Recent Trends in Algebraic Development Techniques: 13th International Workshop, WADT'98 Lisbon, Portugal, April 2-4, 1998 Selected Papers (Lecture Notes in Computer Science, 1589) 9783540662464, 3540662464

Citation preview

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen

1589

3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Singapore Tokyo

Jos´e Luiz Fiadeiro (Ed.)

Recent Trends in Algebraic Development Techniques 13th International Workshop, WADT’98 Lisbon, Portugal, April 2-4, 1998 Selected Papers

13

Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor Jos´e Luiz Fiadeiro University of Lisbon, Department of Informatics Campo Grande, 1700 Lisbon, Portugal E-mail: [email protected]

Cataloging-in-Publication data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Recent trends in algebraic development techniques : 13th international workshop ; selected papers / WADT’98, Lisbon, Portugal, April 2 - 4, 1998. Jos´e Luiz Fiadeiro (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 1999 (Lecture notes in computer science ; Vol. 1589) ISBN 3-540-66246-4

CR Subject Classification (1998): D.1.1-2, D.2.4, D.2.m, D.3.1, F.3.1-2 ISSN 0302-9743 ISBN 3-540-66246-4 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. c Springer-Verlag Berlin Heidelberg 1999
Printed in Germany Typesetting: Camera-ready by author SPIN 10704101 06/3142 – 5 4 3 2 1 0

Printed on acid-free paper

Foreword

The European conference situation in the general area of software science has long been considered unsatisfactory. A fairly large number of small and mediumsized conferences and workshops take place on an irregular basis, competing for high-quality contributions and for enough attendees to make them financially viable. Discussions aiming at a consolidation have been underway since at least 1992, with concrete planning beginning in summer 1994 and culminating in a public meeting at TAPSOFT’95 in Aarhus. On the basis of a broad consensus, it was decided to establish a single annual federated spring conference in the slot that was then occupied by TAPSOFT and CAAP/ESOP/CC, comprising a number of existing and new conferences and covering a spectrum from theory to practice. ETAPS’98, the first instance of the European Joint Conferences on Theory and Practice of Software, is taking place this year in Lisbon. It comprises five conferences (FoSSaCS, FASE, ESOP, CC, TACAS), four workshops (ACoS, VISUAL, WADT, CMCS), seven invited lectures, and nine tutorials. The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and improvement. The languages, methodologies and tools which support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on one hand and soundly-based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive. ETAPS is a natural development from its predecessors. It is a loose confederation in which each event retains its own identity, with a separate programme committee and independent proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronized parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures are reserved for “unifying” talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that have hitherto been addressed in separate meetings. ETAPS’98 has been superbly organized by Jos´e Luis Fiadeiro and his team at the Department of Informatics of the University of Lisbon. The ETAPS steering committee has put considerable energy into planning for ETAPS’98 and its successors. Its current membership is:

VI

Foreword

Andr´e Arnold (Bordeaux), Egidio Astesiano (Genova), Jan Bergstra (Amsterdam), Ed Brinksma (Enschede), Rance Cleaveland (Raleigh), Pierpaolo Degano (Pisa), Hartmut Ehrig (Berlin), Jos´e Fiadeiro (Lisbon), Jean-Pierre Finance (Nancy), Marie-Claude Gaudel (Paris), Tibor Gyimothy (Szeged), Chris Hankin (London), Stefan J¨ ahnichen (Berlin), Uwe Kastens (Paderborn), Paul Klint (Amsterdam), Kai Koskimies (Tampere), Tom Maibaum (London), Hanne Riis Nielson (Aarhus), Fernando Orejas (Barcelona), Don Sannella (Edinburgh, chair), Bernhard Steffen (Dortmund), Doaitse Swierstra (Utrecht), Wolfgang Thomas (Kiel) Other people were influential in the early stages of planning, including Peter Mosses (Aarhus) and Reinhard Wilhelm (Saarbr¨ ucken). ETAPS’98 has received generous sponsorship from: Portugal Telecom TAP Air Portugal the Luso-American Development Foundation the British Council the EU programme “Training and Mobility of Researchers” the University of Lisbon the European Association for Theoretical Computer Science the European Association for Programming Languages and Systems the Gulbenkian Foundation I would like to express my sincere gratitude to all of these people and organizations, and to Jos´e in particular, as well as to Springer-Verlag for agreeing to publish the ETAPS proceedings. Edinburgh, January 1998

Donald Sannella ETAPS Steering Committee chairman

Preface This volume contains papers selected from WADT’98 the 13th Workshop on Algebraic Development Techniques. Like its predecessors, WADT’98 focused on the algebraic approach to the specification and development of systems, an area that was born around the algebraic specification of abstract data types and encompasses today the formal design of integrated hardware and software systems, new specification frameworks, and a wide range of applications. WADT’98 was organized as part of the first European Joint Conferences on Theory and Practice of Software (ETAPS). It took place at the Gulbenkian Foundation in Lisbon, Portugal, April 2-4, 1998. The program of WADT’98 consisted of 43 presentations. The main topics addressed during the workshop were: algebraic and other approaches to system specification; algebraic combination of logics; algebraic structures and logics for concurrency; other algebraic structures and their logics; specification languages and their associated methods and tools; term rewriting and theorem proving. A committee consisting of Bernd Krieg-Br¨ uckner, Jos´e Luiz Fiadeiro, Peter Mosses, Fernando Orejas, Francesco Parisi Presicce, Don Sannella, and Andrzej Tarlecki, with the help of Marie-Claude Gaudel and H´el`ene Kirchner, selected a number of papers based on the abstracts and the presentations at the workshop, and invited their authors to submit a written version of their talks for possible inclusion in this volume. All the submissions underwent a careful refereeing process. The selection committee then made the final decisions. This volume contains the final versions of the contributions that were accepted. We are very grateful to all the referees that helped the selection committee in reviewing the submissions: Marek Bednarczyk, Michel Bidoit, Tomasz Borzyszkowski, Roberto Bruni, Luca Cardelli, Maura Cerioli, Christine Choppy, Pierpaolo Degano, Alessandro Fantechi, Nicoletta De Francesco, Martin Hofmann, Hans-J¨ org Kreowski, Neil Ghani, Jo Hannay, Stefan Kahrs, Manuel Koch, Alfio Martini, Wieslaw Pawlowski, Adolfo Piperno, Gianna Reggio, Horst Reichel, Pino Rosolini, H. Schlingloff, Aleksy Schubert, Patrick Viry, Martin Wirsing, and Uwe Wolter. Being part of ETAPS’98, the workshop shared the generous sponsorship acknowledged in the foreword and the dedication of the organization committee. As organizing chair of ETAPS’98, I would like to take the opportunity to express my deepest thanks to Antnia Lopes, whose help made it all feel so easy, as well as M.Costa, S.Jourdan, E.Moita, I.Nunes, L.Pires, J.Ramos, P.Resende, O.Torres, and M.Wermelinger. January 1999

Jos´e Luiz Fiadeiro

Table of Contents

An Algebraic Framework for Separate Type-Checking . . . . . . . . . . . . . . . . . . . . . . . 1 Davide Ancona Moving Specification Structures Between Logical Systems . . . . . . . . . . . . . . . . . . 16 Tomasz Borzyszkowski Normal Forms for Partitions and Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Roberto Bruni, Fabio Gadducci and Ugo Montanari Parameterisation of Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Carlos Caleiro, Cristina Sernadas and Am´ılcar Sernadas Semantic Constructions for Hidden Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Corina Cˆırstea Functorial Semantics for Multi-algebras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Andrea Corradini and Fabio Gadducci An Algebra of Graph Derivations Using Finite (co–) Limit Double Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Andrea Corradini, Martin Große–Rhode and Reiko Heckel Hierarchical Heterogeneous Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Sophie Coudert, Gilles Bernot and Pascale Le Gall Parallel Admissible Graph Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Rachid Echahed and Jean-Christophe Janodet Refinements and Modules for Typed Graph Transformation Systems . . . . . . 138 Martin Große–Rhode, Francesco Parisi Presicce and Marta Simeoni Complete Strategies for Term Graph Narrowing . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Annegret Habel and Detlef Plump Non-deterministic Computations in ELAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 H´el`ene Kirchner and Pierre-Etienne Moreau Rasiowa-Sikorski Deduction Systems: A Handy Tool for Computer Science Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Beata Konikowska Translating OBJ3 into CASL: The Institution Level . . . . . . . . . . . . . . . . . . . . . . 198 Till Mossakowski CASL: A Guided Tour of Its Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Peter D. Mosses Abstract Petri Nets as a Uniform Approach to High-Level Petri Nets . . . . . 241 J. Padberg

X

Table of Contents

Using Reflection to Specify Transaction Sequences in Rewriting Logic . . . . . 261 Isabel Pita and Narciso Mart´ı-Oliet Concurrency and Data Types: A Specification Method An Example with LOTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Pascal Poizat, Christine Choppy and Jean-Claude Royer The Situation and State Calculus versus Branching Temporal Logic . . . . . . . 293 Jaime Ramos and Am´ılcar Sernadas Modular Specification of Concurrent Systems with Observational Logic . . . 310 Pedro Resende Proof Normalization of Structured Algebraic Specifications Is Convergent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Martin Wirsing, John N. Crossley and Hannes Peterreins Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

An Algebraic Framework for Separate Type-Checking? Davide Ancona Dipartimento di Informatica e Scienze dell’Informazione Via Dodecaneso, 35 16146 Genova (Italy) [email protected]

Abstract. We address the problem of defining an algebraic framework for modularization supporting separate type-checking. In order to do that we introduce the notions of abstract type system and logic of constraints and we present a canonical construction of a model part, on top of a logic of constraints. This canonical construction works under standard assumptions on the underlying type system. We show that the framework is suitable for defining the static and dynamic semantics of module languages, by giving a concrete example of construction on top of the type system of a simple typed module language. As a result, the subtyping relation between module interfaces is captured in a natural way by the notion of signature morphism.

Introduction Modularization has been considered since the early 70s an essential principle for managing the complex task of software development [29]. Nowadays there exist many modular programming languages offering rather advanced features for modularization. Nevertheless, many recent papers [21,22,6,12,19,20,24,9,10] have shown that many of the modular mechanisms provided by them turn out to be inadequate in the light of the new software technology. Object-oriented and distributed programming have promoted a stronger demand for more flexible modularization mechanisms able to face the problem of software reuse, maintenance and extensibility. As a consequence, true separate compilation and linking are becoming more and more important issues which must be taken into account in order to successfully deal with complex system libraries. In particular, separate type-checking turns out to be an essential phase of separate compilation, both from the point of view of software reliability, since it allows compilers to statically detect many subtle errors due to incompatibility between modules, and of efficiency, since compilers may take advantage of the information about the external components modules depend on. ?

This work has been partially supported by Murst 40% - Modelli della computazione e dei linguaggi di programmazione and CNR - Formalismi per la specifica e la descrizione di sistemi ad oggetti.

J.L. Fiadeiro (Ed.): WADT’98, LNCS 1589, pp. 1–15, 1999. c Springer-Verlag Berlin Heidelberg 1999

2

Davide Ancona

Another important consideration that has emerged in the last years is related to the notion of modular module system [23]: following the approach of SML [27], many authors [8,6,23,11] have recognized the usefulness both from the practical and the theoretical point of view of considering a module language as a language on its own which is independent of the underlying core language. The algebraic framework for modularization developed in [4,3,2] partially fulfills the characteristics exposed above. It is based on the well-established theory of institutions [15] which allows an abstract approach to modularization [31,13]. Indeed, the framework is parametric in the algebraic framework used for modeling the underlying core language. The framework allows to deal with mixins [8] and generic modules (e.g., SML functors) in a uniform way and to define three primitive operations from which many higher-level operators commonly used in module languages can be derived [4,2]. Since their semantics abstracts from a particular underlying language, they actually correspond to linking operations. What the framework does not directly support, because of its generality, is the notion of type system, which is essential for dealing with type-checking. The aim of this paper is to define an algebraic framework supporting static and dynamic semantics of parametric modules in an arbitrary type system. In order to do that we introduce the notions of abstract type system and logic of constraints. Then, on top of a fixed logic of constraints, a model part (in the sense of institutions) can be canonically built; standard requirements over the logic ensure the model part to satisfy the amalgamation property and, therefore, to be suitable for defining static and dynamic semantics of module languages. The intuitive idea behind this construction is to consider a separately compiled module as a program fragment containing all the type information needed to successfully perform the inter-module type-checking (what is called intercheck in [9]) in order to link the module in a type-safe way. This information can be abstractly modeled by a set of type constraints whose form depends on the underlying type system. In this way it is possible to deal uniformly with several linguistic mechanisms adopted in module languages. For instance, if a generic module G is parametric in a type t s.t. t≤real (bounded types mechanism), then t≤real belongs to the set of constraints associated with G. This happens also for the types defined in G; if G exports the implementation of a type u=int*int (manifest types mechanism) then u=int*int is another constraint for G. Depending on the core language we consider, we have to specify which are the possible forms of constraints and how these constraints are translated when we rename the type symbols contained in them (e.g., t and u in the example of G). The logic of constraints has to be completed by adding an entailment relation between set of constraints (essential for dealing with inter-check), obtaining in this way an abstract type system, and, finally, by considering a satisfaction relation which introduces the notion of model. In Sect.1 we present two motivating examples showing the usefulness of type constraints in the context of separate type-checking. The definitions of abstract type system and logic of constraints together with the canonical construction of the model part are given in Sect.2. In the same section we give some standard

An Algebraic Framework for Separate Type-Checking

3

conditions needed for the construction to work and for the amalgamation lemma to hold. In Sect.3 we show how on top of the model part defined in Sect.2 we can conveniently define static and dynamic semantics of module languages. A simple instantiation of the model is presented in Sect.4, formalizing the concepts introduced in the examples of Sect.1. Sect.5 briefly discusses some related work and draws some conclusions.

