Using a set-theoretic model of predicate transformers and ordered data types, we give a total-correctness semantics for a typed higher-order imperative programming language that includes record extension, local variables, and proceduretype variables and parameters. The language includes infeasible speci cation constructs, for a calculus of re nement. Procedures may have global variables, subject to mild syntactic restrictions to avoid the semantic complications of Algol-like languages. The semantics is used to validate simple proof rules for non-interference, type extension, and calls of procedure variables and constants.

Introduction For reasoning about total correctness of while-programs, the rules proposed by Hoare [10] have stood the test of time. But for procedure calls, a number of dierent rules have appeared (e.g, [11,9,2,1,5,12]). There appears to be no consensus on the \right" rule, and some proposals even turn out to be unsound. The results reported in this note were found in an attempt to derive an adaptation rule |rather than pulling it from a magician's hat| using tools from renement calculus. This sheds new light on the subject, explaining and extending the applicability of recent proposals, and it brings to light a new form of specication statement. Adaptation rules. For the moment, let us take for granted a semantics for commands and predicates. Say a triple f pre g S f post g is valid if every computation of command S from a state satisfying pre terminates in

Using a set-theoretic model of predicate transformers and ordered data types, we give a semantics for an Oberon-like higher order imperative language with record subtyping and procedure-type variables and parameters. Data refinement is shown to be sound for this language: It implies algorithmic refinement when suitably localized. And all constructs are shown to preserve simulation, so data refinement can be carried out piecewise.

Abstract. Behavioral subtyping enables modular reasoning about the functional behavior of object-oriented programs. It validates supertype abstraction, that is, modular reasoning about dynamically dispatched method calls, such as E.m(), using specifications associated with their receiver’s static type, such as the static type of E. For languages with references and mutable objects neither behavioral subtyping nor supertype abstraction has been rigorously formalized as such. Moreover, the standard informal notion of behavioral subtyping has inadequacies. This paper gives a new formalization of behavioral subtyping and supertype abstraction, and a new proof of their equivalence. Our new formalization handles a realistic subset of sequential Java, with classes and interfaces, recursive types, and dynamically-allocated mutable objects.

higher types, lax exponent. Abstract. Using 2-categorical laws of algorithmic refinement, we show soundness of data refinement for stored programs and hence for higher order procedures with value/result parameters. The refinement laws hold in a model that slightly generalizes the standard predicate transformer semantics for the usual imperative programming constructs including prescriptions. 1.

. We argue that the category of transformers of monotonic predicates on posets is superior to the category of transformers on powersets, as the basis for a calculus of higher order imperative programming. We show by an example polytypic program derivation that such transformers (and the underlying categories of order-compatible relations and monotonic functions) model a calculus quite similar to the more familiar calculus of functional programs and relations. The derived program uses as a data type an exponent of transformers; unlike function-space, this transformer-space is adequate for semantics of higher order imperative programs. 1 Introduction Programs are arrows of a category whose objects are data types --- but what category? what objects? what arrows? The primordial, if fanciful, answer is Fun, the category of "all" sets and functions (often called Set). If we choose a few objects as primitives, say integers and booleans, we get a rich collection of types by applicat...

The algebra of functions and relations has been used so successfully in program construction that textbooks have appeared. Despite the importance of predicate transformers in imperative programming, the algebra of transformers has been less explored. To show its promise, we prove results on exponents and recursion on inductive data types, sufficient for carrying out a polytypic derivation that has been given as a substantial example for functions and relations. We also give a data refinement from exponents of specifications to the concrete exponents needed for program semantics.

Refinement calculi for imperative programs provide an integrated framework for programs and specifications and allow one to develop programs from specifications in a systematic fashion. The semantics of these calculi has traditionally been de ned in terms of predicate transformers and poses several challenges in defining a state transformer semantics in the denotational style. We de ne a novel semantics in terms of sets of state transformers and prove it to be isomorphic to positively multiplicative predicate transformers. This semantics disagrees with the traditional semantics in some places and the consequences of the disagreement are analyzed.

Abstract. Adaptation rules adapt the pre-post specification of a procedure to contexts where it is called. Such rules are important for practical reasons, and are necessary for completeness of proof systems for languages with recursive procedures. A sharp rule is one that gives the weakest precondition with respect to a given postcondition. A number of rules have been proposed for simple imperative languages with recursive procedures, most unsound or incomplete or non-sharp. Taking an algebraic approach, we clarify and extend the applicability of previously proposed sharp rules for total correctness, and show how further rules may be found.

Point-free relation calculi have been fruitful in functional programming, but in specific applications pointwise expressions can be more convenient and comprehensible than point-free ones. To integrate pointwise with point-free, de Moor and Gibbons [AMAST 2000] give a relational semantics for lambda terms with non-injective pattern matching. Alternative semantics has