
MACHINE Team SETS ANSWER={in, out} VARIABLES team INVARIANT team PowerPoint PPT Presentation


MACHINE Team
SETS ANSWER = {in, out}
VARIABLES team
INVARIANT team <: 1..22 & card(team) = 11
INITIALISATION team := 1..11
OPERATIONS
  /* replace player pp, who is in the team, by rr, who is not */
  substitute (pp, rr) =
    PRE pp : team & rr : 1..22 & not(rr : team)
    THEN team := (team \/ {rr}) - {pp}
    END ;
  /* report whether player pp is in the team */
  aa <-- query(pp) =
    PRE pp : 1..22
    THEN IF pp : team THEN aa := in ELSE aa := out END
    END
END


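REFINEMENT TeamR
REFINES Team
VARIABLES teamr
/* teamr is an injection from shirt positions 1..11 to players; its range is the abstract team */
INVARIANT teamr : 1..11 >-> 1..22 & ran(teamr) = team
INITIALISATION teamr := %nn.(nn : 1..11 | nn)
OPERATIONS
  /* overwrite the position held by pp with rr */
  substitute (pp, rr) = teamr(teamr~(pp)) := rr ;
  aa <-- query(pp) =
    IF pp : ran(teamr) THEN aa := in ELSE aa := out END
END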


REFINEMENT TeamR
REFINES Team
VARIABLES teama
INVARIANT teama : 1..22 --> ANSWER & team = teama~[{in}]
INITIALISATION teama := (1..11)*{in} \/ (12..22)*{out}
OPERATIONS
  substitute (pp, rr) =
    BEGIN teama(pp) := out ; teama(rr) := in END ;
  aa <-- query(pp) =
    BEGIN aa := teama(pp) END
END


MACHINE Exam
SETS CANDIDATE
VARIABLES marks
INVARIANT marks : CANDIDATE +-> 1..100
INITIALISATION marks := {}
OPERATIONS
  /* record mark nn for a candidate who has no mark yet */
  enter (cc, nn) =
    PRE cc : CANDIDATE & cc /: dom(marks) & nn : 1..100
    THEN marks(cc) := nn
    END ;
  aa <-- average =
    PRE marks /= {}
    THEN aa := SIGMA zz.(zz : dom(marks) | marks(zz)) / card(dom(marks))
    END ;
  nn <-- number = nn := card(dom(marks))
END


REFINEMENT ExamR
REFINES Exam
SETS CANDIDATE
VARIABLES total, num
/* linking invariant: total and num summarise the abstract marks function */
INVARIANT
  num = card(dom(marks)) &
  total = SIGMA zz.(zz : dom(marks) | marks(zz))
INITIALISATION total := 0 ; num := 0
OPERATIONS
  enter (cc, nn) =
    BEGIN total := total + nn || num := num + 1 END ;
  aa <-- average = aa := total / num ;
  nn <-- number = nn := num
END


Initialization in refinements

• Abstract machine initialization T establishes the invariant I

• Refinement machine initialization T1 establishes the linking invariant J

• Every possible state that T1 can reach must match (via the linking invariant J) some possible state that T can reach.


• NOT(J) means that J is false

• [T]NOT(J) means that every transition of T guarantees that J is false

• NOT([T]NOT(J)) means that not every transition of T guarantees that J is false

• i.e., some transition of T guarantees that J is true


MACHINE Colours
SETS COLOUR = {red, green, blue}
VARIABLES cols
INVARIANT cols <: COLOUR
/* nondeterministic: any subset of {red, green} */
INITIALISATION cols :: POW(COLOUR - {blue})
OPERATIONS
  add (cc) =
    PRE cc : COLOUR THEN cols := cols \/ {cc} END ;
  cc <-- query =
    PRE cols /= {} THEN cc :: cols END ;
  change = cols :: (POW(COLOUR) - {cols})
END


REFINEMENT ColoursR
REFINES Colours
SETS COLOUR = {red, green, blue}
VARIABLES colour
/* linking invariant: the single concrete colour is a member of the abstract set */
INVARIANT colour : cols
INITIALISATION colour :: COLOUR - {blue}
OPERATIONS
  add (cc) = colour :: {colour, cc} ;
  cc <-- query = cc := colour ;
  change = colour :: COLOUR - {colour}
END


[Figure: abstract states {}, {red}, {green}, {red, green} reached by T; concrete values red, green, blue; transitions labelled T and T1]

For T1 to be a refinement of T we require that NOT([T]NOT(J)) must be true for any state that T1 can reach! That is, [T1]NOT([T]NOT(J))


• Any transition T1 must reach a state in which some transition of T can establish the linking invariant J
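The condition [T1]NOT([T]NOT(J)) can be checked by brute force for the Colours / ColoursR initialisations. The following is an added example, not part of the original slides; it assumes the linking invariant J is read as colour : cols, and the function names and the blue-choosing variant are constructed for illustration.

```python
from itertools import chain, combinations

COLOUR = {"red", "green", "blue"}

def powerset(s):
    """All subsets of s, as frozensets (models POW)."""
    items = sorted(s)
    subsets = chain.from_iterable(
        combinations(items, n) for n in range(len(items) + 1))
    return [frozenset(c) for c in subsets]

def abstract_init():
    """T: cols :: POW(COLOUR - {blue}); every state T may establish."""
    return powerset(COLOUR - {"blue"})

def concrete_init():
    """T1: colour :: COLOUR - {blue}; every state T1 may establish."""
    return sorted(COLOUR - {"blue"})

def linking_invariant(colour, cols):
    """J (assumed reading): colour : cols."""
    return colour in cols

def some_T_establishes_J(colour, t_states):
    """NOT([T]NOT(J)): at least one outcome of T satisfies J for this colour."""
    return any(linking_invariant(colour, cols) for cols in t_states)

def init_refines(t1_states, t_states):
    """[T1]NOT([T]NOT(J)): every outcome of T1 must be matched by some outcome of T.
    Returns (ok, unmatched concrete states)."""
    unmatched = [c for c in t1_states
                 if not some_T_establishes_J(c, t_states)]
    return (not unmatched, unmatched)

def report():
    # Initialisations as written in Colours and ColoursR.
    good = init_refines(concrete_init(), abstract_init())
    # Constructed failing variant: a concrete initialisation that may pick blue,
    # which no abstract initial state contains.
    bad = init_refines(sorted(COLOUR), abstract_init())
    return good, bad

if __name__ == "__main__":
    good, bad = report()
    print("ColoursR initialisation refines Colours:", good)
    print("Variant allowing blue:", bad)
```

The failing variant shows why the outer [T1] matters: a single unmatched concrete outcome is enough to break the refinement, even though red and green are still matched.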
