Open Forum Education: Where Are the Software Engineers of Tomorrow?

By Dr. Robert B.K. Dewar and Dr. Edmond Schonberg AdaCore Inc. It is our view that Computer Science (CS) education is neglecting basic skills, in particular in the areas of programming and formal methods. We consider that the general adoption of Java as a first is in part responsible for this decline. We examine briefly the set of programming skills that should be part of every software professional’s repertoire.

t is all about programming! Over the last the methods (and the hardware) of the take MatLab to be the universal program- few years we have noticed worrisome time prevented these techniques from ming tool and ignore the topic altogether. trendsI in CS education. The following rep- becoming widespread, and as a result they resents a summary of those trends: are more or less ignored by most CS pro- The Pitfalls of Java as a First grams. This is unfortunate because the Programming Language 1. Mathematics requirements in CS pro- techniques have evolved to the point that Because of its popularity in the context of grams are shrinking. they can be used in large-scale systems and Web applications and the ease with which 2. The development of programming can contribute substantially to the reliabili- beginners can produce graphical programs, skills in several languages is giving way ty of these systems. A case in point is the Java has become the most widely used lan- to cookbook approaches using large use of SPARK in the re-engineering of the guage in introductory programming cours- libraries and special-purpose packages. ground-based air traffic control system in es.We consider this to be a misguided 3. The resulting set of skills is insufficient the (see a description of attempt to make programming more fun, for today’s software industry (in partic- iFACTS – Interim Future Area Control perhaps in reaction to the drop in CS ular for safety and security purposes) Tools Support, at ). SPARK is a subset of Ada aug- bust. What we observed at New York the outsourcing industry can offer.We mented with assertions that allow the University is that the Java programming are training easily replaceable profes- designer to prove important properties of courses did not prepare our students for sionals. a program: termination, absence of run- the first course in systems, much less for time exceptions, finite memory usage, etc. more advanced ones. Students found it These trends are visible in the latest [2]. It is obvious that this kind of design hard to write programs that did not have a curriculum recommendations from the and analysis methodology (dubbed graphic interface, had no feeling for the Association for Computing Machinery Correctness by Construction) will add sub- relationship between the source program (ACM). Curriculum 2005 does not mention stantially to the reliability of a system and what the hardware would actually do, mathematical prerequisites at all, and it whose design has involved SPARK from and (most damaging) did not understand mentions only one course in the theory of the beginning. However, PRAXIS, the the semantics of pointers at all, which programming languages [1]. company that developed SPARK and made the use of in systems program- We have seen these developments from which is designing iFACTS, finds it hard to ming very challenging. both sides: As faculty members at New recruit people with the required mathemat- Let us propose the following principle: York University for decades, we have ical competence (and this is present even in The irresistible beauty of programming regretted the introduction of Java as a first the United Kingdom, where formal meth- consists in the reduction of complex for- language of instruction for most computer ods are more widely taught and used than mal processes to a very set of primi- science majors. We have seen how this in the ). tive operations. Java, instead of exposing choice has weakened the formation of our Another formal approach to which CS this beauty, encourages the programmer to students, as reflected in their performance students need exposure is model checking approach problem-solving like a plumber in systems and architecture courses. As and linear temporal logic for the design of in a hardware store: by rummaging through founders of a company that specializes in concurrent systems. For a modern discus- a multitude of drawers (i.e. packages) we Ada programming tools for mission-critical sion of the topic, which is central to mis- will end up finding some gadget (i.e. class) systems, we find it harder to recruit quali- sion-critical software, see [3]. that does roughly what we want. How it fied applicants who have the right founda- Another area of computer science does it is not interesting! The result is a stu- tional skills. We want to advocate a more which we find neglected is the study of dent who knows how to put a simple pro- rigorous formation, in which formal meth- floating-point computations. At New York gram together, but does not know how to ods are introduced early on, and program- University, a course in numerical methods program. A further pitfall of the early use ming languages play a central role in CS and floating-point computing used to be of Java libraries and frameworks is that it is education. required, but this requirement was dropped impossible for the student to develop a Formal Methods and Software many years ago, and now very few students sense of the run-time cost of what is writ- take this course. The topic is vital to all sci- ten because it is extremely hard to know Construction entific and engineering software and is what any method call will eventually exe- Formal techniques for proving the correct- semantically delicate. One would imagine cute. A lucid analysis of the problem is pre- ness of programs were an extremely active that it would be a required part of all cours- sented in [4]. subject of research 20 years ago. However, es in scientific computing, but these often We are seeing some backlash to this

