## A Theory of Program Refinement (1998)

Citations: 6 (1 self)

### BibTeX

```bibtex
@TECHREPORT{Denney98atheory,
  author      = {Ewen W. K. C. Denney},
  title       = {A Theory of Program Refinement},
  institution = {},
  year        = {1998}
}
```


### Abstract

We give a canonical program refinement calculus based on the lambda calculus and classical first-order predicate logic, and study its proof theory and semantics. The intention is to construct a metalanguage for refinement in which basic principles of program development can be studied. The idea is that it should be possible to induce a refinement calculus in a generic manner from a programming language and a program logic. For concreteness, we adopt the simply-typed lambda calculus augmented with primitive recursion as a paradigmatic typed functional programming language, and use classical first-order logic as a simple program logic. A key feature is the construction of the refinement calculus in a modular fashion, as the combination of two orthogonal extensions to the underlying programming language (in this case, the simply-typed lambda calculus). The crucial observation is that a refinement calculus is given by extending a programming language to allow indeterminate expressions (or ‘stubs’) involving the construction ‘some program x such that P ’. Factoring this into ‘some x...’

### Citations

1399 | A Discipline of Programming - Dijkstra - 1976
Citation Context: ...as specifications so that satisfying a property amounts to refinement. The classical refinement calculus of Back, Morgan and Morris [Bac88, Mor94, Mor87], based on Dijkstra’s Guarded Command Language [Dij76], is a calculus for deriving imperative programs from specifications expressed in terms of pre- and postconditions in first-order logic. They do not consider refinement on expressions. The Guarded Comma...

1103 | The Z Notation, A Reference Manual - Spivey - 1992
Citation Context: ...structed using full second order intuitionistic logic. The type theory can also internalise notions of realisability and refinement. As pointed out by Hayashi, schemas in the Z specification language [Spi92] can be seen as refinement types. They comprise two parts — a typing declaration, and a logical predicate given as a collection of axioms. The deliverables approach [BM92, McK92] is to consider a prog...

818 | Dynamic logic - Harel, Kozen, et al.
Citation Context: ...ber of ways. We will first consider logics in which the propositions refer to programs — program logics. The term ‘program logic’ is often used specifically for the first-order dynamic logic of Harel [Har79] (see the survey in [vL90] for example), but we use it more generally, for any logic of programs (although we will only consider one ourselves). Harel [Har80] gives a survey of different techniques fo...

731 | Notions of Computation and Monads - Moggi - 1991
Citation Context: ...inism. For example, the term (λn : nat.〈n, n〉)?nat should not be equal to 〈?nat, ?nat〉. However, we do expect (λn : nat.n)?nat = ?nat. For similar reasons to those of the computational lambda calculus [Mog91], this leads us to introduce a ‘let’ construction, albeit with a different axiomatisation than there. A direct motivation for introducing a let-construct comes from considering the result of combining...

638 | Systematic Software Development Using VDM - Jones - 1990
Citation Context: ...han a datatype. In this thesis we are concerned with program refinement. Some authors see data refinement as being the central concept in program development. This is the basis of the VDM methodology [Jon90] for example. However, we believe that any calculus for data refinement would have to incorporate program refinement anyway, as the stepwise development of a datatype must include the stepwise develop...

563 | Assigning meanings to programs - Floyd - 1967
Citation Context: ...n must be within certain bounds, then a programmer (or compiler) may be able to perform some partial evaluation or optimisation. Annotating program text with propositions was first suggested by Floyd [Flo67] and is now used in many refinement calculi (e.g. [Bun97]) to facilitate reasoning and to express local assumptions. Extending the type system of λ×→ to refinement types gives a simple notion of prog...

474 | Programming from Specifications - Morgan - 1990
Citation Context: ...lobal indeterminacy and does not account for substitution allowing variable capture. Although much work has been published on refinement calculi, there seem to be no fully axiomatised systems. Morgan [Mor94] describes the ‘classical’ refinement calculus, developed independently by Back, Morgan and Morris. This is an imperative language extended with specification constructs. Their system however, uses no...

