the larch shared language

111

The Larch Shared Language

Based on:John V. Guttag and James J. Horning, Report on the Larch

Shared Language, Science of Computer Programming, 6:103-134, North-Holland,1986.

John V. Guttag and James J. Horning, Larch: Languages and Tools for Formal Specification, Springer-Verlag, 1993.

1

222

Outline

• Background• LSL basics

– Equational specifications– Stronger theories

• Other features– Modularization: combining traits and renaming– Stating intended consequences– Recording assumptions– Built-in operators and overloading– Shorthand notations

2

333

Model vs. Property-Oriented Specification

• Model-oriented– Behavior directly by constructing a model of the system– Use of math structures such as sets, sequences, relations, and

functions– E.g., Z data and operation schemas– Z, VDM, and OCL

• Property-oriented– Behavior indirectly by stating a set of properties– Axiomatic vs. algebraic

• First-order predicate logic vs. equations• Theory vs. (heterogeneous) algebra• Larch and OJB vs. Clear and ACT ONE

3

444

Larch

• Family of specification languages to specify interfaces of program modules

• Two tiered– Different languages for different programming languages to

specify interfaces of program modules– One language for specifying shareable concepts and abstract

models, called the Larch Shared Language (LSL)

4

LSL

Larch/CLU LCL LM3 Larch/Smalltalk Larch/C++

5

Example: Symbol Table

5

Larch/CLU

LSL

666

Outline

Background• LSL basics

– Equational specifications– Stronger theories


6

777

First LSL Specification (v. 2.3 syntax)

Table: trait introduces

new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int

asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0

7

888

Trait




8

• Unit of LSL specification• Different from data abstraction (e.g.,

sort Tab)• Denotes a theory (a set of

theorems) in multi-sorted first-order logic with equality

999

Operations




9

• Declare a set of operators with signatures (domain and range sorts)

• Signatures for sort checking; sort implicitly introduced

• Operators denote total functions• Prefix, infix, postfix, distributed

operators (use of _ _)• Use of symbols, e.g., (\in)

101010

Constraints




10

• Constrain operations by means of equations (t1 == t2 or t1 = t2)

• Often t, short for t == true• Restrict theory denoted by trait

– Trait’s assertions– Axioms of first-order logic– Everything that follows– Nothing else.

• Q: Value of lookup(new, i)?

11

Exercise

• What values do the following terms denote?– isEmpty(new)– isEmpty(add(new,i,v))– lookup(add(add(new,i,v1), i, v2), i)– lookup(add(add(new,I,v1), I, v2), j)


12

Exercise• Define remove(Tab, Ind) and index(Tab, Val) operators.




13

Exercise• Formulate the notion of stack (LIFO) in LSL.

141414

Outline

BackgroundLSL basics

Equational specifications– Stronger theories


14

15

Stronger Theories

• Equational theories by trait assertions

• Often stronger theories needed for specifying ADT, e.g.,– How to prove a property of an ADT?

t: Tab, i: Ind i t size(t) > 0

• Generated by clause

• Partitioned by clause

16

Generated by Clause

• A complete set of generators for a sort• Each value is equal to one written in terms of the

generators.• Provides an induction rule, i.e., an axiom for• E.g.,

– 0 and succ for natural numbers

Nat generated by 0, succ– 0, succ and pred for integers– Int generated by 0, succ, pred

17

Proof by Induction

• How to prove the following? t: Tab, i: Ind i t size(t) > 0


new: Tabadd: Tab, Ind, Val Tab% rest of definition

asserts Tab generated by new, add i, i1: Ind, val: Val, t: Tab

% rest of definition

18

Proof by Induction


• Basis step: i: Ind i new size(new) > 0

• Induction step: t: Tab, i1: Ind, v1: Val ( i: Ind i t size(t) > 0)

( i: Ind i add(t, i1, v1) size(add(t, i1, v1)) > 0)

19

Proof by Induction


• Basis step: i: Ind i new size(new) > 0

• Induction step: t: Tab, i1: Ind, v1: Val ( i: Ind i t size(t) > 0)

( i: Ind i add(t, i1, v1) size(add(t, i1, v1)) > 0)

Proof?Axiom: (i new)

Proof?

