A Modular Development of the Denotational RSL ... - Semantic Scholar

0 downloads 0 Views 152KB Size Report
The concurrency features of the RAISE specification language RSL are based ... is extended in two steps — preserving properties such as behaviour and static ...
A Modular Development of the Denotational RSL Concurrency Model Claus Pahl Department of Information Technology, Technical University of Denmark DK-2800 Lyngby, Denmark

Abstract The concurrency features of the RAISE specification language RSL are based on an adaptation of Hennessy’s model of acceptance trees [Hen85]. An extension was necessary to meet requirements of RSL. A paper by Bolignano and Debabi [BD92] describes this extension. We will revisit this extension, now formalising the relationship between the basic model and its extension in a rigorous way. We will show general mechanisms how to extend languages and models in order to preserve properties of the basic model. Our mechanisms are applied to the basic model — which is extended in two steps — preserving properties such as behaviour and static domain constraints. The framework of language extension which will be used here aims at supporting experimentation with and exploration of semantics. In this case, a semantic model for concurrent languages is investigated. An application could be an investigation into the suitability of a semantic model for a given language which has to be defined formally. Categories and Subject Descriptors: D.3.1 [Programming Languages] Formal Definitions and Theory (Semantics), F.3.2 [Logics and Meanings of Programs] Semantics of Programming Languages (Denotational Semantics), F.3.3 [Logics and Meanings of Programs] Study of Program Constructs Additional Key Words: Concurrency, acceptance trees, language extension, RSL, behaviour preservation, domain constraints

1 Introduction Bolignano and Debabi’s technical report [BD92] is the basis for this investigation. Using an effect-based semantics (functional type, side effect, and communication as the components of a semantical entity represented by a product), Bolignano and Debabi extend a simple denotational model based on acceptance trees [Hen85] to meet the requirements of RAISE. This extension shall be investigated in a more thorough and formal way considering aspects of modularity in language design. RSL is the RAISE specification language. RSL is based on principles of VDM, but also includes features for the specification of concurrency and a modularity concept (see [Geo91] for an introduction or [Gro92] for a full description). A similar approach is followed by Hennessy and Ing´olfsd´ottir [HI93b, HI93a]. They extend a simple process language in the same way as Bolignano and Debabi by introducing values and assignments. We will follow [BD92] as close as possible by adapting their semantic constructions.  This work has been supported by the EU-HCM project De Stijl.

1

Our objective is to point out that these extensions can be carried out in a much more rigorous way. We will provide a framework in which these extensions are formalised by using operators on an algebraic framework. We will provide a selection of common templates of extension which allow us to derive such operators. By providing such templates, we will facilitate the process of adapting domain constructions and function definitions of a basic model to new requirements. A model definition possesses certain properties: functions behave in a certain way, domains are constrained. We will show how these properties can be preserved using our templates. The practical advantage of preserving properties can be illustrated by considering the behaviour of programs implemented by the concurrency model. It can be guaranteed that a program preserves its behaviour if it is executed as a program of the extended language (possibly modified syntactically). The behaviour is not necessarily identical since underlying semantical notions might have changed, but there exists an observation under which the behaviour is identical. This observation is similar to a retrieve function known from data refinement. This allow us to define orthogonal extensions, in the sense that the extensions do not conflict with the basic language to which the extension is applied. The reader is expected to be familiar with [BD92] and [Pah97b]. The concurrency model is not explained in detail since our interest here relating and extending models. More motivation and a broader introduction can be found in [Pah97b, Pah97a]. We will use a notation similar to VDM or Z to specify domains and functions, i.e. we make use of an operator calculus including e.g. symmetric difference 4 or override y. We will start with introducing the basic model in section 2. This section also introduces basic ideas of our approach of extension. Behaviour and domain constraints as important properties are addressed. The formal background underlying the ideas presented in that section are content of section 3. Some more theoretical results are addressed at the end of the section. We use these results in section 4 for a first extension by partitioning events. A second extension in section 5 adds states and values.

2 The Basic Language The basic model, which resembles Hennessy’s acceptance tree model (but in the representation of Bolignano and Debabi), is presented. The basic ideas of behaviour preserving and domain constraint preserving extensions are introduced.

2.1 The Basic Model A simple process language based on an acceptance tree model shall be presented firstly (figure 1). The basic model is a space of processes

P0 = (( ! P0 )  PP)? where  is a set of events. The first component of those pairs is a mapping from events to processes in P0. The second component is an acceptance set (some constraints will be introduced below). An acceptance set is a set of possible internal states which can be reached non-deterministically by executing a process. Each of these states is a set of actions that can be taken in that particular state. The domain is defined recursively, but a solution for this equation exists (see [BD92] Chapter 5). ? is the semantic correspondence to the chaos process. [BD92] provides two choice operators. Only the external choice operator jj is considered here, the internal choice will be neglected. These operators differ only slightly from another. 2

LANGUAGE DESCRIPTION Syntax Process ::= ’stop’ j ’chaos’ j Event ’!’ Process j Process jj Process Semantic Domains

P0 = (( ! P0 )  PP)?

