In: U. W. Lipeck / G. Koschorreck (eds.): Proc. of. the Int. Workshop on Information Systems — Correctness and Reusability (ISCORE’93) Universit¨ at Hannover, Informatik-Bericht 01/93, pp. 155–177. Specification of Object Behaviour with Defaults * Stefan Brass 1 Udo W. Lipeck 1 Pedro Resende 2 Abstract In this paper we present how to extend object specification logic by defaults. Thus overridable rules may be used in specifications which deal not only with ob- ject states, but also with dynamic object behaviour like enabling / occurrence of actions and temporal evolution. Defaults are particularly useful to formalize im- plicit negation, the “minimal change” semantics of actions, inheritance between object classes and aggregation of objects. We demonstrate this by means of ex- amples, and study which default patterns should be used for typical problems of behaviour specification. 1 Introduction In this paper, we consider the different uses defaults may have in specifications of system behaviour. Systems are viewed as societies of interacting objects. To this end, we define a first version of OSD, an object specification logic with defaults, and study typical examples. OSD is based on a temporal logic which allows to refer to the occurrence and enabling of actions in the style of OSL [SSC92, SS93]. OSD allows to specify defaults of different priorities and contains a simple module mechanism. In [BRL91] we have already introduced a general framework for extending arbitrary logics by defaults, and its application to a multi-modal object calculus [FM91] (with elements from dynamic and temporal logic). To support temporal specifications more specifically (e.g. to solve standard problems like the Yale shooting problem) we have just added a temporal prioritization. In how far some of the defaults applied here should be built into the semantics of OSD is subject to further discussion. But at the moment we believe that it is useful to show the defaults explicitly in the specifications. Let us now consider some applications for defaults. Specifications (no matter in what logic) are often made much simpler by allowing to concentrate on the “interesting half” of and “if and only if”-definitions and leaving the other direction as subject to an implicit completion default, e.g.: 1 Institut f¨ ur Informatik, Universit¨ at Hannover, Lange Laube 22, D-30159 Hannover, Germany, (sb|ul)@informatik.uni-hannover.de 2 INESC, Apartado 10105, 1017 Lisboa Codex, Portugal, [email protected]* This work was partially supported by the CEC under the ESPRIT Working Group 6071 IS-CORE (Information Systems — COrectness and REusability), coordinated by Am´ ılcar Sernadas. 1
23
Embed
Speci cation of Object Behaviour with Defaults file1 Introduction In this paper, we consider the di erent uses defaults may have in speci cations of system behaviour. Systems are viewed
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
In: U. W. Lipeck / G. Koschorreck (eds.): Proc. of. the Int. Workshop on
Information Systems — Correctness and Reusability (ISCORE’93)
Universitat Hannover, Informatik-Bericht 01/93, pp. 155–177.
Specification of Object Behaviour with Defaults∗
Stefan Brass1 Udo W. Lipeck1 Pedro Resende2
Abstract
In this paper we present how to extend object specification logic by defaults.
Thus overridable rules may be used in specifications which deal not only with ob-
ject states, but also with dynamic object behaviour like enabling / occurrence of
actions and temporal evolution. Defaults are particularly useful to formalize im-
plicit negation, the “minimal change” semantics of actions, inheritance between
object classes and aggregation of objects. We demonstrate this by means of ex-
amples, and study which default patterns should be used for typical problems of
behaviour specification.
1 Introduction
In this paper, we consider the different uses defaults may have in specifications of system
behaviour. Systems are viewed as societies of interacting objects.
To this end, we define a first version of OSD, an object specification logic with defaults,
and study typical examples. OSD is based on a temporal logic which allows to refer to
the occurrence and enabling of actions in the style of OSL [SSC92, SS93]. OSD allows to
specify defaults of different priorities and contains a simple module mechanism.
In [BRL91] we have already introduced a general framework for extending arbitrary
logics by defaults, and its application to a multi-modal object calculus [FM91] (with
elements from dynamic and temporal logic). To support temporal specifications more
specifically (e.g. to solve standard problems like the Yale shooting problem) we have just
added a temporal prioritization. In how far some of the defaults applied here should be
built into the semantics of OSD is subject to further discussion. But at the moment we
believe that it is useful to show the defaults explicitly in the specifications.
