| R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In: J. W. deBakker, W.-P. deRoever, G. Rozenberg (eds): Stepwise Refinement of Distributed Systems. Lecture Notes in Computer Science 430, 42-66 |
....operational semantics. The basic idea is that, even though the two programming paradigms are fundamentally different, we can define the weakest and enabling precondition of a rule mimicking the weakest precondition of a demonic strict and an angelic strict assignment, respectively, as introduced by Back [23]. 1.3 Refinement: background and proposal. We first propose a classification of refinement methods according to the following independent criteria: the nature of the approach, its heterogeneity, and compositionality. The first criterion distinguishes the nature of the approaches to refinement ....
....5.2. Demons and Angels. One of the contributions of this chapter is the idea that, even though the two programming paradigms are fundamentally different, we can establish an analogy between rules and demonic strict and angelic strict assignments as they are introduced by Back and von Wright in [23]. Exploiting this analogy, we introduce a new semantic notion, the enabling precondition (ep). When we write $p \Rightarrow ep(R, q)$ we mean that rule $R$ can fire in every state $s$ satisfying $p$ and possibly lead to a state $s'$ satisfying $q$. We conclude this introduction section by observing that (1) says ....
R.J.R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Proc. Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, Berlin, 1989.
....a nondeterministic action can be viewed as a function that takes an initial state as its input and returns a set of possible final states. Below we give a number of standard operators to construct actions; the notation used is similar to that of Back and von Wright's command language in [4]. We will need these actions later to specify more complicated atomic actions. Let # and # be atomic actions and b be a predicate. Let s and t range over states and let t =V s mean that in the states s and t the values of any variable V are equal. If, for example, states are viewed as ....
....e is implemented property cannot be directly verified because it contains a universal quantification over a set of Hoare triples, which can be infinitely large. To get around this we can use refinement, since it is also a universally quantified notion over Hoare triples. A refinement logic such as [4] allows us to prove refinement without having to actually carry out the quantification. Let e and # be two actions. Below we define a more general notion of refinement by adding two more parameters: predicates a and b. # when a unless b if a then (e # #b#) else skip if a then # else skip (46) ....
R.J.R. Back and J. Von Wright. Refinement calculus, part I: Sequential nondeterministic programs. Lecture Notes of Computer Science, 430:42--66, 1989.
....: Verification Conditions hold for P P t:P In other words, if certain verification conditions are satisfied, then applying rule t to program P is a correctness (and in the case of distributed systems, temporal properties) preserving refinement step. Many transformation rules can be found in [Bac88, Bac89, BvW89, BvW90, Bac90, Ser90, BS91, vW92a, vW92b, Bac93, BS96, SW97, BvW98, BKS98], concerning among others data refinement, guard strengthening, superposition refinement, and atomicity refinement (or changing the granularity). Some other references on uses of the refinement calculus for distributed systems include [SW94a, SW94b, SW96], where the refinement steps are applied ....
R.J.R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of LNCS, pages 42-66. Springer-Verlag, 1990.
....of the stepwise refinement method of program construction. It was originally proposed by Back [2] and it has later been studied and extended by several researchers, see [17, 18] among others. In recent years data refinement within the refinement calculus has been a topic for extensive research [9, 10]. Back and Sere [4, 7] have extended the refinement calculus to handle parallel algorithms as well as reactive programs. In both cases parallel and concurrent activity is modelled within a purely sequential framework. We shall here concentrate on reactive programs. Procedures were added to the ....
R. J. R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness. Proceedings. 1989.
....powerful notion of backward simulation that can also handle automata with infinite invisible nondeterminism. We preferred not to use this notion since it fails to reduce reasoning about entire executions to reasoning about individual states and transitions. 7. This paper is related to the work of [17, 18, 3, 7, 48] on data refinement. In [17] an operation is a binary relation over some universal set $\Sigma$. A data type is a triple $(A_I, A_O, A_F)$ where $A_I$ and $A_F$ are the initialization and finalization operation, respectively, and $A_O = \{A_O^j \mid j \in J\}$ is an indexed set of operations. An automaton A can be ....
