D. Gries and F. B. Schneider. Avoiding the undefined by underspecification. In Computer Science Today, volume 1000 of LNCS, pages 366--373. SpringerVerlag, 1995.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....an exception or an error. Another source of undefinedness is the use of JML specific specification constructs that are not executable (e.g. informal descriptions) The JML semantics for undefinedness is to substitute an arbitrary expressible value of the correct type for an undefined expression [56] [67] 89, Section 3.1] 93] 94] The challenge is to make the runtime assertion checker s handling of undefinedness faithful to the semantics of JML, yet at the same time in such a way as to benefit the programmers (e.g. catching more potential errors) Quantified expressions: JML has ....

....of view, this has the e#ect of checking pre state assertions in the pre state and post state assertions in the post state. 1.4. 3 Local Contextual Interpretation The JML semantics for undefinedness is to substitute an arbitrary expressible value of the correct type for an undefined expression [56] [89, Section 3.1] My approach is called a local contextual interpretation, and the motivation is to detect as many assertion violations as possible while preserving the standard rules of logic. The various causes of undefinedness are classified into two groups: demonic undefinedness and angelic ....

[Article contains additional citation context not shown here]

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, NY, 1995.

....For example, when one divides an integer by 0, the expression throws an ArithmeticException. Exceptions may also be thrown by methods called from within specification expressions. Specification languages have adopted several di#erent approaches to dealing with undefinedness in expressions [4,32]. We wanted a semantics that would not be surprising to either Java programmers or to those doing formal verification. Typically, a Java programmer would try to write the specification in a way that protects the meaning of the expression against any source of undefinedness [62] This can be ....

....are not protective. Hence, the semantics of JML does not rely on the programmer writing protective specifications but, instead, ensures that every expression has some value. To do this, we adopted the underspecified total functions approach favored in the calculational style of formal methods [31,32]. That is, an expression that would not have a value in Java is given an arbitrary, but unspecified, value. For example, num 0 has some integer value, although this approach does not say what the value is, only that it must be uniformly substituted in any surrounding expression. In JML all ....

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, NY, 1995.

....pair of angle brackets. The square brackets can be ignored in Section 1; they will be explained in Section 2. 1.1. Gries s and Schneider s logic Recently Gries and Schneider gave the issue of logics for partial functions a new direction: they suggested a calculational logic for partial functions [13, 14]. The original calculational logic was designed by Dijkstra and Scholten [1] Gries and Schneider [2] Feijen, van Gasteren, and others. But in its original form, calculational logic is intended for total functions only. Program semantics being defined by means of weakest preconditions in [1] ....

....Law of the Excluded Middle, associativity of equivalence and Identity of Equivalence. Hence those logics do not meet our requirement for a calculational logic. 1.4. Bijlsma s approach We will not repeat Gries s and Schneider s discussion of still other approaches to handling partial functions [13, 14]. We pick out only one approach that is particularly interesting in regard to calculational logic. In [5] Bijlsma gives a model of evaluation of formulae with undefined terms, which satisfies all laws of propositional logic. It is particularly elegant that the model is defined in such a way that ....

[Article contains additional citation context not shown here]

Gries, D. and Schneider, F. B. (1995) Avoiding the Undefined by Underspecification. Technical Report TR 951520, Department of Computer Science, Cornell University.

....formulas. In this paper we consider what protection means with respect to partiality and underspecification. Our treatment of protection is not meant to be exhaustive, but merely to illustrate concepts that are useful with some logics that are widely used for formal specification. See [CJ90, GS95] for surveys that also cover additional kinds of logics that might be used in formal specification, and hence might need their own concepts of protection. Also PVS [ORSvH95] represents another kind of specification logic that should be considered in extending our concepts. The first concept of ....

....similar concepts [Bij90, Bli91, SKT95, KTB91, WDC 95] The second concept of protection we discuss is appropriate for BISLs that use a logic that does not admit the existence of partial functions, but uses underspecification. In such a logic, one avoids specifying a value for undefined terms [GS95, Jon95] In this approach, to make a term undefined one simply does not specify its value; hence it will not be possible to prove anything about such a term. This kind of logic is used in the Larch Shared Language, LSL [GHG 93, Chapter 4] GHM90] which is the mathematical component of the ....

