Composing Least-change Lenses Electronic Communications of the EASST Volume 57 (2013) Proceedings of the Second International Workshop on Bidirectional Transformations (BX 2013) Composing Least-change Lenses Nuno Macedo, Hugo Pacheco, Alcino Cunha and José N. Oliveira 19 pages Guest Editors: Perdita Stevens, James F. Terwilliger Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Composing Least-change Lenses Nuno Macedo1, Hugo Pacheco2, Alcino Cunha3 and José N. Oliveira4 1 nfmmacedo@di.uminho.pt 2 hpacheco@di.uminho.pt 3 alcino@di.uminho.pt 4 jno@di.uminho.pt HASLab INESC TEC / Universidade do Minho, Braga, Portugal Abstract: Non-trivial bidirectional transformations (BXs) are inherently ambiguous, as there are in general many different ways to consistently translate an update from one side to the other. Existing BX languages and frameworks typically satisfy fundamental first principles which ensure acceptable and stable (well-behaved) translation. Unfor- tunately, these give little insight about how a particular update translation is chosen among the myriad possible. From the user perspective, such unpredictability may hinder the adoption of BX frameworks. The problem can be remedied by imposing a “principle of least change” which, in a state-based framework, amounts to translating each update in a way such that its result is as close as possible to the original state, according to some distance measure. Starting by formalizing such BXs focusing on the particular framework of lenses, this paper discusses whether such least-change lenses can be defined by composition, an essential construct of BX frameworks. For sequential composition, two (dual) update translation alternatives are presented: a classical deterministic one and a nondeterministic. A key ingredient of the approach is the elegant formalization of the main concepts in relation algebra, which exposes several similarities and dualities. Keywords: Bidirectional transformations, Principle of least change, Compositional- ity, Relational calculus 1 Introduction Consider the bidirectional transformation (BX) framework of lenses [FGM+07]1. Definition 1 (Lens) A lens l : S Q V between a source schema S and a view schema V consists of a total function getl : S → V and a partial function putl : S → V 7→ S. The lens is said to be well-behaved if it satisfies two BX laws: s′ ∈ putl s v ⇒ v = getl s ′ PUTGET v = getl s ⇒ s ∈ putl s v GETPUT 1 Note that we see lenses as a general bidirectional framework, including the particular lens language of [FGM+07]. 1 / 19 Volume 57 (2013) mailto:nfmmacedo@di.uminho.pt mailto:hpacheco@di.uminho.pt mailto:alcino@di.uminho.pt mailto:jno@di.uminho.pt Composing least-change lenses Person * * follows (a) Model M1. popularity : Nat Person (b) Model M2. Person (c) Model M3. Figure 1: Model (M1) and respective views (M2,M3) of a simplified Twitter. Here s′ ∈ putl s v means that putl s v is defined and that s′ = putl s v. The PUTGET law entails that a lens is acceptable, i.e., view updates are translated exactly by put (information in the view is not ignored). Essentially, this law imposes an upper bound on the behavior of put (admissible behaviors). The GETPUT law entails that a lens is stable, i.e., if the view is not changed, then it must be “put back” to the same source. Dually, this law imposes a lower bound on the behavior of put (mandatory behaviors). The classic lens framework is compositional: writing a BX amounts to writing the get trans- formation in a domain-specific language that includes a set of primitive BXs, and combinators that allow us to compose those into complex “correct-by-construction” BXs. This contrasts with other “bidirectionalization” frameworks, that perform syntactic or semantic inversion of a transformation written in a general purpose language, or that derive suitable forward and backward transformations from a declarative consistency relation specified between source and target values. In general, the above BX laws allow multiple valid backward transformations. For instance, consider the class diagram M1 in Figure 1a that models a simplified Twitter: we have people (Person) who may follow other people. We could define a model transformation T1 that keeps the popularity of each person and erases the follows associations, resulting in the model M2 of Figure 1b, with the constraint that popularity cannot be higher than the number of people. A second model transformation T2 could also remove the popularity of each person, ending up with M3 of Figure 1c, where only people that have followers are represented. To satisfy GETPUT, a put for T1 must return the same source when the view is not changed. If the view is changed, then it must satisfy PUTGET, which essentially only requires popularity preservation. For example, should somebody be added to a view with a given popularity, put has freedom to determine who should follow her or him. Unfortunately, it is free to rearrange the followers of all other people too, as long as their popularity remains the same. The lens laws should be taken as first principles: for example, GETPUT “only provides a relatively loose constraint on the behavior of lenses”, as originally remarked by the authors of the lens framework [Fos09]. To understand the behavior of a lens, a user cannot rely solely on the laws and must directly inspect the definition of put. Therefore, laws providing more guarantees about put would provide a better account of its behavior to users: instead of requiring only that the source remains unchanged when the view is unchanged, they could require also that an update translation should be as small as possible. This “principle of least change” has in fact already been proposed by Meertens [Mee98] for the BX framework of constraint maintainers. When applied to lenses, this principle will allow us to tighten the bounds imposed by the traditional laws, thus making the behavior of put more Proc. BX 2013 2 / 19 ECEASST predictable. Returning to our example, and assuming that the “distance” between two source instances increases with the number of people and follow associations not shared by both, the behavior of a put function that when adding a person to the target rearranges the followers of the remaining persons would no longer be acceptable (but different puts can still be defined, reflecting the different choices of followers to be added to the new