R.J.R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Proceedings REX Workshop on Stepwise Refinement of Distributed Systems: Models, Formalism, Correctness, Mook, The Netherlands, May/June 1989.
....We have SWT UFM. The proof of this formula is a simple consequence of the invariant proved for SWT. Of course we may also introduce a refinement concept for state machines explicitly in terms of relations between states, leading to variations of simulations and bisimulations (see [1], [2], [5], [6] and also [3]). This is useful if components are refined that are described by state machines. We do not carry out this idea here explicitly. We call a relation between state machines with initial states s and s', initial output y and y' and transition functions D and D' a refinement if B ....
R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In: J. W. deBakker, W.-P. deRoever, G. Rozenberg (eds): Stepwise Refinement of Distributed Systems. Lecture Notes in Computer Science 430, 1989, 42-66
....Much work remains to be done to achieve our goal of large repositories of software components with their proofs of correctness. This is a step in that direction. 9 Related Work. Many people have studied methods for designing systems by composition of components [1, 2] and by systematic refinement [3, 4, 16, 35]. A significant amount of work has been done on compositional methods within the Unity framework [14, 15, 28, 27]. Composition using rely guarantee properties and systematic specifications of interfaces have been proposed by Jones [19, 21, 23, 36]. This paper differs from most of the earlier work in ....
R. Back. Refinement calculus, Part I: Sequential nondeterministic programs. In REX Workshop on Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42-66. Springer-Verlag, 1989.
....mention that the imperative meta language is interpreted by predicate transformers in the tradition of Dijkstra's wp calculus [12] and the refinement calculus [34, 5, 32], but extended to communicating programs. For performing the abstractions we use a variant of the data refinement theory of Back [4], Gardiner and Morgan [16] and Morris [35]. Details can be found in the monograph [37]. The exposition up to now is of course oversimplified. Firstly, the model of the instruction's effect is too abstract. For example, the Transputer ....
R. J. R. Back and J. von Wright. Refinement calculus, Part I: Sequential nondeterministic programs. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems --- Models, Formalisms, Correctness. REX Workshop, LNCS 430, pages 42--66, Springer-Verlag, 1989.
....[42] and others. We base our notions of program correctness on the work of Hoare [44] and others. Program development via stepwise refinement. Our approach to program development is based on stepwise refinement and program transformations, as described for sequential programs in the work of Back [6], Gries, and Hoare [44], and for parallel programs in the work of, for example, Back [5], Martin [56] and Van de Velde [74]. Operational models. Our operational model is based on defining programs as state transition systems, as in the work of Chandy and Misra [24], Lynch and Tuttle [52] ....
.... about parallel programs, for example Chandy and Misra [24] and Lamport [50], in emphasizing sequential style specifications over specifications describing ongoing behavior (e.g. safety and progress properties). Our emphasis on program development by stepwise refinement builds on the work of Back [6], Gries [42] and Hoare [44] for sequential programs, and Back [5], Martin [56] and Van de Velde [74] for parallel programs. Sequential programming models. We base our programming model on the standard sequential model as defined, for example, by Gries [42]. Parallel programming models. Since we ....
R. J. R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1990.
.... of this paper is the idea that, even though the two programming paradigms are fundamentally different, we can define the weakest and enabling precondition of a rule mimicking the weakest precondition of a demonic strict and an angelic strict assignment, respectively, as introduced by Back and von Wright in [7]. A demonic strict assignment has the following syntax: $x := x'.c$ where $x, x'$ are variables and $c$ is a predicate; $x := x'.c$ assigns to $x$ any value $x'$ satisfying $c$. As an example, $x := X.\{X \in \mathbb{Z}\}$ assigns to $x$ any integer. The weakest precondition of a strict demonic assignment statement ....
