10 1 1 28 2740

Logics for Databases and Information Systems
Jan Chomicki, Gunter Saake
Edited by
Monmouth University / University of Magdeburg
Boston/Dordrecht/London
Kluwer Academic Publishers
Contents
Jan Chomicki and Gunter Saake
1 Introduction to Logics for Databases and Information Systems
1 4 5 5 6 6 7 10 13 15 16 18 20 21 22 22 24 26 27 31 32 33
References 2 A Logic Primer

Stefan Conrad
2.1 Introduction 2.2 First-Order Logic (FOL) 2.2.1 Syntax 2.2.2 Semantics 2.2.3 Proof Theory 2.3 Modal Logics 2.3.1 Kripke Semantics 2.3.2 Axiomatization of Modal Logics 2.3.3 Temporal Structures 2.4 Logic Programming 2.4.1 Herbrand Models 2.4.2 Fixpoint Semantics 2.4.3 SLD-Resolution 2.4.4 Negation 2.5 Conclusion
References 3 Temporal Logic in Information Systems

Jan Chomicki and David Toman
3.1 Introduction 3.2 Temporal Databases
vi
3.3
LOGICS FOR DATABASES AND INFORMATION SYSTEMS

3.2.1 Abstract Temporal Databases 3.2.2 Relational Database Histories Temporal Queries 3.3.1 Abstract Temporal Query Languages 3.3.2 Expressive Power 3.3.3 Space-e cient Encoding of Temporal Databases 3.3.4 Concrete Temporal Query Languages 3.3.5 Evaluation of Abstract Query Languages using Compilation 3.3.6 SQL and Derived Temporal Query Languages Temporal Integrity Constraints 3.4.1 Notions of constraint satisfaction 3.4.2 Temporal Integrity Maintenance 3.4.3 Temporal Constraint Checking Multidimensional Time 3.5.1 Why Multiple Temporal Dimensions? 3.5.2 Abstract Query Languages for Multi-dimensional Time 3.5.3 Encoding of Multi-dimensional Temporal Databases Beyond First-order Temporal Logic Conclusion 34 36 36 37 41 44 46 47 48 53 53 54 56 58 59 59 61 62 65 65 71 72 72 73 74 76 77 78 79 80 81 83 84 86 87 89 93 93 95 96 97
3.4 3.5 3.6 3.7
References 4 The Role of Deontic Logic in the Speci cation of Information Systems
J.-J. Ch. Meyer, R.J. Wieringa, and F.P.M. Dignum
4.1 Introduction: Soft Constraints and Deontic Logic 4.1.1 Integrity Constraints for Information Systems 4.1.2 Deontic logic and violations of constraints 4.1.3 The Paradoxes of Deontic Logic 4.2 Standard Deontic Logic (SDL) 4.3 The Paradoxes of Deontic Logic 4.3.1 Some Well-Known Paradoxes 4.3.2 The Paradoxes in SDL 4.3.3 Contrary-to-Duty Imperatives 4.4 A Diagnosis of the Problems 4.5 A Solution to the 'Ought-to-Be' Version of the Chisholm Paradox: S5O(n) 4.6 Ought-to-Do: The Dynamic Perspective 4.6.1 A Logic of Ought-to-Do: a Deontic Logic Based on Dynamic Logic 4.6.2 The Paradoxes in PDeL 4.6.3 A Solution to the `Ought-to-Do' Version of the Chisholm Paradox in
4.7 An Integrated Logic of Ought-to-Be and Ought-to-Do Constraints 4.7.1 Anderson's Reduction to Modal Alethic Logic Related to SDL 4.7.2 Integrating S5O(n) with PDeL 4.8 Applications 4.8.1 Modeling norms for the external environment
PDeL
Contents
4.8.2 Modeling norms for the UoD 4.8.3 Modeling norms for the system 4.8.4 Modeling norms for the speci cation 4.8.5 Case study 4.9 Discussion and Conclusion References 5 A Logic for Programming Database Transactions 5.1 Introduction 5.2 Overview and Introductory Examples 5.2.1 Simple Transactions 5.2.2 Rules and Non-deterministic Transactions 5.2.3 Transaction Bases 5.2.4 Constraints 5.3 Syntax 5.4 Elementary Operations 5.4.1 State Data Oracles 5.4.2 State Transition Oracles 5.4.3 Examples 5.4.4 The Pragmatics of Oracles 5.5 Model Theory 5.5.1 Path Structures and Models 5.5.2 Execution as Entailment 5.6 Proof Theory 5.6.1 Inference 5.6.2 Execution as Deduction 5.6.3 Example: Inference with Uni cation 5.7 Related Work 5.7.1 Declarative Languages for Database Transactions 5.7.2 Logics for Reasoning about Programs
vii
98 101 102 103 108 108 117 118 122 124 126 127 129 131 132 132 133 134 136 137 138 141 144 146 148 150 151 151 153 161 167 168 169 172 175 180 184 187
Anthony J. Bonner and Michael Kifer
Hans-Dieter Ehrich, Carlos Caleiro, Amilcar Sernadas, and Grit Denker
References 6 Logics for Specifying Concurrent Information Systems 6.1 6.2 6.3 6.4 6.5 6.6 6.7 Introduction Overview Local Logic L Distributed Logics Reduction Extended Example Related Work
viii

190 192 199 200 202 208 209 210 211 213 215 215 218 219 221 224 225 229 230 232 232 234 235 236 239 242 244 245 247 251 253 253 256 258 259 265
6.8 Concluding Remarks References 7 Evolving Logical Speci cation in Information Systems 7.1 Introduction 7.2 Motivation and Language 7.3 Syntax and Semantics of the Logic 7.3.1 Signatures 7.3.2 Terms and Formulae 7.3.3 Pre-interpretation structures 7.3.4 Satisfaction 7.3.5 Speci cations and Theories 7.4 Translation of Language into Logic 7.5 Using the Logical Framework 7.5.1 A Hilbert calculus 7.5.2 An invariant calculus 7.6 Concluding Remarks
Stefan Conrad, Jaime Ramos, Gunter Saake, and Cristina Sernadas
Diego Calvanese, Maurizio Lenzerini and Daniele Nardi
References 8 Description Logics for Conceptual Data Modeling
8.1 Introduction 8.2 Description Logics 8.2.1 Syntax and Semantics of the Logic ALCQI 8.2.2 Knowledge Bases in ALCQI 8.3 Semantic Data Models 8.3.1 The Entity-Relationship Model 8.3.2 Formalizing Entity-Relationship Schemata in Description Logics 8.3.3 Extending the Expressiveness of the Modeling Language 8.4 Object-Oriented Data Models 8.4.1 An Object-Oriented Data Model 8.4.2 Formalizing Object-Oriented Schemata in Description Logics 8.4.3 Extending the Expressiveness of the Modeling Language 8.5 Support for Data Modeling 8.5.1 Reasoning Tasks in Data Modeling 8.5.2 Realization of Reasoning 8.6 Conclusions
References 9 Integrity Constraints: Semantics and Applications
Contents
P. Godfrey, J. Grant, J. Gryz, and J. Minker
ix
265 268 272 273 275 278 279 280 281 282 285 285 287 291 293 295 297 299 309 309 311 313 314 316 318 320 324 328 333 336 338 341 341 341 342 343 343 344 345 347
9.1 Introduction 9.2 Background 9.3 Semantics of Integrity Constraints 9.3.1 Examples of What Integrity Constraints can Express 9.3.2 Model Semantics 9.3.3 Extensions to the Basic Model 9.4 Reasoning with Integrity Constraints 9.4.1 Eliminating Integrity Constraints 9.4.2 Model Elimination 9.4.3 Residue Method 9.5 Applications of Integrity Constraints 9.5.1 Semantic Query Optimization 9.5.2 Cooperative Answering 9.5.3 Combining Databases and Resolving Inconsistencies 9.5.4 View Updates 9.5.5 Additional Applications 9.6 Conclusion and Future Directions
References 10 Logical Approaches to Incomplete Information: A Survey

Ron van der Meyden
10.1 Introduction 10.2 Sources of Inde niteness 10.3 A Semantic Framework for Incomplete Databases 10.3.1 The Relational Model 10.3.2 Incomplete Database Semantics 10.3.3 Notions of Query Answer 10.4 Algebraic Models of Nulls 10.5 Logical Databases 10.6 Complexity of Queries 10.7 Negative Information 10.8 Integrity Constraints 10.9 Updates of Incomplete Databases 10.10Other Issues 10.10.1 Inapplicable Attributes 10.10.2 Constraints 10.10.3 Object Oriented Databases 10.10.4 Design of inde nite databases 10.10.5 Dealing with Query Complexity 10.10.6 Modal and Non-standard Logics 10.11Incomplete Information in Current Technology
References

359 359 363 363 364 365 369 369 369 372 374 384 387 391 392 392 392 395 395 396 397 398 398 400 401 402 403 404 406 407 409 409 410 413 414 416 418 425
Laks V.S. Lakshmanan and Krishnaprasad Thirunarayan
11 Declarative Frameworks for Inheritance
11.1 Introduction 11.2 Motivation for Inheritance 11.2.1 The AI Perspective 11.2.2 The OO Perspective 11.3 Main Issues and Problems 11.4 Logic-based Approaches to Inheritance 11.4.1 What can a Logic Do for Inheritance? 11.4.2 Overview of Logics for Inheritance 11.4.3 Overview of ORLog 11.4.4 Overview of Inheritance Theories for Knowledge Representation 11.5 Research Directions
References 12 On Logical Foundations of Active Databases
Georg Lausen and Bertram Ludascher and Wolfgang May
12.1 Introduction 12.2 Basics of Active Rules 12.2.1 Terminology 12.2.2 Fundamental Properties 12.3 Research on Foundations of Active Rules 12.3.1 Production Rules 12.3.2 Declarative Rules 12.3.3 Extending Declarative Rules by States 12.3.4 Further Work 12.3.5 Bibliographic Notes 12.4 A Deductive State-Oriented Core Language 12.4.1 Basic Execution Model 12.4.2 Syntax 12.4.3 Semantics 12.4.4 Transitions, Termination and Transactions 12.4.5 Compile-Time vs. Run-Time Properties 12.5 A Framework for Active Rules 12.5.1 Signature 12.5.2 User-De ned vs. System-De ned Rules 12.5.3 Enforcing Termination 12.5.4 Expressive Power and Normal Forms 12.6 Conclusion
References Index
Contributors
University of Toronto Department of Computer Science 10 King's College Road Toronto, ON Canada M5S 3G4 e-mail: bonner@cs.toronto.edu Department of Mathematics Instituto Superior Tecnico Av. Rovisco Pais 1096 Lisboa Portugal e-mail: ccal@math.ist.utl.pt Dip. di Informatica e Sistemistica Universita` di Roma \La Sapienza" Via Salaria 113, I-00198 Roma, Italy e-mail:calvanese@dis.uniroma1.it Department of Computer Science Monmouth University West Long Branch, NJ 07764 U.S.A. e-mail:
LIST OF CONTRIBUTORS
xi
Anthony Bonner
Germany e-mail: s.conrad@acm.org Abteilung Datenbanken Technische Universitat Braunschweig Postfach 3329 D-38023 Braunschweig Germany e-mail: G.Denker@tu-bs.de
Grit Denker
Carlos Caleiro
Frank Dignum
Diego Calvanese
Technical University Faculty of Mathematics and Computer Science P.O. Box 513 5600 MB Eindhoven e-mail: dignum@win.tue.nl
Hans-Dieter Ehrich
Jan Chomicki
Abteilung Datenbanken Technische Universitat Braunschweig Postfach 3329 D-38023 Braunschweig Germany e-mail: HD.Ehrich@tu-bs.de U.S. Army Research Laboratory 2800 Powder Mill Road Adelphi, Maryland 20783-1197 U.S.A. e-mail: godfrey@arl.mil
chomicki@moncol.monmouth.edu
Parke Godfrey
Stefan Conrad
University of Magdeburg Computer Science Postfach 4120 D-39016 Magdeburg
xii
Universita` di Roma \La Sapienza" Computer and Information Sciences Via Salaria 113, I-00198 Roma, Italy Department e-mail: lenzerini@dis.uniroma1.it Towson University Towson, MD 21252 Bertram Ludascher U.S.A. Universitat Freiburg e-mail:jgrant@towson.edu Institut fur Informatik Am Flughafen 17 Jarek Gryz D-79110 Freiburg Department of Computer Science Germany York University e-mail: ludaesch@informatik. North York, Ontario M3J 1P3 uni-freiburg.de Canada e-mail: jarek@cs.yorku.ca Wolfgang May Universitat Freiburg Michael Kifer Institut fur Informatik Department of Computer Science Am Flughafen 17 SUNY at Stony Brook D-79110 Freiburg Stony Brook, NY 11794-4400 Germany U.S.A. e-mail: may@informatik. e-mail: kifer@cs.sunysb.edu uni-freiburg.de Concordia University Department of Computer Science 1400 De Maisonneuve Boulevard West Montreal, Quebec CANADA H3G 1M8 e-mail: laks@cs.concordia.ca
John Grant
Laks V.S. Lakshmanan
John-Jules Ch. Meyer
Utrecht University Dept of Computer Science Padualaan 14, De Uithof P.O. Box 80089, 3508 TB Utrecht The Netherlands e-mail: jj@cs.ruu.nl Department of Computer Science and UMIACS University of Maryland College Park, MD 20742 U.S.A. e-mail: minker@cs.umd.edu
Georg Lausen
Universitat Freiburg Institut fur Informatik Am Flughafen 17 D-79110 Freiburg Germany e-mail: lausen@informatik.
uni-freiburg.de
Jack Minker
Maurizio Lenzerini
Daniele Nardi
Dip. di Informatica e Sistemistica
Dip. di Informatica e Sistemistica Universita` di Roma \La Sapienza"
LIST OF CONTRIBUTORS
xiii
Via Salaria 113, I-00198 Roma, Italy e-mail: nardi@dis.uniroma1.it Department of Mathematics Instituto Superior Tecnico Av. Rovisco Pais 1096 Lisboa Portugal e-mail: jabr@math.ist.utl.pt
Portugal e-mail: css@math.ist.utl.pt
Jaime Ramos
Krishnaprasad Thirunarayan
Dept. of Computer Science and Engineering Wright State University Dayton, OH 45435. U.S.A. e-mail: tkprasad@cs.wright.edu
Gunter Saake
University of Magdeburg Computer Science Postfach 4120 D-39016 Magdeburg Germany e-mail:
saake@iti.cs.uni-magdeburg.de
University of Toronto Department of Computer Science 10 King's College Road Toronto, ON Canada M5S 3G4 e-mail: david@cs.toronto.edu
David Toman
Department of Mathematics Instituto Superior Tecnico Av. Rovisco Pais 1096 Lisboa Portugal e-mail: acs@math.ist.utl.pt Department of Mathematics Instituto Superior Tecnico Av. Rovisco Pais 1096 Lisboa
Am lcar Sernadas
Ron van der Meyden
Computing Sciences, University of Technology, Sydney Australia e-mail: ron@socs.uts.edu.au
Roel Wieringa
Cristina Sernadas
Free University Faculty of Mathematics and Computer Science De Boelelaan 1081 1081 HV Amsterdam The Netherland e-mail: roelw@cs.vu.nl
LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