Semantic Functions

P0 P0[ chaos] P0[ stop] P0[ e ! p] P0[ p1jjp2]

: := := := :=

Process ! P0 ? ([]; f;g) ([e 7! P0[ p] ]; ffegg) let (M1; S1) := P0 [ p1 ] ; (M2; S2) := P0[ p2 ] in (M1jjmM2; S1jjsS2)

with M1 jjmM2 := (([e 7! M1(e) j e 2 dom(M1)] 4 [e 7! M2 (e) j e 2 dom(M2)]) t [e 7! M1(e)jjmM2(e) j e 2 dom(M1) \ dom(M2)]) and S jj S := fx j x 2 P ^ x  Sfy j y 2 S [ S g ^ 9v 2 S ; w 2 S :x  v [ wg 1 s 2

1

2

1

2

END Figure 1: The basic language definition

2.2 Principles of Extension Some of the principal ideas of extension shall be presented using the phrase e ! p as a very primitive process description whose behaviour has to be preserved in an extension of the notion of process by a value domain.

P0[ e ! p] := ([e 7! P0[ p] ]; ffegg) e ! p is a phrase of the syntactic domain Process. The semantic function P0 maps from Process to P0 . The event e is an acceptable event, e is associated with the meaning of the process p (which is to be executed). Let us now consider an extension of the language containing the phrase. Processes shall be extended by allowing them to have a value. Thus, the semantic function has to be adapted by introducing a value domain V . This is expressed by a mapping  .

 : P0 = (( ! P0 )  PP)? 7! P1 = (V  ( ! P1 )  PP)?;  : P0 7! P1  is an association of domain and function names. An extended algebra based on P1 preserves the behaviour of the command on P0 (defined by the mathematical model of e ! p), if the following diagram commutes: Process P1

6

Id

- P1 6

P0

Process P0 3

- P0

or

P1(Id(e ! p))  P0 (P0(e ! p)) It is not straightforward here to talk about behaviour of processes which has to be preserved. Semantics p for processes are here not given in a transitional form s1 7! s2 where p transforms a state s1 into s2 . The semantics of a process is given here as a constant semantic entity which, by its recursive structure, describes the possible future behaviour of a process (depending on events). A more suitable representation would be

P1[ e ! p]  P0  P0[ e ! p] or simplified to a schema c0  (c).  describes data refinement. The extension P1[ e ! p] has to be defined in accordance with . The value of P0 [ e ! p] has to be preserved, rather than the behaviour (the behaviour is hidden in its value). As an example, injection shall be used to extend the domain P : INJECT

P

V al  P

into

Processes p = (ep; s) are refined to [(v; ep; s)] expressed by a mapping r where [(v; ep; s)] := f(a; b; c)j b = ep ^ c = sg  P1 . We have used an equivalence on P1 (called ) to define relevant behaviour. Extended functions are only expected to behave correctly with respect to these classes. A mapping c : (v; ep; s) 7! [(v; ep; s)] does always exist, q : p 7! (v; ep; s) can be constructed. These set-based mappings can be extended to morphisms ; ;  on algebras by using the constructs congruence  and quotient algebra P1 =:

P0



- P1

@@ @@  R@ ?

P1 =

 is a morphism which preserves behaviour and  is a canonical morphism onto the quotient algebra. 2.3 Domain Constraints for Processes Bolignano and Debabi impose constraints on domains: 1. For (m; S ) 2 P0 :

dom(m) = 2.

[

S

Sat(A) for A 2 PP. A has to be a saturated finite subset of P. [ Sat(A) := 8x 2 A; y 2 P:(y  fzjz 2 Ag ^ x  y) ) y 2 A This is an adaption of criterion Sat on p. 8 (Figure 3) in [BD92]. 4

The consistency of the definitions with the constraints has to be proven, i.e. it has to be shown that the functions works properly regarding the constraint. For the operator jj we have: 1.

2.

S S dom(M1jjmM2 ) =Sdom(SM1) [ dom ( M ) with dom(M1) = S1 and dom(M2) = S2 , i.e. 2 dom(M1jjmM2) = S1S[ S2 = S(S1 [ S2 ). S1 jjsS2  S(S1 [ S2 ) by construction x  Sfy j y 2 S1 [ S2g and S1 jjsS2 = (S1 [ S2 ) by construction 9v 2 S1 ; w 2 S2 :x  v [ w. x 2 S1jjsS2 is saturated obviously by definition of Sat.

Note, that the consistency of the basic language is not an issue of extension, but has rather to be resolved by the language designer.

