J. He, C.A.R Hoare, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2):71--76, 1987.
....or we must propose an alternative semantic model for CSP, a model in which availability is recorded on an event-by-event basis. Extensive research has been undertaken on the former approach. We discuss this further in our conclusions and we present sets of sound and jointly complete simulation [HHS87] rules defining such a model. However, our primary focus in this thesis is the previously unexplored problem of identifying a semantic model for Communicating Sequential Processes that coincides with the relational semantics of data types. We define such a model, the singleton failures semantic ....
....or by weakening the precondition. Data refinement can be used to compare systems having different state spaces, relating abstract variables and concrete variables with a predicate transformer. Refinement can be established either directly [Bac90, MRG88] or inductively using simulation rules [HHS87]. The state based specification language Z [Spi92] is based on typed set theory coupled with a structuring mechanism: the schema. Schemas can be used to define the state space as well as dynamic aspects of the language: the effect of operations on the state. Object-Z [Smi00] is an object oriented ....
[Article contains additional citation context not shown here]
C. A. R. Hoare, J. He, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 1987.
....next consider forward simulations and backward simulations, generalizations of refinements that allow a set of states of B to correspond to a single state of A. Forward simulations are similar to the simulations of [44, 19, 21] the possibilities mappings of [33, 35] the downward simulations of [17, 23, 13], the forward simulations of [22] and the history measures of [25] The correspondence conditions (a) and (b) for refinements are generalized so that (a) every start state of A has some image that is a start state of B, and (b) every step of A and every state of B corresponding to the beginning ....
....A and every state of B corresponding to the beginning state of the step yield a corresponding sequence of steps of B ending with an image of the ending state of the given step. Again, we give soundness and partial completeness results. Backward simulations are similar to the upward simulations of [17, 23, 13], the prophecy mappings of [39] the backwards simulations of [21] and the prophecy measures of [25] In the case of a backward simulation, conditions (a) and (b) for refinements are generalized so that (a) all images of every start state of A are start states of B, and (b) every step of A and ....
[Article contains additional citation context not shown here]
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....v: 0; n: 0; do vg#m l[ i: int; i: m.v; i = m.v v: v 1) Figure 3: concrete specification 8. Conclusion Although data refinement is a well established technique it was popularised in [5] and has been central to VDM [7] there has been renewed interest in it recently [3, 6, 9] stemming from our better understanding of the mathematics of programming. The earliest treatment based on predicate transformers is that of Back [1] which is a development of his earlier Ph.D. thesis) Back considers abstraction invariants of the shape Q b = e where Q and e contain concrete ....
Hoare, C. A. R., He, J. F. and Sanders, J. W.: Prespecification in data refinement. Info. Proc. Letters 25, 71-76 (1987)
....lax or oplax transformations. We show that the adjunction extends to an enriched adjunction in the sense of lax, and which provide the fundamental machinery in the proof of soundness and completeness of the downward simulation with respect to the refinement. 1 Introduction Hoare, He and Sanders [3,1] gives a theory of data refinement for imperative languages with nondeterminism and the recursions that are supposed to be interpreted as greatest fixpoints. On the setting of a relational semantics, they gave a definition of upward and downward simulation between the interpretations of atomic ....
....of simulation methods to data refinement. Later, Single completeness theorem rather than Joint completeness theorem is argued in [2,13] The aim of this paper is to give a foundation of the functional semantics approach, as in [5,7] to the calculus, which we call calculus, introduced in [3]. Functorial semantics given by adjunction Interpretations of both atomic symbols and commands are given by functors. An existence of adjunction enables the extension of an interpretation of atomic symbols to that of commands. Simulations and refinements by lax or oplax transformations All ....
C.A.R. Hoare, He Jifeng and Jeff W. Sanders, Prespecification in data refinement, Information Processing Letters, 25 (1987) 71--76.
....be extended to provide an adequate semantic treatment of promoted data types. Section 6 is a discussion of related work. That of Fischer, Smith, and Derrick [Fis97b, FS97, Fis98, Smi97, SD97] is particularly relevant. Earlier studies by Back, Sere, Hoare, He, Sanders, Woodcock, Morgan, and Butler [BS89, HHS87, WM90, But93] are also of interest. The paper ends with a brief summary and a list of references. 2 Notation 2.1 Abstract data types An abstract data type combines a notion of state with a collection of named operations, modelled as relations, that may involve input and output. Two operations are ....
....data types and processes. The key to this extension is a relational semantics for promotion, which explains how structural information can be used to define the semantics of a compound data type. The theory of simulation and refinement for data types developed in this paper is based upon those of [HHS87], [Spi92] and [WD96] The relational semantics employed is an alternative formulation of the one defined in [WD96] totalising and lifting to represent blocking rather than non blocking behaviour. A number of other alternatives remain to be explored. The proof that the simulation rules are ....
C. A. R. Hoare, J. He, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2):71 -- 76, 1987.
....i 0 denotes the initial state of i) We introduce other program operators as we need them. Rather than using the cumbersome Def. 2.1 directly for which we would need to check refinement for all functions P to verify data refinements we use instead the standard technique of simulations [9]. Definition 2.2 We say that $(I'; OP'; F')$ simulates $(I; OP; F)$ if there is a program rep: S PS satisfying: $I ; rep \sqsubseteq I'$, $opa ; rep \sqsubseteq rep ; opc$, $F \sqsubseteq rep ; F'$, where the second refinement holds for all corresponding pairs $(opa; opc)$ in $OP \times OP'$. 2 2 In general p can be ....
C.A.R Hoare, Jifeng He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2), May 1987.
.... relation in (3) is an ordinary program refinement since sequential composition with initialisation and finalisation hides the local variables, equalising the state spaces on the both sides of the refinement (3) Usually, data refinement between data types is proved using a simulation technique [14]: Definition 2.1 Data type $(I'; OP'; F')$ simulates $(I; OP; F)$ if there is a program rep: S PS satisfying: $I ; rep \sqsubseteq I'$, $opa ; rep \sqsubseteq rep ; opc$, $F \sqsubseteq rep ; F'$ 6 A simulation of data types implies data refinement provided the program rep is suitably defined [17] 3 Example: triple ....
C.A.R Hoare, Jifeng He, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2), May 1987.
.... refinement (conjunctive abstraction statements) The idea of calculating data refinements is not new, but most existing work has concentrated on the syntactic level, with rules that explicitly talk about the program variables and the boolean expressions involved [1, 10, 18] Hoare, He and Sanders [14] make use of the weakest prespecification [13] and a dual strongest postspecification to calculate data refinements at an algebraic level. However, they work in a relational framework, which means that they do not model nontermination properly, and they have to handle forward and backward data ....
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....and the central notion here is that of algebraic structure on locally ordered categories, not on sets. Our definition of refinement is neither a restriction nor a generalisation of Hoare, He and Sanders definition, but we include all their important examples. 1 Introduction Hoare, He and Sanders [6, 7] introduced the notion of downward simulation and upward simulation between interpretations of base statements and showed joint completeness of downward and upward simulations with respect to data refinement in the # calculus, in the sense that every data refinement arises as an extension of a ....
....and obtained a single completeness result for simulation and cosimulation, providing the operators preserve some properties. The aim of our paper is to give a completeness result for downward simulation in a more general setting. Our definition of downward simulation can be specialised to that in [7], as well as the notion of simulation in the sense of [4] and L simulation in [2] We analyse why we obtained completeness hitherto unfound. Our result characterises the power of downward simulation as a method of proving refinement. Downward simulation gives a restrictive class of refinements, ....
[Article contains additional citation context not shown here]
C. A. R. Hoare, He Jifeng, and Jeff W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....a refinement of a system described by other paragraphs. Thus there is no formal way to generate and discharge the proof obligations. The proof obligations themselves ought to be justified with respect to the semantics. This should not be too difficult, as the theoretical basis is well in place [31] (and was evidently the source of the proof obligations in the first place) There are, in fact, at least four different refinement relations that apply to sequential nondeterministic systems (a brief summary appears in [16] The refinement proof obligation uses the most common of these ....
C. A. R. Hoare, He Jifeng, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....for Syntactic Definition of Fixpoint Programs Talk at # Calculus Seminar 99 Yoshiki Kinoshita February 23, 1999 Abstract In order to give a precise syntactic definition of fixpoint programs, we introduced judgements similar to those used in typed # calculus. Hoare He Sanders[1] gave the following inductive definition of the set of commands as a set of binary relations on a given set S. This definition is parameterised by a family of binary relations R i i # I . R i (i # I) is a command. skip is a command. abort is a command. If R, R # are ....
C. A. R. Hoare, He Jifeng, and Jeff W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....) C p c linking abstract, full length, coercive traces p c with concrete, partiallycompleted, extending traces p e . Unfortunately, our attempts to do this showed that it results in specification statements that are still infeasible. The usual solution to this problem is to use upward simulation [12], or the complete rule developed by Gardiner and Morgan [7] However, these have the restriction that the abstract program must not contain unbounded nondeterminism, whereas our abstract program does it chooses an entire trace non deterministically Therefore, we must resort to the underlying ....
