An Relat ions

Inst i tut ion as Abstract Datatypes:

to Specify Relat ions between Algebras*

H u b e r t Baume i s t e r

Max-Planck-Inst i tut ffir Informatik Im Stadtwald, 66123 Saaxbr~cken, Germany

hubert@mpi-sb, mpg. de

Abstract. One way to view the execution state of an imperative pro- gram is as a many sorted algebra. Program variables axe (constant) func- tions and their types are sorts. The execution of a program defines a relation between the state of the program (algebra) before and after the execution of the program. In this paper we shall define an insti tut ion for the specification of relations between structures of some base institu- tion (eg. the insti tution of equational logic or first order predicate logic). Sets of structures over a common signature, abstract datatypes, in this insti tution denote relations between structures of the base institution. This makes it possible to apply a rich repertoire of existing techniques for specifying abstract data types to the specification of relations. This paper tries to narrow the gap between algebraic specification languages like Clear, ASL or Act-One and model theoretic based specification lan- guages like Z, VDM-SL or the Larch Interface language.

1 I n t r o d u c t i o n

Sta te s cons is t ing of var iables Xl. �9 �9 xn of sor t s l . �9 �9 s,~ can be seen as a lgebras over a m a n y so r t ed s igna tu re Z = (S, Op) having sor ts S = { st I i = 1 . . . m } and ope ra t i ons Op = { x~ : s~ I i = 1 . . . n, st C S }, poss ib ly sa t i s fy ing some s t a t e invar iants .

As an example consider the speci f ica t ion of a b i r t h d a y book, t aken f rom the Z reference m a n u a l [17]. The goal is to specify a sys t em to record peop le ' s b i r thdays . The s t a t e of a b i r t h d a y book consists of known, a set of names of peoples whose b i r t h d a y s are recorded , and birthday, a set of a ssoc ia t ions of names to dates . The s t a t e invar ian t is t h a t known is exac t ly the set of names occur ing as a first componen t in the e lements of birthday. Using a n o t a t i o n a d a p t e d f rom Z, the s t a t e of a b i r t h d a y book is desc r ibed by the speci f ica t ion Birthdaybook

The research described in this paper was supported by the German Ministry for Research and Technology (Bundesministerium ffir Forschung und Technologie) under grant ITS 9103 and by the ESPRIT Basic Research Working Group 6112 COMPASS (A Comprehensive Algebraic Approach to System Specification and Development).

757

_ Birthdaybook Env known : S E T O F N A M E birthday : S E T O F B B E N T R Y

V n : N A M E n E known iff 3 entry : B B E N T R Y entry E birthday and name(en t r y ) = n

Birthdaybook is based on the specification Env

_ Env B B E n t r y S e t ( N a m e ) [ S E T O F N A M E +-- SET] Set ( B B E n t r y ) [ S E T O F B B E N T R Y +- SET]

and B B E n t r y

_ B B E n t r y Name , Date bbEntry : N A M E • D A T E --~ B B E N T R Y name : B B E N T R Y --+ N A M E date : B B E N T R Y -+ D A T E

name ( bb En t ry ( n, d ) ) = n date( bbEntry(n , d) ) = d

and where the specifications N a m e and Date merely define the sorts N A M E and D A T E . S e t ( N a m e ) [ S E T O F N A M E +-- SET] is the notat ion for the application of the parameter ized specification Set to the specification N a m e and then re- naming the sort S E T in the result to S E T O F N A M E . 2 Algebras satisfying the Birthdaybook specification are possible states of a bir thday book.

Operat ions modifying the state of a system are interpreted as functions on algebras or, more generally, as relations between algebras. For example, the operation AddBir thday(name: N A M E ; d a t e : D A T E ) adds a new entry to the bi r thday book if the bir thday for name is not already known. More pre- cisely, AddBir thday(n , d) defines, for a name n and a date d, a relation be- tween Birthdaybook algebras A and B such tha t known s = known A U {n}, birthday s = birthday A U {bbEn t ryA(n , d)} and such tha t A and B, when re- stricted to their environment, the specification Env, coincide.

More formally we may define specifications

_ AddBir thdayIn Birthdaybook name? : N A M E date? : D A T E

2 We allow for operations to have the same name, as long as they can be distinguished by their types. For instance the insert operations from Se t (Name)[SETOFNAME +- SET] and Se t (BBEn t ry ) [SETOFBBENTRY +- SET] are considered different.

758

and

AddBirthdayOut I - Birthdaybook

and consider AddBirthday as a relation between AddBirthdayIn algebras A and AddBirthdayOut algebras B satisfying A IEnv = B IEnv and the equations

known B = known A U {name? A } . and

birthday B = birthday A U { bb Entry A (name? A, date? A) }.

