The Design of Software Interfaces in Spec by Berzins, Valdis
Calhoun: The NPS Institutional Archive
DSpace Repository
Faculty and Researchers Faculty and Researchers' Publications
1988-10
The Design of Software Interfaces in Spec
Berzins, Valdis
IEEE
V. Berzins, "The design of software interfaces in Spec," Proceedings. 1988
International Conference on Computer Languages, Miami Beach, FL, USA, 1988, pp. 266-270.
http://hdl.handle.net/10945/64259
This publication is a work of the U.S. Government as defined in Title 17, United
States Code, Section 101. Copyright protection is not available for this work in the
United States.
Downloaded from NPS Archive: Calhoun
The Design of Software Interfaces in Spec 
Va/dis Berzins 
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93943 
ABSTRACT 
This paper presents a language for giving black-box specifications 
in the early stages of software design. The underlying computa-
tional model combines message passing with temporal events in a 
precisely defined way. The features of the language, especially 
those important for large scale design are presented by means of 
examples. 
Keywords Black-box specifications, abstractions, specification language, 
computer aided software engineering, distributed systems, real-time sys-
tems. 
1. Introduction 
Spec is a formal language for writing black-box specifications for 
components of software systems. Black-box specifications are essential for 
realizing the benefits of abstractions in the software development process 
[2]. The critical early stages of software development are dominated by the 
tasks of building conceptual models of the proposed software and defining 
its interfaces. The Spec language is used in the functional specification 
stage for recording black-box specifications of the external interfaces of the 
proposed system, and in the architectural design stage for recording black-
box specifications of the internal interfaces of the proposed system. 
A formal specification language such as Spec is needed for defining 
the desired behavior of the proposed system before it is built, because 
English and other informal notations are too imprecise. Precision is impor-
tant because in a large project many people have to agree on the interpreta-
tion of the specifications to produce a correct implementation. Written 
specifications are attractive as a communications medium in very large pro-
jects because the effort of writing a formal specification is independent of 
the number of people reading it, whereas communications overhead tends to 
increase with the size of the project in more informal techniques. Formal 
notation is important because it enables mechanical processing, opening the 
way to higher levels of computer-aided design than are currently used in 
software development [4]. Programming languages such as Ada are formal, 
but are not well suited for writing black-box specifications because they 
have been designed for describing the algorithms and data structures realiz-
ing a module rather than the behavior a module presents at its interface. 
There has been much previous work on providing programming 
language support for abstractions [8, IO, 14, 19,23]. Much of the previous 
work on formal specifications has focused on the problem of proving the 
correctness of programs [9, 11, 16, 21, 25]. Spec has been intended pri-
marily for supporting the use of abstractions in the design of software sys-
tems. Surveys of related work can be found in [7, 24]. Spec has evolved 
from an earlier specification language [ I J and a rapid prototyping language 
for the design of large real-time systems [20], guided by extensive class-
room experience in using formal specifications in multi-person projects [2]. 
The most important advances over the earlier language are the integration 
of time into the underlying model, the development of an inheritance 
mechanism [3 ], and the separation of granularity and comrol state con-
siderations from the event-level interfaces of a module. The Spec language 
is suitable for specifying parallel, distributed, or time sensitive systems as 
U.S. Government Work. Not protected by 
U.S. copyright. 
266 
well as conventional systems. 
Spec differs from algebraic specification languages such as Larch 
[ 12, 13] because it is based on models rather than theories. While it is feasi-
ble to write Spec axioms in the conditional equation form commonly used 
in algebraic approaches, the use of models and axioms of other forms can 
sometimes lead to simpler specifications. The restricted form of Larch is 
helpful for supporting automated tools for program verification, while the 
expressiveness of Spec is useful in developing large scale designs. Larch is 
based on the premise that interfaces involving state changes are inherently 
dependent on the implementation language. Larch provides general pur-
pose facilities for defining immutable data types along with a framework for 
adding an implementation-language dependent layer for defining state 
changes and concrete interfaces. Spec is based on the premise that inter-
faces with state changes, exceptions, concurrent interactions, and time 
dependencies can all be specified independently of implementation 
language, and that the definition of a language dependent concrete interface 
is a matter of packaging rather than semantics. This reflects the difference 
between the prescriptive nature of specifications used as a design tool and 
the descriptive nature of specifications used primarily to prove properties 
about systems. 
Model based approaches such as VDM [6] have a few similarities to 
Spec. However, Spec has been designed to handle systems with a wide 
range of features, e.g. concurrency and time dependent constraints, while 
VDM is primarily intended for specifying sequential systems [7]. 
