A Hidden Agenda
Joseph Goguen
Dept. of Computer Science & Engineering
University of California at San Diego
Grant Malcolm
Connect Centre
Dept. of Computer Science
University of Liverpool
Report CS97{538, April 1997
Abstract: This paper unveils and motivates an ambitious programme of hidden algebraic research in software engineering, beginning with our general goals, continuing
with an overview of results, and including some future plans. Selected literature on
concurrency and the object paradigm is reviewed, and a new perspective on nondeterminism is developed. The main contribution is powerful hidden coinduction techniques
for proving behavioral correctness of concurrent systems; several mechanical proofs are
given using OBJ3. We also show how modularization, bisimulation, transition systems,
concurrency and combinations of the functional, constraint, logic and object paradigms
t into hidden algebra.
1 Introduction
The initial goal of our hidden research was both straightforward and ambitious:
(A1) To give a semantics for software engineering, and for the object paradigm in particular, supporting
correctness proofs that are as simple and mechanical as possible.
This emphasis on the eectiveness of proofs seemed to rule out approaches based on models expressed in set theory, denotational semantics, higher order logic, type theory, etc., because of the
diculties of proving things in these approaches. An equational approach seemed worth exploring,
because equational logic achieves maximal simplicity and mechanization, while still allowing full
expressiveness. So building on a long tradition in computing science (often called algebraic specication), we use algebra for our semantics. However, the hidden algebra approach is distinct in that
it uses sorts in two dierent ways:
1. some sorts are used for data values (e.g., of attributes), as in the algebraic approach to data
types; and
2. some sorts are used for states, as in the algebraic approach to abstract machines.
The latter gives us objects, classes, etc..
These two uses of sorts are dual. Induction is used to establish properties of data types, whereas
coinduction is used to establish properties of objects. Similarly, initiality is important for data types,
whereas nality is important for states. However, we do not insist that implementations of data
types must be initial, or that implementations of abstract machines (i.e., objects) must be nal;
on the contrary, we accept any implementation that satises the given axioms. This is important
because in general, the best implementations are neither initial nor nal, but somewhere between.
The hidden paradigm takes as basic the notion of behavioral abstraction, or more precisely,
behavioral satisfaction: our specications characterize how objects (and systems) behave, not how
they are implemented; they provide a notion of behavioral type, which we prefer to call a hidden
theory (or behavioral theory or hidden specication). Our correctness proofs show that one hidden
theory behaviorally satises another, in the sense that any model of the second theory yields a
model of the rst. This principle allows us to justify our proof techniques model theoretically,
reecting our view that
1
semantics is fundamental at the meta level (for showing correctness for proof rules), while
syntax is fundamental at the object level (for building, describing and verifying systems).
(See [37] for further discussion and examples of this viewpoint.)
Since we use hidden sorts to specify classes of objects, order sorted algebra provides a very natural way to handle multiple inheritance; it also allows specifying partial functions, non-terminating
systems, subtypes of various kinds, error denition and recovery, coercions, overwriting, multiple
representations, and more1 . However, for expository simplicity, this paper treats only hidden many
sorted algebra. The module system of parameterized programming gives us other forms of inheritance, plus all the power of higher order functional programming in a rst order setting which
facilitates both proving and programming [30].
Modularization is weak in many contemporary languages, especially in object and logic languages; moreover, it can be surprisingly hard to reuse code in practice, and methods to support
development remain vague. Therefore we broadened our research goals to
(A2) develop powerful modularization techniques and semantically sound methods for renement
(dealing with hierarchies of abstract machine implementations).
(A sketch of our work in this area in given in Appendix Section C.)
We later realized that constraints were already inherent in our approach and that an entirely new
style of logic programming could develop out of hidden algebra by adding existential quantiers.
This put a new item on our hidden agenda:
(A3) to combine the functional, object, logic, concurrent and constraint paradigms.
What is perhaps amazing is that it is actually articial to exclude any of these paradigms: concurrency, nondeterminism, local states, objects, classes, inheritance, constraints, streams, existential
queries, etc. are all very natural parts of the hidden world.
In summary, we are concerned with semi-mechanical proof techniques for hidden (order sorted)
algebra, as a way of proving behavioral properties of systems, including renement. We make the
no doubt outrageous claim that our hidden approach leads to simpler proofs than other formalisms;
this is because we exploit algebraic structure that most other approaches discard. The following
sections give an overview of what support we now have for this claim.
The next two subsections provide further motivation for hidden algebra and compare our research programme to some others. Section 2 gives an introduction to hidden algebra, and Section
3 discusses hidden coinduction for proving behavioral properties. Section 3.5 discusses how this
relates to labeled transition systems and bisimulation. Section 4 shows how our techniques can be
used to prove correctness of renements (i.e., implementations), and Section 5 discusses composite
systems of concurrent interacting objects. Many results are new. Section 6 gives some conclusions
and directions for future research, and Appendix Section B gives two further small mechanical
proofs.
The examples in this paper use OBJ3 to express theories and do proofs. We give `proof scores,' in
which humans have done the interesting structuring work, while OBJ does the boring computations.
Of course, much of the `interesting' work could also be automated, including the examples in
this paper, but this is certainly impossible in general. We assume some familiarity with basic
many sorted algebra and with OBJ. The relevant background (and much more!) can be found in
[45, 37, 57, 60] and [78], among many other places; Appendix Section A summarizes certain aspects
of this work in a way that is particularly suited to proof orientation of this paper. We try to avoid
1 [40] discusses polymorphism, dynamic binding and overwriting, and [50] discusses errors, coercions,
2
etc.
category theory, but in some cases its greater elegance and power was so compelling that we could
not resist. For ease of reference, formal textual items (theorems, denitions, etc.) are numbered
sequentially on the same counter.
1.1 Algebraic Engineering and the Object paradigm
We are algebraic engineers, in (at least) four dierent senses:
1. We use algebra to build real software systems.
2. We build huge algebras to help build software systems.
3. We build software tools to help deal with these huge algebras.
4. We build new kinds of algebra, to get better results in building software.
All this is within the general framework of universal (also called `general') algebra, as pioneered
by Birkho [8] and Tarski (among others). Our programme of research can be seen as a natural
extension of universal algebra that takes account of the realities of modern software, and this paper
reports on our work as algebraic engineers in the fourth sense. Our agenda in this, however, is to
enable ourselves and others to be better algebraic engineers in the rst three senses (and perhaps
also the fourth sense).
Software development is very dicult. To understand it better, we can distinguish among
designing, coding and verifying (i.e., proving properties of) a program. Most of the literature
addresses code verication, but this is very dicult in practice, and empirical studies have shown
that little of the cost of software arises from errors in coding: most comes from errors in design
and requirements [9]. Moreover, many of the most important programs are written in obscure
and/or obsolete languages, with complex ugly semantics (like Cobol, Jovial and Mumps), are very
poorly documented, are indispensable to some enterprise, and are very large, often several million
lines, sometimes more. Therefore it is usually an enormous eort to verify real code, and it isn't
usually worth the trouble. We call this the semantic swamp ; it is a place to avoid. Moreover,
programs in everyday use usually evolve, because computers, operating systems, tax laws, user
requirements, etc. are all changing rapidly. Therefore the eort of verifying yesterday's version
is wasted, because even small code modications can require large proof modications; proof is a
discontinuous function of truth.
The above suggests we should focus on design and specication. But even this is dicult,
because the properties that people really want, such as security, deadlock freedom, liveness, ease
of use, and ease of maintenance, are complex, not always formalizable, and even when they are
formalizable, may involve subtle interactions among remote parts of the system. However, this is
an area where mathematics can make a contribution.
It is well known that most of the eort in programming goes into debugging and maintenance
(i.e., into improving and updating programs) [9]. Therefore anything that can be done to ease
these processes has enormous economic potential. One step in this direction is to `encapsulate data
representations'; this means to make the actual structure of data invisible, and to provide access
to it only via a given set of operations which retrieve and modify the hidden data structure. Then
the implementing code can be changed without having any eect on other code that uses it. On
the other hand, if client code relies on properties of the representation, it can be extremely hard to
track down all the consequences of modifying a given data structure (say, changing a doubly linked
list to an array), because the client code may be scattered all over the program, without any clear
identifying marks. This is why the so-called year 2,000 problem is so dicult.
An encapsulated data structure with its accompanying operations is called an abstract data type .
The crucial advance was to recognize that operations should be associated with data representations;
3
this is exactly the same insight that advanced algebra from mere sets to algebras , which are sets
with their associated operations. In software engineering this insight seems to have been due to
David Parnas [82], and in algebra to Emmy Noether.
It turns out that although abstraction as isomorphism is enough for algebras representing data
values (numbers, vectors, etc.), other important problems in software engineering need the more
general notion of behavioral abstraction, where two models are considered abstractly the same if
they exhibit the same behavior. The usual many sorted algebra is not rich enough for this: we
have to add structure to distinguish sorts used for data values from sorts used for states, and we
need a more general, behavioral, notion of satisfaction; these are developed in Section 2.
In line with our general discussion of software methodology above, we want to prove properties
of specications, not properties of code. Often the most important property of a specication is
that it renes another specication, in the sense that any model (i.e., any code realizing) the second
is also a model of the rst. Methodologically, a renement embodies a set of closely related design
decisions for realizing one set of behaviors from another2 . In line with the discussion of the previous
paragraph, we want to prove behavioral properties and renements. Behavioral renement is much
more general than ordinary renement, and many of the enormous variety of clever implementation techniques that so often occur in practice require this extra generality. Section 4 describes
techniques for verifying behavioral renements.
Today's software systems are often concurrent and distributed, with interfaces that encapsulate
local states. These features are the core of what has come to be called the `object paradigm', which
may be described as follows:
1. objects, with local state , plus attributes and methods;
2. classes, to classify objects through an inheritance hierarchy ; and
3. concurrent distributed operation.
Some less basic aspects that should still be captured include:
4. encapsulation and distribution of state;
5. overloading and overwriting of methods and attributes, including polymorphism and dynamic
binding;
6. nondeterminism;
7. reactivity and message passing ; and
8. abstract (also called `deferred') classes.
These are less basic because it can be argued that 4 is already implicit in 1, 5 in 2, 6 and 7 in 3,
and 8 in the proof orientation of our programme.
Items 1 and 4 constitute the older notion of abstract machine, which already supports data abstraction. The object paradigm adds support for code reuse through inheritance, and an anity for
concurrency. The hidden algebraic engineering in the body of this paper pays particular attention
to the object paradigm. However, we would emphasize that our results apply to ordinary programs
and their components, because these can be regarded as abstract machines.
2 Empirical studies show that real software
development projects involve many false starts, redesigns, prototypes,
patches, etc. [13]. Nevertheless, an idealized view of a project as a sequence of renements is still useful as a way to
organize and document verication eorts, often retrospectively.
4
1.2 A Little Literature
An adequate survey of the literature on concurrency would consume many volumes, and the literature on the object paradigm would surely take more; and then there are the logic, functional
and constraint paradigms! Even worse, each of these literatures seem to be growing so fast that no
individual can keep up with them. The situation remains unreasonable even if we conne attention
to work that is mathematically rigorous. Consequently, this subsection only considers research that
seems especially closely related to ours, and that has inuenced it in some way. Even this more
modest task is impossible, and we beg forgiveness for our many sins of omission, and humbly request
any who are suciently annoyed to send us their suggestions for improvement. Unfortunately, the
work that is most closely related to our current work is our own prior work, so we must also beg
the reader's indulgence for an overabundance of self-citation.
We begin before the beginning, with algebra. Although algebra has its roots in mathematics,
computing science has made several contributions, starting with a simplication of notation for
many sorted algebra [26], and continuing with initial algebra semantics (for abstract syntax and
abstract data types) [26, 57, 58], then order sorted algebra (giving a systematic approach to subtypes
that also allows specifying partial recursive functions, partially dened functions, error denition
and recovery, coercions and multiple representations [40, 52, 50]), and most recently in this tradition,
hidden sorted algebra [33, 41, 43], or hidden algebra for short.
The hidden approach diers from earlier approaches in its explicit connections to the object
paradigm, including concurrency, its use of a xed universe of data values, and its use of behavioral
satisfaction. The founding paper in hidden algebra is [33], which builds on earlier algebraic work on
abstract data types [26, 57, 58], and is a natural extension of prior work by Goguen and Meseguer
on (what they then called) abstract machines [48, 78]. Hidden algebra also generalizes automaton
theory, which again has a long tradition in computing science; we would particularly mention the
pioneering work of Eilenberg and Wright [23], which took a categorical approach to `tree automata,'
generalizing traditional state transition automata. The rst systematic exposition of hidden algebra
is given in [41], with many new ideas, including our approach to concurrency. The problem of
combining hidden with ordered sorts was rst solved in [11]. Order sorted hidden algebra is further
developed in [43] and [75], and [40] shows how to handle overwriting of methods using a special
kind of signature. The development of our coinduction method began with [43, 75], in the context
of correctness proofs for renement of objects and abstract machines.
The hidden approach uses behavioral satisfaction to get an algebraic treatment of state that
abstracts away from implementation details. The elegant idea of behavioral satisfaction was introduced by Reichel [84] in the context of partial algebras; see also [85]. Behavioral equivalence of
states, a generalization of bisimulation, appeared in [48], which also rst recognized the connection between tree automata and software engineering. Reichel's notion of behavioral theory has
been developed further in several dierent directions within the algebraic specication community,
mainly using partial algebras, e.g., see [7, 21, 22] and the survey [81].
In order to get the powerful module and type system of parameterized programming [53, 27,
29, 28, 31, 59], it is necessary that the signatures (with their morphisms), models and axioms
form what is called an `institution' [39]. What we call `half institutions' are used in [22], which
claims that one cannot get a full institution for the object paradigm with behavioral satisfaction.
However, this is because they fail to distinguish between xed data values and hidden states, and
between the use of hidden signature maps for vertical structure (renements) and hidden signature
morphisms for horizontal structure (module composition). In [75], we suggest these two kinds of
signature arrows are appropriate for dierent purposes, and show that the one that should form an
institution (morphisms) in fact does so (see also Section 4).
5
The rst eective algebraic proof technique for behavioral properties was context induction,
introduced by Hennicker [67] and further developed with Bidoit (e.g, [7]). This research programme
is similar to ours in many ways; their approach is more concerned with semantics than with proofs,
and their context induction can be very awkward to apply in practice (see [24] for a discussion of
some of the diculties). We propose hidden coinduction as a way to eliminate the awkwardness of
context induction.
Reichel's seminal work on behavioral satisfaction was in part motivated by an insight on how to
unify initial and nal semantics [84]. Behavioral and nal semantics were perhaps rst advocated
by Montanari et al. [25], though Wand [95] also made an early contribution. Finality is also used
for treating states in [84, 48, 78, 74], among many other places, including the present paper; there
is some elegant more recent by work by Reichel on co-algebraic semantics for the object paradigm
[86]. Some sophisticated results on computability for initial and nal algebras appear in [80]; both
initiality and nality results compatible with the hidden paradigm were proved in [48]. This ood of
work on nality and behavioral abstraction validates some intuitions expressed long ago by Guttag
[62, 63].
The hidden approach seems the rst to address both concurrency and eective proof techniques
for systems of objects within the algebraic tradition, although we should certainly mention rewriting
logic [77], which also works in the algebraic specication tradition, and indeed, also builds on
OBJ [60]. This elegant approach views actions as inference steps in a `rewriting logic,' which is
essentially equational logic without the law of symmetry. A strong point of this approach is its
ability to model many dierent approaches to concurrency in natural and simple ways. However,
its treatment of objects (and messages), based on an associative-commutative (AC) `soupication3'
operation, seems to raise substantial diculties for proving properties of large systems, due to the
computational complexity of AC unication, and the concrete level of its representations. In [19],
behavioral specication is applied to rewriting logic, through the sophisticated semantic denition
of behavioral satisfaction between rewriting logic models and (conditional) rules that arises from
the very general `institutional4' approach to behavior developed in [11].
So called `process algebras' (also called concurrency calculi), like CCS [79], ACP [5] and CSP
[69], are typically presented using systems of equations. Equations are used very dierently in
process algebra than in hidden algebra. In process algebra, variables range over processes and operators combine processes. Consequently, process algebra equations describe relations among ways
of combining processes, rather than relations among methods and attributes, as in hidden algebra.
