Introducing Reference Semantics Via Refinement
Introducing Reference Semantics Via Refinement
Introducing Reference Semantics Via Refinement
Graeme Smith
Software Verication Research Centre, University of Queensland, Australia
[email protected]
Abstract. Two types of semantics have been given to object-oriented
formal specication languages. Value semantics denote a class by a set
of values representing its objects. Reference semantics denote a class by
a set of references, or pointers, to values representing its objects. While
adopting the former facilitates formal reasoning, adopting the latter facil-
itates transformation to object-oriented code. In this paper, we propose
a combined approach using value semantics for abstract specication and
reasoning, and then rening to a reference semantics before transforming
specication to code.
1 Introduction
Research on object-oriented formal specication languages has gone through two
main phases of development.
The rst phase focussed on extending existing formal specication languages
with object-oriented constructs in order to enhance modularity and reusability.
These constructs included classes, objects, inheritance and polymorphism. A
number of new formal languages were developed, notable among which are those
which extend VDM or Z [21, 14]. The goal was to make formal methods more
applicable to larger-scale systems and industrial problems [6, 15].
The languages developed in this phase of research, including MooZ [20], ZEST
[23] and early versions of VDM++ [8] and Object-Z [2, 4], have a value semantics,
i.e., a semantics in which a class is denoted by a set of values. Each value in such
a set corresponds to an object of the class at some stage of its evolution. Such
a semantics is conservatively based on that of the language being extended and
hence introduces no additional complexity to the semantic basis.
The second phase of research saw the inclusion of object references in object-
oriented formal specication languages. Object references work in the same man-
ner as pointers in programming languages. They introduce the possibility of
object sharing (through aliasing) and non-trivial, recursively dened structures
(since objects may reference objects which also reference them). Existing object-
oriented formal specication languages such as VDM++ and Object-Z were ex-
tended with object references [13, 7, 5, 17]. The goal was to make the transition
from formal specication to code easier [9].
To incorporate object references, the new versions of the languages developed
in this phase of research have a reference semantics, i.e., a semantics in which
a class is denoted by a set of references to values (denoting objects). Such a
semantics is a major departure from that of the language being extended and
hence much eort has subsequently gone into developing suitable semantics [10].
The additional complexity of reference semantics has had a large impact on
developing methods for reasoning about specications [11], rening specica-
tions [3] and encoding languages in tools such as theorem provers [19]. Although
object references enable an easy transition from specication to object-oriented
code, they hinder the abstract representation of systems and hence unnecessarily
complicate renement and reasoning.
In this paper, we propose a step backward to the languages with value se-
mantics for abstractly specifying systems as part of a step forward to a new
approach to formal object-oriented development. This approach involves ren-
ing value-semantics specications to specications with reference semantics. This
allows reasoning to be carried out in the absence of object references, but al-
lows the addition of references through renement in order to ease the transition
to code. To illustrate our approach, we use the Object-Z specication language
for which both value and reference semantics exist. This distinguishes our work
from similar work in the renement calculus where explicit stores are introduced
during renement to model mappings from references to values [22, 1]. In Sec-
tion 2, we introduce the value-semantics version of Object-Z and in Section 3,
the reference-semantics version. In Section 4, we illustrate through a simple case
study how a value-semantics specication can be rened to a one with a reference
semantics.
2 Value Semantics
The early work on Object-Z [2, 4] adopts a value semantics [16]. The main ex-
tension to Z is syntactic: the introduction of a class schema. A class schema
encapsulates a single state schema with its associated initial state schema and
all the operations which can change its variables. For example, the following
species a generic node which has two state variables, empty denoting whether
or not a value has been inserted into the node and val denoting the value.
Node[T]
empty : B
val : T
INIT
empty
Insert
(empty, val )
v? : T
empty val
= v? empty
Initially, the node is empty and a value v? can be inserted into it via the
operation Insert . The -list of this operation indicates that it is able to change
the variables empty and val . The operation can occur when empty is true, and
results in empty being false and val taking the value v?.
Like schemas in Z, a class schema can be used as a type: its instances are
values denoting possible objects of the class. For example, a generic list could
be dened as a non-empty sequence of node objects as follows (seq
X extends
the Z denition seq X of nite sequences of type X, i.e., nite functions whose
domain is a contiguous set of natural numbers with least element 1 and whose
range is X, to possibly innite sequences, i.e., seq
X == seq X N X).
