mmhhhhhhhhmmlm - Defense Technical Information · PDF fileofUw *mooe n 3 Cpie AM Ma~: mwtm bmlsft. ... FS af lbehgse baboiln Polkm 97 ... The mns significant contribution of this approah

AD-A121 520 AUTOMATIC SYNTHESIS 0F IMPLEMENTATIONS FOR ABSRAC PADATA TPES FROM At OEB U) MASSACHUSETTS INST FTCCAMBRIDGE LAB FOR COMPUTER SCIENCE. M K< SRIA JU 8

UNCLASSIFIED MIT/CS/T-7 N004 75C 6 F/ 90 NL

mmhhhhhhhhmmlm-1 - m II

_r"- 131

NATIONAL BURLAU Of STANDARDS 1963 A

i.I

LABORATORY FO0...PU I' NOV17 V

AtFNA CSaII.IS( M HAlAIA11IJ A

.CUNTV CLASIICATION OF ug Paie mhw. "0 Swoe* as"__________________

RE. =PMI NOOMETAIO ACC SATw *I3IUCIIOU

)ITILCS/TR-276 ______________

4. lTL8' EWE "Q Automatic Synthesis of 11upimenta- TV oW~f INWPT PC$"* om"INCe

tions for Abstract Data Types from Algebraic Technical Report June 182Specifications. a SOtoOe ISON ult

Nandaysm K. SrivasDAP 01-5C66

9. 0PFSNmuO OftMORAIU NOW =as man 1 MMIASM T'MIT Lab for Computer Science

545 chnologyM OPISuaeMEAS*UU 5t0

DARPAJune 1982240 WisonBouevad t "oasss or PAsuArligto, Vrgina 2217161

Office of Koval Researcb UnclassifiledDepartiment of the Nv1sf ormat ion Systmxi Program n .1clo93a"Ia'Arlington, Virginia 22217 _____________

le mosYr~u feaow IMICUNY "II.. mUnllimited

This document to approved for public release and sale, distribution unlimited

0O, SUPPa* MT,. NOT"~ ern

__ -ICotty~~~SS? Os.OfCAIS OCllw dorn mCOOS Goa x smmO .0lI

pasoma o Mmm

I sh -I'm d m V w 1

**nmwftf"I SW - 1k -

su to to me % ftW MMs a" lo

- r - -w ft now" atp"f mo fwl a

ft"" 4 t t" taw~mM

om a A a" ft. -mm

eipmfuc lbt onumbe M avw E

~ a sp~u=and

PVICIAL USIRISTINU LST

lirut I owesbfmo Mvms seevrh ft*Jsgt AmmC3

AtIlsoom in ~il MIDAinIsm hPoqm NUMgin

ofUw n *mooe 3 Cpie

AM Ma~: mwtm bmlsft. cob W1

of s fst" 1.seIo I o

Mildlas 1942

Itulsm: A. Fwvus

Urcto 1bual Smourch Llbahq owS.C.WAt,-tim: Cb S62

%come ical tafintim Ceter 12 ois~rm Stift

frif oftu NMIee 1ph14

mSl W 140$al"

S6 bust. LL.buhqtm D.C. "m6

Aiatm Thn u.Pwr u

Automtic Synthesis ofImplementations for Abstract Data Types

from Algebraic Specficatonas

by

Ccprbh Mamxhum Imideasi o(Tmahsua

Jut. 19m2

ThW releWCh wu mPpon (in pan) by *w NMiwWa Sdena Foadmion unde pmKMCS7S01798 mid by dee Ddk. Adimiced Rinmb ch s Asmcy manhord by dueOffie of H"va R d-her Comm No NOODOW7SCOSGL

Almuhom 1 10 of Tmebw

LabsrussSol hrC.pu Sh

CmM~. MAR@139

DTICTlt j7-e1 toicsO~ NOV 171M8

A

*2-

Automatic Synthesis ofImplementations for Abstract Data Types

from Algebraic Specifications

AbstractAlgebraic qxikczirm baire been used extensively to prove pwv~sof "W~c dotn typesand to wablish the coreiinm or implemeri;*vm of dama types. )tbs thcsis e~pkwes anaubvmusi method of syntheiininletcmcntions ror d:77 t r(c tm their lerc

The inputs to the %) nthes6 procedure P, I a or it qmocflcion ror the implemented type. aspedflction fo cabi or the hlmctieng typesL and a ronaal 4wciption of therpenwkn scheme to be used by the implemnwudon. Mhe outpu of the procedure

wnuiis% at an implemmentak Wo cxli of the operatins of the w.nplented type in a idmple*wpphmitC kin"Mase

I he mpub and th%- output of the wriths~ procedurec product) diwat"i~i A loulbush ror the metd employed by the prdure is developedL 'Ihe method is based om 6heprincipic of retcwsinl the tchnique o( prot ing tOw wrrea of ant implemcntation or a daatype. The mrcitioai an the inpums and the conditions under wli the procduresynthe~iies an ImpkieenWon awccasllly awe farmally charaterized.

Nowe mwl Tiii, of Ihes Supenko. John V. GutugAdocate Prokeow of Compute ScimnceMWd Engknsaft

Ks7 W.6 mud Pbrm Absact Dos Type. Alpbrul Spefcilaon.Axodation Specflczatkot. Abstramti FunctiomIntMratt Preftnary Implementation. TargeImplementimn Term Rewiitln Sy~wm, Pdwcilof Definition. Reducton. FAPmlOn

1. This report b a mimor ri, Ora Oi of fte saiw t wMwtm d to the Deqiunmew or FawicdENpetenmad CtupuerSciencein t~mbar IIin partid ulfltmem of therequirunmfbo wdegre of [)cw Philosophy.

Acknowledgmnents

I w=n1 to exprem my appecdm to my thesis wupervlmor. John Guutag kv At thehelp he ha Sive n me His pahiece. cncourqcnmumpport ad axautncve critihcis ofthe work at vauou gu~ or Its developmnt have been invauable.

Each of my thcs tenderu Arvind. Berbera Udov. and Dove Mtuer. ba

cuntnbuted imponant insights to different ur xts of both the researe and the peataofte i tha nespeialy thankful to Sarbwrmgcin ome the opicofthethsi.and to (ave or his careful rea din of sem draft ofd theth&i which mad~e the &Wna vesin

substantidly more readoble

My oftacnsms Dccpak Kapeur. Pierr Lascanne. and Cadi SeaquWs. have helpedme in many ways during t rack They Save me a pien audienc wftencu I needede

and read drat of the theIs. Dep wa esilly helpful in orgakling my idea at theWiniin **mofte inem-1

Many people at MIT, truaft audens in the LAboratory of ComputerSceeand ouWsde hae helpe cate an kdatereuin. uidsften diverting, but always

supportive environmerd in which to work. I went to thank in pmnitaar Doty. Jeatnam

Srlran Ravik and Kaneban for thei awtial marcu inp.This ir wa em mpponed (i put) by the Niomal Scimvc Foundutln tunder

gri MCS71I4I798 ad by the Deft= Advanced Resea ch Priet Agency monX bythe Ofie of Naod Remt tunder Conirto Noa N=1OI75-C6L

.4.

CONTENTS

1.. I~.Ctmk of______ a

13 mht*. WallI,$ OigpIaii.. of blbh 3

2. Asoown!go @1gb, Subuh Prwwr.13

L I 'tho U,,' %1"w 13Z2 %.imuw of th SyMsin rwmcu.ILI Saw 1: nelka.m 1~muh IbPhh 1891

Z11.2 1*140i~. shr Sx* Isaw sM, 2

ILI st Whi ofehs dwtw 23mud

122lb. MRuruir~ImI'wmuft Me"he N13 lb. dlq .1 sb. ubnh 3urwm 33

U3.1 NohiUlkwoonsiesb.34L13 M l o ( k g i t* uqku usshu Oidd IN N

3. hipftI It*b *WUb PIOsnWI 37

11 ~ ~sm terS.~~n 371.1 lmlomhss Comm r3

1.3.33 ob. leuSsp~ lo 43312 Ame.miS~plkis 41ILIu~im5eIeii 4512.2 H. i tpudIM.. ue~b.w I~ww~nm aAsmbd SMeh A O33 Rlamiks- lbs lan-*-b3II t"Ot WSR. ad woress -smIII2 lb. PIm,01of 0441111110__________________5

I" 3 ift oek Sb ik of thuIdm

3332Chekg Flauk Tevtls. 571.4 Pm IPmpot @I a o lr 57

4. Slaow 1: 11W l'hliniy Im I mIa

4.1 A Iiehmy lukkeai" n

UlI The Unhasim oEnqAugys

442O li IWeiscob Puulk Ro 65i.3.3- lktwhit th Rkmw, 3lmphu6im s

434 taewieugb t t aind ie~74A1L2 lhewI~g Ike RI(V 11ud de 7432 iWfhgf Ise The I1m IU44, thli b~hIn 1rulahi 79"A43. Ibr(vumI33kW~ed~S

443.. %a Imajsukssm A hS bn F IiismW43 %* %bosa1 16,uuab im f i I kihghe 14*eeduuu.v 92

FS af lbehgse baboiln Polkm 97

M3 ('ueugietbwwh of ohe rooke 9112 Ihmki .6 . rtelamar mpuwi)se~9

5±2I Ihihi~tbe euhs PI -- Is*

M !i 1*t l3e uiu I be Ni* 33ud Sid fto

5.3 % lle wl Ifb e beh I p ia 0

5.32 14nev mahe IcoMpwu Wed Mto532.3 The Pwpowo.11W__ _ _ _ _ __~ .to

M lp2 he nwo7 liet~lmuh 2

SU 31 The bwd I lielq eb 11.3

4k3.1 ladiq3n~ ii3~'q sli 2401 1 1 1 1w Tihe abhe Futims in42 The Uecuilum MA ins Rsbd4) An UMawutiof a Cwmphi S1 d 1.36

7. Comgbsm wW Fawnmes Eme 1 3

Aed L F~~ew so Neuw* R" bi n 154

Il333 Poe eITh.om ~

.77

FIGURES

it I. Spmifk-xionu(Queu -lnl ..... ........ ............... 1F, 2. Spccifkim o(C L .......... 16H& I Asmacwm Spccmnkus .. ......... . .. 17Fit 4. An Impknml iot n ................................ . -..................... 17

Fli 5. A Prciin Im u .................... .... 19I& &. cucl in nmo(Tp . .. . 32Flg 7. Special-mn o(Quemi.l 43.... .43

M.* & Soccikvin o(Ckc-~jiu ........ .... . ......... 43H& 9. Iwo Amxixion Spccflk m f or uMj. . 46Fig M0 Spe ~wn o(Array-lo .~. . .47

it 11, Tbhe Quc.lM Rewr$ Sisem ......................521g . r r I nduniv I ........................... 60

F 13, rhe Pitudwd Wold .... .. 74FI. 14. A PWIld Premimary Ipl enalm .... ... .............................. 77FMg. 13. Qucue~tni iacruso(TdpIS ...... .....................-....... 9

Fig 16 Thc taurhed Wodd 10........................................ 101Sig 17L A AsufnkA Pvdunowy I pie wom bo 102F*r It An .~m ..n~ w . ... . ......... ............................ 121F I nI~xmt ~ 121Fig 19 ThPn. ... RPM ... ........... 128F 20 The I . ol wmh Re-q mtt w Crdefs, ....... ......................................... I5

g 21, The Sudwid AIb Ordms Am a Iwa Type Re.gimr Symm ..... IM8Fig 71 ThSud dA'ph.j4wbu rdeftrHowl #phimSpedf datm ........... 159

-

I. Introduction

1.1 Goals of the Thesis

This thesis is concerned with the problcsu of automatic synthesis of implcmcntations

for altract data types from their algebraic specifications. Thc inputs to the synthesis

procedure include (i) a formal speci caion of the data type to be implcmented. (ii) a formal

spaificaion of each of the impkmcnting types, and (iii) a ronnal description of the

reprsenLttion scheme to be used b) the desired implementation. The output consists of an

implemcntation for eaih of the opcrations of the implemented type. Thc inputs arc specified

using an algebraic ipocation techiique (14. 18. 253.

The thesis has three main Soak:

(1) -ro precisely characterizc both the inputs of the s)'nthesis procedure, and the outpuL

(2) To devise an automatic method of deriving the output from the inputs.

(3) To pnide a formal bais ior the method.

The method of derivation is described in terms of a set of synthesis rdle. The

output is derived by invoking the synthesis rules a finite number of times. The thesis

describes how the s)nthesis rules are used in deriving a suitable implementation.

1 he purpw of providing a formal basis for the method is to justify the correctness

of the implementaticnm derived by the synthesis procedure. The formal basis also helps in

chaicrirng the scpe of the synthesis procedure.

1.2 MIUhalIn kr The Reerb

The reliabiliy of ctnmputer sftware has received a great deal of attention in recent

vam Rapid advances in hardware technology have dramatically decreased the cost of

hwdware relatveto software. As a resut, the cos of producing and maintaining software has

become a majo concern. An effective way of improing the reliability and the cost of

softwem simultanemsly is to find methods to decrease the effort required to produce correct

softwae At prmnt. active researc is underway 1431 in exploring this avenue. Several

no

.9"

approaches have been propmed, each of which am be put under one of the following three

cUcOn bwd on the degree of automation it often: manual appMachcs, scmi-automatic

app~roace, and automatic apprmedie

11e manual approach advocates discipline in human propamnling 131. It. 41. It

consists of denoifyring new mcchanisms of absractons 1321 that Cncourage the advocated

iscipline. The mns significant contribution of this approah Ita been the inducement or a

change in the attitude of programmmu towards the style of programming. CMcrete

mralfcsa'ons or OIbis change includt, the birth or the uoivt of abstract ata typcs. and the

developmnt of new Iiguzos 134. 29.521 touppon dat types.

The goa of the scml-auknatic approach is o so machine help to establish the

cositnes o( programs written by the user. Fomal methods are developed to spmciy and

Vafy psepics of pecs of sofware 113. 12. 20: systems arc built to carry out verification

auIn i MMalIly or mi-ausomatically 127. 151 A variant of ihe verificmtion method is the.'s apprntice method 1191 The pruramnw's apprentie provides an interctive

programming enironment buil up by a set of tos which hclps the proramme in

preparfng and dieckinl his work in several ways The tools rang~e from simple editors to

more sophigiclted ones tha can ailyze and citicie a users program during the various

phases of prorammminm Yet amother way of proKiding partial machine help is to build

systems 12. 3. 48] that will help apply uansfomation rues chosen from a cataloue of

equivalnce pfrecring trammfbrmtat The pogram mer cam refine or improve the

e of his pgmrsu by udiciously choin - the appropriate rules from the ctalogue.

The automatic approach. under which our resear Ills. seeks to automate a pan or

all of the pnMrnminS prcs ielf. Its l WW is to Sonre code fbx programs from their

high-level deitaive deuitions. theeby relieving the progainmer or having to worry

about enor-prone, low-level details of programming. Though this may one day be fearib

experlece 11. 361 in the Im few ywn sho that not neary enough is known about the

process to autornase it completely. Too remedks have been used with some incos to break

the staleate in the situaatio: The irt is to rrict the domain for which pnumms are being

synthesized 14: the second is io expect the user to fumish more information about the desired

prMpetin of the porum IQ to guide the synthesis procedure.

; - 10-

A third course of action that has not so far been employed in earnest is to

complement the automatic approach with recent advances in programming methodology.

(Bauer. cLal., 131 have employed this idea with the scmi-automatic approach.) In particular,

the idea of designing software as a hierarchy of abstractions can be used to aid the synthesis

procedure. Stich a hierarchical design for the program reduces the amount of rcfinement

required to be performed by the synthesizer at each step.

The thesis takes into consideration all the facwtors mentioned above. Within the

general area of programming. we restrict ourselves to the study of synthesis of

implementations for abstract data types. We believe that the synthesis of implementations for

abstract data types is amenable to automation because the specifation techniques for data

types have been extensively studied, and hence, are better understood We also expect

additional infomation about the implemcntation to be furnished by the user. This

information is provided in the form of a description of the representation scheme to be used

by the implementation.

1.3 Related Work

The works rt:atcd to ours he partly in the area of general progiram synthesis and

partly in the area of automat implementation of data structures

In the general area of synthei . the work most cloely related to ours is that of

Darington 18. 93 He has developed a system that uses a set of transformato rles to

improve semi-automatcally the efficiency of recursive progams and also to construct new

recursive programs. Recently. he has also applied t tr arslrmaton rules to synthesize

implementations for data types (73, The synthesis rules developed in the thesis are clody

related to his The difference lies in the method in which the synthesis rules are used to

synthesize Implenatatom Our method Is baed on verification techniques of data types.

Our work has two advantWs over his. First y. the da of Implementations derived by our

method is lar than his This is becam we develop more ways of usins the synthesis rules

for dedvftiiliemsetions Secondly. we Iornally charctefre the conditions under which

the synthesis rules yield a coo, i: nplementaton for da types.

The ZAP system 1301 of Feather's is a program transformation system in which the

basic rules of manipulations are similar to our synthesis rules. His work is different from ours

in two ways. Firstly. he is concerned with developing highcr level stretcgies to apply the basic

tranformation rules (in general, any equivalence preserving rules) for the construction of

large-sized programs. Secondly. his approach is less automatic than ours. The emphasis in

the design of AP is to use "metaprograms" to improve communication between the user and

the system. There are two inputs to ZAP: the specifcation of the program to be constructed

and a metaprogram which consists of a sequence of commands that direct the transfemation

process. The mctaprogram expresses the higher level strategy to be used in applying the

tran formation rules.

Within the area of automatic implementations for data structures the work of

Okrcnt (401 has goals closest to ours. Okrent's method uses only the algebraic specifications

of the data types involved as inputs. Because of the lack of information about the desired

representation scheme, the implementations generated by his synthesis procedure are not as

interesting as the ones generated by ours. He limits severely the range of the data types

acceptable as inputs. He also concentrates on a fixed set of target structures such as

contiguous memory and heap memory for the implementations.

Another work in this area that is related to ours is that of Subrahmanyam's [501.

Subrahmanyam's method like Okrents does not use any information about the

representation scheme. His method has a provision for the user to specify performance

constraints on the desired implementation. The method is based on partitioning the

operation set of the data type into a kernel set and a nonkcmel seL Implementations for the

kernel operations are derived by identifying pairs of functions (on the representation type)

called retrievaoble insertion function pairs. Implementations for the nonkemel operations are

derived in terms of the implementations for the kernel operations so as to meet the

performance constraints.

Most of the other research in the automatic generation of data structure

implementations has been concerned with the automatic selection of an optimal

representation for data structures, Rowe and Tonge [47], Rovner 1461 and Tompa and

Gotlieb 1511 have studied optimization problems for a language containing a fixed set of high

-12-

level data structures. First they build a library of possible implementations for each fixed

high level data structure in the language. along with a parameterized dcscription of the

performancc of cach library cntry. Then they proceed to select the "txst" implementation for

each instance of the data structure, by making a flow analysis of the program that uses the

data structure. The goal of our work is to derive an implementation for a given

representation rather than to select an optimal one aniong a given set of representations.

Standish. cLal.. 149. Bauer, cal., 13]. and Wile, cLal. 121 have developed catalogues

of equivalence preserving transformation rules as a part of program development systems.

The programmer can refine or improve the eflicicicy of his programs by instructing the

system to apply appropriate transformation rules on the programs. None of these works,

however, deals explicitly with the implementation of data types. It is possible, with some

modifications, to incorporate our synthesis rules as a part of their system.

1.4 Organization of the Thesis

The next chapter gives an overview of the synthesis procedure. The third chapter

describes in detail the inputs of the synthesis procedure, and formalizes the restrictions on the

input-. The synthesis procedure derives an implementation in two stages: The

implementation is first derived in a preliminary form which is then transformed into a final

form. The first stage of the procedure is the topic of the fourth and the fiflh chapters. The

sixth chapter describes the second stage. The last chapter gives the concluding remarks.

.13 -

2. An Overview of the Synthesis Procedure

This chapter gives an overview of the synthesis procedure. The first section gives a

scenario of the synthesis procedure from a user's point of view. It briefly describes the form

of the inputs to the synthesis procedure. and the form of its outputs via an example. Thesecond section gives a summary of the synthesis procedure. It points out the nontrivial issues

involvcd in the method employed by the procedure for deriving an implementation. The last

section describes the scope of the procedure.

2.1 The User's View

Consider the following scenario involving a programmer. The programmer hasdesigned an abstract data type (the implemented type) to be used in solving one of his

programming problems. He is now seeking the help of a system for implementing the type

using another data type. called the reprentation type. The representation type is chosen by

the user himself. Furthermore. he is willing to furnish information about how he wants thevalues of the representation type to be used in representing the values of the implemented

type. The system is cnected to generate automatically (or with some help from the user) an

implementation for the implemented type that uses the representation type as the

representation in a manner consistent with that suggested by the user.

Viewed as a black box. the inputs to the procedure are:

(i) A specification of the implemented type.

(ii) a specification of the representation type. and specifications of all the types used in

the specification of the representation type. We refer to the representation type. and

all the types its specification uses as the implementing type&

(iii) an association specification that describes how the values of the representation type

are to be used in representing the values of the Implemented type: this corresponds

to the representation (or abstraction)function defined by Hoare in 1211.

The output of the synthesis piocedure consists of an implementation for each of the

-14-

operations of the implencnted type in terms of the operations of the implementing types. To

get a better idea about the inputs and the output. let us consider an example of deriving an

implementation for the data type Quenelat in terms of ClcLIsL Quet alct is a

firs-in-flt-out queue of integers. Elements are added to a queue at the rear end. and

removed from the front end. CIrclJst is a list of integers. Elements are inserted into and

removed from a list at the same end, which is the rear end of the list. T he tperation that gives

Clrc._List a circular character is Rotate. Rotate moves every element in a list by one position

towards the rear end in a cyclic fashion. i.e.. the element at the rear end is moved to !he front

end.

In this bxample. the implemented type is Qmseuelnt and the representation type is

ClrcList. CircUst uses (this notion is defined precisely in the next chapter) the data types

Integer and Nool. so the implementing types include CireList Integer. and Bool. Figures 1,

2. and 3 give the inputs to the synthesis procedure. (The figures also give an informal

description of the operations of the data types.) Specifications of Integer and Bool should

also be given as inputs, although % e have not shown them here. The language used to express

the data type Vpcirications is equational, similar to the ones developed in [14, 18. 251. One of

the crucial differences is the following: We assume that the specification of every data type

idnk a basis for the data type. A basis is a minimal set of operations of the data type that

can be used to generate all the values of the type. The operations in the basis are called the

generators of the type. For example, the operations Create and Insert can be the generators

for CireList. The specification language is described In the next chapter.

Fig. 3 gives the association specification for the implementation to be derived. It

characterizes the representation scheme to be used by the implementation. The association

specification is expressed in two parts. The first pan specifies the imnarian J. 3 is a predicate

that specifics the set of values that may be used to represent the values of the implemented

type: only those values of the representation type for which 3 is True may be used to

represent the values of the implemented type. In the present example. 3 is True fbr all values

of CfrcLkL The second pai specifies the astraction function A; A maps a value the

representation t)pe to the value of the implemented type that the former may represent. In

the present example A specifies the fbllowing mapping: The empty queue is represented by

Fig 1. SpeIflkallo. ofQuetwejal

Queuejamt is Nulkq Enquen. Front. Elequen. Append. Szee

Defining Types

Booklid

Operations

Nolkq -> Queuc...IaFMqaCue Quucnt X lot )> QUMuislIFront Qucjat *lot U I ERROR Ilkqucue Queuejast *)Queucint U I ERROR IAppend Quesucins X Qucuc-Int -> Qucuelatsiue QuGCujit -> lot

Coment-ni?ucJUn is a 1:1 FO queue of inicgcrs. Nu~lq consincas the CmptY qtieue. Faqucuce a"d an clement to

a queue at the rear end. Dequeue removes he element at the front of a queue. Frceal returns theelemen~ft at t front or a queue. Append joins iwo queues adding the elements of die second argumlentat ft rear of the first argument. Size computes tOw number of elements in a queue.

I Nuflq Fispmne

Axioms

(I)ffrout(NaI~q) n ERROR(2) Front(Enqueue(Nulkq e)) =e(3) Front(lEnqueue(VFaqweft. ci) e2)) w Front(FEnqueue~q. e1))

(4) t)equeucjNullq)!s ERROR(S) IDequenuquce(Nuflq e)) a Nullq(6) IicqueWnquu(nqueueq. ci) I. 2)) w Fnqucue(lequeu(Fnuqueueq. el)), e2)

(10) Appeud(q. Nuilq) a q(11) Apjpeudql. Enquq2. e2)) a EAquce(AppnudqI, qlZ)e2)

(12) Sie(Nuflq) a 0(13) Size(Enquee(q. e)) a Slzeq) + I

-16-

FIt L Sped llibm ofClrieL-d(rltcjk6t is Create. loed. Value. Remie. Rotate. E 1y. Joi

Ikflning TypesInteger. Rooleam

Opeutlions

Create : 4 (lvr_1UInsert : (irejl1 X In"eger -) (.IrhlA

Value : Circ-Li* ) Inleger U I KRROR IRcme : (ir.jist ) (iW-l.1l U I E.ROR IRotate : (rclJs -> ClirLisIPy : (Irc.Is -4 IsookenJol : crcJht X (Cir_1st -> (ir.Uut

Commet

(Ircki o ki a IN tif inltger-. uith a frrit end and a rear end. (mrine constructs an empty list: the front

and thc rear ends of an empty list arc thc a.m. Ins"rt inserts in element into a list at the rear end.Value returns the clement at the rear end of a list. Remote removcs the element at the rear end from alist. Rotate mo'c% every clemtroe in a Ik by one p tikm towards the rear end In a cyclic fashion. e.,

the element at tde rear s mu-d to the frnt. Fmpty chkcks if a list it empty. Join joins two lists byposimnng the firt argument in front ofrthe secnd.

Bas

(Create. Insert)

Axiom

(1) VahMlCreate) a ERROR

(2) Vake(lmeut(c. 0) a I

(3) RemoveCreite) a ERROR(4) Remodie(lnsur(e. i)) 0 C

(5) RotateCreate) u Crete(6) Roat(rln(Create. I)) m Imiet(Crnte, i)(7) Rotae(lnsen(Iasern(. ift i2))) m Insert(Rotate(Imuort(cl. it)

(8) Fmply(Crle) atrun(9) IEmty (c. i)) a fble

(10) Joln(c. Create) m c(II) Joln(c. Imert(d. )) a luert(Jo(, A i)

* 17-

RIg, 3 A.cstion Spedcidl.lInvriaet

J() True

Absit'xiwo fIn'ievu.

.A(C'ate) -, Nulkq,A(haieulrc. i)) * n mt..heal[,A(c), i)

md_*_brja*Nulkq I) m Vnqsk-ui(Nakq i)mdat~h-aqucuc(q. I). U • sqmue(adLhnd(q. iI), I)

the empty list. A nonempty queue is represented by a list whose element are identical to the

ones in the queue. but are arranged in the reverse order. The motivation for this

represcntation scheme is that: reading and deletion of elements from a queue can be

performed cflTiently. Note that the speciication of . uses an atxiliary function

Adlj-2Lhm on Queejnt, the auxiliary function adds an element at the front end of a

queue.

Fig. 4 shows the output of the synthesis procedure. The output defines a set of

functions, called the implementing functionx. on C(rc.isL Every implementing function

implements an operation of Qemejut The implementing function implementing the

operation f is given the name F. For instance. NULLQ implements NYlIq. Tl ta get

Fig. 4. An Implemeladlom

NULLOO ::a CreatoO

ENOUEUE(c, 1) :: Rotat(Insert(c, J))

FRONT() ::a Value(c)

DEOUEUE(c) ::a Remove(c)

APPEND(c, d):: w Join(d, a)

SIZE() : If Empty(c) then 0else SIZE(Remove(c)) # 1

lanSuage used to express the implementations for the operations is a simple applicative

lanSuage. 'Ihe only mechanisms available in the language to build programs are: functional

composition. conditional expressions, and recursivc funtiion definition. The language uses a

method or dcflning function that is customarily used in applicauive languages like pure LISP

1371 A fun.tion . is definecd ung the folloUing schema: Fgv,.... ., ) ::- e. where

, .k arc variables. and e is an expression containing those variables. A function

definition may use the operations of the implementing t)pes as base functionx

2.2 A Summary r ae Synthesis Procedure

"ie synthesis procedure is summarized in an illustrative fashion using the example

already introduced. This is done in the firs two subk.lions. In the example introduced. the

invariant 3 is a trivial one: I is Tre on all values In the third subsection, we highlight the

issues involved in deriving an implementation in the presence of a nontriial invariant by

introducing a new example.

The mcthod used by the procedure to derive an implementation is based on treating

every equation in the specifications as a rewte rule.2 The procedure begins by combining all

the input pcciwatkx. into a r% riling sy etm called the IniW Worl d(IW). (IW is obtained

by simply replacing the symbol a by -. in the input specifications.) The procedure asumes

that IW satisfies the uniform termination property as well a the unique termination property.

(IW is said to be convergent in such a case. This is similar to the Church-Rosser property.)

The uniform termination property ensures that every chain of reductions starting from an

expression terminates, The unique termination property ensures that l chains of reduction

starting from an expression terminate in the same expression. These two properties ensure

that the equivalence relation characterized by a specification can be computed by using the

rules in IW for reducing expressions The procedure also assumes that there is a predefined

2. A rewrite role (written a-., is an ordered pair-a left hand side and a right hand side- ofexpressions. A rewrite rle can be used to reduce any expressmion that is an instance of the left handside into an expression that is an instance of the right hand side. A rewriting system is a set of rewriterules,

- 19-

termination ortlcin (>-) on expresions which can be used ror showing the uniform

termination property of rewriting systems

The synthesis procedure derives the inmplcmcntatiofn in two s"ages. In the first sW

the procedure derives the implemenmataon In an intermediate form. The intcnncdiate rorm is

called a primnafy implmnmion. In the second stage the preliminary implemcntation is

tramn~ormcd into an implemcntation in the target languagc (laqrge imonoation). Fig. S

gives a preliminary implementation for Qwutmealt that is consistent with the association

4.ciri-ation given in Fig. 3. There are two crucial difference% between a pre'iminary

implementation and a target implementation. The first one concerns the methods used for

defining the inplcmenting function. A preliminary implementation defincs a function as a

set or rewrite rules The rewrite rules defining an implementing functkn F are the ones that

hivc F i the oucnmost s)mbol on their left hand side. For instance, rulcs(2) and (3) in

Fiq. 5 define ENQUELE. The second difference is that the only operations of the

representation type that are permitted to appear in a preliminary implementation are its

gcnerators, A target implementation is permitted to use all the operations of the

reprcscntation type. In the example under consideratkion. for instance. a preliminary

implementation may use all the operations of Iu Ifer and BooL but only the generatols

FI 5. A Prellitury Impkmistlm

(1) NULLOO -* Creat.O

(2) ENOUEUE(Creaft, J) -. Insort(Create, J)(3) ENOUEUE(Insert(, i), 1) - insertFNOUEUE(c. ), i)

(4) FRONT(Create) --, ERROR(5) FRONT(Ineert(c, 1)) --. I

(6) DEOUEUE(Creoe) -. ERROR(7) OEOUEUE(Insrt(c,i)) -- c

(8) APPEND(c, Create) --(9) APPEND(c, Insert(d, I) -- APP8ND(ENOUEUE(c, ), d)

(10) SIZE(Creato) -. 0( 1) SIZE(insert(c, i))-- SIZE(W). 1

(Create. and lamse) o(CaIcJmL

There arc two reuos for the decomposition. Firly. it makes the synthesis

procedure more modular. Targt bnguiic dependent ransformatimns am separated rrni the

language Indntraonalo The decomposition also lends iclr naturally to

defcrin cfkiency improving trans'onnadons to he later stage It t first zagc one can

concentrate on deriving a simple corret implementation. Secondly, the deonposition

reduces the complexity of the structure of synthesis proceure. The first stop deals with Ie

tcchniquem roe deriving an implementaton from the specifcatiin of the data type. The

second stage deals with the techniqucs for deriving alternate forms or implementations from

an preliminary implemcntadlon. ihe decomposition provides a better insight into the

synthesis method. and simplifies the dcsciption or the synthesis procedure. The next two

subscctions give an overview or the two stages of the synthesis procedure.

