About: 390 publications, 44,041 reads
16,891 citations
Publications (390)
The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects,...
A paradox of requirements specifications as dominantly practiced in the industry is that they often claim to be object-oriented (OO) but largely rely on procedural (non-OO) techniques. Use cases and user stories describe functional flows, not object types. To gain the benefits provided by object technology (such as extendibility, reusability, relia...
The aim and scope of this topical issue are aligned with those of the DEVOPS series: to provide the most recent stages of what is being done in the area of software engineering targeting modern software development methods, with particular interest at those aimed at speeding up the development life cycle, while ensuring that the product to be relea...
A survey of fundamental software engineering concepts, and their evolution since the time of IFIP’s creation in 1960.
A major determinant of the quality of software systems is the quality of their requirements, which should be both understandable and precise. Most requirements are written in natural language, good for understandability but lacking in precision. To make requirements precise, researchers have for years advocated the use of mathematics-based notatio...
This book constitutes revised selected papers of the Second International Workshop on Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment, DEVOPS 2019, held at the Château de Villebrumier, France, in May 2019. The 15 papers presented in this volume were carefully reviewed and selected from...
This book constitutes invited papers from the First International Workshop on Frontiers in Software Engineering Education, FISEE 2019, which took place during November 11-13, 2019, at the Château de Villebrumier, France. The 25 papers included in this volume were considerably enhanced after the conference and during two different peer-review phases...
This book constitutes the refereed proceedings of the 51st International Conference on Software Technology: Methods and Tools, TOOLS 2019, held in Innopolis, Russia, in October 2019. The 19 revised full papers and 13 short papers presented in this book were carefully reviewed and selected from 62 submissions. The papers discuss all aspects of soft...
A major determinant of the quality of software systems is the quality of their requirements, which should be both understandable and precise. Natural language, the most commonly used for writing requirements, helps understandability, but lacks precision. To achieve precision, researchers have for many years advocated the use of "formal" approaches t...
Requirements engineering is crucial to software development but lacks a precise definition of its fundamental concepts. Even the basic definitions in the literature and in industry standards are often vague and verbose. To remedy this situation and provide a solid basis for discussions of requirements, this work provides precise definitions of the...
This book constitutes revised selected papers from the First International Workshop on Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment, DEVOPS 2018, held at the Château de Villebrumier, France, in March 2018. The 17 papers presented in this volume were carefully reviewed and selected f...
The aliasing question (can two reference expressions point, during an execution, to the same object?) is both one of the most critical in practice, for applications ranging from compiler optimization to programmer verification, and one of the most heavily researched, with many hundreds of publications over several decades. One might then expect tha...
The considerable effort of writing requirements is only worthwhile if the result meets two conditions: the requirements reflect stakeholders' needs, and the implementation satisfies them. In usual approaches, the use of different notations for requirements (often natural language) and implementations (a programming language) makes both conditions e...
The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.
twitter
Follow us on Twitter at http://twitter.com/blogCACM
http://cacm.acm.org/blogs/blog-cacm
Mark Guzdial considers the enormous opportunity costs...
This book provides an effective overview of the state of the art in software engineering, with a projection of the future of the discipline. It includes 13 papers, written by leading researchers in the respective fields, on important topics like model-driven software development, programming language design, microservices, software reliability, mod...
A Chair of Software Engineering existed at ETH Zurich, the Swiss Federal Institute of Technology, from 1 October 2001 to 31 January 2016, under my leadership. Our work, summarized here, covered a wide range of theoretical and practical topics, with object technology in the Eiffel method as the unifying thread.
Writing requirements for embedded software is pointless unless they reflect actual needs and the final software implements them. In usual approaches, the use of different notations for requirements (often natural language) and code (a programming language) makes both conditions elusive. To address the problem, we propose to write requirements in th...
A number of formal methods exist for capturing stimulus-response requirements in a declarative form. Someone still needs to translate the resulting declarative statements into imperative programs. The present article describes a method for specification and verification of stimulus-response requirements in the form of imperative program routines with...
