Refinements in HOLCF: Implementation of Interactive Systems

Renements in HOLCF

Implementation of Interactive Systems

Oscar Slotosch

Fakultat fur Informatik

der Technischen Universitat Munchen

Renements in HOLCF

Implementation of Interactive Systems

Oscar Slotosch

Vollstandiger Ab druckdervon der Fakultat fur Informatik der Technischen

Universitat Munchen zur Erlangung des akademischen Grades eines

Doktors der Naturwissenschaften Dr rer nat

genehmigten Dissertation

Vorsitzender UnivProf Dr rer nat habil Jurgen Eickel

Prufer der Dissertation

UnivProf Dr rer nat Dr rer nat habil Manfred Broy

UnivProf Tobias Nipkow Ph D

Die Dissertation wurde am bei der Technischen Universitat

Munchen eingereicht und durch die Fakultat fur Informatik am angenommen

Abstract

In this thesis renement relations for the logic HOLCF are dened We compare rene

ment relations dened by theory interpretations and by mo del inclusion We use these

renements to implement abstract data typ es ADTs with LCF domains and continuous

functions Therefore the implementation of ADTs maybe applied to the implementation

of interactive and distributed systems sp ecied in HOLCF

The implementation of interactive systems is embedded into the deductive software deve

lopment pro cess Every development step corresp onds to a renement in HOLCF A de

tailed classication of dierent situations in the developmentofinteractive and distributed

systems is given For all p ossible development situations concrete renement metho ds are

describ ed This allows us to prove the correctness of development steps by verifying the

renement relation in HOLCF The renement relation is comp ositional and in some sit

uations the metho ds improve the known metho ds for interaction renement by requiring

less and more concrete pro of obligations and by a stronger comp ositionality result

For the implementation of abstract data typ es in HOLCF twotyp e constructors are added

to the Isab elle pro of system The subdom typ e constructor conservatively intro duces a

sub domain of a LCF domain that is again a LCF domain The quot typ e constructor

conservatively denes at quotient domains with resp ect to an arbitrary partial equivalence

relation PER PERs are also the basis for a higher order predicate allowing us to express

observability of higher order functions in HOLCF to characterize congruences Both typ e

constructors are supp orted with metho ds and examples for the intro duction of continuous

functions

A standard library of ADTs is dened and the implementation of a WWW server is taken

as an example and some critical development steps are veried with the Isab elle pro of system

Acknowledgments

Four years ago when I started to work at the group of Manfred BroyandTobias Nipkow

with the plan to write a thesis I did not know how much work this would be and how

much supp ort would be necessary Now I try to thank all who help ed me in doing this

thesis

First of all I like to thank my sup ervisors Manfred Broy and Tobias Nipkow Manfred

Broy gave me the opp ortunity to work in the eld of formal metho ds and he directed me

towards the concrete topic of my thesis Tobias Nipkow encouraged me to work with the

Isab elle system and he improved the quality of the realization with his technical advice

For the scientic and constructive discussions I thank my sup ervisors

Sp ecial thanks go to Franz Regensburger for inventing the logic HOLCF and for intro ducing

me into it For discussions ab out HOLCF domains and xed points I thank David von

Oheimb I thank Birgit Schieder for carefully reading the pro ofs which I did not carried

out in Isab elle

Particular thanks go to all my colleagues from our department For comments on many

parts of previous versions of my thesis I would like to thank Manfred BroyTobias Nipkow

Bernhard Schatz Ursula Hinkel Ingolf Kruger Rudolf Hettler Konrad Slind Katharina

Spies Birgit Schieder Bernhard Rump e Franz Regensburger David von Oheimb Eva

Geisb erger and Cornel Klein For help with L T X I also thank Franz Regensburger

Bernhard Rump e and Katharina Spies

I furthermore want to thank Konrad Slind Rosemary Monahan Susen Werner Ingolf

Kruger and Bernhard Schatz for p olishing up my sometimes rough English with their

constructive comments

Personally I am grateful to my family Esp ecially I would like to thank my father who

gave me the energy for this work and Susanne for her love and patience

Contents

Intro duction and Concepts

Motivation

Deductive Software Development

Traditional Software Development

Formal Metho ds in Software Development

Graphical Description Techniques

Developmentof Interactive and Distributed Systems

Implementation of Abstract Data Typ es

Abstract Data Typ es

Implementation Step

Example Sets by Sequences

Renement Requirements

Consistency

Mo dularity

Development

Logic and Language

Related Work

Goals

Structure of the Thesis

Renements in HOLCF

HOLCF

HOLCF Terms

HOLCF Typ e Classes

HOLCF Mo dels

Conservative Extensions

Data Typ es

Executabilityand Pattern Matching

Predened Typ e Constructors

Mo del Inclusion in HOLCF

Theory Interpretations

Sub domains in HOLCF

Motivation I

II CONTENTS

Theory Interpretation

Sort Translation

Constant Translation

Term Translation

Invariance and Preserving Functions

Normalization

Reduct of Mo dels

Mo del Construction

Metho d for the Restriction Step

Example BOOLEAN by NAT

Renement for Restrictions

Mo del Inclusion

Intro ducing a Sub domain

Invariance and Preserving Functions

Intro ducing Executable Op erations

Deriving an Induction Rule

Co de Generation

Metho d for the Restriction Step

Example BOOLEAN by NAT

Summary and Comparison of Restrictions

The subdom Constructor in HOLCF

Quotient Domains in HOLCF

Motivation

PERs Quotients and Congruences

PERs

Quotients

Quotient Domains

Observability and Congruence

The Class eq

Mo del Inclusion

Metho d for the Quotient Step

Denition of the PER

Intro ducing a Quotient Domain

Intro ducing Op erations

Pro of Obligations

Theory Interpretation

Simple Sort Translation

Simple Constant Translation

Simple Translation

Satisability

Metho d for the Quotient Step

Example State by Histories

Simple Theory Interpretation Basis

CONTENTS III

Summary and Comparison of Quotients

Other Approaches for Behavioural Implementations

Context Induction over Programs

Restricting the Programming Language

Enco ding the Programming Language into the Logic

Comparison of the Approaches

Implementation of ADTs in HOLCF

Metho d for the Implementation

Using the Metho d

Interface Situations

Parameters of the Metho d

Example Sets by Sequences

Implementations in FOCUS

Focus Notations

Stream Pro cessing Functions

Forms of Comp osition

Renements for Interactive Systems

Behavioural Renement

Structural Renement

State Renement

State Elimination

Schematic Implementations

Communication Channel Development

Restricted Communication Channel Development

Interface Simulation

Implementation of Comp onents with Isomorphic Typ es

Implementation of Comp onents with Concrete Sub domains

Implementation of Comp onents with Abstract Sub domains

Implementation of Comp onents with Concrete Quotients

Implementation of Comp onents with Abstract Quotients

Dialog Development

Individual Implementations

Summary for the Implementation of Interactive Systems

Case Studies of a WWW Server

The Library of ADTs

Natural Numbers

Lists

Bytes

Strings

Finite Numb ers

Rational Numb ers

IV CONTENTS

Structure and Critical Asp ects of the WWW

Database of a WWW Server

Transmission of Strings

Future Work

A HOLCF Extensions

A The subdom constructor

A ADM

A SUBD

A The quot Constructor

A PER

A QUOT

A PERCPO

A EQ

A The ADT Library for HOLCF

A Dnat

A Dlist

A Bit

A Byte

A Char

A String

A Fin

A Pos

A Rat

Bibliography

List of Figures

List of Examples

List of Denitions

Index

Chapter

Intro duction and Concepts

In this chapter the motivation for the implementation of interactive systems by renement

in the logic HOLCF is presented The deductive software development pro cess is sketched

and a classication of dierent situations in the developmentofinteractive and distributed

systems is presented in Section We call the concrete metho ds for formally developing

these situations implementation of interactive systems b ecause we extend the metho ds for

the implementation of abstract data typ es ADTs to interactive systems In Section

we lo ok at the ideas of the implementation of ADTs and collect the requirements for the

renement relation in Section The use of HOLCF is explained in Section goals

and structure of this thesis are given at the end of this chapter

The main structure of this work is inuenced by the implementation of ADTs There

are two dierent implementation steps quotient step in Chapter restriction step in

Chapter for ADTs and we develop two renements techniques theory interpretation

and mo del inclusion for each of them and compare them by the criteria from the deductive

software development pro cess The prop osed metho d Chapter for the implementation

of ADTs is a combination of these two renements and is applied and extended to the

implementation of interactive systems in Chapter Chapter denes a standard library

of ADTs and uses it for case studies on a WWW server

Motivation

Hardware b ecomes smaller and systems are growing This trend is caused by the miniatur

ization and integration in the development of computer chips Having smaller and more

ecient hardware allows us to build more complex systems An additional source of system

complexity is communication The development of b er optics and satellite channels are

examples for the improvement in communication technology This allows us to connect

computers worldwide to build eciently interacting systems The internet is an example

CHAPTER INTRODUCTION AND CONCEPTS

of this development The numb er of WWW servers in the internet doubles approximately

every year Pax

In the expanding market of software systems pro duct quality is an imp ortant marketing

strategy Quality has many asp ects ranging from a friendly interface good service and

do cumentation to adequate problem solutions Correctness of the system is the basis for

quality since for example a wrong do cumentation an ab orting system or an inadequate

software program are not acceptable in a market with comp etition Apart from the market

ing asp ects of correctness there are critical systems which have to be correct since errors

are very intolerable For example avionic systems medical systems and access control

systems in condential environments have to full their requirements

In traditional software development reviews and tests are the metho ds to increase the

correctness and the quality of systems The software development pro cess starts with an

sp ecication sp ecication of the b ehaviour of the system The development pro cess renes

these do cuments by incorp orating design decisions For xed input values tests are used

to show that a sequential program fulls its requirements Due to the high complexity

of distributed systems tests can only cover small parts of the system and therefore they

cannot ensure correctness in general

Formal methods give the p ossibility to prove the correctness of systems Using them re

quires to formalize the system requirements into a sp ecication and to give formal seman

tics to the system Apart from the p ossibility to prove the correctness of a system such

a formalization may detect errors and inconsistencies of the requirement sp ecication A

calculus allows us to prove the correctness of the system by showing that the sp ecication

of the system renes the requirement sp ecication There are two notions of renement In

the software development it means the design of the system in formal metho ds it denotes a

logical relation whichcanbeveried by a deduction in a calculus Formal metho ds apply

the logical renement to verify the renement of systems

The advantage of the formal metho ds is that they are abstract and hence applicable to

every kind of systems However the drawback is that the calculus do es not provide any

metho ds for structuring the correctness pro of One p ossibility to structure this pro of

is to give a concrete formal metho d that develops the pro of step by step together with

the stepwise realization of the system Deductive software development is the result of

integrating formal metho ds into the software development pro cess

Large systems are comp osed of components For the developmentofinteractive systems it

is imp ortant that the comp onentscanbedevelop ed indep endently in a mo dular way The

correctness of the system should also b e provable in a mo dular way A renement relation

is called compositional if the correctness of the system can b e derived from the correctness

of the comp onents Hence the most imp ortant basis for a mo dular development of correct

interactive systems is a comp ositional renement relation which is integrated into the

software development pro cess

DEDUCTIVE SOFTWARE DEVELOPMENT

Deductive Software Development

Deductive software development includes formal metho ds into the pro cess of software deve

lopment It aims at a software development pro cess that allows us to deduce the correctness

of software with resp ect to the sp ecication that describ es the required behaviour of the

system

For deducing the correctness of a program it is necessary to have formal semantics for the

sp ecication and the program Metho ds and to ols are needed to show that the program is

correct with resp ect to its sp ecication In Section a sketch of a traditional software

development pro cess as it is state of the art in industry is given In Section it is

briey describ ed how the software development pro cess of interactive systems could lo ok

like if formal metho ds were integrated In this work we concentrate on the foundations

for the deductive software development pro cess bydeveloping a renement relation which

allows us to prove the correctness of all steps in the development of interactive systems

Traditional Software Development

There are many traditional metho ds for the development of systems Many of them are

inuenced by a certain programming paradigm or are tailored to a sp ecial application

domain One programming paradigm are the structured metho ds GS Dem They

use data ow diagrams to mo del the system More recently the ob ject oriented design

metho ds app eared RBP Jac Bo o There are basically two application domains

for which the given metho ds were sp ecialized One are technical systems with real time

asp ects See WM HP for extensions of the structured techniques and SGW for an

ob ject oriented metho d for technical systems The other application domain are database

systems with a large amountofdatamodellingChe DCC AG Den

All traditional metho ds use mainly testing to ensure the quality and the correctness of

the system The following coarse scheme describ es traditional software development It

emerges from the waterfall mo del Roy and graphically displayed it lo oks likeaVand

therefore it is called V mo del in Dav

The development starts with a sp ecication of the requirements of the system This

sp ecication may be informal and coarse but it is in general easy to understand

Usually these sp ecications contain text and diagrams describing the behaviour of

the system In the rst sketch these requirements are lo ose and have to be worked

out They x only the requirements of the system but not the structure or other

details of the system

During the design phase this requirement sp ecication is develop ed step by step

by incorp orating decisions concerning the architecture of the system Splitting the

system into comp onents requires a splitting of the requirements with each comp onent

CHAPTER INTRODUCTION AND CONCEPTS

having its own requirements The combination of the comp onents must preserve the

system sp ecication

The functions are implemented by programming some algorithms or by cho osing

pieces of hardware for their realization This is done until all parts are completely

designed

Testing shows whether the system fulls the requirements or not First the basic

comp onents are tested then their integration is checked If a test contradicts the

requirements some wrong design or implementation steps will be revised and the

development will continue at this p oint

During the sp ecication and the design of the system some behaviours of the system are

xed and during the integration phase it can be tested whether the system has these

behaviours In this scheme and therefore in every traditional software development

metho d errors can only b e detected by testing For small comp onents such a try and error

development can b e manageable but in large systems where the rst design decisions are

justied by the nal integration test early errors have fatal consequences the development

has to b e redone starting from the p oint where the wrong step was made Such a pro cess

is very exp ensive and dicult to control for the management Sources of early errors are

misunderstandings due to ambiguityofthe informal requirement sp ecication

Graphical descriptions are an imp ortant part of traditional software development metho ds

for example ERdiagrams SDL statecharts SSADM since they help us to visualize

and communicate complex structures Their disadvantage is that they often lack precise

semantics and therefore they are an additional source of errors

Formal Metho ds in Software Development

The use of formal metho ds allows us to deduce the correctness of programs with resp ect

to their sp ecications See GM Bro Hoa for overviews of formal metho ds Dil

for Z or AI for VDM some very p opular formal metho ds and BDD Bro SS

for a functional metho d for developing distributed systems Formal metho ds are the basis

of deductive software development They provide precise syntax and formal semantics

based on mathematics and logic for sp ecications and programs a denition of rene

mentbetween sp ecications and programs and deduction metho ds and to ols to provethis

renement relation

To reduce the numb er of design and implementation errors reviews and co de insp ections are practiced

The V mo del Davissuch a pro cess mo del describing the development of large systems

DEDUCTIVE SOFTWARE DEVELOPMENT

Deductive software development is the result of integrating formal metho ds into software

development The basic concepts of deductive software development are

to use the traditional development pro cess requirement design implementation

to use the same logic in all phases of the software development to sp ecify comp onents

to use implication as basis for the renement relation since there are a lot of theorem

provers which supp ort implication pro ofs and

to use graphical description techniques with formal semantics

A transitive renement relation allows us to divide the deductivesoftware developmentpro

cess into several development steps Every development step corresp onds to a renement

step on the semantic level

Having the same logic in all phases requires the formal language to include abstract and

understandable requirement sp ecications as well as executable sp ecications The advan

tage of using one logic in all phases is that there are no transitions b etween dierent logics

and that the develop er has to use only one logical formalism

Executable sp ecications can b e executed byaninterpreter prototyping or can b e trans

lated into a programming language If this generation or interpretation is correct there is

no need of co ding and testing in the development pro cess since the programs are generated

correctly out of executable sp ecications If executable sp ecications corresp ond directly

to programs as in HR Hot co de generation will b e only a syntactic translation and

no formal correctness pro of will b e needed There are other formal metho ds allowing us to

extend the denition of executable sp ecications for example to dene an interpreter and

to prove its correctness BHN However since functional programming languages are

quite expressive we dene executability with resp ect to these languages and do not worry

ab out the correctness of their realization

We use the following notations for the deductive software development pro cess

Denition Deductive Software Development Basis

A deductive software development basis DSWDB LM j j is a quadruple

where

L is a sp ecication language and

M is the semantic domain of the language containing the set of formal mo d

els and

M L M assigns the semantics to a sp ecication All executable sp eci

cations have at least one mo del

CHAPTER INTRODUCTION AND CONCEPTS

j M M is the semantic renement relation b etween mo dels such that

for A C M A j C denotes that C concrete is a renementofA abstract

we require j to b e transitive and

j L L is a syntactic renement relation for which a calculus and to ols

should exist For the correctness of the calculus it is required that for all A C

L A j C implies M A jMC

We will use the term renement p olymorphically If we consider formal mo dels we

mean j ifwe are talking ab out sp ecications AC Lwe mean A j C or M A

j M C We will even use the term renement for comp onents or functions and

will mean the renement of the sp ecications describing the functions

The intention is that we develop the abstract requirement sp ecication into a concrete

and executable sp ecication and require that we can prove this development step by step

with our deductive software development basis Although these notations will be lled

with concrete denitions later on they suce for example to dene consistency

Denition Consistency

Let LM j j b e a deductivesoftware development basis then a sp ecica

tion A L is called consistent if

M A

Otherwise A is called inconsistent

In this intro duction we collect the requirements for the metho d for the implementation

of interactive systems the result is describ ed in Section Every renement step from

an abstract sp ecication A to a concrete sp ecication C will b e correct if M A jMC

holds In the deductivesoftware development pro cess the resulting pro of obligation is A j

C Since the renement relation is transitive a correctly develop ed executable sp ecication

will b e a renement of the requirement sp ecication

There have been many pro jects in the eld of deductive software development providing

semantics calculi and renement relations for the deductivesoftware development pro cess

esp ecially for sequential software systems BBB BJ For interactive and distributed

systems the metho ds are in a more theoretical form ie their description is less detailed

see Section

There are two main approaches to formal software development transformational and

deductive software development Both have a deductive software development basis but the

pro cess of the formal development is dierent In transformational software development

for example in the CIPPro ject BBB correct transformation rules are applied to a

requirement sp ecication until the development is nished The correctness of the rules

DEDUCTIVE SOFTWARE DEVELOPMENT

Require Design

Base

Figure KorSo Development Graph

hastobeproved b efore they are applied to a development situation In deductive software

development as in many parts of the KorSo pro ject BJ the develop er proves the

correctness after each development step In order to simplify these pro ofs it is allowed

and desired to reuse some general theorems Deductive developments allow us to delay

correctness pro ofs We will view transformational software development as a sp ecial case of

deductive software developmentandwe will not use transformation rules in our notations

Graphical Description Techniques

As in traditional software development graphical description techniques are an imp ortant

part of the deductivesoftware development pro cess In the deductive software development

graphical description techniques have a xed formal semantics ie they are only nice

abbreviations for complex formulas In this work we will use only two dierent graphical

description techniques

KorSo development graphs and

Focus system diagrams

Development graphs are used to represent the logical structure of the sp ecications and

their development System diagrams show the structure architecture of the system

Development Graphs

The development graphs we use here were intro duced in the KorSo pro ject PW

BW One result of the KorSo pro ject was the metho d for software development

A graphical representation for sp ecications was used to visualize the development This

representation was called KorSo development graphs These graphs have sp ecications

as no des depicted as boxes and two imp ortant relations

Pro ofs should not b e delayed to o long since they mayreveal errors

CHAPTER INTRODUCTION AND CONCEPTS

in out

m m

n n

Figure Black Box System Diagram

The semantic renement relation j called is refinement of in KorSo and

depicted as double arrows reverse implication arrows and

based on and depicted as simple arrows asyntactic structure relation called is

A simple example is given in Figure It shows the renement from a requirement

sp ecication Require based on a mo dule Base by a design sp ecication Design whichis

also based on Base The sp ecications Require and Design are b oth syntactic extensions

of the sp ecication Base

System Diagrams

In the Focus metho d BDD Bro system diagrams are used to visualize the structure

of distributed systems or comp onents of a system System diagrams are hierarchical

ie every comp onent of the system may be describ ed by another system diagram An

distributed interactive system or a comp onent receives messages on input channels and

sends messages on output channels Focus system diagrams maybeusedintwo dierent

sp ecication styles

as black box specicationsand

as glass box specications

The black box sp ecications graphically describ e the interface of a system Black box

sp ecications contain the name of the system the names of the input and output channels

and the typ es of the messages The sp ecications of the system describ es the b ehaviour of

system The system diagram in Figure sp ecies the interface of a system F It has n

In KorSo M A j M C has b een mo del inclusion M C M AandA j C has b een logical

implication C A

In the KorSo sp ecication language Spectrum BFG a is based on was used to denote the

syntactic enrichment of sp ecications

DEDUCTIVE SOFTWARE DEVELOPMENT

in out

A A

Figure Glass Box System Diagram

input channels named in of typ e and m output channels named out of typ e

i i j j

The glass b ox sp ecications contain the same information as the blackbox sp ecication and

in addition they showofwhich comp onents a system consists and how they communicate

This is a sp ecial form to describ e the b ehaviour of a system The system diagram in Figure

sp ecies the interfaces and the structure of system A It consists of two subsystems A

and A communicating over an internal channel of typ e Because we have directed and

typ ed channels a restriction of the communication within a glass b ox sp ecication is that

the typ es of the channels have to t and that no input channel is connected with another

input channel and no output channel is connected with another output channel Glass b ox

sp ecications allowus to describ e recursive systems

We use only system diagrams development graphs and textual sp ecications in our deve

lopment pro cess There are many other useful graphical description techniques see Section

but since we fo cus on a renement relation these diagrams suce

Development of Interactive and Distributed Systems

In interactive and distributed systems communication is an imp ortant asp ect We decided

to work with an asynchronous communication mo del that mo dels every communication

with a channel Interactive systems communicate by sending messages over channels

The term interactive system refers to the fact that the system has interaction with its

environment A distributed system is a system which may consist of several comp onents

which can b e at dierent places The comp onents of a distributed system communicate by

sending messages over channels A distributed system with communication between the

comp onents is therefore also an interactive system and hence interactive systems enclose

distributed systems Since b oth kinds of systems communicate over channels we will not

To simplify formulas we omit the ranges from indices if they are clear from the context In this case

they are i n and j m

Our renement relations can b e used as basis for dening graphical renement steps for further gra

phical description techniques of interactive systems that have a semantics in HOLCF

CHAPTER INTRODUCTION AND CONCEPTS

further dierentiate between these systems and use the terms interactive and distributed

synonymously

The development of distributed systems encloses the development of sequential systems

Therefore the renement requirements for the renement relation j should also sup

port development of sequential programs The requirements for the development of se

quential systems are mainly those arising from the implementation of ADTs see Section

This section describ es the dierent situations which are typical for the development

of interactive systems The renement relation j has to be able to express all these

steps as renements Concrete metho ds are needed to supp ort the renement of these

situations with the calculus j

We assume that we are working with a deductive development basis L M j j

We call the sp ecication of the abstract system A Land the sp ecication of the designed

system C L The requirements for the renement relation are that it has to be p ossible

to supp ort every development situation Of course whether M A jMC holds or not

in the concrete development dep ends on the sp ecications A and C In Chapter we will

give concrete metho ds for rening the sp ecications arising in the development situations

of this section

Wegive a short overview of the dierenttyp es of development situations A similar classi

cation is in Bro As was mentioned in Section we use two forms of system diagrams

to sp ecify the structure of interactive systems blackbox sp ecications and glass b oxspec

ications Therefore we havetwo groups of development situations in the developmentof

distributed systems

Behavioural Development

In the developmentofinteractive systems one typical situation is that an arbitrary system

A p ossibly sp ecied as a black box is develop ed into another system C with the same

interface by giving a more concrete sp ecication of the system The sp ecication of the

rened system C has all behaviours sp ecied for the abstract system A This situation is

called behavioural development One example is the development of a comp onent with

a sorting algorithm out of its requirement sp ecication Many development steps are

Behavioural development is quite well known There exists a lot of functional behavioural

renement techniques to supp ort b ehavioural developments We will fo cus more on other

development steps and try to express them as sp ecial b ehavioural developments

Communication Channel Development

In the development of distributed systems one typical situation is that we develop one

single message channel This situation is indep endent from the structure of comp onents

And a lot of dierentdevelopment steps will b e reduced to b ehavioural development

Therefore we call b ehavioural development sometimes functional development

DEDUCTIVE SOFTWARE DEVELOPMENT

and hence also a blackbox development situation The messages on the twochannels are

isomorphic in this situation and therefore they may be easily translated into each other

Lo oking closer at these translations we can distinguish two kinds of translations

schematic translations and

individual translations

In schematic translations every message of one channel corresp onds exactly to one message

of the other channel The translations between the two channels can be constructed by

applying elementwise translations to all messages of the channels With individual trans

lations wemay transform every single message on the abstract channel into many concrete

messages p ossibly on many concrete channels

An example for a schematic communication channel development situation is the deve

lopment of a character channel into a byte channel The messages in the channels are

isomorphic An example for an individual communication channel development is the

development of one byte channel by eight parallel bit channels

Restricted Communication Channel Development

A more general situation is that we have two nonisomorphic channels A p ossible reason

is that not all values in one channel are used Therefore we need to formulate restrictions

on the values ofachannel

Again we have schematic and individual translations In the schematic restricted commu

nication channel development the restriction for the channel is just a conjunction of the

restrictions of all single messages of the channel In individual restricted communication

channel development arbitrary restrictions are p ossible An example of an individual re

stricted communication channel development is the development of a byte channel into a

sequential bit channel In this case the restriction for the bit channel is that the number

of elements in the channel is divideable by eight see page

Interface Simulation

Another situation is the development of an arbitrary black box sp ecication with simu

lations translating the inputs from the abstract sp ecication into inputs for the designed

system and translating the output of the designed system back The idea is that the

translations and the concrete system simulate the abstract system

These twochannels refer to two sp ecications of one channel one abstract requirement sp ecication

and one concrete design sp ecication

This corresp onds to U simulation in Bro and Section

CHAPTER INTRODUCTION AND CONCEPTS

Again wehaveschematic and individual interface simulations An example for an individual

interface simulation is a proto col where strings are translated into packets then the packets

are sent over a packet channel and then the packets are put together to a string This

proto col simulates a string communication on the abstract level see page

Structural Development

Structural development is the b order b etween blackbox development situations and glass

box situations It develops a black box sp ecication into a glass box sp ecication by

dening the internal structure of the system sometimes also called architecture An

example is a development where a comp onentis dened as a network

State Development

In glass b o ck sp ecications states are an imp ortanttechnique to sp ecify systems esp ecially

in abstract sp ecications Many software development metho ds use graphical description

techniques to sp ecify state dep endent comp onents We will call state dep endent comp o

nents automata Automata have with state transition diagrams nice graphical representa

tions for example in LT Har

In the development of statebased systems it is often required to add or to remove state

transitions from an automaton Adding and removing of state transitions can be treated

with behavioural development techniques since it do es not change the interface of the

automaton

Adding or removing states of automata changes the signature of the automata and

therefore corresp onds to the development of the ADTs of the states These situations can

be develop ed by our metho d for the implementation of ADTs

An interesting question is to relate two statebased sp ecications of the same comp onents

with dierent state spaces and to nd out whether they sp ecify the same b ehaviour

State Elimination

In sequential programs states may be explicitly used as data typ es We regard states in

interactive systems as abstract views of input histories ie those messages on a channel

which arrived until now In the developmentwehave a situation where we need to eliminate

Adding a new state transitions adds new b ehaviour to the systems which is a trivial renement step

but for the elimination of state transitions the context has to b e analyzed and it has to b e proved that the

removed state transition was sup eruous

We will use functions from states to comp onents to sp ecify of statebased comp onents

DEDUCTIVE SOFTWARE DEVELOPMENT

i o

C C

Figure Develop ed System Diagram

states If we use executable simulations for state elimination we are able to execute the

abstract automaton

State elimination removes the states from the sp ecication of the system It is a develop

ment step between two dierent description styles of system and therefore it is dierent

from removing a single state from the state space of a description which is describ ed in

the previous section

The intro duction of states will not be treated separately since it can be done by dening

states as predicates on the input histories see for example Spi

Dialog Development

Dialog development is a situation where at least two comp onents communicating over

at least one channel are develop ed together This can only b e done if the abstract system

and the concrete system are sp ecied byglassbox sp ecications Consider for example the

system A in Figure as abstract requirement sp ecication and the system C in Figure

as designed sp ecication where C is a renement of A The general dialog development

i i

may also be regarded as interface simulation but the relation between A and C is more

i i

concrete C is called downward simulation of A if the result of applying the downward

i i

translation b efore C is a development of the comp osition of rst applying A and then doing

i i

the downward transformation

Again we have schematic and individual dialog developments dep ending on the form of

the translations

Dialog development is the b ehavioural developmentofglassbox sp ecications It allows us

to use restrictions arising from the environment of a comp onent In our example we may

develop the internal channel between A and A into the internal channel between C and

C with a restricted communication channel development since weknowthatallvalues of

the internal channel are sent by C

The elimination of states comes from our Focus view of interactive systems We regard systems as

stateless functions pro cessing streams of messages see Chapter

See page for a formal denition of downward simulation

CHAPTER INTRODUCTION AND CONCEPTS

An imp ortant requirement for the translations used in many development situations is

their executability For a logical emb edding for example an isomorphism no executable

translations are needed With executable translations we can extend our executable

system mo del from stream pro cessing functions see Chapter to more abstract mo dels

For example an executable elimination of states allows us to simulate automata on the

basis of messages in a system

Our goal is to have a renement relation which supp orts all these development situations

In Chapter we will dene concrete metho ds for every development situation presented in

this section

Implementation of Abstract Data Typ es

This section gives an idea why the implementation of ADTs is an imp ortant part of the

implementation of interactive systems If we are able to implement ADTs in a deductive

development basis which is adequate for the development of interactive systems then we

will be able to give concrete metho ds for the development situations of Section

Therefore the implementation of ADTs is a central topic in this work

First the concept of ADTs is presented together with two dierent renement steps func

tional renement and the implementation step The implementation step is informally

presented in Section Section illuminates this presentation by presenting an

implementation step of sets by sequences in a simple equational logic

Abstract Data Typ es

ADTs are a well known concept Hoa EM EM EGL Wir and an accepted

basis for the deductivesoftware development pro cess The basic idea of abstract data typ es

is to describ e data typ es abstractly without referring to the later implementation byspec

ifying the basic functions op erating on them In rst approaches initial semantics EM

were chosen but since lo ose semantics BWb leave more ro om for implementations they

t b etter to the deductive software development pro cess

A lo ose sp ecication characterizes the b ehaviour of the functions without determining the

programs for their realization Therefore an ADT may have dierent implementations

Algebraic sp ecications EGL Wir use axioms written in a certain logic to sp ecify

ADTs The most p opular logic for ADTs is equational logic It allows us to write univer

sally quantied p ositive conditional axioms to sp ecify the functions of an ADT A notion

of renement is needed to make ADTs suitable for the deductive software development pro cess

IMPLEMENTATION OF ABSTRACT DATA TYPES

There are two dierent development steps for ADTs Both should be supp orted by the

renement relation j

functional renement also called prop erty renementorbehavioural renement and

the

implementation step also called data renement

Functional renement do es not change the signature of a function In functional renement

the sp ecication of a function is develop ed into a more concrete sp ecication With this

renement step functions describ ed by some axioms that characterize their b ehaviour quite

abstractlymay b e rened by more concrete functions This renement step can b e rep eated

until the functions are executable in a certain programming language Since renement is

transitive the executable function is a renement of the rst required function This topic

is very well understo o d in formal metho ds literature and will not b e elab orated further in

this work

The other step in the development is the implementation step Of course this renement

should also be compatible with functional renement Compatibility is ensured if the

renement relation is transitive and includes also the implementation step More details

on the implementation step are presented in the following section

Implementation Step

In the development of ADTs the implementation step allows us to replace one typ e in the

ADT by another The implementation provides metho ds to dene the functions working on

the replaced typ e by functions working with the new typ e The goal of the implementation

of ADTs is to hide the representation of the data typ e and to characterize the typ e only

by axioms for the functions working on it

Dep ending on the relation between the replaced typ e and the new typ e we consider two

dierent forms of implementation which of course mayalsobe combined

a restriction step which builds a subtyp e and

a quotient step which allows us to identify dierent elements

Implementing an abstract ADT with typ e A with a restriction step by a concrete ADT

with typ e C means that A is isomorphic to a subtyp e of C a subset of values of typ e C

The subtyp e is characterized by a restriction predicate

Implementing an abstract ADT with typ e A with a quotient step by a concrete ADT with

typ e C means that A is isomorphic to a quotient of C a set of equivalent values of typ e

C The quotient is characterized by an observable equivalence relation

CHAPTER INTRODUCTION AND CONCEPTS

The implementation step is split into these two steps b ecause they may occur indep en

dently in the development pro cess and because it is easier to treat them one by one In

the literature many implementations cover b oth steps see for example EKMP The

concepts of the implementation of ADTs go back to Hoa

To implement an abstract ADT we will dene a sort implementation which relates the

abstract sort to the concrete sort A constant implementation is dened to relate the

op erations of the abstract ADT to the corresp onding op erations These terms b ecome

clear in the following example

Example Sets by Sequences

In this section the implementation is presented in an equational logic framework on the

example of implementing sets by sequences Equational logic is chosen for two reasons

it is easier to get into the topic compared to a higher order logic

the idea of using an explicit abstraction function is not new in the equational frame

work see eg PBDD but has not b een totally worked out esp ecially the explicit

pro of obligations to ensure the correctness were missing

Rening sets by sequences is a good example since it is small and contains all relevant

details likesubtyp es and quotients The renement pro ofs of the example and the general

description of the metho d are in Slo The metho d is integrated into the CSDM system

Sta

The chosen representation of sets by sequences is the following

Every sequence without duplicates represents a set

Two sequences represent the same set if they contain the same elements

For the notation of signatures and axioms the syntax of the sp ecication language Spec

trum BFG a is used since it supp orts the description of axioms in a convenient way

For example the denedness of a function x fx is abbreviated byf total

The strictness of some functions f is a requirement for sp ecic functional pro

gramming languages likeML see Pau

Sets

The abstract sort Set is sp ecied p olymorphically Axioms fsetg and fsetg require

some sets to b e identied Sets are generated by empty and add

Sort classes to control the p olymorphism are omitted here for readability

IMPLEMENTATION OF ABSTRACT DATA TYPES

SET f strict all functions are strict

sort Set sort declaration

empty Set constant signature

add Set Set function signatures

has Set Bool

has total add total attributes

Set generated by empty add generation constraint

axioms xy sSet in SET axioms

fsetg hasxempty

fsetg hasxaddxs

fsetg xy hasxaddys hasxs

fsetg addxaddxs addxs

fsetg addxaddys addyaddxs

endaxioms

Sequences

The concrete sort is Seq The data construct denes the sequences together with con

structor functions and some implicit axioms which make the denition equivalent to the

datatype declaration of ML

SEQ f strict

data Seq eseq executable sort

j cons Seq with induction rule

isin Seq Bool function signatures

subset Seq Seq Bool

axioms xy pqSeq in SEQ axioms

fising isinxeseq false

fising isinxconsyq

if xy then true else isinxq endif

fsubsg subseteseqq true

fsubsg subsetconsxpq

if isinxq then subsetpq else false endif

endaxioms

After the selection of SET and SEQ the following sp ecications are used to represent

the development of the implementation step see Figure The combination of an

is refinement of arrow with an is based on arrowisthe graphical form in which pro of

obligations are depicted in the development graph In Spectrum the semantic renement

relation M A j M C is mo del inclusion M C M A and A j C is logical

CHAPTER INTRODUCTION AND CONCEPTS

SET SET by SEQ

EQ SET cong SEQ

SEQ REP SET inv

SEQ ext

SEQ SIGSET

is renement of

is based on

Figure Development Graph for Sets by Sequences

implication C A For example on the basis of SEQ EQ the axioms of SET cong have

to b e derived SEQ EQ is a renement of SET cong

In the following the contents of these sp ecications are listed together with the necessary

user inputs for the denitions of the corresp onding functions the restriction predicate

and the congruence

Extension of Sequences for Sets

In this sp ecication the corresp onding functions are sp ecied

ext f enriches SEQ SEQ

Step scheme Define corresponding functions

x Seq empty

add x Seq Seq add x strict

x Seq Bool has x strict has

Step user Specify the functions

axioms x qSeq in

The term user refers to the user of the metho d

IMPLEMENTATION OF ABSTRACT DATA TYPES

fconstruct g empty x eseq

g add xxq fconstruct

if isinxq then q else consxq endif

ffunction g has xxq isinxq

endaxioms

Restriction of Sequences for Sets

The representation predicate is mo delled by a function is SetSeq Bool

REP f enriches SEQ ext SEQ

Step scheme Add the representation predicate

is SetSeq Bool is Set strict total

Step user Specify the representation predicate

axioms x qSeq in

frepg is Seteseq

frepg is Setconsxq isinxq is Setq

endaxioms

Homomorphism and Equality

The homomorphism is mo delled by a partial function absSeq Set whereas the

congruence relation for the equality on sets is dened as a partial function eq SetSeq

Seq Bool Both have to be dened only for elements that full the restriction

Set predicate is

SEQ EQ f enriches SEQ REP SIGSET

Step scheme Define the partial homomorphism

abs Seq Set abs strict

Step schemeGive the source of the partial homomorphism abs

axioms q Seq in

fpartialg absq is Setq

endaxioms

Step schemeDefine the homomorphism

axioms x qSeq in

x fhomg empty absempty

fhomg is Setq addxabsq absadd xxq

Setq hasxabsq has xxq fhomg is endaxioms

CHAPTER INTRODUCTION AND CONCEPTS

Step scheme Add a congruence predicate

Set Seq Seq Bool eq Set strict eq

Step user Specify the congruence predicate

axioms pqSeq in

feqg is Setp is Setq

eq Setpq subsetpq subsetqp

endaxioms

Generate Sets by Sequences

This sp ecication is the most imp ortantone it instantiates the equality to the congruence

and adds the new generation principle

by SEQ f enriches SEQ EQ SET

Step scheme axiom to instantiate equality to the congruence

axioms pqSeq in

finstantg is Setp is Setq

Setpq absp absq eq

endaxioms

Step scheme Add the generation principle for sets

Set generated by abs

Invariance of the Restriction Predicate

This sp ecication contains all pro of obligations for the invariance of the restriction predi

cate It is required that all corresp onding functions are preserving the predicate is Set

inv f enriches SEQ REP SET

invariance of the corresponding functions proof obligation

axioms x qSeq in

finvarg is Setempty x

Setq is Setadd xxq finvarg is

endaxioms

Congruence of the Equality for the Corresp onding Functions

This sp ecication contains all pro of obligations for the congruence of the equality for the corresp onding functions

IMPLEMENTATION OF ABSTRACT DATA TYPES

SET cong f enriches SEQ EQ

the axioms for a congruence proof obligation

axioms x pqrSeq in

equivalence relation

freflg is Setp eq Setpp

fsymg is Setp is Setq

eq Setpq eq Setqp

ftransg is Setp is Setq is Setr

eq Setpq eq Setqr

Setpr eq

substitutivity for observable functions

fcong add xg is Setp is Setq eq Setpq

Setadd xxpadd xxq eq

fcong has xg is Setp is Setq eq Setpq

has xxp has xxq

endaxioms

Here we use an explicit axiomatization of the congruence eq Set We will dene a predicate

Cobs on page to express this in amoreelegantway is

Pro ofs

All is refinement of relations of the development graph have to be proved by theory

inclusion of all axioms

by SEQ SET j SET

SET inv j SEQ REP

SET cong j SEQ EQ

The consistency of is Set and the executabilityof eq Set can automatically b e seen from

its syntactic form The pro ofs of this example have b een carried out with the Isab elle pro of

system Paub in Slo All axioms of the three pro of obligations were proved The

structure of the sp ecications provides a structure for the pro ofs Most pro ofs are simple

rewrite pro ofs Some pro ofs were done by induction on sets Therefore it has b een helpful

to rst deduce an induction rule for sets Set generated by empty add from the

axiom Set generated by abs which allows induction on the constructors empty and

add instead of abs

CHAPTER INTRODUCTION AND CONCEPTS

In the example the implementation is xed by

A sort implementation Set Seq

Constant implementations

empty eseq

x add add

has isin

A restriction predicate is Set

A congruence eq Set

The equivalence relation has to b e a congruence This means that it has to b e substitutive

for all observable functions In the example abs is not an observable function but add

and has are observable For co de generation this means that abs must not be exp orted

Hidden functions allowmultiple concrete representations for the same abstract element

Since equational logic with arbitrary typ es do es not suce for the development of inter

active systems we need a more expressive logic HOLCF is expressive enough but has

no appropriate notion of renement to cover the implementation step

Renement Requirements

This section denes the requirements for the renement relation j of our deductive

software development basis see Denition Furthermore it is explained whyweuse

HOLCF as logic and how the requirements may b e sp ecialized for HOLCF

The metho d for the implementation of interactive systems is a collection of dierent meth

o ds one for every development situation All metho ds are based on the renement relation

j and have to full the requirements

Consistency

Consistency see Denition is a very imp ortant asp ect in the deductive software

development pro cess Therefore one requirement to the renement relation j is that

it should be consistency preserving

Of course wemay also sp ecify the systems in HOLCF only with equations but wehavetyp es with

cpo structures and continuous functions in HOLCF which ensure the existence of least xed p oints for the

adequate description of comp onents with feedback

REFINEMENT REQUIREMENTS

Given an arbitrary requirement sp ecication of a system we do not know whether it is

consistent If it is inconsistent the system sp ecication is wrong and the system cannot

be implemented It is dicult to ensure the existence of a mo del at the b eginning of the

development

Denition Consistency Preserving

If LM j j is a deductivesoftware development basis then j is called

consistency preservingi

for all ACLwith A j C and C is consistent implies that A is also consistent

Our way to ensure the consistency of the requirement sp ecication is to require j to

be consistency preserving

Note that this prop erty do es not prevent us from rening a consistent sp ecication by

an inconsistent one for example by adding a wrong axiom but the prop erty ensures

that if we arrive during the deductive development at an executable sp ecication then

our requirement sp ecication will also be consistent To summarize transitivity of j

ensures that the executable sp ecication is a renement of the requirement sp ecication

and a consistency preserving j ensures that the requirement sp ecication is consistent

Of course we prefer renements that cannot intro duce inconsistencies like conservative

extensions in Section and we require from our metho ds that they do not intro duce

inconsistencies

Mo dularity

For the development of large systems a mo dular development has to be supp orted such

that many teams can work simultaneously on dierent parts of the system This leads to

an additional requirement for our renement relation j

The idea of mo dularity is to allow the renement of arbitrary mo dules of a sp ecication

and to require that the sp ecication with the rened mo dule is a renement of the original

sp ecication The mo dules are syntactic parts of the sp ecication and do not dep end

on the system structure A mo dule has to be a sp ecication The mo dule structure is

not necessarily related with the structure of the system For example two distributed

comp onents can both base on the same sp ecication mo dule The mo dule of strings is

used in many sp ecications

The initial approach to sp ecication assigns a mo del to every sp ecication but in the case that

tr ue false this mo del is useless

CHAPTER INTRODUCTION AND CONCEPTS

System System

AMo d

ab ab

Mo d Mo d

aNat a

bNat b

Figure Development graph with Mo dules

Denition Modularity

Let L M j j be a deductive software development basis then j is

called modularif

for all S T Lwith M S j M T and for all mo dular sp ecications Ax

L the following holds M AS j M AT

If M AS and M T are consistent then M AT is consistent

A mo dular sp ecication Ax is a sp ecication based on x It may also be regarded

as a parametrized sp ecication see EGL

The development graphs of Section are used to present the mo dule structure of the

sp ecication

Mo dularity is a very strong requirement since it requires to split a sp ecication into

arbitrary mo dules to develop them indep endently and then the result of the combination

of the mo dules should be a renement of the splitted sp ecication Mo dularity includes

consistency This may lead to troubles Assuming we have the p ossibility to express

equations in L then wemay lo ok at the example in Figure It shows a system System

consisting of a mo dular sp ecication AMod using the mo dule Mod This mo dule is

rened by the mo dule Mod and the system AMod is a renement of AMod The

problem in this example is that even if Mod Mod and AMod are consistent AMod

is not

Wechose the notation Ax as generalization of all constructs which allows us to structure sp ecica

tions For example in Spectrum BFG a one p ossibility to express that the sp ecication A textually

includes the sp ecication x L is A f enriches x g In Isab elle we have the op eration to structure sp ecications

REFINEMENT REQUIREMENTS

There are two p ossibilities to weaken the requirements of mo dularity

Restrict the sp ecication language L for example by excluding equations

Restrict the form of the Mo dules Ax for example byallowing only sp ecic comp o

sition op erators

Conservative extensions see Section are a restricted sp ecication language and en

sure conservativity for arbitrary mo dules and therefore supp ort simultaneous development

of large systems

Mo dularity is called horizontal comp ositionality in CZdR whereas vertical comp osi

tionality means transitivity If a renement relation is horizontally comp ositional the

development of the mo dules may be done indep endently and in parallel In Focus the

emphasis lies on the comp osition of interactive systems from comp onents The comp osi

tion op erators are sequential parallel jj and feedback comp osition Therefore the

form of mo dularity from Denition is not needed in Focus and comp ositionality

with resp ect to the main comp osition op erators suces We call comp ositionality with

resp ect to arbitrary structuring op erators mo dularity and comp ositionality with resp ect to

jj and comp ositionalitysee Denition

Development

In addition to consistency and mo dularity or comp ositionality we require that j

supp orts the development of interactive systems in all p ossible development situations

This includes the p ossibility to express the following development steps as renements

all development situations in Section

implementation of ADTs

functional renement and

for our metho ds we require that we have

executable constructions or co de generation

Of course we require j to cover all development situations This includes the im

plementation of ADTs see Section and functional renement The requirement of

executability or co de generation is practically relevant Here we see the inuence of practi

cal requirements on theory Theoretically a semantic embedding would suce for example

the semantic denition of automata in terms of stream pro cessing functions is a sucient

foundation for proving some prop erties ab out automata but an executable translation and

an executable translation back from stream pro cessing functions representing automata to

automata allows us to construct to ols that simulate automata on distributed systems

CHAPTER INTRODUCTION AND CONCEPTS

Logic and Language

This section describ es the requirements for the logic used and the sp ecication language

and it shortly explains why we decided to use HOLCF

The requirements for the logic M and the language L we use in the deductive software

development pro cess are simply that it should be p ossible to express all development sit

uations as renements and to formulate all pro of obligations in the language Therefore

the requirements are

Express requirement design and executable sp ecication in the same logic

sp ecify interactive systems with feedback channels and

supp ort an adequate characterization of executability

Having the same logic and language for requirements design and executable sp ecica

tion preserves us from using and learning several languages and from worrying ab out the

correctness of the changes between the languages and logics

In the deductive software development we need to be able to characterize requirement

sp ecications of interactive systems If wewould restrict us to op erational semantics then

we would have a very concrete view of systems Using denotational semantics gives us

more exibilityby allowing abstract behavioural sp ecications of systems Hoa

The second requirement sounds trivial but our general mo del of interactive systems re

quires to express comp onents and communication channels messages and their typ es in

the language and to have the corresp onding semantic concepts Since weallowed almost

arbitrary comp osition of comp onents to systems see Section we need semantics

and syntax for feedback comp osition comp onents that use their own output channels

as input To mo del interactive systems with recursive structures functionally requires to

assign semantics to feedback comp ositions Fixed p oints are used to denote their semantics

and the underlaying domains should have an order to express that the denoted xed p oints

is the least one HOLCF provides xed p oints and cpo structures Therefore we mo del

interactive systems with HOLCF

Executability needs an adequate characterization in the logic otherwise our results are not

of practical relevance see Section

HOLCF is describ ed in Section The reader not interested in the technical argumenta

tion why we selected HOLCF may accept our choice and skip the rest of this section

HOLCF is a higher order logic and oers the p ossibility to express abstract requirement

sp ecications more concrete sp ecications and executable sp ecications HOLCF allows us

to give denotational semantics to systems HOLCF also includes executable sp ecications

RELATED WORK

therefore HOLCF is one logic for abstract requirement sp ecications and for executable

systems With a powerful renement relation HOLCF is a go o d basis for the deductive

software development pro cess

The sp ecication of interactive systems is supp orted with the lazy data typ e of streams

to represent communication histories and stream pro cessing functions for the comp onents

see Denition or SS

The feedback rules are dened with a xed point construction To ensure the existence

of xed points the functions are required to be monotone with resp ect to an order on the

domain of streams HOLCF provides ordered domains

HOLCF contains LCF the logic of computable functions and it is therefore adequate to

characterize executable functions including asp ects like partial functions and undersp ec

ication HOLCF has continuous functions that work on cpo structured domains Fixed

points of continuous functions may be approximated by computing Kleenechains The

domain construct of HOLCF allows us to conservatively intro duce free data typ es with cpo

structures

The renement requirement of executability may b e formulated in HOLCF as

continuous functions have to b e implemented by continuous functions and

cpo structured domains have to b e implemented by cpo structured domains

The only disadvantage of HOLCF is that it has no supp ort for intro ducing subtyp es and

quotients needed in the implementation of ADTs and interactive systems with cpo struc

tures and continuous functions on it Therefore the main technical part of this work is a

conservative denition of such constructs in HOLCF

Related Work

A dierent approach to the correctness of programs is the transformational approach

Bro BBB HKB KB Its aim is a transformation of the requirement sp e

cication to an executable sp ecication by applying correctness preserving transformation

rules instead of showing the correctness of every development step deductively However

transformational development restricts us to use a set of correctness preserving rules A

theorem prover is needed to derive some application conditions of some rules furthermore

the correctness of every new rule has to be established deductively On the other hand

we want the deductive software development to have some schemes that may be applied

without excessive use of theorem provers for example for the renement of automata The

approaches are approaching each other and the more interesting asp ect is the logic they use

