Gary T. Leavens's Home Page

GARY T. LEAVENS (Leavens@ucf.edu)

Professor in the University of Central Florida's Department of Computer Science.

(From January 1989 until August 2007, I was a professor of Computer Science at Iowa State University.)

• B.S. 1978, Computer & Communication Sciences, The University of Michigan
• M.S. 1980, Computer Science, The University of Southern California
• Ph.D. 1989, Computer Science, Massachusetts Institute of Technology

Major Research Interests

Programming and specification language design and semantics, formal methods (program specification and verification), aspect-oriented languages, object-oriented languages, distributed languages, type theory, programming methodology, software engineering, information assurance, computer science education.

Current Research

The long term goal of my research is to better understand how to solve programming problems: how to specify such problems, methods for thinking about such problems, notations for expressing solutions, and ways to check that the solutions are correct. In pursuing this goal, I have worked in two main areas: formal methods and programming languages. formal methods and programming languages.

Formal Methods

My work in formal methods has been focused on ways to specify and verify object-oriented (OO) software components. The specification work involves the design and formal description of behavioral interface specification languages (BISLs). BISLs record information about detailed design: the interfaces and functional behavior of program modules. My group has designed a BISL for Smalltalk, called Larch/Smalltalk, a BISL for C++, called Larch/C++ Larch/C++, and, a BISL for Java called JML. Current work focuses on JML, and is being done with a large and growing international team of collaborators. Work on JML focuses on the problem of how to make it expressive enough for documenting existing code; we measure this using both theoretical analysis and case studies. We have made some progress; for example, work with Clyde Ruby reported at OOPSLA 2000 and in his dissertation aims to explain needs to be specified to deriving a subclass without seeing the source code for a superclass. There have also been papers (with Peter Müller and Arnd Poetzsch-Heffter) that use ownership to solve modularity problems in the specification and verification of layered systems. JML has also fostered much interesting work by other researchers. However, there are several important features that need more work, such as concurrency and performance constraints. Our current work on JML funded by the National Science Foundation (NSF) tries to address some of these issues, as well as issues of practicality. Early work on JML was done jointly with (former ISU professor) Al Baker, and former Ph.D. student Clyde Ruby. Former Ph.D. student Yoonsik Cheon, designed Larch/Smalltalk, helped in the design of Larch/C++, tools for JML, and is also contributing to the design of JML as an assistant professor at Univ. of Texas, El Paso. Several of my other students have also helped with the JML project. I have also worked with Baker and a former Ph.D. student, Tim Wahls, on executing such specifications.

A long term interest in formal methods for OO software components is behavioral subtyping. The message passing mechanism of OO languages, such as C++ and Java, allows one to easily extend programs by adding new types. This works best if objects of the new types behave like the objects of the old types; the old types are supertypes of the new types, which are called subtypes. How should one reason about programs that use subtyping and message passing? We seek a reasoning method, formalized by specification and verification techniques, that is modular in the sense that when subtypes are added to a program, unchanged modules do not have to be respecified or reverified.

The idea of behavioral subtyping, which I helped develop, supports a programming discipline, supertype abstraction, that solves this problem. To use supertype abstraction, one specifies and verifies code in terms of the static types of expressions written in a program (as usual), uses a type checker to ensure that the static types are supertypes of the run-time types, and then must prove that subtypes obey the specifications of their supertypes. Behavioral subtyping makes this technique sound. Krishna Kishore Dhara, a former Ph.D. student, has extended the formal theory of behavioral subtyping to types whose instances have time-varying state. Professor Don Pigozzi (now retired from the Mathematics Department at ISU) and I have found an exact algebraic characterization of behavioral subtyping for immutable types. We have also been working on effective techniques for proving behavioral subtyping. Recent work with David Naumann (of Stevens) on behavioral subtyping has precisely characterized modular reasoning (supertype abstraction) for Java-like languages with mutation, and formally justifies its soundness. The work with Dhara, Pigozzi, and Naumann on the above topics was funded by various grants from the NSF.

The potential impact of the work in formal methods is possibly great; it might lead to the engineering of software, instead of hacking. It also seems necessary for high quality software components and reuse. But more realistically, I view my research as trying to formally understand what one needs to think about when documenting and reasoning about a program or program component. This can be of great value for teaching and for the construction of tools, even if people do not use the formalism directly or on a daily basis.

Programming Language Design and Semantics

The other main aspect of my work has been on the design and semantics of programming languages. This falls in two areas: object-oriented languages with generic functions and aspect-oriented languages.

