<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="AASM"><SPECBODY> asm specification 
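   comment: specification of the abstract level
         of the Mondex case study as an ASM: the ASM chooses
         arbitrarily which transfers to perform instead of reading
         them from an input stream.  It also randomly chooses when to finish
         (by setting final to true). Since ASM refinement
         requires termination to be preserved,
         the final flag must be set even when doing nothing (ABIGNORE).
         Note: in the rules as declared below, the final state is the constant false
         and the do-nothing case is written as ifnone skip, so no final flag
         and no ABIGNORE rule appear in this version of the specification.;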
   AASM#
   using <a href="../../../specs/set-nat/export/unit.xml">set-nat</a> <a href="../../../specs/genname/export/unit.xml">genname</a>
    target 
         procedures 
            AASM#   : (name → nat) × (name → nat) nonfunctional indeterministic;
            ASTEP#   : (name → nat) × (name → nat) nonfunctional indeterministic;
            TRANSFEROK#  name × nat × name : (name → nat) nonfunctional;
            TRANSFERFAIL#  name × nat : (name → nat) × (name → nat) nonfunctional;
         variables 
            balance, balance', balance'0, balance1, balance2, lost, lost0, lost' : name → nat; 
            fail? : bool; 
            value : nat; 
            from, to : name; 
   input variables ;
   state variables balance, lost;
   initial state lost = (λ na. 0)
   final state false
   asm rule ASTEP#
   declaration 
      asm : AASM# (balance, lost)
              { 
                 while ¬ false do ASTEP#
              };, 
      ASTEP# (balance, lost)
        { 
           choose  from, to, value, fail?
           with (authentic(from) ∧ authentic(to) ∧ from ≠ to ∧ value ≤ balance(from))
           in if ¬ fail?
              then TRANSFEROK#
              else TRANSFERFAIL#
           ifnone skip
        };, 
      TRANSFEROK# (from, value, to; balance)
        { 
           balance(from) := balance(from) - value ; balance(to) := balance(to) + value
        };, TRANSFERFAIL# (from, value; balance, lost)
              { 
                 balance(from) := balance(from) - value, lost(from) := lost(from) + value
              };
end asm specification</SPECBODY></KIVSPEC>
