See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/220459741

Software Constraints for Large Application Systems

Article  in  The Computer Journal · October 1997

DOI: 10.1093/comjnl/40.10.598 · Source: DBLP

CITATION READS

1 6,325

3 authors:

Dag I. K. Sjøberg Ray Welland

University of Oslo University of Glasgow
121 PUBLICATIONS   6,544 CITATIONS    54 PUBLICATIONS   401 CITATIONS   

SEE PROFILE SEE PROFILE

Malcolm Phillip Atkinson

The University of Edinburgh
315 PUBLICATIONS   6,234 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Keynote at PROFES'2016: The Relationship between Software Process, Context and Outcome View project

ENVRI+ View project

All content following this page was uploaded by Ray Welland on 19 May 2014.

The user has requested enhancement of the downloaded file.

 Software Constraints for Large
Application Systems
DAG I. K. S JØBERG 1 , R AY W ELLAND 2 AND M ALCOLM P. ATKINSON 2
1 Department of Informatics, University of Oslo, PO Box 1080 Blindern, N-0316 Oslo, Norway
2 Department of Computing Science, University of Glasgow, 17 Lilybank Gardens, Glasgow G12 8QQ,
UK
Email: [email protected]

As application systems live longer and grow in size and complexity, there is an ever increasing
need for methods and tools that can support software builders in constructing maintainable, well-
structured and consistent systems. This paper describes the notion of software constraints as an aid
to developing such systems. Software constraints make rules and conventions commonly agreed to
in a given programming environment explicit and automatically checkable. The potential usefulness
of software constraints was investigated in both industrial and research environments. A framework
for categorization of such constraints is defined. Constraints are proposed that are generally
applicable and others that are tightly connected to and support a certain programming method.
Tools for automatic checking are crucial if software constraints are to be used. An architecture for
such tools and two realizations are described.

Received October 16, 1996; revised December 2, 1997

1. INTRODUCTION subsystems. The information collection system observes

Large and long-lived application systems that satisfy a
complete area of information-processing requirements, such
as management information systems, health management
systems, CAD/CAM systems, CASE tools, etc., must
continuously undergo change in order to reflect change in
their environments [1, 2, 3, 4]. To satisfy new requirements,
code must be modified, which in turn may cause its
structure to deteriorate [5] and introduce inconsistencies.
Consequently, to ensure consistency in such systems, better
methods, techniques and tools are required, and there is an
increased need for standardization and discipline in software
construction and maintenance.
The subject of this paper is how software constraints can
improve structure and consistency of application systems,
which we believe will simplify the maintenance of such
systems. Automatically checkable software constraints can
support software engineers who have chosen and made
explicit commonly agreed rules and conventions. In order
to understand how software constraints can be used and
in which contexts, a framework for categorizing them is
proposed.
The compiler of a programming language already
performs many forms of consistency check such as type
checking, ensuring that identifiers are declared and unique
within a scope, etc. Modern compilers give warnings of
local redundancy [6, 7]. Our main concern is complementary
checks at a more macroscopic level: those among software
components, and those between software components and
data on a secondary (persistent) storage.
Our automated technology consists of two primary
the software components and the maintenance process, and
extracts pertinent data. This data is organized around
names and is assembled in a structure we call the thesaurus,
although in some senses it resembles a concordance, a data
dictionary, a cross-reference database or a repository. The
other subsystem performs various checks on the contents of
the thesaurus, evaluating various constraints and providing
advisory information about the current state of software
consistency.
This architecture permits generality and language inde-
pendence. The collection systems are independent analysers
that scan stores, schema definitions, program sources,
scripts, etc. Each such analyser must be specific to its infor-
mation source, for example capable of analysing its language
or data structures. Having collected this information it can
be held in the thesaurus in a source-independent structure,
but with references to those sources. The constraints can
then describe rules that should be satisfied either within a
source or between sources in a consistent notation.
The remainder of this paper is organized as follows.
Section 2 discusses the problem domain in further detail,
describes assumptions of our work, and defines some basic
terms frequently used in the paper. Section 3 categorizes
software constraints and provides several examples. A
general implementation architecture and two constraint-
checking tools are described in Section 4. Evaluation of
our proposed constraints and constraint-checking tools is the
issue of Section 5. Section 6 describes related work and
Section 7 concludes.

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

 S OFTWARE C ONSTRAINTS FOR
2. PROBLEM DOMAIN AND ASSUMPTIONS
A typical software construction or maintenance team will
not find it difficult to agree that certain general rules should
describe their software, for example:
• that for every component, all other components that are
needed to use it or understand it should also exist; and
• that the body of software they maintain should not
contain redundant parts.
However, such rules are not very helpful as they are so
general that they are difficult to support automatically and
lack the precision necessary to report violations usefully or
to permit control of rule application and reporting. Hence,
crucial issues for the successful exploitation of software
constraints are:
• the actual constraints, which may depend on the
programming language(s), the software engineering
environment, the programming methodology being
used, etc.;
• the availability of supporting tools for automatic system
analysis and constraint checking; and
• the controls available to software engineers over the
checks performed and the ways in which they are
reported.
We assume that all useful constraint maintenance systems
must be automated as it is well known that imposing
extra work on programmers to supply information manually
fails. Under the pressure of development work with tight
deadlines, programmers either circumvent the requirement,
or supply minimal information and fail to maintain it.
A violation of a constraint could be a logical error, it could
indicate a situation that might eventually cause problems,
or it could be a transient consequence of the stage the
development has reached. In the last case, constraints may
be deliberately violated. The constraint checking may thus
be perceived as advisory more than mandatory.
The significance of constraints increases as the size and
longevity of a project increase. A greater number of
people who are working on or have worked on the software
increases the chance of inconsistency as one programmer is
unaware of decisions taken by others. The turnover of staff
increases the number of programmers who have to spend
increased time finding their way around the software if it
is inconsistent. These points are illustrated by two concrete
examples we have observed in two quite different systems.
In a hospital administrative system various programmers
edited the relational schema, the set of ‘canned’ queries, the
GUI scripts and the C/C++ programs. As programmers were
not confident that they knew what all the other programmers
were using, they were extremely reluctant to remove
anything. Unsurprisingly, a consistency check across these
components showed that many relations, queries and scripts
were no longer used. However, the software team was
spending considerable time carefully working around these
redundant items each time they made a change.
In a language system constructed from many packages
that had been developed by a succession of programmers,
T HE C OMPUTER J OURNAL,
L ARGE A PPLICATION S YSTEMS 599
the space management code was significantly more complex
because of various constructs to support multiple paths to
objects. However, the rest of the software only ever used
a single path. Revisions of the store manager had lovingly
(but expensively!) preserved the multiple path capability,
presumably because programmers working on that package
had no convenient mechanism for establishing that the
facility was not used in any of the other packages.
One underlying assumption of our approach is that names
are highly significant in an engineering enterprise such
as the construction and maintenance of a large software
system by a team of people. In particular, we contend
that these software engineers will name everything that is
important to them, and depend on this naming when they
return to a subsystem and when they communicate with one
another. The habit of defining policies for naming and the
prevalence of jargon within any group is anecdotal evidence
that this general human property also applies in the software
engineering context.
Other assumptions on which our work is based are:
• that we have access to all relevant information about the
application system under development;
• that the primary data from which we extract informa-
tion is reliable and accurate, including the applications’
components (source code, object code, data, etc.);
• that it will be possible to implement constraint checking
so that it is economically justified and sufficiently
unobtrusive and useful that programmers do not
circumvent the system; and
• that the ultimate responsibility for application system
quality remains with software engineers, so that they
should retain control of what is checked, when it is
checked, how it is reported and what responses should
be made.
Five terms used frequently in the paper are defined as
follows:
• Code: any fragment of program, for example a
procedure.
• Software component: an association between a name
and any collection of code that can be edited, rebuilt
(recompiled, linked, etc.) and maintained as a
single unit. Software components would typically be
modelled as modules in Pascal, Modula-2 [8], Modula-
3 [9] and Standard ML [10, 11], packages in Ada
[12] and classes, interfaces, etc., in JavaTM [13], etc.
Schemata in relational databases and scripts are other
examples.
• Store: persistent store, persistent object store, object-
oriented database, relational database, file store or
similar data repository.
• Persistent component: a software component in a store
or an association between a name and a value, object,
root, relation, file, or other collection of data also in a
store.
• Persistent Application System (PAS): a software
system with a common purpose comprising one or
Vol. 40, No. 10, 1997
600 D. I. K. S JØBERG et al.

TABLE 1. Dimensions of constraint categorization.