1

Two Motivating Examples

In this section we show the usefulness of the notion of type constraint for separate type-checking by means of two motivating examples, written in SML. The first example deals with manifest types and type information propagation, whereas the second deals with bounded polymorphism. In both cases we show how these mechanisms allows one to gain flexibility in the context of module languages with separate type-checking and how they can be formalized in a uniform way by means of the general notion of type constraint. Manifest Types The notion of manifest type has been introduced by Leroy [21] in the context of separate type-checking for SML; a completely equivalent approach can be found also in [16]. Roughly speaking, manifest types correspond to the ability of interfaces to contain type definitions, so that additional information can be recovered by the compiler when performing separate type-checking. Consider, for instance, the following definitions: signature TwiceSig = sig type t; val f:t->t end; functor TwiceFun(structure S:TwiceSig):TwiceSig = struct type t=S.t; fun f(x)=S.f(S.f(x)) end; structure Succ:TwiceSig = struct type t=int; fun f(x)=x+1 end; structure TwiceSucc:TwiceSig = TwiceFun(structure S=Succ);

Since we are interested in separate type-checking, the compiler can inspect the signatures (i.e., the interfaces) of Succ and TwiceFun, but not their code; for this reason, it can infer that TwiceSucc matches the signature (i.e., has the interface) TwiceSig, but it cannot infer (as we would like in this case) that TwiceSucc matches the signature sig val f:int->int end. As a consequence, the module TwiceSucc is of little use. The solution to this problem consists in adding the information t=int and t=S.t in the signature of Succ and in the interface of TwiceFun, respectively: functor TwiceFun(structure S:TwiceSig):sig type t=S.t;val f:t->t end =... structure Succ:sig type t=int; val f:t->t end = ...

The information t=int is necessary for the compiler to know how t is implemented in Succ, whereas t=S.t expresses type information propagation.

4

Davide Ancona

Bounded Polymorphism Consider the following definitions: signature RealSig = sig val plus:real*real->real end; signature ComplexSig = sig type cpx; val plus:cpx*cpx->cpx end; functor Complex(structure S:RealSig):ComplexSig = struct type cpx=real*real; fun plus((x1,y1),(x2,y2))=(S.plus(x1,x2),S.plus(y1,y2)) end;

The functor Complex allows one to build complex number on top of a given implementation for real numbers. This definition has the drawback that Complex cannot be applied to structures (i.e., modules) implementing other kinds of numbers (e.g., natural, integer and rational numbers). We can solve this problem by changing the signature of the parameter of Complex in this way: signature PlusSig = sig type t; val plus:t*t->t end; functor Complex2(structure S:PlusSig):ComplexSig = struct type cpx=S.t*S.t; ... end;

However, this is not a completely satisfactory solution, since now our functor can be applied to too many structures (namely, also to non-numeric ones). A better solution consists in adding to PlusSig the subtyping constraint t≤real. Obviously, one can take advantage of these kinds of constraints only for module languages whose core language supports subtyping, typically, the object oriented ones. For instance, the language Eiffel [26] supports this approach by allowing the definition of generic classes to depend on a bounded object type; even more advanced is the F -bounded polymorphism of generics in the language Pizza [28]. What should be clear from these examples is that modular programming in the context of separate type-checking becomes more flexible when we have the possibility of enriching interfaces with some information about types in the form of type constraints. What is more interesting, this is a general approach that, in principle, can be applied to any typed core language, independently of its particular type system. Indeed, a particular type system being fixed, one can easily define the set of equality and subtyping constraints over it. Furthermore, equality and subtyping are two possible kinds of constraints, but many others can arise in practice. Consider, for instance, constraints over the structure of types, in order to ensure recursive types to be well defined (see [1]); another example is given by Pizza generics which can contain constraints of the form C implements I(C), where C is a class and I a generic interface.

2

Abstract Type Systems and Logic of Constraints

This section is devoted to the notion of abstract type system and logic of constraints. Abstract type systems are characterized by the notions of constraint, translation of a constraint along a function and constraint entailment. On top of this notion we can build a category of signatures, where subtyping between signatures is modeled by inclusion morphisms. A logic of constraints is an abstract type system equipped with a satisfaction relation for constraints which is used for defining the model functor; this is

An Algebraic Framework for Separate Type-Checking

5

essential for ensuring that the typing rules of the module language (constraint entailment) are sound w.r.t. its semantics (constraint satisfaction). A set of minimal requirements on the abstract type system and on the logic of constraints must hold in order to be able to define a model part on top of them; we prove that such requirements corresponds to very natural properties of type systems by providing a set of stronger requirements which we expect to be satisfied in a type system (e.g., soundness of the entailment relation w.r.t. the satisfaction relation). Furthermore, such requirements allow logics of constraints to determine model parts where the signature category is finitely cocomplete and the model functor preserves such colimits, an essential property for dealing with modularization [13]. Abstract Type System The notion of abstract type system is strictly based on the concept of type constraint which is crucial when dealing with modules and separate type-checking. Indeed, this turns to be a very general notion which does not need to introduce the concept of type, which is “encapsulated” in that of constraint: this allows to define a general framework which can be instantiated with many different type systems and kinds of constraints. Definition 1. An abstract type system T is a pair where: – Con: Set → Set is a functor over the category Set of small sets, mapping sets of type symbols into sets of constraints. For any set T in Set, we call Con(T ) the set of all constraints over T ; similarly, each subset C of Con(T ) is called a set of constraints over T and each element belonging to it is called a constraint over T . For each morphism f: T1 → T2 in Set, Con(f): Con(T1 ) → Con(T2 ) is a function associating with each constraint c ∈ Con(T1 ) its translation via f, denoted by fc (rather than Con(f)(c)). For each set C of constraints over T1 , we denote by fC the set of constraints over T2 defined by {fc | c ∈ C}; – ` is a family of entailment relations `T ⊆ P(Con(T ))×Con(T ) indexed over sets of type symbols. If C `T c then we say that the set of constraints C entails the constraint c. – the following two properties are satisfied: 1. for any set of constraints C, C ` C; 2. for any set of constraints C1 , C2, C3 over T1 , T2 , T3 , respectively, and any function f1 : T1 → T2 and f2 : T2 → T3 , if C3 ` f2 C2 and C2 ` f1 C1 then C3 ` (f2 ◦ f1 )C1 . We also write C1 `T C2 if C2 is a set of constraints over T s.t. for all c ∈ C2 , C1 `T c. In the following we will omit the subscripts from the entailment relation. A similar notion of constraint was introduced in [13] in the context of specification modules. However, here the intention is to focus on the notion of type. Therefore we avoid the more general notion of constraint over a signature and assume that constraints specify only properties about types. The entailment relation is at the basis of the notion of type system. If C1 ` C2 holds, then we

6

Davide Ancona

expect C2 to be a logical consequence of C1 , hence, when considering models, we expect that every solution for C1 is also a solution for C2 . We now prove that an abstract type system determines a category of signatures. Proposition 2. Let T = be an abstract type system. Then T determines a category of signatures SigT where objects are all the triples , with C over T and O a T -family of sets of symbols, morphisms from to are all the pairs with f t : T1 → T2 s.t. C2 ` f t C1 and f o a T1 -family of functions {fto : (O1 )t → (O2 )f t (t)}t∈T1 and identities and composition are defined in the obvious way. If Σ = is a signature, then we say that Σ is over T . Logic of Constraints We turn now to define a model functor over a category of signatures defined on top of an abstract type system in order to obtain a model part. A satisfaction relation for sets of constraints is at the basis of the notion of model. Definition 3. A logic of constraints L is a triple , where: – is an abstract type system (denoted by T (L)); – |= is a family of satisfaction relations |=T ⊆ [T → Set]×Con(T ) indexed over sets of type symbols, where [T → Set] denotes the class of all T -families of sets (i.e., all functors from the discrete category T into Set), called carriers over T . If A |=T c, then we say that the carrier A over T satisfies the constraint c; – the following property is satisfied: 3. for any C1 , C2 over T1 , T2 , respectively, and for any f: T1 → T2 and A over T2 , if A |= C2 and C2 ` fC1 then A|f |= C1 . We could consider a more general notion of carrier by replacing [T → Set] with [T → Cat]; this choice should be better for dealing with advanced semantics of types (e.g., CPO and PER models). However, here we prefer to restrict ourselves to sets in order to make the presentation simpler. We write A |=T C if C is a set of constraints over T s.t. for all c ∈ C, A |=T c. We also write C1 |=T C2 if C1 and C2 are sets of constraints over T s.t. for any carrier A over T , A |= C1 ⇒ A |= C2 . In the following we will always omit the subscript from the satisfaction relation. Furthermore, if A is over T1 and f: T2 → T1 , we will adopt the more standard notation A|f for denoting A ◦ f = {Af(t) }t∈T2 ; we also use A|T2 when f is the inclusion of T2 into T1 . There exists a clear connection between the notion of abstract type system and logic of constraints and those of entailment system [25], π-institution [14] and logical system [18]. The main difference is that here we focus on the notion of type and type system of a programming language. Hence, defining a logic of

An Algebraic Framework for Separate Type-Checking

7

constraints means to fix a particular type system and its associate semantics. Once these “ingredients” are fixed, it is possible to define a model part on top of them. Proposition 4. Let L = be a logic of constraints. Then L determines a model part , where SigL is the signature category SigT (L) determined by T (L) and Mod L : Sigop L → Class is defined in the following way: – Mod L () is the class of pairs , with A carrier over T s.t. A |= C and I a T -family of functions {It : Ot → At }t∈T called interpretation; then Mod L () – if : → t o is the function defined by Mod L ()() = , for any model over . By an abuse of notation, in the following we will often denote a model simply by A and use the standard notation A| for denoting Mod L ()(). Furthermore, we will also write gA instead of It (g). Conditions 1, 2, and 3 ensure that the model part construction is correct. However, even though minimal, conditions 2 and 3 are not standard. Therefore we prefer to replace them with a set of more restrictive but standard conditions ensuring the correctness of our construction. Proposition 5. Let L = be a triple satisfying the following properties: – (reflexivity of entailment) for any set of constraints C, C ` C; – (transitivity of entailment) for any set of constraints C1 , C2 and C3 over T , if C1 ` C2 and C2 ` C3 then C1 ` C3 ; – (preservation of entailment under translation) for any set of constraints C1 and C2 over T1 and any function f: T1 → T2 , if C1 ` C2 then fC1 ` fC2 ; – (soundness) for any set of constraints C1 and C2 over T , if C1 ` C2 then C1 |= C2 ; – (satisfaction condition) for any set of constraints C over T1 , any function f: T1 → T2 and any carrier A over T2 , A |= fC iff A|f |= C. Then L determines a logic of constraints. Note that here, by contrast with the notion of entailment system,π-institution and logical system, we do not require monotonicity of the entailment relation, therefore the framework is suitable also for supporting non-monotonic reasoning. Note also that for the proof of Prop.5 we need only one side of the satisfaction condition (actually, it suffices to assume that reduct preserves satisfaction); the other side is needed for proving that Mod L preserves finite colimits (Prop.10). Proposition 6. Let L = be a logic of constraints satisfying the five properties of Prop.5. Then the signature category SigL determined by L is finitely cocomplete.

8

Davide Ancona

We have shown that we can combine signatures together in SigL ; we turn now to consider models and wonder whether it is possible to combine models, too, by means of the amalgamated sum. Fortunately, the answer is affirmative, since it can be proved that for any logic of constraints L, Mod L preserves finite colimits and, therefore, the amalgamation lemma holds [13]. In order to prove this fact, we first need to show that the model functor UMod , obtained from Mod L by simply forgetting type constraints, preserves finite colimits. In the following we denote by SSet the category of many-sorted sets (see [32] for a formal definition); furthermore, we recall that SSet is (finitely) cocomplete. Definition 7. Let UMod : SSet → Class be the functor defined by: – UMod () is the class of pairs , with A carrier over T and I a T -family of functions {It : Ot → At }t∈T ; – if : → then UMod() is the function defined by UMod ()() = , for any model over . Note that, if L is a logic of constraints, then, trivially, for any morphism f: Σ1 → Σ2 in SigL , the equality i1 ◦Mod L (f) = (UMod ◦UL )(f)◦i2 , holds, where ik :Mod L (Σk ) ,→ (UMod ◦ UL )(Σk ), k = 1, 2, denotes the obvious inclusions. Let be the model part of many-sorted algebras (see [32]); it is well-known that Alg preserves finite colimits [7]; furthermore there exists an embedding functor E from SSet into AlgSig s.t. E preserves finite colimits and Alg ◦ E is naturally isomorphic to UMod , hence UMod preserves finite colimits, too. That is formalized by the following propositions. Proposition 8. Let E: SSet → AlgSig be the functor defined by:  Ot if t¯ = Λ 0 for each ∈ T ∗ ×T E() = , O< = t¯,t> ∅ otherwise fto if t¯ = Λ o o E() = , f 0 = for each ∈ T ∗ ×T id∅ otherwise Then E has a right-adjoint and UMod is naturally isomorphic to Alg ◦ E. Corollary 9. The functor UMod preserves finite colimits. Proposition 10. Let L = be a logic of constraints satisfying the five properties of Prop.5. Then the functor Mod L determined by L preserves finite colimits.

3

Modeling Generic Modules in an Arbitrary Type System

In this section we show how it is possible to model constant (i.e., non parametric) and generic (i.e., parametric) modules defined on top of a typed core language.

An Algebraic Framework for Separate Type-Checking

9

In order to be able to do this, we only need the type system of the underlying core language to give rise to a logic of constraints satisfying the five properties of Prop.5. Indeed, the models are directly defined on top of the model part determined by the logic of constraints, and the semantics of generic module application is based on the amalgamation sum. For reasons of space we consider a very simple module language supporting constant and generic modules and application as the only possible operation over modules. However, we see no restrictions in defining a richer language, with more sophisticated operators and features, as investigated in [4,2]. Static Semantics The entities denoted by the module typed language we are going to define are constant and generic modules, whereas types are their interfaces. Types for constant modules are the objects of the signature category SigL : T represents the exported type components, whereas O represents all the other exported components (associated with their corresponding types); C represents the set of constraints over the exported type components that are assumed to be statically satisfied by the module. The type for a generic module is of the form Σ in → Σ out , with Σ in and Σ out the type of the parameter and of the body of the generic, respectively. Definition 11. All generic module types are of the form Σ in → Σ out , with Σ in and Σ out signatures in SigL over T in and T out , respectively, and T in ⊆ T out . The condition T in ⊆ T out is essential for dealing with type information propagation. However, such a condition corresponds to automatically export all the type components of the parameter; by slightly complicating Def.11 we could also manage with situations where one wants to hide some types of the parameter, but here we prefer to avoid such a complication in favor of a clearer presentation. As already stated, the module language supports subtyping: intuitively, a generic module G can be applied to a module whose interface is larger and have more restrictive requirements than the parameter interface. This is formalized by the notion of inclusion morphism. Definition 12. An inclusion morphism : ,→ in SigL is a morphism s.t. it :T1 ,→ T2 is the inclusion function from T1 into T2 and io is the family of inclusions {it :(O1 )t ,→ (O2 )t }t∈T1 . If :Σ1 ,→ Σ2 is an inclusion morphism, then we will often use the notation A|Σ1 instead of A| . Definition 13. The type Σ1 is a subtype of Σ2 iff there exists an inclusion morphism (necessarily unique) from Σ2 into Σ1 . By definition of SigL (see Prop.2) and by Def.12 and Def.13 we can easily derive the rule for subtyping (Fig.1).