3 Some Formal Background A notation for defining languages has been implicitly and informally introduced in the previous section. Extensions of the presented language shall be prepared by introducing the mathematical framework, Universal Algebra [Coh65, Gr¨a68], and the necessary extension mechanisms. The general framework as it is presented e.g. in [Pah97b] can be found in the appendix. Here, only extensions to that framework will be presented. In particular, this will be the treatment of domain constraints.

3.1 Preserving Domain Constraints Constraints on domains can be interpreted in two ways: as a construction of a subspace or as a property that has to be preserved. We will pursue the second alternative. It is a more general approach and does not interfere with behaviour preservation. Thus, domain constraints are a property similar to behaviour. They have to be preserved by appropriate means. Domain constraints could be handled in two ways. Firstly, by explicit extension of constraints and explicit proofs by the language designer or, secondly, by implicit treatment through appropriate operators and templates. A constraint is a predicate on a domain expression relating concrete elements of domains. Two examples were presented in section 2.3. The extension of domains is expressed by  : S 7! D(S ) where D(S ) is a domain expression on S . Single elements are mapped by (s) for s 2 S and  : S !  (S ). We will start assuming the extension of semantic algebras defined by an association  and an extension morphism  (the latter not necessarily behaviour preserving). Definition 3.1 Let  be an extension morphism and  an association. A domain constraint C is extended to C 0 in two steps, called a constraint extension: 1. Substitute each variable si by s0i in the constraint C where the si

(i = 1; ::n) are variables:

C (s1; : : :; sn) 7! C 0(s01 ; : : :; s0n )[ (S )=S] Each si in iterated.

C is substituted by s0i in order to form C 0.  is applied to all domains S over which is 5

2. Apply the inverses ?1 to the elements s0i (substitute syntactically s0i

7! ?1(s0i)).

The first step is a syntactical substitution which has to be corrected in the second step. Let us consider a S domain S which is extended by injection to S  T . Let there be a constraint 8m 2 S : dom(m) = S . This S constraint is extended in the first step to 8m0 2 S  T : dom(m0) = S . Since dom is a function on S , we S will adapt to 8m0 2 S  T : dom(1(m0)) = S . The inverse operation to injection is projection (second step). Examples for these inverses with respect to the extension operators are: extend inject d 7! (d; e) index d 7! f with 8i:f (i) = d

retrieve project 1(d; e) = d apply f (i)

These ideas indicate that constraint extension can be defined similar to domain extension, based on a certain domain construction. The constraint extension preserves the validity of the domain constraint. The domain extension s 7!  (S ) determines behaviour templates as well as constraint templates. The constraint extension is a general-purpose template applicable to all kinds of domain extension. It lifts the original constraint such that its validity is preserved. Proposition 3.1 Constraints which are extended by the above constraint extension are automatically satisfied if the extension is carried out with the corresponding semantics extension. Proof: Obvious, since the constraint template reverts the extension by the extension morphism.

ut

3.2 Recursive Domain Equations We will not consider problems of recursive domain equations D = F (D) in particular (see [Sch86], [AJ94] for deeper considerations). Elements in our approach must denote semantic entities in order to make associations possible. There must be a solution to a particular recursive domain equation. Applying domain extensions to domains which have solutions preserve the existence of those solutions (assuming solutions for added domains, e.g. in injection, as well). Consider:



Modifications at the outer level: D = F (D) is extended to D = G(F (D)) where G might denote a product construction, e.g. D = F (D)  E . The domain extension is D 7! (D  E ).



Modifications at the inner level: D = F (D) is extended to D = F (G(D)) where G might denote a function space construction, e.g. F (D) = E  D is extended to F (G(D)) = (I ! E )  D. The domain extension is E 7! (I ! E ).

If we assume that the newly introduced domain identifiers E denotes domain expressions for which solutions exist, then the existence is preserved by the two presented forms of modification. For the first case see [AJ94] Chapter 3.2.6. For the second case it is obvious that the internal structure of E is not relevant for the existence of a solution for D as long as E has a solution itself. 6

3.3 Lifting The presented model P0 is a lifted domain, i.e. containing a distinguished bottom element ?. We could have started with a simpler, non-lifted domain which would have been extended by a lifting template introducing ? which can be defined as follows. The domain extension is S 7! S [ f?g.  is equality on S? (short for S [ f?g), thus a congruence.  is an embedding into S? , i.e. the identity on S . If S is already lifted, then  is strict. A canonical way to define the extended functions would be to make them strict. Behaviour preservation is obviously guaranteed.

4 First Extension — Partitioning Events In the first extension step we will partition the set of events into input, output and termination events. The former two denote the direction in which communication via channels happens. Before we address the concrete problem, we will introduce the general technique of partitioning in form of an extension template. We will argue that partitioning corresponds to the idea of introducing dynamic typing into an untyped environment. The extension of the semantic structure with behaviour preservation as well as the extension of the domains constraint preserving the original constraint will be considered.