Dimension Explanation Examples

Kind of constraint The purpose of the constraint
Locality The containers of the names being
subject to the constraint
Generality Context dependence of the
constraint
Eliminating redundant code or persistent components
– eliminating unused code or persistent components
– eliminating duplicate code
Minimizing mutability
Ensuring existence of required components at run-time
Local, i.e. within software components
Global
– between names internal to different software components
– between names internal to a software component and name of another software
component
– between names internal to a software component and named stored data
External, i.e. between software components and external components
Any combination of:
programming language dependent
data model dependent
methodology dependent
application dependent

more stores with a set of persistent components. A
PAS has the potential to be large, long-lived and
concurrently accessed.
3. SOFTWARE CONSTRAINTS
This section discusses categories of constraints and gives
examples of constraints applicable in most programming
environments.
3.1. Categorizing software constraints
Various kinds of software constraint (automatically checked
or not) have been defined in both academia and indus-
try. Meyers et al. [14, 15] distinguish among stylistic,
implementation and design constraints, but there exists
no commonly used framework for categorizing software
constraints. Table 1 shows our first attempt to develop one.
We categorize constraints along three dimensions: kind of
constraint, locality and generality. (A discussion of the need
for categorization and taxonomies in computer science in
general can be found in [16].)
3.1.1. Kind of constraint
The kind of constraint categories are abstractions over the
purpose of collections of constraints. The purpose of
constraints for ‘eliminating redundant code or persistent
components’ is to help prevent applications from becoming
unnecessarily large, complex and confusing. Redundant
source code and stored components are in particular likely
to distract future maintenance programmers. It is a widely
experienced problem in industry, also confirmed by our
experiments, that programmers rarely remove code or files
etc. because they are worried by the potential effects.
However, elimination of redundant information militates
against planning for change. The constraints discourage,
for example, the common practice by many programmers
where identifier3 declarations are deliberately left in the code
in the belief that the identifiers will be used later. (Their
use may also be temporarily commented out.) Although we
have experienced that this is an example of a poor strategy,
particularly in the long run, there may be cases where change
can be ‘anticipated’ and a sensible plan would be to place
hooks for future changes. Therefore, it should be possible to
omit parts of the application from checking.
Constraints aiming to ‘minimize mutability’ are applica-
ble to both source code identifiers and persistent compo-
nents. If a name denotes a variable, it should be updated with
a new value, which in turn should be used somewhere. If it
is not, it should be a constant, which may lead to improved
performance and programming precision. Unnecessary use
of variables can lead to redundant code, which in turn
can lead to further redundant code. For example, if the
expression on the right-hand side of an assignment is the
only use of some other identifier, that use also becomes
redundant. Moreover, a maintenance team might waste time
trying to inspect the current value of a variable or ensure that
it is correctly assigned.
If a component specified to be used by a software
component does not exist at run-time, run-time problems
will occur. Constraints for ‘ensuring existence of required
items’ aim to reduce the likelihood of such cases.
An important kind of constraint not discussed further
concerns documentation, which includes conventions for
layout, commenting and naming. Naming is of particular
interest as names are central to system builders’ thinking and
thus influence the way software is organized. The choice
of names is crucial to the readability of programs and is
particularly important when trying to administer and manage
3 In the context of source code, names are usually called identifiers.

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

 S OFTWARE C ONSTRAINTS FOR L ARGE A PPLICATION S YSTEMS 601

FIGURE 1. Components and relationships in a PAS.

TABLE 2. Local constraints.

(a) Eliminating unused identifiers: A declared identifier should be used at least once within a software
component
(b) Minimizing mutability: For every identifier declared as variable there should be some code in the
system that might update it, otherwise it should be constant
(c) Eliminating unused variables: If there is code that updates a variable, then there should also be code
that might subsequently access it

change. Various naming guidelines have been proposed in
the literature [17, 18]. The important point is that there is a
naming scheme, not its exact form.
3.1.2. Locality
The locality dimension categorizes constraints according
to the kind of container of the names and the kind of
components they denote. The two kinds of persistent
components, software components and data components,
and the different relationships we consider are shown in
Figure 1.
It is possible to define constraints at the fine granularity
of statement, declaration, assignment, etc. However,
the constraints at the finest granularity we consider are
those local to a software component, as illustrated by
relationship (1) in Figure 1. These are constraints within
single compilation units, exemplified by those in Table 2,
and are well understood and described in the literature, for
example in the data flow community [19]. Exempt from
constraint 2a are identifiers to persistent components. A file,
relation, etc., may correctly be declared, but not used, within
one software component. Similarly, mutable persistent
components are exempt from constraint 2c since they may
be accessed in other software components. Whether the
persistent components actually are accessed elsewhere is
captured by constraints defined at the global level.
Global software constraints operate at the PAS level, that
is, they are defined across code in different compilation units
and components in stores. Table 1 distinguishes among three
categories of global constraints in compliance with three
kinds of relationship shown in Figure 1. Relationship (2)
is between names within different software components.
Relationship (3) is between a name within a software
component and the name of another software component.
Relationship (4) is between a name within a software
component and the name of a data component. Since our
work focuses on global constraints, we present some detailed
examples in Subsection 3.2.
External constraints involve relationships between a name
within a software component and a name in an external PAS,
for example a library or legacy system (relationship (5)).
A constraint could be that the component denoted by the
external name should be accessible.
3.1.3. Generality
The generality dimension categorizes software constraints
according to whether or not they are dependent on
the application programming language, data model, and
methodology being applied by the software engineers, and
the semantics of the actual application being developed.
These four elements describing the context of a software
constraint are not mutually exclusive; a constraint may
depend or not depend on each of them, which gives 16
combinations.
Date [20] describes constraints in databases that are
programming language and methodology independent. He

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

602 D. I. K. S JØBERG et al.

TABLE 3. Eliminating redundant and ambiguous meta-data.

(a) Eliminating unused types. There should be at least one occurrence of a statement that will generate
an instance of any declared type identifier
(b) Eliminating unused substructures of types. If a type definition introduces internal substructure,
such as named fields in a record, then code should exist that may utilise values from each
substructure
(c) Eliminating duplicate and ambiguous type definitions. A type name should be declared only once
within an application system:
(i) Type definitions should not be duplicated
(ii) Type definitions should have unique names

refers to application-independent constraints as ‘general
integrity rules’ or ‘meta-rules’. They constrain the
application structure independently of the actual application.
‘Specific integrity rules’ express constraints in the real-
world application being modelled; general integrity rules are
independent of a specific application but may depend on the
type of data model being used (e.g. the relational model).
All the software constraint examples we present in this
paper are independent of the programming language, data
model and application. Those in Subsection 3.2 are also
methodology independent, while those in Subsection 4.3.1
are examples of methodology-dependent constraints.
It may not always be simple to classify a constraint.
For example, we consider the constraints we present that
involve relationships of category (4) (Figure 1) as being
programming language independent. However, one may
argue that to some extent they are language dependent since
there are, for example, functional languages that do not
support I/O to secondary storage.
3.2. Examples of global software constraints
This section describes a set of global constraints among
software components and another set of constraints between
software components and a store. The samples we
have identified are obviously not exhaustive; many other
constraints may be applicable.
3.2.1. Constraints among software components
Table 3 defines five constraints on type definitions. A
permitted violation of constraint 3a is the case where the
type (class) is abstract in the sense that it is solely used
for modelling purposes. In those cases one should be able
to annotate the code with ‘virtual’, for example, enabling
the constraint-checking tool to avoid reporting warning
messages for those cases. One might also introduce a
constraint that says that an abstract class should have at least
one (or two) specialization(s).
In systems with flat naming space, the compiler ensures
that a type name is declared in only one place (constraint 3c).
In systems where types can be defined in different scopes,
the constraint may be violated in two ways. First, two
or more types might be defined with the same name and
type structure in the overall application system. In that
case they should be replaced by exactly one definition at
a higher level in the hierarchy of scopes, that is the type
definitions should be more global. Maintaining consistency
requires that all declarations describing the same concept
(e.g. Person) must be changed consistently if the intention is
to modify the implementation of the concept (e.g. add a new
attribute). It is difficult to arrange consistent changes when
several programmers (responsible for several components),
who require use of a common type, each write out equivalent
type definitions (particularly if they are complex). It is
even harder to ensure that when the type is amended, the
same amendments are applied in every usage context. One
concept should therefore be represented by only one type
definition.
Second, type definitions may have the same name but
denote different types. To avoid confusion, they should
then be renamed to acquire unique names. This might be
unrealistic in large PASs where names may be reused in
different naming contexts, but the programmers should at
least be aware of such clashes. The inverse, that several
names denote structurally equivalent types, is accepted
because semantically different types with different names
may in practice have the same type structure (e.g. integer). A
useful by-product of a tool for checking constraint 3c could
be a list of equivalent type names.
An issue for future work is to examine the use of type
functions and formulate and check appropriate constraints
on these. Templates in object-oriented languages, type
functions in Quest [21], functors in ML [22], parametric
types in Napier88 [23], etc., have similar sets of rules as type
definitions: they should be used at least once, they should
not be multiply defined, etc.
Other constraints among software components of an
application concern source code involving persistent com-
ponents such as files in a file store, relations in a relational
database, objects in an OODB or values in a persistent store
(Table 4). There might be a few permitted exceptional
cases to constraint 4a. For example, logging files may be
frequently written to within an application, but they may be
inspected only in an ad hoc way by programmers. Neverthe-
less, even that example indicates an unsatisfactory situation.
The application should include software components that
read the file for the purpose of undo, restore or examination
of the audit trail.
Constraint 4b states that there should be exactly one

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

 S OFTWARE C ONSTRAINTS FOR L ARGE A PPLICATION S YSTEMS 603

TABLE 4. Eliminating unused and duplicated persistent components.

(a) Eliminating unused persistent components. A persistent component specified to be created in a
storea by one software component should be used, in particular:
(i) There must exist at least one software component that potentially updates the component with a
meaningful (i.e. non-null) value
(ii) There must exist at least one software component that potentially reads that value (it should be a
different software component to that which specified the component creation)
(b) Eliminating duplicate persistent component creation. For each persistent component potentially
used by a software component there should be exactly one corresponding software component that
specifies the creation of that component
(c) Eliminating duplicate persistent component deletion. A persistent component should potentially be
deleted in at most one software component
a ‘Create file’, ‘insert object’, ‘create table’, etc.

