GARY T. LEAVENS
(leavens@eecs.ucf.edu)
Professor, School of Electrical Engineering and Computer Science, University of Central Florida.
(From January 1989 until August 2007, I was a professor of Computer Science at Iowa State University.)
- B.S. 1978, Computer & Communication Sciences, The University of Michigan
- M.S. 1980, Computer Science, The University of Southern California
- Ph.D. 1989, Computer Science, Massachusetts Institute of Technology
Major Research Interests
Programming and specification language design and semantics, formal methods (program specification and verification), aspect-oriented languages, object-oriented languages, distributed languages, type theory, programming methodology, information assurance, computer science education.
Current Research
The long term goal of my research is to better understand how to solve programming problems: how to specify such problems, methods for thinking about such problems, notations for expressing solutions, and ways to check that the solutions are correct. In pursuing this goal, I have worked in two main areas: formal methods and programming languages. formal methods and programming languages.
Formal Methods
My work in formal methods has been focused on ways to specify and verify object-oriented (OO) software components. The specification work involves the design and formal description of behavioral interface specification languages (BISLs). BISLs record information about detailed design: the interfaces and functional behavior of program modules. My group has designed a BISL for Smalltalk, called Larch/Smalltalk, a BISL for C++, called Larch/C++ Larch/C++, and, a BISL for Java called JML. Current work focuses on JML, and is being done with an international team of collaborators, in addition to people at ISU. Work on JML focuses on the problem of how to make it expressive enough for documenting existing code; we measure this using both theoretical analysis and case studies. We have made some progress; for example, work reported at OOPSLA 2000 aims to explain needs to be specified to deriving a subclass without seeing the source code for a superclass. There have also been papers (with Peter Müller and Arnd Poetzsch-Heffter) that use ownership to solve modularity problems in the specification and verification of layered systems. JML has also fostered much interesting work by other researchers. However, there are several important features that need more work, such as concurrency and performance constraints. Our current work on JML funded by the National Science Foundation (NSF) tries to address some of these issues, as well as issues of practicality. Early work on JML was done jointly with (former ISU professor) Al Baker, and former Ph.D. student Clyde Ruby. Former Ph.D. student Yoonsik Cheon, designed Larch/Smalltalk, helped in the design of Larch/C++, tools for JML, and is also contributing to the design of JML as an assistant professor at Univ. of Texas, El Paso. I have also worked with Baker and a former Ph.D. student, Tim Wahls, on executing such specifications.
A long term interest in formal methods for OO software components is behavioral subtyping. The message passing mechanism of OO languages, such as C++ and Java, allows one to easily extend programs by adding new types. This works best if objects of the new types behave like the objects of the old types; the old types are supertypes of the new types, which are called subtypes. How should one reason about programs that use subtyping and message passing? We seek a reasoning method, formalized by specification and verification techniques, that is modular in the sense that when subtypes are added to a program, unchanged modules do not have to be respecified or reverified.
The idea of behavioral subtyping, which I helped develop, supports a programming discipline, supertype abstraction, that solves this problem. To use supertype abstraction, one specifies and verifies code in terms of the static types of expressions written in a program (as usual), uses a type checker to ensure that the static types are supertypes of the run-time types, and then must prove that subtypes obey the specifications of their supertypes. Behavioral subtyping makes this technique sound. Krishna Kishore Dhara, a former Ph.D. student, has extended the formal theory of behavioral subtyping to types whose instances have time-varying state. Professor Don Pigozzi (now retired from the Mathematics Department at ISU) and I have found an exact algebraic characterization of behavioral subtyping for immutable types. We have also been working on effective techniques for proving behavioral subtyping. Recent work with David Naumann (of Stevens) on behavioral subtyping has precisely characterized modular reasoning (supertype abstraction) for Java-like languages. The work with Dhara, Pigozzi, and Naumann on the above topics was funded by various grants from the NSF.
The potential impact of the work in formal methods is possibly great; it might lead to the engineering of software, instead of hacking. It also seems necessary for high quality software components and reuse. But more realistically, I view my research as trying to formally understand what one needs to think about when documenting and reasoning about a program or program component. This can be of great value for teaching and for the construction of tools, even if people do not use the formalism directly or on a daily basis.