The additional constants name? and date? in AddBirthdayIn model the input parameters of the operation AddBirthday. In case AddBirthday is supposed to deliver a result x! of sort s, a constant x! : s is added to AddBirthdayOut. Next we observe that A and B can be extended to an algebra C, a model of

_ AddBirthday A ddBirthdayIn AddBirthdayOut[known' +- known, birthday' +- birthday]

name? ~ known bwthday r = insert(bbEntry(name?, date?), birthday)

such tha t CIAddBirthdayin : A and CIAddBwthdayOu t = B .

Note, tha t there is no need to include an axiom of the form

known' = insert(name?, known)

explicitly in AddBirthday because this is a consequence of the axiom

birthday' = insert( bbEntry(name?, date?), birthday)

together with the axioms of Birthdaybook. On the other hand, the specification AddBirthday defines a relation R be-

tween states of bir thday book (models of Birthdaybook) by

A R B iff 3C C~AddBirthday, CI~=A and C I ~ = B ,

where ~ is the inclusion of Birthdaybook into AddBirthday and a is a morphism from Birthdaybook to AddBirthday mapping known to known I and birthday to bwthday r. Therefore, relations between algebras can be regarded as sets of alge- bras specified using standard abstract data types techniques.

In the rest of this paper we shall define an institution Tr over some base in- sti tution Z such tha t sets of formulas in this institution denote relations between structures from 27, which formally are abstract data types in the institution 7r D. Abstract data types are pairs (Z, M), where Z is a signature and M a set of Z-structures. We shall show that this institution inherits some nice properties from its base institution, like for example a cocomplete category of signatures and amalgamation, which implies extension.

759

2 P r e l i m i n a r i e s

2.1 Ins t i tu t ions

The notion of an institution was introduced by Goguen and Burstall to define the semantics of the specification language Clear [3] independent of an underlying logic. Here we will only recall the definition of institutions, for more details see the paper by Goguen and Burstall [10]. An institution Z = {SIGN, Mod, Sen, ~) consists of

- a category of signatures SIGN, - a functor Mod: SIGN -~ CAT ~ assigning to each signature Z the cate-

gory of Z-structures and to each signature morphism a: Z --+ Z ' a forgetful functor Mod(a): Mod( Z') --+ Mod( Z), 3

- a functor Sen: SIGN --+ SET, assigning to each signature Z the set of Z- formulas and to each signature morphism a: Z --+ Z ' a translation Sen(a) of Z-formulas to Z'-formulas, 4 and

- a family of satisfaction relations ( ~ z C_ Mod(Z) x Sen(Z))EeSIGN indicat- ing whether a Z-formula f is valid in a Z-structure m (m ~ s f or for short m f)

where the satisfaction condition holds: for all signature morphisms a: Z --+ Z ' , formulas f e Sen(Z) and structures m' C Mod(Z')

m'l~ ~ f iff m ' ~ a ( f )

Each institution has associated two categories PRESz and ADTz. The ob- jects of PRESz are pairs (Z, F) where Z is a signature from SIGN and F a set of Z-formulas. Morphisms a: (Z, F) -+ (Z ' , F ' ) in PRESz are signature morphisms such that F ' ~ (r(F). In ADTz objects are pairs (Z, M) where M is a set of Z- structures and morphisms a: (Z, M) --+ {Z', M') are signature morphisms such that M'I~ _c M. There are also forgetful functors SigP:PRESz ~ SIGN and Siga: ADTz --+ SIGN defined by

SigP((Z, F)) = Siga((X, M)) = Z and SigP(a) = Siga(a) = a

It is known (eg. [15, 2]) that the functors Sig p and Sig a create (finite) (co)limits and that as a consequence PRESz and ADTz are (finitely) (co)complete if the category of signatures SIGN is.

Objects in PRESz can be thought of as specifying or presenting objects in ADTz, which are called abstract datatypes. Thus, there is a semantics function sere: PRESz -+ ADTz associating to a presentation {Z, F) an abstract datatype (Z ' , M'). Two commonly used semantic functions are loose and initial, where

loose((Z, F)) = (Z, { m E Mod(Z) I m ~ F })

and initial((Z, F)) = (Z, M) with M the set of all objects that are initial in the full subcategory of Mod(Z) whose objects satisfy F.

3 The application of Mod((7) to a E'-structure m' will be written as rn'l~. If cr is understood from the the context we may write re'Is instead.

4 The application of Sen@r) to a formula f will be abbreviated by a(f).

760

2.2 L imi t s and Co l i mi t s

This section defines the notations used in this paper for limits and colimits in categories. For a definition of limits and colimits refer, for example, to the book of MacLane [14].