10

Davide Ancona

The typing rule for application is given in Fig.1. Note that no subsumption rule has been given, since in rule (Aτ ) we need to know the most specific type of M , in order to properly deal with type information propagation. More precisely, the types of M and their associated constraints are propagated to the outside by putting together the interface of the body (Σ out ) with the type information of M () by means of the pushout operator +T in (note that, by contrast, the other components of M are not propagated):Σ out +T in denotes the pushout for the pair of (inclusion) morphisms ,→ Σ out and ,→ . (S)

(Aτ )

Σ1 ≤ Σ2

:Σ2 ,→ Σ1

G: Σ in → Σ out M :Σ G(M ):Σ out +T in

Σ ≤ Σ in Σ in = Σ =

Fig. 1. Typing rule for application

Dynamic Semantics We turn now to consider the entities denoted by the module language. Constant modules of type Σ are simply modeled by models in Mod L (Σ); recall that such models provide interpretations for the types in T which are consistent with the set of constraint C and for the other components in O (see Prop.4). Intuitively, one expects generic modules of type Σ in → Σ out to be modeled by functions from Mod L (Σ in ) into Mod L (Σ out ). But this is a too coarse domain since type propagation implies that for any constant module M and generic module G which are type-compatible, M and G(M ) must coincide over the type components in T in . Definition 14. For any module type Σ in → Σ out , its class of models is defined by all functions F : Mod L (Σ in ) → Mod L (Σ out ) s.t. ∀ A ∈ Mod L (Σ in ) A = (F (A))|T in . The semantic clause for application is given in Fig.2. It is assumed that G and M satisfy the typing rule (Aτ ) of Fig.1. The semantics of M must be explicitly coerced to the supertype of the parameter by means of the reduct operator (A|Σ in ), then F can be safely applied. Finally, the result must be “augmented” by the types introduced by the actual parameter by means of the amalgamated sum operator ⊕T in (the model counter-part of the +T in operator over signatures); note that the types in T in must be shared. We finish this section by showing that the semantics of application is welldefined. Proposition 15. For any well-typed expression G(M ), [[ G(M ) ]] is well-defined.

An Algebraic Framework for Separate Type-Checking

11

[[ G ]] = F [[ M ]] = A [[ G(M ) ]] = F (A|Σ in ) ⊕T in A|

(Aσ)

Fig. 2. Semantic clause for application

4

Fixing a Logic of Constraints

In this section we instantiate the framework presented in Sect.2 and 3 over a particular logic of constraints (henceforth denoted by L0 ) in order to define a model for the module language presented in Sect.1. We give a concrete definition of abstract type system and of logic of constraints and prove that these definitions verify the requested properties of Prop.5. Finally, we show how the two examples presented in Sect.1 are mapped into the model. Constraints A constraint over {t1 , . . . , tn } is either of the form τ1 = τ2 or τ1 ≤ τ2 , where τ1 and τ2 range over the type expressions inductively defined over basic types (unit, bool, int, real), the type variables t1 , . . . , tn and the constructors ∗ and →. For reasons of space and for sake of simplicity we have not not considered polymorphic types, which, obviously should be taken into account when dealing with SML-like core languages. Translation is straightforward: f(τ1 = τ2 ) ≡ f # (τ1 ) = f # (τ2 ), f(τ1 ≤ τ2 ) ≡ # f (τ1 ) ≤ f # (τ2 ), where ≡ denotes syntactic equivalence and f # is the homomorphic extension of f to type expressions. The entailment relation is defined in Fig.3.

C `τ ≤τ

C ` τ1 ≤ τ2 C ` τ2 ≤ τ 1 C ` τ1 = τ2

C ` τ 1 = τ2 C ` τ 2 = τ1

C ` τ1 ≤ τ 2 C ` τ2 ≤ τ 3 C ` τ 1 ≤ τ3

C ` τ1 = τ 2 C ` τ1 ≤ τ 2

C ` τ1 ≤ τ10 C ` τ2 ≤ τ20 C ` τ1 ∗ τ2 ≤ τ10 ∗ τ20

C ` int ≤ real

C ` τ10 ≤ τ1 C ` τ2 ≤ τ20 C ` τ1 → τ2 ≤ τ10 → τ20

{c} ∪ C ` c

Fig. 3. Constraint entailment

Satisfaction The relation is defined by A |= τ1 ≤ τ2 ⇐⇒ [[ τ1 ]] (A) ⊆ [[ τ2 ]] (A) and A |= τ1 = τ2 ⇐⇒ [[ τ1 ]] (A) = [[ τ2 ]] (A), where [[ τ ]] (A) denotes the semantics of τ w.r.t. the carrier A and is defined in Fig.4. The notation A * B denotes the set of all partial functions from A to B and A×B the Cartesian product of A and B. Again, for reasons of space, we have preferred a simple semantics avoiding to introduce CPO models, which, however, are essential ingredients when dealing with recursive type expressions.

12

Davide Ancona [[ unit ]] (A) = {∗} [[ bool ]] (A) = {f, t} [[ int ]] (A) = ZZ [[ t ]] (A) = At [[ τ1 ∗ τ2 ]] (A) = [[ τ1 ]] (A) × [[ τ2 ]] (A) [[ τ1 → τ2 ]] (A) = [[ τ1 ]] (A) * [[ τ2 ]] (A)

Fig. 4. Semantics of types Proposition 16. The logic L0 satisfies the five properties of Prop.5. Mapping modules into models We conclude this section by showing how the modules presented in Sect.1 are mapped into models of the form defined in Sect.3, instantiated over L0 . We stress again that in this case L0 turns out to be adequate, since the examples given in Sect.1 do not deal with polymorphism and recursive types; however, for more sophisticated examples, more advanced logics are needed. Manifest types The interface of Succ corresponds to the signature ΣS = , where {f:t0 } denotes the family O s.t. Ot = ∅, Ot0 = {f} (we keep using this notation in the examples that in out → ΣTF of TwiceFun is defined by follow below). The signature ΣTF in 0 0 0 ΣTF = , out ΣTF = , where t, t00 correspond to S.t and t in the first example of Sect.1, respectively. Since {t = int, t0 = t → t} ` {t0 = t → t}, we have, by (S) of Fig.1, in ΣS ≤ ΣTF , therefore, applying (Aτ ) of Fig.1 we can derive that TwiceFun(Succ) has the signature , which is a subtype of , since, clearly, {t00 = t, t000 = t00 → t00 , t = int, t0 = t → t} ` {t00 = int, t000 = t00 → t00 }. The module Succ denotes the model AS defined by (AS )t = ZZ, (AS )t0 = ZZ * ZZ and f AS = λx.x + 1, whereas the generic module TwiceFun denotes the in out ) to the model Aout (over ΣTF ) function F , mapping each model Ain (over ΣTF out out in out out in Aout Ain Ain defined by At = At00 = At , At0 = At000 = At0 , f = f ◦f . By clause (Aσ) of Fig.2, TwiceFun(Succ) denotes the model B defined by Bt = Bt00 = ZZ, Bt0 = Bt000 = ZZ * ZZ, f B = λx.x + 2. in out → ΣC of Complex2 is defined by Bounded Polymorphism. The signature ΣC in 0 0 0 ΣC = , out = , where t, t00 ΣC correspond to S.t and cpx in the second example of Sect.1, respectively. Let ΣI = be the signature of a module I in , since implementing integer numbers. Then ΣI ≤ ΣC 0 0 {t = t ∗ t → t, t = int} ` {t = t ∗ t → t, t ≤ real}. Note that subtyping could not be inferred if the constraint t = int were not present in the signature ΣI . Finally, Complex2(I) has the signature . Analogously to the previous example, we can easily derive the models denoted by Complex2, I and Complex2(I).

An Algebraic Framework for Separate Type-Checking

5

13

Conclusion and Related Work

We have defined an algebraic framework directly supporting the notion of type and separate type-checking. More precisely, we have shown how it is possible to construct a model part on top of a given type system by introducing the notions of abstract type system and logic of constraints. We have proved that, under standard requirements over the logic, such a model part satisfies the usual properties needed for defining the semantics of module systems. Indeed, following the technique developed in [4,2], we have defined over this model part the static and dynamic semantics of a typed module language with generic modules; as a consequence, the definition of such a language is independent of the underlying core language and its type system. A simple module language has been considered, but one could define richer languages, with more sophisticated operators and features, as investigated in [4,2]. Finally, we have presented an instantiation of the framework able to model a module language over a simple typed functional language supporting manifest types, type information propagation and bounded polymorphic generics. The notion of logic of constraints has been inspired by [13] where it was introduced in the context of specification modules; however, even though the approach is similar in the spirit (and, for this reason, we have used the same terminology), here the technical details are different, since we are interested in type constraints over programs, rather than generic constraints over specifications. As already stated, the notions of abstract type system and logic of constraints have a strict connection with those of entailment system [25], π-institution [14] and logical system [18]. Our approach, however, is different from the others since it privileges the aspects connected with the notion of type system and separate type-checking. For instance, we do not need to assume monotonicity of the entailment relation, as it happens in the other mentioned approaches. The PhD thesis of Aspinall ([5], Chap.6 and 7) and the related paper [30] is without any doubt the most related work to this paper: the instantiation of ASL+ over the institution F PC allows Aspinall to define a powerful typechecking system for modules. However, such a system deals with type equalities, but not with more general type constraints like subtyping; furthermore, the choice of the specific FPC institution prevents from defining module systems over arbitrary core languages. Finally, many other interesting theoretical papers can be found about modularization and separate type-checking [17,16,21,22,20,33]. However, this paper differs from them since it proposes a general framework bound to neither any particular language nor type system and able to embody some of the techniques proposed in them. For instance, the several subtyping relations on polymorphic constrained types defined in [33] in the context of constrained type inference, have also interesting applications to separate type-checking of modules, as recognized by the authors themselves.

14

Davide Ancona

Acknowledgments Special thanks to Elena Zucca for her suggestions and corrections to early drafts to this paper; many thanks also to Maura Cerioli, whose technical suggestions helped me in the development of some proofs. Finally, I am also in debt with Xavier Leroy and Didier R´emy, for their interesting discussions about preliminary versions of this paper.

References 1. R. Amadio and L. Cardelli. Subtyping recursive types. ACM Transactions on Programming Languages and Systems, 15(4):575–631, September 1993. Extended abstract in POPL 1991. 4 2. D. Ancona. Modular Formal Frameworks for Module Systems. PhD thesis, Dipartimento di Informatica, Universit` a di Pisa, March 1998. 2, 2, 9, 13, 13 3. D. Ancona and E. Zucca. An algebra of mixin modules. In F. Parisi-Presicce, editor, Proc. 12th International Workshop, WADT ’97, Tarquinia, Italy, June 1997. Selected Papers, volume 1376 of Lecture Notes in Computer Science, Berlin, 1998. Springer Verlag. To appear. 2 4. D. Ancona and E. Zucca. A theory of mixin modules: basic and derived operators. Mathematical Structures in Computer Science, 1998. To appear. 2, 2, 9, 13, 13 5. D. Aspinall. Type Systems for Modular Programs and Specifications. PhD thesis, Department of Computer Science, University of Edinburgh, August 1997. 13 6. G. Banavar and G. Lindstrom. An application framework for module composition tools. In Proc. of European Conference on Object-Oriented Programming, number 1098 in Lecture Notes in Computer Science, pages 91–113. Springer Verlag, July 1996. 1, 2 7. S. Bloom and E. Wagner. Many-sorted theories and their algebras, with examples from computer science. In US-French Joint Symp. on the Applications of Algebra to language definition and Compilation, Fontainebleau, 1982. 8 8. G. Bracha and G. Lindstrom. Modularity meets inheritance. In Proc. International Conference on Computer Languages, pages 282–290, San Francisco, April 1992. IEEE Computer Society. 2, 2 9. L. Cardelli. Program fragments, linking, and modularization. In Proc. 24th ACM Symp. on Principles of Programming Languages, pages 266–277. ACM Press, January 1997. 1, 2 10. J. Courant. An applicative module calculus. In M. Bidoit and M. Dauchet, editors, Proc. TAPSOFT ’97: Theory and Practice of Software Development, number 1217 in Lecture Notes in Computer Science, pages 622–636. Springer Verlag, April 1997. 1 11. J. Courant. MC: un calcul de modules pour les syst` emes de types purs. PhD thesis, ´ Ecole normale sup´erieure de Lyon, 1998. 2 12. D. Duggan and C. Sourelis. Mixin modules. In Intl. Conf. on Functional Programming, Philadelphia, May 1996. ACM Press. 1 13. H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 2. Module Specifications and and Constraints, volume 21 of EATCS Monograph in Computer Science. Springer Verlag, 1990. 2, 5, 5, 8, 13

An Algebraic Framework for Separate Type-Checking

15

14. J. Fiadeiro and A. Sernadas. Structuring theories on consequence. In Selected Papers from the 5th Workshop on Specification of Abstract Data Types, number 332 in Lecture Notes in Computer Science, pages 44–72. Springer Verlag, 1988. 6, 13 15. J. A. Goguen and R. Burstall. Institutions: abstract model theory for specification and programming. Journ. ACM, 39(1):95–146, 1992. 2 16. R. Harper and M. Lillibridge. A type theoretic approach to higher-order modules with sharing. In Proc. 21st ACM Symp. on Principles of Programming Languages, pages 127–137. ACM Press, 1994. 3, 13 17. R. Harper, M. Lillibridge, and E. Moggi. Higher-order modules and the phase distinction. In Proc. 17th ACM Symp. on Principles of Programming Languages, pages 341–354, S. Francisco, CA, January 1990. ACM Press. 13 18. R. Harper, D. Sannella, and A. Tarlecki. Structure theory presentations and logic representations. Annals of Pure and Applied Logic, 67:113–160, 1994. 6, 13 19. M. P. Jones. A system of constructor classes: Overloading and implicit higher-order polymorphism. Journal of Functional Programming, 5(1), January 1995. 1 20. M. P. Jones. Using parameterized signatures to express modular structure. In Proc. 23rd ACM Symp. on Principles of Programming Languages, pages 68–78, St. Petersburg Beach, Florida, Jan 1996. ACM Press. 1, 13 21. X. Leroy. Manifest types, modules and separate compilation. In Proc. 21st ACM Symp. on Principles of Programming Languages, pages 109–122. ACM Press, 1994. 1, 3, 13 22. X. Leroy. Applicative functors and fully transparent higher-order modules. In Proc. 22nd ACM Symp. on Principles of Programming Languages. ACM Press, 1995. 1, 13 23. X. Leroy. A modular module system. Technical Report 2866, INRIA, April 1996. 2, 2 24. M. Van Limberghen and T. Mens. Encapsulation and composition as orthogonal operators on mixins: a solution to multiple inheritance problems. Object Oriented Systems, 3:1–30, 1996. 1 25. J. Meseguer. General logic. In Logic Colloquium ’87, pages 275–329. North Holland, 1989. 6, 13 26. B. Meyer. Eiffel: The language. Prentice Hall, 1992. 4 27. R. Milner, M. Tofte, and R. Harper. The Definition of Standard ML. The MIT Press, Cambridge, Massachussetts, 1990. 2 28. M. Odersky and P. Wadler. Pizza into Java: Translating theory into practice. In Proc. 24th ACM Symposium on Principles of Programming Languages, January 1997. 4 29. D.L. Parnas. On the criteria to be used in decomposing systems into modules. Communications of the ACM, 5(12):1053–1058, December 1972. 1 30. D. Sannella, S. Sokolowoski, and A. Tarlecki. Toward formal development of programs from algebraic specifications: Parameterisation revisited. Acta Informatica, 29:689–736, 1992. 13 31. D. Sannella and A. Tarlecki. Specification in an arbitrary institution. Information and Computation, 76:165–210, 1988. 2 32. A. Tarlecki, R.M. Burstall, and J.A. Goguen. Some fundamental algebraic tools for the semantics of computation - Part III: Indexed categories. TCS, 91:239–264, 1991. 8, 8 33. V. Trifonov and S. Smith. Subtyping constrained types. In Proc. of the Third International Static Analysis Symposium, volume 1145 of Lecture Notes in Computer Science, pages 349–365. Springer Verlag, 1996. 13, 13

Moving Specification Structures Between Logical Systems ? Tomasz Borzyszkowski Institute of Mathematics, University of Gda´ nsk [email protected]

Abstract. The conditions under which a formal system for reasoning about structural specifications, built over one logical system could be reused for reasoning about structured specifications built over another logical system are formulated and studied. Following Goguen and Burstall, the notion of a logical system is formalized as an institution and extended to a D-institution. A new function between classes of specifications, inspired by a similar function from [HST 94], is defined as a natural extension of institution representations to structured specifications.

