. Action systems provide a general description of reactive systems, capable of modeling terminating, aborting and infinitely repeating systems. Arbitrary sequential program statements can be used to describe the behavior of atomic actions. Action systems are used to extend program refinement methods for sequential programs to parallel and reactive system refinement. We give here a behavioral semantics of action systems in terms of execution traces, and define refinement of action systems in terms of this semantics. We give a simulation based proof rule for action system refinement in a reactive context, and illustrate the use of this rule with an example. The proof rule is complete under certain restrictions. 1 Introduction An action system describes the behavior of a parallel system in terms of the atomic actions that can take place during the execution of the system. Action systems provide a general description of reactive systems, capable of modeling systems that may or may not ter...

A lattice theoretic framework for the calculus of program refinement is presented. Specifications and program statements are combined into a single (infinitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be defined as derived notions in this language. The notion of inverse statements is defined and its use in formalizing the notion of data refinement is shown.

. In this survey paper we present some of the recent developments in the temporal formal system for the specification, verification and development of reactive programs. While the general methodology remains very much the one presented in some earlier works on the subject, such as [MP83c, MP83a, Pnu86], there have been several technical improvements and gained insights in understanding the computational model, the logic itself, the proof system and its presentation, and connections with alternative formalisms, such as finite automata. In this paper we explicate some of these improvements and extensions. The main difference between this and preceding versions is that here we consider a notion of validity for temporal formulae, which is anchored at the initial state of the computation. The paper discusses some of the consequences of this decision. Key words: Temporal Logic, Reactive Systems, Concurrent Programs, Specification, Verification, Proof System, Classification of Prtoperties, Sa...

In this paper we study the fragile base class problem. This problem occurs in open object-oriented systems employing code inheritance as an implementation reuse mechanism. System developers unaware of extensions to the system developed by its users may produce a seemingly acceptable revision of a base class which may damage its extensions. The fragile

Abstract. Action systems are used to extend program refinement methods for sequential programs, as described in the refinement calculus, to parallel and reactive system refinement. They provide a general description of reactive systems, capable of modeling terminating, possibly aborting and infinitely repeating systems. We show how to extend the action system model to refinement of modular systems. A module may export and import variables, it may provide access procedures for other modules, and it may itself access procedures of other modules. Modules may have autonomous internal activity and may execute in parallel or in sequence. Modules may be nested within each other. They may communicate by shared variables, shared actions, a generalized form of remote procedure calls and by persistent data structures. Both synchronous and asynchronous communication between modules is supported. The paper shows how a single framework can be used for both the specification of large systems, the modular decomposition of the system into smaller units and the refinement of the modules into program modules that can be described in a standard programming language and executed on standard hardware. 1

Superposition refinement enhances an algorithm by superposing one computation mechanism onto another mechanism, in a way that preserves the behavior of the original mechanism. Superposition seems to be particularly well suited to the development of parallel and distributed programs: an originally simple sequential algorithm can be extended with mechanisms that distribute control and state information to many processes, thus permitting efficient parallel execution of the algorithm. We will in this paper show how superposition of reactive systems is expressed in the refinement calculus. We illustrate the power of this method by a case study, showing how a distributed broadcasting system is derived through a sequence of superposition refinements.

Development of different parts of large software systems by separate teams, replacement of individual software parts during maintenance, and marketing of independently developed software components require behavioral interface descriptions. Interoperation and reuse are impossible without sufficient description; only abstraction leaves room for alternate implementations. Specifications that only

In this paper, we describe an approach to the design of distributed systems with B AMN. The approach is based on the action-system formalism which provides a framework for developing state-based parallel reactive systems. More specifically, we use the so-called CSP approach to action systems in which interaction between subsystems is by synchronised message passing and there is no sharing of state. We show that the abstract machines of B may be regarded as action systems and show how reactive refinement and decomposition of action systems may be applied to abstract machines. The approach fits in closely with the stepwise refinement method of B. We illustrate the approach by the abstract specification of an email service as a single machine and it's subsequent refinement into a store-and-forward network.

We study program states that are described as tuples, i.e., product state spaces. Modeling programs as predicate transformers, we define a product operator on program statements that describes the independent execution of statements on disjoint state spaces. The algebraic properties of this product operator are studied, in particular the basic monotonicity and distributivity properties that the operator has, and their applications. We also consider how to extend the state space by adding new state components, and show how this is modeled using the product operator. Finally, we show how products are useful to formulate data refinement, both as a general concept and as a technique for replacing local state components of program blocks.

We describe a prototype tool for developing programs by stepwise refinement in a weakest precondition framework, based on the HOL theorem proving system. Our work is based on a mechanisation of the refinement calculus, which is a theory of correctness preserving program transformations. We also use a tool for window inference that is part of the HOL system. Our tool permits subcomponents of a program to be refined separately, and the tool keeps track of the overall effects of each individual refinement. In particular, we show how specifications can be refined into code and how data refinements (i.e., replacing an abstract data structure with one that is more concrete) can be handled. All refinements are proved as theorems in the HOL logic, so our system is in fact a secure environment for program development. 1 Introduction Stepwise refinement is a methodology for developing programs from high-level program specifications into efficient implementations. In this approach to program dev...