Chapter 7
Module Operations

Specifications and code should be structured in modules of relatively small size to facilitate understandability of large systems, increase reusability of components, and localize the effects of system changes. In Maude, these goals are achieved by means of a module algebra that supports parameterized programming techniques in the OBJ3 style [69] as well as the definition of module hierarchies, i.e., acyclic graphs of module importations; that is, each functional or system module can import other Maude modules as submodules. Since the submodule relation is transitive, we can in this way develop module hierarchies. Mathematically, we can think of such hierarchies as partial orders of theory inclusions, that is, the theory of the importing module contains the theories of its submodules as subtheories.

As in Clear [17], OBJ [69], and other specification languages in that tradition, the abstract syntax for writing specifications in Maude can be seen as given by module expressions, where the notion of module expression is understood as an expression that defines a new module out of previously defined modules by combining and/or modifying them according to a specific set of operations. In fact, structuring is essential in all specification languages, not only to facilitate the construction of specifications from already existing ones—with more or less flexible reusability mechanisms—but also for managing the complexity of understanding and analyzing large specifications. Maude supports module operations for summation, renaming, and instantiation of parameterized modules.

Section 7.1 introduces module importations and the different modes in which such importations can take place. Sections 7.2 and 7.3 discuss, respectively, the summation and renaming module expressions. Section 7.4 introduces parameterized programming, including the use of theories and views, the parameterization of modules, and the instantiation of parameterized modules. We refer to [37, 41, 42] for a deeper discussion on the semantics of the Maude module operations.

7.1 Module importation

Recall that a functional module $M$ specifies a membership equational theory of the form $(\mathrm{\Sigma },E\cup A)$, with $\mathrm{\Sigma }$ its signature, $A$ the equational attributes specified for its operators, and $E$ its set of equations and memberships. A submodule $M^{\prime }$ of $M$ is either a module directly imported by $M$, or a submodule of one of the modules directly imported by $M$. Then $M^{\prime }$ specifies a membership equational subtheory $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$. Specifically, we have three inclusions: ${\mathrm{\Sigma }}^{\prime }\subseteq \mathrm{\Sigma }$, $E^{\prime }\subseteq E$, and $A^{\prime }\subseteq A$. Furthermore, since in Maude subsort-overloaded operators must have the same equational attributes, Maude will enforce that the inclusion $A^{\prime }\subseteq A$ satisfies this property.

In a similar way, a system module $Q$ specifies a rewrite theory $(\mathrm{\Sigma },E\cup A,\varphi ,R)$. A submodule $Q^{\prime }$ of $Q$ will likewise specify a rewrite subtheory $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime },{\varphi }^{\prime },R^{\prime })\subseteq (\mathrm{\Sigma },E\cup A,\varphi ,R)$. This means that we have inclusions ${\mathrm{\Sigma }}^{\prime }\subseteq \mathrm{\Sigma }$, $E^{\prime }\subseteq E$, $A^{\prime }\subseteq A$ (again, with the same equational attributes for subsort-overloaded operators), ${\varphi }^{\prime }\subseteq \varphi$, and $R^{\prime }\subseteq R$, where ${\varphi }^{\prime }\subseteq \varphi$ is an inclusion of functions and means that the freezing function $\varphi$ extends the function ${\varphi }^{\prime }$. Note that $Q^{\prime }$ could be a functional module, which is then understood as the rewrite theory $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime },{\varphi }^{\prime },\varnothing )$, where ${\varphi }^{\prime }$ specifies whatever freezing information has been given to the operators of ${\mathrm{\Sigma }}^{\prime }$ in $Q^{\prime }$. A system module cannot be imported into a functional module.

In Maude, a module—any module expression giving rise to a module—can be imported as a submodule of another in four different modes: protecting, extending, generated-by, or including. This is done with the syntax declarations

protecting $⟨$ModuleExpression$⟩$ . 
extending $⟨$ModuleExpression$⟩$ . 
generated-by $⟨$ModuleExpression$⟩$ . 
including $⟨$ModuleExpression$⟩$ .
     

which can be abbreviated, respectively, to

pr $⟨$ModuleExpression$⟩$ . 
ex $⟨$ModuleExpression$⟩$ . 
gb $⟨$ModuleExpression$⟩$ . 
inc $⟨$ModuleExpression$⟩$ .
     

In addition to being allowed as arguments of a protecting, extending, generated-by, or including importation, module expressions can also appear as the source or target of a view (see Section 7.4.2), or as the parameter of a module, provided the top level is a theory (see Section 7.4.3).

Each of the importation modes places specific semantic constraints on the corresponding inclusion between the theory of the submodule and that of the supermodule. The user must be aware that, as explained later, the Maude system does not check that these constraints are satisfied, that is, the different modes of importation can be understood as promises by the user, which would need to be proved by him/herself. Although those importation modes have no effect operationally, they do crucially affect the interpretation given to a module by the theorem proving tools. If a user is doubtful about the appropriate importation mode the default should be to use the including mode, which places weaker requirements on the importation.

Importation statements take a module expression as argument, which may be a module name, the summation of module expressions, the renaming of a module expression, or the instantiation of a parameterized module expression. Modules are constructed for each subexpression of a module expression, and so each submodule signature must be legal. Modules and module expressions are cached both to save time and so that the same module corresponding to a module expression will not be imported twice via a diamond of imports. Mutually or self recursive imports occurring through module expressions are detected and disallowed. Cached modules generated by module expressions that no longer have any users (if the module(s) containing the module expression have been replaced) are deleted. When a module $M$ used in a module expression is modified, any modules generated for module expressions that depend on $M$ are deleted and any modules that depend on $M$ are reevaluated if you attempt to use them. Here the notion of “depends on" is transitive through arbitrary nesting of importation and module expressions.

In addition to being imported by the explicit importation statements we have just introduced, modules can be imported in an implicit way (also in the three possible modes) by means of commands set protect/extend/generate-by/include module on/off; see more details in Appendix A.15 and the detailed example in Section 8.1.

7.1.1 Protecting

Importing a module $M^{\prime }$ into $M$ in protecting mode intuitively means that no junk and no confusion are added to $M^{\prime }$ when we include it in $M$. For example, we may import the module NAT of natural numbers into a module FOO. “Junk” would be added to NAT if in FOO we have new ground terms in canonical form in any of the sorts in NAT, namely Nat and NzNat. For example, FOO may have declared a constant infinity of sort NzNat to which no equations apply. “Confusion” would be added if different natural numbers are now identified. For example, if FOO contains the equation s s 0 = 0, then all even numbers will be identified with 0 and all odd numbers with s 0.

Let us explain the semantics of the protecting relation in more detail for functional modules $M^{\prime }$ and $M$, where $M^{\prime }$ has been imported as a submodule in protecting mode, either by an explicit protecting importation in $M$, or transitively through one of $M$’s submodules. Let $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ be the theory inclusion defined by the module inclusion $M^{\prime }\subseteq M$. Notice that the existence of the inclusions ${\mathrm{\Sigma }}^{\prime }\subseteq \mathrm{\Sigma }$, $E^{\prime }\subseteq E$, and $A^{\prime }\subseteq A$ means that for each sort $s^{\prime }$ in ${\mathrm{\Sigma }}^{\prime }$ there is a well-defined function

mapping the equivalence class ${[t]}_{E^{\prime }\cup A^{\prime }}$ of a ground term $t$ to the equivalence class ${[t]}_{E\cup A}$. By definition, the submodule inclusion $M^{\prime }\subseteq M$ is protecting if and only if for each sort $s^{\prime }$ in ${\mathrm{\Sigma }}^{\prime }$ the above function is bijective. This captures mathematically the “no junk” (surjectivity) and “no confusion” (injectivity) ideas. Under our ground Church-Rosser and termination assumptions for $M^{\prime }$ and $M$ this also means that the canonical form of any ground ${\mathrm{\Sigma }}^{\prime }$-term $t$ in $M^{\prime }$ that has a sort in ${\mathrm{\Sigma }}^{\prime }$ must be the same as its canonical form in $M$. The requirement that $t$ must have a sort is crucial. We do not require that for $k^{\prime }$ a kind the map

is bijective. The reason is that the notion of defined function—that is, an operator that disappears and leaves just a term with constructors—is only meaningful when the result has a sort. The same operator may not disappear for error terms at the kind level. That is, in the module $M$ extending $M^{\prime }$ there may easily be new error terms of kind $k^{\prime }$ created by new operators in $M$. For example, if we import the module NAT into the module RAT of rational numbers, the sorts Nat and Rat belong to the same kind, but there are now new error terms in the kind, such as 3 + 7/0. Therefore, we should not care about “error junk” being added by a supermodule at the kind level, provided that the sorts themselves are protected.

For system modules the protecting requirement is interpreted exactly as before as far as their underlying equational theories are concerned. That is, if $Q$ protects $Q^{\prime }$ and the associated theory inclusion is $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime },{\varphi }^{\prime },R^{\prime })\subseteq (\mathrm{\Sigma },E\cup A,\varphi ,R)$, then the equational theory inclusion $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ must be protecting. We furthermore require that for any two ground ${\mathrm{\Sigma }}^{\prime }$-terms $t$ and $t^{\prime }$ we can reach $t^{\prime }$ from $t$ by a sequence of rewrites in the module $M^{\prime }$if and only if we can do so in the module $M$; that is, for ground terms in $M^{\prime }$ we require that the reachability relation is not altered by the supermodule.

Of course, the protecting assertion cannot be checked by Maude at runtime: it requires inductive theorem proving. Using the proof techniques in [14] together with an inductive theorem prover for membership equational logic and a Church-Rosser checker such as those described in [43, 45, 25] (which are available in the Maude formal tool environment together with other useful tools for termination and sufficient completeness), this can be done for functional modules. Using the fact that initial models of rewrite theories are also models of equational theories [16], similar proof techniques could be developed to prove the protecting relation between rewrite theories.

7.1.2 Extending

A weaker, yet substantial, requirement about a module importation is expressed by the keyword extending. Intuitively, the idea is to allow “junk,” but to rule out confusion. Extending importations may appear naturally in situations in which the data of some sort is extended with new data elements, yet not identifying previously defined data, like adding a new constant infinity to the natural numbers in a module importing NAT. As another example, when defining the semantics of a programming language in Maude, we can have from the beginning a sort Program, and define incrementally the syntax of programs in several modules, say, EXPRESSION, STATEMENT, PROCEDURE, and so on. This will typically give rise to a family of extending module importations as more syntax is added.

For functional modules $M^{\prime }$ and $M$, where $M^{\prime }$ has been imported as a submodule in extending mode, either by an explicit extending importation in $M$, or transitively through one of $M$’s submodules, if $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ is the theory inclusion defined by the module inclusion $M^{\prime }\subseteq M$, the extending requirement means that for each sort $s^{\prime }$ in ${\mathrm{\Sigma }}^{\prime }$ the function

is injective. For system modules the extending requirement is interpreted exactly as before as far as their underlying equational theories are concerned. That is, if $Q$ extends $Q^{\prime }$ and the associated theory inclusion is $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime },{\varphi }^{\prime },R^{\prime })\subseteq (\mathrm{\Sigma },E\cup A,\varphi ,R)$, then the equational theory inclusion $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ must be extending. We furthermore require that for any two ground ${\mathrm{\Sigma }}^{\prime }$-terms $t$ and $t^{\prime }$ we can reach $t^{\prime }$ from $t$ by a sequence of rewrites in the module $M^{\prime }$if and only if we can do so in the module $M$; that is, for ground terms in $M^{\prime }$ the reachability relation is not altered by the supermodule.

Under the Church-Rosser and termination assumptions, the extending $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ requirement is a form of conservative extension requirement, in the sense that it implies that for any ${\mathrm{\Sigma }}^{\prime }$ ground terms $t$ and $t^{\prime }$ that have a sort in $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })$, $E^{\prime }\cup A^{\prime }$ proves $t=t^{\prime }$ if and only if $E\cup A$ proves $t=t^{\prime }$. In addition, for system modules it further implies that for any two ground ${\mathrm{\Sigma }}^{\prime }$-terms $t$ and $t^{\prime }$ the reachability relation is not altered by the extension. In summary, equality and reachability are conservatively preserved for ground terms.

Note that the extending relation does not destroy protecting importations further down the hierarchy. That is, if $M$ imports $M^{\prime }$ in extending mode, but $M^{\prime }$ imports $M^{″}$ in protecting mode, then $M$ still imports $M^{″}$ in protecting mode, not in extending mode. If we do not want $M$ to protect $M^{″}$ (because this is indeed violated), then we have to say so by explicitly giving an extending importation declaration for $M^{″}$ in $M$.

7.1.3 Generated-by

The protecting keyword requires that submodules are imported with “no junk and no confusion,” whereas the extending keyword just requires that submodules are imported with “no confusion.” The generated-by keyword covers the other alternative weakening of the protecting requirement, namely, requiring that submodules are imported with “no junk.” A simple example is the importation of the NAT module into the module:

fmod NAT/3 is 
 generated-by NAT . 
 eq s(s(s(0)) = 0 . 
endfm
     

which does not add any “junk” to the module NAT, i.e., does not add any new data elements to its Nat sort, although of course it adds considerable “confusion,” since now $3=0$.

The semantics of the generated-by keyword is then easy to explain. For functional modules $M^{\prime }$ and $M$, where $M^{\prime }$ has been imported as a submodule in generated-by mode, either by an explicit generated-by importation in M, or transitively through one of $M$’s submodules, if $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ is the theory inclusion defined by the module inclusion $M^{\prime }\subseteq M$, the generated-by requirement means that for each sort $s^{\prime }$ in ${\mathrm{\Sigma }}^{\prime }$ the function

is surjective. For system modules the generated-by requirement is interpreted exactly as before as far as their underlying equational theories are concerned. That is, if $Q$ extends $Q^{\prime }$ and the associated theory inclusion is $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime },{\varphi }^{\prime },R^{\prime })\subseteq (\mathrm{\Sigma },E\cup A,\varphi ,R)$, then the equational theory inclusion $({\mathrm{\Sigma }}^{\prime },E^{\prime }\cup A^{\prime })\subseteq (\mathrm{\Sigma },E\cup A)$ must satisfy the generated-by requirement.

7.1.4 Including

The most general form of module importation is provided by the including keyword. No requirements are made in an including importation about maps of the form $q_{s^{\prime }}$: there can now be junk (lack of surjectivity) and/or confusion (lack of injectivity). Likewise, for system modules it is not anymore required that the reachability relation between ground terms in the submodule is preserved. The including keyword does however impose some requirements. First of all, there is the requirement that the equational attributes of subsort-overloaded operators must be the same. Furthermore, the including relation does not destroy protecting or extending importations further down the hierarchy. That is, if $M$ imports $M^{\prime }$ in including mode, but $M^{\prime }$ imports $M^{″}$ in protecting (resp. extending) mode, then $M$ still imports $M^{″}$ in protecting (resp. extending) mode, not in including mode. If we do not want $M$ to protect or extend $M^{″}$ (because this is indeed violated), then we have to say so by explicitly giving an including importation declaration for $M^{″}$ in $M$.

Given that, as already mentioned, there is no difference at runtime between the different modes of importation because the Maude system does not check the corresponding requirements, from a pragmatic point of view, when a user is doubtful about the appropriate importation mode, the best idea is to use the including mode so that at least no false assertion is made.

7.1.5 Default conventions in module importations

We have already explained our default convention when a submodule $M_0$ is imported indirectly and transitively into $M$ through the direct importation by $M$ of a module $M_1$ that itself imports $M_0$. Then, whatever was the mode (protecting, extending, generated-by, or including) in which $M_0$ was imported by $M_1$ is also, by default, the mode in which $M_0$ is imported by $M$, unless $M$ contains an explicit declaration importing $M_0$ in a different mode. We now explain what our default convention is in the case of diamond importations.

We talk of a diamond importation of $M_0$ by $M$, when $M_0$ is imported indirectly by $M$ through the direct importation of two or more different modules, say $M_1,M_2,\dots ,M_k$. The problem now is that $M_0$ can be imported by each of the modules $M_1,M_2,\dots ,M_k$ in different modes. For example, $M_1$ could import it in protecting mode, $M_2$ in extending mode, $M_3$ in including mode, and so on. What should now be the default convention for the mode in which $M$ imports $M_0$? We adopt a convention that is consistent with a logical understanding of such importation declarations. Indeed, such declarations impose semantic constraints of decreasing strength; that is, we have:

The default convention consistent with this logical reading is that the strongest mode wins, i.e., protecting prevails over extending and generated-by, which themselves prevail over including. This is because we view the set of all such importing mode declarations as a conjunction, and exploit the logical equivalence between $A\Rightarrow B$ and $(A\wedge B)\iff A$. The importation of a module in both generated-by and extending modes is equivalent to importing it in protecting mode.

Note that this “strongest wins” default mode may not always be the correct or intended mode in which $M$ should import $M_0$. Sometimes it may not be, and then the user should overrule the default convention by declaring explicitly a different mode in which $M$ imports $M_0$. A pragmatic reason why this need for overruling the default mode may arise is that, although a weaker mode of importation (say extending) does not logically preclude such an importation also satisfying a stronger one (say protecting), in practice, when we declare an importation in a weaker mode it can often be because we know or suspect that it fails to satisfy a stronger mode. For example, when we say “extending” we may often mean “extending and not protecting.”

7.1.6 Some module hierarchy examples

Prime numbers sieve

Section 4.4.7 included a functional module specifying the sieve of Eratosthenes to calculate prime numbers.

fmod SIEVE is 
 protecting NAT . 
 sort NatList . 
 subsort Nat < NatList . 
 ... 
endfm
     

The predefined module of natural numbers (see Section 8.3) is imported in protecting mode. This is justified because the elements of sort Nat are used to generate the lists of natural numbers by means of a subsort declaration and also as arguments of other operators. However, no new operator of result sort Nat is added in the SIEVE module, and all the equations in this module identify elements of sort NatList without identifying different natural numbers.

Vending machine

The vending machine example in Section 5.1 was presented in a modular way, by separating the underlying signature defining the states of the machine from the rules defining the corresponding transitions.

mod VENDING-MACHINE is 
 including VENDING-MACHINE-SIGNATURE . 
 var M : Marking . 
 rl [add-q] : M => M q . 
 ... 
endm
     

It is important to notice that in this example the importation mode cannot be either protecting or extending, because those modes require preservation of the reachability relation, which clearly is not the case when adding (non-identity) rewrite rules to a functional module (where the reachability relation is the identity).

Bank accounts and object configurations

In Section 6.1.4, we presented an object-oriented module ACCOUNT specifying bank accounts. In order to run some tests, the following module introduces three new constants to be used as object identifiers, and a new constant to be used as a test configuration. This configuration constant is identified with a term of sort Configuration in the imported module ACCOUNT by means of an equation whose righthand side is omitted below. However, constants A-001, A-002, and A-003 are new data elements, i.e., junk, of sort Oid. Sorts Oid and Configuration are declared in the predefined module CONFIGURATION (see Section 6.1), which is implicitly imported in including mode in all object-oriented modules. Since imported in including mode in ACCOUNT, and also in ACCOUNT-TEST, it is not necessary to import it in a different mode. However, since junk is being added, the ACCOUNT module should be imported in the ACCOUNT-TEST module in either including or extending modes. Therefore, the appropriate importation mode is extending.

omod ACCOUNT-TEST is 
 ex ACCOUNT . 
 ops A-001 A-002 A-003 : -> Oid . 
 op bankConf : -> Configuration . 
 eq bankConf = ... . 
endom
     

The following example, from Section 7.5, is more interesting, in that it introduces new sorts MsgBody and Request, not just new constants for a sort in the imported module. Still, the appropriate importation mode is extending because there are no new rewrite rules and no equations, and thus no confusion between elements in imported sorts is introduced.

mod DATA-AGENTS-CONF is 
 ex CONFIGURATION . 
 sort MsgBody . 
 op msg : Oid Oid MsgBody -> Msg [ctor message] . 
 sort Request . 
 op w4 : Oid Oid MsgBody -> Request [ctor] . 
endm
     

There are several other modules in Chapter 6.4 illustrating the use of the extending mode in importing modules, like BANK-MANAGER-TEST, TICKER-TEST, TICKER-FACTORY-TEST, and AGENT-TEST; see Figures 6.1, 6.2, and 7.3.

Hierarchy of predefined modules

A more complex acyclic importation graph corresponds to the hierarchy of predefined modules for basic data types, described later in Chapter 8 and shown in Figure 8.1, where all the importations are in protecting mode.

7.2 The summation module expression

The summation module operation creates a new module that includes all the information in its summands. The syntax for a summation of module expressions is

 $⟨$ModuleExpression$⟩$ + $⟨$ModuleExpression$⟩$
     

Summation expressions are flattened before being evaluated, so that A + (B + C) and (C + A) + B both create a single new module A + B + C. The evaluation of a summation module expression results in the creation of a new module, with such a module expression as its name, which imports the module expressions being combined. The new module will be generated having one type or another, depending on the types of the arguments of the summation module expression. A summation is a functional module if all the summands are functional modules and a system module otherwise.

Although the use of the summation module expression is more interesting in combination with other module expressions, let us consider as an example the following module, in which the union of the predefined FLOAT and STRING modules (see Chapter 8) are imported together in protecting mode to illustrate its use.

fmod FLOAT-STRING is 
 protecting FLOAT + STRING . 
 ... 
endfm
     

Notice that a declaration

protecting A + B .
     

protecting A . 
protecting B .
     

including A + B .
     

including A . 
including B .
     

7.3 Module renaming

The syntax of a renaming module expression is

$⟨$ModuleExpression$⟩$ * ( $⟨$Renaming$⟩$ )
     

sort $⟨$identifier$⟩$ to $⟨$identifier$⟩$ 
op $⟨$identifier$⟩$ to $⟨$identifier$⟩$ 
op $⟨$identifier$⟩$ to $⟨$identifier$⟩$ [ $⟨$attribute-set$⟩$ ] 
op $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ 
op $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ [ $⟨$attribute-set$⟩$ ] 
label $⟨$identifier$⟩$ to $⟨$identifier$⟩$
     

Note that, in addition to the typical renamings of sorts and operators, renaming of labels is also supported (which may be useful for metalevel applications). For object-oriented modules additional renamings also are available:

class $⟨$identifier$⟩$ to $⟨$identifier$⟩$ 
attr $⟨$attr-identifier$⟩$ to $⟨$attr-identifier$⟩$ 
msg $⟨$identifier$⟩$ to $⟨$identifier$⟩$ 
msg $⟨$identifier$⟩$ to $⟨$identifier$⟩$ [ $⟨$attribute-set$⟩$ ] 
msg $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ 
msg $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ [ $⟨$attribute-set$⟩$ ]
     

Renaming (_*(_)) binds tighter than summation (_+_), and it groups to the left. Note how the renaming of operators (and message constructors) allows changing the attributes of the operator being renamed. The only attributes currently allowed in operator maps are prec, gather, and format. The idea is that when you rename an operator, the old syntactic properties may no longer be legal and are reset to defaults, unless you explicitly set them with these attributes; for example, when a change in the syntax of the operator could cause a parsing different from the intended one. Let us see an example in which modifying the grammatical attributes of an operator is useful. Consider the following module defining lists of natural numbers with a max operator returning the greatest of the elements in a list of natural numbers.

fmod NAT-LIST-MAX is 
 pr NAT . 
 sort NeNatList . 
 subsort Nat < NeNatList . 
 op __ : NeNatList NeNatList -> NeNatList [ctor assoc] . 
 op max : NeNatList -> Nat . 
 var N : Nat . 
 var NL : NeNatList . 
 eq max(N) = N . 
 eq max(N NL) = if N > max(NL) then N else max(NL) fi . 
endfm
   

We may obtain the maximum of a list of natural numbers as follows.

Maude> red max(4 2 5 3) . 
result NzNat: 5
     

Suppose now that we want to change the syntax of the function max in the NAT-LIST-MAX module above to maximum_.

fmod NAIVE-NAT-LIST-MIXFIX-MAX is 
 pr NAT-LIST-MAX * (op max : NeNatList -> Nat to maximum_) . 
endfm
   

We can do the following reduction:

Maude> red maximum 2 3 4 1 . 
result NeNatList: 2 3 4 1
     

Maude> red maximum (2 3 4 1) . 
result NzNat: 4
     

but it is more convenient to change the precedence values of the operators. We can, for example, raise the precedence of maximum_.

fmod NAT-LIST-MIXFIX-MAX is 
 pr NAT-LIST-MAX 
      * (op max : NeNatList -> Nat to maximum_ [prec 41]) . 
endfm
     

having then the following reduction.

Maude> red maximum 2 3 4 1 . 
result NzNat: 4
     

A renaming can be considered as a function that, given a module $M$ and a list of mappings $S$, returns a copy of the module, with such a module expression as its name, in which the names of sorts, operators, etc. are changed as indicated by the mappings. However, renaming a module that has imports is a subtle issue. Given a structured specification, the renaming not only causes the creation of a copy of the top module in the structure, but renames also the part of the submodule structure that is affected by the renaming. For any other submodule $M^{\prime }$ in the structure which is affected by the mappings, a renamed copy of it is generated with name $M^{\prime }\mathtt{\text{ * (}}{S}^{\prime }\mathtt{\text{)}}$, where $S^{\prime }$ is the subset of mappings in $S$ that affect $M^{\prime }$.

A module expression $A\mathtt{\text{ * (}}R\mathtt{\text{)}}$ evaluates to $A$ if $A$ has no content that is affected by the renaming $R$. Otherwise $A\mathtt{\text{ * (}}R\mathtt{\text{)}}$ evaluates to a new module $A\mathtt{\text{ * (}}{R}^{\prime }\mathtt{\text{)}}$ where $R^{\prime }$ is obtained by deleting those renaming items that do not affect $A$, and canonizing the types in operator renamings with respect to $A$ (see below). If $A$ imports modules $B$ and $C$, $A\mathtt{\text{ * (}}{R}^{\prime }\mathtt{\text{)}}$ will import modules obtained by evaluating $B\mathtt{\text{ * (}}{R}^{\prime }\mathtt{\text{)}}$ and $C\mathtt{\text{ * (}}{R}^{\prime }\mathtt{\text{)}}$.

There are some subtle cases. Consider for example the following three modules:

fmod RENAMING-EX-A is 
 sort Foo . 
 op a : -> Foo . 
 op f : Foo -> Foo . 
endfm
   

fmod RENAMING-EX-B is 
 including RENAMING-EX-A . 
 sort Bar . 
 subsort Foo < Bar . 
 op f : Bar -> Bar . 
endfm
   

fmod RENAMING-EX-C is 
 inc RENAMING-EX-B * (op f : Bar -> Bar to g) . 
endfm
   

Here, the operator f in the module RENAMING-EX-A looks as though it is not affected by the renaming in the module RENAMING-EX-C, but because of the subsort declaration Foo < Bar in RENAMING-EX-B, it should be renamed for consistency. This is internally handled by the Maude system by canonizing the type Bar occurring in the renaming

op f : Bar -> Bar to g
     

to the kind expression [Foo,Bar], which includes all of the sorts in the kind [Bar] occurring in RENAMING-EX-B. Thus, the module expression

RENAMING-EX-B * (op f : Bar -> Bar to g)
     

evaluates to a new module

RENAMING-EX-B * (op f : [Foo,Bar] -> [Foo,Bar] to g)
     

which includes the module expression

RENAMING-EX-A * (op f : [Foo,Bar] -> [Foo,Bar] to g)
     

which evaluates to a new module

RENAMING-EX-A * (op f : [Foo] -> [Foo] to g)
     

in which f has been renamed.

In general, * does not distribute over +. Consider this other example:

fmod RENAMING-EX-D is 
 sorts Foo Bar . 
endfm
   

fmod RENAMING-EX-E is 
 inc RENAMING-EX-D . 
 op f : Foo -> Foo . 
endfm
   

fmod RENAMING-EX-F is 
 inc RENAMING-EX-D . 
 subsort Foo < Bar . 
 op f : Bar -> Bar . 
endfm
   

It is not the case that the module expressions

(RENAMING-EX-E + RENAMING-EX-F) * (op f : Bar -> Bar to g)
     

and

(RENAMING-EX-E * (op f : Bar -> Bar to g)) 
 + (RENAMING-EX-F * (op f : Bar -> Bar to g))
     

evaluate to the same module, because in the latter the operator f occurring in RENAMING-EX-E will not be renamed, since f : Bar -> Bar does not occur in RENAMING-EX-E.

Operators with the poly attribute are only affected by operator renamings that do not specify types. Renaming a module does not change its module type, that is, renamed functional modules (resp. system modules) remain functional (resp. system).

7.4 Parameterized programming

Theories, parameterized modules, and views are the basic building blocks of parameterized programming [17, 69]. As in OBJ, a theory defines the interface of a parameterized module, that is, the structure and properties required of an actual parameter.

A parameterized module is a module with one or more parameters, each of which is expressed by means of one theory, that is, modules can be parameterized by one or more theories. If we want, e.g., to define a list or a set of elements, we may define a module LIST or SET parameterized by a theory expressing the requirements on the type of the elements to store in such data structures. Thus, theories are used to declare the interface requirements for parameterized modules. In the case of lists and sets we do not need any requirement on the data elements, and therefore we may use the trivial theory TRIV, with just a sort Elt, as parameter of such modules; but in other cases, say search trees or sorted lists, we may require, e.g., a particular operator, an order relation, or an equivalence relation, in which cases we shall need to use the appropriate theories describing the specific requirements.

The instantiation of the formal parameters of a parameterized module with actual parameter modules or theories requires a view mapping entities from the formal interface theory to the corresponding entities in the actual parameter module. Views can also be parameterized, which, as we can see in Section 7.4.7, may greatly improve reusability of specifications.

7.4.1 Theories

Theories are used to declare module interfaces, namely the syntactic and semantic properties to be satisfied by the actual parameter modules used in an instantiation. As for modules, Maude supports three different types of theories: functional theories, system theories, and object-oriented theories, with the same structure of their module counterparts, but with a different semantics. Functional theories are declared with the keywords fth ... endfth, system theories with the keywords th ... endth, and object-oriented theories with oth ... endoth.The three of them can have sorts, subsort relationships, operators, variables, membership axioms, and equations, and can import other theories or modules. System theories can also have rules. Object-oriented theories may include as well declarations of classes, inheritance relationships, and messages. Although there is no restriction on the operator attributes that can be used in a theory, there are some subtle restrictions and issues regarding the mapping of such operators (see Section 7.4.2).

Like functional modules, functional theories are membership equational logic theories, but they do not need to be Church-Rosser and terminating, and therefore some or all of their statements may be declared with the nonexec attribute. Theories have a loose semantics, in the sense that any algebra satisfying the equations and membership axioms in the theory is an acceptable model. However, functional theories can be executed in exactly the same way as functional modules; that is, the equations and membership axioms not having the nonexec attribute should be Church-Rosser and terminating, and can be executed by equational simplification, whereas the statements declared as nonexec can be arbitrary and can only be executed in a controlled way at the metalevel. System and object-oriented theories have a similar loose interpretation, but are treated, respectively, just as system or object-oriented modules for executability purposes. Theories are then allowed to contain rules and equations which, if declared with the nonexec attribute, can be arbitrary, that is, can have variables in their righthand sides or conditions that may not appear in their corresponding lefthand sides and do not obey the admissibility conditions in Sections 4.6 and 5.3. Similarly, conditional membership axioms may have variables in their conditions that do not appear in their head membership assertions. Also, the lefthand side may be a single variable.

Constants in theories may be given a pconst attribute. It marks the constant as a parameter constant. For example:

 op c : -> Foo [pconst] .
     

Let us begin by introducing the functional theory TRIV, which requires just a sort.

fth TRIV is 
 sort Elt . 
endfth
     

The theory TRIV is used very often, for instance in the definition of data structures, such as lists, sets, trees, etc., of elements of some type with no specific requirement; in these cases, it is common to define a module, say LIST, SET, TREE, etc., parameterized by the TRIV theory (see Section 7.4.3). The theory TRIV is predefined in Maude, together with several useful views from TRIV to other predefined modules and theories (see Section 8.13.1).

But we can define more interesting theories. For example, the theory of monoids, with an associative binary operator with identity element 1, can be specified as follows:

fth MONOID is 
 including TRIV . 
 op 1 : -> Elt . 
 op __ : Elt Elt -> Elt [assoc id: 1] . 
endfth
   

Notice the importation of the theory TRIV into the MONOID theory. As for modules, it is possible to structure our theories by importing other theories and modules (and in general module expressions involving theories and modules) into theories. However, a theory cannot be imported into a module: theories can only be used as parameters of modules. Also, theories do not have automatic importation as modules do (e.g., BOOL, as described in Section 8.1).

Modules and theories can be combined in module expressions (they can be summed, for example), and modules can be imported into theories. Basically, we have a lattice

where summation corresponds to join, and where a module or theory may only import a submodule or subtheory of lesser or equal type.

Although the importation of a module into a theory can be done in any mode, a theory can only be imported in including mode into another theory. The including importation of a theory into another theory keeps its loose semantics. However, the importation of a theory into another one in protecting, generated-by or extending mode would imply additional semantic requirements; such modes of importation are ruled out.¹ On the other hand, although a module keeps its initial interpretation when imported into a theory in protecting, generated-by or extending modes, it looses it if imported in including mode.

Let us see a few examples illustrating all this.

The theory of commutative monoids can be defined just as the theory of monoids; the binary operator _+_ is now declared associative, commutative, and has 0 as its identity element.

fth +MONOID is 
 including TRIV . 
 op 0 : -> Elt . 
 op _+_ : Elt Elt -> Elt [assoc comm id: 0] . 
endfth
   

The theory of semirings can be expressed as follows.

fth SEMIRING is 
 including MONOID . 
 including +MONOID . 
 vars X Y Z : Elt . 
 eq X (Y + Z) = (X Y) + (X Z) [nonexec] . 
 eq (X + Y) Z = (X Z) + (Y Z) [nonexec] . 
endfth
   

Note the use of the nonexec attribute, and note also that given the semantics of theory inclusions, there is no difference between having a structured theory or one flat theory including all the declarations.² For example, the theory of commutative rings can be defined directly as follows:

fth RING is 
 sort Ring . 
 ops z e : -> Ring . 
 op _+_ : Ring Ring -> Ring [assoc comm id: z] . 
 op _*_ : Ring Ring -> Ring [assoc comm id: e] . 
 op -_ : Ring -> Ring . 
 vars A B C : Ring . 
 eq A + (- A) = z [nonexec] . 
 eq A * (B + C) = (A * B) + (A * C) [nonexec] . 
endfth
   

but could also be defined as a structured theory including the theories of commutative groups and commutative monoids (renamed if necessary), to which the distributivity axiom is added.

As mentioned above, the including importation of a theory into another theory keeps its loose semantics. However, if the imported theory contains a module, which therefore must be interpreted with an initial semantics (see Section 5.3), then that initial semantics is maintained by the importation. For example, in the definition of the TAOSET theory below, the declaration protecting BOOL ensures that the initial semantics of the functional module for the Booleans is preserved, which is in fact a crucial requirement.

Let us consider now a hierarchy of theories for partially and totally ordered sets. The most basic theory specifies a transitive and antisymmetric order _<_ on a set:

fth TAOSET is 
 protecting BOOL . 
 sort Elt . 
 op _<_ : Elt Elt -> Bool . 
 vars X Y Z : Elt . 
 ceq X < Z = true if X < Y /\ Y < Z [nonexec label transitive] . 
 ceq X = Y if X < Y /\ Y < X [nonexec label antisymmetric] . 
endfth
   

By adding irreflexivity to TAOSET we get a theory specifying a strict partial order:

fth SPOSET is 
 including TAOSET . 
 var X : Elt . 
 eq X < X = false [nonexec label irreflexive] . 
endfth
   

Notice that in this case antisymmetry is implied by irreflexivity and transitivity. Of course, there are different ways of presenting a theory, and in particular one can always write the corresponding flat theory with only the axioms for irreflexivity and transitivity. In the presentation above, the initial semantics of BOOL when it is imported in protecting mode in TAOSET is preserved when the latter is included in SPOSET. The same will hold in further importations in this hierarchy of order theories.

On the other hand, by adding reflexivity to TAOSET we get a theory specifying a non-strict partial order. Notice the renaming in the importation, so that the name of the order _<=_ reflects its reflexivity.

fth NSPOSET is 
 including TAOSET * (op _<_ to _<=_) . 
 var X : Elt . 
 eq X <= X = true [nonexec label reflexive] . 
endfth
   

Having both _<_ and _<=_ available together is useful in some applications. There are standard ways of associating a strict partial order with a non-strict partial order and the other way around:

• from $a<b$, one can define $a\le b$ as equivalent to $a<b$ or $a=b$; and

• from $a\le b$, one can define $a<b$ as equivalent to $a\le b$ and $a\ne b$.

These equivalences can be expressed as Maude theories as follows, where we use the same name for both theories because they are equivalent, that is, we have two different presentations of the same theory and in what follows we will not care about which version of POSET is used.

fth POSET is 
 including SPOSET . 
 op _<=_ : Elt Elt -> Bool . 
 vars X Y : Elt . 
 eq X <= X = true [nonexec] . 
 ceq X <= Y = true if X < Y [nonexec] . 
 ceq X = Y if X <= Y /\ X < Y = false [nonexec] . 
endfth
   

fth POSET is 
 including NSPOSET . 
 op _<_ : Elt Elt -> Bool . 
 vars X Y : Elt . 
 eq X < X = false [nonexec] . 
 ceq X <= Y = true if X < Y [nonexec] . 
 ceq X = Y if X <= Y /\ X < Y = false [nonexec] . 
endfth
     

To each of the previous theories we can add an axiom requiring the order to be total (or linear), that is, two different elements have to be related one way or the other. In this way, we have the following theories for a strict total order, a non-strict total order, and a total order with both operations.

fth STOSET is 
 including SPOSET . 
 vars X Y : Elt . 
 ceq X = Y if X < Y = false /\ Y < X = false [nonexec label total] . 
endfth
   

fth NSTOSET is 
 including NSPOSET . 
 vars X Y : Elt . 
 ceq X <= Y = true if Y <= X = false [nonexec label total] . 
endfth
   

fth TOSET is 
 including POSET . 
 vars X Y : Elt . 
 ceq X <= Y = true if Y <= X = false [nonexec label total] . 
endfth
   

As already mentioned above, the requirement ensuring the initial semantics of BOOL when it is protected in TAOSET is then preserved by the remaining theories when TAOSET is included in them via a chain of including importations. In fact, we are dealing with structures in which part of them, not only the top theory, has a loose semantics, while other parts contain modules with an initial semantics.

This hierarchy of order theories is displayed in Figure 7.1, where we represent by boxes the modules (with initiality constraints), by ovals the theories (with loose semantics), by triple arrows the protecting importations, and by single arrows the including importations.

Finally, as an example of a system theory, let us consider the theory CHOICE of bags of elements with a choice operator defined on the bags by a rewrite rule that nondeterministically picks up one of the elements in the bag. We can specify this theory as follows, where we have a sort Bag declared as a supersort of the sort Elt.

th CHOICE is 
 sorts Bag Elt . 
 subsort Elt < Bag . 
 op empty : -> Bag . 
 op __ : Bag Bag -> Bag [assoc comm id: empty] . 
 op choice : Bag -> Elt . 
 var E : Elt . 
 var B : Bag . 
 rl [choice] : choice(E B) => E . 
endth
   

Let us conclude this section with a word on object-oriented theories. As already explained, their structure is the same as that of object-oriented modules. Object-oriented theories can have classes, subclass relationships, and messages. These object-oriented notions may be useful for the definition of theories; for example, the following theory CELL specifies the theory of classes with at least one attribute of any sort.

oth CELL is 
 sort Elt . 
 class Cell | contents : Elt . 
endoth
   

7.4.2 Views

In Maude, views are used to specify how a particular target module or theory is claimed to satisfy a source theory. In general, there may be several ways in which such requirements might be satisfied, if at all, by the target module or theory; that is, there can be different views, each specifying a particular interpretation of the source theory in the target. Each view declaration has an associated set of proof obligations, namely, for each axiom in the source theory it should be the case that the axiom’s translation by the view holds true in the target. Since the target can be a module interpreted initially, verifying such proof obligations may in general require inductive proof techniques of the style supported for Maude’s logic in [25], and for which tools in the Maude formal environment can be used. Such proof obligations are not discharged or checked by the system.

In the definition of a view we have to indicate its name, the source theory, the target module or theory, and the mapping of each sort and operator in the source theory. The name space of views is separate from the name space of modules and theories, which means that, e.g., a view and a module could have the same name. In fact, we shall see below how we recommend naming inclusion views as the target theory. The source and target of a view can be any module expression, with the source module expression evaluating to a theory and the target module expression evaluating to a module or a theory.

The syntax for views is as follows:

view $⟨$ViewName$⟩$ from $⟨$Source$⟩$ to $⟨$Target$⟩$ is 
 $⟨$Mappings$⟩$ 
endv
     

View names are simple identifiers (a single token), as defined in Section 3.1, but they cannot contain neither underscores nor escaped parentheses or commas (‘_’, ‘(’, ‘)’, ‘[’, ‘]’, ‘’, ‘’, ‘,’). As we will see in Section 7.4.4, when a parameterized constant c{X}, is instantiated with a view V, it becomes c{V}. Since constant operator names cannot contain underscores, this restriction must also be applied to views. Moving up and down the metalevel may cause problems with parentheses and commas. These restrictions are enforced during the analysis phase after surface parsing.

The mapping of a sort in the source theory to a sort in the target module or theory is expressed with syntax

sort $⟨$identifier$⟩$ to $⟨$identifier$⟩$ .
     

For each sort $S$ in the source theory, there must exist a sort $S^{\prime }$ in the target module or theory which is its mapping under the view; unmentioned sorts get the identity mapping. Furthermore, if sorts $S$ and $T$ in the source theory are in the same kind, then their mappings $S^{\prime }$ and $T^{\prime }$ under the view must be in the same kind in the target module or theory. Finally, if $S$ is a subsort of $T$, then it must be true that $S^{\prime }$ is a subsort of $T^{\prime }$.

The mapping of operators is expressed with syntax

op $⟨$identifier$⟩$ to $⟨$identifier$⟩$ . 
op $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ . 
op $⟨$op-expr$⟩$ to term $⟨$term$⟩$ .
     

Views with object-oriented theories as sources and object-oriented modules or object-oriented theories as targets can also be defined. For a view having an object-oriented theory as its source, the mapping of a class in the source theory to a class in the target is expressed with syntax

class $⟨$identifier$⟩$ to $⟨$identifier$⟩$ .
     

Attribute maps have the form

attr $⟨$identifier$⟩$ to $⟨$identifier$⟩$ .
     

The mapping of message constructors is expressed with syntax

msg $⟨$identifier$⟩$ to $⟨$identifier$⟩$ . 
msg $⟨$identifier$⟩$ : $⟨$type-list$⟩$ -> $⟨$type$⟩$ to $⟨$identifier$⟩$ .
     

Maps must preserve the arities and the types of operators and message constructors, and sort maps, and operator and message constructor maps must be compatible. For each operator $f\mathtt{\text{:}}{S}_1\dots S_n\mathtt{\text{->}}T$ in the source theory there must exist an operator $f^{\prime }\mathtt{\text{:}}{S}_1^{\prime }\dots S_n^{\prime }\mathtt{\text{->}}{T}^{\prime }$ in the target module or theory, where $S_i^{\prime }$ is the mapping of sort $S_i$ under such a view.

Unmentioned operators and message constructors also get the identity mapping. Thus, “obvious” parts of a mapping do not need to be explicitly given, namely, any identical mapping of a sort or class, or operator or message constructor such that its arity and coarity are mapped to those of an operator or message constructor with the same name in the target can be omitted.

As a first example, the following view StringAsToset defines a view from the theory TOSET, presented in Section 7.4.1, to the predefined functional module STRING, described in Section 8.9.

view StringAsToset from TOSET to STRING is 
 sort Elt to String . 
endv
   

Notice that the identity maps op _<_ to _<_ and op _<=_ to _<=_ have been omitted.

The maps sending operators to derived operators, that is, terms with variables, allow us to map an operator, not only to another operator, but also to an expression. The view RingToRat below is a view from the theory RING, presented in Section 7.4.1, to the predefined functional module RAT, described in Section 8.7.

view RingToRat from RING to RAT is 
 sort Ring to Rat . 
 op e to term 1 . 
 op z to 0 . 
endv
   

Notice that we have followed the convention of omitting the “obvious” parts of the map concerning the operators _+_ and _*_. Furthermore, we have used an operator map sending the operator e to the term 1, due to the fact that in RAT 1 is not a constant, but the term s_^1(0) (see Sections 4.4.2, 8.3, and 8.7 for details). Note that the map op e to term 1 cannot be expressed with the other forms of operator maps, because 1 is not an operator, but just syntactic sugar for the term s_^1(0).

As another example, consider the view from the theory NSPOSET, in which we have a sort Elt and a non-strict “less or equal” operator _<=_ : Elt Elt -> Bool, to a module defining the integers with no such operator but instead with a strict operator “less than” _<_ : Int Int -> Bool. Then, we can define a view with maps

sort Elt to Int . 
op X:Elt <= Y:Elt to term X:Int < Y:Int or X:Int == Y:Int .
     

Also, the righthand side, X:Int < Y:Int or X:Int == Y:Int in this case, must parse to a unique term in the target module or theory. The only variables that may occur in the target term are those appearing in the source term; however, they may occur multiple times or not at all. If the source term parses to a sort $S$ or kind $[S]$, then the target term must parse to sort $T$ or kind $[T]$ such that $T$ and the mapping of $S$ under the view $S^{\prime }$ belong to the same kind.

Views may also contain variable declarations. The syntax is identical to that in modules and theories. However, its semantics is subtly different. Instead of declaring a single variable, a declaration

 var X : $S$ .
     

now declares two aliases with the same name; in the lefthand side of an operator mapping, X is an alias for X:$S$ while in the righthand side of an operator mapping, X is an alias for X:$S^{\prime }$, with $S^{\prime }$ the mapping of $S$ under the view.

For example, we can define a view from the theory SPOSET with a strict order operation _<_ to the predefined functional module INT of integers (see Section 8.5) in such a way that the _<_ order relation of a poset is mapped to an expression using the “less than or equal” operator _<=_ on sort Int and the predefined inequality operator _=/=_ in BOOL (see Sections 8.5 and 8.1) as follows:

view SPosetToInt from SPOSET to INT is 
 sort Elt to Int . 
 vars X Y : Elt . 
 op X < Y to term X <= Y and X =/= Y . 
endv