# Specification Slicing for VDM-SL

Tomohiro Oda<sup>1</sup> and Han-Myung Chang<sup>2</sup>

<sup>1</sup> Software Research Associates, Inc. (tomohiro@sra.co.jp) <sup>2</sup> Nanzan University (chang@nanzan-u.ac.jp)

Abstract. The executable specification is one of the powerful tools in lightweight formal software development. VDM-SL allows the explicit and executable definition of operations that reference and update internal state through imperative statements. While the extensive executable subset of VDM-SL enables validation and testing in the specification phase, it also brings difficulties in reading and debugging as in imperative programming. In this paper, we define specification slicing for VDM-SL based on program slicing, a technique used for debugging and maintaining program source code in implementation languages. We then present and discuss its applications. The slicer for VDM-SL is implemented on ViennaTalk and can be used on browsers and debuggers describing the VDM-SL specification.

## 1 Introduction

VDM-SL [\[2\]](#page-13-0) is a formal specification language with an extensive executable subset. A system is modelled as a collection of inter-connected modules, each of which has an internal state and operations that reference or update the internal state. Internal states and operations are defined within modules using mathematical language elements such as types, constants, and functions. Operations can be defined implicitly and abstractly by preconditions and postconditions, or explicitly and executably by imperative statements.

By executing the specification, testing techniques such as unit testing and combinatorial testing can be applied [\[1](#page-13-1)[,9\]](#page-14-0). It is also possible to validate whether the VDM-SL specification conforms to actual usage scenarios using interpreters [\[7\]](#page-14-1) or code generators [\[4\]](#page-13-2). Along with the benefits of testing and validation, defining operations using imperative statements brings the complexity of imperative programming to the specification phase. Because the execution of each statement is affected by preceding destructive assignments to variables, control structures, and calls to other operations, it is less obvious as to which part of the effect of an operation a statement contributes and in what way.

Program slicing [\[8\]](#page-14-2) is a technique to extract relevant parts of a program source based on the given slicing criterion. There are variations of program slicing techniques, and among them, we refer to static backward slicing which statically analyzes the given program source and extracts parts of the program that may affect the value of the specified variable or expression. Static backward slicing is used for debugging by narrowing the possible causes of the issue down to a slice. Slicing is also helpful in understanding imperative programs that manipulate multiple variables by separating the program into slices for each variable.

Oda and Araki proposed specification slicing, an application of the slicing technique to Z notation, a formal specification language based on the set theory and firstorder logic [\[3\]](#page-13-3). Although Z notation has a limited executable subset, it does not have imperative statements but declarations of variables and constraints on them. Slicing Z specification relies on transitive tracing of constraints on variables and it is hard to identify a minimal subset of constraints that affect possible values of a variable. On the other hand, VDM-SL has imperative statements, to which general program slicing techniques can be directly applied.

In Section [2,](#page-1-0) we define slice extraction algorithm for VDM-SL. We introduce expected applications in Section [3,](#page-8-0) and then discuss the implementation of a slicer and tools that use the slicer in ViennaTalk. Section [5](#page-13-4) concludes and explain future work.

## <span id="page-1-0"></span>2 Definition and Extraction

In this paper, we define a static backward slice, or simply a *slice* in this paper, of a specification s for a slicing criterion  $C = (o, e)$ . A slice is a subset of the AST (Abstract Syntax Tree) nodes of the specification s that may influence the value of the expression  $\in$  in the execution of the operation  $\circ$ . In Fig. [1,](#page-2-0) the slice for the return value b in the execution of the operation op2 is highlighted in cyan.

In Fig [1,](#page-2-0) the operation  $op2$  assigns the value 2 to the state variable b (Line 16), but later the variable b is overwritten in the operation call to  $op1$  (Line 11). As a result, the value of the variable  $\triangleright$  in Line 18 does not depend on the assignment statement in Line 16 and therefore Line 16 is not included in the slice. Instead, Line 11 assigns the value of  $a + x$  to the variable b, which puts the assignment statement into the slice. The state variable a referenced in Line 11 is assigned in Line 15, which is also included in the slice. In this section, the overview of the slice extraction method will be explained.

