A Precise Semantics for Ultraloose. Specications. Alastair D. Reid. Submitted for the degree of. Master of Science

Transcription

1 Computing Science M.Sc Thesis A Precise Semantics for Ultraloose Specications Alastair D. Reid Submitted for the degree of Master of Science c1993, Alastair D. Reid

2 i Abstract All formal speciers face the danger of overspecication: accidentally writing an overly restrictive specication. This problem is particularly acute for axiomatic specications because it is so easy to write axioms which hold for some of the intended implementations but not for all of them (or, rather, it is so hard not to write overly strong axioms). One of the best developed ways of recovering some of those implementations which do not literally satisfy the specication is to apply a \behavioural abstraction operator" to a specication: adding in those implementations which have the same \behaviour" as an implementation which does satisfy the specication. In two recent papers Wirsing and Broy propose an alternative (and apparently simpler) approach which they call \ultraloose specication." This approach is based on a particular style of writing axioms which avoids certain forms of overspecication. An important, unanswered question is \How does the ultraloose approach relate to the other solutions?" The major achievement of this thesis is a proof that the ultraloose approach is semantically equivalent to the use of the \behavioural abstraction operator." This result is rather surprising in the light of a result by Schoett which seems to say that such a result is impossible.

3 Acknowledgements I would like to thank the following people for their help during the period of this research. Dr. Muy Thomas for acting as my supervisor. My oce-mates Kei Davis and Shahad Ahmed for their support and advice. My parents for nancial and other support. The Computing Science Department for their patience and generosity in providing facilities. The Science and Engineering Research Council for funding (award ] ). Aran Lunzer for caeine xes and questions for all my LaT E X answers. ii

4 Contents 1 Introduction 1 2 The Semantics of ASL and USL Signatures, Algebras and Axioms : : : : : : : : : : : : : : : : : : : : Signatures and Algebras : : : : : : : : : : : : : : : : : : : : : Terms, Derived Operators and Reachability : : : : : : : : : : Formul and Axioms : : : : : : : : : : : : : : : : : : : : : : : Specications : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : Specication Building Operations : : : : : : : : : : : : : : : : Examples : : : : : : : : : : : : : : : : : : : : : : : : : : : : : The ASL and USL sublanguages : : : : : : : : : : : : : : : : : : : : : 36 3 Behavioural Equivalence Behavioural Equivalence Special Case : : : : : : : : : : : : : : : : Behavioural Equivalence General Case : : : : : : : : : : : : : : : : Properties of Behavioural Equivalence : : : : : : : : : : : : : : : : : : Behavioural Equivalence and Specications : : : : : : : : : : : : : : : Observational Axioms : : : : : : : : : : : : : : : : : : : : : : : : : : Schoett's Impossibility Theorem : : : : : : : : : : : : : : : : : : : : : Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 68 4 Ultraloose Specications Dening Ultraloose Style : : : : : : : : : : : : : : : : : : : : : : : : : Closure of SP IN under! IN : : : : : : : : : : : : : : : : : : : : : : : Closure of SP IN IN under! : : : : : : : : : : : : : : : : : : : : : : Equivalence of ASL and USL : : : : : : : : : : : : : : : : : : : : : : Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : Ease of Proofs in ASL and USL Diculty of Proofs in ASL : : : : : : : : : : : : : : : : : : : : : : : : Ease of Proofs in USL : : : : : : : : : : : : : : : : : : : : : : : : : : Comparision : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 114 iii

5 Contents iv 6 Summary and Conclusions 116

6 List of Figures 1.1 Stacks in ASL : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A Stack Implementation : : : : : : : : : : : : : : : : : : : : : : : : : Stacks in USL : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : Inconsistent Stacks in ASL : : : : : : : : : : : : : : : : : : : : : : : : Specication of Natural Numbers : : : : : : : : : : : : : : : : : : : : Counter Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : An Ultraloose Stack Specication : : : : : : : : : : : : : : : : : : : : A \Normal" Stack Specication : : : : : : : : : : : : : : : : : : : : : An Ultraloose Stack Specication : : : : : : : : : : : : : : : : : : : : A Behaviourally Closed USL Stack : : : : : : : : : : : : : : : : : : : Multiple Counter ASL : : : : : : : : : : : : : : : : : : : : : : : : : Multiple Counter USL : : : : : : : : : : : : : : : : : : : : : : : : : Restructured Multiple Counter : : : : : : : : : : : : : : : : : : : : : 109 v

7 List of Theorems and Denitions 1.1 Denition: closure Denition: signatures Denition: signature morphisms Denition: algebras Denition: reducts Denition: homomorphisms and isomorphisms Lemma: bijectivity and uniqueness of isomorphisms Counterexample: Aj 0 = Bj 0 6) A = B Denition: congruences and quotients Lemma: homomorphism to quotient algebras Denition: terms Denition: valuations and interpretation Lemma: representation of terms Denition: reachability, reachable subalgebras Lemma: homomorphism from reachable subalgebras Lemma: quotients of reachable subalgebras Denition: well formed formul, axioms and satisfaction Denition: specications Denition: Behavioural equivalence ground case Denition: Behavioural equivalence alternative denition Denition: Behavioural equivalence alternative denition.. 42 IN! 3.4 Denition: and IN! Denition: observational and behavioural equivalence Lemma: IN! EQ(IN ; ) Lemma: behavioural equivalence of isomorphic algebras Lemma: behavioural equivalence of reachable subalgebras Denition: ( ; )-congruence Lemma: behavioural equivalence of quotient algebras vi