The GIST language is based on a global state model approach that 
describes behavior independently of interfaces [17], and is intended for use 
in the early stages of requirements analysis where properties of the entire 
application are being determined without assigning boundaries or allocating 
functions to either the proposed software system or its environment. Spec 
makes no attempt to address this stage, and is intended for use in the later 
functional specification and architectural design stages, where properties of 
proposed external and internal interfaces are specified. Localization of 
information, treatment of distributed systems, and treatment of real-time 
constraints are explicit design goals of Spec. The goals of Spec and GIST 
are complementary and the two can be used together at different phases of 
software development. 
Spec is based on the event model of computation, and uses predicate 
logic for the precise definition of the desired behavior of modules. The 
most important ideas of this language are modules, messages, events, 
atomic transactions, and defined concepts. Events can be used for defining 
timing constraint~. while localized states and atomic transactions are impor-
tant for specifying distributed or concurrent systems. Spec supports reuse 
of abstractions via inheritance and generic modules. Spec also has features 
important for specifying large conventional systems, such as import/export 
controls for defined concepts, and view and inheritance mechanisms. 
2. The Event Model 
The Spec language uses the event model to define the behavior of 
black box software modules. The event model has been influenced by the 
actor model [15, 26]. The main differences from the actor model are the 
treatment of time and temporal events, and the treatment of multi-event 
transactions[!]. In the event model, computations are described in terms of 
modules, messages, and events. A module is a black box that interacts with 
other modules only by sending and receiving messages. A message is a 
data packet that is sent from one module to another. An event occurs when 
a message is received by a module at a particular instant of time. 
Modules can be used to model external systems such as users and 
peripheral hardware devices, as well as software components. Modules are 
active black boxes, which have no visible internal structure. The behavior 
of a module is specified by describing its interface. The interface of a 
module consists of the set of stimuli it recognizes and the associated 
responses. A stimulus is an event, and the response is the set of events 
directly triggered by the stimulus. The events in the response consist of the 
arrivals of the messages sent out by the module because of the stimulus. 
Messages can be used to model user commands and system 
responses. Messages represent abstract interactions that can be realized in a 
wide variety of ways, including procedure call, return from a procedure, 
Ada rendezvous, coroutine invocation, external 1/0, assignments to non-
local variables, hardware interrupts, and exceptions. A message has a con-
dition, a name, and a sequence of zero or more data values. The condition 
has the value normal for messages representing nonnal interactions, and 
the value exception for messages representing abnonnal interactions such 
as exceptions. The name of a message identifies the service requested by a 
nonnal message or the exception condition announced by an exception 
message. The data values represent either inputs or results, and may be 
present for any kind of message. The triggering event is an implicit attri-
bute of each message, used for identifying the destination for reply mes-
sages. 
Each module has its own local clock and can send messages to itself 
at times determined by its local clock. The arrival of such a message is 
called a temporal event. Temporal events allow modules to initiate actions 
as well as responding to external stimuli. 
Events at the same module happen one at a time, in a well-defined 
order. lbis order can be observed as a computation proceeds, and 
corresponds to the ordering of the local times at which those events occur. 
Events at different places need not have a well-defined order because the 
local clocks of different modules are not guaranteed to be precisely syn-
chronized with each other. lbis is realistic since perfect synchronization of 
clocks at different locations is not possible in practice. Clocks can be syn-
chronized only by sending messages with a non-zero delay. Clock syn-
chronization depends on unverifiable assumptions about the unknown mes-
sage delays involved (e.g. delays in both directions are equal) and the rela-
tive rates of the local clocks. 
Because there is no completely accurate global time reference, the 
only guaranteed orderings between events are derivable from discrete 
sequences of the following types of steps: 
(I) Two events at the same module are ordered by their local times. 
(2) The event which triggered the sending of a message comes before 
the event in which that same message is received. 
Message transmission is assumed to be reliable, which means every 
message sent eventually arrives at its destination. In the absence of explicit 
specifications constraining the delay, messages can have arbitrarily long 
and unpredictable transmission delays. Specifications for message delays 
are inherently approximate unless the origin and destination of the message 
are the same. 
The response of a module to a message is influenced only by the 
sequence and arrival times of the messages received by the module since it 
was created. This means there is no action at a distance: all interactions 
must involve explicit message transmissions. This restriction is a formali-
zation of tl1e requirement that each module must correspond to a coherent 
abstraction. 
The event model and the Spec language admit nondeterminism due to 
partially specified communication delays or partially specified responses. 