We use the notation l-II F to denote the limit object of the functor F: I --+ C, if it exists, and 7r F, or 7c~ if there is no ambiguity, for the projections ~r~: r I I F --+ F(i). If G: I ~ C is another functor with a limit and 7-: F =~ G is a natural transformation, then I-II 7 denotes the unique morphism from the limit object I-[I F to the limit object r l i G such that for all i E I the following diagram commutes

r l i F ~ YII G

F(i) ~,~ a(i)

The colimit object of a functor F: I --+ C is denoted by ~ I F and t ( , or L,, denotes the inclusions f : F(i) ~ ~ I F. If G: I --+ C is another functor with a colimit and T: F =~ G is a natural transformation, then ~--~I T denotes the unique morphism from the colimit object ~ I F to the colimit object ~ I G such that for all i E I the following diagram commutes

E I F ~ E I a

t4 F(i) ~, ~ a(i)

3 B i n a r y R e l a t i o n s

Before presenting the general construction in section 4 we shall illustrate the construction using binary relations. Let us assume we are given an institution Z = {SIGN, Mod, Sen, ~) and let O = (Z1, Z2) be a pair of signatures from SIGN. A (binary) relation R of type O is a subset M of the cartesian product of Mod(Z~) and Mod(Z2). A morphism a: R --+ S from a relation R of type O R to a relation S of type 0 S is a pair of signature morphisms al: Z R --+ Z~ and a2:Z2 n ~ Z2 s such that whenever rnl S me then TYtlI~ 1 R T/~ 21c~2. The category REL of binary relations has relations as objects and morphisms between relations as arrows.

To specify objects from REL we need to define a notion of formulas together with a satisfaction relation between formulas and elements of the cartesian prod- uct of Mod(K1) and Mod(~2). A possible definition of such formulas is as ele- ments of the disjoint union of Sen(~l) and Sen(Z2). Then for a pair (ml, m21 of Mod(Zi) • Mod(Z2) and a formula f of Sen(Z1) + Sen(Z2) we define

(T/.tl, ~Tt2) ~RELf ii~ { Tftlnv2 ~ ~f f ififff Ce Sen(z2)Sen(Z1)

761

However, with this definition it is not possible to write a formula similar to

birthday' = insert (bbEntry Cname?, date?), birthday)

from the AddBirthday example because this formula is neither a formula over the signature of AddBirthdayIn nor a formula over the signature of AddBirthdayOut, instead, it is a formula over the disjoint union of the signatures of AddBirthdayIn and AddBirthdayOut.

Therefore, we are interested in formulas f from Sen(Zi + ~s). Now we have the problem to define the satisfaction relation between pairs (ml, m2) and for- mulas f . In the institution of first order logic, and many other interesting in- stitutions, there is a one to one correspondence between pairs of algebras from Mod(Z1) x Mod(Z2) and algebras from Mod(Z1 + Z2). A Z1 + Zs-algebra m defines a pair of Z1- and Z2-algebras by (mlzl, mI~2) and each pair (ml, m2) defines an algebra ml + ms such that the interpretation of a symbol s (a sort, function or predicate symbol) from Z1 + Zs in ml 4- ms is the interpretation of s in ml if s originates from ~1 or the interpretation of s in m2 otherwise. This makes it possible to define

<ml,ms) ~RELI iff m l + m 2 ~ f .

Given a set of formulas F from Sea(El + Z2) a pair Sp = (O, F) defines a relation by

ml Sp m2 iff Vf E F : (ml, m2) ~REL f .

The category of specifications of binary relations, RELSPEC, has as objects pairs Sp = {O, F) and as arrows c~: SpR ~ Sps signature morphisms a: z R + ~ _+ Z s + ~z s such that F s ~REL c~(FR).

There is a functor Ret from RELSPEC to REL mapping specifications of binary relations to binary relations defined by

Ret(<O, F)) = (O, { (ml, m2) [ <ml, m2> ~REL F }) and

Rd(a: SpR ~ Sps) = ~: R d ( S p R ) -+ Rel(Sps) .

The domain of a binary relation R = CO, M) in REL is given by

dora(R) = { ml [ (ml, m2) e M }

and its codomain by

codCR) = { m2 [ <ml, rr~) e M }.

762

3.1 Binary Relations as Abstract Datatypes

In this section we shall define an institution Tr 2 such that the category of ab- stract datatypesSADT2 (cf. section 2.1) in this institution is the category of binary relations REL and the category of presentations PRES 2 is the category of specifications of binary relations RELSPEC. The construction of 7r 2 is param- eterized by an institution Z. To define the satisfaction relation of 7~ 2 we require that SIGN has coproducts and that Mod preserves them. Now the institution

7r 2 = (RSIGN2, RMod2, RSen2, ~ n~)

is given by:

RSIGN2 = SIGN 2,

RMod2(6): 2 -+ SIGN) = IX 6); Mod 2

RMod2(a: O R => 6),9) = H a; Mod 2

Rse 2(6)) = 6)) =

2 2

rn ~n2 f iff m ~ f

The category 2 is the discrete category having only 1 and 2 as objects and the identities as arrows.

