## On Behavioural Abstraction and Behavioural Satisfaction in Higher-Order Logic (1996)

### Download Links

- www.dcs.ed.ac.uk
- ftp.dcs.ed.ac.uk
- homepages.inf.ed.ac.uk
- DBLP

### Other Repositories/Bibliography

Citations: 25 (5 self)

### BibTeX

    @MISC{Hofmann96onbehavioural,
        author = {Martin Hofmann and Donald Sannella},
        title = {On Behavioural Abstraction and Behavioural Satisfaction in Higher-Order Logic},
        year = {1996}
    }

### Abstract

The behavioural semantics of specifications with higher-order logical formulae as axioms is analyzed. A characterization of behavioural abstraction via behavioural satisfaction of formulae in which the equality symbol is interpreted as indistinguishability, which is due to Reichel and was recently generalized to the case of first-order logic by Bidoit et al., is further generalized to this case. The fact that higher-order logic is powerful enough to express the indistinguishability relation is used to characterize behavioural satisfaction in terms of ordinary satisfaction, and to develop new methods for reasoning about specifications under behavioural semantics.

1 Introduction

An important ingredient in the use of algebraic specifications to describe data abstractions is the concept of behavioural equivalence between algebras, which seems to appropriately capture the "black box" character of data abstractions, see e.g. [GGM76], [GM82], [ST87] and [ST95]. Roughly speaking (since there ...

### Citations

525 | Introduction to HOL : a theorem proving environment for higher-order logic
- Gordon, Melham
- 1993

Citation Context: ... of constructing them from “specifications”, e.g. recursive definitions. Therefore, one needs a unique choice operator or (in the absence of a syntax for proofs) a general choice operator ε as in HOL [GM93]. The presence of such a choice operator again poses non-trivial albeit surmountable problems. But note that n-ary functions may already be coded as (n+1)-ary predicates in the usual way, and that thi...

248 | The Formal Semantics of Programming Languages
- Winskel
- 1993

Citation Context: ...at then Proposition 4.9 and hence Theorem 5.15 below would not hold, meaning that the results in Section 6 would not be applicable. By analogy with the terminology of denotational semantics (see e.g. [Win93]), a Σ-algebra A is called fully abstract when the indistinguishability relation on A is simply equality. Such an A is called an algebra of minimal redundancy in [Rei85]. Definition 4.3 ([BHW94]) Let ...

224 | Algebraic specifications
- Wirsing
- 1990

Citation Context: ...|=≈. See [Rei85], where a proof system for conditional equational logic is given that is sound for an indistinguishability relation different from ≈OBS, in the context of partial algebras; see also [HW93]. 7.4 ϕ ∈ Th(abstract 〈Σ, Φ〉 w.r.t. ≡) This is the problem that is of importance for reasoning about specifications in a language like ASL [SW83] that includes a specification-building operation corre...

186 | Completeness in the theory of types
- Henkin
- 1950

Citation Context: ...) Expanding fair(start) gives a single formula expressing the required property. □ The language defined above is a trimmed version of the “classical theory of simple types” as introduced by Henkin in [Hen50]. Henkin considers non-standard models for which a natural Gentzen-style proof system is sound and complete. A good reference is also Chapter 4 of Schütte’s monograph [Sch77] where cut-elimination for...

144 | Type systems for programming languages
- Mitchell
- 1990

Citation Context: ...vious from the definition of satisfaction. The following definition explains how to extend the partial congruence ≈, which relates values of base types only, to a so-called logical relation (see e.g. [Mit90]) over all types. The resulting relation will be used below to give an interpretation of bracket types. Definition 3.14 We extend ≈ to “bracket” types by taking p ≈[τ1,...,τn] p′ for p, p′ ∈ [[[τ1,...

141 | Toward formal development of programs from algebraic speci implementations revisited
- Sannella, Tarlecki
- 1988

Citation Context: ...t a solution to this problem provides the basis of a strategy for proving correctness of implementation steps in stepwise refinement of specifications (cf. [BH94b] and “abstractor” implementations in [ST88]). The following proof method follows immediately from Corollary 5.7: Proof Method 7.3 ϕ ∈ Th≈(〈Σ, Φ〉) iff Φ |= �ϕ�. □ This is essentially the same as the solution proposed in [BH95], except that beca...