Complete specifications admit only deterministic behavior. In Spec it is 
possible to specify that a response must be deterministic (repeatable) 
without completely specifying the other properties of the response. 
Each module has the potential of acting independently, so that there is 
natural concurrency in a system consisting of many modules. Since events 
happen instantaneously and the response of a module is not sensitive to any-
thing but the sequence of events at the module, the event model implies 
concurrent interactions with a module cannot interfere with each other at 
the level of individual events. Atomic transactions can be used to specify 
constraints on the order in which a module can accept events. Atomic tran-
sactions can be used to specify synchronization constraints involving chains 
of events in distributed systems. Atomic transactions must be used with 
267 
care, because they can interact with each other or with timing constraints to 
produce unsatisfiable specifications. Deadlocks are a well known example 
of such situations. 
Modules can be used to model concurrent an<l distributed systems, as 
well as systems consisting of a single sequential process. The event model 
helps to expose the parallelism inherent in a problem, since a stimulus can 
have a set of unordered responses occurring at different locations. 
3. Specifying Software in Terms of Events 
The Spec language provides a means for specifying the behavior of 
three different types of modules: functions, state machines, and abstract 
data types. Messages can also be used to model generators or iterators 
[18,22]. The properties of these kinds of modules and message are 
described below, with examples of each. 
3.1. Functions 
The response of a function module is influenced only by the most 
recent stimulus, so that function modules do not exhibit internal memory. 
Completely specified function modules calculate single-valued functions in 
the mathematical sense. An example of a specification for a square_root 
function is shown below. 




WHERE y >= 0.0 & approximates(y * y, x) 
OTHER WISE REPLY EXCEPTION imaginary _square_root 
CONCEPT approximates(rl r2: real) 
-- True if rl is a sufficiently accurate approximation of r2. 
-- The precision is relative rather than absolute. 
V ALUE(b: boolean) 
WHERE b <=> abs((rl - r2) / r2) <= precision 
END 
Function modules usually provide only a single service, and are usually 
designed to accept anonymous messages. The square_root function accepts 
anonymous messages containing a single real number. The response of a 
module to a message can be defined with several cases introduced by 
WHEN clauses. The predicate after each WHEN is a precondition, describ-
ing the conditions under which the associated response must be triggered by 
an incoming message with a given name and condition. The preconditions 
in each WHEN statement are stated independently, so that the order of the 
WHEN statements does not matter. 
OTHER WISE is an abbreviation for the case where none of the other 
WHEN statements apply. In the example above, the OTHERWISE means 
the same thing as WHEN x < 0.0. In the Spec language each series of 
WHEN statements must be terminated by an OTHERWISE, to make sure 
all cases are covered. If a case is to be left undefined, the designer must say 
so explicitly. 
A REPLY describes the message sent back in response to a stimulus. 
The reply is sent to the module originating the message that arrived in the 
stimulus, determined by the implicit origin attribute of the message. If 
REPLY is followed by EXCEPTION then the condition of the reply mes-
sage is exception, representing an exceptional event, and otherwise the con-
dition of the reply message is normal, representing a normal response. 
EXCEPTION can also appear after MESSAGE in the specification of an 
exception handler, indicating that the stimulus must be an exception condi-
tion. 
An outgoing message such as a REPLY can have a WHERE clause, 
which describes a postcondition that must be satisfied by the outgoing mes-
sage. The WHERE keyword is followed by a statement in predicate logic 
describing the relation between the contents of the message that was 
received and the contents of the reply message. This predicate states how 
to recognize a correct result, but it does not specify how to compute the 
required output. 
Whenever a message arrives which matches a MESSAGE header of a 
module and satisfies the precondition (WHEN) of one of the cases, then a 
response must be sent which matches the REPLY header and sati-sfies the 
associated postconditions (WHERE). A message matches a header if the 
message has the specified name, condition, and number of data values, and 
if each data value belongs to the specified data type. A message satisfies a 
predicate if the predicate is true in the state where the formal argume?ts of 
the visible message specifications are bound to the actual data values m the 
message. Only the incoming message is visible in a precondition, while the 
incoming message and all associated outgoing messages are visible in a 
postcondition. 
Messages without any WHEN clauses have a single case whose 
precondition is always true. lf the precondition for more than one ~ase i~ 
satisfied, all of the associated responses must be sent and the constramts o, 
all the associated postconditions must be met simultaneously. Overlapping 
preconditions are not recommended because they can lead to inconsisten-
cies. 
