Abstract. Constructing new classes from existing ones by inheritance or subclassing is a characteristic feature of object-oriented development. Imposing semantic constraints on subclassing allows us to ensure that the behaviour of superclasses is preserved or re ned in their subclasses. This paper de nes a class re nement relation which captures these semantic constraints. The class re nement relation is based on algorithmic and data re nement supported by Re nement Calculus. Class re nement is generalized to interface re nement, which takes place when a change in user requirements causes interface changes of classes designed as renements of other classes. We formalize the interface re nement relation and present rules for re nement of clients of the classes involved in this relation. 1

In this paper we propose a novel approach to speci cation, development, and veri cation of object-oriented frameworks employing separate interface inheritance and implementation inheritance hierarchies. In particular, we illustrate how our method of framework speci cation and veri cation can be used to specify Java Collections Framework, which is a part of the standard Java Development Kit 2.0, and ensure its correctness. We propose to associate with Java interfaces formal descriptions of the behavior that classes implementing these interfaces and their subinterfaces must deliver. Verifying behavioral conformance of classes implementing given interfaces to the speci cations integrated with these interfaces allows us to ensure correctness of the system. The characteristic feature of our speci cation methodology is that the speci cation language used combines standard executable statements of the Java language with possibly nondeterministic speci cation statements. A speci cation of the intended behavior of a particular interface given in this language can serve asa precise documentation guiding implementation development. Since subtyping polymorphism in Java is based on interface inheritance, behavioral conformance of subinterfaces to their superinterfaces is essential for correctness of object substitutability inclients. As we view interfaces augmented with formal speci cations as abstract classes, verifying behavioral conformance amounts to proving class re nement between speci cations of superinterfaces and subinterfaces. Moreover, the logic frameworkthatwe use also allows veri cation of behavioral conformance between speci cations of interfaces and classes implementing these interfaces. The uniform treatment of speci cations and implementations and the relationships between them permits verifying correctness of the whole framework and its extensions.