person). In this paper, we introduce least-change lenses by applying Meertens’ [Mee98] “principle of least change” to regular lenses. Given a preorder (a reflexive and transitive binary relation) on sources that captures the distance to a given source, least-change lenses will require put to return minimal updates according to that preorder. We also discuss whether a compositional approach is viable to build such lenses. Indeed, Meertens did not investigate the composition of least-change maintainers and many authors [Ste10, Dis08, HPW11] view the lack of compositionality as a drawback. Our fundamental (and novel) research question is: given two least-change lenses, is their sequential composition also a least-change lens? Suppose, for instance, that T1 is a least-change lens minimizing updates according to the distance presented above. Can it be safely composed with another least-change lens? In part, the answer depends on the distance measure used for the target model, and we will present some criteria involving this metric that enable us to answer positively the above question. Unfortunately, the framework of deterministic lenses (where put returns at most one source) is too restrictive to allow composition in general. In our example, if the distance on target models ignores popularity, any transformation performed after our transformation (for example, throwing away the popularity field and leaving only people) is free to assign a very high popularity to a new person, which will obviously lead to a non-minimal update of the composed global transformation (T2 after T1). In such situations, some sort of compositionality can sometimes be achieved if we allow put to be nondeterministic and require it to generate all sources at the minimal distance. This will allow the put of the first transformation to consider the different alternatives, and maybe return the desired least-changed sources. This nondeterministic composition is not ideal: when composing two lenses f and g, putf needs to search which intermediate candidate results of putg will generate minimal sources according to its preorder. Nevertheless, it is still far better than trying to discover the least-changed sources of the composed transformation directly, since for reasonable orders the guidance from the inner transformations will greatly limit the search space (indeed, it allows the construction of a search tree by composition). Paper structure. The next section will introduce least-change lenses, both deterministic and nondeterministic. In Section 3 we provide a brief account of the relational calculus, just enough for allowing us to elegantly formalize such lenses. In particular, it will become clear that the traditional lens laws just impose bounds on the behavior of put, which will be tightened by least-change lenses. It will also expose the two variants (deterministic and nondeterministic) as duals of each other, paving the way to easily transcribing properties found about one of them to the other. Section 4 then presents some necessary conditions to attain (sequential) compositionality. Section 5 presents some related work, and Section 6 concludes and discusses several possible directions for future work on this topic, about which this paper aims only to make a small but principled contribution. 3 / 19 Volume 57 (2013) Composing least-change lenses 2 Least-change lenses The concept of least changes requires the definition of a family of total preorders comparing sources relative to their “distance” to some other source2. For any source value s ∈ S we also require the respective total preorder on S, denoted by �s, to be stable. Definition 2 (Stable preorder) For any source s ∈ S, a preorder �s is said to be stable if s is its unique minimal value, i.e., s1 �s s ⇔ s1 = s ORDSTABLE Condition ORDSTABLE ensures that the source s is the single closest value to itself, i.e., s is the universal lower-bound of �s. One possible way to construct such total preorder �s is to rely on a distance measure function dist : S → S →N on sources S, such that [Mee98] s1 �s s2 ⇔ (dist s s1) 6 (dist s s2) where 6 :N→N is the standard order on natural numbers3. The order is stable if the distance is stable, i.e., the closest value to a source s is itself4: dist s s′ = 0 ⇔ s = s′ DISTSTABLE An instance of M1 of our example consists of a tuple (W,F), where W is a set of people and F a follows relation from people to people (a set of pairs F ⊆ W×W). A suitable distance measure for M1 is the size of their symmetric differences: dist1 (W,F) (W′,F′) = #(W ∆ W′)+ #(F ∆ F′) where X ∆ Y = (X−Y) ∪ (Y −X) An instance of M2 can be seen as a tuple (W,P), where W is again a set of people and P is a function from people to popularity P : W → N, which is equivalent to a multi-set of people. Again, a suitable distance measure could be the size of their symmetric differences (generalized to multi-sets with the obvious definition): dist2 (W,P) (W′,P′) = #(W ∆ W′)+ #(P ∆ P′) We could however ignore the popularity of people not contained in both instances: dist′2 (W,P) (W ′,P′) = #(W ∆ W′)+ #((P ⊗ (W ∩ W′)) ∆ (P′ ⊗ (W ∩ W′))) where (X ⊗ Y) x = if x ∈ Y then X x else 0 2 By total preorder we mean a preorder � such that, for any points x, y, either x � y or y � x holds. Anti-symmetry is not required because any two points at the same distance will be comparable in either way and they need not be the same. 3 Instead of natural numbers any well ordered set could be used in the range of the distance function, providing more flexibility when computing distances. Notice also that if, for a given s, dist s is an injective distance function, then the induced preorder � will be anti-symmetric (i.e. a partial order). 