language has a semantics in an arbitrary but xed institution with sym- bols. Compared with .... speci cation SP, its signature Sig SP] 2 jSignj and the collection of its models. Mod SP] Mod(Sig ...... development, electronic archives. Notes and ...
Speci cations in an arbitrary institution with symbols Till Mossakowski Department of Computer Science and Bremen Institute for Safe Systems, University of Bremen, Germany.
Abstract. We develop a notion of institution with symbols and a ker-
nel language for writing structured speci cations in CASL. This kernel language has a semantics in an arbitrary but xed institution with symbols. Compared with other institution-independent kernel languages, the advantage is that translations, hidings etc. can be written in a symboloriented way (rather than being based on signature morphisms as primitive notion), while still being institution-independent. The semantics of the kernel language has been used as the basis for the semantics of structured speci cations in CASL.
1 Introduction Formal speci cation of software systems can typically be split into speci cation-in-the-small, dealing with the speci cation of individual datatypes, and speci cation-in-the-large, dealing with the combination of speci cations and/or datatypes in a structured way. The framework of institutions, a formalization of the model-theoretic aspects of the notion of logical system, allows a clean separation of these issues: while speci cation-in-the-small is based on a particular institution, a number of formalisms for speci cation-in-the-large such as Clear, ACT TWO, ASL and ASL+ have been developed largely for an arbitrary (but xed) institution. However, the institution-independent setting as used in the above formalism has some important drawbacks:
{ signature morphisms are taken as primitives. This implies that one cannot
rename or hide just a symbol, but rather has to construct the resulting signature in advance, together with the corresponding signature morphism; { pushouts (in some formalisms necessary for instance to instantiate generic speci cations) are de ned only up to isomorphism; thus, the user does not have full control over the name space of the speci cation constructed; { unions can be taken only of speci cations over the same signature (unless an extra inclusion system is speci ed). In this work, to resolve these problems, we propose a notion of institution with symbols. Roughly, an institution with symbols is an institution where each signature has an underlying set of symbols, and each signature morphism has
2
an underlying symbol translation function. Within this setting, we can de ne renamings, hidings, unions and pushouts in an explicit, symbol-oriented way that overcomes the above drawbacks. We also de ne a notion of institution with quali ed symbols to deal with the problems of overloading. To show that these extra complications can be avoided when not needed, we show that an institution with quali ed symbols can be constructed out of any institution with symbols in a trivial way (with no overloading possible). These notions provide a proper institutional framework for the semantics of CASL, a speci cation formalism developed within the CoFI initiative. In particular, the semantics of structured speci cations in CASL can be based on an arbitrary institution with quali ed symbols. The paper is organized as follows. In section 2, we recall the notion of institution and a kernel language allowing to write speci cations over an arbitrary institutions. We discuss the problems with this approach, which leads to the de nition of institution with symbols in section 3 and of a new kernel language (together with its semantics) in section 4. Institutions with quali ed symbols are introduced in section 5, and the CASL institution is shown to be an institution with quali ed symbols in section 6. Finally, section 7 contains conclusions and future work. An extended version of this paper (including all proofs) is available as CoFI study note S-10 in [4].
2 Speci cations in an arbitrary institution The theory of institutions [7] takes a predominantly model-theoretic view of logic, with the satisfaction relation between models and logical sentences adopted as a primary notion. Somewhat unlike in the classical model-theory though, a family of such relations is considered at once, indexed by a category of signatures.
De nition 2.1. An institution I consists of: { a category SignI of signatures ; { a functor SenI: SignI ! Set, giving a set Sen(� ) of � -sentences for each signature � 2 jSignI j; { a functor ModI: SignopI ! Cat , giving a class Mod(� ) of � -models for each signature � 2 jSignI j; and { for � 2 jSignIj, a satisfaction relation j=I;� � ModI(� ) � SenI(� ) such that for any signature morphism �: � ! � 0 , � -sentence ' 2 SenI (� ) and � 0 -model M 0 2 ModI (� 0 ) the following satisfaction condition holds: M 0 j=I;�0 SenI (�)(') () ModI (�)(M 0 ) j=I;� ' We write M 0 � for Mod(�)(M 0 ), where �: � ?! � 0 2 Sign and M 0 2 Mod(� 0 ). 1
The notion of institution emerged as a formalisation of the concept of logical system underlying algebraic speci cation formalisms. Given an institution 1
Cat is the (quasi-)category of all categories.