292 | Abstract types have existential types - Mitchell, Plotkin - 1985
Citation Context: ...s natural to consider different equalities at the abstract and concrete types. Moreover, the combination of refinement types and existential variables would be a natural way of augmenting the work in [MP88] with equations. It will be interesting to see how the calculi can be extended to the second order. This should reduce the number of rules through the impredicative encodings of unit and product (as w...

261 | Program Development by Stepwise Refinement - Wirth - 1971
Citation Context: ...e primary. Scherlis and Scott [SS83] discuss the need for a logic of programming, as distinct from a logic of programs. An early advocate of refinement and its use for program comprehension was Wirth [Wir71]. The idea of explaining a program by its refinement can, in principle, be applied to program optimisation. Although an executable program may consist of optimised ‘spaghetti’, there will be a level o...

215 | Logical frameworks - Pfenning - 2001
Citation Context: ...n based formalisms, and we will make some specific suggestions below. 6.1.1 Refinement Terms We would be interested to see how this calculus might be usefully combined with work on logical frameworks [Pfe96]. The use of logical variables there is an example of underdeterminism. Although Lego has a richer type system than those studied here, a fragment of it could be studied using λ? as a metalanguage. It...

214 | Empirical Studies of Programming Knowledge - Soloway, Ehrlich - 1984
Citation Context: ...entially having solutions to generic problems and how to apply them in particular situations. Empirical studies have shown that programming knowledge can be encapsulated as collections of derivations [SE84]. To a certain extent, modern programming languages encourage programmers to indicate levels of abstraction through the use of abstract data types and structured programming methods, but it is not ...

172 | Refinement types for ML - Freeman, Pfenning - 1991
Citation Context: ...se systems axiomatises property deductions using refinements φ ⊑ φ′. Pfenning, who introduced the term “refinement type”, gave a refinement type system for expressing properties of mini-ML programs [FP91]. In another work [Pfe93] he gave an extension to LF with (possibly intensional) properties such as “in normal form” (a property of derivations), given as refinement types. He does not allow refinemen...

155 | A Theoretical Basis for Stepwise Refinement and the Programming Calculus - Morris - 1989

147 | A calculus of refinements for program derivations - Back - 1988

147 | LEGO Proof Development System: User's Manual - Luo, Pollack - 1992
Citation Context: ...he programming language. Moreover, we might want to consider a combination of nondeterminism and underdeterminism, for example when developing a logic program. Proof development systems, such as Lego [LP92], allow users to interactively construct a proof by refinement. Intermediate states in a proof development may be modelled as underdetermined terms. The idea there of allowing existential variables in...

137 | Predicate logic unplugged - Bos - 1996
Citation Context: ... 5.4. The concept of underdeterminism also arises in linguistics (with the name ‘underspecification’), where semantically ambiguous statements such as “every student is ?noun phrase” are studied. Bos [Bos95] for example, considers a language with metavariables for representing such statements. 1.6.2 Refinement Types A number of authors have advocated program analysis using annotated type systems. An exam...

125 | On the meanings of the logical constants and the justifications of the logical laws - Martin-Löf - 1996
Citation Context: ...tion of refinement described here could be extended to other situations, and how refinement itself might be incorporated into a larger theory of program development. 1.8 Notation Following Martin-Löf [Mar96] we refer to the atomic statements of a theory as basic judgements. These are either judgements of well-formedness or of truth. The most general form of judgement is in hypothetico-general form, that ...

121 | Logic and structure - van Dalen - 1994
Citation Context: ...: τ ⊢ P]} [Γ ⊢ t =τ t′] = {η Γ | [Γ ⊢ t : τ](η) = [Γ ⊢ t′ : τ](η)} (Figure 2.10: Interpretation of Well-formed Propositions) existentials. We will achieve this by using the notion of Henkin theory [vD94]. A Henkin theory, T, has the property that if the proposition ∃x : τ.P is in T, then P[t/x] is in T for some t : τ. Definition 2.4.3 A first-order λ×→-Henkin theory, T, over an axiom system 〈Sg, Ax〉, in ...

