invocations In verifications involving procedures, our goal is to verify a procedure’s body once, and then use this result at each point at which the procedure is invoked. We have two new rules of inference for procedures: one rule handles the substitution of actual parameters for formal parameters, and the other rule relates the procedure’s precondition and postcondition to the assertion which must be true after the procedure’s invocation [Hoare 1971]. If all our parameters are passed by reference, we can use the following simplified rule of substitution:
Substitution:
{R} p( f ){S} Rkk ax
p(a) Skk
x a
where f and a are the lists of formal and actual parameters, respectively. The procedure’s body may not reference nonlocal variables, and each variable in a must be unique. Symbols which are free in R and S but do not appear in the actual parameter list (i.e., k) are renamed. The rule’s antecedent requires verification of the procedure’s body once using the names of formal parameters. A procedure’s postcondition is rarely identical to the assertion which must be true after the call, since the procedure may be called from many different locations. Thus we need a rule similar to the rule of consequence to adapt the results of the procedure body to the different assertions needed to hold after invocations.
Adaptation:
{R} p(a){S} {∃k (R ∧ ∀a(S → T ))} p(a){T }
In this rule, the names of actual parameters have a different meaning in R than they do in S and T . The name of a parameter in R represents a value before the call, but the same name in S or T represents a value after the call. These values may be different because parameters are transmitted by reference and may be changed by the procedure’s body. Names of actual parameters are free variables in R and universally quantified variables in S and T . Thus even if name appears in R and S or T , its meaning is different. Initial values of variables often appear in a procedure’s precondition or postcondition, but not in a or T . These names are existentially quantified because some such value must exist. By way of example, assume we have verified the body of a procedure swap(x, y) whose precondition is {x = x’ ∧ y = y’} and whose postcondition is {x = y’ ∧ y = x’} , and we want to verify the following code fragment. {true} a = 1; b = 2; swap(a, b); {a = 2 ∧ b = 1} Having verified the body of swap, we can use the rule of substitution to replace swap’s formal parameters with the actual parameters of the call. {x = x' ∧ y = y'} swap(x, y) {x = y' ∧ y = x'} {a = x' ∧ b = y'} swap(a, b) {a = y' ∧ b = x'}
Substitution’s consequent is the antecedent of the rule of adaptation. When we apply adaptation we need to existentially quantify x’ and y’(the initial values of a and b in the precondition), and universally quantify a and b (the values of the parameters after the call). {a = x' ∧ b = y'} swap(a, b) {a = y' ∧ b = x'} {∃, x', y' (a = x' ∧ b = y' ∧ (∀ a, b, (a = y' ∧ b = x') → (a = 2 ∧ b = 1))} swap(a, b) {a = 2 ∧ b = 1}
© 2004 by Taylor & Francis Group, LLC
We can pick values for x’ and y’ (e.g., x’ = 1 and y’ = 2) to simplify the precondition of the adaptation rule’s consequent. (a = 1 ∧ b = 2 ∧ (∀ a,b, (a = 2 ∧ b = 1) → (a = 2 ∧ b = 1))) Clearly, this precondition is established by the sequence of assignment statements. 107.4.2.4.3 User-Defined Data Types Modern programming languages provide special constructs such as classes to implement user-defined data types. These constructs are specifically designed to hide the representation of a value of the type from users who manipulate values of the type only through operations provided by the special constructs. Hoare [Hoare 1972] divided the verification of such programs into two parts. 1. Each operation’s preconditions and postconditions are specified using values and operations from well-defined mathematical domains (e.g., sets or lists), and user-level code is verified with these assertions. 2. A representation mapping is defined to relate implementation-level values (e.g., arrays or linked representations) to user-level values. User-level variables in preconditions and postconditions are replaced by the corresponding mapped implementation-level variables, and the implementations of the operations are verified using the techniques described in the previous section. Guttag et al. [1985] replaced model-oriented, user-level specifications with property-oriented specifications. Property-oriented specifications describe aspects of values in terms of properties they possess. In this approach, called algebraic specification, properties of operations of user-defined types are defined in terms of how they interact with each other. Algebraic Specifications. Algebraic specifications have syntactic and semantic parts. The syntactic description, often referred to as the type’s signature, describes the domains and ranges of the type’s operations. For example, some operations on objects of type “stack of integer” are listed below. estack push pop top empty depth =
→ Stack Stack × integer → Stack Stack → Stack Stack → natural Stack → Boolean Stack → natural Stack × Stack → Boolean
Axioms describe the meanings of operators in terms of how they interact with one another. Axioms appear as equations; each left side contains a composition of operators manipulating implicitly universally quantified variables, and each right side contains a description of how the composition behaves in terms of the type’s operators and simple “if-then-else” expressions. The axioms for the operations of type Stack appear below. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
pop(estack) pop(push(S, X)) top(estack) top(push(S, X)) empty(estack) empty(push(S, X)) depth(estack) depth(push(S, X)) T = estack T = push(S, X)
= = = = = = = = = =
estack S 0 X true false 0 depth(S) + 1 depth(T) = 0 top(T) = X ∧ pop(T) = S
where S and T are objects of types Stack, and X is an integer. Axiom 2 describes the value computed by pushing an arbitrary value on Stack S followed by popping the resulting Stack object as being equal
© 2004 by Taylor & Francis Group, LLC
to the original value of S. Pushing a value on a Stack object increases the depth of the object by one according to Axiom 8. Axiom 10 asserts that Stacks T and push(S, X) are equal if their respective top values (top(T) and X) and remaining values (pop(T) and S) are equal. We can use equational reasoning, replacing a term with an equal term, to validate that the axioms behave as intended. For example, we could check that popping a nonempty Stack object decreases its depth by picking a particular Stack object (e.g., push(estack, X)) and reasoning equationally as follows: Term
Axiom
(∼(push(estack, X) = estack)→(depth(pop(push(estack, X)))
9
(∼(depth(estack) + 1 = 0)→(depth(pop(push(estack, X)))
8
(∼(0 + 1 = 0)→(depth(pop(push(estack, X)))
7
true→(depth(pop(push(estack, X)))
1= /0
true→(depth(estack)
2
true→(0
7
true→(0
8
true→(0<0 + 1)
0<1
true→true
Axioms are inconsistent when an operation is overspecified. This occurs when two rules can be used to rewrite the same combination of arguments to different values. For example, if we added the following axiom: top(pop(push(S, X))) = X to our previous axioms we would be able to rewrite the term top(pop(push(estack, 5))) to two different values. top(pop(push(estack, 5))) ⇒ 5 top(pop(push(estack, 5))) ⇒ top(estack) ⇒ 0
New axiom Axiom 2 then 3
Overspecification can be detected by a superposition algorithm [Knuth and Bendix 1970] which uses unification to detect overlapping axioms which produce different results. Axioms are incomplete when an operation is underspecified (i.e., when no rule can be used to rewrite some combination of arguments). The specification of a type is sufficiently complete, if it assigns a value to each term of the type [Guttag and Horning 1978]. All Stack values can be built by a finite number of compositions of push operations on estack values, since any stack either is empty or is obtainable by pushing some element on some other stack. Operations estack and push are called constructors, and the remaining operations are called defined operations. An algorithm exists for detecting underspecified operations [Huet and Hullot 1982]. The variables on the left side of each axiom must be unique, and a recursive test ensuring that all permutations of constructors may appear in the operation’s argument positions must succeed. This test would succeed for Stack’s pop operation for any of the following left sides of axioms: Left sides
Reason for success
{pop(estack), pop(push(S, X))} {pop(estack), pop(S)} {pop(S), pop(push(S, X))} {pop(S)}
All constructors S represents estack and push(S', X) S represents estack and push(S', X) S represents estack and push(S', X)
Of course, it is much easier to write the right sides of axioms for some of these sets of left sides than for others. The algorithm of Huet and Hullot works as follows. A set of n-tuples is formed from the n arguments which appear in each of the operation’s axioms. The set of arguments in the tuple’s first positions is constructed. The test fails if the set does contain either a variable or an instance of each constructor. © 2004 by Taylor & Francis Group, LLC
FIGURE 107.9 Verifying that pop’s axioms are not underspecified.
The n-tuple set is divided into subsets on the basis of which constructor appeared in the first position. Each of these sets is augmented by the set n-tuples with variables in the first position, since the variable could represent an instance of the particular constructor. Each tuple in the set for a constructor with p arguments is transformed as follows. If the first element of the tuple is the constructor, it is replaced by its p arguments forming a new n − 1 + p-tuple. If the first element of the tuple is a variable, it is replaced by p fresh variables forming a new n − 1 + p-tuple. The test is repeated on each new tuple subset, and succeeds for tuples of length zero. Figure 107.9 shows the results of applying the test to the Stack axioms which define pop. The initial set of tuples is {¡estack¿, ¡push(S, X)¿}. The set of arguments in the first positions of these tuples contains an instance of each constructor, so we continue by dividing the set and constructing new tuples. The set of new tuples formed from the tuples with estack in the first position is {¡ ¿}, while the set formed from tuples with push in the first position is {¡S, X¿}. The test succeeds for the zero-length tuple. For {¡S, X¿}, the set of arguments in the first position contains a variable, so we form the new set of tuples {¡X¿}. Repeating the step once more leads to a set of zero-length tuples. If one of push’s arguments had not been a variable (e.g., push(estack, X)), the algorithm would fail because we could not determine a meaning for some terms (e.g., pop(push(push(estack), 1), 2)). To validate sets of axioms, we change each equation of the form t1 = t2 into a rewrite rule of the form t1 ⇒ t2 . A rewrite rule allows the replacement of an instance of t1 with the corresponding instance of t2 , but it forbids replacement in the opposite direction. Orienting equations transforms an algebraic specification into a term rewriting system [Dershowitz and Jouannaud 1990] that supports automated verification and validation. Two crucial properties must hold when equations are oriented. Two terms provably equal by equational reasoning should have a common third term to which both can be rewritten. This property is referred to as confluence or Church–Rosser. Also, there should be a finite number of rewriting steps that can be applied to a term. This property is referred to as termination or Noetherianity. To ensure the confluence of a constructor-based specification it is sufficient to avoid overspecification. To ensure sufficient completeness it is necessary, but not sufficient, to avoid underspecification. Although underspecification and overspecification can be checked, the termination of a rewrite system is undecidable [Dershowitz 1987]. Term rewriting allows us to verify that a property is true for all values of a type rather than just testing that the property holds for particular values. However, when we try to verify that popping a nonempty Stack object decreases its depth for an arbitrary Stack value S0, we quickly reach a point where no more rewriting can be performed. (∼(S0 = estack) → (depth(pop(S0)) < depth(S0))) = true (∼(depth(S0) = 0)) → (depth(pop(S0)) < depth(S0))) = true © 2004 by Taylor & Francis Group, LLC
Equations that cannot be proved by just rewriting may be proved by structural induction [Burstall 1969] or data type induction [Guttag et al. 1978]. Using such techniques, inductive variables are replaced by terms derived from their type’s constructors and inductive hypotheses are constructed. If F is a formula to be proved and v is the inductive variable, then for every constructor c (s 1 , . . . , s n ) we prove F [c (v 1 , . . . , v n )/v], where each v i is a distinct Skolem constant. If s i = s , then F [v i /v] is an inductive hypothesis for the proof. Our sample proof proceeds by induction on S0 with two cases: one with S0 replaced by estack with no new inductive hypothesis since estack has no arguments, and another with S0 replaced by push(S1, X) in which we assume the original formula with S0 replaced by S1 as the inductive hypothesis. imply(negate(depth(S0) = 0))→(depth(pop(S0)) < depth(S0)))
=
true
(∼((depth(estack) = 0))→(depth(pop(estack)) < depth(estack))) (∼(0 = 0) → (depth(pop(estack)) < depth(estack))) (∼(true) → (depth(pop(estack)) < depth(estack))) (false → (depth(pop(estack)) < depth(estack))) (false → (depth(estack) < depth(estack))) (false → 0 < 0) (false → false) true
= = = = = = = =
true true true true true true true true
Case S0 = push(S1, X) Inductive hypothesis: (∼(depth(S1) = 0)→(depth(pop(S1)) < depth(S1)))
=
true
=
true
= = = = = =
true true true true true true
Case S0 = estack
(∼((depth(push(S1, X)) = 0))→(depth(pop(push(S1, X))) < depth(push(S1, X)))) (∼((succ(depth(S1)) = 0))→(depth(pop(push(S1, X))) < depth(push(S1, X)))) (∼(false) → (depth(pop(push(S1, X))) < depth(push(S1, X)))) (true → (depth(pop(push(S1, X))) < depth(push(S1, X)))) (true → (depth(S1) < succ(depth(S1)))) (true → true) true
107.4.2.4.4 Verifying User-Level Programs Having defined type Stack, we can use the operations of type Stack in the preconditions and postconditions of the procedures of the implementation. In the example below, identifier s represents each operation’s implicit first formal parameter of type Stack. The specification of Push states that if the value of s before invocation is the term s’ and Push terminates normally, then the value of s after Push will be equal to the term push(s’, x) class Stack { private: int* v; int top; public: void Push(int x) { /* pre: s = s'; post: s = push(s', x) */ ... void Pop( ); /* pre: ∼empty(s') ∧ s = s'; post: s = pop(s') */ ... }; © 2004 by Taylor & Francis Group, LLC
Using the rules of inference for procedure call, we can verify the following code fragment using the stated preconditions and postconditions. {s = A} s.Push(x); s.Pop(); {s = A} First we use the rule of adaptation, to relate pop’s precondition and postcondition to the program’s postcondition. {∼empty(s') ∧ s = s'} pop(s) {s = pop(s')} {∃ s' (∼empty(s') ∧ s = s' ∧ (∀ s, s = pop(s')→ s = A))} pop(s) {s = A}
Picking s’ = push(A,x) permits us to begin simplifying the precondition of the adaptation rule’s consequent. Term
Axiom
(∼empty(push(A, x)) ∧ s = push(A, x) ∧ (∀ s, s = pop(push(A, x)) → s = A)) ⇒ (∼empty(push(A, x)) ∧ s = push(A, x) ∧ (∀ s, s = A → s = A)) ⇒ (∼false ∧ s = push(A, x)) ⇒ s = push(A, x)
2 6
Since s = push(A, x) → (∃ s’ (∼empty(s’) ∧ s = s’ ∧ (∀ s, s = pop(s’) → s = A))) we use a rule of consequence to conclude: {s = push(A, x) → (∃ s' (∼empty(s') ∧ s = s' ∧ (∀ s, s = pop(s'))), (∃ s' (∼empty(s') ∧ s = s' ∧ (∀ s, s = pop(s') → s = A)))} pop(s) {s = A} {s = push(A, x)} pop(s) {s = A}
Applying the rule of adaptation to the invocation of the push operation results in the following rule of inference. {s = s'} push(s, x) {s = push(s', x)} {∃ s' (s = s' ∧ (∀ s, s = push(s', x) → (s = push(A, x))} push(s, x) {s = push(A, x)}
Picking s’ = A permits us to simplify the previous precondition to S = A. Using rules of consequence and composition, we conclude: {s = A} push(s, x) {s = push(A, x)}, {s = push(A, x)} pop(s) {s = A} {s = A} push(s, x); pop(s) {s = A}
107.4.2.4.5 Verifying Implementation-Level Programs In the second part of verifying implementations of user-defined data types, implementations manipulating concrete objects must satisfy preconditions and postconditions containing terms defined by the axioms. The implementation of the Stack operation Push is shown below: void Push(int x) { /* pre: s = s'; post: s = push(s',x) */ s.top = s.top + 1; s.v[s.top] = x; } Hoare [1972] introduced representation mappings to map implementation-level objects to their corresponding user-level objects. In the implementation of type Stack, an instance s of type Stack consisted of an array of integers s.v and an integer s.top indicating the topmost value. To verify the correctness of an © 2004 by Taylor & Francis Group, LLC
implementation of type Stack we define a representation mapping A which maps an array and an integer to its corresponding user-level value. A(s.v, 0) A(s.v, s.top + 1)
1. 2.
= =
estack push(A(s.v, s.top), s.v[s.top + 1])
We replace instances of the user-level value s with corresponding instances of mapped implementationlevel values. The proof obligation for Push is {A(s.v, s.top) = s'} s.top = s.top + 1; s.v[s.top] = x; {A(s.v, s.top) = push(s', x)} After using axioms of assignment (for both scalar and array values) and composition, the final step in the verification is an application of a rule of consequence. A(s.v, s.top) = s' → (A((s.v, s.top + 1, x), s.top + 1) = push(s', x)), {A((s.v, s.top + 1, x), s.top + 1) = push(s', x)} s.top = s.top + 1; s.v[s.top] = x; {A(s.v, s.top) = push(s', x)} {A(s.v, s.top) = s'} s.top = s.top + 1; s.v[s.top] = x; {A(s.v, s.top) = push(s', x)}
To show that the antecedent is true, we need to axiomatize the array assignment and subscript operations: 1. newarray[J] = 0 2. (A,I,X)[J] = (if I = J then X else A[J]) We continue using term rewriting: Term
Axiom
A((s.v, s.top + 1, x), s.top + 1) ⇒ push(A((s.v, s.top + 1, x), s.top), (s.v, s.top + 1,x)[s.top + 1]) ⇒ push(A((s.v, s.top + 1, x), s.top), (if s.top + 1 = s.top + 1 then x else s.v[s.top + 1])) ⇒ push(A((s.v, s.top + 1, x), s.top), x)
Map 2 Array 2 x = x
At this point, we need to reduce A((s.v, s.top + 1, x), s.top) to A(s.v, s.top) to achieve equality. Since the representation mapping only maps values s.v[i] for values of i in the range 1 ≤ i ≤ s.top, we can reach this conclusion by proving the following theorem. Term (i (i (i (i (i
< < < < <
s.top s.top s.top s.top s.top
+ + + + +
1 1 1 1 1
→ ((s.v, s.top + → (if s.top + 1 = → (if s.top + 1 = → (if s.top + 1 = ∧ s.top + 1 = i →
1,x)[i] = s.v[i])) i then x else s.v[i]) = s.v[i]) i then x = s.v[i] else s.v[i] = s.v[i])) i then x = s.v[i] else true)) x = s.v[i]) ∧ (i < s.top + 1 ∧ ∼ (s.top + 1 = i) → true) (false → x = s.v[i]) ∧ (i < s.top + 1 ∧ ∼ (s.top + 1 = i) → true) true ∧ (i < s.top + 1 ∧ ∼ (s.top + 1 = i) → true) true ∧ true
107.5 Current Status General properties of programs, particularly that variables are initialized before they are used and that no invalid memory references or memory leaks occur, are easy to check automatically. However, verification of the most problem-specific properties is still carried out manually by inspections. As a result, unqualified guarantees about properties cannot be made because the software artifacts inspected may contain deficiencies or the inspectors may not have been thorough enough to find obscure failures. © 2004 by Taylor & Francis Group, LLC
Verifying specific properties of programs has proved too difficult a task for the average software developer. Program proofs are often more detailed than the programs being verified. When proofs are done manually, they are subject to the same human fallibilities that plague inspections. Automated support for theorem proving includes verification condition generators which apply rules of inference to produce the set of theorems which need to be proved manually by rules of consequence, proof checkers which check that steps in a proof are justified by lemmas from an existing library, and deductive systems which search for proofs by means of simplifications (like term rewriting) and heuristics for generating inductive proofs of necessary lemmas. Theorem provers eliminate errors of omission, but they require proofs of many low-level, uninteresting lemmas. However, skilled users have used theorem provers to verify complex problems such as a Byzantine fault-tolerant algorithm for synchronizing clocks in replicated computers [Rushby and von Henke 1993]. Such proofs have generally been carried out only for safety-critical applications because even automated proofs require highly skilled experts who know how to use a theorem prover and understand the application domain. Model checking has proven successful in the design of hardware; it has been used to find bugs in pipelined microprocessors [Burch and Dill 1994] and cache coherence protocols [Clarke et al. 1986]. More recently it has been used to analyze software artifacts, e.g., software architecture designs [Allen and Garlan 1994] and editors [Jackson and Damon 1996], and distributed file system cache coherence protocols [Wing and Vaziri-Farahani 1995]. Software developers may be more likely to understand a proof technique like model checking, which is based on search and which produces counter-examples when proofs fail, than a technique based inductive theorem proving. Model checking an abstraction of a system rather than the system itself raises the level at which we apply formal verification. The key to success in these endeavors is creating an appropriate abstraction of a system so that results obtained from analyzing the abstraction also apply to the system.
Defining Terms Abstract interpretation: The abstract interpretation of a program is a symbolic interpretation of the program using abstract values rather than actual values. Abstract values represent sets or ranges of actual values, and operators are redefined to manipulate abstract values. At program decision points, separate copies of the program state are created, corresponding to the true and false outcomes of the predicate, and computation continues along each path with the different states. At program join points, values of the states computed along different computation paths are unioned to produce a single state. The union operation for joins must reduce the number of distinct values in the program state in order to compute a fixpoint approximation of the state. Confluence: A term-rewriting system is confluent if a term t can be rewritten into different forms t1 and t2 , then we can prove by rewriting that t1 = t2 . For example, the term top(push(pop(push (estack, 1)), 2) can be rewritten as either 2 using stack axiom 4 or as top(push(estack, 2)) using stack axiom 2. We can show these two terms are equal by applying stack axiom 2 to the later term. Garbage collection: Programming languages that do not require users to explicitly free unneeded storage reclaim this storage through a process called garbage collection. Storage is identified as unneeded (i.e., garbage) when there are no pointers to it. Determining if pointers reference a storage location can be accomplished by reference counting (i.e., explicitly keeping track of the number of pointers to the location) or tracing (i.e., starting with variables on the stack, mark heap locations they reference, and continue marking other heap locations reachable from marked heap locations). The collector either copies reachable values to new storage locations to create a large unmarked region or consolidates adjacent unmarked regions and creates a list of free storage. Hazardous state: A hazardous state is one in which the occurrence of certain events would lead to a mishap. Least fixpoint: A fixpoint of a function f : T → T is an element t ∈ T such that f (t) = t. A least fixpoint of f is the least element of the set of all fixpoints of f . Memory leak: A memory leak occurs when storage is allocated but not freed before the last reference to it is lost. Memory leaks may cause long-running programs to crash when storage allocation requests © 2004 by Taylor & Francis Group, LLC
fail because of insufficient memory. The storage allocation request triggering the program crash may not be part of a memory leak, so identifying the cause of a memory leak is difficult. Partial correctness: A program which meets its specification for all specified input values for which it terminates is called partially correct. A program which is partially correct and which terminates for all its inputs is said to be totally correct. Reachability analysis: In reachability analysis, a graph representing the states and state-transitions of a system is constructed and exhaustively searched to determine if states with particular properties are reachable. Skolem constant: An automated theorem prover simplifies a formula by replacing a universally quantified variable with a symbolic constant (called a Skolem constant) which represents an arbitrary value of the same type as the variable. For example, if x is a natural number, to prove (∀x, x > 0), picking a particular natural number to substitute for x might make the formula either true or false. Instead, we pick an arbitrary constant c and try to prove the quantifier-free formula c > 0. Software inspections: Software artifacts are usually verified by people using informal analysis techniques called inspections. In inspections, teams of software developers either follow sequences of state changes or possible execution paths resulting from a particular series of events or inputs, or, using a checklist of potential errors, determine if similar errors are present in the artifact. Temporal logic: A temporal logic is a propositional logic with additional temporal operators to express concepts such as a formula will always be true in the future, or a formula will eventually be true in the future. The value of a temporal logic formula is defined with respect to a finite-state model. If formula f is true in state s of model M, we write M, s |= f . A formula f is true for the model if it is true in the model’s start state. Temporal logic allows reasoning about state changes rather than just the function computed by the program. Termination: To demonstrate that the while statement “while B do S” terminates, we show that B must eventually evaluate to false. To do this, we derive an expression from B whose value is bounded below by 0, and we show that on each path through S the value of the expression decreases.
References Allen, R. and Garlan, D. 1994. Formalizing architectural connection, pp. 71–80. In Proc. 16th Int. Conf. Software Eng. Burch, J. R. and Dill, D. L. 1994. Automatic verification of pipelined microprocessor control. In Lecture Notes in Computer Science 818, D. Dill, ed., pp. 68–80. Springer–Verlag. Burstall, R. 1969. Proving properties of programs by structural induction. Comput. J. 12(1):41–48. Clarke, E., Emerson, E., and Sistla, A. 1986. Automatic verification of finite state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst. 8(2):244–263. Clarke, E. M., Grumberg, O., Hiraishi, H., Jha, S., Long, D. E., McMillan, K. L., and Ness, L. A. 1990. Verification of the futurebus+ cache coherence protocol, pp. 15–30. In Proc. 11th Int. Symp. Comput. Hardware Description Lang. Appl. L. Claesen, ed., North-Holland, Amsterdam. Cousot, P. and Cousot, R. 1976. Static determination of dynamic properties of programs. In Proc. “Colloque sur la Programmation.” Cousot, P. and Cousot, R. 1977. Static determination of dynamic properties of generalized type unions. SIGPLAN Notices 12(3):77–94. Dershowitz, N. 1987. Termination of rewriting. J. Symb. Comput. 3:69–116. Dershowitz, N. and Jouannaud, J. 1990. Rewrite systems. In Handbook of Theoretical Computer Science B: Formal Methods and Semantics, J. van Leeuwen, ed. Ch. 6, pp. 243–320. North Holland, Amsterdam. Fagan, M. E. 1976. Design and code inspections to reduce errors in program development. IBM Syst. J. 15(3):182–211. Floyd, R. W. 1967. Assigning meaning to programs. Symp. Appl. Math. 19:19–32.