Languages with generic functions are also known as multimethod programming languages, because method calls can dispatch a message send on all arguments, unlike a single-dispatching OO language, such as Smalltalk, C++, or Java. Multimethod languages are interesting because they can more easily express solutions to certain problems in OO programming (binary methods). My work on multimethod languages is joint with my (former) Ph.D. student Curtis Clifton (now a professor at Rose-Hulman) and has been done in collaboration with Craig Chambers of the University of Washington and his former Ph.D. student Todd Millstein (now a professor at UCLA). (Students Jianbing Chen and Sevtap Karakoy also have contributed to this work.) The work focuses on the semantics and type systems for variants of the Cecil and Java languages. To date we have published papers about an algorithm for type checking such languages with very expressive features (orthogonal inheritance and subtyping), about how to add multimethods to existing languages, and a way to add multimethods to Java. The latter has been developed into the language MultiJava and is featured in an ACM TOPLAS article.

One big problem I worked on (with Craig Chambers) was how to get a language with both a (sound) static type system and a sensible module system. This problem was solved by Millstein and Chambers (as reported in ECOOP '99). We have applied their ideas to the design of an extension to the Java programming language called MultiJava. The ideas also seem applicable to the design of OO languages that are more flexible.

A second interest in programming languages has been in aspect-oriented (AO) languages. As typified by AspectJ, AO languages offer advanced features for modularizing cross-cutting concerns, such as advice and intertype declarations (like MultiJava's ``open classes''). As part of a long term effort to better understand AO languages, my former Ph.D. student Curtis Clifton and I have been working on reasoning (e.g., about correctness) in AO languages. This work has been backed by a study of the operational semantics and type systems of AO languages. Curtis developed a simple and easily understood operational semantics for an AspectJ-like language, with a sound type system. This work also involved an effect system (concern domains) that makes it possible to more efficiently and effectively reason about AO programs. Recent results towards this end (with James Noble) appear in ECOOP 2007. This work also involved an effect system (concern domains) that we hope will make it possible to more efficiently and effectively reason about AO programs.

More recently, Hridesh Rajan and I have been working on a programming language that is less expressive than AspectJ-like languages, but which has advantages for modular reasoning. This language, Ptolemy, is a hybrid of an implicit-invocation language and an aspect-oriented language. It has promise both as a low-level language for virtual machines and for supporting easier static reasoning.

The potential impact of these research directions might be large if this leads to more flexible, modular, and reusable coding practices. A recent NSF grant funded Curtis's research on AO languages.

Details are available through my selection of representative publications below and through my other WWW pages (especially the the JML papers page). You can also look at my vita.