The emphases of the three research groups dier: the CSP group has emphasized set theoretic
semantics of processes as streams of actions, while the CCS group has been more concerned with
equational axiomatization and decision procedures, and the ACP group has been more concerned
with the use of their equations as rewrite rules; these dierent motivations and intuitions have led
to dierent equations. But as noted by Abramsky [1], the
veritable Babel of formalisms ... suggests that the current methodologies for concurrency
are insuciently constrained, or perhaps that some key ideas are still missing.
The lack of consensus on a suitable system of equations is discouraging, suggesting that these `laws
of concurrency' may not have the same status as `laws of nature' in physics, despite occasional
claims to the contrary. Process algebras treat an anemic5 special case that disallows attributes,
parameterized methods, and any explicit role for data types. Of course, process algebra can be
3 This refers to the vision of a `rich soup' of objects and messages; by contrast, messages appear as terms in hidden
algebra, and do not get blended with objects.
4 This means it is independent of the underlying logic, and hence can be applied to order sorted algebra, rewriting
logic, and many other `institutions.'
5 The technical term `anemic' is dened in Section 3.5.
6
generalized, and in fact, hidden algebra can be seen as such a generalization, whose aim is to
compress state spaces by parameterizing states, and to admit powerful algebraic proof techniques,
as opposed to search through vast transition graphs.
Like process algebras, labeled transition systems correspond to an anemic special case of hidden
algebra, where much of the structure that makes proofs easier has been discarded; for example,
parameterized methods must be represented by a (generally innite) number of similarly labeled
transitions. Also, there is no explicit place for the data types used as attribute values. However,
transition systems can be generalized to avoid some of these limitations, as shown in Section 3.5,
where they are given additional structure to represent attribute values. Despite these limitations,
we have been much inspired by the many deep insights that can be found in the mainstream of
concurrency research. Abramsky [1] introduces interaction categories, a very elegant categorical
approach to processes, having some similarities to our approach to concurrency that deserve further
exploration.
Approaches based on set theoretic semantic models, such as Z [91] and CSP [69], can lead to very
dicult proofs involving properties of sets and hence axioms for set theory6 . Denotational semantic
models (e.g., [4]) are no better in this respect, and as Abramsky [1] remarks, have only been really
successful for functional languages; this should not be surprising, because denotational semantics
is so strongly based on the -calculus. For the ambitious verier, set theoretic and denotational
semantic denitions lead into a dangerous semantic swamp, infested with alligator-mouth-like 2s
and/or sharkn-like s.
There is also a distinguished tradition of research in coalgebra . One thread in this tradition seeks
to show existence of nal transition systems, which give rise to an abstract notion of bisimulation
and can be used to give a semantics for process algebras [2, 6]. Another thread views coalgebra
as a variation on universal algebra [88], and applies it to functional programming [64, 73, 61], to
automata theory [87, 88, 76], and to the object paradigm [86, 70, 71, 72, 14]. An interesting recent
development combines algebra and coalgebra to describe denotational and operational semantics
[93].
Reichel [86] was the rst to apply coalgebra explicitly to the object paradigm, and his basic
construction can be used to show that hidden algebra extends coalgebra with generalised constants
[74, 15]. It is precisely this extension that allows the treatment of nondeterminism we advocate
in this paper. In fact, it seems dicult to treat nondeterminism at all in a purely coalgebraic
approach, since the obvious move of using power objects in the dening functor compromises the
eectiveness of equational reasoning.
Hidden algebra was developed with the object paradigm in mind [33, 41], but it also supports
combining the functional, logic (see Section 2.4) and object paradigms [34, 47] and [44]. The key to
combining dierent paradigms is to combine their underlying semantics at an appropriate level of
abstraction, as advocated in [49]. It should be possible to combine the object, logic, and constraint
paradigms along the lines of [42], using the very elegant category theoretic approach to constraint
logic programming described in [17, 18]. Note that ordinary imperative programming is the special
case of hidden algebra where the objects correspond to program variables; hence our work will apply
to traditional concurrent and sequential programming7. Hidden algebra and the proof techniques
described in this paper can be useful in many areas of computing science; for example, they have
been used to prove the correctness of a rather sophisticated optimizing compiler for OBJ [66, 65].
6 Of course, any algebraic
laws that have been shown to hold can be used, but because any such rule set must be
incomplete, such an approach is necessarily limited.
7 This does not mean that traditional pre- and post-condition techniques cannot be used; in fact, our `executable'
algebraic text [45] on the semantics of imperative programs shows how order sorted algebra and rewriting can add
greatly to their eectiveness.
7
1.3 Acknowledgements
The research described in this paper has been supported in part by Fujitsu Laboratories Ltd.,
the cec under esprit-2 bra Working Groups 6071, is-core (Information Systems COrrectness
and REusability) and 6112, compass (comprehensive Algebraic Approach to System Specication
and development), a contract under the management of the Information Technology Promotion
Agency (ipa), Japan, as part of the Industrial Science and Technology Frontier Program `New
Models for Software Architectures,' sponsored by nedo (New Energy and Industrial Technology
Development Organization), and the CafeOBJ project, under management of the IPA as part of
its Advanced Software Technology Programme. We thank the members of the `declarative' group
at Oxford for their ideas, comments, and support, without which the project described here would
not be possible; in addition to ourselves, members include Corina C^rstea, Razvan Diaconescu,
Lutz Hamel, Hendrik Hilberdink, Akira Mori, Simone Veglioni and James Worrell. We especially
wish to acknowledge the contributions of Razvan Diaconescu, who is co-author of two of the basic
hidden papers, and who also made many helpful comments on drafts of this paper, and of Jose
Meseguer, who is co-author of two of the most important pre-hidden papers, and who also made
helpful comments on a draft of the paper. We are also grateful to Uwe Wolter for useful comments.
After the Algebraic Engineering '97 conference, Joseph Goguen learned that it would be dedicated to Prof. John Rhodes, in honor of his sixtieth birthday. On behalf of both authors, he makes
the following
Dedication
When I was a graduate student at Berkeley, I had the pleasure of taking classes from John, and
of working for his company, the Krohn-Rhodes Research Institute. In Aizu, I had the pleasure of
giving the opening lecture of the conference, as the warm up act to John's rst talk, and now I
have the pleasure of dedicating this paper to him, hoping that many new generations of students
will benet from his inimitable, eervescent and eective teaching style.
2 Hidden Algebra
Hidden algebra captures the fundamental distinction between data values and internal states by
modeling the former with `visible' sorts and the latter with `hidden' sorts. These are respectively
treated in the next two subsections.
2.1 Visible Data Values
The components of a system must use the same representations for the data that they share, or else
they cannot communicate; thus it makes sense to declare a xed collection of shared data values,
bundled together in a single algebra8 :
Denition 1: Let D be a xed data algebra, with its signature and V its sort set, such that
each Dv with v 2 V is non-empty and for each d 2 Dv there is some 2 [];v such that is
interpreted as d in D. For convenience, we assume that Dv [];v for each v 2 V . We may also
call (V; ; D) the visible data universe, and we call V the visible sorts. 2
8 In
practice, there may be multiple representations for data with translations among them, and representations
may change during development; but our simplifying assumption can easily be relaxed.
8
The above concerns semantics; but the prudent verier needs an eective specication for data
values to support proofs, and it is especially convenient to use initial algebra semantics, which
also supports proofs by induction9. For example, the following OBJ3 specication for the natural
numbers is used in later examples:
obj NAT is sort Nat .
op 0 : -> Nat .
op s_ : Nat -> Nat [prec 1].
op _<_ : Nat Nat -> Bool .
var N M : Nat .
eq
0 < s N = true .
eq
N <
N = false .
eq s N <
0 = false .
eq s N < s M = N < M .
endo
Here NAT is the name of the module and Nat is the name of the sort for natural numbers. The
keyword pair obj...endo indicates initial algebra semantics. The underbar characters indicate
where an argument goes, so that the successor operator s_ has prex syntax, and the inequality
operator _<_ has inx syntax. The rest of the OBJ3 syntax used here should be fairly self-evident;
for more on OBJ3, see [45, 60].
Our examples assume a xed OBJ3 module DATA giving a signature and axioms for D (D need
not be a term model for DATA, or even an initial model). The following says that DATA is just the
natural numbers; this is adequate for (most of) this paper, noting that NAT imports the Booleans.
obj DATA is
pr NAT .
endo
Of course, the (cumulative) signature of DATA must be , and we may let F denote its set of
equations.
In writing a specication for the data involved in a problem, it is encouraging to recall that any
computable algebra can be nitely specied with initial algebra semantics, and that data types used
as values really should be computable. However, one could just as well use a loose semantics, by
explicitly giving any properties that are needed, and then noting that any -algebra D satisfying
these properties could be the data universe. Indeed, some data universes are not computable, e.g.,
the real and complex numbers, which are important for constraint logic programming. However,
even these data types can be captured with initial algebra semantics by using an uncountable
number of constants and equations (though order sorted algebra should be used to prohibit division
by zero).
2.2 Hidden Signatures and Hidden Algebras
This subsection gives basic denitions for hidden algebra. Hidden algebra uses a loose behavioral
semantics over a xed data algebra. Contrary to [81], there is no competition between this and
initial algebra semantics, because they are used for dierent purposes.
Denition 2: A hidden signature (over (V; ; D)) is a pair (H; ), where H is a set of hidden
sorts disjoint from V , is an S = (H [ V )-sorted signature with , such that
9 More precisely, the `no junk' half of initiality validates induction proofs over any reachable algebra, while the `no
confusion' half supports disequality proofs.
9
(S1) each 2 w;s with w 2 V and s 2 V lies in w;s, and
(S2) for each 2 w;s at most one hidden sort occurs in w.
We may abbreviate (H; ) to just . If w 2 S contains a hidden sort, then 2 w;s is called a
method if s 2 H , and an attribute if s 2 V . If w 2 V and s 2 H , then 2 w;s is called a
(generalized) hidden constant.
A hidden (or behavioral) theory (or specication) is a triple (H; ; E ), where (H; ) is
a hidden signature and E is a set of -equations that does not include any -equations; we may
write (; E ) or even E for short. 2
Condition (S1) expresses data encapsulation, that cannot add any new operations on data items.
Condition (S2) says that methods and attributes act singly on (the states of) objects. Note that
every operation in a hidden signature is either a method, an attribute, or else a constant. Equations
about data (-equations) are not allowed in specications; any such equation needed as a lemma
should be proved and asserted separately, rather than being included in a specication. Note
that this denition allows multiple hidden sorts; these are useful for (in the jargon of the object
paradigm) complex attributes, which are class valued attributes; however, it is always possible to
reduce to a single hidden sort without loss of expressiveness, at some cost in complexity.
The following example may help clarify this denition. This code uses OBJ3 syntax for theories,
where the keyword pair th...endth with `pr DATA' indicates a loose semantics `protecting' DATA;
we will explain this soon.
Example 3: We specify ag objects, where intuitively a ag can be either up or down, with
methods to put it up, to put it down, and to reverse it:
th FLAG is sort Flag .
pr DATA .
ops (up_) (dn_) (rev_) : Flag -> Flag .
op up?_ : Flag -> Bool .
var F : Flag .
eq up? up F = true .
eq up? dn F = false .
eq up? rev F = not up? F .
endth
Here FLAG is the name of the module and Flag is the name of the class of ag objects. The
operations up, dn and rev are methods to change the state of ag objects, and up? is an attribute
that tells whether or not the ag is up; all have prex syntax.
We could add a hidden constant newf as an initial state for FLAG objects, with an equation
eq up? newf = false .
to set the initial value of the attribute; of course, the initial value could equally well be true, or it
could be left undened by simply not giving such an equation. 2
If is the signature of FLAG, then is a subsignature of , and so a model of FLAG should be
a -algebra whose restriction to is D, providing functions for all the methods and attributes in
, and behaving as if it satises the given equations. Elements of such models are possible states
for Flag objects. This motivates the following:
Denition 4: Given a hidden signature (H; ), a hidden -algebra A is a (many sorted) algebra A such that Aj = D. A hidden -homomorphism is a (many sorted) -homomorphism
that is the identity on visible sorts. 2
10
For any hidden algebra A and ground -terms t; t0 , since we are `given' D, we can decide whether
A j= t = t0 by checking D j= t = t0 by just evaluating the terms in D, i.e., by checking whether
g(t) = g(t0 ), where g : T ! D is the unique -homomorphism. Notice that D implies that
D Tj , and also that g(d) = d for any d 2 D.
We next dene behavioral satisfaction of an equation; intuitively, its two terms should `look the
same' under every `experiment' consisting of some methods followed by an `observation,' i.e., an
attribute. More formally, such an experiment is given by a context, which is a term of visible sort
having one free variable of hidden sort:
Denition 5: Given a hidden signature (H; ) and a hidden sort h, then a -context of sort
h is a visible sorted -term having a single occurrence of a new variable symbol z of sort h. A
context is appropriate for a term t i the sort of t matches that of z . Write c[t] for the result
of substituting t for z in the context c, and let C [z ] denote the V -indexed set of contexts with
hidden variable z .
A hidden -algebra A behaviorally satises a -equation (8X ) t = t0 i for each appropriate
-context c, A satises the equation (8X ) c[t] = c[t0 ]; then we write A j (8X ) t = t0 , and we
may drop the subscript .
Similarly, A behaviorally satises a conditional equation e of the form
(8X ) t = t0 if t1 = t01 ; :::; tm = t0m
i for every assignment : X ! A, we have10
(c[t]) = (c[t0 ])
for all appropriate contexts c whenever
(cj [tj ]) = (cj [t0j ])
for j = 1; :::; m and all appropriate contexts cj . As with unconditional equations, we write A j e.
A model of a hidden theory P = (H; ; E ) is a hidden -algebra A that behaviorally satises
each equation in E . Such a model is also called a (; E )-algebra, or a P -algebra, and then we
write A j P or A j E . Also we write E 0 j E i A j E 0 implies A j E for each hidden
-algebra A.
Finally, a hidden -algebra A is reachable i the unique -homomorphism from the initial
(term) -algebra T is surjective. 2
Example 6: The following are some contexts for FLAG:
c1 [z] =
c2 [z] =
c3 [z] =
up?
z
up? up rev
up? dn dn
z
z
There are an innite number of contexts; all begin with up? since that is the only attribute. 2
We next give some models for the FLAG theory, i.e., some objects of class Flag:
10 Here denotes the unique -homomorphic extension of .
11
Example 7: Let's rst look at a simple Boolean cell C as a hidden algebra. Here, CFlag = CBool =
ftrue; falseg, up F = true, dn F = false, up? F = F , and rev F = not F .
A more complex implementation H keeps complete histories of interactions, so that the action
of a method is merely to concatenate its name to the front of a list of method names. Then
HFlag = fup; dn; revg , the lists from fup; dn; revg, while HBool = ftrue; falseg, up F = up_F ,
dn F = dn_F , rev F = rev _F , while up? up_F = true, up? dn_F = false, and up? rev _F =
not up? F , where _ is the concatenation operation.
Note that C and H are not isomorphic. 2
For visible equations, there is no dierence between ordinary satisfaction and behavioral satisfaction. But these concepts can be very dierent for hidden equations. For example,
rev rev F = F
is strictly satised by the Boolean cell model C , but it is not satised by the history model H .
However, it is behaviorally satised by both models. This shows that behavioral satisfaction is
often more appropriate for computing science applications. (We will later use coinduction to prove
that every FLAG-model behaviorally satises this equation.)
Example 8: The following OBJ3 code species a cell that holds a single natural number X .
th X is sort State .
pr DATA .
op putx : Nat State -> State .
op getx_ : State -> Nat .
var S : State . var N M : Nat .
eq getx putx(N,S) = N .
endth
Objects of class X are really just `program variables' of integer type, i.e., cells that hold an integer,
and the models are ways of implementing such cells. 2
The following justies the simplest ways to reason about behavioral satisfaction:
Proposition 9: In proving E j e, the ordinary rules of equational deduction are valid, including
substituting one behavioral equation into another, and of course symmetry and transitivity; visible
equations can also be used in such proofs. 2
This result is easy to prove, and can be very useful. For example, if we want to prove
getx putx(N, putx(M, S)) = N ,
for the above theory X, we can just do the following:
red getx putx(N, putx(M, S)) == N .
(OBJ3 complains about the variables, but does the reduction anyway, treating them as constants,
and giving the correct result, true; see Appendix Section A.) However something more powerful
than reduction is needed to prove the equation about double reverse given above, or to prove
putx(M, putx(N, S)) = putx(M, S)).