© 2004 by Taylor & Francis Group, LLC
Ghezzi, C., Jazayeri, M., and Mandrioli, D. 1991. Fundamentals of Software Engineering. Prentice–Hall, Englewood Cliffs, NJ. Guttag, J. V. and Horning, J. J. 1978. The algebraic specification of abstract data types. Acta Informatica 10:27–52. Guttag, J. V., Horning, J. J. and Wing, J. M. 1985. The Larch family of specification languages. IEEE Software 2(5):24–36. Guttag, J. V., Horowitz, E., and Musser, D. 1978. Abstract data types and software validation. Commun. ACM 21:1048–1064. Harel, D., Lachover, H., Naamad, A., Pnueli, A., Politi, M., Sherman, R., Shtull-Trauring, A., and Trakhtenbrot, M. 1990. Statemate: a working environment for the development of complex reactive systems. IEEE Trans. Software Eng. 16(4):403–414. Hastings, R. and Joyce, R. 1992. Purify: fast detection of memory leaks and access errors. In Proc. Winter 1992 USENIX Conf., pp. 125–136. Heitmeyer, C., Labaw, B., and Kiskis, D. 1995. Consistency checking of scr-style requirements specifications. In Proc. RE’ 95 Int. Symp. Req. Eng. Heninger, K. 1980. Specifying software requirements for complex systems: new techniques and their applications. IEEE Trans. Software Eng. SE-6(1):2–12. Hoare, C. A. R. 1971. Procedures and parameters, an axiomatic approach. In Symposium on the Semantics of Algorithmic Languages, E. Engler, ed., pp. 102–116. Springer–Verlag. Hoare, C. A. R. 1972. Proof of correctness of data representations. Acta Inf. 1(4):271–281. Huet, G. and Hullot, J.-M. 1982. Proofs by induction in equational theories with constructors. JCSS 25(1):239–266. Jackson, D. and Damon, C. A. 1996. Elements of style: analyzing a software design feature with a counterexample detector, pp. 239–249. In Proc. 1996 Int. Symp. Software Test. and Anal. (ISSTA). Knuth, D. E. and Bendix, P. B. 1970. Simple Word Problems in Universal Algebras, pp. 263–297. Pergamon, Oxford, U.K. Leveson, N. G., Heimdahl, M. P. E., Hildreth, H., and Reese, J. D. 1994. Requirements specification for process-control systems. IEEE Trans. Software Eng. 20(9):684–706. McMillan, K. L. 1993. Symbolic Model Checking. Kluwer Academic Publishers, Boston, MA. Pneuli, A. 1981. A temporal logic of concurrent programs. Theor. Comput. Sci. 13:45–60. Quielle, J. P. and Sifakis, J. 1981. Specification and verification of concurrent systems in cesar. In Proc. 5th Int. Symp. Program. Ratan, V., Partridge, K., Reese, J., and Leveson, N. 1996. Safety analysis tools for requirements specifications. In Proc. 11th Conf. Comput. Assurance. Rushby, J. 1993. Formal Methods and the Certification of Critical Systems. SRI International, Palo Alto, CA. Tech Rep. Rushby, J. M. and von Henke, F. 1993. Formal verification of algorithms for critical systems. IEEE Trans. Software Eng. 19(1):13–23. Wing, J. and Vaziri-Farahani, M. 1995. Model checking software systems: a case study, pp. 128–139. In Proc. 3rd Symp. Found. Software Eng. Young, M. and Taylor, R. N. 1989. Rethinking the taxonomy of fault detection techniques, pp. 53–62. In Proc. 11th Int. Conf. Software Eng.
Further Information The monthly journals IEEE Transactions on Software Engineering and ACM Transactions on Software Engineering and Methodology contain articles on software verification. Papers on this topic are frequently presented at the International Conference on Software Engineering, the ACM’s Foundations of Software Engineering, the ACM’s International Conference on Software Analysis and Testing, and the IEEE Conference on COMPuter ASSurance (COMPASS).
© 2004 by Taylor & Francis Group, LLC
Two recent books on the analysis of software systems are: Leveson, N. G. 1995. Safeware: System Safety and Computers. Addison–Wesley, Reading, MA. Rushby, J. 1995. Formal Methods and the Certification of Critical Systems. Cambridge University Press, Cambridge, U.K. Readers interested in automated analysis tools should investigate both automated theorem provers and model checkers. Representative theorem provers include the following: PVS (Prototype Verification System) is a theorem prover based on classical typed higher-order logic developed at the SRI International Computer Science Laboratory. EVES unites the Verdi specification language based on set theory and an automated deduction system, called NEVER. This system is available from Mark Saaltink and Dan Craigen of ORA, Ottawa, Ontario, Canada. LP, the Larch Prover, is an interactive theorem proving system for multisorted first-order logic. It was developed by Stephen Garland and John Guttag at the MIT Laboratory for Computer Science, Cambridge, MA. Interesting model checkers include: HyTech (The Cornell HYbrid TECHnology Tool) computes the condition under which a linear hybrid system satisfies a temporal requirement. Hybrid systems are specified as collections of automata with discrete and continuous components. The SMV (Symbolic Model Verifier) model checker verifies formulas written in a propositional branchingtime temporal logic. It is available from Ed Clarke at Carnegie Mellon University, Pittsburgh, PA. Murphi is a symbolic model checker developed by David Dill at Stanford University, Stanford, CA.
© 2004 by Taylor & Francis Group, LLC
108 Development Strategies and Project Management 108.1
Development Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 108-1 The Linear Sequential Model • The Prototyping Model • The RAD Model • Evolutionary Software Process Models
108.2
The Management Spectrum . . . . . . . . . . . . . . . . . . . . . . 108-11 People
108.3
•
The Problem
•
The Process
Software Project Management . . . . . . . . . . . . . . . . . . . . 108-14
Measurement and Metrics • Project Estimating • Risk Analysis • Scheduling • Tracking and Control
Roger S. Pressman R.S. Pressman & Associates, Inc.
108.4 108.5 108.6
Software Quality Assurance. . . . . . . . . . . . . . . . . . . . . . . 108-17 Software Configuration Management . . . . . . . . . . . . . 108-18 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108-18
Successful planning, control, and tracking of a software project is accomplished when a project manager defines an effective development strategy. Once the strategy has been established, software project management commences. The intent of this chapter is to: (1) describe the generic development strategies that are available to software project teams, and (2) present an overview of the tasks required to perform good software project management.
108.1 Development Strategies A development strategy for software engineering integrates a process model and the technical methods and tools that populate the model. A process model for software engineering is chosen on the basis of the nature of the project and application, the methods and tools to be used, and the controls and deliverables that are required. Four classes of process models have been widely discussed (and debated). A brief overview of each is presented in the sections that follow. All software development can be characterized as a problem-solving loop (Figure 108.1) in which four distinct stages are encountered: status quo, problem definition, technical development, and solution integration [Raccoon 1995]. Status quo represents state of the project; problem definition identifies the specific problem to be solved; technical development solves the problem through the application of some technology; and solution integration delivers the results (e.g., documents, programs, data, new business function, new product) to those who requested the solution in the first place.
© 2004 by Taylor & Francis Group, LLC
status quo
problem definition
status quo
technical development
solution integration
problem definition
technical development
status quo solution integration
FIGURE 108.1 The phases of a problem-solving loop [Raccoon 1995].
The problem-solving loop described above applies to software engineering work at many different levels of resolution. It can be used at the macro level when the entire application is considered, at a middle level when program components are being engineered, and even at the line of code level. In the sections that follow, a variety of different process models for software engineering are discussed. Each represents an attempt to bring order to an inherently chaotic activity. It is important to remember that each of the models has been characterized in a way that (one hopes) assists in the control and coordination of a real software project. Each represents a different development strategy, and yet, at their core, all of the models exhibit characteristics of the problem-solving loop described above.
108.1.1 The Linear Sequential Model Figure 108.2 illustrates the linear sequential model for software engineering. Sometimes called the “classic life cycle” or the “waterfall model,” the linear sequential model demands a systematic, sequential © 2004 by Taylor & Francis Group, LLC
FIGURE 108.2 The linear sequential model.
approach to software development that begins at the system level and progresses through analysis, design, coding, testing, and maintenance. Modeled after the conventional engineering cycle, the linear sequential model encompasses the following activities: system/information engineering and modeling, software requirements analysis, design, code generation, and testing and maintenance/reengineering. The linear sequential model is the oldest and the most widely used development strategy. However, criticism of the paradigm has caused even active supporters to question its efficacy [Hanna 1995]. Among the problems that are sometimes encountered when the linear sequential model is applied are the following: 1. Real projects rarely follow the sequential flow that the model proposes. Although the linear model can accommodate iteration, it does so indirectly. As a result, changes can cause confusion as the project team proceeds. 2. It is often difficult for the customer to state all requirements explicitly. The linear sequential model requires this and has difficulty accommodating the natural uncertainty that exists at the beginning of many projects. 3. The customer must have patience. A working version of the program(s) will not be available until late in the project time-span. A major blunder, if undetected until the working program is reviewed, can be disastrous. In an interesting analysis of actual projects [Bradac et al. 1994], Bradac found that the linear nature of the classic life cycle leads to “blocking states” in which some project team members must wait for other members of the team to complete dependent tasks. In fact, the time spent waiting can exceed the time spent on productive work! The blocking state tends to be more prevalent at the beginning and end of a linear sequential process. Each of these problems is real. However, the linear development strategy has a definite and important place in software engineering work. It provides a template into which methods for analysis, design, coding, testing, and maintenance can be placed.
108.1.2 The Prototyping Model Often, a customer defines a set of general objectives for software but does not identify detailed input, processing, or output requirements. In other cases, the developer may be unsure of the efficiency of an algorithm, the adaptability of an operating system, or the form that human–machine interaction should take. In these, and many other situations, a prototyping paradigm may offer the best approach. The prototyping strategy (Figure 108.3) begins with gathering requirements. Developer and customer meet and define the overall objectives for the software, identify whatever requirements are known, and outline areas where further definition is mandatory. A “quick design” then occurs. The quick design focuses on a representation of those aspects of the software that will be visible to the customer/user (e.g., input approaches and output formats). The quick design leads to construction of a prototype. The prototype is evaluated by the customer/user and is used to refine requirements for the software to be developed. © 2004 by Taylor & Francis Group, LLC
FIGURE 108.3 The prototyping paradigm.
Iteration occurs as the prototype is tuned to satisfy the needs of the customer while enabling the developer to better understand what needs to be done. Ideally, the prototype serves as a mechanism for identifying software requirements. If a working prototype is built, the developer attempts to make use of existing program fragments or applies tools (e.g., report generators, window managers, etc.) that enable working programs to be generated quickly. Both customers and developers like the prototyping paradigm. Users get a feel for the actual system and developers get to build something immediately. Yet, prototyping can also be problematic for the following reasons: 1. The customer sees what appears to be a working version of the software, unaware that the prototype is held together “with chewing gum and baling wire,” unaware that in the rush to get it working we have not considered overall software quality or long-term maintainability. When informed that the product must be rebuilt so that high levels of quality can be maintained, the customer cries foul and demands that “a few fixes” be applied to make the prototype a working product. Too often, software development management relents. 2. The developer often makes implementation compromises in order to get a prototype working quickly. An inappropriate operating system or programming language may be used simply because it is available and known; an inefficient algorithm may be implemented simply to demonstrate capability. After a time, the developer may become familiar with these choices and forget all the reasons why they were inappropriate. The less-than-ideal choice has now become an integral part of the system. Although problems can occur, prototyping can be an effective paradigm for software engineering. The key is to define the rules of the game at the beginning; that is, the customer and developer must both agree that the prototype is built to serve as a mechanism for defining requirements. It is then discarded (at least in part) and the actual software is engineered with an eye toward quality and maintainability.
108.1.3 The RAD Model Rapid Application Development (RAD) is a linear sequential software development process model that emphasizes an extremely short development cycle. The RAD model is a “high speed” adaptation of the linear sequential model in which rapid development is achieved by using a component-based construction approach. If requirements are well understood and project scope is constrained,∗ the RAD process enables a development team to create a “fully functional system” within very short time periods (e.g., 60–90 days)
∗
These conditions are by no means guaranteed. In fact, many software projects have poorly defined requirements at the start. In such cases, prototyping or evolutionary approaches are much better process options. © 2004 by Taylor & Francis Group, LLC
[Martin 1991]. Used primarily for information systems applications, the RAD approach encompasses the following phases [Kerr and Hunter 1994]: Businessmodeling. The information flow among business functions is modeled in a way that answers the following questions: What information drives the business process? What information is generated? Who generates it? Where does the information go? Who processes it? Data modeling. The information flow defined as part of the business modeling phase is refined into a set of data objects that are needed to support the business. The characteristics (called attributes) of each object are identified and the relationships between these objects are defined. Process modeling. The data objects defined in the data modeling phase are transformed to achieve the information flow necessary to implement a business function. Processing descriptions are created for adding, modifying, deleting, or retrieving a data object. Application generation. RAD assumes the use of fourth-generation techniques (Fourth Generation Techniques subsection of the following section). Rather than creating software using conventional third-generation programming languages, the RAD process works to reuse existing program components (when possible) or create reusable components (when necessary). In all cases, automated tools are used to facilitate construction of the software. Testing and turnover. Since the RAD process emphasizes reuse, many of the program components have already been tested. This reduces overall testing time. However, new components must be tested and all interfaces must be fully exercised. The RAD process model is illustrated in Figure 108.4. Obviously, the time constraints imposed on a RAD project demand “scalable scope” [Kerr and Hunter 1994]. If a business application can be modularized in a way that enables each major function to be completed in less than three months (using the approach described above), it is a candidate for RAD. Each major function can be addressed by a separate RAD team and then integrated to form a whole. Like all process models, the RAD approach has drawbacks [Butler 1994]: r For large, but scalable, projects, RAD requires sufficient human resources to create the right number
of RAD teams. r RAD requires developers and customers who are committed to the rapid-fire activities necessary
to get a system complete in a much-abbreviated time frame. If commitment is lacking from either constituency, RAD projects will fail. r Not all types of applications are appropriate for RAD. If a system cannot be properly modularized, building the components necessary for RAD will be problematic. If high performance is an issue, and performance is to be achieved through tuning the interfaces to system components, the RAD approach may not work. r RAD is not appropriate when development technical risks are high. This occurs when a new application makes heavy use of new technology or when the new software requires a high degree of interoperability with existing computer programs. RAD emphasizes the development of reusable program components. Reusability is the cornerstone of object technologies and is encountered in the component assembly strategy discussed later in this chapter.
108.1.4 Evolutionary Software Process Models There is growing recognition that software, like all complex systems, evolves over a period of time [Gilb 1988]. Business and product requirements often change as development proceeds, making a straight line path to an endproduct unrealistic; tight market deadlines make completion of a comprehensive software product impossible, but a limited version must be introduced to meet competitive or business pressure; a set of core product or system requirements is well understood, but the details of product or system extensions have yet to be defined. In these and similar situations, software engineers need a development strategy that has been explicitly designed to accommodate a product that evolves over time. © 2004 by Taylor & Francis Group, LLC
FIGURE 108.4 The RAD model.
Evolutionary models meet this need. They are characterized in a manner that enables software engineers to develop increasingly more complete versions of the software in an iterative manner. 108.1.4.1 The Incremental Model The incremental model combines elements of the linear sequential model (applied repetitively) with the iterative philosophy of prototyping. Referring to Figure 108.5, the incremental model applies linear sequences in a staggered fashion as calendar time progresses. Each linear sequence produces a deliverable “increment” of the software [McDermid and Rook 1993]. For example, wordprocessing software developed using the incremental paradigm might deliver basic file management, editing, and document production functions in the first increment; more sophisticated editing and document production capabilities in the second increment; spelling and grammar checking in the third increment; and advanced page layout capability in the fourth increment. It should be noted that the process flow for any increment can incorporate the prototyping paradigm. When an incremental model is used, the first increment is often a core product; that is, basic requirements are addressed, but many supplementary features (some known, others unknown) remain undelivered. The core product is used by the customer (or undergoes detailed review). As a result of use and/or evaluation, © 2004 by Taylor & Francis Group, LLC
FIGURE 108.5 The incremental model.
a plan is developed for the next increment. The plan addresses the modification of the core product to better meet the needs of the customer and the delivery of additional features and functionality. This process is repeated following the delivery of each increment, until the complete product is produced. Incremental development is particularly useful when staffing is unavailable for a complete implementation by the business deadline that has been established for the project. Early increments can be implemented with fewer people. If the core product is well received, then additional staff (if required) can be added to implement the next increment. In addition, increments can be planned to manage technical risks. 108.1.4.2 The Spiral Model The spiral model, originally proposed by Boehm [Boehm 1988], is an evolutionary software process model that couples the iterative nature of prototyping with the controlled and systematic aspects of the linear sequential model. It provides the potential for rapid development of incremental versions of the software. Using the spiral model, software is developed in a series of incremental releases. During early iterations, the incremental release might be a paper model or prototype. During later iterations, increasingly more complete versions of the engineered system are produced. The spiral model is divided into a number of framework activities, also called task regions. Typically, there are between three and six task regions. Figure 108.6 depicts a spiral model that contains six task regions: r Customer communication. Tasks required to establish effective communication between developer
and customer. r Planning. Tasks required to define resources, timelines, and other project-related information. r Risk analysis. Tasks required to assess both technical and management risks. r Engineering. Tasks required to build one or more representations of the application. r Construction and release. Tasks required to construct, test, install, and provide user support (e.g.,
documentation and training). r Customer evaluation. Tasks required to obtain customer feedback based on evaluation of the soft-
ware representations created during the engineering stage and implemented during the installation stage. © 2004 by Taylor & Francis Group, LLC
FIGURE 108.6 A typical spiral model.
Each of the regions is populated by a series of work tasks that are adapted to the characteristics of the project to be undertaken. For small projects, the number of work tasks and their formality is low. For larger, more critical projects, each task region contains more work tasks that are defined to achieve a higher level of formality. In all cases, the umbrella activities (e.g., software configuration management and software quality assurance) are performed. As this evolutionary process begins, the software engineering team moves around the spiral in a clockwise direction, beginning at the center. The first circuit around the spiral might result in development of a product specification; subsequent passes around the spiral might be used to develop a prototype and then progressively more sophisticated versions of the software. Each pass through the planning region results in adjustments to the project plan. Cost and schedule are adjusted on the basis of feedback derived from customer evaluation. In addition, the project manager adjusts the planned number of iterations required to complete the software. The spiral model is a realistic approach to the development of large-scale systems and software. Because software evolves as the process progresses, the developer and customer better understand and react to risks at each evolutionary level. The spiral model uses prototyping as a risk reduction mechanism but, more importantly, enables the developer to apply the prototyping approach at any stage in the evolution of the product. It maintains the systematic stepwise approach suggested by the classic life cycle but incorporates it into an iterative framework that more realistically reflects the real word. The spiral model demands a direct consideration of technical risks at all stages of the project and, if properly applied, should reduce risks before they become problematic. But like other paradigms, the spiral model is not a panacea. It may be difficult to convince customers (particularly in contract situations) that the evolutionary approach is controllable. It demands considerable risk assessment expertise, and it relies on this expertise for success. If a major risk is not uncovered and managed, problems will undoubtedly occur. Finally, the model itself is relatively new and has not been used as widely as the linear sequential or prototyping paradigms. It will take a number of years before efficacy of this important new paradigm can be determined with absolute certainty. 108.1.4.3 The Component Assembly Model Object technologies provide the technical framework for a component-based process model for software engineering. The object-oriented paradigm emphasizes the creation of classes that encapsulate both data and the algorithms that are used to manipulate the data. If properly designed and implemented, objectoriented classes are reusable across different applications and computer-based system architectures. The component assembly model (Figure 108.7) incorporates many of the characteristics of the spiral model. It is evolutionary in nature [Nierstrasz 1992], demanding an iterative approach to the creation of software. However, the component assembly model composes applications from prepackaged software components (called “classes” in Figure 108.7). © 2004 by Taylor & Francis Group, LLC
FIGURE 108.7 The component assembly model.
The engineering activity begins with the identification of candidate classes. This is accomplished by examining the data that are to be manipulated by the application and the algorithms that will be applied to accomplish the manipulation. Corresponding data and algorithms are packaged into a class. Classes created in past software engineering projects are stored in a class library or repository. Once candidate classes are identified, the class library is searched to determine if these classes already exist. If they do, they are extracted from the library and reused. If a candidate class does not reside in the library, it is engineered using object-oriented methods. The first iteration of the application to be built is then composed, using classes extracted from the library and any new classes built to meet the unique needs of the application. Process flow then returns to the spiral and will ultimately reenter the component assembly iteration during subsequent passes through the engineering activity. The component assembly model leads to software reuse, and reusability provides software engineers with a number of measurable benefits. Based on studies of reusability, QSM Associates reports [Yourdon 1994] component assembly leads to a 70% reduction in development cycle time, an 84% reduction in project cost, and a productivity index of 26.2, compared with an industry norm of 16.9. Although these results are a function of the robustness of the component library, there is little question that the component assembly model provides significant advantages for software engineers. 108.1.4.4 The Concurrent Development Model The concurrent development model, sometimes called concurrent engineering, has been described in the following manner by Davis and Sitaram [Davis and Sitaram 1994]: Project managers who track project status in terms of the major phases [of the classic life cycle] have no idea of the status of their projects. These are examples of trying to track extremely complex sets of activities using overly simple models. Note that although . . . [a large] project is in the coding phase, there are personnel on the project involved in activities typically associated with many phases of development simultaneously. For example, . . . personnel are writing requirements, designing, coding, testing, and integration testing [all at the same time]. Software engineering process models by Humphrey and Kellner [Humphrey and Kellner 1989] have shown the concurrency that exists for activities occurring during any one phase. Kellner’s more recent work [Kellner 1991] uses statecharts [a notation that represents the states of a process] to represent the concurrent relationship existent among activities associated with a specific event (e.g., a requirements change during late development), but fails to capture the richness of © 2004 by Taylor & Francis Group, LLC
concurrency that exists across all software development and management activities in project . . . Most software development process models are driven by time; the later it is, the later in the development process you are. [A concurrent process model] is driven by user needs, management decisions, and review results. The concurrent process model can be represented schematically as a series of major technical activities, tasks, and their associated states. For example, the engineering activity defined for the spiral model is accomplished by invoking the following tasks: prototyping and/or analysis modeling, requirements specification, and design.∗ The concurrent process model is often used as the paradigm for development of client–server∗∗ applications. A client–server system is composed of a set of functional components. When applied to client–server, the concurrent process model defines activities in two dimensions [Sheleg 1994]: a system dimension and a component dimension. System level issues are addressed using three activities: design, assembly, and use. The component dimension is addressed with two activities: design and realization. Concurrency is achieved in two ways: (1) system and component activities occur simultaneously and can be modeling using the state-oriented approach described above; (2) a typical client–server application is implemented with many components, each of which can be designed and realized concurrently. In reality, the concurrent process model is applicable to all types of software development and provides an accurate picture of the current state of a project. Rather than confining software engineering activities to a sequence of events, it defines a network of activities. Each activity on the network exists simultaneously with other activities. Events generated within a given activity or at some other place in the activity network trigger transitions among the states of an activity. 108.1.4.5 The Formal Methods Model The formal methods model encompasses a set of activities that leads to formal mathematical specification of computer software. Formal methods enable a software engineer to specify, develop, and verify a computer-based system by applying a rigorous, mathematical notation. A variation on this approach, called cleanroom engineering [Mills et al. 1987, Dyer 1992], is currently applied by some software development organizations. When formal methods (Chapter 107) are used during development, they provide a mechanism for eliminating many of the problems that are difficult to overcome by using other software engineering paradigms. Ambiguity, incompleteness, and inconsistency can be discovered and corrected more easily — not through ad hoc review, but through the application of mathematical analysis. When formal methods are used during design, they serve as a basis for program verification and therefore enable the software engineer to discover and correct errors that might otherwise go undetected. 108.1.4.6 Fourth Generation Techniques The term fourth generation techniques (4GT) encompasses a broad array of software tools that have one thing in common: each enables the software engineer to specify some characteristic of software at a high level. The tool then automatically generates source code based on the developer’s specification. There is little debate that the higher the level at which software can be specified to a machine, the faster a program can be built. The 4GT paradigm for software engineering focuses on the ability to specify software using specialized language forms or a graphic notation that describes the problem to be solved in terms that the customer can understand. Currently, a software development environment that supports the 4GT paradigm includes some or all of the following tools: nonprocedural languages for database query, report generation, data manipulation,
∗
It should be noted that analysis and design are complex tasks that require substantial discussion. In client–server applications, software functionality is divided between clients (normally PCs) and a server (a more powerful computer) that typically maintains a centralized database. ∗∗
© 2004 by Taylor & Francis Group, LLC
screen interaction and definition, and code generation; high-level graphics capability; and spreadsheet capability. Initially, many of the tools noted above were available only for very specific application domains, but today 4GT environments have been extended to address most software application categories. Like other paradigms, 4GT begins with a requirements gathering step. Ideally, the customer would describe requirements and these would be directly translated into an operational prototype. But this is unworkable. The customer may be unsure of what is required, may be ambiguous in specifying facts that are known, and may be unable or unwilling to specify information in a manner that a 4GT tool can consume. For this reason, the customer–developer dialog described for other process models remains an essential part of the 4GT approach. For small applications, it may be possible to move directly from the requirements gathering step to implementation using a nonprocedural fourth generation language (4GL). However, for larger efforts, it is necessary to develop a design strategy for the system, even if a 4GL is to be used. The use of 4GT without design (for large projects) will cause the same difficulties (poor quality, poor maintainability, poor customer acceptance) that we have encountered when developing software by using conventional approaches. Implementation using a 4GL enables the software developer to represent desired results in a manner that results in automatic generation of code to generate those results. Obviously, a data structure with relevant information must exist and be readily accessible by the 4GL. To transform a 4GT implementation into a product, the developer must conduct thorough testing, develop meaningful documentation, and perform all other solution integration activities that are also required in other software engineering paradigms. In addition, the 4GT-developed software must be built in a manner that enables maintenance to be performed expeditiously. Like all software engineering paradigms, the 4GT model has advantages and disadvantages. Proponents claim dramatic reduction in software development time and greatly improved productivity for people who build software. Opponents claim that current 4GT tools are not all that much easier to use than programming languages, that the resultant source code produced by such tools is “inefficient,” and that the maintainability of large software systems developed using 4GT is open to question. There is some merit in the claims of both sides, and it is possible to summarize the current state of 4GT approaches: 1. The use of 4GT has broadened considerably over the past decade and is now a viable approach for many different application areas. Coupled with computer-aided software engineering (CASE) tools and code generators, 4GT offers a credible solution to many software problems. 2. Data collected from companies that are using 4GT indicate that time required to produce software is greatly reduced for small and intermediate applications and that the amount of design and analysis for small applications is also reduced. 3. However, the use of 4GT for large software development efforts demands as much or more analysis, design, and testing (software engineering activities) to achieve substantial time saving that can be achieved through the elimination of coding. To summarize, 4GT have already become an important part of software development. When coupled with component assembly approaches, the 4GT paradigm may become the dominant software development strategy in the 21st century.
