
APOSTOLICITY OF THE EUCHARIST AND OF THE CHURCH

In document Boletín Oficial del Obispado de Ourense (pages 115-118)

The fact that we are dealing with shared variables in a synchronous environment indicates a solution based on the ideas presented in the shared environments from Definition 2.3.126. We first note that the key features of this definition are the clock counter c and the sequences x.in and x.out. Our theory of synchronous programs includes these same variables, but with two main differences:

• Global observational variables. c, x.in and x.out are observational variables and no longer take part in the “implicit” lists of variables such as v in the definition of assignment. Like ok and ok′, these variables have global scope that is implicitly opened and closed before and after the whole program respectively.

• Implicit initialisation and binding. The new variables are implicitly initialised (c = 0 and x.out = ⟨⟩) before the beginning of the program, while x.in and x.out′ are implicitly bound by the expression x.in = x.out′ at the end of the program.

As with the design theory, we are not interested in all the predicates that can be expressed in the context of the syntax described above. In particular, we are only interested in programs that can advance the clock cycle counter forward, that do not modify the history of each variable x kept in the corresponding x.out sequence and that keep x.in constant as described by the healthiness conditions below:

Definition 3.2.1. Core synchronous healthiness conditions

S1 P = P ∧ (c ≤ c′)

S2 P = P ∧ x.out ≤ x.out′

S3 P = P ∧ x.in′ = x.in

² This same approach was used to solve the limitations of the alphabetised relational calculus when dealing with non-termination. In that case, the solution was to introduce the ok and ok′ observations and to incorporate healthiness conditions, leading to the definition of the theory of designs.

Note that operator ≤ is overloaded in the above definition: it denotes the standard ordering for numbers (i.e., “less than or equal to” relation) in S1, yet it stands for “sequence prefix” in S2. On the other hand, it is common practice in the UTP to consider healthiness conditions not only as a predicate (i.e., “is P healthy?”) but also as a function that “makes P healthy”. In this context, we will use the notation S to refer to the simultaneous application of the three healthiness conditions described above:

Definition 3.2.2. Synchronous healthiness condition

S = S1 ◦ S2 ◦ S3

All of our healthiness conditions are conjunctive: they are functions from predicates to predicates defined by the form H(P) = P ∧ ψ (i.e., P is a fixed point of H). A large number of healthiness conditions used to characterise UTP theories are defined by a conjunction of this form (e.g., the theory of reactive processes [Hoare and He 1998, Chapter 8] used for giving semantics to ACP [Bergstra and Klop 1985], CSP [Hoare 1983] and its extensions, like the semantics of Circus [Woodcock and Cavalcanti 2001] as described in [Woodcock and Cavalcanti 2002]).

In general, a number of properties are satisfied by conjunctive-healthy (CH) predicates, independently of the particular definition of ψ. Harwood, Woodcock and Cavalcanti [Harwood et al. 2008] explored, among other results, the closure of conjunctive-healthy predicates regarding the programming operators described in the previous sections. Some of the most relevant results of their work that are used in this thesis are presented below. We begin by establishing that the core UTP operators defined in the alphabetised relational calculus (Chapter 2) are closed within the subtheory delimited by conjunctive healthiness conditions. In particular, the sequential composition of S-healthy predicates is S-healthy.

Theorem 3.2.3. Sequential composition

[S(P) ∧ S(Q) ⇒ S(P; Q)]

Furthermore, the conjunction, disjunction and selection of S-healthy predicates are also S-healthy.

Theorem 3.2.4. Conjunction, disjunction and selection closure

[S(P) ∧ S(Q) ⇒ S(P ∧ Q) ∧ S(P ∨ Q) ∧ S(P ◁ b ▷ Q)]

Provided the body of a recursive program is S-healthy, then the whole recursive program is S-healthy.

Theorem 3.2.5. Recursive S-healthy programs

[S(P) ⇒ µX • (P; X) ◁ b ▷ II]

It is important to notice that any theory of conjunctive-healthy predicates is disjoint from the theory of designs: on abortion, a design provides no guarantees while a conjunctive-healthy predicate requires ψ to hold. Furthermore, it is possible to link the theory of designs with a theory of CH-healthy predicates by taking CH as the approximate relationship between designs and CH-healthy predicates. In the context of S-healthy predicates, we can instantiate this general result to the following theorem:

Theorem 3.2.6. Galois connection with the theory of designs

P ⊑ H1 ◦ H2(Q) if and only if S(P) ⊑ Q

where P is a design and Q is S-healthy.

A direct consequence of this result is that predicates in the design theory can be used to find their approximated counterparts in the synchronous designs lattice. For example, the skip programming construct in the synchronous theory is just II_D made S-healthy:

Definition 3.2.7. Synchronous skip

II =df S(II_D)

In addition to the general results that can be derived from S being a CH healthiness condition, our formulation also satisfies other properties that proved very useful later on in this chapter.

Theorem 3.2.8.

II ⇒ S(true)

It is also straightforward to conclude that II is S-healthy.

Theorem 3.2.9.

S(II) = II

The healthiness conditions are transitive when combined by means of the sequential composition operator.

Theorem 3.2.10. S is transitive

S(true); S(true) = S(true)

The healthiness conditions preserve the refinement ordering: they are monotonic regarding ⊑.

Theorem 3.2.11. S is monotonic

(P ⊑ Q) ⇒ (S(P) ⊑ S(Q)) provided P and Q are UTP designs.

S distributes over conjunction and disjunction.

Theorem 3.2.12. S distributes over conjunction

Theorem 3.2.13. S distributes over disjunction

S(P ∨ Q) = S(P) ∨ S(Q)

If we have the conjunction of an S-healthy predicate with another predicate, then the whole predicate is S-healthy.

Theorem 3.2.14. S extends over conjunction

P ∧ S(Q) = S(P ∧ Q)
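The following is an added example, not part of the original thesis: it builds a small finite model of Definitions 3.2.1 and 3.2.2 and checks Theorems 3.2.3, 3.2.10, 3.2.13 and 3.2.14 on it. The bounds on c and on the sequences, the encoding of predicates as sets of (before, after) pairs and all function names are assumptions of the example; passing the checks on sampled predicates is evidence, not a proof.

```python
import itertools, random

# Constructed finite model: clock c in 0..2; x.in and x.out range over
# sequences of bits of length <= 2. A predicate is a set of (before, after) pairs.
SEQS = [s for n in range(3) for s in itertools.product((0, 1), repeat=n)]
STATES = [(c, xin, xout) for c in range(3) for xin in SEQS for xout in SEQS]
ALL_PAIRS = list(itertools.product(STATES, STATES))

def psi(before, after):
    """The conjunct added by S1, S2 and S3 together."""
    (c, xin, xout), (c2, xin2, xout2) = before, after
    return (c <= c2                          # S1: the clock never goes back
            and xout2[:len(xout)] == xout    # S2: x.out is a prefix of x.out'
            and xin2 == xin)                 # S3: x.in is left unchanged

PSI_PAIRS = [p for p in ALL_PAIRS if psi(*p)]
S_TRUE = frozenset(PSI_PAIRS)                # S(true)

def S(P):
    """S = S1 ∘ S2 ∘ S3 as a function on predicates: S(P) = P ∧ ψ."""
    return P & S_TRUE

def is_healthy(P):
    return S(P) == P                         # P is a fixed point of S

def seq(P, Q):
    """Sequential composition P; Q as relational composition."""
    succ = {}
    for mid, after in Q:
        succ.setdefault(mid, []).append(after)
    return frozenset((a, c) for a, mid in P for c in succ.get(mid, ()))

# A program that rewinds the clock violates S1, so it is not S-healthy.
REWIND = frozenset(p for p in ALL_PAIRS if p[1][0] < p[0][0])

def check_theorems(trials=10, seed=0):
    rng = random.Random(seed)
    ok = {"3.2.3": True, "3.2.10": seq(S_TRUE, S_TRUE) == S_TRUE,
          "3.2.13": True, "3.2.14": True}
    for _ in range(trials):
        P, Q = (frozenset(rng.sample(ALL_PAIRS, 4000)) for _ in range(2))
        HP, HQ = (frozenset(rng.sample(PSI_PAIRS, 200)) for _ in range(2))
        ok["3.2.3"] &= is_healthy(seq(HP, HQ))       # closure under ;
        ok["3.2.13"] &= S(P | Q) == S(P) | S(Q)      # distribution over ∨
        ok["3.2.14"] &= (P & S(Q)) == S(P & Q)       # extension over ∧
    return ok
```

Calling `check_theorems()` returns a dictionary keyed by theorem number; `is_healthy(REWIND)` shows how a predicate that breaks S1 fails to be a fixed point of S.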

3.2.1 H3 in the synchronous theory

As mentioned in Section 2.3, H3 is satisfied only by those designs where the precondition does not mention dashed variables (i.e., the precondition is a condition instead of a more general predicate). Algebraically, H3-healthy predicates have the design skip as their right unit for sequential composition.

In the context of S-healthy designs, the conjunctive healthiness conditions mentioning dashed variables make it impossible to eliminate all after variables from the preconditions. On the other hand, the healthiness conditions only restrict the values of c′, x.in′ and x.out′. Thus, it should be possible to formulate a notion similar to H3 provided the observational variables in the precondition can be “ignored”. As in the case of H3, the notion can be precisely captured by having the theory’s skip construct as right unit for sequential composition. More formally, the notion of H3 has its equivalent notion in the lattice of S-healthy designs by means of SH3 defined as follows.

Definition 3.2.15. Lifted H3

SH3 P = P; II provided P is S-healthy.

As expressed before, the precondition of SH3-healthy designs does not mention dashed variables other than c′, x.in′ and x.out′. The following theorem captures this notion more precisely.

Theorem 3.2.16.

An S-healthy design S(P1 ⊢ P2) is SH3 if and only if its precondition does not mention dashed variables other than the observations c, x.out and x.in.

As with the design theory, we need to show that SH3 is closed under the basic operators of the language (i.e., sequential composition, selection and recursion). Regarding sequential composition, provided P and Q are SH3-healthy, then P; Q is SH3-healthy.

Theorem 3.2.17. SH3 sequential composition closure

P; Q = SH3(P; Q)

Similarly, provided P and Q are SH3-healthy, the selection of either of them is also SH3-healthy.

Theorem 3.2.18. SH3 conditional closure

P ◁ b ▷ Q = SH3(P ◁ b ▷ Q) provided P and Q are SH3-healthy.

To show that recursion is also closed under SH3, we take the same approach used by Hoare and He [1998, Chapter 3.1] to show that the least fixed point of a design is also a design. The programming operators defined so far are monotonic and closed within the SH3 lattice. The fact that all operators map SH3-healthy designs to SH3-healthy designs and that recursion is solely built up from constructs with this property, is enough to show that recursion preserves SH3.