R.J.R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Proc. Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, Berlin, 1989.
.... as it has been proved in [12], result (1) is replaced by the following one: $s' \in T(C)(s)$ iff $\forall q\,[s \models wp(C, q) \Rightarrow s' \models q]$ and $\forall q'\,[s' \models q' \Rightarrow s \models ep(C, q')]$ (2), where weakest and enabling preconditions (wp and ep) correspond to demonic and angelic nondeterministic choice [3], respectively, and coincide in the case of deterministic statements. By exploiting (2) we hence solve the problem of deriving properties of the basic TAO statements. Then, since TAO processes are defined as sequencing, choice, or parallel composition of these statements, we are left with the ....
....$\{r(a), p(a), p(b)\}$, and $s'' = \{p(a), p(b), r(b)\}$, both $s'$ and $s''$ are in $T(A)(s)$. Take $s'$: we have $s' \models r(a)$, but we cannot have $s \models wp(A, r(a))$ since $s''$ does not satisfy such a postcondition. Nondeterminism in atomic statements has been studied by Back and von Wright in [3]. Among others, they introduce the demonic strict ($x := x'.c$) and the angelic strict ($x := x'.c$) assignments. In both cases any value $x'$ satisfying $c$ is assigned to $x$, but in the first case the choice is demonic and in the second one it is angelic. Consequently, given a postcondition ....
R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J. de Bakker, W. de Roever, and G. Rozenberg, editors, Proc. Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1989.
....$d(4)\}$, transitions $s \to \{d(1), d(4)\}$ and $s \to \{d(2), d(3)\}$ are allowed, and therefore $\{d(1), d(4)\} \in T(R)(s)$. On the other side, given $q = d(1) \wedge d(4)$, $s \not\models wp(R, q)$ since from $s$ we may end in $\{d(2), d(3)\}$, which does not satisfy $q$. Nondeterminism has been studied by Back and von Wright in [11]. We summarize below the results of interest. In section 4.3 we use them to define the weakest precondition of a rule, and, in section 4.4, to introduce the notion of enabling precondition and to define an operational semantics. According to Back and von Wright, a demonic strict assignment has ....
R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J. de Bakker, W. de Roever, and G. Rozenberg, editors, Proc. Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1989.
....over the set of observables v. A Z schema with signature u belongs to PRED v for all v u. PRED is the collection of all predicates (Z schemas), and when ordered by entailment PRED forms a lattice with top and bottom elements true and false respectively. Following Back and von Wright [5], the notation MTRAN u v is used to represent the class of monotonic predicate transformers from PRED v to PRED u. The reverse order of the signatures v and u reflects the fact that the transformers are used to support a weakest assumption process model. The process modelled by a ....
.... S (t) hi) ∀ t : R • x t z ) R(t) lo) ∀ t : R • x ∘ t z ) Q(t) hi) The bit constructor process can be specified by Q [true; Bit ]. 3 Using the refinement calculus. The refinement calculus supports top down development through the use of the refinement relation [5, 25], which determines when an implementation may safely replace a specification, and through the use of process operators which allow complex specifications to be expressed as combinations of simple specifications. Definition 3.1 (Refinement) A process, T : MTRAN u z, refines a ....
R. J. R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalism, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer Verlag, 1990.
....p, and time variable, and leaves them visible in the final state. However, this is not a serious problem, since Back and von Wright have defined a more flexible definition of data refinement, which uses separate encoding and decoding programs to convert between the various state spaces [3, 30]. • The most common data refinement technique uses downward simulation [7], and this is known to be incomplete for the kind of data refinement we need, where a nondeterministic choice is moved from early in the execution sequence to later. For instance, it might seem that one way to achieve our ....
R.-J. R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, REX Workshop for Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1989.
....in a standard way [4] as follows: $\{p\}\,c\,\{q\} \;\hat{=}\; p\;c\;q$. The refinement relation preserves total correctness. For $a, b : P_{A,B}$, $a \sqsubseteq b \Leftarrow (\forall p : P_A,\ q : P_B.\ \{p\}\,a\,\{q\} \Rightarrow \{p\}\,b\,\{q\})$. The simplified forms of our definitions correspond fairly closely to standard definitions of statements and refinement [1, 5]. Our definitions also receive some measure of validation by the proof of theorems about our language which we would expect to be true. For example, the skip statement is the identity state assignment, and the sequential composition of state assignments is the assignment of their compositions. That ....
R. J. R. Back and J. von Wright. Refinement calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems, volume 430 of LNCS, pages 42-66. Springer-Verlag, 1989.
....a glass box refinement formalised as follows F D ( TII. In this case TII is refined into a state machine. Of course we may also introduce a refinement concept for state machines explicitly in terms of relations between states, leading to simulations or bisimulations (see [1], [2], [5], [6] and also [3]). We do not do this here explicitly. We call a relation between state machines with initial states s and s' and transition functions D and D' a refinement if F D (s) F D' (s'). The compositionality of glass box refinement is a straightforward consequence of the compositionality of ....
R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In: J. W. deBakker, W.-P. deRoever, G. Rozenberg (eds): Stepwise Refinement of Distributed Systems. Lecture Notes in Computer Science 430, 42-66
.... 72]. These ideas were further explored and developed (see, for instance, [Jones 86], [Broy et al. 86], [Sannella 88]; see [Coenen et al. 91] for a survey). The idea of refining interacting systems has also been treated in numerous papers (see, for instance, [Lamport 83], [Abadi, Lamport 90] and [Back 90]). Typically, distributed interactive systems are composed of a number of components that interact, for example, by exchanging messages or by updating shared memory. Various forms of composition allow the construction of systems from smaller ones. Parallel and sequential composition, communication ....
R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In:
....of the specifications in the TLA representation. We also allow arbitrary user defined data types. The work on DisCo [9] is similar to ours in that TLA is used as the target logic for reasoning about specifications. The DisCo approach is based on joint actions similar to the action systems of Back [5, 4]: several objects may participate in one action which allows them to interact with each other; there are no actions internal to the objects. This is in contrast to our approach, where objects may have internal activities. Another important difference to our approach is that DisCo specifications ....
R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In de Bakker et al. [6], pages 42--66.
R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In: J. W. deBakker, W.-P. deRoever, G. Rozenberg (eds): Stepwise Refinement of Distributed Systems. Lecture Notes in Computer Science 430, 42-66
R. J. R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J. W. de Bakker et al. (eds.), Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, REX Workshop, Mook, The Netherlands, May/June 1989, pages 42-66. Volume 430 of Lecture Notes in Computer Science, Springer-Verlag, 1989.
R. J. R. Back and J. von Wright. Refinement Calculus, Part I: Sequential Nondeterministic Programs. In J. W. de Bakker et al. (eds.), Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, REX Workshop, Mook, The Netherlands, May/June 1989, pages 42-66. Volume 430 of Lecture Notes in Computer Science, Springer-Verlag, 1989.
R. J. R. Back and J. von Wright. Refinement Calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W.-P. de Roever and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1990.
R. J. R. Back and J. von Wright. Refinement Calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W.-P. de Roever and G. Rozenberg, editors, Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science, pages 42--66. Springer-Verlag, 1990.
R.J.R. Back: Refinement Calculus, Part I: Sequential Nondeterministic Programs. REX Workshop. In: J. W. deBakker, W.-P. deRoever, G. Rozenberg (eds): Stepwise Refinement of Distributed Systems. Lecture Notes in Computer Science 430, 42-66
R.J.R. Back and J. Von Wright. Refinement calculus, part I: Sequential nondeterministic programs. 430:42--66, 1989.
CiteSeer.IST - Copyright Penn State and NEC