1

Introduction

In the process of software specification and development, we often have to use various logical systems to capture various aspects of software systems and various programming paradigms. The problem which arises during such processes (see also [Tar 95]) can be formulated as follows: Can we reuse various tools, libraries and proof strategies available for different logical systems in the context of other logical systems? Attempts to find a positive answer to this question could be found in various works on logical systems and specifications built over them (see e.g. [CM 97,HST 94,Mossa 96,Tar 95]). In this paper we extend institution representation to specification representation and formulate conditions under which a complete and sound proof system for reasoning about logical consequences (and also about refinement) of structured specifications can be reused for a sound, but not necessarily complete, proof system for reasoning about logical consequences (and also about refinement) of structured specifications. The conditions under which a proof system for structured specifications is sound and complete can be found in [Wir 91,Cen 94,Borz 97]. The main theorems of this paper were inspired by similar theorems presented in [HST 94] on the theory level and also in [Tar 95] for flat specifications and extend them to structured specifications. Relationships presented in section 5 were also studied in [AC 94]. ?

This research was partially supported by KBN grant 8 T11C 018 11 and ESPRIT CRIT2 program.

J.L. Fiadeiro (Ed.): WADT’98, LNCS 1589, pp. 16–30, 1999. c Springer-Verlag Berlin Heidelberg 1999

Moving Specification Structures Between Logical Systems

17

In last sections, we demonstrate “how and while” the results presented in this paper are stronger then those presented in [HST 94] and also compare them with similar results presented in other papers.

2

Institutions

While developing a specification system independently of the underlying logical system, it is necessary to formalize an abstract mathematical concept of what a logical system is. Our choice of an abstract formalization depends on what we mean by a logical system. Following [GB 92] in the model–theoretic tradition of logic: “One of the most essential elements of a logical system is its relationship of satisfaction between its syntax (i.e. its sentences) and its semantics (i.e. models)...” Based on this principle, the notion of a logical system is formalized as a mathematical object called institution in [GB 92]. An institution consists of a collection of signatures, together with a set of Σ-sentences and a collection of Σ-models for each signature Σ, and a satisfaction relation between Σ-models and Σ-sentences. The only requirement is that when we change signatures (by signature morphisms), the induced translations of sentences and models preserve the satisfaction relation. Definition 1 (Institution [GB 92]). An institution I consists of: – a category SignI of signatures; – a functor SenI : SignI → Set, giving a set SenI (Σ) of Σ-sentences for each signature Σ ∈ |SignI |; – a functor ModI : Signop I → Cat, giving a category ModI (Σ) of Σ-models for each signature Σ ∈ |SignI |; – for each Σ ∈ |SignI |, a satisfaction relation |=IΣ ⊆ |ModI (Σ)| × SenI (Σ) such that for any signature morphism σ : Σ → Σ 0 , Σ-sentence ϕ ∈ SenI (Σ) and Σ 0 -model M 0 ∈ |ModI (Σ 0 )|: M 0 |=IΣ 0 SenI (σ)(ϕ)

iff

ModI (σ)(M 0 ) |=IΣ ϕ (Satisfaction condition) 2

In the rest of the paper, the following abbreviations are used: – for every set of sentences Φ ⊆ SenI (Σ) and M ∈ ModI (Σ), we define M |=IΣ Φ as an abbreviation for for all ϕ ∈ Φ M |=IΣ ϕ and similarly for every class of models M ⊆ ModI (Σ) and sentence ϕ ∈ SenI (Σ) we define M |=IΣ ϕ as an abbreviation for for all M ∈ M M |=IΣ ϕ; – the following abbreviations will be used: σ ϕ for SenI (σ)(ϕ), M |σ for ModI (σ)(M ) and |= or |=Σ for |=IΣ when it is clear what they mean.

18

Tomasz Borzyszkowski

Examples of various logical systems viewed as institutions can be found in [GB 92]. In this paper we recall a few examples of institutions. The first two were presented also in [Tar 95]: Example 1. The institution EQ of equational logic: Signatures are the usual many-sorted algebraic signatures; sentences are (universally quantified) equations with translations along a signature morphism essentially by replacing the operation names as indicated by the signature morphism; models are manysorted algebras with reducts along a signature morphism defined in the usual way; and satisfaction relations are given as the usual satisfaction of an equation in an algebra. 2 Example 2. The institution FOEQ of first-order logic with equality: Signatures are first-order many-sorted signatures (with sort names, operation names and predicate names); sentences are the usual closed formulae of first-order logic built over atomic formulae given either as equalities or atomic predicate formulae; models are the usual first-order structures; satisfaction of a formula in a structure is defined in the standard way. 2 Example 3. The institution PEQ of partial equational logic: Signatures are (as in EQ) many-sorted algebraic signatures; sentences are (universally quantified) equations and definedness formulae with translations along a signature morphism defined similarly as in institution EQ; models are partial many-sorted algebras with reducts along a signature morphism defined in the usual way; and satisfaction relations are defined as the satisfaction of an equation1 and a definedness formula in a partial many-sorted algebra. 2 Definition 2 (D-institution). An institution I (as in Definition 1) with a fixed class of signature morphisms DI ⊆ SignI will be called D-institution. 2

3

Institution representations

The notion of an institution representation introduced below is a special case of a map of institutions (see [Mes 89]). A similarly motivated notion was introduced in [Tar 95]. Definition 3 (Institution representation). Let I = hSign, Sen, Mod, h|=Σ iΣ∈|Sign| i and I 0 = hSign0 , Sen0 , Mod0 , h|=0Σ iΣ∈|Sign0| i be arbitrary institutions. An institution representation ρ : I → I 0 consists of: 1

The satisfaction of an equation is strong, i.e. the equation t1 = t2 holds if t1 and t2 are either both undefined or both defined and equal.

Moving Specification Structures Between Logical Systems

19

– a functor ρSign : Sign → Sign0 ; and – a natural transformation: ρSen : Sen → ρSign; Sen0 , that is, a family of functions ρSen : Sen(Σ) → Sen0 (ρSign(Σ)), natural in Σ ∈ |Sign|: Σ ρSen Σ

Sen0 (ρSign(Σ2 ))

2

Sen(Σ2 )

Σ2

/

O

O O

σ

Sen0 (ρSign (σ))

Sen(σ) Sen(Σ1 )

ρSen Σ1

Σ1

/

Sen0 (ρSign(Σ1 ))

– a natural transformation ρMod : (ρSign )op ; Mod0 → Mod, that is, a family : Mod0 (ρSign (Σ)) → Mod(Σ), natural in Σ ∈ |Sign|: of functors ρMod Σ ρMod Σ2

Mod(Σ2 )

Σ2

o

Mod0 (ρSign (Σ2 ))

O

σ

Mod0 (ρSign (σ))

Mod(σ)  

Σ1

Mod(Σ1 ) o

ρMod Σ1

Mod0 (ρSign (Σ1 ))

such that for any signature Σ ∈ |Sign| the translations ρSen : Sen(Σ) → Σ 0 Sign : Mod (ρ (Σ)) → Mod(Σ) of modSen0 (ρSign (Σ)) of sentences and ρMod Σ els preserve the satisfaction relation, that is, for any ϕ ∈ Sen(Σ) and M 0 ∈ |Mod0 (ρSign (Σ))|: M 0 |=0ρSign (Σ) ρSen Σ (ϕ)

iff

ρMod (M 0 ) |=Σ ϕ Σ

(Representation condition) 2

An institution representation ρ : I → I 0 shows how the institution I is encoded in the institution I 0 . It means that all parts of I are represented, but only some parts of I 0 are used for representing various parts of I. The above definition can be easily extended to D-institutions. A D-institution representation ρ : I → I 0 is a usual institution representation ρ : I → I 0 which additionally satisfies: ρSign (DI ) ⊆ DI 0 . The following example was also presented in [Tar 95]: Example 4. The institution representation ρEQ→FOEQ : EQ → FOEQ is given by the embedding of the category of algebraic signatures into the category of first-order signatures which equips algebraic signatures with the empty set of predicate names. The translation of sentences is an inclusion of (universally quantified) equations as first-order logic sentences, and the translation of models is the identity. 2 It is also possible to represent a richer logic in a poorer one.

20

Tomasz Borzyszkowski

Example 5. The institution representation ρPEQ→EQ : PEQ → EQ is given by the identity on the category of algebraic signatures. Translation of an equality from PEQ is the corresponding equality in EQ. Translation of the definedness formulae D(t) is the equality t = t. Translation of models is the embedding of the category of total many-sorted algebras into the category of partial many-sorted algebras. 2 The institution representation presented in the above example does not fit to our expectations (see the explanations after Definition 3). To improve this situation we put some extra condition on the model part of institution representations. Definition 4 (ρ-expansion). An institution representation ρ : I → I 0 , has the ρ-expansion property, if for any signature Σ ∈ |Sign|, any Σ-model M has a ρ-expansion to a ρSign (Σ)-model, that is, there exists a ρSign(Σ)-model M 0 such (M 0 ) = M . 2 that ρMod Σ Example 6. The institution representation ρEQ→FOEQ : EQ → FOEQ has the ρ-expansion property, whereas the institution representation ρPEQ→EQ : PEQ → EQ does not. 2 Definition 5 (Weak-D-amalgamation). Let ρ : I → I 0 be an institution representation and D be a class of signature morphisms in I. We say that the institution representation ρ has the weak-D-amalgamation property iff for every signatures Σ1 , Σ2 ∈ |Sign|, (d : Σ2 → Σ1 ) ∈ D, M1 ∈ Mod(Σ1 ) and M2 ∈ 0 Sign (Σ1 )) Mod0 (ρSign (Σ2 )), if ρMod Σ2 (M2 ) = M1 |d there exists M ∈ Mod (ρ Mod 2 such that ρΣ1 (M ) = M1 and M |ρSign (d) = M2 . Example 7. The institution representation ρEQ→FOEQ : EQ → FOEQ presented in Example 4 has the weak-D-amalgamation property for the class D being the class of all inclusions in the category of algebraic signatures. 2 Example 8. The institution representation ρPEQ→EQ : PEQ → EQ defined in Example 5, for D being class of all inclusions in the category of algebraic signatures, does not have the weak-D-amalgamation property (see Appendix B for details). 2

4

Specifications

In the rest of the paper we will work with specifications similar to specifications defined in [ST 88]. As in [ST 88], we assume that software systems described by specifications are adequately represented by models of institutions. This means that a specification must describe a signature and a class of models over this signature. We call this class the class of models of the specification. For any specification SP, we denote its signature by Sig[SP] and the collection of its models by Mod[SP]. We also have Sig[SP] ∈ |SignI | and Mod[SP] ⊆ |Mod(Sig[SP])|. If Sig[SP] = Σ, we will call SP a Σ-specification.

Moving Specification Structures Between Logical Systems

21

Definition 6 (Specifications). Specifications over a D-institution I and their semantics are defined inductively as follows: 1. Any pair hΣ, Φi, where Σ ∈ |Sign| and Φ ⊆ Sen(Σ), is a specification, called also flat specification, with the following semantics: Sig[hΣ, Φi] = Σ; Mod[hΣ, Φi] = {M ∈ |Mod(Σ)| | M |=Σ Φ}. 2. For any signature Σ and Σ-specifications SP1 and SP2 , SP1 ∪ SP2 is a specification with the following semantics: Sig[SP1 ∪ SP2 ] = Σ; Mod[SP1 ∪ SP2 ] = Mod[SP1 ] ∩ Mod[SP2 ]. 3. For any morphism (σ : Σ → Σ 0 ) ∈ Sign and Σ-specification SP, translate SP by σ is a specification with the following semantics: Sig[translate SP by σ] = Σ 0 ; Mod[translate SP by σ] = {M 0 ∈ |ModI (Σ 0 )| | M 0 |σ ∈ Mod[SP]}. 4. For any morphism (d : Σ → Σ 0 ) ∈ DI and Σ 0 -specification SP0 , derive from SP0 by d is a specification with the following semantics: Sig[derive from SP0 by d] = Σ; Mod[derive from SP0 by d] = {M 0 |d | M 0 ∈ Mod[SP0 ]}. 2 A definition of structured specifications similar to that presented above can be found in [Borz 97]. Definition 7 (Semantic consequence). A Σ-sentence ϕ is a semantic con2 sequence of a Σ-specification SP (written SP |=Σ ϕ) if Mod[SP] |=IΣ ϕ. Definition 8 (Semantic refinement). A Σ-specification SP2 is a semantic refinement of a Σ-specification SP1 (written SP1 ;Σ SP2 ) if Mod[SP1 ] ⊇ Mod[SP2 ]. 2 Definition 9 (Specification representation). For any D-institution representation ρ : I → I 0 , the specification representation ρˆ is a family of functions {ρˆΣ }Σ∈|Sign| between classes of specifications defined as follows: 1. If SP is a Σ-specification of the form hΣ, Φi, then ρˆΣ (SP) = hρSign (Σ), ρSen Σ (Φ)i; 2. If SP is a Σ-specification of the form SP1 ∪ SP2 , then ρˆΣ (SP) = ρˆΣ (SP1 ) ∪ ρˆΣ (SP2 ); 3. If SP is a Σ-specification of the form translate SP1 by (σ : Σ1 → Σ), then ρˆΣ (SP) = translate ρˆΣ1 (SP1 ) by ρSign(σ : Σ1 → Σ); 4. If SP is a Σ-specification of the form derive from SP1 by (d : Σ → Σ1 ), then ρˆΣ (SP) = derive from ρˆΣ1 (SP1 ) by ρSign (d : Σ → Σ1 ). For a Σ-specification SP we will write ρˆ(SP) as an abbreviation for ρˆΣ (SP).

