Multialgebras, power algebras and complete calculi of identities and inclusions

1995, Lecture Notes in Computer Science

Michal Walicki and Sigurd Meldal
Department of Informatics, University of Bergen, HiB, N-5020 Bergen, Norway
{michal,sigurd}@ii.uib.no

Abstract: After motivating the introduction of nondeterministic operators into algebraic specifications, a language L with two primitive predicates, identity and inclusion, for specifying nondeterministic operations is introduced. It is given a multialgebraic semantics which captures the singular (call-time-choice) strategy of passing nondeterministic parameters. A calculus NEQ, with restricted substitutivity rules, is introduced. NEQ is sound and complete wrt. the multialgebraic semantics. A language L+ is obtained by a slight modification of L admitting plural (run-time-choice) parameters. The multialgebraic semantics is not sufficient for modeling such parameters and it is generalized to power algebras. Augmenting NEQ with one rule for unrestricted substitutivity for the plural variables yields NEQ+, which is sound and complete wrt. the power algebra semantics.

1. Introduction

A major motivating force behind research into abstract data types and algebraic specifications is the realization that software in general and types in particular should be described ("specified") in an abstract manner. The objective is to give specifications at some level of abstraction: on the one hand leaving open decisions regarding further refinement and on the other allowing for substitutivity of modules as long as they satisfy a particular specification. We argue that the use of nondeterministic operators is an appropriate and useful abstraction tool, and more: nondeterminism is a natural abstraction concept whenever there is a hidden state or other components of a system description which are, methodologically, conceptually or technically, inaccessible at a particular level of abstraction.
Having established our motivation for using nondeterministic operators, we discuss the distinction between two modes of parameter passing: "call by value" and "call by name". In deterministic programming this distinction is well known. The former corresponds to the situation where the actual parameters to function calls are evaluated and passed as values. The latter allows parameters which are function expressions, passed by a kind of Algol copy rule [23], and which are evaluated whenever a need for their value arises. Thus call-by-name will terminate in many cases when the value of a function may be determined without looking at (some of) the actual parameters, i.e., even if these parameters are undefined. Call-by-value will, in such cases, lead to an undefined result of the call. Nevertheless, the call-by-value semantics is usually preferred in actual programming languages since it results in clearer and more tractable programs.

The nondeterministic counterparts of these two notions¹ are what we call singular (also called call-time-choice, corresponding to call-by-value) and plural (run-time-choice, corresponding to call-by-name) parameter passing [2, 7, 24]. In a context where one allows nondeterministic parameters the difference between the two semantics becomes quite obvious even without looking at their termination properties. Let us suppose that we have defined an operation g(x) as "if x=0 then 0 elseif x=1 then 1 else 2", and that we have a nondeterministic choice operation ⊔.: Set(S) → S returning an arbitrary element from the argument set.

* This work has been partially supported by the Architectural Abstraction project under NFR (Norway), by CEC under ESPRIT-II Basic Research Working Group No. 6112 COMPASS, by the US DARPA under ONR contract N00014-92-J-1928, N00014-93-1-1335 and by the US Air Force Office of Scientific Research under Grant AFOSR-91-0354.
The singular interpretation of g(⊔.{0,1}) will yield either 0 or 1, i.e., the result set of g(⊔.{0,1}) is {0,1}. The plural interpretation will give {0,1,2} as the set of possible results. (In a deterministic environment both semantics would yield the same results for this example.)

Another important difference concerns reasoning in the presence of nondeterministic operations, in particular the substitutivity property. The inside-out substitution (corresponding, roughly speaking, to singular parameters) is not associative in the nondeterministic context [3, 4], and complicates the reasoning system by requiring specific restrictions on the substitution rules [12, 25]. Plural parameters, on the other hand, admit unrestricted substitution rules and, although semantically more complex, lead to simpler reasoning systems [25]. The above observations, together with the fact that the distinction has not received a thorough algebraic treatment,² motivate our investigation.

Multialgebras, used to model singular parameters, are algebras where operations are interpreted as set-valued functions and composition is defined by pointwise extension. This reflects the fact that, when the argument to an operation is a "set" (i.e., a nondeterministic expression), the choice of denotation for the expression (i.e., which element is to be used) is made at call time, before passing the argument to the body of the operation. To model plural arguments, one has to generalize this construction and allow passing "whole sets" as arguments. This is achieved by using power algebras: algebras with carriers being (subsets of) power sets, and with operations mapping sets to sets (which in this setting are just the elements of the carriers).

In section 2 we give a general motivation for introducing nondeterministic operators as specification tools.
In section 3 we define the language for specifying nondeterministic operators and its multialgebraic semantics, which allows us to present, in section 4, two examples illustrating the usefulness of nondeterminism in achieving appropriate levels of abstraction. In section 5 we introduce a sound and complete calculus and discuss some of its features. Then we present an algebraic perspective on the distinction between the singular and plural passing of nondeterministic parameters. In section 6 the multialgebraic semantics for singular parameters is generalized to power algebras capable of modeling plural parameters. The corresponding sound and complete extension of the calculus is discussed in section 7. A comparison of both semantics in section 8 is guided by the similarity of the respective calculi. We indicate the increased complexity of the power algebra semantics, reflecting the problems with the intuitive understanding of plural arguments. We also point out that plural variables can be used meaningfully to increase the expressibility of the specification formalism even if all operations have only singular arguments. The main (completeness) proofs are quite long and involved. The space limitation does not allow us to include them here, but all the proofs may be found in [26].

¹ We are not focusing here on the related distinctions (such as eager vs. lazy, IO vs. OI evaluation), discussion of which is beyond the scope of this paper.
² Unified algebras [19, 20] of P.D. Mosses, and rewriting logic [17, 16] of J. Meseguer handle both kinds of parameters. However, they do it in a highly non-standard, albeit elegant, way. We feel that multi- and power algebras stay closer to the traditional algebraic framework.

2. Nondeterministic Operators as Specification Tools

There are essentially two reasons why one might want to include the concept of nondeterminism in the traditional algebraic specification methods:
(1) Real nondeterminism.
The system being specified really is nondeterministic: its behavior is not fully predictable, nor fully reproducible.
(2) Representational nondeterminism. The behavior of the system being specified may be fully predictable in its final implementation (i.e., deterministic), but it may not be so at the level of abstraction of the specification.

Though many think of representational nondeterminism as identical to underspecification, they turn out to be technically and conceptually quite distinct (as we shall see shortly). Whether the world really is nondeterministic or not we leave to the physicists and philosophers to ponder. A computer system in isolation certainly is deterministic: when started from a particular state (given in full detail) twice, both executions will demonstrate identical behavior. Possible sources of perceived nondeterminism lie only in the unpredictability of the environment, such as hardware failures or human factors. Considering all such factors as parts of the total state given in full detail may obviate the perceived nondeterminism, but leads to undesirable complexity, and is possible only in principle.

The primary argument in favor of accepting nondeterministic operators is instrumental, and identical to the credo of the abstract data type community: one should specify a system only in such detail that any implementation satisfying the specification also satisfies the user, and no more. It turns out that nondeterministic operators ease the process of specifying systems by allowing one to disregard irrelevant aspects, be they external influences or implementation details, and thus reduce the danger of overspecification resulting from technical rather than methodical reasons.

For purposes of discussion it may be convenient to further identify three variants of representational nondeterminism: (1) abstraction from hidden state, (2) abstraction from time, and (3) abstraction from external entities.
Though dealt with uniformly within our framework, these have often been considered distinct. In particular, the introduction of nondeterminism as a result of abstraction from time is usually taken as a given in the process algebra community, without thereby necessarily accepting abstraction over state as requiring nondeterminism for specification purposes.

How does this use of nondeterminism differ from the usual notion of underspecification? Consider for a moment a choice function ⊔ from sets of integers to integers, returning one of the elements of the set: for instance, ⊔.{0,1} may return either of the values 0 and 1. If ⊔ were just an underspecified function, then we would have that ⊔.{0,1} = ⊔.{1,0}, since the arguments of the function are equal (though not syntactically identical) in the two terms. In practical terms, this would require the choice operator always to return the same value when applied to a particular set, i.e., ⊔.{0,1} is always 0, or always 1. However, this kind of underspecification does not allow for abstraction from (conceptually) invisible entities that might influence the choice (such as a hidden state, timing or interaction with a human being). E.g., if set values were implemented as unordered sequences with new elements always added to the front of the sequence, this underspecified description of the choice function would disallow using a simple implementation of choice as the head function, since such an implementation would sometimes return the value 0, sometimes the value 1, when applied to the set {0,1}, depending on which of the two elements was added first. If we were to treat ⊔ as a nondeterministic operator, on the other hand, then such a straightforward implementation (though deterministic) would be quite acceptable (both formally and according to the usual intuition about the requirements of an operator picking some element from a set).
Similarly, if the implementation of the choice function asked a human operator to pick an element, then one would encounter the same difficulty: the behavior of human beings may be deterministic, but even were that the case, their inner state determining that behavior is not available for inspection. A specification needs to abstract away from that inner state, and nondeterminism is the right concept for doing that. And similarly again, if the choice depended upon timing properties (e.g., the set was distributed among a number of processors, and the choice function simply queried them all, returning the first (in terms of time) value returned to it by one of these processors), the abstraction away from timing properties would introduce a seeming nondeterminism.

In order to make further examples more understandable, we have to introduce a formal language for specifying (possibly nondeterministic) operators and its semantics.

3. The Language L and the Multialgebra Semantics

A specification is a pair (Σ, Π), where the signature Σ is a pair of sets (S, F) of sorts S and operation symbols F (with argument and result sorts in S). There exists a denumerable set V of variables for every sort. For any syntactic entity (term, formula, set of formulae) X, V[X] will denote the set of variables in X. The set of terms over the signature Σ and a variable set X is denoted W_{Σ,X}. We always assume that the set of ground terms of every sort S, S_{WΣ}, is not empty.¹ Π is a set of sequents of atomic formulae written as a1,...,an ⊢ e1,...,em. The left hand side of ⊢ is called the antecedent and the right hand side the consequent, and both are to be understood as sets of atomic formulae (i.e., the ordering and multiplicity of the atomic formulae do not matter). In general, we allow either antecedent or consequent to be empty, in which case ∅ is usually dropped in the notation.
A sequent with exactly one formula in the consequent (m=1) is called a Horn formula, and a Horn formula with empty antecedent (n=0) is a simple formula (or a simple sequent). An atomic formula is either an equation, t=s, or an inclusion, t≺s, of terms t, s ∈ W_{Σ,X}. All variables occurring in a sequent are implicitly universally quantified over the whole sequent. For a specification SP=(Σ, Π), L(SP) is the restriction of L to W_{Σ,V}.

¹ We do not address the problem of empty sorts here and will present calculi which work under the assumption that sorts are not empty. We use signatures with at least one constant for every sort, but other ways of approaching this problem [5, 6, 11] seem to be compatible with our framework.

The semantics of L specifications uses multistructures. Our definitions are very similar to those used by other authors [9, 12, 13, 21] except for the notion of equality. Also, we provide the means to interpret the occurrences of terms in L as applications of (possibly nondeterministic) operations rather than, as is usually the case, as the sets of possible results.

Definition 3.1 (Multistructures). Let SP be an L specification. M is an SP-multistructure if
1. its carrier |M| is an S-sorted set, and
2. for every f: S1 × ... × Sn → S in F there is a corresponding function f_M: S1_M × ... × Sn_M → P+(S_M), where P+ denotes the power set with the empty set excluded.
We let MStr(SP) denote the class of SP-multistructures. It has the distinguished term structure:

Definition 3.2 (Term multistructure). The term multistructure W_Σ for a specification SP=(Σ, Π) is defined as:
1. for each S ∈ S, S_{WΣ} is the set of ground terms of sort S,
2. for each f: S1 × ... × Sn → S in F and ti ∈ Si_{WΣ}: f_{WΣ}(t1...tn) = {f(t1...tn)}.

It is a known fact that, in the general case, one cannot guarantee the existence of initial multimodels. Hußmann [12] has shown that even if we restrict L to simple formulae such multimodels may not exist.
Therefore we admit general, and not only Horn, formulae in the specifications and will consider the whole class of multimodels of a specification.¹ The significance of the term multistructure is then summarized in

Lemma 3.3. If M is an SP-multistructure then for every set X of variables and assignment β: X → |M|, there exists a unique function β[_]: W_{Σ,X} → P+(|M|) such that:
β[x] = {β(x)}, β[c] = c_M, and β[f(t1...tn)] = ∪{ f_M(t1'...tn') | ti' ∈ β[ti] }.

Application of multialgebraic operations to sets is defined by pointwise extension. Consequently, all operations in multistructures are ⊆-monotonic, i.e., β[s] ⊆ β[t] ⇒ β[f(s)] ⊆ β[f(t)].

Definition 3.4. An SP-multistructure M satisfies an L(SP) sequent π: t1=s1, ..., tj≺sj ⊢ p1=r1, ..., pm≺rm, written M ⊨ π, iff for every assignment β: X → |M| we have
β[t1] ≐ β[s1] ∧ ... ∧ β[tj] ⊆ β[sj] ⇒ β[p1] ≐ β[r1] ∨ ... ∨ β[pm] ⊆ β[rm]
where A ≐ B iff A and B are the same 1-element set. An SP-multimodel is an SP-multistructure which satisfies all the axioms of SP. MMod(SP) denotes the class of multimodels of SP.

¹ For a discussion of initiality the reader is referred to [12, 25]. All the results reported in this paper remain valid for the specification language restricted to Horn formulae.

As a consequence of this definition, = is not an equivalence relation (it is not reflexive). ⊢ t=t holds in a multialgebra M only if t_M has exactly one element, i.e., if the term t is deterministic. Of course, the set equality of two terms is expressible as two inclusions: ⊢ s≺t and ⊢ t≺s. Note that all variables are used singularly, i.e., they range over individuals (1-element sets) and not over arbitrary sets. In particular, assignments in lemma 3.3 and definition 3.4 assign to each variable a 1-element set.
This fact is utilized to distinguish between the result set of an operation (which is represented by the corresponding term) and the result returned by a particular application of the operation, as the following example illustrates.

Example 3.5. The axiom ⊢ x⊔y=x, x⊔y=y would make the binary choice operation _⊔_: S × S → S deterministic (though underspecified). It says that (for any value of x, y) the set x⊔y is either the same as the 1-element set x or y. In order to make ⊔ a nondeterministic choice we have to say that any application of x⊔y returns either x or y. This is expressed by the axiom: z≺x⊔y ⊢ z=x, z=y.

4. Two Examples

Consider the problem of generating a depth-first traversal tree of nodes reachable from a particular node in a directed graph. The algorithm is found in standard algorithms textbooks (e.g. [15]), and is often given imperatively along the following lines (G is the graph, v is the start node, T is the traversal tree being created and edges are ordered pairs of nodes):

Example 4.1.a
  DFS(G,v) = begin T := ∅; trav(G,v,T); return T; end;
  trav(G,v,T) = begin
    mark v;
    for all edges (v,x) do
      if x is unmarked then trav(G,x,T); T := T ∪ (v,x); endif;
    endloop;
  end;

Now, consider an equational definition of DFS as a deterministic function. Let the function n(_,_): Graph × Node → Set(Node) return the set of neighbors of a node in a given graph.

Example 4.1.b  G,v,T,S,x ∈ V:
  ⊢ DFS(G,v) = trav(G,v,∅)
  n(G,v) = ∅ ⊢ trav(G,v,T) = T
  n(G,v) = add(S,x), x ∈ T = True ⊢ trav(G,v,T) = trav(G\{(v,x)}, v, T)
  n(G,v) = add(S,x), x ∈ T = False ⊢ trav(G,v,T) = trav(G\{(v,x)}, v, trav(G\{(v,x)}, x, T∪{(v,x)}))
(The element tests check whether a node is in the tree (i.e., marked) already.) This definition looks plausible only as long as we do not inspect the Set sort.
Adding elements to a set should be commutative, so we have that ⊢ add(add(S,x),y) = add(add(S,y),x). But then we also obtain
  trav(add(add(G,(v,a)),(v,b)), v, ∅) = trav(add(add(G,(v,b)),(v,a)), v, ∅)
In other words, for the graph in the figure [figure not reproduced in this copy], this identification was not at all the intention: it collapses distinct tree values. The problem is that the internal structure of the set value (in this case, the definition of DFS in terms of adding elements to the set) intrudes into the specification, quite contrary to the central tenet of abstract specifications. An abstract definition of the DFS operator could be

Example 4.1.c  G,v,T,S,x,y ∈ V:
  ⊢ DFS(G,v) ≺ trav(G,v,∅)
  n(G,v) = ∅ ⊢ trav(G,v,T) = T
  n(G,v) = add(S,y), x ≺ ⊔.n(G,v), x ∈ T = True ⊢ trav(G,v,T) ≺ trav(G\{(v,x)}, v, T)
  n(G,v) = add(S,y), x ≺ ⊔.n(G,v), x ∈ T = False ⊢ trav(G,v,T) ≺ trav(G\{(v,x)}, v, trav(G\{(v,x)}, x, T∪{(v,x)}))

Though the specification still makes use of the structure of the set-generator functions, this no longer intrudes into the valuation of the function itself beyond ensuring a distinction between empty neighbor sets and non-empty ones. The variable x denotes the result of an arbitrary choice among these neighbors. The resultant definition defines the function without being concerned with (or specifying) the internal, representational structure of the graph. We no longer collapse "distinct" trees; instead we only get the following (and plausible) result, that DFS-traversal will generate one of two trees: [figure: trav(G, v, ∅) ≺ the two trees, not reproduced in this copy].

In general, iterating over sets or other structures is a natural operation, even when there is no intrinsic total order on the elements of such a structure. Such iteration is often deterministic, but representation-dependent, and if the iteration operation is specified as deterministic then we get an overspecification.
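The result set of the nondeterministic traversal of Example 4.1.c, computed by exploring every possible choice of x. This is an added example and not code from the paper; the graph (v → a, v → b, a → b) is constructed here, since the paper's figure is not reproduced in this copy, and the deterministic dfs_fixed_order is one admissible refinement of the nondeterministic specification.

```python
"""All depth-first traversal trees of a directed graph when the order in
which a node's neighbors are visited is left unspecified (Example 4.1.c).
Added example (not from the paper): trav picks an arbitrary neighbor x and
the set of all possible traversal trees is obtained by exploring every
such choice, i.e. by computing the result set of the nondeterministic
trav pointwise, as a multialgebra would."""
from typing import Callable, Dict, FrozenSet, Set, Tuple

Edge = Tuple[str, str]
Tree = FrozenSet[Edge]
Graph = Dict[str, Set[str]]      # node -> n(G, v), the set of its neighbors


def without_edge(g: Graph, v: str, x: str) -> Graph:
    """G \\ {(v, x)}: the graph with one edge removed (G itself is unchanged)."""
    g2 = {u: set(ws) for u, ws in g.items()}
    g2[v].discard(x)
    return g2


def marked(x: str, tree: Tree, root: str) -> bool:
    """x in T: a node is marked once an edge of the tree reaches it. The start
    node counts as marked, as in the imperative version (Example 4.1.a)."""
    return x == root or any(x in edge for edge in tree)


def trav(g: Graph, v: str, tree: Tree, root: str) -> Set[Tree]:
    """All values of trav(G, v, T) when the neighbor x is chosen arbitrarily."""
    nb = g.get(v, set())
    if not nb:                                   # n(G, v) = {}  =>  trav = T
        return {tree}
    results: Set[Tree] = set()
    for x in nb:                                 # x <| U.n(G, v): every choice
        g2 = without_edge(g, v, x)
        if marked(x, tree, root):
            results |= trav(g2, v, tree, root)
        else:
            # trav(G\{(v,x)}, v, trav(G\{(v,x)}, x, T U {(v,x)})): the inner
            # call is itself set-valued, so the outer call is applied pointwise
            for inner in trav(g2, x, tree | {(v, x)}, root):
                results |= trav(g2, v, inner, root)
    return results


def dfs(g: Graph, v: str) -> Set[Tree]:
    """DFS(G, v) <| trav(G, v, {}): the set of all possible traversal trees."""
    return trav(g, v, frozenset(), v)


def dfs_fixed_order(g: Graph, v: str,
                    pick: Callable[[Set[str]], str] = min) -> Tree:
    """A deterministic implementation that always visits neighbors in a fixed
    order (by default the smallest name first). Its single result is one
    element of the result set computed by dfs."""
    tree: Set[Edge] = set()
    g = {u: set(ws) for u, ws in g.items()}

    def go(u: str) -> None:
        while g.get(u):
            x = pick(g[u])
            g[u].discard(x)
            if not marked(x, frozenset(tree), v):
                tree.add((u, x))
                go(x)

    go(v)
    return frozenset(tree)


# Constructed sample graph: v -> a, v -> b, a -> b
SAMPLE: Graph = {"v": {"a", "b"}, "a": {"b"}, "b": set()}

if __name__ == "__main__":
    for t in sorted(dfs(SAMPLE, "v"), key=sorted):
        print(sorted(t))       # two trees: {(v,a),(a,b)} and {(v,a),(v,b)}
```

Choosing a first yields the tree {(v,a),(a,b)}, choosing b first yields {(v,a),(v,b)}; the deterministic definition of Example 4.1.b would identify these two.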
The possibility to ignore the representation-dependent structure of the specified data is one of the fundamental requirements for a specification formalism.

The last small example illustrates another aspect of the abstraction potential inherent in nondeterminism. Abstracting over time is such a natural thing to do that many consider timing dependencies as representing real nondeterminism. However, time is just another component of state, and abstraction over time could therefore be handled similarly to abstraction over state in general. As an example of how time can be removed from consideration in a specification, consider the specification of a merge function m. Its arguments are two streams of data, and the result a new stream which is a merger of the two (here the metric aspects of time have been removed, leaving time only in a vestigial form as a total order for each of the input and output streams, ignoring even the relative ordering of elements in distinct streams) (e.g. in [10, 18] and related works). Let M be a function with only one input stream, but constructed from m with the output stream fed back as one of the input streams of m (see figure) [figure not reproduced in this copy]. A specification of these two functions could be (where ^ is the concatenation operator on streams and ε is an empty stream):

Example 4.2  q,p,x,y,r ∈ V:
  ⊢ m(ε,q) = q
  ⊢ m(q,ε) = q
  r ≺ m(x^q, y^p) ⊢ r ≺ x^m(q, y^p), r ≺ y^m(x^q, p)
  r ≺ M(x^q) ⊢ r ≺ x^m(q, r)

As we can see, m is deterministic when there is only one non-empty input stream. But if there are two, then the first element of the result stream (r) is the first element of one or the other of the two input streams. When we construct the feedback function M, then any nonempty input stream results in an infinite output stream, but the composition of the output is not determined: that would reflect the timing property of the function evaluation and of the input, which we have abstracted. Again, the abstraction shows up as nondeterminism.
It may be an interesting exercise for the reader to convince himself that the above specification yields the intended meaning for the M operator and does not lead to the classical merge anomalies [11, 14]. The example is discussed in more detail in [25].

Finally, we can mention that the close relation between nondeterministic terms and sets makes it possible to use the former to define and handle subsorting directly at the term level. This is the basic intuition behind the framework of unified algebras [19, 20] and can also be done within the formalism we have introduced here.

5. The Calculus NEQ

The last axiom in the merge example 4.2 uses the variable r to specify the desired properties of each possible result produced by the M operator. It says that any such r is obtained by taking the first element x of the input sequence and then merging the rest of the input sequence with r itself. This is different from the axiom obtained by replacing the occurrences of r with M(x^q):
  ⊢ M(x^q) ≺ x^m(q, M(x^q))
which, plausible as it may seem, creates the usual merge anomalies. This illustrates the inherent problem of reasoning with nondeterminism, namely, unsoundness of unrestricted substitution of terms for variables. In our formalism we handle this problem by turning = into a partial equivalence relation and allowing substitution of a term t for a variable only if ⊢ t=t is derivable (rule SB). The rules of the calculus NEQ are given below; X^a_b denotes X with b substituted for a.

R1:  ⊢ x=x
R2:  from Γ^x_t ⊢ Δ^x_t and Γ' ⊢ s=t, Δ' infer Γ^x_s, Γ' ⊢ Δ^x_s, Δ'
R3:  from Γ ⊢ Δ^x_t and Γ' ⊢ s≺t, Δ' infer Γ, Γ' ⊢ Δ^x_s, Δ'    (x ∈ V; x not in a RHS¹ of ≺)
R4:  e ⊢ e
R5 (CUT):  from Γ ⊢ Δ, e and Γ', e ⊢ Δ' infer Γ, Γ' ⊢ Δ, Δ'
R6 (WEAK):  a) from Γ ⊢ Δ infer Γ ⊢ Δ, e    b) from Γ ⊢ Δ infer Γ, e ⊢ Δ
R7 (ELIM):
  a) from Γ, x≺t ⊢ Δ infer Γ^x_t ⊢ Δ^x_t
     with: x ∈ V\V[t]; at most one x in Γ ⊢ Δ; x in Γ isn't in the RHS of ≺
  b) from Γ, x≺t, y≺r ⊢ Δ infer Γ, y≺r^x_t ⊢ Δ
     with: x ∈ V\V[t], y ∈ V; no x in Γ ⊢ Δ; at most one x in r; x and y are distinct variables

¹ RHS, resp. LHS, stand for right, resp. left, hand side.
The rule R1 expresses the fact that only variables are guaranteed to be deterministic. The restriction on R3 prevents one, for instance, from drawing the unsound conclusion s≺p from the premises s≺t and p≺t. The R7 rules allow one to eliminate a redundant binding x≺t, replacing x by t. Since x refers to one and the same value, such a replacement requires that there be at most one occurrence of x. Otherwise we could, for instance, derive ⊢ t=t (for arbitrary t) from x≺t ⊢ x=x by a single application of R7a. A similar problem would occur if we removed the second or third restriction from R7b. The other restrictions are of a purely technical character. Allowing x to occur in t would, for instance, lead to the unsound deduction (using R7a) of t(x) = 1 from x≺t(x), x = 1. The last restriction in R7a excludes the special case which is related to the singular semantics and is treated by R7b.

As an example of the semantic import of these rules we give a few derived rules:

NE:  from x≺t ⊢ infer ⊢    (restrictions as for R7a; terms represent non-empty sets)
SI:  from x≺t, s≺r ⊢ and ⊢ s=s infer s≺r^x_t ⊢    (restrictions as for R7b; arguments are singular)
SB:  from Γ ⊢ Δ and Γ' ⊢ t=t, Δ' infer Γ^x_t, Γ' ⊢ Δ^x_t, Δ'    (variables are replaceable by deterministic terms)

The rule SI can be rephrased as ∀x (x ∈ t ⇒ s ∉ r(x)) ⇒ s ∉ r(t) which, read contravariantly, says: if s is in the result set of r(t) then there exists an individual x ∈ t such that s is in the result set r(x), i.e., the argument t to r is singular.

The main theorem states soundness and completeness of NEQ wrt. the multialgebraic semantics:

Theorem 5.1. For every specification SP=(Σ, Π) and sequent π ∈ L(SP): MMod(SP) ⊨ π iff Π ⊢_NEQ π.

6. Power Algebras

Singular arguments have the usual algebraic property that they refer to a unique value. This corresponds to evaluation at the moment of substitution and passing the result to the following computation. Plural arguments, on the other hand, are best understood as textual parameters.
They are not passed as a single value, but the expression receiving them is first expanded and evaluation takes place only when the expansion is completed. To capture this possibility we have to extend the multialgebra semantics to power algebras, where operations map sets to sets. We will allow both singular and plural parameter passing in any one specification. The corresponding semantic distinction will be between the power set functions which are merely ⊆-monotonic and those which also are ∪-additive.

In the language we merely introduce a notational device for distinguishing the singular and plural arguments. We allow annotating the sorts in the profiles of the operations by a superscript, as in S+, to indicate that an argument is plural. Furthermore, we partition the set of variables into two disjoint subsets of singular, X, and plural, X+, variables; x and x+ are to be understood as distinct symbols. We will say that an operation f is singular in the i-th argument iff the i-th argument (in its signature) is singular. The specification language extended with such annotations of the signatures will be referred to as L+. By a singular specification we will mean one where all arguments to all operations are singular.

Definition 6.1. Let each Si be the power set of some underlying set Si', i.e., Si = P(Si'). A function f: S1 × ... × Sn → S is ∪-additive in the i-th argument iff for all xi ∈ Si and all xk ∈ Sk (for k ≠ i): f(x1...xi...xn) = ∪{ f(x1...{x}...xn) | x ∈ xi }.

Definition 6.2. Let Σ be an L+-signature. A is a Σ-power structure, A ∈ PStr(Σ), iff A is a (deterministic) structure such that:
1. for every S ∈ S, the carrier S_A ⊆ P+(S') for some underlying set S',
2. for every f: S1 × ... × Sn → S in Σ, f_A is a ⊆-monotonic function S1_A × ... × Sn_A → S_A such that, if the i-th argument of f is singular, then f_A is additive in the i-th argument.
Note the unorthodox point in definition 6.2: we do not require the carrier of a power structure to be the whole power set but allow it to be a subset of some power set. All finite subsets are needed, for instance, if one assumes a primitive nondeterministic choice with the predefined semantics of set union. We do not assume anything of the kind and expect that quite many meaningful specifications may do very well without all possible subsets. In addition, using full power sets as carriers would always yield unreachable structures whenever the underlying set is infinite.

Given an f: S × S+ → T, we will say that an actual argument at the first position has a singular occurrence. E.g., in f(t,t), the first t has a singular, and the second one a plural occurrence. More precisely:

Definition 6.3. a has a singular occurrence in a term t iff one of the following holds (≡ denotes syntactical identity):
1. t ≡ a,
2. t ≡ f(...,a,...) and f is singular in the argument corresponding to a,
3. t ≡ f(t1,...,tn) and a has a singular occurrence in one of the ti.

The first point is included for technical reasons: the definition will be used to specify additional restrictions on the application of some reasoning rules. To define satisfiability of formulae by a power structure we only need to extend the definition of an assignment.

Definition 6.4. Let X be a set of singular and X+ a set of plural variables. By an assignment into a power structure A we mean a function β: X ∪ X+ → |A| such that, for all x ∈ X, |β(x)| = 1.

If β is as in this definition, then every term t(x,x+) ∈ W_{Σ,X,X+} has a unique set interpretation β[t(x,x+)] in A, defined as t_A(β(x), β(x+)). Satisfiability of sequents over L+(Σ,X,X+) by a power structure is then defined exactly as before (def. 3.4) and the class of power models of a specification SP is denoted PMod(SP).
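The introductory example g(⊔.{0,1}) and the ∪-additivity of Definition 6.1 worked through together, as an added example that is not code from the paper: a small set-valued interpreter evaluates g with its argument read singularly (pointwise extension, as in Lemma 3.3) and plurally (the whole set bound to the variable, as in Definition 6.4), and the resulting set-to-set functions are tested for additivity. The term representation, the primitive operations and the checker are assumptions of this example.

```python
"""Singular vs plural parameter passing, and the U-additivity that tells the
two readings apart. Added example (not code from the paper): a small
set-valued interpreter for the introductory term g(0 U 1), where
    g(x) = if x = 0 then 0 elseif x = 1 then 1 else 2,
evaluated once with x singular (multialgebra reading: call-time choice) and
once with x plural (power algebra reading: run-time choice); the induced
set-to-set functions are then checked against Definition 6.1."""
from itertools import combinations, product
from typing import Callable, Dict, FrozenSet, Iterable, Tuple, Union

# Term representation (constructed for this example):
#   int/bool literal -> deterministic term, denoting a 1-element set
#   str              -> variable
#   tuple            -> application (op_name, arg_term, ...)
Term = Union[int, bool, str, tuple]
SetFn = Callable[..., FrozenSet]


def lift(f: Callable[..., FrozenSet]) -> SetFn:
    """Pointwise extension (Lemma 3.3): a set-valued operation on individuals
    becomes a function on sets by taking the union over all tuples of
    individuals drawn from the argument sets. Every function obtained this
    way is U-additive in each of its arguments."""
    def lifted(*arg_sets: FrozenSet) -> FrozenSet:
        out: set = set()
        for tup in product(*arg_sets):
            out |= f(*tup)
        return frozenset(out)
    return lifted


# Primitive operations on individuals; each returns the SET of its possible
# results. "choice" is the binary x U y of Example 3.5 (z <| x U y |- z=x, z=y)
# and is the only nondeterministic primitive.
PRIMS: Dict[str, SetFn] = {
    "eq":     lift(lambda a, b: frozenset({a == b})),
    "ite":    lift(lambda c, a, b: frozenset({a if c else b})),
    "choice": lift(lambda a, b: frozenset({a, b})),
}

# User-defined operations: name -> (argument mode, parameter name, body term)
Defs = Dict[str, Tuple[str, str, Term]]

# g(x) = if x = 0 then 0 elseif x = 1 then 1 else 2
G_BODY: Term = ("ite", ("eq", "x", 0), 0, ("ite", ("eq", "x", 1), 1, 2))


def evaluate(term: Term, env: Dict[str, FrozenSet], defs: Defs) -> FrozenSet:
    """Set interpretation of a term under an assignment env (variable -> set).
    A singular variable is bound to a 1-element set, a plural variable may
    be bound to any non-empty set (Definition 6.4)."""
    if isinstance(term, str):
        return env[term]
    if not isinstance(term, tuple):
        return frozenset({term})
    op, *args = term
    arg_sets = [evaluate(a, env, defs) for a in args]
    if op in PRIMS:
        return PRIMS[op](*arg_sets)
    mode, param, body = defs[op]
    (arg_set,) = arg_sets
    if mode == "plural":
        # run-time choice: the whole result set of the argument is bound to
        # the parameter; every occurrence of it in the body chooses on its own
        return evaluate(body, {**env, param: arg_set}, defs)
    # call-time choice: one individual is picked before the body is entered;
    # the result set is the union over all possible picks
    out: set = set()
    for v in arg_set:
        out |= evaluate(body, {**env, param: frozenset({v})}, defs)
    return frozenset(out)


def result_set(mode: str, arg: Term = ("choice", 0, 1)) -> FrozenSet:
    """Result set of g(arg) when g's argument is read as singular or plural;
    with the default argument this is the paper's g(0 U 1)."""
    defs: Defs = {"g": (mode, "x", G_BODY)}
    return evaluate(("g", arg), {}, defs)


def g_as_set_function(mode: str) -> Callable[[FrozenSet], FrozenSet]:
    """The set-to-set function g_A induced by the chosen argument mode."""
    defs: Defs = {"g": (mode, "x", G_BODY)}
    return lambda xs: evaluate(("g", "x"), {"x": xs}, defs)


def is_additive(f: Callable[[FrozenSet], FrozenSet], universe: Iterable) -> bool:
    """Definition 6.1 for a unary f over the non-empty subsets of universe:
    f(X) must equal the union of f({x}) over x in X, for every such X."""
    elems = list(universe)
    for r in range(1, len(elems) + 1):
        for combo in combinations(elems, r):
            xs = frozenset(combo)
            pointwise = frozenset().union(*(f(frozenset({x})) for x in xs))
            if f(xs) != pointwise:
                return False
    return True


if __name__ == "__main__":
    print("singular:", sorted(result_set("singular")))   # [0, 1]
    print("plural:  ", sorted(result_set("plural")))     # [0, 1, 2]
    for mode in ("singular", "plural"):
        print(mode, "additive:", is_additive(g_as_set_function(mode), [0, 1, 2]))
```

The singular reading is additive by construction (it is the pointwise extension of g on individuals), whereas the plural reading is only ⊆-monotonic: g({0,1}) = {0,1,2} strictly contains g({0}) ∪ g({1}) = {0,1}, which is exactly the distinction Definition 6.2 draws between singular and plural argument positions.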
Since functions from A to P+(B) are isomorphic to ∪-additive functions from P+(A) to P+(B), [A → P+(B)] ≅ [P+(A) →∪ P+(B)], we may consider every multistructure A to be a power structure A+ by taking |A+| = P+(|A|) and extending all operations in A pointwise. We then have the obvious

Lemma 6.5. Let SP be a singular specification, A ∈ MStr(SP), and π be a sequent in L(SP). Then A ⊨ π iff A+ ⊨ π, and so A ∈ MMod(SP) iff A+ ∈ PMod(SP).

7. The Calculus NEQ+ for Join Semantics

We let V[t] be the set of singular and V+[t] the set of plural variables in t. Rules R1–R7 are as in NEQ (except for a new restriction in R7), but now all terms ti belong to W_{Σ,X,X+}. In particular, any ti may be a plural variable. As before, X^a_b denotes X with b substituted for a.

R1:  ⊢ x=x    (x ∈ V)
R2:  from Γ^x_t ⊢ Δ^x_t and Γ' ⊢ s=t, Δ' infer Γ^x_s, Γ' ⊢ Δ^x_s, Δ'
R3:  from Γ ⊢ Δ^x_t and Γ' ⊢ s≺t, Δ' infer Γ, Γ' ⊢ Δ^x_s, Δ'    (x ∈ V; x not in a RHS of ≺)
R4:  e ⊢ e
R5 (CUT):  from Γ ⊢ Δ, e and Γ', e ⊢ Δ' infer Γ, Γ' ⊢ Δ, Δ'
R6 (WEAK):  a) from Γ ⊢ Δ infer Γ ⊢ Δ, e    b) from Γ ⊢ Δ infer Γ, e ⊢ Δ
R7 (ELIM):
  a) from Γ, x≺t ⊢ Δ infer Γ^x_t ⊢ Δ^x_t
     with: x ∈ V\V[t]; at most one x in Γ ⊢ Δ; x in Γ isn't in the RHS of ≺; the occurrence of x is singular
  b) from Γ, x≺t, y≺r ⊢ Δ infer Γ, y≺r^x_t ⊢ Δ
     with: x ∈ V\V[t], y ∈ V; no x in Γ ⊢ Δ; at most one x in r; the occurrence of x in r is singular; x and y are distinct variables
R8 (SUBP):  from Γ ⊢ Δ infer Γ^{x+}_t ⊢ Δ^{x+}_t

We used R7b from NEQ to derive SI, which expressed singularity of all arguments. Therefore, in NEQ+ we need an additional restriction to make sure that the substitution for x takes place only at the arguments which are singular. The derived rules MO, NE, SB are the same as for NEQ, but SI is now restricted to the singular occurrences of x. The new rule R8 expresses the semantics of plural variables. It allows us to substitute an arbitrary term t for a plural variable x+. Taking t to be a singular variable x, we can thus exchange plural variables in a provable sequent π with singular ones. The opposite is, in general, not possible because rule R1 applies only to singular variables.
Thus a plural variable x⁺ will satisfy ⊢ x⁺ ≺ x⁺, but this is not sufficient for performing a substitution for a singular variable according to SB. The result corresponding to theorem 5.1 is:

Theorem 7.1. For any L⁺-specification SP and L⁺(SP) sequent π: PMod(SP) ⊨ π iff ⊢_{NEQ⁺} π.

8. Singular vs. Plural, Arguments vs. Variables

NEQ⁺ has the additional rule R8, which could suggest that more formulae are derivable with it than with NEQ. This would run counter to lemma 6.5 and to the intuition that power models form a more general class than multimodels. There is no contradiction, however, because what actually limits the number of derivations in NEQ⁺ is the additional restriction on rule R7. For instance, having operations g: S → T and f: S⁺ → T, we may in both calculi prove:

    x ≺ t, y ≺ g(x) ⊢    ⟹ (R7b)    y ≺ g(t) ⊢

Replacing g with f in the assumption would disallow the analogous conclusion in NEQ⁺, since the occurrence of x in f(x) is plural. Rule R8, admitting instantiation of plural variables, is useful only if the axioms of the specification contain such variables. Axioms with plural variables can also be viewed as axiom schemata for axioms without such variables. From the logical point of view, the axiom ⊢ f(x⁺) ≺ r(x⁺,x⁺) leads to the same formulae (without plural variables) as the set of axioms { ⊢ f(t) ≺ r(t,t) | t ∈ W_{Σ,X} }. Thus we can see that rule R7⁺ is concerned with plural arguments, while rule R8 is concerned with plural variables. In fact, introducing plural arguments does not force one to use plural variables and, on the other hand, axioms containing plural variables can be used even if all operations are singular. We may set up the relations between the use of singular/plural variables/arguments and the associated sound and complete reasoning systems in the following way (R7⁺ denotes R7 with the restrictions from NEQ⁺):

                          variables
                          singular          plural
    arguments  singular   1: NEQ            3: NEQ, R8
               plural     2: NEQ, R7⁺       4: NEQ⁺

If a specification contains only singular variables, then NEQ is sufficient for proving all its consequences if all operations are singular (1); if some arguments are plural (2), then we have to use the more restricted version R7⁺. Obviously, we have that 2 ⊆ 1 and 4 ⊆ 3. If all operations are singular, then we may still use plural variables in the formulae and need to extend NEQ with the rule R8 (3). In this case we have to consider multialgebras as power algebras with all operations being additive (according to lemma 6.5), in order to obtain a proper notion of assignment to the plural variables. In fact, this is the alternative we would prefer in general, unless one is explicitly interested in the specification of plural arguments. We feel that this combination of the singular semantics of parameter passing with the use of plural variables gives us both the simplicity of multialgebras (as compared to power algebras) and increased expressive power in writing specifications, as illustrated by the following example.

Example 8.1. Consider the following (singular) specification of binary choice ∪: S × S → S as the join operator:

    ⊢ x⁺ ≺ x⁺ ∪ y⁺
    ⊢ y⁺ ≺ x⁺ ∪ y⁺
    x⁺ ≺ z⁺, y⁺ ≺ z⁺ ⊢ x⁺ ∪ y⁺ ≺ z⁺

An analogous attempt to specify join with singular variables only would fail, because the last axiom would then be x ≺ z, y ≺ z ⊢ x ∪ y ≺ z, which is equivalent to ⊢ z ∪ z = z (the singular premises force x = y = z). This observation indicates that plural variables may be an alternative to the disjunctions which had to be used for the specification of choice in example 3.5. □

9. Conclusions and Further Work

We have introduced a formalism for the specification of (possibly) nondeterministic operations, and defined multialgebra and power algebra semantics for singular and plural parameters, respectively. The main result of the paper is the two reasoning systems which are sound and complete for the respective semantics.
The comparison of the two semantics led us to point out that the singular/plural distinction has two relatively independent facets. On the one hand, it may be taken as a purely semantic distinction concerning the mechanism of parameter passing. On the other hand, plural variables may be used as a merely syntactic device to increase the expressiveness of the specification language, which does not force one to accept the plural semantics of parameter passing.

We have considered only flat specifications, and consequently the current results must be seen only as a first step toward a full specification formalism applicable in software development practice. Work on structured specifications with nondeterminism is in progress, and we can only indicate some main points. The central idea is the one emphasized in this and other papers [7, 22, 25, 27]: nondeterminism is a natural abstraction tool, and this fact may prove valuable when considering the implementation and composition of specifications. Specification-building operations such as enrich (+), derive (reduct), and hence export and rename, should extend smoothly to the nondeterministic context. Quotient needs a slight generalisation, since we have only a partial equivalence and not a congruence. Releasing the congruence requirement w.r.t. nondeterministic operations may seem a blasphemy to mathematical practice, but it turns out to be a crucial move in achieving sound data refinement in a nondeterministic setting. Our current experience and [22] show that some problematic cases may be elegantly handled using our nondeterministic framework. Consider for instance the implementation of abstract sets with a (non- or underdetermined) choice operator. A natural and simple implementation would represent sets as sequences, with the "head" operation implementing choice. Accepting this as a correct implementation would traditionally require the notion of behavioural equivalence.
In such cases, the abstract character of nondeterministic operations may be used successfully as an alternative to behavioural abstraction. Whether this is a viable way for a wider range of applications, and whether it will allow one to limit the need for behavioural abstraction, remains to be seen. As we have observed, initial multialgebras do not exist even in very elementary cases. Since initiality and quotient are special cases of free extensions, one shouldn't expect much of the extend-freely operation. Reachable extensions still seem possible, but one will face several choices of the notion of reachability [25].

References

1. Brock, J.D., Ackermann, W.B., "Scenarios: A model of non-determinate computation", in Formalization of Programming Concepts, LNCS, vol. 107, Springer, 1981.
2. Clinger, W., "Nondeterministic call by need is neither lazy nor by name", Proc. ACM Symp. LISP and Functional Programming, 226-234, 1982.
3. Engelfriet, J., Schmidt, E.M., "IO and OI. 1", Journal of Computer and System Sciences, vol. 15, 328-353, 1977.
4. Engelfriet, J., Schmidt, E.M., "IO and OI. 2", Journal of Computer and System Sciences, vol. 16, 67-99, 1978.
5. Goguen, J.A., Meseguer, J., "Completeness of Many-Sorted Equational Logic", SIGPLAN Notices, vol. 16, no. 7, 1981.
6. Goguen, J.A., Meseguer, J., "Remarks on Remarks on Many-Sorted Equational Logic", SIGPLAN Notices, vol. 22, no. 4, 41-48, April 1987.
7. Hayes, I., Jones, C., "Specifications are not (necessarily) executable", Software Engineering Journal, 4(6): 330-338, 1989.
8. Hennessy, M.C.B., "The semantics of call-by-value and call-by-name in a nondeterministic environment", SIAM J. Comput., vol. 9, no. 1, 1980.
9. Hesselink, W.H., "A Mathematical Approach to Nondeterminism in Data Types", ACM Transactions on Programming Languages and Systems, vol. 10, 1988.
10. Hoare, C.A.R., Communicating Sequential Processes, Prentice-Hall International Ltd., 1985.
11. Huet, G., Oppen, D., "Equations and Rewrite Rules: A Survey", in Formal Language Theory: Perspectives and Open Problems, Academic Press, 1980.
12. Hußmann, H., Nondeterminism in Algebraic Specifications and Algebraic Programs, Birkhäuser, 1993.
13. Kapur, D., Towards a theory of abstract data types, Ph.D. thesis, Laboratory for CS, MIT, 1980.
14. Keller, R.M., "Denotational models for parallel programs with indeterminate operators", in Formal Descriptions of Programming Concepts, North-Holland, Amsterdam, 1978.
15. Manber, U., Introduction to Algorithms, Addison-Wesley, 1989.
16. Meseguer, J., "Conditional rewriting logic as a unified model of concurrency", TCS, no. 96, 73-155, 1992.
17. Meseguer, J., "Conditional Rewriting Logic: Deduction, Models and Concurrency", in Proceedings of CTRS'90, LNCS, vol. 516, 1990.
18. Milner, R., Communication and Concurrency, Prentice Hall International, 1989.
19. Mosses, P.D., "Unified Algebras and Action Semantics", in STACS'89, LNCS, vol. 349, Springer, 1989.
20. Mosses, P.D., "Unified Algebras and Institutions", in Proceedings of LICS'89, Fourth Annual Symposium on Logic in Computer Science, 1989.
21. Nipkow, T., "Non-deterministic Data Types: Models and Implementations", Acta Informatica, vol. 22, 629-661, 1986.
22. Qian, X., Goldberg, A., "Referential Opacity in Nondeterministic Data Refinement", ACM LoPLAS, vol. 2, no. 1-4, 1993.
23. Schwartz, R.L., "An axiomatic treatment of ALGOL 68 routines", in Proceedings of the Sixth Colloquium on Automata, Languages and Programming, LNCS, vol. 71, Springer, 1979.
24. Søndergaard, H., Sestoft, P., Non-Determinacy and Its Semantics, Tech. Rep. 86/12, Datalogisk Institut, Københavns Universitet, January 1987.
25. Walicki, M., Algebraic Specifications of Nondeterminism, Ph.D. thesis, University of Bergen, Department of Informatics, 1993.
26. Walicki, M., Singular and Plural Nondeterministic Parameters: Multialgebras, Power Algebras and Complete Reasoning Systems, Tech. Rep. 96, Department of Informatics, University of Bergen, 1994.
27. Ward, N., "A Refinement Calculus for Nondeterministic Expressions", PhD Thesis, Dept. of Computer Science, The University of Queensland, submitted February 1994.