partial recursive functions such an algebraic specification generally includes se- mantic models where .... notions of minimal full abstractness and weak terminality therefore capture the notion of ..... SI, S2 and S3 are not visibly equivalent in.
ON THE ALGEBRAICSPECIFICATION OF NONDETERMINISTIC PROGRAMMINGLANGUAGES*)
,,) M. Broy, M. Wirsing Technische Universit~t MUnchen, Institut fur Informatik ArcisstraBe 21, D-8000 MUnchen 2
Abstract Different semantic models for a nondeterministic programming language are defined, analysed, and compared in the formal framework of algebraic specifications of programming languages by abstract types. Four abstract types are given representing
choice (%rratic") nondeterminism~ backtrack {"d~monic'~ nondeterminism~ unbounded ("angelic") nondeterminism and loose nondeterminism. The classes of algebras of these types represent classes of semantic models. A comparison of these classes of semantic models shows the connections and differences between the four different concepts of nondeterminism as fbund in programming languages. 1. Introduction The concepts of nondeterminism and nondeterminacy have found their way into programming languages only during the middle of the last decade, although McCarthy in his pioneering paper /McCarthy 63/ already introduced an "ambiguity operator" and Floyd in /Floyd 67/ suggested nondeterministic programs for the implicit formulation of backtrack programs. Recently the growing interest in rigorous methods for formal specification and program development and numerous attempts to define a formal semantics for concurrent programming languages has led to intensive investigations in the theory and formal foundations of nondeterminism. However, a careful study of the different approaches indicates, that not only the formal description methods are different, but there are actually different concepts described, although the differences are often rather *) This work was carried out within the Sonderforschungsbereich 49 - Programmiertechnik - Munich ~ ) Present address: Department of Computer Science, University of Edinburgh, Edinburgh EH9 3JZ
183 sophisticated but nevertheless of great importance. Strictly speaking essentially ("extensionally") different semantic models can be given for nondeterministic programming languages reflecting the different concepts of nondeterminism. Recent studies have shown, that algebraic methods allow the specification of programming languages by abstract (data) types in a short, flexible way (cf./Broy, Wirsing 80a/). There the context free syntax corresponds to the signature (the termalgebra represents the set of syntactically correct programs), the context conditions (sometimes called "static semantics") are expressed by particular definedness predicates (restricting the term algebra), and the semantics is specified by a number of (conditional) equations. Then each model of that type can be considered as a particular semantic model of the programming language. Due to the termination problem of partial recursive functions such an algebraic specification generally includes semantic models where optimal or even maximal fixed points are associated with recursive definitions. The minimality property of least fixed points, however, can be conveniently expressed by weakly terminal models, the existence of which is guaranteed under certain (syntactic) conditions (cf. /Broy, Wirsing 8Oh/). The class of extensionally equivalent models of the type containing the weakly terminal models comprises all possible semantic models which specify the semantics of least fixed points (syntactic, operational, algorithmic and mathematical models). In particular the i n i t i a l model of the type lies in this class which forms a complete lattice of models (in the usual sense, cf. /Wirsing, Broy 80/). In this formal framework i t is also possible to discuss the semantic models of nondeterministic (applicative or procedural) programming languages. The various concepts of nondeterminism such as backtrack nondeterminism versus choice nondeterminism (cf. /Broy et al. 80/, /Kennaway, Hoare 80/) as well as loose versus tight nondeterminism (cf. /Park 80/) may be discussed conveniently in the algebraic approach by the particular classes of models of a nondeterministic programming language characterized by the resp. semantic equations. We show that backtrack nondeterminism, unbounded nondeterminism and choice nondeterminism admit terminal semantics. The weakly terminal models of backtrack nondeterminism as well as of unbounded nondeterminism are properly weaker than those of choice nondeterminism. In the Cpartial) i n i t i a l semantics of both forms of nondeterminism nondeterministic statements differ only in their evaluation, while the induced equalities between them are the same.
