Reasoning about Object Systems in VTLoEIan MasonDepartment of Applied Computing and MathematicsUniversity of Tasmania at LauncestonLaunceston, Tasmania 7250, AustraliaandCarolyn TalcottComputer Science Department, Stanford UniversityStanford, CA 94305, USAABSTRACTVTLoE (Variable Type Logic of E�ects) is a logic for reasoning about imperativefunctional programs inspired by the variable type systems of Feferman. The underlyingprogramming language, �mk, extends the call-by-value lambda calculus with primitivesfor arithmetic, pairing, branching, and reference cells (mutable data). In VTLoE onecan reason about program equivalence and termination, input/output relations, programcontexts, and inductively (and co-inductively) de�ne data structures. In this paper wepresent a re�nement of VTLoE. We then introduce a notion of object speci�cation andestablish formal principles for reasoning about object systems within VTLoE. Objectsare self-contained entities with local state. The local state of an object can only bechanged by action of that object in response to a message. In �mk objects are rep-resented as closures with mutable data bound to local variables. A semantic principlecalled simulation induction was introduced in our earlier work as a means of establishingequivalence relations between streams, object behaviors, and other potentially in�nitestructures. These are formulated in VTLoE using the class apparatus. The use of theseprinciples is illustrated by validating a variety of basic tranformation rules.Keywords: functional, imperative, Object, simulation induction, contextual assertion,VTLoE1. IntroductionImperative functional languages are programming languages that combine thehigher-order aspects of functional languages with the ability to manipulate mutabledata and with other facilities that have e�ects. Traditional examples include Lisp,Scheme, ML, and object-oriented languages. More recently there has been muchinterest in enriching functional programming languages with capabilities to manip-ulate state. There is a practical need to interface functional programming languageswith non-functional languages, and to permit functional programs to a�ect their en-vironment. A comprehensive semantic theory is needed to support more advancedimplementation technology both for purely functional languages and for imperativefunctional languages such as ML, Scheme, and Lisp dialogues. It is also importantto develop speci�cation logics for such languages.VTLoE is a logic for reasoning about imperative functional programs, inspiredby the variable type systems of Feferman. These systems are two sorted theories ofoperations and classes initially developed for the formalization of constructive math-ematics [3,4] and later applied to the study of purely functional languages [5,6]. An1

extension incorporating non-local control e�ects was introduced in [23]. In [16] wepresented the �rst-order part of VTLoE, and showed how the Meyer-Sieber examplescan be treated in this logic. The full system [10,11] extends the �rst-order theoryby incorporating a theory of classes. This extension provides a more expressiveformalism including the ability to construct inductively de�ned sets and derive thecorresponding induction principles.VTLoE goes well beyond traditional programming logics, such as Hoare's logic [2]and Dynamic logic [9] by treating a richer language and expressing more proper-ties. It is close in spirit to Speci�cation Logic [21] and to Evaluation Logic [20].These logics all incorporate a full �rst order theory of data, and the ability toexpress program equivalence, and the ability to assert and nest Hoare-like triples(called contextual assertions in VTLoE). In the case of Speci�cation logic, the un-derlying programming languages are quite di�erent: Speci�cation Logic is aboutAlgol-like programs that are strongly typed, can store only �rst-order data, andobey call-by-name semantics. In contrast VTLoE is about untyped ML- or Scheme-like languages that can store arbitrary values, and obey call-by-value semantics.Evaluation logic extends Moggi's metalanguage for computational monads [19] toa full constructive predicate logic which permits formulation of statements aboutevaluation of computations to values, and constitutes a framework for expressingreasoning principles. It is inspired by categorical descriptions of computation pro-cesses. Evaluation logic is a general system which reduces reasoning about programsto reasoning about mathematical structures for programming semantics, which arenot necessarily fully-abstract with respect to a canonical semantics. These systemsare justi�ed by completeness results over classes of categorical interpretations.The underlying programming language of VTLoE, �mk, is based on the call-by-value lambda calculus extended by the reference primitives mk, set, get. Atoms,references and lambda abstractions are all �rst class values { they can be boundto lambda variables, stored, and returned from procedures. The logic combines thefeatures and bene�ts of equational calculi as well as program and speci�cation log-ics. There are three layers. The foundation is the syntax and semantics of �mk, theunderlying term/program language. The second layer is a �rst-order theory builton assertions of program equivalence and program modalities called contextual as-sertions. The third layer extends the logic to include class terms, class membership,and quanti�cation over class variables.A simple contextual assertion has the form letfx := eg[[�]] meaning that afterexecution of e and binding the result to x the formula � holds. One importantprinciple for contextual reasoning is to be able to replace e by any operationallyequivalent expression without changing the semantics of the contextual assertion.This principle fails in the simple semantics of VTLoE [11], which does not fullyprotect private local state from observation. In this paper we present a modi�edsemantics for formulas of VTLoE that solves the privacy problem.Objects are self-contained entities with local state. The local state of an objectcan only be changed by action of that object in response to a message. In �mk-like languages objects are represented as closures with mutable data bound to local2

variables [22,1]. A semantic principle called simulation induction was introducedin [13] for establishing equivalence relations between streams, object behaviors, andother potentially in�nite structures. In [14] informal methods based on simulationinduction are used to derive an optimized specialized window editor from genericspeci�cations of its components. In this paper we introduce a formal notion ofobject speci�cation and establish formal principles based on simulation induction forreasoning about object systems within VTLoE. The formulation of these principlesrelies heavily on the class apparatus of VTLoE.The remainder of this paper is organized as follows. In x2 we summarize thesyntax and semantics of �mk, the same subject matter is treated in far greater detailin [11]. In x3 we give the syntax and modi�ed semantics of �rst-order formulas.Central to the new localized semantics is a notion of a set of visible values. Wediscuss two possible de�nitions of visibility in x4. In x5 we state and prove twotheorems concerning the local semantics. In x6 we introduce and discuss persistenceproperties. In x7 we establish a set of principles for reasoning about behaviors andobjects. In x8 we introduce a notion of object speci�cation and establish a generaltheorem relating speci�ed behaviors and objects. In x9 we give several examplesof object transformations. In x10 we summarize and suggest directions for futureresearch. A useful set of laws established in earlier work are summarized in theappendix.1.1. NotationWe conclude the introduction with a summary of notation. Let X;Y; Y0; Y1 besets. We specify meta-variable conventions in the form: let x range over X, whichshould be read as: the meta-variable x and decorated variants such as x0, x0, : : : ,range over the set X. We use the usual notation for set membership and functionapplication. Y n is the set of sequences of elements of Y of length n. Y � is the setof �nite sequences of elements of Y . �y = [y1; : : : ; yn] is the sequence of length nwith ith element yi. P!(Y ) is the set of �nite subsets of Y . Fmap[Y0; Y1] is the setof �nite maps from Y0 to Y1. [Y0 ! Y1] is the set of total functions f with domainY0 and range contained in Y1. We write Dom(f) for the domain of a function andRng(f) for its range. For any function f , ffy := y0g is the function f 0 such thatDom(f 0) = Dom(f) [ fyg, f 0(y) = y0, and f 0(z) = f(z) for z 6= y; z 2 Dom(f).N = f0; 1; 2; : : :g is the natural numbers and i; j; n; n0; : : : range over N.2. The Syntax and Semantics of Terms2.1. SyntaxThe syntax of the terms of �mk is a simple extension of the lambda calculus to in-clude basic constants or atoms A , (such as the Lisp booleans t and nil as well as theintegers Z), together with a collection of primitive operations, F = Sn2NFn, whereFn is the (possibly empty) set of n-ary operations. The primitive operations includethe memory operations (get; set; mk) and immutable pairs (pr; fst; snd; ispr?), in3

addition to the usual operations for branching and arithmetic. We assume an in-�nite set of variables, Xand use these to de�ne, by mutual induction, the set of�-abstractions, L, the set of value expressions, V, the set of expressions, E, and theset of contexts, C , as the least sets satisfying the following equations:Lambda Expressions L= �X:EImmutable Pairs P= pr(V;V)Value Expressions V=X+ A + L+PValue Substitutions S= Fmap[X;V]Expressions E =V+ app(E; E) + Fn(En)Contexts C = f�g+X+ A + �X:C + app(C ; C ) + Fn(Cn )We let a range over A , x; y; z range over X, v range over V, �x:e range over L,� range over S, e range over E, and C range over C . Note that the structureddata (pairs), P, are taken to be values. � is a binding operator and free and boundvariables of expressions are de�ned as usual. FV(e) is the set of free variables of e.A value substitution is a �nite map � from variables to value expressions, we let �range over value substitutions. e� is the result of simultaneous substitution of freeoccurrences of x 2 Dom(�) in e by �(x). We represent the function which maps xto v by fx := vg. Thus efx:=vg is the result of replacing free occurrences of x ine by v (avoiding the capture of free variables in v). Contexts are expressions withholes. We use � to denote a hole. C [e] denotes the result of replacing any holes inC by e. Free variables of e may become bound in this process. Traps(C ) is the setof variables that can actually be trapped in the process of �lling the holes in C .2.2. Notation and AbbreviationsFor any syntactic domain Y and set of variables X we let YX be the elementsof Y with free variables in X. For example E; is the set of closed expressions, andVfzg is the set of value expressions v such that FV(v) � fzg. Furthermore, for anysyntactic domain Y and set V of values we let YV be those elements of Y of theform y� for some y 2 YZ and � 2 Z ! V where Z is a �nite set of variables. Forexample Vf�x:set(z;x)g is the set of value expressions of the form vfz:=�x:set(z;x)gfor v 2Vfzg.4

