Development Workspaces: an introduction 1

Development Workspaces: an introduction T. Dimitrakos and T.S.E. Maibaum Department of Computing, Imperial College, London SW7 2BZ ftd, [email protected] Abstract

Interpolation and schematic reasoning underlie critical and somewhat complementary aspects of the design and manipulation of speci cation modules. Unfortunately, many formalisms that have been used in formal approaches to software engineering lack uniform interpolation and do not directly support schematic reasoning. This paper presents the skeleton of a novel general construction for extending conservatively a base entailment system E to an entailment system E such that E provides a uniform presentation of interpolants for entailments between E -sentences and supports the precise logical encapsulation of uniform schemata on E . This conservative extension is presented by means of a Subentailment system hE ; J : E !E i called a Development Workspace on E . spec

dev

dev

spec

spec

spec

spec

dev

spec

1 Introduction There is a well established relation between interpolation [6, 21, 31, 2] and modularity properties of re nement via implementations (eg., [12, 11, 10] and [22, 23, 41, 38, 40, 39]) and databases [24]. Also, some operations of module algebras [4] have been linked directly with a \splitting" version of interpolation ([28] discussing an earlier version of [4]), and the behaviour of the language restriction (also \information hiding" in [8]) is associated in [11, 13, 10] with an interpolation property of the speci cation formalism. Furthermore, the presence of uniform interpolants facilitates formal reasoning and syntactic manipulations in all these cases (as is explained in [10] and [11]). On the other hand, uniform schemata, ie. schemata whose application conserves consequence through language expansions (like equality schema, mathematical induction, the classical Hilbert-style axiomatisations, etc.) can be used for describing general properties of abstractions of \hidden" data [13], and they play an important role in the detection and manipulation of parameterisation and parameter instantiation [10]. Unfortunately, many common formalisms, including those traditionally used in logical and algebraic approaches to re nement or databases lack the desirable interpolation properties, and schematic reasoning is often exogenous. To compensate for this inadequacy we seek methods to expand a speci cation formalism so that an adequately strong version of the critical interpolants becomes available and uniform schemata are made logical. Our intention is neither to substitute meta-reasoning, not to develop a formal meta-theory of interpolation. It is merely to internalise{ in a uniform and well-founded way { some fundamental meta-logical statements (such as abstraction and generalisation of expressions in an object language) that associate derivability with linguistic transformations. The paper is structured as follows: Uniform interpolants, uniform schemata and the employed General Logics framework [25] are reviewed in section 2. For more on the signi cance of uniform interpolants and uniform schemata for manipulatingspeci cation modules see [11, 10] and [13, 10], respectively. The skeleton of a generic (ie., notation/semantics-independent) 1

method to extend conservatively a \speci cation" formalism Espec to a \development" formalism Edev so that an adequately strong, uniform presentation interpolants for entailments between Espec-sentences is obtained and uniform schemata over Espec -syntax become logical, is presented in section 3. For a detailed analysis of this extension with emphasis on the salient characteristics of the resulting entailment, proofs and indicative examples see Chapter 6 of the rst author's Ph.D. thesis [10].

2 Preliminaries

De nition 2.1 [General Logic] A General Logic [25] L = hSign; gram; ` , sem; j=I i provides an abstract presentation of a E

formal logic, consisting of 1. a category Sign of signatures; 2. a functor gram:Sign!Set, that assigns to each signature  the set of sentences/wellformed-formulae built over  ; 3. a Sign-indexed family of binary relations (entailment) ` , such that, `  2gram( )  gram() is re exive (ie., f'g` '), monotonic (ie., if ? 
and ?` ' then
` '), transitive (ie., if
` ' and ?`  , for all  2
, then ?` '), and stable under translation (ie., for every i:1 !2 in Sign, if ?`1 ' then ?i `2 'i ); 4. a functor sem:Signop ?! Cat which assigns to each signature the corresponding category of models (notice the reverse direction of the arrows); 5. a Sign-indexed family of binary relations j=I (satisfaction), such that for each i:1 !2 in Sign the following condition j=-invariance: sem(i)(A2 )j=I1 ' i A2 j=I2 'i ; E

E

E

E

E

E

E

E

E

E

holds for all objects A2 of sem(2 ) and any ' 2 gram(1 ). 6. a soundness condition holds, ie., if ?` ' then ?j=I ' (?j=I ' i Aj=I ' for every model A in sem( ) such that Aj=I for all 2 ?, ie., by abuse of language we use the same symbol for the satisfaction relation and the notion of consequence between sentences that is de ned it. The intended use of the j=I symbol is always be clear from the context.). where for each translation i:1 !2 and  2 gram(1 ) the writing of  i 2 gram(2 ) denotes the image of the formula  under the translation induced by i. Analogously, if
 gram(1 ) then
i = f i :  2
g. Finally, ?`
for ?;
 gram( ) means ?`  for each  2
. E

E

E

In addition, a General Logic is complete when ?` ' if ?j=I ', and compact when ?` ' implies that there is a nite ?'  ? such that ?' ` '. De nition 2.2 [Grammar, Entailment System and Institution] The tuple G =hSign; grami is the Grammar, which presents the language(s) of L; the triple E =hSign; gram; ` i is the Entailment System [25, 14, 16], which presents the logical consequence; and the quadruple I = hSign, gram, sem, j=I i is an Institution [18, 25, 29, 36], E

E

E

E

which presents the semantical consequence.

The notation G [E ], G [I], etc., may be used to denote the Grammar associated with an En-

tailment System E , an Institution I, etc.

2

As is explained in [10] (also noted in [25]), the presentation of logical consequence by means of an Entailment System E =hSign; gram; ` i is independent of the means by which it is actually de ned (eg. proof-calculus, satisfaction system, forcing, etc.). The usefulness of the Entailment Systems framework stems from its power of abstraction. By analysing properties and describing development frameworks by means of Entailment Systems, one gains generality: Every concrete development framework that de nes the same notion of logical consequence is a candidate for being used in applications. A special class of Entailment Systems are the 1-canonic Entailment Systems [10] which have the following additional characteristics: (1.) Sign is nitely cocomplete; (2.) signatures are constituted by symbols, ie. (Sign,symb) is a concrete category [1, 17] on Set;1 (3.) subsignature morphisms, ie. embeddings of subobjects in Sign, are pushout-stable; (4.) subsignature morphisms lift to language embeddings, ie. if e:1 !2 is a subsignature morphism then gram(e):gram(1 )!gram(2 ) is a language embedding; (5.) language embeddings conserve entailment, ie. if e:1 !2 is a subsignature morphism, then ?`1 ' i ?e `2 'e ; (6.) there is a xed logical component log which includes the logical symbols (such as, variables, labels, quanti ers, modalities, connectives, etc.) and gram( ) is recursively generated by each  in Sign and log . A detailed analysis of 1-canonic Entailment System is presented in [10] where a large class calculi are shown to give rise to 1-canonic Entailment Systems, including the most popular calculi in both mathematical and computer science logics (such as, equational and classical/intuitionistic logics of any order and their many-sorted variants, most common modal and temporal logics, dynamic logic, etc.) De nition 2.3 [Interpolation] E

E

E

An Entailment System E possesses Craig-Robinson Interpolation (CRI) i for every pushout diagram D in Sign and every A  gram(A ), B  gram(B ), ' 2 gram(B ), such that Ai [Be `C 'e , there is a set I(A;B;';D)  gram(R ) of interpolants such that: i 1. A`A Ie (A;B;';D), A C 0

0

E

0

0

E

2. Ii (A;?;';D)[B`B '.

e

E

Craig Interpolation (CI) is possessed when the above hold for at least B = ?. R

e

D

i

0

B

Notice the use of the pushout construction to capture the idea that the interpolants are in a \shared" language, which is required for stating the property (as in [36]). Also notice that the emphasis is on the extra-logical shared symbols: It is extra-logical symbols of the shared language (on R ), that should appear in both the source language of the principle assertions A (on sign|specA) and the source language of the secondary assertions B and the entailed sentence '. The logical operators that appear in the interpolant I(A;?;';D) may or may not appear in any of A, B and '. If E is compact then, for each ', the set of interpolants is nite. If there is also a deduction theorem for E then the set of interpolants I(A;B;';D) can be viewed independently of B. In this case CRI and CI collapse.2 Finally, if E is a weakly structural -Institution [16] then some structural axioms on D need to be taken into account. (See [16] and [10].)

1 A concrete category (C,f ) on B is of a category C and a forgetful functor f :C!B. An embedding of subobjects is an initial arrow e of C such that f (e) is a monomorphism of B. 2 A property similar to CRI rst appeared explicitly in the literature in [21] where it was established for the intuitionistic propositional calculus (see also [2]). \Maehara Interpolation" { a term now commonly used in sentential logic{and CRI coincide (at least) for calculi on propositional and predicate languages. In the computer science literature the terms \Splitting", \Strong" and \Pushout" Interpolation have been used to designate either precisely the same or similar (ie., equivalent for calculi on propositional and predicate languages) properties as CRI (see [28, 36, 15, 8] and [16] among others). Finally, the term CRI originally appeared at Shoen eld's book [31] and recently reappeared in [39] and [11, 9]. In the particular case of classical rst order logic, a (highly non-deterministic) algorithm to generate interpolants for a derivation D using Unskolemization and Resolution is presented in [5].

3

CRI is strongly related with Modularisation (MP). The latter is a structural property of the category of speci cation and speci cation morphisms on an Entailment System E , with signi cant importance for speci cation design, parameter instantiation and re nement by means of implementation steps [37]. The role of MP in speci cation theory has been analysed in [23, 38, 15, 38, 39, 12, 10], and in more recently in [9, 11, 10] from the perspective of uniformity. The Modularisation property (MP) is captured in the Entailment Systems framework as the preservation of conservative extensions under pushouts in the category of speci cations and speci cation morphisms (\theory interpretations"): hA Ai hC Ai [Be i If e:hR ; Ri!hA ; Ai is a conservative extension and D is D a pushout diagram in the category of theories of E then 0 i e e :hB ; Bi!hC ; A [B i is also a conservative extension. hR Ri hB Bi 0 i

;

;

0

0

e

0

0

e

0

;

;

i

Proposition 2.1 An Entailment System E possesses CRI i E possesses the MP. The above equivalence was put forward in [23] and proved in detail in [38] for rst order speci cations. In [10] it is proved for the general case of an 1-canonic Entailment System. Interpolants which are independent of (the logical structure of) the conclusion of a derivation are called uniform. De nition 2.4 [Uniform Interpolant] Given a pushout diagram D in the category of signatures, and A  gram(A ), B  gram(B) we say that interpolants have a uniform presentation i there is a set of interpolants I(A;B;D) such that: (1). A`A Ie (A;B;D), E

(2). I(A;B;D)`R I(A;B;';D) for every ' 2 gram(B ), and (3). I(A;B;D) is nite whenever A is nite. (ie. for each assertion  2 A there is a nite set of interpolants which is stronger than any other interpolants and independent of ') E