101 | Proof Theory
- Schütte
- 1977

Citation Context: ...s introduced by Henkin in [Hen50]. Henkin considers non-standard models for which a natural Gentzen-style proof system is sound and complete. A good reference is also Chapter 4 of Schütte’s monograph [Sch77] where cut-elimination for this system is established. 3 Semantics of higher-order logic Let Σ = 〈B, C〉 be a signature. Terms over Σ are interpreted in the context of a Σ-algebra which gives meaning t...

91 | Specifications in an arbitrary institution
- Sannella, Tarlecki
- 1988

Citation Context: ...viour SP w.r.t. ≈) coincide by Theorem 3.35. But for structured specifications they do not coincide in general. Methods for reasoning about structured specifications — see e.g. the inference rules in [ST88a] — apply to the second interpretation but appear to be inapplicable to the first. Further research is required to clarify the relationship between abstractor specifications (which generalize easily to...

85 | Initiality, induction and computability
- Meseguer, Goguen
- 1985

Citation Context: ...oes not make use of the higher-order features of the language, except as a result of the way that equality is expressed via quantification over predicates. So ≡OBS is just the same as in e.g. [SW83], [MG85], [NO88]. The reason for this choice is that the natural modification of the definition of ≡OBS to make use of higher-order formulae (Definition 5.13) gives exactly the same relation, see Corollary 5....

71 | Universal realization, persistent interconnection and implementation of abstract modules
- Goguen, Meseguer
- 1982

Citation Context: ...ations to describe data abstractions is the concept of behavioural equivalence between algebras, which seems to appropriately capture the “black box” character of data abstractions, see e.g. [GGM76], [GM82], [ST87] and [ST92]. Roughly speaking (since there are different choices of definition), two algebras A, B over a signature Σ are behaviourally equivalent with respect to a distinguished set OBS of ob...

71 | Modal and Temporal Logics of Processes
- Stirling
- 2001

66 | On observational equivalence and algebraic specification
- Sannella, Tarlecki
- 1987

Citation Context: ... satisfy the axioms Φ w.r.t. ≈: Mod(behaviour 〈Σ, Φ〉 w.r.t. ≈) = {A ∈ Alg(Σ) | A |=≈A Φ}. The notation used for behavioural specifications should not be confused with similar notation used in [SW83] and [ST87] for a particular special case of abstractor specifications. Example 6.4 〈Σctr, Φctr〉 is a specification having as models the class of all Σctr-algebras that are isomorphic to Nat. abstract 〈Σctr, Φct...

55 | A kernel language for algebraic specification and implementation
- Sannella, Wirsing
- 1983

Citation Context: ...ding operations deliver closed classes, see e.g. [NO88]) or by the specifier (by applying a specification-building operation, sometimes known as behavioural abstraction, to form the closure, see e.g. [SW83], [ST87]). The term “behavioural semantics” is sometimes used to characterize approaches that take the need for behavioural closure into account. Behavioural abstraction seems to be an implicit ingred...

54 | Toward formal development of ML programs: foundations and methodology
- Sannella, Tarlecki
- 1989

Citation Context: ...servable types that are not OBS-reachable: see [ONS91] for an example. The second variant seems to be unnecessarily restrictive in the presence of parameterised specifications, since (as discussed in [ST89]) OBS will normally include the parameter types and these types typically lack generators; this leads to a behavioural equivalence relation that is too coarse. 5 Expressible congruences and relativiza...

49 | Context induction: a proof principle for behavioral abstractions
- Hennicker
- 1991

Citation Context: ...act number ERBCHBICT930420. ‡ E-mail dts@dcs.ed.ac.uk. Supported by an EPSRC Advanced Fellowship and EPSRC grants GR/H73103 and GR/J07303. to be too complicated for convenient use in practice (e.g. [Hen91], [Far92]). One avenue of attack on this problem is to consider the relationship between the class of algebras produced by applying the behavioural abstraction operation to a specification 〈Σ, Φ〉, and...

38 | Behavioural validity of conditional equations in abstract data types
- Reichel
- 1985

Citation Context: ...as obtained by simply interpreting equality in the axioms Φ as indistinguishability rather than as identity. The latter approach, sometimes known as behavioural satisfaction, was pioneered by Reichel [Rei85] who showed that these two classes coincide when the axioms involved are conditional equations, provided that the conditions used are equations between terms of types in OBS. This yields a reasoning m...