List [T]
list : seq
Node[T]
list ,= )
INIT
n : ranlist n.INIT
Insert
(list )
v? : T
i : domlist
( j : 1 . . i 1 list (j ).empty)
list (i).Insert
i list
= i list
The class List denotes the functionality of a (possibly bounded) list abstractly
by dening a possibly innite sequence of nodes, the non-empty nodes of which
denote the actual list. A nite sequence models a bounded list and an innite
sequence, an unbounded list.
Initially, each node n in the list satises the initial state of the class Node,
i.e., it is empty. The operation Insert chooses a node such that all other nodes
before it in the sequence are not empty, and inserts a value v? into that node.
The fact that a node must be empty for an insertion to take place (as dened in
class Node) ensures that the selected node is the rst empty one in the sequence.
The nal line of the operation ensures that all other nodes are unchanged ( is
domain subtraction). It is needed since the inclusion of list in the -list allows
list to change arbitrarily unless otherwise constrained.
3 Reference Semantics
More recent work on Object-Z [7, 5, 17] adopts a reference semantics [10]. This
enables a style of specication which more closely reects implementation in an
object-oriented programming language. In particular, it allows object sharing
and non-trivial, recursive structures to be dened. For example, a list could be
specied recursively by the variables associated with the node at the head of the
list together with a pointer to the tail of the list (as in Fig. 1).
A reference-semantics specication in Object-Z is
empty
value
empty
value
empty
value
empty
value
tail tail
tail
tail
Fig. 1. Recursively dened list
List *[T]
empty : B
val : T
tail : List *[T]
tail = self tail List *[T]
C
INIT
empty tail .INIT
Insert = [ (empty, val ) v? : T [ empty val
= v? empty
]
[] [ empty ] tail .Insert
Classes in the reference-semantics version of Object-Z have an implicitly de-
clared constant self denoting a reference to the current object. This is used in
class List * to specify that tail may point to the current object (when there is
no tail). In all other cases, the tail list and all objects referenced either directly
or indirectly from it must be contained by the current list (denoted by the
_C symbol decorating the type). Containment is a means of controlling aliasing
among references. An object may be directly contained by only one other ob-
ject and may not contain itself. Hence, circularities in the structure of list are
precluded.
The initial state schema and operation Insert are dened recursively.
Initially, the lists head is empty and the lists tail is in an initial state. Since
the lists tail is a list, this means its head element is also empty and its tail is
also in an initial state, and so on.
The operation Insert is specied by an operation expression (rather than a
schema) using the operators for disjoining ([]) and conjoining () operations.
It inserts a value v? into the head element of the list (when it is empty), or
performs an insert operation on the tail of the list when its head element is not
empty.
The meaning of INIT and Insert can be given using xed point theory as
shown by Smith [18]. INIT can be shown to be equivalent to
INIT
s : seq
List *[T]
s(1) = self ( i : doms 1 s(i) = s(i 1).tail )
s seq List *[T] s(#s).tail = s(#s)
( i : doms s(i).empty)
and Insert can be shown to be equivalent to
Insert = [] s : seq
= v? empty
].
4 Renement
Renement in reference-semantics Object-Z is dened in terms of simulation
rules by Derrick and Boiten [3]. Downward simulation is dened as follows.
An Object-Z class C is a downward simulation of a class A if there is a
retrieve relation R such that every abstract operation AOp of A is recast
into a concrete operation COP of C and the following hold.
DS.1 C.INIT A.INIT R
DS.2 A.STATE; C.STATE R = (pre AOp pre COp)
DS.3 A.STATE; C.STATE; C.STATE
R COp = ( A.STATE
AOp)
That is, the initial state predicate can be stronger in the concrete class (DS.1)),
as can operation postconditions (DS.3). Operation preconditions (i.e., the pred-
icate pre Op for an operation Op) can neither be weaker nor stronger (DS.2).
This denition is simply that for a blocking model of operations, i.e., where
an operation Op cannot occur unless pre Op is true, and is therefore independent
of the semantics adopted (see Josephs [12], for example, for a similar denition).
Hence, we would like to use it show that List of Section 2 is rened by List *
of Section 3. The renement is done in three phases (see Fig. 2) each compris-
ing one or more renement steps consistent with downward simulation. These
phases represent a general strategy for rening from value semantics to reference
semantics.
Phase 1 In the rst phase, all object values are changed to references. Hence,
the sequence of nodes in List becomes a sequence of references to nodes.
Phase 2 In the second phase, references are added between objects where
appropriate. Hence, references are added linking each node to the next in the
list. A self reference is added to the nal node in a nite list.