2.. Sla l: I'rlminiry Implemetalin Defvlalioa

A preliminary implementation of a data type is coret with repc to an abstract

functionA . ifthe fOlowing condition holds: Every implementing function F (that implenments

the operation ) defined by the prelimnay implementatitn is a total function on the

representation values so that t homomorphism property 6(F(x)) = R(x)) holds. Here X

is a function on the values of the implement types; X behaves exactly lIkc the abstraction

function A on the represenaton values, and like an identity function on all other values. The

synthesis procedure derives a preliminary implementatim so that the above crterion of

corree is satisfied.

The procedure synthesizes the preliminary implment on ror one opeation at a

time by deriving a separte set of rmwrite ruks for every opeao Snc the method umd is

the ame fbor every operatlon, we illustrae the synthss of only a couple of operations. The

procedure first determines the left hand des of all the rules of the preliminary

implementation. Then. it determin a suitable right hand side for each of the rukl

-21-

.2.1.1 Determiing the Left an Sde

One of the wrrecunc requirements or a preliminary implemwnLtdiot is d1 it nus

define a total furti.ion on the reprientalon type. This requirement Is ensured by deriving

the rules of the preliminary implementation so that (I) they saif, the uni ",km tamination

property. and (2) they are we-spawmwd The int propery is ensured Mhilk dciving the niht

hand side of the rules The second property is usd to dectrmine the left hand sides.

The scond prpey requires the lehf hand side expreonms or the rules to be of a

pirticu"lar 1ffof For minsace. any pair of rolks that have the form given bckw onstitute a

wcll-spanned wet of rules for NQUEUF. (in the fUolowing WM, and ?rbs are used as pace

hokkrs for c pmspiom to be decrmined later.)

LINQUrUACfeC. -. ?dmPINQUElUImwM( I). J) -. M

Note that the lf hand side of each or the above rules conm or FNQUEUE

.Vplicd to argmen% that are generator ctpresins, /I The Wt of arguments. i e.. equences of

generator cprmons. to ENQUF.UE on the ft hand side of the rules is

AipgSu = ((Cnue.j. <Iec.1)>1. ApSet q m the aet of all ordered pair or

generator cosmtant In other words, every pair oficrnerator comants is an inunce orone of

the arguments in AiSKt Tis property cnsures that the dcfiniion of EQUFUE acounts

for all the reprsentation values It is yasy to build a procedure that automatically generates a

welkpnnned AqpSeL once the generAors of the 9represenatin type am identified. Thus. an

approptae swt of left hand sides for the rewrite rules to be deived can be determined

,ulatniticaly.

3. A penerator eprtmion is an cwnrerkm in which he only function symbols iniolved am diegilewato A geerator cuimat h a generaor espresion tht does not contain any variables.

°22-

.. 1.2 I)etcrmining tih Right I land Side

T'he right hand sides or the rules are dctemiincd so that the preliminary

implcmenatkon satisfies die homonirphism property mentioned earlier. For this. the Initial

World. IW. is first supplennted with a set of rules. called the X-rulcs. The UG-alcs express

the honMmorlhisl proplny: there is an X-rule for every implementing function. For

ins ance. tle %rulc corresponding to ENQUEUE is

X(4EQUEUY(c.J)) -. ¥.alqe (4e). Xj)). Let us call the supplemented system thePrsut&'d Wwkd(PW). 4

The Ilctturbcd World (PWI is then used to derive a set of synthesis Lqualions. one

equation for cecry rule in the prcliniinary implementation. The right hand side of a rule is

dctlemined frti the right hand side of the corresponding synthesis equation. For instance,ihe s)nthcws equatir corrconding to the rule ENQUEUL(I4Isrl(c, i), J) --. ?rhs2 is an

equatioM of the form X(F1%QUEUIlmseu1(. I)j)) , X(?rs 1) that satislies the following

conditions:

(1) XFNQUEUF(1wh1(i. i)j)) M 3,(?rbs2) is a theorem of PW

(2) [.%QUlLLFlr(lacl j) • "M2

(3) Wht contains only the permitted operations of the implementing types, and the

implementing functions.

The SyMbees Tbeorem in chapter 4 shows that. when a preliminary

implementation is well-spanned. the preliminary implementation satisfies the

homomorphism property if the synthesis equation corresponding to each of the rules in the

preliminary implemenLation is a therem of PW. Note that the second condition above

ensures that the rewrite rules derived satisfy the uniform termination property. The third

comditon ensures the syntaic corectness of the preliminary implementation.

4. Nqxe that since X is a function that behas cmssnUally like A. the rewrite nules, specifying it in PWare obtained by simply replac:ing A by X, in the asociation specifcation.

-23-

2.2.1-3 Deriving the Synthesis Equations

Every synthesis equation of the preliminary implementation is derived with the help

of two infcrence ,lus alled the synthesis nlek& Thc synthesis rules arc designed for

gcncrating theorems or PW that havc the same lcfl hand sides, but different right hand bides,

For deriving a synthesis equation. the synthesis rules are invoked repeatedly a finite number

of times to generate a series of theorems until the desired equation is gencnrted. For inswtace.

the synthesis equation corresponding to the rule E:NQUEUE(Inert(c, I), j) - ?rks is derived

by generating a series of theorems that have X(FAQUEUFAlser(c. I), j)) as their Icf hand

side. "he generation continues until a theorem whose right hand side qualifies the theorem

to be a synthesis equation is encountered.

The idea used for generating an equation is to reverse the method of demonstrating

that such an cquation is a theorem or W. The central notion used in the generation is a

mechanism called expansion. ExpansionS is the opposite of reduction. It is the act of

applying a rewrite nle to an expression from right to left.

For example. consider the rule X(ENQUEUE(e.j)) -. FuUve((c), D ). ac i

the expression Add.athead(Eaqueu(X(Create). %(i)). k). The subexpresr

Equeue(%(Create). %(i)) is an instance of the right hand side of the rule for the substitution

{e -. Create.j,-.I }. The corresponding instance of the left hand side is3G(ENQUEUE(Create. i)). Therefore. Add-at1head(Faqueue()G(Crete). %(I)). k) expands to

AddaLhead(X(ENQUEUE(Create. i)). k) by the rule.

The first synthesis rule specifies a way of generating a theorem from an expression

with that expression as the left hand side. In the following e4 denotes the normal form of e

obtained using PW.6 (The normal form of e is the result of reducing it using the rewrite rules

of PW until it becomes irreducible.)

5. The definition of expansion will be revised later in chapter 4 to make it more general. According tothe definition given here. expansion is identical to the transformation technique folding used byDarlingtwn 171 for synthcsis of recursive progruns.6. PW is a convergent system. Therefore, every expression is guaranteed to have a unique normalform.

-24-

e is an expressionRulee e4

The second synthesis rule specifics how to generate a theorem from an existing one

so that the new theorem has the same left hand side as the old one. In the following

expond(e) denotes any expression that is an expansion ore, using some rewrite rule of PW.

Rule 2: e in exlpad(e )

We investigate two methods in which the synthesis rules can be used for dcriving a

synthesis equation. The first method derives synthesis equations that are in the equational

theory of PW. The second method derives equations that are in the inductive theory. The

second method is more general than the first one. A systcm that implements the synthesis

procedure would. therefore. use only the second method. We discuss them separately for

pedagogic reasms.

U1.3.1 Derivation in the Equational Theory

As an illustration, let us derive a synthesis equation that is of the form

G(FN QUEUF4Imeut(c, i)j)) a X4?rllsl). The equation is derived by generating a series of

theorems that have X(INQUEUE(l4sert(c, l),J)) as their left hand side. The generation is

begun by invoking synthesis rule(l) on the left hand side expression. The rest of the

theorems in the series are generated by invoking synthesis rule (2) using the rewrite rules of

PW for expansion. The rewrite rules for expansion are chosen with the following ultimate

goal: Obtain a right hand side that has the form (?rhs) so that

36(ENQUEtJE(Imseru(c,J))>- X(?rs). and ?rhs contains only the implementing

functions and the permitted operations of the implementing types. In the illustration given

below, the generation of every theorem in the series is considered as a step. At each step. the

expression expanded, and the rewrite rule used for expansion are indicated. The relevant

rewrite rules of PW that are going to be used for expansion are listed at the beginning.

Rule (1) is the X-rule coresponding to Euqueue: rules (2) through (5) are obtained frora the

asiociation specification.

-25-

Relevant Rcwritc Rules of the Perturbed WVorld

(1) 36(FNQUF.UF4c, j)) --# Fnqueuc(1G(c). NO~))

(2) J(reatc) - Nulhj

(4) Add-at-hcad(Nultq. i) --# Enqueue(Nallq. I)(5) Add-.u-hcad(Fnqucue(q. I), J) -4 lnqueuc(Add-at-head(q. j), I)

Form of thic thcorcim to be gene rated: "G( INQU FUF~lnsert(c. i).j)) :JC(?rhs,)Norma itiornof 1(E:NQUEUI:(Iiscrn(c. i).j)): Enqucu&(Ad-atjwiai(JG(c). :Ki)). GQj))Rules used for the normal rorm: (1). (3)

Step (1) Invoke Synthesis Rulc (I) on :JG(FNQUI.UF(lnsert(c. i).j))Xr(ENQU FU F(l nsert(c. i). j)) =- btqueutjAdd..utjicad(3G(c), :Jc~i)), 3GG))

Step (2) Expand lExpression: Enqueue(Add-athad(3G(c), X()). 3GG)Using Rule: (5)

1(FNQUEUF(lnsert(c. i). j)) =-Add-atjwad(Vqueue(3G(c). X)), 36(i))

Step (3) ExpaiJ FAprcssion: FVnqueue(JG(c). XOJ)Using Rule: (1)

X(ENQUlUF(lnscrt(c, i). j)) =- Add-at-headV(INQUEUE~jc. J)). 3G(i))

Step (4) Fxpand lxpresion: Add-atjed(J(ENQUEUElc. D) 3G(i))

Using Rule: (3)

(FNQUFUE(Jmser(c. i). j)) a G(uInsert(fNQUE1UF~c. A) i)

Tbe theorem generated in step (4) qualifies to be a synthesis equation. Hence the desired rule of thepreliminary implementation is:

ENQUEUE4Iosert(c. 1). j) -. inscrt(ENQUEUFle. J) I)

One can similarly gencrate a theorem of the form X6(FNQU EU FACreate. j)', in 3(nsert(Create, j)).which gives rise to the following rewrite rule to complete the preliminary implementation for

-26-

FNQUFUE:

ENQUEtJE(Cre;ute. j) - Insert(Create. j)

2.2.1.3.2 Derivation in the Inductive Theory

The method used for deriving a synthesis equation in the inductive theory is based

on the following property that every theorem of PW satisfies: If an equation is a theorem of

PW. then every instance of it is in the equational theory of PW. An instance of an equation

e =-ez is an equation obtained by replacing every variable in e1 and ez by generator

constants.7

We, therefore, take the following approach for deriving an equation in the inductive

theory. First derive an instance of the desired equation; the method of derivation described

earlier can be used for this purpose. The instance of the equation derived should be such that

a generalization of it has the form of the desired synthesis equation, and is a theorem of PW.

A gcncralization of e, = e2 is an equation obtained by replacing assorted constants in e, and

e2 by suitable variables. To check if the generalization is a theorem of PWV, we use an

automatic procedure called ls-an-inductive-theorem-of. The procedure is an extension of the

method of using the Knuth-Bendix completion algorithm for proving inductive properties of

convergent rewriting systems [28. 38. 22. The procedure is described in chapter 4.

As an illustration let us derive a synthesis equation of the form

3,(APPEND(c, Insert(di ))) = J(?rhs2) which gives rise to one of rules in the preliminary

implementation of Append. We begin by deriving an instance determined by the replacement

of the variable d by the constant Create. and then apply generalization.

Relevant Rewrite Rules of the Perturbed World

(10) Append(q, Nullq) - q(14) 3;(Create) - Nullq

7. A generator constant is an expression formed out of generators, and does not contain any variables.

NN

-27-

(20) X(ENQUEUF(c. Q)) - Enqiaeuc(l%(c), 3G()

(22) %(A PITINl(c. Q) - Appcnd(JG(c). 3G(d))

Form of the theorem tobc generated: :R(API'ENI)(c. ln.sri(Crcntc. i)))=-G(?c)Normal form of3(APPE)Nl)(c. lnsert(tret-ite. i))): Enqucue(3G(c). 1C(i))

Rules used for the normal form:

Step (1) Invoke Syntheisluiic (1) on I1(Ai'PFNl)(c,Insert(Create. i)))3G(APPENI)(c, lnscrt(Crcatc, i))) -= nqucutjX(c). 3G(i))

Step (2) Expand Expression: X4(AlPPENl)(c, Inscrt(Creatc, i)))Using Rule: (10)

X(APPYND(c. insert(Creatc. i))) =-Append(Fnqueuc(J6(c), Xf(i)), Nullq)

Step (3) Expand Expression: NullqUsing Rule: (14)

Xl(A PPI.NI)(c. Ilnscrt(Creatc, i))) =-Appcnd(E nqueue(3G(c), 3G(i)), :IG(Create))

Step (4) Expand Expression: Enqueuc(JC(c). JG6V))Using Rule: (20)

3G(APPENI)(c, lnsert(Create. i))) =-Append(3G(lNQUEUVF(c. ), 3K4Creatc))

Step (5) Expand Expression: Append(1(ENQUEUE~c, i)), Jf(Crcate))Using Rule:

X6(APPIEND~c, tnsert(Crcatc, iQ)) =- (Al)PIEND(FNQUEUF~c i). Create))

Step (6) Generalize the thcorcm in step (5) by replacing the constantCreate by the variable d to obtain the following equation:X(APPENl)(c, lnserl(dO ))) (APPEND(ENQUEUE(c, 1), d))

Apply is-an-inductive theoremof on the above equation.7Tis yields True coqfrming that the equation is a theorem'

- 28 -

Hence ie desired rule (obtained by dropping IG on both sides) is:

APlPFNlXc, lnsert(d,i )) -- AI'PFNl)(ENQUEUE(c, i), d)

One can similarly generate a theorem of thc tbrm f J(APPENI(Create. d)) - 3G(d) which gives rise tothe following rewrite rule to complete the prcliminary implementation of APPEN I).

APPEND(Creatc, d) --# d

2.2.2 Slage2: Derivation .f the Target Implementation

In the second stage of the synthesis procedure, the preliminary implementation is

transformed into a target implementation. It should be noted that the preliminaryimplementation is itself an executable implementation. It can be executed by ,an interpreter

that is capable of simplifying algebraic expressions using the equations in the specifications of

data types as rewrite rules. The data type verification system AFFIRM [391 provides such an

interpreter. Given the specifications of all the implementing types, the interpreter can

execute the preliminary implementation on any given input. Our goal is to derive the target

implementation in a form that can be compiled by a compiler for an applicative language.

There are two reasons why a target implementation is more efficient than a preliminary

implementation. The first one arises because of the freedom to use nongenerators of the

representation type in a target implementation. This makes it possible, in some instances, to

eliminate recursion from a preliminary implementation of an operation, and to transform into

one which is a composition of the operations of the implementing types. The second reason

is that an implementation that can be compiled by means of a conventional compiler is in

general more efficient than interpreting a set of rewrite rules. We investigate two methods of

transforming a preliminary implementation into a target implementation. We describe each

of them briefly below. The first method, although less efficient than the second, derives a

larger set of implementations.

-29-

2.2.2.1 Recursion Eliminating Method

According to this method the problem of deriving a target implementation is viewed

as finding a composition P of the operations of the implementing types and the

implementing functions (possibly including the ifjthenelse function) that has die same

functional behavior s the implementing function F defined by the preliminary

implcmentation. For example. the composition Rotate(insert(d, k)) has th. same behavior as

the function ENQUEUE defined by the rewrite rules of the following preliminary

implementation:

ENQUEUE(Create, j) - Insert(Create, j)

ENQUEU E(Insert(c, i), j) - Insert(ENQUEU E(c, j), i)

So, the following can be a target implementation for it:

ENQUEUE(d, k) :: = Rotate(Insert(d, k)). Note that the target implementation does not use

recursion.

More formally, the problem can be stated as follows: Find a co:niposition P so that

the equations obtained by substituting f* for ENQUEUE in the rewrite rules are theorems of

the implementing types. The equations for ENQUEUE arc given below. Note that, in

obtaining the following equations, the two sides of the rewrite rules are interchanged after

replacing ENQUEUE by *. The need for the interchange will be explained later.

(1) Insert(Create, j) -f(Create, j)

(2) Insert(f*(c, j), i) f*(Insert(c, i),j)

We use the following strategy to find a solution for I*, We generate a theorem of

the implementing types using one of the above equations as a template. For generating such

a theorem we use the synthesis rules mentioned earlier. However this time, since we are

interested in the theorems of the implementing types, the rewrite rules in the specification of

the implementing types are used for expansion. The theorem generated determines a

candidate for '. The goal is to generate a theorem so that the candidate for 1 determined b)y

the theorem also satisfies the other equation. For instance, the sequence of steps given below

generates a theorem that has the form of equation (1).

P2i

-30-

Re rite Rules of CircList

(3) Rotale(Create) - Create(4) Rotate(Insert(Create, i)) - lausrt(Create, i)(5) Rotate(Insert(hosrt(c. il), i2)) - Insert(Rotate(Insert(c, i2)), if)

Forn of thc theorem to be generated: Inscrt(Create. j) f*(Create, j)Nonml form of Insert(Create, j): Insert(Create. j)

Rules used for the normal form: Noni

Step (l) Invoke Synthesis Rule (1) on Insert(Create, j)

Insert(Create, j) = Insert(Create, J)

Step (2) Expand Expression: Insert(Create.j)

Using Rule: (4)

Insert(Crcate. j) - Rotateijnsert(Create. j)

The last theorem generated in the above series suggests that Rotate(Insert(d, k)) is a

candidate for 9*(d. k). The candidate composition can be determined mechanically by

comparing the theorem generated with the template equation. The candidate we currently

have is such that the equation Rotate(Insert(lnsert(c, I), I)) - lnsert(Rotate(Insert(c, j)), I),

which is obtained by replacing P' by Rotate o Insert in equation (2), is a theorem of CircList.

Had the candidate obtained in the last step not satisfied equation (2). the theorem generation

would have continued further to generate another theorem that had the form of equation (1).

The reason that the first equation, rather than the second, was used as the template

equation is the following. The synthesis rules are formulated so that the unknown expression

in the equation to be searched for is on the right hand side. In equation (2) both sides are

unknown since 10 occurs on both the sides. That is not the case with equation (1). This was

also the reason for interchanging the two sides of the rewrite rules while obtaining the

template equations. In the example illustrated the theorem desired was in the equational

theory. In general, we need to use the generalization technique described earlier since the

- 31 -

theorem may be in the inductive theory.

2.2.2.2 The Recursion IPreserving Method

In this method the target implcmentation is derived with the help of a special set of

functions, called the inverting functions 8 on the representation type. To understand what

inverting functions are, and why there are useful, let us consider n example. The

preliminary implementation of SIZE consists of the following rules:

SiZE(Create) -- 0

SIZE(lgscrt(c, i)) - SIZE(c) + I

A target implementation for SIZE may take the following form:

SIZE(d) :: = If Empty(d) then 0

else SIZE(Remove(d)) + I

Note that in the preliminary implementation the argument to SIZE on the left hand

side of a rule is permitted to be a generator expression. The argument indicates the pattern or

the structure of the expression that constructs the values for which the rewrite rule is

applicable.9 This freedom is used in a preliminary implementation to perform a case analysis

based on the structure of the argument, and to decompose the argument.

In a target implementation the argument to SIZE on the left hand side of the

definition must be a variable. This means that the expression on the right hand side of the

definition must have explicit subexpressions for determining the structure of the argument,

and to decompose the argument. Inverting functions of a data type can be used to build these

subexpressions.

Informally speaking. the inverting functions of a data type are functions that can be

8. Inverting functions are closely related to distinguished functions of a data type defined in (241. In1241 the distinguished functions are used to formalize the expressive power of a data type.9. If we are interested in interpreting the preliminary implementation, it is. therefore, necessary forthe interpreter to have pattern matching capability to invoke the appropriate rewrite rule whilesimplifying an expression.

- 32 -

used to algorithmically invert the process of constructing a value of the type from the

generators of the type. In other words, by applying one or more of the inverting functions a

finite number or timns on a value one can determine a generator expression that constructs

the value. For instance, for CircList the operations Rotate. Value, and Empty can serve as a

set of inverting functions. The structure of any circular list value in terms of Create and

Insert can be detcrmined using these operations. For instance, if v is a vat iable denoting the

value constructed by lnsert(c, j), then Remove(v) extracts the component c: -Empty(v) checks

if v is constructed by an expression of the form Insert(c,j). So, the rewrite rules can be

merged into the following conditional expressions:

if Empty(d) then 0 else SIZE(Removc(d))+ 1.

The target implementation is derived in two steps. The first step identifies a set of

inverting functions for the representation type. In the second step the rewrite rules

constituting the preliminary implementation of every operation are transformed into a target

implementitation in terms of the inverting functions. The method is described in detail in

chapter 6.

2.2.3 Extending the Synthesis Procedure

Consider the association specification given in Fig. 6. It specifies a representation

scheme for implementing Queue.lnt as a triple Array-Jnt X Integer X Integer, which can

informally be described as follows. (Arrayjnt is specified in the next chapter which also

describes the association specification shown below in more detail.) Nullq can be represented

Fig. 6. Queue-int in terms of Triple

A((v. , Li>) --s Nullq

.44(Assign(v, ej), L j+ ID) - inl = j+ I then Nullqelse Enqueue(A((v. I, j)), e)

S((v, I, i)) True((Assign(v, e, j). I, J+ I)) a If = J+ I then True

else if i j + I then J(<,, 1, J))else False

- 33-

by any triple in which the two integer components are equal. A nonempty queue can be

represented by a triple v, I, j). where v is an array of arbitrary length containing the elcmcnts

of the queue between the index values I and J-I, in order. In other words. I points to the front

end of the queue. and j points to the next position available in the queue for adding an

element. Note that in this example. unlike the list one, not every value of the representation

type can legally represent a queue. A triple (V. I, J> is a legal representation value if only ifI < j. and v is guaranteed to be defincd on all index values between i and j-I. The invariant 3

in Fig. 6 specifies this condition.

The synthesis the presence of a nontrivial invariant J has to be performed differcntly

bccause the implementation must be such that every implementing function F defined

preserves 3: That is, (V v)YI(v) = 5((v))j.

The synthesis procedure for such a situation is similar to the one described earlier

except for the method employed in determining the right hand sides of the rules of apreliminary implementation. The difference lies in the set of rewrite rules used for expansion

while generating the theorems. Earlier, the rewrite rules of PW were used. but now it is

necessary to use an additional set of rewrite rules. The additional rewrite rules describeinformation pertaining to the invariant 3. and the assumption that the arguments to the

implementing function satisfy the invariant. The information pertaining to 3 is maintained as

a separate entity called the Temporary World Chapter 5 describes how the Temporary World

is constructed, maintained, and used in the synthesis of an implemenation.

2.3 The Scope of Ihe Synthesis Procedure

The scope of the synthesis procedure is limited because of two reasons, Firstly. the

restrictions imposed on the input specifications limit the range of data type specifications that

are acceptable as inputs to the procedure. Secondly. the synthesis procedure is capable of

deriving only a class of implementations that satisfy certain properties. We describe the two

forms of limitations below.

-34-

2.3.1 Restrictions on the Inputs

The input specifications must be such that the Initial World (W). which is a

combination of all the specifications. forms a rewriting system that

(1) has the uniform termination property.

(2) has the unique termination property, and

(3) is wcll-spanned.

The second and the third properties are not restrictive because they can be attained

by adding ccrtaid additional rewrite rules to the system. There arc automatic procedures [28.

38. 221 for determining the rules that need to be added, provided the system satisfies the

uniform tennination property.

The uniform termination property can be restrictive. It is. in general. not possible to

express all the properties one wishes to specify in a manner that preserves the unirorm

termination property. For example. consider the data type Setofements that has an

operation Insert to insert -n element into a seL To express the property that the order of

insertion of Czments into a set is immaterial, it is necessary to have a rewrite rule of the form

insert(Insert(s, i), j) - Insert(Insert(s, j), I) as a part of IW. A system containing this kind of

rule need not. in general, terminate because the rule does not strictly reduce an expression.

One way of getting around this problem is to exclude the concerned rule(s) from

IW. However, there are two reasons why one may not want to do this. Firstly, the rule might

be needed to attain the second and the third properties mentioned above. In such a situation

excluding the rule(s) makes the input unacceptable. The second reason is that omitting the

rule may leave the specification incomplete.10 The method used by the synthesis procedure

does not require the specifications to be complete. so the input (excluding the concerned rule)

in this case is acceptable. But the procedure will not be able to derive an implementation that

is dependent on the property expressed by the rule.

10. We use the following notion of completeness: A specification is complete if all the properties thatare valid fi)r the data type are provable from the specification.

-Wi.

-35.

2-3.2 The Clas of Implementations Derived

There are three factors that are responsible ft,r limiting the class of implementations

derived by the procedure. The irst is related to the subset of the proof theory of the input

specifications in which the synthesis procedure operates. The procedure can only derive

those implemenltions whose correctness proof is within the operational pani of the theory.

The operitional part of the theory comprises the subset of the inductive thcry that is decided

by the Musser/Knuth-Bendix method 1381 of proving inductive properties.

'he second limiting lC-tor is the termination ordering >-. The s) nthesis procedure

assumes that an effective ordering is implicitly available to be used in ensuring the

tcm)inattion of the implemcntation. %o. the procedure can only derivc those implementations

whose temlinalion can be procd using The )rdcring >-. The more general' I the ordering >-.

the larger is the clxLs of implementations that can be derived..he third rcason is that the implemenations derived may not involve arbitrary

helping functions. The synthesis procedure is not capable of automatically discovering a

helping function that might be necessary in an implementation. The user has to furnish a

specification of the helping function as a part of the Initial World if he wishes an

implementation in terms of the helping function.

2.3.3 Effects of Using the Procedure Outside its Scope

Using the procedure on a specification that does not satisfy the uniform terminationproperty may result in infinite looping. This is because, under such a circumstance, there can

be expressions for which a normal form does not exist. The effect of a violation of the unique

termination property depends on how serious the violation is. If the violation implies that the

system is inconsistent, then the procedure may derive an incorrect implementation. However.

if the system is consistent despite the violation, the effect will only be a reduction in the class

of implementations that the procedure can derive. It should be noted that all three of the

II. An ordering >-I is considercd to be more general 1231 than >-2 if >-, contains >-. T hat is, -relates a larger set of expressions than >-

-36-

propenies rcquired of the inputs can be checked automatically (assuming that a tcrmination

ordering >- is available).

IV

-37.

3. Inputs to the Synthesis Procedure

This chapter has four sections. The first section defines data types and their

specification. The second section describes the association specification. The third section

characterizes the restrictions on the inputs. The last section describes proving properties of

data types from the specifications.

3.1 Data Types and their Specification

3.1.1 Preliminary Concepts

A data type consists of a set (perhaps infinite) of values, called the value set. and a

finitc set of operations, called the operation set. The only way in which the values of a data

type can be constructed. manipulated or observed is through the operations of the data type.

ihe behavior of a data type is usually dependent on several other data types. These

data types appear as a part of the domain or as the range of the operations of the data type

under consideration. We call these other data types the defining types. the data type under

consideration is referred to as the type of interest (TOI). If the TOI is the one that is being

implemented. we refer to it as the implemented type. The type that is used to represent the

implemented type is called the representation type. The defining types of the representation

type are called the ancillary types, The union of the representation type and the ancillary

types is called the set of implementing types. For example, the defining types of the data type

Queueclnt specified in Fig. 7 are Integer and BooL

A data typ : has two kinds of operations. A constructor is an operation that yields a

value of the TOI. and an observer is an operation that yields a value of a defining type. For

Queue-lnt, the operations Nullq, Enqueue. Dequeue, and Append are all constructors; the rest

of the operations are observers.

We treat the exceptional behavior of a data type in a simplified fashion. We assume

that every data type has a unique exceptional value that is constructed by the operation Error

belonging to the type. The value Error( ) is treated like any other value of the type except

that it has the following unique property. Every operation is assumed to be strict with respect

A

- 38-

to Erroa): Every operation f is such that when applied to Fror() from any of its domain

types it yields the exceptional value of the range type of fE We assume that every operation f

is a total function: ihat is. f is dcfined on every elemcnt of its domain yielding either an

exceptional valuc or a normal value from its range type.

The requirement on a data type that its values be manipulated only b5 its operations

translates to requiring that its values be constructed only by its constructors. possibly using

the values of its defining types. Furthermore, in a computer the values can be constructed

only by a finite sequence of operations, so the ,'due set of a data type is the smallest set closed

under finitely many applications of its constructors. This property of a dala type is called the

minimality property (251.

A subset of constructors is said to be complete if every value of the TOI can be

constructed by some composition of the constructors in the subset (possibly using values of

the defining types). A basis for a data type is a complete set of constructors that is minimal.

i.e.. no subset of a basis is complete. A data type may have more than one basis. ( Nulkq,

FnIqueue ) is a basis for Queuejlnt since all queues can be generated using NulIq and

Enqueue, and no subset of it can do so.

