Victor L. Winter, University of Nebraska at Omaha | UN Omaha · Department of Computer Science
PhD in Computer Science
92 Publications
6,065 Reads
485 Citations (since 2017)
Additional affiliations: July 2001 - present
Publications (92)
Technology is playing an increasingly prominent role in all human endeavors, including education. Tech enables the realization of educational environments that are adaptive, interactive, and immersive. Such environments are well-suited for appropriately engaging student populations comprised of digital natives. Bricklayer is an educational ecosyste...
This paper advocates for a future where the teaching of math and art are harmoniously intertwined as they were in the days of da Vinci. In this future, code provides the “brush” that enables the expression of artistic ideas and mathematical structures in digital and digitally-fabricated mediums. This educational idea is motivated by (1) literature...
As computer science becomes more prevalent in the K-12 world, elementary schools are increasingly adopting computing curricula. Computer scientists have recognized the connection between math and computer science, but little work has demonstrated how and whether computer science can support improved learning in math. This paper reports on a project...
Bricklayer is a freely-available online educational ecosystem designed in accordance with a "low-threshold infinite-ceiling" philosophy. Its purpose is to teach coding to people of all ages and coding backgrounds. A significant portion of the Bricklayer ecosystem has been developed specifically to help novices, especially primary school children, l...
This paper describes the Bricklayer Ecosystem - a freely-available online educational ecosystem created for people of all ages and coding backgrounds. Bricklayer is designed in accordance with a "low-threshold infinite ceiling" philosophy and has been successfully used to teach coding to primary school students, middle school students, university f...
Across the globe, there is an increasing push to incorporate coding into the entire K-12 curriculum -- a shift which entails enormous challenges. This paper presents preliminary findings of an approach we are developing which addresses a key challenge associated with teaching coding, namely how to enable teachers with minimal coding backgrounds to...
The complexity of formalizing the semantics of Verilog is significant. This presents an impediment when attempting to provide high assurance in the correctness of Verilog synthesis. This paper explores the use of higher-order transformation as a paradigm for implementing a synthesis system for a small subset of Verilog. The resulting system is capa...
Functional programming languages are seen by many as instrumental to effectively utilizing the computational power of multi-core platforms. As a result, there is growing interest to introduce functional programming and functional thinking as early as possible within the computer science curriculum. Bricklayer is an API, written in SML, that provide...
Socioeconomic needs combined with technological advances are creating a demand for an increasing number of systems for which high-assurance is an essential attribute. These system designs, which increasingly include semantic computing components, span a broad spectrum of applications. They are incredibly diverse and their complexity is growing. The...
In Java, type resolution is a function that takes a reference to a type occurring in a given context as input and returns the canonical name of that type. This information is fundamental to static analysis—a “must have” function underlying virtually all forms of semantic-based analysis. In the case of Java, this function is also complex and it is q...
The success of software development efforts typically requires guidance derived from a deep understanding of its design space. Well-crafted software metrics can impart invaluable insight into the nature of software and can provide the underpinnings for informed decisions involving design and implementation trade-offs. Leveraging metrics to their ful...
Static analysis and software manipulation tools are frequently rule-based and draw on a variety of software models in order to achieve their goals. Program transformation languages provide traversal and matching capabilities that are aligned with the core functionality of rule-based systems. Therefore, transformation systems should be considered as...
JVM-based processors used in embedded systems are often scaled-back versions of the standard JVM which do not support the full set of Java byte codes and native methods assumed by a JVM. As a result, code bases such as Java libraries must be migrated in order to make them suitable for execution on the embedded JVM-based processor. This paper describes...
The programming concept of rewrite strategies supports versatile composition of rewrite rules and control of their application. Such programmability of rewrites can possibly lead to incorrect compositions of rewrites or incorrect applications of rewrites to terms within a strategic rewriting program. In this paper, we explore the analysis of strate...
Modern high-level programming languages often contain constructs whose semantics are non-trivial. In practice however, software developers generally restrict the use of such constructs to settings in which their semantics is simple (programmers use language constructs in ways they understand and can reason about). As a result, when developing tools...
Optimizing compilers often perform an operation known as common subexpression elimination to improve code efficiency. Typically this is accomplished either by pruning a directed acyclic graph to replace eliminated subexpressions by memory fetches of stored values or by using partial-redundancy elimination, a data-flow analysis method. In this paper...