The concept approximates defines the intended meaning of 
"sufficiently accurate approximation" in tenns of the generic parameter pre-
cision. The generic parameter allows a single templale for a square root 
module to be adapted to many applications with different precision require-
ments. Some notion of approximation is needed to specify a practical 
square root function because it is not possible to implement exact s~uare 
roots using machine arithmetic. In this case the size of the acceptable mter-
val is delined relative to the size of the input value rather than as an abso-
lute constant. Introducing an explicitly defined concept modularizes the 
specification. This helps simplify the postcondition and supports stepwise 
refaiement and localization of information. The definition of the concept 
c,m be delayed or left as an informal comment when the concept ic 
identified and the postcondition is developed. 
3.2. Machines 
A machine i:; a module with an internal state, i.e. machines arc mut-
able modules. An example of a machine is shown below. 
!llACHlNE inventory 
·- assumes that shipping and supplier are other modules 
STATE\stock: map{item, integer 1) 
IN\' ARI ANT ALL\i: item :: stock[ij >= (I J 
!N111ALL Y ALL(i: item:: stock[i1 = fl) 
MESSAGE re~eive(i: item, q: integer) 
-- Process a shipment from a supp1ier. 
WHEN q> 0 
TRANSITION stock[i] = *stock[i] + q 
-- Delayed respoases to backorders are not silown here. 
OUIERWISE REPLY EXCEPTION empty_shipmem 
MESSAGE order(io: item, qc,: integc1) 
-- Prvcess an order from a customer. 
WHEN O < qo <= slock[io] 
SEND ship(is: item, qs: integer) TO shipping 
\','HERE is = io, qs = qo 
TRANSITION stock[io] + qo = *stock[ io] 
WHEN U < qo > stock[io ~ 
SEND ship(is: item, qs: integer) TO shipoic:_l 
WHERE is= io, qs = stock[io] 
SEND back_onlerl ib: item, qb: integer) TO suppli~--
WHERE ib = io, qb + qs = qa 
TRANSITION stock[io J = () 
OTHERWISE REPLY EXCEPTION empty _ort!er 
END 
Tlie behavior of a machine is describeJ in tem,o of a conceptual model of 
tt:; ,)?<1t:.::·. rath~r than directly 1n terms of thi.:• messages that arrived in th...:-. 
n:1st. b~caus·::-such dcscrirti~ns are usually shorter an<l easier to understand. 
The n1mpo11ents •)f the conceptual model of tlie stat~ are declrucd after the 
k~vword STA TE. and restrictions on the set of meaningful states are given 
afler the kevword lNV ARIANT. Restrictions on the initial state are give,1 
alter the kevword !NITIALL Y. The restrictiom after IN'V ARIA.NT must 
t,e satistie(l ·in all reachable states, while the restrictions after INITIALLY 
must be satislieJ only in the first state. 
State cim1ges arc described by predicate, Jher the keyword TRA..l\f-
SJTlON. In such statement~, plain variable~ of tl1e form x refer to the valuf?· 
.-,r" in the current state (just after the arrival of the stimulus), while vari-
.iblcs of the fom1 *x refer to the value of x in the previous state (just before 
tile .,.-rival of the stimulus). Tlie transitions in the example are equatiom 
rather than assignment statement:;. Equation., can describe the transition 
268 
either forwards or backwards in time, whichever is simpler ( cf. the first two 
transitions). 111e *x notation can only be used in the INVARIANT, !lie 
TRANSITIONS, and in WHERE clauses describing the output in terms of 
the new state. The Spec language follows the convention that components 
of the state of a machine or the model of an abstract data type do not change 
unless the component is explicitly mentioned in a TRANSIDON clause. 
The SEND statement is used instead of REPLY to describe messages 
sent to destinations other than !lie origin of the incoming ·message. A 
SEND statement means that a message satisfying the description must be 
sent to the given destination. SEND statements are useful for describing 
clislributed systems with a pipeline structure. There can be only one 
REPLY, but there can be any number of SEND's. If there is more than one 
SEND, the message transmissions can be performed concurrently or one at 
a time in any order, without waiting for any responses. The example has 
such a multiple response to the order message in the case where there arc 
not enough items on hand lo fill the order completely. 
3.3. Types 
A type module defines an abstract data type. An abstract data type 
consists of a value set and a set of primitive operations involving the value 
set. In the event model, a type module manages !lie value set of an abstract 
data type, creating all of the values of the type and performing all of the 
primitive operations on those values. Each message accepted by the type 
module corresponds to one of !lie operations of the abstract data type. The 
messages of a type module usually have names, since abstract data types 
usually provide more than one operation. 