Programming Language Design and Semantics
The other main aspect of my work has been on the design and semantics of programming languages. This falls in two areas: object-oriented languages with generic functions and aspect-oriented languages.
Languages with generic functions are also known as multimethod programming languages, because method calls can dispatch a message send on all arguments, unlike a single-dispatching OO language, such as Smalltalk, C++, or Java. Multimethod languages are interesting because they can more easily express solutions to certain problems in OO programming (binary methods). My work on multimethod languages is joint with my (former) Ph.D. student Curtis Clifton and has been done in collaboration with Craig Chambers of the University of Washington and his (former) Ph.D. student Todd Millstein. (Students Jianbing Chen and Sevtap Karakoy also have contributed to this work.) The work focuses on the semantics and type systems for variants of the Cecil and Java languages. To date we have published papers about an algorithm for type checking such languages with very expressive features (orthogonal inheritance and subtyping), about how to add multimethods to existing languages, and a way to add multimethods to Java. The latter has been developed into the language MultiJava.
One big problem I worked on (with Craig Chambers) was how to get a language with both a (sound) static type system and a sensible module system. This problem was solved by Millstein and Chambers (as reported in ECOOP '99). We have applied their ideas to the design of an extension to the Java programming language called MultiJava. The ideas also seem applicable to the design of OO languages that are more flexible.
A second interest in programming languages has been in aspect-oriented (AO) languages. As typified by AspectJ, AO languages offer advanced features for modularizing cross-cutting concerns, such as advice and intertype declarations (like MultiJava's ``open classes''). As part of a long term effort to better understand AO languages, my former Ph.D. student Curtis Clifton and I worked on modular reasoning issues in AO languages. This work has been backed by a study of the operational semantics and type systems of AO languages. Curtis developed a simple and easily understood operational semantics for an AspectJ-like language, with a sound type system. This work also involved an effect system (concern domains) that we hope will make it possible to more efficiently and effectively reason about AO programs.
The potential impact of these research directions might be large if this leads to more flexible, modular, and reusable coding practices. A recent NSF grant funded Curtis's research on AO languages. Curtis Clifton is now an assistant professor at Rose-Hulman Institute of Technology.
Details are available through my selection of representative publications below and through my other WWW pages (especially the the JML papers page). You can also look at my vita.
Representative Publications
-
Curtis Clifton and
Gary T. Leavens.
MiniMAO1: Investigating the Semantics of Proceed.
Science of Computer Programming, 63(3):321-374,
Elsevier, Dec. 2006.
http://dx.doi.org/10.1016/j.scico.2006.02.009.
Preprint: Department of Computer Science, Iowa State University, TR #05-01, January 2005. [abstract] [PDF] -
Gary T. Leavens.
JML's Rich, Inherited Specifications for Behavioral Subtypes.
In Zhiming Liu and He Jifeng (eds),
Formal Methods and Software Engineering: 8th International Conference on Formal Engineering Methods (ICFEM), Macao, China, pages 2-34.
Volume 4260 of
Lecture Notes in Computer Science, Springer-Verlag, 2006.
The original publication is available at springerlink.com from http://dx.doi.org/10.1007/11901433_2.
Preprint: Department of Computer Science, Iowa State University, TR #06-22, August 2006. [abstract] [PDF] -
Peter Müller,
Arnd Poetzsch-Heffter,
and Gary T. Leavens.
Modular Invariants for Layered Object Structures.
Science of Computer Programming, 62(3):253-286,
Elsevier, Oct. 2006.
http://dx.doi.org/10.1016/j.scico.2006.03.001.
Preprint: ETH Zurich, Technical Report 424, revised March 2005. [abstract] [PDF] -
Curtis Clifton,
Todd Millstein,
Gary T. Leavens, and
Craig Chambers.
MultiJava: Design Rationale, Compiler Implementation, and Applications.
ACM TOPLAS,
28(3):517-575, May 2006.
http://doi.acm.org/10.1145/1133651.1133655.
Preprint: Department of Computer Science, Iowa State University, TR #04-01b, December 2004. [abstract] [PDF] -
Gary T. Leavens,
Yoonsik Cheon,
Curtis Clifton
Clyde Ruby,
and
David R. Cok.