In order to make programs easier to read, we introduce some abbreviations.letfx := e0ge1 abbreviates app(�x:e1; e0)seq(e) abbreviates eseq(e0; : : : ; en) abbreviates letfd := e0gseq(e1; : : : ; en) d 62 FV(ei) for i � nY abbreviates �f:letfz := mk(nil)gseq(set(z; �x:app(app(f; get(z)); x));get(z))islam? abbreviates �x:and(not(isatom?(x);not(ispr?(x));not(iscell?(x))))cond() abbreviates nilcond([e0 ) e00];[e1 ) e01];: : : ;[en ) e0n]) abbreviates if(e0; e00; cond([e1 ) e01];: : : ;[en ) e0n]))Note that Y is a �xed-point combinator essentially identical to the one suggestedby Landin [12]. When applied to a functional F of the form �f:�x:e, Y creates aprivate local cell, z, with contents G = �x:app(app(F; get(z)); x), and returns G.By privacy of z, G is equivalent to F (G) (cf. [13]).2.3. Operational SemanticsThe operational semantics of expressions is given by a reduction relation �7! on asyntactic representation of the state of an abstract machine, called descriptions. Astate has three components: the current state of memory, the current continuation,and the current instruction. Their syntactic counterparts are memory contexts,reduction contexts and redexes respectively. Redexes describe the primitive compu-tation steps (�-reduction or the application of a primitive operation to a sequenceof value expressions). Reduction contexts, R, (called evaluation contexts in [8])identify the subexpression of an expression that is to be evaluated next.R= f�g+ app(R; E) + app(V;R)+ Fm+n+1(Vm;R; En)R ranges over R. The crucial fact to note is that an arbitrary expression is either avalue expression, or decomposes uniquely into a redex placed in a reduction context.We represent the state of memory using memory contexts. A memory context � isa context of the formletfz1 := mk(nil)g : : :letfzn := mk(nil)gseq(set(z1; v1); : : : ; set(zn; vn); �)where zi 6= zj when i 6= j. We have divided the context into allocation, followedby assignment to allow for the construction of cycles. Thus, any state of memoryis constructible by such an expression. We let � range over memory contexts. We5

can view memory contexts as �nite maps from variables to value expressions. Thuswe refer to their domain, Dom(�); modify them, �fz := mk(v)g, when z 2 Dom(�);and extend them, �fz := mk(v)g, when z 62 Dom(�).A description is a pair, �; e, with �rst component a memory context and sec-ond component an arbitrary expression. Value descriptions are descriptions whoseexpression is a value expression, �; v . If Dom(�) \ Dom(�) = ;, then (�; e)� is(�� ; e�) where �� is the result of applying � to each element in the range of �(replacing vi in the above form by v�i ). The reduction relation �7! is the re exivetransitive closure of 7! (de�ned in [11]). The interesting clauses are:(beta) �;R[app(�x:e; v)] 7! �;R[efx:=vg](mk) �;R[mk(v)] 7! �fz := mk(v)g;R[z] z 62 Dom(�) [ FV(R[v ])(get) �;R[get(z)] 7! �;R[v ] assuming z 2 Dom(�) and �(z) = v(set) �;R[set(z; v)] 7! �fz := mk(v)g;R[nil] assuming z 2 Dom(�)A description, �; e is de�ned (written #�; e) if it evaluates to a value description. Wesay two closed expressions are equide�ned, e0 l e1, to mean that (# e0) i� (# e1)(# e abbreviates #;; e for closed e).2.4. Uniformity of ReductionsSome simple consequences of the computation rules are that reduction is func-tional modulo alpha conversion, memory contexts may be pulled out of reductioncontexts, and computation is uniform in free variables, unreferenced memory andreduction contexts.Lemma (cr [11]):(i) �0[e0] = �1[e1]if �; e 7! �i; ei for i < 2(ii) R[�[e]] �7! �;R[e]if FV(R) \Dom(�) = ;.(iii) �; e 7! �0; e0 ) (�; e)� 7! (�0; e0)�if Dom(�0) \Dom(�) = ; = FV(Rng(�)) \ (Dom(�0)�Dom(�)).(iv) �; e 7! �0; e0 ) (�0 [ �); e 7! (�0 [ �0); e0if Dom(�0) \Dom(�0) = ;.(v) �;R[e] 7! �0;R[e0] ) �;R0[e] 7! �0;R0[e0]if (Dom(�0) \ FV(R0)) � Dom(�)In (cr.i) = is the usual notion of alpha equivalence. It makes explicit the fact thatarbitrary choice in cell allocation is the same phenomenon as arbitrary choice ofnames of bound variables. 6

2.5. Operational EquivalenceTwo expressions are operationally equivalent, written e0 �= e1, if for any closingcontext C , C [e0] is de�ned i� C [e1] is de�ned. In general it is very di�cult toestablish the operational equivalence of expressions. Thus it is desirable to have asimpler characterization of �=, one that limits the class of contexts (or observations)that must be considered. A generalization of Milner's context lemma [18] providesthe desired characterization. This theorem is the key to giving a semantics to VTLoEformulas.Theorem (Generalized Context Lemma [13,11]):e0 �= e1 , (8�; �;R)(i<2FV(�[R[e�i ]]) = ; ) (�[R[e�0 ]] l �[R[e�1 ]]))3. Syntax and Semantics of VTLoEWe �rst present the original semantics for VTLoE, restricting our attention tothe �rst-order fragment, and illustrate the visibility problem of this semantics. Wethen re�ne the notation and semantics to solve the visibility problem.3.1. The Syntax of the First Order FragmentThe �rst order fragment of VTLoE is a minor generalization of classical �rst orderlogic. The atomic formulas assert the operational equivalence of expressions. Inaddition to the usual �rst-order formula constructions, we add contextual assertions:if � is a formula and U is a let context, then U [[�]] is a formula. The formula,U [[�]], expresses the fact that the assertion � holds at the point in the programtext, U , when and if the hole requires evaluation. The set U of let contexts, isde�ned as follows.De�nition (U):U= f�g+ letfX:= EgUNote that each let context has a unique hole (hence the notation U ). The well-formed formulas,W, of (the �rst order part of) our logic are de�ned as follows:De�nition (W { First-Order):W = (E �= E) + (W ) W) + (U[[W]])+ (8X)(W)3.2. Non-Local SemanticsIn the original formulation of VTLoE, the meaning of formulas was given by aTarskian satisfaction relation � j= �[�].De�nition (Non-Local Satisfaction, � j= �[�] { First Order): Assume�; �;�; ej are such that FV(��)[FV(e�j ) � Dom(�) for j < 2. Then we de�ne thesatisfaction relation � j= �[�] by induction on the structure of �:� j= (e0 �= e1)[�] i� (8R 2 RDom(�))(�[R[e�0 ]] l �[R[e�1 ]])7

