A middle ground

• Jackson and Damon have found an interesting middle ground

• Write infinite state specs (in the style of Z)

• Use “model checking” on all instances of the specifications up to a certain size

  • Report counterexamples, if found
  • Success doesn’t guarantee that the properties hold in the specification (beyond the checked sizes)

Previous slide

Next slide

Back to first slide

View graphic version