3
I, the rough idea is that signatures determine the syntax of the systems to be speci ed, models of the institution represent (the semantics of) the systems themselves, and sentences are used to specify the desired system properties. Whatever speci cations are, they should ultimately describe a signature and a class of models over this signature, called models of the speci cations, to capture the admissible realizations of the speci ed system. Consequently, any speci cation formalism over I determines a class of speci cations, and then, for any speci cation SP , its signature Sig [SP ] 2 jSignj and the collection of its models Mod [SP ] � Mod(Sig [SP ]). If Sig [SP ] = � , we refer to SP as � -speci cation. In [9], the following kernel language for speci cations in an arbitrary institution I has been proposed: presentations : For any signature � 2 jSignj and set � � Sen(� ) of � sentences, the presentation h�; �i is a speci cation with: Sig [h�; �i] = � Mod [h�; �i] = fM 2 Mod(� ) j M j= �g union : For any signature � 2 jSignj, given � -speci cations SP 1 and SP 2 , their union SP 1 [ SP 2 is a speci cation with: Sig [SP 1 [ SP 2 ] = � Mod [SP 1 [ SP 2 ] = Mod [SP 1 ] \ Mod [SP 2 ] translation : For any signature morphism � : � ! � 0 and � -speci cation SP , translate SP by � is a speci cation with: Sig [translate SP by �] = � 0 Mod [translate SP by �] = fM 0 2 Mod(� 0 ) j M 0 � 2 Mod [SP ]g hiding : For any signature morphism � : � ! � 0 and � 0 -speci cation SP 0 , derive from SP 0 by � is a speci cation with: Sig [derive from SP 0 by �] = � Mod [derive from SP 0 by �] = fM 0 � j M 0 2 Mod [SP 0 ]g The above speci cation-building operations, although extremely simple, already provide exible mechanisms for expressing basic ways of putting speci cations together and so for building speci cations in a structured manner. Further, perhaps rather more convenient-to-use operations may be built on this basis. See for instance [9] for examples and much further discussion. However, the institution-independent setting as used in this and other similar formalisms has some important drawbacks: { signature morphisms are taken as primitives. This implies that one cannot rename or hide just a symbol, but rather has to construct the resulting signature in advance, together with the corresponding signature morphism; { pushouts (in some formalisms necessary for instance to instantiate generic speci cations) are de ned only up to isomorphism; thus, the user does not have full control over the name space of the speci cation constructed; { unions can be taken only of speci cations with the same signature. The third problem (concerning unions) can be overcome by working with signature categories having associated inclusion systems [3]. However, the other problems still remain in such an approach.
4
3 Institution with symbols To resolve the problems mentioned at the end of the last section, we propose a notion of institution with symbols. Roughly, an institution with symbols is an institution where each signature has an underlying set of symbols, and each signature morphism has an underlying symbol translation function. Within this setting, we can de ne renamings, hidings, unions and pushouts in an explicit, symbol-oriented way that overcomes the above problems. Consider an institution (Sign; Sen; Mod; j=) additionally equipped with a faithful functor j j: Sign ?! Set that extracts from each signature the set of (fully quali ed) symbols that occur in it (i.e. (Sign; j j) is a concrete category [1]). We assume that there is some xed \universe" of Sym of symbols that may be used by the speci er when writing symbol mappings. The latter are the means for the user to specify signature morphisms in a convenient way. A symbol map should be some kind of map on Sym . We cannot expect this map to be total, because not all symbols may be mapped. Moreover, we even cannot expect it to be total on the set of symbols of a given source signature, since we want to free the user from specifying identically mapped symbols. Finally, it turns out to be much more convenient even not to require symbol maps to be functions { a user may erroneously map one and the same symbol to two di�erent symbols (of course, in such a case, there will be no signature morphism induced by the symbol map). So we arrive at the following: A symbol map h is a nite relation h � Sym � Sym . The domain of a symbol map is de ned as
dom(h) = fSY 2 Sym j 9(SY ; SY 0 ) 2 hg We further assume that some function Ext: jSignj � jSignj � FinSet (Sym �
Sym ) ?! FinSet (Sym � Sym ) is given. Its use is as follows. Consider a parameterized speci cation; and let h be a symbol map tting the formal parameter (having signature � ) with the actual parameter (having signature � 0 ). Then Ext(�; � 0 ; h) extends h to a translation of compound identi ers in the body (for example, in CASL, a tting of sort Elem to sort Nat leads to the renaming of sort List[Elem] into the sort List[Nat]). If one is not interested in compound identi ers, Ext(�; � 0 ; h) can be taken to be just h. In section 5, we will propose a particular de nition of Ext. Now we are ready for our central de nition: De nition 3.1. An institution with symbols (Sign; Sen; Mod; j=; Sym ; j j) consists of { an institution (Sign; Sen; Mod; j=), { a set of (fully quali ed) symbols Sym , { a faithful functor j j: Sign ?! Set giving, for each signature � , a set of symbols j� j � Sym , and for each signature morphism �: � ?! � 0 , a translation of symbols j�j: j� j?!j� 0 j, { a function Ext: jSignj�jSignj�FinSet (Sym �Sym ) ?! FinSet (Sym �Sym ),
5
such that
h � Ext(�; � 0 ; h) for each h � Sym � Sym and �; � 0 2 jSignj.
In the sequel, we will, by abuse of notation, identify � and j�j (this is legitimated by faithfulness of j j). In particular, we say that a map �: j� j ?! j� 0 j is a signature morphism if there exists a signature morphism �: � ?! � 0 with j�j = �. By faithfulness of j j, such a � is unique. By abuse of notation, we will also denote it by �: � ?! � 0 .
