the Common Algebraic Specification Language

Similar documents
A Gentle Introduction to CASL

CafeOBJ. CafeOBJ. Starting CafeOBJ. Wolfgang Schreiner 1. A Quick Overview. 2.

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Checking Conservativity With HETS

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Introduction to dependent types in Coq

The Programming Language Core

Z Notation. June 21, 2018

The Prototype Verification System PVS

Appendix 1. Description Logic Terminology

Appendix 1. Description Logic Terminology

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

Specification, Verification, and Interactive Proof

Data-Oriented System Development

K Reference Card. Complete example

A Michael Jackson presentation. CSE503: Software Engineering. The following slides are from his keynote at ICSE 1995

VS 3 : SMT Solvers for Program Verification

Algebraic-coalgebraic specification in CoCasl

Computing Fundamentals 2 Introduction to CafeOBJ

The design of a programming language for provably correct programs: success and failure

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

Outline Mousavi: ADT

Denotational Semantics. Domain Theory

type classes & locales

14 Foundation of Programming Languages and Software Engineering: Summer Term 2010

Functional Programming and Modeling

Lecture 4. First order logic is a formal notation for mathematics which involves:

Checking the Conformance of Java Classes Against Algebraic Specifications

IA014: Advanced Functional Programming

Data Types. (with Examples In Haskell) COMP 524: Programming Languages Srinivas Krishnan March 22, 2011

Induction and Semantics in Dafny

Specifying and Verifying Programs (Part 2)

LOGIC AND DISCRETE MATHEMATICS

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Section 17.2

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Semantics via Syntax. f (4) = if define f (x) =2 x + 55.

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Data types for mcrl2

An Evolution of Mathematical Tools

The Rule of Constancy(Derived Frame Rule)

Built-in Module BOOL. Lecture Note 01a

Lecture Notes in Computer Science 2900 Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

THE AGDA STANDARD LIBRARY

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Programming Languages Third Edition

Encoding functions in FOL. Where we re at. Ideally, would like an IF stmt. Another example. Solution 1: write your own IF. No built-in IF in Simplify

Reasoning About Programs Panagiotis Manolios

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Local Specialization in Open-Axiom

3.7 Denotational Semantics

Automated Reasoning. Natural Deduction in First-Order Logic

Towards Trustworthy Specifications I: Consistency Checks

Relating the MSR Crypto-Protocol Specification Language to Rewriting Logic with Dependent Types

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

CS 457/557: Functional Languages

From Event-B Models to Dafny Code Contracts

Foundations: Syntax, Semantics, and Graphs

Bridging the Gap Between Algebraic Specification and Object-Oriented Generic Programming

SOFTWARE ENGINEERING DESIGN I

Monad (1A) Young Won Lim 6/26/17

CSE 20 DISCRETE MATH. Fall

Abstract Interpretation

Maude Implementation of MSR

Verifying Java Programs Verifying Java Programs with KeY

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Verifying Java Programs Verifying Java Programs with KeY

RSL Reference Manual

Program analysis parameterized by the semantics in Maude

Monad (3A) Young Won Lim 8/9/17

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

The Maude 2.0 System. M. Clavel F. Durán S. Eker P. Lincoln. N. Martí-Oliet J. Meseguer C. Talcott

Programming with Universes, Generically

COM2001 Advanced Programming Techniques. Mike Stannett Department of Computer Science The University of Sheffield

3.1 IMP: A Simple Imperative Language

Functional Logic Programming Language Curry

Unification in Maude. Steven Eker

Talen en Compilers. Jurriaan Hage , period 2. November 13, Department of Information and Computing Sciences Utrecht University

The Isabelle/HOL type-class hierarchy

The Java Modeling Language (Part 2)

The ITP Tool s Manual

MITOCW watch?v=kz7jjltq9r4

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

In Our Last Exciting Episode

Lecture 09: Data Abstraction ++ Parsing is the process of translating a sequence of characters (a string) into an abstract syntax tree.

