Applications and Meaning of Inheritance in Software Specifications by Berzins, Valdis et al.
Calhoun: The NPS Institutional Archive
Faculty and Researcher Publications Faculty and Researcher Publications
1992




Applications and Meaning of Inheritance in Software Specifications 
Valdis Berzins* Luqit Yuh- Jeng Lee 
Computer Science Department 
Naval Postgraduate School, Monterey, CA 93943 
Abstract 
We present a novel inheritance mechanism for a 
specification language. This mechanism supports step- 
wise refinement by  combining constraints that can be 
inherited from several sources. Inheritance in specifi- 
cations differs from inheritance in programming lan- 
guages. The proposed mechanism has been designed 
specifically t o  support computer-aided requirements 
analysis. The main design issues for the mechanism 
are explained, and the application of the mechanism 
to requirements analysis is illustrated via examples. 
1 Introduction 
The value of inheritance mechanisms in object- 
oriented programming languages has been widely rec- 
ognized. Inheritance provides an easy way to ex- 
tend and adapt reusable software components without 
modifying their source code, and helps make software 
systems more flexible. Inheritance introduces a sub- 
class structure that is useful for organizing complex 
systems to make them easier to understand. The sub- 
class structure also provides an important kind of gen- 
eralization that can significantly simplify programs: a 
single polymorphic program that depends only on the 
attributes (instance variables) and operations (meth- 
ods) of a general class can be applied to instances of 
all of its subclasses, regardless of possible differences 
in the data structures used to represent instances of 
different subclasses. 
Inheritance is useful in the context of specification 
languages as well as programming languages, and en- 
ables new and useful software development paradigms 
in that context. This paper discusses the inheri- 
tance mechanism provided by the specification lan- 
guage Spec [5, 71, and explores its application to re- 
quirements analysis. 
Spec is a language for representing conceptual do- 
main models in the problem definition phase of re- 
quirements analysis and for representing black-box 
specifications in the functional specification and archi- 
tectural design of software systems. Black-box specifi- 
cations are essential for realizing the benefits of ab- 
stractions in the software development process [2]. 
The critical early stages of software development are 
dominated by the tasks of building conceptual models 
of the proposed software and defining its interfaces. A 
precise notation for such models is needed as a medium 
for organizing and communicating conceptual models 
and as a means for supporting computer-aided design. 
Such conceptual models are essential for the applica- 
tion of abstractions, because they enable a designer to 
use a complex subsystem without examining its im- 
plementation. Some of the of the tasks that should 
be supported by a CAD system based on Spec include 
inheritance expansion, rearrangement of inheritance 
structures, automatic propagation of design implica- 
tions, error checking [17, 181, materializing implied 
aspects of a design, prototyping, formal proofs, and 
automated classification of test results [12]. 
Spec has evolved from earlier specification lan- 
guages [l, 191 based on extensive classroom experience 
in using formal specifications in multi-person projects 
[2]. A general description of the language can be found 
in [ 5 ,  while a complete treatment and extensive ex- 
we concentrate on the inheritance mechanism of Spec, 
extending the formulation in [8], making some of its 
formal properties explicit, and illustrating some novel 
uses of inheritance in requirements analysis via exam- 
ples. 
An inheritance mechanism induces a generalization 
hierarchy, which can be useful for organizing a library 
of reusable components. The generalization structure 
can be exploited when automating the bookkeeping as- 
sociated with design by stepwise refinement, which in 
practice involves considering alternatives 161 and oc- 
heritance also has some uses which are more important 
for specifications than for programs, and may be less 
familiar. 
amp I es of its use can be found in [SI. In this paper 
casionally backtracking to explore paralle I paths. In- 
'This research was supported in part by the Army Research 
tThis research was supported in part by the National Science 
Office under grant number ARO-145-91. 
Foundation under grant number CCR-9058453. 
0073-1 129-1/92 $3.00 0 1992 IEEE 
View Integration Large systems are designed by 
groups of people, who must work on different as- 
pects of the same problem simultaneously. When 
64 
a specification language supporting multiple in- 
heritance is available, each designer can specify 
the view of the system through one of the external 
interfaces as a separate module. The whole sys- 
tem is materialized in a trivial module that inher- 
its the features of the modules defining the views. 
This enables each designer to edit and control a 
separate module, and allows CAD tools to keep 
track of interactions and conceptual dependencies 
between decisions made by different designers. 
Standardization A common problem in developing 
very large software systems is to ensure that the 
same commands in different subsystems have con- 
sistent interfaces and interpretations. One way to 
achieve this is by means of a skeleton specification 
for the common interfaces, which is defined once 
by the system architect and inherited by all of the 
subsystems. 
Design History Inheritance supports an incremen- 
tal style of documenting the evolution of a system 
specification. Each enhancement in the history 
corresponds to another layer in the inheritance 
structure. This structure is most useful during 
requirements formulation via exploratory analy- 
sis and design, which specifications are changing 
rapidly and alternatives are being explored. 