4 A new kernel language In this section, we de ne a new kernel language for structured speci cations, which can be seen as an underlying kernel language for CASL. It is de ned over an arbitrary institution with symbols and allows to write speci cations in a more concise and convenient way in comparison with the kernel language introduced in section 2. For simplicity, we include not all the constructs of CASL structured speci cation in the kernel language, but leave out those like local speci cations that can be expressed using other constructs. Moreover, we do not allow signature fragments as in CASL, since allowing these would lead to a more complex semantics of the language without giving much more insight into the concepts that we want to present. The kernel language for institutions with symbols consists of the following (the function Sig, computing the signature of a speci cation, as well as the constructions h j� , � jSYs , � jSYs and h j��0 , will be de ned in the subsections below): presentations : For any signature � 2 jSignj and set � � Sen(� ) of � sentences, the presentation h�; �i is a speci cation, union : For any speci cations SP 1 and SP 2 with the corresponding signature union Sig [SP1 ] [ Sig [SP2 ] de ned, their union SP 1 and SP 2 is a speci cation, translation : For any symbol map h � Sym � Sym and speci cation SP with h jSig [SP ] de ned, SP with h is a speci cation revealing : For any speci cation SP and set of symbols SYs � Sym with Sig [SP ] jSYs de ned, SP reveal SYs is a speci cation, hiding : For any speci cation SP and set of symbols SYs � Sym with Sig [SP ] jSYs de ned, SP hide SYs is a speci cation, instantiation : For any three speci cations SP , SP 0 and SP A and a symbol map h � Sym � Sym such that Sig [SP ] is a subsignature of Sig [SP 0 ] and Sig [SP ] is de ned, instantiate (SP ; SP 0 ) by SP t h is a speci cation. h jSig A [SP A ] The side conditions on the well-formedness of a speci cation are explained in the following subsections. For typical institutions with symbols, they can be checked statically. Thus, it makes sense to impose them on the language. The semantics of the new kernel language is given by translating it to the old kernel language, using a translation function [ ] . Using this translation function,
6
we can easily lift the semantic functions Sig and Mod from the old to the new kernel language by putting, for a speci cation SP written in the new kernel language: Sig [SP ] = Sig [[[SP ] ] Mod [SP ] = Mod [[[SP ] ] Note that even for well-formed speci cations, the translation function [ ] will be a partial function, and so will be Sig and Mod . This means that the semantics of some speci cations of the new kernel language will be unde ned (this will happen only for speci cations involving instantiations). Checking de nedness involves checking model class inclusions, which is undecidable in general. In contrast, the function Sig will be decidable for those institutions with symbols having the constructions h j� , � jSYs , � jSYs and h j��0 computable. For presentations, the clause of the inductive de nition of the translation function is trivial: [ h�; �i] = h�; �i
4.1 Revealings and Hidings To be able to interpret the revealing of a set of symbols of a given signature, we need to be able to construct a subsignature generated by these symbols. This can be formalized within an arbitrary but xed institution with symbols as follows, directly following [10]. We say that a signature morphism �: � ?! � 0 is a signature inclusion if j�j is an inclusion (of j� j into j� 0 j). If there exists a signature inclusion from � to � 0 , we call � a subsignature of � 0, and write � � � 0 . Notice that then the signature inclusion is unique, since the functor j j is faithful; we denote it by ����0 . A subsignature � of � 0 is said to be full2 if every subsignature of � 0 with the same set of symbols as � is a subsignature of � . Notice that for standard many-sorted signatures, the notions of signature and full subsignature coincide | every subsignature is full. A subsorted subsignature � of � 0 is full if and only if � inherits from � 0 all the subsort requirements concerning the sorts of � . We call a set of symbols SYs � j� j closed in � if there is a subsignature � 0 of � with the set of symbols SYs , i.e. such that j� 0 j = SYs . For any set SYs � j� j, a signature generated in � by SYs is a full subsignature � 0 of � such that j� 0 j is the smallest set containing SYs and closed in � . It is denoted by � jSYs . Dually, to be able to interpret hiding, we need: For any set SYs � j� j, a signature co-generated in � by SYs is a full subsignature � 0 of � such that j� 0 j is the largest set disjoint from SYs and closed in � . It is denoted by � jSYs . With this, we can give a (translational) semantics of revealing and hiding: [ SP reveal SYs ] = derive from [ SP ] by � where � = Sig [SP ] and �: � jSYs?! � is the inclusion. 2 To be more uniform with section 4.2, we could replace fullness by initiality. �: � ?! � is initial if for any function �: j� j?!j� j, � is a signature morphism provided � � � 0
00
is. Initiality implies fullness, but not conversely, although the converse is true for the standard examples.
7
[ SP hide SYs ] = derive from [ SP ] by � where � = Sig [SP ] and �: � jSYs?! � is the inclusion.
4.2 Translations For translations, the main problem is the following: Given a signature � and a symbol map h, construct a signature morphism �: � ?! � 0 that is in some sense compatible with h. Generally, there are many di�erent choices for the target signature � 0 with the same underlying symbol map j�j: one can arbitrarily extend � 0 with some stu� that is not in the image of j�j. We therefore want � 0 to be minimal in a certain sense. This is achieved by the notion of nality3 . A signature morphism �: � ?! � 0 is said to be nal [1]4 if for any function �0 : j� 0 j?!j� 00 j, �0 is a signature morphism provided that �0 � � is. In the category of many-sorted algebraic signatures, a signature morphism is nal i� it is surjective. For morphisms between subsorted signatures, nality additionally means that � 0 has the minimal subsorting relation making � into a signature morphism (i.e. � 0 inherits the subsorting relation from � along �), see proposition 6.5 below. Next, we have to specify the exact relation between a symbol map h and the corresponding signature morphism �. We want to free the user from specifying the mapping of symbols that are mapped identically. This is achieved by the following: Given a signature � and a symbol map h, if there is a unique signature morphism �: � ?! � 0 such that h � graph(j�j) and � is nal, then � is called the signature morphism from � induced by h, written h j� (otherwise, h j� is unde ned). Given a signature � , a symbol map h is called admissible for � , if there is some signature morphism �: � ?! � 0 with h � graph(j�j) and � is nal. Let Admissible(� ) be the set of symbol maps admissible for � . With this, we can specify how translations are mapped to the old kernel language: [ SP with h] = translate [ SP ] by h jSig [SP ] Note that de nedness of h jSig [SP ] is already required by the well-formedness condition of the translation. The reader may be surprised that nality corresponds to some minimality principle here, while nal algebras usually satisfy some maximality principle. The reason is that the notion of nality comes from categorical topology, and nal continuous maps indeed have a maximal topology on their target (while nal signature morphisms typically have a minimal target). 4 In the theory of co- brations, these morphisms as called co-cartesian [2], and they are de ned in a slightly more general setting, namely, faithfulness of the functor is not required. We nevertheless stick to nality here, because nality is also de ned for sinks, see below.
