111
The Larch Shared Language
Based on:John V. Guttag and James J. Horning, Report on the Larch
Shared Language, Science of Computer Programming, 6:103-134, North-Holland,1986.
John V. Guttag and James J. Horning, Larch: Languages and Tools for Formal Specification, Springer-Verlag, 1993.
1
222
Outline
• Background• LSL basics
– Equational specifications– Stronger theories
• Other features– Modularization: combining traits and renaming– Stating intended consequences– Recording assumptions– Built-in operators and overloading– Shorthand notations
2
333
Model vs. Property-Oriented Specification
• Model-oriented– Behavior directly by constructing a model of the system– Use of math structures such as sets, sequences, relations, and
functions– E.g., Z data and operation schemas– Z, VDM, and OCL
• Property-oriented– Behavior indirectly by stating a set of properties– Axiomatic vs. algebraic
• First-order predicate logic vs. equations• Theory vs. (heterogeneous) algebra• Larch and OJB vs. Clear and ACT ONE
3
444
Larch
• Family of specification languages to specify interfaces of program modules
• Two tiered– Different languages for different programming languages to
specify interfaces of program modules– One language for specifying shareable concepts and abstract
models, called the Larch Shared Language (LSL)
4
LSL
Larch/CLU LCL LM3 Larch/Smalltalk Larch/C++
5
Example: Symbol Table
5
Larch/CLU
LSL
666
Outline
Background• LSL basics
– Equational specifications– Stronger theories
• Other features– Modularization: combining traits and renaming– Stating intended consequences– Recording assumptions– Built-in operators and overloading– Shorthand notations
6
777
First LSL Specification (v. 2.3 syntax)
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
7
888
Trait
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
8
• Unit of LSL specification• Different from data abstraction (e.g.,
sort Tab)• Denotes a theory (a set of
theorems) in multi-sorted first-order logic with equality
999
Operations
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
9
• Declare a set of operators with signatures (domain and range sorts)
• Signatures for sort checking; sort implicitly introduced
• Operators denote total functions• Prefix, infix, postfix, distributed
operators (use of _ _)• Use of symbols, e.g., (\in)
101010
Constraints
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
10
• Constrain operations by means of equations (t1 == t2 or t1 = t2)
• Often t, short for t == true• Restrict theory denoted by trait
– Trait’s assertions– Axioms of first-order logic– Everything that follows– Nothing else.
• Q: Value of lookup(new, i)?
11
Exercise
• What values do the following terms denote?– isEmpty(new)– isEmpty(add(new,i,v))– lookup(add(add(new,i,v1), i, v2), i)– lookup(add(add(new,I,v1), I, v2), j)
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
12
Exercise• Define remove(Tab, Ind) and index(Tab, Val) operators.
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab__ __: Ind, Tab Boollookup: Tab, Ind ValisEmpty: Tab Boolsize: Tab Int0,1: Int__+ __: Int, Int Int
asserts i, i1: Ind, val: Val, t: Tab(i new);i add(t, i1, val) == i = i1 i t;lookup(add(t, i, val), i1) == if i = i1 then val else lookup(t, i1);size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;isEmpty(t) == size(t) = 0
13
Exercise• Formulate the notion of stack (LIFO) in LSL.
141414
Outline
BackgroundLSL basics
Equational specifications– Stronger theories
• Other features– Modularization: combining traits and renaming– Stating intended consequences– Recording assumptions– Built-in operators and overloading– Shorthand notations
14
15
Stronger Theories
• Equational theories by trait assertions
• Often stronger theories needed for specifying ADT, e.g.,– How to prove a property of an ADT?
t: Tab, i: Ind i t size(t) > 0
• Generated by clause
• Partitioned by clause
16
Generated by Clause
• A complete set of generators for a sort• Each value is equal to one written in terms of the
generators.• Provides an induction rule, i.e., an axiom for• E.g.,
– 0 and succ for natural numbers
Nat generated by 0, succ– 0, succ and pred for integers– Int generated by 0, succ, pred
17
Proof by Induction
• How to prove the following? t: Tab, i: Ind i t size(t) > 0
Table: trait introduces
new: Tabadd: Tab, Ind, Val Tab% rest of definition
asserts Tab generated by new, add i, i1: Ind, val: Val, t: Tab
% rest of definition
18
Proof by Induction
• How to prove the following? t: Tab, i: Ind i t size(t) > 0
• Basis step: i: Ind i new size(new) > 0
• Induction step: t: Tab, i1: Ind, v1: Val ( i: Ind i t size(t) > 0)
( i: Ind i add(t, i1, v1) size(add(t, i1, v1)) > 0)
19
Proof by Induction
• How to prove the following? t: Tab, i: Ind i t size(t) > 0
• Basis step: i: Ind i new size(new) > 0
• Induction step: t: Tab, i1: Ind, v1: Val ( i: Ind i t size(t) > 0)
( i: Ind i add(t, i1, v1) size(add(t, i1, v1)) > 0)
Proof?Axiom: (i new)
Proof?
