(************************************************************************* * Copyright (C) * 2019-2023 The University of Exeter * 2018-2023 The University of Paris-Saclay * 2018 The University of Sheffield * * License: * This program can be redistributed and/or modified under the terms * of the 2-clause BSD-style license. * * SPDX-License-Identifier: BSD-2-Clause *************************************************************************) chapter\High-level Class Invariants\ theory Concept_High_Level_Invariants imports "Isabelle_DOF.Isa_DOF" "Isabelle_DOF-Unit-Tests_document" TestKit begin section\Test Purpose.\ text\ Without invariants, ontological classes as such are too liberal in many situations. Similarly to UML constraints, invariants or hand-programmed checking functions can be added in ODL ontologies in order to constrain class instances or (via monitor traces) impose structural constraints over an entire document. While hand-programmed checking functions were tested in test-case \<^verbatim>\Concept_Example_Low_Level_Invariant\, in this text case, we test high-level invariants, i.e. data-constraints speicified as executable HOL-predicates in the @{theory_text \invariant\} clause of ODL definitions. To enable the checking of the invariants, the \invariants_checking\ theory attribute must be set:\ section\The Scenario.\ text\ This is merely an example that shows that the generated invariants fit nicely together; i.e. allow for sensible consistency and invariant preservation proofs related to ontological matchings. \ text\Using HOL, we can define a mapping between two ontologies. It is called ontology matching or ontology alignment. Here is an example which show how to map two classes. HOL also allows us to map the invariants (ontological rules) of the classes!\ text\ Ontological classes as described so far are too liberal in many situations. There is a first high-level syntax implementation for class invariants. These invariants can be checked when an instance of the class is defined. To enable the checking of the invariants, the \invariants_checking\ theory attribute must be set:\ declare[[invariants_strict_checking = true]] text\For example, let's define the following two classes:\ doc_class class_inv1 = int1 :: "int" invariant inv1 :: "int1 \ \ 3" doc_class class_inv2 = class_inv1 + int2 :: "int" invariant inv2 :: "int2 \ < 2" text\The symbol \<^term>\\\ is reserved and references the future instance class. By relying on the implementation of the Records in Isabelle/HOL~@{cite "wenzel:isabelle-isar:2020"}, one can reference an attribute of an instance using its selector function. For example, \<^term>\int1 \\ denotes the value of the \<^term>\int1\ attribute of the future instance of the class @{doc_class class_inv1}. Now let's define two instances, one of each class:\ text*[testinv1::class_inv1, int1=4]\lorem ipsum...\ update_instance*[testinv1::class_inv1, int1:="3"] (* When not commented, should violated the invariant: update_instance*[testinv1::class_inv1, int1:=1] *) text*[testinv2::class_inv2, int1=3, int2=1]\lorem ipsum...\ text\ The value of each attribute defined for the instances is checked against their classes invariants. As the class @{doc_class class_inv2} is a subsclass of the class @{doc_class class_inv1}, it inherits @{doc_class class_inv1} invariants. Hence the \<^term>\int1\ invariant is checked when the instance @{docitem testinv2} is defined.