Formal Methods Unifying Computing Science and Systems Theory

View metadata, citation and similar papers at core.ac.uk brought to you by CORE

provided by Ghent University Academic Bibliography

Raymond BOUTE INTEC, Universiteit Gent B-9000 Gent, Belgium

ABSTRACT The typical formal rules used are those for arithmetic (associativity, distributivity etc.) plus those from calculus. Computing Science and Systems Theory can gain much Exploiting formality and the calculational style are from unified mathematical models and methodology, in taken for granted throughout most of applied mathematics particular formal reasoning (“letting the symbols do the based on algebra and calculus (although, as shown later, work”). This is achieved by a wide-spectrum formalism. common conventions still exhibit some serious defects). The language uses just four constructs, yet suffices to By contrast, logical reasoning in everyday practice by synthesize familiar notations (minus the defects) as well as mathematicians and engineers is highly informal, and of- new ones. It supports formal calculation rules convenient ten involves what Taylor [20] calls syncopation, namely for hand calculation and amenable to automation. using symbols as mere abbreviations of natural language, The basic framework has two main elements. First, a for instance the quantifier symbols ∀ and ∃ just standing functional predicate calculus makes formal logic practical for “for all” and “there exists”, without calculation rules. for engineers, allowing them to calculate with predicates The result is a severe style breach between “regular and quantifiers as easily as with derivatives and integrals. calculus”, usually done in an essentially formal way, and Second, concrete generic functionals support smooth tran- the logical justification of its rules, which even in the best sition between pointwise and point-free formulations, facil- analysis texts is done in words, with syncopation instead itating calculation with functionals and exploiting formal of calculation. As Taylor observes, the logical structure of commonalities between CS and Systems Theory. the arguments is thereby often seriously obscured. Elaborating a few small but representative examples This style breach pervades applied mathematics, and is show how formal calculational reasoning about diverse reflected in the methodological gap between classical Sys- topics such as mathematical analysis, program semantics, tems Theory, based on calculus, and Computer Science, transform methods, systems properties (causality, LTI), based on logic. As explained by Gries [13], although for- data types and automata provides a unified methodology. mal logic exists as a separate discipline, its traditional form Keywords Calculation, Computing Science, Concrete is drowned in technicalities that make it too cumbersome Generic Functionals, Formal Methods, Functional Predi- for practical use, but now calculational variants exist [12]. cate Calculus, Quantifiers, Systems Theory, Unification The rewards of bridging the gap are huge, namely making the symbols do the work, as nicely captured by the 1. INTRODUCTION maxim “Ut faciant opus signa” of the conference series on Mathematics of Program Construction [2]. Here we do Motivation: ut faciant opus signa not mean only (nor even primarily) using software tools, Computing Science and Systems Theory are fundamen- but also the guidance provided by the shape of the expres- tal to engineering in general [17] and ICT in particular. sions in mathematical reasoning, and the development of Complex systems heavily rely on both. Yet, the concep- a “parallel intuition” to that effect. This complements the tual frameworks and modelling techniques are (still) very usual “semantic” intuition, especially when exploring ar- divergent. The crucial loss is that the benefits of formal eas where the latter is clueless or still in development. reasoning are much underexploited. We briefly elaborate. Approach: Functional Mathematics (Funmath) Whoever enjoyed physics will recall the excitement A unifying formalism is presented that spans a wide appli- when judicious manipulation of formulas yielded results cation spectrum. A formalism is a language (or notation) not obtainable by mere intuition. Such manipulation, from together with formal rules for symbolic manipulation. polynomial factorization in high school to calculation with The language [5] is functional in the sense that func- derivatives and integrals in calculus, is essentially formal, tions are first-class objects and also form the basis for unifi- i.e., guided by the shape of the expressions. The usual style cation. It supports declarative (abstract) as well as opera- is calculational, namely, chaining expressions by relational tional (implementation) aspects throughout all mathemat- operators such as equality (“=”). An example is ics relevant to computer and systems engineering, and is

free of all defects of common conventions, including those F s +∞ e−|x|e−i2πxsdx ( ) = −∞ outlined by Lee and Varaiya [18] as discussed later. +∞ −x The formal rules are calculational, supporting the same = 2 0 e cos 2πxs dx

style from predicate logic through calculus. Thereby the = 2Re +∞ e−xei2πxsdx 0 conceptual and notational unification provided by the lan- −1 = 2Re i2πs−1 guage is complemented by unified methodology. 2 In particular, this enables engineers to formally cal- = 4π2s2+1 , (1) culate with predicates and quantifiers with the same ease taken from a classic engineering text by Bracewell [10]. and algebraic flavor as with derivatives and integrals.