4 In a metric space, this clause is known as identity of indiscernibles. In fact, it could be reasonable to assume that (S,dist) is a metric space, satisfying other properties such as symmetry or triangle inequality, although these are orthogonal to the properties of least-change lenses. Proc. BX 2013 4 / 19 ECEASST 2.1 Deterministic least-change lenses Definition 3 (Least-change lens) Given a family of stable total preorders �s for every s ∈ S, a least-change lens l : S� Q V consists of a forward total transformation getl : S → V , and a partial backward transformation putl : S → V 7→ S. A least-change lens is well-behaved if it satisfies GETPUT and s′ ∈ putl s v ⇒ v = getl s ′ ∧ (∀ s1 . v = getl s1 ⇒ s ′ �s s1) LEASTPUTGET LEASTPUTGET is equivalent to the original least change principle proposed in [Mee98]. It is a refinement of PUTGET, in the sense that the resulting source value is required to be not only acceptable, but also one of closest to the original s among the sources that share the same view v. LEASTPUTGET thus lowers the upper bound for put and reduces the range of valid updates. Although the backward transformation is more restricted, there may still be more than one valid put for the same get and preorder �s, since there may be multiple sources at the same distance. Consider our example transformation T1 with the preorder induced by the distance measure dist1. If we add a person p to the view with popularity n, put is free to choose who will be her followers, since any instance with n followers for p is at the same distance from the original source. However, it is no longer free to change the followers of other people, since this would result in more distant instances. Concerning transformation T2, if we use the preorder induced by dist2, then when a new person is added to the view put must assign him popularity 0. However, if we use the preorder induced by dist′2 instead, put is free to assign the new person any valid popularity. In both cases, put must preserve the popularity of the previously existing people. Obviously, the preorder may not discriminate much, and at one end of the spectrum we may have a preorder induced by the measure that considers all different values at the same distance5: dist s s′ = if s = s′ then 0 else 1 In this case, LEASTPUTGET degenerates into the original PUTGET, allowing the same backward transformations as the regular lens laws, only recovering the original source when the view is not modified. The other extreme case occurs when the preorder is refined to the point where minimal values are unique and there is a single valid put. This will occur when dist s is injective (resulting in a total order �s), since the minimal source will always be unique. 2.2 Nondeterministic least-change lenses As discussed in the introduction, for many pragmatic examples a deterministic put that commits to a particular minimal update will be too restrictive to allow compositionality. Therefore, we will introduce a variant of least-change lenses where put is nondeterministic, and enumerates all possible minimal updates. To distinguish it from the deterministic case it will be denoted as Put. Definition 4 (Nondeterministic least-change lens) Given a family of stable total preorders �s for every s ∈ S, a nondeterministic least-change lens l : S� IQ V consists of a forward total 5 In metric space terminology, this is known as the discrete metric on a set. 5 / 19 Volume 57 (2013) Composing least-change lenses transformation getl : S→V , and a nondeterministic backward transformation Putl : S→V →P(S) The lens is said to be well-behaved if it satisfies PUTGET and v = getl s ′ ∧ (∀ s1 . v = getl s1 ⇒ s ′ �s s1)⇒ s′ ∈ Putl s v LEASTGETPUT In nondeterministic least-change lenses, the LEASTGETPUT law replaces GETPUT as the lower bound of Put and PUTGET is kept as the upper bound. In fact, LEASTGETPUT is the dual of LEASTPUTGET, as it states that, if a source s′ (with view v) is one of the closest to s, then it must be returned by Put s v. This duality will become clear in the next section. Returning to our transformation T2 with distance measure dist ′ 2, when a new person is added to the view, a well-behaved Put will return all instances with all possible popularities for this person. 3 Formalizing least-change lenses in relational algebra In the sequel we use relational algebra [BM97] to formally specify and reason about least-change lenses. Each set-valued function f : A → P(B) is in 1-to-1 correspondence with a relation R ⊆ B×A in the sense that b ∈ f a is equivalent to (b,a) ∈ R, or b R a using infix notation, as in 2 6 3. Infix notation suggests writing R : B ← A (or R : A → B) instead of R ⊆ B×A as the type of relation R, where the arrow captures the flow of information. This makes it easy to type the main operation of relation algebra, sequential composition, as arrow chaining: given relations R : A → B and S : B → C, their composition, denoted by S·R : A → C, such that c (S·R) a means that there is a b such that c S b and b R a. Arrow notation is also meaningful in typing the converse of a relation R : A → B, R◦ : B → A, which is such that a R◦ b means the same as b R a. A function f : A → B is a special case of relation, in that it is deterministic and totally defined. Thus both b f a and a f◦ b mean b = f a. For instance, expression f◦·R·g denotes a preorder if R is another preorder. It compares a and a′ by comparing their images R, (f a) R (g a′). The relational calculus enables a point-free (or quantifier-free) formalization of first-order logic, where atomic formulas are inequations R ⊆ S, meaning b R a ⇒ b S a for all a and b. To obtain the expressive power of first-order logic we also need the split (or fork) of relations R : A → B and S : A → C, denoted by R M S : A → B×C, (b,c) (R M S) a holding whenever b R a and c S a hold. The notation a : B → A is used to denote the constant function that returns the value a ∈ A for every input. Finally, we also use the division combinator between relations R : C → A and S : C → B denoted S / R : A → B (with b (S / R) a holding whenever a R c implies b S c, for any possible c). The domain and range of a relation R : A → B will be denoted by δ R : A → A (a δ R a ⇔∃ b . bRa) and ρ R : B → B (b ρ R b ⇔∃ a . bRa) respectively. These belong to a special kind of relation called coreflexive which, being subsets of the identity, act as a kind of filter. It can be easily checked, for instance, that inequality put s ⊆ get◦ means the same as the PUTGET law: s′ ∈ put s v ⇒ v = get s′. Similar re-statement of PUTGET and GETPUT in relational algebra makes it clear that they establish lower and upper bounds for put, put s ⊆ get◦ PUTGET ρ s·get◦ ⊆ put s GETPUT where ρ s ={(s,s)} filters out values other than s, restricting the output of get◦ to s. As ρ s is at most the identity, such bounds are consistent – the lower bound is smaller than the upper bound. Proc. BX 2013 6 / 19 ECEASST The principle of least change, formalized by the LEASTPUTGET and LEASTGETPUT laws, can be encoded in terms of the so-called shrink operator R � S : A → B [MO11] that minimizes the output of a relation R : A → B in regard to a relation S : B → B, and defined as follows: b (R � S) a ⇔ b R a ∧ (∀ x . b R x ⇒ a S x) In relational notation this equals defining R � S = R ∩ S / R◦. So R � S is at most R and its output is a minimum in regard to S. Using shrink, the least-change laws can be specified as follows: put s ⊆ get◦ ��s LEASTPUTGET get◦ ��s ⊆ Put s LEASTGETPUT Clearly, these laws are dual of each other. Moreover, it can be shown that they refine the original laws in the sense that LEASTPUTGET lowers the upper-bound imposed by PUTGET and LEASTGETPUT raises the lower-bound imposed by GETPUT. Proposition 1 Given a family of stable total preorders �s : S → S, we have ρ s·get◦ ⊆ get◦ ��s ⊆ get◦ Proof. The upper bound is trivial since get◦ ∩ �s /get ⊆ get◦; for the lower bound we have ρ s·get◦ ⊆ get◦ ��s ≡ {-shrink definition -} ρ s·get◦ ⊆ get◦ ∩ �s /get ≡ {-universal-∩ ; division -} ρ s·get◦ ⊆ get◦ ∧ ρ s·get◦·get ⊆ �s ≡ {-ρ s = s·s◦ ; shunting -} s◦·get◦·get ⊆ s◦·�s ≡ {-ORDSTABLE thus s◦·�s => -} s◦·get◦·get ⊆ > Note how ORDSTABLE is required for this proof. This was expected, since the lower bound is only restricting the result of put for the original source s, and ORDSTABLE states precisely that it is a minimum of the preorder. This proposition also shows that LEASTGETPUT and PUTGET are consistent bounds. Wherever dist s is injective (�s is antisymmetric in this case) or get is injective, get◦ ��s will be deterministic6 and put s will also be deterministic. Moreover: Proposition 2 For get surjective and get◦ ��s deterministic, put s = get◦ ��s is the only total backward transformation that gives rise to a well-behaved deterministic least-change lens. It is also the smallest Put that gives rise to a well-behaved nondeterministic least-change lens. 6 Since antisymmetric shrinking criteria ensure determinism [MO11]. 7 / 19 Volume 57 (2013) Composing least-change lenses Proof. Trivial, since �s is reflexive and shrinking deterministic relations by reflexive orderings has no effect [MO11]. We can also prove the expected relationship between regular and least-change lenses. Proposition 3 Every well-behaved deterministic least-change lens l : S� Q V is a well-behaved regular lens l : S Q V . Proof. GETPUT is a requirement for least-change lenses and PUTGET follows from Proposition 1. Proposition 4 Every well-behaved regular lens l : S Q V is a well-behaved deterministic least-change lens l : S� Q V . Proof. Take the total preorder induced by dist s s′ = if s = s′ then 0 else 1. Then LEASTPUTGET degenerates into PUTGET. Finally, any well-behaved lens can also be seen as a well-behaved nondeterministic least-change lens by inferring a preorder such that get◦ ��s is deterministic and equal to put. Proposition 5 Every well-behaved regular lens l : S Q V is a well-behaved nondeterministic least-change lens l : S� IQ V . Proof. For the total preorder s′′ �s s′ ⇔ (s′ ∈ Putl s (getl s′)⇒ s′′ ∈ Putl s (getl s′′)) get◦l ��s is deterministic and equal to the only possible put. LEASTGETPUT follows easily. 4 Criteria for composing least-change lenses Given two well-behaved least-change lenses f : S� Q U and g : Uv Q V , we will now discuss when can they be composed in order to obtain a well-behaved least-change lens g·f : S� Q V using the lens composition combinator (·) [FGM+07]: getg·f s = (getg·getf ) s putg·f s = (putf s)·(putg (get f s)) In general this is not true, because putg·f is not guaranteed to return minimal values. For instance, consider the following example depicting the forward transformations get f and getg, and where dist xi x j = |j−i| for both lenses: s1 get f // u1 getg // v1 s2 // u5 // v2 s9 // u2 99 Proc. BX 2013 8 / 19 ECEASST Consider the backward transformation of the view v2 over the original source s1 of the g·f lens: first, putg v2 (get f s1) = u2, since u2 is closer to u1 (the original intermediate U-view) than u5; then, putf s1 u2 = s9, since it is the only choice for u2. However, this is not the minimal result for the least-change lens g·f , since the source closest to s1 with view v2 is s2 rather than s9. Such issues occur because the U-view generated by the concrete putg selected from the range of valid ones may not result in a minimum S-view when passed through putf . We will see that in order to preserve LEASTPUTGET, the forward transformations will need to somehow preserve the preorders. To be more precise, the goal of this section is to analyze under which conditions LEASTPUTGET is preserved by composition, i.e.: ∀ s . putf s ⊆ get◦f ��s ∧∀ u . putg u ⊆ get ◦ g �vu ⇒∀ s . putg·f s ⊆ (getg·get f )◦ ��s The simplest condition for this to hold is for getg to be injective: since get ◦ g is deterministic, there is a unique valid putg, and thus there is no ambiguity in the choice. Proposition 6 If f : S� Q U and g : Uv Q V are well-behaved least-change lenses and getg is injective, then g·f : S Q� V is a well-behaved least-change lens. However, as the above counter-example also shows, having an injective get f is not enough to preserve LEASTPUTGET. Still, a sufficient condition on get f is for it to be strictly increasing between the preorders �s and vget f s: s1 ≺s s2 ⇒ (get f s1)@get f s (get f s2) A strictly increasing get f reads: if a source s1 is smaller than another source s2 (in distance to the original source s), then its view get f s1 shall be smaller than the view of s2 (in distance to the original view get f s). In point-free notation this can be expressed as follows: get f ·≺s ⊆ @get f s·get f STRICTINC In total preorders, we have s1 ≺s s2 ⇔¬ (s2 �s s1). As such, an equivalent formulation is: (get f s1)vget f s (get f s2)⇒ s1 �s s2 Proposition 7 If f : S� Q U and g : Uv Q V are well-behaved least-change lenses and get f is strictly increasing between �s and vget f s for every s ∈ S, then g·f : S Q� V is a well-behaved least-change lens. Unfortunately this requirement is too restrictive, as it forces get f to be injective, meaning that it cannot abstract information from the source. To help understand why composition succeeds when get f is strictly increasing, Figure 2 shows a possible configuration under this assumption. On the left subfigure, several values of type U spread over concentric circles according to their distance to a hypothetical center denoting get f s (and represented by a star). Similarly for the right