(i new);i add(t, i1, val) == i = i1 i t;size(new) == 0;size(add(t, i, val)) == if i t then size(t) else size(t) + 1;
20
Partitioned by Clause
• A complete set of observers for a sort• All distinct values can be distinguished by
the observers.• Terms are equal if not distinguishable by
the observers.• Provides a deduction rule, i.e., axiom for.• E.g.,
– Sets are partitioned by (i.e., no duplicate)S partitioned by
21
Proof by Deduction
i: Ind i t1 = i t2
i: Ind lookup(t1, i) = lookup(t2, i)
t1 = t2Table1: trait introduces
new: Tabadd: Tab, Ind, Val Tab% rest of definition
asserts Tab generated by new, add
Tab partitioned by , lookup i, i1: Ind, val: Val, t: Tab
% rest of definition
22
Example
• Can derive theorems that do not follow from the equations alone.
• Q: Prove the commutativity of “add” of the same value.
t: Tab, i, j: Ind, v: Val add(add(t, i, v), j, v) = add(add(t, j, v), i, v)
23
Exercise
• Define “generated by” and “partitioned by” clauses for stacks.
24
Specifying ADT
• Identify a distinguished sort, often called a type of interest or data sort, that denotes the ADT.
• Categorize operators– Generators (also called basic constructors)
• Produce all the values of the distinguished sort– Observers
• Operators with the distinguished (and other) sorts as the domain and some other sort as the range
– Extensions• Remaining operators with the distinguished sort as the range
• Often have axioms sufficient to concert the observers and extensions.
• Usually “partition” the distinguished sort by at least one subset of the observers and extensions.
25
Good Heuristic for Writing Enough Equations for ADT
• Write an equations defining the result of applying each observer and extension to each generator.
• Example: Set – Generators*: {} (or ), insert– Observers: – Extensions: delete
*Generators can also be {}, {__}, and .
26
Exercise
• Specify sets by defining the following operators.– Generators: , insert– Observers: – Extensions: delete
272727
Outline
BackgroundLSL basics
Equational specificationsStronger theories
• Other features– Modularization: combining traits and renaming– Stating intended consequences– Recording assumptions– Built-in operators and overloading– Shorthand notations
27
28
Combining Traits
• Modularization of trait specifications• Traits can “includes” other traits
– “imports” for a conservative extension in older version.
• Theory of including trait– Theory associated with its introduces and asserts
clauses– Those of its included traits
• E.g., can factor out 0, 1, and + from Table.Table: trait includes Integer % defines 0, 1, and +
% imports in older version
29
Example: EquivalenceReflective: trait introduces __ __: T, T Bool asserts x: T
x x
Symmetric: trait introduces __ __: T, T Bool asserts x, y: T
x y = y x
Transitive: trait introduces __ __: T, T Bool asserts x, y, z: T
x y y z x z
Equivalence: trait includes Reflective, Symmetric, Transitive
EquivalenceExpanded: trait introduces __ __: T, T Bool asserts x, y, z: T
x x;x y = y x;x y y z x z
30
Renaming
• Potential problem of including traits– Relies heavily on the use of same names (sorts and
operators), e.g., T and .
• Thus, often renaming needed– Renaming sorts changes signatures of operators– Can also be done based on positions
SparseArray (Val, Arr): trait includes Table (Arr for Tab, defined for , assign for add,
__[__] for lookup, Int for Ind)
IntegerArray: trait includes SparseArray(Int, IntArr)
31
Exercise
• Extend the set specification to introduce additional operators. (Assume Set(S,E) with operators {}, insert, , and delete.)– Observers: |__|, – Extensions: delete, {__}, , , -
• Define a choose operator, choose: S E.