108.2 The Management Spectrum Effective software project management focuses on the three P’s: people, problem, and process. The order is not arbitrary. The manager who forgets that software engineering work is an intensely human endeavor will never have success in project management. A manager who fails to encourage comprehensive customer communication early in the evolution of a project risks building an elegant solution for the wrong problem. Finally, the manager who pays little attention to the process runs the risk of inserting competent technical methods and tools into a vacuum. © 2004 by Taylor & Francis Group, LLC
108.2.1 People The cultivation of motivated, highly skilled software people has been discussed since the 1960s (e.g., [Cougar and Zawacki 1980, DeMarco and Lister 1987, Weinberg 1988]). The Software Engineering Institute has sponsored a people management maturity model “to enhance the readiness of software organizations to undertake increasingly complex applications by helping to attract, grow, motivate, deploy, and retain the talent needed to improve their software development capability” [Curtis 1989]. The people management maturity model defines the following key practice areas for software people: recruiting, selection, performance management, training, compensation, career development, organization, and team and culture development. Organizations that achieve high levels of maturity in the people management area have a higher likelihood of implementing effective software engineering practices.
108.2.2 The Problem Before a project can be planned, objectives and scope should be established, alternative solutions should be considered, and technical and management constraints should be identified. Without this information, it is impossible to develop reasonable estimates of the cost, a realistic breakdown of project tasks, or a manageable project schedule that provides a meaningful indication of progress. The software developer and customer must meet to define project objectives and scope. In many cases, this activity occurs as part of a structured customer communication process such as joint application design (JAD) [Wood and Silver 1994]. JAD is an activity that occurs in five phases: project definition, research, preparation, the JAD meeting, and document preparation. The intent of each phase is to develop information that helps better define the problem to be solved or the product to be built.
108.2.3 The Process A software process can be characterized as shown in Figure 108.8. A small number of framework activities are applicable to all software projects, regardless of their size or complexity. A number of task sets — tasks, milestones, deliverables, and quality assurance points — enable the framework activities to be adapted to the characteristics of the software project and the requirements of the project team. Finally, umbrella activities — such as software quality assurance, software configuration management, and measurement — overlay the process model. Umbrella activities are independent of any one framework activity and occur throughout the process.
FIGURE 108.8 A common process framework. © 2004 by Taylor & Francis Group, LLC
In recent years, there has been a significant emphasis on process “maturity” [Paulk et al. 1993]. The Software Engineering Institute (SEI) has developed a comprehensive assessment model that is predicated on a set of software engineering capabilities that should be present as organizations reach different levels of process maturity. To determine an organization’s current state of process maturity, the SEI uses an assessment questionnaire and a five-point grading scheme. The grading scheme determines compliance with a capability maturity model [Paulk et al. 1993] that defines key activities required at different levels of process maturity. The SEI approach provides a measure of the global effectiveness of a company’s software engineering practices and establishes five process maturity levels that are defined in the following manner: Level 1, Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort. Level 2, Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. Level 3, Defined: The software process for both management and engineering activities is documented, standardized, and integrated into an organization-wide software process. All projects use a documented and approved version of the organization’s process for developing and maintaining software. This level includes all characteristics defined for level 2. Level 4, Managed: Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled by using detailed measures. This level includes all characteristics defined for level 3. Level 5, Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies. This level includes all characteristics defined for level 4. The five levels defined by the SEI are derived as a consequence of evaluating responses to the SEI assessment questionnaire that is based on the capability maturity model. The results of the questionnaire are distilled to a single numerical grade that provides an indication of an organization’s process maturity. The SEI has associated key process areas (KPAs) with each of the maturity levels. The KPAs describe those software engineering functions (e.g., software project planning, requirements management) that must be present to satisfy good practice at a particular level. Each KPA is described by identifying the following characteristics: r Goals: The overall objectives that the KPA must achieve. r Commitments: Requirements (imposed on the organization) that must be met to achieve the goals
and provide proof of intent to comply with the goals. r Abilities: Those things that must be in place (organizationally and technically) that will enable the
organization to meet the commitments. r Activities: The specific tasks that are required to achieve the KPA function. r Methods for monitoring implementation: The manner in which the activities are monitored as they
are put into place. r Methods for verifying implementation: The manner in which proper practice for the KPA can be
verified. Eighteen KPAs (each defined using the structure noted above) are defined across the maturity model and are mapped into different levels of process maturity. Each of the KPAs is defined by a set of key practices that contribute to satisfying its goals. The key practices are policies, procedures, and activities that must occur before a key process area has been fully instituted. The SEI defines key indicators as “those key practices or components of key practices that offer the greatest insight into whether the goals of a key process area have been achieved.” Assessment questions are designed to probe for the existence (or lack thereof) of a key indicator. © 2004 by Taylor & Francis Group, LLC
108.3 Software Project Management Software project management encompasses the following activities: measurement, project estimating, risk analysis, scheduling, tracking, and control. A comprehensive discussion of these topics is beyond the scope of this chapter, but a brief overview of each topic will enable the reader to understand the breadth of management activities required for a mature software engineering organization.
108.3.1 Measurement and Metrics To be most effective, software metrics should be collected for both the process and the product. Processoriented metrics [Hetzel 1993, Jones 1991] can be collected during the process and after it has been completed. Process metrics collected during the process focus on the efficacy of quality assurance activities, change management, and project management. Process metrics collected after a project has been completed examine the efficacy of various software engineering activities and productivity. Process measures are normalized using either lines of code or function points [Dreger 1989], so that data collected from many different projects can be compared and analyzed in a consistent manner. Product metrics measure technical characteristics of the software that provide an indication of software quality [Fenton 1991, Zuse 1990, Lorenz and Kidd 1994]. Measures can be applied to models created during analysis and design activities, during code generation, and during testing. The mechanics of measurement and the specific measures to be collected are beyond the scope of this chapter.
108.3.2 Project Estimating Scheduling and budgets are often dictated by business issues. The role of estimating within the software process often serves as a “sanity check” on the predefined deadlines and budgets that have been established by management. (Ideally, the software engineering organization should be intimately involved in establishing deadlines and budgets, but this is not a perfect or fair world.) All software project estimation techniques require that the project have a bounded scope, and all rely on a high-level functional decomposition of the project and an assessment of project difficulty and complexity. There are three broad classes of estimation techniques [Pressman 1993] for software projects: Effort estimation techniques. The project manager creates a matrix in which the left-hand column contains a list of major system functions derived using functional decomposition applied to project scope. The top row contains a list of major software engineering tasks derived from the common process framework. The manager (with the assistance of technical staff) estimates the effort required to accomplish each task for each function. Size-oriented estimation. A list of major system functions derived using functional decomposition applied to project scope. The “size” of each function is estimated by using either lines of code (LOC) or function points (FP). Average productivity data (e.g., function points per person month) for similar functions or projects are used to generate an estimate of effort required for each function. Empirical models. Using the results of a large population of past projects, an empirical model that relates product size (in LOC or FP) to effort is developed, using a statistical technique such as regression analysis. The product size for the work to be done is estimated and the empirical model is used to generate projected effort. In addition to the above techniques, a software project manager can develop estimates by analogy; that is, by examining similar past projects and projecting effort and duration recorded for these projects to the current situation.
108.3.3 Risk Analysis Almost five centuries have passed since Machiavelli said: “I think it may be true that fortune is the ruler of half our actions, but that she allows the other half to be governed by us . . . [fortune] is like © 2004 by Taylor & Francis Group, LLC
an impetuous river . . . but men can make provision against it by dykes and banks.” Fortune (we call it risk) is in the back of every software project manager’s mind, and that is often where it stays. And as a result, risk is never adequately addressed. When bad things happen, the manager and the project team are unprepared. In order to “make provision against it,” a software project team must conduct risk analysis explicitly. Risk analysis [Charette 1990, Jones 1994] is actually a series of steps that enable the software team to perform risk identification, risk assessment, risk prioritization, and risk management. The goals of these activities are: (1) to identify those risks that have a high likelihood of occurrence; (2) to assess the consequence (impact) of each risk should it occur; and (3) to develop a plan for mitigating the risks when possible, monitoring factors that may indicate their arrival, and developing a set of contingency plans should they occur. Risk identification is a systematic attempt to specify threats to the project plan (estimates, schedule, resource loading, etc.). By identifying known and predictable risks, the project manager takes a first step toward avoiding them when possible and controlling them when necessary. There are two distinct types of risks for each of the categories that have been presented: generic risks and product-specific risks. Generic risks are a potential threat to every software project. Product-specific risks can be identified only by those with a clear understanding of the technology, the people, and the environment that are specific to the project at hand. To identify product-specific risks, the project plan and the software statement of scope are examined and an answer to the following question is developed: “What special characteristics of this product may threaten our project plan?” Both generic and product-specific risks should be identified systematically. Gilb [Gilb 1988] drives this point home when he states: “If you don’t actively attack the risks, they will actively attack you.” Risk projection, also called risk estimation, attempts to rate each risk in two ways — the likelihood or probability that the risk is real and the consequences of the problems associated with the risk, should it occur. The project planner, along with other managers and technical staff, performs four risk projection activities [Babich 1986]: (1) establish a scale that reflects the perceived likelihood of a risk; (2) delineate the consequences of the risk; (3) estimate the impact of the risk on the project and the product; and (4) note the overall accuracy of the risk projection so that there will be no misunderstandings. All of the risk analysis activities presented to this point have a single goal — to assist the project team in developing a strategy for dealing with risk. An effective strategy must consider three issues: r Risk avoidance r Risk monitoring, and r Risk management and contingency planning.
The manner in which each of these issues is to be addressed is documented in a plan for risk mitigation, monitoring, and management.
108.3.4 Scheduling Fred Brooks, the well-known author of The Mythical Man-Month [Brooks 1975], was once asked how software projects fall behind schedule. His response was as simple as it was profound: “One day at a time.” The reality of a technical project (whether it involves building a hydroelectric plant or developing an operating system) is that hundreds of small tasks must occur to accomplish a larger goal. Some of these tasks lie outside the mainstream and may be completed without worry about impact on project completion date. Other tasks lie on the “critical path.”∗ If these “critical” tasks fall behind schedule, the completion date of the entire project is put into jeopardy.
∗
The critical path is the sequence of project tasks that nust be closely monitored by the project manager.
© 2004 by Taylor & Francis Group, LLC
The objective of the project manager is to define all project tasks, identify the ones that are critical, and then track their progress to ensure that delay is recognized “one day at a time.” To accomplish this, the manager must have a schedule that has been defined at a degree of resolution that enables the manager to monitor progress and control the project. Software project scheduling is an activity that distributes estimated effort across the planned project duration by allocating the effort to specific software engineering tasks. It is important to note, however, that the schedule evolves over time. During early stages of project planning, a macroscopic schedule is developed. This type of schedule identifies all major software engineering activities and the product functions to which they are applied. As the project gets under way, each entry on the macroscopic schedule is refined into a detailed schedule. Here, specific software tasks (required to accomplish an activity) are identified and scheduled. Scheduling for software development projects can be viewed from two rather different perspectives. In the first, an end-date for release of a computer-based system has already (and irrevocably) been established. The software organization is constrained to distribute effort within the prescribed time frame. The second view of software scheduling assumes that rough chronological bounds have been discussed but that the enddate is set by the software engineering organization. Effort is distributed to make best use of resources and an end-date is defined after careful analysis of the software. Unfortunately, the first situation is encountered far more frequently than the second. As in all other areas of software engineering, a number of basic principles guide software project scheduling: Compartmentalization: The project must be compartmentalized into a number of manageable activities and tasks. To accomplish compartmentalization, both the product and the process are decomposed (Chapter 3). Interdependency: The interdependencies of each compartmentalized activity or task must be determined. Some tasks must occur in sequence, whereas others can occur in parallel. Some activities cannot commence until the work product produced by another is available. Other activities can occur independently. Time allocation: Each task to be scheduled must be allocated some number of work units (e.g., persondays of effort). In addition, each task must be assigned a start date and a completion date that is a function of the interdependencies and whether work will be conducted on a full-time or part-time basis. Effort validation. Every project has a defined number of staff members. As time allocation occurs, the project manager must ensure that no more than the allocated number of people have been allocated at any given time. For example, consider a project that has three assigned staff members (e.g., 3 person-days are available per day of assigned effort).∗ On a given day, seven concurrent tasks must be accomplished. Each task requires 0.50 person-day of effort. More effort has been allocated than there are people to do the work. Defined responsibilities: Every task that is scheduled should be assigned to a specific team member. Defined outcomes: Every task that is scheduled should have a defined outcome. For software projects, the outcome is normally a work product (e.g., the design of a module) or a part of a work product. Work products are often combined in deliverables. Defined milestones: Every task or group of tasks should be associated with a project milestone. A milestone is accomplished when one or more work products have been reviewed for quality and have been approved. Each of the above principles is applied as the project schedule evolves.
∗
In reality, less than 3 person-days are available because of unrelated meetings, sickness, vacation, and a variety of other reasons. For our purposes, however, we assume 100% availability. © 2004 by Taylor & Francis Group, LLC
108.3.5 Tracking and Control Project tracking and control is most effective when it becomes an integral part of software engineering work. A well-defined development strategy should provide a set of milestones that can be used for project tracking. Control focuses on two major issues: quality and change. To control quality, a software project team must establish effective techniques for software quality assurance, and, to control change, the team should establish a software configuration management framework.
108.4 Software Quality Assurance In his landmark book on quality, Crosby [Crosby 1979] states: The problem of quality management is not what people don’t know about it. The problem is what they think they do know . . . In this regard, quality has much in common with sex. Everybody is for it. (Under certain conditions, of course.) Everyone feels they understand it. (Even though they wouldn’t want to explain it.) Everyone thinks execution is only a matter of following natural inclinations. (After all, we do get along somehow.) And, of course, most people feel that problems in these areas are caused by other people. (If only they would take the time to do things right.) There have been many definitions of software quality proposed in the literature. For our purposes, software quality is defined as: Conformance to explicitly stated functional and performance requirements, explicitly documented development standards, and implicit characteristics that are expected of all professionally developed software. There is little question that the above definition could be modified or extended. If fact, a definitive definition of software quality could be debated endlessly. But the definition stated above does serve to emphasize three important points: 1. Software requirements are the foundation from which quality is assessed. Lack of conformance to requirements is lack of quality. 2. A mature software process model defines a set of development criteria that guide the manner in which software is engineered. If the criteria are not followed, lack of quality will almost surely result. 3. There is a set of implicit requirements that often goes unmentioned (e.g., the desire for good maintainability). If software conforms to its explicit requirements, but fails to meet implicit requirements, software quality is suspect. Software quality is designed into a product or system. It is not imposed after the fact. For this reason, software quality assurance (SQA) actually begins with the set of technical methods and tools that help the analyst to achieve a high quality specification and the designer to develop a high quality design. Once a specification (or prototype) and design have been created, each must be assessed for quality. The central activity that accomplishes quality assessment is the formal technical review (FTR). The FTR — conducted as a walkthrough or an inspection [Freedman and Weinberg 1990] — is a stylized meeting conducted by technical staff with the sole purpose of uncovering quality problems. In many situations, formal technical reviews have been found to be as effective as testing in uncovering errors in software [Gilb and Graham 1993]. Software testing combines a multistep strategy with a series of test case design methods that help ensure effective error detection. Many software developers use software testing as a quality assurance “safety net.” That is, developers assume that thorough testing will uncover most errors, thereby mitigating the need for other SQA activities. Unfortunately, testing, even when performed well, is not as effective as we might like for all classes of errors. A much better strategy is to find and correct errors (using FTRs) before getting to testing. © 2004 by Taylor & Francis Group, LLC
The degree to which formal standards and procedures are applied to the software engineering process varies from company to company. In many cases, standards are dictated by customers or regulatory mandate. In other situations standards are self-imposed. An assessment of compliance to standards may be conducted by software developers as part of a formal technical review, or, in situations where independent verification of compliance is required, the SQA group may conduct its own audit. A major threat to software quality comes from a seemingly benign source: changes. Every change to software has the potential for introducing error or creating side effects that propagate errors. The change control process contributes directly to software quality by formalizing requests for change, evaluating the nature of change, and controlling the impact of change. Change control is applied during software development and, later, during the software maintenance phase. Measurement is an activity that is integral to any engineering discipline. An important object of SQA is to track software quality and assess the impact of methodological and procedural changes on improved software quality. To accomplish this, software metrics must be collected. Record keeping and recording for SQA provide procedures for the collection and dissemination of SQA information. The results of reviews, audits, change control, testing, and other SQA activities must become part of the historical record for a project and should be disseminated to development staff on a need-to-know basis. For example, the results of each formal technical review for a procedural design are recorded and can be placed in a “folder” that contains all technical and SQA information about a module.
108.5 Software Configuration Management Change is inevitable when computer software is built. And change increases the level of confusion among software engineers who are working on a project. Confusion arises when changes are not analyzed before they are made, recorded before they are implemented, reported to those who should be aware that they have occurred, or controlled in a manner that will improve quality and reduce error. Babich [Babich 1986] discusses this when he states: The art of coordinating software development to minimize . . . confusion is called configuration management. Configuration management is the art of identifying, organizing, and controlling modifications to the software being built by a programming team. The goal is to maximize productivity by minimizing mistakes. Software configuration management (SCM) is an umbrella activity that is applied throughout the software engineering process. Because change can occur at any time, SCM activities are developed to (1) identify change, (2) control change, (3) ensure that change is being properly implemented, and (4) report change to others who may have an interest. A primary goal of software engineering is to improve the ease with which changes can be accommodated and reduce the amount of effort expended when changes must be made.
108.6 Summary The role of a software project manager is to understand the scope of the problem to be solved and, knowing this, to select an appropriate development strategy for the problem. Once a strategy is selected, software project management activities are conducted. Project management encompasses the measurement of the process and the product, estimation, risk analysis, scheduling, and tracking. To control the project, software quality assurance and software configuration management also must be conducted.
Acknowledgment This chapter has been adapted from selected excerpts of R. S. Pressman, Software Engineering: A Practitioner’s Approach, 4th ed. McGraw–Hill, New York, 1997. © 2004 by Taylor & Francis Group, LLC
Defining Terms Capability maturity model: Defines key activities required at different levels of software process maturity. Change control: An umbrella process that enables a project team to accept, evaluate, and act on changes in a systematic manner. Classic life cycle: A linear, sequential approach to process modeling. Common process framework: A process model that encompasses a limited set of problem-solving activities populated by tasks, milestones, SQA points, and deliverables. Component assembly model: A process model that encourages construction of software from reusable software components. Design: An activity that translates the requirements model into a more detailed model that is the guide to implementation of the software. Errors: A lack of conformance found before software is delivered to the customer. Estimation: A project planning activity that attempts to project effort and cost for a software project. Evolutionary model: A process model that is designed with the recognition that software evolves through a number of iterations. Formal methods: A mathematical approach to the specification and validation of computer-based systems. Formal technical review: A structured meeting conducted by software engineers and others with the intent of uncovering errors in some deliverable or work product. Fourth generation techniques: Encompasses a broad array of software tools that enables the software engineer to specify some characteristic of software at a high level of abstraction. Incremental model: A process model that results in delivery of versions of an application that provide increasingly greater functionality. Linear sequential model: A process model that defines a set of linear activities for developing computer software. Maintenance: The activities associated with changes to software after it has been delivered to end-users. Measurement: Collecting quantitative data about the software or the software engineering process. Object-oriented: An approach to software development that makes use of a classification approach and packages data and processing together. Process model: A model that outlines the major activities and work flow for software development and acts as a framework for project management. Prototyping: The creation of a mock-up of an application with the intent of helping a customer to better identify requirements. Quality: The degree to which a product conforms to both explicit and implicit requirements. Rapid Application Development (RAD): A linear sequential software development process model that emphasizes an extremely short development cycle. Reengineering: A series of activities that transform old systems (with poor maintainability) into software that exhibits high quality. Requirements analysis: A modeling activity whose objective is to understand what the customer really wants. Risk analysis: The set of activities that identify and evaluate a potential problem or occurrence that may put a project in jeopardy. Scheduling: The activity that lays out a timeline for work to be conducted on a project. Software engineering: A discipline that encompasses process, methods, and tools. Software metrics: Quantitative measures of the process or the product. Software quality assurance (SQA): A series of activities that assist an organization in producing highquality software. Spiral model: An evolutionary software engineering paradigm. Testing: A set of activities that attempt to find errors. Work breakdown structure (WBS): The set of work tasks required to build the software; defined as part of the process model. © 2004 by Taylor & Francis Group, LLC
References Babich, W. 1986. Software Configuration Management. Addison–Wesley, Reading, MA. Boehm, B. 1988. A spiral model for software development and enhancement. Computer 21(5): 61–72. Bradac, M., Perry, D., and Votta, L. 1994. Prototyping a process monitoring experiment. IEEE Trans. Software Eng. 20(10):774–784. Brooks, M. 1975. The Mythical Man-Month. Addison–Wesley, Reading, MA. Butler, J. 1994. Rapid application development in action. Managing System Development, Applied Computer Research 14(5):6–8. Charette, R. 1990. Application Strategies for Risk Analysis. McGraw–Hill, New York. Cougar, J. and Zawacki, R. 1980. Managing and Motivating Computer Personnel. Wiley, New York. Crosby, P. 1979. Quality is Free. McGraw–Hill, New York. Curtis, B. 1989. People management maturity model. Proc Intl. Conf. Software Eng., Pittsburgh. Davis, A. and Sitaram, P. 1994. A concurrent process model for software development. Software Eng. Notes 19(2):38–51. DeMarco, T. and Lister, T. 1987. Peopleware. Dorset House. Dreger, J. B. 1989. Function Point Analysis. Prentice–Hall, Englewood Cliffs, NJ. Dyer, M. 1992. The Cleanroom Approach to Quality Software Development. Wiley, New York. Fenton, N. E. 1991. Software Metrics. Chapman & Hall, New York. Freedman, D. and Weinberg, G. 1990. The Handbook of Walkthroughs, Inspections and Technical Reviews. Dorset House. Gilb, T. 1988. Principles of Software Engineering Management. Addison–Wesley, Reading, MA. Gilb, T. and Graham, D. 1993. Software Inspection. Addison–Wesley, Reading, MA. Hanna, M. 1995. Farewell to waterfalls, pp. 38–46. Software Magazine. May. Hetzel, B. 1993. Making Software Measurement Work. QED Publishing. Humphrey, W. and Kellner, M. 1989. Software process modeling: principles of entity process models, pp. 331–342. In Proc. 11th Intl. Conf. Software Eng. IEEE Computer Society Press. Jones, C. 1991. Applied Software Measurement. McGraw–Hill, New York. Jones, C. 1994. Assessment and Control of Software Risks. Yourdon Press. Kellner, M. 1991. Software process modeling support for management planning and control, pp. 8–28. In Proc. 1st Intl. Conf. Software Process. IEEE Computer Society Press. Kerr, J. and Hunter, R. 1994. Inside RAD. McGraw–Hill, New York. Lorenz, M. and Kidd, J. 1994. Object-Oriented Software Metrics. Prentice–Hall, Englewood Cliffs, NJ. Martin, J. 1991. Rapid Application Development. Prentice–Hall, Englewood Cliffs, NJ. McDermid, J. and Rook, P. 1993. Software development process models, pp. 15/26–15/28. In Software Engineer’s Reference Book. CRC Press, Boca Raton, FL. Mills, H. D., Dyer, M., and Linger, R. 1987. Cleanroom software engineering. IEEE Software X(Y): 19–25. Nierstrasz. 1992. Component-oriented software development. Commun ACM 35(9):160–165. Paulk, M. et al. 1993. Capability Maturity Model for Software. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. Pressman, R. S. 1993. A Manager’s Guide to Software Engineering. McGraw–Hill, New York. Raccoon, L. B. S. 1995. The chaos model and the chaos life cycle. ACM Software Eng. Notes 20(1): 55–66. Sheleg, W. 1994. Concurrent engineering: a new paradigm for C/S development. App. Dev. Trends 1(6): 28–33. Weinberg, G. 1988. Understanding the Professional Programmer. Dorset House. Wood, J. and Silver, D. 1994. Joint Application Design, 2nd ed. Wiley, New York. Yourdon, E. 1994. Software reuse. App. Dev. Strategies VI(12):1–16. Zuse, H. 1990. Software Complexity. deGruyer, Berlin.