An expression (or a term) is a sequence of operations and variables denoting an

application of the operations to the variables. The type of an expression is the range type of

the operation symbol that appears at the outermost level of the expression. A constant is an

expression that does not contain any variables. For example. Dequeue(Enqueue(q, e)) is an

expression of type Queue-int it is not a constant since it contains variables.

Dequeue(Enqueue(Nullq. 0)) is a constant of type Queue-Int.

3.1.2 Definition of a Data Type

The only way in which the values of a data type can be manipulated is through the

operations of the type. We define a data type so as to capture the behavior of the type as

viewed through the operations of the type. This behavior is called the observable behaviorof

the data type. This method of definition was advocated by Guttag [161, and later developed

by Kapur 1251. According to this view, the values of a data type are distinguishable only by

., i = ... i rll l .. . 1 1 .. .......

-39-

means of the operations of the type.

Heterogeneous algebras provide a natural means of modeling the behavior of a data

type. A heterogeneous algebra that can be used to model a data type is defined recursively in

terms of the algebra that is used to model each of its defining types. The basis of this

recursion is the type Bool which does not have any defining types.

A heterogeneous algebra for a data type D, consists of(i) a domain corresponding to

D. which is called the principal domain, (ii) a domain corresponding to every defining type ofD. (iii) a function corresponding to every operation of D. lhe elements of the rrincipal

domain are used to denote the values of 1). The minimality property of a data type requiresthat every element of the domains of the algebra be constructible by a finite number ofapplications of the constructors of the appropriate type. Any heterogeneous algebra that has

the appropriate signature, and that exhibits the desired observable behavior can be used to

model the data type. Hence. we define a data type as a set of heterogeneous algebras that

exhibit the same observable behavior. Every algebra in the set is said to be a model of the

data type. The elements of the principal domain are called the sulues (of D) in that model.Below we formally characterize the observable behavior of a heterogeneous algebra.

The observable behavior of a model is characterized in terms of the

distinguishability relation on the values of the model. The distinguishability relation isdefined inductively in terms of the distinguishability of the values of the defining types. Thatis, we assume that the distinguishability relation is already defined the domain corresponding

to each of the defining types. (The basis of this induction is the data type Bool that does nothave any defining types: the only two values, True and False of Bool are assumed to be

distinguishable.) Two values of a model are distinguishable if and only if there is a sequence

of operations of D with an observer as the outermost operation, that produces distinguishable

results when applied separately on the values. If two values are not distinguishable, they are

observably equivalent. For instance, the Queuejlnt values constructed by Enqueue(Nullq, 0)and Append(Nullq, Enqueue(Nullq, 0)) are observably equivalent; but the ones constructed byEnqueue(Nullq, 0) and Dequeue(Enqueue(Nullq, 0)) are distinguishable. Observable

equivalence is an equivalence relation.

__

-40-

Definition Two models are behaviorally equivalent if their quotient models induced by the

observable equivalence relations are isomorphic to each other.

Definition A data type is a set of behaviorally equivalent heterogeneous algebras.

3.1.3 Specification or a Data Type

The specification of a data type is a piece of text in a formal language. It describes a

set of properties concerning the operations of the data type. The aim of writing a

specification is to characterize through the specification the observable equivalence relation

that defines the data type.

It has been observed [171 that the construction of an algebraic specification for a

data type is rendered easier and more reliable (in the sense that one has increased confidence

in the consistency and completeness of the specification) by using a basis of the data type as a

guide for constructing the specification. We assume that all our specifications are constructed

in this fashion. The operations belonging to the basis of a specification are called the

generators of the specification. An operation that is not in the basis is called a non-generator.

Note that all generators are constructors- non-generators may be constructors or observers.

Throughout the development when we refer to the basis or the generators of a data

type involved in the synthesis, we actually mean the basis or the generators associated with

the specification of the data type being used as an input to the synthesis procedure.

Definition of a couple of new terms pertaining to the generators are in order at this point. A

generator expression (generator constant) of a data type is an expression (constant) that

consists of only the generators of the type. Taking Queue-Int with the specification given in

Fig. 7 as an example: Enqueue(Nullq, 0) is a generator constant whereas,

Dequeue(Enqueue(Nullq, 0)) is not a generator constant, because Dequeue is a non-generator.

7

-41-

3.1.3.1 The Specification Language

The specification language we use is a restricted version of an equational language

that permits conditionals and auxiliary functions. The language is similar to the ones used in

several other works on data type specification and verification such its (14, 18, 251. A

specification has two parts: the Operations part describes the functionality of every operation

of the TOI: we assume that the Operations part identifies the basis used for the specification.

The Axioms part consists of a set of axioms describing the properties of the operations. Every

axiom has the form of an equation el = e2, where e, and e, are expressions of the same type.

The expressions may involve any of the operations of the '701 and the defining types. The

expressions may contain any of a finite number of auxiliary functions which are also specified

as part of the spccification. The equations may involve conditional expressions on their fight

hand side, i.e., e2 may contain the auxiliary function ifthenelse which behaves like a

conditional expression.12 For the sake of clarity, we use the following more conventional

syntax for an expression involving if-then-else. The expression if-then-else(, 21, e 22) is

written as if b then e 2 else e22.

We differ from the works cited above by assuming that every axiom in the

specification satisfies the following syntactic constraints. The constraints are not restrictive, in

the sense that they do not restrict the class of data types that can be specified. The first

constraint enables us to automatically partition the axiom set into two disjoint sets: One that

contains only the generator symbols; the other whose axioms may involve generators as well

as nongenerators. The partitioning of the axiom set facilitates the synthesis process by

reducing the inter-dependence of the synthesis of different operations. The second constraint

permits the axioms to be treated as left to right rewrite rules (to be described later) without

having to interchange the two sides of the axioms.

12. ifthen-else can be specified by the following two equations.If-then-else : Bool X T X T -> TIfthenelse(True, e,. e) a e,

-42-

Every axiom e, = e2 of a specification satislies the following conditions:

(1) Every data type specification explicitly identifies a basis, i.e., a set of generators.

(2) The set of variables in e2 is a subset of the set of variables in e,.

Figures 7 and 8 show specifications of a (FIFO) queue of integers (Queuecjnt) and a circular

list of integers (CircList). The specifications meet the constraints specified above.

3.1.3.2 Semantics or a Spweification

The specification of a date type characterizes the observable equivalence relation

that defines the data type. The semantics of a specification is a set of heterogeneous algebras

that are behaviorally equivalent based on the observable equivalence relation characterized

by the specification.

To determine the observable equivalence rclation characterized by a specification,

the symbol '-' in the axioms of the specification should be read as 'observably equivalent'.

For instance, the equation SiA:(Enqucue(q, c)) = Size(q) + I in the specification of

Queuejlnt asserts that the two expressions yield observably equivalent values for all

instantiations of the variables in them. The observable cquivalcnce relation characterized by

the specification is the reflexive, symmetric, transitive closure of M. Every algebra that

satisfies all the axioms in the specification is a model of the type being specified by

specification.

3.2 Association Specification

In addition to the specifications of the types involved in the synthesis, the synthesis

procedure expects the user to provide information about the representation scheme to be

used by the implementation that is to be derived. This section explains what exactly that

information is, and how it can be specified. We call the formal description of the information

the association specification of an implementation.

-43 -

Fig. 7. Specification of Queue-lot

Queiae-jnt is Nul~q, Enqucue, Front. lDcqueue. Apperi. Sime

Defiig Types

Ilool, mnt

Opera/ions

Nuilq )Qucuc-int

Enquetic Queuuejnt X hIt -> QueuejatFront QueucejInt In t U I ERRORlDcqucue Queue-iit ->Queue-nt U I ERROR IAppend QueuejInt X QueucjInt -) QueucjIntSize QueuecInt 4> mt

Basis

I Nuitq, E.nqueuc

Axioms

(1) Front(Nuijiq) -=:RROR(2) Front(EnqueutiNuI~q. c)) =-e(3) Front(Enquetic(Enqucuc(q, ci), c2)) =-Front((Enqucue(q. ci))

(4) l)cqueue(Nuhlq) =-ERROR

(5) lDequeue(Enqueue(Nullq. c)) =-Nullq

(6)1 )equcue(Enqueut( Enqucutjq. ci1), c2)) =- Enqucue(l)cqucue(Enqucuc(q. el)), e2)

(10) Append(q, NuIlq) = q(11) Append(q I, Enqucuc(q2. e2)) -= Fqucuc(Appcnd(ql, q2), e2)

(12) SizcjNuItq) =0(13) Size(Enqueue(q. c)) =-Size(q) + I

Fig. 8. Specification of Circ-JistCirc..List is Create. Insert, Value, Remove, Rotate, Empty, Join

Defining TypesInteger, Boolean

Operations

-44-

Create > Circjl ist

Insert CircList X Integer> Circ-listValue Circ..List -> Integer U I ERROR }Remove CircList -> Circ-list U I ERROR }

Rotate Circ-list > CircListEmpty Circjlist> Boolean

Join Circlist X Circ-list -> Circ.list

CommentCircList i a list of integers with a front end and a rear end. Create constructs an empty list; the frontand the rear ends of an empty list are the same. Insert inserts an element into a list at die rear end.Value returns the element at the rear end of a liSL Remove removes the element at the rear end from alist. Rotate moves every element in a list by one position towards the rear end in a cyclic fashion. i.e.,the clement at the rear is moved to the front. Empty checks if a list is empty. Join joins two lists bypositioning the first argument in front of the second.

Basis{Create. Insert)

Axioms

(I) Value(Create) - ERROR(2) Value(lnsert(c, i)) M

(3) Remov€(Create) =- LAROR(4) Remote(Insert(c, i)) c

(5) Rotate(Create) - Create(6) Rotate(Insert(Create, i)) - insert(Create, i)(7) Rotate(Insert(Insert(c, il), i2))) Insert(Rotate(Insert(c, i2)), il)

(8) Empty(Create) = true(9) Empty(Insert(c, i)) =- false

(10) Join(c, Create) - C(II) Join(c, insert(d, i)) a Insert(Join(c, d), I)

-45-

3.2.1 What is an Association Specification ?

An association specification characterizes two pieces of information about a

representation scheme:

(1) The set of values Gf the representation type that an implementation may use in

representing the values of the implemented type. We call this set the representing

domain ('). R is characterized by means of a predicate on the representation type

called the invariant'(J): % is the set of values of the representation type for which

is True.

(2) A function, called the abstraction function, from the values of the representation type

to the values of the implemented type. The function corresponds to the

representation function of a data type introduced by [211. The abstraction function

maps a representation value to an abstract value that the former may represent in an

implementation. An abstraction function may be a many-lo-one function. An

abstraction does not have to be defined on every value of the representation type.

However, it has to be defined on every value in the representing domain.

The information characterized by the association specification is often the most

creative part of an implementation. The proof of correctness of an implementation also, in

general, needs to use information such as this. If the invariant part of an association

specification is vacuous, then we assume that the invariant is true on all values of the

representation type. In such a case the representing domain includes all the values of the

representation type.

3.2.2 How Is It Expressed ?

We specify 5 and A using the same language that is used to specify the data types

involved. 5 is specified as a set of equations, like any other predicate on the value set of the

representation type. A is specified as a set of equations relating expressions of the

representation type to expressions of the implemented type. We require that A be specified

as a well-defined function with a nonempty domain.

-46-

Fig. 9. Two Association Specifications for Queue-lnt

9(a) Qucuetlnt in terms ofCircList

.A(Create) = Nullq

.A(lnsert(c. i)) = add-atjhead(.A(c), i)

add-at-head(Nullq) - Enqueue(Nullq, i)add-at-head(Enqueue(q. i), it) - Enqueue(add-at-head(q, it), i)

9(b) Queue-lnt in terms ofArray-lnt X lnt X nt

A(<v, i, i>t --- Nullq

.A(<Assign(v, e, j). i, j + I >) - if i = j + I then Nullqelse Enqueue(.A(<v, i, j>), e)

5(<v, i, i>) =TrueJ(<Assign(v, e, j), i, j+ >) = if i = j+ I then True

else ifj+I < i then Falseelse i(<v, i, j))

Fig. 9 gives a couple of example of an association specification. 9(a) specifies an

implementation of Queue-Int in terms of CircList. The empty queue is represented by the

empty list; a nonempty queue is represented by a list whose elements are identical to the ones

in the queue, but are arranged in the reverse order. The motivation for this representation

scheme is that reading and deletion of elements from a queue can be performed efficiently.

Consider the association specification given in Fig. 6. it specifies a representation

scheme for implementing Queue-Int as a triple , which can informally be described as

follows. (Arrayjlnt is specified in the next chapter which also describes the association

specification shown below in more detail.)

Fig. 9(b) specifies an implementation in which a queue is implemented as a triple

Array.lnt X Integer X Integer. (Arrayjnt is specified in Fig. 10.) The representation scheme

can be informally described as follows. Nuliq can be represented by any triple in which the

two integer components are equal. A nonempty queue can be represented by a triple v, i, J,

;t47 "

Fig. 10. Specification of Array-intArray-int is Nullarr, Assign, Read, Size, Empty

Defining TypesInteger, Boolean

Operations

Nullarr -> ArrayIntAssign ArrayjIt X Integer X Integer -> ArrayjIntRead Arrayjlnt X Integer -> Integer U I ERROR ISize Arrayuint -) IntegerEmpty Arraylnt -) Boolean

CommentArray-int is an array of integers. Every element in the array is indexed by an integer; the indices arenot necessarily contiguous. Nullarr creates an empty array. Assign assigns a given value (the second

argument) to the element at a given index (the third argument); if die array does not have an elementwith the given index, then the value is addcd to the array. Read reads the clemcnt at the given index.

Empty checks if an array is empty.

BasislNullarr, Assigni

Axioms

(1) Assign(Assign(v. el, il), e2, i2) - if il = i2 then Assign(v, e2. i2)else Assign(Assign(v, e7, i2). el, il)

(2) Read(Nullarr. i) = ERROR(3) Read(Assign(v, e. j). i) - if I = j then e

else Read(v, i)

(4) Fupty(Nullarr) a true(5) Enipty(Assign(v. e, i)) a false

- 48-

where v is an array of arbitrary length containing the elements of the queue between the

index values i and j-1, in order. In other words, i points to the front end of the queue, and j

points to the next position available in the queue for adding an clement.

Note that in this example, unlike the last one, not every value of the representation

type can legally represent a queue. A triple (v, i, j) is a legal representation value if only if

I < j. and v is guaranteed to be defined on all index values between I and j-1. The invariant 3

in specifies this condition.

The abstraction furiction A is specified so that it is defined on all values for which 3

is True. The specification uses an auxiliary function Add-at-head. Add-at-head is a function

on Queue-int that adds a given element at the front of a queue. A specification of

Add.athead is given as a part of the association specification.

3.2.3 Further Discussion on Association Specification

It is important to note that every association specification need not have an

implementation corresponding to i. To understand this more clearly, let us look at the

relationship between an association specification and an implementation that uses a

representation scheme consistent with the one characterized 1'y the association specification.

An implementation of a data type consists of

(i) a representation type being used as the representation for the implementation.

(ii) a program, i.e.. a segment of code, for every operation of the type in a language; this

program is called the implementation of the corresponding operation.

Note that both a preliminary implementation and a target implementation (as introduced in

the previous chapter) of a data type are implementations of the data type. A preliminary

implementation uses one language to express the program, while the target implementation

uses another.

Formally, an implementation of a data type can be considered to be denoting a

heterogeneous algebra, called an implementation algebra, with

.49-

(i) a principal domain that is a subset of the value set of the representation type.

(ii) a domain corresponding to every defining type of the implemented type - this

domain is identical to the value set of the corresponding defining type.

(iii) a function corresponding to the implementation of every operation of the

implemented type so that the function mimics the behavior of the implementing

program.

An implcnentation of a type is correct if there exists a homoomorphism, from the

implementation algebra to to the implemented type. The association specification should be

such that there exists an implementation algebra with computable functions that corresponds

to the representation scheme characterized by the association specification. More specifically.

the implcmentation algebra should satisfy the following conditions:

(i) The principal domain of the algebra is the representing domain characteried by the

association specification.

(ii) There is a computable function in the algebra with the appropriate functionality

corresponding to every operation of the implemented type.

(iii) The implemented data type is a homomorphic image of the implcmentation algebra

with respect to the abstraction function.

We do not intend to formally characterize the properties that the association specification

ought to satisfy so that it meets the above requirement. Rather. we trust the intuition of the

user, and assume that there exists an implementation that is consistent with the association

specification furnished by him. If the association specification provided as an input to the

synthesis procedure is such that there is no implementation corresponding to it. then the

synthesis procedure will, in general, never terminate. The synthesis method, however, does

not produce an incorrect implementation in such a case.

-50-

3.3 Restrictions on the Inputs

The method used by the synthesis procedure to derive an implementation is based

on treating every equation in the specifications as a rewrite rule. The procedure combines all

thc input specifications. and treats the union as a set of rewrite rules called the Initial World

The restrictions imposed on the inputs are intendcd to ensure that the Initial World satisfies a

useful propcrt) called the principle of definition.

The first subsection informally introduces the basic concepts about rewrite rules.

(See Appendix I for formal definitions.) The second subsection defines principle of

definition, and develops a sufficient set of conditio, s for principle of definition (SCPD). ibe

input is expected to satisfy SCPD. The third subsection describes how to prove properties

from a specification that satisfies SCPD.

3.3.1 Rewrite Rules and Rewriting Systems

A rewrite rule is an ordered pair (left, right), written left - right, where left and

right are expressions containing variables go that the variables in right are among the

variables in left. A rule is used to reduce an expression by replacing any subexpression that is

matched by left with a corresponding version of right, i.e.. with the same substitutions for

variables that were made in matching left. (More precise definitions are given in Appendix 1.)

For example, consider the rule

Appeti(q, En- eue(q, 1z)) - Enqueue(Append(q 3 , q,), 12)' and the expression

a = Dequeuc(Appeuid(q, Enqueue(Nullq, 0))). a is reducible using the rule because it has a

subexpression a ' - Append(q, Enqueue(Nullq. 0)) that has the form of the left hand side of

the rule: That is. Append(q,, Enqueue(q 2, 11)) becomes identical to

AppeA(q, EaqWeue(Nulk, 0)) when the variables in the former are substituted according to

the substitution o = (q, - q3. q, '-. NuIIq, iz - 01. The corresponding instance of the right

hand side of the rule (obtained by substituting the variables in Enqueue(Append(q,, ) Y

using the substitution 0) is p' - Enqueve(Append(q, Nuflq), 0).

= Dequeue(Emqueve(Append(q, NuIk), 0)) is the expression obtained by replacing a' by

,' in a. Then. we say that a reduces bvp. written a

- 51 -

A rewriting system is a set of rewrite rules. Let R be a rewriting system. An

expression a is reducible by R if it is reducible by some rule in R. If a is not reducible by any

rule in R, then a is irreducible by R.

If a -, P by a rule in R, then we say that a directly reduces to/ using R. and once

again write it as a -/3 (using R). Let --.* be the smallest relation on pairs of expressions

which is the reflexive, transitive closu~e of -+. Thus, a -"/ if and only if there exist

expressions a0 a1, ... , a., where n > 0, such that a = a0 . ai --* ai+ for i = 0,..., n-1 and

a. = p. We read a - s *asa reduces to /.

Suppose a -- */1, and 8 is irreducible. Then we say that a simplifies to /; / is called

a normalform of'a (in R).

Rewriting systems are used to simplify expressions into their normal forms. Thus, a

useful property of a system is unifonn termination: R has the uniform termination property if

no infinite sequence of reductions, a. --4 a I -- .... is possible in R. When R has the uniform

termination property every expression is guaranteed to have a normal form. Another useful

property of a rewriting system is unique termination: I has the unique termination property if

any two terminating sequences of reductions starting from the same expression have identical

final expressions. When R has the unique termination property the normal form (if it exists)

of every expression is unique. A rewriting system that has both the uniform termination

property and the unique termination property is said to be convergent. When R is convergent

every expression a has exactly one normal form: we denote the unique normal form of a in a

convergent system by a4.

The rewriting systems corresponding to our input specifications are obtained by

simply replacing the symbol 'a by the symbol '-,' in each of the equations in the

specifications. For example. Fig. 11 gives the rewriting system corresponding to the

specification of Queue-lat in Fig. 7. Henceforth, we treat the input specifications as rewriting

systems obtained as explained above. When we refer to a specification, we actually mean the

rewriting system obtained from the specification.

- 52-

Fig. II. 1 he Queueclnt Rewriting System

(I) Front(Nullq) - ERROR

(2) IFrosl.(Enquctic(Nullq. e)) - e

(3) Frotit(Enqucuc(Enqueuc(q. e I). e2)) -- Front(V'nqueuc(q. el))

(4) I)equcuc(NulIq) - ERROR

(5) I)cqueuc(Fnqucue(Nullq, e)) -- Nullq(6) IkquttuEnqaitcu(Enqueuc(q. c 1). c2)) --+ Enqucue(l)queuc(Enqucuc(q. cl)), e2)

(10) %ppivnd(q. Nullq) --o q(II) .%ppcsd(q I. ilqueue(q2. c2)) -- Entiucui(Append(ql. q2), e2)'

(12) SitLlNullq) -, 0(13) Sin lVnquuctq. e)) -4 Sizec(q) + I

3.3.2 The Principle of Definition

The principle of definition is a property of a specification (or a group of

specifications). The property ensures the consistency of a specification. The property

reinforces the two-tier characteristic inherent in our specifications: It ensures that the

generators are spccified among themselves, and the nongenerators are specified as total

functions in terms of the generators. Finally. the property is useful in mechanically proving

properties of data types from their specifications. The property is similar to a property with

the same name defined in 122). Our definition is more general than the one in 1221.

Definition The Principle of Definition

A specification (or a group of specifications) S has the principle of definition property if every

constant t has exactly one normal form (in S), and the norma' form is a generator constant of

the appropriate type.

There will be situations in our development when it is necessary to use a restricted

version of the principle of definition. The notion is restricted in the sense that the principle

of definition need hold good only for a subset of terms. The restricted property is useful in

stating that every nongenerator defined by a system be defined as a total function on a subset

-53-

of the value set of a type. We give a definition the property below.

Definition Principle of Definition With Respect T

Let T be a set of generator constants not necessarily including all possible constants. A

system S satisfies the principle of definition with respect to T if the following condition holds:

Every constant of the form F(g1,..... g.), where F is a nongenerator fniction symbol and

g1, ... g are generator constants in T, has a unique normal form (in S) that is a generator

constant in T.

The principle of definition has two parts to it: It requires every constant to have a

unique normal form in S, and the normal form to be a generator constant. SCPD has to be

formulated so as to ensure the two parts. The first part can be ensured by requiring S to be

convergent (i.e., to satisfy the unilbrmi termination property and the unique termination

property). The second part is ensured by requiring S to be well-spanned. We define what it

means for S to be well-spanned below, and then show how the two properties ensure the

principle of definition of S.

Consider the rewriting system shown in Fig. 11. The system has three rules (1, 2,

and 3) in which the expression on the left hand side has Front as its outermost symbol. The

set. (Nullq, Enqueue(Nullq, e), Enqueue(Enqueue(q, el), e2)1, of generator expressions that

appear as arguments to Front on the left hand side in the rules spans the entire set of

generator constants of Queuejlnt; in other words, every generator constant of type

Queuejlnt is an instance of one of the expressions in the above set. When a rewriting system

has enough rules corresponding to a nongenerator function f so that the set of generator

expressions appearing as arguments to f spans the set of all generator constants, we say that f

is well-spanned by the rewriting system. We say that a rewriting system is well-spanned if

every nongenerator function symbol of the system is well-spanned. We formalize this notion

below.

In general, since f can be multi-ary, the arguments to f art: k-tuples of expressions of

appropriate types, where k is the arity off. In the following formalization, we first define the

notion of a set of k-tuple of generator expressions being well-spanned, informally, a set of

- 54-

k-tuples of generator expressions is well-spanned if it spans the set of all k-tuplcs of generator

constants of appropriate types. The property of a function being well-spanned is defined in

terms of the notion of a well-spanned set of k-tuple of generator expressions. In the

following, we assume that the k-tuples are homogeneous with regard to the types of their

components. The extension to the heterogeneous case is simple.

Definition A set A = {A 1 ..... A } of k-tuples of generator expressions A, = <ell,. e > is

ivell-spanned if the following condition holds: For every k-tuple, (t..., tk>. of generator

constants there exist n, 1 < n < p, and a substitution o, such that for every j, 1 < j <_ k, we

have t. = a(e.)..

Definition A nongenerator function f is well-spanned by a rewriting system R if there is in R a

set of rewrite rules whose left hand sides are of the form f(e,, ,... , ei). 1 < i < p, and the set

{ <e,,,. ..,eik> I I < i < p I is complete.

Definition A rewriting system R is well-spanned if every nongenerator function symbol in R is

well-spanned.

Definition A specification S satisfies the sufficient condition for the principle of definition

(SCPD) ifS satisfies the following conditions:

(i) S is convergent

(ii) S is well-spanned.

Lemma IfS satisfies SCPD then S satisfies the principle of definition.

Proof Condition (i) guarantees that every constant has exactly one normal form. Condition

(ii) implies that every constant of the form t(g1,"', g), where f is a nongenerator and

gt..., k are generator constants is reducible. Since S satisfies uniform termination

property, this means that no constant with a nongenerator can be a normal form. Hence the

normal form of every constant is a generator constant.

Q.ED

- 55 -

3.3.3 Checking the Principle or Definition

The main reason for formulating SCPD is so that we might he able to develop

effective methods of checking if a specification satisfies the principle of definition. This

section sheds some light on this topic.

To check if a specification is well-spanned, we have to check if the set of expressions

(or k-tuples of expressions) that appear as arguments to each of the implementing functions is

complete. Huet in 122] has demonstrated that it is possible to come up with an effective set of

conditions that is sufficient to check if a set of expressions is complete.

Checking the convergence of a set of rules. which forms the remaining condition of

SCPD. has been investigated in [28, 22]. The result in the cited works, which is due to Knuth

and Bendix, provides an algorithm (hence'brth referred to as the K B-algorithm) to check the

convergence of a finite set of rewrite rules that satisfies the uniform terlination property.

Thus, if we can independently ensure the uniform termination property of a specification,

then we can use the KB-algorithm to show the unique termination property of the

specification.

3.3.3.1 Checking Unique Termination

Let R be a finite set of rewrite rules that has the uniform termination property. The

following theorem is the basis for the KB-algorithm for checking the unique termination

property. The theorem depends upon the concept of unification of expressions. We will first

define this concept.

Two expressions a and f with disjoint variable sets are said to be unifiable if there

exists a substitution 9 such that O(a) = 0(8). 13 The most general unifier of two unifiable

expressions a and I is the unifier 9. such that for any unifier a of a and / there exists a

substitution p such that a is the composition of p and 0. The unification algorithm of

Robinson 144) can be used to determine a most general unifier of two given expressions or

13. The symbol = stands for two expressions being identically equal.

- 56-

decide that they are not unifiable. In the discussion to follow we assume that the candidates

for unification have variables renamed if necessary to obtain disjoint variable sets.

Let "- and I- be two rules of R so that "y, is unifiable with a nonvariable

subexpression of More precisely, there exists an occurrence u in -y, such that a = -ylu is

not a variable, and a is unifiable with -y. Let 0 be the most general unifier of a and yr

Then, we say that 0(y ) is a superposition of ,y on 7 2 " (If/P is either a superposition of -Y on Y2

or a superposition of Y2 on -y,, then we say that /1 is a superposition between -y, and Y2 -) To

each superposition there corresponds a critical pair <aV. a > of expressions defined as follows.

a, and a2 are the expressions obtained by applying to 0(-Y) the above two rules, respectively.

More precisely,

= (Y2)u .- 8(8,)]

a2 = 0(82)For example, consider the following rules

Append(ql, Enqueue(q2, 12)) -. Enqueue(Append(ql, q2), i2)

Append(Append(q3, q4), q5)) -. Append(q3, Append(q4, q5))

Y, is unifiable with the entire expression -t, by the most general unifier 0 = [Append(q3, q4)

for q1, Enqueue(q2, i2) for q5]. yielding the zuperposition a and the critical pair <a, a>

shown below:

a = Append(Append(q3, q4), Enqueue(q2, 12))

a1 = Enqueue(Append(Append(q3, q4), q2), 12)

a2 - Append(q3, Append(q4, Enqueue(qZ, 12)))

Theorem I The KB-Theorem

If R has the finite termination property, then it has the unique termination property if and

only if every critical pair <al. a > of R has the property that a and az have identical normal

form.

Proof For a proof see [28, 22].

If a finite rewriting system has nc. superpositions, and therefore, no critical pairs, it is said to

- 57 -

be superposition-free. Thus, we trivially have:

Corollary If a finite rewriting system has the uniform termination property, and is

superposition-free, then it has the unique termination property.

For example, the rewriting system in Fig. 11 corresponding to Queue-Int is

superposition-free. In the next subsection we show that it satisfies the uniform termination

property. So the rewriting system is convergent.

3.3.3.2 Checking Finite Termination

A general technique for checking termination of a rewriting system R is to

demonstrate that it is possible to define a well-founded partial ordering >- on the set of all

constants (that can be constructed using the function symbols in 11) so that t1 -. t2 implies

ti >- tZ. A partial ordering is well-founded if there are no infinite descending sequences such

as t i >.- t2 >-... for any constants. Hence, there cannot be any infinite sequence of rewrites

using R also. Appendix II goes into this topic in greater detail. It describes a theorem that

provides a useful guideline to define a suitable partial ordering to check the uniform

termination property of a rewriting system.

We assume that a well-founded partial ordering >- on expressions is available as an

input to the synthesis procedure. The ordering >- is used by the synthesis procedure not only

to ensure the uniform termination property of inputs, but also to ensure that the output

synthesized terminates. The orderings used in our examples belong to a class of orderings,

called the lexicographic recursive path ordering (26, 101. A formal definition of the ordering is

given in Appendix 11.

3.4 Proving Properties of a Data Type

The properties of a data type we are interested in are always expressed as equations

of the form e = e2, where e, and e are expressions, and s denotes the observable

equivalence relation (see sec. 3.1.2). For instance, the property

Append(Append(q%, q2), q3) =_ Append(q, Append(q2, q)) asserts that for every instantiation of

- 58 -

the variables by values the expressions on the two sides of the equation yield observably

equivalent values. Our objective is to prove a property as a theorem from a specification of

the type. This is crucial to our work because synthesis of implementations involves searching

for appropriate theorems of the input specifications. In the following, we describe how to

mechanically prove theorems from a specification that satisfies the principle of definition.

Definition A Theorem of a Specification

Let S be a specification (or a group of specifications). Let a be a substitution that maps

variables to generator constan. An equation e = e2 is a theorem of S if for every a the

constants a(e1) and u(e2) have identical nornal forms.

Note that.the above definition of a theorem gurantees that if e = e2 is a theorem of S thene1

and e2 always yield observably equivalent values. This is because the principle of definition

ensures that for every instantiation of the variables (in e, and e,) by generator constants the

two expressions simplify to the same generator constant. This provides a basis for developing

a method for mechanically proving properties of data types from specifications.