A module is mutable if the response of !lie module to at least one 
message it accepts can depend on messages that arrived before the most 
recent incoming message. A module is immutable if the response of the 
module to every possible message is completely detennined by tl1e most 
re.,cnl message it has received. Mutable modules behave as if tliey had 
internal stales or memory, while immutable modules behave like mathemat-
i~al fui,ctions. A module is immutable if and only if it is not mutable. An 




MODEL(num den: integer) 
INV ARIAt'ff ALL(r: rational:: r.den ~= OJ 
MESSAGE ratio\num den: integer) 
\\.'HEN den -= 0 
REPLY(r: rational) 
WHERE r.num = num, r.den = den 
OTHERWISE REPLY EXCEPTION zero_denominator 
MESSAGE add\x y: rational) OPERATOR+ 
REPL Y(r: rational) 
WHERE r.num = x.num * y.den + y.num • x.den, 
r.den = x.den * y.den 
MESSAGE multiply(x y: rational) OPERATOR* 
REPL Y(r: ration~J) 
\.\THERE r.num = x.num * y.num, r.den = x.den * y.den 
MESSAGE equal(x y: rational) OPERATOR~ 
REPL Y(b: boolean) 
,\1-lERE lr <==> fx.num * ~1 .den :=.: y.nur..L * x.rien: 
EN[; 
Data types have conceptual models, which are used to visualize and 
Jcscribe the value set of tbe type. TI1e conceptual mo<lel is used to specify 
lh~ beliavior of a typ~, and forms the mental picture of the type for the pro-
gnunmec; who use the operations of the type. Tr1c conceptual model is 
chosen for clarity, and is usually different than the data structure used in tlie 
implementation. In case the data type must be r~-impltmented to improve 
\J~rfonn:rnce, the data structure used in the implementation will change, bu! 
th~ conceptual model will nut . 
Each instance of the type can be represented as a tuple containing the 
da:a components declared after the MODEL keyword. The restriction~ on 
the components of the model are described in the INVARIANT, which 
selects a subset of th~ tuple data type defined by the MODEL to serve as the 
conceptual representation. The INVARIANT is a predicate that must be 
true for all meaningful conceptual representations. 
The invariant on the conceptual representation should be adjusted to 
make the descriptions of the operations as simple as possible. The invaria!ll 
on the conceptual representation does not involve the implementation data 
structure and does not restrict the designer's choice of implementations. 
The invruiants on the implementation data structures will often be much 
more complicated than the conceptual invariants, because implementation 
invariru1t, often determine efficiency. Most books on data structures are 
really about the art of choosing implementation invariants that enable 
efficient algorithms. 
Inside the module defining an abstract data type, predicates describ-
ing the effects of the operations can be written in tenns of the conceptual 
representation. Inside the module defining an abstract type instances of the 
type can be described as if they were tuples containing the components 
specified in the MODEL. The notation x.y can be used to refer to the y 
component of the abstract data value x. The specifications of other modules 
may describe the values of abstract types onl.y in terms of the MESSAGEs 
it provides and the CONCEPTs it EXPORTs. 
It is sometimes convenient to express complicated conditions as lists 
of independent constraints. The predicates after INVARIANT, WHEN, and 
WHERE can be lists of expressions separated by comma,. A list of state-
ments is true if and only if all of the statements in the list are true individu-
ally, so that in tlris context a comma means the same thing as &. The 
comma has a lower precedence than all of the other operators, so that it can 
be used to separate statement, at the top level without need for parentheses. 
An exrunple of a defurition for a mutable type is shown below. 
TYPE queue It: type) 
INHERIT mutable{queue} 
-- Inherit definitions of the concepts "new" and "defined'". 
MODEL(e: sequence) 
-- The front of the queue is at the right en1. 
INVARIANT true 
-- Any sequence is ~ valid modei for a queec. 
MESSAGE create 
-·· A newly created empty quev,:. 
REPLY(q: queuc{tl) WHERE q.e = l J 
TRANSITION new(q/ 
MESSAGE enqueue(,.: t, q: queue( t l) 
-- Add x to tht> back e>f the queut'. 
TRANSITION q.e = append([x]; *q.c,l 
?-.IBSSAGE <l~queue(q: queue{ t)) 
-- Renrnve and return tne front element of the queu~. 