© 2004 by Taylor & Francis Group, LLC
Further Information The current state of the art in software engineering can best be determined from monthly publications such as IEEE Software, Computer, and the IEEE Transactions on Software Engineering. Industry periodicals such as Application Development Trends and Software Development often contain articles on software engineering topics. The discipline is “summarized” every year in the Proceedings of the International Conference on Software Engineering, sponsored by the IEEE and ACM, and is discussed in depth in journals such as ACM Transactions on Software Engineering and Methodology, ACM Software Engineering Notes, and Annals of Software Engineering. Many software engineering books have been published in recent years. Some present an overview of the entire process, whereas others delve into a few important topics to the exclusion of others. Three anthologies that cover a wide range of software engineering topics are: Keyes, J., ed. 1993. Software Engineering Productivity Handbook. McGraw–Hill, New York. McDermid, J., ed. 1993. Software Engineer’s Reference Book. CRC Press, Boca Raton, FL. Marchiniak, J. J., ed. 1994. Encyclopedia of Software Engineering. Wiley, New York. An excellent three-volume series written by Weinberg (1992, 1993, 1994. Quality Software Management. Dorset House) introduces basis systems thinking and management concepts, explains how to use measurements effectively, and addresses “congruent action,” the ability to establish “fit” between the manager’s needs, the needs of technical staff, and the needs of the business. It will provide both new and experienced managers with useful information. Fred Brooks (1995. The Mythical Man-Month, Anniversary Edition, Addison–Wesley, Reading, MA) has updated his classic book to provide new insight into software project and management issues. S. Purba (1995. How to Manage a Successful Software Project. Wiley, New York) presents a number of case studies that indicate why some projects succeed and others fail. E. Bennatan (1995. Software Project Management in a Client/Server Environment. Wiley, New York) discussed special management issues associated with the development of client/server systems. R. House (1988. The Human Side of Project Management. Addison–Wesley, Reading, MA) and P. Crosby (1989. Running Things: The Art of Making Things Happen. McGraw–Hill, New York) provide practical advice for managers who must deal with human as well as technical problems. Books by T. DeMarco and T. Lister [1987] and G. Weinberg [1988] provide useful insight into software people and the way in which they should be managed. Pragmatic guidance on project management is presented by F. O’Connell (1994. How To Run Successful Projects. Prentice–Hall, Englewood Cliffs, NJ). Still another take on project management in the software world is provided by L. Constantine (1995. Constantine on Peopleware. Prentice–Hall, Eaglewood Cliffs, NJ). A wide variety of information sources on software engineering and the software process is available on the internet. An up-to-date list of World Wide Web references that are relevant to the software process can be found at http://www.rspa.com.
© 2004 by Taylor & Francis Group, LLC
109 Software Architecture
Stephen B. Seidman New Jersey Institute of Technology
109.1 109.2 109.3 109.4 109.5
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109-1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109-2 Describing Individual Software Architectures . . . . . 109-3 Architecture Description Languages . . . . . . . . . . . . . . 109-4 Describing Architectural Styles . . . . . . . . . . . . . . . . . . . 109-6
109.1 Introduction A software architecture (henceforth architecture) is an abstraction that allows a designer to ignore lowlevel implementation issues, such as programming languages, hardware and device requirements, and communication protocols. Garlan and Perry [1995] state that architectures “simplify our ability to comprehend large systems by presenting them at a level of abstraction at which a system’s high-level design can be understood.” The idea of abstracting away detail to uncover the essential structure of a complex system is very old. The classical notion of architecture abstracts the structure of a building or other human construction away from the entity itself. By 1980, this idea had been adopted by computer engineers and network engineers. Common examples in these domains include RISC architectures, instruction set architectures, shared-memory architectures [Hennessy and Patterson, 1996], layered architectures, TCP/IP architectures, and IP forwarding architectures [Leon-Garcia and Widjaja, 2000]. Software architecture comprises two kinds of entities: components that perform computation and connectors that express relationships (typically communication) between the components. An architectural description must also include syntactic and semantic information about the components and connectors. This information constrains how an assemblage of components and connectors can be formed and when it can be regarded as an architecture. These constraints are embodied in an architecture description language (ADL). Software architectures allow designers to codify their expertise. One way to do this is by recognizing and defining software architectural styles: collections of architectural features that tend to co-occur. The concept of style is familiar from building architecture; examples include Gothic, Tudor, and skyscraper. Software architectural styles can be abstractions of descriptors like client–server model, uses remote procedure calls, or pipeline. They can also be embodied in collections of rules encapsulated in a specific paradigm for software development. Architecture description languages assist with the process of describing and developing software architectures and styles. They incorporate formal foundations that support architectural analysis: reasoning about descriptions of architectures and architectural styles. Many formal techniques have been used for this purpose, including specification languages, process algebras, graph grammars, and a variety of logics. These techniques are used to investigate properties of architectures and styles along several dimensions. Functional properties include the semantics of the components that make up an architecture. Structural properties deal with the types of interactions supported by the components. Nonfunctional properties
© 2004 by Taylor & Francis Group, LLC
are more difficult to address formally; they include reliability, robustness, ease of use, conformance to standards, hardware requirements, and security [Shaw and Garlan, 1996]. Architectural abstraction can potentially reduce testing costs. Because an architecture is often used to develop multiple systems, the cost of any architecture level testing effort is amortized across all of these systems [Richardson and Wolf, 1996]. It can also aid in software evolution and reuse. Finally, it is important to note that much software is domain-specific. By creating architectural abstractions that are specific to their domain, software organizations can combine the best aspects of standard platforms and standardized components to create and specialize their domain-related product families [Garlan and Perry, 1995].
109.2 Underlying Principles By the late 1970s, software engineers realized that there was a critical distinction between programming in the small (using conventional programming languages) and programming in the large (building industrial-strength software systems). In order to deal with the issues raised by programming in the large, software systems were regarded as collections of modules, with communication between modules mediated by clearly defined interfaces. Module interconnection languages (MILs) were developed to specify the characteristics of these interfaces and particularly the resources required by and provided to the modules. A MIL can be used to describe the global structure of a software system. Examples of early MILs are MIL75 [deRemer and Kron, 1976] and INTERCOL [Tichy, 1979]. By 1985, several researchers had come to realize that module specifications needed to express aspects of interface semantics that could not be accommodated within the requires/provides model used by early MILs. This realization gave rise to much research. For example, the Conic configuration language developed at Imperial College [Magee et al., 1989] specifies how the components of a distributed system are assembled. The STILE system described in Stovsky and Weide [1990] uses a graphical language that embodies a similar approach. Software systems specified in Conic are assemblages of group modules, which are hierarchical entities made up of smaller modules. Lower-level modules may also be group modules, or they may be task modules, which are specified using a programming language. The external interfaces of Conic modules consist of exit ports and entry ports. Ports in turn have notify and request–reply modes. Communication between Conic modules is specified by linking ports in their external interfaces that have the same type and mode. A single notify exit port may be linked to a set of notify entry ports (or the reverse). A request–reply exit port may be linked to only one request–reply entry port. Module specifications in Conic describe the syntax of permissible connections between modules. In general, the purpose of MILs is to describe the syntax of module interconnections. Alternative attributes associated with module interfaces may be provides and requires (INTERCOL), notify and request– reply (Conic), or entry and exit (Conic). Rice and Seidman [1994] presented a general model of MILs that can express the specific syntactic constraints used by many MILs. The model is based on a number of generic Z schemas [Spivey, 1989] that can be customized for a particular MIL. It has been used to model Conic and Stile. For similar reasons, Batory and O’Malley [1992] developed a model of hierarchical software systems. This model assumes that software systems have an explicitly layered organization. Components are selected at each layer from one or more domain-specific lists of choices. Communications between components may only take place by invoking operations that access components that are adjacent in the hierarchy. The Batory model was first applied to file structures and database management systems. These models can be used in two distinct ways: to analyze the features of a particular MIL and to explore the design space for MILs. In either case, they provide formalism that describes the way in which a particular MIL permits modules to be composed to form a software system. By analogy with conventional programming languages, MILs can be used to describe the syntax that governs the construction of a system of modules. Software architectures are abstract models that contain syntactic and semantic information about the components of software systems and the relationships between those components. Since MILs only © 2004 by Taylor & Francis Group, LLC
give syntactic information, they cannot be used to represent software architectures. Modeling a software architecture requires a way to describe the semantics associated with the composition of modules in a software system. A similar observation was made in Abowd et al. [1995]. Software architectures can be described at several levels [Shaw and Garlan, 1996, p. 130]. First, one can describe the architecture of a particular software system. Second, one can describe a family of architectures as an architectural style. Third, one can develop an architecture description language (ADL) that is based on a formal theory of software architectures. Finally, one can define semantics for ADLs. Formalisms that can be used for all of these descriptions include specification languages (e.g., Z), process algebras (e.g., CSP, -calculus), graph grammars and regular expressions, and partial orders.
109.3 Describing Individual Software Architectures The software architecture modeling process will be illustrated by a relatively early example that is particularly well worked out. In the late 1980s, Garlan and Delisle developed a formal model for the architecture of a digital oscilloscope [Delisle and Garlan, 1990]; also see the discussions in Garlan and Shaw [1996, Sections 3.2, 6.2]. The goal of their project was to develop an oscilloscope system architecture that would increase reuse and make configuration easier. Several models were initially proposed but rejected. For example, an object-oriented model identified relevant data types but could not explain how they fit together. In the end, the architecture was represented by a pipe-and-filter model modified to allow an external entity to set filter parameters. The processing done by a digital oscilloscope is modeled as a pipeline of nodes that successively transform the signals. The processing carried out by the individual nodes can be configured by a user through parameter settings. For example, the waveform display is parameterized by user-defined factors that support zooming and panning. The description given below is taken from Section 6.2 of Shaw and Garlan [1996]. A portion of the model is shown in Figure 109.1 (taken from Figure 6.1 in Shaw and Garlan [1996]). The four nodes successively subtract a DC offset from a signal (Couple), extract a time-sliced waveform from a signal (Acquire), create a trace by converting (time, voltage) pairs to horizontal and vertical values (WaveformToTrace, or W → T ), and clip it to a display screen (Clip). The oscilloscope’s inputs (signals), internal representations (waveforms), and outputs (traces) are modeled as functions. The model uses Z formalism [Spivey, 1989], in which → represents a function and −|→ a partial function defined on a subset of its domain. A brief summary of Z notation is given in the appendix for this chapter. This distinguishes waveforms, which are only defined on a specific time interval, from signals. Signals, waveforms, and traces are specified to be Signal == AbsTime → Volts, Waveform == AbsTime −|→ Volts, and Trace == Horiz −|→ Vert. For our present purposes, it will be sufficient to give a precise characterization of the first node of the pipeline. The Couple transformer subtracts a DC offset from a signal. The user has three parameter choices: DC, AC, Ground. Choosing DC leaves the signal unchanged; choosing AC subtracts a DC offset, and choosing Ground sets the signal to zero. The formal specification of this architectural element is given in Figure 109.2, where Coupling is specified to be either DC, AC, or GND. Similar formal descriptions can be given for the Acquire, WavefrontToTrace, and Clip nodes, but lack of space precludes their inclusion here. The pieces are assembled into a system by the specification illustrated in Figure 109.3. Delay, Duration ScaleH, ScaleV PosnH, PosnV
Coupling
S
✲
❄ Couple
S
✲
❄ Acquire
W
✲
❄
W→T
T
✲
Clip
FIGURE 109.1 The architecture of a digital oscilloscope. © 2004 by Taylor & Francis Group, LLC
T
✲
Couple : Coupling → Signal → Signal Couple DC s = s Couple AC s = ( t: AbsTime • s (t) − dc(s )) Couple GND s == ( t: AbsTime • 0) FIGURE 109.2 Z specification for the Couple transformer.
ChannelParameters c : Coupling delay, dur : RelTime scaleH : RelTime scaleV : Volts posnV : Vert posnH : Horiz
ChannelConfigurations : ChannelParameters → TriggerEvent → Signal → Time ChannelConfiguration == ( trig: TriggerEvent • Clip o WaveformToTrace (p.scaleH, p.scaleV, p.posnH, p.posnV) o Acquire (p.delay, p.dur) trig Couple p.c) FIGURE 109.3 Z specification for digital oscilloscope.
This description represents the high-level structure of the digital oscilloscope software. It describes what the software is to do and how it is to be organized. It can be used as the basis for low-level design and code development, while also serving as the basis for evolutionary change. This perspective has recently been elaborated into the idea of software product families (see Jayazeri et al. [2000]).
109.4 Architecture Description Languages Since the early 1990s, many groups of investigators have proposed ADLs for describing software architectures. At first glance, these languages are quite different from each other. The goal of Medvidovic and Taylor [2000] is to provide some clarity by giving a framework for classifying and comparing ADLs. This framework looks at the way individual ADLs model architectural elements (components and connectors) and the way these elements are configured to form architectures. Model features considered by the framework include interfaces, types, semantics, constraints, evolution, and nonfunctional properties. Configuration features treated include understandability, refinement and traceability, heterogeneity, scalability, evolution, and dynamism. Medvidovic and Taylor also consider the tool support provided by various ADLs. In this section, we will give brief treatments of two rather different ADLs: Rapide [Luckham et al., 1995] and C2SADEL [Medvidovic et al., 1999]. Both ADLs were developed in the context of specific application domains. Rapide is an event-based, concurrent, object-oriented language specifically designed for prototyping architectures of distributed systems. Its features include an execution model and executable architecture constructs, formal constraints, and mappings that support constraint-based definition of (industry standard) reference architectures and testing of systems for conformance to these standards. A Rapide architecture consists of components and connections. An architecture is described by specifying module (component) interfaces, connection rules that define communication between the interfaces, and formal constraints that define legal and illegal patterns of communication. These architectural aspects are © 2004 by Taylor & Francis Group, LLC
Type Application is interface extern action Request (p: params); public action Results (p: params); behavior (?M in String) Receive (?M) => Results (?M);; end Application Type Resource is interface extern action Results (Msg: String); public action Receive (Msg: String); end Resource FIGURE 109.4 Examples of Rapide module interfaces.
architecture AP_RM_Only return X/Open is P: Application; Q:Resource; ... connect (?M in String) P.Request(?M) to Q.Receive (?M); end AP_RM_Only FIGURE 109.5 Defining the flow of events among Rapide components.
expressed using distinct sublanguages. The interfaces of a Rapide architecture provide a template for a family of systems; specific systems are instantiated by assigning modules to interfaces. The architecture and each of its instances can be analyzed and executed. An executing Rapide architecture generates a partially ordered set (poset) of events that interact with threads of control (called processes, which may be module processes, architecture connections, or interface behavior transitions). Rapide architectural models use an execution semantics built on three event dependence relations: A and B are generated by the same process, and A is generated before B. A process observes A and generates B. A process generates A and writes to a variable v; another process within the same module reads v before any intervening write to v, and then generates B. Module interfaces are specified by a types language. The example shown in Figure 109.4 [Luckham et al., 1995] defines Application and Resource components. In Application, the observation of a Receive event causes a Results event to be generated with the same parameter. An architecture language is used to describe the flow of events between components. In the simple example shown in Figure 109.5 [Luckham et al., 1995], a connection is defined between Application module P and Resource module Q. Whenever P generates a Request event, Q will observe a Receive event with the same data. More complex connection patterns are possible. Algebraic constraints and pattern constraints can be used to control how events may occur. Figure 109.6 shows a specification [Luckham et al., 1995] in which The –> operator requires that the Receive and Result events occur in dependent pairs. The ∗ operator asserts that any number of pairs may occur. The ∼ operator asserts that the events in the pairs must be distinct. The ?S parameter is used to require that the Receive and Results events have the same parameter. Rapide has been applied to specify the X/Open distributed transaction processing (DTP) reference architecture. Interfaces in the published X/Open standard are formalized as Rapide interface types, and textual © 2004 by Taylor & Francis Group, LLC
type Resource is interface public action Receive (Msg: String); extern action Results (Msg: String); constraint match ((?S in String) (Receive (?S) -> Results (?S)))^(*~); end Resource FIGURE 109.6 Complex connections among Rapide components.
descriptions of calling sequence protocols are formalized as Rapide connection rules and pattern constraints. Rapide has been used to test the conformance of a combination of two X/Open DTP subsystems with the reference architecture. This is done by constructing a map between the two Rapide models that preserves the necessary structures and constraints. C2ADEL [Medvidovic et al., 1999] was developed explicitly for modeling architectures within the C2 architectural style [Taylor et al., 1996], which was itself developed for use in the GUI application domain. A C2 architecture is specified as a topology that defines its components and connectors and their interconnections. The components and connectors are instantiated from type definitions. This makes it possible to use subtyping and type checking. The example illustrated in Figure 109.7, taken from Medvidovic et al. [1999], shows how an architecture is specified in C2SADEL. Note the explicit top and bottom connections, which enforce the requirement of the C2 style that components are linearly ordered into layers that may only communicate with components immediately above or below them. Components may be virtual (not defined within C2SADEL) or external (defined elsewhere in a specification). Figure 109.8 gives a specification for the DeliveryPort component taken from Medvidovic et al. [1999]. Note that # denotes set cardinality and ∼ indicates the value of a variable after an operation has been performed. The invariant requires that the current capacity of a port be between zero and the maximum capacity. The example illustrates how operations required and provided by a component can be specified. Many ADLs use formal methods and notation that are likely to be unfamiliar to practitioners in industry. Examples include posets in Rapide and first-order logic in C2SADEL. This may present an obstacle to widespread use of software architecture modeling. An alternative approach is presented in Robbins et al. [1998]. The authors show how universal modeling language (UML) metamodels and stereotypes can be used to represent C2 architecture models in UML.
109.5 Describing Architectural Styles Architectural styles are “sets of design rules that identify the kinds of components and connectors that may be used to compose a system or subsystem, together with local or global constraints on the way the composition is done” [Shaw and Clements, 1996]. The importance of identifying useful styles is widely recognized [Abowd et al., 1995]. This section presents a formalism and methodology for describing both software architectural styles and architectures built within specific styles. The approach is embodied in a language called ASDL [Rice and Seidman, 1996], which can be used to compare architectural styles and particular architectures, and also to gain an increased understanding of complex architectural styles. One important feature of ASDL is its powerful and flexible capabilities for abstraction and representation of hierarchy in descriptions of software architectures. An ASDL description of a software architecture or architectural style is made up of three elements: templates, settings, and units. Templates represent interfaces of components that are available for inclusion into a software architecture. Settings represent architectures that have been built by instantiating templates. Units represent system hierarchy: they can encapsulate settings so that their interfaces can be used in turn as templates or represent interfaces designed in a top-down manner. Each element is associated with a © 2004 by Taylor & Francis Group, LLC
Architecture CargoRouteSystem is component_types { component DeliveryPort is extern (Port.cs;) component graphicsBinding is virtual () } connector_types { connector FiltConn is (filter msg_filter;) connector RegConn is {filter no_filter) } architectural_topology { component_instances { Runway : DeliveryPort Binding : GraphicsBinding; } connector_instances { UtilityConn : FiltConn; BindingConn: RegConn; } connections { connector UtilityConn { top SimClock, DistanceCalc; bottom Runway, Truck; } connector BindingConn { top LayoutArtist, RouteArt; bottom Binding; } } } } FIGURE 109.7 C2SADEL architecture specification.
generic Z schema [Spivey, 1989], which is invariant across all styles. A brief introduction to Z syntax is given in the appendix to this chapter. Structural aspects common to all styles are expressed by the generic schemas, whereas features that are characteristic of a particular style are expressed by style-specific versions of the schemas. This is done by specifying the parameters of the generic schemas and by adding style-specific declarations, constraints, and operations. The resulting schema versions constrain the configuration of the elements that make up an architecture. The ASDL schemas use a common formalism to describe both syntax and semantics of architectures and styles. The use of Z gives the language a flexible and modifiable foundation. ASDL also provides operations that support construction of a software architecture within a style. The Z schemas of ASDL are similar to those used in Rice and Seidman [1994] to describe MILs. Figure 109.9 shows the generic schema that describes ASDL templates. It provides a collection (library) of templates that represent interfaces of components available for inclusion in a software architecture. The schema parameters (Indices, Attributes, Parts) are used to customize the schema to describe a specific style. The schema components define the template’s interface, which consists of a finite set of ports that can be used for data communication or other relationships between components. The port-attr function determines the characteristics of a port by giving it attribute values (taken from the style-specific parameter Attributes) with respect to members of a set of indices (represented by the style-specific parameter Indices). © 2004 by Taylor & Francis Group, LLC
Component DeliveryPort is subtype CargoRouteEntity {int \and beh { state { cargo : \set Shipment; selected : Integer; } invariant { (cap >= 0) \and (cap < = max_cap); connector RegConn is {filter no_filter) } interface { prov ip_selshp: Select (sel: Integer); req ir_clktck: ClockTick(); } operations { prov op_selshp: ; let num : Integer ; pre num <= #cargo ; post ~selected = num ; } req or_clktck { let time : STATE_VARIABLE; post ~time = time + 1; } } map { ip_selshp -> op_selshp (sel -> num); ir_clktck -> or_clktck () ; } } FIGURE 109.8 C2SADEL component specification.
ASDL Library [Indices, Attributes, Parts] interfaces : Templates >−|→ F1 Ports port-attr : Ports −|→ Indices → Attributes part : Templates −|→ Parts interp : Templates −|→ Interpretations Collection : F1 Templates Primitives ⊆ Collection Collection = dom interfaces = dom interp = dom part disjoint ran interfaces dom port-attr = ∪ ran interfaces {dir, type} ⊆ Indices ∧ {in, out} ⊆ Attributes ∀ p ∈ dom port-attr • port-attr(p).dir ∈ {in, out} FIGURE 109.9 Z schema defining ASDL templates.
© 2004 by Taylor & Francis Group, LLC
interfaces(filter f ) = { p f , q f } interfaces(split) = { ps , q s , r s } interfaces(merge) = { pm , q m , r m } port-attr( p f )(dir) = in; port-attr(q f )(dir) = out port-attr( ps )(dir) = in; port-attr(q s )(dir) = port-attr(r s )(dir) = out port-attr( pm)(dir) = port-attr(q m )(dir) = in; port-attr(r m )(dir) = out interp(filter f ) = ∗ ( p f ? x → q f ! f (x) → SKIP) interp(split) = ∗ ( ps ? x → (q s ! x → SKIP||r s ! x → SKIP)) interp(merge) = ∗ (( pm ? x → r m ! x → SKIP) (q m ? x → r m ! x → SKIP)) part(filter f ) = part(split) = part(merge) = filter FIGURE 109.10 Pipe-and-filter interfaces.