Note that the reverse of the above implication is not true. This is because we

require that the input specifications be only consistent (via the principle of definition), but

not complete [251. A specification S of a data type D is complete if every equation el = e2

such that e, and e are observably equivalent for D is a theorem of S. The synthesis

procedure would be more productive if the input specifications are complete. This is because

it is possible to prove more properties from a complete specification, and hence the synthesis

procedure might be able to derive a larger class of implementations.

There are several ways in which the above result can be used to deduce that an

equation is a theorem of a specification. The methods differ in the reasoning or logic used for

the deduction. In our development we deal with two kinds of logic: the equational logic, and

the inductive logic.

Equational Logic

In the equational logic el -- e, is deduced to be a theorem of S by checking if and

e have the same normal form in S. Note that ifei4 = e 4, then it is obvious that e, and e,

have identical normal forms for every substitution of the variables by generator constants. (e4,

denotes the normal form of e.) An equation deduced to be a theorem of S in this fashion is

said to be a theorem in the equational theory of S. When S satisfies the principle of

definition every expression is guaranteed to have a unique normal form. Therefore, it is

possible to develop a general procedure to decide the entire equational theory of S. As an

illustration, we give a proof of

Append(Appenl(q1 , q), Nullq) - Append(q, Arpend(q, Nullq)) using the specification of

Queuecint shown in Fig. 11.

Fquation to be proved: Appcnd(Append(q, q1), Nullq) = Append(q. Append(q , Nullq))

Normal foirm of left hand side: Normal form of right hand side:

Append(Append(q%, q)' Nullq) Appetd(q, Append(q,. Nullq))

Rule (10) Rule(10)

Append(ql, q1) Append(q, q2)

Inductive Logic

A property 0 is deduced to be a theorem in the inductive logic by using, besides the

reduces relation -*, some form of mathematical, induction. A property that is deduced

using the inductive logic is called a theorem in the inductive logic. The set of all properties

that can be deduced from a specification using the inductive logic is called the inductive

theory of the specification.

The induction used is carried over the set of all generator constants using one or

more of the variables in 4D as parameters for the induction. The induction is based on any

well-founded partial ordering on the set of generator constants. Suppose G is the set of all

generator constants, and >.- is a well-founded partial ordering on G. Suppose we are using

the variable v of O(v) as the parameter of induction. Then the induction rule may be stated as

follows:

Induction rule

-60-

If for every t E G we can show that, for every t E G such that t >- t' 44v/t'J Of*v/t], then

4O(v) is theoremn.

To apply the induction rule, we have to define a partial ordering >- on G. Since G

can, in general, be infinite the definition of >- is usually recursive. 'hc step of showing

44lv/t'] =* 4k4v/tJ. for every t >.- it', is fragmented into several cases. Each of these cases is

established using the relation --+ as was done in the equational logic. Fig. 12 gives an

example of an inductive proof. It proves the property

Appcnd(Appcnd(ql, q), q3) =-Append(%,, Appcnd(qr, q3) from the specificattion of Qucuejont

given in Fig.11. The proof uses an ordering generated by the following relation on the

generator expressions of Queuc-Int: Enqueue(q, I)>- Nullq, and Enqucue(q, I) >- q. The

proof uses the variable q, as the parameter of induction.

It is not possible to develop a general procedure to decide the entire inductive

Fig. 12. Proof by Inductive Logic

I'heorcmn to bc proved: Append(Appcnd(q1.%1). %~) -=Append(%1, Appcnd(q1. q 3))

Basis: q3-" NullqTo prove: Append(Append(ql. q2), Nullq) =-Appcnd(q,, Appcnd(q1. Nulla))

Proof is demonstrated above.

Induction: q3 "- Enqucue(q, si)Hypothesis: Appcnd(Appcnd(q,. q 2), q) - Append(%1. Appcnd(q1. 0)To provc: Appcnd(Append(q1.Q), Fnqucuc(q, Q)) Append(q,. Appcnd(q 2, Enqueuc(q. 1)))

Normal form of left hand side: Normal form of right hand side:

Appcnd(Append(q,. %2), Enqueue(q, I)) Append(%3. Append(q,, Enqucuc(q. i)))

Rule(11) Ruk.(]1 )

Eaqucue(App4 d(Append(q,,% q2 ), 9.I Append(qi, Emq u(ppend(q%, a), )

Hyp. Rule(I 1)

Enqueue(Append(q 1, Appcead(q, qa)), I) EnqueueAppend(q1, Append(qr 'A I

theory of S. This is because the inductive hypotheses necessary for the proof cannot be

generated automatically in all situations. However, when S satisfies the principle of

definition a significant number of interesting properties in the inductive theory can be proved

automatically. The automatic method, first developed by Musser 138, 221, is based on the

Knuth-Bendix algorithm (see sec 3.3.3.1) for checking convergence of a rewriting system. We

use this method for synthesizing implementations whose proofs of correctness need

induction. We will explain the method -in chapter 4 while describing synthesis in the

inductive theory.

- 62 -

4. Stage I: The Preliminary Implementation

This chapter discusses the preliminary implementation of a data type, and develops

a method to derive it from the inputs to the synthesis procedure. A distinguishing

characteristic of the method outlined is that it is based on a method for proving the

correctness of a preliminary implementation. The chapter is organized into the following

sections. The first section defines precisely what constitutes a preliminary implementation.

The second section gives a mathematical formulation of the problem involved in the

derivation of a preliminary implementation for a data type from the given inputs. For

convenience, the problem is formulated, and solved here for a situation where the

representing domain is identical to the representation value set. In the next chapter, we

extend the derivation problem to the more general situation where the representing domain is

a subset of the representation value set. The last section describes a procedure to derive tie

preliminary implementation from the input specifications.

4.1 A Preliminary Implementation

A preliminary implementation of a data type is an implementation for the

implemented type in a rewrite rule language. The preliminary implementation uses a

representation scheme that is consistent with the one characterized by the association

specification supplied by the user. It consists of two parts: The Representation part, and the

Definitions part.

The Representation part gives the representation type used for the implementation

of the implemented type. We call the values of the representation type the representation

values, and the set of representation values the representation value set. Only a subset of the

representation value set need be used to represent the values of the implemented type. This

subset is called the representing domain, and is characterized by the association specification.

The Definitions part contains definitions for a set of new functions on the

representation values. We call the new functions the implementing fuinctions. There is an

implementing function corresponding to every operation of the implemented type; the

former implements the latter. The definition of an implementing function that implements

- 63-

an operation is called the preliminary nplementation of that operation. An implementing

function is not necessarily a total function on the representation value seL However. it has to

be defined on every value of the representing domain. We use the following convention

throughout the development to help associate an implementing function with the operation

of the implemented type it implements: The identifier that denotes an implementing function

is the capitalized version of the identifier that denotes the corresponding abstract operation.

For instance. NULLQ is the implemcnting function of the operation Nullq.

The Definiions part consists of a set of rewrite rules of the form e-, e . The

rewrite rules in the Definitions part defining an implementing function U are the ones that

have F as the outermost symbol on their left hand side. e, and e2 are expressions that may

contain the implementing functions, the operations of the implementing types, and

if-then.elsc with the following constraints:

(1) The only operations of the representation type that may appear in e, and e, are the

generators of the type.

(2) e, and e, may not contain any auxiliary (or helping) functions other than

if-lbenelse.

There are two reasons for constraining the preliminary implementation. Firstly, we

would like to constrain the structure of the preliminary implementation so that the synthesis

procedure has to perform less work in searching for the desired solution. Secondly, we want

to keep the language as simple as possible so that the principle behind the synthesis method is

brought out more clearly in our description.

The first constraint is imposed to keep the preliminary implementation derivation

problem simple. This constraint permits us to ignore several axioms in the specifications of

the implementing types during verification as well as synthesis of a preliminary

implementation. In particular, the only axioms in the specification of the representation type

that we need to consider are the ones that involve only the generators of the type involved in

the specification. This is because only the generators of the representation type may appear

in the preliminary implementation. To this extent this constraint simplifies the synthesis

method. An implementation that also uses the rest of the operations is derived in the next

•n r 4,-.*-

-64-

stage of the synthesis as a transformation of the preliminary implementation.

The second constraint, in general. restricts the logical power, i.e., the ability to

define any computable function on the representation type, of the preliminary

implementation language because the constraint prohibits the use of any helping (or

auxiliary) functions (except ir-then-clse) in a preliminary implementation. Our synthesis

method cannot automatically discover the helping functions that might be necessary in the

preliminary implementation. We use two approaches to get around this problem; both the

approaches amount to relaxing the second corstraint. They are explained here briefly, but

are illustrated more clearly when we later consider examples involving them.

The first approach consists of seeking help from the user. We require the user to

furnish a specification of the helping function needed in the preliminary implementation.

We thcn relax the second constraint to pemit the use of the helping function in the

preliminary implementation.

The second approach consists of introducing a new construct into the preliminary

implementation language. The construct, which is used primarily in conjunction with a tuple

type. helps eliminate the need for helping functions while defining several functions on tuple

types. The motivation for paying special attention to tuple type is because a tuple type is a

commonly used representation type. The construct provides a way of accessing the

components of a tuple being returned by an expression of tuple type without explicitly using

the operations that select the components of a tuple. This construct may be used in

expressions that appear on the right hand side of an equation of a prelim.nary

implementation. The construct is expressed by means of an expression with the following

syntax:

el where 09 ... , vR> is e22

In the above, V, .... v are variables; eU is an expression of n-tuple type- e, is an expression

that may contain the variables vi .... , v. The construct binds, in order, vt, ... , v. to the

components returned by ezz. The scope of the binding is limited to the expression e,. For

example, consider the expression

<Assign(vI, e, JI), il, JI + I) where vl, i, jl) is DEQUEUE((v, , J>). Assuming

DEQUEUE is a function from Triple to Triple, the variables vV IV, and J, in the above

-65 -

expression are bound to the components of the triple returned by DEQUEUE((v, i, J).

4.2 The Preliminary Imlementation Derivation Problem

Our intention is to study the problem of synthesis within the data type verification

framework. So we formulate the problem of deriving a preliminary implcmentation as

roughly the inverse of the problem of proving the correctness of the preliminary

implementation.

First, we develop the criterion of correctness of a preliminary implementation.

Then, we formulate the problem of verifying if a preliminary implementation meets the

correctness criterion. We define the derivation problem after that. For convenience, the

verification problem and the derivation problem are formulated here for a situation in which

the representing domain is identical to the representation value seL This situation

corresponds to the case where the abstraction function is total, and the invariant part of the

association specification is vacuous. We discuss the derivation problem for a situation where

the representing domain is a subset of the representation value later. It should be noted that

the formulation of the correctness criterion given below applies to both situations.

4.2.1 The Criterion of Correctness

Informally, for a preliminary implementation to be correct, the implementing

functions it defines should collectively exhibit a behavior that is consistent with the

observable behavior characterized by the specification of the implemented type. Also, the

preliminary implementation should use a representation scheme that meets the requirements

of the association specification given as input. Let us formalize this intuitive notion.

The formal object that a preliminary implementation is denoting can be considered

to be a heterogeneous algebra, called the implementation algebra, with the following

components:

(i) A principal domain that is a subset of the representation value set. The principal

domain is defined as the set of all values of the representation type that are"reachable" through the implementing functions corresponding to the constructors

-66-

of the implemented type. In other words, the principal domain is the set of

representation values generated by the closure under functional composition of the

implementing functions corresponding to the constructors of the implemented type.

(ii) A domain corresponding to every defining type of the implemented type. We

assume that this domain is identical to the value set of the corresponding defining

type.

(iii) a function corresponding to every implementing function defined by the preliminary

implementation.

A preliminary implementation is correct if the implementation algebra it denotes is

a model of the implemented data type in a manner constrained by the association

specification. This means that there exists a homomorphism from the implementation

algebra to the the implemented type that behaves as an identity function on the values of the

defining types, and exactly like the abstraction function characterized by the association

specification on the values of the representation type.

Let %R denote the representing domain, and .4 denote the abstraction function

specified by the association specification. Let 3G be a function defined as below.

D: Implemented Type, : Representing Domain, DV ... D,:The defining types of D

J:tUDU...UD.-> DUD 1U...UD0

,.A: -> D

:G(r) = .A(r) if r E

r otherwise

A preliminary implementation of a data type is correct with respect to the association

specification A , if the following two conditions hold.

(1) Totality Property:Every implementing function is total over %.

(2) Homomorphism Property. The operation f of the implemented type and the

implementing function F are related by the property:

(V r E %)[3G(F(..., r,.-)) = f(..., :3G(r),..)]

-67.

The correctness criterion formulated above is different from the formulation found

in the literature on data type verification 125, 14, 18] which is not formulated with respect to a

given homomorphism X. According to the conventional formulation a preliminary

implementation is correct if there exists a function X4 from the representation value set to the

value set of the implemented type so that: For all r E the principal domain,

%(F(..., r,...)) = f(.... 3G(r) ,...). Thus, according to this criterion the implementing functions

are not required to be total with respect to 61. Note that the principal domain can be a subset

of %L. What distinguishes our formulation is the requirement that F be total over %, and also

satisfy the homomorphism property over 9.

Our formulation is more useful in the context of synthesis. It enables us to

determine a principal domain of the implementation algebra (which, in turn, determines the

set of representation values on which every implementing function should be defined)

directly from the association specification. This reduces the interdependence of the synthesis

of preliminary implementation for the various operations of the type. This is because in other

formulations the principal domain has to be determined by computing the closure under

composition of the implementing functions of the constructors. Thus the domain of the

implementing function of each of the constructors is. in general, dependent on the behavior

of the implementing function of every other constructor.

The totality requirement is also more interesting in the context of synthesis. In the

synthesis process the association specification initiates the derivation of an implementation by

defining the representation scheme to be used. The association specification is expected to

express the intention of the user regarding the representation scheme he wants the

implementation (to be derived) to use. So it is logical to assume that the user wants the entire

representing domain characterized by the association specification to be used for representing

the values of the implemented type.

-68 -

4.2.2 The Derivation Problem

The goal of the derivation problem is to derive a preliminary implementation from

the given inputs so that the preliminary implementation meets the correctness criterion. The

inputs consist of the specification of the implemented type, the specification of the

implementing types, and the homomorphism specification. The homomorphism specification

is a specification of the homomorphism 1G that the preliminary implementation ought to

obey. This specification is easily derived from the specification of the abstraction function A

(given as a part of the association specification). The Homomorphism Specification contains

two kinds of rewrite rules obtained as described below. The first set of rules specifies that 16

behaves exactly like the abstraction hinction on the representation values. The second set of

rules specifies that I, behaves as an identity function on the values of all the ancillary types.

More precisely,

(1) if.A(e,) = e2 belongs to the abstraction function specification

then JG(e 1) ce belongs to Homomorphism Specification

(2) if u is a generator of an ancillary type

then )G(a(v 1, ... , v)) - ((v 1), ..., %(v,)) belongs to Homomorphism Specification

Let us call the combination of all the input specifications the Input World(iW). The

restrictions on the inputs (see sec 2.3.1 of the previous chapter) ensure that the Input World

satisfies the principle of definition. The strategy behind the method used in deriving the

preliminary implementation is based on the principle of definition property.

Suppose IW is supplemented with a set of rewrite rules, called the X-rules, thatexpress the homomorphism property a preliminary implementation is expected to satisfy: Forevery pair of an operation f of the implemented type, and its implementing function F there

exists an X-rule of the form JG(F(v,, ... ,Xv,))- f((V),...,G(v*)). Let us call the

supplemented system the Perturbed World (PW). Let us suppose that the addition of the

X-rules does not destroy the uniform termination property of 1W. The reason we refer to the

supplemented system as the Perturbed World is because the addition of the X-rules destroys

the principle of definition property. PW does not satisfy the principle of definition because

the implementing functions that are newly introduced into the system are as yet undefined.

f

-69-

A constant involving the implementing function symbols does not simplify to a generator

constanL

Recall that the principle of definition is a formal expression of the requirement that

every nongencrator function in asystem be completely defined as a total finction. If we can

generate a set of rewrite rules that can restore the principle of definition property of PW, then

the new set of rules can be considered as a complete definition for the implementing

functions. Thus, preliminary implementation derivation is a problem of restoring the

principle of definition of a system that violates it.

More precisely, the problem involved in synthesizing a preliminary implementation

consists of deriving from the Perturbed World a set of rewrite rules, P1 (the acronym stands

for preliminary implementation), so that

(1) PI U IW satisfies the principle of definition, as well as

(2) PI U IPW satisfies the principle of definition.

In the following, we give a formal proof that the above conditions guarantee the correctness

of the preliminary implementation.

The Correctness Theorem

Let PI be a set of rewrite rules derived so that the above two conditions hold. Then. P!

satisfies the criterion of correctness of a preliminary implementation.

Proof The first condition asserts that P1 U 1W satisfies the principle of definition. This

implies that every nongenerator function in the system, which includes every implementing

function, is defined as a total function. Hence, P1 satisfies the Totality Property.

To show that P1 satisfies the Homomorphism Property, we have to show that every

equation of the form 3G(F(v,.,... , v ) -- f3(vn),..., G(v)) is a theorem of P1 U IW. The

argument to show that the second condition implies this is based on the following interesting

-~ .A

-"70-

result about any system that satisfies the principle of definition. The result. 14 which is proved

as Theorem 6 in Appendix Ill, enunciates a sufficient condition for an equation to be a

theorem of a system that satisfies the principle of definition. Suppose S is a system that

satisfies the principle of definition. and e, = e is an equation so that e, and e, have at least

one nongenerator function symbol in them. Then, e, = e2 is a theorem of S ifS U le, -+ e2

satisfies the principle of definition. i1e result is proved in the Lemma to follow.

Because of the second condition P! U PW satisfies the principle of definition. Since

PW is IW U X-rules, this implies that (P1 U IW) U X-rules satisfies the principle of

definition. Now, by the first condition P1 U IW satisfies the principle of definition. By

applying the above result, each of the %-rules (when treated as equations) is a theorem of

PI U IW. Note that the result can be applied because the :J,-rules have nongenerator

function symbols in them.

Q.E.D.

4.3 Derivation of a Preliminary Inplementation

In the previous section the problem of deriving a preliminary implementation was

formulated as deriving a set of rewrite rules, PI, so as to restore the principle of definition

property to the Perturbed World PW. This section develops a procedure to derive a

preliminary implementation. The procedure makes. two assumptions about its input: (1) The

initial World (1W) satisfies SCPD, a sufficient condition for the principle of definition, and

(2) a termination ordering >- on expressions is available to the procedure to ensure the

uniform termination property of rewriting systems.

The obvious strategy for the procedure is to derive the rules of the preliminary

implementation so that P1 U 1W and P1 U PW satisfy SCPD. But this limits the class of

14. [22. 381 contain results similar to the one proved in this lemma. 'he result here is differentbecause we have a different set of assumptions. The principle of definition property used in [221 ismore constrained than the one we have. The result in [381 assumes that S satisfies a completenessproperty called fully specifledness which is not assumed here. This is the reason for the requirementin the lemma that e, and e, should have at least one nongenerator function symbol in it.

-71-

implementations that can be derived by the procedure. So. we develop another set of

conditions, called the synthesis conditions, that is weaker than SCPD. PI is generaLed so that

it satisfies the synthesis conditions. It can be shown that when PI satisfies the synthesis

conditions, PI U IW and PI U PW satisfy the principle of definition. We first formulate the

synthesis conditions, and then develop a procedure to derive a set of rules that satisfies the

synthesis conditions.

4.3.1 The Synthesis Conditions

The synthesis conditions for, a set of rewrite rules PI are the following:

(1) Totality Condition:

(a) PI is well-spanned (for every implementing function) with every rule in it

being of the form F(g,...., g.) -. t,15 where F is an implementing

function symbol, and g,... , g. are generator expressions.

(b) PI satisfies the uriform termination property.

(2) Uniqueness Condition: PI has the unique termination property.

(3) flomomorphism Condition: For every rule F(g 1 ... ,%g)--t in Pi,

3G(F(g,... ,gn)) =:J(t) is a theorem of PW.

The following Synthesis Theorem shows that when PI satisfies the synthesis conditions,

PI U IW and PI U PW satisfy the principle of definition, and hence, by the Correctness

Theorem, PI is correct. An informal motivation for the conditions can be given as follows.

The Totality Condition ensures that every implementing function is defined on all the values

of the representation type, and it terminates on each of them. The Uniqueness Condition

ensures that every implementing function is well-defined, in the sense that it yields a unique

value for every argument value. The Homomorphism Condition ensures that the preliminary

15. Note that the syntactic constraint on a preliminary implementation requires that t may containneither the function symbol X, nor any of the operations of the implemented type.

-72 -

implementation satisfies the Homomorphism Property.

The Synthesis Theorem

If P1 satisfies the synthesis conditions, then PI U IW and Pi U PW satisfy the principle of

definition, and hence P! is a correct preliminary implementation.

Proof It is easy to see that PI U lW satisfies the principle of definition because the Totality

Condition and the Uniqueness Condition imply that preliminary implementation satisfies

SCPD, and IW satisfies SCPD by our assumption about the inputs.

Let NW denote PI U PW, for convenience. We apply Theorem 8 (Appendix Ill) to

show that NW satisfies the principle of definition. According to that theorem, a rewriting

system S satisfies die principle of definition if

(a) S is well-spanned.

(b) S has the uniform termination property

(c) Every critical pair <a1 , a? of S is such that a, - a2 is a theorem of S.

We show that NW satisfies all three premises of the above theorem. NW is well-spanned.

This is because 1W is well-spanned by our assumption, and Pt is we.i-spanned by Totality

Condition (a). The only nongenerator function symbols of NW are the ones in 1W and PI.

By Totality Condition (b) P1 has the uniform termination property, so NW has the uniform

termination property also. The following lemma shows that NW satisfies premise (c).

Q.E.D.

Lemma Every critical pair <eV e> of NW is such that el a e2 is a theorem of NW.

Proof Note that PW is convergent. This is because 1W is convergent by assumption, and the

%-rules added to 1W do not give rise to any new critical pairs.

NW is constructed from PW by adding PI to the former. Therefore, any new

critical pairs of NW would be generated as a result of a superposition of the rules of P1 on the

rules of NW. Because of Totality Condition (a) on the form of the rules in P! the only rules

-73-

on which the rules of PI can have a superposition are the following:

(I) The rules of P1 themselves, or

(II) the rules of the implementing types,

(11l) the 3G-rulcs.

Every critical pair <e1,e> determined by a superposition on the rules in

category (1), and (II) is such that e,4 is identical to e 2 . This is because, by the Uniqueness

Condition, PI satisfies the unique termination property. Hence, e, = e2 is a thcorem of NW.

Every critical pair determined by a superposition of the rules in category (111) is of

the form CIG(F(g t ... ,g)),G(t)>, where F(g1,...,g )--. t is a rule in PI. By the

Homomorphism Condition, G(F(g, ... , g.)) = IG(t) is a theorem of PW, and hence a

theorem of NW.

Q.E.D.

4.3.2 Derivation of the Rules of PI

The rewrite rules of PI are derived from the Perturbed World (PW). So the initial

task of the derivation procedure is to construct PW. PW is a rewriting system that includes

the Initial World (IW) and the X-rules. iW is constructed by combining the specification of

the implemented type, the specifications of the implementing types. and the Homomorphism

Specification. Without any loss of generality, we assume that there is no conflict among the

names of the various function symbols in the specifications. PW is formed by then adding a

rule of the form X(F(v, ..., v)) - f(()01)., ,(vQ)) for every implementing function F

to be defined. We assume that the termination ordering >- being used by the synthesis

procedure is such that 3G(F(v, ... , v)) >- f(:J(v 1).,..., J(v)), for every implementing

function. This ensures that PW retains the uniform termination property as desired by the

derivation problem. Note that this is not a restriction because the implementing function

symbols (in the 3G-rules) are fresh symbols being introduced into IW. Hence, an appropriate

ordering can always be found.

Although PW is defined to include the specification of every implementing type

,..

- 74 -

completely, it is not necessary to do so. Since the derivation method does not require the

specifications to be complete, one may include only parts of the specifications of the

implementing types. The advantage. of doing so is that the fewer rules in PW the more

efficient it is to derive the preliminary implementation. However, by not including certain

rewrite rules one might be excluding certain implementations.

Let us illustrate the construction of PW on an example. We consider the derivation

of an implementation for Qucuejunt with Circi-List as the representation type using the

association specification given in Fig. 9 in the previous chapter. Fig. 13 gives the rules of PW

for the example under consideration. The rules of the types Integer and Bool, which are also

among the implehienting types are omitted from the figure for convenience. The rules of the

Fig. 13. The Perturbed World

(1) Froiit(Nullq) --# ERROR(2) Front(Enqucuc(NuI~q, c)) -+e(3) Front(Eiqueu(Enqueue(q, el), e2)) -Front(Fnqueuceq. ci))

(4) Dcqueuc(Nullq) --+ ERROR(5) iDequcut(Enqiucue(Nullq, e)) --+ Nullq(6) lDcqucuc(Enqucu(Enqueuijq, cl), e2)) - Enquue(Dequcuo-Enqucuc(q, ei)), e2)

(10) Append(q. Nullq) --* q(11) Append(ql, Enqucucjqi, e2)) --. Enqueue(Append(ql, qi), e2)

(12) Empty(NuIlq) --* True(13) Ernpt) (Enqueuc(q, c)) --# False

(14) X(Creatc) --+ Nullq(15) :JG(lnsert(c, iQ) --+ ad&..aLhcad(3G(c), X(i))

(16) add-aLhead(Nullq. Q) --# Enqucue(Nullq,' Q)(17) add-at-.hcad(Eniqucuc(q. 1). ii) --# Enqueuc(add-at-hcad(q, if), I

(19) X(NULLQO) --# Nulq(20) 1(ENQUEUF~c, Q)) -4 Enqueue(JG(c, 3X(i))(21) X(DFEQUEUF~c)) --# DequcueMl(c)(22) 3(APPFNI)(cI. c2)) --4 Append(16(cl), 3G4c2))(23) (EMPTY(c)) --# Faipty(3G(c))

- 75 -

representation type CircList are omitted because they are not going to be used in the

derivation of the preliminary implementation. This situation arises because a preliminary

implementation is permitted to use only the generators of the representation type. So, the

only rules of the representation type needed in verification, and hence also in the derivation

of a preliminary implementation, are the ones that contain only the gencrators. Since

CircList does not have any rules of this kind. Circjist does not contribute any rules to IW.

Rules (1) through (13) in the figure are rules of QueuecInt; rules (14) through (17) are the

niles of Homomorphism Specification.

The next task is to derive the rewrite rules of PI from PW. Strictly speaking, P1

should be derived so that all the three synthesis conditions are satisfied. But, it is more

convenient to develop a procedure that derives the rewrite rules so that only the Totality

Condition and the Homomorphism Condition are met. lhe effect of ignoring the

Uniqueness Condition is not harmful in the sense that it can be fixed at a later stage by

post-processing the preliminary implementation. The Uniqueness Condition ensures that

every implementing function defined by I'1 returns a unique value on every representation

value. When the Uniqueness Condition is not satisfied, an implementing function F being

defined by PI may be nondeterministic: That is, F can be so that F(v) = v, and F(v) = v2.

but v : v , however, both the values v, and V2 will represent the same value of the

implemented type. The nondeterministic behavior, if any, in the preliminary implementation

will be eliminated by our synthesis procedure in the second stage while deriving a target

implementation. The semantics of the target implementation language is such that it is

impossible to define nondetenninistic functions.

The procedure derives the preliminary implementation for one operation at a time

by deriving a separate set of rewrite rules for every operation. The method used is the same

for every operation. The procedure first determines the left hand sides of all the rules of the

preliminary implementation. Then, it determines a suitable right hand side for each of the

rules from the already determined left hand side.

II

-76-

4.3.2.1 Determining the Left Iland Side

The Totality Condition is used to detennine die left hand side of the rules. The

Totality Condition has two parts: The first part requires PI to be well-spanned, and the

second part requires Pt to have the uniform termination property. Ibe second part is

ensured while deriving the right hand side, which will be discussed later. The first part is

used here.

The well-spannedness property (d-scribed formally in sec 2.3.1 of the previous

chapter) requires the left hand side expressions of the rules defining an implementing

function F to satisfy the following property: The set of generator expressions the appear as

arguments to F on the left hand side should span the set of all generator constants. More

precisely, suppose the preliminary implementation of F consists of the following set of rules:

(In the following the question mark identifiers are used as place holders for expressions to be

determined later.)

F(g) - ?t

.,..............o....

F() -. ,

Then. the set {gj,..., gj should be well-spanned (see sec 2.3.1), i.e., span the set of all

generator constants of the appropriate implementing type. For instance, as a concrete

example, any pair of rules that have the form given below constitute a well-spanned set of

rules for ENQUEUE

ENQUEUE(Create,J) -4 ?rhs2

ENQUEUE(Isert(c, i), J) --# ?rhs3

Note that the left hand side of each of the above rules consists of ENQUEUEapplied to arguments that are generator expressions. The set of arguments, i.e., sequences of

generator expressions, to ENQUEUE on the left hand side of the rules is

ArgsSet = {<Create, J%, <Insert(c, I), J>J. ArgiSet spans the set of all ordered pairs of

generator constants because every pair of generator constants (the first one of type CIrc_LKt

and the second of type Integer) is 2n instance of one of the arguments in ArgsSet.

It is easy to build a procedure that automatically generates a well-spanned ArgsSet.

- 77 -

once the generators of the representation type are identified. In fact a slight modification to

the procedure referred in sec 3.3.3 (which checks if an ArgsSet is complete) can be used to

generate a complete set of argument expressions. Thus, an appropriate set of left hand sides

for the rewrite rules to be derived can be determined automatically.

Fig. 14 gives a possible set of left hand side expressions for a preliminary

implementation for the example under consideration. Note that the right hand side of each

of the rules in the figure is denoted by a question mark identifier. So Fig. 14 can be

considered as a partial preliminary implementation of QueueInt.

4.3.2.2 Determining the Right Ilaind Side

The right hand side of each of the rules is determined using the already determined

left hand side so that the Homomorphism Condition and the second part of the Totality

Condition are met. This where the Perturbed World (PW) conies into the picture.

PW is used to derive a set of equations, called the synthesis equations, one equation

for every rule in the preliminary implementation. The right hand side of a rule is detcrmined

from the right hand side of the corresponding synthesis equation. The synthesis equation

Fig. 14. A Partial Preliminary Implementation

(I) NUIJ ) -. ?rhs,

(2) ENQUEUFACreate, j) -- ?rhs2(3) ENQUEUFAInsert(c, i). j) - ?rhs3

(4) FRONT(Create) - ?rhs4(5) FRONT(Insert(c. i)) -. ?rhs,

(6) iEQUFUFCreate) -# ?rhs,(7) DEQUEUE(insert(cli)) --# ?rhs

(8) APPEND(c. Create) - ?rhs(9) APPI.ND(c. Insert(d, Q) - ?hN

(10) S1ZFACreate) -- ?rhs,,(1) SI ZE(Insert(c. I)) --4i hs,

14J

-78 -

corresponding to a rewrite rule F(g) - At is an equation of the form 3((g ) =- Ct) that

satisfies the following conditions:

(1) X(F(g) -3G(?t) isa theorem of PW

(2) 3G(F(g 1) >- %(?tn). where >- is the termination ordering on expressions.