36 | The definition of Extended ML: A gentle introduction
- Kahrs, Sannella, et al.
- 1997

Citation Context: ...semantics of specifications with higher-order formulae as axioms was the desire to apply the results in the Extended ML framework for the formal development of ML programs from specifications [ST89], [KST94]. The characterization results and reasoning methods are of direct relevance in this context: the interpretation of Extended ML interfaces involves abstractor specifications, and the logical system us...

32 | Modular correctness proofs of behavioural implementations
- Bidoit, Hennicker
- 1998

Citation Context: ...tienting with respect to indistinguishability of values, provided that indistinguishability is weakly regular and that behavioural equivalence is factorizable by indistinguishability. Subsequently, [BH95] and [BH96] use this characterization as the basis for reasoning methods. In this paper we examine these issues for the case of (flat) specifications with higher-order logical formulae as axioms. Our ...

32 | Behavioural theories and the proof of behavioural properties
- Bidoit, Hennicker
- 1996

Citation Context: ...with respect to indistinguishability of values, provided that indistinguishability is weakly regular and that behavioural equivalence is factorizable by indistinguishability. Subsequently, [BH95] and [BH96] use this characterization as the basis for reasoning methods. In this paper we examine these issues for the case of (flat) specifications with higher-order logical formulae as axioms. Our first main ...

32 | Behavioural correctness of data representations
- Schoett
- 1985

Citation Context: ...s, since (as discussed in [ST89]) OBS will normally include the parameter types and these types typically lack generators; this leads to a behavioural equivalence relation that is too coarse. Schoett [Sch90] has shown that A ≡OBS A′ iff there exists an OBS-correspondence between A and A′ (a family of relations 〈↔b ⊆ [[b]]A × [[b]]A′〉b∈B such that for all c : b1 × ··· × bn → b in C and all v1 ∈ [[b1]]...

30 | Behavioural satisfaction and equivalence in concrete model categories
- Bidoit, Tarlecki
- 1996

Citation Context: ...is characterization is useful for proving that specific algebras are 4 In fact, the definition of A ≡OBS A′ in [Sch90] requires [b]A = [b]A′ for all b ∈ behaviourally equivalent. Very recently, [BT96] has generalized this result. First, they consider an arbitrary concrete category of models, rather than that of ordinary algebras, and study the concepts of behavioural satisfaction and behavioural e...

29 | Observability concepts in abstract data type speci
- Giarratana, Gimona, et al.
- 1976

Citation Context: ... specifications to describe data abstractions is the concept of behavioural equivalence between algebras, which seems to appropriately capture the “black box” character of data abstractions, see e.g. [GGM76], [GM82], [ST87] and [ST92]. Roughly speaking (since there are different choices of definition), two algebras A, B over a signature Σ are behaviourally equivalent with respect to a distinguished set O...

29 | Universal algebra in higher types
- Meinke
- 1992

Citation Context: ...gic. However, the framework presented here needs to be extended in two directions to make the match a perfect one. First, the framework needs to be generalized to allow functions of higher type as in [Mei92], in addition to the predicates of higher type that are already present. The most obvious examples which require the use of behavioural semantics in the context of higher-order logic (e.g. in Extended...

29 | Initial behaviour semantics for algebraic speci
- Nivela, Orejas
- 1988

Citation Context: ...e realizations that are indistinguishable from acceptable ones. Closure can be ensured by the specification framework (by making all specification-building operations deliver closed classes, see e.g. [NO88]) or by the specifier (by applying a specification-building operation, sometimes known as behavioural abstraction, to form the closure, see e.g. [SW83], [ST87]). The term “behavioural semantics” is so...

28 | Implementation and behavioural equivalence : a survey
- Orejas, Navarro, et al.
- 1993

Citation Context: ...is simply wrong because the resulting behavioural equivalence relation fails to identify algebras that differ only in their behaviour on values of non-observable types that are not OBS-reachable: see [ONS91] for an example. The second variant seems to be unnecessarily restrictive in the presence of parameterised specifications, since (as discussed in [ST89]) OBS will normally include the parameter types ...

23 | An introduction to fibrations, topos theory, the effective topos, and modest sets
- Phoa
- 1992

Citation Context: ...ere the proof method is analogous. We believe that the above development would go through, mutatis mutandis, for Henkin models [Hen50] as well as in a constructive framework like that of topos theory [Pho92]. In the absence of the axiom of choice, e.g. in topos theory, one must replace the function χ in the proof of Theorem 3.28 by a relation which is functional up to ≈. 4 Behavioural equivalence and ...