subfigure, for values of type S and center s. x−1 denotes the pre-image of x under get f . In this case, we have a one-to-one correspondence since get f , being strictly increasing, must be injective. Another consequence of this property is that all values of U that are at the same distance from 9 / 19 Volume 57 (2013) Composing least-change lenses x y z w u v t x-1 y-1 z -1 w-1 u-1 v-1 t-1 getf Figure 2: Strictly increasing transformation get f s must have their pre-images at the same distance from s. Moreover, the relative distances to the center are preserved, in the sense that, for example, since y vget f s z then y −1 �s z−1. Now, consider the backward transformation, when putting back a given target in the original source s. Being well-behaved, putg will return one of the values that is closest to get f s, in this case either x, y or u; putf must return one of their pre-images which, due to the above assumptions, is guaranteed to be one of the closest to s, whatever choice is made by putg. While a strictly increasing get f suffices to guarantee that any composition g·f is also a well- behaved least-change lens, in order to attain a proper compositional language and be able to compose any sequence of transformations, this property must also be preserved by composition. Proposition 8 If two transformations get f : S� → U and getg : Uv → V are strictly increasing, then getg·get f : S� → V is also strictly increasing. A more interesting requirement is the following more relaxed version of STRICTINC, that does not imply injectivity: (∀ s3 . get f s2 = get f s3 ⇒ s1 ≺s s3)⇒ (get f s1)@get f s (get f s2) In point-free notation this is written (≺s /get f )·ρget f ⊆ get◦f ·@get f s QUASISTRICTINC Now a view get f s1 is required to be smaller than another view get f s2 only when s1 is smaller than all sources that map to the view of s2. An alternative formulation using the less than or equal orders is (get f s1)vget f s (get f s2)⇒ (∃ s3 . get f s1 = get f s3 ∧ s3 �s s2) or ρget f ·vget f s·get f ⊆ get f ·�s in the point-free notation. In other words, when a view v1 is smaller than or equal to another view v2 (in distance to a view get f s), then at least one source with view v1 is smaller than or equal to all the sources with view v2 (in distance to a source s). The Proc. BX 2013 10 / 19 ECEASST x-1 y-1 z-1 w-1 u-1 v-1 t-1 x y z w u v t getf Figure 3: Quasi strictly increasing transformation difference to STRICTINC can easily be seen in Figure 3. Now the pre-image of a target value can contain several sources at different distances from the center. Still, for targets at the same distance to get f s, the minimum values of their pre-images must all be at the same distance from s. Proposition 9 If f : S� Q U and g : Uv Q V are well-behaved least-change lenses and get f is quasi strictly increasing between �s and vget f s for every s ∈ S, then g· f : S Q� V is a well-behaved least-change lens. Figure 3 also helps understanding why this proposition holds. Again, putg is free to choose any value closest to get f s but, whatever the choice made, putg will always return one of the value closest to s. An example of a transformation that is not strictly increasing but is quasi strictly increasing is determining the size of a set, with the obvious distance measures (size of symmetric difference in the source and absolute value of the difference in the target). Unlike with strictly increasing transformations, the composition of two quasi strictly increasing transformations only remains so if get f is surjective. Proposition 10 If two transformations get f : S� → U and getg : Uv → V are quasi strictly increasing and get f is surjective, then getg·get f : S� → V is also quasi strictly increasing. In a lens framework requiring surjectivity is not a big drawback, since it is usually already required due to totality constraints [FGM+07, PC10]. An interesting class of lenses is that obtained from transformations with a perfect complement. A function cpl is said to be a complement of get if getM cpl is injective, i.e., any source can be losslessly represented as a view-complement pair. For view update translation under a constant complement, there is a unique source update for each view update [BS81]. A complement is said to be independent [KU84] when getM cpl is bijective, i.e., any pair corresponds to a source state. If a get has an independent complement (we call it perfect), then there exists a lens with a unique optimal put with perfect updatability, since it is possible to translate all view updates onto source updates while keeping the constant complement. Typical examples of transformations that fall 11 / 19 Volume 57 (2013) Composing least-change lenses under this category are tuple projections, whose perfect complement is exactly the information projected out. Having a perfect complement is not sufficient for a least-change lens to be composable. However, if get is strictly increasing among sources with the same complement, then it is also quasi strictly increasing, and thus can safely be composed. Proposition 11 If get f : S�→Uv has perfect complement and (get s1)vget s (get s2)∧cpl s1 = cpl s2 ⇒ s1 �s s2 for every s,s1,s2 ∈ S, then get f is quasi strictly increasing. Proving that a transformation is quasi strictly increasing is not trivial. This is an example of a useful class of transformations where such proof can be much simplified. Dually to the deterministic case, the necessary condition for two nondeterministic least-change lenses to be composable is the following: ∀ s . get◦f ��s ⊆ Putf s ∧∀ u . get ◦ g ��u ⊆ Putg u ⇒∀ s . (getg·get f )◦ ��s ⊆ Putg·f s Once again, an injective getg guarantees the compositionality. Proposition 12 If f : S� IQ U and g : Uv IQ V are well-behaved nondeterministic least-change lenses and getg is injective, then g·f : S� IQ V is a well-behaved nondeterministic least-change lens. Interestingly, the remaining laws that ensure nondeterministic compositionality are dual to those for the deterministic case: we can either reverse every law from R ⊆ S to S ⊆ R or, equivalently, replace every ≺s by �s. For example, instead of requiring get f to be strictly increasing it suffices to require it to be monotonic: s1 �s s2 ⇒ (get f s1)vget f s (get f s2) Remember that monotonicity reads the same way as the strictly increasing property, by simply replacing “smaller than” by “smaller than or equal