De nition 2.5 [Uniform Interpolation] E possesses Uniform Craig-Robinson Interpolation (UCRI) i for every A, B and D there is a uniform presentation I(A;B;D) of the Craig-Robinson interpolants. Consequently, E possesses Uniform Craig Interpolation (UCI) i for every A, B and D there is a uniform presentation I(A;?;D) of the Craig interpolants. Uniform interpolants provide a tractable presentation of submodules (restrictions to a sublanguage) of speci cations [13, 10] and assist in deriving proof obligations that are used to establish the correctness of the design, parameterisation and re nement of speci cation modules [11, 10]. Calculi that possess a uniform version of interpolation include classical propositional logic, (Heyting's) intuitionistic propositional logic [26], Lob's logic (GL) [30], Gregorczyk's logic (S4Grz) [42], polymodal (Hennessy-Milner) logic, -calculus [7], classical and intuitionistic second order predicate logics with predicate variables of all arities. Calculi that do not possess a uniform version of interpolation include propositional dynamic logic, (conditional) equational logic, classical and intuitionistic rst order logics, S4, in nitary modal logic, L!1 ! (ie., in nitary classical rst order logic), and monadic second order logic. An immediate consequence of Uniform interpolation is that the restriction R of a nitely axiomatisable theory A to a sublanguage R has some nite R -axiomatisation: A R -sentence ' belongs to R i I(A;?;e)`R '. (Since restrictions of theories and (syntactically) conservative extensions are dual concepts, virtually the same necessary and sucient E

4

condition constitutes a proof obligation for characterising an extension as conservative: Given that e:R !A denotes a subsignature morphism, a speci cation A=hA ; Ai is a conservative extension of R=hR ; Ri through e i (1.) A extends R, ie., A`R Re , and it (2.) R axiomatise the R -module of A, ie., R`R I(A;?;e). See [11, 10] for details.) The above equivalence can also be used for proving that a logic lacks Uniform interpolation: It suces to nd a speci cation A on A and a subsignature R on which A has a ( nitely) unspeci able restriction. Such a counterexample for rst order logic is given by restricting the speci cation of a dense linear order to the language of equality. Similar counter-examples can be found easily for equational logic, in nitary logic (L!1 ! ), propositional dynamic logic, monadic second order logic, etc. A schema is \an outline or image universally applicable to a general conception, under which it is likely to be presented to the mind". This perception of schematic representation originates in Kantian philosophy and has been exploited in [19] (see also [27]). A schema in mathematical logic is a method of representing a possibly in nite number of ws, of some object language by using metalinguistic expressions that take object language as substitution instances. In that sense, a schema is a linguistic meta-form indexed by the (category of) languages in which the language of a \base" signature R is embedded. R comprises the (\object") symbols that appear xed in the schema. Schemata cannot be identi ed with a(ny) concrete set of sentences in the language of some particular (\object") alphabet. De nition 2.6 [Uniform Schema] E

E

A schema USch is called uniform i its instantiations conserve (logical) consequence along language expansions.

Common examples of uniform schemata include the ( rst order) mathematical induction schema, the equality schema, the usual Hilbert-style axiomatisations of propositional (modal) logics, the (second order) comprehension schema, etc. Uniform schemata assist in encapsulating and reasoning with general properties of data that can be hidden, based on the accessible information. As is explained in [13], the ability to encapsulate and syntactically manipulate uniform schemata may assist in reasoning with general properties of sharing or interaction of information that is possibly hidden in a module.

3 Development Workspaces

In this section we novel generic method for conservatively extending the 1-canonic Entailment System Espec of a \speci cation" formalism to a \development" formalism Edev , so that uniform interpolants for entailments between Espec -sentences become available and uniform

Espec -schemata are precisely encapsulated into Edev -sentences. This extension is presented

by means of a Subentailment System called a Development Workspace, and seems to be suitable for (1.) a (theoretical) framework where precise formal encapsulations of the desired modularity properties can be studied, (2.) an abstract construction providing insights and inspiration for extending concrete calculi and satisfaction systems, and (3.) a classi er for detecting the adequacy of extensions which attempt to \ x" modularity problems of concrete calculi and satisfaction systems. Uniform interpolants and uniform schemata are in a sense dual from the perspective of modularity: One may talk about the consequences of some particular hidden data in the accessible language of a module using uniform interpolants (when these are available), whereas one can talk about general properties of data that can appear in an arbitrary context that encloses the accessible data as a module (when logical encapsulations of uniform schemata are tractable). The main feature of the construction is the extension of the speci cation formalism with special (logical) operators for abstracting and generalising Espec -expressions, such that uni5

form interpolants are associated with result of such abstraction and uniform schemata are associated with the result of such generalisations. The latter involves the augmentation of the speci cation grammar with new \development" variables { n to abstract linguistic structure of Espec-expressions of type n. The new logical operators are interpreted as follows:

{ n \for all linguistic expansions L0 (within the speci cation formalism) of the language L and for every n-ary formula { n in L0 : : :"; 9 { n \for some linguistic expansions L0 (within the speci cation formalism) of the language L, there is some n-ary formula { n in L0 such that : : :". The presentation of the extension J :Espec!Edev is divided into the following tasks: Grammatical Expansion: G[Espec] is expanded to the development grammar by appending 8

new \development" variables and new quanti er-like operators to bind the \development" variables. A lambda abstraction operator is also added in order to associate Espec-formulae with Edev -terms. Induction of \logical" semantics: A form of a sound and complete semantics for Espec is given by means of an Institution Espec. This Institution is then extended so that G [Edev ]models which interpret all G [Edev ]-statements are obtained. Finally a notion of satisfaction for G [Edev ] sentences is de ned and a satisfaction system Edev is obtained. Expanded logical consequence: A notion of logical consequence over the extended grammar G [Edev ] is de ned, based on the Edev -satisfaction and, thus, an Entailment System Edev is obtained.

3.1 Grammatical Expansion

The Espec grammar is expanded to the Edev grammar as follows: (i) The category of extra-logical alphabets (signatures) remains intact. One basic aim of the extension is to provide logical support for reasoning with abstractions and generalisations of Espec expressions. Had an augmentation of the extralogical part of G [Espec] been allowed, the new concrete substitution instances could disturb either the domain of the abstraction or the range of the instantiation and therefore destruct the behaviour the pursued abstraction and generalisation operations. (ii) An unlimited collection of new \development" variables ({in) of each type n are added and used as grammatical abstractions (\place-holders") of Espec-atomic primitives3. Note that, when abstracting, one should abstract Espec-atomic primitives rather than Especexpressions, so that the linguistic pattern abstracted formula is preserved. On the other hand, when instantiating, one may proceed by substituting a \development" variable { n by any compatible expression (ie., of the same type n). (iii) Two new logical operations 8 , 9 to bind the \development" variables are added. The purpose of these operators is to provide the means of expressing, on a signature R , generalisations{via 8 {and abstractions{via 9 {of Espec-formulae on signatures A that have R embedded. These logical operators resemble the structure dynamic modalities combined with quanti cation on Espec-expressions which is relativised on the (extra-logical) language expansions of R . The latter is emphasised by choice of symbols 8 as \8-in-box" and 9 as \9-in-diamond". 3 The term \atomic primitive" is used here loosely, in order to denote primitive syntactic entities. In that sense, an E -\atomic primitive" can be either a proposition or an atomic formula, a constant or a term consisting of only one appearance of an E -extralogical symbol. E.g., q, p(x1 ;x2 ), c, f (x), x1 = x2 , where q and p are predicate symbols, c and f are function symbols are \atomic primitives" whereas p(x1; f (x2)), 8x1p(x1;x2 ), f (c), x1 = c are not. spec

spec

6

(iv) A lambda abstraction operator to bind free speci cation variables is added: For every

formula [x1 : : :xn] in gramdev ( ) with x1 : : :xn free \speci cation" variables and such that neither 8 nor 9 appear in , the expression x1 : : :xn: is an n-ary \development" term in gramdev ( ). The purpose of the lambda-abstraction is to bind the free speci cation variables that may occur in a concrete Espec-instance and transform a free abstraction of such an instance to a \development" term that is then used as a Edev -grammatical entity that denotes a substitution instance for a (compatible) \development"-variable. This notion of substitution is distinguished from the substitution in Espec with which it is related as follows: (v) Free occurrences of n-ary \development" variables can be substituted by n-ary development terms by means of a \bound" substitution that reduces the redex, ie., { 2(t1 ; t2)[{2 7!x1;x2 :'[x1 ;x2 ]]  (' [x1; x2]) [x1 7!t1 ; x27!t2 ]  '(t1 ; t2) ; Note that the lambda-bound abstraction of development terms are always 8 , 9 -\free". In this sense they are terms denoting pure abstractions (idealisations) of concrete syntactical entities, and provide a common pattern for basic linguistic structure of the substitution instances. (vi) All formulae of gramdev ( ) are generated by (a)-(e) above.

3.2 The induction of \logical" semantics

A categorial technique to engineer semantics for the extended syntax such that an appropriate Entailment System Edev is conservatively de ned on top of Espec , is described in this section. These semantics are presented by means of an Institution Edev . For presentation purposes, the generation of Edev is divided in two phases: (1.) At rst, a certain type of sound and complete category-theory based semantics for Espec is induced. This semantics, which we call \logical" semantics,is presented by means of an Institution Espec. (2.) Then, the fundamental structure of a semantical interpretation (\development-model") of the extended syntax using the semantical entities of Espec(\speci cation-models") as the primitive structural constituents. Note that the construction does not aim to provide a mechanism for extending one particular proof calculus or a concrete satisfaction system, and that Espec has just an auxiliary role in the overall construction.

Inducing semantics for Espec

Espec is induced by associating the semantics of an Espec  -formula ' with the logical status of its linguistic transformations 'i for each i: !A . In terms of categories, this amounts to (a) identifying the category semspec() of \speci cation" models for  with the \slice" category [20, 3, 1] 0 =T heo[Espec], where 0 = h ; ?i denotes the initial theory (colloquially called the \empty" theory) on  and T heo[Espec] denotes the category of all Espec-theories; (b) identifying the model-reduction functor for each i:1 !2 in Sign with a functor i:h1 ; ?i=T heo[Espec] h2 ; ?i=T heo[Espec], which denotes composition with i on right. In this case, a the  \speci cation" model mA is associated with a theory interpretation mA :h ; ?i!hA; Ai (always with source h ; ?i) and a homomorphism between h:mA!mB 7

between two  \speci cation" models is conceived as a natural transformation of theory interpretations over h ; ?i as depicted below: Diagram in T heo[Espec] h ;?i

mA

hA ;Ai

Diagram in semspec ( ) h ;?i

mB h

h

mA

hA ;Ai

hB ;Bi

h ;?i

mB

hB ;Bi

A  -formula ' is satis ed by a model mA i the A -instance 'mA of ' is a theorem of the hA ; Ai logical theory over Espec . The functor sem:T heoop spec !Cat, which assigns to each theory S the category of S \speci cation" models of S, is formed analogously, and it is (categorially) equivalent to the slice category S=T heo[Espec]. Also, each theory interpretation i:S!T induces a functor i from T=T heo[Espec] to S=T heo[Espec]. A precise mathematical formulation of this semantics is given in [25] using a comma category [20, 3] construction in the general framework of Institution s, and it is further analysed in [10]. The quadruple Espec= h Sign,gramspec, semspec,j=Espec i is an Institution and that the derived notion of consequence j= spec coincides with ` spec . Hence, Espec gives rise to a complete General Logic LEspec =hSign; gramspec ; ` spec ; semspec; j=E i. Finally, the induced Institution Espec has some nice algebraic properties. Notably, Espec is (semi)exact and admits initial models [25, 10]. That Espec admits initial models (induced by the identity interpretation idA :hA; Ai!hA ; Ai) follows by the de nition of the category and that it is exact follows directly from the basic properties of a pushout, for recall that pullbacks in T heoop spec are pushouts in T heo[Espec]. Moreover, if T heo[Espec] has pushouts, then Espec is liberal. E

E

E

Elementary extension and model expansion in Espec

The notion of an expansion of a \speci cation" model in semspec( ) along a signature inclusion e:R ! can be de ned as the dual of model reduction: De nition 3.1 [Espec-model expansion] Let meA :h ; ?i!hA; Ai be a semspec (R )-model, e:R ! be a signature inclusion, and meA :h ; ?i!hA ; Ai be a semspec( )-model. Then, meA is an expansion of mA i mA is the semspec(R )-reduct of meA with respect to e. Since Espec-model reduction along e denotes composition with e on the right, the relation between expansions and restrictions of Espec models is characterised by that: mA = semspec(e)(meA ) = meA e Another, signi cantly important for the intended construction, notion of enlarging Especmodels is by means of \elementary extensions": De nition 3.2 [Elementary Espec-model extension] Given a subsignature inclusion e:R ! , the model meB e h  ; ? i hB ;Bi mB :h ; ?i!hB; Bi is an (elementary) extension of the model mA :hR ; ?i!hA ; Ai i there is a conservative extension em :hA ; Ai!hB ; Bi so that em mA =mB e, as em mB e is depicted to the right.

The R -reduct of meB is the semspec(R )-model mB = meB e.

8

hR ;?i

mA hA ;Ai

Note that the gramspec(R )-reduct mB of meB describes the R -oriented view of the property enlargement, by hiding most information regarding the change of base language that was carried by e:hR ; ?i!h ; ?i (viz., mB = meB e), and by emphasising on the R realisation of the property enrichment (mB =eB mA ). The gramspec(R )-reducts of Espec-model expansions are identical to their gramspec(R )-origin.

3.3 Engineering the \development" models

The categorial models for the G [Edev ]-syntax are obtained by associating each  -model m:h ; ?i!hM ; Mi of Espec with the space of the  -reducts of all elementary extensions of m. The resulting model is denoted by m and its structure is de ned as follows: (a) m has an initial object that is the model expansion of m via identity, ie. m; (b) if mA :h ; ?i!hA ; Ai is an object in m and meB :hX ; ?i!hB ; Bi is an elementary extension of mA , then the  -reduct mB :h ; ?i!hB ; Bi, such that eAB mA = mB = meB e, is an object of m and the T heo[Espec]-conservative extension eAB :mA !mB is an arrow of m; (c) All objects and arrows of m are generated by (a)&(b) above. By constructing a  -\development" model m of G [Edev ] by means of elementary extensions over an (initial) -\speci cation" model m:h ; ?i!hA; Ai of Espec, one guarantees conservation of j=Espec (resp. ` spec ): For every mA in m the set of  -sentences in gramspec ( ) that are satis ed (wrt. the Espec-satisfaction) on (the initial) m. By considering all elementary extensions of m, on the other hand, all language expansions of  are captured, and so the m arrows can be considered to encapsulate information about the variations (translationinstances) of Espec - sentences in all property and/or language enlargements that enclose the codomain theory of m as a part. Note that an Edev model m has a partial order structure: E

T heo[Espec] diagram h ;?i

mA hA ;Ai

e mB

hX ;?i

meB

eAB hB ;Bi

m accessibility h ;?i

mA

hA ;Ai



h ;?i

mB =(eAB mA ) hB ;Bi

A \development" model homomorphism h:m1 !m2 is a functor that preserves  4 . \Development"  -models together with \development" model homomorphismconstitute a category, and the semantics functor semEdev for hSign; gramdev i, assigns to each  of Sign this category (to which we refer by semdev ( )). Analogously, to each i:1 !2 of Sign, the functor semdev assigns a functor i:semdev (1 ) semdev (2 ) that denotes composition with i from the right. (For Espec-elementary extension is preserved under composition from the right, ie., model reduction along a signature morphism e.) Note that every \development" model homomorphism h:m1 !m2 reduces to a \speci cation" model homomorphism h:m1 !m2 , giving rise to a forgetful functor (
)spec : semdev ( ) !semspec ( ). \Speci cation" model homomorphisms, on the other hand, do not necessarily lift to \development" model homomorphisms. In fact, a \speci cation" model homomorphism h:m1 !m2 is associated with a \development" model homomorphism h:m1 !m2 4 h can be viewed as a functor by considering each \development" model m to be a partial-order category with m as an initial object.

9

i all (syntactically) conservative extensions over hM ; Mi are pushout-stable along h in T heo[Espec]. This is how the existing (not necessarily uniform) Espec -Craig-Robinson interpolants are detected. Notably, if Espec possesses (non-uniform) CRI, and Sign (therefore, T heo[Espec]) has pushouts, then every h:m1 !m2 of semspec( ) lifts to an homomorphism h:m1 !m2 between the corresponding \development"  -models, giving rise to an adjoint situation (
) (
)spec .

Extended satisfaction

The semantical interpretation of the \development" variables and the new operators on the above de ned models is presented by means of a satisfaction relation j=Edev which extends j=Espec as follows: Edev ' i m j=Espec 'mb oldA , conservativeness: if ' is an Espec -formula ' on  , then m j= A   for all mA in m. The condition is equivalent to that, for any Espec-formula ' on  and any \development" -model m in Edev , m j=Edev ' i m j=Espec ' whenever This is due to the fact that m has an Espec model m as an initial element and all arrows in m are induced by conservative extensions of theories. Hence, the gramspec ( ) which are satis ed by any mA in m are exactly the gramspec ( ) which are satis ed by m (wrt. j=Espec ). m satis es 8 {mn i for each m mA of m and each Espec -expression  on A of type n, A n [{ 7!] mAA j=Edev A A where mA is the semdev (A )-model induced by mAA :hA; ?i!hA ; Ai in semspec (A ). 9 m satis es 9 { n i for some m mA of m and some Espec-expression  on A of type mA n [{ 7!] n, mAA j=Edev A A where mA is the semdev (A )-model induced by mAA :hA; ?i!hA ; Ai in semspec (A ). The above interpretation of the 8 and 9 operators combines a language enrichment (via mA : !A ) with a property enrichment (via m!mA ) that conserves the gramspec ( ) properties of m. The instantiation of { n, in particular, is accomplished on a (possibly) larger space than the context of  , allowing substitution instances that are not directly conceivable by means of  . In both cases ( 8 and 9 ) the substitution instance of { n is required to be a -abstraction  of an Espec-expression, so that the logical complexity of is decreased (wrt. 8 , 9 )5 . 8

3.4 Extended entailment

The extended entailment Edev is de ned by means of the Edev -satisfaction: De nition 3.3 [The Edev Entailment System] Edev = hSign; gramE[Edev ]; ` dev i where the family of ` dev ofEentailment relations is de ned as ?`dev ' i mj=dev ', for each  -model m such that mj=dev , for all 2 ?. E

E

E

Clearly, `dev is conservative over `Espec . (For Espec is complete wrt. Espec and for each E dev ' 2 gramspec( ), mj= ' i mj=spec '.) Edev not only provides uniform interpolants for derivations between Espec-sentences, but also oers a simple syntactic pattern for their immediate production: E

E

Hence, for 1-canonic Entailment Systems with a nitary grammar, the actual search space for validating a G [E ]-theorem is constituted by a nite collection objects in m. For that the 8/ 9 -pre x will always be nite. 5

dev

10

Proposition 3.1 [Edev -uniform interpolants for Espec-derivations] For every pushout diagram D in Sign (with R a subsignature of A ) and every Especsentence on A there is an Edev -sentence # such that: i e A C (1). `dev # , and A 0

E

i dev e (2). for each Espec-sentence ' on B , if i `spec C ' then # `B '. 0

0

E

E

e

R

e

D

i

0

B

(3). Also, # = 9 {1n1 :: 9 {mnm [p17!{1n1 :::pm7!{mnm ], where fp1 ; ::; png is the dierence between  and e(R ).

Proof outline:For each Edev -entailment between Espec-sentences there is an Espec-entailment between the same sentences,E by conservativeness. Consider # as in (3). Then (1) is immediate for that mj=Edev  i mj=spec  and A is re exive in m. As for (2), it follows since if A A i E 0 dev m j=B # , then there is an m0 B m0X and some (p0i )i2I such that m0XX j=Edev #[{ ni 7!p0i ]. X Also m0X conserves the gramspec(B )-theorems on m0 and X (uniquely) interprets C [by mapping pi7!p0i]. See Chapter 6 of the author's Ph.D. dissertation [10] for details of the proof. The generalisation to nite sets of A -assertions, requires ( nite) conjunction { or equivalent { in the Espec syntax. But this raises no barrier; the addition of ( nite) conjunction is always conservative. Similarly structured Edev -interpolants work as above with arbitrary Espec -assertions on B as required for CRI, and when Espec possesses not-necessarily-uniform interpolation, Edev possesses UCRI in total. (See [10] for proofs and a further analysis.) Such a development workspace is given by instantiating the previously described construction over rst order logic. Example 3.1 [Uniform Interpolants] If Espec is rst order logic, then the Edev -presentation of the uniform interpolant, via abstraction of q, for (p^q)_r is 9 { 0((p^{ 0)_r), which is reducible to p_r. Also, the Edev presentation of the uniform for 8(x; y) (I(x; y)!O? (x; f (x) ; y; g (y) ; q (f(x); g(y))))), ?

via abstraction of f and q is 9 {i1 9 {j2(8x)(8y) I(x)!O x; {i1(x); y; g(y); {j2 ({i1(x); g(y)) ), which is not reducible to any rst order sentence . Similarly, for the dense linear order one needs to abstract the strict order symbol by an 9 bound 2-ary predicate variable, from the conjunction of the axioms.  Uniform schemata, on the other hand, are encapsulated by means of 8 -bound \development" variables: An R -assertion 8 {1n1 ::: 8 {knk ', where 8 and 9 do not occur in ', forces on each A that includes R , a Espec-instance '[n {1n1 7! &1 ; :::; {knk] for each k-uple &1 :::&k of Especn k 1 expressions on A (of the same type as {1 :::{k respectively). Moreover, an R sentence ) whenever '[{1n1 7!&1 ; :::; {knk `spec of Espec is a consequence of 8 {1n1 ::: 8 {knk ' (under `dev A R for arbitrary A that includes R and arbitrary &1 :::&k in A (of the same type with {1n1 :::{knk respectively). Hence, for every A that includes R , 8 {1n1 ::: 8 {knk ' `dev i A 8 { n1 ::: 8 { nk ' ` dev , ie., the encapsulated schema is uniform. R 1 k Example 3.2 [Uniform schemata]?
If Espec is CFOC then 8 { 1({ 1(0)^ 8x{ 1(x)!{ 1(succ(x)) !8x{ 1(x)) is a precise encapsulation of the rst order induction schema. (It is weaker than, say, second order induction, and if used (in the Development Workspace on CFOC ) as a substitute of the ( rst order) mathematical induction schema in Peano's axiomatisation of arithmetic, it generates a conservative extension of the rst order theory of Peano arithmetic.  E

E

E

E

11

4 Conclusion & Further Work

Many logics that have been used in re nement or databases lack the desirable interpolation properties and do not support direct encapsulations of uniform schemata [13]. In order to compensate for these inadequacies we seek for methods to expand a speci cation formalism so that an adequately strong form of the critical interpolants is obtained and the logical consequence is conserved. A potential breakthrough emerges from the inception of a Development Workspace. The latter is a Subentailment System [25] hEspec ; J i such that J :Espec ! Edev expands the Espec-syntax with additional logical operators, leaves the extra-logical symbols intact, and extends ` spec conservatively. The construction is such that not only does Edev provide uniform interpolants for entailments between Espec -sentences, but also, all these interpolants are instances (in Edev ) of a common syntactic pattern. The availability of a common syntactic form for all the crucial interpolants trivialises the usually complex process of deriving (uniform) interpolants. The latter is consistent with the insight of [26] and the remark of [7] that uniform interpolants have the same implicit (meta)form. It should be noted that, in our case, this common form is revealed in the formal syntax. Note that neither Espec nor Edev need to possess interpolation as a (global) meta-logical property. Though, the extension is such that Edev possesses uniform interpolants for entailments between Edev sentences. If Espec possesses (not-necessary-uniform) interpolation, on the other hand, then Edev possesses uniform interpolation in total. The use of the 9 operator in a Development Workspace presents conceptual analogies to the well-known \information hiding" of algebraic speci cation or the \derive" construct which is well known as an operation to build \structured speci cations". Note, however, that 9 is a logical operator in a \notation-independent" framework and, as such, it can be manipulated syntactically, participate in a rule-based reasoning system and be enriched axiomatically. Another related form of operation is the general \institutional" form of (meta) quanti cation based on signature extensions as presented by Tarlecki in [36]. From a slightly dierent perspective, a Development Workspace can also be viewed as a general method for forming a reasoning system over a space of (extra-logical) language expansions combining features of dynamic logic (transition along an action [viz. Language extension]) with built-in local quanti ers over extensions and modally restricted lambda-abstractors. As it has been mentioned already, the purpose of this paper is not to provide a technique for extending concrete proof-calculi of some style or speci c satisfaction systems so that uniform interpolants for the source entailments are available in the extension and uniform schemata for the source logic are objecti ed. It is rather to illustrate the feasibility of such extensions. Therefore, an extension of the satisfaction system of the source logic was considered and a proof theory for the extended logic was developed over the proof theory of the source logic. The existence of the required extension has been established by extending the (abstract form of) consequence captured by a (family of) entailment relation(s), and this process need not involve relating the means by which the entailment is de ned. Of course, an incarnation of the presented general methods for (re)engineering a concrete \speci cation" formalism in order to obtain an appropriate \development" formalism may require accomplishing both of these tasks (ie., relating the satisfaction system of Espec to an appropriate satisfaction system of with Edev and de ning a proof calculus of Edev on the basis of the proof calculus for Espec). But this is out of the scope of this paper and it is in fact a subject of on-going research. The pursued practical applications in Computer Science include the joint extension of systems development environments [35] and algorithmic design tools [32, 34, 33] so that more advanced and general manipulations of speci cation modules are supported. As is explained in Chapters 5 and 6 of [10] and in [11, 13] a Development Workspace can be used as the means of generating a back-end \development" formalism Edev for a given front-end \speci cation" formalism Espec , such that Edev accommodates easy-to-derive proof obligations that assist in the validation, synthesis and correct composition of sequential and parallel re nements, E

12

parameterisations, and parameter instantiations of speci cation modules over Espec.

References

[1] Jiri Adamek, Horst Herllich, and G. E. Strecker. Abstract and Concrete Categories. Pure and Applied Mathematics. John Wiley and Sons, New York, New York, 1990. [2] G. Takeuti. Proof Theory. North-Holland Publishing Co., Amsterdam, 1976. [3] M. Barr and C. Wells. Category Theory for Computer Science, volume 5 of Series in Computer Science. Prentice Hall International, 1990. [4] J.A. Bergstra, J. Heering, and P. Klint. Module algebra. ACM, 37(2):335{372, 1990. [5] Ritu Chadha. Applications of Unskolemization. PhD thesis, University of North Carolina at Chapel Hill, 1991. [6] W. Craig. Three uses of the Herbrand-Getzen theorem in relating model theory and proof theory. Journal of Symbolic Logic XXII, pages 269{285, 1957. [7] Giovanna D'Agostino and Marco Hollenberg. Uniform interpolation, automataand the modal -calculus, May 1996. Available at http://www.phil.ruu.nl/home/marco/. [8] Razvan Diaconnescu, Joseph Goguen, and Petros Stefaneas. Logical support for modularisation. In Gerard Huet and Gordon Plotkin, editors, Logical Environments, pages 83{130. Cambridge University Press, 1993. [9] T. Dimitrakos. Craig-Robinson interpolation Modularisation and the construction of re nements. In S. Jahnichen, J. Loeckx, D. Smith, and M. Wirsing, editors, Dagstuhl Seminar report No. 9710. TMREuroconferences, 1997. Abstract. [10] T. Dimitrakos. Formal support for speci cation design and implementation. PhD thesis, Imperial College, March 1998. Submitted. Copies available at http://www-tfm.doc.ic.ac.uk/td/MyThesis/. [11] T. Dimitrakos and T.S.E. Maibaum. Notes on re nement, interpolation and uniformity. In Automated Software Engineering{ASE'97, 12th IEEE International Conference, 1997. [12] T. Dimitrakos and T.S.E. Maibaum. On the role of interpolation in stepwise re nement. In Proceedings of the First Panhellenic Symposium on Logic, July 1997. [13] T. Dimitrakos and T.S.E. Maibaum. Uniformity, interpolation and module speci cation in a Development Workspace. Technical report, Imperial College, 1997. To appear in the proceedings of the Theory and Formal Methods '98 Workshop, April'98, Bath. [14] J.L. Fiadeiro and A.Sernadas. Structuring theories on consequence. In D. Sannella and A. Tarlecki, editors, Recent Trends in Data Type Speci cation, pages 44{72, 1988. [15] J.L. Fiadeiro and T.S.E. Maibaum. Stepwise program development in -institutions. Technical report, Imperial College, 1990. [16] J.L. Fiadeiro and T.S.E. Maibaum. Generalising interpretations between Theories in the Context of (-)institutions. In S. Gay G. Burn and M. Ryan, editors, Theory and Formal Methods, pages 126{147. Springer-Verlag, 1993. [17] P.J. Freyd. Concreteness. J. Pure Appl. Algebra, 3:171{191, 1973. [18] J. Goguen and Burstall. Introducing institutions. In E Clarke and D. Kozen, editors, Logics of Programming Workshop, LNCS 164, pages 221{256. Springer-Verlag, 1984. [19] Immanuel Kant. The critique of pure reason; The critique of practical reason and other ethical treatises; The critique of judgement. Great books of the Western world. 42 Britannica great books. WilliamBenton: Encyclopedia Britanica: Chicago London, 1952. [20] S. MacLane. Categories for the Working Mathematician, volume 5 of Graduate Texts in Mathematics. Springer-Verlag, 1971. [21] S. Maehara. Craig's interpolation theorem. Sugaku, pages 235{237, 1961. In Japanese. [22] T.S.E. Maibaum. The role of abstraction in program development. Information processing '86, 1986. [23] T.S.E. Maibaum and M.R. Sadler. Axiomatising speci cation theory. In H.J. Kreowski, editor, Recent Trends in Data Type Speci cation, pages 171{177. Springer-Verlag, Berlin, 1985. [24] M. Marx. Interpolation, modularization and knowledge representation. In C. Bioch and Y.H. Tan, editors, Proceedings of Dutch Conference on AI (NAIC'95), June 1995. [25] Jose Meseguer. General logics. In H.D. Ebbinghaus, editor, Logic Colloquium'87, pages 275{329, 1989. [26] A. Pitts. On an interpretion of second order quanti cation in rst order intuitionistic propositional logic. Journal of Symbolic Logic, 57:33{52, 1992.

13

[27] Vasilis Politis, editor. \Critique of Pure Reason" by Immanuel Kant. Everyman, London, 1993. A revised and expanded tranlsation based on previous translation by Meiklejohn. [28] P.H. Rodenburg and R.J. van Galbbeek. An Interpolation Theorem in Equational Logic. Technical Report CS-R8838, Centre for Mathematics and Computer Science, P.O. Box 4079, 1009 AB Amsterdam, The Netherlands, 1988. [29] D. Sanella and A. Tarlecki. Building theories in an Arbitrary Institution. Information and Control 76, 1988. [30] V. Yu. Shavrukov. Subalgebras of diagonalizable algebras of theories containing arithmetic. Dissertationes Mathematicae, Polska Akademia Nauk, Mathematical Institute, Warszawa, 1993. [31] J.R. Shoen eld. Mathematical Logic. Addison-Wesley, Publishing Company, 1967. [32] D. R. Smith. KIDS: A semiautomatic program development system. IEEE Transactions on Software Engineering, 16(9):1024{1043, September 1990. [33] D. R. Smith. Constructing speci cation morphisms. Symbolic Computation, 15(5-6):571{606, May-June 1993. [34] D. R. Smith and M. R. Lowry. Algorithm theories and design tactics. Science of Computer programming, 14(2-3):305{321, September 1990. [35] Yellamraju V. Srinivas and Richard Jullig. SpecWare : Formal suport for composing software. In Mathematics of Program Construction, July 1995. (KES.U.94.5). [36] A. Tarlecki. Bits and pieces of the theory of institutions. In Workshop on Category Theory and Computer Science, LNCS 240. Springer-Verlag, 1986. [37] Wladyslaw M. Turski and Thomas S. E. Maibaum. The Speci cation of Computer Programs. AddisonWesley, 1987. [38] P.A.S. Veloso. A new, simpler proof of the modularisation theorem for logical speci cations. Bulletin of the IGPL, 1(1):3{12, July 1993. [39] P.A.S. Veloso. From extensions to interpretations: Pushout consistency, modularity and interpolation. Technical report, Departamento de inforamtica Ponti cia Universidade Catolica do Rio de Janeiro, 1996. (To appear in Information Processing Letters 1997). [40] P.A.S. Veloso and T.S.E. Maibaum. On the modularisation theorem for logical speci cations. Information Processing Letters 53, pages 287{293, 1995. [41] P.A.S. Veloso, T.S.E. Maibaum, and M.R. Sadler. Program development as theory manipulations. In 3 International Workshop on Software Speci cation and Design, 1985. [42] A. Visser. Bisimulations, model descriptions and propositional quanti ers. Technical report, Department of Philosophy, Utrecht University, 1996. TM

rd

14