Factoring Complex conceptual models can be parti- 
tioned into small, logically related groups of con- 
cepts that can be inherited in all of the contexts in 
which they are used. This helps make the sharing 
of conceptual dependencies explicit, helps makes 
complex descriptions humanly understandable by 
separating them into independent parts that are 
smaller than system boundaries, and provides a 
mechanism for controlled sharing of definitions. 
We expect CAD tools to support rearrangement 
of inheritance structures corresponding to the de- 
sign history into cleaner logical groupings. The 
tools should preserve a copy of the design his- 
tory, and maintain the mapping between the two 
forms to support continued evolution of the spec- 
ification. The factoring process is appropriate af- 
ter a specification module has been fully refined 
and stabilized. Since proper factoring can make a 
specification easier to read and analyze, this pro- 
cess should be performed before design reviews. 
Reuse Standard building blocks for specifications 
can be reused by inheriting them and special- 
izing them. Generalized types and partial con- 
straints are essential for making interface struc- 
tures and domain models reusable: if the compo- 
nents are too specific, they will not correspond to 
a wide variety of applications, and will fail to be 
reusable in practice. Examples of such libraries 
of reusable components for conceptual modeling 
and for defining system interfaces can be found in 
There has been a great deal of previous work on 
providing programming language support for inheri- 
tance [9, 14, 211. Parameterization is an important 
PI  
mechanism for reusing designs and code 131, which is 
Section 2 describes the specification language Spec 
used in this paper. Section 3 gives an informal ex- 
planation of the inheritance mechanism and discusses 
some of the design issues that affected its design. A 
formal transformational semantics [ll, 101 for the in- 
heritance mechanism of the Spec language can be 
found in [4]. Section 4 illustrates the application of in- 
heritance to requirements analysis via examples. Sec- 
tion 5 presents our conclusions. 
important for realizing the full benefits o I inheritance. 
2 The Spec Language 
The Spec language is based on the event model of 
computation and uses (second order, temporal) predi- 
cate logic for the precise definition of desired behavior. 
The event model is an extension of the actor model 
that extends the familiar precondition/postcondition 
style of specification to concurrent, distributed, and 
real-time systems in a natural way [SI. The primitives 
of the simplified event model are modules, messages, 
events, and alarms. 
A module is a black box that interacts with other 
modules only by sending and receiving messages. 
Modules can represent software systems, such as Ada 
tasks or packages, as well as people and hardware de- 
vices. A message is a data packet that is sent from one 
module to another. Messages represent interactions 
between modules, such as calls on Ada task entries or 
subprograms declared in Ada package specifications. 
Messages can also be realized by I/O, exceptions, and 
other mechanisms. An event occurs when a module re- 
ceives a message at a particular instant of time. Events 
represent both stimuli and responses, and serve as ref- 
erence points for timing constraints. An alarm is a 
point in time that triggers a temporal event. 
Spec provides language features supporting devel- 
opment of complex systems, such as controlled name 
spaces. The most important ideas of this language 
are modules, messages, events, localized state models, 
atomic transactions, parameterization, inheritance, 
and defined concepts. 
In Spec modules are classified as functions, ma- 
chines, and types. System behavior is defined using 
Spec MESSAGE declarations. Each MESSAGE dec- 
laration defines the required responses for all events 
in which a message of the declared form arrives at the 
module. A response consists of a set of outgoing mes- 
sages that represent required future events. Responses 
of modules with internal states can also include an 
optional state transition, which is defined via a local 
state model. An event can have several different re- 
sponses that are guarded by preconditions. Require- 
ments on the contents of outgoing messages and the 
next state of the module are defined by postconditions. 
Preconditions and postconditions are logical assertions 
marked by the keywords WHEN and WHERE, respec- 
tively. For modules with internal states, the part of 
the postcondition specifying the requirements on state 
transitions is separated and marked with the keyword 
TRANSITION to improve readability and to syntac- 
tically distinguish intended state transitions. 
65 
Spec modules can also define concepts. A CON- 
CEPT declaration defines a logical symbol represent- 
ing a predicate, function, type, or constant. Concepts 
are used to concisely represent assertions in precondi- 
tions and postconditions. They support hierarchical 
structuring of complex definitions, and help make for- 
mal logic humanly understandable. Messages directly 
represent observable aspects of system behavior. Con- 
cepts represent abstract ideas that are used to state 
the requirements but do not appear as part of the sys- 
tem behavior. 
3 The Spec Inheritance Mechanism 
This section informally explains the Spec multiple 
inheritance mechanism. A Spec module can inherit 
the messages, concepts, and data or state model from 
a set of other modules. A novel aspect of inheritance 
in the Spec language is that each inherited definition 
is combined with the corresponding local definition, 
if there is one. This choice differs from most object- 
oriented programming languages, in which local def- 
initions supersede inherited definitions with the same 
name. The purpose of this interpretation for inheri- 
tance in Spec is to support design by stepwise refine- 
ment as well as the applications listed in Section 1. 
