Protective Interface Speci cations 1

The interface speciication of a procedure describes the procedure's behavior using pre-and postconditions. These pre-and postconditions are written using various functions. If some of these functions are partial, or underspec-iied, then the procedure speciication may not be well-deened. We show how to write pre-and postcondition speciications that avoid such problems, by having the precondition \protect" the postcondition from the eeects of partiality and underspeciication. We formalize the notion of protection from partiality in the context of speciication languages like VDM-SL and COLD-K. We also formalize the notion of protection from underspeciication for the Larch family of speciication languages, and for Larch show how one can prove that a procedure speciication is protected from the eeects of underspeciication. 1. The Problem This paper seeks to explain and precisely deene properties of \good" procedure speciications. These properties say when the precondition of a procedure spec-iication protects the postcondition from partiality or underspeciication in the vocabulary used in the speciication. While we will precisely deene protection for formal speciications, it can be applied and used in even informal speciications (with, of course, less precision).