Objects in ADT 2 are pairs R = (6), M), where 6) is an element of RSIGN2 and M is a subset of RMod2(6)). 6) is a functor from 2 to SIGN and thus, a pair of signatures (69(1), 6)(2)) from SIGN • SIGN. Since RMod2(6)) is Mod(6)(1)) • Mod(6)(2)), elements of M C_ RMod2(6)) are pairs (rex, m2).

An arrow a: 6)R =~ 6)s in RSIGN2 is a natural transformation between functors from 2 to SIGN and thus, just a pair of signature morphisms at from 6)R(i) to 6)s(i) (i = 1, 2). The application of RMod2 to an arrow a of RSIGN2 yields the pair of functors (Mod (al), Mod (a2)).

Thus an arrow a: (6)n, M R) _+ (6)s, M s) in ADT 2 is a morphism a from 6)n to 6)s in RSIGN2 such that (m1[~1, m2[~z) E M R for all (ml, mz) E M s or, whenever ml S m2 then ml[al R ra2la 2.

Since SIGN has coproducts, the object Y~2 6) = 6)(1) + 6)(2) exists for any object 6) in RSIGN2. Moreover, since Mod preserves coproducts

Mod(O(1) + 0(2)) = Mod(O(1)) x Mod(O(2)) = RMod2(O).

Therefore each m in RMod2(O) is also in Mod(O(1) + 0(2)) and each formula f in RSen2(O) is an element of Sen(O(1) + 0(2)) . Thus the satisfaction relation m ~n2 f iff m ~ f is well defined.

s To avoid subscripts of subscripts we write ADT 2 instead of ADTze 2.

763

4 A n I n s t i t u t i o n t o S p e c i f y R e l a t i o n s B e t w e e n A l g e b r a s

The institution 7-42 is based on the discrete category 2. However, the construc- tion of T~ 2 did not depend on the specific properties of 2. In fact, the same construction can be used to define an institution

T~ D = (RSIGND, RModD, RSenD, ~ n D )

based on an arbitrary category D, provided that SIGN is cocomplete with re- spect to diagrams of shape D and that Mod preserves the colimit of diagrams of shape D:

RSIGND = SIGN D

RModD(6):D -+ SIGN) = H 6); Mod RModD(ocO R =r 6)s) = H o~; Mod

D D

RSenD(6)) = S e n ( E 6)) RSenD(a) = S e n ( ~ (~)

D D

The following easy facts hold:

- 7-4 D is an institution, - RSIGND is (finitely) cocomplete if SIGN is and - RModD preserves (finite) colimits if Mod preserves them.

Objects in A D T D are typed relations of arity D. Let, for example, D be the discrete category K~ generated by the set { 1 , . . . , n}. An object 6) of RSIGNK~ is an n-tuple ~ 1 , . . . , S,~ of signatures from SIGN and objects in RModK,~(O) are n-tuples m l , . . . , m~ such that m~ E Mod(S O. Thus an object R = (69, M) in A D T K , is an n-ary relation R C_ Mod(S1) • .. . • Mod(S~).

Now let D have an arrow g: d --+ d I other than the identity. Together with signatures O(d) = Sd and O(d') = Sd, objects 69 in RSIGND also provide a signature morphism 6)(g) = a: ~d --} ~d ' . This imposes on objects m from RModD(6)) the restriction that

5 R e l a t i o n s w i t h S h a r e d P a r t s

We are interested in binary relations R, such that , if ml R rr~ then ml and m2 are persistent extensions of some algebra, like an algebra providing some base types such as bool and nat. This type of relation can be modeled by a three place r e l a t i o n / / g i v e n by a set M C_ Mod(Z1) • Mod(Eo) • Mod(E2) with the requirement that for all (ml, rao, m2) from M

mll~, = m o = m2[~,

where ~r~: So --+ Z~ (i = 1, 2) define the parts that Z1 and ~2 have in common.

764

The type of R is given by a functor O from 3 to SIGN, where 3 is the category freely generated by the diagram

1 2

0

such that O(1) = G1, O(0) = X'o, 0(2) = ~2, 0(91) = al and O(g2) = a2. The set M is a subset of the objects of the pullback 1-I3 O; Mocl of the following diagram in CAT

H3 o; Mod 71"1 ~ ~ "/I-2

I~o Mod(O(2)) Mod(O(1))

Mod(O(O))

Since the above diagram commutes in CAT, for any object m and morphism h: m --> m' in H3 z ; Mod we have

~ l ( '~ )b ~ = ~1L1 = ~ = "~:G = ~ : ( ' ~ ) ] ~ and

- 1 ( h ) b l = h l G = h0 = h~l~2 = ~2(h)b2 .