#### 2.1 Slicer

In general, backward program slicing identifies dependency among the AST nodes, and transitively follows the dependency from the slicing criterion. Our slicing algorithm uses the variables listed in Fig. [2](#page-2-1) to identify and follow the dependency. The variables criteria and toplevel are set from the slicing criterion. The variable toplevel is typed as an option type just for initialization. The variable agenda holds the dependency that the slicer is now following. At the initialization of the slicer, the variable agenda is copied from the variable criteria. The variables reads and writes store read and write accesses in the current statement, and the variable slice stores the AST nodes found in the slice so far. The variables read, writes and slice are initialized to empty.

The slicer processes the AST of the operation definition starting at the slicing criterion and in the reverse order of interpretation. At each AST statement node, the slicer executes the pseudo-code shown in Fig. [3.](#page-3-0) The slicer updates reads and writes depending on each AST node (the cases statement in the Fig [3\)](#page-3-0).

```
module Example
\mathbf{1}exports all
\overline{2}\overline{3}definitions
   state S of
4
        a:int5
6
        b: int
   init s == s = mk_S(0, 0)\mathbf{7}8
   end
\overline{9}operations
10
        op1 : int ==>( )op1(x) == b := a + x;111213
        opp2: () ==> int14
        op2() ==15
             (a := 1;b := 2;
16
17op1(1);18
             return b);end Example
19
```
<span id="page-2-0"></span>Fig. 1. An example static backward slice

```
\overline{a}1 state Slicer of
 \begin{array}{c|c} 2 & \text{criterion : set of AST} \\ 3 & \text{toplevel : IAST} \end{array}toplevel : [AST]
 4 agenda : set of AST<br>5 reads : set of AST
 5 reads : set of AST<br>6 writes : set of AS
 6 writes : set of AST<br>7 slice : set of AST
 7 \parallel slice : set of AST<br>8 init s == s = mk Slice
 8 \parallel \text{init } s == s = \text{mk\_Slicer}(\{\}, \text{nil}, \{\}, \{\}, \{\}, \{\})<br>9 end
     9 end
10 operations
11 setCriterion: AST \star set of AST ==> ()<br>12 setCriterion(o, e) ==
     setCriterion(o, e) ==13 | (criteria := e;
14 toplevel := \circ;
15 \parallel agenda := e;
16 reads := {};
17 writes := {};
18 \parallel slice := {});
```
<span id="page-2-1"></span>Fig. 2. Pseudo-code of the variables in the slicer and their initialization

 $\overline{\phantom{a}}$ 

The operation process dependency is a common procedure to check whether or not any AST node in agenda is also in writes, which means that the slicer identified a data dependency. If so, the slicer updates agenda so that the slicer retracts interests in the written nodes and the nodes in reads will be followed. The AST node is influential to the slicing criterion and therefore added to slice. In the following sections, specific processes on major kinds of AST nodes will be explained.

```
\overline{a}1 operations
2 \text{ } | process: AST ==> ()
3 \parallel process (node) ==
4 (cases node:
\begin{array}{c|c} 5 & \end{array} /* AST node specific processes */<br>6 end:
      6 end;
7
8 \text{ | process-dependentity: AST ==>} ()
9 process_dependency (node) ==
10 (let common = agenda inter writes in
11 if common \langle \rangle {}
12 then
13 \parallel (agenda := (agenda \ common) union read;
14 \parallel slice := slice union {node});
15 writes := {};
16 \parallel reads := {});
   \overline{\phantom{a}}
```
<span id="page-3-0"></span>Fig. 3. Pseudo-code of the overview of how the slicer process each AST node

#### 2.2 Pure expressions

The most expressions in VDM-SL do not change the state but may refer to state variables. An interpreter evaluates an expression by evaluating subexpressions and then computes the value of the entire expression using the values of the subexpressions. A slicer works in the other direction. Fig. [4](#page-4-0) shows a pseudo-code for binary operator expressions to be filled in as a case-alternative into the cases statement in Fig [3.](#page-3-0) The slicer adds the entire expression node into the writes variable to mean that the value of the entire expression will be computed and will be passed to the caller's context. The slicer also adds the subexpressions into the reads variable. By calling process dependency, the slicer identifies dependency and updates the slice and agenda for further slicing operations. If the expression node is in the agenda variable, the slicer then identifies the data dependency from the expression node to the subexpression. The subexpression will be added into the agenda variable. The slicer then processes subexpressions in order, and on each subexpression, the slicer will add the subexpression into the write variable. This recursion chains dependency from the expression to its subexpressions.