software component that specifies the creation of a persistent
component used in an application. (Exempt from this
constraint are persistent components imported from an
external application.) If no such software component exists,
there is a risk of the component being non-existent when
a software component attempts to write to or read from it,
thereby causing a run-time error.
There is also a risk of confusion and run-time problems if
several software components specify creation of the same
persistent component. Some examples will illustrate the
potential problems. O2 [24] permits objects (that become
persistent roots) and values to be named. It would be
confusing if two software components created an object
(root) with the same name. It would be a race condition as to
which one made it. If the other was then run, it would either
generate an error or lose information. The same potential
problems arise in a filing system if two software components
attempt to generate the same file, and in a system that can
dynamically create relations.
Constraint 4c has been defined in order to avoid confusion
and reduce the chances of attempting to delete a component
that has already been deleted (which may cause a run-time
error).
3.2.2. Constraints between software components and store
The constraints presented in Table 5 concern relationships
between source code and components accessible from a
store at the time of analysis. This store should be
either the store the code will eventually work with, or
a store that is representative of this target store. These
constraints are similar to those in Table 4, but instead
of comparing source code with source code, source code
is compared with the actual contents of a store. It is
checked whether the association between names in the
source code and components in a store, specified to be
established at execution-time, is likely to succeed. The
constraints described in this section must be rechecked when
the application code is installed in the environment in which
it will be executed.
The purpose of constraint 5a is to prevent the situation
where a part of a store associated with an application
has accumulated components unused by the application.
For example, a relation or file, once used by a software
component, may still reside in a store even though that
software component has been deleted or changed in such
a way that the relation or file will never again be
used. It is particularly during development and ad hoc
programming that programmers tend to forget to remove
unused components.
A component in the store that is not referred to in the
source code should probably be removed. However, it could
be the case that the source code was changed or a source
program deleted by accident. Hence, it is impossible to
automate deletion of components entirely without any user
intervention.
Moreover, the reader may correctly object that data is
often collected with a view to future use. New programs
that analyse it may be written. There is also the possibility
of using general tools outside the application software for
reading files such as editors, browsers and ad hoc query
notations, for example SQL. Even though it still may be
useful to be told that certain data is currently unused by the
application software, this is an example of a constraint that
we clearly may wish to switch off.
If a file, for example, used by a program is unintentionally
deleted or renamed, or if the programmer forgets to change
the program in accordance with a file deletion or renaming,
then the inconsistency would be detected by constraint 5b
before a software component attempts to access the file at
run-time.
Cases where the persistent component deliberately is
not present at the time of the constraint checking are
allowable exceptions to this constraint. For example, a
software component that creates a file to be used by another
software component may be executed just before the latter is
executed.
Constraint 5c concerns compliance between components
in a persistent store and the source code that specifies the
component creation. (Components that are imported as part
of another application are exempt from this constraint.) If
a component in the store has no corresponding creation
specification, then that specification must have been changed
or deleted by mistake, or the programmer must have
forgotten to delete the component when the code was

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

604 D. I. K. S JØBERG et al.

TABLE 5. Constraints between software components and components in a store.

(a) Eliminating unused data. A component present in a store should be used by at least one software
component
(b) Used data must exist. A persistent component specified to be used in a software component should
be present in a store (unless something else is indicated by the programmer)
(c) Unique component creator must exist. For each component present in a store there should be
exactly one software component that creates the persistent component

deliberately changed. Alternatively, components may have
been created in an ad hoc way.
This constraint helps ensure that persistent components
can be recreated on the basis of the source code (stores
may get corrupted, be remote, be isolated, or use different
value representations), and that the whole application can
be installed in another environment if need be. Although
components may be copied directly between stores, it should
still be possible to recreate a system. Furthermore, the
source programs serve as documentation for the declaration
and usage of the components in the store. To avoid confusion
and make it easier for programmers to understand the
application, there should not be more than one place for
potential component creation.
4. IMPLEMENTING CONSTRAINT CHECKING
It is generally difficult (in some cases hardly possible) and
invariably time consuming to check software constraints
manually. Hence, their success depends heavily upon a
supporting environment that automatically checks adherence
and provides relevant information in the case of violation.
Our assumption is that constraint checking will take place
after successful compilation of the application software.
This is similar to invoking a compiler after the source
code has been written, as opposed to invoking a compiler
interactively as part of using a syntax-directed editor. The
constraints are post-checked because it is not sensible
to check most of the constraints interactively (code for
declaring and using a component cannot be written at exactly
the same time).
Subsection 4.1 presents a general architecture for the
implementation of a constraint management system. Sub-
section 4.2 describes an exploratory study in an industrial,
multilingual environment that preceded the development
of this general architecture. Subsection 4.3 describes a
realization in a research, monolingual environment.
4.1. Implementation architecture
The major elements of our architecture are shown in Figure 2
and are described below:
• The application components comprise all persistent
components and all the source code written in all the
languages used to build the application programs, user
interfaces and databases of a PAS.
• The observer scans all the application components,
extracts relevant name information and stores it in the
thesaurus.
• The thesaurus is a persistent data structure that
contains information about each name occurrence
in all application components. In a multilingual
environment an additional thesaurus structure should
record dependencies among names used in code written
in the different languages.
• The constraint checker encapsulates all the constraints
that are defined in the system and actually checks those
that have been selected by the application builder. The
constraint checking is performed on the basis of the
contents of the thesaurus.
• The results of the constraint checking, including
information about constraints that were violated, the
sources of the violations and the time of the last
thesaurus update, are stored in a structure called
constraint-checking results.
• The presenter displays the constraint-checking results
using various textual or graphical presentations that
illustrate the kind of constraint violation and the
affected parts of the application. These may be
requested at various levels of detail. Statistical
summaries of constraint violation can be provided for
evaluation and quality management.
4.1.1. The thesaurus
Below are described the attributes of thesaurus entries
which can be used to check the constraints discussed in
Section 3. In practice, an implementation of the thesaurus
must be tailored to the actual programming language(s) and
environment.
• Name denotes a persistent component or an identifier
in the source text of a software component.
• Kind of the name is a base type (integer, real, etc.), a
constructed type (record, class, procedure, etc.) or a
construct with a loose connection to the notion of type
(relation, file, query, etc.).
• Constancy shows whether the name was declared
constant or variable.
• Container identifies the enclosing unit of the name
occurrence. The name, access path and type of the
container are recorded. We divide the various types into
two categories:
– Persistent components are contained within a
store, or they may be nested within other
persistent components.

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

 S OFTWARE C ONSTRAINTS FOR
FIGURE 2. General implementation architecture.
– If the name is an identifier in a source text, then
the container is its enclosing software component.
Block depth and block sequence, which yield
information about the scope of the name, may be
recorded for block-structured languages.
• Usage is applicable only where the container is
a software component and records what the name
occurrence represents, which is categorized as follows:
– Declaration of a type (kind).
– Use of a type (kind), which may be specialized
into more detailed usage such as creation of
an instance of the type, specialization of a
polymorphic procedure, specification of the type
of a parameter, etc.
– Declaration of a value, which may be specialized
into declaration of a local identifier, declaration of
a parameter of a procedure, class etc., declaration
of a substructure such as an attribute of a class
or relation, named field of a record or tag of a
variant, etc., creation of a persistent component,
specification of a persistent component to be used
in a program (i.e. reading a persistent value),
etc. Checking many of the constraints requires
that the name of the unit to which the declared
name belongs also be recorded, for example the
procedure of a parameter, the class or relation
of an attribute, etc. Similarly, when the name
occurrence denotes a persistent component, the
name of its container is also recorded. The same
kind of additional information is recorded for the
following two categories of usage.
– Assignment of a value, which may be specialized
into assignment of a local or global variable and
update of the value of a persistent component.
– Use of a value, which may be specialized into
the right context of an assignment, a procedure
or function call, a de-referencing of an attribute
of a class, field of a record, etc., or a deletion of a
persistent component.
• Date keeps track of the date and time when the entry
was inserted.
T HE C OMPUTER J OURNAL,
L ARGE A PPLICATION S YSTEMS 605
4.1.2. The observer
The observer consists of two parts: a source code analyser,
which provides the information required to check local
constraints and part of the information required to check
global constraints, and a store analyser, which provides
the other part of the information required for global
constraints. The source code analyser may be part of an
enhanced compiler where additional information relevant to
the thesaurus is extracted. A requirement would be that it
must be easy to switch on and off the extraction of this
information since this process will degrade performance
and is an unnecessary overhead if the compiler is invoked
for the purpose of syntax checking only. However, we
implemented our source code analysers as tailored tools,
decoupled from a compiler, because they are then simpler
to implement and can be made more flexible for the users.
Whereas most programmers use the same compiler with
minor adaptations, different programmers will benefit from
different sets of constraint depending on context, level of
experience (e.g. tighter constraints for novices than for
experienced programmers), etc. One may build a decoupled
source code analyser from scratch, or one may reuse the
lexical and syntax analysers of a compiler, but replace
executable code generation with generation of thesaurus-
relevant information.
The most convenient way of implementing a store
analyser depends on the kind of store, for example shell-
scripts for scanning file stores, SQL code for querying the
catalogue of relational databases, browsers for scanning
persistent stores or object-oriented databases, etc.
To help ensure that changes have been correctly imple-
mented, the constraints should be checked at intermediate
states of the software product during its development
and maintenance, particularly after each major change.
Constraint checking is typically performed after successful
compilation and before execution of software components.
Since the constraint checker extracts information from the
thesaurus, the timing of the thesaurus update is crucial.
The thesaurus content is automatically maintained and is
accurate up to the time of the last update.
In the two constraint-checking systems we have built,
the observers analyse the whole application and update
Vol. 40, No. 10, 1997
606 D. I. K. S JØBERG et al.
the thesaurus regularly at times specified by the user. A
full analysis and update can also be initiated at any time
(e.g. after a major set of changes). Analysing all software
components may be expensive. A smarter approach would
be to analyse only the changed components (e.g. indicated
by timestamps) and incrementally update the thesaurus.
4.1.3. The constraint checker
The checking of the constraints described in Section 3
exploits the information in the thesaurus attributes. How to
tackle certain problems, for example scoping, depends on
the actual programming environment and requires tailored
thesaurus information. This section outlines a model for the
implementation of constraint checking.
The constraints in Table 2 are checked by scanning
all the thesaurus entries of a software component. All
identifier declarations are added to one set; all identifier
uses to another set. A set difference between the latter
and the former set yields the unused identifiers violating
constraint 2a. Regarding constraint 2b, variables not updated
are detected by performing a set difference on one set
with variable declarations and another with the names
occurring in assignments. The same principle also applies
to constraint 2c.
Regarding constraints on meta-data (Table 3), we assume
a model where types can be defined in special, globally
accessible units such as declaration files or database
schemata. Constraint 3a is checked by performing a set
difference on one set of all global type definitions and
another set of all type identifiers used in instance creations.
In systems where types may also be defined and used
locally to a software component, an additional check must
be carried out for each component4.
The most difficult problem of checking constraint 3b is to
provide sufficiently detailed information uniquely to identify
the definition and use of substructures. If this is achieved,
checking is done by a simple set difference.
Identifying duplicate use of type names (constraint 3c (ii))
is trivial. Regarding checking duplicate declarations of
the same type (constraint 3c (ii)), the thesaurus yields
information about kinds only. Checking complete equality
between two complex types would require access to the full
type graph.
Checking the constraints in Table 4 involves creating four
sets that contain information about software components that
respectively create, read the value of, update the value of,
and delete persistent components. The information required
to create the first two sets is extracted from the third category
of the usage attribute (Subsection 3.1.1). The last two sets
exploit information in the third and fourth category of the
usage attribute, respectively. Having created these four sets,
checking the constraints is straightforward.
Checking the constraints in Table 5 exploits the first
two sets described above and another set that identifies the
4 In our programming environment, we are unable to distinguish between
the use of a type that is defined globally and the use of a type that is defined
locally. However, this potential problem is avoided if constraint 3c (ii) is
complied with.
T HE C OMPUTER J OURNAL,
components present in the store when the store analyser of
the observer was last run. Checking is straightforward by
comparing the elements in these three sets.
4.1.4. Constraint-checking results
Constraint checking may be carried out regularly, typically
in quiescent periods. Storing the constraint-checking results
in an appropriate format in a database, including information
about the time and extent of the checking, enables the
developers to obtain this information when convenient for
them. Such a database may also be exploited to provide
useful summary information over time and thus document
aspects of the system development process.
4.1.5. The presenter
The most straightforward presentation of the constraint-
checking results is a textual interface giving a list, in which
each entry displays which constraint was violated, when
and where. Constraint checking can potentially generate a
large number of violations. Therefore it is useful to allow
the users to select subsets of the violation entries either by
kind of violation or by location. Alternatively, it would be
possible to graphically depict the areas affected by constraint
violations. Colour could be used to enhance the feedback
provided. This would require a graphical presentation of the
application, which could be generated from the thesaurus.
Statistical summaries could be generated to provide input
to the evaluation of the constraint checking, see Section 5.
Such summaries could also be used to compare development
technologies, for example the use of different programming
languages.
4.1.6. Constraint rectification
The architecture illustrated in Figure 2 does not include
constraint rectification. Generally, there are many ways of
violating software constraints, and for each violation there
are several ways of rectification. For example, if a persistent
component is never used, a program could be modified or
a new one created to use it, or it could be removed from
the store. One may envisage automatic support for the latter
but not the former. Since it is a semantic problem to rectify
inconsistent states, fully automatic supporting tools are
generally infeasible, but future research should investigate
the possibility of semi-automatic tools that interact with the
programmer.
4.2. Exploratory study in a multilingual environment
The Health Management System (HMS) is a large
application system currently running in several hospitals in
the UK. It was developed in a C/C++, X Window system and
relational database environment. To speed up development
time, tailored languages (a screen definition language, a
procedural language, a query dictionary language and a
schema definition language) running on top of this base
technology were used to implement the system. To help
solve problems of maintenance experienced in the HMS
project, we built the HMS thesaurus tool [3]. This work
Vol. 40, No. 10, 1997
 S OFTWARE C ONSTRAINTS FOR L ARGE A PPLICATION S YSTEMS 607