8 List of Theorems and Denitions vii 3.11 Lemma: behavioural equivalence and reachability Theorem: A IN! B, R( ; IN ; A)= A = R( ; IN ; B)= B Denition: behavioural semantics, equivalence and closure Lemma: SP1 IN! SP2 ) (SP SP1 ), (SP SP2 ) Denition: observational formul and axioms Theorem: IN! Axm(IN ; ) Corollary: SP j= ax, behaviour SP wrt (IN ; ) j= ax Lemma: Cl() Counterexample: EQ(IN ; ) 6 Axm(IN ; ) Corollary: IN! EQ(IN ; ) Theorem: Schoett's impossibility result Corollary: weakness of observational axioms Denition: congruence axioms Denition: ultraloose axiom and specication transformation Denition: (A) Denition: A Theorem: downward closure of SP IN Denition: negation normal form Theorem: closure of SP IN Lemma: Mod(SP IN ) Mod IN (SP) Lemma: SP IN SP Theorem: semantic eect of ultraloose transformation Corollary: Counter fg fboolg is behaviourally closed Corollary: SP IN = behaviour SP wrt (IN ; ) Lemma: ignoring behavioural abstraction is unsound Lemma: minc(m + n; c) minc(m; minc(n; c)) Lemma: mdec(n; minc(n; c)) c Theorem: n < m ) :iszero(mdec(n; minc(m; c)))

9 Chapter 1 Introduction Two important requirements of a framework for formal program development are that it should allow any \legitimate" informal program development; and that it should be straightforward to prove that each step in a program development is allowed. All programmers know that replacing one module by another module with the same external behaviour has no eect on the overall behaviour of a program and so, to satisfy the rst requirement, any framework for formal program development should support the replacement of \behaviourally equivalent" modules (i.e. modules with the same \external behaviour"). That is, program specications should have the following closure property. If a program module implements a specication then so should all behaviourally equivalent program modules. 1 This thesis is concerned with dierent ways in which axiomatic (aka algebraic) specication languages achieve this closure property and with how these dierent approaches aect the ease of proving properties of the resulting specications. In 1 We are being deliberately vague about what we mean by \implements" and \behavioural equivalence." These terms are dened in chapters 2 and 3 respectively. 1

10 Introduction 2 particular, we look at two closely-related languages due to Wirsing, Sannella and Tarlecki and to Wirsing and Broy. The best developed axiomatic specication language which addresses the issue of behavioural closure is ASL proposed by Wirsing and Sannella [34,40] and developed further by Sannella and Tarlecki [27{30]. ASL is a kernel specication language used to dene the semantics of higher-level specication languages such as PLUSS [6] and Extended ML [26]. Not all specications written in ASL are behaviourally closed: for example, the specication of stacks of natural numbers in gure 1.1 admits some stack-like implementations such as the obvious list-based implementation but rejects others with the same behaviour such as the \array and pointer" implementation in gure enrich Nat by sign Stack : type empty:! Stack push: Nat Stack! Stack pop: Stack! Stack top: Stack! Nat isempty: Stack! Bool axioms 8s: Stack ; x : Nat: top(push(x ; s)) = x 8s: Stack ; x : Nat: pop(push(x ; s)) = s isempty(empty) = True 8s: Stack ; x : Nat: isempty(push(x ; s)) = False end Figure 1.1: Stacks in ASL There are two reasons why the stack specication in gure 1.1 is too strong and so fails to have the desired closure property. 1. The use of equations between stacks is too strong. This can be seen by considering the array and pointer implementation's failure to satisfy the second axiom. 2 We use an ad-hoc but, we hope, clear notation to dene the \implementation." In chapter 2 we will see that implementations should be dened in the same language that is used to write specications.

11 Introduction 3 type Stack = Pair(Int, Array of Nat) empty = h0 ; emptyarrayi push(x ; hi ; ai) = hi + 1 ; a[i ]: = xi pop(hi ; ai) = hi? 1 ; ai top(hi ; ai) = a[i ] isempty(hi ; ai) = i == 0 Figure 1.2: A Stack Implementation pop(push(x ; empty)) = f denition of empty g pop(push(x ; h0 ; emptyarrayi)) = f denition of push g pop(h1 ; emptyarray[0 ]: = xi) = f denition of pop g h0 ; emptyarray[0 ]: = xi 6= h0 ; emptyarrayi = f denition of empty g empty Although the array and pointer implementation does not satisfy this axiom, there is no \real" problem (from the programmer's point of view) because it is not possible to distinguish pop(push(x ; empty)) from empty using the operations provided (i.e. empty, push, pop and top). The problem with the specication is that is that it requires two values to be identical when it is sucient for them to be indistinguishable (with respect to the operations provided). 2. The use of universal quantication is too strong. This can be seen for the array and pointer implementation by considering the fourth axiom and instantiating s with the \nonsense" value h?1 ; emptyarrayi. 8s: Stack ; x : Nat: isempty(push(x ; s)) = False ) 8x : Nat: isempty(push(x ; h?1 ; emptyarrayi)) = False = f denition of push g 8x : Nat: isempty(h0 ; emptyarray[?1 ]: = xi)) = False

12 Introduction 4 = f denition of isempty g 8x : Nat: (0 == 0 ) = False = f arithmetic, predicate calculus g false Again, the non-satisfaction of this axiom is not a \real" problem because \nonsense" values such as h?1 ; emptyarrayi cannot be constructed using the operations provided and so will never arise during the running of a program. The problem with the specication is that it requires a condition to hold for all values of type Stack when it is sucient for the condition to hold only for values that can be constructed using the operations provided. The solution to these problems adopted in ASL is to provide a \behavioural abstraction operator" which modies the meaning of a specication SP by allowing any implementation which is behaviourally equivalent to an implementation of SP. Wirsing and Broy's \ultraloose framework" [2,42] takes the alternative approach of trying to x the problems with equations and quantication directly. The language (which we shall call USL) used in this framework is closely related to ASL (it shares four of ASL's ve basic specication building operations.) It lacks ASL's behavioural abstraction operator but achieves a similar eect by allowing the use of slightly dierent notions of equality and quantication. The specication in gure 1.3 is a USL specication of a stack. There are two important dierences: 1. To avoid the above problems with universal quantication, the ultraloose specication uses \reachable quantication" (8 r ) which only ranges over the values which can be constructed using the available operations. 2. To avoid the above problems with equality, the ultraloose specication uses a congruence instead of equality. (Since congruences are not \built in" to the specication language as equality is, it is necessary to add the last eight axioms specifying the reexivity, symmetry, transitivity and substitutivity of.) Unlike ASL, USL has not been extensively studied. The major contribution of this thesis are answers to the following questions:

13 Introduction 5 enrich Nat by sign Stack : type empty:! Stack push: Nat Stack! Stack pop: Stack! Stack top: Stack! Nat isempty: Stack! Bool : Stack Stack! Bool axioms 8 r s: Stack ; x : Nat: top(push(x ; s)) = x 8 r s: Stack ; x : Nat: pop(push(x ; s)) s isempty(s) = True 8 r s: Stack ; x : Nat: isempty(push(x ; s)) = False 8s: Stack : s s 8s1 ; s2 : Stack : s1 s2, s2 s1 8s1 ; s2 ; s3 : Stack : s1 s2 ^ s2 s3 ) s1 s3 end empty empty 8s1 ; s2 : Stack ; x : Nat: s1 s2 ) push(x ; s1 ) push(x ; s2 ) 8s1 ; s2 : Stack : s1 s2 ) pop(s1 ) pop(s2 ) 8s1 ; s2 : Stack : s1 s2 ) top(s1 ) = top(s2 ) 8s1 ; s2 : Stack : s1 s2 ) isempty(s1 ) = isempty(s2 ) Figure 1.3: Stacks in USL Under what circumstances are USL specications behaviourally closed? We tackle this question by dening a transformation (the \ultraloose transformation") from ASL specications such as that in gure 1.1 to USL speci- cations such as that in gure 1.3 and identifying sucient conditions under which the transformed specication is behaviourally closed. There are two obvious ways of making the specication in gure 1.1 behaviourally closed: apply ASL's behavioural abstraction operation; or apply the ultraloose transformation mentioned above. Under what circumstances do these two approaches give the same result?

14 Introduction 6 For which approach is it easiest to prove properties of the resulting specications? Since the ASL specication is shorter than the corresponding USL specication, one might think that the ASL specication is simpler than the USL specication; but, Wirsing and Broy claim that the behavioural abstraction operator is \mathematically dicult" and that their approach avoids these diculties [42 paragraphs 4{5]. It is not immediately obvious which argument is correct. We tackle the question by comparing proofs for ASL and USL specications. Our interest in these results is twofold: they provide a basis on which to compare the approaches taken in ASL and in USL; and they provide useful results for use in proving properties of specications and of specication transformations. Related Work The notion of behavioural equivalence can be traced back to Hoare's paper \Proof of Correctness of Data Representation" [13] which uses abstraction functions to describe the relationship between two modules. The use of functions rather than relations resulted in an asymmetric relation that is, Hoare dened a behavioural ordering. Later work in the area of model-based formal program development (for example, [18,19]) generalised the abstraction function to a representation relation yielding an equivalence like that discussed in this thesis. Early work on axiomatic specications (in partciular, that of the inuential ADJ group [9 section 5.5]) adopted a notion of implementation like that of Hoare. This has been developed further by (amongst others) Ehrig et al. [4] and is discussed in detail by Wirsing in [41]. One of the earliest uses of behavioural equivalence in the semantics of a specication language is that of Sannella and Wirsing discussed earlier (notable previous moves in this direction are those of Giarratana et al. [7] and of Wand [39]). Making the use of behavioural equivalence by inclusion of the behavioural abstraction operator

15 Introduction 7 in ASL allowed Sannella and Wirsing to adopt a notion of implementation which was very much simpler than that of the ADJ group and Ehrig et al. (this is perhaps the major technical innovation in ASL). The ASL language has subsequently been rened in a series of papers including [27{30]. Instead of explicitly including the behavioural abstraction operator in the language, several workers [8,11,12,17,20] have dened notions of \behavioural satisfaction" of axioms. Roughly, a model behaviourally satises an axiom i there is a behaviourally equivalent model which satises (in the usual sense) that axiom. This approach (potentially) suers from a major problem: behavioural satisfaction leads to strange results if we allow arbitrary rst-order axioms. For example, under the usual semantics the specication in gure 1.4 would be inconsistent (unimplementable) because the second and third axioms conict but under a behavioural semantics based on this notion of behavioural satisfaction, this specication is consistent. (For example, the usual list-based implementation satises the rst two axioms directly and behaviourally satises the third axiom since the behaviourally equivalent array and pointer-based implementation satises the third axiom.) enrich Nat by sign Stack : type empty:! Stack push: Nat Stack! Stack pop: Stack! Stack top: Stack! Nat axioms 8s: Stack ; x : Nat: top(push(x ; s)) = x 8s: Stack ; x : Nat: pop(push(x ; s)) = s 8s: Stack ; x : Nat: pop(push(x ; s)) 6= s end Figure 1.4: Inconsistent Stacks in ASL To avoid this problem, this approach (severely) restricts the form of axioms allowed in specications to being conditional equations. That is, axioms must be of the form 8xs: s: l1 = r1 ^ : : : lm = rm ) l = r :

16 Introduction 8 An early attempt to avoid the need for a radically dierent semantics is that of Maibaum, Sadler and Veloso [14,15] who used a direct encoding of Hoare's abstraction function. At rst glance, their approach seems very complex since it uses innitary logic suggesting that it would be hard to carry out nite proofs. However, their use of innitary logic could have been replaced by use of the quantier 8 r used in gure 1.3 for which we need only structural induction. The importance of this work is that using essentially the same simple notion of implementation as in ASL and USL, this approach allows broadly the same implementations as under the more complex semantics of the ADJ group. (We shall not attempt to give a more precise characterisation of the semantics here.) Schoett's impossibility theorems [36,37] show that neither the usual language of rst order logic with equality (as used in gure 1.1) nor Wirsing and Broy's logic (with 8 r instead of 8) is powerful enough to precisely characterise a simple behaviourally closed class of algebras. This seems to suggest that something like ASL's behavioural abstraction operator is essential. However, as a corollary he showed that proving simple properties of modules using specications written using the behavioural abstraction operator can require innite proofs if one uses the proof technique suggested by Sannella and Tarlecki in [27]. This suggests that the goal of a simple behaviourally closed axiomatic specication language is unattainable. Most algebraic specication languages provide a way to control which sorts and operations are exported from a specication. We shall show that, for such languages, Wirsing and Broy's logic is powerful enough to precisely characterise the class of all stack-like algebras (this is a corollary to our discussion of the relation between ASL and USL in chapter 3). (Since 1977 it has been known that allowing operations to be \hidden" by not exporting them greatly increases the power of specication languages (see, for example, [16,17]) so our result is perhaps not overly surprising. Indeed, in [37 section 5 ] Schoett suggests that operation hiding may be one way of avoiding the problem but does not show how it could be done. Our contribution is to conrm that operation hiding can be used to solve the problem and to provide a systematic method for doing so.) Finally, it is worth remarking that Schoett's thesis [35] is the only work we know

