Specications in an arbitrary institution with
symbols
Till Mossakowski
Department of Computer Science and Bremen Institute for Safe Systems,
University of Bremen, Germany.
Abstract. We develop a notion of institution with symbols and a ker-
nel language for writing structured specications in CASL. This kernel
language has a semantics in an arbitrary but xed institution with symbols. Compared with other institution-independent kernel languages, the
advantage is that translations, hidings etc. can be written in a symboloriented way (rather than being based on signature morphisms as primitive notion), while still being institution-independent. The semantics
of the kernel language has been used as the basis for the semantics of
structured specications in CASL.
1 Introduction
Formal specication of software systems can typically be split into specication-in-the-small, dealing with the specication of individual datatypes, and
specication-in-the-large, dealing with the combination of specications and/or
datatypes in a structured way. The framework of institutions, a formalization of
the model-theoretic aspects of the notion of logical system, allows a clean separation of these issues: while specication-in-the-small is based on a particular
institution, a number of formalisms for specication-in-the-large such as Clear,
ACT TWO, ASL and ASL+ have been developed largely for an arbitrary (but
xed) institution.
However, the institution-independent setting as used in the above formalism
has some important drawbacks:
{ signature morphisms are taken as primitives. This implies that one cannot
rename or hide just a symbol, but rather has to construct the resulting
signature in advance, together with the corresponding signature morphism;
{ pushouts (in some formalisms necessary for instance to instantiate generic
specications) are dened only up to isomorphism; thus, the user does not
have full control over the name space of the specication constructed;
{ unions can be taken only of specications over the same signature (unless
an extra inclusion system is specied).
In this work, to resolve these problems, we propose a notion of institution
with symbols. Roughly, an institution with symbols is an institution where each
signature has an underlying set of symbols, and each signature morphism has
2
an underlying symbol translation function. Within this setting, we can dene
renamings, hidings, unions and pushouts in an explicit, symbol-oriented way
that overcomes the above drawbacks. We also dene a notion of institution with
qualied symbols to deal with the problems of overloading.
To show that these extra complications can be avoided when not needed, we
show that an institution with qualied symbols can be constructed out of any
institution with symbols in a trivial way (with no overloading possible).
These notions provide a proper institutional framework for the semantics
of CASL, a specication formalism developed within the CoFI initiative. In
particular, the semantics of structured specications in CASL can be based on
an arbitrary institution with qualied symbols.
The paper is organized as follows. In section 2, we recall the notion of institution and a kernel language allowing to write specications over an arbitrary
institutions. We discuss the problems with this approach, which leads to the
denition of institution with symbols in section 3 and of a new kernel language
(together with its semantics) in section 4. Institutions with qualied symbols are
introduced in section 5, and the CASL institution is shown to be an institution
with qualied symbols in section 6. Finally, section 7 contains conclusions and
future work. An extended version of this paper (including all proofs) is available
as CoFI study note S-10 in [4].
2 Specications in an arbitrary institution
The theory of institutions [7] takes a predominantly model-theoretic view of
logic, with the satisfaction relation between models and logical sentences adopted
as a primary notion. Somewhat unlike in the classical model-theory though, a
family of such relations is considered at once, indexed by a category of signatures.
Denition 2.1. An institution I consists of:
{ a category SignI of signatures ;
{ a functor SenI: SignI ! Set, giving a set Sen( ) of -sentences for each
signature 2 jSignI j;
{ a functor ModI: SignopI ! Cat , giving a class Mod( ) of -models for
each signature 2 jSignI j; and
{ for 2 jSignIj, a satisfaction relation j=I; ModI( ) SenI( )
such that for any signature morphism : ! 0 , -sentence ' 2 SenI ( ) and
0 -model M 0 2 ModI ( 0 ) the following satisfaction condition holds:
M 0 j=I;0 SenI ()(') () ModI ()(M 0 ) j=I; '
We write M 0 for Mod()(M 0 ), where : ?! 0 2 Sign and M 0 2 Mod( 0 ).
1
The notion of institution emerged as a formalisation of the concept of logical system underlying algebraic specication formalisms. Given an institution
1
Cat is the (quasi-)category of all categories.
3
I, the rough idea is that signatures determine the syntax of the systems to
be specied, models of the institution represent (the semantics of) the systems
themselves, and sentences are used to specify the desired system properties.
Whatever specications are, they should ultimately describe a signature and a
class of models over this signature, called models of the specications, to capture
the admissible realizations of the specied system. Consequently, any specication formalism over I determines a class of specications, and then, for any
specication SP , its signature Sig [SP ] 2 jSignj and the collection of its models
Mod [SP ] Mod(Sig [SP ]). If Sig [SP ] = , we refer to SP as -specication.
In [9], the following kernel language for specications in an arbitrary institution I has been proposed:
presentations : For any signature 2 jSignj and set Sen( ) of sentences, the presentation h; i is a specication with:
Sig [h; i] = Mod [h; i] = fM 2 Mod( ) j M j= g
union : For any signature 2 jSignj, given -specications SP 1 and SP 2 ,
their union SP 1 [ SP 2 is a specication with:
Sig [SP 1 [ SP 2 ] = Mod [SP 1 [ SP 2 ] = Mod [SP 1 ] \ Mod [SP 2 ]
translation : For any signature morphism : ! 0 and -specication SP ,
translate SP by is a specication with:
Sig [translate SP by ] = 0
Mod [translate SP by ] = fM 0 2 Mod( 0 ) j M 0 2 Mod [SP ]g
hiding : For any signature morphism : ! 0 and 0 -specication SP 0 ,
derive from SP 0 by is a specication with:
Sig [derive from SP 0 by ] = Mod [derive from SP 0 by ] = fM 0 j M 0 2 Mod [SP 0 ]g
The above specication-building operations, although extremely simple, already
provide exible mechanisms for expressing basic ways of putting specications
together and so for building specications in a structured manner. Further, perhaps rather more convenient-to-use operations may be built on this basis. See
for instance [9] for examples and much further discussion.