An effort, originating from an invited talk on “ethics and computers”, to re-found ethics on the rules of logical reasoning, from three concrete principles (Goodness, Truth, Fairness) and two meta-principles (Restraint and Importance).
The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.
Void safety, says Bertrand Meyer, relies on type declarations...
Popular notations for functional requirements specifications frequently ignore developers' needs, target specific development models, or require translation of requirements into tests for verification; the results can give out-of-sync or downright incompatible artifacts. Seamless Requirements, a new approach to specifying functional requirements, c...
Class invariants are both a core concept of object-oriented programming and the source of the two key open OO verification problems: furtive access (from callbacks) and reference leak. Existing approaches force on programmers an unacceptable annotation burden. This article explains invariants and solves both problems modularly through the O-rule, d...
Ensuring mobility of the elderly is an important task in our aging society. To this end, this paper presents SmartWalker, a high-tech extension of a regular walker that aims to navigate around its environment autonomously and assist its user intelligently. The walker is equipped with sensors and actuators and operates in two modes, autonomous and a...
Network objects are a simple and natural abstraction for distributed object-oriented programming. Languages that support network objects, however, often leave synchronization to the user, along with its associated pitfalls, such as data races and the possibility of failure. In this paper, we present D-Scoop, a distributed programming model that all...
The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.
John Langford on AlphaGo, Bertrand Meyer on Research as Resear...
Network objects are a simple and natural abstraction for distributed object-oriented programming. Languages that support network objects, however, often leave synchronization to the user, along with its associated pitfalls, such as data races and the possibility of failure. In this paper, we present D-SCOOP, a distributed programming model that all...
Requirements and code, in conventional software engineering wisdom, belong to entirely different worlds. Is it possible to unify these two worlds? A unified framework could help make software easier to change and reuse. To explore the feasibility of such an approach, the case study reported here takes a classic example from the requirements enginee...
Existing techniques of Design by Contract do not allow software developers to specify complete contracts in many cases. Incomplete contracts leave room for malicious implementations. This article complements Design by Contract with a simple yet powerful technique that removes the problem without adding syntactical mechanisms. The proposed technique...
Using GPUs as general-purpose processors has revolutionized parallel computing by offering, for a large and growing set of algorithms, massive data-parallelization on desktop machines. An obstacle to widespread adoption, however, is the difficulty of programming them and the low-level control of the hardware required to achieve good performance. Th...
Ensuring mobility of the elderly is an important task in our aging society. To this end, this paper presents an automatic speed controller for the SmartWalker -- a high-tech extension of a regular walker. The walker locates its user by detecting the user's legs using a laser range scanner. The controller then determines the optimal speed for the wa...
The advent of Massive Open Online Courses makes it essential to develop tools and techniques that automatically support computer science students in solving programming assignments. Complementing existing tools for automatically checking the correctness of students' programs, we have developed and evaluated an incremental hint system for programmin...
In this paper we focus on the development of a toolbox for the verification of programs in the context of SCOOP -- an elegant concurrency model, recently formalized based on Rewriting Logic (RL) and Maude. SCOOP is implemented in Eiffel and its applicability is demonstrated also from a practical perspective, in the area of robotics programming. Our...
Alias analysis, which determines whether two expressions in a program may refer to the same object, has many potential applications in program construction and verification. We have developed a theory for alias analysis, the "alias calculus", implemented its application to an object-oriented language, and integrated the result into a modern IDE...
“Computer science” (informatics) is really program science since a computer, by itself too general a machine to be of practical interest, yields useful machines through programs that people write for it.
The LASER Summer School is intended for professionals from industry (engineers and managers) as well as university researchers, including PhD students. Participants learn about the most important software technology advances from pioneers in the field. Since its inception in 2004, the LASER Summer School has focused on an important software engin...
Concurrency is inherent to robots, and using concurrency in robotics can greatly enhance performance of the robotics applications. So far, however, the use of concurrency in robotics has been limited and cumbersome. This paper presents Roboscoop, a new robotics framework based on Simple Concurrent Object Oriented Programming (SCOOP). SCOOP excludes...