Representative Publications

• Gary T. Leavens and David A. Naumann. Behavioral Subtyping, Specification Inheritance, and Modular Reasoning. ACM TOPLAS, 37(4):13:1-13:88, Aug. 2015. http://doi.acm.org/10.1145/2766446.
• Mehdi Bagherzadeh, Hridesh Rajan, Gary T. Leavens, and Sean Mooney. Translucid Contracts: Expressive Specification and Modular Verification for Aspect-Oriented Interfaces. In Proceedings of the tenth international conference on Aspect-oriented software development, Porto de Galinhas, Pernambuco, Brazil, ACM, 2011, pp. 141-152. http://doi.acm.org/10.1145/1960275.1960293.
• C.A.R. Hoare, Jayadev Misra, Gary T. Leavens, and Natarajan Shankar. The Verified Software Initiative: A Manifesto. ACM Computing Surveys, 41(4):22:1-22:8, October, 2009. http://dx.doi.org/10.1145/1592434.1592439.
• John Hatcliff, Gary T. Leavens, K. Rustan M. Leino, Peter Müller, and Matthew Parkinson. Behavioral Interface Specification Languages. ACM Computing Surveys, 44(3):16:1-16:58, June, 2012. http://dx.doi.org/10.1145/2187671.2187678.
  Also Dept. of Computer Science, University of Central Florida, CS-TR-09-01, March 2009. [abstract] [PDF] [Survey home] [Examples]
• Hridesh Rajan and Gary T. Leavens. Ptolemy: A Language with Quantified, Typed Events. In Jan Vitek (ed.), ECOOP 2008 -- Object-Oriented Programming: 22nd European Conference, pages 155-179. Volume 5142 of Lecture Notes in Computer Science, Springer-Verlag, July, 2008.
  The original publication is available at springerlink.com from http://dx.doi.org/10.1007/978-3-540-70592-5_8.
• Curtis Clifton, Gary T. Leavens, and James Noble. MAO: Ownership and Effects for more Effective Reasoning about Aspects. In ECOOP 2007 -- Object-Oriented Programming: 21st European Conference, pages 451-475. Volume 4609 of Lecture Notes in Computer Science, Springer-Verlag, July, 2007.
  The original publication is available at springerlink.com from http://dx.doi.org/10.1007/978-3-540-73589-2_22.
• Steve M. Shaner, Gary T. Leavens. David A. Naumann, Modular Verification of Higher-Order Methods with Mandatory Calls Specified by Model Programs. In OOPSLA'07: Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications, pages 351-368, October 2007. (Volume 42, number 10 of ACM SIGPLAN Notices.) http://dx.doi.org/10.1145/1297105.1297053
• Gary T. Leavens, K. Rustan M. Leino, and Peter Müller. Specification and verification challenges for sequential object-oriented programs. Formal Aspects of Computing, 19(2):159--189, June 2007. The original publication is available at springerlink.com from http://dx.doi.org/10.1007/s00165-007-0026-7.
• Curtis Clifton and Gary T. Leavens. MiniMAO₁: Investigating the Semantics of Proceed. Science of Computer Programming, 63(3):321-374, Elsevier, Dec. 2006. http://dx.doi.org/10.1016/j.scico.2006.02.009.
• Gary T. Leavens. JML's Rich, Inherited Specifications for Behavioral Subtypes. In Zhiming Liu and He Jifeng (eds), Formal Methods and Software Engineering: 8th International Conference on Formal Engineering Methods (ICFEM), Macao, China, pages 2-34. Volume 4260 of Lecture Notes in Computer Science, Springer-Verlag, 2006.
  The original publication is available at springerlink.com from http://dx.doi.org/10.1007/11901433_2.
• Peter Müller, Arnd Poetzsch-Heffter, and Gary T. Leavens. Modular Invariants for Layered Object Structures. Science of Computer Programming, 62(3):253-286, Elsevier, Oct. 2006. http://dx.doi.org/10.1016/j.scico.2006.03.001.
• Curtis Clifton, Todd Millstein, Gary T. Leavens, and Craig Chambers. MultiJava: Design Rationale, Compiler Implementation, and Applications. ACM TOPLAS, 28(3):517-575, May 2006. http://doi.acm.org/10.1145/1133651.1133655.
• Gary T. Leavens, Yoonsik Cheon, Curtis Clifton Clyde Ruby, and David R. Cok. How the design of JML accommodates both runtime assertion checking and formal verification. Science of Computer Programming, 55(1-3):185-205, Elsevier, 2005. http://dx.doi.org/10.1016/j.scico.2004.05.015.
• Lilian Burdy, Yoonsik Cheon, David R. Cok, Michael Ernst, Joseph Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. An Overview of JML Tools and Applications. International Journal on Software Tools for Technology Transfer, 7(3):212-232, June 2005. The original publication is available at http://www.springerlink.com from http://dx.doi.org/10.1007/s10009-004-0167-4.
• Yoonsik Cheon, Gary T. Leavens, Murali Sitaraman, and Stephen Edwards. Model Variables: Cleanly Supporting Abstraction in Design By Contract. Software, Practice & Experience, 35(6):583-599, Wiley, May, 2005. http://dx.doi.org/10.1002/spe.649.
• Peter Müller, Arnd Poetzsch-Heffter, and Gary T. Leavens. Modular Specification of Frame Properties in JML. Concurrency and Computation: Practice and Experience, 15(2):117-154, February, 2003. http://dx.doi.org/10.1002/cpe.713.
