DOCSLIB.ORG

Design by Contract: the Lessons of Ariane

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

. Editor: Bertrand Meyer, EiffelSoft, 270 Storke Rd., Ste. 7, Goleta, CA 93117; voice (805) 685-6869; [email protected] several hours (at least in earlier versions of Ariane), it was better to let the computa- tion proceed than to stop it and then have Design by to restart it if liftoff was delayed. So the SRI computation continues for 50 seconds after the start of flight mode—well into the flight period. After takeoff, of course, this com- Contract: putation is useless. In the Ariane 5 flight, Object Technology however, it caused an exception, which was not caught and—boom. The exception was due to a floating- point error during a conversion from a 64- The Lessons bit floating-point value, representing the flight’s “horizontal bias,” to a 16-bit signed integer: In other words, the value that was converted was greater than what of Ariane can be represented as a 16-bit signed inte- ger. There was no explicit exception han- dler to catch the exception, so it followed the usual fate of uncaught exceptions and crashed the entire software, hence the onboard computers, hence the mission. This is the kind of trivial error that we Jean-Marc Jézéquel, IRISA/CNRS are all familiar with (raise your hand if you Bertrand Meyer, EiffelSoft have never done anything of this sort), although fortunately the consequences are usually less expensive. How in the world everal contributions to this made up of respected experts from major department have emphasized the European countries, which produced a How in the world could importance of design by contract report in hardly more than a month. These such a trivial error in the construction of reliable agencies are to be commended for the have remained S software. Design by contract, as speed and openness with which they han- undetected and cause you will recall, is the principle that inter- dled the disaster. The report is available a $500 million rocket faces between modules of a software sys- on the Web, in both French and English to blow up? tem— especially a mission-critical one— (http://www.cnes.fr/actualites/news/rap- should be governed by precise specifi- port_501.html). cations, similar to contracts between It is a remarkable document: short, clear, humans or companies. The contracts will and forceful. The explosion, the report can it have remained undetected and pro- cover mutual obligations (precondi- says, is the result of a software error, pos- duced such a horrendous outcome? tions), benefits (postconditions), and con- sibly the costliest in history (at least in dol- sistency constraints (invariants). Together lar terms, since earlier cases have cost lives). YOU CAN’T BLAME MANAGEMENT these properties are known as assertions, Particularly vexing is the realization that Although something clearly went wrong and are directly supported in some design the error came from a piece of the software in the validation and verification process and programming languages. that was not needed. The software (or we wouldn’t have a story to tell), and A recent $500 million software error involved is part of the Inertial Reference although the Inquiry Board does make sev- provides a sobering reminder that this System, for which we will keep the eral recommendations to improve the principle is not just a pleasant academic acronym SRI used in the report, if only to process, it is also clear that systematic doc- ideal. On June 4, 1996, the maiden flight of avoid the unpleasant connotation that the umentation, validation, and management the European Ariane 5 launcher crashed, reverse acronym has for US readers. Before procedures were in place. about 40 seconds after takeoff. Media liftoff, certain computations are performed The software engineering literature has reports indicated that a half-billion dollars to align the SRI. Normally, these compu- often contended that most software prob- was lost—the rocket was uninsured. tations should cease at −9 seconds, but lems are primarily management problems. The French space agency, CNES (Centre because there is a chance that a countdown This is not the case here: the problem was National d’Etudes Spatiales), and the could be put on hold, the engineers gave a technical one. (Of course you can always European Space Agency immediately themselves some leeway. They reasoned argue that good management will spot appointed an international inquiry board, that, because resetting the SRI could take technical problems early enough.) January 1997 129 . YOU CAN’T BLAME THE LANGUAGE indeed reused from 10-year-old software, • Most important, assertions are a Ada’s exception mechanism has been the software from Ariane 4. But this is not prime component of the software criticized in the literature, but in this case the real story. and its automatically produced doc- it could have been used to catch