VDM♣: Mathematical Structures for Formal Methods, Graz, Austria, 19th May 2000

Slide 14: The Insert Operation

We now define the Dictionary Insert Operation:

    Ins : Word → Dict → Dict
    pre-Ins[w] δ ≜ isNonUS(w) ∧ w ∉ δ
    Ins[w] δ ≜ δ ⊔ {w}

Notes:
- We make extensive use of higher-order functions, using the syntactical device of currying.
- By convention, an operator with inputs I, outputs O, and transforming a state Σ, has signature (I × Σ) → Σ → (Σ × O).
- This style corresponds to explicit function definitions in VDM-SL.
- We use preconditions as per VDM-SL, but make much less use of postconditions. A possible postcondition for the above might be:

    post-Ins[w] δ ↦ ∆ ≜ δ ⊆ ∆ ∧ w ∈ ∆

- Observe the explicit naming of the resulting state.
- We use the set extend operator ⊔ to denote that the added word is not already present.

Slide 14 © May 22, 2000 Andrew Butterfield
Slide 15: Proof Obligation for Insertion

As in VDM-SL, we have proof obligations associated with operator definitions. The obligation for Ins is formulated as follows:

    inv-Dict δ ∧ pre-Ins[w] δ ⇒ inv-Dict(Ins[w] δ)

Note:
- Absence of quantifiers.
- Use of an explicit function outcome rather than a postcondition. This eliminates the need for satisfiability proofs; equivalently, the explicit construction provides the same automatically.
Slide 16: Proof of Insertion Obligation

Prove: inv-Dict δ ∧ pre-Ins[w] δ ⇒ inv-Dict(Ins[w] δ)

Proof:

      inv-Dict δ ∧ pre-Ins[w] δ
    = "Defn. of inv-Dict"
      ∀[isNonUS] δ ∧ pre-Ins[w] δ
    = "Defn. of pre-Ins"
      ∀[isNonUS] δ ∧ isNonUS[w] ∧ w ∉ δ
    ⇒ "prop. calculus"
      ∀[isNonUS] δ ∧ isNonUS[w]
    = "Defn. of ∀"
      ∀[isNonUS](δ ⊔ {w})
    = "Defn. of Ins"
      ∀[isNonUS](Ins[w] δ)
    = "Defn. of inv-Dict"
      inv-Dict(Ins[w] δ)
Slide 17: The Lookup Operation

The Dictionary Lookup Operation is a predicate:

    Lkp : Word → Dict → B
    Lkp[w] δ ≜ χ[w] δ

Notes:
- We often express set membership using the characteristic function χ : A → P A → B.
- This is a choice we motivate later on, when discussing structure.
- In essence, this definition states that dictionary lookup is the characteristic (membership) function.
Slide 18: The Word Removal Operation

Word Removal is an operation changing a dictionary:

    Rem : Word → Dict → Dict
    Rem[w] δ ≜ ⊳−[w] δ

Notes:
- We do not use "classical" set removal (δ \ {w}), instead preferring a curried form:

    ⊳− : P S → P S → P S
    where ⊳−[A] B ≜ B \ A

- Yes, the ⊳− notation comes from Z!
- We abuse notation frequently, in this case dropping "redundant" brackets, i.e. using ⊳−[w] δ instead of ⊳−[{w}] δ.
- The Rem operation isn't quite the same as ⊳−, as there is an implicit injection of w into {w}.
Slide 19: The Word Count Function

The Word Count function simply observes the size of the dictionary:

    Wct : Dict → N
    Wct ∅ ≜ 0
    Wct(δ ⊔ {w}) ≜ Wct δ + 1

Notes:
- We present a recursive definition over sets! This is only well-defined if certain side conditions hold, as is the case here.
- We employ pattern matching on set structure. The pattern δ ⊔ {w} matches a set ∆ if and only if it contains w, with δ being bound to ∆ \ {w}.
- We could have defined Wct much more simply using set cardinality directly.
Slide 20: Recursion over Sets

Simple Recursion over Sets can be captured by the following schema:

    b : B
    g : (A × B) → B
    f : P A → B
    f(∅) ≜ b
    f(S ⊔ {a}) ≜ g(a, f(S))

This gives rise to the following proof obligation. Show, for all a1, a2 ∈ A, and all b ∈ B, that:

    g(a1, g(a2, b)) = g(a2, g(a1, b))

In general in VDM♣, universal quantification is implicit over free variables of an equation (a1, a2, b above).
Slide 21: On the use of set extension (⊔) in VDM♣

Set Extension is Set Union restricted to cases where the two sets are disjoint. Depending on context, the expression S ⊔ T is interpreted as follows:

- In a definition right-hand side (rhs), or general expression, it captures the notion that the sets S and T are disjoint. This allows us to write

    Wct(δ1 ⊔ δ2) = Wct δ1 + Wct δ2

  instead of

    Wct(δ1 ∪ δ2) = Wct δ1 + Wct δ2 − Wct(δ1 ∩ δ2)

  The first expression above could be used to define Wct!

- In a definition left-hand side (lhs), or pattern, it requires that whatever (non-empty) input matches the pattern can be broken into disjoint pieces, both smaller than the input.
Slide 22: The Translate Operation

The Dictionary Translate Operation maps a Word Translation function (τ) to every word in the dictionary:

    Trl : (Word → Word) → Dict → Dict
    Trl[τ] δ ≜ (P τ) δ

Notes:
- If f : A → B, then P is a functor, such that P f : P A → P B applies f to every element of its argument set.
- P f is the same as the "map f" concept in functional languages.
- Another functor called reduce (/) applies a binary operator to a set to reduce it to a single value.
- op/ is the same as "fold op" in a functional language.
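As an added illustration (not from the original slides), the set model of slides 14 to 22 as runnable Python, with the insertion obligation and the slide 20 recursion-over-sets obligation checked by finite enumeration. It assumes Word = str, Dict = frozenset, and a constructed stand-in for isNonUS, which the slides leave undefined.

```python
"""Set model of the VDM♣ dictionary (slides 14 to 22), run as finite checks.

Added example, not from the original slides.  Assumptions: Word = str,
Dict = frozenset of str, and isNonUS (never defined on the slides) is modelled
by a constructed stand-in: "the word is lower-case and non-empty".
"""
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, TypeVar

Word = str
Dict = FrozenSet[Word]
A = TypeVar("A")
B = TypeVar("B")

def is_non_us(w: Word) -> bool:
    # Constructed stand-in for isNonUS.
    return w != "" and w == w.lower()

def set_extend(s: frozenset, t: frozenset) -> frozenset:
    # S ⊔ T: set union, defined only when S and T are disjoint (slide 21).
    if s & t:
        raise ValueError(f"set extend undefined: {set(s & t)} in both operands")
    return s | t

def forall(rho: Callable[[A], bool], s: Iterable[A]) -> bool:
    # ∀[ρ] = ∧/ ∘ P ρ ; reducing the empty set with ∧ yields True.
    return all(map(rho, s))

def inv_dict(d: Dict) -> bool:
    # inv-Dict δ ≜ ∀[isNonUS] δ
    return forall(is_non_us, d)

def pre_ins(w: Word, d: Dict) -> bool:
    # pre-Ins[w] δ ≜ isNonUS(w) ∧ w ∉ δ
    return is_non_us(w) and w not in d

def ins(w: Word, d: Dict) -> Dict:
    # Ins[w] δ ≜ δ ⊔ {w}
    return set_extend(d, frozenset({w}))

def post_ins(w: Word, before: Dict, after: Dict) -> bool:
    # post-Ins[w] δ ↦ ∆ ≜ δ ⊆ ∆ ∧ w ∈ ∆  (the postcondition slide 14 offers)
    return before <= after and w in after

def lkp(w: Word, d: Dict) -> bool:
    # Lkp[w] δ ≜ χ[w] δ : lookup is the characteristic function.
    return w in d

def remove(a: frozenset, b: frozenset) -> frozenset:
    # ⊳−[A] B ≜ B \ A, the curried removal operator.
    return b - a

def rem(w: Word, d: Dict) -> Dict:
    # Rem[w] δ ≜ ⊳−[w] δ, with w implicitly injected into {w}.
    return remove(frozenset({w}), d)

def set_recursion(b: B, g: Callable[[A, B], B], s: frozenset) -> B:
    # Slide 20 schema: f(∅) ≜ b ; f(S ⊔ {a}) ≜ g(a, f(S)).
    # Python picks the element order, which is exactly why g must commute.
    acc = b
    for a in s:
        acc = g(a, acc)
    return acc

def g_commutes(g: Callable[[A, B], B], elems: Iterable[A], bs: Iterable[B]) -> bool:
    # Obligation: g(a1, g(a2, b)) = g(a2, g(a1, b)) for all a1, a2 ∈ A, b ∈ B.
    elems, bs = list(elems), list(bs)
    return all(g(a1, g(a2, b)) == g(a2, g(a1, b))
               for a1 in elems for a2 in elems for b in bs)

def wct(d: Dict) -> int:
    # Wct ∅ ≜ 0 ; Wct(δ ⊔ {w}) ≜ Wct δ + 1
    return set_recursion(0, lambda w, n: n + 1, d)

def trl(tau: Callable[[Word], Word], d: Dict) -> Dict:
    # Trl[τ] δ ≜ (P τ) δ : the set-map functor applied to τ.
    return frozenset(map(tau, d))

def ins_obligation_holds(words: Iterable[Word]) -> bool:
    # inv-Dict δ ∧ pre-Ins[w] δ ⇒ inv-Dict(Ins[w] δ), for every δ ⊆ words and
    # every w in words: a finite stand-in for the implicit quantification.
    words = list(words)
    subsets = (frozenset(c) for r in range(len(words) + 1)
               for c in combinations(words, r))
    return all(inv_dict(ins(w, d)) and post_ins(w, d, ins(w, d))
               for d in subsets for w in words
               if inv_dict(d) and pre_ins(w, d))
```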
Slide 23: Summary of Set Operators

We have seen the following set operators:

    P A     Set of A, in type expressions
    P f     Set Map functor, in non-type expressions
    ∅       Empty Set
    ⊔       Set Extension, defd. only for disjoint sets
    χ       Set Membership, defd. as (characteristic) function
    ⊳−      Set Removal, defd. as curried operator
    ⊕/      Set Reduction or Fold, using ⊕
    ∀       Maps Predicate over Set, reducing with And: ∀[ρ] = ∧/ ∘ P ρ

Why the preference for curried forms in certain cases?
Slide 24: The Currying of Set Restriction

Consider Set Restriction, VDM♣-style:

    ⊳ : P A → P A → P A
    ⊳[S] T ≜ the elements of T restricted to those contained in S

But ⊳[S] T = ⊳[T] S = S ∩ T !! i.e. Set Restriction is a curried form of Set Intersection.

- Why not use S ∩ T or S ⊳ T (i.e. infix notation)?
- Why use notation similar to that used by Z for relations and maps?

We shall address this later . . .
Slide 25: Refining our Dictionary

We now illustrate the process of refinement in VDM♣. Let us implement the dictionary as a sequence of words (DSeq):

    σ ∈ DSeq = Word⋆
    inv-DSeq σ ≜ ∀[isNonUS] σ
    σ0 : DSeq
    σ0 ≜ Λ

Notes:
- The functor notation A⋆ denotes sequences of A, normally indicated in VDM-SL by A-seq.
- More overloading: ∀ is also the obvious combinator with signature (A → B) → A⋆ → B.
- We use Λ to denote empty sequences, with occasional use of the ⟨⟩ notation.
- We easily satisfy the proof obligation: inv-DSeq σ0 = True.
Slide 26: Retrieving Dicts from DSeqs

We get from our sequence implementation to our set specification with the obvious retrieval function:

    retr-Dict : DSeq → Dict
    retr-Dict σ ≜ elems σ

Notes:
- The retrieval function is simply the elems operator, returning the set of all elements in a sequence.
- The immediate proof obligation regarding the initial states is retr-Dict Λ = ∅, which is trivially true.
- The retrieve function is generally many-to-one and surjective.
Slide 27: Insertion into DSeqs

We define insertion (Ins1) as simple sequence "consing":

    Ins1 : Word → DSeq → DSeq
    pre-Ins1[w] σ ≜ isNonUS w ∧ w ∉ elems σ
    Ins1[w] σ ≜ w : σ

Notes:
- We denote the cons-operator by a colon (:), as per modern functional languages.
- An alternative, more verbose, notation is ⟨w⟩ ⌢ σ, where ⌢ is the sequence concatenator.
- We obtain the following proof obligation:

    inv-DSeq σ ∧ pre-Ins1[w] σ ⇒ inv-DSeq(Ins1[w] σ)

  Proof of this is straightforward (as for Ins previously).
Slide 28: Proving Refinement

To show that Ins1 refines Ins, we must show:

    pre-Ins1[w] σ ⇒ retr-Dict(Ins1[w] σ) = Ins[w](retr-Dict σ)

Proof Sketch: unfolding all definitions:

    isNonUS w ∧ w ∉ elems σ ⇒ elems(w : σ) = (elems σ) ⊔ {w}

using the fact that x ∉ S ⇒ S ⊔ {x} = S ∪ {x}, and discarding part of the antecedent:

    w ∉ elems σ ⇒ elems(w : σ) = (elems σ) ∪ {w}

The consequent is true because it matches the normal recursive step in the (traditional) definition of elems.
Slide 29: (most of) The Remaining DSeq Operators

Sequence Lookup, Removal and Count:

    Lkp1 : Word → DSeq → B
    Lkp1[w] Λ ≜ False
    Lkp1[w](w′ : σ) ≜ w = w′ → True, Lkp1[w] σ

    Rem1 : Word → DSeq → DSeq
    Rem1[w] Λ ≜ Λ
    Rem1[w](w′ : σ) ≜ w = w′ → σ, w′ : (Rem1[w] σ)

    Wct1 : DSeq → N
    Wct1 σ ≜ len σ

Notes:
- We prefer the use of the McCarthy conditional.
- The function len is the length function on sequences.
- The proof that Wct1 refines Wct depends crucially on the precondition of Ins1!
Slide 30: The refined Translate Operation

The Dictionary Translate Operation maps a Word Translation function (τ) to every word in the dictionary:

    Trl1 : (Word → Word) → DSeq → DSeq
    Trl1[τ] σ ≜ (τ⋆) σ

Notes:
- If f : A → B, then ⋆ is a functor, such that f⋆ : A⋆ → B⋆ applies f to every element of its argument sequence.
- f⋆ is the same as the "map f" concept in functional languages.
- Another functor called reduce (/) applies a binary operator to a sequence to reduce it to a single value.
- op/ is the same as "fold op" in a functional language.
Slide 31: Summary of Sequence Operators

    A⋆      Sequence of A, in type expressions
    f⋆      Sequence Map with f, in non-type expressions
    Λ       Empty Sequence
    :       Sequence Cons operator
    ⌢       Sequence Concatenation
    ⊕/      Sequence Reduce or Fold, using ⊕
    elems   Returns Set of Sequence elements: elems = ∪/ ∘ I⋆, where I is the Identity function (I x = x)
    len     Sequence Length: len = +/ ∘ (K 1)⋆, where K k is the Constant function combinator (K k x = k)
    ∀       Maps Predicate over Sequence, reducing with And: ∀[ρ] = ∧/ ∘ ρ⋆

Observe the preference for curried forms in certain cases, once more.
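The refinement of slides 25 to 31 as an added example (not the slides' own code): the concrete sequence operations, the retrieve function, and a check of the refinement square for each operation over a finite sample. It assumes Word = str, DSeq = tuple, the same constructed isNonUS stand-in, and a constructed vocabulary WORDS; the checks also show that Wct1 and Rem1 refine their abstract counterparts only on sequences reachable under pre-Ins1, which is the dependence slide 29 points out.

```python
"""Sequence refinement of the dictionary (slides 25 to 31), checked by enumeration.

Added example, not from the original slides.  Assumptions: Word = str,
DSeq = tuple of str, Dict = frozenset of str; isNonUS is the constructed
lower-case stand-in; WORDS is a constructed sample vocabulary.  The abstract
set operations are restated as one-liners so the block runs stand-alone.
"""
from itertools import permutations, product
from typing import Callable, FrozenSet, Optional, Tuple

Word = str
DSeq = Tuple[Word, ...]
Dict = FrozenSet[Word]
EMPTY: DSeq = ()                        # Λ
WORDS = ("colour", "grey", "theatre")   # constructed sample vocabulary

def is_non_us(w: Word) -> bool:
    return w != "" and w == w.lower()   # constructed stand-in for isNonUS

# Abstract operations on Dict = P Word (slides 14 to 22), restated as one-liners.
def ins(w: Word, d: Dict) -> Dict: return d | {w}       # Ins[w] δ, pre: w ∉ δ
def lkp(w: Word, d: Dict) -> bool: return w in d         # Lkp[w] δ ≜ χ[w] δ
def rem(w: Word, d: Dict) -> Dict: return d - {w}       # Rem[w] δ ≜ ⊳−[w] δ
def wct(d: Dict) -> int: return len(d)                   # Wct δ
def trl(t: Callable[[Word], Word], d: Dict) -> Dict: return frozenset(map(t, d))

# Concrete operations on DSeq = Word⋆ (slides 27 to 30).
def retr_dict(s: DSeq) -> Dict:
    # retr-Dict σ ≜ elems σ, i.e. ∪/ ∘ I⋆ (slide 31)
    return frozenset(s)

def pre_ins1(w: Word, s: DSeq) -> bool:
    # pre-Ins1[w] σ ≜ isNonUS w ∧ w ∉ elems σ
    return is_non_us(w) and w not in retr_dict(s)

def ins1(w: Word, s: DSeq) -> DSeq:
    # Ins1[w] σ ≜ w : σ   (cons)
    return (w,) + s

def lkp1(w: Word, s: DSeq) -> bool:
    # Lkp1[w] Λ ≜ False ; Lkp1[w](w′ : σ) ≜ w = w′ → True, Lkp1[w] σ
    if s == EMPTY:
        return False
    return True if w == s[0] else lkp1(w, s[1:])

def rem1(w: Word, s: DSeq) -> DSeq:
    # Rem1[w] Λ ≜ Λ ; Rem1[w](w′ : σ) ≜ w = w′ → σ, w′ : (Rem1[w] σ)
    if s == EMPTY:
        return EMPTY
    return s[1:] if w == s[0] else (s[0],) + rem1(w, s[1:])

def wct1(s: DSeq) -> int:
    # len = +/ ∘ (K 1)⋆  (slide 31)
    return sum(1 for _ in s)

def trl1(t: Callable[[Word], Word], s: DSeq) -> DSeq:
    # Trl1[τ] σ ≜ (τ⋆) σ  (sequence map)
    return tuple(map(t, s))

def all_seqs(words: tuple = WORDS, maxlen: int = 2) -> list:
    # Every sequence over `words` up to `maxlen`, duplicates included.
    return [t for n in range(maxlen + 1) for t in product(words, repeat=n)]

def reachable_seqs(words: tuple = WORDS) -> list:
    # Sequences buildable from Λ by Ins1 under its precondition: no repeats.
    return [t for n in range(len(words) + 1) for t in permutations(words, n)]

def refinement_counterexample(abstract: Callable, concrete: Callable, pre: Callable,
                              seqs: list, out: Callable = retr_dict,
                              words: tuple = WORDS) -> Optional[tuple]:
    # First (w, σ) with pre[w] σ but out(Op1[w] σ) ≠ Op[w](retr-Dict σ), or None
    # if the refinement square of slide 28 commutes on the whole sample.  `out`
    # retrieves the concrete result: retr-Dict for DSeq results, identity otherwise.
    for w, s in product(words, seqs):
        if pre(w, s) and out(concrete(w, s)) != abstract(w, retr_dict(s)):
            return (w, s)
    return None
```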
Slide 32: I've some questions!

- Why use your own notation? Why not use VDM-SL, or Z? The problem with using established notations is that they have associated assumptions about semantics and methodology.
- Where is the logic? Using a logic requires a lot of machinery, and a commitment to a particular world-view.

In neither case, notation nor logic, did we feel like making the appropriate commitments. However, see later . . .
Slide 33: Progress of Talk

1. Introduction
2. History
3. Some VDM♣ Models
4. Structures and Morphisms
5. Indexed Structures
6. A Geometry of Formal Methods
7. A meta-theory of structures: Categories
8. On building mathematical toolkits and tools
9. Conclusions
Slide 34: The Rôle of Structure

A key feature of VDM♣ is the use of mathematical structure. Structure is used as an organising principle:
- organising collections of laws
- organising proofs
- organising models of systems

Emphasis isn't just on producing structures. Great importance is also given to:
- classifying structures by key properties
- constructing new structures from existing ones.
Slide 35: Structural Forms

In general, structures consist of:
- one or more carrier sets (A, B, C, . . .).
- one or more values from, or functions over, the carrier sets (a : A, f : B → C, ⊕ : A × A → A).
- some associated properties relating its parts.

Frequently, we have a distinguished carrier set (A), with the others, if present, relegated to a subsidiary rôle. With a distinguished carrier set, we can classify some structures as:
- Algebras, if all functions are of the form F A → A
- co-Algebras, if all functions are of the form A → F A

Here F A is any functor (type expression) in A. In VDM♣ to date, the bulk of the work has been using Algebras.
Slide 36: Our first Algebra

We start by introducing the concept of a Semigroup:
- A single distinguished carrier set: S
- A single binary operator: ⊕ : S × S → S
- Two properties:
  - ⊕ is closed in S, i.e. a total function on S × S.
  - ⊕ is associative, i.e. a1 ⊕ (a2 ⊕ a3) = (a1 ⊕ a2) ⊕ a3

We write a semigroup in shorthand as (S, ⊕). If ⊕ is also commutative (a1 ⊕ a2 = a2 ⊕ a1), then the structure is an Abelian Semigroup (S, ⊕)ab.
Slide 37: Example Semigroups

Some proper SemiGroups:
- (N1, +)ab : Natural Numbers less Zero, under addition (Abelian).
- (A⁺, ⌢) : Non-empty Sequences, under concatenation.
- (P′A, ∪) : Non-empty Sets, under set union.

By "proper" is meant that these have no extra structure.

Some improper SemiGroups:
- (N, +)ab : Natural Numbers, under addition (Abelian).
- (A⋆, ⌢) : All Sequences, under concatenation.
- (P A, ∪)ab : All Sets, under set union (Abelian).
- (P A, ∩)ab : All Sets, under set intersection (Abelian).

By "improper" is meant that these have extra structure, as will be explained shortly.
Slide 38: moving on up . . .

- Semigroups have associated structure preserving maps (Semigroup Homomorphisms).
- However, Semigroups are a very weak structure.
- We shall immediately move on to the next step on the structure "ladder".
- This brings us to a key structure level, that of Monoids.
- We shall investigate morphisms at this level.
Slide 39: Monoids

We now introduce some extra structure, giving a Monoid:
- A single distinguished carrier set: M
- A single binary operator: ⊕ : M × M → M
- A distinguished (unit/identity) element: u : M
- Two properties:
  - (M, ⊕) is a Semigroup.
  - u is an identity for ⊕, i.e. u ⊕ a = a = a ⊕ u

We write a monoid in shorthand as (M, ⊕, u). If ⊕ is also commutative then the structure is an Abelian Monoid (M, ⊕, u)ab.
Slide 40: Example Monoids

Some proper Monoids:
- (N, +, 0)ab : Natural Numbers, Addition, Zero (Abelian).
- (A⋆, ⌢, Λ) : Sequences, Concatenation, Empty-Sequence.
- (P A, ∩, A)ab : Sets, Intersection, Universe (Abelian).
- (P A, ∪, ∅)ab : Sets, Union, Empty-Set (Abelian).

Some improper Monoids:
- (Z, +, 0)ab : Integers, Addition, Zero (Abelian).
- (Q0, ×, 1)ab : Rational Numbers less Zero, Multiplication, One (Abelian).
- (P A, ∩, A)ab : Sets, Intersection, Universe (Abelian).
- (P A, ∪, ∅)ab : Sets, Union, Empty-Set (Abelian).

(P A, ∪, ∅) and (P A, ∩, A) are improper because they form Boolean Lattices, structures we won't discuss here.
Slide 41: Structure Preserving Maps

Also known as Morphisms.

Given two monoids (S, ⊕, u) and (T, ⊗, v), a function h : S → T is structure preserving iff, for any expression built using ⊕, u and elements of S, we get the same result by either:
(i) evaluating the expression in S, and applying h to the result, or
(ii) applying h to each element of S, and evaluating with each ⊕ replaced by ⊗ and u replaced by v.

i.e., for all s1, s2 ∈ S, we have

    h(u) = v   and   h(s1 ⊕ s2) = h(s1) ⊗ h(s2).

In this case we say that h is a Monoid Homomorphism from (S, ⊕, u) to (T, ⊗, v), i.e.

    h : (S, ⊕, u) → (T, ⊗, v)

If h : S → S, then it is called a Monoid Endomorphism.
Slide 42: Example Monoid Homomorphisms

- len : (A⋆, ⌢, Λ) → (N, +, 0) : Sequence Length, from Sequences to Natural Numbers.
- elems : (A⋆, ⌢, Λ) → (P A, ∪, ∅) : Sequence Elements, from Sequences to Sets.
- log : (R⁺₀, ×, 1) → (R, +, 0) : Logarithm, from Positive Reals less Zero under Multiplication to Addition.
- ¬ : (B, ∧, True) → (B, ∨, False) : Logical Negation, from Booleans under And to those under Or (and vice versa).
- For a ∈ A:

    χ[a] : (P A, ∪, ∅) → (B, ∨, False)
    χ[a] : (P A, ∩, A) → (B, ∧, True)

  Characteristic Function, from Sets to Booleans.

One function can be homomorphic many ways!
Slide 43: Quantifiers as Homomorphisms

The VDM♣ versions of the quantifiers are homomorphisms. For ρ ∈ A → B:

    ∀[ρ] ≜ ∧/ ∘ P ρ      ∀[ρ] : (P A, ∪, ∅) → (B, ∧, True)
    ∃[ρ] ≜ ∨/ ∘ P ρ      ∃[ρ] : (P A, ∪, ∅) → (B, ∨, False)

However, for the above to work, the following identities must hold:

    ∧/∅ = True   and   ∨/∅ = False.

To achieve this, we need to define reduction w.r.t. a monoid and operator, rather than w.r.t. a set and operator:

    Wrong approach:    / : (A × A → A) → P A → A,       ⊕/S ≜ . . .
    Correct approach:  ⊕/ : (M, ⊕, u) → P M → M,        ⊕/S ≜ . . .
Slide 44: Important Monoid Endomorphisms

Assume a given S where S ⊆ A:
- ⊳−[S] : (P A, ∪, ∅) → (P A, ∪, ∅) : Removal w.r.t. S, on Sets under Union
- ⊳−[S] : (P A, ∩, A) → (P A, ∩, A) : Removal w.r.t. S, on Sets under Intersection
- ⊳[S] : (P A, ∪, ∅) → (P A, ∪, ∅) : Restriction w.r.t. S, on Sets under Union
- ⊳[S] : (P A, ∩, A) → (P A, ∩, A) : Restriction w.r.t. S, on Sets under Intersection

Now we see the motivation for special remove/restrict notation! The curried forms of set difference and intersection (remove and restrict resp.), parameterised by a given set, are endomorphisms of sets under both union and intersection operations.
Slide 45: Why are Monoids and their Morphisms useful?

- They permit compact description of laws
- They permit compact function definitions
- They permit compact/re-usable proof steps
Slide 46: Compact Description of Laws

The following equation:

    len : (A⋆, ⌢, Λ) → (N, +, 0)ab

captures the following eleven laws:

    ⌢ is total
    σ1 ⌢ (σ2 ⌢ σ3) = (σ1 ⌢ σ2) ⌢ σ3
    Λ ⌢ σ = σ
    σ ⌢ Λ = σ
    + is total
    n1 + (n2 + n3) = (n1 + n2) + n3
    0 + n = n
    n + 0 = n
    n1 + n2 = n2 + n1
    len(σ1 ⌢ σ2) = len σ1 + len σ2
    len Λ = 0

However, we haven't done quite enough here to fully define len.
Slide 47: Compact Function Definitions

A typical definition of the function len : A⋆ → N might be:

    len Λ ≜ 0
    len(a : σ) ≜ 1 + len σ

We could then use this definition to prove it is a homomorphism. Or we can view it as captured by the following laws:

    len Λ = 0
    len⟨a⟩ = 1
    len(σ1 ⌢ σ2) = len σ1 + len σ2

The first and third law state the homomorphism property. The second law is the missing ingredient: it defines the action of len on a single "element" of a list, a singleton.

Any homomorphism is uniquely defined by identifying the relevant structures, and such an "element action" rule.
Slide 48: Example Homomorphism Definitions

The Sequence Length Homomorphism:

    len : (A⋆, ⌢, Λ) → (N, +, 0)
    len⟨a⟩ ≜ 1

The Sequence Elements Homomorphism:

    elems : (A⋆, ⌢, Λ) → (P A, ∪, ∅)
    elems⟨a⟩ ≜ {a}

The Logarithm (base n) Homomorphism:

    log_n : (R⁺₀, ×, 1) → (R, +, 0)
    log_n(n) ≜ 1

Note that we have a family of homomorphisms, indexed by n.

The Characteristic Function Homomorphism (a ∈ A):

    χ[a] : (P A, ∪, ∅) → (B, ∨, False)
    χ[a] : (P A, ∩, A) → (B, ∧, True)
    χ[a]{a′} ≜ a = a′
Slide 49: Example Endomorphism Definitions

Given S ⊆ A:

Set Removal Endomorphisms:

    ⊳−[S] : (P A, ∪, ∅) → (P A, ∪, ∅)
    ⊳−[S] : (P A, ∩, A) → (P A, ∩, A)
    ⊳−[S]{a} ≜ a ∈ S → ∅, {a}

Set Restriction Endomorphisms:

    ⊳[S] : (P A, ∪, ∅) → (P A, ∪, ∅)
    ⊳[S] : (P A, ∩, A) → (P A, ∩, A)
    ⊳[S]{a} ≜ a ∈ S → {a}, ∅
Slide 50: Re-usable Proof Steps

Any proof fragment done using only structural and morphism properties, like:

      len(σ1 ⌢ σ2) + len⟨a⟩
    = "len homomorphism"
      (len σ1 + len σ2) + len⟨a⟩
    = "associativity of +"
      len σ1 + (len σ2 + len⟨a⟩)
    = "element action of len"
      len σ1 + (len σ2 + 1)

can be generalised, for h : (S, ⊕, u) → (T, ⊗, v) and h(t) ≜ s, as:

    h(s1 ⊕ s2) ⊗ h(t) = h(s1) ⊗ (h(s2) ⊗ s)

and applied to any other corresponding instances of such structures and morphisms, e.g.:

    ⊳−[S](A1 ∩ A2) ∩ ⊳−[S]{a} = ⊳−[S]A1 ∩ (⊳−[S]A2 ∩ (a ∈ S → ∅, {a}))
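An added example, not from the slides, making the monoid laws, homomorphism conditions and element-action definitions of slides 36 to 50 executable over finite samples (a constructed universe {a, b, c} for P A). The two halves of the homomorphism condition are checked separately, which shows that ⊳−[S] and ⊳[S] preserve ∩ but send the ∩-unit A to A \ S and S respectively, so under intersection they satisfy the operation law but not the unit law unless S is trivial.

```python
"""Monoids, homomorphisms and element-action definitions (slides 36 to 50),
checked on finite samples.

Added example, not from the original slides.  Carriers are sampled: tuples for
A⋆, frozensets over the constructed universe {a, b, c} for P A, small ints for N,
so each law is a finite enumeration (the implicit ∀ of VDM♣ made concrete).
"""
from dataclasses import dataclass
from functools import reduce
from itertools import combinations, product
from typing import Any, Callable, Iterable

@dataclass(frozen=True)
class Monoid:
    op: Callable[[Any, Any], Any]   # ⊕ : M × M → M
    unit: Any                       # u : M
    name: str = ""

    def laws_hold(self, sample: Iterable[Any]) -> bool:
        # Associativity and two-sided identity over the sample; closure is
        # taken from the operator's type, as on slide 36.
        xs = list(sample)
        assoc = all(self.op(a, self.op(b, c)) == self.op(self.op(a, b), c)
                    for a, b, c in product(xs, repeat=3))
        ident = all(self.op(self.unit, a) == a == self.op(a, self.unit) for a in xs)
        return assoc and ident

    def fold(self, xs: Iterable[Any]) -> Any:
        # ⊕/ defined w.r.t. the monoid, so ⊕/∅ = u (slide 43's "correct approach").
        return reduce(self.op, xs, self.unit)

def preserves_unit(h: Callable, src: Monoid, tgt: Monoid) -> bool:
    return h(src.unit) == tgt.unit                       # h(u) = v

def preserves_op(h: Callable, src: Monoid, tgt: Monoid, sample: Iterable) -> bool:
    xs = list(sample)                                    # h(s1 ⊕ s2) = h(s1) ⊗ h(s2)
    return all(h(src.op(a, b)) == tgt.op(h(a), h(b)) for a, b in product(xs, repeat=2))

def is_homomorphism(h: Callable, src: Monoid, tgt: Monoid, sample: Iterable) -> bool:
    # Both conditions of slide 41 over the sampled elements.
    return preserves_unit(h, src, tgt) and preserves_op(h, src, tgt, sample)

def from_element_action(action: Callable[[Any], Any], tgt: Monoid) -> Callable:
    # Slide 47: a homomorphism out of (A⋆, ⌢, Λ) is fixed by its action on
    # singletons ⟨a⟩.  Applied to a set argument the iteration order is
    # arbitrary, so tgt must then be commutative: slide 20's obligation again.
    return lambda xs: tgt.fold(action(a) for a in xs)

UNIVERSE = frozenset("abc")                                    # constructed A
SEQ   = Monoid(lambda s, t: s + t, (), "(A⋆, ⌢, Λ)")
NAT   = Monoid(lambda m, n: m + n, 0, "(N, +, 0)")
UNION = Monoid(lambda s, t: s | t, frozenset(), "(P A, ∪, ∅)")
INTER = Monoid(lambda s, t: s & t, UNIVERSE, "(P A, ∩, A)")
AND   = Monoid(lambda p, q: p and q, True, "(B, ∧, True)")
OR    = Monoid(lambda p, q: p or q, False, "(B, ∨, False)")

# Slide 48: homomorphisms given by their element action.
length = from_element_action(lambda a: 1, NAT)                 # len⟨a⟩ ≜ 1
elems  = from_element_action(lambda a: frozenset({a}), UNION)  # elems⟨a⟩ ≜ {a}

def chi(a: Any) -> Callable:
    # χ[a]{a′} ≜ a = a′ ; the same function is homomorphic (∪,∅)→(∨,False)
    # and (∩,A)→(∧,True), as slide 42 notes.
    return from_element_action(lambda a2: a == a2, OR)

def remove(S: frozenset) -> Callable:
    # ⊳−[S]{a} ≜ a ∈ S → ∅, {a}   (slide 49)
    return lambda t: t - S

def restrict(S: frozenset) -> Callable:
    # ⊳[S]{a} ≜ a ∈ S → {a}, ∅
    return lambda t: t & S

def forall(rho: Callable, s: Iterable) -> bool:   # ∀[ρ] = ∧/ ∘ P ρ
    return AND.fold(map(rho, s))

def exists(rho: Callable, s: Iterable) -> bool:   # ∃[ρ] = ∨/ ∘ P ρ
    return OR.fold(map(rho, s))

def all_subsets(u: frozenset = UNIVERSE) -> list:
    items = sorted(u)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def some_seqs(maxlen: int = 2) -> list:
    return [t for n in range(maxlen + 1) for t in product(sorted(UNIVERSE), repeat=n)]

def reusable_step(h: Callable, src: Monoid, tgt: Monoid, s1, s2, t) -> bool:
    # Slide 50's generalised fragment: h(s1 ⊕ s2) ⊗ h(t) = h(s1) ⊗ (h(s2) ⊗ h(t)).
    return tgt.op(h(src.op(s1, s2)), h(t)) == tgt.op(h(s1), tgt.op(h(s2), h(t)))
```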
Slide 51: Reducing Monoids to Semigroups

We will proceed next to illustrate the real power of the structural approach. As a prerequisite, we will introduce the notion of reducing a monoid to a semigroup, alternatively referred to as dropping the monoid unit.

Given a monoid (M, ⊕, u), we define the corresponding reduced semigroup as (M′, ⊕′), where

    M′ = M \ {u}
    ⊕′ is ⊕ restricted to M′ × M′

Notes:
- We use the prime notation in a general way to indicate a carrier set with the unit or identity element removed (e.g. P′A denotes P A \ {∅}).
- Some carrier sets have their own notations: A⁺ instead of A⋆′, N1 instead of N′.
Slide 52: Progress of Talk

1. Introduction
2. History
3. Some VDM♣ Models
4. Structures and Morphisms
5. Indexed Structures
6. A Geometry of Formal Methods
7. A meta-theory of structures: Categories
8. On building mathematical toolkits and tools
9. Conclusions
Slide 53: VDM♣ Maps

- To date, we have avoided mention of finite maps, or partial functions.
- We shall present our approach, using monoids and homomorphisms to define the key functions.
- We shall then see how we can obtain a whole host of useful structures using a single general construction.
Slide 54: Finite/Partial Maps in VDM♣

We describe a finite map between domains A and B with a declaration of the form:

    µ, ν ∈ A →ᵐ B

We introduce the notion of a null or empty map:

    θ : A →ᵐ B

We also have the concept of a singleton "maplet":

    {a ↦ b} : A →ᵐ B

We construct maps using map override:

    † : (A →ᵐ B) × (A →ᵐ B) → (A →ᵐ B)

We introduce the notion of map application:

    a ∈ A, µ ∈ A →ᵐ B ⇒ µ a ∈ B

The notation and behaviour is very similar to that found in VDM-SL, so we will not elaborate further.
Slide 55: The Map Monoid

Maps under override form a monoid, with the null map as identity: (A →ᵐ B, †, θ).

The map domain operator (dom) returns the elements of A for which the map is defined. It is a homomorphism, so can be defined as:

    dom : (A →ᵐ B, †, θ) → (P A, ∪, ∅)
    dom{a ↦ b} ≜ {a}

Note: A common abuse of notation employed in VDM♣ is to write a ∈ µ as a shorthand for a ∈ dom µ.

The map range operator (rng) returns the elements of B onto which some element of the domain is mapped. It is also a homomorphism, so can be defined as:

    rng : (A →ᵐ B, †, θ) → (P B, ∪, ∅)
    rng{a ↦ b} ≜ {b}
Slide 56: Other Map Homomorphisms

Given S ⊆ A, we can define . . .

Domain Removal w.r.t. S (⊳−[S]) as an endomorphism:

    ⊳−[S] : (A →ᵐ B, †, θ) → (A →ᵐ B, †, θ)
    ⊳−[S]{a ↦ b} ≜ a ∈ S → θ, {a ↦ b}

Domain Restriction w.r.t. S (⊳[S]) as an endomorphism:

    ⊳[S] : (A →ᵐ B, †, θ) → (A →ᵐ B, †, θ)
    ⊳[S]{a ↦ b} ≜ a ∈ S → {a ↦ b}, θ

Notes:
- We are overloading the restrict/remove symbols once more.
- We further extend the concept to restrict/removal w.r.t. another map, by abuse of notation: for maps µ, ν, ⊳−[µ] ν should be read as ⊳−[dom µ] ν.
Slide 57: The Map "map" Functor

Given injective f : A → C and any g : B → D, we obtain the Map functor (f →ᵐ g) as a homomorphism:

    (f →ᵐ g) : (A →ᵐ B, †, θ) → (C →ᵐ D, †, θ)
    (f →ᵐ g){a ↦ b} ≜ {f(a) ↦ g(b)}

Notes:
- (f →ᵐ g) is the map functor for maps.
- The most common usage is of the form (I →ᵐ g).
Slide 58: Map Extend, Removal and Override

We also define a map extend operator (⊔) as follows:

    ⊔ : (A →ᵐ B) × (A →ᵐ B) → (A →ᵐ B)   (partial)
    pre-(µ ⊔ ν) ≜ dom µ ∩ dom ν = ∅
    µ ⊔ ν ≜ µ † ν

Note: Map extend is analogous to Set extend, and plays a similar rôle, especially for defining recursive functions over finite maps.

We have the following identity between map override, extend and removal:

    µ † ν = ⊳−[ν] µ ⊔ ν

Observe the abuse of notation mentioned previously.

If we relax the totality requirement for a monoid's operator, but still require that the identity law holds for all elements, we obtain a Partial Monoid (M, ⊕, u)p. Map and Set extend form partial monoids.
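The map monoid of slides 54 to 58 as an added example (not the slides' own code), with maps as Python dicts, θ as {}, and a constructed sample of maps from {1, 2} into {"x", "y"}. Besides checking dom, ⊳−[S], ⊳[S], (f →ᵐ g) and the identity µ † ν = ⊳−[ν] µ ⊔ ν on the sample, the checks show why slide 57 requires f to be injective, and that rng respects map extend ⊔ but not override † (an overridden value leaves the range).

```python
"""Finite maps as a monoid under override (slides 54 to 58).

Added example, not from the original slides.  Maps are Python dicts, θ is {},
and the sample maps are constructed from keys {1, 2} and values {"x", "y"}.
"""
from itertools import product
from typing import Callable, Dict, Hashable, Iterable, Optional

Map = Dict[Hashable, Hashable]
THETA: Map = {}                                   # θ, the null map

def override(mu: Map, nu: Map) -> Map:
    # µ † ν : ν wins on shared domain elements.
    return {**mu, **nu}

def disjoint(mu: Map, nu: Map) -> bool:
    # pre-(µ ⊔ ν) ≜ dom µ ∩ dom ν = ∅
    return not (mu.keys() & nu.keys())

def extend(mu: Map, nu: Map) -> Map:
    # µ ⊔ ν ≜ µ † ν, defined only under the precondition above.
    if not disjoint(mu, nu):
        raise ValueError(f"map extend undefined: shared domain {set(mu) & set(nu)}")
    return override(mu, nu)

def dom(mu: Map) -> frozenset:                    # dom{a ↦ b} ≜ {a}
    return frozenset(mu)

def rng(mu: Map) -> frozenset:                    # rng{a ↦ b} ≜ {b}
    return frozenset(mu.values())

def dom_remove(S: Iterable) -> Callable[[Map], Map]:
    # ⊳−[S]{a ↦ b} ≜ a ∈ S → θ, {a ↦ b}
    S = frozenset(S)
    return lambda mu: {a: b for a, b in mu.items() if a not in S}

def dom_restrict(S: Iterable) -> Callable[[Map], Map]:
    # ⊳[S]{a ↦ b} ≜ a ∈ S → {a ↦ b}, θ
    S = frozenset(S)
    return lambda mu: {a: b for a, b in mu.items() if a in S}

def map_functor(f: Callable, g: Callable) -> Callable[[Map], Map]:
    # (f →ᵐ g){a ↦ b} ≜ {f(a) ↦ g(b)} ; slide 57 requires f injective, since
    # otherwise two maplets collide on f(a) and the result depends on order.
    return lambda mu: {f(a): g(b) for a, b in mu.items()}

def union(s: frozenset, t: frozenset) -> frozenset:
    return s | t

def is_hom(h: Callable, op_src: Callable, u_src, op_tgt: Callable, u_tgt,
           sample: Iterable[Map], pre: Optional[Callable] = None) -> bool:
    # h(u) = v ∧ h(µ ⊕ ν) = h(µ) ⊗ h(ν) over sampled pairs (slide 41); `pre`
    # restricts the pairs when ⊕ is partial, as ⊔ is (slide 58).
    pairs = [(m, n) for m, n in product(sample, repeat=2) if pre is None or pre(m, n)]
    return h(u_src) == u_tgt and all(
        h(op_src(m, n)) == op_tgt(h(m), h(n)) for m, n in pairs)

def override_identity_holds(sample: Iterable[Map]) -> bool:
    # µ † ν = ⊳−[ν] µ ⊔ ν, with ⊳−[ν] read as ⊳−[dom ν] (slide 58).
    return all(override(m, n) == extend(dom_remove(dom(n))(m), n)
               for m, n in product(sample, repeat=2))

def sample_maps() -> list:
    # Constructed sample: every map from a subset of {1, 2} into {"x", "y"}.
    maps = []
    for ks in ((), (1,), (2,), (1, 2)):
        for vs in product(("x", "y"), repeat=len(ks)):
            maps.append(dict(zip(ks, vs)))
    return maps
```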
Slide 59: Instances of Maps

Given the Map construction, we can consider various common instances, and define appropriate operators, as is done in VDM-SL, Z and other formalisms:

Bags are maps from some domain to Natural Numbers:

    β ∈ A →ᵐ N

We can define bag addition (⊕) appropriately, so for example:

    {a ↦ m} ⊕ {a ↦ n} = {a ↦ m + n}

Set-valued Functions/Maps map from a domain to sets of range values:

    γ ∈ A →ᵐ P B

We can define a lifted form of set union (⊎), such that

    {a ↦ S} ⊎ {a ↦ T} = {a ↦ S ∪ T}
Slide 60: Issues regarding Map Instances

In the process of defining bags and set-valued functions, questions such as the following arise:

Q: Should we allow bags to map some domain elements to zero? i.e. should we use A →ᵐ N or A →ᵐ N1?

Q: If a set-valued function is partial, should it map some domain elements to the null-set?

In VDM♣, we have a single construction technique which produces all these instances, and gives a technical criterion for deciding about the presence of identity elements in map ranges. This technique involves the so-called Indexed Monoid.
Slide 61: The Indexed Monoid (Naïve Version)

We start with a given monoid (M, ⋆, u), and introduce an indexing set X. We are going to index M by X, giving a map X →ᵐ M. Define an indexed form of ⋆, called ⋆̂, as follows:

    ⋆̂ : (X →ᵐ M) × (X →ᵐ M) → (X →ᵐ M)
    µ ⋆̂ θ ≜ µ
    µ ⋆̂ ({x ↦ m} ⊔ ν) ≜ ρ ⋆̂ ν
    where ρ = µ ⊔ {x ↦ m},           if x ∉ µ
          ρ = µ † {x ↦ µ(x) ⋆ m},    if x ∈ µ

Theorem: If (M, ⋆, u) is a monoid, then so is (X →ᵐ M, ⋆̂, θ).
Theorem: If (M, ⋆, u) is abelian, then so is (X →ᵐ M, ⋆̂, θ).
Proofs: see [?]
Slide 62: Indexing gives us Instances

If we index the monoid (N, +, 0)ab by A, we obtain the indexed monoid of bags of A: (A →ᵐ N1, +̂, θ)ab. But what does this say about zeros in the range?

If we index the monoid (P A, ∪, ∅)ab by B, we obtain the indexed monoid of set-valued maps of B: (B →ᵐ P A, ∪̂, θ)ab. But what does this say about empty-sets in the range?

Why is this referred to as naïve?

To see the answer to all these questions, we need to look at a higher-level structure: Groups.
Slide 63: Groups and Indexing

A Group has carrier set G, operation ⊕ : G × G → G, identity u : G and an inverse function ⁻¹ : G → G, with properties:
- (G, ⊕, u) is a monoid.
- For all g ∈ G, g⁻¹ ⊕ g = u = g ⊕ g⁻¹.

We use the following shorthand: (G, ⊕, u, ⁻¹).

Example Groups:
- (Z, +, 0, −) Integers under Addition.
- (Q, ×, 1, ÷) Rationals under Multiplication.

Can we have "indexed groups"? i.e., if (G, ⋆, u, ⁻¹) is a group, is (X →ᵐ G, ⋆̂, θ, ?) then also a group? What is the inverse for such a group?
Slide 64: Why Naïve Indexing fails for Groups

Consider the group (Z, +, 0, −). We might expect indexing to produce a group of integer bags (X →ᵐ Z, +̂, θ, ⊖), where ⊖ negates all the range elements.

However, ⊖ is not a proper inverse. Let µ = {x ↦ i}; then ⊖µ = {x ↦ −i}, so

    µ +̂ ⊖µ = {x ↦ 0} ≠ θ

The putative inverse ⊖ does not produce something that combines with +̂ to give the identity θ!

Careful thought and analysis indicates that the problem lies with the carrier, and the indexed operation, not the proposed inverse.
Slide 65: Avoiding Complications

The central issue is philosophical in nature, and deals with the most prevalent interpretations given to such structures. We tend to view $\theta$, $\{x \mapsto 0\}$, $\{x \mapsto 0, y \mapsto 0\}$ as all denoting the same thing — an empty bag.

One technical solution would be to define equivalence classes, and to talk about identity and inverse "up to equivalence". We find this cumbersome and awkward.

We prefer to get rid of maplets of the form $\{x \mapsto u\}$. We choose to do this for both monoids and groups.
Slide 66: The Indexed Monoid (Sophisticated Version)

We start with a given monoid $(M, \star, u)$, and introduce an indexing set $X$. We reduce the monoid to a semigroup $(M', \star)$. We are going to index $M'$ by $X$, giving a map $X \xrightarrow{m} M'$. Define a reduced indexed form of $\star$, called $\hat\star'$, as follows:

$\hat\star' : (X \xrightarrow{m} M') \times (X \xrightarrow{m} M') \to (X \xrightarrow{m} M')$

$\mu \mathbin{\hat\star'} \theta \triangleq \mu$
$\mu \mathbin{\hat\star'} (\{x \mapsto m\} \sqcup \nu) \triangleq \rho \mathbin{\hat\star'} \nu$

where

$\rho = \mu \sqcup \{x \mapsto m\}$, if $x \notin \mu$
$\rho = \mu \dagger \{x \mapsto \mu(x) \star m\}$, if $x \in \mu \wedge \mu(x) \star m \neq u$
$\rho = \mu$, if $x \in \mu \wedge \mu(x) \star m = u$

Theorem: If $(M, \star, u)$ is a monoid, then so is $(X \xrightarrow{m} M', \hat\star', \theta)$.
Theorem: If $(M, \star, u)$ is abelian, then so is $(X \xrightarrow{m} M', \hat\star', \theta)$.
Proofs: see [?].
Slide 67: Naive vs Sophisticated Indexing

Sophisticated Indexing produces "cleaner" monoids, by cleaning out $\{x \mapsto u\}$ entries in maps. Given a group $(G, \star, u, {}^{-1})$, then $(X \xrightarrow{m} G', \hat\star', \theta, (I \xrightarrow{m} {}^{-1}))$ is also a group.

In general, sophisticated indexing is preferred in the Irish School, so much so that the prime on $\hat\star'$ is often dropped (i.e. $\hat\star$ is taken to mean $\hat\star'$ by default).

However, $\hat\star$ (the naive form) is more general and can be applied to any binary operator, even if not associated with a monoid. So, for example, a proper semigroup $(S, \star)$ can be naively indexed to form the monoid $(X \xrightarrow{m} S, \hat\star, \theta)$.

A general result for both forms of indexing allows us to give a meaning to the application of an (indexed) map to elements not in its domain: we simply return the identity element of the monoid that was indexed to give the map.
Slide 68: Multiple Indexing

Indexing takes a monoid to a (higher) monoid. So what happens if we index an already indexed structure? There is no difficulty — we get an index tower:

$(M, \star, u)$
  index w.r.t. $X_1$:
$(X_1 \xrightarrow{m} M, \hat\star, \theta)$
  index w.r.t. $X_2$:
$(X_2 \xrightarrow{m} X_1 \xrightarrow{m} M, \hat\star_2, \theta)$
  index w.r.t. $X_3$:
$(X_3 \xrightarrow{m} X_2 \xrightarrow{m} X_1 \xrightarrow{m} M, \hat\star_3, \theta)$

Notes:

- We are ignoring the naive/sophisticated distinction here.
- $\star$ could be written as $\hat\star_0$, and $\hat\star$ as $\hat\star_1$.

The key point is that with the concept of indexing structures, we can build new structures of a similar type in a coherent way, simply by constructing appropriate maps and operators.
Slide 69: Modelling Relations in VDM♣

A relation between $A$ and $B$ is modelled as $R \subseteq \mathcal{P}(A \times B)$. A functional view might use set-valued maps: $\rho \in A \xrightarrow{m} \mathcal{P}B$. However, this is unsatisfactory, as elements of the latter have no counterpart in the former — e.g. $\{a \mapsto \emptyset\}$.

Sophisticated indexing comes to the rescue: we index $(\mathcal{P}B, \cup, \emptyset)$ to obtain $(A \xrightarrow{m} \mathcal{P}'B, \hat\cup, \theta)$. Throwing away empty sets in the range is key: $A \xrightarrow{m} \mathcal{P}'B$ is isomorphic to $\mathcal{P}(A \times B)$.

To ask if $a$ is related to $b$: with $R$, we ask if $(a, b) \in R$; with $\rho$, we ask if $b \in \rho(a)$.

We have a series of results connecting $\dagger$, $\hat\cup$, $\rhd{-}$, $\rhd$ and relational inverse (a.k.a. inverse image) ${}^{-1} : (A \xrightarrow{m} B) \to (B \xrightarrow{m} \mathcal{P}'A)$.
Slide 70: What if Indexing was foundational?

Consider a scheme that, given a binary operator $\star$, could construct $\hat\star$ without reference to override. Now consider the following unusual semigroup: $(A, \pi_2)$, where $\pi_2(a_1, a_2) \triangleq a_2$ is the 2nd projection operator, which we could consider as an infix operator $(\pi_2)$.

Then the monoid obtained by indexing the semigroup is $(X \xrightarrow{m} A, \hat\pi_2, \theta)$.

If $x \notin \mu$, then $\mu \mathbin{\hat\pi_2} \{x \mapsto a\}$ becomes $\mu \sqcup \{x \mapsto a\}$.
However, if $x \in \mu$, then $\mu \mathbin{\hat\pi_2} \{x \mapsto a\}$ becomes $\mu \dagger \{x \mapsto \mu(x)\,\pi_2\,a\}$, which is the same as $\mu \dagger \{x \mapsto a\}$.

In other words, $\hat\pi_2 = \dagger$: we can define override in terms of indexing.

This is not as mysterious as it seems. The operator indexing scheme effectively embodies map override, however it is defined, so the projection operator simply brings this aspect out.

Hmmm, so what is $\hat\pi_1$?
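The two indexing schemes of slides 61 and 66, the failed inverse of slide 64, the relation encoding of slide 69 and the $\hat\pi_2 = \dagger$ observation of slide 70 can all be exercised on one small piece of code. The following Python is an added example, not code from the slides or the Irish School: a map $X \xrightarrow{m} M$ is a Python dict, $\theta$ is the empty dict, and the names `index_naive`, `index_sophisticated`, `relation_to_map` and `pi2_indexed` are this example's own.

```python
"""Naive vs. sophisticated indexing of a binary operator over finite maps.

Added example, not from the slides: a map X -m-> M is a Python dict, the
empty map theta is {}, map extension and override are dict updates.
"""
from typing import Callable, Dict, FrozenSet, Hashable, Set, Tuple

Map = Dict[Hashable, object]
Op = Callable[[object, object], object]


def index_naive(star: Op) -> Callable[[Map, Map], Map]:
    """Naive indexed form star^ (slide 61): for each maplet {x -> m} of nu,
    extend mu if x is new, otherwise override x with mu(x) * m."""
    def indexed(mu: Map, nu: Map) -> Map:
        rho = dict(mu)                       # mu is a value; work on a copy
        for x, m in nu.items():
            rho[x] = star(rho[x], m) if x in rho else m
        return rho
    return indexed


def index_sophisticated(star: Op, u: object) -> Callable[[Map, Map], Map]:
    """Sophisticated form star^' (slide 66): a maplet whose value becomes
    the unit u is removed, so {x -> u} never appears and theta is the
    only zero of the indexed monoid."""
    def indexed(mu: Map, nu: Map) -> Map:
        rho = dict(mu)
        for x, m in nu.items():
            if x in rho:
                r = star(rho[x], m)
                if r == u:
                    del rho[x]               # mu(x) * m = u: drop the maplet
                else:
                    rho[x] = r
            elif m != u:                     # u is not in M', so never stored
                rho[x] = m
        return rho
    return indexed


# (Z, +, 0, -) indexed by strings (slide 64).
def add(a: int, b: int) -> int:
    return a + b


add_naive = index_naive(add)
add_soph = index_sophisticated(add, 0)


def negate(mu: Dict[Hashable, int]) -> Dict[Hashable, int]:
    """The putative inverse: negate every range element."""
    return {x: -i for x, i in mu.items()}


def naive_inverse_attempt(mu: Dict[Hashable, int]) -> Dict[Hashable, int]:
    """mu +^ (-mu) under naive indexing leaves {x -> 0} maplets behind."""
    return add_naive(mu, negate(mu))


def sophisticated_inverse(mu: Dict[Hashable, int]) -> Dict[Hashable, int]:
    """mu +^' (-mu) under sophisticated indexing collapses to theta."""
    return add_soph(mu, negate(mu))


# (P B, union, {}) indexed sophisticatedly: set-valued maps with no empty
# fibres, which is what makes them isomorphic to relations (slide 69).
union_soph = index_sophisticated(lambda s, t: s | t, frozenset())


def relation_to_map(rel: Set[Tuple[Hashable, Hashable]]) -> Dict[Hashable, FrozenSet]:
    """R subset A x B  ->  rho in A -m-> P'B, built one maplet at a time."""
    rho: Dict[Hashable, FrozenSet] = {}
    for a, b in rel:
        rho = union_soph(rho, {a: frozenset({b})})
    return rho


def map_to_relation(rho: Dict[Hashable, FrozenSet]) -> Set[Tuple[Hashable, Hashable]]:
    """The other direction: b in rho(a)  iff  (a, b) in R."""
    return {(a, b) for a, bs in rho.items() for b in bs}


# Indexing the second projection pi2 (slide 70) gives map override.
pi2_indexed = index_naive(lambda a1, a2: a2)


def override(mu: Map, nu: Map) -> Map:
    """mu dagger nu written directly, to compare against pi2^."""
    return {**mu, **nu}


if __name__ == "__main__":
    mu = {"x": 3, "y": -2}
    print(naive_inverse_attempt(mu))   # {'x': 0, 'y': 0}: not theta
    print(sophisticated_inverse(mu))   # {}: theta, so negation is a proper inverse
    rel = {("a", 1), ("a", 2), ("b", 1)}
    print(relation_to_map(rel), map_to_relation(relation_to_map(rel)) == rel)
    nu = {"x": 9, "z": 3}
    print(pi2_indexed({"x": 1, "y": 2}, nu) == override({"x": 1, "y": 2}, nu))
```

The `elif m != u` guard in the sophisticated form is the code's way of keeping inputs inside $X \xrightarrow{m} M'$: a maplet carrying the unit is simply never stored, so both arguments and results are free of $\{x \mapsto u\}$ entries, which is exactly the normalisation that makes $\ominus$ a genuine inverse.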
Slide 71: Dictionary revisited

One use for a dictionary is to quickly look up an identifier gleaned from a program text, to see if it is a keyword. The dictionary is usually small and static, so fast lookup is much more important than speed of inserting words.

One possible implementation is to structure the dictionary as an $n$-way tree, where $n$ is the number of letters in the alphabet of an identifier. The first letter of the identifier selects the corresponding branch, and follows it to the next node, if not null. If null, the identifier is not a keyword. Repeat with the second character, and so on.

Typically each node is implemented as an array, indexed by character, containing a pointer to another such node, which may be null.

Lookup is fast, $O(c)$ where $c$ is the number of characters in the identifier.
Slide 72: Using Maps to model Fast-Lookup Dictionaries

We revisit our dictionary model, to model a fast lookup version ($DFast$), but now assume that words are non-empty sequences of characters ($A$):

$w \in Word = A^+$
$c \in A$

We model an array of pointers (some of which might be null) indexed by characters, by a partial map from characters to non-null pointers. In fact, we model pointers by the maps they point to, resulting in a recursive domain definition:

$\delta \in DFast = A \xrightarrow{m} DFast$

Note: The type $DFast$ is its own index, in some sense! The fact that the map is partial is essential at this point.

For example, the dictionary containing "and", "alt" and "or" is modelled as:

$\delta = \{\,\text{'a'} \mapsto \{\,\text{'l'} \mapsto \{\text{'t'} \mapsto \theta\},\ \text{'n'} \mapsto \{\text{'d'} \mapsto \theta\}\,\},\ \text{'o'} \mapsto \{\text{'r'} \mapsto \theta\}\,\}$
Slide 73: Building a Fast Dictionary

For the dictionary model $DFast$, we need a build operation. One possible attempt is:

- to define an operation $Cvt$ to convert a word into a $DFast$ map:

$Cvt : A^\star \to DFast$
$Cvt\,\Lambda \triangleq \theta$
$Cvt\,(c : w) \triangleq \{c \mapsto Cvt\,w\}$

- to define a binary operation ($\vartriangle$) that merges $DFast$ maps:

$\vartriangle : DFast \times DFast \to DFast$
$\delta \vartriangle \theta \triangleq \delta$
$\delta \vartriangle (\phi \sqcup \{c \mapsto \gamma\}) \triangleq \eta \vartriangle \phi$

where

$\eta = \delta \sqcup \{c \mapsto \gamma\}$, if $c \notin \delta$
$\eta = \delta \dagger \{c \mapsto \delta(c) \vartriangle \gamma\}$, if $c \in \delta$

This looks familiar!
Slide 74: Self Indexing

Examination of the dictionary merge operator leads to the following surprising result: for a reflexive (recursively defined) type $T$ such as

$T = A \xrightarrow{m} T$

which is inherently self-indexing, the merge operator $\vartriangle : T \times T \to T$ is its own index: $\vartriangle = \hat\vartriangle$.

In other words, given monoid $(T_A, \vartriangle, \theta)$ where $T_A = A \xrightarrow{m} T$, then indexing by $A$ has no effect:

$(T_A, \vartriangle, \theta) \approx (A \xrightarrow{m} T_A, \hat\vartriangle, \theta)$

Note: this result requires naive indexing to work.
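The fast dictionary of slides 71 to 74, as an added Python example (not code from the slides): a $DFast$ value is a nested dict keyed by single characters, $\theta$ is the empty dict, and `cvt`, `merge`, `build` and `lookup` are this example's own names. `merge` is written so that its body is literally the naive-indexing template of slide 61 with the operator being merge itself, which is the self-indexing observation of slide 74.

```python
"""Fast-lookup dictionary as a recursive map A -m-> DFast (slides 72 to 74).

Added example, not from the slides.  A DFast value is a nested dict whose
keys are single characters; theta = {} marks the end of a stored word.
"""
from typing import Dict, Iterable

DFast = Dict[str, "DFast"]
THETA: DFast = {}


def cvt(word: str) -> DFast:
    """Cvt: a word becomes one chain of maplets ending in theta."""
    if word == "":                       # Cvt Lambda = theta
        return {}
    return {word[0]: cvt(word[1:])}      # Cvt (c : w) = {c -> Cvt w}


def merge(delta: DFast, phi: DFast) -> DFast:
    """The merge operator of slide 73.  Note the shape: new branches are
    added, shared branches get delta(c) merged with gamma.  That is the
    naive indexing template with star := merge, i.e. merge is its own index."""
    eta = dict(delta)                    # delta is a value; copy before updating
    for c, gamma in phi.items():
        eta[c] = merge(eta[c], gamma) if c in eta else gamma
    return eta


def build(words: Iterable[str]) -> DFast:
    """Fold the merge over the converted words, starting from theta."""
    delta: DFast = {}
    for w in words:
        delta = merge(delta, cvt(w))
    return delta


def lookup(delta: DFast, word: str) -> bool:
    """Follow one branch per character (slide 71).  A missing branch means
    'not a keyword'; the word is present only if the walk ends at theta."""
    node = delta
    for c in word:
        if c not in node:
            return False
        node = node[c]
    return node == THETA


if __name__ == "__main__":
    keywords = build(["and", "alt", "or"])       # the dictionary of slide 72
    print(keywords)
    print([lookup(keywords, w) for w in ("and", "alt", "or", "an", "andy", "x")])
```

One consequence of the model as stated is worth noticing when running this: because $\theta$ is the only end-of-word marker, a keyword that is a proper prefix of another keyword cannot be stored (merging $Cvt$ "an" with $Cvt$ "and" gives only the longer chain), and `lookup` answers "not a keyword" for it. A concrete implementation adds an explicit end flag to each node to lift that restriction.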
Slide 75: Open Questions about Indexing and Structure

- We have applied indexing to semigroups, monoids and groups. Can the concept be extended easily to rings, fields, etc.?
- The powerset monoids lead into the area of lattices. Can lattices be indexed?
- What happens if we make the carrier set the indexing set?
- What other ways exist to generate structures?

More recent work on VDM♣ has focussed on Inner and Outer Laws, a weaker but more general notion than monoids.
Slide 76: Progress of Talk

1. Introduction
2. History
3. Some VDM♣ Models
4. Structures and Morphisms
5. Indexed Structures
6. A Geometry of Formal Methods
7. A meta-theory of structures: Categories
8. On building mathematical toolkits and tools
9. Conclusions
Slide 77: From Indexing to Geometry

The concept of the indexed monoid led research in VDM♣ into the areas of fibre-bundles and sheaves, which are complex structures associated with function spaces. A lot of this theory is tied into modelling dynamic systems and certain forms of constructive geometry.

Drawing inspiration from the Cartesian duality between Algebra and Geometry, Mícheál Mac an Airchinnigh hypothesised the existence of a Geometry of Formal Methods [Mac96, Mac97]. In particular, it was viewed that these structures might provide a springboard for developing models of distributed systems with VDM♣.
Slide 78: Fibre-Bundles

A fibre-bundle is a way of viewing a map which emphasises its partitioning properties.

A set $A$ is partitioned into a set of sets $\{A_i \mid A_i \subseteq A\}$ for $i \in I$, if the $A_i$ are pairwise disjoint, and $\bigcup\{A_i\} = A$. Such a collection of pairwise disjoint sets is an $I$-indexed bundle.

Given a map $\mu : A \xrightarrow{m} I$, a partitioning is induced on $A$, where each partition contains elements of $A$ which map to the same element of $I$. Alternatively put: for all $i \in I$, the collection of inverse images $\mu^{-1}(\{i\})$ forms a partition of $A$. (Inverse image maps $\mu \in A \xrightarrow{m} I$ onto $\beta \in I \xrightarrow{m} \mathcal{P}'A$.)

Each element of $I$ acts as a partition index. So we can view the bundle $\{A_i\}_{i \in I}$ as a map $\beta \in I \xrightarrow{m} \mathcal{P}'A$.

This gives us a way to represent a partition without an explicit invariant.
Slide 79: Monoid of Inverted Maps

The use of fibre-bundles, in their form as inverted maps ($I \xrightarrow{m} \mathcal{P}'A$), led to an exploration of the structure associated with such entities. Clearly an inverted map monoid is obtained by indexing the monoid of sets under union:

$(\mathcal{P}A, \cup, \emptyset) \longrightarrow (I \xrightarrow{m} \mathcal{P}'A, \hat\cup', \theta)$

Investigation of the relationship between override and inverted maps [Mac93] led to the following result:

$(\mu \dagger \nu)^{-1} = (I \xrightarrow{m} \rhd{-}[\nu])\,\mu^{-1} \mathbin{\hat\cup'} \nu^{-1}$

It is instructive to compare it with:

$\mu \dagger \nu = \rhd{-}[\nu]\,\mu \sqcup \nu$

From this, the definition of an operator on inverse maps analogous to override was developed [Hug00]:

$\beta \ddagger \gamma = (I \xrightarrow{m} \rhd{-}[(\cup/ \circ \mathrm{rng})\,\gamma])\,\beta \mathbin{\hat\cup} \gamma$

This operator ($\ddagger$) is called "underride".
Slide 80: Relating Maps and their Inverses

Arthur Hughes [Hug00] has established an isomorphism between the monoid of maps, and that of inverse maps. As a result, many operations in one have equivalents in the other:

Maps                                   Inv. Maps
$\mu, \nu \in A \xrightarrow{m} B$      $\beta, \gamma \in B \xrightarrow{m} \mathcal{P}'A$
$\mu \sqcup \nu$                        $\beta \mathbin{\hat\cup} \gamma$
$\rhd[S]\,\mu$                          $(I \xrightarrow{m} \rhd[S])\,\beta$
$\rhd{-}[S]\,\mu$                       $(I \xrightarrow{m} \rhd{-}[S])\,\beta$
$\lhd[S]\,\mu$                          $\rhd[S]\,\beta$
$\lhd{-}[S]\,\mu$                       $\rhd{-}[S]\,\beta$
$\mathrm{dom}\,\mu$                     $(\cup/ \circ \mathrm{rng})\,\beta$
$\mathrm{rng}\,\mu$                     $\mathrm{dom}\,\beta$
$\mu \dagger \nu$                       $\beta \ddagger \gamma$
Slide 81: A view of Fibre-Bundles

As an example, consider the map $\mu : A \xrightarrow{m} I$:

$\mu = \{a_1 \mapsto i_1,\ b_2 \mapsto i_2,\ c_1 \mapsto i_1\}$

A traditional picture places $A$ on the left and $I$ on the right, with arrows $a_1 \to i_1$, $b_2 \to i_2$ and $c_1 \to i_1$.

[Figure: the fibre-bundle view of $\mu$, with $\beta = \mu^{-1} \in I \xrightarrow{m} \mathcal{P}'A$ drawn above the base $I$ and $\mu$ as the vertical projection down onto $I$.]

The fibre-bundle view makes the partitioning more explicit. Observe how the "fibres" ($i_1 \leftrightarrow a_1, c_1$) and ($i_2 \leftrightarrow b_2$) sit above the "base" $I$.
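The inverse-map constructions of slides 78 to 81 can be checked mechanically. The following Python is an added example, not code from the slides or from [Hug00]: it uses the map $\mu$ of slide 81 together with a constructed second map $\nu$, and verifies the partition property, the $\mathrm{dom}/\mathrm{rng}$ rows of the slide 80 table, and the last row, $(\mu \dagger \nu)^{-1} = \mu^{-1} \ddagger \nu^{-1}$. The function names (`inverse`, `underride`, `duality_holds`, and so on) are this example's own.

```python
"""Maps, their inverses and the override/underride duality (slides 78 to 81).

Added example, not from the slides: mu : A -m-> I is a dict, and its
inverse beta = mu^-1 : I -m-> P'A maps each index to the frozenset of
elements lying above it (its fibre).  No index is ever mapped to the
empty set, i.e. set-valued maps are kept in their sophisticated form.
"""
from typing import Dict, FrozenSet, Hashable, Set

Map = Dict[Hashable, Hashable]
InvMap = Dict[Hashable, FrozenSet[Hashable]]


def inverse(mu: Map) -> InvMap:
    """beta(i) = mu^-1({i}); indices with an empty inverse image get no maplet."""
    fibres: Dict[Hashable, Set[Hashable]] = {}
    for a, i in mu.items():
        fibres.setdefault(i, set()).add(a)
    return {i: frozenset(s) for i, s in fibres.items()}


def is_partition(beta: InvMap, carrier: Set[Hashable]) -> bool:
    """Slide 78: the fibres are pairwise disjoint, non-empty, and cover the carrier."""
    fibres = list(beta.values())
    disjoint = all(not (s & t) for k, s in enumerate(fibres) for t in fibres[k + 1:])
    return disjoint and all(fibres) and frozenset().union(*fibres) == carrier


def dom_subtract(s: FrozenSet[Hashable], mu: Map) -> Map:
    """Domain subtraction: drop the maplets whose domain element lies in s."""
    return {a: i for a, i in mu.items() if a not in s}


def override(mu: Map, nu: Map) -> Map:
    """mu dagger nu = (domain-subtract dom nu from mu) extended by nu."""
    return {**dom_subtract(frozenset(nu), mu), **nu}


def fibre_union(beta: InvMap, gamma: InvMap) -> InvMap:
    """Sophisticated indexed union of inverse maps: fibres of shared indices
    are unioned, and any fibre that is empty is dropped."""
    out = dict(beta)
    for i, s in gamma.items():
        out[i] = (out[i] | s) if i in out else s
    return {i: s for i, s in out.items() if s}


def underride(beta: InvMap, gamma: InvMap) -> InvMap:
    """beta ddagger gamma (slide 79): subtract from every fibre of beta the
    elements gamma relocates, i.e. the union of gamma's range, then take
    the indexed union with gamma."""
    moved = frozenset().union(*gamma.values())
    trimmed = {i: s - moved for i, s in beta.items()}
    return fibre_union(trimmed, gamma)


def duality_holds(mu: Map, nu: Map) -> bool:
    """Last row of the slide 80 table: (mu dagger nu)^-1 == mu^-1 ddagger nu^-1."""
    return inverse(override(mu, nu)) == underride(inverse(mu), inverse(nu))


if __name__ == "__main__":
    mu = {"a1": "i1", "b2": "i2", "c1": "i1"}   # the map of slide 81
    nu = {"c1": "i2", "d3": "i3"}               # constructed: moves c1, adds d3
    print(inverse(mu))                           # {'i1': {a1, c1}, 'i2': {b2}}
    print(is_partition(inverse(mu), set(mu)))    # True
    print(duality_holds(mu, nu))                 # True
```

The empty-fibre filter in `fibre_union` is what makes the duality hold: when $\nu$ relocates every element of some fibre of $\mu$, that index disappears from $(\mu \dagger \nu)^{-1}$, so it must also disappear from $\mu^{-1} \ddagger \nu^{-1}$, which is exactly the $\mathcal{P}'A$ (no empty sets in the range) discipline of slide 69.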
Slide 82: Fibre-Bundles and Geometry

How does this connect to geometry?

We can view the fibres as having further structure, so $i_1 \leftrightarrow \{a_1, c_1\}$ might become $i_1 \leftrightarrow \langle a_1, c_1 \rangle$.

We can take a "horizontal" projection (or section) through the fibres, to give a map $I \xrightarrow{m} A$, for example $\{i_1 \mapsto c_1, i_2 \mapsto b_2\}$. We can view the map $\mu : A \xrightarrow{m} I$ as a "vertical" projection.

We can then view the fibre elements ($A$) as a cross product, in some sense, of $I$ and a horizontal projection of $A$.

For example, let $I$ be points in the plane that mark out a circle, and let $A$ be points on a line perpendicular to that plane. Then, the fibres denote vertical sections through a cylinder obtained by sweeping the line around the circle.

For VDM♣, this was the first hint of a possible geometry underlying maps.
Slide 83: Sheaves

The other key structure that led us towards geometry, and ultimately towards category theory, was that of sheaves, which are closely related to fibre-bundles. We shall only summarise the definition of sheaves here:

- Consider a base set $B$ with an associated topology $\mathcal{O}(B) = \{O_i\}$.
- Associate with every open set $O_i$ a function $f_i : O_i \to A$ for some set $A$.
- Require that the $f_i$ agree on common intersections (are glueable), i.e. $x \in O_i \cap O_j \Rightarrow f_i(x) = f_j(x)$.

The resulting structure is a sheaf.

A typical modelling use of a sheaf is for the base topology to be one derived from a partial order, which can then represent linear or branching time. Then the sheaf becomes a model of a temporal or dynamic system.

Another modelling use is for the base topology to capture spatial properties. This should allow us to model distribution.
Slide 84: Recursion Diagrams

Looking for a geometry of formal methods, we sought some sort of space in which algorithms have trajectories. This was to allow us to explore issues such as relating naive and tail recursion.

An output of this was the notion of Recursion Diagrams [But98]. These diagrams made explicit the trade-offs involved in transforming various forms of single and multiple recursion into efficient tail recursion. In particular, it provided a graphical method for assessing multiply recursive definitions (e.g. Fibonacci) to see if they could be put into tail form.
Slide 85: Geometry — Issues

The question of what mathematical (categorical) structure underlies Recursion Diagrams is still open.

The Sheaf structure is complex, and is an instance of a category theoretic notion of a Topos, which seems to have something to do with topology (?).

Clearly, we need to improve still further our understanding of mathematical structure.
Slide 86: Progress of Talk

1. Introduction
2. History
3. Some VDM♣ Models
4. Structures and Morphisms
5. Indexed Structures
6. A Geometry of Formal Methods
7. A meta-theory of structures: Categories
8. On building mathematical toolkits and tools
9. Conclusions
Slide 87: Why Category Theory?

In 1990, Mícheál Mac an Airchinnigh avoided Category Theory [Mac90]. However, several factors have conspired to draw VDM♣ back towards this area:

- The functional nature of VDM♣, and modern functional languages using currying, fit very well with a categorical view of the world.
- The exploration of more elaborate structures such as fibre-bundles and sheaves involved increasing exposure to the theory.
- The discovery by the Irish School of work by others on the concept of Topoi, a particular class of categories with important properties.
- A growing realisation that Category Theory is a (the) meta-theory of mathematical structure.
Slide 88: What is a Category?

A Category $\mathcal{C}$ consists of the following entities [Wal91, LS97]:

- $A, B, C, \ldots \in Obj(\mathcal{C})$: a collection of Objects.
- $f, g, h, \ldots \in Arr(\mathcal{C})$: a collection of Arrows, each of which originates at and ends upon objects. An arrow $f$ originating at object $A$ and terminating on object $B$ is often written as $f : A \to B$ or $A \xrightarrow{f} B$.
- A partial binary operator on arrows called Composition ($\circ$).

The objects, arrows and composition must obey the following rules:

- For every object $A$ there is an identity arrow $id_A : A \to A$.
- Composition $(f \circ g)$ is defined for all pairs of arrows of the form $(B \xrightarrow{f} C,\ A \xrightarrow{g} B)$.
- Composition is associative: $f \circ (g \circ h) = (f \circ g) \circ h$.
- For all arrows $A \xrightarrow{f} B$ we have: $id_B \circ f = f = f \circ id_A$.
Slide 89: What are Categories?

To identify a category, we need to identify the entities acting as objects, arrows and composition. Here are a few key examples:

Category   Objects      Arrows                  Composition
Set        Sets         Total Functions         Function Composition
Pfn        Sets         Partial Functions       Function Composition
Rel        Sets         Relations               Relation Composition
Cpo        C.P.O.s      Monotonic Functions     Function Composition
Pwr        Subsets      Inclusions              Inclusion Composition
Mon        Monoids      Monoid Homomorphisms    Function Composition
Grp        Groups       Group Homomorphisms     Function Composition
Top        Topologies   Continuous Functions    Function Composition
Shf        Sheaves      Sheaf Morphisms         Morphism Composition

There are many others!
Slide 90: Enriching the concept (I)

Category Theory gets its richness from extra definitions, given largely in terms of arrows and composition.

For example, in a category, two objects $A$ and $B$ are isomorphic ($A \approx B$) iff there exist arrows $A \xrightarrow{f} B$ and $B \xrightarrow{g} A$ such that $f \circ g = id_B$ and $g \circ f = id_A$ ($g$ is often written as $f^{-1}$). Such arrows are known as bijections or isomorphisms. In Set, sets with the same cardinality are isomorphic.

An object (typically called $0$) is Initial if there exists exactly one arrow from it to any object. An object (typically called $1$) is Terminal if there exists exactly one arrow to it from any object. All initial objects are isomorphic to each other, as are terminal objects.

In Set, the empty set is initial, while any singleton set is terminal. In Pfn and Rel, the empty set is both initial and terminal ($0 = 1$)!
Slide 91: Enriching the concept (II)

It is possible to give category-theoretic definitions of:

- Products: $A \times B$, $A \times (B \times C)$, ... In Set, these are the usual Cross Products.
- Sums: $A + B$, $A + (B + C)$, ... In Set, these are Disjoint Unions, e.g. $(\{1\} \times A) \cup (\{2\} \times B)$.
- Exponentials: $A^B$, ... In Set, these are graphs of functions of type $B \to A$. Exponentials are the mechanism by which currying is defined categorically.

Given suitable conditions (satisfied by Set) we get lots of the "usual" properties:

$0 + A \approx A$
$1 \times A \approx A$
$A^B \times A^C \approx A^{B + C}$
$A \times B \approx B \times A$
$A \times B \to C \approx A \to C^B$
Slide 92: Topoi

Let us introduce two extra concepts [LS97]:

- Truth Object ($1 \xrightarrow{True} \Omega$). In Set, this is $True \in \mathbb{B}$.
- Sub-Object Classifiers ($\chi$), which allow us to talk about "elements" of objects, and objects as sub-parts of each other. In Set, these are the characteristic functions.

Then we can define a Topos as a category $\mathcal{T}$ which has, for all $A$, $B$: $0$, $1$, $A + B$, $A \times B$, $A^B$, $1 \xrightarrow{True} \Omega$ and $\chi$.

Set is a topos. So is Shf, and Top. There are many others. But neither Pfn nor Rel are topoi!
Slide 93: Why are Topoi interesting?

Every topos is a model of an intuitionistic logic. Moreover, for certain types of topoi, it is possible to add in the law of the excluded middle provided you also accept the axiom of choice (and vice-versa). Set is a topos of this type, whereas Top is not.

If we can give a topos-theoretic foundation to VDM♣, then we get a logic "for free", and the ability to work in any topos (i.e. Shf). This is one of the aims of current research [Hug98, Hug00].
Slide 94: What is the difficulty?

VDM♣, like other formal methods, makes extensive use of partial functions and maps. But the category involving such things (Pfn) is not a topos.

However, it is possible to represent a partial function $\mu : A \xrightarrow{m} B$ by two total functions:

- One is a total function $f : \mathrm{dom}\,\mu \to B$.
- The other is the relational datum $\mathrm{dom}\,\mu \subseteq A$, which can be represented as an injective function $\imath : \mathrm{dom}\,\mu \to A$.

We link them by observing that $f = \mu \circ \imath$ (in some sense). The key is to build the map operator definitions (such as override) on this foundation [Hug00].

A deeper difficulty lies in handling recursion, which requires partiality in an essential way — it appears at present that Domain Theory and Topos Theory are not compatible.
Slide 95: Back to Algebras (and co-Algebras)

Every category has a dual in which all arrows are reversed and composition is revised accordingly. Some concepts are duals of each other, for example $0$ and $1$, and $\times$ and $+$. Some categories are their own dual (e.g. Rel).

It is possible to define structure-preserving mappings between categories — these are called functors ($\mathcal{P}f$, $f^\star$ and $(f \xrightarrow{m} g)$ are such functors). A functor ($F$) to and from the same category is called an endofunctor.

Endofunctors on a category can be used to generate algebras ($F(A) \to A$), and their dual concept, co-algebras ($A \to F(A)$), which themselves can form categories!

The key point is that algebras and co-algebras (as discussed earlier) are dual concepts in the category-theoretic sense.
Slide 96: The Algebraic/co-Algebraic Duality

We can construct a table that captures this duality under different headings. Some aspects of the duality are:

Aspect        Algebra               co-Algebra
Models        Finite Structures     Finite & Infinite Structures
Definitions   Recursion             co-Recursion
Reasoning     Congruence            Bisimulation
Tools         Theorem Provers       Model-Checkers
Areas         Data & Computation    Communication & Behaviour

Thanks to ACMMPC at Lincoln College, Oxford, April 2000, for helping us build this view.

The Irish School has put considerable work into the algebraic side; we now hope to focus on the co-algebraic side.
Slide 97: Progress of Talk

1. Introduction
2. History
3. A simple VDM♣ Model
4. Structures and Morphisms
5. Indexed Structures
6. A Geometry of Formal Methods
7. A meta-theory of structures: Categories
8. On building mathematical toolkits and tools
9. Conclusions
Slide 98: The need for tools

Working on foundations is one thing; using VDM♣ to model real systems is quite another.

- Tool support would be nice.
- Tool support is expensive to implement.
- Tool support requires a commitment to a concrete syntax and a concrete logic.

Who needs yet another (model-theoretic) formal method?
Slide 99: The position of VDM♣ among other Methods

We view VDM♣ as complementary to existing methods such as VDM-SL, Z or B. We see it as complementary to various tools such as Mathematica, PVS, HOL or Isabelle.

We see the results on mathematical structure as guiding the construction of theories and libraries for those methods and tools.

We see a sensible way forward as the take-up of some of our ideas by practitioners whose main notation, method or tools are not those associated with VDM♣.

The main theme is that of mathematical structure as an organising principle to obtain compact clean models and compact clean proofs.