• Yoonsik Cheon and Gary T. Leavens. A Simple and Practical Approach to Unit Testing: The JML and JUnit Way. In Boris Magnusson (ed.), ECOOP 2002 -- Object-Oriented Programming, 16th European Conference, Malaga, Spain, June 2002, Proceedings. Volume 2374 of Lecture Notes in Computer Science, Springer-Verlag, 2002, pages 231-255. The original publication is available at springerlink.com from http://www.springerlink.com/content/2yjt7jdnduntpgwp/.
• Clyde Ruby and Gary T. Leavens. Safely Creating Correct Subclasses without Seeing Superclass Code. In OOPSLA 2000 Conference Proceedings, pages 208-228. Volume 35, number 10 of ACM SIGPLAN Notices, October 2000. http://doi.acm.org/10.1145/353171.353186.
• Gary T. Leavens and Don Pigozzi. A complete algebraic characterization of behavioral subtyping. Acta Informatica, 36(8):617-663, March 2000. The original publication is available at springerlink.com from http://dx.doi.org/10.1007/s002360050168.
• Gary T. Leavens and Krishna Kishore Dhara. Concepts of Behavioral Subtyping and a Sketch of their Extension to Component-Based Systems. In Gary T. Leavens and Murali Sitaraman (editors), Foundations of Component-Based Systems, Cambridge University Press, 2000. Chapter 6, pages 113-135. [PDF]
• Gary T. Leavens and Albert L. Baker. Enhancing the Pre- and Postcondition Technique for More Expressive Specifications. In Jeannette M. Wing, James Woodcock, and Jim Davies (editors). FM'99 -- Formal Methods: World Congress on Formal Methods in Development of Computer Systems, Toulouse, France, September 1999, pages 1087-1106. Volume 1709 of Lecture Notes in Computer Science, Springer-Verlag, 1999. The original publication is available at springerlink.com from http://www.springerlink.com/content/74v251avr98krlmw.
• Gary T. Leavens and Todd D. Millstein. Multiple Dispatch as Dispatch on Tuples. In OOPSLA '98 Proceedings, pages 374-387. Volume 33, number 10 of ACM SIGPLAN Notices, October 1998. http://doi.acm.org/10.1145/286936.286977.
• Gary T. Leavens and Jeannette M. Wing. Protective Interface Specifications. Formal Aspects of Computing, 10(1):59-75, January 1998. The original publication is available at springerlink.com from http://dx.doi.org/10.1007/PL00003926.
• Gary T. Leavens. An Overview of Larch/C++: Behavioral Specifications for C++ Modules. In Haim Kilov and William Harvey (editors), Specification of Behavioral Semantics in Object-Oriented Information Modeling (Kluwer Academic Publishers, 1996), Chapter 8, pages 121-142.
  An extended and up-to-date version is Department of Computer Science, Iowa State University, TR #96-01d, revised July 1997.
• Krishna Kishore Dhara and Gary T. Leavens. Forcing Behavioral Subtyping Through Specification Inheritance. In Proceedings 18th International Conference on Software Engineering, Berlin, Germany, pages 258-267. IEEE, 1996. http://doi.ieeecomputersociety.org/10.1109/ICSE.1996.493421.
  An extended and slightly revised version is Department of Computer Science, Iowa State University, TR #95-20c, August 1995, revised August and December 1995, March 1997.
• Gary T. Leavens and William E. Weihl. Specification and Verification of Object-Oriented Programs Using Supertype Abstraction. Acta Informatica, 32(8):705-778, November 1995. The original publication is available at springerlink.com from http://dx.doi.org/10.1007/BF01178658.
• Kim B. Bruce, Luca Cardelli, Giuseppe Castagna, The Hopkins Objects Group, Gary T. Leavens, and Benjamin Pierce. On Binary Methods. Theory and Practice of Object Systems 1(3):221-242, 1995.
• Craig Chambers and Gary T. Leavens. Typechecking and Modules for Multimethods. ACM Transactions on Programming Languages and Systems, 17(6):805-843, November 1995. http://doi.acm.org/10.1145/218570.218571.
  The longer version (with an appendix of formal proofs) is Department of Computer Science, Iowa State University, TR #95-19, August 1995. [abstract] [postscript]
• Yoonsik Cheon and Gary T. Leavens. The Larch/Smalltalk Interface Specification Language. ACM Transactions on Software Engineering and Methodology, 3(3):221-253, July 1994. http://doi.acm.org/10.1145/196092.195325.
• Gary T. Leavens, Modular Specification and Verification of Object-Oriented Programs. IEEE Software, 8(4):72-80, July, 1991. http://doi.ieeecomputersociety.org/10.1109/52.300040.
• Gary T. Leavens and William E. Weihl. Reasoning about Object-Oriented Programs that use Subtypes (extended abstract). In OOPSLA ECOOP '90 Proceedings, pages 212-223 (Volume 25, number 10 of ACM SIGPLAN Notices, October 1990). http://doi.acm.org/10.1145/97945.97970.

For More Information

See the following for more publications and other information.

• My research page, main.html
• Index of my other WWW pages, index.html

Contact Information

Gary T. Leavens
University of Central Florida
College of Engineering and Computer Science
Dept. of Computer Science, 329 L3Harris Center (Building 116)
4000 Central Florida Blvd.,
Orlando, Florida 32816-2362 USA

e-mail: Leavens@ucf.edu
Phone: +1-407-823-4758 / fax: +1-407-823-1488

Last update $Date: 2024/08/09 16:00:20 $