The recursion into subexpressions will terminate at atomic expressions such as name references and literal values. The name nodes and literal nodes under an expression are added in the caller's context, and the slicer will do nothing to process name references and literal values.

```
\overline{a}1 \parallel mk_BinExp(op, exp1, exp2) ->
2 (writes := writes union {node};<br>3 (reads := reads union {expl, exp
          3 reads := reads union {exp1, exp2};
4 process_dependency(node);<br>
process(exp2);
          process(exp2);
\begin{bmatrix} 6 \\ 7 \end{bmatrix} process(exp1)),
       7 mk_Literal(v) -> skip,
8 \parallel mk_Name(identifier) -> skip,
  \overline{\phantom{a}}
```
<span id="page-4-0"></span>Fig. 4. Pseudo-code of processing binary operator expressions

### 2.3 Assignments and pattern matchings

Assignments and pattern matchings are major sources of data dependency. Fig [5](#page-4-1) shows how a slicer finds read and write accesses in an assignment statement. In VDM-SL, the left-hand side of an assignment statement is not only a simple variable name but a state designator which may involve field references and map/sequence references. The slicer uses two utility functions var and arg expressions to extract the variable and map/sequence reference arguments. The slicer adds the variable node in the state designator var (state\_designator) to the writes variable, and also adds all arguments in the state designator (args) to the reads variable along with the righthand side expression. The slicer then identifies and follows the dependency.

 $\overline{a}$ 

```
1 || mk_Assign(state_designator, expression) ->
2 let args = elems arg_expressions(state_designator) in
3 (writes := writes union {var(state_designator)};
4 reads := reads union {expression} union args;
5 process_dependency (node);
6 for arg in reverse args do process(arg);
7 process(expression)),
 \overline{\phantom{a}}
```
<span id="page-4-1"></span>Fig. 5. Pseudo-code of processing assignment statements

Pattern matching is a prominent language feature of VDM-SL. While identifiers are presented as the left-hand side of local definitions and formal parameters of functions and/or procedures in many programming languages, VDM-SL allows rich patterns, such as set union patterns, record patterns and match value patterns, to be placed as the left-hand side of local definitions and formal parameters. Identifiers in those patterns should also be added to the writes variable. Each match value pattern, denoted by an expression enclosed by a pair of parentheses, matches to the identical value. The expressions in match value patterns influence which value the other pattern identifiers match, and therefore should be added to the reads variable. Fig [6](#page-5-0) shows the process of pattern identifier, set union patterns and match value patterns.

```
\overline{a}1 || mk_PatternIdentifier(identifier) ->
2 \parallel (writes := writes union {node};
3 process_dependency(node)),
4 mk_SetUnionPattern(pattern1, pattern2) ->
5 \parallel (writes := writes union {node};
6 \parallel reads := reads union {pattern1, pattern2};
7 | process_dependency (node);
8 process(pattern2);
9 \parallel process (pattern1)),
10 || mk_MatchValuePattern(expression) ->
11 \parallel (writes := writes union {node};
||2|| reads := reads union {expression};
13 || process_dependency (node);
14 process(expression)),
  \overline{\phantom{a}}
```
<span id="page-5-0"></span>Fig. 6. Pseudo-code of processing patterns

### 2.4 Sequential executions, branches, loops and calls

VDM-SL has statements for control structures. Fig. [7](#page-6-0) shows pseudo-code for the block statement and the if statement. A block that consists of two or more statements optionally with local variable declarations can be processed simply by processing its substatements in the reverse order. For a branch, the slicer processes all possible execution paths in a conditional statement and merges them by taking unions of agenda, reads and writes from the execution paths.

If statements in VDM-SL may have elseif clauses, which allows a chain of multiple conditionals. The pseudo-code shown in Fig. [7](#page-6-0) shows how to process a simple ifthen-else statement without elseif clauses because if statements with elseif clauses can be replaced with their equivalent if-then-else statement. In the pseudo-code, the slicer processes two paths:  $\exp r \rightarrow$  then statement and  $\exp r \rightarrow$  optional else statement, and then they are merged by taking unions. A control dependency is identified when either statement in the then or else clause changes the agenda variable. The basic idea is, that if there is a slice in one or more branches, the condition expression will also be put into the slice.