2

Remark 1. For any D-institution representation ρ : I → I 0 and Σ-specification SP over D-institution I, ρˆ(SP) is a ρSign (Σ)-specification over D-institution I 0 .

22

5

Tomasz Borzyszkowski

Mod[SP] vs. Mod[ρ(SP)] ˆ

In this section we study mutual relationships between models of a given specification SP and the specification ρ(SP). ˆ Lemma 1. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , signature Σ ∈ |Sign|, Σ-specification SP over the D-institution I and ρSign(Σ) model M 0 ∈ Mod[ρˆ(SP)], we have ρMod (M 0 ) ∈ Mod[SP]. Σ Proof. By induction on the structure of the specification SP. Let us assume that M 0 ∈ Mod[ρˆ(SP)]. 1. If SP = hΣ, Φi: By assumption and Definition 9 we have: M 0 ∈ Mod[hρSign(Σ), ρSen Σ (Φ)i]. (Φ) and by the representation conThis is equivalent to M 0 |=0ρSign (Σ) ρSen Σ Mod 0 Mod 0 dition to ρΣ (M ) |=Σ Φ. Finally, we obtain ρΣ (M ) ∈ Mod[hΣ, Φi]. 2. If SP = SP1 ∪ SP2 : By assumption: M 0 ∈ Mod[ρˆ(SP1 )] ∩ Mod[ρˆ(SP2 )]. Now, by the induction (M 0 ) ∈ Mod[SP1 ] ∩ Mod[SP2 ] = Mod[SP]. hypothesis, we obtain ρMod Σ 3. If SP = translate SP1 by (σ : Σ1 → Σ): By assumption: M 0 ∈ Mod[translate ρˆ(SP1 ) by ρSign(σ)]. By definition, M 0 |ρSign (σ) ∈ Mod[ρˆ(SP1 )]. Now, by the induction hypothesis 0 ρMod Σ1 (M |ρSign (σ) ) ∈ Mod[SP1 ]

and because the following diagram commutes ρMod Σ

Mod(Σ) o

Mod0 (ρSign (Σ))

(1)

|ρSign (σ)

|σ  

Mod(Σ1 ) o

ρMod Σ1

Mod0 (ρSign (Σ1 ))

0 Mod (M 0 ))|σ , hence ρMod (M 0 )|σ ∈ Mod[SP1 ] we have ρMod Σ1 (M |ρSign (σ) ) = (ρΣ Σ Mod 0 and finally ρΣ (M ) ∈ Mod[SP]. 4. If SP = derive from SP1 by d : Σ → Σ1 : By assumption: M 0 ∈ Mod[derive from ρˆ(SP1 ) by ρSign (d)]. Now, there exists M 00 ∈ Mod[ρˆ(SP1 )] such that M 00 |ρSign (d) = M 0 . By the induction 00 Mod 00 hypothesis, ρMod Σ1 (M ) ∈ Mod[SP1 ]. Then, since ρΣ1 (M )|d ∈ Mod[SP] and because the following diagram commutes: ρMod Σ 1

Mod(Σ1 ) o

Mod0 (ρSign (Σ1 )) |ρSign (d)

|d  

Mod(Σ) o

ρMod Σ

Mod0 (ρSign (Σ))

(2)

Moving Specification Structures Between Logical Systems 00 Mod we have ρMod (M 00 |ρSign (d) ) = ρMod (M 0 ) ∈ Mod[SP]. Σ1 (M )|d = ρΣ Σ

23

2

As a consequence we obtain: Corollary 1. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , signature Σ ∈ |Sign| and Σ-specification SP over D-institution I, we have: (Mod[ρˆ(SP)]) ⊆ Mod[SP]. ρMod Σ 2 Now, we present conditions ensuring the inclusion in the opposite direction. Let us first consider a more basic property: Lemma 2. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , if ρ satisfies the weak-DI -amalgamation then for every signature Σ ∈ |Sign|, Σ-specification SP over the D-institution I and ρSign (Σ)-model M 0 ρMod (M 0 ) ∈ Mod[SP] Σ

implies

M 0 ∈ Mod[ρˆ(SP)].

Proof. By induction on the structure of SP. 1. If SP = hΣ, Φi: (M 0 ) ∈ Mod[hΣ, Φi]. It is equivalent to By assumption: ρMod Σ Mod 0 ρΣ (M ) |=Σ Φ. By the representation condition, we obtain M 0 |=0ρSign (Σ) 0 ρSen ˆ(hΣ, Φi)]. Σ (Φ), which is equivalent to M ∈ Mod[ρ 2. If SP = SP1 ∪ SP2 : By assumption: ρMod (M 0 ) ∈ Mod[SP1 ]∩Mod[SP2 ]. Next, by the induction Σ hypothesis, we obtain M 0 ∈ Mod[ρˆ(SP1 )] ∩ Mod[ρˆ(SP2 )] = Mod[ρˆ(SP1 ∪ SP2 )]. 3. If SP = translate SP1 by (σ : Σ1 → Σ): By assumption: ρMod (M 0 ) ∈ Mod[translate SP1 by σ]. Next, by DefiniΣ (M 0 )|σ ∈ Mod[SP1 ], which by the commutativity of the diation 6, ρMod Σ 0 gram (1) (see the proof of Lemma 1) is equivalent to ρMod Σ1 (M |ρSign (σ) ) ∈ Mod[SP1 ]. Now, by the induction hypothesis we obtain: M 0 ∈ Mod[translate ρˆ(SP1 ) by ρSign (σ)] = Mod[ρˆ(translate SP1 by σ)]. 4. If SP = derive from SP1 by (d : Σ → Σ1 ): (M 0 ) ∈ Mod[derive from SP1 by d]. There exists By assumption: ρMod Σ (M 0 ). Now, because ρ has the M1 ∈ Mod[SP1 ] such that M1 |d = ρMod Σ weak-DI -amalgamation property, there exists M10 ∈ |Mod(ρSign (Σ1 ))| such 0 0 0 that ρMod Σ1 (M1 ) = M1 and M1 |ρSign (d) = M (see diagram (2) from the proof of Lemma 1). By the induction hypothesis, we obtain M10 ∈ Mod[ρˆ(SP1 )], and finally M10 |ρSign (d) ∈ Mod[ρˆ(SP)]. 2 Now, we are ready to prove the expected inclusion.

24

Tomasz Borzyszkowski

Lemma 3. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , if ρ has the weak-DI -amalgamation property, then for every signature Σ ∈ |Sign|, Σ-specification SP over the D-institution I, if each model M ∈ Mod[SP] has a ρ-expansion to a ρSign(Σ)-model, then Mod[SP] ⊆ ρMod (Mod[ρˆ(SP)]). Σ Proof. Let M ∈ Mod[SP]. By the ρ-expansion, there exists a ρSign (Σ)-model M 0 such that ρMod (M 0 ) = M . By Lemma 2, we have M 0 ∈ Mod[ρˆ(SP)]. Finally, Σ Mod 0 (Mod[ρˆ(SP)]). 2 since ρΣ (M ) = M , we have M ∈ ρMod Σ The following example shows that the ρ-expansion property is needed as an assumption in Lemma 3. Example 9. In this example we will write ρ for the institution representation ρPEQ→EQ defined in Example 5. Let SP = hΣ, truei be a Σ-specification over the D-institution PEQ, where Σ ∈ |SignPEQ| and true is sentence satisfied by each Σ-model M ∈ ModPEQ(Σ). It means that Mod[SP] = ModPEQ(Σ). Sign Similarly, the sentence ρSen (Σ)-model M 0 ∈ Σ (true) is satisfied by each ρ ModEQ(ρSign (Σ)) and so Mod[ρˆ(SP)] = ModEQ (ρSign(Σ)). Now, by defini(Mod[ρˆ(SP)]). 2 tion of ρ, we have that Mod[SP] is not included in ρMod Σ Corollary 2. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , if ρ has the weak-DI -amalgamation property, then for every signature Σ ∈ |Sign|, Σ-specification SP over the D-institution I, if each model M ∈ Mod[SP] has a ρ-expansion to a ρSign(Σ)-model, then Mod[SP] = ρMod (Mod[ρˆ(SP)]). Σ 2

6

Reusing proof systems

The following result was presented in [Tar 95] for the case of flat specifications (cf. Definition 6). Theorem 1. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , if ρ has the weak-DI -amalgamation property, then for every signature Σ ∈ |Sign|, Σ-specification SP over D-institution I and Σ-sentence ϕ, if each Σ-model M has ρ-expansion to a ρSign (Σ)-model, then: SP |=Σ ϕ

iff

ρˆ(SP) |=0ρSign (Σ) ρSen Σ (ϕ).

Proof. ⇒: Let M 0 ∈ Mod[ρˆ(SP)]. Then ρMod (M 0 ) ∈ ρMod (Mod[ρˆ(SP)]). By Σ Σ Mod 0 (M 0 ) |=Σ ϕ. Lemma 1, we obtain ρΣ (M ) ∈ Mod[SP], which implies ρMod Σ 0 0 By the representation condition, this is equivalent to M |=ρSign (Σ) ρSen Σ (ϕ).

Moving Specification Structures Between Logical Systems

25

⇐: Let M ∈ Mod[SP]. Then by Lemma 3 M ∈ ρMod (Mod[ρˆ(SP)]). This Σ (M 0 ) = M and means that there exists M 0 ∈ Mod[ρˆ(SP)] such that ρMod Σ M 0 |=0ρSign (Σ) ρSen Σ (ϕ). By the representation condition, we obtain 0 ρMod (M ) |= ϕ, that is M |=Σ ϕ. 2 Σ Σ Let us see what the advantages of Theorem 1 are. First of all it ensures soundness of the following scheme of rules2 : (ρ-join)

ρˆ(SP) `0ρSign (Σ) ρSen Σ (ϕ) SP `Σ ϕ

where ρ and SP satisfy the assumptions of Theorem 1. Now, let us assume that we have: 1. A sound and complete set of rules for proving logical consequences of specifications over D-institution I 0 ; 2. A D-institution representation: ρ : I → I 0 satisfying assumptions of Theorem 1. We can construct a sound and complete set of rules for the logical system for reasoning about specifications over D-institution I from rules from point 1 and the (ρ-join) rule schema for ρ from point 2 (see Example 10 below for usage in a particular case). The next theorem allows us to repeat the above argumentation also for the refinement relation (see [Cen 94] for the completeness result for the refinement relation in the context of FOEQ). Theorem 2. For any D-institutions I and I 0 , D-institution representation ρ : I → I 0 , if ρ has the weak-DI -amalgamation property, then for every signature Σ ∈ |Sign| and Σ-specifications SP1 and SP2 over D-institution I, if any Σmodel has ρ-expansion to a ρSign (Σ)-model, then: SP1 ;Σ SP2

iff

ρˆ(SP1 ) ;ρSign (Σ) ρˆ(SP2 ).

Proof. ⇒: Assumption: Mod[SP2 ] ⊆ Mod[SP1 ]. (M ) ∈ Mod[SP2 ] and Let M ∈ Mod[ρˆ(SP2 )]. Then by Lemma 1, we have ρMod Σ (M ) ∈ Mod[SP ]. Now, by Lemma 2, we obtain next, by the assumption ρMod 1 Σ M ∈ Mod[ρˆ(SP1 )]. ⇐: Assumption: Mod[ρˆ(SP2 )] ⊆ Mod[ρˆ(SP1 )]. Let M ∈ Mod[SP2 ]. Then by Lemma 3, we have M ∈ ρMod (Mod[ρˆ(SP2 )]). Σ 0 (M ) = M and by the assumpThere exists M 0 ∈ Mod[ρˆ(SP2 )] such that ρMod Σ tion M 0 ∈ Mod[ρˆ(SP1 )]. Now, by Corollary 1: (M 0 ) ∈ ρMod (Mod[ρˆ(SP1 )]) ⊆ Mod[SP1 ]. M = ρMod Σ Σ 2 2

The entailment relations ` and `0 are defined in Appendix A.

26

7

Tomasz Borzyszkowski

Examples

Example 10. This (positive) example is inspired by a (negative) example for logic representations presented in [HST 94] and also mentioned in [ST 97]. Let us consider a specification SP over D-institution EQ, where DEQ is the class of signature inclusions, and also: SP0 = hΣ0 , ∅i, SP1 = derive from SP0 by ı, SP2 = hΣ1 , ∀x:s .b = ci, SP = SP1 ∪ SP2 , where: – Σ0 = sig sorts s, s0 opns a : s; b, c : s0 end; – Σ1 = sig sorts s, s0 opns b, c : s0 end; – ı : Σ1 ,→ Σ0 . As shown in [ST 97]: SP |=Σ1 b = c,

(3)

SP `Σ1 b = c

(4)

whereas the judgment: cannot be proved in EQ logic by using rules similar to presented in Appendix A, because the sentence b = c cannot be derived from the sentence ∀x:s .b = c (the nonemptiness of the carrier of sort s, ensured by the hidden constant a, cannot be expressed using equations, cf. [GM 85]). Let us try to prove judgment (4) by using rules from Appendix A and the (ρEQ→FOEQ-join) rule schema, where ρEQ→FOEQ is the institution representation defined in Example 4. Let us notice, that the institution representation ρEQ→FOEQ and the specification SP satisfy assumptions of Theorem 1. Therefore we can prove (4) (details in Appendix C). 2 Example 11. Let ρEQ→FOEQ be the institution representation defined in Example 4, Σ ∈ |SignEQ|, SP be any Σ-specification over the D-institution EQ and ϕ be a Σ-sentence, then by Theorem 1 and completeness of the logical system for structured specifications over the D-institution FOEQ (see [Cen 94]) we have: SP |=Σ ϕ implies SP `Σ ϕ. 2

8

Conclusions

Results similar to Theorems 1 and 2 for the case of flat specifications are presented in [CM 97,Tar 95]. As presented there, the ρ-expansion property is a sufficient condition for Theorems 1 and 2 to hold for flat specifications. In this paper, we present that in order to extend these results to structural specifications, we need an additional condition: weak-D-amalgamation. This gives a solution for some of the problems presented in [AC 94].