88 | The HOL logic - Pitts - 1993
Citation Context: ...any well-formedness requirements on axioms, but check for well-formedness at the point of using the axiom in a proof. A similar convention is adopted by Pitts for dependently-typed algebraic theories [Pit95]. Hence, although we intend that when k has sort τ1, ..., τn → τ, that we have Γ ⊢ φi : Ref(τi) (i = 1, ..., n) and Γ ⊢ ψ : Ref(τ), we do not enforce it in the axiom system. We could, for example, have required for a...

68 | Subtyping dependent types - Aspinall, Compagnoni - 1996

62 | Axiomatic Domain Theory in Categories of Partial Maps - Fiore - 1994
Citation Context: ...ency and the other the logic. Underdeterminism should be a separate feature on top of this set-up. We should be able to characterise ⊑φ semantically, using the specialisation order for example, as in [Fio94]. Whether derived or assumed, there is a poset-enriched structure where the ordering of morphisms corresponds to refinement. More generally, we could envisage a 2-categorical structure, where the 2-cel...

46 | Subtyping with Singleton Types - Aspinall - 1995
Citation Context: ... present work in being concerned with subtyping type families. Dependency there is at the level of types themselves, whereas we only allow dependent structure at the refinement type level. Aspinall’s [Asp95] dependent type theory, λ≤{}, is formally similar in that it has subtyping on dependent functions and products. Dependency in λ≤{} comes from singleton types, which are a special case of subset typ...

44 | Strictness Analysis in Logical Form - Jensen - 1991
Citation Context: ...dvocated program analysis using annotated type systems. An example in the ‘non-standard type system as program logic’ paradigm is [NN88], a system for binding time analysis (and optimisation). Jensen [Jen91] performs strictness analysis using intersection types and primitive types to indicate termination. Burn [Bur92] considers a more general framework, with intersection and union types. Each of these sy...

44 | Kripke-style models for typed lambda calculus - Mitchell, Moggi - 1991
Citation Context: ...mptiness is required, either by having a special rule (as in [MMMS87]) or by using a logic powerful enough to derive this (as in the next section). Alternatively, a wider class of models could be used [MM91]. Here, we will just assume that all types are syntactically inhabited, that is, there are closed terms at every type. In fact, for completeness, a slightly weaker assumption would suffice, namely, th...

42 | Refinement types for logical frameworks - Pfenning - 1993

40 | Foundations for Programming Languages. Foundations of Computing series - Mitchell - 1996
Citation Context: ...ns, we will assume that all signatures in this thesis are countable, but will not bother to repeat this assumption. In order to define the notion of constant over a type signature, we follow Mitchell [Mit96] in making a distinction between types and sorts. To each primitive constant we ascribe a sort — a metalevel construct which explains how to form well-formed terms using the constant. Definition 2.1.2 A...

38 | Toward formal development of programs from algebraic specifications - Sannella, Tarlecki - 1988
Citation Context: ... if we had to do some implementation, combine the resulting specifications somehow, then do some more implementation and so on. Thus we adhere to the ‘principle of modular decomposition’ advocated in [SST92]. The same principle applies when refining into the application of two terms (see Remark 5.2.7). Remark 3.2.5 Let us consider why a ‘naive’ approach using free variables is not sufficient. Suppose we ...

34 | Type and effect systems - Nielson, Nielson - 1999
Citation Context: ...ram itself. Examples of such notions include complexity, program style, and so on. Here we will be concerned with extensional properties and say more about this later in Section 1.4. Program analysis [Nie96] is the task of taking a program and finding which, of a specific class of properties, it satisfies. These are typically computational in nature, such as strictness properties, or binding times. A spe...