A generic syntax-based approach is presented by which a fixed set of aspect-oriented features belonging to an aspect language family L_A can be applied to a domain-specific language (DSL). The approach centres on the construction of a grammar in which a predefined and fixed set of abstract join points and join point environments are link...
Integrating security policies into security assurance mechanisms to ensure end-to-end behavior is still a challenge. Information flow analysis and type checking are effective methods for the analysis and verification of secure communications and processing. Language-based information flow security models use programming-language for specifying and...
Transformation can be viewed as a philosophy on how to achieve change. A rigorous treatment of transformation has its roots in equational reasoning -- the idea that equals can be substituted for equals. This article explores transformation as it applies to the manipulation of software.
Embedded systems are computational environments having restricted capabilities. These restrictions make the incorporation of high-level general purpose libraries, such as Java.lang and java.util, into the embedded systems software development process problematic. This paper describes a general transformation-based approach that can be used to adapt...
Embedded systems can be viewed as scaled-down versions of their stand-alone counterparts. In many cases, the software abstractions and libraries for embedded systems can be derived from libraries for stand-alone systems. One such example is the Java library for Java Virtual Machines. An embedded system does not always support all features as in the...
A generic weaver is presented capable of realizing the weaving function over a large class of languages. There are several reasons why such a weaver is interesting. First, properties that can be proven about the weaver hold for all languages that fall within the domain of the weaver. Second, the problem of constructing a weaver for a particular l...
We present an aspect-oriented requirements specification system for software product lines. We encapsulate nonfunctional concerns as a set of advices for transforming parameterized requirements to product-specific requirements. We apply our system to the Health Watcher case study to demonstrate our approach. We sort out system requirements, excepti...
Software document repositories store artifacts produced in the course of developing software products. But most repositories are simply archives of documents. It is not unusual to find projects where different software artifacts are scattered in unrelated repositories with varying levels of granularity and without a centralized management system....
This paper describes a practical application of transformation-based analysis and code generation. An overview is given of an approach for automatically constructing Java stress tests whose execution exercises all "interesting" class initialization sequence possibilities for a given class hierarchy.
A primary characteristic of Embedded Real-Time Systems (ERTS) is the fact that they are resource constrained. Such constraints present unique challenges to the embedded systems programmer who must develop software satisfying a given set of functional requirements while simultaneously addressing the limitations of available resources and dependabili...
In a strategic framework, combinators provide a fundamental mechanism for exercising control over rewriting. This type of control is based on the observation of the success or failure of strategy application. This paper describes a framework where information relating to the outcome of strategy application is stored in two internally maintained s...
The SSP is a hardware implementation of a subset of the JVM for use in high consequence embedded applications. In this context, a majority of the activities belonging to class loading, as it is defined in the specification of the JVM, can be performed statically. Static class loading has the net result of dramatically simplifying the design of the SSP...
The dichotomy resulting from tangled and untangled representations may prove beneficial with respect to the manipulation and analysis of system requirements. This paper describes an invertible approach to weaving requirements documents that is based on β-conversion as defined in the λ-calculus.
As the theoretical underpinnings of aspect-orientation mature, its application across the software lifecycle has expanded. An active area of research focuses on the application of aspect oriented techniques to unstructured or semi-structured requirements documents. In this context, primary issues involve the identification of early aspects and vari...
Based on our investigations of a case study of controllers for train systems [6,7,13,14], we present a model of reactive systems which emphasizes dynamic partitioning of system behavior into normal and abnormal. The class of reactive systems considered are non-strict in the sense that their behavior is not entirely governed by past events; instead,...
Aspect-oriented domain engineering is a promising extension to the domain engineering process. We present several lines of inquiry that demonstrate how domain engineering benefits from adopting aspect-oriented software development concepts.
When viewed from a strategic perspective, a labeled rule base in a rewriting system can be seen as a restricted form of strategic expression (e.g., a collection of rules strictly composed using the left-biased choice combinator). This paper describes higher-order mechanisms capable of dynamically constructing strategic expressions that are similar...
This article gives an overview of a transformation system called HATS -- a freely available platform independent IDE facilitating experimentation in transformation-oriented software development. Examples are discussed highlighting how the transformational abstractions provided by HATS can be used to solve various problems.
The distributed data problem is characterized by the desire to bring together semantically related data from syntactically unrelated portions of a term. A strategic combinator called transient and a strategic constant called skip are introduced in the context of a higher-order strategic framework. The notion of traversal is lifted to the higher ord...
Program transformation through the repeated application of simple rewrite rules is conducive to formal verification. In practice, program transformation oftentimes requires data to be moved throughout the program structure. This article explores the use of higher-order rewrite rules as the mechanism for accomplishing such data movement. The effec...
The SSP is a high assurance systems engineering effort spanning both hardware and software. Extensive design review, first principle design, n-version programming, program transformation, verification, and consistency checking are the techniques used to provide assurance in the correctness of the resulting system.
Motivated by the design and development challenges of the BART case study, an approach for developing and analyzing a formal model for reactive systems is presented. The approach makes use of a domain specific language for specifying control algorithms able to satisfy competing properties such as safety and optimality. The domain language, called S...
This chapter describes the BART case study, which will be used throughout this book as a common problem to be solved by various analysis methods. The following chapters pick up pieces of this example to illustrate possibilities of the presented techniques.
A software development paradigm known as Transformation-Oriented Programming (TOP) is introduced. In TOP, software development consists of constructing a sequence of transformations capable of systematically constructing a software implementation from a given formal specification. As such TOP falls under the category of formal methods.The general t...
The use of formal methods for analyzing and synthesizing a controller for a multi-train multi-track railway system is discussed. The research was motivated by a case study involving the Bay Area Rapid Transit (BART) system. The overall goal is to design a train acceleration control function that enables trains to be safely placed but also increases...
A key step in the construction of high consequence software is its specification in a formal framework. In order to minimize the difficulty and potential for error, a specification should be expressed in a domain language supporting operators and structures that are intrinsic to the class of algorithms one wishes to specify. In this paper we descri...
To date most validation techniques are highly biased towards calculations involving symbolic representations of problems. These calculations are either formal (in the case of consistency and completeness checks), or informal in the case of code inspections. The authors believe that an essential type of evidence of the correctness of the formalizati...
This document contains an informal description of a portion of the Advanced Automatic Train Control (AATC) system being developed for the Bay Area Rapid Transit (BART) system. BART provides commuter rail service for part of California’s San Francisco bay area. Specifically, the informal specification given below focuses on those aspects of BART tha...
In this paper we propose a formal testing framework for a behavioural subset of UML Statechart Diagrams (UMLSDs). A new formal operational semantics is defined, which uses the same core semantics introduced in previous work of ours but which is better suited ...
This paper surveys various complementary formal approaches that could be used to facilitate the development of the train control system described in the BART case study. This system is interesting because train control must take into account complex behaviors, positional uncertainties, noise, continuous aspects, and a predefined computational architect...
An essential type of "evidence" of the correctness of the requirements formalization process can be provided by human-based calculation. Human calculation can be significantly amplified by shifting from symbolic representation to graphical representations. Having a formally defined system model, we can visualize formulas that represent functional b...
The purpose of this paper is to demonstrate how transformation can be used to derive a high integrity implementation of a train controller from an algorithmic specification. The paper begins with a general discussion of high consequence systems (e.g., software systems) and describes how rewrite-based transformation systems can be used in the develop...
The second half of the twentieth century has witnessed remarkable advances in technology. The unquestioned leader in this race has been computer technology. Even the most modest personal computers today have computing power that would have astounded the leading technologists a few decades earlier, and what's more, similar advances are predicted...
Introduction Software for safety-critical systems must be highly reliable since failures can have catastrophic consequences. While existing methods, such as formal techniques and testing, can significantly enhance software reliability, they have some limitations in achieving ultrahigh reliability requirements. One approach that works for hardware sy...
As our society becomes more technologically complex, computer systems are finding an alarming number of uses in safety-critical applications. In many such systems, the software component's reliability is essential to the system's safe operation, so it becomes natural to ask, "How can software be made to behave correctly when executed?" Using program...
Transformations that are based on syntax directed rewriting systems can have a significant impact on the construction of high assurance systems. However, in order for a transformational approach to be useful to a particular problem domain, a (general) transformation system must be adapted to the notation of that particular domain. A transformation...
The purpose of this panel is to present different perspectives and opinions regarding the issues surrounding why software should or shouldn't be entrusted with critical (high consequence) functionality.