Moving Specification Structures Between Logical Systems

27

Similar results to these presented in our paper, but on the theory level, can also be found in [HST 94]. The main difference between our paper and [HST 94] is the way of lifting the logic representation to the level of structured theory presentations, in the case of [HST 94], and to the level of structured specifications, in our case. The natural lifting similar to that presented in Definition 9 fails in [HST 94], as demonstrated there by a counterexample similar to Example 10. Another difference is in the “proof power”. The proof rules given in [HST 94] are more restricted then our proof strategy presented in Section 6. For instance Example 10 is example of a successful use of our strategy, whereas when using the strategy proposed in [HST 94], we are not able to complete the proof of a judgment similar to presented in Example 10 (in fact, this is necessary, since this judgment is not sound under the theory level semantics considered there). An interesting task could be to work out examples of universal logics (cf. [Tar 95]), in which we will represent simpler logics in order to reuse for them strategies known/worked out for stronger universal logics. Theorem 1 together with results of [Borz 97] gives us the interpolation property as the required property of a reasonable universal logic. It will be also fine if some of known logical frameworks turn out to satisfy this property. Proper candidates seem to be for instance LF and HOL.

Acknowledgments I would like to thank Andrzej Tarlecki for encouragement, support and helpful comments, Till Mossakowski and Grigore Rosu for pointing me at interesting examples, Wieslaw Pawlowski for useful discussions, and also people from the Institute of Computer Science of the Polish Academy of Sciences for stimulating atmosphere.

References AC 94.

E. Astesiano, M. Cerioli. Multiparadigm Specification Languages: a First Attempt at Foundations. In C.A. Middelburg D.J. Andrews, J.F. Groote, editor, Semantics of Specification Languages (SoSL’93), Workshops in Computing, pages 168–185. Springer Verlag, 1994. 16, 26 BHK 90. J. A. Bergstra, J. Heering, P. Klint. Module algebra. Journal of the ACM, 37(2):335-372, April 1990. Borz 97. T. Borzyszkowski. Completeness of the logical system for structured specifications. Recent Trends in Algebraic Development Techniques, Selected Papers, 12th International Workshop WADT’97, Tarquinia, Italy, June 1997, ed. Francesco Parisi-Presicce, Springer LNCS 1376, pages 107-121, 1997. 16, 21, 27, 29 Bur 82. P. Burmeister. Partial algebras — survey of a unifying approach towards a two-valued model theory for partial algebras. Algebra Universalis, 15:306358, 1982. Bur 86. P. Burmeister. A model theoretic approach to partial algebras. Akademie Verlag, Berlin, 1986.

28 Cen 94.

Tomasz Borzyszkowski

M. V. Cengarle. Formal Specifications with High-Order Parameterization. Ph.D. thesis, Institut f¨ ur Informatik, Ludwig-Maximilians-Universit¨ at M¨ uenchen, 1994. 16, 25, 26 CM 97. M. Cerioli, J. Meseguer. May I Borrow Your Logic? (Transporting Logical Structures along Maps) Theoretical Computer Science, 173(2):311–347, 1997. 16, 26 DGS 93. R. Diaconescu, J. Goguen, P. Stefaneas. Logical Support for Modularization. In: G. Huet, G. Plotkin, editors Logical Environments, Proceedings of a Workshop held in Edinburgh, Scotland, May 1991, Cambridge University Press, pp. 83–130, 1993. GB 92. J. A. Goguen, R. M. Burstall. Institutions: abstract model theory for specifications and programming. Journal of the Assoc. for Computing Machinery, 39:95-146, 1992. 17, 17, 17, 18 GM 85. J. A. Goguen, J.Meseguer. Completeness of many–sorted equational logic. Houston Journal of Mathematics, volume 11(3), pages 307–334, 1985. 26 HST 94. R. Harper, D. Sannella, A. Tarlecki. Structured theory presentations and logic representations. Annals of Pure and Applied Logic, volume 67, pages 113–160, North-Holland 1994. 16, 16, 16, 17, 26, 27, 27, 27, 27, 27, 27 Mes 89. J. Meseguer, General logic. Logic Colloquium’87, eds. H. D. Ebbinghaus et al., pages 279–329, North-Holland 1989. 18 Mossa 96. T. Mossakowski. Representations, Hierarchies, and Graphs of Institutions. Ph.D. thesis, Fachbereich Mathemetik und Informatik der Universit¨ at Bremen, 1996. 16 Mosse 97. P. D. Mosses. CoFI: The Common Framework Initiative for Algebraic Specification and Development. Theory and Practice of Software Development, volume 1214 of LNCS, pages 115–137, Springer-Verlag, 1997. SST 92. D. Sannella, S. Sokolowski, A. Tarlecki. Towards formal development of programs from algebraic specification: parameterization revised. Acta Informatica, volume 29, pages 689–736, 1992. ST 88. D. Sannella, A. Tarlecki. Specifications in an Arbitrary Institution. Information and Computation, volume 76, pages 165–210, 1988. 20, 20, 29 ST 97. D. Sannella, A. Tarlecki. Essential concepts of algebraic specification and program development. Formal Aspects of Computing, vol. 9, pages 229–269, 1997. 26, 26 Tar 86. A. Tarlecki. Bits and pieces of the theory of institutions. Proc. Workshop on Category Theory and Computer Programming, Guildford. Springer LNCS 240, pages 334–363, 1986. Tar 95. A. Tarlecki. Moving between logical systems. Recent Trends in Data Type Specifications. Selected Papers. 11th Workshop on Specification of Abstract Data Types ADT’95, Olso, September 1995, eds. M. Haveraaen, O. J. Dahl, O. Owe, Springer LNCS 1130, pages 478–502, 1996. 16, 16, 16, 18, 18, 19, 24, 26, 27 Wir 91. M. Wirsing. Structured Specifications: Syntax, Semantics and Proof Calculus. In F. L. Bauer, W. Brauer, and H. Schwichtenberg, editors, Logic and Algebra of Specification, volume 94 of NATO ASI Series F: Computer and Systems Sciences, pages 411–442. Springer Verlag, 1991. 16

Moving Specification Structures Between Logical Systems

A

29

Inference rules for structured specifications

The entailment relation `Σ ⊆ SpecΣ × Sen(Σ) between specification over Dinstitution I, where DI ⊂ Sign and Σ-sentence ϕ is defined by the following set of rules: (CR)

{SP `Σ ϕj }j∈J {ϕj }j∈J `IΣ ϕ SP `Σ ϕ

(basic)

ϕ∈Φ hΣ, Φi `Σ ϕ SP2 `Σ ϕ SP1 ∪ SP2 `Σ ϕ

(sum1)

SP1 `Σ ϕ SP1 ∪ SP2 `Σ ϕ

(sum2)

(trans)

SP `Σ ϕ translate SP by σ `Σ 0 σϕ

(derive)

SP0 `Σ 0 dϕ derive from SP0 by d `Σ ϕ

where d ∈ DI . A similar set of rules was presented in [ST 88] and also in [Borz 97].

B

Example 8: continued

In this appendix, we will write ρ as an abbreviation for the institution representation ρPEQ→EQ defined in Example 5. Let: – Σ = sig sorts s opns op : s → s end and – Σ 0 = sig sorts s opns op : s → s; pop : s → s end be signatures in PEQ and ı : Σ ,→ Σ 0 an inclusion, then in the model part of representation ρ, we have the following diagram: ρMod Σ0

Mod PEQ(Σ 0 ) o

ModEQ (ρSign (Σ 0 )) ModEQ (ρSign (ı))

ModPEQ (ı)  

ModPEQ (Σ) o

ρMod Σ

ModEQ (ρSign(Σ))

Let us take M ∈ ModPEQ (Σ) such that it interpretes operation op : s → s as a total operation, and M 0 ∈ ModPEQ(Σ 0 ) interpreting operation op : s → s in the same way as M and operation pop : s → s as a partial operation. The forgetful functor ModPEQ(ı) just forgets interpretation of pop : s → s. From the definition of ρ (cf. Example 5), we know that ρSign (Σ) and ρSign(Σ 0 ) are just ¯ ∈ ModEQ(ρSign (Σ)) Σ and Σ 0 , but considered as signatures in EQ. Now, if M interpretes op : s → s in the same way as M , then ¯ ) = M = ModPEQ (ı)(M 0 ). (M ρMod Σ

30

Tomasz Borzyszkowski

On the other hand, from the definition of ρ we know that for any

¯ 0 ∈ ModEQ (ρSign(Σ 0 )) M

¯0 ρMod Σ 0 (M )

is total

0 ¯0 ¯ 0 ∈ ModEQ (ρSign (Σ 0 )) such that ρSign hence there is no M Σ 0 (M ) = M . It means that ρ does not have the weak-DPEQ-amalgamation property for DPEQ being the class of all inclusions in the category of algebraic signatures.

C

Example 10: a direct proof

In this appendix we present the direct proof of the following judgment: SP `Σ1 b = c from Example 10. Proof. In the following proof, we will use the inference rules from Appendix A and the (ρ-join) rule schema. We will also write ρ as an abbreviation for ρEQ→FOEQ. The following tree makes the proof:

(CR)

ρˆ(SP)

(1) ∀x:s .ρSen Σ1 (b = c)

`0ρSign (Σ1 )

(ρ-join)

ρˆ(SP)

(2)

ρˆ(SP) `0ρSign (Σ1 ) ∃x:s .true `0ρSign (Σ1) ρSen Σ1 (b = c)

(3)

SP `Σ1 b = c

where (1) is: (basic) (sum2)

Sen ∀x:s .ρSen Σ1 (b = c) ∈ {ρΣ1 (∀x:s .b = c)} ρˆ(hΣ1 , ∀x:s .b = ci) `0ρSign (Σ1 ) ∀x:s .ρSen Σ1 (b = c)

ρˆ(SP1 ) ∪ ρˆ(SP2 ) `0ρSign (Σ1 ) ∀x:s .ρSen Σ1 (b = c)

(2) is: .. . (CR) (derive) (sum1)

∅ `FOEQ ∃ .true ρSign (Σ0 ) x:s

ρˆ(h{{s, s0 }, {a : s, b, c : s0 }}, ∅i) `0ρSign (Σ0 ) ∃x:s .true

derive from ρˆ(SP0 ) by ρSign(ı) `0ρSign (Σ1 ) ∃x:s .true ρˆ(SP1 ) ∪ ρˆ(SP2 ) `0ρSign (Σ1 ) ∃x:s .true

and finally, (3) is: FOEQ Sen {∀x:s .ρSen Σ1 (b = c), ∃x:s .true} `ρSign (Σ1 ) ρΣ1 (b = c)

2

Normal Forms for Partitions and Relations? Roberto Bruni1 , Fabio Gadducci2 , and Ugo Montanari1 1

Univ. of Pisa, Dipartimento di Informatica, Corso Italia 40, I-56125 Pisa, Italia. {bruni,ugo}@di.unipi.it 2 TU Berlin, Fach. 13 Informatik, Franklinstr. 28/29, D-10587 Berlin, Germany. [email protected]

Abstract. Recently there has been a growing interest towards algebraic structures that are able to express formalisms different from the standard, tree-like presentation of terms. Many of these approaches reveal a specific interest towards their application in the “distributed and concurrent systems” field, but an exhaustive comparison between them is difficult because their presentations can be quite dissimilar. This work is a first step towards a unified view, which is able to recast all those formalisms into a more general one, where they can be easily compared. We introduce a general schema for describing a characteristic normal form for many algebraic formalisms, and show that those normal forms can be thought of as arrows of suitable concrete monoidal categories.

1

Introduction

Since models of computation based on the notion of free and bound names are widespread, the notion of name sharing is essential for several applications ranging from logic programming, λ-calculus, functional programming and process algebra with restriction (or name hiding mechanisms) to mobile processes (where local names may be communicated to the external world, thus becoming global names). We can think of names as links to communication channels, or to objects, or to locations, or to remote shared resources, or also to some cause in the event history of the system. In general, names can be freely α-converted, because the only important information they offer is sharing. An informal “wire and box notation” gives an intuitive understanding of the name sharing mechanism, and of the role played by auxiliary term-structure: Wires represents variables and the operators of the signature are denoted by boxes labeled with the corresponding operation symbols. For instance, the term f(x1 , g(x2 ), h(x1 , a)) over the signature Σ = {a : 0 −→ 1, g : 1 −→ 1, h : 2 −→ 1, f : 3 −→ 1} and variables x1 , x2 admits the graphical representation ?

Research partly supported by the EC TMR Network GETGRATS through the Technical University of Berlin and the University of Pisa; and by Esprit Working Groups CONFER2 and COORDINA, through the University of Pisa.

J.L. Fiadeiro (Ed.): WADT’98, LNCS 1589, pp. 31–48, 1999. c Springer-Verlag Berlin Heidelberg 1999

32

Roberto Bruni et al.

x1

@@ @@ @@ g x2 f @@ ooo o @ o oo !

/

/

/

7

a

/

•

h

Notice that wire duplications (e.g., of x1 ) and wires swapping (e.g., of x2 and a copy of x1 ) are auxiliary, in the sense that they belong to any wire and box model, independently from the underlying signature. The properties of the auxiliary structure are far from trivial and could lead to somehow misleading system representations, when their interpretation is not well formalized. For example, let us consider the wire and box diagrams c1 and c2 in the picture below: a

• /

c1 ≡

GG GG #

ww ww ;

a /

•

ww ww • G GG G ;

h /

•

c2 ≡

a /

#

•

GG GG #

ww ww ;

•

h /

•

In a value-oriented interpretation, both c1 and c2 yield the same term h(a, a). Instead, in a reference-oriented interpretation, c1 and c2 define different situations: in the former the two arguments of the h operator are uncorrelated, while in the latter they point to the same shared location. Term graphs [32] are a reference-oriented generalization of the ordinary (value-oriented) notion of term, where the sharing of sub-terms can be specified also for closed (i.e., without variables) terms.1 The distinction is made precise by the axiomatization of algebraic theories: Terms and term graphs differ for two axioms, representing, in a categorical setting, the naturality of transformations for copying and discharging arguments [8]. Many other mathematical structures have been proposed, for expressing formalisms different from the ordinary tree-like presentation of terms. They range from the flownomial calculus of Stefanescu [6,34], to the bicategories of processes of Walters [18,19], to the pre-monoidal categories of Power and Robinson [28], to the action structures of Milner [24], to the interaction categories of Abramsky [1], to the sharing graphs of Hasegawa [16] and to the gs-monoidal categories of Corradini and Gadducci [7,8], just to mention a few (see also [9,11,15,29]). All these structures can be seen as enrichments of symmetric monoidal categories, which give the basis for the description of a distributed environment in terms of a wire and box diagram. We propose a schema for describing normal forms for this kind of structures, generalizing the one in [12] (and that bears some similarity to the equational term graph of [2]), thus obtaining a universal framework where each structure finds its unique standard representation. We describe distributed spaces as sets of assignments over sets of variables, distinguishing between four different kinds 1

Terms may share variables, but shared sub-terms of a closed term can be freely copied, always yielding an equivalent term.

