Results 1 - 10 of 95
Refinement Calculus, Part I: Sequential Nondeterministic Programs
- STEPWISE REFINEMENT OF DISTRIBUTED SYSTEMS: MODELS, FORMALISMS, CORRECTNESS. PROCEEDINGS. 1989, VOLUME 430 OF LECTURE NOTES IN COMPUTER SCIENCE, 1989
Cited by 54 (3 self)
A lattice theoretic framework for the calculus of program refinement is presented. Specifications and program statements are combined into a single (infinitary) language of commands which permits miraculous, angelic and demonic statements to be used in the description of program behavior. The weakest precondition calculus is extended to cover this larger class of statements and a game-theoretic interpretation is given for these constructs. The language is complete, in the sense that every monotonic predicate transformer can be expressed in it. The usual program constructs can be defined as derived notions in this language. The notion of inverse statements is defined and its use in formalizing the notion of data refinement is shown.
Retrenchment: An Engineering Variation on Refinement
Cited by 54 (34 self)
It is argued that refinement, in which I/O signatures stay the same, preconditions are weakened and postconditions strengthened, is too restrictive to describe all but a fraction of many realistic developments. An alternative notion is proposed called retrenchment, which allows information to migrate between I/O and state aspects of operations at different levels of abstraction, and which allows only a fraction of the high level behaviour to be captured at the low level. This permits more of the informal aspects of design to be formally captured and checked. The details are worked out for the B-Method.
Deriving Operational Software Specifications from System Goals
2002
Cited by 48 (4 self)
Goal orientation is an increasingly recognized paradigm for eliciting, modeling, specifying and analyzing software requirements. Goals are statements of intent organized in AND/OR refinement structures; they range from high-level, strategic concerns to low-level, technical requirements on the software-to-be and assumptions on its environment. The operationalization of system goals into specifications of software services is a core aspect of the requirements elaboration process for which little systematic and constructive support is available. In particular, most formal methods assume such operational specifications to be given and focus on their a posteriori analysis.
The paper considers a formal, constructive approach in which operational software specifications are built incrementally from higher-level goal formulations in a way that guarantees their correctness by construction. The operationalization process is based on formal derivation rules that map goal specifications to specifications of software operations; more specifically, these rules map real-time temporal logic specifications to sets of pre-, post- and trigger conditions. The rules define operationalization patterns that may be used for guiding and documenting the operationalization process while hiding all formal reasoning details; the patterns are formally proved correct once and for all. The catalog of operationalization patterns is structured according to a rich taxonomy of goal specification patterns.
Our constructive approach to requirements elaboration requires a multiparadigm specification language that supports incremental reasoning about partial models. The paper also provides a formal semantics for goal operationalization and discusses several semantic features of our language that allow for such incremental reasoning.
From action systems to modular systems
- Software - Concepts and Tools, 1994
Cited by 38 (14 self)
Action systems are used to extend program refinement methods for sequential programs, as described in the refinement calculus, to parallel and reactive system refinement. They provide a general description of reactive systems, capable of modeling terminating, possibly aborting and infinitely repeating systems. We show how to extend the action system model to refinement of modular systems. A module may export and import variables, it may provide access procedures for other modules, and it may itself access procedures of other modules. Modules may have autonomous internal activity and may execute in parallel or in sequence. Modules may be nested within each other. They may communicate by shared variables, shared actions, a generalized form of remote procedure calls and by persistent data structures. Both synchronous and asynchronous communication between modules is supported. The paper shows how a single framework can be used for both the specification of large systems, the modular decomposition of the system into smaller units and the refinement of the modules into program modules that can be described in a standard programming language and executed on standard hardware.
Superposition Refinement of Reactive Systems
- FORMAL ASPECTS OF COMPUTING, 1993
Cited by 34 (7 self)
Superposition refinement enhances an algorithm by superposing one computation mechanism onto another mechanism, in a way that preserves the behavior of the original mechanism. Superposition seems to be particularly well suited to the development of parallel and distributed programs: an originally simple sequential algorithm can be extended with mechanisms that distribute control and state information to many processes, thus permitting efficient parallel execution of the algorithm. We will in this paper show how superposition of reactive systems is expressed in the refinement calculus. We illustrate the power of this method by a case study, showing how a distributed broadcasting system is derived through a sequence of superposition refinements.
DTRE - A Semi-Automatic Transformation System
- In Constructing Programs from Specifications, 1991
Cited by 25 (3 self)
This paper describes the theoretical framework and an implemented system (Dtre) for the specification and verified refinement of specifications using operations on abstract data types. The system is semi-automatic in that users can specify some (possibly none) of the implementations and the system will determine the rest of the implementations. Data types are specified as parameterized theories within many-sorted first-order logic; usually these theories are centered around inductive sorts. Abstract specifications (theories) are refined in a stepwise fashion into increasingly more concrete theories. Our primary method of refinement is based on theory interpretation [1, 2, 3]. Theories and interpretations provide a clean, logically based separation between types and their implementations; thus permitting specification to proceed independently of implementation while simultaneously providing a basis for rapid and verifiably correct transformation to efficient code. Dtre provides a conven...
Products in the Refinement Calculus
1999
Cited by 24 (2 self)
We study program states that are described as tuples, i.e., product state spaces. Modeling programs as predicate transformers, we define a product operator on program statements that describes the independent execution of statements on disjoint state spaces. The algebraic properties of this product operator are studied, in particular the basic monotonicity and distributivity properties that the operator has, and their applications. We also consider how to extend the state space by adding new state components, and show how this is modeled using the product operator. Finally, we show how products are useful to formulate data refinement, both as a general concept and as a technique for replacing local state components of program blocks.
Program Refinement by Theorem Prover
- In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development. 5th -- 7th January, 1994
Cited by 21 (1 self)
We describe a prototype tool for developing programs by stepwise refinement in a weakest precondition framework, based on the HOL theorem proving system. Our work is based on a mechanisation of the refinement calculus, which is a theory of correctness preserving program transformations. We also use a tool for window inference that is part of the HOL system. Our tool permits subcomponents of a program to be refined separately, and the tool keeps track of the overall effects of each individual refinement. In particular, we show how specifications can be refined into code and how data refinements (i.e., replacing an abstract data structure with one that is more concrete) can be handled. All refinements are proved as theorems in the HOL logic, so our system is in fact a secure environment for program development.
1 Introduction
Stepwise refinement is a methodology for developing programs from high-level program specifications into efficient implementations. In this approach to program dev...
An Algebraic Construction of Predicate Transformers
- Science of Computer Programming, 1994
Cited by 19 (1 self)
In this paper we present an algebraic construction of monotonic predicate transformers, using a categorical construction which is similar to the algebraic construction of the integers from the natural numbers. When applied to the category of sets and total functions once, it yields a category isomorphic to the category of sets and relations; a second application yields a category isomorphic to the category of monotonic predicate transformers. This hierarchy cannot be extended further: the category of total functions is not itself an instance of the categorical construction, and can only be extended by it twice.
1 Introduction
Predicate transformers were introduced originally by Dijkstra [8] in order to provide an elegant semantics for his programming language. Their strength lies in the fact that they can be used to model non-deterministic and non-terminating behaviour in terms of total functions, rather than relations. Not all monotonic predicate transformers represent programs in ...