In cases where several definitions for the same op- 
eration are inherited, these are also combined. In 
most programming languages that support multiple 
inheritance, situations in which several methods are 
inherited for the same operation are either resolved 
by precedence rules that pick one of the methods to 
supersede the others (e.g. in LISP flavors) or are re- 
ported as errors (e.g. in Eiffel). Inheritance in pro- 
gramming languages provides a refinement capability 
only for virtual messages, which declare an operation 
but do not provide a method. Virtual messages can 
be inherited by subclasses that supply methods for 
realizing them. One reason for these restrictions on 
inheritance in programming languages is that reliable 
automated techniques for combining different versions 
of a pro ram are still the subject of active research 
[3, 15, 6f This paper describes a sound method for 
consistently combining specifications, and explains its 
application to  an inheritance mechanism for the Spec 
language. 
Inheritance in the Spec language can be used in 
ways similar to an include directive for a compiler, 
but it is a semantic operation rather than a text ma- 
nipulation process. Specifications can be combined 
by forming the union of the interfaces they introduce, 
and forming the intersection of the associated behav- 
ioral constraints. This is illustrated by a very simple 
example in Figures 1 - 3. For brevity the example 
shows only a fragment of a complete specification, fo- 
cusing on the requirements for the equal operation of 
an abstract data type representing rational numbers. 
Figure 1 shows the specification written by the ana- 
lyst, which inherits the standard properties of math- 
ematical equality, common to the equality operations 
of all data types, from the library unit shown in Fig- 
ure 2. Figure 3 shows an inheritance-free specification 
equivalent to the specification in Figure 1, which is de- 
rived via an expansion process. The effect of the IN- 
TYPE rational INHERIT equality(rationa1) 
MODEL(num den: integer) 
INVARIANT ALL(r: rational :: r.den = zero) 
MESSAGE equal(r1 r2: rational) 
REPLY(b: boolean) 
WHERE b <=> 
(rl.num * r2.den = r2.num * rl.den) 
END 
Figure 1: Main specification 
TYPE equality {t: type} EXPORT Reflexive 
MESSAGE equal(x y: t )  REPLY(b: boolean) 
WHERE Transitive(equa1) 
WHERE b <=> equal(x, y) 
MESSAGE not-equal(x y: t)  REPLY(b: boolean) 
CONCEPT Transitive(f: function{ t ,  t, boolean}) 
VALUE(b: boolean) 
WHERE b <=> 
ALL(x y z: t :: f(x, y) & f(y, Z) => f(x, 2)) 
END 
Figure 2: Inherited specification 
TYPE rational 
MODEL(num den: integer) 
INVARIANT ALL(r: rational :: r.den = zero) 
REPLY(b: boolean) 
WHERE b <=> 
MESSAGE equal(r1 r2: rational) 
(rl.num * r2.den = r2.num * rl.den), 
Transitive(equa1) 
MESSAGE not-equal(x y: t)  
REPLY(b: boolean) 
WHERE b <=> equal(x, y) 
CONCEPT Transitive(f function{t, t ,  boolean}) 
VALUE(b: boolean) 
WHERE b <=> 
ALL(x y z: t :: f(x, y) & f(y, z) => f(x, z)) 
END 
Figure 3: Equivalent specification 
HERIT clause in Figure 1 is to add some constraints to 
the postcondition of the message equal in addition to 
adding the message not-equal and the concept f ian-  
sitive. The effect on the postcondition of the equal 
operation illustrates the combination of inherited con- 
66 
straints with constraints from a local definition. In the 
Spec language, a list of constraints denotes the con- 
junction of the individual constraints in the list. The 
effect of the INHERIT on the postcondition of equal 
illustrates the intersection of constraints, while the ad- 
dition of the message not-equal illustrates the union of 
the interfaces. Some of the finer points in the design of 
the Spec inheritance mechanism are discussed in the 
remainder of this section. The next section gives ex- 
amples of the use of these mechanisms in the context 
of requirements analysis and architectural design. 
3.1 Algebraic properties 
Inheritance in Spec is transitive: if module A in- 
herits module B and B inherits module C, the A in- 
herits C. This property is common with most of the 
inheritance mechanisms in object-oriented program- 
ming languages. 
Multiple inheritance in Spec is associative and com- 
mutative: the path by which a module is inherited and 
the order of inheritance are irrelevant. To be precise, 
the specifications shown in Figure 4 are all equivalent 
with respect to module A, although there are differ- 
ing effects on modules B and C. In the above, MOD- 
MODULE A INHERIT B INHERIT C END 
MODULE B ... END 
MODULE C ... END 
MODULE A INHERIT C INHERIT B END 
MODULE B ... END 
MODULE C ... END 
MODULE A INHERIT B C END 
MODULE B ... END 
MODULE C ... END 
MODULE A INHERIT C B END 
MODULE B ... END 
MODULE C ... END 
MODULE A INHERIT B END 
MODULE B INHERIT C ... END 
MODULE C ... END 
MODULE A INHERIT C END 
MODULE B ... END 
MODULE C INHERIT B ... END 
Figure 4: Equivalent inheritance paths 
ULE is a schema parameter ranging over the Spec key- 
words FUNCTION, MACHINE, TYPE, INSTANCE, 
and DEFINITION. 
