Faraz Torshizi

Abstract. SCOOP and Spec # are programming languages that aim to extend Design by Contract to concurrent and reactive systems. In this paper we discuss how appropriate theorem provers (using Hoare-like verification) can be used to statically check that the contracts are obeyed in concurrent executions, as well as discussing the syntactic and semantic differences between SCOOP and Spec#. We provide a formal model for SCOOP programs as a fair transition system and we use temporal logic for describing system properties beyond contractual correctness. We show that verified contracts provide only a certain measure of correctness, but may not be able to guarantee additional safety and liveness system properties without global reasoning. We show how Microsoft Research’s SpecExplorer tool can be used to test SCOOP programs for system properties beyond contracts. 1

Abstract. A design specification is the artifact intermediate between implemented code and the customer requirements. In this paper we argue that customer requirements and design specifications should be testable and testable early in the design cycle leading to early detection of re-quirement and specification errors. The core idea behind early testable requirements is that the problem is described before we search for a so-lution that can be tested against the problem description. We also want the problem description to drive the design. We provide a method for describing early testable requirements and specifications and a support tool called ESpec. ESpec allows for the description of testable require-ments via Fit tables as well as testable design specifications via contracts written in Eiffel using mathematical models following the single model principle. The tool can mechanically check the requirements and specifi-cations. 1

MASTER OF COMPUTER SCIENCE c ○ 2007 Permission has been granted to: a) YORK UNIVER-SITY LIBRARIES to lend or sell copies of this dissertation in paper, microform or electronic formats, and b) LIBRARY AND ARCHIVES CANADA to reproduce, lend, distribute, or sell copies of this thesis anywhere in the world in microform, paper or electronic formats and to authorise or procure the reproduction, loan, distribution or sale of copies of this thesis anywhere in the world in microform, paper or electronic formats. The author reserves other publication rights, and neither the thesis nor extensive extracts for it may be printed or otherwise reproduced without the author’s written permission.

ESpec is a suite of tools that facilitates the testing and verification of object-oriented Eiffel programs in an integrated environment. The suite includes unit testing tools (ES-Test) and Fit tables (ES-Fit for customer requirements) that report contract failures. This paper describes ES-Verify (part of ESpec) for automatically verifying a significant subset of Eiffel constructs written with a value semantics. The tool includes a mathematical model library (sequences, sets, bags and maps) for writing high-level specifications, and a translator that converts the Eiffel code into the language used by the Perfect Developer (PD) theorem prover. Preliminary experience indicates that the vast majority of verification conditions are quickly and automatically discharged, including loop variants and invariants. ES-Verify is the first automated Eiffel

Abstract. SCOOP is a concurrent programming language with a new semantics for contracts that applies equally well in concurrent and sequential contexts. SCOOP eliminates race conditions and atomicity violations by construction. However, it is still vulnerable to deadlocks. In this paper we describe how far contracts can take us in verifying interesting properties of concurrent systems using modular Hoare rules and show how theorem proving methods developed for sequential Eiffel can be extended to the concurrent case. However, some safety and liveness properties depend upon the environment and cannot be proved using the Hoare rules. To deal with such system properties, we outline a SCOOP Virtual Machine (SVM) as a fair transition system. The SVM makes it feasible to use model-checking and theorem proving methods for checking global temporal logic properties of SCOOP programs. The SVM uses the Hoare rules where applicable to reduce the number of steps in a computation.

Concurrency has been rapidly gaining importance in computing, and correspondingly in computing curricula. Concurrent programming is, however, notoriously hard even for expert programmers. New language designs promise to make it easier, but such claims call for empirical validation. We present a methodology for comparing concurrent languages for teaching purposes. A critical challenge is to avoid bias, especially when (as in our example application) the experimenters are also the designers of one of the approaches under comparison. For a study performed as part of a course, it is also essential to make sure that no student is penalized. The methodology addresses these concerns by using self-study material and applying an evaluation scheme that minimizes opportunities for subjective decisions. The example application compares two object-oriented concurrent languages: multithreaded Java and SCOOP. The results show an advantage for SCOOP even though the study participants had previous t...