Using GPUs as general-purpose processors has revolutionized parallel computing by offering, for a large and growing set of algorithms, massive data-parallelization on desktop machines. As an obstacle to widespread adoption, programming GPUs has remained difficult due to the need of using low-level control of the hardware to achieve good performance...
In this paper we focus our efforts towards developing a toolbox for reasoning on the behaviour of concurrent applications and their properties. More precisely, we address the deadlock detection problem in the context of SCOOP - an OO-programming model for concurrency, recently formalized in Maude. We present the integration of a deadlock detection...
In shared-memory concurrent programming, shared resources can be protected using synchronization mechanisms such as monitors or channels. The connection between these mechanisms and the resources they protect is, however, only given implicitly; this makes it difficult both for programmers to apply the mechanisms correctly and for compilers to check...
Deadlocks remain one of the biggest threats to concurrent programming. Usually, the best programmers can expect is dynamic deadlock detection, which is only a palliative. Object-oriented programs, with their rich reference structure and the resulting presence of aliasing, raise additional problems. The technique developed in this paper relies on th...
MOOCs (Massive Open Online Courses), which have taken higher education by storm, are an opportunity to elevate the quality of existing residential courses. We report about an experimental attempt during the Autumn 2013 semester at ETH Zurich, involving our "Introduction to Programming" course. We designed and implemented a MOOC infrastructure and u...
This paper presents a newly-developed robotics programming course and reports the initial results of software engineering education in robotics context. Robotics programming, as a multidisciplinary course, puts equal emphasis on software engineering and robotics. It teaches students proper software engineering -- in particular, modularity and docum...
Message passing provides a powerful communication abstraction in both distributed and shared memory environments. It is particularly successful at preventing problems arising from shared state, such as data races, as it avoids sharing in general. Message passing is less effective when concurrent access to large amounts of data is needed, as the ove...
Making threaded programs safe and easy to reason about is one of the chief difficulties in modern programming. This work provides an efficient execution model for SCOOP, a concurrency approach that provides not only data race freedom but also pre/postcondition reasoning guarantees between threads. The extensions we propose influence both the underl...
While most debugging techniques focus on patching implementations, there are bugs whose most appropriate corrections consist in fixing the specification to prevent invalid executions—such as to define the correct input domain of a function. In this paper, we present a fully automatic technique that fixes bugs by proposing changes to contracts (simp...
From agile principles, agile methods derive specific practices: standardized activities that agile projects apply regularly and systematically. Chapter 6 covers management practices, including specific meetings held at predetermined stages in a project; other examples are the rules regarding code ownership and agile techniques of cost estimation.
Agile methods contain a mix of the best and the worst, plus some ideas of minor importance. Chapter 11 is the concluding assessment, discussing “The Good, the Hype and the Ugly”:
Agile principles and practices, new or not, which demonstrably foster software quality and productivity – the good (and in some cases the brilliant).
Widely touted ideas t...
Specific agile techniques all derive from a set of principles. Chapter 4, the longest in the book, is an in-depth exploration of agile principles, presenting the theoretical basis of agile ideas and the goals that agile methods seek to achieve.
Agile methods specifically target software projects and define a number of technical practices. Chapter 7 reviews these practices, including pair programming, mob programming, refactoring, test-first development and many others.
Agile methods present themselves in part as a rejection of established software engineering techniques. Chapter 3 reviews some of the fundamental ideas that agile texts love to lambast: plan-based software engineering methods, including the derided “waterfall”, and important techniques such as requirements engineering, CMMI and other “Big-Upfront”...
The presentations of agile methods have used a characteristic style, which helps promote the ideas but raises methodological concerns. Chapter 2 dissects the properties of agile texts, serving as a form of immunization against the risk of incorrect conclusions. Working from examples in the agile literature, it analyzes the intellectual devices, som...
When transitioning to agile development, or when working in collaboration with organizations or divisions that are applying agile ideas, it is important to be aware of the pitfalls. Chapter 10 discusses the most common risks and the precautions that one can take to guard against them.