3
8
4.3 Unions Concerning unions, the main feature that we have added to the old kernel language is the ability to unite speci cations having di�erent signatures. Therefore, we need to be able to unite signatures. We will do this using so-called minimal lifts of sinks. A sink is a pair of morphisms with common codomain. A lift of a j j-structured sink (�1 : j�1 j ?! SYs ; �2 : j�2 j ?! SYs ) is a sink (�1 : �1 ?! �; �2 : �2 ?! � ) such that j� j = SYs .5 A lift (�1 : �1 ?! �; �2 : �2 ?! � ) of a j j-structured sink (�1 : j�1 j ?! SYs ; �2 : j�2 j ?! SYs ) is said to be minimal, if for every other lift (�1 : �1 ?! � 0 ; �2 : �2 ?! � 0 ) of the same sink, the function idj�j: � ?! � 0 is a signature morphism. Given two signatures �1 and �2 , if the sink (�j�1 j�j�1 j[j�2j ; �j�2j�j�1 j[j�2j ) has a unique minimal lift, the latter is called the union of �1 and �2 , denoted by �1 [ �2 . This enables us to de ne the semantics of unions: [ SP 1 and SP 2 ] = (translate [ SP 1 ] by �1 ) [ (translate [ SP 2 ] by �2 ) where �1 = Sig [SP1 ], �2 = Sig [SP2 ], � = �1 [ �2 , and �1 : �1 ?! � and �2 : �2 ?! � are the inclusions.
4.4 Instantiations For instantiations of generic speci cations, usually a pushout semantics is used [6]. The problem with this approach is that the user does not have full control over the name space of the speci cation constructed: generally, new names have to be created in the pushout. In contrast, CASL follows a \same name{same thing" philosophy, which leaves the control over the name space to the user: instantiations are constructed in a naive set-theoretic way. The pushout approach and the set-theoretic approach can be reconciled by requiring the set-theoretic construction to actually be a pushout (and letting the instantiation being unde ned if this requirement is not ful lled). In this section, we show how to perform the set-theoretic construction of an instantiation and formulate conditions that guarantee this construction to be a pushout. Both the construction and the conditions can be formulated in an institution-with-symbols-independent way. Again, the crucial notion is that of nality. A sink (�1 : �1 ?! �; �2 : �2 ?! � ) is called nal, if for each function �: j� j ?! j� 0 j, � is a signature morphism provided that � � �1 and � � �2 are. Again, a sink of many-sorted algebraic signature morphisms is nal i� the signature morphisms are jointly surjective. For subsorted signature morphisms, additionally the subsorting relation on � has to be minimal w.r.t. making both 5
Recall that by abuse of notation, we use the same names for a signature morphism and its underlying symbol map.
9
�1 and �2 signature morphisms, and the transitive closure of the overloading relation has to be the transitive closure of the union of the translated overloading relations (for a related result, see proposition 6.8). A nal lift of a j j-structured sink (�1 : j�1 j ?! SYs ; �2 : j�2 j ?! SYs ) is a nal sink (�1 : �1 ?! �; �2 : �2 ?! � ) such that j� j = SYs . A union of two signatures is said to be nal if the sink consisting of the two inclusions is nal. The notions of nal sink and nal lift can be generalized to an arbitrary number of morphisms with common codomain. The concept gains its importance from the following (note that cocones and colimits are special cases of sinks): Proposition 4.1. In a concrete category, a nal lift of a colimit is again a colimit. Since we use nal signature morphisms and nal unions in the stepwise construction of an instantiation of a generic speci cation, we can use the above proposition to show that the instantiation is a pushout. The construction assumes that the formal parameter signature of the generic speci cation is included in the body signature (so we do not allow an arbitrary signature morphism between formal parameter and body). Our construction now works as follows: Given a signature inclusion �: � ?! � 0 (which acts as the inclusion of the formal parameter into the body) and a signature morphism �: � ?! �A (which acts as the tting morphism from the formal to the actual parameter), if { the signature morphism h j�0 from � 0 induced by h = Ext(� 0 ; �A ; graph (j�j)) exists6 (let its target be denoted by �A (�)), { the union �A [ �A(�) exists7, and moreover, it is nal8, { j�Aj \ j�A(�)j � j�j(j� j)9 , and { ker(j(h j�0 )j) � ker(j�j)10 , This may fail to exist for several reasons. One is that the symbol map h is not a function because of the de nition of Ext (see section 5 for an example). Another one is that h is a function, but there is no signature morphism induced by it. In the CASL institution, the latter can happen for example if h does not preserve the overloading relations. An example is given in [8]. 7 The union may fail to exist in the CASL institution because a total and a partial operation symbol with the same pro le get united. 8 The union may fail to be nal in the CASL institution if symbols newly get into the overloading relation, cf. Proposition 6.8. 9 This property may fail if the actual parameter and the body share symbols that are not in the formal parameter. 10 For the standard de nition of Ext described in section 5, this property may fail if the tting morphism � is not injective (say, it maps both Elem1 and Elem2 to nat) and this leads to new identi cations in the extension (say, both List[Elem1] and List[Elem2] occur in the body, so �(�) maps both to List[Nat]). 6
10
then ��A (�)��A [�A(�) � h j�0 is called the extension of � along �, denoted by �(�): � 0 ?! �A [ �A (�). Here, the kernel of a function f : A ?! B is de ned as usual:
ker(f ) = f(x; y) 2 A � Ajf (x) = f (y)g: Proposition 4.2. If the extension of �: � ?! �A along �: � ?! � 0 exists, then
�
�
�0
�
�A [ �A (�)
�
�A �
�(�) �
is a pushout in Sig. Before we can use the above construction to de ne the semantics of instantiations, we rst have to specify how the tting morphism is obtained from a symbol map. Given signatures � and � 0 and a symbol map h � Sym � Sym , if there is a unique signature morphism �: � ?! � 0 with
h � graph(j�j) we call it the signature morphism from � to � 0 induced by h, denoted by h j��0 . Given signatures � and � 0, a symbol map h � Sym �Sym is called admissible for � and � 0 , if there is some signature morphism �: � ?! � 0 with h � graph(j�j). Admissible(�; � 0) denotes the set of all symbol maps admissible for � and � 0 . With this, the semantics of instantiations (given by a translation to the old kernel language) is as follows: [ instantiate (SP ; SP 0 ) by SP A t h] = [ SP A ] [ (translate [ SP 0 ] by �(�)) where � = Sig [SP ], of � 0 = Sig [SP 0 ], �: � ?! � 0 is the inclusion, �A = Sig [SP A ] and � = h j��A . The semantics is unde ned whenever it is not the case that 1. Mod(SP 0 ) �Sig[SP ]�Sig[SP 0 ] � Mod(SP ), and 2. Mod(SPA ) � � Mod(SP ). which means that �Sig [SP ]�Sig [SP 0 ] and � are both speci cation morphisms.