(i new);i add(t, i1, val) == i = i1 i t;size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;

20

Partitioned by Clause

• A complete set of observers for a sort• All distinct values can be distinguished by

the observers.• Terms are equal if not distinguishable by

the observers.• Provides a deduction rule, i.e., axiom for.• E.g.,

– Sets are partitioned by (i.e., no duplicate)S partitioned by

21

Proof by Deduction

i: Ind i t1 = i t2

i: Ind lookup(t1, i) = lookup(t2, i)

t1 = t2Table1: trait introduces

new: Tabadd: Tab, Ind, Val Tab% rest of definition

asserts Tab generated by new, add

Tab partitioned by , lookup i, i1: Ind, val: Val, t: Tab


22

Example

• Can derive theorems that do not follow from the equations alone.

• Q: Prove the commutativity of “add” of the same value.

t: Tab, i, j: Ind, v: Val add(add(t, i, v), j, v) = add(add(t, j, v), i, v)

23

Exercise

• Define “generated by” and “partitioned by” clauses for stacks.

24

Specifying ADT

• Identify a distinguished sort, often called a type of interest or data sort, that denotes the ADT.

• Categorize operators– Generators (also called basic constructors)

• Produce all the values of the distinguished sort– Observers

• Operators with the distinguished (and other) sorts as the domain and some other sort as the range

– Extensions• Remaining operators with the distinguished sort as the range

• Often have axioms sufficient to concert the observers and extensions.

• Usually “partition” the distinguished sort by at least one subset of the observers and extensions.

25

Good Heuristic for Writing Enough Equations for ADT

• Write an equations defining the result of applying each observer and extension to each generator.

• Example: Set – Generators*: {} (or ), insert– Observers: – Extensions: delete

*Generators can also be {}, {__}, and .

26

Exercise

• Specify sets by defining the following operators.– Generators: , insert– Observers: – Extensions: delete

272727

Outline

BackgroundLSL basics

Equational specificationsStronger theories


27

28

Combining Traits

• Modularization of trait specifications• Traits can “includes” other traits

– “imports” for a conservative extension in older version.

• Theory of including trait– Theory associated with its introduces and asserts

clauses– Those of its included traits

• E.g., can factor out 0, 1, and + from Table.Table: trait includes Integer % defines 0, 1, and +

% imports in older version

29

Example: EquivalenceReflective: trait introduces __ __: T, T Bool asserts x: T

x x

Symmetric: trait introduces __ __: T, T Bool asserts x, y: T

x y = y x

Transitive: trait introduces __ __: T, T Bool asserts x, y, z: T

x y y z x z

Equivalence: trait includes Reflective, Symmetric, Transitive

EquivalenceExpanded: trait introduces __ __: T, T Bool asserts x, y, z: T

x x;x y = y x;x y y z x z

30

Renaming

• Potential problem of including traits– Relies heavily on the use of same names (sorts and

operators), e.g., T and .

• Thus, often renaming needed– Renaming sorts changes signatures of operators– Can also be done based on positions

SparseArray (Val, Arr): trait includes Table (Arr for Tab, defined for , assign for add,

__[__] for lookup, Int for Ind)

IntegerArray: trait includes SparseArray(Int, IntArr)

31

Exercise

• Extend the set specification to introduce additional operators. (Assume Set(S,E) with operators {}, insert, , and delete.)– Observers: |__|, – Extensions: delete, {__}, , , -

• Define a choose operator, choose: S E.

32

Exercise

• Write a specification for binary trees by defining the following operators– [__]: E T– [__, __]: T, T T– content: T E– first, second: T T– isLeaf: T Bool

33

Stating Intended Consequences

• Redundancy information or checkable claims for– Error detection (e.g., proof obligations)– Confirming reader’s understanding– Providing useful lemmas that will simplify

reasoning about specifications

34

Implies Clause

• Make claims about theory containment• Example: In SparseArray, no array with a

defined element is empty.implies a: Arr, i: Int

defined(i, a) isEmpty(a)

SparseArray (Val, Arr): trait includes Table (Arr for Tab, defined for , assign for add,

_ _[_ _] for lookup, Int for Ind)

35

Converts Clause

• State completeness of theory– If the interpretation of all other operations are

fixed, there is only one interpretation of the listed operations that satisfies the axioms.