Let us now consider some applications for defaults. Specifications (no matter in what
logic) are often made much simpler by allowing to concentrate on the “interesting half”
of and “if and only if”-definitions and leaving the other direction as subject to an implicit
(sb|ul)@informatik.uni-hannover.de2INESC, Apartado 10105, 1017 Lisboa Codex, Portugal, [email protected]∗This work was partially supported by the CEC under the ESPRIT Working Group 6071 IS-CORE
(Information Systems — COrectness and REusability), coordinated by Amılcar Sernadas.
1
• A proposition is false unless it is explicitly specified that it is true.
• A proposition can only change its truth value if this is explicitly required by the
specification.
• An action is enabled unless explicitly specified otherwise.
• An action only occurs if it is explicitly called.
Each of these rules defines a default.
Of course, in the context of temporal specifications, the “minimal change” frame-rule
is especially interesting and has led to a lot of discussions whether defaults can be used
to formalize it [HM87, Rei92]. We believe that defaults can make the specification task
much simpler. For instance, assume that we have a set, implemented as a boolean array p,
and two operations insert and delete. In OSD, we can concentrate on the effect the two
actions have, i.e. it is sufficient to specify that if insert(X) happens, then p(X) is true in
the next state, and if delete(X) occurs, then p(X) is false afterwards:
5insert(X)→ X p(X).5delete(X)→ X ¬p(X).
However, without an implicit frame rule, we need the following specification:(
X p(X))
↔ 5insert(X) ∨(
p(X) ∧ ¬5delete(X))
.
Furthermore, suppose we later want to add an action clear , which makes p empty. In
OSD, we do not have to change the existing rules, we simply add
5clear → X ¬p(X).
Without the frame rule, we must change the explicit specification of X p(X) to(
X p(X))
↔ 5insert(X) ∨(
p(X) ∧ ¬5delete(X) ∧ ¬5clear)
.
An of course, “real life” specifications can have a lot more than only three actions and
one attribute, and the single rules may be conditional, so that it may be very complicated
to describe their combined effect.
Another well known application of defaults is to formalize the (partial) overriding of
inherited rules in object-oriented specifications [BL91, Rya91, BRL91, BL93]. Like the
example above, this allows a really incremental style of specification and greatly enhances
the reusability of specifications. For instance, we can first introduce an ideal counter,
which works with arbitrary long integers, and later derive counters restricted to different
word sizes from the general specification.
Often, objects have a default behaviour when considered in isolation, but in aggrega-
tion with other objects, they may behave differently.
Our paper is structured as follows: In section 2, we introduce the underlying temporal
logic. Then we define specifications with defaults in section 3. Section 4 contains quite
a number of examples which illustrate the use of defaults for different purposes, and
especially the interplay between the different defaults. In section 5, we consider the
composition of object specifications. Such a “modular specification” is especially needed
to solve the “stolen car problem”. Finally, we give a short summary and outline directions
for future research.
2
2 Temporal Logic
In this section, we present syntax and semantics of the underlying temporal logic. It
contains the temporal quantifiers I (initially), X (next), F (sometime), G (always),
U (until), and it allows to refer to the occurrence (5) and enabling (�) of actions.
Syntax
For the syntax, our goal is to define formulas, which are strings of symbols from an
alphabet A, partitioned into logical symbols AL (like ∧, ¬, X , U ), variable symbols AV
(like X, Y, Z), and non-logical or application symbols AN (like customer , order). The
non-logical symbols which can be used in formulas depend on the application and are
defined by means of a signature:
Definition 2.1 (Signature): A signature Σ = 〈S, F, P,A〉 consists of
• S, a finite set of nonlogical symbols (sorts, type symbols),
• F , an S∗ × S-indexed family of nonlogical symbols (function symbols),
• P , an S∗-indexed family of nonlogical symbols (predicate symbols),
• A, an S∗-indexed family of nonlogical symbols (action symbols).
This is the standard definition of a first-order signature, extended by action symbols.
For simplicity, the function symbols will be assigned their “free” interpretation, so they
can only be used as (time-independed) names or record constructors. Object attributes
must be modelled by predicates.
Predicates are also used to express the occurrence and the enabling of an action (as
introduced by [SSC92] for OSL):
Definition 2.2 (Extended Predicates): We write E for the family
Es1...sn:= Ps1...sn
∪ {5a | a ∈ As1...sn} ∪ {�a | a ∈ As1...sn
}.
