fullpaper.tex

\documentclass[12pt]{article} % may want something different here

\newcommand{\code}[1]{\texttt{#1}}      % code examples in text
\newcommand{\reserved}[1]{\textbf{\texttt{#1}}} % reserved words of Larch/C++
\newcommand{\type}[1]{\textrm{\textit{#1}}}        % names of types

\newcommand{\RULELAB}[1]{\texttt{#1}}

% a few notations from Dave Schmidt's book
% ``The Structure of Typed Programming Languages'' (MIT Press).
\newcommand{\uminus}{\mbox{$\cup\!\!\!\!-$}}
\newcommand{\udot}{\mbox{$\cup\!\!\!\cdot\,$}}


% formatting boxed displays
\newcommand{\UNSPACEFORBOX}{\vspace{-2ex}}
\newcommand{\HLINE}{\UNSPACEFORBOX%
\begin{flushleft}\rule{\textwidth}{0.01in}\end{flushleft}%
\UNSPACEFORBOX}
\newenvironment{BFIGURE}{

\begin{figure}
\small
\HLINE
}{
\HLINE
\normalsize
\end{figure}
}

\newenvironment{BFIGURE*}{
\begin{figure*}
\HLINE
}{
\HLINE
\end{figure*}
}


%{obey}

% \myobeycr is same as \obeycr, but doesn't do a \@gobblecr.
{\catcode`\^^M=13 \gdef\myobeycr{\catcode`\^^M=13 \def^^M{\\}}%
\gdef\restorecr{\catcode`\^^M=5 }}

% \obeytabs
{\catcode`\^^I=13 \gdef\obeytabs{\catcode`\^^I=13 \def^^I{\hbox{\hskip 4em}}}}

% \obeyspaces
{\obeyspaces\gdef {\hbox{\hskip0.5em}}}

% environment for displayed text, indented, obeys cr, tab, spaces
\newenvironment{obeyDisplay}{%
\samepage%
\begin{list}{}{}\item\obeyspaces\obeytabs\obeycr}{%
\end{list}}

%{grammar}, needs {obey}

%\newcommand{\heading}[1]{\vspace{3ex}{\noindent#1}\vspace{1.5ex}}
\newcommand{\goesto}{\mbox{$::=$}}
\newcommand{\arbno}[1]{#1\mbox{\textrm{*}}}
\newcommand{\nonterm}[1]{\mbox{\it #1}}

\newenvironment{grammar}{
  \def\:{\goesto{}}
  \def\|{$\vert$}
  \tt \myobeycr%
  \begin{tabbing}%
  \qquad \= $\vert$ \= \qquad \= \kill%
}%
{\unskip\end{tabbing}}

\newenvironment{grammar*}{
  \def\:{\goesto{}}
  \def\|{$\vert$}
  \tt%
  \begin{tabbing}%
  \qquad \= $\vert$ \= \qquad \= \kill%
}%
{\unskip\end{tabbing}}

\newenvironment{roman-grammar}{
  \def\:{\goesto{}}
  \def\|{$\vert$}
  \myobeycr%
  \begin{tabbing}%
  \qquad \= $\vert$ \= \qquad \= \kill%
}%
{\unskip\end{tabbing}}

\newenvironment{roman-grammar*}{
  \def\:{\goesto{}}
  \def\|{$\vert$}
  \begin{tabbing}%
  \qquad \= $\vert$ \= \qquad \= \kill%
}%
{\unskip\end{tabbing}}

\newenvironment{mathGrammar}{
  \def\:{\goesto{}}
  \def\|{\hbox{$\vert$}}
   \begin{displaymath}%
     \tt \obeyspaces%
}%
{\unskip\end{displaymath}}


\addtocounter{tocdepth}{1}

%\documentclass[twoside]{report}
\begin{document}
\begin{titlepage}
\vspace*{1.2in}
\begin{center}
{\LARGE Design and Implementation\\ of the Larch/C++\\ Type System} \\
~ \\
Matthew W. Markland \\
 ~ \\
\end{center}

\thispagestyle{empty}
\vfill
{\bf Keywords:} Specification languages; Larch; LSL; Larch/C++; Type Systems;.


{\bf 1997 CR Categories:}

\noindent D.1.5 [{\em Programming Techniques}]
        Object-oriented Programming
D.2.1 [{\em Software Engineering\/}]
	Requirements/Spec\-ifications --- languages, Larch,
        tools
D.3.3 [{\em Programming Languages\/}]
        Language Constructs and Features ---  Modules, packages;
D.3.4 [{\em Programming Languages\/}]
        Processors ---  Parsing
F.3.1 [{\em Logics and Meanings of Programs\/}]
        Specifying and Verifying and Reasoning about Programs ---
                assertions, pre- and post-conditions,
                specification techniques, LSL
F.3.3 [{\em Logics and Meanings of Programs\/}]
        Studies of Program Constructs --- Type Structure

\vspace*{0.2in}

%A version of this paper, without the appendix sections,
%will appear in the proceedings of the
%{\em Colloquium on Formal Approaches in Software Engineering
%(FASE), TAPSOFT '97, Lille, France, April 1996}, to be published by
%Springer-Verlag in their {\em Lecture Notes in Computer Science} Series.

%An earlier version of this paper
%was called ``Protection from the Underspecified''.
%This technical report is also CMU-CS-96-129R.

\copyright{} 
        Copyright 1997,1998 by Matthew W. Markland.
        All rights reserved.
\begin{center}
Department of Computer Science \\
226 Atanasoff Hall \\
Iowa State University \\
Ames, Iowa 50011-1040, USA
\end{center}
\end{titlepage}
\pagenumbering{roman}
\newpage
\tableofcontents
\newpage
\listoffigures
\newpage


\bibliographystyle{plain}
\pagenumbering{arabic}
\setcounter{page}{1}

\author{Matthew W. Markland}
\title{Design and Implementation of the Larch/C++ Type System}
\date{\today}
\maketitle
\begin{abstract}
This paper describes the design of a type system for the Larch/C++
specification language. To motivate the features of the type system,
the type systems of both the Larch Shared Language and C++ are
described. After this background, an informal description of the
Larch/C++ type system is followed by a formalization of that
system. The implementation of an infrastructure for the type system is
then described.
\end{abstract}

%\input{introduction}
\section{Introduction}
\label{introduction}
The goal of Larch/C++ \cite{Leavens96c} is to give the programmer a
formal specification language that is expressive and useful in
practice. The work described in this paper focuses on the addition of
type checking capabilities to the Larch/C++ Checker. In
this context a
\emph{type} is a set of values that exhibit uniform behavior under
a set of associated operations \cite{Watt90}. \emph{Type checking}
defines a process by which a set of formal rules that describe the
type system are applied to operations and statements in a given
specification to decide whether the operations and statements are type
consistent (the terms \emph{sort} and \emph{sort checking} will also
be used interchangeably for type and type checking). The addition of
this functionality allows programmers and specifiers to gain useful
information as to whether the design of a program is sensible and type
consistent before its actual implementation.  

Work has been done in the following areas:

\begin{itemize}
\item The creation of a formal description of the Larch/C++ type system.

\item The coding of basic functionality to support the 
implementation of the Larch/C++ type system. This work has many
smaller pieces including:

\begin{itemize}
\item Support for User Interaction 
\begin{itemize}
\item Improved usability and control over the Larch/C++ Checker via the
creation of a number of command line arguments.
\end{itemize}

\item Support for Larch Shared Language Constructs
\begin{itemize}
\item Modification of the LSL Checker to follow Unix conventions and
use less memory.
\item Development of an interface between the existing Larch/C++ Checker and
the LSL Checker.
\end{itemize}

\item Support for the Evolving C++ Language Standard
\begin{itemize}
\item Support for Draft ANSI Standard C++ \cite{C++Apr95}
language constructs.
\item Support for translation of C++ declarations into Larch/C++
sorts.
\end{itemize}
\end{itemize}
\end{itemize}

The paper begins with a background section that introducing formal
methods, specification, and the Larch/C++ behavioral interface
specification language. Following the general introduction, the type
systems of the Larch Shared Language and C++ are described
briefly. These descriptions motivate a discussion of the basic
functionality of the Larch/C++ type system. This functionality is then
formalized in a description of the sort rules for Larch/C++. Finally
the details of the implementation of the functionality mentioned in
the list above are presented.

\section{Background}
\label{background}
\subsection{Formal Methods}

The information in this section is based upon Wing's
paper \cite{Wing90a}. 

Formal methods define processes that are used for software
development. Built upon a mathematical basis, these processes are
designed to reveal ambiguities, incompleteness, and inconsistencies in
software as it is developed \cite{Wing90a}. A formal method will
typically define the specific vocabulary and steps involved in
designing a piece of software.

Formal specifications may be a part of a specific formal
method. \emph{Formal specification} describes a process by which an
abstraction of a problem may be defined and expressed. Usually the
abstraction is expressed in some sort of language specifically
designed for the purpose. Once clearly expressed, the abstraction may serve
as documentation of the problem, a means to communicate the problem
clearly, and/or as a contract defining the problem. Specifications and
their languages are based upon mathematical properties making
them more precise and concise than informal specifications based upon
natural languages. The rigorous definition and mathematical basis
behind formal specification languages also makes it easier to apply machine
analysis and manipulations to them than to specifications in an
informal language \cite{Wing90a}.

Larch/C++ is a behavioral interface specification language. A \emph{behavioral}
specification langauge is used to define an abstraction for a system
based upon thae behavior of that system under certain conditions. In
other words, it describes a system's behavior as observed from the
outside. Larch/C++ describes behavior using a
\emph{model-based} approach; a user builds an abstract model of the system
which describes its behavior. the abstract model becomes a way of
expressing the real world in a manner that can be controlled and
reasoned about. The basic pieces of the model are the interfaces which
exist between the pieces of the system. After a user has described the
behavior in terms of the interfaces, solutions to the problem may then
be designed based up the formal contract defined by the model.

%One common type of formal specification is
%model-based. \emph{Model-based} specification involves the creation
%of an abstract model of the problem that is independent of any actual
%implementation to serve as the specification. The abstract model
%becomes a way of expressing the real world in a manner that can be
%controlled and reasoned about. Once the model has been developed, a
%solution based upon this model can be formalized. Since the solution
%has a rigorous, formal, and mathematical basis, it may be reasoned
%about to decide if it meets the requirements. Once the solution has
%been deemed correct, the specification becomes a formal contract
%describing how the implementation should behave under certain
%conditions.

%There are many different layers at which one may specify a
%problem. Larch/C++ is based upon the idea of behavioral
%specification. \emph{Behavioral specifications} describe the
%constraints on the observable behavior of the items specified. In this
%way, they form a contract between an implementor and a user of the
%implementation.


\subsection{Introduction to Larch/C++}
\label{lcppintro}
Larch/C++ \cite{Leavens96c} is a model-based, formal specification language tailored for
the specification of the behavior of C++ program modules or
application program interfaces (API's). Larch/C++ is not designed to
specify the 
behavior of an entire program; instead it allows for the precise,
unambiguous documentation of the behavior C++ program modules
(functions, classes, etc.). Larch/C++ adds syntax to C++ to allow the
specification of complex C++ structures, the inheritance of
specifications, and the clear specification of the interface to a
class.

Larch/C++ is a two-tiered specification language. Specifications
consist of Larch Shared Language (LSL) \cite{Guttag-Horning93} traits
which describe the abstract models, and interface specifications which
formalize the behavioral contracts. This two-tiered approach allows
for the clear separation of the definition of the abstract model and its
vocabulary from the actual details of the programming language modeled
by the interface language. One reason for the separation is so that
the abstract models may be written so that they can be reused in other
specifications. If the abstract models were written in a language
closer to the actual implementation, it would be more difficult to
reuse the same model in a specification for an implementation written
in a different language.

\subsubsection{The Larch Shared Language}
\label{lslintro}
The Larch Shared Language \cite{Guttag-Horning93} allows an user to
supply basic semantic information, and a specialized vocabulary for
describing abstract values. The basic unit of LSL is the
\emph{trait}. Traits contain information on \emph{sorts}, which are
like types in a programming language, and \emph{operators} which define
various operations upon these sorts. Figure~\ref{CounterTrait}
illustrates the LSL portion of a specification for a simple counter
\cite{Leavens96c}. This particular trait illustrates four common
parts that are in many traits. The
\reserved{includes} statement allows for a trait to build upon and
reuse previously written traits. All of the information from the
traits listed in this statement are available in the following
sections of the current trait. Items from the included traits may be
renamed syntactically to make the new trait more readable. This
provides a shortcut for users, allowing them to reuse previous work.
The \reserved{introduces} section defines the abstract model's
operations. In this case, a Counter may be created via
\reserved{newCounter}, or \reserved{inc}, and have its
value reported via \reserved{value}. The
\reserved{asserts} section supplies meaning to these
operations by logically illustrating how the abstract values are
manipulated by the operators. For now, note that a trait defines a
model consisting of a set of abstract values and a set of operations
upon those values. Examples of possible abstract values for the trait
in Figure~\ref{CounterTrait} are \reserved{newCounter}, representing a
brand new counter, and \reserved{inc(newCounter)} representing a
counter that has been incremented once. These values are independent
of any implementation of Counter.

\begin{BFIGURE}
\begin{verbatim}
 @(#)$Id: CounterTrait.lsl,v 1.3 1994/12/09 02:48:06 leavens Exp $
CounterTrait: trait
  includes Natural(Nat), NoContainedObjects(Counter)
  introduces
    newCounter: -> Counter
    inc: Counter -> Counter
    value: Counter -> Nat
    Limit: -> Nat
  asserts
    Counter generated by newCounter, inc
    Counter partitioned by value
    \forall c: Counter
      value(newCounter) == 0;
      value(inc(c)) == value(c) + 1;
      0 < Limit;
\end{verbatim}

\caption{CounterTrait.lsl}
\label{CounterTrait}
\end{BFIGURE}


\subsubsection{The Larch/C++ Specification Language}
\label{lcppbisl}
Figure~\ref{CounterSpec} contains the Larch/C++ specification
for a class that implements the counter modeled by the previous trait
\cite{Leavens96c}. Larch/C++ specifications consist of a C++ header
file which contains additional annotations set off in speically marked
C++ comments. The use of the comment delimiters, \reserved{//@} and
\reserved{/*@ $\dots$ @*/}, allows the annotations to be easily embedded
directly into new or existing C++ source code. Larch/C++ annotations contain various keywords. In this example, the first section is a
\emph{uses-clause}, which serves a function similar to the \reserved{\#include}
directive in C++; it tells the Larch/C++ Checker the traits that will
be used by this specification. Following that, the next annotations
define a \reserved{spec-variable}, an \reserved{invariant}, and a
\reserved{constraint}. A \reserved{spec-variable} is used to define a
variable which will be used in the specification. The
\reserved{invariant} describes a condition for the C++ class that must
always be true. The \reserved{constraint} describes any limits that
this class must adhere to. 

Most individual function specifications
consist of at least three pieces: a requires clause, a modifies
clause, and an ensures clause. The \emph{requires clause} states the
conditions that must be met before an individual function may be
called. If these conditions are not met, there is no guarantee that
the function will run correctly. The \emph{modifies} clause lists all
objects whose state may be initialized or modified by the execution of
this function. Only objects listed
in this clause may change state; thus the modifies clause acts as a
frame axiom. The \emph{ensures clause} serves to state the expected
results of the function provided the conditions specified in the
requires clause were met.

A closer look at the \reserved{increment} function specification illustrates
these sections.
 

\begin{verbatim}
  virtual void increment();
  //@ behavior {
  //@   requires cnt_value(self^) < Limit;
  //@   modifies self;
  //@   ensures  self' = inc(self^);
  //@ }
\end{verbatim}

%\begin{verbatim}
%  virtual void increment();
%  //@ behavior {
%  //@   requires value^ < Limit;
%  //@   modifies value;
%  //@   ensures  value' = value^ + 1;
%  //@ }
%\end{verbatim}

\noindent The first line is the C++ prototype for the function. The
\reserved{behavior} keyword announces the beginning of the body of the
specification. The requires clause states that for this function to be
called the value of the counter must be less than the value of
\reserved{Limit}. If it is not, then the behavior of the function is
not specified. If the requires clause is met and function is called,
the modifies clause states that the only possible item that can change
is the counter itself. The ensures clause then states that, if the
previous conditions in the requires clause are met, the value of the counter after the
invocation of this function will be the result of incrementing the
counter. 
 
\begin{BFIGURE}
\begin{verbatim}
// @(#)$Id: Counter.lh,v 1.7 1997/01/12 22:27:38 leavens Exp $
// See J.P. Lejacq's paper in SIGPLAN 26(10), Oct, 1991

//@ uses CounterTrait;

class Counter {
public:
  //@ invariant cnt_value(self\any) <= Limit;
  //@ constraint cnt_value(self\pre) <= cnt_value(self\post);

  Counter();
  //@ behavior {
  //@   modifies self;
  //@   ensures  self' = newCounter;
  //@ }

  virtual int cnt_value() const;
  //@ behavior {
  //@   ensures result = cnt_value(self^);
  //@ }

  virtual void increment();
  //@ behavior {
  //@   requires cnt_value(self^) < Limit;
  //@   modifies self;
  //@   ensures  self' = inc(self^);
  //@ }

  virtual void reset();
  //@ behavior {
  //@   modifies self;
  //@   ensures  cnt_value(self') = 0;
  //@ }
};

\end{verbatim}
\caption{Counter.lh}
\label{CounterSpec}
\end{BFIGURE}

%\input{typesystem}
\section{The Type System}
\label{typesystem}
The type system for Larch/C++ is built upon the type systems of LSL
and C++. The process of building a type system involves defining how
the language is scoped, how individual terms are assigned types, and
how the statements and expressions type check. \emph{Scoping} is a
description of the visibility of identifiers. The Larch/C++ type
system bases its assignment of types and rules for type checking
expressions and statements more on the LSL type system, while the
scoping rules are based upon those of C++. This leads to an
interesting algorithm for looking up variables.

Recall that the terms sort and type, and the corresponding
sort checking and type checking, are used interchangeably throuhout
this paper.

\subsection{The LSL Type System}
\label{lslts}
As mentioned earlier in Section~\ref{lslintro} the basic unit of
structure in LSL is the trait. Traits are used to define sorts and
their associated operations, which exhibit uniform behavior under
their associated operations.

Since the Larch/C++ language depends upon LSL to supply
abstractions, it was important to learn how the LSL type system
works. Unfortunately, little has been written on the LSL type
system. Neither the technical report on LSL
\cite{Guttag-Horning-Modet90} nor the Larch book \cite{Guttag-Horning93}
offered any details. What was available was the LSL Checker
\cite{LSLChecker}. The LSL Checker is a tool that will perform semantic and
syntactic checks on LSL traits. Since the LSL Checker provides type
checking of traits, it serves as an operational definition of the
LSL type system. Given this definition, information about the type
system could be generated by running the Checker on example
traits. One option of the LSL Checker that assisted in the development
of the traits, and the initial ideas about the system was its \reserved{-syms}
option. This option will cause the LSL Checker to produce a list of
the operators and their signatures contained within the LSL trait. An
example of this output, generated by the command line \reserved{lsl
-syms Example1.lsl} is illustrated in Figure~\ref{symsoutput} (Note:
this is only a portion of the actual output). Please refer to
Figure~\ref{lslex1} for the trait \reserved{Example1.lsl}, which
generated this output. 
\begin{BFIGURE}
\begin{verbatim}
if __ then __ else __: Bool, Bool, Bool -> Bool
if __ then __ else __: Bool, Int, Int -> Int
if __ then __ else __: Bool, int, int -> int
if __ then __ else __: Bool, float, float -> float
true: -> Bool
false: -> Bool
x: -> int
y: -> Bool
f: int -> float
f: int -> Bool
g: Bool -> float
q: int, Bool -> Bool
q: int, Bool -> float
...
\end{verbatim}
\caption{Partial output from the \reserved{lsl -syms} command}
\label{symsoutput}
\end{BFIGURE}

Each line of the \reserved{-syms} output consists of a operator
name and an associated signature for that operator; these parts are separated by a
colon. In the example above, there is an operator named \reserved{x}
which takes no input and returns an item of sort \reserved{int}. There
are also operators such as \reserved{f}, which have two different
signatures. The ability of an operator to have more than one distinct
signature is an example of overloading.\emph{Overloading} occurs when a
given name can simultaneously stand for multiple, distinct
functions. 