Multiple inheritance in Spec is idempotent: inherit- 
ing a module more than once is the same as inheriting 
it once. Thus inheriting the same module more than 
once via different paths does no harm, and neither 
does circular inheritance. 
3.2 Monotonicity: upwards compatibility 
The basic inheritance mechanism of Spec is mono- 
tonic. This means that if a module A inherits a module 
B, then every interaction with A that appears in the 
interface of B satisfies the specification of B. In par- 
ticular, if A and B are type modules, then A defines 
a subtype of B, and if A and B are function modules, 
then A defines a subfunction of B. This means that A 
can be used in any context where B can be used, al- 
though A may provide services that B does not. In the 
context of software configuration management, this is 
called an upwards compatibility relationship. 
The Spec INHERIT statement has two optional 
clauses that can introduce non-monotonic (not up- 
wards compatible) behavior. An inherit statement of 
the form “INHERIT m RENAME n l  AS n2” substi- 
tutes the name n2 for all free occurrences of the name 
n l  in the module m before inheriting it. The names 
that are affected by RENAME clauses are messages 
names, concept names, state variable names, and in- 
stance variable names. This mechanism is used to re- 
solve unintended name collisions, and is especially use- 
ful when inheriting reusable modules from a library. 
The mechanism can also be used to introduce more 
specific meaningful names for general-purpose opera- 
tions that are inherited in a specialized context. For 
example, when the set module inherits the partial or- 
dering module, it renames the less-or-equal operation 
as subset. 
The RENAME mechanism is not intended to affect 
module behavior, in the sense that the behavior of 
the renamed module should be isomorphic to the be- 
havior of the original, although strictly speaking this 
property holds only in the absence of name collisions. 
A name collision occurs when two different messages 
with the same signature are coalesced by being re- 
named to the same name. Name collisions do not OC- 
cur for messages with differing signatures because of 
operator overloading. An example of a name collision 
is “INHERIT integer RENAME plus AS combine R E  
NAME times AS combine”. A CAD tool for detect- 
ing unintended name collisions and producing warning 
messages is useful. 
Intentional non-monotonic changes are made via 
statements of the form “INHERIT m HIDE d’. This 
hides the name n and removes all structures bound 
to the name in the module m before inheriting the 
result. Hiding is legal for the same set of names as 
for the renaming operation. This mechanism is used 
most often to supersede an inherited definition with 
an incompatible reformulation. This situation is com- 
mon in exploratory design and analysis, and in system 
evolution in response to requirements changes. 
The Spec language has chosen to syntactically high- 
light all incompatible changes via the keywords R E  
NAME and HIDE to make it easier for CAD tools to 
detect incompatible changes. This supports a refine- 
ment to tools that manage induced changes in a soft- 
ware configuration [20]. Dependencies between source 
modules can be managed based on principles similar to 
those used by tools to keep mechanically derived files 
up to date, such as the UNIX “make” tool. However, 
make recomputes all dependent files whenever there 
61 
is any kind of change to a source file, based just on a 
timestamp. If an interface specification for a module 
is changed in an upwards compatible way, then there 
is no need to rederive all places where the module is 
used or to rederive all modules that depend on the in- 
terface specification. Since checking dependencies and 
rederiving source modules dependent on other source 
modules can be a tedious manual operation in the 
maintenance of a large software system, tool support 
for keeping track of all the places potentially impacted 
by a software change is useful. Avoiding rederivation 
in cases where it is not necessary can have significant 
practical value. 
3.3 State and instance variables 
Spec defines the behavior of types and machines 
based on conceptual representations consisting of sets 
of variables representing the state of the machine 
(state variables) or the information content of the val- 
ues of the type (instance variables). These are called 
conceptual representations because they are abstract 
data models that need not be the same as the data 
structures used in the implementation. For this reason 
instance variables in Spec differ from the instance vari- 
ables of most object-oriented programming languages. 
The Spec inheritance mechanism combines instance 
variables by matching up variable names (coalesced 
union). An alternative interpretation (disjoint union 
ferent modules artificially distinct, by using (module 
name, variable name) pairs as variable identifiers. The 
disjoint interpretation is plausible for programming 
languages because we might not want implementa- 
tions of different aspects of the behavior to interfere 
with each other. We did not adopt the disjoint inter- 
pretation for the Spec inheritance mechanism because 
we expect different partial views of machines to inter- 
act. The application of this aspect of inheritance in 
the context of requirements analysis is illustrated in 
Section 4. 
