SE-RESOLVE-Stack-Spec - School of Computing

Introduction to Components and Specifications Using RESOLVE
Computer Science  School of Computing  Clemson University
Murali Sitaraman
Clemson University
Overview
- Specifications provide the user-oriented cover story
- Designs address efficiency and sufficient functional completeness issues
- Specifications hide implementation-specific information
- Multiple implementations may be developed to satisfy the same specification
Languages for Formal Specification
- ANNA (and SPARK) for Ada
- JML for Java
- Larch/C++ for C++
- Spec# for C#
- …
- Eiffel
- RESOLVE
- …
- VDM
- Z
Common Principles: Data Abstraction Specification
- Specifications are contracts
- Formal; unambiguous
- Mathematical logic
- Use a combination of well-known mathematical theories and notation
- Specify mathematical models for objects
- Specify the behavior of operations using those models
Example: Use of Mathematical Theories
Concept Stack_Template(type Entry; …);
uses String_Theory;
Type Family Stack is modeled by …
Operation Push…
Operation Pop…
…
end Stack_Template;
Alternative Specification of Push Operation
Operation Push_1 (restores E: Entry; updates S: Stack);
requires |S| < Max_Depth;
ensures S = <E> o #S;
Note: Implementation needs to make a copy of the Entry E. This could be inefficient if entries are large.
Alternative Specification of Push Operation
Operation Push_2 (clears E: Entry; updates S: Stack);
requires |S| < Max_Depth;
ensures S = <#E> o #S;
Note: Implementation needs to “clear”, i.e., initialize the Entry E.
…
Alternative Specification of Push Operation
Operation Push (alters E: Entry; updates S: Stack);
requires |S| < Max_Depth;
ensures S = <#E> o #S;
Note: Implementation may change Entry E in any way, so it permits the most efficient implementations; it is the most flexible specification.
Clients have flexibility…
Operation Push (alters E: Entry; updates S: Stack);
requires |S| < Max_Depth;
ensures S = <#E> o #S;
Example code to do Push_1 (i.e., “restore” the pushed entry):
Copy(E, Temp);
Push(Temp, S);
Example code to do Push_2 (i.e., “clear” the pushed entry):
Push(E, S);
Clear(E);
Specification of Operations
Operation Push (alters E: Entry; updates S: Stack);
requires |S| < Max_Depth;
ensures S = <#E> o #S;
Operation Pop (replaces R: Entry; updates S: Stack);
requires |S| > 0;
ensures #S = <R> o S;
Operation Depth (restores S: Stack): Integer;
ensures Depth = |S|;
…
Requires and Ensures clauses
- Requirements and guarantees
- Requires clauses are preconditions
- Ensures clauses are postconditions
- Who is responsible for requires clauses?
  - Client (i.e., caller)
  - Implementer
  - Neither
  - Both
- Discussion of consequences
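The following is an added worked example, not code from the slides or from the RESOLVE project: a Python rendering of the Stack_Template operations above (Push in the flexible "alters" mode, Pop, Depth), the two client recipes from the "Clients have flexibility" slide (Copy then Push for restores semantics; Push then Clear for clears semantics), and the requires/ensures question. In design-by-contract terms the client must establish the requires clause before the call and the implementer must establish the ensures clause on return; a verified RESOLVE implementation therefore never checks |S| < Max_Depth itself. Outside a verifier, an implementation that silently trusts the caller is exactly where stack overflow and underflow bugs live, so this version checks both clauses at run time and raises ContractViolation on either side's failure. The String_Theory string is modeled as a Python tuple with the top element first; Max_Depth, Push, Pop, Depth, Copy and Clear are the slides' names, while Entry as a mutable cell, STALE, ContractViolation and the small Max_Depth value are assumptions of the example.

```python
# Added example (not from the slides or the RESOLVE project): the
# Stack_Template contract with requires/ensures checked at run time.
# Model: a Stack is a tuple <top, ..., bottom>, as in String_Theory;
# "#S" is the value of S on entry, captured before each operation.
# Assumed: Entry as a mutable cell, STALE, ContractViolation, MAX_DEPTH = 3.
from typing import Any

MAX_DEPTH = 3         # the concept's Max_Depth, kept tiny so the requires clause is easy to hit
STALE = object()      # sentinel for "the implementation may leave anything in E" (alters)


class ContractViolation(AssertionError):
    """A requires clause (caller's obligation) or ensures clause (implementer's) failed."""


class Entry:
    """Mutable cell standing in for the Entry type parameter; its initial value is None."""
    def __init__(self, value: Any = None) -> None:
        self.value = value


class Stack:
    """One implementation of the concept: an array-backed bounded stack."""
    def __init__(self) -> None:
        self._items: list = []         # stored bottom ... top

    def model(self) -> tuple:
        """The mathematical string the specification talks about, top first."""
        return tuple(reversed(self._items))


def Push(E: Entry, S: Stack) -> None:
    """Operation Push (alters E: Entry; updates S: Stack);
    requires |S| < Max_Depth;  ensures S = <#E> o #S;"""
    old_S, old_E = S.model(), E.value                    # #S, #E
    if not len(old_S) < MAX_DEPTH:                       # requires: the CLIENT must establish it;
        raise ContractViolation("Push: |S| < Max_Depth") # a verified implementation would not check
    S._items.append(E.value)     # move the value in without copying ...
    E.value = STALE              # ... and leave E in an unspecified state ("alters")
    if S.model() != (old_E,) + old_S:                    # ensures: the IMPLEMENTER's obligation
        raise ContractViolation("Push: S = <#E> o #S")


def Pop(R: Entry, S: Stack) -> None:
    """Operation Pop (replaces R: Entry; updates S: Stack);
    requires |S| > 0;  ensures #S = <R> o S;"""
    old_S = S.model()
    if not len(old_S) > 0:
        raise ContractViolation("Pop: |S| > 0")
    R.value = S._items.pop()     # "replaces": whatever R held on entry is irrelevant
    if old_S != (R.value,) + S.model():
        raise ContractViolation("Pop: #S = <R> o S")


def Depth(S: Stack) -> int:
    """Operation Depth (restores S: Stack): Integer;  ensures Depth = |S|;"""
    old_S = S.model()
    depth = len(S._items)
    if S.model() != old_S or depth != len(old_S):        # restores S; Depth = |S|
        raise ContractViolation("Depth")
    return depth


def Copy(E: Entry, Temp: Entry) -> None:
    Temp.value = E.value         # Temp becomes a copy of E: costs a copy of the entry


def Clear(E: Entry) -> None:
    E.value = None               # E gets its initial value


# The two client-side recipes from "Clients have flexibility", built on Push:
def Push_1(E: Entry, S: Stack) -> None:
    """Push with 'restores E' semantics: pay for a copy, E is unchanged."""
    Temp = Entry()
    Copy(E, Temp)
    Push(Temp, S)


def Push_2(E: Entry, S: Stack) -> None:
    """Push with 'clears E' semantics: no copy, E is reset afterwards."""
    Push(E, S)
    Clear(E)


def demo() -> dict:
    """Exercise the contract and return the observable outcomes."""
    S, a, b, c, r = Stack(), Entry("a"), Entry("b"), Entry("c"), Entry("junk")
    Push_1(a, S)                 # a is restored
    Push_2(b, S)                 # b is cleared
    Push(c, S)                   # c is altered: the caller may not rely on it
    overflow = False
    try:
        Push(Entry("d"), S)      # |S| = Max_Depth: the caller broke the requires clause
    except ContractViolation:
        overflow = True
    Pop(r, S)
    return {"a": a.value, "b": b.value, "c_altered": c.value is STALE,
            "model": S.model(), "depth": Depth(S), "popped": r.value,
            "overflow_caught": overflow}


def underflow_caught() -> bool:
    """Pop on an empty stack: the caller has violated requires |S| > 0."""
    try:
        Pop(Entry(), Stack())
    except ContractViolation:
        return True
    return False


if __name__ == "__main__":
    print(demo(), underflow_caught())
```

Run it directly to print the outcomes of demo(). The ensures checks compare S against <#E> o #S term by term, which is what catches an implementation that gets the stack order wrong, while the requires checks catch the caller. Note that the "alters" Push leaves E holding STALE: Push_2 has to call Clear itself, because the flexible specification promises nothing about E afterwards, and Push_1 pays for the copy the slides warn about.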
Understanding specifications
- Please see the tutorials at the web interface under Help on:
  - String theory notations
  - Understanding specification parameter modes
  - Understanding details of specifications
Using Reusable Components
- Users (clients) need to know only interface specifications
- Users need to supply appropriate parameters to instantiate
- Depending on the paradigm, special operations are automatically available on objects
  - Assignment in Java (e.g., S = T)
  - Swap in RESOLVE (e.g., S :=: T)
Multiple Implementations
- Alternative implementations provide the same functionality
- Provide performance trade-offs
  - time vs. space
  - average case vs. worst case
  - efficiency vs. predictability
  - some subset of methods vs. some others
- Users pick the ones best fitting their requirements when instantiating