• NAME—a textual form of the entry

• SEQ NO—system-generated key
• NAME TYPE—one of the following codes:
Action Name (AN), Action Script name (AS), Class Name (CN), Datum Name (DN), Field Name (FN), Function
name (FU), Query Name (QN), Relation Name (RN), Screen Macro name (SM), Transaction Name (TN) or Update
function Name (UN)
• CONTAINER—a textual name describing where a name is used
• CONTAINER TYPE—codes appropriate to the type of the CONTAINER value:
Action Script (AS), Display Language program (DL), Hippo Program (HP), Query (QN), Query Dictionary (QD),
Relation (RN), Schema (SC), Transaction (TN) or Update function (UN)
• DEFINITION USE (D/U)—indicates definition or use of the name
FIGURE 3. HMS thesaurus.

preceded and gave input to the development of the general
architecture described above.
The thesaurus consists of three relations; the main one
is shown in Figure 3. The categories of NAME TYPE
and CONTAINER TYPE reflect particular constructs of
the languages used in the HMS project. To carry out
global constraint checking, dependencies among identifier
occurrences in the software written in the different languages
had to be recorded. Hence, we created another relation
that describes direct correspondences between fields of the
database relations and identifiers used in the user interface
or application code. That is, an occurrence where a variable
in such code reads or updates a database field, or vice versa,
gives rise to an entry in this thesaurus relation (duplicates are
not included). The third relation keeps track of the history
of thesaurus entries and is defined similarly to the main
relation except for two additional fields: ADD DELETE,
which indicates whether an entry represents an addition or
a deletion, and INTRODUCED, which stores the date for
the addition/deletion.
The observer, which analyses the schemata and other
software and subsequently updates the thesaurus, is
implemented as a combination of SQL scripts, Unix csh
and awk scripts, and one C program. The analysis part of
the observer is implemented by SQL scripts that operate on
the schemata and Unix csh and awk scripts that implement
parsers for the display, query dictionary and the application
languages. The first two thesaurus relations are updated by
simply deleting the existing contents and loading the newly
generated information in the relations. The history relation
is updated by first performing a difference (Unix diff) on
a file with the newly generated information and a file with
the thesaurus history unloaded. Entries that are only in
the former file are inserted with an ‘A’ for addition in the
ADD DELETE field; those only in the latter are inserted
with a ‘D’ indicating a deletion.
The HMS project comprised about 150,000 lines of source
code when we collected measurements. The total analysis
and thesaurus update was carried out at 02:00 every night
and took about 30 minutes.
The constraint checker identifies two global anomalies:
‘names defined but not used’, and worse, ‘names used
but not defined’. These basically capture constraints 2a,
2c, 3a, 4a, 5a and 5b, and are a generalization of
the conventional definition–use anomalies within software
components [25]. More detailed thesaurus information
would have been needed to check the other constraints. The
checks were implemented as one (complex) SQL query over
the thesaurus relation.
There is no database that stores the results of the checking;
the results are presented directly to the user as two tables.
Both the invocation of the checking and the presentation of
the results take place through a coloured, X Window system
user interface. Details of the user interface and example
thesaurus data can be found in another paper [3].
4.3. Realization in a persistent programming environ-
ment
After the HMS experience, we implemented a constraint
management system in and for the persistent programming
language Napier88 [23]. The concept of persistence tackles
the mismatch between database systems and programming
languages [26, 27, 28]; a uniform model for representations
and operations on persistent and transient data is provided.
Tools, programs and data may all reside in the same
persistent store. The experimental work has been carried out
using Napier88 because it has several properties we needed:
• it provides longevity for all data, including the data we
generate to represent the thesaurus;
• as it provides persistence through reachability [28],
it maintains references and hence relationships in the
system reliably [27];
• it provides strong typing, which assisted in our
information collection and gave us accurate type
information about application components;
• we had access to the source code of the compiler and
all other program development tools, which greatly
facilitated the collection of data; and
• there was an active local user community giving us
access to several applications under construction.
The Structured Persistent Application System Model
(SPASM) is a set of software constraints introduced to
support programmers using Napier88. SPASM includes
the general constraints described in Section 3 and a set of
methodology constraints. The concrete interpretation and
implementation of the constraints have been tailored for the

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

608 D. I. K. S JØBERG et al.
programming environment of Napier88 and reflect particular
constructs of the language. For example, consider constraint
3a: ‘There should be at least one occurrence of a statement
that will generate an instance of any declared type identifier’.
Napier88 provides polymorphic procedures in which a type
identifier may occur as a parameter in an instantiation of
such a procedure. This is not an instantiation of the type,
but is sufficient to justify the existence of the type identifier.
Therefore, this requires an exception to constraint 3a, in
addition to the exception for abstract classes discussed in
Subsection 3.2.1.
4.3.1. Methodology-dependent constraints
SPASM defines a set of constraints that support a software
construction method, called location binding, described
elsewhere [29, 30, 31, 32, 33]. We believe similar sets of
constraints would be useful where other methods are used
to build applications with this technology or for systems
using other technologies, such as the synthesis of an object-
oriented language and a database system. This particular set
is therefore considered illustrative and a valid foundation for
preliminary experiments.
Following the method, applications are built incremen-
tally by placing procedures in the store, so that they can
be found via named constructs in the stable store called
environments. Each procedure is given a name that is unique
within an environment. Programs that place the procedures
in the store obtain other procedures they use by looking
up the name in a specified environment. The target of
construction is application programs that use procedures to
implement required tasks.
To support the construction method we have further
tailored the general constraints presented in Section 3
and defined some specific method-support constraints.
Inter-component constraints, including those between a
stable store (effectively a database for our purposes) and
software components, are expressed in terms of procedures,
environments and programs. The tailored constraints
include:
• for every program all the environments it requires are
in the store;
• for every program all the procedures it requires are in
the place it specifies in the store;
• every procedure is used directly or indirectly by a
program; and
• every environment contains at least one procedure.
The above constraints are illustrative simplifications of
those necessary in the Napier88 programming environment
in which we perform our experiments. However, they
are representative. For example, the first two are
tokens for those constraints that ensure that all that is
needed is available, whilst the last two are typical of
constraints to avoid redundant vestiges that often remain
from earlier versions of a system or from abandoned lines
of development.
A simplified subset of the method-support constraints
used in our experiment is:
T HE C OMPUTER J OURNAL,
• a software component is restricted to perform only one
kind of construction step (place procedure in the store,
update procedure value, delete procedure);
• each procedure declaration should occur only once and
have exactly one software component to create it, one
to update it and at most one to delete it; and
• there should be a partial order among software
components that create procedures in the persistent
store and those that use them.
The full description and justification of these constraints
are given in [33].
4.3.2. Implementation
The implementation of the prototype Napier88 constraint-
checking system is based on the general architecture
described in Subsection 4.1. The implementation of
the thesaurus particularly affects the general model of
containers. The containers of persistent components in
Napier88 are environments. The thesaurus records the name
of an environment and its path from a persistent root. If
the container of an identifier is a software component and
that identifier denotes a component that is inserted into,
updated within, or deleted from an environment, then the
thesaurus also records the name and access path of that
environment. This information is required in order to check
the constraints of Tables 4 and 5, and the method-support
constraints outlined above.
The part of the observer that processes Napier88 source
programs is based on the Napier88-in-Napier88 compiler
[31]. The lexical and syntax analysers have been adjusted to
conform to the special information needs of the thesaurus.
Instead of generating executable code, relevant information
is inserted into the thesaurus. The part of the thesaurus
analyser that extracts information from the persistent store
reuses low-level procedures used in the implementation of a
Napier88 browser [34].
The Napier88 constraint checker includes the full set of
SPASM constraints, which are embedded in the tool. A
programmer can select which constraints should be applied
in a particular tool invocation. Those constraints that
apply to the contents of the persistent store are simple to
implement since the same language model is used both for
transient data during program executions and for persistent
data in a store.
In the present version of the constraint-checking system,
the constraint-checking results are presented directly to the
user, but could easily be retained in the persistent store.
The first version of our presenter has only a primitive
textual user interface for displaying constraint violations.
The example in Figure 4 shows the output after a check
of constraint 4a (ii). Two software components each have
one persistent component that is not used. A component is
identified by its name and path of Napier88 environments
(separated by a ‘\’ in the figure), analogously to file
identification in a filing system. The built-in procedure ‘PS’
yields a persistent root environment.
Although the constraint-checking results are not persis-
Vol. 40, No. 10, 1997
 S OFTWARE C ONSTRAINTS FOR L ARGE A PPLICATION S YSTEMS 609

