Contract-Based Design: a Temporal Logics Approach∗

1. EXTENDED ABSTRACT Contract-based design, first conceived for software specification [7] and now also applied to embedded systems (cfr. e.g., [2, 1]), structures the component properties into contracts. A contract specifies the properties assumed to be satisfied by the component environment (assumptions), and the properties guaranteed by the component in response (guarantees). There are several points supporting the idea of contract-based reasoning. The first one is that it provides a clean framework for compositional verification of global properties of a system: the contracts are used as landmarks for the proof, so that in the end it is possible to obtain the guarantee for the global property out of the proof that each of the components satisfies its contracts, and that the individual contracts entail the global property. The second is that it supports stepwise refinement, so that when a component is decomposed, the corresponding specification is decomposed at the same time, i.e. way before the behavioral descriptions are provided. The third reason is the support of component reuse: the proof of refinement holds for any component implementation satisfying the contracts of the component leaves. In the contract framework originally proposed in [6], assumptions and guarantees are specified as temporal formulas. Checking the correctness of contracts refinement is supported by generating a set of sufficient and necessary conditions. These proof obligations are temporal logic formulas obtained from assumptions and guarantees, so that they are valid if and only if the contracts refinement