– I.e., the operations are completely defined.

• Example:implies converts isEmptyimplies converts isEmpty, lookup

exempting i: Ind lookup(new, i)

36

Recording Assumptions

• Often traits are suitable for use only in certain contexts.

• Such contexts can be explicitly specified as assumptions.

• Assumptions impose a proof obligation on the client, and may be presumed within the trait containing them.– Whenever a trait with assumptions is included or

assumed, its assumptions must be discharged.

• Use the assumes clause.

37

Example

Bag (E): trait assumes TotalOrder(E) includes BasicBag(E), Integer introduces rangeCount: E, E, B Int asserts e1, e2, e3: E, b: B

rangeCount(e1, e2, {}) == 0;rangeCount(e1, e2, insert(e3, b)) ==

rangeCount(e1, e2, b) + (if e1 < e3 e3 < e2 then 1 else 0) implies e1, e2, e3: E, b: B

e1 e2 rangeCount(e3, e1, b) rangeCount(e3, e2, b)

IntegerBag: trait includes Integer, Bag (Int)

BasicBag (E): trait introduces

{}: Binsert: E, B B


*TotalOrder defines operators like < and .Q: How does IntegerBag discharge the assumption?

38

Built-in Operators and Overloading

• Built-in operators– Logical connectives– if__then__else__– = and – Decimal numbers such as 0, 25, 2013– …

• Operator overloading– User-defined operators– Disambiguating overloaded operators

a: S = b % subterm qualified by its sortimplies converts <: Str, Str Boolean % signature

39

Shorthand: Enumeration• Shorthand notations for enumeration, tuple, and union• Enumeration

– A finite ordered set of distinct constants– An operator to enumerate them

Temp enumeration of cold, warm, hot

introduces cold, warm, hot: Temp succ: Temp Tempasserts Temp generated by cold, warm, hot equations

cold warm;cold hot;warm hot;succ(cold) = warm;succ(warm) = hot

40

Shorthand: Tuple• Introduce fixed-length tuples, similar to records in many

programming languages.

C tuple of head: H, tail: T

introduces [__, __]: H, T C __.head: C H __.tail: C T __.setHead: C, H C __.setTail: C, T C

asserts C generated by [__, __] C partitioned by .head, .tail h, h1: H, t, t1: T

([h, t]).head = h;([h, t]).tail = t;setHead([h, t], h1) == [h1, t];setTail([h, t], t1) == [h, t1]

41

Shorthand: Union

• Tagged unions found in programming languages

U union of atom: A, cell: C

Utag enumeration of atom, cellintroduces atom: A U cell: C U __.atom: U A __.cell: U C tag: U Utag

asserts U generated by atom, cell U partitioned by .atom, .cell, tag a: A, c: C

atom(a).atom == a;cell(c).cell == c;tag(atom(a)) == atom;tag(cell(c)) == cell

42

ExerciseSpecify in LSL a software system that automates test taking by allowing an instructor to

prepare test questions and students to take tests. The system shall:

R1: Maintain a pool of potential test questions that are classified by topics, difficulty levels, and similarity (of questions). Each question is a multiple choice question consisting of a stem---that presents the problem to be solved or the question to be answered---and a set of options---that are possible answers. The system shall allow an instructor to add a new test question to the pool.

R2: Allow an instructor to create a test on specific topics by suggesting a set of questions from the pool that meets the instructor's request (e.g., number of questions and their distributions among different topics and difficulty levels).

R3: Allow students to take tests prepared by the instructor.

R4: Grade tests taken by students to calculate test scores.

R5: Allow both the instructor and the students view test scores. However, students are allowed to view only their test scores.

the larch shared language

Documents