The constraints associated with a state model, such 
as type declarations, invariants, and initial value con- 
straints, are combined by intersecting constraints. For 
logical assertions such as invariants and initial value 
constraints the intersection is realized as a conjunc- 
tion. For type declarations the intersection is realized 
as the most general common subtype in the subtype 
lattice. For example, the result of combining a vehi- 
cle type with an airplane type is the airplane type. 
The result of combining two incompatible types is an 
empty type, which is generally an indication of a de- 
sign error. 
3.4 Overloading and interface refinement 
Concepts and messages in the Spec language can 
be overloaded if they have different signatures. The 
signature of a concept or message consists of its name 
and the sequence of the types of its input parameters. 
The Spec inheritance mechanism matches up concepts 
and messages by their signatures. Operations with 
different signatures are inherited separately, while op- 
erations with a common signature are combined. The 
result of combining a message and a concept with the 
same signature is an error. 
makes instance variables that are inherited from di 2 -
Each message represents a kind of stimulus recog- 
nized by the module. The response to a stimulus can 
be different in different cases, where each case is de- 
fined by a logical assertion called a precondition or a 
guard. When several different definitions for the same 
operation are defined, we take the conjunction of the 
postconditions for each case. The set of possible cases 
is defined by the cross product of the sets of precon- 
ditions for each of the definitions to be combined. If 
the preconditions defining the cases for all the defi- 
nitions are the same, then most of the terms in the 
cross product simplify to the false guard, and can be 
dropped. However, inheriting operations defined by 
cases can cause a significant increase in the number of 
cases in the equivalent expanded specification. 
For each case, the response can consist of zero or 
more outgoing messages and a state transition. The 
postconditions for the state transitions are combined 
by conjunction, as are the postconditions associated 
with corresponding outgoing messages. Outgoing mes- 
sages are matched up by destination module, message 
name, and message type (normal, exception, or gen- 
erator). Output parameters are matched by position, 
and type declarations are combined by intersection, 
which is explained in Section 3.3. This mechanism 
is useful for factoring complex decisions into indepen- 
dent views, thus avoiding combinatorial explosions in 
the number of cases to be specified. 
3.5 Module type restrictions 
There are five module types in Spec: FUNCTION, 
MACHINE, TYPE, INSTANCE, and DEFINITION. 
Any module can inherit the same type of module. 
In addition, any module can inherit a DEFINITION 
module, since such a module contains only concept 
definitions, which are compatible with all of the other 
module types. A MACHINE module or a TYPE mod- 
ule can also inherit a FUNCTION module, since ev- 
erything that can appear in a function can also ap- 
pear in a type or a machine. All other combinations 
of module types are prohibited because of potential 
incompatibilities. 
3.6 Visibility of names 
Name scoping in Spec is not affected by inheritance. 
Message names are globally visible in Spec. Spec con- 
cepts are local by default, but can be made visible 
to other modules via EXPORT and IMPORT decla- 
rations. An EXPORT declaration makes the speci- 
fied concepts visible from those modules with match- 
ing IMPORT declarations. The purpose of an IM- 
PORT declaration is to specify the location where an 
imported concept is defined. To avoid the need to fol- 
low chains of indirect references to find the definition 
of an imported concept, the Spec language does not 
allow inherited concepts to be exported by the inher- 
iting modules. For this reason, EXPORT declarations 
are not inherited. 
For example, the EXPORT declaration in Figure 2 
is not shown in Figure 3.  The module rational there- 
fore does not implicitly export the concept Transitive, 
and cannot explicitly export it. Other modules that 
want to use this concept must import it directly from 
the module equality. 
4 Using Inheritance in Requirements 
This section illustrates the use of inheritance in re- 
quirements analysis using a case study of an infor- 
mation system for a discount store. We illustrate two 
main themes: using inheritance for coordinating teams 
of analysts, and using inheritance to record design his- 
tory. We expand on the coordination aspect first. 
The initial analysis identifies the systems and inter- 





Figure 5 :  Context diagram 
decompose the requirements model into three views 
of the proposed system, as seen from the viewpoint 
of each external system. These views are defined by 
different analysts, each of whom creates and modifies 
separate sets of specification modules. These speci- 
fication modules are linked via inheritance relations, 






Figure 6: Top level specification 
parallel as shown in Figures 7 - 9. The definitions 
of various aspects of the state model are inherited by 
the external interface views because the state models 
are shared by the different interfaces as illustrated by 
the inheritance diagram shown in Figure 10. The def- 
initions of the state views are shown in Figure 11 and 
Figure 12. 
The work of different analysts interacts only be- 
cause of shared state models. The inheritance struc- 
ture makes these dependencies explicitly visible, and 
supports systematic coordination of their efforts. The 
inheritance structure also records the dependencies be- 
tween different aspects of the requirements model. In 
particular, we can see that the receiving department is 
not concerned with the cash flow aspect in the current 
version of the requirements model. 