However, the institution-independent setting as used in this and other similar
formalisms has some important drawbacks:
{ signature morphisms are taken as primitives. This implies that one cannot
rename or hide just a symbol, but rather has to construct the resulting
signature in advance, together with the corresponding signature morphism;
{ pushouts (in some formalisms necessary for instance to instantiate generic
specications) are dened only up to isomorphism; thus, the user does not
have full control over the name space of the specication constructed;
{ unions can be taken only of specications with the same signature.
The third problem (concerning unions) can be overcome by working with
signature categories having associated inclusion systems [3]. However, the other
problems still remain in such an approach.
4
3 Institution with symbols
To resolve the problems mentioned at the end of the last section, we propose
a notion of institution with symbols. Roughly, an institution with symbols is
an institution where each signature has an underlying set of symbols, and each
signature morphism has an underlying symbol translation function. Within this
setting, we can dene renamings, hidings, unions and pushouts in an explicit,
symbol-oriented way that overcomes the above problems.
Consider an institution (Sign; Sen; Mod; j=) additionally equipped with a
faithful functor j j: Sign ?! Set that extracts from each signature the set of
(fully qualied) symbols that occur in it (i.e. (Sign; j j) is a concrete category
[1]). We assume that there is some xed \universe" of Sym of symbols that may
be used by the specier when writing symbol mappings. The latter are the means
for the user to specify signature morphisms in a convenient way. A symbol map
should be some kind of map on Sym . We cannot expect this map to be total,
because not all symbols may be mapped. Moreover, we even cannot expect it
to be total on the set of symbols of a given source signature, since we want to
free the user from specifying identically mapped symbols. Finally, it turns out
to be much more convenient even not to require symbol maps to be functions {
a user may erroneously map one and the same symbol to two dierent symbols
(of course, in such a case, there will be no signature morphism induced by the
symbol map). So we arrive at the following:
A symbol map h is a nite relation h Sym Sym .
The domain of a symbol map is dened as
dom(h) = fSY 2 Sym j 9(SY ; SY 0 ) 2 hg
We further assume that some function Ext: jSignj jSignj FinSet (Sym Sym ) ?! FinSet (Sym Sym ) is given. Its use is as follows. Consider a parameterized specication; and let h be a symbol map tting the formal parameter
(having signature ) with the actual parameter (having signature 0 ). Then
Ext(; 0 ; h) extends h to a translation of compound identiers in the body
(for example, in CASL, a tting of sort Elem to sort Nat leads to the renaming
of sort List[Elem] into the sort List[Nat]). If one is not interested in compound
identiers, Ext(; 0 ; h) can be taken to be just h. In section 5, we will propose
a particular denition of Ext. Now we are ready for our central denition:
Denition 3.1. An institution with symbols (Sign; Sen; Mod; j=; Sym ; j j) consists of
{ an institution (Sign; Sen; Mod; j=),
{ a set of (fully qualied) symbols Sym ,
{ a faithful functor j j: Sign ?! Set giving, for each signature , a set of symbols j j Sym , and for each signature morphism : ?! 0 , a translation
of symbols jj: j j?!j 0 j,
{ a function Ext: jSignjjSignjFinSet (Sym Sym ) ?! FinSet (Sym Sym ),
5
such that
h Ext(; 0 ; h)
for each h Sym Sym and ; 0 2 jSignj.
In the sequel, we will, by abuse of notation, identify and jj (this is legitimated by faithfulness of j j). In particular, we say that a map : j j ?! j 0 j
is a signature morphism if there exists a signature morphism : ?! 0 with
jj = . By faithfulness of j j, such a is unique. By abuse of notation, we will
also denote it by : ?! 0 .
4 A new kernel language
In this section, we dene a new kernel language for structured specications,
which can be seen as an underlying kernel language for CASL. It is dened
over an arbitrary institution with symbols and allows to write specications
in a more concise and convenient way in comparison with the kernel language
introduced in section 2. For simplicity, we include not all the constructs of CASL
structured specication in the kernel language, but leave out those like local
specications that can be expressed using other constructs. Moreover, we do
not allow signature fragments as in CASL, since allowing these would lead to a
more complex semantics of the language without giving much more insight into
the concepts that we want to present. The kernel language for institutions with
symbols consists of the following (the function Sig, computing the signature of
a specication, as well as the constructions h j , jSYs , jSYs and h j0 , will
be dened in the subsections below):
presentations : For any signature 2 jSignj and set Sen( ) of sentences, the presentation h; i is a specication,
union : For any specications SP 1 and SP 2 with the corresponding signature
union Sig [SP1 ] [ Sig [SP2 ] dened, their union SP 1 and SP 2 is a specication,
translation : For any symbol map h Sym Sym and specication SP with
h jSig [SP ] dened, SP with h is a specication
revealing : For any specication SP and set of symbols SYs Sym with
Sig [SP ] jSYs dened, SP reveal SYs is a specication,
hiding : For any specication SP and set of symbols SYs Sym with Sig [SP ] jSYs
dened, SP hide SYs is a specication,
instantiation : For any three specications SP , SP 0 and SP A and a symbol
map h Sym Sym such that Sig [SP ] is a subsignature of Sig [SP 0 ] and
Sig [SP ] is dened, instantiate (SP ; SP 0 ) by SP t h is a specication.
h jSig
A
[SP A ]
The side conditions on the well-formedness of a specication are explained
in the following subsections. For typical institutions with symbols, they can be
checked statically. Thus, it makes sense to impose them on the language.
The semantics of the new kernel language is given by translating it to the old
kernel language, using a translation function [ ] . Using this translation function,
6
we can easily lift the semantic functions Sig and Mod from the old to the new
kernel language by putting, for a specication SP written in the new kernel
language:
Sig [SP ] = Sig [[[SP ] ]
Mod [SP ] = Mod [[[SP ] ]
Note that even for well-formed specications, the translation function [ ] will
be a partial function, and so will be Sig and Mod . This means that the semantics
of some specications of the new kernel language will be undened (this will
happen only for specications involving instantiations). Checking denedness
involves checking model class inclusions, which is undecidable in general. In
contrast, the function Sig will be decidable for those institutions with symbols
having the constructions h j , jSYs , jSYs and h j0 computable.
For presentations, the clause of the inductive denition of the translation
function is trivial:
[ h; i] = h; i
4.1 Revealings and Hidings
To be able to interpret the revealing of a set of symbols of a given signature, we
need to be able to construct a subsignature generated by these symbols. This can
be formalized within an arbitrary but xed institution with symbols as follows,
directly following [10].
We say that a signature morphism : ?! 0 is a signature inclusion if jj is
an inclusion (of j j into j 0 j). If there exists a signature inclusion from to 0 ,
we call a subsignature of 0, and write 0 . Notice that then the signature
inclusion is unique, since the functor j j is faithful; we denote it by 0 .
A subsignature of 0 is said to be full2 if every subsignature of 0 with
the same set of symbols as is a subsignature of . Notice that for standard
many-sorted signatures, the notions of signature and full subsignature coincide
| every subsignature is full. A subsorted subsignature of 0 is full if and only
if inherits from 0 all the subsort requirements concerning the sorts of .
We call a set of symbols SYs j j closed in if there is a subsignature 0
of with the set of symbols SYs , i.e. such that j 0 j = SYs .
For any set SYs j j, a signature generated in by SYs is a full subsignature 0 of such that j 0 j is the smallest set containing SYs and closed in .
It is denoted by jSYs .
Dually, to be able to interpret hiding, we need: For any set SYs j j, a
signature co-generated in by SYs is a full subsignature 0 of such that j 0 j
is the largest set disjoint from SYs and closed in . It is denoted by jSYs .
With this, we can give a (translational) semantics of revealing and hiding:
[ SP reveal SYs ] = derive from [ SP ] by where = Sig [SP ] and : jSYs?! is the inclusion.
2
To be more uniform with section 4.2, we could replace fullness by initiality. : ?! is initial if for any function : j j?!j j, is a signature morphism provided 0
00
is. Initiality implies fullness, but not conversely, although the converse is true for the
standard examples.
7
[ SP hide SYs ] = derive from [ SP ] by where = Sig [SP ] and : jSYs?! is the inclusion.
4.2 Translations
For translations, the main problem is the following: Given a signature and
a symbol map h, construct a signature morphism : ?! 0 that is in some
sense compatible with h. Generally, there are many dierent choices for the
target signature 0 with the same underlying symbol map jj: one can arbitrarily
extend 0 with some stu that is not in the image of jj. We therefore want 0
to be minimal in a certain sense. This is achieved by the notion of nality3 .
A signature morphism : ?! 0 is said to be nal [1]4 if for any function
0 : j 0 j?!j 00 j, 0 is a signature morphism provided that 0 is. In the category of many-sorted algebraic signatures, a signature morphism is nal i it
is surjective. For morphisms between subsorted signatures, nality additionally
means that 0 has the minimal subsorting relation making into a signature
morphism (i.e. 0 inherits the subsorting relation from along ), see proposition 6.5 below.
Next, we have to specify the exact relation between a symbol map h and the
corresponding signature morphism . We want to free the user from specifying
the mapping of symbols that are mapped identically. This is achieved by the
following: Given a signature and a symbol map h, if there is a unique signature
morphism : ?! 0 such that h graph(jj) and is nal, then is called
the signature morphism from induced by h, written h j (otherwise, h j is
undened). Given a signature , a symbol map h is called admissible for , if
there is some signature morphism : ?! 0 with h graph(jj) and is nal.
Let Admissible( ) be the set of symbol maps admissible for .
With this, we can specify how translations are mapped to the old kernel
language:
[ SP with h] = translate [ SP ] by h jSig [SP ]
Note that denedness of h jSig [SP ] is already required by the well-formedness
condition of the translation.
The reader may be surprised that nality corresponds to some minimality principle
here, while nal algebras usually satisfy some maximality principle. The reason is that
the notion of nality comes from categorical topology, and nal continuous maps
indeed have a maximal topology on their target (while nal signature morphisms
typically have a minimal target).
4
In the theory of co-brations, these morphisms as called co-cartesian [2], and they
are dened in a slightly more general setting, namely, faithfulness of the functor is
not required. We nevertheless stick to nality here, because nality is also dened
for sinks, see below.
3
8
4.3 Unions
Concerning unions, the main feature that we have added to the old kernel language is the ability to unite specications having dierent signatures. Therefore,
we need to be able to unite signatures. We will do this using so-called minimal
lifts of sinks.
A sink is a pair of morphisms with common codomain.
