Correctness of data structures
This is a biggie, which you’ve already seen in Z
- Showing that the implementation of the BirthdayBook satisfies the specification
- Primarily due to Hoare; figures from Wulf et al.
- Prove the specifications on the abstract operations (e.g., Pusha)
- Prove the specifications on the concrete operations (e.g., Pushc)
- Prove the relation between abstract and concrete operations via R, the representation mapping (which maps each concrete state to the abstract state it represents)

Abstract operation:   {¬full(Sa)}     Pusha(Sa, x)   {Sa = <x> || S'a}
Concrete operation:   {¬full(R(Sc))}  Pushc(Sc, x)   {R(Sc) = <x> || R(S'c)}

(Primed names, S'a and S'c, are the values before the operation; "||" is sequence concatenation. Read the concrete triple through R: pushing on the concrete stack must look, under the mapping, exactly like pushing on the abstract sequence.)
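The three proof obligations above can be exercised mechanically on a small instance before attempting the proof. The following Python is an added example, not code from the slides or from Hoare or Wulf et al.: it assumes a concrete representation (a fixed-size array plus a top index, capacity 3) and the mapping R that reads the occupied prefix back as a sequence, then checks the Push obligation by exhaustively enumerating every reachable concrete state rather than by proof. It goes one step beyond the slide by also running the same check against a deliberately wrong mapping (R_wrong, an assumed name) so you can see the obligation fail when R does not commute with Push.

```python
from dataclasses import dataclass, field

CAPACITY = 3  # bound for the concrete representation (constructed for this example)


# --- Abstract data type: a bounded stack modelled as a sequence, newest element first ---
def full_a(s_a):
    return len(s_a) >= CAPACITY


def push_a(s_a, x):
    # {not full(Sa)} Pusha(Sa, x) {Sa = <x> || S'a}: new sequence is x followed by the old one
    assert not full_a(s_a), "precondition not full(Sa) violated"
    return (x,) + tuple(s_a)


# --- Concrete data type: fixed-size array plus a count of occupied slots ---
@dataclass
class ConcreteStack:
    buf: list = field(default_factory=lambda: [None] * CAPACITY)
    top: int = 0  # number of occupied slots; buf[top - 1] is the most recent element


def full_c(s_c):
    return s_c.top >= CAPACITY


def push_c(s_c, x):
    # Functional update so the pre-state survives for comparison (S'c in the triple)
    assert not full_c(s_c), "precondition not full(R(Sc)) violated"
    new = ConcreteStack(list(s_c.buf), s_c.top)
    new.buf[new.top] = x
    new.top += 1
    return new


# --- Representation mapping R: concrete state -> abstract state ---
def R(s_c):
    # Occupied prefix of the array, reversed so the newest element comes first
    return tuple(reversed(s_c.buf[: s_c.top]))


def R_wrong(s_c):
    # Assumed faulty mapping: forgets to reverse, so it disagrees with Pusha on order
    return tuple(s_c.buf[: s_c.top])


def check_push_refines(s_c, x, rep=R):
    """Push obligation at one concrete state: whenever not full(rep(Sc)),
    rep(Pushc(Sc, x)) must equal <x> || rep(Sc)."""
    if full_a(rep(s_c)):
        return True  # precondition false, nothing to show at this state
    return rep(push_c(s_c, x)) == push_a(rep(s_c), x)


def check_full_agrees(s_c, rep=R):
    """The predicate full must mean the same thing on both sides of R."""
    return full_a(rep(s_c)) == full_c(s_c)


def reachable_states(values):
    """Every concrete state reachable from the empty stack by pushing `values`."""
    start = ConcreteStack()
    states, frontier = [start], [start]
    while frontier:
        s = frontier.pop()
        if full_c(s):
            continue
        for v in values:
            n = push_c(s, v)
            states.append(n)
            frontier.append(n)
    return states


def check_all_states(values=(1, 2), rep=R):
    """Exhaustive check of both obligations over all reachable states."""
    states = reachable_states(values)
    return all(check_full_agrees(s, rep) for s in states) and all(
        check_push_refines(s, v, rep) for s in states for v in values
    )


if __name__ == "__main__":
    print("R commutes with Push:", check_all_states())               # True
    print("R_wrong commutes with Push:", check_all_states(rep=R_wrong))  # False
```

The enumeration is a sanity check, not the proof the slide asks for: it only covers states reachable within the chosen bound. What it does show is the shape of the obligation, namely that R must carry each concrete pre-state and post-state to abstract states related exactly as Pusha's specification demands, and that an R which gets the order wrong is caught as soon as a second element is pushed.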