Fig. [8](#page-7-0) shows a pseudo-code for slicing while statements. The slicer first processes the conditional expression because the interpreter terminates the while loop with the

| 1  | $mk_Block$ (dcl_statement, statements) $\rightarrow$           |
|----|----------------------------------------------------------------|
| 2  | (for statement in reverse statements do process (statement);   |
| 3  | if $dcl$ statement $\leq$ nil then process( $dcl$ statement)), |
| 4  | process_dependency(node)),                                     |
| 5  | $mk_BinffStatement$ (expr, then statement, else statement) ->  |
| 6  | (dcl saved agenda : set of $AST := aqenda,$                    |
| 7  | saved reads : set of AST := reads,                             |
| 8  | saved_writes : set of AST := writes,                           |
| 9  | branch_agenda : set of AST,                                    |
| 10 | branch_reads : set of AST,                                     |
| 11 | branch writes : set of AST;                                    |
| 12 | if else_statement <> nil then process(else_statement);         |
| 13 | if agenda <> saved agenda then                                 |
| 14 | agenda := agenda $union$ {expr};                               |
| 15 | process (expr);                                                |
| 16 | $branch_aqenda := aqenda;$                                     |
| 17 | branch reads $:=$ reads;                                       |
| 18 | branch writes := writes;                                       |
| 19 | $aqenda := saved_aqenda;$                                      |
| 20 | reads $:=$ saved reads;                                        |
| 21 | writes $:=$ saved writes);                                     |
| 22 | process (then_statement);                                      |
| 23 | if agenda <> saved agenda then                                 |
| 24 | agenda := agenda $union$ {expr};                               |
| 25 | process (expression);                                          |
| 26 | agenda := agenda union branch_agenda;                          |
| 27 | reads := reads union branch_reads;                             |
| 28 | writes := writes union branch_writes),                         |
|    |                                                                |

<span id="page-6-0"></span>Fig. 7. Pseudo-code of processing sequential execution and branch

conditional expression being false. The slicer repeats processing the loop content and the conditional until the result converges. The control dependency is identified if the agenda variable changes by processing the loop content. The resulting agenda, reads and writes are union of all iterations.

```
\overline{a}1 \parallel mk WhileStatement(expr, statement) ->
2 (dcl saved_agenda : set of AST, saved_reads : set of AST,
3 || saved_writes : set of AST, branch_agenda : set of AST,
4 branch reads : set of AST, branch writes : set of AST;
5 if else_statement <> nil then process(else_statement);
6 if agenda <> saved_agenda then
7 \parallel agenda := agenda union {expr};
\begin{array}{c|c} 8 & \text{process (expr)}; \\ \hline 9 & \text{ saved aqenda} \end{array}saved_agenda := agenda;
\|10\| saved_reads := reads; saved_writes := writes;
11 | branch_agenda := agenda;
||2|| branch_reads := reads; branch_writes := writes;
13 process(statement):
14 if agenda <> saved_agenda then
15 \parallel agenda := agenda union {expr};
16 process (expr)
17 while agenda psubset branch_agenda or
18 a reads psubset branch_reads or writes <> branch_writes
19 do
20 (branch_agenda := branch_agenda union agenda;
21 branch_reads := branch_reads union reads;
22 branch_writes := branch_writes union writes;
23 \parallel saved_agenda := agenda;
24 \parallel saved reads := reads;
25 saved writes := writes;
26 process(statement);
27 if branch_agenda <> saved_agenda then
28 \parallel agenda := agenda union {expr};
29 process (expr));
30 agenda := branch_agenda;
31 \parallel reads := branch_reads;
32 writes := branch_writes),
  \overline{\phantom{a}}
```
<span id="page-7-0"></span>Fig. 8. Pseudo-code of processing while loops

In VDM-SL, an apply expression may cause a change of state when the callee is an operation. A function also may refer to a value definition which may influence the slicing criterion. A slicer traverses function definitions and operation definitions when the slicer encounters an apply expression or an operation call.

### <span id="page-8-0"></span>3 Applications

Program slicing tools have been used in debugging and maintenance to narrow the scope of the source in concern. In this section, we describe how specification slicing can help debugging and refactoring tasks.