After examining the \reserved{-syms} output it was clear that LSL
supported overloading. However, the extent of LSL's overloading or its
overload resolution techniques were still unknown. A series of traits
were created that used different sets of functions and the built-in
\texttt{if-then-else} LSL operator. The \texttt{if-then-else} operator
was chosen because it was built-in, because it allowed for
experimentation with types that might not be numeric, and because it
requires the
\reserved{then} and \reserved{else} clauses to have the same unique
sort. The LSL Checker was run on the traits to see what kind of errors,
if any, it found.

\begin{BFIGURE}
\begin{verbatim}
Example1:trait

   includes Integer

   introduces
        x: -> int
        y: -> Bool
        f: int->float
        f: int->Bool
        g: Bool->float
        q: int,Bool->Bool
        q: int,Bool->float

   asserts
        \forall a:int,b:Bool
        q(a,b) == if true then f(a) else g(b);
\end{verbatim}
\caption{Example1.lsl}
\label{lslex1}
\end{BFIGURE}

Figure~\ref{lslex1} is an example of an LSL trait that successfully
sort checks. Working under the assumption that terms could carry sets
of sorts, this trait sort checks in the following way. The term
\reserved{q(a,b)} has the set of sorts
\{\reserved{Bool},\reserved{float}\} associated with it. Similarly the
term \reserved{f(a)} has the set
\{\reserved{float},\reserved{Bool}\}, and the term \reserved{g(b)}
has the set \{\reserved{float}\}. Since the
\reserved{if-then-else} function requires the \reserved{then} and
\reserved{else} clauses to have the same sort, the
resulting sort of this operator must be \reserved{float}. This
illustrates an important point. In this case, the system chooses the
version of operator \reserved{f} that it will use in the type checking
based upon what it needs in the context of the \reserved{if-then-else}
operator. In this case, by choosing the intersection
of the two sets, the LSL Checker chooses to use \reserved{f:~int -> float} because it
works in the context where \reserved{g(b)} only has one sort. This is an
example of context-dependent overload
resolution. \emph{Context-dependent overloading} means that the
context in which the function or variable is used to help uniquely identify
its sort \cite{Watt90}. Finally, since both sides of the \reserved{==}
operator have a sort in common, and it is known from the
\reserved{-syms} output that it requires equivalent sorts for its
arguments, the expression sort checks. 

\begin{BFIGURE}
\begin{verbatim}
Example2:trait

   includes Integer
   introduces
        x: -> int
        y: -> Bool
        f: int->int
        f: int->Bool
        f: int->E
        g: Bool->float
        q: int,Bool->Bool
        q: int,Bool->float

   asserts
     \forall a:int,b:Bool
        q(a,b) == if true then f(a) else g(b);
\end{verbatim}
\caption{Example2.lsl}
\label{lslex2}
\end{BFIGURE}

Figure~\ref{lslex2} illustrates a situation where the trait will not
sort check. This trait was designed with the purpose of confirming the
assumption made in the above example: that all terms may have sets of
sorts associated with them.

\begin{verbatim}
./Example2.lsl:16: (near col 18): `if __ then __ else __' not 
declared with matching domain sorts
        Possible sorts for arg 1: Bool
        Possible sorts for arg 2: int, Bool, E
        Possible sorts for arg 3: float
Abort: error in checking LSL traits
\end{verbatim}

The output from the LSL Checker for this trait describes the possible
sorts available for the arguments to the \reserved{if-then-else}
operation. In this case note that arg 2, which is \reserved{f(a)}, has
three possible sorts. The sort checking error also shows that there
must be an intersection between the sets of the arguments for the
operator to sort check. In this case there is an empty intersection between
\reserved{f(a)}'s set \{\reserved{int},\reserved{Bool},\reserved{E}\}
and \reserved{g(b)}'s set \{\reserved{float}\}. This leads to the
error condition.

\begin{BFIGURE}
\begin{verbatim}
Example3:trait
   includes Integer

   introduces
        x: -> int
        y: -> Bool
        f: int->int
        f: int->Bool
        f: int->E
        g: Bool->float
        g: Bool->int
        g: Bool->E
        q: int,Bool->Bool
        q: int,Bool->float

   asserts
     \forall a:int,b:Bool
        q(a,b) == if true then f(a) else g(b);
\end{verbatim}
\caption{Example3.lsl}
\label{lslex3}
\end{BFIGURE}

To follow up on the previous examples, a trait was created to see if
similar errors could be generated with other operators. This trait is
shown in Figure~\ref{lslex3}. 
\begin{verbatim}
./Example3.lsl:18: (near col 8): `q' sorts of terms in equation 
do not match
        Possible sorts for left side: Bool, float
        Possible sorts for right side: int, E
Abort: error in checking LSL traits
\end{verbatim}

\noindent This error shows that the sort associated with the
\reserved{if-then-else} operator is the set consisting of
\{\reserved{int},\reserved{E}\}. So, the LSL Checker will try to find
a sort for \reserved{q(a,b)} that would fit the constraint that
operator \reserved{==} needs to have the same sort for each
argument. In this case, since \reserved{q(a,b)} has the set
\{\reserved{Bool},\reserved{float}\} associated with it, there is no
possible solution.

\begin{BFIGURE}
\begin{verbatim}
Example4:trait
   introduces
        x: int->int
        x: int->float
        y: int->int
        y: int->float
        p: int,int->int
        p: int,int->float

   asserts
     \forall a,b:int
        p(a,b) == if (a=b) then x(a) else y(a)
\end{verbatim}
\caption{Example4.lsl}
\label{lslex4}
\end{BFIGURE}

The previous examples have shown that for an operator like
\reserved{==} to sort check, there needs to be a non-empty intersection between
the sets of sorts for its arguments. What if that set has a
cardinality larger than one? Figure~\ref{lslex4} is an example where
the intersection between the sets of sorts for the arguments to
\reserved{==} does not have an intersection of cardinality one. This
generates the following output from the LSL Checker.

\begin{verbatim}
./Example4.lsl:12: (near col 8): `p' more than one possible 
sort for terms in equation 
Possible sorts: int, float 
Abort: error in checking LSL traits
\end{verbatim}

\noindent Since the intersection is not of cardinality one, the
expression does not sort check.

\begin{BFIGURE}
\begin{verbatim}
foo:trait

includes Integer

introduces
  x: -> int
  y: -> Bool
  f: int->float
  f: int->Bool
  g: Bool->float
  q: int,Bool->Bool
  q: int,Bool->float

asserts
 \forall x:int,b:Bool
    q(x,b) == if true then f(x) else g(b);
\end{verbatim}
\caption{A LSL Trait with an Error in the Declaration of Variables}
\label{quanttrait}
\end{BFIGURE}

Another property of the LSL type system is that any variables declared
must have completely unique names. For example the trait in
Figure~\ref{quanttrait} causes the following error to be issued by the
LSL Checker:

\begin{verbatim}
./foo.lsl:15: (near col 9): `x' variable duplicates constant 
of same sort
Abort: error in checking LSL traits
\end{verbatim}

\noindent Notice how the \reserved{x:int} declaration within the
\verb+\+\texttt{forall} expression interferes with the \reserved{x: -> int}
declaration in the \reserved{introduces} section. This error occurs
because of constraints placed upon the output the LSL Checker
generates for the Larch Prover. 

The results of these experiments with the LSL Checker can be
summarized as follows:

\begin{itemize}
\item LSL terms have non-empty sets of sorts associated with them. 
\item The elements in a LSL term's set of sorts may be dependent on
the context in which the term is used.
\item When checking is complete, every expression or equation
should have a single sort. If this does not occur, there is a type error.\item Declared variables should have unique names.
\end{itemize}

\noindent When the system sort checks, there will be sets of sorts
associated with the various terms. As the sort checking progresses,
these sets will be narrowed by the contextual information until every
expression has an assigned, singular sort, or has sort checked.

The other major issue in type systems is scoping. Scoping has few
complications in LSL. There are two scopes, the global scope and
quantifier scope. All names go into the global scope, with the
appropriate overloading, unless they are declared in a quantified
expression. 


\begin{BFIGURE}
\begin{verbatim}
asserts
  \forall x:E, s1:Set, s2:Set

   s1 \subset s2 == \A x (x \in s1 => x \in s2) /\ s1 \neq s2

\end{verbatim}
\caption{An Example of Quantifier Scope.}
\label{quantscope}
\end{BFIGURE}

An example of the creation of quantifier scope is shown in
Figure~\ref{quantscope}. This example shows a portion of a LSL trait
which describes Sets. Notice that the definition of the
\verb+\+\reserved{subset} function contains a quantified
expression of the form \verb+\+\reserved{A x ( $\dots$ )}. The scope
of \reserved{x} is the text between the parentheses. 


\subsection{The C++ Type System}
\label{cppts}
This section gives a brief overview of the C++ type
system. Although not a complete description, it should serve as an
introduction for people unfamiliar with it. The section is based upon the C++
Annotated Reference Manual \cite{Ellis-Stroustrup90} which should be
referred to for a complete description of the C++ type system.

The C++ type system is based upon the C type system with a few
additions. There are two broad categories of types, fundamental
types and derived types. \emph{Fundamental types} are the basic
building blocks of the type system. They consist of the types that are
built-in to the implementation. Examples are \reserved{int},
\reserved{float}, and \reserved{char}. \emph{Derived types} are types
built from the fundamental types or from other derived types. Examples of
these include arrays, functions, and classes. Type names can be
created via the \reserved{typedef} construct, which assigns a new name to
a previously existing type. 

C++ also offers a variety of polymorphic forms. These include
templates, static overloading, dynamic overloading, and subtype
polymorphism. Although these forms are important to the C++ type
system, with the exception of templates, they are not an important
part of the Larch/C++ type system. Thus it is beyond the scope of this
paper to describe them in more detail.

Templates in C++ let users create generic classes that can be
instantiated to support a specific type. A template allows the
programmer to pass types as parameters to a class. This structure is
an example of parametric polymorphism. \emph{Parametric polymorphism}
is when a set of operations require a type parameter that defines
their behavior.

Compared to LSL, C++ has a complex scope system. The innermost scope
level is local scope. \emph{Local} scope refers to the declarations
within a given block. Items declared with local scope are visible
within the block they are declared in. \emph{Function} scope refers to use of labels within
functions. \emph{Class} scope contains the names of all members, both
functions and variables, that are contained within a class
definition. Finally, \emph{file} scope refers to any declarations that
occur outside of all blocks and classes. Declarations at file scope
are visible within the given translation unit (usually the source
file).

In general, name lookup in C++ begins within the local scope and moves
outward to file scope. The process may be modified by using the scope
resolution (\reserved{::}) operator to state explicitly where to look for the
name. Names may also be hidden or overridden within given scopes. The
key idea is that even with the above features, C++ requires that any
use of a name be unambiguous within a given scope.

\subsection{The Larch/C++ Type System}
\label{lcppts}
\subsubsection{Overview}
The Larch/C++ language has its own unique type system. Though this
system has many things in common with both the LSL and C++ type
systems, Larch/C++ is its own language. Looking at the structure of a
Larch/C++ specification will help to explain the system and its
unique properties. Below is a specification for a simple C++ function
\reserved{increment} which increments a global variable
\reserved{x}. It is based upon the Counter trait shown in Figure~\ref{CounterTrait}.

\begin{verbatim}
  int i;
  void increment();
  //@ behavior {
  //@   requires value(i^) < Limit;
  //@   modifies i;
  //@   ensures  i' = inc(i^);
  //@ }
\end{verbatim}

\noindent Recall that this specification could be broken down into a
C++ portion and the actual Larch/C++ specification. In this case the line
\begin{verbatim}
  int i;
\end{verbatim}
is the C++ declaration for the variable \reserved{i}. The
Larch/C++ type system must be able to take this C++ declaration and
convert it into a binding of i to a sort. This sort can then be used later
when \reserved{i} is mentioned. 

The items set off by the \reserved{behavior} keyword are behavioral annotations. It is within this section that the
Larch/C++ system must do its type checking. Within this section, it is
not legal to call an actual C++ function. For example, it would be
illegal to write the following:
\begin{verbatim}
ensures self' = increment();
\end{verbatim}
Thus any terms within the specification that look like functions do not
refer to C++ functions, but rather to LSL operators defined either by
user traits or by the inherent traits for the system. This lack of C++
function calls in the specifications makes the type system simpler. It
does not have to understand the C++ concepts of static and dynamic
overload resolution. It does need to understand LSL operators,
though. Because of this, the Larch/C++ type system acts like the LSL
type system in that it supports operator overloading by creating sets
of sorts for operators, and it will attempt to determine the sorts for
expressions via contextual clues.

The basic notion of the Larch/C++ type system is that there is a
correspondence between C++ declarations and the LSL sorts. Larch/C++
creates this correspondence by having a set of basic sorts which correspond to
the fundamental types in C++. It also adds auxiliary sorts that allow
for the discussion of objects. The Larch/C++ Checker automatically has
these basic sorts available and uses them to convert C++ declarations
into equivalent sorts. Users may also define abstract values and
operations in their own traits. The user would place the trait in a
\reserved{uses} clause before using any theory from it. The
\reserved{uses} clause causes the Larch/C++ Checker to generate
information about the sorts and operations from the trait and make it
available to the rest of the specification.

The \reserved{Uses} clause also supports the C++ template
facility. Since there is no equivalent to parametric polymorphism in
LSL, the \reserved{uses} clause, when combined with renaming, is used
to ``instantiate'' a trait with the correct sort. An example of this
is the SimpleSet specification from the Larch/C++ Manual, Section 8.2
\cite{Leavens96c}. Figure \ref{simpleset} is an example of this 
for a simple set class implemented via templates. There is one
template argument, a class \reserved{Elem}, which will be the elements
of the set. The specifier needs to create an abstract model that can
be used with this trait. The specifier creates the following
\reserved{uses} clause for this purpose.


\begin{BFIGURE}
\begin{verbatim}
// @(#)$Id: SimpleSet.lh,v 1.19 1997/06/03 20:29:52 leavens Exp $

template <class Elem>
  //@ expects contained_objects(Elem);
  //@ where Elem is {
  //@   bool operator ==(Elem x, Elem y);
  //@   behavior {
  //@       ensures returns /\ result = (x = y);
  //@   }
  //@ };
class Set {
public:
  //@ uses SimpleSetTrait(Elem for E, Set<Elem> for C);

  Set() throw();
  //@ behavior {
  //@   constructs self;
  //@   ensures liberally self' = empty;
  //@ }

  void insert(Elem e) throw();
  //@ behavior {
  //@   modifies self;
  //@   ensures liberally self' = self^ \U {e};
  //@ }

  bool is_in(Elem e) const throw();
  //@ behavior {
  //@   ensures result = (e \in self);
  //@ }
};
\end{verbatim}
\caption{SimpleSet.lh}
\label{simpleset}
\end{BFIGURE}


\begin{verbatim}
  //@ uses SimpleSetTrait(Elem for E, Set<Elem> for C);
\end{verbatim}

\noindent This \reserved{uses} clause has the effect of specializing the trait
so that the basic sorts are now \reserved{Elem} and
\reserved{Set[Elem]} (note that the translation of the \reserved{<>}
notation to the [] notation is done by the Larch/C++ Checker
automatically). This means that an LSL operation, such as
\reserved{empty}, which used to have a result sort of \reserved{C} now
has a result sort of \reserved{Set[Elem]}.

The other major complication in the Larch/C++ type system is the
scoping of identifiers and operators. Recall that the scoping system
in LSL is simpler than that of C++. Larch/C++ will build upon both of
these type systems to create its own. 

Larch/C++ expands the basic C++ scoping system by adding three new
scope units. \emph{Function-specification} scope refers to the area
inside of a specific function specification. It contains the
declarations for the function parameters, the function's
\reserved{result}, the keyword \reserved{self}, and any other
declarations found there. It is a specialization of the local scope from
C++. \emph{Spec-case} scope refers to the fact that in a specification
that has multiple cases, each case has its own local scope. This is
because each spec-case is essentially a miniature
function-specification. Finally, as in LSL, there is a
\emph{quantifier} scope. All information in Larch/C++ is scoped. This
means that the location of a declaration or a
\reserved{uses} clause may affect the visibility of certain identifiers.

The goal when looking up an identifier in a Larch/C++ specification is
to find a single, unambiguous type that is bound to a given identifier.
Larch/C++'s mix of both LSL and C++ declarations makes
for more complex insertion and lookup functions for identifiers. One
reason for the complexity is that information from C++ declarations
and information about LSL operations are kept in separate worlds
within a scope. This is done for two reasons:
\begin{itemize} 
\item it allows for name conflict resolution
\item it allows the system to simulate the overloading system present in LSL.
\end{itemize}
\noindent These two ideas are described in more detail below.

The Larch/C++ Checker attempts to insert all identifiers into the
symbol table as they would be in C++. This leads to LSL operations
being scoped as in C++. The insertion process also does name conflict
resolution. Name conflict resolution occurs when, in a given scope, a
name for a variable or operation tries to reside in both the C++ and
LSL worlds. This is not allowed. If this occurs, the offending LSL
trait operation is discarded from the symbol table, giving preference
to the C++ declaration. Figures~\ref{xtrait} and ~\ref{fooex}
illustrate a typical situation in Larch/C++ where name conflict
resolution is needed. Note that the trait defines two operators:
\reserved{x}, a zero-argument operator that generates an integer value, and
\reserved{iden}, which takes an argument and returns it. These
operators are then put to use in the specification of the function
\reserved{foo}. In the specification shown in Figure~\ref{fooex}, there
is no problem with conflicting names. The trait operations defined in
the trait are inserted into an outer scope. The argument \reserved{int
x} is placed within the function-specification scope. Thus, the two
versions of \reserved{x} are in different scopes. Since the type
system tries to find the most local match, it will choose the formal
parameter. 

Figure~\ref{fooex2} shows a specification very similar to the previous
one, except for a name conflict that is harder to resolve.  In this
case the two possibilities for \reserved{x}, the formal parameter and
the LSL operator, both exist within the function-specification scope. A
lookup algorithm that tries to find the most local identifier has a
problem; there are two good choices. One way of solving this
problem is to prioritize the worlds. The system would look in the
local C++ world first, then in the world containing the local trait
operations. If a conflict exists the Checker would always use the C++
name. Another possibility is to reverse the action, so that the the trait
operation is always chosen by the Checker.
The best choice, and the one implemented
in the Larch/C++ Checker, is to flag this as a type error. Once the
user has been informed, the system discards the trait operation that
has the name conflict. Once informed, the user may either ignore the
error, in which case the local identifier would in this example
resolve to the formal parameter, or the trait may be modified; renaming
the trait operation that causes the conflict. This would then allow
for both the trait operation and the local C++ declaration to
coexist. This solution is both flexible and has a default behavior
that makes sense.


\begin{BFIGURE}
\begin{verbatim}
Problem:trait
   includes Integer(int for Int)

   introduces
        x:->int
        iden:int->int

   asserts
     \forall i:int
        iden(i) == i;
\end{verbatim}
\caption{XTrait.lsl}
\label{xtrait}
\end{BFIGURE}

\begin{BFIGURE}
\begin{verbatim}
//@ uses Problem;
int foo(int x);
//@ behavior {
//@ ensures result = iden(x);
//@}
\end{verbatim}
\caption{Function foo: Version 1}
\label{fooex}
\end{BFIGURE}


\begin{BFIGURE}
\begin{verbatim}

int foo(int x);
//@ behavior {
//@ uses Problem;
//@ ensures result = iden(x);
//@}
\end{verbatim}
\caption{Function foo: Version 2}
\label{fooex2}
\end{BFIGURE}

The discussion of name conflict resolution leads to another
important question: how are identifiers looked up in Larch/C++? As
mentioned earlier, the goal is to find the most local match, while
still offering the feel of ``global'' scope to the trait
operations. Recall from Section~\ref{lslts} that LSL operators are
overloaded. This means that one name may refer to multiple trait
operators. Recall also that the names of these operators all reside
in a single scope. The given operator name should be able to return
any of the possible overloads. In Larch/C++, the information on the
LSL operations is scoped. Thus a given name may only see overloads that
exist within its scope. This does not correctly match the LSL model, where
all the trait operations exist in a single global scope. The Larch/C++ name
lookup algorithm needs to simulate the LSL global scope or it may miss some
valid operations when sort checking. 