32
Exercise
• Write a specification for binary trees by defining the following operators– [__]: E T– [__, __]: T, T T– content: T E– first, second: T T– isLeaf: T Bool
33
Stating Intended Consequences
• Redundancy information or checkable claims for– Error detection (e.g., proof obligations)– Confirming reader’s understanding– Providing useful lemmas that will simplify
reasoning about specifications
34
Implies Clause
• Make claims about theory containment• Example: In SparseArray, no array with a
defined element is empty.implies a: Arr, i: Int
defined(i, a) isEmpty(a)
SparseArray (Val, Arr): trait includes Table (Arr for Tab, defined for , assign for add,
_ _[_ _] for lookup, Int for Ind)
35
Converts Clause
• State completeness of theory– If the interpretation of all other operations are
fixed, there is only one interpretation of the listed operations that satisfies the axioms.
– I.e., the operations are completely defined.
• Example:implies converts isEmptyimplies converts isEmpty, lookup
exempting i: Ind lookup(new, i)
36
Recording Assumptions
• Often traits are suitable for use only in certain contexts.
• Such contexts can be explicitly specified as assumptions.
• Assumptions impose a proof obligation on the client, and may be presumed within the trait containing them.– Whenever a trait with assumptions is included or
assumed, its assumptions must be discharged.
• Use the assumes clause.
37
Example
Bag (E): trait assumes TotalOrder(E) includes BasicBag(E), Integer introduces rangeCount: E, E, B Int asserts e1, e2, e3: E, b: B
rangeCount(e1, e2, {}) == 0;rangeCount(e1, e2, insert(e3, b)) ==
rangeCount(e1, e2, b) + (if e1 < e3 e3 < e2 then 1 else 0) implies e1, e2, e3: E, b: B
e1 e2 rangeCount(e3, e1, b) rangeCount(e3, e2, b)
IntegerBag: trait includes Integer, Bag (Int)
BasicBag (E): trait introduces
{}: Binsert: E, B B
% rest of definition
*TotalOrder defines operators like < and .Q: How does IntegerBag discharge the assumption?
38
Built-in Operators and Overloading
• Built-in operators– Logical connectives– if__then__else__– = and – Decimal numbers such as 0, 25, 2013– …
• Operator overloading– User-defined operators– Disambiguating overloaded operators
a: S = b % subterm qualified by its sortimplies converts <: Str, Str Boolean % signature
39
Shorthand: Enumeration• Shorthand notations for enumeration, tuple, and union• Enumeration
– A finite ordered set of distinct constants– An operator to enumerate them
Temp enumeration of cold, warm, hot
introduces cold, warm, hot: Temp succ: Temp Tempasserts Temp generated by cold, warm, hot equations
cold warm;cold hot;warm hot;succ(cold) = warm;succ(warm) = hot
40
Shorthand: Tuple• Introduce fixed-length tuples, similar to records in many
programming languages.
C tuple of head: H, tail: T
introduces [__, __]: H, T C __.head: C H __.tail: C T __.setHead: C, H C __.setTail: C, T C
asserts C generated by [__, __] C partitioned by .head, .tail h, h1: H, t, t1: T
([h, t]).head = h;([h, t]).tail = t;setHead([h, t], h1) == [h1, t];setTail([h, t], t1) == [h, t1]
41
Shorthand: Union
• Tagged unions found in programming languages
U union of atom: A, cell: C
Utag enumeration of atom, cellintroduces atom: A U cell: C U __.atom: U A __.cell: U C tag: U Utag
asserts U generated by atom, cell U partitioned by .atom, .cell, tag a: A, c: C
atom(a).atom == a;cell(c).cell == c;tag(atom(a)) == atom;tag(cell(c)) == cell
42
ExerciseSpecify in LSL a software system that automates test taking by allowing an instructor to
prepare test questions and students to take tests. The system shall:
R1: Maintain a pool of potential test questions that are classified by topics, difficulty levels, and similarity (of questions). Each question is a multiple choice question consisting of a stem---that presents the problem to be solved or the question to be answered---and a set of options---that are possible answers. The system shall allow an instructor to add a new test question to the pool.
R2: Allow an instructor to create a test on specific topics by suggesting a set of questions from the pool that meets the instructor's request (e.g., number of questions and their distributions among different topics and difficulty levels).
R3: Allow students to take tests prepared by the instructor.
R4: Grade tests taken by students to calculate test scores.
R5: Allow both the instructor and the students view test scores. However, students are allowed to view only their test scores.