4.1 Partitioning and Dynamic Typing A domain S might be partitioned into subdomains Sk1 ; : : :; Skn , if a function kind : S ! K with K = fk1; : : :; kng exists, which assigns a unique kind to each element (we could also call the function type instead of kind and call S the universe of values, but for the moment we will stick to a more generic notion). The partition shall be expressed explicitly through an extension template based on a product

S 7! Sk1  : : :  Sk

n

such that s 2 Ski whenever kind(s) = ki. Note, that choosing a product construction is only one possibility to realise partitioning on the extension level, another possibility would be a type-tagging construction (a pair of a value and its type). Two variants shall be provided. One is a simple behaviour preserving extension, the other one will also preserve a partitioning on the basic domain S expressed by a function kind. 1. Variant:

 is the equality on Sk1  : : :  Sk

n

, thus it is a congruence.

 : s 7! case kind(s) in ki ) [sk1 ; : : :; sk ] end n

with ski

 is defined by

= s and sk = default for i 6= j j

The behaviour is trivially preserved by this construction for all function schemes (applying the usual function constructions as explained in section A.3). 2. Variant: The definition of kind can be used to derive an equivalence P on the source domain S : all elements of the same kind are equivalent, i.e. for s; t 2 S

sP t

iff

kind(s) = kind(t) 7

Assuming that functions on S satisfy the substitution property with respect to P , the extension would preserve behaviour with respect to an equivalence 0P defined by

[s1; : : :; sn] 0P [t1; : : :; tn]

iff si P ti

(, kind(si) = kind(ti) )

for all i

under consideration of the equivalence P on S . This variant preserves behaviour with respect to P , i.e. the partitioning on S is preserved by definition of 0P . Both variants of partitioning have the existence of kind as a precondition. Variant 2 also requires the satisfaction of the substitution property. We will call these variants constrained templates. Variant 2 is presented in figure 2. The assumed function kind is used to derive an equivalence on S which is used instead of the predefined equality for the investigation of behaviour preservation in the second variant. EXTENSION TEMPLATE Precondition: existence of kind, substitution property holds PARTITION2 S into Sk1  : : :  Skn :=

(

 : S 7! Sk1  : : :  Sk ;  : fiA 7!c fiB [s1; : : :; sn] 0P [t1; : : :; tn] iff kind(si) = kind(ti) for all i S (s) :=  : s 7! case kind(s) in ki ) [sk1 ; : : :; sk ] with sk = s and sk = default for i 6= j (s1; : : :; sn) for each [(s1; : : :; sn)] n

n

)

i

j

Figure 2: Extension template PARTITION Partitioning is a technique which can be used to introduce dynamic typing. The initial set S can be considered as the universe of values. The function kind corresponds to a function which assigns a type for each value. Such a function would be an element of a semantic algebra introducing dynamic typing. In case of a partitioning, the assigned type for a value is unique. For our application, we could say that the set of events is typed. There are other possibilities to obtain dynamic typing, e.g. by type tagging using an injection of values into a product domain of values and type tags. Static typing is not dealt with here. Static typing is a matter of static semantics with which we are not concerned here.

4.2 Partitioning Events The template shall now be applied. Let 1 in the extended process space

= Pin  Pout  Pp be the partitioning of events from 1

P1 = ((in ! P1 )  (out ! P1 )  PP1)? The following assumption shall be made.  is partitioned, expressed by a disjoint sum  = in +out +p , i.e. the function kind, which we have presented in the previous section, exists. Functions consider the partitioning, i.e. the equivalence 1 on 1 is a congruence (this can be guaranteed by the canonical construcp tion). p consist of only one element which denotes immediate termination. We will use a variant of the 8

template which partitions  as a index set. The variant is obtained by applying PARTITION to each first component of maplets of type Sigma ! P1 . PARTITIONIND ( ! P1 ) into (in

! P1)  (out ! P1)

By applying the template, we get the following definitions for  and  where the empty map [] is used as the default element:

([e 7! p]) = ([]) (?)

case e in

in(e) : ([e 7! p]; []) out : ([]; [e 7! p]) p(e()e): ([] ; []) = ([]; []) = ?

and

(a; b)  (a0; b0) []  []

iff iff

a = a0 ^ b = b0 [] = []

i.e.  is the equality on the extension.  has to be strict (this could always be assumed if lifted domains are considered). Empty elements of sets and maps have to be dealt with explicitly. All relevant functions in this particular example have the type f : X ! P . Their extension is defined by f 0 : X ! P 0 where  is partitioned in P with f 0(x) := (x). The behaviour is preserved due to the application of a template. The definitions for the functions extensions are (derived by template):

P1 P1[ chaos] P1[ stop] P1[ e ! p] P1[ p1jjp2]