WHEN not_cmptyt,;1 
REPLY(x:-.· 
TRANS!TION *q.e = append(g.~. [x]) 
OTHERV.1SEREPLY EXCEP11ON queue __ nnderflow 
l\1l~SAGE n1,!t __ empty(q: que:-.ue{t }': 
-- Trut• if q is not empty 
REP'...,Y\t,: boolean) Wf-LERE b <=> {'-!-~ -= ! 
ENfJ 
iu mtHal1fe tvre~ th:.: instances of the typ{· have JntcrriaJ state:.., and op·:r-.1-
dorn, :n,_· r,ru~·id.ed fur (;hangirJg th(.· iutenJa! srnte...:: of ~c ins~ances. TR.~\I,-
SfTiUN clauses ;u~ allowed m type:) ii'> weH as machines. A 1ype is nmt-
ab!(' i, an,i nnlv ifit has a nun-trivial TRA..1\/SJT!ON clause !i.e. a TRA.t"ISl· 
TlON tlia! 1mi1lii.:s -= ,: for some component x.) Mutating operalio!J~. 
such as c1.queuc in ilK· exan1:>k ahe;v~. arf dcsctihcd using 1RANSJTIO~·~ 
clause~; 
VoJcc,t Hicnltl) i:} in m1porwn~ jssue f:--); mutabI~ types bec:mse an~!· 
the program varial~le.-.: hvuod to the :-i:arn? mur:-tbh~ o?jei;t wilt be affec~ed if>~ 
stat~ changing 01•crador: i .. , applieC ~-, th,· o't1Jt-·1. A new ob3ecl L: 
g-m~rantee<l t) l>e di:--:tinct frnw 2.U objt.:cts defined in the previous state. Iht.: 
concepL; ne.t· arid de.fined i:1J'.:' not oa1i of the Spec language. but th~.:,r :,Te 
provided by a prc•delined generi,, modul,~ m11t;1ble whos~ instance:; can re 
:1;;~~~·::sb~,-~~~;;'~!:~1:r~ ~c}t~\,ft .~~ ~: ~~ '.. ,~:8i,;•~ ::,:;~/r~~;,I:1c :~ 
of many systems. We recommend avoiding mutable types in user inter-
faces. 
3.4. Generators 
A generator is a message that generates a sequence of values one at J 
tin1e. An exan1ple of a specification for a generator is shown below. 
FUNCTION primes 
IMPORT prime FROM nat 




ALL(i: nat :: i IN s <=> l <= i <= limit & prime(i)) 
CONCEPT increasing_order(s: sequence { nat}) 
V ALUE(b: boolean) 
WHERE b <=> sorted{ less_or_equal@nat }(s) 
END 
The "@" is used in Spec to determine the type of an overloaded operator o< 
constant in places where it is not clear from the context. The GENERA TE 
keyword means the srune thing as a REPLY except that the result is a 
sequence whose elements are delivered one at a time rather than all at once 
This means that the elements will be generated one at a time, and processed 
incrementally, rather than being generated all at once and returned in a sin-
gle data structure contai.tring all of the elements, as would be the case for a 
REPLY of type sequence. In a program a generator is used to control a da:a 
driven loop. Generators can also be used in specifications of other modules, 
for exrunple to define the range of a quantified variable. Generators ar~ 
interpreted ;,s sequence-valued ,unction., when they appe~ in 
specifications. 
Any message with a GENERATE is a generator, so that generators 
can be defined as operations of an abstract data type l', a machine. This i'" 
an impot1:in! application of generators. because ii is t'lh<'rwist' difficulr t·, 
scan all of the elements nf an abstract collection ,,,ithout exposing the da'.J 
structure used lo implement the collectior, 
4. Features for Specifying Large System~ 
Th, Spec hmguage contains a number of featurt>s tlic,t an.· ne~,Je-; 
rnc,stly for specifying large system.,. Some of these features include generic 
modules. defined concepts, and an inheritance mecharusm. An exampfe 
illustrating the development of a compleie system using Spec and a more 
detailecl descrirtion of lhe lang1iage can be found in [5}. 
<4.l. Generic Module, 
A parametrized module speciiks a family of muduies rather than ai: 
in-.lividual module. {ieneric modules are importam for achievil,g re-use of 
snecification::i mid designs because tlli.~y can be adaph>.l to i\ wider variety nf 
a~pp1icahnn:; tl1an tlv~ir tnon! spe..:-ifk instances. A p,uame;.tizcd m0duk 
looks like an ordin:~ty modu,e defini1ion except tha: li1ere can be paramete,:; 
:liier tht mod uh: nanle. wi\;i an optional WHERE dause restricting ti:•' 
values of th<:' parame!ers. 1be specifications for sqn:.u-!' _root and queut 
~iven in the previous section are examples of para1neui.!ed modules. Such 
:1. definition defittes one module for each ;~g~l set pf v:1lues for the para.m,:-· 
,ers of the module The paramNers can range over data values values, func-
tions or types. 