34 | Formal program development in Extended ML for the working programmer - Sannella - 1990
Citation Context: ...age. Moreover, the constructs added – placeholders (“question marks”) and axioms – correspond exactly to those of our modular analysis here. There is a well-defined semantics [KST97] and methodology [San91]. The semantics is separated into static, dynamic and verification parts. The static semantics is analogous to finding the underlying type of a term, which we have not formalised directly. Refinement ...

30 | Terminating general recursion - Nordström - 1988
Citation Context: ...ich the recursion is over, such that at each stage the computation on a value can only make use of computations on values lower in the order. This form of recursion is known as well-founded recursion [Nor88]. We will only use well-founded recursion over the naturals with the usual less-than ordering. We write Πz<x φ[z] for Πz:nat|(z<x) φ[z]. Rather than separate the proof of termination from well-formedness,...

28 | Program specification and data refinement in type theory - Luo - 1993
Citation Context: ... possible to study refinement via an encoding in a type theory (assuming that the programming language constructs can be suitably encoded — not necessarily the case in the presence of recursion). Luo [Luo91] gives an encoding of data refinement in the Extended Calculus of Constructions. An explicit calculus for refinement, however, has the advantage that it forces us to think directly about the formalism...

24 | Deliverables: A categorical approach to program development in type theory - McKinna, Burstall - 1993

21 | Relations and refinement in circuit design - Jones, Sheeran - 1990
Citation Context: ...] has a notion of refinement of proof state. If we regard refinement terms as being representations of such a proof state, then Lego’s notion of refinement is like ours. The relational calculus, Ruby [JS91], is essentially an untyped functional language extended with inverses. It is the use of inverses which gives the language specificational power. Nevertheless, specifications in Ruby are usually funct...

21 | Programming in Martin-Löf's Type Theory, volume 7 - Nordström, Petersson, et al. - 1990

20 | Singleton, union and intersection types for program extraction - Hayashi
Citation Context: ...owever, but to give a type structure to specification building operations. His system is based on subtyping rather than refinement types. We discuss Aspinall’s thesis further in 5.4.2. Hayashi’s ATTT [Hay94b] is a rich type theory conservatively extending the polymorphic lambda calculus with singleton, union and intersection types. It is based on the refinement type philosophy, maintaining a distinction b...

19 | First Steps Towards Inferential Programming - Scherlis, Scott - 1983
Citation Context: ...sed in writing the program in the first place, and so it would be best if these were retained. Hence we are led to study a paradigm of programming in which derivations are primary. Scherlis and Scott [SS83] discuss the need for a logic of programming, as distinct from a logic of programs. An early advocate of refinement and its use for program comprehension was Wirth [Wir71]. The idea of explaining a pr...

18 | Categories for Types. Cambridge Mathematical Textbooks - Crole - 1993

18 | An axiomatic approach to binary logical relations with applications to data refinement - Kinoshita, O’Hearn, et al. - 1997

18 | The definition of Extended ML: a gentle introduction - Kahrs, Sannella, Tarlecki - 1997
Citation Context: ...inement calculus. In an implementation of a program development system, we would like to be able to evaluate partially developed programs such as is formalised in the dynamic semantics of Extended ML [KST97]. If the system is based on the logical refinement calculus of Chapter 5, then we cannot directly evaluate terms. We can, however, use the fragment based on the λ?-calculus. Now, Propositions 3.2.11 a...

18 | Proofs and Computation in General Logic - Pym - 1990
Citation Context: ...lculus would be to take annotations as primitive. Then we could define ‘set-theoretic’ (as opposed to PER-theoretic) specifications as 6.5 Search Calculi ?(x:τ)P = let x : τ in (x|P) The thesis of Pym [Pym90] presents a theory of proof search. One idea developed there (and also in [PW90]) is to give a hierarchy of calculi each of which can be regarded as the metatheory of the next and in which the search ...

