Structured Swinging Types

Swinging types (STs) provide an axiomatic specification formalism for designing and verifying software in terms of many-sorted logic and canonical models. STs are one-tiered insofar as static and dynamic, structural and behavioral aspects of a system are treated on the same syntactic and semantic level. Canonical models interpret relations as least or greatest fixpoints. All reasoning about a particular ST can be reduced to deductive processes, from built-in simplifications via resolution upon relations, narrowing upon functions, up to interactive proofs employing induction and coinduction rules. In this paper, the different possibilities of building up an ST are clearly separated from each other. The designer of an ST may choose among six specification patterns when extending a given ST by new components. Semantically, this leads to stratified models, similar to those known from the semantics of stratified logic programs. Predicates (relations interpreted as least fixpoints) and functions are axiomatized by Horn clauses, copredicates (relations interpreted as greatest fixpoints) are axiomatized by co-Horn clauses. These notions are generalized in this paper such that quantifiers may now occur at any place and even negation is permitted in axioms. For ensuring monotonicity and thus the existence of fixpoints, each relation preceded by a negation symbol must be axiomatized on a lower specification level. Under this assumption, any ST can be transformed into an equivalent one without negation symbols. When an ST is developed stepwise, particular attention must be paid to the addition of defined functions and behavioral equalities in order to guarantee that they are fully compatible with other signature elements. Here functionality and behavioral consistency are the crucial requirements to an ST. Moreover strong constructors are introduced as a further means for specifying behavioral equalities, which are usually axiomatized only in terms of observers. Provided that the ST is behaviorally consistent, behavioral equations whose sides are dominated by strong constructors may be decomposed, such as structural equations may be splitted if their sides are dominated by (arbitrary) constructors. Moreover, a simple and intuitive notion of refinement for STs is presented along with a powerful and completely deductive criterion for refinement correctness. *** sections 8, 9