5 Institutions with quali ed symbols In this section, we de ne a notion of institution with quali ed symbols to deal with the problems of overloading and quali cation. In the CASL institution, the natural choice for j� j is the set of fully quali ed symbols of � (if we omit quali cations, j j is no longer faithful, because symbols may be overloaded with di�erent pro les). Now in CASL symbol mappings, one
11
may (either partially or completely) omit quali cations of symbols. This leads to the notion of raw symbol, which in the case of the CASL institution can be a quali ed symbol, an unquali ed symbol or a partially quali ed symbol. The link between symbols and raw symbols is given by a matching relation specifying which symbols correspond to which raw symbols. In order to be able to construct the extension map Ext explicitly, we further assume that there is a set of compound identi ers. The following notion abstracts this to an institution-independent setting: De nition 5.1. An institution with quali ed symbols (Sign; Sen; Mod; j=; Sym ; j j; ID; RawSym ; IDAsRawSym; SymAsRawSym; matches) consists of { an institution (Sign; Sen; Mod; j=), { a set of (fully quali ed) symbols Sym , { a faithful functor j j: Sign ?! Set, { a set ID of compound identi ers, { a set of raw symbols RawSym together with two injections IDAsRawSym : ID ?! RawSym and SymAsRawSym : Sym ?! RawSym , { a matching relation matches � Sym � RawSym specifying which quali ed symbols match which raw symbols, such that { j� j � Sym for each � 2 jSignj, { for id; ci1; : : : ; cin 2 ID, also id[ci1; : : : ; cin] 2 ID (i.e. we can form compound identi ers) { SY matches SymAsRawSym (SY 0) i� SY = SY 0 for SY ; SY 0 2 Sym 11 and { for each SY 2 Sym , there is a unique Ident 2 ID with SY matching IDAsRawSym (Ident) (called the name of SY ) Raw symbol maps are de ned like symbol maps: they are nite binary relations r � RawSym � RawSym . In the kernel language of section 4, we now can replace symbol maps by raw symbols maps and thus obtain more conciseness when writing speci cations. In most cases, the kernel language just remains the same as before (note that Sig[ ], ff gg and ff gg are de ned later on): presentations : For any signature
� 2 jSignj and set � � Sen(� ) of � sentences, the presentation h�; �i is a speci cation, union : For any speci cations SP 1 and SP 2 with the corresponding signature union Sig [SP1 ] [ Sig [SP2 ] de ned, their union SP 1 and SP 2 is a speci cation, translation : For any raw symbol map r � RawSym �RawSym and speci cation SP with ffrggAdmissible(Sig [SP ]) jSig [SP ] de ned, SP with r is a speci cation revealing : For any speci cation SP and set of raw symbols RSYs � RawSym with Sig [SP ] jffRSYs gg\Sig [SP ] de ned, SP reveal SYs is a speci cation,
11
This property is not technically needed in the semantics, but it is desirable since it means that for each ambiguity there is a quali cation to resolve it.