Normal Forms for Partitions and Relations

33

of assignment, each representing a basic functionality of the space, namely input and output interfaces, basic modules, and connections. Changing the constraints on the admissible connections is the key to move between formalisms. We call Σ-spaces the distributed spaces over a signature Σ, and show that the classes of Σ-spaces we are interested in always form a symmetric monoidal category. We then establish a sort of triangular correspondence between various formalisms proposed in the literature (usually in a set-theoretical way), different classes of Σ-spaces and suitable enriched symmetric monoidal categories. The structure of the paper is as follows: In Section 2 we give a categorical account of the various formalisms presented in the literature that we want to embed in our concrete normal-form representation. All of them are suitably enriched symmetric monoidal categories. In section 3 we formally define Σ-spaces, and equip them with two operations of parallel and sequential composition, yielding a monoidal category structure. In Section 4 we show how it is possible to have a normal form representation for net processes, relations, labeled partial orders, partitions, and contextual nets using suitable classes of Σ-spaces. We want to remark that all the classes under consideration are characterized by simple restrictions on the admissible links of Σ-spaces. In Section 5 we draw some conclusion and sketch a promising future research aimed at the integration of the mathematical structures considered in this paper via an implementation of their uniform normal form representations offered by Σ-spaces.

2

A Categorical View for Different Formalisms

We recall here a few categorical definitions, which allow to recast the usual notion of term over a signature in a more general setting. Moreover, the progressive enrichment of a basic theory with different auxiliary mathematical constructors generates a great variety of different model classes, where the usual notions of relation, partial order, partition, and many other can be represented. Definition 1 (Signatures). A many-sorted hyper-signature Σ over a set SΣ of sorts is a family {Σω,ω0 }ω,ω0 ∈SΣ∗ of sets of operators. If SΣ is a singleton, we denote the hyper-signature Σ by the family {Σn,m }n,m∈lIN . We usually omit the prefix “hyper”. When it is clear from the context that a set S is the underlying set of sorts of a signature Σ, we drop the subscript Σ . Definition 2 (Graphs). A graph G is a 4-tuple (OG , AG , ∂0 , ∂1 ), where OG is the set of objects, AG is the set of arrows, and ∂0 , ∂1 : AG −→ OG are functions, called respectively source and target. We use the standard notation f : a −→ b to denote an arrow f with source a and target b. A graph G is with pairing if OG is a monoid. A many-sorted signature Σ over S is a graph with pairing GΣ , where its objects are strings on S (OGΣ = S ∗ , string concatenation · yields the monoidal operator, and the empty string  is the neutral element), and its edges are the operators of the signature (i.e., f : ω −→ ω0 ∈ AGΣ iff f ∈ Σω,ω0 ).

34

Roberto Bruni et al.

A chain of structural enrichments enhances the expressiveness of different classes of models, e.g., the usual algebraic notion of terms over a signature. However, we are interested in weaker theories, where name sharing finds a natural embedding. The first enrichment is common to all the formalisms we will consider, and introduces the sequential and parallel compositions between arrows together with all the arrows necessary for arbitrary permutations of objects (corresponding to the swappings of wires in the wire and box presentation). Then, the models of the resulting symmetric theory of Σ are just suitable symmetric monoidal categories [21] (i.e., also equipped with the Σ-structure). Definition 3 (Symmetric Monoidal Categories). A monoidal category is a triple hC, ⊗ , ei, where C is the underlying category, ⊗ : C × C −→ C is a functor satisfying the associative law (t1 ⊗ t2 ) ⊗ t3 = t1 ⊗ (t2 ⊗ t3 ), and e is an object of C satisfying the identity law t ⊗ e = t = e ⊗ t, for all arrows t, t1 , t2 , t3 ∈ C. A symmetric monoidal category is a 4-tuple hC, ⊗ , e, γi, where hC, ⊗ , ei is a monoidal category, and γ : 1 ⊗ 2 ⇒ 2 ⊗ 1 : C × C −→ C is a natural transformation satisfying the coherence axioms a⊗γb,c a⊗b⊗c a⊗c⊗b

LL LL L γa⊗b,c L /

&

γa,c ⊗b

a⊗b

γa,b

GG b⊗a GG G γb,a a⊗b /

#



c⊗a⊗b



a⊗b

A functor F : C −→ C 0 between two (symmetric) monoidal categories is called monoidal if F (t1 ⊗ t2 ) = F (t1 ) ⊗0 F (t2 ), and F (e) = e0 ; it is symmetric if F (γa,b ) = γF0 (a),F (b) . We denote by SMCat the category of symmetric functors. Among the uses of symmetric monoidal categories as a semantics framework, we recall the characterization of concatenable processes for Petri nets in [10], and the description of a basic network algebra for data-flows in [3,34]. 2.1

Enriching the Monoidal Structure

The constructive definition of algebraic theories [20] as enriched monoidal categories dates back to the mid-Seventies [17,27], even if it has received a new stream of attention in these days. In our opinion, it separates very nicely the auxiliary structure from the Σ-structure (better than the ordinary description involving the meta-operation of substitution). Moreover, the naturality axioms for duplicator and discharger express a controlled form of data-sharing and data-garbaging. If these axioms are missing, then the corresponding theory, called gs-monoidal , is the natural framework for the representation of term-graphs rather than terms, as shown in [8]. Definition 4 (Share and GS-Monoidal Categories). A share category is a 5-tuple hC, ⊗ , e, γ, ∇i, where hC, ⊗ , e, γi is a symmetric monoidal category and ∇ : 1 ⇒ 1 ⊗ 1 : C −→ C is a transformation such that ∇e = e, and satisfying the coherence axioms (the first two diagrams express a sort of “output”

Normal Forms for Partitions and Relations

35

associativity and commutativity for the duplicator, and the third diagram tells how the duplicator of a composed object a ⊗ b can be obtained by composing the duplicators of the subcomponents) a

∇a

a⊗a /



a⊗a



/

∇a ⊗a

a⊗b

DD a⊗a DD γa,a D ∇

a⊗∇a

∇a

∇a

a

/

a

a⊗a⊗a

!

∇a ⊗∇b

a⊗a⊗b⊗b QQQ QQQ a⊗γa,b ⊗b QQ /

∇a⊗b



a⊗a

(



a⊗b⊗a⊗b

A share functor F : C −→ C 0 between two share categories is a symmetric functor such that F (∇a) = ∇0F (a) . We denote by ShCat the category of share functors. A gs-monoidal category is a 6-tuple hC, ⊗ , e, γ, ∇, !i, where hC, ⊗ , e, γ, ∇i is a share category, and ! : 1 ⇒ e : C −→ C is a natural transformation such that !e = e and satisfying the coherence axioms (the first diagram says that creating two links to a and then discharging one of them just yields the identity on a, the second diagram expresses the monoidality of the discharger) a

∇a

a⊗a HH HH HH a⊗!a a

#

!a ⊗!b

e⊗e JJ JJ JJ e !

a⊗b

/

/

a⊗b



a=a⊗e

%



e⊗e=e

A gs-monoidal functor F : C −→ C 0 is a share functor such that F (!a) =!0F (a) . We denote by GSCat the category of gs-monoidal functors. Interesting applications often require the presence of the categorical opposite of duplicators, which may be used to express a sort of data-matching. Analogously, co-dischargers are introduced to represent the explicit creation of data. Several combinations are then possible, where only some of the operators are considered, and their mixed compositions are differently axiomatized, ranging from the match-share categories of [14] to the dgs-monoidal categories of [13,18]. Here we just sketch a survey of the categorical framework, and briefly comment their role in the literature and the main differences between similar models. We start with what we call a r-monoidal category: One of the various extensions, albeit with a different name, proposed in [5,33,34]. Definition 5 (R-Monoidal Categories). A r-monoidal category is an 8-tuple hC, ⊗ , e, γ, ∇, !, ∆, †i such that hC, ⊗ , e, γ, ∇, !i and hC op , ⊗op, e, γ op , ∆op , †op i are both gs-monoidal categories, and satisfying the additional coherence axioms (expressing the interplay between the gs and co-gs structures) a⊗a

∆a /

a

∇a /

a⊗a O

a

∆a ⊗∆a

∇a ⊗∇a 

a⊗a⊗a⊗a

e

†a

@@ a @@ ! e @ a /

e 

/

a⊗γa,a ⊗a e

a⊗a⊗a⊗a

†a

a EE EE E ∇a

†a ⊗†a

/

"



a⊗a

∇a

EE a⊗a EE E ∆a a E /

"

∆a

a 

EE a EE !a !a ⊗!a E

a⊗a

/

e 

"

36

Roberto Bruni et al.

A r-monoidal functor F : C −→ C 0 is a gs-monoidal functor such that also F op is so. We denote by RMCat the category of r-monoidal functors. The axioms we considered naturally embed the properties of relations, and the (partial) algebraic structure of r-monoidal categories yields a useful mathematical tool for their representation [5]. A stronger version of the axiom involving the composite ∆; ∇ is the basis for a different family of structures. In a certain sense, the stronger axiom establishes that duplicators and co-duplicators embed a sort of transitive and symmetric closure of the relation, i.e., it does not matter how two objects are connected, but just the fact that they are connected. Definition 6 (Match-Share Categories). A match-share category is a 6tuple hC, ⊗ , e, γ, ∇, ∆i such that hC, ⊗ , e, γ, ∇i and hC op , ⊗op, e, γ op , ∆opi are both share categories, and satisfying the additional coherence axioms a⊗a

∆a /

a

∇a ⊗a

a ∇a



a⊗a⊗a



/

a⊗∆a

a⊗a

∇a

EE a⊗a EE E ∆a a E /

"

a 

A match-share functor F : C −→ C 0 is a share functor such that also F op is so. We denote by MShCat the category of match-share functors. Match-share categories have been introduced in [14], and used to embed the algebraic properties of processes for contextual nets [25]. They are the basis for a class of categories where suitable models of partition-based structures can live. Definition 7 (Part-Monoidal Categories). A part-monoidal category is an 8-tuple hC, ⊗ , e, γ, ∇, !, ∆, †i such that both hC, ⊗ , e, γ, ∇, !i and hC op , ⊗op, e, γ op , ∆op , †op i are gs-monoidal categories, hC, ⊗ , e, γ, ∇, ∆i is a match-share category, and satisfying the additional coherence axiom e

†a

@@ a @@ ! e @ a /

e 

A part-monoidal functor F : C −→ C 0 is a gs-monoidal functor such that also F op is so. We denote by PartMCat the category of part-monoidal functors. Differently from the previous structures, part-monoidal categories, as far as we know, has never been explicitly analyzed in the literature. The leading idea is that a generic arrow from a1 ⊗· · ·⊗an to b1 ⊗· · ·⊗bm (where the ai ’s and the bi ‘s are “basic” objects) represents some kind of partition of {a1 , ..., an, b1 , ..., bm}. For example, the axiom ∆a ; !a =!a ⊗!a of r-monoidal categories does not hold for partitions, because in the partition ∆a; !a both a sources belong to the same class, whereas in partition !a ⊗!a they belong to disjoint classes.

Normal Forms for Partitions and Relations

3

37

The General Model: Σ-Spaces

We introduce now a concrete representation for the several formalisms discussed in the previous sections. It can be thought of as a normal form presentation of the less formal wire and box diagrams illustrated in the introduction. Basically, we split the operative components from the logical connectivity of a diagram. The typical operative components of a distributed system are the input and output interfaces, and the basic functional modules (n-to-m transforming blackboxes which give the building blocks of the wire and box notation). The way these components can interact constitutes the logical part of the system. Suitable linkchannels can faithfully express this connectivity-related aspect. As a matter of notation, we write z : s to say that the variable z has sort s. Definition 8 (Σ-Spaces). Let Σ be a signature. A Σ-assignment over a biparU tite set Z = X Y (X is called the set of names, and Y the set of results) of typed variables is any of the following sentences, where the x’s, the y’s and the z’s range over X , Y and Z respectively. f

 y1 ...ym , where xi : si for i = 1...n, yj : s0j for j = Generator: x1 ...xn 1...m, and f ∈ Σω,ω0 with ω = s1 ...sn , and ω0 = s01 ...s0m,  z2 , where z1 : s and z2 : s, Link: z1  Input: 2 y1 ...yn, where n ≥ 0, 2, where n ≥ 0. Output: x1 ...xn  We say that a variable z is used (respectively assigned) if it appears in the lefthand (respectively right-hand) side of a sentence. A distributed space over Σ is a set G of Σ-assignments such that /

/

/

/

/

/

/

/



αin (G), denoted by in(G), 1. G contains exactly one input sentence 2  2. G contains exactly one output sentence αout (G) 2, denoted by out(G), /

/

/

/

f

 y1 ...ym ∈ G} 3. all the variables in in(G), out(G) and gen(G) = { x1 ...xn are different,  z2 ∈ G} occur also in either gen(G), 4. all the variables in link(G) = { z1 in(G) or out(G). /

/

/

/

Given a distributed space G, its flow relation FG is the pre-order induced over variables by (the reflexive and transitive closure of ) the set of sentences; its link-flow relation LFG is the pre-order induced over variables by the set of links. We call Σ-spaces the equivalence classes of distributed spaces over Σ up to α-conversion. Abusing the notation, we denote a generic Σ-space by the same symbols of the distributed spaces in the equivalence class it represents. Σ-spaces yield a monoidal category. Indeed, let G be any Σ-space, and let st : V ∗ −→ S ∗ be the function mapping a list of typed variables into the corresponding list of types, e.g. st(z1 ...zn) = s1 ...sn if zi : si for i = 1...n. The objects are the elements of S ∗ (the free monoid over the set of sorts S), while each G is viewed as an arrow G : st(αin (G)) −→ st(αout (G)).

38

Roberto Bruni et al.

