Ecole Normale Supérieure de Cachan 61, avenue du Président Wilson Cachan Cedex France

Transcription

1 R. Hennicker and M. Bidoit Observational Logic Research Report LSV 98 6, June 1998 Ecole Normale Supérieure de Cachan 61, avenue du Président Wilson Cachan Cedex France

2 Observational Logic Rolf Hennicker*, Michel Bidoit** *Institut für Informatik, Ludwig-Maximilians-Universität München Oettingenstr. 67, D München, GERMANY **Laboratoire Specification et Verification, CNRS & Ecole Normale Supérieure de Cachan 61, Avenue du President Wilson, Cachan Cedex, FRANCE Abstract. We present an institution of observational logic which generalizes earlier approaches to observational systems specification in various ways. First, we introduce a notion of an observational signature which incorporates the declaration of a distinguished set of observers. Then, we define observational algebras whose operations are required to be compatible with the indistinguishability relation determined by the observers of an observational signature. In particular, we introduce a homomorphism concept for observational algebras which adequately expresses observational relationships between algebras. Then we consider a flexible notion of observational signature morphism which guarantees the satisfaction condition of institutions w.r.t. observational satisfaction for arbitrary first-order sentences. From the proof theoretical point of view we construct a sound and complete proof system for the observational consequence relation. Then we consider structured observational specifications (which, in contrast to previous approaches of the authors, have a built in observational semantics) and we provide a sound and complete proof system for such specifications by using a general, institution independent result of [B 98]. 1 Introduction In this paper we study a logical framework for the specification of the observable behaviour of software systems which is particularly suited for state based systems but may also be used for specifying infinite data and behavioural properties of abstract data types. Formally, we introduce an institution of observational logic and we study proof methods for first-order observational properties of structured specifications built over this institution. Although our approach is novel, it is influenced by previous behavioural approaches, in particular of [BHW 95], [P 96], [GM 97], [R 95] and [JR 97]. The important difference to [BHW 95] is that in the present approach we use a built in observational semantics which previously led to problems w.r.t. the encapsulation of observational properties of parts of a system specification (cf. [BB 91], [HN 93]). In the hidden sorted algebra approach (cf. e.g. [GM 97]) encapsulation is achieved at the cost of a rather restrictive notion of signature morphism (see the discussion in Section 5). Another popular formalism which deals with a state based view of systems is provided in the framework of coalgebras (cf. e.g. [R 95], [JR 97]). These approaches, however, have problems to deal with n-ary operations working on several non observable (hidden) argument sorts which frequently occurs in practice (see also Section 5). Moreover, coalgebraic approaches are based on terminal semantics while we are interested in a loose semantics in order to achieve sufficient freedom for the choice of implementations. The starting point of our approach is a methodological consideration: A well-known method for specifying abstract data types (or, more concretely, for writing functional programs) is to determine first a set of constructor symbols which describe how the 1

3 elements of the data type are constructed and then to define functions which can be applied to the data (usually by case distinction over the given constructors). An analogous method can be used for specifying state based systems. First, a set of observer symbols is declared which determines an indistinguishability relation (also called observational equality) for the non observable elements (i.e. for the states). Then the operations are specified, usually by describing their effects w.r.t. the given observers. Formally, these considerations lead to our notion of an observational signature which contains a distinguished set of observer symbols. A similar idea was presented in [P 96] (and recently in [DF 98]). 1 Based on the notion of an observational signature we define observational algebras as those structures whose operations are compatible with the observational equality (determined by the observers of the signature). In this way we obtain, in Section 3, a category of observational algebras with a notion of observational homomorphism that is suited to express observational relationships between algebras. Moreover, we establish a full and faithful functor from the category of observational algebras to the category of standard algebras which is compatible with the observational satisfaction relation defined in Section 4. In Section 5, we introduce the institution of observational logic. It turns out that our general notion of an observer (used in observational signatures) allows us to define a powerful notion of observational signature morphism which guarantees, nevertheless, that the (observational) satisfaction condition of the institution is valid. Then, in Section 6, we define a sound and complete proof system for observational logic. The results obtained so far allow us, first, to apply a generic construction of structured specifications over an arbitrary institution (cf. [ST 88]) thus obtaining a basic language of structured observational specifications. Secondly, we can also apply a generic construction of a sound and complete proof system for structured specifications (cf. [B 98]) which leads to a corresponding proof system for structured observational specifications. For this purpose we check that observational logic has pushouts and amalgamations and satisfies the interpolation property. 2 Algebraic Preliminaries We assume the reader to be familiar with the basic notions of algebraic specifications (cf. e.g. [LEW 96]), like the notions of (many sorted) signature Σ = (S, OP) with a set S of sorts and a set OP of operation symbols op: s 1,,s n s, total Σ-algebra A = ((A s ) s S, (f A ) f F ), Σ-term algebra T(Σ, X), valuation α : X A and interpretation I α : T(Σ, X) A. Throughout this paper we assume that the carrier sets A s of a Σ-algebra are not empty and that X = (X s ) s S is a family of countably infinite sets X s of variables of sort s S. A Σ-congruence on a Σ-algebra A is (as usual) a family A = ( A,s ) s S of equivalence relations A,s on A s compatible with the operations of Σ. The class of all Σ-algebras is denoted by Alg(Σ). Together with Σ-homomorphisms this class forms a category, for simplicity also denoted by Alg(Σ). A signature morphism σ: Σ Σ between two signatures Σ = (S, OP) and Σ = (S, OP ) is a pair (σ sorts, σ opns ) of mappings σ sorts : S S, σ opns : OP OP such that for all (op: s 1,,s n s) OP, σ opns (op) has the functionality σ sorts (s 1 ),,σ sorts (s n ) σ sorts (s). In the following we omit the indices of σ. 1 Indeed our notion of an "observer" is a generalization of an "action" in the sense of [P 96]. 2

