The interface specification of a procedure describes the procedure's behavior using pre- and postconditions. These pre- and postconditions are written using various functions. If some of these functions are partial, or underspecified, then the procedure specification may not be well-defined. We show how to write pre- and postcondition specifications that avoid such problems, by having the precondition "protect" the postcondition from the effects of partiality and underspecification. We formalize the notion of protection from partiality in the context of specification languages like VDM-SL and COLD-K. We also formalize the notion of protection from underspecification for the Larch family of specification languages, and for Larch show how one can prove that a procedure specification is protected from the effects of underspecification.
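The following is an added illustration, not code from the paper, of the two notions the abstract names. It models a `pop` procedure on a stack: partial functions (VDM-SL/COLD-K style `hd`/`tl`, undefined on the empty sequence) are represented by raising `Undefined`, and an underspecified total function (Larch style: `hd` of the empty sequence has some value, but which one is left open) is represented by a parameter that fixes an interpretation. The names (`pre_protected`, `post_partial`, `partiality_violations`, and so on), the finite sample domain, and the use of Python predicates instead of a real specification language are all assumptions made for the example.

```python
import itertools


class Undefined(Exception):
    """Raised when a partial function is applied outside its domain."""


# Partial functions (VDM-SL/COLD-K style): no value outside the domain.
def hd(xs):
    """Head of a sequence; undefined on the empty sequence."""
    if not xs:
        raise Undefined("hd of empty sequence")
    return xs[0]


def tl(xs):
    """Tail of a sequence; undefined on the empty sequence."""
    if not xs:
        raise Undefined("tl of empty sequence")
    return xs[1:]


# Underspecified function (Larch style): total, but the value on the empty
# sequence is left open; `interp` stands for one possible interpretation.
def hd_under(xs, interp):
    return xs[0] if xs else interp


# Specification of pop(s) -> (s_new, result).  The unprotected precondition
# says nothing; the protected one guarantees the arguments of hd/tl are in
# their domain, so the postcondition is always defined/determined.
def pre_unprotected(s):
    return True


def pre_protected(s):
    return len(s) > 0


def post_partial(s, s_new, result):
    """Postcondition written with the partial hd and tl."""
    return result == hd(s) and s_new == tl(s)


def post_under(s, s_new, result, interp):
    """Postcondition written with the underspecified total hd.
    s[1:] is total in Python, so only hd contributes underspecification."""
    return result == hd_under(s, interp) and s_new == s[1:]


# Constructed finite sample domain: stacks over {0,1} of length <= 2.
VALUES = (0, 1)
STATES = [tuple(p) for n in range(3) for p in itertools.product(VALUES, repeat=n)]


def partiality_violations(pre, post):
    """Pre-states satisfying `pre` on which `post` is undefined for some
    (post-state, result).  Empty list: `pre` protects `post` from partiality."""
    bad = []
    for s in STATES:
        if not pre(s):
            continue
        for s_new, r in itertools.product(STATES, VALUES):
            try:
                post(s, s_new, r)
            except Undefined:
                bad.append(s)
                break
    return bad


def underspec_violations(pre, post, interps=VALUES):
    """Pre-states satisfying `pre` on which the truth value of `post` depends on
    the interpretation chosen for the underspecified function.
    Empty list: `pre` protects `post` from underspecification."""
    bad = []
    for s in STATES:
        if not pre(s):
            continue
        for s_new, r in itertools.product(STATES, VALUES):
            truths = {post(s, s_new, r, i) for i in interps}
            if len(truths) > 1:
                bad.append(s)
                break
    return bad


if __name__ == "__main__":
    print("partiality, unprotected:", partiality_violations(pre_unprotected, post_partial))
    print("partiality, protected:  ", partiality_violations(pre_protected, post_partial))
    print("underspec, unprotected: ", underspec_violations(pre_unprotected, post_under))
    print("underspec, protected:   ", underspec_violations(pre_protected, post_under))
```

With the trivial precondition both checks report the empty stack `()` as the offending pre-state: `post_partial` has no value there, and the truth of `post_under` flips with the interpretation of `hd(())`. With `pre_protected` both lists are empty. Two caveats: the check is exhaustive only over the constructed finite domain (the paper's contribution is a proof obligation, not a test), and Python's `and` short-circuits, so reordering the conjuncts of a postcondition can hide a partial application from this kind of check even though the specification itself is still not well-defined.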
Keywords: Protective specifications, Specification languages, Underspecification, Partiality, Larch
Disciplines
Databases and Information Systems | Information Security