The function part assigns each template to a style-specific category. The function interp defines a template’s interface semantics by associating the template with a composition of guarded CSP processes [Hoare, 1985]. For example, if a template has ports p and q with direction attributes in and out, respectively, then the CSP process interp () = ∗ ( p ? x → q ! f (x) → SKIP) specifies that the template acts as a filter represented by the function f .∗ Some templates are identified as primitive templates; these correspond to interfaces of software system components that have been preloaded into the library. Collection represents the set of templates that can be used to construct software systems. The members of Collection\Primitives are templates that correspond to interfaces of encapsulated composite modules. Members of Templates\Collection can serve as reference templates, which correspond to interfaces designed in a top-down fashion. The schema constraints define the requirements needed for any style. For example, they require that each template has a nonempty interface, a category assignment, and interface semantics; that the interfaces of distinct templates are disjoint; that attribute values are defined for all interfaces; and that category and semantics are given for each template. Furthermore, they require that dir and type, which give a port’s direction and data type, are indices supplied for all styles, and that the only acceptable attribute values for dir are in and out. As an example, we will consider the pipe-and-filter architectural style (see also Allen [1997], Abowd et al. [1995], and Shaw and Garlan [1996]). Our version of this style uses a filter component that applies a function f to its input and produces an output, a split component that sends its input to each of its two outputs, and a merge component that performs a nondeterministic merge of its two inputs. To specify the interfaces of these components in ASDL, we define the schema parameters to be Indices = {dir, type}, Attributes = {in, out, float}, and Parts = {filter}. We then assume that (filter f , split, merge) ⊆ Templates (where f is a member of a set that includes all of the filter functions needed by an application), and that the schema components satisfy the requirements given in Figure 109.10.∗∗ Settings (defined in the Z schema of Figure 109.11) represent architectures that have been built by instantiating templates as computational nodes. The nodes correspond to the components of a software architecture. A node has external interfaces called slots that correspond to (and inherit attributes from) the ports on the node’s underlying template. Slots can be labeled; shared labels are used to represent relationships among nodes, such as data communication. The schema components define the essential syntactic features of the nodes representing the components of an architecture: the templates from which the nodes were instantiated, the node interfaces (represented ∗
The process p ? x → q ! f (x) → SKIP receives x on channel p, sends f (x) on channel q , then terminates. The operator ∗ indicates indefinite repetition of the filter process. ∗∗ In the split process, the || operator indicates concurrency, so that the input of x on the channel ps is followed by the output of x on channels q s and r s . In the merge process, the operator indicates deterministic choice, so that the first of the channels pm or q m to receive x outputs it on channel r m . © 2004 by Taylor & Francis Group, LLC
ASDL Setting [Indices, Attributes, Parts] ASDL Library [Indices, Attributes, Parts] node-parent : Nodes −|→ Templates slots : F(Nodes × Ports) slot-attr : Nodes × Ports −|→ Indices → Attributes label : Nodes × Ports −|→ Labels comp-expr : ProcessExpressions semantic-descr : Labels −|→ SemanticDescriptions slots = dom slot-attr dom label ⊆ slots dom semantic-descr = ran label ∀n ∈ dom node-parent • node-parent(n) ∈ Collection ∧ p ∈ interfaces(node-parent(n)) ⇒ (n, p) ∈ dom slot-attr ∧ slot-attr(n, p) = port-attr( p) FIGURE 109.11 Z schema defining ASDL schemas.
as ordered node–port pairs), and the interfaces’ characteristics and labels. Other schema components contain information that can be used to determine the semantics of the architecture represented by the setting. The semantic description mapping assigns a semantic abbreviation to each label used in a module, and the composition expression specifies how the nodes in a setting are composed for execution purposes. A composition expression is a CSP process in which node names are viewed as processes. For example, it may specify that the nodes in a setting will be executed in parallel. The members of ProcessExpressions are described in Rice and Seidman [1996]. The node constraints require that the slots representing the interfaces of a node n consist of the pairs (n, p), where p is a port of node-parent(n), that the slot attributes are inherited from those of the corresponding ports, and that all slot labels are associated with semantic abbreviations. Note that ASDL uses the Z and CSP formalisms orthogonally, so that there is no need to propose a common semantic domain for the two formalisms. The use of CSP is confined to providing a process algebra value for the comp-expr variable of the ASDL Setting schema and for the interpretation of each template. The character strings assigned to these elements correspond to CSP process algebra expressions. The semantic abbreviation associated with a label represents a communication protocol, as well as additional style-dependent information. The set SemanticDescriptions contains abbreviations that correspond to a variety of communication capabilities, and the mapping semantic-descr assigns an abbreviation to each label in a setting. For example, the abbreviations uac and usc represent unidirectional asynchronous and synchronous communication, respectively, and brod represents broadcast of input data. Each abbreviation a has a meaning [a] and a set of associated properties, including its text description. For example, the meaning of usc is described by the CSP expression [usc] = ∗ (in ? x → (out ! x → SKIP). The associated properties may include an alphabet like {in, out} or an alternate specification of the meaning, such as out ≤ in (each trace on out is a prefix of a trace on in). Other properties might include timing information or a restriction on the buffer size for an asynchronous protocol. In some cases, the meaning of an abbreviation is parameterized by a potential set of connections. For example, the meaning of the broadcast abbreviation is defined by [brod](S) = ∗ (in ? x(out s !x → SKIP : s ∈ S)) The execution semantics of a module can be derived from the semantic interpretations of the templates underlying the nodes, the composition expression, and the semantic descriptions of the labels that specify
© 2004 by Taylor & Francis Group, LLC
1
4
2 α
α
β
β
3
5
B
6
8
δ
δ
η
η
7
9
D
A C
10
FIGURE 109.12 A pipe-and-filter architecture.
the connections between nodes. The ASDL Setting schema therefore contains the basic components and the information needed to simulate the execution of the module. To illustrate these concepts, we return to the pipe-and-filter style. Figure 109.12 shows a pipe- and-filter architecture with four components: A sends its input to B and C, which are filters (using the functions f, g , respectively) whose results are merged by D. An ASDL description of this architecture corresponds to a setting that uses the nodes A, B, C, and D. The function node-parent is defined by the ordered pairs (A, split), (B, filter1,1, f ), (C, filter1,1,g ), (D, merge). The setting uses the following ten slots: 1 = (A, ps ) 6 = (C, p g )
2 = (A, q s ) 7 = (C, q g )
3 = (A, r s ) 8 = (D, pm )
4 = (B, p f ) 9 = (D, q m )
5 = (B, q f ) 10 = (D, r m )
In the figure, Greek letters are used to represent slot labels, and shared labels indicate data communication between slots. The function label associates labels with slots; it is defined by the ordered pairs (2, ), (3, ), (4, ), (5, ), (6, ), (7, ), (8, ), (9, ). The semantic-descr function assigns the abbreviation usc (unidirectional synchronous communication) to all four labels. The composition expression associated with this setting represents the concurrent composition of its components. The following four constraints are associated with this style: r b ∈ ran label ⇒ | label (b)| ≤ 2 r ∀b ∈ran label • semantic-descr(b) = usc
r n ∈ dom node-parent ⇒ part (node-parent(n)) = filter r ∀s , t ∈ dom label • label(s ) = label(t) ⇒ port-attr(second(s )).dir = port-attr(second(t)).dir
The first three constraints require that no more than two slots can share the same label, that all labels represent unidirectional synchronous communication, and that all nodes are instantiated from filter templates. The final constraint states that if two slots share a label, the underlying ports must have the opposite direction. The ASDL Setting schema represents an architecture as a self-contained computational unit without any external connections. Figure 109.13 shows the ASDL Unit and ASDL Boundary schemas that describe these connections and the associated interface semantics. They include a set of virtual ports that represent the public interfaces of the unit and a mapping that specifies the attributes of these ports. The mapping virtual-port-descr assigns semantics to each virtual port in a unit. The connect mapping describes the links between slots and virtual ports. ASDL Unit imposes only a minimal restriction on the interface, which enforces consistency with respect to the direction of data movement. Further restrictions are based on style-dependent information about the desired behavior of units. For example, type-consistency requirements may be placed on the connect mapping, and the virtual-port-descr mapping may specify broadcasting or multiplexing behavior for a virtual port.
© 2004 by Taylor & Francis Group, LLC
ASDL Unit [Indices, Attributes, Parts] ASDL Setting [Indices, Attributes, Parts] ASDL Boundary [Indices, Attributes] connect : Nodes × Ports −|→ FPorts virtual-port-descr : Ports −|→ Interpretations dom connect ⊆ Slots ∪ ran connect ⊆ virtual-ports dom virtual-port-descr = virtual-ports ∀ p ∈ virtual-ports • {interface-attr(p).dir} = {slot-attr(s).dir : p ∈ connect(s)} ASDL Boundary [Indices, Attributes] interface-attr : Ports −|→ Indices → Attributes virtual-ports : FPorts virtual-ports = dom interface-attr FIGURE 109.13 Unit and boundary schemas.
ρ
α
β
σ
τ
µ
FIGURE 109.14 Multiplexing semantics in a unit.
Because ASDL operations can be used to add the boundary of a unit to the library as a template, units provide powerful and flexible support for hierarchical descriptions of software architectures. The mapping of slots to virtual ports specified by the connect mapping need not be one-to-one. A software architect can use the virtual-port-descr mapping to specify the attributes of virtual ports and derive the semantics of the virtual ports from information about the setting associated with the unit: the interpretation of the templates used to instantiate the setting’s nodes, the semantic abbreviations assigned to slot labels, and the setting’s composition expression. Figure 109.14 shows an architecture that has been converted into a unit that uses a multiplexing semantics. In this example, virtual-ports = {, } and the connect mapping is constructed from the ordered pairs (, ), ( , ), ( , ), and (
, ). Note that this mapping is not one-to-one. The semantics of the virtual © 2004 by Taylor & Francis Group, LLC
ports are defined by virtual-port-descr () = ∗ (a ? x → b ! x → SKIP) virtual-port-descr() = ∗
(((r ? x → SKIP) (s ? x → SKIP) (m ? x → SKIP)) ; (t ! x → SKIP)
where a, b, r , s , m, and t are CSP channels corresponding to the slots and ports in the ASDL description. ASDL contains a number of operations that support the incremental specification of software architectures. These serve as guides for the design of style-dependent operations that are constructed by adding new signatures and constraints to existing operations or by incorporating existing operations into a new operation. The operations include setting operations to create and delete nodes and pseudonodes, assign labels to slots, specify a composition expression, and select semantic abbreviations; interface operations to specify virtual ports, attributes, links, and virtual port descriptions; an encapsulation operation to create a new library template based on a unit; and operations that define the units needed to support a top-down design methodology. For example, the encapsulation operation ASDL External creates a new library template from an existing unit type. The virtual ports of the unit type become the ports of the template, and the attributes of these ports are derived from the unit’s interface. The template’s interpretation is derived from the interpretations of the templates underlying the nodes, the composition expression, the abbreviations of labels, and the semantics of the virtual ports. This represents a complex synthesis of the semantics of the entities associated with the unit. The new library template can in turn be used to create a node in another module. ASDL permits a styledependent interpretation of the extent to which the internal structure of the node is visible in the new module. For example, if encapsulation requires that each virtual port is linked to a node in the underlying unit, then one interpretation is that only the resources of the nodes linked to the port can be accessed through the port. On the other hand, if encapsulation permits a virtual port with no links, then another interpretation may allow characteristics of the node to be modified by using the port.
Defining Terms Architectural analysis: Reasoning about descriptions of architectures and architectural styles. Architectural style: A set of design rules that identify the kinds of components and connectors that may be used to compose a system or subsystem, together with local or global constraints on the way the composition is done. Architectural view: A partial description of a software architecture that features architectural aspects useful for specific purposes or for specific categories of users. Architecture description language (ADL): Language designed for describing software architectures. Component: Software architecture entity that abstracts a computational activity. Connector: Software architecture entity that abstracts a relationship between components. Functional properties: The semantics of a software architecture’s components. Module interconnection language (MIL): A language that describes the properties of the interfaces between the modules of a software system. Nonfunctional properties: Deal with an architecture’s reliability, robustness, ease of use, conformance to standards, hardware requirements, and security. Programming in the large: Building industrial-strength software systems. Programming in the small: Development of small software applications. Software architecture: An abstraction of a software system that allows a designer to ignore low-level implementation issues, such as programming languages, hardware and device requirements, and communication protocols. Structural properties: The nature of the interactions supported by the architecture’s components. © 2004 by Taylor & Francis Group, LLC
References Abowd, G., Allen, R.J., and Garlan, D., 1995. Formalizing Style to Understand Descriptions of Software Architecture, IEEE Trans. Softw. Engr. 4: 319–364. Allen, R.J., 1997. A Formal Approach to Software Architecture, Carnegie Mellon University School of Computer Science Technical Report CMU-CS-97-144. Bass, L., Clements, P., and Kazman, R., 1998. Software Architecture in Practice, Addison-Wesley, Reading, MA. Batory, and O’Malley, S., 1992. The Design and Implementation of Hierarchical Software Systems with Reusable Components, ACM Trans. Softw. Engr. Meth. 1: 355–398. Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., and Stal, M., 1996. Pattern-Oriented Software Architecture: A System of Patterns, John Wiley & Sons, Chichester, U.K. Clements, P., Bachmann, F., Bass, L., Garlan, D., Ivers, J., Little, R., Nord, R., and Stafford, J., 2003. Documenting Software Architectures: Views and Beyond. Addison-Wesley, Boston, MA. Clements, P., Kazman, R., and Klein, M., 2002. Evaluating Software Architectures: Methods and Case Studies, Addison-Wesley, Boston, MA. Delisle, N., and Garlan, D., 1990. A Formal Specification of an Oscilloscope, IEEE Softw. 7: 29–36. DeRemer, F., and Kron, H., 1976. Programming-in-the-large versus programming-in-the-small, IEEE Trans. Soft. Engr. 2: 80–86. Garlan, D., and Perry, D., 1995. Introduction to the Special Issue on Software Architecture, IEEE Trans. Softw. Engr. 21: 269–274. Hennessy, J.L., and Patterson, D., 1996. Computer Architecture: A Quantitative Approach, 2nd edition, Morgan Kaufmann, San Francisco, CA. Hoare, C.A.R., 1985. Communicating Sequential Processes, Prentice Hall, New York. IEEE, 2000. IEEE Standard 1471-2000: IEEE Recommended Practice for Architectural Description of SoftwareIntensive Systems, IEEE, New York. Jayazeri, M., Ran, A., van der Linden, F., and van der Linden, P., 2000. Software Architectures for Product Families: Principles and Practice, Addison-Wesley, Boston, MA. Leon-Garcia, A., and Widjaja, I., 2000. Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, New York. Luckham, D., Kenney, J., Augustin, L., Vera, J., Bryan, D., and Mann, W., 1995. Specification and Analysis of System Architecture Using Rapide, IEEE. Trans. Softw. Engr. 21: 336–355. Magee, J., Kramer, J., and Sloman, M., 1989. Constructing Distributed Systems in Conic, IEEE Trans. Softw. Engr. 15(6): 663–675. Medvidovic, N., Rosenblum, D., and Taylor, R., 1999. A Language and Environment for Architecture-Based Software Development and Evolution, Proceedings of 1999 Intl. Conf. on Softw. Engr., pp. 44–53. Medvidovic, N., and Taylor, R., 2000. A Classification and Comparison Framework for Software Architecture Description Languages, IEEE. Trans. Softw. Engr. 26: 70–93. Rice, M., and Seidman, S., 1994. A Formal Model for Module Interconnection Languages, IEEE Trans. Softw. Engr. 20: 88–101. Rice, M., and Seidman, S., 1996. Using Z as a Substrate for an Architectural Style Description Language, Technical Report CS-96-120, Department of Computer Science, Colorado State University. Richardson, D., and Wolf, A., 1996. Software Testing at the Architectural Level, Proc. of the 2nd Intl. Softw. Arch. Workshop (ISAW-2), San Francisco, CA, pp. 68–71. Robbins, J.E., Medvidovic, N., Redmiles, D.F., and Rosenblum, D.S., 1998. Integrating Architecture Description Languages with a Standard Design Method, Proc. of the 20th Intl. Conf. on Softw. Engr., pp. 209–218. Shaw, M., and Clements, P., 1996. Toward Boxology: Preliminary Classification of Architectural Styles, Proc. of the 2nd Intl. Softw. Arch. Workshop, pp. 50–54. Shaw, M., and Garlan, D., 1996. Software Architecture: Perspectives on an Emerging Discipline, Prentice Hall, Upper Saddle River, NJ.
© 2004 by Taylor & Francis Group, LLC
Spivey, J.M., 1989. The Z Notation: A Reference Manual, Prentice Hall, New York. Stovsky, M., and Weide, B., 1990. Building Interprocess Communication Models Using STILE, in Visual Programming Environments: Paradigms and Systems, Ed. E. Glinert, pp. 566–574. IEEE Computer Society Press, Los Alamitos, CA. Taylor, R., Medvidovic, N., Anderson, K., Whitehead, E., Robbins, J., Nies, K., Oreizy, P., and Dubrow, D., 1996. A Component- and Message-Based Architectural Style for GUI Software. IEEE Trans. Softw. Engr. 22: 390–406. Tichy, W., 1979. Software Development Control Based on Module Interconnection. Proc. of the 4th Intl. Conf. on Softw. Engr., pp. 29–41.
Further Information An excellent source for the foundations of software architectures and architectural styles is Software Architecture: Perspectives on an Emerging Discipline [Shaw and Garlan, 1996]. This book has a strong research flavor and contains a good summary of early software architecture research. Although the Shaw and Garlan book is an essential basic reference, its applicability to realistic industrial situations may be less clear. This deficiency is remedied by Software Architecture in Practice [Bass et al., 1998], which provides a useful bridge between software architecture research and industrial practice. It contains significant industrial case studies and also deals with issues of architectural analysis and reuse. The recent book Documenting Software Architectures [Clements et al., 2003] addresses the question of how software architectures should be described to different communities of potential users. They advocate the explicit adoption of disparate architectural views and discuss the use of styles within each view. Software architectures play a critical role in the software life cycle, and the adoption of an architectural perspective is now a recommended practice. This has been recognized in the recently adopted IEEE Recommended Practice for Architectural Description of Software-Intensive Systems [IEEE, 2000]. A critical activity in the software life cycle is the evaluation of potential architectures. This topic is treated extensively in Evaluating Software Architectures: Methods and Case Studies [Clements et al., 2002]. The book presents several architecture evaluation methodologies and illustrates them with case studies. The use of architectural ideas in the design of software product families has received much attention in recent years. Research on this topic has a strong industrial flavor. An overview of the area can be obtained from the papers in Jayazeri et al. [2000]. Patterns are another way of capturing design knowledge, and they are often regarded as architectural in nature. If code construction is regarded as a low-level endpoint of the design axis, architectural styles can be found near the opposite endpoint. Architectures are close to styles, and patterns closer to construction. A good survey of patterns and their relationship to architectures can be found in Buschmann et al. [1996]. The Software Engineering Institute maintains a useful bibliography on software architecture (http://www. sei.cmu.edu/architecture/bibliography.html). The best place to look for current research on software architectures is in the proceedings of special-purpose conferences. Of particular interest is the Working IEEE/IFIP Conference on Software Architecture, which tends to include both industrial and academic papers (http://wicsa3.cs.rug.nl). Other, more general software engineering conferences that usually include papers on software architecture are ICSE (International Conference on Software Engineering, http://www.icse-conferences.org) and FSE (Foundations of Software Engineering, e.g., http://www.cs.pitt.edu/FSE-10).
Appendix: A Quick Introduction to Z Notation The following discussion will introduce the reader to the basic elements of Z notation that are used in this paper. A more complete treatment can be found in Spivey [1989]. Z is based on typed set theory and uses schemas to define functions and types. A schema associates declarations of typed variables with predicates that constrain their possible values. The simplest variable types name familiar sets such as the natural numbers N. More complex types are built using type constructors, which are analogues of familiar set operations:
© 2004 by Taylor & Francis Group, LLC
power set formation (P), products (·), and function space formation (→). A schema definition assigns a name to a group of variable declarations and predicates relating these variables. It has the following form: S declarations predicates
A schema S can be used as a type, and the notation w : S declares a variable w whose components are declared in S. For example, if x is a variable declared in S, then w .x denotes the x component of w . A schema definition may also use generic parameters X 1 , X 2 , . . . , X n associated with the schema name: S[X 1 , X 2 , . . . , X n ]. These parameters are set constants that can be used in the schema definition. A schema S can be included in the declarations of another schema T , in which case the declarations of S are merged with the declarations of T and the predicates of S and T are conjoined. An inclusion of S in T has the following form: S T declarations predicates
The schemas formed by merging the declarations of S and T are denoted by S∧T S∨T
if the respective predicates are conjoined if the respective predicates are disjoined
Schema definitions may be used to specify operations on a state specified by another schema. In this case, the following conventions are used for variable names: undashed dashed’
state before state after
ending in ? ending in !
inputs outputs
Given a schema S, S is the schema obtained by renaming all variables declared in S with dashes’. N Z
Set of natural numbers {0, 1, . . . } Set of integers {. . . , −1, 0, 1, . . . }
Given a set S #S PS (FS) P1 S (F1 S)
Cardinality of S Set of all subsets (all finite subsets) of S Set of all nonempty subsets (all nonempty finite subsets) of S
Given G ∈ PS ∪G disjoint G
Union of all subsets in the family G Predicate which is true if and only if G is a pairwise-disjoint family
Given sets S and T S×T S\T ∃x : T • P ∀x : T • P {x : T | P }
Cartesian product of S and T Difference of S and T There exists x of type T such that P holds (a unique x if ∃1 is used) For all x of type T , P holds Set of all x’s of type T such that P holds
© 2004 by Taylor & Francis Group, LLC
Given sets S and T S↔T Set of all relations from S to T S→T Set of all total mappings from S to T S −|→ T Set of all partial mappings from S to T S −||→ T Set of all partial mappings from S to T with finite domains The additional symbol > on the left end (right end) of an arrow denotes a one-to-one (onto) mapping. For example, ←||→ denotes a one-to-one partial mapping with a finite domain. All the function operators are right-associative. For example, f : S → T → V means that for each x ∈ S, f (x) : T → V . In this case, we write f (x).y instead of f (x)(y). Given f : S −|→ g dom f = {x ∈ g : f(x) is defined} ran f = {f(x) ∈ T : x dom f} Given f : S −|→ g and g −|→ V g o f : S −|→ V composition of f and g with dom (g o f) = {x ∈dom f : f(x) ∈ dom g}. Functions can also be defined by lambda abstraction, as in square == n : N • n ∗ n The domain is the set of natural numbers, and the expression defines the function.
© 2004 by Taylor & Francis Group, LLC
110 Specialized System Development 110.1 110.2
Introduction Principles of Specialized System Development Roots of Specialized System Development • Generic vs. Specialized Development • The Context of Problem Solving in Specialized System Development
Osama Eljabiri
110.3
New Jersey Institute of Technology
Fadi P. Deek New Jersey Institute of Technology
Application-Based Specialized Development Pervasive Software Development • Real-Time Software Development • Web-Based Software Development • Security-Driven Software Development
110.4
Research Issues and Summary
110.1 Introduction Software development is a complex problem-solving process with various interdisciplinary variables driving its evolution. Such variables are either problem-related or solution-based. Problem-related variables set the criteria for solution characteristics and help designers tailor solutions to specific problems. Solutionbased variables explain current options, assist in future forecasting, and facilitate scaling solutions to problems. The issue of whether to find generic prescriptions to common problems (i.e., bottom-up generalization) or derive domain-dependent solutions to specific problems (i.e., top-down specialization) is debatable. One viewpoint considers modern software engineering to be a standardized response that uses generic methodologies and strategies, as opposed to the nonsystematic approaches that characterized earlier software development. Standardization implies the use of generic rules, procedures, theories, and notations that mark a milestone in the development of any discipline. When standardization came, software development witnessed a paradigm shift from trial-and-error experimentation to scientific maturity, from differing representation and implementation of concepts to unified modeling and cross-platform independency, and from vague economic considerations to well defined, software-driven business models. The competing viewpoint of “one size fits all” has not proved to be practical in real-world software development (Glass, 2000). There is no one methodology appropriate for every case, no strategy that works perfectly for every problem, no off-the-shelf-prescriptions that can be applied directly without scalability, tailorability, or customization. Even specific approaches that fit certain situations do not necessarily fit them all the time, because change is the only constant in contemporary business. Evolving needs accompany innovation and emerging technologies. It can be argued that a balanced approach between generalization and specialization can be adopted to achieve effectiveness in software development.
© 2004 by Taylor & Francis Group, LLC
This chapter addresses the notion of specialized system development. The field of system specialization has been overlooked in the software engineering literature since the discipline was formally launched. Also, generic software development had only provided a weakstrategy (Vessey and Glass, 1998) to solve problems because it only supplies guidance for solving problems and not actual solutions to problems at hand. Scalability, tailorability, and specialization have become relevant issues in the software industry and software engineering research. Even general applications are not actually generic. Many current applications support customization features. Additionally, these systems are released in various modes, which range from standard to professional to enterprise editions, suiting a diversity of needs and problem complexity. Such applications also evolve over time to reflect changes in business requirements and technological capabilities. Subsequent sections of this chapter define specialized system development, discuss its drivers, present its advantages and disadvantages, and explore the types of specialized system development and its categories. We also consider the need for specialized system development and how that can be mapped to team structures.
110.2 Principles of Specialized System Development According to the Merriam-Webster dictionary, to specialize is to concentrate one’s efforts in a special activity or field or to change in an adaptive manner. Concentration leads to more attention to detail and presumably enables more efficient problem solving. Specialization links theory to practice and makes it more meaningful. Generally speaking, specialized system development is about developing software systems with focus. The focus may be on the application domain, a certain phase of the development cycle, or a specific system development methodology. An example of application-domain focus is software development for pervasive computing, including wireless and portable systems. An example of development-phase focus is special emphasis on project management, requirements analysis, or architectural design, as opposed to generic knowledge in software engineering. An example of methodology focus is systems development using structured or object-oriented strategies. However, specialization in methodology spans a wider array of approaches and tools. This includes software development process models (i.e., problem-solving strategies), CASE tools, and implementation techniques. Application-focused software development is the most frequently used definition for specialized system development in the current software industry. Application-focused development can be classified into two categories: application-oriented and infrastructure-oriented. Each of these two categories can have a problem focus or a solution focus. Problem focus can be based on the type of industry involved or the application domain. Solution focus can be based on custom development, package development, or development aid (Glass and Vessey, 1995).
110.2.1 Roots of Specialized System Development The history of specialized system development is tightly coupled with the evolution of computer hardware and technology advancement. 110.2.1.1 Domain-Dependent Era (Pre--Software Development Methodology) During the period of 1955 to 1965, computer hardware was application-dependent. It was virtually impossible to develop business and scientific applications on the same machine. Medical applications and unusual applications were two examples of the distinct focus of application development during this era. Problem-oriented languages, such as Fortran, COBOL, and ALGOL, were developed to translate old software to be compatible with the requirements of new computers. Domain-specific focus was the major driver in building successful software systems. New disciplines emerged to support these systems, such as numerical analysis and information retrieval (Vessey, 1997). 110.2.1.2 Domain-Independent Era (Early Software Development Methodology) This era comprised the period between 1964 and 1980. In 1964, the IBM 360 was introduced, including the lower-midrange model 40 and the model 67, shipped with hardware to support virtual memory. The IBM © 2004 by Taylor & Francis Group, LLC
360 combined scientific and business applications in one machine. The sociology of software development was strongly influenced by the 360’s ability to end the separation between scientific and business applications. Generic applications were possible when the software business became independent of hardware vendors. Competitive advantage in software development became directly proportional to the interdependency of standards, hardware, and platforms. This era witnessed many attempts to institutionalize application-independent software development strategies (Vessey, 1997) and led to the building of a solid foundation for the next era of methodology-intensive software development. 110.2.1.3 Generic Applications Era (Methodology-Intensive Software Development) The period of 1980 to 1995 witnessed the birth and evolution of desktop PC computing and laptop computing. With the availability of computers and the high degree of usability, user involvement became more dominant, the availability of technology facilitated automation efforts in software implementation, and nontechnical users became active participants in the process (Glass, 1998). User-friendly GUIs took over job control language (JCL) taking human–computer interaction (HCI) to a new level. Some attempts at developing application-dependent software (such as fourth-generation languages, rule-based languages, and simulation languages) were also carried out (Vessey, 1997). 110.2.1.4 Return to Application-Focused Development (Software Development Post-Methodology) From 1995 to the present, the evolution of networked hardware architecture has been dominant. Developing Web-based applications marked a milestone in this era, along with the emergence of Web-driven tools and programming languages (i.e., HTML, Java, JavaScript, XML, VML, etc.), the evolution of friendly Web interfaces through Internet browsers and e-mail agents, the emergence of Web-based software engineering as a software development methodology, the increasing demand for software that balances speed and quality, and the synchronization of business processes and software evolution.