164 Loose nondeterminism does not allow terminal or i n i t i a l semantics, but only minimal
models which correspond to a l l possible deterministic and nondeterministic least fixed point semantics which implement nondeterministic statements. The weakly terminal model of backtrack nondeterminism is one of these minimal models. By introducing an "implementation" relation E l
we can structurize these minimal models in such a
way that the ~ I - minimal models are exactly the deterministic least fixed point implementations. The weakly terminal models of choice nondeterminism are optimal in the following sense: They are the weakest models which are ~ I - greater than a l l I - minimal models. F i n a l l y we show that the so-called Egli-Milner Ordering is a consequence of the specification using weak homomorphisms and thus is "natural" in the weakly terminal models. In fact, the goal of this case study is twofold: F i r s t , we want to demonstrate how algebraic methods can be used as a powerful, f l e x i b l e tool for the formulation and analysis of semantic specifications. Second, we give an attempt to c l a r i f y , unify, and compare several notions of nondeterminism with rather sophisticated differences as found in the literature. We demonstrate our approach by means of abstract data types specifying the sort sta
of nondeterministic statements. The types define procedural programming langua-
ges very similar to Dijkstra's language of guarded commands. We investigate several closely related versions: - a type AN the weakly terminal model of which corresponds to unbounded ("angelic") nondeterminism (this type resembles to the wlp-calculus definition of Dijkstra). - a type
BN the weakly terminal model of which corresponds to backtrack ("demonic")
nondeterminism (this type resembles to the wp-calculus definition of Dijkstra), - a type CN the weakly terminal model of which corresponds to choice ('~rratic") nondeterminism. Every model of
CN implements a model of
BN in a "natural" way~)
- a type LN corresponding to loose nondeterminism. For this type there does not exist a weakly terminal model. However a l l models of models of
CN are models of
LN,
AN, BN as well as a l l
too. Each minimal model of
LN represents the
mathematical semantics of a particular (possibly deterministic) programming language.
*)This type resembles to the wp/wlp-calculus definition of Dijkstra,
165
2. Basic Definitions Before we define one type we b r i e f l y give the most important d e f i n i t i o n s ( f o r a complete d e f i n i t i o n see /Broy, Wirsing 80a/). We consider hierarchical abstract types with primitive subtypes and finitely generated partial heterogeneous
E-algebras
as models; i . e . partial
algebras. Between two called
E-algebras
heterogeneous
E-algebras without proper sub-
A und B a family
m of total mappings is
( p a r t i a l ) Z -homomorphism (cf./Gr~tzer 68/), i f for all operations
~(fA(xl . . . . . Xn)) = {
undefinedfB(~(Xz) . . . . . ~(Xn))
if
otherwisefA(xl . . . . 'Xn)
f
is defined
and i f fA(x I . . . . . Xn) A model
I
of
defined
T
~
is called
fB(~(Xl) . . . . . ~(Xn) ) initial
, i f for all models
exists a unique homomorphism ~ : I ~ A . i . e . every term
t
defined
An i n i t i a l
model
which is undefined in some model of
T
A of
T
I
minimally defined,
is
there
is undefined in
I, too.
The properties of homomorphisms for total algebras are generalized by the following notion (cf. /Broy, Wirsing 8Oh/). A family operations
~
of partial mappings is called
i f for all
weak Z -homomorphism,
f i
~(fA(xl . . . . . Xn)) =
fB(~(Xl) . . . . .
~(Xn) )
undefined
if
fB(~(x I) . . . . ~(Xn))
is defined
otherwise
I f such a weak Z-homomorphism exists, then B is called weaker than A . A mapping which is both a partial Z-homomorphism and a weak z-homomorphism is called a strong
Z-homomorphism,
In order to describe observable equivalence we need a notion of terminality for partial algebras. Let W =def
I
be an i n i t i a l
{AI there exists a s t r o ~
model of
T and consider the class
z-homomorphism
~ : I ~ A}. Then a model
Z
of T is said to be weakly terminal i f Z is strongly terminal in W, i . e . for all A E W there exists a strong Z-homomorphism m : A ~ Z . The weakly terminal models as well as all elements of
W are minimally defined.
Let us f i x a single model P' of the primitive subtype P of T and consider only the models of T which are extensions of P'. Then every two models A and B for which a stron~
~-homomorphism ~ : A ~ B or
extensionally equivalent, i . e . for every function
f
~ : B~ A
exists are
with range in
P and every
~66
nonprimitive term W forms
t
we have
f ( . . . . t . . . . )A =
f ( . . . . t . . . . )B. In p a r t i c u l a r ,
a class of e x t e n s i o n a l l y equivalent models. Every
between two e x t e n s i o n a l l y equivalent models is a strong a class of e x t e n s i o n a l l y equivalent
are
z-homomorphism. I f
models then a strongly i n i t i a l
C is
(terminal)
(C-)extensionally i n i t i a l (terminal). For example, the
model A E C is called i n i t i a l models of
Z-homomorphism
T are
W-extensionally i n i t i a l and the weakly terminal models
W-extensionally terminal (cf. figure I).
