Automatic Algorithm Programming Model Based on the Improved Morgan 􀆳 s Refinement Calculus

: The automatic algorithm programming model can in‐ crease the dependability and efficiency of algorithm program de‐ velopment, including specification generation, program refine‐ ment, and formal verification. However, the existing model has two flaws: incompleteness of program refinement and inadequate automation of formal verification. This paper proposes an auto‐ matic algorithm programming model based on the improved Mor‐ gan 􀆳 s refinement calculus. It extends the Morgan 􀆳 s refinement cal‐ culus rules and designs the C++ generation system for realizing the complete process of refinement. Meanwhile, the automation tools VCG (Verification Condition Generator) and Isabelle are used to improve the automation of formal verification. An ex‐ ample of a stock 􀆳 s maximum income demonstrates the effective‐ ness of the proposed model. Furthermore, the proposed model has some relevance for automatic software generation.

ment turns a specification into an executable program by gradually lowering the level of abstraction; and formal verification verifies the correctness of abstract programs generated during program refinement.
The process of specification generation is relatively simple.As a result, in the following, we would introduce a variety of automatic algorithm programming models based on Dijkstra  s weakest precondition method [6][7][8] , Morgans refinement calculus [9][10][11][12] and PAR(Partition and Recur) method [13] from the two core processes of program refinement and formal verification.In program refinement, the three methods all provide formal refine-ment rules, with Morgans refinement calculus rules being the most numerous.However, only PAR method implements the complete program refinement process, from program specification to executable program(C++ program).In formal verification, the three methods all generate verification conditions manually and then perform manual verification.You et al [14] enhanced the PAR method by replacing manual verification with mechanical verification via Isabelle.Table 1 compares the above mentioned automatic algorithm programming models in terms of program refinement and formal verification.
The current automatic programming model has two flaws.The first is the incompleteness of program refinement, and the second is the inadequate automation of formal verification.This paper presents an automatic algorithm programming model based on improved Morgans refinement calculus to address these two issues.For the first deficiency, Morgan  s refinement calculus is extended by adding quantifier specification transformation rules, and the C++ generation system is designed and implemented to complete the refinement process from specification to executable program.For the second deficiency, verification conditions are generated automatically based on VCG and mechanically verified by Isabelle.This is a significant step toward achieving high reliability and automation of the verification process.

Automatic Algorithm Programming Model
The flow chart of automatic algorithm program-ming model proposed in this paper is shown in Fig. 1.

Specification Generation
By analyzing user requirements, we generate an initial formal specification with pre-and post-conditions in specification generation.In this model, the specification is written as w: [P, Q] [10] , where P is the precondition, Q is the postcondition, and w is the list of frame variables.The variables whose values may change, i. e. those in the list w above, are called the frame variables (or, more concisely, simply the frame) of the specification.The code that satisfies the specification w: [P, Q] may only change the value of one or more variables in w.

Specification Simplification
The generated specification could always be simplified to a lower complexity equivalent specification based on the analysis of concrete features of the specific field.We adopt the methods of problem division and specification transformation to simplify the specification.To make this idea more formal, the assertion that means X is refined by Y (or, equivalently, Y is a refinement of X) is denoted by X ⊆ Y, which is defined as follows [10] .
Definition 2(Refinement) w: Thus w: [P, Q] is refined by w: [P', Q'] if every IMP program that satisfies the specification w:[P',Q'] also satisfies the specification w:[P,Q].
The process of abstraction program refinement be-gins with the specification and ends with the abstract program (IMP program).Each step of the process adheres to the rules for demonstrating correctness.If these rules are applied strictly, we could end up with a correct IMP program [11] .In this model, the refinement of the abstract program is based on Morgan  s refinement calculus.Morgan  s refinement calculus provides refinement calculus rules for transforming one specification into another specification or an IMP statement.However, appropriate rules must be chosen by analyzing the specification.In one word, the specification should always be transformed in an equivalent manner to match the appropriate rules.
The Morgan  s refinement calculus rules [6] used in this model are shown in Table 2.
Quantifiers are used in specification to describe the preconditions and postconditions, but the refinement rules outlined above are insufficient to refine such specifications.In this model, we add some quantifier specification transformation rules, as shown in Table 3(Q a is a quantifier, q a is the binary operation corresponding to Q a ), which are used to transform the precondition or postcondition equivalently.The formalization of program refinement is optimized by expanding the available formal rules.

Formal Verification
Artificial analysis during the refinement of an abstract program may result in program errors.Therefore, formal verification is required to ensure the correctness of the IMP program [12] .Formal verification is divided into two steps.First, based on VCG, verification conditions are generated automatically by the IMP program.Second, the verification conditions are mechanically verified by Isabelle.