CHAPTER INTRODUCTION AND CONCEPTS

For b oth approaches there exist many sp ecializations for certain classes of systems or pro

gramming languages An imp ortant criterion is whether the sp ecication is statebased

which corresp onds to imp erative programming languages or whether the system sp eci

cation is not state based and realized by functional languages Since imp erative program

ming languages Algol Rut Pascal Wir have a longer tradition than functional

language MLPau Haskell HJW the rst sp ecication languages where devel

op ed for those state oriented languages Hoa Hoa Bac Bac MV together

with appropriate renement relations even for distributed systems and nondeterminism

Nip Nip Han WB The notion of state is quite complicated in distributed

systems and is usually rened by simulation and bisimulation techniques Mil Even the

rst pap ers of renement in sequential settings deal with variables and states and tackle

the initialization of variables for rened systems

Interactive systems may b e describ ed with dierent semantics Op erational algebraic and

denotational semantics are the most used ones See Hoa for an overview Op era

tional semantics are used if the emphasis is on the execution of programs for example

for automata or CCS Mil If we are interested in algebraic manipulations as transfor

mations of distributed programs we may use pro cess algebras with algebraic semantics

like CSP Hoa to describ e our systems For the sp ecication of interactive systems

denotational semantics are b est suited since they give semantics to recursive predicates

describing the observable behaviour of the system see SS for the foundations For

simple programming languages these semantics can b e shown to b e equivalent but for the

abstract sp ecications of requirements denotational semantics are preferable

Functional languages allow us to mo del states explicitly An imp erative pro cedure may

be seen as functions on the state with the state as input and output parameter The

renement calculus MV describ es pro cedures together with read and write access to

the state in order to simplify pro ofs for the non aected variables This is quite close to the

functional view The p ossibility of abstracting from states makes functional descriptions an

elegantway in mo delling distributed systems abstractly Since in the software development

pro cess the most imp ortant criterion is to have a comp ositional renement relation some

mo dels for example traces are enriched with additional structures just to make them

comp ositional For functional system descriptions those tricks are not necessary This

makes them quite appropriate for the deductive software development pro cess

Abstract sp ecications may b e quite understandable esp ecially when graphical description

techniques are used This requires them to have formal semantics in terms of HOLCF or

HOL which is a part of HOLCF HOLCF builds a basis for many description techniques

State automata are formally founded in NS ER diagrams are dened in Het and

structuring diagrams for distributed systems are embedded into HOLCF in SS Even

for Statecharts a graphical sp ecication widely used in praxis Har there exist formal

semantics NRS With these user oriented description techniques the sp ecication of

systems is mathematically founded and user friendly For the development with such

graphical sp ecications techniques the basic renement steps have to be applied They

GOALS

can either be applied on the level of HOLCF or more user friendly there should be some

graphical renements dened based on the renements of HOLCF

BDD denes several metho ds for structural renement that allow us to decomp ose

the system In BDD Bro the renement relations of Focus are dened in a quite

abstract way Abstraction and representation functions are used and conditions are given

for comp ositionality In the deductive software development pro cess these conditions will

be put to the develop er as proof obligations However these conditions are very general

and hard to prove without a supp orting metho d This work renes these conditions by

some necessary conditions for example invariance which guide the develop er to design

implementations and the pro of obligations are helpful lemmata for the abstract pro of

obligations

To summarize the related work we can say that there has b een a lot of work in the area of the

sp ecication of interactive systems and also a lot of work in the area of the implementation

of ADTs but no work combines the advantages of both approaches In this work the

implementation of ADTs provides concrete metho ds for the implementation of interactive

systems which improvethe general metho ds from Focus by some sp ecic results

Goals

The technical goals of this work stem from the motivation of giving a practicable metho d for

the implementation of interactive systems on the basis of ADTs in HOLCF This requires

to solve the following tasks

Conservative implementation of subtyp es with cp o structures and continuous func

tions

Conservative implementation of quotients with cp o structures and continuous func

tions

Give concrete metho ds for dierent development situations in the development of

interactive systems

Tosolve these tasks in a practicable waywe decided to work with HOLCF and wehaveto

ensure that

simple pro of obligations are generated to guarantee the correctness of the implemen

tation

all pro of obligations are expressible in HOLCF

metho dical help for the pro of is provided

CHAPTER INTRODUCTION AND CONCEPTS

the metho ds are constructive such that co de generation is p ossible

restriction predicates and congruences are formulated in HOLCF and that

the metho ds are integrated into the deductive development pro cess

To ensure that the pro of obligations are simple two dierent techniques for the deni

tion of renement relations theory interpretation and mo del inclusion with conservative

extension are compared Technically the most interesting results are

A conservative denition of subtyp es in LCF and its implementation in Isab elles

logic HOLCF

A constructive metho d for dening co ercion functions b etween the abstract elements

and the corresp onding terms for p olymorphic and higher order terms

A higher order theory interpretation that preserves continuous functions

A conservative denition of quotients in HOLCF including equivalence classes and

metho ds for the denition of continuous functions

A denition of observability in a higher order logic on the basis of partial equiv

alence relations PERs and a exible class eq for the sp ecication of observable

congruences

Rening Focus using ADTs

Improving comp ositionalityof downward simulation for invariant functions

A simulation of an automaton based on stream pro cessing functions

Besides many small and medium sized examples in this work some critical asp ects of a

WWW server are taken as case study in Chapter

Structure of the Thesis

The structure of this thesis is inuenced by the dierent implementation steps and by the

two applied techniques to dene the renement relation We decided to compare two tech

niques since mo del inclusion did not t to our denition of executability whereas theory

interpretation which is the more general technique seamed to generate more complicated

pro of obligations Having compared b oth metho ds for the implementation of ADTs ex

plicitlywe know that our metho d is the b est solution for our requirements

STRUCTURE OF THE THESIS

The developmentofinteractive systems requires to have a renement relation that supp orts

all development situations of Section These situations include the implementation

of the ADTs of messages in the system The implementation of ADTs is studied since

Hoa in many dierent logics see ONS for an overview The implementation

consists of two imp ortant steps

The restriction step which builds a subtyp e and

the quotient step which allows us to identify equivalent elements

Since we decided to use HOLCF for the implementation we start with the presentation

of the parts of HOLCF which are relevant for this work The two renement techniques

theory interpretation and mo del inclusion with conservative extension are presented in

Chapter In Chapter two metho ds based on the two dierent renement relations one

for mo del inclusion and one for theory interpretation for the restriction step are compared

where Chapter does the same comparison for the quotient step

The reader not interested in a higher order theory interpretation that preserves continuous

functions may skip Section The credulous reader b elieving in the deciencies of mo del

inclusion in the treatmentofmultiple representations may skip Section

Chapter combines the conservative extension of Section with the theory interpreta

tion of Section to a comp ositional metho d whichiswell suited for the implementation

of interactive systems As we mentioned in the previous sections the implementation of

interactive systems uses the implementation of ADTs in two dierent ways in schematic

translations and in individual translations In schematic translations interactive systems

are implemented by applying the implementation of ADTs to every single message In indi

vidual translations the metho ds for the implementation of ADTs are extended to implement

arbitrary systems but they still use the same concepts of abstraction and representation

functions which were already intro duced by Hoare

In Chapter we show that this metho d for the implementation of ADTs is well suited

for the schematic implementation of interactive systems and we extend it to a metho d for

the individual implementations of interactive systems These metho ds are applied in the

case study of implementing some critical asp ects of a WWW server in Chapter This

work is the basis for many future research activities which are describ ed in the concluding

Chapter At the end an index and a list of denitions are added to nd o ccurrences of

imp ortant terms

Chapter

Renements in HOLCF

In the software development pro cess a coarse requirement sp ecication is develop ed step

wise towards a realization of the system The deductive software development pro cess

mo dels each correct development step as renement and requires to prove the correctness

of every development step This avoids incorrect development steps For this pro cess it is

imp ortant to have an appropriate renement relation which supp orts the verication of

all desired development steps

We decided to compare two techniques since mo del inclusion did not t to our denition of

executability whereas theory interpretation which is the more general technique seamed

to generate more complicated pro of obligations Having compared b oth metho ds for the

implementation of ADTs explicitlywe know that our metho d is the b est solution for our

requirements Theory interpretations are needed for the translation of equivalence classes

into representing elements Theory interpretations are describ ed in Section mo del

inclusion for HOLCF is dened in Section

First a short intro duction to the used parts of HOLCF is given see Reg for a short

overview of HOLCF and the the sp ecications of ADTs in HOLCF are presented

HOLCF

The logic HOLCF Reg is a conservative extension of the higher order logic HOL GM

by the concepts from the logic of computable functions LCF Pau It is well suited for the

sp ecication of interactive systems since it has xed points and cpo structured domains

Furthermore its supp orts the development from abstract requirement sp ecications to

concrete designs It has a higher order logic for formulating abstract and expressive re

quirement sp ecications but also a continuous function space and a domain construct

which are adequate for formulating executable recursive functions This is the basis for

co de generation

HOLCF

This section gives some denitions of HOLCF from Reg In order to cut down termi

nology some denitions are simplied at points where the complete formal denitions are

not imp ortant for this work for example typ e classes and typ e inference The notions of

data typ e abstract data typ e free data typ e and executable data typ e are also dened for

HOLCF An interesting asp ect in the following chapters is the executable implementation

of subtyp es and quotients which are nonfree data typ es

HOLCF Terms

HOLCF terms are HOL terms In HOLCF there are a lot of additional constants typ es

classes and arities but since they are intro duced conservatively it suces to fo cus on HOL

terms HOL is a higher order logic and therefore we have to signatures and one

for the typ e terms and the other for the terms

HOL is strongly typ ed ie every term has a typ e Typ es are typ e terms over a typ e

signature with typ e constructors and typ e variables

Denition Type Term

The set of typ e terms T over a typ e signature ftc g a set of typ e constructors

with typ e variables is dened by

Typ Var T for

i n

Typ App t T for in tc t t T for tc

n n

Typ e constructors have an arity whichwe sometimes write as an index tc are typ e

t In Isab elle the arity is constants and ntuples as t t are abbreviated by

i n

declared together with the denition of the typ e by the types statement see for

example page

Some examples of typ e terms in HOL are

bool nat typ e constants

list nat set typ e terms with p ostx constructors of arity

nat bool typ e term with inx constructor of arity

The well typ ed terms in HOLCF are dened as the set of all untyp ed terms which in

Reg are called raw terms which are typ e correct

In Isab elle there is also an arities statement It is used to declare the typ e classes of a typ e constructor

or typ e constants

CHAPTER REFINEMENTS IN HOLCF

Denition Raw Term

Let be a typ e signature and let C fc d g be a set of constants then for

C the set RT of raw terms with variables from is the set of untyp ed

terms over dened by

RTerm Con c RT for c C

Var x RT for x RTerm

RTerm App t t RT t t RT

Abs t RT x t RT for x RTerm

Every raw term t maybe annotated by a typ e term T by t

The set of raw terms is reduced to typ e correct terms by the following denition

Denition Term

The set of terms T over a signature Cwithvariables from is the typ e

correct subset of RT which is dened by

for every term t T there exists a typ e context and a typ e term with

See Reg Section for the denitions of typ e context and a calculus for the typ e

inference relation

For this work an intuitive understanding of typ e correctness suces A classication of

p olymorphic typ e systems can be found in Naz We assume typ e correctness of the

terms since the implementation of abstract data typ es makes only sense for typ e correct

ADTs

Some examples of constants in HOLCF are

TT FF tr

not boolbool

bool bool

xTT and xFF are abbreviated in the following by dxe and bxc resp ectively In HOLCF

the distinction b etween the typ es bool and tr is imp ortant bool is twovalued and used

in the predicate level to express prop erties of sp ecications and op erations tr is three

valued and represents the truth values of op erations in the sp ecication which may not

Even typ ed abstraction is used x t

HOLCF

terminate expressed by tr With partial functions may be mo delled see MS

for an overview

In addition to these real HOLCF constants we use some schemes as abbreviations for

concrete constants This allows us to give more readable denitions for the treatment of

data typ es with arbitrary typ es and constructors Instead of writing ntuples x x or

x in Isab elle formulas as abbreviation The following abbreviations x x we also use

i n

are also used

and tr tr with and x andx and x

n n i

tr tr with or x orx or x or

n i n

cases tr tr with cases cond x

n n i i

If cond then x else If

If cond then x else x fi fi

n n n

HOLCF Typ e Classes

This section informally describ es the typ e classes of HOLCF and explains their application

For a formal denition of typ e classes see Reg Section

Typ e classes are used to control p olymorphism In ML Pau there only exist two typ e

classes and to distinguish p olymorphic functions that do not p ermit equality tests

from those that do

As in other typ e systems HaskellGofer HJW Jon or Isab elle Paub HOLCF

allows typ e classes to be dened with a sub class hierarchy Typ e classes consist of p oly

morphic characteristic functions and constants available on every monomorphic typ e that

b elongs to the class and characteristic axioms describing prop erties of the characteristic

constants

The characteristic constants are dened p olymorphically but are only available on typ es

that b elong to the class Therefore b efore applying them to a value of a concrete typ e

it must be assured that this typ e b elongs to the class This is called instantiation It

is done by showing that some terms mostly constants on the concrete typ e satisfy the

characteristic axioms of the class Such pro ofs are called witnesses for the fact that the

concrete typ e b elongs to a class If such a witness exists the characteristic constants

may be instantiated to the concrete constants by dening them to be equal to the term

satisfying the characteristic axioms The typ e checker needs an arity declaration to check

the new instance correctly Instantiating a typ e into a class requires to instantiate it rst

into all sup erclasses of the class see Section for an example

Since wehave in HOLCF two function spaces we need twodierentlamb da for the abstractions We

use for the full function space and for the continuous function space

The intro duction of new arities is fully treated in Reg

CHAPTER REFINEMENTS IN HOLCF

class sub class of constants axioms

po term v refl less xvx

antisym less xv y yv x xy

trans less xv y yv z xv z

pcpo po minimal v x

cpo is chain Sxrange Sjx

Figure Typ e Classes of HOLCF

Figure shows the typ e classes used in HOLCF If we declare the typ e of a p olymorphic

constant in a typ e class we may app end the typ e class separated by to the typ e of

the constant For example the typ e of is pcpo The typ e class pcpo describ es

cpo structures and esp ecially the pro of of the axiom cpo for sub domains is an interesting

asp ect in Section

Axiomatic typ e classes Wen allow us to declare the characteristic axioms for a typ e

class and axiomatic typ e classes provide a syntax for a safe instantiation into typ e classes

This safe instantiation rule checks the witnesses for the characteristic axioms b efore it

declares the arity to the typ e checker Because axiomatic typ e classes formulate axioms

over arbitrary constants they do not allowus to intro duce a characteristic constant for a

typ e class in one step

Intro ducing an axiomatic typ e class with a characteristic constant available only on this

class requires two steps The rst step is to dene a general constant which is available

on all p olymorphic typ es of the class term or any other sup erclass of the dened class

With this general constant the new typ e class is axiomatized The second step is to dene

the characteristic constant only available on the new class and to dene it to be equal

to the general constant With this two step metho d the typ e checker tests whether the

characteristic constant is applied to a term which resides in the new class

Example Axiomatic Type Class per

Consider the theory PER as an example for such a two step denition

PER Set axclass per with characteristic constant

consts general constant

term bool infixl

axclass per term

characteristic axioms for per

ax sym per x y y x

ax trans per x y y z x z

consts characteristic constant for per

per bool infixl

HOLCF

defs ax per def op per bool op

end

Since this is our rst Isab elle sp ecication we explain the used syntax briey PER

is the name of the sp ecication it bases on the sp ecication Set from HOL consts

intro duces constants and declares their typ es infixl assigns a priorityto an

inx op erator axclass is the keyword for the intro duction of axiomatic typ e classes

per is the name of the dened class It is a sub class of the general class term The

axiomatic typ e class is intro duced with characteristic axioms which start with a

name and are followed by the rule defs can b e used to dene op erations in Isab elle

defs requires to use the denition symbol

The rst step after the denition is to derive the characteristic axioms for the char

acteristic constant by a simple simplication We get the following theorems

per x y y x sym

trans per x y y z x z

From now on all further theorems for per use Only for the denition of PERs on

other typ es we need the general constant For example we dene on bool to

be the identityby

bool per op boolbool bool op

The safe instantiation of bool into the class per is p erformed by

PER PER

instance proofs of the characteristic axioms

bool per bool sym perbool trans per

end

The instance syntax allows us to provide theorems which are witnesses of the char

acteristic axioms Before the ab ove instantiation we proved the following witnesses

bool sym per xbooly yx

bool trans per xboolyyz x z

This example shows the conservative denition and instantiation of typ e classes in the

Isab elle system All pro ofs are simple and are only mentioned here to show that the

witnesses for the instantiation into the class have b een proved

Using axiomatic typ e classes without this two step declaration has the disadvantage that

typ e inference sometimes infers a to o general typ e For example the typ es of x and y in

yxyx are inferred to term Therefore we can not prove the prop erty which

CHAPTER REFINEMENTS IN HOLCF

we could have proved if x and y are of typ e bool Sometimes this might be confusing

Even more confusing is the fact that dnat is typ e correct Using the two

step declaration of characteristic constants would allow the typ e checker to reject those

strange terms Therefore we use the two step instantiations in this work

The formal semantics of typ e classes are not used in this work The informal treatment

of typ e classes leads to a simplication of the semantics since typ e classes and resulting

restrictions as regularity coregularity downward completeness and some others are not

mentioned here See Reg or Nip for the treatment of these asp ects

HOLCF Mo dels

The mo dels of HOLCF in Reg are dened in two steps rst the mo dels of HOLC

HOL with classes are dened then HOLCF is syntactically constructed on top of HOLC

by intro ducing new constants typ es classes and arities Since these intro ductions are

conservative HOLCF mo dels are constructed along this syntactic extension This metho d

is called conservative extension method Some examples of conservative extensions can be

found in Section

Thus the mo dels of HOLCF are based on the mo dels of HOLC A dicult problem in

HOLC is the semantic mo delling of typ e classes with characteristic constants Complex

mo dels that include a class structure of mo dels for the characteristic constants are used

to dene the semantics for HOLC in Reg Section We mayomittyp e classes from

the structure of the HOLCF mo dels since for this work an informal understanding of typ e

classes suces And b esides it would only be a rep etition of Reg and notations are

simpler without them Therefore this denition of mo dels is based only on the simple typ e

mo dels for typ e terms

Denition Simple Type Model

A simple typ e mo del TM PUTCforatyp e signature consists only of

a set PU of nonempty carriers closed under nonempty subsets pro ducts and

total functions and with a choice function ch that cho oses an arbitrary

element of any carrier for X PU chX X

The set TC ftc g of interpretations for all typ e constructors tc

Here denotes an op eration of a class minusinwhich dnat is not instantiated

A further advantage of the denition with twoconstants is that it allows us to adopt theories which

are dened without axiomatic typ e classes like HOLCF in its currentversion easily to axiomatic typ e

classes The metho d is to intro duce a second constant for every characteristic constant and to derive the

old characteristic axioms in the rst step Then all other theorems can b e adopted without further change

HOLCF

Some examples of simple typ e mo dels in HOLCF are

PU fbool gwithfT F g PU

PU ftr gwithfTT FF g PU

PU f g with for all A B PU A B PU since PU is closed under

To dene an interpretation of typ e terms a typ e variable assignment PU is

needed With this mapping the interpretation can b e dened

Denition Type Interpretation

Let TM be a typ e mo del for a typ e signature with typ e variables then the

interpretation TM ofatyp e term T is simply dened by

TM TM for where T is a variable assignment

TMtc tc t TMt for tc

n i i n

Compared to the semantics of typ e terms in Reg this is a much simpler semantics of

typ e mo dels In the following we omit the typ e variable assignment in the index since

it is not needed b ecause we treat typ e classes and p olymorphism informally

With these semantics of typ e terms mo dels for terms may be dened

Denition Model

A mo del M TMI for a signature C consists of

a simple typ e mo del TM for and

a set I fc g of interpretations for all constants c C

The interpretation of terms dep ends on a variable assignment X where X PU

and is a set of variables

Denition Term Interpretation

The interpretation in a mo del M TMIand I fc g of a term is dened by

M M

Con M c c for c and c I Int

Int Var M x x for x where X is a variable assign

ment and isa set of variables

fort t T M t M t App M t t Int

CHAPTER REFINEMENTS IN HOLCF

Int Abs M x ut f for x u T and t T where f is the

by extensionality uniquely dened function

f a TMu M t

Additional requirements for and which arise from the restriction to typ e correct

terms are omitted here and may b e found in Reg

Some constants have to b e in every mo del and their interpretations are

F if b T and b F

Imp b b Sem

T else

T if b T or b T

Sem Or b b

F else

T if a and b are equal

Sem Eq ab

F else

Sem Eps p bool cho oses an arbitrary xed x chTM with

M px T This op erator is called Hilb ert op erator an may be used to sp ecify

nondeterministic op erations for example the choice function of an equivalence class

on page

With this interpretation the semantics of terms are dened Based on the syntactic notion

of a theory satisfaction can be dened for axioms and theories

Denition Theory

The theory Th Ax is a pair where

is a signature and

Ax fax bool g and ax T

i i

The axioms Ax describ e prop erties of the intended mo del

Theories are often called specications when they are used to sp ecify requirements or

realizations of a system

Denition Satisfaction

A mo del M satises a formula T of typ e bool M j if

M T for all variable valuations

The notion can b e extended to theories Th Ax by M j Th if

HOLCF

M j ax for all ax Ax

The axioms Ax are closed boolean terms and therefore they are indep endent from

the assignment

In this denition of satisfaction the typ e environmentandthetyp e assignment are not

needed since typ e correctness of terms and variables is assumed

Conservative Extensions

Conservative extensions are a metho d to safely extend HOL theories see GM They are

called conservative since mo dels of the extended theory can b e constructed in terms of the

basic theory and it do es not aect the basic mo dels p ersistent construction Renements

between a theory its conservative extensions are consistency preserving since conservative

extensions explicitly construct a mo del and they are mo dular since the extended mo del

may be reduced to the concrete one see Reg Section Since HOLCF is a conser

vative extension of HOL and since HOL has a mo del the semantics of HOLCF is well

dened Realizing this conservative embedding was a challenge to Franz Regensburger in

his thesis Reg

In Reg Section a sp ecial form of conservative extension to intro duce free data typ es

is presented This intro duction ensures that the constructed typ e resides in the class pcpo

This has been implemented in form of the domain construct see Ohe or on page

For the implementation of interactive systems it is imp ortant that the typ es reside into

the typ e class pcpo since on functions b etween typ es of the typ e class pcpo the xed p oint

construction denotes the semantics for recursive functions In order to guarantee that typ es

are in the class pcpo the metho ds presented in the following chapters provide techniques

which ensure this without requiring the user to provide a partial order or to prove chain

completeness which are the characteristic prop erties of the class pcpo

In this section the HOL metho d for the conservativeintro duction of new typ es is rep eated

from GM and the intro duction of free data typ es is presented as in Reg Ohe

The following example from the implementation of HOLCF Reg page shows the

conservative intro duction of the continuous function space in HOLCF

Example Continuous Functions

Continuous functions b ecome a conservative extension of HOL constructed by build

ing a subset of values from the full function space from HOL The rst restriction of

the subset excludes all structures which are not chain complete This is expressed

by the use of the typ e class pcpo The second restriction allows only continuous

functions between typ es with cpo structures This is expressed by the predicate

CHAPTER REFINEMENTS IN HOLCF

cont pcpo pcpo bool The set of all continuous functions is denoted

by the inx typ e constructor To ensure the welldenedness of this denition the

conservative extension metho d uses an abstraction function and a representation

function

Cfun Cont

types declares the arity of the type constructor

consts

Cfun set subset

fapp rep

fabs abs

rules

Cfun def Cfun ff contfg

Cfun fapp fo Cfun Rep

Rep Cfun inverse fabs fapp fo fo

Abs Cfun inverse f Cfun fappfabs f f

end

Toshow that this denition is conservative it is necessary to show that the new typ e

is not empty otherwise the choice function would be undened and cause inconsis

tencies This is done by proving that there exists a function f with cont f This

function is the witness for the correctness of the typ e denition The abstraction

function fabs is written as the binder and the representation function fapp is ab

breviated by For applying the reduction of a continuous function it is necessary

to prove that the function is continuous This is expressed by the following theorem

beta cfun cont c xc xu c u

We sometimes call continuous functions operations

In HOLCF there exist conservative extension metho ds for intro ducing new classes arities

typ es and constants see Reg Section For classes it is necessary to give a witness

that fulls the class axioms for arities a witness for the characteristic axioms is needed

see Section The conservativeintro duction of a constant requires that the constant

is dened by a term that denotes its meaning

Some examples for the intro duction of new constants in HOL are the formulation of

Henkins denitions Hen for the quantors in Reg page

Def PP xTrue

Def PP xP

In LCF Pau cpos and continuous functions form the basis of the logic for computable

functions In this thesis ADTs are based on data typ es over cpo structured domains

chain YrangeifY ijflubrange Y From Reg cont f Yis

HOLCF

Data Typ es

This section denes dierent notions of data typ es and shows that for the sp ecication of

ADTs in HOLCF a typ e classes eq is useful

Data typ es represent the values on which functions are working To ensure the well

denedness of recursive functions denitions it is necessary to dene them with a termina

tion ordering Another way is to dene recursive functions with the help of a xed p oint

op erator denoting the least xed p oint The basis for this construct are the domains with

chain complete partial orders and continuous functions Acentral asp ect in HOLCF is the

existence of typ es with such order structures In Isab elles logic the fact that a typ e has

a certain structure is expressed by declaring that the typ e is a member of a typ e class

For example the class po has a partial order for the denition of monotonicity and is a

sup erclass of pcpo the typ e class with pointed complete partial orders pcpo provides a

continuous function space and a xed p oint op erator fix for the denotational

semantics of recursive functions and interactive systems

Therefore all data typ es used in sp ecications in the deductive software development

pro cess should reside in pcpo the typ e class of pointed complete partial orders Data

typ es are sp ecied in theories

Denition Data Type

A data typ e T C on sp ecied in a theory Th CAx is a typ e charac

terized by a set of constructor functions Con fcon con g with

T and resides in the typ e class pcpo

Con C

all con are continuous functions of typ e or constants of typ e In the

i i

case of multiple arguments the typ e which is an abbreviation

i ij

for and

i im

a typical induction rule Ind Ax for admissible predicates dep ending on the

typ e of the constructors

x sx P x P con x P x where Ind adm P P

ij ij ij i ij

the typ e dep endent schemata P z t P z if t and else tr ue and

sz z if the constructor is strict in the argument at p osition ij and else

tr ue

The induction rule is an imp ortant part of a data typ e It allows us to deduce admissible

prop erties over all values of the typ e In addition it characterizes the constructor functions

chain Y i P Y i P lub range Y From Reg adm P Y is

CHAPTER REFINEMENTS IN HOLCF

A data typ e without induction rule would only be a sp ecication containing a typ e and

some functions on that typ e

There are two dierent kinds of data typ es nite data typ es and innite data typ es

Innite data typ es may have innite elements The best known example is stream see

page for a denition of streams Mathematically this is expressed by allowing the

data typ e constructor to b e lazy ie by not requiring it to b e strict For nite data typ es

all constructor functions have to be strict

ConStrict con

This is equivalent to the requirement that all selectors of a data typ e b e total

SelTotal x selx

In this work we rst fo cus on nite data typ es After b eing able to implement nite ADTs

we extend our metho ds to the implementation of innite ADTs see Chapter

Note that the admissibility of the predicate in the induction rule is only needed for data

typ es with innite elements Since the formulation of the induction rule is quite complicated

even without admissibility there exists an abbreviation for it in HOLCF see Ohe

The rule maybe sp ecied in HOLCF with the generated by construct by

generated by con j j con

The denition of a data typ e is shown on the example of lists

Example Data Type List

The data typ e list DLI S T D List fdnil dconsg can be sp ecied in HOLCF

in the following theory

DLIST HOLCF

types DList

ops curried

dnil DList

dcons DList DList

rules

DList Ind P P dnil

a d a d P d Pdconsad P x end

HOLCF

The data typ e constructor DList is sp ecied and the axiom describing the induction

rule which xes the set of constructors and allows us to deduce prop erties ab out lists

is given The name DList is used since in HOL list is already dened With the

generated finite by construct the keyword finite is used if no admissibilityis

needed the induction rule for DList maybe sp ecied by

generated finite DList by dnil j dcons

Acentral idea of abstract data typ es is to give a small set of functions that characterize the

prop erties of the data typ e These functions can be used for the denition of all complex

functions based on the data typ e The basic functions can be divided into three groups

constructor functions whose result typ e is the constructed data typ e They may be

recursive in this typ e for example succ NatNat

selector functions select comp onents from the relevant sort for example fst

discriminator functions are used to discriminate b etween variants of data typ es for

example is empty Set tr

On nite data typ es we require in addition that

there exists a continuous equivalence relation tr to compare the elements

of the typ e This comparison should b e

reexive on dened values symmetric and transitive

strict

total

should be a congruence ie for all constructor selector and discriminator

functions f it should hold that dx ye implies if fx and fy

then dfx fye where and are the continuous equalities tting to the

typ e of f

We call continuous equality

A helpful function which should be available for every data typ e constructor is the map

List functional It applies functions to every elementofthetyp e the b est known is Map

List List If tct t then the map functional Map takes

n functions f t s and has the typ e t s t s tc t t tcs s

i i i n n n n

In Section weintro duce a predicate to express this prop erty

CHAPTER REFINEMENTS IN HOLCF

If the data typ e constructor is of arity for example Nat then the map functional is the

identity The map functionals are needed to dene the implementation of terms of typ e

list where is the implemented typ e The general map functional was also prop osed for

the datatype construct in HOL see Vol

This leads to the following denition of ADTs

Denition Abstract Data Type

A data typ e T C on sp ecied in Th CAx is called an abstract data

typ e if there exist selector functions Sel fsel gC discriminator func

ij ij

tions Dis fdis tr g C a map functional Map C and on nite ADTs

acontinuous equality C so that the following rules are in Ax

Discrimx ddis con xe for all i n

i i

ConSeld dis xe con sel x x for all i j n

i i ij

MapCond dis xe Map f x con Map f sel x for all i j n

i i ij

where Map is the appropriate map functional of the comp onent or the identity

if the typ e of sel x is basic and f f are the arguments of the map

functional according to the typ e of the comp onents

has to be a strict and total equivalence relation This is expressed by the

following rules

EqStrict x

EqTotal x y x y

EqRefl x d x xe

EqSym x y y x

EqTrans dx ye dy ze dx ze

EqObs dx ye f x f y df x f ye for all f

i i i i i i

Con Sel Dis

The existence of a continuous equality may be required by sp ecifying the typ e

to reside in the class eq see page and by the explicit sp ecication of the

observers Our class eq see Section provides the predicate is Cobs to

express observability in HOLCF

In the following we write T C on S el D is M ap for a nite abstract data

typ e and T C on Sel Dis M ap for an arbitrary ADT

This denition of ADTs has all features known from classical ADTs and b esides the

powerful higher order logic of computable functions it incorp orates the notion of map

functionals which is very useful for higher order data typ es see our metho ds in Sections

HOLCF

and actually is integrated into Isab elle HOL logic Vol In addition our class

eq see Section gives us the p ossibilitytocharacterize congruences with predicates

This denition is illustrated again with the example of lists

Example Abstract Data Type List

dnil is dconsg The ADT list DLI S T D List fdnil dconsg fdht dtl g fis

Map eq D List can be sp ecied inHOLCFinthe following theory

D List

DLIST EQ

types DList

ops curried

constructor functions

dnil DList

dcons DList DList

discriminator functions

is dnil DList tr

is dcons DList tr

selector functions

dhd DList

dtl DList DList

Map on DLists

Map DList DList DList

continuous equality for DList

DList eq DList a DList tr eq

rules

Induction rule

DList Ind P P dnil

a d a d P d P dconsad P x

discriminator rules

is dnil dis dnildnile

is dcons dconsxy dis dconsdconsxye

selector rules

dcons app dis dconste dconsdhdtdtlt t

Map rules

Map dnil dis dnilte Map DListft dnil

Map dcons dis dconste Map DListft

dcons fdhdt

Map DListfdtlt

definition of the continuous equality

DList deq DListdnildnile eq

DList dconsxy beq DListdnildconsxyc eq

eq DList dconsxy beq DListdconsxydnilc

CHAPTER REFINEMENTS IN HOLCF

eq DList eq DListdconsxsdconsy t

DListst xy andalso eq

end

The continuous equality for DList is based on the continuous equality of the base

typ e A pro of that eq DList is a continuous equality would justify the instantiation

of DList into the class eq In some requirements sp ecication the existence of a

continuous equality is required This can be sp ecied by requiring the typ e to be

of the class eq and by sp ecifying some observers for see Example The

DList would allow us to deduce that it is a continuous equality denitions of eq

The observability can be expressed by the predicate is Cobs from Section

is Cobs dcons

is Cobs is dnil

is Cobs is dcons

is Cobs dhd

is Cobs dtl

The following general theorems for ADTs are obvious and will be used in some pro ofs in

Section

DisCases ddis xe for some i

xx z z MapId Map

In programming languages esp ecially in functional languages data typ es are free This

means that constructors are distinct and dierent arguments lead to dierent results of

the constructor functions This is captured by the following denition

Denition Free Data Type

Let T C on S el D is M ap b e an ADT sp ecied in Th Ax This ADT

will b e called a free data typ e if the following rules are in Ax

Distinctbdis con xc for all i j n

j i

Injective con x con y x y forall i n

i i

This is without the observability an initial characterization of the solution of the recursive

domain equation for the data typ e It is unique up to isomorphism

HOLCF

This denition is illustrated again at the example of lists

Example Free Data Type List

The ADT DLI S T from Example is sp ecied as a free data typ e in the following

theory

DLIST EQ

types DList

arities DList eqeq provides on DList

ops curried

constructor functions

dnil DList

dcons DList DList

discriminator functions

is dnil DList tr

dcons DList tr is

selector functions

dhd DList

dtl DList DList

Map on DLists

Map DList DList DList

rules Induction rule

Ind P P dnil DList

a d a d P d P dconsad P x

discriminator rules

axioms further axioms

defvars f x y s t in

is dnil dis dnildnile

dnil bis dnildconsxsc is

is dcons dis dconsdconsxse

is dcons bis dconsdnilc

selector rules

app dis dconste dconsdhdtdtlt t dcons

Map rules

Map dnil dis dnilte Map DListft dnil

Map dcons dis dconste Map DListft

dcons fdhdt

DListfdtlt Map

injectivity of constructors

injective dconsxs dconsyt xy st end

CHAPTER REFINEMENTS IN HOLCF

axioms defvars x in P x is an Isab elleHOLCF abbreviation for x P x in

the following axioms

From the monotonicity of the discriminators one can deduce that the constructors

are distinct here dnil dconsxt

Since such a description of free data typ es is very long it is helpful to have shorthands for

their sp ecication In the sp ecication language Spectrum BFG a BFG b a data

construct has b een intro duced that allows us to deduce these axioms In HOL there exists

a data construct as well

In Reg the intro duction of free data typ es was dened and justied by the colimit

construction In Ohe this intro duction of free data typ es is implemented with the

domain construct With this the free data typ e of lists may be sp ecied by

DLIST eq

domain DList dnil j dcons dhd dtl DList

arities DList eqeq

rules

eq obs is Cobs dcons is Cobs is dnil

is Cobs is dcons is Cobs dhd is Cobs dtl

end

Since the characterization of all observer functions may not be required for some data

typ es we dene a class EQ in Section in which all total and continuous functions are

observers This will allowus to sp ecify DLIST by

DLIST EQ

domain DList dnil j dcons dhd dtl DList

arities DList EQEQ

end

So wehave seen that we could also need a sub class EQ of eq with some stronger prop erties

The class EQ corresp onds to the class EQ of Spectrum The class eq oers more exibility

in the implementation of abstract data typ es we see this in Chapter The dierences

between eq and EQ are discussed in Section where these typ es classes are formally

dened

The domain construct denes constructor selector and discriminator op erations but in its current

implementation not the map functional

Cobs works also with higher order functions another p ossibilitywould b e to require the when Since is

functional to b e an observer instead of the selector and discriminator functions The when functional is

an internal higher order functional from the domain construct which is used to dene the selector and discriminator functions

HOLCF

Data typ es sp ecied by the domain construct can be directly translated into datatype

declarations in a functional programming language as Haskell or ML The precise syntax

and features of the domain construct are contained in Ohe

The data typ es used in most functional programming languages are free data typ es Some

exp eriments with nonfree data typ es were made see Tur Tho but did not b ecome

part of functional programming languages However in sp ecications nonfree data typ es

are used frequently esp ecially sets are a standard sp ecication technique Z Dil is

based on sets Since nonfree constructs restrictions and quotients are necessary for the

implementation of ADTs and hence for the development of interactive systems a supp ort

for the implementation of nonfree data typ es in HOLCF is needed Another motivation

is the lack of the typ e classes eq and EQ in HOLCF

Executability and Pattern Matching

In the developmenttowards functional programs executabilityisacharacteristic prop erty

of sp ecications which informally states that wemay directly generate program co de from

the sp ecications or execute them with an appropriate interpreter Usually co de is gener

ated since this is easier and more useful most of the time only syntactic translations are

needed than to build an interpreter for executable sp ecications

The following denition of executability also includes some nonfree data typ es provided

that all functions are executable This leaves some freedom for the implementation of data

typ es However on the nonfree data typ es pattern matching is not supp orted

Denition Executable Data Type

A abstract data typ e T C on S el D is M ap is executable if all functions in

C on S el D is M ap and are executable

A function is executable if

it is a constructor function of a free data typ e over executable data typ es

if it is conservatively intro duced by a continuous term built of executable sub

terms

If the data typ e is in a sub class of pcpo all characteristic op erations for that class

have to be instantiated by executable functions Consider the instantiation of the

continuous equality in Section as an example

In some HOLCF extensions there exists a class which provides a so called weak equality with

dxyexy However this do es not allow us to sp ecify observer functions

This excludes the typ e list The function space is not a data typ e since there is no induction

rule for it Sp ecifying an induction rule for it as in Mol would not b e conservative

CHAPTER REFINEMENTS IN HOLCF

For example an executable denition of the map functional on DList would b e

DLIST HOLCF

domain DList dnil j dcons dhd dtl DList

ops curried

DList DList b DList Map

defs

Map DList def Map DList fix Map f l

dnill If is

then dnil

else dconsfdhdl Mapfdtll

end

Note that executability do es not imply termination For example g fix f xfx is

executable but do es not terminate

Using the xed p oint constructor fix may lead to unreadable denitions and do es not use

the full p ower of functional languages since there are more elegant notations with the same

meaning As in functional languages pattern matching with nonoverlapping and complete

constructor patterns are allowed to increase usability See Har Rea Pau HR

for a more formal denition of patterns

Denition Executability with Pattern Matching

A sp ecication Th Ax of an ADT T with pattern matching is executable if

the data typ e T is free and

in the axioms Ax the patterns are complete dened for all values except

and disjoint

This allows us to translate a function dened by pattern matching into an executable

denition by a term

The requirement that the patterns have to b e complete comes from the dierence b etween

undersp ecication and From undersp ecication no axioms for f we cannot deduce

f However from the develop ers point of view it is acceptable if for all undened

patterns dummy patterns dened by are inserted by the co de generator This is realized

in the ML co de generator of executable Spectrum sp ecications in HR

Example Executable Data Type List

An executable denition with pattern matching for the data typ e DList is

HOLCF

DLIST EQ

domain DList dnil j dcons dhd dtl DList

arities DList eq eq

ops curried

Map DList DList DList

eq DList eq DList DList tr

axioms

defvars f x y s t in

DList def Map DListfnil nil Map

Map DList def Map DListfdconsxs dconsxMap DListfs

eq DList deq DListdnildnile

DList dconsxs beq DListdnildconsxsc eq

eq DList dconsxs beq DListdconsxsdnilc

eq DList eq DListdconsxsdcons yt

xy andalso eq DListst

DList eq op eq DList needs a witness inst

end

The instantiation into the class eq is essential It requires to prove the class axioms

of eq for eq DList

ML do es not oer the p ossibility to instantiate the equality It uses the canonical denition

of the equality In Haskell the equalitymay b e instantiated by an arbitrary function which

may lead to incorrect programs Our metho d gives us the p ossibility to characterize an

observable equalityforany data typ e see Chapter andtoprove that the instantiation

is correct

In BC a metho d which allows pattern matching over nonfree data typ es is presented

It works with two dierent kinds of constructors one for the construction the values and

another for destructing them with pattern matching

Predened Typ e Constructors

Many data typ es that are used for sp ecication and programming are based on primitive

typ e constructors as sums pro ducts pairs etc Therefore wenow dene selector functions

discriminator functions map functionals and a continuous equality to construct arbitrary

complex data typ es which base on these predened typ e constructors For typ e construc

tors with an arity greater than one pairs the map functional has to take more than one

function as arguments and apply them to each comp onent

For the intro duction of constants with a typ e that involves typ e constructors the Map

functionals together with discriminator functions and selector functions are needed For

CHAPTER REFINEMENTS IN HOLCF

typ e constructors intro duced with the domain construct there exist such functions The

map functional may easily be dened for such typ es by pattern matching or by the when

functional

For the predened data typ e constructors of HOLCF discriminator and selector functions

and the map functionals can b e dened as follows

PREDEF EQ

all predefined data type constructors in HOLCF in pcpo are

pcpopcpopcpo strict Sum

pcpopcpopcpo strict Product

pcpopcpopcpo cartesian Product

now Selectors and map functionals are defined

consts

selSs

disSs tr

mapSs

eqSs eq eq tr

selSp

disSp tr

mapSp

eqSp eq eq tr

selCp

disCp tr

mapCp

eqCp eq eq tr

defs

selSs def selSs s sswhen xx s

selSs def selSs s sswhen xxs

def disSs s sswhen xTT xFFs disSs

disSs def disSs s sswhen xFF xTTs

def mapSs f g sswhensinl oo fsinr oo g mapSs

eqCp def eqCp x yselSsx selSsy andalso selSsx selSsy

MODEL INCLUSION IN HOLCF

def selSp sfst selSp

selSp def selSp ssnd

def disSp s sswhen xTT xFFs disSp

disSp def disSp s sswhen xFF xTTs

mapSp def mapSp f g xjfselSpxgselSp xj

eqSp def eqSp x yselSpx selSpy andalso selSpx selSpy

selCp def selCp cfst

def selCp csnd selCp

disCp def disCp s sswhen xTT xFFs

disCp def disCp s sswhen xFF xTTs

def mapCp f g xfselCpxgselCpx mapCp

eqCp def eqSp x yselCpx selCpy andalso selCpx selCpy

instantiations

arities

eqeqeq

rules

inst Ss eq op eqSs

inst Sp eq op eqSp

Cp eq op eqCp inst

end

As can be seen from these examples the denitions of the selectors and constructors are

schematic and can easily be dened by the when functional which is provided by the

domain construct

Mo del Inclusion in HOLCF

This section denes a basis for the deductive software development using mo del inclusion

in HOLCF The renement relation we use is mo del inclusion Many of the development

situations in Section can b e expressed by conservative extension and mo del inclusion

Another deductive development basis will use a sp ecial theory interpretation as renement

relation Theory interpretations are a generalization of mo del inclusion and are presented

in Section Chapters and will compare these two bases for the deductive software

development on the implementation of the restriction step and the quotient step

The rst notion of renement in HOLCF is mo del inclusion and it can b e proved by theory

inclusion In this section we use the notion of HOLCF mo del from Denition together

CHAPTER REFINEMENTS IN HOLCF

with the satisfaction relation j from Denition as a lo ose semantics for theories as

in BWa The next section contains the ideas of theory interpretation which will be

worked out for the task of implementation of ADTs in HOLCF in the next chapters

Mo del inclusion is based on a lo ose semantics

Denition Loose Semantics of Theories

Let Th Ax be a theory then the set of all mo dels M of all Th Ax

with and Ax Ax is the loose semantics of Th if

M jAx

We write MOD Th to denote the lo ose semantics of a theory

This denition reects the intuition that mo dels with more features functions and typ es

as required in the sp ecication are in the semantics of the sp ecication With these lo ose

semantics of HOLCF sp ecications we dene a sp ecic deductive software development

basis

Denition Model Inclusion Basis

The four tuple L MOD Th is called model inclusion basis if

L is the set of all sp ecications

MODTh are the lo ose semantics

is set inclusion on the mo dels and

a c

is logical implication for HOLCF theories Th Th L dened by

a c a c

Th Th i Th Th where is the reexive closure under the syntactic

deduction relation I see Reg Section This logical implication is often

called theory inclusion

In the following we write CA instead of AC and S T instead of T S

a c

The metho d to prove theory inclusion is to derive all axioms of Th from Th with a

theorem prover We sometimes write C A for theory inclusion We now prove that our

mo del inclusion basis is a deductivesoftware development basis byshowing the prop erties

of Denition

Executable sp ecications are consistent since HOLCF is consistent and executable

sp ecications are dened conservatively

Set inclusion is transitive

MODEL INCLUSION IN HOLCF

CA is correct since the syntactic deduction relation I is correct Reg page

In addition we have

is consistency preserving and

is mo dular if the theories are intro duced by conservative extensions see Section

This simple notion of renement has an obvious disadvantage It do es not relate mo dels

and theories with nonincluding signatures In many b o oks on algebraic sp ecications

like EGL EM Wir the standard solution for this problem are homomorphisms

Denition Homomorphism

a a a c c c

Let Th Ax Th Ax be theories Then a homomorphism h is a

mapping from T to T if

a c

a a a a

holds hf t hf ht Homo for all f and all t T

j j j

This denition extends in the many sorted case to a family of mappings in the

standard way

A homomorphism is a mapping that resp ects structures but the use of homomorphisms in

software development has serious disadvantages If we use homomorphisms to relate our

theories we have to prove that the equations Homo hold For proving this we need the

a c

axioms of b oth theories Ax and Ax since b oth theories are involved h T T

a c

a a c

If the abstract axioms Ax contain a contradiction Th is inconsistent and if Th is

a c

consistent we may prove the renement with Homo of Th into Th Therefore this

renement relation is not consistency preserving since we rened an inconsistent sp eci

cation by a consistent one Therefore homomorphisms cannot b e used in this form for the

deductive software development pro cess without requiring extra consistency pro ofs

by C In equational logic the pro of of Homo is avoided by constructing the sp ecication A

as a homomorphic extension with the explicit abstraction function abs of the concrete

sp ecication and requiring that it renes the abstract sp ecication b ehaviourally However

the axiom finstantg see on page would not be conservative in HOLCF Therefore

the metho d for the implementation of ADTs in HOLCF has to ensure consistency for this

step

Another drawback of homomorphism is that they are a concept of rst order logic and

therefore they are not dened for higher order terms Theory interpretations can be

regarded as the homomorphisms for higher order logics We fo cus on them now

a c c a

Neither nor

There are further requirements from the implementation of interactive systems that make the use of

equational logic inadequate For example xed p oints cpo structures and continuous functions

CHAPTER REFINEMENTS IN HOLCF

Theory Interpretations

This section presents the concept of theory interpretation a technique to dene further

renement relations In Farb there is a theory interpretation dened for a higher

order logic This section shortly presents theory interpretation and shows why it cannot

b e applied to the implementation of ADTs for interactive systems Therefore we will dene

dierent theory interpretations for the implementation of ADTs in the following chapters

These metho ds will b e compared to metho ds based on mo del inclusion in Chapters and

The motivation for using theory interpretation is Theory Interpretation is alogical tech

nique for relating one axiomatic theory to another with important applications in math

ematics and computer science as wel l as in logic itself Farmer in Farb In rst

order predicate logic theory interpretation is a standard metho d for problem reduction

see End Sch It guarantees the solution of an abstract problem if the translated

problem can b e solved satisability The translation is like a homomorphism xed bya

sort translation and a constant translation In contrast to homomorphisms theory inter

pretations translate not only terms but also formulas with quantiers If the abstract sort

is translated into a subsort of a concrete sort the quantiers will b e relativated weakened

by a predicate that restricts the range of the concrete sort

We will use theory interpretations for the translation of equivalence classes in quotient

typ es into representing elements This allows us to develop our quotient sp ecications

into executable sp ecications in the sense of Denition Theory interpretation is a

generalization of mo del inclusion Theory interpretations are a mathematical technique and

they are used to reduce abstract problems to simpler ones guaranteeing the satisability

of the abstract problem Usually theory interpretations are dened inductively over the

structure of the terms

Denition General Theory Interpretation

a a a c c c a

Let Th Ax and Th Ax be theories with signatures

a a c c c

from T C and C then a translation or mapping T

c a

a c

Th to Th is called a theory interpretation if it is dened inductively by a sort

in the following and a constant translation C T T translation T

c c a

inductive form

GTI Const c c for constants c C

Var x x for Variables x GTI

GTI App f t f t for a function f applied to an argument

Concrete theory interpretations for the quotient step and the restriction step of the implementation are dened in Chapters and

THEORY INTERPRETATIONS

GTI Abs xt x t for a abstraction

T T T and T T are the rules which describ e how the

c c c c c

translations of the terms are comp osed to the translation of the application and

abstraction of terms For a theory interpretation the following prop erties have to

hold

a c

Correctness Th implies Th for all formulas T

c a

Satisfiability M j Ax and M jAx implies that there exists M

with M jAx

On page there is an example for the denition of the rules and These rules

are intro duced to show two dierent kinds of theory interpretations In the case that Th

has a mo del M we could dene to be the identity and we would have a trivial theory

interpretation However since we do not know the consistency of Th in the development

pro cess we dene theory interpretations which transform the abstract theories to simpler

ones which are closer to an implementation One example for such a translation is the

translation of theories with quotients into theories with representations

c b

In many cases M M can be provided by a schematic construction from Cor

rectness states that preserves correctness for all p ossible consequences of Th This

is imp ortant since if some prop erties are derived for the abstract theory from Ax these

theorems will b e required to hold in the representing theory in the translated form The

a a a

ories extending Th can b e seen as sp ecial prop erties of Th since they are based on Ax

only Correctness of those theories will b e preserved if preserves correctness

Satisfiability guarantees the existence of an abstract mo del M for Th This will ensure

a c

consistency of Th if Th is consistent

a c

In the sp ecial case where is the identityand the notion of theory interpretation

reduces to mo del inclusion The asp ect of preserving the correctness is covered by theory

inclusion and the satisability is provided by mo del inclusion which is a consequence of

theory inclusion is the identity So theory interpretation is a generalization of mo del

inclusion However the price for theory interpretation is as we will see on the examples

a more complicated form of the resulting pro of obligations to ensure the renement