the excep- umentation (“short form” in Eiffel tion. In fact, the report says: BUT YOU REALLY HAVE TO BLAME environments). In a project such as REUSE SPECIFICATION Ariane, in which there is so much Not all the conversions were protected What was truly unacceptable in this case emphasis on quality control and because a maximum workload target of was the absence of any kind of precise thorough validation of everything, 80% had been set for the SRI computer. specification associated with this reusable assertions would have been the qual- To determine the vulnerability of unpro- module. The requirement that the hori- ity assurance team’s primary focus of tected code, an analysis was performed on zontal bias should fit on 16 bits was in fact attention. Any test team worth its every operation which could give rise to stated in an obscure part of a mission doc- salt would have checked systemati- an ... operand error. This led to protection ument. But it was nowhere to be found in cally that every call satisfies every being added to four of [seven] variables ... the code itself! precondition. That would have im- in the Ada code. However, three of the One of the principles of design by con- mediately revealed that the Ariane 5 variables were left unprotected. tract, as earlier columns have said, is that software did not meet the expecta- any software element that has such a fun- tion of the Ariane 4 routines that it YOU CAN’T BLAME THE DESIGN damental constraint should state it explic- called. Why was the exception not monitored? itly, as part of a mechanism present in the The analysis revealed that overflow (a hor- language. In an Eiffel version, for exam- he Inquiry Board makes several rec- izontal bias not fitting in a 16-bit integer) ple, it would be stated as ommendations with respect to soft- could not occur. Was the analysis wrong? T ware process improvement. Many No! It was right for the Ariane 4 trajec- convert (horizontal_bias: are justified; some may be overkill; some tory. For Ariane 5, with other trajectory DOUBLE): INTEGER is would be very expensive to put in place. parameters, it did not hold. require There is a more simple lesson to be horizontal_bias learned from this unfortunate event: YOU CAN’T BLAME THE <= Maximum_bias Reuse without a precise, rigorous speci- IMPLEMENTATION do fication mechanism is a risk of potentially Some may criticize removing the conver- ... disastrous proportions. sion protection to achieve more perfor- ensure mance (the 80 percent workload target), ... but this decision was justified by the theo- end There is a simple lesson retical analysis. To engineer is to make here: Reuse without compromises. If you have proved that a where the precondition (require...) a precise specification condition cannot happen, you are entitled states clearly and precisely what the input mechanism is a not to check for it. If every program checked must satisfy to be acceptable. disastrous risk. for all possible and impossible events, no Does this mean that the crash would useful instruction would ever get executed! automatically have been avoided had the mission used a language and method sup- YOU CAN’T BLAME TESTING porting built-in assertions and design by It is regrettable that this lesson has not The Inquiry Board recommends better contract? Although it is always risky to been heeded by such recent designs as IDL testing procedures, and it also recommends draw such after-the-fact conclusions, the (the Interface Definition Language of testing the entire system rather than parts of answer is probably yes: CORBA)—which is intended to foster it (in the Ariane 5 case the SRI and the flight large-scale reuse across networks but fails software were tested separately). But even if • Assertions (preconditions and post- to provide any semantic specification you can test more, you can never test all. conditions in particular) can be auto- mechanism—Ada 95, or Java. None of Testing, as we all know, can show the pres- matically turned on during testing, these languages has built-in support for ence of errors, not their absence. The only through a simple compiler option. The design by contract. fully realistic test is a launch. And in fact, the error might have been caught then. Effective reuse requires design by con- launch was a test launch, in that it carried no • Assertions can remain turned on dur- tract. Without a precise specification commercial payload, although it was prob- ing execution, triggering an exception attached to each reusable component— ably not intended to be a $500 million test. if violated. Given the performance precondition, postcondition, invariant— constraints on such a mission, how- no one can trust a supposedly reusable YOU CAN TRY TO BLAME REUSE ever, this would probably not have component. Without a specification, it is The SRI horizontal bias module was been the case.
Recommended publications
  • The Essence Initiative