4 For any signature morphism σ: Σ Σ the reduct functor _ σ : Alg(Σ ) Alg(Σ) is defined as usual, i.e. for any Σ -algebra A, its reduct A σ is defined by (A σ ) s = def A σ(s) for all s S and op A σ = def σ(op) A for all op OP. The reduct of a relation ϕ A x B w.r.t. σ: Σ Σ is denoted by ϕ σ where ϕ σ A σ x B σ is defined by (ϕ σ ) s = def ϕ σ(s) for all s S. The set of first-order Σ-formulas is defined as usual from equations t = r (with t, r T(Σ, X)), the logical connectives,... and the quantifiers,. We will also use infinitary Σ-formulas of ^, the form φ i or φ i where φ i is a countable set of Σ-formulas. A finitary Σ-formula is a Σ-formula which i I i I contains no infinitary disjunction (conjunction resp.). A Σ-sentence is a Σ-formula which contains no free variables. The (standard) satisfaction of a Σ-formula φ by a Σ-algebra A, denoted by A = φ, is defined as usual in the first-order predicate calculus (with a straightforward extension to infinitary conjunctions and disjunctions, cf. e.g. [K 71]). The notation A = φ is extended in the usual way to classes of algebras and sets of formulas. A Σ-sentence φ is a semantic consequence of a set Φ of Σ-sentences, also denoted by Φ = φ, if for any Σ-algebra A with A = Φ we have A = φ. 3 The Category of Observational Algebras An observational signature is a generalization of a standard algebraic signature with a distinguished set of observable sorts (determining the carrier sets of the observable values) and with a distinguished set of observer operations (determining the experiments that can be used to distinguish non observable elements, often called "states"). An n-ary operation op: s 1,, s n s with several non observable argument sorts may also be used as an observer. In this case op is equipped with a "position number" 1 i n which indicates the argument sort of the states to be observed by op. For instance, if op: s 1, s 2 s is a binary operation then we can declare either (op, 1) or (op, 2) or both, (op, 1) and (op, 2), as observer thus obtaining as much flexibility as needed in practical examples. Definition 3.1 (Observational signature) Let Σ = (S, OP) be a signature and S Obs S be a set of observable sorts. An observer is a pair (op, i) where (op: s 1,, s n s) OP is an operation symbol such that 1 i n and s i S Obs. (op, i) is a direct observer of s i if s S Obs ; otherwise it is an indirect observer. If op: s 1 s is a unary observer we will simply write op instead of (op, 1). An observational signature Σ Obs = (Σ, S Obs, OP Obs ) consists of a signature Σ = (S, OP), a set S Obs S of observable sorts and a set OP Obs of observers (op, i) with op OP. Convention We implicitly assume in the following (if not stated otherwise) that whenever we consider an observational signature Σ Obs, then Σ Obs = (Σ, S Obs, OP Obs ) with Σ = (S, OP) and similarly for Σ Obs etc. Example 3.2 The following is a simple observational signature for bank accounts with observer "bal" determining the balance of an account. Here and in the following examples we use postfix notation for unary operations and infix notation for binary operations. sorts {account, int} observable sorts {int} observers { _.bal: account int} operations {new: account, _.change_ : account, int account} 3

5 A more advanced signature for bank accounts may be obtained by introducing also an indirect observer "_.redo: account account" intended to reconstruct the previous state of an account after having performed an action. Any observational signature determines a set of observable contexts which represent those experiments which allow us to distinguish elements by the given observers. In the above example the only observable context is "z account.bal". If we additionally use the indirect observer "redo" then there are infinitely many observable contexts of the form "z account.redo.redo.bal". Definition 3.3 (Σ Obs -context) Let Σ Obs be an observational signature, let X = (X s ) s S be the generally assumed family of countably infinite sets X s of variables of sort s and let Z = ({z s }) s S be a disjoint S-sorted family of singleton sets. For all s, s S the set C(Σ Obs ) s s of Σ Obs -contexts with "application sort" s and "result sort" s is inductively defined as follows: (1) For each s S, z s C(Σ Obs ) s s. (2) For each (op, i) OP Obs with op: s 1,, s n s, for each c C(Σ Obs ) s si and pairwise disjoint variables x 1,, x n of sort s 1,, s n not occurring in c, op(x 1,, x i-1, c, x i+1,, x n ) C(Σ Obs ) s s. Each context c C(Σ Obs ) s s contains, besides variables in X, exactly one occurrence of the "context variable" z s and this is the only variable of Z occurring in c. The application of a context c C(Σ Obs ) s s to a term t of sort s, denoted by c[t], is the term obtained by substituting the term t for z s. An observable Σ Obs -context is a Σ Obs -context with observable result sort s S Obs. We denote by C(Σ Obs ) s SObs the set of observable contexts with application sort s. Elements which cannot be distinguished by the experiments of an observational signature are considered to be observationally equal. Formally, this is expressed as follows. Definition 3.4 (Σ Obs -equality) Let Σ Obs be an observational signature. For any Σ- algebra A Alg(Σ) the observational Σ Obs -equality on A is denoted by Σ Obs,A and defined by: For all s S, two elements a, b A s are observationally equal w.r.t. Σ Obs, i.e. a Σ Obs,A b, if and only if for all observable contexts c C(Σ Obs) s SObs and for all valuations α, β: X {z s } A with α(x) = β(x) if x X, α(z s ) = a, β(z s ) = b, we have I α (c) = I β (c). Obviously, if s is an observable sort, then for all a, b A, a Σ Obs,A b is equivalent to a = b (since for any observable sort s, the context variable z s is a (trivial) observable context). For any Σ-algebra A, Σ Obs,A is an equivalence relation on A but, in general, not a Σ- congruence on A. Let us illustrate this by an example. 4

