Answers B Method

1
The B-method: an Introduction

Sample solutions to exercises
This document contains sample solutions to the exercises in the book The
B-Method: an Introduction by Steve Schneider.
Steve Schneider
S.Schneider@rhul.ac.uk
June 2001
The B-Method: an Introduction

Sample solutions to exercises from Chapter 1
Exercise 1.1
reset =
b
PRE true
THEN serve , next := 0 , 0
END
Exercise 1.2
MACHINE Ticket
VARIABLES serve , next
INVARIANT serve N next N serve next next 501
INITIALISATION serve , next := 0 , 0
OPERATIONS
ss - serve next =
b
PRE serve < next
THEN ss , serve := serve + 1 , serve + 1
END
tt - take ticket =
b
PRE next 500
THEN tt , next := next , next + 1
END
END
Exercise 1.3
nn - query =
b
PRE true
THEN nn := next serve
END
Exercise 1.4
MACHINE Ticket14
VARIABLES serve , next , record
INVARIANT serve N next N record N serve next
INITIALISATION serve , next , record := 0 , 0 , 0
OPERATIONS
ss - serve next =
b
PRE serve < next
THEN ss , serve , record := serve + 1 , serve + 1 , 0
END
tt - take ticket =
b
PRE true
THEN tt , next , record := next , next + 1 , record + 1
END
rr - query record =
b
PRE true
THEN rr := record
END
END
Exercise 1.5
MACHINE Ticket
VARIABLES serve , next , lim
INVARIANT serve N next N lim N serve next next lim
INITIALISATION serve , next , lim := 0 , 0 , 500
OPERATIONS
ss - serve next =
b
PRE serve < next
THEN ss , serve := serve + 1 , serve + 1
END
tt - take ticket =
b
PRE next < lim
THEN tt , next := next , next + 1
END
limit ( nn ) =
b
PRE nn N next nn
THEN lim := nn
END
END
Exercise 1.6
No, this operation is not consistent with the invariant of the Ticket machine,
since it may be called in the state in which serve and next are both 0. It can be
made consistent by strengthening the precondition to serve > 0.
Exercise 1.7
MACHINE CarPark
VARIABLES contents
INVARIANT contents N contents 640
INITIALISATION contents := 0
OPERATIONS
enter =
b
PRE contents < 640
THEN contents := contents + 1
END
leave =
b
PRE contents > 0
THEN contents := contents 1
END
nn - query =
b
PRE true
THEN nn := contents
END
END

Exercise 2.1
1. { {}, {fred}, {ginger }, {fred, ginger }, {harold},
{fred, harold}, {ginger , harold}, {fred, ginger , harold}}
2. { (fred, fred), (fred, ginger ), (fred, harold),
(ginger , fred), (ginger , ginger ), (ginger , harold),
(harold, fred), (harold, ginger ), (harold, harold)}
3. 512(= 29 )
4. 256(= 2( 23 ))
Yes to both questions: {{fred}, {ginger }} PPMEMBER, and {{fred, ginger }}
PPMEMBER.
Exercise 2.2
{} {home, work} = {}. S T = T S if S = {} or T = {} or S = T .
Exercise 2.3
This is the set of cubes of size less than 100, which is { 0, 1, 8, 27, 64 }
Exercise 2.4
1. always true
2. not always true
3. always true
4. always true
5. not always true
6. always true
7. always true

Exercise 3.1
0, {}
0, {olly}
0, {pat }
0, {olly, pat }
1, {}
1, {olly}
1, {pat }
1, {olly, pat }
2, {olly, pat }
2, {olly}
2, {pat }
2, {}
0, {}
0, {}
0, {olly}
0, {olly}
0, {pat }
0, {pat }
0, {olly, pat }
1, {}
0, {olly, pat }
1, {}
1, {olly}
1, {olly}
1, {pat }
1, {pat }
1, {olly, pat }
1, {olly, pat }
2, {olly, pat }
2, {olly, pat }
2, {olly}
2, {olly}
2, {pat }
2, {pat }
2, {}
2, {}
Exercise 3.2
0, 0
0, 0
0, 1
0, 1
0, 2
0, 2
1, 0
1, 0
1, 1
1, 1
1, 2
1, 2
2, 0
2, 0
2, 1
2, 1
2, 2
2, 2
The states which reach a state in which x+y = 2 are (0, 2), (2, 2), (1, 2), (2, 1), (2, 0).
By calculation, we obtain:
[ IF x < y THEN y := y x ELSE x := x y END ](x + y = 2)
=
(x < y [y := y x](x + y = 2))
> 2 [x := x y](x + y = 2))

(x < y x + y x = 2)
(x > y x y + y = 2)
(x < y y = 2) (x > y x = 2)
(x
=
=
=
max(x, y) = 2
which yields the same states as obtained directly from the relation.
Exercise 3.3
IF E1 THEN S1
ELSIF E 2 THEN S2
ELSIF ...
P
ELSIF En THEN Sn
ELSE Sn+1
END
E1 [S1 ]P
(E1 E2 ) [S2 ]P
=
...
(E1 ... En1 En ) [Sn ]P
(E1 E2 ... En ) [Sn+1 ]P
Exercise 3.4
6 next
2. serve + new 6 next + 1
1. serve + new
3. z.(z N 7 < z 2 ) (= false)

4. house set {x, y} (x 1)..(y + 1) = house set x 1..y + 1
5. num = card(house set )
6. house set old set {new}
Exercise 3.5
If i is even then it sets ans to even, otherwise it sets it to odd. The weakest
precondition for it to establish that ans = even is that i mod 2 = 0.
Exercise 3.6
That (i + 2)/3 is not 2 or 3; i.e. that i < 4 or that i > 9.

Exercise 4.1
allmags =
b
PRE true
THEN magazines := papers
END
This operation is consistent with the invariant of Paperround.

Exercise 4.2
removehouse(hh) =
b
PRE hh papers
THEN papers := papers {hh} || magazines := magazines {hh}
END
The proof obligations for this operation are given by instantiating I P

[S ]I : in this case, that
6 60) hh papers
[papers := papers {hh} || magazines := magazines {hh}]
(papers 1..163 magazines papers card(papers) 6 60)
(papers 1..163 magazines papers card(papers)
or, using the weakest precondition rule for assignment, that

(papers 1..163 magazines papers card(papers)
6 60) hh papers
(papers {hh} 1..163 magazines {hh} papers {hh}

card(papers {hh})
6 60)
which is true by elementary logic and set theory.

