Introduction to Components and Specifications Using RESOLVE

Computer Science School of Computing Clemson University

Introduction to Components and Specifications Using RESOLVE

Murali SitaramanClemson University

School of Computing Clemson University

Overview

Specifications provide user-oriented cover story

Designs address efficiency and sufficient functional completeness issues

Specifications hide implementation-specific information

Multiple implementations may be developed to satisfy the same specification


Languages for Formal Specification

ANNA (and SPARK) for Ada JML for Java Larch/C++ for C++ Spec# for C# … Eiffel RESOLVE … VDM Z


Common Principles: Data Abstraction Specification

Specifications are contracts Formal; unambiguous Mathematical logic Use a combination of well-known

mathematical theories and notation Specify mathematical models for

objects Specify the behavior of operations

using those models


Example: Use of Mathematical Theories

Concept Stack_Template(type Entry; …);

uses String_Theory;

Type Family Stack is modeled by …

Operation Push…Operation Pop……

end Stack_Template;


Alternative Specification of Push Operation

Operation Push_1 (restores E: Entry; updates S: Stack);requires |S| < Max_Depth;ensures S = <E> o #S;

Note: Implementation needs to make a copy of the Entry E. This could be inefficient if entries are large.



Operation Push_2 (clears E: Entry; updates S: Stack);requires |S| < Max_Depth;ensures S = <#E> o #S;

Note: Implementation needs to “clear”, i.e., initialize the Entry E.

…



Operation Push (alters E: Entry; updates S: Stack);requires |S| < Max_Depth;ensures S = <#E> o #S;

Note: Implementation may change Entry E in any way, so it permits the most efficient implementations; it is the most flexible specification


Clients have flexibility…


Example code to do Push_1 (i.e., “restore” pushed entry):Copy(E, Temp);Push(Temp, S);

Example code to do Push_2 (i.e., “clear” the pushed entry:Push(E, S);Clear(E);


Specification of Operations


Operation Pop (replaces R: Entry; updates S: Stack);requires |S| > 0;ensures #S = <R> o S;

Operation Depth (restores S: Stack): Integer;ensures Depth = |S|;

…


Specification of Operations


Operation Pop (replaces R: Entry; updates S: Stack);requires |S| > 0;ensures #S = <R> o S;

Operation Depth (restores S: Stack): Integer;ensures Depth = |S|;

…


Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions

Who is responsible for requires clauses? Client (i.e., caller) Implementer Neither Both

Discussion of consequences

Requires and Ensures clauses


Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions

Who is responsible for requires clauses? Client (i.e., caller) Implementer Neither Both

Discussion of consequences

Requires and Ensures clauses


Understanding specifications

Please see the tutorials at the web interface under help on: String theory notations Understanding specification parameter

modes Understanding details of specifications


Using Reusable Components

Users (clients) need to know only interface specifications

Users need to supply appropriate parameters to instantiate

Depending on the paradigm, special operations are automatically available on objects Assignment in Java (e.g., S = T) Swap in RESOLVE (e.g., S :=: T)


Multiple Implementations

Alternative implementations provide the same functionality

Provide performance trade-offs time vs. space average case vs. worst case Efficiency vs. predictability some subset of methods vs. some others

Users pick ones best fitting their requirements when instantiating

Documents

Introduction to Components and Specifications Using RESOLVE