6 Example 3.5 Consider the following algebra over the signature of bank accounts with observer "bal": A account = INT x INT, new A = (0,0), (n,m).bal A = n, (n,m).change A (x) = (n+m+x,m). Obviously, the operation change A is not compatible with the observational equality determined by bal A since, for any x INT, change A (x) may transform indistinguishable states like e.g. (4,5) and (4,6) into distinguishable states (9+x,5) and (10+x,6). Of course, an "observationally correct" definition of change A would be given by (n,m).change A (x) = (n+x,m). In this paper we follow the loose semantics approach to algebraic specifications where a specification can be considered as a description of all admissible implementations (represented by the models of the specification). The basic assumption of the present approach is that, having given a set of observers, an implementation can only be admissible if it respects the observational equality determined by the observers. Formally, this is expressed by the following notion of an observational algebra. Definition 3.6 (Observational algebra) Let Σ Obs be an observational signature. An observational Σ Obs -algebra is a Σ-algebra A such that Σ Obs,A is a Σ-congruence on A.2 The class of all observational Σ Obs -algebras is denoted by Alg Obs (Σ Obs ). Remark 3.7 (1) Let us consider the following special case of a Σ Obs -equality. Assume given a signature Σ = (S, OP) and a set S Obs S of observable sorts. Then we can choose each (non constant) operation symbol op OP as an observer for any non observable argument sort of op, i.e. OP Obs = def {(op, i) (op: s 1,, s n s) OP, 1 i n and s i S Obs }. We denote the resulting observational signature simply by (Σ, S Obs ) (because in this case the set of observers OP Obs is uniquely determined by Σ). For any Σ-algebra A, the observational equality induced by (Σ, S Obs ) will be denoted by S Obs,A. Obviously, this observational equality is a Σ-congruence on A. Hence in this case any Σ-algebra is an observational algebra. In particular, S Obs,A coincides with the (total) observational equality of elements defined in [BHW 95] and similarly in other approaches in the literature like, for instance, in [R 87], [GM 97]. (2) Let us now point out the relationship to the coalgebraic framework (cf. e.g. [R 95], [JR 97]). For this purpose assume that Σ Obs = (Σ, S Obs, OP Obs ) is an observational signature such that for any observer (op, i) OP Obs the operation symbol op: s 1,, s n s has exactly one non observable argument sort and this is the sort s i. Moreover, assume that any observable sort s S Obs is interpreted in any observational Σ Obs -algebra by the same fixed set of observable values (e.g. integers, booleans etc.). Then a (polynomial) functor T: Set Set can be associated to OP Obs which captures the functionality of the observer symbols. 3 Any observational Σ Obs -algebra A is an extension of a T-coalgebra C which has the same carrier sets as C and defines the non observer operations op OP\OP Obs on top of C. The fact that the extension A is an observational algebra is equivalent to the fact that each operation of OP preserves bisimilarity of elements (cf. e.g. [JR 97]). 2 Obviously, for this it is sufficient that all non observer operations are compatible with Σ Obs,A. 3 If there is more than one non observable sort in S\SObs then a set of functors has to be associated to Σ Obs. 5

7 The following lemma is a direct consequence of Lemma 15 in [BH 94]. Lemma 3.8 Let Σ Obs be an observational signature. For any Σ-algebra A Alg(Σ), A Alg Obs (Σ Obs ) if and only if Σ Obs,A coincides with the observational equality SObs,A (cf. Remark 3.7 (1) above). In order to obtain a category of observational algebras we still need an appropriate morphism notion. Of course, since any observational algebra is a Σ-algebra, one could simply use standard homomorphisms between Σ-algebras. But this does not reflect any relationships between the observable behaviour of algebras. Therefore, we have chosen another definition where an observational homomorphism is defined as a relation which is compatible with observational behaviours (cf. Theorem 3.13, Corollary 3.14). Moreover, we will also see that the associated isomorphism notion allows us to extend Scott s theorem to observational algebras and observational satisfaction (cf. Corollary 4.5). Definition 3.9 (Observational homomorphism) Let A, B Alg Obs (Σ Obs ) be two observational Σ Obs -algebras. An observational Σ Obs -homomorphism ϕ: A B is an S- sorted family (ϕ s ) s S of relations ϕ s A s x B s with the following properties for all s S: (1) For all a A s there exists b B s such that a ϕ s b. (2) For all a A s, b, b B s, if a ϕ s b then (a ϕ s b if and only if b Σ Obs,B b ). (3) For all a, a A s, b B s, if a ϕ s b and a Σ Obs,A a then a ϕ s b. (4) For all (op: s 1,, s n s) OP and a i A si, b i B si, if a i ϕ si b i for i = 1,, n then op A (a 1,, a n ) ϕ s op B (b 1,, b n ). Remark 3.10 (1) Let Σ Obs be an observational signature such that S Obs = S, i.e. all sorts are observable. Then each Σ-algebra A is an observational algebra and Σ Obs,A is the set-theoretic equality of elements. Hence for any two Σ-algebras A and B, ϕ: A B is an observational homomorphism if and only if ϕ is a (standard) Σ-homomorphism. For arbitrary observational signatures Σ Obs any standard homorphism h: A B induces also an observational homomorphism ϕ h : A B defined by ϕ h = def {(a, b) a Σ Obs,A a, h(a ) = b and b Σ Obs,A b for some a A, b B}. (2) For any two observational Σ Obs -algebras A and B, ϕ: A B is an observational homomorphism if and only if ϕ is representable by a span g: C A, h: C B (cf. [BT 95]) in the category of Σ-algebras such that g is surjective, h(c) is closed under Σ Obs,B, Ker(π B o h) = Ker(g) and Ker(π A o g) Ker(h) where π A : A A/ Σ Obs,A and π B: B B/ Σ Obs,B are the canonical epimorphisms. Theorem 3.11 (The category of observational algebras) For each observational signature Σ Obs, the class Alg Obs (Σ Obs ) together with the observational Σ Obs -homomorphisms is a category which, by abuse of notation, will also be denoted by Alg Obs (Σ Obs ). 6

