A Practical Course on KIV

State Machines and ASM refinement Abstract State Machines (ASMs) are a formalism to model algorithms in a simple, but formally defined way. ASMs originally were the result of theoretical research into the foundations of computation: The idea was to sharpen the thesis by Church and Turing, which says that all definitions of “algorithm” are equivalent (and equivalent to the computations of a Turing machine). This lead Gurevich to the thesis that every algorithm (which satisfies some simple principles) can be naturally expressed as the computation of an ASM. Recently, ASMs have been used in a large number of projects in software engineering. (for an overview see either [BS03] or have a look at http://www.eecs.umich.edu/gasm/). In this section we give a short overview over ASMs, the support for ASMs in KIV, ASM refinement and the proof obligations generated by KIV for ASM refinement.State Machines (ASMs) are a formalism to model algorithms in a simple, but formally defined way. ASMs originally were the result of theoretical research into the foundations of computation: The idea was to sharpen the thesis by Church and Turing, which says that all definitions of “algorithm” are equivalent (and equivalent to the computations of a Turing machine). This lead Gurevich to the thesis that every algorithm (which satisfies some simple principles) can be naturally expressed as the computation of an ASM. Recently, ASMs have been used in a large number of projects in software engineering. (for an overview see either [BS03] or have a look at http://www.eecs.umich.edu/gasm/). In this section we give a short overview over ASMs, the support for ASMs in KIV, ASM refinement and the proof obligations generated by KIV for ASM refinement. 12.1 Abstract State Machines Basically, ASMs are like automata: they have initial and final states, and a transition relation to get from one state to the next. Since the idea of ASMs is that states should be as general as possible, the state of an ASM is an algebra over some fixed signature (since what is more general than an arbitrary algebra?). The transition relation is defined by a rule which modifies algebras. Formally, an ASM = (S,I,F,R) consists of a set of states (a class of algebras over some fixed signature), two sets of algebras I and F (the initial and the final states) and an ASM rule R. ASM rules resemble the programs of KIV we saw earlier, but are more general: first, since the state not only consists of variables like in KIV programs, ASMs may modify functions. Therefore the simplest ASM rule R0 is an assignment of the form: R0 ≡ f(t) := t where t and t are terms without variables. Such an assigment is called a function update. Executed in state A it computes a new algebra B, which is equal to A, except that function fA has been modified, such that fB now computes [[t ′]]A at position [[t]]A. A function f that is modified is called a dynamic function. “Dynamic constants” which are updated in assigments c := t are no longer constant, and we call them program variables. Functions which are not dynamic are called static and used to describe fixed datastructures like lists, natural numbers (just as we did in algebraic specifications). Second, ASMs are more general than the programs we saw until now, since they may be nondeterministic. For example the ASM rule choose x with φ(x) in R(x)