A first solution for name lookup might simply search up the symbol
table, finding all possible C++ and LSL operation identifiers that
match. This brute force solution leads to frequent name
conflict problems. Identifiers that should not even
be visible may be chosen as solutions, or may cause ambiguities. Other
possible solutions limit the search by matching the most local C++
identifier and matching all possible trait operations throughout the
symbol table. While this solution seems feasible it has the same flaw:
it may return an identifier that leads to an ambiguity.

The lookup algorithm chosen attempts to avoid finding ambiguous
identifiers by limiting the search in the trait operation side of the
table. The algorithm is illustrated in Figure~\ref{lookupalgm}.
\begin{BFIGURE}
\begin{verbatim}
Begin within the local scope.  
Look in the C++ world for an identifier with the correct name.

If a C++ identifier with the correct name is found, 
then return it and the search stops.

If a C++ identifier is not found, search the trait operation
world. If any identifier with the correct name is found, begin a
search in all enclosing scopes. 
This search is terminated by one of two conditions:

1. A C++ identifier with the correct name is seen. 
   Return the set of trait operations that has been generated.

2. The top of the symbol table is reached.
   Return the set of matching trait operations.

If no matching identifier is found in the local scope,
recurse on the next enclosing scope if it is valid. 

At the top of the table, return an error.

\end{verbatim}
\caption{The Larch/C++ Name Lookup Algorithm}
\label{lookupalgm}
\end{BFIGURE}

This algorithm always locates the most local matching C++ declaration,
which it should do to model the C++ system, and always stops searching
the trait operations side at a point where name conflicts could
begin. The essence is that a C++ declaration ``shadows'' or hides all
possible trait operations of the same name in enclosing scopes. Thus,
the lookup of trait operations should stop when that shadowing
declaration is seen to avoid ambiguity. There will not
be any ambiguity at the point of the shadow declaration because of the
algorithm for name conflict resolution.

\subsubsection{Examples}
Here are some examples of how scoping and name lookup work in
Larch/C++. In these examples, the enclosing boxes represent the scope
boundaries for the various identifiers. Figure~\ref{scopetraits} shows
the simple traits that will be used in these examples.

\begin{BFIGURE}
\begin{verbatim}
XTrait:trait
    introduces 
        x: -> int
        y: -> Bool

YTrait:trait
     introduces 
        y: -> int

fooTrait:trait
     introduces
        foo: int -> int
        y: -> float
\end{verbatim}
\caption{Example Traits for Scope and Variable Lookup}
\label{scopetraits}
\end{BFIGURE}

\begin{BFIGURE}
\begin{center}
%\input{scopeex1}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(3699,3849)(1564,-4198)
\thicklines
\put(1726,-3211){\framebox(3375,2175){}}
\put(1801,-2536){\framebox(3225,675){}}
\put(1801,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ uses XTrait;}}}
\put(1801,-946){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}class foo \{}}}
\put(1801,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}int bar(int x);}}}
\put(1576,-4186){\framebox(3675,3825){}}
\put(1801,-2026){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ behavior \{}}}
\put(1801,-1306){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ uses fooTrait,YTrait;}}}
\put(1801,-2206){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@   ensures result = x + y;}}}
\put(1801,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ \}}}}
\put(1801,-2926){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}\} ;}}}
\put(1801,-766){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}int y;}}}
\end{picture}

\end{center}
\caption{Scope and Variable Lookup: Example 1}
\label{scopeex1}
\end{BFIGURE}
Figure~\ref{scopeex1} shows a small example of a specification. The
goal is to build the sets of possible sorts for the variables
\reserved{x} and \reserved{y} and the operation \reserved{+}. The
process begins within the function-specifier scope represented by the
innermost box in the figure. The system attempts to find either a C++
declaration or a trait operation which is usable for \reserved{x}. As
there is no declaration for \reserved{x} there, it finds the formal
parameter declared by \reserved{int x} in the enclosing scope. At this
point, the search stops and the set of sorts for \reserved{x} is
\{\reserved{-> int}\}.

The system continues by building the set of sorts for
\reserved{y}. Again it starts in the function-specifier scope. It does
not find a match in the two inner scopes. It moves to the next
enclosing scope, a class scope. Once in this scope, the search begins
within the C++ world. Again, no C++ declaration is found. The search
continues in the trait operation world. Here the system finds two
possibilities for \reserved{y}, either \reserved{-> int} or \reserved{
-> float}, which are provided by the traits fooTrait and YTrait
mentioned in the
\reserved{uses} clause. Since neither stopping condition holds, the search is continued into the enclosing scope. Here the
system finds a C++ declaration \reserved{int y}. Because of this, the
system stops searching and returns the set of sorts associated with the trait
operations that have been seen. 
This means that the
identifier
\reserved{y} has the set of sorts \{\reserved{-> int,-> float}\}. 


The search for the trait operation \reserved{+} occurs in a similar
fashion. In this case, the search goes to the top level of the symbol
table where the builtin sorts and their operations are inserted. The
system will have a set of possible signatures for \reserved{+} that come
both from the built-in traits and from whatever definitions of
\reserved{+} have been seen due to \reserved{uses} clauses. The system 
will try to find a signature that can be used with the set of types
for \reserved{x} and \reserved{y}. As seen above, the system knows
that the set of sorts for \reserved{x} is \{\reserved{int} and it
knows that knows that the set of sorts for \reserved{y} is
\{\reserved{-> int, -> float}\}. So since there are no redefinitions
of \reserved{+}, in this case the system will end up searching the
built-in operations which are included at the highest level of the
symbol table structure. One of the signatures it finds is
\reserved{int,int -> int} (there would be others). In this case, the 
system would chose this signature for \reserved{+} because the
arguments to \reserved{+}, \reserved{x} and \reserved{y}, have the
sort \reserved{int} in their sets.[[[Need a statement about int and
->int being equivalent???]]] 

[[[Finally, note that this example would have generated a warning from
the Larch/C++ system. Within the outermost scope, there exists a
\reserved{uses} clause for XTrait, which has a definition of
\reserved{y}, and a C++ declaration of \reserved{y}. As the Larch/C++
Checker processes this file, it would first place the definition of
\reserved{y} from the \reserved{uses} clause into the LSL portion of
the symbol table. Then when it saw the C++ declaration for
\reserved{y}, it would use the rules for name conflict resolution
described earlier. In other words, it would discard the LSL operation
from the symbol table and issue a warning to the user. In this case,
the system would still be able to type check this
specification. However, in the general case, type checking results
when identifiers are discarded due to the name conflict resolution
system may be incomplete and possibly inaccurate.]]]

\begin{BFIGURE}
\begin{center}
%\input{scopeex2}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(3699,3849)(1564,-4198)
\thicklines
\put(1726,-3211){\framebox(3375,2175){}}
\put(1801,-2536){\framebox(3225,675){}}
\put(1801,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ uses XTrait;}}}
\put(1801,-946){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}class foo \{}}}
\put(1576,-4186){\framebox(3675,3825){}}
\put(1801,-1306){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ uses fooTrait,YTrait;}}}
\put(1801,-2926){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}\} ;}}}
\put(1801,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}int bar(int x);}}}
\put(1801,-2026){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ behavior \{}}}
\put(1801,-2206){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@   ensures result = x + y;}}}
\put(1801,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ \}}}}
\end{picture}

\end{center}
\caption{Scope and Variable Lookup: Example 2}
\label{scopeex2}
\end{BFIGURE}

Figure~\ref{scopeex2} shows another small example of a
specification. This specification differs from the previous example in
that there is no declaration of the variable \reserved{y} in the outer
scope. As before, the set of sorts for \reserved{x} is \{\reserved{int}\}.

To build the set of sorts for
\reserved{y}, the system starts in the function-specifier scope. This
time, again, it does not find a match. It moves to the next
enclosing scope, a class scope. Once in this scope, the search begins
within the C++ world. Again, no C++ declaration is found. The
search continues in the trait operation world. Here the system
finds two possibilities for \reserved{y,} either \reserved{-> int} or \reserved{
-> float}, both of which are provided by the traits in the \reserved{uses}
clause. Since the stopping conditions were not met, the search
is continued into the enclosing scope. At the file scope, there is no
C++ declaration for \reserved{y}. So the system finds an trait
operation imported from \reserved{XTrait} that adds another
possibility to the set, \reserved{ -> Bool}. The system continues to
the next enclosing scope, realizes that it has reached the top of the
symbol table, and returns the set of sorts
\{\reserved{->int,->float,->Bool}\} for \reserved{y}.

The search for the trait operation \reserved{+} is the same as in the
previous example.


\begin{BFIGURE}
\begin{center}
%\input{scopeex3}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(3699,3849)(1564,-4198)
\thicklines
\put(1726,-3211){\framebox(3375,2175){}}
\put(1801,-2536){\framebox(3225,675){}}
\put(1801,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ uses XTrait;}}}
\put(1801,-946){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}class foo \{}}}
\put(1576,-4186){\framebox(3675,3825){}}
\put(1801,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}int bar(int x);}}}
\put(1801,-2926){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}\} ;}}}
\put(1801,-2026){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ behavior \{}}}
\put(1801,-2206){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@   ensures result = x + y;}}}
\put(1801,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{tt}//@ \}}}}
\end{picture}

\end{center}
\caption{Scope and Variable Lookup: Example 3}
\label{scopeex3}
\end{BFIGURE}

Figure~\ref{scopeex3} shows another small example of a
specification. This specification differs from the previous two in
that it contains a declaration that will cause a type error. Again,
the basic goal is to build the sets of possible sorts for the
variables
\reserved{x} and \reserved{y} and the operation \reserved{+}. The
process to build the set for \reserved{x} is the same as
the previous two examples.

The system continues by building the set of sorts for
\reserved{y}. As in the previous examples, it begins at the
function-specifier scope. As in the first example, a match is not
found in the two inner scopes. The system moves to the next enclosing
scope, a class scope. Once in this scope, the search begins within the
C++ world. Again, no C++ declaration is found. The search continues in
the trait operation world. Again, no match is found. The system
continues searching upward until it sees the \reserved{uses} clause at
the global scope. Here it finds a definition for \reserved{y} of
\reserved{ -> Bool}.  Since the system found trait operations that
match, the search is continued into the enclosing scope. However,
since this match for \reserved{y} is found in the outermost scope, the
system stops searching and returns the the set of sorts
\{\reserved{Bool}\}. This set will lead to a type error unless \reserved{+}
has the sort \reserved{int,Bool -> int}, which is unlikely. 

\subsubsection{Summary}
The Larch/C++ type system has the following qualities:

\begin{itemize}

\item Information for symbols is kept in two ``worlds.'' One portion
contains C++ declarations, the other contains LSL trait operations.

\item A scoping system similar to that of C++ which is applied to all
C++ and trait operation names.

\item A name conflict resolution algorithm which handles the case
where there exists a C++ declaration and a trait operation with the same
name in a given scope.

\item A name lookup algorithm that attempts to always give the most
local C++ declaration that is a match, and gives the illusion that the
trait operations are all stored within a single scope, while avoiding
the possibility of having an ambiguous solution (i.e. one where there
is both a trait operation and a C++ identifier that may be used).

\end{itemize}

\section{Formal Sort Rules for Larch/C++}
\label{typerules}


The following sort rules represent the type system for Larch/C++ in a
more formal manner. We use the name \emph{sort} here because the
system is closely related to the LSL system. The rules presented in
this section are based upon the concrete syntax for Function
Specifications in Larch/C++, contained in Appendix A of the Larch/C++
Reference Manual \cite{Leavens96c}. Some of the concrete rules have
had their names abbreviated in the formal rules to allow for easier
presentation. An abstract syntax grammar has also been created to
allow for easier presentation of the rules themselves. Please refer to
Figures~\ref{fig-abs} and~Figure~\ref{abb-fig} for these shorthands.

%\input{gramtab}
\begin{BFIGURE}
\begin{center}
\begin{tabular}{|l| |l|}
Shorthand & Concrete Syntax Rule \\
\hline
\mbox{\textit{DS}} & declaration-sequence \\
\mbox{\textit{EC}} & ensures-clause \\
\mbox{\textit{ES}} & expects-sequence \\
\mbox{\textit{FI}} & fun-interface \\
\mbox{\textit{FR}} & frame \\
\mbox{\textit{FSB}} & fun-spec-body \\
\mbox{\textit{MC}} & modifies-clause \\
\mbox{\textit{P}} & primary \\
\mbox{\textit{RC}} & requires-clause \\
\mbox{\textit{S}} & sort-name \\
\mbox{\textit{SC-B}} & sc-bracketed \\
\mbox{\textit{SCS}} & spec-case-sequence \\
\mbox{\textit{SC}} & spec-case \\
\mbox{\textit{SEC}} & secondary \\
\mbox{\textit{SLS}} & string-literal-sequence \\
\mbox{\textit{SRL}} & storage-reference-list \\
\mbox{\textit{SR}} & storage-reference \\
\mbox{\textit{TC}} & trashes-clause \\
\mbox{\textit{US}} & uses-sequence \\
\end{tabular}
\end{center}
\caption{Abbreviations for Concrete Syntax Rules}
\label{abb-fig}
\end{BFIGURE}

\begin{BFIGURE}
\begin{grammar}
\nonterm{T} \: \reserved{if} \nonterm{T$_1$} \reserved{then} \nonterm{T$_2$} \reserved{else} \nonterm{T$_3$} 
\> \| \> \nonterm{T$_1$} \nonterm{EQ} \nonterm{T$_2$}
\> \| \> \nonterm{T$_1$} \nonterm{OP$_{l}$} \nonterm{T$_2$}
\> \| \> \nonterm{Q}$^+$ \reserved{(} \nonterm{T} \reserved{)}
\> \| \> \nonterm{T} \reserved{satisfies} \nonterm{FI} \nonterm{FSB}
\> \| \> \nonterm{T}\reserved{(} \nonterm{T}$^*$ \reserved{)}

\nonterm{OP$_{lsl}$} \: \nonterm{OP$_{lsl}$$^+$} \nonterm{SEC}
\> \| \> \nonterm{SEC}
\> \| \> \nonterm{SEC$_1$} \nonterm{OP$_{lsl}$} \nonterm{SEC$_2$}
\> \| \> \nonterm{SEC} \nonterm{OP$_{lsl}$} \nonterm{OP$_{lsl}$}

\nonterm{Q} \: \nonterm{QS} (ID\reserved{:}sort)$^+$

\nonterm{QS} \: \verb|\|\reserved{A} \|  \verb|\|\reserved{forall} \| \verb|\|\reserved{E} \|  \verb|\|\reserved{exists}

\nonterm{EQ} \: \reserved{=} \| \reserved{==} \| \verb|\|\reserved{eq} \| \reserved{~=} \| \reserved{!=} \| \verb|\|\reserved{neq}

\nonterm{OP$_{l}$} \: \verb|\|\reserved{and} \| \verb|\|\reserved{or} \|\verb|\|\reserved{implies} \| /\verb|\| \| \verb|\|/ \| =>

\nonterm{IDSEQ} \:  (\nonterm{ID} \reserved{:}\nonterm{S} \reserved{be} \nonterm{T}) $^+$

\nonterm{SCS} \: \nonterm{SC} \| \nonterm{SCS} \reserved{also} \nonterm{SC}

\nonterm{ID} \: class\_name \|  built\_in\_type\_name \| identifier

\nonterm{$\diamond$} \: \reserved{\^} \| \verb|\|\reserved{pre} \| \reserved{'} \| \verb|\|\reserved{post} \| \verb|\|\reserved{any}

\nonterm{SLS} \: string\_literal$^*$

\end{grammar}
\caption{Partial Abstract Syntax for Type Rules}
\label{fig-abs}
\end{BFIGURE}


\subsection{Notation}
\label{trnot}
The following notational conventions are used within these
rules. \textit{E}, and any subscripted or primed variant, such as
$E_1$ or $E'$, represent the type environment within which the
production is checked. A \emph{type environment} is a finite function
which maps identifiers to corresponding sorts. A type environment has
the form ${(\reserved{id:S})\dots}$ where (\reserved{id:S}) is a pair
relating the identifier \reserved{id} to the sort
\reserved{S}. Another way of stating this is that the statement
\reserved{id}:$\tau \in E$ represents the fact that within the
environment $E$, \reserved{id} has a set of sorts $\tau$. In
Larch/C++, a type environment $E$ can be further divided into two
halves, the C++ half and the LSL operator half. These halves have no
${(\reserved{id:S})}$ pairs in common. This property can be expressed
in the following manner:
\begin{displaymath}
E = (C,L), C \cap L = \emptyset
\end{displaymath}
The process
of merging two type environments together is called the \emph{shadow
union} of the environments and is represented by the $\uminus$
symbol~\cite{Schmidt}. The expression $E_1 \uminus E_2$ means that a new type
environment is created where the following holds:
\begin{displaymath}
E_1 \uminus E_2 = (C_3,L_3) where 
\begin{array}{l}
C_3 = \{(i:\tau) | (i:\tau) \in C_1 \wedge (i:\tau') \notin C_2\} \cup
C_2\\
L_3 = L_1 \cup L_2\\
\end{array}
\end{displaymath}

The idea is that, as you enter a new scope, any identifiers declared
in that new scope shadow the previous declarations in the type
system. In the above formula, $E_1$ is the existing type environment
and $E_2$ is the type environment of the new scope. If a pair with
identifier \reserved{i} is in $E_1$ and not in $E_2$, it may
remain. Otherwise, the pair from $E_2$ shadows the pair in $E_1$.

Another operation, \emph{disjoint union} (represented by $\uplus$), is also
used to combine type environments. In this context, 
disjoint union has its usual meaning, except for the following: if the
environments $E_1$ and $E_2$ are not disjoint, $E_1 \uplus E_2$ flags an error
condition and creates the union of $E_1$ and $E_2$ with the offending
elements of $E_2$ removed. In this way, disjoint union models the
Larch/C++ type system's name conflict resolution system which is used
inside of a given scope.

Figure~\ref{typeruleex} illustrates the general format for the formal
sort rules. The structure of each rule is as follows. The bracketed
item on the left is the name of the rule. The middle section consists
of an optional top portion and a bottom portion separated by dividing
line. The top portion is the \emph{hypothesis}, the bottom is the
\emph{conclusion}, and the horizontal bar means logical
implication. This means that a given rule should be interpreted as follows:
if the hypothesis is true, the conclusion should also be true. Within
these rules, the $\vdash$ operator also represents implication. In
this case, an expression such as $E \vdash x$ means that if $E$ is
assumed, then $x$ can be proved. Another way of thinking about the
$\vdash$ operator is that the left side represents the attributes
inherited from parents in the syntax tree. The set of sorts to the
right of the colon (\reserved{:}) in the rule represent the
synthesized attributes created by checking the syntactic form between
the $\vdash$ and the \reserved{:}. A
term that sort checks correctly, but for whcih the sort is unimportant 
has the colon and sort replaced by a $\surd$. Possible
sets of types that a given expression may have are represented by
$\tau$, $\alpha$, and $\beta$. Function types are represented via the
standard $\rightarrow$ notation. To the right of the rule, the
\emph{side conditions} state other necessary conditions for the rule
to be applied.