The extensional equivalence leads to another d e f i n i t i o n of t e r m i n a l i t y . A model R of
T
is called
reachable , i f f o r a l l models
e x t e n s i o n a l l y equivalent model
B of
T
A of
T
such that there is a weak z-homomor-
phism ~ : B ~ R . Every reachable model is minimally defined,
terminal
there e x i s t s an T
reaoh~ly
is
i f i t is strongly terminal in the class of a l l reachable models.
I f an i n i t i a l
model e x i s t s , then every reachably terminal model is weakly terminal
( but in general not vice versa ). A model
A of a h i e r a r c h i c a l abstract type is called
77/) i f f o r every pair of terms every p r i m i t i v e context of sort s t
of sort
is a term s , K[t]
K[x]:
K[x]
tl,
f u l l y abstract. ( c f . / M i l n e r
t2 of nonprimitive sort
t l A = t2 A
a p r i m i t i v e context
K [ t l ] A = K[t2] ;
with the only free variable
x
iff
K[x]
for f o r terms
such that f o r every term
is a term of p r i m i t i v e sort.
Obviously ( c f . /Broy, Wirsing 80b/) a f u l l y abstract model is minimal with respect to strong homomorphisms. Furthermore, i f there e x i s t s a f u l l y abstract, minimally defined model of a type and a weakly terminal model, then both are isomorphic. Both notions of minimal f u l l abstractness and weak t e r m i n a l i t y therefore capture the notion of observable e q u a l i t y or functional equivalence. This means that in a f u l l y abstract model two terms are considered to be equal, i f f
a l l observable results of
applications of t h i s term (the r e s u l t of t h i s term in a l l p r i m i t i v e contexts) are equal. Then the two terms are called
v i s i b l y equivalent,
3. The Abstract Type o f Choice Nondeterminism We define an abstract type comprising the f o l l o w i n g p r i m i t i v e sorts:
dora
the sort of a semantic objects ( i n c l u d i n g the t r u t h values
,
t h e i r c h a r a c t e r i s t i c operations) with an e q u a l i t y operation yaP
tt
and
ff
and
~ ,
the sort of i d e n t i f i e r s f o r programming variables,
,
pros,,
the sort of i d e n t i f i e r s f o r procedures,
exp
the sort of a r i t h m e t i c expressions over var together with a t o t a l evalua t i o n f u n c t i o n eval : exp ~ dom' , which y i e l d s error for free i d e n t i f i e r s
,
(where error is a defined constant of
dom). We denote by
el[e2/v]
the
167 substitution of bexp,
v
in
el
by
e2.
the set of boolean expressions (also with evaluation function
eval).
For s i m p l i c i t y we may assume that these sorts are given by abstract types, which are
monomo~hic, i . e , f o r which up to isomorphic only one model e x i s t s . Equivalently we might assume to take always i n i t i a l
(or terminal) models of the p r i m i t i v e sub-
type (cf. /Broy, Wirsing 80b/). As the o n l y n o n p r i m i t i v e s o r t we specify the s o r t statements with the
nop.
abort
assign
As
: ~
of nondeterministic
sta,
: v a r x exp ~
if
sta,
: bexp x st__aax sta
semi,
sta
eon~tructorfunctions:
choice
: sta x sta
~
letrec
: proc x s t a
call
: proc
~
~
sta,
sta, sta,
st a,
semantic functions we use loops : sta elem
~
{tt,ff}
: sta x exp × dom ~ { t t , f f }
with the meaning
loops(S) = f f
i f f the execution of
S
cannot lead to a non-
terminating computation elem(S,e,x) = t t
i f f a f t e r the execution of may be evaluated to
S the expression
x .