17 | Proving behavioural theorems with standard first-order logic
- Bidoit, Hennicker
- 1994

Citation Context: ...osed under quotienting w.r.t. indistinguishability of values, provided that indistinguishability is regular and that behavioural equivalence is factorizable by indistinguishability. A companion paper [BH94a] uses this characterization as the basis for a reasoning method. In this paper we examine these issues for the case of (flat) specifications with higher-order logical formulae as axioms. Our first mai...

13 | Behavioural and abstractor specifications. Science of Computer Programming 25:149–186
- Bidoit, Hennicker, et al.
- 1995

Citation Context: ... problem treated in Section 7.4 below according to the following result, taking ≡ to be the equivalence induced by ≈, i.e. such that A ≡ A′ iff A/≈A ≅ A′/≈A′. See Example 7.18. Proposition 7.12 ([BHW95]) If ≡ is factorizable by ≈ then Th≈(Abs≡(A)) = Th≈(A). Proof: Straightforward, using Corollary 3.14 and two applications of Theorem 3.35. □ (In [BHW95], this result has an additional assumption, not...

11 | Proving the Correctness of Behavioural Implementations
- Bidoit, Hennicker
- 1995

Citation Context: ...is studied in [BH95], where it is argued that a solution to this problem provides the basis of a strategy for proving correctness of implementation steps in stepwise refinement of specifications (cf. [BH94b] and “abstractor” implementations in [ST88]). The following proof method follows immediately from Corollary 5.7: Proof Method 7.3 ϕ ∈ Th≈(〈Σ, Φ〉) iff Φ |= �ϕ�. □ This is essentially the same as the so...

10 | Verification in ASL and Related Specification Languages
- Farrés-Casals
- 1992

Citation Context: ...r ERBCHBICT930420. ‡ E-mail dts@dcs.ed.ac.uk. Supported by an EPSRC Advanced Fellowship and EPSRC grants GR/H73103 and GR/J07303. to be too complicated for convenient use in practice (e.g. [Hen91], [Far92]). One avenue of attack on this problem is to consider the relationship between the class of algebras produced by applying the behavioural abstraction operation to a specification 〈Σ, Φ〉, and the clas...

8 | Two Impossibility Theorems on Behaviour Specification of Abstract Data Types
- Schoett
- 1992

Citation Context: ...a closed respectful formula. Then Φ |= ϕ implies ϕ ∈ Th(abstract 〈Σ, Φ〉 w.r.t. ≡). □ In the case of behavioural abstraction, note that ∀r on base types corresponds exactly to reachable quantification as in [Sch92]. Also, since every observable formula amounts to a respectful formula (since respectful abstraction and quantification over observable types is equivalent to ordinary abstraction and quantification)...

8 | Model-theoretic foundations for program development: basic concepts and motivation
- Sannella, Tarlecki
- 1995

Citation Context: ...data abstractions is the concept of behavioural equivalence between algebras, which seems to appropriately capture the “black box” character of data abstractions, see e.g. [GGM76], [GM82], [ST87] and [ST95]. Roughly speaking (since there are different choices of definition), two algebras A, B over a signature Σ are behaviourally equivalent with respect to a distinguished set OBS of observable types if al...

5 | Modal and temporal logics for processes. In Logics for Concurrency: Structure versus Automata
- Stirling
- 1996

Citation Context: ... → proc. We would like to require that start is a fair schedule, i.e. that it schedules each process infinitely often. The following is essentially a translation of a formula in the modal mu-calculus [Sti92] into higher-order logic. We begin with the least and greatest fixed point operators, which can be expressed directly as follows: µ =def λ(Φ:[[sched],sched], s:sched). ν =def λ(Φ:[[sched],sched], s:sc...

4 | Second-order proof systems for algebraic specification languages
- Schobbens
- 1994

Citation Context: ...behavioural semantics is revealed as a special case of something more general. Higher-order logic provides sufficient power to express the indistinguishability relation as a predicate (Theorem 5.2, cf. [Sch94]). A second main contribution is the application of this fact to develop methods for reasoning about specifications under behavioural semantics. In Section 5 we characterize behavioural satisfaction i...

4 | Higher-Order Algebraic Specifications
- Möller
- 1987

Citation Context: ... over predicates in addition to the usual quantification over individuals. There is however no quantification over function types or use of functions as arguments to predicates or functions, cf. e.g. [Möl87], [Mei92]. There are two reasons for wanting to include functional types. First, higher-typed functional constants in signatures permit elegant specifications both of functional data structures such a...