� j= (�0 ) �1)[�] i� (� j= �0[�]) implies (� j= �1[�])� j= U [[�]][�] i� (8�0; �0)((�;U [[�]] �7! �0; [[�0]]) implies �0 j= �[�0])� j= (8x)�[�] i� (8v 2VDom(�))(� j= �[�fx := vg])In the contextual assertion clause computation involving contexts is de�ned as fol-lows.De�nition (�;U [[�]] �7! �0; [[�0]]): If U = letfxi := eig1�i�k�, � is a memorycontext, � is a value substitution over �, and (Dom(�)[Dom(�))\fx1; : : : ; xkg = ;,then�;U [[�]] �7! �0; [[�0]]means there are �i, vi, �i such that �0 = �, �0 = �, �i+1 = �ifxi+1 := vi+1g,�i; e�ii+1 �7! �i+1; vi+1, and �0; [[�0]] = �k; [[�k]].3.3. ValidityWe say that a formula is valid, written j= �, if � j= �[�] for �; � such thatFV(��) � Dom(�). Following the usual convention we will often write � as anassertion that � is valid, omitting the j= sign. Note that the underlying logic iscompletely classical.Lemma (valid): j= (e0 �= e1) i� the meta-statement (e0 �= e1) is true.Proof (valid): The atomic case asserts that all uses of the expressions (relativeto � and �) are equide�ned. This de�nition is motivated by the fact that if(8�; �)(� j= e0 �= e1[�]) (i.e. j= e0 �= e1)then(8�; �)(8R 2 RDom(�))(�[R[e�0 ]] l �[R[e�1 ]]):By the (ciu) theorem this amounts to(8C )(C [e0] lC [e1]): (i.e. e0 �= e1)validMoreover with this de�nition we have that the natural reading of the hypothet-ical assertion(R) e0 �= e1 ) R[e0]�= R[e1]is valid (i.e. true for all � and �). Also note that if � j= (e0 �= e1)[�], then�[e�0 ]�= �[e�1 ], but not conversely.3.4. Examples and AbbreviationsNegation is de�nable, :� is just � ) False, where False is any unsatis�ableassertion, such as t �= nil. Similarly conjunction, ^ , and disjunction, _ and the8

biconditional,,, are all de�nable in the usual manner. Given a particular U , for ex-ample letfx := mk(v)g�, we will often abuse notation and write letfx := mk(v)g[[�]]rather than (letfx := mk(v)g�)[[�]]. Thus we can express the computational de-�nedness of expressions by the following assertion: :seq(e; [[False]]) rather than:(seq(e; �)[[False]]). We let + e abbreviate :(seq(e; �)[[False]]) and * e abbreviateits negation.Note that the context U will in general bind free variables in �. A simpleexample is the axiom which expresses the e�ects of mk:(8y)(letfx := mk(v)g[[:(x�= y) ^ iscell?(x)�= t ^ get(x)�= v ]])For simplicity we have omitted certain possible contexts from the de�nition of U.However those left out may be considered abbreviations. Two examples are:(1) if(e0; [[�0]]; [[�1]]) abbreviatesletfz := e0g[[(z �= nil ) �1) ^ (:(z �= nil) ) �0)]] z fresh:(2) #(e0; : : : ; en;U [[�]]; en+1; : : :) abbreviates seq(e0; : : : ; en;U [[�]])3.5. Violation of PrivacyOne seemingly desirable logical principle for contextual reasoning is to be ableto replace the e by any operationally equivalent expression without changing thesemantics of the contextual assertion letfx := eg[[�]]. In other words the followingprinciple seems desirable:(Ueq) e0 �= e1 ) (letfx := e0g[[�]] , letfx := e1g[[�]])There are several ways in which this can fail in the above version of VTLoE. Forexample e0 may produce some garbage that e1 does not, and this garbage may bedetectable via �. For example lete0 = seq(mk(0); mk(0))e1 = mk(0)� = (9y0)(9y1)(iscell?(y0) �= t ^ iscell?(y1) �= t ^ eq(y0; y1)�= nil)Then(a) j= e0 �= e1(b) ; j= letfx := e0g[[�]][;](c) :(; j= letfx := e1g[[�]][;])and hence (Ueq) is not valid.Another more troublesome counterexample relies on the fact that e0 and e1 areequivalent due to the privacy of certain cells, however their privacy is not respected9

by the contextual assertion. A simple example of this is:e0 = �x0:x0e1 = letfz := mk(�x0:x0)g�w:app(get(z); w)� = x�= �y:yA simple induction on the length of computations (similar to those found in [13])establishes that e0 and e1 are operationally equivalent, and hence e0 �= e1 is validin VTLoE. The essential observation is that the cell z is local to the value/objectreturned by e1 and thus invisible and its contents unalterable outside this scope.However it is not the case thatj= letfx := e0g[[�]] , letfx := e1g[[�]]Clearly letfx := e0g[[�]] is valid, being an instance of the more general valid prin-ciple: letfx := vg[[x�= v ]]. The problem is that it is not the case that; j= letfx := e1g[[�]][;]:To see this observe that;; letfx := e1g[[;]] �7! letfz := mk(�x0:x0)g�; [[fx := �w:app(get(z); w)g]]:Consequently it su�ces to see that the following fails:letfz := mk(�x0:x0)g� j= x�= �y:y[fx := �w:app(get(z); w)g]:Choosing R to be the context letfu := �gseq(set(z; 1); app(u; 1)) a simple com-putation shows thatletfz := mk(�x0:x0)g[R[�w:app(get(z); w)]]diverges whileletfz := mk(�x0:x0)g[R[�y:y]]converges to letfz := mk(�x0:x0)g�; 1. The crux of the problem is that the privacyof the cell z is violated by the reduction context R. This in turn is traced backto the semantics of the contextual assertion itself: No cell that is newly created(in the course of evaluating the context) is treated as private. Similarly in the �rstcounterexample the problemmay be traced to the ability of the existential quanti�erto range over values that are otherwise invisible.3.6. Visibility and Local Semantics - First OrderOne approach to solving the locality problem is to de�ne a notion of visibilityrelative to a memory context � and a set of values V over that memory (V �VDom(�)). Let Vis(�;V ) denote the visible values relative to � and V , Vis(�;V ) �10

VDom(�). This set should contain V and should be closed under simple constructionsthat do not e�ect (but may read visible parts of the memory) �. We will give twoexamples of possible candidates shortly. The question of whether or not eithercandidate is the correct one remains an open question.Given a suitable de�nition of Vis, we can de�ne a localized satisfaction relation.The key is the atomic case. Here reduction contexts can only mention visible valuesover the memory, not arbitrary values. Also we restrict the quanti�ers to range overvisible values. We de�ne satisfaction relative to a set of visible values.De�nition (Localized Satisfaction, � j=V �[�] { First Order): AssumeV �VDom(�), and � 2 Fmap[X;Vis(�;V )]. Then� j=V (e0 �= e1)[�] i� (8R 2 RVis(�;V ))(�[R[e�0 ]] l �[R[e�1 ]])� j=V U [[�]][�] i�(8�0; �0)((�;U [[�]] �7! �0;�0) implies �0 j=V[Rng(�0) �[�0])� j=V (�0 ) �1)[�] i� (� j=V �0[�]) implies (� j=V �1[�])� j=V (8x)�[�] i� (8v 2 Vis(�;V ))(� j=V �[�fx := vg])where RVis(�;V ) is the set of reduction contexts built from values in Vis(�;V )instead of arbitrary values, and in the U clause we assume Traps(U )\Dom(�) = ;.3.7. The Syntax and Semantics of ClassesUsing methods of [3,6] and [23], we extend our theory to include a general theoryof classi�cations (classes for short).We extend the syntax to include class terms. Class terms are either class vari-ables, Xc, class constants, A c , or comprehension terms, fx �g. We also extendthe set W of formulas to include class membership and quanti�cation over classvariables. The de�nition of expressions remains unchanged.De�nition (K,W): The set K of class terms and W of formulas are de�ned byK =Xc[ A c [ fX WgW = (E �= E) [ (V2 K) [ (W ) W) [ (8X)W[ (8Xc)W [U[[W]]We let A;B;C; : : :X; Y; Z range over Xc and K range over K. We will use identi-�ers beginning with an upper case letter in This font (for example Val) for classconstants.To de�ne the semantics of this extension we �rst have to say what class variablesrange over, i.e. the range of an extended �. The only reasonable interpretationseems to be sets of visible values. These sets should be closed under visibilityrestricted operational equivalence. That is, if v is in the �;V -class, K , and � j=Vv �= v 0, then v 0 is also in K . We let K�;V denote the collection of such sets. Werestrict membership formulas to value expressions. Note that e 2 K can be thoughtof as an abbreviation for letfx := eg[[x 2 K ]].Now we are ready to give the revised class semantics. Note that the valuationof class terms must be indexed by V as well.11

Assume, in the next two de�nitions, that V � VDom(�) and � is a �nite mapwith domain in X[Xc that mapsXto Vis(�;V ) and Xc to K�;V .De�nition ([K ]��;V ):[X]�� = �(X)[fx �g]��;V = fv 2 Vis(�;V ) � j=V �[�fx := vg]gDe�nition (Localized Satisfaction, � j=V �[�] { Classes): The new clausesin the inductive de�nition of satisfaction are:� j=V v 2 K [�] i� v� 2 [K ]��;V� j=V (8X)�[�] i� (8C 2 K�;V )(� j=V �[�fX := Cg])In the localized semantics, we say a formula, �, is valid just if � j=V �[�] for allappropriate �;V ; �.For a full development of the theory of classes in VTLoE the reader is referredto [3,6,23,11]. Here we recall a few properties and classes used in later examples.Lemma (Class [11]):(allE) (8X)�[X] ) �[K ] where � contains no contextual assertions(ca) (8x)(x 2 fx �g , �)Some useful classes are:Val = fx x�= xgNil = fnilgNat = fx isnat?(x)�= tgAtom = fx isatom?(x) �= tgVal! Val = ff (8x 2 X)(9y 2 Y )app(f; x)�= ygAn k�ary class operator (scheme) T [Z1; : : : ; Zk] is a class term T with free variablesamong [Z1; : : : ; Zk]. For exampleX1; : : : ; Xn ! Y = ff (8x1 2 X1; : : : ; xn 2 Xn)(9y 2 Y )app(f; x1; : : : ; xn)�= ygis an n + 1-ary class operator Fn[X1; : : : ; Xn; Y ] whose range is classes that arefunction spaces. Note that Val ! Val = F1[Val;Val]. A class operator [X] ismonotonic if X � Y implies T [X] � T [Y ]. Such operators can be used to de�neclasses inductively (co-inductively) by taking minimal (maximal) �xed points.4. Candidates for VisibilityWe now turn to the problem of de�ning visibility. Given a memory context �and a set of values V over that memory (V � VDom(�)) we want to de�ne the setof visible values relative to � and V , Vis(�;V ).12

