Paul H. B. Gardiner
University of Oxford
Publication
Featured research published by Paul H. B. Gardiner.
Acta Informatica | 1990
Carroll Morgan; Paul H. B. Gardiner
Data refinement is the systematic substitution of one data type for another in a program. Usually, the new data type is more efficient than the old, but possibly more complex; the purpose of the data refinement in that case is to make progress in program construction from more abstract to more concrete formulations. A recent trend in program construction is to calculate programs from their specifications; that contrasts with proving that a given program satisfies some specification. We investigate to what extent the trend can be applied to data refinement.
Theoretical Computer Science | 1991
Paul H. B. Gardiner; Carroll Morgan
Data refinement is the systematic substitution of one data type for another in a program. Usually, the new data type is more efficient than the old, but also more complex; the purpose of data refinement in that case is to make progress in a program design from more abstract to more concrete formulations. A particularly simple definition of data refinement is possible when programs are taken to be predicate transformers in the sense of Dijkstra. Central to the definition is a function taking abstract predicates to concrete ones, and that function, a generalisation of the abstraction function, is therefore a predicate transformer as well. Advantages of the approach are: proofs about data refinement are simplified; more general techniques of data refinement are suggested; and a style of program development is encouraged in which data refinements are calculated directly without proof obligation.
Mathematics of Program Construction | 1992
Paul H. B. Gardiner; Clare Martin; Oege de Moor
In this paper we present an algebraic construction of the category of monotonic predicate transformers from the category of relations which is similar to the standard algebraic construction of the integers from the natural numbers. The same construction yields the category of relations from the category of total functions. This provides a mechanism through which the rich type structure of the category of total functions can be promoted to successively weaker ones in the categories of relations and predicate transformers. In addition, it has exposed two complete rules for the refinement and composition of specifications in Morgan's refinement calculus.
Formal Aspects of Computing | 1996
Andrew P. Martin; Paul H. B. Gardiner; Jim Woodcock
We present a very general language for expressing tactic programs. The paper describes some essential tactic combinators (tacticals), and gives them a formal semantics. Those definitions are used to produce a complete calculus for reasoning about tactics written in this language. The language is extended to cover structural combinators, which enable the tactics to be precisely targeted upon particular sub-expressions.
International Workshop on Model Checking Software | 2003
Irfan Zakiuddin; Michael Goldsmith; Paul Whittaker; Paul H. B. Gardiner
Wireless networks, specifically ad-hoc networks, are characterised by rapidly changing network topologies. The dynamic nature of ad-hoc networks makes protocol design and assessment particularly challenging. We present a methodology, based on CSP and the FDR model-checker, to validate critical properties of ad-hoc networks, properties like self-stabilisation. Our work started by applying CSP/FDR to a tactical internet (a military mobile network). The techniques developed there were generalised to our methodology for model-checking ad-hoc networks, and more general self-configuring systems. We first give an overview of the results of model-checking the tactical internet, then we describe the methodology on an ad-hoc network case study, namely the Cluster-Based Routing Protocol. The methodology is quite generic, but it enables the complex dynamic properties of ad-hoc networks to be captured quickly and easily, in models that are usually readily tractable. We end with a brief discussion of some of its other applications.
Proceedings of the Fifth Annual Z User Meeting on Z User Workshop | 1990
Paul H. B. Gardiner; P. J. Lupton; Jim Woodcock
We compare two formal semantics for the Z notation: the first is Spivey's original semantics, and the second a new treatment, which assigns the same meanings to language constructs. We start by recalling the varietal semantics of Z, and describe the semantic environment of a Z specification. Next, we describe a new semantic environment, and illustrate it by describing the semantic equations for schemas and schema designators. We contrast this description with the varietal approach.
Theoretical Computer Science | 2003
Paul H. B. Gardiner
There are two quite distinct approaches commonly used when giving meaning to process algebra expressions: an operational semantics, often associated with the CCS language, defines an equivalence between terms by considering whether each can simulate the other; a denotational semantics, often associated with CSP, provides a mapping, recursively defined over the structure of the language, taking each term into a carefully chosen collection of set-theoretic objects. (The traces and failures models are well-known examples of such semantic domains.) We present a formal link between the two approaches, consisting in defining a variant of the bisimulation equivalence that naturally gives rise to the traces and failures ordering. We have no way at present to extend this result to the failures/divergence model.
Theoretical Computer Science | 1995
Paul H. B. Gardiner
An embedding of the relations in the predicate transformers, analogous to that of the integers in the rationals, is exploited to provide simple algebraic proofs for the consistency and completeness of a calculus of program refinement. The calculus of refinement is derived by almost direct translation of the Hoare logic inference rules, and so alternatively the proofs may be viewed as demonstrating the soundness and completeness of Hoare logic. The main attributes of the embedding used in the proofs are that it supports a weak form of inversion (i.e. Galois connection) of relations, and that it supports an operator on predicate transformers that behaves like the floor operator on rationals: the operator maps an arbitrary predicate transformer down in the natural ordering to the nearest embedded relation. A more general use for the floor-like operator in extending the relational calculus is suggested by its providing a decomposition of the weakest prespecification operator. A weak algebraic set theory is used as a foundation for proving all required properties of the floor-like operator.
Z User Workshop | 1994
Jim Woodcock; Paul H. B. Gardiner; J. R. Hulance
We give a formal specification of the safety analysis elements of the Revised Defence Standard 00-56, which describes procedures for the development of safety-critical systems. The specification is written in the Z notation, and, as it is an unusual application of formal methods, we reflect on the positive aspects of the experience as well as the main difficulties.
Science of Computer Programming | 1992
Paul H. B. Gardiner; Paritosh K. Pandya
An algebraic technique for reasoning about recursive programs is proposed. The technique is based on Tarski's axioms of least fixed points of monotonic functions and the existence of weak-op-inverses. The algebraic style gives rise to elegant proofs, although the requirement of existence of weak-op-inverses may limit applicability. When such inverses do exist, the method can be used in the presence of noncontinuous but monotonic operators occurring in languages containing unbounded nondeterminism, fairness constraints and specification statements.