8 Thereby the composition of observational homomorphisms is the usual composition of relations, i.e. for any two observational Σ Obs -homomorphisms ϕ: A B and ψ: B C, the composition ψ o ϕ is the family (ψ s o ϕ s ) s S where ψ s o ϕ s = def {(a, c) a A s, c C s, there exists b Β s with a ϕ s b and b ψ s c}. For each observational Σ Obs -algebra A, the identity id A : A A in the category Alg Obs (Σ Obs ) is the observational equality Σ Obs,A. (For the proof see Appendix.) For any observational Σ Obs -algebra A the observational equality Σ Obs,A is a Σ- congruence. Hence we can construct the quotient algebra A/ Σ Obs,A which identifies all elements of A which are "indistinguishable" by the experiments built with the observers of Σ Obs. A/ Σ Obs,A can be considered as the "black box view" of A thus representing the "observable behaviour" of A w.r.t. Σ Obs. Using this behaviour construction one can relate, for any observational signature Σ Obs, the category Alg Obs (Σ Obs ) and the category Alg(Σ) of Σ-algebras by a functor which associates to any observational algebra its observational behaviour. For morphisms this functor establishes even a one to one correspondence between observational homomorphisms ϕ: A B and standard homomorphisms h: A/ Σ Obs,A B/ ΣObs,B between the observable behaviours of A and B, i.e. the functor is full and faithful. Definition 3.12 (Behaviour functor) For any observational signature Σ Obs, F Σ Obs : Alg Obs(Σ Obs ) Alg(Σ) is defined by: For each A Alg Obs (Σ Obs ), F Σ Obs (A) = def A/ Σ Obs,A, for each observational Σ Obs -homomorphism ϕ: A B, F Σ Obs (ϕ): A/ ΣObs,A B/ ΣObs,B is defined by F ΣObs (ϕ)([a]) = def [b] if a ϕ b. For each A Alg Obs (Σ Obs ), F Σ Obs (A) is called the observational behaviour of A. Theorem 3.13 For any observational signature Σ Obs, F Σ Obs : Alg Obs(Σ Obs ) Alg(Σ) is a full and faithful functor. (For the proof see Appendix.) As a useful application of Theorem 3.13 which also points out the adequacy of our morphism notion for observational algebras we obtain that two observational algebras are observationally isomorphic if and only if they have isomorphic behaviours. The proof of this fact is standard since F Σ Obs is full and faithful. Corollary 3.14 (Observational isomorphism) Let A, B Alg Obs (Σ Obs ) be two observational Σ Obs -algebras. There exists an observational Σ Obs -isomorphism ϕ: A B if and only if F Σ Obs (A) and F ΣObs (B) are isomorphic Σ-algebras. 7

9 Remark 3.15 (1) According to Corollary 3.14 two observationally isomorphic algebras can be considered to be observationally equivalent since they have the same observable behaviour (up to standard isomorphism). In the literature explicit definitions of observational equivalences of algebras have been studied, for instance, in [R 87]. As a consequence of a result in [BHW 95] 4 these equivalence notions coincide with our notion of observational isomorphism for observational algebras. (2) In [Sch 90] a characterization of observational equivalence of algebras was given by means of correspondence relations. Indeed any observational isomorphism (being the identity on observable sorts) is a strong V-correspondence in the sense of [Sch 90] and, conversely, the closure of a strong V-correspondence under observational equality of elements is an observational isomorphism. (3) A similar relationship holds between observational isomorphisms and bisimulations of the coalgebraic framework if we assume the conditions described in Remark 3.7 (2). In particular, an observational isomorphism between two observational algebras A1 and A2 (being the identity on observable sorts) is just the greatest bisimulation between the underlying coalgebras C1 and C2; cf. Remark 3.7 (2). Analogously to the notion of an abstract data type in [LEW 96] abstract behaviour types are defined as follows. Definition 3.16 A class C Alg Obs (Σ Obs ) which is closed under observational Σ Obs -isomorphism is called an abstract behaviour type. 4 Observational Satisfaction The underlying idea of the observational satisfaction relation is to interpret the equality symbol "=" occurring in a first-order formula φ not by the set-theoretic equality but by the observational equality of elements. Hence the following definition is quite similar to the definition of the standard satisfaction relation. The only difference concerns (1) where "I α (t) = I α (r)" is replaced by "I α (t) Σ Obs,A I α(r)". Definition 4.1 (Observational satisfaction relation) The observational satisfaction relation between observational Σ Obs -algebras and Σ-formulas is denoted by = Σ Obs and defined as follows: Let A Alg Obs (Σ Obs ). (1) For any two terms t, r T(Σ, X) s of the same sort s and for any valuation α: X A, A, α = Σ Obs t = r holds if I α(t) Σ Obs,A I α(r). (2) For any arbitrary Σ-formula φ and for any valuation α: X A, A, α = Σ Obs φ is defined by induction over the structure of the formula φ in the usual way. (3) For any arbitrary Σ-formula φ, A = Σ Obs φ holds if for all valuations α: X A, A, α = Σ Obs φ holds. 4 It is shown in [BHW 95] that observational equivalences of algebras are factorizable by observational equalities (of elements). 8

10 The notation A = Σ Obs φ is extended in the usual way to classes of observational algebras and sets of formulas. Remark 4.2 Technically the observational satisfaction relation could be defined in the same way for arbitrary Σ-algebras which do not necessarilly belong to Alg Obs (Σ Obs ). But then the observational satisfaction of equations may not be compatible with (some) operations of the signature, i.e. A = Σ Obs t = r may not imply A = ΣObs op(t) = op(r) for some operation op. Obviously this cannot happen in our approach. In [DF 98] this problem is tackled by restricting the set of formulas for which the observational satisfaction relation is defined. But then it is not possible to study obervational properties which involve non observer operations. 5 Definition 4.3 (Observational consequence) A Σ-sentence φ is an observational consequence of a set Φ of Σ-sentences, also denoted by Φ = Σ Obs φ, if for any observational Σ Obs -algebra A, A = Σ Obs Φ implies A = ΣObs φ. The next proposition shows that the behaviour functor defined in Theorem 3.13 is compatible with the observational and the standard satisfaction relations. Proposition 4.4 For any A Alg Obs (Σ Obs ) and any Σ-formula φ, A = Σ Obs φ if and only if F ΣObs (Α) = φ. Proof: Follows from Theorem 3.11 of [BHW 95] and from the fact that for observational algebras A, Σ Obs,A coincides with SObs,A (cf. Lemma 3.8). As a consequence of Corollary 3.14 and Proposition 4.4 we can generalize Scott s theorem (cf. e.g. [K 71]) to observational algebras and observational satisfaction (taking into account that Σ-formulas may be infinitary; cf. Section 2). 6 Corollary 4.5 (Observational version of Scott s theorem) Let A, B Alg Obs (Σ Obs ) be two observational Σ Obs -algebras such that F Σ Obs (Α) and F Σ Obs (Β) are countable. The following conditions are equivalent: (1) There exists an observational Σ Obs -isomorphism ϕ: A B. (2) For all (possibly infinitary) Σ-formulas φ, A = Σ Obs φ if and only if B = ΣObs φ. Proof: (1) (2): Is a direct consequence of Corollary 3.14 and Proposition In [DF 98] some hints are given that one may still extend the observational satisfaction relation to arbitrary sentences. However, then the congruence rule of the equational calculus is only sound if one can prove that all operations of a specification are "behaviourally coherent" which in our terminology would mean that all models of the specification are indeed observational algebras. 6 It may be interesting to note that this generalization relies only on the fact that the functor F Σ Obs is full and faithful and compatible with the satisfaction relations of the involved categories. Hence analogous generalizations of Scott s theorem can always be achieved if these assumptions are satisfied. 9