Phase 3 In the third phase, the class describing the system is replaced by
the class of an object which is connected via references to all other objects in
the system. In the list example, the class rened from List is replaced by a class
describing the list from the head node, i.e., List *.
4.1 Phase 1: Replacing object values with references
To accomplish the rst phase of renement in Object-Z, any operation schemas in
which operations are applied to objects must be replaced by equivalent operation
expressions. This is necessary since the reference-semantics version of Object-Z
does not support operation application in schemas [17].
Phase 2
Phase 3
Phase 1
List*
List
Node
List1*
List2*
Node*
Node1*
Fig. 2. Renement of List to List*
The operation Insert of List , can be replaced by
Insert = [ (list ) ] ( [] i : domlist [ p list (i).Insert )
where p is ( j : 1 . . i 1 list (j ).empty) i list
= i list .
The main step in this phase of renement is then to replace all classes C in
the specication by a new class with reference semantics. In the case where C
has no declared objects, the denition of the new class is syntactically identical
to C. The new class is therefore trivially a renement of C under the identity
retrieve relation. In the case where C declares objects, these declarations are
changed to refer to the new classes. Furthermore,
since, in a value semantics, dierent declarations always refer to dierent
objects, all declared references must be contained by C and an invariant
must be added that all declared references are distinct, and
since, in a value semantics, values are changed by operation application but
in a reference semantics, references are not, a schema [ a
= a ] must be
conjoined with any operation application a.Op.
The resulting classes are again trivially a renement under the retrieve relation
which equates the state variables of the corresponding declared objects. Such a
retrieve relation is necessary since the semantic representations of the objects in
the dierent semantics are not directly comparable.
Applying these steps to our example specication, results in a class Node*
dened syntactically identically to Node, and a class List 1* dened as follows.
(Note that the conjunction of the schema [ list
Node*[T]
C
list ,= )
i, j : domlist i ,= j list (i) ,= list (j )
INIT
n : ranlist n.INIT
Insert = [] i : domlist [ j : 1 . . i 1 list (j ).empty list (i).Insert
The retrieve relations for these renements are, respectively, Node.empty =
Node*.empty Node.val = Node*.val and domList .list = domList 1*.list
(i : domList .list List .list (i).empty = List 1*.list (i).empty List .list (i).val =
List 1*.list (i).val ). The latter relates the value-semantics nodes to the reference-
semantics nodes by equating the values of their state variables (empty and val ).
4.2 Phase 2: Adding references between objects
For the second phase, we need to add references to classes and constraints on
references reecting the desired system structure. We begin by rening the class
Node* to a class Node1* which has an added reference next : Node1*[T] denoting
the next node in the list, and strengthens the state invariant as follows.
Node1*[T]
empty : B
val : T
next : Node1*[T]
next = self next Node1*[T]
C
INIT
empty
Insert
(empty, val )
v? : T
empty empty
val
= v?
Node1* is a downward simulation of Node* under the retrieve relation which
identies the variables empty and val , i.e., Node*.empty = Node1*.empty
Node*.val = Node1*.val .
The state invariant of a class is implicitly conjoined to the initial state predi-
cate and the precondition and postcondition of each operation. To show that the
precondition of Insert is not strengthened under the retrieve relation, we need
to show DS.2 holds. That is,
Node*.STATE; Node1*.STATE
Node*.empty = Node1*.empty Node*.val = Node1*.val
(Node*.empty Node1*.empty Node1*.Inv)
where Inv = [ next = self next Node1*[T]
C
]. This trivially holds since
the declaration of Node1*.STATE introduces the invariant Inv on the variables
of Node1*. In general, invariants can be added during renement provided they
do not constrain variables related (by the retrieve relation) to variables that are
changed by the abstract operations [3].
To complete this phase, we rene the class List 1* by adding an invariant
linking the nodes in the list in the appropriate way. That is, the next node of
each node in the list, except the last in the case of a nite list, is that which
occurs after it in the list. The next node of the last node of a nite list is itself.
Once again, the invariant does not strengthen the precondition under the retrieve
relation which in this case is the identity relation, i.e, List 1*.list = List 2*.list .
List 2*[T]
list : seq
Node1*[T]
C
list ,= )
i, j : domlist i ,= j list (i) ,= list (j )
i : domlist
list (i).next = list (i + 1)
(list seq Node1*[T] i = #list list (i).next = list (i))
INIT
n : ranlist n.INIT
Insert = [] i : domlist [ j : 1 . . i 1 list (j ).empty list (i).Insert
4.3 Phase 3: Replacing the system class with an object class
The nal phase involves removing the system class needed in a value semantics
specication to relate the objects in the specied system. It is replaced by the
class of one of the objects from which all others can be referenced. In cases
where the value-semantics system class species an actual object of the specied
system, this nal phase may be unnecessary.