For objects R = <O, M) in the category of abstract datatypes of the institu- tion 74 3 we define

rnl Rm2 iff 3 m E M : T r l ( m ) = r n l and~r2(m)=m2

which gives us that whenever rnl R m2 then ml[o(g~) = rr~lo(g2). Formulas in RSen3(@) are formulas over the pushout ~ 3 @ of the following

diagram in SIGN

~ 3 G

O(1) po O(2)

o(o)

Here we have to require that SIGN has all pushouts and that Mod preserves them, which is equivalent for the institution T to have amalgamation [7, 2, 5].

As an example the AddBirthday specification is given as an object of PRES 3 for first oder logic with equality as the base institution. The following functor O: 3 -4 SIGN is the signature of AddBirthday:

765

O(0) = s o r t s N A M E , D A T E , B B E N T R Y , S E T O F N A M E ~ S E T O F B B E N T R Y

o p s bbentry: N A M E • D A T E --+ B B E N T R Y name: B B E N T R Y --+ N A M E date: B B E N T R Y -+ D A T E insert: N A M E • S E T O F N A M E -+ S E T O F N A M E insert: N A M E • S E T O F B B E N T R Y -+ S E T O F B B E N T R Y

o(1) = o(o) + ops known : S E T O F N A M E

birthday : S E T O F B B E N T R Y name? : N A M E date? : D A T E

0 ( 2 ) = 0 ( 0 ) + o p s known : S E T O F N A M E

birthday : S E T O F B B E N T R Y E 3 O = e (o ) +

o p s known : S E T O F N A M E birthday : S E T O F B B E N T R Y known' : S E T O F N A M E birthday ~ : S E T O F B B E N T R Y name? : N A M E date? : D A T E

~(g l ) , ~(g2) and ~1 are the corresponding inclusion of signatures and ~2 maps birthday to birthday ~ and known to known' and is the identity on all other symbols. The axioms of AddBirthday are formulas in R S e n 3 ( 0 ) = S e n ( ~ 3 ~):

name( bb Entry ( n, d) ) = n date( bb Entry ( n, d) ) = d . . . (all the axioms for S e t ( N a m e ) and S e t ( B B E n t r y ) ) V n : N A M E n E known iff

3 entry : B B E N T R Y entry E birthday and name(en t ry ) = n V n : N A M E n C known' iff

3 entry : B B E N T R Y entry E birthday' and name(en t ry ) = n name? r known birthday' = insert ( b b Entry ( name ? , date?), birthday)

For an algebra m of R M o d 3 ( 0 ) satisfying AddBir thday it holds that , among others,

birthday' "~ = insert "~ ( bbEntry "~ (name? "~ , date? "~ ), birthday "~ ).

Since m is a persistent extension of ml and n~2, which in turn are persistent extensions of mo, this is equivalent to

birthday "~2 _= insert'~o ( bbEntry "~o (name? m~ , date? "~1 ), birthday m~ ).

When writing specifications of relations it is convenient to use instead of func- t o r s ~ : D ~ S I G N functors ~: D --+ P R E S z as the type of relations. We have

766

done this in section 1, where we gave AddBirthdayIn, Env and AddBirthdayOut as specifications instead of just giving their signatures and including their axioms (eg. the axioms for the environment or the state invariant of BirthdayBook) in the set of formulas defining AddBirthday, as we have done in this section. This can be achieved by using the institution 7)Z = (PRESz, PMod, Sig~ ; Sen, ~ ) built fl'om an institution Z as the base institution of 7~ D instead of Z itself. Here PMod(((9, F>) yields the full subcategory of Mod((9) whose objects satisfy F.

6 Specifications with Auxiliary Symbols

In some cases we would like to use auxiliary sort or function symbols in the specification of relations. For example let (9(1) and (9(2) be enrichments of (9(0) by a new sort s. To define how the interpretation of sort s in m1 is related to the interpretation of sort s in rnr an auxiliary function f : tl(s) -+ L2(s) may be needed. For example to require that s "~I is isomorphic to a subset of s ~2 we provide the formula Vx, y : f ( x ) = f (y ) =~ x = y. However, this formula can not be written in any of the institutions 7~ 2 and 7~ 3 because formulas in these institutions are only allowed to use the symbols from (9(1) and (9(2).

A solution to this problem is to use T~4, where 4 is the category freely generated by

3

1 2

0

and the equation gl; g4 = g2; g3- Now the function f : ~l(s) -+ L2(s) can be defined in 0(3). It is easy to prove that for a functor O: 4 ~ SIGN from RSIGN4 the colimit ~ 4 (9 is isomorphic to 0(3). This holds for any category D with a terminal object dT. Thus by providing (9(3) one defines exactly the symbols one can use in the specification of relations. Most likely (9(3) will be an extension of the pushout of (9(gl) and (9(g2) by auxiliary sort and function symbols, but it is also possible that (9(3), (9(1) and (9(2) coincide.

Objects Sp -- <(9, F> in PRES 4 define binary relation~ by

ml Sp m2 lit 3 m ~Tr F :Tr l (m) = mi and ~2(rrt) = m 2.

