Investigating Z: the schema calculus - CiteSeerX

Investigating Z : the schema calculus Martin C. Henson and Steve Reeves Department of Computer Science, University of Essex, England [email protected] fax: +44 1206 872788 Department of Computer Science, University of Waikato, New Zealand [email protected] fax: +64 7 838 4155

Abstract. In this paper we introduce and investigate an improved kernel logic ZC for the speci -

cation language Z . Unlike the standard accounts [8] [4] [1] [3] this logic is consistent and is easily shown to be sound. We show how a complete schema calculus can be derived within this logic and in doing so we reveal a high degree of logical organisation within the language. Finally, our approach eschews all non-standard concepts introduced in the standard approach, notably object level notions of substitution and entities which share properties both of constants and variables. We show, in addition, that these unusual notions are derivable in ZC and are, therefore, unnecessary innovations.

1 Introduction In this paper we introduce and investigate an improved kernel logic ZC for the speci cation language Z , a logic in which, in particular, we can derive a schema calculus: a logic for the entire range of schema expressions permitted in Z . The work presented here builds on [6] in several ways: we provide more mathematical detail; we treat many constructs that were missing before or given cursory treatment; we have moved to a dierent style for the presentation of the language and logic, resulting in a simpler and more elegant development. Lastly, we spend some time showing how one of the innovations of the standard account, the so-called `frogspawn' operators, are also emergent properties of ZC and are, therefore technically unnecessary. Currently, the formalisation of Z is given in [4] and a logic, due essentially to Martin, appears as Annex K. Unfortunately, and for reasons we do not know, this annex is not based on [8] (the most recent draft to appear before the publication of [4]) but on an much earlier and incomplete draft which contains many errors and notational inconsistencies. In view of this we take [8], rather than annex K of [4], to be the current de nitive account of the standard logic. The report [8] is an attempt to improve upon the earlier logic contained in the previous draft standard for Z [3] which suered from a number of problems (inference did not preserve typing [6] and it was, in fact, inconsistent [5]). However, all versions of the standard logic, including the most recent, are very monolithic. [8] covers, or attempts to cover, explicitly all features of Z and does not reveal nor exploit any structure in the notions which make up the language. It makes no attempt at proof-theoretic economy: very many of the rules are redundant. Additionally, the system unexpectedly introduces object level notions of substitution (which introduce more than 70 equivalence axioms) and introduces unusual entities which resemble both variables and constants; this being technically supported by distinct notions of free variable and alphabet which result in a large number of side-conditons on many of the rules. There is a semantics for Z given in [4] which, again, covers the entire language monolithically. There is no proof of soundness of the logic with respect to this interpretation in either [4] nor [8]. Our approach in this paper is quite dierent. Our approach reveals and exploits the logical structure of the language clearly. We rst introduce a typed set-theory ZC , which introduces schema types, and go on to show how the schema calculus of Z may be logically constructed in layers of complexity on this basis. The soundness of the entire logic for Z then reduces to the soundness of this simple typed set-theory.

This turns out to be trivial once we demonstrate how to model its schema types in ZF by means of a suitable dependent product space. Our touchstone in this paper is logical compositionality: as we introduce new linguistic constructs we ensure that they are de ned in terms of the logical properties of their immediate constituents and not by the intensional transformation of syntactic structure . As a result one can equally treat the de nition of any new construct as a logical extension of, or as providing a denotational semantics into, the unextended system. Proofs of properties which characterize each new construct strictly adhere to the same principle: whenever a new construct is introduced, the proofs of its characteristic logical properties use those of the constructs directly used in its de nition. The main outcome of this methodology is a logic for the schema calculus, though we are also able to show that several non-standard ideas introduced in the standard approach are not needed. 1

2 The speci cation logic ZC In this section we shall describe a simple speci cation logic which we call ZC . This is a typed set-theory based upon the notion of schema type. Our formulation in this paper will be \Church-style", in which types are carried explicitly by the variables (and hereditarily by the terms). This contrasts with our earlier presentations (e.g. [7]) in which ZC is presented \Curry-style", with the types assigned by type assignment rules. There is, as a consequence of this style of presentation, a signi cant simpli cation in the presentation of the logic, and then consequent simpli cations in the uses we make of it. One of the reasons why formalizations of Z have in the past been presented in Curry-style (our own included) is over attention to mechanization: it is certainly true that an implementation of a logic for Z will require an explicit inference system, or algorithm for type-checking. But this is essentially only an implementation and not a logical requirement. A logic must establish precisely its language, and in the case of Z this is most simply achieved in the manner here presented. Similarly, an implementation of a logic will have to determine syntactically well-formed expressions. In the case of Z this requires some form of type-checking in accordance with the logic. But how this is achieved is an entirely separate question.

2.1 The language of ZC ZC is a typed set theory. We begin with the types: T ::= N

j

PT

j

T T

j

[ li : Ti ]

We will often permit the meta-variable D to range over sequences of type assignments such as li : Ti (the order is not important), also writing [D ], when D is li : Ti , for the alphabet set (in the metalanguage) of labels f li g. We shall need to indicate multiple substitutions for all labels in a given alphabet, writing [[D ]=t :[D ]] to indicate the family of substitutions [li =t :li ] when t is some term and [D ] = f li g. No label may occur more than once in such a type. Types of the form [D ] are called schema types. Other operations on schema types that we will need: [D ] v [D ] holds when the set of type assignments in [D ] is a subset of those of [D ]; [D ] t [D ] is the schema type comprising all the type assignments appearing in the components. It is not de ned, of course, if this union contains distinct type assignments for duplicated labels. [D ] u [D ] is the schema type comprising all type assignments occurring in both [D ] and [D ]. Finally, [D ] ? [D ] is the schema type comprising all type assignments in [D ] which are not in [D ]. All categories of the language of ZC must be well-formed with respect to these types. First we have the category of terms: We assume the existence of a denumerable set of variables for each type T . The syntax of terms is then: 0

1

0

1

0

0

0

1

1

0

0

1

1

1

1

In this regard, we return to a theme dicernable in [10] (e.g. the semantic compositionality of the operation de ned on p. 43) which seems to have been overlooked in other formal work concerning Z . Compositionality has in our work, however, been raised to the logical level rather than left at the semantic level.

2

tT ::= x T j fz 2 t T j P g j t l T :l j t T T :1 j t T T :2 j t T T N t ::= n t li Ti ::= hj li V tiTi ji ::= (t T ; t T ) t T T t PN ::= N P T t ::= P t T P T T t ::= t PT t PT t P li Ti ::= [ li 2 tiPTi ] where T v T 0 . We pronounce the symbol \ lter" and the purpose of ltered terms is to permit the restriction of bindings to a given schema type. These are crucial for establishing the logic for the schema calculus. We immediately introduce two notational conventions in order to avoid the repeated use of ltering in the context of membership and equality propositions. Note that the T in t T 2 t 0 , for example, is unnecessary since it can always be recovered from the type of t 0 (there is only one T for which the proposition is type correct). So, we can abbreviate the above restricted membership statement by leaving out the type, though we must indicate the fact that a restriction takes place, if only in order to dierentiate from a non-well-typed membership statement. We, therefore, introduce the following: [

[

:

[

]

0

0

1

]

0

(

:

0

1

0

1)

0

:

1

1

0

1

]

De nition 1.

t 2_ t 0 =df t T 0 2 t 0 PT

0

A similar tactic can be employed with equality.

De nition 2.

(i ) t T =_ t T =df t T = t (T v T ) (ii ) t T =_ t T =df t = t T (T v T ) 0

0

1

1

0

0

1

1

0

1

1

1

0

0

1

0

0

1

As usual we can write t (x ) to indicate a free variable of the term t . For terms of schema type we shall need a more complex notational convention to indicate situations in which a binding denotes a term at a particular label. Speci cally, suppose that t has the schema type [ li : Ti ]. We shall write t ( li V ti ) to indicate that t :li = ti ; in other words that t has the form hj li V ti ji. Numerals are as expected: n ::= 0 j succ n Sets, then, are formed from the natural numbers by powerset, cartesian product, schema sets and separation (bounded comprehension). For notational clarity we will, in the sequel, use the meta-variable C to range over sets (terms of type P T ) and S to range over schemas (those sets for which T is a schema type). We will often write schema sets as [] (where ranges over sequences of the form li 2 Ci ) by analogy with schema types and generalize the alphabet operator in the obvious manner. Among the sets are the carriers of the types. These are formed by closing the carrier for the basic type N under the three set forming operations with corresponding operations in the type language. In the sequel we will often write T as a set (the carrier of the type T ). In this regard we are following the notational abuse described in [11] (p. 24); this is entirely harmless since only a type can follow the type assignment relation, and only a set can follow the membership relation. The formul of ZC delineate a typed bounded predicate logic. P ::= ? j t T = t T j t T 2 C PT j :P j P _ P j 9 z T 2 C PT P 0

1

0

1

The logic of ZC is classical, so the remaining logical operations are available by de nition. A crucial observation is unicity of types: every term and set of ZC has a unique type and (hence) every proposition is well-formed in exactly one way. We can make great use of this property. It enables us to remove type decoration in most circumstances: the assumption that a proposition is a well-formed formula of ZC uniquely determines the types of the set and term components. This leads to a very elegant and simple presentation of the system and its extensions, much more so than in other approaches (e.g. [7]). 3

2.2 The logic of ZC The judgements of the logic have the form ? `C P where ? is a set of formul. The logic is presented as a natural deduction system in sequent form. When, later, we need to undertake derivations in the logic, we shall present them in pure natural deduction form, in which a sequent of the form Pi ` P will be represented by: P..i .. P We shall omit all data (entailment symbol, contexts, type etc.) which remains unchanged by a rule. The usual side-conditions apply. P P P _ P P ` P P ` P (_? ) ( _ ) ( _ ) 0 1 P _P P _P P 0

1

+

0

1

0

(()0 )

0

1

0

1

+

0 2 N (N 0 ) +

succ n = succ m n=m

(V1 ) =

=

]

(()2 ) =

(t :1; t :2) = t

t 2 fz 2 C j P g ? (fg1 ) P [z =t ]

C 2 PC t 2 C ? (P ) t2C 0

+

1

t 2C t 2C (t ; t ) 2 C C ( ) 1

(()1 )

t 2 fz 2 C j P g ? (fg0 ) t 2C

z 2C `z 2C (P ) C 2 PC

0

t = t 0 P [z =t ] (sub) P [z =t 0 ] [

(t ; t 0 ):2 = t 0

=

1

(9? )

1

hj li V t :li ji = t li 2Ti

=

0

? ? P (? )

0

P

t = t (ref )

hj li V ti ji:li = ti (V0 )

+

2

1

?; P ` P (ass)

P [z =t ] t 2 C t 2 fz 2 C j P g (fg )

1

9 z 2 C P y 2 C ; P [z =y ] ` P

+

1

2

::P (:? ) P

+

P [z =t ] t 2 C 9 z 2 C P (9 )

0

0

2

P :P (? ) ?

