A Technique for Analyzing the Effects of Changes in Formal Specifications

Formal specifications are increasingly used in modeling software systems. An important aspect of a model is its value as an analytical tool for investigating the effect of changes. This paper defines the notion of predicate differences and shows how predicate differences may be used to analyze the effects of changes in formal specifications. Predicate differences have both theoretical and practical applications. As a theoretical tool, predicate differences may be used to define a meaning for the 'size' of a change to a formal specification. Practical applications include analyzing the effect of design changes on a previously verified design; defining an affinity function for reusable software components; computing slices of formal specifications, similar to program slices; investigating the conditions under which invalid assumptions will render a system non-secure; and formalizing the database inference problem.

Formal specifications are increasingly used in verifying that a design meets critical requirements, such as safety or security. In addition to design verification, formal models are useful as analytical tools, to answer questions about how the system will behave in various circumstances. A model should also be useful for investigating the effect of changes to the design or the requirements. For example, suppose a design P is stated formally and then shown to meet the requirements specification S through a formal proof that P => S. The design may be changed from P to P', so that verifying the new design requires showing P' => S. Depending on the formulas involved, changing the value of a variable x may or may not affect the truth of the implication. In general, the values of other terms determine whether a change in the value of x will change the truth of P => S. This paper defines the notion of predicate differences and shows how predicate differences may be used to analyze the effects of changes in formal specifications. This paper extends the work described in ref. 6.

Predicate differences might be used in formal specification language tools to compute 'predicate slices' from formal specifications, similar to the program slices defined by Weiser (ref. 13). A program slice selects all lines from a program that may directly or indirectly affect the value of a particular variable at a particular point. Computing the predicate difference for a substitution in a formal specification gives the conditions under which the change makes a difference, in effect a 'slice' through the specification.

The changes considered in this paper are those made by replacing some variable x with an expression e in a predicate formula or subformula. This is denoted $P^x_e$. (The notation $P^x_e$ represents predicate P with every free occurrence of variable x replaced by expression e, with suitable renaming to prevent variable capture. The symbols &, |, ¬, => represent and, or, not, implies, respectively. The exclusive OR operation is denoted by ⊕.) In some cases, additional terms may be added to the formula. For example, suppose an invariant is A&B&C&D => S, and it is changed to G&B&C&D => S. The desired new invariant G&B&C&D => S is given by $(A \& B \& C \& D)^A_G \Rightarrow S$. When the invariant is a Boolean formula, the effect of such a change can be determined using the Boolean difference. The predicate difference, introduced in Section 3, can be used to determine the effects of changes in predicate calculus formulas. It will be helpful in discussing the predicate difference to first review the properties of the Boolean difference.
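The example below is added here to make the substitution notation and the Boolean special case of the difference concrete; it is not code from the paper. It represents propositional formulas as nested tuples (a representation chosen for this example), implements the substitution $P^x_e$, the Boolean difference f(x:=0) ⊕ f(x:=1), and the difference P ⊕ $P^x_e$ of a substitution, and then checks by exhaustive enumeration under exactly which assignments replacing A by G in the invariant A&B&C&D => S changes its truth value. The hand-derived condition B&C&D&¬S&(A⊕G) is an assumption of the example that the code verifies, not a result quoted from the paper.

```python
from itertools import product

# Propositional formulas as nested tuples (representation constructed for this example):
#   ('const', True/False), ('var', 'A'), ('not', f),
#   ('and', f, g), ('or', f, g), ('implies', f, g), ('xor', f, g)

def const(value):
    return ('const', bool(value))

def var(name):
    return ('var', name)

def neg(f):
    return ('not', f)

def conj(*fs):
    # A & B & C & ... as a left-nested chain of binary 'and' nodes
    out = fs[0]
    for g in fs[1:]:
        out = ('and', out, g)
    return out

def implies(f, g):
    return ('implies', f, g)

def xor(f, g):
    return ('xor', f, g)

def evaluate(f, env):
    """Truth value of f under the assignment env (variable name -> bool)."""
    op = f[0]
    if op == 'const':
        return f[1]
    if op == 'var':
        return env[f[1]]
    if op == 'not':
        return not evaluate(f[1], env)
    a, b = evaluate(f[1], env), evaluate(f[2], env)
    if op == 'and':
        return a and b
    if op == 'or':
        return a or b
    if op == 'implies':
        return (not a) or b
    if op == 'xor':
        return a != b
    raise ValueError(f"unknown operator {op!r}")

def variables(f):
    """Set of variable names occurring in f."""
    op = f[0]
    if op == 'const':
        return set()
    if op == 'var':
        return {f[1]}
    if op == 'not':
        return variables(f[1])
    return variables(f[1]) | variables(f[2])

def substitute(p, x, e):
    """P^x_e: p with every occurrence of variable x replaced by formula e.
    Propositional formulas have no binders, so no renaming is needed here."""
    op = p[0]
    if op == 'const':
        return p
    if op == 'var':
        return e if p[1] == x else p
    if op == 'not':
        return ('not', substitute(p[1], x, e))
    return (op, substitute(p[1], x, e), substitute(p[2], x, e))

def boolean_difference(f, x):
    """df/dx = f(x:=0) XOR f(x:=1): true where the value of x alone decides f."""
    return xor(substitute(f, x, const(False)), substitute(f, x, const(True)))

def predicate_difference(p, x, e):
    """P XOR P^x_e: true exactly under the assignments where replacing x by e
    changes the truth value of P (the propositional case of the paper's notion)."""
    return xor(p, substitute(p, x, e))

def assignments(names):
    names = sorted(names)
    for values in product([False, True], repeat=len(names)):
        yield dict(zip(names, values))

def satisfying(f):
    """All assignments over f's variables that make f true."""
    return [env for env in assignments(variables(f)) if evaluate(f, env)]

def equivalent(f, g):
    """Check f <=> g by exhaustive enumeration over the union of their variables."""
    return all(evaluate(f, env) == evaluate(g, env)
               for env in assignments(variables(f) | variables(g)))

# Worked case from the text: the invariant A & B & C & D => S, with A replaced by G.
A, B, C, D, S, G = (var(n) for n in "ABCDSG")
INVARIANT = implies(conj(A, B, C, D), S)
CHANGED = substitute(INVARIANT, 'A', G)           # G & B & C & D => S
DIFF = predicate_difference(INVARIANT, 'A', G)

# Hand-derived condition under which the change matters (an assumption checked below):
# B, C and D hold, S fails, and A and G disagree.
DIFF_CONDITION = conj(B, C, D, neg(S), xor(A, G))

if __name__ == "__main__":
    print("change matters under", len(satisfying(DIFF)), "of 64 assignments")
    print("matches hand-derived condition:", equivalent(DIFF, DIFF_CONDITION))
    print("dP/dA equivalent to B&C&D&~S:",
          equivalent(boolean_difference(INVARIANT, 'A'), conj(B, C, D, neg(S))))
```

The enumeration shows the 'slice' idea from the text in miniature: the difference is true only where B, C and D hold, S fails, and A and G disagree, so those are the only terms whose values a reviewer of the change needs to examine. The Boolean difference with respect to A, B&C&D&¬S, is the same condition with the A/G disagreement factored out.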

[1] Oscar Nierstrasz et al. Class management for software communities. CACM, 1990.

[2] David Gries et al. The Science of Programming. Texts and Monographs in Computer Science, 1981.

[3] Edsger W. Dijkstra et al. A Discipline of Programming. 1976.

[4] M. Whitney et al. Decisive differences and partial differences for stuck-at fault detection in MVL circuits. Proceedings of the Eighteenth International Symposium on Multiple-Valued Logic, 1988.

[5] I. S. Reed. Boolean Difference Calculus and Fault Finding. 1973.

[6] Peter N. Marinos. Derivation of Minimal Complete Sets of Test-Input Sequences Using Boolean Differences. IEEE Transactions on Computers, 1971.

[7] David E. Muller et al. Application of Boolean algebra to switching circuit design and to error detection. Trans. IRE Prof. Group Electron. Comput., 1954.

[8] A. Sengupta et al. Dynamic analysis of the effects access rule modifications have upon security. IEEE Transactions on Software Engineering, 1986.

[9] Sheldon B. Akers, Jr. et al. On a Theory of Boolean Functions. 1959.

[10] Irving S. Reed et al. A class of multiple-error-correcting codes and the decoding scheme. Trans. IRE Prof. Group Inf. Theory, 1954.