On partial-function application in Z

We discuss the application of partial functions to elements outside their domain in the context of the Z language and CADiZ tool. We illustrate some surprising results that can arise, and show that they may be readily justified, but also show that undesirable results can arise that are less readily resolved. We offer two possible resolutions, one that involves a simple change to, for example, free types, and another more contentious approach that involves, in particular, a new semantics for Z. We discuss the advantages and disadvantages of both approaches.


Introduction
Partial functions in Z [8] are simply relations with the property that if they return a value, that value is unique. There is some debate as to the meaning of the application of such functions to arguments outside their domain. Arthan [2] outlines the main options and proposes a classical approach for reasoning purposes in which a function application in a specification is assigned an arbitrary value from the function's range in any particular interpretation ("premodel") for that specification. This semantics explains why, if f and g are partial functions from ℕ to ℕ, then f 0 = f 0 holds in all models, but f 0 = g 0 need not, even if both f and g are undefined for 0: f 0 and g 0 may be assigned different values from the carrier set of ℕ. This semantics for partial-function application may or may not be embedded into the standard semantics for Z currently being developed; the standard semantics might assign the same range value to all "undefined" function applications of the same type. Any proof system that is sound with respect to Arthan's proposed semantics is, of course, sound with respect to the more restrictive semantics. CADiZ [9], a tool developed at the University of York that supports analysis of Z specifications, is consistent with Arthan's approach in that it accepts as valid f 0 = f 0, but not f 0 = g 0 unless forced to by the axioms of the specification. In this paper, we take CADiZ as representative of proof systems for Z (such as ProofPower [5]) with regard to the treatment of partiality. Thus, Arthan's approach provides the starting point for our investigation. However, we go a step further, and consider the scenario in which it is impossible to assign a range value to a function application in any model. In other words, we consider the scenario in which adding a definedness condition such as f 0 ∈ ℕ would make a specification unsatisfiable.
Apparently, this scenario has been investigated previously, and there are unpublished notes on the subject, but in each case it was decided that any benefits accrued are outweighed by anomalous results. We argue that the partial-function applications of realistic specifications may have this property, that the apparently anomalous results they produce are not so disconcerting as they might at first seem, and that there is a major benefit from allowing them, in that the specifier is no longer required to know the domain of a partial function in order to avoid contradictions when writing down axioms defining the function. However, we show that allowing such function applications can make a typical Z specification inconsistent, and we proceed to offer two possible resolutions to this problem, one involving modification of our specifications, and the other involving modification of our inference systems. We discuss the advantages and disadvantages of each approach.
The presentation of the paper is as follows. In the next section we discuss partial functions in a general setting, independently of Z, and describe a simple realistic specification in which the definedness problem arises. In Section 3, we then review partial functions from the Z standpoint, illustrating some surprising and undesirable properties that function application can have in Z, and show how the surprising results may be readily justified. We are then in a position to present in Section 4 our resolutions to the undesirable results. The second of these involves modification to the typical laws and inference rules implemented in reasoning systems for Z; we specify the necessary changes for a subset of Z in Section 5, provide a semantics for our Z expressions in Section 6, and justify our proof rules with respect to this semantics in Section 7. We go on to discuss some of the consequences of both our resolutions in Section 8, including those that are apparently anomalous, and argue that these apparent anomalies are in fact reasonable. Finally, we present some conclusions on what we have done in Section 9, reviewing some of the advantages and disadvantages of our two approaches.
We are concerned almost exclusively with the semantics of function application in this paper, and how it interacts with the semantics of the rest of the system. For this reason, we will consider only a limited subset of Z, omitting discussion of, for instance, schemas; the subset should be sufficiently inclusive to demonstrate our approach in a non-trivial context. For similar reasons, we will also take only a semi-formal approach to the presentation of our semantics in Section 6. Typical current formal approaches translate each Z construct into a core language, and then define the semantics of the core language via a mapping into ZF set theory. We map each Z construct of our subset into an informal set-theoretic language with types. Our approach more closely resembles standard semantic definitions given in text books on logic. This approach was found not to work for the full Z language, principally due to the inclusion of schemas, but it is adequate for our subset.
While we do not consider in detail Z-like languages such as B [1], we believe that our semantics should be applicable to them, perhaps with minor modifications. In the case of B itself, we must take account of a distinction that may be made between a well-formed and a well-typed formula. For instance, the formula ∀x • x + 0 = x is well-formed, but for type-checking purposes we must add the constraint x ∈ ℕ, say, to give ∀x • x ∈ ℕ ⇒ x + 0 = x; we may say that this formula is well-typed. If we consider the well-typed language of B, then the application of our Z semantics to B is quite straightforward, since B has the same type system as Z. On the other hand, we consider later the possibility of including in Z formulae that are not well-typed; it might be argued that, in principle, B already allows such expressions.
What are partial functions?

From the mathematical perspective, independently of Z, we may distinguish two types of partiality (cf. [11]). Case 1: A function f is partial if it is not explicitly assigned any value for certain arguments. Viewed computationally, that is, viewing the "defining axioms" for f as, say, a set of rewrite rules (if the axioms are equations), f may or may not terminate on these arguments.
Example: Suppose we are given

Spec1 == [f, g, h : ℕ ⇸ ℕ | ∀u : nats • f(succ u) = u ∧ ∀v : nats • g(succ v) = g 0 ∧ ∀w : nats • h(0, w) = 0 ∧ ∀x, y : nats • h(succ x, y) = h(succ x − y, y)].

In Spec1, f is not defined for 0 and g is not defined for any v ∈ ℕ. The function h is non-terminating for x = 0, y = 0 if its defining equations are treated as rewrite rules from left to right as presented, and if, for t of type 𝔸, t − 0 simplifies to t; since there are no other defining axioms for h(succ 0, 0), h is undefined over these arguments. h(succ 0, 0) could, however, be assigned the value 0, say, without inconsistency with Spec1 arising.

Example: Suppose we are given

Spec2 == [q : ℕ × ℕ ⇸ ℕ | ∀w : nats • q(0, w) = 0 ∧ ∀x, y : nats • q(succ x, y) = succ(q(succ x − y, y))].

The partial function q may be interpreted as a "quotient" function over ℕ; the important property of Spec2 is that q(succ 0, 0), representing 1 ÷ 0, is assigned no numeric value. Not only is q non-terminating for x = 0, y = 0, but we have q(succ 0, 0) = succ(q(succ 0, 0)), so if we add the definedness constraint q(succ 0, 0) ∈ ℕ, then we get ∃z : ℕ • z = succ z, contradicting the usual axioms for ℕ.

Case 1 is consistent with the standard Z-user view of partial functions in the sense that any function that satisfies Case 1 could be declared as partial in a Z specification without any perceived inconsistency arising. This is the case that Arthan accounts for [2]. Case 2 is more contentious. It might be argued that any function in a Z specification satisfying Case 2 should be rejected as inconsistent with its declaration. According to this view, it should always be possible to assign to any function application some value from the function's range (that is, the set S′ in the declaration f : S ⇸ S′ for f). However, there are several counterarguments.

3rd Northern Formal Methods Workshop, 1998
Firstly, Spec2 describes what seems to be a reasonable specification in which the function q cannot return a numeric value for certain arguments, though its range is ℕ. Secondly, since we cannot bar non-termination, it would seem pointless (though not impossible, for "semi-recursive" functions [6]) to bar Case 2. Thirdly, and perhaps most significantly of all, barring Case 2 would, from the perspective of function application, make redundant the declaration of functions as partial in Z, since a partial function f : S ⇸ S′ would have the property ∀x : S • ∃₁ y : S′ • f x = y (at least if S′ is a type expression), exactly as for a total function. We discuss this fourth justification for Case 2 further in the next section.

Partial Functions and Z
In Z, a relation r with declaration r : S ↔ S′, for sets S and S′, is a subset of S × S′: r has type ℙ(T × T′), where ℙ T and ℙ T′ are the types of, respectively, S and S′, and the defining axiom for r is ∀p : r • p.1 ∈ S ∧ p.2 ∈ S′. Partial and total functions, with declarations of the form f : S ⇸ S′ and f : S → S′, respectively, are relations with further restrictions expressed by axioms in the language of Z. A partial function f has the extra property ∀p, q : f • p.1 = q.1 ⇒ p = q, while a total function f : S → S′ is a partial function with the restriction that its domain is the whole of S. These definitions raise the question: what happens when a partial function is "applied" to an object outside of its domain? In fact, Z allows arbitrary relations to be applied as functions, and thus we cannot rely on the special property of partial functions in defining application.
The fundamental point to note is that the definition of relation imposes only the constraint of well-typedness on the application of a relation as a function, and the definition of partial function is only a little more restrictive. A relation application r s is well-typed if r has type ℙ(T × T′) and s has type T; r s then has type T′. Partial functions impose the additional constraint that if (x, y) ∈ f is a consequence of the specification, then f x = y is a consequence; the converse need not hold. Even total functions may be applied to objects outside their domain without introducing inconsistency. We illustrate these points with the following specifications. These specifications are "consistent" in Z in the sense that, from the axioms currently associated with relation and function declarations, we cannot derive a contradiction P ∧ ¬P, for some P, via the inference rules normally associated with Z (as in CADiZ). The first two specifications illustrate the facts that a relation may be applied to objects (e.g. 1 in SpecA) for which it is not uniquely defined, and a partial function may be applied to or return objects outside its domain or range, as in the first and second axioms of SpecB. As illustrated by SpecC, even a total function may be consistently applied to objects outside its domain, and, if so, may return an object outside its range. We are not claiming that anybody would wish to write specifications such as those above, but if they are consistent in Z, then we should be able to offer, for instance, a semantical justification for them.
The justification for these surprising properties of function application, that is, the consistency of the above specifications, is that the axioms given assert properties about each function application, not about the functions themselves.
In particular, f a = b, where f a and b are appropriately typed, does not imply (a, b) ∈ f. Formally, in the models of a specification, a function application f a may be assigned its value by a total function App [2]. To account for the fact that, if there is a unique b such that (a, b) ∈ f, then f a = b, we must impose constraints on App as in the following definition.
Definition: In a specification, let f be an expression representing an n-ary function of type ℙ(T₁ × T₂), and let arg be an expression of type T₁. If, in an interpretation for the specification, T₁ and T₂ are assigned, respectively, the "carrier" sets T₁ᴵ and T₂ᴵ, f is assigned the function fᴵ, and arg is assigned the value a ∈ T₁ᴵ, then App(fᴵ, a) == the unique z such that (a, z) ∈ fᴵ, if such a z exists; == some z in T₂ᴵ otherwise. Thus, the value of a function application is not a value assigned to the function itself (that is, the function is not "totalised"; cf. [12]), but to the application operator. In fact, what we assign to any Z function symbol (partial or total) in a model is simply a relation satisfying the constraints imposed by Z's partial and total function axioms.
More problematic are specifications involving definitions such as that of q in the previous section. The problem becomes most apparent if we re-express the definition in terms of a free type, as opposed to ℕ, which is defined as a subset of the type 𝔸 in standard Z. We thus introduce the free type nats, and define the functions diff and quot in terms of nats.
section SpecQ
nats ::= o | s⟨⟨nats⟩⟩
diff, quot : nats × nats ⇸ nats
∀x : nats • diff(x, o) = x
∀x, y : nats • diff(s x, s y) = diff(x, y)
∀y : nats • quot(o, y) = o
∀x, y : nats • quot(s x, y) = s(quot(diff(s x, y), y))

The first line of SpecQ introduces a free type: a given set nats together with Peano-style axioms for o (denoting zero) and s (denoting successor). The axioms CADiZ associates with the free type nats have some syntactic differences from typical Peano axioms for ℕ [4], but the induction principle is typical, and the property ∀x : nats • ¬ x = s x is a logical consequence.
The main difficulty with SpecQ is that it is provably inconsistent in CADiZ. We discuss a proof of its inconsistency further in the next section. We note here merely that we can prove quot(s o, o) ∈ nats in CADiZ, and therefore that ∀x, y : nats • quot(s x, y) = s(quot(diff(s x, y), y)) contradicts the property ∀x : nats • ¬ x = s x of the free type nats.
There are several reasons why the inconsistency of SpecQ is unfortunate. Firstly, the definition looks reasonable. Secondly, it is correct for the intended set, {x, y : ℕ | x ŷ y 0}, where ℕ denotes the natural numbers. Thirdly, the fact that the definition for quot is non-terminating for quot(s o, o) is consistent with our assumption that division of 1 by 0 is undefined (that is, is not a natural number). Fourthly, and perhaps most importantly, if we bar this definition, then this means that the Z specifier must know the domain of quot, before defining it by a set of equations, in order to avoid inconsistency; but in that case it would seem preferable that quot be defined as a total function from nats × (nats \ {o}) to nats. Thus, the utility of partial functions is substantially undermined if definitions such as that of quot are inconsistent.
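Arthan's App operator (the Definition above) and SpecQ's equations treated as left-to-right rewrite rules, as an added executable illustration; this is not code from the paper, CADiZ or ProofPower. It assumes a constructed carrier {0, …, 4} with two relations F and G that both omit 0 from their domains, represents nats terms as nested tuples, and the names app, normalise and self_unfolding_depth are this example's own.

```python
"""Added illustration, not code from the paper, CADiZ or ProofPower: Arthan's
App operator over a finite relation, and SpecQ's axioms for diff and quot read
as left-to-right rewrite rules over the free type nats."""


class Undefined(Exception):
    """The rewrite rules assign no nats value to a term."""


# ---- Part 1: applying a relation to an argument outside its domain ---------
def app(rel, arg, default):
    """App(f^I, a): the unique z with (a, z) in rel if there is exactly one;
    otherwise the carrier value this interpretation chose for the application."""
    images = {z for (a, z) in rel if a == arg}
    return images.pop() if len(images) == 1 else default


# Constructed partial functions on the carrier {0, ..., 4}; 0 is in neither domain.
RELS = {"F": {(1, 2), (2, 3)}, "G": {(1, 0), (3, 3)}}


def valid_in_all_models(lhs, rhs, carrier=range(5)):
    """Does `lhs 0 = rhs 0` hold however the undefined applications are valued?
    Each pair (cf, cg) is one interpretation's choice of value for F 0 and G 0."""
    for cf in carrier:
        for cg in carrier:
            choice = {"F": cf, "G": cg}
            if app(RELS[lhs], 0, choice[lhs]) != app(RELS[rhs], 0, choice[rhs]):
                return False
    return True


# ---- Part 2: SpecQ as a rewrite system over nats ---------------------------
# Terms are nested tuples: ("o",), ("s", t), ("diff", t1, t2), ("quot", t1, t2).
O = ("o",)


def S(t):
    return ("s", t)


def num(n):
    """The numeral n as the nats term s(s(...(o)))."""
    t = O
    for _ in range(n):
        t = S(t)
    return t


def step(t):
    """One root rewrite of a diff/quot term with a SpecQ axiom; None if none matches."""
    op, x, y = t
    if op == "diff":
        if y == O:
            return x                              # diff(x, o) = x
        if x[0] == "s" and y[0] == "s":
            return ("diff", x[1], y[1])           # diff(s x, s y) = diff(x, y)
        return None                               # diff(o, s y): no axiom
    if x == O:
        return O                                  # quot(o, y) = o
    return S(("quot", ("diff", x, y), y))         # quot(s x, y) = s(quot(diff(s x, y), y))


def normalise(t, fuel=200):
    """Normal form of t under call-by-value rewriting.  Raises Undefined when
    the rules get stuck (Case 1) or do not terminate within `fuel` steps."""
    if fuel == 0:
        raise Undefined("the rules do not terminate on this term")
    if t[0] == "o":
        return t
    if t[0] == "s":
        return S(normalise(t[1], fuel - 1))
    args = tuple(normalise(a, fuel - 1) for a in t[1:])
    r = step((t[0],) + args)
    if r is None:
        raise Undefined(f"no axiom applies to {(t[0],) + args}")
    return normalise(r, fuel - 1)


def is_undefined(t):
    """True when SpecQ's rules assign no nats value to t."""
    try:
        normalise(t)
    except Undefined:
        return True
    return False


def self_unfolding_depth(x, y):
    """Unfold quot(x, y) once, normalising the diff it introduces.  If the result
    is s^k(quot(x, y)) with k >= 1, return k: SpecQ then entails quot(x, y) =
    s^k(quot(x, y)), so quot(x, y) in nats would give a z with z = s^k z,
    against the free-type axiom.  Return 0 otherwise."""
    t = ("quot", x, y)
    r = step(t)
    if r is None or r[0] != "s":
        return 0                                  # quot(o, y) = o: no self-reference
    try:
        r = S(("quot", normalise(r[1][1]), y))
    except Undefined:
        return 0                                  # diff(s x, y) has no value here
    k = 0
    while r != t and r[0] == "s":
        r, k = r[1], k + 1
    return k if r == t else 0
```

quot(s o, o) unfolds to s(quot(s o, o)), the equation the text derives by hand, while quot(s o, s(s o)) is undefined for the other reason: diff(o, s o) matches no axiom.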

Resolving the Inconsistency
We propose two resolutions to the inconsistency issue raised in the preceding section. The first is the more straightforward, but involves explicitly modifying specifications, while the second is more contentious, but leaves specifications unchanged, modifying instead the usual laws and inference rules for Z.

Modifying Free Types
The first solution is straightforward: the sets introduced by a free type (e.g. nats above) are not given type status, but are made subsets of types. In particular, we may associate with the set nats the type nats*. Thus, nats* becomes the given set, and nats is declared by nats : ℙ nats*. The other declarations and axioms for nats in the original free-type expansion remain unchanged. Now any partial function f : nats ⇸ nats may return a value from nats* when it is not specified or is unable consistently to return a value from nats.
If we refer to as nats⁻ the set nats* \ nats, then nats⁻ may be viewed as the "undefined values" of nats, though, as we indicate in Section 8 below, it is preferable to view them as "super values" of nats.
One incidental benefit of this process is that we may reintroduce the intuitive relationship between function application and membership. We may add as a property of any partial function over, say, nats, that ∀x, y : nats • f x = y ⇒ (x, y) ∈ f. The problem with adding this property if nats is taken to be a type is that it collapses f into a total function. For if nats is a type, then we have ∀x : nats • ∃y : nats • f x = y; consequently, with the above property, we would have ∀x : nats • ∃y : nats • (x, y) ∈ f, making f total. However, if nats* is the type and nats merely a subset, then we do not automatically have ∀x : nats • ∃y : nats • f x = y, and f remains total only over its domain (that subset of nats over which its application always returns a value of nats).
The problem with this approach is that the set nats* must be explicitly included within the specification. Thus, either the specifier must build up the free type from scratch in order to include nats*, or the analysis tool must automatically add it and the declaration nats : ℙ nats*. The first possibility clearly undermines the benefits of free types, while the second solution is likely to be disconcerting to the specifier, particularly if no partial functions are involved in the specification.

Modifying the Inference Rules
The alternative approach is more contentious in that it involves distinguishing `having type T' from `being a member of T', in order to allow a well-typed function application to return a "value" not a member of its range type.
For instance, if nats is a given set, f is a partial function from nats to nats, and o ∈ nats holds, then f o has type nats, but may or may not be in nats.
The advantage of this approach is that the set nats* now becomes the carrier set of nats in a model, and thus becomes a metalogical concept; the specifier is now unable to refer directly to nats⁻, and consequently is unable to make statements about all of its possible members. Moreover, specifiers need not even be aware of nats* if they do not have partial functions in their specifications; the name nats* may now, of course, be used freely within a specification.
The major disadvantage is that we must make some changes to the laws of Z and the inference rules of typical proof systems for Z such as CADiZ. However, these changes are not especially contrived; the new laws and rules coincide with our intuitions about the properties of sets. We believe that the changes also highlight some interesting properties of Z and CADiZ, and make the concept of a type more than just a way of avoiding meaningless expressions such as 0 − 1 = {1, 2, 3} and Russell-style paradoxes [8].
The required changes hinge on the fact that we can currently prove f o ∈ nats in CADiZ if nats is a given set or free type, if o ∈ nats is an axiom, and if f has declaration f : nats ⇸ nats. Analogously, we can prove quot(s o, o) ∈ nats in our earlier example. One such proof proceeds as follows.

Sketch of Proof:
Consider the set Q == {x, y : nats | true • quot(x, y)}. First, we prove Q = nats by expanding the equality with CADiZ's rule for set equality, S = S′ == ∀u : T • u ∈ S ⇔ u ∈ S′, where S, S′ are sets and ℙ T is their type. Thus, we derive the subgoal ∀u : nats • u ∈ Q ⇔ u ∈ nats. u ∈ nats reduces via CADiZ's absorption rule to true, and another absorption reduces u ∈ Q ⇔ true to u ∈ Q. We now apply ∀ elimination and then membership expansion to derive u : nats ⊢ ∃x, y : nats | true • u = quot(x, y). We may now instantiate x and y with, respectively, u and s o, and use the definitions of diff and quot and an induction over nats to complete the proof of this step.
Finally, we apply Leibniz to quot(s o, o) ∈ Q via the equality Q = nats to get quot(s o, o) ∈ nats, completing the proof of our original goal.
Since we have a proof that quot(s o, o) ∈ nats holds in CADiZ, we cannot separate the carrier set of nats into nats⁺ (the elements of nats) and nats⁻ (the "undefined" values of type nats) and argue that the meaning of quot(s o, o) in a model is some element of nats⁻. Thus, if we are to take this line (formalised in Section 6), we must find a "flaw" in the above proof. We agree that quot(s o, o) ∈ Q holds, and accept the application of Leibniz. This leaves the second part of the proof, in which we apply the expansion rule for sets. We propose the following alternative expansion rule: S = S′ == ∀u : S • u ∈ S′ ∧ ∀u : S′ • u ∈ S. Unfortunately, we can still prove Q = nats via CADiZ's rule of normalisation, which from the hypothesis x : τx | x ∈ t ⊢ concludes x : t ⊢, where τx denotes the type of x. The proof proceeds as follows.

Sketch of Proof:
Expanding Q = nats via the new expansion rule we get ∀u : Q • u ∈ nats ∧ ∀u : nats • u ∈ Q. Via ∧ and ∀ elimination we derive two subgoals: u : Q ⊢ u ∈ nats, and u : nats ⊢ u ∈ Q. The proof of the second subgoal proceeds via an inductive proof of ∀u : nats • u = quot(u, s o), as above, and we do not contend it. The proof of the first subgoal proceeds via two applications of normalisation: u : nats | u ∈ Q ⊢ u ∈ nats, then u : nats | u ∈ nats, u ∈ Q ⊢ u ∈ nats, which is an axiom.
Thus, in outline, we have proven Q = nats. Consequently, we must change the rule of normalisation to sustain the distinction between nats and nats⁺: we replace τx by t in the hypothesis; see Section 5. We are now unable to prove Q = nats, since we are unable to prove u : Q ⊢ u ∈ nats, normalisation now reducing this merely to u : Q | u ∈ Q ⊢ u ∈ nats.
We must show that these new expansion and inference rules do support the possibility of a term having a value not a member of its type. This may be done via a soundness proof for the rules with respect to an appropriate semantics. We present such a semantics and an outline of the soundness proof in Sections 6 and 7, respectively. First we must describe the syntax of the expressions we allow and present our inference rules more fully.

Syntax and Inference Rules
In this section we describe the subset of Z expressions that we are concerned with, and our expansion and inference rules relating to this subset. We refer to all allowed syntactic objects as `expressions', distinguishing between `predicates' (i.e. propositions) and `terms', as opposed to `predicates' and `expressions'.

Term ::= Const | FreeVar | Tuple | TupleSel | Application | SetExp

Const is a name introduced by a declaration within a specification, while FreeVar is a free variable, a name introduced by either a declaration within a sequent or a quantification in a predicate (e.g. all occurrences of x in the P part of ∀x : ℕ • P; all occurrences of x are said to be bound in ∀x : ℕ • P).
Tuple ::= (Term, …, Term)

An n-tuple of terms (t₁, …, tₙ), where n ≥ 2, may be abbreviated t; the type of (t₁, …, tₙ) is T₁ × … × Tₙ, where Tᵢ is the type of tᵢ.
TupleSel ::= t.i

where t is a term of type T₁ × … × Tₙ for some n, and i is a value of ℕ between 1 and n.
Application ::= f Term

where f is a Term of type ℙ(T₁ × T₂) and Term has type T₁; the type of the application is T₂.
SetExp ::= SetName | {Term, …, Term} | {Decl | Pred} | {Decl | Pred • Term} | ℙ SetExp | SetExp × SetExp

A SetName is a declared name (possibly a TypeName) of type ℙ T for some Type T. The elements of a set must all have the same type T; the type of the set is then ℙ T.

Predicates:

Pred ::= true | false | R Term | Term = Term | Term ∈ Term | ¬ Pred | Pred ∧ Pred | Pred ∨ Pred | Pred ⇒ Pred | Pred ⇔ Pred | ∀ Decl • Pred | ∃ Decl • Pred | ∃₁ Decl • Pred

where R is a relation symbol (R Term is, of course, not an application). Such relational predicates may be represented with infix notation, as in 2 < 3.

The Inference Rules
We describe our inference rules in terms of sequents, here expressions of the form D | Γ ⊢ Δ (we omit generic parameters), where D is a declaration, and Γ, called the antecedents, and Δ, called the consequents, are finite lists (representing sets) of Z predicates separated by commas. Our rules are closely based upon those of CADiZ. However, apart from the necessary modifications of CADiZ's inference and expansion rules indicated above, we have simplified several of CADiZ's rules to take account of our more restricted language; in particular, since we have not included λ-expressions in our subset, we combine into one inference CADiZ's expansion of a function application into a λ-expression and its λ-tac inference rule.
We omit from our proof system explicit inference rules for ⇒, ⇔, ∃ and ∃₁, making the assumption that predicates involving these logical symbols are merely abbreviations for others involving only ¬, ∨, ∧, ∀ and, in the case of ∃₁, =.
As is usual in the descriptions of sequent proof systems for Z, we also omit from the sequents in our rules any information that is not relevant to the inference.
Our inference rules have either the form H / C, where H is a collection of sequents referred to as the hypotheses and C is a sequent referred to as the conclusion, or the form / C, denoting axioms (inference rules without hypotheses).
We denote by P[t] the fact that the predicate P contains the term t, and by P[s/t] the replacement of t with s. A substitution of an n-tuple of terms t for an n-tuple of free variables x within a predicate P is denoted P{x ↦ t}.
Tautologies: We have as axioms | false ⊢ and ⊢ true. D′ denotes D with any variables renamed to avoid clashes with names introduced by declarations in the specification or in the conclusion. ∀ substitution: | (∀D • P) ∧ (Q ⇒ P′{x ↦ t}) ⊢ / | ∀D • P ⊢, where x is the n-tuple of variables introduced by Decl, t is an n-tuple of terms, Q is a conjunction of memberships tᵢ ∈ Sᵢ for each declaration xᵢ : Sᵢ in D, and P′ is P with any bound variables renamed to avoid clashes with names occurring in t. This rule combines CADiZ's quantification tac tactic, one-point rule, and absorption rules.
The inference rules are applied backwards in CADiZ to reduce a goal to subgoals. Thus, in particular, the introduction rules become elimination rules.
Expansions: An expansion rule X = Y is a law that allows any instance of X to be replaced by Y. We assume that these laws are meta-level (expressed outside Z, like the inference rules), but always produce Z expressions. Our expansion rules for memberships are exactly as in CADiZ; for example, S ∈ ℙ S′, for set expressions S and S′, may be expanded to ∀x : S • x ∈ S′. However, we replace CADiZ's expansion rule for set equality as indicated in Section 4.2.
This new expansion rule is, of course, entirely reasonable, as is our rule of normalisation; it is unfortunate that set equality cannot be defined as equivalence of membership (say, ∀x • x ∈ S ⇔ x ∈ S′), as in classical set theory [4], but then we would need a type for x, and this would take us back to CADiZ's definition. More importantly, when new concepts (and corresponding expansion rules) are introduced, such as ⊆, we must be careful to ensure that they satisfy the expected properties. For example, ⊆ should be defined by a law with the same expansion as membership of ℙ S′. If, instead, it is defined by S ⊆ S′ ⇔ ∀x : T • x ∈ S ⇒ x ∈ S′, where ℙ T is the type of S and S′, then we will no longer have S ∈ ℙ S′ ⇔ S ⊆ S′ as a consequence of our proof system (though CADiZ's unchanged normalisation rule would allow this equivalence to be proven). For example, we would have trivially {f o} ⊆ nats (assuming f o has type nats), but not necessarily {f o} ∈ ℙ nats. We will discuss this issue further in Section 8.

The Semantics of the Subset
In this section we will describe what we believe to be an intuitively straightforward and natural semantics for the expressions of our subset of Z. This semantics provides a meaning for terms that may not be assigned a value of their type. We will subsequently show that our expansion and inference rules are sound with respect to this semantics.
As mentioned previously, since our principal goal is merely to describe the meaning of partial-function applications in the context of a substantial subset of Z, our semantic "target language" will be an informal set-theoretic one, which itself includes disjoint "types" 𝒯₁, 𝒯₂, … for each Z type expression T₁, T₂, … .
We do not concern ourselves with the interpretation of such a language (in particular, the sets 𝒯₁, 𝒯₂, …) in terms of, say, ZF set theory, this being a problem to be resolved by the Z standards committee. In our semantics, we follow the "classical" approach discussed by Arthan [2], where undefined expressions are assigned some element of the appropriate type.

However, in order to allow a well-typed function application to return a "value" not a member of the function's range type, we distinguish `having type T' from `being a member of T'. We formalise this as follows. Let a well-typed specification involve a type T. In an interpretation for it we assign a set 𝒯 to T, constructed according to the form of T as follows.
If T is a given set, then 𝒯 is the union of two (possibly empty) disjoint sets 𝒯⁺ ∪ 𝒯⁻. If T is a power set ℙ T₁, then 𝒯 == ℙ 𝒯₁. If T is a product T₁ × … × Tₙ, then 𝒯 == 𝒯₁ × … × 𝒯ₙ.
Note that ⁺ and ⁻ are operators applied to the set 𝒯 to produce a subset; it is not strictly necessary to treat ⁺ and ⁻ as operators (we might have defined 𝒯 to be 𝒯⁺ ∪ 𝒯⁻), but the operator view simplifies the presentation of the meaning of membership `∈' below. However, we will often abbreviate (𝒯)⁺ and (𝒯)⁻ to, respectively, 𝒯⁺ and 𝒯⁻. Informally, 𝒯⁺ and 𝒯⁻ may be interpreted as, respectively, the defined values of T and the undefined values of type T. It is preferable, however, to view elements of 𝒯⁻ not as undefined values, but as, say, "super values" of type T, since they may have various properties assigned to them; for example, if f 0 is an "undefined" expression of type 𝔸, and g is a function from 𝔸 to 𝔸, then we may have g(f 0) = 0 without inconsistency arising.
Any set expression S introduced by a specification will have a type ℙ T, and will thus be assigned a subset of 𝒯 in an interpretation. For example, {f o}, with type ℙ nats, will be assigned the set consisting of the value of f o, whether this value is in nats⁺ or nats⁻. If S is a non-type set expression whose type is the powerset of a given set G, and 𝒮 is the set assigned to S in an interpretation, then the application of ⁺ to 𝒮 simply produces 𝒮 itself; clearly, 𝒮⁺ may or may not be a subset of 𝒢⁺. We also define (ℙ 𝒮)⁺ == ℙ(𝒮⁺) and (𝒮₁ × … × 𝒮ₙ)⁺ == 𝒮₁⁺ × … × 𝒮ₙ⁺ for any types or sets 𝒮, 𝒮₁, …, 𝒮ₙ in the models. Similarly, for values v₁, …, vₙ, (v₁, …, vₙ)⁺ = (v₁⁺, …, vₙ⁺). For any other interpretation value v we define v⁺ == v. In the following, we view any name n introduced by a declaration n : S within a Z specification as a constant of the appropriate type, and thus assign a single meaning to it in any interpretation. Names introduced by declarations in sequents, on the other hand, are viewed as free variables, and for a sequent to be "valid" it must be "true" in every interpretation under all well-typed assignments to its free variables.
We are now able to define the meaning of our Z expressions in an interpretation I, under an assignment d to any free-variable occurrences. In the following, let S, Sᵢ denote set expressions, Dᵢ denote a declaration, P, Q denote predicates, aᵢ denote a free variable or a constant, x, xᵢ denote free variables, c denote a constant, s, t, tᵢ denote terms, f denote a term of type ℙ(T × T′) for some T, T′, and R denote a relation symbol. In the language of our models we use the same symbols ℙ, × and brackets {, }, (, ) as are used in Z, since no confusion should arise. However, because the relationship between ∈ of Z and membership in the models is not straightforward, we use ε for membership in the model language. The symbol == is our metalogical equality. The total function App is defined as before.

In this section we demonstrate that our expansion and inference rules are consistent with the above semantics, via a soundness proof, and contrast this with the CADiZ rules. This should make sense of our semantics from the perspective of a typical Z (CADiZ) user. We say that an inference rule is sound if, whenever the hypotheses are a consequence of a specification, so is the conclusion. By an induction on proof structures we may show that soundness of our inference rules implies that our proof system is sound in the sense that, if a sequent X is proven from a specification, then X is a consequence of that specification (cf. [3]). We thus concern ourselves merely with the soundness of our rules.
If we translate a conjectural sequent D | Γ ⊢ Δ, for non-empty Γ and Δ, into the Z sentence ∀ D • (⋀ Γ) ⇒ (⋁ Δ), then the sequent is a consequence of a specification Φ iff the sentence is True in every model of Φ. If Γ or Δ is empty, we may replace it by, respectively, true or false in the corresponding sentence. We may thus show that, for each inference rule, if the hypotheses translated into sentences are True in every model of Φ, then so is the conclusion. We signify that a sentence S is True in all models of a specification Φ by Φ ⊨ S.

Theorem: Our inference rules are sound.

Proof: Tautologies: The tautologies are clearly True in all models, and thus sound when viewed as axioms.
Normalisation: This rule is sound if ∀x : S • (x ∈ S ∧ φ) ⇒ ψ ⊨ ∀x : S • φ ⇒ ψ, for arbitrary Z predicates φ and ψ and set or type expression S. With the assignment d omitted for brevity, the meaning of the antecedent in an interpretation is ∀y • y ε S⁺ ⇒ ((y ε S⁺ ∧ I(φ)) ⇒ I(ψ)); but this simplifies to ∀y • y ε S⁺ ⇒ (I(φ) ⇒ I(ψ)), which is the meaning of the consequent.

Function application: Recall that App(f, a) == the unique z such that (a, z) ε r, if such a z exists, where r is the relation assigned to f. The first hypothesis of each inference rule for function application is concerned with showing that such a z exists for the function expression f and argument t. If it does exist, then we may assume its unique existence, and replace P(f t) by its equivalent ∃x : F • x = f t ∧ P x, which is what the second hypothesis of each inference rule does.
3rd Northern Formal Methods Workshop, 1998

Equality reasoning: The inference rules of reflection, commutation and Leibniz are clearly sound for the equality of non-type terms, since the meaning of such a term of type T is simply some element of T, and the meaning of equality over T in a model is the "identity" relation over T. Equality of types also satisfies these rules, since if T₁⁺ = T₂⁺ then T₁ = T₂ by the disjointness of the model types, and so the interpretation of equality is again the identity relation. The only difficult case is the equality of sets with types. If we have, for instance, S = T in our specification, where S is a set expression and T is a type expression, then this implies that the meaning of S in a model is the same as T⁺, not T; we do not have identity in the model. However, commutation clearly holds, and Leibniz holds because the meanings of ∈, = and so on refer only to the sets S⁺ for any set or type S, so the meaning of any predicate will be unchanged by the replacement of S by T, or vice versa, if I(S)⁺ and T⁺ are the same.
Connectives: The soundness of these is straightforward.
∀ quantifier: ∀ introduction is sound, since ∀ D • (true ⇒ P) is equivalent to true ⇒ ∀ D • P. The soundness of ∀ substitution holds because Q ⇒ P′{x ↦ t} ⊨ ∀ D • P, where D, P, Q, x and t are as in the inference rule and the remaining predicate is arbitrary.
Membership Expansion: We justify only the expansion of powerset membership, leaving the other cases to the reader. Essentially, S₁ ∈ ℙ S₂ means S₁⁺ ε ℙ S₂⁺, while ∀x : S₁ • x ∈ S₂ means ∀y • y ε S₁⁺ ⇒ y ε S₂⁺. These are clearly equivalent according to the usual meanings of ε, ℙ and so on.

Set-Equality Expansion: Essentially, S₁ = S₂ means S₁⁺ = S₂⁺, while the meaning of ∀x : S₁ • x ∈ S₂ is as above, and similarly for ∀x : S₂ • x ∈ S₁. Clearly, the meanings of the two sides of the expansion are equivalent.

The original CADiZ normalisation rule is unsound with respect to our semantics, since t ∈ S ⇒ t ∈ T, for T the type of S, may be false. The original CADiZ set-expansion rule is also unsound with respect to our semantics, since S and S′, with type ℙ T, may have the same elements from T, and thus be the same according to the CADiZ rule, but may have different elements of type T that lie outside T; for example, S might

Properties of the Semantics
In our semantics, t = t always holds, but a conjecture such as ∃x : A • f0 = x, where f has the declaration f : A ⇸ A, may not hold. Applying existential instantiation with x bound to f0 results in an identity, f0 = f0, apparently proving the conjecture. However, there is a side condition to be proven, namely f0 ∈ A, and this membership need not hold in our semantics, since the fact that f0 has type A does not imply that f0 ∈ A.

As an example where "non-terminating" functions are involved, consider the following specification, based upon an example given by Smolka and Nutt [7]:

    f : ℕ ⇸ ℕ
    ∀ n : ℕ • f n = succ (f n)

If f had been declared to be a total function, then it would be possible to prove, for instance, that f0 ≠ f0, a contradiction; but this is not surprising, since a consequence of the axiom "defining" f is that f has no numeric value for any natural-number argument. This is a problem for Smolka and Nutt since they have only total functions; to solve it they introduce an error element and make f total on the set ℕ_⊥ = ℕ ∪ {error}. However, since f is declared as partial, no contradiction arises in our semantics: the attempted proof of the contradiction fails because, again, a membership constraint arises, namely f0 ∈ ℕ.
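To make the membership side condition concrete, here is an added example (it is not code from the paper, nor from CADiZ) that checks the two readings of partial-function application over a constructed finite model. It assumes, purely for the demonstration, that the carrier of ℕ is cut down to {0, 1, 2, 3}, that a single hypothetical super value named SUPER stands for the one element of ℕ⁺ outside ℕ, and that succ is read as the total cyclic shift n + 1 mod 4, which, like the real successor, has no fixed point. Under the classical reading every f n must lie in ℕ and the axiom ∀ n : ℕ • f n = succ (f n) has no model; under the paper's reading the model in which every f n is the super value satisfies it, f0 = f0 holds there, and ∃x : ℕ • f0 = x fails because no witness lies in ℕ.

```python
"""Finite-model check of partial-function application under two semantics.

Added example, not code from the paper.  Every object here is a constructed,
finite stand-in for the Z objects discussed in the text:
  NAT      - the type N, truncated to {0, 1, 2, 3}
  SUPER    - hypothetical name for the one element of N+ that is not in N
  succ     - read as the total, fixed-point-free cyclic shift n + 1 mod 4,
             so that, as on the real naturals, no n in NAT has n = succ n
"""
from itertools import product

NAT = (0, 1, 2, 3)            # constructed finite carrier for the type N
SUPER = "s"                   # hypothetical super value, an element of N+ \ N
NAT_PLUS = NAT + (SUPER,)     # N+: the set in which a term of type N is interpreted


def app(graph, arg, default):
    """App(f, a): the unique z with (a, z) in f's relation when there is one;
    otherwise the model is free to choose a value, here `default`."""
    zs = [z for (x, z) in graph if x == arg]
    return zs[0] if len(zs) == 1 else default


def succ_model(v):
    """Interpretation of succ : N -> N, total on NAT.  Applied to SUPER it is
    outside its domain, so App may return anything in N+; this model returns
    SUPER itself."""
    succ_graph = {(n, (n + 1) % len(NAT)) for n in NAT}
    return app(succ_graph, v, SUPER)


def f_models(value_pool):
    """Enumerate interpretations of  f : N -+> N  satisfying the axiom
        forall n : N . f n = succ (f n)
    by trying every assignment of App(f, n) over `value_pool`; each model is
    returned as a dict n -> App(f, n)."""
    sat = []
    for vals in product(value_pool, repeat=len(NAT)):
        f_app = dict(zip(NAT, vals))
        if all(f_app[n] == succ_model(f_app[n]) for n in NAT):
            sat.append(f_app)
    return sat


def classical_models():
    """Arthan/CADiZ-style reading: every application f n, defined or not, is
    some element of the range type N, so values are drawn from NAT only."""
    return f_models(NAT)


def super_value_models():
    """The paper's reading: f n has type N and so lies in N+, but need not
    lie in N.  Values are drawn from NAT_PLUS."""
    return f_models(NAT_PLUS)


def reflexive_equality(f_app):
    """t = t holds whether t is in N or only in N+."""
    return f_app[0] == f_app[0]


def exists_witness_in_nat(f_app):
    """Meaning of  exists x : N . f 0 = x  in a model: the witness must be an
    element of N, so f 0 = f 0 alone does not discharge it when f 0 is a
    super value."""
    return any(f_app[0] == x for x in NAT)


if __name__ == "__main__":
    print("classical models:", classical_models())            # []
    sm = super_value_models()
    print("super-value models:", sm)                           # [{0: 's', 1: 's', 2: 's', 3: 's'}]
    print("f0 = f0:", reflexive_equality(sm[0]))               # True
    print("exists x : N . f0 = x:", exists_witness_in_nat(sm[0]))  # False
```

The search is exhaustive over 4⁴ and 5⁴ candidate interpretations respectively, which is enough to show that the only thing separating "contradiction" from "satisfiable" is whether an undefined application is forced back into the range type.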
These properties of our semantics seem reasonable, but there are others that may appear anomalous. Firstly, our "undefined" values may have properties, apparently contradicting their undefined status. For example, we might have g(f0) = 0 as an axiom, though f0 has no value in its range (i.e., is "undefined"). However, this already holds for function applications that are undefined merely in the sense that they have not been explicitly assigned a value. For example, we might have f0 > 3 as an axiom, though f0 has no explicit value according to the specification; that is, a model might assign any element of ℕ \ {0, 1, 2, 3} to f0. We pre-empted this argument by pointing out that our "undefined" values should more accurately be referred to as "super" values. A second, more disconcerting, aspect of our semantics is that our super values may have counter-intuitive properties.
Example: Suppose we have a relation ≤ : ℙ(ℕ × ℕ), a function f : ℕ ⇸ ℕ, and the usual axiom for ≤, ∀x : ℕ • x ≤ x. No contradiction arises if we add, to a specification with just these declarations and axiom, a pair of properties relating f0 and 0 under ≤ that no element of ℕ could satisfy, the reason being that, to contradict the given axiom, f0 must be assigned a value in ℕ, and there are models in which it is not assigned such a value.

Our first justification for this apparently anomalous result is that f0 has the unexpected properties only because the specification has assigned them to it. Of course, even if those two properties had not been added to the specification, there would still be models of the original specification in which they hold, but, in that case, we would not be able to prove that they hold as a consequence of the specification.

Secondly, we argue that the counter-intuitive nature of this result partly arises from the choice of the symbol ≤ for our relation. Consider a specification in which we have a relation R : ℙ(A × A) and the axiom ∀x : ℕ • R(x, x); clearly no contradiction arises, formally or intuitively, if we add ¬R(1/2, 1/2), where "/" denotes division: a model for this specification is one in which R is assigned the relation {x, y : A | x ≤ y ≤ x}, which relates each element of ℕ to itself but does not relate 1/2 to itself. If R had been called ≤, however, 1/2 ≰ 1/2 would have been disconcerting. Of course, Z users will typically wish to use suggestive names and symbols such as ≤ for their relation and function symbols; the point is that, since a relation is always declared over a set of, for example, pairs, the specifier cannot expect all defined properties of the relation to hold for objects not in that set, and these objects include the super values in our semantics.
All these properties of our semantics have a counterpart in the alternative approach to partiality, in which we modify, for instance, the concept of a free type within Z. For example, if we define nats as a subset of the given type nats′ and include the axiom ∀x : nats • x ≤ x, then we may or may not have fo ≤ fo in any model in which fo is assigned some value from nats′ \ nats. Similarly, the reinstatement, in the type-change approach, of the property ∀x : T • ∃y : T′ • f x = y ⇒ (x, y) ∈ f, where T, T′ are types and f has type ℙ(T × T′), as suggested in Section 4.1, is also possible in the semantic approach.

The relationship between the two approaches to partiality may be formalised as follows. Let Φ be a specification with exactly the given types T₁, …, Tₙ, and in which there is no use of the names Tᵢ′ or Tᵢ⁺ for any i. We derive Φ′ from Φ by replacing the introduction of each given type Tᵢ with the introduction of the given type Tᵢ′, and by adding the declaration Tᵢ : ℙ Tᵢ′ for each Tᵢ. We also modify our semantics I to J by deleting all occurrences of "⁺"; our subset of Z thus becomes virtually its own semantics. If we write ⊨_I for logical consequence in the I semantics and ⊨_J for logical consequence in the J semantics, then for any Z predicate φ in the language of Φ we have

    Φ ⊨_I φ   iff   Φ′ ⊨_J φ.

The reason for this is that, since neither Φ nor φ makes reference to the Tᵢ′ or the Tᵢ⁺, we may correlate each Tᵢ⁺ with the J interpretation of the corresponding Tᵢ′, and correlate, for each set expression S in Φ or φ, the I-set S⁺ with the J interpretation of S. We then have a correspondence between the two semantics for Φ and the expressions in φ. This does not mean, however, that the approaches are, for all practical purposes, identical. One major difference is the relative difficulty of defining certain concepts, such as ∪, even if we suppose they are defined via expansion laws. In the first approach we may define the union of any two arbitrary set expressions S and S′ by {x : T | x ∈ S ∨ x ∈ S′}, where ℙ T is the type of S and S′. In the second approach this definition will not always produce the full union, but only the union of the "defined" subsets. On the other hand, for practical applications we may wish to construct only the union of these defined subsets.
For example, in the process of refinement, where we wish to construct a function satisfying our specification, it is likely that the desired domain for our function will be the maximal set over which the function's specification is total [10]. There seems to be no practical reason for constructing the full union of sets with undefined elements; the construction of such sets in this paper was purely for theoretical considerations.
One, as yet unresolved, difficulty with our semantic approach to partial-function application is that we cannot always simplify expressions involving undefined terms as we would like. For example, we cannot simplify the expression (s o ÷ o) + o via the equation ∀x : nats • x + o = x, because we cannot show that s o ÷ o is an element of nats; the principal benefit of Arthan's approach [2] is that such expressions may be simplified, since s o ÷ o would be assumed to be in nats. One possible resolution to this problem is to allow untyped quantifiers [3]. For example, we might allow equations such as ∀x • x + o = x. Any applied instance of a predicate with untyped quantifiers must have appropriate types. For example, any applied instance t + o = t of the equation ∀x • x + o = x must be such that t + o and t are both well-typed Terms and have the same type. This constraint on the application of predicates with untyped quantifiers should ensure that untyped quantifiers do not introduce the sort of problems (e.g. paradoxes) that typing is designed to eliminate [8]. Consequently, we are not advocating that all expressions be untyped.

Conclusions
We have argued that it is advantageous to be able to include in our specifications function applications that do not always return a value of the function's range, but have shown that this can make typical Z specifications inconsistent according to the usual (intuitive, if not yet formalised) semantics of Z. We have also presented two possible resolutions to this inconsistency problem, one involving a modification to our specifications and the other a modification to our proof systems.

We have shown that the two approaches are closely related, and thus have some benefits in common. Neither imposes constraints on the meaning of a function itself; in particular, partial functions are not "totalised". Also, we do not have a "bottom" object, and do not have the problem of deciding whether or not our functions should be strict: the value of a function application to a super value is simply an element of the set assigned to the type of the function application. Perhaps most importantly, partial functions are not total from the perspective of function application.

The major disadvantage of the specification-change approach is that it is an imposition on the specifier, even if automated tools make the necessary changes. The inference-change approach avoids this problem, for the most part, but deviates from the classical view of, and approach to, reasoning about Z [8, 2, 9]. If either of these approaches is to be used in practice, preference will probably depend upon the perceived utility and pervasiveness in real specifications of non-total function application.

Irrespective of the acceptability of non-total function application, it is hoped that this paper has clarified the meaning of application in general, including the application of relations that are neither total nor partial functions. With respect to partial functions, Arthan [2] and Valentine [10] have argued that we may assign some member of their range types to any application to objects outside their domains. In this paper, we have shown further that this possibility is implicitly built in to current reasoning systems for Z such as CADiZ: while it is not immediately apparent that fo is an element of the type nats if f is a partial function from nats to nats, we have shown that it is possible to prove in CADiZ that {x : nats | true • f x} is a subset of nats. Thus, any other approach to partial-function application, such as the introduction of a bottom object ⊥ or the one we have proposed, will entail modification of the inference rules of reasoners such as CADiZ.

There are several possible directions for future research. We have covered only a fairly small subset of Z, omitting, most prominently, schemas and generics; inclusion of these is paramount for the utility of our work to Z users. There is also more work to be done on the effects of non-total function application on the issues of refinement and inductive proof; recently, we have been developing an approach to proving inductive properties of partial functions that utilises the distinction our semantics makes between defined and undefined function applications. Completeness results for our proof rules with respect to the described semantics might also be developed: we should be able to show that our rules support the proof of all possible properties of partial functions, at least for subsets of Z. In addition, we need to consider further the problem of simplifying (rewriting) expressions involving undefined terms.