Results 1 - 10 of 51
NORA/HAMMR: Making Deduction-Based Software Component Retrieval Practical, 1997
Cited by 36 (4 self)
Deduction-based software component retrieval uses pre- and postconditions as indexes and search keys and an automated theorem prover (ATP) to check whether a component matches. This idea is very simple but the vast number of arising proof tasks makes a practical implementation very hard. We thus pass the components through a chain of filters of increasing deductive power. In this chain, rejection filters based on signature matching and model checking techniques are used to rule out non-matches as early as possible and to prevent the subsequent ATP from "drowning." Hence, intermediate results of reasonable precision are available at (almost) any time of the retrieval process. The final ATP step then works as a confirmation filter to lift the precision of the answer set. We implemented a chain which runs fully automatically and uses MACE for model checking and the automated prover SETHEO as confirmation filter. We evaluated the system over a medium-sized collection of components. The resul...
Synthesizing certified code
Proc. Intl. Symp. Formal Methods Europe 2002: Formal Methods—Getting IT Right, LNCS 2391, 2002
Cited by 28 (15 self)
Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since code certification uses the same underlying technology as program verification, it requires detailed annotations (e.g., loop invariants) to make the proofs possible. However, manually adding annotations to the code is time-consuming and error-prone. We address this problem by combining code certification with automatic program synthesis. Given a high-level specification, our approach simultaneously generates code and all annotations required to certify the generated code. We describe a certification extension of AutoBayes, a synthesis tool for automatically generating data analysis programs. Based on built-in domain knowledge, proof annotations are added and used to generate proof obligations that are discharged by the automated theorem prover E-SETHEO. We demonstrate our approach by certifying operator- and memory-safety on a data-classification program. For this program, our approach was faster and more precise than PolySpace, a commercial static analysis tool.
VCR: A VDM-based software component retrieval tool, 1994
Cited by 23 (0 self)
We present a tool which allows implicit VDM specifications to be used as search keys for the retrieval of software components. A preprocessing phase utilizes signature matching to filter promising candidates out of a component library. The actual specification matching phase builds proof obligations from the specifications of key and candidates and feeds them into a theorem prover. Validated obligations denote matching components. First experiments clearly demonstrate the feasibility of this approach. We thus get a high-precision retrieval tool which helps programmers in locating components which exactly match their needs.

Keywords: formal methods, software component retrieval, signature matching, specification matching, theorem proving, model searching.

1 Introduction
Effective software component retrieval methods play a key role in reuse. Most methods grew out of classical information retrieval (e. g. [13, 10]) but recently semantic-based methods have gained more attention. As oppo...
Executing Formal Specifications need not be Harmful
Software Engineering Journal, 1996
Cited by 22 (6 self)
We review the various arguments which have been advanced for and against the use of executable specifications. Examples are given of the problems which may arise in applying this technique and of the benefits which may accrue. A case study is reported in which execution is used to validate the published specification of a commercially available package. We conclude that there are circumstances when executable specifications can be of high value but that execution must be used together with, and as a supplement to, other methods of validating specifications such as inspection and proof.

1 Introduction
Formal specifications have been accepted as having value in a number of areas, including critical systems. A specification that does not correctly capture requirements, however, is of dubious benefit. Validating a specification, whether formal or informal, is known to be difficult. With a formal specification there are a number of techniques available for validation, including r...
Compilation of Z Specifications into C for Automatic Test Result Evaluation, 1995
Cited by 18 (1 self)
If Z specifications are used as requirements specifications then test result evaluation leads to evaluation of schema predicates in states that are reached by the test. For automation of this approach Z operational schemas must be translated into programs that perform schema predicate evaluation. Predicate evaluation is straightforward; expressions are replaced by their values, logical connectives are evaluated using truth-tables, quantifiers and set constructions are evaluated using iteration. In order to exclude infinite iterations while evaluating quantifiers the schema compiler accepts besides finite quantifications only those which can be transformed into finite ones using term-rewriting techniques. These ideas are implemented in a Z predicate compiler.
Automatic Generation of Software Test Cases From Formal Specifications, 1998
Cited by 15 (0 self)
Software testing consumes a large percentage of total software development costs. Yet, it is still usually performed manually in a non-rigorous fashion. While techniques, and limited automatic support, for the generation of test data from the actual code of the system under test have been well researched, test case generation from a high level specification of the intended behaviour of the system being developed has hardly been addressed. In this thesis we present a rationale for using tests derived from high level formal specifications and then set out to find an efficient technique for the generation of adequate test sets from specifications written in our study language, VDM-SL. In this work, we formalise the traditional high level partitioning technique used in a previously researched test case generator prototype, and extend it to take the semantics of VDM-SL fully into account. We then discuss, and illustrate, the shortcomings of the technique as used, which results in too few test...
Understanding the differences between VDM and Z, 1993
Cited by 14 (0 self)
This paper attempts to provide an understanding of the interesting differences between two well-known specification languages.

Copyright (c) 1993. All rights reserved. Reproduction of all or part of this work is permitted for educational or research purposes on condition that (1) this copyright notice is included, (2) proper attribution to the author or authors is made and (3) no commercial gain is involved. Technical Reports issued by the Department of Computer Science, Manchester University, are available by anonymous ftp from ftp.cs.man.ac.uk in the directory /pub/TR. The files are stored as PostScript, in compressed form, with the report number as filename. Alternatively, reports are available by post from The Computer Library, Department of Computer Science, The University, Oxford Road, Manchester M13 9PL, U.K.

The main ideas are presented in the form of a discussion. This was partly prompted by Lakatos' book 'Proofs and Refutations' but, since this paper is less profound, char...
Translating Specifications in VDM-SL to PVS
Theorem Proving in Higher Order Logics: 9th International Conference, TPHOLs '96, volume 1125 of Lecture Notes in Computer Science, 1996
Cited by 13 (2 self)
This paper presents a method for translating a subset of VDM-SL to higher order logic, more specifically the PVS specification language. This method has been used in an experiment where we have taken three existing, relatively large specifications written in VDM-SL, hand-translated these to PVS and then tried to type check the results. This is not as simple as it may sound since the specifications make extensive use of subtypes, via type invariants and pre- and postconditions, and therefore type checking necessarily involves some theorem proving. In trying to prove some of these type checking conditions, a worrying number of errors were identified in the specifications.

1 Introduction
In a research project entitled "Towards industrially applicable proof support for VDM-SL", we aim at developing tool support for proving theorems about specifications written in the VDM Specification Language (VDM-SL) [6]. We would like to base our work on available theorem proving technology. The goal...
A Formal Semantics of Data Flow Diagrams
Formal Aspects of Computing, 1994
Cited by 12 (1 self)
This document presents a full version of the formal semantics of data flow diagrams reported in [Larsen&93]. Data Flow Diagrams are used in Structured Analysis and are based on an abstract model for data flow transformations. The semantics consists of a collection of VDM functions, transforming an abstract syntax representation of a data flow diagram into an abstract syntax representation of a VDM specification. Since this transformation is executable, it becomes possible to provide a software analyst/designer with two 'views' of the system being modeled: a graphical view in terms of a data flow diagram, and a textual view in terms of a VDM specification. The specification presented in this document has been processed by The IFAD VDM-SL Toolbox [Lassen93] and the LATEX output is produced directly by means of this tool. The complete transformation has been syntax-checked, type-checked and tested using the IFAD VDM-SL Toolbox [Lassen93]; this has given us confidence that the transformation...
An Overview of the ISO/VDM-SL Standard, 1992
Cited by 12 (0 self)
VDM-SL, the notation incorporated in the formal method VDM, is currently being standardized under the auspices of the International Standards Institution (ISO) and the British Standards Institution (BSI). It is one of the few formal languages of which the syntax and the semantics have been completely formally defined. In this paper we present an overview of the standard, including a report on the current status of the standardization effort.

1 Introduction
The acceptance of the importance of formal methods for software development, and the industrial application of formal methods are becoming increasingly widespread. Formal methods provide a mathematical approach to the specification and subsequent development of software, thus allowing unambiguous specifications and development steps which can be proved to be correct. One of the most mature formal methods, primarily intended for the formal specification and development of functional aspects of software systems, is the Vienna Development ...