A lift of a j j-structured sink (1 : j1 j ?! SYs ; 2 : j2 j ?! SYs ) is a sink
(1 : 1 ?! ; 2 : 2 ?! ) such that j j = SYs .5
A lift (1 : 1 ?! ; 2 : 2 ?! ) of a j j-structured sink (1 : j1 j ?!
SYs ; 2 : j2 j ?! SYs ) is said to be minimal, if for every other lift (1 : 1 ?!
0 ; 2 : 2 ?! 0 ) of the same sink, the function idjj: ?! 0 is a signature
morphism.
Given two signatures 1 and 2 , if the sink (j1 jj1 j[j2j ; j2jj1 j[j2j )
has a unique minimal lift, the latter is called the union of 1 and 2 , denoted
by 1 [ 2 . This enables us to dene the semantics of unions:
[ SP 1 and SP 2 ] = (translate [ SP 1 ] by 1 ) [ (translate [ SP 2 ] by 2 )
where 1 = Sig [SP1 ], 2 = Sig [SP2 ], = 1 [ 2 , and 1 : 1 ?! and
2 : 2 ?! are the inclusions.
4.4 Instantiations
For instantiations of generic specications, usually a pushout semantics is used
[6]. The problem with this approach is that the user does not have full control
over the name space of the specication constructed: generally, new names have
to be created in the pushout. In contrast, CASL follows a \same name{same
thing" philosophy, which leaves the control over the name space to the user: instantiations are constructed in a naive set-theoretic way. The pushout approach
and the set-theoretic approach can be reconciled by requiring the set-theoretic
construction to actually be a pushout (and letting the instantiation being undened if this requirement is not fullled). In this section, we show how to perform
the set-theoretic construction of an instantiation and formulate conditions that
guarantee this construction to be a pushout. Both the construction and the
conditions can be formulated in an institution-with-symbols-independent way.
Again, the crucial notion is that of nality.
A sink (1 : 1 ?! ; 2 : 2 ?! ) is called nal, if for each function
: j j ?! j 0 j, is a signature morphism provided that 1 and 2
are. Again, a sink of many-sorted algebraic signature morphisms is nal i the
signature morphisms are jointly surjective. For subsorted signature morphisms,
additionally the subsorting relation on has to be minimal w.r.t. making both
5
Recall that by abuse of notation, we use the same names for a signature morphism
and its underlying symbol map.
9
1 and 2 signature morphisms, and the transitive closure of the overloading relation has to be the transitive closure of the union of the translated overloading
relations (for a related result, see proposition 6.8).
A nal lift of a j j-structured sink (1 : j1 j ?! SYs ; 2 : j2 j ?! SYs ) is a
nal sink (1 : 1 ?! ; 2 : 2 ?! ) such that j j = SYs .
A union of two signatures is said to be nal if the sink consisting of the two
inclusions is nal.
The notions of nal sink and nal lift can be generalized to an arbitrary
number of morphisms with common codomain. The concept gains its importance
from the following (note that cocones and colimits are special cases of sinks):
Proposition 4.1. In a concrete category, a nal lift of a colimit is again a
colimit.
Since we use nal signature morphisms and nal unions in the stepwise construction of an instantiation of a generic specication, we can use the above
proposition to show that the instantiation is a pushout.
The construction assumes that the formal parameter signature of the generic
specication is included in the body signature (so we do not allow an arbitrary
signature morphism between formal parameter and body).
Our construction now works as follows: Given a signature inclusion : ?!
0 (which acts as the inclusion of the formal parameter into the body) and a
signature morphism : ?! A (which acts as the tting morphism from the
formal to the actual parameter), if
{ the signature morphism h j0 from 0 induced by
h = Ext( 0 ; A ; graph (jj))
exists6 (let its target be denoted by A ()),
{ the union A [ A() exists7, and moreover, it is nal8,
{ jAj \ jA()j jj(j j)9 , and
{ ker(j(h j0 )j) ker(jj)10 ,
This may fail to exist for several reasons. One is that the symbol map h is not a
function because of the denition of Ext (see section 5 for an example). Another
one is that h is a function, but there is no signature morphism induced by it. In
the CASL institution, the latter can happen for example if h does not preserve the
overloading relations. An example is given in [8].
7
The union may fail to exist in the CASL institution because a total and a partial
operation symbol with the same prole get united.
8
The union may fail to be nal in the CASL institution if symbols newly get into the
overloading relation, cf. Proposition 6.8.
9
This property may fail if the actual parameter and the body share symbols that are
not in the formal parameter.
10
For the standard denition of Ext described in section 5, this property may fail if
the tting morphism is not injective (say, it maps both Elem1 and Elem2 to nat)
and this leads to new identications in the extension (say, both List[Elem1] and
List[Elem2] occur in the body, so () maps both to List[Nat]).
6
10
then A ()A [A() h j0 is called the extension of along , denoted by
(): 0 ?! A [ A ().
Here, the kernel of a function f : A ?! B is dened as usual:
ker(f ) = f(x; y) 2 A Ajf (x) = f (y)g:
Proposition 4.2. If the extension of : ?! A along : ?! 0 exists,
then
0
A [ A ()
A
()
is a pushout in Sig.
Before we can use the above construction to dene the semantics of instantiations, we rst have to specify how the tting morphism is obtained from a
symbol map. Given signatures and 0 and a symbol map h Sym Sym , if
there is a unique signature morphism : ?! 0 with
h graph(jj)
we call it the signature morphism from to 0 induced by h, denoted by h j0 .
Given signatures and 0, a symbol map h Sym Sym is called admissible for
and 0 , if there is some signature morphism : ?! 0 with h graph(jj).
Admissible(; 0) denotes the set of all symbol maps admissible for and 0 .
With this, the semantics of instantiations (given by a translation to the old
kernel language) is as follows:
[ instantiate (SP ; SP 0 ) by SP A t h] = [ SP A ] [ (translate [ SP 0 ] by ())
where = Sig [SP ], of 0 = Sig [SP 0 ], : ?! 0 is the inclusion, A =
Sig [SP A ] and = h jA . The semantics is undened whenever it is not the case
that
1. Mod(SP 0 ) Sig[SP ]Sig[SP 0 ] Mod(SP ), and
2. Mod(SPA ) Mod(SP ).
which means that Sig [SP ]Sig [SP 0 ] and are both specication morphisms.
5 Institutions with qualied symbols
In this section, we dene a notion of institution with qualied symbols to deal
with the problems of overloading and qualication.
In the CASL institution, the natural choice for j j is the set of fully qualied
symbols of (if we omit qualications, j j is no longer faithful, because symbols
may be overloaded with dierent proles). Now in CASL symbol mappings, one
11
may (either partially or completely) omit qualications of symbols. This leads
to the notion of raw symbol, which in the case of the CASL institution can
be a qualied symbol, an unqualied symbol or a partially qualied symbol.
The link between symbols and raw symbols is given by a matching relation
specifying which symbols correspond to which raw symbols. In order to be able
to construct the extension map Ext explicitly, we further assume that there is
a set of compound identiers.
The following notion abstracts this to an institution-independent setting:
Denition 5.1. An institution with qualied symbols (Sign; Sen; Mod; j=; Sym ;
j j; ID; RawSym ; IDAsRawSym; SymAsRawSym; matches) consists of
{ an institution (Sign; Sen; Mod; j=),
{ a set of (fully qualied) symbols Sym ,
{ a faithful functor j j: Sign ?! Set,
{ a set ID of compound identiers,
{ a set of raw symbols RawSym together with two injections IDAsRawSym : ID ?!
RawSym and SymAsRawSym : Sym ?! RawSym ,
{ a matching relation matches Sym RawSym specifying which qualied
symbols match which raw symbols,
such that
{ j j Sym for each 2 jSignj,
{ for id; ci1; : : : ; cin 2 ID, also id[ci1; : : : ; cin] 2 ID (i.e. we can form compound
identiers)
{ SY matches SymAsRawSym (SY 0) i SY = SY 0 for SY ; SY 0 2 Sym 11 and
{ for each SY 2 Sym , there is a unique Ident 2 ID with SY matching
IDAsRawSym (Ident) (called the name of SY )
Raw symbol maps are dened like symbol maps: they are nite binary relations r RawSym RawSym . In the kernel language of section 4, we now can
replace symbol maps by raw symbols maps and thus obtain more conciseness
when writing specications. In most cases, the kernel language just remains the
same as before (note that Sig[ ], ff gg and ff gg are dened later on):
presentations : For any signature
2 jSignj and set Sen( ) of sentences, the presentation h; i is a specication,
union : For any specications SP 1 and SP 2 with the corresponding signature
union Sig [SP1 ] [ Sig [SP2 ] dened, their union SP 1 and SP 2 is a specication,
translation : For any raw symbol map r RawSym RawSym and specication
SP with ffrggAdmissible(Sig [SP ]) jSig [SP ] dened, SP with r is a specication
revealing : For any specication SP and set of raw symbols RSYs RawSym
with Sig [SP ] jffRSYs gg\Sig [SP ] dened, SP reveal SYs is a specication,
11
This property is not technically needed in the semantics, but it is desirable since it
means that for each ambiguity there is a qualication to resolve it.
12
hiding : For any specication SP and set of raw symbols RSYs RawSym with
Sig [SP ] jffRSYs gg\Sig [SP ] dened, SP hide SYs is a specication,
instantiation : For any three specications SP , SP 0 and SP A and a raw symbol
map r RawSym RawSym such that Sig [SP ] is a subsignature of Sig [SP 0 ]
ISig[SP ] is dened,
and ffrggAdmissible(Sig [SP 0 ];Sig [SPA ]) jSig
[SP A ]
instantiate (SP ; SP 0) by SP A t r
is a specication.
To be able to interpret this modied kernel language and explain its wellformedness conditions, we need to construct a symbols out of raw symbols somehow. At the symbol level this is easy: just put
ffRSYs gg = fSY 2 Sym jSY matches some RSY 2 RSYs g
Now let us concern the level of maps. A rst step is to extend the matching
relation from symbols to maps as follows: Given a symbol map h Sym Sym
and a raw symbol map r RawSym RawSym , we say that h matches r if
{ For all RSY 2 dom0(r), there exists some
SY 2 dom(h) matching RSY
{ For all (RSY ; 0RSY ) 2 r and (SY ; SY 0) 2 h, SY matches RSY implies SY 0
matches RSY .
However, the matching relation between symbol maps and raw symbol maps
does not suce to achieve our goal. This is illustrated by an example that lives in
the CASL institution (this institution is formally dened in section 6). Consider
the signatures
Signature sorts operation symbols
s; u f : s ! s; f : u ! u
0 t; v g : t ! t; f : v ! v
00 t; v g : t ! t; g : v ! v
Let r be the raw symbol map f(s; t); (u; v); (f : s ?! s; g)g. We are looking for
a symbol map that both matches r and is admissible for (admissibility has
been dened in section 4.2). Now there are at least two symbol maps satisfying
these constraints, namely
h = f(sort s; sort t); (sort u; sort v); (f : s ?! s; g: t ?! t); (f : u ?! u; f : v ?! v)g
k = f(sort s; sort t); (sort u; sort v); (f : s ?! s; g: t ?! t); (f : u ?! u; g: v ?! v)g
Admissibility of h and k can be seen by noticing that h indeed is a signature
morphism from to 0 , while k is a signature morphism from to 00 .
How to distinguish h as the symbol map that we want? Neither of h and k
map f : u ?! u identically, but h maps it to a symbol with the same name. This
can be formalized in an arbitrary institution with qualied symbols as follows:
The core of a symbol map is dened to be
core(h) := f(SY ; SY 0 ) 2 h j SY does not have the same name as SY 0 g
13
(Note that by the denition of institution with qualied symbols, each symbol
has a unique name.) With this, we can dene a pre-order relation on the set of
symbol maps by putting
h h0 i core(h) core(h0 )
For the above example, we have h k but not vice versa, since (f : u ?!
u; g: v ?! v) 2 core(k) n core(h).
Given a set of admissible symbol maps Ad and a raw symbol map r, we now
can dene the associated symbol map ffrggAd to be the least element of the set of
all symbols maps that match r and are in Ad, provided this least element exists
and is unique. Otherwise, ffrggAd is undened. (Note that in a pre-order, there
may be several least elements.) The function ff ggAd now admits to interpret
the modied kernel language, by just replacing each raw symbol map r by the
corresponding symbol map ffrggAd.
Before doing this, however, we rst have to construct an institution with
symbols out of an institution with raw symbols. We do this by dening, for a
given institution with qualied symbols, the map Ext which is required in the
denition of institution with symbols. Recall that Ext is needed for the semantics
of instantiations of generic specications (see section 4.4). We here dene Ext in
such a way that it implements the automatic renaming of compound identiers
that is used in CASL to prevent name clashes between dierent instantiations
of one and the same generic specication.
The function Ext takes two signatures (the formal and the actual parameter
signature) and a symbol map (the tting symbol map) and delivers a symbol map
again (the symbol map modied by the mechanism to rename compound identiers). We want to rename the components of compound identiers according to
the tting map. Since the tting map is a symbol map, while the component of
compound identiers are just identiers, we need the machinery of raw symbols
to link these concepts properly:
Given a symbol map h Sym Sym , dene
Ext(; 0 ; h) = ffrggAdmissible(;0 )
where
r = (SymAsRawSym SymAsRawSym )(h)
[f(IDAsRawSym(id[ci1; : : : ; cin ]); IDAsRawSym(id[ci01 ; : : : ; ci0n ]))
j some SY 2 j j matches IDAsRawSym(id[ci1 ; : : : ; cin])
and (cii ; ci0i ) 2 h0 for i = 1; : : : ; ng12
12
The union may lead to non-functionality (and, therefore, undenedness of the instantiation of the generic extension, because the raw symbol map does not induce
a signature morphism), if a compound identier is mapped both explicitly by the
tting morphism and implicitly by the extension mechanism.
14
and
h0 = f(Ident; Ident0 ) j Ident; Ident0 2 ID;
(SY ; SY 0 ) 2 h;
SY matches IDAsRawSym (Ident);
SY 0 matches IDAsRawSym (Ident0 )g13 :
It is obvious that h Ext(; 0 ; h), thus we get:
Proposition 5.1. From each institution with qualied symbols, we get an insti-
tution with symbols by letting Ext be dened in the above way and by forgetting
the sets of raw symbols and of identiers and the functions associated with them.
With this, we now can interpret kernel language with raw symbols in an
arbitrary institution with qualied symbols. Most constructs are the same as
for institution with symbols; thus we interpret them in the associated institution with symbols (see proposition 5.1). Translation and instantiation have a
new form; we interpret them by translating them to the kernel language for
institutions with symbols:
ffh; igg = h; i
ffSP and SP gg = ffSP gg and ffSP gg
1
2
1
2
ffSP with rgg = SP with ffrggAdmissible Sig SP
(
[
])
ffSP reveal RSYs gg = ffSP gg reveal ffRSYs gg \ Sig [SP ]
ffSP hide RSYs gg = ffSP gg hide ffRSYs gg \ Sig [SP ]
ffinstantiate (SP ; SP 0 ) by SP A t rgg =
instantiate (SP ; SP 0) by SP A t ffrggAdmissible Sig SP 0 ;Sig SPA
(
[
]
[
])
Again, we can dene Sig and Mod on the kernel language with raw symbols
using the above translation:
Sig [SP ] = Sig [ffSP gg] (= Sig [[[ffSP gg] )
Mod [SP ] = Mod [ffSP gg] (= Mod [[[ffSP gg] )
What if we want to use the kernel language for institution with qualied
symbols, but only have an institution with symbols at hand?
13
Notice that h may fail to be a function even if h is one, destroying the denedness of
the instantiation of a generic extension. In the CASL institution, this may happen,
for example, if two dierent proles of a function are mapped to dierent names,
and the function name occurs in a compound identier.
0
15
Proposition 5.2. For each institution with symbols closed under compound
symbols, i.e.
for id; ci1; : : : ; cin 2 Sym ; also id[ci1 ; : : : ; cin] 2 Sym ;
there is an institution with qualied symbols corresponding to no possible qualications.
Note that the Ext component is forgotten during this constructions; it gets
replaced by a specic Ext as dened above when interpreting the kernel language
for institutions with qualied symbols.
6 CASL as an institution with (qualied) symbols
We here concentrate on the category of CASL signatures and signature morphisms, together with the symbol functor. Sentences, models and satisfaction
are described in the CASL semantics [5] in detail, we leave them out here since
they do not really matter in this context.
6.1 CASL as an institution with symbols
Let ID be a xed set of identiers. A CASL signature = (S; TF ; PF ; P; )
consists of:
{ a set S ID of sorts, together with a pre-order { two S S -sorted families TF = (TF w;s)w2S;s2S and PF = (PF w;s)w2S;s2S
of total function symbols and partial function symbols, respectively, with
TF w;s ID PF w;s ID and such that TF w;s \ PF w;s = fg, for each
(w; s) 2 S S (constants are treated as functions with no arguments)
{ a family P = (Pw )w2S of predicate symbols with Pw ID
We write f : w ?! s 2 TF for f 2 TF w;s , f : w ?! s 2 PF for f 2 PF w;s and
p : w 2 P for p 2 Pw .
For a subsorted signature, = (S; TF ; PF ; P; S ), we dene overloading
relations F and P , for function and predicate symbols, respectively:
Let f : w1 ! s1 ; f : w2 ! s2 2 TF [ PF , then f : w1 ! s1 F f : w2 ! s2
i there exist w 2 S with w w1 and w w2 and a common supersort s of s1
and s2 .
Let p : w1 , p : w2 2 P , then p : w1 P p : w2 i there exists w 2 S with
w w1 and w w2 .
Given signatures = (S; TF ; PF ; P; ) and 0 = (S 0 ; TF 0 ; PF 0 ; P 0 ; 0 ), a
signature morphism : ?! 0 consists of
{ a map S : S ?! S 0,
TF : TF w;s ?! TF 0 S
14
{ a map w;s
(w);S (s) for each w 2 S ; s 2 S ,
14
S is the extension of S to nite strings
16
0
PF : PF w;s ?! PF 0 S
{ a map w;s
w ;S s [ TF S w ;S s , and
{ a map wP : Pw ?! P0 S w for each w 2 S ,
such that the subsort relation and the overloading relations F and P are
( )
( )
( )
( )
( )
preserved by S .
Let the set Sym of symbols be the set
t
ID [ffws
j f; s 2 ID; w 2 ID g[ffwsp j f; s 2 ID; w 2 ID g[fpw j p 2 ID; w 2 ID g
The functor j j maps a signature = (S; TF ; PF ; P; ) to the set j j =
fs j s 2 S g [ ffwst j f 2 TF w;sg [ ffwsp j f 2 PF w;s g [ fpw j p 2 Pw g
Given a signature morphism : ?! 0 , jj maps a symbol of form s 2 ID
t to TF (f )t
p
to S (s), a symbol of form fws
w;s S (w) S (s) , a symbol of form fws to
p
PF
P
w;s (f )S (w)S (s) , and a symbol of form pw to w (p)S (w) .
For simplicity, let Ext(; 0 ; h) just be h (a better Ext will emerge when
considering CASL as an institution with qualied symbols).
Proposition 6.1. The above gives us CASL as an institution with symbols.
Let us now examine how the various constructions needed for the semantics
of the kernel language look in CASL.
Proposition 6.2. In the CASL institution, the following are equivalent for a
subsignature of 0 :
1. is a full subsignature of 0 .
2. inherits from 0 all the subsort requirements concerning the sorts of ,
i.e. =0 \(S S ).
We now have the following
Proposition 6.3. In the CASL institution, for any set SYs j j, there is a
signature generated in by SYs.
Proposition 6.4. In the CASL institution, for any set SYs j j, there is a
signature co-generated in by SYs.
Proposition 6.5. In the CASL institution, given two signatures = (S; TF; PF;
P; ) and 0 = (S 0 ; TF 0; PF 0 ; P 0 ; 0 ) and a signature morphism : ?! 0 , the
following are equivalent:
1. is nal.
2. jj is surjective, detects totality (i.e. f 0 : w0 ?! s0 2 TF implies that there is
TF (f ) = f 0 ); and 0 is the least pre-order on
some f : w ?! s 2 TF with w;s
0
S satisfying
S (s1 ) 0 S (s2 ) if s1 s2
17
Given two signatures 1 = (S1 ; TF1; PF1 ; P1 ; 1 ) and 2 = (S2 ; TF2 ; PF2 ;
P2 ; 2) their union 1 [ 2 = (S; TF; PF; P; ), is dened by
{ S = S 1 [ S2
{ XF (ws) = XF1(ws) [ XF2(ws) for XF 2 fTF; PF g and ws 2 S S .
Here, if in XF1 (ws) [ XF2 (ws) one of both sides is undened, it counts as
the empty set.
{ P (ws) = P (w) [ P (w) for w 2 S . Again, if in P (w) [ P (w) one of both
sides is undened, it counts as the empty set.
{ = [
The union exists i [ is a signature i TF (ws) \ PF (ws) = ; for all
ws 2 S S . Otherwise, the union is undened.
Proposition 6.6. In the CASL institution, given two signatures and such that [ exists, the sink (j1 jj1j[j2j ; j2 jj1j[j2j ) has a unique
1
1
2
1
2
2
1
2
1
1
2
2
minimal lift, namely (1 1[2 ; 2 1 [2 ).
Let F and P denote the transitive closures of the overloading relations
F and P , respectively.
Proposition 6.7. In the CASL institution, signature morphisms preserve F
and P .
Proposition 6.8. In the CASL institution, for a union 1 [ 2, the following
are equivalent:
1. The union is nal.
2. The relation F 1 [2 of 1 [ 2 is the transitive closure of the union of the
relations F 1 and F2 (and similarly for P ).
6.2 Alternative denition of a CASL institution with symbols
The above denition is not the only natural way to turn the CASL institution
into an institution with symbols. The other natural way would we to throw out
p , and use symbols of form f t for both total and partial
symbols of form fws
ws
operation symbols.
The eect would be the following:
{ Subsignature inclusions may change a partial operation symbol in the subsignature to a total operation symbol in the supersignature, and only full
subsignatures inherit totality.
{ Unions of signatures are always dened. An operation symbol in the union
is total i it is total in one of the signatures that are united.
Whether one choses the rst or second variant of CASL as an institution with
symbols, is mainly a matter of taste. In the CASL semantics, the rst version
is chosen. The second version has the nice consequence that unions are always
dened.
18
6.3 CASL as an institution with qualied symbols
The set of compound identiers in CASL is dened by just closing some given
set SIMPLE-ID of simple identiers under formation of compound identiers, i.e.
ID is the least set with
SIMPLE-ID ID
for id; ci1 ; : : : ; cin 2 ID; also id[ci1 ; : : : ; cin ] 2 ID;
The set of raw symbols is dened by
RawSym = Sym ] (SymKind ID)
where SymKind = fimplicit ; sort ; fun ; pred g. We write SY sym 2 RawSym for
SY 2 Sym and (k; Ident) 2 RawSym for k 2 SymKind and Ident 2 ID.
Both identiers and symbols can be regarded as raw symbols using the injections IDAsRawSym : ID ?! RawSym and SymAsRawSym : Sym ?! RawSym
dened by
IDAsRawSym (Ident) = (implicit ; Ident)
and
SymAsRawSym (SY ) = SY sym
The matching relation
matches Sym RawSym
between symbols and raw symbols is the least relation satisfying
s matches (implicit ; s),
s matches (sort ; s), for s 2 sort,
t matches (fun ; f ),
t matches (implicit ; f ),
fws
fws
p
p matches (fun ; f ),
fws matches (implicit ; f ), fws
pw matches (implicit ; f ),
pw matches (pred ; f ),
SY matches SY sym for SY 2 Sym .
Proposition 6.9. The above denition turns CASL into an institution with
qualied symbols.
Note that by Proposition 5.1, we also get an institution with symbols out of
this. It is the same institution with symbols as the one dened in section 6.1,
except from the function Ext. The Ext function in the present case ensures a
treatment of compounf identiers within instantiations as it is in CASL.
7 Conclusion and Future Work
We have dened a kernel language for CASL structured specications, which
allows us to deal with symbols and symbol maps in a convenient way, instead of
taking signature morphisms as a primitive notion. This has the advantage that
the user has full control over the name space, and the transition from a symbol
map to a signature morphism can be described in an institution-independent way.
19
The kernel language can be interpreted over an arbitrary but xed institution
with symbols. For coping with overloading, we also have dened a notion of
institution with qualied symbols. We show how these notions specialize to the
CASL institution. Since the structure required by an institution of (qualied)
symbols is just a bit of syntax, it can be expected that nearly any institution
can be extended to an institution with (qualied) symbols.
The work presented here has been the basis of the semantics of CASL structured specications [5]. Thus, it is possible to use CASL structured specications
practically for any institution, the only easy-to-fulll requirement being to equip
the institution with a symbol structure.
Future work (jointly with Andrzej Tarlecki) will extend the kernel language
and the notion of institution developed here to deal with the problems of sharing, which occurs in (the semantics of) CASL architectural specications. It is
also planned to implement an institution-with-symbols static analysis of CASL
structured specications.
Acknowledgements Thanks to all participants of the CoFI semantics group
(and the rst reader of the semantics, Sasha Zamulin). In particular, I wish to
thank Andrzej Tarlecki for numerous fruitful discussions and comments.
References
1. J. Adamek, H. Herrlich, and G. Strecker. Abstract and Concrete Categories. Wiley,
New York, 1990.
2. F. Borceux. Handbook of Categorical Algebra I { III. Cambridge University Press,
1994.
3. V. E. Cazanescu and G. Rosu. Weak inclusion systems. Mathematical Structures
in Computer Science, 7(2):195{206, Apr. 1997.
4. CoFI. The Common Framework Initiative for algebraic specication and
development, electronic archives. Notes and Documents accessible from
http://www.brics.dk/Projects/CoFI.
5. CoFI Semantics Task Group. CASL { The CoFI Algebraic Specication Language
{ Semantics. Note S-9 (version 0.95), in [4], Mar. 1999.
6. H. Ehrig and B. Mahr. Fundamentals of Algebraic Specication 1. Springer Verlag,
Heidelberg, 1985.
7. J. A. Goguen and R. M. Burstall. Institutions: Abstract model theory for specication and programming. Journal of the Association for Computing Machinery,
39:95{146, 1992. Predecessor in: LNCS 164, 221{256, 1984.
8. T. Mossakowski. Cocompleteness of the CASL signature category. Note S-7, in
[4], Feb. 1998.
9. D. Sannella and A. Tarlecki. Specications in an arbitrary institution. Information
and Computation, 76:165{210, 1988.
10. D. T. Sannella and A. Tarlecki. Extended ML: an institution-independent framework for formal program development. In Proc. Workshop on Category Theory
and Computer Programming, volume 240 of Lecture Notes in Computer Science,
pages 364{389. Springer, 1986.
© Copyright 2026 Paperzz