17 Introduction 9 of which relates (any of) the above theoretical notions of behavioural equivalence to the modularisation facilities found in programming languages. Schoett introduces a concept he calls \stability (for behavioural equivalence)" (discussed further in chapter 5) and shows that if a programming language only provides \stable" modularisation facilities, then traditional Abstract Data Type theory is valid. That is, it is valid to replace an implementation of a module by any behaviourally equivalent module. Schoett is primarily concerned with programming languages and so his ideas do not directly apply to this thesis. Sannella and Tarlecki [32 section 6] discuss how the notion of stability can be applied to specication languages we give a brief outline in chapter 5. Organisation of this Thesis The remainder of this chapter discusses various pieces of notation used throughout this thesis. Specications in both ASL and USL denote a class of algebras. Chapter 2 denes both languages and a satisfaction relation between algebras and specications. This is used to dene the implementation and equivalence relations between specications. Chapter 3 denes the major tool used in exploring the semantics of USL specications: behavioural equivalence. Chapter 4 explores two of the main themes of this thesis: behavioural closure of USL specications and the relationship between USL and ASL. Having shown that the ASL and the USL approaches to behavioural closure have the same result, chapter 5 demonstrates an advantage of USL over ASL: it can be easier to prove that a USL specication satises a given axiom than to show that the corresponding ASL specication satises the same axiom. Chapter 6 concludes.

18 Introduction 10 Notation Our notation for the predicate calculus closely follows that of the Eindhoven School. That is: Logical Operators :, ^, _, ),, denote negation, conjunction, disjunction, implication and equivalence respectively as usual. ( pronounced \follows from," is dened by P ( Q def = Q ) P. In decreasing binding power we have :; ^ and _; ) and (; and,. Format of Proofs Many of our proofs have the shape P, f hint why P, Q g Q ) f hint why Q ) R g R. This is used as a shorthand for P, Q ^ Q ) R ^ : : :. Quantiers The general pattern for a quantied expression is (Q xs : P(xs) : F (xs)) with Q a quantier, xs a list of variables, P(xs) a predicate in terms of the variables (the range) and F (xs) the term of the quantication. (F (xs) should be dened for all xs that satisfy P(xs).) (For sets, the notation f x : P(x) : F (x) g is used as an abbreviation for ([x : P(x) : ff (x)g).) The following table gives a few examples in \conventional" notation and in the notation used in this report. [ i2i \ avxvb A i [ B i ([i : i 2 I : A i [ B i ) F (x) (\x : a v x v b : F (x))

19 Introduction 11 f y j 9x 2 dom(f ): f (x) = y g f x : x 2 dom(f ) : f (x) g One advantage of this notation that it eliminates any ambiguity as to which variables are being quantied over (as shown in the second example). In this thesis we make extensive use of the notion of the (downward) closure of a set. Denition 1.1 (closure) Let A be a set and : A $ A a reexive transitive relation on A. The downward closure of a subset A 0 of A with respect to (written Cl (A 0 )) is dened by Cl (A 0 ) def = fa; a 0 : a 2 A ^ a 0 2 A 0 ^ a a 0 : ag A subset A 0 of A is said to be downward closed with respect to if Cl (A 0 ) = A 0. In the common case that is an equivalence, we drop the word \downward" that is we refer to Cl (A 0 ) as \the closure of A 0 with respect to " and say that A 0 is \closed with respect to if Cl (A 0 ) = A 0." End Denition. Much of our other notation is taken from the Z specication language. (For example, the image of a set X under a function f is f (jx j) def = fx: x 2 X : f (x)g.) Other notation will be introduced as the need arises.

20 Chapter 2 The Semantics of ASL and USL This chapter denes the language and semantics of ASL and USL. Given the similarity between the two languages it is convenient to dene the semantics of the \union" of the the languages and dene ASL and USL as sublanguages. In both languages, the simplest and most fundamental form of specication consists of a signature (which names the types and operations dened by the specication) and a set of axioms. For example, spec sign Bool :type True; False :! Bool axioms True 6= False 8x : Bool : x = True _ x = False end The semantics of such specications is the class of algebras satisfying the axioms. Section 2.1 denes signatures, algebras, axioms and related concepts. Those familiar with the semantics of axiomatic specications will be able to skim everything except the denition of axioms. Section 2.2 denes the specication building operations used to construct large, structured specications from these components and denes the notion of implementation used in ASL and USL. Again, those familiar with ASL will be able to skim this section. Finally, section 2.3 denes the sublanguages corresponding to ASL and USL. 12

21 2.1. Signatures, Algebras and Axioms Signatures, Algebras and Axioms This section denes the mathematical structures used to dene two important aspects of ASL and USL: the syntax and the semantics. The syntactic aspects of ASL and USL are signatures (which name the types and functions in a specication), signature morphisms (functions between signatures), terms (expressions) and axioms. The semantics aspects of ASL and USL are algebras (which dene interpretations of the types and functions in a signature). Algebras are used to give a meaning to terms (by dening a notion of evaluation of a term) and to axioms (by dening a satisfaction relation between algebras and axioms) Signatures and Algebras In essence a signature is a set of symbols with an additional (monomorphic, rstorder) type structure. The denition of this \set with structure" is as follows. Denition 2.1 (signatures) A \signature" is a triple = ht ; F ; : F! [T ] T i where T and F are disjoint sets containing the \sort symbols" and the \function symbols" of respectively. 1 For f 2 F, the \type" of f in is (f ); and if (f ) = h[1 ; : : : m]; i, we write f : 1 m! in. We dene Tp(hT ; F ; i) def = T and Op(hT ; F ; i) def = F. We write Sign to denote the class of all signatures and write : Sign to indicate that is a signature. End Denition. 1 Our notation for lists is based on the functional programming language Haskell: [A] denotes the set of lists of A; [a1 ; : : :am] denotes the list of length m with elements a1, : : : am; as ++ bs denotes the concatenation of the lists as and bs; and ]as denotes the length of the list as.

22 The Semantics of ASL and USL 14 [Note: In the literature, F and are often replaced by a [T ] T -indexed set of function symbols which may be (and occasionally is) used to express \overloading" of function symbols. e.g. +: Nat Nat! Nat and +: Int Int! Int could appear in the same signature. Our denitions resemble those of Wirsing and Schoett: in [41], Wirsing denes a signature as a pair ht ; F i but leaves implicit; in [37], Schoett denes a signature as a pair ht ; i but leaves F implicit.] For example, the following is a typical signature for a stack. StackSig def = h fnat; Stack g; f0 ; succ; empty; push; pop; topg; 8 h[]; Nati; if f = 0 ; h[nat]; Nati; if f = succ; >< h[]; Stacki; if f = empty; f : h[nat; Stack ]; Stacki; if f = push; h[stack ]; Stacki; if f = pop; >: h[stack ]; Nati; if f = top. i This notation is a bit unwieldy and so we usually use the following more readable notation instead. StackSig def = sign Nat; Stack : type 0 :! Nat succ: Nat! Nat empty:! Stack push: Nat Stack! Stack pop: Stack! Stack top: Stack! Nat end Signature morphisms are functions between signatures which respect the type structure. Denition 2.2 (signature morphisms) Let = ht ; F ; i and 0 = ht 0 ; F 0 ; 0 i be signatures.

23 2.1. Signatures, Algebras and Axioms 15 A signature morphism from to 0 (written :! 0 ) is a function of type (T [ F )! (T 0 [ F 0 ) such that j T : T! T 0, j F : F! F 0 and, for each f : 1 m! in, (f ): (1 ) (m)! () in 0. 2 The signature is a subsignature of 0 (written 0 ) if T T 0, F F 0 and = 0 j F. A signature morphism :! 0 is said to be an inclusion (written :,! 0 ) if 0 and = id T[F. 3 Where is obvious from context and 0, we sometimes use the set T 0 [ F 0 to denote 0. End Denition. In essence an algebra is an abstraction of a program module: it is a function mapping symbols in a signature to their interpretation (either a set of values or a function). Algebras abstract away from details like the execution time or space of a function: this reects the emphasis of formal methods on correctness rather than eciency. Denition 2.3 (algebras) Let = ht ; F ; i be a signature. A -algebra A is a T [ F -indexed family such that for each 2 T, A is a set (the \carrier of ") and for each f : 1 m! in, A f is a (total) function of type A f : A 1 A m! A If A and B are -algebras, A is a subalgebra of B (written A B) if, for each sort 2 T, A B and, for each function symbol f : 1 m! in and each a1 2 A 1, : : : am 2 A m, A f (a1 ; : : : am) = B f (a1 ; : : : am). 2 The notation hj X 0 denotes the restriction of a function h: X! Y to a subset X 0 of its domain X. That is, hj X 0(x 0 ) def = h(x 0 ) for x 0 2 X 0. 3 The notation id X denotes the identity function over the set X dened by id X (x) def = x for x 2 X.

24 The class of all -algebras is denoted by Alg(). End Denition. The Semantics of ASL and USL 16 [Our denition of an algebra is essentially the same as that of Schoett [37]. Other authors such as Ehrig and Mahr [5] use two functions S A and OP A (respectively) to assign interpretations to sort and function symbols (respectively) instead of a single family A.] For example, the following is a StackSig-algebra called stack. stack Nat stack Stack stack 0 stack succ stack empty stack push stack pop stack top def = f0 ; 1 ; 2 ; : : :g def = [f0 ; 1 ; 2 ; : : :g] def = 0 def = x : x + 1 def = [ ] def = x ; s: [x ] ++ s def = s: if s = [ ] then [ ] else tail (s) def = s: if s = [ ] then 0 else head (s) This notation is a bit unwieldy and so we usually use the following more readable notation instead. stack def = h Nat = f0 ; 1 ; 2 ; : : :g Stack = [Nat] 0 = 0 succ(x ) = x + 1 empty = [ ] push(x ; s) = [x ] ++ s pop(s) = if s = [ ] then [ ] else tail (s) top(s) = if s = [ ] then 0 else head (s) i One of the most useful operations on an algebra is to compose it with a signature morphism and so rename, copy or hide some of the interpretations of the symbols in the algebra.

25 2.1. Signatures, Algebras and Axioms 17 Denition 2.4 (reducts) Let and 0 be signatures, : 0! a signature morphism and A a -algebra. The \-reduct of A" (written Aj ) is the 0 -algebra dened by Aj def = A. If is an inclusion, and B = Aj, A is an extension of B. End Denition. We note that if is an inclusion, then Aj is the algebra obtained by restricting the domain of A to the sort and function symbols named in 0 (hence the choice of notation). Where is obvious from context and an inclusion, we write Aj 0 instead of Aj. A homomorphism can be thought of as a \representation function" describing how values in one algebra may be represented by values in another algebra. Denition 2.5 (homomorphisms and isomorphisms) Let be a signature with sorts T and let A and B be -algebras. A total T -indexed function h : Aj T! Bj T is a -homomorphism if, for each f : 1 m! in and values a1 2 A 1, : : : am 2 A m, h (A f (a1 ; : : : am)) = B f (h 1(a1 ); : : : h m(am)) If h: A! B and h 0 : B! A are -homomorphisms such that h 0. h = id A and h. h 0 = id B then both h and h 0 are said to be -isomorphisms (written h: A = B or just A = B.) End Denition. [Notes: Since A is a family (i.e. a function), Aj T denotes the T -indexed set of \carriers" of the sorts T. Thus, a homomorphism relates the values in one algebra to the values in another.

26 The Semantics of ASL and USL 18 The condition h (A f (a1 ; : : : am)) = B f (h 1(a1 ); : : : h m(am)) is known as \the homomorphism condition."] The following result is standard (see, for example, [5 section 3.1]): Lemma 2.6 (bijectivity and uniqueness of isomorphisms) Let be a signature and A and B two -algebras. If h: A! B is a -isomorphism, then h is bijective; and there is exactly one - isomorphism h 0 : B! A such that h 0. h = id A and h. h 0 = id B. End Lemma. It is easily seen that reducts preserve isomorphisms (that is: A = B ) Aj = Bj ). It has been remarked (see, for example [28 section 5] that reducts need not reect isomorphisms (that is: Aj = Bj 6) A = B). Counterexample 2.7 (Aj 0 = Bj 0 6) A = B) Let def = sign Bool :type ; True; False :! Bool end, 0 def = sign Bool :type end and let the -algebras A and B be dened by A def = h Bool def = f0 ; 1 g i True def = 1 False def = 0 and B def = h Bool def = f0 ; 1 g i True def = 1 False def = 1 It is clear that Aj 0 = Bj 0 (since Aj 0 = Bj 0) but A 6 = B. Hence, Aj 0 = Bj 0 6) A = B End Counterexample.

27 Denition 2.8 (congruences and quotients) 2.1. Signatures, Algebras and Axioms 19 Let be a signature with sorts T, let A be a -algebra. If is a T -indexed equivalence over A (that is, for each 2 T, : A $ A is an equivalence) and, for each function symbol f : 1 m! in and elements a1 ; a1 0 2 A 1, : : : am; am 0 2 A m, a1 1 a1 0 ^ : : : am m am 0 ) A f (a1 ; : : : am) A f (a1 0 ; : : : am 0 ) then we say that is a -congruence over A. If is a -congruence relation over A, the quotient algebra A= is dened for each sort 2 T by 4 (A= ) def = fa: a 2 A : [[a]] g and for each function symbol f : 1 m! by (A= ) f ([[a1 ]] 1 ; : : : [[am]] m ) def = [[A f (a1 ; : : : am)]] End Denition. It is well known (see, for example, [5 section 3.13]) that there is a surjective homomorphism from an algebra A to any quotient of A. (This fact is used in the discussion of behavioural equivalence in chapter 3.) Lemma 2.9 (homomorphism to quotient algebras) Let be a signature with sorts T, A a -algebra, and a -congruence over A. def The T -indexed function [[ ]] dened for each 2 T by ([[ ]] ) = [[ ]] ( ) is a surjective -homomorphism from A to A=. Proof The homomorphism condition follows immediately from the denition of (A= ) f. Surjectivity of [[ ]] follows from the denition of (A= ). End Lemma. 4 For any equivalence relation : A $ A, the equivalence class [[a]] of an element a 2 A is the def set of all values equivalent to a. That is, [[a]] = fa 0 : a 0 2 A ^ a a 0 : a 0 g.

28 The Semantics of ASL and USL Terms, Derived Operators and Reachability This section denes terms, interpretations and derived operators. In essence, a (X )-term is an expression constructed using the function symbols in a signature and a set of variable symbols X. Throughout this thesis, we use X to denote an innite indexed set of variable symbols such that X and X 0 are disjoint if 6= 0. We say x has sort (written x: ) if x 2 X. Denition 2.10 (terms) Let be a signature with sorts T and X a T -indexed set of variables. The T -indexed set W ( ; X ) of nite -terms with variables X is the least T - indexed set (with respect to ) such that: 5 x 2 W ( ; X ) f (ts) 2 W ( ; X ) if x 2 X if s 2 [T ], f : s! and ts 2 W ( ; X ) s We say that t is a \(X )-term" (or just \-term") if t 2 W ( ; X ). The set of variables used in a term t (written vars(t)) is dened by vars(x) vars(f (t1 ; : : : tm)) def = fxg def = vars(t1 ) [ : : :vars(tm) We say that a term t is \ground" (or that t is a \ground term") if vars(t) = ;. The T -indexed set of variables used in a term t (written Vars(t)) is dened for each 2 T by Vars (t) def = X \ vars(t). We say that a -term t has sort (written t: ) if t 2 W ( ; X ). This is extended to lists and tuples of terms in the obvious way. That is, t1 ; : : : tm: 1 ; : : : m def = t1 : 1 ; : : : tm: m End Denition. 5 The notation [a1 ; : : :am] 2 A [i1 ;:::in] (where i1 ; : : :in 2 I and A is an I -indexed set) is an abbreviation for m = n ^ a1 2 A i1 ^ : : : am 2 A in.

29 2.1. Signatures, Algebras and Axioms 21 For example, empty(): Stack and top(push(x ; empty())): Nat. Where obvious from context, we drop the redundant \()" after constant operators. For example, we write empty and top(push(x ; empty)) for the above terms. Denition 2.11 (valuations and interpretation) Let be a signature with sorts T, A a -algebra. A valuation is any partial T -indexed function v: X +! A (it \assigns" values to variables). 6 For any set of variables x1 2 X 1, : : : xm 2 X m and values a1 2 A 1, : : : am 2 A m we write fx1 : = a1 ; : : : xm: = amg to denote the least valuation which, for each i 2 f1 ; : : : mg assigns the value ai to the variable xi. That is, for each i 2 f1 ; : : : mg, fx1 : = a1 ; : : : xm: = amg i(xi) def = ai Let t be a (X )-term and v: X +! A a valuation such that the value of v (x) is dened for each x 2 Vars(t) (and possibly undened otherwise). The value (or \interpretation") of t in A under v (written t A (v)) is inductively dened by: x A (v) f (t1 ; : : : tm) A (v) def = v(x) def = A f (t1 A (v); : : : tm A (v)) If vars(t) = ;, the value of t A (v) is independent of v and so we dene def t A = t A (fg) where fg denotes the completely undened valuation. To let us emphasize that a function v: X +! A is a valuation, we dene the set Val(A) to be the set of all partial T -indexed functions v: X +! A and the set Val(A; t) to be the set of all partial T -indexed functions v: X +! A such that v (x) is dened for each x 2 Vars(t). End Denition. 6 Partial functions are used to avoid the problem that, if any carrier of an algebra is empty, there is no total T -indexed function v: X! Aj T. This solution is based on that used by Schoett in [37].

30 The following property of homomorphisms is used in chapter 3: The Semantics of ASL and USL 22 Lemma 2.12 (representation of terms) Let be a signature with sorts T, X a T -indexed set of variables, A and B, - algebras and h: A! B a -homomorphism. Then, for any (X )-term t and v 2 Val(A; t) a valuation. Proof h(t A (v)) = t B (h. v) The proof is by induction over the structure of t. Base case (t def = x) h(x A (v )) = f denition of t A (v ) g h(v (x )) = f denition of composition g (h. v )(x ) = f denition of t B (v ) g x B (h. v ) Inductive step (t def = f (t1 ; : : : tm)) Assume that h(t1 A (v)) = t1 B (h. v), : : : h(tm A (v)) = tm B (h. v). h(f (t1 ; : : :tm) A (v )) = f denition of t A (v ) g h(a f (t1 A (v ); : : :tm A (v ))) = f homomorphism condition g B f (h(t1 A (v )); : : :h(tm A (v ))) = f ind. assumption: h(t1 A (v )) = t1 B (h. v ), : : : h(tm A (v )) = tm B (h. v ) g B f (t1 B (h. v ); : : :tm B (h. v )) = f denition of t B (v ) g f (t1 ; : : :tm) B (h. v ) So, h(x A (v)) = x B (h. v) and, if h(t1 A (v)) = t1 B (h. v), : : : h(tm A (v)) = tm B (h. v), then h(f (t1 ; : : : tm) A (v)) = f (t1 ; : : : tm) B (h. v). Thus, by the principle of structural induction, h(t A (v)) = t B (h. v).

31 2.1. Signatures, Algebras and Axioms 23 End Lemma. An element a 2 A is reachable if a can be constructed using the operations named in. That is, if for some t 2 W ( ; ;), t A = a. More generally, for some subsignature 0 of and subset T 0 of the sorts of, a is 0 (T 0 )-reachable if a can be constructed using the operations named in 0 and the values in Aj T 0. More formally, Denition 2.13 (reachability, reachable subalgebras) Let be a signature with sort symbols T, 0 a subsignature of, T 0 a subset of T and A a -algebra. Let X 0 be the T -indexed set of variables dened for each 2 T by ( X ; if 2 T 0 ; and X 0 def = ;; otherwise. For each sort symbol 2 T and value a 2 A, we say that a is 0 (T 0 )-reachable if R( 0 ; T 0 ; a) where R( 0 ; T 0 ; a) def = (9t ; v : t 2 W ( 0 ; X 0 ) ^ v 2 Val(A; t) : t A (v) = a) The 0 -algebra R( 0 ; T 0 ; A) is dened for each sort symbol 2 0 by R( 0 ; T 0 ; A) def = fa: a 2 A ^ R( 0 ; T 0 ; a): ag and for each function symbol f : 1 m! in 0 by R( 0 ; T 0 def ; A) f = (A f )j R( 0 ;T 0 ;A) 1 R( 0 ;T 0 ;A) m Let B be a -algebra and h: A! B a -homomorphism. The homomorphism R( 0 ; T 0 ; h): R( 0 ; T 0 ; A)! R( 0 ; T 0 ; B) is dened for each sort 2 T by R( 0 ; T 0 ; h) End Denition. def = hj R( 0 ;T 0 ;A)

32 The Semantics of ASL and USL 24 [In early work on algebraic specication (including, for example, [5 section 3.15]), the word \generated" or \term-generated" is used instead of \reachable." ] It is well known (see, for example, [5 proof of theorem 4.5,41 proof of fact ]) that there is an injective homomorphism to an algebra from any of its reachable subalgebras. (This fact is used in the discussion of behavioural equivalence in chapter 3.) Lemma 2.14 (homomorphism from reachable subalgebras) Let be a signature with sorts T, T 0 a subset of T, and A a -algebra. The T -indexed function h dened for each 2 T and a 2 R( ; T 0 ; A) is an injective -homomorphism from R( ; T 0 ; A) to A. by h (a) def = a Proof Since all elements of R( ; T 0 ; A) can be written in the form t A (v) where t 2 W ( ; X 0 ) and v 2 Val(A; t), it is straightforward to verify that the homomorphism condition holds. Injectivity follows immediately from the denition of h. End Lemma. The following property is less well known it is used in chapter 3 when establishing properties of behavioural equivalence. Lemma 2.15 (quotients of reachable subalgebras) Let be a signature with sorts T, 0 a subsignature of and T 0 a subset of T and A and B -algebras. If h: A! B and hj T 0 is surjective then R( 0 ; T 0 ; A)= = R( 0 ; T 0 ; B) where : Aj T $ Aj T is the -congruence dened for each sort 2 T and values a1 ; a2 2 A by a1 a2 def = h (a1 ) = h (a2 )

33 2.1. Signatures, Algebras and Axioms 25 Proof Let the T -indexed function g: R( 0 ; T 0 ; B)! R( 0 ; T 0 ; A)= be dened for each sort 2 T and ( 0 ; T 0 )-reachable value b 2 B by g (b) def = fa: h (a) = b: ag Then: 1. g is bijective. Since R( 0 ; T 0 ; h) is surjective, every equivalence class in R( 0 ; T 0 ; A)= corresponds to precisely one ( 0 ; T 0 )-reachable value in B. 2. g is a homomorphism. Since R( 0 ; T 0 ; h) is surjective, it suces to show that, for each function symbol f : 1 m! and ( 0 ; T 0 )-reachable values a1 ; : : : am 2 A 1;:::m g (B f (h 1 (a1 ); : : :h m (am))) = f h is a homomorphism g g (h (A f (a1 ; : : :am))) = f denition of g g fa: h (a) = h (A f (a1 ; : : :am)): ag = f denition of g fa: a A f (a1 ; : : : am): ag = f denition of [ ] g [A f (a1 ; : : : am) ] = f denition of R( 0 ; T 0 ; A) g [R( 0 ; T 0 ; A) f (a1 ; : : :am) ] = f [ ] is a homomorphism g R( 0 ; T 0 ; A)= f ( [a1 ] ; : : : [am ] m ) = f [a ] = g (h (a)) g R( 0 ; T 0 ; A)= f (g 1 (h 1 (a1 )); : : :g m (h m (am))) Since g is a bijective -homomorphism, we conclude that g is a -isomorphism. Hence result. End Lemma.

34 The Semantics of ASL and USL Formul and Axioms This section denes formul and axioms. -formul are just the standard formul of rst-order logic with the addition of equality over -terms (t1 = t2 ) and \reachable" quantication (8 0 T 0x: : P); -axioms are -formul with no free variables. Reachable quantication diers from normal quantication in that we only quantify over reachable values. Denition 2.16 (well formed formul, axioms and satisfaction) Let be a signature. The set WFF() of well-formed -formul is dened as the least set satisfying true 2 WFF ( ) t1 = t2 2 WFF ( ) if t1 ; t2 in W ( ; X ) :P 2 WFF ( ) if P 2 WFF ( ) P ^ Q 2 WFF ( ) if P 2 WFF ( ) and Q 2 WFF ( ) 8 0 T 0x: : P 2 WFF ( ) if P 2 WFF ( ), 0 and x 2 X 8x : : P 2 WFF ( ) if P 2 WFF ( ) and x 2 X The set of free variables in a well-formed -formula is dened as follows. (Note the use of free(p)? fxg in the last line which removes a variable x from the set of free variables when it is bound by a quantier.) free(true) = ; free(t1 = t2 ) = vars(t1 ) [ vars(t2 ) free(:p ) = free(p ) free(p ^ Q) = free(p ) [ free(q) free(8 0 T 0x : : P ) = free(p )? fxg free(8x : : P ) = free(p )? fxg The T -indexed set of free variables in a formula P (written Free(P)) is dened for each 2 T by Free (P) def = X \ free(p). We extend the notation for valuations by dening Val(A; P) to be the set of all partial T -indexed functions v: X +! A such that v (x) is dened for each x 2 Free(P).

35 2.1. Signatures, Algebras and Axioms 27 A well-formed -formula ax is a -axiom if free(ax) = ;. We write Axm() to denote the set of all -axioms. Let A be an algebra, P a well-formed -formula and v 2 Val(A; P) a valuation. The satisfaction of P by A with respect to v (written A j= v P) is dened by A j= v true A j= v t1 = t2 A j= v :P A j= v P ^ Q A j= v (8 0 def T 0x : : P ) A j= v (8x : : P ) def = true def = t1 A (v ) = t2 A (v ) def = :(A j= v P ) def = (A j= v P ) ^ (A j= v Q) = (8a : a 2 A ^ R( 0 ; T 0 ; a) : A j= vfx :=ag P ) def = (8a : a 2 A : A j= vfx :=ag P ) For any -algebra A and -axiom ax, A satises ax (written A j= ax) i A j= fg ax where fg denotes the completely undened valuation. Also, for any set Ax of - axioms, we write A j= Ax as an abbreviation for (8ax: ax 2 Ax: A j= ax). End Denition. Our denition of reachable quantication is based on that of Schoett [36,37]. It diers in that we make the signature 0 and set of sorts T 0 explicit whereas Schoett requires 0 = and makes the set T 0 implicit in what he calls an \observational signature." The use of reachable quantication in the algebraic literature can be traced (at least) as far back as Maibaum et al. [14,15] and Poigne [21]. All these early works use reachable quantication for the same purpose as model-based specications use invariants: to restrict the domain of concern to those values which the specier expects programs to encounter during execution that is, the reachable values. Wirsing and Broy [42] dene a family of predicates 2 0 for each (non-empty) subsignature 0 of and each sort 2 Tp() with semantics A j= v t 2 0 def = R( 0 ; ;; t A (v))

36 The Semantics of ASL and USL 28 which they use to dene a less general form of reachable quantication (restricted to the case that T 0 = ;) by 8 0 x: : P def = 8x: : x 2 0 ) P We could remove 8x: : P from the denition of WFF() since it can be dened as follows: 8x : : P def = 8 ; fgx : : P We dene the abbreviations 6=, _, ),,, : : : in the usual manner. For example, we have: t1 6= t2 P _ Q P ) Q P, Q 9x : : P 9 0 def T 0x: : P t 2 0 (T 0 ) def = :(t1 = t2 ) def = :((:P ) ^ (:Q)) def = (:P ) _ Q def = (P ) Q) ^ (Q ) P ) def = :8x : : :P = :8 0 T 0x: : :P def = (9 0 T 0y: : y = t) It is well known that rst-order logic cannot distinguish reachable and unreachable models of the natural numbers (see, for example, [3 corollary 2.1.7]) whereas the axiom can. f0 ;succg 8x: Nat : 9; y: Nat : x = Nat y Therefore, the addition of reachable quantication increases the expressive power of rst-order logic. 2.2 Specications This section denes the semantics of the languages ASL and USL and presents some examples of their use. The bulk of this work lies in the denition of some \specication building operations" which are used to construct complex specications out of simple specications.

37 2.2. Specications 29 One important point to note about ASL and USL is that if an axiom holds in an ASL/USL specication, then it must hold in all implementations of that specication. For example, all implementations of the specication Bool in the introduction to this chapter will satisfy the axiom 8x: Bool : x = True _ x = False and so will have at most two elements in the sort Bool. ASL and USL are unusual in this respect in that the semantics of many alternative specication languages allow implementations which do not literally satisfy the axioms as long as the user of such an implementation could not tell that the axiom was broken. For example, the notion of implementation proposed by ADJ [9 section 5.5] is based on the relationship meaning \isomorphic to a subalgebra of". Under this notion of implementation, it would be possible for an implementation of the speci- cation Bool to have three elements in the sort Bool since such an implementation would have models which are isomorphic to a subalgebra of a model of Bool Specication Building Operations Many papers have been written about ASL (see, for example, [27{30,32{34,40,41]); each dening a slightly dierent set of specication building operations. Rather than list all operations ever dened for ASL, we shall consider only those operations which appear in all denitions of ASL. That is, we consider the following ve specication building operations: The simplest form of specication consists of a signature and set of axioms. Such specications are known as \at" specications. Just as reducts are used to hide, rename or copy objects in an algebra, so the specication building operation \derive" is used to hide, rename or copy objects in a specication.