Beside the logical symbols and the application symbols, we need variables to build formu-
las. Each formula can have its own set of variables. The following definition is standard:
Definition 2.3 (Variable Declaration): A variable declaration is an S-indexed fam-
ily V of subsets of AV .
As usual, objects in the universe are denoted by terms:
Definition 2.4 (Term): The set of (Σ, V )-terms T(s)
Σ,V of sort s is the smallest set with:
• If f ∈ Fs1...sn,s, and ti ∈ T(si)
Σ,V (i = 1, . . . , n), then f(t1, . . . , tn) ∈ T(s)
Σ,V .
• If v ∈ Vs, then v ∈ T(s)
Σ,V .
A Σ-ground term is a (Σ, ∅)-term (a variable-free term).
3
In the examples, the sorts of symbols and terms will always be clear from the context, so
that we do not show it explicitly. We allow other syntactic liberties as well, for instance,
we drop the () after constants (0-arity function symbols), and use infix notation for the
usual arithmetic operations.
Now we can define the formulas of the logic:
Definition 2.5 (Formula): The set of (Σ, V )-formulas LΣ,V is the smallest set with:
• If t1, t2 ∈ T(s)
Σ,V , then t1 = t2 ∈ LΣ,V .
• If e ∈ Es1...sn, and ti ∈ T
(si)Σ,V , then e(t1, . . . , tn) ∈ LΣ,V .
• If L1, L2 ∈ LΣ,V , then (¬L1), (L1 ∧ L2) ∈ LΣ,V .
• If L ∈ LΣ,V and v ∈ Vs, then (∃v L) ∈ LΣ,V .
• If L1, L2 ∈ LΣ,V , then I L1, X L1, L1 U L2 ∈ LΣ,V .
A Σ-formula is a pair consisting of a variable declaration V and a (Σ, V )-formula L.
Of course, we drop parentheses corresponding to the usual binding rules and we usually
do not mention the variable declaration (it can be determined from the formula). We also
introduce the usual shorthands:
• t1 6= t2 for ¬(t1 = t2),
• false for X 6= X,
• true for X = X,
• L1 ∨ L2 for ¬(¬L1 ∧ ¬L2),
• L1 → L2 for ¬L1 ∨ L2,
• L1 ← L2 for L1 ∨ ¬L2,
• L1 ↔ L2 for (L1 ← L2) ∧ (L1 → L2),
• ∀v L for ¬∃v (¬L),
• G L for L U false,
• F L for ¬G ¬L.
Semantics
We use a fixed domain (the Herbrand universe) in order to avoid problems with variable
assignments referring to deleted objects. It is, however, possible to introduce a predicate
for the current objects of some sort. Therefore, the fixed domain is no restriction.
So have a Herbrand interpretation for every point in the timeline:
Definition 2.6 (State): A state I defines a relation I[[e]] ⊆ I[[s1]]× · · · × I[[sn]] for every
extended predicate symbol e ∈ Es1,...,sn, and it satisfies the additional condition
• for every action symbol a, if (d1, . . . , dn) ∈ I[[5a]], then (d1, . . . , dn) ∈ I[[�a]].
The latter requirement means that only enabled actions can occur. Formulas are inter-
preted in state sequences:
4
Definition 2.7 (Interpretation): An interpretation is a mapping I, which assigns a
state I(i) to every natural number i ≥ 1.
The notions of variable assignment and term evaluation are again standard (since we
consider only Herbrand interpretations, term evaluation merely consists of applying the
substitution given by the variable assignment):
Definition 2.8 (Variable Assignment): Let a variable declaration V be given. A
variable assignment α is an S-indexed family of mappings from VS to T(s)
Σ,∅.
Definition 2.9 (Term Evaluation): The value α[[t]] of a term t given an assignment α
is defined as follows:
• If t has the form f(t1, . . . , tn), then α[[t]] := f(
α[[t1]], . . . , α[[tn]])
.
• If t is a variable v, then α[[t]] := α(v).
Definition 2.10 (Satisfaction of Formulas): The satisfaction of a formula L in an
interpretation I for a variable assignment α and current state number i ∈ IN is defined