Refinement Calculus, Part I: Sequential Nondeterministic Programs
In: Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness. Proceedings, Lecture Notes in Computer Science vol. 430, 1989
A lattice theoretic framework for the calculus of program refinement is presented. Specifications and program statements are combined into a single (infinitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be defined as derived notions in this language. The notion of inverse statements is defined and its use in formalizing the notion of data refinement is shown.
A Study of The Fragile Base Class Problem
In: European Conference on Object-Oriented Programming, 1998
In this paper we study the fragile base class problem. This problem occurs in open object-oriented systems employing code inheritance as an implementation reuse mechanism. System developers unaware of extensions to the system developed by its users may produce a seemingly acceptable revision of a base class which may damage its extensions. The fragile
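The mechanism the abstract describes, as an added Python example (not code from the paper): a base class revised between two releases, and an extension written against the first release whose guard is silently bypassed by the second, because the revision changes which methods the base class calls on itself. The class names, the capacity limit and the `fill` helper are assumptions made for the illustration.

```python
"""Fragile base class problem (added example, not from the paper).

BagV1 is the base class the extension was written against: add_all() is
implemented by calling self.add(), so an override of add() also guards bulk
insertion. BagV2 is a later revision with the same interface whose add_all()
no longer goes through add(). The extension's guard is then bypassed.
Class names, the capacity limit and the helper are assumptions of the example.
"""


class BagV1:
    """Base class, revision 1: add_all() delegates to add()."""

    def __init__(self):
        self._items = []

    def add(self, item):
        self._items.append(item)

    def add_all(self, items):
        for item in items:
            self.add(item)          # self-call: reaches an overriding add()

    def __len__(self):
        return len(self._items)


class BagV2(BagV1):
    """Base class, revision 2: same interface, add_all() bypasses add()."""

    def add_all(self, items):
        self._items.extend(items)   # 'optimisation' that drops the self-call


def bounded(base):
    """Extension written against revision 1: a capacity check in add() only."""

    class BoundedBag(base):
        CAPACITY = 3                # assumed limit for the illustration

        def add(self, item):
            if len(self) >= self.CAPACITY:
                raise OverflowError("capacity exceeded")
            super().add(item)

    return BoundedBag


def hardened(base):
    """Extension that does not rely on the base's internal call structure:
    every public mutator is overridden and funnelled through the guard."""

    class HardenedBoundedBag(bounded(base)):
        def add_all(self, items):
            for item in items:
                self.add(item)

    return HardenedBoundedBag


def fill(cls, items):
    """Bulk-insert items into a fresh cls(); return (final size, guard fired)."""
    bag = cls()
    try:
        bag.add_all(items)
    except OverflowError:
        return len(bag), True
    return len(bag), False


if __name__ == "__main__":
    print(fill(bounded(BagV1), range(5)))    # (3, True): guard holds
    print(fill(bounded(BagV2), range(5)))    # (5, False): revision bypassed it
    print(fill(hardened(BagV2), range(5)))   # (3, True): guard restored
```

The extension passes every test against revision 1 and silently over-fills against revision 2; nothing in the base class's interface changed, only its self-call pattern. The hardened variant illustrates the usual defence when the call-through behaviour of the base is not part of its documented contract: override every public entry point rather than trusting which ones the base routes through the guarded method.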
The Greybox Approach: When Blackbox Specifications Hide Too Much
1999
Development of different parts of large software systems by separate teams, replacement of individual software parts during maintenance, and marketing of independently developed software components require behavioral interface descriptions. Interoperation and reuse are impossible without sufficient description; only abstraction leaves room for alternate implementations. Specifications that only
Program Refinement by Theorem Prover
In: BCS FACS Sixth Refinement Workshop: Theory and Practise of Formal Software Development, 5th-7th January 1994
We describe a prototype tool for developing programs by stepwise refinement in a weakest precondition framework, based on the HOL theorem proving system. Our work is based on a mechanisation of the refinement calculus, which is a theory of correctness preserving program transformations. We also use a tool for window inference that is part of the HOL system. Our tool permits subcomponents of a program to be refined separately, and the tool keeps track of the overall effects of each individual refinement. In particular, we show how specifications can be refined into code and how data refinements (i.e., replacing an abstract data structure with one that is more concrete) can be handled. All refinements are proved as theorems in the HOL logic, so our system is in fact a secure environment for program development.
1 Introduction
Stepwise refinement is a methodology for developing programs from high-level program specifications into efficient implementations. In this approach to program dev...
Class Refinement as Semantics of Correct Object Substitutability
Formal Aspects of Computing
Subtype polymorphism, based on syntactic conformance of objects' methods and used for substituting subtype objects for supertype objects, is a characteristic feature of the object-oriented programming style. While certainly very useful, typechecking of syntactic conformance of subtype objects to supertype objects is insufficient to guarantee correctness of object substitutability. In addition, the behaviour of subtype objects must be constrained to achieve correctness. In class-based systems classes specify the behaviour of the objects they instantiate. In this paper we define the class refinement relation which captures the semantic constraints that must be imposed on classes to guarantee correctness of substitutability in all clients of the objects these classes instantiate. Clients of class instances are modelled as programs making an iterative choice over invocation of class methods, and we formally prove that when a class C' refines a class C, substituting instances of C' for instances of C is refinement for the clients.
A Tool for Data Refinement
1997
We describe a tool for data refinement based on the Refinement Calculator. The tool supports the calculational approach to data refinement. As a consequence of the program calculation, a refinement theorem is automatically derived. The operation of the tool is illustrated with a case study.
Combining Angels, Demons and Miracles in Program Specifications
Theoretical Computer Science, 1989
this paper. Thus we write S(Q) for wp_S(Q). In [deBa80, Ne87] the weakest precondition calculus is extended to cover partial state transformers, i.e. nonstrict (miraculous) statements. Miraculous statements are used in program refinements in [Morg88b, Ba88b]. The angelic basic statement of [Ba88c], used in data refinement, is not conjunctive but disjunctive. Thus, in going from a pure programming language to specification languages, most of the original healthiness conditions have been questioned, in order to gain expressive power and to develop calculi for program development. In this sense a specification language is truly more general than a programming language, for which all the original healthiness conditions are well motivated. The conjunctivity condition reflects the view that the nondeterminism associated with the execution of a statement is demonic, i.e. in order for a computation to be successful, all possible execution paths must lead to a successful result. Dropping the conjunctivity condition means accepting other kinds of nondeterminism. If the conjunctivity condition is replaced with a disjunctivity condition, the
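To make the lattice-theoretic framework of "Refinement Calculus, Part I" and the healthiness conditions discussed in the excerpt above concrete, here is an added Python example (not code from either paper, nor from the class-refinement paper whose refinement ordering it also exercises). It models statements as predicate transformers over a constructed six-state space, builds assignment, assertion, assumption, sequential composition, demonic and angelic choice, magic and abort, and checks monotonicity, conjunctivity, disjunctivity, strictness and the refinement ordering by exhaustive enumeration rather than by hand. The state space, the `EVEN` predicate and the sample statements are assumptions of the example.

```python
"""Predicate-transformer semantics over a finite state space (added example).

A state is an integer x in 0..5, a predicate is a frozenset of states, and a
statement S is a function mapping a postcondition Q to wp_S(Q). Everything is
enumerated exhaustively, so the healthiness conditions and the refinement
ordering can be checked rather than asserted. The state space and the sample
statements are assumptions made for the illustration.
"""
from itertools import product

STATES = frozenset(range(6))            # assumed state space: x in 0..5
TRUE = STATES                           # the predicate true (all states)
FALSE = frozenset()                     # the predicate false (no states)
EVEN = frozenset(x for x in STATES if x % 2 == 0)


def assign(f):
    """x := f(x):  wp(Q) = {s | f(s) in Q}.  f must map STATES into STATES."""
    return lambda q: frozenset(s for s in STATES if f(s) in q)


def assert_(p):
    """Assertion {p}: wp(Q) = p and Q; aborts when p fails."""
    return lambda q: p & q


def assume(p):
    """Assumption [p]: wp(Q) = not p or Q; miraculous when p fails."""
    return lambda q: (STATES - p) | q


def seq(s, t):
    """Sequential composition S; T: wp(Q) = wp_S(wp_T(Q))."""
    return lambda q: s(t(q))


def demonic(s, t):
    """Demonic choice: every alternative must establish Q (intersection)."""
    return lambda q: s(q) & t(q)


def angelic(s, t):
    """Angelic choice: some alternative establishes Q (union)."""
    return lambda q: s(q) | t(q)


def magic(q):
    """The miracle: establishes any postcondition, even false."""
    return TRUE


def abort(q):
    """Abort: establishes nothing."""
    return FALSE


def all_predicates():
    """All 2^6 predicates over STATES."""
    for bits in product((0, 1), repeat=len(STATES)):
        yield frozenset(s for s, b in zip(sorted(STATES), bits) if b)


def is_monotonic(s):
    """P <= Q implies wp_S(P) <= wp_S(Q)."""
    preds = list(all_predicates())
    return all(s(p) <= s(q) for p in preds for q in preds if p <= q)


def is_conjunctive(s):
    """wp_S(P and Q) == wp_S(P) and wp_S(Q): the demonic healthiness condition."""
    preds = list(all_predicates())
    return all(s(p & q) == s(p) & s(q) for p in preds for q in preds)


def is_disjunctive(s):
    """wp_S(P or Q) == wp_S(P) or wp_S(Q): the angelic counterpart."""
    preds = list(all_predicates())
    return all(s(p | q) == s(p) | s(q) for p in preds for q in preds)


def is_strict(s):
    """wp_S(false) == false: S is not miraculous."""
    return s(FALSE) == FALSE


def refines(s, t):
    """S is refined by T iff wp_S(Q) <= wp_T(Q) for every postcondition Q."""
    return all(s(q) <= t(q) for q in all_predicates())


# Sample statements (assumed for the illustration).
SET_ZERO = assign(lambda x: 0)
SET_TWO = assign(lambda x: 2)
DEMONIC_EVEN = demonic(SET_ZERO, SET_TWO)   # x becomes 0 or 2, adversary picks
ANGELIC_EVEN = angelic(SET_ZERO, SET_TWO)   # x becomes 0 or 2, angel picks
INC = assign(lambda x: (x + 1) % 6)


def summary():
    """Healthiness and refinement facts, computed by enumeration."""
    return {
        "demonic choice is conjunctive": is_conjunctive(DEMONIC_EVEN),
        "demonic choice is disjunctive": is_disjunctive(DEMONIC_EVEN),
        "angelic choice is conjunctive": is_conjunctive(ANGELIC_EVEN),
        "angelic choice is disjunctive": is_disjunctive(ANGELIC_EVEN),
        "assumption is strict": is_strict(assume(EVEN)),
        "resolving the demon is a refinement": refines(DEMONIC_EVEN, SET_ZERO),
        "adding demonic choice is a refinement": refines(SET_ZERO, DEMONIC_EVEN),
        "magic refines everything": all(refines(s, magic) for s in (abort, INC, ANGELIC_EVEN)),
        "abort is refined by everything": all(refines(abort, s) for s in (magic, INC, DEMONIC_EVEN)),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The two choice operators are the whole point: the demonic one is conjunctive and fails disjunctivity, the angelic one is the mirror image, and the assumption statement is non-strict, which is exactly what "miraculous" means in the excerpt. Refinement is then just pointwise inclusion of weakest preconditions, so the enumeration shows that a specification with demonic choice is refined by any of its resolutions, while magic sits at the top of the ordering and abort at the bottom.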
Contracts, Games and Refinement
Information and Computation, 1997
We consider the notion of a contract that governs the behavior of a collection of agents. In particular, we study the question of whether a group among these agents can achieve a given goal by following the contract. We show that this can be reduced to studying the existence of winning strategies in a two-person game. We define a weakest precondition semantics for contract statements that permits us to compute the initial states from which a group of agents has a winning strategy to reach their goal. This semantics generalizes the traditional predicate transformer semantics for program statements to contracts and games. Ordinary programs and interactive programs are special kinds of contracts. A notion of correctness and refinement is introduced for contracts. Contracts are shown to form a complete lattice with respect to the refinement ordering.
TUCS Research Group: Programming Methodology Research Group
1 Introduction
A computation can generally be seen as involving a number of ag...
Statement inversion and strongest postcondition
Science of Computer Programming, 1993
A notion of inverse commands is defined for a language with a weakest precondition semantics, permitting both demonic and angelic nondeterminism as well as miracles and nontermination. Every conjunctive and terminating command is invertible, the inverse being non-miraculous and disjunctive. A simulation relation between commands is described using inverse commands. A generalized form of inverse is defined for arbitrary conjunctive commands. The generalized inverses are shown to be closely related to strongest postconditions.
Ensuring Correctness of Object and Component Systems
1999
To my mother, for making this possible.
Я и садовник, я же и цветок, / В темнице мира я не одинок. / На стекла вечности уже легло / Моё дыхание, моё тепло.
(I am the gardener, and I am the flower too; / In the prison of the world I am not alone. / Upon the glass of eternity has already settled / My breath, my warmth.)

