Software architectural standards such as Microsoft's Component Object Model (COM) and OMG's CORBA are critical elements of our information infrastructure. Vast numbers of critical software systems will be built relying on architectural properties ostensibly guaranteed by such standards. Any major subtleties in such standards that could lead to their erroneous use are thus cause for real concern. Those standards that provide the basis for interoperation of independently developed, binary components are especially critical, because errors made in the earliest architectural design stages might go undetected until fully deployed components and applications fail to interoperate properly, revealing deepply embedded "killer bugs."
This research is based on the position that the judicious use of formal methods, or formal methods "in the small," can help both the developers and the users of architectural standards to reason about them both precisely and profitably. To evaluate this position, we have developed several formal theories of interface negotiation and efficient hierarchical composition under Microsoft's Component Object Model (COM). COM is the foundation for a variety of higher-level architectural standards including Microsoft's OLE and ActiveX technologies.
We have two primary results to date. First, under one interpretation of the published COM specification (one that we believe to be widely used), we have demonstrated that the hierarchical composition of legal COM objects using aggregation is incompatible with information hiding, in a precise sense. In particular, we showed that if a a legal COM object O aggregates another legal COM object I, then the set of types of interfaces that O must expose includes as a subset the set of types of interfaces of I. Moreover, because the developers of COM stipulate that selective hiding of aggregated interfaces must be permitted, we conclude that non-conforming COM components must be allowed within aggregates. Non-conforming objects present some serious problems, as they do not guarantee precisely those architectural properties that the standard exists to enforce, so as to permit clients to operate on objects with a priori knowledge that certain operations are permitted. Abstract and paper.
Second, we showed that another interpretation of the COM specification is possible. This alternative theory of COM implies that the COM standard has quite different properties than those that follow from the first formalization. The "up side" is the need for non-conforming objects is mitigated, at least in principle. The "down side" is that legality is no longer a local component property but a global system property, which can severely complicate reasoning about architectural legality of developed systems. Abstract and paper.