
On the Refinement Calculus PDF

168 Pages·1994·5.104 MB·English

Preview On the Refinement Calculus

Formal Approaches to Computing and Information Technology

Also in this series:
Proof in VDM: a Practitioner's Guide. J.C. Bicarregui, J.S. Fitzgerald, P.A. Lindsay, R. Moore and B. Ritchie. ISBN 3-540-19813-X
Systems, Models and Measures. A. Kaposi and M. Myers. ISBN 3-540-19753-2

On the Refinement Calculus
Edited by Carroll Morgan and Trevor Vickers
Contributors: Carroll Morgan, Paul Gardiner, Ken Robinson, Trevor Vickers
Springer-Verlag: London, Berlin, Heidelberg, New York, Paris, Tokyo, Hong Kong, Barcelona, Budapest

Carroll Morgan, BSc, PhD. Oxford University Computing Laboratory, Programming Research Group, 8-11 Keble Road, Oxford OX1 3QD, UK
Trevor Vickers, BSc, PhD. Department of Computer Science, Australian National University, P.O. Box 4, Canberra 2601, Australia
Series Editor: Steve A. Schuman, BSc, DEA, CEng. Department of Mathematical and Computing Sciences, University of Surrey, Guildford, Surrey GU2 5XH, UK

British Library Cataloguing in Publication Data
On the Refinement Calculus (Formal Approaches to Computing & Information Technology Series)
I. Morgan, Carroll. II. Vickers, Trevor. III. Series
005.1
ISBN-13: 978-3-540-1993-1
e-ISBN-13: 978-1-4471-3273-8
DOI: 10.1007/978-1-4471-3273-8

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers.

© 1992 Carroll Morgan and Trevor Vickers, except where indicated otherwise for individual articles.
Softcover reprint of the hardcover 1st edition 1992
Published by Springer-Verlag London Limited 1994

The use of registered names, trademarks etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant laws and regulations and therefore free for general use. The publisher makes no representation, express or implied, with regard to the accuracy of the information contained in this book and cannot accept any legal responsibility or liability for any errors or omissions that may be made.

Typesetting: camera-ready by editors
Printed on acid-free paper

Contents

Introduction

The Specification Statement (Carroll Morgan)
1 Introduction
2 Specification statements
3 The implementation ordering
4 Suitability of the definitions
5 Using specification statements
6 Miracles
7 Guarded commands are miracles
8 Positive applications of miracles
9 Conclusion
10 Acknowledgements

Specification Statements and Refinement (Carroll Morgan and Ken Robinson)
1 Introduction
2 The refinement theorems
3 The refinement calculus
4 An example: square root
5 Derivation of laws
6 Conclusion
7 Acknowledgements

Procedures, Parameters, and Abstraction: Separate Concerns (Carroll Morgan)
1 Introduction
2 Procedure call
3 Procedural abstraction
4 Parameters
5 Conclusion
6 Acknowledgements

Data Refinement by Miracles (Carroll Morgan)
1 Introduction
2 An abstract program
3 A difficult data refinement
4 Miraculous programs
5 Eliminating miracles
6 Conclusion
7 Acknowledgements

Auxiliary Variables in Data Refinement (Carroll Morgan)
1 Introduction
2 The direct technique
3 The auxiliary variable technique
4 The correspondence
5 Conclusion
6 Acknowledgements

Data Refinement of Predicate Transformers (Paul Gardiner and Carroll Morgan)
1 Introduction
2 Predicate transformers
3 Algorithmic refinement of predicate transformers
4 Data refinement of predicate transformers
5 The programming language
6 Distribution of data refinement
7 Data refinement of specifications
8 Data refinement in practice
9 Conclusions
10 Acknowledgements

Data Refinement by Calculation (Carroll Morgan and Paul Gardiner)
1 Introduction
2 Refinement
3 Language extensions
4 Data refinement calculators
5 Example of refinement: the "mean" module
6 Specialized techniques
7 Conclusions
8 Acknowledgements
9 Appendix: refinement laws

A Single Complete Rule for Data Refinement (Paul Gardiner and Carroll Morgan)
1 Introduction
2 Data refinement
3 Predicate transformers
4 Completeness
5 Soundness
6 Partial programs
7 An example
8 Conclusion
9 Acknowledgements

Types and Invariants in the Refinement Calculus (Carroll Morgan and Trevor Vickers)
1 Introduction
2 Invariant semantics
3 The refinement calculus
4 A development method
5 Laws for local invariants
6 Eliminating local invariants
7 Type-checking
8 Recursion
9 Examples
10 A discussion of motives
11 Related work
12 Conclusions
Acknowledgements
A Additional refinement laws

References
Authors' Addresses

Introduction

The refinement calculus is a notation and set of rules for deriving imperative programs from their specifications. It is distinguished from earlier methods (though based on them) because the derivations are carried out within a single 'programming' language: there is no separate language of specifications. That does not mean that specifications are executable; it means rather that "not all programs are executable" [3]. Some are written too abstractly for any computer to execute, and they are the opposite extreme to those which - though executable - are too complex for any human to understand. Program derivation is the activity that transforms one into the other.

R.-J.R. Back [4] first extended Dijkstra's language of guarded commands with specifications, and has more recently developed it further [5, 6, 7]. J. Morris also does significant research in this area [50, 51]. This collection however includes only the work done at Oxford.

The refinement calculus is distinguished from some other 'wide spectrum' approaches (e.g., [13, 24]) by its origins and scale: it is a simple programming language to which specifications have been added. The extension is modest and unprejudiced, and one can sit back to see where it leads. So far, it has uncovered 'miracles' [44, 50, 42], novel techniques of data refinement [4, 51, 20, 47, 19], a simpler treatment of procedures [43, 6], 'conjunction' of programs [40, 20, 47], and a light-weight treatment of types in simple imperative programs [45]. It has been applied by Back and his colleagues to parallel and reactive systems [10, 9], and some work has begun on designing a refinement calculus of expressions (rather than of state-transforming programs), by Gardiner and Martin [38] and, independently, by Morris [52].

The work at Oxford sprang from the need to develop a rigorous imperative programming course for our first undergraduate computing degree, which began only in 1985. The strong local tradition of specification and refinement, in Z [25, 49, 59], had not yet reached the level of everyday programming languages (a disadvantage with respect to VDM, for example); the specification statement, like a Z schema but with wp-semantics, was to make the connection. The current text for that course [46] rests on the subsequent research, reported in this volume, but has been much informed by the work of others. As an undergraduate programming text, it presents its method mostly by example, and is deliberately light on justification and history. Thus those seeking the background and mathematical underpinnings should look in the present collection.

The specification statement introduces specifications to Dijkstra's language of guarded commands, and explores the consequences: increased expressive power, the new prominence of the refinement relation, miracles, and a surprising factorisation of that language into smaller pieces. It is the same factorisation reported independently by Nelson [54].

Specification statements and refinement gives our first collection of 'laws of refinement', and lays the emphasis on a calculus of refinement.

Procedures, parameters, and abstraction: separate concerns shows how specifications in a programming language allow the copy rule of ALGOL 60, once again, to give the meaning of procedures. One side effect is the ability to parametrize program fragments which are not procedures.

Data refinement using miracles and Auxiliary variables in data refinement describe small aspects of data refinement, independently of the refinement calculus. The former uses the Gries and Prins data-refinement rule [23] only in order to be self-contained. Data refinement is dealt with more generally in Data refinement of predicate transformers and Data refinement by calculation. The first gives a more theoretical, the second a more practical exposition of the way data refinement and the refinement calculus can interact.

Types and invariants in the refinement calculus explains the way in which the hitherto informal treatment of types during wp-based program derivation can be made rigorous without undue formal cost. It exposes some surprising connections - for example that ascribing a type to a variable is a degenerate form of data refinement. It leads also to some unexpected conclusions, one of which is that 'ill-typed' programs can be considered well-formed but miraculous.

A single complete rule for data refinement brings two separate techniques of data refinement, known to be jointly-complete up to bounded nondeterminism, into a single method. The separate techniques, based on relations, are able to be integrated only once they have been reformulated in terms of predicate transformers. Work remains to be done on the more calculational aspects of the general rule.

A reasonable overview can be gained by reading Specification statements and refinement and Data refinement by calculation. There is some overlap between the papers: the introduction to Specification statements and refinement repeats material from The specification statement; Auxiliary variables in data refinement amplifies a section of Data refinement by calculation; and various laws of program refinement appear in two places: in Specification statements and refinement and as an appendix to Data refinement by calculation. (A more comprehensive collection is given in [46].)

September 1992
Carroll Morgan
Trevor Vickers
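The ideas the introduction names (specification statements with wp-semantics, the refinement relation, miracles and the law of the excluded miracle, guarded commands as miracles, and the square-root example from Specification statements and refinement) can be exercised on a finite state space. The following is an added illustration written for this page; it is not code from the book or its authors. It assumes two integer variables named n and r ranging over 0..3, encodes predicates as sets of states and programs as Python functions from postcondition to weakest precondition, and checks refinement exhaustively. The function refines_spec is this example's own rendering of the refinement theorem for specification statements (a specification is refined by a program exactly when, from every initial state satisfying the precondition, the program establishes the postcondition with the initial values fixed and the unframed variables unchanged); the infix notation in the comments follows the book, the Python names are the example's own.

```python
"""Finite-state weakest-precondition model of a small refinement calculus.

Added example, not code from the book.  Two integer variables, n and r, range
over 0..N-1 (assumed names and range), so a predicate is a frozenset of (n, r)
states and a program is a predicate transformer: a function from R to wp(prog, R).
"""
from functools import reduce
from itertools import product

VARS = ("n", "r")
N = 4
STATES = frozenset(product(range(N), repeat=len(VARS)))
TRUE, FALSE = STATES, frozenset()

def env(s):
    return dict(zip(VARS, s))

def pred(f):
    """States satisfying a boolean function of the environment."""
    return frozenset(s for s in STATES if f(env(s)))

def finals(s, idx):
    """States reachable from s by changing only the variables at positions idx."""
    return [tuple(vals[idx.index(i)] if i in idx else x for i, x in enumerate(s))
            for vals in product(range(N), repeat=len(idx))]

def assign(var, expr):
    """x := e, with wp = R[x \\ e]; a value outside 0..N-1 behaves as abort."""
    i = VARS.index(var)
    def subst(s):
        v = expr(env(s))
        return s[:i] + (v,) + s[i + 1:] if 0 <= v < N else None
    return lambda R: frozenset(s for s in STATES if subst(s) in R)

def spec(frame, pre, post):
    """Specification statement w:[pre, post]: wp = pre and (all w . post => R).
    post(d0, d) sees the initial and final environments; unframed variables stay fixed."""
    idx = [VARS.index(v) for v in frame]
    return lambda R: frozenset(s for s in STATES if pre(env(s)) and
                               all(t in R for t in finals(s, idx) if post(env(s), env(t))))

def seq(*progs):
    """P; Q has wp(P; Q, R) = wp(P, wp(Q, R))."""
    return lambda R: reduce(lambda acc, p: p(acc), reversed(progs), R)

def choice(*progs):
    """Demonic choice P [] Q: wp = wp(P, R) and wp(Q, R)."""
    return lambda R: frozenset.intersection(*(p(R) for p in progs))

def coerce(guard):
    """Coercion [G] with wp([G], R) = G => R: a miracle wherever G is false."""
    G = pred(guard)
    return lambda R: (STATES - G) | R

def guarded(guard, body):
    """Dijkstra's G -> S factorised as [G]; S, so guarded commands are miracles."""
    return seq(coerce(guard), body)

def loop(guard, body):
    """do G -> S od: least fixed point of X |-> (not G and R) or (G and wp(S, X)),
    iterated from the empty predicate; the state space is finite, so it converges."""
    G = pred(guard)
    def wp(R):
        X, nxt = None, FALSE
        while nxt != X:
            X, nxt = nxt, (R - G) | (G & body(nxt))
        return X
    return wp

SKIP = lambda R: R
MAGIC = coerce(lambda d: False)   # [false]: wp is TRUE for every R, the same as r:[true, false]

def feasible(prog):
    """Dijkstra's law of the excluded miracle: wp(prog, false) == false."""
    return prog(FALSE) == FALSE

def refines(P, Q):
    """P is refined by Q, by definition: wp(P, R) => wp(Q, R) for every R.
    Exhaustive over all 2**len(STATES) postconditions, so use it on cheap programs."""
    states = sorted(STATES)
    return all(P(R) <= Q(R) for bits in range(1 << len(states))
               for R in [frozenset(s for i, s in enumerate(states) if bits >> i & 1)])

def refines_spec(frame, pre, post, prog):
    """Refinement theorem for specifications: w:[pre, post] is refined by prog iff
    from every initial state satisfying pre, prog establishes post with the initial
    values fixed and the unframed variables unchanged.  Exact and much cheaper."""
    idx = [VARS.index(v) for v in frame]
    return all(s in prog(frozenset(t for t in finals(s, idx) if post(env(s), env(t))))
               for s in STATES if pre(env(s)))

# The square-root example: r:[true, r*r <= n < (r+1)*(r+1)], a loop that meets it,
# and a plausible-looking loop whose guard overshoots by one.
ISQRT_POST = lambda d0, d: d["r"] ** 2 <= d0["n"] < (d["r"] + 1) ** 2
INC_R = assign("r", lambda d: d["r"] + 1)
ISQRT = seq(assign("r", lambda d: 0), loop(lambda d: (d["r"] + 1) ** 2 <= d["n"], INC_R))
ISQRT_BAD = seq(assign("r", lambda d: 0), loop(lambda d: d["r"] ** 2 <= d["n"], INC_R))
# if r >= 1 -> skip [] r < 1 -> r := 1 fi: each branch alone is a miracle, together feasible.
BRANCH = guarded(lambda d: d["r"] >= 1, SKIP)
IF_FI = choice(BRANCH, guarded(lambda d: d["r"] < 1, assign("r", lambda d: 1)))
```

Calling feasible(MAGIC) and feasible(BRANCH) returns False while feasible(IF_FI) returns True, which is the point of "guarded commands are miracles": a single guarded branch is not an executable program, but the demonic choice of branches whose guards cover the state space is. refines(SKIP, MAGIC) is True and refines(MAGIC, SKIP) is False, so the miracle sits above everything in the implementation ordering. refines_spec(("r",), lambda d: True, ISQRT_POST, ISQRT) returns True and the same call with ISQRT_BAD returns False, because the bad guard drives r one step past the root. The exhaustive refines is only sensible for cheap transformers; for a specification on the left the theorem behind refines_spec is exact and needs one wp computation per initial state.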