11 (2) (1): Assume (2). Then, by Proposition 4.4, for all Σ-formulas φ, F Σ Obs (Α) = φ iff F Σ Obs (Β) = φ. Since F ΣObs (Α) and F ΣObs (Β) are countable we can now apply Scott s theorem (cf. [K 71]) and obtain that F Σ Obs (Α) and F ΣObs (Β) are isomorphic Σ-algebras. Then we obtain (1) by applying Corollary The above characterization of observationally isomorphic algebras underlines the adequacy of our observational homomorphism notion. A related result, but formulated in terms of observational equivalence of algebras instead of observational isomorphism, was given in [BHW 95]. We are now able to define the syntax and semantics of flat observational specifications. Structured specifications will be considered in Section 7. Definition 4.6 (Flat observational specification) A flat observational specification SP = Σ Obs, Ax consists of an observational signature Σ Obs = (Σ, S Obs, OP Obs ) and a set Ax of Σ-sentences, called the axioms of SP. The semantics of SP is given by its signature Sig Obs (SP) and by its class of models Mod Obs (SP) which are defined by Sig Obs (SP) = def Σ Obs, Mod Obs (SP) = def {A Alg Obs (Σ Obs ) A = Σ Obs Ax}. For any observational specification SP, the class Mod Obs (SP) is closed under observational isomorphisms. Remark 4.7 If we consider the special case where all operation symbols are used as observers (cf. Remark 3.7(1)) then our semantical definition coincides with the one in [BHW 95] (for total observational equalities). Moreover, if we assume given a fixed universe of observable data and if we restrict to equational axioms then the model class of a flat observational specification coincides with the model class of a hidden specification as defined in [GM 97]. Example 4.8 The following specification of bank accounts has additionally to the account operations of Example 3.2 an operation "paycharge" which reduces the balance of an account by a constant monthly fee. spec ACCOUNT = sorts {account, int} observable sorts {int} observers { _.bal: account int, _.redo_ : account account} operations "operations for the integers" {new: account, _.change_ : account, int account, _.paycharge_ : account account} 10

12 axioms "axioms for the integers" 7 { x: int, s: account. new.bal = 0, new.redo = new, s.change(x).bal = s.bal+x, s.change(x).redo = s, s.paycharge.bal = s.bal-10, s.paycharge.redo = s} A possible model of the specification ACCOUNT which satisfies the axioms even literally can be defined in terms of lists of integers. Another model which satisfies the axioms observationally (but not literally) can be constructed by using the well-known array with pointer realization of lists. (Note that in this example all algebras which satisfy (observationally) the axioms are already observational algebras. In general this is obviously not true, for instance, if an operation is specified very loosely.) 5 The Institution of Observational Logic The category of observational algebras is the basis for defining an institution of observational logic which captures the model-theoretic view of the observable behaviour of systems. For the underlying notions of institutions we refer, for instance, to [ST 88]. An essential ingredient which, up to now, is still missing is an appropriate morphism notion for observational signatures. In the following definition we utilize again the flexibility provided by our notion of an observer. Definition 5.1 (Observational signature morphism) Let Σ Obs = (Σ, S Obs, OP Obs ) and Σ Obs = (Σ, S Obs, OP Obs ) be two observational signatures with Σ = (S, OP) and Σ = (S, OP ). An observational signature morphism σ Obs : Σ Obs Σ Obs is a signature morphism σ: Σ Σ such that the following conditions are satisfied: (1) σ(s Obs ) = σ(s) S Obs. (2) If (op, i) OP Obs then (σ(op), i) OP Obs, (3) If (op, i) OP Obs such that op : s 1,,s n s and s i σ(s) then there exists op OP such that (op, i) OP Obs and op = σ(op). Condition (1) is standard. It requires that observable and non observable sorts are preserved by σ. Condition (2) requires that also observers are preserved by σ. Condition (3) is essential for the satisfaction condition presented below. It says that whenever the image σ(s) of some "old" sort s of Σ Obs is observed by an observer op of Σ Obs then there must be a corresponding observer op of Σ Obs which observes s and which is mapped to op. Thus no "new" observations can be introduced for "old" sorts. However, it is important to note that this still allows us to introduce new operation symbols in Σ Obs which are not in the image of σ but nevertheless may have argument sorts which are in the image of σ. A standard example may be given by the signature of a 7 The axioms of the integer operations are as usual. For expressing the generation principle of the integers one may use either an infinitary disjunction (cf. also [K 71]) or "generated by" axioms which can easily be incorporated in our approach; cf. Conclusion. Another possibility is, of course, to assume a fixed universe of visible data like in hidden algebra; cf. e.g. [GM 97]. 11

13 specification of a bank which is based (i.e. imports) a specification of accounts. Then the bank specification may introduce an operation "_.add_: bank, account bank" for adding an account to a bank. This is not a problem as long as "add" is not used as an observer for accounts which indeed would be strange. Whether "add" is used as an observer for banks or not is irrelevant for establishing an observational signature inclusion from the account signature into the bank signature. Examples like this, where some argument sorts of an operation are imported from another signature frequently occur in practice, in particular, in object oriented programming. This situation cannot be dealt with by hidden signature morphisms; cf. e.g. [MG 94]. Convention We implicitly assume in the following that whenever we consider an observational signature morphism σ Obs : Σ Obs Σ Obs then the underlying signature morphism is σ: Σ Σ. Lemma 5.2 Observational signatures and observational signature morphisms form a category which has pushouts. (For the proof see Appendix.) Definition 5.3 (Observational reduct functor) For any observational signature morphism σ Obs : Σ Obs Σ Obs, Alg Obs (σ Obs ): Alg Obs (Σ Obs ) Alg Obs (Σ Obs ) is defined by: For each A Alg Obs (Σ Obs ), Alg Obs (σ Obs )(A ) = def A σ. For each observational Σ Obs -homomorphism ϕ : A B, Alg Obs (σ Obs )(ϕ ): A σ B σ is defined by Alg Obs(σ Obs )(ϕ ) = def ϕ σ. (See Section 2 for the definition of the reducts A σ and ϕ σ.) The following lemma is essential for proving that Alg Obs (σ Obs ) is indeed a well-defined functor (cf. Theorem 5.5) and also for checking the (observational) satisfaction condition (cf. Theorem 5.6). It says that the observational equality is preserved by observational reducts. (The proof is given in the Appendix.) Lemma 5.4 For any observational signature morphism σ Obs : Σ Obs Σ Obs and observational Σ Obs -algebra A Alg Obs (Σ Obs ), ( Σ Obs,A ) σ = ΣObs,(A σ). Theorem 5.5 For any observational signature morphism σ Obs : Σ Obs Σ Obs, Alg Obs (σ Obs ): Alg Obs (Σ Obs ) Alg Obs (Σ Obs ) is a well-defined functor. (For the proof see Appendix.) We are now able to state the satisfaction condition for observational logic. It guarantees encapsulation in the sense that observational properties are respected when composing systems. In Section 7 we will consider structured specifications and we will see how a 12