to” in the text. An equivalent formulation in the opposite direction is: (get f s1)@get f s (get f s2)⇒ s1 ≺s s2 In the point-free notation we have get f ·�s ⊆ vget f s·get f MONOT Proposition 13 If f : S� IQ U and g : Uv IQ V are well-behaved nondeterministic least-change lenses and get f is surjective and monotonic between �s and vget f s for every s∈S, then g·f : S� IQ V is a well-behaved nondeterministic least-change lens. Unlike the strictly increasing property, monotonicity no longer implies that get f is injective. Unlike in Proposition 7, here we require get f to be surjective: note that surjectivity is the dual property of being deterministic, which get f always satisfies. Figure 4 helps understanding the differences between being strictly increasing and monotonic, and why this property ensures a Proc. BX 2013 12 / 19 ECEASST x-1 y-1 z-1 w-1 u-1 t-1 v-1 x y z w u v t getf Figure 4: Monotonic transformation well-behaved nondeterministic composition. Unlike in Figure 2, the pre-images of the values of type U at the same distance from get f s are allowed to be at different distances from s. However, we have the restriction that, for example, when y @get f s z then y −1 ≺s z−1, forcing the pre-images of targets at different distances from get f s to also be at different distances from s (respecting the relative orders). This ensures that when putg returns all values at the minimum distance from get f s, all sources at the minimum distance from s are contained in their pre-image. An interesting fact is that, unlike in total partial-orders, a strictly increasing transformation is not necessarily monotonic. This means that we can can have transformations whose composition is well-behaved in the deterministic scenario, but not well-behaved in the nondeterministic one. Figure 2 helps understanding why: even if putf returns all values closest to get f s, there is no chance for putf to return all values closest to s, since some of the pre-images closest to s originate from targets further away from get f s (namely, v and z). As with strictly increasing transformations, monotonicity is preserved by composition. Proposition 14 If two transformations get f : S� → U and getg : Uv → V are monotonic, then getg·get f : S� → V is also monotonic. Again, monotonicity can be relaxed to (∀ s3 . get f s2 = get f s3 ⇒ s1 �s s3)⇒ (get f s1)vget f s (get f s2) or with the point-free notation: (�s /get f )·ρget f ⊆ get◦f ·vget f s QUASIMONOT Quasi monotonicity states that if a source s1 is smaller than or equal to all the sources with view v (in distance to a source s), then its view get f s1 shall be at most v (in distance to a view get f s). Alternatively, when a view v1 is smaller than another view v2 (in distance to a view get f s), then at least one source with view v1 is smaller than all sources with view v2 (in distance to a source s): (get f s1)@get f s (get f s2)⇒ (∃ s3 . get f s1 = get f s3 ⇒ s3 ≺s s2) 13 / 19 Volume 57 (2013) Composing least-change lenses x y z w u v t x-1 y-1 z-1 w-1 t-1 v-1 u-1 getf Figure 5: Quasi monotonic transformation Proposition 15 If f : S� IQ U and g : Uv IQ V are well-behaved nondeterministic least-change lenses and get f is surjective and quasi monotonic between �s and vget f s for every s ∈ S, then g·f : S� IQ V is a well-behaved nondeterministic least-change lens. Figure 5 illustrates this property. The difference to monotonicity is that only the minimum pre-images of each target are required to respect the relative orders. This suffices for putf to able to return all closest sources to s given all closest targets to get f s. Likewise to quasi strictly increasing transformations, preservation of quasi monotonicity by composition requires the surjectivity of the first transformation. Proposition 16 If two transformations get f : S� → U and getg : Uv → V are quasi monotonic and get f is surjective, then getg·get f : S� → V is also quasi monotonic. Finally, regarding lenses with perfect complement, nondeterministic compositionality is ensured by a monotonic get among sources with the same complement, since this ensures that get is quasi monotonic. Proposition 17 If get f : S� → Uv has perfect complement and s1 �s s2 ∧ cpl s1 = cpl s2 ⇒ (get s1)vget s (get s2) for every s,s1,s2 ∈ S, then get f is quasi monotonic. 5 Related work Most modern BX languages (see references [FGM+07, BFP+08, PC10, HHI+10, HEO+11] among others) do not consider the difficult problem of minimizing view updates. In pioneering work, Meertens [Mee98] proposes a framework of constraint maintainers according to a “principle of least change” stating that the action taken by a transformation operation to restore a constraint should be minimal. He then proposes to formalize this notion by introducing a preorder on values and studies the construction of maintainers for particular constraints over sets. However, no Proc. BX 2013 14 / 19 ECEASST linguistic mechanisms to combine maintainers following the principle of least change, including composition, are proposed. Much existing work in the context of database view updating is concerned with, given a view function, deriving an update strategy that translates view updates into source updates according to some minimization criteria. [Heg04] introduces a notion of order on sources (�S) and on views (�V ) and postulates, among other properties, that view updating shall be order-compatible (get s �V v ⇒ s �S put s v). Note that his notion of order is only between two values of the same type (hence �S, for a type S), and the above property formalizes that if an updated view is at most an original view, then the updated source shall be at most the original source7. In the context of database tables, his particular orders imply the reflection of view insertions as source insertions, and similarly for deletions. He then establishes that, under particular conditions and for monotonic get functions, there is a unique translation of insertion and deletion view updates under a constant complement approach [BS81]. More recently, [JRW10] shows the connection between the constant complement update translators of [Heg04] and lenses, by demonstrating that they arise from very well-behaved lenses in a category of ordered sets. [Kel86] acknowledges the ambiguity of view-update translation for non-constant complement approaches (well-behaved lenses), and proposes an interactive algorithm that runs