Exercise 4.3
The operations addmagazine and remove are not consistent with the new
invariant. Their preconditions require strengthening, for example as follows:
addmagazine ( hh ) =
b
PRE hh papers card ( magazines ) < card ( papers ) / 2
THEN magazines := magazines { hh }
END
remove ( hh ) =
b
PRE hh 1 . . 163
card ( magazines { hh } ) card ( papers { hh } ) / 2
10
THEN
papers := papers { hh } k magazines := magazines { hh }
END
Exercise 4.4
The operation board is consistent with the invariant of Bus. The other two
operations, buy and double are not consistent.
The machine can be amended by strengthening the invariant so that tickets
passengers is a clause; and by altering the precondition of buy to ensure the
(new) invariant is met, resulting in the following machine:
MACHINE Bus
VARIABLES tickets , passengers
INVARIANT tickets N passengers N tickets passengers
INITIALISATION tickets , passengers := 0 , 0
OPERATIONS
buy ( mm ) =
b
PRE mm N tickets + mm passengers
THEN tickets := tickets + mm
END
board ( nn ) =
b
PRE nn N
THEN passengers := passengers + nn
END
double =
b
PRE true
THEN tickets , passengers := 2 tickets , 2 passengers
END
END
With the additional clause passengers

tickets + 45 in the invariant, the
operations board and double which increase the number of passengers require stronger preconditions to prevent violation of this new clause. The new
precondition for board is
nn N passengers + nn
6 tickets + 45
The new precondition for double is

passengers
6 tickets + 22
11

Exercise 5.1
The proof obligations are:
1. ITEM , sample, num.ITEM {} sample ITEM num N num >
card(ITEM ). This proof obligation is true. Observe that the set ITEM must
be non-empty, and is an implicit clause of the constraint.
2. (ITEM {} sample ITEM num N num > card(ITEM ))
storage.storage N1 storage
num. This proof obligation is also
true.
3. (ITEM {} sample ITEM num N num > card(ITEM )

storage N1 storage
num) existscurrent , nextprevious.current
ITEM next ITEM previous ITEM next previous. This proof
obligation is not true in the case where ITEM is a singleton set. Thus it is
not universally true, and hence the machine clauses are not all consistent.
Exercise 5.2
>
The initialisation is consistent with the invariant, constraints and properties,

since num 2 follows from them.
input is not consistent, since nn = next is a permitted input, resulting in
a state which violates the invariant.
output is not consistent, since it also reaches a state in which next
current , violating the invariant.
increment is consistent.
12

Exercise 6.1
1.
ian
eggs
jim
cheese
ken
salad
lisa
pizza
eats
C eats = {ian eggs, ian cheese, ian pizza}

3. {jim}
C eats = { ian eggs, ian cheese, ian pizza
2. {ian}
ken pizza, lisa cheese, lisa salad, lisa pizza}
B {cheese, pizza} = { ian cheese, ian pizza,

}
ken pizza, lisa cheese, lisa pizza
5. dom(eats C {eggs}) = {ian, jim}
6. dom(eats C {eggs, pizza})
7. dom(eats C {cheese}) dom(eats C {pizza})
4. eats
Exercise 6.2
1. eats[{ian, lisa}] = {eggs, cheese, pizza, salad}
2. eats 1 = { eggs ian, cheese ian, pizza ian,
eggs jim, salad jim, pizza ken,
cheese lisa, salad lisa, pizza lisa}
3. eats 1[{cheese, eggs}] = {ian, jim, lisa}
4. eats ; cost = { ian cheap, ian expensive, jim cheap,
kenmapstoexpensive, lisa cheap, lisa expensive}
5. eats ; (cost {expensive}) = {ian cheap, jim cheap, lisa cheap}

6.
eats 1[cost 1 [{expensive}]] =
{ian, ken, lisa}
7. eats <+ {lisa steak} = { ian eggs, ian cheese, ian pizza,
jim eggs, jim salad, ken pizza, lisa steak}
13
Exercise 6.3
The invariant becomes
access USER PRINTER uu . (uu USER card(access[{uu}])
6 6)
Two operations are no longer consistent with this strengthened invariant: add,
and unify.
In order to regain consistency of the machine, the precondition of add can
be strengthened to
uu USER pp PRINTER card(access[{uu}]) < 6
and the precondition of unify can be strengthened to
u1 USER u2 USER card(access[{u1}]) + card(access[{u2}])
66
.
Exercise 6.4
exchange ( u1 , u2 ) =
b
PRE u1 USER u2 USER
THEN access := access <+ ( { u1 } access [ { u2 } ] { u2 } access [ { u1 } ] )
END
Exercise 6.5
maintenance ( pp , alt ) =
b
PRE pp PRINTER alt PRINTER
THEN access := access { pp } access
END
[ { pp } ] { alt }
Exercise 6.6
The variable barred and associated conditions and operations are incorporated
into the machine below. The operations which require strengthened preconditions are again add and unify. all other operations are consistent with the next
invariant and remain unchanged from their description in the original Access
machine.
MACHINE Access
SETS USER ; PRINTER ; OPTION ; PERMISSION = { ok , noaccess }
CONSTANTS options
PROPERTIES options PRINTER OPTION
14
dom ( options ) = PRINTER ran ( options ) = OPTION

VARIABLES access , barred
INVARIANT access USER PRINTER barred USER OPTION
( access ; options ) barred = {}
INITIALISATION access , barred := {} , {}
OPERATIONS
addbar ( uu , oo ) =
b
PRE uu USER oo OPTION
THEN barred := barred { uu oo } k access := access { uu } options
END
[ { oo } ]
removebar ( uu , oo ) =
b
PRE uu USER oo OPTION uu oo barred
THEN barred := barred { uu oo }
END
add ( uu , pp ) =
b
PRE uu USER pp PRINTER options [ { pp } ] barred [ { uu } ] = {}
THEN access := access { uu pp }
END
unify ( u1 , u2 ) =
b
PRE u1 USER u2 USER access ; options [ { u1 , u2 } ] barred [ { u1 , u2 } ] = {}
THEN access := access { u1 } access [ { u2 } ] { u2 } access [ { u1 } ]
END
END
15

Exercise 7.1
MACHINE Reading
SETS READER ; BOOK ; COPY ; RESPONSE = { yes , no }
VARIABLES books , copies , copyof , hasread , reading
INVARIANT copyof copies
books
books BOOK copies COPY
hasread READER books
reading READER 7 copies
( reading ; copyof ) hasread = {}
INITIALISATION copyof := {} k books := {} k copies := {}
k hasread := {} k reading := {}
OPERATIONS
addcopy ( cc , bb ) =
b
PRE cc COPY bb BOOK cc 6 copies
THEN copies := copies { cc } k books := books { bb }
k copyof := copyof { cc bb }
END
start ( rr , cc ) =
b
PRE rr READER cc copies copyof ( cc ) 6 hasread [ { rr } ]
rr 6 dom ( reading ) cc 6 ran ( reading )
THEN reading := reading { rr cc }
END
finished ( rr , cc ) =
b
PRE rr READER cc copies cc = reading ( rr )
THEN hasread := hasread { rr copyof ( cc ) }
k reading := { rr } reading
END
resp - precurrentquery ( rr ) =
b
PRE rr READER
THEN
IF rr dom ( reading )
THEN resp := yes
ELSE resp := no
END
END
bb - currentquery ( rr ) =
b
PRE rr READER rr dom ( reading )
THEN bb := copyof ( reading ( rr ) )
END
resp - hasreadquery ( rr , bb ) =
b
PRE rr READER bb BOOK
16
THEN
IF bb hasread [ { rr } ]
THEN resp := yes
ELSE resp := no
END
END
END
Exercise 7.2
pp - position ( rr ) =
b
PRE rr ran ( finish )
THEN pp := finish 1 ( rr )
END
remove ( rr ) =
b
PRE rr ran ( finish )
THEN
pp
BE pp = finish
LET
IN
( rr )
finish := finish pp 1
END
END
a ( finish pp )
17