4 | Universal algebra in higher types, Theoretical Computer Science 100
- Meinke
- 1992

2 | Behavioural and abstractor specifications. Report LIENS-9410, Ecole Normale Sup'erieure
- Bidoit, Hennicker, et al.
- 1994

Citation Context: ... of higher type. Second, the use of behaviour and abstract in the context of structured specifications built using operations like enrich and derive needs to be studied. An attempt at this appears in [BHW94], where the extension of behaviour to structured specifications is a post hoc construction on the class of models of the underlying specification: Mod(behaviour SP w.r.t. ≈) = Beh≈(Mod(SP)) Unless S...

2 | Observing nondeterministic data types. Selected Papers from the 5th Workshop on Specification of Abstract Data Types, Gullane
- Nipkow
- 1988

Citation Context: ...stinctions between algebras to be made. This is not necessarily what one would expect: in the case of non-deterministic algebras, the use of more complex formulae does yield a different relation, see [Nip88]. Corollary 5.16 ≡RelForm = ≡OBS = ≡OBSForm. Proof: Immediate from Theorem 5.15 and the definition of factorizability. □ 6 Relating abstractor specifications and behavioural specifications As discusse...

2 | Specification languages. Chapter 7 of Algebraic Foundations of Systems Specification
- Sannella, Wirsing
- 1996

1 | Behavioural theories. Selected Papers from the 10th Workshop on Specification of Abstract Data Types, Santa Margherita Ligure
- Bidoit, Hennicker
- 1995

Citation Context: ...nvironment w.r.t. ≈A. Then A |=≈A ρ ϕ iff A |=ρ �ϕ�. Proof: Immediate from Theorem 5.6. □ The definition of the ∼-relativization of a formula is closely related to the definition of “lifted” formula in [BH95], and Corollary 5.7 is a higher-order version of Theorem 15 there. Corollary 5.8 Let A, A′ be Σ-algebras such that A/≈A ≅ A′/≈A′, and let ϕ be a closed formula. Then A |= �ϕ� iff A′ |= �ϕ�. Proof: A |...

1 | Behavioural validity of conditional equations in abstract data types
- Reichel
- 1984

Citation Context: ...as obtained by simply interpreting equality in the axioms Φ as indistinguishability rather than as identity. The latter approach, sometimes known as behavioural satisfaction, was pioneered by Reichel [Rei85] who showed that these two classes coincide when the axioms involved are conditional equations, provided that the conditions used are equations between terms of types in OBS. This yields a reasoning m...

1 | On observational equivalence and algebraic specification
- Sannella, Tarlecki
- 1987

Citation Context: ... satisfy the axioms Φ w.r.t. ≈: Mod(behaviour 〈Σ, Φ〉 w.r.t. ≈) = {A ∈ Alg(Σ) | A |=≈A Φ}. The notation used for behavioural specifications should not be confused with similar notation used in [SW83] and [ST87] for a particular special case of abstractor specifications. We have now built up enough machinery to redo the development in [BHW94] in the framework of higher-order logic. Although it is not made ex...

1 | Modal and temporal logics for processes. Report ECS-LFCS-92-221, Univ. of Edinburgh (1992). To appear in
- Stirling
- 1995

Citation Context: ... → proc. We would like to require that start is a fair schedule, i.e. that it schedules each process infinitely often. The following is essentially a translation of a formula in the modal mu-calculus [Sti92] into higher-order logic. The following predicate expresses that a predicate P holds infinitely often in a schedule s: infinitely-often =def λ(P:[sched], s:sched). always((λ(s′:sched). eventually(P, s...

1 | Verification in ASL and Related Specification Languages
- Farrés-Casals
- 1992

Citation Context: ...vioural semantics have been developed, but these are either insufficiently powerful (e.g. [ST87], cf. Section 5 of [Sch92]) or tend to be too complicated for convenient use in practice (e.g. [Hen91], [Far92]). One avenue of attack on this problem is to consider the relationship between the class of algebras produced by applying the behavioural abstraction operation to a specification 〈Σ, Φ〉, and the class ...

1 | Spezifikation höherer Ordnung
- Grünler
- 1990

Citation Context: ...dition to S and K one could also add a family of fixpoint operators (Y) to allow for recursively defined functions in axioms. The source language of this encoding would then resemble the framework of [Grü90], except that his logic is first-order. Even when signatures contain only first-order constants, function types can be useful in formulae as shown by Example 7.6. Such types can be encoded using predi...