\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[EXAMPLE]} &
\begin{array}{c}
\mbox{\textit{E}} \vdash \mbox{\texttt{foo}}:\beta,\\
\mbox{\textit{E}} \vdash \mbox{\texttt{x}}:\alpha \\
\hline
E \vdash \mbox{\texttt{foo(x)}}:\tau
\end{array}
&
\begin{array}{l}
\mbox{if } \tau = \{n_1 \dots n_k\}, \\
\alpha = \{m_1 \dots m_k\} \\
\beta = \{m_1 \rightarrow n_1 \dots m_k \rightarrow n_k\} \\
k > 0
\\
\end{array}
\end{array}
\end{displaymath}
\caption{An Example Type Rule}
\label{typeruleex}
\end{BFIGURE}

For the example in Figure~\ref{typeruleex}, the name of the rule is
\reserved{[EXAMPLE]}. The rule itself states that given the
environment $E$, if it can be shown that \reserved{foo} has set of types
$\beta$ and that \reserved{x} has set of sorts $\alpha$, and the side
annotations hold, then it can be
stated that given $E$ the expression \reserved{foo(x)} has the set of 
types $\tau$. The side condition states that for the implication to be
true, it must be demonstrated that $\alpha$ contains a set of input sorts,
and that $\beta$ contains the correct functions to map the $m$ sorts to
their related $n$ sorts. If this holds, then $\tau$ should be the set
of $k$ sorts $\{n_1 \dots n_k\}$.

\subsection{The Formal Sort Rules}
An attempt has been made to break the formal rules into sets of rules
that have similar structures or related conclusions. For the most
part, the rules are allowed to describe themselves.


\subsubsection{Top Level Rules}
\label{toprules}

\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[FUN-SPEC-BODY]} &
\begin{array}{c}
E \vdash \mbox{\it ES} \Rightarrow E_1,\\
E \vdash \mbox{\it US} \Rightarrow E_2,\\
E \vdash \mbox{\it DS}\Rightarrow E_3,\\
E \uminus (E_1 \uplus E_2 \uplus E_3) \vdash \mbox{\it SCS}~\surd\\
\hline
E \vdash \mbox{\reserved{behavior} \reserved{\{} \textit{ES US DS SCS} \reserved{\}}} \surd
\end{array}
&
\begin{array}{c}
if (E_1 \cap E_2) = \emptyset,\\
(E_1 \cap E_3) = \emptyset,\\
(E_2 \cap E_3) = \emptyset
\end{array}
\\
~\\
\RULELAB{[SCS]} &
\begin{array}{c}
E \vdash \mbox{\it SC}~\surd,~E \vdash \mbox{\it SCS}~\surd\\
\hline
E \vdash \mbox{\textit{SC} \reserved{also} \textit{SCS}}~\surd
\end{array}
\\
~\\
\RULELAB{[SC]} &
\begin{array}{c}
E \vdash \mbox{\it LC} \Rightarrow E',\\
E \uminus E' \vdash \mbox{\it RFE}~ \surd,\\
E \uminus E' \vdash \mbox{\it EX}~ \surd,\\
E \uminus E' \vdash \mbox{\it CS}~ \surd\\
\hline
E \vdash \mbox{\it LC RFE EX CS}~ \surd
\end{array}
\\
~\\
\RULELAB{[RFE]} &
\begin{array}{c}
E \vdash \textit{RC}~\surd,E \vdash \textit{FR}~\surd,E\vdash \textit{EC}~ \surd\\
\hline
E \vdash \mbox{\it RC FR EC }~\surd
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{Top Level Rules}
\label{fig-one}
\end{BFIGURE}
Figure ~\ref{fig-one} illustrates the rules that describe the top
level of the type checking system. Of these, the rule for
\RULELAB{[FUN-SPEC-BODY]} is probably the most interesting. Notice
that the rule creates new type environments from the expects sequence,
the uses sequence, and the declaration sequence. These individual
environments are then shadow unioned to the existing
environment. Remember that the shadow union will override any existing
information about a variable in $E$ with the information contained in
$(E_1 \uplus E_2 \uplus E_3)$. This modification of the environment
corresponds to the creation of the function-specification scope in
which the actual specification will be sort checked (see
section~\ref{lcppts} for a description of the scoping system). The
function-specification-body will sort check if the specification
represented by the \textit{SCS} sort checks within the newly created
environment.

Similarly, the rule for \RULELAB{[SC]} shows the creation of the
spec-case scope via the shadow union of the existing environment with
the environment generated by the let clause. Then the spec-case sort
checks if its individual pieces sort check within the newly created
environment.

\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[IDSEQ1]} &
\begin{array}{l}
E \vdash \mbox{\nonterm{IDSEQ}} \Rightarrow E', E \vdash T:\tau, \\
E \vdash S \reserved{ OK} \\
\hline
E \vdash \mbox{\nonterm{IDSEQ }} id:S \reserved{ be } T \Rightarrow E'''
\end{array}
&
\begin{array}{l}
\mbox{if } S \in \tau, E''' = E' \uplus \{(id:\{S\})\} \\
\mbox {See text.}
\end{array}
\\
~\\
\RULELAB{[IDSEQ2]} &
\begin{array}{l}
E \vdash id:S \Rightarrow E', E \vdash S \reserved{ OK} \\
\hline
E \vdash id:S \Rightarrow E' \\
\end{array}
&
\mbox{if } E' = \{(id:S)\}
\\
~\\ 
\RULELAB{[LC]} &
\begin{array}{l}
E \vdash IDSEQ => E'\\
\hline
E \vdash \mbox{\reserved{let} \textit{IDSEQ}} \Rightarrow E'
\end{array}

\\
~\\
\RULELAB{[ES]} &
\begin{array}{c}
E \vdash \mbox{\it ES} \Rightarrow E'
\end{array}
& \mbox{See text.}\\
~\\
\RULELAB{[US]} &
\begin{array}{c}
E \vdash \mbox{\it US} \Rightarrow E'
\end{array}
& \mbox{See text.}
\\
~\\
\RULELAB{[DS]} &
\begin{array}{c}
E \vdash \mbox{\it DS} \Rightarrow E'
\end{array}
& \mbox{See text.}
\\
~\\
\RULELAB{[Q]} &
\begin{array}{c}
E \vdash \tau_1~\mbox{\tt OK},\dots,E \vdash \tau_n~\mbox{\tt OK} \\
\hline
E \vdash \mbox{\it QS }
x_1\mbox{\reserved{:}}\tau_1\mbox{\reserved{,}}
\dots\mbox{\reserved{,}} x_n\mbox{\reserved{:}}\tau_n \Rightarrow E'
\end{array}
&
\begin{array}{l}
E' = x _1:\tau _1,\dots,x _n:\tau_n, \\
n>0, \\
\mbox{See text for a description of \tt OK}
\end{array}
\\
~\\
\RULELAB{[Q1]} &
\begin{array}{c}
E \vdash Q \Rightarrow E', \\
E \uminus E' \vdash T:\tau \\
\hline
E \vdash Q(T):\{\reserved{Bool}\}
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
\end{array}
\end{displaymath}
\caption{Rules Affecting the Type Environment}
\label{xxxxx}
\end{BFIGURE}

\subsubsection{Rules Affecting the Type Environment}
The rules in Figure~\ref{xxxxx} serve to show the points at which the
existing type environment may be extended. In some cases, such as the
rules for quantifiers (\RULELAB{[Q]} and \RULELAB{[Q1]}, the extension
occurs at the point when a new scope is entered. Remember from the
description of the Larch/C++ scoping system (Section ~\ref{lcppts})
that quantifiers introduce a new scope. The rules show that the type
environment for this scope will contain the new identifiers declared
within the quantifier. The \reserved{OK} marker is there to denote
that the sort $S$ is allowable. By \reserved{allowable} it is meant
that declarations in LSL cannot introduce new sorts; they can only
refer to previously mentioned sorts. Thus the judgment $E \vdash
m$\reserved{ OK} means that within the type environment $E$ the sort
$m$ must exist. This modifier will be used in later rules also.

The other rules listed here do not create a new scope to contain the
new type environment; instead they augment the existing environment. However,
they all create a new environment that may shadow previous
declarations. Note that the let clause (\RULELAB{[LC]}) shares the
requirement that the sort associated with a declared identifier should
have existed in the previous type environment.

\subsubsection{Predicate Rules}
\label{predrules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{llc}

\RULELAB{[RC1]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{requires} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\\
\RULELAB{[RC2]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{requires} \reserved{liberally} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
\RULELAB{[FR]} &
\begin{array}{c}
E \vdash \mbox{\it MC}~ \surd,~E \vdash \mbox{\it TC}~ \surd\\
\hline
E \vdash \mbox{\it FR}~ \surd
\end{array}
\\
~\\
\RULELAB{[EC1]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{ensures} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
\RULELAB{[EC2]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{ensures} \reserved{liberally} }\mathcal{P}~\surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
~\\
\RULELAB{[EX1]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{example} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\\
\RULELAB{[EX2]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{example} \reserved{liberally} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
\RULELAB{[CS1]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{claims} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\\
\RULELAB{[CS2]} &
\begin{array}{c}
E \vdash \mathcal{P}: \tau\\
\hline
E \vdash \mbox{\reserved{claims} \reserved{liberally} }\mathcal{P}~ \surd
\end{array}
&
\mbox{if $Bool \in \tau$}
\\
~\\
\RULELAB{[informally]} &
\begin{array}{c}
E \vdash \mbox{\reserved{informally} \textit{SLS}} : \{\reserved{Bool}\}
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{Predicate Rules}
\label{fig-two}
\end{BFIGURE}
Figure~\ref{fig-two} contains the rules for predicates. Note that as
mentioned in Section~\ref{lcppts}, a given construct may have a set of
types associated with it. Remember also that if an item sort checks in
LSL, it should be possible to assign a unique type to the
term. Predicates, represented by $\mathcal{P}$, are a special
case. They must have the sort \reserved{Bool} as an element of their
set of sorts.

\subsubsection{Term Rules}
\label{termrules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[IF]} &
\begin{array}{c}
E \vdash T_1:\tau',~E \vdash T_2:\alpha,~E \vdash T_3:\beta \\
\hline
E \vdash \mbox{\reserved{if} }T_1 \mbox{ \reserved{then} } T_2 \mbox{
\reserved{else} } T_3:\tau
\end{array}
&
\begin{array}{l}
\mbox{if } Bool \in \tau',\\
\tau = \alpha \cap \beta,\\
\tau \not= \emptyset
\end{array}
\\
~\\
\RULELAB{[LT]} &
\begin{array}{c}
E \vdash (\mbox{\it OP}_{l})(T_1,T_2):\tau \\
\hline
E \vdash T_1~ OP_l~ T_2:\tau
\end{array}
\\
~\\
\RULELAB{[OP$_{lsl}$]} &
\begin{array}{c}
E \vdash (\mbox{\it OP}_{lsl})(\mbox{\it SEC}):\tau\\
\hline
E \vdash \mbox{\textit{OP}$_{lsl}$~\it SEC}:\tau
\end{array}
\\
~\\
\RULELAB{[OP$_{lsl}$2]} &
\begin{array}{c}
E \vdash (\mbox{\it OP}_{lsl})(\mbox{\textit{SEC}$_1$,\textit{SEC}$_2$}):\tau\\
\hline
E \vdash \mbox{\textit{SEC}$_1$ \textit{OP}$_{lsl}$ \textit{SEC}$_2$}:\tau
\end{array}
\\
~\\
\RULELAB{[P0]} &
(C,L) \vdash \mbox{\it ID}:\tau
&
\mbox{if \textit{ID}:$\tau \in C$}
\\
~\\
\RULELAB{[P1]} &
(C,L) \vdash \mbox{\it ID}:\tau
&
\mbox{if \textit{ID}:$\tau \notin C$,~\textit{ID}:$\tau \in L$}
\\
~\\
\RULELAB{[P2]} &
\begin{array}{c}
E \vdash T_1:\tau_1,\dots,E \vdash T_n:\tau_n,~ E \vdash F:\tau \\
\hline
E \vdash \mbox{\textit{F}}(T_1,\dots,T_n):\tau'
\end{array}
&
\begin{array}{l}
\mbox{if } \tau' = \{m_1',\dots,m_k'\},\\
m_1 \in \tau_1 \times \dots \times \tau_n,~m_1 \rightarrow m_1' \in
\tau,\\
\vdots\\
m_k \in \tau_1 \times \dots \times \tau_n,~m_k \rightarrow m_k' \in
\tau,\\
k > 0
\end{array}
\\
~\\
\RULELAB{[PRIM1]} &
\begin{array}{c}
E \vdash (\mbox{\reserved{\_\_.}}\mbox{\it ID})(P):\tau \\
\hline
E \vdash P\mbox{\reserved{.}}\mbox{\it ID}:\tau
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{Term Rules}
\label{fig-term}
\end{BFIGURE}

Figure~\ref{fig-term} contains most of the rules for the sort checking
Larch/C++ terms. Recall from Section~\ref{lcppts} that
Larch/C++ and LSL sort check terms identically. Thus rules, such as
if-then-else (\RULELAB{[IF]}), represent the ideas expressed in
Sections~\ref{lslts} and~\ref{lcppts}. Notice the side condition that
states that the conditional's test term, $T_1$, must have \reserved{Bool} in its
set of types, and that the resulting sort consists of the non-empty
intersection of the possible sorts for $T_2$ and $T_3$. It might seem
that $\tau$ should have a cardinality of one at this point so that
there would be a single sort associated with the operator. However, it
is important to remember that the context surrounding the use of the
if-then-else operator should serve to narrow $\tau$ as the sort
checking process continues. Thus, the cardinality need not be one at
this point.

Of the rules listed here, the operator application rule
,\RULELAB{[P3]}, probably has the most impact on the system. The
behavior embodied in this rule is used within any rule that may act
like a function call (\RULELAB{[PRIM1]}, \RULELAB{[OP$_{lsl}$]},
\RULELAB{[OP$_{lsl}$2]}, the sc-bracketed rules,\RULELAB{[LT]}, and
others). Since trait functions are overloaded, and the overload
resolution involves context, a given operator name can have a set of
possible return sorts. Each of these return sorts has a corresponding set
of domain sorts that is the cross-product of the sorts of the
arguments. For a function application to sort check, it must be shown
that given a set of return sorts there must be a function signature
that consists of the cross-product of the sets of types of the
arguments. For example, given the following signatures for a function
foo:

\begin{verbatim}
foo: int -> float
foo: char -> Bool
foo: float -> int
foo: int -> int
\end{verbatim}

and a use of foo in the following specification:

\begin{verbatim}
int bar(int x);
//@ behavior {
//@   ensures result = foo(x);
//@ }
\end{verbatim}

\noindent Here \reserved{foo} has the set of signatures \{\reserved{int -> float,char
-> Bool,float -> int, int -> int}\} associated with it. In this case,
since \reserved{=} requires that the two arguments have the same sort
and the sort of \reserved{result} is known to be \reserved{int}, the
set of possible signatures for \reserved{foo} is \{\reserved{float ->
int, int -> int}\}. From this set, only one signature has the correct
sort for the argument \reserved{x}. So in this case, the operator
\reserved{foo} will have the signature \reserved{int -> int}, and the
statement \begin{verbatim} result = foo(x) \end{verbatim} will sort
check.

\subsubsection{sc\_bracketed Rules}
\label{scbrules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{llc}
\RULELAB{[SC-B]} &
\begin{array}{c}
E \vdash (\mbox{\reserved{[]}})(T_1,\dots,T_n):\tau \\
\hline
E \vdash \mbox{\reserved{[}}T_1,\dots,T_n\mbox{\reserved{]}}:\tau
\end{array}
\\
~\\
\RULELAB{[SC-B2]} &
\begin{array}{c}
E \vdash (\mbox{\reserved{\{\}}})(T_1,\dots,T_n):\tau\\
\hline
E \vdash \mbox{\reserved{\{}} (T_1,\dots,T_n) \mbox{\reserved{\}}}:\tau
\end{array}
\\
~\\
\RULELAB{[SC-B3]} &
\begin{array}{c}
E \vdash (\verb|\|\mbox{\reserved{langle}}\verb|\|\mbox{\reserved{rangle}})(T_1,\dots,T_n):\tau\\
\hline
E \vdash \verb|\|\mbox{\reserved{langle}} (T_1,\dots,T_n) \verb|\|\mbox{\reserved{rangle}}:\tau
\end{array}
\\
~\\
\RULELAB{[SC-B4]} &
\begin{array}{c}
E \vdash (\verb|\|\mbox{\reserved{<}}\verb|\|\mbox{\reserved{>}})(T_1,\dots,T_n):\tau\\
\hline
E \vdash \verb|\|\mbox{\reserved{<}} (T_1,\dots,T_n) \verb|\|\mbox{\reserved{>}}:\tau
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{sc-bracketed rules}
\label{fig-bracket}
\end{BFIGURE}

The sc-bracketed rules are used for operators that have signatures
similar to the following.
\begin{verbatim}
[ __ , __ ]: int , int -> Pair[int]
\end{verbatim}
These functions may be formed by builtins, such as
tuple constructors, or may be defined by the specifier.

\subsubsection{State Function Rules}
\label{staterules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}

\RULELAB{[STATE1]} &
\begin{array}{c}
E \vdash P:\tau \\
\hline
E \vdash P\mbox{\reserved{$\diamond$}}:\tau'
\end{array}
&
%\begin{array}{l}
%\mbox{let }strip(\mbox{\reserved{ConstObj[T]}}) = \mbox{T and } strip(\mbox{\reserved{Obj[T]}}) = \mbox{T},\\
%strip(\{S_1,\dots,S_n\}) = \{strip(S_1),\dots,strip(S_n)\},\\
%selobjs(\{S_1,\dots,S_n\})\\
%=\{S_i | 1 \leq i \leq n, S_i\mbox{ has form \reserved{Obj[T]} or \reserved{ConstObj[T]}}\},\\
\mbox{if }\tau' = strip(selobjs(\tau))
%\end{array}
\\
~\\
\RULELAB{[STATE6]} &
\begin{array}{c}
E \vdash P:\tau \\
\hline
E \vdash P\verb|\|\mbox{\reserved{obj}}:\tau
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{State Functions}
\label{state-fig}
\end{BFIGURE}
Larch/C++ specifications have the ability to describe the
abstract value contained within a given object. To do this,
Larch/C++ has a formal model that describes the relationship between
objects and their values. This is described in Section 2.8 of the
Reference Manual \cite{Leavens96c}. Most of the time, a C++
declaration will create an object containing an abstract value. The
state of the variable ``associates to each object, an abstract
value.'' \cite[page 21]{Leavens96c}. State functions allow a specifier to
extract the abstract value for a variable for a specific state. For
example, the C++ declaration \begin{verbatim} int i; \end{verbatim}
creates an object with the following sort.
 \begin{verbatim} 
Obj[int]
\end{verbatim}
A state function, when applied to \reserved{i}, returns the value for
the state, which has sort \reserved{int}. Please refer to the
Reference Manual \cite[Section 6.2.1]{Leavens96c} for more details.

Figure~\ref{state-fig} illustrates the rules for state functions. Two
auxiliary functions, $strip$ and $selobjs$, defined below, allow for
the extraction of abstract values. 

\begin{displaymath}
\begin{array}{l}
strip(\mbox{\reserved{ConstObj[T]}}) = \reserved{T} \\
\\
strip(\mbox{\reserved{Obj[T]}}) = \reserved{T}\\
\\
strip(\{S_1,\dots,S_n\}) = \{strip(S_1),\dots,strip(S_n)\}\\
\\
selobjs(\{S_1,\dots,S_n\})\\
~~~=\{S_i | 1 \leq i \leq n, S_i\mbox{ has form \reserved{Obj[T]} or \reserved{ConstObj[T]}}\},\\
\end{array}
\end{displaymath}

\noindent $strip$ takes an object type, and
strips off the object portion, leaving the value. For example,
$strip(\reserved{Obj[int]})$ would return \reserved{int}. $selobjs$
takes a set of sorts and builds a subset consisting of the object
sorts. Used in conjunction, $strip$ and $selobjs$ create a set of
values that the object may have for the given state.

\subsubsection{Miscellaneous Rules}
\label{miscrules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[HOC]} &
\begin{array}{c}
E \vdash \mbox{\it FI} \Rightarrow E',\\
E \uminus E'\vdash \mbox{\textit{FSB}}: \surd \\
\hline
E \vdash \mbox{\textit{OP}$_{lsl}$}\mbox{\reserved{ satisfies} \textit{FI FSB}}:\{\reserved{Bool}\}
\end{array}
&
\begin{array}{l}
\mbox{If $E'$ is as described } \\
\mbox{in the text.}
\end{array}
\\
~\\
\RULELAB{[EQ]} &
\begin{array}{c}
E \vdash \mbox{\textit{OP}$_{{lsl}_1}$}:\alpha,~E \vdash \mbox{\textit{OP}$_{{lsl}_2}$}:\beta \\
\hline
E \vdash \mbox{\textit{OP}$_{{lsl}_1}$ \textit{EQ} \textit{OP}$_{{lsl}_2}$}:\{\reserved{Bool}\}
\end{array}
& 
\mbox{if $| \alpha \cap  \beta | = 1$}
\\
~\\
\end{array}
\end{displaymath}
\caption{Miscellaneous Rules}
\label{fig-three}
\end{BFIGURE}
In Larch/C++ \emph{higher-order} functions are functions which either
take pointers to functions as arguments, or return pointers to
functions \cite{Leavens96c}. The rule \RULELAB{[HOC]} in
Figure~\ref{fig-three} is the rule for the higher-order-comparison
used in the specification of higher-order functions. The
function-interface (\textit{FI}) is used to create a new type
environment, $E'$, from the formal parameters of the function
interface. Then the fun-spec-body(\textit{FSB}) is sort checked in
accordance with the rule presented earlier. Please see the Reference
Manual \cite[Section 6.12]{Leavens96c} for more information on
higher-order functions.

\subsubsection{Literal Rules}
Figures~\ref{fig-lit} and~\ref{fig-cpplit} illustrate the sort rules
for some of the literals. They are divided into the Larch/C++ basic
sorts and the special C++ literals. These rules show that the basic
building blocks have the specific sorts dictated by C++. The rule
\RULELAB{[LIT2]} serves as a model for the formulation of sorts for
the unsigned types. For a complete list, please see the Reference
Manual ~\cite[Chapter 11]{Leavens96c}.

\label{literalrules}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[LIT1]} &
E \vdash int\_const:\{\mbox{\texttt int}\}
\\
~\\
\RULELAB{[LIT2]} &
E \vdash unsigned_ int\_const:\{\mbox{\texttt unsignedInt}\}
\\
~\\
\RULELAB{[LIT3]} &
E \vdash float\_const:\{\mbox{\texttt double}\}
\\
~\\
\RULELAB{[LIT4]} &
E \vdash char\_const:\{\mbox{\texttt char}\}
\\
~\\
\RULELAB{[LIT5]} &
E \vdash \mbox{\reserved{L }}char\_const:\{\mbox{\texttt wchar\_t}\}
\\
~\\
\RULELAB{[LIT6]} &
E \vdash string\_literal:\{\mbox{\texttt Arr[Obj[char]]}\}
\\
~\\
\RULELAB{[LIT7]} &
E \vdash \mbox{\reserved{L }}string\_literal:\{\mbox{Arr[Obj[wchar\_t]]}\}
\\
~\\
\RULELAB{[LIT8]} &
E \vdash abstract\_string\_literal:\{\mbox{\texttt String[char]}\}
\\
~\\
\end{array}
\end{displaymath}
\caption{A Sampling of Literal Rules}
\label{fig-lit}
\end{BFIGURE}
\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[this]} &
E \vdash \mbox{\reserved{this}}:\tau
& 
\mbox{if $E(\mbox{\tt this}) = \tau$}
\\
~\\
\RULELAB{[self]} &
E \vdash \mbox{\reserved{self}}:\tau
& 
\mbox{if $E(\mbox{\tt self}) = \tau$}
\\
~\\
\RULELAB{[result]} &
E \vdash \mbox{\reserved{result}}:\tau
& 
\mbox{if $E(\mbox{\texttt{result}}) = \tau$}
\\
~\\
\RULELAB{[pre]} &
E \vdash \mbox{\reserved{pre}}:\{State\}
\\
~\\
\RULELAB{[post]} &
E \vdash \mbox{\reserved{post}}:\{State\}
\\
~\\
\RULELAB{[any]} &
E \vdash \mbox{\reserved{any}}:\{State\}
\\
~\\
\RULELAB{[sizeof]} &
E \vdash \mbox{\reserved{sizeof(}}type\mbox{\reserved{)}}:\{int\}
\\
~\\
\end{array}
\end{displaymath}
\caption{More Literal Rules}
\label{fig-cpplit}
\end{BFIGURE}

\subsubsection{Storage Rules}
\label{storerules}

\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[fresh]} &
\begin{array}{c}
E \vdash T_1:\tau_1,\dots, E \vdash T_n:\tau_n\\
\hline
E \vdash
\mbox{\reserved{fresh(}$T_1$\reserved{,}\dots\reserved{,}$T_n$\reserved{)}}:\{\reserved{Bool}\}
\end{array}
&
\begin{array}{l}
n > 0,\\
\forall k (1 \leq k \leq n) \Rightarrow \tau_k \not= \emptyset
\end{array}
\\
~\\
\RULELAB{[trashed]} &
\begin{array}{c}
E \vdash SRL~\surd\\
\hline
E \vdash \mbox{\reserved{trashed(}SRL\reserved{)}}:\{\reserved{Bool}\}
\end{array}
\\
~\\
\RULELAB{[unchanged]} &
\begin{array}{c}
E \vdash SRL~\surd\\
\hline
E \vdash \mbox{\reserved{unchanged(}SRL\reserved{)}}:\{\reserved{Bool}\}
\end{array}
\\
~\\
\RULELAB{[thrown]} &
\begin{array}{c}
E \vdash S \reserved{ OK}, E \vdash SRL~\surd \\
\hline
E \vdash \mbox{\reserved{thrown(}}S\reserved{)}:\{S\}
\end{array}
\\
~\\
\RULELAB{[throws]} &
\begin{array}{c}
E \vdash S \reserved{ OK}\\
\hline
E \vdash \mbox{\reserved{throws(}}S\reserved{)}:\{\reserved{Bool}\}
\end{array}
\\
~\\
\RULELAB{[returns]} &
E \vdash \reserved{returns}:\{\reserved{Bool}\}
\\
~\\
%\RULELAB{[SRL5]} &
%\begin{array}{c}
%E \vdash SR:\tau \\
%\hline
%E \vdash SR~\surd
%\end{array}
%&
%\begin{array}{l}
%\end{array}
%\\
%~\\
\RULELAB{[modifies]} &
\begin{array}{c}
E \vdash SRL~\surd \\
\hline
E \vdash \mbox{\reserved{modifies }} SRL: \surd
\end{array}
\\
~\\
\RULELAB{[constructs]} &
\begin{array}{c}
E \vdash \reserved{modifies}~ SRL~\surd \\
\hline
E \vdash \mbox{\reserved{constructs }} SRL: \surd
\end{array}
\end{array}
\end{displaymath}
\caption{Storage Reference Rules, Part One}
\label{ref-fig}
\end{BFIGURE}

\begin{BFIGURE}
\begin{displaymath}
\begin{array}{lll}
\RULELAB{[SRL]} &
\begin{array}{c}
E \vdash SR_1~\surd,\dots,E\vdash SR_n~\surd\\
\hline
E \vdash SR_1,\dots,SR_n~\surd
\end{array}
&
\mbox{if $n \geq 0$}
\\
~\\
\RULELAB{[SRL2]} &
\begin{array}{c}
E \vdash \mbox{\reserved{nothing}}~\surd
\end{array}
\\
~\\
\RULELAB{[SRL3]} &
\begin{array}{c}
E \vdash \mbox{\reserved{everything}}~\surd
\end{array}
\\
~\\
\RULELAB{[SRL4]} &
\begin{array}{c}
E \vdash SR:\tau \\
\hline
E \vdash SR~\surd
\end{array}
&
\begin{array}{l}
\mbox{if \reserved{Set[TypeTaggedObject]}} \in \tau \mbox{ or } \\
(\tau = \{S\} \mbox{ and}  \\
S \not= \mbox{\reserved{Set[TypeTaggedObject]}} \mbox{ and} \\
S \rightarrow \mbox{\reserved{Set[TypeTaggedObj]}} \\
~~~~~~~~~\in E(\mbox{\reserved{contained\_objects}}))
\end{array}
\\
~\\
\end{array}
\end{displaymath}
\caption{Storage Reference Rules, Part Two}
\label{ref-fig2}
\end{BFIGURE}

In Larch/C++ storage references are used in the \reserved{modifies}
clause, and in a few other places. The storage reference rules
illustrated in Figures~\ref{ref-fig} and~\ref{ref-fig2} show how these
references interact with the sort system. Rule \RULELAB{[SRL4]} is the
most complex of the rules. Its side condition states that a storage
reference must either have the sort \reserved{Set[TypeTaggedObject]}
or if it does not have this sort, there must be a operation
\reserved{contained\_objects} within the type environment $E$ which
has the signature \\ \reserved{S -> Set[TypeTaggedObject]} associated
with it and the sort of the storage reference must be \reserved{S}. The
constraints in the side condition are there because of the definition
of storage references. For more information on the
semantics of storage references, see the
Reference Manual \cite[Section 6.2.3.3 and following]{Leavens96c}.

%\input{implementation}
\section{Implementation of the System} 
As mentioned in the
Introduction, the development process for type checking in the
Larch/C++ Checker has occurred in many pieces. This section of the
paper begins with a short description of the Checker's source files
and the tools used in development. Following that, the modifications to
the Checker to support the C++ \reserved{namespace} construction are
described. A description of the modifications to the Larch/C++ Checker
and the LSL Checker to allow for the support of LSL constructs in
Larch/C++ continues the section. Then a description of how
the system converts C++ declarations to LSL sorts is given. The
concluding section discusses the lookup algorithm and preliminary type
checking results. Note that the source code presented in the following
sections has been stripped of any comments or specifications in order to save
space. Please refer to the actual implementation for more details.

\subsection{Overview of the System}
The task of creating tools for a language as complex as Larch/C++ is
difficult. Any implementation of the tools will also be complex.
Larch/C++'s implementation can be broken down into the following major pieces:
\begin{itemize}

\item The lexer and parser for Larch/C++
\item The lexer and parser for LSL operation signatures
\item The temporary file support system
\item The LSL Checker
\item The Symbol Table System

\end{itemize}

Note that the LSL Checker is included here because it required
modification to work within the system, and because it is an important 
part of the system as a whole.
 
\begin{BFIGURE}
\begin{center}
%\input{sysover2}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(6107,4534)(364,-4300)
\thicklines
\special{ps: gsave 0 0 0 setrgbcolor}\put(2932,-3954){\framebox(3145,3931){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(3456,-3692){\framebox(787,524){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(5029,-3692){\framebox(786,524){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(573,-2578){\framebox(1179,524){}}
\special{ps: gsave 1 0 0 setrgbcolor}\put(4767,-1858){\framebox(1048,524){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(5553,-3168){\vector( 0, 1){1310}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(5553,-1334){\vector( 0, 1){263}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(5029,-1071){\vector( 0,-1){263}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(5029,-1858){\vector( 0,-1){262}}
\special{ps: grestore}\special{ps: gsave 0 0 .69 setrgbcolor}\put(3980,-2906){\framebox(1311,786){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(5094,-2906){\vector( 0,-1){262}}
\special{ps: grestore}\put(5815,-678){\vector( 1, 0){525}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(5815,-3299){\vector( 4, 3){524.640}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(5815,-3496){\vector( 1,-1){491.500}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(5815,-3430){\vector( 1, 0){525}}
\special{ps: grestore}\special{ps: gsave 1 0 1 setrgbcolor}\put(4505,-1071){\framebox(1310,786){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(638,-1792){\framebox(1049,524){}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(1752,-2382){\line( 1, 0){656}}
\put(2408,-2382){\line( 0,-1){1048}}
\put(2408,-3430){\vector( 1, 0){1048}}
\special{ps: grestore}\special{ps: gsave .56 0 .56 setrgbcolor}\put(4505,-3299){\vector( 1, 0){524}}
\put(4505,-3299){\line( 0, 1){262}}
\put(4505,-3037){\line(-1, 0){787}}
\put(3718,-3037){\line( 0, 1){2097}}
\put(3718,-940){\vector( 1, 0){787}}
\special{ps: grestore}\special{ps: gsave .56 0 .56 setrgbcolor}\put(1687,-1530){\line( 1, 0){721}}
\put(2408,-1530){\line( 0, 1){917}}
\put(2408,-613){\vector( 1, 0){2097}}
\special{ps: grestore}\special{ps: gsave 0 0 0 setrgbcolor}\put(4243,-3430){\vector(-1, 0){  0}}
\put(4243,-3430){\vector( 1, 0){786}}
\special{ps: grestore}\put(3001,-2986){\framebox(600,525){}}
\put(3601,-2686){\vector(-1, 0){  0}}
\put(3601,-2686){\vector( 1, 0){375}}
\put(3226,-3286){\vector( 1, 0){225}}
\put(3226,-3286){\vector( 0, 1){300}}
\special{ps: gsave 0 0 0 setrgbcolor}\put(376,-3103){\framebox(1573,2097){}}
\put(3226,-3286){\line( 0,-1){600}}
\put(3226,-3886){\line( 1, 0){2175}}
\put(5401,-3886){\vector( 0, 1){225}}
\put(3076,-2686){\makebox(0,0)[lb]{\smash{\SetFigFont{9}{10.8}{sf}SymTab}}}
\put(2997,108){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}lcppparse\special{ps: grestore}}}}
\put(704,-2251){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}Larch/C++\special{ps: grestore}}}}
\put(704,-2447){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}Statements\special{ps: grestore}}}}
\put(4898,-1661){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 1 0 0 setrgbcolor}TmpFiles\special{ps: grestore}}}}
\put(4046,-2316){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 .69 setrgbcolor}operation\special{ps: grestore}}}}
\put(4046,-2513){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 .69 setrgbcolor}signature\special{ps: grestore}}}}
\put(4046,-2709){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 .69 setrgbcolor}parser\special{ps: grestore}}}}
\put(6405,-3365){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}syntax\special{ps: grestore}}}}
\put(6405,-3561){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}errors\special{ps: grestore}}}}
\put(6405,-744){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}errors\special{ps: grestore}}}}
\put(6405,-2775){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}semantic\special{ps: grestore}}}}
\put(6405,-2972){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}errors\special{ps: grestore}}}}
\put(6471,-3889){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}trait\special{ps: grestore}}}}
\put(6471,-4085){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}inclusion\special{ps: grestore}}}}
\put(6471,-4282){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .82 0 0 setrgbcolor}errors\special{ps: grestore}}}}
\put(4570,-744){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 1 0 1 setrgbcolor}LSL Checker\special{ps: grestore}}}}
\put(376,-875){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{rm}\special{ps: gsave 0 0 0 setrgbcolor}Specification\special{ps: grestore}}}}
\put(376,-678){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}Larch/C++\special{ps: grestore}}}}
\put(704,-1596){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}LSL Traits\special{ps: grestore}}}}
\put(5160,-3496){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}parser\special{ps: grestore}}}}
\put(3822,-1389){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .56 0 .56 setrgbcolor}control\special{ps: grestore}}}}
\put(3822,-1585){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave .56 0 .56 setrgbcolor}signals\special{ps: grestore}}}}
\put(3653,-3496){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{sf}\special{ps: gsave 0 0 0 setrgbcolor}lexer\special{ps: grestore}}}}
\end{picture}

\end{center}
\caption{The Structure of the Larch/C++ Checker}
\label{sysover2}
\end{BFIGURE}

\noindent Figure~\ref{sysover2} shows a pictorial representation of the
structure of the system.

The majority of the Larch/C++ Checker's implementation lies within the
lexer, the parser, and the support code. The lexer and parser are
built using an attribute grammar system called Ox~\cite{Ox}. The
Checker does not take full advantage of Ox, but the
syntax for the creation and access of attributes for rules in Ox can
be clearer than the equivalent expressions in \reserved{yacc}. Ox takes a
decorated grammar as input and generates output in the form of
\reserved{.l} and \reserved{.y} files to be sent through \reserved{lex} and
\reserved{yacc}. 

The support files for the lexer and parser include all of the code to
generate the various data structures used within the Checker. The code
has been developed using C++. Names of the source files and classes
attempt to clearly state what they are used for. The file names can be
confusing because they are limited to 8.3 format for compatibility
with MS-DOS (Originally, MS-DOS allowed only filenames which had eight 
characters followed by a three character extension). An example of how the files and classes are named is the
case of type specifiers. Type specifiers are a part of the C++
declaration syntax. The support code for type specifiers in the
Larch/C++ Checker is contained in files named \reserved{TypeScfr.*}
and the class implemented is actually named \reserved{TypeSpecifier}. It is
important to note that some header files are broken into four
pieces, the \reserved{.pre} file, the \reserved{.h} file, the
\reserved{.pri} file, and the \reserved{.bse} file. Not all headers
have all of these files, but most have at least the \reserved{.h} and
\reserved{.pri}. The \reserved{.pre} file is used to hold any
private declarations or \reserved{\#include} directives for the
\reserved{.h} file that might occur before a class definition. The
\reserved{.h} file contains the public portion of the class definition. The
\reserved{.pri} file contains protected or private members. The
\reserved{.bse} file is used for private or protected inheritance.

The common code portion of the system contains code that is not
specific to the Larch/C++ Checker. This includes implementations of
dynamic strings, debugging code, interfaces to the environment, and
other functions. These classes and functions are used throughout the
whole of the system.

Finally, not mentioned in the above list but still very important to
the Larch/C++ Checker is the Boehm-Demers-Weiser Conservative Garbage
Collector~\cite{Boehm-Weiser88}. All reclamation of allocated storage
is handled by the garbage collector. This is important because the
code makes heavy use of pointers and dynamic allocation of objects.

\subsection{Support for C++ \reserved{namespace}}
\label{namspcimp}
The Draft C++ Standard~\cite{C++Apr95} contains definitions for many
new language constructs. One of these is \reserved{namespace}. The
\reserved{namespace} construct was added to C++ to allow for 
an additional level of scoping for names. Before namespaces, the
possibility existed for vendors to supply libraries of code that would
have name conflicts. For example, vendor A ships a linked-list library
with the operation Delete(). It was possible that this Delete could
name conflict with some other piece of code. The only solution was either to
not use the library or to wrap the library in another class to 
isolate the name. Namespaces allow for declarations to be
wrapped in another name without the need for additional classes. These
wrapped names can then be made available via a \reserved{using}
declaration. 
\begin{BFIGURE}
\begin{verbatim}
namespace foo{
  int i;
  int j;
}

void inc(){
  using namespace foo;
}

void dec(){
  uses foo::i;
}
\end{verbatim}
\caption{The C++ \reserved{namespace} Construction}
\label{namespcex}
\end{BFIGURE}

Figure~\ref{namespcex} shows an example of the use of
the \reserved{namespace} construction.The \reserved{namespace} declaration creates a new \reserved{namespace} named
\reserved{foo} which contains the declarations for \reserved{i} and
\reserved{j}. These variables will not be visible at any scope level
(see Section~\ref{cppts} for a review of the C++ scoping system)
unless there is a \reserved{using} directive or a
\reserved{using} declaration involving them. Within the function
\reserved{inc()} there is an example of a \reserved{using}
directive. The 
\begin{verbatim} 
using namespace foo; 
\end{verbatim}
informs the system that all the declarations contained within
\reserved{namespace foo} should become visible at the current
scope. Similarly the \reserved{using} declaration: 
\begin{verbatim} 
uses foo::i;
\end{verbatim} 
informs the system that the declaration for \reserved{i} contained in
\reserved{namespace foo} should be visible at the current
scope. Another form of the \reserved{namespace} declaration, the
\emph{unnamed namespace}, has a similar syntax, except a name is not
supplied for the namespace. The semantics of unnamed namespaces
are a little different, however. An unnamed \reserved{namespace} has the effect
of declaring a namespace followed by an immediate \reserved{using}
directive. Thus, the names become visible immediately.

\begin{BFIGURE}
\begin{center}
%\input{symtab}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(4512,2724)(139,-2473)
\thicklines
\put(751,-2161){\makebox(6.6667,10.0000){\SetFigFont{10}{12}{rm}.}}
\put(751,-2161){\vector( 1, 0){750}}
\put(151,-1861){\framebox(1200,300){}}
\put(226,-61){\framebox(1200,300){}}
\put(676,-61){\line( 0,-1){300}}
\put(676,-361){\makebox(6.6667,10.0000){\SetFigFont{10}{12}{rm}.}}
\put(676,-361){\vector( 1, 0){825}}
\put(2701,-661){\framebox(1575,600){}}
\put(4126,-211){\vector( 1, 0){450}}
\put(4126,-511){\vector( 1, 0){450}}
\put(2701,-361){\line( 1, 0){1575}}
\put(1501,-2461){\framebox(900,600){}}
\put(1501,-2161){\line( 1, 0){900}}
\put(2176,-2311){\vector( 1, 0){525}}
\put(1501,-1561){\framebox(900,600){}}
\put(1501,-1261){\line( 1, 0){900}}
\put(2176,-1411){\vector( 1, 0){525}}
\put(1501,-661){\framebox(900,600){}}
\put(1501,-361){\line( 1, 0){900}}
\put(2176,-511){\vector( 1, 0){525}}
\put(2701,-1561){\framebox(1575,600){}}
\put(4126,-1111){\vector( 1, 0){450}}
\put(4126,-1411){\vector( 1, 0){450}}
\put(2701,-1261){\line( 1, 0){1575}}
\put(751,-1861){\line( 0,-1){300}}
\put(2701,-2461){\framebox(1575,600){}}
\put(4651,-2086){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\put(4126,-2011){\vector( 1, 0){450}}
\put(4126,-2311){\vector( 1, 0){450}}
\put(2701,-2161){\line( 1, 0){1575}}
\put(2326,-2011){\vector( 0, 1){450}}
\put(2326,-1111){\vector( 0, 1){450}}
\put(151,-1786){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}currentSymTab}}}
\put(301, 14){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}globalSymTab}}}
\put(2776,-286){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}nonClassOrEnum}}}
\put(2776,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}classOrEnum}}}
\put(4576,-286){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\put(4576,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\put(1576,-2086){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}globals}}}
\put(1576,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}locals}}}
\put(1576,-1186){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}globals}}}
\put(1576,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}locals}}}
\put(1576,-286){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}globals}}}
\put(1576,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}locals}}}
\put(2776,-1186){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}nonClassOrEnum}}}
\put(2776,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}classOrEnum}}}
\put(4651,-1186){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\put(4651,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\put(2776,-2086){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}nonClassOrEnum}}}
\put(2776,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}classOrEnum}}}
\put(4651,-2386){\makebox(0,0)[lb]{\smash{\SetFigFont{10}{12.0}{tt}Symbols ...}}}
\end{picture}

\end{center}
\caption{The Structure of the Symbol Table}
\label{symtabstruct}
\end{BFIGURE}

Before describing the implementation of the support for the
\reserved{namespace} construction 
within the Larch/C++ Checker, some background on the symbol table
system used within the Checker is needed. Figure~\ref{symtabstruct}
illustrates the structure of the system's symbol table at some point.
The basic structure of the symbol table is contained within the
\reserved{class SymTab}. In this illustration, there are two pointers,
\reserved{globalSymTab} and \reserved{currentSymTab}, which point to
objects of type \reserved{SymTab}. \reserved{globalSymTab} always
points to the top of the symbol table, while \reserved{currentSymTab}
always points to the current local scope. Each \reserved{SymTab}
object contains a link to its enclosing scope, \reserved{global}, and
a link to the information in that table's current scope,
\reserved{locals}. At the top level of the symbol table, the
\reserved{globals} pointer is
\reserved{NULL} to signify the top of the table. The local information
in a \reserved{SymTab} is contained with a \reserved{Locale} object. A
Locale contains references to two lists of \reserved{Symbols}, those
that are classes or enumerations, \reserved{classOrEnum}, and those
which are not, \reserved{nonClassOrEnum}. The \reserved{Symbol} class,
and its derived classes, are used to represent and store the various
types of C++ declarations. Please see Figure~\ref{symbolh} for the class
hierarchy diagram for \reserved{Symbol} and its derived classes.

\begin{BFIGURE}
\begin{center}
\include{classsym}
\end{center}
\caption{The \reserved{Symbol} Class Hierarchy}
\label{symbolh}
\end{BFIGURE}

Modifying the Larch/C++ system to support the \reserved{namespace} and
\reserved{using} constructs was not difficult. Within the Larch/C++
checker, there was already support for the parsing of the
\reserved{namespace} and \reserved{uses} syntax. \reserved{Symbol}s of
the form
\reserved{OriginalNamespaceName} were created when a
\reserved{namespace}  declaration was parsed. The
\reserved{OriginalNamespaceName} object contains a local symbol table
with a structure similar to the system's symbol table. The declarations
within a namespace are placed within this local table so that they are
available whenever the namespace object is referenced. Since this
portion of the implementation was already complete, all that needed to
be done was to implement the semantics of the using declarations and
directives.

At first, the best solution was thought to be that when a \reserved{using}
directive or declaration was seen, simply copy the symbol for that
declaration out of the namespaces local symbol table into the current
symbol table for that scope. However, the question was raised, are the
symbols we copy really like the other symbols within the table? The
declarations introduced by using declarations and directives appear to
be or are synonyms for the previous declarations. It was decided that
the declarations introduced by the \reserved{using} forms should be
differentiated from other forms of declarations. This was done because 
using directives and declarations don't really create new declaration
information, they simply change it's visibility. Thus simply creating
new regular declaration objects that were copies of the previous
declaration objects would not suffice.

Various solutions to this problem were proposed. One solution involved
the creation of a new form of \reserved{Symbol}, the \reserved{Alias}
which would have contained a reference back to the original symbol in
the namespace symbol object. These \reserved{Alias} objects would have been
placed into the scope containing the \reserved{using} form. While this
solution had promise, it also added complexity. The actual declaration
information would not have been easily accessible within the \reserved{Alias}
object because it would have had to have been dereferenced in some manner.

While the \reserved{Alias} object idea was rejected, the basic idea
behind it, the idea of aliases, formed the cornerstone for the actual
solution. The basic structure of the \reserved{Symbol} class and its
derived classes was modified to support a new data member, the alias
field. The \reserved{alias} field is a boolean value that stated whether this
object was an alias or a simple symbol. Besides the data member,
member functions for the observation and modification of this data
member were created. The use of C++ and inheritance shined at this
point. Only the code for the \reserved{Symbol} class had to be
modified, with the change affecting the derived classes via
inheritance. This solution also avoided the extra complexity of creating a
new type of \reserved{Symbol} and the difficulty in getting at the declaration
information. When a \reserved{using} statement was seen, all that needed to be
done was create a copy of the symbols within the namespace
object, flag these copies as aliases, and insert them into the symbol
table.

The code to create the alias copies and do the insertion into the
symbol table ended up going through two revisions. The first
implementation took a non object-oriented path to the
solution. Remember that the \reserved{namespace} objects contained a
symbol table with the same structure as the global symbol table
described earlier. To create copies of the symbols, the system needed
to be able to access them easily. The first implementation modified
the
\reserved{Locale} class, adding member functions that gave access to
the protected data members. Once the system had the lists of
\reserved{Symbol}s out of the \reserved{Locale}, it processed these
Symbols one at a time via a large case statement. The case statement
checked to see what kind of \reserved{Symbol} it was, created a copy
of the symbol with the \reserved{alias} field set, and passed this
copy back to the system to add to the current scope. While this
solution worked, it seemed to void some of the advantages of
object-oriented design. First, member functions should not pass
private or protected data members to their callers. This breaks the
property of encapsulation. Second, with the use of virtual functions,
there should be no need for large case statements to differentiate
between the type of symbols. Thus, the code was rewritten to be more
object-oriented.

The final implementation consists of the following. The \reserved{Symbol} class
and its derived classes were modified to have member functions
\reserved{CloneSym} and \reserved{CloneSymAsAlias}. A \reserved{Symbol}
object receiving one of these method calls creates a copy of itself,
setting the \reserved{Alias} flag as necessary. The functions to allow
for access to the data within the \reserved{Locale} objects and the
\reserved{SymTab} objects were moved into member functions for those
classes. This kept the encapsulation of the protected data members
intact. Figure ~\ref{cpsymcpp} illustrates the
\reserved{CopySymbols} functions and Figure ~\ref{usdlgram} shows
their use in the Larch/C++ grammar file for the case of a
\reserved{using} directive.
\begin{BFIGURE}
\begin{verbatim}

void SymTab::CopySymbols(SymTab *Table, bool asAlias){ 
    locals->CopySymbols(Table,asAlias);
}

void Locale::CopySymbols(SymTab *Table, bool asAlias){
  Table->CopySymbols(asAlias,nonClassOrEnum);
  Table->CopySymbols(asAlias,classOrEnum);
}

void SymTab::CopySymbols(bool asAlias, SymNodePtr SymList){
 
  SymNodePtr currentSym;
  Symbol *copySym;
  currentSym = SymList;

  while (currentSym != NULL) {
    if (asAlias) {
      copySym = Car(currentSym)->CloneSymAsAlias();
    } else {
      copySym = Car(currentSym)->CloneSym();
    }
    if ((this->Defined(Car(currentSym)->GetName()))) {
      Warning(*(currentSym->value->GetName()) +
              DyString(" is multiply defined in this scope\n")+
              DyString("The new definition was ignored and not inserted"));
    } else {
      this->AddSym(copySym);
    }
    SymNodePtr currentSym2 = Cdr(currentSym);
    currentSym = currentSym2;
  }

}
\end{verbatim}
\caption{The \reserved{CopySymbols} Functions}
\label{cpsymcpp}
\end{BFIGURE}

\begin{BFIGURE}
\begin{verbatim}
using_directive
    : USING NAMESPACE complete_namespace_name T_SEMI
        @{ @m using_directive.sym;
           @using_directive.sym@ = @complete_namespace_name.sym@;
           SymTab *LocalSyms = @using_directive.sym@->GetLocals();
           /*
             LocalSyms contains a SymTab that contains the
             symbols that must be inserted.
           */
           LocalSyms->CopySymbols(currentSymTab,true);

        @}
\end{verbatim}
\caption{One Production for Using Directives}
\label{usdlgram}
\end{BFIGURE}
The way the functions work for this example is as follows. Looking at
Figure~\ref{usdlgram}, notice the comment. The \reserved{LocalSyms}
variable contains the local symbol table associated with the
namespace. The function \reserved{CopySymbols} is overloaded for SymTab
objects. In this case the call
\begin{verbatim}
LocalSyms->CopySymbols(currentSymTab,true)
\end{verbatim}
 resolves to the first function in Figure~\ref{cpsymcpp}. The arguments
to this function are the destination symbol table into which the
copies will be placed, and a boolean value representing whether the
copies should be aliases. This function then calls
\reserved{Locale::CopySymbols} passing along the
arguments. \reserved{Locale::CopySymbols} calls the more complex of
the two \reserved{SymTab::CopySymbols} functions to do the actual
copying of the symbols and insertion within the symbol table. The
insertions are done as follows. The first item is taken off of the
list of symbols. The item is copied either as an alias or as a plain
\reserved{Symbol} object depending on the value of the
\reserved{asAlias} parameter. The 
copy is then inserted into the symbol table referenced by the default
parameter if it is not already there. The next Symbol to copy is taken
off the list, and the process continues until all symbols have been
copied.

\subsection{Support for LSL Constructs}
As its name suggests, Larch/C++ is dependent upon the Larch Shared
Language. Specifiers use LSL traits to create the abstract models for
their specifications. These models can then be referenced in Larch/C++
in a number of ways: \reserved{uses} sequences, \reserved{expects}
sequences, etc. The Larch/C++ Checker needs to be able to extract
information about the operations defined within traits. The system
must handle the overloading of trait operations and the renaming of
sort parameters within traits. One possible solution was to write a
filter for LSL traits that would extract the necessary
information. This appeared to be a time sink, however. It was decided
to see how other languages in the Larch family handled this interface.

\subsubsection{Interface to the LSL Checker}
\label{lslinterf}
After examining an early implementation for the LCLint
tool~\cite{lclint}, it was realized that the LSL Checker handles the
renaming of traits in
\reserved{includes} clauses, and will generate the needed information
about the trait operations via the \reserved{-syms} option. Reusing
this functionality would save time and effort. Thus, an interface to
the LSL Checker was needed. The interface and its development occurred
in a series of steps. First, the information within the Larch/C++
specifications needed to be converted into a form useful to the LSL
Checker. Then a system of passing this information to the LSL Checker
and capturing the output was needed. Finally the information from the
LSL Checker needed to be translated and stored in a form that the
Larch/C++ Checker could later use.

The first step, converting Larch/C++ \reserved{uses} clauses into useful LSL
information, was a non-trivial task. For example, there needed to be a
way to convert a \reserved{uses} clause like 
\begin{verbatim}
//@ uses SimpleSetTrait(Elem for E, Set<Elem> for C);
\end{verbatim}
into an equivalent LSL \reserved{includes} line. To do this, the
Larch/C++ parser was modified to build strings of trait
information. Two attributes were added to the parse tree nodes, a
pointer to a
\reserved{DyString} called \reserved{info} and a boolean called
\reserved{TooComplex}. The \reserved{info} attribute points to the
string that will eventually contain the trait and renaming information
for the LSL \reserved{includes} line. The string is built as expected,
bottom up, as the parse is conducted. The system handles template
types, like the type \reserved{Set<int>} above, by translating the
\reserved{<>} symbols into legal \reserved{[]} symbols. The system can
do this because Larch/C++ requires that template types have equivalent
sorts~\cite[Page 20]{Leavens96c}.However, C++ allows for complex
expressions as template arguments. How should the system handle those?
The answer is, it does not. The \reserved{TooComplex} attribute is
used to keep track of the simplicity of the template arguments. If
something that the system cannot handle, such as an expression
\reserved{1 < 2}, appears as an argument, the \reserved{TooComplex}
flag is set. This causes the Checker to generate a warning that the
\reserved{uses} clause was too complex to translate into an LSL
\reserved{includes} directive.

Once the information in a \reserved{uses} clause has been translated,
it needs to be passed to the LSL Checker. This requires some sort of
interface between the Larch/C++ Checker and the LSL Checker. The
interface used owes a lot of its basic design to the interface used by
LCLint 1.4a~\cite{lclint}. The LCLint tool generates a temporary trait
file that contains an \reserved{includes} statement for the trait
information. It then uses the Standard C \reserved{system} call to run
the LSL Checker over that file, redirecting the Checker's output into another
temporary file. If \reserved{system} returns an error condition, then the LSL
Checker is run again over the file to allow the error messages to be
passed to the user.

As in the LCLint tool, the Larch/C++ Checker takes the
information generated from the \reserved{uses} clause (or other expressions
involving traits) and creates a temporary trait. This trait consists
of an
\reserved{includes} statement that uses the generated traits. The LSL
Checker is then run on this temporary trait to both check its syntax and to
generate the \reserved{-syms} output. Once this basic interface 
was sketched out, a few questions surfaced. How are the temporary
files generated and managed? What is the best way to call the LSL
Checker? Does the LSL Checker need to be run twice?

Temporary file management was the first item to be addressed. It was
known that there was a \reserved{tmpfile} function in Standard C that
would generate a uniquely\-named temporary file. The problems with this method
were that the file was always automatically deleted, and that the
return value of the call was a \reserved{FILE *}. Since the system was
implemented in C++, it was felt that the system should use streams as
the interface rather than \reserved{FILE} pointers. The system should
also have the ability to keep its temporary files around both for
debugging purposes, and perhaps for caching purposes in the future
(see Section ~\ref{futwork}). It was also necessary to design the
implementation of temporary files in a way that would be more easily
portable to other operating systems.

The best solution to all of these issues was to design a temporary
file class. The class would encapsulate the creation of the file names
within its constructor, allowing us the ability to provide our own
name or let the system choose one. It would also provide the ability
to flag a file as undeleteable, so that it would not be reclaimed by
the system. The destructor could check this flag, and delete the file
as necessary. Figure~\ref{tmpfile} shows the header for the class
\reserved{TmpFile} designed to meet these goals.

\begin{BFIGURE}
\begin{verbatim}
#ifndef _TmpFile_h
#define _TmpFile_h 1
#include <fstream.h>
#include <stdio.h>
#include <stdlib.h>
#include "DyString.h"
#include "dirname.h"

class TmpFile {

public:
  TmpFile();
  TmpFile(char *extension);
  virtual ~TmpFile();
  virtual bool open();
  virtual bool close();
  virtual char *GetPath() const;
  virtual char *GetFileName() const;
  virtual char *GetCompletePath() const;
  virtual bool IsDeleteable() const;
  virtual void Deleteable(bool flag);
  friend ostream& operator << (ostream& out, const TmpFile& tmp);
  static void SetDefaultPath(char *def_dir);

protected:
  static DyString default_path;
  DyString path;
  DyString filename;
  DyString extension;
  DyString CompletePath;
  bool deleteable;
  fstream mystream;
};
#endif
\end{verbatim}
\caption{The TmpFile header}
\label{tmpfile}
\end{BFIGURE}
\reserved{TmpFile}, which is part of the common code for the system, is an
abstract class. Derived classes may be specialized to allow for
different behaviors. In the Larch/C++ Checker, a derived class
\reserved{OutTmpFile} generates temporary files for system outputs. The classes
carry along their path information, which is based upon a default path
stored in a static member variable. The value of this variable defaults to
the current directory, but may be reset as needed. The \reserved{Deleteable}
member function is used to change the deleteable flag on the file. If
the deleteable flag is true, the file will be deleted when its
destructor is called. The class currently allows for an extension to
be added to the temporary file. This was added because LSL requires
traits to reside in files with the extension
\reserved{.lsl}.