F i r s t we specify a number of semantic e q u a l i t i e s for statements: semi(abort,S) = abort = semi(S,abort), semi(nop,S)
= S = semi(S,nop),
semi(semi(S1,S2),S3) = semi(Sl, semi(S2,S3)), choice(Sl,choice(S2,S3)) = choice(choice(Sl,S2),S3), letrec(p,S) = S [ l e t r e c ( p , S ) / c a l l ( p ) ] , (STA)
semi(if(b,S1,S2),S3) = if(b,semi(S1,S3), semi(S2,S3)), semi(assign(v,e), if(b,S1,S2)) = i f ( b E e / v ] , semi(assign(v,e),Sl), semi(assign(v,e),S2)), semi(choice(Si,S2),S3) = choice(semi(Sl,S3), semi(S2,S3)), semi(Sl,choice(S2,S3)) = choice(semi(Sl,S2), semi(Sl,S3)), if(b,choice(S1,S2),S3) = c h o i c e ( i f ( b , S l , S 3 ) , if(b,S2,S3)), if(b,S1,choice(S2,S3)) = choice(if(b,S1,S2), i f ( b , S l , S 3 ) ) , choice(Sl,S2) = choice(S2,Sl),
e
168 We consider the f o l l o w i n g semantic equations i n v o l v i n g the evaluation-operations eval, loops and elem ( f o l l o w i n g /Broy, Wirsing 80b/ to specify the definedness of a term t by DEFINED(t)): loops(nop)
= ff,
elem(nop,e,x)
= (x ~ e v a l ( e ) ) ,
DEFINED(abort), DEFINED(Ietrec(p,S)), DEFINED(if(B,SI,S2)), eval(b)
= tt
~
if(b,S1,S2) : SI,
eval(b)
: ff
~
i f ( b , S l , S 2 ) = $2,
eval(b)
: e r r o r ~ if(b,S1,S2) = a b o r t ,
loops(semi(S,assign(v,el)))
= loops(S),
elem(semi(S,assign(v,el)),e2,x) = elem(S,e2[el/v],x), loops(semi(S,call(p))) = ff, e l e m ( s e m i ( S , c a l l ( p ) ) , e , x ) = (x ~ e r r o r ) , DEFINED(semi(SI,S2)), DEFINED(choice(Sl,S2)), For our choice operation we require (loops(Sl) : f f
^
loops(S2) = f f )
elem(Sl,e,x) : t t Let us c a l l t h i s type
~
~
loops(choice(Sl,S2)) = f f
elem(choice(S1,S2),e,x) = t t
CN. Every statement is defined in every model of
loops and elem may be p a r t i a l f u n c t i o n s . We i n d i c a t e expression
loops(S)
The theorems in
Prop:
(1)
by
CN whereas
the undefinedness of the
loops(S) = undefined (analogously f o r
elem(S,e,x)).
/Broy, Wirsing 80a,b/ immediately give the f o l l o w i n g p r o p o s i t i o n .
The type
defined (2) The type
CN is weakly s u f f i c i e n t l y complete CN has a reachably terminal model
and every statement is C w i t h the f o l l o w i n g
properties: (a) C ~ Ioops(S) E { f f , u n d e f i n e d } (b) C is a
minimally defined model:
3 model M :
M ~ loops(S) = undefined
3 model M :
M ~ elem(S,e,x) = undefined ~ C~ elem(S,e,x)=undefined
(c) C is a
~
C ~ loops(S) = undefined
f u l l y abstract model i . e .
C ~ SI = $2 for all iff
bE{tt,ff,undefined},
s t a S,
exp e,
dom x:
loops(semi(S,Sl)) : b ~ ~loops(semi(S,S2)) = b and ~- elem(semi(S,S1),e,x) : b (3)
The type
CN has an i n i t i a l
e q u a l i t y in I C~
$I = $2
model
Felem(semi(S,S2),e,x) = b I C which is minimally defined. The
I C is determined by the equations iff
STA F- $1 : $2
STA:
169
Therefore two statements are identical in the weakly terminal model C i f they are v i s i b l y equivalent. From the "minimal definedness"-property we see that the weakly terminal models are equivalent to least fixed point semantics. The weak homomorphisms induce exactly the Egli-Milner-ordering (cf. e.g. /Nivat 80/)between semantic models: PE°P" Let
A, B be models of
CN. I f there exists a weak homomorphism from A to
B
then for every statement S
SB ~
SA Egli-Milner
i . e . for a l l i d e n t i f i e r s
y
and
dom x :
B~ elem(S,y,x) = t t B~ loops(S) = f f
and
(A~ loops(S)=ff The i n i t i a l
model
Ic
is
equivalent , i . e . f o r a l l
and
A ~ elem(S,y,x) = t t
: ^
(B~ elem(S,y,x) = t t
minimally defined and b E {tt,ff,
A~elem(S,y,x) = t t ) )
and
C F loops(S) : b
iff
I C F loops(S) = b
iff
I c F elem(S,e,x) = b
are i d e n t i c a l in
C
are e x t e n s i o n a l l y
undefined}
C F elem(S,e,x) = b
The e q u a l i t y between two statements in
I C is the strong e q u a l i t y : Two statements
I C i f t h e i r e q u a l i t y is provable from the axioms
The class of minimally defined models of models and forms a complete l a t t i c e w . r . t , relation
Ic
~
STA .
CN coincides with the class of reachable to the usual homomorphisms as ordering
( c f . /Wirsing, Broy 80/). The i n i t i a l
model
I C is i n i t i a i
in t h i s class
whereas the weakly terminal model is terminal. As in /Broy, Wirsing 80b/
one can
define a p a r t i a l order on the classes of e x t e n s i o n a l l y equivalent models by C1