One of the defining characteristics of agile methods is that they redefine the actors of software development and in particular reject the traditional role of project managers. Chapter 5 describes agile roles, explaining in particular how agile methods redistribute the tasks of the traditional manager among new actors in the project.
Applying agile ideas involves relying on specific artifacts, some material and others virtual. Chapter 8 covers these artifacts; examples among the numerous ones covered include, on the virtual side, “velocity” and story points, and on the material side the story card and the story board.
The agile approach exists not only as a collection of individual techniques (principles, practices, roles, artifacts) but also in the form of entire agile methods, each of which is defined as a particular compendium of agile techniques. Chapter 9 presents the four principal agile methods: Extreme Programming (XP), Lean Software, Crystal and Clear....
The importance of planning and management skills in software development is very difficult to convey in software engineering courses. We present the synopsis of an assignment whose purpose is to demonstrate the significance of such skills, including effective communication, team coordination and collaboration, and overall project planning. The assi...
Modular and local reasoning about object-oriented programs has been widely studied for programming languages such as C# and Java. Once source programs have been proven, the next verification challenge is to ensure that the code produced by the compiler is correct. Since verifying a compiler can be extremely complex, this paper uses proof-transformin...
Are you attracted by the promises of agile methods but put off by the fanaticism of many agile texts? Would you like to know which agile techniques work, which ones do not matter much, and which ones will harm your projects? Then you need Agile!: the first exhaustive, objective review of agile principles, techniques and tools. Agile methods are one...
Reasoning about object-oriented programs requires an appropriate technique to reflect a fundamental “general relativity” property of the approach: every operation is relative to a current object, which changes with every qualified call; such a call needs access to the context of the client object. The notion of negative variable, discussed in this...
Modular reasoning about class invariants is challenging in the presence of dependencies among collaborating objects that need to maintain global consistency. This paper presents semantic collaboration: a novel methodology to specify and reason about class invariants of sequential object-oriented programs, which models dependencies between collabora...
Modern software development extensively involves reusing library components accessed through their Application Programming Interfaces (APIs). Usability is therefore a fundamental goal of API design, but rigorous empirical studies of API usability are still relatively uncommon. In this paper, we present the design of an API usability study which com...
Automated random testing has been shown to be effective at finding faults in a variety of contexts and is deployed in several testing frameworks. AutoTest is one such framework, targeting programs written in Eiffel, an object-oriented language natively supporting executable pre- and postconditions; these respectively serving as test filters and tes...
Task parallelism is ubiquitous in modern applications for event-based, distributed, or reactive systems. In this type of programming, the ability to cancel a running task arises as a critical feature. Although there are a variety of cancellation techniques, a comprehensive account of their characteristics is missing. This paper provides a classific...
Can the methods of empirical software engineering give us answers to the truly important open questions in the field?
Programming models for concurrency are optimized for dealing with nondeterminism, for example to handle asynchronously arriving events. To shield the developer from data race errors effectively, such models may prevent shared access to data altogether. However, this restriction also makes them unsuitable for applications that require data paralleli...
Debugging - the process of finding and correcting programming mistakes - also faces the challenges of distributed and collaborative development. The debugging tools commonly used by programmers are integrated into traditional development environments such as Eclipse or Visual Studio, and hence do not offer specific features for collaboration or remo...
Many novel programming models for concurrency have been proposed in the wake of the multicore computing paradigm shift. They aim to raise the level of abstraction for expressing concurrency and synchronization in a program, and hence to help developers avoid programming errors. Because of this goal, the semantics of the models themselves becomes ev...
Even when implemented in a purely procedural programming language, properly designed programs possess elements of good design that are expressible through object-oriented constructs and concepts. For example, placing structured types and the procedures operating on them together in the same module achieves a weak form of encapsulation that reduces...
As software development becomes an increasingly collaborative effort, traditional development tools have to be extended to support seamless collaboration while minimizing the chances of conflicts. This paper describes Cloud Studio, a collaboration framework that integrates a fine-grained software configuration management model and a real-time aware...