12 hiding : For any speci cation SP and set of raw symbols RSYs � RawSym with Sig [SP ] jffRSYs gg\Sig [SP ] de ned, SP hide SYs is a speci cation, instantiation : For any three speci cations SP , SP 0 and SP A and a raw symbol
map r � RawSym � RawSym such that Sig [SP ] is a subsignature of Sig [SP 0 ] ISig[SP ] is de ned, and ffrggAdmissible(Sig [SP 0 ];Sig [SPA ]) jSig [SP A ]
instantiate (SP ; SP 0) by SP A t r
is a speci cation. To be able to interpret this modi ed kernel language and explain its wellformedness conditions, we need to construct a symbols out of raw symbols somehow. At the symbol level this is easy: just put
ffRSYs gg = fSY 2 Sym jSY matches some RSY 2 RSYs g
Now let us concern the level of maps. A rst step is to extend the matching relation from symbols to maps as follows: Given a symbol map h � Sym � Sym and a raw symbol map r � RawSym � RawSym , we say that h matches r if { For all RSY 2 dom0(r), there exists some SY 2 dom(h) matching RSY { For all (RSY ; 0RSY ) 2 r and (SY ; SY 0) 2 h, SY matches RSY implies SY 0 matches RSY . However, the matching relation between symbol maps and raw symbol maps does not su�ce to achieve our goal. This is illustrated by an example that lives in the CASL institution (this institution is formally de ned in section 6). Consider the signatures Signature sorts operation symbols � s; u f : s ! s; f : u ! u � 0 t; v g : t ! t; f : v ! v � 00 t; v g : t ! t; g : v ! v Let r be the raw symbol map f(s; t); (u; v); (f : s ?! s; g)g. We are looking for a symbol map that both matches r and is admissible for � (admissibility has been de ned in section 4.2). Now there are at least two symbol maps satisfying these constraints, namely
h = f(sort s; sort t); (sort u; sort v); (f : s ?! s; g: t ?! t); (f : u ?! u; f : v ?! v)g k = f(sort s; sort t); (sort u; sort v); (f : s ?! s; g: t ?! t); (f : u ?! u; g: v ?! v)g Admissibility of h and k can be seen by noticing that h indeed is a signature morphism from � to � 0 , while k is a signature morphism from � to � 00 . How to distinguish h as the symbol map that we want? Neither of h and k map f : u ?! u identically, but h maps it to a symbol with the same name. This
can be formalized in an arbitrary institution with quali ed symbols as follows: The core of a symbol map is de ned to be
core(h) := f(SY ; SY 0 ) 2 h j SY does not have the same name as SY 0 g
13
(Note that by the de nition of institution with quali ed symbols, each symbol has a unique name.) With this, we can de ne a pre-order relation on the set of symbol maps by putting
h � h0 i� core(h) � core(h0 ) For the above example, we have h � k but not vice versa, since (f : u ?! u; g: v ?! v) 2 core(k) n core(h). Given a set of admissible symbol maps Ad and a raw symbol map r, we now can de ne the associated symbol map ffrggAd to be the least element of the set of all symbols maps that match r and are in Ad, provided this least element exists and is unique. Otherwise, ffrggAd is unde ned. (Note that in a pre-order, there may be several least elements.) The function ff ggAd now admits to interpret the modi ed kernel language, by just replacing each raw symbol map r by the corresponding symbol map ffrggAd. Before doing this, however, we rst have to construct an institution with symbols out of an institution with raw symbols. We do this by de ning, for a given institution with quali ed symbols, the map Ext which is required in the de nition of institution with symbols. Recall that Ext is needed for the semantics of instantiations of generic speci cations (see section 4.4). We here de ne Ext in such a way that it implements the automatic renaming of compound identi ers that is used in CASL to prevent name clashes between di�erent instantiations of one and the same generic speci cation. The function Ext takes two signatures (the formal and the actual parameter signature) and a symbol map (the tting symbol map) and delivers a symbol map again (the symbol map modi ed by the mechanism to rename compound identi ers). We want to rename the components of compound identi ers according to the tting map. Since the tting map is a symbol map, while the component of compound identi ers are just identi ers, we need the machinery of raw symbols to link these concepts properly: Given a symbol map h � Sym � Sym , de ne
Ext(�; � 0 ; h) = ffrggAdmissible(�;�0 ) where
r = (SymAsRawSym � SymAsRawSym )(h) [f(IDAsRawSym(id[ci1; : : : ; cin ]); IDAsRawSym(id[ci01 ; : : : ; ci0n ])) j some SY 2 j� j matches IDAsRawSym(id[ci1 ; : : : ; cin]) and (cii ; ci0i ) 2 h0 for i = 1; : : : ; ng12
12
The union may lead to non-functionality (and, therefore, unde nedness of the instantiation of the generic extension, because the raw symbol map does not induce a signature morphism), if a compound identi er is mapped both explicitly by the tting morphism and implicitly by the extension mechanism.
14
and
h0 = f(Ident; Ident0 ) j Ident; Ident0 2 ID; (SY ; SY 0 ) 2 h; SY matches IDAsRawSym (Ident); SY 0 matches IDAsRawSym (Ident0 )g13 : It is obvious that h � Ext(�; � 0 ; h), thus we get:
Proposition 5.1. From each institution with quali ed symbols, we get an insti-
tution with symbols by letting Ext be de ned in the above way and by forgetting the sets of raw symbols and of identi ers and the functions associated with them. With this, we now can interpret kernel language with raw symbols in an arbitrary institution with quali ed symbols. Most constructs are the same as for institution with symbols; thus we interpret them in the associated institution with symbols (see proposition 5.1). Translation and instantiation have a new form; we interpret them by translating them to the kernel language for institutions with symbols:
ffh�; �igg = h�; �i ffSP and SP gg = ffSP gg and ffSP gg 1
2
1
2
ffSP with rgg = SP with ffrggAdmissible Sig SP (
[
])
ffSP reveal RSYs gg = ffSP gg reveal ffRSYs gg \ Sig [SP ] ffSP hide RSYs gg = ffSP gg hide ffRSYs gg \ Sig [SP ] ffinstantiate (SP ; SP 0 ) by SP A t rgg = instantiate (SP ; SP 0) by SP A t ffrggAdmissible Sig SP 0 ;Sig SPA (
[
]
[
])
Again, we can de ne Sig and Mod on the kernel language with raw symbols using the above translation: Sig [SP ] = Sig [ffSP gg] (= Sig [[[ffSP gg] ) Mod [SP ] = Mod [ffSP gg] (= Mod [[[ffSP gg] ) What if we want to use the kernel language for institution with quali ed symbols, but only have an institution with symbols at hand? 13 Notice that h may fail to be a function even if h is one, destroying the de nedness of the instantiation of a generic extension. In the CASL institution, this may happen, for example, if two di�erent pro les of a function are mapped to di�erent names, and the function name occurs in a compound identi er. 0
15
Proposition 5.2. For each institution with symbols closed under compound symbols, i.e.
for id; ci1; : : : ; cin 2 Sym ; also id[ci1 ; : : : ; cin] 2 Sym ; there is an institution with quali ed symbols corresponding to no possible quali cations. Note that the Ext component is forgotten during this constructions; it gets replaced by a speci c Ext as de ned above when interpreting the kernel language for institutions with quali ed symbols.