#### 3.1 Debugging

While program code in programming languages is oriented to execution, executable specifications aim at defining important properties and organizations of functionalities. Even though explicit operations with statements can run without preconditions and postconditions, preconditions and postconditions are the main concerns of specification engineers. In this section, we start with an erroneous specification that causes a postcondition violation and find the bug using specification slicing.

```
\overline{a}1 state MemberBook of
 2 EmailBook : map Id to Email
 3 NameBook : map Id to Name
 4 NextId : Id
 5 \parallel \text{inv} mk MemberBook(emails, names, next) ==
 6 next not in set dom emails and next not in set dom names
 7 \parallel \text{init} \text{ s } == \text{ s } = \text{mk\_MemberBook} (\{ |-> \}, \{ |-> \}, \text{ 1})8 end
 9 operations
10 register : Name * [Email] ==> Id
11 | register(name, email) ==
12 \parallel \qquad 13 NextId := NextId + 1;
14 NameBook(i) := name;
15 if
16 email \langle \rangle nil
17 then
18 (i := NextId;19 \parallel NextId := NextId + 1;
20 \parallel EmailBook(i) := email);
21 return i)
22 post
23 NameBook = NameBook<sup>\sim</sup> munion { |-> name}
24 \parallel and (email = nil and EmailBook = EmailBook<sup>\sim</sup>
25 or email <> nil and
26 EmailBook = EmailBook<sup>~</sup> munion {RESULT |-> email});
   \overline{\phantom{a}}
```
<span id="page-8-1"></span>Fig. 9. Erroneous specification of MemberBook

Fig. [9](#page-8-1) shows a part of an erroneous specification of a member management system. The system issues an ID for each member and records the name and optionally an email address associated with the ID. To generate unique IDs, the system holds the NextId state variable, and the invariant (Line 5-6) states that the value of the Next Id must not be already associated with any name or email address.

The register operation accepts two arguments, name and email. The operation picks the Next  $Id$  and increments it to keep it unique (Line 12-13), and associates the name to the id (Line 14). In VDM-SL, Line 14 does not overwrite the existing map value but assigns a new map value NameBook munion  $\{i \mid -\rangle$  name. The operation then processes the email in the same manner if the argument email is not nil. Finally, the operation returns the value of id that the given name and optional email address are associated with, as postcondition (Line 22-26) asserts.



Highlighted in red: the violated assertion. Highlighted in cyan: the slice for the violated assertion.

#### <span id="page-9-0"></span>Fig. 10. Slice for the violated postcondition

When register ("John Doe", "jd@example.com") is evaluated as a test, a postcondition violation occurs. The statements in the register operation do not work as intended. The violated postcondition is shown in red in Fig. [10.](#page-9-0)

To spot the erroneous statements, slice for the violated postcondition NameBook = NameBook~ munion  ${RESULT \mapsto name}$  (shown in cyan in Fig [10\)](#page-9-0) should contain the erroneous statements. The slice should include the parts that contribute to how the name is stored. The slice looks suspicious because the condition expression of the if statement (Line 16) is included. Why the email should be involved in storing the name? In Line 9, the assignment to the local variable i is also in the slice. Yes, Line 9 modifies the return value, and therefore should be in the slice. Line 9 is erroneous because it makes the name no longer associated with the returned ID. Fig. [11](#page-10-0) shows the corrected definition of the register operation.

```
\overline{a}\begin{array}{c} 1 \\ 2 \end{array} register: Name * [Email] ==> Id<br>
register(name, email) ==
          register(name, email) ==\begin{array}{c|c}\n 3 & \text{del} : \text{Id} := \text{NextId}; \\
 4 & \text{NextId} := \text{NextId} + 1\n \end{array}\begin{array}{c|c} 4 & \text{NextId} := \text{NextId} + 1; \\ 5 & \text{NameBook(i)} := \text{name}; \end{array}NameBook(i) := name;
 6 \parallel if email \langle \rangle nil then EmailBook(i) := email;
 7 return i)
 8 post
 9 \parallel NameBook = NameBook~ munion { |-> name}
10 and (email = nil and EmailBook = EmailBook<sup>\sim</sup>
11 or email <> nil and
12 EmailBook = EmailBook<sup>~</sup> munion {RESULT |-> email});
   \overline{\phantom{a}}
```
<span id="page-10-0"></span>Fig. 11. Corrected specification of MemberBook

#### 3.2 Refactoring

The corrected register operation shown in Fig. [11](#page-10-0) does two things: (1) to generate an id, and  $(2)$  to associate name and optionally email to the id. We can look for the possibility of refactoring by splitting the operation. Fig. [12](#page-11-0) shows slices for each state variable. The slices do not overlap except Line 3, which is a simple renaming. We can safely extract a generateId operation to generate an id as shown in Fig. [13.](#page-11-1)

Slicing can also be used to eliminate dead code. The register operation in Fig. [13](#page-11-1) registers the name and optional email. Suppose that we modify the specification to register only name. We first loosen the postcondition of the register operation to NameBook = NameBook~ munion  ${RESULT} \rightarrow name$  by removing the other conjunct for EmailBook and extract the slice for the new postcondition as shown in Fig. [14.](#page-12-0) The if statement in Line 6 is no longer necessary because it does not contribute to satisfying the postcondition. Fig. [15](#page-12-1) is the result of simplification.