    The Essence Initiative

    The Essence Initiative Ivar Jacobson Agenda Specific Problems A Case for Action - Defining a solid theoretical base - Finding a kernel of widely agreed elements Using the Kernel Final Words Being in the software development business Everyone of us knows how to develop our software, but as a community we have no widely accepted common ground A CASE FOR ACTION STATEMENT • Software engineering is gravely hampered today by immature practices. Specific problems include: – The prevalence of fads more typical of fashion industry than of an engineering discipline. – The lack of a sound, widely accepted theoretical basis. – The huge number of methods and method variants, with differences little understood and artificially magnified. – The lack of credible experimental evaluation and validation. – The split between industry practice and academic research. Agenda Specific Problems A Case for Action - Defining a solid theoretical base - Finding a kernel of widely agreed elements Using the Kernel Final Words The SEMAT initiative Software Engineering Method and Theory www.semat.org Founded by the Troika in September 2009: Ivar Jacobson – Bertrand Meyer – Richard Soley What are we going to do about it? The Grand Vision We support a process to refound software engineering based on a solid theory, proven principles and best practices The Next Steps Defining A Kernel of a solid widely agreed theoretical basis elements There are probably more than 100,000 methods Desired solution: Method Architectureincl. for instance SADT, Booch, OMT, RUP, CMMI, XP, Scrum, Lean, Kanban There are around 250 The Kernel includes identified practices incl such elements as for instance use cases, Requirement, use stories, features, Software system, components, Work, Team, Way-of- working, etc.
  • Contracts for System Design

    Contracts for System Design

    Contracts for System Design Albert Benveniste, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet, Philipp Reinkemeier, Alberto Sangiovanni-Vincentelli, Werner Damm, Thomas Henzinger, Kim Guldstrand Larsen To cite this version: Albert Benveniste, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet, et al.. Contracts for System Design. [Research Report] RR-8147, INRIA. 2012, pp.65. hal-00757488 HAL Id: hal-00757488 https://hal.inria.fr/hal-00757488 Submitted on 28 Nov 2012 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Contracts for Systems Design Albert Benveniste, Benoît Caillaud, Dejan Nickovic Roberto Passerone, Jean-Baptiste Raclet, Philipp Reinkemeier Alberto Sangiovanni-Vincentelli, Werner Damm Tom Henzinger, Kim Larsen RESEARCH REPORT N° 8147 November 2012 Project-Teams S4 ISSN 0249-6399 ISRN INRIA/RR--8147--FR+ENG Contracts for Systems Design Albert Benveniste∗, Benoît Caillaudy, Dejan Nickovicz Roberto Passeronex, Jean-Baptiste Raclet{, Philipp Reinkemeierk Alberto Sangiovanni-Vincentelli∗∗, Werner Dammyy Tom Henzingerzz, Kim Larsen Project-Teams S4 Research Report n° 8147 — November 2012 — 64 pages This work was funded in part by the European STREP-COMBEST project number 215543, the European projects CESAR of the ARTEMIS Joint Undertaking and the European IP DANSE, the Artist Design Network of Excellence number 214373, the MARCO FCRP TerraSwarm grant, the iCyPhy program sponsored by IBM and United Technology Corporation, the VKR Center of Excellence MT-LAB, and the German Innovation Alliance on Embedded Systems SPES2020.
  • Budgen, Software Design Methods

    Budgen, Software Design Methods

    David Budgen The Loyal Opposition Software Design Methods: Life Belt or Leg Iron? o software design methods have a correctly means “study of method.”) To address, but future? In introducing the January- not necessarily answer, this question, I’ll first consider D February 1998 issue of IEEE Software,Al what designing involves in a wider context, then com- Davis spoke of the hazards implicit in pare this with what we do, and finally consider what “method abuse,”manifested by a desire this might imply for the future. to “play safe.”(If things go well, you can take the credit, but if they go wrong, the organization’s choice of method can take the blame.) As Davis argues, such a THE DESIGN PROCESS policy will almost certainly lead to our becoming builders of what he terms “cookie-cutter, low-risk, low- Developing solutions to problems is a distinguish- payoff, mediocre systems.” ing human activity that occurs in many spheres of life. The issue I’ll explore in this column is slightly dif- So, although the properties of software-based systems ferent, although it’s also concerned with the problems offer some specific problems to the designer (such as that the use of design methods can present. It can be software’s invisibility and its mix of static and dynamic expressed as a question: Will the adoption of a design properties), as individual design characteristics, these method help the software development process (the properties are by no means unique. Indeed, while “life belt” role), or is there significant risk that its use largely ignored by software engineers, the study of the will lead to suboptimum solutions (the “leg iron”role)? nature of design activities has long been established Robert L.
  • Génération Automatique De Tests Unitaires Avec Praspel, Un Langage De Spécification Pour PHP the Art of Contract-Based Testing in PHP with Praspel