6 CASL as an institution with (quali ed) symbols We here concentrate on the category of CASL signatures and signature morphisms, together with the symbol functor. Sentences, models and satisfaction are described in the CASL semantics [5] in detail, we leave them out here since they do not really matter in this context.
6.1 CASL as an institution with symbols
Let ID be a xed set of identi ers. A CASL signature � = (S; TF ; PF ; P; �) consists of: { a set S � ID of sorts, together with a pre-order � { two S ��S -sorted families TF = (TF w;s)w2S�;s2S and PF = (PF w;s)w2S�;s2S of total function symbols and partial function symbols, respectively, with TF w;s � ID PF w;s � ID and such that TF w;s \ PF w;s = fg, for each (w; s) 2 S ��S (constants are treated as functions with no arguments) { a family P = (Pw )w2S� of predicate symbols with Pw � ID We write f : w ?! s 2 TF for f 2 TF w;s , f : w ?! s 2 PF for f 2 PF w;s and p : w 2 P for p 2 Pw . For a subsorted signature, � = (S; TF ; PF ; P; �S ), we de ne overloading relations �F and �P , for function and predicate symbols, respectively: Let f : w1 ! s1 ; f : w2 ! s2 2 TF [ PF , then f : w1 ! s1 �F f : w2 ! s2 i� there exist w 2 S � with w � w1 and w � w2 and a common supersort s of s1 and s2 . Let p : w1 , p : w2 2 P , then p : w1 �P p : w2 i� there exists w 2 S � with w � w1 and w � w2 . Given signatures � = (S; TF ; PF ; P; �) and � 0 = (S 0 ; TF 0 ; PF 0 ; P 0 ; �0 ), a signature morphism �: � ?! � 0 consists of { a map �S : S ?! S 0, TF : TF w;s ?! TF 0 S� 14 � { a map �w;s � (w);�S (s) for each w 2 S ; s 2 S ,
14
�S� is the extension of �S to nite strings
16 0 PF : PF w;s ?! PF 0 S� { a map �w;s � w ;�S s [ TF �S� w ;�S s , and { a map �wP : Pw ?! P�0 S� w for each w 2 S �, such that the subsort relation � and the overloading relations �F and �P are ( )
( )
( )
( )
( )
preserved by �S . Let the set Sym of symbols be the set
t ID [ffws j f; s 2 ID; w 2 ID� g[ffwsp j f; s 2 ID; w 2 ID� g[fpw j p 2 ID; w 2 ID� g
The functor j j maps a signature � = (S; TF ; PF ; P; �) to the set j� j =
fs j s 2 S g [ ffwst j f 2 TF w;sg [ ffwsp j f 2 PF w;s g [ fpw j p 2 Pw g Given a signature morphism �: � ?! � 0 , j�j maps a symbol of form s 2 ID
t to � TF (f )t p to �S (s), a symbol of form fws w;s �S� (w)� S (s) , a symbol of form fws to p PF P �w;s (f )�S� (w)�S (s) , and a symbol of form pw to �w (p)�S� (w) . For simplicity, let Ext(�; � 0 ; h) just be h (a better Ext will emerge when considering CASL as an institution with quali ed symbols).
Proposition 6.1. The above gives us CASL as an institution with symbols. Let us now examine how the various constructions needed for the semantics of the kernel language look in CASL.
Proposition 6.2. In the CASL institution, the following are equivalent for a subsignature � of � 0 :
1. � is a full subsignature of � 0 . 2. � inherits from � 0 all the subsort requirements concerning the sorts of � , i.e. �=�0 \(S � S ).
We now have the following Proposition 6.3. In the CASL institution, for any set SYs � j� j, there is a signature generated in � by SYs.
Proposition 6.4. In the CASL institution, for any set SYs � j� j, there is a signature co-generated in � by SYs.
Proposition 6.5. In the CASL institution, given two signatures � = (S; TF; PF; P; �) and � 0 = (S 0 ; TF 0; PF 0 ; P 0 ; �0 ) and a signature morphism �: � ?! � 0 , the following are equivalent:
1. � is nal. 2. j�j is surjective, detects totality (i.e. f 0 : w0 ?! s0 2 TF implies that there is TF (f ) = f 0 ); and �0 is the least pre-order on some f : w ?! s 2 TF with �w;s 0 S satisfying �S (s1 ) �0 �S (s2 ) if s1 � s2
17
Given two signatures �1 = (S1 ; TF1; PF1 ; P1 ; �1 ) and �2 = (S2 ; TF2 ; PF2 ; P2 ; �2) their union �1 [ �2 = (S; TF; PF; P; �), is de ned by { S = S 1 [ S2 { XF (ws) = XF1(ws) [ XF2(ws) for XF 2 fTF; PF g and ws 2 S � � S . Here, if in XF1 (ws) [ XF2 (ws) one of both sides is unde ned, it counts as the empty set.
{ P (ws) = P (w) [ P (w) for w 2 S �. Again, if in P (w) [ P (w) one of both sides is unde ned, it counts as the empty set. { �=� [� The union exists i� � [ � is a signature i� TF (ws) \ PF (ws) = ; for all ws 2 S � � S . Otherwise, the union is unde ned. Proposition 6.6. In the CASL institution, given two signatures � and � such that � [ � exists, the sink (�j�1 j�j�1j[j�2j ; �j�2 j�j�1j[j�2j ) has a unique 1
1
2
1
2
2
1
2
1
1
2
2
minimal lift, namely (��1 ��1[�2 ; ��2 ��1 [�2 ). Let �F and �P denote the transitive closures of the overloading relations �F and �P , respectively. Proposition 6.7. In the CASL institution, signature morphisms preserve �F and �P . Proposition 6.8. In the CASL institution, for a union �1 [ �2, the following are equivalent: 1. The union is nal. 2. The relation ��F 1 [�2 of �1 [ �2 is the transitive closure of the union of the relations ��F 1 and �F�2 (and similarly for �P ).