Unfortunately, it is easy to write theories that have no models. For example, if we add a
constant newf of sort Flag and the equation
eq not up? F = up? F .
to FLAG, then we can prove that true = false, which contradicts Denition 4. This motivates:
12
Denition 10: A hidden theory is consistent i it has at least one model. 2
Some techniques for guaranteeing consistent specications from [47] are summarized in Theorem
13 below, which uses the following concepts:
Denition 11: A (X )-term is local i it is a constant or a variable (i.e., is in D or in X );
a (X )-term that is not a (X )-term is local i all visible proper subterms are local. Let L;s
denote the set of local ground -terms of sort s. An equation is local i its left and right sides
are local and its conditions (if any) are (X )-terms; a set of equations is local i each one is. A
constraint is an equation such that both its terms have their top operations in . 2
A local equation cannot be a constraint. Constraints constrain the values of undened terms over a
theory, as discussed in some detail in Section 2.3, which shows how this relates to nondeterminism.
Denition 12: A set E of -equations is D-complete i D j= (8;) t = t0 implies E j= (8;) t =
t0 for all -terms t and t0 . 2
Theorem 13: If the equations E in a hidden theory are D-complete and Church-Rosser local
rewrite rules, then the theory is consistent.
Proof: We show consistency by constructing a model M with carriers Mh = L;h for h 2 H and
Mv = Dv for v 2 V . Its methods are interpreted as term building operations, noting that this
preserves locality. For an attribute 2 hw;v , given t 2 Mh and d 2 Dw , let M (t; d) = d0 if
E j= (t; d) = d0 , and otherwise let M (t; d) be some element dv of Dv , xed for each visible sort v.
Because E is Church-Rosser, there is at most one d0 with E j= (t; d) = d0 , so M is well-dened.
To show M j E , let (8X ) t = t0 if t1 = t01 ; : : : ; tm = t0m be in E , and let : X ! M . Because the
unique -homomorphism g : T ! M is surjective, there is : X ! T with = ; g. Suppose
ti = t0i for i = 1; : : : ; m, then because ti ; t0i are (X )-terms, we have D j= (8;) ti = t0i,
and by D-completeness, this implies E j= (8;) ti = t0i , and so
E j= (8;) t = t0 :
(1)
By Proposition 20 below, we can show behavioral satisfaction by considering only contexts that are
local terms. Since t is a local term, so too is c[t] for any local context c, and by the denition of M
it follows that
( 0
E j= (8;) c[t] = d0
c[t] = g( c[t]) = dd ifotherwise
v
If there is some d0 with E j= (8;) c[t] = d0 , then by (1) it follows that c[t] = d0 = c[t0 ];
similarly if, there is no such d0 then c[t] = dv = c[t0 ]. In both cases c[t] = c[t0 ], so M j E
as desired. 2
Many examples in this paper can be shown consistent using this result. A sucient condition
for the Church-Rosser property is that the equations are nonoverlapping11 . Once a specication
has been shown consistent ignoring its nonlocal equations, the consistency of constraints can be
considered separately; however, determining whether a set of constraints has a solution can be
arbitrarily dicult, even unsolvable.
Example 14: This hidden theory for arrays is used in a later example, and can be seen consistent
by using Theorem 13:
11 For conditional equations, the left sides may overlap, but then the conditions must be disjoint.
13
th ARR is sort Arr .
pr DATA .
op nil : -> Arr .
op put : Nat Nat Arr -> Arr .
op _[_] : Arr Nat -> Nat .
var I J N : Nat . var A : Arr .
eq nil[I] = 0 .
cq put(N,I,A)[J] = N if I == J .
cq put(N,I,A)[J] = A[J] if not I == J .
endth
Here nil is the empty array, A[I] is the value of A at index I, and put(N,I,A) puts N at I in A.
There are no hidden equations. 2
Hidden algebra can be regarded as an instance of the constraint logic as described in [17, 18]:
(V; ) is the signature of builtins, D the model of builtins, and is an extension of the `logical'
signature; however, hidden algebras dier from constraint logic models, because the builtins are
protected.
2.3 Nondeterminism
Modern distributed programming paradigms cannot do without nondeterminism, because the nodes
of a network cannot be expected to know what the other nodes are going to be doing. Therefore
it is essential that a formalism intended to be useful for modern software engineering should treat
nondeterminism in a simple and natural way. But most concurrency calculi treat nondeterminism
in complex and unnatural ways; moreover, there are sharp ongoing debates among the advocates
of the various approaches, with no obvious resolution in sight.
Nondeterminism is inherent to the hidden paradigm; it arises whenever some attribute values
are not determined by a specication. To understand this, it may help to view models as `possible
worlds,' where each possible combination of nondeterministic choices appears in a dierent world.
However, this does not mean more than one value can occur in a given world; on the contrary, each
model is deterministic, in that attributes only take one value at a time. However, a given hidden
specication may have multiple models, in which the attributes have completely dierent values.
Denition 15: Given a hidden theory P = (H; ; E ), a ground -term t is dened i for every
context c (of appropriate sort), there is some d 2 D such that E j c[t] = d; otherwise, t is
undened. P is lexic i all ground terms are dened. 2
Fact 16: Given a hidden theory P = (H; ; E ), then:
1. A visible term t is dened i E j t = d for some d 2 D.
2
2. P is lexic i all visible ground terms are dened.
3. Call a ground term invisible i it is of hidden sort and has no contexts; then all invisible
terms are dened.
4. P is lexic if it has no hidden (generalized) constants.
Having no undened ground terms corresponds to Guttag's notion of sucient completeness [63].
However, not only do we not require this condition, but we claim that undened terms are very
14
useful in system development, and even at run time. Instead of having explicitly to say something is
`undened,' one simply does not dene it; then it can have any value consistent with the given theory, and indeed, all possible combinations of values occur among the models of the theory. Hidden
nondeterminism avoids theological disputes, e.g., between angelic and demonic nondeterminism12;
we simply get a certain range of implementation freedom, i.e., of possible worlds.
Example 17: Consider the following simple theory with one hidden sort, one natural number
valued attribute, one hidden constant, no equations, and the usual data (naturals and Booleans):
th EX1 is sort H .
pr DATA .
op c :
-> H .
op a : H -> Nat .
endth
There is exactly one undened visible ground term here, namely a(c). Hence this theory calls for a
nondeterministic choice of a natural number, and indeed (up to behavioral equivalence, as dened
in Section 3) there is exactly one reachable -algebra for each choice of a natural number for the
attribute. There are also innitely many non-reachable models; these worlds may have arbitrarily
many other `unnamed' (i.e., unreachable or `junk') objects, each with a natural number attribute.
If we add the constraint
eq a(H) < s s s s 0 = true .
then the nondeterminism is restricted so that (again up to behavioral equivalence) there are just
four reachable models, each a world where the attribute of the object c has value 0, 1, 2 or 3. The
unreachable models contain other objects, each of which has an attribute with value 0, 1, 2 or 3. 2
Things get more interesting when there are methods as well as attributes. Then the elements
reachable from a given element of a hidden algebra are the states that can arise by applying methods
to that element; a connected component of elements consists of all states for a single object. It
is almost obligatory to test drive a new specication technology over a range of stacks, because
most approaches have already done so; hence stacks are a convenient (but minimal) benchmark for
comparing approaches. We rst specify a non-deterministic stack. (Since this paper is limited to
many sorted algebra, the handling of errors is weak; [40, 52] show how to do it better with order
sorted algebra.)
Example 18: Here the operation push nondeterministically puts a new natural number on top
of a stack. This single operation thus corresponds to countably many nondeterministic transitions
in a traditional state transition system.
th NDSTACK is sort Stack .
pr DATA .
op empty : -> Stack .
op push_ : Stack -> Stack .
op top_ : Stack -> Nat .
op pop_ : Stack -> Stack .
var S : Stack .
eq pop push S = S .
eq pop empty = empty .
endth
12 That there are so many dierent kinds of nondeterminism in the standard approaches is a major cause for the
Babel of mutually inconsistent `laws of concurrency' mentioned in Section 1.2.
15
Terms like top push empty are undened, i.e., nondeterministic, and can take any value. Each
model of this specication is deterministic, and represents one possible way of resolving the nondeterminism.
Behavioral satisfaction of the rst equation implies that whatever number is pushed on a stack
stays there until it is popped; for example, it follows that
top pop push S
and that
=
top S
top pop pop push push S
However, it is not true that
=
top S
.
,
because the new number pushed on S may be dierent from the old one.
The term top empty is also undened, and hence can take any value. Of course, we could x
its value with an equation like
top empty = 0 .
Moreover, we could constrain push to just one of the four values 0, 1, 2, 3 by adding an equation
like that in Example 17:
top push S < s s s s 0 = true .
It is also possible to have several dierent nondeterministic push methods, each subject to dierent
constraints. 2
top push pop S
=
top S
Thus hidden semantics diers sharply from initial semantics, where terms like top empty would
appear as new elements of sort Nat; it also diers from pure loose semantics, where such terms
could be either new elements or else old data values.
Hidden algebraic nondeterminism can be used much as in the concurrent constraint paradigm: a
specication describes the possible states of an object in isolation, but what states actually occur is
co-determined with other objects through their interactions, expressed as constraints. For example,
the specications for an array and a pointer into it describe all their possible states separately, but
when they are put together to implement a stack, many states are no longer reachable13 . Thus,
hidden algebra is naturally nondeterministic; we will see that it is also well suited to nonterminating
(Example 36), concurrent, and reactive systems.
Example 19: Here is a hidden version of the traditional stack theory with a non-unary deter-
ministic push:
th STACK is sort Stack .
pr DATA .
op empty : -> Stack .
op push : Nat Stack -> Stack .
op top_ : Stack -> Nat .
op pop_ : Stack -> Stack .
var S : Stack . var I : Nat .
eq top push(I,S) = I .
eq pop empty = empty .
eq pop push(I,S) = S .
endth
Here top
empty
is the only undened ground term (up to equality). 2
13 Details of this implementation are given in Example 49; in that context, it is impossible for the array containing
all 1's to occur.
16
A similar situation to that in the above example arises if we delete the equation nil[I] = 0 from
the ARR theory in Example 14; then a user of an implementation of this specication may nd
`garbage' in the array, and so must be careful not to rely on its having any particular initial value.
Undened values obstruct initial hidden algebras, as shown in Theorem 22 below. Recalling
that L;s denotes the set of local ground -terms of sort s, note that any -algebra M induces a
hidden -algebra structure on L which we denote LM , by interpreting methods as term building
operations, and interpreting an attribute 2 w;v by (LM ) (`) = M (hM (`)) = hM ((`)) for
suitable ` 2 (L )w , where hM is the unique -homomorphism T ! M . Restricting hM to local
terms gives a unique hidden -homomorphism LM ! M that we denote 'M .
Proposition 20: Let L[z]s C [z]s denote the set of local -contexts of sort s involving the
variable z of hidden sort. Then a hidden -algebra M behaviorally satises a hidden equation
(8X ) t = t0 i it satises (8X ) c[t] = c[t0 ] for every visible local context c 2 L [z ].
Proof: The `only if' direction follows from the fact that every local context is a context. For
the converse, note that the unique -homomorphism T ! LM extends14 to a -homomorphism
b : T(z) ! LM (z) that translates a context c to a local context cb. We now show that for any context
c and substitution : X ! M , we have (cb[t]) = (c[t]). Any -algebra M becomes a (X )algebra by picking values m 2 M of the right sort for each x 2 X via some assignment : X ! M .
In particular, any t 2 T (X ) of the same sort as z will make T (X ) into a (X [fz g)-algebra, and
we let [t] : T (X [ fz g) ! T (X ) denote the unique -homomorphism. Now : X ! M and t
give t : X [fz g ! M , sending x 2 X to (x) and z to (t), which induces a (X [fz g) structure
on M and hence a unique -homomorphism t : T(X [fzg) ! M extending t . But each side of the
equation is the value of c along one such homomorphism, and hence they are equal. This means
M interprets a context c the same way it interprets cb. Therefore if the left and right sides of an
equation are equal in all local contexts, then for any context c, they are equal in the local context
cb, and therefore in c. 2
Proposition 21: For a given hidden signature , we have the following:
1. For any hidden -homomorphism f : M ! N and equation e, if N j e then M j e.
2. For any -algebra M and equation e, if M j e then LM j e.
3. If a hidden theory has an initial model, then that initial model behaviorally satises any
equation behaviorally satised by any other hidden model of the theory.
4. If either e is a ground equation or M is reachable, then M j e i LM j e.
5. If there is a hidden -homomorphism f : M ! N , then LM = LN .
Proof: For the rst assertion, let e be of the form (8X ) t = t0, and let : X ! L. Then
; f : X ! N , and N j e implies (; f ) (c[t]) = (; f )(c[t0 ]) for any context c, which implies
that f ((c[t])) = f ( (c[t0 ])), which because f is the identity on visible elements, then implies
(c[t]) = (c[t0 ]), as desired. A similar proof can be given for conditional equations.
The second and third assertions use the homomorphism 'M : LM ! M .
The fourth assertion follows by factoring assignments X ! T through LM .
For the fth assertion, note rst that hN = hM ; f . Then (LM ) (`) = hM ((`)) and (LN ) (`) =
hN ((`)). But hN ((`)) = f (hM ((`))), and therefore hN ((`)) = hM ((`)), because f is the
identity on visible sorts. 2
14 This extension is most easily explained using a little categorical magic. To the signature inclusion (z )
corresponds a forgetful functor from (z)-algebras to -algebras. This functor has a left adjoint that forms the free
(z)-algebra M (z) over any -algebra M , and that extends -homomorphisms to homomorphisms of (z)-algebras.
17
Theorem 22: A hidden theory P = (H; ; E ) has an initial model, denoted LP , i it is consistent
and lexic.
Proof: We rst show that if P is consistent and lexic, then LM = LN for any two P -models M; N .
Lexicality implies that for any visible ground term t there is a unique dt 2 D with E j (8;) t = dt .
Then LM = LN because (LM ) (`) = hM ((`)) = dt and similarly for (LN ) (`). Because E
is consistent, there is at least one model, say M . So we have LM and a unique homomorphism
'M : LM ! M . Moreover, for any model N , there is a unique homomorphism 'N : LM = LN ! N .
Therefore LM is an initial model.
Conversely, if there is an initial model M , then E is consistent. For every visible term t, there
is a data value f (t) given by the homomorphism f : T ! M . Moreover, for any other model N
with homomorphism g : T ! N , we have g(t) = '(g(t)) = f (t), where ' is the unique hidden
homomorphism M ! N . Therefore N j (8;) t = f (t). Because N is arbitrary, for every ground
term t there is a data value f (t) such that E j (8;) t = f (t). 2
System development consists in part of progressively reducing implementation freedom15 , which
may involve reducing nondeterminism, among other things. Reducing nondeterminism is consistent
with software engineering practice, where all the operations in a program are deterministic, but
at a given development stage many programs may still satisfy the specication. Thus, hidden
nondeterminism is more appropriate for renement (see Section 4) than the forms usually found
e.g., in process algebra. Nondeterminism can also remain right down to the implementation level,
where any consistent value may be returned. For example, a set of constraints may be resolved only
at run time, and in dierent ways at dierent times. Thus, the same notion of nondeterminism is
useful for implementation freedom and for runtime choice.
2.4 More Hidden Satisfaction and the Logic Paradigm
It is easy to dene hidden satisfaction for all the connectives of rst order logic, and indeed of
modal and other logics. For us, the most important of these is existential quantication, because it
provides the existential queries that are the basis of our combined logic-object paradigm [47, 44]:
Denition 23: An (existential) -query is a sentence of the form
(9X ) t1 = t01 ; : : : ; tm = t0m
and is behaviorally satised by a -algebra A i there is some assignment : X ! A such that
(cj [tj ]) = (cj [t0j ])
for j = 1; :::; m and all appropriate contexts cj . 2
To establish our combined logic-object paradigm, we need a hidden Herbrand theorem to reduce
reasoning over arbitrary models (e.g., of object oriented databases) to reasoning over a single
`Herbrand universe' term algebra, as in ordinary logic programming (see [49] for a precise statement
of the corresponding result for equational logic programming). The following result is from [47]:
Theorem 24: Given a consistent lexic hidden theory (; E ), then an initial (; E )-algebra G
behaviorally satises a -query q i every (; E )-algebra behaviorally satises q. 2
15 However,
real software development processes involve much more, including constantly evolving requirements
and the resulting need to constantly evolve the software [35].
18
We can always choose a canonical term algebra [57] for G, and thus use narrowing to solve queries,
as illustrated in [47]; of course, more ecient methods can be used in special cases. Applications
of this paradigm [44] may involve queries to an object oriented database where the resulting object
is not just retrieved, but actually created. For example, one might describe a holiday package
(or a software package) that one wants, and then actually get the tickets and reservations (or the
executable code) as the result of the query16 .