Exercise 8.1
[a(i) := 5](a(j ) = a(k)
=
(a <+ {i 5})(j ) = (a <+ {i 5})(k)
i =j i =k
i = j i k a(k) = 5
i j i = k a(j ) = 5
i j i k a(j ) = a(k)
Exercise 8.2
a := x . (x dom(a) | 2 x)
Exercise 8.3
betterswap ( rr , ss ) =
b
PRE
rr ROOM ss ROOM
( rr small numbers ( ss ) 4 )
( ss small numbers ( rr ) 4 )
THEN numbers := numbers <+ { rr numbers ( ss ) , ss numbers ( rr ) }
END
Exercise 8.4
step =
b
guests := xx . ( xx
N xx + 1 ROOM
| guests ( xx + 1 ) )
Exercise 8.5
MACHINE Hotelguests ( sze )
CONSTRAINTS sze N1
SETS NAME ; REPORT = { present , notpresent }
CONSTANTS empty , ROOM
PROPERTIES card ( ROOM ) = sze empty NAME ROOM
VARIABLES pguests
INVARIANT pguests ROOM
7 NAME
INITIALISATION pguests := {}
OPERATIONS
guestcheckin ( rr , nn ) =
b
18
rr ROOM nn NAME
THEN pguests ( rr ) := nn
PRE
END
guestcheckout ( rr ) =
b
PRE rr ROOM
THEN pguests := { rr } pguests
END
nn - guestquery ( rr ) =
b
PRE rr ROOM
THEN IF rr dom ( pguests )
THEN nn := pguests ( rr )
ELSE nn := empty
END
END
rr - presentquery ( nn ) =
b
PRE nn NAME
THEN IF nn ran ( pguests )
THEN rr := present
ELSE rr := notpresent
END
END
guestswap ( rr , ss ) =
b
PRE rr ROOM ss ROOM
THEN
IF rr dom ( pguests )
ss dom ( pguests )
THEN pguests := pguests <+ { rr pguests ( ss ) , ss pguests ( rr ) }
ELSE pguests := { rr } pguests { ss pguests ( rr ) }
THEN IF
END
ELSE IF ss dom ( pguests )

THEN
pguests := { ss } pguests { rr pguests ( ss ) }
END
END
END
step =
b
pguests := xx . ( xx
END
N xx + 1 dom ( pguests )
| pguests ( xx + 1 ) )
19

Exercise 9.1
ANY nn
WHERE nn : N
THEN square := nn nn
END
Exercise 9.2
This operation adds some arbitrary value between 1 and 5 to total.
[ ANY a WHERE a N1 a
=
6 5 [total := total + a](total > 8))

a 6 5 total + a > 8)
a . (a N1 a
a . (a N1
total
>8
6 5 THEN total := total + 5 END ](total > 8)
Exercise 9.3
This statement picks an arbitrary set of up to three numbers between 1 and N .
[ ANY s WHERE s 1..N card(s)
=
=
=
6 3 THEN myset := s END ](i.(i myset | i) < 40)
6 3 [myset := s](i.(i myset | i) < 40)

s . s 1..N card(s) 6 3 (i.(i s | i) < 40)
N 6 14
s . s 1..N card(s)
The statement is guaranteed to achieve the postcondition provided the numbers comprising the set are all no greater than 14.
Exercise 9.4
ANY nn WHERE nn 1..49 card(nn) = 6 THEN ticket := nn END
Exercise 9.5
ANY d WHERE d : order [{p}] THEN delivery := d END
[ ANY d WHERE d : order [{p}] THEN delivery := d END ](delivery fridge)

=
d.(d : order [{p}] [delivery := d](delivery fridge))
d.(d : order [{p}] d fridge))
fridge 6 order [{p}]
20
Exercise 9.6
CHOICE salary := salary 1.03 OR salary := salary + 400 END
[ CHOICE salary := salary 1.03 OR salary := salary + 400 END ](salary > 14000)
=
[salary := salary 1.03](salary > 14000) [salary := salary + 400](salary > 14000]
(salary 1.03 > 14000) (salary > 13600)
salary > 13592 salary > 13600
salary > 13600
Exercise 9.7
1.
SELECT albert here THEN hh := albert
WHEN betty here THEN hh := betty
WHEN clarissa here THEN hh := clarissa
ELSE hh := fido END

=
(hh = clarissa)
albert here [hh := albert ](hh = clarissa)

(betty here [hh := betty](hh = clarissa))
(clarissa here [hh := clarissa](hh = clarissa)
(albert 6 here betty 6 here clarissa 6 here [hh := fido](hh = clarissa)
albert here false

(betty here false
(clarissa here true
(albert 6 here betty 6 here clarissa 6 here false
albert 6 here betty 6 here clarissa here
2.
ELSE hh := fido END

=
(hh albsert )
albert here [hh := albert ](hh albert )

(betty here [hh := betty](hh albert ))
(clarissa here [hh := clarissa](hh albert )
(albert 6 here betty 6 here clarissa 6 here [hh := fido](hh albert )
albert here false

(betty here true
21
(clarissa here true

(albert 6 here betty 6 here clarissa 6 here true
=
albert 6 here
3.
ELSE hh := fido END

=
(hh fido)
albert here [hh := albert ](hh fido)

(betty here [hh := betty](hh fido))
(clarissa here [hh := clarissa](hh fido)
(albert 6 here betty 6 here clarissa 6 here [hh := fido](hh fido)
albert here true

(betty here true
(clarissa here true
(albert 6 here betty 6 here clarissa 6 here false
albert here betty here clarissa here
Exercise 9.8
MACHINE Deliveries
SETS ITEM ; ADDRESS
VARIABLES van , nogo
INVARIANT van ADDRESS ITEM nogo ADDRESS
INITIALISATION van := {} k nogo : P ( ADDRESS )
OPERATIONS
load ( aa , ii ) =
b
PRE aa ADDRESS ii ITEM
THEN van := van { aa ii }
END
aa , ii - drop =
b
PRE van {}
THEN
ad , it
ad ADDRESS it ITEM ad it van
THEN aa := ad k ii := it
ANY
WHERE
END
END
warning ( aa ) =
b
PRE aa ADDRESS
THEN IF aa nogo
22
van := { aa } van
OR nogo := nogo { aa }
THEN CHOICE
END
ELSIF aa 6 dom ( van )