6.2 Alternative de nition of a CASL institution with symbols The above de nition is not the only natural way to turn the CASL institution into an institution with symbols. The other natural way would we to throw out p , and use symbols of form f t for both total and partial symbols of form fws ws operation symbols. The e�ect would be the following: { Subsignature inclusions may change a partial operation symbol in the subsignature to a total operation symbol in the supersignature, and only full subsignatures inherit totality. { Unions of signatures are always de ned. An operation symbol in the union is total i� it is total in one of the signatures that are united. Whether one choses the rst or second variant of CASL as an institution with symbols, is mainly a matter of taste. In the CASL semantics, the rst version is chosen. The second version has the nice consequence that unions are always de ned.
18
6.3 CASL as an institution with quali ed symbols The set of compound identi ers in CASL is de ned by just closing some given set SIMPLE-ID of simple identi ers under formation of compound identi ers, i.e. ID is the least set with SIMPLE-ID � ID
for id; ci1 ; : : : ; cin 2 ID; also id[ci1 ; : : : ; cin ] 2 ID; The set of raw symbols is de ned by RawSym = Sym ] (SymKind � ID)
where SymKind = fimplicit ; sort ; fun ; pred g. We write SY sym 2 RawSym for SY 2 Sym and (k; Ident) 2 RawSym for k 2 SymKind and Ident 2 ID. Both identi ers and symbols can be regarded as raw symbols using the injections IDAsRawSym : ID ?! RawSym and SymAsRawSym : Sym ?! RawSym de ned by IDAsRawSym (Ident) = (implicit ; Ident) and SymAsRawSym (SY ) = SY sym The matching relation
matches � Sym � RawSym between symbols and raw symbols is the least relation satisfying s matches (implicit ; s), s matches (sort ; s), for s 2 sort, t matches (fun ; f ), t matches (implicit ; f ), fws fws p p matches (fun ; f ), fws matches (implicit ; f ), fws pw matches (implicit ; f ), pw matches (pred ; f ), SY matches SY sym for SY 2 Sym . Proposition 6.9. The above de nition turns CASL into an institution with quali ed symbols. Note that by Proposition 5.1, we also get an institution with symbols out of this. It is the same institution with symbols as the one de ned in section 6.1, except from the function Ext. The Ext function in the present case ensures a treatment of compounf identi ers within instantiations as it is in CASL.
7 Conclusion and Future Work We have de ned a kernel language for CASL structured speci cations, which allows us to deal with symbols and symbol maps in a convenient way, instead of taking signature morphisms as a primitive notion. This has the advantage that the user has full control over the name space, and the transition from a symbol map to a signature morphism can be described in an institution-independent way.
19
The kernel language can be interpreted over an arbitrary but xed institution with symbols. For coping with overloading, we also have de ned a notion of institution with quali ed symbols. We show how these notions specialize to the CASL institution. Since the structure required by an institution of (quali ed) symbols is just a bit of syntax, it can be expected that nearly any institution can be extended to an institution with (quali ed) symbols. The work presented here has been the basis of the semantics of CASL structured speci cations [5]. Thus, it is possible to use CASL structured speci cations practically for any institution, the only easy-to-ful ll requirement being to equip the institution with a symbol structure. Future work (jointly with Andrzej Tarlecki) will extend the kernel language and the notion of institution developed here to deal with the problems of sharing, which occurs in (the semantics of) CASL architectural speci cations. It is also planned to implement an institution-with-symbols static analysis of CASL structured speci cations. Acknowledgements Thanks to all participants of the CoFI semantics group (and the rst reader of the semantics, Sasha Zamulin). In particular, I wish to thank Andrzej Tarlecki for numerous fruitful discussions and comments.
References 1. J. Ad�amek, H. Herrlich, and G. Strecker. Abstract and Concrete Categories. Wiley, New York, 1990. 2. F. Borceux. Handbook of Categorical Algebra I { III. Cambridge University Press, 1994. 3. V. E. C�az�anescu and G. Ro�su. Weak inclusion systems. Mathematical Structures in Computer Science, 7(2):195{206, Apr. 1997. 4. CoFI. The Common Framework Initiative for algebraic speci cation and development, electronic archives. Notes and Documents accessible from http://www.brics.dk/Projects/CoFI. 5. CoFI Semantics Task Group. CASL { The CoFI Algebraic Speci cation Language { Semantics. Note S-9 (version 0.95), in [4], Mar. 1999. 6. H. Ehrig and B. Mahr. Fundamentals of Algebraic Speci cation 1. Springer Verlag, Heidelberg, 1985. 7. J. A. Goguen and R. M. Burstall. Institutions: Abstract model theory for speci cation and programming. Journal of the Association for Computing Machinery, 39:95{146, 1992. Predecessor in: LNCS 164, 221{256, 1984. 8. T. Mossakowski. Cocompleteness of the CASL signature category. Note S-7, in [4], Feb. 1998. 9. D. Sannella and A. Tarlecki. Speci cations in an arbitrary institution. Information and Computation, 76:165{210, 1988. 10. D. T. Sannella and A. Tarlecki. Extended ML: an institution-independent framework for formal program development. In Proc. Workshop on Category Theory and Computer Programming, volume 240 of Lecture Notes in Computer Science, pages 364{389. Springer, 1986.