How the design of JML accommodates both runtime assertion checking
and formal verification.
Science of Computer Programming, 55(1-3):185-205,
Elsevier, 2005.
http://dx.doi.org/10.1016/j.scico.2004.05.015.
Preprint: Department of Computer Science, Iowa State University, TR #03-04a, revised March 2004. [abstract] [PDF] -
Lilian Burdy,
Yoonsik Cheon,
David R. Cok,
Michael Ernst,
Joseph Kiniry,
Gary T. Leavens,
K. Rustan M. Leino, and
Erik Poll.
An Overview of JML Tools and Applications.
International Journal on Software Tools for Technology
Transfer, 7(3):212-232, June 2005.
The original publication is available at
http://www.springerlink.com
from
http://dx.doi.org/10.1007/s10009-004-0167-4.
Preprint: [PDF] -
Yoonsik Cheon,
Gary T. Leavens,
Murali Sitaraman, and
Stephen Edwards.
Model Variables: Cleanly Supporting Abstraction in Design By Contract.
Software, Practice & Experience, 35(6):583-599,
Wiley, May, 2005.
http://dx.doi.org/10.1002/spe.649.
Preprint: Department of Computer Science, Iowa State University, TR #03-10b, revised August 2004. [abstract] [PDF] -
Peter Müller,
Arnd Poetzsch-Heffter,
and Gary T. Leavens.
Modular Specification of Frame Properties in JML.
Concurrency and Computation: Practice and Experience,
15(2):117-154, February, 2003.
http://dx.doi.org/10.1002/cpe.713.
Preprint: Department of Computer Science, Iowa State University, TR #02-02a, revised October 2002. [abstract] [PDF] -
Yoonsik Cheon and Gary T. Leavens.
A Simple and Practical Approach to Unit Testing: The JML and JUnit Way.
In Boris Magnusson (ed.),
ECOOP 2002
-- Object-Oriented Programming, 16th European Conference, Malaga,
Spain, June 2002, Proceedings. Volume 2374 of
Lecture Notes in Computer Science,
Springer-Verlag, 2002, pages 231-255.
The original publication is available at
springerlink.com
from
http://www.springerlink.com/content/2yjt7jdnduntpgwp/.
Preprint: Department of Computer Science, Iowa State University, TR #01-12a, revised March 2002. [abstract] [PDF] -
Clyde Ruby
and Gary T. Leavens.
Safely Creating Correct Subclasses without Seeing Superclass Code.
In OOPSLA 2000 Conference Proceedings, pages 208-228.
Volume 35, number 10 of ACM SIGPLAN Notices, October 2000.
http://doi.acm.org/10.1145/353171.353186.
Preprint: Department of Computer Science, Iowa State University, TR #00-05d, revised July 2000. [abstract] [PDF] -
Gary T. Leavens and
Don Pigozzi.
A complete algebraic characterization of behavioral subtyping.
Acta Informatica, 36(8):617-663, March 2000.
The original publication is available at
springerlink.com
from
http://dx.doi.org/10.1007/s002360050168.
Preprint: Department of Computer Science, Iowa State University, TR #96-15, November 1996. [abstract] [PDF] - Gary T. Leavens and Krishna Kishore Dhara. Concepts of Behavioral Subtyping and a Sketch of their Extension to Component-Based Systems. In Gary T. Leavens and Murali Sitaraman (editors), Foundations of Component-Based Systems, Cambridge University Press, 2000. Chapter 6, pages 113-135. [PDF]
- Gary T. Leavens and Albert L. Baker.
Enhancing the Pre- and Postcondition Technique
for More Expressive Specifications.
In Jeannette M. Wing, James Woodcock, and Jim Davies (editors).
FM'99 -- Formal Methods: World Congress on Formal Methods in Development
of Computer Systems, Toulouse, France, September 1999,
pages 1087-1106.
Volume 1709 of
Lecture Notes in Computer Science,
Springer-Verlag, 1999.
The original publication is available at
springerlink.com
from
http://www.springerlink.com/content/74v251avr98krlmw.
Preprint: Department of Computer Science, Iowa State University, TR #97-19b, revised June 1999. -
Gary T. Leavens and
Todd D. Millstein.
