Non-deterministic Expressions and Predicate Transformers
Information Processing Letters, 1997
Cited by 10 (1 self)
Non-determinacy is important in the formal specification and formal derivation of programs, but non-determinacy within expressions is theoretically problematical. The refinement calculus side-steps the problem by admitting non-determinacy only at the level of statements, leading to a style of programming that favours statements and procedures over expressions and functions. But expressions are easier to manipulate than statements, and the poverty of the expression notation has made the formal derivation of imperative programs tedious. Here we introduce non-deterministic expressions into the refinement calculus by constructing a weakest precondition semantics for imperative specifications and programs that holds good even when expressions may be non-deterministic.
Keywords: non-deterministic expressions; weakest preconditions; refinement calculus
1 Introduction
Consider the little problem of making a program to compute the sign ('+' or '-') of an integer n, not caring whether '+' o...
Partiality and Nondeterminacy in Program Proofs
Formal Aspects of Computing, 1999
Cited by 6 (3 self)
Specifications and programs make much use of nondeterministic and/or partial expressions, i.e. expressions which may yield several or no outcomes for some values of their free variables. Traditional 2-valued logics do not comfortably accommodate reasoning about undefined expressions, and do not cater at all for nondeterministic expressions. We seek to rectify this with a 4-valued typed logic E4 which classifies formulae as either "true", "false", "neither true nor false", or "possibly true, possibly false". The logic is derived in part from the 2-valued logic E and the 3-valued LPF, and preserves most of the theorems of E. Indeed, the main result is that nondeterminacy can be added to a logic covering partiality at little cost.
1. Introduction
The basic idea of a function as a rule which determines a unique outcome for any given input (in a certain domain) is intuitively simple, and adequately describes most of the functions we meet in everyday mathematics. Just occasionally we h...
A Theory of Program Refinement
1998
Cited by 5 (1 self)
We give a canonical program refinement calculus based on the lambda calculus and classical first-order predicate logic, and study its proof theory and semantics. The intention is to construct a metalanguage for refinement in which basic principles of program development can be studied. The idea is that it should be possible to induce a refinement calculus in a generic manner from a programming language and a program logic. For concreteness, we adopt the simply-typed lambda calculus augmented with primitive recursion as a paradigmatic typed functional programming language, and use classical first-order logic as a simple program logic. A key feature is the construction of the refinement calculus in a modular fashion, as the combination of two orthogonal extensions to the underlying programming language (in this case, the simply-typed lambda calculus). The crucial observation is that a refinement calculus is given by extending a programming language to allow indeterminate expressions (or ‘stubs’) involving the construction ‘some program x such that P ’. Factoring this into ‘some x...’
Refining Specifications to Logic Programs
Logic Program Synthesis and Transformation, Proc. of the 6th Int. Workshop, LOPSTR'96, 1996
Cited by 3 (3 self)
The refinement calculus provides a framework for the stepwise development of imperative programs from specifications. In this paper we study a refinement calculus for deriving logic programs. Dealing with logic programs rather than imperative programs has the dual advantages that, due to the expressive power of logic programs, the final program is closer to the original specification, and each refinement step can achieve more. Together these reduce the overall number of derivation steps. We present a logic programming language extended with specification constructs (including general predicates, assertions, and types and invariants) to form a wide-spectrum language. General predicates allow non-executable properties to be included in specifications. Assertions, types and invariants make assumptions about the intended inputs of a procedure explicit, and can be used during refinement to optimize the constructed logic program. We provide a semantics for the extended logic progr...
Towards a ML extension with Refinement: a Semantic Issue
2006
Cited by 1 (0 self)
Refinement is a method to derive correct programs from specifications. A rich type language is another way to ensure program correctness. In this paper, we propose a wide-spectrum language mixing both approaches for the ML language. Mainly, base types are simply included into expressions, introducing underdeterminism and dependent types. We focus on the semantic aspects of such a language. We study three different semantics: a denotational, a deterministic operational and a nondeterministic operational semantics. We prove their equivalence. We show that this language is a conservative extension of ML.
Investigating Miraculous Specifications
Northern Formal Methods Workshop, 1998
Cited by 1 (1 self)
In order to use expressions as the basis of a specification language, we admit undefinedness, and introduce nondeterminism through the use of a choice operator. We extend expressiveness of the language by allowing choice from a set of values. Such a set could be infinite, giving unbounded non-determinism, or it could be empty, producing miracles. In this paper we treat the miraculous specification, examining its uses and highlighting related problems. In particular, we find that miracles promote the possibility of specification in parts, and piecewise refinement. However, their undesirable properties mean that we must limit their use. A biased choice operator is introduced as a method of totalising miraculous expressions. Finally, the formation of miraculous functions is considered with reference to their use and manipulation.
Making Nondeterminism Explicit in Z
Cited by 1 (0 self)
Specification of system requirements is often involved with ambiguity and nondeterminism. Formal methods tend to mitigate ambiguity but nondeterminism remains as an inherent part of specification.
Specificational Functions
Cited by 1 (0 self)
this paper, and nothing of substance in what follows depends on it. Note that (2x:T | true) differs from ⊥_T in that ⊥_T is refined even by a "non-terminating" expression such as an application of the recursive function f where f = λx:T • f x. There is a bottom for each type, indicated by subscripting, but we nearly always omit the type, either because it is not significant in the context, or it can be easily inferred. In refinement calculi, partial operations such as 3/0 are commonly equated with ⊥, and similarly for nonterminating expressions. It is also customary to use ⊥ as a "don't care" term by which the customer indicates that she has no interest in the outcomes. Although it may be useful in other contexts to distinguish these various roles for ⊥, in program derivation they are similar in that they represent error situations in which the outcome is unpredictable and unconstrained.