The SMT-LIB 2 Standard: Overview and Proposed New Theories

GADTs. Wouter Swierstra. Advanced functional programming - Lecture 7. Faculty of Science Information and Computing Sciences

Overloading, Type Classes, and Algebraic Datatypes

Why. an intermediate language for deductive program verification

Discrete Mathematics Lecture 4. Harper Langston New York University

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

Programming with (co-)inductive types in Coq

Formal Verification. Lecture 10

Assertions, pre/postconditions

Overview. A Compact Introduction to Isabelle/HOL. Tobias Nipkow. System Architecture. Overview of Isabelle/HOL

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Section 17.1

Tool Support for CSP-CASL

Haskell Overview II (2A) Young Won Lim 8/9/16

Program Analysis: Lecture 02 Page 1 of 32

Advanced Type System Features Tom Schrijvers. Leuven Haskell User Group

15-819M: Data, Code, Decisions

Transcription:

Introduction to CASL, the Common Algebraic Specification Language Franz Lichtenberger Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria Franz.Lichtenberger@risc.uni linz.ac.at

Contents Historical remarks General remarks about CASL Underlying Concepts CASL by examples (Basic Specifications only) Franz Lichtenberger http://www.risc.uni linz.ac.at 2

Historical Remarks First papers on Algebraic Specification of Abstract Data Types, around 1975: Liskov/Zilles, Guttag/Horning, ADJ Group (Goguen, Thatcher, Wagner, Wright) Several AlgSpec languages developed in the next 20 years CoFI: The Common Framework Initiative for Algebraic Specification and Development, EU Project, started 1995 The specification language defined by CoFI: CASL The Common Algebraic Specification Language Franz Lichtenberger http://www.risc.uni linz.ac.at 3

Algebraic Specification Observation/Claim/Thesis: Data types are algebras (set(s)+operations+axioms) Abstract data types (ADTs) are classes of (usually heterogeneous) algebras (Software) Systems can be specified by ADTs. Thus: ADTs / Software systems can/should be specified algebraically CASL: a language for specifying requirements and designs, not a programming language Franz Lichtenberger http://www.risc.uni linz.ac.at 4

CASL Core of a family of languages: restrictable (e.g. for executability) extendable (higher order, state based, reactive, modal,...) CASL specifications denote classes of models CASL has a complete formal definition Abstract and concrete syntax are defined formally CASL has a complete formal semantics The foundations of CASL are rock solid! (Claim by CoFI) Franz Lichtenberger http://www.risc.uni linz.ac.at 5

CASL Specifications Basic specifications (this talk) Structured specifications Large and complex specifications are easily built out of simpler ones by means of (a small number of) specification building operations Architectural specifications impose structure on implementations Libraries are named collections of named specifications The CASL Basic Libraries contain the standard datatypes Franz Lichtenberger http://www.risc.uni linz.ac.at 6

Underlying concepts CASL is based on standard concepts of algebraic specification Basic specifications declare symbols, and give axioms and constraints The semantics of a basic specification is (a signature and) a class of models: A signature corresponding to the symbols introduced by the specification a class of -models, corresponding to those interpretations of the signature that satisfy the axioms and constraints of the specification When a model M satisfies a specification SP we write M \models SP Franz Lichtenberger http://www.risc.uni linz.ac.at 7

Specifications CASL specifications may declare sorts subsorts operations predicates A spec is called many sorted if it has no subsort specifications (otherwise subsorted) A spec is called algebraic if it has no predicate declarations Franz Lichtenberger http://www.risc.uni linz.ac.at 8

Sorts A sort is a symbol which is interpreted as a set, called a carrier set The Elements of carrier sets are abstract representations of data: numbers, characters, lists, trees, etc. A sort is approx. a type in a programming language CASL allows compound sort symbols, i.e. List[Int] Franz Lichtenberger http://www.risc.uni linz.ac.at 9

