Refactoring-as-Propositions: Proved Refactoring of Hybrid Systems via Proved Refinements
Pith reviewed 2026-06-30 19:28 UTC · model grok-4.3
The pith
Hybrid system refactorings preserve required properties when expressed as propositions in differential refinement logic.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Refactorings are represented as propositions in dRL, with a method for proving that system refactorings preserve their required properties by transferring the proof along the respective modification; these can be proved automatically or reduce to a modular proof solely about the local change.
What carries the argument
The refactoring-as-propositions principle, which uses refinements in differential refinement logic to simultaneously express system properties and the relation between an original hybrid system and its refactored version.
If this is right
- Changes to a hybrid system can be checked for property preservation without re-verifying the entire system.
- Proofs of required properties transfer directly from the original system to the refactored one.
- Refactorings that introduce auxiliary variables are covered by the same uniform treatment as other changes.
- Verification effort reduces to either fully automatic checks or modular proofs focused only on the local modification.
Where Pith is reading between the lines
- Iterative design loops for cyber-physical systems could become faster while retaining formal safety guarantees.
- Similar proposition-based transfer techniques might apply to refactorings in other formalisms or system classes.
- Verification tools could be extended to automate the proof-transfer step for common local changes.
- The approach emphasizes modularity, which could reduce the cost of maintaining large verified models over time.
Load-bearing premise
Differential refinement logic supplies a uniform way to express different hybrid-system refactorings while referring both to system properties and to the relation between original and changed versions.
What would settle it
A concrete hybrid-system refactoring known to preserve safety that cannot be proved to do so inside differential refinement logic, or a refactoring that alters safety yet receives an incorrect preservation proof.
Figures
read the original abstract
Cyber-physical systems are inherently complex due to their connection between software and the physical world. Iterative design reduces their complexity, but increases the need to repeatedly recheck their safety in full after every change. We introduce the refactoring-as-propositions principle in which refactorings are represented as propositions along with a method for proving that system refactorings preserve their required properties by transferring the proof along the respective modification. It is based on differential refinement logic (dRL), with which one can simultaneously and rigorously refer to properties of the systems and the relation between a refactored system and its original version. Refinements represent a uniform way of expressing different types of hybrid system refactorings, including those that introduce auxiliary variables. Furthermore, we show how these refactorings can be proved automatically, and/or reduce to a modular proof solely about the local change rather than about the whole system.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces the refactoring-as-propositions principle for hybrid systems. Refactorings are represented as propositions in differential refinement logic (dRL), enabling proofs that system properties are preserved under refactoring by transferring proofs along the modification. dRL is claimed to provide a uniform representation for multiple refactoring types (including auxiliary-variable introductions) while allowing simultaneous reference to system properties and the original/refactored relation; the resulting proofs are said to be automatable or reducible to modular local arguments about the change alone.
Significance. If the uniformity claim and the proof-transfer mechanism are substantiated with concrete definitions and derivations, the work would offer a practical formal method for safe iterative refactoring of cyber-physical systems without full re-verification. This directly addresses a recurring pain point in hybrid-system design and would constitute a meaningful extension of dRL if the added principles are shown to be independent of prior results.
major comments (2)
- The abstract asserts that dRL supplies a uniform representation for refactorings (including auxiliary-variable cases) while simultaneously referring to properties and the original/refactored relation, yet no definitions of the relevant dRL propositions, refinement relations, or proof rules appear in the supplied material. Without these, the central uniformity and proof-transfer claims cannot be verified and remain load-bearing for the entire contribution.
- No concrete example, derivation, or proof sketch is supplied to illustrate how a refactoring proposition is formed, how proof transfer occurs, or how automation or modularity is achieved. This absence prevents assessment of whether the refactoring-as-propositions principle rests on independent grounding or reduces to existing dRL results.
Simulated Author's Rebuttal
We thank the referee for the careful review and for identifying the need for explicit formal content to support the central claims. We agree that the supplied material (the abstract) does not contain the definitions, relations, or examples referenced in the abstract, and we will revise the manuscript to include them.
read point-by-point responses
-
Referee: The abstract asserts that dRL supplies a uniform representation for refactorings (including auxiliary-variable cases) while simultaneously referring to properties and the original/refactored relation, yet no definitions of the relevant dRL propositions, refinement relations, or proof rules appear in the supplied material. Without these, the central uniformity and proof-transfer claims cannot be verified and remain load-bearing for the entire contribution.
Authors: We acknowledge the validity of this comment. The supplied material consists only of the abstract, which summarizes the contribution without providing the formal definitions of the dRL propositions, refinement relations, or proof rules. In the revised manuscript we will add these definitions in the main sections to enable verification of the uniformity and proof-transfer claims. revision: yes
-
Referee: No concrete example, derivation, or proof sketch is supplied to illustrate how a refactoring proposition is formed, how proof transfer occurs, or how automation or modularity is achieved. This absence prevents assessment of whether the refactoring-as-propositions principle rests on independent grounding or reduces to existing dRL results.
Authors: We agree that the supplied material contains no concrete example, derivation, or proof sketch. The revised version will incorporate a concrete example together with a derivation and proof sketch demonstrating formation of a refactoring proposition, the proof-transfer mechanism, and the relation to prior dRL results. revision: yes
Circularity Check
No significant circularity identified
full rationale
The paper presents the refactoring-as-propositions principle as a method built on differential refinement logic (dRL) for proving preservation of properties under refactorings, including auxiliary variable introductions. The abstract and supplied material describe this as a uniform representation allowing simultaneous reference to system properties and original/refactored relations, with proofs that can be automated or reduced to local changes. No equations, definitions, or derivation steps are exhibited that reduce a claimed prediction or result to its inputs by construction, nor any load-bearing self-citation chain where the central claim collapses to an unverified prior result. dRL is treated as an established external logic providing the necessary expressiveness, making the contribution self-contained rather than circular. The uniformity and modularity claims rest on the logic's features rather than re-deriving them from the present work's outputs.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Differential refinement logic can simultaneously express system properties and refinement relations between original and modified hybrid systems.
invented entities (1)
-
refactoring-as-propositions principle
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Cambridge University Press (2010).https://doi.org/10.1017/CBO9781139195881
Abrial, J.: Modeling in Event-B - System and Software Engineering. Cambridge University Press (2010).https://doi.org/10.1017/CBO9781139195881
-
[2]
Abrial, J., Butler, M.J., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L.: Rodin: an open toolset for modelling and reasoning in Event-B. Int. J. Softw. Tools Technol. Transf.12(6), 447–466 (2010).https://doi.org/10.1007/ S10009-010-0145-Y
2010
-
[3]
Abrial, J., Su, W., Zhu, H.: Formalizing hybrid systems with Event-B. In: Ab- stract State Machines, Alloy, B, VDM, and Z - Third International Confer- ence, ABZ 2012, Pisa, Italy, June 18-21, 2012. Proceedings. pp. 178–193 (2012). https://doi.org/10.1007/978-3-642-30885-7_13,https://doi.org/10.1007/ 978-3-642-30885-7_13
-
[4]
In: Raschke, A., Méry, D., Houdek, F
Afendi, M., Laleau, R., Mammar, A.: Modelling hybrid programs with Event-B. In: Raschke, A., Méry, D., Houdek, F. (eds.) Rigorous State-Based Methods - 7th International Conference, ABZ 2020, Ulm, Germany, May 27-29, 2020, Proceed- ings. LNCS, vol. 12071, pp. 139–154. Springer (2020).https://doi.org/10.1007/ 978-3-030-48077-6_10
2020
-
[5]
Banach, R., Zhu, H., Su, W., Wu, X.: Continuous behaviour in Event-B: A sketch. In: Abstract State Machines, Alloy, B, VDM, and Z - Third International Confer- ence, ABZ 2012, Pisa, Italy, June 18-21, 2012. Proceedings. pp. 349–352 (2012). https://doi.org/10.1007/978-3-642-30885-7_29,https://doi.org/10.1007/ 978-3-642-30885-7_29
-
[6]
In: Pientka, B., Tinelli, C
Brieger, M., Mitsch, S., Platzer, A.: Uniform substitution for dynamic logic with communicating hybrid programs. In: Pientka, B., Tinelli, C. (eds.) CADE. LNCS, vol. 14132, pp. 96–115. Springer (2023).https://doi.org/10.1007/ 978-3-031-38499-8_6
2023
-
[7]
Butler,M.J.,Maamria,I.:PracticaltheoryextensioninEvent-B.In:Liu,Z.,Wood- cock, J., Zhu, H. (eds.) Theories of Programming and Formal Methods - Essays Dedicated to Jifeng He on the Occasion of His 70th Birthday. LNCS, vol. 8051, pp. 67–81. Springer (2013).https://doi.org/10.1007/978-3-642-39698-4_5
-
[8]
Dupont, G., Ameur, Y.A., Pantel, M., Singh, N.K.: Proof-based approach to hybrid systemsdevelopment:DynamiclogicandEvent-B.In:AbstractStateMachines,Al- loy, B, TLA, VDM, and Z - 6th International Conference, ABZ 2018, Southampton, UK, June 5-8, 2018, Proceedings. pp. 155–170 (2018).https://doi.org/10.1007/ 978-3-319-91271-4_11,https://doi.org/10.1007/978-...
-
[9]
Dupont, G., Ameur, Y.A., Pantel, M., Singh, N.K.: Handling refinement of contin- uous behaviors: A proof based approach with Event-B. In: 2019 International Sym- posiumonTheoreticalAspectsofSoftwareEngineering,TASE2019,Guilin,China, July 29-31, 2019. pp. 9–16 (2019).https://doi.org/10.1109/TASE.2019.00-25 Refactoring-as-Propositions 17
-
[10]
In: Ayala-Rincón, M., Muñoz, C.A
Fulton, N., Mitsch, S., Bohrer, B., Platzer, A.: Bellerophon: Tactical theorem proving for hybrid systems. In: Ayala-Rincón, M., Muñoz, C.A. (eds.) ITP. LNCS, vol. 10499, pp. 207–224. Springer (2017).https://doi.org/10.1007/ 978-3-319-66107-0_14
2017
-
[11]
In: Felty, A., Middel- dorp, A
Fulton, N., Mitsch, S., Quesel, J.D., Völp, M., Platzer, A.: KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In: Felty, A., Middel- dorp, A. (eds.) CADE. LNCS, vol. 9195, pp. 527–538. Springer, Berlin (2015). https://doi.org/10.1007/978-3-319-21401-6_36
-
[12]
(eds.): Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science
Grohe, M., Koskinen, E., Shankar, N. (eds.): Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science. ACM, New York (2016)
2016
-
[13]
Jeannin, J., Ghorbal, K., Kouskoulas, Y., Gardner, R., Schmidt, A., Zawadzki, E., Platzer, A.: A formally verified hybrid system for the next-generation airborne col- lision avoidance system. In: Baier, C., Tinelli, C. (eds.) TACAS. LNCS, vol. 9035, pp. 21–36. Springer (2015).https://doi.org/10.1007/978-3-662-46681-0_2
-
[14]
Kozen, D.: Kleene algebra with tests. ACM Trans. Program. Lang. Syst.19(3), 427–443 (1997).https://doi.org/10.1145/256167.256195
-
[15]
Loos, S.M., Platzer, A.: Differential refinement logic. In: Grohe et al. [12], pp. 505–514.https://doi.org/10.1145/2933575.2934555
-
[16]
Lunel, S., Boyer, B., Talpin, J.: Compositional proofs in differential dynamic logic dl. In: 17th International Conference on Application of Concurrency to System Design, ACSD 2017, Zaragoza, Spain, June 25-30, 2017. pp. 19–28 (2017).https: //doi.org/10.1109/ACSD.2017.16,https://doi.org/10.1109/ACSD.2017.16
-
[17]
In: Jones, C.B., Pihlajasaari, P., Sun, J
Mitsch, S., Quesel, J.D., Platzer, A.: Refactoring, refinement, and reasoning: A logical characterization for hybrid systems. In: Jones, C.B., Pihlajasaari, P., Sun, J. (eds.) FM. LNCS, vol. 8442, pp. 481–496. Springer (2014).https://doi.org/ 10.1007/978-3-319-06410-9_33
-
[18]
Platzer, A.: Logics of dynamical systems. In: LICS. pp. 13–24. IEEE, Los Alamitos (2012).https://doi.org/10.1109/LICS.2012.13
-
[19]
Platzer, A.: A complete uniform substitution calculus for differential dy- namic logic. J. Autom. Reas.59(2), 219–265 (2017).https://doi.org/10.1007/ s10817-016-9385-1
2017
-
[20]
In: Fontaine, P
Platzer, A.: Uniform substitution at one fell swoop. In: Fontaine, P. (ed.) CADE. LNCS, vol. 11716, pp. 425–441. Springer (2019).https://doi.org/10.1007/ 978-3-030-29436-6_25
2019
-
[21]
Platzer, A.: Hybrid dynamical systems logic and its refinements. Sci. Comput. Program.239, 103179 (2025).https://doi.org/10.1016/J.SCICO.2024.103179
-
[22]
Platzer, A., Tan, Y.K.: Differential equation axiomatization: The impressive power of differential ghosts. In: Dawar, A., Grädel, E. (eds.) LICS. pp. 819–828. ACM, New York (2018).https://doi.org/10.1145/3209108.3209147
-
[23]
In: Benzmüller, C., Heule, M.J., Schmidt, R.A
Prebet, E., Platzer, A.: Uniform substitution for differential refinement logic. In: Benzmüller, C., Heule, M.J., Schmidt, R.A. (eds.) IJCAR. LNCS, vol. 14740, pp. 196–215. Springer (2024).https://doi.org/10.1007/978-3-031-63501-4_11
-
[24]
org/10.5281/zenodo.20142337,https://doi.org/10.5281/zenodo.20142337
Prebet,E.,Platzer,A.:Refactoring-as-Propositions:1.0(May2026).https://doi. org/10.5281/zenodo.20142337,https://doi.org/10.5281/zenodo.20142337
-
[25]
1016/J.SCICO.2014.04.015,https://doi.org/10.1016/j.scico.2014.04.015 18 E
Su, W., Abrial, J., Zhu, H.: Formalizing hybrid systems with Event-B and the Rodinplatform.Sci.Comput.Program.94,164–202(2014).https://doi.org/10. 1016/J.SCICO.2014.04.015,https://doi.org/10.1016/j.scico.2014.04.015 18 E. Prebet, A. Platzer A Additional Rules and Axioms used (:∗merge)x:=∗; ?p(x);x:=∗=x:=∗; ?∃y p(y) (=)a=b↔a≤b∧b≤a (MP) ϕ→ψ ϕ ψ (→2↔) ⊢ϕ↔ψ ⊢...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.