THEN nogo := nogo { aa }
END
END
END
23

Exercise 10.1
The included machine Locks provides no single operation for closing a door
and locking it, and Safes can only call one operation from Locks in any of its
own operations.
The new operation for Locks is
quickclose ( dd ) =
b
PRE dd DOOR position ( dd ) = open
THEN closedoor ( dd ) k status ( dd ) := locked
END
;
The new operation for Safes is
quickcloseandlock ( dd ) =
b
PRE dd DOOR position ( dd ) = open
THEN quickclose ( dd ) k removekey ( unlocks
END
( dd ) )
Exercise 10.2
MACHINE Safes
INCLUDES Locks , Keys
PROMOTES opendoor , closedoor , lockdoor
CONSTANTS unlocks
PROPERTIES unlocks KEY DOOR
VARIABLES masterkey
INVARIANT status 1 [ { unlocked } ] unlocks [ keys ]
masterkey DOOR card ( masterkey ) 1
status 1 [ { unlocked } ] masterkey
INITIALISATION masterkey := {}
OPERATIONS
insertmaster ( dd ) =
b
PRE dd DOOR masterkey = {}
THEN masterkey := { dd }
END
removemaster =
b
PRE status [ masterkey ] = { locked }
THEN masterkey := {}
END
insert ( kk , dd ) =
b
PRE kk KEY dd DOOR unlocks ( kk ) = dd
24
insertkey ( kk )
THEN
END
extract ( kk , dd ) =
b
PRE kk KEY dd DOOR unlocks ( kk ) = dd status ( dd ) = locked
THEN removekey ( kk )
END
unlock ( dd ) =
b
PRE dd DOOR unlocks
THEN unlockdoor ( dd )
END
( dd ) keys dd masterkey
quicklock ( dd ) =
b
PRE dd DOOR position ( dd ) = closed
THEN lockdoor ( dd ) k removekey ( unlocks
( dd ) )
END
END
Exercise 10.3
MACHINE Safes
INCLUDES Locks , Keys
PROMOTES opendoor , closedoor , lockdoor
VARIABLES unlocks
INVARIANT status 1 [ { unlocked } ] unlocks [ keys ]
unlocks KEY 7 DOOR keys dom ( unlocks )
INITIALISATION unlocks := {}
OPERATIONS
allocate ( kk , dd ) =
b
PRE kk KEY kk 6 dom ( unlocks ) dd DOOR dd 6 ran ( unlocks )
THEN unlocks ( kk ) := dd
END
deallocate ( kk , dd ) =
b
PRE kk KEY dd DOOR kk dd unlocks kk 6 keys status ( dd ) = locked
THEN unlocks := { kk } unlocks
END
insert ( kk , dd ) =
b
PRE kk KEY dd DOOR unlocks ( kk ) = dd
THEN insertkey ( kk )
END
extract ( kk , dd ) =
b
PRE kk KEY dd DOOR unlocks ( kk ) = dd status ( dd ) = locked
THEN removekey ( kk )
END
unlock ( dd ) =
b
PRE dd DOOR unlocks
( dd ) keys
25
unlockdoor ( dd )
THEN
END
quicklock ( dd ) =
b
PRE dd DOOR position ( dd ) = closed dd ran ( unlocks )
THEN lockdoor ( dd ) k removekey ( unlocks 1 ( dd ) )
END
END
Exercise 10.4
MACHINE RobustLocks
INCLUDES Locks
SETS REPORT = { ok , error }
OPERATIONS
rep - robustopen ( dd ) =
b
PRE dd DOOR
THEN IF status ( dd ) = unlocked
THEN opendoor ( dd ) k rep := ok
ELSE rep := error
END
END
rep - robustclose ( dd ) =
b
PRE dd DOOR
THEN closedoor ( dd ) k rep := ok
END
rep - robustunlock ( dd ) =
b
PRE dd DOOR
THEN unlockdoor ( dd ) k rep := ok
END
rep - robustlock ( dd ) =
b
PRE dd DOOR
THEN IF position ( dd ) = closed
THEN lockdoor ( dd ) k rep := ok
ELSE rep := error
END
END
END
Exercise 10.5
MACHINE Hotelregister ( sze )
INCLUDES Hotel ( sze ) , Hotelguests ( sze )
PROMOTES guestquery , presentquery , roomquery , vacancies , totalguests
INVARIANT guests 1 [ { empty } ] = numbers 1 [ { 0 } ]
26
OPERATIONS
fullcheckin ( room , name , number ) =
b
PRE name NAME number 1 . . 6
room ROOM guests ( room ) = empty name empty
( room small number 4 )
THEN checkin ( room , number ) k guestcheckin ( room , name )
END
fullcheckout ( room ) =
b
PRE room ROOM
THEN checkout ( room ) k guestcheckout ( room )
END
fullswap ( room1 , room2 ) =

b
PRE room1 ROOM room2 ROOM room1 small ( room2 small )
THEN swap ( room1 , room2 ) k guestswap ( room1 , room2 )
END
END
27

Exercise 11.1
MACHINE Limit
SEES Goods
VARIABLES limit
INVARIANT limit GOODS N1
INITIALISATION limit : GOODS
OPERATIONS
setlimit ( gg , pp ) =
b
PRE gg GOODS pp N1
THEN limit ( gg ) := pp
END
N1
pp - limitquery ( gg ) =
b
PRE gg GOODS THEN pp := limit ( gg ) END
END
MACHINE Customer
SEES Price , Goods , Limit
VARIABLES purchases
INVARIANT purchases GOODS
INITIALISATION purchases := {}
OPERATIONS
pp - buy ( gg ) =
b
PRE gg GOODS price ( gg ) limit ( gg )
THEN purchases := purchases { gg } k pp - pricequery ( gg )
END
END
Exercise 11.2
change ( nn ) =
b
PRE nn PERSON nn male female
THEN IF nn male
THEN female := female { nn } k male := male { nn }
ELSE male := male { nn } k female := female { nn }
END
END
The sexchange operation must take into account the possibility that
the person nn is married. Here we simply include as a precondition that
nn should not be married. Thus the function marriage will not change. An
28
alternative would be to accept married nn as well as unmarried, and update