The work in this section (and also on renement in Section 4) extends to Horn clause logic with
equality, by applying a construction that reduces that logic to hidden equational logic (see [47],
extending Diaconescu [16]). This gives a paradigm that unies the object paradigm with equational
logic programming and traditional Horn clause logic programming [49].
3 Behavior and Hidden Coinduction
Induction is a standard technique for proving properties of initial (or more generally, reachable)
algebras of a theory. Principles of induction can be justied from the fact that an initial algebra has
no proper subalgebras (e.g., [37, 78]). We will see that nal (terminal) algebras play an analogous
role in justifying reasoning about behavioral properties with hidden coinduction. We rst need the
following:
Denition 25: Given a hidden signature , a hidden subsignature , and a hidden -algebra
A, then behavioral -equivalence on A, denoted , is dened as follows, for a; a0 2 As:
(E1) a ;s a0 i a = a0
when s 2 V , and
(E2) a ;s a0 i Ac(a) = Ac (a0 ) for all v 2 V and all c 2 C [z ]v
when s 2 H , where z is of sort s and Ac denotes the function interpreting the context c as an
operation on A, that is, Ac (a) = a (c), where a is dened by a (z ) = a and a denotes the free
extension of a .
When = , we may call just behavioral equivalence and denote it .
For , a hidden -congruence on a hidden -algebra A is a -congruence ' which is
the identity on visible sorts, i.e., such that a 'v a0 i a = a0 for all v 2 V and a; a0 2 Av = Dv . We
call a hidden -congruence just a hidden congruence. 2
It is not hard to demonstrate the following:
Fact 26: Given a hidden signature and a hidden subsignature :
1. any hidden -congruence is a hidden ( [ )-congruence;
2. 0 implies 0 ; and
3. behavioral -equivalence is a hidden -congruence.
2
However, the key property17 is:
Theorem 27: If is a hidden signature, is a hidden subsignature of , and A is a hidden
-algebra, then behavioral -equivalence is the largest behavioral -congruence on A. 2
16 Of course, you may wish to rene the constraints before your tickets are printed and your credit card is billed.
17 This elegant formulation appeared in a conversation between Grant Malcolm and Rolf Hennicker, for the special
case where = .
19
Probably the most common case is = , but the generalization to smaller is useful, for example
in verifying renements, as we will see in Section 4.
Theorem 27 is not hard to prove (a simple but very abstract proof is given in Section 3.2).
The proof generalizes the well known construction of an abstract machine as a quotient of the
term algebra by the behavioral equivalence relation (usually called the Nerode equivalence in that
context) [78, 74], and uses the existence of nal algebras that is proved in Section 3.1.
Theorem 27 implies that if a ' a0 under some hidden congruence ', then a and a0 are behaviorally equivalent. This justies a variety of techniques for proving behavioral equivalence (see also
[43, 75]). In this context, a relation may be called a candidate relation before it is proved to be
a hidden congruence.
Example 28: Let A be any model of the FLAG theory in Example 3, and for f; f 0 2 AFlag , dene
f ' f 0 i up? f = up? f 0 (and d ' d0 i d = d0 for data values d; d0 ). Then we can use the equations
of FLAG to show that f ' f 0 implies up f ' up f 0 and dn f ' dn f 0 and rev f ' rev f 0, and of
course up? f ' up? f 0 . Hence ' is a hidden congruence on A.
Therefore we can show A j (8F : Flag) rev rev F = F just by showing A j= (8F : Flag)
up? rev rev F = up? F. This follows by ordinary equational reasoning, since up? rev rev F
not(not(up? F)). Therefore the equation is behaviorally satised by any FLAG-algebra .
A
=
It is easy to do this proof mechanically using OBJ3, since all the computations are just ordinary
equational reasoning. We set up the proof by opening FLAG and adding the necessary assumptions;
here R represents the relation ':
openr FLAG .
op _R_ : Flag Flag -> Bool .
var F1 F2 : Flag .
eq F1 R F2 = (up? F1 == up? F2) .
ops f1 f2 : -> Flag .
close
The new constants f1, f2 are introduced to stand for universally quantied variables (using the
ordinary theorem of constants [45, 37]). The following shows R is a hidden congruence:
open .
eq up? f1 = up? f2 .
red (up f1) R (up f2) .
red (dn f1) R (dn f2) .
red (rev f1) R (rev f2) .
close
***> should be: true
***> should be: true
***> should be: true
Finally, we show that all FLAG-algebras behaviorally satisfy the equation with:
red (rev rev f1) R f1 .
All the above code runs in OBJ3, and gives true for each reduction, provided the following lemma
about the Booleans is added somewhere,
eq not not B = B .
where B is a Boolean variable; alternatively, a decision procedure for the Booleans could be used
instead of OBJ3's builtin Booleans, which only knows how to reduce ground terms. We believe the
proof above is about as simple as could be hoped for18 . 2
18 Actually, the third reduction above is unnecessary, but it is more trouble to justify its elimination than it is to
ask OBJ to do the reduction. Section 3.4 discusses this example and the techniques that are needed.
20
The above is an example of what we call hidden coinduction; this will be explained further below.
We now give some results to simplify hidden coinduction proofs. Suppose = ? [ ; the letters
? and are intended to suggest generators (also called constructors) and destructors (also called
selectors), respectively19 [75]. In Example 28, contains up? and ? contains all the other ag
operations.
Corollary 29: If = [ ? and if on -algebra A is preserved by ?, then = on A.
More generally, if = [ ? and is preserved by ?, then = .
Proof: We show the more general result. By Fact 26, is a hidden ( [ )-congruence that
contains behavioral -equivalence, since . If is preserved by ?, then it is a hidden
[? = -congruence, and the desired result follows from Theorem 27. 2
Veriers naturally want to do as little work as possible. Hence they do not want to bother with
at all, and they do not want any overlap between and ?, i.e., they want to use and ? such
that = + ? + , where `+' denotes disjoint union for operations and ordinary union for sorts.
In the object paradigm, it is often natural to let contain attributes and ? methods; then we can
give a simple syntactic denition for :
Proposition 30: If = + ? + where consists of visible operations, if A is a -algebra,
and if we dene aR a0 i (a; d) = (a0 ; d) for all 2 and all d 2 Aw where w is the arity of ,
then R = . Thus, if R is preserved by ?, then R is behavioral -equivalence.
Proof: (E2) of Denition 25 is equivalent to the denition of R because all operations in are
visible. 2
The above shows that R as dened in Example 28 really is . Furthermore, if ? consists of
methods and of attributes, and if the equations satisfy a certain common property, then R is
automatically preserved by ?:
Denition 31: If = + ? + where operations in are visible and in ? are hidden, then a
set E of -equations is =?-complete i for all 2 ; m 2 ?, there is some t 2 T[ (fxg) such
that using E we can prove
(d; m(d0 ; x)) = t ;
with x of hidden sort h0 , 2 wh;v , m 2 ?w0 h0 ;h , d 2 Dw , and d0 2 Dw0 . 2
The following is a straightforward corollary to Proposition 30:
Proposition 32: If = + ? + with operations in visible and in ? hidden, if A is a hidden
-algebra, and if E is =?-complete, then R is preserved by ?, and therefore R is behavioral
-equivalence. 2
In the special case where all equations involving ? have the form
(m(x)) = t ;
with x of hidden sort h, 2 ; m 2 ?; t 2 T[ (fxg), it is easy to see that E is =?-complete.
(This result was suggested to us by Razvan Diaconescu.)
To summarize, hidden coinduction is the proof technique where we dene a relation, show
it is a hidden congruence, and then show behavioral equivalence of two terms by showing they are
congruent.
19 More information on constructors and selectors
in order sorted algebra is given in [50].
21
Exercise 33: Prove that the equation
eq putx(M,putx(N,S)) = putx(M,S) .
is a behavioral consequence of the theory X in Example 8, and that it is not strictly satised. (A
proof for the satisfaction part of this exercise appears in Appendix B.) 2
The way we dene the congruence relation in a coinductive proof can have a signicant eect
on how the proof applies to models. If the relation is dened inductively over some constructors,
then given a model A, the congruence is only dened on the subalgebra A0 A generated by
those constructors in A; this is the subalgebra that is reachable using those constructors. More
specically, the proof that such a candidate relation is a congruence might proceed by induction
on the given constructors; in this case, what is proved is that the relation is a congruence on
the subalgebra A0 . Usually we don't care whether or not a behavioral equation is satised by
unreachable states, because these states cannot occur when the machine is run. An example of a
correctness proof that applies only to reachable states is given in Example 49 in Section 4.
3.1 Finality
This paper does not advocate nal algebra semantics; instead, our semantics for hidden theories
is a loose behavioral semantics with a standard interpretation for data. In practice, the best
implementations are often neither initial nor nal, but somewhere between. However, nal hidden
algebras are important for our theoretical development, and in particular, they play a key role in
justifying hidden coinduction. The construction of a nal algebra F below follows [11], and should
help our intuition to grasp what is going on.
Given a hidden signature without generalized hidden constants (recall these are hidden operations with no hidden arguments), the hidden carriers of F are given by the following `magical
formula':
Y
F;h = [C[zh ]v ! Dv ] ;
v2V
the product of the sets of functions taking contexts to data values (of appropriate sort).
Elements of F can be thought of as `abstract states' represented as functions on contexts,
returning the data values resulting from evaluating a state in a context; thus they are a kind of
continuation. This also appears in the way F interprets attributes: let 2 hw;v be an attribute,
let p 2 F;h and let d 2 Dw ; then we dene F; (p; d) = pv ((zh ; d)); i.e., pv is a function taking
contexts in C [zh ]v to data values in Dv , so applying it to the context (zh ; d) gives the data value
resulting from that experiment.
Methods are interpreted similarly: Let 2 hw;h0 be a method, let p 2 F;h and let d 2 Dw ;
then F; (p; d) must be an element of
F;h0 =
Y
v2V
[C [zh0 ]v ! Dv ] :
For v 2 V and c 2 C [zh0 ]v , dene
(F; (p; d))v (c) = pv (c[(zh ; d)]) ;
i.e., with a slight abuse of notation, given an abstract state p, the result we get from looking at
(p; d) in a context c is the same as the result that p gives in the context c[(zh ; d)].
22
Theorem 34: For any hidden signature without generalized hidden constants, F is a nal
hidden -algebra.
Proof: The preceeding paragraph shows that F is a hidden -algebra. Given another hidden
-algebra A, there is a hidden -homomorphism g : F ! A taking a 2 Ah to the family (over
v 2 V ) of mappings C[zh ]v ! Dv that send c to Ac(a). It is now straightforward to check that g
is unique. 2
Given a hidden -algebra A, the unique -homomorphism A ! F takes takes a hidden state to
all its observable behaviors; it can be thought of as evaluating all attributes for all states that can
be reached from the given state.
Example 35: For the signature of FLAG in Example 3, the unique -homomorphism from a
FLAG-algebra A to F maps a state f 2 AFlag into the set of all assignments of boolean values to
all contexts, i.e., to each of the following:
f
up? up f
up? up up f
up?
up? dn
f
up? up dn
::::::::::::
2
f
up? rev
f
up? dn up
f :::::::
Example 36: A class of innite streams of numbers can be specied as follows:
th STREAM is sort Stream .
pr DATA .
op hd_ : Stream -> Nat .
op tl_ : Stream -> Stream .
endth
Here hd gives the rst value in the stream, and tl gives the remainder of the stream. The nal
algebra for this theory is the set of innite lists of numbers, and the unique homomorphism from
a STREAM-algebra A to the nal algebra F maps a 2 A to the innite list of numbers
hd
2
a;
hd tl
a;
hd tl tl
a; : : : :
We now show that Theorem 34 generalizes to give nal models for all consistent lexic theories.
Denedness is exactly what allows constants to be interpreted in the nal model. First, we need
the following:
Denition 37: Given a hidden signature , let denote with all hidden constants removed.
Given a -algebra A, let A denote A viewed as a -algebra. 2
Theorem 38: If each equation in a hidden theory P = (H; ; E ) has at most one variable of
hidden sort, then P has a nal model, denoted FP , i it is consistent and lexic.
Proof: Suppose P is consistent and lexic, and for any P -algebra A, let ' : A ! F be the unique
hidden -homomorphism to the nal algebra F , made into a hidden -algebra by interpreting
generalised constants 2 w;h by (F ) (d) = '((A) (d)) for all d 2 Dw ; note that ' is a
hidden -homomorphism. Let FA be the image of ', i.e., factor ' as the composition of surjective
'0 : A ! FA and inclusive '1 : FA ,! F . Because '0 is surjective, Lemma 39 below implies
that FA j E . Now let FP be the greatest subalgebra of F that behaviorally satises E ; in fact,
23
this is the union of all the images FA for each hidden P -algebra A. For any equation in E with
variables X , because at most one variable in X is of hidden sort, any assignment : X ! FP is an
assignment : X ! FA for some A, and so FP j E . For any P -algebra A, we have already noted
that FA is a subalgebra of F that behaviorally satises E ; therefore it is contained in FP , which
shows that the domain of ' lies in FP , which is therefore nal. This concludes the `if' direction of
proof. The converse is like that of Theorem 22. 2
Lemma 39: Given a surjective hidden homomorphism h : A ! B and an equation e, then A j e
implies B j e.
Proof: Let e be of the form (8X ) t = t0 if t1 = t01; : : : ; tm = t0m, and let : X ! B be such that for
i = 1; : : : ; n (ti ) B (t0i ). Because h is surjective, there is some : X ! A such that = h; .
Therefore h( (ti )) B h( (t0i )), and so by Lemma 40, (ti ) A (t0i ) for i = 1; : : : ; m. If A j e,
this means that (t) A (t0 ), so by Lemma 40, h( (t)) B h( (t0 )), i.e., (t) B (t0 ), and
therefore B j e. 2
Lemma 40: Given and a hidden -homomorphism h : A ! B , then a a0 in A i
h(a) h(a0 ) in B for all a; a0 in A.
Proof: By denition, a a0 is equivalent to Ac(a) = Ac(a0 ) for all c 2 L[z], which is equivalent
to h(Ac (a)) = h(Ac (a0 )) for all c 2 L [z ], because h is the identity on visible sorts; moreover,
because h is a homomorphism, this in turn is equivalent to Bc (h(a)) = Bc(h(a0 )) for all c 2 L [z ],
which is by denition h(a) h(a0 ). 2
Dual to the construction of an initial algebra for a theory as a quotient by the congruence
dened by its equations, the nal hidden algebra FP of a theory P is the greatest subalgebra of F
that satises the equations20 . The unique homomorphism to the nal algebra can be thought of as
mapping each state to all the observations that can be made upon it. We can get such a function
for an arbitrary -algebra A by forgetting that certain hidden elements of A are named by hidden
constants in . This motivates the following:
Proposition 41: Two elements of a hidden -algebra A are behaviorally equivalent i they map
to the same element under the unique -homomorphism A ! F to the nal -algebra F .
Proof: This follows straightforwardly from the denition of behavioral equivalence and the `magic
formula' that denes F . 2
In other words, behavioral equivalence on an algebra is the kernel of the unique homomorphism to
the nal algebra [74]. The quotient under this equivalence gives an algebra which is used in [11]
to dene behavioral satisfaction. The constructions for initial and nal abstract machines given in
[48] are very similar to those given here, and are perhaps the rst in the literature.
3.2 A Categorical Hat Trick
Those who are antagonistic to and/or ignorant about category theory should skip this subsection.
The remaining readers will nd here a very brief but elegant correctness proof for hidden coinduction
using nality.
Given a hidden theory (; E ) and an (; E )-algebra A, let h : A ! F be the unique homomorphism to the nal -algebra F . We can factor h as j ; i where j is surjective and i is
injective. Now let C denote the category of all factorizations e; f of h where e is surjective. Then
the factorization j ; i is nal in C and therefore has no proper quotients. This is the same as saying
that the congruence dened by (the kernel of) j is maximal on A. Thus we have proved Theorem
27 for the case = ; but the general case now follows, because any -algebra is also a -algebra.
