Relations as Executable Specifications

Relations as Executable SpecificationsTaming Partiality and Non-determinism Using Invariants

Nuno Macedo Hugo Pacheco Alcino Cunha

HASLab — High Assurance Software LaboratoryINESC TEC & Universidade do Minho, Braga, Portugal

RAMiCS 13September 20, 2012, Cambridge

Introduction Relational Calculus Optimizations Recursion Bidirectional Transformations Conclusions

Introduction

• Relational calculus provides a more natural way to specifyprograms;

• Many programs are partial and non-deterministic;

• A point-free (PF) version has been used in a variety ofcomputer science areas;

• Such specifications are not amenable for execution.

Nuno Macedo, Hugo Pacheco, Alcino Cunha 2 / 21


Motivating Example

(id M id)◦ ◦ (head◦ M length◦) : Nat→ [Nat]

• Calculates a list with length n and the same n at its head;

• Not total nor functional;

• Very inefficient given a naive semantics;

• head◦ could be generating all lists by increasing length andnever reach n.

(id4id)�

(id4id)� � (head�4length�)

head�4length�



Motivating Example

• We can predict the behavior of partial expressions bycalculating the exact domain and range;

• They can also be used to narrow non-deterministic executions.

(id4id)�

(id4id)� � (head�4length�)

head�4length�

{(l, l0) 2 [Nat]⇥ [Nat]|head l = length l0 ^ l = l0}●

{n 2 Nat|n 6= 0}●{l 2 [Nat]|head l = length l}●



Taming Partiality and Non-determinism

• We propose a PF relational framework where data-types areenhanced with invariants;

• The simplicity of the PF calculus allows us to developpractical type-inference and type-checking algorithms;

• Those invariants can then used to run the specifications moreefficiently;

• Bidirectional transformations are our application scenario.



PF Relational Calculus

Identity id : A→ ATop > : A→ B

Bottom ⊥ : A→ BConverse ·◦ : (A→ B)→ (B → A)

Composition · ◦ · : (B → C )→ (A→ B)→ (A→ C )Intersection · ∩ · : (A→ B)→ (A→ B)→ (A→ B)

Union · ∪ · : (A→ B)→ (A→ B)→ (A→ B)Split · M · : (A→ B)→ (A→ C )→ (A→ B × C )

Projections π1 : A× B → A and π2 : A× B → BEither · O · : (B → A)→ (C → A)→ (B + C → A)

Injections i1 : A→ (A + B) and i2 : B → (A + B)Constants ! : A→ 1 and · : B → (A→ B)

Conditional · ? :(A→ A)→ (A→ A + A)

• The simple equational rules are harnessed in a strategicrewrite system that simplifies expressions.



Membership Semantics

a′ JidK a = a ≡ a′

a JR◦K b = b JRK ab JS ◦ RK a = ∃ c. b JSK c ∧ c JRK ab JR ∩ SK a = b JRK a ∧ b JSK ab JR ∪ SK a = b JRK a ∨ b JSK a(b, c) JR M SK a = b JRK a ∧ c JSK aa′ Jπ1K (a, b) = a ≡ a′

b′ Jπ2K (a, b) = b ≡ b′

a JR O SK (Left b) = a JRK ba JR O SK (Right c) = a JSK c(Left a′) Ji1K a = a ≡ b(Left a′) Ji2K b = False(Right b′) Ji1K a = False(Right b′) Ji2K b = a ≡ bb J>K a = Trueb J⊥K a = False1 J!K a = Trueb′ JbK a = b ≡ b′



Execution Semantics

J|||| id ||||K a = {a}J||||R◦ ||||K b = {a | a← A, a JR◦K b}J||||S ◦ R ||||K a = {b | c ← J||||R ||||K a, b ← J||||S ||||K c }J||||R ∩ S ||||K a = {b | b ← J||||R ||||K a, b JSK a}J||||R ∪ S ||||K a = J||||R ||||K a ∪ J||||S ||||K aJ||||R M S ||||K a = {(b, c) | b ← J||||R ||||K a, c ← J||||S ||||K a}J||||π1 ||||K (a, b) = {a}J||||π2 ||||K (a, b) = {b}J||||R O S ||||K (Left b) = J||||R ||||K bJ||||R O S ||||K (Right c) = J||||S ||||K cJ|||| i1 ||||K a = {Left a}J|||| i2 ||||K b = {Right b}J|||| > ||||K a = BJ|||| ⊥ ||||K a = { }J|||| ! ||||K a = {1}J|||| b ||||K a = {b}



Predicates as Coreflexives

• Domain δR and range ρR are predicates that can be definedas coreflexives;

• Coreflexives Φ : A→ A are relations smaller than the identity;

• If a satisfies the predicate Φ then a JΦK a;

• For pairs A×B related by R : A→ B, the invariant is lifted as[R] : A× B → A× B;

• Invariants on coproducts are simply the coproduct Φ + Ψ;

• R : Φ→ Ψ denotes δR = Φ and ρR = Ψ.



Inferring Checkable Invariants

• Domain and range can be directly computed asδR = R◦ ◦ R ∩ id and ρR = R ◦ R◦ ∩ id;

• May result in inefficient membership tests (due tocomposition);

• By expanding the definition, we define an equivalent definitionwith most compositions removed;

• Others will fall in the special caseb (f ◦ ◦ R ◦ g) a ≡ (f b) R (g a);

• The rewriting system further simplifies the formula and issuesa warning if problematic expressions remain.