Subsorts Subsort declarations are interpreted as embeddings Set inclusion would be sufficient for, e.g. Nat < Int Embedding is necessaray for, e.g. Char < String (Char and String are disjoint) An embedding is a 1 1 function Franz Lichtenberger http://www.risc.uni linz.ac.at 10

Operations Operations may be declared as total or partial An operation symbol consists of its name together with its profile Profile: number and sort of arguments, and result sort An operations is interpreted as a total or a partial function from the Cartesion product of the carrier sets of the arguments to the carrier set of the result sort The result of applying an operation is undefined if any of the arguments is undefined Constant: operation with no arguments, interpreted as an element of the carrier set of the result sort Franz Lichtenberger http://www.risc.uni linz.ac.at 11

Predicates A predicate symbol consists of a name and its profile Profile: number and sorts of the arguments, but no result sort Predicates are different from boolean valued operations!!! Predicates are used to form atomic formulas, rather than terms A predicate symbol is interpreted as a relation on (i.e., a subset of) the Cartesian product of the carrier sets of the argument sorts Predicates are never undefined, they just do not hold if any of the arguments is undefined (two valued logic) For boolean valued operations: three valued logic (true, false, undefined) Franz Lichtenberger http://www.risc.uni linz.ac.at 12

Overloading Operation and predicate symbols may be overloaded, i.e. can be declared with different profiles in the same specification Examples: 'empty' for empty list and empty set < : predicate on unrelated sorts such as Char and Int Overloading has to be compatible with embeddings between subsorts, i.e. for sorts Nat < Int, operation +, predicate <: interpretations are required to be such that it makes no difference whether the embedding from Nat to Int is applied to the arguments (and the result) or not Franz Lichtenberger http://www.risc.uni linz.ac.at 13

Atomic Formulas predicate applications equations (strong or existential) existential: both sides are defined and equal strong: hold as well, if both sides are undefined definedness assertions subsort membership assertions Franz Lichtenberger http://www.risc.uni linz.ac.at 14

Axioms Axioms are formulas of first order logic Logical connectors have usual interpretation Quantification: universal, existential, unique existential Interpretation of quantification: completely standard! Variables in formulas range over the carrier sets of specified sorts An axiom either holds or does not hold in a particular model: there is no maybe or undefinedness about holdig (regardless of whether the values of terms occurring in the axioms are defined) Franz Lichtenberger http://www.risc.uni linz.ac.at 15

Constraints Sort generation constraints eliminate junk from specific carrier sets, i.e. restrict the class of models Default case: all sets allowed as carriers Generated: no junk all elements can be obtained by consecutively applying the operations of the sort in question Free: no junk, no confusion generated, and no equations hold except those implied by the axioms Franz Lichtenberger http://www.risc.uni linz.ac.at 16

CASL by examples Simple specifications can be written essentially as in many other algebraic specification languages CASL provides useful abbreviations and annotations Tools: the Heterogeneous Tools Set (HETS) is the main analysis tool for CASL; it provides a parser, static analysis and translation to an intermediate/exchange format (so called A terms) Useful only together with other tools like theorem provers (Isabelle/HOL, etc.), SW development environments,... Not tried out yet! Franz Lichtenberger http://www.risc.uni linz.ac.at 17

Loose specifications spec Strict_Partial_Order = %% Let's start with a simple example! sort Elem pred < : Elem * Elem %% pred abbreviates predicate forall x, y, z:elem. not (x < x) %(strict)%. (x < y) => not (y < x) %(asymmetric)%. (x < y) /\ (y < z) => (x < z) %(transitive)% %{ Note that there may exist x, y such that neither x < y nor y < x. }% end Franz Lichtenberger http://www.risc.uni linz.ac.at 18

Specification extension spec Total_Order = Strict_Partial_Order then forall x, y:elem. (x < y) \/ (y < x) \/ x = y %(total)% end Franz Lichtenberger http://www.risc.uni linz.ac.at 19

