This paper traces the important steps in the history --up to around 1990-- of research on reasoning about programs. The main focus is on sequential imperative programs but some comments are made on concurrency. Initially, researchers focussed on ways of verifying that a program satisfies its specification (or that two programs were equivalent). Over time it became clear that post facto verification is only practical for small programs and attention turned to verification methods which support the development of programs; for larger programs it is necessary to exploit a notation of compositionality. Coping with concurrent algorithms is much more challenging -- this and other extensions are considered briefly. The main thesis of this paper is that the idea of reasoning about programs has been around since they were first written; the search has been to find tractable methods.

We show how to formalise different kinds of loop constructs within the refinement calculus, and how to use this formalisation to derive general transformation rules for loop constructs. The emphasis is on using algebraic methods for reasoning about equivalence and refinement of loop constructs, rather than operational ways of reasoning about loops in terms of their execution sequences. We apply the algebraic reasoning techniques to derive a collection of transformation rules for action systems an for guarded loops. These include transformation rules that have been found important in practical program derivations: data refinement and atomicity refinement of action systems; and merging, reordering, and data refinement of loops with stuttering transitions. TUCS Research Group Programming Methodology Research Group 1 Introduction Loops in imperative programming notations are generally defined using recursion. For recursion constructs (greatest and least fixpoints) a simple algebraic th...

In the refinement calculus, program statements are modelled as predicate transformers. A product operator for predicate transformers was introduced by Martin [18] and Naumann [25] using category theoretic considerations.

views of amortization : : : : : : : : : : : : : : : : : : : 44 4 Implementation aspects 49 4.1 Functional program notation : : : : : : : : : : : : : : : : : : : : 50 4.2 Eager evaluation : : : : : : : : : : : : : : : : : : : : : : : : : : : 51 4.3 Pointer implementation of stacks : : : : : : : : : : : : : : : : : : 52 4.4 Destructivity : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 54 4.5 Queues and concatenable deques : : : : : : : : : : : : : : : : : : Contents iii 4.6 Linear usage of destructive monoalgebras : : : : : : : : : : : : : 58 4.7 Benevolent side-effects : : : : : : : : : : : : : : : : : : : : : : : : 61 5 Analysis of functional programs and algebras 63 5.1 Cost measures : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 63 5.2 Worst-case analysis : : : : : : : : : : : : : : : : : : : : : : : : : : 67 5.3 Amortized cost of functions : : : : : : : : : : : : : : : : : : : : : 69 5.4 Amortized analysis : : : : : : : : : : : : : : : : : : : : : : : : : ...

KAT (Kleene Algebra with Tests) have proved to be useful for reasoning about programs in a partial correctness framework. We describe DRA (demonic Refinement Algebra), a variation of KAT for total correctness and illustrate its modeling and reasoning power with a number of applications and examples.

We describe a tool for data refinement based on the Refinement Calculator. The tool supports the calculational approach to data refinement. As a consequence of the program calculation, a refinement theorem is automatically derived. The operation of the tool is illustrated with a case study.

We show how a parallel composition of action systems can be refined by refining the components separately, and checking noninterference against invariants and guarantee conditions, which are abstract and stable. The guarantee condition can be thought of as a very abstract specification of how a system affects the global state, and it allows us to show that an action system refinement is valid in a given environment, even if we do not know any of the details of that environment. The paper extends the traditional notion of action systems slightly, and it makes use of a generalisation of the attribute model for program variables.

. Non-determinacy is important in the formal specification and formal derivation of programs, but non-determinacy within expressions is theoretically problematical. The refinement calculus side-steps the problem by admitting non-determinacy only at the level of statements, leading to a style of programming that favours statements and procedures over expressions and functions. But expressions are easier to manipulate than statements, and the poverty of the expression notation has made the formal derivation of imperative programs tedious. Here we introduce non-deterministic expressions into the refinement calculus by constructing a weakest precondition semantics for imperative specifications and programs that holds good even when expressions may be non-deterministic. Keywords non-deterministic expressions; weakest preconditions; refinement calculus 1 Introduction Consider the little problem of making a program to compute the sign ('+' or '--') of an integer n, not caring whether '+' o...

this paper. Thus we write S(Q) for wp S (Q). In [deBa80, Ne87] the weakest precondition calculus is extended to cover partial state transformers, i.e. nonstrict (miraculous) statements. Miraculous statements are used in program refinements in [Morg88b, Ba88b]. The angelic basic statement of [Ba88c], used in data refinement, is not conjunctive but disjunctive. Thus, in going from a pure programming language to specification languages, most of the original healthiness conditions have been questioned, in order to gain expressive power and to develop calculi for program development. In this sense a specification language is truly more general than a programming language, for which all the original healthiness conditions are well motivated. The conjunctivity condition reflects the view that the nondeterminism associated with the execution of a statement is demonic, i.e. in order for a computation to be successful, all possible execution paths must lead to a successful result. Dropping the conjunctivity condition means accepting other kinds of nondeterminism. If the conjunctivity condition is replaced with a disjunctivity condition, the

We consider the notion of a contract that governs the behavior of a collection of agents. In particular, we study the question of whether a group among these agents can achieve a given goal by following the contract. We show that this can be reduced to studying the existence of winning strategies in a two-person game. We define a weakest precondition semantics for contract statements that permits us to compute the initial states from which a group of agents has a winning strategy to reach their goal. This semantics generalizes the traditional predicate transformer semantics for program statements to contracts and games. Ordinary programs and interactive programs are special kinds of contracts. A notion of correctness and refinement is introduced for contracts. Contracts are shown to form a complete lattice with respect to the refinement ordering. TUCS Research Group Programming Methodology Research Group 1 Introduction A computation can generally be seen as involving a number of ag...