The refinement calculus for the development of programs from specifications is well suited to mechanised support. We review the requirements for tool support of refinement as gleaned from our experience with a number of existing refinement tools, and report on the design and implementation of a new tool to support refinement based on these requirements. The main features of the new tool are close integration of refinement and proof in a single tool (the same mechanism is used for both), good management of the refinement context, an extensible theory base that allows the tool to be adapted to new application domains, and a flexible user interface.

This paper describes the prototype interactive theorem prover demo3.3. The prototype demonstrates several proposals for increasing the efficiency and convenience of interactive deductive reasoning. These include: the use of a very high-level logic programming language (Qu-Prolog) for implementation, which provides strong support for symbolic computation with mathematical notations, rapid prototyping, schematic notations and programming of interactive theorem prover tactics; a new window inference method specifically designed to capture hierarchical goal-directed proofs; and a capacity to support a variety of logics. 1 Contents 1 Introduction 3 2 Qu-Prolog 3 3 Elementary Use of Demo3.3 5 3.1 Getting Started : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 3.2 Positions and Opening Windows : : : : : : : : : : : : : : : : : : : : : : : : 7 3.3 Equivalence Transformations : : : : : : : : : : : : : : : : : : : : : : : : : : 8 3.4 Closing Windows : : : : : : : : : : : :...

A program can be refined either by transforming the whole program or by refining one of its components. The refinement of a component is, for the main part, independent of the remainder of the program. However, refinement of a component can depend on the context of the component for information about the variables that are in scope and what their types are. The refinement can also take advantage of additional information, such as any precondition the component can assume. The aim of this paper is to introduce a technique, which we call program window inference, to handle such contextual information during derivations in the refinement calculus. The idea is borrowed from a technique, called window inference, for handling context in theorem proving. Window inference has been incorporated into the proof development tool Ergo, and this tool has been adapted to support program window inference for program refinement.

Refinement is a mathematically-based technique for developing a program from an abstract specification so that the program satisfies the specification. The aim of the Program Refinement Tool project is to develop a generic refinement tool suitable for supporting a methodology for the interactive development of programs based on the refinement calculus. This report summarizes our investigation into how the Ergo theorem prover can be used to model the refinement calculus and form the basis of this tool.

This paper gives an overview of the real-time specification of a commercial RISC processor. The specification is at two related levels, with an abstraction relation defined between them. The lower level specification models separate stages of execution of up to five overlapped instructions. The higher level specification abstracts from the lower level to recapture an atomic, instruction level view of code execution. The load word instruction is used as an example to illustrate the specification at both levels. 1 Introduction This paper summarises a two-layered approach to specifying the real-time behaviour of a commercial RISC processor (the MIPS R3000 1 ). This provides a sound formal basis for reasoning about real-time programs running on the processor, with a degree of precision and rigour not made available by existing processor documentation. The real-time performance of a RISC processor such as the MIPS R3000 depends on its use of instruction pipelining and data and in...

This document contains a specification of the behavioural and real-time aspects of a typical MIPS R3000 RISC CPU. To increase assurance of correctness relative to the operational behaviour of the actual device, this specification directly specifies the five-stage pipeline structure of the CPU, rather than taking an instruction level view. A more abstract instruction level specification has been derived from this specification and is available as a separate report. Both specifications are written using functional logic, which extends classical logic by supporting reasoning about predicates that have an implicit parameter. Contents 1 Introduction 3 2 Functional Logic 3 3 Computer Arithmetic 6 4 System Overview 7 4.1 Assumptions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 9 5 Specification Scope 13 6 Instruction Decoding 13 6.1 Instruction Groups : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 16 1 7 CP0 Registers 19 8 The R3000 CPU 23 8.1 IF...

Refinement is a mathematically-based technique for developing a program from an abstract specification so that the program satisfies the specification. The aim of the Program Refinement Tool project is to develop a generic refinement tool suitable for supporting a methodology for the interactive development of programs based on the refinement calculus. This report summarizes our investigation into an appropriate engine to use for the refinement calculator and theorem prover in this tool. Contents 1 Introduction 2 2 Refinement Engine 3 2.1 Structure of Refinement Rules : : : : : : : : : : : : : : : : : : 3 2.2 Applicability Conditions : : : : : : : : : : : : : : : : : : : : : 5 2.3 Parameters : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 2.4 Monotonicity : : : : : : : : : : : : : : : : : : : : : : : : : : : 7 2.5 Proving Refinement Rules : : : : : : : : : : : : : : : : : : : : 8 2.6 Schematic Developments : : : : : : : : : : : : : : : : : : : : : 8 2.7 Customizing t...

The paper focusses on the logical backgrounds of the Dijkstra-Scholten program development style for correct programs. For proving the correctness of a program (i.e. the fact that the program satisfies its specifications), one often uses a special form of predicate calculus in this style of programming. We call this the Dijkstra-Scholten (DS) predicate calculus, since [DS90] is the first place in which it is described. DS predicate calculus can be conceived of as a logically sound and complete manipulation technique for dealing with logical formulas which also contain programming variables. We relate DS predicate calculus to the classical logical formalism, by contrasting its syntax, derivation rules and semantics to the classical framework. We also comment on two abstractions of DS predicate calculus: the set-theoretical and the algebraic approach. In doing so, we give DS predicate calculus and its abstract variants a firm basis, on a par with the foundations of the well-known first order logic. Such a comparison of DS predicate calculus and classical logic has not yet been sufficiently elaborated before. We conclude our paper with a number of examples showing that the, up to now, unsatisfactory presentation of DS predicate calculus and some of its features (such as the square brackets notation) has led to errors and fallacies in the literature.

This paper gives an overview of: two levels of formal specification of the real-time behaviour of a commercial RISC chip; an approach to verifying the higher-level specification relative to the lower-level one; and the proof tool and environment used for the proofs. The specifications are written in functional logic, which provides an adaptable modal facility. The proof tool and environment support both rewriting and forward and backwards proof, through a development of the sequent calculus called window inference, and provide for the flexible interaction of manual and automatic modes of proof.