the function marriage by removing nn from it.
sexchange ( nn ) =
b
PRE nn male female nn 6 dom ( marriage ) nn 6 ran ( marriage )
THEN change ( nn )
END
Exercise 11.3
MACHINE Voters
USES Life
SETS RESPONSES = { listed , notlisted }
VARIABLES voters
INVARIANT voters male female
INITIALISATION voters := {}
OPERATIONS
addvoter ( nn ) =
b
PRE nn male female
THEN voters := voters { nn }
END
removevoter ( nn ) =
b
PRE nn male female
THEN voters := voters { nn }
END
resp - voterquery ( nn ) =
b
PRE nn PERSON
THEN IF nn voters
THEN resp := listed
ELSE resp := notlisted
END
END
END
In fact, Voters can be included in Registrar, and all its operations can be
promoted, so the extends clause is used. The dies operation requires amendment: when a person dies then they should also be removed from the electoral
roll.
MACHINE Registrar
EXTENDS Marriage , Voters
INCLUDES Life
PROMOTES born
OPERATIONS
dies ( nn ) =
b
29
nn male female
PRE
THEN
die ( nn ) k removevoter ( nn ) k
IF nn dom ( marriage )
THEN part ( nn , marriage ( nn ) )
ELSIF nn ran ( marriage )
THEN part ( marriage 1 ( nn ) , nn )
END
END
END
Exercise 11.4
MACHINE Fullregistrar
INCLUDES Registrar
PROMOTES partner
SETS STATUS = { bachelor , spinster , married , divorced , widow , widower }
VARIABLES status
INVARIANT status male female STATUS
status 1 [ { married } ] = dom ( marriage ) ran ( marriage )
INITIALISATION status := {}
OPERATIONS
birth ( nn , ss ) =
b
PRE nn PERSON nn 6 ( male female ) ss SEX
THEN born ( nn , ss )
k IF ss = boy
THEN status ( nn ) := bachelor
ELSE status ( nn ) := spinster
END
END
death ( nn ) =
b
PRE nn PERSON nn male female
THEN dies ( nn )
k IF status ( nn ) married
THEN status := { nn } status
ELSE IF nn male
THEN status := { nn } status <+ { marriage ( nn ) widow }
ELSE status := { nn } status <+ { marriage 1 ( nn ) widower }
END
C
C
END
END
marry ( mm , ff ) =
b
PRE mm male mm 6 dom ( marriage ) ff female ff 6 ran ( marriage )
THEN wed ( mm , ff )
30
k status := status <+ { mm married , ff married }

END
divorce ( mm , ff ) =
b
PRE mm male ff female mm ff marriage
THEN part ( mm , ff )
k status := status <+ { mm divorced , ff divorced }
END
ss - maritalstatus ( nn ) =
b
PRE nn male female
THEN ss := status ( nn )
END
END
31

Exercise 12.1
1. aa 1..300
7 N ran(aa) = orders
N ran(aa) = orders
2. aa 1..300 7
3. ll seq(N) ran(ll) = orders
4. ll iseq(N) ran(ll) = orders

5.
ll seq(N) ran(ll) = orders

ii, jj . (ii : dom(ll) jj dom(ll) (ii < jj ll(ii) < ll(jj )
Exercise 12.2
The first refinement uses an 11-place array.
REFINEMENT PlayerR
REFINES Player
VARIABLES teamr
INVARIANT teamr 1 . . 11
PLAYER ran ( teamr ) = team
PLAYER
INITIALISATION teamr : 1 . . 11
OPERATIONS
substitute ( pp , rr ) =
b
BEGIN
teamr ( teamr
END
( pp ) ) := rr
aa - query ( pp ) =
b
IF pp ran ( teamr )
THEN aa := in
ELSE aa := out
END
END
The second refinement uses an array indexed by the players, recording for
each whether he is in or out of the team.
REFINEMENT PlayerR2
REFINES Player
VARIABLES teamr
INVARIANT teamr PLAYER ANSWER team = teamr 1 [ { in } ]
INITIALISATION ANY tr WHERE tr PLAYER ANSWER card ( tr
THEN teamr := tr
[ { in } ] ) = 11
32
END
OPERATIONS
substitute ( pp , rr ) =
b
BEGIN
teamr ( pp ) := out ;
teamr ( rr ) := in
END
aa - query ( pp ) =
b aa := teamr ( pp )
END
Exercise 12.3
In the abstract machine:
jumpqueue ( ss , qq ) =
b
PRE ss SHIP ss 6 ran ( waiting ) ss 6 ran ( docked )
qq QUAY qq 6 dom ( docked )
THEN docked ( qq ) := ss
END
In the refinement:
jumpqueue ( ss , qq ) =
b insert ( ss , qq ) ;
33

Exercise 13.1
First style of refinement:
REFINEMENT JobshopR
REFINES Jobshop
VARIABLES jobarr
INVARIANT jobarr 1 . . limit
7 JOB ran ( jobarr ) = jobs
INITIALISATION jobarr := {}
OPERATIONS
take ( jj ) =
b
ANY tmp WHERE tmp 1 . . limit tmp 6 dom ( jobarr ) THEN
jobarr ( tmp ) := jj
END
jj - process =
b
ANY tmp WHERE tmp dom ( jobarr ) THEN
jj := jobarr ( tmp ) ;
jobarr := { tmp } jobarr
END
prioritise ( jj ) =
b jobarr := jobarr { jj }
END
REFINEMENT JobshopRR
REFINES Jobshop
VARIABLES jobarr , counter
INVARIANT jobarr 1 . . limit JOB counter 0 . . limit
jobarr [ 1 . . counter ] = jobs counter = card ( jobs )
INITIALISATION jobarr : 1 . . limit JOB ; counter := 0
OPERATIONS
take ( jj ) =
b
BEGIN
counter := counter + 1 ; jobarr ( counter ) := jj

END
jj - process =
b
BEGIN
jj := jobarr ( counter ) ;
counter := counter 1
END
prioritise ( jj ) =
b
ANY ii WHERE ii 1 . . counter jobarr ( ii ) = jj THEN
34
jobarr ( ii ) := jobarr ( counter ) ; counter := counter 1

END
END
Exercise 13.2
REFINEMENT BoothR
REFINES Booth
VARIABLES reserved , ticketsr
INVARIANT ticketsr SEAT
7 CUSTOMER
cc . ( cc CUSTOMER card ( ticketsr
= card ( tickets
[ { cc } ] )
[ { cc } ] ) + reserved ( cc ) )
INITIALISATION reserved := CUSTOMER { 0 } k ticketsr := {}

OPERATIONS
reserve ( cc , nn ) =
b
BEGIN
reserved ( cc ) := reserved ( cc ) + nn k
ANY ss WHERE ss SEAT card ( ss ) = nn ss dom ( ticketsr ) = {} THEN
ticketsr := ticketsr ss { cc }
END
END
collect ( cc ) =
b reserved ( cc ) := 0
END
35

Exercise 14.1
There are no sets and constants of ColoursR2 so there are no proof obligations
associated with sets and constants.
ColoursR2 has no state, and hence no initialisation. However, it does have a
non-trivial invariant J which requires that red cols, so it will have a proof obligations associated with initialisation. The initialisation of Colours2 is equivalent to skip, so the proof obligation that concrete initialisation refines abstract
initialisation is:
[skip][cols : P(COLOUR {blue})](red cols)
=
=
( cols P(COLOUR {blue}) . red 6 cols)

cols . (cols P({red, green}) red cols)
i.e. there is some subset of {red, green}) which contains redand this proof
obligation is true.
Each operation PRE P1 THEN S 1 END which refines PRE P THEN S END
will have the proof obligation that I J P [S 1[out /out ]][S ](J
out = out ), where I is the invariant of Colours. For each operation in turn we
calculate [S 1[out /out ]][S ](J out = out ) and show that it is implied by
I J P.
add(cc): This operation does not have any outputs.
[S 1][S ]J
=
[skip][cols := cols {cc}](red cols)
red (cols {cc})
red cols
I J P
(= J )
cc - query:
[S 1[out /out ]][S ]J
=
[cc := red][cc : cols](red cols cc = cc)
( cc . cc cols (red cols red = cc))
cc . (cc cols (red cols red = cc))
red cols
I J P
(= J )
change: This operation has no outputs:

[S 1][S ]J
=
[skip][cols : P(COLOUR) {cols}](red cols)
36
( cs . (cs P(COLOUR) {cols} (red cs)))
cs . (cs P(COLOUR) {cols} red cs)
true
I J P
The penultimate line follows from the fact that there will always be some subset
of COLOUR other than cols which contains red (since there are 4 such subsets
altogether).
Thus all proof obligations are discharges, establishing that ColoursR2 is a
refinement of Colours.
If the invariant is simply true then the query operations proof obligations
will not discharge. This linking invariant is not strong enough to establish that
ColoursR2 is a refinement of Colours.
Exercise 14.2
There are no sets or constants introduced by TeamR, so there are no proof
obligations generated there.
The proof obligation for initialisation is as follows:
[teamr := nn . (nn 1..11 | nn)]
[team := 1..11]
(teamr 1..11
=
1..22 ran(teamr = team))

1..22)
( nn . (nn 1..11 | nn) 1..11
ran( nn . (nn 1..11 | nn) = 1..11

(which is true)
The proof obligation for substitute is
I J P [teamr (teamr 1(pp)) := rr ]
[team := team {rr } {pp}]
1..22 ran(teamr = team))

(pp) rr } 1..11 1..22
(teamr 1..11
=
I J P
(teamr <+ {teamr 1
ran(teamr <+ {teamr 1 (pp) rr } = team {rr } {pp}))

(which is true)
The proof obligation for query is
I J
[ IF pp ran(teamr ) THEN aa := in ELSE aa := out END ]
[ IF pp team THEN aa := in ELSE aa := out END ]
(J aa = aa)
37
I J
[ IF pp ran(teamr ) THEN aa := in ELSE aa := out END ]
J (pp team aa = in
pp 6 team aa = out )
I J
J (pp ran(teamr ) pp team in = in
pp 6 ran(teamr ) pp team out = in
pp ran(teamr ) pp 6 team in = out
pp 6 ran(teamr ) pp 6 team out = out )
(and this is true, since J implies ran(teamr ) = team.)

Exercise 14.3
No, it is not possible. If ColoursR is in the state colour = blue, then this is
related to four states of Colours, including {blue} and {blue, green}. In the first
case, alter will result in the state {blue, red} and in the second case {green}.
Thus any possible resulting state of alter in the refinement ColoursR must
match both of these states, since it must refine alter called from either of them.
But this is not possible, since there is no resulting value for colour which is in
both sets.
Exercise 14.4
REFINEMENT Colours2R
REFINES Colours2
VARIABLES in , out
INVARIANT in cols out COLOUR
( cols COLOUR out COLOUR cols ) in out
INITIALISATION in := red k out := blue
OPERATIONS
add ( cc ) =
b BEGIN IF cc = out THEN out : COLOUR { in , out } END
cc - inquery =
b cc := in ;
cc - outquery =
b cc := out ;
change =
b skip ;
invert =
b VAR tt IN tt := in ; in := out ; out := tt
END
END
END
38

Exercise 15.1
e := 1;
i := 0;
WHILE i < b
DO i := i + 1; e := e 2
INVARIANT i 0..b e = 2i
VARIANT b i
END
establishes postcondition e = 2b .
e := 1;
i := 0;
WHILE i < b
DO i := i + 1; e := e a
INVARIANT i 0..b e = a i
VARIANT b i
END
establishes postcondition e = a b .
Exercise 15.2
i := 0;
WHILE i < N
DO i := i + 1; arr (i) := i
INVARIANT i 0..N dom(arr ) 1..N VARIANT N i
((1..i)
END
C arr ) = j .(j 1..i | j )
establishes postcondition arr = j .(j 1..i | j ), provided initially dom(arr )

1..N .
Exercise 15.3
The proof obligations are:
1. (r + (q a) = a r > b [q := q + 1; r := r a](r + (q a) = a)
2. (r + (q a) = a (r > b) (q = a div b r = a mod b)
3. r + (q b) = a r N
39
4. (r + (q b) = a r > b r = ) [q := q + 1; r := r b](r < )

5. [r := a; q := 0](r + (q b) = a)
The first and the fifth are true. The second is false in the case where r = b or
r < 0. The third is falser could be negative. The fourth is false when b 0,
since then r b does not decrease r . The third and fourth indicate that the
invariant requires strengthening to state that b > 0 and that r 0. The second
proof obligations indicates that the guard of the loop should be r
b rather
than r > b.
>
>
Thus the loop should be as follows:

r := a; q := 0;
WHILE r
>b
DO q := q + 1; r := r b
INVARIANT r N b N1 r + (q b) = a
VARIANT r
END
Since the invariant must be true when the loop is started, it requires that a
N b N1 .
Exercise 15.4
ans := TRUE
j := 2
WHILE j < n
DO IF n mod j = 0 THEN ans := FALSE END ; j := j + 1
INVARIANT ans = TRUE ( i.(i 2..j 1 n mod i 0)) j
VARIANT n j
END
Exercise 15.5
i := 0;
maximum := 0;
WHILE i < N
DO i := i + 1;
IF arr (i) > maximum THEN maximum := arr (i) END
INVARIANT maximum = max(arr [1..i] {0}) i 0..N
VARIANT N i
END
6n
40
Exercise 15.6
We first calculate
[ IF i = 0 THEN rep := FALSE ELSE rep := TRUE END ](rep = TRUE p ran(a))
=
i = 0 (FALSE = TRUE p ran(a))

i 0 (TRUE = TRUE p ran(a))
(i = 0 p 6 ran(a)) (i 0 p ran(a))
(=
P)
This is the postcondition for the loop section of the program. The proof conditions for the loop are therefore:
1. (p 6 a[(i + 1)..N ] i
a[(i + 1)..N ] i N)
i > 0 a(i) p) [i := i 1](p 6
2. (p 6 a[(i + 1)..N ] i N (i > 0 a(i) p)) P
3. (p 6 a[(i + 1)..N ] i N i N
4. (p 6 a[(i + 1)..N ] i N i > 0 a(i) 6 p i = [i := i 1](i < )

5. [i := N ](p 6 a[(i + 1)..N ] i N)
These are all straightforward to establish, except the second, which bears
closer examination:
(p 6 a[(i + 1)..N ] i N (i > 0 a(i) p))
=
(p 6 a[(i + 1)..N ] i N (i = 0 a(i) = p))
i = 0 p 6 a[(i + 1)..N ]
a(i) = p p 6 a[(i + 1)..N ]
i = 0 p 6 ran(a)
a(i) = p i 0 p ran(a)
Thus the postcondition of the loop is established.

Exercise 15.7
i := 1;
j := 1;
WHILE a(i) b(j )
DO IF a(i) < b(j )THEN i := i + 1ELSE j := j + 1END
INVARIANT ran(a (i 1)) ran(b (j 1)) {}
6 a(x + 1))
x . (x dom(b) x size(b) b(x) 6 b(x + 1))
x . (x dom(a) x size(a) a(x)
VARIANT size(a) + size(b) i j

END
41
Exercise 15.8
i := a;
j := b;
k := a;
l := b;
WHILE i j
DO IF i < j
THEN j := j i; l := l + k
ELSE i := i j ; k := k + l
END
INVARIANT (i l) + (j k) = 2 a b
VARIANT i + j
END ;
gcd := i;
x := (k + l)/2
The value of x at the end of the loop is (k + l)/2, and i = j = gcd(a, b). Since
the invariant il + jk = 2ab is true on termination, i.e. gcd(a, b) (l + k) = 2ab,
we have that (k + l)/2 = ab/gcd(a, b) = lcm(a, b), i.e. x is the lowest common
multiple of a and b: the smallest number that they both divide into.
42

Exercise 16.1
We must establish that I J P [S 1[out /out ]][S 1]J , where S 1 and S

are the bodies of the implementation and specification respectively of add.
[ VAR nn IN nn - number ;
IF nn < cap
END ]
THEN rr := ok; input (ee); inc

ELSE rr := failed
END
[ IF size(queue) < cap THEN rr := ok k queue := queue ee ELSE rr := failed END ]
(counter = size(contents) contents = queue rr = rr )
=
[ VAR nn IN nn - number ;
END ]
IF nn < cap
THEN rr := ok; input (ee); inc
ELSE rr := failed
END
(size(queue) < cap (counter = size(contents) contents = queue ee rr = ok)
size(queue)
=
> cap (counter = size(contents) contents = queue rr
[ VAR nn IN nn := counter ;
IF nn < cap
THEN rr := ok;
PRE ee ELEM size(contents < cap)
THEN contents := contents ee
END ;
counter := counter + 1
ELSE rr := failed
END
END ]
(size(queue) < cap ( counter = size(contents)
contents = queue ee
rr = ok)
size(queue)
> cap ( counter = size(contents)

contents = queue
rr = failed)
= failed)
43
counter < cap (size(queue) < cap ( counter + 1 = size(contents ee)

contents ee = queue ee
ok = ok)
size(queue)
> cap ( counter + 1 = size(contents)

contents ee = queue
counter
> cap
ok = failed))
(size(queue) < cap ( counter = size(contents)
contents = queue ee
failed = ok)
size(queue)
> cap ( counter = size(contents)

contents = queue
failed = failed))
counter < cap size(queue) < cap (counter + 1 = size(contents ee)

contents ee = queue ee)
counter
> cap
size(queue)
> cap (counter = size(contents)
contents = queue)
counter = size(contents) contents = queue
I J P
as required.
Exercise 16.2
MACHINE RussianMult
OPERATIONS
rr - mult ( aa , bb ) =
b
PRE aa N1 bb N1
THEN rr := aa bb
END
END
IMPLEMENTATION RussianMultI
REFINES RussianMult
IMPORTS RussianBody
OPERATIONS
rr - mult ( aa , bb ) =
b
VAR xx , yy , total IN
xx := aa ;
yy := bb ;
total := 0 ;
WHILE xx > 0
DO xx , yy , total - body ( xx , yy , total )
44
INVARIANT
VARIANT
END
total + xx yy = aa bb xx
N yy N total N
xx
rr := total
END
END
MACHINE RussianBody
OPERATIONS
dd , ee , tt - body ( xx , yy , ss ) =
b
PRE xx N yy N ss N
THEN
IF xx mod 2 = 1 THEN
tt := ss + yy END
k dd := xx / 2
k ee := yy 2
END
END
Exercise 16.3
IMPLEMENTATION DateI
REFINES Date
SEES DateFields
PROPERTIES
DATE = { dd , mm , yy | dd DAY mm MONTH yy YEAR
( mm { April , June , September , November } dd 30 )
( mm = February dd 29 )
( mm = February ( yy YEAR yy mod 4 0 }
( yy mod 100 = 0 yy mod 400 0 ) )
dd 28 )
END
MACHINE DateFields
SETS DAY ; YEAR ;
MONTH = { January , February , March , April , May , June ,
July , August , September , October , November , December }
PROPERTIES DAY = 1 . . 31 YEAR = N
END
45

Exercise 17.1
IMPLEMENTATION HeapI
...
OPERATIONS
insert ( nn ) =
b
BEGIN
inc ;
VAR ii , rep IN
ii - number ;
rep := TRUE ;
append ( nn ) ;
WHILE ii > 1 rep = TRUE
DO rep - siftup ( ii ) ; ii := ii / 2
INVARIANT ii 1 . . counter counter = size ( queue ) + 1
( xx , yy ) . ( xx 2 . . counter 1 yy 1 . . counter 1
( xx yy parent *
( rep = FALSE
xx . ( xx
xx ii ) heaparray ( yy ) heaparray ( xx ) ) )
card ( heaparray
[ { xx } ] )
= card ( ( queue nn) 1 [ { xx } ] ) )

VARIANT
ii
END
END
END
MACHINE Heaparray
...
rr - siftup ( ii ) =
b
PRE ii 2 . . size ( heaparray )
THEN IF heaparray ( ii / 2 ) > heaparray ( ii )
THEN heaparray := heaparray <+ { ii / 2 heaparray ( ii ) , ii heaparray ( ii / 2 ) }
k rr := TRUE
ELSE rr := FALSE
END
END
Exercise 17.2
sort ( ii , jj ) =
b
PRE ii 1 . . cap jj 1 . . cap ii < jj
46
THEN
ANY
pp
pp ii . . jj ii . . jj
nn . ( nn ii . . jj 1 pp ; aa ( nn ) pp ; aa ( nn + 1 ) )
THEN aa := aa <+ ( pp ; aa )
WHERE
END
END
IMPLEMENTATION SortarrayI
...
sort ( ii , jj ) =
b
BEGIN
cc , nn IN
cc := ii 1 ;
WHILE cc < jj
DO cc := cc + 1 ;
nn - get ( cc ) ;
insert ( nn )
INVARIANT cc ii 1 . . jj
pp . ( pp ii . . cc 1 . . cc ( ii 1 ) ( pp ; queue ) = ii . . cc
array = aa
VARIANT jj cc
VAR
C array )
END
END
cc , nn IN
cc := ii 1 ;
WHILE cc < jj
DO cc := cc + 1 ;
nn - extract ;
set ( cc , nn )
INVARIANT cc N cc cap
VAR
pp . ( pp ii . . jj ii . . jj ( pp ; queue ( ii . . cc array ) ) = ii . . jj
xx . ( xx ii . . cc 1 array ( xx ) array ( xx + 1 ) )
( xx , yy ) . ( xx ran ( queue ) yy array [ ii . . cc ] yy xx )
VARIANT cap cc
END
END
END
END
C aa )
47