28 CROSSTALK The Journal of Defense Software Engineering January 2008 Computer Science Education: Where Are the Software Engineers of Tomorrow? approach. For example, Bjarne Stroustrup tree manipulation libraries in Ada, and 1. An understanding of concurrent pro- reports from Texas A & M University that garbage collection in anything but Java. gramming (for which threads provide a the industry is showing increasing unhappi- The study of a wide variety of languages is, basic low-level model). ness with the results of this approach. thus, indispensable to the well-rounded 2. Reflection, namely the understanding Specifically, he notes the following: programmer. that a program can be instrumented to examine its own state and to determine I have had a lot of complaints about Why C Matters its own behavior in a dynamically that [the use of Java as a first pro- C is the low-level language that everyone changing environment. gramming language] from industry, must know. It can be seen as a portable specifically from AT&T, IBM, Intel, assembly language, and as such it exposes Why Ada Matters Bloomberg, NI, Microsoft, Lock- the underlying machine and forces the stu- Ada is the language of software engineer- heed-Martin, and more. [5] dent to understand clearly the relationship ing par excellence. Even when it is not the between software and hardware. Perfor- language of instruction in programming He noted in a private discussion on this mance analysis is more straightforward, courses, it is the language chosen to teach topic, reporting the following: because the cost of every software state- courses in software engineering. This is ment is clear. Finally, (GCC for because the notions of strong typing, It [Texas A&M] did [teach Java as example) make it easy to examine the gen- encapsulation, information hiding, concur- the first language]. Then I started erated assembly code, which is an excellent rency, generic programming, inheritance, teaching C++ to the electrical engi- tool for understanding machine language and so on, are embodied in specific fea- neers and when the EE students and architecture. tures of the language. From our experience started to out-program the CS stu- and that of our customers, we can say that Why C++ Matters dents, the CS department switched a real programmer writes Ada in any lan- to C++. [5] C++ brings to C the fundamental concepts guage. For example, an Ada programmer of modern software engineering: encapsu- accustomed to Ada’s package model, which It will be interesting to see how many lation with classes and namespaces, infor- strongly separates specification from departments follow this trend. At mation hiding through protected and pri- implementation, will tend to write C in a AdaCore, we are certainly aware of many vate data and operations, programming by style where well-commented header files universities that have adopted Ada as a first extension through virtual methods and act in somewhat the same way as package language because of similar concerns. derived classes, etc. C++ also pushes stor- specs in Ada. The programmer will include age management as far as it can go without bounds checking and consistency checks A Real Programmer Can full-blown garbage collection, with con- when passing mutable structures between Write in Any Language (C, structors and destructors. subprograms to mimic the strong-typing Java, Lisp,Ada) Why Lisp Matters checks that Ada mandates [6]. She will Software professionals of a certain age will organize concurrent programs into tasks Every programmer must be comfortable and protected objects, with well-defined remember the slogan of old-timers from with functional programming and with the two generations ago when structured pro- synchronization and communication important notion of referential transparency. mechanisms. gramming became the rage: Real program- Even though most programmers find imper- mers can write Fortran in any language. The concurrency features of Ada are ative programming more intuitive, they must particularly important in our age of multi- The slogan is a reminder of how thinking recognize that in many contexts that a func- core architectures. We find it surprising that habits of programmers are influenced by tional, stateless style is clear, natural, easy to these architectures should be presented as a the first language they learn and how hard understand, and efficient to boot. novel challenge to software design when it is to shake these habits if you do all your An additional benefit of the practice of Ada had well-designed mechanisms for writ- programming in a single language. Lisp is that the program is written in what ing safe, concurrent software 30 years ago. Conversely, we want to say that a compe- amounts to abstract syntax, namely the tent programmer is comfortable with a internal representation that most compilers Programming Languages Are number of different languages and that the use between parsing and code generation. Not the Whole Story programmer must be able to use the men- Knowing Lisp is thus an excellent prepara- tal tools favored by one of them, even tion for any software work that involves A well-rounded CS curriculum will include when programming in another. For exam- language processing. an advanced course in programming lan- ple, the user of an imperative language Finally, Lisp (at least in its lean Scheme guages that covers a wide variety of lan- such as Ada or C++ must be able to write incarnation) is amenable to a very compact guages, chosen to broaden the understand- in a functional style, acquired through prac- self-definition. Seeing a complete Lisp ing of the programming process, rather tice with Lisp and ML1, when manipulating interpreter written in Lisp is an intellectual than to build a résumé in perceived hot lan- recursive structures. This is one indication revelation that all computer scientists guages. We are somewhat dismayed to see of the importance of learning in-depth a should experience. the popularity of scripting languages in number of different programming lan- introductory programming courses. Such guages. What follows summarizes what we Why Java Matters languages (Javascript, PHP, Atlas) are think are the critical contributions that Despite our comments on Java as a first or indeed popular tools of today for Web well-established languages make to the only language, we think that Java has an applications. Such languages have all the mental tool-set of real programmers. For important role to play in CS instruction. pedagogical defaults that we ascribe to Java example, a real programmer should be able We will mention only two aspects of the and provide no opportunity to learn - to program inheritance and dynamic dis- language that must be part of the real pro- rithms and performance analysis. Their patching in C, information hiding in Lisp, grammer’s skill set: absence of strong typing leads to a trial-

