
In other words, there is no specification hierarchy and no “semantic” encapsulation.

To use an AADT that has been defined in another file, one must use the keyword import followed by a file name.

Fig. 4.2 presents a realization of the parametric type pair described in Fig. 4.1.

In this example, 'first (resp. second) is replaced by natural (resp. boolean). This example also demonstrates the use of imported specifications, as it uses natural.adt, boolean.adt, and pair.gadt. Please note that the order of import declarations does not matter.

Listing 4.2: A pair of natural and boolean

import "natural.adt"
import "boolean.adt"
import "pair.gadt"

Adt pairNB is pair[natural, boolean]

AlPiNA provides parametric polymorphism through a template mechanism à la C++. Unlike in Java, where pair[natural, boolean] would be erased to pair at runtime, the parameter is not erased: the parametrized version of the type (i.e., pair[natural, boolean]) is instantiated.

4.3 Partially bounded algebraic specification

As mentioned previously, the designer does not always want to consider all the values of a given algebra (either for design or for performance reasons). One way to obtain finite data types is to enumerate their values. It is, however, often more appropriate to declare the type inductively (and thus to have an infinite number of values) and then to restrict it to a subset of its values.

To that end, we follow the approach described in [AGM96]. The idea is to provide a set of measures and boundaries for the sorts that the user decides to bound. The sorts that are not explicitly bound are considered to be unlimited. The measures are inductively defined over the generators of the sorts, and the boundaries are expressed in Presburger [Pre] arithmetic over the measures. The Presburger constraint system is a first-order logic system based on a minimal set of operations. Its interpretation domain is the natural numbers, and it has a decision algorithm. Presburger constraints limit the domain induced by an algebraic specification by constraining the length of its terms. Therefore, the existence of a calculus for the validity of Presburger constraints on terms of a bounded algebraic specification enables the computation of all the values that satisfy the bound (i.e., the constraint).

Since we do not require the user to restrict every sort of the specification, the algebraic specification is said to be “partially bounded”. Def. 4.3.1 extends Def. 3.1.32 with a set of measures $M$ and a set of constraints $C$. The last item of the definition states that if a sort belongs to the set of bounded sorts, then all the parameters of its non-constant generators are of bounded sorts as well.

Definition 4.3.1 (Partially bounded order-sorted specification). — A bounded version of $Spec$ is $BSpec = \langle Spec, BS, M, C \rangle$ where:

• $Spec = \langle \Sigma, \Phi, X \rangle$ is an order-sorted specification as defined in Def. 3.1.32, where $\Sigma = \langle S, \le, F \rangle$,

• $BS \subseteq S$ is the subset of sorts of $S$ that are bounded; that is, $s \in BS$ implies that $C_s$ and $M_s$ are defined,

• $M = (M_s)_{s \in BS}$ is a $BS$-sorted set of measures $M_s : (T)_s \to \mathbb{N}$, each inductively defined over the set $(T)_s$ of terms built upon generators (see Def. 3.1.38),

• $C = (C_s)_{s \in BS} \subseteq F_{pres}$ is a $BS$-sorted set of formulas expressed in Presburger logic as defined in Def. 4.3.2,

• $\forall f_{s_1, \ldots, s_i, \ldots, s_n, s} \in G_s$, $s \in BS \Rightarrow s_i \in BS$ for $1 \le i \le n$.

A Presburger formula $f \in F_{pres}$ is built upon atomic Presburger formulas $A_{pres}$, composed of the operators $0$, $1$ and $+$ together with the measures applied to variables ranging over the set of terms built upon generators. Presburger logic has the benefit of being decidable.

Definition 4.3.2 (Presburger constraint). — Given a $BS$-sorted set of measures $(M_s)_{s \in BS}$, the set of Presburger constraints $F_{pres}$ is the least set defined by:

• $0, 1 \in A_{pres}$,

• $M_s(v) \in A_{pres}$ for every measure $M_s : (T)_s \to \mathbb{N}$ and every variable $v \in X_s$,

• $a_1 + a_2 \in A_{pres}$ for all $a_1, a_2 \in A_{pres}$,

• $a_1 \le a_2 \in F_{pres}$ for all $a_1, a_2 \in A_{pres}$,

• $\lnot p_1 \in F_{pres}$ for all $p_1 \in F_{pres}$,

• $p_1 \circ p_2 \in F_{pres}$ for all $p_1, p_2 \in F_{pres}$ and $\circ \in \{\lor, \land\}$.

Based on that, we can now define what a set of terms bounded by Presburger constraints is. It consists in selecting the terms built upon the generators of a given sort that satisfy the constraints defined for that sort.

Definition 4.3.3 (Bounded set of terms). — Let $BSpec = \langle Spec, BS, M, C \rangle$ be a bounded order-sorted specification with $Spec = \langle \Sigma, \Phi, X \rangle$ and $\Sigma = \langle S, \le, F \rangle$. Let $s \in BS$ be a bounded sort and let $(T)_s^{C_s}$ be the set of terms, constrained by $C_s$, that are built upon the set of generators $G_s \subseteq F_s$, such that:

$(T)_s^{C_s} = \{\, t \mid t \in (T)_s \land t \vdash C_s \,\}$

where $t \vdash C_s$ iff the result of substituting $t$ for the variables in $C_s$ evaluates to true.

Example 4.3.4. — Let us consider the pair of a natural and a Boolean defined in Fig. 4.2 and let us restrict this sort to the pairs that contain naturals smaller than three: pair(zero, true), pair(zero, false), pair(suc(zero), true), pair(suc(zero), false), pair(suc(suc(zero)), true), pair(suc(suc(zero)), false). To that end, all the sorts used by its generators must be limited, in this case Booleans as well as natural numbers. Consider the specification of the Booleans given in Fig. 3.4a enriched with the measure $M_{bool} : (T)_{bool} \to \mathbb{N}$ defined by:

$M_{bool} : \mathit{true} \mapsto 1,\quad \mathit{false} \mapsto 1$

and by the constraint $C_{bool} = M_{bool}(t) \le 1$. This boundary allows only the terms true and false to be generated. In other words, atomic terms measure “1”.

Let us now limit the sort of the natural numbers described in Fig. 3.1 by enriching it with the measure $M_{nat} : (T)_{nat} \to \mathbb{N}$ defined by:

$M_{nat} : \mathit{zero} \mapsto 1,\quad \mathit{suc}(\$n) \mapsto M_{nat}(\$n) + 1$

and by the constraint $C_{nat} = M_{nat}(t) \le 3$. This boundary allows the terms zero, suc(zero), suc(suc(zero)).

Finally, we enrich the sort of pairs given in Fig. 4.2 with the measure $M_{pair_{nat,bool}} : (T)_{pair_{nat,bool}} \to \mathbb{N}$ defined by:

$M_{pair_{nat,bool}} : \mathit{pair}(\$n, \$m) \mapsto 1$

and by the constraint $C_{pair_{nat,bool}} = M_{pair_{nat,bool}}(t) \le 1$.

In the current version of AlPiNA, the constraints are of the form $M_s(t) \le n$ where $t \in (T)_s$. The actual syntax used by the tool to restrict the domain of the natural numbers of Fig. 3.1a is shown in Fig. 4.3. In this example, n is set to 3 and therefore the domain is restricted to the values zero, suc(zero), suc(suc(zero)). If a sort is not explicitly mentioned, it is assumed to be unbounded.

Listing 4.3: Bounding (via unfolding) of the sorts natural and boolean

import "natural.adt"

The current syntax does not allow the user to specify the function that measures the size of a term. A simple function that measures the depth of the term is provided as the default measure. We plan to extend the current language to support an axiomatic definition of the measures. In the current version of the tool, the measures $M_s(t)$ are hard-coded and of the form:

Ms :

In other words, constants (e.g., true, false, zero) and non-inductively defined generators (e.g., pair) always measure 1, while inductively defined generators (e.g., suc) measure their argument's size plus one. As the tool fixes the definition of the measure, only the boundary n has to be set by the user.
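As an added illustration (this is not AlPiNA's own code), the following Python script unfolds a partially bounded specification as Def. 4.3.1 and Def. 4.3.3 prescribe, using the tool's default depth measure and constraints of the form $M_s(t) \le n$. The specification (bool, nat and pair[nat, bool]) and the nested-tuple term encoding are constructed for the example, and the names SPEC, unfold, check_well_formed, measure and render are this example's own. The well-formedness check implements the last item of Def. 4.3.1: it refuses to unfold a bounded sort whose generators take an argument of an unbounded sort, which is exactly the case in which generation would never terminate.

```python
"""Added example (not AlPiNA's own code): unfolding a partially bounded
algebraic specification into finite term domains, following Def. 4.3.1,
Def. 4.3.3 and Example 4.3.4. Terms are nested tuples (generator, args).
The specification below is constructed to mirror bool, nat and pair[nat, bool].
"""
from itertools import product

# Constructed specification: sort -> {generator name: argument sorts}.
SPEC = {
    "bool": {"true": (), "false": ()},
    "nat": {"zero": (), "suc": ("nat",)},
    "pairNB": {"pair": ("nat", "bool")},
}
SORT_OF_GEN = {g: s for s, gens in SPEC.items() for g in gens}


def render(term):
    """Pretty-print a term as in the text, e.g. suc(suc(zero))."""
    name, args = term
    return name if not args else f"{name}({','.join(render(a) for a in args)})"


def measure(term):
    """The default depth measure described in the text: constants and
    non-inductive generators (pair) measure 1; an inductive generator (suc)
    measures its same-sort argument plus one."""
    name, args = term
    sort = SORT_OF_GEN[name]
    own = [measure(a) for a in args if SORT_OF_GEN[a[0]] == sort]
    return 1 + max(own, default=0)


def check_well_formed(spec, bounds):
    """Last item of Def. 4.3.1: a bounded sort may only have generators whose
    parameters are themselves of bounded sorts. Otherwise unfolding the sort
    would require enumerating an infinite argument domain."""
    for sort in bounds:
        for gen, arg_sorts in spec[sort].items():
            for s in arg_sorts:
                if s not in bounds:
                    raise ValueError(
                        f"sort {sort} is bounded but generator {gen} takes an "
                        f"argument of unbounded sort {s}")


def unfold(spec, bounds):
    """Compute (T)_s^{C_s} for every bounded sort s, where C_s is the tool's
    constraint form M_s(t) <= n and bounds maps s -> n. Sorts absent from
    bounds are unbounded. Generation saturates: it keeps applying generators
    to the terms found so far and stops when no new term satisfies the bound.
    This terminates because the depth measure strictly grows on every
    inductive generator application."""
    check_well_formed(spec, bounds)
    domains, in_progress = {}, set()

    def domain(sort):
        if sort in domains:
            return domains[sort]
        if sort in in_progress:
            raise ValueError(f"mutually recursive sorts are not handled: {sort}")
        in_progress.add(sort)
        terms = set()
        changed = True
        while changed:
            changed = False
            snapshot = list(terms)
            for gen, arg_sorts in spec[sort].items():
                pools = [snapshot if s == sort else domain(s) for s in arg_sorts]
                for args in product(*pools):
                    t = (gen, tuple(args))
                    if t not in terms and measure(t) <= bounds[sort]:
                        terms.add(t)
                        changed = True
        in_progress.discard(sort)
        domains[sort] = sorted(terms, key=lambda t: (measure(t), render(t)))
        return domains[sort]

    for s in bounds:
        domain(s)
    return domains


if __name__ == "__main__":
    # The bounds of Example 4.3.4: M_bool <= 1, M_nat <= 3, M_pair <= 1.
    for sort, terms in unfold(SPEC, {"bool": 1, "nat": 3, "pairNB": 1}).items():
        print(sort, [render(t) for t in terms])
```

Run with the bounds of Example 4.3.4, the script yields the three naturals, the two Booleans and the six pairs listed there. Two points matter in practice. Saturation only terminates because the default measure strictly increases on every inductive generator; a general Presburger constraint (Def. 4.3.2) that admits arbitrarily large measures denotes an infinite domain, so a generator loop driven by such a constraint still needs an explicit upper bound. And the pair sort is only unfoldable because nat and bool are bounded too; dropping bool from the bounds makes check_well_formed reject the request instead of looping.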

Bounded specifications as defined in Def. 4.3.1 are naturally extended, syntactically and semantically, to multisets following Def. 3.1.59 and Def. 3.1.60.

Definition 4.3.5 (Syntactic multiset extension of a bounded specification). — Let $BSpec = \langle Spec, BS, M, C \rangle$ be a bounded specification as defined in Def. 4.3.1, where $Spec = \langle \Sigma, \Phi, X \rangle$. Its syntactic bounded multiset extension $[BSpec]$ is defined by:

$[BSpec] = \langle [Spec], BS, M, C \rangle$.

Let $T_{[\Omega]}$ be the multiset extension of the closed terms finitely generated by the generators $\Omega \subseteq F$ of $\Sigma$.

The next subsection introduces notational shortcuts that leverage the boundaries to ease the designer's task.


4.3.1 Free variables & set by intension

We present here two syntactical shortcuts: free variables and sets (resp. multisets) defined by intension. These shortcuts help to reduce the size of the model and thus to improve its tractability (from a design perspective).

Informally, a free variable (as opposed to a bound or linked variable) is a variable that can take any value of its sort. In other words, the values it can take are not constrained by any means. Although the previous definitions exclude the use of free variables in the axioms of the specification for the sake of the explanation, free variables are very helpful to specify sets of equations (and sets of values) using a single variable. Enabling free variables is an important feature to ease modeling.

Example 4.3.6. — For instance, consider Example 4.3.4: if a user wants to write all the possible pairs that contain naturals less than three, he must explicitly enumerate the terms. Using free variables, the user simply writes pair($x, $y) and defines the boundaries of $x and $y according to his needs.

Free variables are treated differently from bound variables. Any model that contains free variables is normalized into a model in which they have been instantiated, i.e., replaced by the set of terms that compose their domain. Free variables are allowed in equations as well as in the definition of sets by intension. The usage of free variables is shown and commented in Fig. 4.3 as well as in Section 4.6.

Definition 4.3.7 (Free variables). — Let $BSpec = \langle Spec, BS, M, C \rangle$ be an order-sorted bounded specification. We note $(FV_s)_{s \in BS} \subseteq X$ the $BS$-sorted set of free variables.

Example 4.3.8. — In the equation $f(x, g(y)) = h(x, y, z)$, $x$ and $y$ are bound variables whereas $z$ is a free variable.

Another interesting modeling tool is the definition of sets by intension. It is the same idea as using free variables, the major difference being that the resulting set is bounded not only by the constraints expressed on the sorts but also by user-defined conditions. Free variables can be seen as a special case of a set defined by intension without conditions.

Definition 4.3.9 (Set defined by intension). — Let $BSpec = \langle Spec, BS, M, C \rangle$, and let $(FV_s)_{s \in BS} \subseteq X$ be a $BS$-sorted set of variables. A set of terms defined by intension is a pair $T = \langle t_s, cond \rangle$ where $t \in T_{\Sigma, FV}$ is a term of sort $s \in BS$ and $cond$ is a conjunction of equations in which all variables belong to $FV$. We note $T_{\{\Sigma\}, FV}$ the set of all sets of terms defined by intension over $\Sigma$ and $FV$.

Note that the set of terms over free variables $T_{\Sigma, FV} \subseteq T_{\{\Sigma\}, FV}$ is included in the sets of terms defined by intension, as it corresponds to the case in which the conjunction of equations $cond$ always evaluates to true.

For instance, let us suppose one wants to represent the set of naturals that contains every number between 0 and 100. The standard definition would be an enumeration like zero, suc(zero), ..., suc^100(zero). A definition by intension is much more compact: {$n, le($n, suc^100(zero)) = true}, where le is the less-or-equal operation and $n is a variable.

For the user, defining a multiset by explicit enumeration of its contents may be tedious. Thus, similarly to sets by intension (Def. 4.3.9), in addition to the standard way of defining multisets, AlPiNA supports multiset definition by intension.

For instance, let us suppose one wants to represent the multiset of naturals that contains every number between 0 and 100 twice. The standard definition would be an enumeration like [2 * zero, 2 * suc(zero), ..., 2 * suc^100(zero)].

Definition 4.3.10 (Multiset defined by intension). — Sets defined by intension of Def. 4.3.9 over $BSpec = \langle Spec, BS, M, C \rangle$ with $Spec = \langle \Sigma, \Phi, X \rangle$ and a set of variables $(FV_s)_{s \in BS} \subseteq X$ are naturally extended to multisets and noted $T_{[\{\Sigma\}], FV}$.

Let $t \in T_{[\{\Sigma\}], FV}$ be a multiset defined by intension; the corresponding multiset of terms is noted $\uparrow t \in \mathcal{P}(T_{[\Sigma]})$. If the operator $\uparrow$ is applied to a set that is not defined by intension, it leaves it unchanged.

A definition by intension is usually more compact than the definition by extension: [2 * {$n : $n le suc^100(zero)}], where le is the less-or-equal operation.

As definition by intension involves free variables, it requires unfolding. Therefore, the sorts involved in the creation of sets of elements by intension have to be unfolded and thus bounded using the Presburger constraints.
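The normalization of free variables and the unfolding of sets and multisets defined by intension, as an added Python example rather than AlPiNA's implementation. It assumes the variable domains have already been unfolded (they are constructed directly here with the bounds stated in the comments), encodes terms as nested tuples with strings such as "$n" for free variables, and supplies the axioms of le on Peano naturals as constructed rewriting rules; the names nat, instances, unfold_free_vars, set_by_intension and multiset_by_intension are this example's own.

```python
"""Added example (not AlPiNA's own code): normalizing free variables and
unfolding sets and multisets defined by intension (Def. 4.3.9, 4.3.10).
Terms are nested tuples (generator, args); a free variable is a string "$x".
The bounded domains are assumed to have been unfolded already (they are
constructed directly below), since definition by intension requires unfolding."""
from collections import Counter
from itertools import product


def nat(k):
    """Build suc^k(zero)."""
    t = ("zero", ())
    for _ in range(k):
        t = ("suc", (t,))
    return t


def render(term):
    if isinstance(term, str):
        return term
    name, args = term
    return name if not args else f"{name}({','.join(render(a) for a in args)})"


def is_var(t):
    return isinstance(t, str) and t.startswith("$")


def free_vars(t):
    if is_var(t):
        return {t}
    return set().union(*(free_vars(a) for a in t[1]))


def substitute(t, env):
    if is_var(t):
        return env.get(t, t)
    name, args = t
    return (name, tuple(substitute(a, env) for a in args))


def evaluate(t):
    """Normalize a closed term with the (constructed) axioms of le on Peano
    naturals: le(zero,$y)=true, le(suc($x),zero)=false,
    le(suc($x),suc($y))=le($x,$y). Generator terms are already normal forms."""
    name, args = t
    if name != "le":
        return (name, tuple(evaluate(a) for a in args))
    a, b = (evaluate(x) for x in args)
    if a[0] == "zero":
        return ("true", ())
    if b[0] == "zero":
        return ("false", ())
    return evaluate(("le", (a[1][0], b[1][0])))


def instances(variables, var_sorts, domains):
    """Every assignment of the given free variables to values of their
    (bounded, already unfolded) sort domains: the normalization step that
    replaces a free variable by the terms of its domain."""
    vs = sorted(variables)
    for vals in product(*(domains[var_sorts[v]] for v in vs)):
        yield dict(zip(vs, vals))


def unfold_free_vars(t, var_sorts, domains):
    """A term with free variables stands for the set of all its closed instances."""
    return [substitute(t, env) for env in instances(free_vars(t), var_sorts, domains)]


def set_by_intension(t, cond, var_sorts, domains):
    """Def. 4.3.9: <t, cond> denotes the instances of t for which every
    equation (lhs, rhs) of cond holds after substitution and evaluation."""
    vs = free_vars(t).union(*(free_vars(l) | free_vars(r) for l, r in cond))
    return [substitute(t, env) for env in instances(vs, var_sorts, domains)
            if all(evaluate(substitute(l, env)) == evaluate(substitute(r, env))
                   for l, r in cond)]


def multiset_by_intension(mult, t, cond, var_sorts, domains):
    """Def. 4.3.10: [mult * {t : cond}] as a term -> multiplicity map."""
    return Counter({x: mult for x in set_by_intension(t, cond, var_sorts, domains)})


# Constructed sample domains: nat unfolded with M_nat <= 10, bool with M_bool <= 1.
DOMAINS = {"nat": [nat(k) for k in range(10)], "bool": [("true", ()), ("false", ())]}
VAR_SORTS = {"$x": "nat", "$y": "bool", "$n": "nat"}
# {$n : le($n, suc^4(zero)) = true}, the compact form of the enumeration in the text.
LE_FOUR = [(("le", ("$n", nat(4))), ("true", ()))]

if __name__ == "__main__":
    print([render(t) for t in unfold_free_vars(("pair", ("$x", "$y")), VAR_SORTS, DOMAINS)])
    print([render(t) for t in set_by_intension("$n", LE_FOUR, VAR_SORTS, DOMAINS)])
    ms = multiset_by_intension(2, "$n", LE_FOUR, VAR_SORTS, DOMAINS)
    print({render(t): m for t, m in ms.items()})
```

The condition of a definition by intension is evaluated over the Cartesian product of the domains of its free variables, so the bound chosen for each sort directly fixes the cost of unfolding; pair($x, $y) over ten naturals and two Booleans already yields twenty instances, and every additional free variable multiplies that count.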

4.3.2 The producer / consumer algebraic specification

Fig. 4.2 is an example of a complete algebraic specification for the producer/consumer algebraic Petri net described in Fig. 4.3. This specification demonstrates modularity, as it is split over several AADTs (Consumers.adt, Producers.adt, Packets.adt, Boolean.adt, Naturals.adt and Buffers.adt). This model is simple enough to demonstrate our approach, yet complete enough to show the optimizations introduced in Chapter 6.

Producers and consumers These are the basic bricks. The Producers and Consumers AADTs respectively describe the producers and the consumers. They are inductively defined on the model of Peano arithmetic. In Producers, an axiom between generators limits the size of the terms that can be created: according to this specification, p(p(p(p(p0)))) is reduced to p0. The consumers are therefore isomorphic to the natural numbers and the producers to the natural numbers modulo 4. Thanks to the axiom between generators, the sort of the producers is finite.

Packets On top of that, the Packets AADT describes packets that associate a producer with a consumer. The definition starts with two import statements to reuse the sorts and the operations defined in Producers.adt and Consumers.adt. The AADT also defines two accessors (getProd and getCons) to extract the producer or the consumer from a given packet. The Variables section gives the type and the name of the variables that are used in the axioms. Please note that the AADT Packets could have been defined using a parametric type, as a pair of producers and consumers: Adt Packets is pair[P, C]

Unfolding This is where the boundaries are set. In this example, both the sort of the producers and the sort of the consumers are bounded to four values.

Buffers Finally, the Buffers AADT defines how to represent a buffer and its behavior. For instance, the term push(pk(p0,c0),push(pk(p(p0),c0),empty)) represents a buffer with two packets in it. The Buffers AADT also describes several operations to manipulate buffers, such as computing the size (size) of a buffer, extracting its head (head) or its tail (tail), and testing whether the buffer is not full (isNotFull) or empty (isEmpty). Buffers also relies on the pre-defined AADTs Boolean.adt and Naturals.adt.


Figure 4.2: TheAADTsused by the model of Fig.4.3