a dialog with the view programmer to choose a particular put function that obeys 5 minimization criteria. [LS91] claims that the view information is not sufficient to disambiguate view updates, and proposes to consider not only a dialog with the view programmer but also a dialog with the view user, obeying similar minimization criteria. Their minimization criteria can be seen as an order on sources and their algorithms as a nondeterministic least-change lens, whereas the dialog is an additional mechanism to allow choosing a minimal source from the various possible. Nevertheless, these approaches consider whole get functions and do not allow reasoning by composition. [BKT02] studies the complexity of minimizing view updates for a monotonic fragment of relational algebra, for two kinds of deletion and annotation updates, and conclude that this problem is NP-hard for queries including both projection-join or join-union. The authors consider two measures for minimality: first the number of changes in the source, and second the number of side effects in the view caused by the view update. Although our notion of order is more natural with the former measure (since the lens laws disallow view side effects), our framework of least-change lenses is general in the sense that it does not assume any particular order on states nor language of updates. Also, while they study the problem of inverting an individual lens in a minimal way, we consider the orthogonal problem of composing “minimized” lenses. In previous work [MPC12], we claim that nondeterminism is necessary to support non- surjective BX languages and propose a language of nondeterministic lenses whose put func- tions are the largest nondeterministic ones satisfying the BX laws. Nevertheless, as we noted in [MPC12], such nondeterminism needs to be controlled to be useful in practice and this paper proposes such an approach by selecting only the minimal values according to a known order. A solver-based bidirectional model transformation tool is proposed by [CREP10], that intro- duces the declarative JTL language inspired by a QVT-like syntax. A JTL BX is nondeterministic 7 These order-based lenses are significantly distinct from least-change lenses: our notion of order �s is “triangular”, as it relates two updated values according to their distance to an original value s, and our least-change properties entail that an updated source must be at most any other possible source with the same updated view. 15 / 19 Volume 57 (2013) Composing least-change lenses because: if a modified target model has a trace to a source model, such source model is modified, otherwise all possible source model candidates are returned. In a similar approach, we propose the bidirectionalization of QVT-Relational programs using the Alloy language [MC13]. A BX in our tool is a nondeterministic least-change maintainer that finds all possible source models that are at a minimal distance to the source (and vice-versa), according to user-specified distance metrics. Still, none of these languages nor the QVT standard support composition. Stevens [Ste10] argues that transformations should always be deterministic in order to be predictable for users, in the sense that users should not observe different results for similar executions. In our perspective, a certain degree of nondeterminism is inescapable in BXs, as predictability also requires allowing users to control the particular semantics of the transformations that the BX language is not able to capture. Notwithstanding, although we reason about composing nondeterministic lenses, we still agree that the final transformations should be deterministic, either by fixing a default choice or by providing a dialog-like mechanism to users. 6 Conclusions and future work In this paper, we have introduced a framework of least-change lenses that is characterized by two dual scenarios: a deterministic one that only requires that transformations return minimal updates, and a nondeterministic one that requires them to return all minimal updates. We have then presented several sufficient conditions that enable composition of least-change lenses. The properties for well-behavedness and for composition arise naturally from the duality between both scenarios, which has become apparent by formalizing them using the relational calculus notation. Our criteria are still not general enough to encompass least-change lenses we believe can be composed, although more relaxed criteria will most likely not be independent of the composed transformation, denying the advantages of a truly compositional approach. This issue raises the interesting question of completeness: is there a limit on the expressiveness of a least-change lens that can be composed safely with any other such lens? Our (still unproved) conjecture is that such limit is set precisely at quasi strictly increasing transformations for the deterministic scenario, and quasi monotonic transformations for the nondeterministic one. A problem with some of the proposed criteria is that it is also rather tedious (and unintuitive) to verify if a transformation satisfies them, and we are working on providing better intuitive explanations and proof methods to perform such task. For example, we expected our example transformation T1 to be quasi monotonic (with distance measures dist1 and dist2), but have found that such is not the case. We are currently investigating if other subtle redefinitions of dist1 and dist2, namely using distance functions to lexicographic orders, would satisfy any of the criteria. Our work shows the usefulness of nondeterminism in BXs, namely, by enabling a composi- tional approach for a wider class of transformations, but still supporting precise and predictable bidirectional laws. We advocate the principle of least change as a tool to trim down nondeter- minism to reasonable bounds. In contrast with traditional BX approaches, whose criteria for update translation (besides the regular well-behavedness laws) are usually vague or non-existent, least-change BXs come equipped with an order on sources plus least-change well-behavedness laws that constitute a formal and explicit documentation of the criteria used for update translation. Therefore, reimplementing existing BX approaches in our framework could bring to light their Proc. BX 2013 16 / 19 ECEASST underlying update translation semantics. To