110.2.2 Generic vs. Specialized Development The shift from domain-specific computers to application-independent ones was an important event for software development. The subsequent advancement of application-independent computers into desktop and notebook computing was another milestone, which marked a shift toward generic infrastructure systems, applications, and components with notable advantages such as the following: Portability — Software can be used virtually anytime and anywhere because of the development of generic Web-based downloading and installation protocols. Compatibility — One operating system can host a vast number of applications, regardless of their vendors. Generic operating systems are a central repository for shared components across applications. Reusability — One application or one module can be used across computer models, organizations, and user groups. It can be distributed over an organizational network or the World Wide Web. It can also be reused to develop new releases of software implementations. Furthermore, with few modifications through built-in preferences or options, the same application can be customized or tailored to a variety of specific needs. Ease of training — Generic applications are easier to learn because of their availability, and training material is inexpensive (or even free), due to the use of mass production techniques. Cost-effectiveness — Because operational costs are generally lower with mass production and sales volume is usually high, products can be sold at competitive prices to the end user. Generic applications also have disadvantages worth noting. For example, such applications are based on the assumption that there are no significant differences among individuals and/or organizations that require special tailorability or scalability. This assumption applies also to generic methodologies and strategies in software development. These methodologies are rarely based on the type or size of the project or on technology environments and organizational settings. Such methodologies are considered © 2004 by Taylor & Francis Group, LLC
Generic Problems
Criteria for
Domain-Based Solutions
Domain-Based Problems Criteria for
Problem-Based
Criteria for Application-Based Problems
Ad-Hoc Solutions Tailored to
Process Based
Semi-Structured Problems
Structured Problems
Generic Solutions
Product-Based Ill-Structured Problems
Tailored to
Architectures Frameworks Patterns
Tailored to
FIGURE 110.1 Generic and specialized software development in the problem-solving context.
one-dimensional approaches, because they often do not mirror a particular organization’s underlying social, political, and organizational development dimensions (Avison and Fitzgerald, 2003). Generic applications also assume that businesses or individuals should be able to adapt to the infrastructure and functionalities of generic applications with limited room for changes. This assumption can be true within the same application domain, but it may be untrue for another, causing extreme ineffectiveness. Additionally, the assumption that business processes can easily be changed to fit a generic software product is unrealistic and costly. Diversity of goals, market demands, stakeholder requirements, architectural specifications, nonfunctional requirements, and organizational cultures across business domains and specializations makes generic development strategies impractical. For some organizations, adopting a specific methodology may not lead to the desired result, and it can lead to rejecting methodologies altogether (Avison and Fitzgerald, 2003). Agile software development may be viewed as a response to this difficulty.
110.2.3 The Context of Problem Solving in Specialized System Development Because software development essentially aims to solve problems, it is important to view specialized system development in the problem-solving context. Basically, solving problems involves two key elements: the ability to comprehend the problem and the capability to solve it. Hence, specialized system development is either problem-focused or solution-driven (see Figure 110.1). Because problem types and solution strategies in software engineering vary, effective understanding of their diversity is a precondition to successful specialized system development. In fact, this diversity is a major driver of specialized development, because differences are the catalyst for any specialization. Relevant challenges for the developer include understanding how specialization, in identifying problem characteristics, can help to evaluate existing options, select the most proper options, and use domain © 2004 by Taylor & Francis Group, LLC
analysis and requirements engineering to develop effective solutions. How can software products or solutions be adequately used, reused, customized, personalized, reengineered, or redeveloped based on application-driven or domain-specific specialization? How can specialization in problem, method, product, or domain analysis assist in proper selection or successful construction of computer-based solutions that utilize suitable methods, process models, techniques, and tools? Careful examination of problem and solution diversity reveals three key drivers for specialized system development: characteristics of the system to be developed (as well as characteristics of the system’s anticipated users); solution-driven capabilities, experience, and knowledge; and characteristics of system developers. 110.2.3.1 Characteristics of the System to Be Developed This is a problem-focused category. Diversity of software systems in terms of size, complexity, time constraints, scope, underlying technology, business goals, and problem environment are its most critical drivers. Problems range from structured, at the operational levels of organizations, to semistructured at the tactical level, to ill structured at the top management or strategic level (vertical specialization). Problem specialization can be between organizations in the same industry, across industries (external horizontal specialization) or within the same organization across its various functional departments or key business processes (internal horizontal specialization). 110.2.3.2 Characteristics of System’s Anticipated Users This is also a problem-focused category. Some of the drivers in this category are age considerations, gender considerations, purpose in using the system (i.e., personal vs. business users), user background (i.e., technical vs. nontechnical users), and user environment. User environment includes, but is not limited to, cultures, languages, geographic locations, technical resources, financial resources, human resources, and legal and ethical issues. Each of these creates certain needs in systems development and therefore triggers specific specializations in responding to these requirements. 110.2.3.3 Solution-Driven Capabilities, Experience, and Knowledge System specialization under this category is based on tools and resources, rather than on application domain. This includes capabilities and experience in project management tools, requirements analysis techniques, architectural models, user interface approaches, database management strategies, implementation languages, development tools, development methodologies, and process models. These capabilities affect numerous specializations in the solution area.
110.3 Application-Based Specialized Development The convergence of three traditional computing specializations — personal, networking, and embedded — produced a new computing era referred to as pervasive computing. Mobile computing, wireless devices, PDAs, Pocket PCs, and Tablet PCs are all examples of pervasive computing products. Software applications are important components of these products, and the distinct nature of these applications brings a new set of challenges to software development.
110.3.1 Pervasive Software Development Pervasive applications can be distinguished by the following characteristics: ubiquity, interconnectedness, and dynamism. These applications strive to be embedded, distributed, nonintrusive, and cost-effective (Ciarletta and Dima, 2000). This implies that software economics, system architecture, and security are significant issues in pervasive software engineering. A conceptual model is suggested to highlight the aspects of pervasive system development in which four layers have been identified: physical, resource, © 2004 by Taylor & Francis Group, LLC
TABLE 110.1 Layer
The Roles of Pervasive System Development Layers Rationale
Software Development Ramifications
Physical
The flow of control in pervasive applications may depend on signals received from or by the user’s physical body. Excellent software architecture is ineffective in pervasive devices, unless it is well supported by hardware design that mirrors physical characteristics of humans.
Designing effective hardware architectures is crucial to software design because software effectiveness is dependent on hardware usability and hardware is irreplaceable (in contrast with desktop computing).
Resource
Represents the infrastructure of pervasive software applications (operating systems, logical devices, system API, user interface, network protocol).
ROM-based operating systems should be reliable with early releases because it will be very costly to make any upgrades thereafter. System resources must be matched to user goals and needs. User interfaces must be intuitive and consistent. They must accommodate users’ language and physical limitations. Networking features should be automatically available, self-configuring, and compatible with existing technology. System storage must enable users to access, retrieve, and organize information in a way that suits their requirements. Execution environment and volatile memory should be responsive and provide both speed and sense of control via multithreading and multitasking.
Abstract
Represents the direct software application that the user will use.
Maintaining compatibility between users’ mental model expectations and application logic “state.” Shorter time frames are available to pervasive system users for learning about the system, compared with desktop users. More difficult physical conditions are encountered by mobile users of pervasive systems. User involvement and participation is much more critical in pervasive applications than in traditional applications.
Intentional
Represents user goals and purposes in using the pervasive system.
Analyzing the system to determine user goals and designing the system to fulfill these goals.
abstract, and intentional (Ciarletta and Dima, 2000). Table 110.1 describes the roles of these layers in specialized pervasive system development. A framework of four levels can provide a sound process for developing effective mobile commerce (m-commerce) applications (Varshney and Vetter, 2001). These four levels are as follows: M-commerce applications — These modify e-commerce applications for a mobile environment. Wireless user infrastructure — New m-commerce applications should support the capabilities of user infrastructures. For example, m-commerce applications must be effective for such mobile devices as PDAs and cell phones. Mobile middleware — The new m-commerce applications must have better response time and reliability when deployed, because the middleware will be used to connect e-commerce applications to different wireless networks. Wireless network infrastructure — Networking requirements must be fulfilled by the m-commerce applications being deployed. Such requirements include quality of service, network reliability, location management, roaming across multiple networks, and multicast support. © 2004 by Taylor & Francis Group, LLC
Effective m-commerce applications can be deployed if network reliability and redundancy are increased. Furthermore, creating m-commerce applications requires unique knowledge and needs-specific networking support to create effective applications (Kalakota et al., 2000), which includes wireless quality of service (QoS), efficient location management, and reliable and survivable networks.
110.3.2 Real-Time Software Development Real-time software development originated in the 1970s and continues to evolve today. The development of real-time systems requires consideration of three basic issues (Felder, 2002): complex timing (at the higher requirements specification levels), resource constraints (at lower design levels), and scheduling constraints (at lower design levels). Gaulding and Lawson (1976) describe a disciplined engineering approach to real-time software development with a focus on a process design methodology. The basis for this approach is a process performance requirement, a document describing the software interfaces, the software functional and performance requirements, the operating rules, and the data processor hardware description. The goal of process design engineering is the development of an automated approach to the evolutionary design, implementation, and testing of real-time software. Gaulding and Lawson define the crucial aspects of effective real-time software development to include four important components: Transformational technology — Enables traceable transformation from functional requirements to a software structure for a given computer Architectural approach — Requires top-down design, implementation, and testing techniques supported by a single process design language Simulation technology — Provides a capability for evaluating trial designs for real-time software processes Supporting tools — Automate such functions as requirements traceability, configuration management, library management, simulation control, and data collection and analysis. An early software development life-cycle method for real-time systems was proposed by Gomaa (1986). This method attempts to tailor generic software development methodology to reflect the special needs of real-time software development. Table 110.2 describes this method, its phases, and its applications.
110.3.3 Web-Based Software Development Web-based software development is growing at a faster rate than any other domain. Software systems with Web capabilities can maximize the business added value more effectively, with their ability to reach customers and partners and to enrich the business process with information (Evans and Wurster, 1999). Three criteria to assess business value in IT-based systems are productivity, business profitability, and consumer surplus (Hit and Brynjolfsson, 1996). Web applications extend traditional business goals to encompass measures of customer satisfaction, internal processes, and the organization’s innovation activities. These operational measures affect organizational financial performance (Der Zee and de Jong, 1999). Efficiency, quality, market share, and penetration have emerged as important measures and goals of business (Singleton et al., 1988) that can be improved by Web-based systems. These influences have motivated industry to integrate Internet/intranet information systems in their businesses and adopt new management techniques to align new technology with the organizational structure. 110.3.3.1 E-business Software Systems There are now more demands on quality and reliability for Web-based software development than ever before. Successful configuration of Web applications requires special attention to several interrelated strategies that leverage Web engineering to the level of competitive advantage. Development teams, legacy systems, value chain, and business integration and management structures drive these strategies. © 2004 by Taylor & Francis Group, LLC
TABLE 110.2
Life-Cycle Phases for Real-Time Software Systems
Phase
Phase Definition
Phase Application
Requirements analysis and specification
As in other approaches, user requirements are analyzed, and system specifications are formulated to elaborate on these requirements.
State transition diagrams are used to describe the different states of the system to the user. Object-oriented UML-based state transition diagrams carry out this technique more effectively. Any operator interaction with the system should also be explicitly specified. Throwaway repaid prototyping techniques have proved to be extremely effective in requirements analysis for real-time systems.
System design
While the system is structured into tasks as in other software systems, real-time systems are designed with a specific focus on concurrent processes and task interfaces.
The asynchronous nature of the functions within the system is a key characteristic that distinguishes decomposing real-time software systems into concurrent tasks. Data flow diagrams and event-trace diagrams are effective techniques in mapping this phase.
Task design
Each task is structured into modules, and module interfaces are defined.
Task-structure charts with intensive project and team management elements are essential to carrying out task design efficiently.
Module construction
Detailed design, coding, and unit testing of each module are carried out.
This is similar to module construction in other system development approaches.
Task and system integration
Modules are integrated and tested to form tasks, which in turn are gradually integrated and tested to form the total system.
Incremental system development is used to achieve task and system integration.
System testing
The whole system or major subsystems are tested to verify conformance with functional specifications. To achieve greater objectivity, system testing is best performed by independent test teams.
Automated testing is widely used for real-time systems.
Acceptance testing
This is performed by the user.
Extends user involvement to the validation and verification stages after system delivery.
110.3.3.1.1 Skills, Structure, and Management of the Development Team In Web-driven software development projects, skillful staff can significantly boost performance. Training programs and availability of necessary resources have a strong influence on the quality of e-business applications, reducing the development time for tailoring solutions to application needs. Effective management can create the right team structure and the necessary synergy from diverse abilities. 110.3.3.1.2 Legacy Applications The scope and domain of legacy systems shape the strategies needed to solve e-business software problems. The negative correlation between organizational complexity and the impact of technical change is a disputable one (Keen, 1981), because the more complex the organization, the more ill structured its business problems are (Mitroff and Turoff, 1973). Even though this influences the ability to tackle such problems smoothly, information technology enables a complex organization to redesign its business processes so that it can manage complexity more effectively (Davenport and Stoddard, 1994). © 2004 by Taylor & Francis Group, LLC
110.3.3.1.3 Value Chain and Logistics Management Value chain is the set of activities business requires to achieve its objectives, by adding values as activities proceed from one phase to another. E-business applications utilize Internet technology to cover products and services that require integration of business processes, the logistics of end users, and original suppliers. Effective management of the entire process can add considerable value to consumers by organizing, coordinating, and controlling supply chain activities and logistics (Turban et al., 2000). This defines certain criteria for effective Web-based development, which encompass flexibility, quality, dependability, agility, and efficiency. Optimality can be assessed in terms of delivering the right product at the right time at each level of the supply chain (Vokurka et al., 2002). The value chain concept can be further utilized to build decision support systems that enhance the decision-making process at the tactical and strategic management levels (Haavengen et al., 1996). Also, electronic product development (EPD) is another aspect of e-business growth that relies on a holistic perspective of the entire product value chain (encompassing customers, designers, suppliers, manufacturers, and logistics providers) to develop more successful mass customization (Helander and Jiao, 2000). 110.3.3.1.4 Aligning E-business Applications with Organizational Goals E-business solutions can effectively serve organizational goals and marketing requirements. Strategies that integrate the Internet and traditional advantages are expected to create potential advantages for existing corporations (Porter, 2001). E-business software systems rely on both the internal preparation of the company and the readiness of its customers and suppliers to engage in electronic interactions. By committing resources to the business problem, management can create a value driver that boosts business readiness for e-commerce challenges (Barua et al., 2001). These e-commerce solutions link customers, suppliers, partners, and interorganizational departments in one or more unified value chains. If these links are not well managed and efficiently aligned in synchronized frameworks, delays will occur and costs will exceed profits, resulting in financial loss and customer dissatisfaction. Other issues may have an indirect effect on the success of e-business applications. These are supply chain management (SCM) and enterprise resource management (ERM), which can help explain the impact of legacy business applications on the success of e-business development. Better understanding of customer and supplier needs, and the effect of current business processes on the overall methods of supply chain and resource management, can lead to flexible and manageable utilization of information technology to help reengineer business processes (Daoud, 2000). 110.3.3.2 Object-Oriented Development for Web Applications Gellersen and Gaedke (1999) propose a Web composition model that defines an object-oriented approach to Web development based on Web implementation models. This model was developed to provide developers with the capabilities of object-oriented concepts, such as reusability, inheritance, improved modifiability, and extensibility. Conallen (1999) addresses object-oriented Web application architecture through a UML-based approach. This approach aims to facilitate managing complexity for Web applications and to enable enhanced reusability. The approach, which works in conjunction with CASE tool support, integrates three models of Web application architecture: business model, navigation model, and implementation model. 110.3.3.3 Customizable Web Applications Several approaches to modeling and implementing customizable Web applications have been proposed. These approaches all share those characteristics of Web development environments (Kappel et al., 2000) that explicitly consider user context for customization. This view reflects the need for personalization, both for individuals and for classes of users, and it includes network and device contexts. Network context is related to network settings; device context is based on multidelivery of different devices or classes of devices. However, they have different degrees of location context (related to mobile computing and portability) and temporal context (based on time constraints). © 2004 by Taylor & Francis Group, LLC
TABLE 110.3
The Four Generations of Information Systems Security Approaches
Generation
Drivers
Strategies
Techniques
Problems
First (early 1980s)
Generic thinking Common sense principles
Linking requirements (what to do) with existing capabilities (what can be done)
Risk analysis
Gaps between generic strategies and special needs
Second (late 1980s)
Some focus on organization requirements
Formal methods
Control points and checklists
Considering natural, functional, and technical requirements while ignoring the social nature of organizations
Third (early 1990s)
Business processes Focus on specific organization requirements
Information systems modeling
Responsibility modeling Security semantics Logical approach ERM, DFD, OO and business process modeling for security
Not enough focus on social requirements of organizations
Fourth (late 1990s to present)
Socio-technical design User participation Strong focus on specific organizational requirements
Domain-specific and applicationdriven design for information systems security
Responsibility modeling Viable information systems
Still in its first phases
110.3.4 Security-Driven Software Development Software systems have evolved into global networked infrastructures, multidimensional databases, and enterprise data warehouses that interconnect individuals, businesses, organizations, competing supply chains, numerous mobile and wireless applications, and even countries. The software engineering literature typically includes security as one of the measures of quality and reliability in software products. Moreover, the software engineering field addresses the security issue as a part of the risk analysis process, in order to minimize the likelihood of intrusions, attacks, hacking, or fraud in information systems. The issue of security in contemporary software applications is a critical component of business survival. There is a need to protect organizational strategic assets, such as information. In e-commerce, for example, customers, who are more aware than ever of the ramifications of unsecured personal or private information, tend to trust businesses with sufficient security measures, policies, and standards. The area of information systems security has evolved across paradigms and strategies (Siponen, 2002). These range from the generic, based on common sense, to the specific, based on organizational culture and needs, as summarized in Table 110.3. Security-driven systems are receiving greater attention in current software development strategies, and the reengineering of existing systems adds security features, builds security-based applications to ensure security in systems (such as antiviruses and firewalls), adds features that enhance individuals’ privacy, and builds surveillance-based applications that can help detect or protect against crime and terrorism. Computer vision, image processing, and multimedia-based technologies play a significant role in these applications. As with all forms of software development, the design of such systems is not without challenges. The trade-off between open communication channels and the potential for security threats through these same © 2004 by Taylor & Francis Group, LLC
Investigate Vulnerabilities
Define Security Objectives
Set Security Metrics
Examine To-be System
Identify Potential Risks
Review Current Requirements
Determine Security Requirements
Re-formulate Requirements Document
Create what-if Scenarios
FIGURE 110.2 Security-driven requirements analysis process.
channels is one example. The remaining parts of this section present a framework for dealing with security considerations in the software development process, particularly in terms of the analysis and design of such systems. 110.3.4.1 Security-Driven Requirements Analysis Because a large portion of software engineering literature was developed before the Web era, investigating vulnerabilities was rarely addressed adequately. Web-driven applications and infrastructures have necessitated a change. For example, in terms of security, while Web connectivity increased access to public information, it exposed the very same information and information systems to more risks and vulnerabilities (Deswarte, 1997). In some software engineering methodologies, security requirements are addressed in the analysis phase as nonfunctional requirements, because software systems must comply with internal and external security standards. Sommerville (1996) classifies security requirements as external, nonfunctional safety and privacy requirements. This view is true from a categorization perspective, but it needs to consider that even functional requirements should be guided by security metrics; otherwise, they may increase system vulnerabilities. Additional requirements or flexible requirements could expose the system to unexpected risks (Smith, 1991; Pfleeger, 1997). Security-driven requirements analysis involves defining security objectives, setting their metrics, identifying potential risks, investigating vulnerabilities, creating what-if scenarios, reviewing current requirements, and reformulating requirements to reflect the input of the analysis phase. Analysis output becomes the guideline for designing security-driven solutions. Additional details are shown in Figure 110.2. Security objectives are usually based on organizational standards, underlying technology, and the magnitude of the anticipated threat. Because security breaches are highly unpredictable and their nature and scope can change over time, organizations must adapt to new threats and be able to adjust their objectives to meet the demands of evolving challenges. Once objectives are determined, quantitative and qualitative measurements should be derived to establish evaluation metrics to verify quality of software products in terms of security requirements. The major task in security-driven analysis is to identify potential security risks. Risk assessment is essential, because an organization may be attacked from both inside and outside its network (Philips and Swiler, 1998). © 2004 by Taylor & Francis Group, LLC
Check if some requirements have negative impacts on security
Verify
Check if DB, network, logical or physical design have negative impacts on security
Design Models
Verify
Systems Implementation
Check if current implementation exposes system to threats
Program
Verify
Systems Testing
Feedback
Systems Design
Feedback
Requirements
Feedback
Feedback
Requirements Analysis
Feedback Control
Verify
Check if new enhancemetns have negative security consequences
FIGURE 110.3 A software engineering approach to system security via traceability analysis.
Identifying potential security risks involves investigating system vulnerabilities. Vulnerabilities can be attributed to intentional or unintentional factors. Unintentional factors are related to human mistakes, exceptional hazards in the environment, system failures, gaps in hardware or software design, or bad requirements specifications. While external factors contribute to the existence of vulnerabilities, it is the analysis, design, implementation, and usability of the system that enable the vast majority of security threats in most organizations. For example, a problem in data collection, data entry, data distribution, referential integrity, or authorization can result in breaches that put data into risky situations. The growing concern about infrastructure vulnerabilities, where more damage can be done with a keyboard than with a bomb (Baskerville, 1993), is an important issue for organizational management. Tracing and tracking leakages, security gaps, and security-related problems across the software development process are ways to ensure security in software systems. The traceability process shown in Figure 110.3 offers a strategy for a software engineering approach to system security via traceability analysis. Intentional factors that threaten system security include data theft, data abuse, source code theft, deliberate data manipulation, data tampering, malicious damage, virus and attack destruction, cyber crimes, terror attacks, and other miscellaneous computer crimes. Computer crimes range from using the computer or computer network as a target, to using the computer as a medium (i.e., giving misleading information), to using the computer as a planning or deception tool (Turban et al., 2002). One of the current and serious challenges of information systems is to discover how information and communication technologies can contribute to public safety (Shneiderman, 2002). Recent efforts focus on enhancing security at the technical level (i.e., network-based security), while paying some attention to security at the analysis and architectural levels. Antiterror system development relies not only on solution-focused capabilities but also on profound comprehension of the problem domain by studying the attacker’s behavior (Erland and Olovsson, 1997). System vulnerabilities or security gaps in any information system provide opportunities to carry out attacks or steal critical information. Identifying and securing these gaps will minimize potential risks. Holmes (2001) points out the need to assess system security breaching motives in order to protect and then manage the system’s infrastructure according to the vulnerabilities of those motives. Salenger (1997) relates the level of organizational Internet security to the relative “functional uses” of the Internet. Engineering secure systems requires managing infrastructure vulnerability (Demuth and Rieke, 2000). Three models suggested in designing a secure environment (Salter et al., 1998) are the adversary model, the vulnerabilities model, and the methodology model. The adversary model includes an understanding of the motives for threat potentials: what they can do, what they are willing to do, and what they want to do. The vulnerabilities model suggests three steps for any successful attack: analyze the targeted system to find weaknesses, gain access quietly, and execute the attack. The methodology model categorizes attacks based on their characteristics and aims to find the best protective countermeasure. Although the adversary © 2004 by Taylor & Francis Group, LLC
System vulnerability Prevention controls Detection Limitation Recovery Correction Threats
FIGURE 110.4 Seven-layer conceptual model for defense strategies in security-focused system design.
model is based on information gathering, the vulnerabilities model is driven by risk analysis, and the methodology model is related to response procedure and recovery. 110.3.4.2 Security-Driven Systems Design Designing security-focused solutions for software systems can be done at two different levels: conceptual and technical. The conceptual level provides the architectural foundation for the technical level. The key concept for security-focused architectures is defense strategies. The ability of a software system to withstand threats is tightly coupled with its capability to reduce vulnerabilities and provide protection shields that prevent, eliminate, or deal effectively with breaches and attacks. Figure 110.4 depicts this concept as a seven-layer conceptual model for defense strategies in security-focused system design. In this model, five key defense strategies — prevention control, detection, limitation, recovery, and correction — can be used separately or together to minimize system vulnerabilities or weaknesses (Turban et al., 2002). Prevention control is the most effective strategy, whether it prevents human error, external attack, or unauthorized use. Access control also plays a significant role in this defense strategy. Figure 110.5 provides a basic taxonomy of various types of security controls in software systems. An intrusion detection system (IDS) is a system that can distinguish authorized uses, misuses, and abuses of computers, either by authorized users or by external perpetrators. Intrusions can be classified into three categories: single intruder, single terminal (SIST); single intruder, multiple terminal (SIMT); and multiple intruder, multiple terminal (MIMT) (Puketza et al., 1996). Object-oriented and component-based architectures have proved to be maintainable structures, because they allow easy replacing of defective components. Distributed object architecture and design standards provide an adequate level for generic distributed applications. But these are only the first step in building application-specific software architectures for achieving overall system development objectives. Although commercial enterprise application integration (EAI) tools and workflow management system (WFMS) products can help advance basic distributed standards to the commercial level, they are still far below the mission-critical needs of business and information security processes. System designers should employ security solutions that reinforce each other, define relationships based on trust, and use protective countermeasures to prevent attacks. The effectiveness of database and network design plays a crucial role in reducing system vulnerabilities. For instance, cryptographic protocol design is frequently cited in the literature as a source of distributed systems vulnerabilities. Yet, analysis and design techniques have proved useful in detecting protocol vulnerabilities (Stubblebine and Wright, 2002). © 2004 by Taylor & Francis Group, LLC
Security Control
General Control
Network Control
Application Control
Input Control
Processing Control
Output Control
Physical Control
Access Control
Biometric Control
Data Security
Other Control
Hand Geometry
Back-ofthe-eyeretain
Voice Recognition
Signature
Keystroke Dynamics
Encryption
Facial Thermography
Cable Tester
Firewall
Fingerprints
FIGURE 110.5 A basic taxonomy for security control techniques in software systems.