VCG
Hoare logic provability could be reduced to assertion language provability.In particular, if we want to prove a Hoare logical triple {P}c{Q}, we can compute an assertion A from it, and then {P}c{Q} is provable if A is provable.A is referred to as a verification condition, and the function that computes A is referred to as a verification condition generator, or VCG [15] .
The precondition and postcondition are provided as annotations to the VCG for all algorithm programs, and the invariant is additionally provided for WHILE loops.Figure 2 depicts the VCG code template for generating verification conditions.
The advantage of using VCG is that no human or machine is required to know the Hoare logic when trying to prove the generated validation conditions [15] .

Isabelle theorem prover
Isabelle [16][17][18][19] is an auxiliary theorem prover who provides theorem proving with strong theoretical and technical support.Compared with other traditional theorem provers, the Isabelle theorem prover has the following distinguishing features.1) Isabelle can handle multiple object logics.2) Isabelle is in favor of new logic, which could be implemented by defining object logic  s con-crete syntax, abstract syntax, and inference rules.3) Isabelle  s verification language is Isar.It could accurately describe the system under test.Furthermore, Isar benefits from a wide range of data types, logic systems, and so on.4) The editing tool jEdit could verify each step in the theorem proof, and display the proof status in the output panel.

IMP Program Refinement
We propose IMP program refinement to improve the completeness of program refinement.This refinement allows for the conversion of formally verified IMP programs to executable C++ programs.As a result, an automatic system known as the C++ generation system [20][21][22] is created, and the overall structure of the system is depicted in Fig. 3.
The system mainly consists of four modules: lexical analysis, syntactic analysis, semantic analysis and program transformation.
Lexical analysis transforms the IMP program character sequences into equivalent internal symbol sequences using IMP  s lexical rules.Syntactic analysis (J represents any non-empty set of constraint variables)

Fig. 2 VCG code template for generating verification conditions
identifies IMP syntactic items from internal symbol sequences using IMP syntax rules.Semantic analysis applies semantic processing to the syntactic items that have been identified.If the results of the above three analyses are incorrect, error messages will be reported in error handling.On the other hand, if the result is correct, the IMP program will be converted into a C++ program.

Problem description
Suppose you could buy one share or sell your share per day at the stocks closing price.A stocks income is equal to the selling price minus the buying price.The problem with the maximum income of a stock is to calculate the maximum sum of the incomes from all possible trades over n days.Figure 4 is an example of the volatility of a stocks closing price over n days.

Specification generation
The closing price of this stock in n days is stored in the array P[0..n -1](n = p.len n > 1).According to the problem description, the essence of solving the problem is to find all the ascending segments P[i.

.j](P[i] and P[j]
are the minimum value and the maximum value of the ascending segment respectively), then calculate the income P[j]-P[i], finally add up the income of each ascending segment and the result of addition is maximum income.
Therefore, the maximum income of a stock in n days could be expressed by maxincome(nP) as: maxincome(nP) = (åi: The expression of the maxincome(n, P) is required when describing the specification of this problem.However, the specification would be complicated due to the complexity of this expression.

Specification simplification
In order to reduce the complexity of the specification, we could simplify the expression of the maxincome(nP).The maximum income could then be calculated by adding the incomes of all ascending segments [23] .It is obviously that whether P[i-1, i] is an ascending segment or not is determined by the truth value of Therefore, maxincome(nP) could be simplified to: maxincome(nP) = (åi:

]< P[i]: P[i]-P[i -1]
).We introduce a variable s to represent the maximum income calculated at some point in the process, then the postcondition of this problem could be expressed as: s = maxincome(nP).Because the income of a stock is calculated from the second day, the precondition is n>1.In conclusion, the specification is as follows: s:[n > 1s = maxincome(nP)]

Choosing the invariant
We introduce a variable m(0<m≤n) to traverse the array P[0..n-1] from left to right.When the subarray P[0.. m-1] is traversed, the maximum income maxincome(m, P) could be calculated, as shown in Fig. 6.Therefore the loop invariant could be defined as inv≡s=maxincome(m, P)Ù0<m≤n, which is similar to the postcondition(post≡s= maxincome(n, P) ≡invÙm=n), so the program specification could be replaced equivalently by m, s: [n>1, invÙm =n] [16] .