CONSTRAINT VIOLATION: PERSISTENT COMPONENTS CREATED BUT NOT READ

-------------------------------------------------------------------------------
SOFTWARE COMPONENT UNUSED PERSISTENT COMPONENT
-------------------------------------------------------------------------------
˜Personnel/Project/libraryKey_I.N PS()\Personnel\Project\libraryKey
˜Personnel/Project/team_I.N PS()\Personnel\Project\team
-------------------------------------------------------------------------------
Persistent components created in total : 24
Persistent components created but not used: 2
Proportion not used : 8%
-------------------------------------------------------------------------------

FIGURE 4. Presentation of constraint-checking results.

tently stored and the presenter is minimal, our Napier88
prototype demonstrates the utility of the general constraint-
checking architecture. This prototype has also provided us
with experience of constraint checking which is discussed in
the next section.
5. EVALUATION
A constraint should be of practical value in that either it
is violated in a significant number of applications or the
constraint violation is expensive. Therefore measurements
of inconsistency in real applications should be collected.
The results of a study we carried out are described in
Subsection 5.1. Owing to limited resources we were unable
to set up an experiment that measured the consequences of
constraint violation, but some experiences are reported in
Subsection 5.2.
Some of the anomalies and inconsistencies detected by
automatic constraint checking may cause errors that can
be detected during testing, but there are always cases not
identified in a test. The errors that we aim to avoid may occur
when the system has been operational for any period from
one day to many years. There are also limitations to software
constraint checking, however. All cases of constraint
violation cannot be detected, and several constraints would
have been more useful if they could have been defined more
accurately. This is the issue of Subsection 5.3.
The subsequent three sections discuss, respectively,
checking of method adherence, adapting constraint checking
to individual needs, and some viewpoints on how to deploy
constraint checking in an organization.
5.1. Extent of constraint violation
This section presents statistics concerning the extent of
software constraint violations in a Napier88 context. We
collected data from 20 applications consisting of more than
108,000 lines of source code with developers ranging from
students to experienced programmers from three separate
universities. This section reports some of the results;
more can be found in [35]. All the results are based on
measurements of source code and the actual contents of a
persistent store, which were automatically collected by the
Napier88 observer.
The study checked inconsistencies that are ‘violations’
of constraints imposed a posteriori. Each application was
constructed with no formal requirement for programmers
to adhere to the constraints tested, they had no aids
for checking these constraints themselves, and they were
unaware that their software would be analysed. The
applications were operational at the time of the analysis. One
would expect an even larger proportion of inconsistencies
during periods of development.
Measurement 1a in Table 6 indicates that 35% of all
variables that were never updated could have been declared
as constants. The table (1b) also shows that 8% of
all value identifiers (as opposed to type identifiers) were
unused. Interviews with the programmers revealed that there
are several reasons why this kind of redundancy occurs:
collections of declarations are copied indiscriminately from
other programs; too many identifiers are declared in the
belief that they would be needed later; and code using
identifiers is removed without the programmer remembering
to remove the corresponding declarations. Also other factors
may affect such figures, such as programmer expertise, tool
support and programming language. Hence, there may be
many reasons why, for example, as much as 28% of all
identifiers were reported unused in a study of production
PL/1 programs [36].
In our study, 10% of the names declared to denote external
software or data components were unused (not shown in
the table). Other studies of unused imported names report
similar figures (from 7% to 20%) [37, 38].
The 4% violation in Table 6 (1c) is a lower bound on the
frequency of redundant updates as we have not analysed
actual paths through programs. Table 6 (2b) shows that
24% of the type identifiers are unused. Some applications
use all the type identifiers declared within the application;
other applications use only one-third. In the latter extreme
cases the reason is that when libraries are used, all the types
associated with the library are copied even though only a
small part of the library is actually used in the application.
This indiscriminate copying of types is indicative of a
requirement for a tool to collect required items (types or
values).
Inconsistencies 2c, 2d and 2e show that 10% of all
statements specifying deletion of components are repeated,

