## The Refinement Calculator: Proof Support for Program Refinement (1997)

Venue: Formal Methods Pacific ’97

Citations: 27 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Butler97therefinement,
  author    = {Michael Butler and Jim Grundy and Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright},
  title     = {The Refinement Calculator: Proof Support for Program Refinement},
  booktitle = {Formal Methods Pacific '97},
  year      = {1997},
  pages     = {40--61},
  publisher = {Springer}
}
```


### Abstract

We describe the Refinement Calculator, a tool which supports

### Citations

- A Discipline of Programming. Dijkstra, 1976. (1442 citations)
  Context: ...first developed, using informal methods, and then checked for desired correctness properties. The refinement calculus is based on the predicate transformer (weakest precondition) calculus of Dijkstra [8]. The calculus was originally developed for the refinement of sequential programs, but was later extended to deal with parallel and distributed programs through the action system formalism [3]. It is ...

- Tcl and the Tk Toolkit. Ousterhout, 1995. (1235 citations)
  Context: ...ining an earlier window inference based GUI for HOL built using the Centaur tool [26], and then by experimenting with other interface tools including the Cornell Synthesiser Generator [24] and Tcl/Tk [23]. In the end, we adopted Tcl/Tk as the implementation vehicle for our own graphical interface. Tcl/Tk consists of a general purpose scripting language (Tcl), together with a powerful set of widgets (T...

- A formulation of the simple theory of types. Church, 1940. (864 citations)
  Context: ...hat we can reuse existing HOL theories describing numbers, arrays, lists, and other data-types for the types of variables in our language. The logic of the HOL system (Church's simple theory of types [7]) makes an excellent choice for formalising program refinement for several reasons. Firstly, the predicate transformer semantics commonly associated with program refinement is naturally modelled in hi...

- Programming from Specifications. Morgan, 1990. (479 citations)
  Context: ...o select and focus on subcomponents of a specification using simple mouse operations. The refinement-oriented transformations are illustrated with a case study. 1 Introduction The refinement calculus [2, 20, 22] is a formalisation of the stepwise refinement method of program construction. The required behaviour of a program is specified as an abstract, possibly executable, program which is then refined by a ...

- Introduction to HOL: a theorem proving environment for higher order logic. Gordon, Melham (editors), 1993. (199 citations)
  Context: ...ntegrating HOL and a computer algebra system [16]. 4 HOL and Window Inference The previous section described the overall design of the Refinement Calculator. The use of the HOL theorem proving system [9] and its accompanying window Library [12] form a major part of that design. Together they make up the underlying engine for the formal manipulation of expressions. In this section we describe HOL and ...

- The Synthesizer Generator: A system for constructing language-based editors. Reps, Teitelbaum, 1989. (181 citations)
  Context: ...We began by examining an earlier window inference based GUI for HOL built using the Centaur tool [26], and then by experimenting with other interface tools including the Cornell Synthesiser Generator [24] and Tcl/Tk [23]. In the end, we adopted Tcl/Tk as the implementation vehicle for our own graphical interface. Tcl/Tk consists of a general purpose scripting language (Tcl), together with a powerful s...

- A theoretical basis for stepwise refinement and the programming calculus. Morris, 1987. (156 citations)
  Context: ...o select and focus on subcomponents of a specification using simple mouse operations. The refinement-oriented transformations are illustrated with a case study. 1 Introduction The refinement calculus [2, 20, 22] is a formalisation of the stepwise refinement method of program construction. The required behaviour of a program is specified as an abstract, possibly executable, program which is then refined by a ...

- Edinburgh LCF: A Mechanised Logic. Gordon, Milner, et al., 1979. (90 citations)
  Context: ... build the Refinement Calculator would only be justified if it was possible to confidently trust the results proved with it. HOL is built using the LCF architecture for theorem provers, named for LCF [10], the first system of this kind. Tools with the LCF architecture are built around a small, trusted core implementing the abstract data-type of theorems in the logic of the tool. The axioms of the logi...

- Formalising the hierarchical structure of practical mathematical reasoning. Robinson, Staples, 1989. (47 citations)
  Context: ...to model the type system of the target programming language within the logic ourselves. 4.2 Window Inference Window inference is a transformational style of reasoning proposed by Robinson and Staples [25], and later generalised by Grundy [14]. A transformational proof begins with a term E, and proceeds by applying transformations that preserve some desired relationship, R. The proof ends when E has b...