Example

(id M id)◦ ◦ (head◦ M length◦) : Nat→ [Nat]

ρ((id M id)◦ ◦ (head◦ M length◦))={Range definition}

ρ((id M id)◦ ◦ ρ(head◦ M length◦))={Range definition}

ρ((id M id)◦ ◦ [length◦ ◦ head])={Range definition}

δ([length◦ ◦ head] ◦ (id M id))={Domain definition, Simplifications : PF Laws}

(head◦ ◦ length) ∩ id

(idMid)◦◦(length◦Mhead◦):inN◦(⊥+id)◦outN → (head◦◦length)∩id



Optimizing Non-deterministic Executions

• After determining the domain and range, they can bepropagated down to primitives,

• This reduces the generation of irrelevant intermediate values;

J|||| id : Φ→ Ψ ||||K a = J||||Ψ ||||K a

J||||π1 : [U ]→ Ψ ||||K (a, b) = J||||Ψ ||||K a

J||||R ◦ S : Φ→ Ψ ||||K a = {b | c ← J||||S : Φ→ δR ||||K a,b ← J||||R : ρS → Ψ ||||K c }

J||||R ∩ S : Φ→ Ψ ||||K a = {b | b ← J||||R : Φ ∩ δS → ρ(Ψ ◦ S ◦ a) ||||K a}



Recursive Relations with Invariants

• We support the well-know recursion patterns ofcatamorphisms (folds) and anamorphisms (unfolds);

• Execution is not problematic, as it is performed by unfoldingtheir definitions;

• However, there is no known normal form for invariants overrecursive types;

• The rewrite system tries to simplify the generic domain/rangeexpression.



Recursive Relations: Example

unzip : [A× B ]→ [A]× [B ]

ρunzip={Range definition}

(unzip ◦ unzip◦) ∩ id={Simplifications : unzip is functional , Liftify : range of unzip is a product}

[π2 ◦ unzip ◦ unzip◦ ◦ π◦1 ]={Catamorphism fusion : π1 ◦ g = nil O (cons ◦ (π1 × id)) ◦ F π1}

[(|nil O (cons ◦ (π1 × id))|) ◦ (|nil O (cons ◦ (π2 × id))|)◦]={Definitions : map}

[(map π1) ◦ (map π2)◦]

={Simplifications : map converse,map fusion (see below)}[map (π1 ◦ π◦2 )]={Simplifications : PF Laws}

[map >]

unzip : id→ [map >]



Bidirectional Transformations

• Bidirectional transformations are transformations betweendata-structures that may be applied in both directions;

• Defining the transformations individually is expensive anderror-prone;

• BXs should be inferred a single specification;

• We propose a solution using the relational calculus.




• Lenses are one of the most famous BX frameworks;

• A lens S Q V between sources S and more abstract views Vconsists of transformations Get : S → V and Put : V × S → S ;

• It is said to be well-behaved if:• Get ◦ Put ⊆ π1 (acceptability);• Put ◦ (Get M id) ⊆ id (stability);

• Usually there are multiple valid Puts, but existing frameworksare deterministic.




• In principle, it is possible to lift any functional expression to awell-behaved lens;

• Existing frameworks either:• Have maximum updatability but

disregard some operators;• Refine the type-system to allow

operators with smaller updatability;• Support any operator but disregard

updatability;

• We refine the type-system andguarantee maximum updatability.

? ? ?



Generic Non-deterministic Lenses

• Using relational calculus we can define a generic Put that isthe largest relation that satisfies the properties;

• A transformation get : A→ B can be lifted to a well-behavednon-deterministic lens bgetc : δget Q ρget, with

Put = (π2 O (get◦ ◦ π1)) ◦ [get◦] ?

• Emerges naturally from the lens laws:• [get◦] ? (v , s) tests if v was changed, returning either the

original s (acceptability), or any source s ′ such that s ′ = get v(stability);

• Maximum updatability: δPut = ρget× δget.



Generic Non-deterministic Lenses

• Type-checking over δget and ρget directly could beundecidable and due to the central role of the converse, Putcan not be directly executed;

• Both these issues can be addressed by the optimizationsalready presented;

• Forward transformations are functional so problematic casesare very limited:• Regarding type-checking, only particular ranges of splits are

possibly undecidable;• The backward transformation can be efficiently executed;

• Recursive expressions are also supported as they preserve thefunctionality of their algebras.



Generic Non-deterministic Lenses: Example

bπ1 M idc : id Q [π◦1]

• The range is [π◦1] : A× (A× B)→ A× (A× B), so Put onlytakes views (a, (b, c)) where a ≡ b;

• When the view is updated, (π1 M id)◦ will run, and π◦1 couldgenerate all pairs until reaching (a, c);

• With our optimization, the output of π1 is restricted to have cin the second element.



Conclusions

• We have presented mechanisms for the efficient execution PFrelational expressions over data-types with invariants;

• Regarding BX, we identify an open problem in thecomposition of lenses;

• By modeling lenses in this framework we were able toimplement an expressive PF BX language with maximumupdatability;

• Researching possible normal forms for invariants over recursivetypes;

• Exploring mechanisms for a better control of thenon-determinism through user-defined quality measures.


Relations as Executable Specifications

Technology

r b b s r

right b i2 b b

b b anuno macedo

b r ab

b r ac

r s left b

i2 b right b i1

r s r s i1 i2