T HE C OMPUTER J OURNAL, Vol. 40, No. 10, 1997

610 D. I. K. S JØBERG et al.
TABLE 6. Measurements of inconsistency.
Measurement
1. Local
(a) Value identifiers declared variable when they
could have been constant
(b) Value identifiers declared but never used
(c) Variables updated but not otherwise accessed
2. Global—between software components
(a) Repeated declarations of type identifiers
(b) Unused type identifiers
(c) Repeated delete statements
(d) Inserted components not used
(e) Repeatedly inserted components
3. Global—between software components and persistent store
(a) Unused components in the store
(b) Used components that do not exist
8% of the components declared to be inserted into a
persistent store are not used elsewhere, and 7% of such
declarations are re-declarations.
Inconsistency 3a shows that 9% of all components in the
persistent store are not used in any software component.
Finally, 3b shows the inverse, that 2% of the components
specified to be used in a software component do not exist. As
part of another study on maintaining Napier88 applications
[39], we collected statistics on the extent of run-time errors
and found in particular that the error ‘component cannot be
found’ is a significant problem.
The applications were divided into four groups depending
on the experience of the application programmers. There
was no noticeable difference between experts and novices
regarding the extent of inconsistencies.
The study described above investigated the extent of
certain inconsistencies, and thereby one aspect of the
relevance of constraints to help prevent them. Most of the
programmers thought that their programs were relatively
free of the kinds of inconsistency that were detected and
claimed to try to avoid them. They were therefore surprised
by the high rate of inconsistencies found in the studies.
They found the results interesting and were curious about the
quality of their own software compared with other people’s
software.
5.2. Consequences of constraint violation
The purpose of defining and checking software constraints
is to prevent states that may have undesirable consequences.
For example, a study of FORTRAN programs found a
correlation between the proportion of unused variables and
fault rate [40], which justifies the constraint that a declared
name should be used. It may not necessarily be a causal
relationship, but that study indicated that reducing the
number of unused variables might reduce the fault rate.
Identifying possible causes of faults and then constraints
T HE C OMPUTER J OURNAL,
Percentage Percentage of
35 All value identifiers declared
variable
8 All declared value identifiers
4 All updated variables
29 All type identifiers
24 All type identifiers
10 All delete statements
8 All inserted components
7 All inserted components
9 All stored components
2 All use-declared components
that will help prevent such faults occurring is essential when
defining programming methods and standards.
However, the consequences of violation are very hard
to measure, and thus conducting a proper cost/benefit
analysis is extremely difficult. Such an analysis should
aim to quantify the effect of software constraints and their
supporting tools on the basis of empirical data. This may
be achieved by measuring software before and after the
constraints and tools have been used. Such an experiment
is beyond the scope of this paper, but feedback received
from industrial software engineers, students and researchers
who have used our tools indicates, at least in our context,
that checking the particular constraints we have defined is
worthwhile.
In the HMS project the usefulness of the constraints was
evaluated on the basis of programmer feedback. Some of the
experiences were:
• Many unused identifiers were found. In the case of
procedures, the most common reason was that existing
procedures were replaced with new ones without the
programmers remembering to delete the old ones.
• Several references to undeclared identifiers were
detected. Typically, those were identifiers used in one
language and supposed to be declared in another, for
example, queries called from code written in the screen
definition language that did not have a corresponding
declaration in code written in the query dictionary
language.
• Inconsistencies were also detected at the macro
command level: shell environment variables not set
as appropriate, non-existent files included (because file
names had changed but not the corresponding file name
in an #include statement), etc.
The automatic checks on identifiers defined but not used,
and vice versa, proved more useful than they may seem at
first sight since they operate across software components
Vol. 40, No. 10, 1997
 S OFTWARE C ONSTRAINTS FOR
written in different languages. Performing inspection of
the direct and indirect relationships among identifiers in the
various components manually is infeasible in a system of the
size and complexity of the HMS.
The constraint checker was not used in all parts of the
HMS. Constraint 5b: ‘Used data must exist’, which applies
regardless of the type (text, multimedia data, etc.) of the
content of the persistent component being used, could have
prevented a very expensive service interruption and the loss
of information in the HMS in a particular hospital. The
reason for the problem was that a file containing a font used
by the user interface management system had been lost [28].
Examples of the usefulness of constraint checking
similar to those described above were experienced in the
context of Napier88, but more importantly there we were
able to experiment with method-specific constraints, see
Subsection 5.4.
We have described some examples of usefulness, but
more investigation on whether using a constraint-checking
system significantly improves the structure and consistency
of an application is needed. Demonstrating the effect on
maintenance requires long-term experiments, which could
not be carried out within the current work. The longevity
and scale of apparatus that are needed can be illustrated
by the work at the Software Engineering Laboratory, where
empirical data about software development processes has
been collected for two decades [41].
In a long-term experiment the constraint-checking system
could be instrumented to collect information automatically,
such as which constraint was checked and when, whether
it was adhered to or violated (if possible, to what extent),
name and size of application, etc. More challenging is to
define measurable criteria of maintainability. This is still an
open research issue.
5.3. Completeness and accuracy of constraint checking
All of our constraints concerning software components are
based on the use of names, which are extracted statically
from source code. This restricts the kinds of languages
to which we can completely apply our constraints. Using
constraints based on names causes some problems even for
the programming languages we have investigated. Because
we depend on static analysis, we cannot determine whether
specific code fragments will be executed at run-time.
Conditional execution of code reduces the accuracy of the
constraint we are able to specify.
Our approach to constraint checking is not generally
applicable to languages using type inference because some
of our constraints depend on explicit type declarations.
Languages in which code can be generated dynamically
(reflective programming languages [42, 43], dynamic SQL,
etc.) cause us problems because the complete source code
is not available statically. However, even for such languages
there will usually be a substantial amount of code that can
be statically analysed and subjected to constraint checking.
The use of names as the basis of constraint checking
is one reason why we are unable to identify completely
T HE C OMPUTER J OURNAL,
L ARGE A PPLICATION S YSTEMS 611
all constraint violations. For example, the constraints of
Tables 4 and 5 concern persistent components that are
identified by their name and the name of their context (e.g.
a path name) although this may not be possible in all cases.
During static analysis it may be hard to identify a file given
by a name in a program. The identity of the file may depend
on dynamic issues such as the directory of the executing
program or the contents of Unix environment variables, for
example.
Restricting the constraints to named components elim-
inates the possibility of handling unnamed files (e.g. in
VMS/VME) or other components that are statically bound,
such as Ada code, Fibonacci code [44] or Hyper-programs
[45, 46]. In all these environments, names have been
eliminated or never existed. Unnamed components are
typically computationally identified by a persistent identifier
(PID) or object identifier (OID) and reached by navigation
or query. There is a new and difficult challenge of how to
detect and report constraint violation among such unnamed
components. This is an issue for future work.
Some of the constraints involve statements in source code
that could be part of procedures or conditions, implying
that they are not necessarily executed in a given program
execution. For example, consider constraint 2b: ‘For every
identifier declared as variable there should be some code
in the system that might update it’. It cannot be checked
statically that particular updates are actually executed. It
can be checked statically that no code exists to do the
update, but we cannot say that the variable will be updated.
That would require an execution profile, and in this case
constraint 2b could be replaced by a stronger constraint: ‘For
every identifier declared as variable code will eventually be
executed that modifies its value’.
Data flow analysis techniques [19] could have been
exploited to improve the accuracy of our constraint
checking. Consider constraint 2b again; data flow analysis
would allow us to eliminate cases where the update code can
never be executed. This is more accurate than our present
checking, which will not detect constraint violations in such
cases. However, there are still cases that can only be detected
at run-time.
An even stronger constraint could aim also to prevent
cases where variables are updated but due to various
conditions could be replaced by constants. One example is
the case where the only use of a variable occurs after the last
of several assignments and its final value can be determined
statically. Constant propagation techniques can be exploited
to detect such cases [47].
In addition to improving the accuracy of the checking of
our existing constraints, data flow analysis would allow the
definition of further constraints, for example detection of
dead code within software components.
It has to be recognized that we can never specify the
software constraints for consistency and maintainability
completely. Were this possible, we would be able to specify
completely all possible future systems. It is impractical to
do this for two reasons. We have insufficient information
and knowledge to write such constraints, and many of
Vol. 40, No. 10, 1997
612 D. I. K. S JØBERG et al.
them could not be checked because they would require
information about future changes, states of the system,
etc., or because they would be computationally infeasible.
Nevertheless, our work suggests that there remain useful
constraints that can be written and checked, and we believe
that supporting them will give significant benefit.
5.4. Checking method adherence
Programmers who share a common view of how to
develop applications in their environment form a particular
programming culture. The rules and conventions of
such a culture implicitly express software construction
and maintenance methods adhered to within that culture.
Automatically checkable software constraints make such
methods explicit, which have the following advantages:
• they allow adherence to the methods to be checked;
• they communicate the methods to others, that is
programmers elsewhere and programmers who subse-
quently maintain the actual application systems;
• they will most likely refine the methods.
Possible disadvantages are:
• they remove important flexibility and variability;
• they hinder growth of better methods.
In compliance with the first advantage, we exploited the
Napier88 constraint-checking system to investigate whether
programmers follow the location binding method (Subsec-
tion 4.3.1). The applications described in Subsection 5.1
were divided into four groups: OLD applications developed
before the latest methods were developed, applications of the
STUDENTS who were taught the latest methods, new ap-
plications of experienced programmers who were AWARE
of those methods, without being fully committed to them,
and finally, applications with authors who were explicitly
COMMITTED. Not surprisingly, major differences were
measured among the groups. Constraint violation was