Once a system for generating temporary files was ready, it was time to
design the method for calling the LSL Checker. All of the efforts
surrounding the call are encapsulated within the \reserved{call\_lsl}
function. Figures~\ref{calllsl1} and~\ref{calllsl2} show the source
code for this function. The first half of the function
(Figure~\ref{calllsl1}) sets up the temporary files that are needed. It creates
two \reserved{OutTmpFile}s, \reserved{tmptrait} to hold the temporary trait information, and
\reserved{symsout} to hold the output from the LSL Checker. The function checks
to make sure that these files can be opened for writing. If not, it
exits with an error. Once it has opened the files, it proceeds to
create the temporary trait. Traits in LSL are required to have the
trait name and the file name be the same. Thus the first thing
\reserved{call\_lsl} does is get the file name from
\reserved{tmptrait}. It takes the name provided by the
\reserved{OutTmpFile} and the \reserved{includes} line 
passed as an argument, and creates the temporary trait. For example,
given the \reserved{uses} clause
\begin{verbatim}
//@ uses SimpleSetTrait(Elem for E, Set<Elem> for C);
\end{verbatim}

\reserved{call\_lsl} will be called with the \reserved{includes}
parameter set to
\begin{verbatim}
SimpleSetTrait(Elem for E, Set[Elem] for C)
\end{verbatim}
and will generate a temporary trait similar to the following.
\begin{verbatim}
eaaa04712:trait
includes SimpleSetTrait(Elem for E,Set[Elem] for C)
\end{verbatim}

\begin{BFIGURE}
\begin{verbatim}
#include <signal.h>
#include <stdlib.h>
#include "OutTmpFile.h"
#include "LSLsup.h"
#include "debug.h"
#include "DGetEnv.h"
#include "execit.h"

extern int lslparse();
extern bool LSL_keep_on_error;
extern bool verbose;

int call_lsl(DyString includes){
  extern bool debug_flag;
  int val,pid,status;
  DyString sys_str;
  
  OutTmpFile tmptrait("lsl");
  OutTmpFile symsout;
  if(debug_flag){
    tmptrait.Deleteable(false);
    symsout.Deleteable(false);
  }
  if(!tmptrait.open()){
    return(TMPFILE_ERR);
  }
   if(!symsout.open()){
    return(TMPFILE_ERR);
  }
  tmptrait.write(tmptrait.GetFileName());
  tmptrait.write(":trait\n");
  tmptrait.write("includes ");
  tmptrait.write(includes.ToCppString());
  tmptrait.write("\n");
  tmptrait.close();
\end{verbatim}
\caption{The \reserved{call\_lsl} Function, Part One}
\label{calllsl1}
\end{BFIGURE}

The second part of \reserved{call\_lsl} handles the generation of the
call to the LSL Checker and any resulting errors from that call; then it
passes the results on to the next stage. \reserved{call\_lsl} uses 
the environment variable \reserved{LSL\_EXE\_PATH} to locate the LSL
Checker in the operating system. The use of an environment variable here was
more flexible than either using a compilation macro to set the path,
or simply choosing a path. The environment variable makes it easy for
users to customize their installation of the tools. A call to the
\reserved{system} function is built from the path to the LSL
Checker and  the name of the temporary files. The macro variable
\reserved{EXECIT} is used to prepend an \reserved{exec} to the front of the
string on systems that support exec. This was done to improve the
ability of the system to handle user interrupts. The first version of
\reserved{call\_lsl} did not use exec and it had a tendency to not
report errors or respond to user signals. For example, if a user hit
Ctrl-C in the middle of checking, the system would return the user to
the command prompt, but continue to execute. The abnormal behavior was
traced to the shell invoked by the \reserved{system} call catching the signals
that should have been passed upward. The addition of the \reserved{exec} to
the command line passed to the \reserved{system} call allows for the messages
to return back to \reserved{system} as expected. 

After the actual \reserved{system} call, most of the remainder of
\reserved{call\_lsl} handles error conditions that may be
returned. The return value of \reserved{call\_lsl} is checked within
the parser. If the system has been interrupted, this fact is passed up
the call chain to the system driver, which halts the system. If the
\reserved{system} call has executed correctly, the Larch/C++ Checker
is ready to move on to parse the resulting \reserved{-syms} output.

\begin{BFIGURE}
\begin{verbatim}
  if(verbose){
    cerr << "Checking traits: " << includes.ToCppString() << endl;
  }
  DyString * lsl_exe = DGetEnv("LSL_EXE_PATH", new DyString("lsl"));
  sys_str = DyString(EXECIT) + *lsl_exe + DyString(" -syms ") +
            DyString(tmptrait.GetFileName());
  sys_str = sys_str + DyString(" > ") + DyString(symsout.GetFileName());
  val = system(sys_str.ToCppString());
  if(val < 0){
    return(SYSCALL_ERR);
  }
  if (WIFEXITED(val) && WEXITSTATUS(val) != 0) {
    if (LSL_keep_on_error) {
      tmptrait.Deleteable(false);
    }
    return(LSL_ERR);
  }
  if (WIFSIGNALED(val)) {
    tmptrait.close();
    return(WTERMSIG(val));
  }
  symsout.close();
  tmptrait.close();
  val = parse_lsl(symsout.GetFileName());
  return(val);
}
\end{verbatim}
\caption{The \reserved{call\_lsl} Function, Part Two}
\label{calllsl2}
\end{BFIGURE}

Once the basic interface was present in \reserved{call\_lsl}, and
before the parser for the
\reserved{-syms} output was written, the
interface to the LSL Checker was tested. At first everything seemed to
work fine. However, on very large traits the Larch/C++ checker consistently
caused core dumps. After investigation, it was discovered that the LSL
Checker had a large memory footprint that seemed to be causing the
system to run out of memory. After consulting with the maintainers of
the LSL Checker for ideas, the LSL Checker was modified to use the
garbage collector also. This reduced its memory footprint to one-half
the previous size, and allowed the Larch/C++ Checker to execute as
expected. 

Another discovery was that the LSL Checker did not follow
the UNIX convention of sending output that reported errors to the
\reserved{stderr} stream. This made clear why the implementors of the
LCLint tool made two calls to the LSL Checker. Since the errors were
reported on \reserved{stdout}, and they captured \reserved{stdout} to
a file, the second execution was to allow for the errors to appear to
the screen. Since modifications had already been made to support the
garbage collector, the LSL Checker's output system was modified to
support standard UNIX conventions. This allows the Larch/C++ checker
to make a single system call and still get user messages output to
the screen, and the \reserved{-syms} output to a file.

\subsubsection{Data Structures for Sorts}
Before one can parse and store the output from the LSL Checker, there
must be data structures to store it in. The design of the data
structures for sorts needed to embody the concept of sorts as they are
used in LSL, while also being easy to build. The belief was that the
sorts for C++ declarations might need to be built in pieces,
bottom-up, as the parse occurred. This influenced the functionality of
the design.

Originally, the Larch/C++ Checker had one class, \reserved{LCPPSort},
which was used to store sort information. It simply stored the
\reserved{TypeSpecifier} and \reserved{Declarator} information for a
declaration. The design of the new sort system began with the
\reserved{LCPPSort} class so that it would be easy to plug into the
existing tools.

After examining documentation for LSL and a multitude of traits, a
basic idea of what was needed to represent sorts was built. There are
three types of sorts within LSL, atomic sorts, parameterized sorts,
and arrow sorts. \emph{Atomic} sorts are the basic sort building
blocks. An example would be the sort \reserved{int}. Atomic sorts take
no arguments, and cannot be broken down into smaller
pieces. 


\emph{Parameterized} sorts are built by combining atomic sorts, or
other parameterized sorts, into a more complex whole. An example would
be the sort
\reserved{Set[int]}, which consists of the two atomic sorts,
\reserved{Set} and \reserved{int}. Even though most observed
parameterized sorts only had one parameter, the decision was made to
support the general case of an indeterminant number of parameters for a
given sort.

\emph{Arrow} sorts represent the signatures for LSL operators. An
example would be \reserved{int , int -> int}. Arrow sorts consist of
two pieces, an argument list which contains a list of atomic and
parameterized sorts, and a result sort which is either a atomic or
parameterized sort. Note that LSL does not support the concept of
higher order operations; that is, arrow sorts cannot be used as either
arguments or results. This fact simplifies the concrete implementation
of these sorts.

\begin{BFIGURE}
\begin{center}
%\input{classes2}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(5499,5724)(1789,-5773)
\thicklines
\put(4276,-961){\framebox(1875,900){}}
\put(4876,-1861){\line( 1, 0){ 75}}
\put(4951,-1861){\line( 1, 1){300}}
\put(5251,-1561){\line( 1,-1){300}}
\put(5551,-1861){\line(-1, 0){600}}
\put(5551,-1861){\line( 1, 0){150}}
\put(5701,-1861){\line(-1, 0){150}}
\put(3151,-3361){\framebox(1800,900){}}
\put(3751,-4261){\line( 1, 1){300}}
\put(4051,-3961){\line( 1,-1){300}}
\put(4351,-4261){\line(-1, 0){600}}
\put(3751,-4261){\line(-1, 0){1200}}
\put(4051,-3436){\line( 0,-1){525}}
\put(1801,-5761){\framebox(1650,900){}}
\put(5251,-961){\line( 0,-1){600}}
\put(5476,-3361){\framebox(1800,900){}}
\put(5926,-2986){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}ArrowSort}}}
\put(4876,-1861){\line(-1, 0){825}}
\put(4051,-1861){\line( 0,-1){600}}
\put(5551,-1861){\line( 1, 0){750}}
\put(6301,-1861){\line( 0,-1){600}}
\put(2551,-4261){\line( 0,-1){600}}
\put(4876,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}LCPPSort}}}
\put(2176,-5386){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}ParamSort}}}
\put(3601,-2986){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}AtomicSort}}}
\end{picture}

\end{center}
\caption{Class Hierarchy for \reserved{LCPPSort}: First Design}
\label{classfirst}
\end{BFIGURE}

Originally, the class hierarchy in Figure~\ref{classfirst} was
proposed. Within this hierarchy, \reserved{LCPPSort} was viewed as an abstract
class, allowing for basic behavior to be shared, and so that the
implementation could use \reserved{LCPPSort} pointers to hold any type of
sort. The class structure represents the feeling that atomic sorts are
basic and parameterized sorts build upon them. The arrow sorts exist
in their own tree, but contain both atomic and parameterized
sorts. While this design captured the behavior of the various sorts
well, it was uncertain whether it would be practical in practice. As
mentioned earlier, it was believed that the sorts for a C++
declaration might have to be built bottom-up. For example, the sort
for a declaration \reserved{int i;} would first build an atomic sort
\reserved{int}, later converting it to the parameterized sort
\reserved{Obj[int]}. The question was raised whether a design for the
classes could be found where these conversions would not have to
happen. It was also noted that the list of parameters inside of a
parameterized sort and the list of arguments within an arrow sort could be a
mix of atomic and parameterized sorts. This could lead to 
later headaches when trying to decide if two parameterized sorts were
equal. The lack of homogeneity would make the task more complex.

The realization that atomic sorts were equivalent to parameterized
sorts with zero parameters simplified the class hierarchy for sorts to
that shown in Figure~\ref{classfinal}. This hierarchy still supports
the three forms of sorts, while not needing to be able to convert
between atomic and parameterized sorts. With the new hierarchy a
declaration \reserved{int i;} will first build a parameterized sort
\reserved{int} which has no parameters. Later it would create the
final sort \reserved{Obj[int]} by adding the \reserved{int} as a
parameter to the \reserved{Obj} sort. The change in design also made
lists of parameters in both parameterized and arrow sorts homogeneous.

\begin{BFIGURE}
\begin{center}
%\input{classes}
\setlength{\unitlength}{0.00083300in}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined
% extract first six characters in \fmtname
\def\x#1#2#3#4#5#6#7\relax{\def\x{#1#2#3#4#5#6}}%
\expandafter\x\fmtname xxxxxx\relax \def\y{splain}%
\ifx\x\y   % LaTeX or SliTeX?
\gdef\SetFigFont#1#2#3{%
  \ifnum #1<17\tiny\else \ifnum #1<20\small\else
  \ifnum #1<24\normalsize\else \ifnum #1<29\large\else
  \ifnum #1<34\Large\else \ifnum #1<41\LARGE\else
     \huge\fi\fi\fi\fi\fi\fi
  \csname #3\endcsname}%
\else
\gdef\SetFigFont#1#2#3{\begingroup
  \count@#1\relax \ifnum 25<\count@\count@25\fi
  \def\x{\endgroup\@setsize\SetFigFont{#2pt}}%
  \expandafter\x
    \csname \romannumeral\the\count@ pt\expandafter\endcsname
    \csname @\romannumeral\the\count@ pt\endcsname
  \csname #3\endcsname}%
\fi
\fi\endgroup
\begin{picture}(5424,3324)(1189,-4273)
\thicklines
\put(3601,-2761){\line( 1, 1){300}}
\put(3901,-2461){\line( 1,-1){300}}
\put(4201,-2761){\line(-1, 0){600}}
\put(3601,-2761){\line(-1, 0){1500}}
\put(2101,-2761){\line( 0,-1){600}}
\put(4276,-2761){\line( 1, 0){1425}}
\put(5701,-2761){\line( 0,-1){600}}
\put(4201,-2761){\line( 1, 0){ 75}}
\put(3901,-1861){\line( 0,-1){600}}
\put(1201,-4261){\framebox(1800,900){}}
\put(5251,-3886){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}ArrowSort}}}
\put(4801,-4261){\framebox(1800,900){}}
\put(3001,-1861){\framebox(1875,900){}}
\put(3526,-1486){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}LCPPSort}}}
\put(1651,-3886){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}{rm}ParamSort}}}
\end{picture}

\end{center}
\caption{Class Hierarchy for \reserved{LCPPSort}: Final Design}
\label{classfinal}
\end{BFIGURE}

The final piece of the puzzle for representing sorts was how to
support the overloading of LSL operators. Remember from earlier
discussion (Section~\ref{lslts}) that LSL allows for a given operator
name to have many different signatures associated with it. The choice
of which signature to use is then made based upon the context of the
use of the operator. The data structure needed to handle basic insertion,
and insertion of duplicates easily. It would be convenient if it could
handle retrieval based on different pieces of the arrow sort
structure. The design chosen was an iterated set of arrow sorts. This
data structure had the advantage of easily handling insertion,
especially insertion of duplicates. Although the data structure itself
does not handle retrieval of a given arrow sort by the parts of arrow
sorts, i.e. by either parameter list or result sort, helper functions
could provide that functionality.

Figure~\ref{ArrowSet} shows the class \reserved{ArrowSet} used to
implement the set of arrow sorts. The set is actually built on top of
a singly linked list provided by the macros in the
\reserved{SINGLYLL.h} file. The functionality is as expected for
sets with the member functions modeling the usual mathematical
behavior for sets. The member functions \reserved{Union},
\reserved{Intersection}, and \reserved{Diff} generate their results
within the default parameter, rather than generating a completely new
set. For example, given sets \reserved{S1} and \reserved{S2}, the
operation \reserved{S1.Union(S2)} will change \reserved{S1} to hold
\reserved{S1} $\cup$ \reserved{S2}. This behavior, while documented in
the specification for the class, can be somewhat confusing.

\begin{BFIGURE}
\begin{verbatim}
#include "SINGLYLL.h"
#include "ArrowSrt.h"
typedef ArrowSort *ArrowSortPtr;
DECLARE_SINGLYLL(ArrowSortPtr,ArrowSortNode)
typedef ArrowSortNode *ArrowSortNodePtr;
class ArrowSet{
public:
  ArrowSet();
  ArrowSet(const ArrowSortPtr item);
  ArrowSet(const ArrowSet& set);
  bool In(const ArrowSortPtr item) const;
  int Cardinality() const;
  bool IsEmpty() const;
  bool Subset(const ArrowSet& set) const;
  bool Insert(const ArrowSortPtr item);
  bool Remove(const ArrowSortPtr item);
  void Union(const ArrowSet& set1);
  void Intersection(const ArrowSet& set1);
  void Diff(const ArrowSet& set1);
  bool operator == (const ArrowSet& set1) const;
  bool operator != (const ArrowSet& set1) const;
  void Save_Iterate();
  void Restore_Iterate();
  void Reset_Iterate();
  ArrowSortPtr Iterate();
protected:
  
  ArrowSortNodePtr theSet;
  ArrowSortNodePtr iteratePoint;
  ArrowSortNodePtr old_iteratePoint;
};
ostream& operator << (ostream& out, ArrowSet item);
\end{verbatim}
\caption{The \reserved{ArrowSet} class}
\label{ArrowSet}
\end{BFIGURE}
The major addition to the implementation of set shown here is the
ability to iterate through the items in the set. Most sets allow you
to look to see if an item is in a set. When dealing with sets of arrow
sorts, however, the user might only know the result sort he is looking
for. This means that there needs to be a way to examine each member in
the set, allowing for comparisons with the individual parts of an
arrow sort. Thus the iterator, and its controlling functions, were
added. The \reserved{Reset\_Iterate} function clears any information
about previous iterations and makes the set ready to iterate. The
\reserved{Iterate} function returns the next member of the set in
the iteration, or NULL if there are no elements remaining. The
\reserved{Save\_Iterate} and \reserved{Store\_Iterate} member
functions were added to help support the ability to print out the
sets. The \reserved{operator <<} function was written using the
\reserved{Iterate} function to output one member at a time. However,
what if a user wanted to print out the set in the middle of an
iteration without losing the iteration
information. \reserved{Save\_Iterate} saves the current iteration
point, which can be later restored via
\reserved{Restore\_Iterate}. The use of all of the iteration
functions is illustrated in the code for \reserved{operator <<} shown
in Figure~\ref{oppto}.
\begin{BFIGURE}
\begin{verbatim}
ostream& operator << (ostream& out, ArrowSet item){
  
  ArrowSortPtr val;
  int iter;

  iter = 0;
  out << "{";
  item.Save_Iterate();
  item.Reset_Iterate();
  val = item.Iterate();
  while(val != NULL){
    if (iter == 0){
      val->Print(out);
      iter++;
    }
    else {
      cout << ",";
      val->Print(out);
    }
    val = item.Iterate();
  }
  out << "}";
  item.Restore_Iterate();
}
\end{verbatim}
\caption{The \reserved{operator <<} function for \reserved{class
  ArrowSet}}
\label{oppto}
\end{BFIGURE}

\subsubsection{The Operator Signature Parser}
Once the LSL Checker has been used to generate the \reserved{-syms}
output, there needs to be a way of getting that information into the
Larch/C++ Checker's symbol table. A tool was needed that would convert
the \reserved{-syms} output into operator names and associated arrow
sorts. The development of this portion of the system again looked to
the previous work of LCLint for an idea of how to proceed. The LCLint
tool used a hand-crafted lexer, combined with a \reserved{yacc}-based
parser to generate data structures from the
\reserved{-syms} data. A close examination revealed that the
hand-crafted lexer was too complex to be easily converted for use
within the Larch/C++ Checker. This led to the development of a
\reserved{flex}-based lexer for this input. Starting from the token
definitions in LCLint's signature file and the information in the LSL
technical report \cite{Guttag-Horning-Modet90}, a set of regular
expressions was developed to represent the tokens. The major
difficulty here was that some characters had multiple meanings
depending upon context. For example, the signature
\begin{verbatim}
[ __ , __ ] : int , int -> Tuple[int]
\end{verbatim} 
represents a function named \reserved{[]} which takes two
\reserved{int} arguments and constructs a \reserved{Tuple[int]}. At
first glance this does not seem difficult to break into
tokens. However, the square brackets that form the name of the
function are actually the tokens \reserved{OPENSYM} and
\reserved{CLOSESYM}, while the square brackets in the sort
\reserved{Tuple[int]} are the tokens \reserved{LBRACKET} and \reserved{RBRACKET}. How should
the system be designed to return the correct tokens? The solution was
to create a lexer with start states to allow for the differentiation
of the uses for square brackets. \emph{Start states} allow \reserved{flex} to use
different matching rules based upon what has been seen in the
input. In this case, the switching of states in the lexer is based
upon having seen either a colon or a new-line character. The lexer
knows that when it has seen a colon, it is within the signature for
the operation. Thus the lexer always returns \reserved{LBRACKET} and
\reserved{RBRACKET} in 
this case. When the lexer reaches a new-line character, it knows that
it has reached the end of a complete signature. At this point it
switches to a start state where square brackets are \reserved{OPENSYM}s and
\reserved{CLOSESYM}s. Please see
\cite{Levine-Mason-Brown92} for more details on the use of start states.

The initial testing of the operator signature parser revealed a minor
problem. The system was consistently returning parse errors for input
that looked correct. The problem turned out to be that the LSL Checker
automatically broke long lines by inserting a
new-line character and continuing the output on the next line. This
was done to allow for users to easily read long lines that appeared on
their screens. However, the insertion of the new-line character was
causing the lexer for the signatures to switch states prematurely,
leading to the parse errors. There were a number of possible
solutions. One possibility was to change the lexer to use a different
form of start states. While this was probably possible, the lexer as
it existed was relatively simple to understand. If the lexer was to be
modified, it would probably become more complex and difficult to
understand. The other solutions were all based upon modifying the LSL
Checker to change its output format. Any change to the output,
however, had to preserve the output format used by the Larch Prover,
and should continue to make the messages readable to the user. Since
all output in the LSL Checker passed through the same output
functions, some sort of conditional check was needed to turn on and
off the output of the offending new-line. An additional boolean
variable, \reserved{PrintingSyms} was added to the system to flag when
the \reserved{-syms} output was being printed. If the flag is true,
then no new-lines are inserted into the output. This allows the parser
to work as expected.