6.1 Composition of Binary Relations

Using 7~ 4 has also the advantage that PRES 4 is closed under the composition of binary relations. If Sp R and SPs are viewed as binary relations and SpR; Sp s is defined in the usual set theoretic way then there exists an object Sp T of PRES 4 defining the same binary relation as SpR; Sps. This, depending on the expressiveness of the base institution Z, does not hold, in general, for the composition of relations in PRES2/3 (see below).

767

Let SPR = (0 R, F R) and Sp s = <0 s, F s) be specifications in PRES 4. If OR(g2) = OS(gl) then the composition SPR; SPs = ( OT, FT) is defined. The type of SPR; Sp s is given by the following diagram in SIGN

o T ( 1 )

On( I )

o T ( 3 )

OR(3) po. oS(3)

O R OR(2) = oS(1) O s =

t jjj os (2)

oT(0) = o (0) = o s (0)

and F T = al (F R) U a2(FS).

T h e o r e m . ml SPR; Sp s m2 iff 3 n : m l Sp R n and n Sp s m2

As an example consider the specifications SPR and Sps such that OR(g2) = OS(gl) and OR(l) = oS(1) = oS(2) is an enrichment of (9(0) by a constant x : s. Let F R contain the formula x = f (x ' ) and F s the formula x" = g(x'), where f and g are functions defined in oR(0). For SPR; Sp8 = (0 T, F T} as an object of PRES 4 the type O T contains the auxiliary symbol x' : s in o T ( 3 ) together with x : s from (gT(1) = OR(l) and x" : s from OT(2) = Os(2) and F T equals {x = f ( x ' ) , =

However, to define SPR; Sps = (0 T, FT> in PRES 3 we do not have the possibility to use the auxiliary symbol x' : s, therefore we have to find a set of formulas equivalent to the conjunction of x = / ( x ' ) and x" = g(x') only using the symbols x, x", f and g. Provided that the base institution Z allows to use existential quantifiers we can use {3 x' : x = f (x ' ) A x" = g(x')}. In general, it may not be possible to find such a set of formulas.

7 S e m a n t i c s

Which relation <O, M} from ADT~ is denoted by the presentation (O, F) in PRES~ (i = 2, 3, 4)? This is a question about the semantics function

sere: PRES, --+ ADT,.

Common semantics are initial and loose from section 2. However, mztial is not appropriate since all models of initial(sp) are isomorphic, and thus, if ml initial(@) m2 and m~ initial(sp) m~, then ?n I iS isomorphic to rn~ and rna is isomorphic to m~.

Another possible semantics is free. If free((O, F)) = (O, M} then struc- tures m in M are required to be free extensions of m[~ 1 (or role(g4) in case

768

of 7~4) with respect to the full subcategory of M o d ( ~ i (9) (i = 2, 3, 4) given by { m I m ~ F } (cf. Goguen and Burstall [10] and Baumeister [2]). free(Sp) can be considered as denoting a partial function from structures of Mod((9(1)) to structures of Mod((9(2)) in the sense that, if for some ml there exists m2 such that ml free(Sp) m2 then m2 is unique up to isomorphism. If ~ (9 does not define any new sorts with respect to (9(1), m2 is unique.

loose(Sp) (or Rel in section 3) in general yields a relation between algebras which can be interpreted as a non-deterministic, partial function on algebras. However, for certain types of F the loose semantics of Sp yields a (partial) deterministic function on algebras. This is, for example, the case when F consists of formulas of type x' = t[x] for all symbols x' not in (9(1), where t[x] is a term over the signature (9(1), and ~ (9 does not contain new sorts with respect to (9(1). Thus loose semantics allows to specify non deterministic functions as well as deterministic functions.

8 R e l a t e d W o r k

It is not new or surprising to view states as algebras. For example, Ganzinger [9] and Gurevich [11] use this view to define an algebraic semantics of programming languages. Ganzinger defines the semantics of while-programs to be the com- position of a free functor and a forgetful functor on algebras representing the state of the program. In principle we have three specifications. Specbas~ is the specification of some base types defining the domain over which the variables range. Spec x is a conservative extension of Specbase containing constants of the form x : s denoting the variables of the program. Each program p determines a specification SpeCPzux ,, which is an enrichment of Spec x that contains for each x : s in Spec X a constant x t : s and contains for example in the case where p is the assignment statement x := t the formula x I = t. The semantics of a program p is given by Tp; U~, where Tp: Alg(Specx) --+ Alg(SpecPxux ,) is the left adjoint to the forgetful functor U with respect to the inclusion of Spec X in SpecPxux , and U~: Alg(SpecPxux ,) --+ Alg(Specx) is the forgetful functor for the signature morphism a that takes each x : s in Spec X to x / : s in SpecPxux , . In general Tp will be a persistent functor, however, if p does not terminate then (Tp; U)(A) ~ A. This approach corresponds to using the free semantics of section 7 with objects Spp = ((9, F) from P R E S 3 such that (9(0) = Specba~e , (9(1) = (9(2) = Spec x and ( ~ 3 (9, F) = SpecPxux,. The only difference is that in our approach, in the case of non-termination, free(Spp), seen as a function, is undefined; this is the reason why free is defined by using free extensions in- stead of a free functor. Ganzinger's results can be used in two ways. First, we have new operations at hand to build relations from relations, like the condi- tional and while construct; on the other hand, the semantics of while-programs have the same semantic domain as their specifications, objects in A D T 3. This provides us with a connection of specifications of state transformations to their implementation by imperative programs within the same framework.