20 This exists because there is at least one model.
24
3.3 A Vending Machine
Since none of the examples of nondeterminism in Section 2.3 involve state, which is the most
characteristic feature of hidden algebra, we really should give an example of nondeterminism with
a hidden sort. For some reason, vending machines are very popular for illustrating nondeterminism
and concurrency. The specication below describes perhaps the simplest vending machine that
isn't entriely trivial: when you put a coin in, it nondeterministically gives you either coee or tea,
represented (let's say) by true and false, respectively; and then it goes to a new state where it is
prepared to do the same again. In this spec, init is the initial state, in(init) is the state after
one coin, in(in(init)) is the state after two coins, etc., while out(init) is what you get after
the rst coin, out(in(init)) after the second, etc.
th VCT is sort St .
pr DATA .
op in : St -> St .
op out : St -> Bool .
endth
As before, it is easy to restrict behavior by adding equations like
cq out(in(in(S)) = not out(S) if out(S) == out(in(S)).
which says you can't get the same substance three times in a row. It is interesting to look at
the nal algebra, let's denote it F , for the signature without the constant init: according to our
`magic formula', it consists (up to isomorphism) of all innite Boolean sequences | i.e., it is the
algebra of (what are called) traces in traditional concurrency theory. Since there is a unique hidden
homomorphism M ! F for any model M of VCT, the image of init under this map characterizes
the behavior of M . This simple and elegant situation holds in general for hidden algebraic models
of nondeterministic concurrent systems.
3.4 Derived Operations
A derived operation is one that can be dened in terms of other operations; intuitively, it can be
eliminated; it is convenient but not necessary. However, derived operations can sometimes get in
the way. For example, in showing ' is a hidden -congruence, we want to ignore the derived
operations in . This is justied by a result saying that given , if 0 consists of the
non-derived operations in , then ' is a hidden -congruence i it is a hidden 0 -congruence.
This simplies hidden congruence proofs.
The most dicult part of making this precise is to dene what derived operations are. The
easiest way to do this involves a little category theory:
Denition 42: Let (; E ) be a hidden theory and let (0; E 0 ) (; E ) be a subtheory. Let A
and A0 be the categories of models of (; E ) and (0 ; E 0 ), respectively, and let U : A ! A0 be
the forgetful functor. Then the operations in ? 0 are all derived i there exists an inverse F
to U (so that both are isomorphisms). In this case, we say that (0 ; E 0 ) (; E ) is a deriving
extension. 2
This long sought general denition of derived operation applies beyond equational logics to any
institution whose signatures are an inclusive category. We can now state the following generalization
of the result informally sketched in the rst paragraph of this subsection:
25
Proposition 43: Given a deriving extension (0; E 0 ) (; E ), then a relation is a hidden 0-
congruence i it is a hidden -congruence.
Proof: Note that the functors U and F do not change the underlying sets of models. Therefore,
a relation R is a hidden 0 -congruence i the equivalence classes of R give a (0 ; E 0 )-model, i
(by applying F to this model) these equivalence classes give a (; E )-model, i.e., i R is a hidden
-congruence. 2
Let's illustrate this on the method rev of Example 28. If rev is derived, then the third reduction
in that example is unnecessary. Recall that the equation dening rev is
eq up? rev F = not up? F .
It is not obvious from this that
equations to dene rev:
rev
is derived, so instead we use the following two conditional
cq rev F = dn F if up? F .
cq rev F = up F if not up? F .
These two equations are behaviorally equivalent to the single equation, in the sense that the two
theories dene exactly the same model categories: it is not hard to see that a hidden algebra A
satises the single equation i it behaviorally satises the two conditional equations. Now dene
the functor F : A0 ! A to add to an A0 -model the unique operation rev dened by the above two
equations; now it is easy to see that this F is inverse to U , and hence is an isomorphism (and thus
also a left adjoint). Thus, rev is derived. Eliminating one reduction from Example 3 is not worth
the eort involved in this proof, but there certainly are other cases where such a proof would be
worth the trouble, and the proof technique is of some interest in itself.
Note that in general there is no maximal deriving extension. It is quite possible for a signature
to have many dierent subsignatures of derived operations. For example, we have just shown that
rev can be dened in terms of up and dn; however, we can also derive both up and dn from rev
alone, using the following conditional equations:
cq
cq
cq
cq
up
up
dn
dn
F
F
F
F
=
=
=
=
F
if up?
rev F if not
rev F if up?
F
if not
F .
up? F .
F .
up? F .
3.5 Bisimulation and Transition Systems
This section considers the relationship between hidden theories and certain classes of labeled transition systems: we show that models of anemic hidden theories correspond to labeled transition
systems that have been given an additional structure to handle attributes. It follows that bisimulation proofs are anemic coinduction proofs.
Traditional state transition systems (and process algebras) consider systems with a single global
state and just one kind of data; hence they correspond to specializing our hidden paradigm to just
one hidden sort, say h, and just one visible sort, say v; thus we may write D for Dv . But to
capture the traditional notion, we must discard even more algebraic structure: because only unary
operations are allowed, we must replace each operation 2 h w;s by a collection of operations d 2
h;s, one for each d 2 Dw (i.e., we must x each visible sorted argument, which is possible because
D [];v [];v); nally we must also forget the algebraic structure on D. This impoverishment
means that structural facts like pop push(X,S) = S cannot be expressed, and hence cannot play
the useful role in verication that they should. However, impoverishing hidden algebra isn't enough:
we must also enrich the traditional transition system with additional structure to handle attributes.
26
Denition 44: An anemic signature is a hidden signature with no hidden constants and with
just two sorts, h hidden and v visible, such that each operation has at most one argument, and
that argument is hidden21.
Given an anemic signature , a -transition system is a triple (N; ; ), where N is a set
(of states), : N h;h ! N is a state transition function, and is an output function
N ! [C [z]v ! D].
A morphism of -transition systems, h : (N; ; ) ! (N 0 ; 0 ; 0 ), is a function h : N ! N 0
such that = h; 0 and h((n; )) = 0 (h(n); ). 2
In traditional transition systems, what is visible is essentially the sequence of transitions, called
a trace (more precisely, a trace is a sequence of transition labels). Attributes are not explicit,
and are considered inferable from traces. For example, in a cookie vending transition system, the
number of cookies left in the machine is calculated from the number of give-cookie transitions
in the trace. Our denition of transition system diers from the traditional in having an output
function that gives attributes for states. Our denition also diers in that transitions are total and
deterministic : in any state n, a transition leads to precisely one new state, namely (n; ). This
is no problem, as we have already shown that hidden nondeterminism is at least as powerful and
elegant as standard approaches.
Given an anemic signature and a -algebra A, we get a -transition system (NA ; A ; A ),
where NA = Ah , A (a; ) = A (a), and A is the unique homomorphism to the nal -algebra
F . Also, any hidden -homomorphism h : A ! A0 gives a morphism of -transition systems
h : (NA ; A ; A ) ! (NA0 ; A0 ; A0 ). Moreover, every -transition system (N; ; ) gives rise to a
hidden -algebra N , where (N )h = N , and for methods 2 h;h we dene (N ) (n) = (n; ),
and for attributes 2 h;v we dene (N ) (n) = (n)((z )). It is straightforward to show that
this denes a one-to-one correspondence between hidden -algebras and -transition systems.
Every anemic signature has a nal -transition system, namely FT = (F;h ; ; 1), where 1
is the identity function on F;h and (f; )(c) = f (c[(z )]), i.e., (f; ) = (F ) (f ). The unique
-transition morphism from (N; ; ) to the nal -transition system is . Finality of FT gives
rise to the traditional bisimilarity relation for transition systems, in the same way that nality of
F gives rise to the behavioral equivalence relation on hidden algebras:
Denition 45: Given an anemic signature , a bisimulation on a -transition system (N; ; )
is a relation B N N such that for all (n1 ; n2 ) 2 B :
2
1. (n1 ) = (n2 ) .
2. ((n1 ; ); (n2 ; )) 2 B for all 2 h;h .
The rst condition says bisimulations are coherent with respect to observations given by ; the
second is the standard bisimulation condition for deterministic transition systems.
Example 46: Let be the signature of FLAG as in Example 28. Then one -transition system
is (ftrue; falseg; ; ), where (b; up) = true, (b; dn) = false, (b; rev) = not (b), and where is
dened recursively on contexts as follows:
(b)(up?(z)) = b
(b)(c[up(z)]) = (true)(c)
(b)(c[dn(z)]) = (false)(c)
(b)(c[rev(z)]) = (not (b))(c) :
21 It follows
that contains only constants, i.e., [] = D and ;v
27
w;s
= ; otherwise.
If we dene B = f(b1 ; b2 ) j (b1 )(up?(z )) = (b2 )(up?(z ))g, then B is a bisimulation. Note that
in the hidden -algebra corresponding to this transition system, (b)(up?(z )) corresponds to the
attribute up? in the state b. Example 28 shows that two states of FLAG-models are behaviorally
equivalent i they have the same up?-values; the relation ' of that example corresponds to the
bisimulation B here, and the proof that ' is a hidden congruence shows that B is indeed a bisimulation. 2
The two conditions in Denition 45 state that a bisimulation is a -congruence; in particular,
the rst condition ensures that we can extend a bisimulation to an S -sorted relation that is the
identity on visible sorts. This means that every bisimulation on a -transition system gives rise to a
hidden congruence on the corresponding hidden algebra, and conversely, any hidden congruence on
a hidden algebra gives rise to a bisimulation on the corresponding -transition system. Many results
concerning hidden congruences translate across this correspondence to give results about bisimulations. In the standard terminology, two states are called bisimilar i they are related by some
bisimulation; in other words, bisimilarity is a maximal bisimulation, just as behavioral equivalence
is a maximal hidden congruence. Indeed, we can show that two states of a -transition system are
bisimilar i they are behaviorally equivalent in the transition system viewed as a hidden -algebra.
Moreover, bisimilarity arises from morphisms to the nal transition system in the same way that
behavioral equivalence arises from homomorphisms to the nal -algebra (cf. Proposition 41):
Proposition 47: Given an anemic signature and a -transition system A, two states of A are
bisimilar i the unique morphism to the nal transition system (i.e., the nal algebra) maps those
states to the same element. 2
In other words, for a -transition system (N; ; ), two states n and n0 are bisimilar i (n) = (n0 ).
This is another way of looking at coinduction: two states of a transition system are bisimilar i
those states are behaviorally equivalent in the transition system viewed as an algebra of a hidden
signature (cf. Theorem 41). More details on transition systems and hidden algebras will appear
elsewhere [76].
It is possible to relate hidden algebras and nondeterministic transition systems via an adjunction . This says that for every nondeterministic transistion system, there is a `best' hidden
algebra with the given behaviour, and vice-versa. Nondeterministic -transition systems are like
-transition systems (N; ; ), except returns sets of states, i.e., each method is interpreted as an
action that gives a nondeterministic choice of result states, or possibly no result state if returns
the empty set. All -transition systems are nondeterministic systems, if we think of as always
returning a singleton set, so any hidden algebra gives a nondeterministic -transition system, as
above. To construct a hidden algebra from a nondeterministic transition system, note that hidden
contexts (i.e., sequences of methods) form a transition system where takes a context c and a
method in and returns the singleton set f(c)g. For any nondeterministic -transition system (N; ; ), we construct a hidden algebra whose carrier set is the set of functions from hidden
contexts to N that preserve transitions, i.e., the set of functions f such that for all contexts c and
methods , we have f ((c)) 2 (f (c); ). This algebra interprets a method as mapping a function
f to the function c 7! f ((c)) for hidden contexts c. Transition preserving functions from contexts
to N correspond to deterministic `paths' through the nondeterministic transition system, so the
hidden algebra we have constructed can be thought of as the largest deterministic subsystem of
(N; ; ).
To summarize, our main points have been that: (1) hidden algebra generalizes traditional
transition systems to nonanemic signatures, capturing additional algebraic structure of methods,
28
attributes and states; (2) bisimulation is the anemic special case of hidden coinduction; (3) the
extra structure of hidden algebra makes verication easier; and (4) hidden nondeterminism is more
graceful than that of traditional transition systems.
4 Renement
The simplest view of renement assumes a specication (; E ) and an implementation A, and asks
if A j E ; the generalization to behavioral satisfaction is signicant here, as it allows us to treat
many subtle implementation tricks that only `act as if' correct, e.g., data structure overwriting,
abstract machine interpretation, and much more.
Unfortunately, trying to prove A j E directly dumps us into the semantic swamp described
in the introduction. To rise above this, we work with a specication E 0 for A, rather than an actual
model22 . This not only makes the proof far easier, but also has the advantage that the proof will
apply to any other model A0 that satises E 0 . Hence, what we prove is E 0 j E ; in semantic terms,
this means that any A satisfying E 0 also satises E , but very signicantly, it also means that we
can use hidden coinduction to do the proof. The remarks immediately preceding Section 3.1 about
how an inductive denition of the congruence relation of a coinductive proof aects the models
that it applies to are also relevant to coinductive renement proofs.
Renement is consistent with a view of software development as a series of design decisions
giving a series of specications that are progressively more rened and closer to actual code23 . In
this view, the more abstract specications allow more `implementation freedom,' while the more
concrete specications tend to have larger signatures and/or more dened terms; this is illustrated
in the following.
Exercise 48: Show that each of C1, C2, C3 below renes A1, and discuss how these renements can
be seen as reducing nondeterminism (c.f. the discussion in Section 2.3). The abstract specication
A1 says that objects have two natural number valued attributes, the rst of which is less than the
second:
th A1 is sort State .
pr DATA .
ops a b : State -> Nat .
var S : State .
eq a(S) < b(S) = true .
endth
The proofs that the following rene A1 need a richer theory of NAT than that in Section 2.1,
including a denition for addition and some simple lemmas about how it relates to inequality. We
have concealed24 these lemmas, so that our readers may have the pleasure of discovering them from
22 Some may object that this maneuver isolates us from the actual code used to dene operations in A, preventing
us from verifying that code. However, we contend that this isolation is actually an advantage. Empirical studies
show that little of the diculty of software development lies in the code itself (only about 5% [9]); much more of
the diculty lies in specication and design, and our approach addresses these directly, without assuming the heavy
burden of a messy programming language semantics. But of course we can use algebraic semantics to verify code if
we wish, as extensively illustrated in [45]. Thus we have achieved a signicant separation of concerns.
23 Empirical studies show that this view of software development is naive; real development projects involve many
false starts, redesigns, prototypes, patches, etc. [13]. Nevertheless, the idealized view is still useful as a way to organize
and document verication eorts, often retrospectively.
24 They are in the source le for this paper, so that OBJ3 can read them to do the proofs, but to LAT X they are
E
invisible comments.
29
the results of the reductions without the lemmas, as this is such an important and productive part
of the verication process.
th C1 is sort State .
pr DATA .
ops a b : State -> Nat .
var S : State .
eq b(S) = s a(S) .
endth
The above satises the constraint in A1 by letting the value of b be one more than that of a. In
the next module, b can be any value greater than a:
th C2 is sort State .
pr DATA .
ops a b c : State -> Nat .
var S : State .
eq b(S) = a(S) + s c(S) .
endth
In the following module, b must be at least three more than a:
th C3 is sort State .
pr DATA .
ops a b c : State -> Nat .
var S : State .
eq b(S) = a(S) + c(S) .
eq s s 0 < c(S) = true .
endth
(Hint: Our proof uses a Skolem function.) Readers who want to try more proofs could determine
which of the three concrete theories above are renements of others. 2
4.1 Stack as Pointer plus Array
We now give a more substantive illustration of renement, showing correctness of the familiar
array-with-pointer implementation of stack.
Example 49: We have to prove that the equations in the STACK specication of Example 19 are
behavioral consequences of a specication for pairs of an array state and a pointer, enriched with
the stack operations. Let be the signature of STACK with E its equations, and let be the
signature of the implementation with E 0 its equations. , because the stack operations are
dened in the implementation. We will show E 0 j E , which means that every appropriate model
of the implementation gives rise to a model of STACK after forgetting the operations in but not
in (the subscript on E 0 j E means that behavioral satisfaction of E will be in terms of
-contexts). Our proof uses hidden coinduction, without considering models at all, although our
inductive denition of the candidate relation does eect the set of models to which it applies.
We represent the pointer by the state of a cell containing a natural number. A stack of depth
n has n in this cell, and has its n elements in places 0; :::; n ? 1 of the array. Instead of using the
`helper' results in Section 2.2, we apply Theorem 27 directly. The line `pr ARR' means that the
models of PTR||ARR should include all and only the models of ARR, and in particular, that they
have the same data algebra as ARR, namely DATA.