- On correct refinement of programs. Back, 1979. (44 citations)
  Context: ...o select and focus on subcomponents of a specification using simple mouse operations. The refinement-oriented transformations are illustrated with a case study. 1 Introduction The refinement calculus [2, 20, 22] is a formalisation of the stepwise refinement method of program construction. The required behaviour of a program is specified as an abstract, possibly executable, program which is then refined by a ...

- Exploring Expect: A Tcl-based Toolkit for Automating Interactive Programs. Libes, O’Reilly & Associates, 1994. (43 citations)
  Context: ...mple, it was relatively easy for us to implement a freely re-associating selection mechanism (described in Sect. 5.1), which necessarily ignores the syntax tree of the underlying HOL term. The Expect [18] library for Tcl is used to manage the communication between HOL and the user interface. At present we use Expect only for coupling the interface and the theorem prover, but this feature may prove use...

- Data refinement by calculation. Morgan, Gardiner, 1990. (40 citations)
  Context: ...ned and are thus common to both S and T). An abstraction relation R, relating the abstract and concrete variables, is required in order to perform a data refinement transformation. It has been shown [21, 29] that the concrete statement T can be calculated from the abstract statement S and the abstraction relation R. This allows us to define a function DR such that |[ var a • S ]| ⊑ |[ var c •...

- Decentralisation of Process Nets with Centralised Control. Back, Kurki-Suonio, 1983. (34 citations)
  Context: ...ijkstra [8]. The calculus was originally developed for the refinement of sequential programs, but was later extended to deal with parallel and distributed programs through the action system formalism [3]. It is a calculus of program transformations that preserve total correctness. If S and S′ are statements (program fragments), then the refinement S ⊑ S′ holds if and only if S′ satisfies every tot...

- Extending the HOL theorem prover with a computer algebra system to reason about the reals. Harrison, Théry, 1993. (33 citations)
  Context: ... refinement calculator for interfacing the system with external oracles. The use of oracles to guide HOL proofs has already been demonstrated by a system integrating HOL and a computer algebra system [16]. 4 HOL and Window Inference The previous section described the overall design of the Refinement Calculator. The use of the HOL theorem proving system [9] and its accompanying window Library [12] form...

- Ergo user manual. Utting, Whitwell, 1994. (26 citations)
  Context: ...printer tools. Independently of the tool described here, a refinement tool called PRT has been developed by a group at the University of Queensland [6]. PRT is built on top of the Ergo theorem prover [27], which also supports the window inference style of reasoning. This tool is similar to the Refinement Calculator though an important difference is that PRT uses a purpose-built logic in which commands...

- Program refinement by theorem prover. Wright, 1994. (21 citations)
  Context: ...ol supporting mechanically verified program derivation. Thus, emphasis has been placed on making TkWinHOL easy to customise for the needs of particular HOL theories (like those for program refinement [29] or lattice theory [17]). In such specific theories one usually wants to use a higher-level notation (abstract syntax) for the interaction with HOL. This can be achieved in TkWinHOL by adding a theory...

- Transformational hierarchical reasoning. Grundy, 1996. (20 citations)
  Context: ... programming language within the logic ourselves. 4.2 Window Inference Window inference is a transformational style of reasoning proposed by Robinson and Staples [25], and later generalised by Grundy [14]. A transformational proof begins with a term E, and proceeds by applying transformations that preserve some desired relationship, R. The proof ends when E has been transformed into another term E′ ...

- An overview of a refinement editor. Vickers, 1990. (16 citations)
  Context: ...f details. To make program refinement more practical, we need tools that take care of the details. One such kind of tool is a refinement editor, which keeps track of applicability and side conditions [11, 28]. A more advanced tool is a refinement calculator, where the application of a refinement rule leads to a formal proof of the refinement step in a mechanised logic (i.e., the logic of a theorem proving...

- A Tool for Developing Correct Programs by Refinement. Carrington, Hayes, et al., 1996. (13 citations)
  Context: ... to safely define the predicate transformer semantics of our target programming language as a definitional extension of higher-order logic; while similar tools based on first order logic, like PRT [6], need to extend their logic with new axioms to achieve the same effect. Secondly, to avoid limiting our tool to trivial applications, we needed a logic with sufficient abstraction mechanisms to specify ...

- A tactic driven refinement tool. Groves, Nickson, et al. (12 citations)
  Context: ...f details. To make program refinement more practical, we need tools that take care of the details. One such kind of tool is a refinement editor, which keeps track of applicability and side conditions [11, 28]. A more advanced tool is a refinement calculator, where the application of a refinement rule leads to a formal proof of the refinement step in a mechanised logic (i.e., the logic of a theorem proving...