[Article contains additional citation context not shown here]

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

....and Underspecification Any method for specifying and verifying computer programs has to deal with partial functions. Our explanation of this problem reviews a recent article by C. Jones [13] Since the use of underspecification as a solution to this problem has been advocated by others [9], our point, in this review, is the need for ways to: ffl document what is intended to be completely defined (or, conversely, underspecified) and ffl prevent underspecification from having unintended consequences. 1.1 Background A partial function is a function that does not give a value ....

.... partiality in reasoning is to use a specialized logic, for example, one with three logical values and two kinds of equality [1] However, because all such logics either do not satisfy standard logical laws or are not compositional, such logics are subtle, and thus more difficult to use and teach [9]. More importantly, if one uses informal reasoning and informal specifications, as is common in real software projects, then there is no hope of using such a specialized logic. We agree with Gries and Schneider [9] that the best approach to dealing with partiality is to use underspecification. ....

[Article contains additional citation context not shown here]

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

....are not in scope [24, Section 11.3] The modifies clause gives considerable notational abbreviation, because it asserts that all objects not mentioned retain their values. 5. 1 Trashing In the Larch family, predicates use the logic of the Larch Shared Language, which is a logic of total functions [12, 23]. In such a logic, the pre and post states, which are modeled by functions, will return proper values for objects that are not allocated or that are not assigned a proper value. To avoid ill defined specifications, it is important that a specification written in such a logic ensures that whenever ....

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366-- 373. Springer-Verlag, New York, N.Y., 1995.

....and Underspecification Any method for specifying and verifying computer programs has to deal with partial functions. Our explanation of this problem reviews a recent article by C. Jones [13] Since the use of underspecification as a solution to this problem has been advocated by others [9], our point, in this review, is the need for ways to: ffl document what is intended to be completely defined (or, conversely, underspecified) and Leavens s work was supported in part by NSF grant CCR 9593168. y Wing s research is sponsored by the Wright Laboratory, Aeronautical Systems ....

.... partiality in reasoning is to use a specialized logic, for example, one with three logical values and two kinds of equality [1] However, because all such logics either do not satisfy standard logical laws or are not compositional, such logics are subtle, and thus more difficult to use and teach [9]. More importantly, if one uses informal reasoning and informal specifications, as is common in real software projects, then there is no hope of using such a specialized logic. We agree with Gries and Schneider [9] that the best approach to dealing with partiality is to use underspecification. ....

[Article contains additional citation context not shown here]

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

....Consequently, f is, in general, not equal to f : fff 1 Theta Delta Delta Delta Theta ff n g ffig. Another partial function is the vector constructor, which accepts only tuples of homogeneously typed arguments. Calculation with partial functions is addressed by Gries and Schneider [11], and we follow their approach. However, when stating laws, we tacitly drop hypotheses requiring equal length or homogeneity of types of the arguments whenever these constraints can be easily derived from the context. Below we denote multiple lifting of a function f by f (n ) f (n Gamma1 ) ....

D. Gries and F. B. Schneider. Avoiding the undefined by underspecification. In J. van Leeuwen, editor, Computer Science Today, LNCS 1000, pp. 366--373. Springer, 1996.

....such formulas. In this paper we consider what protection means with respect to partiality and underspecification. Our treatment of protection is not meant to be exhaustive, but merely to illustrate concepts that are useful with some logics that are widely used for formal specification. See [8, 14] for surveys that also cover additional kinds of logics that might be used in formal specification, and hence might need their own concepts of protection. Also PVS [25] represents another kind of specification logic that should be considered in extending our concepts. The first concept of ....

