Object Specification Logic

Object Speci�cation LogicAm��lcar Sernadas, Cristina SernadasIST, Department of Mathematics, Lisbon, PortugalJos�e F�elix CostaFaculdade de Ciencias, Department of Informatics, Lisbon, PortugalNovember 2, 1995AbstractA logic for specifying and reasoning about object classes and their in-stances (aspects) is presented and illustrated. This logic is an extensionof a rather standard linear temporal, many-sorted, �rst-order predicatelogic with equality. The extensions where designed to be as simple aspossible while supporting the envisaged locality of arguments, object spe-cialization and object aggregation. Objects are speci�ed through theiraspects. Each aspect establishes a local vocabulary (signature). The logicworks at two levels: �rst, we can specify and prove assertions about agiven object aspect in isolation (local reasoning), eg persons, or patients,or cars; second, we can specify interaction constraints and make inferencesbetween aspects within the same community of objects (global reasoning),eg carry the theorems of persons onto patients (specialization inheritance),or carry the theorems of persons onto the aggregations of persons and cars(incorporation inheritance). Some re ection mechanisms are also shownto be sound: for instance what becomes true of persons because of theinteractions between persons and cars. The proposed logic is given in anaxiomatic style.Key words: System speci�cation and veri�cation, object-orientation, logic of inher-itance, logic of interaction, temporal logic, many-sorted logic.1 IntroductionObject-oriented programming has become increasingly popular thanks to the expectedadvantages in software development and maintenance productivity [Bro90, Cox90].Such advantages are presented as corollaries of the intensive use of the data encapsula-tion and reuse facilities made available by the object-oriented development languagesand systems [DMN67, GR83, Str86, Cox86, Mey88]. Object-orientation seems alsoto pay-o� at the level of software speci�cation and design [Boo86, SFSE89a, Nie89].Taking for granted this thesis, one should ask what kind of object-oriented speci-�cation language should be adopted. Several have been proposed in the literature[SFSE89a, SE91, JSHS91, SRGS91].We defend a formal approach to speci�cation since the price of lower exibility atthe early stages is well counterbalanced by the advantages of a rigourous semantics andcorrectness veri�ability. The latter imposes more than a formal speci�cation language:a deductive system is needed also, making it a speci�cation/veri�cation logic. Indeed,1

object-orientation promises a lot at the level of the deductive system: it should bepossible to carry out \local" proofs and later on assess if and how the resulting theoremscarry over to the \whole".Actually, we defend a temporal logic approach to object speci�cation, in the se-quel of much work in the general direction of using temporal logic for (information)system speci�cation triggered by [Pnu77, Ser80] and later explored for instance in[FS88, SFSE89b, CS91, FSMS91, FM92]. Compared with [FM92] our approach putsan emphasis on object classes (and their instances) and deals with interaction in a dif-ferent way. Instead of using theory morphisms and colimit constructions for describinginteracting objects, we express all constraints (including interaction ones) as formulae(of the same logic but possibly in di�erent vocabulary contexts). Morphisms are usedonly to set-up the relationships between aspects (eg specialization). This approachseems to be more amenable to extension to classes.In a nutshell, we propose and illustrate the use of a logic of \object aspects". Thislogic is an extension of a rather standard linear temporal, many-sorted, �rst-orderpredicate logic with equality. The extensions where designed to be as simple as possiblewhile supporting the envisaged locality of arguments, object specialization and objectaggregation. Objects are speci�ed through their aspects. Each aspect establishes alocal vocabulary (signature). The logic works at two levels: �rst, we can specify andprove assertions about a given object aspect in isolation (local reasoning), eg persons,or patients, or cars; second, we can specify interaction constraints and make inferencesbetween aspects within the same community of objects (global reasoning), eg carry thetheorems of persons onto patients (specialization inheritance), or carry the theorems ofpersons onto the aggregations of persons and cars (incorporation inheritance). Somere ection mechanisms are also shown to be sound: for instance what becomes true ofpersons because of the interactions between persons and cars.The proposed logic is given in an axiomatic style. We decided to refrain fromconsidering in this paper more practical versions, for instance sequent-based as in[SGL92] or tableau-based as in [LS91, GSGA93] where only local reasoning has beenconsidered. Also, we only establish soundness. It should be possible to obtain a(relative) completeness result but that is a topic for further research. The proposedlogic is monotonic, although we recognize that a full account of object specialization(with overriding) will need non-monotonic features [BL91, CSS94].We assume that the reader is conversant with the �eld of temporal logic speci-�cation (for instance at the level of [McA76, Gol87]). For an overview see [Eme90].We also use a little bit of category theory (the reader may �nd all relevant conceptsin the introductory chapters of any textbook on the matter, eg [AHS90]): the moreexotic notion of freely generated cartesian category is reviewed in the Appendix (formore details see [Sza78]). We also assume that the reader is familiar with the use ofmany-sorted formalisms for speci�cation purposes, either in the algebraic abstract datatype setting (see [EM85]), or in the program correctness context (see [TZ88]). For arecent account of many sorted logic and its applications see [MT93].Before entering the presentation of the logic, Section 2 discusses the underlyingobject framework (following [ES91]) and outlines the main requirements for a logicof aspects. The local logic of object aspects is established in Section 3: language,semantics and deductive system. Section 4 presents the auxiliary notions of aspectsignature morphism and aspect speci�cation morphism, needed in the sequel. Finally,Section 5 presents the global logic for reasoning about a communityof objects, includingspecialization and aggregation without and with interaction: language, semantics anddeductive system. Note that the usefulness of some peculiar features of the local logicgiven in Section 3 only become clear in Section 5.2

2 Object and aspectsAt �rst sight, an object is an entity with an internal state (re ected in the values of itsslots or attributes) that may interact with other objects. While so interacting an objectdisplays some behaviour. That is, depending on its internal state, it is not always readyto provide the same services to the others and/or to ask the same services of others.The most basic unit of interaction is the event: for instance, the event open-door maybe shared by a person and a car. Therefore, the behaviour of an object may be seenas corresponding to a state-dependent menu of enabled actions (at each state the setof actions in which the object is \willing" to involve itself).At this naive level of analysis, already proposed in [SFSE89b], the speci�cation ofan object should include the list of its attributes (with the indication of their codomainsorts), the list of its actions (with the indication of their parameter sorts if any) andthe constraints on its behaviour.As an illustration consider books as objects. Among their attributes we may �nd:code (taking values in the set of natural numbers), registered-in (taking values in theset of books), and available (taking boolean values). For instance, available=true issupposed to mean that a book is available for borrowing. If so, in such a state ofthe book under consideration the observation available(true) is possible. Among theactions of books we may consider: is-taken (with a parameter taking values in the setof users) and is-returned (with a similar parameter). For instance, the occurrence ofthe action is-taken(John) is supposed to mean that the book under consideration wasat that point taken out by user John. Clearly, that action may only happen in a statewhere the book is available.Actually, the picture is a little bit more complex: what we have been talking aboutso far is just an object aspect ([ES91]). Indeed, if we consider an object like \Abstractand Concrete Categories" in some library, it may have several aspects: it is a book(having all properties of books in that library), but it may also be a reserved-book(having the added properties of the so called reserved books that may not be takenaway from the library). The other objects may interact with it as a book, disregardingthe additional services of a reserved book if any, unknowing that its behaviour may beconstrained because it is also a reserved book. Of course, they may also interact withit as a reserved book. In short, \Abstract and Concrete Categories" may play the roleof a book although it is a reserved book. Indeed, it might even play other roles likething. This mechanism (polymorphism by inclusion) is essential to reuse, one of thekey features of object-orientation.Therefore, an object is, in general, a collection of aspects consistent with eachother. From a speci�cation point of view, it is clear that we should specify only objectaspects! That is, objects are speci�ed through their aspects. Therefore, we need anobject aspect speci�cation logic for \local" reasoning about a given aspect disregardingthe other aspects.But the interplay between the di�erent aspects of the same object is to be carriedout at the \global" level where we recognize relationships between di�erent aspects: forinstance, the specialization relationship we have been illustrating. Furthermore, at theglobal level we can also impose the interactions that may exist between di�erent aspects:for instance, when a book is-taken we know that a user takes it. Thus, interactionconstraints can be expressed by formulae relating events in di�erent aspects.To this end, it is important to consider aggregation aspects, such as the compositeof a book and an user where the interactions between that book and that user are tobe speci�ed. Then, the same speci�cation and veri�cation techniques can be used forspecifying local and global (interaction) behaviour.Note also that similar aspects constitute aspect types. It makes more sense tospecify aspect types instead of aspects per se. Moreover, we may need attributes that3

take values in aspect types (beside data types). For illustration consider the aspecttype book composed of all books, including \Abstract and Concrete Categories".It is important to stress that we are dealing here with aspect types and not objecttypes (see [ES91]). Indeed, each object may have several related aspects (recall theexample of \Abstract and Concrete Categories" with two aspects: a book aspect and areserved-book aspect). Each of its aspects is an instance of an aspect type. Specializa-tion appears at the aspect type level as follows: for instance we say that reserved-bookis a subtype of book, or book is a supertype of reserved book. Aggregation is re ectedat the type level also. We need aggregation aspect types, such as book-user whoseinstances are the pairs of books and users.En passant note that associated to each aspect type we may have an aspect class,or in the traditional but misleading object-oriented terminology, an object class. Aclass is more than a type: it is itself an aspect with an attribute listing all the existinginstances of that aspect type.Therefore, the envisaged aspect speci�cation logic must provide the means forreferring to individuals of di�erent types (eg integer, book, user, book-user, reserved-book), hence the many-sorted �rst-order approach. This approach should be orderedfor aspect types so that the specialization sub-supertype relationships can be madeexplicit (this idea is also explored in [BHPS93]). The speci�cation logic must alsoprovide the means for describing the behaviour of each individual, hence the temporalapproach. The signature of each aspect should include its attributes and actions. Bothare introduced as (state-dependent) predicates following [FM92].The proposed aspect speci�cation logic includes some generic axioms that re- ect universal properties of aspects, namely: functional constraint on attribute pred-icates; sequentiality of prime (non-aggregation) aspects; frame constraint (locality asin [FM92]).The properties of data types (eg boolean, integer) are assumed to given once andfor all, in order to concentrate on the speci�cation and veri�cation of object aspects.With respect to the interplay between the local and global levels of reasoning, weshould expect some form of inheritance mechanisms, eg for specialization (allowing theinclusion of theorems about a supertype into the set of theorems about a subtype).Less expected are some re ection mechanisms that allow the theorems to be obtainedin an aspect by taking into account its embedding in the community of aspects, eg foraggregation (if we know that every user returns the books that he/she takes away, wecan conclude that every book is returned).3 Object aspect speci�cation3.1 Local languageRecall that a data signature is a pair � = hS;OP i where S is a set and OP is aS� � S-indexed family of sets. The elements of S are said to be sorts and, for each(w; s) 2 S� � S, OPw;s is the set of operation symbols with parameter list w and resultsort s. Given an S-indexed familyZ of sets of variables, for each s 2 S, T�;s(Z) denotesthe set of terms of sort s that may be inductively built with the variables in Z over �.An equation over a signature � is a triple hZ; t; t0i where Z is an S-indexed family ofsets and t; t0 2 T�;s(Z) for some s 2 S. A data speci�cation is a pair spec = h�; Eqiwhere � is a data signature and Eq is a set of equations over �.From now on, we assume as given a �xed data speci�cation specDT = h�DT ; EqDT iwith �DT = hSDT ; OPDT i. This data speci�cation is called the data environment.In the examples below we assume that the data signature �DT contains interalia:SDT = fbool; natg, (OPDT )�;bool = ftrue; falseg and (OPDT )bool;bool = fnotg.4

We are now ready to introduce the notion of aspect signature corresponding to agiven class of objects. Clearly, it should include the attribute observation symbols andthe action symbols of that class. Moreover, since attributes/actions may point to andhave parameters in instances of other classes, we need to include the context of aspectsorts that are visible. Among these aspect sorts, we �nd the underlying aspect sort ofthe individuals of the class at hand. The visible aspect sorts are ordered for depictingthe specialization relationship between them (for a similar approach see [BHPS93]).Finally, we must also consider all possible aggregations of the prime visible aspect sorts.To this end we use a canonical construction described in [Sza78] and summarized in theAppendix. Note that this construction provides symbols for denoting the projectionsfrom an aggregation sort into each of its components.De�nition 3.1 An aspect signature is a tuple � = hSGS;�; �;OBS;ACT i where:� SGS;� is the cartesian category freely generated from a partial order hGS;�iwhere GS is a �nite set;� � is an element of AS = jSGS;�j;� OBS is an (SDT � AS)+-indexed family of �nite sets;� ACT is an (SDT �AS)�-indexed family of �nite sets.In this context, the elements of AS are said to be aspect sorts; the elements of GSare called generator or prime sorts; each product s1�:::�sn is said to be the aggregationsort of s1; :::; sn with sort projections �1 : s1 � :::� sn ! s1,..., �n : s1 � :::� sn ! sn;for each pair s; s0 2 GS such that s � s0, � : s ! s0 is said to be the sort inclusion ofs into s0 (the identity in s when s0 = s); the terminal sort is denoted by 1; the partialorder � on prime sorts is called the inheritance relation: whenever s � s0 we say thats is a subsort of s0 and s0 is a supersort of s; � is the underlying sort; each OBSw sis the set of attribute observation symbols with parameter sort list w and result sorts; and each ACTw is the set of action symbols with parameter sort list w. If � 2 GSthen � is said to be a prime aspect signature. Otherwise, � is called a composite aspectsignature.For illustration purposes consider a library where for the moment we want to haveonly books, users and reserved books. Assume the following object aspect signature�book for books:� GSbook = fbook; userg;� �book= idGSbook;� �book = book;� (OBSbook)bool = favailableg;� (OBSbook)nat = fcodeg;� (OBSbook)book = fregistereding;� (ACTbook)nat book = f?g;� (ACTbook)user = fistaken; isreturnedg.Consider the following object aspect signature �user for users:� GSuser = fbook; userg;� �user= idGSuser ;� �user = user; 5

� (OBSuser)book bool = fborrowedbookg;� (ACTuser)� = ?;� (ACTuser)book = ftakes; returnsg.Finally, consider the following object aspect signature �resbook for reserved-books(whose borrowing may be suspended):� GSresbook = fresbook; book; userg;� �resbook= idGSresbook [ fhresbook; bookig;� �resbook = resbook;� (OBSresbook)bool = favailable; suspendedg;� (OBSresbook)nat = fcodeg;� (OBSresbook)book = fregistereding;� (ACTresbook)nat book = f?g;� (ACTresbook)user = fistaken; isreturnedg;� (ACTresbook)� = fissuspended; isresumedg.Given an aspect signature, we proceed to introduce the terms and formulae thatwe can write over that signature. First, we recognize the available predicate symbols.De�nition 3.2 Given an aspect signature � = hSGS;�; �;OBS;ACT i, PRD is the(SDT �AS)�-indexed family of sets of predicate symbols such that:� PRD� = foccc : c 2 ACT�g;� PRDw = foccc : c 2 ACTwg [ fo : o 2 OBSwg for each w 2 (SDT � AS)+ .The predicate occc refers to the actual occurrence (happening) of c. We refrainto consider here the enabling predicate enbc indicating when the action c is enabledas proposed in [FS88]. Indeed, such a distinction would imply the adoption of a morecomplicated semantics (at least multilinear). We return to this issue in the concludingremarks.Terms are built using the usual constructions found in any many-sorted formalism(eg [TZ88]). Moreover, terms of aspect sort s0 can be built from terms of aspect sort susing any morphism � : s! s0.De�nition 3.3 Let � = hSGS;�; �;OBS;ACT i be an aspect signature and Z an(SDT �AS)-indexed family of sets of variables. The (SDT �AS)-indexed family T�(Z)of sets of terms is inductively built as follows using the family Z of variables with theoperation symbols in OPDT and the sort morphisms in SGS;�:� z 2 T�;s(Z) provided that z 2 Zs;� h(t1; :::; tn) 2 T�;s(Z) provided that h 2 OPDTs1:::sn;s and each ti 2 T�;si(Z);� �(t) 2 T�;s0(Z) provided that � : s! s0 and t 2 T�;s(Z).6

Concerning formulae, we found useful to distinguish between (aspect) schema for-mulae and aspect (instance) formulae. The latter are needed when the reference to theinstance at hand is important, eg in interactions as we shall see later on. The schemalanguage is almost the standard many-sorted, linear temporal �rst-order with equalitylanguage within the context at hand of aspect signatures. For the temporal constructssee for instance [Gol87]: as usual, X is the next operator, F is the sometime operator,G is the always operator and U is the until operator. Note only the unary predicatesallowing the recognition that a term of a given supersort is also of a given subsort.These will be needed when re ecting theorems from the subtype into the supertype,as we shall see later.De�nition 3.4 Let � = hSGS;�; �;OBS;ACT i be an aspect signature and Z an(SDT � AS)-indexed family of sets of variables. The many-sorted, �rst-order, lineartemporal schema language with equality SL�(Z) is inductively built as follows usingthe predicate symbols in PRD and the terms in T�(Z):1. (t1 = t2) 2 SL�(Z) provided that t1; t2 2 T�;s(Z) for some sort s;2. s(t) 2 SL�(Z) provided that t 2 T�;s0(Z) and s � s0;3. p 2 SL�(Z) provided that p 2 PRD�;4. p(t1; :::; tn) 2 SL�(Z) provided that p 2 PRDs1:::sn and each ti 2 T�;si(Z);5. (: f) 2 SL�(Z) provided that f 2 SL�(Z);6. (f ^ g); (f _ g); (f jg); (f ) g); (f , g) 2 SL�(Z) provided that f; g 2 SL�(Z);7. (8xf) 2 SL�(Z) provided that f 2 SL�(Z) and x 2 Zs for some sort s;8. (Xf); (F f) 2 SL�(Z) provided that f 2 SL�(Z);9. (f U g) 2 SL�(Z) provided that f; g 2 SL�(Z).Basically, an aspect (instance) formula is a schema formula instanciated on a givenvariable of the underlying aspect sort.De�nition 3.5 Given an aspect signature � = hSGS;�; �;OBS;ACT i, each elementof the aspect language L� is a pair (Z; z(f)) where:� Z is an (SDT � AS)-indexed family of sets of variables;� z 2 Z�;� f 2 SL�(Z);� f does not contain any quanti�cation on variable z;� z(f) is obtained from f by uniformly replacing each symbol p 2 PRD by z:p.In this context, we say that z is the target variable of the formula.The following expressions are abbreviated formulae (second element z(f) of a for-mula (Z; z(f)) of L�book:� (b:occ?(n; b0)) (X b:available(true)));� (b:occistaken(u)) (X b:available(false)));� (b:occistaken(u)) b:available(true)).7

The variables are mnemonic of their sorts (b; b0 : book; u : user; n : nat). Forinstance, the last of these formulae states that if the action istaken(u) occurs in theinstance b of book then the observation available(true) holds in that same instance b.The notion of aspect speci�cation as a theory presentation is as usual (see for instance[GB92]).De�nition 3.6 An aspect speci�cation is a pair spec = h�; Axi where � is an objectaspect signature and Ax � L�. In this context, the elements of Ax are called (local)aspect axioms.Example 3.7 Consider the aspect speci�cationspecbook = h�book; Axbookiwhere Axbook includes the following axioms:1. (b:occ?(n; b0)) (X(G(: b:occ?(n0; b00)))));2. (b:occ?(n; b0)) (X b:available(true)));3. (b:occ?(n; b0)) (X(G b:code(n))));4. (b:occ?(n; b0)) (X(G b:registeredin(b0))));5. (b:occistaken(u)) b:available(true));6. (b:occisreturned(u)) b:available(false));7. (b:occistaken(u)) (X(b:available(false)));8. (b:occisreturned(u)) (X(b:available(true))).Axiom 1 states that no ?-action of b may occur after a ?-action of b. Axiom 4imposes that the book b0 where b is registered is indicated by the second parameterof the birth-action of b. Axiom 5 states that if the action istaken(u) occurs thenavailable(true) must hold. Finally, axiom7 states the e�ects of the occurrence of actionistaken(u): immediately afterwards the value of the attribute available becomes true.Example 3.8 Consider the aspect speci�cationspecuser = h�user; Axuseriwhere Axuser includes the following axioms:1. (u:occ?) (X(G(:u:?))));2. (u:occ?) (X(:(9b u:borrowedbook(b; true)))));3. (u:occtakes(b)) u:borrowedbook(b; false));4. (u:occreturns(b)) u:borrowedbook(b; true));5. (u:occtakes(b)) (Xu:borrowedbook(b; true)));6. (u:occreturns(b)) (Xu:borrowedbook(b; false)));7. (u:occtakes(b)) (u:borrowedbook(b; true)U u:occreturns(b))).Axiom 7 states that the occurrence of action takes(b) implies that book b is bor-rowed until the occurrence of the action returns(b).8

Example 3.9 Consider the aspect speci�cationspecreservedbook = h�reservedbook; Axreservedbookiwhere Axreservedbook includes the following axioms:1. (r:occ?(n; b)) (X r:suspended(false)));2. (r:occistaken(u)) r:suspended(false));3. (r:occissuspended) (r:available(true) ^ r:suspended(false)));4. (r:occisresumed) r:suspended(true));5. (r:occissuspended) (X r:suspended(true)));6. (r:occisresumed) (X r:suspended(false)));7. (:(r:occissuspended ^ r:occistaken(u)));8. (X(F r:occissuspended)).Clearly, we also expect to bring in the properties of book. Such a mechanism forinheritance into subtypes is an essential piece of the envisaged deductive system (see5.3 below).In the sequel we work with the following basic sublanguage BSL�(Z):1. (t1 = t2) 2 BSL�(Z) provided that t1; t2 2 T�;s(Z) for some sort s;2. p 2 BSL�(Z) provided that p 2 PRD�;3. p(t1; :::; tn) 2 BSL�(Z) provided that p 2 PRDs1:::sn and each ti 2 T�;si(Z);4. (: f) 2 BSL�(Z) provided that f 2 BSL�(Z);5. (f ) g) 2 BSL�(Z) provided that f; g 2 BSL�(Z);6. (8xf) 2 BSL�(Z) provided that f 2 BSL�(Z) and x 2 Zs for some sort s;7. (Xf); (G f) 2 BSL�(Z) provided that f 2 BSL�(Z);8. (f U g) 2 BSL�(Z) provided that f; g 2 BSL�(Z).We recover the full SL�(Z) with the standard abbreviations: (f _g) is ((: f))g);(f ^g) is (:(f) (:g))); (f jg) is ((f ^(: g))_ ((: f)^g)); (f,g) is ((f)g)^ (g)f));and, �nally, (F f) is (:(G(: f))).3.2 Local semanticsWe assume as given some �xed specDT -algebra dt that we call data environment algebra,or, simply, data algebra (see [EM85]). For each data sort s 2 SDT , dts is the carrier setof sort s. For each operation symbol h 2 (OPDT )w;s, [[h]]dt is the interpretation givenby the algebra dt to h.We are now ready to introduce the notion of interpretation structure for a givenaspect signature. It is composed of two parts. The �rst part provides the carriers for theaspect sorts, generalizing the usual many-sorted family of carriers to the aggregationsorts and subsorts. In the sequel Set denotes the category of sets and total maps. Thesecond part is a linear Kripke structure, traditional for linear temporal logic semantics(see [Gol87]) with some necessary adaptations and constraints.De�nition 3.10 Given an aspect signature � = hSGS;�; �;OBS;ACT i, an interpre-tation structure over � is a pair asp = hU; �i where:9

� U : SGS;� ! Set is a cartesian functor such that U (s) � U (s0) whenever s � s0(in the sequel we may write U (s) instead of dts for each s 2 SDT );� � : IN ! IB whereIB = }fu:p(v1; :::; vn) : u 2 U (�); p 2 PRDs1;:::;sn ; vi 2 U (si) for i = 1; :::; nwith n � 0g such that1. if fu:o(v1; :::; vn) 2 �k+1g 6= fu:o(v1; :::; vn) 2 �kg then there is an actionsymbol c such that u:occc(v1; :::; vn) 2 �k for suitable v1; :::; vn;2. for each observation symbol o, if u:o(v1; :::; vn); u:o(v01; :::; v0n) 2 �k andvi = v0i for i = 1; :::; n� 1 then vn = v0n;3. for each action symbol c, if u:occo(v1; :::; vn); u:occo(v01; :::; v0n) 2 �k thenvi = v0i for i = 1; :::; n.Clause (1) states that changes in the set of observations are made only by actions:similar to the locality concept in [FM92]. Clause (2) states that attributes are func-tional. Clause (3) states the mutual exclusion of actions of the same kind, that is, itimposes the sequentiality of each basic component of the object aspect.We may want to extract from an interpretation structure the life-cycle (sequenceof observations and action occurences) of a particular instance of the underlying aspectsort, as follows:De�nition 3.11 Let asp = hU; �i be an interpretation structure over the signature� = hSGS;�; a; OBS;ACT i. For each u 2 U (�), we extract from � the sequence (calledthe life cycle of instance u) �u : IN ! SB whereSB = }fp(v1; :::; vn) : p 2 PRDs1;:::;sn; vi 2 U (si) for i = 1; :::; n with n � 0gsuch that�u;k = fo(v1; :::; vn) : u:o(v1; :::; vn) 2 �kg [ foccc(v1; :::; vn) : u:occc(v1; :::; vn) 2 �kg.We proceed now to establish the interpretation of terms and satisfaction of formu-lae, after introducing the necessary notion of assignment of values to variables. Thesede�nitions are quite standard in a many-sorted, linear temporal, �rst-order environ-ment, barring some peculiarities raised by the relationships between aspect sorts. Forthe temporal operators see for instance [Gol87]. For the many-sorted issues see forinstance [End72, Man93].De�nition 3.12 Given an interpretation structure asp = hU; �i over the signature� = hSGS;�; �;OBS;ACT i and an (SDT � AS)-indexed family Z of variables, anassignment to Z is an (SDT � AS)-indexed family asg of maps such that asgs : Zs !U (s).De�nition 3.13 Given an interpretation structure asp = hU; �i over the signature� = hSGS;�; �;OBS;ACT i, an (SDT � AS)-indexed family Z of variables and anassignment asg to Z, the interpretation over asp of terms in T�(Z) is de�ned as follows:� [[z]]asp;asg = asgs(z) for z 2 Zs;� [[h(t1; :::; tn)]]asp;asg = [[h]]dt([[t1]]asp;asg; :::; [[tn]]asp;asg) for h 2 OPDTs1;:::;sn ;� [[�(t)]]asp;asg = U (�)([[t]]asp;asg) for t 2 T�;s(Z), for each � : s! s0.The interpretation of terms built with sort morphisms is de�ned using the inter-pretation (a total map in Set) of the morphism given by the functor U .10

De�nition 3.14 Given an interpretation structure asp = hU; �i over the signature� = hSGS;�; a; OBS;ACT i, an (SDT � AS)-indexed family Z of variables, an assign-ment asg to Z and a position k 2 IN , the satisfaction by asp for asg at k is inductivelyde�ned for all formulae on Z with target z as follows:� asp �asg;k (Z; (t1 = t2)) i� [[t1]]asp;asg = [[t2]]asp;asg;� asp �asg;k (Z; s(t)) i� [[t]]asp;asg 2 U (s);� asp �asg;k (Z; z:p) i� asg(z):p 2 �k for p 2 PRD�;� asp �asg;k (Z; z:p(t1; :::; tn))i� asg(z):p([[t1]]asp;asg; :::; [[tn]]asp;asg) 2 �k for p 2 PRDs1;:::;sn ;� asp �asg;k (Z; z(: f)) i� not asp �asg;k (Z; z(f));� asp �asg;k (Z; z(f ) g)) i� asp �asg;k (Z; z(f)) implies asp �asg;k (Z; z(g));� asp �asg;k (Z; z(8xf))i� asp �asg0;k (Z; z(f)) for every assignment asg0 x-equivalent to asg;� asp �asg;k (Z; z(Xf)) i� asp �asg;k+1 (Z; z(f));� asp �asg;k (Z; z(Gf)) i� asp �asg;k0 (Z; z(f)) for every k0 � k;� asp �asg;k (Z; z(f U g))i� asp �asg;k (Z; z(g)) for some k0 � k andasp �asg;k (Z; z(f)) for every k00 such that k � k00 � k0.De�nition 3.15 Let asp = hU; �i be an interpretation structure over the signature� = hSGS;�; a; OBS;ACT i. We say that asp satis�es a formula (Z; z(f)) 2 L�,written asp � (Z; z(f)), i� asp �asg;k (Z; z(f)) for every assignment asg to Z andevery position k 2 IN . We say that asp satis�es a speci�cation spec = h�; Axi, writtenasp � spec i� asp � (Z; z(f)) for every formula (Z; z(f)) 2 Ax.Validity and semantic closure are as expected: a formula is valid i� it is satis�edby every interpretation structure; the semantic closure of a speci�cation includes allformulae that are satis�ed by all interpretation structures that satisfy the axioms (seefor instance [GB92]).De�nition 3.16 Let � = hSGS;�; �;OBS;ACT i be an aspect signature. We say thata formula (Z; z(f)) 2 L� is valid, written �� (Z; z(f)), i� asp � (Z; z(f)) for everyinterpretation structure asp over �.De�nition 3.17 Let spec = h�; Axi be a speci�cation. The semantic closure of specis the following set of formulae in L�:Ax�� = f(Z; z(f)) : asp � (Z; z(f)) for each interpretation structure asp such thatasp � specg.Whenever (Z; z(f)) 2 Ax�� we write �spec (Z; z(f)).We also need the following notion of semantic entailment within the context of agiven speci�cation.De�nition 3.18 Let spec = h�; Axi be a speci�cation and H a set of formulae of L�.The set of formulae semantically entailed by H within spec is as follows:AxH�� = f(Z; z(f)) : asp � (Z; z(f)) for each interpretation structure asp such thatasp � (�; Ax[H).Whenever (Z; z(f)) 2 AxH�� we write H �spec (Z; z(f)).It is not worthwhile to illustrate these concepts at this stage since they have theircounterparts in the deductive system. 11

3.3 Local reasoningOur objective at this stage is to introduce a deductive system for reasoning about objectaspects in isolation, that is not taking into account the community where they maybe inserted. The deductive system must include the usual axioms for a many-sorted,�rst-order, linear temporal logic with equality (see [End72, Gol87]) plus some speci�caxioms related to the general properties of object aspects. The inference rules shouldbe the traditional ones.We adopt the following conventions: (8f); (9f) stand for the universal, existen-tial closure of f , respectively; x; x0; x1; :::; xn are suitable tuples of variables; equalitybetween tuples stand for conjunction of equalities between the corresponding pairs ofvariables.De�nition 3.19 Let spec = h�; Axi be a speci�cation. The theory generated by specis the least set of formulae of L�, denoted Ax`�, satisfying the following requirements:1. (Z; z(f)) 2 Ax`�provided that f is a tautological formula: TautA;2. (Z; z((8xf)) g)) 2 Ax`�provided that g is is obtained from f by uniformly replacing all free occurrencesof x by t where t is free for x in f : QA1;3. (Z; z((8x(f ) g))) ((8xf)) (8xg)))) 2 Ax`� : QA2;4. (Z; z(f ) (8xf))) 2 Ax`�provided that x does not occur free in f : QA3;5. (Z; (x = x)) 2 Ax`� : RefA;6. (Z; ((x = y)) z(f ) g))) 2 Ax`�where f; g are atomic and g is obtained from f by replacing zero or more occur-rences of x by y: CongA;7. (Z; z((G(f ) g))) ((G f)) (Gg)))) 2 Ax`�: GA;8. (Z; z((X(f ) g))) ((X f)) (Xg)))) 2 Ax`�: XA;9. (Z; z((X(: f)), (:(X f)))) 2 Ax`�: XNA;10. (Z; z((Gf)) (f ^ (X(G f))))) 2 Ax`�: GXA;11. (Z; z((G(f ) (X f)))) (f ) (G f)))) 2 Ax`�: IndA;12. (Z; z((f U g)) (F g))) 2 Ax`�: UFA;13. (Z; z((f U g)) (g _ (f ^ (X(f U g)))))) 2 Ax`� :UXA;14. (Z; z((8x(Gf))) (G(8xf)))) 2 Ax`� : GBarcA;15. (Z; z((8x(Xf))) (X(8xf)))) 2 Ax`� : XBarcA;16. Ax � Ax`�: ASA;17. (Z; (8(t = t0))) 2 Ax`�provided that the data sort terms t and t0 have the same value in dt for everyassignment: PDtA;18. (Z; (:(8(t = t0)))) 2 Ax`�provided that the data sort terms t and t0 do not have the same value in dt forsome assignment: NDtA;19. x:(�n(:::(�1(y):::) = �(y)) 2 Ax`cprovided that � = �n � ::: � �1: MorA;12

20. (Z; z((9(:(o(x), (Xo(x)))))) ((9occc1(x1)) _ :::_ occcn(xn))))) 2 Ax`�for each observation symbol symbol o, assuming that fc1; :::; cng is the set of allaction symbols of �: FrmAo;21. (Z; z((o(x; x)^ o(x; x0))) (x = x0))) 2 Ax`�for each observation symbol o: FuncAo;22. (Z; z((occc(x) ^ occc(x0))) (x = x0))) 2 Ax`�for each action symbol c: ExcAc;23. If (Z; z(f)); (Z; z(f ) g)) 2 Ax`� then (Z; z(g)) 2 Ax`�: DetR;24. If (Z; z(f)) 2 Ax`� then (Z; z(8xf)) 2 Ax`� : GenR;25. If (Z; z(f)) 2 Ax`� then (Z; z(Gf)) 2 Ax`�: GNecR;26. If (Z; z(f)) 2 Ax`� then (Z; z(Xf)) 2 Ax`�: XNecR.The speci�c axioms concerning the underlying data structure (PDtA;NDtA) re- ect for the sake of simplicity all assertions valid in dt. We adopt this high handedapproach because we do not want to concern ourselves with the reasoning about datavalues. The axioms related to sort morphisms MorA are straightforward. The frameaxiom schema (FrmAo) re ects the fact that observations may be modi�ed only byactions. This axiom plays the role of the locality rule in [FM92]. The functionalityaxiom schema (FuncAo) re ects the functionality of attributes. The exclusion axiomschema (ExcAc) re ects the mutual exclusion of similar actions.The notions of theorem and derivation follow as expected.De�nition 3.20 Let spec = h�; Axi be a speci�cation. Each element (Z; z(f)) ofAx`� is said to be a theorem of spec, written `spec (Z; z(f)).De�nition 3.21 Let spec = h�; Axi be a speci�cation and H � L�. The set offormulae derived fromH within spec is the least set of formulae of L�, denoted AxH`�,satisfying the following requirements:� Ax`� � AxH`� ;� H � AxH`� ;� If (Z; z(f)); (Z; z(f ) g)) 2 AxH`�then (Z; z(g)) 2 AxH`� : DetR.We write H `spec (Z; z(f)) whenever (Z; z(f)) 2 AxH`� .It is straightforward to establish by induction the soundness of the proposed de-ductive system:Theorem 3.22 (Soundness Theorem)Let spec = h�; Axi be a speci�cation, H � L� and (Z; z(f)) 2 L�. If H `spec (Z; z(f))then H �spec (Z; z(f)).Note the careful usage of the inference rules (only detachment is used when makingderivations) so that we can obtain the metatheorems in their simplest formulation.Indeed:Theorem 3.23 Let spec = h�; Axi be a speci�cation and (Z; z(f)); (Z 0; z0(f 0)) 2 L�.Then:� If (Z; z(f)) `spec (Z 0; z0(f 0))) then `spec ((Z; z(f))) (Z 0; z0(f 0))): DED;13

� If (Z; z(f)) `spec (Z 0; z0(f 0)) and (Z; z(f)) `spec (Z 0; z0(: f 0))then `spec (Z; z(: f)): ABS.Example 3.24`specbook (:((9u b:occistaken(u)) ^ (9u b:occisreturned(u))))Derivation:0. ((9u b:occistaken(u)) ^ (9u: b:occisreturned(u))) Hyp1. (9u b:occistaken(u)) TautA;DetR : 02. (b:occistaken(u)) b:available(true)) ASA3. ((9u b:occistaken(u))) b:available(true)) FOT;DetR : 24. (9u b:occisreturned(u)) TautA;DetR : 05. (b:occisreturned(u)) b:available(false)) ASA6. ((9u b:occisreturned(u))) b:available(false)) FOT;DetR : 57. (b:available(true) ^ b:available(false)) TautA;DetR : 1; 3; 4; 68. ((b:available(x) ^ b:available(x0))) (x = x0)) FuncAavailable9. ((b:available(true) ^ b:available(false)) )(true = false)) QA1; DetR : 810. (true = false) DetR : 7; 911. (:(true = false)) NDtA12. (:((9u b:occistaken(u)) ^ (9u b:occisreturned(u)))) ABS : 0; 10; 11By FOT we mean a well known theorem of the �rst-order predicate calculus.Example 3.25 `specresbook (X(F r:available(true)))Derivation:0. (X(F r:occissuspended)) ASA1. (r:occissuspended) (r:available(true) ^ r:suspended(false))) ASA2. (r:occissuspended) r:available(true)) TauTA;DetR : 13. (X(F r:available(true))) TLT;DetR : 0; 2By TLT we mean a well known theorem of the linear temporal calculus.The latter result although trivial will be used later on for illustrating the re ectionmechanism of the global deductive system.4 Object aspect morphismsIn order to explain inheritance and aggregation we need to be able to relate aspect spec-i�cations. This objective is achieved by introducing the notion of aspect speci�cationmorphism. But �rst we have to consider aspect signature morphisms.4.1 Signature morphismAn aspect signature morphism should map aspect sorts into aspect sorts, observationsymbols into observation symbols and action symbols into action symbols, preservingthe (transformed) parameter sorts (as already described in [FM92] capitalizing in thetradition of many-sorted formalisms [EM85]).14

Furthermore, we must be careful concerning the cartesian category of aspect sorts:its structure (aggregation sorts and subsorts) should be preserved by the signaturemorphism. Finally, note that we should allow the change of the underlying sort notaccording to the sort map. For instance, in the inclusion morphism from the aspectsignature of book into the aspect signature of reserved-book, the aspect sort book ismapped onto itself by the sort map, but we want the underlying aspect sort to beresbook in the latter signature! However, we should be able to relate the instancesof the latter underlying sort with the instances of the former underlying sort. In theexample at hand, the sort inclusion morphism from resbook into book does the trick.The usage of this subtle mechanism for aggregation will be illustrated later on.De�nition 4.1 An aspect signature morphism� : hSGS;�; �;OBS;ACT i ! hSGS0 ;�0 ; �0; OBS0; ACT 0iis a quadruple h�AS ; ��; �OBS ; �ACT i where� �AS : SGS;� ! SGS0;�0 is a cartesian functor such that�AS(s) �0 �AS(s0) whenever s � s0;� �� : �0 ! �AS(�) is a morphism of SGS0;�0 ;� �OBS is an (SDT�AS)+-indexed family of maps: each map is �OBS;w : OBSw !OBS0�+AS (w);� �ACT is an (SDT �AS)�-indexed family of maps: each map is �ACT;w : ACTw !ACT 0��AS(w).The aspect signature morphism is said to be an inclusion when the functor �AS is aninclusion, �� is a sort inclusion and the maps �OBS ; �ACT are inclusions. The aspectsignature morphism is said to be an injection when the functor �AS is an embedding,�� is a sort projection and the maps �OBS ; �ACT are injections.We have an inclusion signature morphism � : �book ! �resbook from the signatureof book into the signature of reserved book and injection signature morphisms �i :�book ! �book�book, i=1,2 from book and book into the aggregation of the two books.Given a signature morphism � : � ! �0, we should be able to translate formulaeof � into formulae of �0. Clearly, observation and action symbols must be replacedaccording to their maps of the signature morphism, as already used in [FM92].However, we must be careful with the sorts of the variables. All variables changesorts according to the sort map of the signature morphism, with the exception of thetarget variable since this must become of the underlying sort of the aspect signature�0. Therefore, in order to keep sort consistency, we must replace occurrences of thetarget variable z in parameters by the term of the correct sort ��(z).De�nition 4.2 Given an aspect signature morphism � : �! �0, the translation of aformula (Z; z(f)) 2 L� by � is the formula (Z� ; z(�(f))) 2 L�0 such that:� �(f) 2 SL�0 (Z�) is obtained from the schema f by replacing each o 2 (OBS�)wby �OBS;w(o), each c 2 (ACT�)w by �ACT;w(c) and z by the term ��(z);� Z� is the (SDT � AS0)-indexed family of sets of variables de�ned as follows:x 2 (Z�)s0 whenever either x is not z and x 2 Zs and s0 = �AS(s), or x is z ands0 = �0. 15

Consider the inclusion aspect signature morphism � : �book ! �resbook. Thetranslation of the book axiom(b:occistaken(u)) b:available(true))is (b:occistaken(u)) b:available(true))but where b becomes of sort resbook. The translation of(b:occ?(n; b0)) (X(G b:registeredin(b0))))is the formula (b:occ?(n; b0)) (X(G b:registeredin(b0))))where b is of sort resbook but b0 remains of sort book. The translation ofb:registeredin(b)is b:registeredin(�book;resbook(b)):Consider the injection aspect signature morphism � : �book ! �book�user. Assum-ing that � is an inclusion on observations and actions, the translation of(b:occistaken(u)) b:available(true))is (b:occistaken(u)) b:available(true))but where b becomes of sort book � user. The translation of(b:occ?(n; b0)) (X(G b:registeredin(b0))))is (b:occ?(n; b0)) (X(G b:registeredin(b0))))where b is of sort book � user but b0 remains of sort book. And(b:registeredin(b))is translated onto (b:registeredin(�1(b))):Consider an injection aspect signature morphism � : �book ! �book�book. Thetranslation of (b:occistaken(u)) b:available(true))is (b:occ�ACT (istaken(u))) b:�OBS (available(true)))with b of sort book � book. 16

4.2 Speci�cation morphisms: specialization and incorporationThe notion of speci�cation morphism follows as usual (see [GB92]). We also identifytwo special cases: one useful when describing specialization and the other useful fordealing with aggregation.De�nition 4.3 An aspect speci�cation morphism � : h�; Axi ! h�0; Ax0i is an aspectsignature morphism � : �! �0 such that�(AX) = f(Z�; z(�(f))) : (Z; z(f)) 2 AXg � (Ax0)��0 .De�nition 4.4 An aspect speci�cation morphism � : h�; Axi ! h�0; Ax0i is said tobe a specialization i� the underlying signature morphism is an inclusion.Specialization morphisms are important to explain inheritance. We want the in-clusion aspect signature morphism � : book ! resbook to induce a specializationmorphism. Thus, the translation of every axiom on books is to be entailed by thespeci�cation of reserved books.De�nition 4.5 An aspect speci�cation morphism � : h�; Axi ! h�0; Ax0i is said tobe an incorporation i� the underlying signature morphism is an injection.Incorporation morphisms are important to explain the relationship between anaggregation and its components. We want the injection aspect signature morphism�i : �book ! �book�book, for i=1,2, to induce an incorporation morphism. Thus, thetranslation of every axiom on books is to be entailed (twice) by the speci�cation ofbook � book.4.3 The category of aspect speci�cationsHaving aspect signature and aspect speci�cation morphisms we can de�ne a categoryof aspect signatures and a category of aspect speci�cations. In both cases we needcoproducts as we shall see in the next Section.Theorem 4.6 Aspect signatures and their aspect signature morphisms constitute acategory: ASig.Theorem 4.7 The category ASig is cocartesian.Proof:� The aspect signature hS;;;; 1; ;; ;i is initial;� The coproduct hSGS;�; �;OBS;ACT iof hSGS0 ;�0 ; �0; OBS0; ACT 0i and hSGS00 ;�00 ; �00; OBS00; ACT 00i is as follows:{ GS = GS0 +GS00 with injections i0 and i00;{ s � r providing that either s �0 r when s; r 2 GS0 or s �00 r whens; r 2 GS00;{ � is i0e(�0)� i00e (�00) where i0e; i00e are the canonical extensions of i0; i00 to AS0and AS00, respectively;{ OBS is the (SDT � AS)+-indexed family of the least sets such that ifo0 2 OBS0w then j0(o0) 2 OBSi0x+(w) and if o00 2 OBS00w then j00(o00) 2OBSi00x+(w), where i0x; i00x are the extensions of i0e; i00e to (SDT � AS0) and(SDT � AS00), respectively, such that i0x(s) = i00x(s) = iDT (s) for everys 2 sDT ; 17

{ ACT is the (SDT � AS)�-indexed family obtained in a similar way fromthe families ACT 0 and ACT 00.Theorem 4.8 Aspect speci�cations and their aspect speci�cation morphisms consti-tute a category: ASpec.Theorem 4.9 The category ASpec is cocartesian.Proof:� The aspect speci�cation hhS;;;; 1; ;; ;i; ;i is initial;� The coproduct hhSGS;�; �;OBS;ACT i; Axiof hhSGS0;�0 ; �0; OBS0; ACT 0i; Ax0i and hhSGS00;�00 ; �00; OBS00; ACT 00i; Ax00i is asfollows:{ hSGS;�; �;OBS;ACT i is the coproduct of hSGS0;�0 ; �0; OBS0; ACT 0i andhSGS00;�00 ; �00; OBS00; ACT 00i with the signature injections �0 and �00;{ Ax = �0(Ax0) [ �00(Ax00).We might expect the cocompleteness of these categories but since we only needcoproducts in the sequel we refrain from considering colimits in general herein.5 Object community speci�cationWe want to de�ne the concept of community speci�cation. For this purpose we muststart by introducing a global language.5.1 Global languageThe alphabet of the language for specifying communities of aspects should include therelevant aspect signatures with constraints re ecting the specialization and incorpora-tion relationships.De�nition 5.1 A community signature is a pair = hSGS;�; f�rgr2AS i where:� SGS ;� is the cartesian category freely generated from a partial order (GS;�)where GS is a �nite set;� AS = jSGS ;� j;� for each r 2 GS, �r = hSGSr ;�r ; �r; OBSr ; ACT ri is an aspect signature suchthat{ SGSr ;�r is a cartesian full subcategory of SGS;�;{ whenever r � r0, there is an inclusion aspect signature morphism �r0;r :�r0 ! �r;{ �1 = hS;;;; 1; ;; ;i is the initial aspect signature;{ for each aggregation sort r = r1 � :::� rn with r1; :::; rn 2 GS, �r is thecoproduct of �r1 ; :::;�rn endowed with injections �1 : �r1 ! �r; :::; �n :�rn ! �r (called the prime injection morphisms of the aggregation).That is, a community signature is a family of consistent aspect signatures in thesense that the required specialization and incorporation morphisms are present.As an illustration consider the following community signature library :18

� GSlibrary = fbook; user; resbook; librariang;� �library= idGSlibrary [ fhresbook; bookig;� �booklibrary;�userlibrary;�resbooklibrary are as given before;� �librarianlibrary is not detailed here.A community speci�cation is a community signature endowed with axioms for eachof its aspect sorts.De�nition 5.2 A community speci�cation is a pair cspec = h; fAxrgr2ASi with = hSGS;�; f�rgr2ASi such that:� specr = h�r ; Axri constitutes an aspect speci�cation for each r 2 AS;� Ax1 = ;.Example 5.3 As an illustration, consider the following speci�cation of the interactionbetween books and users using formulae of L�book�user :1. z:occtakes(�1(z)), z:occistaken(�2(z));2. z:occreturns(�1(z)), z:occisreturned(�2(z)).Axiom 1 imposes that the occurrence of the action takes(�1(z)) in the user �2(z)implies the occurrence of the action istaken(�2(z)) in the book �1(z), and vice-versa.Clearly, the speci�er must be careful when adding interaction axioms (on the ag-gregation sorts). The examples above are typical. Also typical are mutual exclusionconstraints. The decision on which kinds of interaction axioms to allow is a method-ological one.For instance, one should expect the formulaz:occtakes(�1(z)), z:occistaken(�3(z))to be entailed by Axbook�librarian�user. Indeed, the interaction between books andusers should carry through to the aggregation aspect of books, users and librarianstogether. Moreover, one should expect the formulaez:occ�2(takes)(�1(z)), z:occistaken(�2(z))and z:occ�3(takes)(�1(z)), z:occistaken(�3(z))to be entailed by Axbook�user�user.5.2 Global semanticsIn the global semantics we must state how the local (aspect) interpretation structuresare related. For this purpose we need to know what is �(B) for any B 2 SBr1 whenever� : �r1 ! �r2 is either an inclusion or an injection aspect signature morphism:�(B) = f�(p)(v1; :::; vn) : p(v1; :::; vn) 2 Bgwhere �(occe) = occ�(e).De�nition 5.4 Given a community signature = hSGS;�; f�rgr2AS i where for eachr 2 AS �r = hSGSr ;�r ; �r; OBSr ; ACT ri, an interpretation structure over is a paircom = hcU; fasprgr2AS i where: 19

� cU : SGS;� ! Set is a cartesian functor such that cU (s) � cU (s0) whenevers � s0 (in the sequel, we may write cU (s) instead of dts for each s 2 SDT );� each aspr = hU r; �ri is an interpretation structure for �r such that1. U r(s) = cU (s) for each s 2 ASr , U r(�) = cU (�) for every� 2MorSGSr ;�r (s; s0);2. (�ru;k) #�r0;r(SBr0 )= �r0;r(�r0cU(�r0;r� )(u);k), whenever r � r0;3. (�r1�:::�rnu;k ) #�i(SBri )= �i(�ricU(�i� )(u);k) for i = 1; :::; n.Clause (2) states that whenever r � r0 we obtain from the life cycle of an instanceu of sort r the image of the life cycle of the instance u of sort r0 when we only keep ateach point predicates in the image of SBr0 . Clause (3) states a similar constraint foraggregations.We now proceed to establish the notions of interpretation of terms, satisfactionof formulae, validity, semantic closure, and semantic entailment within the context ofa community interpretation structure. These de�nitions parallel what we did beforefor aspects, with the necessary adaptations, namely concerning the indexing on aspectsignatures throughout.De�nition 5.5 Given an interpretation structure com = hcU; fasprgr2AS i over thesignature = hSGS;�; f�rgr2AS i and an (SDT � AS)-indexed family Z of variables,an assignment to Z is an (SDT � AS)-indexed family asg of maps such that asgs :Zs ! cU (s).De�nition 5.6 Given an interpretation structure com = hcU; fasprgr2AS i over thesignature = hSGS;�; f�rgr2AS i, an (SDT � AS)-indexed family Z of variables andan assignment asg to Z, the restriction asgr of asg to �r is an (SDT � ASr)-indexedfamily of maps such that (asgr )s = asgs for each s 2 SDT �ASr .De�nition 5.7 Given an interpretation structure com = hcU; fasprgr2AS i over thesignature = hSGS;�; f�rgr2AS i, an (SDT � AS)-indexed family Z of variables andan assignment asg to Z, the interpretation over com through asg of terms in T�r (Z) isde�ned as follows: [[t]]com;asg = [[t]]aspr;asgr .De�nition 5.8 Given an interpretation structure com = hcU; fasprgr2AS i over thesignature = hSGS;�; f�rgr2ASi, an (SDT � AS)-indexed family Z of variables, anassignment asg to Z, a formula (Z; z(f)) 2 L�r and k 2 IN , com satis�es (Z; z(f)) forassignment asg at position k, written com �asg;k (Z; z(f)), i� aspr �asgr ;k (Z; z(f)).De�nition 5.9 Let com = hcU; fasprgr2ASi be an interpretation structure over thesignature = hSGS;�; f�rgr2ASi. We say that com satis�es a formula (Z; z(f)) 2 L�r ,written com � (Z; z(f)), i� com �asg;k (Z; z(f)) for every assignment asg to Z and ev-ery position k 2 IN . We say that com satis�es a speci�cation cspec = h; fAxrgr2ASi,written com � cspec, i� com � (Z; z(f)) for every formula (Z; z(f)) of Axr for everyr 2 AS.De�nition 5.10 Let = hSGS;�; f�rgr2ASi be a community signature. We say thata formula (Z; z(f)) 2 L�r is valid, written � (Z; z(f)), i� com � (Z; z(f)) for everyinterpretation structure com over .De�nition 5.11 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2ASi. The semantic closure of cspec is the family Ax� =fAx�rgr2AS such that each Ax�r is the following subset of the language L�r :f(Z; z(f)) : com � (Z; z(f)) for each interpretation com such that com � cspecg.Whenever (Z; z(f)) 2 Ax�r we write �cspecr (Z; z(f)).20

De�nition 5.12 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2AS i and H = fHrgr2AS where each Hr is a set of formulaeof L�r . Each element AxH�r � L�r of the AS-indexed family AxH�� of sets of for-mulae semantically entailed by H within cspec is as follows:f(Z; z(f)) : com � (Z; z(f)) for each interpretation com such that com � h; fAxr [Hrgr2AS ig.Whenever (Z; z(f)) 2 AxH�r we write H �cspecr (Z; z(f)).The following results depict the three main forms of inheritance imposed by aglobal speci�cation on its local theories. Although interesting in themselves, theyappear herein as lemmas for the soundness result presented in the next section. It isstraightforward to prove them taking into account the tight binding between life cyclesof a community interpretation structure (clauses (2) and (3) of de�nition 5.4). Thethird result deserves some attention because it might easily be overlooked: interactionsare also inherited via specialization!Theorem 5.13 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2AS i. For each pair r; r0 2 GS, if r � r0 then �r0;r :h�r0 ; Axr0i ! h�r ; Ax�r i is an aspect specialization morphism.Theorem 5.14 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2AS i. If r = r1 � ::: � rn with r1; :::; rn 2 GS then�i : h�ri ; Axrii ! h�r; Ax�r i is an aspect incorporation morphism for each i = 1; ::; n.Theorem 5.15 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2AS i. If r = r1� :::�rn and r0 = r01� :::�r0n with ri � r0i fori = 1; :::; n then �r01;r1�:::��r0n;rn : h�r0 ; Axr0i ! h�r ; Ax�r i is an aspect speci�cationmorphism.5.3 Global reasoningThe objective now is to introduce a deductive system for reasoning about a communitytaking into account inheritance and interaction. Note again the indexing on aspectsorts throughout.De�nition 5.16 Let cspec = h; Axi be a community speci�cation with signature = hSGS;�; f�rgr2ASi and Ax = fAxrgr2AS . The theory generated by cspec is thefamily Ax` = fAx`rgr2AS such that Ax`r is the least set of formulae of L�rsatisfying the following requirements:1. (Z; z(f)) 2 Ax`rwhenever `specr (Z; z(f)) where specr = h�r ; Axri: LocA;2. If (Z; z(f)); (Z; z(f ) g)) 2 Ax`r then (Z; z(g)) 2 Ax`r : DetR;3. If (Z; z(f)) 2 Ax`r then (Z; z(8xf)) 2 Ax`r : GenR;4. If (Z; z(f)) 2 Ax`r then (Z; z(Gf)) 2 Ax`r : GNecR;5. If (Z; z(f)) 2 Ax`r then (Z; z(Xf)) 2 Ax`r : XNecR;6. �r0;r(Z; z(f)) 2 Ax`rprovided that (Z; z(f)) 2 Ax`r0 whenever r � r0: SpcR;7. �i(Z; z(f)) 2 Ax`rprovided that (Z; z(f)) 2 Ax`ri for some i = 1; :::; n whenever r = r1 � :::� rnwith r1; :::; rn 2 GS: IncR; 21

8. �r01;r1 � :::� �r0n;rn (Z; z(f)) 2 Ax`rprovided that (Z; z(f)) 2 Ax`r0 whenever r = r1� :::� rn and r0 = r01� :::� r0nwith ri � r0i for i = 1; :::; n: IntR;9. (Z; (r(z)) z(f))) 2 Ax`r0provided that r � r0 and (Z�r0;r ; z(�r0;r(f))) 2 Ax`r : SRefR;10. (Z; z(f)) 2 Ax`r0provided that r = r0 � ::: � rn, the set of free aspect sort variables in z(f) isfz; x1; :::; xng, the sort of xi is ri for i = 1; :::; n and (Z�0 ; z(g)) 2 Ax`r whereg is obtained from �0(f) by replacing xi by �i(z) for i = 1; :::; n: IRefR.De�nition 5.17 Let cspec = h; Axi be a community speci�cation. Each element(Z; z(f)) of Ax`r for each r 2 AS is said to be a r-theorem of cspec, written `cspecr(Z; z(f)).The axiom schema LocA brings in all local theorems. Inference rule SpcR imposesthat the r0-theorems are mapped onto r-theorems whenever r � r0. Inference rule IncRimposes that, for i = 1; :::; n, the ri-theorems are mapped onto r-theorems whenever r =r1 � :::� rn with r1; :::; rn 2 GS. Inference rule IntR makes sure that interactions arealso inherited. On the other hand, SrefR imposes that some r-theorems are re ectedas r0-theorems for r � r0. Rule IRefR imposes a similar re ection for components ofaggregations.De�nition 5.18 Let cspec = h; fAxrgr2ASi be a community speci�cation with sig-nature = hSGS;�; f�rgr2AS i and H = fHrgr2AS where each Hr is a set of formulaeof L�r . The set of formulae derived from H within cspec is the least set of formulae ofL�r , denoted AxH`r , satisfying the following requirements:� Ax`r � AxH`r ;� Hr � AxH`r ;� If (Z; z(f)); (Z; z(f ) g)) 2 AxH`r then (Z; z(g)) 2 AxH`r : DetR.We write H `cspecr (Z; z(f)) whenever (Z; z(f)) 2 AxH`r .The soundness of the proposed global deductive system should not be too di�cultto establish since the speci�c inference rules mirror the tight relationships imposed inthe interpretation structures between the di�erent life cycles:Theorem 5.19 (Soundness Theorem)Let cspec = h; Axi be a community speci�cation, H = fHrgr2AS where each Hr isa set of formulae of L�r and (Z; z(f)) 2 L�r . If H `cspecr (Z; z(f)) then H �cspecr(Z; z(f)).Proof: The result is obtained by induction following the inductive de�nition ofthe set AxH`r . The soundness of the inheritance rules SpcR, IncR and IntR is animmediate consequence of the three results stated at the end of the previous sec-tion. The re ection rules SRefR and IRefR deserve some attention. But sincethe former is much easier to establish than the latter we outline herein only theproof of the soundness of IRefR. We have to prove that if (Z�0 ; z(g)) 2 Ax`rthen (Z; z(f)) 2 Ax`r0 (provided that r = r0 � ::: � rn, the set of free aspectsort variables in z(f) is fz; x1; :::; xng, the sort of xi is ri for i = 1; :::; n, and gis obtained from �0(f) by replacing xi by �i(z) for i = 1; :::n). For the sake of22

simplicity we consider f to be an atomic formula p(z; x1; ::::; xn): there is no trou-ble in retaining the result in the general case. Therefore, we need to verify that ifcom � z:�0(p)(�0(z); �1(z); :::; �n(z)) for every structure com satisfying cspec thencom � z:p(z; x1; :::; xn) for every structure com satisfying cspec. Actually, we ver-ify that if com � z:�0(p)(�0(z); �1(z); :::; �n(z)) then com � z:p(z; x1; :::; xn). In-deed, from the former we successively conclude: com �asg;k z:�0(p)(�0; �1(z); :::; �n(z))for every assignment asg and position k; aspr �asgr ;k z:�0(p)(�0(z); �1(z); :::; �n(z))for every asg and k; asgr(z):�0(p)(asgr (z)0; asgr(z)1; :::; asgr(z)n) 2 �rk for everyasg and k; �0(p)(asgr(z)0; asgr(z)1; :::; asgr(z)n) 2 �rasgr(z);k for every asg and k;�0(p)(a0; a1; :::; an) 2 �r(a0 ;a1;:::;an);k for every a0; a1; :::; an and k; p(a0; a1; :::; an) 2�r0a0;k for every a0; a1; :::; an and k (using clause (3) in the de�nition of community in-terpretation structure); p(asgr0 (z)0; asgr0 (x1); :::; asgr(xn)) 2 �r0asgr0 (z);k for every asgand k; aspr0 �asgr0 ;k z:p(z; x1; :::; xn) for every asg and k; com � z:p(z; x1; :::; xn).Again, the following metatheorems are useful:Theorem 5.20 (Metatheorems)Let cspec = h; Axi be a community speci�cation and (Z; z(f)); (Z 0; z0(f 0)) 2 L�r .Then:� If (Z; z(f)) `cspecr (Z 0; z0(f 0)) then `cspecr ((Z; z(f))) (Z 0; z0(f 0))): DED;� If (Z; z(f)) `cspecr (Z 0; z0(f 0)) and (Z; z(f)) `cspecr (Z 0; z0(:f 0)) then `cspecr(Z; z(: f)): ABS.Example 5.21`book�usercspeclibrary (z:occistaken(�2(z))) (F z:occisreturned(�2(z))))Derivation:0. z:occistaken(�2(z)) Hyp1. (z:occistaken(�2(z))) z:occtakes(�1(z))) LocAbook�user2. z:occtakes(�1(z)) DetR : 0; 13. (z:occtakes(�1(z)))(z:borrowedbook(�1(z); true) U z:occreturns(�1(z)))) IncRuser4. (z:borrowedbook(�1(z); true) U z:occreturns(�1(z))) DetR : 2; 35. ((z:borrowedbook(�1(z); true) U z:occreturns(�1(z))))(F z:occreturns(�1(z)))) UFA6. (F z:occreturns(�1(z))) DetR : 4; 57. (G(z:occreturns(�1(z))) z:occisreturned(�2(z)))) LocAbook�user; GNecR8. ((F(z:occreturns(�1(z)))) (F z:occisreturned(�2(z)))) TLT;DetR : 79. (F z:occisreturned(�2(z))) DetR : 6; 810. (z:occistaken(�2(z))) (F z:occisreturned(�2(z)))) DED : 0; 9Example 5.22`bookcspeclibrary (b:occistaken(u)) (F b:occisreturned(u)))Derivation:0. (z:occistaken(u)) (F z:occisreturned(u))) IRefR : example 5:211. (b:occistaken(u)) (F b:occisreturned(u))) FOT;Det : 023

Example 5.23 Assuming that resbook �book book,`bookcspeclibrary (resbook(b)) (X(F b:available(true))))Derivation:0. (resbook(r)) (X(F r:available(true)))) SRefR : example 3:251. (resbook(b)) (X(F b:available(true)))) FOT;Det : 0These examples illustrate the main features of the proposed logic for reasoningglobally about a community of object aspects: namely, importing local theorems, in-heritance into specializations and aggregations, as well as re ection.6 Concluding remarksAn object aspect speci�cation logic was presented that provides the means for rea-soning about communities of aspects, dealing with their aggregation without and withinteraction plus specialization. The semantics is a straightforward extension of thetraditional Kripke semantics for a many-sorted, �rst-order, linear temporal predicatelogic. The extension includes:1. the treatment of the non-rigid attributes as predicates (with the expected func-tionality constraint);2. a rather weak constraint on sequentiality of components (mutual exclusion ofsimilar actions) allowing simultaneous actions in aggregations;3. a frame constraint (observations do not change attributes);4. incorporation of the theorems about the underlying data structure;5. inheritance of theorems into specializations;6. inheritance of theorems into aggregations;7. re ection of theorems from specializations;8. re ection of theorems from aggregations.The proposed re ection rules show that both specialization and aggregation inducein general non-conservative extensions of the original aspects (cf Examples 5.22 and5.23). This is not unexpected and we consider it an essential feature of the proposedlogic.The inheritance rules clearly show that we have here a rather simple approach tospecialization (and aggregation) of a purely monotonic nature: specialization (and ag-gregation) may only add new theorems. We are aware that such a monotonic approachmay not be su�cient. For instance, specialization with overriding is non-monotonic.This question should be addressed in subsequent work, maybe along the lines proposedfor semantic domains in [CSS94] using the notion of partial morphism. However, it doesnot seem trivial to lift such a notion to the level of theories. Work in this directionis already presented in [BLR93] based upon an earlier version of the logic presentedherein.Another limitation of the proposed logic is the impossibility of having consistentspecializations with side-e�ects (that is, where a new action a�ects the value of anattribute of the original aspect). Indeed, the logic as it stands imposes a \no sidee�ects constraint" (cf the tight relationship between the life-cycles of a specializationand its original aspect). The same applies to aggregations but in this case that is24

precisely what we want: in an aggregation we should not expect that an action ofa component may a�ect the value of an attribute of another component. Providinga mechanism for supporting side e�ects in specializations seems to require a minorrevision of the proposed logic in the direction of treating in a rather di�erent wayobservations and actions (in the global semantics and in the corresponding rules of thedeductive system).The question of fairness was completely disregarded in this paper. Indeed, weassume that the task of imposing fairness or justice requirements is left to the speci�er(to the point of inconsistency if by mistake too much is required). Further work isneeded on this topic, adapting to the proposed framework the ideas already presentin the literature (see for instance [Fra86, Jon90, MP92]). Some interesting resultsconcerning fair aggregation are presented in [SS93], where an institution of objects isestablished for any given temporal logic of speci�cation. In the institutional front seealso [SCS94, FCSM93]. To this end it seems useful to bring in the distinction betweenaction enabling and action occurrence.The problem of the (relative) completeness of the axiomatic system we proposewas also ignored in the paper. Indeed, given that we accept as theorems all that isknown about data types and since the relative completeness of the temporal and �rst-order fragments was already established in the literature, what remains at stake is thecompleteness of the object aspect and community speci�c axioms and rules. This is aninteresting topic for further research, maybe by coding �rst the entire logic into a puremany-sorted, �rst-order logic (see [Man93]).Notwithstanding these limitations, the proposed logic does provide a useful settingfor specifying and reasoning about object classes, their aggregations and specializa-tions. We have been experimenting with practical examples within the context of alarge-scale application and we are now working towards a more machine-oriented de-ductive system with automatic (or at least computer-aided) theorem proving in mind(see [GSGA93]). A prototype is running for a signi�cant fragment of the proposedlogic. Concerning reasoning about numbers the prototype uses the simplex algorithm(following [NO79]). The proposed logic has been shown to be useful for providing a(proof-theoretic) semantics of object-oriented speci�cation languages: see for instance[Jun93].7 Appendix: Freely generated cartesian categoriesWe shortly describe the functor Fcc : PO! Cat that maps each partial order into itscanonical cartesian extension. Let P = hjP j;�i be a partial order. Then Fcc(P ) is thecartesian category such that:1. hjFcc(P )j;�; 1i is the monoid freely generated from jP j;2. the set MorFcc(P ) is the quocient set induced on the set inductively de�ned asfollows:� (� : s! s0) 2MorFcc(P ) provided that s � s0;� (� : s! s) 2MorFcc(P ) provided that s 2 (jFcc(P )j n jP j);� (� : s! 1) 2MorFcc(P ) provided that s 2 jFcc(P )j;� (�1 : s0 � s00 ! s0) 2MorFcc(P ) provided that s0; s00 2 jFcc(P )j;� (�2 : s0 � s00 ! s00) 2MorFcc(P ) provided that s0; s00 2 jFcc(P )j;� ((� : s! s0); (� 0 : s0 ! s00) : s! s00) 2MorFcc(P )provided that � : s! s0; � 0 : s0 ! s00 2MorFcc(P );25

� ((� 0 : s! s0) � (� 00 : s! s00) : s! s0 � s00) 2MorFcc(P )provided that � 0 : s! s0; � 00 : s! s00 2MorFcc(P );by the least equivalence relation induced by the equations:� ((� : s! s); (� : s! s0) : s! s0) = (� : s! s0);� ((� : s! s0); (� : s0 ! s0) : s! s0) = (� : s! s0);� ((� : s! s0); (�0 : s0 ! s00) : s! s00) = (� : s! s00);� (((� : s! s0); (� 0 : s0 ! s00) : s! s00); (� 00 : s00 ! s000) : s! s000)= ((� : s! s0); ((� 0 : s0 ! s00); ((� 00 : s00 ! s000) : s! s000) : s! s000);� (((� 0 : s! s0)� (� 00 : s! s00) : s! s0 � s00); (�1 : s0 � s00 ! s0) : s! s0) =� 0 : s! s0);� (((� 0 : s ! s0) � (� 00 : s ! s00) : s ! s0 � s00); (�2 : s0 � s00 ! s00) : s !s00) = � 0 : s! s00);� (((� : s! s0 � s00); (�1 : s0 � s00 ! s0) : s! s0)� ((� : s! s0 � s00);(�2 : s0 � s00 ! s00) : s! s00) : s! s0 � s00) = � : s! s0 � s00);� (� : s! 1) = (� : s! 1);3. the identity in each s 2 jFcc(P )j is (� : s! s);4. the composition of (� : s! s0) and (� 0 : s0 ! s00) is ((� : s! s0); (� 0 : s0 ! s00) :s! s00).AcknowledgmentsThis work was partially supported by the JNICT Projects PMCT/C/TIT/177-178/90(OBCALC and FAC3), the ESPRIT Basic Research Actions 6071-6112 (IS-CORE andCOMPASS), and, last but not least, by the ESDI Project OBLOG. The authors aregrateful to their many colleagues in these �ve projects for many rewarding interactions,specially to Jos�e Fiadeiro, TomMaibaumand Udo Lipeck. The authors are also gratefulto the anonymous referees for many suggestions towards improving the readability ofthe paper for a wider audience.References[AHS90] J. Ad�amek, H. Herrlich, and G. Strecker. Abstract and Concrete Categories.John-Wiley, 1990.[BHPS93] C. Beierle, U. Hedtstuck, U. Pletat, and J. Siekmann. An order-sortedpredicate logic with closely coupled taxonomic information. In K. Meinkeand J. Tucker, editors, Many-sorted Logic and its Applications, pages 179{211. John Wiley, 1993.[BL91] S. Brass and U. Lipeck. Semantics of inheritance in logical object speci�-cations. In Proceedings of the 2nd International Conference on Deductiveand Object-oriented Databases, 1991.[BLR93] S. Brass, U. Lipeck, and P. Resende. Speci�cation of object behaviour withdefaults. In U. Lipeck and G. Koschorreck, editors, Proceedings of the Inter-national Workshop on Information Systems { Correctness and Reusability,pages 155{177. University of Hannover, 1993.26

[Boo86] G. Booch. Object oriented development. IEEE Transactions on SoftwareEngineering, 12(2), 1986.[Bro90] F. Brooks. No silver bullet. In T. DeMarco and T. Lister, editors, Softwarestate-of-the-art, pages 14{29. Dorset House Publishing, 1990.[Cox86] B. Cox. Object Oriented Programming: an Evolutionary Approach.Addison-Wesley, 1986.[Cox90] B. Cox. There is a silver bullet. Byte, pages 209{218, 1990.[CS91] J. Carmo and A. Sernadas. Formal techniques for systems speci�cation andveri�cation. Information Systems, 16:245{272, 1991.[CSS94] J. Costa, A. Sernadas, and C. Sernadas. Object inheritance beyond sub-typing. Acta Informatica, 31:5{26, 1994.[DMN67] O.-J. Dahl, B. Myhrhaug, and K. Nygaard. Simula 67: Common baselanguage. Research report, Norwegian Computer Centre, 1967.[EM85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Speci�cation I. Springer-Verlag, 1985.[Eme90] E. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Hand-book of Theoretical Computer Science B: Formal Models and Semantics,pages 995{1072. Elsevier, 1990.[End72] H. Enderton. A Mathematical Introduction to Logic. Academic Press, 1972.[ES91] H.-D. Ehrich and A. Sernadas. Object concepts and constructions. InG. Saake and A. Sernadas, editors, Proceedings of the IS-CORE Workshop91, pages 1{24. Technical University of Braunschweig, 1991.[FCSM93] J. Fiadeiro, J. Costa, A. Sernadas, and T. Maibaum. Process semantics oftemporal logic speci�cation. In M. Bidoit and C. Choppy, editors, RecentTrends in Data Type Speci�cation: 8th Workshop on Speci�cation of Ab-stract Data Types { Selected papers, pages 236{253. Springer-Verlag, 1993.[FM92] J. Fiadeiro and T. Maibaum. Temporal theories as modularization units forconcurrent system speci�cation. Formal Aspects of Computing, 4:239{272,1992.[Fra86] N. Francez. Fairness. Springer-Verlag, 1986.[FS88] J. Fiadeiro and A. Sernadas. Speci�cation and veri�cation of databasedynamics. Acta Informatica, 25:625{661, 1988.[FSMS91] J. Fiadeiro, C. Sernadas, T. Maibaum, and G. Saake. Proof-theoreticsemantics of object-oriented speci�cation constructs. In R. Meersman,W. Kent, and S. Khosla, editors, Object-oriented Databases: Analysis, De-sign and Construction, pages 243{284. North-Holland, 1991.[GB92] J. Goguen and R. Burstall. Institutions: Abstract model theory for speci-�cation and programming. Journal of the ACM, 39(1):95{146, 1992.[Gol87] R. Goldblatt. Logics of Time and Computation. CSLI, 1987.[GR83] A. Goldberg and D. Robson. SmallTalk80: The Language and its Imple-mentation. Addison-Wesley, 1983.[GSGA93] P. Gouveia, C. Sernadas, J. Gomes, and J. Apolin�ario. Tableaux for reason-ing about objects. In Theorem Proving with Analytic Tableaux and RelatedMethods, pages 113{125, 1993. Max Plank Institut fur Informatik.27

[Jon90] B. Jonsson. Modular veri�cation of asynchronous networks. In Proceedingsof Symposium on Mathematical Foundations of Computer Science, pages347{354. Springer-Verlag, 1990.[JSHS91] R. Jungclaus, G. Saake, T. Hartmann, and C. Sernadas. Object-orientedspeci�cation of information systems: The TROLL language. Technical Uni-versity of Braunschweig, 1991.[Jun93] R. Jungclaus. Modeling of Dynamic Object Systems: A Logic-based Ap-proach. Vieweg, 1993.[LS91] R. Li and A. Sernadas. Reasoning about objects using tableau method.Journal of Logic and Computation, 1:575{611, 1991.[Man93] M. Manzano. Introduction to many-sorted logic. In K. Meinke andJ. Tucker, editors, Many-sorted Logic and its Applications, pages 3{86.John Wiley, 1993.[McA76] R. McArthur. Tense Logic. Reidel, 1976.[Mey88] B. Meyer. Object Oriented Software Construction. Prentice Hall, 1988.[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and ConcurrentSystems. Springer-Verlag, 1992.[MT93] K. Meinke and J. Tucker. Many-sorted Logic and its Applications. JohnWiley, 1993.[Nie89] O. Nierstrasz. Process semantics of temporal logic speci�cation. In W. Kimand F. Lochovski, editors, Object oriented concepts, pages 3{22. ACMPress,1989.[NO79] G. Nelson and D. Oppen. Simpli�cationby cooperating decision procedures.ACM Transactions on Programming Languages and Systems, 1:245{257,1979.[Pnu77] A. Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEESymposium on Foundations of Computer Science, pages 45{57, 1977.[SCS94] A. Sernadas, J. Costa, and C. Sernadas. An institution of object behaviour.In H. Ehrig and F. Orejas, editors, Recent Trends in Data Type Speci�-cation: 9th Workshop on Speci�cation of Abstract Data Types { Selectedpapers, pages 337{350. Springer-Verlag, 1994.[SE91] A. Sernadas and H.-D. Ehrich. What is an object after all? In R. Meers-man,W. Kent, and S. Khosla, editors, Object-oriented Databases: Analysis,Design and Construction, pages 39{69. North-Holland, 1991.[Ser80] A. Sernadas. Temporal aspects of logical procedure de�nition. InformationSystems, 5:167{187, 1980.[SFSE89a] A. Sernadas, J. Fiadeiro, C. Sernadas, and H.-D. Ehrich. Abstract ob-ject types: A temporal perspective. In B. Banieqbal, H. Barringer, andA. Pnueli, editors, Temporal Logic in Speci�cation, pages 324{350. Springer-Verlag, 1989.[SFSE89b] A. Sernadas, J. Fiadeiro, C. Sernadas, and H.-D. Ehrich. The basic build-ing blocks of information systems. In E. Falkenberg and P. Lindgreen, edi-tors, Information Systems Concepts: An In-depth Analysis, pages 225{246.North-Holland, 1989. 28

[SGL92] C. Sernadas, P. Gouveia, and A. Lopes. Gentzen-type system for veri�ca-tion in conceptual modeling. In J. Goers, A. Hever, and G. Saake, editors,Foundations of Models and Languages, pages 215{228. 1992.[SRGS91] C. Sernadas, P. Resende, P. Gouveia, and A. Sernadas. In-the-large object-oriented design of information systems. In F. van Assche, B. Moulin, andC. Rolland, editors, The Object-oriented Approach in Information Systems,pages 209{232. North-Holland, 1991.[SS93] A. Sernadas and C. Sernadas. Denotational semantics of object speci�ca-tion within an arbitrary temporal logic institution. Research report, Sec-tion of Computer Science, Department of Mathematics, Instituto SuperiorT�ecnico, 1096 Lisboa, Portugal, 1993. Presented at IS-CORE Workshop 93- Submitted for publication.[Str86] B. Stroustrup. The C++ Programming Language. Addison-Wesley, 1986.[Sza78] M. Szabo. Algebra of Proofs. North-Holland, 1978.[TZ88] J. Tucker and J. Zucker. Program Correctness over Abstract Data Typeswith Error-state Semantics. North-Holland, 1988.

29