Establishing the invariant
Before we can refine it to a loop, the general pattern for a specification should be something like w: [inv,  invÙ¬G].The following refinement process is required to get our refined specification into this shape [10] .
According to Sequential Composition Rule, specification ② could be refined as: Specification ③ : We could prove that 0<m+1≤ nÙm 0 <m+1≤n is true.Thus the specification ③ could be simplified to be viewed as some actions needed to establish the invariant(which must hold before the iteration could start) [10] .
It should not be difficult to see that the assignment of m=1 and s=0 will be a suitable refinement.We could prove that n>1=>inv[m,s\1,0] is true, thus the specifications ③ are refined as follows: ms: where V 0 is the previous value of V.
V is defined as n-m, and m 0 is defined as the previous value of m, so we could get: All that remains is to refine the body of the loop After the above refinement, we have obtained the IMP statement (IMP statement I 1 ) that changes m, so we remove m from the frame variable.The specification is then updated as follows: It is obvious that invÙm≠n=>invÙm≠nÙm 0 =m is true, so: We could prove that 0<m+1≤nÙm 0 <m+1≤n is true.Thus the specification ⑧ could be simplified to: The next refinement is: After observing the pre-and post-conditions of specifications ⑩ , we analyze the relationship between maxincome(m,P) and maxincome(m+1,P): Therefore, specification ⑩ would be refined as follows: Specification    could be updated as follows by substituting maxincome(m,P) with its definition: For refinement, there is no suitable Morgans refinement calculus rule.However, using quantifier specification transformation rules, the postcondition could be transformed into a suitable shape: ì It is easy to find: (åi:P The specification could then be transformed to: We could prove that the following derivation is true.
Therefore the specification could be refined as fol-

Putting IMP statements all together
We could now glue all of the pieces(IMP statement I 1 , I 2 , I 3 , I 7 ) together to get the code in Fig. 7 as a refinement of specification ①.

Formal Verification through Isabelle Based on VCG
The refinement process of Section 2.2 is accompanied by mathematical proof, ensuring manual reliability.
However, it is not automatic and highly reliable.If the IMP program in Section 2.2.4 could be verified using Isabelle and VCG, the reliability of the automatic algorithm programming model could be ensured mechanically.

Automatically generating verification conditions based on VCG
Based on the IMP program obtained in Section 2.2.4,we insert the precondition and postcondition before and after the program respectively, and the loop invariant before the loop statement, as shown in top half of Fig. 8.The verification conditions could then be obtained (3 subgoals in bottom half of Fig. 8).

Mechanically verifying the generated conditions through Isabelle
The second subgoal in Fig. 8 generates two recursions, which can be transformed into two lemmas to assist us in verifying the second subgoal.The verification of the two lemmas is depicted in Fig. 9.The next step is to verify the three subgoals in Fig. 8.After we call the Isabelle code "apply auto", there is only one subgoal to verify.This subgoal could be demonstrated automatically using the tool sledgehammer [24,25] .Figure 10 depicts the outcome of applying sledgehammer for current verification.We can select the Isar proof code and click on it.
Figure 11 depicts the overall verification process for all the verification conditions.

Refinement of the IMP Program
Through the C++ generation system, an IMP program could be refined to a C++ program.Figure 12 depicts the refinement process for the problem of a stocks   the help of the C++ generation system.An example of a stock  s maximum income demonstrates the model  s effectiveness.The model in this paper has the following characteristics in general.1) Morgan  s refinement calculus is extended by adding of quantifier specification transformation rules.Therefore, the formalization of program refinement is enhanced.
2) The manual generation of verification conditions for algorithm programs is replaced by the automatic generation.Therefore, formal verification automation is improved.
3) Based on the C++ generation system, abstract IMP programs are refined to executable programs.Therefore, the program refinement is more complete.
The automatic algorithm programming model allows for efficient programming while also ensuring the correctness of the generated program.However, two aspects of future work must be improved.One is to expand the refinement rule library to further optimize Morgans refinement calculus, and the other is to apply the model to more complex data structures.

Definition 1 (
Sat) Sat(C, w: [P, Q]) is a predication that asserts the IMP(Imperative Programming Language) program C satisfies the specification w:[P,Q].

Figure 5
Figure 5 shows the whole process of refining abstract program, where ① , ② , … ,    represent program specifications and I 1 , I 2 , … , I 6 represent refined IMP statements.The abstract program refinement ends when all of the specifications have been refined into IMP statements.

Fig. 3 Fig. 4
Fig. 3 The overall structure of the C++ generation system

Fig. 7 Fig. 9
Fig. 7 IMP program of a stocks maximum income

3 Conclusion
This paper proposes an automatic algorithm programming model based on the improved Morgan  s refinement calculus to improve the automation and reliability of algorithm programming.The model generates the program specifications according to user requirements.It refines step by step with formal verification and generates executable programs automatically with

Fig. 10 Fig. 12
Fig. 10 Tool sledgehammer for auxiliary verification Fig. 11 The overall verification process