The required coordination can be accomplished via 
policies and manual procedures, but the inheritance 
MACHINE clerk -view 
INHERIT inventory-view 
INHERIT cash-view 
MESSAGE process sale( items sold : items , 
Davment: monev) 
inventory = *inventory - itemssold, 
cash = *cash + payment - change 
END 
Figure 7: Specification of clerk view 
MACHINE customerservice-view 
INHERIT inventory -view 
INHERIT cash-view 
MESSAGE processreturn(itemsreturned: items, 
refund: money) 
TRANSITION 
inventory = *inventory + itemsseturned, 
cash - *cash - refund 
END 
Figure 8: Specification of customer service view 
MACHINE receiving-view 
INHERIT state-view 
INHERIT inventory -view 
MESSAGE receiveshipment(itemsreceived: items) 
TRANSITION 
inventory = *inventory + itemsreceived 
END 
Figure 9: Specification of receiving view 
structure also makes software tool support feasible. 
For example, the design entry tools can be aware of 
the special role of state models, and of which analysts 
are working on which projects. Whenever a new com- 
ponent of a state model or a change to an existing 
state model is proposed, the tools can alert the other 
designers in the team. The important part of this ap- 
proach is that the analysts do not have to examine 
each other’s work except in the situations where the 
system alerts them to do so. 
The analysts can examine the already-defined state 
views when they discover that the interface they are 
elaborating requires a new kind of state information. 
If this kind of information has already been modeled 
by some other analyst for a different purpose, the ex- 
isting structure can be shared and reused. If the ex- 
isting structure is almost but not quite appropriate, 
69 
Inventory Kl KI 
Clerk Customer Receiving 
View Service View 
View 
c , 
Discount U Store 
Figure 10: Inheritance diagram 
MACHINE inventory-view 
STATE(inventory: items) INVARIANT true 
CONCEPT items: type 
INITIALLY is-empty(inventory) 
-- A collection of items carried by the store. 
WHERE items = map{from :: upccode, to :: nat} -- The map specifies how many items of each type -- are in the inventory. 
CONCEPT upc-code: type 
-- Unique identifiers for types of items 
-- carried by the store. 
CONCEPT "+"(x y: items) VALUE(z: items) 
WHERE ALL(u: upc-code :: Z[U] = x[u] + y[u]) 
generalizations or reformulations that can cover both 
purposes. However, note that such direct communi- 
cation is required only to resolve incompatibilities. If 
the existing formulation is adequate, the second ana- 
lyst can just use the first analyst's results by adding 
an inheritance link, without disturbing the first ana- 
lyst's thought processes. This supports non-intrusive 
communication, and helps improve the efficiency of 
the analysts. 
To illustrate the use of inheritance to record design 
history, we consider the repair of a deficiency in the ini- 
tial requirements model. If we examine the clerk view, 
we can see that a sales transaction is supposed to tell 
the clerk how much change to provide, but the require- 
ments do not explain the constraints on the amount 
of chan e to be reported. The analysts considers this, 
and re3izes that information about the prices of the 
items is needed in order to formulate the requirements. 
This in turn leads to the question of where the price 
information comes from, and whether it can change. 
It is not reasonable for the price information to be 
supplied as an input by the clerk, and it is also not 
reasonable to require all prices to remain fixed. There 
fore the price information must come from the state 
model. Examining the components of the state model 
defined by all the other analysts so far, we find that 
this aspect of the problem has not yet been considered, 
and propose the new state component shown in Figure 
13. This information is used to create the refinement 
MACHINE price-view 
IMPORT upc-code FROM inventory-view 
IMPORT money FROM cash-view 
STATE(price: map{from :: upC-code, to :: money}) 
CONCEPT "-" x y: items) VALUE(z: items) INVARIANT ALL(u: upc-code :: price[u] > 0) 
-- Prices are non-negative. 
INITIALLY domain(price) = { }, 
-- Initially all prices are undefined. 
WHERE ALL[u: upc-code :: Z[U] = x[u]- y[u]) 
CONCEPT is-empty@ items) VALUE(b: boolean) default(price) = ! 
WHERE b <=> ALL(u: upc-code :: ;[U] = 0) 
END END 
Figure 11: Specification of inventory view Figure 13: Specification of price view 
MACHINE cash-view 
IMPORT Subtype FROM type 
STATE(cash: money) INVARIANT true 
INITIALLY cash = 0 
CONCEPT money: type 
WHERE Subtype(money, integer) 
END 
Figure 12: Specification of cash view 
the information provided by the tool can identify the 
other analyst working on the same aspect of the prob- 
lem, and the two can communicate directly to explore 
of the clerk view shown in Figure 14. The new version 
of the clerk view inherits the previous version. 