30
th PTR||ARR is sort Stack .
pr ARR .
op _||_ : Nat Arr -> Stack [prec 10].
op empty : -> Stack .
op push : Nat Stack -> Stack .
op top_ : Stack -> Nat .
op pop_ : Stack -> Stack .
var I N : Nat . var A : Arr .
eq empty = 0 || nil .
eq push(N, I || A) = s I || put(N,I,A) .
eq top s I || A = A[I] .
eq top 0 || A = 0 .
eq pop s I || A = I || A .
eq pop 0 || A = 0 || A .
endth
th LEMMA is pr PTR||ARR .
vars I I1 I2 : Nat . vars A A1 A2 : Arr .
cq I1 || put(I,I2,A) = I1 || A if not I2 < I1 .
endth
***> relation + new constants used for quantifier elimination
th R is pr PTR||ARR .
op _R_ : Stack Stack -> Bool .
op _R_ : Nat
Nat
-> Bool .
vars I I1 I2 : Nat . vars A A1 A2 : Arr .
eq I1 R I2 = I1 == I2 .
eq (0 || A1) R (I || A2) = I == 0 .
eq (I || A) R (I || A) = true .
eq (s I1 || A1) R (s I2 || A2) = I1 == I2 and A1[I1] == A2[I1] and
(I1 || A1) R (I2 || A2) .
ops n i j i1 i2 : -> Nat .
ops a a1 a2
: -> Arr .
endth
***> first show R a congruence using case analysis: i1=0 or i1=s(j):
open R + LEMMA .
eq i1 = 0 .
***> then expanding i1 || a1 R i2 || a2 gives
eq i2 = 0 .
***> now check the congruence equations:
red top(i1 || a1) R top(i2 || a2) .
red pop(i1 || a1) R pop(i2 || a2) .
red push(n, i1 || a1) R push(n, i2 || a2) .
close
open R + LEMMA .
eq i1 = s j .
31
***> then expanding i1 || a1 R i2 || a2 gives the 3 equations below:
eq i2 = s j .
eq a2[j] = a1[j] .
eq j || a1 R j || a2 = true .
***> now check the congruence equations:
red top(i1 || a1) R top(i2 || a2) .
red pop(i1 || a1) R pop(i2 || a2) .
red push(n, i1 || a1) R push(n, i2 || a2) .
close
***> finally check the stack equations:
red pop empty R empty .
red top push(n, i || a) R n .
red pop push(n, i || a) R i || a .
All reductions give true. We believe this proof is about as simple as possible. Indeed, most of the
text is specications; the proof itself is just 27 lines (not counting open/close commands, variable
declarations or comments, but including the proof of the lemma). OBJ3 does all the boring work
in executing the 11 red commands, for a total of 120 rewrites. Formally, the congruence proofs use
quantier elimination, case analysis on i1, implication elimination, relation expansion, conjunction
elimination, and nally reduction, where relation expansion makes explicit some consequences of R
being true on a pair of terms.
Now we prove the lemma used above, which just says that values in the array that lie above
the pointer do not matter:
cq I || put(N,J,A) = I || A if not J < I ,
by proving
cq I || put(N,J,A)
R
I || A = true if not J < I
with the following:
open R .
***> base case:
red 0 || put(n,j,a) R 0 || a .
***> induction step:
eq not j < s i = true .
eq i || put(n,j,a) R i || a = true .
red s i || put(n,j,a) R s i || a .
close
The reader can visit this proof on the world wide web, execute the OBJ proof score on a remote
OBJ3 sever, and follow links to explanation pages attached to proof pages, and to background
information. The url for the proofsite homepage is http://lex.ucsd.edu/links.
Two points about this proof need further consideration. The rst is that the lemma is used
in proving that R is a congruence, and the proof of that lemma appears to rely upon R being a
congruence; we treat this point in an exercise below, because the technique involved is useful for
other problems. The second point is that the inductive denition of the congruence R implies that
this proof only applies to states in models of the concrete specication that are reachable using
that induction scheme (see the discussion just before Section 3.1). In particular, the proof that R
is a congruence assumes that all stacks are of the form I || A. Therefore our proof only applies to
states that are reachable by the _||_ operation. Of course, we could add operations
32
op getPointer : Stack -> Nat .
op getArray
: Stack -> Array .
together with appropriate equations in order that all models of the concrete theory be reachable.
Another possibility would be to use a dierent candidate relation, say
S1 R S2
=
top S1 == top S2
and
(pop S1) R (pop S2) .
This relation would of course require a dierent correctness proof [43].
It is also worth noting that although this specication has two hidden sorts, but we are mainly
interested in one of them, namely Stack; both sorts have visible-valued operations, but only the
Stack sort's (single) visible-valued operation (namely top) is an attribute. Some subtle points
regarding our use of OBJ3's builtin equality relation == are discussed in Section 1.1 of [45]. 2
Exercise 50: Show that the use of the lemma in the congruence proof is not circular, because its
use there depends only on R being transitive and symmetric, not on its being a congruence. Hint :
show that the proof of the lemma, together with transitivity and symmetry, justify the following:
2
var I1 I2 I : Nat . var A : Arr . var S : Stack .
cq I1 || put(I,I2,A) R S = S R I1 || A if not I2 < I1 .
This proof was fairly straightforward to construct, except for the lemma. However, our style of
using OBJ greatly facilitated even this, by producing an expression that suggested lemma; this is
typical of our experience with OBJ proof scores [32, 45, 37].
Notice that in this implementation the term top empty is given the concrete value 0; however,
it could have been given any other value, for example, by adding one of the equations
eq top 0 || A = s 0 .
eq top 0 || A = A[0] .
In fact, the above proof does not require any particular value to be specied; all that is necessary
in order to prove that R is a congruence is that all empty stacks (i.e., all stacks whose pointer is 0)
should give the same value for top. Thus, we might have added one of the equations
eq top 0 || A = top 0 || nil .
eq top 0 || A1 = top 0 || A2 .
although the latter is not a rewrite rule because of the free variable in the right side. A fully satisfactory treatment of stacks requires order sorted algebra, and would also allow a more satisfactory
proof of renement, because it would allow us to disregard values of top and pop on empty stacks,
so that the value of top empty could be left unspecied.
Exercise 51: Specify sets and lists and, by verifying an appropriate renement, show that sets
can be implemented with lists. 2
A more sophisticated view of renement [48, 89, 67, 81] allows the concrete implementation to
rename or even identify some of the abstract sorts and operations, thus giving rise to a hidden
signature map from the abstract to the concrete signature:
Denition 52: A hidden signature map ' : (H; ) ! (H 0 ; 0) is a signature morphism
' : ! 0 that preserves hidden sorts and is the identity on (V; ). A hidden signature map
' : ! 0 is a renement ' : (; E ) ! (0; E 0 ) i 'A0 j E for every (0; E 0 )-algebra A0 . 2
33
(In the above, 'A0 denotes 0 A viewed as a -algebra.) It can be shown that ' is a renement if all
visible consequences of the abstract specication hold in the concrete specication [75]:
Proposition 53: A hidden signature map ' : (; E ) ! (0 ; E 0 ) is a renement if E 0 j= '(c[e])
for each e 2 E and each visible -context c, where if e is the equation (8X ) t = t0 , then c[e] denotes
the equation (8X ) c[t] = c[t0 ]. 2
The following consequence of Corollary 29 justies the use of hidden coinduction for proving
correctness of renements; some examples appear in [75].
Proposition 54: A hidden signature map ' : (; E ) ! (0 ; E 0 ) is a renement if = ? + + ,
all operations in (?) preserve () , and E 0 j= '(c[e]) for each e 2 E and all visible -contexts
c. 2
We write (?) for the subsignature of 0 whose operations are of the form ( ) for in ?. Correctness proofs for renements involve showing that the concrete specication has the desired behaviour,
and generally make use of the concrete equations. The proposition above says that a renement
can be proved correct using the concrete equations to verify both the congruence property of ()
and the satisfaction of the equations '(c[e]).
4.2 Model Based Renement
Early studies of renement were model oriented [68], considering renement a relationship between
two models, one `abstract' and the other `concrete.' Then it makes sense to map from concrete
variables to the abstract objects they represent. However, the (often) complex representations
of the concrete program, and the (usually) complex semantics of the programming language in
which it is expressed introduce gratuitous diculties into such proofs. Our approach to renement
simplies the rst diculty by considering theories for both the concrete and the abstract levels,
while the complexity of the programming language semantics becomes a completely separate issue.
In particular, our more abstract denition of renement for specications allows stepwise renement
to begin before choosing concrete representations for variables; such a choice corresponds to xing
a model, and it is good engineering practice to delay such a commitment as long as possible.
For us, a representation is correct if it is a model of the concrete theory, and showing this should
be much easier than showing that it satises the abstract specication, because the representations
will be much closer. The perhaps initially mysterious fact that mappings go in opposite directions
for specications and for models is explained at a higher level of abstraction by the theory of
institutions [39], which shows that in logics satisfying certain mild assumptions, it is natural that
the maps induced by a signature morphism on models and on theories should go in opposite
directions. Hence, the duality between model based and theory based renement is very natural.
Finally, note that hidden algebra allows subtle changes of representation to be proved correct
much more easily; indeed, our primary motivation is always to make correctness proofs just as easy
as possible.
5 Concurrent Connection
Concurrency is an essential part of the object paradigm, and is natural to hidden algebra, in that
no order of execution is specied by hidden theories; in particular, concurrent execution is legal
whenever it is possible. This section describes an elegant construction of composite systems from
components using the concurrent connection (a weaker version of this construction was called the
independent sum when rst introduced in [41]). As motivation, consider the following:
34
Example 55: Recall the specication X of an integer cell X in Example 8, and dene another
integer cell, Y , by everywhere replacing X and x with Y and y, respectively. Then the concurrent
connection of X and Y should have a specication X k Y with a single hidden sort, where the
operations of X and Y have the same semantics as before, such that operations in X and Y do not
interfere with each other. Thus X k Y should be the union of the specications X and Y , with
their sorts identied, and with some new equations to express the noninterference of X and Y , as
follows:
th XY is sort State .
pr DATA .
ops putx puty : Nat
ops (getx_) (gety_)
var S : State .
vars M N : Nat .
eq getx putx(N,S) =
eq gety puty(N,S) =
eq getx puty(N,S) =
eq gety putx(N,S) =
endth
State -> State .
: State -> Nat .
N .
N .
getx S .
gety S .
The last two equations express the noninterference of X and Y . 2
Exercise 56: Prove that the equation
eq putx(M,puty(N,S)) = puty(N,putx(M,S)) .
is a behavioral consequence of theory XY in Example 55. (A solution appears Appendix B.) 2
We now give a generalization and universal characterization of the above construction to any
pair of specications (it extends to any set of specications):
Denition 57: A synchronization of specications P1; P2 with just one hidden sort is a specication P with renements '1 : P ! P1 ; '2 : P ! P2 , where P is called the shared part, and
a connection of a synchronization '1 ; '2 is a specication Q with renements i : Pi ! Q such
that
Q j (8X )(8Y )(8S ) i(ai )(X; j (mj )(Y; S )) = i(ai )(X; S ) ,
Q j (8X )(8Y )(8S ) i(mi )(X; j (mj )(Y; S )) = j (mj )(Y; i (mi)(X; S )) , and
'1 ; 1 = '2 ; 2 ,
for i = 1; 2, where S is an h-sorted variable, mk is a method and ak is an attribute of Pk , such
that none of these symbols lie in the image of 'k . We call an initial connection the concurrent
connection, if there is one. 2
In practice, we can avoid these commutativity equations by representing states as ordered tuples,
as in Example 49; this is possible because we do not mix messages into the same `soup' as objects.
Intuitively, the concurrent connection is `the best' among all specications with noninterfering
insertions for the Pi . Although the components Pi must have just one hidden sort, the candidate connections Q need not have this property. However, the proof of the result below (slightly
generalizing the proof in [41]) shows that it does have just one hidden sort.
35
Theorem 58: Every synchronization '1 : P ! P1 ; '2 : P ! P2 has a concurrent connection.
Proof: The concurrent connection Q has the signature obtained by combining the signatures of P1
and P2 , identifying those parts that come from the shared part P . This gives signature morphisms
i : P ! Q with '1 ; 1 = '2 ; 2 . The equations of Q are i (E1 ) [ 2 (E2 ) [ I' , where I'
represents the noninterference axioms of Denition 57, and where we recall that
Ei = fc[e] j e 2 Ei ; c 2 C [z]v g :
It is straightforward to check that this is an initial connection [14]. 2
Thus the specication XY of Example 55 is the concurrent connection of X and Y synchronized over
the sort State, where the shared part P might (for example) be
i
i
th STATE is sort State .
pr DATA .
endth
where DATA contains at least NAT and the Booleans.
The proof of the theorem above shows that in general, concurrent connections have an innite
number of equations. However, in many cases a nite number suces; for example, if = +?+,
where consists of visible operations, and is preserved by ?, as in Proposition 32.
We can prove that a concurrent system is free from deadlock by proving that it is consistent; this
is because deadlock means that the equations expressing synchronization do not have a solution.
Hidden coinduction can be used to verify properties of systems built by concurrent connection,
as in the concurrent connection of an array and a pointer implementing a stack in Example 49.
Communication protocols provide many further examples where correctness proofs are desirable.
For example, we might have an abstract specication of a persistent buer which ignores incoming
values when it is full. Its specication would include an equation like
cq in(S,V) = S
if full(S) .
where in is the method that sends an input to the buer. This kind of buer can be implemented
by the concurrent connection of a buer that always accepts incoming values (possibly overwriting
values if it is full) and a `gatekeeper' object that only allowing incoming values when the buer is not
full; hidden coinduction gives an elegant correctness proof. Some examples of hidden correctness
proofs for asynchronous communication protocols are given in [94].
The concurrent connection of two objects without synchronization is their coproduct in the
category having appropriate specications as objects and certain renements as morphisms; more
generally, Corina C^rstea has shown that concurrent connection with synchronization is colimit in
this category [14].
Finally, we emphasize that the denition of concurrent connection in this section is not really
suitable for proofs, but instead provides an abstract characterization of the intended semantics.
For proving behavioral properties, the ordered tuple approach used in Example 49 is much better,
because it avoids the extra complication of the commutativity equations.
6 Conclusions and Futures
The hidden agenda disclosed here is very ambitious, but we hope to have given evidence that it is
feasible to meet its goals, and indeed that much of the necessary groundwork has already been done.
We would agree it is surprising that the hidden approach is both more general and more eective
(in regard to proofs) than the traditional process algebra and transition system approaches, but
36
it really does seem that the `simplications' introduced by these approaches actually make many
proofs more dicult. It is perhaps even more surprising that while we initially focused on the object
paradigm, we could not avoid the constraint, logic, and concurrent paradigms, nor nondeterminism
and innite data values. Moreover, by using the module system of parameterized programming, we
obtain the power of higher order functional programming in a simple rst order setting. Of course,
much work remains to meet the challenge set by the applications and mechanical support of the
more established approaches.
We are experimenting with ways to organize hidden proofs as active websites, using html, Java,
JavaScript, etc., and a website editor called Kumo [55, 54], which provides direct support for hidden
coinduction and automatically generates an entire website for a proof, including executable OBJ3
proof scores, links to background material, and to explanation pages. We intend to link this tool to
decision methods for special domains beyond canonical term rewriting theories, such as Presburger
arithmetic. Traceability is very important when constructing complex new proofs, and we intend
to explore use of the toor hypermedia tool [83] for this purpose. We have already done one rather
substantial hidden proof, namely the correctness of an optimizing compiler for OBJ3, based on an
abstract term rewriting machine [66, 65], and several smaller examples are on the web, including
the stack example of Section 4.
This paper has restricted attention to hidden many sorted algebra. The extension to hidden
order sorted algebra is not really dicult, but it cannot be trivial, since it covers nonterminating
systems, partial recursive functions, multiple inheritance, error denition and handling, coercion,
overwriting, multiple representation, and more; many details appear in [75], but there is still more
work to be done. We also wish to further explore connections with other approaches, including
coalgebra and concurrent logic programming; it would be interesting to nd morphisms between
the relevant institutions, generalizing the adjunctions of Winskel [96].
We feel that hidden algebra is a natural next step in the evolution of algebraic specication,
carrying forward the intentions of its founders in a simple and elegant way to the realities of modern
software. Initial algebra semantics still works for data values, but now we can also handle systems
of objects (abstract machines), concurrency, constraints, streams, existential queries, and more; we
wish to further explore this potent combination of paradigms, and apply it to further problems of
real practical value.
References
[1] Samson Abramsky. Interaction categories and communicating sequential processes. In A. William
Roscoe, editor, A Classical Mind: Essays in Honour of C.A.R. Hoare, pages 1{15. Prentice Hall, 1994.