The final piece of the operator signature parser is the interface to
the Larch/C++ symbol table. This involved the creation of a new type
of \reserved{Symbol} to hold the operator's information and a
modification to the \reserved{Locale} portion of the symbol
table. New classes \reserved{TraitOp} and
\reserved{ExtendedTraitOp} were derived from the \reserved{Symbol}
base class. Basically \reserved{TraitOp} objects look
like all other \reserved{Symbol}s, especially \reserved{Ident}s, except for the
fact that their sort information is an 
\reserved{ArrowSet} not a simple \reserved{LCPPSort}. \reserved{ExtendedTraitOp}
is derived from \reserved{TraitOp} and has an extra name field that is
used in reporting errors. For example, the signature \reserved{if \_\_
then \_\_ else \_\_: Bool, Bool, Bool -> Bool} creates an
\reserved{ExtendedTraitOp}. The name used to index the function in the
symbol table is \reserved{ifthenelse}, while the name reported for
errors is \reserved{if \_\_ then \_\_ else \_\_}. Other signatures, such as
\reserved{f: int -> float}, generate \reserved{TraitOps} because the
name reported for errors is the same as the name used to index the
operation in the symbol table. 

The parser creates a local symbol table into which it places
\reserved{TraitOp} and \reserved{ExtendedTraitOp} symbols as it parses
the signatures. It is at this point where the system does the name
conflict resolution described in Section~\ref{lcppts}. If the
parser-generated symbol has a name that already exists in the 
\reserved{currentSymTab}, the trait operation is discarded, and a
warning is reported to the user. Similarly, if the system is inserting a C++
identifier into the symbol table and discovers an existing trait operation
with the same name, it discards the trait operation and warns the user.

The other major modifications to the symbol table involved adding an
additional field to the \reserved{Locale} class, with its associated
member functions, and the modification of the \reserved{SymTab} class
to allow for copying of the new fields. Figure~\ref{symtabstruct}
shows the old structure of the symbol table. \reserved{Locale}s
contained two namespaces, \reserved{nonClassOrEnum} and
\reserved{classOrEnum}. This form was modified to add a third field,
\reserved{TraitOps}, to hold lists of the trait operations. This was
needed to support the split of the symbol table into separate C++ and
LSL operator ``worlds'', as described in Section~\ref{lcppts}. The
addition of this field required the creation of supporting functions
that operated upon this new field. The new functions are simply copies
of the existing \reserved{Locale} functions which operate upon this
new field. All operations on the new field were kept separate to make
sure that the existing behavior of the Larch/C++ Checker did not
change. Of these new functions, the only one examined in detail here
is the new \reserved{CopyTraitOps} series of functions within
\reserved{Locale} and
\reserved{SymTab}. These functions are basically clones of the
\reserved{CopySymbols} functions described in Section~\ref{namspcimp} modified
to work with the new \reserved{TraitOps} field in the
\reserved{Locale} class. These functions are used to copy the local
symbol table created by the LSL operator signature parser into the
Larch/C++ Checker's main symbol table. Please see the implementation
for further details on all of the new functions.

The operator signature parser is used for more than support for
\reserved{uses} clauses within specifications. It is also used to load
all of the built-in traits, such as the traits for the basic C++
types, in the initialization of the Larch/C++ Checker. This
information is stored at the top level of the symbol table, outside of
any C++ scope [[[so that it will not be removed by the name conflict
resolution system.]]]

\subsubsection{Conversion of C++ declarations to LSL sorts}

The final major piece of support required for sort checking within the
Larch/C++ Checker is the ability to convert C++ declarations into
their equivalent sorts. Recall from the discussion of the rules for
state functions, Section~\ref{staterules}, that C++ declarations
consist of an abstract value wrapped within an object. This
interaction between the sorts of the abstract values and the sorts of
the enclosing objects can make it difficult to automatically generate
sorts. Examples of declarations and their equivalent sorts taken from
the Reference Manual ~\cite[Chapter 5 and Section 6.1.8.1]{Leavens96c}
are illustrated in Figures~\ref{globalsorts} and
~\ref{formalsorts}. Notice that the same form of declaration may have
a different sort depending upon whether it is a declaration of a
variable or a declaration of a formal parameter. Notice also the
complexities surrounding the sorts for
\reserved{struct}, \reserved{union}, and \reserved{class} types. These
special cases make the code for the translation more complex.


\begin{BFIGURE}
\begin{verbatim}
Declaration             Sort of x (used as global)
-------------           --------------------------
const int &const x;     ConstObj[int]
const int *const x;     ConstObj[Ptr[ConstObj[int]]]
const int x[3][4];      Arr[Arr[ConstObj[int]]]
int *x[10];             Arr[Obj[Ptr[Obj[int]]]]
struct IntList {
  int val;
  IntList *next;
  };
IntList x;              ConstObj[IntList]
const IntList x;        ConstObj[Const[IntList]]
int (*x)(int i);        Obj[Ptr[ConstObj[cpp_function]]]
int (* const x)(int i); ConstObj[Ptr[ConstObj[cpp_function]]]
int (*x[10])(int i);    Arr[Obj[Ptr[ConstObj[cpp_function]]]]
\end{verbatim}
\caption{Sorts for Global C++ Declarations}
\label{globalsorts}
\end{BFIGURE}

\begin{BFIGURE}
\begin{verbatim}
Declaration      VarId   Its Sort (when used as a formal parameter)
-------------    -----   -----------------------------------------
int i            i       int
int & ir         ir      Obj[int]
int * ip         ip      Ptr[Obj[int]]
int ai[]         ai      Ptr[Obj[int]]
struct IPair {
  int fst, snd;
  };
Ipair sip;       sip     Val[IPair]
union FI {
  float f;
  int i;
  };
FI fi;           fi      Val[FI]
\end{verbatim}
\caption{Sorts for Formal Parameter Declarations}
\label{formalsorts}
\end{BFIGURE}

At first, the thought was that sort information would have to be
gathered and passed as attributes throughout the parse tree. However,
this method was discarded once the realization occurred that the
parser was already gathering the information necessary for building
sorts within the \reserved{TypeSpecifier} and \reserved{Declarator} objects. In Larch/C++,
as in C++, type specifiers contain a type name and an associated
qualifier (either \reserved{const} or \reserved{volatile}). \reserved{int},
\reserved{unsigned int}, \reserved{enum color}, and \reserved{const
int}, are all examples of valid type
specifiers~\cite{Leavens96c}. Declarators contain the names of the
items being declared along with a list of qualifiers that provide
additional information. Figure~\ref{declquals} lists the qualifiers as
presented in the Larch/C++ Reference Manual \cite{Leavens96c}.
\begin{BFIGURE}
\begin{verbatim}
  Operator     Meaning
  ---------    -----------------
   *            Pointer
   ::*          Pointer to Member
   &            Reference
   []           Array
   ()           Function
\end{verbatim}
\caption{Declarator Qualifiers}
\label{declquals}
\end{BFIGURE}


After it was realized that the type specifier and declarator
information was enough to build sorts, the question became, at what
point during a parse is this information complete and available? It
turns out that the key was within the function
\reserved{Declare}. \reserved{Declare} is used to add declarations
to the current symbol table. It was clear at this point that all of
the information required would be available. In examining
the \reserved{Declare} function, it was noted that at certain points
it made calls to the \reserved{LCPPSort} constructor. It was decided that
this would be the best place to generate sorts. 

\begin{BFIGURE}
\begin{verbatim}
ParamSort *BuildSort(const TypeScfr *typescfr, 
                    DQNode *dqlist, bool IsMember){

  ParamSort *typescfrsort, *result;
  ParamSort *tmp1, *tmp2, *tmp3;
  DQNode *currlist, *revlist;

  if(typescfr == NULL){
    result = NULL;
  } else {
    if(typescfr->isConst){
      tmp1 = new ParamSort(DyString("ConstObj"),NULL);
    }
    else {
      tmp1 = new ParamSort(DyString("Obj"),NULL);
    }
    
    if((typescfr->sym->GetKeywordKind()) 
           == TypedefNonClassOrEnumNameTag){
      tmp1 = (ParamSort *)typescfr->sym->GetLCPPSort();
    } else {
      tmp2 = new ParamSort(*(typescfr->sym->GetName()),NULL);
      tmp1->AddParam(tmp2);
    }

    typescfrsort = tmp1;
    result = typescfrsort;
  }
\end{verbatim}
\caption{Function \reserved{BuildSort}, Part One}
\label{buildsrtone}
\end{BFIGURE}
Once the location was known, a function needed to be developed to
convert the type specifier and declarator information into the correct
sorts. A preliminary version of this function for global declarations,
called \reserved{BuildSort}, which does not handle classes,
unions, or structs, is pictured in Figures~\ref{buildsrtone} and
~\ref{buildsrttwo}. The portion of the function in
Figure~\ref{buildsrtone} handles the translation of the type specifier
information into an equivalent sort. It first checks to see if a
\reserved{const} specifier is associated with the declaration. If one
is, it creates a parameterized sort \reserved{ConstObj}; otherwise it
creates the sort \reserved{Obj}. Next it examines the \reserved{Symbol}
associated with this type specifier. The Symbol carries the name of
the type or \reserved{typedef}, for which this specifier was
created. If you examine the class hierarchy for \reserved{Symbol} in
Figure~\ref{symbolh}, you will see that one form of identifier is
\reserved{BuiltInTypeName}. Many declarations carry \reserved{Symbol}s of this
sort whose name fields are the built in types. If the Symbol is not a
\reserved{typedef}, the function takes the name from the \reserved{Symbol},
creates a parameterized sort from the name, and then uses that name as
a parameter to the sort created from the \reserved{const}
specifier. If the \reserved{Symbol} associated with this type specifier is a
\reserved{typedef}, it looks inside that symbol to find the correct
sort to use as a parameter to the previously created sort. For
example, this algorithm works as follows on a declaration of the form
\reserved{int i;}.
\begin{itemize}
\item It creates a sort \reserved{Obj} because there is no
\reserved{const} associated with the declaration.
\item Since the symbol carried along with the \reserved{TypeSpecifier}
is a
\reserved{BuiltInTypeName}, the system creates another sort
\reserved{int}.
\item The system uses the second sort as a parameter to the first,
creating the correct sort \reserved{Obj[int]}.
\end{itemize}

It is important to note that this portion of the system is dependent
upon the system creating the correct type names for
\reserved{BuiltInTypeName} \reserved{Symbol}s. When preliminary testing began, it
was discovered that type specifiers such as {unsigned int} did not
create the correct names. Functionality was added to the function
\reserved{TypeScfr::Combine} to generate these names correctly. 

\begin{BFIGURE}
\small
\begin{verbatim}
  currlist = dqlist;
  while(currlist != NULL) {
    DeclQual *tmp = Car(currlist);
    if(tmp->IsPointer()){
      if(tmp->IsConst()){
        tmp1 = new ParamSort(DyString("ConstObj"),NULL);
      }
      else {
        tmp1 = new ParamSort(DyString("Obj"),NULL);
      }
      tmp2 = new ParamSort(DyString("Ptr"),NULL);
      tmp2->AddParam(result);
      tmp1->AddParam(tmp2);
      result = tmp1;
    }
    else if (tmp->IsArray()){
      tmp1 = new ParamSort(DyString("Arr"),NULL);
      tmp1->AddParam(result);
      result = tmp1;
    }
    else if (tmp->IsFunction()){
      tmp1 = new ParamSort(DyString("ConstObj"),NULL);
      if (IsMember){
        tmp2 = new ParamSort(DyString("cpp_member_function"),NULL);
      } else {
        tmp2 = new ParamSort(DyString("cpp_function"),NULL);
      }
      tmp1->AddParam(tmp2);
      result = tmp1;
    }
    else {
    }
    currlist = Cdr(currlist);
  }
  return(result);
}
\end{verbatim}
\normalsize
\caption{Function \reserved{BuildSort}, Part Two}
\label{buildsrttwo}
\end{BFIGURE}

The second half of \reserved{BuildSort} handles any associated
declaration qualifiers. [[[These are handled by building up a sort in
pieces. The individual pieces are not semantically complete sorts, but 
when it finishes, it will have generated a complete sort. \reserved{BuildSort} starts out by checking to see if a pointer,
\reserved{*} has been seen. Declaration qualifiers carry
information about whether they have been modified with a
\reserved{const} keyword also. If the declaration qualifier is a pointer, the system
generates one of the following incomplete sorts, either \reserved{ConstObj[Ptr]} or \reserved{Obj[Ptr]} from
the pointer qualifier depending upon the \reserved{const}ness of the
pointer. Then the sort created from the type
specifier is added to the incomplete sort as a parameter, yielding a
complete sort. As an example,
look what happens to the declaration \reserved{int * const i;}:
\begin{itemize}
\item The type specifier builds a sort \reserved{Obj[int]} as described
above.
\item The first declaration qualifier is a pointer. The system checks
to see if it is modified by a \reserved{const} keyword. Since it is,
it generates the incomplete sort \reserved{ConstObj[Ptr]}.
\item The system combines the sort from the type specifier and the
declaration qualifier to get the final sort \reserved{ConstObj[Ptr[Obj[int]]]}.
\end{itemize}
]]]
The other declaration qualifiers work in a similar way, building the
correct sorts for themselves based upon the definitions in the
Reference Manual~\cite{Leavens96c}. As the algorithm cycles through
the list of qualifiers, it builds the sort from the inside out.

Once the basic declaration qualifier code was built, another
abnormality was discovered in testing. Member functions which were
referenced outside of the actual class declaration were not given the
sort \reserved{cpp\_member\_function} as they should have been. The
class \reserved{Point} in Figure~\ref{Pointlcc} is a specification
that illustrates this problem.
\begin{BFIGURE}
\begin{verbatim}
class Point {
public:
  uses informally "pairs of [x,y] values";
  Point();
  int x_val() const;
  int y_val() const;
  void set_x(int xv);
  void set_y(int yv);
};
extern Point::Point();
behavior {
  constructs self;
  ensures self\post = [0,0];
}
extern int Point::x_val() const;
behavior {
  ensures result = self\any.x;
}
extern int Point::y_val() const;
behavior {
  ensures result = self\any.y;
}
extern void Point::set_x(int xv);
behavior {
  modifies self;
  ensures self\post.x = xv /\ (self\pre).y = (self\post).y;
}
extern void Point::set_y(int yv);
behavior {
  modifies self;
  ensures self\post.y = yv /\ (self\pre).x = (self\post).x;
}
\end{verbatim}
\caption{The Point.lcc Specification}
\label{Pointlcc}
\end{BFIGURE}

This specification attempts to redeclare the functions outside of the
class declaration. When this happened, the system had no way of
knowing that the functions were actually member functions and that their sorts
were redeclared as \reserved{cpp\_function}. To solve this problem,
the \reserved{Declare} function was modified to check the \reserved{Symbol} it
was declaring to see if it already has a sort. If it does,
\reserved{Declare} keeps that type and does not create a new one. The
code for this is illustrated in Figure~\ref{declarecode}

\begin{BFIGURE}
\begin{verbatim}
if (sym->GetKeywordKind() == OriginalClassNameTag
    || sym->GetKeywordKind() == TemplateClassNameTag) {
  // it's a constructor
  Symbol *ctorSym = new Ident(sym->GetName(), DD_Declared);
  ctorSym->SetLCPPSort(BuildSort(
                currentTypeScfr, dcltor->dcl_quals,IsMember));
  sym->AddCtor(ctorSym);
} else {
  if(sym->GetLCPPSort() == NULL){
    sym->SetLCPPSort(BuildSort(
               currentTypeScfr, dcltor->dcl_quals,IsMember));
  }
  illFormed = AddCheckingDeclarable(currentSymTab, sym) || illFormed;
}
\end{verbatim}
\caption{Code from \reserved{Declare} Checking for Previous Sort}
\label{declarecode}
\end{BFIGURE} 
The code that performs the check
\begin{verbatim}
sym->GetLCPPSort() == NULL
\end{verbatim}
is making sure that the \reserved{Symbol}'s sort pointer has not
been assigned to previously. If this is the case, the system builds a
sort for the \reserved{Symbol} \reserved{sym}.

As mentioned earlier, formal parameters may have sorts that differ from
similar global declarations. A function \reserved{BuildArgSort} which
works in a similar manner as \reserved{BuildSort} handles the
different formulations.

\subsubsection{Additional Work}

To complete the development of the sort checking system for the
Larch/C++ Checker, additional work needs to be done. The lookup
algorithm described in Section~\ref{lcppts} needs to be implemented
and tested. Also, the support functions for dealing with the
\reserved{ArrowSet} objects need to be defined and
implemented. Finally, the main grammar file needs to be modified to
actually perform the sort checking. It is expected that work will
continue on this portion of the project in the future.


\section{Future Work}
\label{futwork}
In the future, steps need to be taken to improve the performance of
the Larch/C++ Checker. One idea, raised when the memory problems were
found in the LSL Checker, is the use of a cache to hold traits that
have been processed previously. This ``symscache'' could then be
checked to see if a trait had already had the \reserved{-syms} output
created. It it had been created and is up-to-date, the Larch/C++
checker could simply parse that file rather than calling the LSL
Checker to regenerate the information. Problems that would need to be
addressed include how to keep track of which traits are in the cache,
how to keep track of how the traits have been renamed, and the policy
for regenerating the information. Another major issue has to do with
renaming. When items are renamed in a uses clause or other trait use,
the output generated by the LSL Checker reflects that
renaming. Somehow, the cache will need to be able to look at a file,
tell how it was renamed, and see if that renaming is equivalent to the
current use.

Another area for future work is an examination of the structure of the
Larch/C++ source code. Perhaps the application of design patterns
could create a clearer, less cluttered design. One place where this
could be applied is in the creation of an class based on the
\reserved{Iterator} pattern~\cite{Gamma-Helm-Johnson-Vlissides95} to
handle the iteration of the sets of arrow sorts.

Another place in the code that could stand a redesign is the
\reserved{TmpFile} classes. The current system could be improved by
rewriting the base \reserved{TmpFile} class so that it inherits from
the class \reserved{fstream}. This implementation would require fewer
classes, because the functionality of the \reserved{OutTmpFile} class
could be moved into \reserved{TmpFile}. It also would allow the use of
the C++ \reserved{putto} (\reserved{<<}) and \reserved{getfrom}
(\reserved{>>}) operators on \reserved{TmpFile}s without the complex
overloading that is required in the present implementation.

\section{Conclusions}
The goal of this project was to add the ability to sort check
specifications to the Larch/C++ Checker. The current status of the
project shows the the original goal is obtainable. This project has
contributed the basic support needed within the Larch/C++ Checker, and
the formalization of the Larch/C++ type system, that will allow for a
sort checker to be added. The contributions are as follows:

\begin{itemize}

\item Creation of a formal and systematic statement describing the
Larch/C++ type system.

\item Development of an interface between the existing Larch/C++ Checker and
the LSL Checker.

\item Development of an automated system for translating C++
declarations into equivalent LSL sorts.

\item Support for the Evolving C++ Language Standard

\end{itemize}

This work, and the work to develop the sort checker itself, continue
as this is written. It is my hope that the work I have done will make
the future work of others easier.

\section{Acknowledgments}
\label{ack}
This work was partially funded under NSF grant CCR-9503168.

Many people assisted in the above work. Dr. Gary Leavens gave me the
opportunity to work on this project and supported me
every step of the way. My family was always there for me when I needed them.
Marybeth Gurski offered support and insight every step of the way. Professor
John Hagge filled in at the last minute on my committee and offered
outstanding criticism on this paper. Dr. Kelvin Nilsen also offered support
along the way. The following people created the tools used in my project: 
Kurt Bischoff, Hans Boehm, et al., previous members of the Larch/C++
project, and others who previously have worked with the Larch Shared
Language and its associated languages. Finally, to any and all others who have
been forgotten, thanks one and all.

\bibliography{journal-abbrevs,mypaper}
\end{document}