This modification is a consistent refinement because 
the previous version is inherited without any HIDE or 
RENAME clauses, as discussed in Section 3.2. The 
net effect of the refinement is to add a new postcon- 
dition to the REPLY. In order to formulate this new 
postcondition, it is necessary to refer to the new com- 
ponent of the state model (the price map) and to de- 
fine a new concept (the total price for a collection of 
items), as shown in Figure 13. 
The requirements model is still by no means com- 
plete. Some of the unresolved issues are how the prices 
can change, what happens if the price of an item is un- 
defined, and how the amount of a refund is related to 
prices of items. Some reasonable reactions to these 




MESSAGE processsale(itemsso1d: items, 
payment: money) 
REPLY(change: money) 
WHERE payment = 
totalprice(itemsso1d) + change 
CONCEPT total-price@ items) 
VALUE(t: money) 
WHERE t = SUM(u: upc-code :: i[u] * price[u]) 
END 
Figure 14: Specification of refined clerk view 
manager of the store, and a mechanism for updating 
prices. 
The second issue leads to a coupling between two 
components of the state model: the price should be 
defined for every item that is in stock. This restric- 
tion is a state invariant, which cannot be stated in the 
current state model structure because the inventory 
and the price are not both visible in the same module. 
A revised state model structure in which the new in- 
variant can be expressed is shown in Figure 15. The 
lnven tory Price 
View View 
lnven tory 
View Price View 
Discount 
Figure 15: Revised inheritance diagram 
diagram shows a somewhat surprising consequence of 
the analysis: the receiving department interacts with 
the price component of the model, even though it has 
nothing to do with the cash flow. The interaction 
stems from violations of the newly discovered invari- 
ant. One possible form for this interaction is to delay 
processing shipments of items that do not have prices 
defined for them, and to send a problem report me% 
sage to the manager, requesting the price to be defined 
so that the shipment can be processed. 
We do not complete the analysis of the example 
here, since our goal is to illustrate the use of inher- 
itance in requirements analysis rather than to pro- 
vide a complete explanation of our systems analysis 
procedure. Complete examples and explanations of a 
method for requirements analysis via formal specifica- 
tions and abstractions can be found in [8]. 
5 Conclusions 
Inheritance is especially useful in the context of 
specification languages. We have explained the mean- 
ing of the inheritance mechanism of the Spec lan- 
guage and have illustrated its use for view integra- 
tion and recording development history in the context 
of requirements analysis. The most important aspect 
of the Spec inheritance mechanism is its support for 
gradual refinement of requirements, by allowing inher- 
ited requirements to be further constrained. 
Some of the main issues in the design of the mech- 
anism are related to the treatment of data types and 
state variables. When combining data models, we 
have coalesced state or instance variables in cases 
where variables of the same name are inherited from 
several different parents. This interpretation is neces- 
sary to properly model interactions between decisions 
made by several analysts who are concurrently refinin 
different but partially overlapping views (projections! 
of a requirements specification for a complex software 
system. 
For example, updates to state variables visible in a 
view can affect other views that read those state vari- 
ables. When state variables from different views are 
merged, the constraints on them are combined. Thus 
the type of a merged state variable must be the great- 
est common subtype of all the inherited versions, and 
the merged data invariant must be the conjunction of 
all the inherited invariants. Logical dependencies be- 
tween aspects of the system that were thought to be 
independent can be discovered via this mechanism, as 
illustrated in the previous section. 
Similar considerations apply to output variables 
and postconditions, but not to preconditions. The 
type signatures of the input variables serve to iden- 
tify overloaded variants of stimuli, and preconditions 
serve to identify disjoint cases in the required response 
behaviors. 
Inheritance can be formulated on semantic grounds, 
so that the boundaries between specification mod- 
ules are almost transparent to the process. This al- 
lows the specifications to be factored and reorganized 
freely. Such reorganization is necessary to keep a com- 
plex specification humanly understandable, because 
the analysts rarely have sufficient insight to organize 
the specification in exactly the right way when they 
first start the analysis. After the analysis is complete, 
the shape of the problem domain becomes apparent, 
and with the benefit of hindsight, it becomes possible 
to impose a rational structure on the specification. 
71 
The one exception to this transparency is the treat- 
ment of name scoping via the import/export mecha- 
nism. In order to simplify the necessary support en- 
vironment for the language, and to enable analysts to 
read printed specifications without resorting to me- 
chanical aid, we have required that non-local refer- 
ences to defined symbols refer to the physical location 
of the definition, and have not allowed modules to ex- 
port inherited definitions. This rules out chains of in- 
direct references and reduces the need for page flipping 
when reading a large specification. This amounts to 
simplifying the tools for browsing a specification at the 
expense of complicating the tools for reorganizing the 
specification. We believe this is appropriate because 
specifications will be read much more frequently than 
they are reorganized, especially in the context of large 
projects and large development teams. 
We have defined the Spec inheritance mechanism 90 
that it supports multiple inheritance and gradual re- 
finement. We have been able to afford clean semantics 
that is convenient for the users because combining con- 
straints on specifications is much easier than combin- 
ing constraints on algorithms code merging). A useful 
guage processor as well as providing convenience to 
the users of the language. 