[2] Peter Aczel and Nax Mendler. A nal coalgebra theorem. In D.H. Pitt et al., editor, Category Theory
and Computer Science. Springer, 1989. Lecture Notes in Computer Science, Volume 389.
[3] Jiri Adamek. Observability and Nerode equivalence in concrete categories. In Ferenc Gecseg, editor,
Fundamentals of Computation Theory. Springer-Verlag Lecture Notes in Computer Science 117, 1981.
[4] Pierre America, Jaco de Bakker, Joost Kok, and Jan Rutten. Denotational semantics of a parallel
object-oriented language. Information and Computation, 83(2):152{205, 1990.
[5] Jan Baeten and W.P. Weijland. Process Algebra. Cambridge, 1990. Cambridge Tracts in Theoretical
Computer Science, Volume 18.
[6] Michael Barr. Terminal coalgebras in well-founded set theory. Theoretical Computer Science, 114:299{
315, 1993.
[7] Michel Bidoit, Rolf Hennicker, and Martin Wirsing. Behavioural and abstractor specications. Science
of Computer Programming, to appear, 1996.
37
[8] Garrett Birkho. On teh structure of abstract algebras. proceedings of the Cambridge Philosphical
Society , 31:433{454, 1935.
[9] Barry Boehm. Software Engineering Economics. Prentice-Hall, 1981.
[10] Rod Burstall. Programming with modules as typed functional programming. Proceedings, International
Conference on Fifth Generation Computing Systems, 1985.
[11] Rod Burstall and Razvan Diaconescu. Hiding and behaviour: an institutional approach. In A. William
Roscoe, editor, A Classical Mind: Essays in Honour of C.A.R. Hoare, pages 75{92. Prentice Hall, 1994.
[12] Rod Burstall and Joseph Goguen. Putting theories together to make specications. In Raj Reddy,
editor, Proceedings, Fifth International Joint Conference on Articial Intelligence, pages 1045{1058.
Department of Computer Science, Carnegie-Mellon University, 1977.
[13] Graham Button and Wes Sharrock. Occasioned practises in the work of implementing development
methodologies. In Marina Jirotka and Joseph Goguen, editors, Requirements Engineering: Social and
Technical Issues, pages 217{240. Academic, 1994.
[14] Corina C^rstea. A Semantic Study of the Object Paradigm. Transfer thesis, Programming Research
Group, Oxford University, 1996.
[15] Corina C^rstea. Coalgebra semantics for hidden algebra: parameterized objects and inheritance. Paper
presented at the 12th Workshop on Algebraic Development Techniques, June 1997.
[16] Razvan Diaconescu. The logic of Horn clauses is equational. Technical Report PRG-TR-3-93, Programming Research Group, University of Oxford, 1993. Written in 1990.
[17] Razvan Diaconescu. Category-based Semantics for Equational and Constraint Logic Programming. PhD
thesis, Programming Research Group, Oxford University, 1994.
[18] Razvan Diaconescu. A category-based equational logic semantics to constraint programming. In Magne
Haveraaen, Olaf Owe, and Ole-Johan Dahl, editors, Recent Trends in Data Type Specication, Lecture
Notes in Computer Science, pages 200{222. Springer, 1996.
[19] Razvan Diaconescu. Foundations of behavioural specication in rewriting logic. In Proceedings, First
International Workshop on Rewriting Logic and its Applications. Asilomar, California, September 1996.
North-Holland, to appear 1996.
[20] Razvan Diaconescu, Joseph Goguen, and Petros Stefaneas. Logical support for modularisation. In
Gerard Huet and Gordon Plotkin, editors, Logical Environments, pages 83{130. Cambridge, 1993. Proceedings of a Workshop held in Edinburgh, Scotland, May 1991.
[21] Hartmut Ehrig, Hans-Jorg Kreowski, Bernd Mahr, and Peter Padawitz. Algebraic implementation of
abstract data types. Theoretical Computer Science, 20:209{263, 1983.
[22] Hartmut Ehrig, Fernando Orejas, Felix Cornelius, and Michael Baldamus. Abstract and behaviour
module specications. Technical Report 93{25, Technische Universitat Berlin, 1993.
[23] Samuel Eilenberg and Jesse Wright. Automata in general algebras. Information and Control, 11:452{
470, 1967.
[24] Marie-Claude Gaudel and Igor Privara. Context induction: an exercise. Technical Report 687, LRI,
Universite de Paris-Sud, 1991.
[25] V. Giarrantana, F. Gimona, and Ugo Montanari. Observability concepts in abstract data specications.
In Proceedings, Conference on Mathematical Foundations of Computer Science. Springer-Verlag, 1976.
Lecture Notes in Computer Science, Volume 45.
[26] Joseph Goguen. Semantics of computation. In Ernest G. Manes, editor, Proceedings, First International
Symposium on Category Theory Applied to Computation and Control, pages 151{163. Springer, 1975.
Lecture Notes in Computer Science, Volume 25; also in Proceedings, University of Massachusetts at
Amherst, 1974, pages 234{249.
38
[27] Joseph Goguen. Parameterized programming. Transactions on Software Engineering, SE{10(5):528{
543, September 1984.
[28] Joseph Goguen. Suggestions for using and organizing libraries in software development. In Steven Kartashev and Svetlana Kartashev, editors, Proceedings, First International Conference on Supercomputing
Systems, pages 349{360. IEEE Computer Society, 1985. Also in Supercomputing Systems, Steven and
Svetlana Kartashev, Eds., Elsevier, 1986.
[29] Joseph Goguen. Principles of parameterized programming. In Ted Biggersta and Alan Perlis, editors,
Software Reusability, Volume I: Concepts and Models, pages 159{225. Addison Wesley, 1989.
[30] Joseph Goguen. Higher-order functions considered unnecessary for higher-order programming. In David
Turner, editor, Research Topics in Functional Programming, pages 309{352. Addison Wesley, 1990.
University of Texas at Austin Year of Programming Series.
[31] Joseph Goguen. Hyperprogramming: A formal approach to software environments. In Proceedings,
Symposium on Formal Approaches to Software Environment Technology. Joint System Development
Corporation, Tokyo, Japan, January 1990.
[32] Joseph Goguen. Proving and rewriting. In Helene Kirchner and Wolfgang Wechler, editors, Proceedings,
Second International Conference on Algebraic and Logic Programming, pages 1{24. Springer, 1990.
Lecture Notes in Computer Science, Volume 463.
[33] Joseph Goguen. Types as theories. In George Michael Reed, Andrew William Roscoe, and Ralph F.
Wachter, editors, Topology and Category Theory in Computer Science, pages 357{390. Oxford, 1991.
Proceedings of a Conference held at Oxford, June 1989.
[34] Joseph Goguen. An approach to situated adaptive software. In Proceedings, International Workshop
on New Models of Software Architecture, pages 7{20. NEDO, 1993.
[35] Joseph Goguen. Requirements engineering as the reconciliation of social and technical issues. In Marina
Jirotka and Joseph Goguen, editors, Requirements Engineering: Social and Technical Issues, pages
165{200. Academic Press, 1994.
[36] Joseph Goguen. Parameterized programming and software architecture. In Proceedings, Reuse'96, pages
2{11. IEEE Computer Society, April 1996. Invited keynote address.
[37] Joseph Goguen. Theorem Proving and Algebra. MIT, to appear.
[38] Joseph Goguen and Rod Burstall. CAT, a system for the structured elaboration of correct programs
from structured specications. Technical Report CSL{118, SRI Computer Science Lab, October 1980.
[39] Joseph Goguen and Rod Burstall. Institutions: Abstract model theory for specication and programming. Journal of the Association for Computing Machinery, 39(1):95{146, January 1992.
[40] Joseph Goguen and Razvan Diaconescu. An Oxford survey of order sorted algebra. Mathematical
Structures in Computer Science, 4:363{392, 1994.
[41] Joseph Goguen and Razvan Diaconescu. Towards an algebraic semantics for the object paradigm. In
Hartmut Ehrig and Fernando Orejas, editors, Proceedings, Tenth Workshop on Abstract Data Types,
pages 1{29. Springer, 1994. Lecture Notes in Computer Science, Volume 785.
[42] Joseph Goguen and Razvan Diaconescu. An introduction to category-based equational logic. In V.S.
Alagar and Maurice Nivat, editors, Proceedings, AMAST 95, pages 91{126. Springer, 1995. Lecture
Notes in Computer Science, Volume 936.
[43] Joseph Goguen and Grant Malcolm. Proof of correctness of object representation. In A. William Roscoe,
editor, A Classical Mind: Essays in Honour of C.A.R. Hoare, pages 119{142. Prentice Hall, 1994.
[44] Joseph Goguen and Grant Malcolm. Situated adaptive software: beyond the object paradigm. In Proceedings, International Symposium on New Models of Software Architecture, pages 126{142. InformationTechnology Promotion Agency, 1995.
39
[45] Joseph Goguen and Grant Malcolm. Algebraic Semantics of Imperative Programs. MIT, 1996.
[46] Joseph Goguen and Grant Malcolm. More higher order programming in OBJ3. In Joseph Goguen
and Grant Malcolm, editors, Algebraic Specication with OBJ: An Introduction with Case Studies. To
appear.
[47] Joseph Goguen, Grant Malcolm, and Tom Kemp. A hidden Herbrand theorem, to appear.
[48] Joseph Goguen and Jose Meseguer. Universal realization, persistent interconnection and implementation
of abstract modules. In M. Nielsen and E.M. Schmidt, editors, Proceedings, 9th International Conference
on Automata, Languages and Programming, pages 265{281. Springer, 1982. Lecture Notes in Computer
Science, Volume 140.
[49] Joseph Goguen and Jose Meseguer. Eqlog: Equality, types, and generic modules for logic programming.
In Douglas DeGroot and Gary Lindstrom, editors, Logic Programming: Functions, Relations and Equations, pages 295{363. Prentice Hall, 1986. An earlier version appears in Journal of Logic Programming,
Volume 1, Number 2, pages 179{210, September 1984.
[50] Joseph Goguen and Jose Meseguer. Order-sorted algebra solves the constructor selector, multiple representation and coercion problems. In Proceedings, Second Symposium on Logic in Computer Science,
pages 18{29. IEEE Computer Society, 1987.
[51] Joseph Goguen and Jose Meseguer. Unifying functional, object-oriented and relational programming,
with logical semantics. In Bruce Shriver and Peter Wegner, editors, Research Directions in ObjectOriented Programming, pages 417{477. MIT, 1987.
[52] Joseph Goguen and Jose Meseguer. Order-sorted algebra I: Equational deduction for multiple inheritance, overloading, exceptions and partial operations. Theoretical Computer Science, 105(2):217{273,
1992. Drafts exists from as early as 1985.
[53] Joseph Goguen, Jose Meseguer, and David Plaisted. Programming with parameterized abstract objects
in OBJ. In Domenico Ferrari, Mario Bolognani, and Joseph Goguen, editors, Theory and Practice of
Software Technology, pages 163{193. North-Holland, 1983.
[54] Joseph Goguen, Akira Mori, Kai Lin, Girgore Rosu, and Akiyoshi Sato. Web-based Formal Methods
Tools. Submitted for publication, 1997.
[55] Joseph Goguen and Akira Mori. Semiotics, ProofWebs, and Distributed Cooperative Proving. To appear
in Proceedings, User Interfaces for Theorem Provers, Sophie-Antipolis, France, 1997.
[56] Joseph Goguen and Adolfo Socorro. Module composition and system design for the object paradigm.
Journal of Object Oriented Programming, 7(9):47{55, February 1995.
[57] Joseph Goguen, James Thatcher, and Eric Wagner. An initial algebra approach to the specication,
correctness and implementation of abstract data types. In Raymond Yeh, editor, Current Trends in
Programming Methodology, IV, pages 80{149. Prentice Hall, 1978.
[58] Joseph Goguen, James Thatcher, Eric Wagner, and Jesse Wright. Initial algebra semantics and continuous algebras. Journal of the Association for Computing Machinery, 24(1):68{95, January 1977.
[59] Joseph Goguen and Will Tracz. An implementation-oriented semantics for module composition, 1997.
Submitted for publication.
[60] Joseph Goguen, Timothy Winkler, Jose Meseguer, Kokichi Futatsugi, and Jean-Pierre Jouannaud.
Introducing OBJ. In Joseph Goguen and Grant Malcolm, editors, Algebraic Specication with OBJ: An
Introduction with Case Studies. To appear. Also Technical Report, SRI International.
[61] Andrew D. Gordon. Bisimilarity as a theory of functional programming. Electronic Notes in Theoretical
Computer Science, 1, 1995.
[62] John Guttag. The Specication and Application to Programming of Abstract Data Types. PhD thesis,
University of Toronto, 1975. Computer Science Department, Report CSRG{59.
40
[63] John Guttag. Abstract data types and the development of data structures. Communications of the
Association for Computing Machinery, 20:297{404, June 1977.
[64] Tatsuya Hagino. A typed lambda calculus with categorical type constructors. In D.H. Pitt, A. Poigne
and D.E. Rydeheard, editors, Category Theory and Computer Science , pages 140{157. Lecture Notes
in Computer Science, Volume 283. Springer, 1988.
[65] Lutz Hamel. Behavioural Verication and Implementation of an Optimizing Compiler for OBJ3. PhD
thesis, Oxford University Computing Lab, 1996.
[66] Lutz Hamel and Joseph Goguen. Towards a provably correct compiler for OBJ3. In Manuel
Hermenegildo and Jaan Penjam, editors, Proceedings, Conference on Programming Language Implementation and Logic Programming, pages 132{146. Springer, 1994. Lecture Notes in Computer Science,
Volume 844.
[67] Rolf Hennicker. Context induction: a proof principle for behavioural abstractions. In A. Miola, editor,
Proceedings, International Symposium on the Design and Implementation of Symbolic Computation
Systems, volume 429 of Lecture Notes in Computer Science, pages 101{110. Springer, 1990.
[68] C.A.R. Hoare. Proof of correctness of data representation. Acta Informatica, 1:271{281, 1972.
[69] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.
[70] Bart Jacobs. Mongruences and cofree coalgebras. In Maurice Nivat, editor, Algebraic Methodology and
Software Technology (AMAST95), pages 245{260. Springer, 1995. Lecture Notes in Computer Science,
Volume 936.
[71] Bart Jacobs. Objects and classes, coalgebraically. In B. Freitag, Cli Jones, C. Lengauer and H.-J.
Schek, editors, Object-Orientation with Parallelism and Persistence, pages 83{103. Kluwer, 1996.
[72] Bart Jacobs. Invariants, bisimulations and the correctness of coalgebraic renements. Technical Report
CSI{R9704, Computer Science Institute, University of Nijmegen, March 1997.
[73] Grant Malcolm. Data structures and program transformation. Science of Computer Programming , 14,
1990.
[74] Grant Malcolm. Behavioural equivalence, bisimilarity, and minimal realisation. In Magne Haveraaen
and Olaf Owe and Ole-Johan Dahl, editors, Recent Trends in Data Type Specications. Springer, 1989.
Lecture Notes in Computer Science, Volume 389.
[75] Grant Malcolm and Joseph Goguen. Proving correctness of renement and implementation. Technical Monograph PRG-114, Programming Research Group, University of Oxford, 1994. Submitted for
publication.
[76] Grant Malcolm and James Worrell. Toposes of abstract machines with observational semantics. Draft,
Oxford University Computing Laboratory, 1997.
[77] Jose Meseguer. Conditional rewriting as a unied model of concurrency. Theoretical Computer Science,
96(1):73{155, 1992.
[78] Jose Meseguer and Joseph Goguen. Initiality, induction and computability. In Maurice Nivat and John
Reynolds, editors, Algebraic Methods in Semantics, pages 459{541. Cambridge, 1985.
[79] Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes, Parts I and II.
Technical Report ECS{LFCS{89{85 and -86, Computer Science Department, University of Edinburgh,
1989.
[80] Lawrence Moss, Jose Meseguer, and Joseph Goguen. Final algebras, cosemicomputable algebras, and
degrees of unsolvability. Theoretical Computer Science, 100:267{302, 1992. Original version from March
1987.
[81] Fernando Orejas, Marisa Navarro, and Ana Sanchez. Algebraic implementation of abstract data types:
a survey of concepts and new compositionality results. Mathematical Structures in Computer Science,
6(1), 1996.
41
[82] David Parnas. Information distribution aspects of design methodology. Information Processing '72 ,
71:339{344, 1972. Proceedings of 1972 IFIP Congress.
[83] Francisco Pinheiro and Joseph Goguen. An object-oriented tool for tracing requirements. IEEE Software,
pages 52{64, March 1996. Special issue of papers from ICRE '96.
[84] Horst Reichel. Behavioural equivalence { a unifying concept for initial and nal specications. In
Proceedings, Third Hungarian Computer Science Conference. Akademiai Kiado, 1981. Budapest.
[85] Horst Reichel. Behavioural validity of conditional equations in abstract data types. In Contributions
to General Algebra 3. Teubner, 1985. Proceedings of the Vienna Conference, June 21-24, 1984.
[86] Horst Reichel. An approach to object semantics based on terminal co-algebras. Mathematical Structures
in Computer Science, 5:129{152, 1995.
[87] Jan Rutten and Daniele Turi. Initial algebra and nal coalgebra semantics for concurrency. In Jaco
de Bakker, Jan Willem de Roever, and Gregorz Rozenberg, editors, Proc. REX Symposium `A Decade
of Concurrency', pages 530{582. Springer, 1994. Lecture Notes in Computer Science, Volume 803.
[88] Jan J.M.J. Rutten. Universal coalgebra: a theory of systems. Technical Report CS{R9652, CWI, 1996.
[89] Donald Sannella and Andrzej Tarlecki. Toward formal development of programs from algebraic specications. Acta Informatica, 25:233{281, 1988.
[90] Adolfo Socorro. Design, Implementation, and Evaluation of a Declarative Object Oriented Language.
PhD thesis, Programming Research Group, Oxford University, 1994.
[91] J. Michael Spivey. Understanding Z. Cambridge, 1988.
[92] Will Tracz. Parameterized programming in lileanna. In Proceedings, Second International Workshop
on Software Reuse, March 1993. Lucca, Italy.
[93] Daniele Turi and Gordon Plotkin. Towards a mathematical operational semantics. In Proceedings,
Logic in Computer Science , 1997.
[94] Simone Veglioni. Integrating Static and Dynamic Aspects in the Specication of Open, Object-based and
Distributed Systems . PhD thesis, Oxford University Computing Laboratory, submitted November 1997.
[95] Mitchell Wand. Final algebra semantics and data type extension. Journal of Computer and System
Sciences, 19:27{44, 1979.
[96] Glynn Winskel. Categories of models for concurrency. In Steven Brooks, A. William Roscoe, and Glynn
Winskel, editors, Proceedings, Workshop on the Semantics of Concurrency, pages 246{267. Springer,
1984. Lecture Notes in Computer Science, Volume 197.
A Using OBJ3 for Hidden Algebraic Proofs
OBJ3 does just two kinds of computation: reduction with rewrite rules, and general equational
reasoning; these are implemented by its reduce and apply commands, respectively. When combined
with OBJ3's declarative capabilities, these computations support a surprisingly wide range of proof
techniques, including reasoning for loose, initial, and hidden semantics, as discussed in the following
subsections. Perhaps the easiest way to explain how this works is to explicate the various relations
involved; we will see that there are many of them. (This discussion requires a slightly more
sophisticated understanding of algebra than is assumed in most of the body of this paper.)
42
A.1 Loose Semantics
Under loose semantics, we have the beautiful situation described by Birkho's Theorem, that an
equation is true for all models i it is provable by equational deduction. In particular, anything
provable by reduction is true of all models. Although the converse does not hold and reduction is
incomplete, reduction has the tremendous advantage of being totally automatic. This is important
because even fairly simple problems can require a few hundred deductions. Applying a non-rewrite
equation requires user control, to choose values for variables and the precise point of application;
this can get tedious. Even though OBJ3 does allow sophisticated combinations of application and
rewriting (see Section 5.5 of [60]), it is clear that users will always prefer proofs by pure rewriting
if they are possible.
Now let's introduce our rst four relations: let t = t0 mean that the equation can be deduced
using equational reasoning; more explicitly, we can write T ` (8X ) t = t0 . This is the domain
of general equational reasoning; note that the equality sign is also used in OBJ3 as a separator
between the two
terms of an equation.
Second, t ! t0 means that t rewrites to t0 ; more explicitly, we can write T ` (8X ) t ! t0 , where
all equations in T must be rewrite rules. When a specication consists of rewrite rules, and when
only rewriting is to be used for proofs, it would make sense to use the notation ! for equations
in T instead of =, because then ! is the transitive and reexive closure of our third relation !,
which represents one rewriting step. Note that we do not assume any special properties of T , such
as Church-Rosser or termination, only that T consists of rewrite rules25. This is the domain of
Meseguer's rewriting logic [77]. It is worth noting that in practice, OBJ specications nearly always
consist of rewrite rules, even though this is far from a theoretical necessity. The relation = is the
transitive, reexive, and symmetric closure of !, and thus goes beyond rewriting logic by invoking
symmetry.
Fourth, t == t0 means that t; t0 both have normal forms under T , and that these forms are
identical; if t == t0 is true, then t and t0 rewrite to the same term, so that an equational proof for
t = t0 exists; but if t == t0 is false, then we don't know whether or not t = t0 holds. Note also that
t == t0 can fail to have a value because
of non-termination.
0
0
To summarize, t ! t implies t ! t , which implies t == t0 if t0 has a normal form, and each of
these implies t = t0 . None of these implications can be reversed.
A.2 Initial Semantics
Under initial semantics, the intended interpretation of a specication T is the class of its initial
models. For equational logic, we know that such models always exist, and moreover that they are
all isomorphic [57]. Strictly speaking, OBJ3 makes no special computational provision for initial
semantics; however it does allow users to declare their intention that certain specications should
be interpreted initially instead of loosely, by using the keyword pair obj...endo instead of the pair
th...endth. Although it would make no computational dierence at all if this convention were
reversed, certain computations have a dierent signicance under initial semantics than they would
under loose semantics. In particular, if T is canonical, i.e., both Church-Rosser and terminating,
then for t; t0 ground terms, t == t0 i t = t0 holds in the initial algebra; that is, == gives a decision
procedure for initial ground equational satisfaction, and it decides disequality as well as equality.
But reduction cannot prove all the equations that are true in initial models; inductive proofs are
more powerful, are valid, and are often necessary.
25 Of course, OBJ3 is actually more general, in that it supports rewriting modulo associativity, commutativity
and/or identity.
43
All proof methods discussed in the previous subsection for loose semantics are still valid for
initial semantics; in fact they are valid for all models, so they certainly hold for an initial model,
and they do not require T to be canonical. Inductive proofs are also valid without any assumptions
on the form of equations, although such assumptions may facilitate computations for the base and
step cases of an inductive proof.
We now introduce some more relations: let t = t0 mean D j= (8X ) t = t0 , where D is an
initial T -algebra; we may also write this as T j= (8X ) t = t0 , or even (as in [37]) T j
= (8X ) t = t0 .
The important fact that reasoning techniques for loose semantics are still valid is expressed bythe
assertion t = t0 implies t = t0 . So in particular, t == t0 implies t = t0 , and also of course t ! t0
0
implies t = t . But more than this, we can use `inductive lemmas' in these loose deductions; that
is, if we have previously proved t1 = t2 using induction, and if t1 = t2 is a rewrite rule, then we
can add t1 ! t2 to T in computing t == t0 . Let us (somewhat informally, since it doesn't indicate
exactly what set T 0 of rewrite rules is involved, except that T T 0 Th(D), where Th(D) denotes
the set of all equations true of D) write t let us write
=
= t0 for proofs done this way; and similarly,
0
0 implies t t0
t > t for proofs by reduction that
may
use
inductive
lemmas.
Then
we
have
t
>
t
==
if t0 has a normal form, and t > t0 and t =
= t0 both imply t = t0 . In fact, these relations represent
the most convenient way to do many inductive arguments.
A.3 Hidden Semantics
A hidden specication is a loose protecting extension (because j is dened interms of j=) of an
initially interpreted subtheory; let T denote the entire theory and let TD denote its initial subtheory.
Under this denition, hidden models are technically (loose) models of T such that when restricted
to the signature D of TD they are an initial model of TD ; but because all initial models are
isomorphic, there is no loss of generality if we assume, as in the body of this paper, that the
restriction to D is a particular initial model D of TD .
Now more relations: behavioral equality, t t0 , is as in Denition 5; we may also write T j=
(8X ) t t0 , or even T j (8X ) t = t0 . Once again, it is important to note that loose reasoning
is valid; in other words t = t0 implies t t0 . Therefore t == t0 implies t t0 , and t ! t0 implies
t t0 . Moreover, we can use `behavioral lemmas' about hidden sorts and inductive lemmas about
visible sorts in such loose deductions: if we have previously shown t1 t2 or t1 = t2 , and if t1 = t2
0
is a rewrite rule, then we can add t1 ! t2 to T in computing t == t . That inductive assertions
about the data subtheory can be used in behavioral proofs is expressed by saying t = t0 implies
t t0 , provided t; t0 are always of visible sort whenever we write t = t0 . In fact, inductive lemmas
about data are often needed in behavioral proofs. Let us (again somewhat informally, since it
doesn't indicate exactly what rewrite rules are involved) indicate this kind of deduction by writing
t t0 , and let us similarly
write t > t0 for proofs by reduction that may use behavioral and
inductive lemmas. Then t > t0 implies t t0 implies t t0 ; these relations often represent the
most convenient way to carry out behavioral arguments, often as part of a coinductive proof.
The ocial OBJ3 syntax does not allow declaring some sorts to be hidden. Although it would
be easy to modify the syntax, there is no compelling reason to do so, because (1) just as with the
distinction between obj...endo and th...endth, it would have no computational eect, and (2)
it is easy to introduce a notational convention that serves the same purpose, which after all is just
to declare user intentions. In fact, we have already introduced such a convention: all new sorts
declared in theory modules containing the line pr DATA are hidden, and all the sorts declared in
DATA are visible.
44
A.4 Discussion
In doing coinductive proofs within the hidden conventions suggested above, there are just two kinds
of sort, hidden and visible; therefore the two kinds of computation that OBJ3 provides (rewriting
and general equational reasoning) are always valid, because they are valid for each kind of sort
separately. However, because induction is only valid for visible (data) sorts and coinduction is only
valid for hidden sorts, some mental discipline is necessary in using OBJ3 this way; it is necessary to
keep track of the signicance of computations based on conventions that do not actually eect the
outcome of the computations. Under this discipline, many assertions that would otherwise have to
be made outside OBJ can be seen as assertions within OBJ. The fact that nearly all the relations
that we have so carefully distinguished in our theoretical discussion above, are denoted by the same
symbol in OBJ3 syntax, namely =, makes more sense than seems reasonable at rst, because of its
convenience, and because of the inclusions among these relations as discussed above.
Turning a bit towards philosophy, we note that a mechanical theorem prover does not know
what it is doing (nor does any program, or any computer); the meaning of a computation can only
can supplied by a user, based on information about its context.
B Two Small Coinductive Proofs
Below are OBJ3 proof scores using hidden coinduction to solve two exercises in this paper.
Exercise 33: We let contain getx, and let ? contain putx; then we use Proposition 30 and
apply Corollary 29.
***> to prove putx(M,putx(N,S)) = putx(M,S):
openr X .
op _R_ : State State -> Bool .
var S1 S2 : State .
eq S1 R S2 = getx S1 == getx S2 .
ops s1 s2 : -> State .
ops n m : -> Nat .
close
2
***> first show R is a congruence:
open .
eq getx s1 = getx s2 .
red putx(n,s1) R putx(n,s2) . ***> should be: true
close
***> now prove the equation:
red putx(m,putx(n,s1)) R putx(m,s1) .
***> should be: true
Exercise 56: Let contain getx and gety, let ? contain putx and puty, then use Proposition
30 and apply Corollary 29.
***> to prove putx(M,puty(N,S)) = puty(N,putx(M,S)):
openr XY .
op _R_ : State State -> Bool .
var S1 S2 : State .
eq S1 R S2 = getx S1 == getx S2 and gety S1 == gety S2 .
45
ops s1 s2 : -> State .
ops n m : -> Nat .
close
***> first prove R is a congruence:
open .
eq getx s1 = getx s2 .
eq gety s1 = gety s2 .
red putx(n,s1) R putx(n,s2) . ***> should be: true
red puty(n,s1) R puty(n,s2) . ***> should be: true
close
***> now prove the equation:
red putx(m,puty(n,s1)) R puty(n,putx(m,s1)) .
***> should be: true
2
C Modularity and Inheritance
Our approach to modularity assumes that signatures, models and axioms satisfy certain natural
axioms that dene a so called institution26 [39, 20, 59]. This gives the powerful module facilities of
parameterized programming [29, 31], including generic modules that take other modules as parameters which may themselves be parameterized, module expressions that say how to interconnect
and/or modify a collection of modules taking proper account of their parameterization and of any
modules that they may inherit, and much more [29].
An analogy with functional programming may help [10]: modules are like functions, with theories as their types; then evaluating a well-typed module expression yields a new module, just as
evaluating a well-typed functional expression yields a new function. In fact, parameterized programming gives all the power of higher order functional programming in a purely rst order setting,
which makes it easier to do proofs and to write programs [30].
Parameterized programming also allows integrating specications with executable code, where
the former is in a specication language and the latter is in a conventional programming language27 .
In this case, executing a module expression builds new executable code and its specication; the
code may be in both textual and compiled executable forms. This is implemented in lileanna[59],
which also extends parameterized programming with a notion of information hiding that generalizes
hidden algebra. lileanna, a module interconnection language for Ada [28, 92, 59], has shown that
this can have signicant practical benet for real problems (ight control software for helicopters).
Parameterized programming was rst implemented in OBJ [53, 27, 60], and builds on ideas in the
Clear language [12]; it has inuenced the module systems in the Ada and ML languages. Recent
work on parameterized programming shows how it can be used to express software architectures
[36], and can be extended to higher order modules and views [46].
We will not discuss our approach to inheritance here, because it uses order sorted algebra, but
it is natural and simple, with subclasses just subsorts having more attributes and methods [41].
26 For this, we must use (hidden) signature morphisms [41], rather than (hidden) signature maps (see Denition
52); this is appropriate because signature morphisms are used for horizontal structure, which is what modularity
provides, whereas signature maps are used for vertical structure ([38] introduced this distinction between vertical and
horizontal structure).
27 The idea of associating code, specications, and possibly other software objects, such as test cases and documentation, comes from hyperprogramming [31].
46
C.1 Multiple Paradigms
We have been able to handle the signicant features of the object paradigm, and even to clarify
and improve it a bit, e.g., by cleanly separating data from objects, and classes from modules;
we have also shown how to add powerful generic modules, behavioral types for specication, and
a declarative programming style. These ideas have been implemented in the foops language
[51, 56, 90] and been shown useful, e.g., for implementing a multimedia requirements tracing system
[83]. Parameterized programming can be considered a design (or architecture) language for any
combination of paradigms [29, 36].
The integration of functional and logic paradigms in the Eqlog language [49, 17] has been
extended to integrate the object, logic and functional paradigms, while adding the constraint
paradigm. Section 5 shows how to integrate concurrency with the above ideas in a natural way.
We have generally talked as if hidden theories are only used for specication. But theories can
be directly executed under certain restrictions on the form of equations, as already implemented
in OBJ, Eqlog and foops. Therefore hidden theories can be used directly for small and medium
applications, as well as for prototyping large applications.
47
Contents
1 Introduction
1
2 Hidden Algebra
8
1.1 Algebraic Engineering and the Object paradigm . . . . . . . . . . . . . . . . . . . . .
1.2 A Little Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.1
2.2
2.3
2.4
Visible Data Values . . . . . . . . . . . . . . . . . .
Hidden Signatures and Hidden Algebras . . . . . .
Nondeterminism . . . . . . . . . . . . . . . . . . .
More Hidden Satisfaction and the Logic Paradigm
3 Behavior and Hidden Coinduction
3.1
3.2
3.3
3.4
3.5
Finality . . . . . . . . . . . . . . . .
A Categorical Hat Trick . . . . . . .
A Vending Machine . . . . . . . . . .
Derived Operations . . . . . . . . . .
Bisimulation and Transition Systems
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
5
8
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 8
. 9
. 14
. 18
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
19
22
24
25
25
26
4 Renement
29
5 Concurrent Connection
6 Conclusions and Futures
A Using OBJ3 for Hidden Algebraic Proofs
34
36
42
4.1 Stack as Pointer plus Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.2 Model Based Renement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
A.1
A.2
A.3
A.4
Loose Semantics .
Initial Semantics .
Hidden Semantics .
Discussion . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
B Two Small Coinductive Proofs
C Modularity and Inheritance
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
43
43
44
45
45
46
C.1 Multiple Paradigms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
48