: := := := :=

Process ! P1 ? ([]; []; f(;; ;; fpg)g) (P[ e ! p] ) let (IN1; OUT1; S1) := P1 [ p1] ; (IN2; OUT2; S2) := P1 [ p2] (IN1jjmIN2; OUT1jjmOUT2; S1jjsS2)

in

The formulation of P1 [ p1jjp2] as given above does not correspond directly to the application of the template, but is semantically equivalent. Proving the substitution property for functions is trivial since for P1 the domain Process is a syntactic domain and the relevant equality is identity. The application of the template guarantees behaviour preservation. The preservation of domain constraints is addressed in the next section. Remark 4.1 Alternative techniques for partitioning using other templates could have been used, e.g. indexp ing I !  with I = fin; out; g as the index set. Injecting  into   I is a type tagging approach.  would be defined by (e; i)(e0; i0) iff i = i0 to model the partitioning, but this construction would not coincide with the template construction INJECT. 9

4.3 Extending the Domain Constraint The consistency constraints as presented above in section 2.3 for the basic model 1. 2.

dom(m) = S S for (m; S ) 2 P , Sat(A) for A 2 PP with Sat(A) := 8x 2 A; y 2 P:(y  Sfzjz 2 Ag ^ x  y) ) y 2 A.

do not apply to the new domain of interest. A reformulation by template is necessary (see section 3.1). This would result in: 1. for all acceptance sets S1 and i 2 in ; o 2 out ;

p 2 p :

dom(p i) = SSf1(z)jz 2 S1 g ^ dom(o) = Sf2(z)jz 2 S1g ^ dom( ) = f3 (z)jz 2 S1 g

with S1 =  (S ) and  = in + out + p . Projection  is the inverse of injection (a product was used to represent the partitioning). 2.

Sat1(A) for A 2 PP1 where Sat(A) := 8x 2 A; y 2S (P  P  P) : ( 1 (y)  Sf1(z)jz 2 Ag ^ 1 (x)  1(y) ^ 2 (y)  Sf2(z)jz 2 Ag ^ 2 (x)  2(y) ^ 3 (y)  f3(z)jz 2 Ag ^ 3 (x)  3(y) ) )y2A with 1

= Pin  Pout  Pp.

By using the constraint extension template, the constraint is preserved (see Proposition 3.1). The first part of the constraint is partitioned into three parts and then projections are used to reduce to the original constraint. Using the product for extension and then projecting is also used for the second criterion.

5 Second Extension — Values and States Values (as results of processes) and states are added in one step. In the model presented by Bolignano and Debabi, values are read via input channels and are immediately bound to variables of the state. An extension in two steps is therefore not appropriate. We will start, as in the previous section, with introducing the mechanisms in their general form necessary to tackle the problems before we apply them to the concrete domain construction. Afterwards, the extension of domain constraints is considered.

5.1 Templates We will need two templates for the extension. The injection template INJECT is presented in figure 3. The INDEX template is presented in figure 4. Background is provided in appendix A.3. 10

EXTENSION TEMPLATE INJECT S into S  T

:= (

)

 : S 7! S  T;  : fiA 7!c fiB (s; t)(s0; t0) iff s = s0 S (s) := [(s; t)] (s0; t0) for each [(s0; t0)] Figure 3: Extension template INJECT

EXTENSION TEMPLATE INDEX S by I

! S := (

)

 : S 7! I ! S;  : fiA 7!c fiB f f 0 , f (i) = f 0(i) for all i S (s) := [f s ] with f (i) = s for all i 2 I f0 for each [f0 ] Figure 4: Extension template INDEX

5.2 Application of Domain Templates

States and values will form a new component of the process space. Values can also be read from or written onto channels. The resulting domain of the last extension presented here is:

P2 = (P(S  V )  (in ! V ! P2 )  (out ! V ! P2 )  PP1)? The partitioned set of events 1 remains unchanged. The extension is done by using the templates INJECT and INDEX applied in two consecutive steps. Substep 1 injects values by INJECT (P(S  V )) into P1 , using f[]g as the default value. In substep 2 we index the process space by values: INDEX P2 by V using v0 7! p as default for any v0 and a given p. The operations chaos; stop; e 7! p; p1jjp2 are extended by template. skip, the assignment, and the input and output operations c? and c!a are newly introduced (a sequence operator, which is also presented in [BD92], is omitted here – sequencing is a composition of commands, an issue which has not been considered here, see [Pah97b]). Using the templates, behaviour preservation is guaranteed without any proof obligation. The 11

result of applying the templates is the following:

P2 P2[ chaos] s P2[ stop] s P2[ e ! p] s P2[ p1jjp2] s

: := := := :=

P2[ skip] s P2[ x := e] s P2[ c?]]s P2[ c!a] s

:= := := :=

Process ! P2 ? ([]; []; []; f(;; ;; fpg)g) (P1 [ e ! p] ) let (R1; IN1; OUT1; S1) := P2 [ p1 ] s; (R2; IN2; OUT2; S2) := P2 [ p2] s in (R1 [ R2; IN1jjmIN2; OUT1jjmOUT2; S1jjsS2) (f(s; ())g; []; []; f(;; ;; fpg)g) p (f(sy[x 7! [ e] s]; ())g; []; []; f(;; ;; f pg)g) (fg; [c 7! v:(f(s; v)g; []; []; f(;; ;; f g)g)]; []; f(fcg; ;; ;)g (fg; []; [c 7! [[[a] s 7! (f(s; ())g; []; []; f(;; ;; fpg)g)]; f(;; fcg; ;)g

The formulation of P1 [ p1 jjp2] does not correspond directly to the application of the template, but is semantically equivalent.