## 4 Discussions

Specification slicing for VDM-SL is implemented in ViennaTalk [\[5\]](#page-13-5). ViennaTalk is an IDE for VDM-SL specialized to the exploratory stage of the specification phase and is an open-source software published at github<sup>[3](#page-10-1)</sup>. The implemented slicer is embedded in VDM Refactoring Browser [\[6\]](#page-14-3) and the user can select a slicing criterion from the source and the extracted slice is shown highlighted in cyan. Fig. [1,](#page-2-0) [10,](#page-9-0) [12](#page-11-0) and [14](#page-12-0) are screenshots of the VDM Refactoring Browser showing slices. Based on the development and use of the slicer in ViennaTalk, we will discuss, in this section, specification slicing for VDM-SL from the perspectives of extraction algorithms and applications compared to program slicing.

Numerous practical programming languages allow aliasing; more than one reference to point at the same data. Aliases make data dependency analysis complex because

<span id="page-10-1"></span><sup>3</sup> <https://github.com/tomooda/ViennaTalk>



<span id="page-11-0"></span>Fig. 12. Slice for the violated postcondition

```
\overline{a}1 \parallel generateId : () ==> Id
 2 \parallel generateId() ==<br>3 (dcl id:Id
         3 (dcl id:Id := NextId;
 4 NextId := NextId + 1;
 5 return id)
 6 \vert register : Name * [Email] ==> Id<br>7 \vert register (name, email) ==
    register(name, email) ==8 \parallel let i = generateId()
\begin{array}{c|c} 9 & \text{in} \\ 10 & \end{array}(NameBook(i) := name;11 \parallel if email \langle \rangle nil then EmailBook(i) := email;
12 return i)
   \overline{\phantom{a}}
```
<span id="page-11-1"></span>Fig. 13. Refactored specification of MemberBook

```
register : Name * [Email] ==> Id
\overline{1}\overline{2}register(name, email) ==\overline{3}let i = generateId()
\overline{4}in
5
               (NameBook(i) := name;6\overline{6}if email \leftrightarrow nil then EmailBook(i) := email;
\overline{7}return i)
8 post NameBook = NameBook~ munion {RESULT \left| \rightarrow \right| name}
```
<span id="page-12-0"></span>Fig. 14. Slice for the loosen postcondition

```
\overline{a}1 \parallel \text{register} : Name ==> Id
2 \parallel \text{register(name)} = 3 \parallel \text{let} i = \text{generic}let i = generateId()
\begin{array}{c|c} 4 & \text{in} \\ 5 & \end{array}(NameBook(i) := name;6 return i)
7 \parallel \textbf{post} NameBook = NameBook<sup>\sim</sup> munion {\textbf{RESULT} |-> name}
  \overline{\phantom{a}}
```
<span id="page-12-1"></span>Fig. 15. Simplified specification of MemberBook

the extraction algorithms have to keep track of all possible aliases. For example, the following python snippet prints 10 because the two variables l1 and l2 point at the same list object and the assignment to 12 [0] also overwrites 11 [0], and therefore the slice for  $\perp$ 1 must include  $\perp$ 2 [0]=10.

 $11 = [1, 2, 3]$  $12 = 11$  $12 [0] = 10$ print (11 [0])

On the other hand, VDM-SL has so-called value semantics that compound types, such as sets, maps, sequences and records, are values, not references, in assignments and pattern matchings. The following block statement returns 1 although the statement looks similar to the Python snippet above. The absence of aliases in VDM-SL makes slicing extraction simpler than slicing for programming languages with aliases.

```
(dcl 11 : seq of nat, 12 : seq of nat;11 := [1, 2, 3]12 := 11;12 (1) := 10;return 11 (1)
```
Another significant difference from program slicing is assertions. Although many programming languages provide assertions, they are often merely used as runtime sanity checking. In VDM-SL, assertions such as invariants, preconditions and postconditions are theses of the specification; assertions declare properties that the system ought to have. Assertions and their subexpressions are major concerns of the specification engineers and therefore they can be good sources of slicing criteria. Fig. [10](#page-9-0) and Fig. [14](#page-12-0) are examples of such use of specification slicing, and slicing tools are expected to have UIs to specify an assertion or its subexpression as a slicing criterion.