This paper describes a modeling technique for single-agent reactive systems, that is influenced by the modeling paradigm of Parnas as well as by the synchronous paradigms of LUSTRE and ESTEREL. In this paradigm, single-agent reactive systems are modeled in a universe having a discrete clock. This discretization of time greatly reduces the temporal...
All systems, regardless of how carefully they have been constructed, suffer failures. This paper focuses on developing a formal understanding of failure with respect to system implementations. Furthermore, we would like the system design process to be able to leverage off of this understanding. It is important to deal with failures in a system cont...
This paper focuses on developing a formal understanding of “failure” with respect to system implementations. Furthermore, we would like the system design process to be able to leverage off of this understanding. Our approach is restricted to the class of systems that can be modelled by HFSMs as described in Winter (1998). The purpose of this paper...
The paper consists of project summaries concerning high-assurance systems. Those who are grappling with practical high-assurance design issues report their strategies, the problems they solved, and the challenges that remain. The six summaries represent a cross-section of projects and domains with some strikingly similar challenges. Although they a...
In "Passive Safety in High-Consequence Systems," Victor L. Winter, John M. Covan, and Larry J. Dalton discuss the design principles behind passive safety, which means that a system is not required to initiate any action to arrive at a safe state.
Writing correct numerical software is a complex, demanding, and, at times, even a boring, task. In this chapter, we describe an approach to constructing software—program specification and transformation—and allied tools that can help not only to ensure the correctness of numerical computations but also automate much of the drudge-work involved in p...
This paper describes how automatic transformation technology can be used to construct a verified compiler for an imperative language. Our approach is to 'transformationally' pass a source program through a series of canonical forms each of which correspond to some goal or objective in the compilation process (e.g., introduction of registers, simpli...
TAMPR is a fully automatic, rewrite-rule based program transformation system. From its initial implementation in 1970, TAMPR has evolved into a powerful tool for generating correct and efficient programs from specifications. The TAMPR approach to program transformation is distinguished by -- a restricted repertoire of constructs for expressing tra...
As our society becomes technologically more complex, computers are being used in greater and greater numbers of high consequence systems. Giving a machine control over the lives of humans can be disturbing, especially if the software that is run on such a machine has bugs. Formal reasoning is one of the most powerful techniques available to demonst...
As our society becomes more technologically complex, computers (and the software that they run) are being used in a potentially alarming number of high consequence safety-critical applications. When these systems fail, the outcome can be devastating. Formal methods provide what, by a growing number of experts, is considered to be the best approach...
The construction of a high-assurance system requires some evidence, ideally a proof, that the system as implemented will behave as required. Direct proofs of implementations do not scale up well as systems become more complex and therefore are of limited value. In recent years, refinement-based approaches have been investigated as a means to manage...
TAMPR is a fully automatic transformation system based on syntactic rewrites. Our approach in a correctness proof is to map the transformation into an axiomatized mathematical domain where formal (and automated) reasoning can be performed. This mapping is accomplished via an extended denotational semantic paradigm. In this approach, the abstract no...
This paper presents an intelligent tutoring framework that can be effectively utilized to assist teaching courses and therefore to achieve pedagogical goals. The courses generated using the framework are adaptive, i.e., they adjust their behavior to overcome the individual differences among students. The architecture of the framework provides three...
In many strategic systems, the choice combinator provides a powerful mechanism for controlling the application of rules and strategies to terms. The ability of the choice combinator to exercise control over rewriting is based on the premise that the success and failure of strategy application can be observed. In this paper we present a higher-order...
When designing a high consequence system, considerable care should be taken to ensure that the system can not easily be placed into a high consequence failure state. A formal system design process should include a model that explicitly shows the complete state space of the system (including failure states) as well as those events (e.g., abnormal en...
2615), Raymond Berg (2615) and Jim Ringland (8112) All from Sandia National Laboratories 1 Objective This document contains an informal description of a portion of the Advanced Automatic Train Control (AATC) system being developed for the Bay Area Rapid Transit (BART) system. BART provides commuter rail service for part of California's San Francisc...
This technical report describes a general-purpose approach to document generation and viewing. One begins by decomposing a document into contents. A document view is then defined as a subset of the contents of a document. The set of views for a given document can be related using the ⊆ operator. The resulting view-relation forms a lattice with the...
We investigate the product line approach to specifying performance requirements. Within a given application domain such as telecommunications, performance requirements tend to have similarities. However, differences in external needs, such as environmental conditions and user needs, can dictate varying performance requirements across similar produ...