asm specification comment: approximate specification of the abstract level of the Mondex case study as an ASM: the ASM chooses which transfers to do arbitrarily instead of reading from an input stream. Also we do not have an (empty) ABIGNORE operations, since ASM refinement does not require 1:1 diagrams. A concrete operation can be verified using a 0:1 diagram instead.; using set-nat genname declaration initial state lost := λ na. 0 final state false ASTEP# choose fail?, value, from, to with (authentic(from) ∧ authentic(to) ∧ from ≠ to ∧ value ≤ balance(from)) in if ¬ fail? then balance(from) := balance(from) - value seq balance(to) := balance(to) + value else balance(from) := balance(from) - value lost(from) := lost(from) + value end asm specification asm specification comment: approximate specification of the abstract level of the Mondex case study as an ASM: the ASM chooses which transfers to do arbitrarily instead of reading from an input stream. Also we do not have an (empty) ABIGNORE operations, since ASM refinement does not require 1:1 diagrams. A concrete operation can be verified using a 0:1 diagram instead.; using set-nat genname target procedures AASM# : (name → nat) × (name → nat) nonfunctional indeterministic; ASTEP# : (name → nat) × (name → nat) nonfunctional indeterministic; variables balance, lost : name → nat; fail? : bool; value : nat; from, to : name; declaration asm : AASM# (var balance, lost) begin lost := λ na. 0 ; while ¬ false do ASTEP#(; balance, lost) end; ASTEP# (var balance, lost) begin var fail?, value, from, to with (authentic(from) ∧ authentic(to) ∧ from ≠ to ∧ value ≤ balance(from)) in if ¬ fail? then begin balance(from) := balance(from) - value ; balance(to) := balance(to) + value end else balance(from) := balance(from) - value, lost(from) := lost(from) + value end; end asm specification