4.2 Concept•, 
Con~epl'.i arc :mportant for explaining arh~ lP8ti.ng the be-havicr 0: 
m,iduleo, ,md should be rc;leci.l'<l in reference manu:1:cl and test orack; 1\ 
con~f'p1 ~n tJ,t~ languag~ i:-, !.l constant symbJ:, predicate symbo:, o~ 
function symbol i..:an be usf•d ln construct1:1r r:--ie iof:ic;.Ll asseition:.. 
defmin~ lhe behavior of modules. Concepts w1thout iom1a1 argun1ents arr~ 
int('q1reted as constams. A con~tmt can be either a symboilc name fc•r : 
dm:1 \a[ue or a sywbo1ic 1rn.me ior a data type. Concepts with fornwl argu-
mcn,;: an~ mterprcte,l :is prcd.ic.11e syrnools if !hey r,ave one VALVE and it; 
type is oookan, mid as ~·unction symbols otherwi8e. 
Even· concepl is attached to some mode,lc, ,md is local to that rnodu' · 
,,n,css it i., exported nr inl1erited. Only con;;epts can be exportecl. Ir a ,_.,.,,. 
cept is exported, then it can be explicitly imported by other modules and 
used in their definitions. The export/import mechanism is used to record 
logical dependencies between modules, so that mechanical aid can be 
provided for tracing the impact of a proposed change to a definition. 
A facility for introducing named concepts with explicit definitions 
and interfaces is important for organizing and simplifying descriptions of 
complex software systems. It is not a good idea to express a complicated 
constraint a~ a single very long expression in predicate logic, just as it is not 
a good idea to implement a large system as a single monolithic module: the 
result is too difficult for people to understand. Concepts have the same pur-
pose in a specification language that subprograms do in a programming 
language, namely to provide a mechanism for orderly decomposition. 
Concepts can also be used to mix formal and informal specifications, 
by a formal definition of a precondition, postcondition, invariant, or transi-
tion in terms of some concepts, and then providing informal definitions for 
the concepts. The formal definitions of the concepts can be filled in later, 
when the design has stabilized, or can be left out entirely if the details are 
not critical. The ability to mix formal and informal specifications in a dis-
ciplined manner can be important in practical projects with tight schedules. 
Concepts represent the properties of the software that are needed to 
explain or describe the intended behavior of the software system. Concepts 
are delivered to the customer in the manuals explaining how the system is 
supposed to operate, where they may be explained less formally than in the 
functional specifications and architectural design. Concepts do not nor-
mally represent components of the code to be delivered, although it may be 
useful to implement them for testing purposes. 
A function should be defined as a module of type FUNCTION if it is 
part of the model of the software system, and it should be defined as a con-
cept that is part of a module if the function is needed to specify the behavior 
of the module, but is not part of the model of the system at the current level 
of description. If a function is needed to specify the behavior of a module 
at a high level of the architectural design, and is also one of the components 
used to realize that module at a lower level, then it should be defined as a 
concept attached to the module at the higher level and exported. At the 
lower level it should be specified as a FUNCTION module, which imports 
the concept from the higher level module and has a trivial definition in 
terms of the imported concept 
4.3. Views and Inheritance 
The Spec language has an inheritance mechanism which can be used 
for specifying constraints common to the interfaces of many modules and 
for view integration. Specifying constraints common to many interfaces is 
essential for achieving interface consistency in very large systems. The 
interface of a system to each class of users can be a separate view of the 
system, perhaps specified by different designers. A total picture of the sys-
tem is formed by expanding the definition of a module that inherits all of 
the individual views. The inheritance mechanism and the rules for combin-
ing different versions of messages and concepts inherited from multiple 
parents are described in more detail in [3]. 
5. Conclusions 
Spec is a specification language with a broad range of applications. 
The language is primarily intended for recording black box interface 
specifications in the early stages of design. The language has a precise 
semantics and a simple underlying model. Experience has shown that it is 
sufficiently powerful to allow the specification of many kinds of software 
systems, and sufficiently flexible to allow software designers to express 
their thoughts without forcing them into a restrictive framework. The 
language is sufficiently formal to support mechanical processing. Some 
tools for computer-aided design of software that are currently under investi-
gation are syntax-directed editors, consistency checkers, design completion 
tools, test case generators, and prototype generators. 