+

0

1

1

P ` ? (: ) :P

(t ; t 0 ):1 = t

0

+

0

1

0

1

t 2 C C (? ) 0 t :1 2 C 0

1

0

z 2N succ z 2 N (N 1 ) +

t 2 C C (?) 1 t :2 2 C 0

1

1

n 2N 0 6= succ n

P [z =0] z 2 N ; P ` P [z =succ z ] ? (N ) z 2N `P

t i 2 Ci hj li V ti ji 2 [ li 2 Ci ] ([] ) +

4

t 2 [ li 2 Ci ] ? ([] ) t :li 2 Ci

t T :li = ti [ li : Ti ] v T ( ) (t [ li 2 Ti ]):li = ti

t t (ext) t =t 0

1

0

1

where

=

t t =df 8 z 2 t z 2 t ^ 8 z 2 t z 2 t 0

1

0

1

1

0

The transitivity of equality and numerous equality congruence rules for the various term forming operations are all derivable in view of rule (sub). In particular, we can prove that set-equality in ZC is extensional.

Proposition 1. The following axiom is admissible for ZC : (T )

tT 2 T

Proof. By induction on the structure of the term t . For example: Ad t = (t ; t )T T : We have to show that (t ; t ) 2 T T and we may assume, ex hypothesi that ti 2 Ti (i 2 2). This follows immediately by rule ( ). 2 0

1

0

1

0

1

0

1

+

This is such a fundamental relationship between the type theory and set theory of ZC that we shall, from now on, take ZC to incorporate this axiom. Similarly, the following weakening rule is admissible and is incorporated within the system. ? `P ?; P ` P (wk ) 1

0

1

3 A model of ZC in ZF In this section we provide an interpretation from the language of ZC into ZF and prove the soundness of the ZC logic. The central idea is our interpretation of schema types as dependent products over a family of sets from a small (in ordinal terms) cumulative universe. It does not dier signi cantly from the model we have previously given for the \Curry"-style version of ZC in [7]. Consequently, we will only outline the contours of what, in any event, is very elementary. The following de nition in ZF constructs a tiny (in ordinal terms) cumulative hierarchy.

De nition 3.

(i ) F (0) =N (ii ) F ( + 1) = FS() [ P F () (iii ) F (!) =
This function is guaranteed to exist by trans nite induction (in fact only trans nite induction below !:2 is required) and we then take F (! + 1) to be the universe within which the type system of Z may be interpreted. This universe is a set. Let B (X ) be an I -indexed family of sets over F (!) (That is, B (X ) 2 I ! F (! + 1)). Then we can de ne a dependent function space which is suitable for our purposes as follows:

X 2I :B (X ) =df ff 2 I ! F (!) j (8 i 2 I )(f (i ) 2 B (i ))g (

)

This we can harness to interpret the schema sets (consequently also the schema types) of ZC . We will write E for the interpretation in ZF of a ZC entity E . [ li : Ci ] =df X 2I :B (X ) (

)

where I =df f li g and B (li ) =df Ci . The remaining types of Z are interpreted in ZF in the obvious way. 5

The labels li can be modelled in ZF in any number of ways, for example as nite ordinals. The only important point is that they be formally distinguishable from one another. We shall write them in ZF as we do in ZC for simplicity. With this in place we can easily interpret the binding projection terms of the form t :l by application in ZF , i.e. as: t l . Finally, the bounded quanti cation in ZC can be unpacked in ZF in the standard manner.

Proposition 2 (Soundness of ZC typing). For every ZC term t T we have `zf t 2 T 2 Proposition 3 (Soundness of ZC logic). If ? `C P then ? `zf P 2 In the sections which follow we provide interpretations for a sequence of extended languages, beginning with the addition of schemas. To simplify the presentation we shall adopt the convention of not stating any clauses in such an interpretation which are merely homomorphic. All interpretations are indicated using heavy brackets (i.e. J K); each such interpretation maps an extended language into the language of the previous extension of ZC (for example the interpretation of section 4.1 maps ZC + Schema into ZC and that of section 4.3 maps ZC + SchemaExpressions into ZC + Schema + Theta.

4 Schema calculus fundamentals In this section we demonstrate how a core schema calculus can be derived from the kernel system ZC . Once this is in place we will be able to extend the calculus still futher in order to provide a logic for the entire range of schema expressions allowed in Z .

4.1 Introducing schema As we have already indicated, schemas are simply sets of type P T when T is a schema type; in other words, they are sets of bindings. As it stands, our only means for introducing schemas is by means of schema sets of the form []. We now give an extended language of terms to permit the conventional notation for schemas: S PT ::= j [S PT j P ]

As is usual, we will write schemas of the form: [[] j P ] as [ j P ] and we allow the obvious generalisation of our alphabet operator to schemas: [S j P ] = S . The interpretation of schemas in ZC is then given by:

De nition 4.

q

[

y

S j P ] =df fz 2 JS K j JP [S =z :S Kg

Note that the meta-variable P , which occurs in the schema in the de niens, can range over the propositions extended with labels as terms. The de niendum is, of course, syntactically valid in ZC . Given this de nition we may provide the following rules using the schema notation:

Proposition 4. The following rules are sound for the interpretation of schema in ZC : t 2 [S j P ] ? t 2 S P [S =t :S ] t 2 [S j P ] ? (S ) t 2 [S j P ] t 2 S (S0 ) P [S =t :S ] (S1 ) +

Proof. Trivial: these are all special cases of the three rules for bounded comprehension in ZC . Note that the rules for schema which are merely schema sets are already explicit in ZC as rules ([] ) and ([]? ). 2 +

6

4.2

-expressions

In view of the extended language of terms we permit in schema, we may make the usual identi cation of

-expressions with characteristic bindings: S P li Ti =df hj li V li ji [

:

]

It is, perhaps, worth explaining in detail how this de nition interacts with the de nition of schema we have given. Consider a schema [S j P ] in which S occurs in P . This schema is interpreted in ZC by the comprehension fz 2 JS K j JP [S =z :S ]Kg. An occurrence of S in P has, consequently, the ZC interpretation hj li V z :li ji in the ZC proposition JP [S =z :S ]K. In view of axiom (V1 ), this means that, in this context, S has the ZC interpretation z . There are well-known complications in Z concerning the use of primed schemas and the operator. In other publications we have tried to explain that these result from a deep rooted ambiguity regarding the nature of schemas (see e.g. [7]). Here, however, we adhere to the standard informal understanding of Z to provide a point of comparison with that earlier work. Essentially, the key point is that terms of the form S 0 should be regarded as operations on S and not on S 0 . It might then be wiser to accept this explicitly as indicating a distinct operation by writing such expressions as 0 S . In any event, notational niceties notwithstanding, such expressions are de ned by: =

0 S P li Ti =df hj li V li0 ji Consequently, occurrences of 0 S (or, equivalently: S 0 ) in the context of a schema [S 0 j P ], itself interpreted as fz 2 JS 0 K j JP [S 0 =z :S 0 ]Kg, will be interpreted in ZC as hj li V z :li0 ji (which, nota bene, [

:

]

is not equivalent to z ).

4.3 Schema expressions We may now introduce the schema expressions upon which the schema calculus is based. First of all we extend our syntax of schemas with the basic operations of disjunction, negation, and existential hiding. S ::= j S _ S j :S j 9 l 2 T S

We rst de ne three algebraic operations in ZC which correspond to this extended language. These are naturally polymorphic: the type of their instances being determined by the particular sets to which they are applied.

De nition 5.

(i ) :C =df fz 2 T j z 62 C g (ii ) C _ C =df fz 2 T t T j z T 2 C _ z 2 T 2 C g (iii ) 9 l 2 T C =df fz 2 T ? [l : T ] j 9 x 2 T x 2 C ^ z = x T ? [l : T ]g 0

1

0

0

1

1

0

0

0

1

1

1

1

0

With these in place it is possible to interpret the new language of schema expressions in ZC .

De nition 6.