## <span id="page-13-4"></span>5 Concluding Remarks

Executable definitions of operations in VDM-SL have been used for testing and validation. Specification slicing is another technique that takes benefit of executability by revealing potential dependencies among constituents. While implicit definitions of operations also reveal influences via read and write access to state variables, specification slicing on explicit operations can reveal finer granularity of influences based on the semantics of statements.

We have investigated how the slicing technique used in imperative programming contributes to formal specifications, and are looking into further other applications of specification slicing. For example, VDM-SL does not have specific features or standard tools to maintain the reusable library. We expect slicing-based tools to support extracting necessary fragments of specification from libraries and migrating the retrieved fragments into the specification at hand.

### Acknowledgements

The authors thank valuable comments by anonymous reviewers. A part of this research was supported by JSPS KAKENHI Grant Number JP 23K11058 and Nanzan University Pache Research Subsidy I-A-2 for the 2024 academic year.

### References

- <span id="page-13-1"></span>1. Larsen, P.G., Lausdahl, K., Battle, N.: Combinatorial Testing for VDM. In: Proceedings of the 2010 8th IEEE International Conference on Software Engineering and Formal Methods. pp. 278–285. SEFM '10, IEEE Computer Society, Washington, DC, USA (2010), [http:](http://dx.doi.org/10.1109/SEFM.2010.32) [//dx.doi.org/10.1109/SEFM.2010.32](http://dx.doi.org/10.1109/SEFM.2010.32), ISBN 978-0-7695-4153-2
- <span id="page-13-0"></span>2. Larsen, P.G., Lausdahl, K., Battle, N., Fitzgerald, J., Wolff, S., Sahara, S., Verhoef, M., Tran-Jørgensen, P.W.V., Oda, T.: VDM-10 Language Manual. Tech. Rep. TR-001 (2013)
- <span id="page-13-3"></span>3. Oda, T., Araki, K.: Specification slicing in formal methods of software development. In: Proceedings of 1993 IEEE 17th International Computer Software and Applications Conference COMPSAC'93. pp. 313–319 (1993)
- <span id="page-13-2"></span>4. Oda, T., Araki, K., Larsen, P.G.: Automated VDM-SL to Smalltalk Code Generators for Exploratory Modeling. In: Larsen, P.G., Plat, N., Battle, N. (eds.) The 14th Overture Workshop: Towards Analytical Tool Chains. pp. 48–62. Aarhus University, Department of Engineering, Aarhus University, Department of Engineering, Cyprus (2016)
- <span id="page-13-5"></span>5. Oda, T., Araki, K., Larsen, P.G.: A formal modeling tool for exploratory modeling in software development. IEICE Transactions on Information and Systems 100(6), 1210–1217 (2017)
- <span id="page-14-3"></span>6. Oda, T., Araki, K., Sahara, S., Chang, H.M., Gorm, P.: Refactoring for exploratory specification in vdm-sl. Proceedings of the 19th Overture Workshop pp. 21–35 (2021)
- <span id="page-14-1"></span>7. Oda, T., Yamomoto, Y., Nakakoji, K., Araki, K., Larsen, P.G.: VDM Animation for a Wider Range of Stakeholders. In: Ishikawa, F., Larsen, P.G. (eds.) Proceedings of the 13th Overture Workshop. pp. 18–32. Center for Global Research in Advanced Software Science and Engineering, National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-Ku, Tokyo, Japan (2015)
- <span id="page-14-2"></span>8. Silva, J.: A vocabulary of program slicing-based techniques. ACM computing surveys (CSUR) 44(3), 1–41 (2012)
- <span id="page-14-0"></span>9. Tran-Jørgensen, P.W.V., Nilsson, R., Lausdahl, K.: Enhancing Testing of VDM-SL Models. In: Pierce, K., Verhoef, M. (eds.) The 16th Overture Workshop. pp. 7–22. Newcastle University, School of Computing, Oxford (2018)