Is a formal specification complete ?

- Does it fully-define an actual implementation (this is overly restrictive) ?
- Does it exactly prescribe all allowable, observable behaviours ?

By `formal' we mean a machine-readable description of what is correct
or incorrect behaviour. A **complete** specification might describe all allowable
behaviours and prohibit all remaining behaviours, but most formal definitions
today are not complete in this sense. For instance, a definition that consists of
a list of safety assertions and a few liveness assertions might still allow all
sorts of behaviours that the designer knows are wrong. He can go on adding
more assertions, but when does he stop ?

One might define a 'complete specification' as one that describes all observable
behaviours. Such a specification does not restrict or prescribe the internal implementation
in **black box** terms since this is not observable.

When evaluating an assertion-based test program for an IP block, we can think of various, ad hoc, coverage metrics: e.g. What percentage of rule disjuncts (terms that are ORed) held as dominators (a term that makes the disjunction hold) on their own (without any other term in that disjunction holding) ?

Or, e.g. What percentage of reachable state space was spanned?

But there are no widely accepted such metrics in the industry, but the sytem Verilog 'cover' statement keeps statistics. »System Verilog Assertions

8: (C) 2012-17, DJ Greaves, University of Cambridge, Computer Laboratory. |