On a New Notion of Partial Refinement
Formal specification techniques allow expressing idealized specifications,
which abstract from restrictions that may arise in implementations. However,
partial implementations are universal in software development due to practical
limitations. Our goal is to contribute to a method of program refinement that
allows for partial implementations. For programs with a normal and an
exceptional exit, we propose a new notion of partial refinement which allows an
implementation to terminate exceptionally if the desired results cannot be
achieved, provided the initial state is maintained. Partial refinement leads to
a systematic method of developing programs with exception handling.
Comment: In Proceedings Refine 2013, arXiv:1305.563
Semantic mutation testing
This is the pre-print version of the article. The official published version can be obtained from the link below. Copyright @ 2011 Elsevier.
Mutation testing is a powerful and flexible test technique. Traditional mutation testing makes a small change to the syntax of a description (usually a program) in order to create a mutant. A test suite is considered to be good if it distinguishes between the original description and all of the (functionally non-equivalent) mutants. These mutants can be seen as representing potential small slips and thus mutation testing aims to produce a test suite that is good at finding such slips. It has also been argued that a test suite that finds such small changes is likely to find larger changes. This paper describes a new approach to mutation testing, called semantic mutation testing. Rather than mutate the description, semantic mutation testing mutates the semantics of the language in which the description is written. The mutations of the semantics of the language represent possible misunderstandings of the description language and thus capture a different class of faults. Since the likely misunderstandings are highly context dependent, this context should be used to determine which semantic mutants should be produced. The approach is illustrated through examples with statecharts and C code. The paper also describes a semantic mutation testing tool for C and the results of experiments that investigated the nature of some semantic mutation operators for C.
Tactics From Proofs
Proof guarantees the correctness of a formal specification with respect to formal requirements, and of an implementation with respect to a specification, and so provides valuable verification methods in high integrity system development. However, proof development by hand tends to be an erudite, error-prone and seemingly interminable task.
Tactics are programs that drive theorem-provers, thus automating proof development and alleviating some of the problems mentioned above. The development of tactics for a particular application domain also extends the domain of application of the theorem-prover. An LCF-tactic is safe in that if it fails to be applicable to a particular conjecture, then it will not produce an incorrect proof.
The current construction of tactics from proofs does not yield sufficiently robust tactics. Proofs tend to be specific to the details of a specification and so are not reusable in general, e.g. the same proof may not work when the definition of a conjecture is changed. The major challenges in proof development are deciding which proof rule and instantiations to apply in order to prove a conjecture.
Discerning patterns in formal interactive proof development facilitates the construction of robust tactics that can withstand definitional changes in conjectures. Having developed an interactive proof for a conjecture, we develop the necessary abstractions of the proof steps used, to construct a tactic that can be applicable to other conjectures in that domain. By so doing we encode human expertise used in the proof development, and make proofs robust and thus generally reusable.
We apply our theory on the proofs of conjectures involving some set theory operators, and on the proof obligations that arise in the formal development of numerical specifications using the retrenchment method under the IEEE-854 floating-point standard in the PVS theorem-prover/proof-checker.
Pushouts in software architecture design
A classical approach to program derivation is to progressively extend a simple specification and then incrementally refine it to an implementation. We claim this approach is hard or impractical when reverse engineering legacy software architectures. We present a case study that shows optimizations and pushouts, in addition to refinements and extensions, are essential for practical stepwise development of complex software architectures.
NSF CCF 0724979, NSF CNS 0509338, NSF CCF 0917167, NSF DGE-1110007, FCT SFRH/BD/47800/2008, FCT UTAustin/CA/0056/200
Sound and Relaxed Behavioural Inheritance
Object-oriented (OO) inheritance establishes taxonomies of OO classes. Behavioural inheritance (BI), a strong version, emphasises substitutability: objects of child classes replace objects of their ascendant classes without any observable effect difference on the system. BI is related to data refinement, but refinement's constrictions rule out many useful OO subclassings. This paper revisits BI in the light of Z and the theory of data refinement. It studies existing solutions to this problem, criticises them, and proposes improved relaxations. The results are applicable to any OO language that supports design-by-contract (DbC). The paper's contributions include three novel BI relaxations supported by a mathematical model with proofs carried out in the Isabelle proof assistant, and an examination of BI in the DbC languages Eiffel, JML and Spec#.
Abstraction, Refinement, Enrichment
In the no longer existing South African journal Quaestiones Informaticae, "An Approach to Defining Abstractions, Refinements and Enrichments" was published by Derrick Kourie more than twenty years ago. On some occasion, about two years ago, Derrick Kourie had asked and encouraged me to review his original topics, so as to re-construct and re-present them from a different perspective. In this festschrift chapter, in honour of Derrick Kourie's 65th birthday, I outline the results of my attempt at fulfilling Derrick Kourie's collegial request. For this purpose I shall first recapitulate the key concepts of Kourie's original paper, since that paper has more or less fallen into oblivion and cannot be easily retrieved from the public domain any more. Thereafter Kourie's notions of abstraction, refinement and enrichment are re-defined in a different (more classical) theoretical framework. Finally those notions are contextualised with respect to the related notion of retrenchment developed since the mid-1990s by Banach, Poppleton, et al.
Note that the related Chapter 1 in the above-mentioned book published by Shaker Verlag contains three Figures, as well as a long list of Acknowledgments, which are OMITTED in this pre-print version.
http://www.shaker.de/shop/978-3-8440-2068-7mv201
Session Types with Arithmetic Refinements
Session types statically prescribe bidirectional communication protocols for message-passing processes. However, simple session types cannot specify properties beyond the type of exchanged messages. In this paper we extend the type system by using index refinements from linear arithmetic capturing intrinsic attributes of data structures and algorithms. We show that, despite the decidability of Presburger arithmetic, type equality and therefore also subtyping and type checking are now undecidable, which stands in contrast to analogous dependent refinement type systems from functional languages. We also present a practical, but incomplete algorithm for type equality, which we have used in our implementation of Rast, a concurrent session-typed language with arithmetic index refinements as well as ergometric and temporal types. Moreover, if necessary, the programmer can propose additional type bisimulations that are smoothly integrated into the type equality algorithm.