Animation can show only the presence of errors, never their absence

Abstract

A formal specification animator executes and interprets traces on a specification. Similar to software testing, animation can only show the presence of errors, never their absence. However, animation is a powerful means of finding errors, and it is important that we adequately exercise a specification when we animate it. The paper outlines a systematic approach to the animation of formal specifications. We demonstrate the method on a small example, and then discuss its application to a non-trivial, system-level specification. Our aim is to provide a method for planned, documented and maintainable animation of specifications, so that we can achieve a high level of coverage, evaluate the adequacy of the animation, and repeat the process at a later time.