asm specification comment: definition of an ASM for the abstract level of the Mondex refinement. Only parts of this ASM (ABIGNORE# and ABTRANSFER#) are used in the definitions of abstract operations of the Mondex refinement. Proving ASM refinement directly is future work and may require small corrections to the ASM definition.; using set-nat genname AINPUT-list declaration initial state lost := λ na. 0 ; final state ail = [] ASTEP# let value = (hd ail) .value, from = (hd ail) .from, to = (hd ail) .to in ail := tl ail seq AOP# AOP# ABIGNORE#() ∨ ABTRANSFER# ABTRANSFER# choose fail? in if value ≤ balance(from) ∧ authentic(from) ∧ authentic(to) ∧ from ≠ to then if ¬ fail? then balance(from) := balance(from) - value seq balance(to) := balance(to) + value else balance(from) := balance(from) - value lost(from) := lost(from) + value else abort ABIGNORE# skip end asm specification asm specification comment: definition of an ASM for the abstract level of the Mondex refinement. Only parts of this ASM (ABIGNORE# and ABTRANSFER#) are used in the definitions of abstract operations of the Mondex refinement. Proving ASM refinement directly is future work and may require small corrections to the ASM definition.; using set-nat genname AINPUT-list target procedures AASM# : (name → nat) × (name → nat) × ainputlist nonfunctional indeterministic; ASTEP# : (name → nat) × (name → nat) × ainputlist nonfunctional indeterministic; AOP# nat × name × name : (name → nat) × (name → nat) nonfunctional indeterministic; ABTRANSFER# nat × name × name : (name → nat) × (name → nat) nonfunctional indeterministic; ABIGNORE# : nonfunctional; variables balance, lost : name → nat; fail? : bool; value : nat; from, to : name; declaration asm : AASM# (var balance, lost, ail) begin lost := λ na. 0 ; while ail ≠ [] do ASTEP#(; balance, lost, ail) end; ASTEP# (var balance, lost, ail) begin var value = (hd ail) .value, from = (hd ail) .from, to = (hd ail) .to in begin ail := tl ail ; AOP#(value, from, to; balance, lost) end end; AOP# (value, from, to; var balance, lost) begin ABIGNORE#() ∨ ABTRANSFER#(value, from, to; balance, lost) end; ABTRANSFER# (value, from, to; var balance, lost) begin var fail? with true in if value ≤ balance(from) ∧ authentic(from) ∧ authentic(to) ∧ from ≠ to then if ¬ fail? then begin balance(from) := balance(from) - value ; balance(to) := balance(to) + value end else balance(from) := balance(from) - value, lost(from) := lost(from) + value else abort end; ABIGNORE# () begin skip end; end asm specification