(3) ?t, contains the implementing function symbols and the permitted operations of the

implementing types.

it is easy to see the justification for the above 'conditions. The first condition

contributes towards ensuring the Homomorphism Condition. The second condition ensures

the unifomi termination property. The third condition is just a syntactic ,-onstraint that any

rule in a preliminary implementation ought to satisfy. The next section describes in detail a

procedure to derive the synthesis equations.

4.4 Deriving the Synthesis Equations

Every synthesis equation of the preliminary implementation is derived with the help

of two inference rules called the synthesis rules. The synthesis rules are designed for

generating theorems of PW that have the same left hand sides, but different right hand sides.

For deriving a synthesis equation, the synthesis rules are invoked repeatedly a finite number

of times to generate a series of theorems until the desired equation is generated. For instance,

the synthesis equation corresponding to the rule ENQUEUE(Insert(c, i), J) -+ ?rhs2 (in the

partially derived preliminary implementation given in Fig. 14) is derived by generating a

series of theorems that have 3(ENQUEUE(Insert(cI),J)) as their left hand side. The

generation continues until a theorem whose right hand side qualifies the theorem to be a

synthesis equation is encountered.

We investigate two ways in which the synthesis rules can be used for deriving a

synthesis equation. The first one derives synthesis equations that are in the equational theory

of PW. The second one derives equations that are in the inductive theory. The second

method is more general than the first one. A system that implements the synthesis procedure

would, therefore, use only the second method. We discuss them separately for pedagogic

- 79-

reasons. First. we formulate the synthesis rules. The subsequent subsections describe the use

of the synthesis niles in deriving the synthesis equations.

4.4.1 The Synthesis Rules

The idea used for generating an equation is to reverse the method of demonstrating

that the equation is a theorem of PW. The central notion used in the generation is

expansion. Expansion is the orposite of reduction. It is the act of applying a rewrite rule to

an expression from right to left.

4.4.1.1 Inrormal Explanation

The basis for the synthesis rules is the result given in the K1-Theorem (sec 3.3.3.1).

The theorem gives rise to the following principle for generating equations that are theorems

of a convergent system. Suppose e, is an expression that we wish to have as the left hand side

of the equation. Then, an expression ?e2 that may appear on the right hand side of any

equation that has e1 as its left hand side should be such that e -" ?e. One way of

ensuring that ?e2 simplifies to e,4 is to obtain ?e2 by applying to y the rewrite rules of the

system from p1 t_.o left a finite number of times. We call the mechanism of applying a rule

to an expression from right to left expand

We will give a formal definition of expand, and discuss its properties later. Here, we

will give an approximate description of what expand does so that we may develop a first

version of the synthesis rule. and illustrate them on the example. 16 Like reduce, performing

expand consists of several steps. Suppose we wish to expand

Add-at-head(Enqueue(G(c), JX()), )G(i)) using the rule

36(ENQUEUE(c,j)) -, Enqueue(xG(c), :G(j)). One way of doing this is to look for a

subexpression (inside the expression to be expanded) that has the form of the right hand side

16. We will generalize the definition of expand later. A, that point one of the synthesis rles needs torevised slightly as well. According to the definition given here, expansion is identical to uctransformation technique folding used by Darlington 17) for synthesis of recursive programs.

-80-

of the rule. Then replace the subexpression by the corresponding instance of the left hand

side of the rule. In the present case, the subexpression that appears as the first argument to

Add-at-head in the given expression matches the right hand side of the rule for the identity

substitution. The result of expanding the expression is then

Add-at-head(JG(ENQUEUE(c,j), G(i)). The result of expanding an expression e in the

occurrence u by a rule -y - 5 is denoted by expand e in u by y --+ 6. We use expand(c) to

denote any expression that is obtained by expanding e in some occurrence u by some rule

-y -- 8 in the rewriting system under consideration.

We are now in a position to give the synthesis rules. The first rule specifies how to )start the generation of a series of theorems; it generates a theorem from a given expression

without the need for any existing theorem.

Rule 1: e is an expression

The second rule specifies a way of generating a new theorem from an existing one using

expand.

Rule 2: e, = e2el = expand(e2)

To firiltarize the reader with the synthesis rules let us invoke each of the synthesis rules to

generate a couple of theorems that have X(ENQUEUE(Insert(c, i),j)) as their left hand. We

use the rewrite rules of PW given in Fig.pwl for expansion and reduction. The normal form

of X(ENQUEUE(Insert(ci),j)) is Enqueue(Add-aticad(H(c), G(i)), G{)), which is

obtained by using the rewrite rule (20) and then (15) for simplification. By invoking synthesis

rule (1) with e = 3G(ENQUEUE(insert(c, 1), j)), we generate the following theorem of PW:

JG(ENQUEUE(Insert(c, i), j) - Enqueue(Addat-head(%(c), 3G(l)), 3G(J))

Let us now invoke synthesis rule (2) on the above equation. Using the rewrite rule (17) to

expand the entire expression on the right hand side of the above theorem, we can generate

the following theorem of PW:

%G(ENQUEUE(insert(c, i), J) s Add-at-head(I(ENQUEUE(c, j)), X1())

-81 -

4.4.1.2 Formal Definition of Expand

Expansion is roughly the reverse of the process of reduction. The relation that

characterizes a single step of expansion is called expand. Expanding an expression using a

rule is close to applying the rule to the expression from right to left.

The motivation for introducing the mechanism of expansion is to solve a common

problem encountered during synthesis: 1his is to find an expression (a desired expression)

that simplifies to given expression (the starting expression). For instance, in the derivation

shown earlier, the starting expression was Enqueue(Add-at-head(JG(c), X(i)), N,(j)), and the

desired expression was 1(Insert(ENQUEUE(e, j), i)).

The definition of expand uses the concept of unification, and the most general

unifier (see Appendix 1). Let t be an expression, and -y -, 8 be a rule. We assume that t and

y have disjoint variable sets. If there are common variables then they have to be renamed

suitably. Let u be an occurrence in t such that /u is unifiable with 8; let 8 be the most

general unifier. Let t' be the expression t[u -- 0(,)]. Then, we say that t expands to t' by

y - 8 in u; we denote this relation by t -- t'. Notice that expanding t by Y --- 8 in u is not

equivalent to reducing t by 8 -- ,y in u. Expand checks if t/u is unifiable with 8. whereas

reduce checks if t/u has the form of S. Therefore, there are situations where an expression is

expandable by -y -- S, but not reducible by 8 --# -y.

The following question arises immediately: Why was expand not defined exactly as

applying a rule in the reverse direction ? The reason is that a rule y ---, 8 may be such that

varset(-y) D varset(8). Applying such a rule from right to left will result in an expression that

contains "new" variables, i.e.. variables that did not exist in the original expression. The use

of such variable dropping rule during reduction represents a situation where the reduction

step caused a "loss" of information: A new variable introduced in an expansion step might

have had in its place an arbitrary expression during the corresponding reduction step. Our

goal is to reconstruct, if possible, this lost information at a later stage in the expansion process.

During expansion, therefore, a variable in an expression has to be treated, in general, as

though an arbitrary expression might be in its place. Using the predicate unifiable to

determine if an expression is expandable enables us to do this.

A

- 82 -

For instance, consider the expansion of Append(q, Nullq) by the rule

Dequeue(Enqueue(Nullq, c)) -- Nullq. The resulting expression is

Append(q, Deqneue(Enqueue(Nullq, e))). The variable e is a new var'ible introduced because

of expansion. Every instance of the latter expression in which e is replaced by any other

expression reduces to the former expression. It might be possible to determine the expression

that has to take the place of e in future expansion steps.

It should be pointed out, however, that not all variables in an expression need be

given such a special treatment during expansion. The variables that appear in the starting

expression must appear as they are in the desired expression we are shooting for. Therefore,

while expanding an expression, it is necessary to distinguish between the variables in the

expression that were introduced by a rule (presumably during earlier steps of expansion) and

the ones that were transferred to tie expression from the starting expression. We classify the

variables involved in expansion into the following two kinds:

(1) The variables appearing in the rewrite rules; we continue to call these variable

(2) The variables appearing in the expressions on the left hand sides of the rewrite rules

in the partially generated preliminary implementation (Fig. 14). We call these

variables terminals. Henceforth, we denote terminals by identifiers that are in

italics.

The definition of an expression remains as before except that it may also contain

terminals in it. The definition of a substitution also remains as before; it is a function from

variables to expressions. Thus, when a substitution is extended to be applicable on an

expression, the terminals in the expression are not substituted for, as we desired.

In the wake of the formal definition of expand, and the preceding discussion about

the introduction of variables into expressions due to expansion, we should reconsider the

formulation of the synthesis rules. The first synthesis rule remains unchanged because it does

not use the relation expand. The second synthesis rule was formulated as below:

Rule 2: el a e2e, - expand(e)

- 83 -

This formulation is not general enough because it does not account for all the theorems that

can be derived from el c 2 in one expansion step. If' expand(c2) has variables in it. then

every instance of it can potentially be the right hand side of a theorem. H-ence. we

re-formulate the rule as follows:

e,~ 1 a - ris asubtitution

Rulee 2: c1 (expand(e,))

4.4.2 Derivation in the Equational Theory

As an illustration, let us derive a synthesis equation that is of the form

%(ENQUEUE(lfiSCrt(C, 1), j)) =- 3(?rhs3) in the partial preliminary implementation shown in

Fig. 14. The equation is derived by generating a series of theorems that have

3G(ENQUEUE(lnsert(c, i)j)) is their left hand side. The generation is begun by invoking

synthesis rule (1) on the left hand side expression. The rest of the theorems in the series are

generated by invoking synthesis rule (2) using the rewrite rules of IPW for expansion. The

rewrite rules for expansion arc chosen with the following ultimate go&t: Obtain a right hand

side that has the form %J(?rhs3) so that X(ENQU EU E(Insert(c, Q), j)) >- %(?rhs), and ?rhs3

contains only the permitted operations of the implementing types. In the illustration given

below, the generation of every theorem in the series is considered as a step. At each step, the

expression expanded, and the rewrite rule used for expansion are indicated.


(1) 36(ENQU FUE~c. j)) -. + Enqueue(KX(c), 360j))

(2) H;(Crcatc) --. Nullq

(4) Add..atheaid(Nullq. i) I nqueue(Nullq, i)

(5) Add-.a-heud(Fnqueuc(q. iQ, 1) --+ Enqucuc(Add-.a-head(q, j), 11

Form or the theorem to bc generated: X(ENQUEUF~lnsert(cj ),j)) * (?rhs3Normal form of C(ENQUEUFAInserI(c. i), j)): Enqueue(Add..acad(3G~c), i). 3C())Rule!r ssed for the normal form: (1), (3)

Step (1) Invoke Synthesis Rule (1) on 3G(EN'QUEUE(lnsert(c, i),j))3G(ENQUEUE(lnscrt(c, I), J)) M Enqueue(Add-at-had(3G(c), i), 36(j))

-84-

Step (2) Expand E-xpression: Enqucue(Add-at-hcad(JG(c), i), %a~))Using Rule: (5)

16(ENQUFUF(Insert(c, i). j)) =-Add-at-head( Enqucu(J(c), %()) )

Step (3) Expand E-xpression: Fnquec(%(c), 3CGj))Using Rulc: (1)

1(ENQUEUE(lnsert(c, i, j)) -=Add..aLhead(3G(ENQUF(c, j)), Q~

Step (4) Expand Expression: Ad&..a~htad(%(ENQUEUE~c,j)W iIUsing Rulc: (3)

3G(FNQUEUFA~nscrt(c, i),j)) =- G(nsert(ENQUFUFjc.j). ij)

nhc theorem generated in step (4) qualifies to be a synthesis equation.Hence the desired rule of the preliminary implementation is:

ENQUEUIA1nsert(c. i). j) I nsert(ENQUEUE.(c,j), Q)

4.4.3 Derivation inl tile Inductive T heory

"A4l. The General Strategy

The method used for deriving a synthesis equation in the inductive theory is based

on the following property that every theorem of PW satisfies: If an equation is a theorem of

PW, then every instance of it is in the equational theory or PW. An instance of an equation

el e2 is an equ.-Aion obtained by' replacing, every variable in e1 and e, by generator

Constants.

We, therefore, take the following approach. Suppose the synthesis equation we

-85-

wish to derive is of the fonn 1G(F(e 11)) -- J,(?e,).17 We first derive an instance of the desired

equation: This is done by selecting an instance of the left hand side, say a(J(F(e11))), for

some substitution a of the terminals in en to generator constants. Then, an instance of the

equation u(1J(F(e 1))) -(,,)) is derived; the method of derivation for the equational

theory described earlier can be used for this purpose. The instance of the equation derived

should be such that a generalization of it JG(F(e,,)) - JG(e,2). which is obtained by replacing

assorted constants by suitable terminals in the instance, is a theorem of PW.

To check if the generalization is a th..orem of PW. we use an automatic procedure

called Is-an-inductive-theorem-of. This procedure is capable of deciding a significant number

of theorems in the inductive theory of a system. The procedure will be described in a

subsequent subsection. Another topic that will be deferred until later is determining a

suitable v. Any substitution that maps all the terminals in the left hand side of the synthesis

equation to arbitrary generator constants will serve our purpose. However. the derivation

would be more efficient if we instantiated as few terminals as possible. A later subsection will

discuss a method of determining a more judicious way of choosing a.

In the rest of this subsection, we formalize the notion of the generalization of an

equation, and then illustrate the general strategy by deriving a synthesis equation

corresponding to the rewrite rule APPEND(c, lnsert(di)) -# ?rhs9 in the partial preliminary

implementation of APPEND given in Fig. 14.

The Generalization of an FAuation

The generalization of an equation e, = e2 with respect to a substitution a is the set of

equations such that e, = e2 is an instance of using a. When the substitution with respect to

which the equation is being generalized is obvious from the context, we denote the

generalization by Genie, - e2]. Formally, every equation el I- e2 E Genie, - e ] is such that

o(e1) = e. and a(e 1) = e,. Note that if e, a e2 has a finite number of function symbols

Genie, e2J is always finite. For instance, suppose a is {d-- Create).

17. Recall that the left hand side of the synthesis equation is already known.

-86-

Then, Gen[IL(Append(c, lnsert(Create, 1))) M ({APPEND(ENQUEUE(c, t), Create))JlD

contains the following equations:

JG(Append(c, Inscrt(Crcate, i))) =- ((APPEND(ENQU EU E(c, t), Crcatc)fl))

3G(Append(c, lnsert(d, ))= 3G(APlEND(ENQUEUE(c, t), d)))

As an illustration let us derive an equation of the form

3G(ArPEND(c, Inscrt(di))) =- (?rhs 9 which gives rise to one of rules in the preliminary

implementation of Append. The derivation begins with the choice of the left hand side of the

instance of the equation to be derived: This has to be an instance of

J(;(APlPEND(c, Insert(di))). Let us suppose a is 16-4 Createl.

Relevant Rewrite Rules of tlic Perturbed World

(10) Append(q. Nullq) --+ q(14) %G(Create) - Nullq(20) JG(ENQUE(c, i)) --4 Fnqucuc(1G(c), :JG(i))))(22) flG4A PlPN )(c. d)) -* Appcnd(16(c), Xl(d))

Form of thc theorem to be generated: 3(APPENi)(c, lnscrt(Crcatc. r)) 1(?e)Normal form of:G(APlTINl)(c. lnscrt(Crcatc. J))): Fnqucue(M;(c). 1()Rules used for the normal form:

Step (l) Invoke Synthesis Rul (1) on Xl(APPEND(c, lnscrt(Creatc, i)

Step (2) Expand Expression: Enqucuc(1G(c), 3(i))Using Rule: (10)

3(APPENI)(c. lnsert(Create, t))) a Append(Friqueue(36(c), XSO)) Nul~q)

Step (3) Expand Expression: NullqUsing Rule: (14)

3G(APPEND(4, lnsefl(Create. #))) a Append(Enqueue(X(c), 3G(i)), %(Create))

-87-

Step (4) Expand Expression: Enqueue(%(c), %(t))Using Rule: (20)

X(AIPEND(c, insert(Create, t)))-- Append(X(P'NQUEU.c, 1)). J(Create))

Step (5) Expand Expression: Append(3G(FNQUEU F(c, i)), 3G(Creatc))

Using Rule: (22)

X(APPEND(c. Insert(Creae. i)) = X(APPF'NIXFNQUIE'UE(¢, t), Create))

Step (6) Generalize the theorern in step (5) by replacing the constant

Create by the variable d to obtain the following equation:IG(APPEFNi)(c, Insert(dji))) =- 3(APPI'NI)(ENQUFUE~c, t), d))

Apply Is-an-inductive theoren-of on the above equation.

This yields True confirming that the equation is a theorem.

Hence the desired nile (obtained by dropping 3G on both sides) is:APPEND(c, Insert(dji)) -+ AlPENIXENQUEUF~c, i), d)

4.4.3.2 The Predicate Is-an-inductive-theorem-of

Is-an-inductive-theorem-of is a procedure that is used for checking if an equation

el = e is a theorem of a convergent rewriting system S. The procedure is designed so that if

it yields true on e = er then e, = e2 is a theorem of S; if it yields false, then nothing can be

said about e1, e2. While deriving a synthesis equation in the inductive theory, the

procedure is used to check if a generalization of an equation is a theorem of PW. The

procedure is described here.

The procedure is based on a method of using the KB-algorithm (see sec.3.3.3.1) for

checking the convergence for proving inductive properties of a rewriting system. Suppose S

is a convergent rewriting system. To check ifel - e2 is a theorem of S, perform the following

steps:

- 88 -

(1) Form S, = S U le I e (or e2 -- e)1.

(2) Check if Si is convergent. The KB-algorithm of checking convergence (which

consists of checking if every critical pair <a,.az> of SI is such that a I a24) is

used for this.

If the result of step (2) is affirmative, then e = e1 is a theorem; otherwise nothing can be said

about it, in general. Let us assume that there exists a procedure, called

Can-be-made-convergent, that implements this method.

We will first briefly summarize the method, and then describe how

Is-an-inductive-theorem-of is built on top of it.

The result that provides a basis for the above method is proved in Theorem 7 in

Appendix Ill which gives a few useful results about convergent systems. The result is similar

to the one that was first developed by Musser [38], and that hag also been investigated in [22].

Our result is different because the cited works assume that S satisfies a notion of

completeness (similar to the princip'e of definition) besides convergence.

In the present situation PW, whose theorems we are interested in, is convergent but

does not satisfy the principle of definition. Because of this the above method is applicable

only when el (or e2) is such that for every instantiation of the variables by generator constants,

eI simplifies to a generator constant. The left hand side of every equation we wish to check is

of the form 3G(F(g,, g)), where F is an implementing function symbol, and g,', g.

are generator expressions. Note that ,(F(g 1,..., g,)) reduces to tX(g1 ... , g)) by the

)G-rule corresponding to F. The latter expression satisfies the desired condition since land 2G

are well-spanned 18 by PW.

There are several situations when the method described above is not applicable ffr

proving an equation e1 a e2. But there exists another equation e a e such that

18. Note that if a function f is well-spanned by PW, then every term of the form f(t1, ... , t), where

t1,..., are generator terms, .can be simplified ti a generator term using PW.

-89-

(1) e el can be proved using the above method,

(2) el e, is a theorem ife_ e is a theorem, and

(3) e e e, can be dcrived automatically from e, = e2.

In other words, e; -el is serving as a lemma for the theorem e1, ez" The

procedure Is-an-inductive-theorem-ot consists of transforming e = e2 to e; - e , and then

applying Can-be-made-convergent on el - eI . The transfomiation of e, -e 2 to e, - e2 is

performe'i by a function L, called the lemma deriving function. The lemma deriving function

used by Is-an-inductive-theorem-of is defined below:

The Lemma Deriving Function (L)

L is a function on cxpressions. L can be used to derive for a given equation el = e2 a lemma

that the proof of the former is dependent on. The two sides of the lemma are obtained by

applying L to e, and e 2

L: expression -> expression

Usage: L(a,)

Pre: a, is of the form IG(a,), where a2 does not contain the symbol X.

Returns: An expression P that is obtained by replacing in a,4 every subexpression of

the form XG(d), where dis any terminal, by a new terminal d.

We will now illustrate the procedure Is-an-inductive-theorem-of to check if the

equation X(APPEND(c, lnsert(di))) - (APPEND(ENQUEUE(c, t), d) is a theorem of

PW being used in our example. The equation was obtained in step (6) while deriving a

synthesis equation in the previous section.

Fquation to be checked: )G(APl'END(c, lnsert(di)) -- 3G(APPEND(ENQUEUF4c. t), a)).

Step (I) Derive Lemma by applying L:(a) Simplify both sides,(b) Replace X6(c) by q, G(d) by R. 3G(t) by I

-90-

3GC(APPENI~c, Insert(,t ))) IG(AI'I'IFNI)(ENQUFUF~c, i), d))I,.1Append(IG(c), Add-Ltheadd(J(), :G(1))) Apped(Enqueue(:(Glc). JG(t)), %(a))

Lemma to be checked: Append(q. Add-at-head(R. i)) Appeud(Fnqueut(q, i), R)

Step(2) Check if critical pairs are convergent:(a) Critical pair determined by Rnlc (16):

Append(q, add.athead(Nullq, j))

Append(Enqueue(q, j), Nullq) Append(q. Inqueue(Nullq, j))

Enqueuc(q. j) Fnqueue(q, j)

(b) Critical pair determincd by Rule (17):

Appcnd(q, add.at-hJad( Enqueue(r ,. j1). J))

Appcnd(q. Fnqueucadd-at-head(r, j). j,)) Append( Enqueue(. j), Enqueue-jr, ij))

Enque~clA.nd(Enqueuc(q, j). r1), j,) EnqucuelAppendlnqueut(q. j), r1), j)

4.4.3.3 An Instantiation ror the Synthesis Equation

Here, we describe a method of finding a substitution a that determines the left hand

side of the instance of the theorem we wish to generate. Note that the left hand side of the

theorem is already known to us which in the current example is 3(APPEND(c, Insert(4 ))).

a maps the terminals in the left hand side expression to suitable expressions. a should be

chosen so that the equation o(%(APPEND(c, Insert(d, )))) z e(J(?ez)) is in the equational

theory of PW. This implies that o should be such that (3G(APPEND(c, Insert(d, )))) and

o(3(?e,)) have the same normal form. Note that (e 2) is unavailable to us at the moment.

So, a has to be determined from the left hand side expression alone. Since the theorem

%(APPEND(c, Insert(d, #)) * 3;(?e2) is not necessarily in the equational theory of PW, an

arbitrary substitution that maps tc -minals to generator terms cannot be used.

The following fact about our proof method (for inductive properties) serves as the

-91 -

basis for the method of finding c. The basis step of the inductive proof can always be carried

out using the equational logic. So, we choose the a that corresponds to a basis step of the

proof of the lemma. The instantiation corresponding to the basis step can be determined

automatically starting from the left hand side of the theorem alone.

Finding such a a involves two stages because the proof of the theorem, as you may

recall, involves two stages: Converting the theorem to the lemma, and then proving the

lemma itself. We first determine a substitution w' that corresponds to a bsis step of the proof

of the lemma. a is determined from w using the method used by the lemma lelining

function L to convert the theorem to the lenia. We dcscribe the two steps below.

Step (I) Deternination of w

(a) Find the left hand side of the lemma.

This is obtained by applying L. the lemma defining function, to the left hand side of

the theorem. For our example: Left hand side of the theorem is

ll;(AI'PEND(c, Insert(d, t))). To obtain the left hand side of the lemma, we simplify

the expression, and replace every subexpression that has X at the root by a new

terminal: X(APIEND(c, Insert(d, i))) -* AppendtI(c), Add.at-head(CK(0), %(I)).

So the left nand side of the lemma is Append(q, Add-at-head(R, i)).

(b) Find a basis step in the proof of the lemma

For this. compute all the superpositions between the left hand sides of the rules of

PW and the left hand side of the lemma. Simplify the superpositions. A sufficient

condition for a superposition to correspond to a basis step is that its normal form is a

generator expression. The most general unifier that determines such a superposition

is a candidate o. The following table gives the result of performing the above steps

on the current example. The columns, in order, give the rewrite rule in PW

responsible for the superposition, the superposition, and the normal form of the

superposition. The first superposition in the list simplifies to a generator expression.

Therefore, , is the most general unifier corresponding to the first superposition.

which is {R t-, Nullq).

I

-92 -

Rule Superposilion (Superposition)4

(16) Appcnd(q. Add-at-head(Nullq, i)) Enq, cue(q, t)

(17) Append(q. Add-at-head( Enqueue(Append(q,

Enqueue(r,. ji), )) Add-at-head(r. , 1)), j)

Step (2) Determine a from w

w provides instantiations for the terminals in the left hanu side of the lemma. a instantiates

the terminals in tie left hand side of' the theorem. Our objective is to find a a so that when

the left h:?nd sides (of the lemma and the theorem) are instantiated by a and W, respectively,

they simplify to the same expression.

For instance, in the current example, the left hand side of the theorem is

e, = IG(API'ENI(c, Insert(d, i))), whose normal form is

e, = Append(JG(c), Add-at-head(I,(d), (i))). The left hand side of the lemma is

e., = Append(q, Add-at-head(R, i)). which was obtained by replacing 14(d) by r, and JG(c) by

q. ,w maps r to Nullq. and leaves the rest of the terminals unchanged. Therefore, a should

map d to an expression such that Nullq 3G(d) is a theorem in the equational theory of PW.

Therefore, the instantiation for d can be determined using the first two synthesis rules by

generating a theorem that has Nullq on the left hand side. and an expression of the form

%(?e) on the right hand side. The generation sequence is shown below. The first theorem is

obtained by invoking Synthesis Rule (1) for the expression Nullq. The second theorem is

obtained by using Synthesis Rule (2); rewrite rule (14) of PW is used for expand. The right

hand side, X(Create), of the theorem generated determines a as {dt-4 Createl.

Nuliq - Nullq

M 1(Create)

4.5 An Abstract Implementation of the Derivation Procedure

Below, we give an implementation for a procedure Generate-a-rule. The procedure

determines a suitable right hand side expression for a rewrite rule in a partial preliminary

implementation given the left hand side expression. The procedure also expects a Perturbed

World and a termination ordering as inputs. The procedure is implemented in a high level

AD-A12i 520 AUTOMATIC SYNTHESS aF IMPLEMENTA TIDNS FOR-ASTRACTC t

DTYA PES FROM ALGEM ,(U) MASSACHUSETTS N

CAMBRIDGE LAB FOR COMPUTER SCIENCE.- K NS S L

UNCLASS MIT/LCS/TR26 N00014-75-C-066i F/ /

.. E..E....

- -1.0I ii - , |2

1112 JllMBi ll ISO *2

MICROCOPY RESOLUTION TEST CHART

HAT ONAL. BUREAU OF SIANDARDS-I% -A

[N

-93 -

algorithmic language whose semantics is self-explanatory.

The implementation assumes that there exist two procedures

Is-an-inductive-theorem-of and A-suitable-instantiation-for-lhs. The latter finds a suitable

substitution that determines the instance of synthesis equation to be generated.

The procedure performs essentially the theorem generation illustrated before in a

systematic fashion. Roughly, it operates as follows. It finds the instance of the left hand side

of the synthesis equation by applying A-suitable-instantiation-for-lhs to 1(Ihs). It simplifies

this expression to its normal form. The nornial form is then expanded repeatedly using

appropriate rewrite rules of PW until a suitable right hand side is encountered.

The nontrivial aspect of the procedure concerns performing expansion in an

effective fashion. There are two problem areas. Firstly, expansion is not uniformly

terminating. That is, expansion is a potentially nonterminating activity. The procedure uses

the termination ordering >- to circumvent this problem. The right hand side has to be an

expression that is less than the given left hand side. But, expanding an expression always

gives rise to a bigger expression in the ordering >-. Thus, the procedure can be terminated

the moment we encounter an expression that is not less than the left hand side. (Note that the

>- is such that there can only be a finite number of expressions less than any given

expression.)

Secondly, expansion is not uniquely terminating. That is, an expression can be

expanded in several different (but finitely many, because there are only finite number of rules

in PW) ways using the rules in PW. All of them do not necessarily lead to the same final

expression. Some of them may not even lead to a suitable right hand side expression. In the

examples illustrated earlier, the rules of PW were carefully chosen so that they resulted in the

desired right hand side. A working implementation, however, is forced to keep track of all

possible expansions since any one of them can result in the desired right hand side. In the

implementation given below the variable S is used for this purpose.

This chore, in fact, happens to be the main source of inefficiency in the synthesis

procedure. We use the following obvious ways of getting rid of unproductive expansion

paths. Firstly, type information is used to eliminate some of the candidate rewrite rules for

expansion. Secondly, expansions that result in an expression that is not less than the left hand

.°L

-94-

side are not going to be fruitful. Finally, we make a distinction between the variables that

appear in the rewrite rules of PW, and the ones in the given left hand side. The latter. which

are tenninals, are treated as constants. This eliminates several rewrite rules for expansion that

are candidates otherwise.

It should be noted that the procedure given below is only a part of a complete

implementation of the synthesis procedure. The other part is expected to determine the left

hand side of the rules. We have assumed that there exists a procedure to determine the left

hand sides. If the following procedure does not succeed in finding a suitable right h.nd side

for a given left hand side. then another set of left hand sides have to be generated, and the

following proccdbre reexecuted.

Gcncratc-a-rule = proc ( PW: Perturbed WorM. Ihs: F(1. ...>-: orderinl) returns (Rewrite hle)

%l nilializaiion

a: Substitution *- A-suitable-stantlatiowfonlr-lsilhs .- o(gs)S - 136(ilhs)4)

ret

%Test i(expansion can be stoppedIf There-exits--suitublecandlate-i(S)then rhs - Fetch-a-suktable-candate-oa(S)

rcturmhs -4 rhs)

WIfla candidale has not been genenuedyet expand by one more slp

for every t E S doSi - SI U st-or-,ll-expuou-oft by PWenfor

S ..- Si

Wr rop fm SI unproductive expressimforeveryt E S1 do

i -(lhs >- t) then Si-- SI - it)

foreme

IM

SbpwAAI' drwipim

13 74SE .. k) soc %thus Us 1wi o

(2 ( . gWuCsu. andmctb

(3) l ~ ~ g ~ ~ ~ . )*3?h)the. .uas(5rw) ekei ueuraWalme)

4,S4 bprvbr krwIo

uuIchmuhkA-C sudlaeroec saproc MS Sstllmmmcia" own% vii'. 0Pviuh.)