Combining logical postconditions is relatively easy: 
all it takes is forming the proper conjunctions and 
computing the greatest common subtypes of the signa- 
tures. Performing the corresponding transformations 
on algorithms that realize the specifications is consid- 
erably more difficult. Some results on merging differ- 
ent versions of code can be found in [3,15,6]. Since the 
process of merging programs is not yet well understood 
in the general case, multiple inheritance mechanisms 
in some programming languages have been subjected 
to implementation restrictions that complicate the se- 
mantics. 
We believe that it is preferable to report conflicts in 
cases where it is not possible to produce merged code 
corresponding to the semantics of the merged speci- 
fications, rather than to produce code with behavior 
that is hard to predict. A conservative practical design 
can report a conflict whenever two different algorithms 
for the same message must be merged if more power- 
ful code merging techniques are not available to the 
compiler writers. 
inheritance mechanism must b e realizable by the lan- 
References 
[l] V. Berzins and M. Gray, “Analysis and Design in 
MSG.84: Formalizing Functional SDecifications” . 
IEEE Trans. on Sofiware Eng. SE-11, 8 (Aug: 
1985), 657-670. 
[2] V. Berzins, M. Gray and D. Naumann, “Ab- 
straction-Based Software Development”, Comm. 
of ihe ACM 29, 5 (May 1986), 402-415. 
[3] V. Berzins, “On Merging Software Extensions”, 
Acta Informatica 23, Fasc. 6 (Nov. 1986), 607- 
619. 
[4] V. Berzins and Luqi, The Semantics of Inheri- 
tance in Spec, NPS 52-87-032, Computer Sci- 
ence, Naval Postgraduate School, 1987. 
[5] V. Berzins and Luqi, “An Introduction to the 
Specification Language Spec”, IEEE Software, 
March, 1990, 74-84. 
[6] V. Berzins, “Software Merge: Models and Meth- 
ods” , International Journal on Systems Integra- 
tion l ,  2 (Aug. 1991), 121-141. 
[7] V. Berzins, “Black-Box Specification in Spec”, 
Computer Languages 16, 2 (1991), 113-127. 
[8] V. Berzins and Luqi, Software Engineering with 
Abstractions, Addison-Wesley, 1991. 
[9] G. Birtwistle, 0. Dahl, B. Myrhau and K. Ny- 
gaard, Simula Begin, Auerbach Pubyishers, 1973. 
[lo] M. Broy, “Transformational Semantics for Con- 
current Programs”, Inf. Proc. Letters 11, 2 (Oct. 
1980), 87-91. 
[ll] M. Broy, M. Wirsing and P. Pepper, “On the Al- 
gebraic Definition of Programming Languages”, 
Trans. Prog. Lang and Systems 9, 1 (Jan. 1987), 
54-99. 
[12] G. DePasquale, “Design and Implementation of 
Module Driver and Output Analyzer Generator”, 
M. S. Thesis, Computer Science, Naval Postgrad- 
uate School, Monterey, CA, June 1990. 
[ 131 J .  A. Goguen, “Parameterized Programming”, 
IEEE B a n s .  on Software Eng. SE-10, 5 (Sep. 
[14] A. Goldberg and D. Robinson, Smalltalk-80: The 
Language and its Implementation, Addison Wes- 
ley, Reading, MA, 1983. 
1984), 528-543. 
[15] S. Horowitz, J .  Prins and T .  Reps, “Integrating 
Non-Interfering Versions of Programs”, B a n s .  
Prog. Lang and Systems 11, 3 (July 1989), 345- 
387. 
[16] M. Ketabchi and V. Berzins, “The Theory and 
Practice of Representing and Managing the Re- 
finements, Alternatives, and Versions of Compos- 
ite Objects”, Tech. Rep. 85-40, Computer Sci- 
ence Department, University of Minnesota, 1985. 
[17] R. Kopas, “The Design and Implementation of 
a Specification Language Type Checker”, M. S. 
Thesis, Computer Science, Naval Postgraduate 
School, Monterey, CA, June 1989. 
[18] R. Kopas and V. Berzins, “The Design and Im- 
plementation of a Specification Language Type 
Checker”, Proc. of the Hawaii Iniernational Con- 
ference on System Sciences, Jan. 1990. 
12 
[19] Luqi, V. Bereins and R. Yeh, “A Prototyping 
Lan uage for Real-Time Software”, IEEE Dans .  
on .!?oftware Eng. 14, 10 (October, 1988), 1409- 
1423. 
[20] Luqi, “A Graph Model for Software Evolution”, 
IEEE f ians .  on Software Eng. 16,8 (Aug. 1990), 
[21] B. Meyer, “Eiffel: Programming for Reusabil- 
ity and Extensibility”, SIGPLAN Notices Notices 
22, 2 (Feb. 1987), 85-94. 
9 17-927. 