5.3 Extending the Domain Constraint Again, we need to adapt the domain constraint to the new domain construction. The domain constraint is reformulated as follows: 1. For all acceptance sets S1 and i 2 in ; o 2 out ;

p 2 p :

dom(ip) = SSf1(z)jz 2 S1 g and dom(o) = Sf2(z)jz 2 S1g dom( ) = f3 (z)jz 2 S1 g 2.

p 2 Sf (z)jz 2 S g , P(S  V ) 6= ; 3 1

3.

Sat1(A) for A 2 PP1 with

and

Sat1 (A) := 8x 2 A; y 2S (P  P  P) : ( 1(y)  Sf1(z)jz 2 Ag ^ 1 (x)  1 (y) ^ 2(y)  Sf2(z)jz 2 Ag ^ 2 (x)  2 (y) ^ 3(y)  f3(z)jz 2 Ag ^ 3 (x)  3 (y) ) )y2A The constraint extension template is not used, since the two conditions remain unchanged and another condition (the second) has been added explicitly. But since the result set P(S  V ), to which the new constraint applies to, did not exist in the source language, the original constraint is preserved. 12

6 Conclusions Using our framework, we could prove that certain properties such as behaviour and domain constraints are preserved if Hennessy’s model of acceptance trees is adapted to meet the requirement of the RAISE specification language1. We have dealt with this extension in a stepwise approach based on a selection of common extension templates. The results presented in this paper extend the approach presented in [Pah97b] in that two different properties are preserved:

 

behaviour of functions domain constraints

Both property preservation criteria are defined on an extension of semantic algebras. The framework, which was used here, has also been applied to the Unix C shell interpreter language [Pah97b, Pah97a]. Regarding those results, in particular [Pah97a], it appears that the extensions here can be carried out in parallel, since they do not seem to depend on each other. This could also be investigated. Alternatively, we could have started with an imperative model including states and values, on which processes are added and then events are distinguished. A deterministic function yields a single result, a non-deterministic one possibly a set of result. A deterministic one is always a special case of a non-deterministic one. Thus, a language with deterministic functions can be extended to one with non-deterministic functions by using a template based on the power-set construction for domains. We could have pursued a pure semantical approach without using any syntax, since the aim was to extend the model first before the extended model is used as the semantics of the RSL concurrency features. The syntax of a toy language was given to illustrate the semantics. The approach is in principle applicable to models only.

References [AJ94]

S. Abramsky and A. Jung. Domain Theory. In S. Abramsky, D. Gabbay, and T. Maibaum, editors, Handbook of Logic in Computer Science, Vol. III, pages 1–168. Oxford University Press, 1994.

[BD92]

D. Bolignano and M. Debabi. On the Foundations of the RAISE Specification Language Semantics. Technical report, ESPRIT project LACOS, 1992.

[Coh65] P.M. Cohn. Universal Algebra. Harper and Row Publishers, 1965. [Geo91] C. George. The RAISE Specification Language – A Tutorial. In S. Prehn and W.J. Toetenel, editors, VDM’91 – Formal Software Development Methods. Springer-Verlag, October 1991. LNCS 552. [Gr¨a68] G. Gr¨atzer. Universal Algebra. D. van Nostrand Company, 1968. 1 Passing processes via channels is also introduced by Bolignano and Debabi (p. 19-24 in [BD92]). The approach proposed involves a dependence of static and dynamic semantics. We focussed here on dynamic semantics only.

13

[Gro92] The RAISE Language Group. The RAISE Specification Language. CRI A/S, Denmark, 1992. [Hen85] M. Hennessy. Acceptance Trees. Journal of the ACM, 32(4):896–928, October 1985. [HI93a] M. Hennessy and A. Ing´olfsd´ottir. A Theory of Communicating Processes with Value-Passing. Information and Computation, 107(2), 1993. [HI93b] M. Hennessy and A. Ing´olfsd´ottir. Communicating Processes with Value-passing Assignments. Formal Aspects of Computing, 3, 1993. [Pah97a] C. Pahl. An Investigation into Parallel Extensions of the Unix C shell Interpreter Language. Technical Report IT-TR:1997-015, Department of Information Technology, Technical University of Denmark, 1997. [Pah97b] C. Pahl. Modular, Behaviour Preserving Extensions of the Unix C shell Interpreter Language. Technical Report IT-TR:1997-014, Department of Information Technology, Technical University of Denmark, 1997. [Sch86] D.A. Schmidt. Denotational Semantics: A Methodology for Language Development. Wm.C. Brown Publishers, 1986.