smallest in the COMMITTED group but still not ignorable.
Details can be found in [35].
5.5. Adaptability
Software engineers may wish to control the application
and the reporting of constraint checking. Therefore, the
user interface should permit them to control the checks
performed and to manage the consequent reports. There
are several ways of tailoring a constraint checking tool to
individual needs. For example, software engineers should
be enabled to perform the following:
• selection of a subset of constraints to be used in an
application;
• selection of components to which the constraints should
or should not apply;
• specification as to when observers should collect
information, for example concurrently with each build,
nightly or each time a version is checked in:
T HE C OMPUTER J OURNAL,
• determination of when all or specific constraints should
be checked, for example after each build, nightly, etc.
• specification as to where the constraint-checking
reports should be stored and what should be included;
and
• identification of what summary or detailed extracts are
to be presented during checking.
There is an interesting point about how programmers
indicate the exceptions to the default constraint checking. It
is clearly tedious to indicate the exceptions repeatedly every
time a check is run. However, the presence of exceptions
reduces the effectiveness of constraint checking and their
validity as exceptions may be questionable or temporary. If
the tool remembers exceptions indefinitely, the programmers
will forget them, they will accumulate, and the program’s
structure will deteriorate. So the handling of such exceptions
is a major challenge, including the design of a convenient
user interface.
The Napier88 constraint checker allows individual
constraints to be disabled. For example, a programmer
may know that certain constraints will not be adhered
to during a certain period of the development (typically
during initial construction) and may wish to avoid the
noise of unnecessary inconsistency messages. There are
several possibilities for specifying the period for ignoring
the constraint checking including: turning off checking for
the invoked session only; specifying a given period (e.g. in
terms of weeks or months); turning off checking until a given
action occurs (e.g. no checking before a quality assurance
final report is to be produced). It is also possible to select
parts (e.g. source programs or environments in the persistent
store) that should or should not be the subject of checking.
Another aspect of adaptability is the possibility of
modifying the set of constraints for specific purposes. Some
of the SPASM constraints reflect a methodology that has
been developed over years by experienced programmers.
Methodologies do not change that fast, and we have received
very few suggestions for new constraints. Therefore, in
our current implementation the constraint specifications are
hard-wired into the Napier88 constraint checker. One way
to achieve flexibility in constraint specification would be to
design and implement a constraint specification language
(cf. CCEL [14], see Section 6) that is tailored to and exploits
the software engineering features of persistent language
technology.
5.6. Constraint checking in an organizational context
Developing large and long-lived application systems is
a complex and time-consuming task; with many people
involved it is crucial that commonly agreed practices and
conventions are followed. Within an organization there is a
potential conflict between allowing flexibility in constraint
checking and the need for standardization and method
adherence. Increased flexibility makes maintenance more
difficult, but a very rigid standardization policy may lead to
programmers circumventing the constraint-checking system.
For example, software developers at ICL (e.g. working on
Vol. 40, No. 10, 1997
 S OFTWARE C ONSTRAINTS FOR
VME) were required to use CADES [48, 49] and to conform
to its built-in constraints. The S3 compiler was set up only
to take source from properly installed items in the CADES
database. The result was unreproducible and undocumented
patches in machine code as programmers circumvented
CADES’ lack of speed and restrictions. At one stage, in
consequence, a new release of VME was prevented because
the developers could not rebuild the kernel.
Software constraints provide one mechanism for stan-
dardization of software structure, which may eliminate
peculiar programming styles and simplify collaboration,
maintenance, software reuse, etc. It is essential that the
software engineers and programmers find it worthwhile to
learn and apply the standards; it should be easier to fulfil
the programmers’ tasks by using them, and they should not
hinder normal working practice. In particular, experienced
software builders may feel that constraints inhibit their
personal programming styles5 . However, it is crucial that
the organization invest in setting up and preserving structure
to reduce maintenance costs.
Our experience from an industrial environment indicates
that when introducing a tool that automatically checks the
quality of software, one should consider the following
questions. Who should use the tool? How should the
working process be organized to benefit as much as possible
from the tool? How should the project management motivate
and encourage active use of the tool? It is particularly
important that inexperienced and immature programmers
find bugs and inconsistencies by themselves before the
software is released. The only purpose of the tool should
be to improve the quality of the software. A negative
attitude may be created if it is felt that the tool is used for
individual monitoring purposes, for example by the project
management.
6. RELATED WORK
Constraints are employed in many domains of computer
science—from hardware verification to graphical user
interfaces to computational linguistics [50]. In software
engineering, rule checkers of many CASE tools support
constraints defined on design structures, data model
specifications, etc., and may also support particular system
development methodologies [51]. Recently, work has been
carried out on automatic checking of consistency rules in
requirements specifications [52, 53]. We are concerned
with constraints that apply to the implementation phase of
the software life cycle, which we therefore have termed
‘software constraints’. One of the contributions of this paper
is the classification scheme for such constraints (Table 1),
which will be used to describe related work below.
The focus of our work is application-independent
constraints. In the area of formal specification of
requirements and constraint specification languages, for
example Kaleidoscope [54, 55], constraints are typically
application dependent. Work on application-dependent
5 On the contrary, novices will probably appreciate the support given by
the rules for organizing their applications.
T HE C OMPUTER J OURNAL,
L ARGE A PPLICATION S YSTEMS 613
constraints also exists in the area of extensible compilers
[56].
We have generalized work on software constraints also
to include those that operate between software components
and a secondary storage (file stores, databases, etc.). In
the related work we have been able to find, the constraints
are always defined within or between compilation units
(software components). In the latter case, they operate at
the interface level. For example, to support Ada software
builders in incremental development, the AdaPIC tool set
[57] provides consistency analyses on interfaces among (and
within) modules. Consistency violations are divided into
errors and anomalies.
The majority of related work concerns constraints local
to software components. Within this category, one of the
few language-independent works described in the literature
is the Law of Demeter [58, 59], which intends to improve
the style and structure of object-oriented programs. The
aim is to help ensure that the software is as modular as
possible. Transformations are defined that modify any
program to become consistent according to the law in the
case of violation.
Language-dependent related work includes many en-
hanced compilers [6, 7] and tailored static analysis tools
that perform code-rule checking beyond that of conventional
compilers. The classical C program checker in Unix
environments is lint [60, 61]. It checks many kinds of
inconsistencies that are due to weak typing and memory
management in C. However, it also detects anomalies such
as unused #include directives, variables and procedures,
unused variables after assignments, and uses of variables
before they are initialized. For C and C++ there are also
many commercial tools [62, 63, 64, 65]. An example in an-
other language context is FORTVER [66], which identifies
unused, unevaluated, unassigned, and other anomalous use
of variables in FORTRAN programs.
In our tools the constraint checking is hard-coded.
Programmers do not need to specify the constraints—
just indicate the ones they wish to be checked. Other
work has focused on providing programmers with the
flexibility of defining constraints themselves. In the
context of C++, Meyers et al. [15, 67] have identified
several programming anomalies that are not language errors
detected by compilers. To help prevent such anomalies,
they developed the C++ Constraint Expression Language
(CCEL) [14], a meta-language for C++ that enables software
builders to specify a whole range of constraints on programs.
Violations are automatically detected. In CCEL one can also
specify parts of a system (program files, functions or classes)
where the constraints should (or should not) apply.
The basic functionality provided by LCLint [68] is similar
to that of lint. However, LCLint gives enhanced support if
the (C) program conforms to certain stylistic guidelines, or
if the programmer writes formal program specifications in
the LCLanguage [69, 70]. LCLint reports inconsistencies
between a program and its specification.
Finally, our techniques for implementing constraint
checking are simple. More sophisticated and accurate
Vol. 40, No. 10, 1997
614 D. I. K. S JØBERG et al.
techniques for checking constraints within software com-
ponents have been developed by the data flow community.
The program dependency graph used in program slicing
[71, 72] to capture relationships among statements and
control predicates can be compared with our thesaurus, and
the slicing method can be compared with our constraint
checking. Nevertheless, the software constraints discussed
in this paper are at a higher level of abstraction than those
constraints commonly tackled in program slicing. Regarding
implementation, our contribution is the general architecture
for building constraint-checking systems.
7. CONCLUSIONS
Software constraints that identify missing components, re-
dundant components, components whose definition permits
more operations than are actually used, etc., are commonly
used within compilation units. We have generalized the
scope of such constraints to include also intercomponent and
secondary storage relationships. A classification of software
constraints was given.
Various strategies for reifying general rules as specific
software constraints are possible. We have chosen to focus
on named constructs as elements that can appear in particular
constraints. Constraints of this form have three advantages:
• they are in some sense ‘natural’ as it is an established
human practice to name concepts, processes, constructs
and components of importance;
• they are neutral in the sense that naming pervades
all technologies and components out of which an
application is built; and
• they permit extensive, though not necessarily complete,
automation of consistency checking as we have
demonstrated in two different contexts.
We anticipate that various kinds of software constraint
will help software engineers in building and maintaining
long-lived and large application systems. As yet we have
only common-sense inference and anecdotal observation
with which to validate this claim to utility. The prototypical
experiments described in this paper demonstrated that it was
possible to construct software to check many of the example
constraints over some medium-scale application systems.
However, we suspect that the gains are greatest for large
and particularly long-lived systems. Although inevitably
difficult to conduct, because of the significance of scale and
duration, we believe that experiments to test this hypothesis
are worthwhile.
We plan to rebuild the technology from scratch using
JavaTM and one of its available persistent technologies. This
will bring us into a much larger community of developers
with whom we would hope to refine the example constraints
and conduct larger-scale experiments. Java provides an