- A browsable format for proof presentation. Grundy, 1996. (11 citations)
  Context: ...senting structured scripts that document proofs performed using TkWinHOL. Fig. 3 shows an example of such a proof script. The basic idea is to present proofs in a hierarchical and browsable format [13] (using HTML) so that the reader can focus on the parts of the proof that are of particular interest. For example, consider the logical term \Gamma As((AsB) ) (CsA)) \Delta \Gamma ((YsZ) ) (XsZ)) ) (X...

- Mechanizing some advanced refinement concepts. Wright, Hekanaho, et al., 1993. (9 citations)
  Context: ...des a menu of transformations for refining programs; some of these are represented as rules in Fig. 5. The refinement transformations are all derived from the HOL semantics of programs and refinement [1, 29, 31]. Some of the rules in Fig. 5 require the user to provide arguments (that possibly may not appear in the current focus) before the transformation is applied; for example, the Cond Introduction rule re...

- Refinement Concepts Formalized in Higher Order Logic. Back, Wright, 1990. (8 citations)
  Context: ...des a menu of transformations for refining programs; some of these are represented as rules in Fig. 5. The refinement transformations are all derived from the HOL semantics of programs and refinement [1, 29, 31]. Some of the rules in Fig. 5 require the user to provide arguments (that possibly may not appear in the current focus) before the transformation is applied; for example, the Cond Introduction rule re...

- Higher Order Logic and Hardware Verification, volume 31 of Cambridge Tracts. Melham, 1993. (7 citations)
  Context: ... solve them. Part of our motivation for selecting the HOL system was that the power of the abstraction mechanisms of its logic had already been well demonstrated in the field of hardware verification [19]. Temporarily setting aside our already noted preference for a higher-order (and hence typed) logic; we observe that when choosing an expressive logic, a decision must be made between using a set theo...

- Program derivation using the refinement calculator. Butler, Langbacka, 1996. (6 citations)
  Context: ...nal reasoning, including a graphical user interface, and its subsequent specialisation for use with program refinement. An overview of the Refinement Calculator has been presented in an earlier paper [5]. Here we discuss more of the development history of the tool and the rationale for various design decisions as well. We also give a more detailed view of the tool from a user's perspective. The remai...

- Refinement Calculator tutorial and manual. Draft available upon request. Butler, Långbacka, et al. (3 citations)
  Context: ... seen more clearly in Sect. 7 where they are applied to an example. The full program syntax and list of refinement rules supported by the Refinement Calculator may be found in its manual and tutorial [4]. 6.4 Data refinement Data refinement is a special case of refinement where abstract program variables are replaced with more concrete ones. Typically, `more concrete' means more easily or efficiently...

- The HOL window library. In The HOL System, volume Libraries. Grundy, 1991. (3 citations)
  Context: ...stem [16]. 4 HOL and Window Inference The previous section described the overall design of the Refinement Calculator. The use of the HOL theorem proving system [9] and its accompanying window Library [12] form a major part of that design. Together they make up the underlying engine for the formal manipulation of expressions. In this section we describe HOL and the window Library in more detail, giving...

- Towards a browsable record of HOL proofs. Grundy, Langbacka, 1996. (2 citations)
  Context: ...o record proofs in a readable and easily distributable (through the WWW) format for pedagogic purposes. A detailed description of the proof scripting mechanism is available as a TUCS technical report [15]. 5.3 Extending TkWinHOL Our original goal was to build a tool supporting mechanically verified program derivation. Thus, emphasis has been placed on making TkWinHOL easy to customise for the needs of...

- Using lattice theory in higher order logic. Laibinis. (1 citation)
  Context: ...lly verified program derivation. Thus, emphasis has been placed on making TkWinHOL easy to customise for the needs of particular HOL theories (like those for program refinement [29] or lattice theory [17]). In such specific theories one usually wants to use a higher-level notation (abstract syntax) for the interaction with HOL. This can be achieved in TkWinHOL by adding a theory specific parser and pr...

- An X-windows interface for the window inference system. Théry, 1993. (1 citation)
  Context: ...he recording and browsing of proofs is described in Sect. 5.2. -- Choosing an interface building tool: We began by examining an earlier window inference based GUI for HOL built using the Centaur tool [26], and then by experimenting with other interface tools including the Cornell Synthesiser Generator [24] and Tcl/Tk [23]. In the end, we adopted Tcl/Tk as the implementation vehicle for our own graphic...

- Theorem Proving. Wright, Grundy, et al. (editors), 1996. (1 citation)