January 2008 www.stsc.hill.af.mil 29 Open Forum

and-error programming style and prevents /curric_vols/CC2005-March06 students from acquiring the discipline of Final.pdf>. separating design of interfaces from speci- 2. Barnes, John. High Integrity Ada: The fications. Spark Approach. Addison-Wesley, Get Your Free Subscription However, teaching the right languages 2003. alone is not enough. Students need to be 3. Ben-Ari, M. Principles of Concurrent Fill out and send us this form. exposed to the tools to construct large- and Distributed Programming. 2nd ed. scale reliable programs, as we discussed at Addison-Wesley, 2006. 517 SMXS/MXDEA the start of this article. Topics of relevance 4. Mitchell, Nick, Gary Sevitsky, and 6022 Fir Ave are studying formal specification methods Harini Srinivasan. “The Diary of a Bldg 1238 and formal proof methodologies, as well as Datum: An Approach to Analyzing Hill AFB, UT 84056-5820 gaining an understanding of how high-reli- Runtime Complexity in Framework- Fax: (801) 777-8069 DSN: 777-8069 ability code is certified in the real world. Based Applications.” Workshop on When you step into a plane, you are putting Library-Centric Software Design, Phone: (801) 775-5555 DSN: 775-5555 your life in the hands of software which Object-Oriented Programming, Sys- Or request online at www.stsc.hill.af.mil had better be totally reliable. As a comput- tems, Languages, and Applications, San er scientist, you should have some knowl- Diego, CA, 2005. NAME: ______edge of how this level of reliability is 5. Stroustrup, Bjarne. Private communica- achieved. In this day and age, the fear of tion. Aug. 2007. terrorist cyber attacks have given a new 6. Holzmann Gerard J. “The Power of RANK/GRADE: ______urgency to the building of software that is Ten – Rules for Developing Safety not only bug free, but is also immune from Critical Code.” IEEE Computer June POSITION/TITLE: ______malicious attack. Such high-security soft- 2006: 93-95. ware relies even more extensively on for- mal methodologies, and our students need Note ORGANIZATION: ______N to be prepared for this new world. 1. Several programming language and sys- tem names have evolved from ADDRESS: ______References acronyms whose formal spellings are 1. Joint Taskforce for Computing no longer considered applicable to the ______Curricula. “Computing Curricula 2005: current names for which they are read- The Overview Report.” ACM/AIS/ ily known. ML, Lisp, GCC, PHP, and BASE/CITY: ______IEEE, 2005

30 CROSSTALK The Journal of Defense Software Engineering January 2008