Algebraic Specifications, Higher-order
Types and Set-theoretic Models
HÉLÈNE KIRCHNER, LORIA-CNRS, B.P. 239, F-54506
Vandœuvre-lès-Nancy Cedex, France.
E-mail: [email protected]
PETER D. MOSSES, BRICS & Department of Computer Science, University
of Aarhus, Ny Munkegade bldg. 540, DK-8000 Aarhus C, Denmark.
E-mail: [email protected]
Abstract
In most algebraic specification frameworks, the type system is restricted to sorts, subsorts, and first-order function
types. This is in marked contrast to the so-called model-oriented frameworks, which provide higher-order types,
interpreted set-theoretically as Cartesian products, function spaces, and power-sets. This paper presents a simple
framework for algebraic specifications with higher-order types and set-theoretic models. It may be regarded as the
basis for a Horn-clause approximation to the Z framework, and has the advantage of being amenable to prototyping
and automated reasoning. Standard set-theoretic models are considered, and conditions are given for the existence
of initial reducts of such models. Algebraic specifications for various set-theoretic concepts are considered.
Keywords: Algebraic specification, higher-order types, set-theoretic models, intensional set theory, Horn clause
logic, initiality.
1 Introduction
There are two main schools of thought regarding the formal specification of abstract data
types: the model-oriented [1, 5, 22], and the property-oriented [6, 23]. In model-oriented
specifications, the emphasis is on specifying data types as set-theoretic structures (products,
power sets, etc.), the operations of the data types then being defined as particular functions on
these structures. The underlying logic for reasoning about such a specification is a powerful
higher-order logic, e.g. based on ZF set theory. In property-oriented specifications, one
generally tries to avoid choosing an explicit representation: types are left abstract as so-called
sorts—sometimes equipped with a subsort inclusion relation, but otherwise unstructured. The
operations are specified by axioms that relate them to each other, generally including the main
intended algebraic properties. The underlying logic is often a modest Horn-clause fragment
of equational first-order logic—supplemented by an induction rule when dealing with initial
algebra semantics rather than loose semantics. In practice, some model-oriented specification
languages (such as Z) do allow types to be left abstract (or ‘given’), with the operations on
them specified by axioms. Moreover, the use of auxiliary (‘hidden’) sorts and operations in
property-oriented specifications can give these a model-oriented flavour. There are also some
wide-spectrum languages (e.g. RSL, Spectrum) which encompass both approaches, allowing
model- and property-oriented specifications to be mixed together.
It seems to us that both the model- and property-oriented approaches have their advantages
and disadvantages. In particular, we regard the restriction to Horn-clause logic in the latter
J. Logic Computat., Vol. 11 No. 3, pp. 453–481 2001
© Oxford University Press
as beneficial, since not only are the consequences of a specification much more obvious
than in full higher-order logic, but also automated reasoning and prototyping are feasible.
The resulting existence of initial models is useful (but does not preclude considering loose
semantics of specifications). The usual restriction to first-order functions and unstructured
sorts in property-oriented specifications, however, we regard as a definite disadvantage. This
has led us to investigate an intermediate or hybrid approach, combining the better features of
the model- and property-oriented approaches:
• Types may be polymorphic, and include abstract types as well as the concrete set-theoretical product, power-set, and function types.
• Operations may be higher-order and partial.
• The only built-in relations are equality, set membership, and definedness (the last merely abbreviates an equality).
• Formulae are restricted to Horn clauses (no disjunction, variables are universally quantified).
• Models have set-theoretic foundations.
• Specifications have initial models (when consistent).
• Specifications are amenable to prototyping and reasoning using rewriting and saturation techniques.
The main novelty of our approach is its treatment of set-theoretic concepts using the rather
weak logical framework of (equational) Horn clauses. It will be helpful to consider altogether
three kinds of models of specifications: arbitrary algebraic models, where values of set-types do not necessarily have any concrete set-theoretic structure at all; labelled-set models,
where they are pairs of arbitrary labels and ordinary sets; and standard set-theoretic models,
where values of set-types are ordinary sets. For the algebraic and labelled-set models we
obtain initial models, and we conjecture conditions such that the standard set-theoretic models
have initial reducts. The conclusion is that when sets are used essentially as types, and their
equality is of no concern, one need consider only the standard set-theoretic models of our
specifications, disregarding labels.
Thus a framework based on our approach could be attractive for those who prefer the concrete, higher-order, set-theoretic nature of B or Z, but who would also like the possibility
of automated reasoning and prototyping for exploring the consequences of (requirements or
design) specifications. The price to be paid for the latter is the restriction to Horn clauses,
and the avoidance of conditions involving equality between sets that do not necessarily have
the same members in all models. As a compensation, the models of our specifications are of
a much simpler nature than those of Z specifications. Note that merely restricting Z specifications to Horn clauses would not ensure the existence of initial (set-theoretic) models.
Plan of the paper. Section 2 explains the syntax of our simplified proposal for algebraic
specifications with (higher-order, polymorphic) set-theoretic types, giving some simple examples. Section 3 defines the notion of a presentation. Section 4 gives a deductive system for
type judgements. Section 5 presents our main proof system for reasoning about the consequences of specifications. Section 6 investigates the three kinds of models mentioned above.
Section 7 outlines how the language presented here can be extended to cater for explicit
subset inclusions, and indicates how accurately other familiar set-theoretic constructs can be
specified in this framework. Finally, Section 8 discusses the relationship of our framework to
other work, and considers possible directions for future developments.
TABLE 1. Natural numbers
Naturals
    type $N$
    $0 \in N$
    $succ \in N \rightharpoonup N$
    $pred \in N \rightharpoonup N$
    ----
    $\forall\ n \in N$
    $pred(succ(n)) = n$
    $pred(n)\downarrow \Rightarrow succ(pred(n)) = n$
    $pred(0)\downarrow \Rightarrow \bot$
2 Specifications
Some simple examples of specifications are given in Tables 1–6. They are intended mainly to
illustrate the basic form of our specifications; this is reminiscent of (non-imperative) B and
Z, although there are also some significant differences, such as our treatment of partiality,
polymorphism, and overloading. The rest of this section gives an informal explanation of the
syntax and semantics of the specification language.
As illustrated in Table 1, a specification here is mainly just a set of Horn clauses where
the atomic formulae are equations $t_1 = t_2$, set memberships $t \in s$, or definedness assertions
$t\downarrow$ (the last abbreviates the equality $t = t$). A Horn clause with conditions $A_1, \ldots, A_n$
and conclusion $A$ is written $A_1 \wedge \ldots \wedge A_n \Rightarrow A$; when $n = 0$ it is written $\top \Rightarrow A$, or
simply $A$. Negative clauses, asserting that the conditions cannot all hold together, are written
$A_1 \wedge \ldots \wedge A_n \Rightarrow \bot$ or simply $A_1 \wedge \ldots \wedge A_n \Rightarrow$. Terms $t$ are formed from constants and
variables by the two binary operations of (partial) function application $t_1(t_2)$ and pairing
$(t_1, t_2)$. Only one pair of parentheses is needed in $f((x, y))$, and $(x, (y, z))$ may be written
$(x, y, z)$. Mixfix notation is allowed for application: when a function constant $f$ has $n$ place-holders (written '$\_$'), the application $f(t_1, \ldots, t_n)$ (or $f(t_1) \ldots (t_n)$) may be written as $f$ with
each place-holder replaced by the corresponding argument term $t_i$: e.g. $\_+\_(m, succ(n))$
may be written $m + succ\ n$, as illustrated in Table 2.
The function constants $\_\times\_$, $\_\rightharpoonup\_$, $\mathcal{P}\_$, used for expressing sets, have interpretations such
that for any sets $S$, $T$:
• the members of $S \times T$ are all pairs $(s, t)$ with $s \in S$, $t \in T$;
• all members of $S \rightharpoonup T$ represent partial functions which, when defined, map values in $S$ to values in $T$;
• all members of $\mathcal{P} S$ are subsets of $S$.
Note especially that partial functions are here regarded as individuals, and not identified with
their graphs, in contrast to their treatment in Z. This is crucial for the definition of reducts
of set-theoretic models in Section 6.3. It also allows a particularly simple and consistent
interpretation of overloaded function constants, whereby the membership $succ \in N \rightharpoonup N$
does not prevent the extension of $succ$ to sets including $N$, as it would in the Z interpretation.
TABLE 2. Natural numbers with addition
NaturalsPlus
    Naturals
    $\_+\_ \in N \times N \rightharpoonup N$
    ----
    $\forall\ m, n \in N$
    $m + 0 = m$
    $m + succ(n) = succ(m + n)$
    $pred(n)\downarrow \Rightarrow m + pred(n) = pred(m + n)$
Moreover, by letting $S \rightharpoonup T$ and $\mathcal{P} S$ return subsets of the usual results, we admit models
with countable universes.¹ Meinke uses a similar technique for the type constructors in his
approach to higher-order algebra [14, 15]. Such models are known as Henkin models [9].
We distinguish some terms denoting sets as types, using them in checking the consistency
of use of symbols in specifications. An abstract 'given' type $S$ is simply a set constant whose
members remain to be specified; it is introduced by writing type $S$, as with $N$ in Table 1.
Applications of the function constants $\_\times\_$, $\_\rightharpoonup\_$, $\mathcal{P}\_$ then generate concrete set-theoretic
types based on the abstract types, e.g. $N \rightharpoonup N$ and $N \times N \rightharpoonup N$ are types in Table 1. (We
let $\times$ have higher precedence than $\rightharpoonup$, and group both of them to the right; $\mathcal{P}$ has higher
precedence than $\times$.) The type of the constant $N$ itself is implicitly $\mathcal{P} N$; the membership
$N \in \mathcal{P} N$ might look a bit strange at first sight, but it merely corresponds to the usual set
inclusion $N \subseteq N$, implying that $N$ must denote a set.
All the constants $c$ used in a specification are required to have declared types, written as
(unconditional) memberships of the form $c \in T$, where $T$ is a type term. The assertion $c \in T$
implies the definedness of $c$ (and of $T$, but in fact type terms $T$ always have defined values).
As illustrated in Tables 1–6, we follow the Z style of collecting all the declarations concerning types at the head of the specification, separating them from the body by a short line.
This style has the benefit of clearly exhibiting all the used constants, together with their types.
However, since our declarations are generally just written as unconditional membership assertions $c \in T$, they may also be considered as ordinary clauses, which allows one to ignore
the separation between the head and the body of the specification when considering its logical consequences. Note that clauses other than unconditional membership assertions are not
allowed as declarations.
We also follow Z in the way that a specification may be named. A reference to its name in
the head of another specification is equivalent to inserting a copy of the named specification
(putting the head and body in the right places, and renaming any clashing variables). Thus
the specification in Table 2 extends that in Table 1.
Although all types are sets, not all sets need be types. Table 3 illustrates the specification
of the sets $Even$ and $Odd$ as subsets of $N$. Whereas checking whether a term has a particular
type is decidable, as we shall see in Section 4, it is in general undecidable to check membership of a set, since a membership assertion may have equations as conditions (as well as other
memberships).

TABLE 3. Even and odd numbers
EvenOdd
    Naturals
    $Even \in \mathcal{P} N$
    $Odd \in \mathcal{P} N$
    ----
    $\forall\ n \in N$
    $0 \in Even$
    $n \in Even \Rightarrow succ(n) \in Odd$
    $n \in Odd \Rightarrow succ(n) \in Even$

¹ In a previous proposal [11] we allowed the type constructors $S \rightharpoonup T$ and $\mathcal{P} S$ to be partial too, but the assumption of totality gives some useful simplifications. Returning an empty set has roughly the same effect as being
undefined.
The clauses in the body of a specification generally involve variables, and we require the
types of the variables to be declared at the top of the body, again writing them as memberships, e.g. $n \in N$. For conciseness, several variables of the same type may be declared
together, e.g. $m, n \in N$. We follow the Z style by enclosing the list of type memberships
in $\forall \ldots$, and by separating variable declarations involving different types with semicolons
(see Table 4). Apart from being used in type-checking, each variable membership is regarded
as an implicit condition of all the clauses in the body of the specification (or of just those in
which the variable occurs, if one prefers, as the choice here doesn't affect the consequences or
satisfaction of the extended clauses). Note that the value of a variable can never be undefined.
Type variables are allowed too, and used as arguments of the type constructors $\_\times\_$, $\_\rightharpoonup\_$,
$\mathcal{P}\_$ to provide concrete polymorphic types, e.g. the first projection function $first$ for pairs has
type $X \times Y \rightharpoonup X$, where $X$ and $Y$ are both type variables. Since type variables are needed
for use in declarations, they are listed before them, at the top of the head of the specification.
Type variables $X$ may also be used in ordinary terms; the type of $X$ is $\mathcal{P} X$, reflecting that
types are interpreted as sets.
Table 4 gives a specification of the predefined constructors for polymorphic set-theoretic
types: $V \times W$, $X \rightharpoonup Y$, $\mathcal{P} Z$, and of the projection functions for pairs: $first$, $second$. This
anonymous specification is assumed to be implicitly referenced by every other specification,
so that its declarations and clauses are always available. The ordinary variables $Q$, $R$, $S$, $T$,
$U$, $U'$ are declared to range over sets, whereas the type variables $V$, $W$, $X$, $Y$, $Z$ range over
only those sets that are the values of type terms. Note that pairing is actually a total function:
the property $(v, w)\downarrow$ follows from Table 4 in the proof system given in Section 5.
Type variables are also used to declare abstract polymorphic types, such as $Seq(X)$ in
Table 5. In fact $Seq$ is interpreted as a (total) function from sets to sets, but in general
we only need to consider its application to particular argument type terms, e.g. $Seq(N)$,
$Seq(Seq(X))$. Notice that we only need to reference GenericSequences, after which we
may use $Seq(X)$ with arbitrary arguments $X$; the treatment is different in Z, where a specification using GenericSequences would explicitly instantiate $X$ to particular types.
Table 5 also illustrates the possibility of overloading, or ad hoc polymorphism, by declaring a second type for the function (constant) $\_+\_$. In models of this specification, $\_+\_$ is
interpreted as a single partial function on the entire universe, returning only results in $N$ when
applied to arguments in $N$, and only results in $Seq(X)$ when applied to arguments in $Seq(X)$
(for any set $X$). Had we followed Z in interpreting $S \rightharpoonup T$ as a subset of $\mathcal{P}(S \times T)$, we
would have needed a more complicated interpretation of overloaded functions (as functions
from types to the actual functions of interest). Due to overloading or to substitutions for type
variables, a term may have several types. An equation $t_1 = t_2$ is considered well-formed
even when $t_1$ and $t_2$ have more than one type in common; and similarly for $t \in s$, where the
type of $s$ has of course to be $\mathcal{P}$ of the type of $t$.

TABLE 4. Predefined constants
    type $V, W, X, Y, Z$
    type $V \times W$
    type $X \rightharpoonup Y$
    type $\mathcal{P} Z$
    $first \in V \times W \rightharpoonup V$
    $second \in V \times W \rightharpoonup W$
    ----
    $\forall\ p \in V \times W;\ f \in X \rightharpoonup Y;\ v \in V;\ w \in W;\ x \in X;\ z \in Z;$
    $\quad Q \in \mathcal{P} V;\ R \in \mathcal{P} W;\ S \in \mathcal{P} X;\ T \in \mathcal{P} Y;\ U, U' \in \mathcal{P} Z$
    $v \in Q \wedge w \in R \Rightarrow (v, w) \in Q \times R$
    $p \in Q \times R \Rightarrow first(p) \in Q$
    $p \in Q \times R \Rightarrow second(p) \in R$
    $(first(p), second(p)) = p$
    $first(v, w) = v$
    $second(v, w) = w$
    $f \in S \rightharpoonup T \wedge x \in S \wedge f(x)\downarrow \Rightarrow f(x) \in T$
    $z \in U \wedge U \in \mathcal{P} U' \Rightarrow z \in U'$

TABLE 5. Generic sequences
GenericSequences
    NaturalsPlus
    type $X$
    type $Seq(X)$
    $\langle\rangle \in Seq(X)$
    $\langle\_\rangle \in X \rightharpoonup Seq(X)$
    $\_+\_ \in Seq(X) \times Seq(X) \rightharpoonup Seq(X)$
    $|\_| \in Seq(X) \rightharpoonup N$
    ----
    $\forall\ s, t, u \in Seq(X);\ x \in X$
    $\langle\rangle + s = s$
    $s + \langle\rangle = s$
    $s + (t + u) = (s + t) + u$
    $|\langle\rangle| = 0$
    $|\langle x \rangle| = succ(0)$
    $|s + t| = |s| + |t|$

TABLE 6. Mapping generic sequences
MappingGenericSequences
    GenericSequences
    type $X, Y$
    $mapseq \in (X \rightharpoonup Y) \rightharpoonup Seq(X) \rightharpoonup Seq(Y)$
    ----
    $\forall\ f \in X \rightharpoonup Y;\ s, t \in Seq(X);\ x \in X$
    $mapseq\ f\ \langle\rangle = \langle\rangle$
    $f(x)\downarrow \Rightarrow mapseq\ f\ \langle x \rangle = \langle f(x) \rangle$
    $mapseq\ f\ s\downarrow \wedge mapseq\ f\ t\downarrow \Rightarrow mapseq\ f\ (s + t) = mapseq\ f\ s + mapseq\ f\ t$

The concrete types $V \times W$, $X \rightharpoonup Y$, and $\mathcal{P} Z$ never have any values in common. Thus
a specification where an overloaded constant is declared, say, with both a pair type and a set
type, is simply inconsistent, with no models at all. Similarly, abstract types never have any
values in common with concrete types (although they may have values in common with other
abstract types).
The use of higher-order functions in our framework is illustrated in Table 6. The somewhat tedious definedness conditions are needed there because equations are interpreted existentially, implying that their terms have defined values. They would not be needed if $f$ were
restricted to total functions (sets of total functions are considered briefly in Section 7). One
could also eliminate the need for such definedness conditions by introducing so-called strong
equations, which hold when the values of both terms are undefined (as well as when they are
identical).
This completes the informal explanation of our syntax and its intended interpretation. We
believe that many existing (non-imperative) Z specifications could be reformulated in our
language. The following sections focus on the formal foundations: type-checking, proof
system, and models. But first, let us strip away the concrete syntax of specifications to obtain
abstract presentations.²

² Presentations could be divided into the signatures and sentences of an institution, as described in the appendix.
3 Presentations
As explained in the preceding section, a specification $SP$ (always extending Table 4) is
mainly a (finite) set of Horn clauses, separated into two parts. It determines an abstract
presentation as follows:
DEFINITION 3.1
The abstract presentation determined by a specification $SP$ is defined as the 5-tuple $(F, X, M, V, H)$ where:
• $F$ is the set of all the (untyped) constant symbols declared by memberships $c \in T$ or by
type declarations type $c$ in the head of $SP$. The type symbols form a distinguished subset
$F_t$ of $F$. For a polymorphic type declaration type $F(X_1, \ldots, X_n)$ we let $F_t$ include the
function symbol $F$.³
• $X$ is the set of all the (untyped) variables declared by variable memberships $x \in T$ in
the body of $SP$ or by type variable declarations type $X$ in the head of $SP$. The type
variables form a distinguished subset $X_t$ of $X$.
• $M$ is the set of all the unconditional membership atoms specified in the head of the specification, together with implicit memberships determined by type declarations: a declaration of an abstract type constant $c$ gives rise to $c \in \mathcal{P} c$; and a polymorphic type
$F(X_1, \ldots, X_n)$ provides $F \in \mathcal{P} X_1 \times \ldots \times \mathcal{P} X_n \rightharpoonup \mathcal{P}(F(X_1, \ldots, X_n))$.⁴ Moreover,
for each type variable $X$ in $X_t$, $M$ includes the membership atom $X \in \mathcal{P} X$.
• $V$ is the set of all the membership atoms specified by the declarations of variables in the
body of $SP$.⁵
• $H$ is the set of Horn clauses in the body of $SP$. The following negative clauses are added
to $H$:⁶
    $p \in Q \times R \wedge p \in S \rightharpoonup T \Rightarrow \bot$
    $f \in S \rightharpoonup T \wedge f \in \mathcal{P} U \Rightarrow \bot$
    $z \in \mathcal{P} U \wedge z \in Q \times R \Rightarrow \bot$
together with similar clauses expressing the impossibility of values common to both concrete and abstract types, such as $z \in N \wedge z \in \mathcal{P} U \Rightarrow \bot$. This reflects the intention of
keeping pairs, functions, and sets distinct from each other and from other values in our
models.⁷
Note that the declarations in a presentation provide a finite number of membership axioms
for each constant and variable used and that all membership axioms $t \in T$ are such that $t$ is
either a constant or a variable.

³ When mixfix notation is used for polymorphic types, the constant is obtained by replacing the type variables by
place-holders.
⁴ This will imply the totality of $F$, i.e. $F(X_1, \ldots, X_n)\downarrow$, according to the rule WellDef of the proof system
given in Section 5.
⁵ Note that the membership atoms specified by the declarations of type variables in the head of $SP$ do not need
to be included again here.
⁶ They could have been included in Table 4, but that would have required the declaration of $p, f, z$ as overloaded
variables, which we prefer to avoid. $Q$, $R$, $S$, $T$, and $U$ are ordinary (unsorted) variables.
⁷ A referee observes that these negative clauses also exclude non-well-founded types, since from $T \in T$ and
$T \in \mathcal{P} T$ one can deduce $\bot$.
A set of named specifications determines a map from names to presentations. A reference
in a specification to the name of another specification requires the inclusion of the presentation determined by the latter specification in that determined by the former.⁸
The term signature consists of all user-defined and predefined constants $F$ (resp. type constants
$F_t$) together with two binary operators, namely application $\_(\_)$ and pairing $(\_,\_)$. $T(F, X)$ denotes
the set of terms built from the set of variables $X$ and these symbols. The set of type terms $T(F_t, X_t)$ is
similarly built from $F_t$ and $X_t$.
Notice that whereas a specification $SP$ involves declarations of typed symbols, the declarations $(F, X)$ of the corresponding abstract presentation are untyped, and the original type
information has been replaced by membership axioms, either in $M$ or in $V$. Thus standard results and tools pertaining to unsorted Horn clause logic may be applied to our presentations.
Nevertheless, as we shall see in the next section, we can still check that our presentations are
well-typed.
Substitutions are mappings from $X$ to $T(F, X)$, mapping variables to terms, such that type
variables are mapped only to type terms. They are denoted by Greek letters. $SUBST(F, X)$
denotes the set of such substitutions defined on $T(F, X)$. The domain of $\sigma$, written $Dom(\sigma)$,
is defined as the set $\{x \in X \mid \sigma(x) \neq x\}$, and is assumed finite.
4 Type checking
In this and the following sections we assume given a fixed presentation $P = (F, X, M, V, H)$,
determined by some specification as explained in Section 3.
Let us introduce type judgements of the form $t : T$, where $t$ is any term but $T$ is restricted
to type terms. The deduction system for such judgements given in Table 7 is composed of a
set of axioms describing a Horn theory, and the resolution rule for Horn clause logic [20].
Let us denote by $P_{Type}$ the set of axioms described by Membership, Pair and Appl.
Membership actually stands for a set of axioms depending on the presentation $P$. Membership declarations of variables of the form $x \in T$ give rise to type judgements $x : T$. For
each membership axiom of the form $t \in T$ in $M \cup V$, we have $t : T$ as an axiom too. However, note that $t \in T$ is only a consequence of $t : T$ when the value of $t$ is defined. The
axioms Pair, Appl in Table 7 reflect that the judgement $t : T$ is merely a decidable approximation to $t \in T$, disregarding whether the values of terms are defined and the consequences
of equations, in contrast to the corresponding clauses given in Table 4 above.
Resolution is based on the computation of a most general unifier (mgu) of two literals $L'$
and $L''$, i.e. a substitution $\sigma$ in $SUBST(F, X)$, such that $\sigma(L') = \sigma(L'')$, and $\sigma$ is minimal
for the subsumption ordering on substitutions. The axioms $P_{Type}$ and the rule Resolution
define a deduction relation $P_{Type} \vdash_{Type} t : T$ taking two arguments: a theory $P_{Type}$ and a
type judgement $t : T$. $P_{Type} \vdash_{Type} t : T$ means that one can derive $t : T$ from $P_{Type}$ by repeatedly
applying the Resolution rule in Table 7. In that case, $t : T$ holds in the Horn theory defined
by $P_{Type}$. The resolution principle states that in first-order logic, if $Th$ is any finite set of
clauses, then $Th$ is unsatisfiable iff $Th \vdash \bot$ where $\bot$ is the empty clause [20]. We assume in
what follows that $P_{Type}$ is satisfiable. In order to prove that a type judgement $t : T$ holds in the
Horn theory defined by $P_{Type}$, one may add the negation of $t : T$ to $P_{Type}$ and derive the empty
clause.
The meta-variables $G$, $G'$ range over possibly-empty conjunctions of atomic formulae (the
empty conjunction is written $\top$) and $L$, $L'$, $L''$ may be a single atomic formula or $\bot$. Recall
that an atom $L$ is identified with the Horn clause $\top \Rightarrow L$.

⁸ Following linear chains of references is straightforward; one could also deal with circular chains, using a simple
closure operation.

TABLE 7. Axioms and deduction rules for type-checking
    Membership:   $t : T$   if $(t \in T)$ is in $M \cup V$
    Pair:         $x : X \wedge y : Y \Rightarrow (x, y) : (X \times Y)$
    Appl:         $f : X \rightharpoonup Y \wedge x : X \Rightarrow f(x) : Y$
    Resolution:   from $G \wedge L'' \Rightarrow L$ and $G' \Rightarrow L'$ infer $\sigma(G \wedge G') \Rightarrow \sigma(L)$,   if $\sigma$ is the mgu$(L', L'')$

Note that we deliberately leave out the potential typing axiom:
    $x : T \wedge T : \mathcal{P} T' \Rightarrow x : T'$
Thinking of $T : \mathcal{P} T'$ as a type inclusion $T \subseteq T'$, such an axiom would merely let us deduce
larger types from smaller ones.
DEFINITION 4.1
A term $t$ is well-typed iff $P_{Type} \vdash_{Type} t : T$ for some $T$. $T$ is called a type of $t$.
Due to overloading of constants, and to substitutions for type variables in polymorphic
types, a term may have many types.
PROPOSITION 4.2
It is decidable to check whether a term is well-typed.
PROOF. In order to prove that there exists $X$ such that $t : X$, where $X$ is a (universally
quantified) new variable, let us derive the empty clause from $P_{Type}$ and $(t : X \Rightarrow \bot)$.
Either $t$ is a constant or a variable from the specification, and at least one resolution step
is possible with Membership. Or $t$ is a term of the form $f(x)$ or $(x, y)$ and a resolution
step is possible with Appl or Pair respectively. The derivation terminates since there is a
finite number of typing axioms for constants, and, in each resolution step using a non-atomic
clause, the structural complexity of terms to be typed strictly decreases.
In fact this typing procedure would not terminate if the axiom $x : T \wedge T : \mathcal{P} T' \Rightarrow x : T'$
considered above were to be included, since we have $P_{Type} \vdash_{Type} T : \mathcal{P} T$ for any type $T$.
It would generate increasingly longer deductions of the judgement $x : T$, potentially causing
nontermination of type-checking.
DEFINITION 4.3
A substitution $\sigma$ is well-typed iff $\forall x \in Dom(\sigma)$, if $P_{Type} \vdash_{Type} x : T$, then
$P_{Type} \vdash_{Type} \sigma(x) : \sigma(T)$.
PROPOSITION 4.4
If a term $t$ is well-typed, all its subterms are well-typed.
PROOF. The property holds by structural induction on the term.
• If $t$ is a constant or a variable, $t : T$ belongs to $M \cup V$, since we assume that the declarations in a presentation provide membership axioms for each constant and variable, either
in $M$ or in $V$. The property is trivially true.
• If the term $f(a)$ is well-typed, there exists a derivation $P_{Type} \vdash_{Type} f(a) : B$ for some
$B$. The last applied resolution step must be applied on two clauses of the form $x : A \Rightarrow
f(x) : B$ and $a : A$. This implies that $a$ is well-typed. On the other hand, $x : A \Rightarrow f(x) : B$
is obtained by a resolution step between Appl and a clause $f : A \rightharpoonup B$, which implies
that $f$ is well-typed.
• If the term $(a_1, a_2)$ is well-typed, there exists a derivation $P_{Type} \vdash_{Type} (a_1, a_2) : B$ for
some $B$. Similar considerations show that $B$ must be of the form $A_1 \times A_2$ and that the
judgement is derived using (instances of) Pair and judgements $a_1 : A_1$ and $a_2 : A_2$,
which implies that $a_1$ and $a_2$ are well-typed.
PROPOSITION 4.5
If a term $t$ is well-typed, all its instances by well-typed substitutions are well-typed. More
precisely, if $P_{Type} \vdash_{Type} t : T$, then $P_{Type} \vdash_{Type} \sigma(t) : \sigma(T)$.
PROOF. This amounts to proving that the empty clause can be derived from $P_{Type}$, $t : T$, and
$\sigma(t) : \sigma(T) \Rightarrow \bot$ where variables of $\sigma(t)$ and $\sigma(T)$ are Skolemized. From $\sigma(t : T)$ and
$(\sigma(t) : \sigma(T) \Rightarrow \bot)$, the empty clause is derived by resolution.
Assume that $Pos$ and $N$ have been declared as type constants (so $Pos \in \mathcal{P}(Pos)$ and
$N \in \mathcal{P}(N)$), and that the specification contains the membership declarations $Pos \in \mathcal{P}(N)$
and $1 \in Pos$. From the typing algorithm, $1$ has type $Pos$. But it is not possible to deduce
that $1$ has type $N$.
Thus we do not support implicit coercions from subtypes to supertypes. We will provide
in Section 7 an axiomatization of subset inclusion but leave for future work the design of an
extended framework supporting implicit coercions and subsorts.
Typing terms is useful to define well-formed presentations.
DEFINITION 4.6
A presentation $P = (F, X, M, V, H)$ is well-formed if all atomic formulae in its axioms
$M \cup V \cup H$ are well-formed, where:
• A membership atom $t \in s$ is well-formed if there is a type $T$ such that $t : T$ and $s : \mathcal{P} T$.
• An equality atom $t_1 = t_2$ is well-formed if there is a type $T$ such that $t_1 : T$ and $t_2 : T$.
• A definedness atom $t\downarrow$ is well-formed if there is a type $T$ such that $t : T$.
Note that all membership axioms in $M \cup V$ are well-formed by construction. From now
on, we will always assume that the presentations are well-formed.
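The typing procedure of this section, as an added example that is not code from the paper: it implements the Membership, Pair and Appl axioms of Table 7, with unification standing in for the resolution step on polymorphic declared types, over a constructed presentation containing Table 1, $first$ from Table 4, an overloaded constant `plus`, and the $Pos$/$N$ declarations above. The tuple encoding of terms and the names `Presentation`, `types_of`, `has_type` are assumptions of the example.

```python
"""Decidable type-checking with the Table 7 axioms (Membership, Pair, Appl).
Terms and type terms are nested tuples (an assumed encoding, not the paper's):
  ('c', name) constant or type constant   ('v', name) variable   ('tv', name) type variable
  ('app', f, x) application f(x)          ('pair', a, b) pairing (a, b)
  ('prod', A, B) A x B   ('pfun', A, B) partial-function type A -> B   ('pow', A) P A
A symbol may carry several declared types (overloading); declared types may contain
type variables (polymorphism), renamed apart at each use and instantiated by unification.
"""
import itertools

def walk(t, subst):
    """Follow the bindings of a type variable."""
    while t[0] == 'tv' and t in subst:
        t = subst[t]
    return t

def occurs(tv, t, subst):
    t = walk(t, subst)
    return t == tv or (t[0] not in ('tv', 'c') and any(occurs(tv, a, subst) for a in t[1:]))

def unify(s, t, subst=None):
    """Most general unifier of two type terms (a dict), or None if none exists."""
    subst = {} if subst is None else subst
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst
    for a, b in ((s, t), (t, s)):
        if a[0] == 'tv':
            return None if occurs(a, b, subst) else {**subst, a: b}
    if s[0] != t[0] or s[0] == 'c':          # different constructors, or distinct constants
        return None
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def apply(t, subst):
    """Apply a substitution to a type term."""
    t = walk(t, subst)
    return t if t[0] in ('tv', 'c') else (t[0],) + tuple(apply(a, subst) for a in t[1:])

class Presentation:
    def __init__(self):
        self.decls = {}                     # symbol name -> list of declared type terms
        self.fresh = itertools.count()

    def declare(self, name, *types):
        """Membership axioms name : T for each T (several types = overloading)."""
        self.decls.setdefault(name, []).extend(types)

    def freshen(self, T):
        """Rename the type variables of a declared type apart, as resolution does per step."""
        k, ren = next(self.fresh), {}
        def go(t):
            if t[0] == 'tv':
                return ren.setdefault(t, ('tv', '%s#%d' % (t[1], k)))
            return t if t[0] == 'c' else (t[0],) + tuple(go(a) for a in t[1:])
        return go(T)

    def types_of(self, term):
        """All T with P_Type |-_Type term : T (Definition 4.1); [] means not well-typed."""
        kind = term[0]
        if kind == 'tv':                                  # a type variable X has type P X
            return [('pow', term)]
        if kind in ('c', 'v'):                            # Membership
            return [self.freshen(T) for T in self.decls.get(term[1], [])]
        if kind == 'pair':                                # Pair
            return [('prod', A, B) for A in self.types_of(term[1])
                    for B in self.types_of(term[2])]
        if kind == 'app':                                 # Appl: unify domain with argument type
            found = []
            for ft in self.types_of(term[1]):
                if ft[0] != 'pfun':
                    continue
                for xt in self.types_of(term[2]):
                    sigma = unify(ft[1], xt)
                    if sigma is not None:
                        found.append(apply(ft[2], sigma))
            return found
        raise ValueError('unknown term %r' % (term,))

def well_typed(pres, term):
    return bool(pres.types_of(term))

def has_type(pres, term, T):
    """Is the ground type term T among the derivable types of term?"""
    return T in pres.types_of(term)

def naturals():
    """Constructed presentation: Naturals (Table 1), first (Table 4), an overloaded
    constant plus, and the Pos/N declarations of Section 4."""
    N, Pos, V, W = ('c', 'N'), ('c', 'Pos'), ('tv', 'V'), ('tv', 'W')
    P = Presentation()
    P.declare('N', ('pow', N))                    # type N gives N in P N
    P.declare('0', N)
    P.declare('succ', ('pfun', N, N))
    P.declare('pred', ('pfun', N, N))
    P.declare('n', N)                             # variable n in N
    P.declare('first', ('pfun', ('prod', V, W), V))
    P.declare('Pos', ('pow', Pos), ('pow', N))    # type Pos, and Pos in P N
    P.declare('1', Pos)
    P.declare('plus', ('pfun', ('prod', N, N), N), ('pfun', ('prod', Pos, Pos), Pos))
    return P
```

With this presentation `1` gets the single type `Pos` and not `N`, exactly the absence of implicit coercion noted above, while `first((0, n))` is typed `N` by instantiating the polymorphic declaration.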
5 Proof system
The proof rules shown in Table 8 are for a deduction relation $P \vdash \varphi$ taking two arguments:
a presentation $P$ and a formula $\varphi$. $P \vdash \varphi$ means that one can derive $\varphi$ by applying rules in
Table 8. It is known that Resolution and Paramod in first-order logic with equality are
complete for proofs by refutation [19].
TABLE 8. Deduction rules for presentations
    Axioms:       $G \Rightarrow L$   if $(G \Rightarrow L)$ is in $M \cup V \cup H$
    WellDef:      from $L[t]$ infer $t\downarrow$   if $L[t]$ is an atom ($\neq t\downarrow$) containing $t$ as a subterm
    PartialRef:   from $t\downarrow$ infer $t = t$
    Resolution:   from $G \wedge L'' \Rightarrow L$ and $G' \Rightarrow L'$ infer $\sigma(G \wedge G') \Rightarrow \sigma(L)$   if $\sigma$ is a well-typed mgu$(L', L'')$
    Paramod:      from $(G' \Rightarrow L)[s']$ and $G \Rightarrow (s = t)$ infer $\sigma(((G \wedge G') \Rightarrow L)[t])$   if $\sigma$ is a well-typed mgu$(s, s')$

The meta-variables $G$, $G'$ range over possibly-empty conjunctions of atomic formulae and
$L$, $L'$, $L''$ may be a single atomic formula or $\bot$. Recall that an atom $L$ is identified with
the Horn clause $\top \Rightarrow L$. The notation $\varphi[s]$ is used to mean that the term $s$ occurs at some
position in the formula $\varphi$.
Thanks to the paramodulation rule Paramod, it is possible to deduce in this proof system
formulas with apparently not well-typed terms. Let us consider types A; B; C , membership
declarations a 2 A, a 2 B , b 2 B , f 2 A !
7
A and an equality a = b. We get f (a) : A and
f (a) 2 A, then f (b) 2 A using Paramod, although f (b) is not well-typed. However the
interpretation of f (b) in any model is guaranteed to be the same as f (a).
The next propositions state relations between type judgements and formulas deduced in
the proof system.

PROPOSITION 5.1
Let P be a presentation, and T any type term in T(F_t, X_t). Then P ⊢ T↓.

PROOF. Type constants, type variables and polymorphic type terms F(X1, ..., Xn) occur in
the membership formulas in M, so their existence follows from the axioms using the rule
WellDef. For applications of type constructors to arbitrary type terms, existence is proved
by refutation using Resolution applied on F(T1, ..., Tn)↓ ⇒ ⊥ and F(X1, ..., Xn)↓.
A similar argument holds for a pair of arbitrary type terms, since (X, Y)↓ holds.
PROPOSITION 5.2
Let P be a presentation, and t, T any terms in T(F, X). Suppose P_Type ⊢_Type t : T (from
Table 7), as well as P ⊢ t↓ (from Table 8). Then P ⊢ t ∈ T.

PROOF. Any proof of P_Type ⊢_Type t : T can be converted into a proof of P ⊢ t ∈ T, using
WellDef to provide the required conditions of existence of subterms.
PROPOSITION 5.3
Let P be a presentation, and G ⇒ L[t] a clause with the conclusion containing a term t
in T(F, X). Suppose P ⊢ G ⇒ L[t] (from Table 8). Then for some type term T, either
P_Type ⊢_Type t : T (from Table 7), or there exists a term u such that P ⊢ t = u (from
Table 8) and P_Type ⊢_Type u : T (from Table 7).

PROOF. By induction on the proof of P ⊢ G ⇒ L[t] using rules from Table 8.
Let us consider the last applied rule in Table 8.
– If P ⊢ G ⇒ L[t] is the result of applying Axioms, we get P_Type ⊢_Type t : T for some
T, since the presentation is well-formed.
– If P ⊢ G ⇒ L[t] is the result of applying WellDef, then G is ⊤, L[t] is t↓, and
P ⊢ G' ⇒ L'[t'] for some atom L'[t'] containing t'. Since t is either t' or a subterm of it,
L'[t'] can be written as L''[t] and the result follows from the induction hypothesis.
– If P ⊢ G ⇒ L[t] is the result of applying PartialRef, then G is ⊤, L[t] is t' = t', and
P ⊢ G' ⇒ t'↓. Since t is either t' or a subterm of it, the result follows from the induction
hypothesis.
– If P ⊢ G ⇒ L[t] is the result of applying Resolution or Paramod,
  – either t occurs in the substitution part and it is a subterm of a term σ(x) which is well-typed by hypothesis on σ, so t is well-typed, i.e. P_Type ⊢_Type t : T according to
  Proposition 4.4,
  – or t occurs inside L. Then G ⇒ L[t] is of the form σ(G' ⇒ L'[t']) and t = σ(t').
  Then t' occurs in a premiss of the inference rule Resolution or Paramod. The
  result follows from the induction hypothesis and by application of σ.
COROLLARY 5.4
Let P be a presentation, and suppose P ⊢ t↓ (from Table 8). Then for some type term T,
either P_Type ⊢_Type t : T (from Table 7), or there exists a term u such that P ⊢ t = u (from
Table 8) and P_Type ⊢_Type u : T (from Table 7).
6 Models
We are interested primarily in standard set-theoretic models, where values of set-types are
actually ordinary sets. But in order to obtain our initiality results, we shall consider other
classes of models as well.
6.1 Algebraic models
The first class of models we consider is a class of algebraic models, namely unsorted partial
first-order structures.
DEFINITION 6.1
An algebraic model I for F is a partial F-structure (I, ·^I) consisting of a universe I and an
interpretation function ·^I.
Homomorphisms preserve not only the operations, but also their definedness, and the holding of definedness, equality, and membership assertions. (Preservation of definedness appears
to be the most natural choice in partial algebras, cf. [7, 8, 18, 23].)
DEFINITION 6.2
Let I, J be two F-structures. An F-homomorphism h : I → J is a (total) function
h : I → J satisfying:
– for each constant c, h(c^I) = c^J;
– for all t1, t2 in I, h((t1, t2)^I) = (h(t1), h(t2))^J;
– for all t1, t2 in I, h(t1(t2)^I) = h(t1)(h(t2))^J whenever t1(t2)^I exists;
– for all t1, t2 in I, h(t1) ∈^J h(t2) holds whenever t1 ∈^I t2 holds.
DEFINITION 6.3
A (X, I)-variable assignment ρ is a total mapping from variables in X to elements of I, that
is extended to a possibly-partial mapping on terms, such that type variables are mapped to
type values, i.e. values denoted by type terms.
Partiality of ρ is due to the presence of partial functions in I.
Now, given an F-structure I, we can define the truth value of a formula φ by universal quantification over all (X, I)-variable assignments.
DEFINITION 6.4
Let I be an F-structure and ρ be a (X, I)-variable assignment.
– An existential formula t↓ holds in I under ρ if ρ(t) is defined.
– An equality s = t holds in I under ρ if ρ(s) and ρ(t) are defined and identical.
– A membership formula s ∈ T holds in I under ρ if ρ(s), ρ(T) are defined and in the
relation ∈^I.
– An implication A1 ∧ ... ∧ An ⇒ A holds in I under ρ if A holds in I under ρ whenever
all of A1, ..., An hold in I under ρ. A negative implication A1 ∧ ... ∧ An ⇒ ⊥ holds in
I under ρ if A1, ..., An never hold together in I under ρ. A trivial implication ⊤ ⇒ A
holds in I under ρ if A holds in I under ρ.
A (F, X)-Horn clause holds in I if it holds in I for all (X, I)-variable assignments ρ. I is
a model of a presentation P if all Horn clauses in P hold in I.
Formula satisfaction is written I ⊨ φ, or P ⊨ φ in case all models of P satisfy the
formula φ. Let Alg(P) denote the class of all partial F-structures that satisfy all formulae
in P.
Our presentations for the algebraic models defined above can be made into an institution
(see the appendix).
We now address soundness and completeness of the deduction rules, which actually are
classical rules for deduction in Horn logic with equality and partial functions.
THEOREM 6.5
Let P be a presentation. Deduction rules in Table 8 are sound, i.e. for any formula φ, if
P ⊢ φ then P ⊨ φ.
PROOF. We have to check that each rule is sound in any F-structure which is a model of P.
WellDef is sound since if an atom L[t] is valid in every model of P , any term t in this
atom should denote an element in the model. This is due to the fact that atoms only hold
when their argument terms denote elements—in particular, our equality is existential.
PartialRef is the restriction of reflexivity to well-defined terms, so is sound.
Axioms is trivially sound in every model of P .
Resolution and Paramod are standard sound rules for first-order logic with equality.
Since axioms in M ∪ H of a presentation P are Horn clauses, the class of unsorted partial F-structures satisfying M ∪ H has initial models (provided that the set of axioms is
consistent). For positive Horn clause specifications of many-sorted predicates and partial operations with existential equality, this is proved in [4]; the result for specifications of unsorted
predicates and partial operations follows immediately. When the negative clauses in H are
consistent with the positive clauses in M ∪ H, initial models of the latter satisfy them too;
otherwise there are no models at all.
We first build an initial model and then use it to prove completeness of the deduction rules.
Let P be a consistent presentation and T(P) be the initial quotient F-structure constructed
as follows. Its carrier U is made of equivalence classes [t] of terms t with P ⊢ t↓ modulo
the positive Horn axioms. More precisely, if P ⊢ t↓,
    [t] = { u | P ⊢ u = t }.
The interpretation of each constant c ∈ F is simply [c]. Moreover, for any [t1], [t2] ∈ U, let
us define the interpretation of () and (,) as follows:
    ([t1], [t2]) = [(t1, t2)]   if P ⊢ (t1, t2)↓;
    [t1]([t2]) = [t1(t2)]       if P ⊢ t1(t2)↓, otherwise undefined.
Then equality and membership predicates are interpreted as follows:
    [s] = [t]   iff P ⊢ s = t,
    [s] ∈ [t]   iff P ⊢ s ∈ t,
    [t]↓        iff P ⊢ t↓.
THEOREM 6.6
Let P be a presentation. The deduction rules in Table 8 are sound and complete, i.e. for any
atomic formula φ, P ⊨ φ iff P ⊢ φ.

PROOF. Since T(P) is an algebraic model, if P ⊨ φ, then T(P) ⊨ φ. Using the definition
of T(P), for any atomic formula φ, T(P) ⊨ φ iff P ⊢ φ.
The following definition plays an important rôle in relating algebraic models to models
with set-theoretic structure:
DEFINITION 6.7
Let I be an F-structure in Alg(P). The set-like values of I are those values s in I such that
s ∈^I P^I(v) for some value v in I.
It follows from Theorem 6.6 and Proposition 5.2 that in a model of a presentation, the
value of any ground term of type P T for some T is set-like, when defined.
6.2 Labelled-sets models
Now we restrict the class of algebraic models by imposing that set-like values (cf. Definition 6.7) are interpreted as labelled sets of values. A labelled set is denoted by S^l or {s_i}^l_{i∈I}
where {s_i}_{i∈I} is the extensional description of the set and l is the label.
DEFINITION 6.8
A labelled set model L is a pair (U_L, ·^L) of a universe U_L and an interpretation function ·^L,
such that:
– U_L is a set of values which are atomic objects (functions, individuals and pairs), and
labelled sets composed of such values.
– (,)^L is a total binary operation on U_L.
– ()^L is a partial binary operation on U_L.
– P^L is an atomic object which, when applied to a labelled set S^l, gives a labelled set of
labelled subsets of S.
– ×^L is an atomic object which, when applied to a pair of labelled sets S^s and T^t, gives
a labelled set of pairs belonging to the Cartesian product of S and T.
– ⇸^L is an atomic object which, when applied to a pair of labelled sets S^s and T^t, gives
a labelled set of atomic objects that represent functions from S to T (i.e. application of
these atomic objects to elements of S produces elements of T when defined).
– first^L (resp. second^L) is an atomic object which, when applied to a pair of values, gives
its first (resp. second) argument.
– For each user-defined constant c in F, c^L is a defined value.
– ∈^L is membership of values in the underlying sets, thus ignoring the labels on sets.
The holding of equality and definedness assertions in labelled-set models is as for algebraic
models.
Validity of formulae in a labelled set model under an (X, L)-variable assignment ρ is
defined as in Definition 6.4, just by replacing I by L. Let LSAlg(P) be the class of all
labelled-set models that satisfy P.
Assuming that P is consistent, let us now build a labelled-set model S(P) isomorphic to
T(P). First let us choose the set of labels as the set of equivalence classes of T(P). Then
the idea is to associate to any term t : P T a labelled set with label [t], and whose elements
are values that are provably members of t.
To any term of type S ⇸ T (as for instance P, ×, ⇸, first and second) is associated
an atomic object that can be applied to values (atomic objects or labelled sets).
To any term of type S × T is associated an atomic object which is a pair of two values
(atomic objects or labelled sets).
Let us now formally define S(P) (assuming that P is consistent).
DEFINITION 6.9
For each equivalence class [t] and type term T in T(P), such that P_Type ⊢_Type u : T for
some u in [t], let h_T([t]) be defined as follows: if T is of the form P S, then h_T([t]) is the
labelled set {h_S([s]) | P ⊢ s ∈ t}^{[t]}, otherwise h_T([t]) is the equivalence class [t] (regarded
as an individual value). The carrier of S(P) consists of the union of the images of T(P)
under h_T as T ranges over all type terms in T(P).
The application () and pairing (,) operations are defined on S(P) as follows. Let u, v ∈
S(P) be respectively h_S([s]), h_T([t]).
    u(v) = h_S([s])(h_T([t])) = h_{T⇸R}([s(t)])
        if P ⊢ s(t)↓ and P_Type ⊢_Type s(t) : R (otherwise undefined).
    (u, v) = (h_S([s]), h_T([t])) = h_{S×T}([(s, t)]).
Each constant c of type T is interpreted as h_T([c]).
Since [t] is a value of T(P) only if P ⊢ t↓, and then [t] contains some u such that P_Type ⊢_Type
u : T for some type term T (by Corollary 5.4), the h_T map every value of T(P) to some
value of S(P). Moreover, the following lemma establishes the well-definedness of the union
h of the h_T.
LEMMA 6.10
Suppose [u] = [v] where u has type U and v has type V. Then h_U([u]) = h_V([v]).

PROOF. The lemma is proved by induction on the structure of U and V together. There are
three cases:
– Neither U nor V is of the form P T: we have immediately h_U([u]) = [u] = [v] =
h_V([v]).
– U is of the form P S and V is of the form P T: we have h_U([u]) = {h_S([s]) | P ⊢ s ∈
u}^{[u]} and h_V([v]) = {h_T([t]) | P ⊢ t ∈ v}^{[v]}. Suppose x ∈ h_U([u]), then x = h_S([y])
for some y such that P ⊢ y ∈ u; but then clearly P ⊢ y ∈ v, hence h_T([y]) ∈ h_V([v]). By
the induction hypothesis, h_S([y]) = h_T([y]), showing x ∈ h_V([v]), so we may conclude
h_U([u]) ⊆ h_V([v]). By symmetry, also h_V([v]) ⊆ h_U([u]), hence h_U([u]) = h_V([v])
also in this case.
– U is of the form P S but V is not of the form P T, or vice versa: we may then derive ⊥
from P using the negative clauses in H, see Section 3, contradicting the consistency of P
(which was assumed when defining S(P)).
COROLLARY 6.11
The union h of the mappings h_T for all type terms T is a well-defined (partial) mapping.

PROPOSITION 6.12
h is a homomorphism.

PROOF. By definition of the operations and predicates in S(P). Preservation of membership
follows from the definition of h_{P T}([t]).
With these definitions:
– If t is a user-defined constant c : C, with C not of the form P T, h([c]) = [c].
For instance, to 0 : N is associated [0].
– If t is a user-defined constant c : P C, h([c]) = {h([u]) | P ⊢ u ∈ c}^{[c]}.
For instance N : P N is mapped to N^{[N]} = {[succ^n(0)] | n ≥ 0}^{[N]} and P N : P P N is
mapped to {h([u]) | P ⊢ u ∈ P N}^{[P N]}, and N^{[N]} is an element of this labelled set.
– If t is a predefined constant P, ⇸, ×, first, second, h([t]) = [t].
– If t : U × V or t : U ⇸ V, h([t]) = [t].
PROPOSITION 6.13
In S(P), two labelled sets are equal iff their labels are equal.

PROOF. If two labelled sets are equal, their labels are equal by definition.
Conversely assume that two labels are equal: [t1] = [t2], i.e. P ⊢ t1 = t2. Let us define
s1 = {h([u]) | P ⊢ u ∈ t1} and s2 = {h([v]) | P ⊢ v ∈ t2}. For all h([u]) in s1, from
u ∈ t1 and t1 = t2, u ∈ t2 is deducible by Paramod. So h([u]) is in s2 for all u, hence s1
is included in s2. Similarly, s2 is included in s1.
PROPOSITION 6.14
h is an isomorphism.

PROOF. h is a homomorphism by construction. Let the function g from S(P) to T(P) map
each labelled set to its label, and each atomic object to itself. Then from the definitions of
h and g, we have g(h([t])) = [t] for all [t] in T(P), and h(g(u)) = u for all u in S(P).
Thus g is the inverse to h. Moreover, it is easy to show that g is a homomorphism, using
Proposition 6.12 and the definitions of h and g, hence g is an isomorphism.
Thus h is an isomorphism and we get:

PROPOSITION 6.15
S(P) is initial in the class of labelled set models.

PROOF. S(P) is isomorphic to T(P) which is initial in the class of algebraic models of P.
S(P) is also a labelled set model and is thus initial in the subclass of labelled set models.
6.3 Set-theoretic models
Let us finally consider a further class of models of interest here, namely set-theoretic models.
DEFINITION 6.16
A set model N is a pair (U_N, ·^N) of a universe U_N and an interpretation function ·^N, such
that:
– U_N is a set of values which are atomic objects (functions, individuals and pairs), and sets
of values;
– (,)^N is a total binary operation on U_N;
– ()^N is a partial binary operation on U_N;
– P^N is an atomic object which, when applied to a set S, gives a subset of the ordinary
power-set of S;
– ×^N is an atomic object which, when applied to a pair of sets S and T, gives a set of
pairs belonging to the Cartesian product of S and T;
– ⇸^N is an atomic object which, when applied to a pair of sets S and T, gives a set of
atomic objects that represent functions from S to T (application of these atomic objects
to elements of S produces elements of T when defined);
– first^N (resp. second^N) is a functional atomic object which, when applied to a pair of
sets, gives its first (resp. second) argument;
– for each user-defined constant c in F, c^N is a defined value;
– ∈^N is ordinary membership of values in sets.
A set-theoretic model is one where all set-like values (cf. Definition 6.7) are ordinary,
unlabelled sets. The interpretation of the membership predicate is now exactly as in standard
set theory. Validity of formulae in a set-theoretic model under a (X, N)-variable assignment
ρ is defined as in Definition 6.4, just by replacing I by N. Let SAlg(P) be the class of all
standard set-theoretic models that satisfy P.
A first idea is to obtain set-theoretic models from labelled set models by forgetting the
labels on sets. This may, however, map two different labelled sets to the same unlabelled set.
In particular, the set-theoretic model obtained by forgetting labels from S(P) need not be
initial in SAlg(P). For example, suppose that P declares two constants of power-set type,
but does not require them to have any members at all, so they are interpreted as distinctly-labelled empty sets in S(P); forgetting the labels identifies the interpretations of the two
constants, preventing homomorphisms to those set-theoretic models of P where they have
distinct members. Moreover, forgetting the labels may even result in a set-theoretic model
that does not satisfy the axioms of P (i.e. the model is not in SAlg(P)), for instance when
conditional axioms test equality of sets.
Suppose, however, that one forgets not only the labels, but also the sets themselves! To do
this, let us first define the following subset of type terms:
D EFINITION 6.17
The P -less types are those type terms that do not contain any occurrence of the concrete
type-constructor P at all. A P -less typed term t is such that if t : T then T is a P -less type.
D EFINITION 6.18
Let P = (F ; X ; M; V ; H) be a presentation, and let J be any (algebraic, labelled-set, or
standard set-theoretic) model of F . The P -less restriction G of F consists of those constants
in F that have a P -less type (i.e. constants a such that a 2 A is a membership axiom in M
and A does not contain P ). The P -less restriction of J retains only those values generated
by G that are members of P -less types, giving an (algebraic) model for G .
Note that the P -less restriction of a model removes not only all the set-like values, but
also pairs of set-like values, and functions that take and/or return set-like values. The P -less
restriction of an algebraic or labelled-set model of a presentation P is, however, not always
the P -less restriction of some set-theoretic model of P . It is easy to see that for it to be the
P -less restriction of a set-theoretic model of P , the clauses in H should generally not involve
equality between terms of set-type, nor membership of elements of set-type; but we leave the
investigation of sufficient conditions to future work.
Even though this removal of all the values involving sets may seem rather drastic, the
important point is that we retain all values of all types such as N, N × N, Seq(N), etc. We
even retain the values of function types, e.g. succ ∈ N ⇸ N (since we have avoided
identifying functions with their graphs, and since the existence of a value does not require the
existence of a set that contains it—in contrast to many-sorted frameworks, where forgetting
a sort requires forgetting all operations whose profiles include it).
Now let R(P) be the algebraic G-model obtained as a reduct of S(P) by keeping only
values of P-less types.

PROPOSITION 6.19
R(P) is initial in the class of all G-models arising as reducts of models in LSAlg(P).

PROOF. The proof relies on any homomorphism of P-models h : I → J mapping values of
P-less types in I to values of P-less types in J.
We show that the unique homomorphism h from S(P) to an arbitrary labelled-set model L
in LSAlg(P) cuts down to a unique homomorphism from R(P) to the P-less restriction
of L. Let x be any value of R(P); then there exists a P-less type term T such that x ∈^{S(P)}
T^{S(P)} holds. Since h preserves membership, we have h(x) ∈^L h(T^{S(P)}) = T^L, so h(x)
is the value of a P-less type in L, hence in the P-less restriction of L. Thus h cuts down
to a homomorphism between the P-less restrictions; a simple induction proves uniqueness.
That the cut-down homomorphism is the unique homomorphism from R(P) to the P-less
restriction of L follows from R(P) being the P-less restriction of S(P), which is term-generated.
TABLE 9. The trivial type 1

TrivialType
  type 1
    ∈ 1
  ∀ x ∈ 1 . x =
7 Algebraic specification of set theory
Our predefined notation for sets consists merely of the function constants ×, ⇸, P,
first, second, together with the atomic formulae for membership and equality. But further
familiar set-theoretic notation can also be specified using our framework: sets of relations,
set inclusion, set union and intersection, singletons and (finite) set comprehensions, as well
as total functions. Relations are represented simply as partial functions to a singleton set.
Set inclusion is specified as a partial order; union and intersection are specified to have the
properties of a distributive lattice, as in unified algebras [17]. A finite set comprehension
merely lists the elements that are its members, leaving it to initiality to ensure that there
are no further members. A set of total functions between two sets is a subset of the partial
functions between the same sets, but not necessarily containing all such functions that happen
to be total. We give below a few examples of how some of these features can be defined in
our framework.
Our intention, however, is not to try to provide a full ‘Mathematical Toolkit’ like the ones
available for Z and B, but rather to test the limits of our modest Horn-clause specification
framework. It is admittedly harder to work out the various Horn-clause properties of an
operation like union, instead of defining it extensionally using a disjunctive formula. But
such properties are perhaps often needed in proofs about sets in any case, so work in this
direction should be of significant practical relevance.
A natural extension of the framework provided in this paper is to allow inclusions to be
declared between types, making set inclusion an atomic formula, similar to membership, with
fixed properties, instead of representing it as a relation. Then, for example, total function
types may be specified to be subtypes of the corresponding partial function types. Type
constructors are generally monotonic, preserving inclusion—except for function types, which
are anti-monotonic in their argument types. Our type system can be extended with a rule for
subsumption, so that a term of a particular type has all types that include that type; type
inference remains decidable. Such an extension of our framework is to be reported in a
forthcoming paper.
7.1 Relations
An n-ary relation on S1 × ... × Sn is simply regarded as a partial function in S1 × ... × Sn ⇸
1 where the trivial type 1 is specified as in Table 9. The definedness of an application
corresponds to the holding of the relation. Since homomorphisms preserve definedness, they
automatically preserve the holding of relations.
TABLE 10. Ordered natural numbers

OrderedNaturals
  Naturals
  ≤ ∈ N × N ⇸ 1
  < ∈ N × N ⇸ 1
  ∀ x, y ∈ N .
    x ≤ x
    x ≤ succ(x)
    x ≤ y ⇒ succ(x) ≤ succ(y)
    x ≤ y ⇒ pred(x) ≤ pred(y)
    0 < succ(x)
    x < y ⇒ succ(x) < succ(y)
    x < y ⇒ pred(x) < pred(y)
    x < y ⇒ x ≤ y
TABLE 11. Domain and range

DomainRange
  type X, Y
  dom ∈ (X ⇸ Y) ⇸ P X
  ran ∈ (X ⇸ Y) ⇸ P Y
  ∀ f ∈ X ⇸ Y; x ∈ X .
    f(x)↓ ⇒ x ∈ dom(f)
    x ∈ dom(f) ⇒ f(x)↓
    f(x)↓ ⇒ f(x) ∈ ran(f)
For any term t of type 1, let t abbreviate the atom t↓. Then we may specify the familiar
ordering relations on the natural numbers as in Table 10.
It is straightforward to specify a function dom, mapping any partial function to its domain
of definition, as shown in Table 11. When r is a partial function to the trivial type 1, dom(r)
returns a set containing exactly those values x for which r(x) holds. For instance, dom(<)
has exactly the elements of {(x, y) | x < y} as members.
However, it does not seem to be possible to specify so precisely a function ran mapping a
partial function to its range: the property y ∈ ran(f) ⇒ ∃x . y = f(x) appears to be beyond
the expressiveness of Horn logic. The property of ran specified in Table 11 is adequate to
define it only in the case of taking initial semantics.
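As an added worked example (not part of the original paper), the claim about dom(<) can be checked on one member using the abbreviation just introduced (an atom t of type 1 stands for t↓), the clauses of Tables 10 and 11, and the rules of Table 8. It assumes that the imported Naturals specification supplies 0 ∈ N and succ ∈ N ⇸ N, so that the substitution x := (0, succ(0)) is well-typed at X := N × N; the partial-function arrow ⇸ is written \rightharpoonup.

$$
\begin{array}{lll}
(1) & 0 < succ(0) & \text{Table 10, axiom } 0 < succ(x) \text{ with } x := 0 \\
(2) & {<}(0, succ(0))\downarrow & \text{(1) unabbreviated, since } {<} \text{ has type } N \times N \rightharpoonup 1 \\
(3) & (0, succ(0)) \in dom(<) & \text{Resolution of (2) with } f(x)\downarrow \Rightarrow x \in dom(f) \text{ (Table 11), } f := {<},\ x := (0, succ(0))
\end{array}
$$

Conversely, for any pair (x, y) ∈ dom(<), the second clause of Table 11 with f := < and x := (x, y) yields <(x, y)↓, i.e. x < y. So in the initial model the members of dom(<) are exactly the pairs (x, y) for which x < y is derivable, which is the sense in which dom(<) "has exactly the elements of {(x, y) | x < y} as members".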
TABLE 12. Inclusion

Inclusion
  type X
  ⊆ ∈ P X × P X ⇸ 1
  ∀ S, T, U ∈ P X; V ∈ P Y .
    S ⊆ T ⇒ S ∈ P T
    S ∈ P T ⇒ S ⊆ T
    S ⊆ S
    S ⊆ T ∧ T ⊆ U ⇒ S ⊆ U
    S ⊆ T ∧ T ⊆ S ⇒ S = T
    S ⊆ T ⇒ S × V ⊆ T × V
    S ⊆ T ⇒ V × S ⊆ V × T
    S ⊆ T ⇒ P S ⊆ P T
    S ⊆ T ⇒ V ⇸ S ⊆ V ⇸ T
    S ⊆ T ⇒ T ⇸ V ⊆ S ⇸ V
7.2 Inclusion
We can now introduce set inclusion ⊆ as a binary relation. The essential properties of inclusion
are that it is a partial order, preserved by many operations on sets (note however that S ⇸ T
is anti-monotonic in S). Table 12 specifies the close relationship between ∈, ⊆, and equality.
Actually, one could weaken the first clause by adding P T↓ as a condition; but the slightly
stronger property given has the advantage that we get the following natural property as a
direct consequence:
    ∀ x ∈ X; S, T ∈ P X . x ∈ S ∧ S ⊆ T ⇒ x ∈ T.
7.3 Union, intersection, and singletons
For axiomatization of union S ∪ T and intersection S ∩ T, where S, T ∈ P(X), we specify
a set of conditional laws that characterize distributive lattices, see Table 13. They may be
summarized as follows:
– S ∪ T, S ∩ T are associative, commutative, idempotent, and preserve ⊆.
– S ∪ T is the l.u.b., S ∩ T is the g.l.b. of S, T.
– S ∪ T, S ∩ T distribute over each other.
– (Hence) S ⊆ T ⟺ S ∪ T = T ⟺ S ∩ T = S.
One could give a purely equational characterization of union and intersection, but there appears to be no advantage of this in our setting. Operations such as disjoint union and set
difference can be defined in terms of the above operations.
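The last item of the summary, S ⊆ T ⟺ S ∪ T = T ⟺ S ∩ T = S, can be checked directly against the clauses of Tables 12 and 13. The derivation below is an added worked example and is not part of the original paper; it uses only the reflexivity and antisymmetry clauses of Table 12, the clauses of Table 13, and the rules Resolution and Paramod of Table 8, with S, T taken as fixed constants of type P X so that every substitution is well-typed (Resolution is applied once per premiss).

Direction S ⊆ T ⇒ S ∪ T = T:
$$
\begin{array}{lll}
(1) & S \subseteq T & \text{hypothesis} \\
(2) & T \subseteq T & \text{Table 12, } S \subseteq S \text{ instantiated at } T \\
(3) & S \cup T \subseteq T & \text{Resolution of (1), (2) with } S \subseteq U \wedge T \subseteq U \Rightarrow S \cup T \subseteq U,\ U := T \\
(4) & T \subseteq T \cup S & \text{Table 13, } S \subseteq S \cup T \text{ with } S \text{ and } T \text{ exchanged} \\
(5) & T \subseteq S \cup T & \text{Paramod of (4) with } T \cup S = S \cup T \text{ (commutativity, exchanged instance)} \\
(6) & S \cup T = T & \text{Resolution of (3), (5) with } S \subseteq T \wedge T \subseteq S \Rightarrow S = T,\ S := S \cup T,\ T := T
\end{array}
$$
Direction S ∪ T = T ⇒ S ⊆ T: Paramod applied to S ⊆ S ∪ T (Table 13) with the equation S ∪ T = T yields S ⊆ T.

The intersection half follows the same pattern with the dual clauses:
$$
\begin{array}{lll}
(1') & S \subseteq T & \text{hypothesis} \\
(2') & S \subseteq S & \text{Table 12} \\
(3') & S \subseteq S \cap T & \text{Resolution of (2'), (1') with } U \subseteq S \wedge U \subseteq T \Rightarrow U \subseteq S \cap T,\ U := S \\
(4') & S \cap T \subseteq S & \text{Table 13} \\
(5') & S \cap T = S & \text{Resolution of (4'), (3') with antisymmetry, } S := S \cap T,\ T := S
\end{array}
$$
Conversely, from S ∩ T = S: the exchanged instance T ∩ S ⊆ T of S ∩ T ⊆ S becomes S ∩ T ⊆ T by Paramod with T ∩ S = S ∩ T, and a further Paramod step with S ∩ T = S gives S ⊆ T. Every step is a Horn-clause inference on atoms, which is what allows the equivalence to be stated without an extensional definition of ∪ and ∩.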
TABLE 13. Union and intersection

UnionIntersection
  type X
  ∪ ∈ P X × P X ⇸ P X
  ∩ ∈ P X × P X ⇸ P X
  ∀ S, T, U ∈ P X .
    S ∪ (T ∪ U) = (S ∪ T) ∪ U
    S ∩ (T ∩ U) = (S ∩ T) ∩ U
    S ∪ T = T ∪ S
    S ∩ T = T ∩ S
    S ∪ S = S
    S ∩ S = S
    S ⊆ U ⇒ S ∪ T ⊆ U ∪ T
    S ⊆ U ⇒ S ∩ T ⊆ U ∩ T
    S ⊆ S ∪ T
    S ∩ T ⊆ S
    S ⊆ U ∧ T ⊆ U ⇒ S ∪ T ⊆ U
    U ⊆ S ∧ U ⊆ T ⇒ U ⊆ S ∩ T
    (S ∪ T) ∩ U = (S ∩ U) ∪ (T ∩ U)
    (S ∩ T) ∪ U = (S ∪ U) ∩ (T ∪ U)
TABLE 14. Empty and full subsets

EmptyFull
  type X
  ∅ ∈ P X
  U ∈ P X
  ∀ S ∈ P X .
    ∅ ⊆ S
    S ⊆ U
    S ∪ ∅ = S
    S ∩ U = S
    S ∩ ∅ = ∅
    S ∪ U = U
TABLE 15. Singleton

Singleton
  type X
  { } ∈ X ⇸ P X
  ∀ S ∈ P X; x, y ∈ X .
    x ∈ S ⇒ {x} ∈ P S
    x ∈ {x}
    y ∈ {x} ⇒ x = y
TABLE 16. Total functions

TotalFunctions
  type X, Y
  → ∈ P X × P Y ⇸ P(X ⇸ Y)
  ∀ f ∈ X ⇸ Y; x ∈ X; S ∈ P X; T ∈ P Y .
    f ∈ S → T ∧ x ∈ S ⇒ f(x) ∈ T
For the empty set ∅ and full subset U of P(X) we specify the following properties in
Table 14:
– ∅ is the least subset, the unit for ∪, and a zero for ∩.
– U is the greatest subset, the unit for ∩, and a zero for ∪.
Singletons fxg are specified in Table 15. However, the indivisibility of a singleton set
(corresponding to the property of being an atom of a lattice) cannot be captured in Horn
logic, nor can the property that the only proper subset of fxg is the empty set.
7.4 Total functions
Sets of total functions may be introduced as subsets of the sets of partial functions, as specified in Table 16. The function set constructors are anti-monotone in the first argument.
Notice that asserting that a particular function belongs to a set of total functions implies the
definedness of the result of applying it to all appropriate arguments. The converse property
would not be expressible as a Horn clause.
8 Conclusion
We have presented a framework for algebraic specifications with higher-order types and set-theoretic models. It embodies significant simplifications, compared to our original proposal
for such a framework [11]. The set-theoretic models considered there were however somewhat non-standard: in the initial model of a specification, a value of a power-set type was
indeed a set that included the intended elements; but it also included an extra element, resulting from applying a so-called choice-function to the set. Moreover, an unfamiliar type
constructor (T) was needed in all declared types. Semantically, the extra elements generated
by the choice-functions ensured the existence of initial models for our specifications. They
distinguished sets that would otherwise have exactly the same members, but which had not
been explicitly specified to be equal. From a methodological point of view, the presence of
the extra elements was not a major problem: when the conditions of axioms in specifications
tested only membership of sets, never equality, one could simply ignore the extra elements;
and when equality of two sets was significant, one could specify this equality explicitly.
Nevertheless, it was felt that the choice functions and the extra type constructor were an unwelcome complication in the original proposal, and we have subsequently been considering
how they might be avoided.
We have now managed to make some significant simplifications to our proposed framework, by completely eliminating the need for the choice-functions and the type constructor T.
We have studied three classes of models (algebraic, labelled-set, and standard set-theoretic)
and obtained at least some initiality results. The extension of our framework to accommodate
type inclusions is to be reported in a forthcoming paper.
We refer to the previous paper for a discussion of the connections between our original proposal and such frameworks as Rn =Gn logics [12, 10], ETL [13], and unified algebras [17].
Let us here consider the relationship between our work and two other frameworks that have
been developed in recent years: Meinke's higher-order initial algebra specifications, and
Meseguer's (first-order) membership equational logic. We conclude by discussing the relationship between our work and constructive mathematics.
Higher-order equational logic. Meinke [14, 15] has studied the theoretical properties and
practical applications of a different framework with higher-order (non-polymorphic) types
and set-theoretic models. Although product and (total) function types are allowed, power-set
types are not, and it appears that it would not be easy to incorporate them [14, p. 388]. The
lack of power-set types precludes considering set membership in formulae, and the use of
types as values.
Higher-order algebras with pairing and application operations are considered. The values
of the product and function types are the standard set-theoretic objects, but, as in our own
framework, the types themselves are allowed to be subsets of the usual types. Higher-order
algebras are shown to be isomorphic to first-order algebras that satisfy the usual extensionality
axiom for functions.
Specified axioms are restricted to conditional equations involving terms of base type.
Meinke provides a complete finitary (conditional) equational logic for the class of all extensional models, but needs an infinitary logic for the construction of initial models as quotients
of term models. Meinke shows that (when also constructors are distinguished from other
functions) every countable algebra of complexity 11 can be specified by a recursive set of
higher-order equations with initial-algebra semantics. He also considers the intractability of
theorem-proving in the general case, and provides a sufficient condition (involving continuity
w.r.t. a finite-information topology) for completeness of ground first-order rewriting for the
initial algebra. In contrast to Meinke, we have focused on the power-set type, and kept to
a finitary Horn-clause logic, getting a useful expressiveness but keeping tractability by not
requiring extensional equality of sets.
TABLE 17. Join operation
JoinOperation
type X, Y
j ∈ P X × (X ⇸ P Y) ⇸ P(X × Y)
∀ A ∈ P X, f ∈ X ⇸ P(Y), x ∈ X, y ∈ Y. (x, y) ∈ j(A, f) ⟺ x ∈ A ∧ y ∈ f(x)
Membership equational logic (MEL). Meseguer [16] has developed MEL, a first-order algebraic specification framework with set-theoretic models. The types are abstract types (called
kinds), first-order n-ary total function types (for declaring operations), and first-order powerset types (called sorts); positive conditional clauses are allowed as axioms. Subsort inclusions can be declared. Atomic formulae are equations between values of the same kind, and
memberships of such values in sorts. Equality between sets (or functions) is not directly expressible, so extensionality is not an issue for obtaining a complete proof system and initial
models.
Constructive mathematics. In [7], Feferman presented a formal system T₀ to encode basic
features of Bishop’s approach to constructive mathematics. The language of T₀ introduces
individual and class variables, individual and class constants; atomic formulas are equality,
membership and application App(t₁, t₂, t₃) meaning t₁(t₂) = t₃. ⊥ denotes falsity. Formulas are obtained by applying the logical connectives ∧, ∨, ⇒, ∀, ∃, which gives a richer language
than in our framework. A partial application operator and a definedness predicate are definable
in this language. The logic of T₀ is the intuitionistic two-sorted predicate calculus with equality. Axioms are divided into two groups: the applicative axioms are also true in our framework
(either explicitly, like pairing and projection, or implicitly, like constants, substitutions and
definition by cases on natural numbers, or user-defined, like zero, successor and predecessor).
The second group, called class existence axioms, has a less direct correspondence. Elementary comprehension is not expressible as a construct in our framework. However, each use
of an elementary comprehension axiom can be expressed in our approach by introducing a
constant defining a set. The join operation is a dependent sum of disjoint sets that is also
expressible in our formalism, as shown in Table 17.
Finally, one can note that taking initial semantics provides inductive closure and makes
induction a sound proof principle in our framework, whereas these are explicit axioms in T₀.
Based on these correspondences, our framework seems to provide a reasonably expressive
sublogic of T₀.
Future work. We plan to investigate sufficient conditions for the independence of P-less
restrictions and labels on sets. We intend also to clarify the relationship between our framework and MEL. We believe that any MEL specification can be straightforwardly translated
into a presentation P in our framework, such that the initial model in MEL corresponds exactly to our initial labelled-set model S(P). The image of this translation would identify a
sub-framework where we could exploit the term-rewriting techniques that have already been
developed for MEL [3]. It would be interesting then to see how far these techniques could be
extended to allow more general (e.g. partial, higher-order) specifications.
Finally, along the same lines as in our previous paper, we will further consider the use
of saturation techniques [2, 21] for obtaining a refutationally-complete automatic theorem-prover for consequences of our specifications.
Acknowledgements.
The authors are grateful to the anonymous referees for helpful comments. Peter D. Mosses
has been supported by BRICS (Centre for Basic Research in Computer Science), established
by the Danish National Research Foundation in collaboration with the Universities of Aarhus
and Aalborg, Denmark.
References
[1] J. R. Abrial. B-Tool Reference Manual. Edinburgh Portable Compiler, 1991.
[2] L. Bachmair, H. Ganzinger, C. Lynch, and W. Snyder. Basic paramodulation. Information and Computation,
121, 172–192, 1995.
[3] A. Bouhoula, J.-P. Jouannaud, and J. Meseguer. Specification and proof in membership equational logic. In
Proceedings Theory and Practice of Software Development, Lille (France), M. Bidoit and M. Dauchet, eds. pp.
67–92. Volume 1214 of Lecture Notes in Computer Science, Springer-Verlag, Apr. 1997.
[4] M. Cerioli, T. Mossakowski, and H. Reichel. From total equational to partial first-order logic. In Algebraic
Foundations of System Specification, IFIP State-of-the-Art Reports, chapter 3. E. Astesiano, H.-J. Kreowski,
and B. Krieg-Brückner, eds. Springer-Verlag, 1999.
[5] J. Dawes. The VDM-SL Reference Guide. Pitman, 1991.
[6] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 1. Equations and initial semantics, volume 6
of EATCS Monographs on Theoretical Computer Science. Springer Verlag, 1985.
[7] S. Feferman. Constructive theories of functions and classes. In Proceedings of Logic Colloquium’78, pp.
159–224. North-Holland, Amsterdam, 1979.
[8] G. Grätzer. Universal Algebra, second edition. Springer-Verlag, 1979.
[9] L. Henkin. Completeness in the theory of types. Journal of Symbolic Logic, 15, 81–91, 1950.
[10] C. Hintermeier. Déduction avec sortes ordonnées et égalités. Thèse d’université, Nancy I, Oct. 1995.
[11] C. Hintermeier, H. Kirchner, and P. D. Mosses. Combining algebraic and set theoretic specifications. In Recent
Trends in Data Type Specification, Proc. 11th Workshop on Specification of Abstract Data Types joint with the
9th general COMPASS workshop. Oslo, Norway, September 1995. Selected papers, M. Haveraaen, O. Owe,
and O.-J. Dahl, eds. pp. 255–273. Volume 1130 of Lecture Notes in Computer Science, Springer-Verlag, 1996.
[12] C. Hintermeier, H. Kirchner, and P. D. Mosses. Rⁿ- and Gⁿ-logics. In HOA’95, Proc. Second Int. Workshop on
Higher-Order Algebra, Logic and Term Rewriting, G. Dowek, ed. volume 1074 of Lecture Notes in Computer
Science, pp. 90–108. Springer-Verlag, 1996.
[13] V. Manca, A. Salibra, and G. Scollo. Equational type logic. Theoretical Computer Science, 77, 131–159, 1990.
[14] K. Meinke. Universal algebra in higher types. Theoretical Computer Science, 100, 385–417, 1992.
[15] K. Meinke. Higher-order equational logic for specification, simulation and testing. In HOA’95, Proc. Second
Int. Workshop on Higher-Order Algebra, Logic and Term Rewriting, G. Dowek, ed. volume 1074 of Lecture
Notes in Computer Science, pp. 124–143. Springer-Verlag, 1996.
[16] J. Meseguer. Membership algebra as a semantic framework for equational specification. In Recent Trends in
Algebraic Development Techniques, F. Parisi Presicce, ed. volume 1376 of Lecture Notes in Computer Science,
pp. 18–61. Springer-Verlag, 1998.
[17] P. D. Mosses. Unified algebras and institutions. In Proceedings 4th IEEE Symposium on Logic in Computer
Science, Pacific Grove, pp. 304–312, 1989.
[18] P. D. Mosses. CASL: A guided tour of its design. In Recent Trends in Algebraic Development Techniques,
Proceedings, J. L. Fiadeiro, ed. volume 1589 of Lecture Notes in Computer Science, pp. 216–240. Springer-Verlag, 1999.
[19] G. A. Robinson and L. T. Wos. Paramodulation and first-order theorem proving. In Machine Intelligence 4,
B. Meltzer and D. Mitchie, eds. pp. 135–150. Edinburgh University Press, 1969.
[20] J. A. Robinson. A machine-oriented logic based on the resolution principle. Journal of the ACM, 12, 23–41,
1965.
[21] M. Rusinowitch and L. Vigneron. Automated Deduction with Associative-Commutative Operators. Applicable
Algebra in Engineering, Communication and Computation, 6, 23–56, Jan. 1995.
[22] J. M. Spivey. Understanding Z: a Specification Language and its Formal Semantics. Cambridge University
Press, 1988.
[23] M. Wirsing. Algebraic specification. In Handbook of Theoretical Computer Science, volume B, chapter 13.
J. van Leeuwen, A. Meyer, M. Nivat, M. Paterson, and D. Perrin, eds. Elsevier Science Publishers B. V. (North-Holland), 1990.
Appendix
The various institutions for untyped presentations (F; X; M; V; H) are summarized below. They are based on the
same definitions of signatures and sentences:
DEFINITION A.1
The category of signatures Sig has as objects sets of constants F that contain the set F₀ of predefined constants
{×, ⇸, P, first, second}, with distinguished subsets of type constants F_t containing {×, ⇸, P}.
Signature morphisms are identity on F₀, and map type constants to type constants and ordinary constants to ordinary
constants.
DEFINITION A.2
For each signature F in Sig, the sentences over F, Sen(F), are Horn clauses A₁ ∧ … ∧ Aₙ ⇒ A together with
sets of variables X (with distinguished subsets of type variables X_t), where the atoms Aᵢ, A are of the form s = t,
s ∈ t, or t↓, and s, t are in T_F(X), the set of terms built from the set of variables X and F.
For each signature morphism from F to F', the translation of sentences from Sen(F) to Sen(F') simply maps all the constants
accordingly, leaving the variables unchanged.
It is straightforward to convert a presentation (F; X; M; V; H) to a signature (determined by F alone) and a set
of sentences (determined also by X, M, V, and H).
DEFINITION A.3
For each signature F in Sig, the algebraic models for F, Alg(F), are the partial F-structures where = is interpreted as identity, ↓ as definedness, and ∈ by an arbitrary binary relation. The homomorphisms and the satisfaction
relation are as defined in Section 6.1.
For each signature morphism from F to F', the reduct functor from Alg(F') to Alg(F) along the morphism maps
a model I' to a model I with the same universe, defining the interpretation of each constant c of F in I to be the
same as that of the image of c under the morphism in I'. The interpretations of application and pairing in I are defined to be the same as in I'.
PROPOSITION A.4
(Sig, Sen, Alg, ⊨) is an institution.
PROOF. Let F → F' be a signature morphism in Sig, let I' be a model in Alg(F'), and let a Horn clause in Sen(F) with
a set of variables X be given. Let I be the reduct of I' along the morphism, and let the translated clause be the image of the
clause under the translation of sentences. We need to show
that satisfaction is preserved by translation, i.e. that I satisfies the clause iff I' satisfies the translated clause. For a constant c in F, its interpretation in I is the same as that of its translation in I'. The interpretations of
application and pairing are identical in I and I'. Assignments to ordinary variables range over the same universe.
Assignments to type variables in X_t are restricted to the values of type terms, but due to the restriction on signature
morphisms, these are preserved. The desired result follows.
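As an added example (not from the paper), the following Python sketch makes the satisfaction condition behind Proposition A.4 concrete on a finite toy model: it translates a Horn clause along a signature morphism, forms the reduct of a model, and checks that both sides agree. The term encoding, the treatment of undefined values in atoms, and the omission of type variables are assumptions of this example, not choices made by the paper.

```python
# Added example (not from the paper): finite-model check of the satisfaction condition
# behind Proposition A.4 for a fragment of the appendix's institution. Terms: ('v',x),
# ('c',k), ('app',f,a); atoms: ('eq',s,t), ('mem',s,t), ('def',t); a clause is
# (vars, premises, conclusion). Assumed here: constants and app may be undefined
# (None), 'eq'/'mem' with an undefined side is false, type variables are omitted.
from itertools import product

def translate_term(sigma, t):  # Sen(sigma): rename constants, keep variables
    if t[0] == 'c':
        return ('c', sigma[t[1]])
    if t[0] == 'app':
        return ('app', translate_term(sigma, t[1]), translate_term(sigma, t[2]))
    return t
def translate_clause(sigma, clause):
    xs, prem, concl = clause
    tr = lambda a: (a[0],) + tuple(translate_term(sigma, s) for s in a[1:])
    return (xs, [tr(a) for a in prem], tr(concl))
def reduct(sigma, model):  # Alg(sigma): same universe, app, mem; c is read off sigma(c)
    return {**model, 'consts': {c: model['consts'].get(k) for c, k in sigma.items()}}
def evaluate(model, env, t):  # partial evaluation; None means "undefined"
    if t[0] == 'v':
        return env[t[1]]
    if t[0] == 'c':
        return model['consts'].get(t[1])
    f, a = evaluate(model, env, t[1]), evaluate(model, env, t[2])
    return None if f is None or a is None else model['app'](f, a)
def holds(model, env, atom):
    vals = [evaluate(model, env, s) for s in atom[1:]]
    if atom[0] == 'def':
        return vals[0] is not None
    return None not in vals and (vals[0] == vals[1] if atom[0] == 'eq' else model['mem'](*vals))
def satisfies(model, clause):  # I |= clause, checked over every assignment of the variables
    xs, prem, concl = clause
    envs = (dict(zip(xs, vals)) for vals in product(model['universe'], repeat=len(xs)))
    return all(holds(model, e, concl) or not all(holds(model, e, a) for a in prem) for e in envs)
def satisfaction_condition(sigma, model, clause):  # Prop. A.4 for one clause and one model
    return satisfies(model, translate_clause(sigma, clause)) == satisfies(reduct(sigma, model), clause)

# Constructed F'-model: numbers 0..3, a successor value 'S' (undefined at 3), a set value 'N'.
NAT_MODEL = {'universe': [0, 1, 2, 3, 'S', 'N'],
             'app': lambda f, a: a + 1 if f == 'S' and a in (0, 1, 2) else None,
             'mem': lambda x, y: y == 'N' and x in (0, 1, 2, 3),
             'consts': {'zero': 0, 'succ': 'S', 'nat': 'N'}}
SIGMA = {'z': 'zero', 's': 'succ', 'n': 'nat'}  # signature morphism from F = {z, s, n} to F'
SX = ('app', ('c', 's'), ('v', 'x'))
CLOSED = (['x'], [('mem', ('v', 'x'), ('c', 'n')), ('def', SX)], ('mem', SX, ('c', 'n')))
TOTAL = (['x'], [('mem', ('v', 'x'), ('c', 'n'))], ('def', SX))  # false: s applied to 3
```

`CLOSED` holds in both I' and its reduct, `TOTAL` fails in both (the successor is partial), so `satisfaction_condition` returns True for each.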
DEFINITION A.5
For each signature F in Sig, the labelled-set models for F, LSAlg(F), are those algebraic models where the
set-like values (cf. Definition 6.7) are interpreted as labelled sets of values, as defined in Section 6.2. The homomorphisms and the satisfaction relation are as for the algebraic models.
PROPOSITION A.6
(Sig, Sen, LSAlg, ⊨) is an institution.
PROOF. This follows from Proposition A.4, since the only difference is that the class of models is restricted.
DEFINITION A.7
For each signature F in Sig, the set-theoretic models for F, SAlg(F), are those algebraic models where the set-like values (cf. Definition 6.7) are interpreted as ordinary sets of values. The homomorphisms and the satisfaction
relation are as for the algebraic models.
PROPOSITION A.8
(Sig, Sen, SAlg, ⊨) is an institution.
PROOF. This also follows from Proposition A.4, since the only difference is that the class of models is restricted.
Received 4 October 2000