Abstract. SCOOP is a minimal extension to the sequential object-oriented programming model for concurrency. The extension consists of one key-word (separate) that avoids explicit thread declarations, synchronized blocks, explicit waits, and eliminates data races and atomicity violations by construction through a set of compiler rules. It attempts to guarantee fairness via use of a global scheduler. We present a new implementation of SCOOP for Java, called JSCOOP. JSCOOP introduces a new set of an-notations modeled after SCOOP keywords, as well as several core library classes which provide the support necessary to implement the SCOOP semantics. A prototype Eclipse plug-in allows for the creation of JSCOOP projects. The plug-in does syntax checking and detects consistency prob-lems at compile time. The use of JSCOOP is demonstrated by an example. 1

Abstract. SCOOP is a minimal extension to the sequential object-oriented programming model for concurrency. The extension consists of one key-word (separate) that avoids explicit thread declarations, synchronized blocks, explicit waits, and eliminates data races and atomicity violations by construction through a set of compiler rules. It attempts to guarantee fairness via use of a global scheduler. We present a new implementation of SCOOP for Java, called JSCOOP. JSCOOP introduces a new set of an-notations modeled after SCOOP keywords, as well as several core library classes which provide the support necessary to implement the SCOOP semantics. A prototype Eclipse plug-in allows for the creation of JSCOOP projects. The plug-in does syntax checking and detects consistency prob-lems at compile time. The use of JSCOOP is demonstrated by an example. 1

SCOOP and Spec# are programming languages that aim to extend Design by Contract to concurrent and reactive systems. In this paper we discuss how appropriate theorem provers (using Hoare-like verification) can be used to statically check that the contracts are obeyed in concurrent executions, as well as discussing the syntactic and semantic differences between SCOOP and Spec#. We provide a formal model for SCOOP programs as a fair transition system and we use temporal logic for describing system properties beyond contractual correctness. We show that verified contracts provide only a certain measure of correctness, but may not be able to guarantee additional safety and liveness system properties without global reasoning. We show how Microsoft Research’s SpecExplorer tool can be used to test SCOOP programs for system properties beyond contracts.

ESpec is a suite of tools that facilitates the testing and veriflcation of object-oriented Eifiel programs in an integrated environment. The suite includes unit testing tools (ES-Test) and Fit tables (ES-Fit for customer requirements) that report contract failures. This paper describes ES-Verify (part of ESpec) for automatically verifying a signiflcant subset of Eifiel constructs written with a value semantics. The

ESpec is a suite of tools that facilitates the testing and veriflcation of object-oriented Eifiel programs in an integrated environment. The suite includes unit testing tools (ES-Test) and Fit tables (ES-Fit for customer requirements) that report contract failures. This paper describes ES-Verify (part of ESpec) for automatically verifying a signiflcant subset of Eifiel constructs written with a value semantics. The

SCOOP is a minimal extension to the sequential object-oriented programming model for concurrency. The extension consists of one key-word (separate) that avoids explicit thread declarations, synchronized blocks, explicit waits, and eliminates data races and atomicity violations by construction through a set of compiler rules. It attempts to guarantee fairness via use of a global scheduler. We present a new implementation of SCOOP for Java, called JSCOOP. JSCOOP introduces a new set of an-notations modeled after SCOOP keywords, as well as several core library classes which provide the support necessary to implement the SCOOP semantics. A prototype Eclipse plug-in allows for the creation of JSCOOP projects. The plug-in does syntax checking and detects consistency prob-lems at compile time. The use of JSCOOP is demonstrated by an example.

Abstract Concurrency has been rapidly gaining importance in computing, and correspondingly in computing curricula. Concurrent programming is, however, notoriously hard even for expert programmers. New language designs promise to make it easier, but such claims call for empirical validation. We present a methodology for comparing concurrent languages for teaching purposes. A critical challenge is to avoid bias, especially when (as in our example application) the experimenters are also the designers of one of ...

The paper reports on experiences of mechanizing various proposals for compositional reasoningin concurrent systems. The work uses the UNITY formalism and the Isabelle proof tool. The proposalsinvestigated include existential/universal properties, guarantees properties and progress sets. The resultsalso apply to related proposals such as traditional assumption-commitment guarantees and Misra's closureproperties. Findings that have been published in detail elsewhere are summarised and consolidated here. Oneconclusion is ...