    Génération Automatique De Tests Unitaires Avec Praspel, Un Langage De Spécification Pour PHP the Art of Contract-Based Testing in PHP with Praspel

    CORE Metadata, citation and similar papers at core.ac.uk Provided by HAL - Université de Franche-Comté G´en´erationautomatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP Ivan Enderlin To cite this version: Ivan Enderlin. G´en´eration automatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP. Informatique et langage [cs.CL]. Universit´ede Franche-Comt´e,2014. Fran¸cais. <NNT : 2014BESA2067>. <tel-01093355v2> HAL Id: tel-01093355 https://hal.inria.fr/tel-01093355v2 Submitted on 19 Oct 2016 HAL is a multi-disciplinary open access L'archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destin´eeau d´ep^otet `ala diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publi´esou non, lished or not. The documents may come from ´emanant des ´etablissements d'enseignement et de teaching and research institutions in France or recherche fran¸caisou ´etrangers,des laboratoires abroad, or from public or private research centers. publics ou priv´es. Thèse de Doctorat école doctorale sciences pour l’ingénieur et microtechniques UNIVERSITÉ DE FRANCHE-COMTÉ No X X X THÈSE présentée par Ivan Enderlin pour obtenir le Grade de Docteur de l’Université de Franche-Comté K 8 k Génération automatique de tests unitaires avec Praspel, un langage de spécification pour PHP The Art of Contract-based Testing in PHP with Praspel Spécialité Informatique Instituts Femto-ST (département DISC) et INRIA (laboratoire LORIA) Soutenue publiquement
  • Assertions, Pre/Post- Conditions and Invariants

    Assertions, Pre/Post- Conditions and Invariants

    9/14/12 Assertions, pre/post- conditions and invariants Section 2.1 in Walls and Mirrors Section 4.5 Rosen Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true before the method is executed q Caller obligation n Postcondition q Specifies what will happen if the preconditions are met q Method obligation 1 9/14/12 Class Invariants n A class invariant is a condition that all objects of that class must satisfy while it can be observed by clients n What about Points in Cloud? q boundaries? q center? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } // what could you state here? 2 9/14/12 What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //more? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //n is the smallest power of 2 >= limit 3 9/14/12 assert Using assert: assert n == 1; while (n < limit) { n = 2 * n; } assert n >= limit; When to use Assertions n We can use assertions to guarantee the behavior.
  • Cyber-Physical System Design Contracts

    Cyber-Physical System Design Contracts

    Cyber-Physical System Design Contracts Patricia Derler Edward A. Lee Martin Törngren University of California, University of California, KTH Royal Institute of Berkeley Berkeley Technology [email protected] [email protected] [email protected] Stavros Tripakis University of California, Berkeley [email protected] ABSTRACT tinct disciplines such as control engineering, software engineer- This paper introduces design contracts between control and em- ing, mechanical engineers, network engineering, etc. The com- bedded software engineers for building Cyber-Physical Systems plexity and heterogeneity of all the different design aspects require (CPS). CPS design involves a variety of disciplines mastered by methodologies for bridging the gaps between the disciplines in- teams of engineers with diverse backgrounds. Many system prop- volved. This is known to be challenging since the disciplines have erties influence the design in more than one discipline. The lack of different views, encompassing terminology, theories, techniques clearly defined interfaces between disciplines burdens the interac- and design approaches. tion and collaboration. We show how design contracts can facilitate In this paper, we focus on interactions between control and em- interaction between 2 groups: control and software engineers. A bedded software engineers. A multitude of modeling, analysis and design contract is an agreement on certain properties of the system. synthesis techniques that deal with codesign of control functions Every party specifies requirements and assumptions on the system and embedded software have been developed since the 1970s. We and the environment. This contract is the central point of inter- use the term codesign for approaches that provide an awareness of domain communication and negotiation.
  • Software Design Document 1