84 Overview parentheses are never used as operators, but only for pars- The formalism is presented in section 2, which introduces ing. Rules for making them optional are the usual ones. If the language, its rationale and its four basic constructs, f is a function-valued function, fxy stands for (fx) y. and in section 3, which gives the general-purpose formal Let ⋆ be infix. Partial application is of the form a⋆ or rules, namely those for concrete generic functionals and for ⋆b, defined by (a⋆) b = a⋆b =(⋆b) a. Variadic application functional predicate calculus (quantifiers). Application ex- is of the form a ∗ b ∗ c etc., and is always defined to equal amples are given in section 4 for Systems Theory, section 5 F (a,b,c) for a suitably defined elastic extension F of ⋆. for Computing Science, and section 6 for common aspects. Abstraction: the form is b.e, where b is a binding Some concluding remarks are given in section 7. and e an expression (extending after “ . ” as far as com- patible with parentheses present). Intuitively, v : X ∧. p.e denotes a function whose domain is the set of v in X sat- 2. THE FORMALISM, PART A: LANGUAGE isfying p, and mapping v to e (formalized in section 3). Syntactic sugar: e | b for b.e and v : X | p for v : X ∧. p . v. Rationale: the need for defect-free notation A trivial example: if v does not occur (free) in e, we Notation is unimportant if and only if it is well-designed, define • by X • e = v : X.e to denote constant functions. but becomes a crucial stumbling block if it is deficient. Special cases: the empty function ε := ∅ .e (any e) and The criterion is supporting formal calculation: if during defining 7→ by e′ 7→ e = ιe′ • e for one-point functions. expression manipulation one has to be on guard for the We shall see how abstractions help synthesizing famil- defects, one cannot let the symbols do the work. iar expressions such as i : 0 .. n . qi and {m : Z | m < n}. In long-standing areas of mathematics such as algebra Tupling: the 1-dimensional form is e,e′,e′′ (any and analysis, conventions are largely problem-free, but not length), denoting a function with domain axiom entirely. Most important are violations of Leibniz’s princi- D (e,e′,e′′)= {0, 1, 2} and mapping axiom (e,e′,e′′)0= e ple, i.e., that equals may always be substituted for equals. and (e,e′,e′′)1= e′ and (e,e′,e′′)2= e′′. The empty tuple An example is ellipsis: writing dots as in a0 +a1 +. . .+an. 2 is ε and for singleton tuples we define τ with τe = 0 7→ e. By Leibniz’s principle, if ai = i and n = 7, this should Parentheses are not part of tupling, and are as optional equal 0+1+ . . . + 49, which most likely is not intended. in (m, n) as in (m+n). Matrices are 2-dimensional tuples. Other defects, also pointed out in [18], are related to writing function application when the function is intended, as in y(t)= x(t)∗h(t) where ∗ is convolution. This causes in- 3. THE FORMALISM, PART B: RULES stantiation to be incorrect, e.g., y(t−τ)= x(t−τ)∗h(t−τ). The formal calculation rules and gaining fluency with them In discrete mathematics the situation is worse, e.g.,

is the topic of a full course [7], so here we must be terse. for the sum- many conventions are mutually inconsistent and calculation rules are rarely given. Poorest are the con- Rules for equational and calculational reasoning ventions in logic and set theory used in daily practice. A The equational style of Eq. (1) is generalized to the format typical defect is abusing the set membership relation ∈ for e R′ hJustificationi′ e′ , (2) binding a dummy. Frequent patterns are {x ∈ X | p}, as in ′ {m ∈ Z | m < n}, and {e | x ∈ X}, as in {n · m | m ∈ Z}, where the R in successive lines are mutually transitive, where in the patterns p is boolean and e any expression. for instance =, ≤, etc. in arithmetic, ≡, ⇒ etc. in logic. The ambiguity is shown by taking y ∈ Y for p and e. De- In general, for any theorem p we have the rule fects like these prohibit formal rules and explain why, for v Instantiation: from p, infer p[e . (3) such expressions, syncopation prevails in the literature. v We write [e to express substitution of e for v, for instance, Funmath language design x,y (x + y = y + x)[ =3+(z +1)=(z + 1) + 3. We do not patch defects ad hoc, but generate correct forms 3,z+1 For equational reasoning (i.e., using = or ≡ only), the by orthogonal combination of just 4 constructs, gaining basic rules [12] are reflexivity, symmetry, transitivity and new useful forms of expression for free. The basis is func- ′ v v tional.A function f is fully defined by its domain D f and Leibniz’s principle: from e = e , infer d[e = d[e′ . (4) its mapping (image definition). Here are the constructs. For instance, x + 3 · y = hx = z2i z2 + 3 · y. Eq. (4) is Identifier: any symbol or string except colon, filter used by taking d := v + 3 · y and e := x and e′ := z2. mark, abstraction dot, parentheses, and a few keywords. Identifiers are introduced by bindings i : X ∧. p, read “i Rules for calculating with propositions and sets in X satisfying p”, where i is the (tuple of) identifier(s), Assume the usual propositional operators ¬, ≡, ⇒, ∧, ∨. X a set and p a proposition. The filter ∧. p (or with p) is For a practical calculus, a much more extensive set of rules optional, e.g., n : N and n : Z ∧. n ≥ 0 are interchangeable. is needed than given in classical texts on logic, so we refer Identifiers from i should not appear in expression X. to Gries [12]. Note that ≡ is associative, but ⇒ is not. We Shorthand: i := e stands for i : ιe. We write ιe, not make parentheses in p ⇒ (q ⇒ r) optional, hence required {e}, for singleton sets, using ι defined by e′ ∈ ιe ≡ e′ = e. in (p ⇒ q) ⇒ r. Embedding binary algebra in arithmetic Identifiers can be variables (in an abstraction) or con- [3, 4], logic constants are 0 and 1, not False and True. ′ v v stants (declared by def binding). Well-established sym- Leibniz’s principle can be rewritten e = e ⇒ d[e = d[e′ . bols, such as B, ⇒, R, +, serve as predefined constants. For sets, the basic operator is ∈. The rules are derived Application: for function f and argument e, the de- ones, e.g., defining ∩ by x ∈ X∩Y ≡ x ∈ X∧x ∈ Y and × fault is fe; other conventions are specified by dashes in by (x,y) ∈ X × Y ≡ x ∈ X ∧ y ∈ Y . After defining {—}, x the operator’s binding, e.g., — ⋆ — for infix. For clarity, we shall be able to prove y ∈ {x : X | p} ≡ y ∈ X ∧ p[p .

85 Set equality is defined via Leibniz’s principle, written Let p and q be propositions, then p, q is a predicate as an implication: X = Y ⇒ (x ∈ X ≡ x ∈ Y ) and the and ∀ (p, q) ≡ p ∧ q. So ∀ is an elastic extension of ∧ and converse, extensionality, written here as an inference rule: we define variadic application by p ∧ q ∧ r ≡ ∀ (p,q,r) etc. from x ∈ X ≡ x ∈ Y , infer X = Y , with x a new variable. Letting P be an abstraction v : X.p yields the familiar This rule is strict, i.e., the premiss must be a theorem. form ∀ v : X.p, as in ∀ x : R .x2 ≥ 0. For every algebraic Rules for functions and generic functionals law, most elegantly stated in point-free form, a matching We omit the design decisions, to be found in [5] and [8]. In pointwise (familiar-looking) form is obtained in this way. what follows, f and g are any functions, P any predicate Derived rules All laws follow from Eq. (10) and func- (B-valued function, B := {0, 1}), X any set, e arbitrary. tion equality. A collection sufficient for practice is derived Function equality and abstraction Equality is de- in [7]. Here we only give some examples, starting with a fined via Leibniz’s principle (taking domains into account) characterization of f = g without inference rules: f = g ⇒ D f = D g ∧ (x ∈ D f ∩ D g ⇒ fx = gx), and f = g ≡ D f = D g ∧ ∀ x : D f ∩ D g.fx = g x . (11) extensionality as a strict inference rule: with new x, from p ⇒ D f = D g ∧ (x ∈ D f ∩ D g ⇒ fx = gx), infer Another example is duality (generalizing De Morgan law) p ⇒ f = g. ¬∀ P = ∃ (¬ P ) ¬ (∀ v : X.p) ≡ ∃ v : X . ¬ p . (12) Abstraction encapsulates substitution. Formal axiom: v Here are the main distributivity laws. All have duals. for the domain d ∈ D (v : X ∧. p.e) ≡ d ∈ X ∧ p[d, and for v the mapping: d ∈ D (v : X ∧. p.e) ⇒ (v : X ∧. p.e) d = e[d. Name of the rule Point-free form Equality is characterized via function equality (exercise). Distributivity ∨/∀ q ∨∀ P ≡ ∀ (q ⇀∨ P ) Generic functionals Our goal is (a) removing re- L(eft)-distrib. ⇒/∀ q ⇒∀ P ≡ ∀ (q ⇒⇀ P ) strictions in common functionals from mathematics, (b) R(ight)-distr. ⇒/∃ ∃ P ⇒ q ≡ ∀ (P ⇒↼ q) making often-used implicit functionals from systems the- ⇀ P(seudo)-dist. ∧/∀ D P = ∅ ∨ (p ∧∀ P ) ≡ ∀ (p ∧ P ) ory explicit. The idea is defining the result domain to avoid out-of-domain applications in the image definition. Pointwise: ∃ (v : X.p) ⇒ q ≡ ∀ (v : X.p ⇒ q) (new v). Case (a) is illustrated by composition f ◦ g, whose com- Here are a few additional illustrative laws. mon definition requires R g ⊆ D f; then D (f ◦ g) = D g. Name of the rule Point-free form Removing the restriction, we define f ◦ g for any functions: Distribut. ∀/∧ ∀ (P ∧ Q) ≡ ∀ P ∧∀ Q f ◦ g = x : D g ∧. gx ∈ D f . f (gx) . (5) One-point rule ∀ P=e ≡ e ∈ D P ⇒ Pe

