Reasoning about Classes in Object-Oriented Languages: Logical Models and Tools, 1998
Cited by 34 (15 self)
A formal language ccsl is introduced for describing specifications of classes in object-oriented languages. We show how class specifications in ccsl can be translated into higher order logic. This allows us to reason about these specifications. In particular, it allows us (1) to describe (various) implementations of a particular class specification, (2) to develop the logical theory of a specific class specification, and (3) to establish refinements between two class specifications. We use the (dependently typed) higher order logic of the proof-assistant pvs, so that we have extensive tool support for reasoning about class specifications. Moreover, we describe our own front-end tool to pvs, which generates from ccsl class specifications appropriate pvs theories and proofs of some elementary results.
Behavioural Theories and The Proof of Behavioural Properties, 1996
Cited by 33 (8 self)
Behavioural theories are a generalization of first-order theories where the equality predicate symbol is interpreted by a behavioural equality of objects (and not by their identity). In this paper we first consider arbitrary behavioural equalities determined by some (partial) congruence relation and we show how to reduce the behavioural theory of any class of algebras to (a subset of) the standard theory of some corresponding class of algebras. This reduction is the basis of a method for proving behavioural theorems whenever an axiomatization of the behavioural equality is provided. Then we focus on the important special case of (partial) observational equalities where two elements are observationally equal if they cannot be distinguished by observable computations over some set of input values. We provide general conditions under which an obvious infinite axiomatization of the observational equality can be replaced by a finitary one and we provide methodological guidelines for finding such...
Management of Change in Structured Verification. In Proceedings 15th IEEE International Conference on Automated Software Engineering, number 2000 in ASE, 2000
Cited by 14 (0 self)
The use of formal methods in large complex applications implies the need for an evolutionary formal program development in which specification and verification phases are interleaved. But any change of a specification, either by adding new parts or by changing erroneous parts, affects existing verification work in a subtle way. In this paper we present a truth maintenance system for structured specification and verification. It is based on the simple but powerful notion of a development graph as an underlying data structure to represent an actual consistent state of a formal development. Based on this notion we try to minimize the consequences of changes of existing verification work.
1. Introduction
The application of formal methods in an industrial setting results in an increased complexity of the specification and the corresponding verification. It comprises on the one hand different layers of specifications reflecting the iterated process to refine the requirement specification towa...
Specification Refinement with System F. In Proc. CSL'99, volume 1683 of LNCS, 1999
Cited by 6 (3 self)
Essential concepts of algebraic specification refinement are translated into a type-theoretic setting involving System F and Reynolds' relational parametricity assertion as expressed in Plotkin and Abadi's logic for parametric polymorphism. At first order, the type-theoretic setting provides a canonical picture of algebraic specification refinement. At higher order, the type-theoretic setting allows future generalisation of the principles of algebraic specification refinement to higher order and polymorphism. We show the equivalence of the acquired type-theoretic notion of specification refinement with that from algebraic specification. To do this, a generic algebraic-specification strategy for behavioural refinement proofs is mirrored in the type-theoretic setting.
1 Introduction
This paper aims to express in type theory certain essential concepts of algebraic specification refinement. The benefit to algebraic specification is that inherently first-order concepts are tra...
Relating abstract datatypes and Z-schemata. In Recent Trends in Algebraic Development Techniques - Selected Papers, volume 1827 of Lect. Notes in Comput. Sci, 1999
Cited by 4 (0 self)
In this paper we investigate formally the relationship between the notion of abstract datatypes in an arbitrary institution, found in algebraic specification languages like Clear, ASL, and CASL; and the notion of schemata from the model-oriented specification language Z. To this end the institution S of the logic underlying Z is defined, and a translation of Z-schemata to abstract datatypes over S is given. The notion of a schema is internal to the logic of Z, and thus specification techniques of Z relying on the notion of a schema can only be applied in the context of Z. By translating Z-schemata to abstract datatypes, these specification techniques can be transformed to specification techniques using abstract datatypes. Since the notion of abstract datatypes is institution independent, this results in a separation of these specification techniques from the specification language Z and allows them to be applied in the context of other, e.g. algebraic, specification languages.
Extraction of Structured Programs from Specification Proofs. Workshop on Algebraic Development Techniques, volume 1827 of Lecture Notes in Computer Science
Cited by 3 (3 self)
We present a method using an extended logical system for obtaining "correct" programs from specifications written in a sublanguage of CASL. By "correct" we mean programs that satisfy their specifications. The technique we use is to extract programs from proofs in formal logic by techniques due to Curry and Howard. The logical calculus, however, has the novel feature that as well as the conventional logical rules it includes structural rules corresponding to the standard ways of modifying specifications: translating (renaming), taking unions of specifications and hiding signatures. Although programs extracted by the Curry-Howard process can be very cumbersome, we use a number of simplifications that ensure that the programs extracted are in a language close to a standard high-level programming language. We use this to produce an executable refinement of a given specification and we then provide a method for producing a program module which respects the original structure of the specific...
A higher-order simulation relation for System F. Proc. 3rd Intl. Conf. on Foundations of Software Science and Computation Structures. ETAPS 2000, 2000
Cited by 2 (2 self)
The notion of data type specification refinement is discussed in a setting of System F and the logic for parametric polymorphism of Plotkin and Abadi. At first order, one gets a notion of specification refinement up to observational equivalence in the logic simply by using Luo's formalism. This paper generalises this notion to abstract data types whose signatures contain higher-order and polymorphic functions. At higher order, the tight connection in the logic between the existence of a simulation relation and observational equivalence ostensibly breaks down. We show that an alternative notion of simulation relation is suitable. This also gives a simulation relation in the logic that composes at higher order, thus giving a syntactic logical counterpart to recent advances on the semantic level.
Proof Systems for Structured Algebraic Specifications: An Overview, 1997
Cited by 2 (0 self)
In this paper an overview on proof systems for structured algebraic specifications is presented. As underlying language we choose an ASL-like kernel language which includes reachability and observability operators. Three different kinds of proof systems are studied. The first two approaches are non-compositional systems where the basic idea is to compute for any structured specification a flat unstructured set of axioms and rules which, combined with some standard proof systems for the underlying logic, may be used for deriving theorems of the specification. In the normal form approach of Bergstra, Heering and Klint, a flat set of axioms is constructed for each structured specification, whereas in the second approach not only individual axioms but also individual proof rules are taken into account. The drawback of the non-compositional proof systems is that they do not reflect the modular structure of specifications. Therefore we present also a structured proof system the derivations ...
Test Selection Criteria for Quantifier-Free First-Order Specifications
Cited by 2 (2 self)
This paper deals with test case selection from axiomatic specifications whose axioms are quantifier-free first-order formulae. Test cases are modeled as ground formulae and any specification has an exhaustive test data set whose successful submission means correctness, provided that the software under verification can be modeled as a first-order structure over the same signature. As has already been done for positive conditional equational specifications, we derive test cases from selection criteria based on axiom coverage. Our selection criteria allow us to select test cases by iteratively unfolding an initial target test purpose, given as a formula. The initial reference test set is iteratively split into successive subsets. Each subset of test cases is defined by constraints which are increasingly introduced by the unfolding procedure to ensure an appropriate matching between the current test purpose under unfolding and specification axioms. Our unfolding procedure is sound (no test is added) and complete (no test is lost) with respect to the starting test purpose. It is exemplified on a simple example.
Keywords: Specification-based testing, quantifier-free first-order specifications, selection criteria, test purpose, axiom coverage, unfolding, proof tree normalization.