1. V. Berzins and M. Gray, "Analysis and Design in MSG.84: 
Formalizing Functional Specifications", IEEE Trans. on Software 
E11g. SE-11, 8 (Aug. 1985). 
2. V. Berzins, M. Gray and D. Naumann, "Abstraction-Based Software 
Development", Comm. of the ACM 29, 5 (May 1986), 402-415. 
3. V. Berzins and Luqi, The Semantics of Inheritance in Spec, Computer 
Science, Naval Postgraduate School, 1987. NPS 52-87-032. 
4. V. Berzins and Luqi, "Languages for Specification, Design and 
Prototyping", in Handbook of Computer-Aided Software 
Engineering, Van Nostrand Reinhold, 1988. 
5. V. Berzins and Luqi, Software Engineering with Abstractions: An 
Integrated Approach to Software Development using Ada, Addison-
Wesley, 1988. 
6. D. Bjoerner and C. Jones, Formal Specification and Software 
Development, Prentice Hall, Englewood Qiffs, NJ, 1982. 
7. B. Cohen, W. T. Harwood and M. I. Jackson, Tire Specification of 
Complex Systems, Addison Wesley, Reading, MA, 1986. 
8. "Ada Programming Language", American National Standards 
Institute/MlL-STD-1815A, DoD, 1983. 
9. J. A. Goguen, J. W. Thatcher, E. G. Wagner and J. B. Wright, 
'' Abstract Data Types as Initial Algebras and the Correctness of Data 
Representations", in Proc. Co,rf. on Computer Graphics, Pattern 
Recognition, and Data Structures, 1975, 89-93. 
10. A. Goldberg and D. Robinson, Smalltalk-BO: The Language and its 
Implementation, Addison Wesley, Reading, MA, 1983. 
ll. J. V. Guttag, E. Horowitz and D.R. Musser, "Abstract Data Types 
and Software Validation", Comm. of the ACM 21, 12 (1978). 
12. J. V. Guttag and J. J. Horning, "A Larch Shared Language 
Handbook", Science of Computer Programming 6 (1986), 135-157. 
13. J. V. Guttag and J. J. Horning, "Report on the Larch Shared 
Language", Science of Computer Programming 6 (1986), 103-134. 
14. M. Herlihy and B. H. Liskov, "A Value Transmission Method for 
Abstract Data Types", Trans. Prog. Lang and Systems 4, 4 (Oct. 
1982), 527-551. 
15. C. Hewitt and H. Baker, "Actors and Continuous Functionals", in 
Formal Description of Programming Concepts, North-Holland, New 
York, 1978, 367-387. 
270 
16. C. A. R. Hoare, "Proof of Correctness of Data Representations", 
Acta Informatica 1, 4 (1972), 271-281. 
17. L. Johnson, "Overview of the Knowledge-Based Specification 
Assistant", in Proc. Second Annual RADC Knowledge-based 
Assistant Conference, RADC(COES), Grifiss AFB, NY, 1987. 
18. B. H. Liskov, A. Snyder, R. Atkinson and J. C. Schaffert, 
"Abstraction Mechanisms in CLU", Comm. of the ACM 20, 8 (Aug. 
1977), 564-576. 
19. B. Liskov, R. Atkinson, T. Bloom, E. Moss, J. Schaffert and R. 
Scheifler, CLU Reference Manual, Springer Verlag, 1981. 
20. Luqi, V. Berzins and R. Yeh, "A Prototyping Language for Real-
Time Software", to appear in IEEE TSE, 1988. 
21. R. Nakajima, "IOTA", IEEE Trans. on Software Eng., Feb. 1985. 
22. M. Shaw, W. A. Wulf and R. L. London, "Abstraction and 
Verification in ALPHARD: Defining and Specifying Iteration and 
Generators", Comm. of the ACM 20, 8 (Aug. 1977), 553-564. 
23. M. Shaw, Alphard: Form and Content, Springer Verlag, 1981. 
24. W. Turski and T. Maibaum, The Specification of Computer 
Programs, Addison Wesley, Reading, MA, 1987. 
25. W. A. Wulf, R. L. London and M. Shaw, "An Introduction to the 
Construction and Verification of Alphard Programs", IEEE Trans. on 
Software Eng. SE-2, 4 (Dec. 1976), 253-265. 
26. A. Y onezawa, "Specification and Verification Techniques for 
Parallel Programs Based on Message Passing Semantics", Ph. D. 
Thesis, MlT, I 977. 