Trading ∀ PQ ≡ ∀ (Q ⇒ P ) Observation: x ∈ D (f ◦ g) ≡ x ∈ D g ∧ gx ∈ D f by the Transposition ∀ (∀ ◦ R) ≡ ∀ (∀ ◦ RT) abstraction axiom, hence D (f ◦ g)= {x : D g | gx ∈ D f}. Case (b) is illustrated by the usual implicit generaliza- Distributivity ∀/∧ assumes D P = D Q, otherwise only tion of arithmetic functions to signals, traditionally writ- ∀ P ∧∀ Q ⇒∀ (P ∧ Q). The one-point rule written point- ′ ′ v ten (s+s )(t)= s(t)+s (t). We generalize this by (duplex) wise is ∀ (v : X . v = e ⇒ p) ≡ e ∈ X ⇒ p[e . For the last B T direct extension ( ): for any functions ⋆ (inﬁx), f, g, line, R : S → T → and (v : X . w : Y .e) = w : Y . v : X.e, hence ∀ (v : X . ∀ w : Y .p) ≡ ∀ (w : Y . ∀ v : X.p) (∀-swap).

f ⋆g x f g fx,gx ⋆ .fx⋆gx . = : D ∩ D ∧. ( ) ∈ D ( ) (6) Duals and other pointwise forms are left as an exercise. Often we need half direct extension: for function f, any e, Sometimes the following rules are useful:

↼ • ⇀ • Instantiation: ∀ P ⇒ e ∈ D P ⇒ P e and, with new x: f ⋆ e f ⋆ f e e ⋆ f f e ⋆ f . = (D ) and =(D ) (7) Generalization: from p ⇒ x ∈ D P ⇒ P x, infer ∀ P . Simplex direct extension ( ) is defined by fg = f ◦ g. Wrapping up the rule package for function(al)s Function merge (∪· ) is defined in 2 parts to fit the line: Function range We define the range operator R by D (f ∪· g) = {x : D f ∪ D g | x ∈ D f ∩ D g ⇒ fx = gx} and x ∈ D (f ∪· g) ⇒ (f ∪· g) x =(x ∈ D f) ? fx gx. (8) e ∈ R f ≡ ∃ x : D f.fx = e . (13) Filtering (↓) introduces/eliminates arguments: A consequence is the composition rule ∀ P ⇒∀ (P ◦ f) and f ↓ P = x : D f ∩ D P ∧. Px.fx . (9) D P ⊆ R f ⇒ (∀ (P ◦ f) ≡ ∀ P ), whose pointwise form yields ∀ (y : R f.p) ≡ ∀ (x : D f.p[y ) (“dummy change”). • f x A particularization is restriction (⌉): f ⌉ X = f ↓ (X 1). Set comprehension We define {—} as fully inter- We extend ↓ to sets: x ∈ (X ↓ P ) ≡ x ∈ X ∩ D P ∧ P x. changeable with R. This yields defect-free set notation: Writing ab for a ↓ b and using partial application, this expressions like {2, 3, 5} and Even = {2·m | m : Z} have fa- Z yields formal rules for useful shorthands like f0. miliar form and meaning, and all desired calculation rules A relational generic functional is compatibility ( c ) follow from predicate calculus via Eq. (13). In particular, with f c g ≡ f ⌉ D g = g ⌉ D f. For many other generic v we can prove e ∈ {v : X | p} ≡ e ∈ X ∧ p[e (exercise). functionals and their elastic extensions, we refer to [8]. Function typing The familiar function arrow (→) is A very important use of generic functionals is support- defined by f ∈ X → Y ≡ D f = X ∧ R f ⊆ Y . A more ing the point-free style, i.e., without referring to domain refined type is the Functional Cartesian Product (×): points. The elegant algebraic flavor is illustrated next. f ∈ × T ≡ D f = D T ∧∀ x : D f ∩ D T.fx ∈ T x (14) Rules for predicate calculus and quantifiers Axioms and forms of expression The quantifiers where T is a set-valued function. Note × (X,Y )= X × Y • ∀, ∃ are predicates over predicates: for any predicate P , and × (X Y )= X → Y . We write X ∋ x → Y as a shorthand for × x : X.Y , where Y may depend on x. ∀ P ≡ P = D P • 1 and ∃ P ≡ P 6= D P • 0 (10).

86 4. EXAMPLES I: SYSTEMS THEORY A systems is a function s : SA →SB. The response of s to input signal x : SA at time t : T is sxt, read (sx) t. Analysis: calculation replacing syncopation Characteristics Let s : SA →SB. Then s is memory- We show how traditional proofs rendered tediuos by syn- less iff ∃ f— : T → A → B . ∀ x : SA . ∀ t : T .sxt = ft (xt). copation [20] are done calculationally. The example is ad- Let T be additive, and the shift function σ— be defined jacency [15]. Since predicates (of type R → B) yield more by στ xt = x (t + τ) for any t and τ in T and any signal x. elegant formulations than sets (of type P R), we define Then system s is time-invariant iff ∀ τ : T .s ◦ στ = στ ◦ s. the predicate transformer ad :(R → B) → (R → B) and the 2 A system s : SR →SR is linear iff for all (x,y) : SR and

open closed R B B 2 ⇀ ⇀ ⇀ ⇀ predicates and both of type ( → ) → , by (a,b) : R we have s (a · x + b · y) = a · sx + b · sy. R R Equivalently, extending s to SC →SC in the evident way, ad P v ≡ ∀ ǫ : >0 . ∃ x : P . |x − v| < ǫ ⇀ ⇀ the system s is linear iff ∀ z : SC . c : C .s (c · z)= c · sz. open P ≡ ∀ v : RP . ∃ ǫ : R>0 . ∀ x : R . |x − v| < ǫ ⇒ P x closed P ≡ open (¬ P ) A system is LTI iff it is both linear and time-invariant. Response of LTI systems Define the parametrized c·t We prove the closure property closed P ≡ ad P = P . The exponential E— : C → T → C by Ec t = e . Then we have: ⇀ calculation, assuming the (easy) lemma P v ⇒ ad P v, is Theorem: if s is LTI then s Ec = s Ec 0 · Ec. Proof: we calculate s Ec (t+τ) to exploit all properties. closed P ≡hclosedi open (¬ P ) s Ec (t + τ) = hDefinition σi στ (s Ec) t ≡hopeni ∀ v : R¬ P . ∃ ǫ : R>0 . ∀ x : R . |x − v| < ǫ ⇒ ¬ P x = hTime inv. si s (στ Ec) t ⇀ ≡hTrading ∀i = hProperty Eci s (Ec τ · Ec) t R R R ⇀ ∀ v : . ¬ P v ⇒∃ ǫ : >0 . ∀ x : . |x − v| < ǫ ⇒ ¬ Px = hLinearity si (Ec τ · s Ec) t ⇀ ≡hContrapositive, i.e., ¬ p ⇒ q ≡ ¬ q ⇒ pi = hDefintion i Ec τ · s Ec t ∀ v : R . ¬∃ (ǫ : R>0 . ∀ x : R .P x ⇒ ¬ (|x − v| < ǫ)) ⇒ P v ⇀ ≡hDuality and ¬ (p ⇒ ¬ q) ≡ p ∧ qi Substituting t := 0 yields s Ec τ = s Ec 0 · Ec τ or, using , ⇀ ⇀ ∀ v : R . ∀ (ǫ : R>0 . ∃ x : R .P x ∧ |x − v| < ǫ) ⇒ P v s Ec τ = (s Ec 0 · Ec) τ, so s Ec = sEc 0 · Ec by function ⇀ ≡hDef. adi ∀ v : R . ad P v ⇒ P v equality. The hProperty Eci is στ Ec = Ec τ · Ec (easy). ≡hLemmai∀ v : R . ad P v ≡ P v . Note that this proof uses only the essential hypotheses. An example about transform methods Tolerances on specifications × We show how formally correct use of functionals, in par- Our first motivation for designing was formalizing the ticular avoiding common defective notations like F {f(t)} concept of tolerance for functions, based on a common

and writing F fω instead, enables formal calculation. In convention for specifying frequency/gain characteristics: F fω = +∞ e−j·ω·t · ft · d t 6Gain −∞ Tx F ′gt = 1 · +∞ ej·ω·t · gω · d ω ¤ 6A 2·π −∞ q fx ¤ ¤ A A bindings are clear and unambiguous. The example formal- ¤ ¤ A? A izes Laplace transforms via Fourier transforms. We assume ¤ ¤ A A some familiarity with the usual informal treatments. ¤ ¤ A A −σ·t ¤ ¤ A A- Given ℓ— : R → R → R with ℓσ t = (t < 0) ? 0 e , x Frequency we deﬁne the Laplace-transform L f of a function f by: Clearly, with Tx specifying the desired interval for every

L f (σ + j · ω) = F (ℓσ · f) ω (15) x, the functions f satisfying f ∈ ×T are precisely the desired ones. Next we show other uses of the same operator.

for real σ and ω, with σ such that ℓσ · f has a Fourier transform. With s := σ+j·ω we obtain L fs = +∞ ft·e−s·t·d t. 0 5. EXAMPLES II: COMPUTING SCIENCE The converse L′ is speciﬁed by L′ (L f) t = ft for all

t ≥ 0 (weakened where ℓσ · f is discontinous). For such t, From data structures to query languages Records as in PASCAL [14] are expressed by × as L′ (L f) t functions whose domain is a set of field labels (an enumer- = hSpecific.i ft ation type). Example: with field names name and age, σ·t = ha = 1 · ai e · ℓσ t · ft ∗ Person := × (name 7→ A ∪· age 7→ N)

σ·t = hDefin. i e · (ℓσ · f) t σ·t ′ defines a function type such that person : Person satisfies = hWeaken.i e · F (F (ℓσ · f)) t A∗ N

person name ∈ and person age ∈ . Obviously, by ′ σ·t 1 +∞ j·ω·t = hDeﬁn. F i e · 2·π · −∞ F (ℓσ · f) ω · e · d ω deﬁning record F = × ( · F ) ( · : elastic extension of ∪· ),

∗ σ·t 1 +∞ j·ω·t one can also write Person := record (name 7→ A , age 7→ N).

= hDefin. Li e · 2·π · −∞ L f (σ + j · ω) · e · d ω Trees are functions whose domains are branching 1 +∞ (σ+j·ω)·t = hFactori 2·π · −∞ L f (σ + j · ω) · e · d ω structures, i.e., sets of sequences describing the path from 1 σ+j·∞ s·t the root to a leaf in the obvious way (for any branch la- = hs := σ+j·ωi · L fs · e · d s 2·π·j σ−j·∞ beling). Other structures are covered similarly Characterization and properties of systems Relational databases The following record type General Signals over a value space A are functions of record (code 7→ Code, name 7→ A∗, inst 7→ Staff , prrq 7→ Code∗) type SA with SA = T → A for some time domain T. specifies the type of tables of the form

87 Code Name Instructor Prerequisites Substituting the program equations for the various con- CS100 Elements of logic R. Barns none structs, calculation in our predicate calculus yields [9] MA115 Basic Probability K. Jason MA100 v CS300 Formal Methods R. Barns CS100, EE150 wa [[v := e]] p ≡ p[e wa [[c′ ; c′′]] p ≡ wa c′ (wa c′′ p) · · · · · · · · · ′ ′ wa [[if i : I.bi -> ci fi]] p ≡ ∃ b ∧∀ i : I.bi ⇒ wa ci p ′ N n Generic functionals subsume all usual query-operators: wa [[do b -> c od]] p ≡ ∃ n : . w (¬ b ∧ p) ′ For the selection-operator (σ): σ (S, P )= S ↓ P . defining w by w q ≡ (¬ b ∧ p) ∨ (b ∧ wa c q) . For projection (π): π (S, F )= {r ⌉ F | r : S}. For the join-operator (⊲⊳): S ⊲⊳T = S ⊗ T . 6. EXAMPLES III: COMMON ASPECTS Here ⊗ is the generic function type merge operator, de- Automata theory is a classical common ground between fined as in [8] by S ⊗ T = {s ∪· t | (s,t) : S × T ∧. s c t}. computing and systems theory. Yet, even here formal- Note that ⊗ is associative, although ∪· is not (exercise). ization yields unification and new insights. The example Formal semantics of programming languages is sequentiality (capturing non-anticipatory behavior) and We show how the functional predicate calculus unifies the the derivation of properties by predicate calculus. methodology for analysis (the ad example) and semantics. Preliminaries For any set A we define An by An = The state s is the tuple made of the program variables, n → A where n = {m : N | m < n} for n : N or n := ∞,

8 and S its type. We let s denote the state before and s′ e.g., (0, 1, 1, 0) ∈ B4. Also, A∗ = n : N .An (lists). Con- after executing a command. This allows referring to dif- catenation is ++, e.g., (0, 7,e) ++(3,d) = 0, 7, e, 3,d. Also, ferent states in one equation. We write s • e for s : S .e. x − c fi ∃ i : I.bi ∧ R c (s,s ) i i ∃ (u : B∗ .sy = sx ++ u) Command c Termination T cs ≡hRdst ⇒/∃i∀ (x,y):(A∗)2 . ∀ (z : A∗ .y = x ++ z ⇒ v := e 1 ∃ u : B∗ .sy = sx ++ u) ′ ′′ ′ ′ ′′ c ; c T c s ∧∀ t • R c (s,t) ⇒T c t ≡hNest, swpi∀ x : A∗ . ∀ z : A∗ . ∀ (y : A∗ .y = x ++ z ⇒ ′ ′ if i : I.bi -> ci fi ∃ b ∧∀ i : I.bi ⇒T ci s ∃ u : B∗ .sy = sx ++ u) ≡h1-pt, nesti ∀ (x,z):(A∗)2 . ∃ u : B∗ .s (x ++ z)= sx ++ u ′ ′ For skip: R skip (s,s ) ≡ s = s and T skip s ≡ 1. For ≡hCompreh.i ′ abort: R abort (s,s ) ≡ 0 and T abort s ≡ 0. The loop ∃ r :(A∗)2 → B∗ . ∀ (x,z):(A∗)2 .s (x ++ z)= sx ++ r (x,z) do b -> c′ od stands for if ¬ b -> skip b -> (c′ ; c) fi by definition, where c is the command itself. This completes the proof. Remarkably, the definition of Hoare semantics Let the state before and after ex- ++is used nowhere, illustrating the power of abstraction. ecuting c satisfy a (antecondition) and p (postcondition) The last step uses the function comprehension axiom: 8 ′ s ∀ (x : X . ∃ y : Y . R (x,y) ≡ ∃ f : X → Y . ∀ x : X . R (x,f x) respectively. Since all that is known about s and s is a[8s 8 ′ s for any relation R : X × Y → B. and R c ( s,s ), this must imply p[s′ . This is the intuition behind the definitions of the following correctness criteria: Derivatives and primitives This framework leads 8 ′ s 8 ′ s to the following. An rb function is unique (exercise). We Partial: {a} c {p}≡∀ s • ∀ s • a[8 ∧ R c ( s, s ) ⇒ p[ ′ s s define the derivative operator D on sequential systems by Termination: Term ca ≡ ∀ s • a ⇒T cs s (x −

s ′ ′ s ≡hLdst. ⇒/∀i ∀ s • a[8s ⇒∀ s • (R c ( s,s ) ⇒ p[s′ ) ∧ T c s x 8 s ′ 8 ′ s 8 tor from analysis, and I gx = 0 gy · d y for integrable g. ≡hPdst. ∧/∀i ∀ s • a[8s ⇒∀ (s • R c ( s,s ) ⇒ p[s′ ) ∧ T c s 8 ′ ′ s Moreover, fx +D fx · h is only approximate. s s s • a s • R c s,s p ′ T cs ≡h for i ∀ ⇒∀ ( ( ) ⇒ [s ) ∧ This and other diﬀerences conﬁrm the observation in [18] that automata are easier than real functions. Note the similarity with the ad -calculations. We proved: ∗ ∗ s Finally, {(y : A .r (x,y)) | x : A } is the state space. ′ • ′ wla cp ≡ ∀ s R c (s,s ) ⇒ p[s′ and wa cp ≡ wla cp∧T cs.

88 7. CONCLUSION [8] Raymond T. Boute, “Concrete Generic Functionals: Principles, Design and Applications”, in: Jeremy Gib- We have shown how a formalism, consisting of a very sim- bons and Johan Jeuring, eds., Generic Programming, ple language of only 4 constructs, together with a powerful pp. 89–119, Kluwer (2003) set of formal calculation rules, not only yields a notational [9] Raymond T. Boute, “Calculational semantics: deriv- and methodological unification of computing science and ing programming theories from equations by func- systems theory, but also of a large part of mathematics. tional predicate calculus”, Technical note B2004/02, Apart from the obvious scientific ramifications, the for- INTEC, Universiteit Gent (2004) (submitted for pub- malism provides a unified basis for education in ECE (Elec- lication to ACM TOPLAS) trical and Computer Engineering), as advocated in [17]. The difficulties should be recognized as well. First, al- [10] Ronald N. Bracewell, The Fourier Transform and Its though calculational logic is easier than classical formal Applications, 2nd ed, McGraw-Hill (1978) logic, the de-emphasis on proofs in education has caused [11] Edsger W. Dijkstra and Carel S. Scholten, Predicate students to find logic increasingly difficult [1, 19]. Second, Calculus and Program Semantics. Springer-Verlag, conservatism of colleagues may even be a larger problem Berlin (1990) [1, 18, 19, 21], and there are known cases of censorship. [12] David Gries and Fred B. Schneider, A Logical Ap- Yet, the wide scope of the formalism demonstrated in proach to Discrete Math, Springer-Verlag, Berlin these few pages, with only minor gaps left for the reader to (1993) fill, provides ample evidence for the long-term advantages. [13] David Gries, “The need for education in useful formal logic”, IEEE Computer 29, 4, pp. 29–30 (April 1996) 8. REFERENCES [14] Kathleen Jensen and Niklaus Wirth, PASCAL User Manual and Report. Springer-Verlag, Berlin (1978) [1] Vicki L. Almstrum, ”Investigating Student Difficulties With Mathematical Logic”, in: C. Neville Dean and [15] Serge Lang, Undergraduate Analysis. Springer- Michael G. Hinchey, eds, Teaching and Learning For- Verlag, Berlin (1983) mal Methods, pp. 131–160. Academic Press (1996) [16] Leslie Lamport, Specifying Systems: The TLA+ Lan- [2] Eerke Boiten and Bernhard Möller, Sixth Inter- guage and Tools for Hardware and Software Engineers. national Conference on Mathematics of Program Pearson Education Inc. (2002) Construction (Conference announcement), Dagstuhl [17] Edward A. Lee and David G. Messerschmitt, “Engi- (2002). neering — an Education for the Future”, IEEE Com- www.cs.kent.ac.uk/events/conf/2002/mpc2002 puter, Vol. 31, No. 1, pp. 77–85 (Jan. 1998), via [3] Raymond T. Boute, “A heretical view on type em- ptolemy.eecs.berkeley.edu/publications/papers/98/ bedding”, ACM Sigplan Notices 25, pp. 22–28 (Jan. [18] Edward A. Lee and Pravin Varaiya, “Introducing Sig- 1990) nals and Systems — The Berkeley Approach”, First [4] Raymond T. Boute, Funmath illustrated: A Declara- Signal Processing Education Workshop, Hunt, Texas tive Formalism and Application Examples. Declara- (Oct. 2000), via tive Systems Series No. 1, Computing Science Insti- ptolemy.eecs.berkeley.edu/publications/papers/00/ tute, University of Nijmegen (July 1993) [19] Rex Page, BESEME: Better Software Engineering [5] Raymond T. Boute, “Fundamentals of hardware de- through Mathematics Education, project presentation scription languages and declarative languages”, in: http://www.cs.ou.edu/~beseme/besemePres.pdf Jean P. Mermet, ed., Fundamentals and Standards in [20] Paul Taylor, Practical Foundations of Mathematics Hardware Description Languages, pp. 3–38, Kluwer (second printing), No. 59 in Cambridge Studies in Academic Publishers (1993) Advanced Mathematics, Cambridge University Press [6] Raymond T. Boute, “Supertotal Function Definition (2000); quoted from the introduction to Chapter 1 in in Mathematics and Software Engineering”, IEEE www.dcs.qmul.ac.uk/~pt/Practical Foundations/html Transactions on Software Engineering, Vol. 26, No. 7, [21] Jeannette M. Wing, “Weaving Formal Methods into pp. 662–672 (July 2000) the Undergraduate Curriculum”, Proceedings of the [7] Raymond Boute, Functional Mathematics: a Unifying 8th International Conference on Algebraic Methodol- Declarative and Calculational Approach to Systems, ogy and Software Technology (AMAST) pp. 2–7 (May Circuits and Programs — Part I: Basic Mathematics. 2000); file amast00.html in Course text, Ghent University (2002) www-2.cs.cmu.edu/afs/cs.cmu.edu/project/calder/www/