In the evolving algebra approach of Gurevich [11] a transformation of an algebra A to an algebra B over the same signature is given by a set of guarded

769

local function updates of the form if b t h e n f ( t ) := to. The problem in trans- lating these updates in our framework to formulas over RSen2(O) for some object Sp = (0, F) from P R E S 2 is the t reatment of conflicting updates, eg. f (a) := true and f (a) := false. Gurevich chooses one of the updates non deter- ministicly and discards the others, while in our approach all updates have to be satisfied. This means that some values have to be equated (eg. true = false) or the relation, viewed as a (non-deterministic) function, is not defined for some algebras. The algebras of Gurevich have only one sort called the superuniverse containing two distinguished elements true and false. Different sorts (universes) are modeled by using characteristic functions on the superuniverse. This al- lows to model the evolution of sorts just by changing the interpretation of their characteristic functions without having to change the interpretation of the su- peruniverse.

In the implicit state approach of Dauchy and Gaudel [4] states are enrich- ments of the datatypes used in the system by access functions. Modifiers are functors on states built from elementary modifiers by sequential and indifferent composition and using conditionals. Elementary modifiers #-ac(Tr, t), for some accessor function ac and terms lr and t over the signature of states, can be translated into our framework as the formula

V x ( 3 y : ( ~ r = x = v a c ' ( x ) = t ) V V y : ( T r C x = V a c ' ( x ) = a c ( x ) ) ) ,

where y is the vector of variables occuring free in ~r and t. This is a formula in F, where Sp = (e), F) is an object of PRES3, 5)(1) = 5)(2) contains the accessor function ac and (9(0) is the specification of the used datatypes. Now, for a structure m satisfying Sp, it holds that

ac "~2 (v) = { p*(t)ac "~1 (v) elseif p*(Tr) = v for a variable assignment p: X --+ m~

This means, that loose(Sp) defines a function on algebras corresponding to the semantics of the elementary modifiers of Dauchy and Gaudel. Sequential compo- sition of modifiers is given by the composition of relations in P R E S 3 and A D T 3 and indifferent composition can be described by colimits in PRES 3 and ADT3, respectively.

In all the above approaches the stress is on constructing transformations of algebras rather than on specifying these transformations in a possibly non- constructive way. In our approach we are able to specify how the states before and after a transformation are related and not necessarily how this relation is established (eg. by while-programs, local function updates or modifiers).

D-oids are a model theoretic approach by Astesiano and Zucca [1] to define dynamic datatypes. D-oids consist of a set of algebras over some signature to- gether with a set of dynamic operations. A dynamic operation associates to an algebra A and a set of values from A an algebra B, a family of functions from the carrier sets of A to the carrier sets of B, the tracking m a p / : A =~ B, and possibly a return value from B. However, Astesiano and Zucca do not have a method to specify their dynamic datatypes yet.

All the previous approaches keep the interpretation of sorts fixed, allowing only for the interpretation of function symbols to change. This is not required by

770

the d-oids approach. The tracking map f is responsible for relating the elements of the sort whose interpretation has changed in B and also for the elements of those sorts that did not change. In our approach there is the possibility to include new sorts in O(1) and 0(2) and functions f~ in O(3), f~: si --~ s~, for new sorts sl in 6)(1) and 6)(2), and f,: sl --~ s,, for sorts s, in O(0). The functions fi can be seen as defining the tracking map of dynamic operations.

An approach similar to d-oids is the informal proposal for dynamic abstract datatypes by Ehrig and Orejas [8]. The instant structure specification, a conser- vative extension of some value type specification, is intended to model class sorts and at tr ibute functions of objects. A dynamic operation denotes for a model A of the instant structure specification, together with a set of values from A, a set of transformations from A to some other instant algebra B. Given a specifica- tion Sp = (O, F) in PRES4, a value type specification corresponds to 6)(0), an instant structure specification, ronghly~ to O(1) and 0(2) and certain classes of transformations could be modeled using function symbols f : s --+ s r and f: s ~ s in 0(3) . Then a dynamic operation is an object R = (6)R, M R) of ADT 4 such that M R ~T44 F.