14 straightforward sound and complete proof system for structured specifications can be constructed which needs the validity of the satisfaction condition. Theorem 5.6 (Observational satisfaction condition) Let σ Obs : Σ Obs Σ Obs be an observational signature morphism. For any A Alg Obs (Σ Obs ) and Σ-sentence φ, A = Σ Obs σ(φ) if and only if Alg Obs(σ Obs )(A ) = Σ Obs φ where σ(φ) is the usual extension of a signature morphism to Σ-sentences. (For the proof see Appendix.) Corollary 5.7 (The institution of observational logic) The quadruple INS Obs = (Sig Obs, Sen IFOLEQ, Alg Obs, = Obs ) is an institution whereby: Sig Obs is the category of observational signatures and observational signature morphisms. The functor Sen IFOLEQ : Sig Obs Set maps - each observational signature Σ Obs = (Σ, S Obs, OP Obs ) to the set of (possibly infinitary) many-sorted first-order Σ-sentences (cf. Section 2) and - each observational signature morphism σ Obs : Σ Obs Σ Obs to the obvious translation function which transforms Σ-sentences into Σ -sentences. The functor Alg Obs : (Sig Obs ) op Cat maps - each observational signature Σ Obs to the category Alg Obs (Σ Obs ) of observational Σ Obs -algebras and observational Σ Obs -homomorphisms and - each observational signature morphism σ Obs : Σ Obs Σ Obs to the observational reduct functor Alg Obs (σ Obs ): Alg Obs (Σ Obs ) Alg Obs (Σ Obs ). = Obs = ( = ΣObs ) ΣObs Sig Obs where, for each observational signature Σ Obs, = ΣObs is the observational satisfaction relation of a Σ-sentence by an observational Σ Obs - algebra. Remark 5.8 In Section 3 a family (F Σ Obs ) ΣObs SigObs of (full and faithful) functors F Σ Obs : Alg Obs(Σ Obs ) Alg(Σ) is defined and in Proposition 4.4 we have shown that these functors are compatible with observational and standard satisfaction. Hence, the family of functors F Σ Obs can be extended to an institution morphism (cf. [T 96]) which maps the institution of observational logic to the institution of (standard) infinitary first order logic. 6 A Proof System for Observational Logic In this section we study the proof theory for observational logic. For defining an appropriate proof system we first associate to any observational signature Σ Obs the following set FA Σ Obs of Σ-sentences. 13

15 Definition 6.1 Let Σ Obs = (Σ, S Obs, OP Obs ) be an observational signature with Σ = (S, F). FA Σ Obs = def {FA Σ Obs (s) s S\S Obs} where for any s S\S Obs, FA Σ Obs (s) = def x L, x R :s. Var(c). c[x L ] = c[y R ] x L = x R. c C(ΣObs) s SObs Thereby Var(c) denotes the set of all variables occurring in c besides the context variable z s. The underying idea for considering FA Σ Obs stems from a result in [BHW 95] where it is shown that the behavioural theory of a class C of Σ-algebras coincides with the standard theory of the fully abstract algebras of C. Indeed it is easy to prove (using Lemma 3.8) that an observational Σ Obs -algebra satisies FA Σ Obs if and only if it is fully abstract. (Note, however, that this does not hold for arbitrary Σ-algebras.) The following theorem shows that the sentences FA Σ Obs allow us to characterize the observational consequence relation in terms of the standard consequence relation. (The proof is given in the Appendix.) Theorem 6.2 Let Σ Obs be an observational signature, Φ be a set of Σ-sentences and φ be a Σ-sentence. Φ = ΣObs φ if and only if Φ FA Σ Obs = φ. Remark 6.3 Theorem 6.2 shows that there exists a correspondence between observational theories and standard theories which can be expressed by a map that associates to an observational theoy (Σ Obs, Φ) the standard theory (Σ, Φ FA Σ Obs ) in the sense of a plain institution map in [C 93]. In the sequel we assume given, for each signature Σ, a sound and complete proof system Π(Σ) for (many-sorted) first-order logic. The proof system Π(Σ Obs ) for observational logic is then constructed by adding to the axioms and rules of Π(Σ) the sentences FA Σ Obs as further axioms. Definition 6.4 (Proof system for observational logic) For any observational signature Σ Obs, Π(Σ Obs ) = def Π(Σ) FA Σ Obs. We write Φ ΣObs φ (Φ Σ φ resp.) if φ is a Σ-sentence that can be deduced from a set Φ of Σ-sentences by the axioms and rules of Π(Σ Obs ) (Π(Σ) resp.). Using Theorem 6.2 we can prove the soundness and completeness of Π(Σ Obs ). Corollary 6.5 (Soundness and completeness) For any observational signature Σ Obs, for any set Φ of Σ-sentences and any Σ-sentence φ, Φ ΣObs φ if and only if Φ = ΣObs φ. Proof: Φ ΣObs φ iff, by definition of Π(Σ Obs ), Φ FA Σ Obs Σ φ iff, by soundness and completeness of Π(Σ), Φ FA Σ Obs = φ iff, by Theorem 6.2, Φ = Σ Obs φ. 14