In our example, we want to replace the class List 2* with the class List * of
Section 3 (see Fig. 2). We begin by introducing a new variable head as an alias
to the head node of the list and redene INIT and Insert in terms of head. This
is done by adding an existentially quantied variable s to both INIT and Insert
which denotes a sequence of nodes starting with head and such that each other
node in the sequence is the next node of it predecessor in the sequence.
List 3*[T]
list : seq
Node1*[T]
C
head : Node1*[T]
C
list ,= )
i, j : domlist i ,= j list (i) ,= list (j )
i : domlist
list (i).next = list (i + 1)
(list seq Node1*[T] i = #list list (i).next = list (i))
head = list (1)
INIT
s : seq
Node1*[T]
s(1) = head
( i : doms 1 s(i) = s(i 1).next )
s seq Node1*[T] s(#s).next = s(#s)
( i : doms s(i).INIT)
Insert = [] s : seq
Node1*[T]; i : doms [
s(1) = head
( j : doms 1 s(j ) = s(j 1).next )
s seq Node1*[T] s(#s).next = s(#s)
( j : 1 . . i 1 s(j ).empty)
s(i).Insert
List 3* is a downward simulation of List 2* under the retrieve relation List 2*.list=
List 3*.list .
Since list is no longer used in the initial state schema or operation Insert ,
the class can be further rened by removing this variable. The invariants in
terms of list do not constrain head and can be removed as well. In particular,
the invariant that nodes in the list are distinct is captured by the invariant of
Node1* which precludes circular list structures.
In the case where one or more of the invariants did constrain head, they
would need to be redened in terms of head.
The following class, List 4*, is a downward simulation of List 3* under the
retrieve relation List 3*.head = List 4*.head.
List 4*[T]
head : Node1*[T]
C
INIT
s : seq
Node1*[T]
s(1) = head
( i : doms 1 s(i) = s(i 1).next )
s seq Node1*[T] s(#s).next = s(#s)
( i : doms s(i).INIT)
Insert = [] s : seq
Node1*[T]; i : doms [
s(1) = head
( j : doms 1 s(j ) = s(j 1).next )
s seq Node1*[T] s(#s).next = s(#s)
( j : 1 . . i 1 s(j ).empty)
s(i).Insert
Our system class List 4* now comprises a single contained object. Such a class
can be rened to a class C with the single object declaration a : A
C
replaced by
the state declarations of A, and with all occurrences of a, A, a.INIT and a.Op
replaced by self , C, and the denitions of INIT and Op respectively. Hence, class
List 4* is rened by
List 5*[T]
empty : B
val : T
next : List 5*[T]
next = self next List 5*[T]
C
INIT
s : seq
List 5*[T]
s(1) = self
( i : doms 1 s(i) = s(i 1).next )
s seq List 5*[T] s(#s).next = s(#s)
( i : doms s(i).empty)
Insert = [] s : seq
= v? empty
].
Given that self .x = x for each state variable x, List 5* is a downward simu-
lation of List 4* under the retrieve relation List 4*.head = List 5*.self .
With next renamed to tail , the initial state schema and operation Insert of
List 5* are the equivalent schemas of those of List * derived using xed point the-
ory in Section 3. Hence, under the retrieve relation List 5*.empty =List *.empty
List 5*.val = List *.val List 5*.next = List *.tail , we can rene List 5* to List *.
5 Conclusion
In this paper, we have shown how to rene an object-oriented formal speci-
cation with a value semantics to one with a reference semantics. This process
allows an abstract specication to be written in a value semantics in order to fa-
cilitate reasoning, and then be rened to a concrete specication with a reference
semantics in order to facilitate transformation to code.
The general process was illustrated using a simple case study. This case study
involved the introduction of recursion. Other renements to reference semantics
could involve the introduction of object sharing. The renement steps were jus-
tied with respect to the denition of downward simulation in Object-Z. A set of
rules proved sound with respect to this denition, or that of upward simulation,
could be developed to aid the specier by removing much of the proof burden.
Acknowledgement
Thanks to John Derrick for discussions which led to this work and Ian Hayes
for his constructive comments on an earlier draft of this paper. This work was
funded by a University of Queensland External Support Enabling Grant.