    Software Design Document 1

    SOFTWARE DESIGN DOCUMENT 1. Introduction The following subsections of the Software Design Document (SDD) should provide an overview of the entire SDD. 1.1 Purpose This subsection should explain the purpose of the SDD and specify the intended audience for it. The SDD described the software structure, software components, interfaces and data necessary for the implementation phase. Each requirement in the SRS should be traceable to one or more design entities in the SDD. 1.2 Scope This subsection should relate the design document to the SRS and to the software to be developed. 1.3 Definitions, Acronyms and Abbreviations This subsection should provide the definitions of all terms, acronyms and abbreviations that are used in the SDD. 2. References This subsection should provide a complete list of all documents referenced in the SDD. It should identify these references by title, report number, date and publishing organization. It should also specify the sources from which these references are available. 3. Attributes of Design Entities There are some attributes common to all entities, regardless of the approach utilized, whether procedural or object-oriented. These are used in subsections 4 and later. 3.1 Identification The name of the entity should be specified. Two entities should not have the same name. 3.2 Type The type attribute should describe the nature of the entity. It may simply name the kind of entity, such as subprogram, module, procedure, process, data item, object etc. Alternatively, design entities can be grouped, in order to assist in locating an entity dealing with a particular type of information.
  • Formal Specification Methods What Are Formal Methods? Objectives Of

    Formal Specification Methods What Are Formal Methods? Objectives Of

    ICS 221 Winter 2001 Formal Specification Methods What Are Formal Methods? ! Use of formal notations … Formal Specification Methods ! first-order logic, state machines, etc. ! … in software system descriptions … ! system models, constraints, specifications, designs, etc. David S. Rosenblum ! … for a broad range of effects … ICS 221 ! correctness, reliability, safety, security, etc. Winter 2001 ! … and varying levels of use ! guidance, documentation, rigor, mechanisms Formal method = specification language + formal reasoning Objectives of Formal Methods Why Use Formal Methods? ! Verification ! Formal methods have the potential to ! “Are we building the system right?” improve both software quality and development productivity ! Formal consistency between specificand (the thing being specified) and specification ! Circumvent problems in traditional practices ! Promote insight and understanding ! Validation ! Enhance early error detection ! “Are we building the right system?” ! Develop safe, reliable, secure software-intensive ! Testing for satisfaction of ultimate customer intent systems ! Documentation ! Facilitate verifiability of implementation ! Enable powerful analyses ! Communication among stakeholders ! simulation, animation, proof, execution, transformation ! Gain competitive advantage Why Choose Not to Use Desirable Properties of Formal Formal Methods? Specifications ! Emerging technology with unclear payoff ! Unambiguous ! Lack of experience and evidence of success ! Exactly one specificand (set) satisfies it ! Lack of automated
  • Grammar-Based Testing Using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet

    Grammar-Based Testing Using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet

    Grammar-Based Testing using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet To cite this version: Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet. Grammar-Based Testing using Realistic Domains in PHP. A-MOST 2012, 8th Workshop on Advances in Model Based Testing, joint to the ICST’12 IEEE Int. Conf. on Software Testing, Verification and Validation, Jan 2012, Canada. pp.509–518. hal-00931662 HAL Id: hal-00931662 https://hal.archives-ouvertes.fr/hal-00931662 Submitted on 16 Jan 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Grammar-Based Testing using Realistic Domains in PHP Ivan Enderlin, Fred´ eric´ Dadeau, Alain Giorgetti and Fabrice Bouquet Institut FEMTO-ST UMR CNRS 6174 - University of Franche-Comte´ - INRIA CASSIS Project 16 route de Gray - 25030 Besanc¸on cedex, France Email: fivan.enderlin,frederic.dadeau,alain.giorgetti,[email protected] Abstract—This paper presents an integration of grammar- Contract-based testing [5] has been introduced in part to based testing in a framework for contract-based testing in PHP. address these limitations. It is based on the notion of Design It relies on the notion of realistic domains, that make it possible by Contract (DbC) [6] introduced by Meyer with Eiffel [7].
  • Software Design Document (SDD) Template