N 3s 1 S suh ohms3 %4(, ) so 2C?rks) C Goe~ibs a 11 such dthe(1) ?rb, does nt aunn 3 or upevAekmn of Ohw unplememed type

(3)tiaduct-Mvvikvhe PW(36(Fjk .... g.) a (ib

seutesa*Pmuslee(oby: Ezpnmis X Koke -) SOVIAproulmlUwage *Ieud"aICePmwO" I by7 -1 8Renmx Returns the usof alpomiblte panu of agivaemwse a a ive.rule

s5e5-*v pwmr9t-hrr Espiuls X St4Rl-), St4Elsvi*Uwgte- uId-salexp~am tby %Returnr The wet or all tem s suc doe

s = Uset-*a~snpsulm tby R.for adR C

expuaL-0bry NPvIule X Ocuwme X Rule) lzereinlUsage. exind I u by -8

a lmo OffeuUd a "Mm oly- Is )w umw& N tsu rcISal mmo

tNcuOas aM= OL Umqc Wo pWfmuuoui or dw wwnmt IM is 'bccAam. wlima isOw HMm O"WAcv UNA" ot Wm& al wa"t uauqm w*cm MOMWI~ to ft wimdbis oiW MO Sh Ofnd &

Wik A.hj: V%,g.Igg X gVp*g.Ju X OrruWWMO X M&)bo

Viwpr 1 ftlhinb*% s a byPW. vam.p) Ang ,) ma

aRewnsx A prrdaecw wrm ifs w ex p..* o adwc &to um~0/1)a,411od1S.hAI % wfld Is k-uV

5. Extending the Derivation Problem

The defivaskem pi - em - d the dewadw pwamirm~ downW in the 1u dapw

apply i a umum 41ic theb u pmui doom (S) fm the dwud pr.imwV. Op -Iw-is unwwesd Tbu w. S WIdsa die *im of te r~preumwkm Mwp

ThM se smF ca& the I ,11 ,m w she mmr pacr uask,. wbei s is a mbue of the

V us e of the repimuaulm uOpt

S conwo Ow w ( wWtw*A we ,Meabe m b a drm4.w

uplnnm k nftpftuc Ow* wahe a(m i e msipked i~ e e, icW s csarwtcd by~

lke uuacifhk Wcc*264.M Upphd by the OSuppOm A ad I th dW AbWWA

Meac us Wrap Ishe m Owh9 oewnw1 nipd b *oh" #4sk qma it~i~~ 0*

Forw taws' aswao~iwtft Thepsum ~a wm isFt S,sawb am

atubc k f to reprwi w~ due-Ar M* i .dv f cm

MW 1-pkmw4.m of QwwtM 4ft wn aco "so X k ~ X~ The duivgimn

hiNcKMO A as be dwacI emb W a ftt f cm be sepsemtd toy my t"p in

kicb Owh thec onq~ I s Af a Amumpiqueue beie urmiteh by

if OAiP. s ba am ofebw kft~a.IdntS dmew of A queue. OM rdw.

boauwM te ki doulandki, koati IvNA Ip24.both Sum idadhqu. ad

j - Ic the wa - be p r .Wa isfr qf a me eSmw im w equeue The

L~ D a FftASAu'... L j L 01 a 8 * J+IOf %

.he 3FA1. I. ko0

~( bD) SUMrn

kui qahesbowe I lad)

nwcre. c atSI~ .imum (tad in * pu.s ciphe #A So 411 d Swa

ogd oo charemw en 1 i Mpb.w is qrknb*IN dw aSt Obodm as wag, Fmw

Cumvnim. ovwp" Si ca~o bosb. A pft*=&or l ta'is a o a &wa 4"p is

couect sob mwpo o a avcuw q~*m (Ow cdvuuwsm m iuxulm &wM=

(1) Twooor ?pwy E'el -pmu I I- , a'id&cu-4 wo

No m a tpm umt TMis ap i ~ft m h m SM d 0

N S a 0 Abe 0M. 'in OW b N"o a prdb*Ar W-m1-o we

-o* UAW a a t ibm tVa1 of NNI. if "~ a 1S"1 min Pf Ui P

so* q 9w lu iom-o ad -~ uin , We toso dw m bw WN A*, OVi ~w d

pwya~dd~.1Sw"ididmia' TS idwfutWoiflupw

"so*iiiUst~d ft.It101o r *soomaa"w*o owo

p lw~ - are i IPm We Tbb§mibs "pem M dm of

?MMTOUWMW O O b OO 1~ 1O bb1 It tII IROe 1.WO A

pwf f o Od do of "u WW ad vPR Si* sm01 o a doep-a1." Oo1 m be wOW go b" n ibMaa diplo dwi

Cwm. lb us 0. 424 1b. po fi On powi am = be o~a

t0 A *VMmS **put* el0ko soAo f in emiwomm"Of amft...VOt*F6a W 00&O VO dids o.., 6a*PnNiWi

1r. N aW" qin6St *4 11 aPinrT.

12 13vb of a Pehuim medg1

cd4 ffw . Okuimg Imh ad"aof a Fh aodmt m n slooft~

min PS shea oc '4*0 wom Ie *Now "*swim* am WN40140 a

smo *a nu SW .d n u Pw %waftE ow P V-took .uhm *A* wa to

962.5 1he*as6eb cmiw

1) lobs" rat

M 1 Psaw eumm op 0 1 Ohe ren wwqo &*ago)

00 "a" hfta be of *w am ob

oem S a f eam boom wotm pap~p

MVA A AJO 4r6.,. Q XMi. 0 SM0 1GPW.

ff1 bWuwemvfa Pw o t mk Q - I pt o*.ft W of Vd

11 "am a mu *I van oonP d ofue I asm a

a w v e -W " W A of a -0 -S 0# 9 * I w oI g o t es o w O W 1 "

ciWSAWW I he fwak" CrnM mt Idarw UOWN cwm am a 1c and

unt *t t ppaw 1Wy To~ft Cwdvm amw du mewpkw%(q u

atio ad wmwm tu cwn sau a *s reow amam. nic Wqwam

Casdm amwo due s - l ttm - t* a wqw wiw as @WV~ wpmomLIlb 1 k1-1IVi a 0m Cr*.mm. aiA sm* *0 rim wmunw hkim WMA it

~Ip -If .1 pitol am~L.. slw *A) 0 1 be' aol 10-- g*

uaukw *9 ainWXM "t *X Op w4 10OP9% I fbt IMMA C004RAM WVW 0m

a~MaWV vsiNO 00 *, #*XM it V CA *4 C*% ** bnd* i 4. .*t Is

-fam -0 reau -iswm I heI ! gm laI ft 1 s Ilm ow

PeI V M dI Um FS WyMf IMMitt AW * 01, aft I %

MOl f N 0 O*bPd td W

Vo OiNW " %ftt ft am la -1 1 1t pal a dt " O4

fL t U. L. am AV om mot ~I$ wm of ft

- -b m yif n do-O - 6m it * nAo

*Ot*t lme a k~t f 42a ow boom~ ow ft SI amlo to

S" to ft a "M &M I" am " ~a it ft" wo"

no ahwft potaf stow *"m to ft uivim ab a dor wft "a g

ft f" of M1 da aw v t w~ *aaf dm am" it Wlqmm

-al

OW410044ftV4~ -* NI

01,W%*ol 0sm .uw $14 13 1 #*f

~ gn'sw"0 -~ O"11MI

as 3ipssmgswustq 4-'sew "A j

S Wf d% 1W ad IbumuAaveow. .1)t &0- Sum6SC*asuw f I O&4 "

'WW w~ OvWV -.9NMn PMMO MMOd AU *I 0AOON"1 tows AI 0 &. -wa pam iw~m NmkIV.t*4 smi 9WW

0J3osdiW bOb tOMW0Wmo I

1W ws ~u b muu bd i am a b"

ph mV Shomalboso d wwin'm5

poloam - -- e -- -- m-o womkww awnu As b*Aw mewdqwm usA de i~ o & om b@M fw r~w e wm

P 4 PO oom

W4PWPA itO WILM f

W"%o it P.4,00& aP I

%Wd "6opmw e*aospw a O tg 6ow

an mwM Mh o~ bd ** of a s*k ob dumgc b dofte" a sm.m wsm

Ot 0*6 #UA timO sitA *"*6i ft*W#OSrn

fla,. %"' d"wf ft" $06 141f

tioo "* *6 ft i~ W"a we"wow

"A fellbn'4 FA wav *" I* t AM4 sw.ise 9#h@ew*s f m A

wioraeaf t sm at"

V FguW~ md* ~e~ I* w *s 15

***waft i~~mdR m~mq~i6~

~'W* ~ 6 g~~ . qab *6 ~s~*0 a'ump

*6 amm is6 b6 0 of PR ae Sm .w W! all 4r M-

.104-

aQM1tm, umn ha io ufe rewrite na- descrbing this ontexit besies the rewrite rules in PW.

Stkumfib. 71 ha io be detenmincd w that X(71) a Tru is a theorem For thki it is necessary

W ,uc the moewru n the speifiation of(S. These additonal rewrite rnmc which

dncnbe usbwion pmainnmg to the iniant. am nuintained as a separate entity called the

TrpeWowy Wtvid (1W). We isill ad.cuws m about TW its comtpos~ition, and its

minawm - a- It la sulihent io say the Jbillwing at this point: IV onsists of rules that

qpIM.f 9. Ond rub dM aM Bhng,.. S fibfY the inananL The rules in 7V are used

Ciepim a sell a to ensur tat 71 "simie.

It *amiM be filed thin pn of the Temporay World used in the derivation of a

puutbnmw) msmqcwjsk mWil be difretent fr differenit mule in the prcliminary

ompyvicawai I his K beuuse the arunent etpremisons appealing on the k-11 hand side

Isr x,) jot wisull diffacmn fiv dfemla nblm Consequently. the pan of TW* that

eump. "a ie Iw nawid d4b mn te beginnint of the deult ilon of every rule. (The

kvipar~wv bl lowe of. a vi Mf i~s akin pnnpWe s t o nw TW a Tenmpxrry World.)

In the kAom A#. ac ijagm thc dertbak or a syndieuis equaton ciwrspondling to

ib. sisgeil rk ISeQtIE4(.a. A - Tf,~ in t paval pidimmnary implementationibis -n a a . 17, lte *wtu*m pia an Illunaon of how the geatiomn of theoremns

thme 11W mad~ hro do*wam ob dio below. For ca of refercnm Ow aliven

bvk. at rnks cocaped urns PW (fig 16) Oat mko mee~~ te ptmt derivatlon

Rainks es YdIi Wm a pslioof J. Te nule numbered (11) mmerm

*m dW E14UW i hVM(ft 10 1 The fourt rule Is a property of the

w1 A*# arpk(*. iap *A meda 6 m&a Ow ,1. Thb can be pmied a aheore

Ikim Sa ipsk~*(of We m w k Ok obuakd in a su ent section where we

dbe w ffm Apo linpmwOY Was

the 11100111 own of F

_________ A

- 105 -

(1) Y4,, i. D>) -. Nullq

(2) X AS(Sign(v. e.j). ij + D)) -- if i = j+ I then Nullqelse Enqueue(3G((v, i, j>), 36(e))

t3) 4ENQUVI'FAx. e)) -* Fnqucue(:G(x), :1(e))

Ei) WheCM_..l'alsc. vI, v2) -- vZ0) i.fhee..lse('lrue, vl, v2) -- vI0&) 7fibto-elsc~b. vl, v2)) if-then-else(b, 3G(vl1), X(v2))

M%- Y+lI -JWIio(x y)

P) mwrre) -. False

I he TepoWary Worm0)* . L i)) -.* True

10 X Asaign(A.e.e). ij+l)) - i <j4 I A Ii = j+1 V i(<v, i,j>)]

isl) ap)) -. True

Shown below is a generation of a series of theorems by invoking the synthesis rules

*WW the rewrite rules shown above for expansion. The generation results in the derivation

o( a syndhxsis cquatlion of the form we desire. The first theorem in the series is obtained by

invoing Synthesis Rule(l) for the expression 3G(ENQUEUE(<v, ij>, e)); the normal form

9( " expression is Enqucue( ( v, i. J>), :(e)). The rest of the theorems in the series are

chWmic 11v invoking Synthesis Rule (2) using different rules in PW and TW for expansion.

An elplanation about our choice of the rewrite rules for expansion in the following

dcrt;io is in order. Recall that the ultimate objective of expansion is to drive the symbol

X in the nht hand side of the equation in Step (1) to the outermost level of the expression.

b"setlen of the rules of PW reveals two possible sets of rules which could be used for this

pmwupw The fir one is the %-rules. in particular. Rule (3) of PW: however, applying this

tub in Sup (I) will yield an expression identical to the one on the left hand side which is not

septAk The other possibility is applying the rules of the homomorphism specification,

i,.. cow Rule (1) or (2) of PW. Rule (1) is clearly not applicable. Rule (2) is also not

tkabh A closer look. however, reveals that Enqueue(3G(<v, i,Q>), :3(e)) has the form of

*e npIesslin m the d-arm of the conditional expression on tht right hand side of

-106-

Rule (2). Hence, we make an attempt to expand Enqueue(M(<v, iQ>), 3G(e)) to an expression

of" the form ifthen-else( .... ..., Enqucue(G(<v, i, p), DG(e))). The manipulations performed in

Steps (2) through (4) are precisely aimed at this.

Form of synthesis equation to be derived: %(ENQUEUE(<v, ij>, e))Normal form of 3GFNQUEUE(<v, i,j>, e)): Enqueue(%(<v, i, j)), X(e))

Rules used for simplification:

Step (1) Invoke Synthesis Rule (l) on Jf,(ENQUEUE(<v, ,% e))JG(ENQUIUE(( v, i,j), e)) -Enqueue(3G(<v, 4j>), %(e))

Step (2) Expand Expression: Enqueue(3G((v, ij>), 3(e))Using Rule: (4)

.°. ............. ..° .. ... ........ ..............................

JG(ENQUEUE((<v, , J% e)) = if False then vI else Fnqueue(3G(<((, i, J>), X(e))

Step (3) Expand Expression: FalseUsing Rule: (9)

X(FNQUFU FX< v, ij, e)) if -(True) then vI else Enqueue(3(< v, 4)>), 34(e))

Step (4) Expand Expression: TrueUsing Rule: (12)

%(ENQUEUF(<v. 4j>, e)) if not(i J) then vl else Enqueue(3((v, 4j>), 3G(e))

Step (5) Expand Expression: -(i J)Using Rule: (7)

3G(ENQUEUE((v, 4j>, e)) =a if i = j+ I then v1 else Enqueue(X(gv, 4j)>), X(e))

Step (6) Expand Expression: if i = j+ 1 then v else Enqueue(%)( v. 4j)). :G(e))

Using Rule: (2)

)G(ENQUEUE(( v. ,p, e)) a 3G((Assign(v, e, J), 4 j+ 1)

-107-

Note that the right hand side of the List theorem in the above series issuch that

ENQLIEUV(<v, i,j), c) >- <Assign(v, e.j), ij+ l>3(( Assign(', e, j), i, j+ I>) --#* True

Hence, we have the following preliminary implementation for ENQUEUE:

ENQUEUE(<v,,j>, e)-- <Assign(v, e,j), 4 j+l>

Let us, for a moment, draw the attention of the reader back to steps (2) through (4)

in the above derivation. Their aim was mercy to expand Enqueue(X((v, i.j>), 3G(e)) to a

conditional expression that had the former expression as its else-arm. The purpose of such a

transformation was to make it possible to apply (for expanding) a rewrite rule that had a

conditional expression on the right hand side. A situation such as this is encountered

commonly during the generation of theorems. This is especially so when the rules of the

input specifications have conditional expressions in them. Hence it is useful to extend the

definition of the mechanism expand so that rewrite rules with conditional expressions on their

right hand side can be applied directly to an expression that is not a conditional expression.

We describe the extension below. in future illustrations of the derivation of synthesis

equations, we will be rsing the extended version of expand.

Suppose e, --+ ifithenelse(b, er e2) is a rewrite rule, and a is an expression that is

being expanded by using the former rule. According to the existing definition of expand, the

following protocol is used for expanding a:

Protocol 1:

* (1) Check if a (or a subexpression in it) is unifiable with if-thenelse(b. e, e -); if so,

let 9 be the most general unifier.

(2) Replace O(a) (or the subexpression in it) by 9(e,)

Note that according to the above protocol a is expandible only if a (or a subexpression in it)

is of the form Ifthenelse(...). Now, we introduce two additional ways in which the rule can

be used for expansion.

Protocol 2:

-108-

(1) Check if a (or a subexpression in it) is unifiable with e21; if so. let 9 be the most

general unifier.

(2) Check if 8(b) --+ True, or -(O(b)) -+* False.

(3) If so, replace 8(a) (or a subtexpression in it) by 8(e).

Protocol 3:

(1) Check if a (or a subexpression in it) is unifiable with e2; if so. let 8 be the most

general unifier.

(2) Check if 8(b) -* False, or -(P(b)) ---* True.

(3) Ifso, replace 8(a) (or a subxprcssion in it) by 9(e1).

Using Protocol 3, the preliminary implementation of Enqueue derived earlier can be

obtained in just two steps as shown below. The theorem in step (1) is obtained as before. The

theorem in the second step is obtained by using Rule (2) of PW for expansion under

protocol (3). Note that the boolean expression under consideration is i =j+ 1;

i = j+ 1 --,* False by Rules (7), (12) and (8)..

Form of synthesis equation to be derived: %(ENQUEUF( v, ij), e))

Normal form of 1(ENQUEUF4( v,/, j>, e)): Enqueue(3(<v,/ j)), G(e))

Rules used for simplification:

Step (l) Invoke Synthesis Rule (1) on :(ENQUEUE(<v, 4,j% e))

3G(ENQUFUFA(<v, 4, e)) a Enqueiie(%(<v, 4J>), 3G(e))

Step (2) Expand: Occurrence: A

Expression: Enqueue(%((v, 4)), 36(e))

Using Rule: (2), Protocol 3

I(ENQUEUE(< v. 4, e)) a (<Assign, j). 4j+ 1))

It should be pointed that the addition of protocols (2) and (3) does not enhance the

generality of the original definition of expand. In other words, we can show the fIlloing:

-109-

Suppose p can be obtained from a in a finite number of expansion steps using a rewriting

system R under protocols (1). (2) and (3). Then. p can also be obtained from a in a finite

number of expansion steps using only protocol (1). provided R contains the following rules

that specify if-tben-else:

iftbcencL c(True, , , Vz) -,

ifrthen.else(False. VV, v2) -v

The reason for introducing protocols (2) and (3) is to redwe the number of

expansion steps needed in the generation of theorems. The two rules of if-thenelse given

above make expansion uneconomical because the right hand side or each of them is a

variable. This makes each of them a candidate for being used for expansion at every step of

the theorem generation process. Use of protocols (2) and (3) in effect limits the use of the

above two rulcs to cases where there is a rewrite rule with an ifLhenielse in its right hand

side. and which could be used for further expansion.

5.3.2 More on the Temporary World

5.3.2.1 The Purpose of TW

The Temporary World ('fW) serves two purposes: Firstly. it holds information

about the invariant J. Secondly. it provides a means of keeping a log of certain assertions that

are needed for temporary stretches during the course of the derivation of an preliminary

implementation. Some of these assertions are generated automatically by the procedure;

others are supplied by the user.

The information about J and the assertions are entered into TW as rewrite rules.

(The derivation procedure may use the rules in TW for expansion like the rules of PW. the

Perturbed World.) The assertions needed may change during the course of the derivation of a

preliminary implementation. Some of the assertions needed can only be determined during

the course of the derivation. Because of these reasons. TW is treated as a dynamic world. i.e..

a world that changes during the course of the derivation of a preliminary implementation. in

contrast. PW keeps a log of the facts needed through the derivation of the entire preliminary

implementation.

low-

-110-

There are three reasons why temporary amnkrs might be needed during the

derivation. Firstly. the eqition l((g r .... g,))m a (?t) being sarched for s a doorm of

PWV only undcr the hypothesis that the arguinens to F satisfy J. bc sec nd ran arises in

checking if ?rs satisfies J. i.e.. if 3(?rl) i Tre is a theorm. "is check ha to be

performed under the h)pothcsis that the arguments to F satisfy 1. Aho. performing this

check may need the use of the inductive logi. In such cae. it is necear to set up

appropriate hypotheses for the induLtkx.

The third reason for the ned for asseins arisics while one is atlempting to expand

a subexpression of a conditional exprcsion WLthe&-eb(b. e. e). Under such a situation, we

may assume that b is Fake while expanding a subexpreulon in the else-am. or that b is Thm

while expanding a subexprcssion in the beia-arm. For instance. consider the exprmlon

Irtheebeir~::j . je X,(<v. P)),35j(e))). In this case. the subcxpremion

Faquen(%(< v. 4 j)). XeM)) is cxpandible by the rewrite rule

,(<AsjIn(,. e. J). L j + >) -. I 1 n j + I the, Nuil ele E.quwe(X((v. L >). X(e))

only if we make the hypothesis that i - j+ I -- * Fale.

5.3.2.2 Construction of TW

7W consists of two pars: A stalwl and a dywnk pon. The matic pon remains

unchanged for the entire duration of the denvatkn .of the preliminary implementadot. The

dynamic pan may change durng the derivation.

5.3.2.2.1 The Statk Part

The static part consists of information about the invariant J. It honsts of

(1) A set of rewrite rules that constitute the specification of 1. The specification ofr

involves other data types which are among the implementing types. We mume that

the static part contains their specifications also. In the examples we discuss, only the

relevant rules from these specifications are displayed.

(2) A set of rewnt nabs dtk cipe addisimu papenles abut I.

The mwet ruitna nwruioWs in OX) abmce am be wawnhded aukcuaaly (twi111C mAkXViOn SpOAMMwoL The omm in (2) is womtahu the uw t dic the upia(iupphmtn adihusul* &x dmkqwa a ptcdmmauir WlINIwio0 401in the pamwof&nonviv oanan~wu Thi6 ormwu.ti is ace"d kw the filkwhag mum: Iher ame seupcluninauy milemenom whoe denvaum is depeani' on lemma "ha esprem

intoweilut propenksc aboit the inkaimLs Although it might be poMabe to pos dheulemmM (rMM the geilksuio d. the den-mw peoccdur ummsi auknuhc*ll dkvwon

the desired lema The nel rule% in (2) qVco~y thm. kmnwa

he static pun of TW tied for thecuornts etample isptc below Rules () md (2)we cwnut frx wa theq~afmim of) J Sk a pan of die owdsow wmctkation in,

Fig 15. "otc that dhc right kid rd& of rule (2) in a sueulhflc 'uskms of te righ hataskdc of the ocwmsn cquution of the spdfk~om or) Th e mks ued in tsimnphlkatmon au(30).(II). (3). md(4). Rule (3) qidflcs apropeny~ofs) itswu ha itriple (v. Li P usfia). dhei Ig I j The property can be promed from the qoclflcm or 1sfit .1e (B-medthd Rules(4) through (11) belong to m the rimkion NsiW sod btd.

Thes rubs wilt be moed in the cuaples thatfoow.

(2) #(A~~.& )Lj+ ) - 1: J+ I A Pl J+Is V )10. kp)I

(3) )((v. k P) me 15 j Tru,

(4) amyVsj .aj

(3) True Vs- True(6) -x V a In*ru(7) -is A1) - -s V -1

(3) a V (I A a) - (a V 1) A (s V a)(9) (a A Y)- -Tru,11) COMbelmik )-w b V

11I) ,t...theLebsk~ 01. f~i) b'hA e

0h t w pan ow mn dkuip shi. on camw a lk mtlmo a. mmwv

oomikue-WAs k an Mu wo dbe 0w sno ofe am 0 cw PucbmmmWW

fpkmoAbm to .mhea. uA ie &MOMw a( a We I*~r. I ma4 WNW iM O

"tanl " ow &In~am of' a rb inschn pmrdv. a WNw of i Isan 1w PmAim

oft gwin wcm tow diews a us~doe a a dw cwmc c m ia *rp to dW 0otw G

I I PkMsuas dfi Ammmkf (in 0w kWM Of velu e*SW We SW 0 aNd

tvmoed ften Owe dymmuk~ pan a ipoilk ows dmnq 0w dafttAk* a ah l Nao

amoftk ndw i& "" dk-w time wwm ate a* ftn ftwmed bi Oiw ed o(0w diw*'*oM,

Eveugtm an mwmm is ahied io TV. a %n mnWomm o mmam d~a0 im dift m m

OWN& TV 1W aauv'.e To owm ow'ep m' no w pftP1hww

%rugb~wdo hoeuw6ro (MM ~4432)O en W) O~ man - IM sa n bdw W,

(%*ua TV 1W comawom in biius "k, Ie b bwmw lbe oic Pus. *66A on~ Ao

Osuw&mw of 3. en pwamuwal h be amm V) The meb aide 0*k if o0w

ume1WbetiS~fkc; -- b o e mb the afo 11 a MO ma

*mue sd b A"~m af dwe.ib at le. m~I n~i.

aM ibm of. mtiut h VI 1W.~l Etm axno ofatm tip aM ew1m 6mev

T*manwommadramobrd oil o.00wm~cark askIn mba

22 e mm Ow thei nam We ~ w twmvfa at nwto cIMINwa m "on o

to* -l o sod -0~ 6oi~ km 40UkIh *e ft I*b " &WCd u if w ftft

" gdc"WaiiftIht ftR ftn #qt. 11L amc awmt am ,I*r**@d am3ISU

tswa~ AvuKft aN f t 9* Lw I brI4 Am UW 9momE dwo

-.m Ait skwm -0 Is * k uk %m W - aum l*~owINi

ViARV l WN tbsw Oowm aI Wsinhwwwd uui$m. Elm*e

I" q ' s,-0 our, ... i d~ ~1113 Uh atop"*bud OWIU bt.~shaet *0u

~w mw k d *"hi kws* ft Ami r'ciN # wts. mmp h tt *~ awiit bs, t

"*f o A W of We .o. tbto fttin Vaw. outx SWtK*P "~~ ia

~q'swk *A *Ohfo" s t -,..v1 .'" wowu W *t low #â ft"O0 mW

qs.Imwk oftm **"of Km Amirm Ow ar* d "s. 4 "t I I of taW

4~~ skisld ftead MO Odw KV w*~ IOW CM4 IV FI) SW At

op5 ^%ap OW Aft om* I a at . t* iiiww~ Fi-si I. pe u3w lpi~ &A b

mo 0 * POW( Of -* s*d HuM r OW 0AW4 pftWhubM *AdwNi COMM~ 69# 11

-- aybo Oc Ro- 1 oM Am Rig copq dw tato &VuIwm how w

mssA4 ft s~owm mk pom bdo The atouw 9* etpms aW Wri t

FPIk1 At m ft -tfmmod" aI ee iSt --I kum paud osdu" *Not

inota loodouBi. ONte 9* -a be flo a FVow S qpf...3w)

'ft is At rob biq ft! Thw is "'l w ~w . w aw mueo

JMt~r- --%))Rwmy 118 (i "* 9%) Ow I- ) am d " 6 "m"*

A. M~~ Ws toA~ss W~W #. %ie~I i 1AapsWO A~iwum iCe dw 4numew af a %

AMS 'AV~ t 00E ft 00m% fte MWOO 1W 0* 4W OWVO Ofuw *VdU

POO~Ms.n WV406*9^0 IW tW1% %Sffd 09 a*~ 'is* 401 .9O ar IWVOf

tMv, ok Aplom A.mww*. **e imasdk oiv UOW fmwli ft hSW& ow

*ANW vk~ * ogpaf 04VOWU *gi" aftn ~%W4 1. Mh d"e oew~mod

0"06'.0Wa *004ftof

no oi OVA .OAssu me Iui Po b ow Ub ~~am

44"0 T 'A 00 1 vp I of u s dww pormiu w O t p~w a Ow ow of i

~ F0 is.th he 4s ph3W45e

Or 4*Ws Pt ' 1. r

20Mo Aif* pix o.4s popo o ao al5 dwo I **(0

9* -mft *mtd N OPW Of No fts I Ai10 - eI s m mo-d

is ~ ~ ~ ~ ~ ~ ~~ f -111 nowu dacn * ?sw..s-. ws

ow( t*Isa eo $-. .14 - SI IN Twf wew b 00 11 FAd..

"Wrm ** -m *am aw OMAww "oU~w Smpo 0 4b kwa*tIhrpi Abm

ISinbu .i0m 60 s #W* I% OW.d*a

pok9 'U" % , ah

ew~ 4wP~ oftwiee 400*0fmumlowh OhW ~w As 09t% 0 mte~owie 0omm~

ON* eWP o 6 a~fw 9 *A " wo imw Aoas -4W ** t

*pemdmg mskmuuweom iUlk mwwdm * m ouoop**sb.w

wmsm* %WWW TOms *%V 0*~hus 4WAW 00* O 4W est**lmrt

owmwd " to 00 .r u ve O 04" bui oh 40* ft

- mwmd woOLW, rJ1 * or 0. (4 Oft ammw psms 4

Thm on on -VIP - m Infm wakm to u wolww Ow "ft, %

Them.A fml* so j * lkei WVM u, 1 j~o~ 4

40SA o a w pmmm *0 a " oaw k *AwM bt 4"m S amo

wowwu 00 4wo IN S&Mk 6mf 40 ohmo POAO me 4m pm a aumiw

omawme w" usnee'm# at~ * 4 iw~muw~

6ftwoo *r i~N r 4 $ 4 *'r S. 4m* Ufffm (%om~ 4

o"om Ow obvo Or On wuuhm " OW spesoi # o

blbft. VN t rt ~dMA 40 S& OWR 1 tlUP6WAe 410

*0 A" peWO m 4P*M Of .pSO 40 .Vh 00 SWM d0MMO &ft*uu WWO fto 0d Oft*e "Non so -, wr 4wm am oqm

9, twaio a4mg~ %son,

IL*f mbom* aaompwa tqdo a.f~

S-1 4@k CA d

a a. owom~ ftaIt Sa w.s no a ow o~s i

FWNI~k4fd~t4. tO0W 40 IL t~ m6 AROf 9f. Ur

u~~~mumop Ie~ *~ .~1J

AII-

~~s~~~ismm4~ a# or AlSb wh~(u.#, t*a 0.j PAM'WtdM(. Ir ii)

ow* A4 aIs 0*48 m*I* bw vswvmd to ow *WW a# ''yk kwS ~ammir c . c A W^. ow bw

fl0Nb**A #%** ftoma Swm **ow w~I tsumWWskowoe .e"*Qd .mmks4

*Olww :ti 40 4 . mw Or mkw. . ftweawwo op*c a 0 o adw *o

;**m"I* #*Owwwsib2 *mw'4hso . wW*OMAS~ V4#S.AaU

tho * dwmw si aowwwl w P*osit C4 wam kie.overee owwwees *4s

%"a**#dke VOA*FW 0 ft gv~W fwoe (t%".*ewecwq* D~~~~rk~*ac

~ * w v~'wm w *.wb ô~ tk. i A * a"*~ 0 4IW o M.W A*o "fl'%1St..

