Bertrand Meyer, EiffelSoft
Christine Mingins and Heinz Schmidt, Monash University

Computer, May 1998

Editor: Bertrand Meyer, EiffelSoft, ISE Bldg., 2nd Fl., 270 Storke Rd., Goleta, CA 93117; voice (805) 685-6869; ot-column@eiffel.com

The software industry stands on feet of clay. However carefully we may strive to build correct and reliable software, we have no way of guaranteeing the quality of the result. Building correct and reliable software depends on the quality of so much else, from the hardware and the operating system to the compiler and the runtime libraries. And any significant software system has so many details and components of its own that we can hardly expect to get everything right if we do it all by ourselves.

None of the commonly suggested approaches suffices to quell these worries: “Test, test, and retest,” the implicit motto of much of the industry, is expensive and wasteful. Yet as any user of PC software knows all too well, the result of all this sweat is far from ideal. Software companies systematically and openly ship software that has a large number of known bugs.

On the academic side, much progress has been made toward formal methods, through which it is possible (in principle) to prove the correctness of program elements using mathematical techniques. But results from this important field have had only limited effect on the practice of the industry for several reasons:

• It is too difficult to build mathematical models of the most delicate aspects of “real” programs, from floating-point computation to pointers.
• There are few powerful tools to assist this effort.
• Even more fundamentally, it is just too expensive and difficult to apply formal techniques thoroughly.

The recent push for reuse and componentware has raised the hope that by relying on reusable components we can gain quality and reliability. But without excellent techniques to build the components themselves, this nirvana is a mirage. In fact, the spread of less-than-optimal components could lead to a worsening of the situation.

At least one major industrial disaster—to the tune of half a billion US dollars—has already been ascribed to the reuse of an improperly specified component. With the progress of incompletely designed approaches to reuse, more catastrophes are likely to happen, leading to a broad rejection of the very idea of reusability, unless the industry takes measures to guarantee component quality.

Formal methods, because of their cost, only make sense when applied to widely reused components, which can recoup the investment through effects of scale. (Possible exceptions are the mission-critical systems for which the stakes are so high that money is not the issue.) Widespread reuse is only attractive if we can be formal enough to guarantee that the components will be correct, aiding rather than harming the systems that will rely on them. (See “The Next Software Breakthrough,” Computer, …)

In this column, we describe an ambitious but realistic project that combines the ideas of reuse and formality with other more pragmatic techniques. The goal is to provide the entire software industry with a powerful set of reusable components deserving a high degree of trust.

HOW TO ENSURE TRUST

No single technique can produce completely trusted components. Trust is in fact a social phenomenon. Even in mathematics, the most formal of all disciplines, professionals only believe in a theorem based on a mix of formal criteria, such as published proofs, and social ones, such as

• who produced the theorem and its proof,
• where it was published,
• who reviewed the publication,
• who else already believes it,
• how much the result has already been applied,
• whether it is consistent with other results in the same area or others,
• whether it gives the “right feeling,” and
• whether the theorem and proof are “elegant.”

Part of the reason is that almost all published proofs omit intermediate steps to avoid overwhelming the reader with useless complexity. The complexity in this case is not unlike the complexity of a software system, except that many industrial systems are far more complex than the average mathematical proof.

As a result, trust—especially in software—will not be a binary proposition: “blindly trusted” versus “untrusted.” We may trust Microsoft Word enough to use it for our next paper, but we would not bet a year’s salary on the assumption that it will not crash while we are writing the paper.

A striking example of the power of social processes exists in software: the success of free source code, notably the tools developed for GNU and Linux. These tools, some quite ambitious, have been developed by volunteers under the international scrutiny of a network of enthusiasts who, relying on all the tools of the Internet, scrutinize the source code of every new version, test it, report defects, and suggest improvements. This process leads to collective work of unprecedented scope outside of any formal organization or commercial framework.

Some of the results are of astounding quality, leading many commercial companies to select, for example, the free GCC compiler over commercial C/C++ compilers, or Linux—initially the work of a student—over commercial versions of Unix, which are the result of tens of thousands of collective years of development in industry hotbeds. Such examples illustrate the power of this recent phenomenon: volunteer scrutiny as a form of free, global quality assurance.

BUILDING TRUST

The Trusted Component Project proposes to apply a mix of formal and informal approaches. It rests on six principal techniques:

Design by contract. This approach to software construction is meant to ensure software is reliable from the start, by building it as a collection of elements that cooperate on the basis of precise definitions of mutual obligations—contracts.

Formal validation. Use modern techniques and tools such as B or Object-Z in connection with the principles of design by contract.

OO and reuse techniques. Thoroughly apply object-oriented techniques and the strict principles of reusable library design.

Global public scrutiny. Make the components freely available in source form; seek contributions as well as criticism from the worldwide Internet community.

Extensive testing. Take advantage of design by contract and focus on component reuse.

Metrics efforts. Track component properties in a controlled fashion.

None of these ideas by itself will do the job. But by combining technical and social processes, we can hope to build a set of components the industry can really trust.

TASKS

The Trusted Components Project has its initial home—in collaboration with Interactive Software Engineering (EiffelSoft)—at Monash University. But it is beyond the scope of any single institution and can only succeed as a long-term collaborative project between many organizations in academia and industry. The results will be of many kinds—publications and standards as well as trusted software components. The major areas of effort include:

• Choosing areas for component development. Starting with the most humble areas, we can replace the feet of clay with more solid …
• Developing base components. The base versions will be developed in Eiffel, which has the proper support for design by contract. The Eiffel Kernel Library can serve as a starting point.
• Adapting language-specific components. Versions of the components will be needed by other widely used languages, such as C, C++, and Java. Interface versions will have to be produced in IDL and Microsoft COM.
• Adapting verification technology. Existing tools (such as those for B) may be appropriate, but both the tools and the techniques will need to be adapted to the proof of reusable components.
• Developing testing technology for reusable components, including standards describing the test cases and test procedures.
• Developing assertion language and other conceptual tools for proving practical components.
• Developing and applying effort metrics.
• Developing reuse-based teaching curricula and applying them to actual courses.
• Identifying interesting application areas and developing application-specific libraries on the same principles as the general-purpose libraries.
• Identifying further techniques and tools for building quality componentware.

There are many ways to get involved. (A Web page is forthcoming at http://www.trusted-components.org; you can subscribe to a mailing list by writing to firstname.lastname@example.org.) This list includes practical tools as well as theoretical themes; research projects for universities as well as product development by companies; possible contributions by institutions as well as dedicated individuals. We hope that it will operate as a truly cooperative endeavor in the tradition of the Internet.

The Trusted Objects Project offers the prospect of a joint effort that may have a major impact on the evolution of the software industry. We view it as a collective, international effort and hope that many people will be interested in joining it. The aim—providing a solid foundation for the software industry—is worth it.

Bertrand Meyer is editor of the Object Technology department.

Christine Mingins is a senior lecturer and associate head of school at Monash University, Melbourne, Australia. Contact her at email@example.com.

Heinz Schmidt is associate dean of research of the Faculty of Information Technology and head of software engineering at Monash University. Contact him at firstname.lastname@example.org.
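The design by contract technique named under Building Trust, where a component and its clients cooperate on the basis of precise mutual obligations, shown as an added example that is not from the column or from the Trusted Components Project (whose base components are to be written in Eiffel, not Python). It is a bounded stack whose interface is specified by preconditions (the client's obligation), postconditions (the supplier's obligation) and a class invariant, all checked at run time so that a violation names the side that broke the contract. The `require`, `ensure` and `invariant` helpers, the `BoundedStack` class and the deliberately faulty `BuggyStack` are all constructed for this illustration.

```python
"""Design by contract in Python: a bounded stack with run-time checked
preconditions, postconditions and a class invariant (constructed example)."""
import copy
import functools


class ContractViolation(AssertionError):
    """Raised when a precondition, postcondition or invariant fails."""


def require(condition, message):
    """Precondition: the client's obligation, checked before the body runs.
    A failure here is the caller's fault; the object is left untouched."""
    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            if not condition(self, *args, **kwargs):
                raise ContractViolation(f"precondition failed (client fault): {message}")
            return method(self, *args, **kwargs)
        return wrapper
    return decorator


def ensure(condition, message):
    """Postcondition: the supplier's obligation, checked after the body runs.
    `old` is a deep snapshot of the object's state taken before the call."""
    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            old = copy.deepcopy(vars(self))  # deep copy so 'old' is not aliased
            result = method(self, *args, **kwargs)
            if not condition(self, old, result, *args, **kwargs):
                raise ContractViolation(f"postcondition failed (supplier fault): {message}")
            return result
        return wrapper
    return decorator


def _check_after(method, condition, message):
    """Wrap one method so the class invariant is re-checked when it returns."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        result = method(self, *args, **kwargs)
        if not condition(self):
            raise ContractViolation(f"invariant failed (supplier fault): {message}")
        return result
    return wrapper


def invariant(condition, message):
    """Class invariant: must hold after construction and after every public call."""
    def decorator(cls):
        for name, attr in list(vars(cls).items()):
            is_public = callable(attr) and not name.startswith("_")
            if is_public or name == "__init__":
                setattr(cls, name, _check_after(attr, condition, message))
        return cls
    return decorator


# The invariant reads attributes directly so checking it never re-enters a wrapped method.
@invariant(lambda s: 0 <= len(s._items) <= s.capacity, "0 <= count <= capacity")
class BoundedStack:
    """A reusable component whose interface is specified by contracts."""

    @require(lambda self, capacity: capacity > 0, "capacity must be positive")
    def __init__(self, capacity):
        self.capacity = capacity
        self._items = []

    @property
    def count(self):
        return len(self._items)

    def is_empty(self):
        return not self._items

    def is_full(self):
        return len(self._items) == self.capacity

    @require(lambda self, item: not self.is_full(), "stack must not be full")
    @ensure(lambda self, old, result, item: self.count == len(old["_items"]) + 1
            and self.top() == item, "count grows by one and item is on top")
    def push(self, item):
        self._items.append(item)

    @require(lambda self: not self.is_empty(), "stack must not be empty")
    @ensure(lambda self, old, result: self.count == len(old["_items"]) - 1,
            "count shrinks by one")
    def pop(self):
        return self._items.pop()

    @require(lambda self: not self.is_empty(), "stack must not be empty")
    def top(self):
        return self._items[-1]


class BuggyStack(BoundedStack):
    """Constructed faulty supplier: pop returns the top but forgets to remove it."""

    @require(lambda self: not self.is_empty(), "stack must not be empty")
    @ensure(lambda self, old, result: self.count == len(old["_items"]) - 1,
            "count shrinks by one")
    def pop(self):
        return self._items[-1]  # defect: the item is never removed


def check_contract(action):
    """Run `action`; report 'ok', 'client fault' or 'supplier fault'."""
    try:
        action()
    except ContractViolation as exc:
        return "client fault" if "client fault" in str(exc) else "supplier fault"
    return "ok"


def _buggy_pop():
    b = BuggyStack(1)
    b.push("x")
    b.pop()  # postcondition catches the supplier defect


def demo():
    """Exercise the contracts; returns which side broke each one."""
    s = BoundedStack(2)
    s.push("a")
    s.push("b")
    return {
        "overflow": check_contract(lambda: s.push("c")),   # client breaks precondition
        "pop": check_contract(lambda: s.pop()),             # everyone keeps the contract
        "buggy_pop": check_contract(_buggy_pop),            # supplier breaks postcondition
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split between `require` and `ensure` is the one the column makes about mutual obligations: a precondition failure is attributed to the client and leaves the component's state untouched, while a postcondition or invariant failure is attributed to the supplier and pinpoints a defect in the component itself. The same assertions then double as the oracle for the extensive testing the project calls for, since a test only needs to drive the component and let the contracts report the failure.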