(i ) J:S K =df : JS K (ii ) JS _ S K =df JS K _ JS K (iii ) J9 l 2 T S K =df 9 l 2 T JS K 0

1

0

1

The most important observation is the compositional/algebraic nature of these de nitions. This is possible because the language is typed and the concrete structure which is necessary to eect the interpretation is carried explicitly by these types. Additionally, as we mentioned in the introduction, the compositionality of our account means that our interpretation of ZC + SchemaExpressions into ZC + Schema may be thought of as a semantics or, alternatively, as logical infrastructure. In the same way, the propositions we provide in section 4.5 below may be thought of as providing an extended logic for ZC + Schema 7

Expressions and establishing its soundness in ZC + Schema (the semantic view), or as the construction of a number of derived rules for newly de ned notions extending ZC + Schema (the infrastructural view). What we call existential hiding is usually referred to either as schema existential quanti cation or simply as hiding (with an alternative notation). The use of schema components as variables in the context of quanti ers (such as the existential here) but as constants in, for example, bindings has led to unusual complications, in for example the sketch of a logic in [3], leading to the suggestion that Z declarations introduce entities which are variables of some new species. This is a trap that has dogged eorts to develop satisfactory formal models of Z in the past. Our approach here, and elsewhere, introduces no such unwelcome entities: declarations introduce constants and schemas are a special notation for sets of bindings, this latter desideratum being entirely uncontested in the literature. We shall make further comments about the use of quanti cation in the schema calculus in section 4.6 below.

4.4 Renaming and Priming In addition to the three basic schema expressions, we have what is known in the literature as renaming. This permits a systematic substitution for labels. We use an unusual notation to avoid confusion with quite distinct meta-language substitution . t 2 S [l l ] ? t2S t [l l ] 2 S [l l ] (S ) t [l l ] 2 S (S ) 2

0

+

0

1

0

1

1

1

0

Priming can then, as usual, be understood as an instance of renaming. When S has the type P[ li : Ti ] we have: S 0 =df S [ li li0 ] It is worth highlighting that priming, in particular, sets up a logical relationship between certain labels. This is not dicult to achieve in our approach because the labels are constants. In this regard consider the logically similar relationship between names and co-names in CCS [9]: again, these names are constants. The contrasts with the standard approaches in which these entities are variables, a technical decision which we have already had occasion to bring into question.

4.5 The logic of the schema calculus Naturally, the new language of schema expressions inherits a logic via the interpretation in ZC . Beginning, then, with negation:

Proposition 5. The following rules for schema negation are sound for the interpretation in ZC : t 62 S t 2 :S (:S ? ) t 2 :S (:S ) t 62 S +

These rules are unexpectedly ecient: the fact that the language is typed ensures that a judgement of the form t 62 S (for example) requires t at the very least to be potentially a member of S . As a consequence we may conclude immediately that t 2 :S . Proof. Consider the following derivations in ZC : t 62 S t 2 T (T ) t 2 fz 2 T j z 62 S g (fg ) +

and: 2 2

t 2 fz 2 T j z 62 S g ? (fg1 ) t 62 S

Note, for instance that z V z [z =t ] is z V t (substitution) but z V z [z hj

ji

hj

ji

hj

8

ji

v ] is v V v (renaming). hj

ji

Moving on to disjunction.

Proposition 6. The following three rules are sound for the interpretation of schema disjunction in ZC : t 2_ S (S ) t 2_ S (S ) _ 0 t 2S _S t 2 S _ S _1 +

0

0

t 2S _S 0

+

1

1

0

1

t 2_ S ` P t 2_ S ` P (S ?) _ P

1

0

1

Proof. These are justi ed by means of the following derivations in ZC : t T 2S t T 2 S _ t T 2 S _i t 2 T t T (T ) t 2 fz 2 T t T j z T 2 S _ z T 2 S g (fg ) 0

0

0

0

+

1

0

1

1

0

0

0

1

1

1

+

A similar derivation justi es the remaining introduction rule, and for the elimination rule we have: t 2 fz 2 T t T j z T 2 S _ z T 2 S g ? (fg1 ) t T 2 S _t T 2S P 0

1

0

0

0

0

1

1

1

1

t T.2 S .. . P 0

t T.2 S .. . P ? (_ )

0

1

1

2

The following two rules are direct consequences of these schema operations.

Corollary 1.

t 2 S t 2 :S

t 2 S _ :S

?

2

Finally we have hiding.

Proposition 7. The following two rules are sound for the interpretation of schema existential hiding in ZC : t2S (S ) t 2_ 9 l 2 T S 9 where T =df T ? [l 2 T ] when t has type T. t 2 9 l 2 T S y 2 S ; y =_ t ` P (S ? ) +

0

1

0

0

9

P

where T =df T ? [l 2 T ] when y has type T and does not occur in P ; t nor any other assumptions; in other words the usual sideconditions for eigen variables apply. 1

0

Proof. These have the following justi cations in ZC : t 2 S t T = t T (ref ) t 2S ^t T =t T 9 x 2 T x 2 S ^ t T = x T t 2 T (T )(fg ) t T 2 fz 2 T j 9 x 2 T x 2 S ^ z = x T g 1

1

1

1

1

1

1

1

+

1

9

and:

y 2S ^y T =t y 2S ^y T =t y 2S y T =t . .. t 2 fz 2 T j 9 x 2 T x 2 S ^ z = x T g . 9x 2 T x 2 S ^ t = x T P P 1

1

1

1

1

1

2

The following simple observations are so often required that we shall not bother to ag their role in the sequel:

Lemma 1. ? ` P [T =t T :T ] , P [T =t :T ] Proof. This is a simple extension of the fact that t T :l = t :l for any label l in the alphabet of T . 2

Lemma 2. If T v T 0 and no label in T 0 ? T occurs in P then: ? ` P [T =t :T ] , P [T 0 =t :T ] 2 4.6 Equational logic for the schema calculus It is now possible to show that the expected equational relationships to be found in the literature (e.g. [13]), and which are commonly used to de ne the schema expressions, are provable in the schema logic. It is important to note that the proofs which follow are all undertaken strictly in the logic for schema which we have just introduced. This ensures that the logic is adequate and demonstrates that the proofs are compositional: membership in a compound expression is determined solely in terms of the membership conditions on the proper components. This de nitional and logical compositionality inherent in our approach should be contrasted with the highly non-compositional approach of de ning schema operations by means of these equations (e.g. [13]). In the proofs which follow we will make use of simple consequences of pure predicate logic (such as De Morgan equivalences) without further comment.

Proposition 8.

:[D j P ] = [D j :P ]

Proof. We will write S , S : , , ? and ? 0 for [D j P ], [D j :P ], [[D ]=t :[D ]], t 62 [D ] and :P in what follows. Then the result then follows, by rule (ext), from these two derivations: t 2 :S S ? t 62 S : ? ` t 62 [D ] ? ` t D 2 [D ] ? 0 ` :P ? 0 ` t D 2 [D ] :(t 2 [D ] ^ P ) ?` ? t 62 [D ] _ :P ? ` t 2 S: ?0 ` t 2 S: t 2 S: [

]

[

and:

t 2 S: t 2 S :P P

?

t 62 S t 2 :S (:S ) +

2

Proposition 9.

[D j P ] _ [D j P ] = [D t D j P _ P ] 0

0

1

1

0

10

1

0

1

]

Proof. We shall write D ; S , S , S , and 0 for D t D ; [D j P ], [D j P ], [D t D j P _ P ], [[Di ]=t :[D ]] and [[Di ]=t [Di ]:[D ]], respectively, in what follows (i 2 2). The result follows from the following two derivations, by rule (ext). 0

1

0

1

0

0

0

0

and:

t 2S _S

1

0

1

0

1

0

1

t [D ] 2 S t [D ] 2 S P 0 P 0 P P P _ P P _ P (S ? ) _ P _ P 0

1

0

t 2S _S t 2 [D ]

1

0

1

1

0

1

0

1

1

0

t2S

1

1

t 2S t2S t 2 [D ] t 2 [D ] P P t [D ] 2 [D ] P 0 t [D ] 2 [D ] P 0 t [D ] 2 S (S ) t [D ] 2 S (S ) t2S _ _1 0 P _P t2S _S t 2S _S t 2S _S 0

0

0

0

0

0

1

Proposition 10.

1

0

0

1

1

+

1

0

2

1

0

1

1

+

1

1

9 l 2 T [D j P ] = [D ? [l 2 T ] j 9 z 2 T P [l =z ]]

Proof. We will write [D ?l ] for [D ] ? [l 2 T ] and assume that its form is [ li 2 Ti ]. We further write t 0 for the binding hj li V t :li ; l V y ji and the three substitutions [[D ?l ]=t :[D ?l ]], [[D ]=t 0:[D ]] and [[D ?l ]=y [D ?l ]:[D ?l ]] as , P and . Note, in particular, that P = P [l =y ]. The schema [D j P ] we will write as S and, nally, the equation in question will be written Sl = Sr . The result follows, by rule (ext), from these two derivations. 0

1

2

1

0

y2S y 2S y2S ? l y 2 [D ] P [l =y :l ] y [D ] = t y 2 [D ] y [D ?l ] 2 [D ?l ] y [D ?l ] = t P [l =y :l ] y :l 2 T ? l t 2 [D ] 9 z 2 T P [l =z ] t 2 Sl t 2 Sr (S ? ) h t 2 Sr 2

0

0

and:

t 2 Sr t 2 [D ?l ] t :li 2 Ti t :li = t :li [D ?l ] v [D ?l ] t 0 2 [D ] P t 0 2 [D j P ] (t 0 [D ?l ]):li = t :li (Sh ) 0 ? l t [D ] 2 Sl t 0 [D ?l ] = t t 2 Sr 9 z 2 T P [l =z ] t 2 Sl t 2 Sl 1

+

0

2

As we remarked earlier, what we call existential schema hiding is often written using an explicit hiding notation: S n (l 2 T ). In this case the equation is expressed alternatively as: [D j P ] n (l 2 T ) = [D ? [l 2 T ] j 9 z 2 T P [l =z ]] Although it is senseless to consider the quanti er as binding the constant l , the equation reveals that it eectively removes the constant entirely. We feel that the account of the relationship between schema types 11

and schema quanti cation we have given in this paper is a major improvement over the complications employed in earlier attempts to develop a satisfactory logic of Z . We believe that these complications have been largely responsible for problems with these earlier attempts. In addition, it must be better to proceed with conventional (and well understood) concepts of variable and constant than to introduce new entities with extraordinary properties. For each of these schema operations we have in addition a number of easily proved congruence rules for equality:

Proposition 11. S =S :S = :S 0

0

1

1

S =S S _S =S _S 0

0

1

2

1

S =S S _S =S _S

2

0

1

2

1

0

S =S 9l 2 T S = 9l 2 T S 0

2

1

0

1

Proof. We illustrate with the rst of these. In one direction we have: S =S 8 z 2 T z 2 S , S tT 2 T t 2S t 2S ,t 2S t 26 :S t 62 :S ) t 62 :S t 62 S t 2 :S t 2 :S ) t 2 :S 0

1

0

0

1

0

0

1

0

1

1

1

0

1

In the other direction, a similar derivation provides us with t 2 :S ) t 2 :S . Whence: .. .. .. .. t 2 :S ) t 2 :S t 2 :S ) t 2 :S t 2S ,t 2S 8 z 2 T z 2 :S , z 2 :S :S = :S 1

0

1

0

1

0

0

1

0

0

1

1

2

5 Logical extensions to the schema calculus With the basic schema calculus in place, and in the context of classical logic, it is possible to extend the schema calculus with new logical operators in a straightforward manner. We now introduce schema conjunction, schema implication and schema universal hiding: S ::= j S ^ S j S ) S j 8 l 2 T S

The interpretations are unexceptional:

De nition 7.

(i ) JS ^ S K =df :(: JS K _ : JS K) (ii ) JS ) S K =df : JS K _ JS K (iii ) J8 l 2 T S K =df :(9 l 2 T : JS K) 0

0

1

0

1

0

1

1

Proposition 12. The following rules are sound for the interpretation of conjunction schema: t 2_ S t 2_ S (S ) t 2 S ^ S (S ? ) T 2 S ^ S (S ? ) ^0 ^1 ^ t2S ^S t 2_ S t 2_ S 0

1

0

+

0

1

1

0

12

0

1

1

Proof. Consider the following derivations:

t 2 :S _ :S 0

t T 2 S 0

t T 2 :S ? t T 62 S (:S ) t T 2 S 0

0

1

?

0

0

0

1

1

1

?

t 62 :S _ :S t 2 :(:S _ :S ) 0

1

1

1

1

0

and:

t T 2 :S ? t T 62 S (:S ) ? (S ? ) _

1

t 2 :(:S _ :S ) ? t T 2 :S (S ) t 62 :S _ :S (:S ) t 2 :S _ :S _0 0

1

0

0

1

0

0

?

t T 62 :S t T 2S 0

0

+

1

0

0

The other elimination rule is similar. 2

Proposition 13. The following rules are sound for the interpretation of implication schema: t 2 S ) S t 2_ S t 2_ S ` t 2_ S t 2S )S t 2_ S 0

0

1

0

1

1

0

1

Proof. Consider the following derivations: t T.2 S .. . t T 2 S t T 2 :S t T 2 S _ :S t 2 :S _ S t 2 :S _ S (S ? ) _ t 2 :S _ S 0

0

1

0

0

0

0

and: t 2 :S _ S 0

0

0

t T 2S

? t T 2S t T 2S 1

1

0

1

1

1

t T 2 :S 0

0

1

0

1

0

0

t T 2S

1

1

1

1

2

Proposition 14. The following rules are sound for the interpretation of universally quanti ed schema: t (l V x Tb ) 2 S PTa (S ) 8 t 2_ 8 l 2 Tb S +

t (l V x ) 2_ 8 l 2 Tb S PTa (S ?) 8 t (l V t ) 2 S 0

0

1

where T =df Ta ? [l 2 Tb ] and where, in the introduction rule, x is not free in S, any (other) subterm of t nor any assumption in the context. Proof. The absence of an assumption in the introduction rule and a second premise in the elimination rule is unexpected but results from the strong typing of terms: note that the expected second premise in the introduction rule would be t T 2 T , but this is already a theorem of the logic. When we consider generalised rules in section 6 such assumptions and premises will be necessary.

13

Consider the following derivations. We make use of one or two simple equality lemmata without further comment. Let t 0 be the term t (l V y :l ) and Ta have the form [ li 2 Ti ]. y T =t T (t 0 T ):li = (y T ):li t 0 :l = y :l t 0 :li = y :li t 2S 0 8 x 2 Tb t 2 S y 2 :S t =y t0 2 S t 0 62 S

t 2 9 l 2 Tb :S

?

? t : 9 l 2 Tb :S

and: (t 0 T ):li = (t (l V t ) T ):li t 0 T = t (l V t ) T t0 T

0

1

0

t 0 T 2 : 9 l 2 Tb :S

1

?

t (l V t ) 62 S t (l V t ) 2 :S t (l V t ) T 2 9 l 2 Tb :S 2 9 l 2 Tb :S 0

0

0

1

1

1

t (l V t ) 2 S 0

1

We are now in a position to extend the equational logic to cover these new operators.

Proposition 15.

[D j P ] ^ [D j P ] = [D t D j P ^ P ] 0

0

1

1

0

1

0

1

Proof. This is straightforward in the presence of the equational logic for disjunction and negation schema: :(:[D j P ] _ :[D j P ]) = :([D j :P ] _ [D j :P ]) = :[D t D j :P _ :P ] = [D t D j :(:P _ :P )] = [D t D j P ^ P ]. 2 0

1

0

0

1

1

Proposition 16.

1

0

0

0

1

1

0

1

0

1

0

1

0

1

[D j P ] ) [D j P ] = [D t D j P ) P ] 0

0

1

1

0

1

0

1

Proof. Similar to proposition 15. 2

Proposition 17.

8 l 2 T [D j P ] = [D ? [l 2 T ] j 8 z 2 T P [l =z ]]


This last equation establishes the universal quanti er as another mechanism in the schema calculus by which hiding of labels may be eected. We suggest that our logical analysis recommends the more rigorous use of terminology we have introduced: what we have conventionally called hiding (or schema existential quanti cation) should be referred to as existential hiding and the quanti cation we have here, usually called schema universal quanti cation, should be referred to as universal hiding. As expected, there are equality congruence rules for these operators. We will not state or prove them, and when we introduce further operations below we will not even trouble to mention them.

6 Schema level restriction and quanti cation In this section we further extend our syntax of schema to include schema level restriction and existential hiding at the schema level: 14

S ::= j S S j 9 S S 0

1

0

1

We can also write expressions of the form 9 S S as S n S . In order to de ne the rst of these, schema restriction, we begin by extending ltering from terms to sets. 0

1

1

0

De nition 8. Let T v T . 0

1

C P T =df fz 2 T j 9 x 2 T x 2 C ^ z = x T g 0

0

1

0

Lemma 3. The following rules are then derivable: t 2 C P T x 2 C ; x =_ t ` P t 2 C PT T v T t 2_ C P T P 1

0

1

0

The usual sideconditions apply to the eigen variable x. Proof. These follow immediately from the rules for comprehensions and the existential quanti er. 2

We now de ne schema restriction as follows:

De nition 9.

q

y

S S T =df JS 0

1

0

K

T ^ JS

1

K

Proposition 18. The following rules are sound for the interpretation of schema restriction: t 2 S S PT x 2 S ; x 2_ S ; x =_ t ` P t 2 S t 2_ S t 2_ S S P 0

0

1

0

0

1

1

1

Proof. These follow by the following derivations (note that the sets S T and S have equal type): t 2S t T 2 S PT t T 2 S t T 2 S PT ^ S 0

1

0

0

1

0

and:

1

t 2 S PT ^ S t 2S x T =t x 2S x T =t .. .. P 0

t 2 S PT ^ S t 2 S PT 0

x 2S

0

1

1

0

1

1

P

2

Next we turn to existential hiding at the schema level.


1

r

z

9 S PT S PT =df JS ^ S K P(T ? T ) 1

0

0

1

0

1

1

0

Proposition 19. The following rules are sound for the interpretation of schema level existential hiding: t 2 S PT t 2_ S PT T v T t 2 9 S S x 2 S ; x 2_ S ; x =_ t ` P t 2_ 9 S S P 0

1

1

0

0

0

1

0

1

15

1

1

0

Proof. Consider the following derivations. When T v T we have: t 2S t T 2S t 2S ^S t (T ? T ) 2 (S ^ S ) (T ? T ) and: x 2S ^S x 2S ^S x 2S x T 2 S x (T ? T ) = t .. .. P t 2 (S ^ S ) P(T ? T ) P 2 0

0

1

1

0

0

0

0

1

0

1

0

1

1

0

1

1

1

0

0

1

0

0

1

0

0

Now we can introduce a notation for schema level universal quanti cation. S ::= 8 S S with the following interpretation: 0

1


1

r

z

8 S PT S PT =df : 9 JS K : JS K 1

0

0

1

0

1

Proposition 20. The following rules are sound for the interpretation of schema level universal quanti xj 2 Tjm ; hj mj V xj jiT 2 S PT ` t ( mj V xj )T 2 S PT t 2_ 8 S S t ( mj V xj ) 2_ 8 S S PT t T 2 S t ( mj V t :mj ) 2 S Proof. Let T =df [ li 2 Til mj 2 Tjm ], T =df [ mj 2 Tjm ], T =df T ? T and the terms t ; t ; t ; t ; t and t be hj mj V xj ji; hj li V t :li mj V xj ji; hj mj V (y T ):mj j i; hj li V t :li mj V (y T ):mj ji; hj li V t :li mj V y :mj ji, and hj li V y :li mj V y :mj ji, respectively. Consider rst the introduction rule:

cation:

0

0

0

1

1

2

3

0

0

0

1

0

1

1

0

4

1

1

0

0

1

1

0

1

0

5

0

0

. . .. . .. t 2S y =t y 2S .

