Higher-Order Logic and Theorem Proving for Structured Specifications*

Tomasz Borzyszkowski
Institute of Mathematics, University of Gdańsk
e-mail: [email protected]

Abstract. In this paper we present the higher-order logic used in theorem-provers like the HOL system (see [GM 93]) or Isabelle HOL logic (see [Paul 94]) as an institution. Then we show that for maps of institutions into HOL that satisfy certain technical conditions we can reuse the proof system of the higher-order logic to reason about structured specifications built over the institutions mapped into HOL. We also show some maps of institutions underlying the CASL specification formalism (see [CASL 99]) into HOL that satisfy conditions needed for reusing proof systems.

1 Introduction

Following [MKB 97] we want to prepare a theoretical background for tool support for CASL. We choose higher-order logic (see [An 86]) as the logic bridging CASL to theorem proving and transformational development, because on the one hand it seems the most appropriate to express the logic of the CASL language and on the other hand it has quite effective and widely used tool support (e.g. the HOL system described in [GM 93] or the HOL logic of the Isabelle system described in [Paul 94]). First we define the higher-order logic presented in [An 86] as an institution (the technical details are based on [GM 93] and [Paul 94]). Next, we propose several maps of institutions from the logics underlying the CASL specification formalism to the HOL logic. We also show that those maps satisfy the conditions (essentially β-expansion and weak-D-amalgamation, see [Borz 98]) required for reusing the proof system of the HOL logic for the CASL logics. Finally we propose a methodology for reusing the proof system of the HOL logic for reasoning about structured specifications. This methodology allows us to translate reasoning about structured specifications (e.g. about CASL specifications) into the HOL logic and consequently into some of the theorem provers for the HOL logic.

2 Language, Models and Satisfaction

In this section we present the language of the HOL logic. Most of the definitions and notions follow [GM 93].

* This research was partially supported by the ESPRIT CRIT2 program, working group 29432 (CoFI WG) and KBN grant 8 T11C 037 16.

Let TyVars be an infinite set of type variables, given with a fixed linear order. Greek letters α, β, …, possibly with subscripts or primes, are used to range over TyVars. We assume that an infinite set TyNames of names of type constants is given. The Greek letter ν is used to range over arbitrary members of TyNames. We also assume that the sets TyVars and TyNames are disjoint. A type structure is a set Ω of type constants. A type constant is a pair (ν, n), where ν ∈ TyNames is the name of the type constant and the natural number n is its arity. We assume that no two distinct type constants have the same name, i.e. whenever (ν, n1) ∈ Ω and (ν, n2) ∈ Ω, then n1 = n2. The set Types_Ω of types over the type structure Ω is defined as the smallest set such that:
– TyVars ⊆ Types_Ω;
– if (ν, 0) ∈ Ω, then ()ν ∈ Types_Ω;
– if (ν, n) ∈ Ω and τi ∈ Types_Ω for i = 1, …, n, then (τ1, …, τn)ν ∈ Types_Ω;
– if τ1, τ2 ∈ Types_Ω, then τ1 → τ2 ∈ Types_Ω.

The distinguished type operator → is assumed to associate to the right, so that τ1 → τ2 → … → τn → τ abbreviates τ1 → (τ2 → … → (τn → τ) …). Following [GM 93] we introduce the notion of type-in-context.

Definition 1 (Type-in-context). A type context α is a finite (possibly empty) list of distinct type variables α1, α2, …, αn. A type-in-context is a pair, written α.τ, where α is a type context, τ is a type and all the type variables occurring in τ appear also in the list α. The canonical context of a type τ is its minimal context, in which all the variables are listed in order. □

If the type structure Ω includes the type constants (o, 0) and (ι, 0), then the set Types_Ω of types and the type structure Ω are called standard. When Ω includes the type constant (×, 2), we say that the set Types_Ω and the type structure Ω have product.

Definition 2 (Type instance). If τ, τ1, …, τn ∈ Types_Ω are types, then τ[τ1, …, τn/β1, …, βn] is the type resulting from the simultaneous substitution of the type τi for each type variable βi in τ, for i = 1, …, n. The resulting type is called an instance of τ. □

Lemma 1. Suppose τ is a type containing the distinct type variables β1, …, βn, where β1, …, βn are all the type variables in τ, and τ′ = τ[τ1, …, τn/β1, …, βn] is an instance of τ. Then the types τ1, …, τn are uniquely determined by τ and τ′.

Proof. By induction on the structure of the type τ. □
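The substitution of Definition 2 and the uniqueness claim of Lemma 1 made executable, as an added example that is not part of the paper: types are a small Python datatype, `substitute` performs τ[τ1, …, τn/β1, …, βn], and `match` recovers the unique τ1, …, τn from τ and τ′ by the same induction on the structure of τ (or reports that τ′ is not an instance at all). The type constant (list, 1) used in the sample is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Syntax of Types_Ω: a type variable, a type constant (ν, n) applied to n
# argument types, or the distinguished function type τ1 → τ2.
@dataclass(frozen=True)
class TyVar:
    name: str

@dataclass(frozen=True)
class TyCon:
    name: str                       # the name ν of the type constant (ν, n)
    args: Tuple["Type", ...] = ()   # n argument types; () for a nullary constant

@dataclass(frozen=True)
class Fun:
    dom: "Type"
    cod: "Type"

Type = Union[TyVar, TyCon, Fun]


def substitute(ty: Type, subst: dict) -> Type:
    """Simultaneous substitution τ[τ1, ..., τn / β1, ..., βn] of Definition 2.
    `subst` maps variable names βi to the types τi."""
    if isinstance(ty, TyVar):
        return subst.get(ty.name, ty)
    if isinstance(ty, TyCon):
        return TyCon(ty.name, tuple(substitute(a, subst) for a in ty.args))
    return Fun(substitute(ty.dom, subst), substitute(ty.cod, subst))


def match(ty: Type, inst: Type, subst: Optional[dict] = None) -> Optional[dict]:
    """Recover the substitution that makes `inst` an instance of `ty`.

    This is the algorithmic content of Lemma 1: walking τ and τ' in parallel
    (the induction on the structure of τ) determines each τi uniquely, and a
    variable met twice must be bound to the same type both times.  Returns
    None when `inst` is not an instance of `ty`."""
    subst = {} if subst is None else subst
    if isinstance(ty, TyVar):
        bound = subst.get(ty.name)
        if bound is None:
            subst[ty.name] = inst
            return subst
        return subst if bound == inst else None      # conflicting bindings
    if isinstance(ty, TyCon):
        if not (isinstance(inst, TyCon) and inst.name == ty.name
                and len(inst.args) == len(ty.args)):
            return None
        for a, b in zip(ty.args, inst.args):
            if match(a, b, subst) is None:
                return None
        return subst
    if not isinstance(inst, Fun):
        return None
    if match(ty.dom, inst.dom, subst) is None:
        return None
    return match(ty.cod, inst.cod, subst)


def show(ty: Type) -> str:
    """Print a type in the paper's notation, e.g. (α, β)list and α → β;
    a nullary constant is printed by its name alone."""
    if isinstance(ty, TyVar):
        return ty.name
    if isinstance(ty, TyCon):
        args = "(" + ", ".join(show(a) for a in ty.args) + ")" if ty.args else ""
        return args + ty.name
    dom = f"({show(ty.dom)})" if isinstance(ty.dom, Fun) else show(ty.dom)
    return f"{dom} → {show(ty.cod)}"


if __name__ == "__main__":
    # Constructed example over the standard type structure plus a constant
    # (list, 1): τ = α → (α, β)list and its instance τ' = ι → (ι, o)list.
    alpha, beta, iota, o = TyVar("α"), TyVar("β"), TyCon("ι"), TyCon("o")
    tau = Fun(alpha, TyCon("list", (alpha, beta)))
    tau_inst = Fun(iota, TyCon("list", (iota, o)))
    s = match(tau, tau_inst)
    print(show(tau), "matched against", show(tau_inst), "gives",
          {k: show(v) for k, v in s.items()})
```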

Let VarNames be an infinite set of names of variables, given together with a fixed linear order. For a given type structure Ω a denumerable set of typed variables is defined as follows: V = {V_τ ⊆ VarNames × {τ} | τ ∈ Types_Ω}, where each set V_τ is denumerable. We will write x_τ as an abbreviation for (x, τ), or just x if it is clear that x is a variable of a given type τ. We assume that all variables have distinct names, i.e. if x_{τ1} ∈ V_{τ1} and x_{τ2} ∈ V_{τ2}, then τ1 = τ2. Let Names be an infinite set of names of constants, disjoint from VarNames; then for a given type structure Ω a denumerable set of typed constants is defined as follows: C = {C_τ ⊆ Names × {τ} | τ ∈ Types_Ω}, where each set C_τ is denumerable. Similarly as for variables, we will write c_τ as an abbreviation for (c, τ), or c if the type follows from the context. For a given standard type structure Ω, the set C of constants is standard if it contains the constants Q_{α→α→o} and ι_{(α→o)→α}, where α is a type variable. A HOL signature is a pair Σ = (Ω, C), where Ω is a type structure and C is a set of constants typed by types from Types_Ω. The signature Σ is called standard if Ω and C are standard. We also say that Σ has product if Ω has product and C contains the constants pair_{α→β→α×β}, fst_{α×β→α} and snd_{α×β→β}, where α and β are type variables. For any signature Σ = (Ω, C), the set V of typed variables defined for the type structure Ω is called a Σ-variable system. The set Terms_Σ of terms over the signature Σ is the smallest set closed under the following rules:
– each variable x_τ from the Σ-variable system V_τ is in Terms_Σ;
– if c_τ ∈ C and τ′ ∈ Types_Ω is an instance of τ, then c_{τ′} ∈ Terms_Σ;
– if t_{τ1→τ} ∈ Terms_Σ and t1_{τ1} ∈ Terms_Σ, then (t_{τ1→τ} t1_{τ1})_τ ∈ Terms_Σ;
– if x_{τ1} ∈ Terms_Σ and t_{τ2} ∈ Terms_Σ, then (λx_{τ1}.t_{τ2})_{τ1→τ2} ∈ Terms_Σ.

Usually we will drop some type subscripts in terms, writing (t_{τ1→τ} t1_{τ1}) or just (t t1) for (t_{τ1→τ} t1_{τ1})_τ, and (λx_{τ1}.t_{τ2}) or (λx_{τ1}.t) for (λx_{τ1}.t_{τ2})_{τ1→τ2}. Function application is assumed to associate to the left, so that t1_{τ1} t2_{τ2} t3_{τ3} … tn_{τn} abbreviates (…((t1_{τ1} t2_{τ2}) t3_{τ3}) … tn_{τn}). The notation λx_{τ1} x_{τ2} ⋯ x_{τn}.t_τ abbreviates λx_{τ1}.(λx_{τ2}. ⋯ (λx_{τn}.t_τ) ⋯). Free and bound occurrences of a variable in a term are defined as usual (see [Bar 98]). If C is standard then we can introduce the following abbreviations (see also [An 86]):
– t_τ = t′_τ stands for Q_{τ→τ→o} t_τ t′_τ;
– T_o stands for Q_{o→o→o} = Q_{o→o→o};
– F_o stands for (λx_o.T_o) = (λx_o.x_o);
– ∀x_τ.t_o stands for (Q_{(τ→o)→(τ→o)→o} (λx_τ.T_o)) (λx_τ.t_o);
– ∧_{o→o→o} stands for λx_o.λy_o.((λg_{o→o→o}.(g T_o T_o)) = (λg_{o→o→o}.(g x_o y_o)));
– ⇒_{o→o→o} stands for λx_o.λy_o.(x_o = (x_o ∧ y_o));
– ¬_{o→o} stands for Q_{o→o→o} F_o;
– ∃x_τ.t_o stands for ¬(∀x_τ.¬t_o);
– IF_{o→τ→τ→τ→o} stands for λb_o.λx_τ.λy_τ.λz_τ.((b_o ⇒ z_τ = x_τ) ∧ (¬b_o ⇒ z_τ = y_τ));
– (if t_o then t′_τ else t″_τ)_τ stands for ι(IF t_o t′_τ t″_τ).

Σ-terms of type o, where Σ is standard, are called Σ-formulas; we use the metavariables ϕ and ψ to range over them. Σ-formulas that do not contain free variables are called Σ-sentences. If Σ has product then we will write (a, b) for ((pair a) b). Similarly as for types we introduce term context and term-in-context.

Definition 3. A context α, x consists of a type context α and a list x = (x1_{τ1}, …, xn_{τn}) of distinct variables whose types only contain type variables from the list α. A term-in-context α, x.t consists of a context α, x and a term t satisfying the following conditions: 1) α contains all type variables that occur in t; 2) x contains all variables that occur free in t; and 3) x does not contain any variable that occurs bound in t. The canonical context of a term t is its minimal context, such that both lists α and x are listed in order. □

The combination of the second and the third condition in the above definition implies that a variable cannot have both free and bound occurrences in t, but for any term t there always exists a term t′, equal to t up to renaming of bound variables, which satisfies the above conditions. In the rest of the paper we work with terms which do not have both free and bound occurrences of a variable.

Following [GM 93] we define a universe as a class U of sets satisfying the following conditions: 1) each element of U is a non-empty set; 2) if X ∈ U and ∅ ≠ Y ⊆ X then Y ∈ U; 3) if X ∈ U and Y ∈ U then X × Y ∈ U; 4) if X ∈ U then the powerset P(X) = {Y | Y ⊆ X} ∈ U; 5) U contains a distinguished infinite set I; and 6) there exists a distinguished element ch ∈ Π_{X∈U} X, where the elements of the product Π_{X∈U} X are dependently typed functions and ch(X) ∈ X witnesses property 1). Consequences of the above properties are: 1) if X ∈ U and Y ∈ U, then X → Y ∈ U, where X → Y is the set of all functions from X to Y; 2) U contains a distinguished one-element set 1; 3) U contains a distinguished two-element set 2 and a one-element set 0, such that 1 ∪ 0 = 2. In the rest of the paper we work with an arbitrary but fixed universe U.

Let Σ = (Ω, C) be a fixed signature. A Σ-structure is a pair M = (T, I), where T is an interpretation of the type constants from Ω and I is an interpretation of the constants from C. An interpretation of a type constant (ν, n) ∈ Ω is an n-ary function T(ν, n) : U^n → U.

Definition 4 (Interpretation of types-in-context). For each type-in-context α.τ and a given interpretation of type constants T we define a function T[[α.τ]] : U^n → U, where α = (α1, …, αn), by induction as follows:
– T[[α.αi]](X1, …, Xn) = Xi, for Xi ∈ U and i ∈ {1, …, n};
– T[[α.(τ1, …, τm)ν]](X) = T(ν, m)(T[[α.τ1]](X), …, T[[α.τm]](X));
– T[[α.τ1 → τ2]](X) = T[[α.τ1]](X) → T[[α.τ2]](X),
where X ∈ U^n. □

Definition 5 (Interpretation of types). For a given interpretation of type constants T the interpretation of a type τ ∈ Types_Ω, T[[τ]] : U^n → U, is given by T[[α.τ]], where α is the canonical context of τ. □

Lemma 2. Given types-in-context β.κ and α.τi, where β = β1, …, βp and i = 1, …, p, if κ′ = κ[τ1, …, τp/β1, …, βp] then α.κ′ is also a type-in-context and, for a given interpretation of type constants T and every X ∈ U^n, where n is the length of α,
T[[α.κ′]](X) = T[[β.κ]](T[[α.τ1]](X), …, T[[α.τp]](X)).

Proof. By induction on the structure of κ. □

Definition 6 (Interpretation of constants). For a given interpretation of type constants T an interpretation of a constant c_τ ∈ C_τ is an element I(c_τ) ∈ Π_{X∈U^n} T[[τ]](X), where n is the number of type variables occurring in τ. □

Definition 7 (Interpretation of terms-in-context). Let Σ be a signature, t_τ a Σ-term, α, x.t_τ a term-in-context, where x = (x1_{τ1}, …, xm_{τm}) and α = (α1, …, αn), and (T, I) a Σ-structure. The interpretation of the term-in-context α, x.t_τ is given by an element I[[α, x.t_τ]] ∈ Π_{X∈U^n} (T[[α.τ1]](X) × ⋯ × T[[α.τm]](X)) → T[[α.τ]](X), and for X = (X1, …, Xn) ∈ U^n and y = (y1, …, ym) ∈ T[[α.τ1]](X) × ⋯ × T[[α.τm]](X) it is defined by induction as follows:
– I[[α, x.xi_{τi}]](X)(y) = yi, for i ∈ {1, …, m};
– I[[α, x.c_{τ′}]](X)(y) = I(c_τ)(T[[α.τ′1]](X), …, T[[α.τ′p]](X)), where c_τ ∈ C_τ, τ′ is an instance of τ and, by Lemma 1, τ′ = τ[τ′1, …, τ′p/β1, …, βp] for uniquely determined types τ′1, …, τ′p (by Lemma 2, I[[α, x.c_{τ′}]](X)(y) is an element of T[[α.τ′]](X));
– I[[α, x.(t1_{τ2→τ} t2_{τ2})]](X)(y) = (I[[α, x.t1_{τ2→τ}]](X)(y)) (I[[α, x.t2_{τ2}]](X)(y));
– I[[α, x.(λx_{τ1}.t_{τ2})]](X)(y) = Λz : T[[α.τ1]](X). I[[α, (x, x_{τ1}).t_{τ2}]](X)(y, z). □

In the above definition the notation Λx : X.y(x) denotes the function which for every element v ∈ X yields the value y(v).

Definition 8 (Interpretation of terms). For a given Σ-structure (T, I) the interpretation of a term t_τ, I[[t_τ]], is the interpretation of t_τ in its canonical context. □

Definition 9 (Standard interpretation). Let Σ be a standard signature. A Σ-structure M = (T, I) is called standard if 1) T(o, 0) = 2 and T(ι, 0) = I; 2) I(Q_{α→α→o}) ∈ Π_{X∈U}. X → X → 2 is the function assigning to each X ∈ U the equality test function; 3) I(ι_{(α→o)→α}) ∈ Π_{X∈U}. (X → 2) → X is the function assigning to each X ∈ U the function sending each function f ∈ (X → 2) to
I(ι_{(α→o)→α}) f = ch(f^{-1}{1}) if f^{-1}{1} ≠ ∅, and ch(X) otherwise.

If Σ has product then the Σ-structure M = (T, I) is standard if: T(×) = Π_{X,Y∈U} X × Y, I(pair_{α→β→α×β}) ∈ Π_{X,Y∈U} X → Y → X × Y is the function sending each x ∈ X and y ∈ Y to (x, y) ∈ X × Y, and I(fst_{α×β→α}) ∈ Π_{X,Y∈U} X × Y → X and I(snd_{α×β→β}) ∈ Π_{X,Y∈U} X × Y → Y are the projection functions to the first and to the second element of the pair, respectively. □

Definition 10 (Satisfaction). A Σ-structure M satisfies a formula ϕ, written M |=_Σ ϕ, iff for every X ∈ U^n and y ∈ T[[α.τ1]](X) × ⋯ × T[[α.τm]](X), I[[ϕ]](X)(y) = 1, where (α1, …, αn), (x1_{τ1}, …, xm_{τm}) is the canonical context of ϕ and α = (α1, …, αn). □

3 The institution HOL

Definition 11 (Signature morphism). Let Σ = (Ω, C) and Σ′ = (Ω′, C′) be signatures. A signature morphism from Σ to Σ′ is a pair σ = (σ_Ω, σ_C), where σ_Ω : Ω → Ω′ and σ_C : C → C′ are functions satisfying the following conditions: 1) if σ_Ω(ν, n) = (ν′, n′), then n = n′; and 2) σ_C(c_τ) ∈ C′_{σ♯_Ω(τ)}, for c_τ ∈ C_τ, where σ♯_Ω is the homomorphic extension of σ_Ω to type expressions. We also extend σ♯_Ω to types-in-context as follows: σ♯_Ω(α.τ) = α.σ♯_Ω(τ). The composition of σ : Σ → Σ′ and σ′ : Σ′ → Σ″ is σ; σ′ = (σ_Ω; σ′_Ω, σ_C; σ′_C). The identity morphism is id = (id_Ω, id_C). For standard signatures Σ and Σ′, a signature morphism σ : Σ → Σ′ is standard if it preserves the type constants (o, 0) and (ι, 0) and the constants Q_{α→α→o} and ι_{(α→o)→α}. When Σ and Σ′ have product then σ is standard if it also preserves the type constant (×, 2) and the constants pair_{α→β→α×β}, fst_{α×β→α} and snd_{α×β→β}. □

Definition 12 (Translation of terms). Let Σ = (Ω, C) and Σ′ = (Ω′, C′) be signatures, σ : Σ → Σ′ a signature morphism and V a Σ-variable system; then the Σ′-variable system V′ induced by V and σ is the set ⋃{V_τ | σ♯_Ω(τ) = τ′}. The homomorphic extension of σ_C to Σ-terms is denoted by σ♯_C. The extension of σ♯_C to terms-in-context is given as follows: σ♯_C(α, x.t_τ) = α, σ♯_C(x).σ♯_C(t_τ), where σ♯_C(x) = (σ♯_C(x1_{τ1}), …, σ♯_C(xm_{τm})) for x = (x1_{τ1}, …, xm_{τm}). □

We usually drop the sub- and superscripts when they are clear from the context, writing σ(t) and σ(τ) for σ♯_C(t_τ) and σ♯_Ω(τ), respectively.

Definition 13. Let σ : Σ → Σ′ be a signature morphism and let M′ = (T′, I′) be a Σ′-structure. The σ-reduct of M′, M′|_σ, is the Σ-structure M = (T, I), where T(ν, n) = T′(σ(ν, n)) for (ν, n) ∈ Ω, and I(c_τ) = I′(σ(c_τ)) for c_τ ∈ C_τ. □

Lemma 3. Let σ : Σ → Σ′ be a signature morphism, M′ = (T′, I′) a Σ′-structure and M = M′|_σ. Then for every Σ-type τ ∈ Types_Σ and X ∈ U^n, T′[[α.σ(τ)]](X) = T[[α.τ]](X), where α.τ is a type-in-context and α = (α1, …, αn).

Proof. By induction on the structure of the Σ-type τ. □

Lemma 4. Let σ : Σ → Σ′ be a signature morphism, M′ = (T′, I′) a Σ′-structure and M = M′|_σ. Then for every Σ-term t, X ∈ U^n and y ∈ T[[α.τ1]](X) × ⋯ × T[[α.τm]](X): I[[α, x.t]](X)(y) = I′[[σ(α, x.t)]](X)(y), where (α1, …, αn), (x1_{τ1}, …, xm_{τm}) is the canonical context of t, α = (α1, …, αn) and x = (x1_{τ1}, …, xm_{τm}).

Proof. By induction on the structure of the Σ-term t. □

Lemma 5. If σ : Σ → Σ′ is a signature morphism and M′ = (T′, I′) is a Σ′-structure, then for every Σ-formula ϕ: M′|_σ |=_Σ ϕ iff M′ |=_{Σ′} σ(ϕ).

Proof. Immediately from Definition 10 and Lemma 4. □

In the next definition we define the HOL logic as an institution, the notion proposed by Goguen and Burstall in [GB 92].

Definition 14. The institution HOL is defined as follows:
– Sign^HOL is the category of all standard signatures with product and standard signature morphisms;
– for each signature Σ ∈ |Sign^HOL|, Sen^HOL(Σ) is the set of all Σ-sentences such that for each Σ-sentence ϕ there exists a Σ-variable system V containing all the variables occurring in ϕ, and for each signature morphism σ : Σ → Σ′ and Σ-sentence ϕ, Sen^HOL(σ)(ϕ) = σ(ϕ);
– for each signature Σ ∈ |Sign^HOL|, Mod^HOL(Σ) is the discrete category of all standard Σ-structures, and for each signature morphism σ : Σ → Σ′ and Σ′-model M′, Mod^HOL(σ)(M′) = M′|_σ;
– for each signature Σ ∈ |Sign^HOL|, the satisfaction relation is the relation |=_Σ defined in Definition 10. □

By Lemma 5, the above definition really defines an institution.

4 CASL logics in HOL

In this section we define maps of institutions (see [Mes 89]) from the logics underlying the CASL specification formalism into the HOL institution. We also prove the conditions under which the proof system of the HOL logic can be reused for reasoning about CASL specifications (see Section 5).

Definition 15. The institution PFOL of partial first-order logic is defined as follows:
– the category Sign^PFOL is the category PFOSig of partial first-order signatures, where: objects are partial first-order signatures Σ = ⟨S, TF, PF, Π⟩, where S is a set of sort names, TF and PF are sets of total and partial operation names, respectively, such that TF_{w,s} ∩ PF_{w,s} = ∅ for each w ∈ S* and s ∈ S, and Π is a set of predicate names; morphisms are first-order signature morphisms σ = ⟨σ_S, σ_TF, σ_PF, σ_Π⟩ : Σ → Σ′, where σ_S : S → S′, and σ_TF and σ_PF are families of functions respecting the arities and result sorts of operation names in Σ and their "totality", that is σ_TF = ⟨(σ_TF)_{w,s} : TF_{w,s} → TF′_{σ*_S(w),σ_S(s)}⟩_{w∈S*,s∈S} and σ_PF = ⟨(σ_PF)_{w,s} : PF_{w,s} → PF′_{σ*_S(w),σ_S(s)} ∪ TF′_{σ*_S(w),σ_S(s)}⟩_{w∈S*,s∈S}, and σ_Π = ⟨(σ_Π)_w : Π_w → Π′_{σ*_S(w)}⟩_{w∈S*};
– the functor Sen^PFOL : PFOSig → Set for every signature Σ gives the set Sen^PFOL(Σ) of all partial first-order Σ-sentences built out of atomic sentences (i.e. existential equalities t1 =e t2, where t1 and t2 are Σ-terms of the same sort, and predicate formulas of the form p(t1, …, tn), where p ∈ Π_{s1,…,sn} and t1, …, tn are Σ-terms of sorts s1, …, sn, respectively) using the standard propositional connectives ∧ and ¬ and the universal quantifier ∀; additionally we assume that the sentence (∀x : s)ϕ is in Sen^PFOL(Σ) iff x : s is not bound in ϕ, where the notion of bound (and free) variables in a formula is defined in the standard way (see [EFT 96]); for each signature morphism σ : Σ → Σ′, Sen^PFOL(σ) is the σ-translation function taking Σ-sentences to Σ′-sentences;
– the functor Mod^PFOL : PFOSig^op → Cat for each signature Σ gives the discrete category Mod^PFOL(Σ) of partial first-order Σ-structures, where objects are partial first-order Σ-structures M = ⟨{|M|_s ∈ U}_{s∈S}, {c_M : |M|_{s1} × ⋯ × |M|_{sn} → |M|_s}_{c∈TF}, {c_M : |M|_{s1} × ⋯ × |M|_{sn} ⇀ |M|_s}_{c∈PF}, {p_M ⊆ |M|_{s1} × ⋯ × |M|_{sn}}_{p∈Π}⟩; for each signature morphism σ : Σ → Σ′, Mod^PFOL(σ) is the reduct functor _|_σ : Mod^PFOL(Σ′) → Mod^PFOL(Σ) mapping partial first-order Σ′-structures to partial first-order Σ-structures;
– for each Σ ∈ |PFOSig|, the satisfaction relation |=^PFOL_Σ ⊆ |Mod^PFOL(Σ)| × Sen^PFOL(Σ) is defined as follows: let ϕ be a Σ-formula, X the set containing all free variables of ϕ, M ∈ |Mod^PFOL(Σ)| and v : X → |M| a valuation of the Σ-variables from X. Then the satisfaction of the formula ϕ under the valuation v, M, v |=^PFOL_Σ ϕ, is defined as follows:
  • M, v |=^PFOL_Σ t1 =e t2 iff v♯(t1) and v♯(t2) are defined and equal;
  • M, v |=^PFOL_Σ p(t1, …, tn) iff all v♯(ti), for i = 1, …, n, are defined and (v♯(t1), …, v♯(tn)) ∈ p_M;
  • M, v |=^PFOL_Σ ϕ1 ∧ ϕ2 iff M, v |=^PFOL_Σ ϕ1 and M, v |=^PFOL_Σ ϕ2;
  • M, v |=^PFOL_Σ ¬ϕ iff it is not true that M, v |=^PFOL_Σ ϕ; and
  • M, v |=^PFOL_Σ ∀(x : s).ϕ iff for every valuation v′ : X ∪ {x : s} → |M| such that v′(y) = v(y) for y ∈ X, M, v′ |=^PFOL_Σ ϕ,
where v♯ is the maximal homomorphic extension of v to terms. A Σ-sentence ϕ is satisfied in a model M, M |=^PFOL_Σ ϕ, iff M, v_∅ |=^PFOL_Σ ϕ, where v_∅ : ∅ → |M| is the empty valuation. □

The PFOL institution presented in the above definition is the basic logic underlying the CASL formalism (see also [CASL 99]). In the next definition we use the notion of institution representation (see [Tar 95]), which is a special case of a map of institutions (see [Mes 89]), also called a simple map of institutions, for coding the PFOL institution into the HOL institution.

Definition 16. The institution representation ρ : PFOL → HOL is defined as follows:
the functor ρ^Sign : PFOSig → Sign^HOL:
– for each signature Σ = ⟨S, TF, PF, Π⟩ ∈ |PFOSig|, ρ^Sign(Σ) = (Ω, C), where (Ω, C) ∈ |Sign^HOL| is the smallest HOL signature such that: 1) for every s ∈ S, (s, 0) ∈ Ω; 2) for every c : s1 × ⋯ × sn → s ∈ TF, c_{s1×⋯×sn→s} ∈ C, and we write ρ^Sign_TF(c : s1 × ⋯ × sn → s) for c_{s1×⋯×sn→s}; 3) for every c : s1 × ⋯ × sn → s ∈ PF, c_{s1×⋯×sn→(o×s)} ∈ C, and we write ρ^Sign_PF(c : s1 × ⋯ × sn → s) for c_{s1×⋯×sn→(o×s)}; and 4) for every p : s1 × ⋯ × sn ∈ Π, p_{s1×⋯×sn→o} ∈ C, and we write ρ^Sign_Π(p : s1 × ⋯ × sn) for p_{s1×⋯×sn→o};
– for each signature morphism (σ : Σ → Σ′) ∈ PFOSig, ρ^Sign(σ) is the signature morphism in HOL such that: ρ^Sign(σ)_Ω(s, 0) = (σ(s), 0) for s ∈ S; ρ^Sign(σ)_C(c_{s1×⋯×sn→s}) = ρ^Sign_TF(σ(c : s1 × ⋯ × sn → s)) for c : s1 × ⋯ × sn → s ∈ TF; ρ^Sign(σ)_C(c_{s1×⋯×sn→(o×s)}) = ρ^Sign_PF(σ(c : s1 × ⋯ × sn → s)) for c : s1 × ⋯ × sn → s ∈ PF; and ρ^Sign(σ) preserves the standard and product symbols;
the natural transformation ρ^Sen : Sen^PFOL → ρ^Sign; Sen^HOL is a family of functions ρ^Sen_Σ : Sen^PFOL(Σ) → Sen^HOL(ρ^Sign(Σ)), given by the following extension to formulas (in the rest of the definition we write Def as an abbreviation for ρ♯; fst):
– ρ^Sen_Σ(p(t)) = Def(t1) ∧ … ∧ Def(tn) ∧ ρ^Sign_Π(p)(snd(ρ♯(t))), where t = (t1, …, tn);
– ρ^Sen_Σ(t1 =e t2) = Def(t1) ∧ Def(t2) ∧ snd(ρ♯(t1)) = snd(ρ♯(t2));
– ρ^Sen_Σ(ϕ1 ∧ ϕ2) = ρ^Sen_Σ(ϕ1) ∧ ρ^Sen_Σ(ϕ2);
– ρ^Sen_Σ(¬ϕ) = ¬ρ^Sen_Σ(ϕ) and ρ^Sen_Σ(∀(x : s).ϕ) = ∀x^s.ρ^Sen_Σ(ϕ),
where ρ♯ is the homomorphic extension of ρ^Sign to terms, given as follows:
– ρ♯(x : s) = (T_o, x^s);
– ρ♯(c(t)) = if Def(t1) ∧ … ∧ Def(tn) then ρ^Sign_PF(c)(snd(ρ♯(t))) else (F_o, ι(λx^s.T_o)), for c ∈ PF_{(s1,…,sn),s} and t = (t1, …, tn);
– ρ♯(c(t)) = if Def(t1) ∧ … ∧ Def(tn) then (T_o, ρ^Sign_TF(c)(snd(ρ♯(t)))) else (F_o, ι(λx^s.T_o)), for c ∈ TF_{(s1,…,sn),s} and t = (t1, …, tn);
the natural transformation ρ^Mod : (ρ^Sign)^op; Mod^HOL → Mod^PFOL is a family of functions ρ^Mod_Σ : Mod^HOL(ρ^Sign(Σ)) → Mod^PFOL(Σ) given on a ρ^Sign(Σ)-structure M = (T, I) as follows:
ρ^Mod_Σ(M) = ⟨{T(ρ^Sign_S(s))}_{s∈S}, {I(ρ^Sign_TF(c))}_{c∈TF}, {c_M : T(s1, 0) × ⋯ × T(sn, 0) ⇀ T(s, 0) | ∀a ∈ T(s1, 0) × ⋯ × T(sn, 0). c_M(a) = snd_M(I(ρ^Sign_PF(c))(a)) if fst_M(I(ρ^Sign_PF(c))(a)) = 1, and c_M(a) is undefined otherwise}_{c∈PF}, {p_M ⊆ T(s1, 0) × ⋯ × T(sn, 0) | ∀a ∈ T(s1, 0) × ⋯ × T(sn, 0). p_M(a) iff I(ρ^Sign_Π(p))(a) = 1}_{p∈Π}⟩. □
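An added example (not from the paper) that runs the term translation ρ♯ and the sentence translation ρ^Sen of Definition 16 on a small constructed PFOL signature with a partial operation and prints the resulting HOL text, so the encoding of partiality through o × s pairs can be seen on a concrete sentence. The signature (zero, succ, pred), the textual rendering, and the use of `fst`/`snd`, `T`/`F` and `ι(λx_s.T)` for the HOL constants are my assumptions.

```python
# Constructed PFOL signature for the example: operation name -> (kind, result sort).
SIG = {
    "zero": ("total", "nat"),
    "succ": ("total", "nat"),
    "pred": ("partial", "nat"),   # predecessor, undefined on zero
}


def rho_term(t: tuple) -> str:
    """ρ♯ of Definition 16: a PFOL term becomes a HOL term of type o × s
    (definedness flag, value), rendered as text.
    PFOL terms are ("var", x, s) or ("app", c, args)."""
    if t[0] == "var":
        _, x, s = t
        return f"(T, {x}_{s})"                    # ρ♯(x : s) = (T_o, x^s)
    _, c, args = t
    kind, s = SIG[c]
    sub = [rho_term(a) for a in args]
    app = c if not args else c + "(" + ", ".join(f"snd({u})" for u in sub) + ")"
    # a partial symbol is typed s1 × ... × sn → (o × s) and so already yields a
    # pair; a total symbol's value is wrapped with the definedness flag T
    then = app if kind == "partial" else f"(T, {app})"
    if not args:                                   # empty Def-conjunction
        return then
    defs = " ∧ ".join(f"fst({u})" for u in sub)   # Def(t_i) = fst(ρ♯(t_i))
    return f"(if {defs} then {then} else (F, ι(λx_{s}.T)))"


def defined(t: tuple) -> str:
    """Def(t) = (ρ♯; fst)(t): the definedness flag of the translated term."""
    return f"fst({rho_term(t)})"


def rho_sen(phi: tuple) -> str:
    """ρ^Sen_Σ of Definition 16 on PFOL sentences:
    ("pred", p, args), ("eeq", t1, t2), ("and", a, b), ("not", a),
    ("forall", x, s, body)."""
    tag = phi[0]
    if tag == "pred":
        _, p, args = phi
        values = ", ".join(f"snd({rho_term(a)})" for a in args)
        return " ∧ ".join([defined(a) for a in args] + [f"{p}({values})"])
    if tag == "eeq":
        _, t1, t2 = phi
        return (f"{defined(t1)} ∧ {defined(t2)} ∧ "
                f"snd({rho_term(t1)}) = snd({rho_term(t2)})")
    if tag == "and":
        return f"({rho_sen(phi[1])} ∧ {rho_sen(phi[2])})"
    if tag == "not":
        return f"¬({rho_sen(phi[1])})"
    if tag == "forall":
        _, x, s, body = phi
        return f"∀{x}_{s}. {rho_sen(body)}"
    raise ValueError(f"unknown sentence form {tag!r}")


if __name__ == "__main__":
    x = ("var", "x", "nat")
    # ∀x : nat. pred(succ(x)) =e x  (constructed sentence; succ(x) is never zero)
    phi = ("forall", "x", "nat",
           ("eeq", ("app", "pred", (("app", "succ", (x,)),)), x))
    print(rho_sen(phi))
```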

Proposition 1. Definition 16 defines an institution representation.

Proof. Obviously ρ^Sign is a functor and ρ^Sen : Sen^PFOL → ρ^Sign; Sen^HOL and ρ^Mod : (ρ^Sign)^op; Mod^HOL → Mod^PFOL are natural transformations. The representation condition ρ^Mod_Σ(M) |=_Σ ϕ iff M |=_{ρ^Sign(Σ)} ρ^Sen_Σ(ϕ), where Σ is a PFOL-signature, ϕ is a Σ-sentence and M is a ρ^Sign(Σ)-model, can be proved by induction on the structure of the sentence ϕ. □

Now we recall the properties of maps of institutions, mentioned also in [Borz 99], which are crucial for the results presented in Section 5. Details concerning maps of institutions can be found in [Mes 89].

Definition 17 (β-expansion). Let (Φ, α, β) : I → I′ be a map of institutions and Th a class of theories over the institution I. The map of institutions (Φ, α, β) has β-expansion for Th if for any theory th ∈ Th, any th-model M has a β-expansion to a Φ(th)-model, that is, there exists a Φ(th)-model M′ such that β_th(M′) = M. We say that the map (Φ, α, β) has the β-expansion property if it has β-expansion for the class {(Σ, ∅) | Σ ∈ |Sign^I|}. If the map of institutions (Φ, α, β) is an institution representation ρ, we call this property ρ-expansion. □

Definition 18 (Weak-D-amalgamation). Let (Φ, α, β) : I → I′ be a map of institutions, Th a class of theories over the institution I and D a class of morphisms of theories from Th. We say that the map of institutions (Φ, α, β) has weak-D-amalgamation for Th iff for all theories th1, th2 ∈ Th, (d : th2 → th1) ∈ D, M1 ∈ |Mod(th1)| and M2 ∈ |Mod′(Φ(th2))|, given as in the following diagram:

    Mod(th1)  <--- β_{th1} ---  Mod′(Φ(th1))
       |                             |
      _|_d                         _|_{Φ(d)}
       v                             v
    Mod(th2)  <--- β_{th2} ---  Mod′(Φ(th2))

if β_{th2}(M2) = M1|_d then there exists M ∈ |Mod′(Φ(th1))| such that β_{th1}(M) = M1 and M|_{Φ(d)} = M2. We say that the map (Φ, α, β) has the weak-D-amalgamation property if it has weak-D-amalgamation for the class {(Σ, ∅) | Σ ∈ |Sign^I|}. □

Observation 1. The institution representation ρ : PFOL → HOL, defined by Definition 16, satisfies both the ρ-expansion and the weak-PFOSig-amalgamation properties for any class of theories over PFOL. □

Now we consider the extension of the PFOL institution to the institution SubPFOL of partial first-order logic with subsorts (see also [CASL 99]).

Definition 19. The institution SubPFOL of subsorted partial first-order logic is given as follows: signatures are subsorted partial first-order many-sorted signatures (with sort names S, disjoint sets TF of total and PF of partial operation names, predicate names P and a pre-order relation ≤_S of subsort embedding on the sort names). The pre-order ≤_S naturally extends to sequences of sorts. We also define overloading relations for operations as follows: f1 : w1 → s1 ∼_F f2 : w2 → s2 holds if there exist w ∈ S* and s ∈ S such that w ≤_S w1, w2 and s1, s2 ≤_S s and f1 ≡ f2; similarly we define ∼_P for predicates. Subsorted signature morphisms are the usual signature morphisms (as in the institution PFOL) that preserve the subsort relation and the overloading relations. Sentences are the usual PFOL sentences, except that we can use implicit subsort embeddings. Models are the usual PFOL models such that (see also [CASL 99]) for all sorts s1 and s2, if s1 ≤_S s2 then for the carrier sets |M|_{s1} and |M|_{s2} we have in the model M an embedding em^M_{s1,s2} : |M|_{s1} → |M|_{s2}, a partial projection pr^M_{s2,s1} : |M|_{s2} ⇀ |M|_{s1} and a membership predicate in^M_{s1,s2} : |M|_{s1}, testing whether values in |M|_{s2} are embeddings of values in |M|_{s1}, such that the obvious compatibility conditions hold (see [CASL 99] for details); the satisfaction relation is defined as in the PFOL institution. □

Given an institution, its category Th_0 of theories has as objects pairs T = (Σ, Γ), where Σ is a signature and Γ a set of sentences over Σ. Morphisms σ : (Σ1, Γ1) → (Σ2, Γ2) are the signature morphisms σ : Σ1 → Σ2 such that Sen(σ)(Γ1) ⊆ Cl(Γ2), where Cl(Γ2) is the closure of the set Γ2 of Σ2-sentences, defined as follows (see [GB 92]): Cl(Γ2) = {ϕ ∈ Sen^I(Σ2) | Γ2 |=^I_{Σ2} ϕ}. Let us consider the following map of institutions:

Definition 20. The map of institutions (Φ, α, β) : SubPFOL → PFOL is defined as follows:
1. Φ : Th_0^SubPFOL → Th_0^PFOL is a functor such that: for every Σ = ⟨S, TF, PF, P, ≤_S⟩ ∈ |Sign^SubPFOL|, Φ(Σ, ∅) = (Σ′, Γ), where the signature Σ′ is the extension of the signature ⟨S, TF, PF, P⟩ ∈ |Sign^PFOL| by a total embedding operation em_{s1,s2} : s1 → s2, a partial projection operation pr_{s2,s1} : s2 ⇀ s1 and a membership predicate in_{s1,s2} : s1, for each pair of sorts s1, s2 ∈ S such that s1 ≤_S s2; Γ is the set of axioms describing the obvious compatibility conditions between embeddings, projections and membership predicates (see also [CASL 99]); for every theory morphism σ ∈ Th_0^SubPFOL, Φ(σ) is the same as σ and additionally preserves the symbols used for embeddings, projections and membership relations;
2. for every Σ ∈ |Sign^SubPFOL|, α_Σ : Sen^SubPFOL(Σ) → Sen^PFOL(Φ(Σ, ∅)) sends each Σ-sentence ϕ, with possibly implicit embeddings, to the Φ(Σ, ∅)-sentence ψ, where ψ is the same as ϕ except that all implicit embeddings are made explicit;
3. for every Σ ∈ |Sign^SubPFOL|, β_{(Σ,∅)} : Mod^PFOL(Φ(Σ, ∅)) → Mod^SubPFOL(Σ) just forgets the interpretations of the embedding, projection and membership relation symbols axiomatized by Γ, where (Σ′, Γ) = Φ(Σ, ∅), and translates them into the interpretation of the pre-order relation ≤_S of subsort embedding on the sort names from Σ (see Definition 19). □

Observation 2. The map of institutions (Φ, α, β) : SubPFOL → PFOL defined in Definition 20 has the β-expansion and weak-Sign^SubPFOL-amalgamation properties. □

Lemma 6. Let (Φ1, α1, β1) : I1 → I2 and (Φ2, α2, β2) : I2 → I3 be maps of institutions satisfying β1-expansion and β2-expansion for the class of theories {Φ(Σ, ∅) | Σ ∈ |Sign^I|}, and weak-D-amalgamation and weak-Φ(D)-amalgamation for the class of theories {Φ(Σ, ∅) | Σ ∈ |Sign^I|}, respectively, where D is a class of morphisms of theories {(Σ, ∅) | Σ ∈ |Sign^I|}. Then the map of institutions (Φ, α, β) = (Φ1, α1, β1); (Φ2, α2, β2) : I1 → I3 has the β-expansion and weak-D-amalgamation properties.

Proof. Immediately from the definitions. □

Corollary 1. The map of institutions (Φ1, α1, β1) = (Φ, α, β); ρ : SubPFOL → HOL, where (Φ, α, β) : SubPFOL → PFOL is given by Definition 20 and ρ : PFOL → HOL by Definition 16, has the β1-expansion and weak-Sign^SubPFOL-amalgamation properties. □

Now we define the institution SubPCFOL of partial first-order logic with subsorts and sort generation, which is the logic underlying the CASL specification formalism (see also [CASL 99]).

Definition 21. The institution SubPCFOL of partial first-order logic with subsorts and sort generation is the same as the institution SubPFOL defined in Definition 19, except that for every signature ⟨S, TF, PF, P, ≤_S⟩ ∈ |Sign^SubPCFOL| the sentence functor Sen^SubPCFOL also gives sort-generation sentences of the form (S′, F′), where S′ ⊆ S and F′ ⊆ TF ∪ PF. A sort-generation sentence (S′, F′) is satisfied in a Σ-model M if the carrier sets |M|_s, for s ∈ S′, are generated by the function symbols from F′ (possibly using variables of sorts not in S′). □

Corollary 2. The map of institutions (Φ′, α′, β′) : SubPCFOL → HOL, which is the same as in Corollary 1 except that, for every signature Σ and sort-generation sentence (S′, F′),

α′_Σ(S′, F′) = ∀P_{s1}^{s1→o}. ⋯ .∀P_{sn}^{sn→o}. ( ⋀_{s∈S′, f∈F′_{s′1×⋯×s′m→s}} ∀x_1^{s′1}. ⋯ .∀x_m^{s′m}. (P_{s′_{i1}}(x_{i1}^{s′_{i1}}) ∧ … ∧ P_{s′_{ik}}(x_{ik}^{s′_{ik}}) ⇒ P_s(f(x_1^{s′1}, …, x_m^{s′m}))) ) ⇒ ⋀_{s∈S′} ∀x^s.P_s(x^s),

where S′ = {s1, …, sn} and {i1, …, ik} ⊆ {1, …, m}, has the β′-expansion and weak-Sign^SubPCFOL-amalgamation properties. □

5 Specifications in HOL

In this section we work with the structured specifications presented also in [Borz 98] (based on the specifications presented in [SST 92]). The structured specifications presented below are also a part of the structured specifications of the CASL formalism.

Definition 22 (Specifications). Finite specifications over a (D, T)-institution I (i.e., an institution I with two distinguished classes of morphisms, D_I and T_I, that are closed under composition, include all identities and for every d ∈ D_I and t ∈ T_I there exists a (d, t)-pushout in Sign^I, see [Borz 98] for details) and their semantics are defined inductively as follows:
1. Any pair ⟨Σ, Γ⟩, where Σ ∈ Sign^I and Γ ⊆ Sen^I(Σ) is a finite set of Σ-sentences, is a specification with the following semantics: Sig[⟨Σ, Γ⟩] = Σ and Mod[⟨Σ, Γ⟩] = {M ∈ |Mod^I(Σ)| | M |=^I_Σ Γ}.
2. For any signature Σ and Σ-specifications SP1 and SP2, SP1 ∪ SP2 is a specification with the following semantics: Sig[SP1 ∪ SP2] = Σ and Mod[SP1 ∪ SP2] = Mod[SP1] ∩ Mod[SP2].
3. For any morphism (t : Σ → Σ′) ∈ T_I and Σ-specification SP, translate SP by t is a specification with the following semantics: Sig[translate SP by t] = Σ′ and Mod[translate SP by t] = {M′ ∈ |Mod^I(Σ′)| | M′|_t ∈ Mod[SP]}.
4. For any morphism (d : Σ → Σ′) ∈ D_I and Σ′-specification SP′, derive from SP′ by d is a specification with the following semantics: Sig[derive from SP′ by d] = Σ and Mod[derive from SP′ by d] = {M′|_d | M′ ∈ Mod[SP′]}. □

Definition 23 (Specifications in HOL). Let SP be a finite specification over the (D, T)-institution HOL, where D_HOL is the class of signature morphisms which are identities on sort names, inclusions on operation names and such that for every (d : Σ ↪ Σ′) ∈ D_HOL there is only a finite number of operations in Σ′ which are not in Σ. Then the specification translation δ is a family of functions {δ_Σ}_{Σ∈|Sign^HOL|} from specifications over the (D, T)-institution HOL to HOL-sentences, defined inductively as follows:
1. δ(⟨Σ, {ϕ1, …, ϕn}⟩) = ϕ1 ∧ … ∧ ϕn;
2. δ(SP1 ∪ SP2) = δ(SP1) ∧ δ(SP2);
3. δ(translate SP1 by t) = t(δ(SP1)), for t ∈ T_HOL;
4. δ(derive from SP1 by (d : Σ ↪ Σ1)) = ∃f1. ⋯ .∃fn.δ(SP1), where f1, …, fn are all the operations in Σ1 which are not in Σ. □

Lemma 7. If SP is a Σ-specification over the (D, T)-institution HOL, where D_HOL is the class of signature morphisms which are identities on sort names, inclusions on operation names, and such that for every (d : Σ ↪ Σ′) ∈ D_HOL there is only a finite number of operations in Σ′ which are not in Σ, then Mod[SP] = Mod_HOL(δ(SP)).

Proof. By induction on the structure of the specification SP. The derive case follows from the following fact in HOL: Mod_HOL((Σ′, {ϕ}))|_d = Mod_HOL((Σ, {∃f.ϕ})), where (d : Σ ↪ Σ′) ∈ D_HOL, f is the only symbol that is in Σ′ but not in Σ, and ϕ ∈ Sen_HOL(Σ′). For this case we obtain: Mod[derive from ⟨Σ′, {ϕ}⟩ by d] = Mod_HOL((Σ, {∃f.ϕ})) = Mod_HOL(δ(derive from ⟨Σ′, {ϕ}⟩ by d)). □

In Definition 23 and in the above lemma we have restricted the class D_I to signature morphisms which are identities on sort names and inclusions on operation and predicate names. A result similar to Lemma 7 also holds for the class D_I of morphisms injective on operation and predicate names and bijective on sort names. Unfortunately we do not know how to obtain a result similar to those presented in this section for a class D_I of signature morphisms that are inclusive/injective on sort names (i.e. when sort names may be hidden by the derive specification).

Definition 24 (Specification representation [Borz 98]). For any (D, T)-institution representation ρ : I → I′, the specification representation ρ̂ is a family of functions {ρ̂_Σ}_{Σ∈|Sign|} between classes of specifications over the (D, T)-institutions I and I′ defined as follows:
1. ρ̂_Σ(⟨Σ, Γ⟩) = ⟨ρ^Sign(Σ), ρ^Sen_Σ(Γ)⟩;
2. ρ̂_Σ(SP1 ∪ SP2) = ρ̂_Σ(SP1) ∪ ρ̂_Σ(SP2);
3. ρ̂_Σ(translate SP1 by t) = translate ρ̂_Σ1(SP1) by ρ^Sign(t);
4. ρ̂_Σ(derive from SP1 by d) = derive from ρ̂_Σ1(SP1) by ρ^Sign(d),
where (t : Σ1 → Σ) ∈ T_I and (d : Σ ↪ Σ1) ∈ D_I. □

Theorem 3. Let ρ : I → HOL be a (D, T)-institution representation satisfying weak-D_I-amalgamation, where ρ^Sign(D_I) ⊆ D_HOL and D_HOL satisfies the assumptions of Lemma 7, let Σ ∈ |Sign_I|, and let SP be a Σ-specification over I. Then, if every model M ∈ Mod[SP] has a ρ-expansion to a ρ^Sign(Σ)-model, for every Σ-sentence ϕ: Mod[SP] ⊨^I_Σ ϕ iff δ(ρ̂_Σ(SP)) ⊨^HOL_{ρ^Sign(Σ)} ρ^Sen_Σ(ϕ).

Proof. Directly from Theorem 1 of Section 6 in [Borz 98] we have: Mod[SP] ⊨^I_Σ ϕ iff Mod[ρ̂_Σ(SP)] ⊨^HOL_{ρ^Sign(Σ)} ρ^Sen_Σ(ϕ). Next, by Lemma 7, Mod[ρ̂_Σ(SP)] = Mod_HOL(δ(ρ̂_Σ(SP))). □

An example of a (D, T)-institution representation satisfying the assumptions of the above theorem is the (D, T)-institution representation ρ : PFOL → HOL presented in Definition 16, with the class D_PFOL satisfying the assumptions of Lemma 7. Similarly to [Borz 98] we obtain soundness of the following scheme of rules:

$$(\delta\text{-}\rho\text{-join})\qquad \frac{\delta(\hat\rho_\Sigma(SP)) \vdash^{HOL}_{\rho^{Sign}(\Sigma)} \rho^{Sen}_\Sigma(\varphi)}{SP \vdash_\Sigma \varphi},$$

where ρ and SP satisfy the assumptions of Theorem 3. A similar result can also be obtained for maps of (D, T)-institutions.

Definition 25 (Map of specifications [Borz 99]). For any map of (D, T)-institutions (Φ, α, β) : I → I′, the map of specifications γ̂ is a family of functions {γ̂_Σ}_{Σ∈|Sign|} between classes of specifications over the (D, T)-institutions I and I′ defined similarly to the specification representation (see Definition 24), except:
1. γ̂_Σ(⟨Σ, Γ⟩) = ⟨Σ′, Γ′ ∪ α_Σ(Γ)⟩;
2. γ̂_Σ(translate SP1 by t) = (translate γ̂_Σ1(SP1) by Φ(t)) ∪ ⟨Σ′, Γ′⟩,
where (Σ′, Γ′) = Φ(Σ, ∅), (t : Σ1 → Σ) ∈ T_I and Φ(t) is considered as a signature morphism. □

Theorem 4. Let (Φ, α, β) : I → HOL be a map of (D, T)-institutions satisfying weak-D_I-amalgamation, where Φ(D_I) ⊆ D_HOL and D_HOL satisfies the assumptions of Lemma 7, let Σ ∈ |Sign_I|, and let SP be a Σ-specification over I. Then, if every model M ∈ Mod[SP] has a β-expansion to a Φ(Σ, ∅)-model, for every Σ-sentence ϕ: Mod[SP] ⊨^I_Σ ϕ iff δ(γ̂_Σ(SP)) ⊨^HOL_{sign′(Φ(Σ,∅))} α_Σ(ϕ).

Proof. Similar to the proof of Theorem 3 (by Theorem 8.11 presented in [Borz 99] and Lemma 7). □

Examples of maps of institutions satisfying the theorem presented above are the maps of (D, T)-institutions (Φ, α, β) : SubPFOL → HOL (see Corollary 1) and (Φ′, α′, β′) : SubPCFOL → HOL (see Corollary 2), with the classes D_SubPFOL and D_SubPCFOL satisfying the assumptions of Lemma 7 (see Appendix A for a practical example). Results similar to those presented in Theorem 3 and Theorem 4 also hold for the refinement of specifications.

6 Conclusions and Future Work

In this paper we have defined the institution HOL of the higher-order logic, which best fits the ideas presented in [An 86] and also in [GM 93] and [Paul 94]. Then we have represented in the institution HOL the institutions underlying the CASL specification formalism. Similar work was done in [MKB 97], but the maps of institutions presented there are different from the representations and maps presented in this paper. In [MKB 97] the authors describe “partiality” by adding a new element ⊥ to each carrier set, which represents the “undefined value”, together with many axioms describing “undefinedness”, whereas the maps of institutions presented in this paper do not produce any new sentences. We have also proved the conditions under which the proof system of the higher-order logic can be reused for the proof systems of the represented (mapped) logics. In the last section we have presented a methodology which allows us to reuse the proof system of the higher-order logic for reasoning about structured specifications over institutions which are presentable in HOL. This methodology allows us to translate judgments about properties (and the refinement relation) of structured specifications directly to some of the known machine-supported tools, like the HOL system (see [GM 93]) or the Isabelle HOL logic (see [Paul 94]).

A task for the future is to extend the work presented here to the CASL language and to design a tool for automatic translation of CASL specifications into one of the theorem provers for the HOL logic, together with a set of tactics well suited for proving the theorems translated by this tool.

References

[An 86] P. B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Academic Press, Inc., 1986.
[Bar 98] H. P. Barendregt. The Lambda Calculus: Its Syntax and Semantics. Studies in Logic and The Foundations of Mathematics, Elsevier, 1998.
[Borz 98] T. Borzyszkowski. Moving specification structures between logical systems. Recent Trends in Algebraic Development Techniques, Selected Papers, 13th International Workshop WADT'98, Lisboa, Portugal, April 1998, ed. José Luiz Fiadeiro, Springer LNCS 1589, pages 16–28, 1998.
[Borz 99] T. Borzyszkowski. Logical systems for structured specifications. Special issue of Theoretical Computer Science, to appear (see http://monika.univ.gda.pl/~mattb/papers.html).
[CASL 99] CASL: The Common Algebraic Specification Language. Summary, by The CoFI Task Group on Language Design. Version 1.0, 19 March 1999. Available at http://www.brics.dk/Projects/CoFI/Notes/S-9/ and ftp://ftp.brics.dk/Projects/CoFI/Notes/S-9/.
[EFT 96] H.-D. Ebbinghaus, J. Flum, W. Thomas. Mathematical Logic. Undergraduate Texts in Mathematics, Second Edition, Springer-Verlag, 1996.
[GB 92] J. A. Goguen, R. M. Burstall. Institutions: abstract model theory for specifications and programming. Journal of the Assoc. for Computing Machinery, 39:95–146, 1992.
[GM 93] M. J. C. Gordon, T. F. Melham. Introduction to HOL. Cambridge University Press, 1993.
[Mes 89] J. Meseguer. General logic. Logic Colloquium '87, eds. H. D. Ebbinghaus et al., pages 279–329, North-Holland, 1989.
[MKB 97] T. Mossakowski, Kolyang, B. Krieg-Brückner. Static Semantic Analysis and Theorem Proving for CASL. Recent Trends in Algebraic Development Techniques, Selected Papers, 12th International Workshop WADT'97, Tarquinia, Italy, June 1997, ed. Francesco Parisi-Presicce, Springer LNCS 1376, pages 333–348, 1997.
[Paul 94] L. C. Paulson. Isabelle: A Generic Theorem Prover. Springer-Verlag LNCS 828, 1994.
[SST 92] D. Sannella, S. Sokolowski, A. Tarlecki. Towards formal development of programs from algebraic specification: parameterization revisited. Acta Informatica, volume 29, pages 689–736, 1992.
[Tar 95] A. Tarlecki. Moving between logical systems. Recent Trends in Data Type Specifications, Selected Papers, 11th Workshop on Specification of Abstract Data Types ADT'95, Oslo, September 1995, eds. M. Haveraaen, O. J. Dahl, O. Owe, Springer LNCS 1130, pages 478–502, 1996.

A Practical example

In this appendix we define a specification of ordered lists over the institution SubPCFOL and then translate it to HOL to obtain an “input theory” for theorem provers for the HOL logic. First we define the specification of ordered lists LOrd (below, =e stands for the existential equality of SubPCFOL).

LOrd-Sig = sorts el, list;
           opns nil : list; cons : el × list → list;
           popns hd : list → el; tl : list → list;
           pred le : el × el.

LOrd = ⟨ LOrd-Sig,
         ∀l:list. ¬(l =e nil) ⇒ cons(hd(l), tl(l)) =e l;
         ¬(hd(nil) =e hd(nil)); ¬(tl(nil) =e tl(nil));
         ∀x:el. le(x, x);
         ∀x,y,z:el. le(x, y) ∧ le(y, z) ⇒ le(x, z);
         ∀x,y:el. le(x, y) ∧ le(y, x) ⇒ x =e y;
         ({list}, {nil : list, cons : el × list → list}) ⟩

Now, we extend the above specification by a new total operation sort : list → list and implement it in terms of a hidden operation insert : el × list → list. We define signatures:

LSrt-Sig = sorts el, list;
           opns nil : list; sort : list → list; cons : el × list → list;
           popns hd : list → el; tl : list → list;
           pred le : el × el.

LSrtImp-Sig = sorts el, list;
              opns nil : list; sort : list → list; cons : el × list → list;
                   insert : el × list → list;
              popns hd : list → el; tl : list → list;
              pred le : el × el.

and specifications:

LSrtImp = (translate LOrd by ı1) ∪ ⟨ LSrtImp-Sig,
            sort(nil) =e nil;
            ∀a:el,l:list. sort(cons(a, l)) =e insert(a, sort(l));
            ∀a:el. insert(a, nil) =e cons(a, nil);
            ∀a,b:el,l:list. le(a, b) ⇒ insert(a, cons(b, l)) =e cons(a, cons(b, l));
            ∀a,b:el,l:list. le(b, a) ⇒ insert(a, cons(b, l)) =e cons(b, insert(a, l)) ⟩
LSrt = derive from LSrtImp by ı2,

where ı1 : LOrd-Sig ↪ LSrtImp-Sig and ı2 : LSrt-Sig ↪ LSrtImp-Sig are signature inclusions. By the definitions and after removing tautologies we obtain:

$$\begin{array}{l}
\delta(\hat\gamma(LSrt)) = \exists insert : (el, o) \times (list, o) \to (list, o).\ \big(\\
\quad \neg fst(hd(nil)) \wedge \neg fst(tl(nil)) \wedge\\
\quad \forall l^{list}.\ \big(\neg(l = nil) \wedge fst(hd(l)) \wedge fst(tl(l)) \Rightarrow cons(snd(hd(l)), snd(tl(l))) = l\big) \wedge\\
\quad \forall x^{el}.\ le(x, x) \wedge \forall x^{el}, y^{el}, z^{el}.\ le(x, y) \wedge le(y, z) \Rightarrow le(x, z) \wedge \forall x^{el}, y^{el}.\ le(x, y) \wedge le(y, x) \Rightarrow x = y \wedge\\
\quad \big(\forall P : list \to o.\ P(nil) \wedge (\forall a^{el}, l^{list}.\ P(l) \Rightarrow P(cons(a, l))) \Rightarrow \forall l^{list}.\ P(l)\big) \wedge\\
\quad sort(nil) = nil \wedge \forall a^{el}, l^{list}.\ sort(cons(a, l)) = insert(a, sort(l)) \wedge\\
\quad \forall a^{el}.\ insert(a, nil) = cons(a, nil) \wedge\\
\quad \forall a^{el}, b^{el}, l^{list}.\ le(a, b) \Rightarrow insert(a, cons(b, l)) = cons(a, cons(b, l)) \wedge\\
\quad \forall a^{el}, b^{el}, l^{list}.\ le(b, a) \Rightarrow insert(a, cons(b, l)) = cons(b, insert(a, l))\ \big).
\end{array}$$

Now, to prove some of the properties of the specification LSrt, e.g.

$$LSrt \vdash_{SubPCFOL} \forall a{:}el.\ \forall l{:}list.\ le(a, hd(l)) \Rightarrow sort(cons(a, l)) \stackrel{e}{=} cons(a, sort(l)),$$

we can use one of the theorem provers for the higher-order logic and prove:

$$\delta(\hat\gamma(LSrt)) \vdash_{HOL} \forall a^{el}, l^{list}.\ le(a, snd(hd(l))) \wedge fst(hd(l)) \Rightarrow sort(cons(a, l)) = cons(a, sort(l)).$$
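As an added example (not code from the paper nor from any tool it cites), the following Python sketch implements the recursion δ of Definition 23 and the sort-generation encoding α′ of Corollary 2, and runs them on a cut-down version of the ordered-list specification from this appendix. It simplifies the paper's setting in stated ways: sentences are plain strings, the PFOL-to-HOL encoding of partiality (the fst/snd definedness flags) is omitted so hd and tl are treated as total, γ̂ adds no extra sentences, translate is given as an operation renaming, and the premises of the induction scheme are assumed to cover exactly the arguments whose sort lies in S′, as in the list instance above. All signature and axiom data is constructed for the illustration; the class and function names are the example's own.

```python
"""Added illustration of δ (Definition 23) and the sort-generation encoding of Corollary 2,
run on a cut-down form of the Appendix A example (plain-string sentences, no partiality, no γ̂)."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Sig:
    sorts: frozenset
    ops: Dict[str, Tuple[Tuple[str, ...], str]]   # name -> (argument sorts, result sort); preds end in "o"

@dataclass(frozen=True)
class Basic:                              # <Σ, Γ>
    sig: Sig
    axioms: Tuple[str, ...]

@dataclass(frozen=True)
class Union:                              # SP1 ∪ SP2, both over one signature
    left: object
    right: object

@dataclass(frozen=True)
class Translate:                          # translate SP by t, t given as an operation renaming
    spec: object
    target: Sig
    rename: Dict[str, str]

@dataclass(frozen=True)
class Derive:                             # derive from SP by d, d the inclusion sig ⊆ Sig[SP]
    spec: object
    sig: Sig

def sig_of(sp) -> Sig:
    """Sig[SP] of Definition 22."""
    if isinstance(sp, Basic):
        return sp.sig
    if isinstance(sp, Union):
        return sig_of(sp.left)            # both sides share the signature
    return sp.target if isinstance(sp, Translate) else sp.sig

def is_d_morphism(small: Sig, big: Sig) -> bool:   # D_HOL of Definition 23: id on sorts, inclusion on ops
    return small.sorts == big.sorts and all(big.ops.get(f) == ty for f, ty in small.ops.items())

def rename_ops(sentence: str, rename: Dict[str, str]) -> str:
    """t(ϕ): rename whole-word operation symbols, longest names first."""
    if not rename:
        return sentence
    names = sorted(map(re.escape, rename), key=len, reverse=True)
    return re.sub(r"\b(" + "|".join(names) + r")\b", lambda m: rename[m.group(1)], sentence)

def delta(sp) -> str:
    """δ of Definition 23; an empty Γ gives the empty conjunction, written T."""
    if isinstance(sp, Basic):
        return " ∧ ".join(f"({a})" for a in sp.axioms) or "T"
    if isinstance(sp, Union):
        return f"{delta(sp.left)} ∧ {delta(sp.right)}"
    if isinstance(sp, Translate):
        return rename_ops(delta(sp.spec), sp.rename)
    inner = sig_of(sp.spec)
    if not is_d_morphism(sp.sig, inner):
        raise ValueError("derive morphism not in D_HOL: sorts cannot be hidden")
    hidden = sorted(set(inner.ops) - set(sp.sig.ops))    # f1, ..., fn of clause 4
    binders = "".join(f"∃{f}:{'×'.join(inner.ops[f][0])}{'→' if inner.ops[f][0] else ''}{inner.ops[f][1]}. "
                      for f in hidden)
    return binders + f"({delta(sp.spec)})"

def sort_generation(sig: Sig, gen_sorts, gen_ops) -> str:
    """α'_Σ(S', F') of Corollary 2 as an induction scheme.  P_s for sorts outside S' never occur in
    the body, so they are not quantified (as in the appendix after removing tautologies)."""
    gen_sorts = sorted(gen_sorts)
    cases = []
    for f in sorted(gen_ops, key=lambda g: (len(sig.ops[g][0]), g)):
        args, res = sig.ops[f]
        if res not in gen_sorts:          # only constructors of generated sorts count
            continue
        xs = [f"x{i + 1}" for i in range(len(args))]
        prems = [f"P_{s}({x})" for x, s in zip(xs, args) if s in gen_sorts]   # assumed choice of i1..ik
        head = f"P_{res}({f}({', '.join(xs)}))" if xs else f"P_{res}({f})"
        body = f"{' ∧ '.join(prems)} ⇒ {head}" if prems else head
        quant = "".join(f"∀{x}:{s}." for x, s in zip(xs, args))
        cases.append(f"({quant} {body})" if quant else body)
    preds = "".join(f"∀P_{s}:{s}→o." for s in gen_sorts)
    concl = " ∧ ".join(f"(∀x:{s}. P_{s}(x))" for s in gen_sorts)
    return f"{preds} {' ∧ '.join(cases)} ⇒ {concl}"

# Constructed instance of the Appendix A example (hd and tl treated as total).
EL_LIST = frozenset({"el", "list"})
LORD_SIG = Sig(EL_LIST, {"nil": ((), "list"), "cons": (("el", "list"), "list"), "hd": (("list",), "el"),
                         "tl": (("list",), "list"), "le": (("el", "el"), "o")})
LSRT_SIG = Sig(EL_LIST, {**LORD_SIG.ops, "sort": (("list",), "list")})
LSRTIMP_SIG = Sig(EL_LIST, {**LSRT_SIG.ops, "insert": (("el", "list"), "list")})
LORD = Basic(LORD_SIG, ("∀x:el. le(x, x)",
                        sort_generation(LORD_SIG, {"list"}, {"nil", "cons"})))
LSRTIMP = Union(Translate(LORD, LSRTIMP_SIG, {}),       # translate LOrd by ı1
                Basic(LSRTIMP_SIG, ("sort(nil) = nil",
                                    "∀a:el. ∀l:list. sort(cons(a, l)) = insert(a, sort(l))")))
LSRT = Derive(LSRTIMP, LSRT_SIG)                        # derive from LSrtImp by ı2
```

Calling delta(LSRT) yields a sentence that opens with ∃insert:el×list→list, binding the one operation that ı2 hides, followed by the conjunction of the LOrd axioms (with the list induction scheme produced by sort_generation in place of the sort-generation sentence) and the LSrtImp axioms; a derive whose morphism drops a sort is rejected, matching the restriction on D_HOL discussed after Lemma 7.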