17 | Type Systems for Modular Programs and Specifications - Aspinall - 1997
Citation Context: ...nderlying t. The types are implicit in the interpretation. An alternative would be to make them explicit by giving an interpretation over well-structuredness judgements. This is the approach taken in [Asp97], for example. [Γ ⊢ φ] = R; [Γ, x : φ, Γ′ ⊢ x]〈η, a, η′〉 = {a′ | a′ R(η) a}; [Γ ⊢ t1] = m1 ··· [Γ ⊢ tn] = mn; [Γ ⊢ k(t1, ..., tn)](η) = {kA(a1, ..., an) | ai ∈ mi(η)}; [Γ ⊢ ∗](η) = 1A; [Γ ⊢ t] = m [Γ ⊢ t′] = m...

17 | Deliverables: a categorical approach to program development in type theory - Burstall, McKinna - 1992

13 | A Refinement Calculus for Nondeterministic Expressions - Ward - 1994
Citation Context: ...Bun97] continued their approach for a functional language, retaining some imperative features using a state monad in the style of the computational lambda calculus. Norvell and Hehner [NH92] and Ward [War94] consider functional languages based on the untyped lambda calculus. All these authors have based their calculi on nondeterminism which, we will see, has consequences for the axiomatisation of refinem...

12 | Empty types in polymorphic lambda calculus - Meyer, Mitchell, et al. - 1987
Citation Context: ...mbda calculus depends on whether or not nonemptiness of types is assumed. If types are allowed to be empty then a form of case analysis on emptiness is required, either by having a special rule (as in [MMMS87]) or by using a logic powerful enough to derive this (as in the next section). Alternatively, a wider class of models could be used [MM91]. Here, we will just assume that all types are syntactically i...

12 | Automatic binding time analysis for a typed λ-calculus - Nielson, Nielson - 1988
Citation Context: ...ing such statements. 1.6.2 Refinement Types A number of authors have advocated program analysis using annotated type systems. An example in the ‘non-standard type system as program logic’ paradigm is [NN88], a system for binding time analysis (and optimisation). Jensen [Jen91] performs strictness analysis using intersection types and primitive types to indicate termination. Burn [Bur92] considers a more...

11 | Fibrations, Logical Predicates and Indeterminates - Hermida - 1993
Citation Context: ...nterpart. A significant motivation for carrying this out is that a general notion of model offers some hope of making connections between refinement and popular development methodologies. Hermida [Her93] uses fibrations to model predicates over λ×→ (but not for any more complicated type theories). He uses fibrations with indeterminates to model parameterisation. Models of many calculi can be present...

10 | Proving the correctness of regular deterministic programs - Harel - 1980
Citation Context: ...or the first-order dynamic logic of Harel [Har79] (see the survey in [vL90] for example), but we use it more generally, for any logic of programs (although we will only consider one ourselves). Harel [Har80] gives a survey of different techniques for proving program correctness. However, a basic distinction can be drawn between extensional and intensional properties. Extensional (or functional) propertie...

9 | Refinement types for specification - Denney - 1998
Citation Context: ...specification type theory. A further problem is that it is not easy to combine nontermination with type theories. 1 Earlier versions of some of the work in this chapter were presented in [Den97a] and [Den98]. Another possibility is to say that a specification is just a proposition of the program logic with a distinguished free variable. Our square root example would be the proposition ∀n : nat . (f n)...

9 | Fibrations with indeterminates: contextual and functional completeness for polymorphic lambda calculi - Jacobs - 1995
Citation Context: ...les. Therefore we must embed underdeterminism locally in the terms with the ?τ construct. We will discuss this further in Chapter 3. Hermida and Jacobs’ study of indeterminates in the lambda calculus [HJ95] is essentially the same form of global indeterminacy and does not account for substitution allowing variable capture. Although much work has been published on refinement calculi, there seem to be no ...

9 | Logical specifications for functional programs - Norvell, Hehner - 1993
Citation Context: ...on. Bunkenburg [Bun97] continued their approach for a functional language, retaining some imperative features using a state monad in the style of the computational lambda calculus. Norvell and Hehner [NH92] and Ward [War94] consider functional languages based on the untyped lambda calculus. All these authors have based their calculi on nondeterminism which, we will see, has consequences for the axiomati...