\ text\Test invariant for attributes of attributes: \ doc_class inv_test1 = a :: int doc_class inv_test2 = b :: "inv_test1" c:: int invariant inv_test2 :: "c \ = 1" invariant inv_test2' :: "a (b \) = 2" doc_class inv_test3 = inv_test1 + b :: "inv_test1" c:: int invariant inv_test3 :: "a \ = 2" invariant inv_test3' :: "a (b \) = 2" doc_class inv_test4 = inv_test2 + d :: "inv_test3" invariant inv_test4 :: "a (inv_test2.b \) = 2" invariant inv_test4' :: "a (d \) = 2" text*[inv_test1_instance::inv_test1, a=2]\\ text*[inv_test3_instance::inv_test3, a=2, b="@{inv-test1 \inv_test1_instance\}" ]\\ text*[inv_test4_instance::inv_test4, b="@{inv-test1 \inv_test1_instance\}" , c=1, d="@{inv-test3 \inv_test3_instance\}"]\\ text\To support invariant on attributes in attributes and invariant on attributes of the superclasses, we check that the type of the attribute of the subclass is ground:\ ML\ val Type(st, [ty]) = \<^typ>\inv_test1\ val Type(st', [ty']) = \<^typ>\'a inv_test1_scheme\ val t = ty = \<^typ>\unit\ \ text\Now assume the following ontology:\ doc_class title = short_title :: "string option" <= "None" doc_class Author = email :: "string" <= "''''" datatype classification = SIL0 | SIL1 | SIL2 | SIL3 | SIL4 doc_class abstract = keywordlist :: "string list" <= "[]" safety_level :: "classification" <= "SIL3" doc_class text_section = authored_by :: "Author set" <= "{}" level :: "int option" <= "None" type_synonym notion = string doc_class Introduction = text_section + authored_by :: "Author set" <= "UNIV" uses :: "notion set" invariant author_finite :: "finite (authored_by \)" and force_level :: "(level \) \ None \ the (level \) > 1" doc_class claim = Introduction + based_on :: "notion list" doc_class technical = text_section + formal_results :: "thm list" doc_class "definition" = technical + is_formal :: "bool" property :: "term list" <= "[]" datatype kind = expert_opinion | argument | "proof" doc_class result = technical + evidence :: kind property :: "thm list" <= "[]" invariant has_property :: "evidence \ = proof \ property \ \ []" doc_class example = technical + referring_to :: "(notion + definition) set" <= "{}" doc_class conclusion = text_section + establish :: "(claim \ result) set" invariant establish_defined :: "\ x. x \ Domain (establish \) \ (\ y \ Range (establish \). (x, y) \ establish \)" text\Next we define some instances (docitems): \ declare[[invariants_checking_with_tactics = true]] text*[church::Author, email="\church@lambda.org\"]\\ text*[resultProof::result, evidence = "proof", property="[@{thm \HOL.refl\}]"]\\ text*[resultArgument::result, evidence = "argument"]\\ text\The invariants \<^theory_text>\author_finite\ and \<^theory_text>\establish_defined\ can not be checked directly and need a little help. We can set the \invariants_checking_with_tactics\ theory attribute to help the checking. It will enable a basic tactic, using unfold and auto:\ declare[[invariants_checking_with_tactics = true]] text*[curry::Author, email="\curry@lambda.org\"]\\ text*[introduction2::Introduction, authored_by = "{@{Author \church\}}", level = "Some 2"]\\ (* When not commented, should violated the invariant: update_instance*[introduction2::Introduction , authored_by := "{@{Author \church\}}" , level := "Some 1"] *) text*[introduction3::Introduction, authored_by = "{@{Author \church\}}", level = "Some 2"]\\ text*[introduction4::Introduction, authored_by = "{@{Author \curry\}}", level = "Some 4"]\\ text*[resultProof2::result, evidence = "proof", property="[@{thm \HOL.sym\}]"]\\ text\Then we can evaluate expressions with instances:\ term*\authored_by @{Introduction \introduction2\} = authored_by @{Introduction \introduction3\}\ value*\authored_by @{Introduction \introduction2\} = authored_by @{Introduction \introduction3\}\ value*\authored_by @{Introduction \introduction2\} = authored_by @{Introduction \introduction4\}\ value*\@{Introduction \introduction2\}\ value*\{@{Author \curry\}} = {@{Author \church\}}\ term*\property @{result \resultProof\} = property @{result \resultProof2\}\ value*\property @{result \resultProof\} = property @{result \resultProof2\}\ value*\evidence @{result \resultProof\} = evidence @{result \resultProof2\}\ declare[[invariants_checking_with_tactics = false]] declare[[invariants_strict_checking = false]] end