Hans-Dieter Ehrich, Carlos Caleiro, Amilcar Sernadas, and Grit Denker
Abstract: This chapter concentrates on a challenging problem of information
system speci cation and design, namely how to cope on a high level of abstraction with concurrent behaviour and communication as implied by distribution. Since distributed information systems are reactive and open systems maintaining data bases and applications, it is crucial to develop high-level speci cation techniques that can cope with data and programs as well as with concurrent work ow and communication issues. Techniques from conceptual modeling, abstract data types, concurrent processes and communication protocols are relevant and have to be combined. In the approach presented here, temporal logic is used for specifying sequential object behaviour, and communication facilities are added for specifying interaction between concurrent objects. We study two distributed temporal logics dealing with communication in two di erent ways. D0 adds basic statements that can only express synchronous \calling" of predicates, while D1 adds much richer facilities for making local statements about other objects in their respective local logics. D0 is more operational and can be animated or implemented more easily, while D1 is intuitively more appealing
167
168
and convenient for modeling and speci cation. We demonstrate by example how D1 can be e ectively reduced to D0 in a sound and complete way.
6.1 INTRODUCTION
In the early phases of information systems development, it is essential to work on a high level of abstraction: careful conceptual modeling and speci cation techniques help making the right design decisions and adapting the system to changing needs. The objective is to give the developer the ability to prescribe the properties of a system, and to predict and check its behaviour by reasoning, simulation and animation based on speci cation, and to give a sound reference basis for testing the implementation. This chapter is about high-level speci cation techniques for distributed information systems, giving due attention to concurrency and communication among sites. While implementation platforms like Corba are evolving to facilitate implementation, little is known about how to set up and specify distributed data and behaviour models in a meaningful way. Information systems are reactive systems with the capability of maintaining and utilizing large amounts of data. A crucial point for speci cation is to choose the right logic|or family of logics. Our approach combines ideas and concepts from the object-oriented systems view, and from the traditions of conceptual modeling, behaviour modeling, abstract data type theory, speci cation of reactive systems, and concurrency theory. It is based on experiences with developing the Oblog family of languages and their semantic foundations that started with SSE87], in particular the Troll and Gnome object speci cation languages. References are given in section 6.7, together with an account of related work. The outline of the paper is as follows. In section 6.2, we introduce basic concepts and ideas by means of an example. In section 6.3, we give an account of the local propositional logic L used for specifying single objects in isolation. In section 6.4, two distributed propositional logics are introduced that add communication facilities to L : D0 adds basic statements that can only express synchronous \calling" of predicates, while D1 adds fancy facilities for making local statements about other objects in their respective local logics. D0 is more operational and can be animated or implemented more easily, while D1 is intuitively more appealing and convenient for modeling and speci cation. In section 6.5, we demonstrate by example how D1 can be e ectively reduced to D0 . Thus, D1 does not have more expressive power than D0 , and D1 speci cations may be automatically translated to D0 descriptions. In section 6.6, we give an extended example drawn from a real application that shows how convenient it
169
is to use D1 . Hints to work related to our approach are compiled in section 6.7. The chapter closes with concluding remarks in section 6.8. D1 is especially useful for modeling object behaviour and work ow involving inter-object communication in distributed information systems. Data modeling is captured as an integral part of object modeling. Our speci cation techniques are also useful for coping with interoperability among heterogeneous information systems, and for integrating legacy systems into new products. We do not envisage, however, to use our logics for querying. No method for using D1 and D0 is described in this chapter, and no tools either for working with the logics. Work is in progress for animating and analyzing Troll speci cations that are based on D0 . We conceive to use D1 for specifying properties of distributed information systems, and to validate the design partly by reasoning about the D1 speci cation, partly by generating test cases for validating the implementation against the speci cation, and partly by translation to D0 and using D0 -based tools for animation, reasoning, model checking, or testing. Reasoning may often be done by hand in a semantic, i.e., traditional mathematical way rather than using proof systems. Proof systems may have their value but this is not our current emphasis. The same holds for attempts to generate implementations from speci cations.
6.2 OVERVIEW
In su ciently abstract view, an information system is a collection of objects operating concurrently and interacting by exchanging messages. An object is an encapsulated unit of structure and behaviour. It has an identity which persists through change. The operations of an object are usually called methods . In the object model of object-oriented programming, a method may change state and deliver a value. This model also underlies object speci cation languages like Foops and Etoile (cf. section 6.7), and it corresponds with the core model of ODMG Cat94]. The object model of some object-oriented databases is more restricted; it separates state-changing proper methods from side-e ect free read methods called attributes ; the latter appear in the extended model of ODMG. This model also underlies Troll, we adopt it here. We illustrate the concept by means of an example, namely state variables in the sense of imperative programming. For speci cation, we use an ad-hoc notation that is close in spirit to Troll and Gnome but uses traditional logic notation instead of any of their concrete syntax.
Example 1 Here is the formal speci cation of a class Var s] of state variables
retaining values of data sort s. Let i be such a state variable. i has an attribute i.val of sort s denoting its current value. It has actions i.alloc for
170
allocating memory, i.e., creating the variable, i.assign(s) for assigning values (i.e., an action i.assign(v) for every value v of sort s), and i.free for giving the variable back to free space, i.e., deleting it. In what follows, we specify the class of state variables, i.e., an unnamed generic state variable with attribute val and actions alloc, assign(s) and free. In the axioms, we use the until temporal operator ' U for expressing that ' holds from now on until holds for the next time. If a is an action symbol, we also use a as a predicate symbol expressing that action a has occurred in arriving at the current state. The notation . a means that action a is enabled, i.e., may occur in a transition from the current state. So the . predicate highlights the \menu" of actions that may be chosen to proceed; . a is a precondition for a to occur. Note that in a state transition caused by action a, . a holds before and a holds after the transition.
class Var s]; attribute val:s; actions alloc; assign(s); free; axioms v,w: s; alloc ) (: .alloc ^ .assign(v) ^ end
.alloc free assign(v) val=v
) :
^ : .assign(v) ^ : .free, U (assign(w) _ free )
.free
) U
free,
The axioms say that (1) after allocation and before deletion, another allocation is disabled but value assignment and deletion are enabled; (2) after deletion, no action is enabled; (3) the value after assignment is retained until the next assignment, or until deletion. Let I = fi; j; : : :g be object identities for naming state variables. Each identity i denotes a variable instance, with attribute i.val and actions i.alloc, i.assign(s) and i.free. Its behaviour is given by the local set of axioms obtained from the ones given above by pre xing by i. the corresponding ones of the instance. For instance, i:(assign(v) ) val=v U (assign(w)_free)) is the third local axiom of variable i. For demonstrating communication, let i and j be two integer variables. We would like to specify that, whenever i is assigned some value n, then j is simultaneously set to 0. Such a situation arises, e.g., when counting sections within chapters; in a new chapter, section counting starts from the beginning.
object system CommunicatingVariables; objects i,j : Var int]; axioms n: int; i.(assign(n) ) j .assign(0))
171
end. The axiom is a local condition for i, it is an instance of action calling that is the basic communication mechanism in Troll and other approaches. In section 6.4, we formalize this idea in the logic D0 . Now consider the following communication. We would like to express that, if i's value is changed, then j is set to 0 some time later . Using the action-calling logic indicated above, we have to introduce new communication actions, say send and receive. The system communication axiom then reads i:(send ) j:receive): In the class axioms, we have to relate the send and receive actions to value assignment. We discuss three possibilities to make the above idea precise, depending on when communication should take place. F is the temporal sometime in the future operator. 1 assign(n) ) send , receive ) F assign(0) 2 assign(n) ) F send , receive ) assign(0) 3 assign(n) ) F send , receive ) F assign(0) In the rst solution, communication takes place immediately when the new value is assigned to i; some time later, 0 is assigned to j . In the second solution, communication takes place some time after the new value is assigned to i; immediately at communication time, 0 is assigned to j . In the third solution, communication takes place some time after the new value is assigned to i; some time later, 0 is assigned to j . Of course, the last version covers the other two. In either case, communication is synchronous. In the fancier logic D1 to be described in section 6.4, the situation may be described without introducing extra communication actions send and receive, and with only one axiom for replacing two of the above.
1 i:(assign(n) ) j: F assign(0)) 2 i:(assign(n) ) F j:assign(0)) 3 i:(assign(n) ) F j: F assign(0)) D1 is able to talk about communication in an implicit way, without having to recur to explicit communication actions. In section 6.5, we show that D1 can be e ectively reduced to D0 ; explicit communication actions are introduced systematically in the reduction process from D1 to D0 . This is useful for translating D1 speci cations to more operational D0 speci cations for which analysis and animation tools are easier to implement.
172
Note that all communications mentioned so far are synchronous. Asynchronous communication may be modeled by letting a message be an object that synchronizes with the sender when sent, and with the receiver when received. It is also possible to make asynchronous communication a primitive concept and treat synchronous communication as a special case.
6.3 LOCAL LOGIC L
The syntax of an object speci cation is given by its attribute and action symbols, giving rise to state predicates saying which attributes have which values, which actions have occurred, which actions are enabled, etc. We abstract from details and assume that some set of state predicates is given.
De nition 2 An object signature P is a denumerable set whose elements are called state predicates. An object speci cation Ospec = (P; ) consists of an object signature P and a set of formulae called behaviour axioms.
For the behaviour axioms, we may choose among a wide variety of object logics. Our choice is a propositional temporal logic that goes a little beyond linear time and o ers a weak kind of branching expressiveness via the may operator M . M ' expresses that ' may hold, i.e., ' holds in some state that may have been reached from the previous state, including the current one. So a formula ' may only hold if M ' holds, i.e., we always have ' ) M '. The M operator is useful, among others, for de ning action enabling, cf. example 1: an action is enabled i it may have happened in the next state, formally . a , X M a, where X is the temporal next operator. For the sake of conciseness, we concentrate on future-directed temporal operators. The corresponding past-directed ones o er more speci cation convenience but do not increase speci cation power LS95].
De nition 3 The syntax of L is given by L ::= P j false j (L ) L ) j (L U L ) j ( M L )

The predicates in P are exible , i.e., we intend to give them time-dependent meanings. The other symbols are rigid , i.e., we intend to give them time-independent meanings. false is the usual logical constant, ) denotes logical implication, U is the until temporal operator, and M is the may temporal operator. ' U means that ' will always be true from the next moment on until becomes true for the next time; ' need not be true any more as soon as holds; must eventually become true. M ' means that ' may be true in the sense that it is
173
true in the current state or an alternative state that might have been entered from the previous state. As usual, we introduce derived connectives, e.g., : ' for ' ) false, true for : false, ' _ for : ' ) , etc. We also make use of derived temporal operators like X ' for false U ' expressing next , F ' for ' _ true U ' expressing sometime , G ' for :(F (: ')) expressing always , and ' U for ' ^ ' U expressing from now on : : : until : : : As suggested by action enabling, we may introduce a general form of formula enabling by de ning that . ' holds i X M ' holds. Furthermore, we apply the usual rules for omitting brackets. For interpreting L , we need a model of sequential computation that smoothly extends to a full model of concurrency. Our choice is based on the simple fact that the execution of an object's sequential program leads to a nite or in nite sequence of events. Events are occurrences of actions that change the object's state. At each state, the execution may proceed in several ways. So the set of all possible executions has a natural branching or tree structure. Allowing for several start states, we arrive at a set of trees: a forest or grove . The nodes are events, and the edges represent sequencing: e1 ! e2 means that event e1 occurs immediately before event e2 . Another way to put it is that e1 is a precondition for e2 . The model we envisage may be described as an unfolded state transition system. Let Ev be a set of elements called events, and let ! be a binary relation on Ev .
De nition 4 An event grove is an acyclic graph G = (Ev; !) such that, for all events e ; e 2 Ev, if there is an event e 2 Ev such that e ! e and e ! e , then e ! e or e ! e . A trace in G is a backward-closed totally ordered set T Ev i.e., e 2 T and e0 ! e imply e0 2 T . The set of traces in G is denoted by T (G). A life cycle in G is a maximal trace in G in the sense that it is not properly contained in another trace. The set of life cycles in G is denoted by L(G).
1 2 3 1 3 2 3 1 2 2 1
As a graph, an event grove is a set of rooted trees. A trace is a linear path starting from a root. A life cycle is a trace that is in nite or ends at a leaf. Traces are pre xes of life cycles. For those who are familiar with event structures as a model of concurrency Win87; WN95], we note that an event grove G = (Ev; !) determines a prime event structure E (G) = (Ev; ! ; #) in a canonical way: causality is given by the re exive and transitive closure ! of !, and all causally unrelated events are in con ict. Thus, the concurrency relation is empty|which is equivalent to saying that E (G) is sequential.
174
Event groves may also be seen as Kripke structures, the standard interpretation structures for modal logics. If G = (Ev; !) is an event grove, then Ev is the set of possible worlds, ! is an accessibility relation corresponding to next , and the re exive and transitive closure ! is an accessibility relation corresponding to eventually . In order to provide for interpretation structures, each event is labelled by an object state represented by the set of propositions that hold true at that state.
De nition 5 Let G = (Ev; !) be an event grove and P an object signature. A labelling for G is a total function : Ev ! 2P .
Our denotational models for objects and object classes are labelled event groves. In fact, at this level of abstraction, there is no di erence between an object instance and an object class: an object is an isomorphic copy of its class. In order to emphasize the abstract view, we speak of object behaviours as generalizations of objects and classes.
De nition 6 An object behaviour is a labelled event grove, i.e., a triple B = (G; ; P ) where G = (Ev; !) is an event grove, and : Ev ! 2P is a labelling for G.
Formulae of the local logic L are interpreted at events in object life cycles.
De nition 7 Let B = (G; ; P ) be an object behaviour and L 2 L(G) a life cycle in G. Let e 2 L be an event and p 2 P a state predicate.
The satisfaction relation
B; L; e B; L; e B; L; e B; L; e p
is inductively de ned as follows.
i p 2 (e); false does not hold; (' ) ) i B; L; e ' implies B; L; e ; (' U ) i there is a future event e0 2 L, e !+ e0, where B; L; e0 , and B; L; e00 ' for every event e00 2 L such that e !+ e00 !+ e0 ; B; L; e ( M ') i B; L; e ' or there are a previous event e0 2 L, e0 ! e, a life cycle L0 in G such that e0 2 L0 , and a successor event e00 2 L0 , e0 ! e00 , where B; L0 ; e00 '.
Note that the last rule is not redundant: M ' must be true at the beginning of a life cycle if ' is true there, otherwise the intended tautology ' ) M ' would not hold there.
175
Note that, given an object behaviour B , a formula ' may be true in a life cycle L at an event e but may be not true in another life cycle L0 at the same event e. By the abbreviations introduced above, we may derive satisfaction conditions for other connectives and temporal operators, e.g., B; L; e (X ') holds i there is a next event e0 2 L, e ! e0 , where B; L; e0 ' holds. A formula ' is said to be valid in life cycle L in B , in symbols B; L ', i B; L; e ' holds for all events e in L. We cannot elaborate on the semantics of object speci cation. Roughly speaking, given an object speci cation Ospec = (P; ) and an object behaviour B = (G; ; P ), the semantics of Ospec is given by the substructure Ospec] B consisting of all life cycles in B in which all axioms in are valid. The question is how to de ne a canonical object behaviour B from the speci cation. The interested reader may nd some hints in ES95]. A system is a collection of interacting objects. In what follows, we assume that we have a xed nite set of objects, represented by their identities I = f1; : : : ; ng. In order to emphasize distribution of objects, the identities in I are also called localities . Each object i 2 I has its own local logic Li with its own local set of state predicates Pi .
6.4 DISTRIBUTED LOGICS
De nition 8 A system signature is a pair P = (I; P ) such that P = fP ; : : : ; Pn g is an I -indexed family of sets of local state predicates. A system speci cation Sspec = (P ; ) consists of a system signature P and a set of formulae in a distributed logic.
1
In this section, we introduce two distributed logics, D0 o ering only poor communication facilities but being operational, and D1 o ering fancy facilities for expressing communication in an implicit way. Both logics are propositional. For interpreting both logics, distributed event groves provide suitable structures. Informally speaking, a distributed event grove is a family of event groves that may share events, i.e., the local event sets need not be disjoint. This is our denotational system model.
De nition 9 Let I and Ev be given sets of identities and (global) events, respectively. A distributed event grove over I is an I -indexed family G = fG ; : : : ; Gn g where Gi = (Evi ; !i ) is an event grove, and Evi Ev for every i 2 I .
1
176
For readers familiar with event structures Win87; WN95], we note that a distributed event grove may be considered as aS presentation of a prime event structure E (G) = (Ev; ! ; #) where Ev = i2I Evi , ! is the re S S exive and transitive closure of != i2I !i , and con ict is given by # = i2I #i where #i is the con ict relation at locality i. Thus, any two events at di erent localities that are not in causal relationship are concurrent. Note that E (G) is in general not sequential but truly concurrent. In fact, any labelled prime event structure can be presented as a distributed event grove. De nition 10 Let G = fG1; : : : ; Gng be a distributed event grove over I . A distributed trace in G is a set T Ev such that Ti = fe 2 T j e 2 Evi g is a trace in Gi for every i 2 I . A distributed life cycle in G is a set L Ev such that Li = fe 2 L j e 2 Evi g is a life cycle in Gi for every i 2 I . Intuitively, a distributed trace is a web of local traces glued together at interaction events. The same holds for distributed life cycles. A distributed life cycle is a maximal distributed trace in the sense that it is not properly contained in another distributed trace. Our denotational model for an object system is a labelled distributed event grove called system behaviour. De nition 11 A system behaviour over P is a triple B = (G; ; P ) where G = fG1 ; : : : ; Gn g is a distributed event grove over I , and = f 1 ; : : : ; n g is an I -indexed family of labellings such that Bi = (Gi ; i ; Pi ) is an object behaviour for every i 2 I . Note that shared events have several labels, one for each object sharing the event. Interpretation structures for both D0 and D1 are pairs (B; L) where B = (G; ; P ) is a system behaviour and L 2 L(G) is a distributed life cycle in G. Let P = (I; P ) be a system signature, P = fP1 ; : : : ; Pn g. In each of the local sets of state predicates Pi , we distinguish a subset Ci Pi of communication predicates . The intuitive meaning is that communication predicates are \visible by other objects". For instance, in the Troll and Gnome languages, an action occurrence may have a global e ect by calling an action in another object, whereas action enablings and values of attributes are not seen by other objects. De nition 12 The syntax of D0 is given by n D0 ::= D1 0 j : : : j D0
Distributed logic D
177
For each object i 2 I , we have i i Di 0 ::= i:L0 j i:CC0 i i i i i Li 0 ::= @I j Pi j false j (L0 ) L0 ) j (L0 U L0 ) j ( M L0 ) CCi 0 ::= (Ci ) 1:C1 ) j : : : j (Ci ) n:Cn )
localities, and the only formulae across localities are action callings. The predicates @I in the local logics need explanation. The intuitive meaning of i:@j is that i \talks to" j , i.e., i synchronizes with j and shares an event with j . This expresses that there is some communication, as opposed to the speci c communications described by the communication formulae: i:(c ) j:c0 ) says that whenever c is true for i, then i synchronizes with j at an event where c0 is true for j . Here are the formal details. De nition 13 Let I be a set of object identities, B = (G; ; P ) a system behaviour with local behaviours Bi = (Gi ; i ; Pi ), i 2 I , and L 2 L(G) a distributed life cycle in G with local life cycles Li L, i 2 I . Let e 2 L be an event, p 2 P a state predicate, i; j 2 I identities, and c 2 Ci , c0 2 Cj communication predicates. The satisfaction relation 0 for D0 is de ned by B; L 0 i:' i B; L; e i 0 ' holds for every e 2 Li . i For each i 2 I , the relation 0 is inductively de ned as follows B; L; e i i e 2 Lj ; 0 @j B; L; e i p i p 2 i (e); 0 B; L; e i false does not hold; 0 i i B; L; e 0 (' ) ) i B; L; e i ; 0 ' implies B; L; e 0 i 0 0 B; L; e 0 (' U ) i there is a future event e 2 Li , e !+ i e, i i 0 00 where B; L; e 0 , and B; L; e 0 ' + 0 00 for every event e00 2 Li such that e !+ i e !i e ; i i B; L; e 0 ( M ') i B; L; e 0 ' or there are a previous event e0 2 Li , e0 !i e, a distributed life cycle L0 in G such that e0 2 L0 , and a successor event e00 2 L0i , e0 !i e00 , where B; L0 ; e00 i 0 '; i i 0 0 B; L; e 0 (c ) j:c ) i B; L; e 0 c implies e 2 Evj and B; L; e j 0 c . Except for the rst and last rules, local satisfaction i0 of D0 formulae in distributed life cycles is de ned the same way as satisfaction of L in local life cycles, cf. de nition 7: just replace there by i0 .
Di 0 is the logic at locality i with callings to other localities. This is the operational distributed logic underlying Troll3: local axioms are labelled by
178
The rst rule de nes the locality predicate @j that has been intuitively explained above: communication is modelled by shared events. The last rule formalizes the basic communication mechanism of \predicate calling": i:(c ) j:c0 ) holds i validity of c in i at event e implies validity of c0 in j at the same shared event e. Example 1 in section 6.2 illustrates the use of D0 :
i:(assign(n) ) j:assign(0))
means that if value n is assigned to variable i, then value 0 is assigned to variable j at the same time. More examples of D0 formulae are given in the next section. For D1 , no special communication predicates are introduced because all local formulae of an object are \visible by other objects". The idea is that local statements about another object in the local language of the latter can be made in any object.
Distributed logic D
De nition 14 The syntax of D is given by D ::= D j : : : j Dn For each object i 2 I , we have

1 1 1 1 1
i Di 1 ::= i:L1 i i i Li 1 ::= Pi j false j (L0 ) L0 ) j (L0 CC1 ::= D1
U Li ) j ( M Li ) j CC
0 0
Di 1 is the logic at locality i which allows for local statements about any other locality j in its local logic Dj 1 . Note that D1 does not have an explicit locality predicate, it is de nable by @i i i: true. Taking this into account, every D0 formula is a D1 formula, i.e., D0 is a sublogic of D1 , D0 D1 .
De nition 15 Let I be a set of object identities, B = (G; ; P ) a system behaviour with local behaviours Bi = (Gi ; i ; Pi ), and L 2 L(G) a distributed life cycle in G with local life cycles Li L. Let e 2 L be an event, p 2 P a state predicate, and i; j 2 I identities.
for D1 is de ned by B; L 1 i:' i B; L; e i 1 ' holds for every e 2 Li . For each i 2 I , the relation i 1 is inductively de ned as follows B; L; e i i p 2 i (e); 1 p
1
The satisfaction relation

B; L; e B; L; e B; L; e B; L; e
i
1
179
false 1 (' ) ) i ) 1 (' U

i i
1
( M ')
j:'
B; L; e
does not hold; i i B; L; e i ; 1 ' implies B; L; e 1 0 0 i there is a future event e 2 Li , e !+ i e, i i 0 00 where B; L; e 1 , and B; L; e 1 ' + 0 00 for every event e00 2 Li such that e !+ i e !i e ; i i B; L; e 1 ' or there are a previous event e0 2 Li , e0 !i e, a distributed life cycle L0 in G such that e0 2 L0 , and a successor event e00 2 L0i , e0 !i e00 , where B; L0 ; e00 i 1 '; i e 2 Evj and B; L; e j 1 '.
Local satisfaction i1 of D1 formulae in distributed life cycles is de ned in the same way as satisfaction of L in local life cycles, cf. de nition 7: just replace there by i1 to obtain the rst ve of the above rules. So these rules also correspond closely with D0 satisfaction, i.e., rules two to six in de nition 13. The last rule de nes all the convenience that D1 o ers, namely to include arbitrary statements about other objects. These statements may refer to other objects in turn, i.e., references to other objects may be nested in an arbitrary way. The following examples demonstrate some of the convenience to express communication patterns; we give D1 formulae along with informal natural language translations where the time unit for the temporal next operator is assumed to be one day.
Example 16 Let i; u; j 2 I (\I, you, Jim").

i:( @ u ^ u.X ') i:u.X '
I talk to you and you tell me that you expect ' tomorrow. you tell me that you expect ' tomorrow (equivalent to previous one). i:(@u ^ u.X @ j ) I talk to you and you tell me that you will contact Jim tomorrow. i:u.X @ j you tell me that you will contact Jim tomorrow (equivalent to previous one). i: G ( @ u ) X ') whenever I talk to you, I have ' the next day. i:(' ) X @ u) if ' holds, then I talk to you the next day. i:(' ) u.X ) if ' holds, then you tell me that will hold for you tomorrow. i: X u.F ' tomorrow you will tell me that you will sometime enjoy '.
180

i:( @ u ^ u: X ')
That the rst two formulae have the same meaning can be derived as follows.
, i:(u:true ^ u: X ') ,
i:u:(true ^ X ')
i:u: X '
A similar argument demonstrates equivalence of the third and fourth formulae. We show by a more elaborate and illustrative example that D1 can deal with intricate high level interaction requirements in a rather simple way. We then illustrate how any D1 speci cation can be translated into an equivalent D0 speci cation. The details as well as a proof of soundness and completeness can be found in CE98].
receiver (r) such that
6.5 REDUCTION
Example 17 Consider a system consisting of two objects,
sender (s) and
(1) sender has an attribute val which determines the value v it may send; (2) receiver has an attribute var which is updated with the value v received; (3) if sender sends a value v, then v will eventually be communicated to receiver who will then eventually receive v; (4) if receiver receives v, then it will eventually communicate to sender an acknowledgment of receipt. Concentrating on interactions between sender and receiver, the situation is illustrated in gure 6.1.
sender receiver

receive(v) send(v) ackn(v)
O /
Figure 6.1 Communication between sender and receiver.
The system signature is P = (fs; rg; fPs ; Pr g) where the sender and receiver parts are given as follows. V is a given set of values.
sender receiver
Ps ::= send(V ) j ackn(V ) j val = V Pr ::= receive(V ) j var := V
Here is a D1 speci cation of the system.
181
s11 s:(val = v ^ val = w) ) v = w, for any v; w 2 V ; s12 s:(. send(v) ) val = v), for each v 2 V ; s13 s:(send(v) ) (F r:(F receive(v)))), for each v 2 V ; Axiom s11 says that the sender's value is unique; axiom s12 is an enabling condition: only the current value may be sent; axiom s13 speci es that the actual communication takes place sometime between the sender's send action and the receiver's receive action. receiver behaviour r11 r:(var := v ^ var := w) ) v = w, for any v; w 2 V ; r12 r:(receive(v) ) var := v), for each v 2 V ; r13 r:(receive(v) ) (F s:ackn(v))), for each v 2 V . Axiom r11 says that only one value may be assigned at a time; axiom r12 says that value v is assigned to var as soon as it is received; axiom r13 says that on receiving v, the receiver expects a communication with the sender acknowledging receipt of v. The situation is illustrated in gure 6.1. It is easy to see that the axioms entail s:(send(v) ) (F ackn(v))), i.e., when sending a value, sender will receive an acknowledgment some time later. Note that this style of interaction speci cation does not mention the communication actions explicitly. Now we show that such communication patterns are speci able in D0 action calling style. In fact, introducing new action symbols c1(v) and c2(v), corresponding with the two communication points identi ed in gure 6.1, we arrive at the following speci cation. The idea is to introduce new communication predicates to both objects and use them to specify the communication pattern explicitly, cf. gure 6.2. From
s:(send(v ) ) (F r:(F receive(v ))));
sender behaviour
by introducing the new communication predicate c1 (v) for r:(F receive(v)), we obtain
s:(send(v ) ) (F c1 (v ))), s:(c1 (v ) ) r:c1 (v )), r:(c1 (v ) ) s:c1 (v )), r:(c1 (v ) , (@s ^ (F receive(v )))).
The second and third formulae ensure that c1 (v) expresses a communication. More precisely, for each value v, there are two communication actions s:c1 (v)
182
sender

send(v)
c1(v)
c2(v) ackn(v)
O
c1(v) receive(v) c2(v)
/ /
receiver
Figure 6.2 Communication between enriched sender and receiver.
and r:c1 (v) but only one kind of communication event when both happen together. This expresses synchronous \handshaking" communication. The last formula makes precise that c1 (v) stands for subformula r:(F receive(v)) in the context of an s-formula. Note that the @s term is necessary here: without it, the formula would describe unintended behaviour where permanent c1 (v) communication has to hold all the time until receive(v) eventually happens. Analogously, from r:(receive(v ) ) (F s:ackn(v ))); by introducing the new communication predicate c2 (v) for s:ackn(v), we obtain r:(receive(v ) ) (F c2 (v ))), r:(c2 (v ) ) s:c2 (v )), s:(c2 (v ) ) r:c2 (v )), s:(c2 (v ) , (@r ^ ackn(v ))). The system signature is P = (fs; rg; fPs Cs ; Pr Cr g) where the communication predicates are given as follows.
sender receiver
Cs ::= c1 (V ) j c2 (V ); Cr ::= c1 (V ) j c2 (V ).
Summing up what has been discussed above, and integrating the unchanged parts of the D1 speci cation, the D0 speci cation of the system is as follows. s01 s:(val = v ^ val = w) ) v = w, for any v; w 2 V ; s02 s:(. send(v) ) val = v), for each v 2 V ; s03 s:(send(v) ) (F c1 (v))), for each v 2 V ; s04 s:(c2 (v) , (@r ^ ackn(v))), for each v 2 V ; sender calls s05 s:(c1 (v) ) r:c1 (v)), for each v 2 V ;
sender local behaviour
183
s06 s:(c2 (v) ) r:c2 (v)), for each v 2 V ; receiver behaviour r01 r:(var := v ^ var := w) ) v = w, for any v; w 2 V ; r02 r:(receive(v) ) var := v), for each v 2 V ; r03 r:(receive(v) ) (F c2 (v))), for each v 2 V ; r04 r:(c1 (v) , (@s ^ (F receive(v)))), for each v 2 V ; receiver calls r05 r:(c1 (v) ) s:c1 (v)), for each v 2 V ; r06 r:(c2 (v) ) s:c2 (v)), for each v 2 V . The idea is quite general: for both sender and receiver, the rst three D0 behaviour axioms result from uniformly replacing subformulae of another locality in the D1 axioms by explicit communication symbols. Axioms s04 and r04 give de nitions for these new symbols. Note that communication symbols are introduced pairwise, one for each of the two communicating objects. Each pair of new communication symbols is synchronized by de ning mutual calling in the sender and receiver calls axiom pairs s05-r05 and s06-r06. The reader is invited to convince himself that axioms s01 to s06 and r01 to r06 indeed entail s:(send(v) ) (F ackn(v))).
By repeatedly applying steps as suggested by the example, we obtain a D0 speci cation from any D1 speci cation. Therefore, although D1 looks more powerful than D0 at rst glance, this is not really true. Indeed, D1 and D0 have the same expressive power. Let # : D1 ! D0 be the translation outlined above. We extend # to system signatures: #(P ) denotes the system signature obtained from P by adding the extra communication predicates as introduced in the translation process. Let (P ; ) be a D1 system speci cation and ' 2 D1 . Let 1 denote logical entailment: (P ; ) 1 ' means that ' holds in every system behaviour over signature P that satis es all formulae in . The main result is that # : D1 ! D0 is a sound and complete reduction. More precisely, we have the following.
Theorem 18 With the items as de ned above, we have

(P ; )
1
' i
(#(P ); #( ))
':
The if part formalizes soundness, and the only-if part formalizes completeness. The reader is referred to CE98] for a detailed account of the reduction
184
and a full worked proof. Note that the formula ' is not translated and entailment is in D1 throughout. Here we use the fact that D0 D1 . Theorem 18 is a corollary of the fact that the reduction from D0 to D1 ful ls the condition of a simple map of logics Mes92] whose semantic translation is a natural isomorphism.
6.6 EXTENDED EXAMPLE
The example is about business process modeling and is extracted from a national German project in which the rst and last authors are involved. A brief description of this real-life project is necessary in order to get a feeling how useful D1 is. In this project, an information system is being designed and implemented using formal object-oriented techniques from the very beginning (see KKH+96; HDK+ 97]). The project is located in the area of computer-aided testing and certifying (CATC) of physical devices. The objective of the information system is to support the various activities of user groups in the PTB (Physikalisch Technische Bundesanstalt) in Braunschweig, the German federal institute of weights and measures. This application is distributed in a natural way because it involves several persons acting concurrently and communicating with each other. About 100 employees will use the system. Thus, the complexity of the organization and the system that is supposed to support this organization is rather high. In order to understand the complex communication structure between the persons involved in the overall business process, we have to build an abstract model of the data ow and the work ow. In what follows, we brie y introduce the problem domain and then turn to a formal speci cation of the work ow and communication patterns between the persons. We use D1 as our speci cation logic. The project is a cooperation with group 3.5 within PTB, named `explosion protected electrical equipment'. This group is concerned with testing and certifying explosion proof electrical equipment such as motors, switches, etc., so that it is allowed to be operated in hazardous areas. The assessment procedure consists of testing the formal and informal documents, checking the design papers (mostly technical drawings), and the tests which are carried out. The group is divided into three subgroups dealing with experimental tests in the laboratories, basic administration work, and design approval, respectively (cf. gure 6.3). Clients contact group 3.5 and ask for the certi cation of a speci c electrical device. Such an application triggers a business process in group 3.5 which involves people from all subgroups. The overall procedure is established due to certain communication constraints. Administration employees talk to peo-
185
Experimental Test - test procedures - test reports
Basic administration - submission of data - granting of certificate - fees of the test
Design approval - conformity with Standards
PTB/ GROUP 3.5
CLIENT
Figure 6.3 Communication structure inside of group 3.5 and with client
ple from both other subgroups, employees in the laboratory and o cers in charge of the design approval. They also communicate with the client when a certi cation query is issued to group 3.5. In some cases, employees from the design approval subgroup directly contact the client to ask for missing formal documents, technical drawings, etc. Figure 6.3 gives an overview of the communication relations. In particular, the following actions take place during the business process of certifying an electrical device. A client may request the certi cation of an electrical device (cert-req). This implies that the administration o cer orders sometime later appropriate tests at the laboratories (test-ord) and design approvals (appr-ord). The corresponding subgroups answer these queries by returning the results of the tests (test-res(b)) and design approvals (appr-res(b)), respectively. Depending on the results, the administration o cer decides whether a certi cate is issued (cert-dec). Often it is the case that some formal documents are missing. In such a case the design approval o cer clari es the situation by asking the client for the missing papers (clar-req). The approval o cer informs the administration in doing so. No tests will be carried out as long as the design approval papers are not complete. The approval o cer informs the administration o cer about the completeness of the application papers (comp-res(b)). The business process is formalized using D1 in the following way. The system consists of four objects, a CLIENT (c), an ADMINISTRATION o cer (a), a
186
LABORATORY o cer (l), and a DESIGN APPROVAL o cer (d). Thus, the
obvious system signature is
P ::= (fc; a; l; dg; fPc; Pa ; Pl ; Pd g):
The sets of local state predicates are given as follows. Let b be a boolean variable, i.e., b 2 ftrue; falseg.
CLIENT ADMINISTRATION LABORATORY DESIGN APPROVAL
Pc ::= cert-req Pa ::= test-ord j appr-ord j cert-dec(b) j dec=b j
answers=0 j answers=1 j answers=2 Pl ::= test-res(b) Pd ::= clar-req j comp-res(b) j appr-res(b)
The administration o cer has an attribute dec which determines the certi cation decision made by him. Moreover, he has an attribute answers to store how many results he already received. I.e., this attribute determines whether both laboratory and design approval o cers delivered their results to him (answers= 2), only one of them (answers= 1), or none (answers= 0). The system speci cation is Sspec = (P; ) where = f i gi2I is given as follows.
client behaviour
c1 c:(cert-req ) (F a:cert-dec(b))), for some b 2 B .
If the client asks for certifying an item, then the administration o cer will eventually communicate the decision of the procedure to the client.
administration behaviour a1 a:(test-ord ) (F l:test-res(b))), for any b 2 B ;
a2 a3 a4 a5 a6
a:((: test-ord) U d:comp-res(true)); a:((: cert-dec(b)) U (d:appr-res(b ))), for any b; b 2 B ; a:((: cert-dec(b)) U (l:test-res(b ))), for any b; b 2 B ; a:((c:cert-req) ) (dec = true ^ answers = 0)); a:((l:test-res(b)) ) ((dec = dec ^ b) ^ (answers = answers + 1))), for any b 2 B ; a7 a:((d:appr-res(b)) ) ((dec = dec ^ b) ^ (answers = answers + 1))), for any b 2 B ; a8 a:((answers = 2) ) (F cert-dec(dec))); a9 a:((: cert-dec(b)) U (answers = 2)), for any b 2 B ;
0 0 0 0

00 00 0
187
a10 a:((answers = n ^ dec = b ) ) ((answers = n ^ dec = b ) U (l:test-res(b ) _ d:appr-res(b)))), for any b; b ; b 2 B ; The rst two axioms assure that the administration o cer will get a result from the laboratory after he ordered tests, but those tests cannot be carried out unless the design approval o cer reported completeness of the application papers. A decision about the application cannot be made until both results, from design approval and laboratory, have been given (a3 and a4). The fth axiom assures that the attributes have the right initialization values. a6 and a7 formalize which e ects the results from laboratory or design approval, respectively, have on attributes answers and dec. They are abbreviations of syntactically correct D1 formulae. E.g., formula a6 is an abbreviation of the following D1 formula : a:((dec = b ^ answers = n) ) (X (l:test-res(b) ) (dec = b ^ b) ^ answers = n + 1))): Axioms a8 and a9 state that the administration o cer will eventually make the decision after he received all results, but not earlier. The last axiom expresses that only the results from the laboratory or the design approval can change the decision. Thus, only two actions can change the value of that attribute. We assume overall frame axioms like, e.g., attributes can only be altered if an action takes place. design approval behaviour d1 d:(appr-res(b) ) G :clar-req), for any b 2 B ; d2 d:(clar-req ) @a). The design approval o cer cannot ask for a clari cation request after he decided the approval procedure. If a clari cation request is necessary, he has to \inform" the administration o cer. By \inform" we mean that there will be a communication between the approval o cer and the administration o cer as stated in axiom d2. Given this speci cation, it can be shown, e.g., that a client will not be contacted by a design approval o cer for a clari cation after he has received the certi cation decision from the administration o cer, c:(:(a:cert-dec(b) ^ F d:clar-req)):
0 00 0 0
Information systems modeling and design above the abstraction level of relational databases was largely in uenced by the Entity-Relationship approach
6.7 RELATED WORK
188
originated by Chen Che76], and the study of aggregation and generalization structures by Smith and Smith SS77]. These ideas found their way into many semantic data models, among them quite a few extensions of the ER model. An excellent recent overview of systems development methods, albeit with an emphasis on requirements engineering, is Wie96]. Recently there has been considerable activity in the area of object-oriented analysis, modeling and design. The Booch Boo94], OMT RBP+ 91] and OOSE methods Jac92] merged into the universal modeling language UML FS97] that has been submitted to the Object Management Group to be considered as a standard. Another successful OO analysis method is Fusion CAB+ 94]. These methods are informal or semiformal at best. However, they come along with methodological guidelines and graphical notations. They help to make formal languages t for use, so they do have their bene ts in early modeling and design stages. But they are too unprecise and ambiguous when it comes to animation, veri cation and forecasting of system properties, and when it comes to generating test cases or even implementations from speci cations. And they are limited in scope: concurrency and communication issues are not explicitly treated in these methods. Among the logic-based formal methods, the work reported here is based on experiences with developing the Oblog family of languages and their semantic foundations. Oblog is being developed into a commercial product Esp93]. In the academic realm, there are several related developments: Troll HSJ+ 94; JSHS96; SJH93; SHJE94; HJ95; EH96; Har97], Gnome SR94], Lcm FW93] and Albert DDPW94]. There are other approaches to formal object speci cation with a sound theoretical basis. The ones most closely related to ours are Foops GM87; RS92; GS95] and Maude Mes93]. Foops is based on Obj3 GW88] which is in turn based on equational logic. Maude is based on rewriting logic that is a uniform model of concurrency Mes92]. Other language projects working on related ideas are Ooze AG91] and Etoile AB95]. In the Oblog family, Troll3 EH96; Har97] is the rst to address problems of concurrency and communication, and to integrate bene ts from the informal methods mentioned above. So there is a graphical notation for Troll3 called omTroll that adopts elements from OMT JWH+ 94]. Theoretical foundations of concurrency as applied to this approach have been explored in ES95; Ehr97]. EH96] gives a brief overview of Troll3 and omTroll and their logic foundations. In order to model the sequential behavior of objects and the concurrent behavior of object systems, many models of concurrency may be adopted, see WN95] for an excellent overview. Our model for denotational semantics is based on labelled event structures because they provide an abstract, powerful
189
and elegant approach. The relationship between event structures and other models of concurrency like labelled transition systems and Petri nets is well investigated WN95]. Two major approaches have been advocated for specifying and reasoning about concurrent and distributed systems. On one hand, there was a systematic study of the relations and equivalences between behaviours of systems that started in Mil80] and was subsequently pursued by many people working in process algebra BK84; Hoa85; HM85; BW90; vG90]. On the other hand, the use of modal logics Gol92] for characterizing properties of systems has evolved from the early works of Floyd Flo67] and Hoare Hoa69] on reasoning about programs. Among them we stress dynamic logics FL79; Har79; Pel87], temporal logics Pnu77] and, more recently, logics of knowledge HM90; HZ92]. The distributed logics de ned in this paper are based on temporal logic and an extension towards concurrency called n-agent logic. Temporal logic has been succesfully applied to a number of reactive systems speci cation problems MP92], it is the simplest logic that can not only deal with safety properties but also with liveness properties Lam77]. n-agent logic was introduced and developed in LT87; LMRT91; LRT92; Thi94; Ram96]. An agent corresponds to an object that may be thought of as a site in a distributed system. There are several distinct approaches to reasoning about concurrency within the framework of temporal logic. The rst and simplest accepts the naive view of a concurrent system modelled by nondeterministic interleaving together with adequate assumptions of fairness GPSS80; Fra86] on the execution of its components. The use of branching temporal logics like UB BAMP81], CTL CE81] or CTL EH83] and even of linear temporal logic for such purposes has been deeply studied Pnu77; MP92; Wol95; Pen95]. In particular, most of the work on temporal logics for information systems and object orientation we rely on has been developed in this setting (e.g. Ser80; SFSE89; FSMS91; FM92; SCS94; SSC95; SSR96]). However, certain \subtleties" of concurrent systems are lost under such simpli cations (see, for instance, Pra86] for a discussion on the subject). The need for a precise notion of causality as re ected by the time structures adopted for the logics led to the study of partial order temporal logics PW84; KP87; Pen95]. The basic di erence is that the assumption of an omnipresent observer of the entire system being considered is dropped and replaced by a local causal perspective. It is the case of the logics for partially ordered computations introduced by Pinter and Wolper PW84], of interleaving set temporal logics KP87] and of temporal logics for reasoning about distributed transition systems LPRT95], systems with product state spaces Thi95], occurrence nets Rei92] and event structures Pen88].
190
n-agent temporal logics can be found within the latter. They adopt event structures Win87] enriched with information about its sequential agents LT87] as models of concurrent systems. This approach already complies with the fact that the view each individual agent may have of the whole distributed system at a particular instant in time is partially due to the relative autonomy and spatial separation between agents, and has to be supported by communication LRT92]. n-agent logics can explicitly distinguish sequential agents (localities) in the system, refer to the local viewpoint of each agent, and express communication between agents (the major feature of distribution) LT87; LRT92; Ram96]. Several versions of n-agent logics can be found, still re ecting di erent perspectives on how non-local information can be accessed by each agent Ram96]. The logics D0 and D1 we propose assume that an assertion about another agent is only possible at a communication point. But for instance, the logics in LMRT91] assume that, at each instant, the actual information about another agent is the one corresponding to the last communication with it. These have already been addressed in the context of object orientation ES95] and used to axiomatize a signi cant subset of the Gnome language Cal96]. Other n-agent logics Ram96] do even consider the existence of a \present knowledge" modality allowing reference to non-local properties of agents, cf. KR94]. For a detailed account on logics of knowledge see FHMV95].
6.8 CONCLUDING REMARKS
Most of the alternative versions of distributed temporal logics referred to above have been found to have sound and complete axiomatizations. Also decidability results are available for most of them LMRT91; LRT92; Pen95; Ram96]. Therefore, although no e ort has been done yet in that direction, there is good hope for the development of a robust proof system for logics such as D0 and D1 . As pointed out by Emerson in Eme90], such \exogenous" logics with multiple time frames are specially well suited for compositional or modular speci cation and veri cation BKP84]. This has already been identi ed by Ram96] for several n-agent logics. For the sake of simplicity, we adopt a very elementary system view in this chapter: just sets of objects operating concurrently and interacting synchronously. In real systems, objects will often be structured: they may be aggregated into complex objects, related by inheritance, or related in many other ways. For an e ective speci cation method and its underlying logic, inthe-large mechanisms are indispensable for putting such structures together. Ehr97] gives an approach how to treat these issues in a way compatible with the ideas developed in this chapter.
191
One of the most important object relationships is inheritance. Inheritance describes how a class reuses features from another one. On a speci cation level, the inheriting class adopts attributes and actions and possibly adds some. On an implementation level, the inheriting class reuses code, i.e., it implements inherited attributes and actions in the same way as in the original class. Most inheritance approaches allow for overriding of inherited actions: the name is kept but the implementation is replaced by a new one. It is not trivial to capture this in a logically clean and still manageable way. Structuring may go further. What we have in mind is a module concept that re ects generic building blocks of software. In particular, parameterization and instantiation as well as horizontal and vertical composition of modules must be supported. For the latter, a module must incorporate a rei cation step between an external interface on a higher level of abstraction and an internal interface on a lower level of abstraction DE95; Den96b; Den96a]. Other issues under investigation are real-time constraints and deductive capabilities. Real-time constraints are an important practical issue, a useful approach may be found in DDPW94]. Deductive capabilities and default handling are harder to cope with but must eventually be better understood and incorporated. Along with these theoretical developments, experimental languages, methods and systems have to be developed, supported by tools and tested in application case and eld studies. The Troll project has proceeded in this direction. A Troll3/omTroll method has been designed that supports four views: system, object, behaviour and communication, along with advice how to proceed step by step. A Troll3/ omTroll workbench is under construction where a set of tools is being designed for developing and validating Troll3/omTroll speci cations. Besides textual and graphical editors and their parsers, an animator is envisaged for validating speci cations against user requirements, and to give support for exploring actual states by a variety of means. Finally, a Troll3/omTroll application study is being performed for developing an information system within the German national institute for weights and measures, cf. section 6.6 above, and also KKH+ 96; HDK+ 97]. Results and experiences are encouraging, but logics as discussed in this chapter may still take some time to nd their way into practice. More research, both fundamental and experimental, is needed for understanding their intricacies and to nd out how to incorporate them into a speci cation methodology.
Acknowledgments
This work was partially supported by the PRAXIS XXI Program and JNICT, as well as by PRAXIS XXI Projects 2/2.1/MAT/262/94 SitCalc,
192
PCEX/P/MAT/46/96 ACL plus 2/2.1/TIT/1658/95 LogComp, and ESPRIT IV Working Groups 22704 ASPIRE and 23531 FIREworks. We gratefully acknowledge inspirations from the editors, an unknown referee, members of our groups in Braunschweig and Lisbon, and Narciso Marti-Oliet.
References
AB95] M. Aiguier and G. Bernot. Algebraic speci cation of object type speci cations. In R.J. Wieringa and R.B. Feenstra, editors, Information Systems|Correctness and Reusability, Selected Papers from the IS-CORE Workshop'94, pages 16{32, 1995. AG91] A.J. Alencar and J.A. Goguen. Ooze: An object-oriented Z environment. In P. America, editor, Proc. ECOOP'91, pages 180{199. Springer, Berlin, 1991. AGM92] S. Abramsky, D.M. Gabbay, and T.S.E. Maibaum. Handbook of Logic in Computer Science, Vols. 1-6. Clarendon Press, Oxford, 1992. BAMP81] M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branching time. 8th ACM Symposium on Principles of Programming Languages, Williamsburg, VA, pages 164{176, 1981. Also, Acta Informatica, 20(3):207-226, 1983. BK84] J. Bergstra and J. Klop. Process algebra for synchronous communication. Information and Control, 60(1{3):109{137, 1984. BKP84] H. Barringer, R. Kuiper, and A. Pnueli. Now you may compose temporal logic speci cations. In Proceedings of the 16th ACM Symposium on the Theory of Computing, pages 51{63. ACM Press, 1984. Boo94] G. Booch. Object-Oriented Analysis and Design with Applications. Benjamin/Cummings, Redwood City, CA, 2nd edition, 1994. BW90] J. Baeten and W. Weijland. Process Algebra. Cambridge University Press, 1990. + CAB 94] D. Coleman, P. Arnold, S. Bodo , S. Dollin, H. Gilchrist, F. Hayes, and P. Jeremes. Object-oriented Development - The Fusion Method. Prentice-Hall, 1994. Cal96] Caleiro, C. Distributed object communities. Master's thesis, Instituto Superior Tecnico, Lisboa, 1996. In Portuguese. Cat94] R.G.G. Cattell. Object Database Standard. Morgan Kaufmann Publishers, San Mateo, 1994. CE81] E. Clarke and E. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Workshop on Logics of Programs, pages 52{71. LNCS 131, 1981.
REFERENCES
193
CE98]
C. Caleiro and H.-D. Ehrich. Temporal speci cation of distributed systems: The power of event calling. Technical Report, Dept. de Matematica, Instituto Superior Tecnico, Lisbon 1998. To appear. Che76] P.P. Chen. The Entity-Relationship Model { Toward a Uni ed View of Data. Communications of the ACM, 1:9{36, 1976. DDPW94] E. Dubois, Ph. Du Bois, M. Petit, and S. Wu. ALBERT: A formal agent-oriented requirements language for distributed composite systems. In P. Hartel und G. Saake E. Dubois, editor, Proc. Workshop on Formal Methods for Information System Dynamics (CAiSE'94), pages 25{39, 1994. DE95] G. Denker and H.-D. Ehrich. An Event-Based Semantics for Transactions. In G. Bernot and M. Aiguier, editors, Proc. Int. Workshop on Information Systems { Correctness and Reusability (ISCORE'95), pages 57{72. Universite d'Evry Val d'Essonne, Laboratoire de Mathematiques et d'Informatique, Technical Report, 1995. Den96a] G. Denker. Semantic Refinement of Concurrent Object Systems Based on Serializability. In B. Freitag, C. B. Jones, C. Lengauer, and H.-J. Schek, editors, Object Orientation with Parallelism and Persistence, pages 105{126. Kluwer Academic Publ., 1996. Den96b] G. Denker. Verfeinerung in objektorientierten Spezi kationen: Von Aktionen zu Transaktionen. Reihe DISDBIS, Band 6. in x-Verlag, Sankt Augustin, 1996. EH83] E. Emerson and J. Halpern. \sometimes" and \not never" revisited: on branching versus linear time temporal logic. 10th ACM Symposium on Principles of Programming Languages, Austin, pages 127{140, 1983. Also, Journal of the ACM, 33(1):151-178, 1986. EH96] H.-D. Ehrich and P. Hartel. Temporal speci cation of information systems. In A. Pnueli and H. Lin, editors, Proc. Int. Workshop in Honor of Chih-Sung Tang, World Scienti c, Singapore, pages 43{ 70, 1996. Ehr97] H.-D. Ehrich. Object Speci cation. In H.-J. Kreowski et al, editor, IFIP 14.3 Volume on Foundations of System Speci cation, Chapter 11. To appear in Springer LNCS, 1997. Eme90] E. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, pages 997{1072. Elsevier, 1990. ES95] H.-D. Ehrich and A. Sernadas. Local Speci cation of Distributed Families of Sequential Objects. In E. Astesiano, G. Reggio, and A. Tarlecki, editors, Recent Trends in Data Types Speci cation, Proc. 10th ADT Workshop/5th COMPASS Workshop, Selected papers, pages 219{235. Springer, Berlin, LNCS 906, 1995.
194 Esp93]
Esp rito Santo Data Informatica (ESDI), Lisbon. OBLOG Users Manual, 1993. Supplied with OBLOG-CASE v1.0 product kit. FHMV95] R. Fagin, J. Halpern, Y. Moses, and M. Vardi. Reasoning about knowledge. MIT Press, 1995. FL79] M. Fischer and R. Ladner. Propositional dynamic logic of regular programs. Journal of Computation and System Sciences, 18:194{ 211, 1979. Flo67] R. Floyd. Assigning meanings to programs. In J. Schwartz, editor, Mathematical Aspects of Computer Science - Proceedings of the Symposium on Applied Mathematics, volume 19, pages 19{32. American Mathematical Society, 1967. FM92] J. Fiadeiro and T. Maibaum. Temporal theories as modularization units for concurrent systems speci cation. Formal Aspects of Computing, 4:239{272, 1992. Fra86] N. Francez. Fairness. Springer-Verlag, 1986. FS97] M. Fowler and K. Scott. UML Distilled: Applying the Standard Object Modeling Language. Addison-Wesley, New York, 1997. FSMS91] J. Fiadeiro, C. Sernadas, T. Maibaum, and G. Saake. Prooftheoretic semantics of object oriented constructs. In R. Meersman, W. Kent, and S. Khosla, editors, Object Oriented Databases: Analysis, Design and Construction, North-Holland, pages 243{284, 1991. FW93] R.B. Feenstra and R. Wieringa. Lcm 3.0: A language for describing conceptual models { syntax de nition. Technical report, Vrije Universiteit Amsterdam, 1993. GM87] J.A. Goguen and J. Meseguer. Unifying functional, object{oriented and relational programming with logical semantics. In P. Wegner B. Shriver, editor, Research Direction in Object-Oriented Programming, pages 417{477. MIT Press, 1987. Gol92] R. Goldblatt. Logics of Time and Computation. CSLI, 1992. GPSS80] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness. In Proceedings of the 7th ACM Symposium on Principles of Programming Languages, 1980. GS95] J.A. Goguen and A. Socorro. Module composition and system design for the object paradigm. Journal of Object oriented Programming, 7(14), 1995. GW88] J.A. Goguen and T. Winkler. Introducing OBJ3. Technical report, SRI International, 1988. Har79] D. Harel. First-Order Dynamic Logic. Springer Verlag, LNCS 68, 1979.
REFERENCES
195
Har97]
P. Hartel. Konzeptionelle Modellierung von Informationssystemen als verteilte Objektsysteme. Reihe DISDBIS. in x-Verlag, Sankt Augustin, 1997. + HDK 97] P. Hartel, G. Denker, M. Kowsari, M. Krone, and H.-D. Ehrich. Information systems modelling with TROLL formal methods at work. Information Systems, 22(2-3):79{99, 1997. HJ95] P. Hartel and R. Jungclaus. Modeling Business Processes over Objects. Int. Journal of Cooperative Information Systems, 4(2):165{ 188, 1995. HM85] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the ACM, 32(1):137{161, 1985. HM90] J. Halpern and Y. Moses. Knowledge and common knowledge in a distributed environment. Journal of the ACM, 37(3):549{587, 1990. Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576{580, 1969. Hoa85] C: A. R. Hoare. Communicating sequential processes. Prentice-Hall, 1985. + HSJ 94] T. Hartmann, G. Saake, R. Jungclaus, P. Hartel, and J. Kusch. Revised Version of the Modelling Language Troll (Version 2.0). Informatik-Bericht 94{03, Technische Universitat Braunschweig, 1994. HZ92] J. Halpern and L. Zuck. A little knowledge goes a long way: knowledge-based derivations and correctness proofs for a family of protocols. Journal of the ACM, 39(3):449{478, 1992. Jac92] I. Jacobson. Object-Oriented Software Engineering. AddisonWesley, Reading, MA, 1992. JSHS96] R. Jungclaus, G. Saake, T. Hartmann, and C. Sernadas. Troll { A Language for Object-Oriented Speci cation of Information Systems. ACM Transactions on Information Systems, 14(2):175{211, April 1996. + JWH 94] R. Jungclaus, R. J. Wieringa, P. Hartel, G. Saake, and T. Hartmann. Combining Troll with the Object Modeling Technique. In B. Wol nger, editor, Innovationen bei Rechen- und Kommunikationssystemen. GI-Fachgesprach FG 1: Integration von semiformalen und formalen Methoden fur die Spezi kation von Software, pages 35{42. Informatik aktuell, Springer-Verlag, 1994. KKH+96] M. Krone, M. Kowsari, P. Hartel, G. Denker, and H.-D. Ehrich. Developing an Information System Using Troll: an Application Field Study. In P. Constantopoulos, J. Mylopoulos, and Y. Vassiliou, editors, Proc. 8th Int. Conf. on Advanced Information Systems
196
Engineering (CAiSE'96), pages 136{159. Springer, Berlin, LNCS 1080, 1996. KP87] S. Katz and D. Peled. Interleaving set temporal logic. In 6th ACM Symposium on Principles of Distributed Computing, pages 178{190. 1987. KR94] P. Krasucki and R. Ramanujam. Knowledge and the ordering of events in distributed systems. In Proc. Theoretical Aspects of Reasoning About Knowledge, pages 267{283. Morgan Kaufmann, 1994. Lam77] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, 3(2):125{143, 1977. LMRT91] K. Lodaya, M. Mukund, R. Ramanujam, and P.S. Thiagarajan. Models and logics for true concurrency. In P.S. Thiagarajan, editor, Some Models and Logics for Concurrency, Advanced School on the Algebraic, Logical and Categorical Foundations of Concurrency. Gargnano del Garda, 1991. LPRT95] K. Lodaya, R. Parikh, R. Ramanujam, and P. Thiagarajan. A logical study of distributed transition systems. Information and Computation, 119(1):91{118, 1995. LRT92] K. Lodaya, R. Ramanujam, and P.S. Thiagarajan. Temporal logics for communicating sequential agents: I. International Journal of Foundations of Computer Science, 3:117{159, 1992. LS95] F. Laroussinie and Ph. Schnoebelen. A hierarchy of temporal logics with past. Theoretical Computer Science, 148:303{324, 1995. LT87] K. Lodaya and P.S. Thiagarajan. A modal logic for a subclass of event structures. In Th. Ottmann, editor, Proc. 14th Int. Colloq. on Automata, Languages and Programming, pages 290{303. LNCS 267, Springer-Verlag, Berlin, 1987. Mes92] J. Meseguer. Conditional rewriting as a uni ed model of concurrency. Theoretical Computer Science, 96(1):73{156, 1992. Mes93] J. Meseguer. A Logical Theory of Concurrent Objects and its Realization in the Maude Language. In G. Agha, P. Wegner, and A. Yonezawa, editors, Research Directions in Concurrent ObjectOriented Programming, pages 314{390. The MIT Press, 1993. Mil80] R. Milner. A calculus of communicating systems. Springer Verlag, LNCS 92, 1980. MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, New York, 1992. Pel87] D. Peleg. Concurrent dynamic logic. Journal of the ACM, 34(2):450{479, 1987. Pen88] W. Penczek. A temporal logic for event structures. Fundamenta Informaticae, 11(3):297{326, 1988.
REFERENCES
197
Pen95] Pnu77] Pra86] PW84] Ram96] RBP+91] Rei92] RS92] SCS94] Ser80] SFSE89] SHJE94]
SJH93]
W. Penczek. Branching time and partial order in temporal logics. In L. Bolc and A. Szalas, editors, Time and Logic: A Computational Approach, pages 179{228. UCL Press, 1995. A. Pnueli. The temporal logic of programs. In Proc. 19th Annual Symposium on Foundations of Computer Science, pages 46{57. IEEE Computer Society. New York, 1977. V.R. Pratt. Modeling Concurrency with Partial Orders. International Journal of Parallel Programming, 15(1):33{71, 1986. S. Pinter and P. Wolper. A temporal logic for reasoning about partially ordered computations. In 3rd ACM Symposium on Principles of Distributed Computing, pages 28{37. 1984. R. Ramanujam. Locally linear time temporal logic. In Proc. 11th Annual IEEE Symposium on Logics in Computer Science, pages 118{127. IEEE Computer Society. New York, 1996. J. Rumbaugh, M. Blaha, W. Premerlani, F. Eddy, and W. Lorensen. Object-Oriented Modeling and Design. Prentice-Hall, Englewood Cli s, NJ, 1991. W. Reisig. Elements of a temporal logic coping with concurrency. Technical report, Institut fur Informatik, Technische Universitat Munchen, Arcisstr. 21, Postfach 202420, D-8000 Munchen 2, Germany, 1992. L. Rapanotti and A. Socorro. Introducing FOOPS. Technical report, PRG-TR-28-92, Programming Research Group, Oxford University Computing Laboratory, 1992. A. Sernadas, J. F. Costa, and C. Sernadas. An institution of object behaviour. In H. Ehrig and F. Orejas, editors, Recent trends in data type speci cation, pages 337{350. Springer Verlag, LNCS 785, 1994. A. Sernadas. Temporal aspects of logical procedure de nition. Information systems, 5:167{187, 1980. A. Sernadas, J. Fiadeiro, C. Sernadas, and H.-D. Ehrich. The basic building blocks of information systems. In E. Falkenberg and P. Lindgreen, editors, Information Systems Concepts: An In-Depth Analysis, pages 225{246. North-Holland, 1989. G. Saake, T. Hartmann, R. Jungclaus, and H.-D. Ehrich. Objectoriented design of information systems: TROLL language features. In J. Paredaens and L. Tenenbaum, editors, Advances in Database Systems, Implementations and Applications. Springer Verlag, Wien, CISM Courses and Lectures no. 347, 1994. G. Saake, R. Jungclaus, and T. Hartmann. Application Modelling in Heterogeneous Environments using an Object Speci cation Language. In M. Huhns, M.P. Papazoglou, and G. Schlageter, editors,
198 SR94] SS77]
SSC95] SSE87] SSR96] Thi94] Thi95] vG90] Wie96] Win87]
WN95] Wol95]
Int. Conf. on Intelligent & Cooperative Information Systems (ICICIS'93), pages 309{318. IEEE Computer Society Press, 1993. A. Sernadas and J. Ramos. The GNOME language: Syntax, semantics and calculus. Technical report, Tech. Report, Instituto Superior Tecnico, Lisboa, 1994. J.M. Smith and D.C.P. Smith. Database abstractions: Aggregation and generalization. ACM Transactions on Database Systems, 2:105{ 133, 1977. A. Sernadas, C. Sernadas, and J.F. Costa. Object speci cation logic. Journal of Logic and Computation, 5:603{630, 1995. A. Sernadas, C. Sernadas, and H.-D. Ehrich. Object-oriented speci cation of databases: An algebraic approach. In P. Hammerslay, editor, Proc. 13th Int. Conf. on Very Large Databases, VLDB'87, pages 107{116, Brighton, 1987. Morgan{Kaufmann, Palo Alto, 1987. A. Sernadas, C. Sernadas, and J. Ramos. A temporal logic approach to object certi cation. Data and Knowledge Engineering, 19:267{ 294, 1996. P.S. Thiagarajan. A Trace Based Extension of Linear Time Temporal Logic. In Proc. 9th annual IEEE Symposium on Logic in Computer Science, pages 438{447. IEEE Computer Society Press, 1994. P. Thiagarajan. Ptl over product state spaces. Technical report, School of Mathematics, SPIC Science Foundation, Madras, India, 1995. R. van Glabeek. Comparative Concurrency Semantics and Re nement of Actions. PhD thesis, Free University of Amsterdam, 1990. R. Wieringa. Requirements Engineering. John Wiley & Sons, Chichester, 1996. G. Winskel. Event Structures. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Petri Nets: Applications and Relationships to Other Models of Concurrency, Advances in Petri Nets 1986, Part II, Proc. Advanced Course, Bad Honnef, September 1986, pages 325{ 392. Springer, 1987. LNCS 255. G. Winskel and M. Nielsen. Models for concurrency. AGM92], 4:1{148, 1995. P. Wolper. On the relation of programs and computations to models of temporal logic. In L. Bolc and A. Szalas, editors, Time and Logic: A Computational Approach, pages 131{178. UCL Press, 1995.
Index
accessibility relation, 15 action, 169, 202, 392 calling, 171, 176, 177, 181 enabling, 172, 176 external, 410 internal, 393 occurrence, 173, 176 symbol, 170, 172, 181 action sort, 209 action symbol, 209 active database, 392 active rule, 392, 409 agent, 189 logic, 189 aggregation, 275 Albert, 188, 200 ALCQI , 232 concept, role, 232 knowledge base, 234 reasoning, 257 always operator, 210 Anderson's reduction, 86, 93 answer approximation, 343 assignment, 213 atom, 7 ATSQL, 50 attribute, 169, 202, 209, 236, 245 alteration, 187 inherited, 191 symbol, 172, 209 value, 172, 176, 187 auto-epistemic logic, 345 automated deduction, 10 axiom, 170
behaviour, 172, 183 class, 171 communication, 171 frame, 187 inherited, 191 local, 177 non-rigid, 205 rigid, 202, 204 system, 171 axiom attribute, 205
B, 17
base formula in dyOSL, 210 base sort, 209 base term in dyOSL, 210 base variable in dyOSL, 210 behaviour, 167 axiom, 172, 183 concurrent, 167 model, 168 object, 174 of objects, 200 system, 176 belief revision, 338 biquanti ed formula, 56 branching time logic, 19 business policy, 97
c-table, 322, 327 calling, 202 cardinality constraint, 233, 236, 237, 252 certain answer, 318 Chisholm set, 75, 80, 84, 89 class, 169, 170, 174, 245 axiom, 171
425
426
LOGICS FOR DATABASES AND INFORMATION SYSTEMS potential, 54, 56 context function, 373 contrapositive reasoning, 378 cooperative answering, 287{291 coupling mode, 394, 400, 412 credulous semantics, 376, 378 CWA, 24, 270, 294 cycle local, 405 negative, 405 data complexity, 329 data domain, 33 data modeling, 253 data signature, 209 database deductive, 266, 270{272, 278, 279, 291, 293, 294, 296, 297, 299 de nite, 269, 277, 281 disjunctive, 269, 277{279, 281, 282, 291, 294, 299 distributed, 291 extensional (EDB), 270, 272 extensional (EDB), 293 heterogeneous, 291, 295 intensional (IDB), 270, 272 logic, 266, 268, 270, 275 multimedia, 298 normal, 270, 271, 274, 279, 281, 299 object-oriented, 267, 287, 296 object-relational, 267 relational, 265{267, 269, 272, 287, 293, 296, 299 stable, 271 strati ed, 271, 292, 294 database evolution, 402{404, 406 database schema, 33 Datalog, 266, 269, 270, 275, 277, 291, 396 Datalog: , 396 Datalog:: , 396, 397, 415 Datalog1S , 64, 398, 402, 404, 413 in ationary Datalog: , 396, 415 nonin ationary Datalog: , 397, 415 strati ed Datalog: , 408, 416 XY-Datalog, 402, 416, 417 DB, 17 deduction, 266, 267 Deduction Theorem, 12 default, 325, 344 defeasible reasoning, 81
D, 17 D4, 17
inheritance, 191 class-subclass hierarchy, 363 clause, 268{270, 273, 276, 278, 281{284 de nite, 269 ground, 283 null, 283, 284 closed world assumption, 24, 270, 294, 334 closure by consequence, 219 by entailment, 215 coalescing, 50 Codd table, 320, 326 combined complexity, 329 communication, 167, 168, 170, 177, 178, 184, 188 action, 171, 181 asynchronous, 172 axiom, 171 constraints, 184 event, 182 formula, 177 predicate, 176, 178, 181 protocol, 167 symbol, 183 synchronous, 171, 172 compilation of temporal queries, 47 completeness, 12, 220 completion, 221, 270 completion axiom, 325, 334 complex object, 342 complexity, 395, 399, 413 composite event, 393, 410, 413 concept, 232 conclusion, 9 concurrency, 168, 188 model, 173, 188, 190 concurrent behaviour, 167, 188 events, 176 objects, 167 process, 167 system, 189 work ow, 167 condition, 392, 393 con uence, 395, 397, 409 conjunctive formula, 316 consequence, 220 logical, 9 consistency, 9, 254, 255 constant symbol, 6 constraint, 341 constraint satisfaction, 53, 57
REFERENCES de nite answer property, 318 delta relation, 393, 398, 399, 405, 409, 410 deontic logic, 17, 73 Deontic S5, 94 derivation, 13 Description Logic, 232 description logic, 342 disjunctive answer, 319 disjunctive Datalog, 327 disjunctive logic program, 327 distribution, 167, 175, 190 domain, 8 domain closure, 324 dynamic action logic, 102 dynamic behaviour, 200 dynamic logic, 84, 86 dynamic OSL, 201 dynamics, 199 dyOSL, 201, 208 ECA rule, 392 encoding, 44 constraint, 48 interval-based, 44 entailment, 9 entity, 236 Entity-Relationship model, 236 epistemic logic, 344 equivalence, 255 evolution, 406, 414 transaction, 406, 414 transition, 406, 414 Etoile, 188 event, 173, 392 algebra, 393 composite, 393, 410, 413 external, 392, 393, 409{411 interaction, 176 internal, 392, 393 sharing, 177 event consumption mode, 393 event grove, 173 distributed, 175 labelling, 174 event structure, 173, 176, 188 evolution, 199, 202 evolving algebra, 200 evolving temporal speci cation, 201 exception, 364 existential axioms, 11 Existential Generalization, 11 expression complexity, 330 expressive power, 41, 395, 414 extended relational theory, 325, 343 external environment, 98 F-Logic, 370 fact, 20 false presupposition, 290 nite model property, 235 rst-order logic, 6 interval-based, 46 two-sorted, 40 xpoint languages, 63 xpoint semantics, 22 oating conclusion problem, 383 FOL, 6 Foops, 188 formula, 7 atomic, 7, 269 clausal, see clause closed, 7, 275 function-free, 268 ground, 268 query, see query frame, 15 idealized, 17 re exive, 16 symmetric, 17 transitive, 16 frame rule, 404, 405, 407, 411, 416 function symbol, 6
427
general subsumption, 382 generalized closed world assumption, 334 global invariant, 221 global invariant rule, 222 Gnome, 168, 169, 188, 200 goal, 23 goal clause, 23 ground term, 21 GuLog, 370 hard integrity constraints, 99 Herbrand base, 21, 404 Herbrand interpretation, 21 Herbrand model, 21 Herbrand universe, 21 Hilbert calculus for dyOSL, 219 Hilbert system, 11 history, 36, 54 Horn table, 323 Horn-clause, 20 hypothesis, 9
428
LOGICS FOR DATABASES AND INFORMATION SYSTEMS L&O, 371 Lcm, 188 leap, 403, 405 LIFE, 370 life cycle, 173 distributed, 176 linear temporal logic, 18 literal, 20 liveness, 56 local invariant rule, 223 local strati cation, 405 locality, 382 logic default, 292 rst-order, 6, 266, 268, 270, 271, 275, 292, 299 higher order, 299 many-sorted, 10 modal, 271, 279 non-classical, 267 non-monotonic, 271, 275, 294 temporal, 271 logic of knowledge, 17, 344 logic program, 20 logic programming, 20 logical consequence, 9, 256 logical database, 324 LOGIN, 370 many-sorted logic, 10 many-valued logic, 345 marked null, 321 Maude, 188 message, 172 meta formula, 211 meta sort, 209 meta term in dyOSL, 211 meta variables in dyOSL, 211 method, 169 blocking, 365 method inheritance, 371 method overloading, 387 mgu, 23 misconception, 287{291 mixed net, 364 modal of rst-order logic, 9 modal logic, 13, 76, 344 modal operator, 13 model, 235, 282 canonical, 281
hypothetical query, 340 idle action, 210 implication, 235 inapplicable null, 341 incomplete information, 309 inde nite information, 309 information system, 167 concurrent, 167 distributed, 167, 169 inheritability, 373 of methods, 383 with negative links, 383 inheritance, 359, 363 formalization, 379 logics, 369 method, 371 multiple, 364 nonmonotonic, 366 structural, 370 inheritance net, 360, 364 integrity constraint, 72, 99, 265{308, 336, 343 denial, 274{276, 278{282, 294 domain, 273 functional dependency, 266, 273, 288, 296 inclusion dependency, 266, 274, 296 preference, 279 referential, 274 security, 296, 297 state, 278, 290 static, 279 temporal, 279 universal, 278 user, 279, 289, 297 interaction, 167, 180, 181 interpretation, 8, 233, 247 interpretation structure, 214 invariant, 218 global, 221 is-a, 235, 237, 243, 245 is-a, 360 is-not-a, 360
K, 16 K4, 16 KB, 17
knowledge base, 234 knowledge discovery, 290 Kripke frame, see frame Kripke semantics, 15
REFERENCES Herbrand, 276 minimal, 276{279, 281, 282, 291, 294, 295 of modal logic, 15 perfect, 271, 294 stable, 278, 281, 294 unique, 271, 276 modeling behaviour, 168 business process, 184 conceptual, 167, 168 data, 169 information systems, 187 object, 169 object-oriented, 188 Modus Ponens, 11, 16, 220 monotonic net, 364, 374 multi-modal logic, 20 multiple temporal dimensions, 58 mutation, 205 mutation action symbol, 209 mutation attribute symbol, 209 mutation event, 205 mutation sort, 209 mutator, 205 natural deduction, 12 necessitation, 16 negation, 270{272 as nite failure, 24 default, 270, 274, 275, 277, 278, 280, 281 in logic programs, 24 logical, 270, 278 negative information, 333 net e ect, 410, 411 next operator, 18 non- rst normal form, 342 non-monotonicity, 325, 335, 344 non-rigid axiom, 205 non-standard logic, 344 nonmonotonic net, 364, 375 normative position, 97 null value, 311, 320, 337, 341 object, 169 behaviour, 167, 174 class, 174 communication, 183 identity, 175 instance, 174 locality, 175 logic, 172 model, 169 modeling, 169 reference, 179 semantics, 175 signature, 172, 209 speci cation, 172, 175, 188 speci cation language, 168, 169 system, 171, 175, 176, 188, 190 object behaviour, 200 object identi er, 209, 246 object oriented database, 342 object speci cation, 200 Object Speci cation Logic, 201 object-oriented data model, 245 obligation, 73 Oblog, 168, 188, 200 observation in dyOSL, 212 observation symbol, 212 o -path preemption, 382 OOLP+, 371 Ooze, 188 open world assumption, 326 OR-object, 324, 327, 342 ordered logic programs, 371 ORLog, 371, 372 OSL, 201, 208 dynamic, 201 ought-to-be, 81, 93 ought-to-do, 81, 84, 93 overriding, 365
429
paradoxes (of deontic logic), 74, 77{79, 87 parameter context, 393, 413 parameterized complexity, 330 past formula, 56 PDeL, 87, 89, 95 PDeL, 86 PDeL( ), 89 performative document, 101 permission, 73 polymorphism, 361 population, 211 positive existential formula, 316 possible answer, 318 possible world, 15 pre-interpretation structure, 211, 212 predicate, 172 calling, 167, 168, 178 communication, 176, 178, 181 enabling, 170 local, 175
430
LOGICS FOR DATABASES AND INFORMATION SYSTEMS guarded, 413, 416 head of, 269 empty, 269 Horn, 269 local, 404, 415, 416 normal, 270 progressive, 404 range-restricted, 269, 275
S4, 16 S5, 17 S5O(n) , 83, 95
locality, 177, 178 state, 172 symbol, 170 predicate logic, 6 predicate symbol, 6 premise, 9 process algebra, 85 production rule, 393, 394, 396, 415 program completion, 24 progressiveness, 403, 414 prohibition, 73 Prolog, 273, 299 proof, 11 in dyOSL, 221 proof theory, 10 quanti cational axioms, 11 query, 268, 269, 289 answer to, 268, 287, 289, 291 empty, 288, 291 intensional, 289 caching, 299 closed, 265 folding, 295, 299 optimization, 295 semantic, 285{288, 290, 297 reasoning, 253 in ALCQI , 257 in data models, 257 recursion, 269, 271, 287 recursively inde nite database, 327 refutation, 10 relation control, 410 delta, 393, 398, 399, 405, 409, 410 protocol, 410, 411 relation symbol, 6 relational model, 314 relationship, 236 residue, 280{285, 288, 289 rigid axiom, 202, 204 role, 232, 236 rule, 266{270, 272, 273, 275, 276, 279{ 282, 286, 287, 293 -monotonic, 413, 416 1-progressive, 404, 415, 416 body of empty, 269 deductive, 279 de nite, 269, 280 disjunctive, 271, 294, 299
safety, 55 satisfaction, 9, 15, 213 D0 , 177 D1 , 178 L , 174 local, 177, 179 satis ability, 9, 235 sceptical semantics, 375, 377 schema evolution, 225 scope, 27 SDL, 74, 76, 93 semantic mapping, 45 semantics, 265{267, 270, 272{279, 281, 282, 287{289, 291, 296 xpoint, 396 Herbrand, 294 model, 271, 272, 275{278 stable, 271 well-supported, 271 stable, 25, 397 state-strati ed, 405 strati ed, 397 well-founded, 26, 271, 397 sentence, 7 set-oriented, 394, 397, 409 signature, 6 dyOSL, 209 SLD-resolution, 22 SLDNF refutation, 281 SLI refutation, 282 slot symbol, 209 snapshot, 404, 406 view, 404 soft integrity constraints, 73, 99 sometime operator, 210 sort, 10 soundness, 12, 220 speci cation, 200 speci cation attribute symbol, 209 speci cation sort, 209
REFERENCES speci ty, 382 speech act, 100 SQL/Temporal, 50 SQL/TP, 52 stable model, 25, 335 stable semantics, 25 state nal, 402, 406 initial, 402 intermediate, 402 object, 174 predicate, 172, 175, 186 term, 403 transition, 170 transition system, 173 variable, 169, 403 state formula, 211 state meta formula, 211 Statelog, 403 -Statelog, 416 G-Statelog, 416 I-Statelog, 416 interpretation, 404 NF-Statelog, 414 normal form, 414 P-Statelog, 415 strati cation, 24 strati ed program, 335 stratum, 24 strict inheritance path, 374 strong dependency system, 337 strong representation system, 321 structural inheritance, 370 substitution, 23, 268, 282 ground, 268 inverse, 268 subsumption, 255, 282, 289 partial, 282, 284, 288 Switch Theorem, 12 synchronization, 213 system, 175 axiom, 171 behaviour, 176 concurrent, 189 denotational model, 175 development method, 188 distributed, 169, 189, 190 heterogeneous, 169 legacy, 169 object, 171, 188 object-oriented, 168 open, 167
431
properties, 188 reactive, 167, 168 signature, 175, 180, 182, 183, 186 speci cation, 175, 186 transition, 173, 189
T, 16 Tarskian semantics, 7 tautology, 9 taxonomic hierarchy, 363 Templog, 64 temporal connective rst-order, 37 future, 38 multidimensional, 59 past, 38 second-order, 62 temporal data, 341 temporal database, 33 abstract, 34 concrete, 45 snapshot, 34 timestamp, 34 temporal domain, 403 interval-based, 44 point-based, 33 temporal logic, 18, 32, 39, 167, 189 anchored version, 214 branching, 189 D0 , 167, 176 D1 , 167, 178 distributed, 167, 175, 190 for information systems, 189 L , 168, 172 linear, 189 local, 172 multidimensional, 60 n-agent, 190 partial order, 189 propositional, 172 reduction, 180, 183 temporal logic programming, 63 temporal ontology, 32 temporal query, 36 generic, 47 with explicit time, 40 with implicit time, 39 temporal relational algebra, 43 temporal trigger, 54 temporal unfolding, 51 term, 6 termination, 395, 406{408, 413
432
LOGICS FOR DATABASES AND INFORMATION SYSTEMS Universe of Discourse, 72, 98 until operator, 18 UoD, see Universe of Discourse update, 338
v-table, 322, 327 vacuous axioms, 11 valuation for rst-order logic, 8 for modal logic, 15 variable, 6 bound occurrence, 7 free occurrence, 7 view, 266{269 update, 281, 293{295 view update, 312, 339
terminological logic, 342 theory in dyOSL, 215 timestamp view, 404 TQuel, 51 trace, 173 distributed, 176 transaction, 402, 406 transition, 402, 406 transition system, 173 distributed, 189 translation LP to LI , 47 L to LI with coalescing, 47 FOTL to 2-FOL, 41 trigger, 393, 401 Troll, 168, 169, 188, 200, 202 TSQL2, 51 tuple-oriented, 394, 397, 409 type, 245 uni cation, 23 uni er, 23 unique names assumption, 325 universal relation assumption, 341 universe, 8
weak dependency system, 338 weak representation system, 323 weak until operator, 210 well-founded model, 26, 335 well-founded semantics, 26 zombie path, 383

10 1 1 28 2740

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

10 1 1 28 2740

Încărcat de

Drepturi de autor:

Formate disponibile

Logics for Databases and Information Systems

Jan Chomicki, Gunter Saake

Monmouth University / University of Magdeburg

Kluwer Academic Publishers

Jan Chomicki and Gunter Saake

1 Introduction to Logics for Databases and Information Systems

References 2 A Logic Primer

References 3 Temporal Logic in Information Systems

3.1 Introduction 3.2 Temporal Databases

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

3.4 3.5 3.6 3.7

Anthony J. Bonner and Michael Kifer

Hans-Dieter Ehrich, Carlos Caleiro, Amilcar Sernadas, and Grit Denker

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

Stefan Conrad, Jaime Ramos, Gunter Saake, and Cristina Sernadas

Diego Calvanese, Maurizio Lenzerini and Daniele Nardi

References 8 Description Logics for Conceptual Data Modeling

References 9 Integrity Constraints: Semantics and Applications

References 10 Logical Approaches to Incomplete Information: A Survey

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

Laks V.S. Lakshmanan and Krishnaprasad Thirunarayan

11 Declarative Frameworks for Inheritance

References 12 On Logical Foundations of Active Databases

Georg Lausen and Bertram Ludascher and Wolfgang May

University of Magdeburg Computer Science Postfach 4120 D-39016 Magdeburg

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

Laks V.S. Lakshmanan

John-Jules Ch. Meyer

Dip. di Informatica e Sistemistica

Dip. di Informatica e Sistemistica Universita` di Roma \La Sapienza"

Portugal e-mail: css@math.ist.utl.pt

Ron van der Meyden

Computing Sciences, University of Technology, Sydney Australia e-mail: ron@socs.uts.edu.au

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

Abstract: This chapter concentrates on a challenging problem of information

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

^ : .assign(v) ^ : .free, U (assign(w) _ free )

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

6.3 LOCAL LOGIC L

De nition 3 The syntax of L is given by L ::= P j false j (L ) L ) j (L U L ) j ( M L )

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

is inductively de ned as follows.

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

6.4 DISTRIBUTED LOGICS

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

De nition 14 The syntax of D is given by D ::= D j : : : j Dn For each object i 2 I , we have

i Di 1 ::= i:L1 i i i Li 1 ::= Pi j false j (L0 ) L0 ) j (L0 CC1 ::= D1

The satisfaction relation

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS

false 1 (' ) ) i ) 1 (' U

Example 16 Let i; u; j 2 I (\I, you, Jim").

LOGICS FOR DATABASES AND INFORMATION SYSTEMS

Example 17 Consider a system consisting of two objects,

sender (s) and

Figure 6.1 Communication between sender and receiver.

Here is a D1 speci cation of the system.

LOGICS FOR SPECIFYING CONCURRENT INFORMATION SYSTEMS