A spec bug is just as bad as a code bug! Declaring a system free of defects because it matches the spec is sneaky sleight-of-hand that ignores the costs of having a spec.
The actual testing value is the difference between the cost of writing and maintaining the code, and the cost of writing and maintaining the spec.
If the spec is similar in complexity to the code itself, then bugs in the spec are just as likely as bugs in the code, thus verification to spec has gained you nothing (and probably cost you a lot).