16 Remark 6.6 (1) If Σ Obs contains indirect observers there may be infinitely many observable contexts and then FA Σ Obs contains infinitary conjunctions. In this case we choose for Π(Σ) a proof system for infinitary first-order logic (for instance, the manysorted variant of the proof system in [K 71]). 8 Otherwise FA Σ Obs is finitary (if contexts which are equal up to α-conversion are removed). Then one can choose a formal proof system for finitary first-order logic (for instance, the one of [M 87]) to achieve the above result (provided that Φ is finitary). In particular, any available theorem prover for firstorder logic can be used to prove that φ is an observational consequence of Φ. 9 (2) The axioms FA Σ Obs can be considered as a coinductive proof principle (cf. e.g. [JR 97]) which, together with Π(Σ), allows us to prove the observational validity not only of equations but of arbitrary first-order formulas. The essential difference to the proof technique proposed in [BH 94] is that there the observational semantics was not defined in terms of observational algebras and therefore it was necessary to check that the observational equality induced by the observers of Σ Obs is a Σ-congruence on the algebras under consideration (cf. also the hidden coinduction principle for behavioural equations in [GM 97]). Example 6.7 Consider the signature of the observational specification ACCOUNT of Example 4.8. It induces the infinitary sentence FA(account) = def s L, s R : account. i N s L.redo i.bal = s R.redo i.bal s L = s R. Now consider the implicitly universally quantified equation s.paycharge = s.change(-10). It is easy to prove by induction that for all i N, s.paycharge.redo i.bal = s.change(-10).redo i.bal can be derived from the axioms of ACCOUNT. Then, using FA(account), we deduce s.paycharge = s.change(-10) and therefore, by Corollary 6.5, this equation is an observational consequence of the ACCOUNT specification. 7 Structured Observational Specifications In [B 98] (and similarly in [ST 88]) a basic set of specification building operations is defined which allows one to build structured specifications over an arbitrary institution. We will now apply these operators to the particular institution of observational logic thus obtaining the following set of operations for constructing structured observational specifications. The semantics of such a specification SP is determined by its 8 In this case it is however possible to apply a result of [BH 96] to encode the infinitary formulas FA Σ Obs by finitary ones using auxiliary (hidden) symbols and reachability constraints. 9 For instance, using the Larch Prover one can directly implement the axioms FA Σ Obs by the "partitioned by" construct of LP; cf. [GH 93]. 15

17 (observational) signature, denoted by Sig Obs (SP), and by its class of models, denoted by Mod Obs (SP). In the following definition we assume that σ Obs : Σ Obs Σ Obs is an observational signature morphism such that its underlying signature morphism σ: Σ Σ is injective. 10 basic: union: translate: derive: Any presentation Σ Obs, Ax is an observational specification. Its semantics is defined in Definition 4.6. For any two observational specifications SP1 and SP2 with Sig Obs (SP1) = Sig Obs (SP2), the expression SP1 SP2 is an observational specification with semantics Sig Obs (SP1 SP2) = def Sig Obs (SP1), Mod Obs (SP1 SP2) = def Mod Obs (SP1) Mod Obs (SP2). For any observational specification SP with Sig Obs (SP) = Σ Obs, the expression translate SP by σ Obs is an observational specification with semantics Sig Obs (translate SP by σ Obs ) = def Σ Obs, Mod Obs (translate SP by σ Obs ) = def {A Alg Obs (Σ Obs ) Alg Obs (σ Obs )(A ) Mod Obs (SP)}. For any observational specification SP with Sig Obs (SP ) = Σ Obs, the expression derive from SP by σ Obs is an observational specification with semantics Sig Obs (derive from SP by σ Obs ) = def Σ Obs, Mod Obs (derive from SP by σ Obs ) = def {Alg Obs (σ Obs )(A ) A Mod Obs (SP )}. Definition 7.1 Let SP be an observational specification with signature Σ Obs. A Σ-sentence φ is called an observational theorem of SP, written SP = ΣObs φ, if Mod Obs (SP) = ΣObs φ. In the following we are interested in a proof system which allows us to prove observational theorems of structured (observational) specifications. For this purpose we instantiate the institution independent proof system of [B 98] and obtain the following rules which generate, for each observational signature Σ Obs, a relation ΣObs between observational specifications SP and Σ-sentences φ. φ Ax (basic) Σ, Ax ΣObs φ SP1 ΣObs φ SP2 ΣObs φ (union-1) (union-2) SP1+SP2 ΣObs φ SP1+SP2 ΣObs φ SP ΣObs φ (translate) translate SP by σ Obs Σ Obs σ(φ) 10 The injectivity requirement ensures that the interpolation property for institutions (cf. [B 98]) needed for the completeness proof is valid. 16

18 SP Σ Obs σ(φ) (derive) derive from SP by σ Obs ΣObs φ SP ΣObs φ i for i I, {φ i i I} ΣObs φ (pi-obs) SP ΣObs φ According to the rule (pi-obs) the proof system for structured specifications is based on the proof system Π(Σ Obs ) for observational logic presented in Section 6. The other rules correspond to the specification building operations and hence proofs of observational theorems can be performed according to the structure of a given specification. An institution independent proof of the soundness of the above rules is presented in [ST 88]. The completeness can be checked by applying the results of [B 98] to the institution INS Obs of observational logic. For this purpose one has to show that INS Obs satisfies the amalgamation and interpolation properties which is detailed in the Appendix. Theorem 7.2 (Soundness and completeness) Let SP be an observational specification with signature Σ Obs = (Σ, S Obs, OP Obs ) and let φ be a Σ-sentence. SP = ΣObs φ if and only if SP ΣObs φ. 8 Conclusion The main topic of our next research steps is the consideration of refinement relations between (structured) observational specifications with an emphasis on refinement proofs. We hope that we can reuse several results of [BH 95] and [H 97] but we are aware that these approaches do not deal with a built in (internalised) observational semantics of structured specifications as considered in this paper. Easy further tasks should be, first, to extend our approach to partial observational equalities (in the spirit of [BHW 95]) thus obtaining a means to forget irrelevant junk elements and, secondly, to incorporate reachability constraints (or "generated by" axioms) for expressing generation principles. Such generation principles may be useful not only for observable data but also for states, because in reality any state is reachable from the initial state by a finite sequence of transitions. Other important directions of future research deal with a specification methodology based on observational logic, with observational term rewriting and with an extension to concurrent systems. 17