Since the comp osition of mappings is a mapping and since theory interpretations are based

on mappings they are obviously a transitive metho d Satisability ensures that the rene

ment relations dened by theory interpretations are consistency preserving translates

theories like a compiler into more concrete ones and is therefore well suited for co de gen

eration It will turn out see Example that theory interpretations are not mo dular

and therefore it is a challenge to integrate them into the software development pro cess

The notion of theory interpretation for HOL was intro duced byFarmer in Farb As we

will see in an example of Farmers theory interpretation it do es not preservecontinuity and

CHAPTER REFINEMENTS IN HOLCF

is therefore not suited for the implementation of interactive systems and we will dene

our own theory interpretation in the following chapters

Farmers theory interpretation consists of a sort translation of a constant translation

which t together in the sense of typ e checking and of a restriction predicate U The

constant translation extends to higher order terms in a schematic way If the translations

full some additional prop erties which guarantee the Correctness and Satisfiabil

ity they will b e called theory interpretation These prop erties include the nonemptyness

of the corresp onding elements fx j U xg and the invariance of the representing functions

c ab with resp ect to the corresp onding elements

In Farmers logic there are typ e terms and terms as in HOL Terms may be built of

constants variables abstraction and application of typ es The extension of to these

higher order terms dep ends on the typ es of the terms

Farmer Const cc for constants c

Farmer Var x s xs for variables x

App f tf t Farmer

Farmer Abs x stxs if x then t else

Where is the extension from to typ e terms and x is a typ e dep endent predicate

calculating the invariance of the functions argument

We will not rep eat the denition of and from Farb but we will demonstrate it by

a small example where is calculated for a functional sort

Farmers theory interpretation is a general theory interpretation in the sense of Denition

is the usually application of functions and is a more complex translation

dep ending on the typ e of the involved variables

Example Farmers Theory Interpretation

In this example the abstract sort B is interpreted by a subset of N which is charac

terized by the restriction predicate isRNbool The theory B consists of

the sort B

the constants

notBB

BidBB

BcompB BBBBB

THEORY INTERPRETATIONS

BtwiceBBBB

the axioms for the functions

notF T

notT F

Bid xx

Bcomp f g xfgx

Btwice fBcomp f f

Btwice not Bid

The sorts are interpreted by

B N

The elementary constants are interpreted by

not x x

Bcomp Ncomp

Nowwe show the translation of the last axiom Btwice not Bid using the deni

tions of and Farmers rules Farmer ConstFarmer VarFarmer App and

Abs Farmer

Btwice not Bid

f BBBcomp ff x N x x Bx

f BBBcomp ff x x

x Nif isRx then x else

f NNif f then Bcomp f f else x x

xif isRx then x else

fif x Nif isRx then fx isRfx else fx

then Ncomp f f else x x xif isRx then xelse

if xif isRx then x isR x else x

then Ncomp x x x x else xif isRx then x else

CHAPTER REFINEMENTS IN HOLCF

As can be seen from this example the premise calculation of functional arguments gives a

test for all p ossible inputs The resulting function is obviously a noncontinuous function

since it tests its argument f for all p ossible inputs

Therefore applying Farmers theory interpretation to HOLCF would translate continuous

higher order functions to noncontinuous functions We prove consistency of our sp eci

cations simply by developing them into executable sp ecications for which consistency is

trivial Therefore we need to implement continuous functions by continuous functions

Thats whywe dene another theory interpretation and ensure correctness and satisabil

ity

In contrast to the rules for and Farmer App and Farmer Absour rules for

and in Section use the more complex translation for the application and the simple

translation for the abstraction Our translations preserve continuity An additional

asp ect is the treatment of typ e constructors in PF Farmers logic there are no typ e

constructors We dene our theory interpretation in a way that it also works for terms of

constructed typ es Furthermore we have to cop e with p olymorphism

Theory interpretation is like conservative extension a conservative approach but the

dierences are In conservative extension a theory is syntactically constructed b ottom

up whereas theory interpretation constructs the mo del of the abstract theory semantically

and the theory is translated to a concrete one topdown In the software development

pro cess this results in dierent programs We compare b oth metho ds in the following

chapters

Using theory interpretation in the deductivesoftware development pro cess requires to show

that it preserves correctness and satisability This will be guaranteed by showing that

the chosen theory interpretation is satisable if some invariance prop erties hold These

prop erties are additional pro of obligations in the metho d the user proves correctness and

invariance which guarantee the theory interpretation to b e satisable

In addition the noncontinuous test y is used in

A similar dierence is b etween downward and U simulation in Chapter

Chapter

Sub domains in HOLCF

The implementation of ADTs consists of two steps The restriction step and the quo

tient step The quotient step is treated in Chapter We call the development from an

abstract requirement sp ecication with a sub domain into a concrete sp ecication with a

more general typ e restriction step Restriction steps o ccur frequently in the developmentof

interactive systems see Section A renement relation for HOLCF should supp ort

the renement of restriction steps

The metho d for the implementation of interactive systems bases on the implementation of

ADTs sp ecied in HOLCF To ensure that this metho d ts well into the deductive software

development pro cess we compare metho ds based on dierent renementtechniques for the

restriction step in this chapter These techniques are

theory interpretation from Section and

mo del inclusion from Section

Therefore this chapter is structured as follows In Section the motivations for sub do

mains are given and the role of invariance for subtyp es is explained

Since theory interpretation as presented in Section do es not necessarily implement

continuous functions by continuous functions we dene a new theory interpretation in

Section that do es this The metho d for restrictions based on theory interpretation will

not be used in the metho d for the implementation of ADTs in Chapter Therefore the

reader not interested in a theory interpretation that preserves continuous functions may

skip this section with the technical correctness proofsofthe metho d

As mentioned on page mo del inclusion cannot directly relate comp onents with dierent

interfaces Therefore the metho d presented in Section constructs a new ADT and

Rening the requirement sp ecication by a sp ecication constructed on top of a concrete sp ecication

is called constructor implementation in ST

CHAPTER SUBDOMAINS IN HOLCF

requires to show that the new ADT renes the original ADT by mo del inclusion The

diculty solved in Section is to show that the new typ e has cpo structure and that

the functions op erating on it are continuous Section compares b oth metho ds with

the criteria from the development pro cess For that purp ose a small example is analyzed

Section describ es the denition of a conservative sub domain construct in Isab elles logic

HOLCF and shows by an example how this construct is used

Motivation

Subtyp es describ e a subset of values from a typ e by a restriction predicate The term

subtyping is used in typ es systems that allow us to use the subtyp es instead of the more

general typ es For example if the natural numb ers are a subtyp e of the integers then

subtyping allows us to use a function for integers also for natural numb ers A function

dened for natural numb ers is not applicable to integers values Since typ e checking for

systems with subtyping in general cannot give the most concrete typ e of a value for

example the typ e nat cannot be derived for the value of HOL and HOLCF have no

subtyping

In HOL and HOLCF subtyp es have to be intro duced as new typ es with conservative

extensions see Section A restriction predicate allows us to dene a subset of cor

resp onding values that are isomorphic to the new typ e Emb edding functions are required

for the conversions b etween the basic typ e and the new typ e With this typ e checking can

work around the problems of subtyping

For the implementation of interactive systems we need domains that b elong to the typ e

class pcpo see Section If we formulate a new typ e as a subtyp e of a domain this

new typ e is not necessarily a domain We will see that an admissible restriction predicate

suces to intro duce a subtyp e of a domain as a domain We call a subtyp e of a domain

that b elongs to the class pcpo a subdomain

In contrast to free extensions of data typ es the central idea of restrictions is that not all

values from the concrete typ e are used to represent abstract values There is a subset of

concrete values that corresp ond to the abstract values which may be dened by

Denition Corresponding Elements

Let T be the required typ e and T be the implementing typ e then the

a c

corresp onding elements for a restriction predicate p are

ft j ptg

The other values of are called noncorresponding elements

MOTIVATION

abstract typ e

isomorphism

concrete disR xe x

typ e

Figure Preserving Function

An interesting asp ect of subtyp es is the denition of functions on the subtyp e If we have

functions for the conversions then we call the function from the concrete typ e into the new

subtyp e the abstraction function and the inverse function the representation function The

representation function is dened for all values in the new typ e whereas the abstraction

function is only partially dened for those values fullling the restriction predicate see

Example With the these functions we can lift functions from the concrete typ e

to functions on the new subtyp e However this will only be well dened if the concrete

functions do not leave the subset of corresp onding values Those functions are called

preserving functions The restriction predicate is invariant under preserving functions

a a

To illustrate invariance we cho ose the most simple case that the function f fc g is

of the typ e and the restriction predicate p is of typ e bool The invariance of

c c

p for the corresp onding function f fc g is xp x pfx It is shown in Figure

c c

A nonpreserving function f would leave and therefore the results of f could not

be translated by the isomorphism The corresp ondence between the required typ e and

is established by an isomorphism The main dierence between theory interpretation

and conservative extension is the form of this isomorphism In theory interpretation the

isomorphism is split into a mapping on theories and a reverse mapping on mo dels whereas

in conservative extension two functions abs and rep are syntactically intro duced for this

isomorphism

In the restriction step the corresp onding op erations c have to b e preserving The metho d

for implementation of ADTs requires to prove that the functions are preserving Therefore

preserving op erations have to be chosen for the corresp onding op erations Invariance will

also hold if the restriction predicate is stable with resp ect to the corresp onding op erations

Section explains this more detailed

CHAPTER SUBDOMAINS IN HOLCF

Theory interpretation and mo del inclusion are illustrated by the following example on which

aschematic translation b etween two comp onents communicating over b o olean values could

be based

Example Restriction Step

The requirement sp ecication Th is

BOOLEAN DLIST

types B

arities B pcpo

ops curried

T B

F B

Band B B B cinfixl

Bnot B B

c B DList a constant

rules

Band T Band x x

Band F Band x F

Bnot BnotF T

Bnot BnotT F

defs

c def c Map DListBnotdconsTdc ons Fdn il

induction rule

generated finite B by T j F

end

Of course tr could have been used instead of B but BOOLEAN is used to present the

requirements together in one sp ecication

The implementing sp ecication Th is

NAT DLIST

types N

arities Npcpo

ops curried strict

Zero N

One N

succ N N

isB N tr

defs

one One succZero

isB def isB xN is Zerox orelse is Zerox One

MOTIVATION

induction rule

generated finite N by Zero j succ

end

To illustrate the Correctness prop erty of our theory implementation we lo ok at

the formula which follows from BOOLEAN

unique fB B xB fx Bnotx

The translation of this formula has to b e valid in the concrete theory

The other rules for the domain of N and for are omitted They could easily be

dened by the domain construct The desired implementation is

B N sort implementation

T One

F Zero

Bnot xN One x

Band xN yN If is Zerox then Zero else y fi

The restriction op eration is isB

The corresp onding values N are f ZeroOneg

An implementation of Band bywould violate the invariance of the implementation

of Band since isBOne One is false An implementation of Band by is p ossible

if we build a quotient construction on N identifying all values greater than zero

Quotient implementations are presented in Chapter

a a a

In this chapter we implement an abstract ADT T Con Sel Dis Map

a a a a a a c

sp ecied in a theory Th Ax C by a concrete typ e S Con

c c c c c c c c

Sel Dis Map sp ecied in a theory Th Ax C To cut down

a a a

notations we write fc g T for the set of all abstract op erations Con Sel

c a c

T g for the sets of corresponding operations c Dis fMap g and fc

i i

Since the quotient step is treated in Chapter the implementation of T by S consists in

this chapter of

T A sort implementation where T

c a

a c a a

A constant implementation c c for all c fc g

i i i i

The continuous equality do es not need a sp ecial treatment for restrictions and is therefore omitted

in this chapter

The c stands for constants Note that in HOL a function is a higher order constant

CHAPTER SUBDOMAINS IN HOLCF

A restriction predicate p of the form p xx disRxe where isR isacontinuous

restriction predicate dened in Th

The restriction predicate uses a continuous function isR of typ e trwhichisTT for all

values of the sub domain except Thus isR characterizes a sub domain Requiring the

restriction predicate to have this form do es not allow to express arbitrary subtyp es as for

example in HOL GM Mel but it ensures that the subtyp e has a cpo structure Since

ADTs are sp ecied with discriminator and selector functions there are many op erations

available to construct a restriction predicate In Section weweaken this restriction and

require only the admissibility of the predicate characterizing the sub domain However for

the comparison of theory interpretation and mo del inclusion we need isR

Now two metho ds for the implementation of the restriction step are presented Their

comparison is in Section

Theory Interpretation

This section presents the rst metho d for the restriction step of the implementation This

metho d is based on theory interpretation which in contrast to the theory interpretation

presented in Section interprets continuous functions bycontinuous functions and hence

could b e used for the development of interactive systems However the metho d presented

in the next section which is based on mo del inclusion is b etter suited for the deductive

software development pro cess and it will b e used in the metho d for the implementation of

ADTs in Chapter Therefore the reader neither interested in the comparison of the two

metho ds nor in a theory interpretation which maps continuous functions to continuous

functions may skip this section since it contains some technical details not needed for the

implementation of interactive systems

This section denes a sp ecial theory interpretation for the restriction step of the imple

mentation by dening a constant translations a sort translation and by giving rules for

the inductive translation of terms To show that this sp ecial theory interpretation is well

dened in the sense of Denition on page we have to ensure that the following

prop erties hold for our theory interpretation

Correctness

Satisfiability

The rst requirement is a pro of obligation for the user From our denition of mo dels it

follows that it suces to prove all axioms Ax instead of all formulas We fo cus on the

Since wedonotwant to exclude strict functions we do not require isRepTT

To compare the metho ds more precise b oth are presented

THEORY INTERPRETATION

concrete

abstract

M M

mo dels

a a

Th Th

theories

Figure Satisabilityin HOLCF

sp ecial formula unique from Example to demonstrate the normalization see Section

To ensure the second requirement satisability of theory interpretation is our task

in this section It will turn out that this can b e proved only under some assumptions that

restrict the form of the sp ecication The metho d for the implementation presented at

the end of this section guarantees this restriction since it emb eds the implementation into

the pro cess of deductive software development

Since our theory interpretation do es not restrict functions for reasons of continuity see

page the mo del construction of M is dierent from the construction used in Farmers

work The mo del construction is depicted in Figure

a c c

Theory Th is translated into Th but only a part of Th is needed This is mo delled by

c a

a restriction of M to a restricted mo del M that contains the semantics of Th This

reduct is equivalenttoM The pro of of satisability pro ceeds as follows

Denition

Denition M

a a

Theorem M Th M Th

Denition M

a a

Theorem M jTh implies M jTh

The new idea of our theory interpretation is that it checks the arguments of a function at

the application and not at the abstraction This results in a simple translation rule

CHAPTER SUBDOMAINS IN HOLCF

and a more complex translation rule of the general denition of theory interpretation

see page Since calculating the restriction predicate for the argument of a function is

continuous no quantication continuous functions based on continuous terms remain

continuous This trick can be understo o d as some kind of additional typ e checking in the

concrete theory Since the values of the abstract and the concrete typ e are represented by

the same typ e the application guarantees that only typ e correct values are given to the

functions

However things are not so easy since the semantics is dierent In Example the

identity op eration on B is translated into the identity on N This is correct for all applied

o ccurrences of the identity but using the semantics in a nonapplied form causes troubles

Consider the formula

Bool Id f f fT T fF F

It states that there exists only one identity function on B and its translation should b e true

in N Expanding the denition of xpxxpx ypy x y shows that the

semantics of f is directly used since they are compared by to the semantics of another

function

The rst solution would be to translate the application of the equality of functions

fg by extensionality into xfx gx b efore applying the theory interpretation

However this cannot be done since some predicates as in the example are dened

p olymorphically and therefore the typ e dep endent premise cannot be calculated for all

instances correctly This problem do es only o ccur in predicates since is a noncontinuous

function and therefore it must not b e used in op erations

So the application of our theory interpretation would b e restricted to theories that contain

no p olymorphic predicates applied to functional terms This would b e a handicap since one

loses expressiveness but the pro cess of deductivesoftware development provides a remedy

it requires at the stage of the requirement sp ecication that all predicates describing the

systems b ehaviour are xed Since predicates should be dened conservatively to ensure

consistency see page there exists a dening term for the predicates Replacing the

p olymorphic predicates applied to functions by their denition in a normalization step

ensures that our theory interpretation can be applied see Section

Based on a sort translation and a constant translation the term translation is dened

Sort Translation

In order to dene the implementation by theory interpretation formally it is necessary to

have a translation from sort terms of the abstract requirement sp ecication Th to sort

terms from the concrete sp ecication Th

THEORY INTERPRETATION

Denition Sort Translation

Let T be an abstract sort and T be a concrete sort then the sort

a c

translation T T is dened by

a c

if is atyp e constant

t t if is a typ e constructor with variables unied by the typ e

i i

terms t

tc t tc t if tc

n i n i n

if isavariable in

We call the corresponding sort to

In Example the sort implementation B N can be mo delled by the following sort

translation by B N This translation can be applied to arbitrary sort terms of the

abstract theory For example listB list N

To cut down notations we use only translations which translate one sort since we would

need a dierent restriction predicate and dierent premises for every implemented sort

translates the abstract sort terms to concrete sort terms and leaves the other sorts

unaected To ensure that this denition is well dened we need the requirement that the

a a a c

sort constructors ftc g of Th are contained in the sort constructors ftc g f g of

j j

Th and This is only a technical restriction to make the formalism more readable since

may b e iterated

Constant Translation

In order to dene the implementation by theory interpretation formally it is necessary

to have a translation from constants of the abstract requirement sp ecication Th to

corresp onding terms from the concrete sp ecication Th Since constants of functional

typ e are functions in HOLCF not only constants of the sp ecication but also functions

can be implemented with this denition of constant translation

Denition Constant Translation

a a c

concrete terms then the constant Let c be abstract constants and c T

i i

translation T is dened by

a c

Corr c uc u

i i

a a

Else c c for all c c fc g

For the transitivity of our renement relation we need the implementation of many sorts but for

practical applications it is not relevant since the implementation may b e rep eated

CHAPTER SUBDOMAINS IN HOLCF

c a

The c are called corresponding constants of the c The constant translation has

i i

to resp ect the sort translation ie the typ es of the corresp onding functions have to

equal to the results of the sort translation of the typ es of the abstract functions This

restriction ensures that the translated theory is typ e correct

translates the implemented constants to corresp onding terms and leaves the other con

stants unaected To ensure that this denition is well dened we need the requirement

a c

that the nontranslated constants of Th are contained in the constants from Th This

a c

can be formulated as all constants from Th that are not in Th have to be translated

by Conservatively dened constants can b e translated by translating their denitions

Sort translation and constant translation are xed by the user of the implementation

metho d In Example the implementation would be

B N sort implementation

T One

F Zero

Bnot xN One x

Band xN yN If is Zerox then Zero else y fi

Since c is dened conservatively it do es not need to b e translated by

The constant translation resp ects the sort translation in the example therefore the trans

lated theory is typ e correct

Term Translation

On the basis of the sort translation and the constant translation we can complete the

denition of our theory interpretation by xing the term translation For the translation

of the application of terms we need a premise which ensures the invariance The premises

are a generalization of the restriction predicate isR to the case of arbitrary sorts and sort

constructors In order to have a continuous restriction op eration the premise has to be

equal to TT for all corresp onding values except and FF for the other values

Denition Premises

Let isR tr b e the continuous restriction predicate of the implementation of the

restriction step on Then the premise T T tr is a translation

a c

which pro duces for an abstract sort term T a continuous representation

predicate of typ e tr The denition of the translation is

In the inductive Denition on page and are not xed

THEORY INTERPRETATION

Var xTT if is a variable in

FFun s txTT

TC Rep

t xcases dis x and sel x and isR x

i m j n i ji

tc t xcases dis x and sel x if tc

i m j n i ji

Where m is the numb er of dierent constructors and n are the numb ers of selectors

for each constructor and are the restriction predicates of the sort of the selectors

result typ e If the selectors result typ e is the same as its argument for example for

recursive typ es the xed p oint construction would have to b e applied

Functions have no premises They are checked when they are applied to arguments There

fore op erations remain continuous Obviously the resulting premises are continuous func

tions Therefore wemay use instead of for the application of op erations and T

tr instead of T tr Premises are typ e dep endent and can therefore not be formal

ized as a function in the logic HOLCF The premise translation is part of the metho d and

can b e done automatically No user input is necessary The premises characterize all values

that corresp ond to abstract values For premises the following theorems can b e derived for

arbitrary typ e terms s t T

CFun s txTT

Con xisR x

Rest t xTT if the typ e do es not o ccur in the typ e s

The following example shows the calculation of premises for recursive typ es

Example Premise for Recursive Types

The recursive typ e of nite lists is sp ecied with the domain construct by

domain DList dnil j dcons fst rst DList

Now the premises are calculated for Example

B DListdnil TT

B DListdconsxs and Bx B DLists

The premise for B DList is a recursive function It may for data typ es without

pattern matching b e expressed by the following xed point formulation

There is no principal diculty in it therefore this case is only treated in Example

CHAPTER SUBDOMAINS IN HOLCF

B DList fix P lIf is dnill

then TT

else and isBfstl Prstl

So all elements of a list are checked by the premise calculation

Based on the premise the term translation can be dened

Denition Term Translation

Let be sort constant and premise translations Then the term translation

T T is dened by

a c

a a

Con c c

i i

Var xu x u for variables x

Eq ab ab

Abs xut x u t

App f t upcpo fIf u t then t else fi

Rest f tu f t if u is not in pcpo

The premises are tested when functions are applied to arguments This ensures that the

translation of applied terms do es not leave the set of corresp onding values Therefore

it is not necessary to require that any term o ccurring in the sp ecication is preserving

This term translation is dened on arbitrary HOL terms The following theorems can be

proved by expanding the denitions of the HOLCF constants

if f is continuous then f is also

x ut x u t

f tu If u t then f t else f fi

t u t u if do es not o ccur in u

As an example for the pro of consider the pro of of

THEORY INTERPRETATION

x u t v x u t

x u t v

Syntax fabs xt

App fabsIf uv xt then xt else fi

FFun fabs xt

Con fabs xt

else fabs xt

Abs fabs x ut

Syntax x ut

Since continuous functions are translated as general functions and therefore remain con

tinuous we ignore the dierence and use op erations instead of functions whenever it is

appropriate

Two interesting facts can be derived in HOLCF since the quantiers are dened in

HOLCF as constants For all typ es u in pcpo

x upx x u d uxe px

As an example consider the pro of of the rst fact

x u px x u d uxe px

x u px

Syntax xpx

Def xpx xTrue

Eq xpx xTrue

Else xpx xTrue

Abs xpx xTrue

App xIf u x then px else p fi xTrue

Var xIf ux then px else p fi xTrue

DefSyntax xIf ux then px else p fi

if xd uxe px

These theorems corresp ond to Farmers denitions of relativations in his theory interpre

tations Farb

CHAPTER SUBDOMAINS IN HOLCF

One requirement for the correctness of theory interpretations in our approach is the invar

iance of the restriction predicate with resp ect to the corresp onding op erations

Invariance and Preserving Functions

A function is called preservingif isinvariant with resp ect to the function Invariance

is necessary to show that the reduct of the mo dels suces to dene the semantics of

translated terms Informally invariance of the restriction predicate of the corresp onding

op erations means that the results of the op erations that are used instead of the abstract

ones do not leave the set of corresp onding elements see Figure on page

In the case of term translations with premises this means that the premise holds for the

translations of all elements So it is imp ortant that the restriction op eration isR ts to

the corresp onding op erations see Section for this asp ect

The aim of this section is to give syntactic verication conditions that ensure that the

invariance holds for all p ossible terms First a denition of invariance is needed

Denition Invariance and Preserving Function

a c

For a term translation with from Th to Th the invariance pro of obligation

for a functional term is dened by

Invariance M Invf u T for all f T where

Inv Def Invf s s

x x f x where

j s j s j j

Def xx d sxe

A function f that fulls Invf is called preserving

It is obvious that the application of two preserving terms gives an preserving term

Term Invt Invt Invt t Inv

is intro duced in addition to in order to allow a continuous realization of the premise

op eration For reducing the invariance pro of obligations to all representing constants we

require that invariance holds for all variables This is ensured by our metho d

The invariance requirements for the user of the metho d can be generated automatically

from the typ e of the abstract constants c The metho d for the implementation see

Section requires the pro of of these pro of obligations The user has to resp ect them

when cho osing the representations for the required op erations and constants see Section

THEORY INTERPRETATION

Denition Invariance Requirement

a c

For a term translation from Th to Th with premise the invariance requirements

are dened by

Inv Fun M x x c x T

j j s j t j

a a c

for all c s s t with c c

i i i

In the sp ecial case of simple constants this means

c c a

Inv Con M d tc e c T for all c t and

i i i

In Example the invariance requirements are

for T M d isBOneeOne T

for F M d isBZeroeZero T

for not M xd isBxex disBOne xeOne x T

for and M x y x y If is Zerox then Zero else y fi T

B B B

where x disBxe x

The invariance pro of obligations may reduce from to if the corresp onding constants

are dened

Nowitisshown that terms resulting from the translation of abstract terms are preserving

the invariance

Thm Theorem Inv

a c

If is a term translation from Th to Th with premises and invariance Inv

then

M Invt T for Inv x for all x

Pro of

t c M Invc

Inv Con T

t x M Invx

Hyp T

CHAPTER SUBDOMAINS IN HOLCF

t f vuz M Inv fz

App M Inv fIf v zthen z else fi

case v z M Inv f

Inv Term M Invf Inv

IHyp T

case b vzc M Inv f

Inv Term M Invf Inv

IHyp T

case d vze M Inv f z

Inv Term M Invf Invz

IHyp T

t xf v w M Inv xf

Abs M Invx f

Def M x f Inv

v w

x Inv x

IHyp T

So the invariance of the restriction predicate with resp ect to all corresp onding terms can

be guaranteed if the representing constants are preserving

Thm follows From Inv

Def True M d s t se t T

This expresses the inability to write abstract terms for which the translation is dened

but whichhave no corresp onding value In Example this means that we cannot write

a term in BOOLEAN that corresp onds to

The next step is to give the normalization which ensures that the axioms of the abstract

sp ecications are satisable

Normalization

Toshowthatwe dened a theory interpretation in the sense of Denition wehaveto

prove satisability The pro of of satisability is only p ossible for a restricted class of axioms

THEORY INTERPRETATION

Normalization transforms almost all axioms to this form The same problem arises

when the semantics of functions is dened only for applied values which simplies many

semantics see BFG aBFG b for an applied semantics denition of a parametrized

sp ecication language In contrast to this purely algebraic question the implementation

of ADTs is a part of the deductive software development pro cess This pro cess ensures

that all axioms are of the right form when an implementation step is p erformed

As an example of the necessity of normalization consider the identity on the abstract sort

It should b e uniquely dened This can be expressed by

Bool Id f f fT T fF F

This holds in BOOLEAN but translating this formula to NAT

Nat Id f f fOne One fZero Zero

gives an incorrect rule since f is not xed on the other values The reason is that uses

the semantics of function f and compares it directly to other functions Expanding the

denition of xpx xpx ypy xy yields

Bool Id ff fT T fFFgg gT T gFF fg

The translation of this formula

Nat Id ff fOne One fZero Zero

gg gOne One gZero Zero fg

would not hold in NAT since there may be a lot of other functions g that are not equal

Eq of uses the functions directly without applying them to f The semantics Sem

Normalizing with the extensionality of functions from HOL fg xfx gx

gives

Bool Id ff fT TfF F

gg gTT gF F xfx gx

Since now the op erations are compared by comparing their result on all input and since

these applications are translated by the result of the translation is the following formula

Nat Id ff fOne One fZero Zero

gg gOne One gZero Zero

xIf isBx then fx else f fi If isBx then gx else g fi

CHAPTER SUBDOMAINS IN HOLCF

The requirement for this normalization is that all o ccurrences ofbetween op erations on

the abstract typ e can be eliminated This requires to have normalizations for all p oly

morphic predicates that may b e applied to abstract op erations In op erations the identity

cannot be used since this would violate continuity

For all predicates that are intro duced conservatively the normalization corresp onds to an

expansion of the predicate denitions In the early phases of software engineering with

sp ecications it may be useful to describ e predicates abstractly in a nonconservative

way by axioms However in the rst phase of the deductive software development pro cess

it is necessary to rene the predicates into a precise requirement sp ecication and to give

an explicit conservative denition of those predicates to allow a comp ositional renement

Since the implementation of interactive systems b elongs to the design and realization phase

in software engineering the requirement of conservative denitions for p olymorphic predi

cates on implemented op erations is no handicap for the metho d of implementing ADTs

Normalization ensures that the sp ecication is in the right syntactic form to successfully

apply theory interpretation The metho d for the implementations with restrictions in

Section checks these requirements automatically

Denition Normal

A theory T Ax is called normal if

no p olymorphic predicates are applied to op erations in Ax

Esp ecially no op erations are compared by eg xx

Denition Normalization

The pro cess of replacing p olymorphic predicates on continuous p olymorphic functions

by their denitions is called normalization For normalization it is required that the

p olymorphic predicates are explicitly dened in the way of a conservative extension

p xqx Normalization in addition uses the extensionality of op erations

Norm Ext fstg xs fx gx

A sp ecication which has only conservatively dened p olymorphic predicates is called

normalizeable

Since HOLCF is conservative for all predened predicates in HOLCF such a denition

exists For example

Norm Delta f f

THEORY INTERPRETATION

Norm Neq f g fg

Norm Ex xpx xpx ypy xy

Normalization ensures that no op erations are compared by Therefore for normalized

theories it suces to dene the semantics when op erations are applied

Denition Applied Semantics

According to Denition of mo dels the semantics of a functional term f

is used when

f is compared by to another functional term

f is an argumentofafunction xz then the semantics of xzf is M z

f x

The semantics of f is stored in the valuation and maybe used in z

f is under a abstraction F xf then the semantics is used when the

semantics of F is used

f is applied to an argument t Then M f t M f M t the seman

tics of f is real ly used for a given argument

Ext so it suces to dene the Normalization eliminates case by applying Norm

semantics of abstraction only for p ossible arguments

NormalAbs M xf f where f a fM t g M f

This is a partial denition Since this semantics is used for translated theories all arguments

have to be translations of abstract terms corresp onding elements The dierence to

Int Abs see page is only imp ortant when the semantics of function is really used

which is only the case when functions are compared by Normalization ensures that this

is not the case

Reduct of Mo dels

In Farmers theory interpretation it is easy to giveamo del which allows us to show satis

ability since the logic has subtyp es which maybecharacterized by arbitrary predicates

Therefore the required mo del is simply characterized by the subtyp e dened by the re

striction predicate In HOLCF we do not have such subtyp es in the mo dels Therefore

we build a reduct from the general mo dels

The key idea of the pro of of satisability is that not all terms in Th are needed The

term translation generates only a subset of values in Th It translates constants to

CHAPTER SUBDOMAINS IN HOLCF

corresp onding constants and the invariance of the corresp onding functions ensures that

some terms cannot be reached by the translation In Example one cannot write a

term in BOOLEAN that corresp onds to the natural number Therefore we do not need

the semantics of in the pro of of satisability and we restrict our mo dels to mo dels of

corresp onding terms However things b ecome a bit more complicated since for example

the semantics of xBx do es not corresp ond to the semantics of x Nx Therefore

the general denition of reduct is needed It is based on the following denition

Denition Reduct of Type Models

Let be the premise of a term translation and let TM be atyp e mo del and s T

be the restricted data typ e then the sreduct of the typ e mo del TM is dened by

TM PU TC where

js js

PU fX j X PUg where

js js

fx X jd sxe xg if TMs X

X else

Since PU is closed under nonempty subsets TM is well dened

This typ e restriction dep ends on the typ e s This is used to restrict the mo dels selectively

This means that typ es that corresp ond to abstract typ es are only restricted when they are

used for representation of abstract values The typ e mo del restriction is so constructed

that for the interpretation of typ e terms for reduced typ e mo dels the following equivalence

holds

TM TM s fM t s g

j js

Thm In Example the typ e of N is only restricted when The pro of is based on Inv

it is used to represent b o olean values TM N f Zero Oneg but TM N N

jB jN

The reduct of mo dels dep ends also on agiven typ e

Denition Reduct of Models

Let TM be a reduct of a typ e mo del Then the sreduct of the mo del M dened

js js

Red Con M c M c for c

Red Var M x M x for x

Red App M f stz M f M z and

js jst js

Abs M xz f where f is the by extensionality exactly Red

jst

xed function f a TM s M z

js jt

THEORY INTERPRETATION

The reduct is well dened for all translated terms since they are preserving and therefore

the application of a function to an argumentis of the restricted typ e

With this denition the semantics of op erations is reduced to the corresp onding elements

The reduct restricts only corresp onding functions In Example the identityon N that

corresp onds to the identity on B is reduced to an identity which is only dened for corre

sp onding natural numb ers whereas the identity on natural numbers remains unaected

With this reduct the restriction is dened as an additional typ e among other typ es of the

implementing theory

The rst theorem states that the semantics of translated terms are the same as the reducts

of the semantics of translated terms Exactly this is the aim of the denition of reduct

Then next step in Denition is to construct a mo del for the abstract sp ecication

to show the satisability

Theorem Reduct

a c c

If is a term translation from Th to Th and M a mo del of Th then

M t u M t

Pro of

t c M c

Red Con Con M c

t x M x

Red Var Var M x

t f stz M f z

App M f If sz then z else fi

case sz M

Con M Red

case bsz c M f

Red App M f M

jst js

IHyp M f M

case dsz e M f z

Red App M f M z

jst js

M z IHyp M f

CHAPTER SUBDOMAINS IN HOLCF

t x sf M xf

jst

Abs M x f

jst

Abs f a TM s M f Red

js jt

IHyp f a TM s M f

TM f a fM z s g M f

NormalAbs M xf

This is a structural induction pro of that resp ects all cases of terms The interesting case

is the case of the abstraction In this case the normalization NormalAbs plays an

imp ortant role It guarantees that the semantics of restricted functions is equal to semantics

of unrestricted functions for all normalized translated terms

Mo del Construction

For satisabilityit is necessary that for every theory interpretation an inverse mo del

construction exists This mo del construction extends the mo dels M of the concrete theory

byintro ducing a new typ e as in Section and new constants conservatively The main

dierence to the usual conservative extensions is that we givea scheme as a metho dical

help for intro ducing the corresp onding constants which ensures that they have the typ e

required from the abstract constants In this section we use this scheme only on the level

of mo dels but in Section this scheme is used on a syntactic level to explicitly intro duce

op erations This scheme works also for typ e constructors and higher order functions and

it can be computed automatically from the typ e of the abstract constants

First the typ e mo del is dened

Denition Type Model Construction

Let be the abstract sort and T the corresp onding concrete sort term

then the typ e mo del construction TM for a concrete typ e mo del TM PUTCis

dened by

TM PUTC f g where

fx TM j x d x eg

Since the denition of is equivalent to the Denition of reduct of typ e mo del the

following holds

TM Equal TM v TMv

TM Red TMv TMv

THEORY INTERPRETATION

As in Reg Section for the new typ e abstraction and representation functions are

dened to relate the new typ e with the other typ es

Denition Embedding Functions

Let be anew typ e then the emb edding functions are dened

Def abs by Abs

y if y d y e

absy

else

Rep Def rep by repy y

Since the subset predicate for the typ es is selected carefully we can show using the

admissibilitythat is a p cp o and that abs and rep are continuous

From the denitions it can b e seen that the representations are preserving

Rep repx u

where is the same abbreviation as in Def from Denition

Based on this emb edding op erations the scheme for the intro duction of constants can be

dened It works for arbitrary terms including functions and other data typ e constructors

For the intro duction of constants with a typ e that involves typ e constructors the map

functionals together with constructor functions and selector functions are needed They

are dened for basic typ es in Section and for new typ es the functions may b e dened

schematically with the when functional from the domain construct for the conservative

intro duction of data typ es

Denition Construction Scheme

Let b e a term translation Then the construction scheme T T T for

a c a

agiven target typ e and a corresp onding constant is dened by

Var tt for x

Fun f x a f x

ab b a

Tau t abs Map y t y t

i t

y t if tc TC y t tMap

i t

tc t

Since abs is continuous the resulting function for every typ e index is continuous

The continuityof abs requires isR to b e total See page for more details

CHAPTER SUBDOMAINS IN HOLCF

c a

This scheme do es the lifting from the corresp onding terms c to abstract functions c

i i

It is a typ e dep endent scheme and allows us to lift functions of arbitrary higher order

typ es The lifting of concrete functions to abstract functions requires a representation of

the arguments and an abstraction of the result The abstraction is supp orted by and for

the representation we have a dual construction which maps to representing values

Denition Dual Construction Scheme

Let be a term translation Then the dual construction scheme

T T T for a given target typ e and a corresp onding constant is dened

a a a

Var tt for x

Fun f x a b f x

ab a

Tau t rep Map y t y t

i t

TC y t y t if tc tMap

i t

tc t

Since rep is continuous the resulting function for every typ e index is also continuous

This scheme do es the representation from abstract to corresp onding values As on page

it maybeproved that the continuous abstraction is constructed bythescheme in a con

tinuous way In the following we therefore apply the construction directly to continuous

functions

Obviously for any abstract typ e and any concrete constant the schematically generated

function is continuous since abs rep and the map functionals are continuous

With the schemes and it is easy to construct the abstract mo del for any translation

The idea of the schemes is to build abstractions and representations for all terms For

terms constructed by typ e constructors the map functional is used to reach all subterms

Denition Model Construction

Let b e a translation and M C a concrete mo del Then the mo del construc

tion is dened by

b d

M TMC fabs repgfc g

c b

In the following we use M instead of M

The interpretation for abs and rep is abs and rep from Denition The interpretation

for the abstract constants with the schemes is based on abs rep and on the interpretation

of the corresp onding constants

THEORY INTERPRETATION

Int abs M abs abs

Int rep M rep rep

a a c

c c

c M c uM c Int

i i i

The interpretation of terms in M is as in Denition With this the interpretations in

Example are

c c c

M not M not M xabsOne repx

M Map DListnotdconsTdnil

M Map DListBnotdconsTdnil

B DList

M Map DList xabsxMap DList xOne xdconsOnednil

Note that the construction schemes construct only the semantics and do es not intro duce

the constants syntactically as in the conservative extension in Section

For the pro of of satisabilitytwo general theorems over and are necessary

Theorem Thm

Let be a translation with and invariance Inv and as in Denition

and the construction scheme of Denition then

Invt u implies M t M t

u ju

The induction pro of go es over the typ e structure of u since and dep end on it

Pro of

t M t u

Hyp Invt

Inv Def t

Def d t te t

TC Rep dx cases dis xand sel x andisR x te t

m j n i ji

beta cfun dcases dis t and sel t and isR tet

m j n i ji

For that j with ddis t e j

CHAPTER SUBDOMAINS IN HOLCF

M odP on dand sel jit and isRt e t

and Def d sel jit edisRt e t

Def sel t disRt e t

i i ji

Inv Def Invsel t

i ji

model s M t

Tau M abs Map x xt

For that j with ddis te

Map x xsel t MapCon M abs con

y ji j

c c c c

Int M sel t App M abs con M Map M x x

ji j y

c c c

IHyp M abs con M Map M xx M sel t

j ji

MapId M abs con M sel t

j ji

sel t IHyp M abs M con

ji ju j

ConSel M abs M t

DefHyp M t Abs

u tct anal og to t

i i

u ab M t

a b

Fun M x t x

b a

d c

Int Abs f c TMa M t x

b a

TM Equal f c TM a M t x

b a

Thm f c TM a M tx

and Invx

Inv TermHyp Invtx

IHyp f c TM a M tx

ja jb

Int Abs M t

In the pro of there are the schemes and that have an argument written as an index

The index is chosen dep ending on the parameters result typ e In the example sel x

i ji

THEORY INTERPRETATION

the index i of is chosen such that it ts to the selectors result If sel is of typ e

ji i

then i is that value with i In the same way the Map dep end on the typ e

In the rst case u t the assumption that there exists a j with ddis te is valid

i j

since is an ADT The application of Inv Def uses the fact that the selectors are total

SelTotal on the representing values This is no restriction since ADTs are not lazy

It is obvious that the application of map functional makes only sense for nite ones since

it would not terminate for innite lazy data typ es So this theory interpretation works

only for nite data typ es

The next theorem complements the previous

Theorem Thm

Let be a translation with premises and and the construction scheme of

Denition then

c c

M t u M t and Invt

The induction pro of go es over the typ e structure of u since and dep end on it

Pro of

t M u t

Tau M rep Map x xt

For that j with ddis te

Map x xsel t MapCon M rep con

y ji j

IHyp M rep con Map xx sel t

j ji

sel t MapId M rep con

ji j

ConSel M rep t

Rep M rep t and rep t

Inv Def M rep t and Invrep t

Rep Def M t and Invt

For that j with ddis te

u tc t anal og to t

i i

For that j with ddis te j

CHAPTER SUBDOMAINS IN HOLCF

u ab M t

a b

Fun M x t x

b a

d c

Int Abs f c TMa M t x

b a

TM Red f c TMa M t x

b a

NormalAbs f c fM z g M t x

b a

Inv Thm Invc

d c

Thm f c TMa M tx

d c

and Invtc IHyp f c TMa M t x

d c

Inv and Invt Def f c TMa M t x

Abs M xtx and Invt Int

Ext M t and Invt

With these theorems we can prove the main result of this section the satisabilityof

Theorem Satisfiability Thm

a c

If is a term translation with from Th to Th Inv is the invariance and

c a

M j Th then for all axioms a bool Ax

if for all x x xand Inv x M a M a

Since Theorem it suces to prove M a u M a

Pro of

a a

t c M c

i i

Con Corr M c

Con Thm M c Inv

a a

M c Int c

i i

THEORY INTERPRETATION

t x M x

Var M x

Var M x Red

Int Var x

Hyp x

Int Var M x

t xz v w M xz

jv w

Abs M xz

jv w

Red Abs f c TM v M z

jv jw

M z IHyp f c TM v

d c

Equal f c TMv M z TM

Int Abs M xz

t f v uz M f z

App M f If uz then z else fi

cases u z z

if M f z

Red App M f M z

jv u jv

Inv Thm Hyp Inv f and Invz

c c

IHyp M f M z

True is impossibl e case b u zc Def

d u ze if M f z

Red App M f M z

jv u jv

Inv Thm Inv f and Invz

c c

IHyp M f M z

Now the results are combined and we gain a metho d for the restriction step

CHAPTER SUBDOMAINS IN HOLCF

Metho d for the Restriction Step

To nd a metho d for the restriction step we collect all assumptions required by the theorems

and put them together to a metho d The general scheme is dened for an abstract theory

a a a c c c

Th Ax and a concrete theory Th Ax

Check if the theory Th is normalizeable and normalize it

a c

Dene a term translation from Th to Th including

Check the translation syntactically typ e check etc

Generate pro of obligations

Prove pro of obligations

Generate co de

Optimize co de

In the case of implementing an ADT by theory interpretation the concrete steps are

The rst step is to check if normalization is p ossible It requires that all p olymorphic

predicates that are used in the sp ecication are dened conservatively This can

be done automatically As mentioned on page the software development pro cess

ensures that normalization is p ossible

In the second step the user of the metho d has to x

the abstract sort T

the corresp onding sort T

the restriction predicate isR tr

a a

the abstract constants c and

c a

the corresp onding constants c T for all c

i i

The translation is checked

Typ e correctness for all c u the typ e of the corresp onding constants has to

be c u

The sorts have to b e data typ es pcpo and pcpo

a c

All constants of Th n Th except the conservatively dened ones have to be

implemented by

a a

g of Th are contained in the sort constructors All sort constructors ftc

c c

g f g of Th ftc j

THEORY INTERPRETATION

These tests can be p erformed automatically

The pro of obligations are

The correctness preserving of see Denition for all abstract axioms

a c

ax Ax prove the translation Th ax

The invariance which is needed for satisability

c c

Th x x c x

j j s j t j

for all c s s t

The pro of of the pro of obligations has to be done by the develop er It can be

completely proved within HOLCF

It is p ossible to generate co de if the corresp onding constants are executable If so

the co de is the translation Ax ofthe requirement sp ecication

It is p ossible to eliminate some redundantchecks This can b e done for nested terms

or for functions that are ensured to get corresp onding values

So the user has to dene the implementation and prove its correctness The rest is done

automatically

Example BOOLEAN by NAT

The metho d applied to Example is

The theory BOOLEAN on page is normal

The denition of in the example is

B N B and N

a c

T One c Tc One

a c

F Zero c Fc Zero

a c

Bnot xN One x c Bnot c xOne x

Zerox then Zero else y fi Band xN yN If is

a c

c Band c x yIf is Zerox then Zero else y fi

The restriction predicate isR is isB

The translation is typ e correct Consider the typ e of c NNN B BB

is the translated typ e of c

CHAPTER SUBDOMAINS IN HOLCF

The pro of obligations for the invariance are

NAT d isBOneeOne

NAT d isBZeroeZero

NAT xd isBxex disBOne xeOne x

NAT xyd isBxex disByey disBIf is Zerox then

Zero else y fie

If is Zerox then Zero else y fi

The pro of obligations for the correctness are

for BnotNAT xOne xIf isBZero then Zero else fi One

for BnotNAT xOne xIf isBOne then One else fi Zero

for BandSince T Band x x is an abbreviation for xBandTx x the pro of

obligation is

NAT xd isBxe x yIf is Zerox then Zero else y fi

If isBOne then One else fiIf isBx then x else fix

for Band

Zerox then Zero else y fi NAT xd isBxe x yIf is

If isBZero then Zero else fiIf isBx then x else fiZero

The simplied pro of obligation for the induction rule is

P P Zero P One xisBx x P x

c def is a denition that is based on the constants that are implemented It

could have b een written in a separate sp ecication using BOOLEAN Therefore

no pro of obligations are necessary for it

If constants are dened pro of obligations can be simplied The invariance obliga

tions b ecome

NAT d isBOnee

NAT d isBZeroe

NAT xd isBxe disBOne xe

NAT xyd isBxedisBye

d isBIf is Zerox then Zero else y fie

If the corresp onding constants are preserving the correctness pro of obligations may

be reduced to

for BnotNAT One Zero One

for BnotNAT One One Zero

THEORY INTERPRETATION

for BandNAT

for B InductNAT P P ZeroP OnexisBx xP x

The pro of obligations for Band ad Band disapp ear since the invariance disBxe

disBIf is Zerox then Zero else x fie holds

Co de generation eliminates all abstract constants by translation Therefore only c

remains and the generated co de for BOOLEAN is

BY NAT NAT BOOLEAN

consts

c N DList

rules

c def c Map DList xIf isBx then One x else fi

nill true If fix P lcases is

is consl andisBfstl

Prstl

dconsOnedconsZerodn il

then dconsOnedconsZerodn il

else fi

end

The executability is clear since N is a free data typ e The xed point op eration can

b e implemented for every example by a recursive function of the functions In this

case it is even p ossible to eliminate the test by optimizations

the optimizations give the following ecient co de

BOOLEAN BY NAT NAT

consts

c N DList

rules

c def c Map DList xOne xdconsOnedconsZerod nil

end

If we fo cus on the normalized formula

uniqueN f xfx Bnotx g xgx Bnotxyfy gy

CHAPTER SUBDOMAINS IN HOLCF

we see that it is translated and simplied into

f xd isBxe fxxOne xx

g xd isBxe gxxOne xx

ydisBye fy gy

this is obviously true and hence it is an example for the Correctness of our metho d

Renement for Restrictions

This section denes a renement relation for the restriction step of the implementation

based on the theory interpretation of the previous sections With this renement relation

a basis for the deductive software development pro cess is dened On an example we will

see that this basis may intro duce inconsistencies when it is applied to arbitrary mo dules

parts of the system Therefore it is not mo dular in the sense of Denition

The following denition of the theory interpretation basis includes the denition of a re

nement relation for restrictions

Denition Theory Interpretation Basis

Let L MOD b e a mo del inclusion basis and let b e a theory interpretation

for restrictions with invariance Inv then the quadruple L MOD is called

theory interpretation basisif

L L is the set of all normalizeable sp ecications

is for dened by

b b

M N M N or M N where N is the mo del construction for

N see Denition This renement relation allows us to do renement

by mo del inclusions and theory interpretations

is for M N MOD dened by

S T S T if a renement by mo del inclusion has to be proved and

S InvT if a theory interpretation with invariance Inv has to be

proved

The theory interpretation basis is obviously a deductive software development basis and

due to the satisability of the theory interpretation it is also consistency preserving For

mo dularitywe lo ok at the following example It showus that applying a theory interpre

tation only to a mo dule can intro duce a typ e error

THEORY INTERPRETATION

Example Theory Interpretation with Modules

We sp ecify a function that takes a natural numb er and doubles it The sp ecication

