<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<!--
  KIV specification unit "Mondex-AOP": the abstract operations of the Mondex refinement.

  Structure (as written in the SPECBODY text below):
    * The unit enriches four specifications (dummyoutput, AASM, AINPUT, Mondex-index)
      with one function, AOP. AOP takes an operation index of sort mindex and returns a
      predicate over (ainput, balance, lost, balance', lost', dummyoutput).
    * balance and lost are maps name → nat. Following the unit's own comment clause, the
      unprimed pair is the state the ASM rule is started in and the primed pair is the
      state it yields.
    * Each axiom has the shape 〈rule〉 (balance = balance' ∧ lost = lost'). The unit's
      comment clause reads this as "the rule terminates and yields the primed state".
      NOTE(review): inside the postcondition, balance and lost presumably denote the
      values after the rule has run; confirm against the KIV semantics of 〈 〉.
    * transfer-req: runs ABIGNORE# when the input ain is null, otherwise AOP# with
      ain .value, ain .from and ain .to on balance and lost.
    * abignore-ignore: always runs ABIGNORE#. The six indices abignore-abort,
      abignore-increase, abignore-startfrom, abignore-startto, abignore-val and
      abignore-ack are defined as equal to AOP(abignore-ignore).
    * "used for : s, ls" presumably registers the axiom as a simplifier rule and a local
      simplifier rule in KIV; verify against the KIV documentation.

  Points to keep in mind when reviewing the security argument:
    * The dummyoutput argument dum appears only on the left-hand side of the axioms, so
      this unit places no constraint on it.
    * AOP# and ABIGNORE# are not defined in this unit (presumably they come from AASM).
      Whether a transfer preserves the sum of balance and lost, or whether ABIGNORE#
      leaves the state unchanged, cannot be read off this file and must be checked in
      the unit that defines those rules.
    * The xml-stylesheet instruction at the top of the file names a relative XSLT.
      Tooling that renders or transforms this export outside a browser should select the
      stylesheet itself instead of following the href taken from the document.
-->
<KIVSPEC name="Mondex-AOP"><SPECBODY>enrich <a href="../../../specs/dummyoutput/export/unit.xml">dummyoutput</a> , 
       <a href="../../../specs/AASM/export/unit.xml">AASM</a> , 
       <a href="../../../specs/AINPUT/export/unit.xml">AINPUT</a> , 
       <a href="../../../specs/Mondex-index/export/unit.xml">Mondex-index</a> with
   
   functions 
      AOP : mindex → ainput × (name → nat) × (name → nat) × (name → nat) × (name → nat) × dummyoutput → bool;
   variables 
      balance', lost' : name → nat; 
      aop : ainput × (name → nat) × (name → nat) × (name → nat) × (name → nat) × dummyoutput → bool; 
   
   axioms 
      ⊦ 
        AOP(transfer-req)(ain, balance, lost, balance', lost', dum)
      ↔ 〈if ain = null
         then ABIGNORE#()
         else AOP#(ain .value, ain .from, ain .to; balance, lost)〉 (balance = balance' ∧ lost = lost')
      ;
      used for : s, ls
      ;
       ⊦ AOP(abignore-ignore)(ain, balance, lost, balance', lost', dum) ↔ 〈ABIGNORE#()〉 (balance = balance' ∧ lost = lost'); used for : s, ls;
       ⊦ AOP(abignore-abort) = AOP(abignore-ignore); used for : s, ls;
       ⊦ AOP(abignore-increase) = AOP(abignore-ignore); used for : s, ls;
       ⊦ AOP(abignore-startfrom) = AOP(abignore-ignore); used for : s, ls;
       ⊦ AOP(abignore-startto) = AOP(abignore-ignore); used for : s, ls;
       ⊦ AOP(abignore-val) = AOP(abignore-ignore); used for : s, ls;
       ⊦ AOP(abignore-ack) = AOP(abignore-ignore); used for : s, ls; comment: Specification of the abstract operations of the Mondex refinement.
Instead of defining relations AOP(as,as') directly we use formulas
〈AOP#(as)〉 as = as' (meaning: started with as, ASM rule AOP# terminates 
and yields as'). This allows to automate proofs using symbolic execution 
of AOP#.  ABIGNORE# is used several times since several concrete operations
refine this operation.;
   
end enrich</SPECBODY></KIVSPEC>