1

1

5

t T 2 9 S :S 0

1

1

1

?

?

y 2 :S

1

t T 2 :(9 S :S ) 0

where and are: 0

5

1

1

y T = t T (y T ):li = (y T ):li y :li = y :li (y T ):li = y :li (t T ):li = (y T ):li t :l = t :l (t T ):li = t :li (t T ):li = y :li t :li = y :li

and: y :mj = y :mj (y T ):mj = y :mj t 2S

. y T 2 S y T = hj mj = (y T ):mj ji . 2

..

0

t 2S

0

4

0

3

1

16

0

t 2S 2

1

0

0

and where is: 2

xj 2 Tjm t 2 S 0

.. ..

0

y T 2 S t 2S t 2S )t 2S y T 2T 8 xj 2 Tjm t 2 S ) t 2 S y T :mj 2 Tjm t 2S )t 2S 0

1

1

0

1

1

0

0

0

2

1

0

0

1

V

1

0

0

3

We now turn to the elimination rule: Let t be t ( mj

0

0

T :mj ). 0

.

.. . t S x =t T x S t S t T S t T S S

1 62

t T

2 :9

1

S

S

0 :

1 2 :

1

1

1

1

0 2

1

2 9

1

2

0

0 :

0

0

1

?

t S x S t 1 2

8

2

0

1 1 2

S

1

t

1 2

where is:

S

t

0 2

S

0

1

t :mj = t :mj t :mj = x :mj x :mj = x :mj (t T ):mj = t :mj x :mj = t :mj x :mj = (t T ):mj 1

1

1

1

0

1

1

1

0

2

There are equational laws for these three schema calculus operations:

Proposition 21. Let [D ] v [D ]. [D j P ] [D j P ] = [D j (9([D ] ? [D ]) P ) ^ P ] where is the substitution [ li =zi ] for fresh zi and where ([D ] ? [D ]) = f li g. 1

0

0

0

1

1

1

0

1

0

0

1

1

Proof. We write the equation as S S = S , x 0 for x [D ], T for [D ] ? [D ], f mj g for [D ], for the substitution [ mj =x 0 :mj ], 0 for the substitution [ mj =x :mj ] and for the substitution [ zi =x :li ]. Consider the following derivations: 0

1

2

1

0

1

1

0

1

0

x 2S P 0 x 2 S 9 T P 0 x 0 2 S x 2 [D ] 9 T P P x 0 2 [D ] 9 T P ^ P x0 2 S x [D ] = t t2S t 2S S t 2 [D j (9 T P ) ^ P ] 0

0

1

0

0

0

0

0

0

0

1

0

0

0

1

0

1

1

2

0

1

2

1

1

0

1

Extra data we require for the second derivation: We write T as [ li 2 Ti ]. Let t be the term hj li V yi mj V t :mj ji and ; and be the substitutions [ mj =t :mj ]; [ zi =yi ] and 0

0

1

2

17

[ li =t :li mj =t :mj ]. 0

0

t 2S t 2 S 9 T P ^ P . .. t 2 [ D ] P . . .. t [D ] = t t 2 S . . .. t 2S t [D ] 2 S . t [D ] = t t [D ] 2 S S t 2S S t 2 S S 2

0

2

1

0

0

2

0

1

0

1

1

1

1

0

0

1

t 2S 9 T P ^ P 9 T P 0

0

0

0

0

0

0

1

0

1

where is:

1

1

0

1

0

0

1

1

1

1

0

t S t [D ] t :mj T j t :mj = t :mj t :mj T j 2

yi Ti t :li = yi t :li Ti t [D ] 2

0

0

2

0 2

2

2

1

2

1

0

2

0

1

1

P

0

0

t :li = yi P

1

0

0

t S t [D ] S P[D ] 0 2

0

1

t :mj = t :mj 0

2

0

2

0

1

and is: 1

t :mj = t :mj [D ] v [D ] (t [D ]):mj = t :mj t 0 :mj = (t [D ]):mj t 0 :mj = t :mj 0 0 t [D ] = t t =t t [D ] = t where t 0 is hj mj V t [D ] ji. 2 0

1

0

0

0

1

0

1

1

0

0

1

1

Proposition 22. Let D v D , where [D ] = f li g and be the substitution [ li = zi ] 1

0

1

where the zi are fresh variables. 9[D j P ] [D j P ] = [[D ] ? [D ] j 9 D (P ^ P )] 0

0

1

1

1

0

0

0

1

Proof. The equation follows by rule (ext) from the following derivations: We will write T ; T and T for [D ]; [D ] and [D ]?[D ] respectively. Let the alphabets T and T be f li mj g and f mj g. We will write the equation as 9 U U = U . Let ; 0 ; ; and be the following substitutions: [ li =t :li ]; [ li =t :li mj =y :mj ]; [ li =y :li mj =y :mj ] and [ mj =(x T ):mj ]. 0

0

1

1

0

1

0

1

2

1

0

0

1

2

0

y U y T y T T y T =t t T 2

1

2

1

2

t

2 9

U

0

U

2

1

t U 2

.

.. . T (P t U

0

9

2

0

0 ^

P )0 1

2

2

where is: 0

x T U P 0 2

0

2

0

y :mj = y :mj y :mj = y T :mj P 0

0

0

y U P 2

(P

1

0 ^

1

P )

18

1

1

x :li = x :li (y T ):li = y :li t = y T t :li = y :li P 1

0

0

In the next derivation let T ; T ; T ; 0 and be as above and let and be the substitutions [ li =t :li mj =t :mj ] and [ mj =(t T ):mj ]. Finally, let t be the term hj li =t :li mj =yj ji and T have the form [ li 2 Til mj 2 Tjm ]. 0

0

1

0

0

0

1

0

2

0

1

(P

.

.. .

0

t

0 2

1

1

1

0

t

0 2

yj = t :mj P

0

1

t U T (P P )0 2

9

T

P ) P

0 ^

U

0

1

1

0 ^

0

1

t

U

2 9

0

U

.

0

1

t T

2

t :li = t :li

2 9

U

0

U

t T 0

1

t

2 9

U

0

U

.. .

0 2

U

.

.. . t T =t 1

0

0

1

1

where , and are: 0

1

.

.. .

0

t :mj = yj ( t T ):mj = yj t T t T T P t T U 0 2

1

0 2

0

0

0

0 2

2

2

0

0

0

2

2

2

0

1

0

0

t U t T t :li = t :li t :li Til t :li Til 2

P ) P

0 ^

0

0

0

(P

0

t :mj = yj yj Tjm t :mj Tjm 2

0

t

0 2

T

2

0

1

and: t :li = t :li t T :li = t :li li V t T :li 0

hj

li V t T :li 0

ji

=t T t T =t

hj

0

0

ji

0

=t

0

2

Proposition 23. Let D v D , where [D ] = f li g and be the substitution [ li = zi ] 0

1

0

where the zi are fresh variables. 8[D j P ] [D j P ] = [[D ] ? [D ] j 8 D (P ) P )] 0

0

1

1

1

0

0

1

0

Proof. 8[D j P ] [D j P ] = : 9[D j P ] :[D j P ] = : 9[D j P ] [D j :P ] = :[D ? D j 9 D (P ^ :P )] = [D ? D j : 9 D (P ^ :P )] = [D ? D j : 9 D :((:P _ P )] = [D ? D j 8 D (P ) P )] 2 0

1

0

0

0

1

1

1

1

1

0

0

0

1

0

1

1

0

1

1

0

0

0

1

1

1

1

0

0

1

1

1

7 Schema composition, piping and precondition Schema composition and piping provide mechanisms for structuring operation schemas. They are similar in the sense that they both involve connections between arguments via complementary labels. In the case of composition these are before and after states, and in the case of piping they are inputs and outputs. 19

Schema precondition oers a means by which an operation schema induces a state schema: its domain of de nition. Our next extension to our language of schema is, therefore: S ::= j S S j S o

1

0 9

>> S j

0

pre S

1

We base our de nition on the account of [2], which gives a de nition of composition in terms of existential hiding, renaming and conjunction.

De nition 12. s

l m m n S Pli Ti mj Tj S Pmj Tj nk Tk =df [

0

:

:

]

0

[

o 9

:

:

]

{

1

9

vj

2

Tjm

S K [ mj0

J

]

vj

0

^

S K [ mj

J

vj

1

]

in which the labels vi are fresh. Schema piping is almost identical. As usual, output labels are decorated with a shriek e.g. l . Input labels with a query e.g. l . !

?

De nition 13. s

l m S Pli Ti mj Tj [

!

:

:

]

0

>> S Pmj

?

[

1

Tjm nk :Tkn ]

:

{

=df

9

vj

2

Tjm

S K [ mj

J

vj

!

0

]

^

S K [ mj

J

vj

?

1

]

again, in which the labels vi are fresh.

Proposition 24. The following rules are sound for the interpretation of schema composition. Let T ; T and T be [ li : Til mj0 : Tjm ]; [ mj : Tjm nk : Tkn ] and [ li : Til nk : Tkn ]. (t T [ mj0 vj ])[ vj mj0 ] 2 S (t T [ mj vj ])[ vj mj ] 2 S t 2_ S PT S PT t 2 S PT S PT (y T )[ vj mj0 ] 2 S ; (y T )[ vj mj ] 2 S ; y T = t ` P 0

1

0

0

1

0 o 9

0

0

0 o 9

1

0

1

1

1

1

0

1

P

1

Proof. Consider the following derivations: (t T [ mj0 t T [ mj0

vj vj

0

0

])[ vj mj0 ] S (t T [ mj vj ])[ vj mj ] S ] S [ mj0 vj ] t T [ mj vj ] S [ mj vj ] t S [ mj0 vj ] S [ mj vj ] vj Tjm S [ mj0 vj ] S [ mj vj ]

2

0

2

t T

2 9

2

0

0

2

^

1

1

1

0

2

2

1

1

^

1

and: y S [ mj0 vj ] S [ mj vj y T S [ mj0 vj ] (y T )[ vj mj0 ] S 2

0

0 2 0

P0

^

1

0

2

0

P

where P 0 is t 2 9 vj 2 Tjm S [ mj0 0

] y S [ mj0 vj ] S [ mj vj y T S [ m j vj ] (y T )[ vj mj ] S .. .. P

2

0

1 2

1

vj ] ^ S [ mj 1

20

^

1

1

vj ] 2

2

1

]

y T =t

Proposition 25. The following rules are sound for the interpretation of schema piping: Let T ; T and T be [ li : Til mj : Tjm ]; [ mj : Tjm nk : Tkn ] and [ li : Til nk : Tkn ]. (t T [ mj vj ])[ vj mj ] 2 S (t T [ mj vj ])[ vj mj ] 2 S t T 2 S PT >> S PT t 2 S PT >> S PT (y T )[ vj mj ] 2 S ; y T [ vj mj ] 2 S ; y T = t ` P 0

!

1

?

!

0

!

0

?

1

0

1

0

1

!

0

1

1

1

0

0

?

0

P

?

1

1


The general idea of precondition schema is that the domain of de nition state schema is calculated by collecting all possible values in the initial state together with all possible inputs for which there exist values in the output state, and output values, satisfying the operation's constraints. The account in [13] (p. 206) is very informal and relies on a recursive simpli cation algorithm for its explication. We can give a simple and precise account here in terms of schema existential hiding:

De nition 14.

r

z

l m n pre S P li ;li Ti mj Tj nk Tk =df 9 li0 2 Til nk 2 Tkn JS K 0

[

?

:

!

:

:

]

!

The rules, and the extension to the equational logic, are then very straightforwardly calculated.

Proposition 26. The following rules are sound for the interpretation of precondition schema. Let T =df [ li ; li0 : Til mj : Tjm nk : Tkn ] and T = [ li : Til mj : Tjm ]: t T 2 pre S y 2 S ; y =_ t ` P t 2 S PT t 2_ pre S P 0

?

!

?

1

0

1

Proof. These are trivial consequences of proposition 7. 2

Proposition 27. Let D =df li ; li0 2 Til mj 2 Tjm nk 2 Tkn , D T =df li 2 Til nk 2 Tkn and D T =df D ? D T , then: pre [D j P ] = [D T j 9 D T P ] ?

!

!

0

1

0

0

1

Proof. This is obtained by iterating proposition 10. 2

8 Schema inclusion We begin by introducing an extended syntax for schema sets: ::= l 2 C PT ::= S PT C tT t ::= [ T ]

lT T [ :

(

]

)

Schema sets may now include direct references to schema. We shall still use the notation [] for schema sets in the new form. We can now interpret the extended language into the unextended language where the crucial equation is:

De nition 15.

J

[ i ]K =df [J[ ]K ^ Ji K ^ J[ ]K] 21

Proposition 28. The following rules are sound for this interpretation of schema inclusion: t 2 [] ^ S P [([] ^ S )=t :([] ^ S )] t 2 [; S j P ] t 2 [; S j P ] P [([] ^ S )=t :([] ^ S )] t 2 [; S PT j P ] t 2_ S

t 2 [PT ; S j P ] t 2_ []

Proof. These following immediately from the rules for simple schema (additionally schema conjunction elimination for the second pair). 2

As expected, there is an equation for schema inclusion.

Proposition 29.

[PT ; [PT j P ] j P ] = [ t j P ^ P ] 1

0

1

1

0

0

0

1

0

1

Proof. Let S be [ ; [ j P ] j P ] and T be T ? T . The result follows from the the following derivations: t2S t T 2 [ j P ] t2S t T 2 [ ] t T 2 [ ] t 2S P [T =t :T ] t 2 [ t ] t 2S t 2 [ t j P ] t T 2 [ j P ] t 2 [ t j P ^ P ] and: t 2 [ t j P ^ P ] t 2 [ t j P ^ P ] t 2 [ t j P ^ P ] t 2 [ t ] (P ^ P )[T =t :T ] t 2 [ t j P ^ P ] t 2 [ t ] t 2 [ ] P [T =t :T ] t T 2 [ ] t T 2 [ j P ] (P ^ P )[T =t :T ] t 2 [ ] ^ [ j P ] P [T =t :T ] t 2 [ ; [ j P ] j P ] 0

1

1

0

0

1

1

0

0

0

1

0

1

0

0

0

1

1

0

0

1

1

1

0

1

0

0

1

1

1

1

1

1

0

1

0

1

1

0

1

1

1

0

0

1

0

0

1

1

0

0

1

1

1

0

1

1

0

1

1

0

0

1

1

0

2

9 A more general schema calculus When it comes to using the schema calculus in practice, rather more general rules are needed. In this section we review a number that are particularly useful. We do not attempt to be exhaustive. Indeed the beauty of a system like ZC is that one can develop, as infrastructure, just what is required when it is required. The major limitation of the basic equational logic is its restriction to schema whose declarations are schema types. Generally, speci cations are constructed with more general declarations. It is easy to see that the equation for negation, for example, is not even valid if the declaration is permitted to be arbitrary. This is well-known in the literature. We begin, then, with an equation which relates general declarations over sets to declarations over types. This can be used iteratively, to remove all non-type-carrier sets from the declarations of schema.

Proposition 30.

[; l 2 C PT j P ] = [; l 2 T j l 2 C ^ P ] 22

Proof. This follows by rule (ext) from the following two derivations. Let us write the equation as S = S and for the substitution [[]=t :[]][l =t :l ]. We assume that [] has the form: li 2 Ci . 0

t2S t2S t 2 [; l 2 C ] t 2 [; l 2 C ] t 2 S t :l 2 T t :li 2 Ci t :l 2 C P t 2 [; l 2 T ] (l 2 C ^ P ) t2S 0

1

0

0

1

and:

t 2S t 2S t 2 [; l 2 T ] P ^ t :l 2 C t 2S P ^ t :l 2 C t :l 2 C t :li 2 Ci t 2 [; l 2 C ] P t 2S 1

1

1

0

2

The following two rules are useful together for reasoning about general conjunction schemas.

Proposition 31.

[ ] [ ] [ j P ] ^ [ j P ] = [ j P ] ^ [ j P ] 0

0

1

0

1

1

0

0

0

1

Proof. Suppose that j has the form li 2 CjPi Ti (j 2 2). From the premise we may conclude that C i C j . Let us write the equation in question as S ^ S = S ^ S . Using rule (2 ) repeatedly we may conclude that Sj = Uj (j 2 3) where Uj = [ li 2 Ti j ^ li 2 Cji ^ ^ Pj ] (j 2 2) and U = [ li 2 Ti j ^ li 2 C i ^ ^ P ]. We can now use the standard equation for conjunction schema to show that 0

1

0

2

1

0

=

2

1

0

U ^ U = [ li 2 Ti j ^ li 2 C i ^ ^ P ^ P ] 0

1

0

0

1

But we also have

U ^ U = [ li 2 Ti j ^ li 2 C i ^ ^ P ^ P ] hence U ^ U = U ^ U as required. 2 0

0

1

0

2

0

0

1

2

A more general form of the rule for conjunction is:

Proposition 32.

[ ; j P ] ^ [ ; j P ] = [ ; ; j P ^ P ] providing that \ = fg. 0

0

0

1

1

0

1

0

1

1

Proof. The strategy is similar to the previous proposition. Writing this equation as S ^ S = S we rst use rule (2 ) repeatedly to obtain three schemas Uj (j 2 3) such that Sj = Uj (j 2 3) and where the declarations of the Uj are in type carriers. Then the result follows using the standard equation for schema conjunction. 2 0

=

There is a version of this pair for disjunction too, proved in similar ways:

Proposition 33.

[ ] [ ] [ j P ] _ [ j P ] = [ j P ] _ [ j P ] 0

0

1

0

1

1

0

2

23

0

0

1

1

2

Proposition 34.

[ ; j P ] _ [ ; j P ] = [ ; ; j P _ P ] 0

2

0

1

1

0

1

0

1

A nal generalisation, for existential hiding, is:

Proposition 35.

9 l 2 T [; l 2 C j P ] = [ j 9 z 2 C P [l =z ]]

Proof. Write the equation as S = S . First we use rule (2 ) to show that [; l 2 C j P ] n (l 2 T ) = [; l 2 T j l 2 C ^ P ] n (l 2 T ). The equation for hiding establishes that this is equal to [ j 9 z 2 T z 2 C ^ P [l =z ]] which by de nition is [ j 9 z 2 C P [l =z ]] as required. 2 0

=

1

10 Relating ZC to the standard logic of Z The standard approach to the logic for Z is contained in the two most recent versions of the draft standard [3] [4] and an associated technical report [8], the last of these being the most complete and mature. There are two features of the standard approach which are rather striking. Firstly, schema components are treated as a species of variable with unusual status, hovering between the conventional notions of free and bound variable. Secondly, there is no meta-linguistic notion of substitution. Since this fact has a huge in uence on the standard accounts of Z we shall devote the next section of the paper to it.

10.1 The `frogspawn' substitutions In place of the usual meta-linguistic notion of substitution that appears in most formal theories, in the standard accounts of Z there are two object language substitutions, both indicating the substitution of a binding: one into propositions and the other into expressions. These are written, respectively: (i ) b P (ii ) b e In [8] there is a guarded suggestion that these can be de ned in terms of existential quanti cation and de nite description. Speci cally : (i ) b P =df 9fb g P (ii ) b e =df fb g e This suggestion cannot be made good within the framework of the standard logic for two related reasons. Firstly, the rules for the existential quanti er and de nite description make direct use of the frogspawn operators, so the putative de nitions are proof-theoretically circular. For example: ? ` b P ? ` b 2 S (ExistsI ) ? ` 9S P 3

Secondly, there is no prospect of eliminating the use of these operators in the these rules because the standard logic for Z provides no alternative, meta-linguistic, notion of substitution with which the frogspawn might be replaced. Given this, and having little alternative, it seems, the standard accounts follow an axiom route for introducing the frogspawn operations. However, they are characterized by a very large number of axioms and a small number of rules. There has been little or no discussion in the literature which explains why the logic should have been developed in this unusual way. The approach seems to date back to [12] in which the pre x notation for substitution was introduced, along with the idea that substitutions could be represented by bindings. However, it is not obvious that 3

In fact these are expressed as rewrites in the technical report. As a consequence they do not establish a de nition at all. We assume that what follows is what was intended.

24

the authors, at that time at least, were advocating an object level notion of substitution. Matters are not helped by the fact that the rules and axioms for substitution in the current standard accounts are enormously redundant: many of the axioms can be derived from the rules, and vice versa. We illustrate this with one example : 4

Proposition 36. The rules (EquBind) and (EquBind0): ? AX fb g END ` u = e ? ` b = ? ù= ? ù=b e 1

? ù=b e ? ` b= ? ù= ? AX fb g END ` u = e 1

2

2

( \ 1

( \ 1

2

2

= fg)

= fg)

are equivalent to the axioms: (i ) b (e = e ) , b e = b e (ii ) b e = e (b n e ) 0

1

0

1

Proof. Consider b =df hj b 0 ; x V e ji. We have ? AX fb g END ` b :x = x by the axiom BindMem and ? AX fb g END ` b :x = e by the axiom BindEqu . By substitution we then have: ? AX fb g END ` x = e then by the rule EquBind : ? ` b x = e yielding (i ). We also have: AX fb g END ` e = e by re exivity, and then we immediately establish (ii ) by EquBind (when b n e ): ` b e = e . In the other direction: ? AX fb g END ` u = e is, using UseBind , ? ` b (u = e ), then using (i ) we have: ? ` b u = b e . Then by substitution, (ii ) and assuming the necessary sidecondition, we have: ? ` u = b e as required. This last argument reverses, hence EquBind 0 is derivable from (i ) and (ii ). 2

The fact that these redundancies exist (and there are very many more) is surprising enough. However, as we shall show below, it turns out that the frogspawn constructions can be seen as following from much simpler and straightforward ideas. There are, in fact, two approaches which we can explore. The rst employs the binding restriction operation which we have introduced in our earlier work (e.g. [6]) for the complete development of the schema calculus; the second builds on the suggestion mentioned above, i.e. the use of existential quanti cation.

10.2 The relationship between and restricted membership Using the de nition

(T v T ) t T C PT =df t T 2 C how far can we derive the rules which involve ? The answer to this question will allow us to see how far we can remove in the standard accounts in favour of the straightforward ideas of restriction and set membership. This is desirable since making substitution an object-language operation is unusual and does not seem to aid understanding. First, the condition T v T is clearly needed in the de nition, otherwise the right-hand side is not well-de ned. This induces the same condition on the left-hand side and it is this condition that we want to consider in the context of frogspawn in the standard accounts. Put brie y, is such a condition needed, in the standard accounts, for t S to be well-formed? If not, then our de nition cannot be correctly capturing all of the meaning of frogspawn in the standard accounts (though this is not to say that we have not captured some interesting aspects of it, nevertheless). The typechecking rules of the Standard [3] include T29 (p. 201), and this appears to say that an expression of the form b P typechecks as long as P typechecks in the same context, with which b must be compatible. T49 on p. 203 is similar. So, our de nition appears to impose a constraint on the types where there is no constraint in the standard. This seems to imply that there are predicates of the form t S that we cannot give a meaning to via our de nition. All references to rules and axioms refer to [8]. 0

1

1

1

0

4

25

1

0

There also seems to a problem in that our de nition only deals with predicates which are schemas-aspredicates, not with predicates in general. However, we can translate predicates proper into schemas (and so use the de nition) by a completion process. Given b T P , we use b to form the schema P =df [D j P ], which we call the completion of P derived from b , where D is li : Ti for each label li of b declared at type Ti (and recall that we have extended our term language to include labels). Note that, having done all this, we have a special case of the de nition: b P =df b T 2 P = b 2 P , since b T = b . Returning to our main theme: although there seem to be predicates that we may not be able to translate via the de nition, we may still be able to derive all the rules involving frogspawn that appear in the logic in the standard accounts. This is especially likely in view of the fact that rules like SchBindMem on p. 207 of the Standard (1.2) clearly require the types of b and S to be the same (otherwise b 2 S is not well-formed. This proviso missing from 1.2 appears explicitly in 1.3, though, of course, it renders the rule correct but weak, as we have pointed out in [6].) For example, we have:

Proposition 37. The following rule is derivable: ? ` : b S ? ` b :S Proof. Recall that ? ` b : S is ? ` b T 2 : S and ? ` : b S is ? ` : (b T 2 S ). Consider the following derivation in ZC : ? ` : b S ? ` b T 62 S (: S ) ? ` b : S 2 1

1

1

+

Note that in the standard accounts there is no restriction on the types of b and S , whereas for us the restriction associated with the de nition of frogspawn carries through. Here is another example of how frogspawn interacts with the schema calculus:

Proposition 38. b (S _ S ) , b S _ b S . 1

2

1

2

Proof. The required derivations, one for each direction and using the abbreviations S for S _ S , T for T t T and b r for b T , are: 1

1

br

2

2

2 S b T

bT 2 S ` b T 2S b T 2S ` b T 2S ( _ ) 0 2S ` b T 2 S _b T 2S b T 2 S ` b T 2 S _ b T 2 S ((_S 1?)) _ b T 2S _ bT 2 S 1

1

1

1

1

1

1

1

2

+

2

1

2

2

1

2

2

2

2

1

2

1

+

2

2

2

and: b r T 2 S ` b r T 2 S (S ) b r T 2 S ` b r T 2 S (S ) _0 br T 2 S _ br T 2 S br T 2 S ` br 2 S b r T 2 S ` b r 2 S ? _1 (_ ) r b 2S Note here that b (S T _ S T ) = b (T t T ) 2 S _ S and that (b (T t T )) T 2 S = b T 2 S = b S , and similarly for S . 2 1

1

1

2

2

1

1

1

1

2

2

1

1

1

1

1

2

1

+

2

2

2

1

2

1

2

2

+

2

2

1

1

1

2

In order to show how SchemaMem (p. 22 of [8]) can be derived we rst have to rewrite the premise so that b P (where P is a predicate) comes within our de nition, and that means using the completion idea above.

Proposition 39. This rule is derivable:

? ` b 2 S ^ b P ? ` b 2 [S j P ] 26

Proof.

? ` b 2 S ^b P ? ? ` b 2S ^b P ? ? ` b 2 P (S(^?1) ) ( ^ ) 0 ? `b2S ? ` P [S =b :S ] 1 (S ) ? ` b 2 [S j P ] +

2

Part of the derivation above, it turns out, is so commonly used within much of our work on this topic, and indeed makes clear exactly what means when applied to a predicate, that we extract it as a lemma (which we use in the sequel without comment). We have the following:

Lemma 4. ? ` b T P if and only if ? ` P [T =b :T ]. Proof.

and:

? ` b 2 P (S ? ) ? ` P [T =b :T ] 1 ? ` P [T =b :T ] ? ` b 2 T (S ) ? ` b 2 P +

2

Returning to the other direction of SchemaMem we have:

Proposition 40. This rule is derivable: ? ` b 2 S ^ b P ? ` b 2 [S j P ] Proof.

? ` b 2 [S T j P ] ? ? ` b 2 [S j P ] ? ? ` P [T =b :T ] (S1 ) ? ` b 2 S (S0 ) ? ` b P (^ ) ? ` b 2 S ^ b P +

2

SchBindMem and SchBindMem 00 follow directly from our de nition of and the fact that the provisos on those rules, that the alphabets of b and S are same, mean that b : T and S : P T for some type T . Turning to some rules involving quanti ers (p. 19 of [8]), consider the rule AllE . First we have to interpret 8 S T P , and we can do this straightforwardly by using 8 z 2 S P [T =z :T ]. We then have

Proposition 41. The following rule is derivable: ? ` 8 z 2 S P ? ` bT 2 S ? ` b P Proof.

? ` 8 z 2 S P ? ` bT 2 S ? 8 ? ` P [T =b :T ] ? ` b P

2

27

As a concrete example of how this works (and we unravel the lemma to make the point more clearly), consider the following derivation, where we abbreviate hj a V 5; x V 3; y V 2 ji by u : 8

z [a ; x ; y : N x 2

j

y + a ] z :x + 1 > z :y u [a ; x ; y : N x y + a ] ? z :x + 1 > z :y [z =u [x ; y : N]] u [x ; y : N] [x ; y : N] S u x +1>y

2

j

8

2

+

Note that, for us, 8[x ; y : N j x y + a ] x + 1 > y is 8 z 2 [x ; y : N j x y + a ] z :x + 1 > z :y , hj a V 5; x V 3; y V 2 ji x + 1 > y is hj a V 5; x V 3; y V 2 ji [x ; y : N ] 2 [x ; y : N j x + 1 > y ].

Proposition 42. The following rule is derivable: ? ` b P ? ` b T 2 S (ExistsI ) 9 z 2 S P [T =z :T ] Proof.

? ` b P ? ` P [T =b :T ] ? ` b T 2 S 9 9 z 2 S P [T =z :T ]

+

2

Here is another concrete example, again unravelling the lemma. We abbreviate the binding hj a V 1; x V 3; y V 1 ji to v . ? ` v [x ; y : N] 2 [x ; y : N j x > y + 1] S ? ? ` v 2 [a ; x ; y : N j x + y > 4a ] ? ` x > y + 1[[a ; x ; y : N j x + y > 4a ]=v :[a ; x ; y : N j x + y > 4a ]] 9 z 2 [a ; x ; y : N j x + y > 4a ] x > y + 1[[a ; x ; y : N j x + y > 4a ]=z :[a ; x ; y : N j x + y > 4a ]] 1

+

9

10.3 Following the standard approach As we saw in section 10.1, the suggestion in [8] that the frogspawn operators can be de ned in terms of existential quanti cation and de nite description cannot work. In ZC , however, it is entirely possible to develop the standard logic of frogspawn by employing the suggested de nitions. To begin with we must revise some of the infrastructural development of ZC . As we have seen before in the case of (i ), quanti cation over a schema can be represented by means of: (i ) 9 S PT P =df 9 z 2 S P [T =z :T ] (ii ) S PT e =df z 2 S e [T =z :T ] Note that we take the operations of Z to be notation for the explicit characteristic bindings; so these de nitions suce to handle those notions too. In fact, given the logic, an occurrence of S in P (for example) will be equal to the value of the bound variable z . Consequently, the de nitions of frogspawn in our framework amount to: (i ) b T P =df 9 z 2 fb g P [T =z :T ] (ii ) b T e =df z 2 fb g e [T =z :T ] We can immediately illustrate the de nitions with an example. One of the equations given for frogspawn is the subject of the following proposition.

Proposition 43. The following equation holds in ZC : b :P , :(b P ) 28

Proof. Consider the following derivations. Let P =df P [T =z :T ] where T is the type of the binding b . Recall that fb T g = fz 2 T j z = b g: y 2 fb g :P [T =y :T ] y = b y 2 fb g P [T =y :T ] y = b 9 z 2 fb g :P :P [T =b :T ] P [T =b :T ] :P [T =b :T ] 1

1

0

9 z 2 fb g P [T =z :T ]

0

?

? :(9 z 2 fb g P [T =z :T ])

and:

1

b =b P [T =b :T ] b 2 fb g 9 z 2 fb g P : 9 z 2 fb g P

? b=b :P [T =b :T ] b 2 fb g 9 z 2 fb g :P [T =z :T ]

2

Once again, as we did in our rst formulation in 4, we can do much better than this via the following lemma, whose proof one can detect explicitly in the derivations above.

Lemma 5. ? ` b T P if and only if ? ` P [T =b :T ] Proof. Consider the following derivations: b=b P [T =b :T ] b 2 fb g 9 z 2 fb g P [T =z :T ]

and:

y 2 fb g y = b P [T =y :T ] 9 z 2 fb g P [T =z :T ] P [T =b :T ] P [T =b :T ]

2

Of course, we have now shown, via lemmas 4 and 5, that our two formulations for on predicates are equivalent. However, to illuminate this topic from a second perspective is useful, so we will continue a little further with the development based on this second formulation. With lemma 5 in place proposition 43 becomes entirely trivial, recording nothing beyond the fact that substitution commutes with negation. Similarly the standard rules for existential introduction and universal elimination are immediately derivable in ZC using this lemma.

Proposition 44. The following rules are derivable: ? ` b P ? ` b 2 S ? ` 8S P ? ` b 2 S ? ` 9S P ? ` b P 29

Proof. Consider the following derivations: ? ` 9 z 2 fb g P [T =z :T ] ? ` P [T =b :T ] b2S ? ` 9 z 2 S P [T =z :T ] (9 ) and: 8 z 2 S P [T =z :T ] b 2 S P [T =b :T 9 z 2 fb g P [T =z :T ] (8? ) 2 +

The standard logic contains two rules (UseBind) which characterize the frogspawn operator in terms of assumptions. Speci cally these are: ? AX fb g END ` P ? ` b P ? AX fb g END ` P ? ` b P These, or a formalisation of them, are derivable from our de nition in ZC . Firstly, we must interpret the use of the binding set fb g as an assumption. To this end we de ne, for any binding b of the form: hj li V tiTi ji, the set of equalities b with the form: xi = b :li (the variables xi must, of course, be fresh). Then we can prove the following encodings of the rules (UseBind).

Proposition 45. The following rules are derivable in ZC : ?; b ` P [ li =xi ] ? ` b P ?; b ` P [ li =xi ] ? ` b P Proof. Let x =df hj li V xi ji, P 0 =df ^ xi = b :li ^ and =df [T =x :T ]. Consider the following derivations: 9 z 2 fb g P [T =z :T ] P [T =b :T ] xi = b :li and:

2

P [T =x :T ]

xi =. b :li .

.. P b :li = ei eiTi 2 Ti P0 ) P 8 xi 2 Ti P 0 ) P b :li 2 Ti b :li = b :li ) P [T =b :T ] b :li = b :li P [T =b :T ] 9 z 2 fb g P [T =z :T ]

Next we turn to the standard rules known as (SchemaMem). In view of lemma 5 these are simple notational variations of the schema introduction and elimination rules of ZC .

Proposition 46. The following rules are derivable: ? ` b 2 S ? ` b P ? ` b 2 [S j P ] Proof. Consider the following derivations: b2S

? ` b 2 [S j P ] ? ` b P

9 b 2 fb g P [T =z :T ] P [T =b :T ] b 2 [S j P ]

30

and:

2

b 2 [S j P ] P [T =b :T ] 9 b 2 fb g P [T =z :T ]

10.4 Conclusions about frogspawn We have not shown that all the rules in [8] and [3] which mention are interpretable and then derivable using our de nitions of , but we have, we feel, given enough instances to show that our rst interpretation serves to explain in a more familiar way, i.e. as a form of restricted membership in sets. The second serves to show that we can, using ZC , treat via an alternative de nition (suggested in [8] but not implementable in the logic given there) which allows a better understanding of this unusual formal device. As for the substitution into expressions that appears in [8], this seems to be de nable just as ordinary substitution into expressions, i.e. what we have, all along, been writing conventionally using [ x =e ]. We have shown that an unusual and non-standard invention of the Z Standard is not actually necessary and serves only to complicate what is really a quite straightforward language.

11 Conclusions and future work In this paper we have provided a new core logic for the speci cation language Z . It diers from the logic presented in the draft Z standard [4] in several respects, all to clear advantage. We have also shown how, from the simple kernel logic ZC , there emerges a calculus for manipulating the main, and deservedly acclaimed, innovations of Z : the schema and the associated language of schema expressions. Rather than presenting a calculus for these expressions as a syntacitic extension of Z (the methodology of the standard approach), we have shown that this calculus is derivable in a well-structured hierarchy of layers. As a result, the set-theoretic model is kept very simple, and the soundness of our logic, including the entire schema calculus, is easily demonstrated. In addition, we have also shown that the unusual use of object level substitution used, in the standard account, is expressible, to a large extent, in our framework in terms of much simpler and more familiar notions, and is as a consequence an unnecessary innovation.

Acknowledgements We would like to thank the Department of Computer Science at the University of Waikato, New Zealand; the Centre for Discrete Mathematics and Theoretical Computer Science, New Zealand; the Royal Society; and the EPSRC (grant number GR/L57913) for nancial assistance which has supported the development of this research. We are grateful to Rob Arthan, Jonathan Bowen, Stephen Brien, Ricardo Calderon-Cruz, Doug Goldson, Lindsay Groves, Thomas Santen, Ian Toyn, Ray Turner, Mark Utting, Sam Valentine, Norbert Volker, Jim Woodcock, and most particularly, Andrew Martin, for many useful discussions concerning Z and its formalisation, and for comments on drafts of this paper.

References 1. S. Brien and A. Martin. A tutorial of proof in standard Z. Technical report, Technical monograph PRG-120, University of Oxford, 1996. 2. A. Diller. Z: An introduction to formal methods (2nd ed.). J. Wiley and Sons, 1994. 3. J. Nicholls (ed.). Z Notation: Version 1.2. Z Standards Panel, 1995. 4. J. Nicholls (ed.). Z Notation: Version 1.3. Z Standards Panel, 1998.

31

5. M. Henson. The standard logic for Z is inconsistent. Technical report, Technical Report CSM-???, University of Essex, 1998. 6. M. C. Henson and S. V. Reeves. A logic for the schema calculus. In J. Bowen and A. Fett, editors, Proc. Int. Conf. on Z : ZUM '98, 1998. 7. M. C. Henson and S. V. Reeves. Revising Z : semantics and logic. Submitted to: Formal Aspects of Computing, 1998. 8. A. Martin. A revised deductive system for Z. Technical report, Technical Report TR98-21, SVRC, University of Queensland, 1998. 9. R. Milner. Communication and concurrency. Prentice-Hall International, 1989. 10. J. M. Spivey. Understanding Z: A speci cation language and its formal semantics. C.U.P., 1988. 11. J. M. Spivey. The Z notation: A reference manual. Prentice Hall, 1992. 12. J. Woodcock and S. Brien. : A logic for Z . In Proceedings of ZUM '91, 6th Conf. on Z. Springer Verlag, 1992. 13. J. Woodcock and J. Davies. Using Z: Speci cation, Re nement and Proof. Prentice Hall, 1996. W

32