Trusted Components for the software industry
Bertrand Meyer - ISE / Monash, Christine Mingins - Monash University, Heinz Schmidt - Monash University
A shorter variant of this article appeared
in Computer (IEEE), as part of the Component and
Object Technology department, in the May 1998 issue.
A research and application project aimed at providing a solid foundation for the software industry through extensive libraries of trusted reusable software components ("componentware"), where trust is built from a combination of approaches: use of Design by Contract; mathematical proofs of correctness; testing; wide public scrutiny; evaluation through metrics; exhaustive validation in practical projects; rigorous change management.
Can we get the bugs out?
The software industry rests on feet of clay. However carefully we may strive to build correct and reliable software, we have no way of ensuring the quality of the result: because it depends of the quality of so much else, from hardware and operating system to compiler and run-time libraries; and because any significant system has so many details and components of its own that we can hardly expect to get everything right if we do it all by ourselves.
None of the commonly suggested approaches suffices to quell these worries:
The last two points were analyzed in a recent IEEE Computer Object Technology column , which suggested that the solution, for each of formal methods and reusability, lies in the other proposition: formal methods, because of their cost, only make sense (except for a handful of mission-critical systems, mostly in the defense and transportation industries, where the stakes are so high that money is not the issue) when applied to widely reused components, which can recoup the investment through effects of scale; and widespread reuse is only attractive if we can be formal enough to guarantee that the components will be correct, aiding rather than harming the systems that will rely on them.
The present proposal builds on the conclusions of that article to describe an ambitious but realistic project combining the ideas of reuse and formality with other more pragmatic techniques; the goal is to provide the entire software industry with a powerful set of reusable components deserving a high degree of trust -- leading to the "Trusted Objects" of the title.
How to ensure trust
No single technique can produce completely trusted components. Trust is in fact a social phenomenon. Even in mathematics, the most formal of all disciplines, professionals only believe in a theorem based on a mix of formal criteria, such as published proofs, and social ones such as: who produced the theorem and its proof; where it was published; who reviewed the publication; who else already believes it; how much the result has already been applied; whether it seems consistent with other results in the same area or others; whether it gives the "right feeling"; whether theorem and proof are "elegant". Part of the reason is that almost all published proofs omit many intermediate steps, to avoid overwhelming the reader with useless complexity -- not unlike the complexity of a software system, except that many industrial systems are far more complex than the average mathematical proof.
As a result trust, especially in software, will not be a binary proposition -- "blindly trusted" vs. "untrusted". We may trust Microsoft Word enough to use it for our next paper, but we would not bet a year's salary on the assumption that it will not produce crash while we are writing the paper.
A striking example of the power of social processes exists in software: the success of free, source-code-available products, notably GNU and Linux software. These tools, some quite ambitious, have been devoted by volunteers, under the international scrutiny of a network of enthusiasts who, relying on all the tools of the Internet (FTP, World-Wide Web, Usenet discussion groups, e-mail) scrutinize the source code of every new version, test it, report defects, suggest improvements -- leading to collective work of unprecedented scope outside of any formal organization or commercial framework. Some of the results are of astounding quality, leading many commercial companies to select, for example, the free GCC compiler over the $2,000-per-user C/C++ compiler from Sun, or the Linux operating system -- initially the work of a student -- over Sun's Solaris, the result of tens of thousands of man-years in one of the hotbeds of the industry. Such examples illustrate the power of this recent phenomenon: volunteer scrutiny as a form of free, global quality assurance.
The Trusted Components project proposes to apply a mix of formal and informal approaches. Here are the principal techniques:
The Trusted Components project can only be successful as a collaborative, federative multi-year effort. It can be a rich source of academic gratification: journal and conference articles, books, theses (Master's, PhD), industry collaborations, grants, workshops and conferences (e.g. in the framework of TOOLS).
The major areas of effort include (non-exhaustive list):
The Trusted Components project offers the prospect of an academic effort that may have a major impact on the evolution of the software industry.
 Jean-Raymond Abrial: The B-Book; Cambridge University Press, 1997.
 Bertrand Meyer: Eiffel: The Language; Prentice Hall, 1992.
 Bertrand Meyer: Reusable Software; Prentice Hall, 1994.
 Jean-Marc Jézéquel and Bertrand Meyer: Design by Contract: The lessons of Ariane; IEEE Computer, January 1997. See online version.
 Bertrand Meyer: The Next Software Breakthrough; IEEE Computer, July 1997. See online version.
 Bertrand Meyer: Object-Oriented Software Construction, second edition; Prentice Hall, 1997.
More Trusted Components developments!
Since the publication of this article, a number of developments have happened in Trusted Components. See among others the ETH Web page.