In the refinement calculus, program statements are modelled as predicate transformers. A product operator for predicate transformers was introduced by Martin [18] and Naumann [25] using category theoretic considerations.

We describe an approach to the derivation of correct algorithms on treebased pointer structures. The approach is based on enriching trees in a way that allows us to model commonly-used pointer manipulations on tree structures.

The refinement calculus is a well-established theory for formal development of imperative program code and is supported by a number of automated tools. Via a detailed case study, this article shows how refinement theory and tool support can be extended for a program with real-time constraints. The approach adapts a timed variant of the refinement calculus and makes corresponding enhancements to a theorem-prover based refinement tool.

reports are available via anonymous ftp, from svrc.it.uq.edu.au in the directory /pub/techreports. Abstracts and compressed postscript files are available via

In this paper we present an approach for modelling functional procedures (as they occur in imperative programming languages) in a weakest precondition framework. Functional procedures are modelled in their full generality � thus the body of a functional procedure can be built using standard speci cation syntax, including nondeterminism, sequential composition, conditionals and loops. We integrate our theory of functional procedures into the existing mechanisation of the re nement calculus in the HOL system. To make formal reasoning possible, we derive correctness rules for functional procedures and their calls. Weshow also how recursive functional procedures can be handled according to our approach. Finally,weprovide a nontrivial example of reasoning about a recursive procedure for binary search.

The refinement calculus is a well-established theory for translating specifications to program code. Recent research has extended the calculus to handle real-time requirements and we have developed an interactive support tool based on these extensions. Via a case study, this paper shows how the tool helps the programmer by supporting the many forms of variables used in the theory. These include simple state variables as in the untimed calculus, timed-trace variables that model the evolution of properties over time, and auxiliary variables that exist to support formal reasoning only. 1

In this paper we propose a novel approach to speci cation, development, and veri cation of object-oriented frameworks employing separate interface inheritance and implementation inheritance hierarchies. In particular, we illustrate how our method of framework speci cation and veri cation can be used to specify Java Collections Framework, which is a part of the standard Java Development Kit 2.0, and ensure its correctness. We propose to associate with Java interfaces formal descriptions of the behavior that classes implementing these interfaces and their subinterfaces must deliver. Verifying behavioral conformance of classes implementing given interfaces to the speci cations integrated with these interfaces allows us to ensure correctness of the system. The characteristic feature of our speci cation methodology is that the speci cation language used combines standard executable statements of the Java language with possibly nondeterministic speci cation statements. A speci cation of the intended behavior of a particular interface given in this language can serve asa precise documentation guiding implementation development. Since subtyping polymorphism in Java is based on interface inheritance, behavioral conformance of subinterfaces to their superinterfaces is essential for correctness of object substitutability inclients. As we view interfaces augmented with formal speci cations as abstract classes, verifying behavioral conformance amounts to proving class re nement between speci cations of superinterfaces and subinterfaces. Moreover, the logic frameworkthatwe use also allows veri cation of behavioral conformance between speci cations of interfaces and classes implementing these interfaces. The uniform treatment of speci cations and implementations and the relationships between them permits verifying correctness of the whole framework and its extensions.

Simulation machines for checking action system refinements

In this paper we present an approach for modelling functional procedures (as they occur in imperative programming languages) in a weakest precondition framework. Functional procedures are modelled in their full generality; thus the body of a functional procedure can be built using standard specification syntax, including nondeterminism, sequential composition, conditionals and loops.

Formal modelling is indispensable for engineering highly dependable systems. However, a wider acceptance of formal methods is hindered by their in- sufficient usability and scalability. In this paper, we aim at assisting developers in rigorous modelling and design by increasing automation of development steps. We introduce a notion of refinement patterns – generic representations of typical correctnesspreserving model transformations. Our definition of a refinement pattern contains a description of syntactic model transformations, as well as the pattern applicability conditions and proof obligations for verification of correctness preservation. This establishes a basis for building a tool supporting formal system development via pattern reuse and instantiation. We present a prototype of such a tool and some examples of refinement patterns for automated development in the Event B formalism.