Heterogeneous formal specification based on Object-Z and statecharts: semantics and verification

Juan Pablo Gruer a,*, V. Hilaire a, A. Koukam a, P. Rovarini b

a Laboratoire Systemes et Transports, Universite de Technologie de Belfort-Montbeliard, Computer Science, Site UTBM de Belfort, 90010 Belfort Cedex, France
b Laboratorio de Inteligencia Artificial, Universidad Nacional de Tucuman, 4000 S.M. de Tucuman, Argentina

Received 22 July 2002; received in revised form 20 December 2002; accepted 23 December 2002

Abstract

This work presents a specification language, called OZS, based on two formalisms: Object-Z and statecharts. Such a specification style facilitates the modeling of systems with both reactive and functional aspects. The accent is placed on OZS semantics so as to give formal foundations to the verification and simulation of OZS models. Every OZS model has a transition system as its semantic interpretation. Untimed and timed versions of the OZS semantics are presented. Both transition system models of an OZS class can be used for verification purposes by model checking. In this work, a real-world example is treated and the resulting specification is model-checked using the Stanford Temporal Prover environment.
© 2003 Elsevier Inc. All rights reserved.

Keywords: Object-Z; Statecharts; Transition systems; Model-checking

1. Introduction

Formal specification languages and methods will come to maturity as more and more experience is gained on their application at every phase in the software design process, and if such expertise is fed back into the definition of new tools and working environments. Among the potential benefits of using formal specification languages is the possibility of exploiting the specification model to prove or deduce properties of the system under study before implementing it. Two main techniques make it possible to investigate properties of the specification: verification and simulation. Verification consists in proving or checking that the specification satisfies the properties. The satisfaction relation between specification models and the investigated properties is given a precise meaning. Properties are expressed by logical formulas, and verification establishes or rejects the fact that the specification is a semantic model of the logical formulas. Simulation and animation, although not as conclusive as verification, appear as a means for fast prototyping of the application, in order to test it against a set of predefined use cases and scenarios. Additionally, integrating temporal parameters into the simulation model associated with the specification allows for the investigation of non-functional properties, such as throughput or dependability.

The objectives of this work are first to present a specification formalism and second to assign an operational semantics to it. Additionally, this work illustrates how to use the operational semantics as a basis for verification purposes.

The specification formalism we intend to present combines two formal languages: Object-Z (Duke et al., 1995) and statecharts (Harel, 1987). Object-Z is well suited to modeling data structures and functionalities in a highly abstract fashion. Statecharts are very well adapted to the expression of reactivity. The integration of both into a single language, which we call OZS for brevity, is done syntactically and semantically. Considerable research efforts have been devoted to precisely defining languages that combine Z with some other formalism. Generally, the main objective is to extend the bare expressive capabilities of Z or Object-Z with behavioral or process-oriented features.

* Corresponding author. Tel.: +33-3-84-58-30-87; fax: +33-3-84-58-33-42. E-mail address: pablo.gruer@utbm.fr (J.P. Gruer).

The Journal of Systems and Software 70 (2004) 95–105. doi:10.1016/S0164-1212(02)00161-9. www.elsevier.com/locate/jss