better suit that goal, we are studying if the composition of least-change lenses should be more flexible, by allowing different orders for different lenses over the same source type: one would write f : S Q� U to state that lens f is well-behaved for order �. By doing so, the order could specify more precisely the behavior of a lens, and given two least-change lenses f : S Q� U and g : U Qv V , an interesting research direction is to infer an order - such that g· f : S Q- V is a well-behaved least-change lens. Obviously, one could always default to the discrete metric referred in Section 2, but the goal would be to derive a more precise (i.e. more predictive) order. In the future we also intend to tackle other combinators to compose BXs besides sequential composition. For example, we are currently researching whether recursive patterns for algebraic data types (like folds or unfolds) can be used to build least-change lenses from simpler ones. A final interesting direction for future work would be to generalize our theory to symmetric BX frameworks like maintainers. We have modeled our framework in Alloy [Jac12], a lightweight formal specification language with support for automatic model finding via SAT solving. This model has proved very useful in the early stages of this research to rapidly explore and verify/discard different propositions8. Of course, such automatic verification is necessarily bounded, and full unbounded calculational proofs for all our propositions were then conducted in Isabelle/HOL [NPW12] proof assistant9. Acknowledgements This work is funded by ERDF - European Regional Development Fund through the COMPETE Programme (operational programme for competitiveness) and by national funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project FCOMP-01-0124-FEDER-020532. The first author is also sponsored by FCT grant SFRH/BD/69585/2010. Bibliography [BFP+08] A. Bohannon, J. N. Foster, B. C. Pierce, A. Pilkiewicz, A. Schmitt. Boomerang: resourceful lenses for string data. In POPL 2008. Pp. 407–419. ACM, 2008. [BKT02] P. Buneman, S. Khanna, W.-C. Tan. On propagation of deletions and annotations through views. In PODS 2002. Pp. 150–158. ACM, 2002. [BM97] R. Bird, O. de Moor. Algebra of Programming. Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1997. [BS81] F. Bancilhon, N. Spyratos. Update semantics of relational views. ACM T. Database Syst. 6(4):557–575, 1981. 8 The Alloy model can be downloaded from http://wiki.di.uminho.pt/twiki/pub/Research/ FATBIT/Publications/lc-lenses.als. 9 The Isabelle/HOL theory can be downloaded from http://wiki.di.uminho.pt/twiki/pub/Research/ FATBIT/Publications/lc-lenses.thy. 17 / 19 Volume 57 (2013) http://wiki.di.uminho.pt/twiki/pub/Research/FATBIT/Publications/lc-lenses.als http://wiki.di.uminho.pt/twiki/pub/Research/FATBIT/Publications/lc-lenses.als http://wiki.di.uminho.pt/twiki/pub/Research/FATBIT/Publications/lc-lenses.thy http://wiki.di.uminho.pt/twiki/pub/Research/FATBIT/Publications/lc-lenses.thy Composing least-change lenses [CREP10] A. Cicchetti, D. D. Ruscio, R. Eramo, A. Pierantonio. JTL: a bidirectional and change propagating transformation language. In SLE 2010. LNCS 6563, pp. 183–202. Springer, 2010. [Dis08] Z. Diskin. Algebraic models for bidirectional model synchronization. In MoDELS 2008. LNCS 5301, pp. 21–36. Springer, 2008. [FGM+07] J. Foster, M. Greenwald, J. Moore, B. Pierce, A. Schmitt. Combinators for bidirec- tional tree transformations: a linguistic approach to the view-update problem. ACM T. Progr. Lang. Sys. 29(3), 2007. [Fos09] J. Foster. Bidirectional Programming Languages. PhD thesis, University of Pennsyl- vania, December 2009. [Heg04] S. J. Hegner. An order-based theory of updates for closed database views. Annals of Mathematics and Artificial Intelligence 40:63–125, 2004. [HEO+11] F. Hermann, H. Ehrig, F. Orejas, K. Czarnecki, Z. Diskin, Y. Xiong. Correct- ness of model synchronization based on triple graph grammars. In MoDELS 2011. LNCS 6981, pp. 668–682. Springer, 2011. [HHI+10] S. Hidaka, Z. Hu, K. Inaba, H. Kato, K. Matsuda, K. Nakano. Bidirectionalizing graph transformations. In ICFP 2010. Pp. 205–216. ACM, 2010. [HPW11] M. Hofmann, B. Pierce, D. Wagner. Symmetric lenses. In POPL 2011. Pp. 371–384. ACM, 2011. [Jac12] D. Jackson. Software Abstractions: Logic, Language, and Analysis. MIT Press, London, England, revised edition, 2012. [JRW10] M. Johnson, R. Rosebrugh, R. Wood. Algebras and update strategies. Journal of Universal Computer Science 16(5):729–748, 2010. [Kel86] A. Keller. Choosing a view update translator by dialog at view definition time. In VLDB 1986. Pp. 467–474. Morgan Kaufmann Publishers, 1986. [KU84] A. Keller, J. D. Ullman. On complementary and independent mappings on databases. In SIGMOD 1984. Pp. 143–148. ACM, 1984. [LS91] J. A. Larson, A. P. Sheth. Updating relational views using knowledge at view defini- tion and view update time. Information Systems 16(2):145–168, 1991. [MC13] N. Macedo, A. Cunha. Implementing QVT-R bidirectional model transformations using Alloy. In FASE 2013. Volume 7793, pp. 297–311. 2013. [Mee98] L. Meertens. Designing constraint maintainers for user interaction. 1998. Manuscript available at http://www.kestrel.edu/home/people/meertens. [MO11] S.-C. Mu, J. N. Oliveira. Programming from Galois connections. In RAMiCS 2011. LNCS 6663, pp. 294–313. Springer, 2011. Proc. BX 2013 18 / 19 http://www. kestrel. edu/home/people/meertens ECEASST [MPC12] N. Macedo, H. Pacheco, A. Cunha. Relations as executable specifications: taming partiality and non-determinism using invariants. In RAMiCS 2012. LNCS 7560, pp. 146–161. Springer, 2012. [NPW12] T. Nipkow, L. C. Paulson, M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher- Order Logic. Springer, 2012. [Pac12] H. Pacheco. Bidirectional Data Transformation by Calculation. PhD thesis, Univer- sity of Minho, July 2012. [PC10] H. Pacheco, A. Cunha. Generic Point-free Lenses. In MPC 2010. LNCS 6120, pp. 331–352. Springer, 2010. [Ste10] P. Stevens. Bidirectional model transformations in QVT: semantic issues and open questions. Software and System Modeling 9(1):7–20, 2010. 19 / 19 Volume 57 (2013) Introduction Least-change lenses Deterministic least-change lenses Nondeterministic least-change lenses Formalizing least-change lenses in relational algebra Criteria for composing least-change lenses Related work Conclusions and future work