Multiple Dispatch as Dispatch on Tuples.
In OOPSLA '98 Proceedings, pages 374-387.
Volume 33, number 10 of ACM SIGPLAN Notices, October 1998.
http://doi.acm.org/10.1145/286936.286977.
Preprint: Department of Computer Science, Iowa State University, TR #98-03b, revised July 1998. [abstract] [postscript]. -
Gary T. Leavens and
Jeannette M. Wing. Protective Interface Specifications.
Formal Aspects of Computing, 10(1):59-75, January 1998.
The original publication is available at
springerlink.com
from
http://dx.doi.org/10.1007/PL00003926.
Preprint: Department of Computer Science, Iowa State University, TR #96-04d, revised September 1997. [abstract] [postscript]. -
Gary T. Leavens.
An Overview of Larch/C++: Behavioral Specifications for C++ Modules.
In Haim Kilov and William Harvey (editors),
Specification of Behavioral Semantics in Object-Oriented Information
Modeling (Kluwer Academic Publishers,
1996), Chapter 8, pages 121-142.
An extended and up-to-date version is Department of Computer Science, Iowa State University, TR #96-01d, revised July 1997. -
Krishna Kishore Dhara and Gary T. Leavens.
Forcing Behavioral Subtyping Through Specification Inheritance.
In Proceedings 18th International Conference on
Software Engineering, Berlin, Germany, pages 258-267.
IEEE, 1996.
http://doi.ieeecomputersociety.org/10.1109/ICSE.1996.493421.
An extended and slightly revised version is Department of Computer Science, Iowa State University, TR #95-20c, August 1995, revised August and December 1995, March 1997. -
Gary T. Leavens and William E. Weihl.
Specification and Verification of Object-Oriented Programs
Using Supertype Abstraction.
Acta Informatica, 32(8):705-778, November 1995.
The original publication is available at
springerlink.com
from
http://dx.doi.org/10.1007/BF01178658.
A longer version of this paper is Gary T. Leavens and William E. Weihl. Subtyping, Modular Specification, and Modular Verification for Applicative Object-Oriented Programs. Department of Computer Science, Iowa State University, TR #92-28d, revised September 1994. [abstract] [postscript] -
Kim B. Bruce,
Luca Cardelli,
Giuseppe Castagna,
The Hopkins Objects Group,
Gary T. Leavens,
and
Benjamin Pierce.
On Binary Methods.
Theory and Practice of Object Systems
1(3):221-242, 1995.
Preprint: Department of Computer Science, Iowa State University, TR95-08a, revised December 1995. [abstract] [postscript] -
Craig Chambers and Gary T. Leavens.
Typechecking and Modules for Multimethods.
ACM Transactions on Programming Languages and Systems,
17(6):805-843, November 1995.
http://doi.acm.org/10.1145/218570.218571.
The longer version (with an appendix of formal proofs) is Department of Computer Science, Iowa State University, TR #95-19, August 1995. [abstract] [postscript] - Yoonsik Cheon and Gary T. Leavens. The Larch/Smalltalk Interface Specification Language. ACM Transactions on Software Engineering and Methodology, 3(3):221-253, July 1994. http://doi.acm.org/10.1145/196092.195325.
- Gary T. Leavens, Modular Specification and Verification of Object-Oriented Programs. IEEE Software, 8(4):72-80, July, 1991. http://doi.ieeecomputersociety.org/10.1109/52.300040.
- Gary T. Leavens and William E. Weihl. Reasoning about Object-Oriented Programs that use Subtypes (extended abstract). In OOPSLA ECOOP '90 Proceedings, pages 212-223 (Volume 25, number 10 of ACM SIGPLAN Notices, October 1990). http://doi.acm.org/10.1145/97945.97970.
For More Information
See the following for more publications and other information.
Contact Information
Gary T. LeavensUniversity of Central Florida
School of Electrical Engineering and Computer Science, Harris Center (Building 116)
4000 Central Florida Blvd.,
Orlando, Florida 32816-2362 USA
e-mail: leavens@eecs.ucf.edu
Phone: +1-407-823-4758 / fax: +1-407-823-5419
Last update $Date: 2008/02/21 18:56:50 $