9 C o n c l u s i o n

In this paper we have defined a family of institutions in which abstract datatypes have an interpretation as relations between structures from some base insti- tution. We have achieved two things. First we have a model theory of typed relations, which are objects in ADT2, and for typed relations respecting a com- mon environment, objects in ADT 3. Since relations are abstract datatypes in certain institutions methods for the construction of abstract datatypes in an arbitrary institution, like eg. various forms of parameterization, can be used to also construct relations, see for example the work of Goguen and Burstall [3, 10], Sannella, Wirsing and Tarlecki [16, 15], Ehrig and others [6]. However, further investigation is needed into whether these constructions are appropriate for con- structing relations and which additional constructions, eg. the composition of relations, are needed.

The second achievement of this paper is a specification method for relations between algebras within the theory of abstract datatypes resembling the methods used in specification languages like Z [17], VDM-SL [13] and Larch [12]. Future research has to show how far the resemblance between the presented method and Z, VDM-SL and Larch extends. One could image that the two tiered approach of Larch for some programming language can be given full a semantics within this framework. The base institution is given by the Larch Shared Language; Larch Interface Language specifications are objects in PRES4, which have a denotation as objects in ADT3, and the results of Ganzinger [9] can be used to define the semantics of the programs again as objects of ADT3, which can then be checked to see if they implement the specification.

Colimits in SIGN and therefore in ADT D and PRES D allow us to combine smaller states to larger ones and to extend relations from the smaller states to relations on the larger ones. Also colimits allow us to combine several relations on one state as one relation on the same state. This corresponds to a parallel

771

composition of relations instead of a sequential one defined by the composition of relations in section 6.1.

The interpretation of abstract data types as relations fails when it comes to refinement. The refinement of abstract datatypes does not correspond to the refinement of relations if relations are viewed as non-deterministic functions. The refinement of one abstract datatype by another is an abstract datatype morphism, while R refines to S with respect to a signature morphism c~: ~9 R -+ Os iff. dom(R) C_ dom(S)l ~ and a:R --+ Sick(dora(R) ) is a morphism between

relations. Sl~(dom(R)) denotes the restriction of S to the domain a(dom(R)).

R e f e r e n c e s

1. Egidio Astesiano and Elena Zucca. D-oids: A model for dynamic data types. Mathematical Structures in Computer Science, 1994. to appear.

2. Hubert Baumeister. Unifying initial and loose semantics of parameterized specifi- cations in an arbitrary institution. In Proceedings Tapsoft/CAAP, Brighton, UK, number 493 in LNCS, pages 103-120. Springer, April 1991.

3. R. M. Burstall and J. A. Goguen. The semantics of Clear, a specification language, February 1980.

4. P. Dauchy and M.-C. Gaudel. Algebraic specifications with implicit state, February 1994.

5. R. Diaconescu, J. Goguen, and P. Stefaneas. Logical support for modularisation. Programming Research Group, Oxford University, August 1991.

6. H. Ehrig, P. Pepper, and F. Orejas. On recent trends in algebraic specification. In Proceedings ICALP, Stresa, Italy, number 372 in LNCS, pages 263-288. Springer, July 1989.

7. Hartmut Ehrig and Bernd Mahr. Fundamentals of Algebraic Specification 1: Equa- tions and initial Semantics. Number 6 in EATCS Monographs on Theoretical Computer Science. Springer, 1985.

8. Hartmut Ehrig and Fernando Orejas. Dynamic abstract data types, an informal proposal. Bulletin of the EATCS, (53):162-169, June 1994.

9. Harald Ganzinger. Programs as transformations of algebraic theories (extended abstract). Informatik Fachberiehte, 50:22-41, 1981.

10. J. A. Goguen and R. Burstall. Institutions: Abstract model theory for specification and programming. Journal of the Association for Computing Machinery, 39(1):95- 146, January 1992.

11. Yuri Gurevich. Evolving algebras: An attempt to discover semantics. Bulletin of the EATCS, (43):264-284, February 1991.

12. J. V. Guttag, J. J. Horning, and J. M. Wing. Larch i-n five easy pieces. Report 5, DEC Systems Research Center, July 1985.

13. Cliff B. Jones. Systematic Software Development Using VDM. International series in computer science. Prentice Hall, New York, 2sd edition, 1990.

14. Saunders Mac Lane. Categomes for the working mathematician. Graduated Texts in Mathematics. Springer, 4th edition, 1988.

15. DonMd Sannella and Andrzej Tarlecki. Specifications in an arbitrary institution. Information and Computation, 76(2/3):165-210, February/March 1988.

16. Donald Sannella and Martin Wirsing. A kernel language for algebraic specification. Internal Report CSR-131-83, University of Edinburgh, September 1983.

17. J. Michael Spivey. The Z Notation: A Reference Manual. International series in computer science. Prentice Hall, New York, 2nd edition, 1992.