Abstract:
This paper will address the current state of the art in certification of object-oriented programs. Fundamental difficulties arise in the area of dynamic dispatching, because the control flow is not known statically. In a sense the two requirements are diametrically opposed: dynamic dispatching means not knowing the control flow until run time, whereas certification practice rests on knowing the control flow precisely, and if possible statically, so that appropriate tests can be constructed. One approach is to limit the set of object-oriented constructs that may be used. The paper will describe the utility and practical use of language subsets in which many of the advantages of OO programming techniques can be applied without dynamic dispatching. If dynamic dispatching is to be used, the issues to be examined are guaranteeing the integrity of the dispatching mechanism (for example, the integrity of the indirect links in a dispatching table) and the construction of tests. The paper will examine various proposals for constructing such tests, and also the possibility of source transformations that eliminate dynamic dispatching so that conventional certification tools can be used. The issue is becoming increasingly important as more programs require formal certification and as more programmers insist on being able to use OO techniques in safety- and security-critical programs. The paper will also examine the status of standards efforts, such as DO-178C, that are intended to address this problem.
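The two responses the abstract names for code that dispatches dynamically, checking the integrity of the indirect links in a dispatching table and transforming the source so that every call target is statically visible, as an added C example that is not from the paper. The shape hierarchy, the function and table names, the fixed-point area arithmetic and the -1 fault sentinel are all constructed for illustration; the paper's own subset rules and transformation scheme are not shown here.

```c
/* Added illustration (not from the paper): one closed hierarchy dispatched two ways. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A closed set of kinds: the switch form below relies on no kind being added at run time. */
typedef enum { SHAPE_CIRCLE = 0, SHAPE_SQUARE = 1, SHAPE_KIND_COUNT } shape_kind;

typedef struct { shape_kind kind; int32_t size; } shape;

/* The two "methods". Areas are scaled by 100 to stay in integer arithmetic (constructed). */
static int32_t circle_area_x100(const shape *s) { return 314 * s->size * s->size; }
static int32_t square_area_x100(const shape *s) { return 100 * s->size * s->size; }

typedef int32_t (*area_fn)(const shape *);

/* --- Version A: dynamic dispatch through a mutable table of indirect links --- */

static area_fn area_table[SHAPE_KIND_COUNT] = { circle_area_x100, square_area_x100 };

/* Reference copy of the links, kept const so the toolchain can place it in read-only memory. */
static const area_fn area_table_reference[SHAPE_KIND_COUNT] = { circle_area_x100, square_area_x100 };

/* Integrity check on the indirect links: every live entry must equal its reference. */
static bool dispatch_table_intact(void) {
    for (size_t i = 0; i < SHAPE_KIND_COUNT; i++) {
        if (area_table[i] != area_table_reference[i]) return false;
    }
    return true;
}

/* Dispatch via the table. Returns -1 if the table has been tampered with or the kind is out
 * of range. A structural-coverage tool sees one indirect call here, not the set of targets. */
static int32_t area_via_table(shape_kind kind, int32_t size) {
    const shape s = { kind, size };
    if (!dispatch_table_intact()) return -1;
    if ((size_t)kind >= (size_t)SHAPE_KIND_COUNT) return -1;
    return area_table[kind](&s);
}

/* --- Version B: source transformation to a closed switch; every target is a direct call --- */

static int32_t area_via_switch(shape_kind kind, int32_t size) {
    const shape s = { kind, size };
    switch (kind) {
    case SHAPE_CIRCLE: return circle_area_x100(&s);
    case SHAPE_SQUARE: return square_area_x100(&s);
    default:           return -1;   /* a corrupted tag is a fault, not a new kind */
    }
}

/* Demonstration helpers: corrupt one link (point it at the wrong target) and restore it.
 * Both return the result of the integrity check after the change. */
static bool corrupt_dispatch_table(void) {
    area_table[SHAPE_CIRCLE] = square_area_x100;
    return dispatch_table_intact();
}

static bool restore_dispatch_table(void) {
    area_table[SHAPE_CIRCLE] = area_table_reference[SHAPE_CIRCLE];
    return dispatch_table_intact();
}

int main(void) {
    printf("circle r=2: switch %d, table %d\n",
           area_via_switch(SHAPE_CIRCLE, 2), area_via_table(SHAPE_CIRCLE, 2));
    printf("table intact before corruption: %d\n", dispatch_table_intact());
    bool intact_after = corrupt_dispatch_table();
    printf("table intact after corruption: %d\n", intact_after);
    printf("circle r=2 via table after corruption: %d\n", area_via_table(SHAPE_CIRCLE, 2));
    printf("table intact after restore: %d\n", restore_dispatch_table());
    return 0;
}
```

The table check only helps if the reference copy is itself protected (read-only memory, or something stronger) and the comparison code is itself covered by the test suite, which is the kind of question the abstract says must be answered before dynamic dispatching is admitted. The switch form sidesteps it: every target is a direct call and a distinct branch that conventional coverage tools can see and that a test can be written against, at the price of closing the set of kinds at build time, which is exactly the restriction a certification-oriented language subset imposes.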