    Software Design Document (SDD) Template

    Software Design Document (SDD) Template Software design is a process by which the software requirements are translated into a representation of software components, interfaces, and data necessary for the implementation phase. The SDD shows how the software system will be structured to satisfy the requirements. It is the primary reference for code development and, therefore, it must contain all the information required by a programmer to write code. The SDD is performed in two stages. The first is a preliminary design in which the overall system architecture and data architecture is defined. In the second stage, i.e. the detailed design stage, more detailed data structures are defined and algorithms are developed for the defined architecture. This template is an annotated outline for a software design document adapted from the IEEE Recommended Practice for Software Design Descriptions. The IEEE Recommended Practice for Software Design Descriptions have been reduced in order to simplify this assignment while still retaining the main components and providing a general idea of a project definition report. For your own information, please refer to IEEE Std 1016­1998 1 for the full IEEE Recommended Practice for Software Design Descriptions. 1 http://www.cs.concordia.ca/~ormandj/comp354/2003/Project/ieee­SDD.pdf Downloaded from http://www.tidyforms.com (Team Name) (Project Title) Software Design Document Name (s): Lab Section: Workstation: Date: (mm/dd/yyyy) Downloaded from http://www.tidyforms.com Software Design Document TABLE OF CONTENTS 1. INTRODUCTION 2 1.1 Purpose 2 1.2 Scope 2 1.3 Overview 2 1.4 Reference Material 2 1.5 Definitions and Acronyms 2 2.
  • Software Reliability and Dependability: a Roadmap Bev Littlewood & Lorenzo Strigini

    Software Reliability and Dependability: a Roadmap Bev Littlewood & Lorenzo Strigini

    Software Reliability and Dependability: a Roadmap Bev Littlewood & Lorenzo Strigini Key Research Pointers Shifting the focus from software reliability to user-centred measures of dependability in complete software-based systems. Influencing design practice to facilitate dependability assessment. Propagating awareness of dependability issues and the use of existing, useful methods. Injecting some rigour in the use of process-related evidence for dependability assessment. Better understanding issues of diversity and variation as drivers of dependability. The Authors Bev Littlewood is founder-Director of the Centre for Software Reliability, and Professor of Software Engineering at City University, London. Prof Littlewood has worked for many years on problems associated with the modelling and evaluation of the dependability of software-based systems; he has published many papers in international journals and conference proceedings and has edited several books. Much of this work has been carried out in collaborative projects, including the successful EC-funded projects SHIP, PDCS, PDCS2, DeVa. He has been employed as a consultant to industrial companies in France, Germany, Italy, the USA and the UK. He is a member of the UK Nuclear Safety Advisory Committee, of IFIPWorking Group 10.4 on Dependable Computing and Fault Tolerance, and of the BCS Safety-Critical Systems Task Force. He is on the editorial boards of several international scientific journals. 175 Lorenzo Strigini is Professor of Systems Engineering in the Centre for Software Reliability at City University, London, which he joined in 1995. In 1985-1995 he was a researcher with the Institute for Information Processing of the National Research Council of Italy (IEI-CNR), Pisa, Italy, and spent several periods as a research visitor with the Computer Science Department at the University of California, Los Angeles, and the Bell Communication Research laboratories in Morristown, New Jersey.
  • Contracts for Concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S

    Contracts for Concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S

    Contracts for concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S. Ostroff To cite this version: Piotr Nienaltowski, Bertrand Meyer, Jonathan S. Ostroff. Contracts for concurrency. Formal Aspects of Computing, Springer Verlag, 2008, 21 (4), pp.305-318. 10.1007/s00165-007-0063-2. hal-00477897 HAL Id: hal-00477897 https://hal.archives-ouvertes.fr/hal-00477897 Submitted on 30 Apr 2010 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. DOI 10.1007/s00165-007-0063-2 BCS © 2007 Formal Aspects Formal Aspects of Computing (2009) 21: 305–318 of Computing Contracts for concurrency Piotr Nienaltowski1, Bertrand Meyer2 and Jonathan S. Ostroff3 1 Praxis High Integrity Systems Limited, 20 Manvers Street, Bath BA1 1PX, UK E-mail: [email protected] 2 ETH Zurich, Zurich, Switzerland 3 York University, Toronto, Canada Abstract. The SCOOP model extends the Eiffel programming language to provide support for concurrent programming. The model is based on the principles of Design by Contract. The semantics of contracts used in the original proposal (SCOOP 97) is not suitable for concurrent programming because it restricts parallelism and complicates reasoning about program correctness. This article outlines a new contract semantics which applies equally well in concurrent and sequential contexts and permits a flexible use of contracts for specifying the mutual rights and obligations of clients and suppliers while preserving the potential for parallelism.