References
1. P. Bancroft and I.J.Hayes. Type extension and renement. In L. Groves and
S. Reeves, editors, Formal Methods Pacic (FMP97), pages 2339. Springer-
Verlag, 1997.
2. D. Carrington, D. Duke, R. Duke, P. King, G. Rose, and G. Smith. Object-Z: An
object-oriented extension to Z. In S. Voung, editor, Formal Description Techniques
(FORTE89), pages 281296. North-Holland, 1989.
3. J. Derrick and E. Boiten. Renement in Z and Object-Z, Foundations and Advanced
Applications. Springer-Verlag, 2001.
4. R. Duke, P. King, G. Rose, and G. Smith. The Object-Z specication language.
In T. Korson, V. Vaishnavi, and B. Meyer, editors, Technology of Object-0riented
Languages and Systems (TOOLS 5), pages 465483. Prentice Hall, 1991.
5. R. Duke and G. Rose. Formal Object-Oriented Specication using Object-Z.
MacMillan, 2000.
6. R. Duke, G. Rose, and G. Smith. Transferring formal techniques to industry: A
case study. In J. Quemada, J. Ma nas, and E. Vazquez, editors, Formal Description
Techniques (FORTE90), pages 279286. North-Holland, 1990.
7. R. Duke, G. Rose, and G. Smith. Object-Z: A specication language advocated
for the description of standards. Computer Standards and Interfaces, 17:511533,
1995.
8. E.H. D urr and J. van Katwijk. VDM++ A formal specication language for
object-oriented designs. In B. Meyer, G. Heeg, and B. Magnusson, editors, Technol-
ogy of Object-oriented Languages and Systems (TOOLS Europe 92), pages 6378.
Prentice-Hall, 1992.
9. A. Griths. From Object-Z to Eiel: a rigorous development method. In C. Min-
gins, R. Duke, and B. Meyer, editors, Technology of Object-Oriented Languages
and Systems (TOOLS 18), pages 293308. Prentice Hall, 1995.
10. A. Griths. An extended semantic foundation for Object-Z. In 1996 Asia-Pacic
Software Engineering Conference (APSEC96), pages 194207. IEEE Computer
Society Press, 1996.
11. A. Griths. Modular reasoning in Object-Z. In Wai Wong and K. Leung, editors,
Asia-Pacic Software Engineering Conference and International Computer Science
Conference (APSEC 97/ICSC 97), pages 140149. IEEE Computer Society Press,
1997.
12. M.B. Josephs. A state-based approach to communicating processes. Distributed
Computing, 3:918, 1988.
13. K. Lano. Formal Object-Oriented Development. Springer-Verlag, 1995.
14. K. Lano and H. Haughton, editors. Object-Oriented Specication Case Studies.
Object-Oriented Series. Prentice Hall, 1993.
15. K. Rosenberg. The adoption of formal methods within OTC. In K. Parker and
G. Rose, editors, Formal Description Techniques (FORTE91), pages 8592, 1991.
16. G. Smith. A fully abstract semantics of classes for Object-Z. Formal Aspects of
Computing, 7(3):289313, 1995.
17. G. Smith. The Object-Z Specication Language. Advances in Formal Methods.
Kluwer Academic Publishers, 2000.
18. G. Smith. Recursive schema denitions in Object-Z. In A. Galloway J. Bowen,
S. Dunne and S. King, editors, International Conference of B and Z Users (ZB
2000), volume 1878 of Lecture Notes in Computer Science, pages 4258. Springer-
Verlag, 2000.
19. G. Smith, F. Kamm uller, and T. Santen. Encoding Object-Z in Isabelle/HOL.
In D. Bert, J.P. Bowen, M.C. Henson, and K. Robinson, editors, International
Conference of Z and B Users (ZB 2002), volume 2272 of Lecture Notes in Computer
Science, pages 8299. Springer-Verlag, 2002.
20. S.R.L.Meira and A.L.C. Cavalcanti. Modular object-oriented Z specications. In
Z User Meeting 1990, Workshops in Computing, pages 173192. Springer-Verlag,
1990.
21. S. Stepney, R. Barden, and D. Cooper, editors. Object-Orientation in Z. Workshops
in Computing. Springer-Verlag, 1992.
22. M. Utting. Reasoning about aliasing. In Australian Renement Workshop (ARW
95), pages 195211, School of Computer Science and Engineering, The Univeristy
of New South Wales, 1995.
23. H.B. Zadeh and S. Stepney. ZEST Z Extended with Structuring: A Users Guide,
PROST-Objects, BT.7004.0.20.13, Issue 2, 1996.