A Definitions and Properties of Extension Semantics A.1

Mathematical Background

Notions for describing a language (semantic algebra, congruence relation, quotient structure) and for extending a language (behaviour preserving morphism) and some properties are presented. Definition A.1 A semantic algebra is an algebra consisting of

 

(possibly compound) domains D1 ; : : :; Dn functions of type2 1) f : S ! X , 2) f : X ! S , 3) f : S ! S , and 4) f : X ! are composed of the Di and S using domain constructors such as ; !; +; P .

Y

where X and Y

For the extensions we will apply later on, we will identify a domain of interest S 2 fD1; : : :; Dng. This distinguished element is not part of the definition of a semantic algebra. Based on the (possibly compound) domain S , a domain extension will be carried out. Let Alg be the collection of all semantic algebras. With each semantic algebra A we have associated a signature sig (A) = (S; Di(i = 1::n); fj (j = 1::m)) using the symbols for semantic entities as syntactic elements. Definition A.2 A congruence relation  on a set S is an equivalence relation (reflexive, symmetric, transitive) which satisfies the substitution property with respect to functions f on that set (let a; b; 2 S ): ab ) f (a)f (b). 2 The

fourth case of the function types is often omitted in further investigations since S does not appear on the outer level.

14

Definition A.3 Let A be an algebra and  a congruence relation on the sets Ad in A. The quotient algebra A= is defined by Ad= := f[a] j a 2 Ad g and f  ([a]) := [f (a)] . Equivalence relations will be used to define the property that certain elements are similar with respect to some observation. In particular, we will express behaviour preservation. A quotient algebra is obtained from applying the equivalence to a given algebra. A special morphism on algebras shall be introduced which captures the idea of behaviour preservation. Definition A.4 Let A and B be semantic algebras. Let B= be a quotient algebra with respect to an equivalence relation  on B . Let  : A ! B be an association between semantic domains and operations ( shall be a signature morphism from sig (A) to sig (B )). A morphism  : A ! B is called behaviour preserving, if

  is a domain-sorted set of mappings: fd : Ad ! B(d) j Ad is a domain in Ag   preserves the operation behaviour, e.g. for op : d ! d0; x 2 d it holds d0 (op(x))  (op)(d(x)) Note, that behaviour preservation requires only equivalence  of results on the extended level. If two behaviour preserving morphisms  and are composed (  ), then the definition of  is relevant for  .  is based on the domain extension and  . Proposition A.1 If  : A 7! B= and  : B 7! B= are morphisms, then there exists a mapping  : A ! B such that   (A) = (A). ?1 can always be represented by a composition ?1   where  is onto and ?1 is 1-1.

 can be constructed by (s) := s0 if (s) = [s0 ] with s0 2 S 0 such that    =  since (s0 ) = [s0] .  is a morphism since  is a congruence and  a morphism to B=. (f (s))   (f )((s)) ) (f )((s)) = (f )([s0]) = [(f )(s0)] = [(f )((s))]. Therefore,  preserves the operations as ut well as . See Corollary II.3.8 [Coh65] for the existence of ?1 . 0 Sets are extended by S : S !  (S ). The mapping on function symbols  : OP ! OP with  (f ) = f 0 associates functions. Let OP be the set of functions of the basic algebra  defines the function mapping. It has to depend on  to satisfy the behaviour preservation criterion. Functions f 0 2 OP 0 have to be defined regarding the definition of . Appropriate templates will be presented later on. Proof:

A.2

Semantics Extensions

A language description based semantically on semantic algebras can be extended to another language defined by other semantic algebras. Behaviour might be one of the properties to be preserved. This involves defining the extending morphism, describe the relevant behaviour and proof the proof obligation that the defined morphism is behaviour preserving with respect to the relevant (or observable) behaviour. An extension operator is an operator on semantic algebras. Semantic functions might be functions of a semantic algebra. Syntactic domains are also domains. We can always view a whole language semantics as a semantic algebra. The domain of interest is then the one to be extended. The operators have to satisfy some 15

properties in order to allow to construct a behaviour preserving morphism. The general form of such operators facilitating extension shall be investigated now. Let  : A 7! B denote a morphism on algebras where nothing is said about the algebras A and B . Let S and T be the semantic domains of interest of A and B , respectively. Note that each domain identifier S or T might be defined in a domain equation. Definition A.5 An extension operator on semantic algebras A and B is a 4-tuple (; ; ; d) where

   

 is a signature morphism on semantic algebras (from sig(A) to sig(B))  is a binary relation on (S ) if S is the domain of interest in the source algebra  : Alg ! Alg= is a mapping from semantic algebras to quotient algebras d is a collection of default elements s0[s0 ] for each equivalence class [s0] in  (S ).

