On Partial-Function Application in Z

David A. Duffy

Department of Computer Science, University of York

Heslington, York, YO10 5DD

E-mail: [email protected]

3rd Northern Formal Methods Workshop, 1998

Abstract

We discuss the application of partial functions to elements outside their domain in the context of the Z language and the CADiZ tool. We illustrate some surprising results that can arise, and show that they may be readily justified, but also show that undesirable results can arise that are less readily resolved. We offer two possible resolutions, one that involves a simple change to, for example, free types, and another more contentious approach that involves, in particular, a new semantics for Z. We discuss the advantages and disadvantages of both approaches.

1 Introduction

Partial functions in Z [8] are simply relations with the property that if they "return a value" that value is unique. There is some debate as to the meaning of the application of such functions to arguments outside their domain. Arthan [2] outlines the main options and proposes a classical approach for reasoning purposes in which a function application in a specification $\Sigma$ is assigned an arbitrary value from the function's range in any particular interpretation ("pre-model") for $\Sigma$. This semantics explains why, if $f$ and $g$ are partial functions from $\mathbb{N}$ to $\mathbb{N}$, then $f\,0 = f\,0$ holds in all models, but $f\,0 = g\,0$ need not, even if both $f$ and $g$ are undefined for 0: $f\,0$ and $g\,0$ may be assigned different values from the carrier of $\mathbb{A}$, the type of $\mathbb{N}$.

This semantics for partial-function application may or may not be embedded into the standard semantics for Z currently being developed; the standard semantics might assign the same range value to all "undefined" function applications of the same type. Any proof system that is sound with respect to Arthan's proposed semantics is, of course, sound with respect to the more restrictive semantics. CADiZ [9], a tool developed at the University of York that supports analysis of Z specifications, is consistent with Arthan's approach in that it accepts as valid $f\,0 = f\,0$, but not $f\,0 = g\,0$ unless forced to by the axioms of the specification. In this paper, we take CADiZ as representative of proof systems for Z such as ProofPower [5], with regard to the treatment of partiality. Thus, Arthan's approach provides the starting point for our investigation. However, we go a step further, and consider the scenario in which it is impossible to assign a range value to a function application in any model. In other words, we consider the scenario in which adding a definedness condition such as $f\,0 \in \mathbb{N}$ would make a specification unsatisfiable.¹

Apparently, this scenario has been investigated previously, and there are unpublished notes on the subject, but in each case it was decided that any benefits accrued are outweighed by anomalous results. We argue that the partial-function applications of realistic specifications may have this property, that the apparently anomalous results they produce are not so disconcerting as they might at first seem, and that there is a major benefit from allowing them in that the specifier is no longer required to know the domain of a partial function in order to avoid contradictions when writing down axioms defining the function. However, we show that allowing such function applications can make a typical Z specification inconsistent, and we proceed to offer two possible resolutions to this problem, one involving modification of our specifications, and the other involving modification of our inference systems. We discuss the advantages and disadvantages of each approach.

The presentation of the paper is as follows. In the next section we discuss partial functions in a general setting, independently of Z, and describe a simple realistic specification in which the definedness problem arises. In Section 3, we then review partial functions from the Z standpoint, illustrating some surprising and undesirable properties that function application can have in Z, and show how the surprising results may be readily justified. We are then in a position to present in Section 4 our resolutions to the undesirable results. The second of these involves modification to the typical laws and inference rules implemented in reasoning systems for Z; we specify the necessary changes for a subset of Z in Section 5, provide a semantics for our Z expressions in Section 6, and justify our proof rules with respect to this semantics in Section 7. We go on to discuss some of the consequences of both our resolutions in Section 8, including those that are apparently anomalous, and argue that these apparent anomalies are in fact reasonable. Finally, we present some conclusions on what we have done in Section 9, reviewing some of the advantages and disadvantages of our two approaches.

We are concerned almost exclusively with the semantics of function application in this paper, and how it interacts with the semantics of the rest of the system. For this reason, we will consider only a limited subset of Z, omitting discussion of, for instance, schemas; the subset should be sufficiently inclusive to demonstrate our approach in a non-trivial context. For similar reasons, we will also take only a semi-formal approach to the presentation of our semantics in Section 6. Typical current formal approaches translate each Z construct into a core language, and then define the semantics of the core language via a mapping into ZF set theory. We translate each Z construct of our subset into an informal set-theoretic language with types. Our approach more closely resembles standard semantic definitions given in textbooks on logic. This approach was found² not to work for the full Z language, principally due to the inclusion of schemas, but it is adequate for our subset.

While we do not consider in detail Z-like languages such as B [1], we believe that our semantics should be applicable to them, perhaps with minor modifications. In the case of B itself, we must take account of a distinction that may be made between a well-formed and a well-typed formula. For instance, the formula $\forall x \bullet x + 0 = x$ is well-formed, but for type-checking purposes we must add the constraint $x \in \mathbb{N}$, say, to give $\forall x \bullet x \in \mathbb{N} \Rightarrow x + 0 = x$; we may say that this formula is well-typed. If we consider the well-typed language of B, then the application of our Z semantics to B is quite straightforward, since B has the same type system as Z. On the other hand, we consider later the possibility of including in Z formulae that are not well-typed; it might be argued that, in principle, B already allows such expressions.

¹ Sam Valentine, private communication.

² Ian Toyn, private communication.

2 What are partial functions?

From the mathematical perspective, independently of Z, we may distinguish two types of partiality (cf. [11]).

Case 1: A function $f$ is partial if it is not explicitly assigned any value for certain arguments. Viewed computationally, that is, viewing the "defining axioms" for $f$ as, say, a set of rewrite rules (if the axioms are equations), $f$ may or may not terminate on these arguments.

Example: Suppose we are given

\[
\begin{array}{l}
\mathit{Spec1} == [\,f, g, h : \mathbb{N} \rightharpoonup \mathbb{N} \mid \\
\quad \forall u : \mathit{nats} \bullet f(\mathit{succ}\,u) = u \\
\quad \forall v : \mathit{nats} \bullet g(\mathit{succ}\,v) = g\,0 \\
\quad \forall w : \mathit{nats} \bullet h(0, w) = 0 \\
\quad \forall x, y : \mathit{nats} \bullet h(\mathit{succ}\,x, y) = h(\mathit{succ}\,x - y, y)\,].
\end{array}
\]

In Spec1, $f$ is not defined for 0 and $g$ is not defined for any $v \in \mathbb{N}$. The function $h$ is non-terminating for $x = 0$, $y = 0$ if its defining equations are treated as rewrite rules from left to right as presented, and if, for $t$ of type $\mathbb{A}$, $t - 0$ simplifies to $t$; since there are no other defining axioms for $h(\mathit{succ}\,0, 0)$, $h$ is undefined over these arguments ($h(\mathit{succ}\,0, 0)$ could, however, be assigned the value 0, say, without inconsistency with Spec1 arising).

Case 2: A function $f$ is partial if imposing definedness conditions on $f$ results in inconsistency.

Example: Suppose we are given

\[
\begin{array}{l}
\mathit{Spec2} == [\,q : \mathbb{N} \times \mathbb{N} \rightharpoonup \mathbb{N} \mid \\
\quad \forall w : \mathit{nats} \bullet q(0, w) = 0 \\
\quad \forall x, y : \mathit{nats} \bullet q(\mathit{succ}\,x, y) = \mathit{succ}(q(\mathit{succ}\,x - y, y))\,].
\end{array}
\]

The partial function $q$ may be interpreted as a "quotient" function over $\mathbb{N}$; the important property of Spec2 is that $q(\mathit{succ}\,0, 0)$, representing $1/0$, is assigned no numeric value. Not only is $q$ nonterminating for $x = 0$, $y = 0$, but we have $q(\mathit{succ}\,0, 0) = \mathit{succ}(q(\mathit{succ}\,0, 0))$, so if we add the definedness constraint $q(\mathit{succ}\,0, 0) \in \mathbb{N}$, then we get $\exists z : \mathbb{N} \bullet z = \mathit{succ}\,z$, contradicting the usual axioms for $\mathbb{N}$.

Case 1 is consistent with the standard Z-user view of partial functions in the sense that any function that satisfies Case 1 could be declared as partial in a Z specification without any perceived inconsistency arising. This is the case that Arthan accounts for [2]. Case 2 is more contentious. It might be argued that any function in a Z specification satisfying Case 2 should be rejected as inconsistent with its declaration. According to this view, it should always be possible to assign to any function application some value from the function's range (that is, the set $S'$ in the declaration $f : S \rightharpoonup S'$ for $f$). However, there are several counterarguments.

Firstly, Spec2 describes what seems to be a reasonable specification in which the function $q$ cannot return a numeric value for certain arguments, though its range is $\mathbb{N}$. Secondly, since we cannot bar non-termination, it would seem pointless (though not impossible for "semi-recursive" functions [6]) to bar Case 2. Thirdly, and perhaps most significantly of all, barring Case 2 would, from the perspective of function application, make redundant the declaration of functions as partial in Z, since a partial function $f : S \rightharpoonup S'$ would have the property

\[ \forall x : S \bullet \exists_1 y : S' \bullet f\,x = y \]

(at least if $S'$ is a type expression), exactly as for a total function. We discuss this last justification for Case 2 further in the next section.

3 Partial Functions and Z

In Z, a relation $r$ with declaration $r : S \leftrightarrow S'$, for sets $S$ and $S'$, is a subset of $S \times S'$: $r$ has type $\mathbb{P}(T \times T')$, where $\mathbb{P}T$ and $\mathbb{P}T'$ are the types of, respectively, $S$ and $S'$, and the defining axiom for $r$ is $\forall p : r \bullet p.1 \in S \land p.2 \in S'$. Partial and total functions, with declarations of the form $f : S \rightharpoonup S'$ and $f : S \to S'$, respectively, are relations with further restrictions expressed by axioms in the language of Z. A partial function $f$ has the extra property

\[ \forall p, q : f \bullet p.1 = q.1 \Rightarrow p = q, \]

while a total function $f : S \to S'$ is a partial function with the restriction that its domain is the whole of $S$. These definitions raise the question: what happens when a partial function is "applied" to an object outside of its domain? In fact, Z allows arbitrary relations to be applied as functions, and thus we cannot rely on the special property of partial functions in defining application.

The fundamental point to note is that the definition of relation imposes only the constraint of well-typedness on the application of a relation as a function, and the definition of partial function is only a little more restrictive. A relation application $r\,s$ is well-typed if $r$ has type $\mathbb{P}(T \times T')$ and $s$ has type $T$; $r\,s$ then has type $T'$. Partial functions impose the additional constraint that if $(x, y) \in f$ is a consequence of the specification, then $f\,x = y$ is a consequence; the converse need not hold. Even total functions may be applied to objects outside their domain without introducing inconsistency. We illustrate these points with the following specifications.

\[
\begin{array}{l}
\mathit{SpecA} == [\,f : \mathbb{N} \leftrightarrow \mathbb{N} \mid \\
\quad (1, 1) \in f \\
\quad f\,1 = 2\,]
\end{array}
\]

\[
\begin{array}{l}
\mathit{SpecB} == [\,f : \mathbb{N} \rightharpoonup \mathbb{N} \mid \\
\quad f\,1 = 0 \\
\quad f\,2 = 2\,]
\end{array}
\]

\[
\begin{array}{l}
\mathit{SpecC} == [\,f : \mathbb{N} \to \mathbb{N} \mid \\
\quad f\,1 = 1 \\
\quad f\,2 = 2\,]
\end{array}
\]

These specifications are "consistent" in Z in the sense that, from the axioms currently associated with relation and function declarations, we cannot derive a contradiction ($P \land \lnot P$, for some $P$) via the inference rules normally associated with Z (as in CADiZ). The first two specifications illustrate the facts that a relation may be applied to objects (e.g. 1 in SpecA) for which it is not uniquely defined, and a partial function may be applied to or return objects outside its domain or range, as in the first and second axioms of SpecB. As illustrated by SpecC, even a total function may be consistently applied to objects outside its domain, and, if so, may return an object outside its range. We are not claiming that anybody would wish to write specifications such as those above, but if they are consistent in Z, then we should be able to offer, for instance, a semantical justification for them.

The justification for these surprising properties of function application, that is, the consistency of the above specifications, is that the axioms given assert properties about each function application, not about the functions themselves. In particular, $f\,a = b$, where $f\,a$ and $b$ are appropriately typed, does not imply $(a, b) \in f$. Formally, in the models of a specification, a function application $f\,a$ may be assigned a total function $\mathit{App}$ [2]. To account for the fact that, if there is a unique $b$ such that $(a, b) \in f$, then $f\,a = b$, we must impose constraints on $\mathit{App}$ as in the following definition.

Definition: In a specification $\Sigma$, let $f$ be an expression representing an $n$-ary function of type $\mathbb{P}(T_1 \times T_2)$, and let $\mathit{arg}$ be an expression of type $T_1$. If, in an interpretation $I$ for $\Sigma$, $T_1$ and $T_2$ are assigned, respectively, the "carrier" sets $T_1^*$ and $T_2^*$, $f$ is assigned the function $f_I$, and $\mathit{arg}$ is assigned the value $a \in T_1^*$, then

\[
\begin{array}{lll}
\mathit{App}(f_I, a) & == & \text{the unique } z \text{ such that } (a, z) \in f_I, \text{ if such a } z \text{ exists}; \\
 & == & \text{some } z \text{ in } T_2^* \text{ otherwise.}
\end{array}
\]

Thus, the value of a function application is not a value assigned to the function itself (that is, the function is not "totalised", cf. [12]), but to the application operator. In fact, what we assign to any Z function symbol (partial or total) in a model is simply a relation satisfying the constraints imposed by Z's partial and total function axioms.

More problematic are specifications involving definitions such as that of $q$ in the previous section. The problem becomes most apparent if we re-express the definition in terms of a free type, as opposed to $\mathbb{N}$ (which is defined as a subset of the type $\mathbb{A}$ in standard Z). We thus introduce the free type $\mathit{nats}$, and define the functions $\mathit{diff}$ and $\mathit{quot}$ in terms of $\mathit{nats}$.

\[
\begin{array}{l}
\textbf{section } \mathit{SpecQ} \\
\mathit{nats} ::= o \mid s\langle\!\langle \mathit{nats} \rangle\!\rangle \\
\mathit{diff}, \mathit{quot} : \mathit{nats} \times \mathit{nats} \rightharpoonup \mathit{nats} \\
\forall x : \mathit{nats} \bullet \mathit{diff}(x, o) = x \\
\forall x, y : \mathit{nats} \bullet \mathit{diff}(s\,x, s\,y) = \mathit{diff}(x, y) \\
\forall y : \mathit{nats} \bullet \mathit{quot}(o, y) = o \\
\forall x, y : \mathit{nats} \bullet \mathit{quot}(s\,x, y) = s(\mathit{quot}(\mathit{diff}(s\,x, y), y))
\end{array}
\]

The first line of SpecQ introduces a free type: a given set $\mathit{nats}$ together with Peano-style axioms for $o$ (denoting zero) and $s$ (denoting successor). The axioms CADiZ associates with the free type $\mathit{nats}$ have some syntactic differences from typical axioms for $\mathbb{N}$ [4], but the induction principle is typical, and the property $\forall x : \mathit{nats} \bullet \lnot x = s\,x$ is a logical consequence.

The main difficulty with SpecQ is that it is provably inconsistent in CADiZ. We discuss a proof of its inconsistency further in the next section. We note here merely that we can prove $\mathit{quot}(s\,o, o) \in \mathit{nats}$ in CADiZ, and therefore that

\[ \forall x, y : \mathit{nats} \bullet \mathit{quot}(s\,x, y) = s(\mathit{quot}(\mathit{diff}(s\,x, y), y)) \]

contradicts the property $\forall x : \mathit{nats} \bullet \lnot x = s\,x$ of the free type $\mathit{nats}$.

There are several reasons why the inconsistency of SpecQ is unfortunate. Firstly, the definition looks reasonable. Secondly, it is correct for the intended set, $\{x, y : \mathbb{N} \mid x > y \land y > 0\}$, where $\mathbb{N}$ denotes the natural numbers. Thirdly, the fact that the definition for $\mathit{quot}$ is nonterminating for $\mathit{quot}(s\,o, o)$ is consistent with our assumption that division of 1 by 0 is undefined (that is, is not a natural number). Fourthly, and perhaps most importantly, if we bar this definition, then this means that the Z specifier must know the domain of $\mathit{quot}$, before defining it by a set of equations, in order to avoid inconsistency; but in that case it would seem preferable that $\mathit{quot}$ be defined as a total function from $\mathit{nats} \times (\mathit{nats} \setminus \{o\})$ to $\mathit{nats}$. Thus, the utility of partial functions is substantially undermined if definitions such as that of $\mathit{quot}$ are inconsistent.
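As an added example that is not part of the paper, the rewrite-rule reading of the definitions in Spec2 and SpecQ above: SpecQ's four equations are applied left to right to Peano numerals, and the evaluator reports whether an application reaches a numeral, stops at a term no equation covers (Case 1), or fires the same redex twice, which is how quot(s o, o) = s(quot(s o, o)) manifests (Case 2). The term encoding, the outcome tags and the cycle check are this example's own, not CADiZ's.

```python
# Added example (not from the paper): SpecQ's equations read as left-to-right
# rewrite rules over Peano numerals. The evaluator classifies an application as
# a numeral (defined), a normal form no equation covers (the paper's Case 1:
# some value could still be assigned consistently), or a cycle (Case 2: the
# term quot(s o, o) rewrites to s(quot(s o, o)), so quot(s o, o) in nats would
# force z = s z). Term encoding and outcome tags are this example's own.
#
# Terms are nested tuples: O = ('o',), ('s', t), ('diff', x, y), ('quot', x, y).

O = ('o',)


def s(t):
    """Successor constructor of the free type nats."""
    return ('s', t)


def num(n):
    """Peano numeral for a non-negative int (used to build constructed inputs)."""
    t = O
    for _ in range(n):
        t = s(t)
    return t


def to_int(t):
    """Inverse of num; None if t is not a closed numeral s(s(...(o)))."""
    n = 0
    while t[0] == 's':
        n, t = n + 1, t[1]
    return n if t == O else None


def root_rule(t):
    """Apply one of SpecQ's four equations at the root of t, or return None."""
    if t[0] == 'diff':
        x, y = t[1], t[2]
        if y == O:                              # diff(x, o) = x
            return x
        if x[0] == 's' and y[0] == 's':         # diff(s x, s y) = diff(x, y)
            return ('diff', x[1], y[1])
    elif t[0] == 'quot':
        x, y = t[1], t[2]
        if x == O:                              # quot(o, y) = o
            return O
        if x[0] == 's':                         # quot(s x, y) = s(quot(diff(s x, y), y))
            return s(('quot', ('diff', x, y), y))
    return None                                 # no equation covers t, e.g. diff(o, s y)


def step(t):
    """One leftmost-outermost rewrite step.

    Returns (new_term, redex), where redex is the subterm at whose root an
    equation fired, or None when t is already in normal form.
    """
    reduced = root_rule(t)
    if reduced is not None:
        return reduced, t
    for i in range(1, len(t)):
        inner = step(t[i])
        if inner is not None:
            new, redex = inner
            return t[:i] + (new,) + t[i + 1:], redex
    return None


def evaluate(t, limit=10_000):
    """Rewrite t to normal form and classify the outcome.

    ('numeral', n)  -- t denotes the natural number n;
    ('stuck', nf)   -- the normal form nf is not a numeral (Case 1);
    ('loop', redex) -- the same redex fired a second time; for the closed
                       quot/diff terms built here the strategy is deterministic,
                       so the rewriting never terminates (Case 2).
    """
    fired = set()
    for _ in range(limit):
        result = step(t)
        if result is None:
            n = to_int(t)
            return ('numeral', n) if n is not None else ('stuck', t)
        t, redex = result
        if redex in fired:
            return ('loop', redex)
        fired.add(redex)
    return ('exhausted', t)


def quot(x, y):
    """Evaluate quot(x, y) for constructed numerals x and y."""
    return evaluate(('quot', num(x), num(y)))


if __name__ == '__main__':
    print(quot(4, 2))   # ('numeral', 2): y divides x, the equations terminate
    print(quot(1, 0))   # ('loop', ('quot', ('s', ('o',)), ('o',))): 1/0, Case 2
    print(quot(3, 2))   # ('stuck', ...): diff(o, s o) is reached, Case 1
```

Replacing the rules in root_rule with those of Spec2 (q(0, w) = 0, q(succ x, y) = succ(q(succ x − y, y))) gives the same loop for q(succ 0, 0), which is the equation the text turns into ∃z • z = succ z.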

4 Resolving the Inconsistency

We propose two resolutions to the inconsistency issue raised in the preceding section. The first is the more straightforward, but involves explicitly modifying specifications, while the second is more contentious, but leaves specifications unchanged, modifying instead the usual laws and inference rules for Z.

4.1 Modifying Free Types

The first solution is straightforward: the sets introduced by a free type (e.g. $\mathit{nats}$ above) are not given type status, but are made subsets of types. In particular, we may associate with the set $\mathit{nats}$ the type $\mathit{nats}^*$. Thus, $\mathit{nats}^*$ becomes the given set, and $\mathit{nats}$ is declared by $\mathit{nats} : \mathbb{P}\,\mathit{nats}^*$. The other declarations and axioms for $\mathit{nats}$ in the original free-type expansion remain unchanged.

Now any partial function $f : \mathit{nats} \rightharpoonup \mathit{nats}$ may return a value from $\mathit{nats}^*$ when it is not specified or is unable consistently to return a value from $\mathit{nats}$. If we refer to as $\mathit{nats}^-$ the set $\mathit{nats}^* \setminus \mathit{nats}$, then $\mathit{nats}^-$ may be viewed as the "undefined values" of $\mathit{nats}$, though, as we indicate in Section 8 below, it is preferable to view them as "super values" of $\mathit{nats}$.

One incidental benefit of this process is that we may reintroduce the intuitive relationship between function application and membership. We may add as a property of any partial function over, say, $\mathit{nats}$, that

\[ \forall x, y : \mathit{nats} \bullet f\,x = y \Rightarrow (x, y) \in f. \]

The problem with adding this property if $\mathit{nats}$ is taken to be a type is that it collapses $f$ into a total function. For if $\mathit{nats}$ is a type, then we have

\[ \forall x : \mathit{nats} \bullet \exists y : \mathit{nats} \bullet f\,x = y; \]

consequently, with the above property, we would have $\forall x : \mathit{nats} \bullet \exists y : \mathit{nats} \bullet (x, y) \in f$, making $f$ total. However, if $\mathit{nats}^*$ is the type and $\mathit{nats}$ merely a subset, then we do not automatically have $\forall x : \mathit{nats} \bullet \exists y : \mathit{nats} \bullet f\,x = y$, and $f$ remains total only over its domain (that subset of $\mathit{nats}$ over which its application always returns a value of $\mathit{nats}$).

The problem with this approach is that the set $\mathit{nats}^*$ must be explicitly included within the specification. Thus, either the specifier must build up the free type from scratch in order to include $\mathit{nats}^*$, or the analysis tool must automatically add it and the declaration $\mathit{nats} : \mathbb{P}\,\mathit{nats}^*$. The first possibility clearly undermines the benefits of free types, while the second solution is likely to be disconcerting to the specifier, particularly if no partial functions are involved in the specification.

4.2 Modifying the Inference Rules

The alternative approach is more contentious in that it involves distinguishing between "having type $T$" and "being a member of $T$", in order to allow a well-typed function application to "return a value" not a member of its range type. For instance, if $\mathit{nats}$ is a given set, $f$ is a partial function from $\mathit{nats}$ to $\mathit{nats}$, and $o \in \mathit{nats}$ holds, then $f\,o$ has type $\mathit{nats}$, but may or may not be in $\mathit{nats}$.

The advantage of this approach is that the set $\mathit{nats}^*$ now becomes the carrier set of $\mathit{nats}$ in a model, and thus becomes a metalogical concept; the specifier is now unable to refer directly to $\mathit{nats}^*$, and consequently is unable to make statements about all of its possible members. Moreover, specifiers need not even be aware of $\mathit{nats}^*$ if they do not have partial functions in their specifications; the name $\mathit{nats}^*$ may now, of course, be used freely within a specification.

The major disadvantage is that we must make some changes to the laws of Z and the inference rules of typical proof systems for Z such as CADiZ. However, these changes are not especially contrived; the new laws and rules coincide with our intuitions about the properties of sets. We believe that the changes also highlight some interesting properties of Z and CADiZ, and make the concept of a type more than just a way of avoiding meaningless expressions such as $(0, 1) = \{1, 2, 3\}$ and Russell-style paradoxes [8].

The required changes hinge on the fact that we can currently prove $f\,o \in \mathit{nats}$ in CADiZ if $\mathit{nats}$ is a given set or free type, if $o \in \mathit{nats}$ is an axiom, and if $f$ has declaration $f : \mathit{nats} \rightharpoonup \mathit{nats}$. Analogously we can prove $\mathit{quot}(s\,o, o) \in \mathit{nats}$, our earlier example. One such proof proceeds as follows.

Sketch of Proof: Consider the set $Q == \{x, y : \mathit{nats} \mid \mathit{true} \bullet \mathit{quot}(x, y)\}$. First, we show, in CADiZ, that $\mathit{SpecQ} \vdash \mathit{quot}(s\,o, o) \in Q$ (we omit SpecQ in the following for brevity). This involves expanding $\mathit{quot}(s\,o, o) \in Q$ to $\exists x, y : \mathit{nats} \mid \mathit{true} \bullet \mathit{quot}(s\,o, o) = \mathit{quot}(x, y)$; $x$ and $y$ are then instantiated with $s\,o$ and $o$, respectively, via quantification tac, and we subsequently show $\vdash o \in \mathit{nats}$ and $\vdash s\,o \in \mathit{nats}$ (properties of the free type $\mathit{nats}$), and $\vdash \mathit{quot}(s\,o, o) = \mathit{quot}(s\,o, o)$, an axiom in CADiZ.

Now we show that $Q = \mathit{nats}$. This involves an expansion of set equality via the following expansion rule:

\[ S = S' \;=\; \forall u : T \bullet u \in S \Leftrightarrow u \in S', \]

where $S, S'$ are sets and $\mathbb{P}T$ is their type. Thus, we derive the subgoal $\vdash \forall u : \mathit{nats} \bullet u \in Q \Leftrightarrow u \in \mathit{nats}$. $u \in \mathit{nats}$ reduces via CADiZ's absorption rule to $\mathit{true}$, and another absorption reduces $u \in Q \Leftrightarrow \mathit{true}$ to $u \in Q$. We now apply $\forall$ elimination and then membership expansion to derive

\[ u : \mathit{nats} \vdash \exists x, y : \mathit{nats} \mid \mathit{true} \bullet u = \mathit{quot}(x, y). \]

We may now instantiate $x$ and $y$ with, respectively, $u$ and $s\,o$, and use the definitions of $\mathit{diff}$ and $\mathit{quot}$ and an induction over $\mathit{nats}$ to complete the proof of this step.

Finally, we apply Leibniz to $\mathit{quot}(s\,o, o) \in Q$ via the equality $Q = \mathit{nats}$ to get $\mathit{quot}(s\,o, o) \in \mathit{nats}$, completing the proof of our original goal.

Since we have a proof that $\mathit{quot}(s\,o, o) \in \mathit{nats}$ holds in CADiZ, we cannot separate the carrier set $\mathit{nats}^*$ into $\mathit{nats}^+$ (the elements of $\mathit{nats}$) and $\mathit{nats}^-$ (the "undefined" values of type $\mathit{nats}$) and argue that the meaning of $\mathit{quot}(s\,o, o)$ in a model is some element of $\mathit{nats}^-$. Thus, if we are to take this line (formalised in Section 6), we must find a "flaw" in the above proof. We agree that $\mathit{quot}(s\,o, o) \in Q$ holds, and accept the application of Leibniz. This leaves the second part of the proof in which we apply the expansion rule for sets. We propose the following alternative expansion rule:

\[ S = S' \;=\; (\forall u : S \bullet u \in S') \land (\forall u : S' \bullet u \in S). \]

Unfortunately, we can still prove $Q = \mathit{nats}$ via CADiZ's rule of normalisation:

\[ \frac{x : \tau(x) \mid x \in t \vdash}{x : t \vdash}, \]

where $\tau(x)$ denotes the type of $x$. The proof proceeds as follows.

Sketch of Proof: Expanding $Q = \mathit{nats}$ via the new expansion rule we get $\forall u : Q \bullet u \in \mathit{nats} \land \forall u : \mathit{nats} \bullet u \in Q$. Via $\land$ and $\forall$ elimination we derive two subgoals: $u : Q \vdash u \in \mathit{nats}$, and $u : \mathit{nats} \vdash u \in Q$. The proof of the second subgoal proceeds via an inductive proof of $\forall u : \mathit{nats} \bullet u = \mathit{quot}(u, s\,o)$, as above, and we do not contend it. The proof of the first subgoal proceeds via two applications of normalisation: $u : \mathit{nats} \mid u \in Q \vdash u \in \mathit{nats}$, then $u : \mathit{nats} \mid u \in \mathit{nats}, u \in Q \vdash u \in \mathit{nats}$, which is an axiom.

Thus, in outline, we have proven $Q = \mathit{nats}$. Consequently, we must change the rule of normalisation to sustain the distinction between $\mathit{nats}^+$ and $\mathit{nats}^-$: we replace $\tau(x)$ by $t$ in the hypothesis; see Section 5. We are now unable to prove $Q = \mathit{nats}$, since we are unable to prove $u : Q \vdash u \in \mathit{nats}$, normalisation now reducing this merely to $u : Q \mid u \in Q \vdash u \in \mathit{nats}$.

We must show that these new expansion and inference rules do support the possibility of a term having a value not a member of its type. This may be done via a soundness proof for the rules with respect to an appropriate semantics. We present such a semantics and an outline of the soundness proof in Sections 6 and 7, respectively. First we must describe the syntax of the expressions we allow and present our inference rules more fully.

5 Syntax and Inference Rules

In this section we describe the subset of Z expressions that we are concerned with, and our expansion and inference rules relating to this subset. We refer to all allowed syntactic objects as "expressions", distinguishing between "predicates" (i.e. propositions) and "terms", as opposed to "predicates" and "expressions".

5.1 The Syntax of Expressions

Types:

\[ \mathit{Type} ::= \mathit{TypeName} \mid \mathbb{P}\,\mathit{Type} \mid \mathit{Type} \times \cdots \times \mathit{Type} \]

$\mathit{TypeName}$ denotes a given set.

Declarations:

\[ \mathit{Decl} ::= \mathit{BasicDecl};\ \ldots;\ \mathit{BasicDecl} \]

\[ \mathit{BasicDecl} ::= \mathit{DeclName}, \ldots, \mathit{DeclName} : \mathit{Term} \]

Each $\mathit{DeclName}$ is said to be introduced by the declaration; its type is $T$ if the type of $\mathit{Term}$ is $\mathbb{P}T$.

Terms:

\[ \mathit{Term} ::= \mathit{Const} \mid \mathit{FreeVar} \mid \mathit{Tuple} \mid \mathit{TupleSel} \mid \mathit{Application} \mid \mathit{SetExp} \]

$\mathit{Const}$ is a name introduced by a declaration within a specification, while $\mathit{FreeVar}$ is a free variable, a name introduced by either a declaration within a sequent or a quantification in a predicate (e.g. all occurrences of $x$ in the $P$ part of $\forall x : \mathbb{N} \bullet P$; all occurrences of $x$ are said to be bound in $\forall x : \mathbb{N} \bullet P$).

\[ \mathit{Tuple} ::= (\mathit{Term}, \ldots, \mathit{Term}) \]

An $n$-tuple of terms $(t_1, \ldots, t_n)$, where $n \geq 2$, may be abbreviated $t$; the type of $(t_1, \ldots, t_n)$ is $T_1 \times \cdots \times T_n$, where $T_i$ is the type of $t_i$.

\[ \mathit{TupleSel} ::= t.i \]

where $t$ is a term of type $T_1 \times \cdots \times T_n$ for some $n$, and $i$ is a value of $\mathbb{N}$ between 1 and $n$.

\[ \mathit{Application} ::= f\ \mathit{Term} \]

where $f$ is a $\mathit{Term}$ of type $\mathbb{P}(T_1 \times T_2)$ and $\mathit{Term}$ has type $T_1$; the type of the application is $T_2$.

\[
\begin{array}{rl}
\mathit{SetExp} ::= & \mathit{SetName} \mid \{\mathit{Term}, \ldots, \mathit{Term}\} \mid \{\mathit{Decl} \mid \mathit{Pred}\} \mid \{\mathit{Decl} \mid \mathit{Pred} \bullet \mathit{Term}\} \\
 \mid & \mathbb{P}\,\mathit{SetExp} \mid \mathit{SetExp} \times \cdots \times \mathit{SetExp}
\end{array}
\]

A $\mathit{SetName}$ is a declared name (possibly a $\mathit{TypeName}$) of type $\mathbb{P}T$ for some $\mathit{Type}$ $T$. The elements of a set must all have the same type $T$; the type of the set is then $\mathbb{P}T$.

Predicates:

\[
\begin{array}{rl}
\mathit{Pred} ::= & \mathit{true} \mid \mathit{false} \mid R\ \mathit{Term} \mid \mathit{Term} = \mathit{Term} \mid \mathit{Term} \in \mathit{Term} \\
 \mid & \lnot \mathit{Pred} \mid \mathit{Pred} \land \mathit{Pred} \mid \mathit{Pred} \lor \mathit{Pred} \mid \mathit{Pred} \Rightarrow \mathit{Pred} \mid \mathit{Pred} \Leftrightarrow \mathit{Pred} \\
 \mid & \forall \mathit{Decl} \bullet \mathit{Pred} \mid \exists \mathit{Decl} \bullet \mathit{Pred} \mid \exists_1 \mathit{Decl} \bullet \mathit{Pred}
\end{array}
\]

where $R$ is a relation symbol ($R\ \mathit{Term}$ is, of course, not an application). Such relational predicates may be represented with infix notation, as in $2 < 3$.

5.2 The Inference Rules

We describe our inference rules in terms of sequents, here expressions of the form $D \mid \Gamma \vdash \Delta$ (we omit generic parameters), where $D$ is a declaration, and $\Gamma$, called the antecedents, and $\Delta$, called the consequents, are finite lists representing sets of Z predicates separated by commas. Our rules are closely based upon those of CADiZ. However, apart from the necessary modifications of CADiZ's inference and expansion rules indicated above, we have simplified several of CADiZ's rules to take account of our more restricted language; in particular, since we have not included $\mu$ expressions in our subset, we combine into one inference CADiZ's expansion of a function application into a $\mu$ expression and its $\mu$-tac inference rule.

We omit from our proof system explicit inference rules for $\Rightarrow$, $\Leftrightarrow$, $\exists$ and $\exists_1$, making the assumption that predicates involving these logical symbols are merely abbreviations for others involving only $\lnot$, $\lor$, $\land$, $\forall$ and, in the case of $\exists_1$, $=$. As is usual in the descriptions of sequent proof systems for Z, we also omit from the sequents in our rules any information that is not relevant to the inference.

Our inference rules have either the form

\[ \frac{H}{C}, \]

where $H$ is a collection of sequents referred to as the hypotheses and $C$ is a sequent referred to as the conclusion, or the form

\[ \frac{}{C}, \]

denoting axioms (inference rules without hypotheses). We denote by $P(t)$ the fact that the predicate $P$ contains the term $t$, and by $P[s/t]$ the replacement of $t$ with $s$. A substitution of an $n$-tuple of terms $t$ for an $n$-tuple of free variables $x$ within a predicate $P$ is denoted $P\{x \mapsto t\}$.

Tautologies: We have as axioms

\[ \mid \mathit{False} \vdash \qquad\qquad \vdash \mathit{True} \]

Declaration normalisation: For a set or type expression $\tau$, we have

\[ \frac{x : \tau \mid x \in \tau \vdash}{x : \tau \vdash} \]

Function-application expansion: Let $P$ be a predicate containing an application $f\,t$, let $\tau(s)$ denote the type of the term $s$, and let $F$ abbreviate $(t, x) \in f$. We have:

\[ \frac{\vdash \exists_1 x : \tau(f\,t) \bullet F,\ P(f\,t) \qquad \mid \exists_1 x : \tau(f\,t) \bullet F \vdash \exists x : \tau(f\,t) \bullet F \land P[x/f\,t]}{\vdash P(f\,t)} \]

\[ \frac{\mid P(f\,t) \vdash \exists_1 x : \tau(f\,t) \bullet F \qquad \mid \exists_1 x : \tau(f\,t) \bullet F,\ \exists x : \tau(f\,t) \bullet F \land P[x/f\,t] \vdash}{\mid P(f\,t) \vdash} \]

Equality reasoning: For $=$ we have an axiom and two pairs of inference rules:

reflection:

\[ \vdash t = t \]

commutation:

\[ \frac{\vdash s = t}{\vdash t = s} \qquad\qquad \frac{\mid s = t \vdash}{\mid t = s \vdash} \]

Leibniz:

\[ \frac{\mid s = t,\ P[s/t] \vdash}{\mid s = t,\ P(t) \vdash} \qquad\qquad \frac{\mid s = t \vdash P[s/t]}{\mid s = t \vdash P(t)} \]

Connectives:

$\lnot$ introduction:

\[ \frac{\mid P \vdash}{\vdash \lnot P} \qquad\qquad \frac{\vdash P}{\mid \lnot P \vdash} \]

$\lor$ introduction:

\[ \frac{\vdash P,\ Q}{\vdash P \lor Q} \qquad\qquad \frac{\mid P \vdash \qquad \mid Q \vdash}{\mid P \lor Q \vdash} \]

$\land$ introduction:

\[ \frac{\mid P,\ Q \vdash}{\mid P \land Q \vdash} \qquad\qquad \frac{\vdash P \qquad \vdash Q}{\vdash P \land Q} \]

$\forall$ quantifier:

$\forall$ introduction:

\[ \frac{D' \vdash P}{\vdash \forall D \bullet P}, \]

where $D'$ is $D$ with any variables renamed to avoid clashes with names introduced by declarations in the specification or in the conclusion.

$\forall$ substitution:

\[ \frac{\mid (\forall D \bullet P) \land (Q \Rightarrow P'\{x \mapsto t\}) \vdash}{\mid \forall D \bullet P \vdash}, \]

where $x$ is the $n$-tuple of variables introduced by $D$, $t$ is an $n$-tuple of terms, $Q$ is a conjunction of memberships $t_i \in S_i$ for each declaration $x_i : S_i$ in $D$, and $P'$ is $P$ with any bound variables renamed to avoid clashes with names occurring in $t$. This rule combines CADiZ's quantification tac tactic, onepoint rule, and absorption rules.

The inference rules are applied backwards in CADiZ to reduce a goal to subgoals. Thus, in particular, the introduction rules become elimination rules.

Expansions: An expansion rule $X = Y$ is a law that allows any instance of $X$ to be replaced by $Y$. We assume that these laws are meta-level (expressed outside Z, like the inference rules), but always produce Z expressions. Our expansion rules for memberships are exactly as in CADiZ; for example, $S \in \mathbb{P}S'$, for set expressions $S$ and $S'$, may be expanded to $\forall x : S \bullet x \in S'$. However, we replace CADiZ's expansion rule for set equality as indicated in Section 4.2.

This new expansion rule is, of course, entirely reasonable, as is our rule of normalisation; it is unfortunate that set equality cannot be defined as equivalence of membership (say, $\forall x \bullet x \in S \Leftrightarrow x \in S'$), as in classical set theory [4], but then we would need a type for $x$, and this would take us back to CADiZ's definition. More importantly, when new concepts (and corresponding expansion rules) are introduced, such as $\subseteq$, we must be careful to ensure that they satisfy the expected properties. For example, $\subseteq$ should be defined by a law with the same expansion as membership of $\mathbb{P}$. If, instead, it is defined by

\[ S \subseteq S' \Leftrightarrow \forall x : T \bullet x \in S \Rightarrow x \in S', \]

where $\mathbb{P}T$ is the type of $S$ and $S'$, then we will no longer have

\[ S \in \mathbb{P}S' \Leftrightarrow S \subseteq S' \]

as a consequence of our proof system (though CADiZ's unchanged normalisation rule would allow this equivalence to be proven). For example, we would have trivially $\{f\,o\} \subseteq \mathit{nats}$ (assuming $f\,o$ has type $\mathit{nats}$), but not necessarily $\{f\,o\} \in \mathbb{P}\,\mathit{nats}$. We will discuss this issue further in Section 8.

6 The Semantics of the Subset

In this section we will describe what we believe to be an intuitively straightforward and natural semantics for the expressions of our subset of Z. This semantics provides a meaning for terms that may not be assigned a value of their type. We will subsequently show that our expansion and inference rules are sound with respect to this semantics.

As mentioned previously, since our principal goal is merely to describe the meaning of partial-function applications in the context of a substantial subset of Z, our semantic "target language" will be an informal set-theoretic one, which itself includes disjoint "types" $T_1^*, T_2^*, \ldots$ for each Z type expression $T_1, T_2, \ldots$. We do not concern ourselves with the interpretation of such a language, in particular the sets $T_1^*, T_2^*, \ldots$, in terms of, say, ZF set theory, this being a problem to be resolved by the Z standards committee.

In our semantics, we follow the "classical" approach discussed by Arthan [2], where undefined expressions are assigned some element of the appropriate type. However, in order to allow a well-typed function application to "return a value" not a member of the function's range type, we distinguish `having type $T$' from `being a member of $T$'. We formalise this as follows.

Let $\Sigma$ be a well-typed specification involving a type $T$. In an interpretation for $\Sigma$ we assign a set $T^*$ to $T$, constructed according to the form of $T$ as follows.

• If $T$ is a given set, then $T^*$ is the union of two (possibly empty) disjoint sets $T^+ \cup T^-$.

• If $T$ is a power set $\mathbb{P}\,T_1$, then $T^* == \mathbb{P}\,T_1^*$.

3rd Northern Formal Methods Workshop, 1998 12

  

• If $T$ is a product $T_1 \times \cdots \times T_n$, then $T^* == T_1^* \times \cdots \times T_n^*$.

Note that $+$ and $-$ are operators applied to the set $T^*$ to produce a subset; it is not strictly necessary to treat $+$ and $-$ as operators (we might have defined $T^*$ to be $T^+ \cup T^-$), but the operator view simplifies the presentation of the meaning of membership `$\in$' below. However, we will often abbreviate $T^{*+}$ and $T^{*-}$ to, respectively, $T^+$ and $T^-$. Informally, $T^+$ and $T^-$ may be interpreted as, respectively, the defined values of $T$ and the undefined values of type $T$. It is preferable, however, to view elements of $T^-$ not as undefined values, but as, say, "super values" of type $T$, since they may have various properties assigned to them; for example, if $f\,0$ is an "undefined" expression of type $\mathbb{A}$, and $g$ is a function from $\mathbb{A}$ to $\mathbb{A}$, then we may have $g\,(f\,0) = 0$ without inconsistency arising.

Any set expression $S$ introduced by a specification will have a type $\mathbb{P}\,T$, and will thus be assigned a subset of $T^*$ in an interpretation. For example, $\{f\,o\}$, with type $\mathbb{P}\,nats$, will be assigned the set consisting of the value of $f\,o$ (whether this value is in $nats^+$ or $nats^-$). If $S$ is a non-type set expression whose type is the powerset of a given set $G$, and $S^*$ is the set assigned to $S$ in an interpretation, then the application of $+$ to $S^*$ simply produces $S^*$ itself; clearly, $S^+$ may or may not be a subset of $G^+$. We also define $(\mathbb{P}\,\sigma)^+ == \mathbb{P}\,\sigma^+$ and $(\sigma_1 \times \cdots \times \sigma_n)^+ == \sigma_1^+ \times \cdots \times \sigma_n^+$ for any types or sets $\sigma, \sigma_1, \ldots, \sigma_n$ in the models, analogously to $*$. Similarly, for values $v_1, \ldots, v_n$, $(v_1, \ldots, v_n)^+ = (v_1^+, \ldots, v_n^+)$. For any other interpretation value $v$ we define $v^+ == v$.

In the following, we view any name $n$ introduced by a declaration $n : S$ within a Z specification as a constant of the appropriate type, and thus assign a single meaning to it in any interpretation. Names introduced by declarations in sequents, on the other hand, are viewed as free variables, and for a sequent to be "valid" it must be "true" in every interpretation under all well-typed assignments to its free variables.

We are now able to define the meaning of our Z expressions in an interpretation $I$, under an assignment $[d]$ to any free-variable occurrences. In the following, let $S, S_i$ denote set expressions, $D$ denote a declaration, $P, Q$ denote predicates, $a$ denote a free variable or a constant, $x, x_i$ denote free variables, $c$ denote a constant, $s, t, t_i$ denote terms, $f$ denote a term of type $\mathbb{P}(T \times T')$ for some $T, T'$, and $R$ denote a relation symbol. In the language of our models we use the same symbols $\mathbb{P}$, $\times$ and brackets $\{, \}, (, )$ as are used in Z, since no confusion should arise. However, because the relationship between $\in$ of Z and membership in the models is not straightforward, we use $\varepsilon$ for membership in the model language. The symbol $==$ is our metalogical equality. The total function $App$ is defined as before.

Declarations:

$I(D_1; \ldots; D_n)[d] == I(D_1 \wedge \ldots \wedge D_n)[d]$

$I(a_1, \ldots, a_n : S)[d] == I(a_1 \in S \wedge \ldots \wedge a_n \in S)[d]$

Terms:

$I(c)[d] == c_I$, an element of $T^*$, where $T$ is the type of $c$.

$I(x_i)[d] == d_i$, the $i$th element of $[d]$

$I((t_1, \ldots, t_n))[d] == (I(t_1)[d], \ldots, I(t_n)[d])$

$I(t.i)[d] == I(t_i)[d]$, where $t_i$ is the $i$th element of the tuple $t$.


$I(f\,t)[d] == App(I(f)[d], I(t)[d])$

$I(\{t_1, \ldots, t_n\})[d] == \{I(t_1)[d], \ldots, I(t_n)[d]\}$

$I(\{x : S \mid P\})[d] == \{y \mid y\,\varepsilon\,I(S)[d]^+;\ I(P)[d; y]\}$, where $y$ is a meta-language variable assigned to $x$.

$I(\{D \mid P \bullet t\})[d] == \{I(t)[d; v] \mid I(D)[d; v];\ I(P)[d; v]\}$, where $v$ is a sequence of meta-language variables $v_1, \ldots, v_m$ assigned to the variables introduced by $D$.

$I(\mathbb{P}\,S)[d] == \mathbb{P}(I(S)[d])$

$I(S_1 \times \cdots \times S_n)[d] == I(S_1)[d] \times \cdots \times I(S_n)[d]$

Predicates:

$I(true)[d] == True$

$I(false)[d] == False$

$I(\neg P)[d] == True$ iff $I(P)[d] == False$

$I(P \vee Q)[d] == True$ iff $I(P)[d] == True$ or $I(Q)[d] == True$

$I(P \wedge Q)[d] == True$ iff $I(P)[d] == True$ and $I(Q)[d] == True$

$I(t \in S)[d] == True$ iff $I(t)[d]^+\,\varepsilon\,I(S)[d]^+$

$I(R\,t)[d] == True$ iff $I(t)[d]^+\,\varepsilon\,I(R)[d]$

$I(s = t)[d] == True$ iff $I(s)[d]^+ == I(t)[d]^+$

$I(\forall x : S \bullet P)[d] == True$ iff $I(P)[d; a] == True$ for all $a\,\varepsilon\,I(S)[d]^+$

In the final equation, $a$ is assigned to any occurrences of $x$ in $P$. The meaning of more general universal quantifications (e.g. $\forall x, y : S;\ z : S' \bullet P$) is similar.

Example:

$I(\{x : \mathbb{N} \mid \neg\, x = 0 \bullet f\,x\}) == \{f_I(y) \mid y\,\varepsilon\,\mathbb{N}^+;\ y \neq 0_I^+\}$

$== \{f_I(y) \mid y\,\varepsilon\,\mathbb{N}^+;\ y \neq 0_I\}$

where, in the standard model, $\mathbb{N}^+$ is the set of natural numbers and $0_I$ is zero.

$I(f\,0 = succ(f\,0)) == (App(I(f), 0_I) == App(succ_I, App(I(f), 0_I)))$.

We may now define models and consequence in the usual way.

Definition: An interpretation $I$ is said to be a model of a specification $\Sigma$ if all the axioms in $\Sigma$ are satisfied by $I$ (i.e. have the value $True$ in $I$).

In a model (if one exists) of a specification including

$f : \mathbb{N} \nrightarrow \mathbb{N}$ and $f\,0 = succ(f\,0)$,

the value of $App(f_I, 0_I)$ will be non-numeric, but of type $\mathbb{A}$.

Definition: Let $X = (x_1, \ldots, x_n)$ be the sequence of free variables occurring in the declarations $D$ in the conjecture $D \mid \Gamma \vdash \Delta$. Then the conjecture is said to be a consequence of a specification $\Sigma$ if every model of $\Sigma$ satisfies $\hat{\Gamma} \Rightarrow \check{\Delta}$ under all assignments $[d_1, \ldots, d_n]$ to $X$, where $\hat{\Gamma}$ is the conjunction of the members of $\Gamma$ and $\check{\Delta}$ is the disjunction of the members of $\Delta$.

For example, $(0, 0) \in f$ does not follow from the specification

$[f : \mathbb{N} \nrightarrow \mathbb{N} \mid f\,0 = 0]$,

since $App(f_I, 0_I)$ must be equal to $0_I$ in any model of the specification, but $(0_I, 0_I) \in f_I$ need not hold.


7 Soundness of our Rules

In this section we demonstrate that our expansion and inference rules are consistent with the above semantics, via a soundness proof, and contrast this with the CADiZ rules. This should make sense of our semantics from the perspective of a typical Z/CADiZ user.

We say that an inference rule is sound if, whenever the hypotheses are a consequence of a specification, so is the conclusion. By an induction on proof structures we may show that soundness of our inference rules implies that our proof system is sound in the sense that, if a sequent $X$ is proven from a specification $\Sigma$, then $X$ is a consequence of $\Sigma$ (cf. [3]). We thus concern ourselves merely with the soundness of our rules.

If we translate a conjectural sequent $D \mid \Gamma \vdash \Delta$, for non-empty $\Gamma$ and $\Delta$, into the Z sentence $\forall D \bullet \hat{\Gamma} \Rightarrow \check{\Delta}$, then the sequent is a consequence of a specification $\Sigma$ iff the sentence is $True$ in every model of $\Sigma$. If $\Gamma$ and/or $\Delta$ is empty, we may replace them by, respectively, $true$ and $false$ in the corresponding sentence. We may thus show that, for each inference rule, if the hypotheses (translated into sentences) are $True$ in every model of $\Sigma$, then so is the conclusion. We signify that a sentence $S$ is $True$ in all models of a specification $\Sigma$ by $\Sigma \models S$.

Theorem: Our inference rules are sound.

Proof:

Tautologies: The tautologies are clearly $True$ in all models, and thus sound when viewed as axioms.

Normalisation: This rule is sound if $\forall x : S \bullet (x \in S \wedge \varphi) \Rightarrow \psi \models \forall x : S \bullet \varphi \Rightarrow \psi$, for arbitrary Z predicates $\varphi$ and $\psi$, and set or type expression $S$. With the assignment $[d]$ omitted for brevity, the meaning of the antecedent in an interpretation is

$\forall y \bullet y\,\varepsilon\,I(S)^+ \Rightarrow ((y\,\varepsilon\,I(S)^+ \wedge I(\varphi)) \Rightarrow I(\psi))$,

but this simplifies to

$\forall y \bullet y\,\varepsilon\,I(S)^+ \Rightarrow (I(\varphi) \Rightarrow I(\psi))$,

which is the meaning of the consequent.

Function-application expansion: For a "function" $f\,\varepsilon\,\mathbb{P}(T_1^* \times T_2^*)$, and argument $a\,\varepsilon\,T_1^*$,

$App(f, a) ==$ the unique $z$ such that $(a, z)\,\varepsilon\,f$ if such a $z$ exists.

The first hypothesis of each inference rule for function application is concerned with showing that such a $z$ exists for the function expression $f$ and argument $t$. If it does exist, then we may assume its unique existence, and replace $P(f\,t)$ by its equivalent $\exists x : \ \bullet\ f\,t\ \ F \wedge P\,x = f\,t$, which is what the second hypothesis of each inference rule does.

Equality reasoning: The inference rules of reflection, commutation, and Leibniz are clearly sound for the equality of non-type terms, since the meaning of such a term of type $T$ is simply some element of $T^*$, and the meaning of equality over $T^*$ in a model is the "identity" relation over $T^*$. Equality of types also satisfies these rules, since if $T_1^+ = T_2^+$, then $T_1^* = T_2^*$ by the disjointness of the model types, and so the interpretation of equality is again the identity relation. The only difficult case is the equality of sets with types. If we have, for instance, $S = T$ in our specification, where $S$ is a set expression and $T$ is a type expression, then this implies that the meaning of $S$ in a model is the same as $T^+$, not $T^*$; we do not have identity in the model. However, commutation clearly holds, and Leibniz holds because the meanings of $\in$, $=$, and so on, refer only to the sets $S^+$ for any set or type $S$, so the meaning of any predicate will be unchanged by the replacement of $S$ by $T$ (or vice versa) if $I(S)^+$ and $T^+$ are the same.

Connectives: The soundness of these is straightforward.

$\forall$ quantifier: $\forall$ introduction is sound, since $\forall D \bullet true \Rightarrow P$ is equivalent to $true \Rightarrow \forall D \bullet P$. The soundness of $\forall$ substitution holds because

$Q \Rightarrow (P\{x \to t\} \Rightarrow \psi) \models (\forall D \bullet P) \Rightarrow \psi$,

where $D, P, Q, x$ and $t$ are as in the inference rule, and $\psi$ is any predicate.

Membership Expansion: We justify only the expansion of powerset membership, leaving the other cases to the reader. Essentially, $S_1 \in \mathbb{P}\,S_2$ means $S_1^+\,\varepsilon\,\mathbb{P}\,S_2^+$, while $\forall x : S_1 \bullet x \in S_2$ means $\forall x \bullet x\,\varepsilon\,S_1^+ \Rightarrow x\,\varepsilon\,S_2^+$. These are clearly equivalent according to the usual meanings of $\varepsilon$, $\mathbb{P}$, and so on.

Set-Equality Expansion: Essentially, $S_1 = S_2$ means $S_1^+ = S_2^+$, while the meaning of $\forall x : S_1 \bullet x \in S_2$ is as above, and similarly for $\forall x : S_2 \bullet x \in S_1$. Clearly, the meanings of the two sides of the expansion are equivalent.

The original CADiZ normalisation rule is unsound with respect to our semantics, since $t \in S \Rightarrow t \in T$, where $T$ is the type of $t$, may be false. The original CADiZ set-expansion rule is unsound with respect to our semantics, since $S$ and $S'$, with type $\mathbb{P}\,T$, may have the same elements from $T$, and thus be the same according to the CADiZ rule, but may have different elements of type $T$; for example, $S$ might be $\{f\,o\}$ and $S'$ might be $\{f\,(s\,o)\}$, where $I(f\,o) \neq I(f\,(s\,o))$ and neither $f\,o$ nor $f\,(s\,o)$ is in their type $nats$.

8 Properties of the Semantics

In our semantics, $t = t$ always holds, but a conjecture such as $\exists x : \mathbb{A} \bullet f\,0 = x$, where $f$ has the declaration $f : \mathbb{A} \nrightarrow \mathbb{A}$, may not hold. Applying existential instantiation with $x$ bound to $f\,0$ results in an identity, $f\,0 = f\,0$, apparently proving the conjecture. However, there is a side condition to be proven, namely $f\,0 \in \mathbb{A}$, and this membership may not hold according to our semantics, since the fact that $f\,0$ has type $\mathbb{A}$ does not imply that $f\,0 \in \mathbb{A}$.

As an example where "non-terminating" functions are involved, consider the following specification, based upon an example given by Smolka and Nutt [7]:

$[f : \mathbb{N} \nrightarrow \mathbb{N} \mid \forall n : \mathbb{N} \bullet f\,n = succ(f\,n)]$

If $f$ had been declared to be a total function, then it would be possible to prove

$\vdash f\,0 \leq f\,0 \wedge \neg\, f\,0 \leq f\,0$,

a contradiction, but this is not surprising since a consequence of the axiom "defining" $f$ is that $f$ has no numeric value for any natural-number argument. This is a problem for Smolka and Nutt since they have only total functions; to solve the problem they introduce an error element and make $f$ total on the set $?\mathbb{N} = \mathbb{N} + \{error\}$. However, since $f$ is defined as partial, no contradiction arises in our semantics. The reason the attempted proof of the contradiction fails is that (again) a membership constraint arises, $f\,0 \in \mathbb{N}$.

These properties of our semantics seem reasonable, but there are other properties that may appear anomalous. Firstly, our "undefined" values may have properties, apparently contradicting their undefined status. For example, we might have $g\,(f\,0) = 0$ as an axiom, though $f\,0$ has no value in its range (i.e., is "undefined"). However, this holds for function applications that are undefined merely in the sense that they have not been explicitly assigned a value. For example, we might have $f\,0 > 3$ as an axiom, though $f\,0$ has no explicit value according to the specification; that is, a model might assign any element of $\mathbb{N} \setminus \{0, 1, 2, 3\}$ to $f\,0$. We preempted this argument by pointing out that our "undefined" values should more accurately be referred to as "super" values.

A second, more disconcerting, aspect of our semantics is that our super values may have counterintuitive properties.

Example: Suppose we have a relation $> : \mathbb{P}(\mathbb{N} \times \mathbb{N})$, a function $f : \mathbb{N} \nrightarrow \mathbb{N}$, and the usual axiom for $>$, $\forall x : \mathbb{N} \bullet \neg\, x > x$. No contradiction arises if we add to a specification with just these declarations and axiom the properties $f\,0 > 0$ and $f\,0 < 0$, the reason being that, to contradict the given axiom, $f\,0$ must be assigned a value in $\mathbb{N}$, and there are models in which it is not assigned such a value.

Our first justification for this apparently anomalous result is that $f\,0$ has the unexpected properties only because it has been assigned them by the specification. Of course, even if the axioms $f\,0 > 0$ and $f\,0 < 0$ had not been added to the specification, there would still be models of the original specification in which they hold, but, in that case, we would not be able to prove that they hold as a consequence of the specification.

Secondly, we argue that the counter-intuitive nature of this result partly arises from the choice of the symbol $>$ for our relation. Consider a specification in which we have a relation $R : \mathbb{P}(\mathbb{A} \times \mathbb{A})$, and the axiom $\forall x : \mathbb{N} \bullet \neg\, R(x, x)$; clearly no contradiction arises (formally or intuitively) if we add $R(1 \div 2, 1 \div 2)$, where `$\div$' denotes division: a model for this specification is one in which $R$ is assigned the relation $\forall x, y : \mathbb{A} \bullet x\ \ y$; however, $1 \div 2 > 1 \div 2$ would have been disconcerting. Of course, Z users will typically wish to use suggestive names and symbols such as $>$ for their relation and function symbols; the point is that, since a relation is always declared over a set of, for example, pairs, the specifier cannot expect all defined properties of the relation to hold over objects not in that set, and these objects include the super values in our semantics.
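The semantics of Section 6 (the operator $+$, $App$, $\in$ and $\forall$ ranging over $T^+$ only) and the two examples in this section (the Smolka and Nutt axiom $f\,0 = succ(f\,0)$, and the relation $>$ applied to a super value) can be checked mechanically on a small finite model. The Python below is an added example and is not code from the paper or from CADiZ; the finite carrier $N^+ = \{0, \ldots, 7\}$, the super values `w1` and `w2`, the graphs chosen for `f`, `succ` and `>`, and the "arbitrary" values assigned to applications with no pair in the graph are all constructed here for the illustration.

```python
"""Finite model of the I semantics of Section 6, restricted to one given type N.

Added example, not code from the paper or from CADiZ.  The carrier N* = N+ ∪ N-,
the super values w1 and w2, the graphs of f, succ and >, and the 'arbitrary'
values chosen for undefined applications are all constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Super:
    """A super value of type N: it lies in N* = N+ ∪ N- but not in N+."""
    name: str


N_PLUS = frozenset(range(8))                       # constructed: the defined naturals
N_MINUS = frozenset({Super("w1"), Super("w2")})    # constructed: the super values
N_STAR = N_PLUS | N_MINUS
W1, W2 = sorted(N_MINUS, key=lambda v: v.name)


def plus(s):
    """The '+' operator: the type carrier N* yields N+; any other set is itself."""
    return N_PLUS if s == N_STAR else s


class Interp:
    """Interpretation of a symbol declared over N x N.

    graph  : the pairs actually in the relation.
    choice : the element of N* this model assigns to an application with no pair
             in the graph (the classical 'arbitrary value', fixed per model).
    """
    def __init__(self, graph, choice=None):
        self.graph = frozenset(graph)
        self.choice = dict(choice or {})

    def app(self, a):
        """App(f, a): the unique z with (a, z) in the graph if it exists, else the choice."""
        zs = [z for (x, z) in self.graph if x == a]
        if len(zs) > 1:
            raise ValueError("graph is not a function")
        return zs[0] if zs else self.choice[a]

    def holds(self, a, b):
        """R(a, b): (a, b)+ ε I(R); '+' is the identity on non-set values."""
        return (a, b) in self.graph


def member(t, s):
    """I(t ∈ S): t+ ε S+, with t+ == t for a non-set value t."""
    return t in plus(s)


def forall(s, pred):
    """I(∀x : S • P): P holds for every element of S+; super values are not ranged over."""
    return all(pred(a) for a in plus(s))


def exists(s, pred):
    """I(∃x : S • P), likewise ranging over S+ only."""
    return any(pred(a) for a in plus(s))


# succ_I: successor on N+ (the top of the finite carrier steps into N-), and fixed
# on the super values by this model's choice.
SUCC = Interp({(n, n + 1) for n in range(7)}, {7: W2, W1: W1, W2: W2})
# f_I for [f : N ↛ N | f 0 = succ(f 0)]: no pairs at all; App(f, 0) is the super value w1.
F_LOOP = Interp(set(), {a: W1 for a in N_STAR})
# f_I for [f : N ↛ N | f 0 = 0]: no pairs either; App(f, 0) is chosen to be 0.
F_ZERO = Interp(set(), {a: 0 for a in N_STAR})
# >_I: the usual order on N+, plus the pairs making f 0 > 0 and 0 > f 0 true for f 0 = w1.
GT = Interp({(a, b) for a in N_PLUS for b in N_PLUS if a > b} | {(W1, 0), (0, W1)})


def loop_axiom_holds():
    """f 0 = succ(f 0) is True: App(f, 0) == App(succ, App(f, 0)) == w1."""
    return F_LOOP.app(0) == SUCC.app(F_LOOP.app(0))


def loop_conjecture_fails():
    """∃x : N • f 0 = x is False, because the side condition f 0 ∈ N fails for w1."""
    f0 = F_LOOP.app(0)
    return not exists(N_STAR, lambda x: f0 == x) and not member(f0, N_STAR)


def loop_has_no_total_model():
    """Were f total, f 0 would be some n in N+ with succ n == n, which never happens."""
    return not any(SUCC.app(n) == n for n in N_PLUS)


def pair_membership_not_a_consequence():
    """f 0 = 0 holds while (0, 0) ∈ f does not: App(f, 0) is 0 without (0, 0) in the graph."""
    return F_ZERO.app(0) == 0 and not F_ZERO.holds(0, 0)


def super_value_orderings():
    """∀x : N • ¬ x > x holds, yet f 0 > 0 and 0 > f 0 both hold for the super value f 0."""
    f0 = F_LOOP.app(0)
    return (forall(N_STAR, lambda x: not GT.holds(x, x))
            and GT.holds(f0, 0) and GT.holds(0, f0))


if __name__ == "__main__":
    for check in (loop_axiom_holds, loop_conjecture_fails, loop_has_no_total_model,
                  pair_membership_not_a_consequence, super_value_orderings):
        print(f"{check.__name__}: {check()}")
```

The point of the model is that every check returns `True` at once: the looping axiom is satisfied, the existential conjecture and the pair membership are not consequences, and the irreflexivity axiom for `>` survives the addition of both orderings on `f 0`, exactly because quantification and membership look only at `N_PLUS` while `App` may return an element of `N_MINUS`.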

All these properties of our semantics have a counterpart in the alternative approach to partiality in which we modify, for instance, the concept of a free type within Z. For example, if we define $nats$ as a subset of the given type $nats^*$, and include the axiom $\forall x : nats \bullet \neg\, x > x$, then we may or may not have $f\,o > f\,o$ in any model in which $f\,o$ is assigned some value from $nats^* \setminus nats$. Similarly, the reinstatement, in the type-change approach, of the property $\forall x : T \bullet \exists y : T' \bullet f\,x = y \Rightarrow (x, y) \in f$, where $T, T'$ are types, and $f$ has type $\mathbb{P}(T \times T')$, as suggested in Section 4.1, is also possible in the semantic approach.


The relationship between the two approaches to partiality may be formalised as follows. Let $\Sigma$ be a specification with exactly the given types $T_1, \ldots, T_n$, and in which there is no use of the names $T_i^*$, $T_i^+$ or $T_i^-$ for any $i$. We derive from $\Sigma$ the specification $\Sigma^*$ by replacing the introduction of each given type $T_i$ with the introduction of the given type $T_i^*$, and by adding the declaration $T_i : \mathbb{P}\,T_i^*$ for each $T_i$. We also modify our semantics $I$ to $J$ by deleting all occurrences of `$+$' (our subset of Z thus becomes virtually its own semantics). If we represent logical consequence in our $I$ semantics with $\models_I$ and logical consequence in the $J$ semantics with $\models_J$, then for any Z predicate $\varphi$ in the language of $\Sigma$, we have

$\Sigma \models_I \varphi$ iff $\Sigma^* \models_J \varphi$.

The reason for this is that, since neither $\Sigma$ nor $\varphi$ makes reference to either the $T_i^*$, $T_i^+$ or $T_i^-$, we may correlate each $T_i^*$ with the $J$ interpretation of each $T_i^*$, and correlate, for each set expression $S$ in $\Sigma$ or $\varphi$, the $I$-set $S^+$ with the $J$ interpretation of $S$. We then have a correspondence between the two semantics for $\varphi$ and the expressions in $\Sigma$.
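A worked instance of this translation, added here and not taken from the paper: $nats$ is treated as a given type with a constant $o$ and a partial function $s$ (an assumption made for the illustration, as is the choice of $\varphi$), and $f$ is a partial function on it.

$$\Sigma:\quad [nats];\quad o : nats;\quad s : nats \nrightarrow nats;\quad f : nats \nrightarrow nats$$

$$\Sigma^*:\quad [nats^*];\quad nats : \mathbb{P}\,nats^*;\quad o : nats;\quad s : nats \nrightarrow nats;\quad f : nats \nrightarrow nats$$

Take $\varphi$ to be $f\,o \in nats$. Under the $I$ semantics, $\Sigma \models_I \varphi$ would require

$$App(f_I, o_I)^+\ \varepsilon\ nats^+ \quad\text{in every } I\text{-model of } \Sigma,$$

and under the $J$ semantics, $\Sigma^* \models_J \varphi$ would require

$$App(f_J, o_J)\ \varepsilon\ J(nats) \quad\text{in every } J\text{-model of } \Sigma^*, \text{ where } J(nats) \subseteq J(nats^*).$$

The correspondence pairs $nats^+$ with $J(nats)$ and $nats^*$ with $J(nats^*)$, and in this instance neither consequence holds: an $I$-model may place $App(f_I, o_I)$ in $nats^-$, and a $J$-model may place $App(f_J, o_J)$ in $J(nats^*) \setminus J(nats)$, since $f$ is partial and $\Sigma$ places no constraint on $f\,o$.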

This does not mean, however, that the approaches are, for all practical purposes, identical. One major difference is the relative difficulty in defining certain concepts, such as $\cup$, even if we suppose they are defined via expansion laws. In the first approach, we may define the union of any two arbitrary set expressions $S$ and $S'$ by

$\{x : T \mid x \in S \vee x \in S'\}$,

where $\mathbb{P}\,T$ is the type of $S$ and $S'$. This definition will not always produce the full union in the second approach, but only the union of the "defined" subsets. On the other hand, for practical applications we may wish to construct only the union of these defined subsets. For example, in the process of refinement, where we wish to construct a function satisfying our specification, it is likely that the desired domain for our function will be the maximal set over which the function's specification is total [10]. There seems to be no practical reason for constructing the full union of sets with undefined elements; the construction of such sets in this paper was purely for theoretical considerations.

One, as yet unresolved, difficulty with our semantic approach to partial-function application is that we cannot always simplify expressions involving undefined terms as we would like. For example, we cannot simplify the expression $(s\,o - o) + o$ via the equation $\forall x : nats \bullet x + o = x$, because we cannot show that $s\,o - o$ is in the type $nats$; the principal benefit of Arthan's approach [2] is that such expressions may be simplified, since $s\,o - o$ would be assumed to be in $nats$. One possible resolution to this problem is to allow untyped quantifiers³. For example, we might allow equations such as $\forall x \bullet x + o = x$. Any applied instance of predicates with untyped quantifiers must have appropriate types. For example, any applied instance, $t + o = t$, of the equation $\forall x \bullet x + o = x$, must be such that $t + o$ and $t$ are both well-typed terms and have the same type. This constraint on the application of predicates with untyped quantifiers should ensure that untyped quantifiers do not introduce the sort of problems (e.g. paradoxes) that typing is designed to eliminate [8]. Consequently, we are not advocating that all expressions be untyped.

³ Rob Arthan, private communication


9 Conclusions

We have argued that it is advantageous to be able to include in our specifications function applications that do not always return a value of the function's range, but have shown that this can make typical Z specifications inconsistent according to the usual (intuitive, if not yet formalised) semantics of Z. We have also presented two possible resolutions to this inconsistency problem, one involving a modification to our specifications, and the other a modification to our proof systems.

We have shown that the two approaches are closely related, and thus have some benefits in common. Neither imposes constraints on the meaning of a function itself; in particular, partial functions are not "totalised". Also, we do not have a "bottom" object, and do not have the problem of deciding whether or not our functions should be strict: the value of a function application to a super value is simply an element of the set assigned to the type of the function application. Perhaps most importantly, partial functions are not total from the perspective of function application.

The major disadvantage of the specification-change approach is that it is an imposition on the specifier, even if automated tools make the necessary changes. The inference-change approach avoids this problem, for the most part, but deviates from the classical view of and approach to reasoning about Z [8, 2, 9]. If either of these approaches is to be used in practice, preference will probably depend upon the perceived utility and pervasiveness in real specifications of non-total function application.

Irrespective of the acceptability of non-total function application, it is hoped that this paper has clarified the meaning of application in general, including the application of relations that are neither total nor partial functions. With respect to partial functions, Arthan [2] and Valentine [10] have argued that we may assign some member of their range types to any application to objects outside their domains. In this paper, we have shown further that this possibility is implicitly built in to current reasoning systems for Z such as CADiZ: while it is not immediately apparent that $f\,o$ is an element of the type $nats$ if $f$ is a partial function from $nats$ to $nats$, we have shown that it is possible to prove in CADiZ that $\{x : nats \mid true \bullet f\,x\}$ is a subset of $nats$. Thus, any other approach to partial-function application, such as the introduction of a bottom object $\bot$ or the one we have proposed, will entail modification of the inference rules of reasoners such as CADiZ.

There are several possible directions for future research. We have covered only a fairly small subset of Z, omitting, most prominently, schemas and generics; inclusion of these is paramount for the utility of our work to Z users. There is also more work to be done on the effects of non-total function application on the issues of refinement and inductive proof; recently, we have been developing an approach to proving inductive properties of partial functions that utilises the distinction our semantics makes between defined and undefined function applications. Completeness results for our proof rules with respect to the described semantics might also be developed: we should be able to show that our rules support the proof of all possible properties of partial functions, at least for subsets of Z. In addition, we need to consider further the problem of simplifying (rewriting) expressions involving undefined terms.


Acknowledgements

I would like to thank Ian Toyn for his detailed and helpful comments on successive versions of this paper, and to thank Ian, Rob Arthan, Robert Dormer, Alan Frisch, and Sam Valentine for our discussions of the ideas presented.

References

[1] J-R. Abrial. The B-Book: Assigning Meaning to Programs. Cambridge University Press, 1996.

[2] R.D. Arthan. Undefinedness in Z: issues for specification and proof. In CADE-13 Workshop on Mechanisation of Partial Functions. Springer, Rutgers University, New Brunswick, New Jersey, USA, 1996.

[3] H.B. Enderton. A Mathematical Introduction to Logic. Academic Press, 1972.

[4] H.B. Enderton. Elements of Set Theory. Academic Press, 1977.

[5] D.J. King and R.D. Arthan. Development of practical verification tools. Ingenuity - the ICL Systems Journal, 11, May 1996.

[6] Z. Manna. Mathematical Theory of Computation. Prentice-Hall International Editions, 1974.

[7] G. Smolka, W. Nutt, J.A. Goguen, and J. Meseguer. Order-sorted equational computation. In H. Ait-Kaci and M. Nivat, editors, Resolution of Equations in Algebraic Structures. Academic Press, 1989.

[8] J.M. Spivey. The Z Notation: A Reference Manual, Second Edition. Prentice Hall, 1992.

[9] I. Toyn. Proving conjectures using CADiZ. Available from the Department of Computer Science, University of York at the web address http://www.cs.york.ac.uk/~ian/cadiz/tutorials.html, 1997.

[10] S. Valentine. Inconsistency and undefinedness in Z - a practical guide. To appear in Proceedings of the 11th International Conference of Z Users, ZUM'98, 1998.

[11] C. Walther. Mathematical induction. In D.M. Gabbay, C.J. Hogger, and J.A. Robinson, editors, Handbook of Logic in Artificial Intelligence and Logic Programming, Vol. 2: Deduction Methodologies. Clarendon Press, Oxford, 1994.

[12] J. Woodcock and J. Davies. Using Z: Specification, Refinement and Proof. Prentice Hall, 1996.