Vis(�;V ) should contain V , and should be closed under simple constructionsthat do not e�ect (but may read) �. There are two obvious candidates for visibility,which we shall callVisu andVise (u for uniformly constructible, and e for evaluationconstructible).4.1. Evaluation ConstructibleThe evaluation constructible values are simply those values which may be con-structed from expressions, parameterized by V , whose evaluation neither modi�esnor enlarges memory. Namley: Vise(�;V ) is the set of values v returned by com-putations of the form �; e� �7! �; v where the range of � is contained in V .De�nition (Vise(�;V )):Vise(�;V ) =fv 2VDom(�) (9X 2 P!(X))(9e 2 EX )(9� 2 [X ! V ])(�; e� �7! �; v)g4.2. Uniformly ConstructibleThe uniformly constructible values form a somewhat smaller set. Namely:Visu(�;V ) is the least set of values containing V and closed under: substitutioninto value expressions containing no variables bound by � (for example atoms);selection of components of pairs; and getting contents of those elements that arecells.De�nition (Visu(�;V )): Visu(�;V ) is the least set of values satisfying thefollowing conditions (1{4):(1) V � Visu(�;V )(2) VVisu(�;V ) � Visu(�;V )(3) pr(v0; v1) 2 Visu(�;V ) implies v0; v1 2 Visu(�;V )(4) v 2 Visu(�;V ) \Dom(�) implies �(v) 2 Visu(�;V )Note that (2) may be expanded to: v 2VX and � 2 [X ! Visu(�;V )] impliesv� 2 Visu(�;V ). To cast this de�nition into a form similar to the de�nition ofevaluation constructible values, de�ne the following collection of expressions:De�nition (EuX ):EuX =VX + fget; fst; sndg(EuX )The following lemma provides an equivalent de�nition of the uniformly con-structible values.Lemma (Visu)):Visu(�;V ) =fv 2VDom(�) (9X 2 P!(X))(9e 2 EuX )(9� 2 [X ! V ])(�; e� �7! �; v)gWe should point out that there is a reasonable amount of leeway in the de�nitionof EuX , we have given the smallest set needed, a larger set would beEuX =VX + Fn((EuX )n) 13

4.3. Simple ConsequencesThe following three lemmas are simple consequences of the two de�nitions above,and so we omit their proofs.Lemma (Vis-1): For both versions of visibility the following conditions hold:(2a) A � Vis(�;V )(2pr) v1; v2 2 Visu(�;V ) implies pr(v1; v2) 2 Vis(�;V )(2lam) �x:e 2 LX and � 2 [X ! Vis(�;V )] implies (�x:e)� 2 Vis(�;V )Lemma (Vis-2): Visu(�;V ) � Vise(�;V ) and in general the containment isproper. For example let � = fz := mk(1)g and letV = f�x:zg. Then z 2 Vise(�;V )but z 62 Visu(�;V ).Lemma (Vis-3): For both versions of visibility, under the conditions of thede�nition of � j=V �[�], the following are equivalent1. (8R 2 RVis(�;V ))(�[R[e�0 ]] l �[R[e�1 ]])2. (8X)(8�0 2 Fmap[X;V ])(8R 2 RX)(�[R�0 [e�0 ]] l �[R�0 [e�1 ]])Thus we could equally well use either as the de�nition of � j=V (e0 �= e1)[�].The theory developed in the remainder of this paper, is independent of whichnotion of visibility we choose. Further investigation is required to determine theright notion of visibility for our purposes.5. Properties of Local SemanticsIn this section we establish two results. The �rst result is a preservation theo-rem which gives su�cient conditions under which a formula valid in the non-localsemantics remains valid in the new local semantics. The second result establishesthat in the new local semantics the desired principle (Ueq) is indeed valid. Bothresults are independent of which de�nition of visibility used.In general the validity of a statement in the non-local semantics does not implyits validity in the local semantics. However for a large class of formulas this inferenceis correct. These formulas correspond to what are traditionally called the �rst orderpositive formulas.De�nition (W+): The set of �rst order positive formulas,W+, is de�ned induc-tively as:W+ = (E �= E) + (W+ ^ W+) + (W+ _ W+) + (U[[W+]]) + (8X)(W+)Theorem (Preservation): Assume that � 2 W+, V � VDom(�), and � 2Fmap[X;Vis(�;V )]. Then(� j= �[�]) implies (� j=V �[�])The proof of this theorem is a simple induction on the complexity of �. Notethat the counterexamples to (Ueq) for the non-local semantics given in x3.5 alsodemonstrate that the converse of (Presevation) and its generalization to arbitraryformulas are both false. In the appendix we have collected a plethora of principlesestablished for the non-local semantics in [11]. Those that are positive remain valid14

for the local semantics in virtue of the above theorem. There are other connec-tions between the two semantics that are not accounted for by (Preservation) forexample if � does not contain any contextual assertions then(� j= �[�]) i� (� j=Dom(�) �[�])is another obviously valid inference. Similarly � j=V �[�] is monotonic in V for�rst order positive formulas, �. The second result of this section is that regardlessof which of the two candidates for the set Vis we choose, the principle (Ueq) isvalid.Theorem (Ueq): For ei 2 E and V �VDom(�)� j=V e0 �= e1 ) (letfx := e0g[[�]] , letfx := e1g[[�]])Before proving (Ueq) we establish some useful notation. Assume that � j=Ve0 �= e1[�], and without loss of generality that �; e�j �7! �j; vj (since if �; e�j isunde�ned the result is vacuously true). Also let �j = �fx := vjg, and Vj = V [fvjgfor j < 2. Under these assumptions we de�ne a notion of similarity� between visiblevalues, sets of visible values, value substitutions (of visible values) in the respectivememories �i as follows:0. v0 � v11. u � u for all u 2 Visfu;eg(�;V )2. �00 � �01 i� Dom(�00) = Dom(�01) and (8x 2 Dom(�0i))(�00(x) � �01(x))3. If �00 � �01, e 2 EDom(�0i) in the Vise case, e 2 EfvgDom(�0i) in the Visu case , and�i; e�0i �7! �i;ui, then u0 � u1.4. X0 � X1 i� (8x0 2 X0)(9x1 2 X1)(x0 � x1) ^ (8x1 2 X1)(9x0 2 X0)(x0 � x1)Note that the only clauses sensitive to the choice of Vis are re exivity, (1.),and generation (3.). Some simple facts concerning this notion of similarity are thefollowing:Lemma (�):0. If �00 � �01, then v�0 � v�1 for v 2VDom(�0i)1. Vis(�0;V0) � Vis(�1;V1)2. If �0 � �1, then �0; e�0 l �1; e�13. If �0 � �1, then [K ]�0�0;V0 � [K ]�1�1;V1Finally we prove the theorem.Proof (Ueq): The proof is by induction on the complexity of �. Pick e0; e1 2 Eand continue with the notation and assumptions above. Assume that �0 j=V0 �[�0].Case: � is ea �= eb. We need to show that �1 j=V1 ea �= eb[�1]. Now by (Vis-3)we need only show that for any �01 2 Fmap[X;V1] and any R 2 RDom(�0)(�1[R�01 [e�1a ]] l �1[R�01 [e�1b ]])15

Now:�1[R�01 [e�1a ]] l �1[R[ea]�01[�1 ] assuming simple hygiene conditionsl �0[R[ea]�00[�0 ]by (�.2) and �00 is obtained by replacing v1 by v0 in �01l �0[R�00 [e�0a ]]l �0[R�00 [e�0b ]]l �0[R[eb]�00[�0 ]l �1[R[eb]�01[�1 ]l �1[R�01 [e�1b ]]Case: � is �0 ) �1. Assume �1 j=V1 �0[�1] and show �1 j=V1 �1[�1].�1 j=V1 �0[�1] ) �0 j=V0 �0[�0] ) �0 j=V0 �1[�0] ) �1 j=V1 �1[�1]Case: � is (8y)�0. Assume v1 2 Vis(�1;V1) and show �1 j=V1 �0[�1fy := v1g].Now, v1 2 Vis(�1;V1) implies that there is a v0 2 Vis(�0;V0) such that v0 � v1by (�.1). By hypothesis � j=V0 �0[�0fy := v0g] and �0fy := v0g � �1fy := v1g.Thus the result follows by (�.2).Case: � is letfy := eg[[�0]]. In this case we use a simple trick.�0 j=V0 �[�0], � j=V letfx := e0gletfy := eg[[�0]][�], � j=V letfz := letfx := e0gpr(x; e)g[[�00]]where �00 = �fx:=fst(z);y:=snd(z)g0, � j=V letfz := e00g[[�00]] where e00 = letfx := e0gpr(x; e), � j=V letfz := e01g[[�00]] by the IH where e01 = letfx := e1gpr(x; e), � j=V letfx := e1gletfy := eg[[�0]][�], �1 j=V1 �[�1]Case: � is v 2 K . This case is immediate from (�.3)Case: � is (8X)�0. This case is identical to the individual variable case.Ueq6. PersistenceThe contextual assertions allow various modalities to be de�ned. Of interest hereis the modality � � (read true in all reachable memories). � essentially expressesvalidity, and is easily de�ned using contextual assertions as follows.De�nition ( � ): � � abbreviates:(8f; x)seq(app(f; x); [[�]]) where f; x not free in �16

We say a formula � is persistent if � ) � (�). Some examples of persistent atomicformulae are:#(x1; : : : ; xn) �= zwhere # 2 fisatom?; ispr?; iscell?; eq; mkg. The recognizers are easily seen tobe persistent because no operation can change an atom into a pair, or a pair intoan atom. Similarly eq is persistent since no operation can change the identity ofvalues. In fact the only properties of values that can be altered by operations arethe contents of cells. Thus the formula get(x)�= nil is not persistent, since the celldenoted by x may have its contents altered. Note that (free occurences of) x itselfwill always refer to the same cell. Also, get(x) �= y i� set(x; y) �= nil, thus set isnot persistent. The fact that mk(x)�= y is persistent is simply due to the fact thatit is persistently false.Lemma (Sca): Let Traps(U ) � fx1; : : : ; xng. Then(i) � ((8x1 : : :xn)�) ) � (U [[�]])(ii) � ((8x1 : : :xn)(�0 ) �1)) ) (( � (U [[�0]]) ) � (U [[�1]]))(iii) � ((8x1 : : :xn)(�0 , �1)) ) ( � (U [[�0]]) , � (U [[�1]]))Persistence is closed under conjunction.An n-ary relation is a class term S such that S � Valn. WhereValn = fx (9y1; : : : ; yn 2 Val)(x = pr(y1; : : : ; yn))g:If �(x1; : : : ; xn) is a formula, then the n-ary relation S de�ned by the formula is:pr(y1; : : : ; yn) 2 S , �(y1; : : : ; yn)De�nition (Persistent Relation): An n-ary relation, S , is persistent ifS (y1; : : : ; yn) ) � (S (y1; : : : ; yn)):Lemma (Persistent Relation): A relation de�ned by persistent formulas ispersistent.7. Principles for Reasoning about Behaviors and ObjectsWe consider two general principles: one for establishing equivalence of essentiallyfunctional behaviors (abstractions whose application has no visible e�ects), and onefor establishing equivalence of objects. In the latter case we restrict attention toobjects with statically allocated local store and �rst-order interactions. Informally,an object has �rst-order interactions if it handles only �rst order messages, ignor-ing any cell and function components, and returns only �rst-order replies. Theseprinciples formalize simple cases of the general simulation induction principle givenin [13]. Combined with the theorem (b2o) of the next section relating behaviorsand objects these principles provide tools for reasoning about an important class ofobjects and transformations. 17

7.1. Behavior Simulation InductionAn essentially functional behavior is an abstraction whose application has novisible e�ects on memory. The space of essentially functional behaviors is a de�nableclass:ff (8x 2 Val)(# app(f; x) ) (9y 2 Val)(app(f; x)�= y))gand is larger than Val! Val which was de�ned in x3.7. To prove that essentiallyfunctional behaviors are equivalent we introduce the notion of behavior simulationand the corresponding induction principle (BSI). We �rst present these notionsinformally, then we indicate how they can be expressed formally within VTLoE,using classes.De�nition (Similarity - �S ): Let S � L� L. De�ne the induced relation onvalues �S as the least equivalence relation on value expressions such that(1) �0S�1 implies �0 �S �1, for �0; �1 2 L;(2) vi �S v 0i for i < 2 implies pr(v0; v1)�= pr(v 00; v 01); and(3) v0 �S v1 and f 2 Val! Val implies f(v0) �S f(v1).De�nition (Behavior Simulation): A relation S � L� L is a behavior sim-ulation if for any �0; �1; v0; v1 such that S (�0; �1) ^ v0 �S v1 one of the followingtwo conditions holds:(u) * app(�j ; vj) for j < 2(d) there are v 00, v 01 such that v 00 �S v 01, and app(�j ; vj)�= v 0j for j < 2Theorem (BSI): If S � L� L is a behavior simulation, thenS (�0; �1) ) �0 �= �1Observe that �S can be de�ned within VTLoE using class operators (cf. [11]),as follows. We begin by assuming that S is a subclass offx ispr?(x) �= t ^ islam?(fst(x))�= t ^ islam?(fst(snd(x))) �= tg:Then �S will be the smallest class Z which contains S , satis�es the conditions foran equivalence relation, and satis�es:pr(x0; y0) 2 Z ^ pr(x1; y1) 2 Z ) pr(pr(x0; y0); pr(x1; y1)) 2 Zpr(x0; y0) 2 Z ^ f 2 Val! Val ) pr(f(v0); f(v1)) 2 ZSimilarly both the de�nition of behavior simulation, and the theorem (BSI) can beexpressed within VTLoE using the class apparatus. A trivial example of the use ofthis principle is to establish the equivalence of �0 and �1:�0 = �x:app(I; x) and �1 = �x:seq(app(I; x); app(I; x))where I is the identity �z:zIn this case we simply let S = fpr(�0; �1)g and invoke (BSI).18

7.2. First-ordernessA value is �rst-order (written IsFo(x)) if it is an atom or a pair of �rst-ordervalues. Two values have the same �rst-order part (written x =fo y) if they are bothfunctions, both cells, both pairs with the same �rst-order components, or are thesame atom. The �rst-order projection of a value fop(x) is obtained by replacing alloccurrences of cells and functions by the atom nil.De�nition (IsFo(x), x =fo y, fop):isfo? = Y(�f:�x:if(ispr?(x); and(f(fst(x)); f(snd(x))); isatom?(x)))fop = Y(�f:�x:if(ispr?(x); pr(f(fst(x)); f(snd(x))); if(isatom?(x); x; nil)))foeq = Y(�f:�x; y:cond([and(islam?(x); islam?(y))) t];[and(iscell?(x); iscell?(y)) ) t];[and(ispr?(x);ispr?(y);f(fst(x); fst(y));f(snd(x); snd(y))) ) t];[and(isatom?(x); isatom?(y)) ) eq(x; y)];[t) nil]))IsFo(x) , isfo?(x)�= tx =fo y , foeq(x; y)�= tNote that foeq(x; y)�=t implies that fop(x)�=fop(y), however the converse is false,since information concerning whether something is a cell or abstraction is lost.7.3. FO Object Simulation InductionWe begin with a simple version of the object induction principle that treatsobjects with k-ary store. An object with k-ary store is a value O such thatO �= �z1; : : :zk:�m:(O(z1; : : : zk)(m))The idea is that z1; : : : zk name cells of the local store of the object, and m is themessage parameter. Let z be a sequence of distinct variables and let v be a sequenceof value expressions of the same length. We write Azv to abbreviate the memorycontext fzi := mk(vi) 1 � i � kg.Intuitively two objects are equivalent if when started in similar states, theyalways give the same reply to a message and move to similar states, for someappropriate notion of similar state. As a simple case we de�ne First Order Objectsimulation (FOO simulation). Let O0; O1 be objects with kj-ary store for j < 2.Informally we say that a k0 + k1-ary relation S is a FOO simulation for O0; O1 ifwhen started in S -similar stores and sent any message (applied to any argument)19

either both objects diverge, or both objects use only the �rst order part of theargument, and both return the same (�rst-order) value, and their updated storesremain S -similar.De�nition (FOO Simulation): Let Oj be objects with kj-ary store for j < 2.Let yj, zj be sequences of distinct variables of length kj for j < 2. An k0 + k1-aryrelation S is a simulation relation for O0; O1 if S is persistent, and the followingholds (for �rst-order values of any free variables):S (y0;y1) ) (8x)(9y00;y01; r)S (y00;y01)^IsFo(r)^^j<2 * Azjyj [Oj(zj)(x)]_^j<2Azjyj [[Oj(zj)(x) �=Oj(zj)(fop(x))]]^^j<2Azjyj [[Oj(zj)(x) �= seq(set(zj ;y0j); r)]]Theorem (FOO Simulation Induction (FOOSI)): Let Oj be objects withkj-ary store, yj , zj be sequences of distinct variables of length kj for j < 2. Let Sbe an k0 + k1-ary relation. If S is a simulation relation for O0 and O1, then (for�rst-order values of any free variables)S (y0;y1) ) Az0y0 [O0(z0)]�=Az1y1 [O1(z1)]As a simple example of the use of (FOOSI) we establish the equivalence of twodi�erent �bonacci objects, F0 and F1. The �rst �bonacci object F0 has unary storewhile the second �bonacci object has binary store. Their actual de�nitions are:F0 = �z:�m:letfx := get(z)gseq(set(z; x+ 1); fib(x))F1 = �z1; z2�m:letfx1 := get(z1)gletfx2 := get(z2)gseq(set(z1; x2); set(z2; x1 + x2); get(z2))We will show that for n > 2 thatletfz := mk(n)gF0(z)�= letfz1 := mk(fib(n� 2))gletfz2 := mk(fib(n � 1))gF1(z1; z2)where fib is the usual �bonacci operation N! N given byfib(n) = � 1 if 0 � n � 1fib(n� 2) + fib(n� 1) otherwise.The �rst step is to de�ne the the 3-ary relation S :S = fpr(n; fib(n� 2); fib(n� 1)) n 2 N ^ 2 � ng:20

Clearly S is persistent. To see that it is a simulation relation for F0 and F1 observethat:pr(n; n1; n2) 2 S ) pr(n + 1; n2; n1 + n2) 2 SIsFo(n1 + n2)Azn[[F0(z)(x)�= F0(z)(nil) �= F0(z)(fop(x))]]Az1;z2n1;n2 [[F1(z1; z2)(x)�= F1(z)1; z2(nil) �= F1(z1; z2)(fop(x))]]Azn[[F0(z)(x)�= seq(set(z; n+ 1); fib(n))]]Az1;z2n1;n2 [[F1(zj)(x) �= seq(set(z1; n2); set(z2; n1 + n2); n1 + n2)]]Thus the desired result follows from (FOOSI).8. Speci�cations, Behaviors, and ObjectsWe specify an object by a set of local parameters, a message parameter, anda sequence of message handlers. A message handler consists of a test function,a reply function and a list of updating functions (one for each parameter). Thefunctions take as arguments the message and current value of the local parameters.Upon receipt of a message, the �rst handler whose test is true is invoked. Thelocal parameters are updated according to the update expressions and the reply iscomputed by the reply function. A speci�cation S with k local parameters y =y1; : : : ; yk, message parameter m, and ith message handler with test function ti,reply function ri, and updating functions ui;j for 1 � j � k is written in the formS = (y)(m)[: : :ti(y;m)) ri(y;m); ui;1(y;m); : : : ; ui;k(y;m): : :]For this to be an admissible object speci�cation, we require that the test, updating,and reply functions are total and have no (visible) e�ect. For speci�cation of objectswith �rst-order behavior, we further require that these functions depend only onthe �rst-order projection of the message and that the reply function returns �rst-order values. An alternative would be to force �rst-order interpretation by wrappingprojections around messages and return values in the associated programs.We associate to each speci�cation S two programs: the local behavior functionbehS, and the canonical speci�ed object, obj S. The local behavior corresponding toS is purely functional. It is a closure with local parameters corresponding to those ofthe speci�cation. When applied to a message, the behavior function correspondingto the updated local parameters is returned along with the reply to the message. Ifthere is shared behavior then the current state of the shared behavior must be passed21

as an argument along with the message proper, and the updated shared behaviormust be returned as well. The object speci�ed by S has the local parameters storedin its local memory. When applied to a message, the object updates the localparameter memory and returns only the reply.De�nition (behS):behS = Y(�b:�y:�m:cond(: : :[ti(y;m)) pr(b(ui;1(y;m); : : : ; ui;k(y;m)); ri(y;m))]: : :[t) pr(b(y); nil)]))De�nition (obj S):obj S = �z:�m:letfy1 := get(z1)g : : :letfyk := get(zk)gcond(: : :[ti(y;m)) seq(set(z1; ui;1(y;m)); : : : ; set(zk; ui;k(y;m)); ri(y;m))]: : :[t) nil])There is a protocol transforming operation b2o (behavior-to-object) that maps thebehavior corresponding to S to the object speci�ed by S. b2o allocates a cell andstores the behavior function there. When applied to a message it looks up thebehavior, applies it to the message, stores the new behavior, and returns the re-ply. Behavior functions and objects generalize the notions of reusable and onetimestreams studied in [13]. The point of having two forms is that one can often composebehaviors and reason about them more easily than the corresponding objects. Usingthe connections established by the abstract speci�cation and the protocol transfor-mation one can obtain objects corresponding to transformed behaviors. Methodsdeveloped in [13,17] can be extended to further simplify and optimize the resultingobjects. The point is that di�erent representations are better suited for carrying outdi�erent sorts of transformations, and one needs to have appropriate representationsat hand and be able to move from one representation to another in a semanticallysound manner.De�nition (b2o):b2o = �beh :b2ox (mk(beh))b2ox = �z:�m:letfpr(beh ; r) := get(z)(m)gseq(set(z; beh); r)22

where letfpr(beh ; r) := get(z)(m)g is binding by ML-style pattern matching. Therelation between objects and behaviors, corresponding to the same speci�cation, iscaptured by the following theorem.Theorem (B2o): If S is an object speci�cation, as above, thenb2o(behS(y))�= letfz1 := mk(y1)g : : :letfzk := mk(yk)gobj S(z)Proof (B2o): The proof is by (FOOSI). First note that b2o(behS(y))�=letfz0 :=behS(y)gb2ox (z0). The relation S (y0;y) is de�ned to be � (y0 �= behS(y)). The pre-cise assumptions on the test, reply, and updating functions are the following:ti(y;m)�= ti(y; fop(m)) 2 Valri(y;m)�= ri(y; fop(m)) 2 Atomui;j(y;m)�= ui;j(y; fop(m)) 2 ValThese assumptions provide values for the existential variables and assure depen-dence only on the �rst-order part of m. Assume ti(y;m) is true. Let r be (thevalue of) ri(y;m), and y0 be [ui;j(y;m) 1 � j � k]. Then by equational reasoninginside the combined memory contextsb2ox (z0)(m)�= seq(set(z0; behS(y0)); r)obj S(z) �= seq(set(zj ; y0j)1�j�k; r)B2o9. Examples of Object TransformationsIn this section we give examples illustrating a variety of basic transformations onobjects. We have chosen very simple objects, so as not to obscure the mechanismsby a lot of detail. A more substantial example that can be treated by these methodsis composition and specialization of a window editor described in [14].9.1. Constant LiftingBp(d; p) is the behavior of a bounded point, for simplicity we consider the one-dimensional case. Bp maintains the invariants p; d 2 N and 0 � p � d. It acceptsmessages L (move left), R (move right), and any other message is treated as a requestfor the current position. Op de�nes the corresponding object, and Op0 is obtainedfrom Op by the transformation that replaces a local cell with constant contents bythat contents.Bp = Y(�b:�d; p:�m:if(eq(m; L);if(0 < p; pr(b(d; p� 1); t); pr(b(d; p); nil));if(eq(m; R);if(p < d; pr(b(d; p+ 1); t); pr(b(d; p); nil));pr(b(d; p); p)))) 23

Op = �zd; zp:�m:letfd := get(zd)gletfp := get(zp)gif(eq(m; L);if(0 < p; seq(set(zp; p� 1); t); nil);if(eq(m; R);if(p < d; seq(set(zp; p+ 1); t); nil);p))Op0 = �d; zp:�m:letfp := get(zp)gif(eq(m; L);if(0 < p; seq(set(zp; p� 1); t); nil);if(eq(m; R);if(p < d; seq(set(zp; p+ 1); t); nil);p))Theorem (Constant Lifting):b2o(Bp(d; p))�= Azd;zpd;p [Op(zd; zp)]�=Az0pd;p[Op0(d; z0p)]Proof : The �rst equivalence is by (b2o), and simpli�cation using (8m)(e �=e 0) ) �m:e �= �m:e 0. For the second equivalence we can use FOSI-I. De�neS (y0;0; y0;1; y1;0) by d = y0;0 2 N, p = y0;1 2 N, y0;1 = y1;0), and 0 � p � d.The existential variables are determined by cases on m and py00;0 y00;1 y01;0 rm = L ^ p > 0 d p� 1 p� 1 tm = L ^ p = 0 d p p nilm = R ^ p < d d p+ 1 p+ 1 tm = L ^ p = d d p p nilotherwise d p p pNow we must show the following.(1) S is persistent and invariant { S (y0;0; y0;1; y1;0) ) Azd;zp;z0pd;p;p [[S (y00;0; y00;1; y01;0)]](2) �rst-orderness in argumentAzd;zpd;p [[Op(zd; zp)(m) �=Op(zd; zp)(fop(m))]]Az0pd;p[[Op0(d; z0p)(m) �= Op0(d; z0p)(fop(m))]](3) similar e�ects and values { if S (y0;0; y0;1; y1;0), thenAzd;zpd;p [[Op(zd; zp)(m) �= seq(set(zd; y00;0); set(zy; y00;1); r)]]Az0pd;p[[Op0(d; z0p)(m) �= seq(set(z0y; y01;1); r)]]For (1) we use the general property that membership in N and arithmetic relationsare persistent. The case analysis on m gives the invariance of S .For (2) we use x 2 A implies eq(m;x)�=eq(fop(m); x) which is an easy consequenceof pure �= reasoning. 24

For (3) we consider the case m = L and p > 0. The remaining cases are similar. Weuse persistence of S to move it inside the memory context, and facts about memoryoperations, (ca,R), to evaluate lets, and ifs inside the memory context.9.2. First-Order StreamsA �rst-order stream is a behavior that, for any message returns a pair consistingof a �rst-order stream and a �rst-order element. This can be formalized in VTLoEusing the maximal �xed point operator. De�neFOV = fx IsFo(x)g:The class of �rst-order streams is the largest class satisfyingFoStr � Nil! [FoStr�FOV]:More precisely, using the maximum-�xed-point operator.De�nition (First Order Streams):K0 ! K1 = fo (8x 2 K0)(o(x) 2 K1)gTFoStr[X] = [Nil! [X � FOV]]FoStr = TFoStr[X][Where T [X][ is the maximal�xed point of the monotonic class operator T [X] [23,11].9.3. Protocol TransformationBc is the behavior of an object that increments a counter for each non-nilmessage, then sends nil to its local object, assumed to be a stream. It treats nilas a request for the current value of the local counter. Oc is the correspondingobject code. Ocx is obtained from Oc by a protocol transformation { replacing abehavior by a corresponding object. Having carried out this transformation, theobject parameter can be replaced by any equivalent object.Bc = Y(�b:�q; s:�m:if(m;letfpr(s; r) := app(s; nil)gpr(b(q + 1; s); r);pr(b(q; s); q)))Oc = �zq; zs:�m:letfq := get(zq)gletfs := get(zs)gif(m;letfpr(s; r) := app(s; nil)gseq(set(zq ; q+ 1); set(zs; s); r);q) 25

Ocx = �zq ; os:�m:letfq := get(zq)gif(m;seq(set(zq ; q + 1); app(os; nil));q)Theorem (Protox): If s is (persistently) a �rst-order stream, and q 2 N thenb2o(Bc(q; s))�= letfzq := mk(q)gletfzs := mk(s)gOc(zq ; zs)�= letfzq := mk(q)gletfos := b2o(s)gOcx(zq ; os)Note that, we could omit the FO requirement on the stream if we apply fop toanswer returned.Proof : Again the �rst equivalence is by (b2o) and for the second equivalence wecan use FOSI-I. De�ne S (y0;0; y0;1; y1;0; y1;1) by q = y0;0 = y1;0 2 N, s = y0;1 = y1;1is persistently a �rst-order stream.9.4. SpecializationContinuing with the Bc example, we specialize the stream s to the stream,f2b(f; n), generated by a function f . Bce is the specialized behavior and Oce is thespecialized object description.f2b = �f:Y(�b:�n:�m:pr(b(n+ 1); f(n)))Bce = �f; d:Y(�b:�n:�m:if(m;pr(b(n+ 1); f(n));pr(b(n); d+ n)))Oce = �f; d:�zn:�m:letfn := get(zn)gif(m;seq(set(zn; n+ 1); f(n));d+ n)Theorem (Specialize): If f is a pure function on N and q; n 2 N thenb2o(Bc(q; f2b(f; n))) �= letfzn := mk(n)gOce(f; q � n)(zn)Proof : This can be proved directly by (FOOSI). A simpler proof is by estab-lishing the followingBc(q; f2b(f; n)) �= Bce(f; q � n)(n) using (BSI)b2o(Bce(f; q � n)(n)) �= letfzn := mk(n)gOce(f; q � n)(zn) using (FOOSI)26

9.5. RerepresentationThe following examples illustrate transformations on the shape of memory usedby an object. Dj stores a pair of atoms. The left or right atom can be set orretrieved. We assume putL; putR; getL; getR are message type recognizers thatmap arbitrary values to booleans without any e�ect on memory. atof maps a valueto an atom. D0 stores the pair as a cons cell contained in its local store z, D1 storesthe pair simply as a cons cell c, D2 stores the pair as a pair of cells, p, D3 storesthe pair in two local variables zl; zr. The Lisp operations cons, car, cdr, setcar,setcdr used in these examples are de�ned as follows:cons = �x; y:mk(pr(mk(x); mk(y)))car = �x:fst(get(x))cdr = �x:snd(get(x))setcar = �x; y:set(x; pr(y; cdr(x)))setcdr = �x; y:set(x; pr(car(x); y))D0 = �z:�m:letfc := get(z)gcond([putL(m) ) seq(setcar(c; atof(m)); nil)][putR(m) ) seq(setcdr(c; atof(m)); nil)][getL(m) ) car(c)][getR(m) ) cdr(c)][t) nil] )D1 = �c:�m:cond([putL(m)) seq(setcar(c; atof(m)); nil)][putR(m)) seq(setcdr(c; atof(m)); nil)][getL(m)) car(c)][getR(m)) cdr(c)][t) nil] )D2 = �p:�m:cond([putL(m)) seq(set(fst(p); atof(m)); nil)][putR(m)) seq(set(snd(p); atof(m)); nil)][getL(m)) get(fst(p))][getR(m)) get(snd(p))][t) nil] ) 27

D3 = �zl; zr:�m:cond([putL(m)) seq(set(zl; atof(m)); nil)][putR(m)) seq(set(zr ; atof(m)); nil)][getL(m)) get(zl)][getR(m)) get(zr)][t) nil] )Theorem (Xcons):letfz := mk(cons(x; y))gD0(z)�= letfc := cons(x; y)gD1(c)�= letfp := pr(mk(x); mk(y)))gD2(p)�= letfzl := mk(x)gletfzr := mk(y)gD3(zl; zr)To prove this theorem we generalize the FOO simulation induction principleto objects with arbitrary, but static store shape. A memory shape M is a triple(y)(z;v) where y; z are sequences of distinct variables, v is a sequence of valuesexpressions inVy;z of the same length as z. If w is a sequence of value expressionsof the same length as y, not containing any elements of z, then M (w) denotes thememory context fz := v�g where � maps elements of y to corresponding elementsof w.De�nition (Generalized FOO Simulation): Let yj be sequences of distinctvariables of length kj for j < 2. Let Mj = (yj)(zj ;vj) be memory shapes. Let Ojbe objects with mj-ary store for j < 2 and let cj be subsequences of zj of lengthmj for j < 2. An k0+k1-ary relation S is a simulation relation for Mj(yj)Oj(cj) ifS is persistent, and the following holds (for �rst-order values of any free variables):S (y0;y1) ) (8m)(9y00;y01; r)S (y00;y01)^IsFo(r)^^j<2 *Mj(yj)Oj(cj)(m)_^j<2Mj(yj)[[Oj(cj)(m) �= Oj(cj)(fop(m))]]^^j<2Mj(yj)[[Oj(cj)(m) �= seq(set(zj ;vfyj :=y0jgj ); r)]]Theorem (Generalized FOO Object Simulation Induction (GFOOSI)):Let Mj , Oj be as in the de�nition of generalized FOO simulation. Let S be ank0 + k1-ary relation. If S is a simulation relation for Mj(yj)Oj(cj) then (for �rst-order values of any free variables)S (y0;y1) ) M0(y0)O0(c0) �=M1(y1)O1(c1)Proof : The proof now is a simple application of (GFOOSI). The four memoryshapes are: 28

M0 = (x; y)([z; c][c; pr(x; y)])M1 = (x; y)([c][pr(x; y)])M2 = (x; y)([zl; zr][x; y])M3 = (x; y)([zl; zr][x; y])The simulation relation for equivalence of Dj ; Dk, S (xj ; yj; xk; yk), is equivalent toxj �= xk, yj �= yk, and xj; yj 2 A . The proof that S is a simulation is similar to theargument used in (constant lifting). Note that the usual equational properties ofLisp operations can be derived from the corresponding properties of mk, get, setand properties of pairing.10. ConclusionsIn this paper we have continued our development of a logic for reasoning aboutimperative functional programs. The main results of this paper are1. The re�nement of the semantics given in [10,11] so as to be more faithful to thelocal nature of portions of memory. One criteria for a semantic theory is that itprovides an accurate notion of program equivalence. A key issue in the case ofimperative functional programs is the correct treatment of access to both privateand shared mutable data. In this paper we give several notions of visibility orprivacy that provide a logical semantics faithful to the underlying operationalone.2. The use of classes to express similarity relations, which in turn are used to ex-press powerful proof principles for establishing equivalences between imperativefunctional programs.Even though the work presented here is at an early stage of development, we feelthat much progress has been made towards practical application of formal methodsto program development. Future work includes: applying these methods to moresubstantial programming examples that arise in practice; development of a proofcalculus for VTLoE and establishing completeness results for the zero-order fragmentin the spirit of [15]; and formalization of VTLoE in a proof development system.11. Collected Laws of VTLoE11.1. Lambda Laws, Equational and De�nednessLemma (letc [11]):(i) app(�x:e; v)�= efx:=vg �= letfx := vge(ii) R[e]�= letfx := egR[x](iii) R[letfx := e0ge1]�= letfx := e0gR[e1]where in (ii) and (iii) we require x not free in R.Lemma (* [11]):(i) * e0 ) (* e1 , e0 �= e1) 29

(ii) * e ) *U [e] e closed(iii) * Y(�y:�x:app(y; x))(nil)11.2. Contextual AssertionsThe theorem (ca) provides several principles for reasoning about contextualassertions: a simple principle concerning reduction contexts; a general principle forintroducing contextual assertions (akin to the rule of necessitation in modal logic);a principle for propagating contextual assertions through equations; and a principlefor composing contexts (or collapsing nested contextual assertions); a principle formanipulating contexts; three principles demonstrating that contextual assertionsinteract nicely with the propositional connectives, if we take proper account ofassertions that are true for the trivial reason that during execution, the point in theprogram text marked by the context hole is never reached; and a principle (whoseconverse is false) concerning the quanti�er. Finally a lemma demonstrating thatcontextual assertions interact nicely with evaluation.Theorem (ca [11]):(i) � ) R[[�]](ii) j= � implies j= U [[�]](iii) U [[e0 �= e1]] ) U [e0]�=U [e1](iiii) j= U0[[U1[[�]]]] , (U0[U1])[[�]](iv) letfx := R[e]gU [[�]] , letfy := egletfx := R[y]gU [[�]] y fresh(v) U [[False]] ) U [[�]](vii) U [[:�]] , (U [[False]] _ :U [[�]])(viii) U [[�0 ) �1]] , (U [[�0]] ) U [[�1]])(viiii) U [[8x�]] ) 8xU [[�]] where x not free in U11.3. Memory OperationsThe contextual assertions and laws involving mk, set and get are given below.The assertion, (mk.i), describes the allocation e�ect of a call to mk, while (mk.ii)expresses what is una�ected by a call to mk. The assertion, (mk.iii), expresses thetotality of mk. The mk delay law, (mk.iv), asserts that the time of allocation has nodiscernable e�ect on the resulting cell. In a world with control e�ects evaluationof e0 must be free of them for this principle to be valid [7]. The �rst three con-textual assertions regarding set are analogous to those of mk. They describe whatis returned and what is altered, what is not altered as well as when the operationis de�ned. The remaining three principles involve the commuting, cancellation,absorption of calls to set. For example the set absorption principle, (set.vi), ex-presses that under certain simple conditions allocation followed by assignment may30

be replaced by a suitably altered allocation. The contextual assertions regardingget follow the above pattern. They describe what is altered and returned, what isnot altered as well as when the operation is de�ned.Lemma (Memory operation laws [11]):(mk.i) letfx := mk(v)g[[:(x�= y) ^ iscell?(x)�= t ^ get(x)�= v ]]x fresh(mk.ii) y �= get(z) ) letfx := mk(v)g[[y �= get(z)]](mk.iii) + mk(z)(mk.iv) letfy := e0gletfx := mk(v)ge1 �= letfx := mk(v)gletfy := e0ge1x 62 FV(e0), y 62 FV(v)(set.i) iscell?(z) ) letfx := set(z; y)g[[get(z)�= y ^ x�= nil]])(set.ii) (y �= get(z) ^ :(w �= z)) ) letfx := set(w; v)g[[y �= get(z)]](set.iii) iscell?(z) ) + set(z; x)(set.iv) :(x0 �= x2) )seq(set(x0; x1); set(x2; x3)) �= seq(set(x2; x3); set(x0; x1))(set.v) seq(set(x; y0); set(x; y1))�= set(x; y1)(set.vi) get(y) �= z ) set(y; z) �= nil z not free in w(get.i) letfx := get(y)g[[x�= get(y)]](get.ii) y �= get(z) ) letfx := get(w)g[[y �= get(z)]](get.iii) iscell?(x) , (9y)(get(x) �= y)AcknowledgementsWe would like to thank four anonymous referees for helpful comments on anearlier draft. This research was partially supported by DARPA contract NAG2-703, and NSF grants CCR-8917606, and CCR-8915663.References1. H. Abelson and G. J. Sussman. Structure and Interpretation of Computer Programs.The MIT Press, McGraw-Hill Book Company, 1985.2. K.R. Apt. Ten years of Hoare's logic: A survey{part I. ACM Transactions onProgramming Languages and Systems, 4:431{483, 1981.3. S. Feferman. A language and axioms for explicit mathematics. In Algebra andLogic, volume 450 of Springer Lecture Notes in Mathematics, pages 87{139. SpringerVerlag, 1975.4. S. Feferman. Constructive theories of functions and classes. In Logic Colloquium'78, pages 159{224. North-Holland, 1979.31

5. S. Feferman. A theory of variable types. Revista Colombiana de Mat�ematicas,19:95{105, 1985.6. S. Feferman. Polymorphic typed lambda-calculi in a type-free axiomatic framework.In Logic and Computation, volume 106 of Contemporary Mathematics, pages 101{136. A.M.S., Providence R. I., 1990.7. M. Felleisen, 1993. Personal communication.8. M. Felleisen and D.P. Friedman. Control operators, the SECD-machine, and the�-calculus. In M. Wirsing, editor, Formal Description of Programming ConceptsIII, pages 193{217. North-Holland, 1986.9. D. Harel. Dynamic logic. In D. Gabbay and G. Guenthner, editors, Handbook ofPhilosophical Logic, Vol. II, pages 497{604. D. Reidel, 1984.10. F. Honsell, I. A. Mason, S. F. Smith, and C. L. Talcott. A theory of classes for afunctional language with e�ects. In Proceedings of CSL92, volume 702 of LectureNotes in Computer Science, pages 309{326. Springer, Berlin, 1993.11. F. Honsell, I. A. Mason, S. F. Smith, and C. L. Talcott. A Variable Typed Logic ofE�ects. Information and Computation, 1994. to appear.12. P. J. Landin. The mechanical evaluation of expressions. Computer Journal, 6:308{320, 1964.13. I. A. Mason and C. L. Talcott. Equivalence in functional languages with e�ects.Journal of Functional Programming, 1:287{327, 1991.14. I. A. Mason and C. L. Talcott. Program transformation for con�guring components.In ACM/IFIP Symposium on Partial Evaluation and Semantics-based Program Ma-nipulation, 1991.15. I. A. Mason and C. L. Talcott. Inferring the equivalence of functional programs thatmutate data. Theoretical Computer Science, 105(2):167{215, 1992.16. I. A. Mason and C. L. Talcott. References, local variables and operational reasoning.In Seventh Annual Symposium on Logic in Computer Science, pages 186{197. IEEE,1992.17. I. A. Mason and C. L. Talcott. Program transformation via contextual assertions.In N. D. Jones, M. Hagiya, and M. Sato, editors, Logic, Language, and Computation:Festschrift in Honor of Satoru Takasu, number 792 in Lecture Notes in ComputerScience, pages 225{254. Springer-Verlag, 1994.18. R. Milner. Fully abstract models of typed �-calculi. Theoretical Computer Science,4:1{22, 1977.19. E. Moggi. Notions of computation and monads. Information and Computation,93(1), 1991.20. A. M. Pitts. Evaluation logic. In IVth Higher-Order Workshop, Ban�, volume 283of Workshops in Computing. Springer-Verlag, 1990.21. J.C. Reynolds. Idealized ALGOL and its speci�cation logic. In D. N�eel, editor,Tools and Notions for Program Construction, pages 121{161. Cambridge UniversityPress, 1982.22. G. L. Steele and G. J. Sussman. Scheme, an interpreter for extended lambda calcu-lus. Technical Report Technical Report 349, Massachusetts Institute of Technology,Arti�cial Intelligence Laboratory, 1975.23. C. L. Talcott. A theory for program and data type speci�cation. Theoretical Com-puter Science, 104:129{159, 1992. 32