For domains of interest S , there might already be a behavioural equivalence S defined from previous extension which has to substitute the equality =S on S , if the latter is used for defining D(s) . For all domains D not equal to S , D is assumed to be the equality (i.e. a congruence) and D is assumed to be the identity function. The following proof obligations arise, if a behaviour preserving morphism  has to be derived from such an extension operator : 1. 2. 3.

 is an equivalence relation on S (S ) = T . The substitution property holds for , i.e.  is a congruence and B= is a quotient algebra. Behaviour preservation is guaranteed by a constructed .

Definition A.6 Let A be a semantic algebra with a domain of interest S and  be a signature morphism with domain sig (A). Let  be an equivalence on a domain  (S ). A behaviour preserving extension is every algebra B which extends A syntactically by  such that  is a congruence on B . Corollary A.1 We shall state two obvious properties: 1. A quotient algebra B= exists. 2. The definition A.6 determines a class of algebras with isomorphic quotients.

A.3

Extension Templates

In this subsection, some properties shall be investigated allowing to derive operators from a reduced amount of information in some particular situations. In general, all elements of an extension operator are necessary to define an extension on semantic algebras. Let S 7!  (S ) the domain extension (part of  ). An equivalence  for  (S ) can not be automatically derived from S . Only if there is such a possibility, the mapping  can also be derived. This is in particular possible in the following examples. 16

Example A.1 Common templates of extension: 1. 2. 3. 4.

S 7! S  T : (s; t)(s0; t0) iff s = s03 and  : s 7! [(s; t)], (s; t0) is the default element for [(s; t0)] S 7! S + T : xx0 iff x = x0 and  : s 7! [s], s is the default element for [s] S 7! (I ! S ): tt0 iff 8i 2 I:t(i) = t0 (i) and  : s 7! t with t(i) = s for all i 2 I , f0 with f0(i) = s is the default element for [f0)] S 7! P(S ): pp0 iff p = p0 and  : s 7! [fsg], fsg is the default element for [fsg]

In the following we will provide three lemmata which generalise some of the ideas just presented. Conditions for obtaining a template from just a domain construction will be elaborated. Lemma A.1 Let s; s0 2 S be elements of a domain of interest and e[x] is an expression of type  (S ) where  is a signature morphism and x is a variable of type S . Assume e[x=s]  e[x=s0 ] iff s = s0 . Then,  is an equivalence on  (S ). Proof: e depends only on the argument, thus an equivalence is formed.  is an equivalence relation since = is one. ut The substitution property xy ) f (x)f (y ) shall be investigated for the different kinds of function signatures.

: S ! X : requires f1B (x) = f1B (y) if xy f2A : X ! S : requires f2B (x)f2B (y) if x = y f3A : S ! S : requires f3B (x)f3B (y) if xy f4A : S ! S : requires f4B (x) = f4B (y) if x = y

1. f1A 2. 3. 4.

It will be proven for each particular case, that using a canonical construction for  and the functions fiB , a mapping  can be derived such that behaviour preservation is guaranteed. It is not necessary to define  for functions fi explicitly. Once  exists (either derived or explicitly defined), functions  (fi ) in B can be derived (if desirable) from fi in A which satisfy the substitution property. This shall be presented now. Lemma A.2 The following function definitions fiB in algebra B satisfy the substitution property ab ) fiB (a)fiB (b) for an extension of function fiA of a semantic algebra A, an equivalence  and a morphism . 1. f1B ((s)) := f1A (s)

2. f2B (x) := (f2A (x))

3. f3B ((s)) := (f3A (s)) 3 The

symbol

= might denote behavioural equivalence on S , see above. 17

We will refer to this construction by using the mapping fiA on.

7 c fiB . The fourth case will be investigated later !

Proof: Consider the types: 1. 2. 3.

(s1)(s2) ) s1 = s2 ) f1A (s1) = f1A (s2) ) f1B ((s1)) = f1B ((s2)) (x1) = (x2) ) x1 = x2 ) f2A (x1) = f2A (x2) ) (f2A(x1))(f2A (x2)) ) f2B (x1 )f2B (x2) (s1)(s2) ) s1 = s2 ) f3A(s1) = f3A(s2 ) ) (f3A((s1 )))  (f3A ((s1))) ) f3B ((s1 ))  f3B ((s2)) ut

Lemma A.3 If  is a congruence on  (S ) and  is an injective mapping and d are the defaults, then a behaviour preserving mapping  : Alg ! Alg and an extension operator T = (; ; ; d) can be constructed. Proof: Use the defaults s0[s0 ] from the equivalence classes to form  with  : s 7! s0[s0 ] where  Construction is guaranteed by Proposition A.1. Definition A.7 An extension template (S 7! T; ; ; d ) consists of a domain maplet S alence on T such that Lemma A.3 is satisfied, a mapping  : S ! T= and defaults d . The four examples A.1 are extension templates.

18

: s 7! [s0]. ut

7! T , an equiv-