16
MACHINE Team
SETS ANSWER = {in, out}
VARIABLES team
INVARIANT team <: 1..22 & card(team) = 11
INITIALISATION team := 1..11
OPERATIONS
  substitute(pp, rr) =
    PRE pp : team & rr : 1..22 & not(rr : team)
    THEN team := (team \/ {rr}) - {pp}
    END ;
  aa <-- query(pp) =
    PRE pp : 1..22
    THEN IF pp : team THEN aa := in ELSE aa := out END
    END
END
17
REFINEMENT TeamR
REFINES Team
VARIABLES teamr
INVARIANT teamr : 1..11 >-> 1..22 & ran(teamr) = team
INITIALISATION teamr := %nn.(nn : 1..11 | nn)
OPERATIONS
  substitute(pp, rr) = teamr(teamr~(pp)) := rr ;
  aa <-- query(pp) = IF pp : ran(teamr) THEN aa := in ELSE aa := out END
END
18
REFINEMENT TeamR
REFINES Team
VARIABLES teama
INVARIANT teama : 1..22 --> ANSWER & team = teama~[{in}]
INITIALISATION teama := (1..11) * {in} \/ (12..22) * {out}
OPERATIONS
  substitute(pp, rr) = BEGIN teama(pp) := out ; teama(rr) := in END ;
  aa <-- query(pp) = BEGIN aa := teama(pp) END
END
19
MACHINE Exam
SETS CANDIDATE
VARIABLES marks
INVARIANT marks : CANDIDATE +-> 1..100
INITIALISATION marks := {}
OPERATIONS
  enter(cc, nn) =
    PRE cc : CANDIDATE & cc /: dom(marks) & nn : 1..100
    THEN marks(cc) := nn
    END ;
  aa <-- average =
    PRE marks /= {}
    THEN aa := (SIGMA zz.(zz : dom(marks) | marks(zz))) / card(dom(marks))
    END ;
  nn <-- number = nn := card(dom(marks))
END
20
REFINEMENT ExamR
REFINES Exam
VARIABLES total, num
INVARIANT num = card(dom(marks)) & total = SIGMA zz.(zz : dom(marks) | marks(zz))
INITIALISATION total := 0 || num := 0
OPERATIONS
  enter(cc, nn) = BEGIN total := total + nn || num := num + 1 END ;
  aa <-- average = aa := total / num ;
  nn <-- number = nn := num
END
28
Initialization in refinements
• Abstract machine initialization T establishes the invariant I
• Refinement machine initialization T1 establishes the linking invariant J
• Every possible state that T1 can reach must match (via the linking invariant J) some possible state that T can reach.
29
• NOT(J) means that J is false
• [T]NOT(J) means that every possible outcome of T makes J false
• NOT([T]NOT(J)) means that not every outcome of T makes J false
• i.e., T has at least one possible outcome in which J is true (T can establish J)
30
MACHINE Colours
SETS COLOUR = {red, green, blue}
VARIABLES cols
INVARIANT cols <: COLOUR
INITIALISATION cols :: POW(COLOUR - {blue})
OPERATIONS
  add(cc) = PRE cc : COLOUR THEN cols := cols \/ {cc} END ;
  cc <-- query = PRE cols /= {} THEN cc :: cols END ;
  change = cols :: POW(COLOUR) - {cols}
END
31
REFINEMENT ColoursR
REFINES Colours
VARIABLES colour
INVARIANT colour : cols
INITIALISATION colour :: COLOUR - {blue}
OPERATIONS
  add(cc) = colour :: {colour, cc} ;
  cc <-- query = cc := colour ;
  change = colour :: COLOUR - {colour}
END
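Worked derivation of the initialisation obligation from slides 28 and 29 for this pair of machines (added here, not part of the slides). The only rule used is the weakest-precondition rule for the choice substitution, [x :: S]P = forall x'.(x' : S => [x := x']P); T is the abstract initialisation, T1 the concrete one, J the linking invariant colour : cols.

```
\begin{aligned}
T &= cols :: \mathbb{P}(COLOUR - \{blue\}), \qquad
T_1 = colour :: COLOUR - \{blue\}, \qquad
J = colour \in cols \\[4pt]
[T]\,\neg J &= \forall s\cdot\big(s \in \mathbb{P}(COLOUR - \{blue\}) \Rightarrow colour \notin s\big) \\
\neg[T]\,\neg J &= \exists s\cdot\big(s \in \mathbb{P}(COLOUR - \{blue\}) \wedge colour \in s\big) \\
[T_1]\,\neg[T]\,\neg J &= \forall c\cdot\Big(c \in COLOUR - \{blue\} \Rightarrow
   \exists s\cdot\big(s \in \mathbb{P}(COLOUR - \{blue\}) \wedge c \in s\big)\Big)
\end{aligned}
```

For c = red the witness is s = {red}, for c = green it is s = {green}; in general s = {c} works because c is never blue, so the obligation holds. Had the refinement initialised colour :: COLOUR instead, the case c = blue would have no witness, since no subset of COLOUR - {blue} contains blue, and the obligation would fail.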
32
[Figure: the abstract initialisation T can reach the states {}, {red}, {green}, {red, green}; of the concrete states red, green, blue, the refinement initialisation T1 can reach only red and green. Each state T1 reaches is linked by J (colour : cols) to one of the states T reaches.]
33
• Every state that T1 can reach must be one in which some outcome of T establishes the linking invariant J
For T1 to be a refinement of T we require that NOT([T]NOT(J)) is true in every state that T1 can reach. That is, [T1]NOT([T]NOT(J)).
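The obligation above can be checked by brute force for a finite machine such as Colours. The following Python script is an added example (it is not part of the slides) that enumerates all states of Colours and ColoursR, checks the initialisation obligation [T1]NOT([T]NOT(J)), and, going beyond the slides, also checks the corresponding obligation for each operation: every outcome of the concrete operation must be matched by an abstract outcome with the same output whose next state is again linked by J. Nondeterministic choice (`::`) is modelled by returning the set of all possible outcomes; the function `bad_conc_init` is a constructed wrong initialisation that allows blue, to show the check rejecting it.

```python
"""Brute-force check of the B refinement obligations for the finite
Colours / ColoursR machines.  Added example, not part of the lecture slides.

An abstract state is the set `cols` (a frozenset); a concrete state is the
single value `colour`.  Every operation returns the SET of possible
(output, next_state) pairs, so the choice `x :: S` is modelled by returning
one pair per element of S.  Operations without an output use None.
"""
from itertools import combinations

COLOUR = frozenset({"red", "green", "blue"})


def powerset(s):
    """POW(s): every subset of s, as frozensets."""
    items = sorted(s)
    return {frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)}


# --- abstract machine Colours ---
def abs_init():
    return powerset(COLOUR - {"blue"})            # cols :: POW(COLOUR - {blue})


def abs_add(cols, cc):
    return {(None, cols | {cc})}                   # cols := cols \/ {cc}


def abs_query(cols):
    return {(cc, cols) for cc in cols}             # PRE cols /= {} THEN cc :: cols


def abs_change(cols):
    return {(None, s) for s in powerset(COLOUR) if s != cols}   # cols :: POW(COLOUR) - {cols}


# --- refinement ColoursR ---
def conc_init():
    return COLOUR - {"blue"}                       # colour :: COLOUR - {blue}


def conc_add(colour, cc):
    return {(None, c) for c in {colour, cc}}       # colour :: {colour, cc}


def conc_query(colour):
    return {(colour, colour)}                      # cc := colour


def conc_change(colour):
    return {(None, c) for c in COLOUR - {colour}}  # colour :: COLOUR - {colour}


def J(cols, colour):
    """Linking invariant: colour : cols."""
    return colour in cols


def init_refines(conc_init=conc_init, abs_init=abs_init):
    """[T1] NOT([T] NOT(J)): each state the concrete initialisation can reach
    is linked by J to some state the abstract initialisation can reach."""
    return all(any(J(cols, colour) for cols in abs_init())
               for colour in conc_init())


def op_refines(abs_op, conc_op, inputs=((),)):
    """For every pair of states linked by J and every input, each outcome of
    the concrete operation must be matched by an abstract outcome with the
    same output whose next state is again linked by J."""
    for cols in powerset(COLOUR):
        for colour in COLOUR:
            if not J(cols, colour):     # J implies cols /= {}, the PRE of query
                continue
            for args in inputs:
                abs_outcomes = abs_op(cols, *args)
                for out, c_next in conc_op(colour, *args):
                    if not any(out == a_out and J(a_next, c_next)
                               for a_out, a_next in abs_outcomes):
                        return False
    return True


def check_all():
    """Every obligation for the ColoursR refinement, by operation."""
    return {
        "initialisation": init_refines(),
        "add": op_refines(abs_add, conc_add, inputs=[(c,) for c in COLOUR]),
        "query": op_refines(abs_query, conc_query),
        "change": op_refines(abs_change, conc_change),
    }


def bad_conc_init():
    """Constructed wrong initialisation: allowing blue leaves a concrete
    state that no abstract initial state is linked to (cf. the figure)."""
    return COLOUR


if __name__ == "__main__":
    print(check_all())
    print("blue allowed:", init_refines(conc_init=bad_conc_init))
```

Running the script reports True for all four obligations of ColoursR and False for the variant that allows blue, which is exactly the missing witness in the figure: no subset of COLOUR - {blue} contains blue, so no state of T matches it.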