1%>w 9.4~ * loe w. w am *dw 44' 'LA i4 *a low a W%"Wa

#*m%$ wo. to". ,.%megow *0 06M ow oqpWo tiaIt a..w-1101ws Oima 0P pwww

NNW *we O MM o..s* OWW* tW W & IA, 00~dI sog 4WftifAt 4 Ow

0e~eI "Ampk 4 w m~e %ve. . -r o t th r otmI lo Sa*w *4 * a

*ip9-& q *g w o"*0*#LAt 1* otow40%a

tIlgv j *I - %

WOW %amatIof teupa" %tu

do. -~ low

c.I. jLki M S)- J *j I A3 0 . I V S('. LPN

%4~~ ~ ~ A.. iv k , o

3K %q s. M ,.o. 4 1~ %v(t 11 v, 4)3 Z1,)R~~~#v ~ ~ 1 u'wd vi s~id~

.6 awvo lonuo 's aWOx~

NO" I~ Aw -awfa"

*4 %*401t CA 't,9i C - l AwIV* q1*40. ma a.Pww .6 jt~ !SW)f

4 %I,%i,' A94 ,4 VftowS4m*4 0' "!r ' 04)1 -- If

%v~w,, #t O' * 1i -lo

C'Tl r~a if 0 aa cawv$4

-119-

WjhLe~ai 3 j+ X~ ((v, 1, ,>),

Is~ **d.PICUM"ic: 3.1AG(I i1 l) G( 1 l j

C-0m16 Rule: (3)

'Lwwup Kuki s u tj, .)(,(.it.j

* ~F S. uc4( A,. a,. 4)). Isuquc avX4 s, 4J>), 3G(e1))

oheft (v. 4.)) is AI"IN1)((v,. i,.j,>, (v,. i,,i,>))

at 's PAWl

of* . Im

R 14(,. ,. A~ I'r 'rwv Jer)) Tm >

- 120 -

whcre(v, i.?> is APPFND)((i 1. i,.j>. <'r I>

Step (5) 1'ransforni: Occurrence:Using Rule: where-nzlc (2)

if-then-elseli, = j,+ I, 1(v 1. i, 1). (<Assign(v. e2j), 1,1+[>))where <(v, i, J> is AIPIND(<v I. 'I-j1A% < "2' IZ..4?)

Step(6) Expand: Occurrence: X

Using Rule: (4)

3G PN1)(< v, ij,>. <Assign(v 2. e1.j1), 119j+)))16(if-then...ClSeCi = j1+ 1, <v1, i,,j1>, (Assigii(v, e2j), 4j1+1D))

where~v <Y,P is AlIPENI)(( i'. i,j,< ve'2 4*?i)

if il= j,+1 then <v,, i,,j1 >

else (Assign(i'. e.,J), i.j+ 1) where <v. 4j> is APPFNI)((v1, i,.j,>, <v1, i2121>)

Definition of APP~END

if i2 = j2 +I then <v,. 119j1)clse (Assign(v, ej,4j+D1 where (v,4j> is APPENI)((v1.il y>' V2' 1i>?

- 121-

6. Stage 2: The Target Implementation

The second stage of the synthesis procedure transformns the preliminary

implementation of the implemented type into a target implementation. For instance. in the

example implementing QueuejInt in terms of Circ-List, the preliminary implementation

derived in the last chapter (shown Fig. 5 of chapter 2) is transformed into a target

implementation such as the one shown in Fig. 0.

There are two dilferentes between a preliminary implementation and a target

implementation. The first one is that in a preliminary implementation the only operations of

the representation type allowed to appear are the generators of the type. The target

implementation may also contain nongenerators of the type. The second difference is in the

function definition methods used by the two forms of implementation. In a preliminary

implementation a function is defined by means of a set of rewrite rules. For example the

preliminary implementation of ENQUEUE (Fig. 5) is:

ENQUFIJE(Create, j) -- lnscrt(Create, j)

ENQUEUE(lnsert(c, iQ,j) -4 Insert(ENQUEUE(c, j),i)

In a target implemetitation a function is defined by means of a single expression. For

example, ENQUEUE is defined as: ENQUEUE(d. k) ::= Rotate(insert(d, k)). The

transformation performed takes into consideration both of these differences.

It should be noted that a preliminary implementation is an executable

Fig. 18. An ImplementationNULLQO)::z Create()

ENOUEIJE(c, 1): Rotate(Insert(c, 1))

FRONT(c) ::= Valu.(c)

DEOUEUE(c):= Remove(c),

APPENDfc, d): = Joln(d, c)

SIZEWc :: zif Empt y(c) then 0else SIZE(Remove(c)).1

- 122-

implementation. It can be executed by an interpreter that simplifies algebraic expressions

using the rewrite rules in the preliminary implementation and the specifications of the

implementing types. The interpreter must have a pattern matching capability to invoke the

appropriate rewrite rule while simplifying an expression. The program verification system

AFFIRM 1391, and the programming system PROLOG [??] provide such an interpreter.

Given the specifications of all the implementing types, the interpreter can execute the

preliminary implementation on any given input. For example, the value returned by the

operation (of Queue-lnt) Front on the queue constructed by Enqueue(Nullq, I) is obtained

by finding the normal form of FRONT(ENQUEUE(NULLQo, I)) using the preliminary

implementation:'The normal form i!s I. Depending on the range type of the operation, the

normal form can, in general, be a generator constant of any ofthe implementing types. The

nornal forem can then be evaluated assuming there exist implementations for the

implementing types.

Our goal is to derive the target implementation in a form that can be compiled by a

compiler for an applicative language. The motivation for this is primarily one of efficiency.

There are two reasons why a target implementation is more efficient than a preliminary

implementation. The first one arises because of the freedom to use nongenerators of the

representation type in a target implementation. This enables one, in some instances, to

eliminate recursion from the preliminary implementation of an operation, and to transform it

into a target implementation which is merely a composition of the operations of the

implementing types. The implementation of ENQUEUE shown above is an instance of such

a situation. The use of the operation Rotate in the target implementation eliminates the

recursion which was essential in the preliminary implementation. The second reason is that

an implementation that can be compiled by means of a conventional compiler is in general

more efficient than interpreting a set of rewrite rules.

We develop two methods of deriving a target implementation from a preliminary

implementation: The Recursion Preserving Method, and the Recursion Eliminating Method.

Both the methods are based upon expansion using rewrite rules. The target implementations

derived by the first method preserve any recursion that may exist in the corresponding

preliminary implementations. The second method can eliminate recursion from a

-123 -

preliminary implementation of an operation if there exists a nonrecursive implcmentation for

the operation. The second method is more general because it can also derive the

implementations derived by the first method. The advantage of the first method is that it is,

in general, faster than the second in situations where the two methods derive the same target

implementation.

6.1 The Recursion Preserving Method

I[his method uses a special set of functions. call6d the inverting functions. on the

implementing types for transforming a preliminary implementation into a target

implementation. To understand what inverting functions are and how they are usefil in

deriving q target implementation, let us take a closer look at the difference in the function

definition methods used by the two forms of implementation. The preliminary

implementation for SIZE is

SIZE(Create) -- 0

SIZE(Insert(c, i)) --4 SIZE(c) + 1,

and a possible target implementation for it is

SIZE(d)": if Empty(d) then 0

else SIZFRcmove(d)) + 1.

In the preliminary implementation, the argument to SIZE on the left hand side of a

rule may be a generator expression. The argument indicates the structure of the expression

that constructs the values for which the rewrite rule is applicable. This freedom serves two

purposes in a preliminary implementation. Firstly, it is used for performing a case analysis

based on the structure of the argument. Secondly, the explicit indication of the structure of

the arguments on the left hand side makes the decomposition of the arguments trivial. For

instance, in the second rewrite rule for SIZE the variable c used on the ight hand side is

actually a component of the argument to SIZE. We were able to access this component

without actually having to generate code to decompose the argument.

In a target implementation, the argument to SIZE on the left hand side of the

- 124-

definition is a variable. This means that the expression on the right hand side of the

definition must have explicit pieces of "code" to perform the case analysis based on the

structure of the argument, and to decompose the argument. For instance, in the target

implementation of SIZE given above, the subexpression Remove(d) extrcts the component

of the argument d that is denoted by the variable c in the preliminary inplenentation. The

subexpression Empty(d) checks if d is a value constructed by Create: the ifjbcenelse

expression performs the desired case analysis. Let us call the subexpressions that perform

these functions mentinned above inrerting expr,ssions.

A preliminary implementation can be systematically transformed into a target

implementation if the inverting expressions can be generated automatically. The inverting

functions of the implementing types serve precisely this purpose. For instance, in the above

example Remove and Empty are two of the inverting functions for CircList. The inverting

expressions can be automatically derived in terms of the inverting functions. Thus, the

transformation of a prelininary implementation into a target implementation according to

this method consists of two steps: First, determine the inverting expressions in terms of the

invcrting functions- second, derive implementations for the inverting functions in terns of

the operations of the implementing types. The two subsections to follow describe the two

steps.

6.1.1 Inverting Functions and Inverting Expressions

Inverting functions23 of a data type are a family of functions on the type that are

inter-related in a special way. Inverting functions are defined with respect to a basis of the

type. The relationship among the inverting functions of a family is such that the functions

can be used to algorithmically invert the process of constructing a value from the generators

of the type. In other words, it is possible to construct algorithmically the inverting

23. lnvcrting functions are related to distinguishedfunctions defined in 124). A family of invertingfunctions for a data type can also serve as a family of distinguished functions. The reverse implicationis not true in general. In (241 distinipuished functions are used to formalize the expressive power of adata type.

-125-

exprcssions as a composition of appropriate inverting functions. The inverting expressions

perform the following functions:

(1) Given a variable v and a gencrator expression t, check if the value denoted by v can

be constructed by a generator expression that has the form oft. Since an inverting

expression that performs this function is normally a boolean expression. we call it a

boolean inverting expression.

(2) Assuming that a gien variable v denotes a value that is constructed by an expression

that has the form of a given generator expression t. determine the various

components oft from v. We call an inverting expression that performs this function

a component inverting expression since it extracts a component or a generator

expression.

For example, the operations Remove. Value. and -(Emply) can serve as a family of

inverting functions for arcist. This is because the inverting expressions for any generator

expression of CireList can be automatically constructed from these operations. For instance.

suppose v is a variable of type CircList. and t = Insert(Iserl(e, i)J) is the generator

expression under consideration. The following are some of the inverting expressions for t:

(1) Not(Empty(Remove(v))) is a boolean inverting expression for t. It checks if v

denotes a value constructed by a generator expression that has the form oft.

(2) Some of the component inverting expressions of t are Value(v) which extracts j.

Remove(Remove(v)) which extracts e. and Value(Remove(v)) which extracts L

Let us now formalize the properties that characterize a family of inverting functions

for an arbitrary data type. We express the properties in the form of rewrite rules. The

properties are such that they do not necessarily characterize a unique set of functions. This is

done deliberately to offer flexibility in choosing an implementation for the inverting

functions. Inverting functions are always defined with respect to a basis for the data type.

Let the basis for the data type be 9 leil IDO). Inverting functions can be classified into

two categories: the component inverting functions and the boolean inverting functions.

,.

- 126-

( t) htfc is As ora component irting rutiom (d6.... . d) ociaed with every

gcneraor 0 in the basis whose arity is a They arm cdartenmfl b he bllowins

property:6014,(, ,... ,. -"A- ... J.e(,, ...... 'PN.- -,,,,...

A gencrator whw arity Is iero does not have any asiaed component inverting

functions The component inverting functlons m iated with v, faco a value

constructed by a,. They return doe arguments used by a, in ooinmucting doe value.

,4i the outst it may appear moce natural to charauvccte ie cmponen inverting

functios a foIkow 1/,,.....))-v r The problem with ach a

characieritation is that it may result in ill-defined omponcnt inverting functions in

situations where the peneraso. can be used in more than one way to conuvnac the

sme alue. For instance. consider the bouis S = 1. . + 1 for NaWaLNwubem

IfdE asociated with + is defined as dl(c+y) - x. then we havea situation where

do(O+ 1) = 0 and d,(I +0) a I. This will conflict with he rest ol di speciflcation

of type NaturuLNumbers which *ould allow us o prove " (0+ 1) - (I +0)

(2) There is a boolean inverting function mocted with every enerator in die hur.

The bookan inverting runction. p,. msociaed with a generator a, returms True on

values that can be constructed by a pmerator expression that has the form*(,,.....,). So. p, is charuceiied by p,,) -. u(d,(v),..., d,(w)) - v. where -

Is the equality operation on the type. Thus, the recursion preservin method in

eneral applies only when each of the implementing types has the equal operation

defined on iX A simpler characterization, which applies only when the bab is such

that every value of the type can be constructed uniquely wing the eratiors is a

followL

V ue IThe bus for (r.Lbt is S - (Crae. lauw). It has two component inverting

functions (d, and d4) both of which we motwed with lmw1, and diracterized by

luaew(d,(iefl(,b . dI i 42 gafr. i)) -, ImuWt(v, i). It has two booleai inverting unctions. p,

WA Pr ame wammctl w" Cmau &Wd te othe nmucW wth Mw*i Ty wt

dhwxuywjc m fkIjqs (Nm w fte perm ofo(Ce a wL*u that evmi aseula he

Caun be amn~wtUtd urnqucly 0 kem ofthe &Ter~wt)

pl(Crwsl - Tin

0p08QmI~. 0) - A

P Is~WA". 0) -~ TIMe

p1(Cueu) - ale

Nabse "w po ai pr in ibis cme me aucmki t o(cm~i oter. So. a4idc dedft

Wqnwntmcne ' for the initlIS funKUOSL sve m*iipemci only p,; ps is obuArood m a

necpeka o(p,

It is nut hard to we two a pftfliafww -fpf~ftf can be ttitanOmnfo us a

ande Mciis a i term of the inven*4 fuco FR& 19 pitat a pnesl prmr

that dun it kw an arbitrau) prelinmoau onplemaiml, In the kaiuni ov Adhare the

pmcedute on the pntouVaqw inq~enwaio o Sil., Te prdhinwaa) lpeesia

SIZE comists of the FUOOMAV restit rui

SlUA4Cmet.- I

517.1 (lsw*. Q)) - SSZE) * I

Suppow te left hoWd "i of the ta lonphnwatm Is SU.") The tesuso on the

rt hoWisis -med EIhelbu . c%;~ i oo, perbms a isa lyils, Thenbs

cmt wvmfepomdtin ki owew rt nil in Ohe pvknkaaury inpkwmob In th e mrom

cutd the rih wd sid *id a the Ow lo~ k but s:

9 bi thoua#

oh.Fb sm te

Th e tpomlims b, Oid of am desmnd ftar ft m wul flak w" te inwell

esprmum amoiuse mil t peru i aPqafn ta a -w the wm w SIZE an

the lft hoti 0&d o(t iewot rok. The esp r wuns b, aid el am demined wimnlaib bum

t ucs rewit rule. We win -%uab h", k W we downund situ, t aft mmr

1 pfqw ol4 o r~usxm d WVM Tub fam obw i w"aecftdw

N1,W 6*0fv of~ MWO *a owpaV owapa a

.*m C b 1.i

*) a 1w PN*am wwmeft vNpmop u .b wpt.bwM d

6 aq*bfeMM

duw a *WI

an #Iwa *m A doU

om ha .b *Wbb n O 1rl f

-

peg ~ ~ Iw omwoaAt& a" m04

bmswp wam b m umd soe

is~n Wu ihmm m skwum Id VAOt6 a of a.sumum ow &am%" 0

64 a hwt %UW* I f.w iw aw bomeq ow~mke tbr we""m ic ow 4,

ofo h aft"pomo ow~b oovw tompowo" a lopNom0 an~m to ow *A

eI 1.2 NOIAM Aw of bawsiq hek

""MfwwW a* mb a L% IN -s "I olwd!a n

Moanow t MA

%%VAN~- % ft 46 msafNs

#11 Ivkww m FRO

MW am~v )-mom ~. ~ m*

%Ott)J h. %4Ifsftnleme

......... .. ...- "..... a..... ...... nn w as~

v S V 0 0*w v w p I ivuaw Id" a

*~~ 4WV "s~ towO o

I uwm* * __

.0 CD Fhm ri~a ~tpIva#m

raw bmgixww4cj)

I hg wu~ *go"= amt-w Ekc L to AIK&d tw P* la, Noc Owdj this falouin aJw sausicssw ww wwto* mk ckovvmu# N. *Aww pleweW 0)) - k. w lile. p, can be

40~ww"Swis ju0 6400%;

I ot so~ %IWhz or or drwh- a Lu~a bmpkmcntaton fur an implementing

( Iw t bewo pWv41wmkar mwpkiwuwnt~ awoub orft te or wreaitc rules given below.

1,) -if

FuV I's

We so *A f ot a~ vw~k *'W*b Aamctin fm awwweme Mh gccra dm,ion or

*a Ow*W fi boosi~ "m be 'e nded ey 10 a "W~liataf runct&,a In a mmiet

ww~*u*a w' thum~m F ft ddlrwd a ~v e. where v is a raah and e is an

c Fsma " 9c~w .a w of the kamft funcshm symbob:

La es tmvf, & Ph) whuom 96 - wmpaoidmof the uncion symbols timed

abw TV* dvtisa of a wgus- Iftmuumion cl we~ of flndinj a sukable P. Thve

nw p n irh-190*m e m& do t bnar-f Aef by F(w):: = Mwv) has Ohe ame

kheeks ath dww 0Amu bywm otret natesgivus bow.

To duramtae Owe pubem bildy. we defin the FaUowing concpi. A

~i~enP u.,a wwtftnateofF iV shecqmaon obMaine by subsutig P for F on

boo she Oh of thu ueovutw ml b a 2 n of Owe vewlit swtf cWft of the

*0sdMwift *Vmwwi5. -od *e wipak-oan otthe implemienting types. For example,145 b.(mut~d &) aitisles the rule

tIt "~,*#WW-& khvaPW IFMQtC.j96) ir the equation

IemU~s. NO - 16 i)V N411a~aw~.J 1) is3 theoram.