....other languages with similar concepts [4, 6, 27, 21, 29] The second concept of protection we discuss is appropriate for BISLs that use a logic that does not admit the existence of partial functions, but uses underspecification. In such a logic, one avoids specifying a value for undefined terms [14, 18]. In this approach, to make a term undefined one simply does not specify its value; hence it will not be possible to prove anything about such a term. This kind of logic is used in the Larch Shared Language, LSL [15, Chapter 4] 16] which is the mathematical component of the Larch family BISLs ....

[Article contains additional citation context not shown here]

D. Gries and F. B. Schneider. Avoiding the undefined by underspecification. In J. van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

....are not in scope [35, Section 11.3] The modifies clause gives considerable notational abbreviation, because it asserts that all objects not mentioned retain their values. 4. 1 Trashing In the Larch family, predicates use the logic of the Larch Shared Language, which is a logic of total functions [20, 33]. In such a logic, the pre and poststates, which are modeled by functions, will return proper values for objects that are not allocated or that are not assigned a proper value. To avoid illdefined specifications, it is important that a specification written in such a logic ensures that whenever ....

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

....such formulas. In this paper we consider what protection means with respect to partiality and underspecification. Our treatment of protection is not meant to be exhaustive, but merely to illustrate concepts that are useful with some logics that are widely used for formal specification. See [8, 13] for surveys that also cover additional kinds of logics that might be used in formal specification, and hence might need their own concepts of protection. Also PVS [24] represents another kind of specification logic that should be considered in extending our concepts. The first concept of ....

....other languages with similar concepts [4, 6, 26, 20, 28] The second concept of protection we discuss is appropriate for BISLs that use a logic that does not admit the existence of partial functions, but uses underspecification. In such a logic, one avoids specifying a value for undefined terms [13, 17]. In this approach, to make a term undefined one simply does not specify its value; hence it will not be possible to prove what its value is. For example, the Larch family BISLs [14] use a mathematical component, LSL [14, Chapter 4] 15] which has this kind of logic. See Appendix A for more ....

[Article contains additional citation context not shown here]

D. Gries and F. B. Schneider. Avoiding the undefined by underspecification. In J. van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995. 19

....such formulas. In this paper we consider what protection means with respect to partiality and underspecification. Our treatment of protection is not meant to be exhaustive, but merely to illustrate concepts that are useful with some logics that are widely used for formal specification. See [7, 12] for surveys that also cover additional kinds of logics that might be used in formal specification, and hence might need their own concepts of protection. Also PVS [23] represents another kind of specification logic that should be considered in extending our concepts. The first concept of ....

....not. Other examples of this approach include [3, 4, 19, 26] The second concept of protection we discuss is appropriate for BISLs that use a logic that does not admit the existence of partial functions, but uses underspecification. In such a logic, one avoids specifying a value for undefined terms [12, 16]. In this approach, to make a term undefined one simply does not specify its value; hence it will not be possible to prove what its value is. For example, the Larch family BISLs [13] use a mathematical component, LSL [13, Chapter 4] 14] which has this kind of logic. See Appendix A for more ....

[Article contains additional citation context not shown here]

David Gries and Fred B. Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

No context found.

D. Gries and F. B. Schneider. Avoiding the undefined by underspecification. In Computer Science Today, volume 1000 of LNCS, pages 366--373. SpringerVerlag, 1995.

No context found.

David Gries and Fred B. Schneider. Avoiding the Undefined by Underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

No context found.

David Gries and Fred B. Schneider. Avoiding the Undefined by Underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes in Computer Science, pages 366--373. Springer-Verlag, New York, N.Y., 1995.

No context found.

Gries, D. and Schneider, F. B. 1995. Avoiding the undefined by underspecification. In Computer Science Today, J. van Leeuwen, Ed. Lecture Notes in Computer Science, vol. 1000. Springer Verlag, Berlin, 366--373.

No context found.

GS95. David Gries and Fred B Schneider. Avoiding the undefined by underspecification. In van Leeuwen [vL95], pages 366--373. GS96. David Gries and Fred B Schneider. A Logical Approach to Discrete Math. Springer-Verlag, second edition, 1996.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC