The Equalities of OCL

The OCL contains a particular version of equality, written in Standard documents _ = _ and _ <> _ for its negation, which is referred as weak referential equality hereafter and for which we use the symbol _ .

=_ throughout the formal part of this document. Its semantics is motivated by the desire of fast execution, and similarity to languages like Java and C, but does not satisfy the needs of logical reasoning

Name Theorem

textbook-dened IJδ XK τ = (if IJXK τ =IJUML-Types.bot-class.botKτ ∨IJXK τ =IJnullKτ then IJfalseK τ else IJtrueKτ)

textbook-valid IJυ XK τ = (if IJXK τ =IJUML-Types.bot-class.botKτ then IJfalseKτ else IJtrueKτ)

Table 1.3.: Basic predicate denitions of the logic.

Name Theorem

dened1 δinvalid =false

dened2 δnull =false

dened3 δtrue =true

dened4 δ false =true

dened5 δ δ X =true

dened6 δ υX =true

Table 1.4.: Laws of the basic predicates of the logic.

over OCL expressions and specications. We therefore introduce a second equality, referred as strong equality or logical equality and written _ ,_ which is not present in the current standard but was discussed in prior texts on OCL like the Amsterdam Manifesto [18] and was identied as desirable extension of OCL in the Aachen Meeting [14] in the future 2.5 OCL Standard. The purpose of strong equality is to dene and reason over OCL. It is therefore a natural task in Featherweight OCL to formally investigate the somewhat quite complex relationship between these two.

Strong equality has two motivations: a pragmatic one and a fundamental one.

1. The pragmatic reason is fairly simple: users of object-oriented languages want something like a shallow object value equality. You will want to say a.boss, b.boss@pre instead of

a.boss .

=b.boss@pre and (* just the pointers are equal! *) a.boss.name .

=b.boss@pre.name@pre and a.boss.age .

=b.boss@pre.age@pre

Breaking a shallow-object equality down to referential equality of attributes is cumbersome, error-prone, and makes specications dicult to extend (add for example an attribute sex to your class, and check in your OCL specication everywhere that you did it right with your simulation of strong equality). Therefore, languages like Java oer facilities to handle two dierent equalities, and it is problematic even in an execution oriented specication language to ignore shallow object equality because it is so common in the code.

2. The fundamental reason goes as follows: whatever you do to reason consistently over a language, you need the concept of equality: you need to know what expressions can be replaced by others because they mean the same thing. People call this also Leibniz Equality because this philosopher brought this principle rst explicitly to paper and shed some light over it. It is the theoretic foundation of what you do in an optimizing compiler: you replace expressions by equal ones, which you hope are easier to evaluate. In a typed language, strong equality exists uniformly over all types, it is polymorphic _ = _ :: α∗α → boolthis is the way that equality is dened in HOL itself. We can express Leibniz principle as one logical rule of surprising simplicity and beauty:

s=t=⇒P(s) =P(t) (1.30)

Whenever we know, that s is equal tot, we can replace the sub-expression sin a term P byt and we have that the replacement is equal to the original.

While weak referential equality is dened to be strict in the OCL standard, we will dene strong equality as non-strict. It is quite nasty (but not impossible) to dene the logical equality in a strict way (the substitutivity rule above would look more complex), however, whenever references were used, strong equality is needed since references refer to particular states (pre or post), and that they mean the same thing can therefore not be taken for granted.

Denition

The strict equality on basic types (actually on all types) must be exceptionally dened on null otherwise the entire concept of null in the language does not make much sense. This is an important exception from the general rule that null argumentsespecially if passed as self-argumentlead to invalid results.

We dene strong equality extremely generic, even for types that contain a null or⊥element. Strong equality is simply polymorphic in Featherweight OCL, i. e., is dened identical for all types in OCL and HOL.

denition StrongEq::[⁰Ast ⇒ ⁰α,⁰Ast ⇒ ⁰α]⇒(⁰A)Boolean (inxl,30) where X , Y ≡ λ τ . xxX τ =Y τyy

From this follow already elementary properties like:

lemma[simp,code-unfold]: (true , false) =false hproofi

lemma[simp,code-unfold]: (false ,true) =false hproofi

Fundamental Predicates on Strong Equality

Equality reasoning in OCL is not humpty dumpty. While strong equality is clearly an equivalence:

lemma StrongEq-re [simp]: (X , X) =true hproofi

lemma StrongEq-sym: (X , Y) = (Y ,X) hproofi

lemma StrongEq-trans-strong [simp]:

assumes A: (X , Y) =true and B: (Y ,Z) =true shows (X ,Z) =true hproofi

it is only in a limited sense a congruence, at least from the point of view of this semantic theory.

The point is that it is only a congruence on OCL expressions, not arbitrary HOL expressions (with which we can mix Featherweight OCL expressions). A semanticnot syntacticcharacterization of OCL expressions is that they are context-passing or context-invariant, i. e., the context of an entire OCL expression, i. e. the pre and post state it referes to, is passed constantly and unmodied to the sub-expressions, i. e., all sub-expressions inside an OCL expression refer to the same context. Expressed formally, this boils down to:

lemma StrongEq-subst :

assumes cp:VX.P(X)τ =P(λ-.X τ)τ and eq: (X , Y)τ =true τ

shows (P X ,P Y)τ =true τ

hproofi

lemma dened7[simp]:δ (X ,Y) =true hproofi

lemma valid7[simp]:υ (X ,Y) =true hproofi

lemma cp-StrongEq: (X ,Y)τ = ((λ-.X τ), (λ-.Y τ))τ hproofi