bl IMv 0*VS*fi*,mW lk -fam o1 V~ Mist ei the foflowing equations should be

'40"Olft wRR IN 91 99e* Oct evftum obtainct! by replacing F~ by 10 in

Sit

P% . 9

"W *"w'we 4 Mv Ow%* &oImW**- (o Ow oaicmid~~ " a sIution for 9S is

4IwI*w *itti 0 * *0w 'oo.w wo #m Okon pmsrd~m #AIUq,), Oilanr to the one used4,*# itoj * 90twql~ww* O4wwrmUS Via Vft a *etw wf uamn of0 the above

~~~oooo mom*** *4~s dstosoue ft ke~ww un am al'. 01he Unias equatIon

Oww . "m*w.U4S %P P a ow* qme w9 " 0 Mcomw am ami cu~didmc for

'* 40OW lwMM %wo Owi re"'t0ft at A" doe %Ah kave rflit ,. The

twitaiehs mp- 4* Nisommw ww o UMai Or9 Mom-,~ eli 11t,.de wumplas

OOAsg pir * * ,tw m *O 9 VMMm so we 604 Ow Sic kms 0( SicO~l

mom" % *~ Owt m* Ow O uw wi Ow As o o de qih in d th

U.~~M sews at amwu %ON"a is dmtvft in

4,#W~i~lOw weSmuqw~e ft "f in 00 m. Sq *,f &.if OfI~ AGlbs,7

14POPq~ fit' 4*MV Ob wss 40 * Ow es~s Ott~f low 0 ' os01.at(pl o d's

*glsn'W .we@** 4"VwguR Swfewm ?bw1 SiR&,t wooe "Ms doi 6

V* m"ftsmm #1001w 0466 ON". 04 twe ftmm aiom6 1* VrpwwV

-000~.~ .w Ow usmo 4 *0 400%wemf "M 16 MM. ft OewI

'man ~ *~4s 9~6 01*1 e~eliW, ~g ~ u~ 0 dA

-134-

specifications of the implemented type and the association specification. Note that the

preliminary implementation did not exist at that time. Checking if a candidate for * satisfies

the rewrite rules essentially involves checking if an equation is a theorem.

Let us illustrate the method on the derivation of the target implementation for

ENQUEUE shown earlier. T'he preliminary implementation of ENQUEUE is repeated

below for case of reference.

ENQUEUE(Create, j) --+ Insert(Create, j)

ENQUEUE(Insert(c, i),j) -# tnsert(ENQUEUE(c,j), I)

The f* to be derived should be such that the following equations are theorems. (Note that the

equations are obtained by replacing ENQUEUE by P in the rewrite rules, and then

interchanging the two sides. The reason for interchanging the sides will be explained shortly.)

(1) Insert(Create, J) -*(Create, j)

(2) lnsert(f*(c, j), I) -*(Insert(c, I), j)

We use equation (1) as the template equation. The nature of our synthesis rules imposes

certain restrictions on the equations that can be used as template. The synthesis rules are

formulated to generate theorems with a known left hand side, but an unknown right hand

side. So. the template equation should be such that the unknown entity f* appears only on

the right hand side. In equation (2) both sides are unknown since l* occurs on both the sides.

This was also the reason behind interchanging the two sides of the rewrite rules while

obtaining the above equations. Note that there always exists at least one equation with a

known igt hand side. This corresponds to the rewrite rule in the preliminary

implementation of F that represents the basis case.

Shown below is a sequence of steps that generates a theorem that gives rise to a

£wget implementation.

bko Rcwme Rules ued br Eqm.m

(3) R11141 mte) -. CMW(4) fhls ,,tt'mse, ) - 1mwftCumte, i)(5) RIaUMCMw(Ims*. It, 211) -- Isurt(Rl(ltmne( Ii)), i )

- 135 -

Form of the theormn to be generated: Insert(Create, j) f*(Create, j)Nonnal fomi of lnsert(Creatc j): Insert(Create. j)

Rules used for the normal form: None

Step (1) Invoke Synthesis Rule (1) on Inscrt(Create, j)Inscrt(Create, j) - Insert(Create. j)

Step (2) ".xpand -xpression" Insrt(Create, j)Using Rule: (4)

°......... ............. .......... °... ....... . °°°................

Insert(Creatc, j) = Rotatc(Insert(Create, j)

The right hand side of the last theorem generated in the above series has the form of

[*(Create, j), and hence can be used to generate a set of candidate compositions. A candidate

composition is determined from three expressions:

(1) the left hand side of the target implementation, say F(v Q.... i)

(2) the right hand side of the theorem generated, say a, and

(3) the right hand side of the template equation, say *(g," ", g)"

It is obtained by replacing zero or more occurrences of g. for every 1 < i < n, in a by a

variable v, 1 < j < n. The replacement of g by v. is made so that type consistency is

preserved.

For the current example, the left hand side of the target implementation is

ENQUEUE(d. k) ::= ?; the right hand side of the theorem generated is Rotate(Insert(Create,

j): the right hand side of the template equation is P(Create, j). So, there are two candidates

for I*(d. k): (1) Rotate(Insert(d, k)) and (2) Rotate(Insert(Create, k).

The second candidate does not satisfy equation (2). The equation obtained by

replacing 11 in the equation by the candidate is

Insert(Rotate(Insert(Create, j)), ) . Rotate(lnsert(Creste, j)). This is not a theorem of

CireList because (for every I and j) both the sides of the equation remain simplified, but will

not be identical. (This can be checked by Is-an-inductive-theorem-of.)

- 136 -

Let us considcr the first candidate. The equation obtained by substituting it for P in

equation (2) is Rotate(Insert(lnsert(c, ), j))= lnscrt(Rotate(lnsert(cj)), ), and this is a

theorem of Circ-List. (The left hand side of the equation reduces to the right hand side by

the rewrite rule (5).) Hence Rotate(insert(d, k)) satisfies equation (2). The second candidate

does not satisfy equation (2). Hence the target implementation is:

ENQUEUE(d, k)::= Rotate(lnscrt(d, k))

6.3 An Illustration of a Complete Synthesis

In the following. we illustrate the complete synthesis, i.e.. an illustration of both the

stages, of two examples. The first one derives a target implementation for the operation

Append of Qucuejunt using the association specification that specifies the Circ-ist

representation. The second example derives a target implementation for the Front using the

association specification that specifies the (Array-Int X Integer X Integer> representation

(see chapter 5).

Illustration 1Stage 1:

Partial Preliminary Implementation of Append at Hand

APPEND(c, Create) -4 ?hs,APPEND(c, Insert(di)) -. ?rhu,


(10) Appcnd(q, Nullq) --# q(14) %(Create) - Nuilq(20) %(ENQUEUE(c. Q)) - Enqueuc(3G(c), %G(i))))(22) 3G(APPEND~c, Q) --# Appead(1C(c), 2C(d))

Derivation of the first rewrite nih

Form of the theorem to be generated: 3G4APPEND(c, Crete)) a 3G(?rhs,)Normal form of :G(APPEND(c, Create)): 2G(c)Rules used for the normal fbnn: (22), (14), (10)

Step (1) Invoke Synthesis Rule-(I) on 3(APPEND(c, Crete))

'l'he above theorem is such that APPENI)(c. Create) >- c. T1hcreforc the desired rewrite rule is:

APPI~lc, Create) --+ c

Derivation of the second rewrite rule

Form of the theorem to be generated: JG(AIPPNI)(clnsert(Crentc.,t)))= JG(?hs,)

Normal form of X(APPlENi)(c, lnscrt(Create. j))): Enqueue(JG(c). 3G(i))

Rulcs uscd for thc normnal form:

Step (1) Invoke Synthesis Rule (1)on 3G(AlPl'ENI(c, lnsert(Create, t)))JG(APPEND(c, hiasert(Create, i))) =- nquece('JG(c, 3%(,))

Step (2) Expand Expression: Enqueuc(JG(c), JG(t))

Using Rule: (10)

X(AI'PEND~c, Insert(Create, i)))= Append(Enqueut(IG(c), 3GVi)., Nulq)

Step (3) Expand Expression: Nullq

Using Rule: (14)

X(AI'PENl)(c, lnsert(Crcate, t)))= Append(Enqucue(%G(c), ()), X(Crcate))

Step (4) Expand Expression: Enqucue()G(c), XGV))

Using Rule: (20)

X(APPENI)(c, Insert(Create, t))) =-Appcnd(IG(i.NQUEUE(c, i)). X(Crcate))

Step (5) Expand Expression: Append(16(ENQUEUE(c, i)), X(Crcate))

Using Rule: (22)

JX(APPFNL)(c, lnsert(Crcate, i))) =- (APPFND(FNQ UEUFAc, i), Create))

- 138 -

Step (6) Generalize the theorem in step (5) by replacing tie constant

Create by the variable d to obtain the following equation:X(APIPENI)(c, insert(dji))) =_ %(API'ENi(ENQUEUF~c, t), a))

Apply Is-an-inductive theorem-of on the above equation.

This yields'l're confintring ihai the equation is a theorem.

Hence the desired rule (obtained by dropping 36 on both sides) is:

APPFNI)(c, Insert(di)) -- APl'ENI'F (NQUEUF4c, i), a)

Stage 2:

Preliminary Implementation at Hand

APPENI(c; Create) -+ c

APPENI(c, Insert(dj )) -4 APPEND(ENQUEUFAc, i), d)

Desired Form of Target Implementation

APPENI)(v1, ' ) :: =??

Relevant Rules of Circ-list

(10) Join(e, Create) --+ c

(11) Join(c. Insert(d, i)) - Insert(Join(c, d),

Template Equation Chosen: c =- APPENI)(c, Create)

lonn of the theorem to be generated: c -0(c. Create)

Normal form of c: c

Rules used for the normal form: None

Step (1) Invoke Synthesis Rule (1) on c

Coc

Step (2) Expand Expression: c

Using Rule: (10)

c m Join(c, Create)

Step (3) Find a suitable candidate composition.

-4(

-139-

The right hand side of the above theorem has the form of f(c. Create). So, find a suitable candidatecomposition. T'lore arc two possibilities: (1) Join(v,, v,). and (2) Join(vz, vn)I. Tie second candidatesatisfics the second rule of the preliminary implcmentation. but the first does not. So. a pos.ble target

implcmcntation is:A PPEN IDv, TI) ::- Join(v2, v,)

- 1

-140-

Ithuiratom 2Stage 1:

Partial Preliminary Implementation 01 Append

FRONI((v. a. M --* ?rhis3FRONl((Assi&*(. e. s). 4.i+ I>) --4 ?fbs,,FROrfl'((AsVqts~vej~. Aerj+ I) a. p12)) - b

Relevant Rewrite Rules oflthe Perturbed Worl

(2) 3G((Assl*. e,j A I. j+ M) --- II-bel-e~Is( = j + 1. Nuflq lAjeu(7C(V. k, J)) X (e))

(3) :)(FRONT(%)) - Front(74(i))(4) 2X(VRROR) --. lier

Derivation of the firs rewrite rob

Form or thc theorem to be generated: %(FRONT(<, Y. 4 t)) a (vb 1

3G4PRONT((i,. i>b))4: FurorRules uscd ror simplification:

Step (I) Invoke Syntheses Rule(i)on X(IZRONT((v. 40))XNFRONT(< v. . #>)) a Furor

Step (2) E~xpand Exipression: ErrorUsing Rule: (4)

%4FRONT(v M.a)) m M~ERROR)

FRONT((v, a4a)) --s ERROR

Derivation of the wood rewrite rob

Form of thedthorem to begcrncrated: XC(FRONT(<Ainlga e,#4 .0+1>))).n&?s)

Rules used for simplifiation:

Slep(l) Invoke Synhm Rule (l)on, r4'O(3(' . .1+ )

IKOU$A~~.r. . + a) -. e

Lie ti.*j+ . i.IAheh1.j+. ()Fnwsslqueu(x((w. .)e))

Ruks used for 'ampliflcadon:

.Scp(l) Invoke Syntohesis Rule (1)34F RONl~svA~,, e,.j I. J+D)

.9*e.dqi4 - + . Inst. ifAu..rb4 - + 1. YAPA)

Siep(2) hxpawidFliprmim: PisusFuqne0(.A.k). )Uing Kule: (2). Proca 3

TW Ugdur.

einj+ -4 #Pub,)I

iLobasteds *j+ 1. lnw. NVlaeba -J+l. y(e~l

Using Rale: (3)

tAdw@jbaij -1. Cuiw. Kl~m...i a j4+ 1. M~e,).

Z4PROKI$Av.r J, .+ 3)

Skup (4) FPi #-svtiwms aVmUvq Ruw (4)

EA..*la * 4 .IWL aliku.ab*o a 1+ I. Y*%lSjIEAmk. r#. A 0., J+M

Sb,~~~~~~~"M ($1-c" F-m izrma Ebjmiwj 2I3W)(A.@w* I. 71(t).74130fTl(t **-fA 0- 1 I2M

10 3Nr((w~IaI.~'Ar 1* DO~J3 a

lL~bmvM* ot Ln,,133IREM Ifab*& ,* I*L e

homim 1. 4/* I2R

FfW30% ft* A.c & 16 # '# D) i )

SjRu.ww1i e 133 It mb~ *LI n I

1U0WT4I r A . U2P

Le pRO w pl a bOwkbatooftwmpiowa4*

L~~oN00 Om~T~v aI Z)~ A~ ,d uu Wd mov~fem~ Wes b aw "w

d 6w~ pm~ ~- aid6w "ebsing wd allot a%I orp i -o "em~E e lw intern rl e in$ d cap *A VWb m b ow o

wwtat coo!f!, w w a it-v * a piol pal Trftfa 44 anWd him of 6wWWap WkwfMeinis e a bft. r e --v 00 w6wO p~m oda d is to be

OEkd urn of ok faup I Il No

aSas'm biuiur Roo d UMh A oxhw XAMWr

"~etow tvv 4t AV, * aomOf* 0,a 04 wulmo ar Wow mI

*S)ubO-M"0q.

t*l I iW %. e -E I ~

W ~ ~ ~ ~~b wv 45uow4 of PAAOI0 %ww* # )

INk wwd tmw be ihdi0 1 %%eww

L~I t~~~ i

lb ~4I~~N t.4 MW A*# **Ut- 4ShVASW IW R4 ,4* 1k4S)

* ,*.JkA* omewtmeis -*0 , pwC ptbt po0 It OAW 44*C WWO m.40d

*allu~S low* 4-oidwuSm a tw mto40AIMO 4 " ike Ot IP W ~

p4 sZ~ * poS * psi a.. .mea*S 6*0 w

7. ('.eckma sad Fulwe Rmnsab

*44 k 4p"A "* So V.b4 * 1 4pX*& *0 *cWs OS W0 IPPL

AW*s 4" ksg *$t"s flbus AW #P*A *&^4140M IM "h~ 4%4 W OWAWgWg

5.0 IPAJ 0** A MO01 I. A*s~m~i %~P ftlW sil

00w Ow a"* Ali*w Ow " 04" Sd~*0* * w

*.~~***~ON# A itlvokoft aw 4S9""1 so Ehe 4004% pwkste 6 46 wt wqw"w fa

t* tt 0*l 4f4klOk** adl 00WV*.W~Mt4 Itg~*%.s OW 4 4W%r~t C4 0 O

"*wPWV WtovvSk Mb bo4eww 4 v O0 %, *' ee Ow 00~ Ii~w *001% 00"O

40Rwwuilo4 $ 4l*ftO* .. *I5 04 4*01~0 OU*rw% Ilk tU45W4 t 4 w*l 080

06OWiWN w 44010"1 pt -.g04gg6 MAO** *WAN*u 40 iowwo 9~ hs ~pm

Ot Ne "o~ fWSlo f 4*" " 4 Oliwlk 1o ste uuihe Aft wt *4 WOMs 'Pws 00

400IMAA OrOO VWPt OWWd 4W Olt~s w * ^1e 3 dW 4ek"*Wb lb &VkW ORt ~e~qWW

Is * *# 00 4M idN 4wwNktiI &

0*04 alivniri "a 0Us1 "Olm '"dabi psall " Ubitd

-ws ew *vinwmoo dei 0o 4m wa #wh e "W groom "O uen

*W worm ie ft MWO Fa own* iu aw fot 9f pue-Wst Ow ofa

wMPAm"Isawak kkrnet5) ft Akto ~q ime n

An wpinum cominham of the Oksa n, the dwkpmnn of a Pxmuat basis for the

metb vid ~,dii~sseia nzeuiethe dc~tkjpmcnt %s inilmme.~d 4iplcantly by the

ledummm q fix w w t die ctejirine of unpicmcnwions of acbaic-aIy specified

4bu pc Itw '"wuhwn mWb hA too donhbing features. The ArN is that it is based

ve l psucw4 potiU. ok 4% wctww the wtednqucs of pmrrm wtiflkam. 'Me second is

te daihm~.lSi ot ob pomcdw uiv ito gm

the ovvow "n g tiain *m pnncipl lad us to ,vcw the synthesis problem

4(sm ckqke A) a am of pstris a wt of aheorcm "at%()sf the s~nthcsis cotiditions.

lbs moc- im&Mwm c~raume the ~kttm m a .hi a wt o( howms of the input

Vwi#4*v a poveed to wIdM a mw *te sm The %)nhcs rules provide a

mgwwm dA pgm#,*ui tbewwm fttw a ipmitk*mthis approah to %1nibcsis has two

audo,*ap I im.i am~m she InmAI smi(auon of the axxvocnls of the synthesis

swudwid wWk hg~aiesh to nhek "N csaulum ame bad an a crncnosi of wrrectncss rord~m hvv% SmmaI Wisi mis to beid t Ow mwjkb. in the &a of proprarn vcrirlcaion -

" am wqfe a fatuese fl,* maturaf vjgp an sea mh stoi pursue fuure m-arch. It

eawiw cikeshq Ow umml inmd b e Ow mhmu pwoodure operame. Currently it

ieev% a *a pwn of owuinut Omml at the gifka th" is decidled b, t Muuer/K B

muwed w chps 4) of pomvg opuwa and indktae proertis or rewriting sysem

t m wmW . Muld di e mwe~ui r s)nthes rules and new ways of using the

'ls bs % w Powrot~ 0" One mq. fix eansple. Wok inoo wayn or

maf Ow pnx% Wwwlaeui uwd b# 'as wflfro 15. 27) kmt out frameworlL

Ame ~ % Seew~ iii prcxmdure uit two saga is dut it makes

Se powadw. mots mWel It kAm Oe pan ibm b depeidest on doe tinet luiguqe. So

wmad~kap dy S" wgs me cm be Oak *%wb druttal) Affecting the synthesis

pem~tfs A pummbl e*wm to tem Ow~ slmW be cussiderwd is to incororate mor

"Moam poe u-ermol intow se wond 9tq The grmfonsfifu amo be

I*dik sp cloarawtain Ow Wqo ami W4pctmt cmtribution of the dmft s

44h$ *ism %4&~a "WOp , los.w .'*. OWAmt .* ft' 41vwsk w 41 tow 40du~mft

sf* k, % 14t 4* fv*bft"*- 10%1 .a.. t* #4w& af $A~f a. aI . f.WwN*

.44'. f 4.4% wi, m9 10' 0beg) l *#w 44N 010 U.' &*44 OwS OKAe1Ig W4ai4 t*4~m

9....g *044 40-m4~g ;*# it**se. "9 *'q. #, 4op.' ft lip.OM W

i~o 0 0, As is. bi 004*~g ort o * swism Jlw4#4^ 40, mIwI wedl*l# %

.w * 1.01 #*fewoolf ~$Ra#*46 boams "*W~ owv4* 4'*sw It,4 4440 1 N *WIg

* w'6.S 00 OV~ 4I Usews WH '-Owl IwqV* 4.1 .kiwil &lt 40 ft

1 1. te.Us's* 0 -, 49-a . "* 4*004 **' , 'Awso.W *mww two

* #Ows* 1*0 *o *eIS.4 P.AW f+ fol$ O1U'tI 1~ wo

ftiwP ft* No~ "Omm ft $moi ObeiOple #1#. 0*~ *9* 00,#~*~4.

mamw pctkmmmie mna1hii of the unp lentations. There is som recet work being

bane a dkis afra a 15" din is cornpatibiwish algebraic theory of data types. It would be

mkfv-,om to iucgmupw hemscrxtt bet~ our toAt and that of 150t

The mam mame b1 choostn an equasiona Lvaga to eaprem the inputs was

hwumw of ac baiehs a offcrt trim a pqWeocimlt point or view. Fquational

Vnskm~ kaiu Spomfl boas bnd hard so ariac. Tbis is one of the ramtrs that reduces

ft po*%Wu *ht sf die pomvihue It amuid be mufut to cauend the synthesis procodure to

as~ 69 ipiA&dm in a oWdi La a eo, *Aw

W* beWe ** *diPa of die taa*d in psqpm synthsis (and Program

*oPImmmi) *4aM am ad cam to ebet ve d propuc cnmplcdy or the burden of

114W.i R. *aM he i a aa boas t l km he wience of

pw amf Mb -mf Smd tobe uasd im wwer wni dais am pr.atlc*l relevmt.

anew ~ ~ ~ ~ ~ ~ 8 *.S ksofm mad idiedmekmemtof pirm

mW40W"m ad PWpM &WftWMa 119. 49. L 4 ~wmWe bdrv thism owwat amI* "M W wo a onWam

-149-

REFERENCES

1. Balzer, R., Automatic Programming. Technical Memo 1. ISI, Sept. 1972.

2. Balzer. R.. Goldman, N., Wile, D.. On the Transformational ImplemcntationApproach to Programming. Second International Sofi ire EngineeringConference. Oct. 1976. San Francisco, CA, PP. 337.

3. Bauer. F.L. Partsch. H.. Pepper, P., Wossner, H., Notes On The ojcct CIP:Outline of a rransformation System. Tcchnische Univcrsitat Munchcn,TUM-INFO-7729. July 1977.

4. Bosyj, M.. A Program for the Design of Procurement Systems, TR-160, Lab.for Computer Science, M.I.T., May 1976.

5. Boyer. R.S., Moore. J.S.. A Computatinal Logic. ACM Monograph Series,Acadcmic Press, Inc.. 1979

6. On Automating the construction of Programs, AI-236. Stanford Al Project,Stanford. CA. (March 1974).

7. Burstall. R.M. and Darlington, J., A Transformation System for DevelopingRccursive Programs. Journal of the Association for Computing Machinety, Vol. 24.No. 1. Jan. 1977. pp. 44-67.

&. Darlington. J.. A semantic approach to automatic program improvement,Ph.D. Th.. Artif. Ind., U. of Edinburgh, Edinburgh, 1972.

9. Dadington. J.. Application of program transformation to program synthesis,Proc. IRI A Symp. Proving and Improving Programs, Arc-et-Senans France,pp.133-144.

IL Defshowitz. N. Orderings for term-rewriting Sytems. Department ofCumputer Science. U. of Illinois at Urbuna-Champaign, Urbana. Illinois,UIUCDCS-R-79-987. Aug. 1979.

II. Diksm. EW., Notes on Structured Programming. In Structured• "iwwiq (DamL OJ, DMj m. LW.. Hoare. C.A.R.). Academic Pres.London and New York, 1972 PP. 1-81.

IL 2 D w EW., A Dixipilne ofPmgmvnmn& Prentice Hall, Englewood CliflkNJ., 197x.

1. Flapd. R.W.. Amlnipng Merninp to Progran Proceedinps of& Symposium

-150-

in Applied Mathematics, Vol. 19 as Mathematical Aspects of Computer Science(Ed Schwartz J. 1".), American Mathematical Society, Providence. R.L., 1967, PP.1-32.

14. Goguen, J.A., Thatcher, J.W., Wagner. E.G., "Initial Algebra Approach tothe Specification, Correctness, and Implementation of Abstract Data Types,"Current Trends in Programming Methodology, Vol. IV, Data Structuring, (Ed.Yeh, R.T.), Prentice Hall (Automatic Computation Series), Englewo Kd Cliffs,New Jersey, 1978.

15. Good, D., London, R., and Blesoe, W., An Interactive Program VerificationSystem. Proceedings of 1975 Internationai Conference on Reliable Software, April1975.

16. Guttag, J.V., The specification and Application to Programming of AbstractData Types. Ph. D. Thesis, University of Toronto, CSRG-59, 1975.

17. Guttag, J.V., Horowitz. E., and Musser, D.R., The Design of Data TypeSpecifications, ISI, USC, Marina del Rey, CA, ISIRR-76-49, Nov. 1976.

18. Guttag, J.V., Homing, J.J., The Algebraic Specification of Abstract DataTypes., Acta Informatica Vol. 10, No. 1, 1978, pp.27-52

19. Hewitt, C.E. and Smith, B., Towards a Programming Apprentice, IEEETransactions on Software Engg., Vol. SE-1, No.1, March 1975, PP. 26-45.

20. Hoare, C.A.R.. Procedures and Parameters: An Axiomatic Approach, InSymposium on Semantics of Algorithmic Languages (ed. Engeler, E.) as LectureNotes in Mathematics, No. 188, Springer VerlAg, 1971, PP. 102-115.

21. Hoare, C.A.R., Proof of Correctness of Data Representations, ActaInformatica Vol. 1, No. 4, pp 271-281, 1972.

22. Huet, G., Hullot, J.M., Proofs by induction in equational theories withconstructors, in 21st IEEE Symposium on Foundations of Computer Science(1980), 11, pp. 96-107.

23. Jouannaud J-P., Lescanne P., and Reinig F., Recursive DecompositionOrdering, Conference on Formal Description of Programming Concepts,Garmisch, (1982).

24. Kapur, D., Srivas, M.K., Expressiveness of the Operation Set of A DataAbstraction, Computation Structures Group Memo 179-1, Lab. for ComputerScience, M.I.T., Cambridge, MA, June, 1979, Revised Nov.. 1979.

- 151 -

25. Kapur, D., Towards a Theory for Abstract Data Types, TR-237, Lab. forComputer Science, M.I.T, Camb., MA 02139.

26. Kamin. S. An Informal Note on Extensions to recursive path OrderingsINRIA. (Obtained Via Personal Communication with Pierre Lescanne.)

27. King. A Program Verifier, Ph.D. Thesis. Carnegie-Melon University, 1969.

28. Knuth, D.E., Bendix, P.B., Simple Word Problems in Universal Algebras, InComputational Algebra (Ed Leach, J.). Pcrgamon Press, 1970. pp. 263-297.

29. Lampson, B.W., Horning. J.J. London, R.I., Mitchell, J.G.. Popek, G.L.,Report on the Programming Language Euclid, SIGPLAN Notices, Vol. 12, No. 2,Feb. 1977..

30. Feather M.S., A System for Assisting Program Transformation, Transactionson Programming Languages and Systems, Vol. 4, No. 1, January 1982.

31. Liskov. B.H., A Design Methodology for Reliable Software Systems, FallJoint Computer Conference, 1972.

32. Liskov, B.H., Snyder, A., Atkinson. R., Schaffert, C., AbstractionMechanisms in CLU, CACM Vol. 20 No. 8, pp. 564-576, 1977.

33. Liskov, B.L.. Snyder, A.S., Exception Handling In CLU. ComputationStructures Group Memo 155-2, Lab. for Computer Science, M.I.T., Cambridge,MA, Dec., 1977, Revised March 1979. To appear in IEEE Trans on SoftwareEngineering.

34. Liskov, B.H., et. al., CLU Reference Manual, CSG Memo 160-1, Lab. forComputer Science, M.I.T, Oct. 1979.

35. Manna, Z., Ness, S., On the Termination of Markov Algorithms, Proceedingsof The Conference on Theoritical Computer Science, Univ. of Waterloo, Waterloo,Ontario, pp.43-46.

36. Manna, Z. and Waldinger, R., A Deductive Approach to Program Synthesis,TOPLAS, Vol. 2, No. 1, Jan. 1980. PP. 90-121.

37. McCarthy, J., Recursive Functions of Symbolic Expressions and theirComputation by Mahine, Part 1, CACM, Vol. 3, No. 4, April 1960

38. Musser, D.R., On Proving Inductive Properties of Abstract Data Types,Conference Record of the Seventh Annual ACM Symposium on Principles of

-152-

Programming Languages, Las Vegas, Nevada, Jan. 28-30., pp.154-162.

39. Musser, D.R., Abstract Data Type Specification in the AFFIRM System,Proceedings of the Specification of Reliable Software Conference. Boston, April3-5, 1979, pp.47-57.

40. Okrent, H.F., Synthesis of Data Structures from Their AlgebraicDescriptions, Ph.D. Thesis, Dept. of Electrical Fngg. and Computer Science.M.I.T., Cambridge, MA 02139, Feb. 1977.

41. Parnas, D.L, Infomiation Distribution Aspects of Design Methodology,feciinical Report, Dept. of Computer Science, Carnndgie-Melon University,1977.

42. Clark. K.L., McCabe, F.G.. The Control Facilities of IC-PROLOG,Published in Expert Systems in the Micro Electronic Age, Ed. Michie, D.,Edinburgh University Press, 1979.

43. Proceedings of ACM Conference on Language Design for Reliable Soft warSIGPLAN Notices 12, 3.

44. Robinson, J.A.. A machine-oriented logic based on the resolution principle,JACM 12, 1 (Jan. 1965). pp.23-41

45. Rogers. H., Jr.. Theory of Recursive Functions and Effective Computability.McGraw-Hill Series in Higher Mathematics, McGraw-Hill, Inc., 1%7.

46. Rovner, P.. Automatic Representation Selection for Associative DataStructures, Computer Science Department, University of Rochester, Tech.Rep.10, Sept. 1976.

47. Rowe. L.A. and Tonge. F.M.. Automating the Selection of ImplementationStructures, IEEE Transactions on Software Engg., Vol. SE-4, No. 6, Nov. 1978

48. standish. T., Kibler, D.. Neighbors, J., Improving and Refining Programs byProgram Manipulation, Proceedings of the 1976 ACM National Conference.Houston, Texas, Oct. 1976, PP. 509-516.

49. Standish, T., Harriman, D.. Kibler. D, and Neighbors, J., The Irvine ProgramTransformation Catalogue, Computer Science Department, U.C. Irvine, Irvine,CA Jan. 1976.

50. Subrahmanyam, P.A. An Automatic/Interactive Software DevelopmentSystem, Department of Computer Science, University Utah. Salt Lake City, Utah

. . .. . .. .. . . . . . . . - -- . . .

- 153-

84112

51. Tompa, F. and Gotlieb. C.. Choosing a Storage Schema, University ofToronto. Computer Scicnce Report No. 54, May 1973

52. Wulf, W., London, R.L., and Shaw, M.. Abstraction and Verification inALPHARD: Introduction to Languige and Methodology. Carnegie-MellonUniversity Technical Rcport, also USC Infonnation Sciences Institute ResearchReport, 1976.

-154-

Appendix I - Equations as Rewrite Rules

Automatic vcrification of data types that are specificd equationally is often based on treating theequations in the specifications as rules for rewriting c%prcssions that have certain patterns. 1beautomation of our synthesis method also relies on such a treatment of the speeiflcaions. *Ibis appendixdescribes the basic concepts about rewrite rules, and some useful properties of sets of rewrite rules.

We assume a dcnumerablc sct (') of elements called variables. and a flnite set z of function symbols.We define expressions and constants over 2 as follows. (Ibe formal definition is similar to theinformal one given back in scc.3.3.1.)

Expressiom

An expression is either (1) a variable. or (2) a function symbol f followed by a sequence of n : 0expressions e, ... , ea. f is called the (main) function of this expression. and el,..., en arm called the

arguments. Such an expression is written f(ep.... e). An expression with no arguments is writtenas fA). Wcdenote the set of expressions defined over -as E(Z).

We assume it is possible to test variables and function symbols fiw equality. Two expressions a and Jare regarded as identically equal (written a - p) ifand only if they areboth the same variable ordthyhave the sime main function symbol and the same number of identically equal arguments. in the sameorder.

The variable set of an expression a isl{) I ra is a variable, otherwise is the union of the variable Setof the arguments ofa.

The subexpressions of an expression are (1) the entire expression, and (2) the subexpressions of'thearguments (if any) of he expression. Expressions which are variables have no expressions other thanthemselves.

C0oedais

A constant is an expression that does not contain any variables. We denote th set of constants over Zas T(M). The mabconstants of a constant are (1) the entire constant, and (2) the sumbcosants of thearguments (if any) of the constait.

OCcaImce

An expression can be repesented natualv as a tre sucture: The main function symbol of die

expression is the root of the tee: the arguments of the expression ar the branches of the tree. Thisanalogy can be used to devise a notation to identify unamblluously the nubexpreulons of anexpreulim

An accuurence in an expression s a sequence (possibly empty) of positive Inselersl a demote bepath inside the tree e eponding so the expremom the rum Ihtm the rot of th tre to the rot ofthe tree correspnding o one of the mabexpreulams. We denote the e of all occummaes in anexpression a by O(e). We use the Hulow nS notatim for denotinl an ocurrece: J\ is dhe empty

oc~urreceK. .uth if v is an occurreceC and A isan iaxvif. then LU is Owi tcvurrencc dim has I a is headand it as ms ail

'I'e subexprewm otf an expresson e at te a Icuirece v. denoted by e/ak is defteed as fcdkswrIrv = ,.hcntl?4 =e

For cxmupl. %uppow e - Eme(Deem(NvIq( )k 0). 1then e/ I = Dequem(NuWq 0)C/2 = keI cl1 - NYflq( .

Suppose s an EcurIcncC f e. The. o we wthe nouuuo el&--- ell to denot the eqwcaomobtained by replang in 0 the wubcapre'.son e/u by c' 1. v naoce. %uppc e t% the "mn ewpuesska.asmin Oheexample Vpcn aboe.ande't Nu~t ).thenel I - e II% Awm we " ~) )

S1110111111M

I et a be a mapping from iratubles to epev~o5 such that oft) = v Ie all but a Antc number of%jrubki . Ixtcnd the 6uonwn o(e so die seat of Al espenaua by dofning e#ft@ ... , C*)) to beleee, -.... Oe')). Such a mapping. as a lle a Substiuaiea for CsP.Ksmon 6Wt vmihes). Therkt~kin o l* - e'r.. 1180-0 tj vein be wecd to dcmise the uibMtiukm # luch dim vCe61 = -foI -i g n. and vi) m .

We say thtan exptesiW f Aw iho ~ ii te or f "(a CSptIWIa e hee a fkwcmaSubuucuume a f dwitOf*) Is Fo. CuvsmPle. AWedN14611 FAWM*411 Q)) ha te form orApcendill. Eaqsuuel? 12)) by Ow mbswuin a Iq I- Nola q - q. I- Q Noticethhis the flm of v% 1141 a s)mmuinc idadm.

ReWise his

A rewnrar m ian odered pmtrof esprekns 11, Rt sictadwa dOw wrdblewt of Rt is ontaboad isthe vanable wt oft U- ufly(It.R) *10be wflsan 1.-. A klueswt o~r %W rulesovea Moffuartim symb1ols XZi cAked a rawrit sysum our L. Lat f be such a "~Miag sytem

An exprein ais'vsh*wh Mmpm ot if 6em a le L- R inIanda aone&of&suh tha a/v has the formn of L IA. be a wbmhionh sch that @0(m a1L. andit *I& - @IR* Mhen w yam & Awdy aeh to P (uwqROttmd %0 aes a - (usftRI, Whlerei WIk pa larR in uwiclea trm ditCMM tOb wibe, wmaOaflO As a. If.ais ot rcdhaible with me to Rt. then we my a bs &Uiid** 1u 10~ I t

Let -0* be the umallms reacao on -* of wwumsichi m ylsse mun os of -

lion0 a-- P if and o0uI if 0C Clgr'Pr Ohmin a su ch Ow0 a a,-. 814 for i = .....a*- md a ai. We m ad a -#isa u~Ef i.

Suppo a * it. sad Pb is tdecML Thae m y *ia a mW~wio ita. it is riled a nobnof a. We demoe dwie n alrm a of enO. A weeuln $Ie It han d ipe N os kNO3t0~pety (UtfP) if the 9Mpt ls lto defined by At i a hucika; *A iL " Pwe eopmdPom ha a

mm aft ouansil m in haIL t mt.D f FP)V i obfsmaeo

A~~~ jet "m hdeltfgON oel~~fS laifan14l

A reofrnS Sivc R a toWrgrW i ho VIP a ega UIP. toow a caw mni eingm aAbc SiaU ka n%40y UK good bmn

App i 11 -Checkiag Flae Temude

*0m a f" 4e~i 0# vw** W . 4 *~ ad pumnd Plowq %xi e W *#au-

S O OOM SA-W %t POMOM is WW VAS We **44.S OW6 POWI

"**No No pmvc VIV

Ikuuo V% kvoo"u ,gwqw so *6* vim p 01 *iu # W.s bemdo Pat"

ftq~r~i bdh1'.W# gMfoWW~ * itIUU I & NW OW %I.Wm gs #AMC OW '00ww#J wo A ft4WWskIU wo It

951 UNSt*Um kw qet * I s-It * 4 be (eV*w ibb 4 #A#OtStt

low&"e% s% ) * a @a)

0-1 Sbbadob I~.3srf. *1m* a I'iom~ebI i)

INV 4 NowW ON No~t ia vods"'o ft* Nodmw" ow %oft" to *A 4* ow"W i #*vo 41S w~se*#d $**Of f~ **oft"*h to%&* ofawm &au sw mawe am

is ~ *~ s~es* tis~ieeW0w u Se owwmII ft *Um m !O If

A4 ~~' " 6 I s rI~ ~

a A~ v I- X-ft or..., V AF

M'' iIVE~ %.APsiqa

*w."toa O "twtplsitwo"bot*I--.blftese

V or 5 --)- - r V .AS)tl%

so% A (v 14

LW* P*" I9.*Aj tA jw* *A ;b, .. WguV4g.~ 440ft tAO IV 406 ON M4A *00*A 0 0 18*.wSAI %0 *000 OW A16w N,-s

Ibeen 4,% V#woqft *mv tw w*wNts v- Ab &~ e*N* *w 0d 44 4 *N*,~B

wu'~p4Of twili tw Wv. M a~m eawh 4 'lWW4W*f to 0wi 4. t~w~Am" d4 4

v~w-00" * of~o WNhW4 so~ q 40 00WO -- S WA40* W .4, V 4W0I itwm000*kW * 0 %%PRW'~ IWV*Ae 4*WA h6s4 Qepw. vWd f boeiW* .4 k' %OftO 0

'V44"IVW *WkW4*40 k N61 10 W"V w~4wS O W~* %.WAHVeft4 kWp*4w*.v~~AWqft

Of *0 Aw~b6#w*w~w

VJWP4A *AW4 1PWO* SWIP i00 00 A*hekeU OW*W* 44 0% :1 A~i .eWW0*blv" lwba*po~44.9 . 4 w#0S3 ~m~eI'O w*s*4 .gn~ioSU A WS(fBM~' w

sw~ 04 0940*0 e fwwW v'00 S. OWN dke 0 W"k ON.~' 5W4* 004%N% 40 4 0O OM o'.10

h~a wl Wea 4v ~ a"OrawI Sam IMp Onsaft~'ms

I*O 4*400gg webI

t1t* 00 00144 *mmoft. Oft! U MA"s'5W5W*(I* iNOeW 00W 0 1~I A PM dRf. OWÔW

31 a wft ao" 00 or

*1 a~ o bmmui do 600 E Aao a & W"ao N&# &ao Oo

%A S(!,A &*#*0)0

oift 9A at2w

Iva & aia.e owen w ewambo a .aa *A"$" u40~ a"" *1 t

*rp.'m wS *04o w of3*10 uOIWv* SwwNI. .wa*w

1)*0 V~ Sa * 0h4 W ese Ot 4* 4~wa Ssiueesimu

'40* P*k w ww o0g New a* * 40wawow eam flW ko z .u0 400sw a.oh.wiqas

ep~e*# S*4 It"'o 0 0A 4"#$* o%,fl* itJ Vi* 406" w*Io* n*nI 4o'o O4* 41W

R~W.~%PIww O * W4ow. rwnw It*4O4 00 q*WPe #Wt~o tOPWw of "Vo

kWMWO a %4*% IN 0* O 40MW A*SWOW0 *Oft* RWAQ*OWI$A 0*WA 4WIOWAWl

4Aoe4 #A# *~m wegd w a* 5 oso p - Sw .ee*qww -w wawov tow *4k'wwo *~w

.* A~w"a $rortl dk" OP 1 tod )ft oWe*t %ON*w S mod *1t a'r iwao 9.0

Oft*l sw0d lj ,E1* WOKW SWfll$ UUSMS0** MWNS im mwfwME -W* an&.to die *wca

,pOme#oft* ews*et AisftI Aswe P94~ ik Iaodudev 4ww Hew 'U % * h OS WnWWoW 00w4ww at*m .4 W4ee qVinMM

Apsiedix inI- Proofs orT orm

1 vt, S bw s I't-f a %MI" Owl~ti ptwvI OdefdlMiu I u1e e bcn cquatmn i Uue and @1E'* *" wwJ ftC 4 faftt*U v1Utbw a dim,. thmel a el i A (hetMl Of S if

Pon#.Ft Vrogu * , im bp fvn' A u, C1 t &%A OWW S U 19 1 " ell iju'fcw the pouiciple of'kAOOMO %iAS to* I*a*MOM i

of #I * es a~ " uA Ocomt S . tmel ictcz e 4 usbmiuItio the mapi vanables toOvwto wm"&x**w s,) wid @400,) 4NUMO .imwnn wi m MS. Since S uuKflcs dhejwsy*~v4 &Aw'S isfe) 40sd .4eo b'nc ,sac aiwul fwi "i wc orner" constint: let theMAWe O 1, I t9~ tvvtic of I I isnFwtd Nc tk @(C an ?a dp.'.t humt and t

dk '.kf S u ii ofI Ov " &'% Wui O idw *MML

QR1D.

Fee a M~Wtkd WOwM sepomw

11 to i *q"q I *A Ax "C"W "bttm 0 c4 wanAbk .0 .Cwraw Canuai - (el)a ft*I&Abbi w~ PW an

hows PR.0 ~Wnwot TwORM t*a& am aelisa OWMofPW. Ohav to dkMOw~

aed oW m *Avt ft wra tamThe pmst a by cowwAte I as upp Owt PW U (at - all b coincrern. but

&0Itel a go fto1010of PW, w rf 1 .owe M a 0 wm ug a ve4 and t2 a .4@e)4an-it Aptoal ptise of dw wem. SOONe uehwt amfAowift Owladoe M PW Li

Thqfw.. PR u e -~ ell ~ u aak " lMWO seed Wv li e id powis. If*tams bha.. pef 1WO&i bie -A m OpeichCMePWUIC,-.*el) I i"

twI

'$w;

Art, 94*nn4 aus o 'q. ,n ' a * % Ww? * v A# 49#~h . w,*W0*, wo i ., * ,~ fl

%$" -4o"O0,N-*O .000.4

*9~~~* sowy *41.9'.~ *g*%W' '

tit ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~~~) WI. 47..t$4m 1 *tb,*t*+ **4*4.'wn 60'*

'l ';'t'"494 1* *4 dW* 4*44W044 WuS~.*04W4*tNo.wfS. 6

Documents

mmhhhhhhhhmmlm - Defense Technical Information · PDF fileofUw *mooe n 3 Cpie AM Ma~: mwtm bmlsft. ... FS af lbehgse baboiln Polkm 97 ... The mns significant contribution of this approah