C. A. R. Hoare, J. F. He, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2), May 1987.
....and complete with respect to the refinement semantics given in Section 4. In Section 7, we review related work. In particular, we explain how our notion of refinement relates to the VDM and Z notion of data refinement [12,17] and how it relates to forward and backward simulation of state machines [8,10,11,15]. The appendices contain the definitions of a number of languages and specifications that we use as examples throughout the paper. Each appendix first defines a language informally, and then presents one or more Object Z specifications [4] for that language. We have used Object Z merely because it ....
....S C with a concrete state representation is correct with respect to a specification S A with an abstract state representation. There are various well explored refinement techniques. The refinement of specifications or state machines is often defined as subset relation on observable behaviours [8,1,13,15]. In other words, refinement means that the observable behaviour of S C must be a subset of the observable behaviour of S A . In the following we are going to define an ordering relation on the languages that are generated by specifications and we will use this ordering as the semantics for ....
[Article contains additional citation context not shown here]
C.A.R. Hoare, He Jifeng, and J. W. Sanders. Prespecifications in data refinement. Information Processing Letters, 25:71--76, 1987.
....forward simulations and backward simulations, which are generalizations of refinements that allow a set of states of B to correspond to a single state of A. Forward simulations are similar to the simulations of [27, 8] the possibilities mappings of [19, 21] the downward simulations of [7, 12, 5], the forward simulations of [11] and the history measures of [14] The correspondence conditions (a) and (b) above are generalized so that (a) every start state of A has some image that is a start state of B, and (b) every step of A and every state of B corresponding to the beginning state of ....
....and (b) every step of A and every state of B corresponding to the beginning state of the step yield a corresponding sequence of steps of B ending with the image of the ending state of the given step. Again, we give soundness and partial completeness results. Backward simulations occurred first in [7] under the name of upward simulations and were used later in the setting of CSP in [12, 5] In [24] and [10] where they are called prophecy mappings and backwards simulations, respectively, it is observed that they are closely related to the prophecy variables first defined in [1] In the case of ....
[Article contains additional citation context not shown here]
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....value of retrenchment for the formal construction of continuous systems. 1 Introduction From early concerns about proving correctness of programs such as Hoare's [Hoa69] and Dijkstra's [Dij76] a mature refinement calculus of specifications to programs has developed via work such as [Bac81, Mor94, BvW89, HHS87]. The first relational proposal for a sound and complete proof method for data refinement was [HHS86] A modern version of this simulation method, in its forward and backward forms, appears in [WD96, SCW98] in the Z notation [Spi93] and is discussed more generally in [dRE98] In this context of ....
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....a solution for S when R and a specific T are given. Our aim is to give a concise, calculational proof at the level of relations (rather than at the point level, in predicate logic) Simulation has been explored first by Milner [8] and was used later in a relational setting by Hoare and Sanders [7]. A short summary is given by Fokkinga [5] Correctness. Let R be a relation (standing for a program or a specification) and p, q conditions. Then the classical Hoare style partial correctness assertion: for all x, y : if p(x) and xRy , then q(y) is expressed at the relation level by: p ; ....
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....for deterministic programs, so the more general notion of a (binary) relation provides a natural model for nondeterministic programs. This idea has been exploited by various authors. For example, it is evident in Floyd Hoare logic for program verification, it has been extended to specification in Hoare and He, Jifeng (1987), it figures in logics of programs such as dynamic logic (Parikh 1981, Harel 1984) and it was used in the early seventies to model recursive procedures (de Bakker and de Roever 1973, Hitchcock and Park 1972) Recently the algebra of relations has been extensively used in a graph theoretic ....
....manipulate both sets and relations simultaneously. From an applications oriented point of view this is an advantage, and we present two (sets of) sample applications to substantiate this point. The first shows how three programming constructs in the calculus of weakest prespecification of Hoare and He, Jifeng (1987) can be modelled naturally in Peirce algebras. This comes about through the isomorphism in any Peirce algebra (B; R; c ) between the Boolean algebra B and the Boolean algebra of right ideal elements of the relation algebra R and the isomorphism between B and the Boolean algebra of identity ....
[Article contains additional citation context not shown here]
Hoare, C. A. R., He, Jifeng and Sanders, J. W. (1987), Prespecification in data refinement, Information Processing Letters 25, 71--76.
....specification S = Sigma; Phi; T; L) by adding a simple prophecy variable iff: P1: Sigma p Sigma Theta Sigma P (The state space is enlarged with an additional component. 2 This requirement is well known from definitions of a concept called forward , downward , or L-simulation [HHS87, Jon91, CZdR91] K. Engelhardt and W. P. de Roever SA S p C SC Fig. 8. A prophecy variable. P2: Phi p = Pi Gamma1 [P] Phi) The initial states of S p are exactly all those states in Sigma p which correspond in their first component with an initial state of S. P3: s; p) s 0 ; p 0 ....
....work that ought to be done by the state automaton. This requirement is named in the following definition and e.g. fulfilled if the supplementary property is a liveness property. 3 This requirement is well known from definitions of a concept called backward , upward , or $L^{-1}$-simulation [HHS87, Jon91, CZdR91] Towards a Practitioners Approach to A L s Method 11 Definition 12. taken from [AL88a] A specification S having machine property M and supplementary property L is machine closed iff M = M L. 2.3.3. Abstract Safety Specifies Observable Liveness The requirement which A L impose on the ....
C.A.R. Hoare, Jifeng He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....of data types and simulation rules. Both these dependencies are considered in the context of a simple language for terminating programs. Keywords: Data refinement, data structure, formal semantics, Jónsson-Tarski duality, simulation rule. 1 Introduction Simulation rules have been introduced [10, 12, 8] as a technique for developing or verifying an implementation against its more abstract specification. Their importance for establishing refinement of abstract by concrete data structures results from their soundness and completeness. These theoretical properties depend on both the programming ....
....However their value lies in providing an approach for establishing soundness and completeness of simulations from that of simpler simulations. We use Jónsson-Tarski duality [9] based on Stone's representation theorem [14] to effect a translation (similar to that in [13] between the relational [11, 8] and predicate transformer [3] semantics of data types and simulation rules. This automatically provides a reformulation of the explanation in [3] of why in the relational model two kinds of simulation rule are necessary to establish completeness while in the predicate transformer model only one ....
[Article contains additional citation context not shown here]
C.A.R. Hoare, He Jifeng and J.W. Sanders. Prespecification in data refinement. Information Processing Letters 25 (1987) p 71--76.
....concerns about proving correctness of programs such as Hoare's [19] and Dijkstra's [15] a mature refinement calculus of specifications to programs has developed. This development has been in two strands, the predicate transformer lattice theoretic, e.g. [4, 23, 6, 16] and the relational, e.g. [20, 21]. The first relational proposal for a sound and complete proof method for data refinement was [18] a modern version of this simulation method appears in [28] in the Z notation [27] In this context the term refinement has a very precise meaning; according to Back and Butler [5] it is a ....
C. Hoare, J. He, and J. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
....to an action of the original loop. The ordinary method of data refinement corresponds to the methods of downward simulation and forward simulation used in other frameworks. As is well known, a dual method of simulation is needed in some cases. This is the method of upward or backward simulation [13, 14]. A corresponding method of data refinement also exists [18, 22] We may want to prove a data refinement between two loops, such that the refined loop sometimes makes actions which affect only the local variables and which do not correspond to any action of the original loop. This can be handled ....
C.A.R. Hoare, He Jifeng and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
.... relationship, so data refinement was later generalised to use a relation between the abstract and concrete variables [Jon86] [Bac88b] [Rob86] More recently still, the relational approach has been generalised to allow the abstract and concrete state spaces to be related by an arbitrary program [HHS87] [GM91] [BvW90a] This program is called a simulation if it converts from the abstract state space to the concrete, or a co simulation if it converts from the concrete state space to the abstract [GM93] Formally, if rep is a simulation, we say that $S$ is data refined by $S'$ if $S ; rep \sqsubseteq rep ;$ ....
C. A. R. Hoare, J. F. He, and J. W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2), May 1987. Ref. on page 19.
....of S with 1 respect to R , since X ; S # R expresses that after precondition X , program S gives no other results than allowed by R . We do not need this interpretation in the sequel, so we shall not elaborate this view any further. The interested reader should consult Hoare et al. [3, 4]. The importance of the above Galois connection for formal proofs about relations in general cannot be overemphasised. One should be entirely familiar with its use: rewriting (blindfolded, I would say) a statement of the form xxxx ; S # yyyy into the equivalent statement xxxx # yyyy S , and ....
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.
No context found.
J. He, C.A.R Hoare, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25(2):71--76, 1987.
No context found.
C.A.R. Hoare, J. He, and J.W. Sanders. Prespecification in data refinement. Information Processing Letters, 25:71--76, 1987.