Abbreviations spec Total_Order_With_MinMax = Total_Order then ops min(x, y :Elem): Elem = x when x < y else y; max(x, y :Elem): Elem = y when min (x, y) = x else x end abbreviates forall x,y:elem. min(x,y) = x when x<y else y which abbreviates (x<y => min(x,y)=x) /\ (not(x<y) => min(x,y)=y) Franz Lichtenberger http://www.risc.uni linz.ac.at 20

Pretty printing spec Partial_Order = Strict_Partial_Order then pred <= (x, y :Elem) <=> (x < y) \/ x = y end less or equal can be pretty printed using %display <= %LATEX \le Not tried out yet! Franz Lichtenberger http://www.risc.uni linz.ac.at 21

Redundancy with %implies annotation spec Partial_Order_1 = Partial_Order then %implies forall x, y, z:elem. (x <= y) /\ (y <= z) => (x <= z) %(transitive)% end Can be used to generate the proof obligation Partial_Order \models (x <= y) /\ (y <= z) => (x <= z) Franz Lichtenberger http://www.risc.uni linz.ac.at 22

Attributes spec Monoid = sort Monoid ops 1 : Monoid; * : Monoid * Monoid > Monoid, assoc, unit 1 end assoc abreviates, as expected, the following axiom: forall x,y,z:monoid. (x*y)*z = x*(y*z) Franz Lichtenberger http://www.risc.uni linz.ac.at 23

Generic specifications via parameters spec Generic_Monoid [sort Elem] = sort Monoid ops inj : Elem > Monoid; 1 : Monoid; * : Monoid * Monoid > Monoid, assoc, unit 1 forall x, y:elem. inj (x) = inj (y) => x = y end Franz Lichtenberger http://www.risc.uni linz.ac.at 24

Datatype declarations by constructors spec Container [sort Elem] = type Container ::= empty insert(elem; Container) pred is_in : Elem * Container forall e, e':elem; C:Container. not (e is_in empty). (e is_in insert (e', C)) <=> e = e' \/ (e is_in C) end Abbreviation for: sort Container ops empty: Container; insert: Elem * Container > Container Franz Lichtenberger http://www.risc.uni linz.ac.at 25

Generated Specifications spec Generated_Container [sort Elem] = generated type Container ::= empty insert(elem; Container) pred is_in : Elem * Container forall e, e':elem; C:Container. not (e is_in empty). (e is_in insert (e', C)) <=> e = e' \/ (e is_in C) end Generated types allow induction over the constructors! Franz Lichtenberger http://www.risc.uni linz.ac.at 26

Free specifications spec Natural = free type Nat ::= 0 suc(nat) end Equivalent to generated type Nat ::= 0 suc(nat) forall x,y: Nat. suc(x)=suc(y) => x=y forall x:nat. not(0 = suc(x)) Franz Lichtenberger http://www.risc.uni linz.ac.at 27

Enumerated types Free datatype declarations are particulary convenient for defining enumerated types spec Color = free type RGB ::= Red Green Blue free type CMYK ::= Cyan Magenta Yellow Black end With generic instead of free one woud have to add not(red=green) /\ not(red=blue) /\... Franz Lichtenberger http://www.risc.uni linz.ac.at 28

Freeness constraints spec Integer = free {type Int ::= 0 suc(int) pre(int) forall x:int. suc (pre (x)) = x. pre (suc (x)) = x} end Franz Lichtenberger http://www.risc.uni linz.ac.at 29

Predicates and freeness Predicates hold minimally in models of free specifications spec Natural_Order = Natural then free {pred < : Nat * Nat forall x, y:nat. 0 < suc (x). (x < y) => (suc (x) < suc (y))} end Franz Lichtenberger http://www.risc.uni linz.ac.at 30

Inductive definitions of operations/predicates spec Natural_Arithmetic = Natural_Order then ops 1: Nat = suc (0); + : Nat * Nat > Nat; * : Nat * Nat > Nat forall x, y:nat. x + suc (y) = suc (x + y). x * 0 = 0. x * suc (y) = (x * y) + x end Franz Lichtenberger http://www.risc.uni linz.ac.at 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback