Object Technology

Providing Trusted Components to the Industry

Bertrand Meyer, EiffelSoft
Christine Mingins and Heinz Schmidt, Monash University

Computer, May 1998, pp. 104-105

Editor: Bertrand Meyer, EiffelSoft, ISE Bldg., 2nd Fl., 270 Storke Rd., Goleta, CA 93117; voice (805) 685-6869; ot-column@

The software industry stands on feet of clay. However carefully we may strive to build correct and reliable software, we have no way of guaranteeing the quality of the result. Building correct and reliable software depends on the quality of so much else, from the hardware and the operating system to the compiler and the runtime libraries. And any significant software system has so many details and components of its own that we can hardly expect to get everything right if we do it all by ourselves.

None of the commonly suggested approaches suffices to quell these worries: “Test, test, and retest,” the implicit motto of much of the industry, is expensive and wasteful. Yet as any user of PC software knows all too well, the result of all this sweat is far from ideal. Software companies systematically and openly ship software that has a large number of known bugs.

On the academic side, much progress has been made toward formal methods, through which it is possible (in principle) to prove the correctness of program elements using mathematical techniques. But results from this important field have had only limited effect on the practice of the industry for several reasons:

• It is too difficult to build mathematical models of the most delicate aspects of “real” programs, from floating-point computation to pointers.
• There are few powerful tools to assist this effort.
• Even more fundamentally, it is just too expensive and difficult to apply formal techniques thoroughly.

The recent push for reuse and componentware has raised the hope that by relying on reusable components we can gain quality and reliability. But without excellent techniques to build the components themselves, this nirvana is a mirage. In fact, the spread of less-than-optimal components could lead to a worsening of the situation.

At least one major industrial disaster—to the tune of half a billion US dollars—has already been ascribed to the reuse of an improperly specified component. With the progress of incompletely designed approaches to reuse, more catastrophes are likely to happen, leading to a broad rejection of the very idea of reusability, unless the industry takes measures to guarantee component quality.

Formal methods, because of their cost, only make sense when applied to widely reused components, which can recoup the investment through effects of scale. (Possible exceptions are the mission-critical systems for which the stakes are so high that money is not the issue.)

Widespread reuse is only attractive if we can be formal enough to guarantee that the components will be correct, aiding rather than harming the systems that will rely on them. (See “The Next Software Breakthrough,” Computer, July 1997.)

In this column, we describe an ambitious but realistic project that combines the ideas of reuse and formality with other more pragmatic techniques. The goal is to provide the entire software industry with a powerful set of reusable components deserving a high degree of trust.

HOW TO ENSURE TRUST

No single technique can produce completely trusted components. Trust is in fact a social phenomenon. Even in mathematics, the most formal of all disciplines, professionals only believe in a theorem based on a mix of formal criteria, such as published proofs, and social ones, such as

• who produced the theorem and its proof,
• where it was published,
• who reviewed the publication,
• who else already believes it,
• how much the result has already been applied,
• whether it is consistent with other results in the same area or others,
• whether it gives the “right feeling,” and
• whether the theorem and proof are “elegant.”

Part of the reason is that almost all published proofs omit intermediate steps to avoid overwhelming the reader with useless complexity. The complexity in this case is not unlike the complexity of a software system, except that many industrial systems are far more complex than the average mathematical proof.

As a result, trust—especially in software—will not be a binary proposition: “blindly trusted” versus “untrusted.” We may trust Microsoft Word enough to use it for our next paper, but we would not bet a year’s salary on the assumption that it will not crash while we are writing the paper.

A striking example of the power of social processes exists in software: the success of free source code, notably the tools developed for GNU and Linux. These tools, some quite ambitious, have been developed by volunteers under the international scrutiny of a network of enthusiasts who, relying on all the tools of the Internet, scrutinize the source code of every new version, test it, report defects, and suggest improvements. This process leads to collective work of unprecedented scope outside of any formal organization or commercial framework.

Some of the results are of astounding quality, leading many commercial companies to select, for example, the free GCC compiler over commercial C/C++ compilers, or Linux—initially the work of a student—over commercial versions of Unix, which are the result of tens of thousands of collective years of development in industry hotbeds. Such examples illustrate the power of this recent phenomenon: volunteer scrutiny as a form of free, global quality assurance.

BUILDING TRUST

The Trusted Component Project proposes to apply a mix of formal and informal approaches. It rests on six principal techniques:

Design by contract. This approach to software construction is meant to ensure software is reliable from the start, by building it as a collection of elements that cooperate on the basis of precise definitions of mutual obligations—contracts.

Formal validation. Use modern techniques and tools such as B or Object-Z in connection with the principles of design by contract.

OO and reuse techniques. Thoroughly apply object-oriented techniques and the strict principles of reusable library design.

Global public scrutiny. Make the components freely available in source form; seek contributions as well as criticism from the worldwide Internet community.

Extensive testing. Take advantage of design by contract and focus on component reuse.

Metrics efforts. Track component properties in a controlled fashion.

None of these ideas by itself will do the job. But by combining technical and social processes, we can hope to build a set of components the industry can really trust.

TASKS

The Trusted Components Project has its initial home—in collaboration with Interactive Software Engineering (EiffelSoft)—at Monash University. But it is beyond the scope of any single institution and can only succeed as a long-term collaborative project between many organizations in academia and industry.

The results will be of many kinds—publications and standards as well as trusted software components. The major areas of effort include:

• Choosing areas for component development. Starting with the most humble areas, we can replace the feet of clay with more solid
• Developing base components. The base versions will be developed in Eiffel, which has the proper support for design by contract. The Eiffel Kernel Library can serve as a starting point.
• Adapting language-specific components. Versions of the components will be needed by other widely used languages, such as C, C++, and Java. Interface versions will have to be produced in IDL and Microsoft COM.
• Adapting verification technology. Existing tools (such as those for B) may be appropriate, but both the tools and the techniques will need to be adapted to the proof of reusable components.
• Developing testing technology for reusable components, including standards describing the test cases and test procedures.
• Developing assertion language and other conceptual tools for proving practical components.
• Developing and applying effort metrics.
• Developing reuse-based teaching curricula and applying them to actual courses.
• Identifying interesting application areas and developing application-specific libraries on the same principles as the general-purpose libraries.
• Identifying further techniques and tools for building quality componentware.

There are many ways to get involved. (A Web page is forthcoming at http:// ; you can subscribe to a mailing list by writing to .) This list includes practical tools as well as theoretical themes; research projects for universities as well as product development by companies; possible contributions by institutions as well as dedicated individuals. We hope that it will operate as a truly cooperative endeavor in the tradition of the Internet.

The Trusted Objects Project offers the prospect of a joint effort that may have a major impact on the evolution of the software industry. We view it as a collective, international effort and hope that many people will be interested in joining it. The aim—providing a solid foundation for the software industry—is worth it.

Bertrand Meyer is editor of the Object Technology department.

Christine Mingins is a senior lecturer and associate head of school at Monash University, Melbourne, Australia. Contact her at

Heinz Schmidt is associate dean of research of the Faculty of Information Technology and head of software engineering at Monash University. Contact him at
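As an added illustration of the design-by-contract technique named under Building Trust (example code, not the column's or the project's own), here is a Python sketch of a bounded stack whose preconditions, postconditions and class invariant are the "precise definitions of mutual obligations" the column describes, and whose violations assign blame to client or supplier, which is also what makes contracts useful as oracles for the extensive testing the column calls for. All class and function names are this example's own.

```python
# Added example, not the column's code: a bounded stack (the classic Eiffel
# library component) whose contracts say who owes what to whom. All names here
# are this example's own.

class PreconditionViolation(AssertionError):
    pass  # client fault: bad argument, or the call was made in the wrong state

class PostconditionViolation(AssertionError):
    pass  # supplier fault: wrong result or inconsistent state after the call

def contract(require=None, ensure=None):
    """Check require(self, *args) before the call and ensure(self, old, result,
    *args) after it; `old` is the pre-call count, like Eiffel's `old`."""
    def deco(method):
        def wrapper(self, *args):
            if require and not require(self, *args):
                raise PreconditionViolation(f"{method.__name__}: client fault")
            old = self.count
            result = method(self, *args)
            if ensure and not ensure(self, old, result, *args):
                raise PostconditionViolation(f"{method.__name__}: supplier fault")
            if not 0 <= self.count <= self.capacity:  # class invariant on exit
                raise PostconditionViolation(f"{method.__name__}: invariant broken")
            return result
        return wrapper
    return deco

class BoundedStack:
    def __init__(self, capacity):
        self.capacity, self._items = capacity, []

    count = property(lambda self: len(self._items))

    @contract(require=lambda s, x: s.count < s.capacity,
              ensure=lambda s, old, r, x: s.count == old + 1 and s._items[-1] == x)
    def push(self, x):
        self._items.append(x)

    @contract(require=lambda s: s.count > 0,
              ensure=lambda s, old, r: s.count == old - 1)
    def pop(self):
        return self._items.pop()

def violation_kind(action):
    """Who broke the contract when action() ran: 'client', 'supplier' or None."""
    try:
        action()
    except (PreconditionViolation, PostconditionViolation) as e:
        return "client" if isinstance(e, PreconditionViolation) else "supplier"
    return None
```

A push on a full stack or a pop on an empty one fails the precondition and is reported as the client's fault; a component whose internal state no longer satisfies the invariant after an operation is reported as the supplier's fault, so the contract itself says where the defect lies.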