Cybenko and Jiang (2000) discussed the vulnerabilities of the Internet and proposed a six-stage protection process to counteract malicious uses. Information-gathering techniques are the first essential step, and they include intelligence reports, unusual-incident analysis, and automated information harvesting from the Web and news services. The second essential step is a thorough risk assessment of the current system to find vulnerable areas. This risk assessment includes modeling an attack, modeling failure of the main system, and modeling subsidiary failures due to main system failures. The third step is interdiction, which includes being able to use current prevention methods that are already available. The fourth step is detection of attacks through early warning systems and monitoring resources. Monitoring subsystems can take actions while an attack is underway, whereas a warning system can attempt to prevent an attack before it happens (Salter et al., 1998). The fifth step is implementing the proper response procedure once an attack has been acknowledged. Response procedures, which Cybenko and Jiang call forensic challenges, can only be implemented when an attack is already underway. Once an attack is detected, the system should be able to trace the attack. The final stage in Cybenko and Jiang’s approach is recovery, which includes learning from the attack and documenting its characteristics for future reference in a knowledge base.
110.4 Research Issues and Summary The area of specialized system development can be characterized as new, huge, and crucial. This field is evolving as the importance of scalability and tailorability in software development, as opposed to generic strategies and approaches, is realized. The theoretical foundations of specialized system development will continue to evolve and provide a roadmap for new research and development. This will provide new challenges and opportunities to the software engineering community, because specialized system development is not only new but also critical for many contemporary software applications. An important consideration is that future research and development of specialized systems concerns the government, industry, and academia alike. The government’s role in information decryption on the © 2004 by Taylor & Francis Group, LLC
Internet is crucial (Fox, 2001). For example, some of the intelligence issues and policies to be further addressed (Artz, 2001; Wilson, 2000; Zorpette, 2002) include the human role in information analysis, gaps in technical intelligence, and cooperation between organizations and services that collect intelligence. While there is some need to define the role of the government, other needs require a clearer definition of organizational roles. Salenger (1997) states that the level of security implemented by organizations is directly proportional to two factors: size and income. Larger companies have the people and the resources required to establish and run a secure Internet environment, whereas smaller companies may not. Better protocols for defining and enforcing standards are expected to continue to emerge.
Defining Terms Attentive systems: Systems that can be used to understand user trends or log and track Internet use across multiple sources. Cognitive fit: An approach in specialized system development where the goal is to match, as closely as possible, the representation to the task and the user. The key concept is that there should be harmony among three variables: the user’s cognitive skills, the task, and the representation of the task (as presented to the user). Horizontal specialization: Specialization across various functional departments or business needs within the organization, across various domains of an industry, or between industries. Infrastructure vulnerabilities: Weak points and security gaps in the physical or logical architecture of information systems that may enhance opportunities to carry out attacks or steal critical information. Interdiction: The ability to make use of prevention methods that are already available. Pamela: Process abstraction method for embedded large applications. Pervasive computing: The convergence of three traditional computing specializations (personal, networked, and embedded) to produce a new computing era marked by wireless and portable hardware and software. Process design engineering: An automated engineering approach to the evolutionary design, implementation, and testing of real-time software. SCR: Software cost reduction. Steganography: Hiding data within data. System specialization: Concentration on unique problems and the techniques for comprehending and solving them. Vertical specialization: Specialization in the different levels of problem complexity across the interorganizational pyramid, from operations to top management. Weak strategy: A generic approach to problem solving that is not tailored to specific problem domains.
References Artz, D. 2001. Digital Steganography: Hiding Data within Data. IEEE Internet Computing. 5(3): 75–80. Avison, D., and Fitzgerald, G. 2003. Where Now for Development Methodologies? Communications of the ACM. 46(1): 48–72. Barua, A., Konana, P., Whinston, A., and Yin, F. 2001. Driving E-business Excellence. MIT Sloan Management Review. Cambridge, MA. 43(1): 36–44. Baskerville, R. 1993. Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys. 25(4): 365–414. Ciarletta, L., and Dima, A. 2000. A Conceptual Model for Pervasive Computing Parallel Processing. Proceedings of the 2000 International Workshops on Parallel Processing. 9–15. Conallen, J. 1999. Modeling Web Application Architecture with UML. Communications of the ACM. 42: 63–70. Cybenko, G., and Guofei, J. 2000. Developing a Distributed System for Infrastructure Protection. IT Professional. 2(4): 17–23. © 2004 by Taylor & Francis Group, LLC
Cybenko, G., and Jiang, G. 2000. Developing a Distributed System for Infrastructure Protection. IEEE IT Professional. 4:17–22. Daoud, F. 2000. Electronic Commerce Infrastructure. IEEE Potentials. 19(1): 30–33. Davenport, T., and Stoddard, D. 1994. Reengineering: Business Change of Mythic Proportions? MIS Quarterly. 18(2): 121–127. Demuth, T., and Rieke, A. 2000. Bilateral Anonymity and Prevention of Abusing Logged Web Addresses. 21st Century Military Communications Conference Proceedings. 1: 435–439. Der Zee, J.T.M. van, and de Jong, B.M. 1999. Alignment is not enough-Integrating IT in the Balanced Business Scorecard. Journal of Management Information Systems. Deswarte, Y. 1997. Internet Security despite Untrustworthy Agents and Components. Proceedings of the 6th IEEE Computer Society Workshop on Future Trends of Distributed Computing Systems. 53: 218–219. Erland, J., and Olovsson, T. 1997. A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior. IEEE Transactions on Software Engineering. 23(4): 235–245. Evans, P., and Wurster, T. 1999. Getting Real about Virtual Commerce. Harvard Business Review. 77(6): 85–94. Felder, M. 2002. A Formal Design Notation for Real-Time Systems. ACM Transactions on Software Engineering and Methodology (TOSEM). 11(2): 149–190. Fox, R. 2001. Privacy Tradeoff Fighting Terrorism. Communications of the ACM. 44(12): 9–10. Gaulding, S.N., and Lawson, J.D. 1976. Process design system: an integrated set of software development tools. Proceedings of the 2nd International Conference on Software Engineering. San Francisco, 86–90. Gellersen, H., and Gaedke, M. 1999. Object-Oriented Web Application Development. IEEE Internet Computing. 3(1): 60–68. Glass, R. 1998. In the Beginning: Recollections of Software Pioneers. IEEE Computer Society Press, Los Alamitos, CA. Glass, R., and Vessey, I. 1995. Contemporary Application-Domain Taxonomies. IEEE Software. 12(4): 63–76. Glass, R.L. 2000. Process Diversity and a Computing Old Wives’/Husbands’ Tale. IEEE Software. 17(4): 128–129. Gomaa, H. 1986. Software Development of Real-Time Systems. Communications ACM. 29(7): 657–668. Haavengen, B., Olsen, D., and Sena, J. 1996. The Value Chain Component in a Decision Supports System: A Case Example. IEEE Transactions on Engineering Management. 43(4): 418–428. Helander, M., and Jiao, J. 2000. E-Product Development (EPD) for Mass Customization. Management of Innovation and Technology, Proceedings of the 2000 IEEE International Conference on ICMIT 2000. 2 (2): 848–854. Hitt, L., and Brynjolfsson, E. 1996. Productivity, Business Profitability, and Consumer Surplus: Three Different Measures of Information Technology Value. MIS Quarterly. 20(2): 121–142. Holmes, N. 2001. Terrorism, Technology and the Profession. Computer. 34(11): 134–136. Kalakota, R., Varshney, U., and Vetter, R. 2000. Mobile Commerce: A New Frontier. IEEE Computer Society: Special Issue on E-commerce. 33(10): 32–38. Kappel, G., Retschitzegger, W., and Schwinger, W. 2000. Modeling Customizable Web Applications — A Requirements Perspective. Proceedings of the International Conference on Digital Libraries: Research and Practice. Kyoto. Keen, P. 1981. Information Systems and Organizational Change. Communications of the ACM. 24(1): 24–33. Kelly, J. 1987. A Comparison of Four Design Methods for Real-Time Systems. IEEE Proceedings of the 9th International Conference on Software Engineering. 238–252. Kelsey, J., and Bruce, S. 1999. Secure Audit Logs to Support Computer Forensics. ACM Transactions on Information and System Security (TISSEC). 2(2): 159–176. Mitroff, I., and Murray, T. 1973. Technological Forecasting and Assessment: Science and/or Mythology? Journal of Technological Forecasting and Social Change. 5(1): 113–134.
© 2004 by Taylor & Francis Group, LLC
Phillips, C.A., and Swiler, L.P. 1998. A Graph-based System for Network Vulnerability Analysis. Proceedings of the 1998 Workshop on New Security Paradigms. 71–79. Pfleeger, C.P. 1997. The Fundamentals of Information Security. IEEE Software. 14(1): 15–16. Porter, M.E. 2001. Strategy and the Internet. Harvard Business Review. 79: 63–78. Puketza, N., Zhang, K., Chung, M., Mukherjee, B., and Olsson, R. 1996. A Methodology for Testing Intrusion Detection Systems. IEEE Transactions on Software Engineering. 22(10): 719–729. Salenger, D. 1997. Internet Environment and Outsourcing. International Journal of Network Management. 7(6): 300–304. Salter, C.O.S., Schneier, B., and Wallner, J. 1998. Toward a Secure Engineering Methodology. Proceedings of the 1998 Workshop on New Security Paradigms. 2–10. Shneiderman, B. 2002. ACM’s Computing Professionals Face New Challenges. Communications of the ACM. 31–34. Singleton, J., McLean, E. and Altman, E. 1988. Measuring Information Systems Performance: Experience with the Management by Results System at Security Pacific Bank. MIS Quarterly. 12(2): 325–337. Siponen, M. 2002. Designing Secure Information Systems and Software: Critical Evaluation of the Existing Approaches and a New Paradigm. Unpublished Ph.D. dissertation. University of Oulu. Sommerville, I. 1996. Software Engineering. 5th ed., Addison-Wesley, Workingham, U.K. Stubblebine, S., and Wright, R. 2002. Authentication Logic with Formal Semantics Supporting Synchronization, Revocation, and Recency. IEEE Transactions on Software Engineering. 28(3): 265–285. Smith, G.W. 1991. Modeling Security-Relevant Data Semantics. IEEE Transactions on Software Engineering. 17(11): 1195–1203. Turban, E., Lee, J., King, D., and Chung, H. 2000. Electronic Commerce: A Management Perspective. Prentice Hall, Upper Saddle River, NJ. Turban E., Rainer, K., and Potter, R. 2002. Introduction to Information Technology, 2nd edition. Wiley, New York. Varshney U., and Vetter, R. 2001. A Framework for the Emerging Mobile Commerce Applications. Proceedings of the 34th Hawaii International Conference on System Sciences (HICSS 34). IEEE Computer Society. Varshney U., and Vetter, R. 2000. Emerging Mobile and Wireless Networks. Communications of the Association of Computing Machinery (ACM). 43(6): 73–81. Vessey, I. 1997. Problems versus Solutions: The Role of the Application Domain in Software. Proceedings of the 7th Workshop on Empirical Studies of Programmers, Virginia. 233–240. Vessey, I., and Glass, R. 1998. Strong vs. Weak: Approaches to Systems Development. Communications of the ACM. 41(4): 99–102. Vokurka, R., Gail, M., and Carl, M. 2002. Improving Competitiveness through Supply Chain Management: A Cumulative Approach. Competitiveness Review. 12(1): 14–24. Wilson, C. 2000. Holding Management Accountable: A New Policy for Protection against Computer Crime. National Aerospace and Electronics Conference. Proceedings of the IEEE 2000. 272–281. Zorpette, G. 2002. Making Intelligence Smarter. IEEE Spectrum. 39(1): 38–43.
Further Information A good survey of industry frameworks is presented in the article Contemporary Application-Domain Taxonomies by Glass and Vessey, published in IEEE Software in 1995. The authors pay particular attention to representative taxonomies, the IBM industry’s taxonomy, digital industry’s taxonomy, digital application taxonomy, and Reifer’s application taxonomy. Here are some other good sources: SIMS: A Secure Information Management System for Large-Scale Dynamic Coalitions by Jiang and Dasgupta published in the IEEE Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX II), June 2001. The article discusses security of large-scale systems.
© 2004 by Taylor & Francis Group, LLC
Attack Detection in Large Networks by Peterson and Bauman, published by the IEEE Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX II), June 2001. This article addresses the impact of large systems’ characteristics on security. Security of Distributed Object-Oriented Systems by MacDonnell et al., published by the IEEE Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX II), June 2001. This article addresses object-oriented security mechanisms that can provide scalable, fine-grained access control both in applications and at the boundary controller, using CORBA and Java.
© 2004 by Taylor & Francis Group, LLC
Appendix A: Professional Societies in Computing A.1 A.2 A.3 A.4 A.5 A.6 A.7 A.8
The Association for Computing Machinery (ACM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Computing Research Association (CRA) . . . . . . . . . The Institute of Electrical and Electronics Engineers (IEEE) Computer Society . . . . . . . . . . . . . . . . . The British Computer Society (BCS) . . . . . . . . . . . . . . . . . Computer Professionals for Social Responsibility (CPSR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The American Association for Artificial Intelligence (AAAI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Special Interest Group on Computer Graphics (SIGGRAPH). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Society for Industrial and Applied Mathematics (SIAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A-1 A-1 A-2 A-2 A-2 A-2 A-2 A-3
A.1 The Association for Computing Machinery (ACM) “Founded in 1947, ACM is a major force in advancing the skills of information technology professionals and students worldwide. Today, our 75,000 members and the public turn to ACM for the industry’s leading portal to computing literature, authoritative publications and pioneering conferences, providing leadership for the 21st century.” More complete information on ACM can be obtained by visiting its Web page, from which the preceding quotation was taken: http://www.acm.org.
A.2 The Computing Research Association (CRA) “The Computing Research Association (CRA) is an association of more than 200 North American academic departments of computer science, computer engineering, and related fields; laboratories and centers in industry, government, and academia engaging in basic computing research; and affiliated professional societies. CRA’s mission is to strengthen research and education in the computing fields, expand opportunities for women and minorities, and improve public and policymaker understanding of the importance of computing and computing research in our society.” More information about the CRA can be obtained by visiting its Web page, from which the preceding quotation was taken: http://www.cra.org.
© 2004 by Taylor & Francis Group, LLC
A.3 The Institute of Electrical and Electronics Engineers (IEEE) Computer Society “With nearly 100,000 members, the IEEE Computer Society is the world’s leading organization of computer professionals. Founded in 1946, it is the largest of the 37 societies of the Institute of Electrical and Electronics Engineers (IEEE). The Computer Society’s vision is to be the leading provider of technical information and services to the world’s computing professionals.” More information about the IEEE Computer Society can be obtained by visiting its Web page, from which the preceding quotation was taken: http://www.computer.org.
A.4 The British Computer Society (BCS) “The British Computer Society (BCS) is the only Chartered Engineering Institution for Information Technology (IT). With members in over 100 countries around the world, the BCS is the leading professional and learned Society in the field of computers and information systems.” More information about the BCS can be found by visiting its Web page, from which the preceding quotation was taken: http://www1.bcs.org.uk.
A.5 Computer Professionals for Social Responsibility (CPSR) “CPSR is a public-interest alliance of computer scientists and others concerned about the impact of computer technology on society . . . . As technical experts, CPSR members provide the public and policymakers with realistic assessments of the power, promise, and limitations of computer technology. As concerned citizens, we direct public attention to critical choices concerning the applications of computing and how those choices affect society.” More information about CPSR can be found by visiting its Web page, from which the preceding quotation was taken: http://www.cpsr.org.
A.6 The American Association for Artificial Intelligence (AAAI) “Founded in 1979, the American Association for Artificial Intelligence (AAAI) is a nonprofit scientific society devoted to advancing the scientific understanding of the mechanisms underlying thought and intelligent behavior and their embodiment in machines. AAAI also aims to increase public understanding of artificial intelligence, improve the teaching and training of AI practitioners, and provide guidance for research planners and funders concerning the importance and potential of current AI developments and future directions.” More information about AAAI can be found by visiting its Web page, from which the preceding quotation was taken: http://www.aaai.org.
A.7 Special Interest Group on Computer Graphics (SIGGRAPH) “ACM SIGGRAPH is dedicated to the generation and dissemination of information on computer graphics and interactive techniques. We are a membership organization that values passion, integrity, excellence, volunteerism, and cross-disciplinary interaction in all of our activities.” More information about SIGGRAPH can be found by visiting its Web page, from which the preceding quotation was taken: http://www.siggraph.org. © 2004 by Taylor & Francis Group, LLC
A.8 The Society for Industrial and Applied Mathematics (SIAM) “To ensure the strongest interactions between mathematics and other scientific and technological communities, it remains the policy of SIAM to: advance the application of mathematics and computational science to engineering, industry, science, and society; promote research that will lead to effective new mathematical and computational methods and techniques for science, engineering, industry, and society; provide media for the exchange of information and ideas among mathematicians, engineers, and scientists.” More information about SIAM can be found by visiting its Web page, from which the preceding quotation was taken: http://www.siam.org.
© 2004 by Taylor & Francis Group, LLC
Appendix B: The ACM Code of Ethics and Professional Conduct B.1 B.2 B.3 B.4 B.5 B.6
B.1
Preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Moral Imperatives . . . . . . . . . . . . . . . . . . . . . . . . . . More Specific Professional Responsibilities . . . . . . . . . . . Organizational Leadership Imperatives . . . . . . . . . . . . . . Compliance with the Code . . . . . . . . . . . . . . . . . . . . . . . . . . Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
B- 1 B- 2 B- 4 B- 5 B- 7 B- 7
Preamble
Commitment to ethical professional conduct is expected of every member (voting members, associate members, and student members) of the Association for Computing Machinery (ACM). This Code, consisting of 24 imperatives formulated as statements of personal responsibility, identifies the elements of such a commitment. It contains many, but not all, issues professionals are likely to face. Section 1 outlines fundamental ethical considerations, whereas section 2 addresses additional, more specific considerations of professional conduct. Statements in section 3 pertain more specifically to individuals who have leadership roles, whether in the workplace or in a volunteer capacity such as with organizations like ACM. Principles involving compliance with this Code are given in section 4. The Code shall be supplemented by a set of guidelines, which provide explanations to assist members in dealing with the various issues contained in the Code. It is expected that the guidelines will be changed more frequently than the Code. The Code and its supplemented guidelines are primarily intended to serve as a basis for ethical decision making in the conduct of professional work. Secondarily, they may serve as a basis for judging the merit of a formal complaint pertaining to violation of professional ethical standards. It should be noted that although computing is not mentioned in the imperatives of section 1.0, the Code is concerned with how these fundamental imperatives apply to one’s conduct as a computing professional. These imperatives are expressed in a general form to emphasize that ethical principles that apply to computer ethics are derived from more general ethical principles. It is understood that some words and phrases in a Code of ethics are subject to varying interpretations, and that any ethical principle may conflict with other ethical principles in specific situations. Questions related to ethical conflicts can best be answered by thoughtful consideration of fundamental principles, rather than reliance on detailed regulations.
© 2004 by Taylor & Francis Group, LLC
B.2
General Moral Imperatives: As an ACM member I will . . .
B.2.1 Contribute to Society and Human Well-Being This principle concerning the quality of life of all people affirms an obligation to protect fundamental human rights and to respect the diversity of all cultures. An essential aim of computing professionals is to minimize negative consequences of computing systems, including threats to health and safety. When designing or implementing systems, computing professionals must attempt to ensure that the products of their efforts will be used in socially responsible ways, will meet social needs, and will avoid harmful effects to health and welfare. In addition to a safe social environment, human well-being includes a safe natural environment. Therefore, computing professionals who design and develop systems must be alert to, and make others aware of, any potential damage to the local or global environment.
B.2.2 Avoid Harm to Others Harm means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of the following: users, the general public, employees, employers. Harmful actions include intentional destruction or modification of files and programs leading to serious loss of resources or unnecessary expenditure of human resources such as the time and effort required to purge systems of computer viruses. Well-intended actions, including those that accomplish assigned duties, may lead to harm unexpectedly. In such an event the responsible person or persons are obligated to undo or mitigate the negative consequences as much as possible. One way to avoid unintentional harm is to carefully consider potential impacts on all those affected by decisions made during design and implementation. To minimize the possibility of indirectly harming others, computing professionals must minimize malfunctions by following generally accepted standards for system design and testing. Furthermore, it is often necessary to assess the social consequences of systems to project the likelihood of any serious harm to others. If system features are misrepresented to users, co-workers, or supervisors, the individual computing professional is responsible for any resulting injury. In the work environment the computing professional has the additional obligation to report any signs of system dangers that might result in serious personal or social damage. If one’s superiors do not act to curtail or mitigate such dangers, it may be necessary to blow the whistle to help correct the problem or reduce the risk. However, capricious or misguided reporting of violations can, itself, be harmful. Before reporting violations, all relevant aspects of the incident must be thoroughly assessed. In particular, the assessment of risk and responsibility must be credible. It is suggested that advice be sought from other computing professionals. See principle 2.5 regarding thorough evaluations.
B.2.3 Be Honest and Trustworthy Honesty is an essential component of trust. Without trust an organization cannot function effectively. The honest computing professional will not make deliberately false or deceptive claims about a system or system design, but will instead provide full disclosure of all pertinent system limitations and problems. A computer professional has a duty to be honest about his or her own qualifications, and about any circumstances that might lead to conflicts of interest. Membership in volunteer organizations such as ACM may at times place individuals in situations where their statements or actions could be interpreted as carrying the weight of a larger group of professionals. An ACM member will exercise care to not misrepresent ACM or positions and policies of ACM or any ACM units.
© 2004 by Taylor & Francis Group, LLC
B.2.4 Be Fair and Take Action Not to Discriminate The values of equality, tolerance, respect for others, and the principles of equal justice govern this imperative. Discrimination on the basis of race, sex, religion, age, disability, national origin, or other such factors is an explicit violation of ACM policy and will not be tolerated. Inequities between different groups of people may result from the use or misuse of information and technology. In a fair society, all individuals would have equal opportunity to participate in, or benefit from, the use of computer resources regardless of race, sex, religion, age, disability, national origin, or other such similar factors. However, these ideals do not justify unauthorized use of computer resources nor do they provide an adequate basis for violation of any other ethical imperatives of this Code.
B.2.5 Honor Property Rights Including Copyrights and Patents Violation of copyrights, patents, trade secrets, and the terms of license agreements is prohibited by law in most circumstances. Even when software is not so protected, such violations are contrary to professional behavior. Copies of software should be made only with proper authorization. Unauthorized duplication of materials must not be condoned.
B.2.6 Give Proper Credit for Intellectual Property Computing professionals are obligated to protect the integrity of intellectual property. Specifically, one must not take credit for other’s ideas or work, even in cases where the work has not been explicitly protected by copyright, patent, etc.
B.2.7 Respect the Privacy of Others Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies. This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users or bona fide authorization related to system operation and maintenance. User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities.
B.2.8 Honor Confidentiality The principle of honesty extends to issues of confidentiality of information whenever one has made an explicit promise to honor confidentiality or, implicitly, when private information not directly related to the performance of one’s duties becomes available. The ethical concern is to respect all obligations of
© 2004 by Taylor & Francis Group, LLC
confidentiality to employers, clients, and users unless discharged from such obligations by requirements of the law or other principles of this Code.
B.3
More Specific Professional Responsibilities: As an ACM computing professional I will . . .
B.3.1 Strive to Achieve the Highest Quality, Effectiveness, and Dignity in Both the Process and Products of Professional Work Excellence is perhaps the most important obligation of a professional. The computing professional must strive to achieve quality and to be cognizant of the serious negative consequences that may result from poor quality in a system.
B.3.2 Acquire and Maintain Professional Competence Excellence depends on individuals who take responsibility for acquiring and maintaining professional competence. A professional must participate in setting standards for appropriate levels of competence and strive to achieve those standards. Upgrading technical knowledge and competence can be achieved in several ways: doing independent study; attending seminars, conferences, or courses; and being involved in professional organizations.