The parallel composition of two Σ-space G1 and G2 is always defined, yielding as a result the Σ-space G1 ⊗ G2 that can be constructed as follows: Choose two distributed spaces in the classes of G1 and G2 such that their underlying sets of variables are disjoint (we can assume without loss of generality that G1 and G2 are already variable-disjoint), then take the following distributed space αin (G1 ⊗ G2 ) = αin (G1 ) · αin (G2 ), αout (G1 ⊗ G2 ) = αout (G1 ) · αout (G2 ), gen(G1 ⊗ G2 ) = gen(G1 ) ∪ gen(G2 ), link(G1 ⊗ G2 ) = link(G1 ) ∪ link(G2 ), where · denotes ordinary string concatenation. Proposition 1. Let G1 , G2 be two Σ-spaces. Then G1 ⊗ G2 is a Σ-space.

,   2}, where  denotes the empty The empty Σ-space G = { 2  list of variables, is the unit element for parallel composition. /

/

/

/

Proposition 2. Let G be a Σ-space. Then G ⊗ G = G = G ⊗ G. The sequential composition of G1 and G2 is defined if and only if st(αout (G1 )) = st(αin (G2 )). As before, we assume G1 and G2 to be variable-disjoint and take the distributed space G1 ; G2 defined by αin (G1 ; G2) = αin (G1 ), αout (G1 ; G2) = αout (G2 ), gen(G1 ; G2) = gen(G1 ) ∪ gen(G2 ), link(G1 ; G2) = [link(G1 )/αout (G1 )][link(G2 )/αin(G2 )], where the composition of links is defined as [L1 /X][L2 /Y ] = I1 ∪ I2 ∪ Ffw ∪ Fbw ∪ D1 ∪ D2 (but in all the cases we consider, except for partitions in Section 4.5 and Section 4.6, the three sets Fbw , D1 , and D2 are empty), and if we denote by X[i] the i-th variable of the list X, the formal definition of each subset of links is I1 = { z1



I2 = { z2



Ffw = { z1



Fbw = { z2



D1 = { z1



D2 = { z2



with

z1 , z10

/

/

/

/

/

/

/

/

/

/

/

z10 ∈ L1 },

/

z20 ∈ L2 }, z2 | z1 

/

/

/

/

/

/

/

z1 | z2 

/

 z10 | z1  z20 | z2

6∈ X and

z2 , z20

X[i] ∈ L1 , Y [i]



Y [i] ∈ L2 , X[i]





X[i] , X[j] Y [i] , Y [j]

6∈ Y .

 /

/

/

/

/

/

/

z2 ∈ L2 },

/

z1 ∈ L1 }, 

z10 ∈ L1 , Y [i] z20 ∈ L2 , X[i]

 /

/

/

/

Y [j] ∈ L2 } X[j] ∈ L1 }.

Normal Forms for Partitions and Relations

39

Intuitively, variables in αout (G1 ) and αin (G2 ) are removed from the composition G1 ; G2 , but their ingoing and outgoing links are propagated to the remaining variables, with respect to the matching αout (G1 )[i] ↔ αin (G2 )[i], for i = 1...n, of the variables in the “merged” interfaces of G1 and G2 . Therefore, link(G1 ; G2) contains: (1) the internal links I1 of G1 , and I2 of G2 , i.e. those links not involving removed variables, (2) the forward and backward fusion links Ffw and Fbw , and (3) the forward and backward derived links D1 and D2 , propagating links involving only removed variables. However, as said before, most of the classes of Σ-spaces that we consider are acyclic, and define an intuitive information flow from left (in(G)) to right (out(G)): in this case, Fbw ∪ D1 ∪ D2 = ∅. Proposition 3. Let G1 , G2 be two Σ-spaces, such that st(αout (G1 )) = st(αin (G2 )). Then G1 ; G2 is a Σ-space. For each ω ∈ S ∗ , the Σ-space Gω such that st(αin (G)) = st(αout (G)), gen(G) = ∅ and link(G) = { αin(G)[i]  αout (G)[i] | i = 1... |ω|}, behaves as the identity with respect to the sequential composition. /

/

Proposition 4. Let G be a Σ-space. Then G; Gst(αout(G)) = Gst(αin(G)) ; G = G. Also the other properties of monoidal categories (e.g., Gω ⊗ Gω0 = Gω·ω0 , and (G1 ; G01 ) ⊗ (G2 ; G02) = (G1 ⊗ G2 ); (G01 ⊗ G02 ), giving the functoriality of the tensor product ⊗ ) are trivially satisfied by the definitions.

4

A Unified View for Nets, Relations and Partitions

In this section we show that all the models presented in Section 2 can be characterized as suitable Σ-spaces, simply imposing different requirements over the set of links. Moreover, such properties are preserved by the parallel and sequential composition as defined in Section 3, so that those spaces can be considered as concrete representations of their categorical counterparts. 4.1

Symmetric Monoidal

We begin by providing the class of Σ-spaces which characterize symmetric monoidal categories: its elements must satisfy a tight requirement over links. Definition 9 (Symmetric Σ-space). A Σ-space G is called symmetric if and only if each variable is used and assigned exactly once in G, and the flow relation induced by the assignment in G is acyclic. Or, in other words, the flow relation is actually a partial order. Proposition 5. If G is a symmetric Σ-space, then – the only kind of link sentences allowed consists of sentences of the form y x where y is a result and x is a name, /

/

40

Roberto Bruni et al.

– no result can be discharged in G, – no name can be created in G, – parallel and sequential composition of symmetric Σ-spaces yield symmetric Σ-spaces. Note that the restrictions always imply that Fbw = D1 = D2 = ∅, whenever two symmetric spaces are sequentially composed. To show that each symmetric Σ-space G defines a concrete symmetric monoidal category, we have to show what the symmetries are. For each pair of string ω, ω0 ∈ S ∗ , with |ω| = n, and 0 |ω| = m, we define the symmetric Σ-space Gω,ω0 as follows: Let Y and X be two lists of (pairwise disjoint) names such that |Y | = |X| = n + m, Y [i] : (ω · ω0 )[i], and X[i] : (ω 0 · ω)[i] for i = 1...n + m, then Gω,ω0 = { 2



∪ { Y [i]

/



/

Y, X /

/

 /

/

2} ∪ { Y [i]

 /

/

X[i + m] | i = 1...n} ∪

X[i − n] | i = n + 1...n + m}.

Theorem 1. Symmetric Σ-spaces are the arrows of a concrete symmetric monoidal category, which is (isomorphic to) the one freely generated by Σ. Proof sketch. From the last property of Proposition 5, we have just to show that the family of Σ-spaces {Gω,ω0 }ω,ω0 ∈S ∗ is a natural isomorphism from 1 ⊗ 2 to 2 ⊗ 1 , and verifies the coherence axioms of Def. 3. This can be easily done by exploiting the definition of Gω,ω0 and applying the definition of parallel and sequential composition. The initiality result relies on previous characterization results for symmetric monoidal categories as suitable Petri processes [31,30], to which our spaces are equivalent. 2 4.2

GS-Monoidal

As illustrated in Section 2, gs-monoidal categories are symmetric monoidal categories enriched with suitable transformations for copying and discharging information, which lack the naturality axiom. In our setting, this enrichment reflects into a relaxation of the previous constraints over symmetric Σ-spaces. Definition 10 (GS-Monoidal Σ-space). A Σ-space G is called gs-monoidal if and only if each variable is assigned exactly once in G, and the flow relation induced by the assignment in G is acyclic. Proposition 6. If G is a gs-monoidal Σ-space, then – the only kind of link sentences allowed consists of sentences of the form y x where y is a result and x is a name, – no name can be created in G, – parallel and sequential composition of gs-monoidal Σ-spaces yield gs-monoidal Σ-spaces. /

/

Normal Forms for Partitions and Relations

41

The characterization of duplicators and dischargers is intuitive. For each string ω ∈ S ∗ , with |ω| = n, we define the gs-monoidal Σ-spaces G2ω , and G0ω as follows: Let Y and X be list of names such that |Y | = n, |X| = 2n, Y [i] : ω[i], X[i] : ω[i], and X[i + n] : ω[i], for i = 1...n. Then G0ω = { 2  G2ω

={2



∪ { Y [i]



/

/

Y,  

/

/

Y, X /

/



/

2}, /

/

/

2} ∪ { Y [i]

 /

/

X[i] | i = 1...n} ∪

X[i + n] | i = 1...n},

where we recall that  denotes the empty list of variables. Theorem 2. GS-Monoidal Σ-spaces are the arrows of a concrete gs-monoidal category, which is (isomorphic to) the one freely generated by Σ. Proof sketch. From the last property of Proposition 6, we have just to show that the families of Σ-spaces {G2ω }ω∈S ∗ , and {G0ω }ω∈S ∗ are transformation from 1 to 1 ⊗ 1 , and to G , respectively, verifying the coherence axioms of Def. 4. This can be easily done exploiting the definition of G2ω , and G0ω . As an important remark, it is trivial to verify that the naturality axioms are not satisfied by {G2ω }ω∈S ∗ , and {G0ω }ω∈S ∗ . To show the initiality of our model we rely on the results of [8], since gs-monoidal Σ-spaces offer a concrete mathematical structure corresponding to a normalized representation for gs-graphs. 2 The main result of [8] states that the free gs-monoidal category over a (ordinary) signature is isomorphic to the class of (ranked) term graphs labeled over it. Such a property is exploited in [7] to give an inductive, algebraic account of term graph rewriting. It is in this setting that we recover the intuitive interpretation of copying and discharging as suitable operations over graphical structures. Also the open graphs of [26] form a free gs-monoidal category: The one generated by the one-sorted signature Σ such that Σh,k = ∅ if k 6= 0, and Σh,0 = Lh for h ∈ lIN, where L = {Lh }h∈lIN is the set of labels for the edges of the graph. Therefore, they find a normalized presentation in terms of Σ-spaces. 4.3

Relations

Due to the presence of both co-duplicators and co-dischargers in the relational model, we have no restriction on the number of ingoing and outgoing links in the corresponding version of Σ-spaces. The weaker constraint considered here just involves the global structure of the link sentences. Definition 11. A Σ-space G is called relational if and only if its link sentences  x where y is a result and x is a name, and the flow relation have the form y induced by the assignments in a relational Σ-space G is acyclic. /

/

For example, in a relational Σ-space, each variable can be assigned and used as many times as necessary.

42

Roberto Bruni et al.

Proposition 7. The parallel and sequential composition of relational Σ-spaces yield relational Σ-spaces. 2

For each string ω ∈ S ∗ , with |ω| = n, we define the relational Σ-spaces Gω , 0 and Gω as follows: Let Y and X be list of names such that |Y | = 2n, |X| = n, Y [i] : ω[i], Y [i + n] : ω[i], and X[i] : ω[i], for i = 1...n. Then Gω = { 2 

, X 

0

2 Gω

={2

/

 /

/

/

Y, X

∪ { Y [i + n]  2

/

/

/



2},

/

/

/

2} ∪ { Y [i]  /

/

X[i] | i = 1...n} ∪

X[i] | i = 1...n},

0

Families {Gω }ω∈S ∗ , and {Gω }ω∈S ∗ are the co-duplicators and the co-dischargers. Theorem 3. Relational Σ-spaces are the arrows of a concrete r-monoidal category, which is (isomorphic to) the one freely generated by Σ. Therefore, relational Σ-spaces define an initial relational model for Σ. Theorem 4. Given any two strings ω, ω0 ∈ S ∗ , the class of relational Σ-spaces G from ω to ω0 such that gen(G) = ∅ is isomorphic to the class of possible type-preserving relations between the components of ω and those of ω0 . The proof relies on Theorem 3 and on the results of [5,34]. 4.4

Partial Orders

If Σ is a one-sorted signature that contains only unary operators, then we may use relational Σ-spaces for the representation of labeled partial orders. Definition 12. A relational Σ-space G is called poΣ -space if SΣ = {s}, and Σ = Σs,s . Let (P, v, `, A), where ` : P −→ A, be a generic partial order labeled over the set A, and let us consider the Σ-spaces over the signature ΣA = {a : 1 −→ 1 | a ∈ A}. In a similar fashion to the proposal of [14], the basic ingredients are the ΣA -spaces in the family {Ga }a∈A , where Ga = { 2

 /

/

 y1 , x

a /

/

y , x1  /

/

 2, y1 /

/

x, y /

x1 , y1  /

/

/

x1 }.

Intuitively, each Σ-space Ga represents the label a in parallel with an identity.  x1 , acting as a duplicator of the x and y1  The presence of the links y1  x1 and y1  x1 , input position, together with the presence of the links y acting as a match in the output position, creates a sort of implicit transitive closure of identities whenever the sequential composition is applied. As a result, the ordering relation of the partial order, say between e and e0 , is represented by propagating a copy of the identity of e in parallel with e0 . The ΣA -space associated to P is obtained by composing the Ga’s following the intuitive correspondence with the labeled elements of P . /

/

/

/

/

/

/

/

Normal Forms for Partitions and Relations

e4

43

(`(e4 )=b)

LL LL LL

rr rr rr 9

e2

e

e3

(`(e2 )=b)

(`(e3 )=c)

LL LL LL

rr rr rr

e

9

e1

(`(e1 )=a)

Fig. 1. A partial order P = {ei }i=1...4 with labels over the set A = {a, b, c}. 2

0

Example 1. The ΣA -space G0 ; Ga; G2 ; (Gb ⊗ Gc ); G ; Gb ; G corresponds to the partial order in Fig. 1. The explicit construction for a sub-term is given in Fig. 2.

 

x

v 6vvv _ Y [1] ; HHH H X[1]

a

O

;

y

/

O

_  Y [1]

X[1]

;

/



/



/

#

#

x1



  _  Y [1]   ;   x2   



b

 x1



  _  Y [1]   ;   x2   

O

 y x CmCm X[1]  CC m m m _ -m  m /

/

/

/

O

=

6

6

O

!

!

Y [1]

/

/

X[2]

c /

/

_ 

O

_ 

/

  X[1]  ;  y2  _   



/

/

c /

O

O

Y [2]

HHH H



/

#

v 6vvv

/





/

/

X[2]



x3

#

X[1]

b /

; _  Y [1]

y3

_

/

O

O

;

;

=





/

/

X[1]

Y [2]





/

X[2] /

y1

/

O

a

_  Y [2]

Y [1]

   ;  y2  _   

X[1]

/



b

O



_ 

/

O

X[2]

y1

/

O

b y  x1 1 gg x3 t4g v 44 yy _b ggg   gggg 6'vvgvgg y4   g  yy 44 y3 y V y V s33 VV V y  VVVy 4 _ y VVVV 4 = a _ 33 . y V y  X[1] x  3 yy  h 3 h h  y  yy33hhhhhh 9 yyy Q y _Q 9y(h hh   x y Y [1] /

/

/

/

3

3

;

H

H