The simple and often imprecise specifications that programmers may write are a significant limit to a wider application of rigorous program verification techniques. Part of the reason why non-specialists find writing good specification hard is that, when verification fails, they receive little guidance as to what the causes might be, such as implem...
One of the pleasures of learning computer science is to discover beautiful algorithms. In this chapter we explore an algorithm scheme with several claims to our attention: it is useful in many practical cases; it has a simple mathematical basis; it is particularly elegant; and it illustrates problem-solving techniques that you will find applicable...
On one of those evenings when it seems you have done nothing all day but store and retrieve things, have a kindred thought for your programs. Many of them — like Traffic with its list-like structures representing metro lines — spend a good deal of their time putting objects into repositories and searching for previously stored objects.
Over the past four decades software tools have profoundly changed how people from all industries design their products, from cars to pharmaceutical drugs, newspapers, bridges and buildings — the list goes on. This is known as Computer-Aided Design (CAD, complemented by CAM, Computer-Aided Manufacturing). Software construction is design too; disprov...
Large parts of today's software systems are devoted to detecting and recovering from failures, making exception handling a critical issue in software development. Concurrent software complicates this issue: most concurrent programming languages require a mechanism to deal with asynchronous exceptions, but because of the diverse design choices under...
Contracts are a form of lightweight formal specification embedded in the program text. Being executable parts of the code, they encourage programmers to devote the proper attention to specifications and help maintain consistency between specification and implementation as the program evolves. For verification, contracts can be evaluated at run time...
Software verification has emerged as a key concern for ensuring the continued progress of information technology. Full verification generally requires, as a crucial step, equipping each loop with a “loop invariant.” Beyond their role in verification, loop invariants help program understanding by providing fundamental insights into the nature of alg...
Can one estimate the number of remaining faults in a software system? A credible estimation technique would be immensely useful to project managers as well as customers. It would also be of theoretical interest, as a general law of software engineering. We investigate possible answers in the context of automated random testing, a method that is inc...
Testing presents a daunting challenge for concurrent programs, as non-deterministic scheduling defeats reproducibility. The problem is even harder if, rather than testing entire systems, one tries to test individual components, for example to assess them for thread-safety. We present demonic testing, a technique combining the tangible results of un...
To support developers in writing reliable and efficient concurrent programs, novel concurrent programming abstractions have been proposed in recent years. Programming with such abstractions requires new analysis tools because the execution semantics often differs considerably from established models. We present a performance analyzer that is based...
The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.
Bertrand Meyer asks why too many research agencies seem obsess...
Experience with lightweight formal methods suggests that programmers are willing to write specification if it brings tangible benefits to their usual development activities. This paper considers stronger specifications and studies whether they can be deployed as an incremental practice that brings additional benefits without being unacceptably expe...
This paper presents a case study on the impact of development processes on the success of globally distributed software projects. The study compares agile (Scrum, XP, etc.) vs. structured (RUP, waterfall) processes to determine if the choice of process impacts: the overall success and economic savings of distributed projects; the importance custome...
Can we reuse some of the huge code-base developed in C to take advantage of modern programming language features such as type safety, object-orientation, and contracts? This paper presents a source-to-source translation of C code into Eiffel, a modern object-oriented programming language, and the supporting tool C2Eif. The translation is completely...
A multitude of asynchronous exception mechanisms have been proposed. They specify where and when an asynchronous exception propagates. We highlight another aspect that has largely been overlooked: can an asynchronous exception expire? We discuss scenarios where it is meaningful for an asynchronous exception to expire. We further elaborate on one of...
In a flexible approach to concurrent computation, “processors” (computational resources such as threads) are allocated dynamically, just as objects are; but then, just as objects, they can become unused, leading to performance degradation or worse. We generalized the notion of garbage collection (GC), traditionally applied to objects, so that it...
What kind of errors do beginners make? Objective answers to this question are essential to the design and implementation of curricula that do not just reflect the educators' theories but succeed in conveying a course's topics and skills to the students. In the context of a new introductory programming course based on "inverted curriculum" ideas,...