Exercise 18.1
The constraints clause CONSTRAINTS
maximum < 2146483646 must be
added to SizeCounter, in order to make use of an Nvar machine.
IMPLEMENTATION SizeCounterI
REFINES SizeCounter
IMPORTS sze Nvar ( maximum )
INVARIANT sze Nvar = sze
INITIALISATION sze STO NVAR ( 0 )
OPERATIONS
szeinc =
b sze INC NVAR ;
szedec =
b sze DEC NVAR ;
ss - szeget =
b ss - sze VAL NVAR
END
Exercise 18.2
MACHINE Checkouts
...
OPERATIONS
closeandmove ( co1 , co2 ) =
b
PRE co1 COUNTER co2 COUNTER
THEN opencounters := opencounters { co1 }
k queues := { co1 } queues <+ { co2 ( queues ( co2 )

END
...
IMPLEMENTATION CheckoutsI
...
closeandmove ( co1 , co2 ) =
b
VAR tt1 , tt2 , bb IN
tt1 - get ( co1 ) ;
tt2 - get ( co2 ) ;
bb - queues APP SEQ OBJ ( tt2 , tt1 ) ;
queues KIL SEQ OBJ ( tt1 ) ;
remove ( co1 )
END
...
a queues ( co1 ) ) }
48
Exercise 18.3
Specification:
jumpqueue ( co , cu ) =
b
PRE
co opencounters cu CUSTOMER
S
cu 6 cc . ( cc dom ( queues ) | ran ( queues ( cc ) ) )
THEN queues ( co ) := cu queues ( co )
END
Implementation:
jumpqueue ( co , cu ) =
b
VAR pp , bb IN
pp - get ( co ) ;
queues REV SEQ OBJ ( pp ) ;
bb - queues PSH SEQ OBJ ( pp , cu ) ;
queues REV SEQ OBJ ( pp )
END
Exercise 18.4
rep - present ( cu ) =
b
PRE cu CUSTOMER
THEN
IF cu
cc . ( cc dom ( queues ) | ran ( queues ( cc ) ) )

THEN rep := TRUE
ELSE rep := FALSE
END
END
;
Implementation:
rep - present ( cu ) =
b
VAR nn , pp , bb , ii , ans IN
nn , pp - queues FIRST SEQ OBJ ;
ans := FALSE ;
WHILE nn > 0
DO bb , ii - queues MBR SEQ OBJ ( pp , cu ) ;
IF bb = TRUE THEN ans := TRUE END ;
nn , pp - queues NEXT SEQ OBJ ( nn , pp )
INVARIANT nn N
VARIANT nn
END
rep := ans
END
49
Exercise 18.5
mm - maximum =
b
VAR vv , ii , msf IN
msf := 0 ;
ii - marks CRD SET ;
WHILE ii > 0
DO vv - marks VAL SET ( ii ) ;
IF vv > msf THEN msf := vv END ;
ii := ii 1
INVARIANT
ii N
msf = max ( marks ordn [ ii + 1 . . card ( marks ) ] { 0 } )
marks sset = marks
VARIANT
ii
END
mm := msf
END
Exercise 18.6
IMPLEMENTATION BasketsI
REFINES Baskets
IMPORTS
Baskets set obj ( GOODS , 1000 , 1000 ) ,
Baskets set ctx , Pfun ( CUSTOMER , Baskets SETOBJ ) , Bool TYPE
INVARIANT ( pfun ; Baskets setstruct ) = baskets
ran ( pfun ) = Baskets settok
OPERATIONS
enter ( cu ) =
b
VAR bb , pp IN
bb , pp - Baskets CRE SET OBJ ;
set ( cu , pp )
END
add ( cu , gg ) =
b
VAR pp , bb IN
pp - get ( cu ) ;
bb - Baskets ENT SET OBJ ( pp , gg )
END
nn - checkout ( cu ) =
b
VAR pp , ll , ii , total , vv IN
pp - get ( cu ) ;
50
ll - Baskets CRD SET OBJ ( pp ) ;

ii := 0 ;
total := 0 ;
WHILE ii < ll
DO ii := ii + 1 ;
vv - Baskets VAL SET OBJ ( pp , ii ) ;
total := total + price ( vv )
INVARIANT
ii 0 . . ll
P
total =
jj . ( jj Baskets setord ( pp ) [ 1 . . ii ] | price ( jj ) )
VARIANT ll ii
END
nn := total ;
Baskets KIL SET OBJ ( pp )
END
END

Answers B Method

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Answers B Method

Diunggah oleh

Hak Cipta:

Format Tersedia

1

The B-method: an Introduction

The B-Method: an Introduction

The B-Method: an Introduction

The B-Method: an Introduction

(x < y [y := y x](x + y = 2))

> 2 [x := x y](x + y = 2))

3. z.(z N 7 < z 2 ) (= false)

The B-Method: an Introduction

This operation is consistent with the invariant of Paperround.

The proof obligations for this operation are given by instantiating I P

(papers 1..163 magazines papers card(papers)

or, using the weakest precondition rule for assignment, that

(papers {hh} 1..163 magazines {hh} papers {hh}

which is true by elementary logic and set theory.

papers := papers { hh } k magazines := magazines { hh }

With the additional clause passengers

The new precondition for double is

The B-Method: an Introduction

3. (ITEM {} sample ITEM num N num > card(ITEM )

The initialisation is consistent with the invariant, constraints and properties,

The B-Method: an Introduction

C eats = {ian eggs, ian cheese, ian pizza}

ken pizza, lisa cheese, lisa salad, lisa pizza}

B {cheese, pizza} = { ian cheese, ian pizza,

kenmapstoexpensive, lisa cheap, lisa expensive}

5. eats ; (cost {expensive}) = {ian cheap, jim cheap, lisa cheap}

eats 1[cost 1 [{expensive}]] =

{ian, ken, lisa}

dom ( options ) = PRINTER ran ( options ) = OPTION

The B-Method: an Introduction

The B-Method: an Introduction

(a <+ {i 5})(j ) = (a <+ {i 5})(k)

ELSE IF ss dom ( pguests )

pguests := { ss } pguests { rr pguests ( ss ) }

The B-Method: an Introduction

6 5 [total := total + a](total > 8))

6 5 THEN total := total + 5 END ](total > 8)

6 3 THEN myset := s END ](i.(i myset | i) < 40)

6 3 [myset := s](i.(i myset | i) < 40)

[ ANY d WHERE d : order [{p}] THEN delivery := d END ](delivery fridge)

d.(d : order [{p}] [delivery := d](delivery fridge))

d.(d : order [{p}] d fridge))

fridge 6 order [{p}]

(salary 1.03 > 14000) (salary > 13600)

salary > 13592 salary > 13600

salary > 13600

SELECT albert here THEN hh := albert

WHEN betty here THEN hh := betty

WHEN clarissa here THEN hh := clarissa

ELSE hh := fido END

albert here [hh := albert ](hh = clarissa)

albert here false

albert 6 here betty 6 here clarissa here

SELECT albert here THEN hh := albert

WHEN betty here THEN hh := betty

WHEN clarissa here THEN hh := clarissa

ELSE hh := fido END

albert here [hh := albert ](hh albert )

albert here false

(clarissa here true

SELECT albert here THEN hh := albert

WHEN betty here THEN hh := betty

WHEN clarissa here THEN hh := clarissa

1..22 ran(teamr = team))

1..22 ran(teamr = team))