VDM♣: Mathematical Structures for Formal Methods, Andrew Butterfield (PowerPoint presentation)



SLIDE 1

VDM♣: Mathematical Structures for Formal Methods

Andrew Butterfield 19th May 2000

Abstract This talk describes the philosophy and work of the “Irish School” of the Vienna Development Method (VDM♣). It starts by placing the Irish School in its historical context within the other schools of VDM. It proceeds to introduce the notation and methodology of VDM♣, by contrast with the VDM-SL standard. The notion of mathematical structure as a key organising principle is then explored, looking at monoids and their morphisms, and their application to modelling problems. The use of category theory as a meta-organising principle is also stressed, with a discussion of the importance of issues such as topoi, algebras and co-algebras. The talk will end in an exploration of the relationship between the “Irish School”, and other formal methods, such as VDM-SL, Z, CCS, CSP, as well as tools like Mathematica, PVS and Isabelle.

We present VDM♣, a history and an introduction. We explain how to specify and refine a simple dictionary system. We show the intimate connection to functional programming languages. We then talk about structure: monoids and their morphisms, with further examples. We introduce indexing and explore the concept, including bags, relations, indexing towers, as well as the auto- (or self-?) indexing structure. We explore the geometry aspects, touching on recursion diagrams and sheaves and fibre-bundles. We then explore the meta-theory of structure, namely category theory, and point to future work in this area, with particular emphasis on the interrelationships between algebraic and co-algebraic approaches. Finally, we comment on the Irish School’s rôle in advising on mathematical toolkits for existing model-theoretic methods such as VDM-SL or Z, rather than as a replacement. We also discuss the future application of VDM♣, and the issue of the use of tools.

SLIDE 2

VDM♣: Mathematical Structures for Formal Methods, Graz, Austria, 19th May 2000

VDM♣: Mathematical Structures for Formal Methods
Andrew Butterfield
Foundations and Methods Group, Trinity College, Dublin University
19th May 2000

Slide 1 © May 22, 2000 Andrew Butterfield

SLIDE 3

Outline of Talk

  • 1. Introduction
  • 2. History
  • 3. Some VDM♣ Models
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions


SLIDE 4

Personnel

Irish School of the VDM (VDM♣): Mícheál Mac an Airchinnigh, Andrew Butterfield, Alexis Donnelly, Arthur Hughes, Gerard O’Regan, Colman Reilly

Irish School of Constructive Mathematics (M♣C): Mícheál Mac an Airchinnigh, Arthur Hughes

Foundations and Methods Group (FMG):
  • Functional Programming: Hugh Gibbons, Andrew Butterfield, Klemens Hägele, Glenn Strong, Richard Hayes
  • Logic: Hugh Gibbons, Colin Little
  • Complexity Theory: Klemens Hägele
  • Process Algebras: Alexis Donnelly, Andrew Butterfield, Malcolm Tyrrell


SLIDE 5

Location

Foundations and Methods Group, Dept. of Computer Science, O’Reilly Institute, Trinity College, Dublin 2, Ireland.
URL: http://www.cs.tcd.ie/research_groups/fmg/


SLIDE 6

Progress of Talk: now at 2. History (the outline is as on Slide 3).


SLIDE 7

History of VDM
  • 1960s: IBM starts work on the PL/I programming language.
  • 1969: The Vienna Lab produces VDL as a semantics language for PL/I.
  • early 1970s: The Vienna Development Method (VDM) is developed.
  • 1975: The Vienna Lab VDM group is broken up, moving from Vienna to Denmark and Manchester.
  • 1980s: work continues on VDM and the metalanguage Meta-IV.
  • 1990s: BSI/ISO standards for VDM-SL appear.
See [Jon99] for further details.


SLIDE 8

The “Schools” of VDM
Key event: the “diaspora” of 1975, and the formation of working groups (“Schools”) in diverse locations:
  • “Danish School” (Dines Bjørner)
  • “Polish School” (Andrzej Blikle)
  • “English School” (Cliff B. Jones)
See [Mac90, p41] for further details.


SLIDE 9

The “Irish School” of VDM In 1978, Bjørner & Jones [BJ87, p33] state, regarding the metalanguage (Meta-IV):

“We do not offer an interpreter or compiler for this meta-language. And we have absolutely no intention of ever wasting our time trying to mechanize this meta-language. We wish, as we have done in the past, and as we intend to continue doing in the future, to further develop the notation and to express notions in ways for which no mechanical interpreter system can ever be provided.”

The response of Mícheál Mac an Airchinnigh [Mac90, p39] was to

“bind definitively the Meta-IV with classical algebraic structures and to exhibit the potential for the establishment of a body of theorems that might be usefully employed in formal specifications.”

However, in 1987, Peter Lucas [Luc87, p7] had flagged the emerging need for some standardization:

“The community using Meta-IV has always resisted standardization of the notation, and kept it open to extension. However in practice the notation is very stable, and the variations seem to be relatively small. The emergence of automated tools may make standardization more desirable.”


SLIDE 10

Progress of Talk: now at 3. Some VDM♣ Models (the outline is as on Slide 3).


SLIDE 11

Some examples
Model of a Spell-Checker Dictionary [Mac90, p48–55]. Purpose(s):
  • introduce the notation of VDM♣
  • display the associated mathematical style, to contrast with VDM-SL
  • show how the “Method” is retained and adapted.


SLIDE 12

A Spell-Checker Dictionary
Spell-Checking: checking a list of words for correct spelling. For every word in the list: does the word exist in a dictionary? If so, continue; if not, offer the user choices: ignore, correct, add to dictionary.
The model presented is of a dictionary (Dict) of words (Word) with operations:
  • Insert a new word into the dictionary (Ins)
  • Lookup a word in the dictionary (Lkp)
  • Remove a word from the dictionary (Rem)
  • Return the word count for the dictionary (Wct)
  • Translate the dictionary (Trl)


SLIDE 13

The First Dictionary Model
We start by introducing appropriate domain (or type) equations:

  w ∈ Word
  δ ∈ Dict = 𝒫Word
  δ₀ : Dict
  δ₀ ≜ ∅

Notes:
  • Domains introduced without definition (Word) are taken as “given”.
  • Variables denoting typical members of a domain (w and δ) are introduced in domain declarations.
  • We use the functor notation 𝒫A to denote “set of A” instead of VDM-SL’s A-set.
  • We define an initial state (δ₀) of the dictionary.
  • In general, a ∈ A declares a as an arbitrary element of A, while a : A declares a as a specific element of A.
  • We speak Greek!


SLIDE 14

Invariants in VDM♣
The Dictionary example is really too simple for an invariant. For illustration purposes we could adopt the following:

  isNonUS : Word → 𝔹
  inv-Dict δ ≜ ∀[isNonUS]δ

Notes:
  • We assume that isNonUS is a given function (designed to keep out American spellings!).
  • We avoid quantifiers: ∀ is a combinator of signature (A → 𝔹) → 𝒫A → 𝔹.
  • We frequently emphasise curried application by using [ ] to bracket curried arguments, i.e. f[a]b instead of f a b.
  • We get a proof obligation regarding the initial state: inv-Dict δ₀ = True


SLIDE 15

The Insert Operation
We now define the Dictionary Insert Operation:

  Ins : Word → Dict → Dict
  pre-Ins[w]δ ≜ isNonUS(w) ∧ w ∉ δ
  Ins[w]δ ≜ δ ⊔ {w}

Notes:
  • We make extensive use of higher-order functions, using the syntactical device of currying.
  • By convention, an operator with inputs I, outputs O, and transforming a state Σ, has the curried signature I → Σ → (Σ × O) rather than the uncurried (I × Σ) → (Σ × O). This style corresponds to explicit function definitions in VDM-SL.
  • We use preconditions as per VDM-SL, but make much less use of postconditions. A possible postcondition for the above might be:

      post-Ins[w]δ Δ ≜ δ ⊆ Δ ∧ w ∈ Δ

    Observe the explicit naming of the resulting state (Δ).
  • We use the set extend operator ⊔ to denote that the added word is not already present.


SLIDE 16

Proof Obligation for Insertion
As in VDM-SL, we have proof obligations associated with operator definitions. The obligation for Ins is formulated as follows:

  inv-Dict δ ∧ pre-Ins[w]δ ⟹ inv-Dict(Ins[w]δ)

Notes:
  • Absence of quantifiers.
  • Use of an explicit function outcome rather than a postcondition. This eliminates the need for satisfiability proofs; equivalently, the explicit construction provides them automatically.


SLIDE 17

Proof of Insertion Obligation
Prove: inv-Dict δ ∧ pre-Ins[w]δ ⟹ inv-Dict(Ins[w]δ)

Proof:
    inv-Dict δ ∧ pre-Ins[w]δ
  = “Defn. of inv-Dict”
    ∀[isNonUS]δ ∧ pre-Ins[w]δ
  = “Defn. of pre-Ins”
    ∀[isNonUS]δ ∧ isNonUS[w] ∧ w ∉ δ
  ⟹ “prop. calculus”
    ∀[isNonUS]δ ∧ isNonUS[w]
  = “Defn. of ∀”
    ∀[isNonUS](δ ⊔ {w})
  = “Defn. of Ins”
    ∀[isNonUS](Ins[w]δ)
  = “Defn. of inv-Dict”
    inv-Dict(Ins[w]δ)

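The model of Slides 12 to 16 as executable Python, an added example that is not code from the talk or from the Irish School. Dict is a frozenset, ⊔ is a union that refuses overlapping operands, and the ∀ combinator is `all`. The predicate `is_non_us`, the word universe and the function names are assumptions made here for illustration; the talk only says that isNonUS is given. Instead of proving the insertion obligation by hand, the block searches for counterexamples over every δ ⊆ universe and every w, and repeats the search with the isNonUS conjunct dropped from the precondition to show that the obligation then fails.

```python
"""Executable rendering of the first VDM♣ dictionary model (Slides 12-16).

Added example, not part of the original talk. A Dict is a frozenset of words,
is_non_us is an assumed stand-in for the talk's "given" predicate isNonUS, and
the proof obligation for Ins is checked exhaustively over a small constructed
universe of words rather than proved by hand.
"""
from itertools import combinations

Word = str
Dict = frozenset  # δ ∈ Dict = 𝒫Word

# Assumed stand-in for the given function isNonUS : Word → 𝔹. Purely
# illustrative: it rejects a handful of listed American spellings.
US_SPELLINGS = frozenset({"color", "center", "analyze"})


def is_non_us(w: Word) -> bool:
    return w not in US_SPELLINGS


def forall(rho, s: Dict) -> bool:
    """The ∀ combinator, (A → 𝔹) → 𝒫A → 𝔹: ∧/ ∘ 𝒫ρ, so ∀[ρ]∅ = True."""
    return all(rho(x) for x in s)


def set_extend(s: Dict, t: Dict) -> Dict:
    """Set extension ⊔: union, defined only when the operands are disjoint."""
    if s & t:
        raise ValueError(f"⊔ undefined: operands share {sorted(s & t)}")
    return s | t


DELTA0: Dict = Dict()  # δ₀ ≜ ∅


def inv_dict(delta: Dict) -> bool:
    """inv-Dict δ ≜ ∀[isNonUS]δ"""
    return forall(is_non_us, delta)


def pre_ins(w: Word, delta: Dict) -> bool:
    """pre-Ins[w]δ ≜ isNonUS(w) ∧ w ∉ δ"""
    return is_non_us(w) and w not in delta


def ins(w: Word, delta: Dict) -> Dict:
    """Ins[w]δ ≜ δ ⊔ {w}"""
    return set_extend(delta, Dict({w}))


def powerset(universe):
    xs = sorted(universe)
    return (Dict(c) for r in range(len(xs) + 1) for c in combinations(xs, r))


def ins_obligation_counterexamples(universe, pre=pre_ins):
    """Search for (w, δ) violating
         inv-Dict δ ∧ pre[w]δ ⟹ inv-Dict(Ins[w]δ)
    over every δ ⊆ universe and every w ∈ universe. An empty list means the
    obligation holds on this finite universe (evidence, not a proof)."""
    bad = []
    for delta in powerset(universe):
        for w in universe:
            if inv_dict(delta) and pre(w, delta) and not inv_dict(ins(w, delta)):
                bad.append((w, delta))
    return bad


def pre_ins_weak(w: Word, delta: Dict) -> bool:
    """A weakened precondition that forgets the isNonUS conjunct; the
    obligation then fails, which is what the search should report."""
    return w not in delta


UNIVERSE = frozenset({"colour", "centre", "color", "center"})  # constructed sample

if __name__ == "__main__":
    print("initial-state obligation:", inv_dict(DELTA0))
    print("counterexamples (pre-Ins):", ins_obligation_counterexamples(UNIVERSE))
    print("counterexamples (weak pre):", ins_obligation_counterexamples(UNIVERSE, pre_ins_weak))
```

The search is a finite-model check, not a proof: it can only refute the obligation, and it does so here exactly when the precondition no longer screens the inserted word.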

SLIDE 18

The Lookup Operation
The Dictionary Lookup Operation is a predicate:

  Lkp : Word → Dict → 𝔹
  Lkp[w]δ ≜ χ[w]δ

Notes:
  • We often express set membership using the characteristic function χ : A → 𝒫A → 𝔹. This is a choice we motivate later on, when discussing structure.
  • In essence, this definition states that dictionary lookup is the characteristic (membership) function.


SLIDE 19

The Word Removal Operation
Word Removal is an operation changing a dictionary:

  Rem : Word → Dict → Dict
  Rem[w]δ ≜ ⊳−[w]δ

Notes:
  • We do not use “classical” set removal (δ \ {w}), instead preferring a curried form: ⊳− : 𝒫S → 𝒫S → 𝒫S where ⊳−[A]B ≜ B \ A.
  • Yes, the ⊳− notation comes from Z!
  • We abuse notation frequently, in this case dropping “redundant” brackets, i.e. using ⊳−[w]δ instead of ⊳−[{w}]δ.
  • The Rem operation isn’t quite the same as ⊳−, as there is an implicit injection of w into {w}.


SLIDE 20

The Word Count Function
The Word Count function simply observes the size of the dictionary:

  Wct : Dict → ℕ
  Wct ∅ ≜ 0
  Wct(δ ⊔ {w}) ≜ Wct δ + 1

Notes:
  • We present a recursive definition over sets! This is only well-defined if certain side conditions hold, as is the case here.
  • We employ pattern matching on set structure: the pattern δ ⊔ {w} matches a set Δ if and only if it contains w, with δ being bound to Δ \ {w}.
  • We could have defined Wct much more simply using set cardinality directly.


SLIDE 21

Recursion over Sets
Simple recursion over sets can be captured by the following schema:

  b : B
  g : (A × B) → B
  f : 𝒫A → B
  f(∅) ≜ b
  f(S ⊔ {a}) ≜ g(a, f(S))

This gives rise to the following proof obligation. Show, for all a₁, a₂ ∈ A and all b ∈ B, that:

  g(a₁, g(a₂, b)) = g(a₂, g(a₁, b))

Without it the right-hand side could depend on which element the pattern S ⊔ {a} happens to split off, so f would not be a function of the set. In general in VDM♣, universal quantification is implicit over free variables of an equation (a₁, a₂, b above).


SLIDE 22

On the use of set extension (⊔) in VDM♣
Set Extension is Set Union restricted to cases where the two sets are disjoint. Depending on context, the expression S ⊔ T is interpreted as follows:
  • In a definition right-hand side (rhs), or general expression, it captures the notion that the sets S and T are disjoint. This allows us to write

      Wct(δ₁ ⊔ δ₂) = Wct δ₁ + Wct δ₂

    instead of

      Wct(δ₁ ∪ δ₂) = Wct δ₁ + Wct δ₂ − Wct(δ₁ ∩ δ₂)

    The first expression above could be used to define Wct!
  • In a definition left-hand side (lhs), or pattern, it requires that whatever (non-empty) input matches the pattern can be broken into disjoint pieces, both smaller than the input.

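An added example (not from the talk) of the recursion-over-sets schema on Slides 19 to 21 and of its side condition. `set_fold` implements f(∅) ≜ b, f(S ⊔ {a}) ≜ g(a, f(S)) by folding g in an arbitrary enumeration order; `commutation_obligation_holds` checks the talk’s obligation g(a₁, g(a₂, b)) = g(a₂, g(a₁, b)) on a small constructed domain; and `results_over_all_orders` shows what goes wrong when it is violated, namely that the “function” takes different values depending on how the set happens to be enumerated. Wct and Rem from the talk are instantiated as well. The domain, the sample values and the two candidate g functions are constructed here, not taken from the slides.

```python
"""Recursion over sets (Slides 19-21) and its well-definedness side condition.

Added example, not code from the talk. The schema
    f(∅) ≜ b ;  f(S ⊔ {a}) ≜ g(a, f(S))
is implemented by folding g over the set in whatever order it is enumerated,
so the result is only meaningful if the talk's proof obligation
    g(a1, g(a2, b)) = g(a2, g(a1, b))
holds. The checker below tests that obligation on a small constructed domain
and exhibits an order-dependent result when it fails.
"""
from itertools import permutations


def set_fold(b, g, s: frozenset, order=None):
    """f(S) for the schema above. `order` (a permutation of S) exists only to
    show what happens when g violates the obligation; callers that respect
    the schema leave it as None and get the set's natural enumeration."""
    acc = b
    for a in (order if order is not None else s):
        acc = g(a, acc)
    return acc


def commutation_obligation_holds(g, domain, values) -> bool:
    """∀ a1, a2 ∈ domain, b ∈ values : g(a1, g(a2, b)) = g(a2, g(a1, b))"""
    return all(g(a1, g(a2, b)) == g(a2, g(a1, b))
               for a1 in domain for a2 in domain for b in values)


def results_over_all_orders(b, g, s: frozenset) -> set:
    """Every value the fold can produce as the enumeration order of S varies.
    A single value means the definition is order-independent on S."""
    return {set_fold(b, g, s, order) for order in permutations(sorted(s))}


# Wct from the talk as an instance of the schema:
#   Wct ∅ ≜ 0 ; Wct(δ ⊔ {w}) ≜ Wct δ + 1
def wct(delta: frozenset) -> int:
    return set_fold(0, lambda _w, n: n + 1, delta)


# Curried set removal ⊳−[A]B ≜ B \ A, and Rem[w]δ ≜ ⊳−[{w}]δ.
def remove(a: frozenset, b: frozenset) -> frozenset:
    return b - a


def rem(w, delta: frozenset) -> frozenset:
    return remove(frozenset({w}), delta)


# Two constructed element actions over the integers: one satisfies the
# obligation, the other does not.
def g_count(_a, n):
    """g(a, n) = n + 1: the action behind Wct."""
    return n + 1


def g_subtract(a, n):
    """g(a, n) = a - n: g(a1, g(a2, b)) = a1 - a2 + b ≠ a2 - a1 + b for a1 ≠ a2."""
    return a - n


DOMAIN = frozenset({1, 2, 3})   # constructed
SAMPLE_VALUES = range(-3, 4)    # constructed

if __name__ == "__main__":
    print("g_count obligation:", commutation_obligation_holds(g_count, DOMAIN, SAMPLE_VALUES))
    print("g_subtract obligation:", commutation_obligation_holds(g_subtract, DOMAIN, SAMPLE_VALUES))
    print("fold with g_subtract, all orders:", results_over_all_orders(0, g_subtract, DOMAIN))
    print("Wct", sorted(DOMAIN), "=", wct(DOMAIN))
```

The obligation is what licenses writing a set-recursive definition at all; a fold that silently picks an enumeration order, as most languages do, hides the problem instead of reporting it.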

SLIDE 23

The Translate Operation
The Dictionary Translate Operation maps a Word Translation function (τ) to every word in the dictionary:

  Trl : (Word → Word) → Dict → Dict
  Trl[τ]δ ≜ (𝒫τ)δ

Notes:
  • If f : A → B, then 𝒫 is a functor, such that 𝒫f : 𝒫A → 𝒫B applies f to every element of its argument set. 𝒫f is the same as the “map f” concept in functional languages.
  • Another functor called reduce (/) applies a binary operator to a set to reduce it to a single value: ⊕/ is the same as “fold ⊕” in a functional language.


SLIDE 24

Summary of Set Operators
We have seen the following set operators:
  • 𝒫A: Set of A, in type expressions
  • 𝒫f: Set Map functor, in non-type expressions
  • ∅: Empty Set
  • ⊔: Set Extension, defined only for disjoint sets
  • χ: Set Membership, defined as a (characteristic) function
  • ⊳−: Set Removal, defined as a curried operator
  • ⊕/: Set Reduction or Fold, using ⊕
  • ∀: Maps a Predicate over a Set, reducing with And; ∀[ρ] = ∧/ ∘ 𝒫ρ

Why the preference for curried forms in certain cases?


SLIDE 25

The Currying of Set Restriction
Consider Set Restriction, VDM♣-style:

  ⊳ : 𝒫A → 𝒫A → 𝒫A
  ⊳[S]T ≜ the elements of T restricted to those contained in S

But ⊳[S]T = ⊳[T]S = S ∩ T!! I.e. Set Restriction is a curried form of Set Intersection. Why not use S ∩ T or S ⊳ T (i.e. infix notation)? Why use notation similar to that used by Z for relations and maps? We shall address this later . . .


SLIDE 26

Refining our Dictionary
We now illustrate the process of refinement in VDM♣. Let us implement the dictionary as a sequence of words (DSeq):

  σ ∈ DSeq = Word⋆
  inv-DSeq σ ≜ ∀[isNonUS]σ
  σ₀ : DSeq
  σ₀ ≜ Λ

Notes:
  • The functor notation A⋆ denotes sequences of A, normally indicated in VDM-SL by A-seq.
  • More overloading: ∀ is also the obvious combinator with signature (A → 𝔹) → A⋆ → 𝔹.
  • We use Λ to denote empty sequences, with occasional use of the notation.
  • We easily satisfy the proof obligation: inv-DSeq σ₀ = True


SLIDE 27

Retrieving Dicts from DSeqs
We get from our sequence implementation to our set specification with the obvious retrieval function:

  retr-Dict : DSeq → Dict
  retr-Dict σ ≜ elems σ

Notes:
  • The retrieval function is simply the elems operator, returning the set of all elements in a sequence.
  • The immediate proof obligation regarding the initial states is retr-Dict Λ = ∅, which is trivially true.
  • The retrieve function is generally many-to-one and surjective.


SLIDE 28

Insertion into DSeqs
We define insertion (Ins1) as simple sequence “consing”:

  Ins1 : Word → DSeq → DSeq
  pre-Ins1[w]σ ≜ isNonUS w ∧ w ∉ elems σ
  Ins1[w]σ ≜ w : σ

Notes:
  • We denote the cons operator by a colon (:), as per modern functional languages. An alternative, more verbose, notation is w ⌢ σ, where ⌢ is the sequence concatenator.
  • We obtain the following proof obligation:

      inv-DSeq σ ∧ pre-Ins1[w]σ ⟹ inv-DSeq(Ins1[w]σ)

    The proof of this is straightforward (as for Ins previously).


SLIDE 29

Proving Refinement
To show that Ins1 refines Ins, we must show:

  pre-Ins1[w]σ ⟹ retr-Dict(Ins1[w]σ) = Ins[w](retr-Dict σ)

Proof Sketch: unfolding all definitions,

  isNonUS w ∧ w ∉ elems σ ⟹ elems(w : σ) = (elems σ) ⊔ {w}

Using the fact that x ∉ S ⟹ S ⊔ {x} = S ∪ {x}, and discarding part of the antecedent:

  w ∉ elems σ ⟹ elems(w : σ) = (elems σ) ∪ {w}

The consequent is true because it matches the normal recursive step in the (traditional) definition of elems.


SLIDE 30

(most of) The Remaining DSeq Operators
Sequence Lookup, Removal and Count:

  Lkp1 : Word → DSeq → 𝔹
  Lkp1[w]Λ ≜ False
  Lkp1[w](w′ : σ) ≜ w = w′ → True , Lkp1[w]σ

  Rem1 : Word → DSeq → DSeq
  Rem1[w]Λ ≜ Λ
  Rem1[w](w′ : σ) ≜ w = w′ → σ , w′ : (Rem1[w]σ)

  Wct1 : DSeq → ℕ
  Wct1 σ ≜ len σ

Notes:
  • We prefer the use of the McCarthy conditional (c → x , y).
  • The function len is the length function on sequences.
  • The proof that Wct1 refines Wct depends crucially on the precondition of Ins1! Only because pre-Ins1 forbids inserting a word already present do the reachable sequences have no duplicates, which is what makes len σ equal to the cardinality of elems σ.

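The DSeq refinement of Slides 25 to 30 as an added Python example, not the talk’s own code. Sequences are tuples, cons is `(w,) + σ`, and `retr_dict` is elems. `ins1_refinement_counterexamples` searches for violations of pre-Ins1[w]σ ⟹ retr-Dict(Ins1[w]σ) = Ins[w](retr-Dict σ) over all short sequences; `wct1_refinement_counterexamples` checks Wct1 σ = Wct(retr-Dict σ), first on the states reachable from Λ through Ins1 under its precondition (where it holds), then on arbitrary sequences, where duplicates break it. That is the dependence on pre-Ins1 the slide points out. The predicate `is_non_us`, the word universe and the function names are assumptions constructed here.

```python
"""The DSeq refinement of Dict (Slides 25-30), with its obligations checked on
small inputs.

Added example, not from the talk. Sequences are Python tuples, consing is
(w,) + σ, and retr-Dict is elems. Besides the Ins1-refines-Ins obligation the
checker shows why Wct1 (len) only refines Wct (cardinality) on states built
through Ins1: pre-Ins1 forbids duplicates, and a sequence that bypasses the
precondition breaks the refinement.
"""
from itertools import product

# Assumed stand-in for the talk's given predicate isNonUS.
US_SPELLINGS = frozenset({"color", "center"})


def is_non_us(w: str) -> bool:
    return w not in US_SPELLINGS


# --- abstract model: sets ---
def ins(w, delta: frozenset) -> frozenset:
    """Ins[w]δ ≜ δ ⊔ {w}; ⊔ is undefined if w is already present."""
    assert w not in delta, "⊔ undefined: word already present"
    return delta | {w}


def wct(delta: frozenset) -> int:
    """Wct via set cardinality."""
    return len(delta)


# --- concrete model: sequences ---
def elems(sigma: tuple) -> frozenset:
    return frozenset(sigma)


def retr_dict(sigma: tuple) -> frozenset:
    """retr-Dict σ ≜ elems σ"""
    return elems(sigma)


def inv_dseq(sigma: tuple) -> bool:
    """inv-DSeq σ ≜ ∀[isNonUS]σ"""
    return all(is_non_us(w) for w in sigma)


def pre_ins1(w, sigma: tuple) -> bool:
    """pre-Ins1[w]σ ≜ isNonUS w ∧ w ∉ elems σ"""
    return is_non_us(w) and w not in elems(sigma)


def ins1(w, sigma: tuple) -> tuple:
    """Ins1[w]σ ≜ w : σ"""
    return (w,) + sigma


def lkp1(w, sigma: tuple) -> bool:
    """Lkp1[w]Λ ≜ False ; Lkp1[w](w′ : σ) ≜ w = w′ → True , Lkp1[w]σ"""
    if not sigma:
        return False
    head, rest = sigma[0], sigma[1:]
    return True if w == head else lkp1(w, rest)


def rem1(w, sigma: tuple) -> tuple:
    """Rem1[w]Λ ≜ Λ ; Rem1[w](w′ : σ) ≜ w = w′ → σ , w′ : (Rem1[w]σ)"""
    if not sigma:
        return ()
    head, rest = sigma[0], sigma[1:]
    return rest if w == head else (head,) + rem1(w, rest)


def wct1(sigma: tuple) -> int:
    """Wct1 σ ≜ len σ"""
    return len(sigma)


def all_sequences(universe, max_len):
    """Every tuple over `universe` up to max_len, duplicates included."""
    words = sorted(universe)
    for n in range(max_len + 1):
        yield from product(words, repeat=n)


def ins1_refinement_counterexamples(universe, max_len=3):
    """Violations of pre-Ins1[w]σ ⟹ retr-Dict(Ins1[w]σ) = Ins[w](retr-Dict σ)."""
    return [(w, s) for s in all_sequences(universe, max_len) for w in universe
            if pre_ins1(w, s) and retr_dict(ins1(w, s)) != ins(w, retr_dict(s))]


def reachable_states(universe, depth):
    """DSeq states obtainable from Λ by repeated Ins1 under pre-Ins1."""
    frontier, seen = {()}, {()}
    for _ in range(depth):
        frontier = {ins1(w, s) for s in frontier for w in universe if pre_ins1(w, s)}
        seen |= frontier
    return seen


def wct1_refinement_counterexamples(states):
    """States σ where Wct1 σ ≠ Wct(retr-Dict σ)."""
    return [s for s in states if wct1(s) != wct(retr_dict(s))]


UNIVERSE = frozenset({"colour", "centre", "color"})  # constructed sample

if __name__ == "__main__":
    print("Ins1 refines Ins, counterexamples:", ins1_refinement_counterexamples(UNIVERSE))
    print("Wct1 on reachable states:", wct1_refinement_counterexamples(reachable_states(UNIVERSE, 3)))
    print("Wct1 on arbitrary sequences:", wct1_refinement_counterexamples(set(all_sequences(UNIVERSE, 2))))
```

The refinement proof for Wct1 is really a proof about the reachable concrete states; the third check shows that a concrete state built outside the operations (here, by constructing a tuple with a repeated word) is exactly where the retrieve-based argument stops applying.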

SLIDE 31

The refined Translate Operation
The Dictionary Translate Operation maps a Word Translation function (τ) to every word in the dictionary:

  Trl1 : (Word → Word) → DSeq → DSeq
  Trl1[τ]σ ≜ (τ⋆)σ

Notes:
  • If f : A → B, then ⋆ is a functor, such that f⋆ : A⋆ → B⋆ applies f to every element of its argument sequence. f⋆ is the same as the “map f” concept in functional languages.
  • Another functor called reduce (/) applies a binary operator to a sequence to reduce it to a single value: ⊕/ is the same as “fold ⊕” in a functional language.


SLIDE 32

Summary of Sequence Operators
  • A⋆: Sequence of A, in type expressions
  • f⋆: Sequence Map with f, in non-type expressions
  • Λ: Empty Sequence
  • : (colon): Sequence Cons operator
  • ⌢: Sequence Concatenation
  • ⊕/: Sequence Reduce or Fold, using ⊕
  • elems: Returns the Set of Sequence elements; elems = ∪/ ∘ I⋆, where I is the Identity function (I x = x)
  • len: Sequence Length; len = +/ ∘ (K 1)⋆, where K k is the Constant function combinator (K k x = k)
  • ∀: Maps a Predicate over a Sequence, reducing with And; ∀[ρ] = ∧/ ∘ ρ⋆

Observe the preference for curried forms in certain cases, once more.


SLIDE 33

I’ve some questions!
  • Why use your own notation? Why not use VDM-SL, or Z? The problem with using established notations is that they come with associated assumptions about semantics and methodology.
  • Where is the logic? Using a logic requires a lot of machinery, and a commitment to a particular world-view.
In neither case, notation nor logic, did we feel like making the appropriate commitments. However, see later . . .


SLIDE 34

Progress of Talk: now at 4. Structures and Morphisms (the outline is as on Slide 3).


SLIDE 35

The Rôle of Structure
A key feature of VDM♣ is the use of mathematical structure. Structure is used as an organising principle:
  • organising collections of laws
  • organising proofs
  • organising models of systems
Emphasis isn’t just on producing structures. Great importance is also given to:
  • classifying structures by key properties
  • constructing new structures from existing ones.


SLIDE 36

Structural Forms
In general, structures consist of:
  • one or more carrier sets (A, B, C, . . . )
  • one or more values from, or functions over, the carrier sets (a : A, f : B → C, ⊕ : A × A → A)
  • some associated properties relating its parts.
Frequently, we have a distinguished carrier set (A), with the others, if present, relegated to a subsidiary rôle.
With a distinguished carrier set, we can classify some structures as:
  • Algebras, if all functions are of the form FA → A
  • co-Algebras, if all functions are of the form A → FA
Here FA is any functor (type expression) in A. In VDM♣ to date, the bulk of the work has been using Algebras.


SLIDE 37

Our first Algebra
We start by introducing the concept of a Semigroup:
  • A single distinguished carrier set: S
  • A single binary operator: ⊕ : S × S → S
  • Two properties:
      ⊕ is closed in S, i.e. a total function on S × S.
      ⊕ is associative, i.e. a₁ ⊕ (a₂ ⊕ a₃) = (a₁ ⊕ a₂) ⊕ a₃
We write a semigroup in shorthand as (S, ⊕). If ⊕ is also commutative (a₁ ⊕ a₂ = a₂ ⊕ a₁), then the structure is an Abelian Semigroup (S, ⊕)ab.


SLIDE 38

Example Semigroups
Some proper Semigroups:
  • (ℕ₁, +)ab : Natural Numbers less Zero, under addition (Abelian).
  • (A⁺, ⌢) : Non-empty Sequences, under concatenation.
  • (𝒫′A, ∪) : Non-empty Sets, under set union.
By “proper” is meant that these have no extra structure.
Some improper Semigroups:
  • (ℕ, +)ab : Natural Numbers, under addition (Abelian).
  • (A⋆, ⌢) : All Sequences, under concatenation.
  • (𝒫A, ∪)ab : All Sets, under set union (Abelian).
  • (𝒫A, ∩)ab : All Sets, under set intersection (Abelian).
By “improper” is meant that these have extra structure, as will be explained shortly.


SLIDE 39

Moving on up . . .
  • Semigroups have associated structure preserving maps (Semigroup Homomorphisms).
  • However, Semigroups are a very weak structure.
  • We shall immediately move on to the next step on the structure “ladder”. This brings us to a key structure level: that of Monoids.
  • We shall investigate morphisms at this level.


SLIDE 40

Monoids
We now introduce some extra structure, giving a Monoid:
  • A single distinguished carrier set: M
  • A single binary operator: ⊕ : M × M → M
  • A distinguished (unit/identity) element: u : M
  • Two properties:
      (M, ⊕) is a Semigroup.
      u is an identity for ⊕, i.e. u ⊕ a = a = a ⊕ u
We write a monoid in shorthand as (M, ⊕, u). If ⊕ is also commutative then the structure is an Abelian Monoid (M, ⊕, u)ab.


SLIDE 41

Example Monoids
Some proper Monoids:
  • (ℕ, +, 0)ab : Natural Numbers, Addition, Zero (Abelian).
  • (A⋆, ⌢, Λ) : Sequences, Concatenation, Empty-Sequence.
  • (𝒫A, ∩, A)ab : Sets, Intersection, Universe (Abelian).
  • (𝒫A, ∪, ∅)ab : Sets, Union, Empty-Set (Abelian).
Some improper Monoids:
  • (ℤ, +, 0)ab : Integers, Addition, Zero (Abelian).
  • (ℚ₀, ×, 1)ab : Rational Numbers less Zero, Multiplication, One (Abelian).
  • (𝒫A, ∩, A)ab : Sets, Intersection, Universe (Abelian).
  • (𝒫A, ∪, ∅)ab : Sets, Union, Empty-Set (Abelian).
(𝒫A, ∪, ∅) and (𝒫A, ∩, A) are improper because they form Boolean Lattices, structures we won’t discuss here.


SLIDE 42

Structure Preserving Maps
Also known as Morphisms. Given two monoids (S, ⊕, u) and (T, ⊗, v), a function h : S → T is structure preserving iff, for any expression built using ⊕, u and elements of S, we get the same result by either:
  (i) evaluating the expression in S, and applying h to the result, or
  (ii) applying h to each element of S, and evaluating with each ⊕ replaced by ⊗ and u replaced by v.
I.e., for all s₁, s₂ ∈ S, we have

  h(u) = v   and   h(s₁ ⊕ s₂) = h(s₁) ⊗ h(s₂).

In this case we say that h is a Monoid Homomorphism from (S, ⊕, u) to (T, ⊗, v), i.e. h : (S, ⊕, u) → (T, ⊗, v). If h : S → S, then it is called a Monoid Endomorphism.


SLIDE 43

Example Monoid Homomorphisms
  • len : (A⋆, ⌢, Λ) → (ℕ, +, 0): Sequence Length, from Sequences to Natural Numbers.
  • elems : (A⋆, ⌢, Λ) → (𝒫A, ∪, ∅): Sequence Elements, from Sequences to Sets.
  • log : (ℝ⁺₀, ×, 1) → (ℝ, +, 0): Logarithm, from Positive Reals less Zero under Multiplication to Reals under Addition.
  • ¬ : (𝔹, ∧, True) → (𝔹, ∨, False): Logical Negation, from Booleans under And to those under Or (and v.v.).
  • For a ∈ A: χ[a] : (𝒫A, ∪, ∅) → (𝔹, ∨, False) and χ[a] : (𝒫A, ∩, A) → (𝔹, ∧, True): Characteristic Function, from Sets to Booleans.
One function can be homomorphic many ways!


SLIDE 44

Quantifiers as Homomorphisms
The VDM♣ versions of the quantifiers are homomorphisms. For ρ ∈ A → 𝔹:

  ∀[ρ] ≜ ∧/ ∘ 𝒫ρ      ∀[ρ] : (𝒫A, ∪, ∅) → (𝔹, ∧, True)
  ∃[ρ] ≜ ∨/ ∘ 𝒫ρ      ∃[ρ] : (𝒫A, ∪, ∅) → (𝔹, ∨, False)

However, for the above to work, the following identities must hold:

  ∧/∅ = True   and   ∨/∅ = False.

To achieve this, we need to define reduction w.r.t. a monoid and operator, rather than w.r.t. a set and operator.

  Wrong approach:    / : (A × A → A) → 𝒫A → A,     ⊕/S ≜ . . .
  Correct approach:  ⊕/ : (M, ⊕, u) → 𝒫M → M,      ⊕/S ≜ . . .


SLIDE 45

Important Monoid Endomorphisms
Assume a given S where S ⊆ A:
  • ⊳−[S] : (𝒫A, ∪, ∅) → (𝒫A, ∪, ∅): Removal w.r.t. S, on Sets under Union
  • ⊳−[S] : (𝒫A, ∩, A) → (𝒫A, ∩, A): Removal w.r.t. S, on Sets under Intersection
  • ⊳[S] : (𝒫A, ∪, ∅) → (𝒫A, ∪, ∅): Restriction w.r.t. S, on Sets under Union
  • ⊳[S] : (𝒫A, ∩, A) → (𝒫A, ∩, A): Restriction w.r.t. S, on Sets under Intersection
Now we see the motivation for the special remove/restrict notation! The curried forms of set difference and intersection (remove and restrict resp.), parameterised by a given set, are endomorphisms of sets under both union and intersection operations. (Strictly, under intersection only the operation law holds: ⊳−[S]A = A \ S and ⊳[S]A = S, so the unit A is fixed only when S = ∅, and the intersection cases are endomorphisms of the semigroup (𝒫A, ∩). Under union both the unit law and the operation law hold.)


SLIDE 46

Why are Monoids and their Morphisms useful?
  • They permit compact description of laws
  • They permit compact function definitions
  • They permit compact/re-usable proof steps


SLIDE 47

Compact Description of Laws
The following equation:

  len : (A⋆, ⌢, Λ) → (ℕ, +, 0)ab

captures the following eleven laws:

  ⌢ is total
  σ₁ ⌢ (σ₂ ⌢ σ₃) = (σ₁ ⌢ σ₂) ⌢ σ₃
  Λ ⌢ σ = σ
  σ ⌢ Λ = σ
  + is total
  n₁ + (n₂ + n₃) = (n₁ + n₂) + n₃
  0 + n = n
  n + 0 = n
  n₁ + n₂ = n₂ + n₁
  len Λ = 0
  len(σ₁ ⌢ σ₂) = len σ₁ + len σ₂

However, we haven’t done quite enough here to fully define len.


SLIDE 48

Compact Function Definitions
A typical definition of the function len : A⋆ → ℕ might be:

  len Λ ≜ 0
  len(a : σ) ≜ 1 + len σ

We could then use this definition to prove it is a homomorphism. Or we can view it as captured by the following laws:

  len Λ = 0
  len a = 1
  len(σ₁ ⌢ σ₂) = len σ₁ + len σ₂

The first and third laws state the homomorphism property. The second law is the missing ingredient: it defines the action of len on a single “element” of a list, a singleton. Any homomorphism out of a structure generated by its singletons (A⋆ under ⌢, or 𝒫A under ∪) is uniquely defined by identifying the relevant structures, and such an “element action” rule.


SLIDE 49

Example Homomorphism Definitions
The Sequence Length Homomorphism:

  len : (A⋆, ⌢, Λ) → (ℕ, +, 0)
  len a ≜ 1

The Sequence Elements Homomorphism:

  elems : (A⋆, ⌢, Λ) → (𝒫A, ∪, ∅)
  elems a ≜ {a}

The Logarithm (base n) Homomorphism:

  logₙ : (ℝ⁺₀, ×, 1) → (ℝ, +, 0)
  logₙ(n) ≜ 1

Note that we have a family of homomorphisms, indexed by n.

The Characteristic Function Homomorphism (a ∈ A):

  χ[a] : (𝒫A, ∪, ∅) → (𝔹, ∨, False)
  χ[a] : (𝒫A, ∩, A) → (𝔹, ∧, True)
  χ[a]{a′} ≜ a = a′


SLIDE 50

Example Endomorphism Definitions
Given S ⊆ A:

Set Removal Endomorphisms:

  ⊳−[S] : (𝒫A, ∪, ∅) → (𝒫A, ∪, ∅)
  ⊳−[S] : (𝒫A, ∩, A) → (𝒫A, ∩, A)
  ⊳−[S]{a} ≜ a ∈ S → ∅ , {a}

Set Restriction Endomorphisms:

  ⊳[S] : (𝒫A, ∪, ∅) → (𝒫A, ∪, ∅)
  ⊳[S] : (𝒫A, ∩, A) → (𝒫A, ∩, A)
  ⊳[S]{a} ≜ a ∈ S → {a} , ∅

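The structures of Slides 39 to 50 as an added Python example, not code from the talk. Carriers are finite and constructed here (A = {a, b, c}, the sequences over A of length below 3, the naturals below 5), so the two homomorphism laws h(u) = v and h(s₁ ⊕ s₂) = h(s₁) ⊗ h(s₂) can be checked exhaustively rather than proved; `hom_laws` reports the two laws separately so that a map which preserves the operation but not the unit is visible, which is what happens to ⊳−[S] and ⊳[S] under (𝒫A, ∩, A). `reduce_wrt` is reduction w.r.t. a monoid as on Slide 43, so that ∀[ρ]∅ = True and ∃[ρ]∅ = False fall out of the unit, and `hom_from_element_action` builds len and elems from their element actions as on Slides 47 and 48. All names, and the sequence and natural-number “windows” (finite slices used for checking only, not monoids themselves), are assumptions of this example.

```python
"""Monoids, their homomorphisms, and reduction w.r.t. a monoid (Slides 39-50).

Added example, not code from the talk. All carriers are finite and constructed
here so that the laws
    h(u) = v   and   h(s1 ⊕ s2) = h(s1) ⊗ h(s2)
can be checked exhaustively. SEQS and NATS are finite windows onto infinite
carriers: they are used for the homomorphism check only, not as monoids.
"""
from dataclasses import dataclass
from functools import reduce
from itertools import combinations, product
from typing import Any, Callable


@dataclass(frozen=True)
class Monoid:
    carrier: frozenset
    op: Callable[[Any, Any], Any]
    unit: Any


def is_monoid(m: Monoid) -> bool:
    """Closure, associativity and the two-sided unit law, checked exhaustively."""
    c = m.carrier
    return (m.unit in c
            and all(m.op(x, y) in c for x in c for y in c)
            and all(m.op(x, m.op(y, z)) == m.op(m.op(x, y), z) for x in c for y in c for z in c)
            and all(m.op(m.unit, x) == x == m.op(x, m.unit) for x in c))


def hom_laws(h, src: Monoid, dst: Monoid) -> tuple:
    """(unit law, operation law) for h : (S, ⊕, u) → (T, ⊗, v), reported as a
    pair so that a map preserving ⊕ but not u is shown rather than hidden."""
    unit_ok = h(src.unit) == dst.unit
    op_ok = all(h(src.op(x, y)) == dst.op(h(x), h(y)) for x in src.carrier for y in src.carrier)
    return unit_ok, op_ok


def reduce_wrt(m: Monoid, xs) -> Any:
    """⊕/ taken w.r.t. the monoid: the fold starts at u, hence ⊕/∅ = u
    (Slide 43's correct approach; a bare operator has nothing to return on ∅)."""
    return reduce(m.op, xs, m.unit)


def hom_from_element_action(dst: Monoid, action, elements):
    """h defined by its element action h({a}) ≜ action(a) (Slide 47):
    h(S) = ⊗/ over the actions of the elements of S."""
    return lambda s: reduce_wrt(dst, (action(a) for a in elements(s)))


# Constructed finite carriers.
A = frozenset({"a", "b", "c"})
POW_A = frozenset(frozenset(c) for r in range(len(A) + 1) for c in combinations(sorted(A), r))
SEQS = frozenset(s for n in range(3) for s in product(sorted(A), repeat=n))
NATS = frozenset(range(5))
BOOLS = frozenset({True, False})

SETS_UNION = Monoid(POW_A, lambda s, t: s | t, frozenset())   # (𝒫A, ∪, ∅)
SETS_INTER = Monoid(POW_A, lambda s, t: s & t, A)             # (𝒫A, ∩, A)
BOOL_OR = Monoid(BOOLS, lambda p, q: p or q, False)           # (𝔹, ∨, False)
BOOL_AND = Monoid(BOOLS, lambda p, q: p and q, True)          # (𝔹, ∧, True)
SEQ_CAT = Monoid(SEQS, lambda s, t: s + t, ())                # window on (A⋆, ⌢, Λ)
NAT_ADD = Monoid(NATS, lambda m, n: m + n, 0)                 # window on (ℕ, +, 0)

# Homomorphisms given by their element actions (Slide 48).
length = hom_from_element_action(NAT_ADD, lambda _a: 1, iter)                # len a ≜ 1
elems = hom_from_element_action(SETS_UNION, lambda a: frozenset({a}), iter)  # elems a ≜ {a}


def chi(a):
    """χ[a]{a′} ≜ a = a′, extended to whole sets as the membership test."""
    return lambda s: a in s


def forall(rho):
    """∀[ρ] ≜ ∧/ ∘ 𝒫ρ, so ∀[ρ]∅ = True."""
    return lambda s: reduce_wrt(BOOL_AND, (rho(x) for x in s))


def exists(rho):
    """∃[ρ] ≜ ∨/ ∘ 𝒫ρ, so ∃[ρ]∅ = False."""
    return lambda s: reduce_wrt(BOOL_OR, (rho(x) for x in s))


def remove(s):
    """⊳−[S], element action a ∈ S → ∅ , {a} (Slide 49)."""
    return lambda t: t - s


def restrict(s):
    """⊳[S], element action a ∈ S → {a} , ∅ (Slide 49)."""
    return lambda t: t & s


if __name__ == "__main__":
    for name, m in [("union", SETS_UNION), ("inter", SETS_INTER), ("or", BOOL_OR), ("and", BOOL_AND)]:
        print(name, "is a monoid:", is_monoid(m))
    print("len:", hom_laws(length, SEQ_CAT, NAT_ADD))
    print("elems:", hom_laws(elems, SEQ_CAT, SETS_UNION))
    print("remove under ∪:", hom_laws(remove(frozenset({"a"})), SETS_UNION, SETS_UNION))
    print("remove under ∩:", hom_laws(remove(frozenset({"a"})), SETS_INTER, SETS_INTER))
```

The last two lines are the check a practitioner would want before relying on the endomorphism claim: under union both laws hold, under intersection the operation law holds but the unit law does not, because A \ S is not A.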

SLIDE 51

Re-usable Proof Steps
Any proof fragment done using only structural and morphism properties, like:

    len(σ₁ ⌢ σ₂) + len a
  = “len homomorphism”
    (len σ₁ + len σ₂) + len a
  = “associativity of +”
    len σ₁ + (len σ₂ + len a)
  = “element action of len”
    len σ₁ + (len σ₂ + 1)

can be generalised, for h : (S, ⊕, u) → (T, ⊗, v) and h(t) ≜ s, as:

  h(s₁ ⊕ s₂) ⊗ h(t) = h(s₁) ⊗ (h(s₂) ⊗ s)

and applied to any other corresponding instances of such structures and morphisms, e.g.:

  ⊳−[S](A₁ ∩ A₂) ∩ ⊳−[S]{a} = ⊳−[S]A₁ ∩ (⊳−[S]A₂ ∩ (a ∈ S → ∅ , {a}))

Slide 50 c May 22, 2000 Andrew Butterfield
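The “structure plus element action” recipe of slides 48 to 51, as an added Python example (not code from the slides): a generic `lift` rebuilds a homomorphism from its element action alone, and `is_homomorphism` checks the laws on sample data. Sequences are tuples, sets are frozensets, and all names here are this example's own.

```python
# Added example: homomorphisms h : (S, ⊕, u) → (T, ⊗, v) fixed by the two structures
# plus an "element action" on singletons, checked against the homomorphism laws.
from functools import reduce
from typing import Any, Callable, Iterable, Tuple

Monoid = Tuple[Callable[[Any, Any], Any], Any]   # (operator, unit)

SEQ_CAT: Monoid = (lambda s, t: s + t, ())                     # (A⋆, ⌢, Λ) as tuples
NAT_PLUS: Monoid = (lambda a, b: a + b, 0)                     # (N, +, 0)
SET_UNION: Monoid = (lambda s, t: s | t, frozenset())          # (PA, ∪, ∅)
BOOL_OR: Monoid = (lambda p, q: p or q, False)                 # (B, ∨, False)


def lift(target: Monoid, element_action: Callable[[Any], Any],
         elements: Callable[[Any], Iterable[Any]]) -> Callable[[Any], Any]:
    """Extend an element action to the whole source structure:
    h(e1 ⊕ e2 ⊕ ...) = h(e1) ⊗ h(e2) ⊗ ..., with h(u) = v.
    `elements` splits a source value into its singletons (items of a
    sequence, members of a set)."""
    op, unit = target
    return lambda s: reduce(op, (element_action(e) for e in elements(s)), unit)


# The slides' homomorphisms, each given only by its element action
len_hom = lift(NAT_PLUS, lambda a: 1, iter)                    # len a △ 1
elems_hom = lift(SET_UNION, lambda a: frozenset({a}), iter)    # elems a △ {a}


def chi(a: Any) -> Callable[[frozenset], bool]:
    """χ[a] : (PA, ∪, ∅) → (B, ∨, False) with χ[a]{a′} △ a = a′."""
    return lift(BOOL_OR, lambda a_: a == a_, iter)


def remove(S: frozenset) -> Callable[[frozenset], frozenset]:
    """Set removal ⊳−[S] : (PA, ∪, ∅) → (PA, ∪, ∅) with ⊳−[S]{a} △ a ∈ S → ∅ , {a}."""
    return lift(SET_UNION, lambda a: frozenset() if a in S else frozenset({a}), iter)


def is_homomorphism(h: Callable[[Any], Any], source: Monoid, target: Monoid,
                    samples: Iterable[Any]) -> bool:
    """Check h(u) = v and h(s1 ⊕ s2) = h(s1) ⊗ h(s2) over every pair of samples."""
    s_op, s_unit = source
    t_op, t_unit = target
    samples = list(samples)
    if h(s_unit) != t_unit:
        return False
    return all(h(s_op(s1, s2)) == t_op(h(s1), h(s2)) for s1 in samples for s2 in samples)
```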

SLIDE 52

Reducing Monoids to Semigroups

We will proceed next to illustrate the real power of the structural approach. As a prerequisite, we introduce the notion of reducing a monoid to a semigroup, alternatively referred to as dropping the monoid unit.

Given a monoid (M, ⊕, u), we define the corresponding reduced semigroup as (M′, ⊕′), where

M′ = M \ {u}
⊕′ is ⊕ restricted to M′ × M′

Notes: We use the prime notation in a general way to indicate a carrier set with the unit or identity element removed (e.g. P′A denotes PA \ {∅}). Some carrier sets have their own notations: A⁺ instead of A⋆′, N1 instead of N′.

SLIDE 53

Progress of Talk

  • 1. Introduction
  • 2. History
  • 3. Some VDM♣ Models
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions

SLIDE 54

VDM♣ Maps

To date, we have avoided mention of finite maps, or partial functions. We shall present our approach, using monoids and homomorphisms to define the key functions. We shall then see how we can obtain a whole host of useful structures using a single general construction.

SLIDE 55

Finite/Partial Maps in VDM♣

We describe a finite map between domains A and B with a declaration of the form (→ᵐ denotes the finite-map type constructor):
µ, ν ∈ A →ᵐ B

We introduce the notion of a null or empty map:
θ : A →ᵐ B

We also have the concept of a singleton “maplet”:
{a → b} : A →ᵐ B

We construct maps using map override:
† : (A →ᵐ B) × (A →ᵐ B) → (A →ᵐ B)

We introduce the notion of map application:
a ∈ A, µ ∈ A →ᵐ B ⇒ µ a ∈ B

The notation and behaviour is very similar to that found in VDM-SL, so we will not elaborate further.

SLIDE 56

The Map Monoid

Maps under override form a monoid, with the null map as identity:
(A →ᵐ B, †, θ)

The map domain operator (dom) returns the elements of A for which the map is defined. It is a homomorphism, so can be defined as:
dom : (A →ᵐ B, †, θ) → (PA, ∪, ∅)
dom{a → b} △ {a}

Note: A common abuse of notation employed in VDM♣ is to write a ∈ µ as a shorthand for a ∈ dom µ.

The map range operator (rng) returns the elements of B onto which some element of the domain is mapped. It is also a homomorphism, so can be defined as:
rng : (A →ᵐ B, †, θ) → (PB, ∪, ∅)
rng{a → b} △ {b}

SLIDE 57

Other Map Homomorphisms

Given S ⊆ A, we can define . . .

Domain Removal w.r.t. S (⊳−[S]) as an endomorphism:
⊳−[S] : (A →ᵐ B, †, θ) → (A →ᵐ B, †, θ)
⊳−[S]{a → b} △ a ∈ S → θ , {a → b}

Domain Restriction w.r.t. S (⊳[S]) as an endomorphism:
⊳[S] : (A →ᵐ B, †, θ) → (A →ᵐ B, †, θ)
⊳[S]{a → b} △ a ∈ S → {a → b} , θ

Notes: We are overloading the restrict/remove symbols once more. We further extend the concept to restriction/removal w.r.t. another map, by abuse of notation — for maps µ, ν, ⊳−[µ]ν should be read as ⊳−[dom µ]ν.

SLIDE 58

The Map “map” Functor

Given injective f : A → C and any g : B → D, we obtain . . .

Map functor (f →ᵐ g) as a homomorphism:
(f →ᵐ g) : (A →ᵐ B, †, θ) → (C →ᵐ D, †, θ)
(f →ᵐ g){a → b} △ {f(a) → g(b)}

Notes: (f →ᵐ g) is the map functor for maps. The most common usage is of the form (I →ᵐ g).

SLIDE 59

Map Extend, Removal and Override

We also define a map extend operator (⊔) as follows:
⊔ : (A →ᵐ B) × (A →ᵐ B) → (A →ᵐ B)   (partial)
pre-(µ ⊔ ν) △ dom µ ∩ dom ν = ∅
µ ⊔ ν △ µ † ν

Note: Map extend is analogous to Set extend, and plays a similar rôle, especially for defining recursive functions over finite maps.

We have the following identity between map override, extend and removal:
µ † ν = ⊳−[ν]µ ⊔ ν
Observe the abuse of notation mentioned previously.

If we relax the totality requirement for a monoid’s operator, but still require that the identity law holds for all elements, we obtain a Partial Monoid (M, ⊕, u)ₚ. Map and Set extend form partial monoids.
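The map operators of slides 55 to 59 as an added Python example (not code from the slides): finite maps are dicts, θ is the empty dict, extend carries its precondition, and the final two functions check the identity µ † ν = ⊳−[ν]µ ⊔ ν and the dom homomorphism law on sample maps. All names are this example's own.

```python
# Added example: VDM♣ finite-map operators with dicts as maps and {} as θ.
from typing import Any, Callable, Dict, FrozenSet

Map = Dict[Any, Any]
THETA: Map = {}


def maplet(a: Any, b: Any) -> Map:
    """The singleton map {a → b}."""
    return {a: b}


def override(mu: Map, nu: Map) -> Map:
    """µ † ν: ν's maplets win where the domains overlap."""
    return {**mu, **nu}


def pre_extend(mu: Map, nu: Map) -> bool:
    """pre-(µ ⊔ ν) △ dom µ ∩ dom ν = ∅"""
    return not (set(mu) & set(nu))


def extend(mu: Map, nu: Map) -> Map:
    """µ ⊔ ν △ µ † ν, defined only when the precondition holds (partial monoid)."""
    if not pre_extend(mu, nu):
        raise ValueError("extend undefined: domains overlap")
    return override(mu, nu)


def dom_remove(S: FrozenSet[Any], mu: Map) -> Map:
    """⊳−[S]µ; element action ⊳−[S]{a → b} △ a ∈ S → θ , {a → b}."""
    return {a: b for a, b in mu.items() if a not in S}


def dom_restrict(S: FrozenSet[Any], mu: Map) -> Map:
    """⊳[S]µ; element action ⊳[S]{a → b} △ a ∈ S → {a → b} , θ."""
    return {a: b for a, b in mu.items() if a in S}


def map_functor(f: Callable[[Any], Any], g: Callable[[Any], Any], mu: Map) -> Map:
    """(f →ᵐ g)µ with (f →ᵐ g){a → b} △ {f(a) → g(b)}; f must be injective on dom µ."""
    out = {f(a): g(b) for a, b in mu.items()}
    if len(out) != len(mu):
        raise ValueError("f is not injective on dom µ")
    return out


def override_identity_holds(mu: Map, nu: Map) -> bool:
    """µ † ν = ⊳−[ν]µ ⊔ ν, reading ⊳−[ν] as ⊳−[dom ν] (the slides' abuse of notation)."""
    return override(mu, nu) == extend(dom_remove(frozenset(nu), mu), nu)


def dom_is_homomorphism(mu: Map, nu: Map) -> bool:
    """dom θ = ∅ and dom(µ † ν) = dom µ ∪ dom ν, i.e. dom : (†, θ) → (∪, ∅)."""
    return (frozenset(THETA) == frozenset()
            and frozenset(override(mu, nu)) == frozenset(mu) | frozenset(nu))
```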

SLIDE 60

Instances of Maps

Given the Map construction, we can consider various common instances, and define appropriate operators, as is done in VDM-SL, Z and other formalisms:

Bags are maps from some domain to Natural Numbers:
β ∈ A →ᵐ N
We can define bag addition (⊕) appropriately, so for example:
{a → m} ⊕ {a → n} = {a → m + n}

Set-valued Functions/Maps map from a domain to sets of range values:
γ ∈ A →ᵐ PB
We can define a lifted form of set union (⊎), such that:
{a → S} ⊎ {a → T} = {a → S ∪ T}

SLIDE 61

Issues regarding Map Instances

In the process of defining bags and set-valued functions, questions such as the following arise:

Q: Should we allow bags to map some domain elements to zero? i.e. should we use A →ᵐ N or A →ᵐ N1?
Q: If a set-valued function is partial, should it map some domain elements to the null set?

In VDM♣, we have a single construction technique which produces all these instances, and gives a technical criterion for deciding about the presence of identity elements in map ranges. This technique involves the so-called Indexed Monoid.

SLIDE 62

The Indexed Monoid (Naïve Version)

We start with a given monoid (M, ⋆, u), and introduce an indexing set X. We are going to index M by X, giving a map X →ᵐ M. Define an indexed form of ⋆, written ⋆̂, as follows:

⋆̂ : (X →ᵐ M) × (X →ᵐ M) → (X →ᵐ M)
µ ⋆̂ θ △ µ
µ ⋆̂ ({x → m} ⊔ ν) △ ρ ⋆̂ ν
  where ρ = µ ⊔ {x → m},          if x ∉ µ
            µ † {x → µ(x) ⋆ m},    if x ∈ µ

Theorem: If (M, ⋆, u) is a monoid, then so is (X →ᵐ M, ⋆̂, θ).
Theorem: If (M, ⋆, u) is abelian, then so is (X →ᵐ M, ⋆̂, θ).
Proofs: see [?]

SLIDE 63

Indexing gives us Instances

If we index the monoid (N, +, 0)ab by A, we obtain the indexed monoid of bags of A:
(A →ᵐ N1, +̂, θ)ab
But what does this say about zeros in the range?

If we index the monoid (PA, ∪, ∅)ab by B, we obtain the indexed monoid of set-valued maps of B:
(B →ᵐ PA, ∪̂, θ)ab
But what does this say about empty sets in the range?

Why is this referred to as naïve?

To see the answer to all these questions, we need to look at a higher-level structure: Groups

SLIDE 64

Groups and Indexing

A Group has carrier set G, operation ⊕ : G × G → G, identity u : G and an inverse function ⁻¹ : G → G, with properties:

(G, ⊕, u) is a monoid.
For all g ∈ G, g⁻¹ ⊕ g = u = g ⊕ g⁻¹.

We use the following shorthand: (G, ⊕, u, ⁻¹).

Example Groups:
(Z, +, 0, −) Integers under Addition.
(Q, ×, 1, ÷) Rationals under Multiplication.

Can we have “indexed groups”? i.e., if (G, ⋆, u, ⁻¹) is a group, is (X →ᵐ G, ⋆̂, θ, ?) then also a group? What is the inverse for such a group?

SLIDE 65

Why Naïve Indexing fails for Groups

Consider the group (Z, +, 0, −). We might expect indexing to produce a group of integer bags (X →ᵐ Z, +̂, θ, ⊖), where ⊖ negates all the range elements.

However, ⊖ is not a proper inverse. Let µ = {x → i}; then ⊖µ = {x → −i}, so
µ +̂ ⊖µ = {x → 0} ≠ θ

The putative inverse ⊖ does not produce something that combines with +̂ to give the identity θ! Careful thought and analysis indicates that the problem lies with the carrier, and the indexed operation, not the proposed inverse.

SLIDE 66

Avoiding Complications

The central issue is philosophical in nature, and deals with the most prevalent interpretations given to such structures. We tend to view θ, {x → 0}, {x → 0, y → 0} as all denoting the same thing — an empty bag.

One technical solution would be to define equivalence classes, and to talk about identity and inverse “up to equivalence”. We find this cumbersome and awkward.

We prefer to get rid of maplets of the form {x → u}. We choose to do this for both monoids and groups.

SLIDE 67

The Indexed Monoid (Sophisticated Version)

We start with a given monoid (M, ⋆, u), and introduce an indexing set X. We reduce the monoid to a semigroup (M′, ⋆). We are going to index M′ by X, giving a map X →ᵐ M′. Define a reduced indexed form of ⋆, written ⋆̂′, as follows:

⋆̂′ : (X →ᵐ M′) × (X →ᵐ M′) → (X →ᵐ M′)
µ ⋆̂′ θ △ µ
µ ⋆̂′ ({x → m} ⊔ ν) △ ρ ⋆̂′ ν
  where ρ = µ ⊔ {x → m},          if x ∉ µ
            µ † {x → µ(x) ⋆ m},    if x ∈ µ ∧ µ(x) ⋆ m ≠ u
            ⊳−[{x}]µ,              if x ∈ µ ∧ µ(x) ⋆ m = u   (the {x → u} maplet is dropped)

Theorem: If (M, ⋆, u) is a monoid, then so is (X →ᵐ M′, ⋆̂′, θ).
Theorem: If (M, ⋆, u) is abelian, then so is (X →ᵐ M′, ⋆̂′, θ).
Proofs: see [?]

SLIDE 68

Naïve vs Sophisticated Indexing

Sophisticated Indexing produces “cleaner” monoids, by cleaning out {x → u} entries in maps.

Given a group (G, ⋆, u, ⁻¹), then (X →ᵐ G′, ⋆̂′, θ, (I →ᵐ ⁻¹)) is also a group.

In general, sophisticated indexing is preferred in the Irish School, so much so that the prime on ⋆̂′ is often dropped (i.e. ⋆̂ is taken to mean ⋆̂′ by default).

However, ⋆̂ (the naïve form) is more general and can be applied to any binary operator, even if not associated with a monoid. So, for example, a proper semigroup (S, ⋆) can be naïvely indexed to form the monoid (X →ᵐ S, ⋆̂, θ).

A general result for both forms of indexing allows us to give a meaning to the application of an (indexed) map to elements not in its domain: we simply return the identity element of the monoid that was indexed to give the map.

SLIDE 69

Multiple Indexing

Indexing takes a monoid to a (higher) monoid. So what happens if we index an already indexed structure? There is no difficulty — we get an index tower:

(M, ⋆, u)
   ↓ index w.r.t. X1
(X1 →ᵐ M, ⋆̂, θ)
   ↓ index w.r.t. X2
(X2 →ᵐ X1 →ᵐ M, ⋆̂², θ)
   ↓ index w.r.t. X3
(X3 →ᵐ X2 →ᵐ X1 →ᵐ M, ⋆̂³, θ)

Notes: We are ignoring the naïve/sophisticated distinction here. ⋆ could be written as ⋆̂⁰, and ⋆̂ as ⋆̂¹.

The key point is that with the concept of indexing structures, we can build new structures of a similar type in a coherent way, simply by constructing appropriate maps and operators.

SLIDE 70

Modelling Relations in VDM♣

A relation between A and B is modelled as R ⊆ P(A × B). A functional view might use set-valued maps: ρ ∈ A →ᵐ PB. However, this is unsatisfactory, as elements of the latter have no counterpart in the former — e.g. {a → ∅}.

Sophisticated indexing comes to the rescue: we index (PB, ∪, ∅) to obtain (A →ᵐ P′B, ∪̂, θ).

Throwing away empty sets in the range is key: A →ᵐ P′B is isomorphic to P(A × B).

To ask if a is related to b: with R, we ask if (a, b) ∈ R; with ρ, we ask if b ∈ ρ(a).

We have a series of results connecting †, ∪̂, ⊳−, ⊳ and relational inverse (a.k.a. inverse image):
⁻¹ : (A →ᵐ B) → (B →ᵐ P′A)

SLIDE 71

What if Indexing was foundational?

Consider a scheme that, given a binary operator ⋆, could construct ⋆̂ without reference to override.

Now consider the following unusual semigroup: (A, π2), where π2(a1, a2) △ a2 is the 2nd projection operator, which we could consider as an infix operator ( π2 ). Then the monoid obtained by indexing the semigroup is (X →ᵐ A, π̂2, θ).

If x ∉ µ, then µ π̂2 {x → a} becomes µ ⊔ {x → a}.
However, if x ∈ µ, then µ π̂2 {x → a} becomes µ † {x → µ(x) π2 a}, which is the same as µ † {x → a}.

In other words, π̂2 = †

We can define override in terms of indexing. This is not as mysterious as it seems. The operator indexing scheme effectively embodies map override, however it is defined, so the projection operator simply brings this aspect out.

Hmmm, so what is π̂1?

SLIDE 72

Dictionary revisited

One use for a dictionary is to quickly look up an identifier gleaned from a program text, to see if it is a keyword. The dictionary is usually small and static, so fast lookup is much more important than speed of inserting words.

One possible implementation is to structure the dictionary as an n-way tree, where n is the number of letters in the alphabet of an identifier. The first letter of the identifier selects the corresponding branch, and follows it to the next node, if not null. If null, the identifier is not a keyword. Repeat with the second character, and so on . . .

Typically each node is implemented as an array, indexed by character, containing a pointer to another such node, which may be null. Lookup is fast, O(c) where c is the number of characters in the identifier.

SLIDE 73

Using Maps to model Fast-Lookup Dictionaries

We revisit our dictionary model, to model a fast lookup version (DFast), but now assume that words are non-empty sequences of characters (A):
c ∈ A
w ∈ Word = A⁺

We model an array of pointers (some of which might be null) indexed by characters, by a partial map from characters to non-null pointers. In fact, we model pointers by the maps they point to, resulting in a recursive domain definition:
δ ∈ DFast = A →ᵐ DFast

Note: The type DFast is its own index, in some sense! The fact that the map is partial is essential at this point.

For example, the dictionary containing “and”, “alt” and “or” is modelled as:
δ = { ’a’ → { ’l’ → {’t’ → θ}, ’n’ → {’d’ → θ} },
      ’o’ → {’r’ → θ} }

SLIDE 74

Building a Fast Dictionary

For the dictionary model DFast, we need a build operation. One possible attempt is:

— to define an operation Cvt to convert a word into a DFast map:
Cvt : A⋆ → DFast
Cvt Λ △ θ
Cvt(c : w) △ {c → Cvt w}

— to define a binary operation that merges DFast maps (written ▵ below, to keep it apart from the definitional △):
▵ : DFast × DFast → DFast
δ ▵ θ △ δ
δ ▵ (ϕ ⊔ {c → γ}) △ η ▵ ϕ
  where η = δ ⊔ {c → γ},          if c ∉ δ
            δ † {c → δ(c) ▵ γ},    if c ∈ δ

! This looks familiar !

SLIDE 75

Self Indexing

Examination of the dictionary merge operator leads to the following surprising result: for a reflexive (recursively defined) type T such as T = A →ᵐ T, which is inherently self-indexing, the merge operator ▵ : T × T → T is its own index:
▵ = ▵̂

In other words, given monoid (TA, ▵, θ) where TA = A →ᵐ T, then indexing by A has no effect:
(TA, ▵, θ) ≈ (A →ᵐ TA, ▵̂, θ)

Note: this result requires naïve indexing to work.
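Both forms of indexing (slides 62 to 68) and the self-indexing DFast dictionary (slides 73 to 75), as one added Python example that is not code from the slides. Finite maps are dicts with θ as `{}`; `index_naive` and `index_sophisticated` follow the two definitions, bags and set-valued maps fall out as instances, the integer-group check reproduces the `{x → 0}` residue of slide 65 and its disappearance under sophisticated indexing, and `merge` is literally written as its own naïve index. All names here are this example's own.

```python
# Added example: naive vs sophisticated indexed monoids, their instances, and DFast.
from typing import Any, Callable, Dict, Iterable, Tuple

Map = Dict[Any, Any]                                  # a finite map X ->m M; theta is {}
Monoid = Tuple[Callable[[Any, Any], Any], Any]        # (star, u)

def index_naive(star: Callable[[Any, Any], Any]) -> Callable[[Map, Map], Map]:
    """Naive indexing of any binary operator star:
    mu *^ theta = mu;  mu *^ ({x -> m} U nu) = rho *^ nu,
    where rho = mu U {x -> m} if x not in mu, else mu + {x -> mu(x) * m}."""
    def indexed(mu: Map, nu: Map) -> Map:
        rho = dict(mu)
        for x, m in nu.items():
            rho[x] = star(rho[x], m) if x in rho else m
        return rho
    return indexed

def index_sophisticated(mon: Monoid) -> Callable[[Map, Map], Map]:
    """Sophisticated indexing of (M, star, u): the range is M' = M \\ {u}, so a
    maplet whose value is (or becomes) the unit u is cleaned out of the map."""
    star, u = mon
    def indexed(mu: Map, nu: Map) -> Map:
        rho = {x: m for x, m in mu.items() if m != u}
        for x, m in nu.items():
            if m == u:
                continue
            if x not in rho:
                rho[x] = m
            elif star(rho[x], m) != u:
                rho[x] = star(rho[x], m)
            else:
                del rho[x]                            # {x -> u} does not survive
        return rho
    return indexed

# Instances obtained by indexing: bags of A and set-valued maps of B
NAT_PLUS: Monoid = (lambda a, b: a + b, 0)            # (N, +, 0); Z shares + and 0
SET_UNION: Monoid = (lambda s, t: s | t, frozenset())  # (PA, U, {})
bag_add = index_sophisticated(NAT_PLUS)                # (A ->m N1, +^, theta)
set_map_union = index_sophisticated(SET_UNION)         # (B ->m P'A, U^, theta)

def negate_range(mu: Map) -> Map:
    """(I ->m -): the group inverse of (Z, +, 0, -) applied to every range element."""
    return {x: -m for x, m in mu.items()}

def naive_inverse_residue(mu: Map) -> Map:
    """mu +^ (negate mu) under naive indexing: {x -> 0} maplets are left behind."""
    return index_naive(NAT_PLUS[0])(mu, negate_range(mu))

def sophisticated_inverse_residue(mu: Map) -> Map:
    """The same combination under sophisticated indexing yields theta, so
    (X ->m Z', +^', theta, (I ->m -)) is a group."""
    return index_sophisticated(NAT_PLUS)(mu, negate_range(mu))

# The fast-lookup dictionary DFast = A ->m DFast
def cvt(word: str) -> Map:
    """Cvt: a word becomes a chain of singleton maplets ending in theta."""
    node: Map = {}
    for c in reversed(word):
        node = {c: node}
    return node

def merge(delta: Map, phi: Map) -> Map:
    """The DFast merge operator, written as its own naive index (self-indexing)."""
    return index_naive(merge)(delta, phi)

def merge_direct(delta: Map, phi: Map) -> Map:
    """The recursive definition from the slides, kept to cross-check merge."""
    if not phi:
        return delta
    c, gamma = next(iter(phi.items()))
    rest = {k: v for k, v in phi.items() if k != c}
    eta = {**delta, c: gamma if c not in delta else merge_direct(delta[c], gamma)}
    return merge_direct(eta, rest)

def build(words: Iterable[str]) -> Map:
    """Fold the dictionary's words into one DFast map, starting from theta."""
    delta: Map = {}
    for w in words:
        delta = merge(delta, cvt(w))
    return delta

def is_keyword(delta: Map, ident: str) -> bool:
    """Follow ident's characters; it is a keyword iff the walk ends at theta.
    Consequence of this model: a word and a proper prefix of it cannot both be held."""
    node = delta
    for c in ident:
        if c not in node:
            return False
        node = node[c]
    return node == {}
```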

SLIDE 76

Open Questions about Indexing and Structure

We have applied indexing to semigroups, monoids and groups. Can the concept be extended easily to rings, fields, etc.?
The powerset monoids lead into the area of lattices. Can lattices be indexed?
What happens if we make the carrier set the indexing set?
What other ways exist to generate structures?

More recent work on VDM♣ has focussed on Inner and Outer Laws, a weaker but more general notion than monoids.

SLIDE 77

Progress of Talk

  • 1. Introduction
  • 2. History
  • 3. Some VDM♣ Models
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions

SLIDE 78

From Indexing to Geometry

The concept of the indexed monoid led research in VDM♣ into the areas of fibre-bundles and sheaves, which are complex structures associated with function spaces. A lot of this theory is tied into modelling dynamic systems and certain forms of constructive geometry.

Drawing inspiration from the Cartesian duality between Algebra and Geometry, Mícheál Mac an Airchinnigh hypothesised the existence of a Geometry of Formal Methods [Mac96, Mac97]. In particular, it was viewed that these structures might provide a springboard for developing models of distributed systems with VDM♣.

SLIDE 79

Fibre-Bundles

A fibre-bundle is a way of viewing a map which emphasises its partitioning properties.

A set A is partitioned into a set of sets {Ai | Ai ⊆ A} for i ∈ I, if the Ai are pairwise disjoint, and ⋃{Ai} = A. Such a collection of pairwise disjoint sets is an I-indexed bundle.

Given a map µ : A →ᵐ I, a partitioning is induced on A, where each partition contains the elements of A which map to the same element of I. Alternatively put: for all i ∈ I, the collection of inverse images µ⁻¹({i}) forms a partition of A. (Inverse image maps µ ∈ A →ᵐ I onto β ∈ I →ᵐ P′A.)

Each element of I acts as a partition index. So we can view the bundle {Ai}i∈I as a map β ∈ I →ᵐ P′A. This gives us a way to represent a partition without an explicit invariant.

SLIDE 80

Monoid of Inverted Maps

The use of fibre-bundles, in their form as inverted maps (I →ᵐ P′A), led to an exploration of the structure associated with such entities.

Clearly an inverted map monoid is obtained by indexing the monoid of sets under union:
(PA, ∪, ∅) ⟶ (I →ᵐ P′A, ∪̂′, θ)

Investigation of the relationship between override and inverted maps [Mac93] led to the following result:
(µ † ν)⁻¹ = (I →ᵐ ⊳−[ν])′ µ⁻¹ ∪̂ ν⁻¹

It is instructive to compare it with:
µ † ν = ⊳−[ν]µ ⊔ ν

From this, the definition of an operator on inverse maps analogous to override was developed [Hug00]:
β ‡ γ = (I →ᵐ ⊳−[(∪/ ◦ rng)γ])β ∪̂ γ

This operator (‡) is called “underride”.

SLIDE 81

Relating Maps and their Inverses

Arthur Hughes [Hug00] has established an isomorphism between the monoid of maps and that of inverse maps. As a result, many operations in one have equivalents in the other:

Maps (µ, ν ∈ A →ᵐ B)     Inv. Maps (β, γ ∈ B →ᵐ P′A)
µ ⊔ ν                    β ∪̂ γ
⊳[S]µ                    (I →ᵐ ⊳[S])β
⊳−[S]µ                   (I →ᵐ ⊳−[S])β
⊲[S]µ                    ⊳[S]β
⊲−[S]µ                   ⊳−[S]β
dom µ                    (∪/ ◦ rng)β
rng µ                    dom β
µ † ν                    β ‡ γ
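The inverted-map results of slides 80 and 81 as an added Python example (not code from the slides): relational inverse, override, the sophisticated indexed union on B →ᵐ P′A, and underride, together with checks of the identity (µ † ν)⁻¹ = (I →ᵐ ⊳−[ν])′µ⁻¹ ∪̂ ν⁻¹ and of three rows of the isomorphism table. Maps are dicts, P′A sets are frozensets, the cleaning (primed) map functor is applied in underride as well, and all names are this example's own.

```python
# Added example: inverse maps, override and underride, with the slide-80 identity checked.
from typing import Any, Callable, Dict, FrozenSet

Map = Dict[Any, Any]
InvMap = Dict[Any, FrozenSet[Any]]      # B ->m P'A: every range set is non-empty


def inverse(mu: Map) -> InvMap:
    """mu^-1 : (A ->m B) -> (B ->m P'A): the inverse image of each range element."""
    beta: Dict[Any, set] = {}
    for a, b in mu.items():
        beta.setdefault(b, set()).add(a)
    return {b: frozenset(s) for b, s in beta.items()}


def override(mu: Map, nu: Map) -> Map:
    """mu † nu: nu wins on common domain elements."""
    return {**mu, **nu}


def set_remove(S: FrozenSet[Any], A: FrozenSet[Any]) -> FrozenSet[Any]:
    """⊳−[S] on a set."""
    return A - S


def union_indexed(beta: InvMap, gamma: InvMap) -> InvMap:
    """Sophisticated indexed union ∪^' on B ->m P'A: an empty result set is dropped."""
    out = {b: s for b, s in beta.items() if s}
    for b, s in gamma.items():
        merged = out.get(b, frozenset()) | s
        if merged:
            out[b] = merged
        else:
            out.pop(b, None)
    return out


def map_functor_prime(f: Callable[[FrozenSet[Any]], FrozenSet[Any]], beta: InvMap) -> InvMap:
    """(I ->m f)': apply f to every range set and clean out those that became empty."""
    return {b: f(s) for b, s in beta.items() if f(s)}


def union_rng(gamma: InvMap) -> FrozenSet[Any]:
    """(∪/ ∘ rng) gamma: all elements that the inverted map points back to."""
    return frozenset().union(*gamma.values())


def underride(beta: InvMap, gamma: InvMap) -> InvMap:
    """beta ‡ gamma = (I ->m ⊳−[(∪/ ∘ rng) gamma]) beta ∪^ gamma."""
    removed = union_rng(gamma)
    return union_indexed(map_functor_prime(lambda s: set_remove(removed, s), beta), gamma)


def override_inverse_identity_holds(mu: Map, nu: Map) -> bool:
    """(mu † nu)^-1 = (I ->m ⊳−[nu])' mu^-1 ∪^ nu^-1, reading ⊳−[nu] as ⊳−[dom nu]."""
    lhs = inverse(override(mu, nu))
    cleaned = map_functor_prime(lambda s: set_remove(frozenset(nu), s), inverse(mu))
    return lhs == union_indexed(cleaned, inverse(nu))


def isomorphism_rows_hold(mu: Map, nu: Map) -> bool:
    """Table rows: dom mu = (∪/ ∘ rng) beta, rng mu = dom beta, mu † nu <-> beta ‡ gamma."""
    beta, gamma = inverse(mu), inverse(nu)
    return (frozenset(mu) == union_rng(beta)
            and frozenset(mu.values()) == frozenset(beta)
            and inverse(override(mu, nu)) == underride(beta, gamma))
```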

SLIDE 82

A view of Fibre-Bundles

As an example, consider the map µ : A →ᵐ I:
µ = {a1 → i1, b2 → i2, c1 → i1}

A traditional picture places A on the left and I on the right:
    a1 ⟶ i1
A   b2 ⟶ i2   I
    c1 ⟶ i1

The fibre-bundle view makes the partitioning more explicit:
[Figure: the fibres {a1, c1} and {b2}, as elements of P′A, sit above the base points i1 and i2 of I; µ points downwards and β = µ⁻¹ points back up.]

Observe how the “fibres” (i1 ↔ a1, c1) and (i2 ↔ b2) sit above the “base” I.

SLIDE 83

Fibre-Bundles and Geometry

How does this connect to geometry?

We can view the fibres as having further structure, so i1 ↔ {a1, c1} might become i1 ↔ a1, c1.

We can take a “horizontal” projection (or section) through the fibres, to give a map I →ᵐ A, for example {i1 → c1, i2 → b2}. We can view the map µ : A →ᵐ I as a “vertical” projection. We can then view the fibre elements (A) as a cross product, in some sense, of I and a horizontal projection of A.

For example, let I be points in the plane that mark out a circle, and let A be points on a line perpendicular to that plane. Then the fibres denote vertical sections through a cylinder obtained by sweeping the line around the circle.

For VDM♣, this was the first hint of a possible geometry underlying maps.

SLIDE 84

Sheaves

The other key structure that led us towards geometry, and ultimately towards category theory, was that of sheaves, which are closely related to fibre-bundles. We shall only summarise the definition of sheaves here:

Consider a base set B with an associated topology O(B) = {Oi}.
Associate with every open set Oi a function fi : Oi → A for some set A.
Require that the fi agree on common intersections (are glueable), i.e. x ∈ Oi ∩ Oj ⇒ fi(x) = fj(x).
The resulting structure is a sheaf.

A typical modelling use of a sheaf is for the base topology to be one derived from a partial order, which can then represent linear or branching time. Then the sheaf becomes a model of a temporal or dynamic system.

Another modelling use is for the base topology to capture spatial properties. This should allow us to model distribution.

SLIDE 85

Recursion Diagrams

Looking for a geometry of formal methods, we sought some sort of space in which algorithms have trajectories. This was to allow us to explore issues such as relating naïve and tail recursion. An output of this was the notion of Recursion Diagrams [But98]. These diagrams made explicit the trade-offs involved in transforming various forms of single and multiple recursion into efficient tail recursion. In particular, they provided a graphical method for assessing multiply recursive definitions (e.g. Fibonacci) to see if they could be put into tail form.

SLIDE 86

Geometry — Issues

The question of what mathematical (categorical) structure underlies Recursion Diagrams is still open. The Sheaf structure is complex, and is an instance of a category-theoretic notion of a Topos, which seems to have something to do with topology (?). Clearly, we need to improve still further our understanding of mathematical structure.

SLIDE 87

Progress of Talk

  • 1. Introduction
  • 2. History
  • 3. Some VDM♣ Models
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions

SLIDE 88

Why Category Theory?

In 1990, Mícheál Mac an Airchinnigh avoided Category Theory [Mac90]. However, several factors have conspired to draw VDM♣ back towards this area:

The functional nature of VDM♣, and modern functional languages using currying, fit very well with a categorical view of the world.
The exploration of more elaborate structures such as fibre-bundles and sheaves involved increasing exposure to the theory.
The discovery by the Irish School of work by others on the concept of Topoi, a particular class of categories with important properties.
A growing realisation that Category Theory is a (the) meta-theory of mathematical structure.

SLIDE 89

What is a Category?

A Category C consists of the following entities [Wal91, LS97]:

A, B, C, . . . ∈ Obj(C) : A collection of Objects.
f, g, h, . . . ∈ Arr(C) : A collection of Arrows, each of which originates at and ends upon objects. An arrow f originating at object A and terminating on object B is often written as f : A → B or A –f→ B.
A partial binary operator on arrows called Composition ( ◦ ).

The objects, arrows and composition must obey the following rules:
For every object A there is an identity arrow idA : A → A.
Composition (f ◦ g) is defined for all pairs of arrows of the form (B –g→ C, A –f→ B).
Composition is associative: f ◦ (g ◦ h) = (f ◦ g) ◦ h.
For all arrows A –f→ B we have: idB ◦ f = f = f ◦ idA.

SLIDE 90

What are Categories?

To identify a category, we need to identify the entities acting as objects, arrows and composition. Here are a few key examples:

Category   Objects       Arrows                  Composition
Set        Sets          Total Functions         Function Composition
Pfn        Sets          Partial Functions       Function Composition
Rel        Sets          Relations               Relation Composition
Cpo        C.P.O.s       Monotonic Functions     Function Composition
Pwr        Subsets       Inclusions              Inclusion Composition
Mon        Monoids       Monoid Homomorphisms    Function Composition
Grp        Groups        Group Homomorphisms     Function Composition
Top        Topologies    Continuous Functions    Function Composition
Shf        Sheaves       Sheaf Morphisms         Morphism Composition

There are many others!

SLIDE 91

Enriching the concept (I)

Category Theory gets its richness from extra definitions, given largely in terms of arrows and composition.

For example, in a category, two objects A and B are isomorphic (A ≈ B) iff there exist arrows A –f→ B and B –g→ A such that f ◦ g = idB and g ◦ f = idA (g is often written as f⁻¹). Such arrows are known as bijections or isomorphisms. In Set, sets with the same cardinality are isomorphic.

An object (typically called 0) is Initial if there exists exactly one arrow from it to any object.
An object (typically called 1) is Terminal if there exists exactly one arrow to it from any object.
All initial objects are isomorphic to each other, as are terminal objects.
In Set, the empty set is initial, while any singleton set is terminal.
In Pfn and Rel, the empty set is both initial and terminal (0 = 1)!

SLIDE 92

Enriching the concept (II)

It is possible to give category-theoretic definitions of:

Products: A × B, A × (B × C), . . . In Set, these are the usual Cross Products.
Sums: A + B, A + (B + C), . . . In Set, these are Disjoint Unions, e.g. ({1} × A) ∪ ({2} × B).
Exponentials: A^B, . . . In Set, these are graphs of functions of type B → A. Exponentials are the mechanism by which currying is defined categorically.

Given suitable conditions (satisfied by Set) we get lots of the “usual” properties:
0 + A ≈ A
1 × A ≈ A
A × B ≈ B × A
A^B × A^C ≈ A^(B+C)
A × B → C ≈ A → C^B

SLIDE 93

Topoi

Let us introduce two extra concepts [LS97]:

Truth Object (True : 1 → Ω). In Set, this is True ∈ B.
Sub-Object Classifiers (χ), which allow us to talk about “elements” of objects, and objects as sub-parts of each other. In Set, these are the characteristic functions.

Then we can define a Topos as a category T which has, for all A, B:
0, 1, A + B, A × B, A^B, True : 1 → Ω and χ.

Set is a topos. So is Shf, and Top. There are many others . . . But neither Pfn nor Rel are topoi!

SLIDE 94

Why are Topoi interesting?

Every topos is a model of an intuitionistic logic. Moreover, for certain types of topoi, it is possible to add in the law of the excluded middle provided you also accept the axiom of choice (and vice versa). Set is a topos of this type, whereas Top is not.

If we can give a topos-theoretic foundation to VDM♣, then we get a logic “for free”, and the ability to work in any topos (i.e. Shf). This is one of the aims of current research [Hug98, Hug00].

SLIDE 95

What is the difficulty?

VDM♣, like other formal methods, makes extensive use of partial functions and maps. But the category involving such things (Pfn) is not a topos.

However, it is possible to represent a partial function µ : A →ᵐ B by two total functions:
One is a total function f : dom µ → B.
The other is the relational datum dom µ ⊆ A, which can be represented as an injective function ı : dom µ → A.
We link them by observing that f = µ ◦ ı (in some sense).

The key is to build the map operator definitions (such as override) on this foundation [Hug00].

A deeper difficulty lies in handling recursion, which requires partiality in an essential way — it appears at present that Domain Theory and Topos Theory are not compatible.

slide-96
SLIDE 96

VDM♣: Mathematical Structures for Formal Methods Graz, Austria, 19th May 2000

Back to Algebras (and co-Algebras) Every category has a dual in which all arrows are reversed and composition is reversed accordingly. Some concepts are duals of each other, for example 0 and 1 (initial and terminal objects), and × and + (products and coproducts). Some categories are their own dual (e.g. Rel). It is possible to define structure-preserving mappings between categories; these are called functors (Pf, f⋆ and $(f \xrightarrow{m} g)$ are such functors). A functor F to and from the same category is called an endofunctor. Endofunctors on a category can be used to generate algebras ($F(A) \to A$) and their dual concept, co-algebras ($A \to F(A)$), which themselves form categories. The key point is that algebras and co-algebras (as discussed earlier) are dual concepts in the category-theoretic sense.

SLIDE 97

The Algebraic/co-Algebraic Duality Some aspects of the duality are:

  Aspect        Algebra               co-Algebra
  Models        Finite Structures     Finite & Infinite Structures
  Definitions   Recursion             co-Recursion
  Reasoning     Congruence            Bisimulation
  Tools         Theorem Provers       Model-Checkers
  Areas         Data & Computation    Communication & Behaviour

Thanks to ACMMPC at Lincoln College, Oxford, April 2000, for helping us build this view

We can construct a table that captures this duality under different headings. The Irish School has put considerable work into the algebraic side; we now hope to focus on the co-algebraic side.

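As an added example covering both the previous slide and the table above (it is not code from the talk): one endofunctor, F(X) = 1 + N × X, with an F-algebra that folds finite lists by structural recursion (cata) and an F-coalgebra that unfolds a seed into a possibly infinite stream by co-recursion (ana). The names fmap, in_, out, cata, ana, sum_alg, length_alg, countdown, evens_by_stepping, evens_by_doubling, bisimilar_upto and take are the author's choices for the example. The bounded bisimulation check at the end is the model-checker style of reasoning the table lists on the co-algebraic side: it compares observable behaviour for a finite number of steps, which is enough to refute bisimilarity but only evidence for it.

```python
"""F-algebras and F-coalgebras for F(X) = 1 + N x X, side by side.

Added illustration (not code from the talk). F(X) is encoded as either
None (the 1 summand) or a pair (n, x) (the N x X summand).
"""
from itertools import islice
from typing import Callable, Iterator, List, Optional, Tuple, TypeVar

X = TypeVar("X")
FX = Optional[Tuple[int, X]]          # F(X) = 1 + N × X


def fmap(h: Callable, fx: FX) -> FX:
    """Action of F on arrows: F(h) leaves the N component alone."""
    return None if fx is None else (fx[0], h(fx[1]))


# Initial F-algebra: finite lists of naturals, in_ : F(List) -> List.
def in_(fx: FX) -> List[int]:
    return [] if fx is None else [fx[0], *fx[1]]


def out(xs: List[int]) -> FX:
    """Inverse of in_; a finite list is a coalgebra too, but only a finite one."""
    return None if not xs else (xs[0], xs[1:])


def cata(alg: Callable[[FX], X], xs: List[int]) -> X:
    """Catamorphism (structural recursion): the unique arrow from the initial
    algebra to alg : F(X) -> X, i.e. cata alg = alg . F(cata alg) . out."""
    return alg(fmap(lambda rest: cata(alg, rest), out(xs)))


def ana(coalg: Callable[[X], FX], seed: X) -> Iterator[int]:
    """Anamorphism (co-recursion): the unique arrow from coalg : S -> F(S)
    into the final coalgebra of streams. Lazy, so the stream may be infinite
    and a caller must take a finite prefix of it."""
    state = seed
    while True:
        step = coalg(state)
        if step is None:              # the 1 summand: the stream ends here
            return
        head, state = step
        yield head


def take(n: int, stream: Iterator[int]) -> List[int]:
    return list(islice(stream, n))


# Two algebras F(int) -> int.
def sum_alg(fx: FX) -> int:
    return 0 if fx is None else fx[0] + fx[1]


def length_alg(fx: FX) -> int:
    return 0 if fx is None else 1 + fx[1]


# Three coalgebras S -> F(S).
def countdown(n: int) -> FX:
    """Finite behaviour: n, n-1, ..., 1 and then stop."""
    return None if n <= 0 else (n, n - 1)


def evens_by_stepping(n: int) -> FX:
    """Infinite behaviour: emit n, then step by two."""
    return (n, n + 2)


def evens_by_doubling(k: int) -> FX:
    """A different state space with the same observable behaviour from seed 0."""
    return (2 * k, k + 1)


def bisimilar_upto(depth: int, c1: Callable, s1, c2: Callable, s2) -> bool:
    """Bounded bisimulation check: do c1 from s1 and c2 from s2 produce the same
    observations for `depth` steps? A mismatch refutes bisimilarity; agreement
    is only evidence, since a real bisimulation is a relation on states that
    is closed under stepping, not a finite prefix."""
    return take(depth, ana(c1, s1)) == take(depth, ana(c2, s2))


if __name__ == "__main__":
    print(cata(sum_alg, [1, 2, 3]))                   # recursion over a finite list
    print(take(6, ana(evens_by_stepping, 0)))         # prefix of an infinite stream
    print(bisimilar_upto(50, evens_by_stepping, 0, evens_by_doubling, 0))
```

The asymmetry in the table's first row is visible in the code: cata consumes its argument with out until it hits the 1 summand, so it is only meaningful on finite lists, whereas ana produces a stream one observation at a time and is perfectly happy with a coalgebra that never returns None. Reasoning on the algebraic side is by induction on the list (a congruence); on the co-algebraic side it is by comparing the observations two states generate, which is what bisimilar_upto approximates.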
SLIDE 98

Progress of Talk

  • 1. Introduction
  • 2. History
  • 3. A simple VDM♣ Model
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions

SLIDE 99

The need for tools Working on foundations is one thing; using VDM♣ to model real systems is quite another.

  • Tool support would be nice
  • Tool support is expensive to implement
  • Tool support requires a commitment to a concrete syntax and a concrete logic

Who needs yet another (model-theoretic) formal method?

SLIDE 100

The position of VDM♣ among other Methods We view VDM♣ as complementary to existing methods such as VDM-SL, Z or B. We see it as complementary to various tools such as Mathematica, PVS, HOL or Isabelle. We see the results on mathematical structure as guiding the construction of theories and libraries for those methods and tools. We see a sensible way forward as the take-up of some of our ideas by practitioners whose main notation, method or tools are not those associated with VDM♣. The main theme is that of mathematical structure as an organising principle to obtain compact, clean models and compact, clean proofs.

SLIDE 101

Tools for VDM♣ ? In order to support our ongoing activity in this area, tool support for VDM♣ may prove useful. However, we view such support as providing a simple parser, plus output routines to produce material for handling by existing tools such as Mathematica, PVS or the IFAD toolkit. We see scope for translating VDM♣ into code written for a functional language such as Clean or Haskell, to support animation of specifications.

SLIDE 102

Specific Applications for VDM♣ ? Given:

  • the close similarity between VDM♣ and functional programming
  • a growing interest in FMG in functional programming

it seems promising to explore VDM♣ as a formal method for developing functional programs. We also see VDM♣ as an ideal vehicle to develop general theories (formal models) with wide applicability (e.g. dynamic graphs).

SLIDE 103

Progress of Talk

  • 1. Introduction
  • 2. History
  • 3. A simple VDM♣ Model
  • 4. Structures and Morphisms
  • 5. Indexed Structures
  • 6. A Geometry of Formal Methods
  • 7. A meta-theory of structures: Categories
  • 8. On building mathematical toolkits and tools
  • 9. Conclusions

SLIDE 104

Summary

  • We have seen the history of the emergence of VDM and VDM♣.
  • We have seen models of a dictionary used to introduce the notation and method.
  • We have seen the importance of structures and their morphisms.
  • We have looked at the indexing construction associated with maps.
  • We have glimpsed a possible connection between geometry and formal methods.
  • We have explored the rôle of category and topos theory.
  • We have considered how VDM♣ can inform other methods and tools.

SLIDE 105

Thanks THANK YOU FOR YOUR ATTENTION

SLIDE 106

References

[BJ87] D. Bjørner and C. B. Jones, editors. The Vienna Development Method: The Meta-Language. Number 61 in Lecture Notes in Computer Science. Springer Verlag, Berlin, 1987.

[But98] Andrew Butterfield. Recursion diagrams: ideas for a geometry of formal methods. In Andy Evans, David Duke, and Tony Clarke, editors, NFM'98: 3rd Northern Formal Methods Workshop, electronic Workshops in Computing, Ilkley, Yorkshire, September 1998. University of Bradford, British Computer Society — Formal Aspects of Computing. URL: http://ewic.org.uk/ewic/workshop/view.cfm/NFM-98.

[Hug98] Arthur Hughes. Towards an Override in Topoi. In Andrew Butterfield and Sharon Flynn, editors, 2nd Irish Workshop on Formal Methods, Electronic Workshops in Computing. British Computer Society, 1998. http://ewic.org.uk/ewic/workshops/view.cfm/IWFM-98.

[Hug00] Arthur Hughes. Elements of an Operator Calculus. Ph.D. dissertation, University of Dublin, Trinity College, Department of Computer Science, 2000. In preparation.

[Jon99] C. B. Jones. Scientific decisions which characterise VDM. In Jeanette M. Wing, J. C. P. Woodcock, and Jim Davies, editors, FM'99 — Formal Methods, volume 1708–9 of Lecture Notes in Computer Science, pages 28–47, Toulouse, France, September 1999. Formal Methods Europe, Springer-Verlag.

[LS97] F. William Lawvere and Stephen H. Schanuel. Conceptual Mathematics: a first introduction to categories. Cambridge University Press, 1997.

[Luc87] Peter Lucas. VDM: Origins, Hopes and Achievements. In VDM '87: VDM — A Formal Method at Work, volume 252 of Lecture Notes in Computer Science, pages 1–18. Springer Verlag, 1987.

[Mac90] Mícheál Mac an Airchinnigh. Conceptual Models and Computing. Ph.D. dissertation, University of Dublin, Trinity College, Department of Computer Science, 1990.

[Mac93] Mícheál Mac an Airchinnigh. Formal Methods & Testing. Software Research Institute, 625 Third Street, San Francisco, CA 94107–1997, May 1993.

[Mac96] Mícheál Mac an Airchinnigh. Towards a new conceptual framework for the Modelling of Dynamically Distributed Systems. electronic Workshops in Computing, Ilkley, West Yorkshire, U.K., July 1996. BCS-FACS, Springer Verlag.

[Mac97] Mícheál Mac an Airchinnigh and Arthur Hughes. The Geometry of Distributions in Formal Methods. electronic Workshops in Computing, Ilkley, West Yorkshire, U.K., September 1997. BCS-FACS, Springer Verlag.

[Wal91] R. F. C. Walters. Categories and Computer Science. Cambridge Computer Science Texts. Cambridge University Press, 1991.