DOUBLEDnat is mo dular since it includes the natural numb ers as mo dule

DOUBLE Dnat Isabelle syntax for DOUBLEDnat

consts

double dnat dnat dnat

defs

double def double n n add n

end

The sp ecication bases on the following sp ecication mo dule

Dnat EQ

domain dnat dzero j dsuccdnat

consts

add dnat dnat dnat

rules

add dzero add nn

add dsuccn add mdsuccn add m

end

See Section A for a complete sp ecication of the natural numb ers Now we use

a theory interpretation with sort translation dnat Fin see Section A

translates natural numb ers into nite natural numb ers Applying this theory

interpretation to Dnat changes the typ e of the function add from dnat dnat

dnat to Fin Fin Fin Since double is still of typ e dnat dnat dnat

the denition double def in the sp ecication DOUBLE Dnat is not typ e correct

Applying theory interpretations to the whole system avoids this problem In the example

it translates the typ e of the function double from dnat to Fin

Since theory interpretations may only b e applied to normalizeable theories it mightbethe

case that a comp onent is normalizeable and the whole system is not Therefore theory

interpretations are in general not mo dular in the sense of Denition In Faraitis

proved that theory interpretations are mo dular for conservative sp ecications The result

cannot b e applied in general since sp ecications are in general not conservative In Section

we prove that some restricted form of theory interpretations which are used for

the quotient step are comp ositional and therefore well suited for the implementation of

interactive systems

The origin of the problems with dierent implementations is that there is no abstraction

any more Esp ecially an abstraction function would help to avoid these problems since it

abstracts from the concrete typ e Therefore many renement techniques use abstraction

functions to relate dierent data typ es Conservative extension is a metho d that is based

on abstraction and representation functions

CHAPTER SUBDOMAINS IN HOLCF

Mo del Inclusion

The last section presented a metho d for the restriction step based on theory interpretation

In order to compare theory interpretation with mo del inclusion this section gives a metho d

for the implementation of the restriction step based on mo del inclusion This metho d

intro duces a subtyp e by a conservative extension This allows us to prove the renement

for the restriction step of the implementation by theory inclusion The metho d provides

a subtyp e with cpo structure called subdomainand continuous functions needed for the

implementation of interactive systems To ol supp ort for this metho d is available in form of

the subdom typ e constructor see Section and App endix A whichwehave develop ed

in HOLCF The metho d is compared with the metho d of the previous section and will b e

part of the metho d for the implementation of ADTs in Chapter

The metho d extends a concrete sp ecication by a subtyp e which is shown to reside gen

erally in the class pcpo and provides syntactic schemes for the conservative intro duction

of functions of the new typ e If the corresp onding concrete functions on the concrete typ e

are preserving the dened functions will b e continuous

For the logic HOL there exists a metho d Mel which allows us to intro duce subtyp es

The metho d realizes this by enco ding an induction rule into the predicate describing the

values of the new typ e In general we cannot apply this technique since weintro duce typ es

with cpo structures and require the admissibility of our restriction predicate Therefore

wehave to provide rules which allow us to deduce the induction rule for the abstract typ e

from the induction rule of the concrete typ e

We use the same notations as in Section The implementation consists of a sort imple

mentation from a typ e to a corresp onding sort a constant implementation and a

restriction op eration isR which is equal to TT for all values of the subtyp e

The section is structured as follows First a new subtyp e is intro duced by conservative

extension and it is proved that it b elongs to the class pcpo Section Then invariance

will b e required Section b ecause it is used to show continuity of the op erations on

the new ADT which are schematically intro duced in Section The induction principle

is proved in Section and co de generation is describ ed in Section In the last

section the metho d presented in is applied to a small example Since the following

pages contain a lot of pro ofs whichareschematic and could b e used for the intro duction of

arbitrary sub domains we present in Section a generic implementation which supp orts

the denition of sub domains

For the implementation of this metho d we generalize the restriction predicate to arbitrary admissible predicates see Section

MODEL INCLUSION

Intro ducing a Sub domain

This section conservatively intro duces a new subtyp e with a cpo structure using abstrac

tion and representation functions as in Example The subtyp e will implement the

abstract typ e and is a subset of a concrete typ e A subtyp e of a typ e of class pcpo is

called subdomain if the subtyp e also b elongs to the class pcpo Weintro duce sub domains

conservatively The rst step is to intro duce a subtyp e The next step is to show that the

new domain has a cpo structure This is p ossible since the restriction predicate for the

implementation of ADTs is continuous Since the new typ e has to have a cpo structure

it has to include an undened element The subset contains and all values from the

concrete typ e for which the restriction op eration isR is TT

The abstract typ e is intro duced isomorphic to a subtyp e of the concrete typ e of class

pcpo Since the extension is syntactic we use Isab elle syntax

T Th

types

n the arity of the type is n

consts

Val set subset

rep representation

abs abstraction

defs

Val def Val fs d isRse sg

rules

Val rep t Val rep

abs rep abs rep t t

abs s Val rep abs s s rep

end

The intro duction of with the HOLCF metho d requires to show that it is not empty This

is obvious since abs is in by the denition of Val def The more dicult part is to

show that has a cpo structure A conservative intro duction of a cpo structure pro ceeds

in the following steps

Intro duce v and show that it is a partial order The characteristic axioms for the

class po are see page

reexivity

antisymmetry and

transitivity

In our realization of subdom we will only require an arbitrary admissible predicate

CHAPTER SUBDOMAINS IN HOLCF

These axioms have to b e proved for v b efore instantiating into the class po

Show that abs is the least element in

Show that is a pcpo with resp ect to v by proving the characteristic axioms

minimal v x

chain C range C j abs i rep C i where cpo is

j denotes the least upp er bound of a chain In HOLCF it is dened by

is lub Sjx Sjx uSju xv u and j is an upp er b ound de

ned by is ub Sjx yy S yvx

After these pro ofs the cpo structure may be instantiated by xing the least element

The partial order v for is dened in the following Isab elle theory

T T add an order

consts

v bool

defs

def abs

v def v a b rep a v rep b

end

The pro ofs of the partial order axioms are easy since the new order v is based on the partial

order on The next theory instantiates in the class of partial order by instantiating

v the p olymorphic partial order v on into

T T

arities

rules

inst po v bool v

end

The following lemmata for T were proved

abs v x minimal

p v q rep p v rep q v

MODEL INCLUSION

monofun rep monofun rep

is chain rep is chain C is chain j repC j

lub is chain C range C j abs i repC i

cpo is chain C a range C j a

eq rep a rep b ab

mfun abs x Val y Val x v y abs x v abs y

The theorems minimal and cpo are the witnesses for the fact that has a cpo structure

and hence maybe instantiated into the class pcpo in the next theory

T T

arities

pcpo

rules

inst pcpo

end

The pro ofs of the lemmata mostly reduce the order on to the order on The only

It is carried out in Isab elle by interesting pro of is the pro of of lub

chain Crange Cj abs i repC i val prems goal Tthy is

by cut facts tac prems

The rst pro of state is

chain C range C j abs i rep C i is

Eliminating the application of the least upp er bound by

by rtac is lubI

by rtac conjI

This gives the pro of state

chain C range C j abs i rep C i is

is chain C u range C j u abs i rep C i v u

CHAPTER SUBDOMAINS IN HOLCF

Eliminating the application of the upp er b ound by

by rtac ub rangeI

by rtac allI

This gives the pro of state

F V

chain C C i v abs i rep C i i is

chain C u range C j u abs i rep C i v u is

The weaker order on is reduced to the weaker order on by

by rtac less RS ssubst

This gives the pro of state without the second subgoal which has not changed

V F

i is chain C repC i v rep abs i rep C i

abs has to be applied It requires the Now the denition of the isomorphism rep

argumenttobe in the set of corresp onding values

by rtac rep abs RS ssubst

The rst subgoal expands into

V F

i is chain C i rep C i Val

V F

i is chain C rep C i v i rep C i

The second subgoal is a prop erty of the least upp er bound and can b e eliminated by

ub thelub by rtac is

by etac is chain rep

This is the pro of state where a prop erty of the least upp er b ound is needed To show this

prop erty admissibilityof the predicate is needed It is used in the following rule which is

aforward comp osition

def RS iffD RS spec RS mp RS mp adm

chain x i P x i P lub range x adm P is

This comp osed theorem is applied by

MODEL INCLUSION

br adm def RS iffD RS spec RS mp RS mp

It creates the following three subgoals

chain C adm u u Val i is

i is chain C is chain i rep C i

i is chain C i rep C i Val

The second and the third subgoals are reduced by

by rtac allI

Val by rtac rep

chain rep by etac is

Now the denition of Val is expanded by rewriting the subgoals with

by rewrite goals tac Val defmem Collect eq RS eq reflection

This gives the pro of state for the admissibilityofthe restriction predicate

i is chain C adm u disRue u

It can b e proved using the fact that isR isacontinuous function

by rtac adm disj

adm x disRxe

adm x x

by rtac adm eq

cont fapp isR

cont x TT

adm x x

by cont tacR

adm x x

by rtac adm eq

cont x x

cont x

tacR by cont

Now the proofofthe rst subgoal is nished It remains to show that

is chain C u range C j u abs i rep C i v u

ub thelub The pro of uses the same ideas as the rst subgoal but instead of the prop erty is

it uses is lub thelub Therefore it is not shown here

CHAPTER SUBDOMAINS IN HOLCF

Invariance and Preserving Functions

ppreservingness is a prop erty of the corresp onding functions which ensures that the func

tions do not leave the set of corresp onding elements ie provided that a function gets

a value of the subtyp e its result will be again of the subtyp e A function f is called p

preserving with resp ect to a predicate p if the predicate p is invariant under the functions

ie xpx pf x see Section for a precise denition of invariance If we have

the p ossibilitytocho ose the predicate p wemaycho ose it to b e equal to true and therefore

preservingness is trivial

In the general case we cannot cho ose the restriction predicate for example if we want to

represent the values true and false by the natural numb ers one and zero the restriction

predicate is xed to the test whether the natural number is one or zero Therefore the

invariance is a pro of obligation in the metho d for the implementation of ADTs It ensures

continuity of the op erations intro duced in the next section This might lo ok lab orious

since it has to b e proved in every implementation of interactive systems with a restriction

step In fact there is a metho d without this explicit pro of obligation This metho d would

enco de the test of the restriction op eration into a continuous abstraction function by

c abs x If isRx then abs x else fi

Since this function can b e shown to b e continuous if isR is total all intro duced op erations

could be based on this abstraction function and would be preserving and continuous by

denition However this would lead to inecient co de isR would be evaluated in every

abstraction which could only be optimized by the help of invariance Furthermore the

renement pro of of totalityofthe abstract op erations for example the selector functions

would require to show that the corresp onding functions are preserving Therefore for a

given restriction predicate invariance is a necessary pro of obligation and proving it once

helps to structure our correctness pro ofs

In addition invariance may help to nd the restriction predicate and the corresp onding

values see Section for the use of the general metho d Therefore it is advantageous to

treat invariance as an explicit pro of obligation

Intuitively the invariance as describ ed in Figure on page states that the corre

sp onding functions must not leave the subset of corresp onding values Formally this can

be dened as in Denition by

c c

Th x x c x

j j s j t j

for all c s s t

The denition of the predicate is a typ e dep endent generalization of the restriction

predicate p to arbitrary typ es For a sp ecial case we are able to derive the following

theorem over the theory T

See Section for an example of a more appropriate choice of p

MODEL INCLUSION

invcont xx Val fx Val cont s abs f rep s

This theorem allows us to deduce continuity of the op erations which are intro duced on

the new typ e The functions abs and rep are used in the schemes for the denition

of the op erations For continuity it remains to show that the corresp onding functions are

preserving functions ie that the restriction predicate is invariant

Intro ducing Executable Op erations

To construct an ADT that renes the abstract ADT T fc g by mo del inclusion

we need to implement not only the typ e but also the op erations c In the previous

section we have implemented the typ e and now we implementthe op erations As dened

on page op erations are executable if they can b e dened by continuous terms Therefore

continuity is imp ortant here Weprovide a metho d that sp ecies the abstract op erations in

terms of the corresp onding concrete op erations Provided that the concrete op erations are

executable the abstract op erations are also Invariance is a requirement for the continuity

of our new op erations c Invariance requires the corresp onding functions to b e preserving

This section denes syntactic construction schemes for the intro duction of op erations based

on the corresp onding constants c which have the same typ e as the abstract ones The

conversion is done by abs and rep The schemes may also be applied if higher order

functions and higher order typ es with typ e constructors are used in c Continuity is

derived from the preservingness of the c by the ab ove theorem invcont The new

op erations will rene the abstract ADT if the corresp onding concrete op erations are chosen

correctly This renement pro of is a pro of obligation for the metho d of the implementation

The schemes are of the same shap e as the schemes used in the previous section see page

to construct the semantics of the abstract theory but they are used here on the syntactic

level They take the corresp onding concrete term and the desired typ e as input written

as an index and pro duce the desired executable op erations

Denition Syntactic Construction Scheme

Let be a term translation with and Then the construction scheme

for a given target typ e and a corresp onding constant is dened by T T T

a c a

Var t t for typ e variables x

Fun f x a f x

ab b a

Tau t abs Map y t y t

i t

TC tMap y t y t if tc

i t

tct

Of course these typ es haveto match in the sense that the concrete typ e is the translated typ e of

abstract typ e

CHAPTER SUBDOMAINS IN HOLCF

This scheme p erforms the lifting from the corresp onding terms c to abstract functions

c It is a typ e dep endent scheme and allows us to lift functions of arbitraryhigherorder

typ es The lifting of concrete functions to abstract functions requires a representation of

the arguments and an abstraction of the result The abstraction is supp orted by and for

the representation we have a dual construction which maps to representing values

Denition Dual Syntactic Construction Scheme

Let be a term translation with and Then the dual construction scheme

T T T foragiven target typ e and a corresp onding constant is dened

a a a

Var t t for typ e variables x

Fun f x a f x

ab b a

Tau t rep Map y t y t

i t

TC y t y t if tc tMap

i t

tc t

This scheme p erforms the representation from abstract to concrete and corresp onding

values It may b e demonstrated on the construction of the function not in Example

Starting with the translation of the abstract function ensures that the typ es match since

this is a requirement for the translation

not BB not

x NOne x

b B x NOne x b

B B

bBabs x NOne xBrepb

bBabsOne Brepb

The continuity of this function is ensured by invcont since for all xf Zero Oneg the

following holdsyOne y x f Zero Oneg

Deriving an Induction Rule

Since the abstract data typ e contains an induction rule see Denition and since we

rene the abstract data typ e by mo del inclusion we have to prove this induction rule We

prove the abstract induction rule based on a concrete induction rule for the corresp onding

values In other words we have to show that all corresp onding values are generated from

the constants corresp onding to the abstract constructor functions

MODEL INCLUSION

The following rule which is derivable from theory T helps us to derive the abstract

induction rule

all sd ss d isRse P abs s P x

Thus proving an arbitrary prop erty over avariable of typ e can b e reduced with all sd

to the pro of of the prop erty of all corresp onding values ss disRse P

abs s The remaining pro of can be done on the concrete typ e

A dierent approachischosen in the HOL logic Gor GM There exists a metho d for

intro ducing subtyp es and deriving the desired induction rule In Mel the typ e of trees

is intro duced by the following restriction predicate

p n P tlEvery P tl Pnode REP tl P n where Every P tl states

that P holds for every element in the list of no des and node REP gives the enco ding

of trees

As in this example the desired induction rule is generally enco ded into the restriction

predicate in this metho d In HOLCF such a restriction predicate could also b e formulated

but since it is not admissible it cannot b e used to show that the subtyp e is a pcpo So we

cannot use this HOL metho d to intro duce subtyp es which belong to the class pcpo with

derivable induction rules

Co de Generation

Since the schemes of Denitions and are conservativeintro ductions of continuous

functions they are executable in the sense of Denition In programming languages

with free data typ es as ML the datatype construct may b e used to generate co de for free

data typ es

Co de generation has to ensure that only corresp onding values may be generated Since

are preserving the only dangerous function is the free constructor of the data typ e the c

abs By hiding this constructor we achieve correctness but we lose the ability to dene

functions with pattern matching In BC there is an idea to work around this problem

whichwould corresp ond to exp orting the continuous constructor function c abs see page

for the construction of abstract values and the abs for pattern matching

Co de generation for the free data typ e is simple

datatype tau tauabs of sigma data type

fun taurep tauabs x x representation function

We will see an application of this rule for streams in Example

CHAPTER SUBDOMAINS IN HOLCF

c a

If the corresp onding constant c for an abstract constant c t is executable then the func

i i

tions generated by the construction schemes are executable Co de generation for constants

is schematically dened by

a c

val c t c

i i

To ensure that only restricted values are constructed the free data typ e constructor tauabs

has to b e hidden in the signature

Metho d for the Restriction Step

This metho d for implementing the restrictions is based on the metho d of conservative

extensions in HOL and HOLCF The general scheme is

a c

Dene a translation Th to Th

Check the translation syntactically typ e check etc

Apply conservative extension and generate pro of obligations

Prove pro of obligations

Generate co de

A more detailed description of these steps is

First the user has to x the implementation as in Section

the abstract sort

the corresp onding sort term with

the restriction predicate isR tr

the abstract constants c and

c a a c

the corresp onding constants c for all c c c

i i i i

The translation is checked as in Section

a c

typ e correctness for all c u the corresp onding typ e has to b e c u

i i

the sorts and have to b e data typ es pcpo and pcpo

a c

all constants of Th n Th except the conservatively dened ones have to be

implemented by

MODEL INCLUSION

a a

all sort constructors ftc g of Th are contained in the sort constructors

c c

ftc g f g of Th

This test can be checked automatically

In this metho d the pro of obligations arise from theory inclusion for all abstract

a c

c c

axioms ax Ax Thax where Th is the conservative extension from Th by a

new pcpo typ e and by op erations dened by the schemes as describ ed in Sections

and Invariance is a pro of obligation which helps to structure the pro ofs

The pro of of the pro of obligations has to be done by the develop er It can be

completely proved within HOLCF

It is p ossible to generate co de if the corresp onding constants are executable If so

the co de is generated out of Th

So the user has to dene the implementation and has to prove invariance and theory

inclusion of the generated conservative extension Th The rest is done automatically

Example BOOLEAN by NAT

The metho d of Section is illustrated again with the Example where B is imple

mented by N

The denition of the implementation in the example is

B N B and N

a c

T One c Tc One

a c

F Zero c Fc Zero

a c

Bnot xN One x c not c xOne x

Zerox then Zero else y fi Band xN yN If is

a c

and c x yIf is Zerox then Zero else y fi c

The restriction predicate isR is isB

The translation is typ e correct Consider the typ e of c NNN B BB

is the translated typ e of c

The pro of obligations are all axioms except the conservative denition of c of

BOOLEAN based on the extended theory NAT

NAT Band T Band x x

NAT Band F Band x F

CHAPTER SUBDOMAINS IN HOLCF

NAT Bnot BnotF T

NAT Bnot BnotT F

The rst extension of NAT is the intro duction ofanew typ e by

NAT NAT

types B

consts

BVal N set subset

Brep B N representation

Babs N B abstraction

defs

BVal def BVal fs disBse sg

rules

Brep Val Brep t BVal

Babs rep Babs Brep t t

Brep abs s BVal BrepBabs s s

end

No explicit pro ofs are necessary since all pro ofs were done schematically in Section

The next extension is the partial order

NAT NAT add an order

consts

B v B B bool

B B

defs

B def B Babs

v def B v a bBrep a v Brep b B

end

The next extension is the instantiation of the partial order

NAT NAT

arities

B po

rules

inst B po v B B bool B v

end

The next extension is the instantiation of the cpo

MODEL INCLUSION

NAT NAT

arities

B pcpo

rules

inst B pcpo B B

end

Based on the new typ e the op erations are intro duced by the schemes The result is

NAT NAT

ops curried

T B

F B

Band B B B cinfixl

Bnot B B

c B DList a constant

defs

def T BabsOne T

F def F BabsZero

Bnot def Bnot xBabs Brepx

def Band x yBabsIf is ZeroBrepx Band

then Zero else Brepy fi

c def c Map DListBnotdconsTdco nsF dni l

generated finite B by T j F derivable

end

The necessary pro of obligations of the invariance are the same as in Section

The pro ofs NAT Inv and NAT B can b e carried out by functional renement

Co de generation gives in ML

datatype B Babs of N

fun BrepBabs x x

val F Babs One

val T Babs Zero

fun Bnot x BabsOneBrep x

fun Band x y BabsIf isZeroBrep x then Zero else Brep y

The signature of the mo dule must hide Babs

CHAPTER SUBDOMAINS IN HOLCF

Theory Interpretation Mo del Inclusion

p p

transitive

mo dular no

p p

executable

co de generation compilation new data typ e construction

pattern matching no no

applicable normal theory all theories

restrictions nite data typ es

a a

pro of obligations Th Inv Th Inv

Figure Metho ds for the Restriction Step

Summary and Comparison of Restrictions

This section compares the two metho ds for the implementation of the restriction step of

the implementation of ADTs

Both metho ds supp ort the implementation of pcpo typ es by pcpo typ es without additional

pro of obligations for the instance of pcpo Invariance is a pro of obligation in b oth metho ds

but since extends the size of the axioms we prefer the pro of of Th The admissibility

which is required to instantiate the conservative extension is ensured by the denition of

the form of the restriction predicate with the continuous function isR and therefore it

is not mentioned in Figure

Pattern matching is not supp orted by b oth metho ds although there are metho ds BC

that supp ort pattern matching over nonfree data typ es by having a constructor and

a destructor and by separating metho dically between them This would corresp ond to

exp orting the constructor abs only for pattern matching usually only on the left hand

side of function denitions and c abs for the safe construction of arbitrary terms on

the right hand side Since this would require a lot of uninteresting work in adapting the

semantics and to ols to the concepts presented in BC it is not done in this work

Theory interpretation is restricted to nite data typ es since it uses the totality of the

selector functions in the pro of of Theorem The conservative construction for the

sub domain requires only an admissible predicate and therefore we can apply it to innite

data typ es as well

To express the restriction step in a renement relation we dened a restricted theory

interpretation basis for the metho d based on theory interpretation For the metho d based

on mo del inclusion with conservative extensions we can use the general mo del inclusion

basis of Denition The renement relation of the theory interpretation basis is not

mo dular

Therefore the metho d in Chapter uses conservative extension for the restriction step

However for the implementation of quotients we need theory interpretations

THE SUBDOM CONSTRUCTOR IN HOLCF

The subdom Constructor in HOLCF

Since the restriction step is an imp ortant part of the implementation we decided to supp ort

the development of restrictions by a generic typ e constructor An example for a typ e

constructor is list It takes an arbitrary typ e and builds the typ e list There

are several op erations on lists see Example available The idea of our subdom

constructor is similar but it do es not work for arbitrary typ es butonly for those typ es

with an admissible predicate These typ es are collected in the typ e class adm

The main goal of the realization of this typ e constructor was to show that it resides into

the class pcpo ie it has the

arity subdomadmpcpo

All pro ofs of Sections and are carried out p olymorphically so that they are

available on every typ e of the class adm

Since the imp ortant construction schemata of Section are typ e dep endent we cannot

dene a function for them However since the most imp ortant case is the lifting of an

op eration of typ e to the typ e we dened a sp ecial function sd lift for this

lifting and proved some prop erties for it The most imp ortant prop erty is the following

invcont lift inv f cont lift f

The denition for invariance for this sp ecial case is also given

All theories and theorems for the typ e constructor subdom and the class adm are in Ap

p endix A The realization resp ects some metho ds from RegWen which ensure the

technical correctness of the conservative extensions

The instantiation into typ e classes is done step by step For example rst subdom

is dened in SUBD Then it is proved that the typ e subdom is not empty The

next step in theory SUBD is to dene an order on subdom After having proved

that it is a partial order it is instantiated into the class po with the arity declara

tion subdomadmpo in theory SUBD The last step is to add the desired arity

subdomadmpcpo in theory SUBD

Axiomatic typ e classes are used whenever it is p ossible For the denition of the

class adm we used axclasses and we proved the instantiations We used the two step

technique describ ed in Section for the intro duction of characteristic constants

Since for HOLCF by now no version with axiomatic typ e classes is available we

used the stepwise instantiation into typ e classes as in Reg

CHAPTER SUBDOMAINS IN HOLCF

Intro duce continuous functions conservatively step by step Acontinuous function

can be dened as comp osition of continuous functions In our case abs is

not continuous and hence we cannot use abs in the continuous function space

Therefore we have to dene a function in rst and after having proved that it

is continuous we dene a continuous function for example the intro duction of the

lifting op eration in App endix A

The realization of the implementation with the subdom constructor has one small disad

vantage it do es not allowustoformulate dierent restriction predicates on one typ e since

this would lead to inconsistent sp ecications For example if we like to have the natural

numbers zero and one as representations of b o olean values and if we also require the nat

ural numb ers from zero to to be the representations of characters then we have this

conict

In small case studies where this case do es not o ccur wemay ignore this but it is easy to

work around this problem likethe following example shows

Istream Stream ADM

domain IS IabsIrep stream

defs

is Istream def adm pred x stream finite Irepx

This example shows the emb edding of the typ e stream to the typ e IS with the domain

construct The restriction predicate for the class adm has to use the representation function

Irep dened by the emb edding After the pro of of the admissibility of adm pred in

theorem adm is Istream adm adm pred pcpo ISbool the emb edded typ e IS

is instantiated into the class adm and we can dene the domain of innite streams as

sub domain of IS

Istream Istream SUBD

instance

IS pcpoadm adm is Istream

types Istream IS subdom defines infinite streams

end

The emb edding slightly complicates the pro ofs but it oers the advantage that the new

sub domain of innite streams maybe reused in arbitrary developments

The op erations on innite streams have to be preserving to ensure their continuity This

means for the concatenation that it is strict otherwise we could build nite streams by

concatenating one element to the undened stream The data typ e of innite streams uses

the following preserving functions on streams and lifts them into the new domain

THE SUBDOM CONSTRUCTOR IN HOLCF

consts

Scons stream stream strict cons

lifting for streams

lift stream stream IS IS IS

defs

Scons def Scons xsIf is s then xs else fi

IS lift def IS lift fIabs oo f oo Irep

end

lift the lifting IS Lift of the emb edding In addition to the predened lifting op erator sd

is dened

With these preserving corresp onding functions we dene some op erations on innite

streams by

consts

Ift Istream

Irt Istream Istream

Icons Istream Istream

ith dnat Istream

defs

Ift def Ift xftIreprep sd x

Irt def Irt sd liftIS liftrt

Icons def Icons xsd liftIS lift sSconsxs

def ith fix ithn sIf is dzeron ith

then Ifts else

ithdprednIrts fi

Chapter

Quotient Domains in HOLCF

Quotients are an imp ortant concept of the implementation of ADTs see Section In

the development of interactive systems states can b e regarded as quotients of streams and

the typ es of the communication messages in the system can also contain quotients For

example if sets are transmitted A quotient domain is a quotient with domain structure

Quotients are used in the development since they allowus to sp ecify multiple representa

tions for the same abstract value The representations for every abstract value are group ed

into an equivalence class by an equivalence relation An implementation step which in

volves multiple representations is called quotient step

Generating programs working on the representations instead of the abstract values is

only correct if the executable functions have equivalent results for equivalent inputs

This congruence prop erty of functions and typ es is called observability or b ehavioural

correctness in the literature Thus for a metho d that allows us to prove the correctness of

the quotient step we have to dene the terms equivalence classes quotients congruences

and observability

Section contains the motivations for the dierent concepts It demonstrates the quotient

step with an example for the implementation of states by quotients of streams In Section

we dene higher order quotients congruences and observability These concepts base

on partial equivalence relations PERs In the realization we tried to formulate as many

concepts as p ossible in the HOL part of HOLCF in order to make them also available for

the HOL logic The result is a typ e constructor quot that takes a typ e with an arbitrary

PER and makes a quotient typ e of it The Isab elle realization of this typ e constructor is

describ ed in App endix A

In Section we present an implementation metho d for quotients using the higher order

quotient construction and mo del inclusion as the renement relation Section denes

a simple form of theory interpretation for the elimination of quotients This gives us the

p ossibility to use functions working with representations instead of equivalence classes as

MOTIVATION

implementations of the abstract functions provided that the representing functions are

observer functions

In Section we compare b oth metho ds mo del inclusion and theory interpretation and

prop ose a sp ecication style that allows us to implement the quotient situations in the

pro cess of deductivesoftware development by mo del inclusion and conservative extensions

Section denes a exible typ e class eq which can be used to sp ecify continuous

equivalence relations for nite data typ es

Motivation

With the restriction step we are able to implement ADTs such that every abstract element

is represented by a concrete one For example if we implement sets with a restriction step

by ordered sequences we have the situation that every set is represented by the ordered

sequence of its elements For this implementation we need a total order on the elements and

the invariance of the corresp onding functions requires to keep the representing elements

sorted For some abstract op erations union a reordering of the elements is necessary

Therefore it might b e inecienttohave single representations and in the implementation

of ADTs it is desired to allow multiple representations for the same abstract value This

supp orts ecient implementations

In the implementations of ADTs dierent representations will not give dierent results if

all programs using the implemented ADT do not dep end on the representations In other

words the programs cannot observe the dierence in the representations This leads to the

general concept of b ehavioural implementations see for example Nip

AnADTC implements an ADT A with respect to a set of programs P if for al l pC P

that use the ADT C holds pC implements pA

To show that an implementation is behaviourally correct requires to reason over all pro

grams in P based on the ADTs Showing the correctness of b ehavioural implementations

in general dep ends on the set of observable programs P This set and also the correct

ness pro of base on the programming language in which p P may be formulated In

NipPage it was noted that descending to the level of programs for every correctness

proof is undesirable Ideal ly one would like a criterion on the level of data types which

guarantees implementation on the level of programs

One p ossibility is to enco de the programs into the logic of data typ es Since we sp ecify

data typ es in HOLCF we could also enco de the notion of programs as in Gan and

In the development situations of Section we need the quotient step for the elimination of states

and in some schematic translations

In Nip mo deltheoretic characterizations of behavioural implementation concepts for data typ es

with nondeterministic op erations are studied by using the semantics of programs as observers to charac

terize the b ehaviour of data typ es

CHAPTER QUOTIENT DOMAINS IN HOLCF

of behavioural implementation as in Wan into HOLCF but enco ding b oth into the

logic would x the target programming language and would lead to a lot of additional

formalization which would make the deductive software development pro cess much more

complicated However omitting the treatmentofobservers P from the logic and the deve

lopment system would b e dangerous since the b ehavioural correctness cannot b e formally

veried without observability concepts Therefore the crucial p oint for a metho d to prove

behavioural correctness of implementations is to nd a practicable emb edding of the ob

servers into the logic of data typ es

For unique representations as for example in the restriction step we may construct an

ADT C which renes A Renement isabehavioural implementation in this general sense

since we may regard the programs p as arbitrary terms over ADTs as in Sch With

the mo dularity of renement we obtain that pC renes implements pA Therefore

mo del inclusion is a sp ecial case of b ehavioural implementation

There are many approaches to b ehavioural implementation but in HOL and HOLCF none

of these has b een yet realized One reason might b e that almost all known approaches use a

simple equational logic Instead of formalizing one known approachwe combine the p ower

of higher order logic and the cpo structured domains of HOLCF to a solution which allows

us to sp ecify quotients over functions and streams to eliminate quotients and to express

the congruence by sp ecifying the observability for partial and higher order functions in the

sp ecication of the ADTs

The following example motivates the dierent concepts that are dened in Section

The metho ds of the following sections use these concepts The example denes a free

ADT of states and shows how it is used to sp ecify a buer that receives messages and

stores values until it is asked to give them back The interesting asp ect are the multiple

representations in this example and how they are mo delled Every state has multiple

histories as representations and there are two ways to mo del this One abstract way is

to dene an equivalence class for every state This means to dene the typ e state as a

quotient of histories This allows us rene the sp ecication of states by mo del inclusion

An executable way istomodelmultiple representations and to sp ecify states in a way that

p ermits multiple representations with instead of The example shows the dierences

between pure conservative extension and theory interpretation

Example States for an oneelement Buer

The requirement sp ecication of the buer consists of three mo dules One sp ecies

the free data typ e of states another contains the typ es of the messages and the

main mo dule contains the sp ecication of the buer comp onent using states and

messages

In Section we see that many approaches do not have these close integration of axiomatization and

observability Manyapproaches use observability as a separate semantic concept

MOTIVATION

State Dnat module for states

domain State empty j statednat

State eq

end

The mo dule uses the domain of natural numb ers

Messages EQ module of messages

domain message req j data dnat

domain answer stored j error j valuednat

arities message eq

answer eq

Using the arities declaration in this way requires that there exists a continuous

equality on the typ es We could also sp ecify observer functions for example with

is Cobs data like on page but we use this notation just as a shorthand to

inform the reader that there is an equivalence relation on the typ es In the concrete

case study the equivalence relation is conservatively dened and it is continuous

equality

state based specification of the buffer component

SBUF Stream Messages State

ops curried

Buffer message stream answer stream

SBuffer State message stream answer stream

rules

Buffer def Buffer SBufferempty

SBuffer SBufferemptydatans storedSBufferstatens

SBuffer SBufferemptyreqs errorSBufferemptys

SBuffer SBufferstatenreqs valuenSBufferemptys

SBuffer SBufferstatendatams errorSBufferstatens

end

This sp ecication is executable since it uses only free data typ es with pattern match

ing However for an implementation of the buer sp ecication in terms of a more

concrete system using stateless stream pro cessing functions it may be desired to

eliminate the states from the sp ecication In this example we implement the ADT

State by a quotient of histories

Continuous equalities see Denition are continuous functions computing the result of a con

gruence see Denition

In this simple example this might lo ok strange but consider the elimination of the data base in a

distributed realization of a monolithic data base system as a more realistic example

With history we mean the inputs a comp onent has received b efore the current message arrived

CHAPTER QUOTIENT DOMAINS IN HOLCF

SBUF

State HSTATE Message

Figure Quotient Implementation of State

Since our buer stores only one message it suces to lo ok at at the rst elementof

the history streams We suggest the following implementation

State Stream

empty req

state ndatan

Beside req all other streams of messages starting with a req are representa

tions of the state empty Therefore wehavemultiple representations We implement

this step nowby mo del inclusion Therefore we construct a mo del with the quotient

constructor see Section for the denition After the sp ecication of an appro

priate PER which relates the equivalent histories we can dene the implementation

in the following sp ecication

history based specification of states

HSTATE Dnat Message Stream

types State message stream quot quotient of streams

ops curried

empty State

state dnat State

defs partial equivalence classes use

empty def empty req

state def state n datan

end

With this implementation of states we can derive all prop erties of the required sp eci

cation of states including the axioms of the domain construct In other words the

sp ecication HSTATE is a renement by mo del inclusion of the sp ecication STATE

The situation is depicted in Figure However we lost the direct corresp ondence

to a program since quotients are not executable in the sense of our Denition

since quotients are not a free data typ e The source of our problems is the sp ecica

tion of states It uses injectivity for the constructors In our example the injectivity

rule of Denition is

MOTIVATION

SBUF

State HSTATE Message

Figure Implementation of State with Theory Interpretation

injective staten statem n m

It is the basis for executability see Section but it excludes the executability

of our implementation The idea of our theory interpretation is to replace the equality

in the axioms by a congruence and to require that the functions working on the

typ e cannot observe dierences between two equivalent elements

Having replaced by in STATE and HBUF with the theory interpretation on

Message is the identity we can implementitby the following sp ecication

HSTATE Dnat Message Stream

types State message stream

ops curried

empty State

state dnat State

defs

empty def empty req

state def state ndatan

end

The situation is depicted in Figure This implementation is executable and renes

the mo died sp ecication of states One interesting asp ect is the continuous equality

on states It has to b e rened byacontinuous equality on streams which is observable

by the function state but not necessarily by the functions working on streams for

example the rest function The continuous equality on histories is a nontrivial task

since the usual classes for equality sp ecications see page restrict equalities to

at typ es and our histories are streams and hence they are not at

To summarize the example we see that quotients are mo dels for multiple representations

and that quotients are not executable Observability is used to eliminate quotients a

exible class for equalities is required So the main requirements for the treatment of the

quotient step are

the sp ecication of congruences including

CHAPTER QUOTIENT DOMAINS IN HOLCF

the sp ecication of observer functions

a quotient construction

a class eq which allows us to sp ecify acontinuous equality on nonat domains

a a a

In this chapter we implement an abstract ADT T Con Sel Dis Map

a a a a c c

sp ecied in a theory Th C Ax by a concrete ADT S Con Sel

c c c c c

Dis Map sp ecied in a theory Th C Ax To cut down notations we

a a a a

write fc g for the set of all abstract op erations Con Sel Dis fMap g and

c c

fc g for the sets of corresponding operations c T

i i

Since the restriction step is treated in Chapter the implementation from T by S in this

chapter consists of

asort implementation where T T

a c

a c a a

a constant implementation c c for all c fc g and

i i i i

a congruence on the concrete typ e

The congruence groups the dierent representations for every abstract element together

The next section denes PERs quotients and congruences in HOLCF The following sec

tions of this chapter compare a metho d based on mo del inclusion to one based on theory

interpretation

PERs Quotients and Congruences

This section denes partial equivalence relations PERs quotients for higher order func

tions and streams It also denes a predicate for the sp ecication of higher order observer

functions and congruences which also may be applied to partial functions The metho ds

for the implementation of the quotient step in the following section use these concepts

The theories and the theorems proved for quotients are describ ed in App endix A

Even if the quotient construction is not executable it is required since there we need the existence of

a mo del for the satisability of our theory interpretation For the quotient construct there are many other

applications p ossible see Chapters and

Except which is treated separately

For the implementation the existence of suces however to deduce more prop erties we sometimes

require the existence of a exible continuous equality on

PERS QUOTIENTS AND CONGRUENCES

PERs

The higher order concept of PERs ts into the logic HOL but with the gain in generality

we lose some nice prop erties For example the comp osition of observer functions is not

necessarily an observer function Therefore we can use these higher order quotients only

for the sp ecication Integrating the HOLCF domains and nite data typ es into the concept

of PERs results in the denition of the classes percpo and eqwhich solve these problems

Denition Partial Equivalence Relation

A relation on atyp e R is called partial equivalence relation PER if

is symmetric xy R x y implies y x

is transitive xyz R x y and y z implies x z

The domain D of a PER is the subset of R on which is reexive

D fx Rx xg

PERs are called partial equivalence relations since they are in contrast to equiva

lence relations reexive only on the domain D

From these axioms we can deriveby symmetry and transitivity that all values not in the

domain D are not partially equivalent see App endix A

x y x D

x D x y

In Isab elle PERs are sp ecied as p olymorphic functions of typ e bool in the HOL

part of HOLCF All typ es for which such a function exists are collected in the typ e class

per see App endix A PERs are the basis for higher order quotients and observability

Compared with equivalence relations the main advantage of PERs is that for any typ es

S T with PER and and domains D and D we mayschematically dene aPER

S T S T

on all functions of typ e S T by

f g x yx D y D x y fx gy for all

S T S S S T

f g of typ e S T

It can b e shown that the relation is symmetric and transitive and therefore PERs

S T

are closed under functional comp osition see also Rob Intuitively this means that

with PERs on nat and bool we have automatically PERs on all function typ es between

them for example nat bool nat This nice prop erty do es not hold for equivalence

relations since in general equivalence relations on functions are not reexive since x y

f x f y

The identity is the only equivalence relation which is closed under arbitrary functional comp osition

CHAPTER QUOTIENT DOMAINS IN HOLCF

Quotients

This section intro duces higher order quotients the following section denes a cpo structure

on them They are called higher order quotients since they base on the higher order

concept of PERs

Denition Higher Order Quotient

Let be a partial equivalence relation on S Then the higher order quotient is the

set of all partial equivalence classes dened by

f x j x S g where quotient S

Partial Equivalence Class x fy S j x y g for all x S

We sometimes call higher order quotients simply quotients

Using quotients allows us to implement an abstract typ e a set of elements by a set of

equivalence classes With this every abstract element is represented by a set of dierent

concrete representations which are group ed together by the partial equivalence relation

In our realization in HOL see App endix A weintro duce a typ e constructor quotwhich

takes a typ e with an arbitrary PER and delivers the quotient typ e consisting of a set of

partial equivalence classes characterized by some representants The reader not interested

in the technical details of the implementation maylookatthe theorems proved for higher

order quotients in App endix A and believe that we intro duce quotient domains and

continue to read at Section

We dene a typ e constructor quot which takes a typ e with a PER and builds its higher

order quotient The representation of these quotients are all sets of partial equivalence

classes We dene a predicate is pec of typ e per set bool which charac

terizes the set s of equivalent elements for any representant x It is dened by

is pec def is pec x s yy sy x

For any partial equivalence class this representant has to exist Therefore the sp ecication

of an equivalence class is

rpred s xis pec x s

We named this predicate rpred in analogy to the intro duction of sub domains that follows

a similar scheme see Section Dening the quotienttyp e as the union of all equivalence

classes as in Denition could give an empty typ e if the PER is always false and

therefore no representants exists Since in HOL emptytyp es are not allowed we included

the empty set as a representing set for the quotient This is expressed in the denition of

the corresp onding values cor and Val q

The rst pro of obligation is always to showthatanintro duced typ e is not empty

PERS QUOTIENTS AND CONGRUENCES

cor def cor f rpred f ffg

q def Val q ff cor fg Val

The quotienttyp e is constructed with a typ e constructor quot

types quot

arities quot perterm

This denotes that quot is available on every typ e which b elongs to per The whole con

struction is on page Another advantage is that the empty set is used as representant

for the minimal element in the intro duction of the cpo structure for quotients

In order to dene op erations on quotient typ es we need a function which builds the

equivalence class of an element and an inverse function which selects an arbitrary element

from the equivalence class These functions are also dened in the theory QUOT see

App endix A The abstraction function is of typ e per quot The

representation function is called any in They are dened by

peclass def x abs q fyy xg

any in def any in f x xf

For these functions we could derive the following prop erties see page for a complete

list of theorems

eqI x yx y qclass

qclass eqE x D xyx y

qclass eq x Dxyx y

exhaust z per y zysx quot s class

all class z per y z y x P x P s

eqI states that the equivalence classes of equivalent elements are equal Theorem qclass

This theorem ensures the satisability of our theory interpretation in Section One

disadvantage of our mo delling is the form of the rules for induction and exhaustiveness

on quotients Since we included the empty set as a representant for quotients we have to

treat it separately if the partial equivalence relation is reexive ie if there is no element

which has no equivalence class This is expressed by the premise z yz y This ugly

premise will disapp ear in Section where we intro duce the class eq and use as the

only element which is not in the domain D of the PERs

All denitions of this section are formulated in the HOL part of HOLCF Therefore they

could also be used if someone is working only with the HOL part of HOLCF In the next

section the cpo structure is intro duced for arbitrary PERs To construct a quotient

domain requires to instantiate the quotients into the typ e classes po and pcpo of HOLCF

see page

CHAPTER QUOTIENT DOMAINS IN HOLCF

Quotient Domains

This section denes a at order on the higher order quotients and shows that they have

a cpo structure

The intro duction of the arities is done step by step as in the intro duction of sub domains

in Section First we dene a partial order in theory QUOT see page then we

show the characteristic axioms for the class po Theory QUOT denes the least element

and shows that the quotient fullls the characteristic axiom of the class pcpo

The partial order on quotients is dened by

less q def less q abrep q afg ab

q fg Of course the order is This is a at order on the quotients with the least element abs

reexive transitive and antisymmetric Therefore it is a partial order As was mentioned

in Section we dene the least element to b e equal to abs q fg

UU q def UU q abs q fg

With this element the quotients are at domains See App endix A and App endix

A for the theories and theorems of the order The theorems for the quotient domain

are mainly those of QUOT To derive more powerful theorems we restrict our domains

from the class per to the classes percpo and eq of domains with congruences see Section

All realized theories and theorems for the quot constructor are p olymorphic Therefore

they may b e applied to every typ e with a PER This makes our construction quite exible

and there is no need for carrying out a lot of schematic pro ofs This comes from the p ower

of the p olymorphism in the Isab elle system with the typ e classes

Observability and Congruence

This section intro duces observability for partial and higher order functions to dene con

gruences To sp ecify observability is an imp ortant part in the sp ecication of ADTs It

is the basis for the correctness of the b ehavioural implementation This section denes a

class percpo on which these concepts may be used in HOLCF and a predicate to express

observability of higher order and partial functions

Observer functions and congruences are in equational logic two views of the same thing

since a congruence is substitutive with resp ect to all observer functions of the signature of

The quotients are called higher order since they are build on higher order elements even if the resulting structures are a at domains

PERS QUOTIENTS AND CONGRUENCES

a sp ecication In higher order logic we can dene arbitrary functions by abstraction

Therefore there is a dierence b etween all functions of the signature and all p ossible func

tions and we use the denition of observer functions to have more negrained p ossibility

to characterize congruences

PERs are the basis for the higher order observability ie PERs allow us to express the

congruence prop erty for higher order functions We could dene a predicate for HOL

functions which describ ed the observabilityby is Cobs f x yx D y Dx yf

x f y Since we work with partial functions we use HOLCF as logic and pcpo domains

Therefore we need b oth concepts PERs and pcpo domains for an adequate sp ecication

of observability and congruences The rst step towards a formulation of observability is

the intro duction of a class percpo as a sub class of per and pcpo This is in Isab elle dened

by see App endix A

axclass percpo perpcpo

After a denition of a PER on the continuous function space almost the same as for the

HOL functions and after the pro of of the witnesses for the fact that percpo is not empty

and for the arity percpopercpopercpo we are ready to dene observability for

details consider App endix A

Denition Observer Function

Let and be PERs on the typ es S and T and domains D and D Then a

S T S T

function f of typ e S T is called observer functionif

for all x y D with x y holds if f x f y D then f x f y

S S T T

This denition treats partiality of functions with resp ect to the domain D This concept

could also b e used in HOL

In the following section we dene the class eq with a continuous equality One b enet

of eq is that the domain of the PERs coincides with the denedness of elements in the

typ e class eq x eq Dx This means that is the only element not in DThe

axiomatization of observability for continuous functions in HOLCF denes a predicate

is Cobs by

Cobs def is Cobs f is

x yx D yD x yfx Dfy Dfx fy

Since the functions may be partial we fail to prove the general comp osition theorem for

Cobs f is Cobs gis Cobs xfgx This is another observable functions is

motivation for the intro duction of the class eq

CHAPTER QUOTIENT DOMAINS IN HOLCF

There are many other approaches to observability in the literature some of them are

describ ed in Section Many of them use observable typ es for the sp ecication of

observability and require all functions containing this typ e to be observer functions For

rst order logic this is adequate since the set of all functions consists simply of those

in the signature but in higher order logic we may build functions by lamb daabstraction

or application of higher order terms Therefore we need the more negrained notion of

observer functions Another advantage is the integrated treatment of observability We

may sp ecify observability simply by writing additional axioms for the data typ e see for

example page

With the notion of observer function we can dene congruences

Denition Congruence

on an ADT T fc g is called partial congruence A family of PERs

relation if

all functions f fc g of typ e S T are observer functions with resp ect to the

PERs f g

S T

Usually we call the PER a congruence In this case we ignore the other PERs of

the family

We sp ecify the congruence prop erty in HOLCF for an ADT T fc g by requiring

that the predicate is Cobs holds for all op erations f fc g

The Class eq

This section denes a class eq which allows us to sp ecify the continuous equality op era

tion see Denition and also to sp ecify observer functions needed for proving the

behavioural correctness of the quotient step To present the advantages of the class eq

it is compared with the class EQ from Spectrum and in addition we dene a class EQ in

HOLCF just to show the dierence between EQ and eq As we will see typ es of our class

HOLCF are not normalizeable

First we lo ok at the class EQ of the sp ecication language Spectrum BFG b It is

deed by the following Spectrum sp ecication

In the development pro cess every typ e of the class pcpo should have a PER Wegive metho ds for the denition of PERs in Section

PERS QUOTIENTS AND CONGRUENCES

Predefined Specification

class EQ

EQ Bool

strict total

axioms EQ ab in

fweak eqg a b ab

endaxioms

This requires the continuous function to coincide with the equalityon dened values

From the monotonicity of the function it follows that all typ es in the class EQ have to

be at For the elimination of states in statebased sp ecications by histories of streams

see Section for the general development situation and page for an example

we need a continuous equality on nonat domains In addition this class EQ do es not

allow dierent representations without the use of theory interpretations However in

a development with nite data typ es without multiple representations such an equality

class is useful Therefore we intro duce two equality classes The exible class eq and the

rigorous class EQ

We start with the exible typ e class eq It could be dened as sub class of percpo with

an additional op eration for the continuous equality and some axioms describing it

Instantiating a typ e into this class eq correctly would require to instantiate it rst into the

class per We prefer a more comfortable instantiation esp ecially a schematic denition of

the PER by xydxye would be nice since the develop er would not have to dene

rst the PER show that it is symmetric and transitive then to instantiate the PER and

continue with the denition of the continuous equality Instead we dene our class eq with

the following axioms for see App endix A for the whole theory

ax eq refl def x dxxe

ax eq sym d xyedyxe

eq trans d xye dyzedxze ax

ax eq strict x

ax eq total x y xy

eq per xydxye just to define a per ax

These axioms are the axioms for the continuous equality from the denition of ADTs on

page In addition they include the axiom ax eq per for the schematic denition of the

PER We can simply deduce that is symmetric and transitive Sp eaking in terms of

axiomatic typ e classes this means that we can prove the sub class relation pereq

The syntax of this construct allows us to give the names of theorems containing the witnesses to verify

the arity

CHAPTER QUOTIENT DOMAINS IN HOLCF

This sub class relation is expressed by the following statement

instance eqper eq sym pereq trans per

For this class we can derive a lot of theorems The most imp ortantis

eq x eq D x UU

The theorems for quotients are also more elegant since the premise z per y z y

can be removed from the induction rule and from the exhaustiveness rules for quotients

since yy holds A further theorem describ es the comp osition of observer functions

on the class eq

is Cobs comp eq is Cobsf eq eqis Cobsg eq

is Cobs f oo g

This theorems ensures the behavioural correctness of programs that are comp osed of ob

server functions All theorems for eq are listed in App endix A

The class EQ

As we saw in Section sometimes there was a class EQ used which is equivalent to

the equality class EQ of Spectrum Using this class seamed only helpful to simplify some

sp ecications b ecause on this class all total functions are observers The class is sp ecied

as sub class of the class eq

axclass EQ eq

ax EQ a ba b dabe ab

Theorems and the full theory of the class EQ are listed in App endix A However we

prefer not to use this class since it do es not allow us to dene exible implementations