B.3.3 Know and Respect Existing Laws Pertaining to Professional Work ACM members must obey existing local, state, province, national, and international laws unless there is a compelling ethical basis not to do so. Policies and procedures of the organizations in which one participates must also be obeyed. But compliance must be balanced with the recognition that sometimes existing laws and rules may be immoral or inappropriate and, therefore, must be challenged. Violation of a law or regulation may be ethical when that law or rule has inadequate moral basis or when it conflicts with another law judged to be more important. If one decides to violate a law or rule because it is viewed as unethical, or for any other reason, one must fully accept responsibility for one’s actions and for the consequences.
B.3.4 Accept and Provide Appropriate Professional Review Quality professional work, especially in the computing profession, depends on professional reviewing and critiquing. Whenever appropriate, individual members should seek and utilize peer review as well as provide critical review of the work of others.
B.3.5 Give Comprehensive and Thorough Evaluations of Computer Systems and Their Impacts, Including Analysis of Possible Risks Computer professionals must strive to be perceptive, thorough, and objective when evaluating, recommending, and presenting system descriptions and alternatives. Computer professionals are in a position of special trust and therefore have a special responsibility to provide objective, credible evaluations to employers, clients, users, and the public. When providing evaluations the professional must also identify any relevant conflicts of interest, as stated in imperative 1.3. As noted in the discussion of principle 1.2 on avoiding harm, any signs of danger from systems must be reported to those who have opportunity and/or responsibility to resolve them. See the guidelines for imperative 1.2 for more details concerning harm, including the reporting of professional violations. © 2004 by Taylor & Francis Group, LLC
B.3.6 Honor Contracts, Agreements, and Assigned Responsibilities Honoring one’s commitments is a matter of integrity and honesty. For the computer professional this includes ensuring that system elements perform as intended. Also, when one contracts for work with another party, one has an obligation to keep that party properly informed about progress toward completing that work. A computing professional has a responsibility to request a change in any assignment that he or she feels cannot be completed as defined. Only after serious consideration and with full disclosure of risks and concerns to the employer or client should one accept the assignment. The major underlying principle here is the obligation to accept personal accountability for professional work. On some occasions other ethical principles may take greater priority. A judgment that a specific assignment should not be performed may not be accepted. Having clearly identified one’s concerns and reasons for that judgment, but failing to procure a change in that assignment, one may yet be obligated, by contract or by law, to proceed as directed. The computing professional’s ethical judgment should be the final guide in deciding whether or not to proceed. Regardless of the decision, one must accept the responsibility for the consequences. However, performing assignments against one’s own judgment does not relieve the professional of responsibility for any negative consequences.
B.3.7 Improve Public Understanding of Computing and Its Consequences Computing professionals have a responsibility to share technical knowledge with the public by encouraging understanding of computing, including the impacts of computer systems and their limitations. This imperative implies an obligation to counter any false views related to computing.
B.3.8 Access Computing and Communication Resources Only When Authorized to Do So Theft or destruction of tangible and electronic property is prohibited by imperative 1.2: “Avoid harm to others.” Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (see 1.4). No one should enter or use another’s computer system, software, or datafiles without permission. One must always have appropriate approval before using system resources, including .rm57 communication ports, filespace, other system peripherals, and computer time.
B.4
Organizational Leadership Imperatives: As an ACM member and an organizational leader, I will . . .
B.4.1 Background Note This section draws extensively from the draft IFIP Code of Ethics, especially its sections on organizational ethics and international concerns. The ethical obligations of organizations tend to be neglected in most codes of professional conduct, perhaps because these codes are written from the perspective of the individual member. This dilemma is addressed by stating these imperatives from the perspective of the organizational leader. In this context leader is viewed as any organizational member who has leadership or educational responsibilities. These imperatives generally may apply to organizations as well as their leaders. In this context organizations are corporations, government agencies, and other employers, as well as volunteer professional organizations. © 2004 by Taylor & Francis Group, LLC
B.4.2 Articulate Social Responsibilities of Members of an Organizational Unit and Encourage Full Acceptance of Those Responsibilities Because organizations of all kinds have impacts on the public, they must accept responsibilities to society. Organizational procedures and attitudes oriented toward quality and the welfare of society will reduce harm to members of the public, thereby serving public interest and fulfilling social responsibility. Therefore, organizational leaders must encourage full participation in meeting social responsibilities as well as quality performance.
B.4.3 Manage Personnel and Resources to Design and Build Information Systems That Enhance the Quality of Working Life Organizational leaders are responsible for ensuring that computer systems enhance, not degrade, the quality of working life. When implementing a computer system, organizations must consider the personal and professional development, physical safety, and human dignity of all workers. Appropriate human– computer ergonomic standards should be considered in system design and in the workplace.
B.4.4 Acknowledge and Support Proper and Authorized Uses of an Organization’s Computing and Communication Resources Because computer systems can become tools to harm as well as to benefit an organization, the leadership has the responsibility to clearly define appropriate and inappropriate uses of organizational computing resources. Whereas the number and scope of such rules should be minimal, they should be fully enforced when established.
B.4.5 Ensure That Users and Those Who Will Be Affected by a System Have Their Needs Clearly Articulated during the Assessment and Design of Requirements; Later the System Must Be Validated to Meet Requirements Current system users, potential users, and other persons whose lives may be affected by a system must have their needs assessed and incorporated in the statement of requirements. System validation should ensure compliance with those requirements.
B.4.6 Articulate and Support Policies That Protect the Dignity of Users and Others Affected by a Computing System Designing or implementing systems that deliberately or inadvertently demean individuals or groups is ethically unacceptable. Computer professionals who are in decision-making positions should verify that systems are designed and implemented to protect personal privacy and enhance personal dignity.
B.4.7 Create Opportunities for Members of the Organization to Learn the Principles and Limitations of Computer Systems This complements the imperative on public understanding (2.7). Educational opportunities are essential to facilitate optimal participation of all organizational members. Opportunities must be available to all members to help them improve their knowledge and skills in computing, including courses that familiarize them with the consequences and limitations of particular types of systems. In particular, professionals must be made aware of the dangers of building systems around oversimplified models, the improbability of anticipating and designing for every possible operating condition, and other issues related to the complexity of this profession.
© 2004 by Taylor & Francis Group, LLC
B.5
Compliance with the Code: As an ACM member I will . . .
B.5.1 Uphold and Promote the Principles of This Code The future of the computing profession depends on both technical and ethical excellence. Not only is it important for ACM computing professionals to adhere to the principles expressed in this Code, each member should encourage and support adherence by other members.
B.5.2 Treat Violations of This Code as Inconsistent with Membership in the ACM Adherence of professionals to a Code of ethics is largely a voluntary matter. However, if a member does not follow this Code by engaging in gross misconduct, membership in ACM may be terminated.
B.6
Acknowledgments
Adopted by ACM Council Oct. 16, 1992; Copyright 1993 by ACM, all rights reserved; reprinted with permission from ACM; originally published in 1993 Communications of the ACM 36(2) and also available on the ACM Web site http://www.acm.org.
© 2004 by Taylor & Francis Group, LLC
Appendix C: Standards-Making Bodies and Standards C.1 C.2 C.3 C.4 C.5 C.6 C.7
The International Organization for Standardization (ISO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The American National Standards Institute (ANSI) . . . The IEEE Standards Association . . . . . . . . . . . . . . . . . . . . . The World Wide Web Consortium (W3C) . . . . . . . . . . . The American Standard Code for Information Interchange (ASCII). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The UNICODE Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . Floating-Point Arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . .
C-1 C-2 C-2 C-2 C-2 C-3 C-3
International and national standards play an important role in computer science and engineering. Standards help unify the definition and implementation of complex systems, especially in the areas of architecture, human–computer interaction, operating systems and networks, programming languages, and software engineering. Principal roles in standardization for computer science and engineering are played by the International Standards Organization (ISO), the American National Standards Institute (ANSI), and the Institute of Electrical and Electronics Engineers (IEEE). These organizations are briefly described in the following sections, with pointers to their Web pages provided for further information.
C.1 The International Organization for Standardization (ISO) “ISO is a network of the national standards institutes of 147 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization: its members are not, as is the case in the United Nations system, delegations of national governments. Nevertheless, ISO occupies a special position between the public and private sectors. This is because, on the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.” Some of the countries represented in ISO and their respective member bodies (in parentheses) are listed below.
© 2004 by Taylor & Francis Group, LLC
Country Australia Brazil Canada China Czech Republic Denmark Egypt Finland France Germany India
Member Body (SAI) (ABNT) (SCC) (SAC) (COSMT) (DS) (EOS) (SFS) (AFNOR) (DIN) (BIS)
Country Ireland Israel Italy Japan Netherlands Sweden Switzerland USA Ukraine United Kingdom
Member Body (NSAI) (SII) (UNI) (JISC) (NEN) (SIS) (SNV) (ANSI) (DSSU) (BSI)
More information about the ISO can be can be obtained by visiting its Web page: http://www.iso.ch.
C.2 The American National Standards Institute (ANSI) “The American National Standards Institute (ANSI) is a private, non-profit organization (501(c)3) that administers and coordinates the U.S. voluntary standardization and conformity assessment system. The Institute’s mission is to enhance both the global competitiveness of U.S. business and the U.S. quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity.” (See http://www.ansi.org for more details.) ANSI standards in computer science exist in the areas of architecture, graphics, and programming languages. The International Committee for Information Technology Standards (INCITS) is accredited by ANSI to create and maintain standards in information technology, including the various areas of computer science. More information about specific ANSI standards in these and other areas can be obtained by visiting the INCITS Web site: http://www.incits.org.
C.3 The IEEE Standards Association The IEEE Standards Association also develops standards for certain areas of computer science and engineering, especially the areas of architecture, networks, and software engineering. For more information, visit the Web page: http://standards.ieee.org.
C.4 The World Wide Web Consortium (W3C) The World Wide Web Consortium was created in October 1994 to lead the World Wide Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. W3C has around 400 Member organizations from all over the world and has earned international recognition for its contributions to the growth of the Web. For more information, see the Web site: http://www.w3.org.
C.5 The American Standard Code for Information Interchange (ASCII) The American Standard Code for Information Interchange (ASCII) is a standard representation scheme for English language text based information storage and network transfer. The ASCII standard was established in 1968, and the current version of the standard is ANSI X3.110-1983. © 2004 by Taylor & Francis Group, LLC
C.6 The UNICODE Standard Unicode is a standard representation scheme for every character, no matter what the language. The Unicode Standard has been adopted by the major technology vendors, and is required by modern standards such as XML, CORBA, and Java. It is supported in many operating systems, all modern browsers, and many other products. For more information, see the Web site: http://www.unicode.org.
C.7 Floating-Point Arithmetic Computer implementations of floating-point numbers and arithmetic generally follow the IEEE floatingpoint standards ANSI/IEEE 754-1985 (R1991) and ANSI/IEEE 854-1988 (R1994). The 754 standard has been adopted by nearly every computer manufacturer since about 1980. It uses a 32- and 64-bit binary word as the basis for representing a floating-point number. The 854 standard restates this representation in a radix-independent style.
© 2004 by Taylor & Francis Group, LLC
Appendix D: Common Languages and Conventions D.1 D.2 D.3 D.4 D.5 D.6 D.7 D.8 D.9 D.10 D.11 D.12 D.13 D.14 D.15 D.16 D.17 D.18 D.19 D.20
ADA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C ................................................... C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . COBOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EIFFEL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Extensible Markup Language (XML) . . . . . . . . . . . . . . . . . FORTRAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hypertext Markup Language (HTML) . . . . . . . . . . . . . . . Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LaTeX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OpenGL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PASCAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PERL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PostScript and PDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PROLOG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SCHEME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tcl/Tk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
D-1 D-2 D-2 D-2 D-3 D-3 D-3 D-3 D-3 D-4 D-4 D-4 D-5 D-5 D-5 D-5 D-5 D-6 D-6 D-6
This appendix contains brief descriptions of several computer languages, with pointers to their standard versions and current Web pages added for further information. Each of these languages is supported by texts and professional references as well as compilers and interpreters. Readers interested in learning about current texts or implementations for a programming language are encouraged to consult the Web pages and Usenet news groups listed below.
D.1 ADA ADA was designed during the late 1970s in a collaborative effort sponsored by the U.S. Department of Defense. Its purpose was to provide a common high-level language in which systems programs could be designed and implemented, with special features that support concurrency, data abstraction, and software reuse. ADA was first implemented in the early 1980s and was first standardized in 1983 as
© 2004 by Taylor & Francis Group, LLC
a U.S. military standard. Since then, a variety of ADA implementations have emerged and many new features have been added. The current international ADA standard definition is found in ANSI/ISO/IEC 8652-1995. ADA is an imperative programming language whose recently added features also support object-oriented programming. Its syntax is in the PASCAL tradition, and its semantics supports strong typing, data abstraction and encapsulation, and concurrency control for real-time systems. ADA applications now cover a wide range, including military, commercial, and other large software systems. ADA compilers are available for a wide variety of computing platforms. Compilers for the 1995 standard version of ADA are also available. For more information about ADA and its implementations, consult the Usenet news group comp.lang.ada or the following Web page: http://www1.acm.org/sigs/sigada.
D.2 C The language C was designed in 1969 as a systems programming language to support programmers who were implementing the Unix operating system. Its usage grew rapidly alongside that of Unix itself and today is probably the most widely used systems programming language. C was standardized in 1990, and its current standard version is ANSI/ISO 9899-1990. C is also used widely in the sciences and other programming application areas. It is a high-level imperative language with extensive function libraries and unusually efficient implementations. C compilers run on most modern computers and operating systems. For more information about C, consult the Usenet news group comp.lang.c or the following Web page: http://www.gnu.org/software/gcc/gcc.html.
D.3 C++ C++ was designed by Bjarne Stroustrup in the early 1980s. It is an extension of C that adds new features for data abstraction, object-oriented programming, and a number of other improvements over traditional C constructs. C++ is a hybrid language, including facilities for both imperative and object-oriented programming. It is a very widely used language, especially in areas of software design that require object-oriented techniques. C++ implementations exist for nearly all modern platforms, including Unix and non-Unix operating systems. A standard definition of C++ was adopted by ANSI and ISO in 1998. For more information about C++, consult the Usenet news group comp.lang.c or the following Web page: http://www.gnu.org/software/ gcc/gcc.html.
D.4 COBOL Common business-oriented language (COBOL) was first designed in 1960 as a high-level programming language for data processing applications. Its use grew rapidly in the 1960s, and it has been the most widely used language in business applications throughout the past three decades. The first ANSI standard version of COBOL was developed and published in 1968, and subsequent extensions to the standard were published in 1974 and 1985. The current standard version of COBOL is ANSI X3.23-1985 (R1991). COBOL programs are written in an abbreviated and stylized form of English. The text of a program has four main parts or divisions. The identification division serves to identify the program, its author, and other documentary information. The environment division characterizes the features of the computer on which the program is run. The data division describes the variables, data structures, and files that the program uses, and the procedure division contains the executable code for the program. COBOL is an imperative language, so that programs are the result of procedural decomposition as a design methodology. For more information about COBOL, consult the Usenet news group comp.lang.cobol or the following Web page: http://www.cobolportal.com. © 2004 by Taylor & Francis Group, LLC
D.5 EIFFEL EIFFEL is an object-oriented programming language that enforces principles of software design, especially reliability and reuse. It was invented by Bertrand Meyer in the late 1980s, but at this time no EIFFEL standard either exists or is in development. EIFFEL programs are written using the philosophy of “design by contract.” This means that each object’s state during execution conforms to a predetermined set of constraints that are defined by method preconditions and postconditions and a class invariant. Before a method can be applied to an object, the object must be in a state that satisfies the class invariant and the method’s preconditions. Similarly, after a method has been applied to an object, assurance is guaranteed that the state satisfies the class invariant and the method’s postconditions. EIFFEL’s type system ensures that type errors are caught at compile time, and EIFFEL provides automatic garbage collection so that programs need not use a destructor to take an object out of use. EIFFEL is implemented on a wide variety of platforms. For more information about EIFFEL, consult the Usenet news group comp.lang.eiffel or the following Web page: http://www.eiffel.com.
D.6 Extensible Markup Language (XML) XML is a flexible text formatting language derived from SGML (ISO 8879). Originally designed for largescale electronic publishing applications, XML is now playing an important role in the definition and exchange of a wide variety of data on the Web. More information about XML can be found at the Web site: http://www.w3c.org/XML.
D.7 FORTRAN Designed by John Backus in 1954, formula translating system (FORTRAN) has become the most widely used scientific and engineering programming language of the past three decades. Its early versions were standardized in 1966 and a more extended version was standardized in 1977. The current FORTRAN standards are defined in ISO/IEC 1539:1991 and ISO/IEC 1539-2:1994 (Part 2: varying length character strings). A new draft Fortram standard is due to be published in 2004. FORTRAN is an imperative language, with extensive facilities and libraries to support scientific and engineering applications. Vast amounts of FORTRAN software exist in government and industrial computing laboratories. FORTRAN is implemented efficiently and widely, with compilers available on all contemporary platforms and operating systems. For more information about FORTRAN, consult the Usenet news group comp.lang.fortran or the following Web page: http://www.fortran.com.
D.8 Hypertext Markup Language (HTML) HTML is the standard language for preparing documents to be published on the World Wide Web. It is nonproprietary, and it can be created and processed by a wide range of word and document processing tools. HTML uses tags such as and
to structure text into headings, paragraphs, lists, hypertext links, graphics, sound, and video. HTML was standardized by ISO in the year 2000 as ISO-15445. More information can be found at the Web site: http://www.w3c.org/MarkUp.
D.9 Java Java was designed in the early 1990s by a team at Sun Microsystems headed by James Gosling. Designed to facilitate interactive programming on the Internet and World Wide Web, Java was rapidly disseminated among systems programmers at major companies in the technology industry. Java programs, or applets, can be embedded in appliances and HTML documents, providing interactive executable programs for users on the Web. © 2004 by Taylor & Francis Group, LLC
According to the description in Sun’s white paper, “Java is a simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” Java is based on C++ but excludes much of the baggage that makes C++ so cumbersome to use. Absent from Java are pointers; all objects are dynamic, and automatic garbage collection eliminates the need for destructors. Because Java is designed for use in networked environments, its designers included facilities for security. For more information about Java, consult the Usenet news group comp.lang.Java or the following Web page: http://java.sun.com.
D.10 LaTeX LaTeX is a markup language and system for document typesetting. It is implemented as a macro package that extends the TeX system, allowing a wide range of scientific documents to be easily prepared for typesetting. Tex was designed in 1970 by Donald Knuth. Many of the chapters in this Handbook were prepared using LaTeX. The LaTeX language can be used to describe the typesetting characteristics (e.g., boldface words, numbered lists) of a document. It is particularly good for describing mathematical formulas, maintaining bibliographies, and managing number streams (such as section numbers, figure numbers, etc.). LaTeX supports the automatic insertion of PostScript figures, and has many other features. For more information about LaTeX, consult the following Web page: http://www.latex-project.org.
D.11 LISP List processor (LISP) was designed by John McCarthy in the late 1950s. LISP has been used predominantly in the artificial intelligence area and developed rapidly throughout the 1960s and 1970s. Two dominant dialects of LISP evolved during that period: MACLISP and INTERLISP. An effort to unify these dialects and develop a single standard resulted in Common LISP, first implemented in the 1980s. Common LISP was finally standardized in 1994 as the standard ANSI X3.226-1994. More recently, object-oriented extensions to LISP have been developed under the rubric Common LISP Object System (CLOS). Thus, one can view CLOS as a hybrid functional/object-oriented programming language. Both Common LISP and CLOS are implemented on a wide range of platforms. LISP is a functional programming language based on the application of functions written in the form of lambda expressions using prefix notation. It is particularly useful in areas of artificial intelligence programming that require the representation of symbolic expressions for mechanical reasoning and knowledge representation. Many illustrations of the functional programming paradigm appear in Chapter 92, and examples of LISP programs appear among the chapters of the Intelligent Systems section of this Handbook. For more information about LISP and CLOS, consult the Usenet news groups comp.lang.lisp and comp.lang.clos as well as the following Web page: http://www.lisp.org.
D.12 ML Meta language (ML) was developed by Robin Milner and others as a functional programming language with imperative features and an unusually advanced concept of type. Its current version was defined in 1983, modestly updated in 1997, and is called Standard ML. It is a compiled language whose major applications are in the computer science education and research communities. ML has a simple syntax and yet supports data abstraction through its strong static typing system and type inference mechanism, polymorphism, exceptions, and rule-based specifications. ML is widely implemented on the major computing platforms, including Unix, Mac, and PC machines. Standard ML of New Jersey is a free implementation of ML, developed jointly by Princeton University and AT&T. For more information about ML, consult the Usenet news group comp.lang.ml or the following Web page: http://www.smlnj.org. © 2004 by Taylor & Francis Group, LLC
D.13 OpenGL OpenGL is the most widely supported environment for developing portable, interactive graphics applications. Since its introduction in 1992, OpenGL has become the most widely used graphics application programming interface (API), incorporating a broad set of rendering, texture mapping, special effects, and other visualization functions. Developers can use OpenGL on all popular desktop and workstation platforms. For more information, consult the following Web page: http://www.opengl.org.
D.14 PASCAL PASCAL was designed by Niklaus Wirth in the early 1970s as a language for teaching principles of computer science and imperative programming. It was the main language for expressing algorithms in computer science curricula throughout the 1970s and 1980s. However, wide PASCAL usage has given way to the rapid rise of the object-oriented programming paradigm and related languages such as C++ and Java. PASCAL’s current standard version is defined in the document ANSI/ISO/IEC 7185– 1990. As a language designed for teaching, PASCAL is characterized by a strong type system support for modularity, simple syntax, and robust compile and runtime programming environments. Its features have evolved over the past two decades, and nonstandard extensions are available that support a wide range of library functions as well as object-oriented programming. PASCAL was also used as a basis for the design of the language ADA. For more information about PASCAL, consult the Usenet news group comp.lang.pascal.misc or the following Web page: http://www.pascal-central.com.
D.15 PERL PERL is a special-purpose language designed for text processing applications, especially those that require text search, extraction, and text-based reporting. Its syntax is similar to that of C, and it is usually implemented in Unix environments. However, PERL is an interpreted language, designed for rapid prototyping, so that its programs will not run as fast as comparable C programs. Optimized for text processing, PERL employs sophisticated pattern matching techniques to speed up text search. It also does not arbitrarily limit the size of a file or the depth of a recursive call, as long as memory is available. For more information about PERL, consult the Usenet news group comp.lang.perl.misc or the following Web page: http://www.perl.com/.
D.16 PostScript and PDF PostScript is both a graphics standard and a programming language for page layout and typesetting text and graphics on laser printers. For example, most of the figures in this Handbook were separately created in PostScript and then embedded in a word processing document at the time it was typeset. Portable Document Format (PDF) is a universal file format that preserves the fonts, images, graphics, and layout of any source document, regardless of the application and platform used to create it. For more information about PostScript and PDF, consult the Web page: http://www.adobe.com.
D.17 PROLOG Programming in logic (PROLOG) was developed in the early 1970s by Philippe Roussel. It is primarily an interpreted logic programming language, designed for use in such artificial intelligence applications as problem solving, expert systems, knowledge representation, and natural language processing. PROLOG is implemented on a wide variety of computers, and its general core is defined by the standard ISO/IEC 13211-1:1995. © 2004 by Taylor & Francis Group, LLC
The syntax of PROLOG is based on logic expressions, and its semantics is defined using the concepts of resolution and unification. Chapter 93 in this Handbook provides a tutorial introduction to the logic programming paradigm, with many PROLOG examples provided as illustrations. For more information about PROLOG, consult the Usenet news group comp.lang.prolog or the following Web page: http://www.afm.sbu.ac.uk/logic-prog/.
D.18 SCHEME SCHEME is a dialect of LISP that developed in the 1970s, designed for educational use, widely implemented, and having a simple syntax and semantics. SCHEME was standardized by ANSI and IEEE in 1991 (ANSI/IEEE 1178-1991). SCHEME is distinguished from LISP by its small size, static scoping, and more flexible treatment of functions (i.e., a SCHEME function can be a list element, the value of a variable, the value of an expression, or passed as a parameter). For more information about SCHEME, consult the following Web page: http://www.swiss.ai.mit.edu/projects/scheme.
D.19 Tcl/Tk The Tcl/TK programming system was developed by John Ousterhout. It has two parts: the programming language Tcl and the toolkit of widgets called Tk, which supports the programming of interactive graphical user interfaces (GUIs). A main goal of Tcl/Tk is to support the rapid development and prototyping of such interfaces, so that Tcl programs are usually run in interpretive mode. Tcl/Tk can also be used in coordination with other languages, and it is implemented on a variety of platforms. Tcl is an imperative language, with modest support for handling types and data abstractions. It may not be an ideal language for writing large, complex programs; its narrow focus is to facilitate the rapid development of user interfaces. Tk widgets include labels, messages, listboxes, texts, frames, scrollbars, buttons, and other elements that commonly appear in user interfaces. A wide range of applications for languages such as Tcl/Tk are discussed in the Human–Computer Interaction section of this Handbook. For more information about Tcl/Tk, consult the following Web page: http://www.tcl.tk.
D.20 X Windows X Windows is a standard technology for windowing systems that was developed at MIT and is now maintained by the consortium X.Org. X Windows consists of a library of graphics function calls, called Xlib, written in C, that is freely available. Application programs that require graphics can call functions from this library. The functions in Xlib are simpler than those in GKS or PHIGS. They are also more stylized to the needs of interactive user interface programming, such as creating a window or sampling the mouse pointer. On the other hand, X Windows functions are not as extensive as PHIGS functions in the area of graphics applications. For more information about X Windows, consult the following Web page: http://www.x.org.
© 2004 by Taylor & Francis Group, LLC