Re�nement Concepts Formalized in Higher Order Logic

R�J�R� Back � J� von Wright y

September �� ����

Abstract

A theory of commands with weakest precondition semantics is formalized using the HOL

proof assistant system� The concept of re�nement between commands is formalized� a number

of re�nement rules are proved and it is shown how the formalization can be used for proving

re�nements of actual program texts correct�

� Introduction

The re�nement calculus is a theory of program transformations that preserve the total correctness ofprograms� It was �rst described in �Ba��� Ba��� and has been further elaborated in �Ba��a� Ba��b�MoRoGa��� Morr���� It is based on the weakest precondition technique of �Di���� The re�nementcalculus has been used as a tool for stepwise re�nement of sequential algorithms� and recently also forthe derivation of parallel algorithms from sequential algorithms �BaSe�� Wr���

The HOL system Higher Order Logic� is a theorem proving assistant� which can be used to for�malize theories and verify proofs of theorems within these theories� It is based on the LCF system�GoMiWa�� and is described in �Go���� It has been used mainly for formal speci�cation and veri��cation of hardware� However� a simple imperative programming language is formalized in the HOLsystem in �Go��� in an attempt to formalize Hoare logic� Another formalization of a simple program�ming language� using the original LCF� is used �So��� in a mechanical proof of the soundness of HoareLogic� However� neither of these formalizations permit nondeterminism in the programming language�

This paper describes an attempt to formalize the re�nement calculus using the HOL system�Sections and � describe brie�y the re�nement calculus and the HOL system� In section � wedescribe a formalization of predicates� Predicates are de�ned as functions from states to truth values�Using the HOL system it is proved that the predicates form a complete boolean lattice and thatevery monotonic function on predicates has a least �xpoint� These results provide a basis for theformalization of weakest preconditions� In section � we formalize the basic concepts of the re�nementcalculus� We �rst introduce a Dijkstra�style speci�cation language� The basic commands of thislanguage are primitive syntactic entities and their weakest precondition predicate transformers arede�ned� In section � we discuss two di�erent ways of formalizing the re�nement relation within thetheory of commands� In each formalization� some rules of re�nement are proved� Section � contains asmall example where the formalization is used to prove a re�nement of an actual program text correct�Finally� section � contains some concluding remarks�

� The re�nement calculus

We assume that Var is a set of program variables and that D is a set of values� A state is an assignmentof values for each variable� i�e� a total function from Var to D � The set of all states the state space�is denoted ��

��Abo Akademi University� Department of Computer Science� Lemmink�aisenkatu ��� SF������ Turku� FinlandySwedish School of Economics and Business Administration� Biblioteksgatan �� SF����� Vasa� Finland

�

A predicate is a total function from � to the set Bool � f�� ttg of truth values and an expressionis a total function from � to D � The set of all predicates is denoted Pred� Pred is a complete booleanlattice when ordered by the implication ordering i�e� pointwise extension of the implication orderingon Bool��

P � Qdef� ���

�P�� � Q��

�

The bottom element of Pred is the predicate false which assigns the value � to every state and thetop element is the the predicate true which assigns the value tt to every state� Logical operationsconjunction� disjunction� implication and negation� on predicates are natural extensions of the corre�sponding operations on truth values� As Pred is a complete lattice we permit arbitrary conjunctionsmeets� and disjunctions joins�� Also� every monotonic function on Pred is guaranteed to have a least�xpoint �Ta����

A predicate transformer is a total� function from Pred to Pred� We de�ne a speci�cation languageby introducing a syntactic class of statements� Every statement is given a semantics by de�ning itsweakest precondition predicate transformer�The weakest precondition for statement S and predicate Q is denoted wpS �Q�� It is a predicate

which is true of a state � if and only if S is guaranteed to terminate in a state satisfying Q whenexecuted in the initial state � �Di����

��� The speci�cation language

We now de�ne the syntax of our speci�cation language� It is essentially the language of �Di����extended with a nondeterministic update statement and a block construct� However� we permitunbounded nondeterminism� so we cannot use Dijkstra�s original de�nition of the semantics of theiterative construct�

Statements of the speci�cation language are de�ned recursively as follows�

S ��� fbg assert statement�j v �� e assignment statement�j v �P update statement�j �varv� S� block�j S�� S� sequential composition�j if b� � S���b� � S� � conditional composition�j do b� S od iteration�

Here v is a variable� e is an expression� P � b�� b� and b are predicates� and S � S� and S� arestatements�

Weakest precondition semantics Formally the meanings of all statements are given by the fol�lowing de�nitions of their weakest precondition predicate transformers�

wpfbg�Q�def� b �Q

wpv �� e�Q�def� Q �e�v �

wpv �P �Q�def� �v �P � Q�

wp�varv� S��Q�def� �v �wpS � �v �Q�

wpS�� S��Q�def� wpS��wpS��Q��

wpifb� � S���b� � S� ��Q�def� b� � b�� � b� � wpS��Q�� � b� � wpS��Q��

For the iterative construct we take the same de�nition as in �Pa��� DiGa��� and de�ne wpdob �S od�Q� to be the least �xpoint of the monotonic function

�X �b �wpS �X �� � �b �Q�� ��

The assignment statement� sequential composition and conditional composition have their usualmeanings� as de�ned in e�g� �Gr���� The assert statement fbg asserts the truth of the predicate b�Thus it aborts if b does not hold and it terminates without a�ecting any variables if b holds� Themeaning of the block statement di�ers from the meaning given by e�g� �Ba��� Morr��� GaMo���� Inorder to permit predicates over all the variables of Var the local variable is an ordinary variable whosevalue before entering the block is ignored and whose value is unde�ned when the block statementterminates �BaWr��� Thus it is assumed that the programmer does not use the local variable as aglobal variable� The update statement assigns a value to the variable v � such that the condition P isestablished� If this is not possible� the update statement aborts�

Semantics of the iterative construct when nondeterminism is bounded The nondetermin�ism of a statement S is said to be bounded if any computation that is guaranteed to terminate has atmost a �nite number of possible �nal states� This is equivalent to the weakest precondition predicatetransformer of S being continuous �Di���� For statements S with bounded nondeterminism it can beshown in fact� we have proved it in the HOL system� that

wpdob� S od�Q� � �n�Hn b� S �Q� �

where the function H is de�ned recursively for all natural numbers n by

H�b� S �Q� � �b �Q

Hn��b� S �Q� � H�b� S �Q��wpfbg� S �Hnb� S �Q��

As noted above� our speci�cation language permits unbounded nondeterminism� Both the updatestatement and a block with an uninitialized local variable can introduce unbounded nondeterminism�Thus we have to use the �xpoint de�nition �� of the weakest precondition of the iterative construct�rather that using � as a de�nition�

Healthiness conditions In �Di��� the following healthiness conditions are assumed to hold forevery program statement S �

�� Strictness� i�e� wpS � false� � false�

� Monotonicity� i�e� wpS �Q�� wpS �Q �� whenever Q � Q ��

�� Conjunctivity� i�e wpS �Q �Q �� � wpS �Q� � wpS �Q �� for all predicates Q and Q ��

�� Continuity� i�e� the nondeterminism of S is bounded�

As already noted� the statements of the speci�cation language considered in this paper may exhibitunbounded nondeterminism so we do not assume continuity� However� all statements will be strict�monotonic and conjunctive� Recently� most of the healthiness conditions have been dropped forstatements of speci�cation languages� leaving only monotonicity as the ultimate healthiness condition�GaMo��� BaWr���

Derived statements Using the given statements it is possible to de�ne a number of derived state�ments� i�e� statements de�ned in terms of the primitive statements� We de�ne the s

�kip and a

�bort

statements� as well as a nondeterministic assignment statement v �� v ��P � by

skipdef� ftrueg

abortdef� ffalseg

v �� v ��Pdef� �varv�� v��P� v �� v��

The nondeterministic assignment statement �Back��� assigns nondeterministically� values v � to thevariable v so that the condition P is established� If this is not possible it aborts�

�

We also want to generalize the i�f� and d

�o�statements to permit an arbitrary �nite number of

branches� The one�branched i�f�statement is de�ned as

ifb� S �def� fbg� S

The many�branched i�f�statement can now be de�ned inductively�

ifb� � S� �� � � � �� bn�� � Sn�� �def�

ifb� � � � ��bn�� if b� � S� �� � � � �� bn� Sn ���� bn�� � Sn���

Similarly� we de�ne the two�branched d�o�statement�

dob� � S� �� b� � S� oddef� dob� �b��� if b� � S� �� b� � S� �� od

and then inductively d�o�statements with more than two branches� For completeness� we also de�ne

the empty conditional composition and the empty iteration�

if �def� abort

do oddef� skip

��� The re�nement calculus

The re�nement relation � on the set of all statements is de�ned following �Ba��� Ba��� Ba��a� by

S � S � def� �Q �wpS �Q�� wpS ��Q��

Here the quanti�cation is over all predicates in Pred�The re�nement relation is re�exive and transitive� i�e� it is a preorder� It is not antisymmetric

on the level of syntactic statements� However� if we choose to identify statements with their weakestprecondition predicate transformers� as is done in �Morr��� GaMo��� BaWr��� then it is antisym�metric� The re�nement relation induces an equivalence relation� re�nement equivalence� Re�nementequivalence between two statements S and S �� denoted S � S �� is de�ned by

S � S � def� S � S � � S � � S

Stepwise re�nement of programs The re�nement relation S � S � can be characterized usingthe total correctness notion �Ba��a���

S � S � � �P �Q �P �S �Q � P �S ��Q�

where P �S �Q denotes that the statement S is totally correct with respect to precondition P andpostcondition Q � Thus the re�nement relation preserves the total correctness of a statement�

From the transitivity of the re�nement relation it follows that if we can show a chain of re�nements

S� � S� � � � � � Sn

then we have shown� using stepwise re�nement� that the �nal statement Sn satis�es any speci�cationthat the initial statement S� satis�es�

Re�nement rules The re�nement calculus can be used to derive algorithms by stepwise re�nement�starting from speci�cations �Ba��a� Ba��b� Morg��� Case studies �BaSe�� Wr�� show e�g� thatthe stepwise transformation of sequential algorithms into highly parallel algorithms can be done byrepeatedly using a limited number of re�nement rules�

�

� The HOL system

The HOL system is a proof assistant for higher�order logic based on the Edinburgh LCF theoremproving system� This in turn is a combination of predicate calculus and the typed lambda calculus�This section describes some of the most important features of the HOL system� A more detailedpresentation can be found in �Go����

Types� terms and theorems When working with the HOL system one always works inside sometheory� Within a theory one can de�ne types� constant and axioms and prove theorems� The theoryHOL really a tree of theories� contains among other things the types bool� representing truth valuesand num� representing the natural numbers� Together with these go axioms and theorems of logicand arithmetic�The logic of HOL is higher�order logic with a strict type discipline� Thus every entity must have

a unique type assigned to it type variables are permitted�� Types can be combined into functiontypes� A function which maps arguments of type type� to values of type type� has type type��type��The arrow symbol associates to the right so type��type��type� stands for type���type��type���Application of a function f to an argument x is written as f x or as f x �� Function applicationassociates to the left so f x y is the same as f x �y or f x ��y�� Most of the time we omit parenthesesin order to make function expressions more readable�

The surface level user interface of the HOL system is quite poor� Standard ASCII�characters orcharacter combinations� are used for the logical symbols of higher�order logic� In this paper we usethe standard logical symbols� to make the text and formulas more readable� We use the HOL system�ssymbols F and T for the boolean truth values�

The theory HOL is a parent of any user�de�ned theory� This means that the de�nitions� axiomsand theorems of the theory HOL are always available� The theorems of a theory are represented bythe type thm� Axioms automatically have theorem�status� Also every de�nition is represented by atheorem� The only other way to give a term theorem�status is to prove it using existing theorems andinference rules� Theorems are printed with a leading turnstile symbol � by the HOL system�

It should be noted that the user can de�ne any term with type bool for example F � T� to be anaxiom� It is therefore recommended �Go��� that new concepts be formalized using de�nitions ratherthan new axioms� since this guarantees that no inconsistencies are introduced�

Pre�proved theorems In addition to de�nitions and axioms� the HOL theory contains a numberof pre�proved theorems� Two examples of pre�proved theorems� used in subsequent proofs are

EXCLUDED MIDDLE �t� �t � �t�ADD ASSOC �m n p� �m�np� � �mn�p�

we use the convention that a theorem is always preceded by its name��

Inference rules and forward proofs in HOL An inference rule is a function mapping a numberof terms and�or theorems to a theorem� To use an inference rule� we supply the name of the inferencerule and the arguments theorems and�or terms� or their names in the current environment� andthe HOL system replies with the resulting theorem or an error message�� As an example we takethe inference rule MP for Modus Ponens� which is of type thm�thm�thm� Given two argumenttheorems having the forms t � t and t it produces the new theorem t� A typical step in aforward proof looks the following way � is the HOL system prompt and �� is an input terminatorsymbol��

�let newthm � MP th� th���newthm � � � �

Here th� and th� are the names of two existing theorems and the resulting theorem the dots�becomes bound to the name newthm in the current environment� We can save the new theorem inthe current theory �le� so that it can be used in subsequent sessions� Often the result of applying

�

an inference rule is just an intermediate step in a long sequence of steps� Thus we save only thosetheorems that are of special interest� Working in this way step by step is an example of forward proof�The inference rules support this kind of reasoning�In addition to the primitive postulated� inference rules there are a number of derived inference

rules� such as SPEC specialization of universally quanti�ed variables� and IMP TRANS transitivityof implication�� We will not describe the use of inference rules in more detail here� as our examplesdo not use forward proof�

Tactics� tacticals and goal�directed proofs in HOL If we want to prove a theorem whichrequires a long sequence of steps using a forward proof in HOL� we probably have to do an outlineof the proof on paper �rst� Thus HOL works as a proof checker rather than as an interactive proofassistant�It is possible to do interactive proofs in a goal�directed manner using tactics and tacticals� A

tactic is a function which is applied to a goal and reduces it to subgoals� A tactical is a function thatcombines existing tactics into new tactics�A goal is a formalization of a sequent� It is a pair A� t�� where A is a list of assumptions and t

is a term� A goal can be set up using the function set goal� After this� tactics can be applied to thecurrent goal by use of the function expand� The initial goal is given theorem�status if all subgoals areeventually reduced to existing theorems� Many tactics are inverses of a corresponding inference rule�For example� there is a tactic called MP TAC� which takes a theorem t as argument and reduces agoal t to the new goal t � t� A few of the most frequently used tactics are presented in Section ����where they are used in an example proof�We can de�ne new� more complex tactics by means of tacticals� For example� the tactical THEN

is used to combine tactics into a sequence� REPEAT repeats application of a tactic as long as it isapplicable to the resulting goals and ORELSE tries a second tactic if the �rst one fails� The followingis an example of a combined tactic�

�MP TAC THEN REPEAT GEN TAC� ORELSE BETA TACGEN TAC is a tactic which strips o� universal quanti�ers while BETA TAC reduces all beta�redexes��

The user environment When starting a HOL session� an ML environment is set up� Thus the userinteracts with the HOL system through ML� The user can make de�nitions and evaluate expressions�It is also possible to make very intricate tactics� However� this requires quite an amount of ML�hacking�� In the examples of this paper� we do not assume that the reader is familiar with the MLprogramming language�

� The theory of predicates

We now turn to the formalization of the re�nement calculus� We start from predicates� de�ning themin terms of variables and values�

��� A formalization of the basic concepts

Program variables are represented by a special type var and values by a type val� We generally assumethat all programs work with natural numbers� so val can really be seen as an alternative name fornum�Typical program variables are denoted by the letters x and y while values are typically denoted by

the letter d�Since a state is an assignment of a value to each variable� states will be represented by the function

type var�val� which we sometimes abbreviate state� Typical states are denoted by the letter s� Thismeans that a state is a total function from the set of variables to the set of natural numbers� Thus weassume that every program has access to all possible program variables� Uninitialized variables areassumed to be assigned an arbitrary value�

�

We use pred as an abbreviation for the type state�bool� Thus� pred stands for predicates� Notethat we do not assume that a predicate can be expressed as a �rst�order formula� Predicates aretypically denoted by the letters b� p and q�

Sets of variables We represent sets of variables by their characteristic functions� Thus a set ofvariables v has type var�bool� and a variable x belongs to v if and only if v x holds� Sets of variablesare typically denoted by the letter v�

Variable substitutions In some situations we need states with a value substituted for a variable�If s is a state� x a variable and d a value� then s d�x� is the state which di�ers from s only in that itassigns the value d to x� This is formalized by the constant bind� de�ned as

bind d x sdef� �y� ��y�x� �� d j s y�

where b �� x j y is the HOL system�s notation for the conditional expression if b then x else y� Thisde�nition is taken from �Go���� The de�nition is given to the HOL system by typing

�let bind def � new de�nition��bind def���bind d x s � �y� ��y�x� �� d j s y����

The � is the prompt sign of the HOL system� and it results in the new de�nitional theorem

bind d x s � �y� �y�x� �� d j s y����

being saved in the theory �le under the name bind def as well as being bound to the name bind def inthe current environment�

Operators and relations on predicates We now de�ne operators on predicates� correspondingto the logical symbols� constants� connectives and quanti�ers� We de�ne the predicates false and trueof type pred� the unary operator not of type pred�pred� the binary in�x operators and� or and impof type pred�pred�pred and the quanti�er operators exists and forall of type var�pred�pred� Thede�ning theorems are the following�

false def false � �s� Ftrue def true � �s� Tnot def not q � �s� � q sand def p and q � �s� �p s � q s�or def p or q � �s� �p s � q s�imp def p imp q � �s� �p s � q s�exists def exists x p � �s� ��d� �p �bind d x s���forall def forall x p � �s� ��d� �p �bind d x s���

i�e� we lift the connectives and quanti�ers from Bool to Pred� As can be seen above� we name everyde�ning theorem by adding the su�x def to the name of the constant being de�ned�We also de�ne the implication relation implies on predicates�

implies def p implies q � �s� �p s � q s�

The variables of a predicate We say that a predicate p depends on a variable x if there are valuesd and d � such that p�d�x � � p�d ��x �� i�e� if �x �p� � p� Furthermore� p is a predicate on a set ofvariables v if p is independent of x for all variables x that are not in v � These notions are formalizedby the following de�nition� de�ning the two in�x constants indep and pred on�

indep def p indep x � �forall x p � p�pred on def p pred on v � �x� �� v x � p indep x�

Thus p indep x means that the predicate p does not depend on the variable x while p pred on v meansthat p is a predicate on the set v of variables recall that a set of variables is formalized as a functionfrom var to bool��

�

Arithmetic expressions Expressions can be viewed as functions from states to values� Thus weformalize expressions using the type state�val� abbreviated expr� Typical expressions are denoted bythe letter e�

We de�ne the in�x constant indepexp of type expr�var�bool for expressions corresponding to theconstant indep for predicates� The de�ning theorem is

indepexp def e indepexp x � �d� �e � �s� e �bind d x s��

Thus e indepexp x holds if the value of e is independent of the value assigned to variable x�

��� Fixpoints

As we want to de�ne the semantics of the iterative construct� we have to de�ne a �xpoint operatorfor monotonic functions on predicates� For this� we �rst de�ne general conjunctions meets� anddisjunctions joins��

Arbitrary conjunctions and disjunctions As in the case of variables� a set of predicates isformalized as a function of type pred�bool� If P is a set of predicates then the conjunction of allpredicates in P is formalized as glb P� with the de�ning theorem

glb def glb P � �s���p��P p � p s��

Similarly� the disjunction of all predicates in P is lub P� where

lub def lub P � �s���p��P p � p s��

It is straightforward to show that these actually de�ne greatest lower bounds and least upper boundsof sets of predicates see section ��� below�� Also it is straightforward to prove that if P contains onlytwo predicates� p and q� then glb P � p � q and lub P � p � q� so that glb and lub are generalizationsof and and or� respectively�

A least �xpoint operator From the Tarski �xpoint theorem �Ta��� it follows that any monotonicfunction f on a complete lattice L has a least �xpoint� This �xpoint is the meet of the set of elementsx such that f x � � x �

Thus� for functions of type pred�pred we de�ne an operator �x by

�x def �x f � glb ��p���f p� implies p��

and prove see section ��� below� that if f is monotonic then �x f is the least �xpoint of f�

��� Chains� limits and continuity

In order to formalize the concepts of bounded and unbounded nondeterminism we need the notion ofa continuous function on predicates� This in turn requires a formalization of the concept of chains ofpredicates and the limit of a chain�

A sequence of predicates Q��Q�� � � � is formalized as a function from natural numbers to predicates�i�e� it has type num�pred� We use the letter Q to denote sequences of predicates� The concept ofchain ascending sequence� is formalized by the following de�nition�

chain def chain Q � �n���Q n� implies �Q �SUC n���

where SUC is the successor function on the natural numbers�The limit of a chain is formalized by the constant limit�

limit def limit Q � �s� �n� Q n s

making limit Q correspond to the predicate �n�Qn �Finally we formalize the concept of continuity� A function on predicates is continuous if it preserves

limits of chains� Thus we have the following de�nition�

continuous def continuous f � �Q� �chain Q � �f �limit Q� � limit ��n� f �Q n����

�

��� Theorems

We now present a few theorems of the theory pred that we have proved in the HOL system�

Theorems concerning variable substitutions We have proved two theorems concerning vari�ables substitutions� These are

bind twice thm �d d x s� �bind d x �bind d x s� � bind d x s�bind bind thm �d d x y s� ���x�y� � �bind d x �bind d y s� � bind d y �bind d x s���

The �rst theorem states that of successive substitutions to the same variable� only the outermostresults� The second theorem states that substitutions to distinct variables can be made in any order�

In section ��� we show how the second theorem is proved by �rst setting up the theorem as a goaland then applying di�erent tactics�

Theorems concerning predicates We have proved a number of basic properties of the operatorson predicates� Among these are the following�

�� Idempotence� commutativity� associativity and absorption of the operators and and or� Thuspred is a lattice�

� That the implies relation is a partial order i�e� it is re�exive� antisymmetric and transitive�� Itis the partial order induced by the lattice structure�

�� Monotonicity of the operators and and or in their arguments with respect to the implies relation�

�� Theorems showing that true false� is the top bottom� element and that not is the booleaninverse operator on predicates�

All these theorems have straightforward proofs in our formalization�We have further proved two theorems concerning the forall operator� which are counterparts to

the two theorems concerning variables substitutions� given above� These are

forall twice thm �x q� �forall x �forall x q� � forall x q�forall forall thm �x y q� �forall x �forall y q� � forall y �forall x q��

Theorems concerning �xpoints As mentioned above� we have shown that glb actually is a greatestlower bound operator� This is shown by proving in HOL� the following theorems�

glb bound thm �P p� �P p � �glb P� implies p�glb greatest thm �P q� ��p� �P p � q implies p� � �q implies �glb P���

The corresponding theorems for lub are similar�

We can then show that �x is the least �xpoint operator for monotonic functions on predicates�by proving the following two theorems pmonotonic has been de�ned to formalize the concept ofmonotonic function on predicates��

�x fp thm �f� �pmonotonic f � f ��x f� � �x f��x least thm �f p� ��f p� implies p� � ��x f� implies p�

We have also proved the following theorem� useful for showing that a predicate is indeed the least�xpoint of a function�

�x char thm �f q� �pmonotonic f � �f q� implies q � �p���f p� implies p � q implies p�� q � �x f�

��� Example proof of a theorem

We show the proof of the theorem bind bind thm of section ���� All the lines starting with the promptcharacter � are supplied by the user� while all the other lines are the HOL system�s responses� Wehave replaced the HOL syntax ASCII characters for logical symbols with the ordinary logical symbolsto make the dialogue more readable� Note that in the HOL syntax� the scope of quanti�ers extendsas far to the right as possible� thus quanti�ers bind weaker than other connectives�

After starting up the HOL system and setting up the theory of predicates as the current theorywe set up the goal�

� set goal� ����m n y z s� ��y�z� � �bind m y �bind n z s� � bind n z �bind m y s������

Now we expand the goal� using �rst the STRIP TAC tactic� which is repeated as long as it results�and then the REWRITE TAC tactic� using the de�nition of the constant bind�

� expand�REPEAT STRIP TAC THEN REWRITE TAC bind def����

Since STRIP TAC strips universal quanti�ers and undischarges assumptions� this results in thefollowing sequent the new goal is written in quotes� and the current assumptions below in brackets��

���v� ��v � y� �� m j ��v� ��v � z� �� n j s v��v��� �v� ��v � z� �� n j ��v� ��v � y� �� m j s v��v��� ���y�z���

The goal now is an equality between two functions� We expand further� using the conversionFUN EQ CONV which converts a term �f � g� to the theorem ��f � g� � ��x� f x � g x�� and thenBETA TAC which makes beta�reductions i�e� changes lambda�applicating terms of type ���x� f x�y�to �f y��

� expand�CONV TAC FUN EQ CONV THEN BETA TAC���OK����x� ��x � y� �� m j ��x � z� �� n j s x�� ���x � z� �� n j ��x � y� �� m j s x��� ���y�z���

Now we apply the conversion EQ COND CONV which makes a case split using a conditional withthe pattern �t� � t�� �� t� j t� present in the goal�

� expand�CONV TAC EQ COND CONV THEN REPEAT STRIP TAC���OK��� subgoals���x � y� �� m j ��x � z� �� n j s x�� � ��x � y� �� m j s x��

���y�z��� ���x�z���

���x � y� �� m j ��x � z� �� n j s x�� � n� ���y�z��� ��x�z���

This expansion resulted in two subgoals�The HOL system assumes that we start working with thesecond subgoal �rst� The tactic ASM REWRITE TAC now rewrites the goal using the assumptionsand the theorems supplied in the argument list� SYM CONV is a conversion which converts a term�t� � t�� into the theorem � �t� � t�� � �t� � t���� The dialogue continues as follows�

� expand�ASM REWRITE TAC SYM CONV �z�y�����OK��goal proved

��

��� j� ��x � y� �� m j ��x � z� �� n j s x�� � n

Previous subproof����x � y� �� m j ��x � z� �� n j s x�� � ��x � y� �� m j s x��

���y�z��� ���x�z���

We succeded in proving the second subgoal� For the �rst subgoal we simply rewrite� using theassumptions�

� expand�ASM REWRITE TAC ����OK��goal proved� j� ��x � y� �� m j ��x � z� �� n j s x�� � ��x � y� �� m j s x��� � �j� �m n y z s� ��y�z� � �bind m y �bind n z s� � bind n z �bind m y s��

Previous subproof�goal proved

In the place of the � � � the HOL system really prints all the goals of the goal stack that were provedby the last expansion� The important one is the goal on the top of the stack� the initial goal� We savethis theorem� giving it the name bind bind thm and at the same time binding it to the same name inthe current environment�

� let bind bind thm � save top thm �bind bind thm���

This example shows how the initial goal is reduced step by step until all subgoals are proved byexisting theorems� Every time we expand a goal the resulting goals are added to the goal stack� It isalso possible to undo expansions� by giving the command

� backup����

� The theory of commands

We now create a new theory� representing the program statements by a new primitive recursive typecmd� We call the statements in our formalization �commands�� thus making a distinction between thestatements and their formalization in the theory in HOL� Our theory has the theory of predicates asa parent in addition to the basic HOL theory��

��� Commands and their weakest preconditions

The HOL system has a package for de�ning recursive types �Me���� The user inputs a kind of BNFgrammar for the type and the system then automatically proves some basic theorems about the type�The commands are written in our formalization as follows�

assign x e for x �� eupdate x p for x �passert b for fbgseq c c for c� c�

if b b c c for ifb� c��b� � c� �do b c for dob� c od

The syntax of a command de�nes its type� For example the constant assert has type pred�cmdshowing that if b is a predicate then assert b is a command�

��

De�nition of weakest precondition The weakest precondition semantics is given by introducingan recursively de�ned function wp of type cmd�pred�pred� The weakest preconditions of the di�erentbasic commands are thus de�ned as follows�

wp �assign x e� q � �s��q �bind �e s� x s��wp �update x p� q � �exists x p� and �forall x �p imp q��

wp �assert b� q � b and qwp �seq c c� q � wp c �wp c q�

wp �if b b c c� q � �b or b� and �b imp �wp c q�� and �b imp �wp c q��wp �do b c� q � �x ��p� ��b and �wp c p�� or ��not b� and q���

these de�nitions actually constitute the single de�ning theorem wp def� see section �� ��Now the healthiness concepts can be de�ned� strictness� monotonicity� conjunctivity and bound�

edness�

strict def strict c � �wp c false � false�monotonic def monotonic c � �p q��p implies q � �wp c p� implies �wp c q��conjunctive def conjunctive c � �p q��wp c �p and q� � �wp c p� and �wp c q��bounded def bounded c � continuous �wp c�

Finally� we de�ne a function free in recursively over the commands� It is de�ned so that x free inc holds whenever the command c mentions the variable x or some predicate or expression mentionedin c depends on x� However� the local variable in a block is not free in the block�

Section �� � shows how the de�nitions are given to the HOL system�

Structural induction The package for de�ning recursive types provides an automatic proof of astructural induction theorem� For the type cmd� this theorem states that any property that holdsfor the primitive commands assign� update and assert� and that is preserved by the constructorssequential composition� conditional composition and iteration� holds for all commands� This theoremis given the name cmd induct� It is shown below�

��� Setting up the theory of commands in HOL

We now show how the theory of commands is created�First� we give the new theory the name ref� It automatically has the basic theory HOL as a parent�

to this we add the theory of predicates� pred�

�new theory �ref����new parent �pred���

Now the type of commands is de�ned recursively� The �rst argument to the function de�ne type is thename of the new type while the second argument is a BNF�style grammar de�ning the type the cmdto the left of the equal sign indicates that the de�ning theorem is given the name cmd�� The resultingtheorem shows how the type de�nition package �Me��� represents recursive types in the HOL system�

�let cmd � de�ne type �cmd�� �cmd � assert pred� j assign var expr� j update var pred� j seq cmd cmd� j if pred pred cmd cmd� j do pred cmd� j block var cmd���cmd � �f� f� f� f� f� f� f���� fn���f� fn�assert f� � f� f� �

�

��v f� fn�assign v f� � f� v f� ���v f� fn�update v f� � f� v f� ���c c� fn�seq c c� � f��fn c��fn c�c c� ���f f c c� fn�if f f c c� � f��fn c��fn c�f f c c� ���f c� fn�do f c� � f��fn c�f c� ���v c� fn�block v c� � f��fn c�v c�

Next the theorem of structural induction for commands is proved automatically�

� let cmd induct � prove induction thm cmd��cmd induct � �P���f� P�assert f�� ���v f� P�assign v f�� ���v f� P�update v f�� ���c c� P c � P c � P�seq c c�� ���c c� P c � P c � ��f f� P�if f f c c��� ���c� P c � ��f� P�do f c��� ���c� P c � ��v� P�block v c��� ���c� P c�

The function wp is de�ned recursively� with the HOL system checking that the de�nition is consistent�The arguments to the function new recursive de�nition are a �ag false shows that wp is not an in�x��the name of the underlying type� the name of the de�nition and �nally the de�ning expression�

� let wp def � new recursive de�nition false cmd �wp def�� ��wp �assert b� q � b and q� �� �wp �assign y e� q � ��s�state�� q �bind �e s� y s�� �� �wp �update y p� q � �exists y p� and �forall y �p imp q��� �� �wp �seq c c� q � wp c �wp c q�� �� �wp �if b b c c� q �� �b or b� and �b imp �wp c q�� and �b imp �wp c q��� �� �wp �do b c� q � �x ��p� �b and �wp c p�� or ��not b� and q��� �� �wp �block y c� q � forall y �wp c �forall y q������wp def ���b q� wp�assert b�q � b and q� ���y e q� wp�assign y e�q � ��s� q�bind�e s�y s��� ���y p q� wp�update y p�q � �exists y p� and �forall y�p imp q��� ���c c q� wp�seq c c�q � wp c�wp c q�� ���b b c c q�wp�if b b c c�q ��b or b� and ��b imp �wp c q�� and �b imp �wp c q���� �

��b c q� wp�do b c�q � �x��p� �b and �wp c p�� or ��not b� and q��� ���y c q� wp�block y c�q � forall y�wp c�forall y q����

The concept of free variables of a command is now formalized by the de�nition of the in�x free in�In the de�nition the constant free in cannot be used as an in�x� instead it is used as a pre�x with aleading � indicating that it is actually not a pre�x�

�let free def � new recursive de�nition true cmd �free def�� ���free in y �assert b� � �b indep y� �� ��free in z �assign y e� � �y�z� � �e indepexp z� �� ��free in z �update y p� � �y�z� � �p indep z� �� ��free in y �seq c c� � �free in y c � �free in y c� �� ��free in y �if b b c c� �

�b indep y � �b indep y � �free in y c � �free in y c� �

��

� ��free in y �do b c� � �b indep y � �free in y c� �� ��free in z �block y c� � ��y�z� � �free in z c����

free def ���y b� y free in �assert b� � �b indep y� ���z y e� z free in �assign y e� � �y � z� � �e indepexp z� ���z y p� z free in �update y p� � �y � z� � �p indep z� ���y c c� y free in �seq c c� � y free in c � y free in c� ���y b b c c� y free in �if b b c c� � �b indep y � �b indep y � y free in c � y free in

c� ���y b c� y free in �do b c� � �b indep y � y free in c� ���z y c� z free in �block y c� � ��y � z� � z free in c�

Now the four healthiness properties are formalized�

� let strict def � new de�nition��strict def�� �strict c � �wp c false � false�����strict def � �c� strict c � �wp c false � false�� let monotonic def � new de�nition��monotonic def���monotonic c � �p q� p implies q � �wp c p� implies �wp c q�����

monotonic def � �c� monotonic c � ��p q� p implies q � �wp c p� implies �wp c q��� let conjunctive def � new de�nition��conjunctive def���conjunctive c � �p q� ��wp c p� and �wp c q�� implies �wp c �p and q������

conjunctive def � �c� conjunctive c � ��p q� ��wp c p� and �wp c q�� implies �wp c�p and q���

� let bounded def � new de�nition��bounded def�� �bounded c � continuous �wp c�����bounded def � �c� bounded c � continuous�wp c�

��� Derived commands

The commands skip and abort and the nondeterministic assignment command nondetass are de�nedas in section ���

skip def skip � assert trueabort def abort � assert falsenondetass def nondetass x x p � block x �seq �update x p� �assign x ��s�s x���

We prove that they have the following weakest preconditions�

skip thm wp skip q � qabort thm wp abort q � falsenondetass thm wp �nondetass x x p� q � �exists x p� and

��s���d� ��p �bind d x s� � q �bind d x s���

we omit the universal quanti�cation of q for readability��General sequential composition� conditional composition and iteration are de�ned recursively� We

formalize a sequence of commands as a function of type num�cmd� A �nite sequence c��c��� � ��cn isthen formalized by the constant Seq of type num��num�cmd��cmd the �rst argument indicatingthe length of the sequence�� by the following de�ning theorem�

Seq def �Seq � C � skip� ��Seq �SUC n� C � seq �Seq n C� �C �SUC n���

Thus an empty sequence is equal to skip� This is natural since s�kip is the neutral element for sequential

composition in our speci�cation language�To de�ne general conditional composition we have to de�ne the disjunction of a �nite sequence

of predicates� This is done by a construction� similar to that of the sequential composition above�Sequences of predicates have type num�pred and we de�ne the constant gg as

��

gg def �gg � B � false� ��gg �SUC n� B � �gg n B� or �B �SUC n���

Now general conditional composition is formalized by the constant If� the de�ning theorem is�

If def �If � B C � abort� ��If �SUC n� B C � if �gg n B� �B �SUC n�� �If n B C� �C �SUC n���

General iteration is de�ned in terms of general conditional composition� formalized by the constantDo�

Do def Do n B C � do �gg n B� �If n B C�

It is straightforward to prove that Seq� If and Do are extensions of seq� if and do� proving the followingtheorems

Seq � C � seq �C �� �C �� If � B C � if �B �� �B �� �C �� �C �� Do � B C � do �B �� �C ��

Furthermore� we de�ne the two�way iteration command� giving it the name do�� The de�ningtheorem is

do� def do� b b c c � do �b or b� �if b b c c��

and it is straightforward to prove that this is a special case of Do�

Do � B C � do� �B �� �B �� �C �� �C ��

��� Healthiness conditions

We have proved the three healthiness properties for almost� all commands using the HOL system�These are

�� Strictness of all commands

� Monotonicity of all commands� and

�� Conjunctivity of all commands� actually� we have not managed to prove this for do in theunbounded case��

The following frame condition� stating that wp preserves the variable environment of its arguments�has also been proved�

frame thm �c v q��c cmd on v � q pred on v � �wp c q� pred on v�

The frame condition is important when reasoning about local variables in blocks�

��� Bounded nondeterminism

Within our formalization we have proved that Dijkstra�s classical de�nition for the weakest precondi�tion of do for the bounded case � holds� The H �function is formalized by the constant H with typenum�pred�cmd�pred�pred given by the following de�ning theorem�

H def �H � b c q � �not b� and q� ��H �SUC n� b c q � ��not b� and q� or �wp �seq �assert b� c� �H n b c q���

and the theorem giving wp for do in the bounded case is

do bounded thm bounded c � �wp �do b c� � �s� �n� H n b c q s�

We have also shown that assert and assign are bounded and that boundedness is preserved by seq�if and do� Thus unbounded nondeterminism can be introduced only by update and block�

��

� The re�nement relation

We now turn to the re�nement relation between commands� We �rst de�ne the re�nement relation inthe ordinary way� i�e� as the pointwise extension of the implies relation on predicates� As we assumea �xed variable environment we cannot in general assume that local variables of commands are drawnfrom outside this �xed set of variables� This means that we have to de�ne a second re�nement relationwhich takes into account the global set of variables within which the re�nement holds�

��� Re�nement without variable environment

De�nition of the general re�nement relation The general re�nement relation ref is an in�x oftype cmd�cmd�bool� The de�ning theorem is

ref def c ref c � �q� ��wp c q� implies �wp c q��

The re�nement relation is easily shown to be a preorder� i�e� re�exive and transitive� The equiva�lence relation � induced by the re�nement relation is formalized as req�

req def c req c � c ref c � c ref c

Re�nement rules We have proved a number of simple re�nement rules in our formalization� In thefollowing we present some of these rules we generally omit the outermost universal quanti�cations ofc� c� b� b and q� to increase readability��

�� Rules stating that abort is re�ned by any command and that a skip command can be droppedfrom any sequence of commands�

abort ref c �seq skip c� req c �seq c skip� req c

� Rules for deleting� weakening and adding context assertions�

�assert b� ref skip �b implies b� � �assert b� ref �assert b� �wp c q � true� � c ref �seq c �assert q��

�� The rule for loop unfolding�

�do b c� req �if b �not b� �seq c �do b c�� skip�

�� The rule for explicitly choosing an enabled branch of an if�command�

�seq �assert b� �if b b c c�� ref c

and the corresponding rule for the do��command�

�seq �assert b� �do� b b c c�� ref �seq c �do� b b c c��

The rule for introducing and deleting local variables has proved important when developing parallelalgorithms from sequential algorithms� This rule states that if the statement S does not mention thevariable x then the re�nement equivalence S � �var x� S� holds� However� it does not hold in ourformalization� As noted above� we have to consider re�nement with respect to some speci�c set ofglobal variables to be able to deal with local variables�

��

��� Re�nement with respect to a �xed variable environment

De�nition of the re�nement relation The re�nement relation with respect to some �xed variableenvironment is called refv and is of type �var�bool��cmd�cmd�bool� The de�ning theorem is

refv def refv v c c ���x� x free in c � v x� � ��x� x free in c � v x� ���q� q pred on v � �wp c q� implies �wp c q��

Thus refv is a re�nement relation within a �xed variable environment v� It holds between commandsc and c i�

�� the variables of both c and c are in v� and

� for all predicates q on v� wp c q implies wp c q�

The re�nement relation refv is easily shown to be re�exive and transitive� Its correspondingequivalence relation is called reqv�

The relation between ref and refv is shown by the following two theorems�

c ref c � refv ��x�T� c c �c cmd on v� � �c cmd on v� � �c ref c� � refv v c c

Here ��x�T� is the variable environment consisting of all variables mapping all variables to truth�while c cmd on v holds whenever all free variables of c are in v� Thus the �rst theorem states thatgeneral re�nement is the same as re�nement with respect to the environment containing all variables�The second theorem states that within a �xed variable environment� ref implies refv�

Re�nement rules The re�nement rules proved for ref hold for refv also� Furthermore� we haveproved a rule for introducing local variables� stating that a variable x not belonging to the variableenvironment v can be introduced�

�c cmd on v� � ��v x� � refv v c �block x c��

The proof of this rule rests on the frame condition ���

��� Example proof of a re�nement rule

As an example of how re�nement rules are proved we show the proof of the rule for explicitly choosingan enabled branch of an if�command�

First the goal is set up�

�set goal� ����b b c c� �seq �assert b� �if b b c c�� ref c������b b c c� �seq �assert b� �if b b c c�� ref c�

Now we do a rewriting� using the de�nitions of ref and wp� This moves us down to the level ofpredicates�

�expand�REWRITE TAC ref def�wp def����OK���� b b c c��b and ��b or b� and ��b imp �wp c q�� and �b imp �wp c q����� implies �wp c q��

Next we rewrite using the de�nitions of and� or� imp and implies� moving us down to the level of bool�

�expand�REWRITE TAC and def�or def�imp def�implies def����OK���� b b c c s���s��b s���s���s�b s�b s�s���s���s�b s��wp c q�s�s���s�b s��wp c q�s�s�s�s�s� �wp c q�s�

��

We now have an expression with beta�redexes that can be reduced using BETA TAC� After this weuse a standard combination� REPEAT STRIP TAC removes universal quanti�ers and undischargesassumptions� RES TAC applies modus ponens to assumptions and ASM REWRITE TAC rewritesusing assumptions� This combination often solves �rst�order tautologies�

�expand�BETA TAC THEN REPEAT STRIP TAC THEN RES TACTHEN ASM REWRITE TAC ����

OK��goal proved

Thus the theorem is proved�

� Proving re�nements of actual program texts

The re�nement rules proved in the previous section were general rules� not involving any speci�cvariables or data� In this section we show how a simple re�nement of an actual program text can bemade using the formalization of the re�nement calculus presented in this paper�

When doing re�nements to actual program texts we have to work with the properties of datatypes� Our example uses natural numbers� and we can use the existing theory num that is a part ofthe basic HOL�theory�

�� Formalizing a program re�nement

Assume that X �Y and Z are program variables we use capital letters to avoid confusion betweenprogram variables and meta�variables�� We want to show that the following re�nement holds�

X �� X � Y � X �� X � Z � X �� X �Y � Z

Although this is a very simple fact� formalizing and proving it will show quite well how the formal�ization is used in practice and some problems in connection with re�ning actual program texts�We �rst have to express the problem in our formalization� We want to prove that

�seq �assign X �s��s X s Y�� �assign X �s��s X s Z���req �assign X �s��s X s Y s Z��

so we set this up as our goal�

�set goal� ����seq�assign X��s�s X s Y���assign X��s�s X s Z��� req� �assign X��s�s X s Y s Z��������seq�assign X��s� �s X� �s Y����assign X��s� �s X� �s Z���� req�assign X��s� �s X� ��s Y� �s Z�����

�� Proving the re�nement

The proof mainly consists of rewriting using the de�nitions of req� wp and the associativity of addition�However� the following lemmas that have been proved earlier are needed�

�� The theorem req thm�

�c c� �c req c � � q� �wp c q � wp c q��

stating that two commands are re�nement equivalent if and only if their weakest preconditionpredicate transformers are equal�

� the theorem fun eq lemma�

�x y� ���f��f x � f y�� � �x � y�

��

where the function f has the polymorphic type ��bool this theorem is a formulation of Leibnitz�principle of identity��

�� The theorem var distinct� which states that variables with distinct names are distinct� and

�� The theorem ADD ASSOC�

�m n p� m �n p� � �m n� p

stating the associativity of addition on the natural numbers�

We have proved the two �rst theorems� the third one is proved automatically when de�ning the typeof variables� while the fourth one is a pre�proved theorem part of the basic HOL theory��

We begin by rewriting using req thm and the de�nition of wp� beta�reducing� removing univer�sal quanti�ersGEN TAC� and using extensional equality of functions we have de�ned the tacticFUN TAC so that it reduces a goal f � g to the goal f x � g x� doing a beta�reduction if it is possible�

�expand�REWRITE TAC req thm�wp def� THEN BETA TAC THEN GEN TAC THENFUN TAC���

OK���q �bind ��bind��f X��f Y��X f X� �bind��f X��f Y��X f Z�� X �bind��f X��f Y��X

f��� q�bind��f X� ��f Y� �f Z���X f��

Now we generalize on the predicate q and rewrite using fun eq lemma� This way q disappears fromthe goal�

�expand�SPEC TAC��q���q�� THEN REWRITE TAC fun eq lemma����OK���bind ��bind��f X� �f Y��X f X� �bind��f X� �f Y��X f Z�� X �bind��f X� �f Y��X

f�� bind��f X� ��f Y� �f Z���X f�

Next we rewrite using the de�nition of bind and simplify the resulting expression by beta�reducingand using extensional equality of functions�

�expand�REWRITE TAC bind def� THEN BETA TAC THEN FUN TAC���OK�����v � X� �� ��X � X� �� �f X� �f Y� j f X� ��Z � X� ��

�f X� �f Y� j f Z� j ��v � X� �� �f X� �f Y� j f v��� ��v � X� �� �f X� ��f Y� �f Z�� j f v��

Now we can simplify using the fact that X and Z are distinct SYM CONV �Z�X� produces thetheorem �Z�X���X�Z� used for rewriting the goal��

�expand�REWRITE TAC SYM CONV �Z�X��var distinct����OK�����v � X� �� ��f X� �f Y�� �f Z� j ��v � X� �� �f X� �f Y� j f v�� ���v � X� �� �f X� ��f Y� �f Z�� j f v��

Now follows a case split� then rewriting using the assumptions the case ��v�X� gives the goal f v �f v which is proved immediately� so only the case �v�X� remains��

�expand�ASM CASES TAC �v�X� THEN ASM REWRITE TAC ����OK�����f X� �f Y�� �f Z� � �f X� ��f Y� �f Z���

�v � X� �

The �nal step is a rewriting using the associativity of addition�

�

�expand�REWRITE TAC ADD ASSOC����OK��goal proved��� �seq�assign X��s� �s X� �s Y����assign X��s� �s X� �s Z���� req

�assign X��s� �s X� ��s Y� �s Z����

Previous subproof�goal proved�� � void

� Conclusions

We have shown how the re�nement calculus can be formalized in the HOL system the HOL�� ver�sion�� The formalization has been done in two steps� The �rst step is a formalization of the theoryof the complete boolean lattice of predicates over a given set of variables� The second step is the for�malization of commands� weakest preconditions and re�nement� This has been accomplished withoutintroducing any new axioms� only de�nitions using existing concepts� Thus the theory is guaranteedto be consistent �Go���� In this formalization we have proved a number of basic re�nement rules�that are useful when doing re�nements to actual program texts� We concluded with a small example�showing how a re�nement of a program text is proved correct within our formalization�

Case studies have shown that the re�nement calculus is a powerful tool for developing algorithmsfrom speci�cations and for transforming sequential algorithms into parallel algorithms� However� thecorrectness proofs are often long� involving large amounts of routine work with proof details� Thisshows the potential use of our formalization of the re�nement calculus� the mechanized proofs usingthe HOL system are guaranteed to be correct provided that the de�nitions of the concepts capturetheir intended meaning��

The syntax of our formalization is quite awkward� It would be nice to have a parser�pretty�printerthat would allow the user to enter program texts using the ordinary syntax� Such an interface ispossible to make� but it has to be tailored to the speci�c speci�cation language syntax used and forthe present version of the HOL system� it must be coded in LISP� An example of a similar interfaceis described in �Go����

The example in section � shows that even a simple re�nement requires quite a long proof thisis the case especially when assignments are involved�� Thus there is a need for a hierarchy of pre�proved general re�nement rules in combination with a user�interface that permits the user to do largerre�nements in an interactive manner� This will be the focus of future work�

References

�Ba��� R�J�R� Back� On the Correctness of Re�nement in Program Development� Ph�D� thesis� Re�port A������� Department of Computer Science� University of Helsinki� ����

�Ba�� R�J�R� Back� Correctness Preserving Program Re�nements� Proof Theory and Applications�Mathematical Centre Tracts ���� Mathematical Centre� Amsterdam ����

�Ba��a� R�J�R� Back� A Calculus of Re�nements for Program Derivations� Acta Informatica� Vol� �� No� �� ���� � �����

�Ba��b� R�J�R� Back� Re�ning atomicity in parallel algorithms� Conference on Parallel Architecturesand Languages Europe �� also available as Reports on Computer Science and Mathematics��� Abo Akademi �����

�

�BaSe�� R�J�R� Back� K� Sere�Stepwise Re�nement of Action Systems� Conference on the Mathe�matics of Program Construction� Enschede� june ��� Lecture Notes in Computer Science ����Springer ���

�BaWr�� R�J�R� Back� J� von Wright� A Lattice�theoretical Basis for a Speci�cation Language�Conference on the Mathematics of Program Construction� Enschede� june ��� Lecture Notesin Computer Science ���� Springer ���

�Di��� E�W� Dijkstra� A Discipline of Programming� Prentice Hall ����

�DiGa��� E�W� Dijkstra� A�J�M� van Gasteren� A Simple Fixpoint Argument without the Restrictionto Continuity� Acta Informatica �� ���� ����

�GaMo��� P� Gardiner� C� Morgan� Data Re�nement of Predicate Transformers� manuscript ����accepted by Theoretical Computer Science�

�Go��� M� Gordon� HOL� A Proof Generating System for Higher�Order Logic� Techn� Rep� ���Computer Lab�� University of Cambridge� ����

�Go��� M� Gordon� Mechanizing Programming Logics in Higher�Order Logic� Techn� Rep� ����Computer Lab�� University of Cambridge� ����

�GoMiWa�� M� Gordon� R Milner� C� Wadsworth� Edinburgh LCF� A Mechanised Logic of Com�putation� Lecture Notes in Computer Science� Vol ��� Springer Verlag ���

�Gr��� D� Gries� Science of Programming� Springer Verlag ����

�Me��� T� Melham� Automating Recursive Type De�nitions in Higher Order Logic� Techn� Rep����� Computer Lab�� University of Cambridge� ����

�Morg�� C� Morgan� Programming from Speci�cations� Manuscript ���

�MoRoGa��� C� Morgan� K�A� Robinson� P�H� Gardiner� On the Re�nement Calculus� TechnicalReport PRG���� Programming Research Group� Oxford ����

�Morr��� J� Morris� A Theoretical Basis for Stepwise Re�nement and the Programming Calculus�Science of Programming� ����� �������

�Pa�� D� Park� On the Semantics of Fair Parallelism� Lecture Notes in Computer Science� Vol� ����Springer Verlag ����

�So��� S� Sokolowsky� Soundness of Hoare�s Logic� An Automated Proof Using LCF� ACM Transac�tions on Programming Languages and Systems� Vol� � No� � ����� ����� ��

�Wr�� J� von Wright� Stepwise Derivation of a Parallel Matrix Multiplication Algorithm� Manuscript���

