ABSTRACT RELATIONAL SEMANTICS

by

Jules Desharnais

School of Computer Science

McGill University

Montreal

July 1989

A thesis submitted to

the Faculty of Graduate Studies and Research

in partial fulfillment of the requirements for the degree of

PHILOSOPHIAE DOCTOR

© Jules Desharnais, 1989

Summary

Abstract relational algebra is used to give a semantic definition of a simple imperative programming language. To this end, various domains are specified by relational axioms. Some specifications define relations on the basic types of the language (Booleans and non-negative integers); their presentation stresses the importance of the notion of point. The other specifications construct the domains whose relations are used to denote program fragments. The fragments treated in this way are expressions, variable declarations, statements (assignment, sequence, conditional and iteration) and procedures. The relations that denote a fragment depend only on that fragment and not on its environment (with the exception of procedures), which constitutes an original approach. Finally, it is shown how to prove the correctness of a fragment, relative to a specification, by using its semantic definition. Specifications, semantics and program derivation are thus treated uniformly within the framework of abstract relational algebra.

Abstract

Abstract relational algebra is used to define the semantics of a simple imperative language. In order to carry out this task, various domains are specified by relational axioms. Some specifications define relations on the basic types of the language (Booleans and natural numbers); their presentation stresses the importance of the concept of point. Other specifications construct the relational domains whose relations are used to denote programs. The programming constructs that are defined include expressions, variable declarations, assignment statements, while-program statements and procedures. A particularity of the semantic definitions is that the relations denoting a program fragment depend only on the fragment, and not on its environment (procedure calls excepted). Finally, it is shown how the semantics of a program fragment can be used to prove its correctness relative to a specification. The result is a uniform abstract relational setting for specification, semantics and program derivation.

Acknowledgements

I am deeply indebted to Professor Nazim H. Madhavji, my supervisor, for his indefectible enthusiasm and continuous support during these years of research. I have appreciated his willingness to share his experience and knowledge.

I will keep an excellent souvenir of my colleagues in the MUPE-2 team. They are Kamel Toubache, Sami Boulos, Luc Pinsonneault, Yuan Xiang Gu and Mingjun Zhang.

I thank Drs. Ali Mili and Fatma Mili for an interaction that was as pleasant as it was profitable.

My wife Christiane and my son Francis are entitled to all my gratitude, not only for their love and encouragement, but also for having known how to create the necessary diversions.

I also thank my parents, who gave me the taste for studying and the possibility of doing so.

Finally, I wish to mention that this doctorate would not have been possible without the financial support of Université Laval and of the Natural Sciences and Engineering Research Council of Canada.

Contents

Summary
Abstract
Acknowledgements

1 INTRODUCTION
    1.1 Motivation
    1.2 What Is New?
    1.3 Other Approaches to Semantics
    1.4 Intuitions Behind the Relational Approach
    1.5 Reading Guide

2 RELATIONAL ALGEBRA
    2.1 Background
    2.2 Definition of Relational Algebra
    2.3 Properties of Relations
    2.4 Products and Sums
        2.4.1 Products
        2.4.2 Sums
    2.5 The Concept of Point
        2.5.1 Basic Definitions and Properties
        2.5.2 The Point Axiom
        2.5.3 Direct Sums and Direct Products Preserve the Point Axiom

3 SPECIFICATIONS
    3.1 Natural Numbers and Booleans
    3.2 Stacks
    3.3 Tables

4 SEMANTICS
    4.1 Syntactic Definition of the Programming Language
    4.2 Semantic Definition of the Programming Language
        4.2.1 Declarations
        4.2.2 Expressions
        4.2.3 Statements
        4.2.4 Procedures
    4.3 Comments on the Semantic Definitions

5 PROGRAM CORRECTNESS

6 CONCLUSION

Bibliography

Chapter 1

INTRODUCTION

1.1 Motivation

Some computer scientists have abandoned the search for rational laws to govern

conventional procedural programming. They tend to recommend the use of

functional programming or logic programming as alternatives. Here we shall

substantiate a claim that conventional procedural programs are mathematical

expressions, and that they are subject to a set of laws as rich and elegant as

those of any other branch of mathematics, engineering, or natural science.

Hoare et al., Laws of programming [Hoare 87].

After setting this challenging goal, Hoare et al. present some algebraic laws that conventional programs should obey. Two of these laws are

P ; (Q ; R) = (P ; Q) ; R

P ; (Q ∪ R) = P ; Q ∪ P ; R

In these expressions, the variables P, Q and R stand for programs (more precisely, in this case, for statements). The first of these laws expresses the associativity of the sequential composition of programs, and the second one, the distributivity of sequential composition over nondeterministic choice.

The mathematical model underlying Hoare’s laws is that of binary relations on the set of states of the program under consideration. A characteristic of these laws is that the variables appearing in them range over programs (relations), rather than over individual states. This is similar to what happens in the calculus of binary relations of Tarski [Tarski 41], which is a formal theory whose variables range over relations only, rather than over both relations and the objects that compose them (ordered pairs). Following [Berghammer 86] and [Schmidt 81], an algebraic structure satisfying the identities of a calculus of relations will be called an (abstract) relational algebra, in contrast to a (concrete) algebra of relations, consisting of all relations between some sets.

This distinction between concrete and abstract relational algebras is analogous to the distinction between object level programming and function level programming [Backus 85]. Object level programming is the formation of programs from objects that are not themselves programs, e.g., expressions, integer values, variables, etc. Most functional programming languages lead to object level programming, because they rely on function application (to an object) and on lambda abstraction, which combines a variable (ranging over objects) and an expression to define a function. Function level programming, on the other hand, combines functions to define other functions; these combinations are made by using various combining forms, like composition, condition and construction. According to Backus, the lack of useful theorems about programming is due to its object level orientation, and he affirms that function level programming is a better approach.

Imperative programs are object level. For example, a while loop combines an expression and a statement to produce a statement, and in the statement x:=2, the object ‘2’ is explicitly assigned to the variable x. But, even if imperative programs are object level, reasoning about them need not be so, as is exemplified by Hoare’s laws of programming. By using an abstract relational algebra to define the semantics of languages, one can avoid the level of objects; by analogy with the term function level used by Backus, we call this approach a relation level approach [Desharnais 88].

Apart from Hoare, other authors have applied relational algebra to the study of the semantics of programming languages, e.g., [de Bakker 73, de Roever 72, Schmidt 81]. These papers investigate some properties of programs, such as equivalence and termination. The study is usually done at the level of program schemes, i.e. the relations corresponding to the assignment statements are assumed given. Berghammer and Zierer [Berghammer 86] define the semantics of functional programs and briefly consider concrete programs with natural numbers as data type.

To our knowledge, relational algebra has never been used to define the semantics of a concrete imperative programming language, starting at the fundamental level of the basic types of the language, and including semantic definitions for expressions and assignment statements. Moreover, with very few exceptions (the ones known to the author being [Berghammer 86, de Roever 72]), only monadic schemes have been investigated, i.e. states are not broken down into their cartesian components.

At the other end of the scale [DeRemer 76], large programming constructs, like modules and supermodules¹, have not been studied at all by relational means. Now, programming in the large should have its laws as much as programming in the small does. Work on this topic is just beginning. Some operations on modules (or packages) are studied in [Agnarsson 85, Thorelli 85]; these operations describe the linking of modules into systems. Another area where structuring large systems is receiving some attention is that of algebraic specifications [Ehrig 85, Guttag 78]. A concept of algebraic module (with import and export interfaces) has recently emerged [Ehrig 85a, Weber 86], together with operations to combine them, and [Goguen 88] discusses a form of structuring that resembles supermodules.

We aim at extending the application domain of relational algebra, partly to follow the advice of Backus (to use non object level methods), and partly because previous use [Desharnais 85, Mili 87] has shown its potential. Our primary goal in doing so is to contribute to the approaches to formal program design, which is currently an active research area. Today, the emphasis is on designing a program by refining its specification step by step, and by ensuring the correctness of each derivation step (see [Back 88, Josephs 87, Mili 86] for example). This method has propagated down to introductory programming courses [Mills 87]; its early precursors were Wirth [Wirth 71], Dijkstra [Dijkstra 75] and Gries [Gries 81], amongst others.

Relational algebra has been used infrequently in the past. One consequence is that it must be developed further to meet the demands of the applications. Another consequence is that considerable work must be done on the semantics of basic data types and small constructs (variable declarations, statements) before studying the semantics of large constructs (procedures, modules). What also makes it necessary to start with the foundations is a new approach to semantics that we call bottom-up semantics [Desharnais 88]. For all these reasons, the thesis does not consider large program constructs; however, in section 1.4 (Intuitions behind the relational approach), we point out a definite resemblance between our relational view of statements and that of modules. Hence some of the techniques presented in the thesis should be reusable for the study of modules and supermodules.

¹ A supermodule [Madhavji 88] is a construct for structuring module interconnections [Prieto-Diaz 86].

1.2 What Is New?

The contributions of this thesis can be classified in four categories, corresponding to the

chapters 2 to 5.

1. In chapter 2, relational algebra is presented and extended. The extensions are the

following:

(a) A distinction is made between the notions of product, quasi direct product and

direct product (direct products are presented in [Berghammer 86, Schmidt 85a,

Schmidt 89]). The thesis shows that the distinction is a useful one.

(b) The notion of point is adapted to the context of heterogeneous algebras. In

[Schmidt 85], the presentation is done for homogeneous algebras, for reasons of

simplicity. But we need this concept for heterogeneous algebras.

(c) We prove that direct sums and direct products preserve the so-called point

axiom.

2. In chapter 3, various domains are specified; they correspond to sets of relations on

sets of natural numbers, Booleans and stacks. We discuss the importance of the

notion of point for specifications and show how it can play a role analogous to that

played by the notion of term in classical algebraic specifications. More precisely, if

the specification of a relational domain is such that the domain satisfies the point

axiom, then there is a natural model for the specification in which the domain is a

set of relations between sets of points.

3. In chapter 4, the domains specified in chapter 3 are used to define the semantics of a

simple language. The approach to semantics itself is original (bottom-up semantics);

the basic idea is that the mathematical objects that are associated to a program

part p depend only on p and not on its environment. The following constructs are

defined:

(a) variable declarations;

(b) expressions and assignment statements;

(c) while-program statements;

(d) procedure definition and procedure call.

Items (a) and (b) represent new applications of abstract relational algebra. Apart

from the bottom-up semantics, the treatment of (c) is different from the classical

one because polyadic schemes are defined. Finally, the treatment of (d) is somewhat

inconsistent, in the sense that bottom-up semantics is not used; this material is

included, however, to contrast it with the other parts and to point out areas for

future research.

4. In chapter 5, the notion of correctness of a program with respect to a specification

is presented; we extend the definition of [Mili 83] by allowing the relation denoting

the program to be a representation of the original specification. This extension,

however, is an adaptation to the abstract relational context of ideas such as those of

[Jones 86].

Finally, the thesis is unique in its uniform treatment of specification, semantics and

program correctness by abstract relational means. The work that comes closest to ours

in this respect is that of Berghammer and Zierer [Berghammer 86]; however, they put the

emphasis on functional programs and nondeterminism, whereas we put it on imperative

programs and specifications of relational domains.

1.3 Other Approaches to Semantics

The approaches to semantics are broadly categorized as operational, axiomatic or denotational.

To provide an operational semantics for a programming language, one invents a simple

abstract computer and describes how programs are run on this computer. Hopefully,

the abstract computer is simple enough that everybody agrees on the meaning of the

program. For example, normal order reduction is an operational semantics for λ-calculus.

See [Lucas 71] for an operational definition of PL/I.

Axiomatic semantics [Hoare 69] is a logic-based formalism. A control construct is defined by giving a precondition, which is a predicate (about the program variables) that should hold before the execution begins, and a postcondition, which is a predicate that should hold after execution. A specification can also be given as a precondition-postcondition pair. For example, (x ∈ N ∧ x = x₀, x ∈ N ∧ x = x₀ + 1) is such a pair. A program can be derived by refining the specification; i.e., if the specification is too complex to be mapped directly to a statement, then intermediate predicates and invariant predicates must be found such that the resulting subspecifications are simpler. For example, the statement x:=x+1 is correct with respect to the above specification.

Denotational semantics has been introduced by Scott and Strachey [Scott 76, Stoy 77]. To give a denotational semantics, one associates to a program or program part a mathematical object (function, relation, set, number, ...). One can also view the process of specification of a denotational semantics for a programming language as a translation into another formal language for which a fixed semantics is assumed; for example, most denotational definitions translate into λ-calculus, with the model given by Scott [Scott 76]. Denotational semantics is more abstract than operational semantics, and for this reason leaves more freedom to implementers of the defined language.

Denotational semantics is quite successful, to the point that compiler generation from denotational definitions is being considered [Bodwin 82, Chao 88]. Using the Vienna Development Method (VDM) [Jones 86], which is the most developed denotational method in use today, the complete semantic definitions of languages like Pascal and Ada have been given [Bjørner 83].

VDM is also used for software specification. To quote from [Bjørner 83]:

VDM-based specifications are basically denotational. (...) a VDM-based specification is a model of the software being architected. This is in contrast to e.g. Algebraic Specifications. In a model one is already “interpreting” certain objects in specific ways. Stack objects e.g., are modelled in terms of available Domain types, e.g. sequences or recursively defined trees. Operations on stacks, hence, are expressed in terms of “available” primitive operations on such sequences, respectively trees. This is in contrast to algebraic specifications which have no “predefined” (i.e. “available”) Domain types, and hence no corresponding primitive operations.

It is now accepted [Jones 84] that model oriented specifications of a language are more convenient as a starting point for the design of compilers, whereas more abstract methods (axiomatic or algebraic) are better suited to the use of the language.

Algebraic approaches are also denotational, except that a predetermined model is not

given. Algebraic specification methods have been intensively studied [Ehrig 85, Goguen 78,

Guttag 78] and are used for the specification of abstract data types. In [Broy 87], Broy,

Wirsing and Pepper apply the same techniques to the semantic definition of a programming

language. This leads to a coherent algebraic frame for both data and control structures.

Our relational approach is algebraic and denotational. It is intended to be useful for

program derivation. It strives to provide a uniform tool for specification, semantics and

program derivation.

1.4 Intuitions Behind the Relational Approach

The relational approach that we introduce here is denotational; we will associate a relation

to each syntactically well-formed program part (or program fragment [Madhavji 85]). In

this section, to make things intuitive, we will use the intended interpretations of relations,

rather than the formal language of relational algebra, which will be presented in the next

section.

It is natural to denote a statement by a binary relation on the set of states of the program containing the statement. For example, let the environment of the assignment statement x:=x+1 consist of the variables x and y, both of type INTEGER; then one could define the semantics of x:=x+1 to be the relation

$$R_a = \{\langle s, s' \rangle \mid x(s) \in \mathbb{Z} \land x(s') \in \mathbb{Z} \land x(s') = x(s) + 1 \land y(s) \in \mathbb{Z} \land y(s') \in \mathbb{Z} \land y(s') = y(s)\}$$

where x(s) denotes the value of variable x in the initial state s and x(s′) denotes the value of variable x in the final state s′, and similarly for y. The denotation of a statement by a binary relation has been used widely, though usually not within the formalism of abstract relational algebra.

Next, a specification can be given by a relation on the set of program states. For example, the above relation $R_a$ can be considered as a (simple) specification; a statement correct with respect to $R_a$ is of course x:=x+1. Relational specifications can be refined into programs by using rules and strategies such as those presented in [Mili 83, Mili 86, Mili 87].
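
The relational reading used in sections 1.1 and 1.4 (statements and specifications as binary relations on states) can be exercised on a finite model. The following is an added example, not code from the thesis: the bounded state window, all function names and the `satisfies` check are assumptions made here, and the thesis's own notion of correctness is the one developed in its chapter 5.

```python
from itertools import product

# Constructed finite state space: a state is a pair (x, y), each component
# drawn from a small window of the integers so that relations can be enumerated.
VALUES = range(0, 4)
STATES = [(x, y) for x, y in product(VALUES, VALUES)]


def compose(p, q):
    """Sequential composition P;Q: s is related to u when s -P-> t and t -Q-> u."""
    return frozenset((s, u) for (s, t) in p for (t2, u) in q if t == t2)


def union(p, q):
    """Nondeterministic choice between P and Q."""
    return frozenset(p) | frozenset(q)


def assign_x(expr):
    """Relation denoting x := expr(x, y); y keeps its value.

    Pairs whose result leaves the finite window are dropped. That is an
    artefact of the bounded model, not a property of the statement.
    """
    return frozenset(
        ((x, y), (expr(x, y), y))
        for (x, y) in STATES
        if expr(x, y) in VALUES
    )


def domain(r):
    """Initial states on which the relation is defined."""
    return frozenset(s for (s, _) in r)


def satisfies(program, spec):
    """Assumed correctness check: on every initial state the specification
    covers, the program is defined and yields only final states the
    specification allows."""
    covered = domain(spec)
    if not covered <= domain(program):
        return False
    return all((s, t) in spec for (s, t) in program if s in covered)


def laws_hold(p, q, r):
    """Check the two laws quoted from Hoare et al. on concrete relations."""
    assoc = compose(p, compose(q, r)) == compose(compose(p, q), r)
    distrib = compose(p, union(q, r)) == union(compose(p, q), compose(p, r))
    return assoc and distrib


# R_a restricted to the window: x increases by one, y is unchanged.
R_A = frozenset(
    (s, t) for s in STATES for t in STATES
    if t[0] == s[0] + 1 and t[1] == s[1]
)
# A weaker specification: x strictly increases, y is unchanged.
SPEC_GROW = frozenset(
    (s, t) for s in STATES for t in STATES
    if t[0] > s[0] and t[1] == s[1]
)

INC_X = assign_x(lambda x, y: x + 1)      # x := x + 1
ADD_Y = assign_x(lambda x, y: x + y)      # x := x + y
SKIP = frozenset((s, s) for s in STATES)  # the identity relation

if __name__ == "__main__":
    print("x:=x+1 denotes R_a:", INC_X == R_A)
    print("x:=x+1 satisfies R_a:", satisfies(INC_X, R_A))
    print("x:=x+1 satisfies 'x grows':", satisfies(INC_X, SPEC_GROW))
    print("x:=x+y satisfies 'x grows':", satisfies(ADD_Y, SPEC_GROW))
    print("(x:=x+1 or skip) satisfies R_a:", satisfies(union(INC_X, SKIP), R_A))
    print("laws hold:", laws_hold(INC_X, ADD_Y, union(INC_X, SKIP)))
```

The nondeterministic choice between x:=x+1 and skip fails against R_a because one of its possible final states is the unchanged initial state, which the specification excludes.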

Though this is rarely mentioned, it is also natural to consider a module (in the Modula-2 sense [Wirth 85]) as an n-ary relation. For example, let a module M import identifiers A and B, and export a type T and a procedure P, both possibly defined in terms of A and B. We can associate to M the 4-ary relation

$$R_M = \{\{(A, a), (B, b), (T, t), (P, p)\} \mid a, b \in V \land t \in T \land p \in P \land \mathit{pred}(a, b, t, p)\}$$

where V is a set of values denoting the objects definable in the language, whereas T and P are sets of objects denoting types and procedures, respectively, and where pred(a, b, t, p) is a predicate. That is, $R_M$ contains functions (tuples) from the set of identifiers {A, B, T, P} to the set V = V ∪ T ∪ P. One can also see the relation $R_M$ as a table, similar to the tables in Codd’s relational algebra [Codd 70, Maier 83].

$$R_M = \begin{array}{|c|c|c|c|}
\hline
A & B & T & P \\
\hline
a_1 & b_1 & t_1 & p_1 \\
a_2 & b_2 & t_2 & p_2 \\
a_3 & b_3 & t_3 & p_3 \\
\vdots & \vdots & \vdots & \vdots \\
\hline
\end{array}$$

In this example, the imported identifiers (A, B) are different from the exported identifiers (T, P), because this is required by Modula-2. But we are interested in the semantics of any fragment, not only of modules; we will consider that a fragment can import or export identifiers, in such a way that the set of imported identifiers is not necessarily disjoint from the set of exported identifiers. We will then associate to each fragment a binary relation. Let us look at two examples.

Firstly, consider again the module M in the above example. The relation denoting M will be the binary relation

$$Q_M = \{\langle \{(A, a), (B, b)\}, \{(T, t), (P, p)\} \rangle \mid a, b \in V \land t \in T \land p \in P \land \mathit{pred}(a, b, t, p)\}$$

or, in tabular form,

$$Q_M = \begin{array}{|cc|cc|}
\hline
A & B & T & P \\
\hline
a_1 & b_1 & t_1 & p_1 \\
a_2 & b_2 & t_2 & p_2 \\
a_3 & b_3 & t_3 & p_3 \\
\vdots & \vdots & \vdots & \vdots \\
\hline
\end{array}$$

where the vertical bar separates the definition domain (imports) of the relation from its range (exports).

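Secondly, let the program fragment be x:=x+y, and assume that the operator ‘+’ in the programming language is defined for natural numbers and Booleans, for which it means disjunction. We then associate to this fragment the relation

$$Q_a = \{\langle \{(x, a), (y, b)\}, \{(x, a + b), (y, b)\} \rangle \mid a \in \mathbb{N} \land b \in \mathbb{N}\} \cup \{\langle \{(x, a), (y, b)\}, \{(x, a \lor b), (y, b)\} \rangle \mid a \in \{T, F\} \land b \in \{T, F\}\}$$

or, in tabular form

$$Q_a = \begin{array}{|cc|cc|}
\hline
x & y & x & y \\
\hline
F & F & F & F \\
F & T & T & T \\
T & F & T & F \\
T & T & T & T \\
0 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 \\
0 & 2 & 2 & 2 \\
\vdots & \vdots & \vdots & \vdots \\
1 & 0 & 1 & 0 \\
1 & 1 & 2 & 1 \\
1 & 2 & 3 & 2 \\
\vdots & \vdots & \vdots & \vdots \\
\hline
\end{array}$$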

Note the similarity between the two examples. In the case of the module, what is

exported is the definition of a type and the definition of a procedure; what is imported is

something about which no assumption is made. In the case of the assignment statement,

the values of x and y are exported. They are computed from the imported values of x and

y. No assumption is made about what the type of an imported identifier is (except that

it must be compatible with the ‘+’ operator). No assumption is made about the other

variables of the environment; this is the first example of bottom-up semantics.

These are the intuitive ideas behind the formal approach that will be developed in

the thesis. The relations (as presented in the above examples: binary relations between

sets of tuples) will be only a model of particular relational domains, to be introduced by

relational axioms.
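
The relation associated with x:=x+y can be computed from the definition of ‘+’ instead of being tabulated by hand. The following is an added example, not code from the thesis: the finite window of naturals, the encoding of Booleans as the strings "T" and "F", and all function names are assumptions made here.

```python
from itertools import product

# Constructed finite windows of the two value domains on which '+' is defined.
NATURALS = range(0, 3)
BOOLEANS = ("F", "T")   # strings, so that T can never be confused with 1


def plus(a, b):
    """The overloaded '+': addition on naturals, disjunction on Booleans.

    Returns None when the operand types are incompatible, so that such
    import tuples fall outside the definition domain of the relation.
    """
    if a in BOOLEANS and b in BOOLEANS:
        return "T" if "T" in (a, b) else "F"
    if a in BOOLEANS or b in BOOLEANS:
        return None
    return a + b


def denote_add_into(target, other):
    """Relation for the fragment `target := target + other`.

    The result is a set of (imports, exports) pairs. Each side is a set of
    (identifier, value) bindings, and only identifiers occurring in the
    fragment appear in it.
    """
    names = sorted({target, other})
    relation = set()
    for values in product(tuple(NATURALS) + BOOLEANS, repeat=len(names)):
        imports = dict(zip(names, values))
        result = plus(imports[target], imports[other])
        if result is None:
            continue
        exports = dict(imports)
        exports[target] = result
        relation.add((frozenset(imports.items()), frozenset(exports.items())))
    return relation


def run(relation, **imports):
    """Exports related to the given imports, or None outside the domain."""
    key = frozenset(imports.items())
    matches = [dict(exports) for (imp, exports) in relation if imp == key]
    return matches[0] if matches else None


def is_functional(relation):
    """True when every import tuple is related to exactly one export tuple."""
    return len({imp for (imp, _) in relation}) == len(relation)


def identifiers(relation):
    """All identifiers mentioned on either side of the relation."""
    return {name for pair in relation for side in pair for (name, _) in side}


Q_A = denote_add_into("x", "y")

if __name__ == "__main__":
    # Print the relation in the tabular form used in the text: x y | x y
    rows = sorted(
        (dict(imp), dict(exp)) for (imp, exp) in Q_A
    ), 
    for imp, exp in sorted(
        ((dict(i), dict(e)) for (i, e) in Q_A),
        key=lambda row: (str(row[0]["x"]), str(row[0]["y"])),
    ):
        print(imp["x"], imp["y"], "|", exp["x"], exp["y"])
```

Because the relation is built from the fragment alone, no variable other than x and y appears in it, and an import tuple that mixes a Boolean with a natural number has no related export tuple.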

1.5 Reading Guide

Tutorials on axiomatic definitions of heterogeneous relational algebra being very rare (the

only ones known to the author are [Schmidt 85a] and [Schmidt 89]), we have decided to

give an extensive presentation of it in chapter 2. This presentation will show how the

theory is based on only a few axioms in addition to those of Boolean algebra; it will

also provide some evidence that abstract relational algebra is a good basis for formal

approaches to specification and semantics.

The thesis assumes a basic knowledge of Boolean algebra and of various notions related

to program semantics; this material is briefly reviewed in section 2.1. A knowledge of set

theory and of concrete algebras of relations on sets will be useful to follow the formal

developments and to understand the examples.

Apart from these prerequisites, the presentation assumes no knowledge of relational

algebra. Its definition starts with the basic axioms and continues with the statement and

proof of every property that is used in the thesis. Though this increases the physical

length of the thesis, it should decrease the reading time because familiarity with the basic

concepts of chapter 2 facilitates the reading of the other chapters. Those who are familiar

with the contents of [Berghammer 86, Schmidt 81, Schmidt 85] can skip sections 2.1, 2.2,

2.3 and simply look at definitions and statements of theorems in sections 2.4 and 2.5.

The numbering scheme is the following.

1. Theorems, propositions, lemmas, corollaries, definitions, specifications, remarks and examples have a single numbering sequence within a chapter, e.g., 3.1, 3.2, ... They are referred to as, e.g., theorem 3.2, or as definition 3.3(4) for item 4 of definition 3.3, or as specification 3.4(2a) for sub-item a of item 2 of specification 3.4.

2. Some equations, sets of equations, abbreviations or derivations are numbered, on

the right hand side, by another sequence within a chapter. They are referred to as,

e.g., equation(s) 4.2, or simply as 4.2; often, the page number where the equation

appears is given, for ease of reference.

We use the symbols ∅, ⊆, ∪, ∩ to denote the empty set and inclusion, union and intersection of sets. The symbols ⊆, ∪, ∩ will be overloaded (see definition 2.1 of relational algebra); however, the context always clearly indicates their meaning.

Chapter 2

RELATIONAL ALGEBRA

In this chapter we introduce relational algebra. We start with a review of the needed facts

about Boolean algebras and continuity of functions. Then, in sections 2.2 and 2.3, the

basic concepts of relational algebra are presented. The properties of relations that are

proved in these two sections are quite classical in the context of algebras of relations on

sets, except maybe for the Schröder rule and the Dedekind rule. What is less classical is

their derivation in the axiomatic framework of abstract relational algebra. In section 2.4

the definitions of products and sums are given, and the properties of these constructions

are studied. Finally, in section 2.5 the concept of point is extensively investigated, as it

will play a central role in the subsequent chapters.

The material of this chapter is extracted mostly from [Berghammer 86, Schmidt 81,

Schmidt 85], although there are the following main contributions:

1. A distinction is made between the notions of product, quasi direct product and direct product (direct products are presented in [Berghammer 86, Schmidt 85a] and [Schmidt 89]).

2. We adapt the notion of point [Schmidt 85] to the context of heterogeneous algebras.

3. We show that direct sums and direct products preserve the point axiom (see definition

2.21 later).

At the end of each section, there is a short paragraph (Bibliographic notes) giving

more details about the origin of the results presented in the section.


2.1 Background

In this section we first review the basic concepts on which the definition of relational

algebra is based: those of Boolean algebra, atomicity and completeness. Then, monotonicity,

continuity and the induction principle of Scott are presented in the context of

Boolean algebras; these notions will be useful for the construction of relational domains

by specifications and for the semantic definition of programming language constructs.

A Boolean algebra is a distributive and complemented lattice (B, ∪, ∩, ¯) where B is

a nonempty set of elements and (∪, ∩, ¯) are the union, intersection and complement

operations, respectively. The zero (or null) element of B is denoted by ∅ and its unit

(or universal) element by L. The elements of B are ordered by inclusion, denoted by ⊆.

The following laws (where x, y, z ∈ B) are valid in any Boolean algebra. (As usual, the

complement operation has higher priority, followed by intersection, and then union.)

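$$
\begin{array}{lll}
(x \cup y) \cup z = x \cup (y \cup z) & (x \cap y) \cap z = x \cap (y \cap z) & \text{associativity} \\
x \cup y = y \cup x & x \cap y = y \cap x & \text{commutativity} \\
x \cup (x \cap y) = x & x \cap (x \cup y) = x & \text{absorption} \\
x \cup x = x & x \cap x = x & \text{idempotence} \\
x \cup (y \cap z) = (x \cup y) \cap (x \cup z) & x \cap (y \cup z) = (x \cap y) \cup (x \cap z) & \text{distributivity} \\
\emptyset \cup x = x & \emptyset \cap x = \emptyset & \\
L \cup x = L & L \cap x = x & \\
x \cup \overline{x} = L & x \cap \overline{x} = \emptyset & \\
\overline{x \cup y} = \overline{x} \cap \overline{y} & \overline{x \cap y} = \overline{x} \cup \overline{y} & \text{de Morgan's laws} \\
\overline{\overline{x}} = x & x = y \Leftrightarrow x \subseteq y \wedge y \subseteq x & \\
x \subseteq x & x \subseteq y \wedge y \subseteq z \Rightarrow x \subseteq z & \\
\emptyset \subseteq x \subseteq L & x \cap y \subseteq x \subseteq x \cup y & \\
x \subseteq z \wedge y \subseteq z \Rightarrow x \cup y \subseteq z & x \subseteq y \wedge x \subseteq z \Rightarrow x \subseteq y \cap z & \\
x \subseteq y \Rightarrow x \cup z \subseteq y \cup z & x \subseteq y \Rightarrow x \cap z \subseteq y \cap z & \text{monotonicity} \\
\multicolumn{3}{l}{x \subseteq y \Leftrightarrow x \cap y = x \Leftrightarrow x \cup y = y \Leftrightarrow L = \overline{x} \cup y \Leftrightarrow x \cap \overline{y} = \emptyset \Leftrightarrow \overline{y} \subseteq \overline{x}.}
\end{array}
\tag{2.1}
$$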

To these laws, we add the axiom ∅ ≠ L (as does [Tarski 41]), to get rid of the degenerate

case ∅ = L. Though this restriction is not necessary, it simplifies the presentation of the

relational algebra.


A Boolean algebra can also be viewed as a partial order (B,⊆) where the least upper

bound (greatest lower bound) of x and y is given by x ∪ y (x ∩ y). Let ⋃S (⋂S) denote

the least upper bound (greatest lower bound) of the elements in the set S ⊆ B. If ⋃S and

⋂S exist for any S ⊆ B, then the Boolean algebra B is said to be complete.

In a complete Boolean algebra, some of the laws in 2.1 can be generalized. Let S and

T be any subsets of B. Then,

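$$
\begin{array}{ll}
x \cup (\bigcap S) = \bigcap \{x \cup s \mid s \in S\} & x \cap (\bigcup S) = \bigcup \{x \cap s \mid s \in S\} \\
(\bigcup S) \cap (\bigcup T) = \bigcup \{s \cap t \mid s \in S \wedge t \in T\} & (\bigcap S) \cup (\bigcap T) = \bigcap \{s \cup t \mid s \in S \wedge t \in T\} \\
x \cup (\bigcup S) = \bigcup \{x \cup s \mid s \in S\} & x \cap (\bigcap S) = \bigcap \{x \cap s \mid s \in S\} \\
\overline{\bigcup S} = \bigcap \{\overline{s} \mid s \in S\} & \overline{\bigcap S} = \bigcup \{\overline{s} \mid s \in S\} \\
\emptyset = \bigcap B & L = \bigcup B \\
s \in S \Rightarrow \bigcap S \subseteq s \subseteq \bigcup S & (\forall s \in S : x \subseteq s \subseteq y) \Rightarrow x \subseteq \bigcap S \wedge \bigcup S \subseteq y \\
(\forall s \in S : \exists t \in T : s \subseteq t) \Rightarrow \bigcup S \subseteq \bigcup T & (\forall s \in S : \exists t \in T : t \subseteq s) \Rightarrow \bigcap T \subseteq \bigcap S.
\end{array}
\tag{2.2}
$$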

When $S = \{s_i \mid i \in I\}$ for some index set I, the notation $\bigcup_{i \in I} s_i$ stands for $\bigcup S$. Another

usual convention is that $\bigcap \{\} = L$ and $\bigcup \{\} = \emptyset$.

In the sequel, the laws in 2.1 and 2.2 will be referred to collectively as Boolean laws.

An element a of a Boolean algebra B is called an atom iff

∀x ∈ B : ∅ ≠ x ⊆ a ⇒ x = a.

A Boolean algebra is atomic, iff for every ∅ ≠ x ∈ B there is an atom a ⊆ x. Obviously,

a, b atoms ∧ a ≠ b ⇒ a ∩ b = ∅.

Also,

a atom ∧ a ⊆ x ∪ y ⇒ a ⊆ x ∨ a ⊆ y

and, in general

a atom ∧ a ⊆ ⋃S ⇒ (∃s ∈ S : a ⊆ s).

In a complete atomic Boolean algebra B, every element is representable as the least

upper bound ⋃S of the set S of the atoms that it contains: x = ⋃{a | a atom ∧ a ⊆ x}.

Furthermore, B is isomorphic to the lattice of all subsets of some set T .

Let B and B′ be two Boolean algebras. A function f : B → B′ is monotonic iff

x ⊆ y ⇒ f(x) ⊆ f(y).


The function f is continuous iff

$$f\Big(\bigcup_{k \ge 0} x_k\Big) = \bigcup_{k \ge 0} f(x_k)$$

for any ascending chain $x_0 \subseteq x_1 \subseteq x_2 \subseteq \cdots$ of elements of B. A function of several

variables is continuous iff it is continuous in each of its variables separately.

For example, f(x) = x ∪ y and g(x) = x ∩ y are monotonic and continuous (by the

laws given above in 2.1 and 2.2), but $f(x) = \overline{x}$ is neither.

The composition of continuous functions is continuous; e.g., if f(x, y), g(x, y) and

h(x, y, z) are continuous, then f(g(x, y), h(y, x, y)) and f(x, x) are continuous. All monotonic

functions on finite Boolean algebras are continuous. Note that continuity implies

monotonicity.

A fixpoint of a total function f : S → S is an element s ∈ S for which f(s) = s. A

theorem of Tarski [Tarski 55] states that every monotonic function f on a complete lattice

has a complete lattice of fixpoints—and hence has a minimal one. This least fixpoint will

be denoted by µ(f) or by (µx, f(x)). If the function f is continuous, its least fixpoint can

be given under the following form:

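$$\mu(f) = \bigcup_{k=0}^{\infty} f^k(\emptyset), \tag{2.3}$$

where $f^0(\emptyset) = \emptyset$ and $f^{n+1}(\emptyset) = f(f^n(\emptyset))$. Because f is monotonic and ∅ ⊆ f(∅), one can

show by induction that the sequence $\emptyset, f(\emptyset), f^2(\emptyset), f^3(\emptyset), \ldots$ is an increasing chain.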
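The iteration of equation 2.3, as an added Python example that is not part of the thesis: relations on a four-element set are modelled as sets of pairs, and the names `compose`, `kleene_chain`, `scott_induction`, `closure_step` and the sample relation `R` are assumptions made here. It computes the least fixpoint of f(X) = R ∪ RX, checks the premises of Scott's induction principle along the chain, and shows that complementation does not produce an increasing chain.

```python
from itertools import product


def compose(q, r):
    """Composition QR of two relations given as sets of pairs."""
    return frozenset((x, y) for (x, z) in q for (w, y) in r if z == w)


def kleene_chain(f, bottom=frozenset(), max_steps=10_000):
    """Return the chain bottom, f(bottom), f^2(bottom), ... up to stabilisation.

    The last entry is the least fixpoint of equation 2.3. A ValueError is
    raised as soon as an iterate fails to contain its predecessor, which is
    what happens for a non-monotonic f such as complementation.
    """
    chain = [frozenset(bottom)]
    for _ in range(max_steps):
        nxt = frozenset(f(chain[-1]))
        if not chain[-1] <= nxt:
            raise ValueError("iterates are not an increasing chain")
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)
    raise RuntimeError("no fixpoint reached within max_steps")


def scott_induction(f, p):
    """Check the premises of (2.5): p(0) and p(f^n(0)) => p(f^(n+1)(0)).

    On a finite algebra every chain is finite, so every predicate is
    admissible and a True result lets us conclude p(mu(f)).
    """
    chain = kleene_chain(f)
    base = p(chain[0])
    step = all((not p(a)) or p(b) for a, b in zip(chain, chain[1:]))
    return base and step


# Constructed sample data: a successor-like relation on {0, 1, 2, 3}.
CARRIER = range(4)
L = frozenset(product(CARRIER, CARRIER))   # universal relation
R = frozenset({(0, 1), (1, 2), (2, 3)})


def closure_step(x):
    """f(X) = R ∪ RX: built from union and composition only, hence continuous."""
    return R | compose(R, x)


def complement_step(x):
    """f(X) = complement of X: neither monotonic nor continuous."""
    return L - x


def transitive_closure():
    """Least fixpoint of closure_step, i.e. the union of R^n for n >= 1."""
    return kleene_chain(closure_step)[-1]


def below_strict_order(x):
    """Predicate p(X): every pair <a, b> in X satisfies a < b."""
    return all(a < b for a, b in x)


if __name__ == "__main__":
    for k, step in enumerate(kleene_chain(closure_step)):
        print(f"f^{k}(0) =", sorted(step))
    print("p holds for the least fixpoint:",
          scott_induction(closure_step, below_strict_order))
```
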

A predicate p on a Boolean algebra B is called admissible iff for every increasing chain

C in B the following condition holds:

$$(\forall x \in C : p(x)) \Rightarrow p\big(\textstyle\bigcup C\big). \tag{2.4}$$

If p is an admissible predicate and f : B → B is a continuous function, then one can prove

the Induction Principle of Scott (also called Fixpoint Induction Principle); this principle

states that

$$p(\emptyset) \wedge (\forall n \ge 0 : p(f^n(\emptyset)) \Rightarrow p(f^{n+1}(\emptyset))) \Rightarrow p(\mu(f)). \tag{2.5}$$

Bibliographic notes. The material on Boolean algebras and the notion of atomicity is

drawn mainly from [Schmidt 85a] and [Skornjakov 77]. Complete lattices are discussed

in [Loeckx 87, Schmidt 85a, Skornjakov 77, Stoy 77]. Monotonicity, continuity and fixpoint

properties are studied in [Loeckx 87, Schmidt 85a, Stoy 77]. Finally, [Loeckx 87]

and [Stoy 77] introduce the induction principle of Scott. We have defined atomicity, completeness,

monotonicity, continuity and Scott’s induction principle for Boolean algebras;

the above mentioned authors usually present these notions in less restricted contexts, like

general lattices or partial orders.

2.2 Definition of Relational Algebra

In this section, we give the definition of a heterogeneous relational algebra and present

two important models of relational algebra that will be used throughout the thesis to give

examples. We then prove some basic laws.

Definition 2.1. An (abstract) relational algebra is a structure ($\mathcal{R}$,∪,∩, , , ) over a non

empty set $\mathcal{R}$ of elements, called relations. The following conditions are satisfied.

1. Every relation R belongs to a subset $\mathcal{R}_R$ of $\mathcal{R}$ such that ($\mathcal{R}_R$, ∪, ∩, ¯) is a complete

atomic Boolean algebra. The set $\{\mathcal{R}_R \mid R \in \mathcal{R}\}$ is a partition of $\mathcal{R}$. We will say that

relations Q and R are compatible iff $Q \in \mathcal{R}_R$. We will call $\mathcal{R}_R$ a domain; hence, two

relations are compatible iff they belong to the same domain.

2. For every relation R there exists a converse relation $R^{\smile}$ (we will write (R) rather than

(R) for parenthesized expressions). If $R^{\smile} \in \mathcal{R}_R$, then R is said to be homogeneous.

A non homogeneous relation is heterogeneous.

3. Given two relations Q, R belonging to suitable domains $\mathcal{R}_Q$ and $\mathcal{R}_R$ respectively,

a composition operation Q R is defined. The existence of a composition Q R

implies that P R is defined for all relations $P \in \mathcal{R}_Q$. Composition has the following

properties:

(a) P (Q R) = (P Q) R (associativity);

(b) there exist right and left identities, both denoted by I, for every set $\mathcal{R}_R$ of

relations: R I = I R = R;

(c) the compositions Q R and R Q are both defined iff $Q^{\smile} \in \mathcal{R}_R$ (hence $R^{\smile}$ R

and R $R^{\smile}$ are always defined).

4. The Schröder rule $P\,Q \subseteq R \Leftrightarrow P^{\smile}\,\overline{R} \subseteq \overline{Q} \Leftrightarrow \overline{R}\,Q^{\smile} \subseteq \overline{P}$ holds whenever one of the

three expressions is defined.


5. L R L = L holds for every R ≠ ∅ (Tarski rule). □

For simplicity, the universal, null, and identity elements are all denoted by L, ∅, I (respectively), unless we wish to denote a particular one, in which case we attach subscripts

to it. Note that binds more tightly than either ∪ or ∩ and that binds like . From now

on, the composition operator symbol will be omitted (that is, we write QR for Q R);

it will be reintroduced in chapter 3 where we start using relation names that have more

than one character.

The algebra of binary relations between various sets is an important model of an

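abstract relational algebra. Let $S_1, \ldots, S_n$ be sets. Then

$$\mathcal{R} \stackrel{\mathrm{def}}{=} \{R \mid R \subseteq S_i \times S_j,\ 1 \le i, j \le n\}$$

is a relational algebra. The relations Q and R are compatible iff $Q \subseteq S_i \times S_j$ and $R \subseteq S_i \times S_j$ for some i, j. A relation R is homogeneous iff $R \subseteq S_i \times S_i$ for some i. The composition

QR is defined iff $Q \subseteq S_i \times S_j$ and $R \subseteq S_j \times S_k$ for some i, j, k. Composition, converse and

the constant relations are defined by

$$
\begin{array}{l}
QR = \{\langle x, y\rangle \mid \exists z : \langle x, z\rangle \in Q \wedge \langle z, y\rangle \in R\}, \\
R^{\smile} = \{\langle x, y\rangle \mid \langle y, x\rangle \in R\}, \\
\emptyset_{i,j} = \{\} \subseteq S_i \times S_j, \\
L_{i,j} = S_i \times S_j, \\
I_i = \{\langle x, x\rangle \mid x \in S_i\}.
\end{array}
$$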

The algebra of Boolean matrices is another important model of relational algebra.

We will use as examples matrices whose entries are values from the two-element Boolean

algebra {∅, L}. Two matrices are compatible iff they have the same size. The composition

QR is defined iff the number of columns of Q is equal to the number of rows of R. The

homogeneous matrices are the square ones. Let R[i, j] denote the entry of row i, column

j of R. Then, composition, converse and the constant relations are defined by

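$$
\begin{array}{l}
(QR)[i, j] = \bigcup_k Q[i, k] \cap R[k, j], \\
(Q^{\smile})[i, j] = Q[j, i] \quad \text{(this is just matrix transposition)}, \\
\emptyset[i, j] = \emptyset, \\
L[i, j] = L, \\
I[i, j] = \begin{cases} L & \text{if } i = j \quad \text{($I$ must be a square matrix)}, \\ \emptyset & \text{otherwise.} \end{cases}
\end{array}
$$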


We illustrate these definitions with a few examples.

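$$
I_{3 \times 3} = \begin{pmatrix} L & \emptyset & \emptyset \\ \emptyset & L & \emptyset \\ \emptyset & \emptyset & L \end{pmatrix}, \quad
\emptyset_{2 \times 3} = \begin{pmatrix} \emptyset & \emptyset & \emptyset \\ \emptyset & \emptyset & \emptyset \end{pmatrix}, \quad
L_{3 \times 2} = \begin{pmatrix} L & L \\ L & L \\ L & L \end{pmatrix},
$$

$$
\begin{pmatrix} L & \emptyset \\ \emptyset & L \\ \emptyset & L \end{pmatrix}^{\smile} = \begin{pmatrix} L & \emptyset & \emptyset \\ \emptyset & L & L \end{pmatrix}, \quad
\begin{pmatrix} L & \emptyset & \emptyset \\ \emptyset & L & L \end{pmatrix} \begin{pmatrix} L & \emptyset \\ \emptyset & L \\ L & \emptyset \end{pmatrix} = \begin{pmatrix} L & \emptyset \\ L & L \end{pmatrix}.
$$

From the axioms of definition 2.1, the usual rules of the algebra of relations can be

derived.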

Theorem 2.2. The following rules hold in every relational algebra R, provided that the

various expressions are defined; i.e., the relations must belong to the appropriate domains

of R. The index set X used in 3,4,9 and 10 need not be finite.

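1. ∅R = R∅ = ∅.

2. Monotonicity of :

$$Q \subseteq R \Rightarrow PQ \subseteq PR, \qquad Q \subseteq R \Rightarrow QP \subseteq RP.$$

3. Subdistributivity of over ∩:

$$P(Q \cap R) \subseteq PQ \cap PR, \qquad (P \cap Q)R \subseteq PR \cap QR,$$

$$Q\Big(\bigcap_{n \in X} R_n\Big) \subseteq \bigcap_{n \in X} QR_n, \qquad \Big(\bigcap_{n \in X} R_n\Big)Q \subseteq \bigcap_{n \in X} R_nQ.$$

4. Distributivity of over ∪:

$$P(Q \cup R) = PQ \cup PR, \qquad (P \cup Q)R = PR \cup QR,$$

$$Q\Big(\bigcup_{n \in X} R_n\Big) = \bigcup_{n \in X} QR_n, \qquad \Big(\bigcup_{n \in X} R_n\Big)Q = \bigcup_{n \in X} R_nQ.$$

5. $(R^{\smile})^{\smile} = R$.

6. $(QR)^{\smile} = R^{\smile}Q^{\smile}$.

7. Monotonicity of $^{\smile}$:

$$Q \subseteq R \Leftrightarrow Q^{\smile} \subseteq R^{\smile}.$$

8. $\overline{R}^{\smile} = \overline{R^{\smile}}$.

9. $(Q \cup R)^{\smile} = Q^{\smile} \cup R^{\smile}, \qquad \Big(\bigcup_{n \in X} R_n\Big)^{\smile} = \bigcup_{n \in X} R_n^{\smile}.$

10. $(Q \cap R)^{\smile} = Q^{\smile} \cap R^{\smile}, \qquad \Big(\bigcap_{n \in X} R_n\Big)^{\smile} = \bigcap_{n \in X} R_n^{\smile}.$

11. $I^{\smile} = I$.

12. $\emptyset^{\smile}$ is a null relation,

$\emptyset^{\smile} = \emptyset$ if ∅ is homogeneous.

13. $L^{\smile}$ is a universal relation,

$L^{\smile} = L$ if L is homogeneous.

14. Dedekind rule:

$$PQ \cap R \subseteq (P \cap RQ^{\smile})(Q \cap P^{\smile}R).$$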

Proof.

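1. $R\emptyset \subseteq \emptyset \Leftrightarrow R^{\smile}L \subseteq L$   Schröder rule (definition 2.1(4)), Boolean laws.

$\emptyset R \subseteq \emptyset \Leftrightarrow LR^{\smile} \subseteq L$   for the same reasons.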


Notice that, as mentioned after definition 2.1, the two symbols ‘∅’ used in the last

equivalence may denote different null relations (and similarly for the two ‘L’ sym-

bols).

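2. $PR \subseteq PR \Leftrightarrow P^{\smile}\overline{PR} \subseteq \overline{R}$   Schröder rule;

$\Rightarrow P^{\smile}\overline{PR} \subseteq \overline{Q}$   Boolean laws, hypothesis;

$\Leftrightarrow PQ \subseteq PR$   Schröder rule.

$RP \subseteq RP \Leftrightarrow \overline{RP}P^{\smile} \subseteq \overline{R} \Rightarrow \overline{RP}P^{\smile} \subseteq \overline{Q} \Leftrightarrow QP \subseteq RP$.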

3. We will give the proof of the 3rd inclusion only. The other proofs are similar. Note

that the required intersections exist and are unique, by definition of a complete

boolean lattice.

$Q\big(\bigcap_{n \in X} R_n\big) \subseteq QR_n$ for all n ∈ X   Boolean laws, part 2 of this theorem;

$\Rightarrow Q\big(\bigcap_{n \in X} R_n\big) \subseteq \bigcap_{n \in X} QR_n$   Boolean laws.

4. We prove the third equation only. Firstly,

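$QR_n \subseteq Q\big(\bigcup_{n \in X} R_n\big)$ for all n ∈ X   Boolean laws, part 2 of this theorem;

$\Rightarrow \bigcup_{n \in X} QR_n \subseteq Q\big(\bigcup_{n \in X} R_n\big)$   Boolean laws.

Secondly, by the Schröder rule, $QR_n \subseteq QR_n \Leftrightarrow Q^{\smile}\overline{QR_n} \subseteq \overline{R_n}$; hence,

$Q^{\smile}\,\overline{\bigcup_{n \in X} QR_n} = Q^{\smile}\big(\bigcap_{n \in X} \overline{QR_n}\big)$   Boolean laws;

$\subseteq \bigcap_{n \in X} Q^{\smile}\overline{QR_n}$   part 3;

$\subseteq \bigcap_{n \in X} \overline{R_n}$

$= \overline{\bigcup_{n \in X} R_n}$   Boolean laws;

$\Leftrightarrow Q\big(\bigcup_{n \in X} R_n\big) \subseteq \bigcup_{n \in X} QR_n$   Schröder rule.

The proofs of 5, 6 and 7 repetitively use the definition of identity, the Schröder rule

and some Boolean laws (in particular $\overline{\overline{R}} = R$ and $Q \subseteq R \Leftrightarrow \overline{R} \subseteq \overline{Q}$).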

5. RI ⊆ R⇔ RR ⊆ I ⇔ RI ⊆ R⇔

R ⊆ R;RI ⊆

R⇔ RR ⊆ I ⇔ RI ⊆

R⇔ R ⊆ R.

6. (QR)I ⊆ (QR) ⇔ QR(QR) ⊆ I ⇔ QI ⊆ R(QR) ⇔ R(QR) ⊆ Q⇔ RQ ⊆ (QR);

RQ ⊆ RQ⇔ RRQ ⊆ Q⇔ Q ⊆ RRQ⇔ QI ⊆ RRQ⇔ QRRQ ⊆ I⇔ (QR) ⊆ RQ.


7. RI ⊆ R⇔ RR ⊆ I ⇔ IR ⊆ R⇒ I

R ⊆ Q⇔ QR ⊆ I ⇔ QI ⊆ R⇔ Q ⊆ R;

RI ⊆ R⇔ RR ⊆ I ⇔ IR ⊆ R⇒ IR ⊆ Q⇔ QR ⊆ I ⇔ QI ⊆ R⇔ Q ⊆ R.

8. By the Schröder rule and the definition of identity

RI ⊆ R⇔ RR ⊆ I ⇔ IR ⊆ R⇔ R ⊆ R.

The same derivation with R instead of R yieldsR ⊆ R. But, by parts 5 and 7,

R ⊆ R⇔

R ⊆ R⇔ R ⊆ R.

9. Only the second equation will be proved. Let P =⋃n∈X Rn. Then, by the Schröder

rule, for all n,

IRn ⊆ P ⇔ PRn ⊆ I.

Therefore,

P (⋃n∈X Rn) =

⋃n∈X PRn ⊆ I part 4 of this theorem, Boolean laws;

⇔ I(⋃n∈X Rn) ⊆ P Schröder rule;

⇔ (⋃n∈X Rn) ⊆ ⋃n∈X Rn definition of P and identity.

In the other direction, by part 7 and the Boolean identity (∀n ∈ X : Rn ⊆⋃n∈X Rn),

we have, for all n ∈ X,

Rn ⊆ (⋃n∈X

Rn),from which ⋃

n∈XRn ⊆ (

⋃n∈X

Rn).10. Again, only the proof of the second case is presented.

(⋂n∈X Rn) = (

⋃n∈X Rn) Boolean laws;

= (⋃n∈X Rn) part 8;

=⋃n∈X Rn part 9;

=⋃n∈X Rn part 8;

=⋂n∈X Rn Boolean laws.

11. By the definition of identity, the Schröder rule and the Boolean laws, we derive

II ⊆ I ⇔ II ⊆ I ⇔ I ⊆ I ⇔ I ⊆ I .

Conversion gives I ⊆ I = I, by parts 5 and 7.


12. Let ∅1 ⊆ ∅2; by part 7 this is equivalent to ∅1 ⊆∅2; by part 5, ∅1 ⊆ ∅2 which means

that ∅1 is a null relation. If ∅ is homogeneous, ∅ ⊆ ∅ and ∅ ⊆ ∅, i.e. ∅ = ∅.

13. By the Boolean laws and parts 8 and 12,

L1 = ∅1 = ∅1 = ∅2 = L2.

If L is homogeneous, this implies L = L.

14. By the Boolean laws and part 4,

PQ = [(P ∩RQ) ∪ (P ∩RQ)][(Q ∩ PR) ∪ (Q ∩ PR)]

= (P ∩RQ)(Q ∩ PR) ∪ (P ∩RQ)(Q ∩ PR)∪(P ∩RQ)(Q ∩ PR) ∪ (P ∩RQ)(Q ∩ PR).

By the Schröder rule,

PR ⊆ PR⇔ PPR ⊆ R,

so that for the second term we have (using part 2)

(P ∩RQ)(Q ∩ PR) ⊆ PPR ⊆ R.

Similarly,

RQ ⊆ RQ⇔ RQQ ⊆ R

so that, for the third term

(P ∩RQ)(Q ∩ PR) ⊆ RQQ ⊆ R

and for the fourth term

(P ∩RQ)(Q ∩ PR) ⊆ RQQ ⊆ R.

Because the last 3 terms are bounded by R,

PQ ∩R ⊆ ((P ∩RQ)(Q ∩ PR) ∪R) ∩R ⊆ (P ∩RQ)(Q ∩ PR). □

In the statement of theorem 2.2, we have explicitly made the validity of the laws

conditional to the definedness of the expressions involved. In the sequel, we take this

restriction for granted and do not usually mention it.


A fact that follows from the above proof is the following. Let R be a homogeneous

relation; then $\mathcal{R}_R$ contains an identity relation. This is because, from R = RI and $R \in \mathcal{R}_R$,

we find that the composition RI is defined. Since $(RI)^{\smile} = I^{\smile}R^{\smile} = IR^{\smile}$ (by parts 6 and 11),

the composition $IR^{\smile}$ is also defined. By definition 2.1(3c) this means that $I \in \mathcal{R}_R$.

As a consequence of parts 4 and 9 of this theorem, the composition and conversion

operators are continuous. This is also true of union and intersection operators, but not of

complementation, as was noted in the previous section. Let $f : \mathcal{R}_Q \to \mathcal{R}_R$ be a function

such that the complementation operator is not used on any subexpression containing

the free variable in the expression of f . Then f is continuous, since the (functional)

composition of continuous functions is continuous.

In the sequel, we will often refer to parts 2,3,4,7, and 14 of the above theorem by their

names, e.g. ‘monotonicity of ’ or ‘Dedekind rule’. Moreover, no justifications will be given

for a derivation step that uses the definition of identity or the Boolean laws, since their

use is obvious.

Remark 2.3. Another notational warning is that we will usually not distinguish between

$\emptyset^{\smile}$ and ∅ and write ∅ for both of them, since both are null relations. Similarly, $L^{\smile}$ is a

universal element and we will denote it by the symbol L.

Finally, let $L_1$ be a universal relation with right identity $I_2 \subseteq L_2$. Then, $L_1 = L_1I_2 \subseteq L_1L_2 \subseteq L_1$, whence $L_1 = L_1L_2$. The result is that we can write an arbitrary L as LL.

The reverse substitution can also be made. That is, one can replace $L_1L_2$ by L. In effect,

let $I_3 \subseteq L_3$ be the right identity of $L_2$. Then $L_1L_2 = L_1L_2L_3 = L$, by the Tarski rule and

the axiom $L_2 \ne \emptyset$ (see section 2.1). □

The next theorem proves some other useful facts that will be needed later on.

Theorem 2.4.

1. (P ∩ QL)R = PR ∩ QL and P(Q ∩ LR) = PQ ∩ LR.

2. $(P \cap LQ)R = P(R \cap Q^{\smile}L)$.

3. QL ∩ LR = QLR.

4. PLQ ∩ RLS = (PL ∩ RL)(LQ ∩ LS).

5. $P \subseteq R \wedge R = R^{\smile}R \Rightarrow PQ \cap R = P(Q \cap R)$.


6. $(PQ \cap R)L = (PQ \cap R)Q^{\smile}L$.

7. $\overline{RL} = \overline{RL}\,L$ and $\overline{LR} = L\,\overline{LR}$.

Proof.

1. (P ∩QL)R ⊆ PR ∩QLR subdistributivity of ∩;

⊆ PR ∩QL LR ⊆ L, monotonicity of ;⊆ (P ∩QLR)(R ∩ PQL) Dedekind rule;

⊆ (P ∩QL)R LR ⊆ L, monotonicity of .P (Q ∩ LR) ⊆ PQ ∩ PLR ⊆ PQ ∩ LR ⊆ (P ∩ LRQ)(Q ∩ PLR) ⊆ P (Q ∩ LR).

2. (P ∩ LQ)R = (P ∩ LQ)R ∩ L⊆ (P ∩ LQ ∩ LR)(R ∩ (P ∩ LQ)L) Dedekind rule;

⊆ P (R ∩ (P ∩QL)L) theorem 2.2(2,5,6,10);

⊆ P (R ∩QLL) monotonicity of ;⊆ P (R ∩QL) = P (R ∩QL) ∩ L LL ⊆ L;

⊆ (P ∩ L(R ∩QL))(R ∩QL ∩ PL) Dedekind rule;

⊆ (P ∩ L(QL))R monotonicity of and ;

⊆ (P ∩ LQ)R theorem 2.2(6), LL ⊆ L .

3. By part 1, QL ∩ LR = (QL ∩ L)R = QLR.

4. From remark 2.3 and parts 1 and 3, we deduce

PLQ ∩RLS = PL ∩ LQ ∩RL ∩ LS = (P ∩RL)L ∩ L(Q ∩ LS)

= (P ∩RL)L(Q ∩ LS) = (P ∩RL)LL(Q ∩ LS)

= (PL ∩RL)(LQ ∩ LS).

5. PQ ∩R ⊆ (P ∩RQ)(Q ∩ PR) Dedekind rule;

⊆ P (Q ∩ RR) hypothesis P ⊆ R, monotonicity of and ;

= P (Q ∩R) ⊆ PQ ∩ PR hypothesis R = RR, ∩-subdistributivity;

⊆ PQ ∩ RR P ⊆ R = RR = R, monotonicity of ;= PQ ∩R.

6. Because QL ⊆ L the inclusion ⊇ holds trivially. In the other direction,


(PQ ∩R)L = (PQ ∩R)(QL ∪ QL)

= (PQ ∩R)QL ∪ (PQ ∩R)QL ∪-distributivity;

⊆ (PQ ∩R)QL ∪ PQQL monotonicity of ;

= (PQ ∩R)QL since by the Schröder rule, QL ⊆ QL⇔ QQL ⊆ ∅.

7. The inclusion RL = RLI ⊆ RLL holds by monotonicity of composition. In the

other direction, LL ⊆ L implies RLL ⊆ RL; by the Schröder rule, this is equivalent

to RLL ⊆ RL. The proof of LR = LLR is similar. □

In terms of relations on sets, the expression P ∩ QL, appearing in part 1 of the last

theorem, can be interpreted as the pre-restriction of P to the definition domain of Q.

In terms of matrices, it can be interpreted as the matrix P with some rows masked, as

determined by Q. Similarly, the expression P ∩ LQ is the post-restriction of P to the

range of Q, or the matrix P with some columns masked.

Because of their relationships with the corresponding set theoretical notions, the relations

RL and $R^{\smile}L$ will be called the definition domain (not to be confused with the domain

$\mathcal{R}_R$ of R) and the range of R, respectively¹. As will be seen in section 2.5, RL and $R^{\smile}L$

are vectors.

Before closing this section, we recall a standard notation. For n ≥ 0, the n-th power

of a homogeneous relation R is $R^0 \stackrel{\mathrm{def}}{=} I$, $R^{n+1} \stackrel{\mathrm{def}}{=} RR^n$.

Bibliographic notes. Homogeneous abstract relational algebra was introduced by Tarski

who called it a calculus of relations [Tarski 41]. The definition of heterogeneous algebras

given above comes, with minor variations, from [Berghammer 86, Schmidt 81, Schmidt 85].

Most of the statements and proofs related to theorem 2.2 are given in [Schmidt 85]. The

proofs of parts 1 and 2 of theorem 2.4 can be found in [Schmidt 81].

2.3 Properties of Relations

In this section, characterizations of various properties of relations are given (definition 2.5).

They will allow us to distinguish between total and partial relations, between deterministic

and non deterministic ones, etc. Also, different morphisms between domains of a relational

algebra R will be described (definition 2.7).

¹ Strictly speaking, we should say that RL is a definition domain of R rather than the definition domain

of R, since L is undetermined. This will create no confusion.

Definition 2.5. A relation R is deterministic iff $R^{\smile}R \subseteq I$ (by the Schröder rule, this is

equivalent to $R\overline{I} \subseteq \overline{R}$). It is total iff $I \subseteq RR^{\smile}$ (equivalently, L = RL or $\overline{R} \subseteq R\overline{I}$, as is

shown below in theorem 2.6(1)). A mapping is a total and deterministic relation and is

thus characterized by $R\overline{I} = \overline{R}$. A relation R is injective iff $R^{\smile}$ is deterministic (i.e. $RR^{\smile} \subseteq I$);

it is surjective iff $R^{\smile}$ is total (i.e. $I \subseteq R^{\smile}R$, or LR = L, or $\overline{R} \subseteq \overline{I}R$); it is bijective iff it is

surjective and injective. □

When applied to a concrete algebra of relations between sets, these definitions correspond

exactly to the usual ones. For instance, a consequence of R being total is that

Q ≠ ∅ ⇒ QR ≠ ∅.

This is easily shown to be true in the abstract setting: Assume by way of contradiction

that QR = ∅; the following derivation shows that this implies Q = ∅, contrary to the

premise. The derivation uses the Schröder rule and the totality of R.

$$QR \subseteq \emptyset \Leftrightarrow LR^{\smile} \subseteq \overline{Q} \Leftrightarrow (RL)^{\smile} \subseteq \overline{Q} \Leftrightarrow L \subseteq \overline{Q} \Leftrightarrow Q \subseteq \emptyset.$$

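Boolean matrices help in visualizing these properties. In the next example, P is deterministic

(at most one L in each row), Q is total (at least one L in each row) and R

is a mapping (exactly one L in each row). By transposing the matrices, one obtains an

example of the dual properties (injectivity, surjectivity, bijectivity).

$$
P = \begin{pmatrix} \emptyset & \emptyset & \emptyset \\ \emptyset & L & \emptyset \\ L & \emptyset & \emptyset \\ \emptyset & \emptyset & \emptyset \end{pmatrix}, \quad
Q = \begin{pmatrix} L & L & \emptyset \\ \emptyset & L & \emptyset \\ L & L & L \\ \emptyset & \emptyset & L \end{pmatrix}, \quad
R = \begin{pmatrix} L & \emptyset & \emptyset \\ \emptyset & \emptyset & L \\ \emptyset & L & \emptyset \\ \emptyset & L & \emptyset \end{pmatrix}.
$$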
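The Boolean-matrix model of section 2.2 and the properties of definition 2.5, as an added Python example that is not part of the thesis: entries are `True` for L and `False` for ∅, and all function names (`M`, `compose`, `schroder_holds`, `count_rule_violations`, and so on) are assumptions made here. It checks the Schröder rule and the Dedekind rule on seeded random matrices of compatible sizes and classifies the matrices P, Q and R shown above.

```python
import random


def M(*rows):
    """Build a Boolean matrix from strings: 'L' is the unit L, '.' is the zero."""
    return [[c == "L" for c in row] for row in rows]


def compose(q, r):
    """(QR)[i][j] = OR over k of Q[i][k] AND R[k][j]."""
    if len(q[0]) != len(r):
        raise ValueError("QR is undefined: columns of Q != rows of R")
    return [[any(q[i][k] and r[k][j] for k in range(len(r)))
             for j in range(len(r[0]))] for i in range(len(q))]


def converse(r):
    """Converse is matrix transposition."""
    return [list(col) for col in zip(*r)]


def complement(r):
    return [[not e for e in row] for row in r]


def meet(q, r):
    return [[a and b for a, b in zip(x, y)] for x, y in zip(q, r)]


def leq(q, r):
    """Inclusion Q ⊆ R: entrywise implication."""
    return all(b or not a for x, y in zip(q, r) for a, b in zip(x, y))


def identity(n):
    return [[i == j for j in range(n)] for i in range(n)]


def schroder_holds(p, q, r):
    """The three inclusions of the Schröder rule must agree in truth value."""
    a = leq(compose(p, q), r)
    b = leq(compose(converse(p), complement(r)), complement(q))
    c = leq(compose(complement(r), converse(q)), complement(p))
    return a == b == c


def dedekind_holds(p, q, r):
    """PQ ∩ R ⊆ (P ∩ R Q^conv)(Q ∩ P^conv R)."""
    lhs = meet(compose(p, q), r)
    rhs = compose(meet(p, compose(r, converse(q))),
                  meet(q, compose(converse(p), r)))
    return leq(lhs, rhs)


def is_deterministic(r):
    """R^conv R ⊆ I: at most one L in each row."""
    return leq(compose(converse(r), r), identity(len(r[0])))


def is_total(r):
    """I ⊆ R R^conv: at least one L in each row."""
    return leq(identity(len(r)), compose(r, converse(r)))


def is_mapping(r):
    return is_deterministic(r) and is_total(r)


def random_matrix(rng, m, n):
    return [[rng.random() < 0.4 for _ in range(n)] for _ in range(m)]


def count_rule_violations(trials=500, seed=1989):
    """Number of random triples (P: m×n, Q: n×k, R: m×k) breaking either rule."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        m, n, k = (rng.randint(1, 4) for _ in range(3))
        p = random_matrix(rng, m, n)
        q = random_matrix(rng, n, k)
        r = random_matrix(rng, m, k)
        bad += not (schroder_holds(p, q, r) and dedekind_holds(p, q, r))
    return bad


# The three 4×3 matrices of the example above.
P = M("...", ".L.", "L..", "...")
Q = M("LL.", ".L.", "LLL", "..L")
R = M("L..", "..L", ".L.", ".L.")

if __name__ == "__main__":
    for name, mat in (("P", P), ("Q", Q), ("R", R)):
        print(name, "deterministic:", is_deterministic(mat),
              "total:", is_total(mat))
    print("rule violations:", count_rule_violations())
```
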

The next theorem indicates how the properties interact when relations are combined.

Theorem 2.6.

1. $I \subseteq RR^{\smile} \Leftrightarrow L = RL \Leftrightarrow \overline{R} \subseteq R\overline{I}$.


2. (a) Q,R deterministic ⇒ QR deterministic,

(b) Q,R injective ⇒ QR injective,

(c) Q,R total ⇒ QR total,

(d) Q,R surjective ⇒ QR surjective.

3. (a) P deterministic ⇒ P (Q ∩R) = PQ ∩ PR,

(b) P injective ⇒ (Q ∩R)P = QP ∩RP .

4. (a) Q ⊆ R,R deterministic and RL ⊆ QL⇒ Q = R,

(b) Q ⊆ R,R injective and LR ⊆ LQ⇒ Q = R.

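5. (a) P deterministic ⇒ $(Q \cap RP^{\smile})P = QP \cap R$,

(b) P injective ⇒ $P(P^{\smile}Q \cap R) = Q \cap PR$.

6. (a) Q total ⇔ $\overline{QR} \subseteq Q\overline{R}$,

(b) Q deterministic ⇒ $Q\overline{R} \subseteq \overline{QR}$,

(c) Q mapping ⇒ $Q\overline{R} = \overline{QR}$,

(d) R surjective ⇔ $\overline{QR} \subseteq \overline{Q}R$,

(e) R injective ⇒ $\overline{Q}R \subseteq \overline{QR}$,

(f) R bijective ⇒ $\overline{Q}R = \overline{QR}$.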

7. (a) R deterministic ⇒ Q ∩R deterministic,

(b) R injective ⇒ Q ∩R injective,

(c) R total ⇒ Q ∪R total,

(d) R surjective ⇒ Q ∪R surjective.

Proof.

1. I ⊆ RR⇒ R ⊆ RRR composition of each side with R;

⇒ R ⊆ RI Schröder rule: RI ⊆ R⇔ RR ⊆ I;

⇒ L = R ∪R ⊆ RI ∪RI = R(I ∪ I) = RL ∪-distributivity;

⇒ L = RL RL ⊆ L holds trivially;

⇒ I = RL ∩ I ⊆ (R ∩ IL)(L ∩ RI) ⊆ RR Dedekind rule, monotonicity of .


2. (a) (QR)(QR) = RQQR theorem 2.2(6);

⊆ RR Q is deterministic, monotonicity of ;⊆ I R is deterministic.

(b) (QR)(QR) = QRRQ ⊆ QQ ⊆ I.

(c) QRL = QL = L.

(d) LQR = LR = L.

3. (a) P (Q ∩R) ⊆ PQ ∩ PR ∩-subdistributivity;

⊆ (P ∩ PRQ)(Q ∩ PPR) Dedekind rule;

⊆ P (Q ∩R) P is deterministic, monotonicity of .

(b) (Q ∩R)P ⊆ QP ∩RP ⊆ (Q ∩RPP )(P ∩ QRP ) ⊆ (Q ∩R)P .

4. (a) R = RL ∩R ⊆ QL ∩R R = RI ⊆ RL and RL ⊆ QL;

⊆ (Q ∩RL)(L ∩ QR) Dedekind rule;

⊆ QQR ⊆ QRR Q ⊆ R, monotonicity of and ;

⊆ Q R deterministic, monotonicity of .

(b) R = LR ∩R ⊆ LQ ∩R ⊆ (L ∩RQ)(Q ∩ LR) ⊆ RQQ ⊆ RRQ ⊆ Q.

5. (a) (Q ∩RP )P ⊆ QP ∩RPP ∩-subdistributivity;

⊆ QP ∩R P is deterministic, monotonicity of ;⊆ (Q ∩RP )(P ∩ QR) Dedekind rule;

⊆ (Q ∩RP )P monotonicity of .

(b) P (PQ ∩R) ⊆ PPQ ∩ PR ⊆ Q ∩ PR ⊆ (P ∩QR)(R ∩ PQ) ⊆ P (R ∩ PQ).

6. (a) Q total ⇔ L = QL = Q(R ∪R) = QR ∪QR ∪-distributivity;

⇔ ∅ = QR ∩QR by complementing both sides;

⇔ QR ⊆ QR Boolean algebra.

(b) Q deterministic ⇔ QQ ⊆ I ⇒ QQR ⊆ R composition with R on both sides;

⇔ QR ⊆ QR Schröder rule.

(c) Q mapping ⇔ Q total and Q deterministic.

(d) R surjective ⇔ L = LR = (Q ∪Q)R = QR ∪QR⇔ ∅ = QR ∩QR⇔ QR ⊆ QR.

(e) R injective ⇔ RR ⊆ I ⇒ QRR ⊆ Q⇔ QR ⊆ QR.


(f) R bijective ⇔ R surjective and R injective.

7. (a) (Q ∩R)(Q ∩R) ⊆ RR ⊆ I by the monotonicity of and .

(b) (Q ∩R)(Q ∩R) ⊆ RR ⊆ I.

(c) (Q ∪R)L = QL ∪RL = L.

(d) L(Q ∪R) = LQ ∪ LR = L. □

From (3a,b), ∩-distributivity holds at least for restricted cases. By (4a), a relation Q

contained in a deterministic relation R, but having a larger domain than R, is necessarily

equal to R. In (4b) the dual situation occurs.

Definition 2.7. A pair (φ, ψ) of relations is called an isomorphism iff φ and ψ are bijective

mappings; it is a representation morphism iff φ and ψ are total and injective relations (i.e.

$\phi\phi^{\smile} = I$ and $\psi\psi^{\smile} = I$). The pair (φ, ψ) is an isomorphism between Q and R iff it is

an isomorphism and $R = \phi^{\smile}Q\psi$ (this is equivalent to $\phi R = Q\psi$, or to $\phi R\psi^{\smile} = Q$, or to

$R\psi^{\smile} = \phi^{\smile}Q$). The relation $\phi^{\smile}Q\psi$, where (φ, ψ) is a representation morphism, is called a

representation of relation Q. □

By theorem 2.6(2), a composition of isomorphisms (representation morphisms) is again

an isomorphism (representation morphism).

Representation morphisms have an interesting property that will be useful in the sequel.

That property allows one to work with representations of relations rather than with the

relations themselves; the results thus obtained can be interpreted by using the converse of

the representation morphism. This is made more precise by the following theorem.

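Theorem 2.8. Let (φ, ψ) and (ψ, ξ) be representation morphisms. Then,

$$
\begin{array}{lll}
(1) & \phi^{\smile}(Q \cup R)\psi = \phi^{\smile}Q\psi \cup \phi^{\smile}R\psi, & Q \cup R = \phi(\phi^{\smile}Q\psi \cup \phi^{\smile}R\psi)\psi^{\smile}, \\
(2) & \phi^{\smile}(Q \cap R)\psi = \phi^{\smile}Q\psi \cap \phi^{\smile}R\psi, & Q \cap R = \phi(\phi^{\smile}Q\psi \cap \phi^{\smile}R\psi)\psi^{\smile}, \\
(3) & \phi^{\smile}R^{\smile}\psi = (\psi^{\smile}R\phi)^{\smile}, & R^{\smile} = \phi(\psi^{\smile}R\phi)^{\smile}\psi^{\smile}, \\
(4) & \phi^{\smile}(QR)\xi = (\phi^{\smile}Q\psi)(\psi^{\smile}R\xi), & QR = \phi(\phi^{\smile}Q\psi)(\psi^{\smile}R\xi)\psi^{\smile}, \\
(5) & \phi, \psi \text{ surjective} \Rightarrow \phi^{\smile}\overline{R}\psi = \overline{\phi^{\smile}R\psi}, & \overline{R} = \phi\,\overline{\phi^{\smile}R\psi}\,\psi^{\smile}.
\end{array}
$$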

Proof. For items (1) to (4), we prove the equations in the left column; those in the right

column are direct consequences of these.

1. Use ∪-distributivity.


2. Use theorem 2.6(3), the determinism of φ and the injectivity of ψ.

3. This follows from theorem 2.2(5,6).

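4. This is direct from $\psi\psi^{\smile} = I$.

5. If φ and ψ are surjective, then $\phi^{\smile}$ is a mapping and ψ is bijective; by theorem 2.6(6),

this implies the result in the left column.

We now prove the right hand side equation. Firstly, because $\phi^{\smile}$ is deterministic and

ψ is injective, the theorem 2.6(6) can be used to yield

$$\overline{R} = \phi\phi^{\smile}\overline{R}\psi\psi^{\smile} \subseteq \phi\,\overline{\phi^{\smile}R\psi}\,\psi^{\smile}.$$

Secondly,

$\phi^{\smile}R\psi \subseteq \phi^{\smile}R\psi \Leftrightarrow \phi\,\overline{\phi^{\smile}R\psi} \subseteq \overline{R\psi}$   Schröder rule;

$\Leftrightarrow R\psi \subseteq \overline{\phi\,\overline{\phi^{\smile}R\psi}}$

$\Leftrightarrow \phi\,\overline{\phi^{\smile}R\psi}\,\psi^{\smile} \subseteq \overline{R}$   Schröder rule. □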

To find the value of (say) Q ∩ R, one can instead calculate the result of $\phi^{\smile}Q\psi \cap \phi^{\smile}R\psi$.

This last result is a representation of Q ∩ R, as the left hand side of item 2 shows; the

result Q ∩ R can be retrieved by applying the converse of the representation morphism

(right hand side of item 2). The complementation operator behaves differently from the

other ones, unless both φ and ψ are surjective; nevertheless, it is always possible to recover

$\overline{R}$ by applying the converse of the representation morphism to $\overline{\phi^{\smile}R\psi}$ (right hand side of

item 5). That the surjectivity of φ and ψ is necessary for the left hand side of 5 to hold

is shown by the following example.

Let B = {F, T} be the set of Boolean values and N be the set of natural numbers.

The relation φ ⊆ B × N defined by φ = {〈F, 0〉, 〈T, 1〉} is total and injective, but not

surjective. The pair (φ, φ) is a representation morphism. We find that

$$\phi^{\smile}\overline{\emptyset}\phi = \phi^{\smile}L\phi = \{\langle 0, 0\rangle, \langle 0, 1\rangle, \langle 1, 0\rangle, \langle 1, 1\rangle\}.$$

However,

$$\overline{\phi^{\smile}\emptyset\phi} = \overline{\emptyset} = L = N \times N \ne \phi^{\smile}\overline{\emptyset}\phi.$$

More will be said about this example in chapter 5.


As usual, isomorphisms are ‘property preserving’ bijective mappings. They satisfy

parts 1 to 4 of theorem 2.8. In addition, $\phi^{\smile}\overline{R}\psi = \overline{\phi^{\smile}R\psi}$.

Bibliographic notes. The material of this section is quite classical in the context of

concrete algebras of relations between sets. Many of the proofs related to theorem 2.6

can be found in [Schmidt 81]. The definition of isomorphism between two relations comes

from [Berghammer 86]. The definition of representation morphism is that of the author.

2.4 Products and Sums

In the chapter entitled Specifications, we give examples of constructions of primitive relational

domains. Non primitive domains can be constructed by using products and sums

to combine the primitive domains. In this section, we define these products and sums and

we explore their basic properties.

2.4.1 Products

Definition 2.9. The pair $(\pi_1, \pi_2)$ of relations is called a 2-fold product iff

$$(1)\ \pi_1^{\smile}\pi_1 = I, \qquad (2)\ \pi_2^{\smile}\pi_2 = I, \qquad (3)\ \pi_1^{\smile}\pi_2 = L.$$

$(\pi_1, \pi_2)$ is a 2-fold quasi direct product iff it is a 2-fold product and

$$(4)\ \pi_1\pi_1^{\smile} \cap \pi_2\pi_2^{\smile} \subseteq I.$$

$(\pi_1, \pi_2)$ is a 2-fold direct product iff it is a 2-fold product and

$$(4')\ \pi_1\pi_1^{\smile} \cap \pi_2\pi_2^{\smile} = I.$$

For n ≥ 3, let $\pi_k$, 1 ≤ k ≤ n, be a set of relations. We call $(\pi_1, \ldots, \pi_n)$ a n-fold product

(quasi direct product, direct product) iff there are relations $\rho, \beta_1, \ldots, \beta_{n-1}$ such that

(5) $(\beta_1, \ldots, \beta_{n-1})$ is a (n − 1)-fold product (quasi direct product, direct product),

(6) $\rho\beta_k = \pi_k$, 1 ≤ k ≤ n − 1,

(7) $(\rho, \pi_n)$ is a 2-fold product (quasi direct product, direct product).

The relations $\pi_k$ are called the projection relations of the product. □


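For example, let $S_1$, $S_2$ and $S_3$ be non empty sets (not necessarily distinct). Then the pair $(\beta_1, \beta_2)$ with

$$\beta_1 = \{\langle (x, y), x\rangle \mid x \in S_1 \wedge y \in S_2\}, \qquad \beta_2 = \{\langle (x, y), y\rangle \mid x \in S_1 \wedge y \in S_2\}$$

is a 2-fold direct product, since

$$\begin{array}{l}
\breve{\beta}_1\beta_1 = \{\langle x, x\rangle \mid x \in S_1\} = I_{S_1},\\
\breve{\beta}_2\beta_2 = \{\langle x, x\rangle \mid x \in S_2\} = I_{S_2},\\
\beta_1\breve{\beta}_1 \cap \beta_2\breve{\beta}_2 = \{\langle (x, y), (x, z)\rangle \mid x \in S_1 \wedge y, z \in S_2\} \cap \{\langle (x, z), (y, z)\rangle \mid x, y \in S_1 \wedge z \in S_2\}\\
\qquad = \{\langle (x, y), (x, y)\rangle \mid x \in S_1 \wedge y \in S_2\} = I_{S_1 \times S_2},\\
\breve{\beta}_1\beta_2 = \{\langle x, y\rangle \mid x \in S_1 \wedge y \in S_2\} = L_{S_1 \times S_2}.
\end{array}$$

Now let

$$\rho = \{\langle (x, y, z), (x, y)\rangle \mid x \in S_1 \wedge y \in S_2 \wedge z \in S_3\}, \qquad \pi_3 = \{\langle (x, y, z), z\rangle \mid x \in S_1 \wedge y \in S_2 \wedge z \in S_3\}.$$

$(\rho, \pi_3)$ is a 2-fold direct product, so that $(\pi_1, \pi_2, \pi_3)$ with $\pi_1 = \rho\beta_1$ and $\pi_2 = \rho\beta_2$ is a 3-fold direct product, according to the definition. In fact,

$$\pi_1 = \{\langle (x, y, z), x\rangle \mid x \in S_1 \wedge y \in S_2 \wedge z \in S_3\}, \qquad \pi_2 = \{\langle (x, y, z), y\rangle \mid x \in S_1 \wedge y \in S_2 \wedge z \in S_3\}.$$

The pair $(\pi_1, \pi_2)$ is a 2-fold product (not direct). In chapter 3, we will encounter more interesting examples of products and quasi direct products that are not direct products.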

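Similarly, it is a simple exercise to verify that the pair of matrices

$$\begin{pmatrix} L & \emptyset\\ L & \emptyset\\ L & \emptyset\\ \emptyset & L\\ \emptyset & L\\ \emptyset & L \end{pmatrix}, \qquad \begin{pmatrix} L & \emptyset & \emptyset\\ \emptyset & L & \emptyset\\ \emptyset & \emptyset & L\\ L & \emptyset & \emptyset\\ \emptyset & L & \emptyset\\ \emptyset & \emptyset & L \end{pmatrix}$$

is a 2-fold direct product.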

The next theorem proves some properties of n-fold products that will often allow us

to use them without resorting to their inductive definition.

Theorem 2.10. Let $(\pi_1, \ldots, \pi_n)$ be a product, with $n \ge 2$.

1. $\breve{\pi}_k\pi_k = I$ for $1 \le k \le n$.

2. $\breve{\pi}_j\pi_k = L$ for $1 \le j, k \le n$ and $j \ne k$.

3. If $(\pi_1, \ldots, \pi_n)$ is a quasi direct product, $\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k \subseteq I$.

If $(\pi_1, \ldots, \pi_n)$ is a direct product, $\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k = I$.

Notice that by (1), the projection relations $\pi_k$ are surjective and deterministic. For direct products, the projection relations are surjective mappings.

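Proof. The proof is by induction on n. For n = 2, (1–3) hold by definition; suppose that they are valid for all $(n-1)$-fold products, $n \ge 3$. We verify that they hold for n-fold products. Let $(\rho, \pi_n)$ and $(\beta_1, \ldots, \beta_{n-1})$ be the products of definition 2.9.

1. For k = n, (1) holds because $(\rho, \pi_n)$ is a 2-fold product, by definition. Now suppose that k < n.

$$\begin{array}{rll}
\breve{\pi}_k\pi_k &= (\rho\beta_k)^{\smile}\rho\beta_k & \text{definition 2.9(6);}\\
&= \breve{\beta}_k\breve{\rho}\rho\beta_k & \text{theorem 2.2(6);}\\
&= \breve{\beta}_k\beta_k & (\rho, \pi_n) \text{ is a 2-fold product, hence } \breve{\rho}\rho = I;\\
&= I & (\beta_1, \ldots, \beta_{n-1}) \text{ is an } (n-1)\text{-fold product, induction hypothesis.}
\end{array}$$

2. If $j, k \ne n$, then $\breve{\pi}_j\pi_k = (\rho\beta_j)^{\smile}\rho\beta_k = \breve{\beta}_j\breve{\rho}\rho\beta_k = \breve{\beta}_j\beta_k = L$.

If $j = n$, $k \ne n$, noting that $\beta_k$ is surjective, $\breve{\pi}_n\pi_k = \breve{\pi}_n\rho\beta_k = L\beta_k = L$.

If $k = n$, $j \ne n$, because $\beta_k$ is total, $\breve{\pi}_j\pi_n = (\rho\beta_j)^{\smile}\pi_n = \breve{\beta}_j\breve{\rho}\pi_n = \breve{\beta}_jL = L$.

3.

$$\begin{array}{rll}
\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k &= \left(\bigcap_{k=1}^{n-1} \rho\beta_k(\rho\beta_k)^{\smile}\right) \cap \pi_n\breve{\pi}_n\\
&= \rho\left(\bigcap_{k=1}^{n-1} \beta_k\breve{\beta}_k\right)\breve{\rho} \cap \pi_n\breve{\pi}_n & \rho \text{ deterministic, } \breve{\rho} \text{ injective, thm. 2.6(3).}
\end{array}$$

If $(\pi_1, \ldots, \pi_n)$ is a quasi direct product, the induction hypothesis implies

$$\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k \subseteq \rho I\breve{\rho} \cap \pi_n\breve{\pi}_n = \rho\breve{\rho} \cap \pi_n\breve{\pi}_n = I.$$

If $(\pi_1, \ldots, \pi_n)$ is a direct product,

$$\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k = \rho I\breve{\rho} \cap \pi_n\breve{\pi}_n = \rho\breve{\rho} \cap \pi_n\breve{\pi}_n = I.$$

□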


These products allow us to combine relations together. Some combinations occur

frequently; we introduce a special notation for them.

Definition 2.11. Let $\Pi = (\pi_1, \ldots, \pi_n)$, $\Theta = (\theta_1, \ldots, \theta_n)$ be products and $R_k$, $1 \le k \le n$, be relations. The cartesian product of the $R_k$ with respect to $\Theta, \Pi$ is

$${}_\Theta[[R_1, \ldots, R_n]]_\Pi \stackrel{\mathrm{def}}{=} \bigcap_{k=1}^{n} \theta_kR_k\breve{\pi}_k.$$

The tupeling of the $R_k$ with respect to the product $\Pi$ is

$$\langle R_1, \ldots, R_n]]_\Pi \stackrel{\mathrm{def}}{=} \bigcap_{k=1}^{n} R_k\breve{\pi}_k.$$

Finally, the (anonymous) construction ${}_\Pi[[R_1, \ldots, R_n\rangle$ stands for $\bigcap_{k=1}^{n} \pi_kR_k$.

When the product involved is a quasi direct product or a direct product, we will use the brackets ${}_\Pi[$ and $]_\Pi$ rather than ${}_\Pi[[$ and $]]_\Pi$. When there is no risk of confusion, the subscripts giving the name of the product used will be dropped. Often, the term tupeling will be used as a generic name for the three constructs just defined. □

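The following laws are easily derived from the definition and theorem 2.2(6,10).

$$\begin{array}{l}
\langle \theta_1R_1, \ldots, \theta_nR_n]]_\Pi = {}_\Theta[[R_1, \ldots, R_n]]_\Pi = {}_\Theta[[R_1\breve{\pi}_1, \ldots, R_n\breve{\pi}_n\rangle,\\
({}_\Theta[[R_1, \ldots, R_n]]_\Pi)^{\smile} = {}_\Pi[[\breve{R}_1, \ldots, \breve{R}_n]]_\Theta,\\
(\langle R_1, \ldots, R_n]]_\Pi)^{\smile} = {}_\Pi[[\breve{R}_1, \ldots, \breve{R}_n\rangle.
\end{array} \tag{2.6}$$

$$[[R_1, \ldots, \emptyset, \ldots, R_n]] = \emptyset, \qquad \langle R_1, \ldots, \emptyset, \ldots, R_n]] = \emptyset, \qquad [[R_1, \ldots, \emptyset, \ldots, R_n\rangle = \emptyset. \tag{2.7}$$

The next two follow from theorem 2.6(3).

$$\begin{array}{l}
P \text{ deterministic} \Rightarrow P\langle R_1, \ldots, R_n]] = \langle PR_1, \ldots, PR_n]],\\
P \text{ injective} \Rightarrow [[R_1, \ldots, R_n\rangle P = [[R_1P, \ldots, R_nP\rangle.
\end{array} \tag{2.8}$$

The next two laws also hold for the constructs $\langle\ ]]$ and $[[\ \rangle$. They are consequences of ∪-distributivity, theorem 2.6(3) and of $\pi_k, \theta_k$ being deterministic.

$$\begin{array}{l}
[[R_1, \ldots, R_{k1} \cup R_{k2}, \ldots, R_n]] = [[R_1, \ldots, R_{k1}, \ldots, R_n]] \cup [[R_1, \ldots, R_{k2}, \ldots, R_n]],\\
[[R_1, \ldots, R_{k1} \cap R_{k2}, \ldots, R_n]] = [[R_1, \ldots, R_{k1}, \ldots, R_n]] \cap [[R_1, \ldots, R_{k2}, \ldots, R_n]].
\end{array} \tag{2.9}$$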

We now give examples that show how these constructions work. At the same time,

this will give a rationale for the choice of symbols denoting the various constructs.


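Let $Q$ and $R$ be relations on the set of natural numbers $N$ with $Q = \{\langle x, x-1\rangle \mid x \in N \wedge x > 0\}$ (the predecessor function) and $R = \{\langle x, x^2\rangle \mid x \in N\}$ (the squaring function). Let $(\pi_1, \pi_2)$ be the direct product $\pi_1 = \{\langle (x, y), x\rangle \mid x, y \in N\}$ and $\pi_2 = \{\langle (x, y), y\rangle \mid x, y \in N\}$. Then

$$\langle Q, R] = Q\breve{\pi}_1 \cap R\breve{\pi}_2 = \{\langle x, (x-1, y)\rangle \mid x > 0\} \cap \{\langle x, (y, x^2)\rangle\} = \{\langle x, (x-1, x^2)\rangle \mid x > 0\}.$$

Hence, from one ‘input’, $\langle Q, R]$ produces two results (provided that $x > 0$). Similarly, in

$$[Q, R] = \pi_1Q\breve{\pi}_1 \cap \pi_2R\breve{\pi}_2 = \{\langle (x, y), (x-1, z)\rangle \mid x > 0\} \cap \{\langle (x, y), (z, y^2)\rangle\} = \{\langle (x, y), (x-1, y^2)\rangle \mid x > 0\}$$

$Q$ and $R$ work independently on separate arguments and produce two results. Finally, in

$$[Q, R\rangle = \pi_1Q \cap \pi_2R = \{\langle (x, y), x-1\rangle \mid x > 0\} \cap \{\langle (x, y), y^2\rangle\} = \{\langle (x, y), z\rangle \mid z = x-1 \wedge z = y^2\}$$

$Q$ and $R$ collaborate to produce a single result from two separate arguments (and that collaboration fails most of the time).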

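We also give an example of cartesian product and tupeling using matrices. Let

$$\pi_1 = \begin{pmatrix} L & \emptyset\\ L & \emptyset\\ \emptyset & L\\ \emptyset & L \end{pmatrix}, \quad \pi_2 = \begin{pmatrix} L & \emptyset\\ \emptyset & L\\ L & \emptyset\\ \emptyset & L \end{pmatrix}, \quad Q = \begin{pmatrix} L & L\\ L & \emptyset \end{pmatrix}, \quad R = \begin{pmatrix} \emptyset & L\\ L & \emptyset \end{pmatrix}.$$

Then,

$$[Q, R] = \pi_1Q\breve{\pi}_1 \cap \pi_2R\breve{\pi}_2 = \begin{pmatrix} L & L & L & L\\ L & L & L & L\\ L & L & \emptyset & \emptyset\\ L & L & \emptyset & \emptyset \end{pmatrix} \cap \begin{pmatrix} \emptyset & L & \emptyset & L\\ L & \emptyset & L & \emptyset\\ \emptyset & L & \emptyset & L\\ L & \emptyset & L & \emptyset \end{pmatrix} = \begin{pmatrix} \emptyset & L & \emptyset & L\\ L & \emptyset & L & \emptyset\\ \emptyset & L & \emptyset & \emptyset\\ L & \emptyset & \emptyset & \emptyset \end{pmatrix}$$

and

$$\langle Q, R] = Q\breve{\pi}_1 \cap R\breve{\pi}_2 = \begin{pmatrix} L & L & L & L\\ L & L & \emptyset & \emptyset \end{pmatrix} \cap \begin{pmatrix} \emptyset & L & \emptyset & L\\ L & \emptyset & L & \emptyset \end{pmatrix} = \begin{pmatrix} \emptyset & L & \emptyset & L\\ L & \emptyset & \emptyset & \emptyset \end{pmatrix}.$$

Because $\breve{Q} = Q$ and $\breve{R} = R$, we have $[Q, R\rangle = (\langle \breve{Q}, \breve{R}])^{\smile} = (\langle Q, R])^{\smile}$.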

The definition of n-fold products is inductive. This reflects on the structure of tupelings. Let

$$(\pi_1, \ldots, \pi_{n-1}, \pi_n) = (\rho\beta_1, \ldots, \rho\beta_{n-1}, \pi_n)$$

be an n-fold product where (see definition 2.9)

$$(\beta_1, \ldots, \beta_{n-1}) \text{ and } (\rho, \pi_n)$$

are the appropriate $n-1$ and 2-fold products. Then,

$$\begin{array}{rll}
\langle R_1, \ldots, R_n]] &= \bigcap_{k=1}^{n} R_k\breve{\pi}_k\\
&= \left(\bigcap_{k=1}^{n-1} R_k\breve{\pi}_k\right) \cap R_n\breve{\pi}_n\\
&= \left(\bigcap_{k=1}^{n-1} R_k(\rho\beta_k)^{\smile}\right) \cap R_n\breve{\pi}_n\\
&= \left(\bigcap_{k=1}^{n-1} R_k\breve{\beta}_k\right)\breve{\rho} \cap R_n\breve{\pi}_n & \breve{\rho} \text{ is injective, theorems 2.2(6) and 2.6(3b);}\\
&= \langle\langle R_1, \ldots, R_{n-1}]], R_n]].
\end{array} \tag{2.10}$$

Similarly,

$$[[R_1, \ldots, R_n]] = [[[[R_1, \ldots, R_{n-1}]], R_n]] \quad\text{and}\quad [[R_1, \ldots, R_n\rangle = [[[[R_1, \ldots, R_{n-1}\rangle, R_n\rangle. \tag{2.11}$$

Tupelings of relations enjoy some remarkable properties.

Theorem 2.12. Let $(\pi_1, \ldots, \pi_n)$ be a product or quasi direct product, as indicated by the notation. Then,

1. $R_1, \ldots, R_n$ deterministic ⇒ $\langle R_1, \ldots, R_n]$ deterministic;

2. $\langle R_1, \ldots, R_n]]L = \bigcap_{k=1}^{n} R_kL$ (from which $R_1, \ldots, R_n$ total ⇒ $\langle R_1, \ldots, R_n]]$ total);

3. $\langle R_1, \ldots, R_n]]\pi_j = R_j \cap \bigcap_{k=1, k \ne j}^{n} R_kL$.

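Proof.

1.

$$\begin{array}{rll}
(\langle R_1, \ldots, R_n])^{\smile}\langle R_1, \ldots, R_n] &= \left(\bigcap_{k=1}^{n} R_k\breve{\pi}_k\right)^{\smile}\left(\bigcap_{k=1}^{n} R_k\breve{\pi}_k\right)\\
&= \left(\bigcap_{k=1}^{n} \pi_k\breve{R}_k\right)\left(\bigcap_{k=1}^{n} R_k\breve{\pi}_k\right) & \text{theorem 2.2(6,10);}\\
&\subseteq \bigcap_{k=1}^{n} \left(\bigcap_{j=1}^{n} \pi_j\breve{R}_j\right)R_k\breve{\pi}_k & \cap\text{-subdistributivity;}\\
&\subseteq \bigcap_{k=1}^{n} \pi_k\breve{R}_kR_k\breve{\pi}_k & \text{monotonicity of ;}\\
&\subseteq \bigcap_{k=1}^{n} \pi_k\breve{\pi}_k & R_k \text{ is deterministic;}\\
&\subseteq I & \text{theorem 2.10(3).}
\end{array}$$

2. The proof is by induction on n. For the case n = 2, we have

$$\begin{array}{rll}
\langle R_1, R_2]]L &= (R_1\breve{\pi}_1 \cap R_2\breve{\pi}_2)\pi_1L & \text{theorem 2.4(6);}\\
&= (R_1 \cap R_2\breve{\pi}_2\pi_1)L & \pi_1 \text{ deterministic, theorem 2.6(5a);}\\
&= (R_1 \cap R_2L)L & \text{definition of 2-fold product;}\\
&= R_1L \cap R_2L & \text{theorem 2.4(1).}
\end{array}$$

Assume that the property holds for $(n-1)$-fold products, i.e.

$$\langle R_1, \ldots, R_{n-1}]] = \bigcap_{k=1}^{n-1} R_kL.$$

Then, using equation 2.10, the basis of induction and the induction hypothesis,

$$\langle R_1, \ldots, R_n]]L = \langle\langle R_1, \ldots, R_{n-1}]], R_n]]L = \langle R_1, \ldots, R_{n-1}]]L \cap R_nL = \bigcap_{k=1}^{n} R_kL.$$

Hence the property holds for all n.

3. Again the proof is by induction on n. For the case n = 2, we have

$$\begin{array}{rll}
\langle R_1, R_2]]\pi_1 &= (R_1\breve{\pi}_1 \cap R_2\breve{\pi}_2)\pi_1\\
&= (R_1 \cap R_2\breve{\pi}_2\pi_1) & \pi_1 \text{ deterministic, theorem 2.6(5a);}\\
&= R_1 \cap R_2L & \text{definition of 2-fold product.}
\end{array}$$

A similar result holds for $\langle R_1, R_2]\pi_2$. Now, assume that the property holds for $(n-1)$-fold products ($n \ge 3$). Let $(\rho, \pi_n)$ and $(\beta_1, \ldots, \beta_{n-1})$ be the 2-fold and $(n-1)$-fold products of definition 2.9. Then, for $j = n$,

$$\begin{array}{rll}
\langle R_1, \ldots, R_n]]\pi_n &= \langle\langle R_1, \ldots, R_{n-1}]], R_n]]\pi_n & \text{equation 2.10;}\\
&= \langle R_1, \ldots, R_{n-1}]]L \cap R_n & \text{basis of induction;}\\
&= \left(\bigcap_{k=1}^{n-1} R_kL\right) \cap R_n & \text{by part 2.}
\end{array}$$

For $j < n$, $\pi_j = \rho\beta_j$; hence,

$$\begin{array}{rll}
\langle R_1, \ldots, R_n]]\pi_j &= \langle\langle R_1, \ldots, R_{n-1}]], R_n]]\rho\beta_j & \text{equation 2.10;}\\
&= (\langle R_1, \ldots, R_{n-1}]] \cap R_nL)\beta_j & \text{basis of induction;}\\
&= \langle R_1, \ldots, R_{n-1}]]\beta_j \cap R_nL & \text{theorem 2.4(1);}\\
&= R_j \cap \bigcap_{k=1, k \ne j}^{n} R_kL & \text{induction hypothesis.}
\end{array}$$

Consequently the property holds for all n. □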

Corollary 2.13. Let R1, . . . , Rn be relations and assume the existence of the appropriate

products. Then,

1. R1, . . . , Rn deterministic ⇒ [[R1, . . . , Rn] and [[R1, . . . , Rn〉 deterministic;

2. Π direct product and R1, . . . , Rn total ⇒ Π[R1, . . . , Rn]] total;


3. R1, . . . , Rn injective ⇒ [R1, . . . , Rn]] , [R1, . . . , Rn〉 and 〈R1, . . . , Rn]] injective;

4. Π direct product and R1, . . . , Rn surjective ⇒ [[R1, . . . , Rn]Π and [[R1, . . . , Rn〉 surjective;

5. [[R1, . . . , Rn]]L = [[R1L, . . . , RnL〉;

6. [[R1, . . . , Rn]]πj = [[R1L, . . . , Rj−1L,Rj , Rj+1L, . . . , RnL〉.

Proof. Because a projection relation πk is deterministic (and total in the case of direct

products), the results follow directly from theorems 2.12, 2

The next theorem allows the simplification of compositions of tupelings under certain

circumstances.

Theorem 2.14. For $n \ge 2$, let $Q_k, R_k$ $(k = 1, \ldots, n)$ be relations such that all the $Q_k$ are deterministic or all the $R_k$ are injective. Then,

$$\langle Q_1, \ldots, Q_n][R_1, \ldots, R_n\rangle = \bigcap_{k=1}^{n} Q_kR_k,$$

where the tupelings are with respect to the quasi direct product $(\pi_1, \ldots, \pi_n)$. Also,

$$\begin{array}{l}
\langle Q_1, \ldots, Q_n][R_1, \ldots, R_n]] = \langle Q_1R_1, \ldots, Q_nR_n]],\\
[[Q_1, \ldots, Q_n][R_1, \ldots, R_n\rangle = [[Q_1R_1, \ldots, Q_nR_n\rangle,\\
[[Q_1, \ldots, Q_n][R_1, \ldots, R_n]] = [[Q_1R_1, \ldots, Q_nR_n]].
\end{array}$$

Proof. Assume that $Q_k$ is deterministic for $k = 1, \ldots, n$.

$$\langle Q_1, \ldots, Q_n][R_1, \ldots, R_n\rangle = \langle Q_1, \ldots, Q_n] \bigcap_{k=1}^{n} \pi_kR_k;$$

by theorem 2.12 the left term is deterministic, hence, by theorem 2.6(3a),

$$\begin{array}{rll}
&= \bigcap_{k=1}^{n} \langle Q_1, \ldots, Q_n]\pi_kR_k\\
&= \bigcap_{k=1}^{n} \left(Q_k \cap \bigcap_{j=1, j \ne k}^{n} Q_jL\right)R_k & \text{theorem 2.12(3);}\\
&= \bigcap_{k=1}^{n} Q_kR_k \cap \left(\bigcap_{j=1, j \ne k}^{n} Q_jL\right) & \text{theorem 2.4(1);}\\
&= \left(\bigcap_{k=1}^{n} Q_kR_k\right) \cap \left(\bigcap_{k=1}^{n} Q_kL\right)\\
&= \bigcap_{k=1}^{n} Q_kR_k & Q_kR_k \subseteq Q_kL \text{ for all } k.
\end{array}$$

In the case that the $R_k$ are injective, we have

$$\begin{array}{rll}
\langle Q_1, \ldots, Q_n][R_1, \ldots, R_n\rangle &= ((\langle Q_1, \ldots, Q_n][R_1, \ldots, R_n\rangle)^{\smile})^{\smile} & \text{theorem 2.2(5);}\\
&= (\langle \breve{R}_1, \ldots, \breve{R}_n][\breve{Q}_1, \ldots, \breve{Q}_n\rangle)^{\smile} & \text{theorem 2.2(6), 2.6 (page 32);}\\
&= \left(\bigcap_{k=1}^{n} \breve{R}_k\breve{Q}_k\right)^{\smile} & \breve{R}_k \text{ deterministic;}\\
&= \bigcap_{k=1}^{n} Q_kR_k & \text{theorem 2.2(6,10).}
\end{array}$$

The last three equations of the theorem are direct consequences of the first one and of equations 2.6, together with theorem 2.6(2). □

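We now present an example of a composition $[Q_1, Q_2][R_1, R_2]$. We choose

$$\begin{array}{ll}
Q_1 = \{\langle x, x+1\rangle \mid x \in N\}, & Q_2 = \{\langle x, x^2\rangle \mid x \in N\},\\
R_1 = \{\langle x, x-1\rangle \mid x \in N \wedge x > 0\}, & R_2 = \{\langle x, x+3\rangle \mid x \in N\},\\
\pi_1 = \{\langle (x, y), x\rangle \mid x, y \in N\}, & \pi_2 = \{\langle (x, y), y\rangle \mid x, y \in N\}.
\end{array}$$

The composition of the cartesian products is

$$\begin{array}{rl}
[Q_1, Q_2][R_1, R_2] &= \{\langle (x, y), (x+1, y^2)\rangle\}\,\{\langle (x, y), (x-1, y+3)\rangle \mid x > 0\}\\
&= \{\langle (x, y), (x, y^2+3)\rangle\}\\
&= [Q_1R_1, Q_2R_2].
\end{array}$$

Hence, even though the result of $[Q_1, Q_2]$ is passed to $[R_1, R_2]$ via relational composition, the components 1 and 2 do not really interact together. The result is the same as that obtained by a parallel independent computation.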

We give another example, this time of a composition $\langle Q_1, Q_2][R_1, R_2\rangle$, where the relations $Q_1, Q_2, R_1, R_2$ are all relations on a non empty set $S$:

$$\begin{array}{ll}
Q_1 = \{\langle x, y\rangle \mid q_1(x, y)\}, & R_1 = \{\langle x, y\rangle \mid r_1(x, y)\},\\
Q_2 = \{\langle x, y\rangle \mid q_2(x, y)\}, & R_2 = \{\langle x, y\rangle \mid r_2(x, y)\},
\end{array}$$

($q_1, q_2, r_1, r_2$ are predicates). As projection relations we choose

$$\pi_1 = \{\langle (x, y), x\rangle \mid x, y \in S\}, \qquad \pi_2 = \{\langle (x, y), y\rangle \mid x, y \in S\}.$$

The required composition is

$$\begin{array}{rl}
\langle Q_1, Q_2][R_1, R_2\rangle &= (Q_1\breve{\pi}_1 \cap Q_2\breve{\pi}_2)(\pi_1R_1 \cap \pi_2R_2)\\
&= (\{\langle w, (x, y)\rangle \mid q_1(w, x)\} \cap \{\langle w, (x, y)\rangle \mid q_2(w, y)\})(\{\langle (x, y), z\rangle \mid r_1(x, z)\} \cap \{\langle (x, y), z\rangle \mid r_2(y, z)\})\\
&= \{\langle w, (x, y)\rangle \mid q_1(w, x) \wedge q_2(w, y)\}\,\{\langle (x, y), z\rangle \mid r_1(x, z) \wedge r_2(y, z)\}\\
&= \{\langle w, z\rangle \mid \exists x, y : q_1(w, x) \wedge r_1(x, z) \wedge q_2(w, y) \wedge r_2(y, z)\}\\
&= \{\langle w, z\rangle \mid \exists x : q_1(w, x) \wedge r_1(x, z)\} \cap \{\langle w, z\rangle \mid \exists y : q_2(w, y) \wedge r_2(y, z)\}\\
&= Q_1R_1 \cap Q_2R_2.
\end{array} \tag{2.12}$$

This is the result predicted by theorem 2.14, but notice that the predicates $q_1, q_2, r_1$ and $r_2$ are not restricted: that is, the relations $Q_1, Q_2, R_1, R_2$ need not satisfy the conditions of application of the theorem. Are these conditions too restrictive? We will give a partial answer in the next section.
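The matrix example of $[Q, R]$ and $\langle Q, R]$ above and the composition law of theorem 2.14 can be checked mechanically. The following Python sketch is an added example, not part of the thesis; it encodes L as 1 and ∅ as 0, and the function names and the triple-based projections `T1`, `T2` are assumptions introduced here.

```python
from itertools import product

# Relations are Boolean matrices: 1 stands for L, 0 for the empty entry.

def compose(a, b):
    """Relational composition, i.e. the Boolean matrix product."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def converse(a):
    return [list(col) for col in zip(*a)]

def meet(a, b):
    return [[x & y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def universal(m, n):
    return [[1] * n for _ in range(m)]

def is_product(p1, p2):
    """Conditions (1)-(3) of definition 2.9."""
    m, n = len(p1[0]), len(p2[0])
    return (compose(converse(p1), p1) == identity(m)
            and compose(converse(p2), p2) == identity(n)
            and compose(converse(p1), p2) == universal(m, n))

def kernel_meet(p1, p2):
    """p1 p1~ ∩ p2 p2~, the left-hand side of conditions (4) and (4')."""
    return meet(compose(p1, converse(p1)), compose(p2, converse(p2)))

def is_quasi_direct_product(p1, p2):
    k = kernel_meet(p1, p2)
    return is_product(p1, p2) and meet(k, identity(len(p1))) == k

def is_direct_product(p1, p2):
    return is_product(p1, p2) and kernel_meet(p1, p2) == identity(len(p1))

def tupeling(q, r, p1, p2):
    """<Q,R] = Q p1~ ∩ R p2~."""
    return meet(compose(q, converse(p1)), compose(r, converse(p2)))

def cartesian(q, r, p1, p2):
    """[Q,R] = p1 Q p1~ ∩ p2 R p2~."""
    return meet(compose(compose(p1, q), converse(p1)),
                compose(compose(p2, r), converse(p2)))

def merge(q, r, p1, p2):
    """[Q,R> = p1 Q ∩ p2 R (hypothetical name for the anonymous construct)."""
    return meet(compose(p1, q), compose(p2, r))

def all_relations(m, n):
    """Every m x n Boolean matrix."""
    return [[list(bits[i * n:(i + 1) * n]) for i in range(m)]
            for bits in product((0, 1), repeat=m * n)]

def composition_law_holds(p1, p2):
    """Check <Q1,Q2][R1,R2> = Q1 R1 ∩ Q2 R2 for all 2x2 relations."""
    rels = all_relations(2, 2)
    pairs = list(product(range(len(rels)), repeat=2))
    merged = {(c, d): merge(rels[c], rels[d], p1, p2) for c, d in pairs}
    prods = {(a, c): compose(rels[a], rels[c]) for a, c in pairs}
    for a, b in pairs:
        left = tupeling(rels[a], rels[b], p1, p2)
        for c, d in pairs:
            if compose(left, merged[c, d]) != meet(prods[a, c], prods[b, d]):
                return False
    return True

# Matrices from the text.
PI1 = [[1, 0], [1, 0], [0, 1], [0, 1]]
PI2 = [[1, 0], [0, 1], [1, 0], [0, 1]]
Q = [[1, 1], [1, 0]]
R = [[0, 1], [1, 0]]
SIX_A = [[1, 0]] * 3 + [[0, 1]] * 3      # the 6x2 matrix of section 2.4.1
SIX_B = identity(3) + identity(3)        # the 6x3 matrix of section 2.4.1

# Constructed: projections of triples (x, y, z) over {0, 1} onto x and y,
# i.e. the pair (pi1, pi2) taken out of a 3-fold direct product.
TRIPLES = list(product((0, 1), repeat=3))
T1 = [[int(t[0] == v) for v in (0, 1)] for t in TRIPLES]
T2 = [[int(t[1] == v) for v in (0, 1)] for t in TRIPLES]

if __name__ == "__main__":
    print(is_direct_product(PI1, PI2), is_direct_product(SIX_A, SIX_B))
    print(is_product(T1, T2), is_quasi_direct_product(T1, T2))
    print(cartesian(Q, R, PI1, PI2))
    print(tupeling(Q, R, PI1, PI2))
    print(composition_law_holds(PI1, PI2))
```

The exhaustive check runs over all 2×2 relations, not only the deterministic or injective ones required by theorem 2.14, which agrees with the remark following equation 2.12 for concrete relations.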

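We are now in a position to prove that the characterization of the n-fold direct products is monomorphic. That is, given relations $Q$ and $R$, all tupelings $\langle Q, R]$ (or all cartesian products $[Q, R]$) with respect to different direct products are isomorphic. More precisely, let $\Pi = (\pi_1, \ldots, \pi_n)$ and $\Theta = (\theta_1, \ldots, \theta_n)$ be two direct products such that

$$\begin{array}{l}
\breve{\pi}_k\pi_k = \breve{\theta}_k\theta_k = I_k \text{ for } 1 \le k \le n,\\
\bigcap_{k=1}^{n} \pi_k\breve{\pi}_k = I_\pi = {}_\Pi[I_1, \ldots, I_n]_\Pi,\\
\bigcap_{k=1}^{n} \theta_k\breve{\theta}_k = I_\theta = {}_\Theta[I_1, \ldots, I_n]_\Theta.
\end{array} \tag{2.13}$$

Let $\phi = {}_\Pi[I_1, \ldots, I_n]_\Theta$. Then,

$$\begin{array}{rll}
\phi\breve{\phi} &= {}_\Pi[I_1, \ldots, I_n]_\Theta\,({}_\Pi[I_1, \ldots, I_n]_\Theta)^{\smile}\\
&= {}_\Pi[I_1, \ldots, I_n]_\Theta\,{}_\Theta[I_1, \ldots, I_n]_\Pi & \text{equations 2.6 (page 32);}\\
&= {}_\Pi[I_1, \ldots, I_n]_\Pi & I_k \text{ deterministic, theorem 2.14;}\\
&= I_\pi,
\end{array}$$

$$\breve{\phi}\phi = ({}_\Pi[I_1, \ldots, I_n]_\Theta)^{\smile}\,{}_\Pi[I_1, \ldots, I_n]_\Theta = {}_\Theta[I_1, \ldots, I_n]_\Pi\,{}_\Pi[I_1, \ldots, I_n]_\Theta = {}_\Theta[I_1, \ldots, I_n]_\Theta = I_\theta,$$

so that $\phi$ is a bijective mapping. Furthermore, $(\phi, I_k)$ is an isomorphism between $\pi_k$ and $\theta_k$, since, by corollary 2.13(6) and the totality of $\theta_j$ ($j = 1, \ldots, n$),

$$\breve{\phi}\pi_kI_k = {}_\Theta[I_1, \ldots, I_n]_\Pi\,\pi_k = {}_\Theta[L_1, \ldots, L_{k-1}, I_k, L_{k+1}, \ldots, L_n\rangle = \theta_k.$$

Also, $(I, \phi)$ is an isomorphism between $\langle R_1, \ldots, R_n]_\Pi$ and $\langle R_1, \ldots, R_n]_\Theta$:

$$I\langle R_1, \ldots, R_n]_\Pi\,{}_\Pi[I_1, \ldots, I_n]_\Theta = \langle R_1, \ldots, R_n]_\Theta.$$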


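It is interesting to note that, even if we require $I_\pi = I_\theta$, we need not have $\pi_k = \theta_k$. The following relations illustrate this fact.

$$\pi_1 = \begin{pmatrix} L & \emptyset\\ L & \emptyset\\ \emptyset & L\\ \emptyset & L \end{pmatrix}, \quad \pi_2 = \begin{pmatrix} L & \emptyset\\ \emptyset & L\\ L & \emptyset\\ \emptyset & L \end{pmatrix}, \quad \theta_1 = \begin{pmatrix} \emptyset & L\\ \emptyset & L\\ L & \emptyset\\ L & \emptyset \end{pmatrix}, \quad \theta_2 = \begin{pmatrix} \emptyset & L\\ L & \emptyset\\ \emptyset & L\\ L & \emptyset \end{pmatrix},$$

$$I_\theta = I_\pi = \begin{pmatrix} L & \emptyset & \emptyset & \emptyset\\ \emptyset & L & \emptyset & \emptyset\\ \emptyset & \emptyset & L & \emptyset\\ \emptyset & \emptyset & \emptyset & L \end{pmatrix}.$$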

Hence the characterization of direct products is unique, up to isomorphism. Direct

products are useful for constructing non primitive domains from combinations of primitive

ones. The other types of products introduced in this subsection will be used in the next

chapter. Note that, as far as this presentation is concerned, quasi direct products and

direct products have very similar properties (except for monomorphism). There are a few

differences between products and quasi direct products, the most important being that

theorem 2.14 requires a quasi direct product in its premises.

2.4.2 Sums

Direct sums are another important means of constructing non primitive domains from

more primitive ones. In this subsection, we give the definition of n-fold direct sums and

prove some of their basic properties. It will be noticed that these properties are somewhat

similar to those of direct products. The same remark can be made about their proofs; for

that reason, we will omit the justifications of most derivation steps.

Definition 2.15. The pair $(\sigma_1, \sigma_2)$ of relations is called a 2-fold direct sum iff

$$\begin{array}{ll}
(1)\ \breve{\sigma}_1\sigma_1 = I, & (3)\ \breve{\sigma}_1\sigma_2 = \emptyset,\\
(2)\ \breve{\sigma}_2\sigma_2 = I, & (4)\ \sigma_1\breve{\sigma}_1 \cup \sigma_2\breve{\sigma}_2 = I.
\end{array}$$

For $n \ge 3$, let $\sigma_k$, $1 \le k \le n$, be a set of relations. We call $(\sigma_1, \ldots, \sigma_n)$ an n-fold direct sum iff there are relations $\tau, \theta_1, \ldots, \theta_{n-1}$ such that

(5) $(\theta_1, \ldots, \theta_{n-1})$ is an $(n-1)$-fold direct sum,

(6) $\tau\theta_k = \sigma_k$, $1 \le k \le n-1$,

(7) $(\tau, \sigma_n)$ is a 2-fold direct sum.

The relations $\sigma_k$ are called the projection relations of the direct sum. Their converses $\breve{\sigma}_k$ are called injection relations. □

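For example, let $S_1$, $S_2$ and $S_3$ be sets. Then $(\theta_1, \theta_2)$ with

$$\theta_1 = \{\langle (1, x), x\rangle \mid x \in S_1\}, \qquad \theta_2 = \{\langle (2, x), x\rangle \mid x \in S_2\}$$

is a 2-fold sum, since

$$\begin{array}{l}
\breve{\theta}_1\theta_1 = \{\langle x, x\rangle \mid x \in S_1\} = I_{S_1},\\
\breve{\theta}_2\theta_2 = \{\langle x, x\rangle \mid x \in S_2\} = I_{S_2},\\
\breve{\theta}_1\theta_2 = \{\langle x, y\rangle \mid x \in S_1 \wedge y \in S_2 \wedge (1, x) = (2, y)\} = \emptyset_{S_1 \times S_2},\\
\theta_1\breve{\theta}_1 \cup \theta_2\breve{\theta}_2 = \{\langle (1, x), (1, x)\rangle \mid x \in S_1\} \cup \{\langle (2, x), (2, x)\rangle \mid x \in S_2\}\\
\qquad = \{\langle x, x\rangle \mid \exists y : x = (1, y) \wedge y \in S_1 \vee x = (2, y) \wedge y \in S_2\} = I_{S_1 \uplus S_2}.
\end{array}$$

(The relation $I_{S_1 \uplus S_2}$ is the identity on the disjoint union of the sets $S_1$ and $S_2$.)

Now let

$$\tau = \{\langle (1, (i, x)), (i, x)\rangle \mid i = 1 \wedge x \in S_1 \vee i = 2 \wedge x \in S_2\}, \qquad \sigma_3 = \{\langle (3, x), x\rangle \mid x \in S_3\}.$$

$(\tau, \sigma_3)$ is a 2-fold sum, so that $(\sigma_1, \sigma_2, \sigma_3)$ with $\sigma_1 = \tau\theta_1$ and $\sigma_2 = \tau\theta_2$ is a 3-fold sum, according to definition 2.15. In fact,

$$\sigma_1 = \{\langle (1, (1, x)), x\rangle \mid x \in S_1\}, \qquad \sigma_2 = \{\langle (1, (2, x)), x\rangle \mid x \in S_2\}.$$

Similarly, it is a simple exercise to verify that the pair of matrices

$$\sigma_1 = \begin{pmatrix} L & \emptyset\\ \emptyset & L\\ \emptyset & \emptyset\\ \emptyset & \emptyset\\ \emptyset & \emptyset \end{pmatrix}, \qquad \sigma_2 = \begin{pmatrix} \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset\\ L & \emptyset & \emptyset\\ \emptyset & L & \emptyset\\ \emptyset & \emptyset & L \end{pmatrix} \tag{2.14}$$

is a 2-fold sum.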

As was done for products, the next theorem establishes some properties of n-fold sums

that often allow their use without resorting to their inductive definition.


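Theorem 2.16. Let $(\sigma_1, \ldots, \sigma_n)$ be a direct sum, with $n \ge 2$. Then

1. $\breve{\sigma}_k\sigma_k = I$ for $1 \le k \le n$,

2. $\breve{\sigma}_j\sigma_k = \emptyset$ for $1 \le j, k \le n$ and $j \ne k$,

3. $\bigcup_{k=1}^{n} \sigma_k\breve{\sigma}_k = I$.

Notice that from (1) and (3), the projection relations $\sigma_k$ are bijective and deterministic.

Proof. The proof is by induction on n. For n = 2, (1–3) hold by definition; suppose that they are valid for all $(n-1)$-fold sums, $n \ge 3$. We verify that they hold for n-fold sums. Let $(\tau, \sigma_n)$ and $(\theta_1, \ldots, \theta_{n-1})$ be the direct sums of definition 2.15.

1. For k = n, (1) holds because $(\tau, \sigma_n)$ is a 2-fold sum. Now suppose that k < n:

$$\breve{\sigma}_k\sigma_k = (\tau\theta_k)^{\smile}\tau\theta_k = \breve{\theta}_k\breve{\tau}\tau\theta_k = \breve{\theta}_k\theta_k = I.$$

2. If $j, k \ne n$, then $\breve{\sigma}_j\sigma_k = (\tau\theta_j)^{\smile}\tau\theta_k = \breve{\theta}_j\breve{\tau}\tau\theta_k = \breve{\theta}_j\theta_k = \emptyset$.

If $j = n$, $k \ne n$, then $\breve{\sigma}_n\sigma_k = \breve{\sigma}_n\tau\theta_k = \emptyset\theta_k = \emptyset$.

If $k = n$, $j \ne n$, then $\breve{\sigma}_j\sigma_n = (\tau\theta_j)^{\smile}\sigma_n = \breve{\theta}_j\breve{\tau}\sigma_n = \breve{\theta}_j\emptyset = \emptyset$.

3. $\bigcup_{k=1}^{n} \sigma_k\breve{\sigma}_k = \left(\bigcup_{k=1}^{n-1} \tau\theta_k(\tau\theta_k)^{\smile}\right) \cup \sigma_n\breve{\sigma}_n = \tau\left(\bigcup_{k=1}^{n-1} \theta_k\breve{\theta}_k\right)\breve{\tau} \cup \sigma_n\breve{\sigma}_n = \tau I\breve{\tau} \cup \sigma_n\breve{\sigma}_n = I$.

□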

Given $\Theta = (\theta_1, \ldots, \theta_n)$, $\Sigma = (\sigma_1, \ldots, \sigma_n)$ we call the relation $\bigcup_{k=1}^{n} \theta_kR_k\breve{\sigma}_k$ the disjoint

union of the Rk with respect to (Θ,Σ). We will not use a special notation for the disjoint

union of relations as we have done for tupelings and cartesian products. The reason is

that direct sums will not be used as much as products, so that a flexible notation is not as

necessary. For the same reason, the study of direct sums will be more limited than that

of products.

We now give examples of disjoint union of relations in concrete algebras.

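Let $Q$ and $R$ be relations on the set of natural numbers with

$$Q = \{\langle x, x-1\rangle \mid x \in N \wedge x > 0\} \quad\text{and}\quad R = \{\langle x, x^2\rangle \mid x \in N\}.$$

Let $\Sigma = (\sigma_1, \sigma_2)$ be the direct sum

$$\sigma_1 = \{\langle (1, x), x\rangle \mid x \in N\} \quad\text{and}\quad \sigma_2 = \{\langle (2, x), x\rangle \mid x \in N\}.$$

Then the disjoint union of $Q$ and $R$ with respect to $(\Sigma, \Sigma)$ is

$$\sigma_1Q\breve{\sigma}_1 \cup \sigma_2R\breve{\sigma}_2 = \{\langle (1, x), (1, x-1)\rangle \mid x > 0\} \cup \{\langle (2, x), (2, x^2)\rangle\}.$$

For an example in an algebra of Boolean matrices, we choose $\Sigma = (\sigma_1, \sigma_2)$, where $\sigma_1$ and $\sigma_2$ are the matrices in 2.14 (page 40) and

$$Q = \begin{pmatrix} L & L\\ L & \emptyset \end{pmatrix}, \qquad R = \begin{pmatrix} \emptyset & L & \emptyset\\ L & L & L\\ \emptyset & L & \emptyset \end{pmatrix}.$$

Then, the disjoint union of $Q$ and $R$ with respect to $(\Sigma, \Sigma)$ is

$$\sigma_1Q\breve{\sigma}_1 \cup \sigma_2R\breve{\sigma}_2 = \begin{pmatrix} L & L & \emptyset & \emptyset & \emptyset\\ L & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & \emptyset & \emptyset \end{pmatrix} \cup \begin{pmatrix} \emptyset & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & L & \emptyset\\ \emptyset & \emptyset & L & L & L\\ \emptyset & \emptyset & \emptyset & L & \emptyset \end{pmatrix} = \begin{pmatrix} L & L & \emptyset & \emptyset & \emptyset\\ L & \emptyset & \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset & L & \emptyset\\ \emptyset & \emptyset & L & L & L\\ \emptyset & \emptyset & \emptyset & L & \emptyset \end{pmatrix}.$$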

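It is quite easy to show the monomorphism of direct sums. Let $\Sigma = (\sigma_1, \ldots, \sigma_n)$ and $\Theta = (\theta_1, \ldots, \theta_n)$ be two direct sums such that

$$\begin{array}{l}
\breve{\sigma}_k\sigma_k = \breve{\theta}_k\theta_k = I_k \text{ for } 1 \le k \le n,\\
\bigcup_{k=1}^{n} \sigma_k\breve{\sigma}_k = I_\sigma,\\
\bigcup_{k=1}^{n} \theta_k\breve{\theta}_k = I_\theta.
\end{array} \tag{2.15}$$

Let $\phi = \bigcup_{k=1}^{n} \sigma_k\breve{\theta}_k$. Then, applying theorems 2.16 and 2.2(4,6,9), we arrive at

$$\phi\breve{\phi} = \left(\bigcup_{k=1}^{n} \sigma_k\breve{\theta}_k\right)\left(\bigcup_{k=1}^{n} \sigma_k\breve{\theta}_k\right)^{\smile} = \bigcup_{1 \le j, k \le n} \sigma_j\breve{\theta}_j\theta_k\breve{\sigma}_k = \bigcup_{k=1}^{n} \sigma_k\breve{\sigma}_k = I_\sigma,$$

$$\breve{\phi}\phi = \left(\bigcup_{k=1}^{n} \sigma_k\breve{\theta}_k\right)^{\smile}\left(\bigcup_{k=1}^{n} \sigma_k\breve{\theta}_k\right) = \bigcup_{1 \le j, k \le n} \theta_j\breve{\sigma}_j\sigma_k\breve{\theta}_k = \bigcup_{k=1}^{n} \theta_k\breve{\theta}_k = I_\theta.$$

Hence $\phi$ is a bijective mapping. Moreover, $(\phi, I_k)$ is an isomorphism between $\sigma_k$ and $\theta_k$, since, by ∪-distributivity and the definition of n-fold sums,

$$\breve{\phi}\sigma_kI_k = \left(\bigcup_{j=1}^{n} \theta_j\breve{\sigma}_j\right)\sigma_k = \theta_k.$$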

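As was the case for direct products, even if we require $I_\sigma = I_\theta$, we need not have $\sigma_k = \theta_k$. This is illustrated by the following matrices.

$$\sigma_1 = \begin{pmatrix} \emptyset & L\\ L & \emptyset\\ \emptyset & \emptyset\\ \emptyset & \emptyset \end{pmatrix}, \quad \sigma_2 = \begin{pmatrix} \emptyset & \emptyset\\ \emptyset & \emptyset\\ L & \emptyset\\ \emptyset & L \end{pmatrix}, \quad \theta_1 = \begin{pmatrix} L & \emptyset\\ \emptyset & L\\ \emptyset & \emptyset\\ \emptyset & \emptyset \end{pmatrix}, \quad \theta_2 = \begin{pmatrix} \emptyset & \emptyset\\ \emptyset & \emptyset\\ \emptyset & L\\ L & \emptyset \end{pmatrix},$$

$$I_\theta = I_\sigma = \begin{pmatrix} L & \emptyset & \emptyset & \emptyset\\ \emptyset & L & \emptyset & \emptyset\\ \emptyset & \emptyset & L & \emptyset\\ \emptyset & \emptyset & \emptyset & L \end{pmatrix}.$$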
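The direct sum conditions, the disjoint union of the matrix example and the monomorphism argument can be replayed on the matrices of this subsection. The Python sketch below is an added example, not part of the thesis; L is encoded as 1 and ∅ as 0, and the function names (`is_direct_sum`, `disjoint_union`, `mediating`, `is_isomorphism_of_sums`) are assumptions introduced here.

```python
# Relations are Boolean matrices: 1 stands for L, 0 for the empty entry.

def compose(a, b):
    """Relational composition, i.e. the Boolean matrix product."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def converse(a):
    return [list(col) for col in zip(*a)]

def join(a, b):
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def empty(m, n):
    return [[0] * n for _ in range(m)]

def is_direct_sum(s1, s2):
    """Conditions (1)-(4) of definition 2.15."""
    m, n = len(s1[0]), len(s2[0])
    return (compose(converse(s1), s1) == identity(m)
            and compose(converse(s2), s2) == identity(n)
            and compose(converse(s1), s2) == empty(m, n)
            and join(compose(s1, converse(s1)),
                     compose(s2, converse(s2))) == identity(len(s1)))

def disjoint_union(q, r, s1, s2):
    """s1 Q s1~ ∪ s2 R s2~, the disjoint union with respect to (Σ, Σ)."""
    return join(compose(compose(s1, q), converse(s1)),
                compose(compose(s2, r), converse(s2)))

def mediating(sigma, theta):
    """phi = union over k of sigma_k theta_k~."""
    phi = empty(len(sigma[0]), len(theta[0]))
    for s, t in zip(sigma, theta):
        phi = join(phi, compose(s, converse(t)))
    return phi

def is_isomorphism_of_sums(sigma, theta):
    """phi is a bijective mapping and phi~ sigma_k = theta_k for every k."""
    phi = mediating(sigma, theta)
    return (compose(phi, converse(phi)) == identity(len(sigma[0]))
            and compose(converse(phi), phi) == identity(len(theta[0]))
            and all(compose(converse(phi), s) == t
                    for s, t in zip(sigma, theta)))

# Matrices (2.14) and the relations Q, R of the disjoint union example.
S1 = [[1, 0], [0, 1], [0, 0], [0, 0], [0, 0]]
S2 = [[0, 0, 0], [0, 0, 0], [1, 0, 0], [0, 1, 0], [0, 0, 1]]
Q = [[1, 1], [1, 0]]
R = [[0, 1, 0], [1, 1, 1], [0, 1, 0]]

# The two direct sums with the same identity but different projections.
SIGMA = [[[0, 1], [1, 0], [0, 0], [0, 0]], [[0, 0], [0, 0], [1, 0], [0, 1]]]
THETA = [[[1, 0], [0, 1], [0, 0], [0, 0]], [[0, 0], [0, 0], [0, 1], [1, 0]]]

if __name__ == "__main__":
    print(is_direct_sum(S1, S2))
    print(disjoint_union(Q, R, S1, S2))
    print(mediating(SIGMA, THETA))
    print(is_isomorphism_of_sums(SIGMA, THETA))
```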

Bibliographic notes. Our definition of direct products comes from [Berghammer 86], who credits it to [Schmidt 85a] and to [Zierer 83]. In [Berghammer 86], one also finds the definition of tupeling with direct products, the statement of theorems 2.10 and 2.12 (for direct products), and the statement and proof of theorem 2.14, for 2-fold direct products. When restricted to mappings, the direct tupeling of relations corresponds to the construction of functions of [Backus 85]. De Roever [de Roever 72] also uses direct relational products. However, his axiomatisation is slightly different (more on this in the next section); in particular, his definition of n-fold direct products is not inductive.

The definition of direct sums and the distinction between products, quasi direct products and direct products are those of the author.

2.5 The Concept of Point

In this section, the concept of point is introduced and some properties of points are proved. This notion will be an important one in the construction of domains for relational semantics.

2.5.1 Basic Definitions and Properties

Definition 2.17. A relation $x$ is a vector iff $x = xL$ (for that $L$ which includes the right identity of $x$); $x$ is a point iff it is a vector, $x \ne \emptyset$ and $x\breve{x} \subseteq I$ (i.e. $x$ is injective). The converse $\breve{x}$ of a point is deterministic and total: it is called a constant mapping. □

We will usually denote vectors and points by lower case letters.

In the subsequent proofs, the equality x = xL characterizing a vector will often be used.

The substitution of x by xL is always possible. Also, it is always the case that xLL = x

(see remark 2.3). However, note that one cannot replace xL by x unless xL ∈ Rx.


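We have already met particular vectors in section 2.2, namely the definition domain $RL$ and the range $\breve{R}L$ of a relation $R$. The relation $\{\langle 0, n\rangle \mid n \in N\} = \{0\} \times N$ is a point, and so is $\{s\} \times T$, for a given $s \in S$ and any set $T \ne \{\}$. The matrices

$$\begin{pmatrix} \emptyset & \emptyset & \emptyset\\ L & L & L\\ \emptyset & \emptyset & \emptyset\\ L & L & L \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} \emptyset & \emptyset & \emptyset\\ L & L & L\\ \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset \end{pmatrix}$$

are examples of a vector and a point, respectively (a vector is a row constant matrix and a point is a vector with exactly one non vanishing row). Note also that the relation $\emptyset$ is a vector, since $\emptyset L = \emptyset$.

As a consequence of the Tarski rule (definition 2.1(5)), a non null vector $x$ is surjective:

$$Lx = LxL = L. \tag{2.16}$$

Hence a point is a bijective relation (this is why $\breve{x}$ is a mapping, as stated in definition 2.17).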

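Proposition 2.18. For all points $x$: $Q \subseteq Rx \Leftrightarrow Q\breve{x} \subseteq R$ (special case: $x \subseteq Ry \Leftrightarrow x\breve{y} \subseteq R$, for all points $x, y$).

Proof. Using the bijectivity of points, theorem 2.6(6f) and the Schröder rule, we find

$$Q \subseteq Rx \Leftrightarrow Q \subseteq \overline{\overline{R}x} \Leftrightarrow \overline{R}x \subseteq \overline{Q} \Leftrightarrow Q\breve{x} \subseteq R.$$

□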

Theorem 2.19. Let $\mathcal{V}$ denote the set of vectors of a complete Boolean subalgebra $\mathcal{B}$ of a relational algebra $\mathcal{R}$.

1. $\mathcal{V}$ constitutes a complete Boolean subalgebra of the Boolean algebra $\mathcal{B}$.

2. Every point of $\mathcal{B}$ is an atom in $\mathcal{V}$.

Proof.

1. Consider $x, y \in \mathcal{V}$. We prove $x \cup y, x \cap y, \overline{x} \in \mathcal{V}$:

$(x \cup y)L = xL \cup yL = x \cup y$;

$(x \cap y)L \subseteq xL \cap yL = x \cap y \subseteq (x \cap y)L$, i.e. $(x \cap y)L = x \cap y$;

By the Schröder rule, $xL\breve{L} \subseteq x \Leftrightarrow \overline{x}L \subseteq \overline{xL} = \overline{x}$; also, $\overline{x} \subseteq \overline{x}L$, i.e. $\overline{x}L = \overline{x}$.

The same argument works for infinite operations. Thus $\mathcal{V}$ is a complete Boolean subalgebra.

2. Now consider a point $x$ of $\mathcal{B}$ and $y \in \mathcal{V}$ and assume $\emptyset \ne y \subseteq x$. Since $x\breve{x} \subseteq I$ and $Ly = LyL = L = LxL = Lx$, theorem 2.6(4b) is applicable and shows $y = x$. □

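Not only in $\mathcal{V}$ but also in $\mathcal{R}$, atoms are closely related to points.

Theorem 2.20. Let $x$ and $y$ be points of a relational algebra $\mathcal{R}$ such that the composition $x\breve{y}$ is defined.

1. $x\breve{y}$ is an atom in $\mathcal{R}$.

If $x$ and $y$ are compatible (i.e. belong to the same domain of $\mathcal{R}$), then

2. $x \ne y \Leftrightarrow x \subseteq \overline{y} \Leftrightarrow x\breve{y} \subseteq \overline{I} \Leftrightarrow \breve{x}y = \emptyset$,

3. $x = y \Leftrightarrow x \subseteq y \Leftrightarrow x\breve{y} \subseteq I \Leftrightarrow \breve{x}y = L$.

Proof.

1. Assume that $\emptyset \ne z \subseteq x\breve{y}$. We will prove that $z = x\breve{y}$.

$$\begin{array}{lll}
\text{(a)} & x\breve{y}L \subseteq xL = x & \breve{y}L \subseteq L;\\
\text{(b)} & (x\breve{y}L)(x\breve{y}L)^{\smile} \subseteq x\breve{x} \subseteq I & \text{(a) and injectivity of points;}\\
\text{(c)} & L(x\breve{y}L) \subseteq L = L(zL) \Rightarrow zL = x\breve{y}L & \text{Tarski rule, } z \subseteq x\breve{y}, \text{ (b), thm. 2.6(4b);}\\
\text{(d)} & (x\breve{y})^{\smile}(x\breve{y}) = y\breve{x}x\breve{y} \subseteq yL\breve{y} = y\breve{y} \subseteq I & \text{theorem 2.2(6), } \breve{x}x \subseteq L,\ yL = y;\\
\text{(e)} & z = x\breve{y} & z \subseteq x\breve{y}, \text{ (c), (d), theorem 2.6(4a).}
\end{array}$$

By theorem 2.19(2), two points are either equal or disjoint, so that the first equivalence of either (2) or (3) is trivial. We proceed with the remaining equivalences.

2.

$$\begin{array}{ll}
x \subseteq \overline{y} \Leftrightarrow \breve{x} \subseteq \overline{\breve{y}} \Leftrightarrow \breve{x}I \subseteq \overline{\breve{y}} \Leftrightarrow x\breve{y} \subseteq \overline{I} & \text{theorem 2.2(7,8), Schröder rule;}\\
x \subseteq \overline{y} \Leftrightarrow xL \subseteq \overline{y} \Leftrightarrow \breve{x}y \subseteq \emptyset \Leftrightarrow \breve{x}y = \emptyset & x = xL, \text{ Schröder rule.}
\end{array}$$

3.

$$\begin{array}{ll}
x \subseteq y \Leftrightarrow x \subseteq Iy \Leftrightarrow x\breve{y} \subseteq I & \text{proposition 2.18;}\\
x \subseteq y \Leftrightarrow xL \subseteq y \Leftrightarrow L\breve{x} \subseteq \breve{y} & x = xL, \text{ theorem 2.2(6,7);}\\
\qquad \Leftrightarrow L \subseteq \breve{y}x \Leftrightarrow L \subseteq \breve{x}y \Leftrightarrow L = \breve{x}y & \text{proposition 2.18, thm 2.2(5,6,7).}
\end{array}$$

□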

The relations $x_0 = \{\langle 0, n\rangle \mid n \in N\} = \{0\} \times N$ and $x_1 = \{\langle 1, n\rangle \mid n \in N\} = \{1\} \times N$ are points. The relation $x_0\breve{x}_1 = \{\langle 0, 1\rangle\}$ is an atom. Similarly, the following matrices $x$ and $y$ are points, and $x\breve{y}$ is an atom:

$$x = \begin{pmatrix} \emptyset & \emptyset & \emptyset\\ L & L & L\\ \emptyset & \emptyset & \emptyset \end{pmatrix}, \quad y = \begin{pmatrix} \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & \emptyset\\ L & L & L \end{pmatrix}, \quad x\breve{y} = \begin{pmatrix} \emptyset & \emptyset & \emptyset\\ \emptyset & \emptyset & L\\ \emptyset & \emptyset & \emptyset \end{pmatrix}.$$

2.5.2 The Point Axiom

We first introduce the point axiom, and then show that a relational algebra that satisfies

this axiom is isomorphic to a concrete algebra of relations between sets.

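Definition 2.21. A relational algebra $\mathcal{R}$ satisfies the point axiom iff for every $R \in \mathcal{R}$

$$R \ne \emptyset \Rightarrow \exists \text{ points } x, y : x\breve{y} \subseteq R.$$

By extension, we will say that a domain $\mathcal{R}_Q$ of $\mathcal{R}$ satisfies the point axiom iff for all $R \in \mathcal{R}_Q$, $R \ne \emptyset \Rightarrow \exists$ points $x, y : x\breve{y} \subseteq R$. □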

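Obviously, every concrete algebra of relations between sets satisfies the axiom, since for any relation $R \subseteq S \times T$,

$$\langle s, t\rangle \in R \Leftrightarrow (\{s\} \times T)(\{t\} \times T)^{\smile} \subseteq R$$

($\{s\} \times T$ and $\{t\} \times T$ are points, as noted above).

However, the following set of four Boolean matrices is a relational algebra that does not satisfy the point axiom (none of its relations is a point):

$$\begin{pmatrix} \emptyset & \emptyset\\ \emptyset & \emptyset \end{pmatrix}, \quad \begin{pmatrix} L & \emptyset\\ \emptyset & L \end{pmatrix}, \quad \begin{pmatrix} \emptyset & L\\ L & \emptyset \end{pmatrix}, \quad \begin{pmatrix} L & L\\ L & L \end{pmatrix}. \tag{2.17}$$

Note that this set of matrices cannot be conceived as the set $\wp(S \times S)$ of relations on a set $S$, since no such set of relations has cardinality 4.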
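The claim about the four matrices (2.17) can be verified by brute force. The Python sketch below is an added example, not part of the thesis; it encodes L as 1 and ∅ as 0, compares the four-element algebra with the full algebra of 2×2 Boolean matrices, and all function names are assumptions introduced here.

```python
from itertools import product

# Relations are Boolean matrices: 1 stands for L, 0 for the empty entry.

def compose(a, b):
    """Relational composition, i.e. the Boolean matrix product."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def converse(a):
    return [list(col) for col in zip(*a)]

def join(a, b):
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def meet(a, b):
    return [[x & y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def complement(a):
    return [[1 - x for x in row] for row in a]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def universal(n):
    return [[1] * n for _ in range(n)]

def is_empty(a):
    return not any(map(any, a))

def leq(a, b):
    """Inclusion a ⊆ b."""
    return meet(a, b) == a

def is_vector(x):
    """x = xL (definition 2.17)."""
    return compose(x, universal(len(x[0]))) == x

def is_point(x):
    """A non-empty vector with x x~ ⊆ I (definition 2.17)."""
    return (is_vector(x) and not is_empty(x)
            and leq(compose(x, converse(x)), identity(len(x))))

def points(algebra):
    return [x for x in algebra if is_point(x)]

def atoms(algebra):
    """All compositions x y~ of points x, y (theorem 2.20(1))."""
    found = []
    for x, y in product(points(algebra), repeat=2):
        a = compose(x, converse(y))
        if a not in found:
            found.append(a)
    return found

def satisfies_point_axiom(algebra):
    """Definition 2.21: every non-empty R contains some x y~ with x, y points."""
    pts = points(algebra)
    return all(any(leq(compose(x, converse(y)), r) for x in pts for y in pts)
               for r in algebra if not is_empty(r))

def is_closed(algebra):
    """Closure under composition, union, intersection, converse, complement."""
    binary = all(op(a, b) in algebra for op in (compose, join, meet)
                 for a in algebra for b in algebra)
    unary = all(op(a) in algebra for op in (converse, complement)
                for a in algebra)
    return binary and unary

def tarski_rule_holds(algebra):
    """R non-empty implies L R L = L."""
    top = universal(2)
    return all(compose(compose(top, r), top) == top
               for r in algebra if not is_empty(r))

# The four matrices of (2.17) and, for contrast, all sixteen 2x2 matrices.
FOUR = [[[0, 0], [0, 0]], [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 1], [1, 1]]]
FULL = [[list(b[:2]), list(b[2:])] for b in product((0, 1), repeat=4)]

if __name__ == "__main__":
    print(is_closed(FOUR), tarski_rule_holds(FOUR))
    print(points(FOUR), satisfies_point_axiom(FOUR))
    print(points(FULL), satisfies_point_axiom(FULL))
    print(atoms(FULL))
```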

Proposition 2.22. In a relational algebra satisfying the point axiom every non null vector contains a point.

Proof. Consider $\emptyset \ne v = vL$ and let $x, y$ be points with $x\breve{y} \subseteq v$. Using monotonicity of composition and the Tarski rule, we get

$$xL = xL\breve{y}L = x\breve{y}L \subseteq vL = v.$$

But $xL$ is a point, since $xL \ne \emptyset$, $xLL = xL$ and $(xL)(xL)^{\smile} = xL\breve{L}\breve{x} = x\breve{x} \subseteq I$. □


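Theorem 2.23. (Point insertion.) Let $x, y$ be points of a relational algebra satisfying the point axiom. For arbitrary relations $Q, R$,

$$x \subseteq QRy \Leftrightarrow \exists \text{ point } z : x \subseteq Qz \wedge z \subseteq Ry.$$

Note that by proposition 2.18, an equivalent formulation is

$$x\breve{y} \subseteq QR \Leftrightarrow \exists \text{ point } z : x\breve{z} \subseteq Q \wedge z\breve{y} \subseteq R.$$

Proof. The proof in the direction ‘⇐’ is trivial. In the other direction, assume that $\breve{Q}x \cap Ry = \emptyset$. By using the Schröder rule, we find that

$$\breve{Q}x \cap Ry = \emptyset \Leftrightarrow \breve{Q}x \subseteq \overline{Ry} \Leftrightarrow QRy \subseteq \overline{x} \Leftrightarrow x \subseteq \overline{QRy}.$$

But $x \subseteq QRy$, by hypothesis. Hence, $\breve{Q}x \cap Ry \ne \emptyset$. Also, by theorem 2.4(1),

$$\breve{Q}x \cap Ry = \breve{Q}xL \cap RyL = (\breve{Q}x \cap RyL)L = (\breve{Q}x \cap Ry)L,$$

so that $\breve{Q}x \cap Ry$ is a non null vector. By proposition 2.22, there exists a point $z \subseteq \breve{Q}x \cap Ry$, i.e.

$$z \subseteq \breve{Q}x \Leftrightarrow z\breve{x} \subseteq \breve{Q} \Leftrightarrow x\breve{z} \subseteq Q \Leftrightarrow x \subseteq Qz \quad\text{and}\quad z \subseteq Ry$$

where we have used theorem 2.2(5,6,7) and proposition 2.18. □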

We now prove a representation theorem that precisely describes the structure of relational algebras fulfilling the point axiom.

Theorem 2.24. An abstract relational algebra $\mathcal{R}$ satisfying the point axiom is an algebra of relations. More precisely, $\mathcal{R}$ is isomorphic to an algebra of relations between the sets of homogeneous points of $\mathcal{R}$.

Proof. The point axiom, in conjunction with theorem 2.20, ensures that all atoms can be represented as a composition $x\breve{y}$ of points $x, y$. Let $Q$ be a relation in $\mathcal{R}$ and $L_Q$ be the universal element of $\mathcal{R}_Q$. We define the functions $l, r : \{a \mid a \text{ is an atom} \wedge a \in \mathcal{R}\} \to \mathcal{R}$ in the following way. For each atom $a \in \mathcal{R}_Q$

$$l(a) \stackrel{\mathrm{def}}{=} a\breve{L}_Q, \qquad r(a) \stackrel{\mathrm{def}}{=} \breve{a}L_Q.$$

Obviously, $l(x\breve{y})$ and $r(x\breve{y})$ are points ($l$ and $r$ associate a pair of points $\langle l(x\breve{y}), r(x\breve{y})\rangle$ to each atom $x\breve{y}$ of $\mathcal{R}_Q$). Let $u$ and $v$ be points such that $u\breve{v} \in \mathcal{R}_Q$. We show that

$$l(x\breve{y}) = l(u\breve{v}) \wedge r(x\breve{y}) = r(u\breve{v}) \Rightarrow x\breve{y} = u\breve{v},$$

i.e. $l$ and $r$ assign different pairs of points to different atoms.

Page 54: ABSTRACT RELATIONAL SEMANTICS - Université Lavaldesharnais/Recherche/Theses/... · 2014. 1. 17. · ii Abstract Abstract relational algebra is used to deflne the semantics of a

CHAPTER 2. RELATIONAL ALGEBRA 48

l(xy) = l(uv) ∧ r(xy) = r(uv)⇒ l(xy)LQ(r(xy)) = l(uv)LQ(r(uv))⇔ xyLQLQLQxy = uvLQLQLQuv

⇔ xLyLQLQLQxLy = uLvLQLQLQuLv because x = xL and u = uL;

⇒ xLy = uLv Tarski rule;

⇔ xy = uv.

Next, we introduce the function χ which associates to every abstract relation Q in Ra concrete relation between two sets of points:

χ(Q) def= 〈l(xy), r(xy)〉|xy ⊆ Q.

The function χ assigns to every relation the set of all atoms contained in it, given as pairs

of points. As is known in lattice theory such a function establishes an isomorphism so far

as the structure of RQ as a complete atomic Boolean algebra is concerned.

It remains to see that χ preserves composition and converse. By theorem 2.23,

χ(QR) = 〈l(xy), r(xy)〉|xy ⊆ QR = 〈l(xy), r(xy)〉|∃z : xz ⊆ Q ∧ zy ⊆ R.

Observe that r(xy) = yxLQR = yxLQLR and r(zy) = yzLR. Hence r(xy) and r(zy) are

compatible; since both of them are points, and because (r(zy))r(xy) = LRzyyxLQLR =

L, we must have, by theorem 2.20(3), r(xy) = r(zy). Similarly, l(xy) = l(xz). Moreover,

r(xz) = zxLQ = zLxLQ = zL = zLyLR = zyLR = l(zy). From all that, we can conclude

that

χ(QR) = 〈l(xz), r(xz)〉|xz ⊆ Q 〈l(zy), r(zy)〉|zy ⊆ R = χ(Q) χ(R).

Finally,

χ(R) = 〈l(xy), r(xy)〉|xy ⊆ R = 〈r(yx), l(yx)〉|yx ⊆ R = (χ(R)).

Let Sl and Sr be the sets of points

Sl = l(xy)|xy ∈ RQ ∧ x, y are points, Sr = r(xy)|xy ∈ RQ ∧ x, y are points.

Both of them are non empty, because LQ ≠ ∅ (hence there exist points x and y such that

xy ⊆ LQ). The points in Sl are homogeneous and compatible with the left identity Il of

RQ; similarly, the points in Sr are homogeneous and compatible with the right identity

Ir of RQ. Now let x be a point in RIl ; we show that x ∈ Sl. Choose a point y ∈ Sr.


Because y is homogeneous, y ∈ Sr. Hence xLQy ∈ RQ. But xLQ is a point, so that

l(xLQy) = xLQyLQ = xL = x. Consequently, x ∈ Sl. This means that Sl is exactly

the set of homogeneous points of the domain RIl ; similarly, Sr is the set of homogeneous

points of RIr. □

2.5.3 Direct Sums and Direct Products Preserve the Point Axiom

Throughout this subsection, lower case relation symbols denote points.

Let P and Q be relations of a relational algebra R such that RP and RQ satisfy

the point axiom. Assume that there exist direct products for constructing the cartesian

product [P,Q]. A question that we answer in this subsection is: Does R[P,Q] satisfy the

point axiom? We also answer the corresponding question about direct sums.

There is another problem that we investigate. Let L1, L2 and L3 be universal relations

such that L3 = L1L3L2. If the point axiom holds for L1 and L2, does it follow that it also

holds for L3 (and vice versa)?

For example, with L1 = S1 × S1 and L2 = S2 × S2 (for some non empty sets S1 and

S2), we have L3 = S1×S2. If L1 and L2 are the 3×3 and 4×4 unit matrices, respectively,

then L3 is the 3× 4 unit matrix.

The next lemma characterizes the points of the domains constructed with direct sums

and quasi direct products.

Lemma 2.25. Let (σ1, . . . , σn) be a direct sum and (π1, . . . , πn) be a quasi direct product.

If xk (1 ≤ k ≤ n) is a point, then

1. σkxk is a point;

2. [x1, . . . , xn〉 is a point.

Proof. We must show that the three properties of a point (definition 2.17) hold.

1. From the definition of points and direct sums, we get

(a) σkxkL = σkxk.

(b) (σkxk)(σkxk) = σkxkxkσk ⊆ σkσk ⊆ I.

(c) ∅ ≠ xk = σkσkxk ⇒ σkxk ≠ ∅.


2. (a) [x1, . . . , xn〉L = (⋂_{k=1}^{n} πkxk)L    definition of [ 〉;

= (⋂_{k=1}^{n} πkxkL)L    xk = xkL;

= ⋂_{k=1}^{n} πkxkL    repeated applications of theorem 2.4(1);

= [x1, . . . , xn〉    xk = xkL, definition of [ 〉.

(b) By corollary 2.13, [x1, . . . , xn〉 is injective.

(c) By theorem 2.12(2), equation 2.6 on page 32 and the fact that xk is total,

[x1, . . . , xn〉L = 〈x1, . . . , xn]L = L ⇒ [x1, . . . , xn〉 ≠ ∅. □

As a consequence of this lemma,

σjxj y,    σjxj ykσk,    [x1, . . . , xn〉[y1, . . . , yn〉,    [x1, . . . , xn〉y    (2.18)

are atoms.

We can rewrite the last two as follows:

[x1, . . . , xn〉[y1, . . . , yn〉 = [x1y1, . . . , xnyn],

[x1, . . . , xn〉y = [x1y, . . . , xny〉.    (2.19)

In effect,

[x1, . . . , xn〉[y1, . . . , yn〉

= (⋂_{k=1}^{n} πkxk)L(⋂_{k=1}^{n} ykρk)    [x1, . . . , xn〉 and [y1, . . . , yn〉 are points;

= (⋂_{k=1}^{n} πkxk)L ∩ L(⋂_{k=1}^{n} ykρk)    theorem 2.4(3);

= ⋂_{k=1}^{n} πkxkL ∩ Lykρk    theorem 2.4(1), xk = xkL, yk = ykL;

= ⋂_{k=1}^{n} πkxkLykρk    theorem 2.4(3);

= [x1y1, . . . , xnyn].

The proof for [x1, . . . , xn〉y is similar.

In a relational algebra R where the point axiom holds, every atom has the form xy.

Hence, by section 2.1, any relation Q can be written as ⋃xy|xy ⊆ Q. Because of

theorem 2.20(3), xy ⊆ I ⇔ x = y; consequently, I can be written as I = xx|xx ⊆ I. We can also write I = ⋃xx|x ∈ X, where X is an appropriate set of points. Note that

x ∈ X need not range over the set of all points x such that xx ⊆ I. This is because in an


heterogeneous algebra we might have uu = vv for a point v ∉ Ru. The following matrices

are an illustration of this fact:

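$$u = \begin{pmatrix} L & L \\ \emptyset & \emptyset \end{pmatrix},\quad u = \begin{pmatrix} L & \emptyset \\ L & \emptyset \end{pmatrix},\quad uu = \begin{pmatrix} L & \emptyset \\ \emptyset & \emptyset \end{pmatrix},$$

$$v = \begin{pmatrix} L & L & L \\ \emptyset & \emptyset & \emptyset \end{pmatrix},\quad v = \begin{pmatrix} L & \emptyset \\ L & \emptyset \\ L & \emptyset \end{pmatrix},\quad vv = \begin{pmatrix} L & \emptyset \\ \emptyset & \emptyset \end{pmatrix} = uu.$$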

Suppose that I2×2 is the 2×2 identity matrix. We can express it as I2×2 = ⋃xx|x ∈ Ru

or as I2×2 = ⋃xx|x ∈ Rv.

Consider a homogeneous relation Lh and let p be a predicate on R. We have

Lh = ⋃xy|p(x) ∧ p(y) ⇔ Ih = ⋃xx|p(x).    (2.20)

In effect, assume that Lh = ⋃xy|p(x) ∧ p(y). By theorem 2.20, x = y ⇔ xy ⊆ I, so that

Ih = Ih ∩ Lh = ⋃xx|p(x).

Now suppose that Ih = ⋃xx|p(x):

Lh = IhLhIh

= (⋃xx|p(x))Lh(⋃xx|p(x))

= ⋃xxLhyy|p(x) ∧ p(y)    ∪-distributivity;

= ⋃xy|p(x) ∧ p(y)    x = xL, Tarski rule.

Theorem 2.26. Let R be a relational algebra.

1. Let L1, L2 and L3 be universal elements such that L3 = L1L3L2. The point axiom

holds in RL1 and RL2 iff it holds in RL3.

2. Let (σ1, . . . , σn) be a direct sum such that

σkσk = Ik ⊆ Lk (1 ≤ k ≤ n) and ⋃_{k=1}^{n} σkσk = Iσ ⊆ Lσ.

If the point axiom holds in every RIk then it also holds in RIσ and in each Rσk .

3. Let (π1, . . . , πn) be a direct product such that

πkπk = Ik ⊆ Lk (1 ≤ k ≤ n) and ⋂_{k=1}^{n} πkπk = Iπ ⊆ Lπ.

If the point axiom holds in every RIk then it also holds in RIπ and in each Rπk .


Proof. To show that a domain RQ satisfies the point axiom, it suffices to show that the

unit relation LQ of RQ can be written as

LQ = ⋃xy|p(x, y),

where p is a predicate. In effect, let ∅ ≠ R ⊆ LQ. Because RQ is atomic, there must be

an atom a ⊆ R. But then a ⊆ LQ, and because two atoms are either equal or disjoint,

we must have a = xy for some points x and y. This means that for any non null relation

R ⊆ LQ there are points x and y such that xy ⊆ R.

If RQ is a homogeneous domain, one can show instead that IQ = ⋃xx|p(x), since,

by 2.20, this is equivalent to LQ = ⋃xy|p(x) ∧ p(y).

1. (a) Suppose that the point axiom holds in RL1 and RL2 . We will show that L3 is

a union of atoms of the form xy, where x and y are points. By hypothesis,

L1 = ⋃xy|xy ⊆ L1 and L2 = ⋃xy|xy ⊆ L2.

Consequently, by ∪-distributivity and the Tarski rule,

L3 = L1L3L2

=⋃xyL3uv|xy ⊆ L1 ∧ uv ⊆ L2

=⋃xLv|∃y, u : xy ⊆ L1 ∧ uv ⊆ L2.

It now suffices to remark that xL and v are points.

(b) Now suppose that RL3 satisfies the point axiom. This implies that L3 = ⋃xy|xy ⊆ L3. Also, L3L3 = L1L3L2(L1L3L2) = L1, by the Tarski rule

and the fact that, obviously, L1 is a homogeneous relation. Hence,

L1 = L3L3

=⋃xyuv|xy ⊆ L3 ∧ uv ⊆ L3

=⋃xyuv|xy ⊆ L3 ∧ uv ⊆ L3 ∧ u = y theorem 2.20(2);

=⋃xLv|∃y : xy ⊆ L3 ∧ yv ⊆ L3 by theorem 2.20(3) yy = L.

Again, xL and v are points. The derivation for L2 is alike.

2. By hypothesis, Ik = xx|xx ⊆ Ik, for k = 1, . . . , n. Hence,

Iσ = ⋃_{k=1}^{n} σkσk

= ⋃_{k=1}^{n} σkIkσk

= ⋃_{k=1}^{n} σk(⋃xx|xx ⊆ Ik)σk

= ⋃_{k=1}^{n} ⋃σkxxσk|xx ⊆ Ik    ∪-distributivity.


By lemma 2.25, σkx is a point. Hence Iσ is a union of atoms of the form (σkx)(σkx) and the point axiom holds in RIσ . That it also holds in each Rσk then follows by

part 1 of the present theorem.

3. By hypothesis, Ik = xkxk|xkxk ⊆ Ik, for k = 1, . . . , n. We can suppose that

xk ⊆ Lk: If it is not the case, it suffices to replace xk by xkxkLk (which is included

in Lk), since, by the Tarski rule, xkxk = xkxkLk(xkxkLk) and xkxkLk is a point.

Hence Ik = ⋃xkxk|xk ⊆ Lk and

Iπ = [I1, . . . , In]

= [⋃x1x1|x1 ⊆ L1, . . . , ⋃xnxn|xn ⊆ Ln]

= ⋃[x1x1, . . . , xnxn]|xk ⊆ Lk, k = 1, . . . , n    2.9 (page 32);

= ⋃[x1, . . . , xn〉[x1, . . . , xn〉|xk ⊆ Lk, k = 1, . . . , n    2.19 (page 50).

But [x1, . . . , xn〉 is a point, as shown by lemma 2.25. Thus RIπ satisfies the point

axiom. Part 1 of the present theorem implies that this is also true of Rπk , for

k = 1, . . . , n. □

The primitive domains to be specified in the next section will satisfy the point axiom.

Theorem 2.26 guarantees that the sums and products of these domains will also satisfy

the point axiom.

In section 2.4, we remarked that theorem 2.14 was applicable only under certain conditions, whereas it seemed to hold for any concrete relations on sets (see 2.12 page 38).

We will now prove that it holds in relational algebras where the point axiom is valid (like

algebras of relations on sets). Before proving the theorem itself, we prove the following

lemma.

Lemma 2.27. Let π1, π2, Q1, Q2, R1, R2 be relations of a relational algebra satisfying the

point axiom. If

Q1π1π1R1 ⊆ Q1R1,

Q2π2π2R2 ⊆ Q2R2,

Q1Q2 ⊆ π1π2 or R1R2 ⊆ π1π2

then

(Q1π1 ∩Q2π2)(π1R1 ∩ π2R2) = Q1R1 ∩Q2R2.


Proof. The inclusion ‘⊆’ is trivial. In the other direction, we will show that every atom

of the right term must be included in the left term (for the case where Q1Q2 ⊆ π1π2). We

know that these atoms have the form xy for some points x, y. The proof uses the point

insertion theorem (theorem 2.23).

xy ⊆ Q1R1 ∩Q2R2

⇒ ∃u, v : xu ⊆ Q1 ∧ uy ⊆ R1 ∧ xv ⊆ Q2 ∧ vy ⊆ R2 ∧ uv ⊆ Q1Q2 ⊆ π1π2

⇒ ∃u, v, z : xu ⊆ Q1 ∧ uy ⊆ R1 ∧ xv ⊆ Q2 ∧ vy ⊆ R2 ∧ uz ⊆ π1 ∧ zv ⊆ π2

⇒ ∃z : xz ⊆ Q1π1 ∧ xz ⊆ Q2π2 ∧ zy ⊆ π1R1 ∧ zy ⊆ π2R2

⇒ xy ⊆ (Q1π1 ∩Q2π2)(π1R1 ∩ π2R2).

The proof of the case R1R2 ⊆ π1π2 is similar. □

Theorem 2.28. For k = 1, . . . , n, let Qk, Rk be relations in a relational algebra that

satisfies the point axiom. Assume that Π = (π1, . . . , πn) is a product, and that the tupelings

below are done with respect to Π. Then,

〈Q1, . . . , Qn]][[R1, . . . , Rn〉 = ⋂_{k=1}^{n} QkRk,

〈Q1, . . . , Qn]][[R1, . . . , Rn]] = 〈Q1R1, . . . , QnRn]],

[[Q1, . . . , Qn]][[R1, . . . , Rn〉 = [[Q1R1, . . . , QnRn〉,

[[Q1, . . . , Qn]][[R1, . . . , Rn]] = [[Q1R1, . . . , QnRn]].

Proof. We will use lemma 2.27 to give an inductive proof of the first equality. Notice

that the premises of the lemma hold trivially when (π1, π2) is a product.

For n = 2, 〈Q1, Q2]][[R1, R2〉 = Q1R1 ∩Q2R2 follows directly from lemma 2.27.

Assume that the equality holds for (n− 1)-fold products.

〈Q1, . . . , Qn]][[R1, . . . , Rn〉

= 〈〈Q1, . . . , Qn−1]], Qn]][[[[R1, . . . , Rn−1〉, Rn〉    2.10 and 2.11 on page 34;

= 〈Q1, . . . , Qn−1]][[R1, . . . , Rn−1〉 ∩QnRn    basis of induction;

= ⋂_{k=1}^{n} QkRk    induction hypothesis.

The last three equations are direct consequences of the first one. □

Hence the point axiom is sufficient to allow a proof of the theorem for arbitrary relations

Qi, Ri. Moreover this theorem is more general than theorem 2.14 not only because the

relations Qk, Rk are unrestricted, but also because (π1, . . . , πn) need not be a quasi direct


product. Despite much effort, we have not been able to prove the theorem (even for direct

products) without assuming the point axiom. We do not know, however, if this axiom is

necessary. It is interesting to note that 〈Q1, . . . , Qn][R1, . . . , Rn〉 = ⋂_{k=1}^{n} QkRk was taken

as an axiom by de Roever [de Roever 72].

Bibliographic notes. The notion of point in relational algebras has been introduced

recently by Schmidt and Ströhlein [Schmidt 85]. Most of the theorems and propositions of

subsections 2.5.1 and 2.5.2 are reproduced from that paper. However, their presentation

was done for homogeneous algebras and we had to adapt or change some proofs. In

particular, our proofs of theorems 2.23 and 2.24 are substantially different.

The 4 matrices in 2.17 (page 46) come from [Berghammer 83] who gives them as an

example of a relational algebra that is not isomorphic to any concrete algebra of relations

on sets.

The material presented in subsection 2.5.3 has been developed by the author.


Chapter 3

SPECIFICATIONS

In this chapter we present some specifications of relational domains. In section 3.1 we

tackle the case of primitive domains that correspond to the set of relations on the natural

numbers and Boolean values. Then, in section 3.2 we introduce a specification named

STACKS. The domain defined by STACKS is isomorphic to the set of relations on a set

of stacks. Finally, in section 3.3, the specification TABLES defines the domain that will

be used in the next chapter to give the semantics of a programming language.

All the relational domains thus specified satisfy the point axiom. In fact, the presentation will stress the importance of the notion of point. We will see that points can play a role analogous to that of terms in the term algebras generated by classical algebraic specifications [Ehrig 85].

With the introduction of specific domains, we need a means of distinguishing between

them. We will assign to each domain a signature (or type, or name) of the form X→Y ,

where X and Y are identifiers called sorts. We will often add a signature as a subscript

to a relation symbol; e.g., RX→Y indicates that R belongs to the domain named X→Y ,

i.e. R ∈ X→ Y . This notation will be particularly useful to disambiguate null, identity

and universal relations. However, we will not subscript a relation with its signature when

the context or the name of the relation makes it clear.

We will adopt the following conventions. The relations QU→V and RX→Y are compatible

iff U = X and V = Y . Similarly, the composition QU→V RX→Y is defined iff V = X.

The domain of QU→X RX→Y is U → Y . We will write RX→Y for RX→Y and RY→X for

(RX→Y ) (the domain of (RX→Y ) is Y →X). For universal relations, (LX→Y ) = LY→X .

Finally, the relation RX→X is homogeneous.


Of course, subscripts will have other more standard uses, but a subscript will denote

a signature only if a ‘→’ appears in it.

In the sequel, the relation names will not always be single letters. For that reason,

composition will be explicitly indicated by the ‘’ operator. This will make it clear that,

e.g., OR is the name of a relation and not the composition O R.

3.1 Natural Numbers and Booleans

Our first specification, NAT, constructs a domain named N→N corresponding, as we will

see, to the set of relations on the natural numbers.

Specification 3.1. NAT:

sort: N.

domain: N→N.

relations: 0 ∈ N→N;

S ∈ N→N.

axioms: (1) 0 is a point, i.e.

∅ ≠ 0 = 0 L,

0 0 ⊆ I.

(2) S is an injective mapping, i.e.

S S = I,

S S ⊆ I.

(3) L = L.

(4) S 0 = ∅.

(5) L = 0 ∪ S L. □

We first make a comment about the layout of the specification. The section ‘sort’

introduces the identifier appearing in the signature of the domain defined by the specifi-

cation. The section ‘domain’ gives the signature of the domain being defined. The section

‘relations’ lists the constant relations (together with their signature) used in the axioms.

However, null, identity or universal relations are not listed. Finally, the section ‘axioms’

gives the laws relating the constant relations, where of course, ∅, I and L all belong to

N→N.


It is interesting to compare this specification to the ones given in the conventional

algebraic, functional, style [Ehrig 85, Goguen 78, Guttag 78]. Axiom 1 states that 0 is a

point. Hence, 0 is a constant mapping and corresponds to the usual 0 :→ N of algebraic

specifications. Axiom 2 restricts S to be a mapping; this holds by necessity in the functional setting. By axiom 3 the domain specified is homogeneous (this domain is also a relational algebra). Axiom 4 ensures that ‘0 is not the successor of any number’. We will come back later to the roles of axiom 4 and of the injectivity of S. For the moment, we

will concentrate on axiom 5, which is a recursive equation.

The specification NAT can be satisfied by many algebras. How are we going to choose

the one(s) that we are interested in? Our first decision concerns (systems of) recursive

equations. We will choose the least solution (inclusion-wise) to these systems (this least

solution will always exist for the specifications to come).

We apply this rule to axiom 5. Because f(X) def= 0 ∪ S X is continuous and total on

N→N, its least fixpoint L is given by (see 2.3, page 14)

L = ⋃_{n=0}^{∞} f^n(∅) = ⋃_{n=0}^{∞} S^n 0.    (3.1)

We now show, by induction, that S^n 0 is a point. For n = 0, this is just axiom 1. Assume that S^n 0 is a point; we will show that S^{n+1} 0 is also a point. Firstly, note that S ≠ ∅, since S is total. Because S is surjective, S R ≠ ∅ for any R ≠ ∅. In particular, by the induction hypothesis,

S^{n+1} 0 = S (S^n 0) ≠ ∅.

Secondly,

S^{n+1} 0 (S^{n+1} 0) = S (S^n 0) (S^n 0) S

⊆ S S    S^n 0 (S^n 0) ⊆ I;

⊆ I    axiom 2.

Finally, S^{n+1} 0 L = S^{n+1} 0. This completes the proof that S^n 0 is a point.

This means that LN→N is a union of points. Also, because LN→N is homogeneous,

L = L L = (⋃_{n=0}^{∞} S^n 0) (⋃_{n=0}^{∞} 0 S^n) = ⋃_{m,n≥0} S^m 0 0 S^n = ⋃_{m,n≥0} (S^m 0) (S^n 0)

and, by 2.20 (page 51),

I = ⋃_{n=0}^{∞} S^n 0 0 S^n = ⋃_{n=0}^{∞} (S^n 0) (S^n 0).


Hence the domain N→N satisfies the point axiom (see the proof of theorem 2.26).

By theorem 2.24, N→N is isomorphic to the set of relations on the set of points

Sl = Sr = l(x y)|x y ∈ N→N ∧ x, y are points

= S^n 0 0 S^m L|m,n ≥ 0

= S^n 0|n ≥ 0    S and 0 total, 0 = 0 L.

Hence we have at least one model for the specification. But we do not know yet what

it is exactly, because one question is still unanswered: Are all these points different?

The answer to this question could depend on the semantics that we give to the specification. The most popular semantics for algebraic specifications is initial algebra semantics [Ehrig 85, Goguen 78], where two terms are considered different if they cannot be proved equal. Another approach is final algebra semantics [Wand 79], where two terms are considered equal, unless they can be proved to be different.

The attitude that we will take here is that nothing can be proved from the absence of

axioms (as do Guttag and Horning [Guttag 86]). All the domains specified in this thesis

satisfy the point axiom and there are always enough axioms to determine whether two

points are equal or not.

The structure of the possible terms built from the constant relations can be quite

complex, e.g., S^m ∩ S^n, S^m S^n, S^m ∩ (0 ∪ S 0), etc. For that reason, we simply require

to be able to decide whether two terms denoting points are equal or not. Hence the

fundamental role of terms and term algebras in the context of algebraic specifications will

be held here by points and algebras of relations on sets of points. That is, the ‘natural’

model for our specifications will be made up of sets of points rather than sets of terms.

Lemma 3.2. m ≠ n ⇒ S^m 0 ≠ S^n 0.

Proof. The proof uses axiom 4 of specification NAT and the injectivity of S. Assume

that m > n and suppose, by way of contradiction, that S^m 0 = S^n 0.

S^m 0 = S^n 0 ⇒ S^m S^m 0 = S^m S^n 0

⇒ 0 = S^{m−n} 0    S S = I;

⇒ 0 = S^{m−(n+1)} S 0    m > n;

⇒ 0 = ∅    S 0 = ∅.

But 0 ≠ ∅, whence S^m 0 ≠ S^n 0. If m < n, the proof is similar. □


There is an obvious correspondence between the points of N→N and the natural numbers. This justifies the following abbreviations.

n def= S^n 0 and m + n def= S^{m+n} 0.    (3.2)

The unit and identity relations of N→N are then simply

L = ⋃_{n≥0} n = ⋃_{m,n≥0} m n and I = ⋃_{n≥0} n n.    (3.3)

The following properties of points of N→N are direct consequences of: (a) the specification NAT, (b) the definition of points (2.17), and (c) theorem 2.20.

L n = L, m n = L if m = n,

n L = n, m n = ∅ if m ≠ n,

S n = n+ 1, n S = n+ 1,

m n = m, n S = n− 1 for n ≠ 0.    (3.4)

(When using these abbreviations, one must be careful not to confuse natural numbers and

relations in the formulae that use the same symbols for both.)

Before showing that the specification NAT is monomorphic, we introduce another

domain and discuss the notion of extension of a relational algebra.

The next specification is as simple as a specification can be.

Specification 3.3. ONE:

sort: ONE.

domain: ONE→ONE.

axiom: L = I. □

The unit relation L is a point. The domain of ONE→ONE contains two relations, ∅ and L. It is isomorphic to the set of relations on a set of one element.

Our relational algebra is now the union of the domains N→N and ONE→ONE and it

satisfies the point axiom, since both domains do. We can extend it by adding the following

specification.

Specification 3.4. EXTEND: NAT + ONE +

domains: N→ONE, ONE→N.

axioms: (1) LN→ONE = LN→N LN→ONE LONE→ONE.

(2) LONE→N = (LN→ONE). □


The first line of this specification, ‘NAT + ONE +’, means that the sorts, domains,

relations and axioms of specifications NAT and ONE must be added to EXTEND.

Domains such as those that are introduced by EXTEND are widely used and rather

trivial to define. For that reason, we will assume their existence and not make explicit

specifications for them. Similarly, if we are given X→Y , then we assume that definitions

have also been given for the domains Y → X, X → X and Y → Y that are necessary

to conform to the definition of a relational algebra. Finally, product domains and sum

domains will occasionally be used without explicit specification. The important point to

remember is that all such extensions preserve the point axiom (theorem 2.26).

Now we return to specification NAT to prove its monomorphism.

Theorem 3.5. The specification NAT is monomorphic.

Proof. Let NATM be the same specification as NAT, except that the sort N is renamed

M. We first show that

φM→N = ⋃_{n=0}^{∞} nM→M LM→N nN→N

is a bijective mapping (note here that we assume the existence of the domain M→N).

From ∪-distributivity, we get

φM→N φN→M = ⋃_{m=0}^{∞} ⋃_{n=0}^{∞} mM→M LM→N mN→N nN→N LN→M nM→M.

By lemma 3.2,

∀m,n ∈ N : m ≠ n ⇒ mN→N ≠ nN→N,

hence, by theorem 2.20,

φM→N φN→M = ⋃_{n=0}^{∞} nM→M nM→M = IM→M.

Similarly, φN→M φM→N = IN→N. Thus φM→N is a bijective mapping. Furthermore,

(φM→N, φM→N) is an isomorphism between 0M→M and 0N→N, and between SM→M and SN→N:

φM→N 0N→N = (⋃_{n=0}^{∞} nM→M LM→N nN→N) 0N→N

= ⋃_{n=0}^{∞} nM→M LM→N nN→N 0N→N    ∪-distributivity;

= 0M→M LM→N    by 3.4 (page 60);

= 0M→M LM→M φM→N    φ surjective;

= 0M→M φM→N    0 L = 0 ;


φM→N SN→N = (⋃_{n=0}^{∞} nM→M LM→N nN→N) SN→N

= ⋃_{n=0}^{∞} nM→M LM→N nN→N SN→N    ∪-distributivity;

= ⋃_{n=0}^{∞} SM→M SM→M nM→M LM→N n+1N→N    3.4, S S = I;

= SM→M (⋃_{n=0}^{∞} n+1M→M LM→N n+1N→N)    ∪-distributivity, 3.4;

= SM→M (⋃_{n=0}^{∞} nM→M LM→N nN→N)    S 0 = ∅;

= SM→M φM→N. □

It would also be possible to give an inductive proof of the monomorphism of NAT. We

will give an example of the technique when proving the monomorphism of the specification

STACKS in the next section.

The following specification defines the domain B→B that corresponds to the set of

relations on truth values. The compound domain B B→B is also introduced, with three

of its elements, the relations OR, AND and EQ .

Specification 3.6. BOOL:

sort: B.

domains: B→B, B B→B, B→B B, B B→B B.

relations: true, false, NOT ∈ B→B;

π1, π2, AND, OR, EQ ∈ B B→B.

axioms: (1) true and false are points.

(2) true ∩ false = ∅ (or true false = ∅).

(3) L = true ∪ false.

(4) NOT = true false ∪ false true.

(5) (π1, π2) is a direct product.

(6) OR = [false, false〉 false ∪ [false, false〉 true.

(7) AND = [true, true〉 true ∪ [true, true〉 false.

(8) EQ = [I, I〉 true ∪ [I, I〉 false.

In the sequel, the product (π1, π2) is denoted by ΠB. In 6, 7 and 8 the construction of [ 〉 is done with respect to ΠB. □

The domain B→B is defined by axioms 1, 2 and 3. It satisfies the point axiom:

L = true ∪ false = true true ∪ true false ∪ false true ∪ false false

and

I = true true ∪ false false.


The domains B B→B and B B→B B are constructed by π1 and π2. By theorem 2.26,

the point axiom also holds in both domains. The axioms 4, 6, 7 and 8 merely introduce

abbreviations for the expressions on the right of the = sign. From the axioms of the

specification, one can prove familiar laws like

AND = [NOT ,NOT ] OR NOT

and show that NOT , OR, AND and EQ are mappings.

If BOOLC is a specification identical to BOOL, except for a renaming of the sort B as

C, then the relation

φB→C = trueB→B LB→C trueC→C ∪ falseB→B LB→C falseC→C

determines an isomorphism (φB→C, φB→C) between B→B and C→C, as is easily shown. By

corollary 2.13, ΠB[φB→C, φB→C]ΠC is a bijective mapping, so that (ΠB[φB→C, φB→C]ΠC, φB→C)

is an isomorphism between B B→B and C C→C. For example,

ORC C→C = [φC→B, φC→B] ORB B→B φB→C.

The next specification merges NAT and BOOL and defines some of the usual arithmetic

functions.

Specification 3.7.

NATURALS: NAT + BOOL +

domains: N N→N, N→N N, N N→N N, N→B, B→N, N N→B, B→N N.

relations: π1, π2, ADD, MULT, EXP ∈ N N→N;

FACT ∈ N→N;

EQ ∈ N N→B.

axioms: (1) (π1, π2) is a direct product.

(2) ADD = [0, I〉 ∪ [S, I] ADD S.

(3) MULT = [0, 0〉 ∪ 〈[S, I] MULT , π2] ADD .

(4) EXP = [0, 1〉 ∪ 〈[S, I] EXP , π2] MULT .

(5) FACT = 0 1 ∪ 〈S FACT , I] MULT .

(6) EQ = [I, I〉 LN→B true ∪ [I, I〉 LN→B false.

We will denote the product (π1, π2) by ΠN . It is this product that is implicitly used in

axioms 2 to 6. □


Notice that there should be axioms introducing the universal relation on the domain

N N→B, which contains EQ . However, according to the remarks made after specification

EXTEND, we simply list N N→B in the ‘domains’ section.

By using only tupelings (and no cartesian products), the axioms of NATURALS can be

rewritten in a form that might be more readable for those used to the FP-style [Backus 85].

For example,

ADD = π1 0 ∩ π2 ∪ 〈π1 S, π2] ADD S,

MULT = π1 0 0 ∪ 〈〈π1 S, π2] MULT , π2] ADD .

The definitions of ADD, MULT and EXP directly mimic those of algebraic specifications. For example,

ADD = [0, I〉 ∪ [S, I] ADD S

is a translation of

add(0, n) = n,

add(succ(m), n) = succ(add(m,n)).

There are other equivalent forms, like

ADD = [0, I〉 ∪ [S, S] ADD

or

ADD = [I, 0〉 ∪ [0, I〉 ∪ [S, S] ADD S^2

(the last one exhibits a nice symmetry that immediately reveals the commutativity of

ADD). It remains to be seen which of these forms (or some other) is the most useful.

This specification contains many recursive definitions. As before, we are interested in

the least solution. This least solution exists for all the relations introduced, since every

definition involves only continuous operators, except for one use of the complementation

operator in the definition of EQ . But the relation that is complemented is a constant,

thus preserving continuity. For the relation ADD , we derive

ADD = (µX, [0, I〉 ∪ [S, I] X S)

= ⋃_{n=0}^{∞} [S, I]^n [0, I〉 S^n    by 2.3 on page 14;

= ⋃_{n=0}^{∞} [S^n, I] [0, S^n〉    S deterministic, theorems 2.14 and 2.4(1);

= ⋃_{n=0}^{∞} [S^n 0, S^n〉    I, S^n deterministic, theorem 2.14;

= ⋃_{n=0}^{∞} [n, S^n〉    abbreviation 3.2 on page 60.


By tupeling the constant mappings 2 and 3 we get the constant mapping 〈2, 3] (see

lemma 2.25). Composition with the iterative form of ADD results in

〈2, 3] ADD = 〈2, 3] ⋃_{n=0}^{∞} [n, S^n〉

= ⋃_{n=0}^{∞} 〈2, 3] [n, S^n〉    ∪-distributivity;

= ⋃_{n=0}^{∞} 2 n ∩ 3 S^n    3, 2 deterministic, theorem 2.14;

= 3 S^2    2 n = ∅ for n ≠ 2, 2 2 = L;

= 5    3.4 (page 60).

This result can also be obtained directly from the recursive definition of ADD by using

standard term rewriting techniques:

〈2, 3] ADD = 〈2, 3] ([0, I〉 ∪ [S, I] ADD S)

= 2 0 ∩ 3 ∪ 〈2 S, 3] ADD S    ∪-distributivity, theorem 2.14;

= 〈1, 3] ADD S    2 0 = ∅, 3.4 on page 60;

= 〈1, 3] ([0, I〉 ∪ [S, I] ADD S) S

= 〈0, 3] ADD S^2

= 〈0, 3] ([0, I〉 ∪ [S, I] ADD S) S^2

= (0 0 ∩ 3) S^2 = 5    0 S = ∅, 0 0 = L.

We could also evaluate ADD [3, 2〉 to get the point 5. In general, if R is a mapping

and x is a point, we can evaluate either R x or x R. We can view R x as the application

of R to x (R of x). On the other hand, x R is the composition of two mappings; we can

view x as ‘producing a value’ that is then passed to R. In this thesis we will use the form

x R for the presentation of examples; this is a matter of personal taste, though.
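
The least-fixpoint construction of ADD and the evaluation 〈2, 3] ADD = 5 can be replayed in a concrete algebra of relations on a finite set. The Python below is an added example, not code from the thesis: it assumes relations are sets of pairs over the naturals truncated to 0..N-1 (so S is not total at N-1), represents a point as a vector and a constant mapping as its converse, places converses according to that reading, and uses hypothetical helper names (compose, tuple_, kleene_chain, evaluate).

```python
from itertools import product

N = 12                                   # assumption: naturals truncated to 0..N-1
NAT = range(N)
PAIRS = list(product(NAT, NAT))          # carrier of the product domain


def compose(q, r):
    """Relational composition read left to right: first q, then r."""
    image = {}
    for b, c in r:
        image.setdefault(b, set()).add(c)
    return {(a, c) for a, b in q for c in image.get(b, ())}


def converse(q):
    return {(b, a) for a, b in q}


S = {(n, n + 1) for n in range(N - 1)}   # successor; partial at N-1 (truncation)
I = {(n, n) for n in NAT}
PI1 = {(p, p[0]) for p in PAIRS}         # projections of the direct product
PI2 = {(p, p[1]) for p in PAIRS}


def vector(k):
    """The point k as a vector: k is related to every element (x = x;L)."""
    return {(k, j) for j in NAT}


def const(k):
    """The constant mapping with value k (converse of the vector k)."""
    return converse(vector(k))


def tuple_(q, r):
    """Tupling <q, r]: a is related to (b, c) iff a q b and a r c."""
    return compose(q, converse(PI1)) & compose(r, converse(PI2))


BASE = compose(PI1, vector(0)) & PI2            # (0, n) |-> n
PRED = tuple_(compose(PI1, converse(S)), PI2)   # (m+1, n) |-> (m, n)


def step(x):
    """f(X) = BASE ∪ PRED;X;S, the right-hand side of the ADD axiom."""
    return BASE | compose(compose(PRED, x), S)


def kleene_chain():
    """Approximants f^0(∅), f^1(∅), ... ending with the least fixpoint."""
    chain = [set()]
    while True:
        nxt = step(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


CHAIN = kleene_chain()
ADD = CHAIN[-1]


def evaluate(m, n):
    """<m, n];ADD as a relation on NAT (a constant mapping when defined)."""
    return compose(tuple_(const(m), const(n)), ADD)


if __name__ == "__main__":
    print("approximants:", len(CHAIN) - 1)
    print("<2,3];ADD is the constant mapping 5:", evaluate(2, 3) == const(5))
    print("<9,5];ADD (sum outside the truncation):", evaluate(9, 5))
```

The k-th approximant adds exactly the pairs whose first component is k-1, which mirrors the iterative form of ADD as a union indexed by n; sums that leave the truncated carrier come out as the null relation.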

It is possible to show that the usual properties of the relations defined by NATURALS

are valid in this framework. All relations are mappings. Also, ADD and MULT are

commutative, associative and MULT distributes over ADD . We will not prove these

statements here. But because the properties of commutativity and associativity are needed

later, we give their definitions.

Definition 3.8. Let φ be a relation and (π1, π2) be a direct product such that π1, π2 and

φ all belong to the same domain (all tupelings below are relative to (π1, π2)). The relation

φ is associative iff

∀P,Q,R : 〈P, 〈Q,R] φ] φ = 〈〈P,Q] φ,R] φ


(of course, ∀P,Q,R means for all P,Q,R such that the expression is defined). The relation

φ is commutative iff

∀Q,R : 〈Q,R] φ = 〈R,Q] φ.

Let u be a point. We say that u is a neutral element of φ iff

∀R : 〈R,L u] φ = 〈L u, R] φ = R. □

When φ is a mapping these definitions correspond exactly to the usual ones. It is easy

to verify that 0 and 1 are neutral elements of ADD and MULT respectively.

We close this section with another specification. It simply constructs the disjoint

union of N→N and B→B. The domain thus defined (U→U) will be used for the semantic

definitions of chapter 4.

Specification 3.9.

NATURALS-plus-BOOL: NATURALS +

sort: U.

domains: U→U, U→N, N→U, U→B, B→U.

relations: σU→N, σU→B.

axioms: (σU→N, σU→B) is a direct sum, i.e.

σN→U σU→N = IN→N,

σB→U σU→B = IB→B,

σN→U σU→B = ∅N→B,

σU→N σN→U ∪ σU→B σB→U = IU→U. □

The first line of the specification is ‘NATURALS +’ instead of ‘NATURALS + BOOL

+’ because BOOL is already incorporated in NATURALS. The domain U→U contains

relations like

σU→N (S ∪ S^2) σN→U and σU→N 0 σN→U ∪ σU→B true σB→U.

The specification does not contain any axiom for the construction of product domains like

U U→U and U U→U U. However, in line with the comments following the specification

EXTEND, we assume their existence. This means that our relational algebra contains

relations like

[σU→N, σU→N] ADD σN→U and [σU→B, σU→B] EQ ∪ [σU→N, σU→N] EQ .


Because (σN→U, σN→U) is a representation morphism (definition 2.7), the laws fulfilled by

the relations of the domain N→N are also valid for their representations (except possibly

when the complementation operator is involved: see theorem 2.8). For instance,

(σU→N S σN→U) (σU→N 0 σN→U) = σU→N ∅ σN→U.

This property of injections σN→U and σB→U will be used in the next chapter.

Bibliographic notes. Specifications of domains by relational means do not abound. In

[Berghammer 86], a relational characterization of natural numbers similar to specification

NAT is given. The main difference with our specification is that we have added the

equation L = L which is implicit in [Berghammer 86]. Berghammer and Zierer also give

a proof of monomorphism of their definition of the domain of naturals, using inductive

techniques; their proof assumes the compatibility of the domains that we have named

M→M and N→N (a simple modification suffices to remove that restriction).

In [de Bakker 73], it is shown that one constant, S, is enough to define the natural

numbers. We have found, however, that this characterization admits an infinite number

of non isomorphic models. De Bakker and de Roever also characterize tree structures with

a few simple axioms, and again, with a single constant relation (apart from null, identity

and unit relations, of course). They work with homogeneous algebras only.

The definition of associativity of a relation is that of [Berghammer 86].

3.2 Stacks

In this section, the standard example of all specification methods, the stack, is presented.

More precisely, the specification STACKS defines the set of relations on a set of stacks. At

first sight the specification might look odd because of the absence of a PUSH constructor.

This will be discussed below.

The specification has a parameter: E→E; it stands for any homogeneous domain.

When instantiating this formal parameter, the sorts, domains and axioms necessary for

the definition of the actual parameter domain should be added to the specification. For

example, STACKS(N→N) is the following specification with E replaced by N, and augmented

by specification NAT.

Specification 3.10.

STACKS(E→E):

sort: S(E).

domains: S(E)→S(E), S(E)→E, E→S(E).

relations: empty, POP ∈ S(E)→S(E);

TOP ∈ S(E)→E.

axioms: (1) empty is a point.

(2) POP empty = ∅.

(3) TOP empty = ∅.

(4) POP POP = I.

(5) TOP TOP = I.

(6) POP TOP = L.

(7) empty empty ∪ POP POP ∩ TOP TOP = I. □

The point empty represents the empty stack. By axiom 2, no stack results from

popping an empty stack. Similarly, by axiom 3, no element can be found on top of an

empty stack. We have chosen POP empty = ∅ as axiom 2, because we wanted it

to be an error to pop an empty stack. We could also choose POP empty = empty (as does

[Ehrig 85]). As far as the contents of this section are concerned, there would be only two

minor consequences:

1. The definition domains of POP and TOP would be different; this would void

equation 3.7 below.

2. Part 5 of the proof of monomorphism of STACKS (theorem 3.11) would have to be

modified. The present proof uses equation 3.7.

By axioms 4 to 7, (POP ,TOP) is a quasi direct product. In fact, if we had introduced

a notion of subdomains and subalgebras, we could show that (POP ,TOP) is a genuine

direct product, constructing the subdomain of relations on non empty stacks. If we had

adopted POP empty = empty as axiom 2, then (POP ,TOP) would still be a quasi direct

product, but not a direct one. Since we will use only the fact that (POP ,TOP) is a quasi

direct product, both versions of axiom 2 could be used in the sequel.


But why is there no PUSH operation? Let us look back at the ADD relation of the

specification NATURALS (specification 3.7).

To add the values produced by the constant mappings m and n (to use object level

terminology), we tuple m and n and compose the tupeling with ADD ; i.e., 〈m, n] ADD

produces ‘m + n’. The tupeling of m and n is done with respect to a direct product

(π1, π2).

Now, let s ∈ S(E)→S(E) and LS(E)→E e ∈ S(E)→E be constant mappings producing

a stack (say s) and an element (say e). Suppose that we have a PUSH operation. Then,

〈s, L e] PUSH would return the stack obtained from s by pushing e on top of it.

But which product should we use to make the tupeling? By economy, we should choose

Π ≝ (POP, TOP), which is already defined. But then, 〈s, L e]Π is a constant mapping

(lemma 2.25) that produces the combination of s and e into a single entity that is a stack,

since 〈s, L e]Π ∈ S(E)→S(E). Hence there is no need for a PUSH operation, because

tupeling s and L e produces the desired result. However, we could give the name PUSH

(instead of Π) to the product (POP ,TOP) in order to get formulae that look more like

the classical ones. For example, by theorem 2.12(3)

〈s, L e]PUSH POP = s, 〈s, L e]PUSH TOP = L e.

(This example also shows that by using POP and TOP we retrieve the stack s and the

element e ‘pushed’ on top of it.)

It has been noted by other authors (e.g. [Berghammer 86, Schmidt 81]) that relational

algebra allows a natural treatment of undefinedness in the study of program semantics,

the reason being that there is no need to extend the domains with a ‘bottom’ element.

The same remark can be made about the treatment of partial operations in

specifications. In the functional framework of algebraic specifications, one has to define

top(empty) = error, in order to have a total top function. But then, it becomes possible

to push error elements on the stack, e.g., by push(s, top(empty)). The position taken by

Ehrig and Mahr [Ehrig 85] is to consider these stacks just like the stacks that do not

contain error elements (concept of error recovery); for example, pop(push(s, top(empty))) =

pop(push(s, error)) = s. They also define pop(empty) = empty , so that pop is total. The

result is a simple specification, but the stacks behave in a somewhat counter intuitive way.

Goguen [Goguen 78] takes a different position. He defines push(s, error) = error-stack

(concept of error propagation). The resulting behavior is what one would expect from a


stack, but the specification then becomes much more complicated, and many equations

have to be added to propagate the errors.

Because relational algebra allows partial relations, error propagation is easy. For

example, the relational expression corresponding to pop(push(s, top(empty))) is

〈s, empty TOP ] POP = 〈s, ∅] POP = ∅.

That is, no useful information can be obtained from such a combination of operations.

Employing the product (POP ,TOP), we rewrite axiom 7 of STACKS:

IS(E)→S(E) = empty empty ∪ 〈POP ,TOP ] = empty empty ∪ [IS(E)→S(E), IE→E]. (3.5)

This clearly shows that axiom 7 is a recursive definition. We will solve it later for its least

fixpoint. From axiom 3, we also deduce

〈Q,R]empty = (Q POP ∩R TOP)empty = ∅ and empty [Q,R〉 = ∅. (3.6)

We now show that the definition domains of POP and TOP are the same, i.e.

POP LS(E)→S(E) = TOP LE→S(E). (3.7)

In effect,

POP L = I POP L

= (empty empty ∪ 〈POP, TOP]) POP L      equation 3.5;

= (POP ∩ TOP L) L      axiom 2, theorem 2.12(3);

= POP L ∩ TOP L      theorem 2.4(1).

Hence POP L ⊆ TOP L. In a similar fashion, TOP L ⊆ POP L can be derived.

The monomorphism of STACKS will be shown by inductive techniques, contrary to

what was done for the specification NAT (in order to illustrate different methods).

Theorem 3.11. The specification STACKS is monomorphic (given the domain E→E).

Proof. Consider a specification STACKS_T identical to STACKS, except that the sort

S(E) is renamed T(E). Let

S = (POPS(E)→S(E),TOPS(E)→E) and T = (POPT(E)→T(E),TOPT(E)→E)


be the quasi direct products of the two systems. Define the relation φS(E)→T(E) to be the

least fixpoint of the continuous function on S(E)→T(E)

f(X) ≝ emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[X, IE→E]T .

1. We will use the induction principle of Scott (2.5, page 14) to show that φ is deterministic.

Let p(X) = X X ⊆ I. The predicate p(X) is admissible (2.4, page 14),

since for any chain R0 ⊆ R1 ⊆ R2 ⊆ · · · ,

(∀k : Rk Rk ⊆ I) ⇒ (⋃_i Ri) (⋃_i Ri) = ⋃_{i,j} Ri Rj      ∪-distributivity;

⊆ ⋃_{k=i+j} Rk Rk      Ri ⊆ R_{i+j}, Rj ⊆ R_{i+j};

⊆ I      ∀k : Rk Rk ⊆ I.

The basis of induction, p(∅), holds trivially. For the induction step, assume that

X X ⊆ I; we will show that f(X) f(X) ⊆ I.

f(X) f(X) = (emptyT(E)→T(E) LT(E)→S(E) emptyS(E)→S(E) ∪ T[X, I]S)(emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[X, I]T);

by equation 3.6 (page 70) and because empty is a point,

= emptyT(E)→T(E) emptyT(E)→T(E) ∪ T[X, I]S S[X, I]T ;

by the injectivity of empty , the definition of [ ] and ∩-subdistributivity,

⊆ IT(E)→T(E) ∪ T[X X, I]T

⊆ IT(E)→T(E) ∪ T[I, I]T induction hypothesis: X X ⊆ I;

⊆ IT(E)→T(E) axiom 7.

2. The relation φ is total.

φ φ = (emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[φ, I]T)(emptyT(E)→T(E) LT(E)→S(E) emptyS(E)→S(E) ∪ T[φ, I]S)

= emptyS(E)→S(E) emptyS(E)→S(E) ∪ S[φ, I]T T[φ, I]S 3.6 (page 70);

= emptyS(E)→S(E) emptyS(E)→S(E) ∪ S[φ φ, I]S part 1, theorem 2.14.

Hence φ φ is a fixpoint of

g(x) ≝ emptyS(E)→S(E) emptyS(E)→S(E) ∪ S[X, I]S.

But IS(E)→S(E) is the least fixpoint of g(x) (axiom 7 or equation 3.5 on page 70).

Consequently, I ⊆ φ φ, i.e., φ is total.


3. Injectivity and surjectivity of φ are shown in a fashion similar to determinism and

totality, respectively. This means that φ is a bijective mapping. It remains to show

that the constant relations of both specifications are isomorphic.

4. (φ, φ) is an isomorphism between emptyS(E)→S(E) and emptyT(E)→T(E):

φ emptyT(E)→T(E)

= (emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[φ, I]T) emptyT(E)→T(E)

= emptyS(E)→S(E) LS(E)→T(E) 3.6 (page 70), theorem 2.20(3);

= emptyS(E)→S(E) LS(E)→S(E) φ φ is surjective;

= emptyS(E)→S(E) φ empty is a point.

5. (φ, φ) is an isomorphism between POPS(E)→S(E) and POPT(E)→T(E):

φ POPT(E)→T(E)

= (emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[φ, I]T) POPT(E)→T(E);

by axiom 2, theorem 2.12(3) and equations 2.6 (page 32),

= POPS(E)→S(E) φS(E)→T(E) ∩ TOPS(E)→E LE→T(E)

= POPS(E)→S(E) φS(E)→T(E) equation 3.7 (page 70), φ ⊆ L.

6. (φ, I) is an isomorphism between TOPS(E)→E and TOPT(E)→E:

φ TOPT(E)→E

= (emptyS(E)→S(E) LS(E)→T(E) emptyT(E)→T(E) ∪ S[φ, I]T) TOPT(E)→E;

by axiom 3, theorem 2.12(3) and equations 2.6 (page 32),

= POPS(E)→S(E) φ LT(E)→E ∩ TOPS(E)→E

= POPS(E)→S(E) LS(E)→E ∩ TOPS(E)→E φ is total;

= TOPS(E)→E equation 3.7 (page 70). □

We still do not know whether S(E)→S(E) satisfies the point axiom or not. We will

show that it does and find the structure of a point, by solving the equation of axiom 7 for

its least solution. To reach that goal, we need the following proposition.

Proposition 3.12. Let P,Q,R and S be relations such that R is deterministic and S is

injective. The least fixpoint of the function f : RP → RP defined by

f(X) = P ∪R X S ∩Q


is

µ(f) = ⋃_{n=0}^{∞} R^n P S^n ∩ ⋂_{k=0}^{n−1} R^k Q S^k.

Proof. Because f is continuous and total on RP , µ(f) = ⋃_{n=0}^{∞} f^n(∅) (by 2.3, page 14).

We will show that for n ≥ 0,

f^{n+1}(∅) = f^n(∅) ∪ R^n P S^n ∩ ⋂_{k=0}^{n−1} R^k Q S^k      (3.8)

from which the result follows.

Basis of induction: For n = 0, 3.8 gives f(∅) = f^0(∅) ∪ P ∩ L = P , which is correct.

Induction step: Assume that 3.8 holds for n = m. We show that it also holds for

n = m + 1.

f^{m+2}(∅) = f(f^{m+1}(∅)) = P ∪ R f^{m+1}(∅) S ∩ Q;

by the induction hypothesis,

= P ∪ R (f^m(∅) ∪ R^m P S^m ∩ ⋂_{k=0}^{m−1} R^k Q S^k) S ∩ Q

= P ∪ R f^m(∅) S ∩ Q ∪ R (R^m P S^m ∩ ⋂_{k=0}^{m−1} R^k Q S^k) S ∩ Q;

R is deterministic, S is injective, hence by theorem 2.6(3),

= f^{m+1}(∅) ∪ R^{m+1} P S^{m+1} ∩ ⋂_{k=0}^{m} R^k Q S^k. □

Axiom 7 of STACKS is

IS(E)→S(E) = empty empty ∪ POP IS(E)→S(E) POP ∩ TOP TOP .

We are looking for its least solution, which, by the previous proposition, is

IS(E)→S(E) = ⋃_{n=0}^{∞} POP^n empty empty POP^n ∩ ⋂_{k=0}^{n−1} POP^k TOP TOP POP^k.      (3.9)

We now proceed to analyse the structure of this expression.

Lemma 3.13. For n ≥ 1, (POP^n, POP^{n−1} TOP, . . . , POP TOP, TOP) is a (n+1)-fold

quasi direct product.

Proof. For n = 1, the assertion is true, since (POP ,TOP) is a 2-fold quasi direct

product. Assume the assertion holds for n = m. We show that it holds for n = m + 1.

Because (POP ,TOP) is a 2-fold quasi direct product,

(POP POP^m, POP POP^{m−1} TOP, . . . , POP POP TOP, POP TOP, TOP)

is a (m + 2)-fold quasi direct product (see definition 2.9). But this just says that

(POP^{m+1}, POP^m TOP, . . . , POP TOP, TOP)

is a (m + 2)-fold quasi direct product. □

We can now prove that if the domain E→E fulfills the point axiom then so does

S(E)→S(E). The next theorem also reveals the structure of points in S(E)→S(E).

Theorem 3.14 . Assume that the point axiom holds in E→E. Then it also holds in

S(E)→S(E), and if x1, . . . , xn are points of E→E (n ≥ 0), then

[empty , xn LE→S(E), . . . , x1 LE→S(E)〉

is a point in S(E)→S(E) (the construction [ 〉 is done with respect to the product

(POP^n, POP^{n−1} TOP, . . . , TOP),

and for n = 0, we take [R〉 ≝ R).

Proof. Using the product (POP^n, POP^{n−1} TOP, . . . , TOP), we rewrite formula 3.9 as

follows:

IS(E)→S(E) = ⋃_{n=0}^{∞} [empty empty, In, . . . , I1],      (3.10)

where I1 = · · · = In = IE→E. By arguing as in the proof of part 3 of theorem 2.26,

we get

IS(E)→S(E)

= ⋃_{n=0}^{∞} ⋃ {[empty empty, xn xn, . . . , x1 x1] | xk ⊆ LE→E ∧ xk point, k = 1, . . . , n}

= ⋃_{n=0}^{∞} ⋃ {[empty, xn LE→S(E), . . . , x1 LE→S(E)〉 [empty, xn LE→S(E), . . . , x1 LE→S(E)〉 | xk ⊆ LE→E ∧ xk point, k = 1, . . . , n}.

That [empty, xn LE→S(E), . . . , x1 LE→S(E)〉 is a point follows directly from lemma 2.25.

Hence the domain S(E)→S(E) satisfies the point axiom. □

By this theorem, 〈 empty , L xn, . . . , L x1] is a constant mapping. Let us compose it

with the POP and TOP relations. Using 2.10 (page 34), we find that

〈 empty , L xn, . . . , L x1] = 〈〈 empty , L xn, . . . , L x2], L x1]


where the external tupeling is done with respect to (POP ,TOP). By theorem 2.12(3),

and because x L = L for any point x,

〈 empty , L xn, . . . , L x1] POP = 〈 empty , L xn, . . . , L x2],

〈 empty , L xn, . . . , L x1] TOP = L x1.      (3.11)

Obviously, the point [empty , xn L, . . . , x1 L〉 represents a stack of n elements, with

x1 on top. The POP and TOP operations have the expected behavior. It is easy to show

that

[empty , xm L, . . . , x1 L〉 ≠ [empty , yn L, . . . , y1 L〉

if either xi ≠ yi for some i, or if m ≠ n. Hence the domain S(E)→S(E) is isomorphic to

the set of relations on the set of points

{[empty , xn L, . . . , x1 L〉 | n ≥ 0 ∧ xi ⊆ LE→E, i = 1, . . . , n}.

Finally, we derive two expressions for the unit element of S(E)→S(E). Directly from

axiom 7 of STACKS,

LS(E)→S(E) = IS(E)→S(E) LS(E)→S(E)

= (empty empty ∪ POP POP ∩ TOP TOP) LS(E)→S(E)

= empty ∪ POP LS(E)→S(E) ∩ TOP LE→S(E) theorem 2.12(2);

= empty ∪ POP LS(E)→S(E) equation 3.7 on page 70.

The least solution of this equation is

LS(E)→S(E) = ⋃_{n=0}^{∞} POP^n empty,

and because LS(E)→S(E) = LS(E)→S(E) LS(E)→S(E), we also have

LS(E)→S(E) = ⋃_{m,n≥0} POP^m empty empty POP^n.

In this expression, POP^m empty empty POP^n is the largest relation between stacks

with m elements and stacks with n elements. It is the universal relation of the subdomain

containing the relations between stacks of m and n elements.

3.3 Tables

In this section we present the relational domain whose relations will be used to denote

program fragments. The specification of that domain is a simple extension of STACKS(U→U),

with some renaming done (where U→U is the domain introduced by specification 3.9).


Specification 3.15. TABLES: STACKS(U→U) with T for S(U) + NATURALS +

relations: Πn ∈ T→U, for n ≥ 1.

axioms: Πn = POP^{n−1} TOP, for n ≥ 1. □

The specification TABLES extends STACKS by adding the clauses of specification

NATURALS (which includes those of BOOL) and by specializing E→E to U→U. Of

course, TABLES could also be parameterized by E→E, just like STACKS. However, we

have decided to present directly the domain that we need. For notational convenience, we

have renamed the sort S(U) as T. We will view the points of T→T as finite lists, or finite

arrays, rather than as stacks¹; the relations in T→T will be considered as tables, whence

the name of the specification.

Note that the newly introduced symbols (Πn) are merely abbreviations for the

expression on the right of the = sign. Hence the domain T→T is still defined by the three

constant relations empty , POP and TOP . The relations Πn have interesting properties,

that we now present.

Proposition 3.16. Let i1, . . . , in ∈ N be such that i1 > · · · > in. Then, (Πi1 , . . . ,Πin) is

a n-fold product.

Proof. We first show that Πm Πn is equal to I if m = n and is equal to L otherwise.

Then, in 3, we check the inductive part of the definition of n-fold products (items 5, 6, 7

of definition 2.9).

1. By axioms 4 and 5 of STACKS (page 68),

Πn Πn = TOP POP^{n−1} POP^{n−1} TOP = IU→U.

2. Suppose that m < n.

Πm Πn = TOP POP^{m−1} POP^{n−1} TOP

= TOP POP^{n−m} TOP      axiom 4 of STACKS;

= L POP^{n−(m+1)} TOP      axiom 6 of STACKS;

= LU→U      POP and TOP surjective.

If m > n, the proof is similar.

¹ To reflect this change of perspective, we could rename empty , TOP and POP as nil, FIRST and

REST , respectively; we will not do so, in order to simplify the task of referring to the properties derived

in the previous section.


3. The definition of n-fold products is inductive. We will show by induction that

(Π_{i_1}, . . . , Π_{i_n}) can be decomposed into a (n−1)-fold product and a 2-fold product, for

n > 2. Suppose that (Π_{j_1}, . . . , Π_{j_{n−1}}) is a (n−1)-fold product when j_1 > · · · > j_{n−1}

(by parts 1 and 2, this is true for n = 3). Because i_1 > · · · > i_n,

(Π_{i_1}, . . . , Π_{i_n})

= (POP^{i_1−1} TOP, . . . , POP^{i_n−1} TOP)

= (POP^{i_{n−1}−1} POP^{i_1−i_{n−1}} TOP, . . . ,

POP^{i_{n−1}−1} POP^{i_{n−2}−i_{n−1}} TOP, POP^{i_{n−1}−1} TOP, POP^{i_n−1} TOP).

By the induction hypothesis,

(POP^{i_1−i_{n−1}} TOP, . . . , POP^{i_{n−2}−i_{n−1}} TOP, TOP)

is a (n−1)-fold product. It remains to see that (POP^{i_{n−1}−1}, POP^{i_n−1} TOP) is a

2-fold product. This follows from the axioms of STACKS by derivations similar to

those of parts 1 and 2. □

The points of T→T, which we considered as stacks in the previous section, can now

be viewed as arrays with a finite number of components. The projection relation Πn

‘retrieves’ the value of the n-th component, and its converse, Πn, ‘stores’ a value in the

n-th component. Consider, e.g., that Πn Πn = I, i.e. the value retrieved from a component

is the same as the one that was stored in it. Also, if m ≠ n, Πm Πn = L, i.e. the

value retrieved from a component has no relationship with the value stored in another

component (this interpretation of relation level equations uses object level terminology).

Moreover, the quasi direct product (POP^n, POP^{n−1} TOP, . . . , POP TOP, TOP) (see

lemma 3.13) can be written as Π ≝ (POP^n, Πn, . . . , Π1); using theorem 2.12(3), we find

that if 1 ≤ k ≤ n,

〈LU→T empty , xn, . . . , x1]Π Πk = xk

where xj (j = 1, . . . , n) is a point in U→U (hence xj L = L). What happens when k > n?

〈LU→T empty , xn, . . . , x1]Π Πk

= 〈〈LU→T empty , xn, . . . , x2], x1] POP^{k−1} TOP      outside tupeling (POP, TOP);

= 〈LU→T empty , xn, . . . , x2] POP^{k−2} TOP

⋮

= LU→T empty POP^{k−(n+1)} TOP

= ∅      by axiom 3 of STACKS if k = n + 1, by axiom 2 otherwise.


That is, Πk returns the k-th component of the array produced by the constant mapping

〈LU→T empty , xn, . . . , x1]Π if k ≤ n and returns no value otherwise. Remark that the

expression R Πk itself is defined for any R in T→T or U→T. In the case that k > n,

the result of 〈L empty , xn, . . . , x1]Π Πk is the null relation; we interpret this result as

meaning that Πk cannot retrieve any value from too small an array.
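
The two behaviours discussed in this chapter, error propagation through the partial relation TOP (the pop(push(s, top(empty))) example) and Πk yielding the null relation on too small an array, can be checked on a small finite model. The following Python sketch is an added illustration, not part of the thesis; it assumes that tupeling 〈Q, R] relative to (POP, TOP) is Q composed with the converse of POP intersected with R composed with the converse of TOP, a one-object source for constant mappings and a depth bound of 3, and all function names are hypothetical.

```python
from itertools import product

E = (0, 1)        # constructed element set standing in for the parameter domain E
DEPTH = 3         # depth bound, an artifact of keeping this model finite
STACKS = [t for n in range(DEPTH + 1) for t in product(E, repeat=n)]
UNIT = "*"        # single source object: a constant mapping is one pair (UNIT, value)


def compose(r, s):
    """Left-to-right composition of r and s (written by juxtaposition in the text)."""
    return frozenset((a, c) for (a, b) in r for (b2, c) in s if b == b2)


def converse(r):
    return frozenset((b, a) for (a, b) in r)


# Partial relations on stacks; the top of a stack is the last tuple component.
POP = frozenset((s, s[:-1]) for s in STACKS if s)
TOP = frozenset((s, s[-1]) for s in STACKS if s)
EMPTY = frozenset()   # the null relation


def const(value):
    """Constant mapping producing `value`."""
    return frozenset({(UNIT, value)})


def tupling(q, r):
    """Tupeling of q and r relative to (POP, TOP), under the assumed definition."""
    return compose(q, converse(POP)) & compose(r, converse(TOP))


def stack_of(xs):
    """Constant mapping for the stack built from xs = (x_n, ..., x_1), x_1 on top."""
    st = const(())
    for x in xs:
        st = tupling(st, const(x))
    return st


def pi(k):
    """Pi_k = POP^(k-1) composed with TOP: k-th component counted from the top."""
    r = TOP
    for _ in range(k - 1):
        r = compose(POP, r)
    return r


def select(k, xs):
    return compose(stack_of(xs), pi(k))


def relational_pop_push_top_empty(xs):
    """Relational pop(push(s, top(empty))): the undefined top propagates."""
    top_of_empty = compose(const(()), TOP)   # contains no pair at all
    return compose(tupling(stack_of(xs), top_of_empty), POP)


# Total-function version with error recovery: pop(push(s, error)) = s.
ERROR = "error"


def f_top(s):
    return s[-1] if s else ERROR


def f_pop(s):
    return s[:-1]     # pop(empty) = empty, so pop is total


def f_push(s, e):
    return s + (e,)


def functional_pop_push_top_empty(s):
    return f_pop(f_push(s, f_top(())))


if __name__ == "__main__":
    s = (1, 0)        # x2 = 1, x1 = 0 on top
    print("functional:", functional_pop_push_top_empty(s))
    print("relational:", set(relational_pop_push_top_empty(s)))
    for k in (1, 2, 3):
        print("Pi_%d:" % k, set(select(k, s)))
```

In the functional version the error silently disappears and s comes back, whereas the relational version yields the null relation; pushing onto a stack already at the depth bound also yields the null relation, which is a limit of this finite model only.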

More generally,

j ≤ n ⇒ 〈LU→T empty , Rn, . . . , R1]Π Πj = Rj ∩ ⋂_{k=1, k≠j}^{n} Rk L,

j ≤ n ⇒ [empty empty , Rn, . . . , R1]Π Πj = [empty LT→U, Rn L, . . . , Rj+1 L, Rj , Rj−1 L, . . . , R1 L〉,

j > n ⇒ 〈LU→T empty , Rn, . . . , R1]Π Πj = ∅,

j > n ⇒ [empty empty , Rn, . . . , R1]Π Πj = ∅.      (3.12)

In summary, we consider the relations Πn as polymorphic projection relations that can

be applied to arrays (or lists) of different length. This makes them very similar to the

selector functions of the FP language [Backus 85].

The n-fold products (Πi1 , . . . ,Πin) will also be used to make tupelings. The next

theorem investigates what results from the composition of such tupelings (we will not use

the construct 〈 ]] to denote these tupelings).

Theorem 3.17. Let A,B ⊆ N − {0} be finite sets of natural numbers. Then,

(⋂_{n∈A} Qn Πn) (⋂_{n∈B} Πn Rn) = (⋂_{n∈A∩B} Qn Rn) ∩ (⋂_{n∈A−B} Qn L) ∩ (⋂_{n∈B−A} L Rn),

where Qn, Rn ∈ U→U. This result holds because the point axiom holds in U→U and T→T.

A particular case of it occurs when A = B (compare with theorems 2.14 and 2.28):

(⋂_{n∈A} Qn Πn) (⋂_{n∈A} Πn Rn) = ⋂_{n∈A} Qn Rn.

Proof.

1. We prove the particular case A = B first. Let A = {a1, . . . , an}, where a1 > · · · > an.

For n = 0 and n = 1, the assertion holds trivially. For n ≥ 2, we know that

(Πa1 , . . . ,Πan) is a product (proposition 3.16). We also know that the point axiom

holds in U→U and T→T, so it holds in T→U and U→T as well (by theorem 2.26(1)).

Now, the union of U→U, T→T, U→T and T→U is a relational algebra and the point

axiom holds in it. Since Qn, Rn ∈ U→U and Πn ∈ T→U for k = 1, . . . , n, we can

apply theorem 2.28 to derive the result directly.


2. We prove the general case.

(⋂_{n∈A} Qn Πn) (⋂_{n∈B} Πn Rn)

⊆ ((⋂_{n∈A∩B} Qn Πn) ∩ (⋂_{n∈A−B} Qn L)) ((⋂_{n∈A∩B} Πn Rn) ∩ (⋂_{n∈B−A} L Rn))      Πn ⊆ L, monotonicity of ;

⊆ (⋂_{n∈A∩B} Qn Πn) (⋂_{n∈A∩B} Πn Rn) ∩ (⋂_{n∈A−B} Qn L) (⋂_{n∈B−A} L Rn)      ∩-subdistributivity;

= (⋂_{n∈A∩B} Qn Rn) ∩ (⋂_{n∈A−B} Qn L) ∩ (⋂_{n∈B−A} L Rn)      part 1, theorem 2.4(1,3);

⊆ ((⋂_{n∈A} Qn Πn) ∩ (⋂_{n∈B−A} L Πn)) ((⋂_{n∈B} Πn Rn) ∩ (⋂_{n∈A−B} Πn L))      part 1;

⊆ (⋂_{n∈A} Qn Πn) (⋂_{n∈B} Πn Rn)      monotonicity of . □

We will give concrete examples of relations in T→T that will show why we consider

these relations as tables. In order to present these examples, we introduce some notational

conventions and terminology that will be used in the rest of the thesis.

Let Id be a countable set of identifiers, called attributes; let att be a total injective

function att : Id → N − {0}. In order to avoid confusion with other symbols, the identifiers

in Id will be made up of lower case letters only. By Πa, for a ∈ Id , we mean Πatt(a).

Except for a few examples in this section, nothing in the sequel depends on the choice of

a particular function att.

We will subscript some of the relations in T→T with strings of the form

a1, . . . , am; b1, . . . , bn,

where ai, bi ∈ Id and

i ≠ j ⇒ ai ≠ aj ∧ bi ≠ bj .

Only relations in T→T will be subscripted with such strings of identifiers having a ‘;’.

Definition 3.18. Let R ∈ U→U and a, b ∈ Id ; then

Ra;b ≝ Πa R Πb.

If (π1, . . . , πm) and (ρ1, . . . , ρn) are direct products and R is a relation such that πj R ρk ∈ U→U

for j = 1, . . . ,m and k = 1, . . . , n, then

Ra1,...,am;b1,...,bn ≝ 〈Πa1 , . . . ,Πam ] R [Πb1 , . . . , Πbn〉.

Also, Ra1,...,am;b means 〈Πa1 , . . . ,Πam ] R Πb and Ra;b1,...,bn means Πa R [Πb1 , . . . , Πbn〉.

A consequence of the definition is that

(Ra1,...,am;b1,...,bn) = Rb1,...,bn;a1,...,am . □

Now, the relations in U→U or in the product domains are relations that have been

injected from the domains defined by the specifications NAT, NATURALS and BOOL.

These relations are, e.g., σU→N S σN→U, [σU→N, σU→N]ADD σN→U, [σU→B, σU→B]OR σB→U, etc. It would be rather tedious to carry the projections σ all the time; so, when

they are clear from the context, we will drop them. For example,

ADDa,b;c = 〈Πa,Πb] ADD Πc

is in fact

〈Πa,Πb] [σU→N, σU→N] ADD σN→U Πc.

Here, it is clear that, because of the composition with the Π relations, ADD must be in

U U→U; because of its name, it must be injected from N N→N.

By relying on the context to determine the domain which a relation belongs to, we are

guilty of that sin described by Stoy ([Stoy 77], page 95):

It rapidly becomes exceedingly tedious to be continually distinguishing between

a value considered as an element of a sum domain and the same value

considered as an element of a component lattice. Sometimes this leads workers

to omit entirely these operations (“injection” into a sum lattice and “projection”

into a component space), on the grounds that they may be deduced from

the context if required. Such informality in turn leads to difficulties for people

developing programs which accept denotational semantic definitions as input

and process them in some way automatically.

Still, we will rely on the context, because we feel this makes it easier for the human readers

(and the writer) of this thesis. However, some relations, like the identity and universal

relations, do not carry much information in their name; when it is necessary, or simply

useful, to disambiguate the domain to which they belong, we will overload their subscripts


a bit more and write,

RU:N→U:N    for    σU→N RN→N σN→U,
RU:N→U:B    for    σU→N RN→B σB→U,
Ra:N;b:N    for    Πa RU:N→U:N Πb,
Rd:N;c:B    for    Πd RU:N→U:B Πc,      (3.13)

and similarly for other variations of subscripts depending on the original domain of the

injected relation.

Using these conventions, we have that Sa;a ∩ La:N;a:N = Sa;a whereas Sa;a ∩ La:B;a:B = ∅

(where S is the function defined in specification NAT); also, ADDa,b;c Ic;c = ADDa,b;c (Ic:N;c:N ∪ Ic:B;c:B) = ADDa,b;c Ic:N;c:N = ADDa,b;c, and so on.

What kind of relation is, e.g., Sb;b? Suppose that att(b) = 2. Then,

Sb;b = Π2 S Π2 = IT→T Π2 SU:N→U:N Π2 IT→T.

Using the product (POPn,Πn, . . . ,Π1), equation 3.10 (page 74) and equations 3.12 (page

78), we have

IT→T Π2 = ⋃_{n=0}^{∞} [empty empty , In, . . . , I1] Π2      where Ik = IU→U, k = 1, . . . , n;

= ⋃_{n=2}^{∞} [empty LT→U, Ln, . . . , L3, I2, L1〉      where Lk = LU→U, k = 1, . . . , n.

Also, using in turn the fact that N→N satisfies the point axiom, ∪-distributivity and

equations 3.4 (page 60), we get

SU:N→U:N = σU→N IN→N SN→N σN→U

= σU→N (⋃ {x x | x ⊆ LN→N ∧ x is a point}) SN→N σN→U

= ⋃ {σU→N x x+1 σN→U | x ⊆ LN→N ∧ x is a point}

= ⋃ {σU→N x LN→U LU→N x+1 σN→U | x ⊆ LN→N ∧ x is a point};

because σU→N x LN→U is a point included in LU:N→U,

= ⋃ {x x+1 | x ⊆ LU:N→U ∧ x is a point}.

Putting all this together, we get, by ∪-distributivity and theorem 2.4(1),

Sb;b = ⋃_{m=2}^{∞} ⋃_{n=2}^{∞} ⋃_{x ⊆ LU:N→U, x point} [empty LT→U, Lm, . . . , L3, x, L1〉〈LU→T empty , Ln, . . . , L3, x+1, L1].      (3.14)

In the same manner, assuming that att(c) = 3 and att(d) = 4, we find that

Ic;d = Πc Πd

= ⋃_{m=3}^{∞} ⋃_{n=4}^{∞} ⋃_{y ⊆ LU→U, y point} [empty LT→U, Lm, . . . , L4, y, L2, L1〉〈LU→T empty , Ln, . . . , L5, y, L3, L2, L1].      (3.15)


Note how the contents of the component named c (i.e. 3) are moved to the component

named d (i.e. 4). We can also view Ic;d as a relation that renames the component c as d.

We join the two relations Sb;b and Ic;d by intersecting them.

Sb;b ∩ Ic;d

= ⋃_{m=3}^{∞} ⋃_{n=4}^{∞} ⋃_{x ⊆ LU:N→U, x point} ⋃_{y ⊆ LU→U, y point} [empty LT→U, Lm, . . . , L4, y, x, L1〉〈LU→T empty , Ln, . . . , L5, y, L3, x+1, L1].      (3.16)

The relation Sb;b ∩ Ic;d can be viewed as a table containing an infinite number of subtables with a different number of columns. For example, the subtable corresponding to m = 3 and n = 4 is

    c      b  a  |  d      c  b  a
    true   0  ∗  |  true   ∗  1  ∗
    true   1  ∗  |  true   ∗  2  ∗
    true   2  ∗  |  true   ∗  3  ∗
    ⋮      ⋮  ⋮  |  ⋮      ⋮  ⋮  ⋮
    false  0  ∗  |  false  ∗  1  ∗
    false  1  ∗  |  false  ∗  2  ∗
    false  2  ∗  |  false  ∗  3  ∗
    ⋮      ⋮  ⋮  |  ⋮      ⋮  ⋮  ⋮
    0      0  ∗  |  0      ∗  1  ∗
    0      1  ∗  |  0      ∗  2  ∗
    0      2  ∗  |  0      ∗  3  ∗
    ⋮      ⋮  ⋮  |  ⋮      ⋮  ⋮  ⋮
    1      0  ∗  |  1      ∗  1  ∗
    1      1  ∗  |  1      ∗  2  ∗
    1      2  ∗  |  1      ∗  3  ∗
    ⋮      ⋮  ⋮  |  ⋮      ⋮  ⋮  ⋮

The stars can be replaced by any value; they correspond to the relations Li in 3.16. The columns containing the point empty LT→U have not been included since they are constant. The useful information of relation Sb;b ∩ Ic;d is contained in the components b and c (2 and 3) of its definition domain and in the components b and d (2 and 4) of its range. All the other components contain ‘don’t care’ cases, as indicated by the L relations in 3.16 or by the stars in the above table. Furthermore, the useful information is repeated infinitely often (once for each assignment of natural numbers to m and n, m ≥ 3 and n ≥ 4).

The relations that we will use in the next chapter are relations such as Sb;b, Ic;d and Sb;b ∩ Ic;d. Viewing them as tables whose columns are named by attributes is a useful picture, even though the tables themselves are rather unwieldy. It is easy to define a reduced relation R that contains only one copy of the useful information of relation Sb;b ∩ Ic;d; R would be represented by a table like the one above, minus the columns containing the stars. Such reduced relations could be used to give semantic definitions. But the formal use of these reduced relations is more difficult than the use of the unreduced ones, despite the fact that they correspond to simpler tables. This is why we will not use them in the thesis.

In the remainder of this section, we will study the notion of scheme of a relation

(similar to the corresponding notion in Codd’s algebra [Codd 70, Maier 83]). The next

two definitions introduce it.

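Definition 3.19. Let A and B be finite subsets of Id. Then

$$\begin{aligned}
I_A &\overset{\text{def}}{=} \bigcap_{a\in A} \Pi_a\, \Pi_a && \Bigl(= \bigcap_{a\in A} I_{a;a}, \text{ by definition 3.18}\Bigr);\\
L_{A;B} &\overset{\text{def}}{=} \bigcap_{\substack{a\in A\\ b\in B}} \Pi_a\, L \cap L\, \Pi_b && \Bigl(= \bigcap_{\substack{a\in A\\ b\in B}} \Pi_a\, L\, \Pi_b, \text{ by theorem 2.4(3)}\Bigr). \qquad \Box
\end{aligned}$$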

Given A and B, the relations IA and LA;B are constant relations in T→T (only uppercase letters will be used as subscripts denoting sets of identifiers). The relation IA is not an identity relation; in fact, it mixes up every component not in A (i.e., if b ∉ A, then a value in the component b of the definition domain of IA is related to any other value of the b component of the range). However, it acts as an identity on the components in A. For example, with A = {b, c}, B = {b}, att(b) = 2 and att(c) = 3, we have (compare with Ic;d in equation 3.15, page 81),

$$\begin{aligned}
I_A &= \bigcup_{m=3}^{\infty}\ \bigcup_{n=3}^{\infty}\ \bigcup_{\substack{x \subseteq L_{U\to U}\\ x\ \text{point}}}\ \bigcup_{\substack{y \subseteq L_{U\to U}\\ y\ \text{point}}} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_4, x, y, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_4, x, y, L_1],\\
L_{A;B} &= \bigcup_{m=3}^{\infty}\ \bigcup_{n=2}^{\infty} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_1].
\end{aligned}$$

It is easy to verify the following properties (the first one follows from theorem 3.17).

A ∩ B = {} ⇒ IA IB = LA;B,

IA ⊆ LA;A,

IA = (IA) and LA;B = (LB;A),

A = {} ⇒ IA = LA;A = LT→T.

(3.17)

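Moreover, if A = {a1, . . . , am} and B = {b1, . . . , bn}, then

$$\begin{aligned}
L_{a_1,\ldots,a_m;b_1,\ldots,b_n} &= \langle \Pi_{a_1}, \ldots, \Pi_{a_m}]\ L\ [\Pi_{b_1}, \ldots, \Pi_{b_n}\rangle && \text{definition 3.18;}\\
&= \langle \Pi_{a_1}, \ldots, \Pi_{a_m}]\ L \cap L\ [\Pi_{b_1}, \ldots, \Pi_{b_n}\rangle && \text{theorem 2.4(3);}\\
&= \Bigl(\bigcap_{k=1}^{m} \Pi_{a_k}\, L\Bigr) \cap \Bigl(\bigcap_{k=1}^{n} L\, \Pi_{b_k}\Bigr) && \text{theorem 2.12(2);}\\
&= L_{A;B}.
\end{aligned} \tag{3.18}$$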

This result does not depend on the particular ordering of the ak, bk. This justifies the

introduction of the notation LA;B, where A and B are sets of identifiers rather than strings

of identifiers.

The relation LA;B is the universal relation of T→T only if A = B = {}. But of course,

Ra1,...,am;b1,...,bn ⊆ La1,...,am;b1,...,bn , for any R from the same domain as L.

Definition 3.20. Let A and B be finite subsets of Id and R ∈ T→T. Then A;B is a

scheme of R iff

IA R ⊆ R and R IB ⊆ R. □

According to the definition, a relation R does not have a unique scheme. But whatever

scheme we assign to R must satisfy the definition. Because IA mixes up every component

not in A, if IA R ⊆ R is to hold, then R must not usefully relate these components.

For the same reason, R does not usefully relate the components not in B. This means

that the interesting information of R must be in the definition domain components A and

the range components B. That is, a scheme of a relation contains at least the interesting

components.

If we know a scheme for the relations Q and R, then what scheme can we assign to Q ∪ R, Q ∩ R, etc.? The next proposition gives a simple answer.

Proposition 3.21.

1. IA = IA IA, hence A;A is a scheme of IA.

2. Let A = {a1, . . . , am} and B = {b1, . . . , bn}. Then

IA Ra1,...,am;b1,...,bn IB = Ra1,...,am;b1,...,bn ,

so that A;B is a scheme of Ra1,...,am;b1,...,bn.

3. LA;B = IA LA;B IB, hence A;B is a scheme of LA;B.

4. If A;B is a scheme of Q and C;D is a scheme of R, then

(a) A;B is a scheme of Q;

(b) B;A is a scheme of Q;

(c) A;D is a scheme of Q R;

(d) A ∪ C;B ∪D is a scheme of Q ∪R;

(e) A ∪ C;B ∪D is a scheme of Q ∩R.

Proof.

1. By theorem 3.17,

$$I_A\, I_A = \Bigl(\bigcap_{a\in A} \Pi_a\, \Pi_a\Bigr) \Bigl(\bigcap_{a\in A} \Pi_a\, \Pi_a\Bigr) = \bigcap_{a\in A} \Pi_a\, \Pi_a = I_A.$$

2.

$$\begin{aligned}
I_A\, R_{a_1,\ldots,a_m;b_1,\ldots,b_n} &= \Bigl(\bigcap_{k=1}^{m} \Pi_{a_k}\, \Pi_{a_k}\Bigr) \Bigl(\bigcap_{k=1}^{m} \Pi_{a_k}\, \pi_k\Bigr)\, R\, \Bigl(\bigcap_{k=1}^{n} \rho_k\, \Pi_{b_k}\Bigr) && \text{definition 3.18;}\\
&= \Bigl(\bigcap_{k=1}^{m} \Pi_{a_k}\, \pi_k\Bigr)\, R\, \Bigl(\bigcap_{k=1}^{n} \rho_k\, \Pi_{b_k}\Bigr) && \text{theorem 3.17;}\\
&= R_{a_1,\ldots,a_m;b_1,\ldots,b_n} && \text{definition 3.18.}
\end{aligned}$$

The proof of Ra1,...,am;b1,...,bn IB = Ra1,...,am;b1,...,bn is similar.

3. This is direct from part 2 and equation 3.18 on page 84.

4. We will show only half of the proposition; the other half can be derived in the same manner. Recall that IA = (IA).

(a) By the Schröder rule, IA Q ⊆ Q ⇔ IA Q ⊆ Q.

(b) Taking the converse on each side of IA Q ⊆ Q, we obtain Q IA ⊆ Q.

(c) Because composition is monotonic, IA Q ⊆ Q ⇒ IA Q R ⊆ Q R.

(d)

$$\begin{aligned}
I_A\, Q \subseteq Q \wedge I_C\, R \subseteq R \ \Rightarrow\ I_{A\cup C}\, (Q \cup R) &= (I_A \cap I_C)\, Q \cup (I_A \cap I_C)\, R && \text{definition 3.19;}\\
&\subseteq I_A\, Q \cup I_C\, R && \text{monotonicity of composition;}\\
&\subseteq Q \cup R.
\end{aligned}$$

(e)

$$\begin{aligned}
I_A\, Q \subseteq Q \wedge I_C\, R \subseteq R \ \Rightarrow\ I_{A\cup C}\, (Q \cap R) &= (I_A \cap I_C)\, (Q \cap R) && \text{definition 3.19;}\\
&\subseteq I_A\, Q \cap I_C\, R && \cap\text{-subdistributivity;}\\
&\subseteq Q \cap R. \qquad \Box
\end{aligned}$$

In Codd’s algebra [Codd 70], the union or intersection of relations with different

schemes is not possible. Here, the union and intersection of two relations in T→T is

always defined. However, the resulting relation may not be very interesting. To make this

more precise, we investigate the following problem: If A;B is a scheme of a relation R,

when is it the case that R ⊆ LA;B? To show that the question makes sense, we give an

example.

For ease of reference, we reproduce here the expansions of Sb;b and Ic;d given by 3.14

and 3.15 (page 81).

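$$\begin{aligned}
S_{b;b} &= \bigcup_{m=2}^{\infty}\ \bigcup_{n=2}^{\infty}\ \bigcup_{\substack{x \subseteq L_{U:N\to U}\\ x\ \text{point}}} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_3, x, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_3, x+1, L_1],\\
I_{c;d} &= \bigcup_{m=3}^{\infty}\ \bigcup_{n=4}^{\infty}\ \bigcup_{\substack{y \subseteq L_{U\to U}\\ y\ \text{point}}} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_4, y, L_2, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_5, y, L_3, L_2, L_1].
\end{aligned}$$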

By the previous proposition, {b}; {b} is a scheme of both Sb;b and Sb;b. Now, it is easy to see that (still with att(b) = 2)

$$L_{b;b} = L_{\{b\};\{b\}} = \bigcup_{m=2}^{\infty}\ \bigcup_{n=2}^{\infty} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_1].$$

Hence, Sb;b ⊆ Lb;b, but Sb;b ⊈ Lb;b, since, e.g.,

[empty LT→U〉 〈LT→U empty ] ⊆ Sb;b ⊈ Lb;b.

By the previous proposition, {b, c}; {b, d} is a scheme of Sb;b ∪ Ic;d. But again, even though {b, c}; {b, d} is also a scheme of Lb,c;b,d = L{b,c};{b,d}, we find that Sb;b ∪ Ic;d ⊈ Lb,c;b,d since the term with m = n = 2 in the expansion of Sb;b is not included in

$$L_{b,c;b,d} = \bigcup_{m=3}^{\infty}\ \bigcup_{n=4}^{\infty} [\mathit{empty}\, L_{T\to U}, L_m, \ldots, L_1\rangle\langle L_{U\to T}\, \mathit{empty}, L_n, \ldots, L_1].$$

The following lemma gives more details.

Lemma 3.22.

1. Let Q and R be relations with schemes A;B and C;D respectively, such that Q ⊆ LA;B

and R ⊆ LC;D. Then,

(a) we cannot conclude that Q ⊆ LA;B unless A = B = {};

(b) Q ⊆ LB;A;

(c) Q R ⊆ LA;D;

(d) we cannot conclude that Q ∪R ⊆ LA∪C;B∪D, except if A = C and B = D;

(e) Q ∩R ⊆ LA∪C;B∪D.

2. Ra1,...,am;b1,...,bn ⊆ La1,...,am;b1,...,bn.

3. If A;B is a scheme of R and R ⊆ LA;B, then IA R IB = R.

Proof.

1. (a) See the counter example preceding the lemma. If A = B = {}, then LA;B = LT→T, hence Q ⊆ LA;B.

(b) Q ⊆ LA;B ⇔ Q ⊆ (LA;B) = LB;A.

(c)

$$\begin{aligned}
Q\, R &\subseteq L_{A;B}\, L_{C;D}\\
&= \Bigl(\bigcap_{\substack{a\in A\\ b\in B}} \Pi_a\, L\, \Pi_b\Bigr) \Bigl(\bigcap_{\substack{c\in C\\ d\in D}} \Pi_c\, L\, \Pi_d\Bigr) && \text{definition 3.19;}\\
&\subseteq \bigcap_{\substack{a\in A,\ b\in B\\ c\in C,\ d\in D}} \Pi_a\, L\, \Pi_b\, \Pi_c\, L\, \Pi_d && \cap\text{-subdistributivity;}\\
&= \bigcap_{\substack{a\in A\\ d\in D}} \Pi_a\, L\, \Pi_d && \Pi_b\, \Pi_c \neq \emptyset,\ \text{Tarski rule;}\\
&= L_{A;D}.
\end{aligned}$$

(d) As the counter example before this lemma shows, we cannot conclude that Q ∪ R ⊆ LA∪C;B∪D. However,

A = C ∧ B = D ⇒ Q ∪ R ⊆ LA;B ∪ LC;D = LA∪C;B∪D.

(e)

$$\begin{aligned}
Q \cap R \subseteq L_{A;B} \cap L_{C;D} &= \Bigl(\bigcap_{\substack{a\in A\\ b\in B}} \Pi_a\, L \cap L\, \Pi_b\Bigr) \cap \Bigl(\bigcap_{\substack{c\in C\\ d\in D}} \Pi_c\, L \cap L\, \Pi_d\Bigr)\\
&= \bigcap_{\substack{a\in A\cup C\\ b\in B\cup D}} \Pi_a\, L \cap L\, \Pi_b = L_{A\cup C;B\cup D}.
\end{aligned}$$

2. This follows from definition 3.18 and equation 3.18 (page 84).

3.

$$\begin{aligned}
I_A\, R &\subseteq R && A;B \text{ is a scheme of } R;\\
&= R \cap L_{A;B} = R \cap I_A\, L_{A;B} && \text{proposition 3.21(3);}\\
&\subseteq (I_A \cap R\, L_{B;A})\, (L_{A;B} \cap I_A\, R) && \text{Dedekind rule, 3.17 (page 84);}\\
&\subseteq I_A\, (L_{A;B} \cap R) && A;B \text{ is a scheme of } R;\\
&= I_A\, R.
\end{aligned}$$

The proof of R = R IB is similar. □

We have stated above that the union or intersection of two relations in T→T might give a not very interesting result. The relations in T→T that we find interesting are those that satisfy the preconditions of part 3 of the lemma, i.e. those relations R with a scheme A;B such that R ⊆ LA;B. The reason is that these relations have the property

IA R IB = R, (3.19)

as shown by the lemma; this property will contribute to the simplification and transformation of the expressions involved in the semantic definitions (the next theorem gives an example). By part 2 of the lemma, the elementary relations used in the semantic definitions will have property 3.19. We will not use the complementation operator, and we will take the union of two relations only if they have the same scheme. Hence, by the previous lemma, property 3.19 will be maintained.

Consider the relations Sb;b and ADDa,b;c. To speak in operational terms, the relation

Sb;b adds 1 to the b component and the relation ADDa,b;c adds the values of the a and

b components and returns the result in c. Now, the relation ADDa,b;c ∩ Sb;b does both

in parallel. Because the Pascal-like language that we will define does not allow parallel

constructs, we will have to sequentialize such expressions. The next theorem gives sufficient

conditions allowing this transformation.

Theorem 3.23. Let A;B be a scheme of Q and C;D be a scheme of R. If Q ⊆ LA;B,

R ⊆ LC;D and B ∩ C = {}, then

Q ∩R = (Q ∩ IC) (R ∩ IB).

Proof. Firstly,

Q IC ⊆ LB;A IC

⊆ LB;C     IC ⊆ LC;C, lemma 3.22(1c);

= IB IC     3.17 (page 84).

Secondly,

Q IB IB IB = Q IB proposition 3.21(1), equations 3.17 (page 84);

IC IC IC R = IC R proposition 3.21(1), equations 3.17 (page 84).

Quite surprisingly, we now apply lemma 2.27 ((IB, IC) acts almost like a 2-fold product):

(Q ∩ IC) (R ∩ IB)

= (Q IB ∩ IC IC) (IB IB ∩ IC R) Q ⊆ LA;B, R ⊆ LC;D, lemma 3.22(3);

= (Q IB ∩ IC IC) (IB IB ∩ IC R)

= Q IB ∩ IC R lemma 2.27;

= Q ∩ R     Q ⊆ LA;B, R ⊆ LC;D, lemma 3.22(3). □

We apply the theorem to ADDa,b;c ∩ Sb;b. By proposition 3.21, {a, b}; {c} is a scheme of ADDa,b;c and {b}; {b} is a scheme of Sb;b. By lemma 3.22(2), ADDa,b;c ⊆ La,b;c and Sb;b ⊆ Lb;b. Because {c} ∩ {b} = {}, we can apply the theorem:

ADDa,b;c ∩ Sb;b = (ADDa,b;c ∩ Ib;b) (Sb;b ∩ Ic;c)

(we have used the fact that Ib;b = I{b} and Ic;c = I{c}). That is, instead of ‘computing’ ADDa,b;c and Sb;b in parallel, one can compute ADDa,b;c first, while keeping the value of b constant, and then compute Sb;b while keeping the value of c constant.

Because {b} ∩ {a, b} ≠ {}, the theorem cannot be applied to do the sequentialization in reverse order (indeed we know it would not be equivalent to the parallel computation).
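The sequentialization of ADDa,b;c ∩ Sb;b can be checked mechanically on a small finite model. The following Python sketch is an added example, not part of the thesis: it assumes states are total assignments of the values 0..3 to the three attributes a, b, c (so every LA;B is the universal relation and the hypotheses Q ⊆ LA;B, R ⊆ LC;D hold trivially), and all function and constant names are hypothetical.

```python
from itertools import product

ATTRS = ("a", "b", "c")      # constructed attribute names
VALUES = range(4)            # constructed finite stand-in for the naturals
IDX = {name: i for i, name in enumerate(ATTRS)}
STATES = list(product(VALUES, repeat=len(ATTRS)))


def rel(pred):
    """Relation on states, stored as a frozenset of (before, after) pairs."""
    return frozenset((s, t) for s in STATES for t in STATES if pred(s, t))


def compose(q, r):
    """Relational composition: s (q r) t iff s q u and u r t for some u."""
    after = {}
    for u, t in r:
        after.setdefault(u, set()).add(t)
    return frozenset((s, t) for s, u in q for t in after.get(u, ()))


def ident(attrs):
    """I_A: identity on the components in A, unconstrained on the others."""
    return rel(lambda s, t: all(s[IDX[x]] == t[IDX[x]] for x in attrs))


def is_scheme(r, dom, rng):
    """Definition 3.20: A;B is a scheme of R iff I_A R ⊆ R and R I_B ⊆ R."""
    return compose(ident(dom), r) <= r and compose(r, ident(rng)) <= r


def sequentialize(q, q_scheme, r, r_scheme):
    """Right-hand side of theorem 3.23, (Q ∩ I_C)(R ∩ I_B), after checking
    the hypotheses that can fail in this model."""
    (a, b), (c, d) = q_scheme, r_scheme
    if not (is_scheme(q, a, b) and is_scheme(r, c, d)):
        raise ValueError("declared schemes violate definition 3.20")
    if set(b) & set(c):
        raise ValueError("B ∩ C is not empty")
    return compose(q & ident(c), r & ident(b))


# ADD_{a,b;c}: c receives a + b.  S_{b;b}: b is incremented.  Both are
# partial here because results above 3 fall outside VALUES.
ADD = rel(lambda s, t: t[IDX["c"]] == s[IDX["a"]] + s[IDX["b"]])
SUCC = rel(lambda s, t: t[IDX["b"]] == s[IDX["b"]] + 1)
ADD_SCHEME = (("a", "b"), ("c",))
SUCC_SCHEME = (("b",), ("b",))

PARALLEL = ADD & SUCC
SEQUENTIAL = sequentialize(ADD, ADD_SCHEME, SUCC, SUCC_SCHEME)

if __name__ == "__main__":
    print("ADD ∩ S == (ADD ∩ I_b)(S ∩ I_c):", PARALLEL == SEQUENTIAL)
    print("plain composition ADD S differs:", compose(ADD, SUCC) != PARALLEL)
    try:
        sequentialize(SUCC, SUCC_SCHEME, ADD, ADD_SCHEME)
    except ValueError as err:
        print("reverse order rejected:", err)
```

The plain composition of ADD and SUCC is strictly larger than the intersection because nothing pins b during the first step or c during the second; the factors I_C and I_B of the theorem are what restore the equality.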

Bibliographic notes. We have borrowed some terminology related to tables (attribute,

scheme, join) from [Maier 83].

Chapter 4

SEMANTICS

The goal of this chapter is the definition of a sequential, deterministic, Pascal-like language

with strong typing. In the usual denotational style, the definitions of the simpler constructs

(expressions, declarations) are given first. Compound constructs (statements, procedures)

are then defined in terms of the definitions of their subparts.

To a program fragment p we will associate a set of identifiers and one or two relations, depending on whether p is a declaration or another type of fragment (expression, statement, procedure). We will use three semantic functions, T, E and S, of which we give a brief overview.

1. T (p) is a relation in T→U when p is an expression, and it is a relation in T→T

when p is a statement, a declaration or a procedure. T (p) is the ‘typing’ relation:

it relates the pairs of states between which a transition is possible in so far as only

the typing aspect is concerned. In particular, T (p) = ∅ if there is a type error.

2. E(p) is a relation in T→U when p is an expression and in T→T when p is a statement

or a procedure. E(p) is the ‘execution’ relation: it relates the pairs of states between

which a transition is possible at run-time.

3. S(p) is the set of identifiers appearing in p. The scheme of relations T (p) and E(p),

when p is a statement, a declaration or a procedure, is S(p);S(p).

Even though all the developments in this thesis are done at relation level, in this chapter

we will use some object level terminology to explain the semantic definitions (and in fact

we have already done that in the preceding paragraphs, and even in the previous chapters).

We already know that the set of relations in T→T is isomorphic to the set of relations

between lists (or tuples) of points of U→U, which can themselves be considered as Boolean

values or natural numbers. In combination with a set of identifiers (the attributes), such

a tuple defines what is usually called a state of a program (i.e. an association between

the identifiers of the program and their values). That is why we will say that a relation

Q ∈ T→T is a relation between sets of states, or that applying a relation R ∈ T→U:N to

a state returns a natural number.

The semantic definitions will be illustrated by examples. The main one is that of a

procedure computing the factorial of its parameter (another classic). In the next chapter,

we will show that this procedure is indeed correct with respect to the relation FACT

introduced in specification NATURALS.

As mentioned in the introduction, the semantics is bottom-up, i.e. the set S(p) and

the relations T (p) and E(p) denoting a program fragment depend only on the fragment

and not on its environment. There is an exception to our bottom-up approach, however.

It concerns procedures. This unaesthetic (and hopefully temporary) state of affairs is commented on in section 4.3.

4.1 Syntactic Definition of the Programming Language

The syntactic categories of our language are the following:

x ∈ Id (identifiers for variables and procedures),

D ∈ Dec (declarations),

E ∈ Exp (expressions),

C ∈ Com (commands, i.e. statements),

P ∈ Proc (procedure declarations).

The abstract syntax is

(1) D ::= dummy | var x: natural | var x: boolean | D1;D2

(2) E ::= 0 | true | false | x | succ(E) | pred(E) | E1 + E2 | E1 = E2 | not(E) | E1 or E2

(3) C ::= skip | x := E | C1;C2 | if E then C1 else C2 endif | while E do C endwhile | x(x11 → x12, . . . , xn1 → xn2)

(4) P ::= procedure x(D1);D2;C endproc

This is a very simple language, but it is complex enough to allow a discussion of many

features found in modern programming languages.

Because it has two types, natural and Boolean, we will be able to discuss type checking;

this will pave the way for the addition of more complex types. There is only one numeric

constant, namely 0; the other ones can be obtained by repeated applications of the succ

operator. It is a simple extension to introduce the usual literals ‘0’ to ‘9’, then to define

numerals made up of them, and then to associate a unique natural number to each numeral.

The language has no operators for subtraction, multiplication or logical conjunction, but

these could be defined in the same manner as addition or disjunction; they could also be

programmed as procedures in the present language (a procedure for multiplication is given

in the following example).

The command x(x11 → x12, . . . , xn1 → xn2) is a call to procedure x, with the xk1’s

being the formal parameters and the xk2’s the actual ones. This is a restricted form of

procedure call, since the actual parameters cannot be general expressions; but it suffices

to assign to the appropriate variables the results of the expressions that one would like

to pass as parameters and then to use these variables as parameters. In the procedure

declaration P , D1 is the declaration of the parameters and D2 is the declaration of the

local variables. Note that the syntax does not define what a program is; the highest level

construct is the procedure (and they cannot be nested). We will assume that there exists

a collection of procedures, such that a given procedure can call any other.

We give an example of two legal procedure declarations. They will be used throughout this chapter to illustrate the semantic definitions.

Example 4.1.

    procedure multiply (var a: natural; var b: natural);
      var c: natural;
      c:=a;
      a:=0;
      while not(c=0) do c:=pred(c); a:=a+b endwhile
    endproc

    procedure factorial (var n: natural);
      var f: natural;
      f:=succ(0);
      while not(n=0) do multiply(a→f, b→n); n:=pred(n) endwhile;
      n:=f
    endproc

□

4.2 Semantic Definition of the Programming Language

The definition of declaration fragments will be given first, followed by that of expressions

and then by that of statements, excluding procedure calls. Finally, in subsection 4.2.4, we

will study procedure definitions and procedure calls.

For the set Id of attributes of relations in T→T we choose the set Id of the identifiers of the programming language. We assume the existence of a total injective function att : Id → N; however, no reference will be made to it. Three semantic functions will be employed. The S function maps a program fragment to a set of identifiers; the T and E functions map a fragment to a relation in the algebra that we have defined in the previous chapters. More precisely, the semantic functions have the following functionalities (where ℘(Id) is the power set of Id):

S : Dec ∪ Exp ∪ Com ∪ Proc →℘(Id),

T : Exp → (T→U),

T : Dec ∪ Com ∪ Proc → (T→T),

E : Exp → (T→U),

E : Com ∪ Proc → (T→T).

4.2.1 Declarations

We immediately define the class of declaration fragments.

1. S(dummy) = {}, T(dummy) = LT→T.

2. S(var x: natural) = {x}, T(var x: natural) = Lx:N;x:N.

3. S(var x: boolean) = {x}, T(var x: boolean) = Lx:B;x:B.

4. S(D1;D2) = S(D1) ∪ S(D2), T(D1;D2) = T(D1) ∩ T(D2).

These definitions can be understood as follows. To the relation T(D) we assign the scheme S(D);S(D). Notice that S(D);S(D) is indeed a scheme of T(D), according to proposition 3.21. This will be true of every definition to come. Because T(dummy) has an empty scheme, it carries no useful type information. The situation is different for the declaration var x: natural; its scheme is {x}; {x}. This means that no type information is available for components other than x. For the x component, however, T(var x: natural) prescribes that it can only contain natural numbers, both before and after execution of the statements to which the declaration will be attached (see subsection 4.2.4 for the definition of the sequence D;C). Because Lx:N;x:N = Πx LU:N→U:N Πx = Πx LU:N→T ∩ LT→U:N Πx, we see that Lx:N;x:N can be viewed as the conjunction of two conditions:

precondition: x is a natural number,

postcondition: x is a natural number.

By the definition of T(D1;D2), the condition imposed on the identifiers of D1;D2 is a conjunction of the conditions imposed on those of each declaration separately. Thus

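$$\begin{aligned}
T(\text{var a: natural; var a: boolean}) &= L_{a:N;a:N} \cap L_{a:B;a:B}\\
&= \Pi_a\, L_{U:N\to U:N}\, \Pi_a \cap \Pi_a\, L_{U:B\to U:B}\, \Pi_a && \text{3.13 (page 81);}\\
&= \Pi_a\, (L_{U:N\to U:N} \cap L_{U:B\to U:B})\, \Pi_a && \Pi_a \text{ deterministic, theorem 2.6(3);}\\
&= \emptyset && \text{3.13 (page 81), specification 3.9.}
\end{aligned}$$

In words, there is a type error.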

According to the definitions given above, it is possible for a program fragment to contain two identical declarations of the same variable. This could be prevented by requiring S(D1) ∩ S(D2) = {}.

Example 4.2. For the declarations in the procedures of example 4.1, we have

S(var a: natural) = {a}, T(var a: natural) = La:N;a:N,

and similarly for the declarations of b, c, f and n. Also,

S(var a: natural; var b: natural) = {a, b},

T(var a: natural; var b: natural) = La:N;a:N ∩ Lb:N;b:N. □

4.2.2 Expressions

For the definition of expressions, we use one more semantic function than for declarations,

namely E : Exp → (T→U). The relation E(E) ‘evaluates’ the expression E (whose result

is either a Boolean or a natural number). The relation T (E) also belongs to T→U.

1. S(0) = {}, T(0) = LT→U:N, E(0) = LT→U 0.

2. S(true) = {}, T(true) = LT→U:B, E(true) = LT→U true.

3. S(false) = {}, T(false) = LT→U:B, E(false) = LT→U false.

4. S(x) = {x}, T(x) = Πx (LU:N→U:N ∪ LU:B→U:B), E(x) = Πx.

5. S(succ(E)) = S(E), T(succ(E)) = T(E) LU:N→U:N, E(succ(E)) = E(E) S.

6. S(pred(E)) = S(E), T(pred(E)) = T(E) LU:N→U:N, E(pred(E)) = E(E) S.

7. S(not(E)) = S(E), T(not(E)) = T(E) LU:B→U:B, E(not(E)) = E(E) NOT.

8. S(E1 + E2) = S(E1) ∪ S(E2), T(E1 + E2) = (T(E1) ∩ T(E2)) LU:N→U:N, E(E1 + E2) = 〈E(E1), E(E2)] ADD.

9. S(E1 = E2) = S(E1) ∪ S(E2), T(E1 = E2) = (T(E1) ∩ T(E2)) LU→U:B, E(E1 = E2) = 〈E(E1), E(E2)] EQ, where EQ = EQU:N U:N→U:B ∪ EQU:B U:B→U:B.

10. S(E1 or E2) = S(E1) ∪ S(E2), T(E1 or E2) = (T(E1) ∩ T(E2)) LU:B→U:B, E(E1 or E2) = 〈E(E1), E(E2)] OR.

In these definitions, as in section 3.3, unsubscripted relation symbols (like S and ADD)

denote relations injected in U→U (or a product domain) from N→N or B→B (or product

domains). The relation EQ used in the definition of E1 = E2 is a polymorphic equality

relation that can compare either a Boolean value with a Boolean value or a natural number

with a natural number (but not a Boolean value with a natural number); it is the disjoint

union of the relations EQN N→B (specification NATURALS) and EQB B→B (specification

BOOL).

The S function is rather simple: S(E) contains the identifiers appearing in expression E. Though we have not defined what a scheme is for a relation in T→U, it is obvious that S(E) identifies the useful components in the definition domain of both T(E) and E(E). For the expression ‘0’, neither T(0) nor E(0) contains useful information about the state in which ‘0’ is evaluated. But, according to T(0), the result is a natural number, and E(0) associates the constant mapping LT→U 0 to the expression ‘0’.

The relation T (x) relates a value in component x to any value of the same type. It

might seem that T (x) = Πx would be a suitable definition. But the idea behind all the

type definitions is the following: the relation T (p) denoting a fragment p is the largest

relation enforcing the typing rules of the programming language. In fact, note that we

have E(E) ⊆ T (E) for any expression E; this will also be true for the other syntactic

categories. Hence the relation T (p) can be viewed as a first crude approximation to the

relation E(p). The information collected in T (E) may be useless in the present context,

but it will be useful for the definition of statements.

An equation like T(E1 = E2) = (T(E1) ∩ T(E2)) LU→U:B simply means that the results of the evaluation of E1 and E2 must have the same type, but are otherwise unconstrained, and that the result of the evaluation of E1 = E2 has type Boolean. The equation T(E1 or E2) = (T(E1) ∩ T(E2)) LU:B→U:B means that both E1 and E2 must evaluate to Booleans, and that the result has type Boolean.

The other definitions are rather straightforward. The following example illustrates

some of them.

Example 4.3. We find the values of the S, T and E functions for the expressions in our demonstration programs (example 4.1).

1. S(a) = {a}, T(a) = Πa (LU:N→U:N ∪ LU:B→U:B), E(a) = Πa.

The expressions ‘b’, ‘c’, ‘f’ and ‘n’ are treated in the same manner.

2. S(c=0) = {c},

T(c=0) = (T(c) ∩ T(0)) LU→U:B

= (Πc (LU:N→U:N ∪ LU:B→U:B) ∩ LT→U:N) LU→U:B = Πc LU:N→U:B,

E(c=0) = 〈E(c), E(0)] EQ = 〈Πc, LT→U 0] EQ

= 〈Πc, LT→U 0] (EQU:N U:N→U:B ∪ EQU:B U:B→U:B)

= Πc 0 L true ∪ Πc S L false.

The last line follows from a relatively tedious derivation involving the definition of the EQ relation, the axioms 8 and 6 of the specifications BOOL and NATURALS, respectively, and the direct sum defined in specification NATURALS-plus-BOOL.

The denotations of the expression ‘n=0’ are similar.

3. S(not(c=0)) = {c},

T(not(c=0)) = T(c = 0) LU:B→U:B = Πc LU:N→U:B,

E(not(c=0)) = E(c = 0) NOT = Πc 0 L false ∪ Πc S L true.

4. S(pred(c)) = {c},

T(pred(c)) = T(c) LU:N→U:N = Πc (LU:N→U:N ∪ LU:B→U:B) LU:N→U:N

= Πc LU:N→U:N,

E(pred(c)) = E(c) S = Πc S.

The definition of ‘pred(n)’ is similar.

5. S(succ(0)) = {}, T(succ(0)) = LT→U:N,

E(succ(0)) = LT→U 0 S = LT→U 1.

6. S(a+b) = {a, b}, T(a+b) = Πa LU:N→U:N ∩ Πb LU:N→U:N,

E(a+b) = 〈Πa, Πb] ADD.

7. The last example is not drawn from the demonstration programs. It illustrates a type error. The derivation uses the fact that by specification NATURALS-plus-BOOL (page 66), LT→U:N ∩ LT→U:B = ∅.

T(0 + true) = (LT→U:N ∩ LT→U:B) LU:N→U:N = ∅,

E(0 + true) ⊆ T(0 + true) = ∅. □
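The expression definitions and example 4.3 can be replayed on a finite universe. The following Python sketch is an added example, not part of the thesis: a relation in T→U is modelled by the set of results it relates to a given state, the naturals are truncated to 0..3, pred is taken to be the inverse of succ (undefined at 0), and the tuple encoding of expressions and all function names are hypothetical.

```python
from itertools import product

# Constructed finite universe: naturals truncated to 0..3 and the two
# Booleans, tagged so that Python's True == 1 cannot merge the two types.
NAT = frozenset(("N", n) for n in range(4))
BOOL = frozenset(("B", b) for b in (False, True))
EMPTY = frozenset()


def type_rel(e, s):
    """Image of state s under T(E): every result the typing rules allow."""
    op = e[0]
    if op == "0":
        return NAT
    if op in ("true", "false"):
        return BOOL
    if op == "var":                       # any value of the type held by x
        return NAT if s[e[1]] in NAT else BOOL
    if op in ("succ", "pred"):            # T(E) L_{U:N→U:N}
        return NAT if type_rel(e[1], s) & NAT else EMPTY
    if op == "not":                       # T(E) L_{U:B→U:B}
        return BOOL if type_rel(e[1], s) & BOOL else EMPTY
    both = type_rel(e[1], s) & type_rel(e[2], s)      # T(E1) ∩ T(E2)
    if op == "+":
        return NAT if both & NAT else EMPTY
    if op == "or":
        return BOOL if both & BOOL else EMPTY
    if op == "=":                         # same type on both sides
        return BOOL if both else EMPTY
    raise ValueError(f"unknown operator {op!r}")


def exec_rel(e, s):
    """Image of state s under E(E): the value(s) E evaluates to, if any."""
    op = e[0]
    if op == "0":
        return frozenset({("N", 0)})
    if op in ("true", "false"):
        return frozenset({("B", op == "true")})
    if op == "var":
        return frozenset({s[e[1]]})
    if op in ("succ", "pred"):
        step = 1 if op == "succ" else -1
        moved = {("N", n + step) for tag, n in exec_rel(e[1], s) if tag == "N"}
        return frozenset(moved) & NAT     # drops 3+1 and pred of 0
    if op == "not":
        return frozenset(("B", not b) for tag, b in exec_rel(e[1], s) if tag == "B")
    pairs = list(product(exec_rel(e[1], s), exec_rel(e[2], s)))
    if op == "+":
        sums = {("N", m + n) for (t1, m), (t2, n) in pairs if t1 == t2 == "N"}
        return frozenset(sums) & NAT
    if op == "or":
        return frozenset(("B", p or q) for (t1, p), (t2, q) in pairs
                         if t1 == t2 == "B")
    if op == "=":                         # polymorphic EQ: tags must agree
        return frozenset(("B", v == w) for (t1, v), (t2, w) in pairs if t1 == t2)
    raise ValueError(f"unknown operator {op!r}")


def exec_within_typing(e, names):
    """Check E(E) ⊆ T(E) on every state over the identifiers in names."""
    for values in product(NAT | BOOL, repeat=len(names)):
        s = dict(zip(names, values))
        if not exec_rel(e, s) <= type_rel(e, s):
            return False
    return True


C_EQ_0 = ("=", ("var", "c"), ("0",))
SAMPLES = [                               # expressions of example 4.3
    C_EQ_0,
    ("not", C_EQ_0),
    ("pred", ("var", "c")),
    ("succ", ("0",)),
    ("+", ("var", "a"), ("var", "b")),
    ("+", ("0",), ("true",)),             # the type error of part 7
]
```

An empty result from `type_rel` is the model's counterpart of T(E) = ∅, and `exec_within_typing` checks the inclusion E(E) ⊆ T(E) stated in the text for every state over the listed identifiers.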

As indicated in part 2 of this example, some derivations aiming at the simplification of fragment denotations can be relatively tedious, and what is worse, rather uninteresting. Most of all, this is true of the proofs involving the direct sum (σU→N, σU→B) of specification NATURALS-plus-BOOL. Fortunately, these proofs can be shortened by using simple arguments. For example,

ADDa,b;c ∩ Ib;b = ADDa,b;c ∩ Ib:N;b:N and

(0a;a ∩ Ib;b) (ADDa,b;c ∩ Id;d) = (0a;a ∩ Ib:N;b:N) (ADDa,b;c ∩ Id;d)     (4.1)

both follow from the fact that ADDa,b;c forces the b component of its definition domain to contain natural numbers (to use object level terminology); the operators ∩ and composition propagate this restriction to Ib;b. Using the conventions established in pages 79 and following, we give a detailed proof of the first equation.

ADDa,b;c ∩ Ib;b = ADDa,b;c ∩ Πb IU→U Πb

= ADDa,b;c ∩ Πb (IU:N→U:N ∪ IU:B→U:B) Πb

= ADDa,b;c ∩ Ib:N;b:N ∪ ADDa,b;c ∩ Ib:B;b:B.

We show that the second term is ∅, which implies the result.

ADDa,b;c ∩ Ib:B;b:B

= 〈Πa, Πb] [σU→N, σU→N] ADD σN→U Πc ∩ Πb σU→B σB→U Πb;

by definition 2.11 and ∩-subdistributivity,

⊆ 〈Πa σU→N, Πb σU→N] ADD LN→T ∩ Πb σU→B LB→T;

by definition of 〈 ] and specification NATURALS (page 63),

⊆ Πb σU→N π2 ADD LN→T ∩ Πb σU→B LB→T

⊆ Πb σU→N LN→T ∩ Πb σU→B LB→T;

because Πb is deterministic, we have, by theorem 2.6(3a),

= Πb (σU→N LN→T ∩ σU→B LB→T)

= ∅ by specification 3.9.

In the sequel, we will usually assume that equalities like those in 4.1 above are obvious

and use them without mention.

4.2.3 Statements

For statements (commands), the functionalities of T and E are T : Com → (T→T) and

E : Com → (T→T).

1. S(skip) = , T (skip) = LT→T, E(skip) = LT→T.

2. S(x := E) = x ∪ S(E),

T (x := E) = T (E) Πx ∩⋂a∈S(x:=E)(La:N;a:N ∪ La:B;a:B),

E(x := E) = E(E) Πx ∩ IA ∩ T (x := E) where A = S(E)− x.

The definition of T ensures that all identifiers in x := E have the same type before

and after execution of x := E; it also indicates that after execution, the type of x

is that of E. In the definition of E , the factor IA requires that the identifiers other

than x appearing in expression E do not change.

Page 105: ABSTRACT RELATIONAL SEMANTICS - Université Lavaldesharnais/Recherche/Theses/... · 2014. 1. 17. · ii Abstract Abstract relational algebra is used to deflne the semantics of a

CHAPTER 4. SEMANTICS 99

3. S(C1;C2) = S(C1) ∪ S(C2), T (C1;C2) = T (C1) ∩ T (C2),

E(C1;C2) = (E(C1) ∩ IA) (E(C2) ∩ IB) where A = S(C2)− S(C1),

B = S(C1)− S(C2).

By the definition of E , the command C1 must not modify any identifier appearing

in C2 but not in C1, and the command C2 must not modify any identifier appearing

in C1 but not in C2. Note that this also ensures that C1;C2 does not change the

type of any identifier in S(C1;C2) (assuming that C1 and C2 individually preserve

the types).

4. S(if E then C1 else C2 endif) = S(E) ∪ S(C1) ∪ S(C2),

T (if E then C1 else C2 endif) = T (E) LU:B→T ∩ (⋂a∈S(E) La:N;a:N ∪ La:B;a:B)∩

T (C1) ∩ T (C2),

E(if E then C1 else C2 endif) = E(E) true LU→T ∩ E(C1) ∩ IA ∩ T (C2)∪E(E) false LU→T ∩ E(C2) ∩ IB ∩ T (C1),

whereA = (S(E) ∪ S(C2))− S(C1)

B = (S(E) ∪ S(C1))− S(C2).

The type of E must be boolean, as required by T . The type of an identifier must be

the same in both branches of the statement. If C1 is executed, then the identifiers in

A must not be modified; if C2 is executed, the identifiers in B must be kept constant.

5. S(while E do C endwhile) = S(E) ∪ S(C),

T (while E do C endwhile) = T (E) LU:B→T ∩ (⋂_{a∈S(E)} La:N;a:N ∪ La:B;a:B) ∩ T (C),

E(while E do C endwhile) = (µX, E(E) false LU→T ∩ IA ∩ T (C) ∪ (E(E) true LU→T ∩ E(C) ∩ IB) X),

where A = S(E) ∪ S(C) and B = S(E)− S(C).

Most features here are like those of the conditional statement. As usual, the iteration

statement is defined recursively.

For any command C, S(C);S(C) is a scheme of the relations T (C) and E(C) (see

proposition 3.21). Moreover, E(C) ⊆ T (C) ⊆ LS(C);S(C) (see lemma 3.22); remark how

this property is maintained in the definition of the E function for conditionals and iterations

by taking the union of relations that have the same scheme. This property is a prerequisite

to the application of theorem 3.23 in the example that follows (parts 3 and 6).


Example 4.4. We first give the denotations of the statements in the procedures of

example 4.1, using the results of example 4.3. We will conclude with an example involving

a type error. We omit the description of the S function, since S(p) is simply the set of

identifiers appearing in the program fragment p.

1. T (c:=a) = Πa (LU:N→U:N ∪ LU:B→U:B) Πc ∩ (La:N;a:N ∪ La:B;a:B) ∩ (Lc:N;c:N ∪ Lc:B;c:B)

= La:N;a:N ∩ Lc:N;c:N ∪ La:B;a:B ∩ Lc:B;c:B,

E(c:=a) = Πa Πc ∩ Ia;a ∩ (La:N;a:N ∩ Lc:N;c:N ∪ La:B;a:B ∩ Lc:B;c:B)

= Ia;c ∩ Ia;a ∩ (Lc:N;c:N ∪ Lc:B;c:B).

The treatment of ‘n:=f’ is similar.

2. T (a:=0) = LT→U:N Πa ∩ (La:N;a:N ∪ La:B;a:B) = La:N;a:N,

E(a:=0) = LT→U 0 Πa ∩ La:N;a:N = 0a;a.

3. By parts 1 and 2,

T (c:=a; a:=0) = La:N;a:N ∩ Lc:N;c:N,

E(c:=a; a:=0) = (Ia;c ∩ Ia;a ∩ (Lc:N;c:N ∪ Lc:B;c:B)) (0a;a ∩ Ic;c).

Now use theorem 3.23 with

Q = Ia;c ∩ (Lc:N;c:N ∪ Lc:B;c:B), R = 0a;a,

A = a, c, B = c, C = D = a.

The result is

E(c:=a; a:=0) = Ia;c ∩ (Lc:N;c:N ∪ Lc:B;c:B) ∩ 0a;a = Ia;c ∩ Lc:N;c:N ∩ 0a;a.

4. T (c:=pred(c)) = Lc:N;c:N,

E(c:=pred(c)) = Πc S Πc ∩ Lc:N;c:N = Sc;c.

The statement ‘n:=pred(n)’ is treated in the same way.

5. T (a:=a+b) = (Πa LU:N→U:N ∩Πb LU:N→U:N) Πa ∩ (La:N;a:N ∪ La:B;a:B) ∩ (Lb:N;b:N ∪ Lb:B;b:B)

= La:N;a:N ∩ Lb:N;b:N,

E(a:=a+b) = 〈Πa,Πb] ADD Πa ∩ Ib;b ∩ La:N;a:N ∩ Lb:N;b:N = ADDa,b;a ∩ Ib;b.


6. We use the results of parts 4 and 5:

T (c:=pred(c); a:=a+b) = La:N;a:N ∩ Lb:N;b:N ∩ Lc:N;c:N,

E(c:=pred(c); a:=a+b) = (E(c:=pred(c)) ∩ Ia;a ∩ Ib;b) (E(a:=a+b) ∩ Ic;c)

= (Sc;c ∩ Ia;a ∩ Ib;b) (ADDa,b;a ∩ Ib;b ∩ Ic;c).

We use theorem 3.23 with

Q = Sc;c, R = ADDa,b;a ∩ Ib;b, A = B = c, C = D = a, b

to find

E(c:=pred(c); a:=a+b) = Sc;c ∩ADDa,b;a ∩ Ib;b.

7. Let

Wmult = while not(c=0) do c:=pred(c); a:=a+b endwhile

and substitute the results of part 3 of example 4.3 and part 6 of the present example

in the definition of the T and E functions for a while loop. Firstly,

T (Wmult) = La:N;a:N ∩ Lb:N;b:N ∩ Lc:N;c:N.

Secondly, because

E(not(c=0)) false LU→T = Πc 0 LU→T,

E(not(c=0)) true LU→T = Πc S LU→T,

we get

E(Wmult) = (µX, Πc 0 LU→T ∩ Ia:N;a:N ∩ Ib:N;b:N ∩ Ic:N;c:N ∪ (Πc S LU→T ∩ Sc;c ∩ADDa,b;a ∩ Ib;b) X).

By theorem 2.20 and the definition of ADD (specification 3.7), this can be simplified

into

E(Wmult) = (µX, 0c;c 0c;c ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ADDa,b;a ∩ Ib;b) X).

8. T (f:=succ(0)) = Lf :N;f :N, E(f:=succ(0)) = 1f ;f .


9. By parts 3 and 7,

T (c:=a; a:=0; Wmult) = La:N;a:N ∩ Lb:N;b:N ∩ Lc:N;c:N,

E(c:=a; a:=0; Wmult)

= (E(c:=a; a:=0) ∩ Ib;b) E(Wmult)

= (Ia;c ∩ Lc:N;c:N ∩ 0a;a ∩ Ib;b) (µX, 0c;c 0c;c ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ADDa,b;a ∩ Ib;b) X).

10. Here is a simple example of type error. We use the value of T (c=0) found in

example 4.3(2).

T (c := c=0) = T (c=0) Πc ∩ (Lc:N;c:N ∪ Lc:B;c:B)

= Πc LU:N→U:B Πc ∩ (Lc:N;c:N ∪ Lc:B;c:B)

⊆ Πc LU:N→T ∩ LT→U:B Πc ∩ (LT→U:N Πc ∪Πc LU:B→T)

= ∅ by specification 3.9, LU:N→T ∩ LU:B→T = ∅. □

4.2.4 Procedures

In this subsection we examine the procedure declaration and the procedure call. The

procedure declaration has the form

procedure x(D1);D2;C endproc.

Though its denotation could be given directly, we first look at the subpart D2;C consisting

of a declaration sequenced with a command. The reason is that the definition of D;C will

be useful in the subsequent discussion (section 4.3).

1. S(D;C) = S(D) ∪ S(C), T (D;C) = T (D) ∩ T (C),

E(D;C) = T (D) ∩ E(C) ∩ IA where A = S(D)− S(C).

The definition simply ensures that the types derived from the analysis of C conform

to the types declared in D and that the execution of C does not change variables

that are declared in D but do not appear in C.

2. We now look at the procedure declaration. For the declaration to be legal, we require

S(C)− (S(D1) ∪ S(D2)) = and S(D1) ∩ S(D2) = . (4.2)

The first clause means that we will consider only procedures without global variables;

the second one that no identifier can be both a parameter and a local variable. In


the case that these conditions are not satisfied, we define S(procedure x . . .) = and T (procedure x . . .) = E(procedure x . . .) = ∅; otherwise,

S(procedure x(D1);D2;C endproc) = S(D1),

T (procedure x(D1);D2;C endproc) = IF (T (D1) ∩ T (D2;C)) IF ,

E(procedure x(D1);D2;C endproc) = IF (T (D1) ∩ E(D2;C) ∩ IA) IF ,

where F = S(D1) is the set of formal parameters and A = S(D1) − S(D2;C) =

S(D1)− S(C).

The relation IF acts as a kind of projection, since, for any R ∈ T→T, all the useful

information of the relation IF RIF is contained in the components whose attributes

belong to the set F (see proposition 3.21(1,4c)).

3. Let Pcall = x(x11 → x12, . . . , xn1 → xn2) be a call to the procedure x. We assume

the existence of a declaration Pdecl ≝ procedure x(D1);D2;C endproc. Let F =

x11, . . . , xn1 and A = x12, . . . , xn2 be the sets of formal and actual parameters,

respectively. For the call to be legal, we require

(a) i ≠ j ⇒ xi1 ≠ xj1,

(b) i ≠ j ⇒ xi2 ≠ xj2,

(c) F = S(D1).

(4.3)

By (a), all the identifiers denoting formal parameters are different; by (b), all actual

parameters are different; by (c), the set of identifiers denoting formal parameters

in the procedure call is exactly the set of formal parameters declared in Pdecl. If

these conditions are not met, we define S(Pcall) = and T (Pcall) = E(Pcall) = ∅; otherwise, let

RENAME = ⋂_{k=1}^{n} Πxk1 Πxk2 = ⋂_{k=1}^{n} Ixk1;xk2.

Then,

S(Pcall) = A,

T (Pcall) = RENAME T (Pdecl) RENAME,

E(Pcall) = RENAME E(Pdecl) RENAME.

Before presenting an example illustrating these definitions, we prove a proposition that

will be used in the example.


Proposition 4.5. Let f : R_Q → R_Q and g : R_{Q P} → R_{Q P} be the functions defined by

f(X) = Q ∪R X and g(X) = Q P ∪R X. Then µ(g) = µ(f) P.

Proof. Both f and g are continuous and total on the domains that contain Q and Q P

respectively. By 2.3, page 14,

µ(g) = ⋃_{k=0}^{∞} R^k Q P = (⋃_{k=0}^{∞} R^k Q) P = µ(f) P. □

Example 4.6.

1. Let Dmult = procedure multiply (var a: natural; var b: natural);

var c: natural;

c:=a; a:=0; Wmult

endproc

where Wmult is as in example 4.4(7). The conditions 4.2 in the definition of procedure

declarations are obviously satisfied. We use the results obtained in examples 4.2

and 4.4(9).

S(Dmult) = S(var a: natural; var b: natural) = a, b (= F ).

T (Dmult) = IF (T (var a: natural; var b: natural) ∩ T (var c: natural) ∩ T (c:=a; a:=0; Wmult)) IF

= (Ia;a ∩ Ib;b) (La:N;a:N ∩ Lb:N;b:N ∩ Lc:N;c:N) (Ia;a ∩ Ib;b)

= La:N;a:N ∩ Lb:N;b:N by theorem 3.17.

E(Dmult)

= IF (T (var a: natural; var b: natural) ∩ T (var c: natural) ∩ E(c:=a; a:=0; Wmult)) IF

= (Ia;a ∩ Ib;b) (La:N;a:N ∩ Lb:N;b:N ∩ Lc:N;c:N ∩ (Ia;c ∩ Lc:N;c:N ∩ 0a;a ∩ Ib;b) (µX, 0c;c 0c;c ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ADDa,b;a ∩ Ib;b) X)) (Ia;a ∩ Ib;b)

= (Ia;a ∩ Ib;b) (Ia;c ∩ Lc:N;c:N ∩ 0a;a ∩ Ib;b) (µX, 0c;c 0c;c ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ADDa,b;a ∩ Ib;b) X) (Ia;a ∩ Ib;b);

by proposition 4.5 and theorem 3.17,

= (Ia;c ∩ 0a;a ∩ Ib;b) (µX,Πc 0 LU→T ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ADDa,b;a ∩ Ib;b) X).


We will show in the next chapter that this expression can be reduced further. The

final result (which is used in part 2 of this example) will be

E(Dmult) = MULT a,b;a ∩ Ib;b.

2. Let us now find the denotations of the procedure call multiply(a→f, b→n). It is

easily seen that the conditions 4.3 are satisfied.

S(multiply(a→f, b→n)) = f, n.

T (multiply(a→f, b→n)) = (Ia;f ∩ Ib;n) T (Dmult) (Ia;f ∩ Ib;n)

= (If ;a ∩ In;b) (La:N;a:N ∩ Lb:N;b:N) (Ia;f ∩ Ib;n)

= Lf :N;f :N ∩ Ln:N;n:N by theorem 3.17.

E(multiply(a→f, b→n))

= (Ia;f ∩ Ib;n) E(Dmult) (Ia;f ∩ Ib;n)

= (If ;a ∩ In;b) (MULT a,b;a ∩ Ib;b) (Ia;f ∩ Ib;n) part 1;

= (If ;a ∩ In;b) (MULT a,b;f ∩ Ib;n) theorem 3.17;

= (Πf Πa ∩Πn Πb) (〈Πa,Πb] MULT Πf ∩Πb Πn) definition 3.18;

= 〈Πf ,Πn] [Πa, Πb〉 (〈Πa,Πb] MULT Πf ∩Πb Πn) theorem 2.14;

= 〈Πf ,Πn] (MULT Πf ∩ [Πa, Πb〉 Πb Πn) theorem 2.6(5b);

= MULT f,n;f ∩ (Πf Πa ∩Πn Πb) Πb Πn) theorem 2.6(3a);

= MULT f,n;f ∩Πf L ∩ In;n theorem 3.17;

= MULT f,n;f ∩ In;n because MULT f,n;f ⊆ Πf L. □

By employing the results of this example, we can progress further in the analysis of

the procedure factorial. This is done in the next example. To avoid repeating derivations

similar to those of the preceding examples, we simply give the value of the E function for

the relevant fragments.

Example 4.7. Let

Wfact = while not(n=0) do multiply(a→f, b→n); n:=pred(n) endwhile,

Dfact = procedure factorial (var n: natural);

var f: natural;

f:=succ(0); Wfact; n:=f

endproc.

1. E(multiply(a→f, b→n); n:=pred(n)) = MULT f,n;f ∩ Sn;n.


2. E(Wfact) = (µX, 0n;n 0n;n ∩ If :N;f :N ∪ (MULT f,n;f ∩ Sn;n) X).

3. E(Wfact; n:=f) = (µX, 0n;n ∩ If ;f ∩ If ;n ∪ (MULT f,n;f ∩ Sn;n) X).

4. E(f:=succ(0); Wfact; n:=f)

= (1f ;f ∩ In;n) (µX, 0n;n ∩ If ;f ∩ If ;n ∪ (MULT f,n;f ∩ Sn;n) X).

5. E(Dfact) = (1n;f ∩ In;n) (µX, 0n;n ∩ If ;n ∪ (MULT f,n;f ∩ Sn;n) X). □

4.3 Comments on the Semantic Definitions

The set S(p) and the relations T (p) and E(p) assigned to a program fragment p do not

depend on the environment of p (except for procedure calls). Rather, the environment is

built bottom-up. There are four main aspects to this treatment of environments.

1. Only the necessary components of the environment are assumed. For example,

S(c:=pred(c)) contains only one identifier, ‘c’.

2. The set of components of a composite fragment is the accumulation of the components

of its subparts. E.g.,

S(c:=pred(c); a:=a+b) = S(c:=pred(c)) ∪ S(a:=a+b) = a, b, c.

3. The possible types of a component are inferred. Thus, T (a:=0) = La:N;a:N and

T (c:=a) = La:N;a:N ∩ Lc:N;c:N ∪ La:B;a:B ∩ Lc:B;c:B (example 4.4); in the first case, we

know that a must have type natural, whereas, in the second case, all we know is

that a and c must have the same type.

4. Conflicting assumptions are eliminated by the intersection or composition operators.

For example,

T (a:=true; a:=0) = La:B;a:B ∩ La:N;a:N = ∅,

E(a:=true; a:=0) = truea;a 0a;a = ∅.

The classical denotational approach [Stoy 77] is different in that respect. The environment

explicitly appears in most of its semantic definitions. For example, the definition of

a sequence of statements is

C(C1;C2)ε = C(C2)ε C(C1)ε


where C is a semantic function and ε : identifiers → denotable values is the environment.

Our bottom-up semantics can also be contrasted with typical relational approaches. For

example, in [Mili 83], a sequence has the simple definition

E(C1;C2) = E(C1) E(C2).

There is no mention of the environment because all its components (and their types) are

known; that is, the definition assumes a predetermined, fixed, set of states.

A benefit of our approach is that it is possible to denote an isolated fragment p by

a fixed set S(p) and two fixed relations T (p) and E(p) that can be used in any context

where the fragment appears.

Procedure calls have been treated differently: when fragment p calls procedure x, no

x component containing all possible procedure values is created in E(p). Rather, we have

assumed the existence of a procedure declaration P = procedure x(D1);D2;C endproc,

and E(P ) (with some renaming of its attributes) has been substituted for the call to

x. A system of mutually recursive procedures is thus denoted by a system of recursive

equations which must then be solved. We will not discuss this subject here, but we refer

to [de Bakker 73] for an example of such a recursive relational system and its solution.

We are currently investigating ways to provide a more consistent definition of procedures.

In particular, we are focusing our research on the specification of a relational

domain whose points are procedure values.

Notice how the relational approach allows a natural treatment of uninitialized variables.

There is no need to give them a special value indicating that they are not initialized (though

of course it is possible to do so). The use of such an uninitialized variable in a procedure

propagates multiple values, and the results of the procedure are unpredictable. This is

what happens in many imperative languages.

It is an interesting exercise to examine laws of programming in the light of the relational

semantics of the previous section. Some identities that can be easily derived are

E(var a: t1; var b: t2; C) = E(var b: t2; var a: t1; C),

E(skip; C) = E(C; skip) = E(C),

where C is any command and t1, t2 ∈ natural, boolean.

Some laws that are valid when a fixed program space (set of states) is assumed are not

valid any more when the above semantics is used. For example, the commands ‘a:=a’ and


‘skip’ are usually considered to be equivalent [Hoare 87]. But

E(a:=a) = Ia;a ≠ LT→T = E(skip).

However, in the presence of a suitable declaration, these two fragments become equivalent.

E.g.,

E(var a: natural; a:=a) = Ia:N;a:N = E(var a: natural; skip).

The statements ‘if true then C1 else C2’ and ‘C1’ are also considered to be equivalent

under the assumption of a fixed program space. But

E(if true then C1 else C2 endif) = E(C1) ∩ IA ∩ T (C2),

where A = S(C2)−S(C1). In general, this will be different from E(C1) unless A = and

T (C1) ⊆ T (C2) (e.g. E(if true then a:=1 else a:=2 endif) = E(a:=1)). But if there is a

declaration D such that S(C2) ⊆ S(D), T (D) ⊆ T (C2), then

E(D; if true then C1 else C2 endif) = T (D) ∩ E(C1) ∩ IA = E(D;C1)

with A = S(D) − S(C1). This means that provided that D declares all the variables

appearing in C2 and that there is no type conflict between D and C2, then the two

statements are equivalent (the values of S and T for the two statements are also equal).

Hence one gets the usual laws concerning statements, provided that these statements

are accompanied by the appropriate declarations.
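The laws discussed above can be checked mechanically on a small finite model. The following Python model is an added example, not code from the thesis. It assumes a constructed value universe (three naturals, two Booleans), represents a denotation as a scheme plus a set of (before, after) state pairs, takes T(var a: t) to constrain a to type t before and after (as the results above indicate), and restricts assignments to constants and identifiers; all function names are hypothetical.

```python
from itertools import product

NAT, BOOL = (0, 1, 2), ("false", "true")   # constructed finite stand-ins for N and B
VALUES = NAT + BOOL

def typ(v):
    return "N" if v in NAT else "B"

def freeze(state, ids=None):
    """Hashable form of a state (dict identifier -> value), optionally restricted to ids."""
    return frozenset((x, v) for x, v in state.items() if ids is None or x in ids)

def states(scheme):
    ids = sorted(scheme)
    return [dict(zip(ids, vals)) for vals in product(VALUES, repeat=len(ids))]

def relation(scheme, keep):
    """Denotation (scheme, pairs): every (before, after) over scheme with keep(before, after)."""
    pairs = frozenset((freeze(s), freeze(t))
                      for s in states(scheme) for t in states(scheme) if keep(s, t))
    return frozenset(scheme), pairs

def lift(den, scheme, fixed=True):
    """Same relation on a larger scheme; the added identifiers are held constant
    (the factor I_A) when fixed is true, and left unconstrained otherwise."""
    old, pairs = den
    extra = set(scheme) - old
    return relation(scheme, lambda s, t:
                    (freeze(s, old), freeze(t, old)) in pairs
                    and (not fixed or all(s[x] == t[x] for x in extra)))

def skip():
    return relation((), lambda s, t: True)        # empty scheme, universal relation

def assign(x, rhs):
    """E(x := rhs), rhs being a constant from VALUES or another identifier."""
    is_id = rhs not in VALUES
    scheme = {x, rhs} if is_id else {x}
    def keep(s, t):
        value = s[rhs] if is_id else rhs
        unchanged = all(s[y] == t[y] for y in scheme - {x})      # factor I_A
        typed = all(typ(s[y]) == typ(t[y]) for y in scheme)      # factor T(x := rhs)
        return t[x] == value and unchanged and typed
    return relation(scheme, keep)

def seq(d1, d2):
    """E(C1;C2): each part keeps the other's private identifiers fixed, then compose."""
    scheme = d1[0] | d2[0]
    first, second = lift(d1, scheme)[1], lift(d2, scheme)[1]
    successors = {}
    for mid, after in second:
        successors.setdefault(mid, set()).add(after)
    return scheme, frozenset((s, u) for s, mid in first for u in successors.get(mid, ()))

def declare(types, den):
    """E(D;C) for a declaration D given as types = {identifier: "N" or "B"}."""
    scheme = frozenset(types) | den[0]
    def well_typed(frozen):
        return all(typ(v) == types.get(x, typ(v)) for x, v in frozen)
    pairs = lift(den, scheme)[1]                  # identifiers only in D stay fixed
    return scheme, frozenset((s, t) for s, t in pairs if well_typed(s) and well_typed(t))

if __name__ == "__main__":
    print("a:=true; a:=0 is empty:", not seq(assign("a", "true"), assign("a", 0))[1])
    print("a:=a equals skip under 'var a: natural':",
          declare({"a": "N"}, assign("a", "a")) == declare({"a": "N"}, skip()))
```

Without the declaration, `assign("a", "a")` is the identity on a, while `skip()` lifted to the scheme {a} with `fixed=False` relates every state to every state, which is the inequality E(a:=a) ≠ E(skip) stated above.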

The only prerequisite to our relational bottom-up analysis of programs is that the

programs must be syntactically correct. Adding some assumptions results in a simpler

treatment. Let P = p0, p1, p2, . . . be a set of program fragments.

1. Let V = v1, . . . , vn ⊆ Id be a finite set of identifiers and assume that every variable

identifier appearing in the fragments in set P belongs to V . Define (ρv1 , . . . , ρvn) to

be a direct product such that ρvi ρvi = IU→U for i = 1, . . . , n. This direct product

can be used to define the semantics of the fragments in P pretty much in the same

way that the Π relations of the specification TABLES have been used.

2. If the type of each variable is known, the direct product of 1 could be such that

ρvi ρvi = IN→N or ρvi ρvi = IB→B depending on the type of variable vi.


3. Let Vi = vi1, . . . , vini be the set of variable identifiers appearing in fragment pi. For

each fragment pi define (ρvi1 , . . . , ρvini ) to be a direct product with ρvij ρvij = IU→U

for j = 1, . . . , ni. This direct product can be used to associate relations T (pi) and

E(pi) to pi. The difference with case 1 above is that the direct product used to define

a fragment depends only on that fragment.

4. If the type of each variable is known, the direct products of 3 can be defined by

ρvij ρvij = IN→N or ρvij ρvij = IB→B depending on the type of variable vi. This

approach is the one used by [de Roever 72] to describe the call by value and call by

name parameter passing mechanisms.

With these four different approaches there is a first gain in simplicity due to the fact

that most of the development carried out in sections 3.2 and 3.3 becomes unnecessary.

With methods 2 and 4 there is no need for a sum domain U→U; this results in another

simplification. However, with methods 3 and 4, there is an increase in complexity due to

the need to distinguish between the numerous direct products.

What is lost is some generality. With the four approaches the specifications of the

relational domains used for the semantic definitions depend on the fragments under

consideration. In our approach, these domains are fixed beforehand. A consideration of all

legal program fragments at once is not possible with methods 1 and 2, because the set V

must be finite (to allow the definition of the associated direct product). With methods 3

and 4, such a study requires the definition of an infinite number of domain constructors

(the ρvij ). With our approach only three such constructors are necessary (empty , POP ,

TOP). Which method is better suited to practical use remains to be seen.

In connection with this discussion on the choice of relational domains for program

semantics, we mention the following research topics.

The notion of scheme defined in section 3.3 is in a sense a meta-feature since it is not

expressed totally in relational terms. In particular, S(p) is a set, not a relation. Would it

be useful to define relational domains for identifiers and schemes? A scheme could then

be attached (using direct products?) to a relation and would become the scheme of the

relation.

Also, because schemes are defined to be sets of identifiers, it seems difficult to describe

nested constructs (procedures within procedures or modules, record fields within records,


etc.). This seems to require that schemes be sets of trees whose nodes are labeled with

identifiers (structured schemes).


Chapter 5

PROGRAM CORRECTNESS

In the introduction, we have mentioned that our relational semantics was intended to be

useful for program derivation. To reach this goal, we must have some criteria for comparing

a program and a specification, i.e. for showing that a program is an implementation of a

specification. We give such a criterion in definition 5.1. In accordance with the modern

trend [Back 88, Dijkstra 75, Gries 81, Jones 86, Mili 83, Mills 87], we define what is a

refinement step, and show that a correct program results from a sequence of refinement

steps (theorem 5.2).

We will prove that the procedures multiply and factorial of the last chapter are

implementations of the relations MULT and FACT of the specification NATURALS. In order

to carry out these proofs of correctness, we will have to prove a theorem (5.4) allowing the

transformation of a certain type of recursive equations. This theorem is analogous to the

recursion removal theorem of Backus [Backus 85] which is used for the transformation of

some recursive definitions involving the functional form ‘condition’.

Definition 5.1. A relation R2 is said to be more defined [Mili 87] than a relation R1 iff

(1) R1 L ⊆ R2 L,

(2) R2 ∩R1 L ⊆ R1.

A relation R2 is a refinement of a relation R1 (also: R2 is correct with respect to R1)

iff there exists a representation morphism (φ, ψ) such that R2 is more defined than the

representation of R1, i.e. R2 is more defined than φ R1 ψ.

A program fragment p is an implementation of a relation R (also: p is correct with

respect to R) iff E(p) is a refinement of R. □


We recall that (φ, ψ) is a representation morphism (definition 2.7) when φ φ = I and

ψ ψ = I (φ and ψ are total and injective). A particular case of refinement occurs when

φ = I and ψ = I; that is, if R2 is more defined than R1, then it is a refinement of R1. In

that case, R1 L ⊆ R2 L, meaning that the definition domain of R2 is larger than that

of R1; also R2 ∩ R1 L ⊆ R1, which means that on the definition domain of R1, R2 is

included in R1.

A second particular case of refinement occurs when R2 = φ R1 ψ, i.e. when R2

is a representation of R1. As was shown in theorem 2.8, the interest of representation

morphisms is that the value of a relational expression E1 can be obtained by first evaluating

a similar expression E2 involving suitable representations of the relations used in E1, and

then by retrieving the result of E1 by applying the converse of the representation morphism

to the result of E2 (φ and ψ are what Jones [Jones 86] calls retrieve functions).

As an example, we give two different representations of the domain B→B of

specification BOOL (page 62) by the domain N→N of specification NATURALS (page 63).

Let φ = false LB→N 0 ∪ true LB→N 1. The relation φ associates false to 0 and true

to 1. It is easily verified that φ φ = IB→B and that

0 (0 ∪ 1) = φ false φ,

1 (0 ∪ 1) = φ true φ,

0 1 ∪ 1 0 = φ NOT φ;

that is, the relations on the left hand side are representations of false, true and NOT , by

the representation morphism (φ, φ).

A more interesting representation morphism is (ψ,ψ), with

ψ = false LB→N 0 ∪ true LB→N S.

The relation ψ associates false to 0 and true to any other number. The condition ψ ψ =

IB→B is satisfied and

0 = ψ false ψ,

S L = ψ true ψ,

0 S ∪ S 0 = ψ NOT ψ;

the relations 0, S L and 0 S ∪ S 0 are representations of false, true and NOT , respectively.

By corollary 2.13, [ψ,ψ] is total and injective, whence ([ψ,ψ], ψ) is a representation

morphism. Furthermore, ψ is surjective, so that [ψ,ψ] is also surjective. By theorem 2.8,


it suffices to replace the relations appearing in the definitions of OR and AND by their

representation to get representations for OR and AND . This gives

ORNAT ≝ [0, 0〉 0 ∪ [0, 0〉 L S = ψ OR ψ,

ANDNAT ≝ [S L, S L〉 L S ∪ [S L, S L〉 0 = ψ AND ψ.

The relation ORNAT returns 0 if its two arguments are 0 and returns any non zero number

in the other cases. The relation ANDNAT returns a positive number if its two arguments

are positive and returns 0 otherwise.

One can show that the relations ADD and MULT (specification NATURALS) are

more defined than the relations ORNAT and ANDNAT respectively. Hence ADD is a

refinement of OR and MULT is a refinement of AND .

This simple exercise shows how a refinement has been broken in two steps. In the first

step, Booleans were represented by natural numbers (we could speak of data refinement),

resulting in the representation of OR by ORNAT. In the second step, a relation more

defined than ORNAT (the relation ADD) was found (refinement of algorithm).
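Definition 5.1 and the ORNAT/ANDNAT exercise can be replayed on finite relations. This Python check is an added example, not code from the thesis. It truncates the naturals to a constructed range, reads the representation of a Boolean relation under ψ as "decode both arguments with ψ, apply the relation, encode the result with ψ", and tests the refinement claims; the function names are hypothetical.

```python
from itertools import product

N = 4                                    # constructed bound: arguments are 0..N-1
ARGS, RESULTS = range(N), range(N * N)   # RESULTS holds every sum and product
BOOLS = (False, True)

def psi(naturals):
    """psi of the text: false is represented by 0, true by every other number."""
    return {(False, 0)} | {(True, n) for n in naturals if n != 0}

def graph(fn, inputs):
    """A two-argument function as a relation: pairs ((x, y), fn(x, y))."""
    return {(x, fn(*x)) for x in inputs}

def represent(rel):
    """Relation on naturals that represents a binary Boolean relation under psi."""
    arg, res = psi(ARGS), psi(RESULTS)
    return {((m, n), k)
            for (b1, m), (b2, n), (b, k) in product(arg, arg, res)
            if ((b1, b2), b) in rel}

def abstract(rel):
    """Abstraction: a relation on naturals read back as a relation on Booleans."""
    arg, res = psi(ARGS), psi(RESULTS)
    return {((b1, b2), b)
            for (b1, m), (b2, n), (b, k) in product(arg, arg, res)
            if ((m, n), k) in rel}

def domain(rel):
    return {x for x, _ in rel}

def more_defined(r2, r1):
    """Definition 5.1: (1) dom(r1) is within dom(r2); (2) on dom(r1), r2 is within r1."""
    d1 = domain(r1)
    return d1 <= domain(r2) and {(x, y) for x, y in r2 if x in d1} <= r1

OR = graph(lambda a, b: a or b, product(BOOLS, BOOLS))
AND = graph(lambda a, b: a and b, product(BOOLS, BOOLS))
ADD = graph(lambda m, n: m + n, product(ARGS, ARGS))
MULT = graph(lambda m, n: m * n, product(ARGS, ARGS))
ORNAT, ANDNAT = represent(OR), represent(AND)

def report():
    """Refinement facts from the text, plus one failing pairing for contrast."""
    return {
        "ADD more defined than ORNAT": more_defined(ADD, ORNAT),
        "MULT more defined than ANDNAT": more_defined(MULT, ANDNAT),
        "MULT more defined than ORNAT": more_defined(MULT, ORNAT),   # 1*0 = 0: fails
        "abstraction of ADD more defined than OR": more_defined(abstract(ADD), OR),
    }

if __name__ == "__main__":
    for claim, holds in report().items():
        print(f"{claim}: {holds}")
```

The last entry of `report()` is the situation of theorem 5.3: a relation more defined than the representation of OR abstracts to a relation more defined than OR itself.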

Now, the derivation of a program may consist of many such steps. We will show that

indeed a sequence of refinement steps produces a relation which is a refinement of any

relation produced in a previous step. That is, the relation ‘is a refinement of’ is transitive.

Theorem 5.2. Let R2 be a refinement of R1 and R3 be a refinement of R2. Then R3 is

a refinement of R1.

Proof. Let (φ1, ψ1) be the representation morphism used in the refinement of R1 and

(φ2, ψ2) be the one used in the refinement of R2. The hypotheses are

R2 is more defined than φ1 R1 ψ1,

R3 is more defined than φ2 R2 ψ2,

that is, noting that ψ1 L = L and ψ2 L = L,

(i) φ1 R1 L ⊆ R2 L,

(ii) R2 ∩ φ1 R1 L ⊆ φ1 R1 ψ1,

(iii) φ2 R2 L ⊆ R3 L,

(iv) R3 ∩ φ2 R2 L ⊆ φ2 R2 ψ2.


We will show that

(1) φ2 φ1 R1 L ⊆ R3 L,

(2) R3 ∩ φ2 φ1 R1 L ⊆ φ2 φ1 R1 ψ1 ψ2.

Because (φ1 φ2, ψ1 ψ2) is a representation morphism (theorem 2.6(2)), (1) and (2) mean

that R3 is a refinement of R1. This also means that we can refine R1 directly into R3 by

a representation step (φ1 φ2, ψ1 ψ2) followed by a step where a more defined relation is

found.

1. By (i) and (iii), φ2 φ1 R1 L ⊆ φ2 R2 L ⊆ R3 L.

2. R3 ∩ φ2 φ1 R1 L

= R3 ∩ φ2 (φ1 R1 L ∩R2 L) by (i);

⊆ R3 ∩ φ2 φ1 R1 L ∩ φ2 R2 L ∩-subdistributivity;

⊆ φ2 φ1 R1 L ∩ φ2 R2 ψ2 by (iv);

= φ2 (φ1 R1 L ∩R2) ψ2 theorems 2.6(3a) and 2.4(1);

⊆ φ2 φ1 R1 ψ1 ψ2 by (ii). □

Let R1, . . . , Rn be a sequence of relations such that Ri+1 is a refinement of Ri (i =

1, . . . , n− 1). By the theorem, Rn is a refinement of R1. As particular cases, we note that

if Ri+1 is a representation of Ri (i = 1, . . . , n− 1), then Rn is a representation of R1, and

if Ri+1 is more defined than Ri (i = 1, . . . , n− 1), then Rn is more defined than R1.

We already know that if R2 is the representation of R1 by the morphism (φ, ψ), then

we can retrieve R1 by applying the converse of the representation morphism: R1 = φ R2 ψ;

this is the process of abstraction [Jones 86]. But if R2 is more defined than

the representation of R1, what can we say about φ R2 ψ? The next theorem

shows that the abstraction φ R2 ψ of R2 is more defined than R1. This simply means

that refinements carried out in a representation domain correspond to refinements in the

represented domain. If it were not the case, the definition of refinement given above would

be unacceptable.

Theorem 5.3. Let (φ, ψ) be a representation morphism and assume that relation R2 is

more defined than φ R1 ψ. Then φ R2 ψ is more defined than R1.


Proof. The hypotheses are

(i) φ R1 L ⊆ R2 L,

(ii) R2 ∩ φ R1 L ⊆ φ R1 ψ,

(iii) φ φ = I, ψ ψ = I.

We must show that

(1) R1 L ⊆ φ R2 ψ L,

(2) φ R2 ψ ∩R1 L ⊆ R1.

1. (a) Composing φ with both sides of (i) results in R1 L ⊆ φ R2 L.

(b) Composing φ with both sides of (ii) produces

φ R2 ∩R1 L ⊆ R1 ψ,

where we have used (iii) and theorem 2.6(5b).

(c) By the Schröder rule, ψ R1 L ⊆ ψ L ⇔ R1 ψ ψ L ⊆ ∅.

(d) R1 L = R1 L ∩ φ R2 L (a);

= R1 L ∩ φ R2 (ψ L ∪ ψ L)

= R1 L ∩ φ R2 ψ L ∪R1 L ∩ φ R2 ψ L ∪-distributivity;

⊆ φ R2 ψ L ∪ (R1 L ∩ φ R2) ψ L theorem 2.4(1);

⊆ φ R2 ψ L ∪R1 ψ ψ L (b);

= φ R2 ψ L (c).

2. By (ii), φ (R2 ∩ φ R1 L) ψ ⊆ φ (φ R1 ψ) ψ. By (iii) and theorems 2.6(5b)

and 2.4(1), this is equivalent to

φ R2 ψ ∩R1 L ⊆ R1. □

Of course, there is much more to correct refinement of specifications than what has

been presented above. In particular, one must investigate the conditions under which a

divide and conquer approach can be used. For example, it is possible to refine a relation

R = R1 ∪ R2 by refining R1 and R2 separately, provided that certain conditions are

met. We will not do this investigation here, because the proofs of correctness of the

procedures multiply and factorial do not require it. We refer to [Mili 83] for a relational

formulation of some of the conditions that allow the divide and conquer approach (in


[Mili 83], refinement proceeds from a specification to a program by a sequence of more

and more defined relations).

Before we can show the correctness of the procedures of the previous chapter, we

have to prove a theorem that allows the transformation of the recursive definitions of

the relations MULT and FACT into a recursive form that will be more suitable to our

needs. The definitions of MULT and FACT both have the form X = P ∪ 〈Q X,R] S.

To be able to implement MULT and FACT by a while loop, we need a recursion of the

form X = P ∪ R X (see section 4.2.3). The next theorem shows how this can be done;

it corresponds to the recursion removal theorem of [Backus 85], which is used for the

transformation of certain recursive expressions involving the functional form ‘condition’.

Theorem 5.4. Let Θ = (θ1, θ2) and Π = (π1, π2) be direct products. Let f : R_P → R_P and

f ′ : R_{Θ[P,I]Π S} → R_{Θ[P,I]Π S} be the total functions (on the relational domains

containing P and Θ[P, I]Π S, respectively) defined by

f(X) = P ∪ 〈Q X,R]Π S,

f ′(X) = Θ[P, I]Π S ∪ 〈θ1 Q,Θ[R, I]Π S]Θ X.

If

(i) S is associative,

(ii) S has neutral element u,

(iii) Q,R, S are deterministic,

then

(1) µ(f ′) = Θ[µ(f), I]Π S,

(2) µ(f) = 〈I, L u]Θ µ(f ′).

Proof. We recall that the definitions of associativity and neutral element are given in

definition 3.8.

1. It suffices to show that for all n ≥ 0

f ′^n(∅) = Θ[f^n(∅), I]Π S,

since this implies

⋃_{n=0}^{∞} f ′^n(∅) = ⋃_{n=0}^{∞} Θ[f^n(∅), I]Π S,


from which µ(f ′) = Θ[µ(f), I]Π S, by the continuity of h(X) ≝ [X, I] S and that

of f and f ′.

The proof is done by induction.

Basis of induction: For n = 0, ∅ = Θ[∅, I]Π S.

Induction step: Assume that Y = Θ[X, I]Π S. We will show that

f ′(Y ) = Θ[f(X), I]Π S,

from which the result follows.

f ′(Y ) = Θ[P, I]Π S ∪ 〈θ1 Q,Θ[R, I]Π S]Θ Y ;

by the induction hypothesis and the definition of [ ],

= Θ[P, I]Π S ∪ 〈θ1 Q, 〈θ1 R, θ2]Π S]Θ Θ[X, I]Π S;

by (iii), theorems 2.14, 2.12(1) and 2.6(2a),

= Θ[P, I]Π S ∪ 〈θ1 Q X, 〈θ1 R, θ2]Π S]Π S

= Θ[P, I]Π S ∪ 〈〈θ1 Q X, θ1 R]Π S, θ2]Π S        by (i);

by definition of [ ] and equation 2.8 on page 32,

= Θ[P, I]Π S ∪ Θ[〈Q X, R]Π S, I]Π S

= Θ[P ∪ 〈Q X, R]Π S, I]Π S        2.9 (page 32);

= Θ[f(X), I]Π S.

2. µ(f) = 〈µ(f), L u]Π S        by (ii);

= 〈I, L u]Θ Θ[µ(f), I]Π S        L u deterministic, theorem 2.14;

= 〈I, L u]Θ µ(f′)        by part 1. □

We apply this theorem to the relations FACT and MULT. We begin with the simpler

FACT relation. From specification NATURALS (page 63), its definition is

FACT = 0 1 ∪ 〈S FACT , I]Π MULT ,

where Π is the direct product (π1, π2) (called ΠN in specification NATURALS). We have

chosen the least solution

FACT = (µX, 0 1 ∪ 〈S X, I]Π MULT ).

The relation MULT is associative and has neutral element 1; also, S, I and MULT are

deterministic. The application of the previous theorem yields

FACT = 〈I, L 1]Θ FACT ′ (5.1)

where

FACT ′ = (µX,Θ[0 1, I]Π MULT ∪ 〈θ1 S,Θ[I, I]Π MULT ]Θ X).

Because of the presence of the sub-expression Θ[I, I]Π, we see that we can take Θ = Π, so

that we suppress explicit mention of the product in the subscripts of tupelings:

FACT = 〈I, 1] FACT ′,

FACT ′ = (µX, [0 1, I] MULT ∪ 〈π1 S,MULT ] X)

(because Θ = Π, the L in 5.1 is homogeneous, and [I, I] = I). We simplify the first term

in the expression of FACT ′; the simplification uses the definitions of MULT and ADD of

specification NATURALS.

[0 1, I] MULT

= [0 1, I] ([0, 0〉 ∪ 〈[S, I] MULT, π2] ADD)        definition of MULT;

= [0 1, I] 〈[S, I] MULT, π2] ADD        theorem 2.14, 1 0 = ∅;

0 1 and I are deterministic, so by corollary 2.13 and equations 2.8 (page 32),

= 〈[0 1, I] [S, I] MULT, [0 1, I] π2] ADD;

by theorem 2.14 and corollary 2.13(6), and because 1 S = 0,

= 〈[0 0, I] MULT, [0, I〉] ADD

= 〈[0 0, I] [0, 0〉, [0, I〉] ADD        definition of MULT, 0 S = ∅;

= 〈[0, 0〉, [0, I〉] ADD        theorem 2.14, 0 0 = L;

= 〈[0, 0〉, [0, I〉] ([0, I〉 ∪ [S, I] ADD S)        definition of ADD;

= 〈[0, 0〉, [0, I〉] [0, I〉        theorem 2.14, 0 S = ∅;

= [0, 0〉 0 ∩ [0, I〉        0 and I injective, theorem 2.14;

= [0, L〉 ∩ [0, I〉        0 injective, 2.8 (page 32);

= [0, I〉        2.9 (page 32).

Hence the final result is

FACT = 〈I, 1] FACT ′,

FACT′ = (µX, [0, I〉 ∪ 〈π1 S, MULT] X).        (5.2)
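
Theorem 5.4 can be checked on a finite model. The following Python code is an added example, not part of the thesis: it computes µ(f) and µ(f′) by Kleene iteration for a factorial taken modulo 13, so that every relation is a finite set of pairs, then repeats the check with subtraction in place of MULT to show both conclusions failing when hypothesis (i) is dropped. The modulus, the argument bound 0..6, the function names and the reading of the tupling constructs as operations on concrete pairs are assumptions of the example.

```python
"""Finite-model check of Theorem 5.4 (added example; not from the thesis).

A relation is a set of (input, output) pairs.  All concrete values below
(modulus, argument bound) are constructed for the example.
"""
from itertools import product


def lfp(step):
    """Least fixpoint of a monotone step function, by Kleene iteration from ∅."""
    current = frozenset()
    while True:
        nxt = frozenset(step(current))
        if nxt == current:
            return current
        current = nxt


def image(rel, a):
    """All outputs that relation `rel` associates with input `a`."""
    return {b for (a2, b) in rel if a2 == a}


def check_theorem(D, V, P, Q, R, op, unit):
    """Return (mu_f, conclusion1_holds, conclusion2_holds).

    P ⊆ D×V, Q ⊆ D×D, R ⊆ D×V; `op` plays the role of the relation S and
    `unit` is its claimed neutral element u.
    """
    def f(X):
        # f(X) = P ∪ <Q X, R] S : x ↦ op(X(Q(x)), R(x))
        out = set(P)
        for x in D:
            for q, r in product(image(Q, x), image(R, x)):
                out |= {(x, op(y, r)) for y in image(X, q)}
        return out

    def f_prime(Y):
        # f'(Y) = [P, I] S ∪ <θ1 Q, [R, I] S] Y, on states (x, accumulator v)
        out = {((x, v), op(p, v)) for (x, p) in P for v in V}
        for x, v in product(D, V):
            for q, r in product(image(Q, x), image(R, x)):
                out |= {((x, v), z) for z in image(Y, (q, op(r, v)))}
        return out

    mu_f, mu_fp = lfp(f), lfp(f_prime)
    # (1) µ(f') = [µ(f), I] S
    concl1 = mu_fp == {((x, v), op(y, v)) for (x, y) in mu_f for v in V}
    # (2) µ(f) = <I, L u] µ(f')
    concl2 = mu_f == {(x, z) for x in D for z in image(mu_fp, (x, unit))}
    return mu_f, concl1, concl2


M, N = 13, 6                            # constructed: values mod 13, arguments 0..6
D, V = range(N + 1), range(M)
P = {(0, 1)}                            # base case 0 ↦ 1
Q = {(n, n - 1) for n in D if n > 0}    # step to the smaller argument (assumed reading)
R = {(n, n % M) for n in D}             # the argument itself, as a value


def fact_mod():
    """FACT with MULT taken modulo M: associative, neutral element 1."""
    return check_theorem(D, V, P, Q, R, lambda a, b: (a * b) % M, 1)


def with_subtraction():
    """Same shape with a non-associative S: hypothesis (i) is violated."""
    return check_theorem(D, V, P, Q, R, lambda a, b: (a - b) % M, 0)


if __name__ == "__main__":
    mu_f, c1, c2 = fact_mod()
    print(sorted(mu_f), c1, c2)
    print(with_subtraction()[1:])
```

The accumulator form µ(f′) is the one a while loop computes: each iteration moves from state (n, a) to (n − 1, n·a), and the loop exits at n = 0 with the accumulator as result.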

We now turn our attention to the MULT relation. Its definition is

MULT = (µX,Π[0, 0〉 ∪ 〈Π[S, I]Π X,π2]Π ADD).

The relation ADD is associative and has neutral element 0; also, Π[S, I]Π, π2 and ADD are

deterministic. Hence theorem 5.4 can be applied:

MULT = 〈I, L 0]Θ MULT ′,

MULT ′ = (µX,Θ[Π[0, 0〉, I]Π ADD ∪ 〈θ1 Π[S, I]Π,Θ[π2, I]Π ADD ]Θ X).

The expression of MULT ′ is totally unreadable, but it can be simplified. First note that

the presence of the sub-expression θ1 Π[S, I]Π indicates that the compositions θ1 π1 and

θ1 π2 are defined. Hence (θ1 π1, θ1 π2, θ2) is a 3-fold direct product (see definition 2.9).

We therefore define

Ω ≝ (ω1, ω2, ω3) ≝ (θ1 π1, θ1 π2, θ2).

Using Ω, we get rid of the product Θ. Firstly,

〈I, L 0]Θ = (θ1 ∩ L 0 θ2)

= ((π1 π1 ∩ π2 π2) θ1 ∩ L 0 θ2)        since π1 π1 ∩ π2 π2 = I;

= (π1 ω1 ∩ π2 ω2 ∩ L 0 ω3)        theorem 2.6(3b), definition of Ω;

= 〈π1, π2, L 0]Ω        definition of 〈 ].        (5.3)

Secondly, by definition of the constructs 〈 ] and [ ],

MULT′ = (µX, 〈θ1 (π1 0 ∩ π2 0), θ2]Π ADD ∪ 〈θ1 〈π1 S, π2]Π, 〈θ1 π2, θ2]Π ADD]Θ X).

This expression is then simplified using the definitions of ADD and Ω:

MULT ′ = (µX,ω1 0 ∩ ω3 ∪ 〈ω1 S, ω2, 〈ω2, ω3]Π ADD ]Ω X).

Because tupelings with 2 components are made with the product Π and those with 3

components are made with Ω, we can drop the explicit mention of these products as

subscripts of tupelings. Using 5.3 above, the expressions of MULT and MULT ′ become

MULT = 〈π1, π2, L 0] MULT ′,

MULT′ = (µX, ω1 0 ∩ ω3 ∪ 〈ω1 S, ω2, 〈ω2, ω3] ADD] X).        (5.4)

The following proposition presents two simple results that will be used shortly.

Proposition 5.5.

1. Let (φ, ψ) be a representation morphism and let f : R_Q → R_Q and g : R_{φ Q ψ} →

R_{φ Q ψ} be the functions

f(X) = Q ∪ R X,

g(X) = φ Q ψ ∪ φ R φ X.

Then µ(g) = φ µ(f) ψ (the least fixpoint of g is a representation of the least

fixpoint of f).

2. Let f : R_Q → R_Q and g : R_{Q∩P} → R_{Q∩P} be the functions defined by

f(X) = Q ∪ R X,

g(X) = Q ∩ P ∪ R X.

If R ⊆ P and P = P P , then µ(g) = µ(f) ∩ P .

Proof.

1. Because f and g are continuous and total on R_Q and R_{φ Q ψ}, respectively,

equation 2.3 (page 14) yields

µ(g) = ⋃_{n=0}^{∞} (φ R φ)^n φ Q ψ

= ⋃_{n=0}^{∞} φ R^n φ φ Q ψ

= ⋃_{n=0}^{∞} φ R^n Q ψ        since φ φ = I;

= φ (⋃_{n=0}^{∞} R^n Q) ψ

= φ µ(f) ψ.

2. Again f and g are continuous; f is total on R_Q and g is total on R_{Q∩P}. By induction,

R^n ⊆ P for n ≥ 1, since R ⊆ P and R^n ⊆ P ⇒ R^{n+1} = R R^n ⊆ P P = P P = P.

Consequently,

µ(g) = ⋃_{n=0}^{∞} R^n (Q ∩ P)

= ⋃_{n=0}^{∞} R^n Q ∩ P        theorem 2.4(5);

= (⋃_{n=0}^{∞} R^n Q) ∩ P

= µ(f) ∩ P. □

We now show that the procedure factorial of chapter 4 is an implementation of FACT .

Let relations φ, ψ, ξ satisfy φ φ = I, ψ ψ = I, ξ ξ = I and be such that the expression

φ 〈I, 1] ξ ξ FACT ′ ψ is defined. φ FACT ψ is a representation of FACT and

φ FACT ψ

= φ 〈I, 1] FACT′ ψ        5.2 page 118;

= φ 〈I, 1] ξ ξ FACT′ ψ        ξ ξ = I;

= φ 〈I, 1] ξ ξ (µX, [0, I〉 ∪ 〈π1 S, MULT] X) ψ        by 5.2;

by proposition 5.5(1),

= φ 〈I, 1] ξ (µX, ξ [0, I〉 ψ ∪ ξ 〈π1 S, MULT] ξ X).        (5.5)

In this equation substitute σN→U Πn for φ and ψ, and [σN→U, σN→U] [Πn, Πf 〉 for ξ (it is

easily verified that these relations satisfy φφ = ψψ = IN→N and ξξ = [IN→N, IN→N] = I).

After some reductions, and using the commutativity of MULT , we obtain

FACTn;n = Πn σU→N FACT σN→U Πn

= (In;n ∩ 1n;f ) (µX, 0n;n ∩ If ;n ∪ (Sn;n ∩MULT f,n;f ) X).

Hence FACTn;n is a representation of FACT in the domain T→T. Furthermore, the

expression of FACTn;n is just that of E(Dfact) found in example 4.7. By definition 5.1,

this means that the procedure factorial is an implementation of FACT .

We now consider the relation MULT . Using equations 5.4 and proceeding as for FACT

in equation 5.5,

φ MULT ψ = φ 〈π1, π2, L 0] ξ (µX, ξ (ω1 0 ∩ ω3) ψ ∪ ξ 〈ω1 S, ω2, 〈ω2, ω3] ADD] ξ X)

is obtained. In this equation we substitute

φ = [σN→U, σN→U] [Πa, Πb〉,

ψ = σN→U Πa,

ξ = [σN→U, σN→U, σN→U] [Πc, Πb, Πa〉

(again it is easy to verify that φ φ = I, ψ ψ = I and ξ ξ = I). The result of the

substitution is

MULT a,b;a

= 〈Πa,Πb] [σU→N, σU→N] MULT σN→U Πa

= (Ia:N;c:N ∩ Ib:N;b:N ∩ LT→U 0 Πa) (µX, Πc 0 LU→T ∩ Πb LU:N→T ∩ Ia:N;a:N ∪ (Sc;c ∩ Ib:N;b:N ∩ ADDa,b;a) X),        (5.6)

where the commutativity of ADD has been used.

The relation MULT a,b;a is a representation of MULT in the domain T→T. Next, we

show that MULT a,b;a ∩ Ib;b is more defined than MULT a,b;a.

1. MULT a,b;a and MULT a,b;a ∩ Ib;b have the same definition domain:

MULT a,b;a LT→T

= 〈Πa,Πb] [σU→N, σU→N] MULT σN→U Πa LT→T;

because Πa and σN→U are total,

= 〈Πa,Πb] [σU→N, σU→N] MULT LN→T

= 〈Πa,Πb] [σU→N, σU→N] MULT LN→T ∩Πb LU→T;

by theorem 2.12(2), proposition 3.16 and the totality of σN→U,

= (〈Πa,Πb] [σU→N, σU→N] MULT σN→U Πa ∩Πb Πb) LT→T

= (MULT a,b;a ∩ Ib;b) LT→T.

2. Condition (2) of definition 5.1 is obviously met since MULT a,b;a ∩ Ib;b ⊆ MULT a,b;a.

Hence the relation MULT a,b;a ∩ Ib;b is a refinement of MULT (definition 5.1). Using

equation 5.6 and theorem 2.4(5), we find

MULT a,b;a ∩ Ib;b

= (Ia:N;c:N ∩ Ib:N;b:N ∩ LT→U 0 Πa)

((µX, Πc 0 LU→T ∩ Πb LU:N→T ∩ Ia:N;a:N ∪ (Sc;c ∩ Ib:N;b:N ∩ ADDa,b;a) X) ∩ Ib;b);

by proposition 5.5(2),

= (Ia:N;c:N ∩ Ib:N;b:N ∩ LT→U 0 Πa) (µX, Πc 0 LU→T ∩ Ib:N;b:N ∩ Ia:N;a:N ∪ (Sc;c ∩ Ib:N;b:N ∩ ADDa,b;a) X)

= (Ia;c ∩ 0a;a ∩ Ib;b) (µX, Πc 0 LU→T ∩ Ia:N;a:N ∩ Ib:N;b:N ∪ (Sc;c ∩ Ib;b ∩ ADDa,b;a) X)

= E(Dmult)        see example 4.6(1).

Thus we have shown that E(Dmult) is a refinement of MULT . By definition 5.1,

the procedure multiply is an implementation of MULT . We have considered here that

MULT was the specification and that the procedure multiply is correct with respect to

that specification. But the relation MULT a,b;a ∩ Ib;b can also be a specification; in that

case our proof also shows that multiply is an implementation of that specification.

Chapter 6

CONCLUSION

We have defined the semantics of a simple imperative programming language using abstract

relational algebra as a tool. In order to carry out this task, we have specified

relational domains for the data types of that language (Booleans and natural numbers);

the presentation has stressed the importance of the notion of points. We have also specified

relational domains whose relations have been used to denote programs. The programming

constructs that have been defined include expressions, variable declarations, assignment

statements, while-program statements and procedures. A particularity of the semantic

definitions is that the relations denoting a program fragment depend only on the program

fragment, and not on its environment (denotations for procedure calls excepted). Finally,

we have shown how the semantics of a program fragment can be used to prove its correctness

relative to a specification. The result is a uniform abstract relational setting for

specification, semantics and program derivation.

Before practical program development can be carried out in this setting, however,

many points need to be investigated. We discuss the following four.

1. Notation.

Jones ([Jones 86], p. 205) notes that working with relations, rather than functions,

can lead to rather heavy notation. Some parts of our development (in particular the

proofs of correctness in chapter 5) clearly show that this is the case. We examine

what we think are the main sources of notational complexity.

(a) Relations can be non deterministic and non total. The impact on specifications

is that supplementary axioms are needed when determinacy or totality is desired

(e.g., see specification 3.1). Also, the properties of deterministic relations

are easier to prove. For example, theorem 2.14 always holds for deterministic

relations; for unrestricted relations, the point axiom is required (theorem 2.14).

These difficulties, however, are more than compensated by the following advantages.

i. Because partiality is allowed, there is no need to work with domains extended

by a ‘bottom’ element; therefore, nondefinedness can be easily handled

in program semantics [Berghammer 86, Schmidt 81]. We have also remarked

in section 3.2 that the treatment of errors due to partial operations

greatly complicates functional specifications. In contrast to a functional

specification of stacks with error propagation [Goguen 78], our specification 3.10,

with its partial POP and TOP operations, is relatively simple.

ii. Since relations are ordered by inclusion, a fixed-point approach to semantics

is natural and the induction principle of Scott can be used.

iii. Relational algebra is a more natural tool for the study of non determinism

(see, e.g., [Berghammer 86]), as there is no need to use set returning

functions.

(b) Dealing with heterogeneous algebras forces the introduction of a special notation

to distinguish the specific domains generated by specifications. Here,

part of the solution is probably to use the methods that have been developed

for functional algebraic specifications [Ehrig 85, Goguen 78], where the same

problem was encountered.

Object level functional approaches use a positional notation for the arguments

of functions. In the relational approach, we have used direct products to make

tupelings of relations; different products must be used to make tupelings with

a different number of relations, and thus they must be distinguished. Here,

we can look at the function level FP language [Backus 85] to find hints for

improvement.

Finally, the problem caused by the need to distinguish a relation from its injection

in a sum domain has been discussed in section 3.3. This problem is of

course not particular to the relational approach.

One way to improve the situation is by proving a repertoire of higher level theorems,

such as theorems 3.23 and 5.4. Then it suffices to recognize an instance of application

of a theorem, and the recourse to first principles is avoided. This can save a lot of

tedious formal manipulations. Backus [Backus 85] argues strongly for this approach.

2. Specification.

The relational approach to specifications must be explored further. Questions like

consistency and completeness must be investigated. One fascinating question is what

could be the role of domains that do not satisfy the point axiom?

We plan to build a catalogue of relational specifications such as that of Larch

[Guttag 86]. Though we have made our presentation for imperative languages, such a

catalogue of relation level specifications could also be useful for function level use, in

conjunction with a relational semantics for FP such as the one of [Berghammer 86].

3. Program derivation.

In [Mili 87], relation level strategies for program design are presented. However, the

concrete specifications to which these strategies are applied are object level; e.g.,

SQUARE = 〈n, n′〉 | n′ = n²

is such a specification. It will be interesting to apply the strategies to relation level

specifications and see what the result is.

Hoare and He [Hoare 86] have introduced the notion of prespecification. Their presentation

uses the calculus of relations of Tarski [Tarski 41] and is thus in a form

directly usable on our relation level specifications. Here also we expect some interesting

developments.

These investigations should result in the possibility to derive an imperative program

from a specification in a unified framework, just like Backus [Backus 85] derives an

efficient FP program from a high level inefficient one.

4. Large constructs.

As a last research topic, we mention the extension of the range of constructs covered

in the thesis. We are particularly interested in giving a bottom-up semantics to

procedure calls (see section 4.3). We are also planning a relational investigation

of laws of module interconnection, by building on the ideas of Agnarsson and

Krishnamoorthy [Agnarsson 85].

Abstract relational algebra has been rather neglected in the past and the following

citation, taken from [Tarski 41], is as true today as it was 48 years ago.

I do believe that the calculus of relations deserves much more attention than it

receives. For, aside from the fact that the concepts occurring in this calculus

possess an objective importance and are in these times almost indispensable

in any scientific discussion, the calculus of relations has an intrinsic charm

and beauty which makes it a source of intellectual delight to all who become

acquainted with it.

We hope that the thesis conveys some of the charm and beauty of this calculus.

Bibliography

[Agnarsson 85] S. Agnarsson and M.S. Krishnamoorthy. Towards a theory of packages.

Proc. ACM SIGPLAN symp. on Language Issues in Programming Environments,

Seattle, Washington, June 1985. In SIGPLAN Not. 20, 7, July 1985, pp. 117-130.

[Back 88] R. J. R. Back. A calculus of refinements for program derivations. Acta Inform.

25, 1988, pp. 593-624.

[Backus 85] J. Backus. From function level semantics to program transformation and optimization.

In Mathematical Foundations of Software development. Proc. Int. Joint

Conf. on Theory and Practice of Software Development (TAPSOFT), Berlin, March

1985, Vol. 1, Lecture Notes in Comp. Sci. 185, Springer-Verlag, 1985, pp. 60-91.

[de Bakker 73] J. W. de Bakker and W. P. de Roever. A calculus for recursive program

schemes. Automata, Languages and Programming. Proceedings of a symposium organized

by IRIA, Rocquencourt, France, July 1972, North-Holland, Amsterdam, 1973,

pp. 167-196.

[Berghammer 83] R. Berghammer and G. Schmidt. Discrete ordering relations. Discrete

Math. 43, 1, 1983, pp. 1-7.

[Berghammer 86] R. Berghammer and H. Zierer. Relational algebraic semantics of deterministic

and nondeterministic programs. Theor. Comput. Sci. 43, 1986, pp. 123-147.

[Bjørner 83] D. Bjørner and S. Prehn. Software engineering aspects of VDM. Theory and

Practice of Software Technology, D. Ferrari, M. Bolognani and J. Goguen (eds.),

North-Holland, 1983, pp. 85-134.

[Bodwin 82] J. Bodwin, L. Bradley, K. Kanda, D. Litle and U. Pleban. Experience with an

experimental compiler generator based on denotational semantics. Proc. SIGPLAN

Symp. on Compiler Construction, Boston, MA, June 1982. SIGPLAN Not. 17, 6,

June 1982, pp. 216-229.

[Broy 87] M. Broy, M. Wirsing and P. Pepper. On the algebraic definition of programming

languages. ACM Trans. Program. Lang. Syst. 9, 1, Jan. 1987, pp. 54-99.

[Chao 88] S.-J. Chao and B. R. Bryant. Denotational semantics for program analysis.

SIGPLAN Not. 23, 1, Jan. 1988, pp. 83-91.

[Codd 70] E. F. Codd. A relational model of data for large shared data banks. Commun.

ACM 13, 6, June 1970, pp. 377-387.

[DeRemer 76] F. DeRemer and H. H. Kron. Programming-in-the-large versus programming-in-the-small.

IEEE Trans. Softw. Eng. SE-2, 2, June 1976, pp. 80-86.

[Desharnais 85] J. Desharnais. Conception de programmes par décomposition relationnelle:

Proposition de quelques heuristiques. M. Sc. Thesis, Université Laval, Québec,

1985.

[Desharnais 88] J. Desharnais and N. H. Madhavji. Relation level semantics. Proc. 8th

Conf. on Foundations of Software Technology and Theoretical Computer Science,

Pune, India, Dec. 1988, Lecture Notes in Comp. Sci. 338, Springer-Verlag, Berlin,

1988, pp. 304-328.

[Dijkstra 75] E. W. Dijkstra. Guarded commands, nondeterminacy, and formal derivation

of programs. Commun. ACM 18, Aug. 1975, pp. 453-457.

[Ehrig 85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 1: Equations

and Initial Semantics. EATCS Monographs on Theoretical Computer Science, Vol. 6,

Springer-Verlag, 1985.

[Ehrig 85a] H. Ehrig and H. Weber. Algebraic specification of modules. Formal Models in

Programming, E. J. Neuhold and G. Chroust (eds.), Elsevier Science Publishers B.V.

(North-Holland), 1985, pp. 231-258.

[Goguen 78] J. A. Goguen, J. W. Thatcher and E. G. Wagner. An initial algebra approach

to the specification, correctness, and implementation of abstract data types. Current

Trends in Programming Methodology IV: Data Structuring, R. Yeh (ed.), Prentice-Hall,

Englewood Cliffs, NJ, 1978, pp. 80-149.

[Goguen 88] J. A. Goguen. Modular algebraic specification of some basic geometrical constructions.

Artif. Intell. 37, 1-3, Dec. 1988, pp. 123-153.

[Gries 81] D. Gries. The Science of Programming. Springer-Verlag, New York, 1981.

[Guttag 78] J. V. Guttag and J. J. Horning. The algebraic specification of abstract data

types. Acta Inform. 10, 1, 1978, pp. 27-52.

[Guttag 86] J. V. Guttag and J. J. Horning. Report on the Larch shared language. Sci.

Comput. Program. 6, 1986, pp. 103-134.

[Hoare 69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun.

ACM 12, 10, Oct. 1969, pp. 576-580, 583.

[Hoare 86] C. A. R. Hoare and J. He. The weakest prespecification. Fundam. Inform. IX,

1986, Part I: pp. 51-84, Part II: pp. 217-252.

[Hoare 87] C. A. R. Hoare, I. J. Hayes, J. He, C. C. Morgan, A. W. Roscoe, J. W. Sanders,

I. H. Sorensen, J. M. Spivey and B. A. Sufrin. Laws of programming. Commun. ACM

30, 8, Aug. 1987, pp. 672-686. Plus Corrigendum: Commun. ACM 30, 9, Sept. 1987,

p. 770.

[Jones 84] C. B. Jones. Foreword to the special section on specification and verification.

IEEE Trans. Softw. Eng. SE-10, 2, March 1984, pp. 126-127.

[Jones 86] C. B. Jones. Systematic Software Development Using VDM. Prentice/Hall Int.,

UK, London, 1986.

[Josephs 87] M. B. Josephs. An introduction to the theory of specification and refinement.

IBM research report RC 12993, July 1987.

[Loeckx 87] J. Loeckx, K. Sieber and R. D. Stansifer. The Foundations of Program Verification

(2nd ed.). John Wiley & Sons, Inc., New York, 1987.

[Lucas 71] P. Lucas and K. Walk. On the formal description of PL/I. Annual Review in

Automatic Programming 6, M. I. Halpern and C. J. Shaw (eds.), Pergamon Press,

Oxford, 1971, pp. 105-182.

[Madhavji 85] N. H. Madhavji, N. Leoutsarakos and D. Vouliouris. Software construction

using typed fragments. Proc. Int. Joint Conf. on Theory and Practice of Software

Development (TAPSOFT), Berlin, March 1985, Lecture Notes in Comp. Sci. 186,

Springer-Verlag, 1985, pp. 163-178.

[Madhavji 88] N. H. Madhavji, J. Desharnais, L. Pinsonneault and K. Toubache. Adapting

modules to an integrated programming environment. Proc. IEEE 8th Int. Conf. on

Computer Languages, Miami Beach, Oct. 1988, pp. 364-371.

[Maier 83] D. Maier. The Theory of Relational Databases. Computer Science Press, Inc.,

Rockville, MD, 1983.

[Mili 83] A. Mili. A relational approach to the design of deterministic programs. Acta

Inform. 20, Dec. 1983, pp. 315-328.

[Mili 86] A. Mili, J. Desharnais and J.-R. Gagné. Formal models of stepwise refinement

of programs. Comput. Surv. 18, 3, Sept. 1986, pp. 231-276.

[Mili 87] A. Mili, J. Desharnais and F. Mili. Relational heuristics for the design of deterministic

programs. Acta Inform. 24, 3, 1987, pp. 239-276.

[Mills 87] H. D. Mills, V. R. Basili, J. D. Gannon, R. G. Hamlet. Principles of Computer

Programming. A Mathematical Approach. Allyn and Bacon, Inc., 1987.

[Prieto-Diaz 86] R. Prieto-Diaz and J. M. Neighbors. Module interconnection languages.

J. Syst. Softw. 6, 1986, pp. 307-334.

[de Roever 72] W. P. de Roever. A formalization of various parameter mechanisms as

products of relations within a calculus of recursive program schemes. Séminaires

IRIA, Théorie des Algorithmes, des Langages et de la Programmation, Le Chesnay,

France, 1972, pp. 55-88.

[Schmidt 81] G. Schmidt. Programs as partial graphs I: Flow equivalence and correctness.

Theor. Comput. Sci. 15, 1981, pp. 1-25.

[Schmidt 81a] G. Schmidt. Programs as partial graphs II: Recursion. Theor. Comput. Sci.

15, 1981, pp. 159-179.

[Schmidt 85] G. Schmidt and T. Ströhlein. Relation algebras: Concept of points and representability.

Discrete Math. 54, 1, March 1985, pp. 83-92.

[Schmidt 85a] G. Schmidt and T. Ströhlein. Discrete Mathematik - Relationen, Graphen

und Programme. Technical report, Institut für Mathematik und Informatik, Technische

Universität München, Vol. 1, March 1985, Vol. 2, Oct. 1986.

[Schmidt 89] G. Schmidt and T. Ströhlein. Relationen und Graphen. Springer-Verlag,

Berlin, 1989.

[Scott 76] D. Scott. Data types as lattices. SIAM J. Comput. 5, 3, Sept. 1976, pp. 522-587.

[Skornjakov 77] L. A. Skornjakov. Elements of Lattice Theory. Hindustan Publishing Corporation,

India, 1977.

[Stoy 77] J. E. Stoy. Denotational Semantics: The Scott-Strachey Approach to Programming

Language Theory. MIT Press, Cambridge, MA., 1977.

[Tarski 41] A. Tarski. On the calculus of relations. J. Symb. Log. 6, 3, Sept. 1941, pp.

73-89.

[Tarski 55] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific

J. Math. 5, 1955, pp. 285-309.

[Thorelli 85] L.-E. Thorelli. A language for linking modules into systems. BIT 25, 2, 1985,

pp. 358-378.

[Wand 79] M. Wand. Final algebra semantics and data type extensions. J. Comput. Syst.

Sci. 19, 1979, pp. 27-44.

[Weber 86] H. Weber and H. Ehrig. Specification of modular systems. IEEE Trans. Softw.

Eng. SE-12, 7, July 1986, pp. 784-798.

[Wirth 71] N. Wirth. Program development by stepwise refinement. Commun. ACM 14,

April 1971, pp. 221-227.

[Wirth 85] N. Wirth. Programming in Modula-2 (3rd ed.). Springer-Verlag, New York,

1985.

[Zierer 83] H. Zierer. Relationale Semantik. Diplomarbeit, Institut für Informatik, Technische

Universität München, 1983.