All sp ecications using this class are not normalizeable since they implicitly contain the

characteristic axiom of the class ax EQ which is a p olymorphic predicate using There

fore the simple theory interpretation of Section cannot be applied to allowmultiple

representations for typ es of this class So using EQ instead of eq for an ADT xes the

implementation of this ADT

The next section denes a metho d for the implementation of the quotientstep It uses the

quot constructor to extend the concrete sp ecication and it requires to prove the renement

of the abstract sp ecication by theory inclusion Since it uses quotients it is not directly

executable and we need a metho d with theory interpretation to come to a sp ecication

which is directly executable This metho d is presented in Section

MODEL INCLUSION

Mo del Inclusion

This section implements quotients with mo del inclusion and conservative extension The

presented metho d uses the quot constructor to dene a quotient

The conservative intro duction of a new typ e in HOLCF requires with the axiom

repabsq q that the representation is unique see Section Therefore the main

goal of having dierent representations of the same abstract value cannot be achieved by

conservative extension but dierent representations of the same abstract element can be

group ed together by the partial equivalence relation

Quotients are not a free data typ e and therefore cannot be translated directly into func

tional programs The translation from the equivalence classes in the quotients to single

representing elements requires a correctness pro of This can be veried at the level of

programs see for example some approaches in Section or indep endently from pro

gramming languages at the level of sp ecications by theory interpretation

The reason for presenting an inexecutable mo del for quotients is that it is needed in the

next section to show the satisability of the theory interpretation which eliminates the

quotient step Furthermore quotients are useful in the abstract sp ecication of systems

for example if states are used

The cpo structure of the domains is ensured by the construction of quotients in Section

The metho d denes continuous op erations on the quotient domains

Metho d for the Quotient Step

This section describ es the metho d for the implementation of the quotient step in HOLCF It

is in the following sections applied to Example where an ADT of states is implemented

by a quotient over streams

The metho d extends the concrete ADT S fc g with the quot constructor The

main pro of obligation is a theory inclusion which ensures mo del inclusion of the extended

theory The concrete steps are

Dene aPER on

Instantiate it into the class per The pro of obligations are the characteristic axioms

of per symmetry and transitivity

Extend the concrete ADT S with the typ e quot

a c

Intro duce the op erations c as liftings from the corresp onding op erations c into an

i i

extended ADT S

In this section we are working with the mo del inclusion basis of Section

CHAPTER QUOTIENT DOMAINS IN HOLCF

Prove that the extended ADT S with the quotienttyp e and the new op erations is a

renement of the abstract ADT T This requires to prove all axioms ax Th

a the induction rule for the abstract typ e and

b the axioms for the sp ecications of the data typ e

The following sections describ e these steps more detailed

Denition of the PER

This section describ es a metho d for the denition of the PER on the concrete typ e

The aim of the PER is to group the dierent representations of the every abstract value

together into one equivalence class

In many cases the required PER is induced by equations b etween terms in the sp ecication

of the abstract terms For instance from the example of the intro duction page we

have the axioms

set addxaddxs addxs

set addxaddys addyaddxs

Implementing add by cons induces us the following axioms for our PER

PER consxconsxs consxs

PER consxconsys consyconsxs

If wehave a complete set all p ossible equations b etween the constructor terms for exam

ple f g of equations then the induced relation is obviously

symmetric and transitive

If the denition of the PER is not so simple for example if inequations are used in the

sp ecication the develop er has to dene the PER explicitly and has to derive the desired

prop erties A sp ecial case is the denition of PERs on streams In our example on page

we used only the rst elements of the streams but in general all elements can b e used

For example two streams are partially equivalent if all elements in the stream are partially

equivalent This PER could b e dened with the following xed p oint construction for the

denition of the PER

SPer Stream Wfp PER

types

StPER per stream stream bool consts

MODEL INCLUSION

SperFkt percpo StPER StPER

Sper percpo StPER

defs

def SperFkt F stfts ftt Frtsrtt SperFkt

Sper def Sper wfp SperFkt

end

Since a PER is a predicate we cannot use the least xed p oint op erator for the denition of

continuous functions from HOLCF We dene the PER on streams SPertobetheweakest

xed p oint of a functional SperFkt that recursively describ es the desired prop erties of

the PER The weakest xed point construct on predicates wfp is dened by

types

pred bool

consts

Charfun set pred

wfp pred pred pred

Charfun def Charfun A x x A

wfp def wfp PF CharfungfpCollect o PF o Charfun

It uses the greatest xed p oint of sets see Paua for more details Denitions of

recursive predicates as weakest xed p oints are standard in the Focus metho d BDDG

and their to ol supp ort is describ ed in SM Ohe Roughly sp eaking the metho d starts

with the pro of that the predicate is monotone and then it requires to deduce prop erties

from the xed p oint denition of the predicate

The easy way to dene PERs on typ es of the class eq is to dene the PER schematically

Consider the following sp ecication of the domain of natural numb ers

Dnat EQ introduce dnat with continuous equality

domain dnat dzero j dsucc dpred dnat

defs

dnat eq def op fix eqx y

dzerox If is

then is dzeroy

dzeroy else If is

then FF

else eqdpredxdpredy

per def op x ydnatd xye schematic dnat

end

The identity is trivially a PER but since there exists no p ossibility to dene a continuous

equalityforit

CHAPTER QUOTIENT DOMAINS IN HOLCF

This sp ecication contains the denition of the domain of natural numb ers with the domain

construct and the denition of the continuous equality as recursivecontinuous function with

the xed p oint construction from HOLCF The PER on dnat is dened schematically After

the instantiation into the class eq it is automatically available on dnat This is p ossible

since we included the axioms ax eq per x ydxye into the characteristic axioms

of the class eq Therefore we could also prove the fact that PER is a sub class of eq see

Section for the denition of the class eq and App endix A for the theorems

In the Example wehave the following denition of the continuous equality on histories

This induces the schematic denition of the PER

domain HV Habs Hrep message stream

HV eq def op x yftHrepx ftHrepy

HV per def op x yd xye

Since we can only dene one PER for every typ e and since wewant to sp ecify comp onents

which may be reused in greater systems we used the same emb edding as in the example

on page for the denition of histories and the continuous equality on it The denition

of the continuous equality on histories bases on the continuous equality of messages

To instantiate HV into the class per is not explicitly necessary since weinstantiate HV with

the following statements into the class eq which is a sub class of per

eq reflHV eq symHV eq trans instance HV eq HV

HV eq strictHV eq strictHV eq total

HV per def

The theorems contain witnesses for the characteristic axioms of the class eq They could

easily be derived from the denition HV eq def

Intro ducing a Quotient Domain

Since we dened the quot constructor p olymorphically for the typ e class per we can use

it now simply by quot In our example this leads to the following typ e declaration

for State

types State HV quot

The next step is to intro duce the op erations which corresp ond to the op erations of State

MODEL INCLUSION

Intro ducing Op erations

This section describ es the intro duction of the abstract op erations fc g on the basis of the

concrete op erations fc g The situation is similar to the intro duction of op erations for

sub domains We have corresp onding terms for the required abstract op erations and we

have the abstraction function which builds the equivalence class and the represen

in which selects an arbitrary element from the equivalence class see tation function any

App endix A and App endix A for theorems on these functions Therefore wecan

apply the same schemes to dene the general conversions between an arbitrary abstract

constant and its corresp onding term The schemes are describ ed on page and are not

rep eated here

Since for the intro duction of quotients there is no restriction predicate we have no in

variance requirements Since the quotient domain is at continuity of the intro duced

abstract op erations is quite simple The interesting asp ect is the monotonicity For the

simple scheme we derived a lifting theorem for strict functions

monofun lift x x f monofun x fany in x

In the example we have the corresp onding functions and the following denitions of the

abstract functions

corresponding functions

ops curried

empty HV

state dnat HV

defs

empty def empty Habsreq

def state nHabsdatan state

abstract functions

ops curried

empty State

state dnat State

SBuffer State message stream answer stream

Buffer message stream answer stream

defs

empty def empty empty

state def state n state n

SBuffer def SBuffer sHBufferany in s

def Buffer SBufferempty Buffer

As was mentioned in the motivating example in Section the quotient domain is not

executable However one extension of this work could be to extend the denition of exe

cutable sp ecications to quotients by giving a veried interpreter or a similar to ol to ensure

CHAPTER QUOTIENT DOMAINS IN HOLCF

the b ehavioural correctness of these sp ecication Therefore it makes sense to think ab out

the continuity of the intro duced op erations

Pro of Obligations

The pro of obligations of the quotient step with the mo del inclusion basis are

to show that the PER is symmetric and transitive and

to derive all abstract axioms from the concrete axioms by theory inclusion

The rst pro of obligation was treated in Section The renement of the abstract

axioms requires to prove all axioms in Ax These are the axioms of the sp ecied functions

and the axioms for the domain construct esp ecially the induction rule Since the pro of of

the axioms of the function dep ends on their sp ecication it is hard to give general rules

to supp ort these pro ofs The only general style is that functions are frequently sp ecied

by equations Proving an equation between equivalence classes requires to show that the

representants are equivalent We have the following rules

equality and symmetry for equivalence classes

qclass eqI x yxy

qclass eqE x D xyx y

qclass eq x Dxyx y

For the intro duction of the induction rule we have the following theorems for induction

over the class per

class z per y zy x Px P s all

all class Pabs qfg xPx P s

for the induction over typ es of the class eq we have the following stronger rule

eq all class x eqP x P s quot

In addition to these rules there are a many other rules supp orting the renement pro ofs

see App endix A

THEORY INTERPRETATION

Theory Interpretation

This section denes a theory interpretation for the quotient step of the implementation

Although we have a corresp onding typ e our theory interpretation translates terms

over into terms over The implementation of typ e by a typ e could be done

with a free domain construct consider the example in Section and the known lifting

techniques In this section we concentrate on the theory interpretation which makes this

implementation p ossible

Toensurethatatheoryinterpretation as dened in Denition is made it is necessary

a a a c c c

to show foranabstract theory Th Ax and a concrete theory Th Ax

a c

Correctness Th implies Th for all formulas T

c a

and M jAx implies that there exists Satisfiability M j Ax M with

M jAx

The rst requirement is a pro of obligation for the user From our denition of mo dels it

follows that it suces to prove all axioms Ax instead of all formulas The second

requirement is our task in this section to show that the interpretation is satisable This

is trivial since we dene avery simple form of theory interpretation

Theory interpretation for quotients replaces by and requires to b e a congruence If

is used in p olymorphic predicates we cannot replace it by Therefore normalization

is needed again as in Section However we do not rep eat the normalization in this

chapter

The theory interpretation for the quotient step is simple since it has no premises

Therefore there is no need for invariance requirements and this section is structured as

follows rst is formally dened on normalized theories and satisability is proved

Then the metho d is presented including pro of obligations and co de generation The

treatment of Example shows the applicability of this metho d The section concludes

with a denition of a software development basis containing a renement relation for the

quotient step

Simple Sort Translation

The theory interpretation bases on a simple sort translation The sort translation

is the basis for the term translation In the quotient step it is the identity

Id x x for all x T

CHAPTER QUOTIENT DOMAINS IN HOLCF

The only nontrivial requirement is that the sort translation generates the the following

arity

Arity eqeq where is the abstract sort constructor and

the observability sp ecication is Cobs f for all functions f fc g

This makes the congruence available on and ensures some nice prop erties which we

require for the satisability of the metho d The necessary instantiation is a normal re

nement step in the deductivesoftware development pro cess towards executable programs

Simple Constant Translation

The only translated constant is bool It is translated into bool

Denition Simple Constant Translation

The simple constant translation T is dened by

EQ x y xyx yx y if is used on the typ e

Const cc for all other constants c

Since there is no real sort translation and no real constant translation there are no addi

tional requirements for typ e correctness

Simple Translation

Since there are no restrictions in the quotient step all terms are translated canonically by

Denition Simple Term Translation

Let b e simple sort and constant translations Then the simple term translation

for quotients is canonically dened by

Con cc

Here is an asp ect for future work It could b e p ossible to nd a more restrictive formalization of the

class percpo or a more restrictive formalization of the predicate is Cobs for example a restriction to total

functions could ensure the satisability for restricted PERs We restricted the satisability to the class

eq However for the sp ecication the class percpo can b e used This will b e our prop osal for a metho d

based only on mo del inclusion whichallows multiple representations in Section

THEORY INTERPRETATION

Var x ux uif x isavariable

Abs x utx ut

App f tf t

Both rules and of the general theory interpretation on page are dened without

complicated terms in contrast to the theory interpretations on pages and Since

there are no premises in the translation the invariance is not needed for the quotient

step The simple term translation is the theory interpretation for the quotient step Its

correctness is ensured since the translated axioms are pro of obligations in the renement

pro cess The injectivity axiom of Example is translated into

injective staten statem n m

The next section shows the satisability of simple translations

Satisability

The task of this section is to give amodelM which ensures

c a a

c c

Satisfiability M j Th and M jAx implies there exists M with M jAx

We need the satisabilityof our theory interpretation to ensure that there exists a mo del

of the abstract theoryifwehave a mo del for the concrete theory In the implementation of

ADTs this will ensure that replacing the equalityby a congruence is a correct development

step

The key idea of the pro of of satisability is to construct a quotient mo del which bases on

the typ e The rst step is to construct a typ e mo del

Denition Quotient Type Model Construction

Let T be the abstract sort of class eq Then the typ e mo del construction

TM for a concrete typ e mo del TM PUTCis dened by

TM PUTC fbg where

b ff TMquot g

In Section it was shown that this typ e has a cpo structure Now the quotient mo del

M is constructed

CHAPTER QUOTIENT DOMAINS IN HOLCF

Denition Quotient Model M

a a

Let be a simple translation and M C be a mo del of Ax Then the

quotient mo del M is dened by

c d

q and rep q M TMC fabs r epg where abs and rep are dened as abs

in the intro duction of the quot constructor see page

With this semantic extensions of the concrete mo dels we have abstract mo dels The only

remaining task is to show that they are mo dels of the requirement sp ecication This is

quite easy since we know that they are mo dels of the concrete sp ecication and hence

they satisfy the translated axioms of the form t s From this we may deduce with

the rule qclass eqI x y x y see App endix A that the

abstract axioms hold Therefore our mo del is a mo del of the requirement sp ecication

The congruence prop erty ensures that the b ehaviour the results of arbitrary comp ositions

of observer functions are equal

Metho d for the Quotient Step

To nd a metho d for the quotient step all required assumptions are collected and put into

the metho d The general scheme is

Check if the theory Th is normalizeable

Apply normalization and the simple theory interpretation

Generate pro of obligations for further renement Ax

Since is xed the develop er only has to apply it No additional consistency denition

and checks are needed The pro of obligations are simple renement obligations and are

not part of the quotient step although they have to b e proved in the further development

towards executable sp ecications

Example State by Histories

The metho d is applied to Example The theory State is normalizeable since no

p olymorphic predicates that are not conservative are used The domain construct for

states is expanded The only translated rule is injective

The theorem is Cobs comp eq is Cobs fis Cobs gis Cobs f oo g in Section ensures

this for typ es in the class eq

THEORY INTERPRETATION

State Dnat

types state

ops curried

empty State tr is

is State State tr

empty State

state dnat State

rules

Induction rule

Ind P P empty P staten P x State

discriminator rules

is empty d is emptyemptye

empty b is emptystateyc is

is state d is statestateye

is state b is stateemptyc

translated injectivity rule

injective staten statem n m

added by the theory interpretation

arity stateeq

rules specify the congruence

obs is Cobs state

obs is Cobs is empty

obs is Cobs is state

end

From now on the rest of the example is conservative extension and mo del inclusion The

examples in Section and Section show these steps

Since ML do es not dierentiate b etween the equality and the continuous equality the

co de generated for the quotientstep should use a functional language like Gofer HJW

Jon Gofer allows us to redene the equality of the class EQ In addition Gofer has

lazy typ e constructors and therefore allows us to generate prototyp e co de for the stream

pro cessing functions

Simple Theory Interpretation Basis

This section denes a renement relation for the restriction step of the implementation

based on the theory interpretation of the previous sections With this renement relation

a basis for the deductive software development pro cess is dened This section shows the

deciency of the metho d and prop oses a pragmatic way to sp ecify data typ es in order to

allowmultiple representations

CHAPTER QUOTIENT DOMAINS IN HOLCF

The following denition of the simple theory interpretation basis includes the denition of

a renement relation for mo del inclusion

Denition Simple Theory Interpretation Basis

Let L MOD be a mo del inclusion basis and let be a simple theory

interpretation for quotients then the quadruple L MOD is called simple

theory interpretation basisif

L L is the set of all normalizeable sp ecications

is for M N MOD dened by

b b

M N M N or M N where N is the quotient mo del for N

see Denition This renement relation allows us to do renement by

mo del inclusions and simple theory interpretations

is dened by

S T S T if a renement by mo del inclusion has to be proved and

S T if a theory interpretation has to b e proved

It is obviously a deductive software development basis and due to the satisability of the

theory interpretation it is also consistency preserving Transitivity is trivial since may

only b e replaced once by To see that is not mo dular consider as in Section a

sp ecication S which uses a sp ecication A If A is normalizeable then A is welldened

but if S is not normalizeable for example due to a nonconservative p olymorphic predicate

in S cannot b e applied to S and therefore simple theory interpretations are not mo dular

in general

Again as in Chapter the emb edding of the implementation of ADTs in the deductive

software development pro cess provides a solution since it ensures that sp ecications are

normalizeable when data typ es are implemented Comp ositionality of is proved in

Chapter

Another more pragmatic solution is to use instead of in the sp ecication of the

system and to sp ecify the observers on the abstract typ e This allows us to base the

complete development on conservative extension and gives the opp ortunitytocharacterize

the observers for every data typ e within the sp ecication An additional advantage of

this sp ecication style is that we are not restricted to the class eq and therefore we may

sp ecify quotients of more typ es for example stream do es not reside in the class eq Since

this wouldbeasevere restriction of the sp ecication style the metho d in the next chapter

assumes normalizeability of the theories and uses the simple theory interpretation basis

SUMMARY AND COMPARISON OF QUOTIENTS

Theory Interpretation Mo del Inclusion

p p

transitive

mo dular normal theories

p p

comp ositional

co de generation not directly

pattern matching no

representations dierent unique

applicable normal theories all theories

a a

pro of obligations PER Th is Cobs PERTh

Figure Metho ds for the Quotient Step

Summary and Comparison of Quotients

The comparison of the metho ds Figure is dicult since they are used for dier

ent purp oses Conservative extension extends theories with unique representation where

theory interpretation allows dierent representations If dierent representations are mo d

elled with conservative extension by equivalence classes the resulting sp ecications are not

executable The requirement of unique representations in conservative extension can be

weakened by normalization which allows executable implementations The b ehavioural

correctness of this step is formalized in the logic and is ensured by co de generation Con

servative extensions cannot b e used in the deductive software development pro cess without

normalization

The main dierence to theory interpretation for the restriction step is that theory interpre

tation for quotients is mo dular for normal theories The reason is that it do es not translate

sorts and therefore do es not x a concrete representation Both metho ds are transitive

The only disadvantage of simple theory interpretation is that it is in general not mo dular

but in Chapter it is proved that simple theory interpretations are comp ositional Simple

theory interpretations are an elegant way to intro duce observability into sp ecications

since they ensure satisability without program dep endent pro of obligations

The pro of obligations are interesting asp ects Both metho ds require the pro of of the PER

In contrast to the previous chapter there is no restriction and therefore no invariance is

required The pro of of the congruence prop erty with the observabilityisthe price we pay

in theory interpretations for the p ossibility of co de generation Both metho ds have only

simple renement pro of obligations

For understanding how dierent representations and pattern matching are p ossible consider

Figure It is imp ossible to nd a conservative extension in the sense of HOL whichuses

abstraction and representation functions which allows us to have dierent representations

of the same abstract ob ject xy crep x crep y The conservative extension

presented in Section uses equivalence classes as representations This requires only a

CHAPTER QUOTIENT DOMAINS IN HOLCF

abstract

typ e

free concrete

typ e

Figure Theory interpretation for quotients

congruence on the corresp onding typ e for a unique representation The idea to solving

this problem by theory interpretation is that it eliminates the quotient by weakening the

equality to a congruence which allows us to group together dierent elements by A

simple theory interpretation weakens the axioms such that it is allowed to have dierent

representations for the same abstract value The resulting sp ecication may b e rened by

free data typ es Satisability ensures the correctness of this step

The main reason for prefering the simple theory interpretation rather than conservative

extension is that executabilitymaybeachieved in a completely formal development without

xing a certain target programming language by enco ding it into the logic The best

solution is to use instead of in the requirement sp ecications since it makes the use

of theory interpretations sup eruous and allows us to use the simple mo del inclusion basis

in the deductive software development pro cess

Other Approaches for Behavioural Implementa

tions

Other approaches to b ehavioural implementation in the literature can show that a certain

programming language fulls the sp ecied observability The main dierence to our ap

proach is that we express observability in the logic of data typ es and we do not need an

extra treatment in the semantics The mo dule systems of functional programming lan

guages like ML together with the predicate is Cobs suce to prove the b ehavioural

correctness of implementations

This section gives a short overview over existing approaches to b ehavioural implementation

esp ecially under the asp ect of the formalization of the quotient step with observers More

general overviews are in NipSection or in ONS

OTHER APPROACHES FOR BEHAVIOURAL IMPLEMENTATIONS

There are three classes of approaches which supp ort the verication of the quotient step

The rst is to prove by induction over p ossible contexts that a program based on a data

typ e cannot observe the dierence between dierent representations of the data typ e

The second is to imp ose restrictions on the programming language in use Members of

the last approaches apply formalize the notions of programs or of implementations in the

logic This allows us to use the logical calculus to derive the correctness of the b ehavioural

implementation

Context Induction over Programs

Induction is a well known and p owerful pro of principle In Hen it was applied to reason

over the structure of contexts terms with a hole This allows us to show b ehavioural

prop erties by the so called context induction

In RHx a structured sp ecication language is presented which allows us to sp ecify

observability The language supplies constructs for sp ecifying quotients by identifying all

elements that are b ehaviourally equal could not be distinguished from observers The

pap er presents a calculus for proving b ehavioural rst order prop erties over structured

sp ecications This calculus is well suited for pro ofs over structured sp ecications but for

the pro of of b ehavioural prop erties of basic sp ecications one of the innitary many rules

for context induction has to b e applied

In the examples the authors refer to Hen for the pro ofs of basic b ehavioural prop erties

The pro ofs in this pap er are nested inductions over all contexts No general calculus is

presented but the contexts are formalized by algebraically sp ecifying a simple program

ming language PROG with variables assignment and sequential comp osition almost as

the approaches in Section

Another way for proving b ehavioural prop erties as the correctness of behavioural imple

mentation are the so called b ehavioural theories MBx These theories interpret the

equalityby a b ehavioural equality

In BMPW it was shown that the algebraic implementations for restrictions and quo

tients called enrichforgetidentify implementations preserve the correctness of a

certain class of programs The programming language for these programs allows us to use

variables while lo ops conditional statements and assignments

The pro of of b ehavioural implementations is reduced from all program contexts to the

base case of emptycontexts by showing that the implementations are compatible with the

programs Compatibility is captured by the notion of homomorphism Of course the

induction pro of of this compatibility go es over the structure of the programs contexts

So the main result of BMPW is algebraic implementations preserve correctness since

they are homomorphisms with resp ect to the programs Context induction is done once

for the class of all those programming languages and it is not necessary to use context

induction in the development pro cess

CHAPTER QUOTIENT DOMAINS IN HOLCF

This result can also be seen the other way round If the programming language is com

patible with algebraic implementation then it may be used as correct implementation

language for the sp ecications More approaches restricting the programming languages

are sketched in the following section

Restricting the Programming Language

Scho etts idea in Sch Sch is to dene a strong correspondence relation which allows

us to relate one abstract element to multiple representations and to require this relation

to b e compatible like a homomorphism with all functions of the typ e Behavioural equiv

alence is dened over all terms with visible input and result The distinction between

visible and invisible sorts allows us to hide the implemented sort It was shown that the

corresp ondence relation ensures b ehavioural equivalences of visible terms

In Sch the requirements for b ehavioural correctness are carried over to the target pro

gramming language It needs a go o d mo dule system which ensures that the hidden sort

remains hidden and that it may only b e accessed by the dened and compatible functions

This prop erty is called HEP homomorphic extension prop erty

Indep endently the notion of simulations between the semantics of data typ es was develop ed

in Nip Nip It was shown that these relations can also b e applied for nondeterministic

data typ es

The logical relations in Mit are a generalization from relations to the second order

calculus In Meh they are extended to higher order logic

Enco ding the Programming Language into the Logic

The following approaches formalize the quotient step by enco ding a programming language

into the logic This allows us to apply the used logical calculus to derive the correctness

of b ehavioural implementations All these logical approaches use theory interpretations to

relate dierent theories in the logic

In Wan functions and pro cedures are added to the rst order dynamic logic of Pratt

Pra Having the programming language as part of the logic allows us to show the

correctness of the implementation within the logic Wand denes a theory interpretation

in his logic which allows us to replace by an equivalence relation which is substitutive

for all functions and pro cedures This condition ensures the b ehavioural implementation

A satisability theorem for this theory interpretation is proved

In MVS it was argued that asimilarlogical approach based on conservative extension

and theory interpretation is appropriate for program development since implementations

With weak corresp ondence relation Scho ett ensures b ehavioural inclusion a concept which allows us

to express restrictions and partial implementations

OTHER APPROACHES FOR BEHAVIOURAL IMPLEMENTATIONS

theory interpretations comp ose No programming language is xed and probably there

fore the treatment of substitutivity is omitted

In Gan an imp erative language with variables assignments while lo ops and pro cedures

is used Ganzinger assigns denotational semantics to it by dening an algebra for it

Within this algebra behavioural equivalence may be formulated easily This b ehavioural

equivalence is the basis for mo dular languages

Comparison of the Approaches

Imp osing the b ehavioural correctness of implementations as requirements on the target

programming language as in Section means to delay the correctness pro of until the

target programming language is chosen Furthermore there is no calculus for verifying that

a programming language fulls these requirements We prefer to b e able to show the cor

rectness of an implementation step indep endently from the chosen programming language

and in the same development phase as the implementation Waiting with the correctness

pro of until the programming language is chosen is not the goal of the implementation

The only class of approaches which provide a calculus for behavioural implementation

are those of Section They enco de imp erative programming languages into the

logic However enco ding a programming language into the logic xes the development to

a sp ecic language in a phase where this is not adequate since we want to separate the

implementation of data typ es from the choice of the target programming language For

example the implementation of sets by sequences should b e provable without determinating

whether C or Pascal is used as programming language

In the presented approaches observability is expressed by dening that the context consists

of terms of typ e inout To prove a prop erty for all contexts requires therefore to reason

over all p ossible terms In the case of rst order approaches the set of functions is xed in

the signature but in approaches with higher order logic arbitrary functional terms maybe

formalized by applying higher order functions or by abstraction Therefore innitely

manycontexts exist and we need a more ne grained notion of observability Characterizing

sp ecic functions as observer functions by a higher order predicate is Cobs

bool would solve theses problems and would also integrate smo othly into the higher order

logic Of course the observability dened by typ es may be expressed by requiring that

Cobs f finoutis

A disadvantage of almost all approaches in the literature is that these approaches are

not suited for our logic of the developmentofinteractive systems since except Mit and

Meh they are all dealing with rst order logic and except BMPW and Meh they

have no domains with continuous functions and xed points In Meh the observability

issue is not treated

Observer functions are dened as a subset of the signature in an equational setting in vDtoachieve mo dularization

CHAPTER QUOTIENT DOMAINS IN HOLCF

Comparing our metho d to those from the literature we can conclude that the general

concept for proving the b ehavioural correctness by observability arguments is similar but

there are a lot of technical dierences Many of them come from the fact that we use

higher order logic with domains Therefore we have a more dicult environment and

we manage this with dierent techniques for partial observer functions PERs and higher

order quotients One advantage of the higher order logic is that we can sp ecify observability

together with the ADT on an abstract and program indep endent level

Working with functional languages that have a mo dule system like ML has the advantage

that if we exp ort only functions that full the predicate is Cobs then we will know that our

programs are b ehaviourally correct The correctness of this step bases like the correctness

of our co de generation on the direct corresp ondence between sp ecication and program

For other programming languages the correctness pro of of behavioural implementations

can be carried out with one of the ab ove approaches

The following chapter denes a metho d for the implementation of ADTs including the

restriction step and the quotient step It uses the simple theory interpretation basis

Chapter extends the metho d from the implementation of ADTs in two ways to the

implementation of interactive systems

Chapter

Implementation of ADTs in HOLCF

Why do we implement ADTs in HOLCF

Why do we need HOLCF for ADTs

Why do we use continuous abstraction and representation functions

The answers to these questions in reverse order are Continuous functions are an adequate

mo del of computation We generalize the implementation of ADTs to implementation of

distributed and interactive systems Because we want to compute the abstractions for

example from streams of bits to streams of bytes or from histories to automata and

representations we need continuous functions abstraction and representation functions

Having continuous abstraction and representation functions on ADTs makes the gener

alization easy Using continuous abstraction functions is also useful for simulations and

prototyping HOLCF provides cpo INDdomains and continuous functions and therefore

we need it as foundation for our continuous abstraction and representation functions The

implementation of ADTs is an imp ortant part in software development and it was not

available in HOLCF

In the previous chapters we dened renements in HOLCF which t into the deductive

software development pro cess of interactive systems This chapter combines the metho ds

of Section and Section to a metho d for the implementation of ADTs in HOLCF

Since we use the logic HOLCF we are able to extend our implementation of ADTs to the

implementation of interactive systems in Chapter This results in a collection of concrete

metho ds for the renement of all situations in the developmentofinteractive systems see

Section

The general metho d for the implementation of ADTs has b een studied since Hoa under

very dierent asp ects see ONS for an overview The implementation of ADTs consists

of two imp ortant steps

the restriction step which builds a sub domain and

As mentioned in Section wehavetwotyp es of translations Schematic translations which are an

application of our metho d and individual translations which are an extension of our metho d

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

the quotient step which allows us to identify dierent elements

Our metho d do es not change these classical steps that proved to b e useful in many years

Wemake these concepts more p owerful byintegrating them into the deductivedevelopment

pro cess of interactive systems Since we use the logic HOLCF in this pro cess we use new

techniques for the implementation of ADTs

In the previous chapter we compared two dierent metho ds for the two steps of the im

plementation theory interpretation and mo del inclusion The results of this comparison

of are for the restriction step mo del inclusion with conservative extension is b etter since

it has simpler pro of obligations but for the quotient step simple theory interpretation is

needed since it is imp ossible to nd a conservative extension which implements quotients

in an executable sp ecication Away to omit the simple theory interpretation is to sp ecify

the requirements in a form that admits implementations with multiple representations and

therefore theory interpretations would b e sup eruous see Section However since the

requirement sp ecications are sometimes xed we dene our metho d for the most dicult

case and we show p ossible simplications for easier cases

The metho d is visualized with a KorSodevelopment graph whichalsoshows the required

pro of obligations

Our metho d has several parameters the abstract sort the concrete sort the restriction

predicate the congruence and the corresp onding constants Before the metho d presented

in Section is applied to an example see Section the metho d is prepared for the

develop er in the deductive software development pro cess by explaining how to use it see

Section This includes hints for elegant choices of the parameters

Metho d for the Implementation

This section describ es a metho d for the implementation of ADTs in HOLCF Since our

metho ds are transitive it suces to fo cus on the implementation of one abstract sort

by a concrete representation This implementation may be rep eated to implement more

sorts The metho d consists of a restriction step followed by a quotient step like the

restrictidentify implementations for example in EKMP

First the intuition of the term implementation from the example in the intro duction on

page is formalized by the following denition It denes the implementation of a

requirement sp ecication with an abstract ADT by a design sp ecication containing the

concrete ADT The implementation in general consists of a combination of the restriction

and the quotient step

The extension to mutually recursive sorts as trees and branches is a schematic extension similar to

those presented in Section

METHOD FOR THE IMPLEMENTATION

Denition Implementation of ADTs in HOLCF

a a a a

Let A C on Sel Dis Map be an abstract ADT sp ecied in a theory

a a a a a a c c c c

Th Ax C and let C Con Sel Dis Map be

c c c c c c

a concrete ADT sp ecied in Th Ax C To cut down nota

a a a a

tions we write fc g for the set of all abstract op erations Con Sel Dis

c c

fMap g and fc g for the sets of corresponding operations c T Then the

i i

implementation of A by C consists of

a sort implementation which implements the sort T by the corresp ond

ing sort term T

a constant implementation which implements all higher order constants c

by corresp onding terms c

an admissible restriction predicate p bool which describ es the subset

of the corresp onding values by fx j px x g

a continuous equality tr is the implementation of

See Chapter for the formal denition of and and for a detailed description of

the metho d consider Sections and On innite data typ es without theory

interpretation we use congruences instead of continuous equalities

The metho d p erforms rst a restriction step restrict and then a quotient step identify

as almost all metho ds for the implementation of ADTs It consists of the following steps

c c

Extend Th by an admissible predicate p and by preserving denitions of c The

ext result is in the sp ecication C

Prove the admissibility of p and the invariance of p with resp ect to the c These

pro of obligations are collected in the sp ecication A inv

Intro duce the sub domain and intermediate constants c for every corresp onding

ext into C sd constant c This extends the sp ecication C

is a continuous equality by showing the Prove that the equivalence relation

substitutivity for all op erations c These pro of obligations are collected in the

sp ecication A cong

Except which is treated separately and except Map whichmaybe dened conservatively see

page and therefore it do es not need to b e implemented by the constant implementation

Theoretically it could b e required that this step is included in C but metho dically it b elongs to the

implementation

Theory interpretation requires that has to be instantiated into the class eq For that reason the

Theoretically the instantiation is not required to b e part of class axioms of eq havetobeproved for

the metho d the aritywould suce but metho dically it b elongs to the implementation since it is needed

for the developmenttowards executable sp ecications

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

A by C A

A C sd cong

C ext A inv

is renement of

is based on

Figure Development Graph for the Implementation of ADTs

Intro duce the typ e as free extension from with the domain construct

Add denitions for c based on the abstraction and representation functions for

and on c with the general schemes describ ed in Section The resulting

sp ecication is called A by C

by C where is the simple theory interpreta Prove by theory inclusion A j A

tion dened by the sort implementation

The metho d is depicted in the KorSo development graph in Figure

As in Section the notation for pro of obligations is the combination of an

is refinement of arrow with an is based on arrow Note that b oth pro of obligations

can b e hidden since they are part of the main pro of and the requirement of executability

but for metho dical reasons it is b etter to have them explicitly given see Section

As in Section every is refinement of edge of the graph gives a pro of obligation For

that reason the pro of obligations are

by C prove A by C A in HOLCF A j A

A cong j C sd prove C sd A cong in HOLCF

inv j C ext prove C ext A inv in HOLCF A

All pro of obligations are theory inclusions and can b e discharged with theorem provers as

Isab elle

The metho d is well suited for the deductive software development pro cess see Sections

and for a discussion of the deductive software development bases The only

USING THE METHOD

disadvantage is that the simple theory interpretation requires the concrete typ e to reside

in the class eq This could give diculties in the implementation of arbitrary quotients

However as we saw in Example our class eq is exible enough to allow us to use

quotients of streams Therefore we are able to give metho ds for all development situations

in the deductive development of interactive systems in Chapter

The next section explains how to use the metho d by describing how to x the parameters

of the implementation

Using the Metho d

The description of the metho d in the previous section is dened precisely but it do es not

describ e how to x the parameters in the implementation in an appropriate way This

section provides hints for the application of the implementation of ADTs in the deductive

software development pro cess It explains how to x the parameters of the implementation

They are

the sort implementation

the constant implementation

the restriction predicate p and

the continuous equality

The rst step is to x the desired sort implementation The abstract sort is a sort in the

sp ecication of the abstract ADT The concrete sort is a sort from the concrete ADTs

Arbitrary combinations are p ossible but usually the concrete sort is executable or closer to

a realization than the abstract one In all our examples the sort implementation is xed a

priori The selection of the other parameters is more interesting since they dep end on each

other and of course on the sort implementation The following classication of dierent

realizations b etween the typ es helps to nd the desired parameters

Interface Situations

In order to apply the implementation of ADTs in the development we have to x the

parameters of the implementation metho d by dening the observable equivalence relation

the restriction predicate and the corresp onding constants These parameters dep end on

the relation b etween the typ es of the interfaces of the comp onents There may b e dierent

situations This section gives an overview over dierent interface situations which are

implemented by cho osing the right parameters of the implementation metho d

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

An ADT of an abstract comp onent is implemented by an ADT of a concrete comp onent

The situation dep ends on the typ es in the ADTs of the interfaces of the comp onent The

typ e of the interface of the abstract comp onent is called abstract typ e The typ e of the

concrete interface is called concrete typ e The following relations between the abstract

typ e and the concrete typ e characterize the p ossible situations

isomorphic typ es This situation may also be called renaming An example

for this situation is the implementation of b o oleans by bits

concrete sub domain where This situation o ccurs if not all values of the

concrete typ e are needed to represent abstract values An example for this situation

is the implementation of sets by ordered sequences where the ordered sequences are

a sub domain of sequences

abstract sub domain where This situation o ccurs if not all values of the

abstract typ e are used in a comp onent This allows the implementation of unbounded

data typ es by b ounded ones if the values b eyond the b ound are actual ly not needed

This is called b ounded implementation in Bre or partial implementation in

KA An example for this situation is the implementation of natural numb ers by

bit unsigned integers

concrete quotient where is a quotient of This allows us to have mul

j j

tiple representations for the same abstract value An example for this situation is

the implementation of integers by a redundant typ e integer with two zeros and

for the representation of the abstract value

abstract quotient This allows us to implement dierent abstract elements by

the same concrete one This may b e appropriate if not all information of the abstract

typ e is actual ly relevant This is called indenite representation in Bro An

example for this situation is the implementation of pairs consisting of values and a

timing information by the typ e of values This is only p ossible if the timing infor

mation is not needed for the implementation Time sometimes may be useful in the

sp ecication but not always in programs

Situations that result from a combination of this situations for example a concrete quotient

of a sub domain as in the Section of sets and sequences are not analyzed in detail

since they can be mo delled by two implementations one for the sub domain and one for

the quotient

Note that we fo cus here on the typ e b eing implemented and ignore other typ es of the interface of other

typ es These typ es are not aected in this implementation step

Isomorphic means that there exists functions a and r with arxx and rayy

Subtyp e means that there exists an admissible predicate with fx xg

A b ounded typ e has a nite numb er of elements

See Denition for the denition of a quotient with resp ect to a PER

USING THE METHOD

The intuition of the terms actually not needed and not actually relevant in the situ

ations of abstract sub domain and abstract quotient is that these situations may be func

tionally rened by sp ecications that do not need this irrelevant information This will b e

explained in more detailed with Example on page

Having identied the interface situation it will b e easier to x the other parameters of the

metho d

Parameters of the Metho d

In the developmentofinteractive systems wemay arrive at dierent development situations

see Section Many of these development situations require to implement an abstract

comp onent by a concrete one In the previous section we describ ed dierent interface

situations by regarding the relations between the comp onents interfaces According to

these situations we x the sort implementation and the other implementation parameters

This section provides help to x the parameters of the implementation metho d presented

in Section

Although our metho d p erforms the quotient step with the PER after the restriction step

we suggest to decide rst whether multiple representations should b e allowed or not since

this inuences the choice of the restriction predicate If more representations are desired

the observers which sp ecify the congruence have to be xed This may be done in a

sp ecication style by requiring is Cobs f for any observer f or more constructive by

explicitly dening a continuous equality or a partial equivalence relation The second way

allows to characterize the continuous equality by theorems whereas the rst way is more

abstract and requires these theorems to b e proved later in the development Some examples

for dierent denitions of the PER are in Section If multiple representations are not

desired then the PER is not needed

The other parameters that have to be xed are the restriction predicate and the corre

sp onding constants the abstract constants are at least all constants in the abstract ADT

which use the implemented typ e and which are not conservatively dened If we x the

corresp onding constants rst then the invariance of p determines the restriction predicate

p The restriction predicate has to b e stable invariant under the corresp onding functions

Consider for example the case with one corresp onding constant c Then the stability

invariance of the restriction predicate is sp ecied by

xpx pcx

The Focus metho d for the recursive denition of predicates see page can b e applied

to the denition of the restriction predicate as well

Besides the fact that it might be dicult to prove the admissibility of predicates which

such denitions stable predicates can lead to undesired eects Consider for example the

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

implementation of the twovalued b o oleans by natural numb ers We decide to represent

false by zero and true by one conjunction bymultiplication and disjunction by addition

Now we dene the restriction predicate as greatest stable xed point and p erform our

implementation with a trivial invariance pro of obligation since our predicate is stable

invariant This leads in our case to undesired eects since the result of true or

true corresp onds to the value two In addition we see from several dierentdevelopment

situations for example conservativeintro duction of a typ e with functions on page that

it is a natural choice to dene the restriction predicate and to cho ose the corresp onding

predicates such that they are stable ie they preserve the invariance

c a

The constant implementation is xed by giving corresp onding constants c for all c

i i

c are the constants in the abstract ADT A which have the typ e in their typ es and are

not conservatively intro duced On page we describ ed a metho d that allows us to use

arbitrary corresp onding functions by using a continuous function isR in the denition of

acontinuous abstraction function c abs

c abs x If isRx then abs x else fi

This denes a partial abstraction function With this denition we may intro duce partial

op erations on However for total op erations we have to ensure that isR is always true

for the results of the corresp onding functions This is exactly the invariance requirement

Having xed the restriction predicate the invariance helps to cho ose the corresp onding

constants In the next section we see on an example how eciency of the op erations may

help us to nd the interface situation and how the invariance helps to dene corresp onding

constants

The essence of this section is the choice of the PER and the restriction predicate are very

imp ortant For the sp ecial case of a stable predicate we have no invariance requirements

in the metho d and for some PERs we get reexivity transitivity and symmetry for free In

general for xed restriction predicates the invariance pro of obligations are a helpful to ol

for nding the right corresp onding constants

Example Sets by Sequences

This section uses the metho d of Section as explained in the previous section for the

implementation of sets by sequences

The rst decision to implement sets by sequences is already xed The next parameter is

the continuous equality We decide that sequences with the same elements should represent

the same set This means that Setst samest

The next decision is the restriction Due to the eciency of has we restrict the represen

tations of sets to those sequences without duplicates by dening an op eration which tests

EXAMPLE SETS BY SEQUENCES

by SEQ SET

SET

SEQ sd cong SET

SEQ ext SET inv

SEQ

renement of is

is based on

Figure Development Graph of the Example

whether a sequence contains duplicates Now the corresp onding constants for empty add

and has are chosen The intention is to take eseq cons and isin but cons do es not

preserve no dup d no dupqe dno dupconsxqe and for that reason addxq has

to be implemented by If isinxq then q else consxq fi This denition makes

no dup invariant for the corresp onding constants

Having xed the parameters of the metho d the implementation can be carried out The

metho d supplied with these parameters generates concrete instances of the schemes in

Figure The user of the metho d has to ll the parameters into these schemes For the

example of implementing sets by sequences the generated sp ecications can b e depicted in

the development graph in Figure

The contents with the concrete denitions of the sp ecications are

SEQ EQ

domain a Seq eseq j cons first rest Seq

ops curried strict total

isin eq Seq tr

contains eq Seq Seq tr

same eq Seq Seq tr

axioms

defvars x y eq

s t eq Seq

isin bisinxeseqc

isin isinxconsys xy OR isinxs

contains dcontainseseqse

contains containsconsxst isinxt AND containsst

same samest containsst AND containsts end

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

The extension SEQ ext of SEQ intro duces corresp onding constants for the constants in SET

The denitions are supplied by the user of the metho d

ext Seq SEQ

ops curried strict total

corresponding constants

empty Seq eq Seq

add Seq eq Seq Seq

has Seq eq Seq tr

continuous restriction predicate

no dup eq Seq tr

p eq Seq bool

defs

empty Seq def empty Seq eseq

Seq def has Seq isin has

add Seq def add Seq x qIf isinxq then q else consxq fi

no dup dno dupeseqe

no dup no dupconsxq negisinxq AND no dupq

p def p xd no dupxe

end

The pro of obligations for the sub domain construction are in

SET inv SEQ ext

axioms

defvars x eq

s eq Seq

admissible adm p

empty d no dupempty Seqe inv

inv add d no dupse dno dupadd Seqxse

end

The admissibilityis trivial since the predicate is dened by a continuous restriction pred

icate the op erations are constructed such that they are invariant This allows us to

intro duce the sub domain

sd SEQ ext SEQ

instance Seqeqadm admissible

sd Seq subdom types Seq

ops curried

intermediate operations on the subdomain

EXAMPLE SETS BY SEQUENCES

empty eq Seq sd

eq Seq sd tr has

add eq Seq sd Seq sd

defs introduces with general schemes for abs rep

empty def empty abs sd empty Seq

has def has x shas Seqxrep sd s

add def add x sabs sdadd Seqxrep sd x

end

To derive the applied rules has xs has Seqxrep sd s we need to prove that x

shas Seqxrep sd s is continuous This can b e proved with invcont see page

since the function is preserving

Now we dene the continuous equalityinSEQ sd by

defs

eq tau x y samerep sd xrep sd y

per op x y eqd xye eq

The pro of obligations for continuous equality are the characteristic axioms of the class eq

and the observability for the corresp onding intermediate functions

SET cong SEQ sd

rules

refl def x d xxe eq

eq sym d xyedyxe

eq trans d xyed yzedxze

strict x eq

eq strict x

eq total x y xy

per xy dxye eq

end

SET cong SET cong

instance Seq sdeqeq eq refl defeq symeq trans

eq stricteq stricteq totaleq per

rules

obs is Cobs has

obs is Cobs add

The use of the axiomatic typ e classes requires to split SET cong into two parts since for

Cobs is the sp ecication of the observability we have to instantiate the PER b efore is

available

CHAPTER IMPLEMENTATION OF ADTS IN HOLCF

SET by SEQ SEQ sd

sd domain FSet FabsFrep Seq

ops curried strict total

abstract constants

empty eq FSet

add eq FSet FSet

has eq FSet tr

defs schematic definitions

empty def empty Fabsempty Seq

def has x shas xFreps has

add def add x sFabsadd xFreps

end

SET contains the main pro of obligation of the implementation of sets by sequences It

results from the application from to SET

SET EQ

types FSet

arities FSet eqeq

ops curried strict total

empty eq FSet

add eq FSet FSet

has eq FSet tr

generated finite FSet by empty j add

axioms

defvars x y s in

has bhas x emptyc

has dx yedhas x add y se

has bx ychas x add y s hasxs

quot addx addx oo addx

quot addx oo addy addy oo addx

end

Since the implementing sp ecication SET by SEQ is executable it can b e translated directly

into the corresp onding Gofer program The main renement pro of which proves all axioms

of the sp ecication SET is similar to the pro of in Slo

In this chapter we presented an approach for the classical implementation of ADT with

a restriction and a quotient step Our approach uses HOLCF as sp ecication logic and

since we sp ecify interactive systems in HOLCF we are able to apply the metho ds for the

implementation of ADT to the implementation of distributed systems in the next chapter

Chapter

Implementation of Interactive

Systems in FOCUS

This chapter contains concrete metho ds for the implementation of interactive systems in

Focus Focus is an approach to the sp ecication and development of distributive and

interactive systems It contains general metho ds for the implementation of interactive sys

tems We sp ecialize these metho ds by describing a lot of concrete metho ds for concrete

situations in the development pro cess Furthermore we give to ol supp ort for the imple

mentation of interactive systems in HOLCF by showing how to prove the resulting pro of

obligations with the Isab elle pro of system

A central idea of the implementation of interactive systems using the concept of streams

Kah BDD is to dene abstraction and representation functions on streams see

Bro and to require that they are inverse as done in the conservative intro duction of

typ es see Example on page Having continuous abstraction and representation

functions allows us to mo del the computation b etween dierent abstraction levels Having

executable abstraction and representation functions allows us to simulate our interactive

systems on a high abstraction level This is esp ecially useful for prototyping

Our metho ds extend the implementation of ADTs to interactive systems in two dierent

ways

schematic implementations and

individual implementations

Furthermore there are direct applications of the implementation of ADTs to the imple

mentation of statebased interactive systems

absrepaa and pcrepabscc

CHAPTER IMPLEMENTATIONS IN FOCUS

Schematic implementations schematically dene abs and rep on streams such that the

implementation of ADTs is applied to every single message of channels of interactive sys

tems Abstraction and representation functions of schematic implementations are inverse

by construction If the ADT is implemented with continuous and executable functions

schematic implementations will also b e continuous and executable

Individual implementations are more exible They allow us to dene arbitrary abstraction

and representation functions between the typ es However individual implementations

require to pro of the inverse theorems explicitly We provide metho ds that supp ort these

pro ofs

This chapter is structured as follows Section intro duces basic concepts of the Focus

approach to the sp ecication of interactive systems The following Section contains

direct applications of the implementation of ADTs to interactive systems and esp ecially

examples for the intro duction and elimination of states in the sp ecication Section

denes metho ds for the schematic implementation situations We show comp ositionality

of theory interpretation and deriveanelegant comp ositionality result for downward simu

lation development Section presents concrete metho ds and examples for individual

implementations

Focus Notations

This section presents Focus an approach for the sp ecication of distributed and interac

tive systems and intro duces notations for the presentation of our metho ds in Sections

and

There are many dierentways to sp ecify distributed and interactive systems LT Lam

BDD BS Mil LT CM UK Bac Gur A go o d overview can be found

in BMSa where dierent metho ds are applied to one sp ecication example including

a comparison BMSb In some approaches concrete metho ds and to ol supp ort are not

considered to be imp ortant since the approaches concentrate on the sp ecication of sys

tems Other approaches are op erational and do not need to be implemented Gur but

they do not give us the p ossibilityto describ e distributed systems in an abstract prop erty

oriented style We decided to use Focus because it includes denotational semantics for

abstract requirement sp ecications and concepts for the renement from abstract to con

crete sp ecications Since these concepts are very general we dene sp ecic metho ds for

dierent situations in the development of interactive systems see Section

In Focus BDD Bro SS interactive systems consist of comp onents interacting

over channels with other comp onents and their environment All channels names and

typ es of a comp onent are called its interface Focus provides formal description tech

niques to describ e interactive systems on dierent levels of abstraction Furthermore

We will use these terms synonymously

FOCUS NOTATIONS

Focus supp orts the formal developmentofinteractive systems and allows us to prove the

correctness of a concrete system with resp ect to an abstract sp ecication In contrast to

many other formal description techniques Focus allows us to functionally describ e recur

sive comp onents or systems with feedback channels In Focus they get semantics by a

xed p oint op erator which denotes the least xed p oint of a recursivecontinuous function

HOLCF is an appropriate logic for Focus since it supp orts continuous functions and xed

point construction by the use of domains with cpo structures

A main asp ect in Focus is comp ositionality Comp ositionality ensures that if the com

ponents of a system are develop ed correctly and the comp onents are comp osed correctly

then the comp osed system will b e a correct development of the original system This allows

us to develop the comp onents indep endently and for that reason it is the basis for a correct

development of large systems with many comp onents

Focus provides techniques for the sp ecication and the development of interactive dis

tributed systems It uses stream pro cessing functions to sp ecify systems and comp onents

This section rep eats denitions for stream pro cessing functions and forms of comp osition

and denes a notation for preserving stream pro cessing functions

Stream Pro cessing Functions

Stream pro cessing functions mo del interactive systems and comp onents by describing their

behaviour with streams of input and output values First we dene streams

Denition Stream

A stream is a in general innite sequence of messages sp ecied in HOLCF by

Stream HOLCF

domain stream ft lazy rt stream

end

Streams are partially ordered by the prex ordering and are members of the class

pcpo provided the messages are of the class pcpo

Every stream corresp onds to the history of a communication channel of the system The

domain stream is p olymorphic This means that for every message typ e of class pcpo

stream denotes a channel for messages of typ e This denition with the domain

construct denes the selectors ft and rt and implicitly it also denes the discriminator

is Therefore streams are ADTs

CHAPTER IMPLEMENTATIONS IN FOCUS

in out

m m

n n

Figure Stream Pro cessing Function

With streams we dene the notion of stream pro cessing functions by

Denition Stream Processing Function

Let stream stream and stream stream b e streams then every

n m

continuous function f of typ e stream stream stream stream

n m

is a stream processing function We abbreviate this typ e of stream pro cessing func

n m

tions by writing f

i j

For the sp ecication of stream pro cessing functions f we use predicates

n m

F bool We write Ff to denote that a function f fulls its sp ecication

i j

We can represent stream pro cessing functions graphically by system diagrams Further

more these diagrams allow us to assign names to the communication channels The system

diagram in Figure shows the signature and the channel names of the functions sp ecied

by F Note that for the analysis of renements we do not need the names of the channels

in and out and therefore will only write the typ es to the channels

i j

In the sp ecication of F the op erations available on the input and output typ es and

may be used ADTs provide these op erations in a well structured way together with

induction rules to prove prop erties Therefore the op erations on and should be

i j

sp ecied with ADTs

Without restricting the generality of our metho d but to simplify the following sp ecica

tions we fo cus on stream pro cessing functions with one input and one output channel

Denition Preserving Stream Processing Function

A stream pro cessing function f sp ecied in F with Ff is called

preserving with resp ect to a predicate bool if

x x fx

With F we sp ecify preserving functions which full F

FOCUS NOTATIONS

Ff Ff x x fx

If is clear from the context we simply call the function f preserving

The predicate is invariant for preserving functions Wechose this application notation

on sp ecications since invariance in general is a predicate dep ending on the typ e of the

functions and the restriction predicate see Denition For example the invariance

of bool with resp ect to a function g of typ e isx gx Invariance is

needed in the restriction step of the implementation see Chapter and will b e the basis

for improving the comp ositionality result see Theorem

Forms of Comp osition

A distributed system is comp osed by its comp onents Our forms of comp osition are se

quential parallel and feedback comp osition Kah BDD

Denition Sequential Composition

The sequential comp osition of two stream pro cessing functions f and

g is dened by

fgx gfx

The notation is lifted to sp ecications by

FGh f g Ff Gg h fg

Denition Paral lel Composition

The parallel comp osition of two stream pro cessing functions f and g

is dened by

fjjgxy fxgy

The notation is lifted to sp ecications by

FjjGh f g Ff Gg h fjjg

The feedback comp osition allows a comp onent to read its own output Semantically this

is mo delled by axed point construction

CHAPTER IMPLEMENTATIONS IN FOCUS

Denition Feedback Composition

The feedback comp osition of a stream pro cessing function f is dened

fx fix yfxy

The notation is lifted to sp ecications by

Fh f Ff hf

The feedback comp osition uses the xed p oint op erator of HOLCF In order to have an

op erational meaning it is required that fix denotes the least xed point HOLCF allows

us to use the weaker order v on INDdomains which b elong to class pcpo fix denotes the

least xed p oint with resp ect to v So feedback comp osition of distributed systems is the

main reason for using cpo structured domains and continuous functions in the sp ecication

of interactive systems

In the development of large systems it is imp ortant that the renement relation allows

us to develop the systems in separate parts We intro duced the notion of a deductive

software development basis and dened mo dularity for the renement relation j in

Section A mo dular renement relation allows us to develop the system in arbitrary

parts As we have seen in Section the theory interpretation in our metho d for the

implementation is not mo dular This is due to the very general denition of parts in the

Denition of mo dularity

Now we dene comp ositionality A comp ositional renement relation j supp orts a

separate development of sp ecic parts of the system The denition uses the comp onents

of the system as parts So comp ositionalityallows us to structure the development of the

system in the same way as the system is structured into comp onents

Denition Compositionality

Let L M j j be a deductive software development basis Then j is

b b

compositional with resp ect to jj and if for sp ecications P P P P P

and P the following holds

b b b

P j P for i implies P P j P P

i i

b b b

P j P for i implies P jjP j P jjP

i i

b b

P j P implies P jP

Comp ositionality is a useful weakening of the strong requirement of mo dularity Every

mo dular renement relation is comp ositional

With these notations from Focus wewillnow dene concrete metho ds for every situation

in the development of interactive systems from Section

REFINEMENTS FOR INTERACTIVE SYSTEMS

Renements for Interactive Systems

We have two renement techniques for interactive systems The well known functional

renement and the implementation of ADTs By combining these techniques we dene

renements for dierent development situations Our metho ds for the implementation

of interactive systems show how to use these renements Since our metho ds use the

implementation of ADTs we call our metho ds implementation methods for interactive

systems

In the developmentofinteractive systems there are the following dierent situations which

have already been intro duced in Section

behavioural development

communication channel development

restricted communication channel development

interface simulation

structural development

state development

state elimination and

dialog development

In the next sections we dene concrete renements whichallowustoprove the correctness

of these development steps These development situations are similar to those in Bro

Some situations allow schematic and individual translations marked with a In this

section we present metho ds for the other situations marked with a Schematic im

plementations are treated in Section individual translations are describ ed in Section

Behavioural Renement

Behavioural renement is avery general technique for the development of interactive sys

tems Many other metho ds are based on behavioural renement

The idea of b ehavioural renement is to rene a comp onentby another one which is more

concrete and satises the sp ecication of the more abstract one The concrete function

b ehaves likethe abstract one

CHAPTER IMPLEMENTATIONS IN FOCUS

Denition Behavioural Renement

Let LM j j b e a mo del inclusion basis Then a stream pro cessing function

c sp ecied by C with Ccisabehavioural renement of a stream pro cessing

function a sp ecied in A with Aa if

A j C by deriving A C in HOLCF

Since b ehavioural renement is based on functional renement in the mo del inclusion

basis we will sometimes call it functional renement

The metho d for behavioural development only consists of one step

Prove A j C by deriving C A in HOLCF

Since many other renements are reduced to behavioural renement and since there are

many examples for theses renements we do not give an example for behavioural rene

ment here

Structural Renement

Structural renement allows us to dene the structure of a black box sp ecication by

dening its architecture The architecture of a system is a network of comp onents or

systems In networks it is allowed to connect comp onents with channels and to comp ose

comp onents with the comp osition op erators jj and

To dene structural renement formally we would need a formal denition of networks

ANDL the AgentNetwork Description Language SS of Focus can b e used to describ e

arbitrary networks ANDL has a semantic translation into HOLCF and a syntax to

describ e systems such that we can use the resulting networks in our sp ecications It is

not our task to rep eat the denition of ANDL here It is enough to dene a notation for

arbitrary networks sp ecied in ANDL We write andlABZ to denote an arbitrary

network of the comp onents ABZ

With this we can simply dene structural renement by

Denition Structural Renement

Let L M j j be a mo del inclusion basis Then the network

andlABZ sp ecied in ANDL with ANDLandlABZ is a

structural renement of a stream pro cessing function f sp ecied in F with

Ff if

b b

F j F where F extends ANDL by the equation f andlABZ

REFINEMENTS FOR INTERACTIVE SYSTEMS

Note that structural development is only p ossible if the interfaces are identical How

ever ANDL allows us to embed comp onents into comp onents with a larger interface by

describing the emb edding as a network

The metho d for structural renement consists of emb edding and behavioural renement

Extend the concrete sp ecication F by the equation dening the network into the

sp ecication F

b b

Prove F j F by deriving F F in HOLCF

Since the development step is a simple b ehavioural renement we do not give an example

here

Behavioural renement and structural renement can be treated with a simple mo del

inclusion basis see Denition They are functional renements The following im

plementation techniques use the implementation of ADTs and require a deductive software

development basis which allows us to express the implementation of ADT as a renement

for example the simple theory interpretation basis of page

State Renement

This section intro duces statebased sp ecications of interactive systems and shows how

they can be develop ed with the metho d for the implementation of ADTs

In the developmentofinteractive systems states are a comfortable way to describ e systems

The concept is to characterize stream pro cessing functions with an initial state and describ e

the b ehaviour for every state together with the next state

Now we dene a simple notion of statebased sp ecications in Focus See Spi BS for

a more general treatment of states in Focus

Denition Statebased Specication

Let f be a stream pro cessing function Let T be an ADT containing the

sp ecication of states of typ e Then a statebased sp ecication F of f with

consists of

an initial state init and

equations of the form fs x xsF ft xs where

i i i

s are dierent states in

xs is a stream of messages

F are outputs of the function f for a single message x and i

CHAPTER IMPLEMENTATIONS IN FOCUS

t are the successor states in

The semantics of such a sp ecication is the set of all functions f that start with init

and continue as describ ed with the statebased sp ecication We write f

to denote that f is sp ecied with states of typ e and we write Ff to denote that f

fulls a statebased sp ecication F

An example for such a statebased sp ecication is on page This simple sp ecication

of statebased functions may easily be generalized to functions pro cessing more than one

message in one equation

State renement will b e necessary if an additional state is required in the sp ecication or

in the more dicult case if one state has to b e eliminated from the set of all states

In the developmentofinteractive systems the situation state developmentischaracterized

by a change of the typ e in the statebased sp ecication And we dene a renement

relation on statebased sp ecications

Denition State Renement

Let L M j j be a deductive software development basis supp orting the

implementation of ADTs and let A and C b e state based sp ecications of the stream

pro cessing function c speciedby C with Cc and a spec

ied in A with Aa Then the stream pro cessing function with Cc are state rene

mentof the functions Aa if

A j C

In this denition we use the fact that we dened a deductive software basis that allows

the implementation of ADTs see Denition Of course statebased sp ecications

may also be rened by functional renement if neither the state space nor the interface

is changed

For a state development we have two metho ds one for the removement of a state and

another for the intro duction of a new state Note that these metho ds only change the states

in the sp ecication of distributed systems The elimination of states from the sp ecication

of distributed systems is treaded in Section

The metho d for the removement of states from an abstract sp ecication S with state space

and a statebased function f is

Remove the state transitions from the requirement sp ecication by dening a sp eci

cation S that behaviourally renes the abstract sp ecication

Prove S j S for the stateless function

REFINEMENTS FOR INTERACTIVE SYSTEMS

Add the denition of a PER on which is true for all used states into the

sp ecication S

Prove instance per j S or instance eq j S that is symmetric

and transitive

Add the denition of the new state space with types quot to S

intro duce the states as equivalence classes of all used states from and

i i

dene a new state based function f on as a lifting from the old statebased

function f The result is within the sp ecication S

Then all axioms of S with instead of instead of and f instead of f

i i

automatically hold in S

S is the desired sp ecication with the reduced statespace The development continues

with the development of S

This metho d can also b e applied to a bisimulation equivalence see Mil b etween state

based sp ecications which base on completely dierent states The bisimulation equiva

lence of the states will help to structure the pro of in step If wehave a stream pro cessing

function f with a statebased sp ecication and another statebased sp ecica

tion then we will need abstraction and representation functions abs and

rep with absrepx x and repabsy y for all reachable states x and

y to relate the equivalent states

In the following example we show the simple case where is a sub domain of Therefore

the bisimulation pro of will b e very easy since abs and rep are the identity on the states

To illustrate statebased sp ecications and state renementwe lo ok again at Example

on page

Example Removing a State from a Buer

Our sp ecication bases on the following ADT Tcontaining the sp ecication of states

T Dnat

domain TState Tempty j strange j Tstatednat

end

The state strange is used to mo del the eect when an empty buer gets a request

The following sp ecications use the ADT Message from page

TBUF Stream Messages T

ops curried

Buffer message stream answer stream

CHAPTER IMPLEMENTATIONS IN FOCUS

TBuffer TState message stream answer stream

rules

Buffer def Buffer TBufferempty init empty

TBuffer TBufferTemptydatans storedTBufferTstatens

TBuffer TBufferTemptyreqserrorTBufferstranges

TBuffer TBufferTstatenreqsvaluenTBufferTemptys

TBuffer TBufferTstatendatam s errorTBufferTstatens

TBuffer TBufferstrangedatamsstoredTBufferTstatems

TBuffer TBufferstrangereqserrorTBufferstranges

end

Because the state strange is redundant in our sp ecication we want to eliminate it

from our sp ecication The rst step is to remove the translations from and into

the state strange Therefore we sp ecify TBuffer without it and we have to show

that this sp ecication is a b ehavioural renement of the previous one

TBUF Stream Messages T

ops curried

Buffer message stream answer stream

TBuffer TState message stream answer stream

Buffer def Buffer TBufferempty

TBuffer TBufferTemptydatans storedTBufferTstatens

TBuffer TBufferTemptyreqserrorTBufferTemptys

TBuffer TBufferTstatenreqsvaluenTBufferTemptys

TBuffer TBufferTstatendatam s errorTBufferTstatens

This sp ecication is under sp ecied for the state strange It b ehaviourally renes

the function Buffer from TBUF

To remove the sup eruous state strange from the typ e TState formally the next

step is to change the typ e of TBuffer from TState to State This is achieved by

dening a quotient on TState with empty strange since empty and strange are

bisimulation equivalent since they pro duce the same output

The following sp ecication renes SBUF from page functionally and uses the lifting

metho ds

SBUF TBUF QUOT

defs

TState per def op x yTState

Temptyx and is Temptyy or dis

is strangex and is strangey or

TStatex and is TStatey or is

is Temptyx and is strangey or

REFINEMENTS FOR INTERACTIVE SYSTEMS

is strangex and is Temptyye

rules the following proof obligations are derivable

TState sym xTState y y x

trans xTState y y z x z TState

now instantiate TState into the class per

instance TStateper TState symTState trans

now quotients are available

types State TState quot

consts

empty State

state dnat State

Buffer message stream answer stream

SBuffer State message stream answer stream

defs lift the operations

empty def empty Tempty strange

state def state nTStaten

def SBuffer sTBufferany in s SBuffer

end

This sp ecication is a conservative extension of TBUF Therefore it renes it trivially

We can continue our development with an implementation of SBUF as describ ed in

Example b ecause the ab ove sp ecication SBUF is equivalent to the sp ecication

SBUF from the Example

This example showed how quotients can b e used in the development of statebased sp eci

cations by removing a state from the state space The fact that the resulting sp ecication

is not executable is not imp ortant since we are able to eliminate the states from our

sp ecication see next section or the example on page

If we want to add a state to a requirement sp ecication we use the subdom construct

to dene the states of the requirement sp ecication on the basis of our implementing

sp ecication which has more states

The metho d adds a state to the state space of statebased sp ecication S The new state

space is named

Dene with the domain construct like and add the new states to the domain

construct to the sp ecication S

Add a denition of the predicate adm pred into a sp ecication S on the new typ e

such that it is true for all values that corresp ond to the values from the old

state space If p ossible use continuous functions for the denition of the predicate

For simplicitywe assume that has b een dened with the domain construct

CHAPTER IMPLEMENTATIONS IN FOCUS

Prove the admissibility j adm adm pred bool j S If continuous

functions are used this step will b e trivial

Extend S to S by types subdom constructor and dene a constant in

sd for every of the old typ e the new sub domain by abs

i i i

S j S holds automatically Continue the development with S

If we use only continuous functions in the denition of the admissible predicate we have

no further pro of obligations Using the discriminators from the domain construct ensures

this

Consider the following example

Example Adding a State to the Buer

To mo del the eect that our buer in a the state strange gets another request

we can add a more strange state ms to the sp ecication of state in the previous

example and givethe following more strange sp ecication of the buer

T Dnat

domain TState Tempty j strange j ms j Tstatednat

end

TBUF Stream Messages T

consts

TBuffer TState message stream answer stream

rules

rules TBuffer TBuffer like the rules in TBUF

TBuffer TBufferstrangereqs errorTBuffermss

TBuffer TBuffermsdatamsstoredTBufferTstatems

TBuffer TBuffermsreqserrorTBuffermss

This sp ecication T is now extended with the sub domain constructor to a sp eci

cation T which functionally renes T

T T SUBD

defs restriction predicate

St adm adm pred sd is Temptys or is stranges or is Tstatese

rules

this rule is easily derivable

obligation adm adm predTState bool proof

now instantiate State into adm

instance TStateadm proof obligation

REFINEMENTS FOR INTERACTIVE SYSTEMS

now subdom is available on TState

now introduce TState as subdomain

types TState TState subdom

now introduce operations

consts

Tempty TState

Tstate dnat TState

defs

Tempty abs sdTempty

sdTstaten Tstate nabs

This sp ecication functionally renes T Now we construct a sp ecication TBUF

identical to TBUF except that it uses T instead of T

TBUF Stream Message T

rest is identical to TBUF

Since T functionally renes T and because all sp ecications in the example are

conservative extensions we conclude by mo dularity of functional renement that

TBUF is a renementofTBUFWe could continue the development with implementing

TBUF

These examples show how the implementation of ADTs is applied to the implementation

of statebased interactive systems

State Elimination

For the translation from statebased into purely functional sp ecications the elimination of

states is an imp ortant step The metho d for the elimination of states from the sp ecication

S of a statebased stream pro cessing function f b is

Extend S with a PER on stream into the sp ecication S

Prove instance streamper j S

Dene the histories by types stream quot

Dene the states as equivalence classes of histories

Dene a realization of the statebased stream pro cessing function stream in terms of

histories into the sp ecication S

Prove S j S

CHAPTER IMPLEMENTATIONS IN FOCUS

Eliminate the quotient using a theory interpretation if desired

This metho d is presented in Section together with the example from page

Usually the elimination of states will rst reduce the states byremoving some elements of

the state space Then the states will b e eliminated completely

Schematic Implementations

In the previous section we dened some metho ds for the development of interactive sys

tems The metho ds supp ort behavioural development structural development and the

development of statebased systems Another imp ortant group of development situations

deals with the development of systems sp ecied at dierent levels of abstraction Many

steps of communication proto cols are go o d examples for sp ecications with dierent levels

of abstraction for example the realization of a stringbased communication proto col by

serial communication channels

The following development situations from Section are examples for dierent abstrac

tion levels

communication channel development

restricted communication channel development

interface simulation and

dialog development

Focus provides general techniques for the implementation of interactive systems at dier

ent levels of abstraction Bro Bro The key idea is as in the metho d for conservative

extension to use abstraction and representation functions between the two levels The

main requirement is to prove that these functions exists and that they are inverse at

least for a subset of the concrete values For an sp ecication of an abstract system or

comp onent which uses the typ e and a sp ecication of a concrete realization of the sys

tem which uses the typ e the abstraction and representation functions have the following

typ es

Another waywould b e to sp ecify the states with instead of This would allow us to omit the last

step and in step it would suce to dene types stream

This scheme also ts to the implementation of ADTs without theory interpretation

SCHEMATIC IMPLEMENTATIONS

ABS REP

consts

abs abstraction function

rep representation function

cor bool restriction predicate

rules

abs rep absrepa a

rep abs cor c repabsc c

cor rep cor repa

end

To allowmultiple representations we could use instead of in these equations Weuse

for readability and apply a simple theory interpretation if we want to allow multiple

representations

In Focus often only the rst equation is required for exampleincommunication history

renement However having the second equation ensures us that the extension from the

concrete theory to the abstract theory is conservative The axiom cor rep states that the

representation of the abstract values are corresp onding elements

Our task in the implementation of interactive systems at dierent levels of sp ecication

is to dene abstraction and representation functions together with a restriction predicate

Since we use Focus distributed systems with dierent levels of abstraction are sp ecied

with streams of messages We classify the implementations into two groups according to

the form of the functions abs and rep Schematic implementations are schematic liftings

from abstraction and representation functions used in the implementation of ADTs to

Sabs and Srep on the streams

Therefore schematic implementations use schematic abstraction and representation func

REP contains the implementation of the ADT over then the tions Assuming that ABS

schematic liftings which are again an instance of our general lifting metho ds in Section

have the following form

SCHEMATIC ABS REP Stream

consts

Sabs stream stream abstraction function

Srep stream stream representation function

Scor stream bool restriction predicate

defs

Sabs def Sabs fix Sabs sabsfts Sabsrts

def Srep fix Srep srepfts Sreprts Srep

Scor def Scor wfp c scorfts crts

See Section for a denition of the greatest xed point for predicates Provided

that we have abstraction and representation functions for ADTs the existence of these

CHAPTER IMPLEMENTATIONS IN FOCUS

schematic functions is ensured since they are conservatively dened by conservative ex

tensions The advantage of these schematic denitions is that we can derive the following

theorems schematically

Srep SabsSrepa a Sabs

Srep Sabs Scor c SrepSabsc c

Scor Srep Scor Srep

Therefore the schematic implementations are well suited for the implementation of inter

active systems

Individual implementations are arbitrary denitions of Sabs and Srep in particular it

is allowed to relate one message of an abstract stream to many messages of the concrete

stream For example this allows us to implement a stream of bytes by a stream of bits

with a sequential transmission of the bits see page

This section describ es schematic implementations for dierentdevelopment situations We

have a comp osition result for downward simulation development in Section which

improves the comp osition of downward simulation from Focus Individual implementa

tions are describ ed in Section

The concrete metho ds for schematic implementations are of the following form

Implement the ADTofthe messages

Lift the implementation to streams as describ ed in SCHEMATIC

We now dene concrete metho ds for implementations of interactive systems

Communication Channel Development

Communication channel development is the most simple form of relating parts of systems

sp ecied at dierent levels of abstraction Communication channel development is the

basis for other implementation metho ds

Denition Communication Channel Development

An isomorphic pair of streams stream and stream is called communication

channel developmentif

there exists inverse abstraction and representation functions with

SCHEMATIC IMPLEMENTATIONS

consts

abs stream stream abstraction function

rep stream stream representation function

rules

abs rep absrepa a

rep abs repabsc c

In the schematic case the typ es and have to be isomorphic Consider the example of

implementing a stream of characters by a stream of bytes

Example Streams of Characters

This example uses a typ e byte of the sp ecication BYTEThenwe can dene the typ e

of characters with the domain construct by

CHAR BYTE

domain Char bccbbyte

end

This denes the ADT Char isomorphic to byte Instantiating the general scheme of

schematic implementations from page generates us the communication channel

development functions

COM CHN SCH Stream CHAR

consts

abs byte stream char stream abstraction function

rep char stream byte stream representation function

defs

abs def abs fix sabs sbcfts sabsrts

def rep fix srep scbfts sreprts rep

end

The pro of that these functions are a communication development can be obtained

from the general pro of of schematic implementations since bccbc c and

cbbcb b are valid in CHAR

Restricted Communication Channel Development

Restricted communication channel development is a generalization from communication

channel development

CHAPTER IMPLEMENTATIONS IN FOCUS

Denition Restricted Communication Channel Development

A pair of streams stream and stream is called restrictedcommunication channel

developmentif

there exist abstraction and representation functions and a restriction predicate

with

consts

abs stream stream abstraction function

rep stream stream representation function

cor stream bool restriction predicate

rules

rep absrepa a abs

rep abs cor c repabsc c

cor rep cor repa

We write COR AR I to denote the axiom rep abs and CORR for cor rep

In the schematic case has to b e a sub domain of Consider the example of implementing

a stream of bytes by a stream of natural numb ers

Example Streams of Bytes

This example denes the typ e byte in the sp ecication BYTE It uses the subdom

constructor and extends the natural numb ers

BYTE Dnat

defs restriction predicate

Dnat adm def adm pred nd n e

rules

this rule is easily derivable

proof obligation adm adm preddnat bool

now instantiate dnat into adm

instance dnatadm proof obligation

now subdom is available on dnat

now introduce Byte as subdomain

types byte dnat subdom

consts continuous abstraction representation function

cabs dnat byte

crep byte byte

defs

def cabs nIf n then abs sd n else fi cabs

def crep nrep sd n rep sd is continuous cabs end

SCHEMATIC IMPLEMENTATIONS

This denes the ADT byte as sub domain of dnat and a continuous abstraction

function since it is needed in the xed p oint for the schematic liftings Instantiating

the general scheme of schematic implementations from page generates us the

restricted communication channel development functions

RCOM CHN SCH Stream BYTES

consts

abs dnat stream byte stream abstraction function

rep byte stream dnat stream representation function

cor byte stream bool restriction predicate

defs

abs def abs fix sabs scabsfts sabsrts

def rep fix srep screpfts sreprts rep

cor def cor wfp c nd ftn e crts

end

The pro of that these functions are a restricted communication development can be

obtained directly from the general pro of of schematic implementations

The communication channel development situations are quite simple since they are only

dealing with channels The following situations describ e the implementations of situations

in which also comp onents occur

Interface Simulation

This section presents a central renement technique for the implementation of interactive

systems In Bro these situations are called interaction renements

Denition Interface Simulations

Let L M j j be a deductive software development basis supp orting the

implementation of ADTs Let stream and stream be a restricted communica

tion channel development with functions abs and rep with Aabs and Rrep Let

furthermore b e p a stream pro cessing function sp ecied in P with Pp and

b b

p a stream pro cessing function sp ecied in P with P p then the restricted

communication channel development is called

U simulation if P j RPA

U simulation if P j APR

Downward simulation if PR j RP

Upward simulation if AP j PA

CHAPTER IMPLEMENTATIONS IN FOCUS

U Simulation

USimulation

P P

R A A R

b b

P P

Downward Simulation Upward Simulation

P P

R R A

Figure Simulations for Interface Interaction Renement

Note that this denition includes the axioms RA I COR ARIandCORR from the

restricted communication channel development see Denition for the precise axioms

This denition intro duces dierent forms of simulations They are depicted in Figure

To emphasize the metho dical dierence b etween abstraction and representation functions

and the comp onents describing the behaviour of the system at the abstract and concrete

level we used dashed lines for the comp onents relating the dierent abstraction levels and

solid lines for the other comp onents

We use U simulation and downward simulation in our metho ds for the implementation

since we do not nd examples in the deductivesoftware developmentforupward simulation

and U simulation For that reason we will analyze their comp ositionality more detailed

U simulation constructs a comp onent with conservative extension based one the concrete

comp onent which renes the abstract one by mo del inclusion Therefore U simulation is

mo dular and trivially comp ositional

The imp ortant dierence between downward simulation and U simulation is that U simu

lation constructs a comp onent with the same interface as the abstract one while downward

simulation do es not For the pro cess of software development this means that every com

ponentmaybedevelop ed byaUsimulation indep endent of the comp onents environment

Since downward simulation changes the interface it can only be applied if b oth comp o

Even in BFG there is no such example

SCHEMATIC IMPLEMENTATIONS

abstract

system

RjjR R concrete

system

IjjA RP

A R

Figure General Comp ositionality for the Feedback Op erator

nents communicating over a channel of the abstract typ e are implemented in the same way

see the dialog development situation in Section Downward simulation cannot be

p erformed if a comp onent has achannel of the abstract typ e to the environment This is

clear since only the system is develop ed but not its environment For the implementation

of such comp onents U simulations are needed

Since downward simulation is no conservative extension and no mo del inclusion its com

p ositionality requires an extra treatment In Bro the following comp ositionality results

are proved for downward simulations

b b b b

P R j R P and P R j R P imply P P R j R P P

b b b b

P R j R P and P R j R P imply P jjP RjjR j RjjR P jjP and

b b

PR j RjjRP implies PR j RIjjA RP

The rst two theorems state that downward simulation is comp ositional with resp ect

to and jj The third rule is weaker since it requires to use the complex system

b b

R IjjAR P instead of RP to implement P R The graphical representation in Fig

ure shows the idea of that construction The feedback op erator ranges over the parallel

comp osition of the identity whichonlyis in the formula b ecause of typ e correctness and

the sequential comp osition of A and R which has no immediate motivation but is required

CHAPTER IMPLEMENTATIONS IN FOCUS

abstract

system

RjjR R

concrete

system

Figure Improved Comp ositionality for the Feedback Op erator

for proving comp ositionality Informally sp eaking this is the way in which the concrete

comp onent ensures that its input values are representations of abstract values However

since these input values are fed back from the comp onent itself it is easier to require the

comp onent to b e preserving and to reason without the overhead of A R

This general but complex comp osition rule may b e simplied using the implementation of

ADTs in HOLCF as describ ed in Chapter With this concrete metho d we will b e able to

improvethe general comp ositionalityofthe feedback op erator for downward simulation

and prove the following rule see Theorem

b b

PR j RjjRP implies PR j RP

This improved result is shown in Figure The b enet of this solution is that wehavethe

optimal comp ositionality of the renement relation In the general case comp ositionality

was enforced by including AR into the feedbacklooptohave a comp ositional comp osition

of comp onents So the development from P to P will be mo dular only if the system uses

P comp osed with AR Our solution with invariance will not need this comp osition with

AR in the feedback channel but it needs the existence of a function abs with Aabs to

ensure the correctness of this step However our prop osed metho ds for the implementation

of interactive systems dene functions for A and R for every implementation For the

schematic denitions we get the rules directly from the corresp onding rules for ADTs in

HOLCF and for the individual case we provide metho ds to prove these rules

Nowwe analyze the interface situations see Section more detailed and then wegive

metho ds and examples for every interface situation We fo cus on U simulation and Down

SCHEMATIC IMPLEMENTATIONS

ward simulation since wedonotnd examples in the deductive software development for

upward simulation and U simulation All examples assume A and R to b e sp ecications

of schematically lifted functions

Implementation of Comp onents with Isomorphic Typ es

The implementation of comp onents with interfaces of isomorphic typ es is easy and the

parameters of the metho d for the implementation of ADTs of the previous chapters are

trivial neither a restriction step nor a quotient step is needed For this sp ecial case of

the implementation of ADTs the domain construct may be used see Section It

conservatively intro duces continuous abstraction and representation functions which are

by construction consistent Therefore it ensures that the following facts hold

AR I

RA I

As an example we take the implementation of the b o olean values by bits allowing to

implement comp onents which base on b o oleans by comp onents based on bits

Example Implementation of Boolean by Bits

The abstract data typ e sp ecication of BOOL is

BOOL HOLCF

domain B T j F

ops curried strict total

and B B B cinfixl

rules

and T and x x

and F and x F

end

The sp ecication of the concrete data typ e BIT is

BIT HOLCF

domain Bit L j H

ops curried strict total

hw and Bit Bit Bit cinfixl

rules

hw H hw and b b

and b L hw L hw

end

Even in BFG there is no such example

CHAPTER IMPLEMENTATIONS IN FOCUS

For both kinds of implementations the concrete sp ecication is extended by the

domain construct

by BIT BIT BOOL

domain B abs rep Bit

ops curried strict total

T B

F B

and B B B cinfixl

defs

T def T absH

F def F absL

and def a and b absrepa hw and repb

end

The sp ecication BOOL by BIT constructs the abstract functions and constants with

the construction schemes of Denitions and which are generalizations of

RPA for arbitrary typ es

The dierences between downward simulation and U simulation are pro of obligations

comp ositionality pro of and co de generation

Since the domain construct ensures consistency of A and R the only remaining pro of obli

gation for the correctness of the implementation of comp onents for isomorphic typ es with

U simulation is

P j RPA

In the example this would be BOOL j BOOL by BIT U simulation is a metho d for con

structing an implementation which b ehaviourally renes the abstract sp ecication There

fore comp ositionality of U simulation follows from the comp ositionality of functional re

nement

Since the domain construct ensures consistency of A and R the only remaining pro of obli

gation for the correctness of the implementation of comp onents for isomorphic typ es with

downward simulation is

PR j RP

and repy repx and y j fBOOL In the example this would b e repx hw

BIT repg

SCHEMATIC IMPLEMENTATIONS

The interesting case in the comp ositionality of downward simulation is comp ositionality

with resp ect to the feedback op erator Since AR I the optimal comp osition rule holds

b b

PR j RjjRP implies PR j RP

The pro of is in Bro

Co de generation for U simulation generates the program out of the extended sp ecication

by BIT It uses the datatype construct of functional programming in the example BOOL

languages for the translation of the domain construct The representation function is

dened by pattern matching by

fun rep abs x x

The translation of the other functions and constants from the extended sp ecication is

only syntactic and that is why it is omitted here

Co de generation for downward simulation only uses the concrete sp ecication in the ex

ample BIT Therefore it generates neither a new data typ e nor the simulation of the

abstract functions and constants Downward simulation requires the consistent abstrac

tion and representation functions of the extended sp ecication only for correctness and

comp ositionality

The only interesting remark ab out co de generation for downward simulation is that it

changes the interface of the implemented comp onent For typ e correctness of the system

it is necessary that the comp onents communicating with the implemented comp onent are

implemented in the same way

For the development pro cess this means If two comp onents communicating over a channel

are implemented in the same way it will be allowed to use downward simulation For

example if two comp onents are communicating over a channel of typ e set this channel

may only be replaced by a channel of ordered sequences if b oth comp onents use the sets

implemented by ordered sequences If one comp onent uses for example hash tables then

the channel has to remain of typ e set and the only p ossible implementation is U simulation

Only the system and not the environment is develop ed in the development pro cess

Therefore comp onents communicating with the environment have to be develop ed by U

simulation See Section for a waytodevelop comp onents together with parts of their

environment Such developments are dialog developments and are treated in Section

Implementation of Comp onents with Concrete Sub domains

For the implementation of interactive comp onents with an interface of concrete sub domains

we cannot directly use the domain construct We use the implementation of ADTs of the

CHAPTER IMPLEMENTATIONS IN FOCUS

previous chapters and only need a restriction step See Section for a detailed description

how to x the restriction predicate and the corresp onding constants The restriction step

of the implementation of ADTs in HOLCF conservatively intro duces a new typ e whichis

isomorphic to a concrete sub domain see Section

For U simulation the only remaining pro of obligations are

RPA j P

b b

P P is preserving see Denition

The invariance pro of obligation P do es not app ear in Bro Bro but it is implicitly

used in P j RPA The advantages of an explicit treatmentof invariance are

a stronger comp ositionalityresult Theorem

the continuity of the abstract functions which are schematically intro duced by con

servative extension in the restriction step follows automatically see Section for

details and

invariance is a metho dical help for nding the corresp onding functions and the re

striction predicate see Section

For downward simulation the remaining pro of obligations are

PR j RP

Comp ositionalityofdownward simulation with resp ect to sequential and parallel comp osi

tion is proved in Bro For comp ositionality with resp ect to the feedback we derive the

following theorem

Theorem Compositionality of Downward Simulation

Let A and R be a communication history renement with AR I and R

Let further P and P b e the sp ecications of two stream pro cessing functions with the

invariance P then the following comp ositionality for downward simulation holds

b b

P R j RjjR P implies P R j R P

If P contains a total op eration for example a selector then wehavetoshow that the abstraction is

dened This can only b e veried if the invariance holds

SCHEMATIC IMPLEMENTATIONS

The general comp osition rule is shown in Figure on page whereas the improved

comp ositionality rule is depicted in Figure on page

Pro of

The pro of uses the general comp osition rule proved in Bro and improves it There it

has been shown that

b b

PR j RjjRP implies PR j RIjjA RP

This may be simplied since R ensures that the op erator gets the values x of the

sub domain with x The invariance P ensures that it only pro duces output values

of the concrete typ e P x Now the rst rule of the conservative extension of the

sub domain may be applied and reduces AR to I Elimination of the identity I gives the

result

This result holds also in the general case of individual implementations since it only

uses the requirements from the communication history renement AR I and R

However in the general case these premises cannot b e proved schematically

The generated co de for U simulation of this implementation also uses the datatype con

struct but since not all values should be reachable the generated co de hides the real

constructor abs and only exp orts the implemented functions of the abstract data typ e

see Section for details Co de generation for U simulation bases on the extended

sp ecication

The generated co de for downward simulation of this implementation uses only the concrete

representations As shown in Section downward simulation may only b e applied if

b oth comp onents using the same channel are implemented in the same way

Implementation of Comp onents with Abstract Sub domains

The task of schematically implementing an interactive comp onent with an interface of an

abstract typ e by a comp onent with an interface of a concrete typ e which is isomorphic

to a sub domain of the abstract typ e is generally imp ossible This is indep endent from

the development of interactive comp onents and their interfaces The typ es are the only

reason for that for example consider the typ e of natural numb ers N which cannot be

implemented schematically by a b ounded typ e That is one motivation for the individual

implementation which allows such implementations

If not all values of the abstract typ e are used it is p ossible to implement it schemati

cally Another p ossibility are individual implementations since they allow us to use many

concrete messages for the representation of one abstract element see Section The

implementation uses a partial emb edding from the abstract sp ecication into the concrete

The functions in the abstract sp ecication have to be invariant otherwise the renement

CHAPTER IMPLEMENTATIONS IN FOCUS

would be imp ossible since the emb edding function is partial Consider the following

example which only fo cuses on the typ es of the comp onents interfaces

Example Implementation of an Abstract Subdomain

The abstract sp ecication describ es a mo dulo counter

MODCNT N

ops cnt N N

rules

count cnt n If n then else n fi

end

The denition of the cnt function ensures that cnt is only sp ecied on the abstract

sub domain fn gof N

Let BYTE be a sp ecication of bytes with a function inc to increment bytes by one

an order and a maximal value FF Then the implementation is

BYTECNT BYTE

domain N absrepByte

ops cnt N N

rules

def absFF

partial n cnt n absincrepn

end

Since incFF is undened the emb edding has to b e partial It is obvious that cnt of

BYTECNT renes cnt of MODCNT behaviourally

In the example MODCNT would have b een called nite in Bre and could b e implemented

without additional b ounds restricting its implementations

The situation of abstract sub domains is reduced by b ehavioural renementinto another im

plementation situation Therefore comp ositionality and co de generation are not analyzed

here

A similar example is treated in Fuc

The pro of go es by induction over the sub domain

SCHEMATIC IMPLEMENTATIONS

Implementation of Comp onents with Concrete Quotients

The implementation of comp onents with concrete quotients bases on the implementation

of ADTs in the previous chapter The restriction step is not needed but an observable

equivalence relation has to b e supplied See Section for details how to nd this relation

The situation of concrete quotients handles the case of multiple representations for one ab

stract element There are values x and y with x y and absx absy Since

repabsx x holds for abstraction and representation functions it follows that abstrac

tion and representation functions for this situation cannot exist Therefore no U simulation

can b e dened for this step Small mo dications however would lead us to a sp ecication

which is implementable by a U simulation These mo dications are the result of a simple

theory interpretation see Denition It replaces the equality on the abstract typ e

by an observable equivalence and requires the typ e to be in the class eq see Section

This replacement has to b e carried out in all sp ecications of the system but since

it has no additional pro of obligation see Section for its correctness this do es not

matter

There is only one problem with this replacement it cannot b e applied to arbitrary sp eci

cations but only to normalizeable ones see Denition Therefore wehave to prove

comp ositionality for this implementation by simple theory interpretation

Theorem Compositionality of Simple Theory Interpretation

Let be a simple theory interpretation as dened in Denition then is

comp ositional

Pro of

b b b

We have to show that for sp ecications P P P P P and P the following holds

b b b b

P j P and P j P imply P P j P P

b b b b

P j P and P j P imply P jjP j P jjP and

b b

P j P implies P jP

Since P P P P if P P is normalizeable it remains to show that P P

is normalizeable This follows from the fact that P and P are normalizeable P will be

normalizeable if P do es not contain axiomatized p olymorphic predicates Since do es

not intro duce such predicates normalizeabilityholds for P P The other rules and

hold b ecause of the same argumentation

Since this step only prepares an implementation by adding an observable equivalence co de

generation only has to instantiate this equivalence into the class eq see Section for

details Another p ossibility for concrete quotients is the elimination of states It allows us

to weaken the requirement of executability since it implements nonexecutable quotients

by executable constructs see example on page

CHAPTER IMPLEMENTATIONS IN FOCUS

Implementation of Comp onents with Abstract Quotients

For the implementation of comp onents with interfaces of abstract quotients the metho d of

behavioural renement is used As in Section abstract quotients cannot be imple

mented in general but only in a context which do es not actually need all informations of

the abstract typ e This reduces the implementation of comp onents with abstract quotients

to behavioural renement Therefore neither comp ositionality nor co de generation have

to b e analyzed here

An example for an abstract quotient is the implementation of a timed sp ecication pairs of

values and time by a sp ecication without time information The PER on the timed sp eci

cation would b e the pro jection on the values Of course correctness would require to show

that the implementation ensures the timing conditions of the requirement sp ecication

Dialog Development

Some renements require knowledge ab out the environment of a comp onent If we know

the environment of a comp onent for example b ecause the comp onent is a part of a sp ecic

system then we may implement the comp onent with additional restrictions which are

ensured by the sp ecic system

Dialog development is a situation where at least two comp onents communicating over

at least one channel are develop ed together This can only be done if the abstract

system and the concrete system are sp ecied by glass b ox sp ecications Therefore dialog

development is a sp ecial form of b ehavioural renement between glass box sp ecications

For example if two comp onents are only sending zero and one over a channel of typ e

nat then we can implementthis dialog The implementation involves an interface imple

mentation of b oth comp onents The channel can now be schematically implemented by a

b o olean channel since the implementation of the channel may use the knowledge from the

environment the dialog that only zero and one are sent

The situation is depicted in Figure It shows howaUsimulation of the system can lead

to an downward simulation b etween some comp onents depicted with the dotted lines A

sp ecial case is that and In this case we do not need explicit abstraction and

representation functions One such example is in Section

Dialog development is a metho dical combination of other development steps we can apply

the same renement relation as for structural development in Section

INDIVIDUAL IMPLEMENTATIONS

Abstract system

Concrete system

Figure Dialog Development with U and downward Simulations

Individual Implementations

The previous section provided metho ds for the elimination of states and for a lot of

schematic implementations between dierent levels of abstraction For every schematic

development situation we can also give individual implementations The only additional

pro of obligation is invertability with the axioms for abs and rep see page

This section presents an example for an individual implementation of a restricted commu

nication channel development Wecho ose the implementation of a channel with byte bya

channel with bits The idea is that the bits are sequentially transmitted over the channel

In addition to the used sp ecications we present the metho d for the pro ofs This makes

individual implementations easier to handle

Example Implementation of a Byte Stream

This example shows the implementation of a byte stream by a bit stream The used

metho d is a restricted communication channel development The restriction is a

concrete subtyp e realized with the subdom construct The basic sp ecication are the

sp ecication of bits and bytes are in Section on page

CHAPTER IMPLEMENTATIONS IN FOCUS

Since we do not use arbitrary bit streams as representations but only those of a

length divideable by eight We use the additional lifting to make the comp onent

reusable Now we dene the concrete subtyp e as sub domain of streams

BITS FStream BIT

domain BitS absBitSrepBitSbit stream

consts

is evenS bit stream bool

defs

is even def is evenS wfp xx rt x E rt x

Bits adm def adm pred nis evenSrepBitSn

end

With rt x we abbreviate the times iteration of rt on the stream x Before we

can build the sub domain we have to derive the admissibility of the predicate By

now this requires to use a theorem for the admissibility for wfp on at streams

see SM Ohe for the to ol supp ort for Focus Because of this theorem we

used FStream the theory of at streams in our sp ecication BITS The pro of of

admissibility requires to show that the functional used in the denition of is evenS

has the following prop erties

monoP

contP

stream monoP

See Ohe for a denition of these predicates For our case study the only in

teresting asp ect is that these pro ofs ensure together with the atness of Bit the

admissibilityof the predicate dened as greatest xed pointwith wfp The admissi

pred is proved as the theorem adm is even Then we can instantiate bility of adm

BitS into the class adm and dene the sub domain of even bits stream

BITS BITS SUBD

instance BitSadm adm is even

types BitSd BitS subdom

end

Now we are ready to dene the abstraction and representation functions We use

likethe schemes on page the xed point constructor of HOLCF

We could also use quotients on bits streams to handle the case of nonrepresenting bit streams

INDIVIDUAL IMPLEMENTATIONS

The following sp ecication is an executable sp ecication of a translation between

streams of bytes and streams of bits

BYTES Byte BITS

consts

absBB BitSd Byte stream

repBB Byte stream BitSd

defs

absBB def absBB fix absx

sd x mkByftrepBitSrep

ftrtrepBitSrep sd x

sd x ftrt repBitSrep

ftrt repBitSrep sd x

repBitSrep ftrt sd x

ftrt repBitSrep sd x

absabs sdabsBitSrt repBitSrep sd x

repBB def repBB yabs sdabsBitS

fix rep xbftx

bftx bftx

bftx reprt xy

end

This lo oks more dicult than it is since we have two dierent abstraction and

representation functions for the emb edding and for the sub domain The abstraction

makes a stream of bytes by taking the rst eight elements in a stream The next byte

will be computed from the rest of the byte stream The representation is dual It

takes abyte and concatenates all bits at the top of the representation from the rest

The rst theorems to prove are the unfolding theorems for absBB and repBB From

these we can easily derive the pattern matching rules

UU absBB absBB

unfold a b is evenS s absBB

sdabsBitSabs absBBabs

mkByab absBBabs sdabsBitSs

UU repBB repBB

repBB cons repBBbs abs sdabsBitS

bb bb repBitSrep sdrepBBs

With this lemmata we can derive the main theorems for the implementation of byte

streams by bit streams

CHAPTER IMPLEMENTATIONS IN FOCUS

abs rep BB absBBrepBBx x

abs BB repBBabsBBx x rep

The rst theorem could be derived by induction on streams However induction on

stream requires to show the admissibility of the predicate In our case this was easy

A more elegant way is to use the lemma from streams to prove the equality of two

streams

streamtake lemma nstream take nx stream take nx xx

This allows us to reduce the pro of to an induction pro of over the length of the stream

The second theorem rep abs BB is a theorem over all representing elements in the

sub domain Therefore we used the rule from SUBD see App endix A

all sd scor sd s P abs sd s P x

This allowed us to reduce the theorem to a theorem over stream which we proved

with help of the lemma streamtake lemma

The result of the example is that individual translation can be carried out with the pro of

system since to ol supp ort for all steps is available The pro ofs are not complex even if we

used the emb edding into BitS

Summary for the Implementation of Interactive

Systems

The metho ds for the implementation of ADTs in HOLCF can b e applied to the implemen

tation of interactive systems in Focus The results are concrete metho ds which supp ort

the deductive development pro cess of interactive systems

These concrete metho ds provide several b enets for the development pro cess of interactive

systems compared with the more abstract metho ds of Focus

Pro of Obligations Consistency of A and R is ensured by construction invariance is

treated explicitly For schematic implementations we get the axioms AR I COR

ARI and CORR from the corresp onding axioms in the implementation of

ADTs without further pro ofs

Comp ositionality Invariance improves the comp ositionality result for downward simu

lation in the feedback case The notation of simple theory interpretation weakens the

sp ecication but ensures the existence of a mo del of the original sp ecication and

allows multiple representations Simple theory interpretations are comp ositional

SUMMARY FOR THE IMPLEMENTATION OF INTERACTIVE SYSTEMS

Classication The metho ds for the implementation of ADTs characterizes dierent situ

ations in the developmentofinteractive systems The classication includes a relation

between the typ es of messages

Metho ds For every situation a concrete metho d is given Downward and U simulation

are integrated into the development pro cess of interactive systems by characterizing

its applicability

Statebases Sp ecications We have dened concrete metho ds for rening statebased

sp ecications of stream pro cessing functions They allowustoremove states to add

states and to show bisimulation equivalence b etween states Furthermore it has b een

shown how states can be eliminated from the sp ecications

Executability Since we have a metho d for the implementation of nonexecutable quo

tients for states we can implement ADT of states with the quot constructor Simple

theory interpretation or a slightchange in the sp ecication style is the foundation of

this step Executability of the abstraction and representation functions are the basis

for simulation and prototyping It is shown how to generate functional programs

from the implementations

Tool Supp ort The implementation of ADTs in HOLCF is realized with typ e constructors

in the Isab elle system Therefore the presented metho ds have to ols supp ort in the

logic HOLCF

Therefore our results are applicable metho ds for the implementation of interactive systems

in HOLCF We will apply them to the implementation of some critical asp ects of a WWW

server in the next chapter

Chapter

Case Studies of a WWW Server

This chapter contains an extended case study with further applications of the implementa

tion of ADTs in HOLCF First a library of ADTs in HOLCF is dened with the standard

data typ es The standard library show how our metho ds are applied and it is a basis for

case studies The denitions of the standard library use the subdom and quot constructors

The second part presents case studies on the implementation of a WWW server In Section

the structure of the case studies is given and the critical asp ects are identied The

following sections describ e the implementation of the critical asp ects Section contains

an implementation of the data base of a WWW server and Section fo cuses on a correct

transmission of strings

The Library of ADTs

This section contains the library of ADTs in HOLCF We dened this library with the

most frequently used ADTs b ecause the library is useful in many case studies and b ecause

it shows howourtyp e constructors subdom and quot are applied In contrast to free data

typ es intro duced with the domain construct the denition of sub domains and quotients

involves a numb er of small steps Having a standard library allows us to reuse these ADTs

A standard library is very useful for sp ecifying large systems

An adequate data mo delling is an imp ortant basis for the implementation of interactive

systems For example the ARIANE failure rep ort Lioidenties one cause in the chain

of errors which caused the disaster

The internal SRI software exception was caused during execution of a data conversion

from bit oating point to bit signed integer value The oating point number which

was converted had a value greater than what could berepresented by a bit signed integer

This resulted in an Operand Error The data conversion instructions in Ada code were

THE LIBRARY OF ADTS

Byte String Rat

Fin Dlist Char Pos

Bit Dnat

Figure Structure of the Library

Char

Figure Structure of Char

not protected from causing an Operand Error although other conversions of comparable

variables in the same place in the code were protected

Sub domains can mo del nite data typ es as they are realized within computer systems

Thus sub domains allow us to detect prop erties like overow errors in calculations We

can avoid these errors with preserving functions and wecanprovethatsuch errors cannot

o ccur We dene the typ e of bit unsigned integers as part of our library

The library is a conservative extension of HOLCF The structure of the library is depicted

in the development graph in Figure Conservative extensions require to extend HOLCF

step by step Therefore every b ox in the development consists of several small sp ecications

which directly base on each other For example Figure shows the structure of Char

The library can b e used as basis for further extensions Two kinds of extensions are p ossible

Signed integers could also b e intro duced but are omitted since the metho ds are the same

CHAPTER CASE STUDIES OF A WWW SERVER

One is to mo del further data typ es and further functions for example oating p oints The

other extension is to provide b etter pro of supp ort for the data typ es In this work and

in the library we derived numerous theorems for the intro duction and renement of data

typ es however for the ecient evaluation of expressions for example we

would need even more tactics

Recently in HOLCF a lifting constructor lift has b een develop ed It has the arity

lifttermpcpo This means that the constructor lifts arbitrary typ es from HOL to

HOLCF domains The resulting domains have at structures The advantage of this lift

ing is that no admissible predicate is required to construct the domains however for the

construction of nonat domains it cannot be applied Since the development of inter

active systems uses a lot of nonat sub domains see for example the domain of innite

streams on page we need our subdom constructor in the development of distributed

systems Intro ducing the domain of natural numb ers dnat with the lift constructor would

allowus to lift the theorems from nat in HOL to dnat schematically To show how our

constructors are working we use them in this library

There are many metho dical asp ects in the examples concerning the use of the following

HOLCF constructs

axiomatic typ e classes

conservative extensions

continuous functions

xed p oint denitions

domain construct

subdom construct and

quot construct

Since we presented the metho ds for the implementation in Chapter and since it is not

our goal to present all these metho ds in detail in this thesis we just show how they are

working on examples and leave the collection of all HOLCF metho ds as a future work in

Chapter

As the library contains the basic ADTs it uses the class EQ and the domain construct to

dene the at data typ es The exible class eq is used in the case study to sp ecify data

typ es which should b e implemented in terms of streams

The following sections describ e the sp ecications of the library App endix A contains

the full sp ecications with the derived prop erties

Reproving all arithmetic rules for and on dnat to ok ab out one hour in the development of this

library

THE LIBRARY OF ADTS

Natural Numb ers

Natural numbers are needed in almost every case study Since they can be easily dened

with the domain construct they are not integrated into HOLCF However redening the

basic functions for every case study is not desired Furthermore natural numbers are an

imp ortant basis for the library of ADTs since many data typ es base on them

The ADT of natural numb ers is intro duced with the domain construct by

domain dnat dzero j dsucc dpred dnat

The natural numbers are intro duced by two steps since they are instantiated into the

class EQ The rst step is to dene the general equality on the typ e dnat by the

denition of the equality on natural numb ers To derive the characteristic axioms of this

equality we expand the xed point from the denition and derive the axioms in the form

of pattern matching For exampleddzero dzeroe Having these rules we can provethe

characteristic axioms and instantiate the typ e dnat into the axiomatic typ e class EQ see

page for axiomatic typ e classes page for the class eq and App endix A for the

complete theories and the theorems derived for natural numb ers Since we prefer to use

instead of we derive the equality rules with by simply expanding the denition of

on the class eq see page

With the example of natural numb ers we showtwo dierent sp ecication styles The xed

point denitions of recursive functions and the denition with pattern matching without

explicit use of the xed p oint op erator The equality and the function are dened

with xed p oints the other functions like add and mult are dened with pattern matching

Both styles have their advantages Dening a function by xed p oints is a logical denition

and wemay use the dening equality of Isab elle Using in the denition causes Isab elle

to check whether the denitions are conservative for example no free variable mayoccur

on the right side of a denition equation however the xed point denitions require to

derive the pattern matching rules since these rules are very helpful in theorem proving

with the simplier

Dening a function with patterns see Section requires to ensure that the patterns

do not overlap and like in the denition that no free variables occur These restrictions

are not checked by the Isab elle system in its current version however these checks are

decidable and for example the co de generator for Spectrum in HR Hotchecks these

conditions Sometimes it is useful just to write axioms to sp ecify functions abstractly

however using this sp ecication style wehavetobevery careful that the sp ecications are

not inconsistent One example for such an abstract sp ecication is the function divwhich

is only required to full the axiom

div n dzero divn mult mn m

CHAPTER CASE STUDIES OF A WWW SERVER

We need this function only once and therefore we do not give an algorithm for its denition

but we know that there is a function div which satises this axiom and therefore the

sp ecication is consistent

Since natural numbers are frequently used in sp ecications we intro duce some syntactical

abbreviations for these numb ers for example for twenty The syntax of these

abbreviations is explained in Paub

For the denitions of the following sp ecications we also use the techniques presented

on the sp ecication of natural numb ers However we fo cus more on other sp ecication

metho ds

Lists

Lists are also an imp ortant sp ecication element They are dened p olymorphically with

the domain construct by

domain dlist dnil j dhd dtl dlist cinfixr

The annotation cinfixr denotes that is a continuous inx op erator with asso

ciates to the right with priority All functions on dlist are dened with xed p oint

constructions Witnesses for the instantiation of dlist into the typ e classes eq and EQ are

proved provided that the elements of the lists are of these classes

Bytes

Bytes are included in the standard library for two reasons One is that they are used

in many case studies esp ecially in the implementations of communicating systems see

Example The other reason is that they are used to demonstrate how larger domains

can be intro duced without the domain construct Bytes base on bits which are sp ecied

with the domain construct by

domain Bit L j H

Since and are natural numb ers in HOL wedecidedtouseL and H for the representation

of bits in HOLCF

As was mentioned on page the domain construct is a conservative denition of data

typ es This means that it derives all axioms of the data typ e as describ ed in Section

For example the distinctness of bits L H However if we use the domain construct for

larger data typ es it derives so many axioms that it takes very long to wait for the result

For example the following domain of bytes could not be intro duced within acceptable

time with the domain construct

THE LIBRARY OF ADTS

domain Byte mkBybBitbBitb B it b Bit

bBitbBitbB it b Bit

The subdom constructor provides an elegant way to characterize such data typ es With

the subdom constructor we can mo del bytes as list of bits of length eight This mo delling

can be easily extended to words of or bits

Using the subdom constructor in a mo dular way requires to intro duce emb eddings see

Section We use the following emb edding for bytes

Byte Dlist Bit bit bytes with embedding

types BitL Bit dlist

domain BBabsBrepBitL

defs

Badm pred def adm predB bool id dlenBrepi e

defines equality and PER on B

B eq def op x yBrepx Brepy

B per def op x yBd xye

end

Because the equalityon bit dlist is lifted schematically to the typ e B the pro ofs that this

is an equality are trivial With the equality rules for the subdom constructor see App endix

A we get the equality of bytes automatically With the equality on bytes we can

easily deduce the distinctness if needed For example if we need distinctness between

two dierent bytes we deduce it at the state in the pro of where we need it This is more

ecient than to derive all axioms for the data typ e

We use the additional typ e denition BitL since the domain construct in its current

version requires basic typ es on the selector p ositions

Strings

Strings are an imp ortant part for mo delling communication on a higher level of abstraction

Strings are mo delled by lists of characters Therefore wehavetointro duce characters rst

In principle we could use the domain construct for the denition of characters however as

explained in the previous section we dene characters as abstraction from a sub domain of

natural numbers We use the following embedding

domain CCabsCrepdnat

defs

pred def adm pred cd Crepc e Cadm

Another alternative currently under discussion is to lib erate the domain construct from proving these

schematically rules ever and ever again

CHAPTER CASE STUDIES OF A WWW SERVER

Since the restriction predicate is based on continuous functions its admissibility pro of is

trivial

For the denitions of the functions on the sub domain we have two p ossibilities One is

to dene them according to the metho dical lifting schemata in Section and to prove

the invariance for their continuity This style is supp orted with the lifting constructs for

sub domains see Section The other form for the intro duction of continuous functions

is to dene a continuous abstraction function However this bases on the fact that the

admissible predicate which characterizes the sub domain is monotone We have to derive

theorems like

mono Cadm pred x yxv yadm pred Cabsxadm pred Cabsy

Since the used domains are at we can derive the continuity simply from monotonicity

Monotonicityisalso easy to prove on at domains

Like for natural numbers we intro duce syntactic abbreviations for characters based on a

continuous abstraction function natchr This function allows us to dene an enco ding

from natural numb ers characters We used ASCI I enco ding Consider for example the

denition A natchr Based on the sp ecication of characters strings can

be easily dened as list of characters see App endix A

Finite Numbers

Finite numb ers are the rst real sub domain which is needed in the developmentofinter

active systems An adequate mo delling of nite numb ers is necessary to detect overow

errors We dene p ositive numb ers to be the natural numb ers less or equal than

This allows us to use bit words as representations Finite numb ers use the following

emb edding

domain FFabsFrepdnat

defs

pred def adm pred id Frepi sub e Fadm

In the theory Fin see page we dene a continuous abstraction function natfin

However this function is not total since the natural numb ers greater than are

represented by The following denition of a nonpreserving function denes an addition

Fadd on nite numbers by

Fadd def Fadd n mnatfinfinnatn add finnatm

It cannot b e dened with the domain construct

THE LIBRARY OF ADTS

This function is continuous but not total The reason for this undesired eect is that add

is not preserving However with this function we can detect overow errors byproving for

dened values x and y that Faddxy is not dened Toavoid overow errors we advo cate

the use of preserving functions see Section for a further discussion of invariance

Rational Numbers

Wecho ose fractional representations to intro duce rational numb ers Positive rational num

bers are pairs of natural numb ers numerator and denominator The denominator must

not b e zero and two fractions are equivalent if they denote the same rational numb er for

Since we restrict the denominator to nonzero numb ers we have to build example

the sub domain of p ositive numbers This is a usual sub domain and it is dened in the

theory Pos see App endix A The more interesting asp ect is the quotient construc

tion which identies the fractions representing the same rational numbers We obtain the

following sp ecication

domain R Rabsnumdnatdenpos

defs

R eq def op x ynumx mult posnatdeny n

n numy mult posnatdenx

R per def op x yRd xye

In contrast to the previous emb eddings this is not a canonical emb edding It uses a more

c a

a dc b Proving the complex denition of the equality between fractionals

b d

characteristic axioms for this equalitywasnotasschematically as proving the characteristic

axioms for canonical emb eddings Esp ecially the transitivity rule for requires to prove

some arithmetical theorems for dnat After the instantiation into the class eq we can

dene the quotient construction and the fractional representations by

types Rat R quot

ops curried

dnat dnat Rat cinfixl

defs

fract def op x yRabsxnatposy

We also derived some rules to compute this equality see App endix A Since the

domains are at it suces to prove monotonicity to ensure continuity For monotonicityof

class see App endix A the fractional representations we used the theorem monofun

Future case studies will dene additional ADTs and functions and will derive further

useful theorems which can b e integrated into this library However the presentation of the

CHAPTER CASE STUDIES OF A WWW SERVER

WWW

Request

Cmds

Browser WWWServer

Views

Page

User HTTP

Figure Structure of the System

standard library demonstrated some HOLCF metho ds and it showed how to use the typ e

constructors subdom and quot for the intro duction of new data typ es The sp ecications

of the critical asp ects of the WWW server in the following sections base on this library of

ADTs for HOLCF

Structure and Critical Asp ects of the WWW

We decided to use implementations of a WWW server a case study b ecause the WWW

is quite well known and b ecause it is of increasing imp ortance since the numb er of WWW

servers doubles approximately every year Pax Since the WWW is well known we

do not have to explain terms like URL HTTP or htmlpage see for example Tan A

WWW server has many functions and requirements It is not our goal to implement a com

plete WWW server but we concentrate on some of the critical asp ects of the requirement

sp ecications

According to the KorSys pro cess mo del SM for the verication of critical asp ects

in large systems we cho ose some critical asp ects of the system and formalize only the

relevant parts This formalization is the basis for the verication of the critical asp ects of

the system The advantage is that we do not have to formalize the complete system but

only those parts which are relevant for the critical prop erties

This section presents the structure of the WWW system and some critical asp ects which

have to b e ensured by the implementation of the system The following sections showhow

the renement relations in HOLCF and the implementation metho ds can b e used to verify

the critical asp ects of the WWW server

The structure of the WWW server is depicted in the structure diagram in Figure

It shows how a user can interact with the WWW The user enters commands into the

browser which transmits requests to a WWW server We do not mo del the internet with

more than one users and more than one servers since this it no relevant for our case study

STRUCTURE AND CRITICAL ASPECTS OF THE WWW

WWWServer with Proxy

Request

Proxy WWWServer

Page

Figure Cache in the WWW

The browser oers two features to the user to surf to a certain address in the WWW ie

to ask for a html page with a certain URL and to create html pages and to put them into

the net at a certain URL

A further renement in the WWW are proxy servers Proxy servers are the caches in the

WWW Proxy servers can be intro duced by structural development of the WWW server

A WWW server with a proxy server is a distributed system depicted in Figure

Proxy servers are very imp ortant in the WWW However since a WWW server with

proxy has the same interface as a WWW server without proxy it is a simple structural

development step Thus this step can be proved with b ehavioural renement for which

many case studies have already b een carried through BFG Since a proxy is like

a cache in a sequential system the verication of the correctness of the proxy is like a

sequential correctness pro of of a cache Therefore we do not fo cus on this implementation

step and concentrate on more dicult critical asp ects of the WWW which show how the

implementation of ADTs can b e used to verify critical asp ects of a WWW system

One critical asp ect is that the WWW server do es not lose stored pages To verify this

prop erty we formalize the server We use a statebased sp ecication with a data base

state From this sp ecication it can be easily derived that the pages are not lost in the

WWW server The implementation of this server has to ensure this prop erty Since the

used renement relation is mo dular we have only to show that the implementation of the

statebased sp ecication is correct This is done in Section

Another critical asp ect of the WWW is the transmission of messages This asp ect is closely

related with the dierent abstraction levels in the sp ecication of proto cols Since all URLs

requests and html pages are enco ded into strings we fo cus on a correct transmission of

strings In Section we implement the string transmission on the basis of a packet

transmission which is realized in internet proto cols see Tan

CHAPTER CASE STUDIES OF A WWW SERVER

Database of a WWW Server

This section formalizes the functions and the data typ es of a WWW server which are

required to prove the critical asp ect that the server do es not lose stored informations We

give a statebased sp ecication of the server in Figure and the data typ es Request and

Page of the interface For the data state of this sp ecication we sp ecify a small database

We implement the server with a stream pro cessing functions which stores the received

messages likethe buer in Example In the sp ecication of the database we use

instead of and formalize observer functions to characterize the congruence See Section

for the denition of and Section for the advantages of this sp ecication style

We start with a sp ecication of the requests and assume that the sp ecication HTTP contains

the sub domains Page and url of strings

REQUEST HTTP

domain Request getreq urlurl

j putput urlurl put contPage

arities Requesteq

end

Of course we could have mo delled Request also as a sub domain of streams however for

readability we use the domain construct since it intro duces all functions of the ADT in

a compact way see page This sp ecication is the basis for our small database It

contains only pages with theURLsaskey It is sp ecied without the domain construct in

order to allow an implementation based on streams without quotients

DB REQUEST Specification of the Data Base

types Db

arities Dbeq

the following operations are available on Db

ops curried strict

constructors

emptyDb Db

addDb Db url Page Db

selectors

key Db url

content Db Page

restDb Db Db

discriminators

emptyDb Db tr is

is addDb Db tr

DATABASE OF A WWW SERVER

further operations on databases

isinDb Db url tr

find Db url Page

replace Db url Page Db

insert Db url Page Db

generated Db by emptyDb j addDb

axioms

defvars db u p db u p in

discriminator rules

emptyDb dis emptyDbemptyDbe is

is emptyDb bis emptyDbaddDbdbupe

is addDb dis addDbaddDbdbupe

addDb bis addDbemptyDbc is

selector rules

key keyaddDbdbup u

content contentaddDbdbup p

restDb restDbaddDbdbup db

weakened injectivity

injective addDbdbup addDbdbup uu pp db db

observability to characterize

obs is emptyDb is Cobs is emptyDb

obs is addDb is Cobs is addDb

obs addDb is Cobs addDb

key is Cobs key obs

obs content is Cobs content

obs restDb is Cobs restDb

rules for db functions

isinDb b isinDbemptyDbuc

isinDb isinDbaddDbdbupu

uu orelse isinDbdbu

find findemptyDbu errorPage

find findaddDbdbupu

If u u then p else finddbu fi

replace replaceemptyDbup emptyDb

replace replaceaddDbdbup u p

If u u then addDbdbup

else addDbreplacedbupu p fi

insert insertdbup

If isinDbdbup

then replacedbup

else addDbdbup fi end

CHAPTER CASE STUDIES OF A WWW SERVER

The statebased sp ecication of the WWW server is

SERVER DB Stream WWW

ops curried strict

server Request stream Page stream

DBserver Db Request stream Page stream

rules

server def server DBserveremptyDb

DBserver DBserverDBgetus findDBu DBserverDBs

Page DBserver DBserverDBputups stored

DBserverinsertDBups

end

This sp ecication allows us to use the mo del inclusion basis for the functional renement

of the sp ecication states and to give a renement of states in terms of histories of request

streams This renement do es not use quotients and is therefore executable in the sense

of our Denition on page Since the mo del renement relation of the mo del

inclusion basis is mo dular wedonothave to reprove our critical asp ect for the executable

implementation It suces to show that the DB sp ecication is implemented correctly

The critical prop erty that the server do es not lose pages unless they are replaced by more

recent ones is formalized by

rsRequest stream inat let rithirs in

if d is getre

then ithiserverrs last pageireq urlrrs

else true

We do not go further into details of this formalization since the implementation of the

WWW server preserves all predicates which hold for the requirement sp ecication

Server and we assume the predicate to be true for this case study If we rene WWW

the sp ecication DB with a mo dular renement relation then this prop erty is also true for

the sp ecication WWW SERVER see page for a denition of mo dularity The structure of

the development is visualized in Figure

We sp ecied the database with the PER such that we can apply the behavioural re

nement relation of HOLCF which is mo dular to the implementation of the database

and therefore we do not need to reprove the critical asp ect The only remaining pro of

obligation is that the database is rened b ehaviourally by the database sp ecication which

bases on histories of streams

Of course this pro of is a main part of the correct development of the system but since a lot of those

pro ofs have b een carried through in Focuswe do not present here another case study The interesting

asp ect of our implementation is that it preserves the prop erties since it is mo dular

DATABASE OF A WWW SERVER

WWW

SERVER

DB DB

REQUEST

Figure Developmentofthe WWW Server

DB REQUEST Stream

embedding for histories

domain Db Habs Hrep Request stream

ops curried strict

collects all URLs in a stream

collect urls Request stream url dlist

rules

ignores get requests

collect collect urlss

s If is

then If is putfts

then insert dlput urlfts

urlsrts collect

else collect urlsrts fi

else dnil fi

defs

equality on histories

Db eq def xycollect urlsHrepx collect urlsHrepy

Db PER def xyDb dxye

instance Db into the class eq

instance Dbeq witnesses for eq are needed here

now define the database operations

ops curried strict

constructors

emptyDb Db

addDb Db url Page Db

selectors

key Db url

content Db Page

CHAPTER CASE STUDIES OF A WWW SERVER

restDb Db Db

discriminators

is emptyDb Db tr

addDb Db tr is

further operations on databases

isinDb Db url tr

find Db url Page

replace Db url Page Db

insert Db url Page Db

axioms

defvars db u p db u p in

discriminator rules

is empty def is emptyDb Habsgetdef url

is addDb def is addDb db u pHabsputupHrepdb

selector rules

key def key dbput urlftHrepdb

def content dbput contftHrepdb content

restDb def restDb dbHabsrtHrepdb

identical rules for other db functions

isinDb b isinDbemptyDbuc

isinDb isinDbaddDbdbupu

uu orelse isinDbdbu

find findemptyDbu errorPage

find findaddDbdbupu

If u u then p else finddbu fi

replace replaceemptyDbup emptyDb

replace replaceaddDbupdb u p

If u u then addDbupdb

else addDbreplacedbupu p fi

insert insertdbup

If isinDbdbup

then replacedbup

else addDbdbup fi

end

The implementation of the database based on histories of request streams is a generaliza

tion of the implementation of buer of length one see Section The implementation

of the database requires to handle histories of nite length Histories are those messages

which have already b een pro cessed by the server Since the server starts with an empty

history all histories are nite We could also implement the database by histories of

length one if we take lists or databases as messages however this is not desired since

these histories do not consist of the input values and therefore they would be rather

strange histories

TRANSMISSION OF STRINGS

String

Sender Receiver

Figure Communication with Strings

The pro of that DB is a renement of DB requires to derive all axioms for the requirement

sp ecication DB including the observability axioms Since we used instead of we can

derive these axioms

Transmission of Strings

The second critical asp ect in our WWW server is the transmission of strings in our system

We represent html pages and URLs as strings and the HTTP proto col Tan uses also

sp ecial strings which can b e mo delled by sub domains for communication Therefore it is

imp ortant to ensure that strings are transmitted correctly

In this section we use an individual translation b etween strings and packets which is only

correct for some strings This restriction is ensured since we develop the system by a

dialog development step We rene the communication channel with the general string

communication together with b oth comp onents communicating over this channel into two

comp onents for which the restricted communication channel suces

In our system diagram on page we have two communication channels between the

browser and the WWW server Since b oth channels can b e implemented by sp ecial string

pro cessing channels we concentrate on a string transmission from a sender to a receiver

This situation is depicted in Figure

Since communication channels in general do not allow us to transmit strings of arbitrary

length on the internet wehave to send strings in smaller units It would b e easy to identify

a stringend character and to transmit every string by transmitting every character of the

string separately followed by the stringend character This could b e implemented likethe

implementation of bytes by bits on page on a more hardware oriented level However

since the internet has no direct channels between all browsers and servers the messages

on the internet have a header which contains information ab out their target address

Sending every character separately would require to add such a message header to every

single character Since this would be very inecient messages have usually a maximum

size between and bytes Those messages are called packets in the internet

The strings containing html pages and URLs are not restricted in their length Esp ecially

they can be so long that they do not t into one packet This requires to split them into

CHAPTER CASE STUDIES OF A WWW SERVER

several packets These packets are sent one by one from the sender to the receiver and

the receiver puts them together to the original string Since in the internet packets do not

necessarily arrive in the order in which they are sent eachpacket header contains an nite

unsigned integer number describing the p osition of the packet in the stream

The rst step is to formalize the notion of packets We use pairs of nite numb ers and

strings with length less or equal than

STRING String

embedding

domain S Sabs SrepString

defs

adm pred def adm pred sd strlenSreps e S

admissibility of S adm pred def is proved

by giving an explicit tactic

instance Sadm S adm fj rewrite goals tac S adm pred def

THEN adm cont tacR jg

now define the subdomain

types S S subdom

end

The sp ecication String is an extension of String from the library see page by

some sp ecic functions used for packets headtaildnat String String With the

typ e S of short string we can dene the typ e of packets by

PACKET STRING Fin

domain Packet mkP headerFin contentS

The other asp ects of the header are ignored here since we have no addresses in our sys

tem For packets we formalize two functions split and combine which split a string into

packets and combine the packets to a string They are sp ecied by

ops curried strict

split String Packet dlist

combine Packet dlist String

combine Packet dlist String auxiliary function

rules

split def split sIf strlens

then mkPSabss dnil

else mkPnatintdivstrle ns

Sabshead s

splittail s

TRANSMISSION OF STRINGS

combine def combine lcombinesortl

def combine lIf is dnill then emptySt combine

else concat dlSrepcontentdhdl

combinedtls

The following theorems hold in this theory

combine split dstrlens mult sub e

combinesplits s

split combine splitcombinel l

Since combine is based on nite numb ers and since every string in the packets has a length

split for arbitrary strings less or equal than we cannot prove the rule combine

but for strings with length smaller than This allows us to transmit

strings up toasizeofabout mega bytes For many applications this might suce but

since multimedia applications will b ecome more imp ortant this limit could be exceeded

sometimes Exceeding this limit would lead to an integer overowandwe cannot transmit

the string correctly Therefore we have to restrict the size of our html pages to MB or

to use another enco ding into packets

We fo cus now on the task of string transmission with packets For simplication we con

centrate on the case that the messages arrive in the order in which they are sent otherwise

wewould need an extra stringend packet and additional informations on the length of the

string This simplication allows us to use the packet numbers to indicate the end of a

string We do this by sending the packet with the highest numb er rst and then decrease

the number in each packet by one The packet with the number zero contains the last

packet of the string This trickworks since the messages in our channel arrive in the same

order as they are sent

The implementation of a channel with lists of packets as messages byachannel with packets

as messages is an individual implementation see Section We dene the abstraction

and representation functions explicitly and then show that they are inverse like in Example

on page

consts

absPP packet stream string stream

absPPL packet stream dlist packet

dlist packet stream

repPP string stream packet stream

repPPL packet dlist string stream packet stream

axioms

defvars n p l s in

absPP def absPPs absPPLdnils

CHAPTER CASE STUDIES OF A WWW SERVER

WWW

Packet

Cmds

implemented implemented

Views

Packet

browser WWW server

HTTP User

Figure Communication with Packets

absPPL absPPLlmkPp s

combinemkPpl absPPs

absPPL absPPLlmkPIsuccnp s

absPPLmkPIsuccnp ls

repPP def repPPxs repPPLsplitxs

repPPL repPPLdnils repPPs

repPPL repPPLpls p repPPLls

With the same pro of techniques as in Example we derive the following theorems

spsd strlense mult sub e

repPPabsPPps ps

absPPrepPPlps lps

The restriction comes from the restriction of splitting strings into lists of packets with nite

numbers In Example a sub domain is constructed for the representing elements We

omit this step here to have the restriction explicitly

We cannot implement strings of arbitrary length with such a packet proto col For our

implementation of the channels between the WWW server and the browser this means

that b oth comp onents have to ensure that the strings containing the pages are not greater

than MB This is a typical situation in the development of interactive systems we

can implementa channel in an ecient way but only if we know that it is used correctly

Formally this is a dialog development see Sections and ie we rene the system

consisting of sender receiver and the communication channel together The renement

do es not aect the external interfaces but allows us to use downward simulations see

Denition in the system without changing the interface to the environment

TRANSMISSION OF STRINGS

Out implementation of the WWW server is depicted in Figure It do es not change the

user interface but the browser ensures that the strings which are split into packets are

not greater than MB This involves esp ecially that the functions working on the strings

are preserving We could dene a concrete sub domain and pro ceed as describ ed in Section

The resulting pro of obligations would be simple behavioural renements and are

not presented here

In our case only the browser is the critical part of the system since the server do es only

store the arriving strings If the browser do es not pro duce large strings pages the server

will not need to send them One p ossible implementation would be to divide large pages

and to store them at dierent URLs

With the formalizations and implementations of the state correctness and with the correct

string transmission wehave demonstrated even without presenting the formal pro ofs how

large interactive and distributed systems can be implemented with the metho ds from the

implementation of ADTs in HOLCF

Chapter

Future Work

This chapter describ es p ossible extensions of our work which are of theoretical and prac

tical interest

A theoretical challenge is to nd out whether there exists a typ e class between percpo

and eq which ensures the comp osition of observer functions and allows us to instantiate

arbitrary streams This could be the basis for a simple theory interpretation which do es

not require an equality on the concrete typ e This would allow us to use arbitrary

streams instead of histories as representations of abstract typ es for theory interpretations

However since our class eq is not restricted to at domains we can instantiate streams

to it and for the quotient construction a PER on the data typ e suces Since PERs

are available on functions and streams nding another class between percpo and eq is a

theoretical challenge

To implement a domain construct domain which sp ecies an ADT with constructor

selector and discriminator functions and uses instead of would provide us with a nice

shorthand for sp ecication of ADTs with observability constraints Using this construct

would make theory interpretation sup eruous in the deductive software development pro

cess and we could use the mo dular mo del inclusion basis as renement relation The

implementation of the domain construct is only a small mo dication of the domain con

struct esp ecially since the domain construct is a sp ecication of ADTs it would not

require to derive the axioms for the sp ecication of the ADT

A more practical extension of this work would b e to extend our denition of executability

to a denition which allows us to execute quotients This could be done by dening

an op erational semantics for HOLCF An executable quotient construction would lead to

nice simplications of the renement relations since it would make theory interpretation

sup eruous This extension should also enclose the asp ect of co de generation since a

correct co de generation is an imp ortant part in the deductive software development pro cess

Since functional languages like ML Gofer or Erlang are very similar to our functional

sp ecications the correctness of a functional target language is easier to ensure The

language Erlang AVW is a functional language for distributed systems which could b e

used for co de generation Since the WWW is a growing interactive system we used it as

case study The most p opular language in the WWW is Java Fla Java would also b e

a candidate for a target language of the co de generator

Since graphical description techniques are useful in the informal sp ecication and deve

lopmentofinteractive systems they should also b e integrated into the deductive software

development pro cess Focus uses system diagrams to describ e the structure of distributed

systems Integrating a graphical description technique into the deductive software deve

lopment pro cess requires to have formal semantics for it The system diagrams have a

semantics in HOLCF SS There are many other graphical description techniques for

interactive systems see Section An imp ortant one are statetransition diagrams since

they can be used to graphically describ e statebased systems

To rene systems at the level of graphical description techniques we do not only need a

formal semantics but also a renement relation which allows us to express renements at

the graphical level For example inserting a new state into an automaton is a renement

step Since our work provides renements in HOLCF it is the basis for dening renements

of graphical description techniques that have a formal semantics in HOLCF

Avery interesting asp ect is to use the domains to give to ol supp ort for further theories in

Isab elle and HOLCF For example we could dene the domains of strict and continuous

functions or pulse driven functions as sub domains of the function space The quotient

constructor can be used to dene quotients of streams for example for the abstraction

from timed streams to untimed streams

Prototyping and simulation are extensions of high practical relevance of the implementa

tion of ADT They can be achieved by using executable abstraction and representations

functions for a simulation b etween dierent levels of abstraction in the description of sys

tems For example we could dene a simulation of a statebased comp onent which is

realized by a distributed system or a simulation of an abstract communication channel

which is realized by a hardware communication channel and fulls a certain proto col The

AutoFocus to ol HSS could b enet from our basis for simulation and prototyping

A further extension imp ortant for the acceptance of formal metho ds in industry is a

detailed pro cess mo del for the developmentofinteractive systems In the pro ject KorSys

a coarse pro cess mo del has b een develop ed SM It requires to formalize only those

parts of the system which are relevant for proving the correctness of the critical asp ects

The extension to a more detailed pro cess mo del should also contain a detailed description

of all metho ds available in HOLCF including those not presented formally in this work

The implementation of ADTs is an imp ortant basis for a formal software development

framework For example the thesis of W Reif Rei handles the implementation of ADTs

in the dynamic logic This work is the basis for the successful KIV system Rei The

logic in which the implementation of ADT is solved determines the p ower of the deductive

CHAPTER FUTURE WORK

software development framework The dynamic logic of the KIV system is well suited for

adevelopment of sequential systems

Since HOLCF is an adequate logic for the sp ecication of interactive and distributed sys

tems and since our work solves the implementation of ADTs in HOLCF this thesis is the

basis for a development framework for distributed systems

App endix A

HOLCF Extensions

The structure of the theory theories of ADTs in HOLCF is depicted in Figure A Since

the theory EQ contains all other theories for the implementation of ADT in HOLCF the

theory ADT is simply dened by

ADT EQ

The sub domains are used in the theory EQ since the instance subdomeqeq is proved

for the class eq

The following sections describ e the dierent theories

A The subdom constructor

This section contains the theories and the derived theorems for the subdom typ e construc

tor The realization in HOLCF is describ ed in Section the metho d is describ ed in

Section

A ADM

Two step intro duction see Section of the typ e class adm with the characteristic

constant adm pred

ADM HOLCF adm is the class with admissible predicates

consts general constant

pred term bool adm

APPENDIX A HOLCF EXTENSIONS

SUBD

PERCPO

ADM

HOLCF

HOL

QUOT

PER

Figure A Structure of ADTs in HOLCF

axclass adm pcpo

ax adm adm pred adm adm pred

consts characteristic constant for adm

adm pred adm bool

pred def adm pred adm pred defs adm

adm pred for void

adm pred void adm predvoid bool xTrue

end

The typ e void is instantiated into adm to show that the class is not empty Theorems for

ADM

characteristic axiom for the characteristic constant

adm pred adm adm pred adm

admissibility for void

void adm adm predvoid bool adm

A ADM

Safe instantiation for void into adm

A THE SUBDOM CONSTRUCTOR

ADM ADM instantiates void into adm

instance

voidadm fj rtac adm void jg

end

Theorem for ADM

inst adm void adm pred xvoid True

A SUBD

Intro duces the subdom typ e constructor The functions abs rep and the restriction

predicate p are called abs sd rep sd and cor sd in HOLCF Val sd contains the corre

sp onding elements The intro duction of the new typ e is describ ed also on page The

following theories provide additional arities for subdom

SUBD ADM

types subdom

arities subdom admterm

consts

cor sd adm bool

Val sd adm set

rep sd adm subdom

sd adm subdom abs

defs

cor sd def cor sd f adm pred f f

Val sd def Val sd ffcor sd fg

rules

Val sd rep sd t Val sd rep

abs rep sd abs sdrep sd t t

rep abs sd s Val sd rep sdabs sd s s

end

Theorems for SUBD

first show that subdom is not empty

sd UU cor sd cor

in Val sd Val sd UU

not empty sd x x Val sd

sd prove the admissibility of the predicate cor

adm cor sd adm xcor sd x

APPENDIX A HOLCF EXTENSIONS

now some general lemmas for subdom and predicates

sdVal sd cor sd xx Val sd cor

adm predVal sd adm pred xx Val sd

sd rep sd cor sd rep sd x cor

cor sdD cor sd xadm pred x x

induction rule for subdomains

all sd scor sd s P abs sd s P x

A SUBD

This theory denes a partial order on subdom based on the order of

SUBD SUBD add an order

consts

less sd adm subdom subdom bool

defs

less sd def less sd abrep sd a v rep sd b

end

Theorems for SUBD

sd is a partial order show that less

refl less sd less sd a a

antisym less sd less sd f f less sd f f f f

less sd less sd a b less sd b c less sd a c trans

A SUBD

This theory instantiates subdom into the class po and denes the least element for the cpo

construction

SUBD SUBD

arities subdom admpo

rules

inst sd po op adm subdom subdombool less sd

consts

sd adm subdom UU

defs

sd def UU sd abs sd UU end

A THE SUBDOM CONSTRUCTOR

Theorems proved for SUBD see page for the proofofthe axiom lub sd

minimal

minimal sd UU sd v x

some theorems for the order

less sd p v q rep sd p v rep sd q

sd eq rep sd a rep sd b ab

abs sd less x Val sd y Val sd x v yabs sd x v abs sd y

monofun rep sd monofun rep sd

is chain rep sd is chain C is chain jrep sdC j

proof of cpo

lub sd is chain C range C j abs sd irep sd C i

cpo sd is chain C a adm subdomrange C j a

A SUBD

This theory instantiates subdom into the class pcpo and denes invariance and lifting for

the simple case of the general construction schemes

SUBD SUBD

arities subdom adm pcpo

rules

sd pcpo adm subdom UU sd inst

for some special functions on subdomains there is a lifting

consts

inv adm adm bool

sd lift adm adm subdom subdom

defs

def inv f xcor sd xcor sdfx inv

sd lift def sd lift f xabs sd frep sd x

sd lift def sd lift f xsd lift f x

end

Theorems proved for SUBD

sd pcpo abs sd inst

sd and abs sd strictness and totality for rep

rep sd UU rep sd

sd UU abs sd abs

rep sd total x rep sd x

APPENDIX A HOLCF EXTENSIONS

rep sd total rep sd x x

sd total s cor sd s abs sd s abs

exhaustiveness induction all sd is in SUBD

sd x scor sd s xabs sd s exhaust

a theorem on flatness

flatflat sd flatx adm flaty subdom

continuity proofs and invariance

cont rep sd cont rep sd

invcontcont xx Val sd F x Val sdcont F

sd F rep sd s cont sabs

inv def inv f x cor sd x cor sd fx

invI x cor sd x cor sd fx inv f

sd x cor sd fx invE inv f x cor

further theorems for invariance proofs

inv If inv finv gcont Binv xIf B x then fx else gx fi

inv oo inv finv g inv f oo g

sd frep sd s invcontcfun inv f cont sabs

now theorems for the lifting

invcont lift inv fcont sd lift f

sd lift inv f xcor sd xPabs sdfxPsd lift fx all

sd lift app inv fsd lift fx abs sdfrep sd x

sd lift UU sd lift

sd lift def sd lift f x abs sd frep sd x

lift inv fxsd lift f xx sd lift f x beta

Future case studies will reuse these theorems and provide further lemmata Thus the

collection of theorems available for the implementation is growing to the b enet of the

deductive software development pro cess

A The quot Constructor

This section describ es the realization of the quotient constructor together with the typ e

class of partial equivalence classes It contains theories and theorems of the realization of

the concepts of Section

A PER

This theory denes a class per for PERs and uses axiomatic typ e classes see Section

It extends the HOL theory of sets

A THE QUOT CONSTRUCTOR

PER Set axclass per with characteristic constant

consts

bool infixl

axclass

per term

characteristic axioms

ax sym per x y y x

ax trans per x y y z x z

consts

characteristic constant

per bool infixl

Domain

D per set

defs

ax per def op op

Domain Dfxx xg

define on bool and fun

bool per op boolbool bool op

fun per f g x yx D yD xy fx gy

end

The characteristic constant is intro duced with the two step technique describ ed in Section

The following theorems on PERs hold

convert to

ax sym per x y y x

trans per x y y z x z ax

first derive the characteristic properties of

sym per x y y x

trans per x y y z x z

further theorems on

per x yy x sym

symrefl x y xx

symrefl x y yy

not per sym x y y x

theorems for the Domain D

DomainD x D x x

DomainI x x x D

DomainEq x D x x

DomainI left x y x D

DomainI right x y y D

notDomainE x D x y

notDomainE y D x y

APPENDIX A HOLCF EXTENSIONS

witnesses for boolper with general

sym per xbooly yx bool

bool trans per xbooly yz x z

witnesses for perperper with general

fun sym per x per per y y x

fun trans per f per per g g h fh

The pro ofs of the witnesses use the denition of the PER on the general constant In

this case bool per and fun per

A PER

This section instantiates bool and the function space into the class per It uses the

instance construct whichchecks the witnesses to declare the arities to the typ e checker

PER PER arities for per

instance bool per bool sym perbool trans per

instance fun perperper fun sym perfun trans per

end

The following theorems hold in PER

instantiation rules for bool

inst bool per op boolbool bool op

inst fun per fg x yx Dy D x yf x g y

A QUOT

This section contains the intro duction of the higher order quotients It is explained on

page

QUOT PER Quotient is type of partial equivalence classes

types quot represented by HOL sets

arities quot perterm

consts

checks the representant

is pec per set bool

defines partial equivalence class

rpred per set bool

defines elements in the quotient

A THE QUOT CONSTRUCTOR

cor per set bool

represents the quotient

Val q per set set

abstraction and representation

abs q per set quot

rep q per quot set

defs

is pec def is pec x s yy sy x

rpred def rpred f xis pec x f

def cor f rpred f ffg cor

Val q def Val q ff cor fg

rules

Val q rep q t Val q rep

abs rep q abs qrep q t t

rep abs q s Val q rep qabs q s s

consts constants for equivalence classes

peclass per quot

any in per quot

syntax ecl per quot

translations x peclass x

defs

peclass def x abs q fyy xg

any in def any in f x xf

end

The translations with the syntax allow a more readable form of the theorems The

following theorems could b e proved for quotients

first show that quot is not empty

UU in Val q fgVal q

empty q x x Val q not

technical lemmata of the construction

quot eq rep q a rep q b ab

used predicates for equivalence relations

q cor xx Val q corVal

cor rep q cor rep q x

corD cor xrpred x xfg

rpredD rpred f xis pec x f

is pecD is pec x fyy fy x

rpred rpred fyy xg rep

rep cor corfyy xg

Val q fyy xgVal q rep

rep Val empty fgVal q

APPENDIX A HOLCF EXTENSIONS

emptynotrefl fy y zgfgz z

general induction and exhaustiveness

all q scor s P abs q s P x

q scor s xabs q s exh

rep abs q defined zz sabs qfxx sg abs qfg

lemmas for the equivalence classes

equality and symmetry for equivalence classes

qclass eqI x yxy

qclass eqE x D xyx y

eq x Dxyx y qclass

exhaustiveness and induction for classes

class exhaust z per y zysx quot s

exhaust xabs q fg sx s class

all class z per y z y x P x P s

all class Pabs qfg xPx P s

inequality

qclass not eqI x D x yx y

qclass not eqE x y x y

qclass not eq xDx y x y

in any

any in class s per Dany in ss

The ugly premise z y z y in the induction and exhaustiveness rules for equivalence

classes comes from the fact that we have the empty set fg included in the values of the

quotient

A QUOT

This theory contains the intro duction of the order for the higher quotient

QUOT QUOT add an order for quotients

consts

less q per quot quot bool

defs

q def less q abrep q afg ab less

end

The order is a at order with the least abstraction of the empty set as least element This

can be seen from the theorems derived for QUOT

q is a partial order show that less

A THE QUOT CONSTRUCTOR

refl less q less q a a

less q less q f f less q f f f f antisym

trans less q less q a b less q b c less q a c

q fg is least element abs

less abs empty less q abs qfg x

A QUOT

This theory contains the instantiation into the class po of partially ordered domains and

the denition of the least element

QUOT QUOT HOLCF needs po of HOLCF

arities quot per po

rules

inst quot po op per quot quot bool less q

consts

q per quot UU

defs

UU q def UU q abs q fg

end

The following theorem show that abs q fg is the least element and that the order is chain

complete

minimality of UU q

q UU qv x minimal

further theorems for the order and chains

inst quot po x per quotv y rep q x fg x y

flat x abs qfgxvyx y quot

chainE is chain C iC iabs qfg quot

iC i abs qfg ji jC iC j

cpo quot is chain C a per quotrange C j a

These theorems justify the instantiation of the quotients into the class pcpo in the next

theory

APPENDIX A HOLCF EXTENSIONS

A QUOT

The following theory instantiates the quotients into the class pcpo

QUOT QUOT

arities quotperpcpo

rules

quot pcpo per quot UU q inst

end

The following theorems are derived for QUOT

theorem for on quot

inst quot pcpo abs qfg

rep q UU rep q fg

q UU abs q fg abs

rep q total x rep q x fg

abs q total s fgcor s abs q s

flatness

flat x per quot xv yxy quot

flat quot flat x per quot

some lemmas for the equivalence classes

abs q defined s zz sabs qfxx sg rep

class total x x x

A PERCPO

The typ e class percpo is intro duced as sub class of pcpo and per The conservative in

tro duction pro ceeds in several step The rst step is to dene a PER on the continuous

function space and on the typ e void

PERCPO QUOT HOLCF

defs

define on void

void per op x yvoidFalse

per op f g x yx D y Dx y fx gy cfun

end

The following theorems are proved for PERCPO

A THE QUOT CONSTRUCTOR

show void and cfun are in per

sym per xvoid y y x void

void trans per xvoid y y z x z

sym per f fpcpoperg fpcpopergggf cfun

cfun trans per f fpcpoperg fpcpopergg ghfh

These theorems are the witness for the instances in the following theory

A PERCPO

This theory denes the axiomatic typ e class percpo as sub class of pcpo and per Since

there are no further axioms the instances for void and cfun can b e proved without further

Cobs is dened witnesses On the class percpo the predicate is

PERCPO PERCPO

sym pervoid trans per instance void per void

instance fperpcpogfperpcpog per

cfun sym percfun trans per

axclass percpo perpcpo

no further axioms for percpo

instance void percpo

instance percpopercpopercpo

consts

Cobs percpo percpo bool is

defs

is Cobs def is Cobs fx yx D y Dx yfx D fy Dfx fy

end

The following theorems hold for PERCPO

derive instantiations

inst void per op x yvoidFalse

inst cfun per op f g x yx D yD x yfx gy

Cobs some rules for is

Cobs def is Cobs fx yx D yD x yfx D fy Dfx fy is

is CobsD is Cobs fx yx D y Dx yfx D fy Dfx fy

CobsI x yx D y Dx yfx D fy Dfx fy is Cobs f is

is CobsE is Cobs f xa D x D xa x fxa D fx D

fxa fx

application of observer functions

is Cobs app is Cobs f percpo percpo cpercpo

is Cobs xfx

APPENDIX A HOLCF EXTENSIONS

A EQ

This theory denes the exible class eq with the characteristic constant eq It is intro duced

ax axiomatic typ e class and describ ed in Section

EQ PERCPO SUBD

ops curried

trcinfixl

axclass eq pcpo

eq refl def x dxxe ax

ax eq sym d xyedyxe

ax eq trans d xye dyzedxze

ax eq strict x

eq total x y xy ax

ax eq per xydxye just to define a per

ops curried

characteristic constant for eq

eq tr cinfixl

defs ax eq def op op

add an equality for subdom

eq def op x yrep sd x rep sd y sd

sd per def op x y fadmeqgd xye

end

The following theories are proved for EQ

convert to

ax eq sym dxye dyxe

eq trans d xye dyze d xze ax

derive the characteristic axioms

eq refl x dxxe

sym dxye d yxe eq

trans dxye d yze dxze eq

eq per x ydxye

eq strict x

eq total x y x y

derive the rules for per

sym per x eq y y x eq

trans per x eqyyzxz eq

eq sym per x eqyy x

A THE QUOT CONSTRUCTOR

eq not per sym x eq y y x

derive some rules for continuous equality and per

eqper d xye x y

pereq x y dxye

neqnper b xyc xy

eq defined x y d xye bxyc

nperneq x y x ybxyc

eq nperneq x y x ybxyc

eq sym tr xyz yx z

sym eq xy yx eq

neq sym xy TT yx TT

characteristic axioms for subdom

sd eq app x yrep sd xrep sd yxy rep sd x rep sd y rep

sd eq refl c fadmeqg subdom d cce

sd eq sym dx fadmeqg subdom yed yxe

sd eq trans da fadmeqg subdom bedb cedace

eq strict fadmeqg subdom b sd

sd eq strict b fadmeqg subdom

sd eq total a b fadmeqg subdom ab

per def a b fadmeqg subdom d a be sd

A EQ

This theory instantiates eq as sub class of per and percpo This allows us to deduce nice

prop erties for the quotients over the class eq In addition the class EQ is dened

EQ EQ

instance eq per eq sym pereq trans per

instance eq percpo

axclass EQ eq

ax EQ a ba b d abe a b

end

The following theorems could b e proved for EQ

convert to

weqeq xa EQ x d xaxe xax

different conversions between and for EQ

APPENDIX A HOLCF EXTENSIONS

weq x EQ y x yd xye x y b xyc

eqweq x EQ y xy dxye

neqnweq x EQ y x y bx yc

weq x EQ y xyd xye eq

theorems for on eq

not UU refl x eq x x

not UU D x eq x D

not UUE x eqP

not UU I xDx eq

eq x Dx eq UU

not UU per eq x eq

not inD eq eq D UU

eq Domain x x eq D

UU eq set empty fy eq y g fg

quotients over eq

eq class total x eq x

eq not ex z eq y z y

any in class sym x x eq any in x

class strict eq eq

eq any strict any in eq quot

eq any total x any in x eq

eq any class x eq quot any in x

exhaust s eqx quot s eq

eq all class x eqP x P s quot

is Cobs on eq

Cobs eq is Cobs fx y d xyefx fy dfx fye is

is Cobs eq is Cobs fx y d xyefx fy dfxfye

eq less c cv cdc ce

is Cobs comp eq is Cobsf eq ceqis Cobsg eq

Cobs f oo g is

total EQ is Cobs xx EQ fx is Cobsf eq

further lemmas for the lifting

monofun class flatz f b b

monofun x eq fx percpo

monofun lift x percpo x f

monofun x eq quot fany in x

A THE ADT LIBRARY FOR HOLCF

A The ADT Library for HOLCF

This section contains the theories and the derived theorems for the library of ADTs in

HOLCF The structure and the theories are explained in Section The main theory is

LIB ADT String Byte Fin Rat

A Dnat

The ADT of natural numbers is describ ed in Section The natural numb ers are

intro duced in two steps b ecause they use axiomatic typ e classes The rst step is to dene

and to deduce prop erties

Dnat EQ introduce dnat with equality

domain with mixfix annotation for syntax defines

domain dnat dzero j dsucc dpred dnat

defs equality

eq def op fix eqx y dnat

If is dzerox

then is dzeroy

dzeroy else If is

then FF

else eqdpredxdpredy

dnat per def op x ydnatd xye

end

Theorems for Dnat

derive rules for the equality

eq unfold op x yIf is dzerox then is dzeroy dnat

n else If is dzeroy then FF

else dpredx dpredy fi fi

dnat eq app xyIf is dzerox then is dzeroy

else If is dzeroy then FF

else dpredx dpredy fi fi

eq strict xdnat dnat

dnat d e

APPENDIX A HOLCF EXTENSIONS

dnat n bdsuccn c

dnat n bdsuccnc

dnat n m dsuccn dsuccm nm

derive characteristic axioms for the class EQ

dnat eq total ndnat m nm

dnat eq eq d ndnat menm

dnat eq refl ndnat dnne

dnat eq sym d xdnat ye dy xe

dnat eq trans d ndnat me dmkednke

per def xdnat y dxye dnat

dnat ax EQ a bdnat a b d abe ab

Dnat is flat

dnat flatxdnat flat

Selector rule

dpred dsucc x dpreddsuccx x

These theorems justify the instantiation into the class EQ TR contains the strict op erations

AND and OR for the nonstrict op erations andalso and orelse of HOLCF

Dnat Dnat TR instantiate Dnat in eq

instance dnat EQ dnat eq refldnat eq symdnat eq trans

dnat eq strictdnat eq strictdnat eq total

per def dnat

dnat ax EQ

ops curried

dnat dnat tr cinfixl

defs

dnle def op fix le n mis dzeron OR

If is dzerom OR is dzeron then FF

else ledpredndpredm fi

ops curried strict total

sub dnat dnat dnat cinfixr

add dnat dnat dnat cinfixl

mult dnat dnat dnat cinfixl

div dnat dnat dnat

dnat dnat dnat cinfixl

axioms

defvars n m in

add add nn

add dsuccn add m dsuccn add m

sub n sub n

sub dsuccn sub dsuccm n sub m

A THE ADT LIBRARY FOR HOLCF

mult mult m

mult dsuccn mult m m add n mult m

pow n dsucc

pow n dsuccm n mult n m

div n divn mult mnm

some nice writings for natural numbers

ops curried strict total

dnat dnat dnat cinfixl

on dnat

two dnat

three dnat

four dnat

five dnat

six dnat

seven dnat

eight dnat

nine dnat

ten dnat

axioms

defvars n m in

exp def n m n mult ten add m

defs

one dsucc

two dsucc

three dsucc

four dsucc

five dsucc

six dsucc

seven dsucc

eight dsucc

nine dsucc

ten ten dsucc

end

The following theorems are derived for Dnat

characteristic axioms for dnat with

dnat eq de

dnat eq x b dsuccx c

eq x b dsuccxc dnat

dnat eq x y dsuccx dsuccy x y

theorems for

dnle unfold op n mis dzeron OR

APPENDIX A HOLCF EXTENSIONS

If is dzerom OR is dzeron then FF

else dpredn dpredm fi

dnle app nm is dzeron OR

dzerom OR is dzeron then FF If is

else dpredn dpredm fi

dnle strict x

dnle total n m n m

dnle d e

dnle n d ne

dnle n bdsuccn c

dnle n m dsuccn dsuccm n m

refl n dn ne dnle

dnle trans n hd nmedmhed nhe

dnle trans n hb nmcbmhcb nhc

further theorems

zero defined

one defined

two defined

defined three

four defined

five defined

six defined

defined seven

eight defined

nine defined

rules for add

addb n add n

addb n add dsuccm dsuccn add m

add com n add m m add n

ass m add n add l m add n add l add

add ass left x add y add zy add x add z

add cancel a a add na add m nm

cancel a n add am add a nm add

rules for mult

multb m m mult

multb m mult dsuccn m add m mult n

mult m mult m

multb mult m m

com n mult m m mult n mult

add mult m add n mult k m mult k add n mult k

mult k mult m add n k mult m add k mult n add

mult ass m mult n mult k m mult n mult k

A THE ADT LIBRARY FOR HOLCF

mult ass left k mult m mult n m mult k mult n

mult eq a a da mult na mult me dnme pos

pos mult eq a a a mult na mult mnm

These arithmetic rules for dnat are basically the same as the rules from the arithmetic

theory of the Isab elle logic HOL

A Dlist

The ADT of lists is describ ed in Section

Dlist Dnat

domain dlist dnil j dhd dtl dlist cinfixr

ops curried

lmap dlist dlist

dlen dlist dnat

lmem eq dlist tr cinfixl

defs

def lmap fix h f s case s of dnil dnil lmap

j x xs fx hfxs

dlen def dlen fix len s case s of dnil

j x xs dsucclenxs

def op lmem fix h e l case l of dnil FF lmem

j x xs If ex then TT

else hexs fi

l eq def op fix eqx y

If is dnilx

then is dnily

dnily else If is

then FF

dhdy andalso eqdtlxdtly else dhdx

dlist per def x y eq dlist d xye

end

The following theorems are proved for Dlist

unfold the fixed points

lmap

APPENDIX A HOLCF EXTENSIONS

lmap def lmap f scase s of

dnil dnil j

x l fx lmapfl

lmap lmapf

lmap lmapfdnil dnil

lmap x xs lmapfxxs fxlmapfxs

dlen

dlen def dlen scase s of

dnil j

x l dsuccdlenl

dlen strict dlen

dlen dlendnil

eq x y dlenxd dlenyd dlen

dlen x dlenxxs dsuccdlenxs

dlen total x dlenx

by subgoal tac x dlenx

equality on lists

eq unfold op x yIf is dnilx then is dnily l

else If is dnily then FF

else dhdx dhdy andalso

dtlx dtly fi fi

l eq app xyIf is dnilx then is dnily

else If is dnily then FF

else dhdx dhdy andalso

dtlx dtly fi fi

dlist strict y eq dlist

strict x eq dlist dlist

dlist ddnil eq dlist dnile

dlist d eq l bdl dnilc

dlist d eq l bdnil dlc

dlist n eq m s t

ns mt nm andalso st

further properties of dlist

flatdlist flat flat x flaty dlist

characteristic axioms for eq

dlist total n eq dlist m nm

dlist refl n eq dlist dn ne

l eq sym dn eq dlist medmne

l eq sym dx eq dlist yedyxe

eq trans dn eq dlist med mkednke l

dlist per def x eq dlisty dxye

EQ EQ a b EQ dlista b d abea b dlist

A THE ADT LIBRARY FOR HOLCF

These theorems justify the following instantiations

Dlist Dlist instantiate Dlist in eq and EQ

instance dlisteqeq dlist refll eq syml eq trans

strictdlist strictdlist total dlist

dlist per def

instance dlistEQEQ dlist EQ EQ

ops curried strict total

concat dl dlist dlist dlist

insert dl eq dlist dlist

axioms

defvars x l m in

concat concat dldnill l

dlxlm xconcat dlml concat concat

insert def insert dlxl If isinxl then l else xl fi

end

The following theorems are proved for Dlist

explicit instantiation rules

inst dlist eq xyIf is dnilx then is dnily

else If is dnily then FF

else dhdx dhdy andalso

dtlx dtly fi fi

eq ddnil dnile dlist

dlist eq d l b d l dnilc

dlist eq d l b dnil d lc

eq n s m t n m AND s t dlist

A Bit

The ADT of bits is describ ed in Section Bits are dened with the domain construct

The equality is dened together with the schematic PER

Bit EQ TR

domain Bit L j H

defs

Bit eq def op x yis Lx AND is Ly

OR is Hx AND is Hy

per def op b cBitd bce Bit end

APPENDIX A HOLCF EXTENSIONS

The following theorems justify the instance of Bit into the class eq

Bit is flat

Bit flat xBit flat

derive characteristic axioms for the class EQ

Bit eq refl c dcce

Bit eq sym dxBit ye dy e

Bit eq trans daBit be dbce dace

eq strict Bit b Bit

Bit eq strict b Bit

Bit eq total a bBit ab

per def abBit da be Bit

Bit ax EQ a bBita b dabe a b

Theory Bit instantiates the typ e Bit into the typ e class eq

Bit Bit

instance BitEQ Bit eq reflBit eq symBit eq trans

Bit eq strictBit eq strictBit eq total

per defBit ax EQ Bit

end

The following theorems are derived for Bit

explicit instantiation

inst Bit eq xyis Lx AND is Ly OR is Hx AND is Hy

rules

Bit eq dLLe

eq dHHe Bit

Bit eq bLHc

Bit eq bHLc

A Byte

The ADT of Bytes is describ ed in Section It consists of lists of bits of length eight

Byte Dlist Bit Bit Bytes with embedding

types BitL Bit dlist

domain BBabsBrepBitL

defs

pred def adm predB bool id dlenBrepi e Badm

A THE ADT LIBRARY FOR HOLCF

defines equality and PER on B

eq def op x yBrepx Brepy B

B per def op x yBd xye

end

The following theorems are proved for Byte

admissibility

adm Badm pre adm adm predB bool

further theorems

flat B flat xB

con sel BabsBrepc c B

characteristic axioms for eq

B eq refl cB d cce

B eq sym dxB ye d y xe

B eq trans daB be d b ce da ce

B eq strict B b

B eq strict b B

eq total a bB ab B

B per def a bB d abe

These theorems justify the instance of the typ e C into the typ e classes adm and eq

Byte Byte

Badm pred instance Badm adm

eq reflB eq symB eq trans instance Beq B

B eq strictB eq strictB eq total

B per def

types Byte B subdom

ops curried

cBabs Bit dlist Byte continuous abs

mkBy BitBit BitBit BitBit BitBitByte

b Byte Bit

defs defines continuous abstraction function

def cBabs lIf dlenl then abs sdBabsl else fi cBabs

APPENDIX A HOLCF EXTENSIONS

mkBy def mkBy a b c d e f g h

cBabsabcdefg h dni l

b def b BdhdBreprep sd B

def b BdhddtlBreprep sd B b

b def b BdhddtldtlBrepr ep sd B

b def b BdhddtldtldtlBr ep rep sd B

b def b Bdhddtldtldtldt l

Breprep sd B

b def b Bdhddtldtldtldt l

sd B dtlBreprep

b def b Bdhddtldtldtldt l

dtldtlBreprep sd B

def b Bdhddtldtldtldt l b

dtldtldtlBreprep sd B

end

The following theorems are proved for Byte

explicit instantiations

inst B adm adm pred cd dlenBrepc e

inst B eq xyBrepx Brepy

prepare continuous functions

Badm pred x yxv yadm predBabsxadm predBabsy mono

cont cont cBabs cont xif x adm predBabsx

then abs sd Babsx else

cont cBabs cont xIf dlenx cont

then abs sd Babsx else fi

cBabs app cBabsl If dlenl

then abs sdBabsl else fi

app mkByabcdefgh mkBy

cBabsabcdef g h dnil

A Char

The ADT of characters is describ ed in Section

Char Dnat basic theory for ASCII characters

embedding

domain CCabsCrepdnat

defs

Cadm pred def adm pred cd Crepc e

A THE ADT LIBRARY FOR HOLCF

defines equality and PER on C

eq def op x yCrepx Crepy C

C per def op x yCd xye

end

The following theorems are proved for Char

admissibility of the restriction

adm Cadm pred adm adm predC bool

C is flat

flat C flat xC

further theorems

con sel CabsCrepc c Crews C

defined

zero le d e

characteristic axioms for eq on C

C eq refl cC d cce

C eq sym dxC ye d y xe

C eq trans daC be d b ce da ce

eq strict C b C

C eq strict b C

C eq total a bC a b

C per def a bC d a be

These theorems justify the instance of the typ e C into the typ e classes adm and eq

Char Char

Cadm pred instance Cadm adm

instance Ceq C eq reflC eq symC eq trans

C eq strictC eq strictC eq total

per def C

types Char C subdom

ops curried

natchr dnat Char

chrnat Char dnat

defs

defines continuous abstraction function

natchr def natchr nIf n

then abs sdCabsn else fi

def chrnat nCreprep sd n chrnat

end

The following theorems are proved for Char

APPENDIX A HOLCF EXTENSIONS

derive explicit instantiation rules

C adm adm pred cd Crepc e inst

inst C eq xy Crepx Crepy

Char eq xy chrnatx chrnaty inst

theorems for the continuity of natchr

mono Cadm pred x yxv yadm pred Cabsxadm pred Cabsy

monofun contAbs monofun xif x adm pred Cabsx

then abs sd Cabsx else

cont contAbs cont x if x dx e

sd Cabsx else then abs

cont contAbs cont xIf x

then abs sdCabsx else fi

rules for conversion nat char

natchr app natchrn If n

then abs sdCabsn else fi

chrnat app chrnatn Creprep sd n

strict natchr natchr

chrnat strict chrnat

natchr total dx e natchrx

total x chrnatx chrnat

natchr chrnat natchrchrnatc c

chrnat natchr dn e chrnatnatchrn n

This ADT is the basis for the ASCI Ienco ding whichisgiven here only for some characters

Char Char Char with ASCII encoding

ops curried

a Char a c

c b Char b

c c Char c

A Char A c

c B Char B

c C Char C

c Char

defs

c natchr

A A natchr

B B natchr

C C natchr

A THE ADT LIBRARY FOR HOLCF

a a natchr

b b natchr

c c natchr

end

Theorems of the following kind can be proved in one step

definedness

defined c c

inequality

test b A c

These theorems are not derived for all characters they can be inferred with the provided

tactics whenever they are needed

A String

The ADT of strings is describ ed in Section

String Dlist Char

types String Char dlist

ops curried strict total

strlen String dnat

strcmp String String tr

strcat String String String

defs

strlen def strlen dlen

def strcmp op strcmp

axioms

defvars a s t in

strcat strcatdnils s

strcat strcatast astrcatst

end

Since these denitions are only equations between functions we do not derive further

theorems for them With the simplier we can substitute these denitions easily and prove

theorems like

Test dstrlen O s c a r dnil e

APPENDIX A HOLCF EXTENSIONS

A Fin

The ADT of nite numbers is describ ed in Section

Fin Dnat finite numbers Bit

embedding

domain FFabsFrepdnat

defs

pred def adm pred id Frepi sub e Fadm

defines equality and PER on F

eq def op x yFrepx Frepy F

F per def op x yFd xye

end

The following theorems are proved for Fin

characteristic axiom for adm

adm Fadm pred adm adm predF bool

further theorems

flat F flat xF

F con sel FabsFrepc c

defined sub

zero le d sub e

characteristic axioms for eq

eq refl cF dc ce F

F eq sym d xF ye dy xe

eq trans d aF be db ce d a ce F

F eq strict F b

F eq strict b F

F eq total a bF a b

per def abF dabe F

This justies the instantiations into the classes adm and eq

Fin Fin

instance Fadm adm Fadm pred

instance Feq F eq reflF eq symF eq trans

F eq strictF eq strictF eq total

per def F

types Fin F subdom

ops curried

natfin dnat fin

A THE ADT LIBRARY FOR HOLCF

finnat fin dnat

defs

defines continuous abstraction function

def natfin nIf n sub natfin

then abs sdFabsnelse fi

finnat def finnat nFreprep sd n

end

The following theorems are proved for Fin

explicit instantiations

F adm adm pred cd Frepc sub e inst

inst F adm xyFrepx Frepy

inst Fin eq xy finnatx finnaty

prepare continuous operations

mono Fadm pred x yxv yadm pred Fabsxadm pred Fabsy

monofun contFAbs monofun xif x adm predFabsx

then abs sdFabsx else

contFAbs cont xif x adm pred Fabsx cont

then abs sdFabsx else

contFAbs cont xIf x sub cont

then abs sd Fabsx else fi

natfin and finnat

natfin app natfinn If n sub

sd Fabsn else fi then abs

finnat app finnatn Freprep sd n

natfin strict natfin

strict finnat finnat

natfin total d x sub e natfinx

finnat total x finnatx

natfin finnat natfinfinnatc c

finnat natfin d n sub e finnatnatfinn n

Now the op erations on unsigned integers are dened

Fin Fin defines non preserving operations on Fin

to show the overflow errors explicitly

ops curried

Fzero Fin

Fsucc Fin Fin

Fadd Fin Fin Fin defs

APPENDIX A HOLCF EXTENSIONS

Fzero def Fzero natfin

def Fsucc nnatfindsuccfinn atn Fsucc

Fadd def Fadd n mnatfinfinnatn add finnatm

end

We did not prove many theorems for nite numb ers The only interesting pro of is that

even if add on dnat is total this function Fadd on nite numb ers is not The reason is

that it is not preserving

unfold the definition of Fadd

Fadd app Faddnm natfinfinnatn add finnatm

additional theorems on natural numbers

dsucc le x bdsuccx xc

le not eq bx dsuccyc bxyc

n add n le n bnc b n add n nc not

sub one le d ne dn me dn sub m sub e

Fadd is not total

not Fadd total x yx y Faddxy

A Pos

The ADT of p ositive natural numb ers is describ ed in Section

Pos Dnat positive numbers

embedding

domain P PabsPrepdnat

defs

Padm pred def adm pred cd negPrepc e

defines equality and PER on P

P eq def op x yPrepx Prepy

P per def op x yPd xye

end

The following theorems are proved for Pos

characteristic axiom for adm

Padm pred adm adm predP bool adm

further theorems

P flat xP flat

con sel PabsPrepc c P

characteristic axioms for eq

A THE ADT LIBRARY FOR HOLCF

P eq refl cP d cce

eq sym dxP ye d y xe P

P eq trans daP be d b ce da ce

eq strict P b P

P eq strict b P

P eq total a bP ab

P per def a bP d abe

These axioms justify the instantiation into eq and adm

Pos Pos

Padm pred instance Padm adm

instance Peq P eq reflP eq symP eq trans

P eq strictP eq strictP eq total

P per def

types pos P subdom

ops curried simplify proofs

natpos dnat pos

posnat pos dnat

defs

natpos def natpos nIf negn then abs sdPabsn else fi

posnat def posnat nPreprep sd n

end

The following theorems are proved for Pos

explicit instantiations

inst P adm adm pred c d negPrepc e

inst P eq xyPrepx Prepy

prepare continuous functions

Padm pred x yxv yadm predPabsxadm pred Pabsy mono

monofun contPabs monofun xif x adm predPabsx

sdPabsx else then abs

contPabs cont xif x adm predPabsx cont

then abs sd Pabsx else

cont contPabs cont xIf negx

then abs sdPabsx else fi

natpos and posnat

app natposn If negn then abs sdPabsn else fi natpos

natpos app bnc natposn abs sd Pabsn

strict natpos natpos

natpos total n n natposn

APPENDIX A HOLCF EXTENSIONS

natpos zero natpos

app posnatn Preprep sd n posnat

posnat total x posnatx

strict posnat posnat

pos not zero c bposnatc c

posnat natpos n posnatnatposn n

natpos posnat natposposnatp p

The p ositivenumb ers are the basis for the quotient construction which leads to the rational

numbers

A Rat

The ADT of fractionals for expressing rational numbers is describ ed in Section

Rat Pos rationals with fractional representation

embedding

domain R Rabsnumdnatdenpos

defs

R eq def op x ynumx mult posnatdeny n

n numy mult posnatdenx

R per def op x yRd xye

end

The following theorems are proved for Rat

general theorems on R

R con sel Rabsnumrdenr r

derive the eq axioms for R

eq refl cR d cce R

R eq sym dxR ye d y xe

R eq trans daR be d b ce da ce

eq strict R b R

R eq strict b R

R eq total a bR a b

R per def a bR d a be

These axioms justify the instantiation into the typ e classes eq and adm

A THE ADT LIBRARY FOR HOLCF

Rat Rat type of positive rationals

eq reflR eq symR eq trans instance Req R

R eq strictR eq strictR eq total

per def R

types Rat R quot

ops curried

dnat dnat Rat cinfixl

defs

fract def op x yRabsxnatposy

end

The following theorems are proved for Rat

theorems for fractal representations

fract app xy Rabsxnatposy

fract rule bn cb nc d z mult nz mult ne

zn zn

fract zero rule d nezn

These rules allowus to deduce prop erties like easily

Bibliography

AG C Ashworth and M Go o dland SSADM A Practical Approch McGrawHill

London

AI D Andrews and D Ince Practical Formal Methods with VDM Series in

Software Engeneering McGrawHill

AVW J L Armstrong R H Virding and M C Williams Erlang Users Guide and

Reference Manual Version Ellemtel Utvecklings AB Sweden

Bac R J R Back On the Correctness of Renement Steps in Program Deve

lopment PhD thesis University of Helsinki Also available as rep ort

Bac R J R Back A Calculus of Renements for Program Derivations ACTA

Informatica

Bac R J R Back Renement calculus part II Parallel and reactive programs

In J W de Bakker WP de Ro ever and G Rozenb erg editors Stepwise

Renement of Distributed Systemsvolume of Lecture Notes in Computer

Science SpringerVerlag

BBB FL Bauer R Berghammer M Broy W Dosch F Geiselbrechtinger

R Gnatz E Hangel W Hesse and B KriegBruc kner The Munich Project

CIP Vol The Wide Spectrum Language CIPL volume of LNCS

Springer

BC F W Burton and R D Cameron Pattern Matching with Abstract Data

Typ es Journal of Functional Programming

BDD M Broy F Dederichs C Dendorfer M Fuchs TF Gritzner and R Web er

The design of distributed systems an intro duction to FOCUS Technical

Rep ort TUMI Technische Universitat Munc hen Institut fur Informatik

Januar

BIBLIOGRAPHY

BDDG Ralph Betschko Sabine Dick Klaus Didrich and Wolfgang Grieskamp For

mal Development of an Ecient Implementation of a Lexical Scanner within

the KorSo Metho dology Framework Forschungsb erichte des Fachb ereichs In

formatik Technische Universitat Berlin Franklinstrae D

Berlin Octob er

BFG a M Broy C Facchi R Grosu R Hettler H Hussmann D Nazareth F Re

gensburger O Slotosch and K Stlen The Requirement and Design Sp eci

cation Language Spectrum An Informal Intro duction Version Part I

Technical Rep ort TUMI Technische Universitat Munchen Institut fur

Informatik May

BFG b M Broy C Facchi R Grosu R Hettler H Hussmann D Nazareth F Re

gensburger O Slotosch and K Stlen The Requirement and Design Sp eci

cation Language Spectrum An Informal Intro duction Version Part II

Technical Rep ort TUMI Technische Universitat Munchen Institut fur

Informatik May

BFG M Broy M Fuchs T F Gritzner B Schatz K Spies and K Stlen Sum

mary of Case Studies in Focus a Design Metho d for Distributed Systems

SFBBericht A Technische Universitat Munc hen June

BHN M Broy U Hinkel T Nipkow Ch Prehofer and B Schieder Interpreter

verication of a functional language

BJ Manfred Broy and Stefan Jahnichen editors KORSO Methods Languages

and Tools for the Construction of Correct Software Final Report volume

of LNCS Springer Heidelb erg Nov

BMPW M Broy B Moller P Pepp er and M Wirsing Algebraic Implementations

Preserve pPogram Correctness Science of Computer Programming

BMSa M Broy S Merz and K Spies editors Formal Systems Specication

The RPCMemory Specication Case Study Springer LNCS Novem

ber

BMSb M Broy S Merz and K Spies The RPCMemory Sp ecication Problem A

Synopsis In M Broy S Merz and K Spies editors Formal Systems Speci

cation The RPCMemory Specication Case Study pages Springer

LNCS November

Bo o G Booch ObjectOriented Analysis and Design with Applications Second

Edition BenjaminCummings

BIBLIOGRAPHY

Bre M Breu Bounded Implementation of Algebraic Sp ecications Lecture Notes

in Computer Science

Bro M Broy Algebraic metho ds for program construction The pro ject CIP In

SOFSEM Also in P Pepp er ed Program Transformation and

Programming Environments NATO ASI Series Series F BerlinHeidelb erg

New YorkTokyo Springer

Bro M Broy Comp ositional renement of interactive systems Technical Rep ort

SRC DIGITAL Systems Research Center

Bro M Broy Interaction renement the easy way In M Broy editor Program

Design Calculi Springer NATO ASI Series Series F Computer and System

Sciences Vol

Bro M Broy Mathematical Metho ds in System and Software Engineering

Marktob erdorf Summer Scho ol

BS Manfred Broy and Ketil Stlen FOCUS on System Development A Metho d

for the Development of Interactive Systems to app ear

BW FL Bauer and H Wossner Algorithmic Language and Program Development

Springer Berlin

BWa Broy and Wirsing UltraLo ose Algebraic Sp ecication Bul letin of the Euro

pean Association for Theoretical Computer Science

BWb M Broy and M Wirsing UltraLo ose Algebraic Sp ecication Bericht MIP

Universitat Passau

BW Manfred Broy and Martin Wirsing Correct Software From Exp eriments to

Applications In Broy and Jahnichen BJ

Che PP Chen The Entity Relationship Mo del Toward an Unied View of Data

ACM Trans on Database Sys March

CM K M Chandy and J Misra Paral lel Programming Design AddisonWesley

CZdR J Co enen J Zwiers and WPdeRoever A Note on Comp ositional Rene

ment Technical rep ort Eindhoven

Dav A M Davis SoftwareRequirements Analysis and Specication PrenticeHall

Englewood Clis NJ

DCC E Downs P Clare and I Co e Structured systems analysis and design method

nd ed PrenticeHall

BIBLIOGRAPHY

Dem Tom Demarco Structured Analysis and System Specication Prentice Hall

Englewood Clis edition

Den Ernst Denert SoftwareEngineering methodische Projektabwicklung

Springer Berlin

Dil A Diller Z An Introduction to Formal Methods John Wiley Sons Chich

ester UK nd edition

EGL HansDieter Ehrich M Gogolla and U Lip eck Algebraische Spezikation

Abstrakter Datentypen Bg Teubner Stuttgart

EKMP H Ehrig HJ Kreowski B Mahr and P Padawitz Algebraic Implemen

tation of Abstract Data Typ es Theoretical Computer Science

EM H Ehrig and B Mahr Fundamentals of Algebraic Specication Springer

EM H Ehrig and B Mahr Fundamentals of Algebraic Specication Module

Specications and Constrains Springer

End H B Enderton A Mathematical Introduction to Logic Academic Press New

York

Fara W M Farmer A General Metho d for Safely Overwriting Theories in Mecha

nized Mathematics Systems Technical rep ort The mitre Corp oration

ftpmathharvardeduimpsdo coverwritingtheoriesdvigz

Farb William M Farmer Theory Interpretation in Simple Typ e Theory In J Heer

ing K Meinke B Moller and T Nipkow editors HigherOrder Algebra Logic

and Term Rewriting volume of LNCS pages Springer

Fla David Flanagan Java in a Nutshel l a desktop quick reference for Java pro

grammers A Nutshell handb o ok OReilly Asso ciates Inc Chestnut

Street Newton MA USA

Fuc Maximilian Fuchs Formal Design of a Mo delN Counter Technical Rep ort

TUMI Technische Universitat Munc hen Institut fur Informatik

Gan Harald Ganzinger Denotational Semantics for Languages with Mo dules In

Dines Bjorner editor Formal Description of Programming Concepts II pages

NorthHolland Amsterdam

GM N Gehani and A McGettrick editors Software Specication Techniques

AddisonWesley Wokingham

BIBLIOGRAPHY

GM M Gordon and T Melham Introduction to HOL A Theorem Proving Envi

ronment for Higher Order Logic Cambridge University Press

Gor MCJ Gordon HOL A Machine Oriented Formulation of HigherOrder

Logic Technical Rep ort University of Cambridge Computer Lab oratory

GS C Gane and E Sarson Structured Systems Analysis PrenticeHall

Gur Gurevich Evolving Algebras BCTCS British Col loquium for Theoretical

Computer Science

Han G Hansoul Systemes Relationel les et Algebres Multiformes PhD thesis

Universite de Liege

Har R Harp er Intro duction to Standard ML Technical Rep ort ECSLFCS

University of EdinburghDepartment of Computer Science November

Har D Harel Statecharts A Visual Formalism for Complex System Science of

Computer Programming

Hen Leon Henkin A theory of prop ositional typ es Fund Math

Hen Rolf Hennicker Context Induction A Pro of Principle for Behavioural Abstrac

tions and Algebraic Implementations Formal Aspects of Computing

Het Rudolph Hettler EntityRelationshipDatenmodel lierung in axiomatischen

Spezikationssprachen TectumVerlag

HJW P Hudak S Peyton Jones and PWadler editors Report on the Programming

Language Haskel l A Nonstrict Purely Functional Language Version

ACM SIGPLAN Notices May

HKB Berthold Homann and B KriegBruckner Program development by speci

cation and transformation the PROSPECTRA methodology language family

and systemvolume of Lecture Notes in Computer Science SpringerVerlag

Inc New York NY USA

Hoa C A R Hoare An Axiomatic Basis of Computer Programming Communi

cations of the ACM

Hoa C A R Hoare Pro of of Correctness of Data Representation Acta Informatica

Hoa C A R Hoare Communicating Sequential Processes PrenticeHall

BIBLIOGRAPHY

Hoa CAR Hoare Unied Theories of Programming Marktob erdorf Sum

mer Scho ol

Hot Alfred Hottarek Ub ersetzung von Spectrum in the large nachML Masters

thesis Technische Universitat Munchen httpwwwinformatiktu

muenchendepap ersDA Hottarekpsgz

HP D J Hatley and I Pirbhai Strategies for RealTime System Specication

Dorset House New York NY

HR A Hottarek and J Rudolph Spectrum nach ML Ub ersetzer Fortgeschrit

tenenpraktikum Technische Universitat Munchen

HSS Franz Hub er Bernhard Schatz and Katharina Spies AutoFocus Ein

Werkzeugkonzept zur Beschreibung verteilter Systeme In Ulrich Herzog Hol

ger Hermanns editor Formale Beschreibungstechniken fur verteilte Systeme

pages Universitat ErlangenNurn b erg Erschienen in Arb eits

b ereichte des Insituts fur mathematische Maschinen und Datenverarb eitung

Bd Nr

Jac I Jacobson ObjectOriented Software Engineering AddisonWesley Mas

sachusetts

Jon M P Jones An Introduction to Gofer August

KA Samuel Kamin and Mila Archer Partial Implementations of Abstract Data

Typ es A Dissenting View on Errors In Giles Kahn David MacQueen and

Gordon Plotkin editors Semantics of Data Types pages Springer

Lecture Notes in Computer Science Volume

Kah G Kahn The Semantics of a Simple Language for Parallel Programming In

J L Rosenfeld editor Information Processing Proceedings of the IFIP

Congress pages NorthHolland New York NY

KB Bernd KriegBruc kner Programmentwicklung durchSpezikation und Trans

lation Technical Rep ort Universitat Bremen February

Lam Leslie Lamp ort The Temp oral Logic of Actions ACM Transactions on Pro

gramming Languages and Systems May

Lio J L Lions ARIANE Failure Full Rep ort

httpwwwitdtudk hraarianerephtml

LT Kim G Larsen and Bent Thomsen A Mo dal Pro cess Logic In Proceedings

Third Annual Symposium on Logic in Computer Science pages Ed

inburgh Scotland JulyIEEE Computer So ciety

BIBLIOGRAPHY

LT N A Lynch and M R Tuttle An Intro duction to InputOutput Automata

CWI Quarterly Also available as MIT Technical Memo

MITLCSTM

MBx R Hennicker M Bidoit Behavioural Theories and The Pro of of Behavioural

Prop erties Theoretical Computer Sciencex to app ear

Meh M Mehlich Implementation of Combinator Specications PhD thesis

LudwigMaximiliansUniversitat Munc hen

Mel Tom Melham Automating Recursive Typ e Denitions in Higher Order

Logic In Graham Birtwistle and PA Subrahmanyam editors Current Trends

in Hardware Verication and Automated Theorem Proving pages

SpringerVerlag

Mil Rob ert Milner CCS A Calculus for Communicating Systems volume of

Lecture Notes in Computer Science Springer Verlag

Mil R Milner Communication and ConcurrencyInternational Series in Computer

Science Prentice Hall

Mit John C Mitchell Representation Indep endence and Data Abstraction In

Conference Record of the Thirteenth Annual ACM Symposium on Principles

of Programming Languages pages ACM ACM January

Mol Moller HigherOrder Algebraic Specications PhD thesis TUM Ha

bilitationsschrift

MS Olaf Muller and Konrad Slind Isab elleHOL as a Platform for Partiality In

Mechanization of Partial Functions CADE Workshop

MV C C Morgan and T Vickers editors On the Renement Calculus For

mal Approaches to Computing and Information Technology series FACIT

SpringerVerlag

MVS TSE Maibaum Paulo A Veloso and MR Sadler A theory of Abstract

Data Typ es for Program Development briging the Gap In H Ehrig C Floyd

M Nivat and J Thatcher editors Formal Methods and Software Engineer

ingTAPSOFTvolume pages SpringerVerlag

Naz D Nazareth A Polymorphic Sort System for Axiomatic Specication Lan

guages PhD thesis Technische Universitat Munc hen Technical Rep ort

TUMI

Nip Tobias Nipkow Nondeterministic Data Typ es Mo dels and Implementations

Acta Informatica March

BIBLIOGRAPHY

Nip Tobias Nipkow Behavioural Implementation Concepts for Nondeterministic

Data Types PhD thesis University of Manchester Computer Science De

partment May

Nip T Nipkow OrderSorted Polymorphism in Isab elle In G Huet G Plotkin

and C Jones editors Proc nd Workshop on Logical Frameworks pages

NRS Dieter Nazareth Franz Regensburger and Peter Scholz MiniStatecharts A

Lean Version of Statecharts TUMI Technische Universitat Munchen

NS Tobias Nipkow and Konrad Slind In P Dyb jer B Nordstrom J Smith editor

Proc of Types for Proofs and Programs LNCS pages

Ohe David von Oheimb Datentypsp ezikationen in HigherOrder LCF Masters

thesis Technische Universitat Munchen httpwwwinformatiktu

Oheimbhtml muenchendePap ersDA

Ohe David von Oheimb Isab elle Case Study of a Buer of Length One Isab elle

Theories to b e published

ONS Fernando Orejas Marisa Navarro and Ana Sanchez Algebraic Implementa

tion of Abstract Data Typ es aSurvey of Concepts and new Comp ositionality

Results Mathematical Structures in Computer Science February

Pau L C Paulson Logic and Computation Interactive Proof with Cambridge LCF

volume of Cambridge Tracts in Theoretical Computer Science Cambridge

University Press

Pau L C Paulson ML for the Working Programmer Cambridge University Press

Paua Lawrence C Paulson A Fixedp oint Approach to Implementing coInductive

Denitions In A Bundy editor Automated Deduction CADE volume

of Lecture Notes in Computer Science pages Springer

Paub Lawrence C Paulson Isabel le A Generic Theorem Prover volume of

LNCS Springer

Pax V Paxon Groth Trends in WideArea TCP Connections IEEE Network

Magazine July

PBDD Peter Pepp er Ralph Betschko Sabine Dick and Klaus Didrich Realizing Sets

by Hash Tables In Broy and Jahnichen BJ

BIBLIOGRAPHY

Pra Vaughan R Pratt Semantical Considerations on FloydHoare Logic In

th Annual Symposium on Foundations of Computer Science pages

IEEE Octob er

PW Peter Pepp er and Martin Wirsing A Metho d for the Development of Correct

Software In Broy and Jahnichen BJ

RBP J Rumbaugh M Blaha W Premerlani F Eddy and W Lorensen Solutions

Manual ObjectOriented Modeling and Design Prentice Hall Englewood

Clis

Rea C Reade Elements of Functional Programming AddisonWesleyWokingham

Berks

Reg Franz Regensburger HOLCF Eine konservative Erweiterung von HOL um

LCF PhD thesis Technische Universitat Munchen

Reg Franz Regensburger HOLCF Higher Order Logic of Computable Functions

In ET Schub ert PJ Windley and J AlvesFoss editors Higher Order Logic

Theorem Proving and its Applications volume of Lecture Notes in Com

puter Science pages Springer

Rei Wolfgang Reif Korrektheit von Spezikationen und generischen Moduln PhD

thesis Karlsruhe

Rei Wolfgang Reif The KIV System Systematic Construction of Veried Soft

ware In th Conference on Automated Deductionvolume of lncs pages

RHx M Bidoit R Hennicker M Wirsing Pro of Systems for Structured Sp ecica

tions with Observability Op erators Theoretical Computer Science x to

app ear

Rob Edmund Robinson How Complete is PER In Fourth Annual Symposium on

Logic in Computer Science pages

Roy Winston W Royce Managing the Development of Large Software Systems

Concepts and Techniques In WESCON Technical Papers v pages A

A Los Angeles August WESCON First Occurence of the Term

Waterfall Mo del

Rut H Rutishauser Description of Algol Handb o ok for Automatic Computa

tion Vol a SpringerVerlag Berlin

Sch J R Scho eneld Mathematical logic AddisonWesley

BIBLIOGRAPHY

Sch O Scho ett A Theory of Program Mo dules their Sp ecication and Implemen

tation Technical Rep ort CSR University of Edinburgh

Sch Oliver Scho ett Behavioural Correctness of Data Representations Internal Re

p ort CSR Department of Computer Science UniversityofEdinburgh

April

Sch O Scho ett Behavioural correctness of data representations Science of Com

puter Programming

SGW Bran Selic Garth Gullekson and Paul T Ward RealTime ObjectOriented

Modeling John Wiley Sons

Slo Oscar Slotosch Implementing the Change of Data Structures with Spectrum

in the Framework of KorSo Development Graphs Technical Rep ort TUM

I Technische Universitat Munc hen Institut fur Informatik

SM O Slotosch and W Mala KorSysProzemo dell mit Kritikalen Asp ekten

httpwwwinformatiktumuenchendepro jkorsyspublicpmo dpsgz

SM Rob ert Sandner and Olaf Muller Theorem Prover Supp ort for the Renement

of Stream Pro cessing Functions In Proc rd Int Workshop on Tools and

Algorithms for the Construction and Analysis of Systems TACAS Lecture

Notes in Computer Science Springer

Spi K Spies Funktionale Sp ezikation eines Kommunikationsprotokolls SFB

Bericht A Technische Universitat Munc hen May

SS Dana Scott and Christopher Strachey Toward a Mathematical Semantics for

Computer Languages pages April

SS Bernhard Schatz and Katharina Spies Formale Syntax zur logischen Kern

sprache der FOCUSEntwicklungsmetho dik TUMI Technische Univer

sitat Munc hen httpwwwinformatiktumuenchenderep ortsTUM

Ihtml

ST D Sannella and A Tarlecki Toward Formal Development of Programs from

Algebraic Sp ecications Implementation Revisited Acta Informatica

Sta R Stabl The CSDM System an Environment for the Algebraic Sp ecication

Language SPECTRUM In Bericht zum GIWorkshop Bad Honnef

Tan Andrew S Tanenbaum Computer Networks P T R PrenticeHall Englewood

Clis NJ USA third edition

BIBLIOGRAPHY

Tho S J Thompson Lawful Functions and Program Verication in Miranda Sci

ence of Computer Programming

Tur DA Turner Miranda a NonStrict Functional Language with Polymor

phic Typ es In Jouannaud editor Conference on Functional Programming

Languages and Computer Architecture pages Springer Verlag

UK R T Udink and J N Kok ImpUNITY UNITY with pro cedures and lo cal

variables Lecture Notes in Computer Science

vD N W P van Diep en Implementation of Mo dular Algebraic Sp ecications

extended abstract In H Ganzinger editor Proceedings of the European

Symposium on Programming volume of Lecture Notes in Computer Sci

ence pages Springer Verlag

Vol Norb ert Volker On the Representation of Datatyp es in Isab elleHOL Tech

nical Rep ort University of Cambridge Computer Lab oratory Pro

ceedings of the First Isab elle Users Workshop

Wan M Wand Sp ecications Mo dels and Implementations of Data Abstractions

Theoretical Computer Science

WB Michal Walicki and Manfred Broy Structured Sp ecications and Implemen

tation of Nondeterministic Data Typ es TUMI Technische Univer

sitat Munc hen httpwwwinformatiktumuenchenderep ortsTUM

Ipsgz

Wen Markus Wenzel Axiomatische Typklassen in Isab elle Masters thesis Institut

fur Informatik TU Munchen

Wir Niklaus Wirth The Programming Language PASCAL Acta Automatica

December

Wir M Wirsing Algebraic Sp ecication In J van Leeuwen editor Handbook

of Theoretical Computer Science chapter pages NorthHolland

Amsterdam

WM Paul T Ward and Stephen J Mellor Structured Development for RealTime

Systems volume volume Essential Mo deling Techniques Yourdon Inc

Englewood Clis New Jersey

List of Figures

KorSo Development Graph

BlackBox System Diagram

Glass Box System Diagram

Develop ed System Diagram

Development Graph for Sets by Sequences

Development graph with Mo dules

Typ e Classes of HOLCF

Preserving Function

Satisabilityin HOLCF

Metho ds for the Restriction Step

Quotient Implementation of State

Implementation of State with Theory Interpretation

Metho ds for the Quotient Step

Theory interpretation for quotients

Development Graph for the Implementation of ADTs

Development Graph of the Example

Stream Pro cessing Function

Simulations for Interface Interaction Renement

General Comp ositionality for the Feedback Op erator

LIST OF FIGURES

Improved Comp ositionality for the Feedback Op erator

Dialog Development with U and downward Simulations

Structure of the Library

Structure of Char

Structure of the System

Cache in the WWW

Developmentofthe WWW Server

Communication with Strings

Communication with Packets

A Structure of ADTs in HOLCF

List of Examples

Axiomatic Typ e Class per

Continuous Functions

Data Typ e List

Abstract Data Typ e List

Free Data Typ e List

Executable Data Typ e List

Farmers Theory Interpretation

Restriction Step

Premise for Recursive Typ es

Theory Interpretation with Mo dules

States for an oneelement Buer

Removing a State from a Buer

Adding a State to the Buer

Streams of Characters

Streams of Bytes

Implementation of Bo olean by Bits

Implementation of an Abstract Sub domain

Implementation of a Byte Stream

List of Denitions

Deductive Software Development Basis

Consistency

Consistency Preserving

Mo dularity

Typ e Term

Raw Term

Term

Simple Typ e Mo del

Typ e Interpretation

Mo del

Term Interpretation

Theory

Satisfaction

Data Typ e

Abstract Data Typ e

Free Data Typ e

Executable Data Typ e

Executability with Pattern Matching

Lo ose Semantics of Theories

Mo del Inclusion Basis

Homomorphism

LIST OF DEFINITIONS

General Theory Interpretation

Corresp onding Elements

Sort Translation

Constant Translation

Premises

Term Translation

Invariance and Preserving Function

Invariance Requirement

Normal

Normalization

Applied Semantics

Reduct of Typ e Mo dels

Reduct of Mo dels

Typ e Mo del Construction

Emb edding Functions

Construction Scheme

Dual Construction Scheme

Mo del Construction

Theory Interpretation Basis

Syntactic Construction Scheme

Dual Syntactic Construction Scheme

Partial Equivalence Relation

Higher Order Quotient

Observer Function

Congruence

Simple Constant Translation

Simple Term Translation

QuotientTyp e Mo del Construction

LIST OF DEFINITIONS

QuotientModelM

Simple Theory Interpretation Basis

Implementation of ADTs in HOLCF

Stream

Stream Pro cessing Function

Preserving Stream Pro cessing Function

Sequential Comp osition

Parallel Comp osition

Feedback Comp osition

Comp ositionality

Behavioural Renement

Structural Renement

Statebased Sp ecication

State Renement

Communication Channel Development

Restricted Communication Channel Development

Interface Simulations

Index

Mathematical Symbols c

Denitions and Rules

Abs

App

Con

Else

Rest

Var

Def

Rep

abstraction

Fun

d e

b c

Tau

Thm

Var

Arity

CFun

Con

FFun

abs

Rest

TC Rep

cpo

Var

Fun

rep

Tau

MOD Th

Thm

Var c

Corr

INDEX

Abs Def Satisfiability Thm

ConSel

Satisfiability

ConStrict

SelTotal

Correctness

Equal TM

Def True

TM Red

DisCases

Typ App

Discrim

Typ Var

Distinct

Def

EqObs

Def

EqRefl

Isab elle

EqStrict

EqSym

EqTotal

EqTrans

Homo

abs

Ind

and

Injective

antisym less

Int Abs

axclass

App Int

axioms

Int Con

beta cfun

Int Var

bool

Int c

cases

abs Int

consts

Int rep

cont

Inv Thm

cpo

Con Inv

datatype

Inv Def

datatype construct

Inv Fun

defs

Inv Term

defvars

Invariance

domain

MapCon

domain construct

MapId

Delta Norm

Ex Norm

fix

Norm Ext

generated by

Norm Neq

generated finite by

NormalAbs

instance

RTerm Abs

isR

App RTerm

Cobs is

RTerm Con

Var is based on RTerm

Rep is Def refinement of

INDEX

admissible lift

ADT minimal

pcpo

percpo

algebraic sp ecication

per

antisymmetry

applied semantics denition quot constructor

arity refl less

rep

automaton

stream

axiom

strict

axiomatic typ e class

subdom constructor

behaviour

term

behavioural correctness

less trans

behavioural development

behavioural implementation

behavioural renement

behavioural renement denition

behaviourally correct

bisimulation

black box

bounded implementation

Keywords

channel

abstract ADT

characteristic axiom

abstract axiom

characteristic constant

abstract comp onent

class

abstract constant

abstract data typ e

class axiom

abstract data typ e denition

co de generation

abstract function

abstract mo del

communication channel development

abstract op eration

comp onent

abstract quotient

comp ositional

abstract sort

comp ositionality

abstract sp ecication

abstract sub domain

comp ositionality denition

abstract theory

concrete ADT

abstract typ e

concrete comp onent

abstract value

concrete op eration

abstraction function

concrete quotient admissibility

INDEX

corresp onding elements denition concrete sp ecication

concrete sub domain

corresp onding function

concrete typ e

congruence

corresp onding op eration

congruence denition

corresp onding sort

conservative

corresp onding sort term

corresp onding term

conservative denition

corresp onding value

conservative extension

critical asp ect

critical systems

data construct

conservative extension denition

data renement

conservative intro duction

data typ e

consistency

consistency preserving

data typ e constructor

data typ e denition

consistency preserving denition

deductive software development

consistency denition

consistent

deductivesoftware development basis

constant

constant implementation

deductive software development basis de

nition

constant translation

deductive software development pro cess

constant translation denition

construction scheme denition

constructor

constructor function

design phase

constructor implementation

destructor

context

development

context induction

development graph

continuous

development situation

development step

continuous equality

dialog development

discriminator

continuous function

discriminator function

distributed system

continuous function space

continuous restriction predicate

distributed systems

correctness

domain

corresp onding

corresp onding constant

downward simulation

corresp onding element

INDEX

hiding dual construction scheme denition

higher order

emb edding

higher order function

higher order logic

emb edding functions denition

higher order quotient

environment

higher order typ e

equality

history

equational logic

HOL

equivalence

equivalence class

HOLCF

equivalence relation

executability

executable

executable data typ e

executable data typ e denition

HOLCF mo del

executable function

homomorphism

executable sp ecication

homomorphism denition

extensionality

implementation

feedback

feedback comp osition

feedback op erator

nite data typ e

implementation of ADT

xed point

at domain

Focus

implementation of interactive systems

formal metho d

formal semantics

implementation of state

formalization

implementation step

free data typ e

implementation denition

implication

free data typ e denition

inconsistent

function

indenite representation

functional programming language

individual translation

functional programming languages

induction

functional renement

induction rule

innite data typ e

generation principle

innite stream

glass b ox

initial

Gofer

instantiate

graphical description technique

instantiation

interaction renement Haskell

INDEX

network interactive system

noncorresp onding

interface

nonfree data typ e

interpretation

normal theory

interpretation of typ e term

normal denition

invariance

normalization

normalization denition

invariance pro of obligation

normalize

invariance requirement

normalizeable

invariance requirement denition

normalizeable denition

invariance denition

normalized

invariant

observability

Isab elle

observable

isomorphic typ es

observer

isomorphism

observer function

lazy

observer function denition

LCF

op eration

least upp er b ound

optimization

lift

parallel

lifting

parallel comp osition

lo ose

parallel comp osition denition

lo ose semantics

partial

lo ose semantics denition

partial equivalence class

partial equivalence relation map functional

partial equivalence relation denition

metho d

partial function

partial order

pattern matching

mo del

pattern matching denition

mo del construction

PER

mo del construction denition

PER denition mo del inclusion

pointed complete partial order mo del inclusion basis

p olymorphic

mo del inclusion basis denition

p olymorphic predicate

mo del denition

p olymorphism

mo dular

premise

mo dularity

premise translation

mo dularity denition

premise denition

multiple representation

preserving

multiple representations

INDEX

restriction op eration preserving function

restriction predicate preserving stream pro cessing function de

nition

program

restriction step

programming language

pro of obligation

satisfaction denition

satisability

prop erty renement

schematic translation

prototyping

scheme

selector

quotient

selector function

sequential

quotient domain

sequential comp osition

quotient mo del denition

sequential comp osition denition

quotient step

signature

simple constant translation denition

quotient typ e mo del construction deni

simple term translation

tion

simple term translation denition

quotient denition

simple theory interpretation

recursive function

reduct

simple theory interpretation basis

reduct of mo dels denition

simple theory interpretation basis deni

reduct of typ e mo dels denition

tion

renement

simple translation

simulation

renement relation

software

software development

software development pro cess

renement step

reexivity

sort constructor

representation

sort implementation

representation function

sort term

representation predicate

sort translation

requirement

sort translation denition

requirement sp ecication

sp ecication

restricted communication channel develop

ment

sp ecication language

Spectrum restriction

INDEX

total stable

total function

state

transformational software development

state renement

transitive

state renement denition

transitivity

statebased

translation

statebased denition

stream pro cessing function

truth values

typ e

stream pro cessing function denition

typ e class

stream denition

typ e constructor

strict

structural renement

typ e denition

sub class

typ e interpretation denition

sub domain

typ e mo del

typ e mo del construction denition

typ e mo del restriction

substitutive

typ e mo del denition

subtyp e

typ e restriction

symmetry

typ e term

syntactic construction scheme denition

typ e term denition

syntactic dual construction scheme de

Usimulation

nition

undersp ecication

system

system diagram

verication

term

witness

term interpretation denition

WWW server

term translation

term translation denition

term denition

theorem

theory

theory inclusion

theory interpretation

theory interpretation basis

theory interpretation basis denition

theory interpretation denition

theory denition