interesting context because its incremental construction
methodology and dynamic binding mechanisms mean that
the intercomponent properties are not fully specified6 . In
6 For example, the class loader will not necessarily find a class that some
other class expects to use.
T HE C OMPUTER J OURNAL,
addition, it has libraries that permit combination with many
legacy and database components. With the addition of
groups at different sites semi-independently constructing
libraries of components, Java provides a domain where
macroscopic constraint support will have a large pay-off.
ACKNOWLEDGEMENTS
The St Andrews persistent programming team provided the
underlying language technology for the work described in
the paper. We would like to thank our colleagues in the
Persistence Systems Research Group at the University of
Glasgow for stimulating discussions. We would also like to
thank the anonymous referees for their extensive feedback
which improved this paper and provided us with many
useful ideas for future work. The authors benefited from
a collaboration project between Norway and the UK funded
by the Research Council of Norway and the British Council,
and the Pastel Working Group (EP 22552) funded by the
European Community.
REFERENCES
[1] Lientz, B. P. and Swanson, E. B. (1980) Software
Maintenance Management: A Study of the Maintenance
in 487 Data Processing Organizations. Addison-Wesley
Publishing Company, Reading, MA.
[2] Nosek, J. T. and Palvia, P. (1990) Software maintenance
management: changes in the last decade. J. Software
Maintenance, 2, 157–174.
[3] Sjoberg, D. I. K. (1993) Quantifying schema evolution.
Information and Software Technology, 35, 35–44.
[4] Jorgensen, M. (1995) An empirical study of software
maintenance tasks. J. Software Maintenance, 7, 27–48.
[5] Lehman, M. M. and Belady, L. (1985) Program Evolution,
Processes of Software Change. APIC. Studies in Data
Processing, No. 27. Academic Press, London.
[6] Borland C++, User’s Guide, Version 4.5. (1994) Borland
International Inc., Scotts Valley, CA.
[7] CodeWarrior User’s Guide. (1995) Metrowerks, Inc., Austin,
TX.
[8] Wirth, N. (1983) Programming in Modula-2. Springer-Verlag,
New York.
[9] Cardelli, L., Donahue, J., Glassman, L., Jordan, M.,
Kalsow, B. and Nelson, G. (1989) Modula-3 Report (revised).
Research Report 52, Systems Research Center, Digital
Equipment Corporation, Palo Alto, CA.
[10] MacQueen, D. B. (1985) Modules for Standard ML.
Polymorphism, 2(2).
[11] Appel, A. W. and MacQueen, D. B. (1994) Separate
compilation for standard ML. Proc. International Conference
on Programming Language Design and Implementation,
Orlando, FL, pp. 13–23. ACM.
[12] Barnes, J. G. P. (1991) Programming in Ada plus Language
Reference Manual. Addison-Wesley, New York.
[13] Gosling, J. and McGilton, H. (1995) The Java Language
Environment: A White Paper. Sun Microsystems, Inc., San
Jose, CA.
[14] Meyers, S., Duby, C. K. and Reiss, S. P. (1993) Constraining
the structure and style of object-oriented programs. Proc.
First Workshop on Principles and Practice of Constraint
Vol. 40, No. 10, 1997
 S OFTWARE C ONSTRAINTS FOR
Programming (PPCP93), Newport, RI, 28-30 April, pp. 200–
209.
[15] Chowdhury, A. and Meyers, S. (1993) Facilitating software
maintenance by automated detection of constraint violations.
Proc. Conference on Software Maintenance, Montreal,
Quebec, Canada, 27–30 September, pp. 262–271. IEEE
Computer Society Press.
[16] Glass, R. L. and Vessey, I. (1995) Contemporary application-
domain taxonomies. IEEE Software, 12, 63–76.
[17] Anand, N. (1988) Clarify function! ACM SIGPLAN Notices,
23, 69–79.
[18] Einbu, J. M. (1988) An architectural approach to improved
program maintainability. Software Practice Experience, 18,
51–62.
[19] Keables, J., Roberson, K. and von Mayrhauser, A.
(1988) Data flow analysis and its application to software
maintenance. Proc. Conference on Software Maintenance,
Phoenix, AR, 24–27 October, pp. 335–347. IEEE Computer
Society Press.
[20] Date, C. J. (1990) An Introduction To Database Systems.
The Systems Programming Series. Addison Wesley, Reading,
MA.
[21] Cardelli, L. (1989) The Quest Language and System (Tracking
Draft). Digital Equipment Corporation, Systems Research
Center, Palo Alto, CA.
[22] Milner, R., Tofte, M. and Harper, R. (1989) The Definition of
Standard ML. MIT Press, Cambridge, MA.
[23] Morrison, R., Brown, F., Connor, R. and Dearle, A. (1989)
The Napier88 Reference Manual. Technical Report PPRR-77-
89, Universities of Glasgow and St Andrews, UK.
[24] Bancilhon, F., Delobel, C. and Kanellakis, P. (1992) Building
an Object-Oriented Database System: The Story of O2 .
Morgan Kaufmann Publishers, San Mateo, CA.
[25] Taylor, R. N. and Osterweil, L. J. (1980) Anomaly detection
in concurrent software by static data flow analysis. IEEE
Trans. Software Engng, 6, 265–278.
[26] Atkinson, M. P. (1978) Programming languages and
databases. Proc. Fourth International Conference on Very
Large Data Bases, Berlin, West Germany, 13–15 September,
pp. 408–419. IEEE and ACM.
[27] Morrison, R., Connor, R. C. H., Cutts, Q. I., Dunstan, V. S.
and Kirby, G. N. C. (1995) Exploiting persistent linkage in
software engineering environments. Comput. J., 38, 1–16.
[28] Atkinson, M. and Morrison, R. (1995) Orthogonally
persistent object systems. VLDB J., 4, 319–401.
[29] Dearle, A. (1988) On the Construction of Persistent
Programming Environments. Ph.D. Thesis, Department of
Mathematical and Computational Sciences, University of St
Andrews, UK.
[30] Connor, R. C. H. (1991) Types and Polymorphism in
Persistent Programming Systems. Ph.D. Thesis, Department
of Mathematical and Computational Sciences, University of
St Andrews, UK.
[31] Cutts, Q. I. (1993) Delivering the Benefits of Persistence
to System Construction and Execution. Ph.D. Thesis,
Department of Mathematical and Computational Sciences,
University of St Andrews, UK.
[32] Dearle, A., Cutts, Q. and Connor, R. (1993) Using persistence
to support incremental system construction. Microprocessors
Microsystems, 17, 161–171.
[33] Sjøberg, D. I. K., Welland, R., Atkinson, M. P., Philbrow, P.
and Waite, C. (1997) Exploiting persistence in build
management. Software Practice Experience, 27, 447–480.
T HE C OMPUTER J OURNAL,
L ARGE A PPLICATION S YSTEMS 615
[34] Kirby, G. N. C. and Dearle, A. (1990) An Adaptive Graphical
Browser for Napier88. University of St Andrews, UK.
[35] Sjøberg, D. I. K., Cutts, Q., Welland, R. and Atkinson, M. P.
(1994) Analysing persistent language applications. Proc.
Sixth International Workshop on Persistent Object Systems,
Tarascon, Provence, France, 5–9 September, pp. 235–255.
Springer-Verlag, Berlin, Germany and British Computer
Society, Swindon, UK.
[36] Elshoff, J. L. (1976) An analysis of some commercial PL/1
programs. IEEE Trans. Software Engng, SE-2, 113–120.
[37] Kamel, R. F. (1984) Further experience with separate
compilation at BNR. Proc. IFIP WG2.4/ IFORS System
Implementation and Languages: Experience and Assessment,
Canterbury, UK, September. North-Holland.
[38] Conradi, R. and Wanvik, D. H. (1985) Mechanisms and
Tools for Separate Compilation. Technical Report 25/85, The
Norwegian Institute of Technology, University of Trondheim,
Norway.
[39] Sjøberg, D. I. K., Welland, R., Atkinson, M. P., Jorgensen, M.,
Martinussen, J. P. and Maus, A. (1996) Evaluating software
maintenance technology. Proc. Norwegian Conference in
Informatics, Alta, Norway, 18–20 November, pp. 49–61.
TAPIR.
[40] Card, D. N., Church, V. E. and Agresti, W. W. (1986) An
empirical study of software design practices. IEEE Trans.
Software Engng, SE-12, 264–270.
[41] SEL (1994) Annotated Bibliography of Software Engineering
Laboratory Literature. SEL-82-1306, Software Engineering
Laboratory, NASA/Goddard Space Flight Center, MD.
[42] Maes, P. (1987) Concepts and experiments in computational
reflection. Proc. Conference on Object-Oriented Program-
ming Systems, Languages and Applications, Orlando, FL, 4–8
October, pp. 147–155. ACM, New York.
[43] Stemple, D. et al. (1992) Type-Safe Linguistic Reflection:
A Generator Technology. Technical Report FIDE/92/49,
ESPRIT Basic Research Action, Project Number 3070–
FIDE1.
[44] Albano, A., Ghelli, G. and Orsini, R. (1995) Fibonacci: a
programming language for object databases. VLDB J., 4, 403–
444.
[45] Kirby, G., Connor, R., Cutts, Q., Dearle, A., Farkas, A. and
Morrison, R. (1992) Persistent hyper-programs. Proc. Fifth
International Workshop on Persistent Object Systems. Design,
Implementation and Use, San Miniato, Italy, 1–4 September,
pp. 86–106. Springer-Verlag, Berlin, Germany, and British
Computer Society, Swindon, UK.
[46] Kirby, G. N. C. (1992) Reflection and Hyper-Programming in
Persistent Programming Systems. Ph.D. Thesis, Department
of Mathematical and Computational Sciences, University of
St Andrews, UK.
[47] Wegman, M. N. and Zadeck, F. K. (1991) Constant
propagation with conditional branches. ACM Trans. Progr.
Languages Systems, 13, 181–210.
[48] Hutchings, A. F., McGuffin, R. W., Elliston, A. E.,
Tranter, B. R. and Westmacott, P. N. (1979) CADES—
software engineering in practice. Proc. Fourth International
Conference on Software Engineering, Munich, September,
pp. 136–144. IEEE Computer Society Press.
[49] Snowdon, R. A. (1981) CADES and Software System
Development. Software Engineering Environments. North
Holland.
Vol. 40, No. 10, 1997
616 D. I. K. S JØBERG et al.
[50] CP96 (1996) Proc. Second International Conference on Prin-
ciples and Practice of Constraint Programming, Cambridge,
Massachusetts, 19–22 August. Lecture Notes in Computer
Science, 1118 Springer-Verlag, Berlin.
[51] Jankowski, D. J. (1994) The feasibility of CASE structured
analysis methodology support. Software Engng Notes, 19,
72–82.
[52] Heitmeyer, C. L., Jeffords, R. D. and Labaw, B. G.
(1996) Automatic consistency checking of requirements
specifications. ACM Trans. Software Engng Methodol., 5,
231–261.
[53] ACM SIGSOFT‘96 Workshops (1996) Proc. of View-
points‘96, San Francisco, CA, 14–16 October.
[54] Freeman-Benson, B. and Borning, A. (1992) Integrating
constraints with an object-oriented language. Proc. European
Conference on Object-Oriented Programming, Lecture Notes
in Computer Science, 615, 268–286. Springer-Verlag, Berlin.
[55] Lopez, G., Freeman-Benson, B. and Borning, A. (1994)
Kaleidoscope: a constraint imperative programming lan-
guage. In Mayoh, B., Tougu, E. and Penjam, J. (eds) Con-
straint Programming, pp. 313–329, Springer-Verlag, Berlin.
[56] Hedin, G. (1997) Attribute extensions—a technique for
enforcing programming conventions. Nordic J. Comput., 4,
93–122.
[57] Wolf, A. L., Clarke, L. A. and Wileden, J. C. (1989) The
AdaPIC tool set: supporting interface control and analysis
throughout the software development process. IEEE Trans.
Software Engng, 15, 250–263.
[58] Lieberherr, K. J., Holland, I. M. and Riel, A. J. (1988)
Object-Oriented Programming: An Objective Sense of Style.
Proc. Object-Oriented Programming Systems, Languages and
Applications, New York, pp. 323–334. ACM Press.
[59] Lieberherr, K. J. and Holland, I. M. (1989) Assuring good
style for object-oriented programs. IEEE Software, 6, 38–48.
[60] lint—a C program verifier (1988), Manual page, Unix System
V release 4.
T HE C OMPUTER J OURNAL,
View publication stats
[61] Darwin, I. F. (1988) Checking C Programs with lint. O’Reilly,
Sebastopol, CA.
[62] Programming Research Ltd (1993) QA C/C++. Hersham,
Surrey, UK.
[63] VERILOG SA (1994) LOGISCOPE C Programming Rules
Checker, Reference Manual, Version 1.0.
[64] Gimpel Software (1994) PC-lint for C/C++. Collegeville, PA,
USA.
[65] Rational Software Corporation (1995) Rational Apex C/C++.
User’s guide, Release 2.1, Boulder, CO.
[66] Conradi, R. (1987) Experience with Fortran verifier. Proc.
European Software Engineering Conference (ESEC‘87),
Lecture Notes in Computer Science, 289, 263–275. Springer-
Verlag, Berlin.
[67] Meyers, S. and Lejter, M. (1991) Automatic detection of
C++ programming errors: initial thoughts on a lint++. Proc.
USENIX C++ Conference Proceedings, pp. 29–40.
[68] Evans, D., Guttag, J., Horning, J. and Tan, Y. M. (1994)
LCLint: a tool for using specifications to check code.
Software Engng Notes, 19, 87–96.
[69] Guttag, J. V., Horning, J. J., Garland, S. J., Jones, K. D.,
Modet, A. and Wing, J. M. (1993) Larch: Languages and
Tools for Formal Specification. Springer-Verlag, Berlin.
[70] Tan, Y. M. (1994) Formal Specification Techniques for
Promoting Software Modularity, Enhancing Software Doc-
umentation, and Testing Specifications. Technical report
MIT/LCS/TR-619, MIT Laboratory for Computer Science,
MA.
[71] Weiser, M. (1979) Program Slicing: Formal, Psychological
and Practical Investigations of an Automatic Program
Abstraction Method. Ph.D. Thesis, University of Michigan,
Ann Arbor.
[72] Tip, F. (1995) A survey of program slicing techniques.
J. Progr. Languages, 3, 121–189.
Vol. 40, No. 10, 1997