19 References [B 98] T. Borzyszkowski: Completeness of a logical system for structured specifications. In: F. Parisi Presicce (ed.): Recent Trends in Data Type Specification, LNCS 1376, , [BB 91] G. Bernot, M. Bidoit: Proving the correctness of algebraically specified software: modularity and observability issues. Proc. AMAST 91, , Springer-Verlag Works. in Comp. Series, [BH 94] M. Bidoit, R. Hennicker: Proving behavioural theorems with standard first-order logic. In Proc. ALP 94, LNCS 850, 41-58, [BH 95] M. Bidoit, R. Hennicker: Proving the correctness of behavioural implementations. In Proc. AMAST 95, LNCS 936, , An extended version entitled "Modular correctness proofs of behavioural implementations" appears in Acta Informatica. [BH 96] M. Bidoit, R. Hennicker: Behavioural theories and the proof of behavioural properties. Theoretical Computer Science 175, 3-55, [BHW 95] M. Bidoit, R. Hennicker, M. Wirsing: Behavioural and abstractor specifications. Science of Computer Programming 25, , [BT 95] M. Bidoit, A. Tarlecki: Behavioural satisfaction and equivalence in concrete model categories. Technical Report, Warsaw University and Ecole Normale Supérieure, [C 93] M. Cerioli: Relationships between logical formalisms. Ph.D. thesis, Univ. di Pisa-Genova-Udine, [DF 98] R. Diaconescu, K. Futatsugi: CafeOBJ Report, Version , [GH 93] J. Guttag, J. Horning: Larch: Languages and Tools for Formal Specification. Texts and Monographs in Computer Science, Springer, [GM 97] J. Goguen, G. Malcolm: A hidden agenda. Report CS97-538, Univ. of Calif. at San Diego, [H 97] R. Hennicker: Structured specifications with behavioural operators: semantics, proof methods and applications. Habilitation thesis, Institut für Informatik, Universität München (LMU), [HN 93] R. Hennicker, F. Nickl: A behavioural algebraic framework for modular system design with reuse. In: H. Ehrig, F. Orejas (eds.): Recent Trends in Data Type Specification, LNCS 785, , [JR 97] B. Jacobs, J. Rutten: A Tutorial on (Co)Algebras and (Co)Induction. EATCS Bulletin 62, , [K 71] H. J. Keisler: Model theory for infinitary logic. North-Holland, [LEW 96] J. Loeckx, H.-D. Ehrich, M. Wolf: Specification of Abstract Data Types. Wiley and Teubner, [M 87] E. Mendelson: Introduction to Mathematical Logic. Math. Series. Wadswort & Brooks/Cole, [MG 94] G. Malcolm, J. A. Goguen: Proving correctness of refinement and implementation. Technical Monograph PRG-114, Oxford University Computing Laboratory, [P 96] P. Padawitz: Swinging data types: syntax, semantics, and theory. In: M. Haveraaen, O. Owe, O.-J. Dahl (eds.): Recent Trends in Data Type Specification, LNCS 1130, , [R 87] H. Reichel: Initial computability, algebraic specifications, and partial algebras. International Series of Monographs in Computer Science No. 2, Oxford: Clarendon Press, [R 95] H. Reichel: An approach to object semantics based on terminal co-algebras. Math. Struct. Comp. Sci., 5, , [Sch 90] O. Schoett: Behavioural correctness of data representation. Sci. of Comp. Prog. 14, 43-57, [ST 88] D. T. Sannella, A. Tarlecki: Specifications in an arbitrary institution. Information and Computation 76, , [T 96] A. Tarlecki: Moving between logical systems. In: M. Haveraaen, O. Owe, O.-J. Dahl (eds.): Recent Trends in Data Type Specification, LNCS 1130, ,

20 Appendix Proof of Theorem 3.11: It is straightforward to prove that the composition of observational homomorphisms yields an observational homomorphism. Obviously, the composition is associative. To show that Σ Obs,A is the identity on any observational Σ Obsalgebra A, one has first to check that Σ Obs,A is an observational homomorphism between A and A. Properties (1) - (3) of Definition 3.9 are satisfied because Σ Obs,A is an equivalence relation on A. Property (4) is satisfied since Σ Obs,A is a Σ-congruence for any observational Σ Obs -algebra A. Then it is straightforward to prove that for any observational Σ Obs -homomorphisms ϕ: A B and ψ: C A we have ϕ o Σ Obs,A = ϕ and Σ o Obs,A ψ = ψ. Thus Σ Obs,A is the identity for any A Alg Obs(Σ Obs ). Proof of Theorem 3.13: Using the properties of observational homomorphisms it is straightforward to prove that F Σ Obs (ϕ) is a well-defined Σ-homomorphism. It is also straightforward to prove that F Σ Obs is compatible with the composition of morphisms and preserves identities. Thus F Σ Obs is a functor. To show that F Σ Obs is full and faithful it is sufficient to prove that for any A, B Alg Obs (Σ Obs ) and for any Σ-homomorphism h: A/ Σ Obs,A B/ ΣObs,B there exists a unique observational Σ Obs -homomorphism ϕ: A B such that F Σ Obs (ϕ) = h. Assume that h: A/ Σ Obs,A B/ ΣObs,B is a Σ-homomorphism. Then h induces a relation ϕ A x B such that for all a A, b B, a ϕ b if and only if h([a]) = [b]. It is esay to prove that ϕ is indeed an observational Σ Obs -homomorphism between A and B such that F Σ Obs (ϕ) = h. Let us now prove the uniqueness of ϕ. Assume that ϕ : A B is an observational Σ Obs -homomorphism such that F Σ Obs (ϕ ) = h. We have to show ϕ = ϕ. But this is simple since for any a A and b B, a ϕ b iff F Σ Obs (ϕ)[a] = [b] iff h([a]) = [b] iff F Σ Obs (ϕ )[a] = [b] iff a ϕ b. Proof of Lemma 5.2: Let σ1 Obs : Σ Obs Σ1 Obs and σ2 Obs : Σ Obs Σ2 Obs be observational signature morphisms with underying signature morphisms σ1: Σ Σ1 and σ2: Σ Σ2 resp. It is well-known that in the category of algebraic signatures there exists a pushout σ1 Σ > Σ1 σ2 σ1 σ2 Σ2 > Σ Now let S Obs = σ1 (S1 Obs ) σ2 (S2 Obs ), OP Obs = {(σ1 (op1), i) (op1, i) OP1 Obs } {(σ2 (op2), i) (op2, i) OP2 Obs } and Σ Obs = (Σ, S Obs, OP Obs ). 19