Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen
1378
Maurice Nivat (Ed.)
Foundations of Software Science and Computation Structures First International Conference, FoSSaCS'98 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS' 98 Lisbon, Portugal, March 28 - April 4, 1998 Proceedings
Springer
Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands
Volume Editor
Maurice Nivat
LITP, Université Paris 7
2, Place Jussieu, F-75251 Paris Cedex 05, France
E-mail: Maurice.Nivat@litp.liafa.jussieu.fr

Cataloging-in-Publication data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Foundations of software science and computation structures : first international conference ; proceedings / FoSSaCS '98, held as part of the Joint European Conferences on Theory and Practice of Software, ETAPS '98, Lisbon, Portugal, March 28 - April 4, 1998. Maurice Nivat (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa Clara ; Singapore ; Tokyo : Springer, 1998 (Lecture notes in computer science ; Vol. 1378)
ISBN 3-540-64300-1

CR Subject Classification (1991): F.3, F.4.2, F.1.1, D.3.3-4, D.2.1
ISSN 0302-9743
ISBN 3-540-64300-1 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1998
Printed in Germany
Typesetting: Camera-ready by author
SPIN 10631968 06/3142 - 5 4 3 2 1 0
Printed on acid-free paper
Foreword

The European conference situation in the general area of software science has long been considered unsatisfactory. A fairly large number of small and medium-sized conferences and workshops take place on an irregular basis, competing for high-quality contributions and for enough attendees to make them financially viable. Discussions aiming at a consolidation have been underway since at least 1992, with concrete planning beginning in summer 1994 and culminating in a public meeting at TAPSOFT'95 in Aarhus. On the basis of a broad consensus, it was decided to establish a single annual federated spring conference in the slot that was then occupied by TAPSOFT and CAAP/ESOP/CC, comprising a number of existing and new conferences and covering a spectrum from theory to practice.

ETAPS'98, the first instance of the European Joint Conferences on Theory and Practice of Software, is taking place this year in Lisbon. It comprises five conferences (FoSSaCS, FASE, ESOP, CC, TACAS), four workshops (ACoS, VISUAL, WADT, CMCS), seven invited lectures, and nine tutorials. The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and improvement. The languages, methodologies and tools which support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on one hand and soundly-based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive.

ETAPS is a natural development from its predecessors. It is a loose confederation in which each event retains its own identity, with a separate programme committee and independent proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronized parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures are reserved for "unifying" talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that have hitherto been addressed in separate meetings.

ETAPS'98 has been superbly organized by José Luis Fiadeiro and his team at the Department of Informatics of the University of Lisbon. The ETAPS steering committee has put considerable energy into planning for ETAPS'98 and its successors. Its current membership is:

André Arnold (Bordeaux), Egidio Astesiano (Genova), Jan Bergstra (Amsterdam), Ed Brinksma (Enschede), Rance Cleaveland (Raleigh), Pierpaolo Degano (Pisa), Hartmut Ehrig (Berlin), José Fiadeiro (Lisbon), Jean-Pierre Finance (Nancy), Marie-Claude Gaudel (Paris), Tibor Gyimothy (Szeged), Chris Hankin (London), Stefan Jähnichen (Berlin), Uwe Kastens (Paderborn), Paul Klint (Amsterdam), Kai Koskimies (Tampere), Tom Maibaum (London), Hanne Riis Nielson (Aarhus), Fernando Orejas (Barcelona), Don Sannella (Edinburgh, chair), Bernhard Steffen (Dortmund), Doaitse Swierstra (Utrecht), Wolfgang Thomas (Kiel)

Other people were influential in the early stages of planning, including Peter Mosses (Aarhus) and Reinhard Wilhelm (Saarbrücken).

ETAPS'98 has received generous sponsorship from:

Portugal Telecom
TAP Air Portugal
the Luso-American Development Foundation
the British Council
the EU programme "Training and Mobility of Researchers"
the University of Lisbon
the European Association for Theoretical Computer Science
the European Association for Programming Languages and Systems
the Gulbenkian Foundation

I would like to express my sincere gratitude to all of these people and organizations, and to José in particular, as well as to Springer-Verlag for agreeing to publish the ETAPS proceedings.

Edinburgh, January 1998

Donald Sannella
ETAPS Steering Committee chairman
Preface

The conference FoSSaCS, Foundations of Software Science and Computation Structures, was not created ex nihilo: for 20 years the same group of people has been organizing a conference called CAAP, Colloque sur les Arbres en Algèbre et en Programmation, whose French acronym is explained by the fact that it was created in France at Lille and held more frequently in France than in any other country. The last CAAP took place in Lille in April 1997. The fact that FoSSaCS appears as part of ETAPS, linked to conferences dedicated to more applied aspects of computer science, is not new either: every two years, CAAP used to join with the conference TAPSOFT, a conference on programming, to form a series of joint conferences which were initiated in Berlin and ended last year, also in Lille.

The reorganization which led to the new name FoSSaCS and the inclusion of FoSSaCS into ETAPS has been discussed at length by many people including a majority of past organizers and PC chairmen of the former CAAP. The idea which was eventually shared by all is that while remaining a conference for theorists and, say, mathematically trained and minded people, FoSSaCS should focus on the part of theoretical computer science that aims at modeling and understanding phenomena linked with the design and validation of software and describes and studies structures useful to run actual and effective computations. Our hope is that not only theoretical computer scientists find some interest in the present collection of 19 papers but also more applied ones. We hope that since participants in the various components of ETAPS will be gathered for one week in Lisbon, some who came for other conferences will listen to talks presented in FoSSaCS and some FoSSaCS participants will listen to talks in the other conferences.

Personally, as chairman of the program committee of FoSSaCS 1998, I would like to thank the PC members for agreeing to stand in the committee, for their evaluation work, and for helping to select these contributions from the 44 submitted papers. The discussion which led to this choice, which was also a discussion on what FoSSaCS should be and what kind of theories and formalisms are useful to software researchers and engineers, was a courteous, vigorous, and enriching one where each participant made use of good purely scientific arguments. Among the members of the PC, I wish to mention the special role played by André Arnold and Wolfgang Thomas, who are also the two theoreticians in the steering committee of ETAPS.

January 1998

Maurice Nivat
Table of Contents

Generalizing Domain Theory
Michael Mislove ... 1

A Cook's Tour of Equational Axiomatizations for Prefix Iteration
Luca Aceto, Wan Fokkink, and Anna Ingólfsdóttir ... 20

The WHILE Hierarchy of Program Schemes Is Infinite
Can Adam Albayrak and Thomas Noll ... 35

Analysis of a Guard Condition in Type Theory
Roberto M. Amadio and Solange Coupet-Grimal ... 48

An Event Structure Semantics of P/T Contextual Nets: Asymmetric Event Structures
Paolo Baldan, Andrea Corradini, and Ugo Montanari ... 63

Pumping Lemmas for Timed Automata
Danièle Beauquier ... 81

Asynchronous Observations of Processes
Michele Boreale, Rocco De Nicola, and Rosario Pugliese ... 95

Minor Searching, Normal Forms of Graph Relabelling: Two Applications Based on Enumerations by Graph Relabelling
Anne Bottreau and Yves Métivier ... 110

Partial Metrics and Co-continuous Valuations
Michael A. Bukatin and Svetlana Yu. Shorina ... 125

Mobile Ambients
Luca Cardelli and Andrew D. Gordon ... 140

Rational Term Rewriting
Andrea Corradini and Fabio Gadducci ... 156

The Appearance of Big Integers in Exact Real Arithmetic Based on Linear Fractional Transformations
Reinhold Heckmann ... 172

Net Refinement by Pullback Rewriting
Renate Klempien-Hinrichs ... 189

On Piecewise Testable, Starfree, and Recognizable Picture Languages
Oliver Matz ... 203

Functor Categories and Two-Level Languages
Eugenio Moggi ... 211

Deciding Properties for Message Sequence Charts
Anca Muscholl, Doron Peled, and Zhendong Su ... 226

The Church-Rosser Languages Are the Deterministic Variants of the Growing Context-Sensitive Languages
Gundula Niemann and Friedrich Otto ... 243

Deterministic Rational Transducers and Random Sequences
Sylvain Porrot, Max Dauchet, Bruno Durand, and Nikolai K. Vereshchagin ... 258

Resource Based Models for Asynchrony
Julian Rathke ... 273

Author Index ... 289
Generalizing Domain Theory

Michael Mislove*
Tulane University, New Orleans, LA 70118, USA
[email protected] http://www.math.tulane.edu/mislove.html
Abstract. Domain theory began in an attempt to provide mathematical models for high-level programming languages, an area where it has proved to be particularly useful. It is perhaps the most widely-used method for devising semantic models for such languages. This paper is a survey of some generalizations of domain theory that have arisen in efforts to solve related problems. In each case, a description is given of the problem and of the solution generalizing domain theory it inspired. The problems range from the relation of domain theory to other approaches for providing semantic models, particularly in process algebra, to issues surrounding the notion of a computational model, an approach inspired by the recent work of Abbas Edalat.
1 The Basics – How Domain Theory Began
This section is a brief outline of some of the “basic ingredients” of domain theory and the applications that inspired them.

1.1 In the beginning...
Domain theory began in an attempt by Dana Scott to find mathematical models for high-level programming languages. Upon his arrival in Oxford in the mid 1960s, Scott found Christopher Strachey and his colleagues at the Programming Research Group using the untyped lambda calculus of Church and Curry as a model for programming, something Scott found disturbing because he regarded it as a “formal and unmotivated” notation (cf. [11]). He thus set out to find alternative models for Strachey and his colleagues to use. Because programs can call other programs, and indeed, can even call themselves, Scott was led to consider objects X in some category or other which satisfy the property that they contain a copy of their space of selfmaps in the category. Of course, Cantor’s Lemma implies the only such objects in the category of sets and functions are degenerate (i.e., they consist of a single point), and so no such objects can be found there. But the reals have only as many continuous selfmaps as there are real numbers (because of their having a dense, countable subset on which all continuous selfmaps are completely determined), so it is potentially possible to find such objects X among topological spaces. While attempting to find appropriate models of partially defined maps, Scott realized there had to be T₀ spaces isomorphic to their space of continuous selfmaps, and he then constructed such an object in the category of algebraic lattices and so-called Scott continuous maps. In the years since Scott constructed the first model of the untyped lambda calculus, the nature of the construction has become much better understood, and it now is realized that very little of the machinery that is available in the category of algebraic lattices and Scott continuous maps actually is necessary for the construction. In fact, it now is understood that only directed complete partial orders are needed to carry out the construction. Remarkably, despite this much better understanding, the only known models of the calculus are within the category of such partial orders and Scott continuous functions. We now describe this setting.

* This work partially supported by the US Office of Naval Research.

M. Nivat (Ed.): FoSSaCS 98, © Springer-Verlag Berlin Heidelberg 1998, LNCS 1378, pp. 1–19, 1998.

1.2 Directed Complete Partial Orders
Let’s switch gears for a moment, and consider what we need to model a recursive process. If we are working within some language – let’s not worry about typing issues – and we are confronted with a term rec x.f(x), then the operational rule which allows us to understand this process is given by

    rec x.f(x) ↦ f[(rec x.f(x))/x].

This unwinding of recursion allows us to deduce that the recursive process rec x.f(x) actually should be a fixed point for the body of the recursion. In any case, if we are to model programs as functions, then the unwinding rule tells us the functions we are interested in must have fixed points. In fact, it would be nice if those fixed points were canonical in some sense, so that their choice is not arbitrary. This is what domain theory offers us.

To begin, a partial order (or poset) is a non-empty set P equipped with a reflexive, antisymmetric and transitive relation, usually denoted ⊑. A simple example is to take any non-empty set X and equip it with the discrete order, where x ⊑ y ⇔ x = y. A subset D ⊆ P of such a set is directed if every finite subset of D has an upper bound in D. In our example, the only directed subsets are the singleton sets. Finally, a partial order P is directed complete if every directed subset has a least upper bound in P. These are called dcpos. Clearly, discrete orders satisfy this condition, since the only directed subsets are singleton sets. A directed complete partial order which has a least element ⊥ (i.e., one which is below all other elements) is sometimes called a cpo. What is important about cpos is that monotone¹ selfmaps have least fixed points:

¹ A map f : P → Q is monotone if x ⊑ y ⟹ f(x) ⊑ f(y).
Theorem 1 (Tarski). A monotone mapping f : P → P of a cpo has a least fixed point, namely, FIX f = ⊔{f^α(⊥) | α ∈ Ord}. □

(Here, Ord stands for the class of ordinals.) Thus, a good place to seek models for recursion is within the category of cpos and monotone mappings. But, if we require our functions to preserve sups of directed sets, we can do better.

Definition 1. A mapping f : P → Q between dcpos is Scott continuous if f is monotone² and f preserves sups of directed sets: (∀D ⊆ P directed) f(⊔D) = ⊔f(D).

Corollary 1 (Scott). A Scott continuous selfmap f : P → P on a cpo has its least fixed point given by FIX f = ⊔{fⁿ(⊥) | n ∈ ℕ}. □

The category of directed complete partial orders and Scott continuous maps has many desirable properties – it is Cartesian closed, for example. We denote the family of continuous maps between (d)cpos P and Q by [P → Q]; this space becomes a dcpo when endowed with the pointwise order, in which

    f ⊑ g ⇔ f(x) ⊑ g(x) (∀x ∈ P).

The full subcategory whose objects are cpos also is Cartesian closed, and it is within these categories where one can find ample support for constructing denotational models of programming languages. We even can conclude more here. Since the least fixed point of a monotone or continuous selfmap always exists, assigning it as the meaning of a recursive process is in some sense canonical. In fact,

Theorem 2. The least fixed point operator Y: [P → P] → P, Yf = FIX f, is continuous. □

The implication here is that one has continuous fixed point operators of all orders, so modeling recursion at higher types can be done in the same way it is at the start. There is even a transfer principle available; it tells us that “fixed points are preserved” by certain operators:

Proposition 1. Let f : P → P and g : Q → Q be continuous selfmaps of cpos P and Q, and let h : P → Q also be a continuous strict³ map satisfying g ∘ h = h ∘ f. Then FIX g = h(FIX f). □

² This hypothesis is simply to guarantee that the image of a directed set in P is directed in Q.
³ By strict, we mean h takes the least element of P to the least element of Q.
The categories DCPO and CPO of directed complete partial orders (with least element in the second case) and Scott continuous maps thus enjoy several appealing properties. In addition to Cartesian closure, they also are closed under (arbitrary) products and direct sums. In addition, there is a closely-related adjunction. If CPO! denotes the category of cpos and strict Scott continuous maps, then the forgetful functor into DCPO has the lift functor as left adjoint; this functor adds a (new) least element to a dcpo P and extends a continuous mapping to the lifted domains to be strict.

1.3 The Myhill-Shepherdson Theorem
The results described so far make an appealing, if somewhat abstract, case for using domain theory to build models for programming languages – well, at least for modeling recursion. We now describe a result which puts more substance to this claim. Perhaps the most natural place to start to model programs is over the natural numbers. In order to invoke a domain-theoretic setting, we can endow N with the discrete order, and clearly we have a dcpo. Our interest is in using domain theory to model computable functions. Functions on N are mappings f : N → N, so we want to start with the cpo [N → N]. This is not quite right, either. Church’s thesis says the partial recursives are the computable functions, and so we should consider partial mappings f : N ⇀ N. Now, the family of such mappings – [N ⇀ N] – is a cpo under the extensional ordering:

    f ⊑ g ⇔ dom f ⊆ dom g & g|dom f = f.

Here, a directed family of partial mappings has for its supremum the union of the family. Two convenient facts are that any function from N to itself is monotone – even continuous – with respect to the discrete order, and the extensional order on the space of mappings between two discretely ordered sets is in fact the pointwise order. Thus, the partial mappings on N with the extensional order are just the partial mappings endowed with the pointwise order from the discrete order on N. But how do we distinguish the partial recursives from arbitrary partial selfmaps of N? A simple and very well-worn example shows how. Consider the factorial function

    Fac(n) = 1                  if n = 0,
             n · Fac(n − 1)     otherwise.

This leads us to define a functional F : [N ⇀ N] → [N ⇀ N] by

    F(f)(m) = 1                 if m = 0,
              m · f(m − 1)      if m > 0 and f(m − 1) is defined.

It is easy to show that this functional is continuous (it only needs to preserve increasing unions of partial functions), and that its least fixed point is the factorial. What is harder is the fact that the effective structure (in the sense of recursion theory) on N can be extended to one on [N ⇀ N] → [N ⇀ N] (using ideas from the next section – see [26] for details), and F can be shown to be effective with respect to this structure. This means F’s restriction to the partial recursives leaves them invariant; i.e., F(g) is partial recursive if g is. If we let [N ⇀ N]ₖ denote the computable mappings on the natural numbers (i.e., the partial recursives), the following says every effective operator on the partial recursives arises exactly in this way:

Theorem 3 (Myhill-Shepherdson). The effective operators on [N ⇀ N]ₖ are exactly the restrictions of the effective continuous functionals G : [N ⇀ N] → [N ⇀ N] to [N ⇀ N]ₖ. □
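The functional F and the Kleene chain of Corollary 1 can be run directly, which makes the approximation picture concrete: Fⁿ(∅) is a finite partial function, each stage extends the previous one in the extensional order, and no finite stage is the whole factorial. The following Python is an added example and not code from the paper. A finite partial function N ⇀ N is represented as a dict (these are the compact elements of [N ⇀ N]), `F` is the functional defined above, and `extends`, `kleene_chain`, `fix_approx` and `lfp_finite` are hypothetical helper names. The last function applies the same iteration to a constructed finite powerset lattice (reachability in a small graph), where the ascending chain must stabilise and the least fixed point is reached exactly rather than approximated.

```python
from typing import Callable, Dict, FrozenSet, List, TypeVar

Partial = Dict[int, int]   # finite partial function N ⇀ N; the compact elements of [N ⇀ N]
T = TypeVar("T")


def F(f: Partial) -> Partial:
    """The factorial functional from the text:
    F(f)(0) = 1, and F(f)(m) = m * f(m-1) exactly when f(m-1) is defined."""
    g: Partial = {0: 1}
    for x, y in f.items():          # every m = x+1 such that f(m-1) = f(x) is defined
        g[x + 1] = (x + 1) * y
    return g


def extends(f: Partial, g: Partial) -> bool:
    """The extensional order f ⊑ g: dom f ⊆ dom g and g agrees with f on dom f."""
    return all(x in g and g[x] == y for x, y in f.items())


def kleene_chain(functional: Callable[[T], T], bottom: T, n: int) -> List[T]:
    """⊥, F(⊥), F²(⊥), ..., Fⁿ(⊥): the ascending chain whose sup is FIX F (Corollary 1)."""
    chain = [bottom]
    for _ in range(n):
        chain.append(functional(chain[-1]))
    return chain


def fix_approx(functional: Callable[[Partial], Partial], n: int) -> Partial:
    """Fⁿ(∅), the n-th finite approximation to FIX F.  ∅ is the least partial
    function, so the chain starts from the empty dict; the union of all stages
    is the (total) factorial, but each individual stage is a finite function."""
    return kleene_chain(functional, {}, n)[-1]


def lfp_finite(f: Callable[[T], T], bottom: T) -> T:
    """Least fixed point of a monotone map on a finite cpo (Tarski, finite case).
    ⊥ ⊑ f(⊥) because ⊥ is least, and monotonicity then gives f(⊥) ⊑ f²(⊥) ⊑ ...;
    on a finite poset this ascending chain must stabilise, and where it stops
    is the least fixed point."""
    x = bottom
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


# Constructed finite example: the powerset of the node set, ordered by ⊆, is a
# finite cpo with ⊥ = ∅, and "add the successors of everything reached so far"
# is a monotone selfmap of it.  (Edge table is made up for the example.)
EDGES = {"start": {"a"}, "a": {"b"}, "b": {"a", "c"}, "c": set(), "isolated": {"start"}}


def reach_step(reached: FrozenSet[str]) -> FrozenSet[str]:
    return reached | {"start"} | frozenset(s for n in reached for s in EDGES[n])


def reachable_from_start() -> FrozenSet[str]:
    return lfp_finite(reach_step, frozenset())


if __name__ == "__main__":
    for i, g in enumerate(kleene_chain(F, {}, 5)):
        print(f"F^{i}(∅) = {g}")
    print("FIX reach_step =", sorted(reachable_from_start()))
```

The dict representation also shows why the finite functions are the compact elements: the stage Fⁿ(∅) is defined on {0, …, n−1} only, so any directed family whose union covers it must already contain a stage covering it.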
1.4 Algebraicity and Continuity
A second component of domain theory – apart from the ease with which one can model recursion – is that of approximation. The idea is illustrated by the Myhill-Shepherdson Theorem. For any continuous functional G : [N ⇀ N] → [N ⇀ N], the least fixed point is FIX G = ⊔{Gⁿ(∅) | n ∈ ℕ}, since ∅ is the least partial function. In case G is effective, each Gⁿ(∅) is a finite function. The finite functions play a special role in [N ⇀ N]: they are the compact elements.

Definition 2. An element k ∈ P in a dcpo is compact if k ⊑ ⊔D implies (∃d ∈ D) k ⊑ d for all directed subsets D ⊆ P. The set of compact elements of P is denoted K(P), and, for each x ∈ P, the set of compact elements below x is denoted K(x). Lastly, P is algebraic if K(x) is directed and x = ⊔K(x) for every x ∈ P.

Since any partial mapping f : N ⇀ N satisfies f = ⊔{f|X | X ⊆ dom f finite}, [N ⇀ N] is algebraic. The compact elements of an algebraic dcpo completely determine the dcpo, since each element of the dcpo is the directed supremum of the compact elements below it. This association can be made more precise. Indeed, if we call a subset I ⊆ Q of a partially ordered set an ideal if I = ↓I is a lower set which also is directed, then we have the association x ↦ K(x) : P → Idl K(P) which sends each element of P to the ideal of compact elements below it. This association is an isomorphism, where the inverse mapping simply sends an ideal to its supremum (which exists because P is a dcpo). Hence, P ≅ Idl K(P) for each algebraic dcpo P. This gives rise to an adjunction between the category ALG of algebraic dcpos and Scott continuous maps and the category POS of posets and monotone mappings. The right adjoint is the forgetful functor from ALG to POS, and the left adjoint is the ideal functor, which sends a partially ordered set to its family of ideals ordered under inclusion.

One of the important consequences of this adjunction is that each continuous mapping f : P → Q between algebraic dcpos is completely determined by the restriction of f to the compact elements of P, and, conversely, each monotone mapping f : K(P) → Q from the compact elements of P to any dcpo Q extends to a unique continuous map from P to Q.

All of this has an important extension. The motivating example is the unit interval, which has 0 as its only compact element. Yet there is a clear notion of approximation here: if x < y, then for a directed set to have its supremum above y, some element of the directed set must be above x.

Definition 3. The elements x, y ∈ P in a dcpo satisfy x ≪ y (read “x is relatively compact in y”) if y ⊑ ⊔D implies there is some d ∈ D with x ⊑ d, for all directed subsets D of P. The set of elements relatively compact in y is denoted ⇓y, and the dcpo P is called continuous if ⇓y is directed and y = ⊔⇓y for all y ∈ P.

An adjunction similar to the one between ALG and POS is available for continuous dcpos. It involves the notion of an abstract basis originally due to Smyth [21].

Definition 4. An abstract basis is a non-empty set X equipped with a transitive relation ≺ which satisfies the interpolation property:

    (∀y ∈ X)(∀M ⊆ X finite) M ≺ y ⇒ (∃x ∈ X) M ≺ x ≺ y.
A function f : X → Y between abstract bases is ideal if x ≺ y in X implies that {z ∈ Y | z ≺ f(x)} ⊆ {z ∈ Y | z ≺ f(y)}. For example, in any continuous dcpo P, the pair (P, ≪) is an abstract basis. Any abstract basis satisfies the property that the family of ideals (defined just as in the partially ordered set case) is a continuous dcpo under the inclusion order. The notion of an ideal mapping is designed precisely to capture those functions between abstract bases which extend to continuous mappings between their ideal completions. The following result generalizes the situation for algebraic domains.

Theorem 4 ([17]). The functor which associates to a continuous dcpo P the abstract basis (P, ≪) and to a continuous mapping f : P → Q the ideal mapping f(I) = {y ∈ Q | (∃z ∈ I) y ≪ f(z)} is right adjoint to the ideal functor which associates to an abstract basis its ideal completion and to an ideal mapping the associated continuous mapping on the space of ideals. □

Notes: This completes our rather cursory outline of domain theory. We have left out far more than we have included, but our intention is to provide only the barest of introductions to motivate the generalizations that we describe below. We have not made specific reference to any result. Except for the last results on continuous dcpos (which can be found in [2] for the most part), most of this is folklore now, and can be found in many places. Again, [2] is an excellent source for referencing most of these results. The last theorem, however, appears only in [17]. A survey of a number of the ideas presented here can be found in [18].
2 Continuous Posets
A rather successful approach to modeling concurrent computation was devised by the members of the Programming Research Group at Oxford using the language CSP. We briefly outline this approach below, with an eye toward finding the relationship between the CSP models and more standard ones from domain theory. In endeavoring to understand this relationship, it became clear that one of the fundamental principles of domain theory had to be relaxed in order to describe the CSP models in purely domain-theoretic terms. That fundamental property of dcpos is that they are directed complete: all directed subsets have least upper bounds. This property is crucial in assuring that all continuous selfmaps have (least) fixed points, yet describing the CSP models in domain-theoretic terms requires relaxing it. The model we focus on for this discussion is the failures model for CSP, which we now describe.

2.1 CSP and the Failures Model
CSP is a process algebra for reasoning about concurrent processes. It was originally devised by C. A. R. Hoare, and the first, definitive model for the language was presented in [3]. This is the so-called failures model, which models a process in terms of the communication events it can participate in (the traces of the process) together with the events it may refuse to participate in after a given trace (the so-called refusals). A syntax for CSP suitable for our purposes is given by the following BNF-like production rules:

    P ::= STOP | SKIP | a → P | P \ a | P ; P | P_A ∥_B P | P □ P | P ⊓ P | x | µx.P

In this syntax, STOP denotes immediate abnormal termination, while SKIP denotes immediate normal termination. The actions a range over a set Σ of atomic actions which denote communication events between processes; a → P is a process which first wishes to participate in the action a and then to act like process P. P \ a is the process P with all occurrences of the action a hidden from the environment (but they still occur, and as soon as they are offered). P ; P is the sequential composition of the two component processes; P_A ∥_B P is the process which has the two components synchronize on all actions in A ∩ B (A, B ⊆ Σ), but either branch is free to perform actions not in the intersection whenever it wishes. P □ P is the external choice of the two processes, in which the environment is allowed to decide which branch will be chosen on the first action only, while P ⊓ P is the internal choice of the branches, in which the machine decides. The term x denotes a process variable, and the last term is recursion.

The failures model for CSP as presented, e.g., in [3] gives a model for this language based on pairs (s, X), where s ∈ Σ* ∪ Σ*√ is a finite sequence of actions, possibly ending in the normal termination event √ ∉ Σ, and X ⊆ Σ is a set of refusals – events which the process may refuse to participate in after execution of s. The second component is needed in the model in order to distinguish internal and external choice. The failures model FM interprets each process as a set of such pairs, and the sets F that qualify to represent a process in CSP must satisfy the following conditions:

1. F ≠ ∅.
2. (s, X) ∈ F and t a prefix of s imply (t, ∅) ∈ F.
3. (s, X) ∈ F and Y ⊆ X imply (s, Y) ∈ F.
4. (s, X) ∈ F and (s⟨c⟩, ∅) ∉ F for all c ∈ Y ⊆ Σ finite imply (s, X ∪ Y) ∈ F.
The sets satisfying these conditions are called the failures model for CSP; it is shown in [3] that they form a complete inf-semilattice. This structure is used as the basis for showing this family of sets can be endowed with operations corresponding to each of the CSP operators. This allows an interpretation of CSP in the set of subsets of (Σ* ∪ Σ*√) × P(Σ) satisfying 1) – 4) – i.e., it provides the ingredients to show the family FM is a denotational model for CSP. The order on the failures model is reverse containment on sets. So, the smaller the set, the higher it is in the order. Because the inf-operation is used to model nondeterminism, the order on the model is the order of nondeterminism – the higher a set, the more deterministic the process it represents. In fact, the maximal elements of the model are the deterministic processes. These have the property that they cannot be refined by any other process. The order on the model also is used to model recursion, just as in the case of cpos. All the operators from CSP are modeled by operations on the model that are continuous with respect to reverse inclusion, and so Scott’s corollary to Tarski’s Theorem implies that each of the recursive processes can be modeled as the least fixed point of a continuous operator on the model.
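Conditions 1) – 4), the reverse-containment order and the role of refusals in separating internal from external choice can all be checked mechanically on finite processes. The following Python is an added example, not code from the paper or from any CSP tool. `SIGMA` is a constructed two-event alphabet, a trace is a tuple of event names, a refusal set is a frozenset, and the operator definitions follow the failures model of [3] for STOP, prefixing, internal and external choice only (hiding, sequencing, parallel composition and the termination event √ are left out to keep the example small). All function names are hypothetical.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, Set, Tuple

Trace = Tuple[str, ...]
Failure = Tuple[Trace, FrozenSet[str]]
Failures = Set[Failure]

SIGMA: FrozenSet[str] = frozenset({"a", "b"})   # constructed alphabet Σ


def subsets(s: Iterable[str]):
    """All subsets of a finite set, as frozensets."""
    items = sorted(s)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]


def is_failure_set(F: Failures, sigma: FrozenSet[str] = SIGMA) -> bool:
    """Conditions 1-4 of the failures model, for a finite alphabet."""
    if not F:                                           # 1. F ≠ ∅
        return False
    traces = {s for s, _ in F}
    for s, X in F:
        if any((s[:i], frozenset()) not in F for i in range(len(s) + 1)):
            return False                                # 2. traces are prefix-closed
        if any((s, Y) not in F for Y in subsets(X)):
            return False                                # 3. refusals are closed under ⊆
        # 4. events that cannot happen after s may be added to any refusal set;
        #    given condition 3 it is enough to add all of them at once.
        impossible = frozenset(c for c in sigma if s + (c,) not in traces)
        if (s, X | impossible) not in F:
            return False
    return True


def STOP(sigma: FrozenSet[str] = SIGMA) -> Failures:
    """STOP performs nothing, so after ⟨⟩ it may refuse every X ⊆ Σ."""
    return {((), X) for X in subsets(sigma)}


def prefix(a: str, P: Failures, sigma: FrozenSet[str] = SIGMA) -> Failures:
    """a → P: initially refuses exactly the sets not containing a, then behaves as P."""
    initial = {((), X) for X in subsets(sigma) if a not in X}
    return initial | {((a,) + s, X) for s, X in P}


def internal_choice(P: Failures, Q: Failures) -> Failures:
    """P ⊓ Q: the machine chooses, so every failure of either branch is possible."""
    return P | Q


def external_choice(P: Failures, Q: Failures) -> Failures:
    """P □ Q: before the first event a set is refused only if both branches refuse
    it; once an event has happened, the branch that performed it determines the rest."""
    return {(s, X) for s, X in P & Q if s == ()} | {(s, X) for s, X in P | Q if s != ()}


def refines(spec: Failures, impl: Failures) -> bool:
    """spec ⊑ impl in the model order (reverse containment): impl has no failure that
    spec lacks.  The smaller set is the more deterministic, hence higher, process."""
    return impl <= spec


def is_deterministic(P: Failures) -> bool:
    """A deterministic process never refuses an event it could actually perform next;
    these are the maximal elements of the model."""
    traces = {s for s, _ in P}
    return all(s + (c,) not in traces for s, X in P for c in X)


A_THEN_STOP = prefix("a", STOP())
B_THEN_STOP = prefix("b", STOP())
EXT = external_choice(A_THEN_STOP, B_THEN_STOP)   # (a → STOP) □ (b → STOP)
INT = internal_choice(A_THEN_STOP, B_THEN_STOP)   # (a → STOP) ⊓ (b → STOP)

if __name__ == "__main__":
    for name, P in [("STOP", STOP()), ("a → STOP", A_THEN_STOP), ("□", EXT), ("⊓", INT)]:
        print(f"{name:9s} conditions 1-4: {is_failure_set(P)}  deterministic: {is_deterministic(P)}")
    print("⊓ may refuse {a} initially:", ((), frozenset({"a"})) in INT)
    print("□ may refuse {a} initially:", ((), frozenset({"a"})) in EXT)
    print("□ refines ⊓:", refines(INT, EXT), "  ⊓ refines □:", refines(EXT, INT))
```

The two choice processes have identical traces ({⟨⟩, ⟨a⟩, ⟨b⟩}); only the refusal (⟨⟩, {a}) separates them, which is the point made above about why the second component is needed. Because F(P □ Q) ⊆ F(P ⊓ Q), the external choice sits above the internal one in the reverse-containment order and is the deterministic, hence maximal, process.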
2.2 The Failures Model as Closed Sets
All of the above indicates that the failures model is a cpo (the least element of the model is the set CHAOS = {(s, X) | s ∈ Σ* ∪ Σ*√ & X ⊆ Σ}). But the construction is far from “standard”, and it is unclear what relationship this model has to languages other than CSP. The work in [15] resulted from an effort to better understand this relationship. The analysis relies on a closer scrutiny of the properties that define failures sets. The first three conditions imply that the sets F that qualify as process meanings are lower sets from some related partial order, and it was this idea that led to a realization that the conditions listed actually describe certain closed sets from a partial order. By closed, we mean closed with respect to the Scott topology, which we now define. But notice that we relax the situation somewhat, and consider any partial order, not just ones that are directed complete. This is because the partial order that gives rise to the failures model is not directed complete.
Definition 5. Let P be a partially ordered set. A subset U ⊆ P is Scott open if
1. U = ↑U = {y ∈ P | (∃x ∈ U) x ⊑ y} is an upper set in P, and
2. ⊔D ∈ U ⟹ D ∩ U ≠ ∅ for all directed subsets D of P whose supremum exists.

It is routine to show that the Scott open sets on any partial order are closed under finite intersections and arbitrary unions, so they do indeed form a topology. This topology is always T₀, which means distinct points can be separated by some open set (containing exactly one of them), but the topology is Hausdorff if and only if the partial order is the discrete order. What is more, the functions we defined earlier as being Scott continuous are in fact exactly those that are continuous with respect to this topology. The Scott closed sets are those whose complements are Scott open, and since we have a description of the latter, we can derive the following characterization of the former.

Proposition 2. X ⊆ P is Scott closed if and only if
1. X = ↓X is a lower set in P, and
2. D ⊆ X directed implies ⊔D ∈ X whenever ⊔D exists. □
Notice that a corollary of this result is that the closure of a point x ∈ P is ↓x, the principal lower set x defines. This is what makes Scott-closed sets an appealing model for concurrent computation – in the traces setting, they naturally include the history of a process since they are lower sets. As with any topological space, the family of Scott closed sets forms a complete Brouwerian lattice under containment (cf. [11]). But in the case of an algebraic or continuous poset⁴, we can say a lot more. Indeed, in this case, the family of Scott-closed sets forms a completely distributive, hence continuous lattice. If the underlying poset P is algebraic, then the family of Scott-closed sets is in fact completely distributive and algebraic, which in turn implies it forms a complete ring of sets. Finally, the relation X ≪ Y on the family of Scott-closed sets is completely determined by that of P, and the compact elements in the Scott-closed sets are exactly the closed sets generated by finite sets of compact elements of P. In particular, the family of non-empty Scott-closed subsets of a continuous (resp., algebraic) dcpo is a continuous (resp., algebraic) dcpo semilattice (under union) whose relative compactness relation is completely determined by that of the underlying poset. Moreover, in the case P is algebraic, this family is an algebraic dcpo under reverse containment as well, and the compact elements here are the sets of the form P \ (↑F) as F ⊆ K(P) ranges over the non-empty finite sets of compact elements of P. What all this has to do with CSP and the failures model is explained by the following:

⁴ By a continuous poset we mean a partial order P in which ⇓y is directed and y = ⊔⇓y for all y ∈ P; P is an algebraic poset if K(y) is directed and y = ⊔K(y) for all y ∈ P. The point is that we no longer require P to be directed complete.
Example 1. Consider the set PF = {(s, X) | s ∈ Σ* ∪ Σ*√ & X ⊆ Σ}. We define a partial order on PF by
(s, X) ⊑ (t, Y) ⟺ (s < t & X = ∅) ∨ (s = t & X ⊆ Y).
It is routine to show this is a partial order, and it also is easy to see that the pairs (s, X) with X finite are compact in this order. Hence PF is an algebraic poset.

Theorem 5 ([15]). The failures model consists of Scott-closed sets from the algebraic poset PF, and this family is closed in the family of all Scott-closed sets under filtered intersections. Each of the operators from CSP gives rise to an operation on all the Scott-closed sets that is continuous with respect to usual containment, and all but the hiding operator give rise to operations that are continuous with respect to reverse containment. □

The point to note here is that it is the hiding operator that “causes all the problems” with the failures model. More to the point, the approach adopted with the failures model was to use the order of nondeterminism to model a certain type of partial correctness – namely, that deadlock or divergence is catastrophic. That decision required a model in which all the operators are continuous with respect to reverse set containment, and since hiding is the only operation which doesn’t satisfy this property on all Scott-closed sets, it is the reason for the condition 4) in the definition of the sets that comprise the model. In other words, if one were to seek a model for CSP without hiding, then all the Scott closed sets of the poset PF could be used.
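To make the order on PF and the lower-set condition of Proposition 2 concrete, here is an added Python example; it is not code from the paper. It implements ⊑ on PF over a constructed two-event alphabet, computes the principal lower set ↓(s, X) (finite exactly when X is finite, which is why such pairs are compact), and checks whether a finite set of failures is a lower set, the first of the conditions on failures sets. The process a → STOP and the helper names (prefix_process, is_lower_set) are constructed for the example.

```python
from itertools import combinations

# Constructed example: the poset PF of failures over a two-event alphabet.
# A trace is a tuple of events, possibly ending in the tick √; a refusal is a frozenset.
SIGMA = frozenset({"a", "b"})
TICK = "√"

def subsets(X):
    X = sorted(X)
    return [frozenset(c) for r in range(len(X) + 1) for c in combinations(X, r)]

def proper_prefix(s, t):
    """s < t: s is a strict prefix of t."""
    return len(s) < len(t) and t[:len(s)] == s

def below(p, q):
    """(s, X) ⊑ (t, Y)  iff  (s < t and X = ∅) or (s = t and X ⊆ Y)   (Example 1)."""
    (s, X), (t, Y) = p, q
    return (proper_prefix(s, t) and not X) or (s == t and X <= Y)

def principal_lower_set(p):
    """↓(s, X): every failure below (s, X). Finite whenever X is finite."""
    s, X = p
    shorter = {(s[:i], frozenset()) for i in range(len(s))}   # strict prefixes, empty refusal
    return shorter | {(s, Y) for Y in subsets(X)}             # same trace, smaller refusals

def down_closure(F):
    return set().union(*(principal_lower_set(p) for p in F))

def is_lower_set(F):
    """The first condition on a failures set: F = ↓F."""
    return down_closure(F) <= set(F)

def prefix_process(events):
    """Failures of e1 → e2 → ... → STOP over SIGMA (constructed): before each event ei the
    process refuses any set not containing ei; after the last event it refuses everything."""
    F = set()
    for i, e in enumerate(events):
        F |= {(tuple(events[:i]), X) for X in subsets(SIGMA - {e})}
    F |= {(tuple(events), X) for X in subsets(SIGMA)}
    return F
```

Dropping the failure (⟨⟩, ∅) from the failures of a → STOP leaves a set that is no longer a lower set; taking the down closure restores it. The same check, run on a candidate failures set, is the cheapest way to see that a proposed process meaning violates the first condition of the model.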
3 Local Cpos
From the outset, computation has viewed sequential composition as the “most primitive” operation. When the issue of modeling concurrent computation arose, the reaction was to devise models for nondeterminism using subset-like constructions, and then to model parallel composition in terms of sequential composition and nondeterministic choice. As described in [12], three distinct models for nondeterministic choice emerged in domain theory – the so-called power domains. These three constructs were first defined in terms of ideal completions of three distinct orders that can be defined on the finite subsets of the set K(P) of compact elements of the underlying domain P. This works for any algebraic dcpo, but more restrictive domains allow for alternative descriptions of these constructions. As described in [22], coherent domains (i.e., those algebraic cpos for which the intersection of any finite family of Scott compact upper sets is again compact in the Scott topology) allow the three power domains to be described in completely topological terms:
– The lower power domain is the family of non-empty Scott-closed subsets of the underlying domain equipped with the usual order, and with union as the nondeterministic choice operation. This family is the free sup-semilattice cpo over P.
– The upper power domain is the family of non-empty Scott compact upper sets from P, again with union as the operation, but this time under the reverse containment order. This family is the free inf-semilattice cpo over P.
– The convex power domain is the family of non-empty order-convex subsets X = ↑X ∩ ↓X of P whose lower set ↓X is Scott closed and whose upper set ↑X is Scott compact. The operation is the convex hull of the union: (X, Y) ↦ ↓(X ∪ Y) ∩ ↑(X ∪ Y), and the order is the Egli-Milner order: X ⊑ Y ⇔ X ⊆ ↓Y & Y ⊆ ↑X. This family is the free semilattice cpo over P.

Each of these constructions produces a coherent domain from an underlying coherent domain; these are the more-or-less standard constructions for modeling nondeterministic choice within domain theory. Each construct allows operations (such as sequential composition) defined on the underlying domain P to be extended to the power domain. But, these extended operations all distribute over the nondeterministic choice operation, and so modeling bisimulation requires the additional step of solving a domain equation defined in terms of the convex power domain (cf. [1]). All of the above applies to bounded nondeterminism, but unbounded nondeterminism also is useful, especially for specification. For example, consider a process-algebraic setting in which one wants to specify a process that can participate in any finite number of a given action, say a, but which is not supposed to participate in infinitely many a’s. This requires distinguishing the process ⊓_{n∈N} (a^n → STOP) from the process (⊓_{n∈N} (a^n → STOP)) ⊓ a^∞. But, these two processes must be identified in any of the models described above, and so we have to generalize domain theory and power domains in order to allow these processes to be distinguished. In [24], an approach to modeling unbounded nondeterminism in CSP was presented.
This approach added a new component to the meaning of each process – the infinite traces that a process could execute. By actually listing these traces, it became possible to distinguish a process that could execute an infinite trace from one which couldn’t. But the resulting model was no longer a dcpo. Moreover, some selfmaps of the model no longer were continuous, and some of those that were didn’t have any fixed points, let alone least ones. The point is that the new model was not a dcpo. The question then became how to make sure all the processes that could be meanings of recursive CSP processes in this setting actually had well-defined meanings. In other words, the question became one of how to assure that the recursive terms from CSP had meanings given by least fixed points in this new model. The solution that was found was quite inventive. It amounted to using the fact that the model U for unbounded nondeterminism naturally contained a model for CSP with bounded nondeterminism – i.e., a copy of the failures-divergences
model FD [4]. This was obtained by sending each CSP process to its meaning in FD together with those infinite traces that the process could execute, and this gave an embedding of FD within U “at the top”: any element of U is the infimum of those elements in FD that are above it. This provided a cpo “at the top” of U, which in turn proved crucial for deriving the results that were needed to show that U actually could serve as a model for unbounded nondeterminism in CSP. The heart of the proof presented in [24] amounts to showing that each of the operations on U from CSP has a corresponding operation on FD from CSP with bounded nondeterminism that “dominates” it in the pointwise order. In terms of selfmaps of the model, the dominating operation leaves FD invariant (as it sits in U). As a result, each term from CSP with bounded nondeterminism has a least fixed point on this submodel, and this fixed point is a pre-fixed point for any corresponding term on U that is dominated by the original term from CSP. But a pre-fixed point for a monotone mapping is all that is necessary to assure the mapping has a least fixed point provided each element of the model satisfies the property that its lower set is a cpo. This indeed is the case, and this is how it is shown that each term from CSP with unbounded nondeterminism actually has a least fixed point on U. We now present a more general description of these results that also is more precise. Inspired by the work in [24] and by related work in [25] on unbounded nondeterminism for Timed CSP, an effort was made to find an underlying mathematical principle for the results that were obtained in these two papers. The resulting principle turned out to be remarkably simple. It hinged on two main ideas:
– the notion of a local cpo, and
– a dominated fixed point theorem.

Definition 6. A partial order P is a local cpo if ↓x is a cpo for each x ∈ P.
Clearly any cpo is a local cpo, but there are local cpos which are not directed complete. For example, consider (N, ≤), the natural numbers in the usual order – the lower set of each point is finite, but N has no upper bound. This is not exactly the example we have in mind for modeling unbounded nondeterminism, however. The dominated fixed point theorem can then be stated as follows:

Theorem 6 (Dominated Fixed Point Theorem [19]). Let P be a local cpo and E a space for which there is a mapping ι: E → P. Suppose that f: P → P is monotone and satisfies the property that there is some mapping F: E → E with f ∘ ι ⊑ ι ∘ F. If F has a fixed point in E, then f has a least fixed point in P. □

The proof of this result is straightforward. One only has to note that a fixed point x = F(x) for F satisfies: ι(x) is a pre-fixed point for f, since f(ι(x)) ⊑ ι(F(x)) = ι(x) by the hypothesis of the Theorem. Thus f: ↓ι(x) → ↓ι(x), and this set is a cpo as P is a local cpo. Hence f has a least fixed point by Tarski’s Theorem.
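As an added illustration of how the Dominated Fixed Point Theorem works on a local cpo that is not a cpo (this is example code, not from the paper or from [19]), the following Python takes P = E = N with ι the identity, a constructed monotone f, and a constructed dominating F = max(·, 5) with fixed point 5, and then runs Tarski iteration from ⊥ = 0 inside ↓ι(5) = {0, …, 5}, which is finite and hence a cpo even though N itself has no top. The names f, F, dominated_lfp and lfp_in_lower_set are constructed for the example.

```python
def lfp_in_lower_set(f, x, bottom=0, le=lambda a, b: a <= b):
    """Tarski iteration for a monotone f on ↓x, assuming f(x) ⊑ x and that ↓x is a cpo.
    Here P = N, so ↓x = {0, ..., x} is finite and the chain f^n(⊥) must stabilise."""
    if not le(f(x), x):
        raise ValueError("x is not a pre-fixed point of f, so f need not map ↓x into itself")
    y = bottom
    while True:
        z = f(y)
        assert le(y, z) and le(z, x)   # the chain stays ascending and inside ↓x
        if z == y:
            return y
        y = z

def dominated_lfp(f, F, iota, e, le=lambda a, b: a <= b):
    """Dominated Fixed Point Theorem: F(e) = e and f∘ι ⊑ ι∘F give f(ι(e)) ⊑ ι(F(e)) = ι(e),
    so ι(e) is a pre-fixed point of f and Tarski's theorem applies on ↓ι(e)."""
    if F(e) != e:
        raise ValueError("e is not a fixed point of F")
    x = iota(e)
    if not le(f(x), iota(F(e))):
        raise ValueError("domination f∘ι ⊑ ι∘F fails at e")
    return lfp_in_lower_set(f, x, le=le)

# Constructed example on the local cpo (N, ≤), which is not directed complete.
def f(n):
    """Monotone on N; f(4) = 4 and f(n) > n for n < 4, so the least fixed point is 4."""
    return (n + 1) // 2 + 2

def F(n):
    """Dominates f pointwise: f(n) ≤ max(n, 5) for every n, and F(5) = 5."""
    return max(n, 5)

def identity(n):
    return n

def least_fixed_point_example():
    return dominated_lfp(f, F, identity, 5)

def runaway_example():
    """f(n) = n + 1 is monotone on N but has no fixed point and no pre-fixed point, so the
    theorem's hypothesis cannot be met; the iteration is refused rather than running forever."""
    try:
        return lfp_in_lower_set(lambda n: n + 1, 10)
    except ValueError:
        return None
```

The point the code makes is that nothing about N as a whole is used: the only completeness needed is that of the single lower set ↓ι(e) selected by the fixed point of the dominating map.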
In [19] it is shown how this result provides the common mathematical underpinning for the models for unbounded nondeterminism in Timed and untimed CSP. In the former case, the space E is one of the metric space models for Timed CSP with bounded nondeterminism devised by Reed and Roscoe [23], and in the latter, the space E is the failures-divergences model for untimed CSP with bounded nondeterminism. One result of [19] was the internalization of the fixed point theory for recursive process meanings in each model; in the first approach devised by Roscoe for untimed CSP, an operational model for unbounded nondeterminism and a congruence theorem were used to justify the existence of meanings for each recursive process; of course, this still is needed to validate that the fixed point meanings defined in the model are the operationally correct ones. Another result of [19] was the realization that the work done in [24] to show that each process meaning in the model is the infimum of meanings that lie in the subspace E (which is a cpo) is not needed. It is enough to know that each mapping for which a least fixed point is required has a dominating mapping on E in the sense of the Dominated Fixed Point Theorem.

As outlined above, for coherent domains, the three power domains are each describable in topological terms. But more generally, they can be defined for any algebraic dcpo in terms of the family of non-empty finite subsets of the set of compact elements of the underlying dcpo. For example, the lower power domain is the ideal completion of the family of non-empty subsets of K(P) under the quasiorder F ⊑ G ⇔ F ⊆ ↓G. Similarly, the upper power domain is the ideal completion of the same family, but endowed with the quasiorder F ⊑ G ⇔ G ⊆ ↑F. In both of these cases, union defines a monotone operation which extends to the ideal completions to define the meaning of nondeterministic choice.
Finally, the convex power domain is the ideal completion of the same family, this time ordered by the common refinement of these two quasiorders. In [16], an attempt was made to develop a general theory for modeling unbounded nondeterminism in a domain-theoretic setting based on the results just described. In fact, the goal of that work was to devise analogues for each of the power domains for unbounded nondeterminism. The point of departure was the assumption that the underlying model for sequential composition – P – embeds in the model for unbounded nondeterminism so that elements of P are “free” with respect to unbounded nondeterminism. More precisely, the underlying assumption is that a ⋢ ⊓X if a ∉ ↓X for any subset X ⊆ P. This assumption is what is required if one wants to distinguish processes such as ⊓_{n∈N} (a^n → STOP) from (⊓_{n∈N} (a^n → STOP)) ⊓ a^∞. We now describe the results obtained. First, it was found that there is no analogue to the lower power domain. The reason is that the order of nondeterminism (x ⊑ y ⇔ x ⊓ y = x) corresponds to the order used to model recursion as least fixed points in any analogue to the lower power domain, so any element that dominates all of the terms a^n → STOP also must dominate a^∞. On the other hand, it was shown that there is an analogue to the upper power domain. This is possible because, in the setting of the upper power domain, the order of nondeterminism is opposite to the order of recursion. The model in question is defined simply as the family of all non-empty upper sets {X | ∅ ≠ X = ↑X ⊆ P} of the underlying domain P with union as the operation. It was shown in [16] that one could construct a Cartesian closed category of local cpos and monotone mappings having least fixed points (via the Dominated Fixed Point Theorem) which is closed under this construction of an unbounded upper power space. By the way, this is the abstract analogue of the model devised to model unbounded nondeterminism for untimed and Timed CSP. Finally, an open question is whether there is an analogue for the convex power domain in this setting. In [16] an example is provided which shows that the analogue for the upper power space just described will not work: it is shown there that the family of all non-empty order-convex subsets of the underlying domain P is not a local cpo in general. (Unfortunately, more is claimed there – that there is no such model – but that claim remains unsettled.) It would be nice to know if this family can be completed into a local cpo which then could serve as the desired model for unbounded nondeterminism. Readers familiar with Plotkin’s work on countable nondeterminism [20] may wonder about the relationship between that work and what has been described here from [16]. Plotkin’s approach was to weaken the continuity properties of the maps under consideration – instead of being continuous, they are only ℵ1-continuous (so that they preserve sups of directed sets of less than ℵ1 cardinality). Plotkin shows there is a free object supporting countable sums within the category of ℵ1-complete objects and ℵ1-continuous maps. This is not at odds with our results, since we studied objects which are not assumed to be directed complete for any cardinality of directed subsets, and the maps we consider are only monotone, and do not satisfy any stronger continuity properties.
Our approach is justified by the work in [24,25] which shows that these hypotheses are as strong as can be invoked, at least in the CSP setting.
4 Computational Models
So far the generalizations we have described have been inspired by work in process algebra. In this section, we focus on another area of application of domain theory – models of computation. In the early and mid-1990s, Abbas Edalat began producing a number of striking applications of domain theory to areas of mathematics and computation. These began with an application showing how domain theory could provide a simpler approach to modeling fractals and iterated function systems [5], even providing new algorithms for computing these objects. There followed applications to neural networks [6], and then to integration [7]. This last was notable because it showed how domain theory could be used to devise a new approach to Riemann integration in which the focus shifted from varying the function being integrated to varying measures which approximate Riemann measure, thus allowing domain theory to define the integral. Most recently, Edalat has continued his work by developing real PCF, which contains a real numbers datatype, along with efficient algorithms for exact computations in this datatype using continued fractions [10].
In all of this work, an emerging theme has been modeling topological spaces in domain theory, thus allowing the approximation theory of domains to be applied to problems in this setting. A focal point then becomes the question of which topological spaces admit computational (i.e., domain-theoretic) models. The precise statement is: Which topological spaces can be embedded as the set of maximal elements in a domain? An initial answer was provided by Lawson [13] who showed that any Polish space (complete, separable metric space) can be so represented. Shortly thereafter, Edalat and Heckmann [9] produced the formal ball model which shows that any metric space can be embedded as the space of maximal elements in a continuous poset. The model is the family of all pairs {(x, r) | x ∈ X & r ≥ 0} under the order (x, r) ⊑ (y, s) ⟺ d(x, y) < r − s. Moreover, they show that the model is a continuous poset whose completion (as described in Section 2) has the completion of the metric space as its space of maximal elements. Both of these results focus on domains which satisfy the property that the Scott topology is weak at the top [8], and indeed under this assumption, the maximal elements of the underlying domain form a separable metric space. We now outline some results that are due to Keye Martin, a PhD student at Tulane, which provide an alternative approach to these and related results. They all will be contained in [14]. Martin begins with the notion of a measurement on a domain.

Definition 7. Let P be a continuous poset. A measurement on P is a Scott-continuous mapping µ: P → ([0, ∞), ≥) satisfying
1. µ⁻¹(0) = MAX(P), and
2. µ induces the Scott topology near the top of P: (∀U ⊆ P open)(∃ε > 0) µ⁻¹([0, ε)) ⊆ U.

Numerous examples are available here, including:
1. The space IR of compact intervals of real numbers, ordered by reverse inclusion, and with length as the measurement.
2. The family LIST(A) of lists over a set A, again with length of the list as the measurement.

In both of these cases – and in most others – the measurement actually induces the Scott topology on the whole domain, not just near the top.

Theorem 7 (Martin [14]). Let (P, µ) be a continuous poset with a measurement, and suppose that µ satisfies:
(∀x, y ∈ P) x ↑ y ⇒ (∃z ∈ P) z ⊑ x, y & µ(z) ≤ 2 · max{µ(x), µ(y)}.
Then MAX(P) is metrizable. □
Notice that the result makes no mention of the weak topology – it holds for any continuous poset with measurement. The converse of this result follows from Edalat’s and Heckmann’s result about the formal ball model [9], since that model has a measurement, the function (x, r) ↦ r.

4.1 Modeling Algorithms
The inspiration for Martin’s results was the intuition that two of the most common algorithms had something domain-theoretic in common. Those algorithms are:
1. The bisection algorithm which seeks a root for a continuous selfmap f: R → R on an interval [a, b] ⊆ R. It proceeds by testing whether the function changes sign, first on the left half of the interval and then on the right, and recursively subdivides the interval. The algorithm can be viewed as a partial mapping split_f: IR ⇀ IR. Note that split_f is not monotone, let alone continuous.
2. Any of the searching algorithms on LIST(A), the domain of lists over a set A. Here again, these algorithms give rise to partial selfmaps of LIST(A) that are not generally monotone.

These examples inspired the following:

Definition 8. Let P be a continuous poset. A partial mapping f: P ⇀ P is a splitting at the point x ∈ P if x ⊑ f(x).

Theorem 8 (Martin [14]). Let f: P ⇀ P be a partial selfmap on a continuous dcpo P with measurement µ. If µ ∘ f: P ⇀ [0, ∞) is continuous, and if f is a splitting at x, then f: ↑x ⇀ ↑x has ⊔_{n∈N} f^n(x) as a fixed point. □

A corollary of this result is that any continuous selfmap f: R → R has a root on any interval [a, b] for which split_f([a, b]) ⊆ [a, b]. Similarly, any of the familiar searching algorithms induce splittings on any list, so the same result implies they each have a fixed point. Thus, the theory of continuous posets with measurements and splittings provides a common environment to model both the “discrete” algorithms from searching and the continuous algorithms such as the bisection algorithm.

4.2 Derivatives and Rates of Convergence
Since the setting of continuous posets with measurements includes the interval domain IR, we can use this setting to generalize some results from numerical analysis.

Definition 9. Let f: P ⇀ P be a partial mapping on a continuous poset P with measurement µ. If p ∈ MAX(P), then we define the derivative of f at p by
df/dµ (p) = lim_{x→p} (µ(f(x)) − µ(f(p))) / (µ(x) − µ(p)).
For example, for a continuous selfmap f: R → R, if f has a root on the interval [a, b], then the above definition says that split_f has derivative 1/2 at [a, b], in keeping with the fact that the mapping splits the interval in half on each iteration. The following shows this definition is sensible.

Theorem 9 (Martin [14]). If f: R → R is differentiable at p, then
dF/dµ ({p}) = |f′(p)|,
where F: IR ⇀ IR is F([a, b]) = f([a, b]) and µ([a, b]) = b − a. Conversely, if f is locally monotone and F has a derivative at {p}, then so does f and the above equation holds. □

We can use this result to generate a rate of convergence result for such mappings.

Proposition 3 (Martin [14]). Let f: P ⇀ P be a partial mapping on a continuous poset P with measurement µ. Suppose that lim_{n>0} f^n(x) = r ∈ MAX(P) is a fixed point for f. Then
lim_{n>0} µ(f^{n+1}(x)) / µ(f^n(x)) = df/dµ (r). □

Thus df/dµ (r) gives a rate of convergence for the function f to its fixed point r by providing the number of iterations required to obtain the answer to within “ε accuracy.” If the sequence f^n(x) converges to a maximal element, then the measures go to 0, so we know there is some finite point in time where we are as close as desired (within ε).
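The following added Python example (not code from the paper or from [14]) puts Sections 4.1 and 4.2 together on the interval domain IR with the length measurement: it implements split_f for the bisection algorithm, checks that split_f is a splitting at [1, 2] for t² − 2 but is not monotone, and computes the ratio µ(f^{n+1}(x))/µ(f^n(x)) of Proposition 3, which is exactly 1/2 here, together with the number of iterations needed for ε accuracy. Endpoints are Fractions so that halving is exact; the function names (split, mu, below, convergence_ratio) and the sample functions are constructed for the example.

```python
from fractions import Fraction
from math import ceil, log2

# Constructed example: the interval domain IR of compact intervals [a, b] ordered by
# reverse inclusion, with the measurement mu = length. Fraction endpoints keep halving exact.

def below(x, y):
    """x ⊑ y in IR  iff  y ⊆ x: a smaller interval carries more information."""
    return x[0] <= y[0] and y[1] <= x[1]

def mu(x):
    """Measurement on IR: length. mu(x) = 0 exactly on the maximal elements {p}."""
    return x[1] - x[0]

def split(f):
    """The partial map split_f: IR ⇀ IR behind the bisection algorithm. It is defined only
    where f changes sign on the interval; it tests the left half first, then the right."""
    def step(x):
        a, b = x
        if f(a) * f(b) > 0:
            raise ValueError("split_f undefined here: f does not change sign on the interval")
        m = (a + b) / 2
        return (a, m) if f(a) * f(m) <= 0 else (m, b)
    return step

def is_splitting_at(g, x):
    """Definition 8: g is a splitting at x when x ⊑ g(x)."""
    return below(x, g(x))

def iterate(g, x, n):
    for _ in range(n):
        x = g(x)
    return x

def convergence_ratio(g, x, n):
    """mu(g^{n+1}(x)) / mu(g^n(x)); by Proposition 3 its limit is dg/dmu at the fixed point."""
    xn = iterate(g, x, n)
    return mu(g(xn)) / mu(xn)

def iterations_for_accuracy(x, eps):
    """With ratio 1/2, n steps give mu = mu(x) / 2^n; return the least n with mu(x)/2^n <= eps."""
    return 0 if mu(x) <= eps else ceil(log2(float(mu(x) / eps)))

def monotonicity_fails(g, x, y):
    """True when x ⊑ y but not g(x) ⊑ g(y): a splitting need not be monotone."""
    return below(x, y) and not below(g(x), g(y))

# A root of t² − 2 on [1, 2]: the iterates shrink towards the maximal element {√2}.
root2 = split(lambda t: t * t - 2)
UNIT = (Fraction(1), Fraction(2))
```

The non-monotonicity check uses (t − 1)(t − 3) on [0, 3] ⊑ [2, 3]: the larger interval is split towards the root 1, the smaller one towards the root 3, so the images are not comparable. This is exactly why Theorem 8 asks only for a splitting and continuity of µ ∘ f, not for monotonicity of f.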
5 Summary
We have given three generalizations of domain theory along with outlines of the problems that inspired those generalizations. The applications range from process algebra to models of computation, and include novel ideas that generalize some of the basic tenets of the original theory. Namely, they include
– Relaxing the assumption that the objects under study are directed complete, but retaining the structure of continuity. The result is a theory that helps explain how the models for CSP relate to standard domain-theoretic constructions, and also makes clear that the hiding operator from CSP is the one operation that requires using a subfamily of the poset of non-empty Scott closed sets.
– Relaxing the condition of directed completeness and continuity to consider local cpos and monotone maps. The theory developed provides a general setting for modeling unbounded nondeterminism, and includes using cpos “at the top” of such objects to generate (least) fixed point theorems to assure that process meanings are well-defined.
– Considering continuous posets and mappings which are not monotone in order to model examples from computation, but which include the notion of a measurement. The theory provides a rich setting for devising computational models that encompass both the continuous approach and the discrete approach represented by list searching algorithms. In this setting, it also is possible to generalize standard results from numerical analysis.

We believe these applications only serve to scratch the surface in terms of the potential applications for domain theory, and indeed many existing results are not mentioned here. This rather cursory survey is meant only to pique the reader’s interest, and to provide some examples which we believe make a convincing case that domain theory is a rich theory whose potential applications range far from the setting that inspired it.
References
1. Abramsky, S. A domain equation for bisimulation. Information and Computation 92 (1991), 161–218.
2. Abramsky, S., Jung, A. Domain Theory. In: Handbook of Computer Science and Logic, Volume 3 (1994), Clarendon Press.
3. Brookes, S. D., Hoare, C. A. R., Roscoe, A. W. A theory of communicating sequential processes. Journal ACM 31 (1984), 560–599.
4. Brookes, S. D., Roscoe, A. W. An improved failures model for communicating processes. Lecture Notes in Computer Science 197 (1985), 281–305.
5. Edalat, A. Dynamical systems, measures and fractals via domain theory. Information and Computation 120 (1995), 32–48.
6. Edalat, A. Domain theory in learning processes. Electronic Notes in Theoretical Computer Science 1 (1995), URL: http://www.elsevier.com/locate/entcs/volume1.html.
7. Edalat, A. Domain theory and integration. Theoretical Computer Science 151 (1995), 163–193.
8. Edalat, A. When Scott is weak at the top. Mathematical Structures in Computer Science, to appear.
9. Edalat, A., Heckmann, R. A computational model for metric spaces. Theoretical Computer Science, to appear.
10. Edalat, A., Potts, P. A new representation for exact real numbers. Electronic Notes in Theoretical Computer Science 6 (1997), URL: http://www.elsevier.com/locate/entcs/volume6.html.
11. Gierz, G., Hofmann, K. H., Keimel, K., Lawson, J., Mislove, M., Scott, D. “A Compendium of Continuous Lattices.” Springer-Verlag, Berlin, Heidelberg, New York (1980), 326pp.
12. Hennessy, M., Plotkin, G. Full abstraction for a simple parallel programming language. Lecture Notes in Computer Science 74 (1979), Springer-Verlag.
13. Lawson, J. Spaces of maximal points. Mathematical Structures in Computer Science, to appear.
14. Martin, K. Ph.D. thesis, Tulane University, in preparation.
15. Mislove, M. Algebraic posets, algebraic cpo’s and models of concurrency. In: Topology and Category Theory in Computer Science. G. M. Reed, A. W. Roscoe and R. Wachter, editors, Clarendon Press (1991), 75–111.
16. Mislove, M. Denotational models for unbounded nondeterminism. Electronic Notes in Theoretical Computer Science 1 (1995), URL: http://www.elsevier.com/locate/entcs/volume1.html.
17. Mislove, M. Using duality to solve domain equations. Electronic Notes in Theoretical Computer Science 6 (1997), URL: http://www.elsevier.nl/locate/entcs/volume6.html.
18. Mislove, M. Topology, domain theory and theoretical computer science. Topology and Its Applications, to appear.
19. Mislove, M., Roscoe, A. W., Schneider, S. A. Fixed points without completeness. Theoretical Computer Science 138 (1995), 273–314.
20. Plotkin, G. D. A powerdomain for countable nondeterminism. Lecture Notes in Computer Science 140 (1982).
21. Smyth, M. Effectively given domains. Theoretical Computer Science 5 (1977), 257–274.
22. Smyth, M. Power domains and predicate transformers: a topological view. Lecture Notes in Computer Science 154 (1983), Springer-Verlag, 662–675.
23. Reed, G. M., Roscoe, A. W. Metric spaces as models for real-time concurrency. Lecture Notes in Mathematics 298 (1988), 331–343.
24. Roscoe, A. W., Barrett, G. Unbounded nondeterminism in CSP. Lecture Notes in Computer Science 442 (1990).
25. Schneider, S. A. An operational semantics for timed CSP. Information and Computation 116 (1995).
26. Stoltenberg-Hansen, A., Lindström, I., Griffor, E. B. “Mathematical Theory of Domains.” Cambridge Tracts in Theoretical Computer Science 22 (1994), Cambridge University Press, 349pp.
Generalizing Domain Theory
Michael Mislove*
Tulane University, New Orleans, LA 70118, USA
e-mail: mmn@math.tulane.edu
WWW home page: http://www.math.tulane.edu/mislove.html

Abstract. Domain theory began in an attempt to provide mathematical models for high-level programming languages, an area where it has proved to be particularly useful. It is perhaps the most widely-used method for devising semantic models for such languages. This paper is a survey of some generalizations of domain theory that have arisen in efforts to solve related problems. In each case, a description is given of the problem and of the solution generalizing domain theory it inspired. The problems range from the relation of domain theory to other approaches for providing semantic models, particularly in process algebra, to issues surrounding the notion of a computational model, an approach inspired by the recent work of Abbas Edalat.
1 The Basics - How Domain Theory Began

This section is a brief outline of some of the "basic ingredients" of domain theory and the applications that inspired them.

1.1 In the beginning...
Domain theory began in an attempt by Dana Scott to find mathematical models for high-level programming languages. Upon his arrival in Oxford in the mid 1960s, Scott found Christopher Strachey and his colleagues at the Programming Research Group using the untyped lambda calculus of Church and Curry as a model for programming, something Scott found disturbing because he regarded it as a "formal and unmotivated" notation (cf. [11]). He thus set out to find alternative models for Strachey and his colleagues to use. Because programs can call other programs, and indeed, can even call themselves, Scott was led to consider objects X in some category or other which satisfy the property that they contain a copy of their space of selfmaps in the category. Of course, Cantor's Lemma implies the only such objects in the category of sets and functions are degenerate (i.e., they consist of a single point), and so no such objects can be found there. But the reals have only as many continuous selfmaps as there are real numbers (because of their having a dense, countable subset on which all continuous selfmaps are completely determined), so it is potentially possible to find such objects X among topological spaces. While attempting to find appropriate models of partially defined maps, Scott realized there had to be T₀ spaces isomorphic to their space of continuous selfmaps, and he then constructed such an object in the category of algebraic lattices and so-called Scott continuous maps. In the years since Scott constructed the first model of the untyped lambda calculus, the nature of the construction has become much better understood, and it now is realized that very little of the machinery that is available in the category of algebraic lattices and Scott continuous maps actually is necessary for the construction. In fact, it now is understood that only directed complete partial orders are needed to carry out the construction. Remarkably, despite this much better understanding, the only known models of the calculus are within the category of such partial orders and Scott continuous functions. We now describe this setting.

* This work partially supported by the US Office of Naval Research.
1.2 Directed Complete Partial Orders
Let's switch gears for a moment, and consider what we need to model a recursive process. If we are working within some language - let's not worry about typing issues - and we are confronted with a term rec x.f(x), then the operational rule which allows us to understand this process is given by rec x.f(x) → f[(rec x.f(x))/x]. This unwinding of recursion allows us to deduce that the recursive process rec x.f(x) actually should be a fixed point for the body of the recursion. In any case, if we are to model programs as functions, then the unwinding rule tells us the functions we are interested in must have fixed points. In fact, it would be nice if those fixed points were canonical in some sense, so that their choice is not arbitrary. This is what domain theory offers us. To begin, a partial order (or poset) is a non-empty set P equipped with a reflexive, antisymmetric and transitive relation, usually denoted ⊑. A simple example is to take any non-empty set X and equip it with the discrete order, where x ⊑ y ⟺ x = y. A subset D ⊆ P of such a set is directed if every finite subset of D has an upper bound in D. In our example, the only directed subsets are the singleton sets. Finally, a partial order P is directed complete if every directed subset has a least upper bound in P. These are called dcpos. Clearly, discrete orders satisfy this condition, since the only directed subsets are singleton sets. A directed complete partial order which has a least element ⊥ (i.e., one which is below all other elements) is sometimes called a cpo. What is important about cpos is that monotone¹ selfmaps have least fixed points:

Theorem 1 (Tarski). A monotone mapping f: P → P of a cpo has a least fixed point, namely, FIX f = ⊔_{α∈Ord} f^α(⊥).

¹ A map f: P → Q is monotone if x ⊑ y ⟹ f(x) ⊑ f(y).
(Here, Ord stands for the class of ordinals.) Thus, a good place to seek models for recursion is within the category of cpos and monotone mappings. But, if we require our functions to preserve sups of directed sets, we can do better.

Definition 1. A mapping $f\colon P \to Q$ between dcpos is Scott continuous if $f$ is monotone² and $f$ preserves sups of directed sets: $(\forall D \subseteq P \text{ directed})\ f(\bigsqcup D) = \bigsqcup f(D)$.

Corollary 1 (Scott). A Scott continuous selfmap $f\colon P \to P$ on a cpo has its least fixed point given by $\mathrm{FIX}\,f = \bigsqcup_{n \in \mathbb{N}} f^{n}(\bot)$.

The category of directed complete partial orders and Scott continuous maps has many desirable properties - it is Cartesian closed, for example. We denote the family of continuous maps between (d)cpos $P$ and $Q$ by $P \to Q$; this space becomes a dcpo when endowed with the pointwise order, in which $f \sqsubseteq g \Leftrightarrow f(x) \sqsubseteq g(x)\ (\forall x \in P)$.
The full subcategory whose objects are cpos also is Cartesian closed, and it is within these categories where one can find ample support for constructing denotational models of programming languages. We even can conclude more here. Since the least fixed point of a monotone or continuous selfmap always exists, assigning it as the meaning of a recursive process is in some sense canonical. In fact,

Theorem 2. The least fixed point operator $Y\colon (P \to P) \to P$ given by $Y f = \mathrm{FIX}\,f$ is continuous.

The implication here is that one has continuous fixed point operators of all orders, so modeling recursion at higher types can be done in the same way it is at the start. There is even a transfer principle available; it tells us that "fixed points are preserved" by certain operators:

Proposition 1. Let $f\colon P \to P$ and $g\colon Q \to Q$ be continuous selfmaps of cpos $P$ and $Q$, and let $h\colon P \to Q$ also be a continuous strict³ map satisfying $g \circ h = h \circ f$. Then $\mathrm{FIX}\,g = h(\mathrm{FIX}\,f)$.

The categories DCPO and CPO of directed complete partial orders (with least element in the second case) and Scott continuous maps thus enjoy several appealing properties. In addition to Cartesian closure, they also are closed under (arbitrary) products and direct sums. In addition, there is a closely-related adjunction. If CPO$_!$ denotes the category of cpos and strict Scott continuous maps, then the forgetful functor into DCPO has the lift functor as left adjoint; this functor adds a (new) least element to a dcpo $P$ and extends a continuous mapping to the lifted domains to be strict.

² This hypothesis is simply to guarantee that the image of a directed set in $P$ is directed in $Q$.
³ By strict, we mean $h$ takes the least element of $P$ to the least element of $Q$.
1.3 The Myhill-Shepherdson Theorem
The results described so far make an appealing, if somewhat abstract, case for using domain theory to build models for programming languages - well, at least for modeling recursion. We now describe a result which puts more substance to this claim. Perhaps the most natural place to start to model programs is over the natural numbers. In order to invoke a domain-theoretic setting, we can endow $\mathbb{N}$ with the discrete order, and clearly we have a dcpo. Our interest is in using domain theory to model computable functions. Functions on $\mathbb{N}$ are mappings $f\colon \mathbb{N} \to \mathbb{N}$, so we want to start with the cpo $\mathbb{N} \to \mathbb{N}$. This is not quite right, either. Church's thesis says the partial recursives are the computable functions, and so we should consider partial mappings $f\colon \mathbb{N} \rightharpoonup \mathbb{N}$. Now, the family of such mappings - $\mathbb{N} \rightharpoonup \mathbb{N}$ - is a cpo under the extensional ordering: $f \sqsubseteq g \Leftrightarrow \mathrm{dom}\,f \subseteq \mathrm{dom}\,g\ \&\ g|_{\mathrm{dom}\,f} = f$.
Here, a directed family of partial mappings has for its supremum the union of the family. Two convenient facts are that any function from $\mathbb{N}$ to itself is monotone - even continuous - with respect to the discrete order, and the extensional order on the space of mappings between two discretely ordered sets is in fact the pointwise order. Thus, the partial mappings on $\mathbb{N}$ with the extensional order are just the partial mappings endowed with the pointwise order from the discrete order on $\mathbb{N}$. But how do we distinguish the partial recursives from arbitrary partial selfmaps of $\mathbb{N}$? A simple and very well-worn example shows how. Consider the factorial function

$$\mathrm{Fac}(n) = \begin{cases} 1 & \text{if } n = 0, \\ n \cdot \mathrm{Fac}(n-1) & \text{otherwise.} \end{cases}$$

This leads us to define a functional $F\colon (\mathbb{N} \rightharpoonup \mathbb{N}) \to (\mathbb{N} \rightharpoonup \mathbb{N})$ by

$$F(f)(m) = \begin{cases} 1 & \text{if } m = 0, \\ m \cdot f(m-1) & \text{if } m > 0\ \&\ f(m-1) \text{ defined.} \end{cases}$$
It is easy to show that this functional is continuous (it only needs to preserve increasing unions of partial functions), and that its least fixed point is the factorial. What is harder is the fact that the effective structure (in the sense of recursion theory) on $\mathbb{N}$ can be extended to one on $(\mathbb{N} \rightharpoonup \mathbb{N}) \to (\mathbb{N} \rightharpoonup \mathbb{N})$ (using ideas from the next section - see [26] for details), and $F$ can be shown to be effective with respect to this structure. This means $F$'s restriction to the partial recursives leaves them invariant; i.e., $F(g)$ is partial recursive if $g$ is. If we let $\mathbb{N} \rightharpoonup_k \mathbb{N}$ denote the computable mappings on the natural numbers (i.e., the partial recursives), the following says every partial recursive arises exactly in this way:

Theorem 3 (Myhill-Shepherdson). The effective operators on $\mathbb{N} \rightharpoonup_k \mathbb{N}$ are exactly the restrictions of the effective continuous functionals $G\colon (\mathbb{N} \rightharpoonup \mathbb{N}) \to (\mathbb{N} \rightharpoonup \mathbb{N})$ to $\mathbb{N} \rightharpoonup_k \mathbb{N}$.
1.4 Algebraicity and Continuity
A second component of domain theory - apart from the ease with which one can model recursion - is that of approximation. The idea is illustrated by the Myhill-Shepherdson Theorem. For any continuous functional $G\colon (\mathbb{N} \rightharpoonup \mathbb{N}) \to (\mathbb{N} \rightharpoonup \mathbb{N})$, the least fixed point is $\mathrm{FIX}\,G = \bigsqcup_{n \in \mathbb{N}} G^{n}(\emptyset)$, since $\emptyset$ is the least partial function. In the case $G$ is effective, $G^{n}(\emptyset)$ is a finite function. The finite functions play a special role in $\mathbb{N} \rightharpoonup \mathbb{N}$: they are the compact elements.
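As an added worked example (not part of the original paper), the Kleene iteration of Corollary 1 applied to the factorial functional $F$ of Section 1.3, with partial functions $\mathbb{N} \rightharpoonup \mathbb{N}$ represented as finite Python dicts under the extensional order. The function names (`kleene_stage`, `fix_F_upto` and so on) are this example's own. It shows that each stage $F^n(\emptyset)$ is a finite function (a compact element of $\mathbb{N} \rightharpoonup \mathbb{N}$), that the stages form an increasing chain, and that their union is the factorial.

```python
from math import factorial

# Partial functions N -> N are represented as finite dicts {argument: value};
# a key absent from the dict means the function is undefined there.

def extensionally_below(f, g):
    """f ⊑ g in the extensional order: dom f ⊆ dom g and g restricted to dom f equals f."""
    return all(m in g and g[m] == v for m, v in f.items())

def F(f):
    """The factorial functional from the text:
    F(f)(0) = 1, and F(f)(m) = m * f(m-1) exactly when f(m-1) is defined."""
    out = {0: 1}
    for k, v in f.items():
        out[k + 1] = (k + 1) * v
    return out

def kleene_stage(n):
    """F^n(∅): the n-th approximation to FIX F.  It is a finite function with
    domain {0, ..., n-1}, hence a compact element of N ⇀ N."""
    f = {}
    for _ in range(n):
        f = F(f)
    return f

def chain_is_increasing(n):
    """The stages F^0(∅) ⊑ F^1(∅) ⊑ ... form a directed (indeed increasing) family,
    so Corollary 1 applies and FIX F is their union."""
    return all(extensionally_below(kleene_stage(i), kleene_stage(i + 1))
               for i in range(n))

def F_is_monotone_on(f, g):
    """Spot check of monotonicity of F on one pair f ⊑ g."""
    return (not extensionally_below(f, g)) or extensionally_below(F(f), F(g))

def fix_F_upto(limit):
    """The value FIX F(m) is settled at every stage n > m, so the restriction of the
    least fixed point to {0, ..., limit} is already present at stage limit + 1."""
    return kleene_stage(limit + 1)

if __name__ == "__main__":
    for n in range(5):
        print(n, kleene_stage(n))
    print("agrees with factorial:",
          all(fix_F_upto(10)[m] == factorial(m) for m in range(11)))
```

Each stage is a finite function, which is why an effective $F$ only ever needs finitely much information about its argument; that is the approximation theme Section 1.4 takes up.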
Definition 2. An element $k \in P$ in a dcpo is compact if $k \sqsubseteq \bigsqcup D$ implies $(\exists d \in D)\ k \sqsubseteq d$ for all directed subsets $D \subseteq P$. The set of compact elements of $P$ is denoted $K(P)$, and, for each $x \in P$, the set of compact elements below $x$ is denoted $K(x)$. Lastly, $P$ is algebraic if $K(x)$ is directed and $x = \bigsqcup K(x)$ for every $x \in P$.

Since any partial mapping $f\colon \mathbb{N} \rightharpoonup \mathbb{N}$ satisfies $f = \bigsqcup\{f|_X \mid X \subseteq \mathrm{dom}\,f \text{ finite}\}$, $\mathbb{N} \rightharpoonup \mathbb{N}$ is algebraic. The compact elements of an algebraic dcpo completely determine the dcpo, since each element of the dcpo is the directed supremum of the compact elements below it. This association can be made more precise. Indeed, if we call a subset $I \subseteq Q$ of a partially ordered set an ideal if $I = {\downarrow}I$ is a lower set which also is directed, then we have the association $x \mapsto K(x)\colon P \to \mathrm{Idl}\,K(P)$ which sends each element of $P$ to the ideal of compact elements below it. This association is an isomorphism, where the inverse mapping simply sends an ideal to its supremum (which exists because $P$ is a dcpo). Hence, $P \cong \mathrm{Idl}\,K(P)$ for each algebraic dcpo $P$. This gives rise to an adjunction between the category ALG of algebraic dcpos and Scott continuous maps and the category POS of posets and monotone mappings. The right adjoint is the forgetful functor from ALG to POS, and the left adjoint is the ideal functor, which sends a partially ordered set to its family of ideals ordered under inclusion. One of the important consequences of this adjunction is that each continuous mapping $f\colon P \to Q$ between algebraic dcpos is completely determined by the restriction of $f$ to the compact elements of $P$, and, conversely, each monotone mapping $f\colon K(P) \to Q$ from the compact elements of $P$ to any dcpo $Q$ extends to a unique continuous map from $P$ to $Q$.

All of this has an important extension. The motivating example is the unit interval, which has 0 as its only compact element. Yet there is a clear notion of approximation here: if $x < y$, then for a directed set to have its supremum above $y$, some element of the directed set must be above $x$.
Definition 3. The elements $x, y \in P$ in a dcpo satisfy $x \ll y$ (read "$x$ is relatively compact in $y$") if $y \sqsubseteq \bigsqcup D$ implies there is some $d \in D$ with $x \sqsubseteq d$, for all directed subsets $D$ of $P$. The set of elements relatively compact in $y$ is denoted ${\Downarrow}y$, and the dcpo $P$ is called continuous if ${\Downarrow}y$ is directed and $y = \bigsqcup {\Downarrow}y$ for all $y \in P$.
An adjunction similar to the one between ALG and POS is available for continuous dcpos. It involves the notion of an abstract basis originally due to SMYTH [21].

Definition 4. An abstract basis is a non-empty set $X$ equipped with a transitive relation $\prec$ which satisfies the interpolation property: $(\forall y \in X)(\forall M \subseteq X \text{ finite})\ M \prec y \Rightarrow (\exists x \in X)\ M \prec x \prec y$. A function $f\colon X \to Y$ between abstract bases is ideal if $x \prec y$ in $X$ implies that $\{z \in Y \mid z \prec f(x)\} \subseteq \{z \in Y \mid z \prec f(y)\}$.
For example, in any continuous dcpo $P$, the pair $(P, \ll)$ is an abstract basis. Any abstract basis satisfies the property that the family of ideals (defined just as in the partially ordered set case) is a continuous dcpo under the inclusion order. The notion of an ideal mapping is designed precisely to capture those functions between abstract bases which extend to continuous mappings between their ideal completions. The following result generalizes the situation for algebraic domains.

Theorem 4 ([17]). The functor which associates to a continuous dcpo $P$ the abstract basis $(P, \ll)$ and to a continuous mapping $f\colon P \to Q$ the ideal mapping $f(I) = \{y \in Q \mid (\exists z \in I)\ y \ll f(z)\}$ is right adjoint to the ideal functor which associates to an abstract basis its ideal completion and to an ideal mapping the associated continuous mapping on the space of ideals.

Notes: This completes our rather cursory outline of domain theory. We have left out far more than we have included, but our intention is to provide only the barest of introductions to motivate the generalizations that we describe below. We have not made specific reference to any result. Except for the last results on continuous dcpos (which can be found in [2] for the most part), most of this is folklore now, and can be found in many places. Again, [2] is an excellent source for referencing most of these results. The last theorem, however, appears only in [17]. A survey of a number of the ideas presented here can be found in [18].

2 Continuous Posets
A rather successful approach to modeling concurrent computation was devised by the members of the Programming Research Group at Oxford using the language CSP. We briefly outline this approach below, with an eye toward finding the relationship between the CSP models and more standard ones from domain theory. In endeavoring to understand this relationship, it became clear that one of the fundamental principles of domain theory had to be relaxed in order to describe the CSP models in purely domain-theoretic terms. That fundamental property of dcpos is that they are directed complete: all directed subsets have least upper bounds. This property is crucial in assuring that all continuous selfmaps have (least) fixed points. But it turns out that describing the CSP models in domain-theoretic terms requires relaxing this condition in order to relate the models to the world of domains. The model we focus on for this discussion is the failures model for CSP, which we now describe.
2.1 CSP and the Failures Model
CSP is a process algebra for reasoning about concurrent processes. It was originally devised by C. A. R. HOARE and the first, definitive model for the language was presented in [3]. This is the so-called failures model, which models a process in terms of the communication events it can participate in (the traces of the process) together with the events it may refuse to participate in after a given trace (the so-called refusals). A syntax for CSP suitable for our purposes is given by the following BNF-like production rules:

$$P ::= \mathrm{STOP} \mid \mathrm{SKIP} \mid a \to P \mid P \setminus a \mid P ; P \mid P\ {}_A\|_B\ P \mid P \,\Box\, P \mid P \sqcap P \mid x \mid \mu x.P$$

In this syntax, STOP denotes immediate abnormal termination, while SKIP denotes immediate normal termination. The actions $a$ range over a set $\Sigma$ of atomic actions which denote communication events between processes; $a \to P$ is a process which first wishes to participate in the action $a$ and then to act like process $P$. $P \setminus a$ is the process $P$ with all occurrences of the action $a$ hidden from the environment (but they still occur, and as soon as they are offered). $P ; P$ is the sequential composition of the two component processes; $P\ {}_A\|_B\ P$ is the process which has the two components synchronize on all actions in $A \cap B$ ($A, B \subseteq \Sigma$), but either branch is free to perform actions not in the intersection whenever it wishes. $P \,\Box\, P$ is the external choice of the two processes, in which the environment is allowed to decide which branch will be chosen on the first action only, while $P \sqcap P$ is the internal choice of the branches, in which the machine decides. The term $x$ denotes a process variable, and the last term is recursion.

The failures model for CSP as presented, e.g., in [3] gives a model for this language based on pairs $(s, X)$, where $s \in \Sigma^* \cup \Sigma^*\checkmark$ is a finite sequence of actions, possibly ending in the normal termination event $\checkmark \notin \Sigma$, and $X \subseteq \Sigma$ is a set of refusals - events which the process may refuse to participate in after execution of $s$. The second component is needed in the model in order to distinguish internal and external choice. The failures model $\mathcal{FM}$ interprets each process as a set of such pairs, and the sets $F$ that qualify to represent a process in CSP must satisfy the following conditions:

1. $\emptyset \neq F$.
2. $(s, X) \in F$ and $t$ a prefix of $s$ imply $(t, \emptyset) \in F$.
3. $(s, X) \in F$ and $Y \subseteq X$ imply $(s, Y) \in F$.
4. $(s, X) \in F$ and $(s\langle c\rangle, \emptyset) \notin F$ for all $c \in Y \subseteq \Sigma$ finite imply $(s, X \cup Y) \in F$.

The sets satisfying these conditions are called the failures model for CSP; it is shown in [3] that they form a complete inf-semilattice. This structure is used as the basis for showing this family of sets can be endowed with operations corresponding to each of the CSP operators. This allows an interpretation of CSP in the set of subsets of $(\Sigma^* \cup \Sigma^*\checkmark) \times \mathcal{P}(\Sigma)$ satisfying 1) - 4) - i.e., it provides the ingredients to show the family $\mathcal{FM}$ is a denotational model for CSP.
The order on the failures model is reverse containment on sets. So, the smaller the set, the higher it is in the order. Because the inf-operation is used to model nondeterminism, the order on the model is the order of nondeterminism - the higher a set, the more deterministic the process it represents. In fact, the maximal elements of the model are the deterministic processes. These have the property that they cannot be refined by any other process. The order on the model also is used to model recursion, just as in the case of cpos. All the operators from CSP are modeled by operations on the model that are continuous with respect to reverse inclusion, and so Scott's corollary to Tarski's Theorem implies that each of the recursive processes can be modeled as the least fixed point of a continuous operator on the model.
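As an added example (not taken from [3] or from this paper), a Python rendering of the failures model over a constructed two-letter alphabet, without SKIP or $\checkmark$: the denotations of STOP, prefixing, internal and external choice, a checker for conditions 1) - 4), and the model's order. The function names and the restriction to a finite alphabet are this example's own assumptions. It shows why the refusal component is needed: $(a \to \mathrm{STOP}) \sqcap (b \to \mathrm{STOP})$ and $(a \to \mathrm{STOP}) \,\Box\, (b \to \mathrm{STOP})$ have the same traces but different refusals after the empty trace, and the external choice refines the internal one under reverse containment.

```python
from itertools import combinations

SIGMA = frozenset({'a', 'b'})   # constructed alphabet; no SKIP / tick in this example

def subsets(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

# A process denotes a frozenset of failures (trace, refusal set); traces are tuples.
def STOP():
    """STOP: does nothing, so after the empty trace it may refuse any set of events."""
    return frozenset(((), X) for X in subsets(SIGMA))

def prefix(a, P):
    """a -> P: initially refuses any set not containing a, then behaves like P."""
    return frozenset({((), X) for X in subsets(SIGMA) if a not in X}
                     | {((a,) + s, X) for (s, X) in P})

def internal_choice(P, Q):
    """P ⊓ Q: the machine decides, so either side's failures are possible."""
    return P | Q

def external_choice(P, Q):
    """P □ Q: before the first action, only what both sides refuse is refused."""
    return frozenset({(s, X) for (s, X) in P & Q if s == ()}
                     | {(s, X) for (s, X) in P | Q if s != ()})

def is_failures_set(F):
    """Conditions 1) - 4) from the text, checked over the finite alphabet SIGMA."""
    if not F:                                                            # 1)
        return False
    for (s, X) in F:
        if any((s[:i], frozenset()) not in F for i in range(len(s))):   # 2)
            return False
        if any((s, Y) not in F for Y in subsets(X)):                     # 3)
            return False
        # events that cannot happen after s may always be added to a refusal
        impossible = {c for c in SIGMA if (s + (c,), frozenset()) not in F}
        if any((s, X | Y) not in F for Y in subsets(impossible)):        # 4)
            return False
    return True

def refusals_after(F, s):
    return frozenset(X for (t, X) in F if t == s)

def refines(F, G):
    """F ⊑ G in the model's order (reverse containment): G is the more deterministic."""
    return G <= F

# Constructed sample processes with the same traces but different refusals.
P_INT = internal_choice(prefix('a', STOP()), prefix('b', STOP()))
P_EXT = external_choice(prefix('a', STOP()), prefix('b', STOP()))

if __name__ == "__main__":
    print(sorted(map(sorted, refusals_after(P_INT, ()))))   # [[], ['a'], ['b']]
    print(sorted(map(sorted, refusals_after(P_EXT, ()))))   # [[]]
    print(refines(P_INT, P_EXT), refines(P_EXT, P_INT))      # True False
```

The checker also rejects the set $\{(\langle\rangle, \emptyset)\}$, which refuses nothing but can perform no event: condition 4) forces every refusal set to absorb the events that are impossible after the trace, which is what makes deterministic processes the maximal elements.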
2.2 The Failures Model as Closed Sets
All of the above indicates that the failures model is a cpo (the least element of the model is the set $\mathrm{CHAOS} = \{(s, X) \mid s \in \Sigma^* \cup \Sigma^*\checkmark\ \&\ X \subseteq \Sigma\}$). But the construction is far from "standard", and it is unclear what relationship this model has to languages other than CSP. The work in [15] resulted from an effort to better understand this relationship. The analysis relies on a closer scrutiny of the properties that define failures sets. The first three conditions imply that the sets $F$ that qualify as process meanings are lower sets from some related partial order, and it was this idea that led to a realization that the conditions listed actually describe certain closed sets from a partial order. By closed, we mean closed with respect to the Scott topology, which we now define. But notice that we relax the situation somewhat, and consider any partial order, not just ones that are directed complete. This is because the partial order that gives rise to the failures model is not directed complete.

Definition 5. Let $P$ be a partially ordered set. A subset $U \subseteq P$ is Scott open if

1. $U = {\uparrow}U = \{y \in P \mid (\exists x \in U)\ x \sqsubseteq y\}$ is an upper set in $P$, and
2. $\bigsqcup D \in U \Rightarrow D \cap U \neq \emptyset$ for all directed subsets $D$ of $P$.

It is routine to show that the Scott open sets on any partial order are closed under finite intersections and arbitrary unions, so they do indeed form a topology. This topology is always $T_0$, which means distinct points can be separated by some open set (containing exactly one of them), but the topology is Hausdorff if and only if the partial order is the discrete order. What is more, the functions we defined earlier as being Scott continuous are in fact exactly those that are continuous with respect to this topology. The Scott closed sets are those whose complements are Scott open, and since we have a description of the latter, we can derive the following characterization of the former.

Proposition 2. $X \subseteq P$ is Scott closed if and only if

1. $X = {\downarrow}X$ is a lower set in $P$, and
2. $D \subseteq X$ directed implies $\bigsqcup D \in X$.

Notice that a corollary of this result is that the closure of a point $x \in P$ is ${\downarrow}x$, the principal lower set $x$ defines. This is what makes Scott-closed sets an appealing model for concurrent computation - in the traces setting, they naturally include the history of a process since they are lower sets. As with any topological space, the family of Scott closed sets forms a complete Brouwerian lattice under containment (cf. [11]). But in the case of an algebraic or continuous poset⁴, we can say a lot more. Indeed, in this case, the family of Scott-closed sets forms a completely distributive, hence continuous lattice. If the underlying poset $P$ is algebraic, then the family of Scott-closed sets is in fact completely distributive and algebraic, which in turn implies it forms a complete ring of sets. Finally, the relation $X \ll Y$ on the family of Scott-closed sets is completely determined by that of $P$, and the compact elements in the Scott-closed sets are exactly the closed sets generated by finite sets of compact elements of $P$. In particular, the family of non-empty Scott-closed subsets of a continuous (resp., algebraic) dcpo is a continuous (resp., algebraic) dcpo semilattice (under union) whose relative compactness relation $\ll$ is completely determined by that of the underlying poset. Moreover, in the case $P$ is algebraic, this family is an algebraic dcpo under reverse containment as well, and the compact elements here are the sets of the form $P \setminus ({\uparrow}F)$ as $F \subseteq K(P)$ ranges over the non-empty finite sets of compact elements of $P$. What all this has to do with CSP and the failures model is explained by the following:
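As an added illustration (not from the paper) of Definition 5 and Proposition 2, a Python model of the Scott topology on the dcpo $\omega + 1 = \{0 < 1 < 2 < \cdots < \omega\}$. Subsets are restricted to those whose membership is eventually constant on the naturals (an assumption of this example, enough to cover every upper set, every lower set, and every directed set whose supremum is not attained); `Subset`, `BOUND` and the function names are this example's own. The one kind of directed set that matters is an infinite set of naturals, whose supremum $\omega$ is not a member: that is exactly what separates an upper set from a Scott open one ($\{\omega\}$ is upper but not open) and a lower set from a Scott closed one ($\mathbb{N}$ is lower but not closed).

```python
from dataclasses import dataclass

# Subsets of omega+1 = {0 < 1 < 2 < ... < omega}.  Membership of naturals n >= BOUND
# is assumed constant (equal to `tail`), so infinite sets are representable.
BOUND = 16

@dataclass(frozen=True)
class Subset:
    finite: frozenset  # members among 0 .. BOUND-1
    tail: bool         # True iff every natural n >= BOUND is a member
    omega: bool        # True iff the top element omega is a member

ALL_NATS = frozenset(range(BOUND))
EVERYTHING = Subset(ALL_NATS, True, True)
EMPTY = Subset(frozenset(), False, False)

def down(n):
    """The principal lower set ↓n = {0, ..., n} of a natural n."""
    return Subset(frozenset(range(n + 1)), False, False)

def up(n):
    """The principal upper set ↑n = {n, n+1, ..., omega} of a natural n."""
    return Subset(frozenset(range(n, BOUND)), True, True)

def complement(X):
    return Subset(ALL_NATS - X.finite, not X.tail, not X.omega)

def is_upper(U):
    """x in U and x <= y imply y in U (omega is above everything)."""
    for n in U.finite:
        if not (all(m in U.finite for m in range(n + 1, BOUND)) and U.tail and U.omega):
            return False
    return U.omega or not U.tail

def is_lower(X):
    """x in X and y <= x imply y in X."""
    for n in X.finite:
        if not all(m in X.finite for m in range(n)):
            return False
    if X.tail and X.finite != ALL_NATS:
        return False
    return (not X.omega) or (X.tail and X.finite == ALL_NATS)

def is_scott_open(U):
    """Definition 5.  Condition 2 only bites for directed sets with no greatest element;
    in omega+1 those are the infinite sets of naturals, whose supremum is omega.
    Such a set meets an upper set U exactly when U contains some natural."""
    return is_upper(U) and ((not U.omega) or U.tail or bool(U.finite))

def is_scott_closed(X):
    """Proposition 2: a lower set containing the supremum omega of every infinite
    (hence directed) set of naturals it contains."""
    return is_lower(X) and ((not X.tail) or X.omega)

def closure(X):
    """Smallest Scott-closed superset of X: the lower set generated by X, plus omega
    whenever that lower set has infinitely many naturals."""
    if X.omega or X.tail:
        return EVERYTHING
    if not X.finite:
        return EMPTY
    return down(max(X.finite))

if __name__ == "__main__":
    OMEGA_ONLY = Subset(frozenset(), False, True)
    NATS = Subset(ALL_NATS, True, False)
    print(is_upper(OMEGA_ONLY), is_scott_open(OMEGA_ONLY))     # True False
    print(is_lower(NATS), is_scott_closed(NATS))               # True False
    print(closure(NATS) == EVERYTHING)                         # True
```

The closure of a single point is its principal lower set, as the corollary above states: `closure` of $\{3\}$ is ${\downarrow}3$, and the closure of $\{\omega\}$ is all of $\omega + 1$. Complements of the sample closed sets are open and vice versa, which is the duality Proposition 2 was derived from.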
Example 1. Consider the set $P_F = \{(s, X) \mid s \in \Sigma^* \cup \Sigma^*\checkmark\ \&\ X \subseteq \Sigma\}$. We define a partial order on $P_F$ by $(s, X) \sqsubseteq (t, Y) \Leftrightarrow (s\ \ldots)\ \vee\ (s = t\ \&\ X \subseteq Y)$. It is routine to show this is a partial order, and it also is easy to see that the pairs $(s, X)$ with $X$ finite are compact in this order. Hence $P_F$ is an algebraic poset.
Theorem 5 ([15]). The failures model consists of Scott-closed sets from the algebraic poset $P_F$, and this family is closed in the family of all Scott-closed sets under filtered intersections. Each of the operators from CSP gives rise to an operation on all the Scott-closed sets that is continuous with respect to usual containment, and all but the hiding operator give rise to operations that are continuous with respect to reverse containment.

The point to note here is that it is the hiding operator that "causes all the problems" with the failures model. More to the point, the approach adopted with the failures model was to use the order of nondeterminism to model a certain type of partial correctness - namely, that deadlock or divergence is catastrophic. That decision required a model in which all the operators are continuous with respect to reverse set containment, and since hiding is the only operation which doesn't satisfy this property on all Scott-closed sets, it is the reason for the condition 4) in the definition of the sets that comprise the model. In other words, if one were to seek a model for CSP without hiding, then all the Scott closed sets of the poset $P_F$ could be used.

⁴ By a continuous poset we mean a partial order $P$ in which ${\Downarrow}y$ is directed and $y = \bigsqcup {\Downarrow}y$ for all $y \in P$; $P$ is an algebraic poset if $K(y)$ is directed and $y = \bigsqcup K(y)$ for all $y \in P$. The point is that we no longer require $P$ to be directed complete.
3 Local Cpos
From the outset, computation has viewed sequential composition as the "most primitive" operation. When the issue of modeling concurrent computation arose, the reaction was to devise models for nondeterminism using subset-like constructions, and then to model parallel composition in terms of sequential composition and nondeterministic choice. As described in [12], three distinct models for nondeterministic choice emerged in domain theory - the so-called power domains. These three constructs were first defined in terms of ideal completions of three distinct orders that can be defined on the finite subsets of the set $K(P)$ of compact elements of the underlying domain $P$. This works for any algebraic dcpo, but more restrictive domains allow for alternative descriptions of these constructions. As described in [22], coherent domains (i.e., those algebraic cpos for which the intersection of any finite family of Scott compact upper sets is again compact in the Scott topology) allow the three power domains to be described in completely topological terms:

- The lower power domain is the family of non-empty Scott-closed subsets of the underlying domain equipped with the usual order, and with union as the nondeterministic choice operation. This family is the free sup-semilattice cpo over $P$.
- The upper power domain is the family of non-empty Scott compact upper sets from $P$, again with union as the operation, but this time under the reverse containment order. This family is the free inf-semilattice cpo over $P$.
- The convex power domain is the family of non-empty order-convex subsets $X = {\downarrow}X \cap {\uparrow}X$ of $P$ whose lower set ${\downarrow}X$ is Scott closed and whose upper set ${\uparrow}X$ is Scott compact. The operation is the convex hull of the union, $(X, Y) \mapsto {\downarrow}(X \cup Y) \cap {\uparrow}(X \cup Y)$, and the order is the Egli-Milner order: $X \sqsubseteq Y \Leftrightarrow X \subseteq {\downarrow}Y\ \&\ Y \subseteq {\uparrow}X$. This family is the free semilattice cpo over $P$.

Each of these constructions produces a coherent domain from an underlying coherent domain; these are the more-or-less standard constructions for modeling
nondeterministic choice within domain theory. Each construct allows operations (such as sequential composition) defined on the underlying domain $P$ to be extended to the power domain. But, these extended operations all distribute over the nondeterministic choice operation, and so modeling bisimulation requires the additional step of solving a domain equation defined in terms of the convex power domain (cf. [1]).

All of the above applies to bounded nondeterminism, but unbounded nondeterminism also is useful, especially for specification. For example, consider a process-algebraic setting in which one wants to specify a process that can participate in any finite number of a given action, say $a$, but which is not supposed to participate in infinitely many $a$'s. This requires distinguishing the process $\bigsqcap_{n \in \mathbb{N}} (a^n \to \mathrm{STOP})$ from the process $(\bigsqcap_{n \in \mathbb{N}} (a^n \to \mathrm{STOP})) \sqcap a^{\omega}$. But, these two processes must be identified in any of the models described above, and so we have to generalize domain theory and power domains in order to allow these processes to be distinguished.

In [24], an approach to modeling unbounded nondeterminism in CSP was presented. This approach added a new component to the meaning of each process - the infinite traces that a process could execute. By actually listing these traces, it became possible to distinguish a process that could execute an infinite trace from one which couldn't. But the resulting model was no longer a dcpo. Moreover, some selfmaps of the model no longer were continuous, and some of those that were didn't have any fixed points, let alone least ones. The point is that the new model was not a dcpo. The question then became how to make sure all the processes that could be meanings of recursive CSP processes in this setting actually had well-defined meanings. In other words, the question became one of how to assure that the recursive terms from CSP had meanings given by least fixed points in this new model.
The solution that was found was quite inventive. It amounted to using the fact that the model $\mathcal{U}$ for unbounded nondeterminism naturally contained a model for CSP with bounded nondeterminism - i.e., a copy of the failures-divergences model $\mathcal{FD}$ [4]. This was obtained by sending each CSP process to its meaning in $\mathcal{FD}$ together with those infinite traces that the process could execute, and this gave an embedding of $\mathcal{FD}$ within $\mathcal{U}$ "at the top": any element of $\mathcal{U}$ is the infimum of those elements in $\mathcal{FD}$ that are above it. This provided a cpo "at the top" of $\mathcal{U}$, which in turn proved crucial for deriving the results that were needed to show that $\mathcal{U}$ actually could serve as a model for unbounded nondeterminism in CSP. The heart of the proof presented in [24] amounts to showing that each of the operations on $\mathcal{U}$ from CSP has a corresponding operation on $\mathcal{FD}$ from CSP with bounded nondeterminism that "dominates" it in the pointwise order. In terms of selfmaps of the model, the dominating operation leaves $\mathcal{FD}$ invariant (as it sits in $\mathcal{U}$). As a result, each term from CSP with bounded nondeterminism has a least fixed point on this submodel, and this fixed point is a pre-fixed point for any corresponding term on $\mathcal{U}$ that is dominated by the original term from CSP. But a pre-fixed point for a monotone mapping is all that is necessary to assure the mapping has a least fixed point provided each element of the model satisfies the property that its lower set is a cpo. This indeed is the case, and this is how it is shown that each term from CSP with unbounded nondeterminism actually has a least fixed point on $\mathcal{U}$.

We now present a more general description of these results that also is more precise. Inspired by the work in [24] and by related work in [25] on unbounded nondeterminism for Timed CSP, an effort was made to find an underlying mathematical principle for the results that were obtained in these two papers. The resulting principle turned out to be remarkably simple. It hinged on two main ideas:

- the notion of a local cpo, and
- a dominated fixed point theorem.
Definition 6. A partial order $P$ is a local cpo if ${\downarrow}x$ is a cpo for each $x \in P$.

Clearly any cpo is a local cpo, but there are local cpos which are not directed complete. For example, consider $(\mathbb{N}, \leq)$, the natural numbers in the usual order - the lower set of each point is finite, but $\mathbb{N}$ has no upper bound. This is not exactly the example we have in mind for modeling unbounded nondeterminism, however. The dominated fixed point theorem can then be stated as follows:

Theorem 6 (Dominated Fixed Point Theorem [19]). Let $P$ be a local cpo and $E$ a space for which there is a mapping $\iota\colon E \to P$. Suppose that $f\colon P \to P$ is monotone and satisfies the property that there is some mapping $F\colon E \to E$ with $f \circ \iota \sqsubseteq \iota \circ F$. If $F$ has a fixed point in $E$, then $f$ has a least fixed point in $P$.

The proof of this result is straightforward. One only has to note that a fixed point $x = F(x)$ for $F$ satisfies $\iota(x)$ is a pre-fixed point for $f$: $f(\iota(x)) \sqsubseteq \iota(F(x)) = \iota(x)$ by the hypothesis of the Theorem. Thus, $f\colon {\downarrow}\iota(x) \to {\downarrow}\iota(x)$, and this set is a cpo as $P$ is a local cpo. Hence $f$ has a least fixed point by Tarski's Theorem.

In [19] it is shown how this result provides the common mathematical underpinning for the models for unbounded nondeterminism in Timed and untimed CSP. In the former case, the space $E$ is one of the metric space models for Timed CSP with bounded nondeterminism devised by REED and ROSCOE [23], and in the latter, the space $E$ is the failures-divergences model for untimed CSP with bounded nondeterminism. One result of [19] was the internalization of the fixed point theory for recursive process meanings in each model; in the first approach devised by Roscoe for untimed CSP, an operational model for unbounded nondeterminism and a congruence theorem were used to justify the existence of meanings for each recursive process; of course, this still is needed to validate that the fixed point meanings defined in the model are the operationally correct ones.

Another result of [19] was the realization that the work done in [24] to show that each process meaning in the model is the infimum of meanings that lie in the subspace $E$ (which is a cpo) is not needed. It is enough to know that each mapping for which a least fixed point is required has a dominating mapping on $E$ in the sense of the Dominated Fixed Point Theorem.
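As an added example (not from [19]), Definition 6 and Theorem 6 carried out in Python on the local cpo $(\mathbb{N}, \leq)$ from the text, which is not a cpo. The maps $f$, $F$, $\iota$ and the function names are this example's own constructions: $F$ has a fixed point in $E = \mathbb{N}$, $\iota$ is the identity, and $f \circ \iota \leq \iota \circ F$ pointwise, so the least fixed point of $f$ is found by Tarski iteration inside the finite cpo ${\downarrow}\iota(x)$. The second routine shows the failure mode the theorem guards against: on $\mathbb{N}$ plain iteration of a monotone map need not converge, because the chain it produces may have no supremum.

```python
def dominated_lfp(f, iota, F, x, leq=lambda a, b: a <= b, bottom=0):
    """Theorem 6 on the local cpo (N, <=): given a fixed point x of F, iota(x) is a
    pre-fixed point of f, so f maps the cpo ↓iota(x) into itself and Tarski iteration
    from its least element yields the least fixed point of f.
    Returns None if the hypotheses fail at x (x not fixed by F, or domination violated)."""
    if F(x) != x:
        return None
    top = iota(x)
    if not leq(f(top), top):            # f ∘ iota ⊑ iota ∘ F must hold at x
        return None
    y = bottom                          # least element of ↓top
    while True:                         # ↓top is finite, so this terminates
        assert leq(y, top)              # every iterate stays inside the cpo ↓top
        nxt = f(y)
        if nxt == y:
            return y
        y = nxt

def lfp_by_bounded_search(f, bound):
    """Plain Tarski iteration from 0 on (N, <=) with a safety bound.  N is not
    directed complete, so the iteration need not converge: f(n) = n + 1 climbs forever."""
    y = 0
    for _ in range(bound):
        nxt = f(y)
        if nxt == y:
            return y
        y = nxt
    return None

# Constructed example maps.  Both are monotone on (N, <=), and F dominates f pointwise.
def f(n):
    return n // 2 + 3

def F(n):
    return n // 2 + 5

def iota(e):
    return e

# F(10) = 10, so iota(10) = 10 is a pre-fixed point of f: f(10) = 8 <= 10.
# Iterating f from 0 gives 3, 4, 5, 5, so the least fixed point of f is 5.
if __name__ == "__main__":
    print(dominated_lfp(f, iota, F, 10))                   # 5
    print(lfp_by_bounded_search(lambda n: n + 1, 1000))   # None
```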
As outlined above, for coherent domains, the three power domains are each describable in topological terms. But more generally, they can be defined for any algebraic dcpo in terms of the family of non-empty finite subsets of the set of compact elements of the underlying dcpo. For example, the lower power domain is the ideal completion of the family of non-empty finite subsets of $K(P)$ under the quasiorder $F \sqsubseteq G \Leftrightarrow F \subseteq {\downarrow}G$. Similarly, the upper power domain is the ideal completion of the same family, but endowed with the quasiorder $F \sqsubseteq G \Leftrightarrow G \subseteq {\uparrow}F$. In both of these cases, union defines a monotone operation which extends to the ideal completions to define the meaning of nondeterministic choice. Finally, the convex power domain is the ideal completion of the same family, this time ordered by the common refinement of these two quasiorders.

In [16], an attempt was made to develop a general theory for modeling unbounded nondeterminism in a domain-theoretic setting based on the results just described. In fact, the goal of that work was to devise analogues for each of the power domains for unbounded nondeterminism. The point of departure was the assumption that the underlying model for sequential composition - $P$ - embeds in the model for unbounded nondeterminism so that elements of $P$ are "free" with respect to unbounded nondeterminism. More precisely, the underlying assumption is that $a \neq \bigsqcap X$ if $a \notin {\downarrow}X$ for any subset $X \subseteq P$. This assumption is what is required if one wants to distinguish processes such as $\bigsqcap_{n \in \mathbb{N}} (a^n \to \mathrm{STOP})$ from $(\bigsqcap_{n \in \mathbb{N}} (a^n \to \mathrm{STOP})) \sqcap a^{\omega}$. We now describe the results obtained.

First, it was found that there is no analogue to the lower power domain. The reason is that the order of nondeterminism ($x \sqsubseteq y \Leftrightarrow x \sqcap y = x$) corresponds to the order used to model recursion as least fixed points in any analogue to the lower power domain, so any element that dominates all of the terms $a^n \to \mathrm{STOP}$ also must dominate $a^{\omega}$. On the other hand, it was shown that there is an analogue to the upper power domain. This is possible because, in the setting of the upper power domain, the order of nondeterminism is opposite to the order of recursion. The model in question is defined simply as the family of all non-empty upper sets $\{X \mid \emptyset \neq X = {\uparrow}X \subseteq P\}$ of the underlying domain $P$ with union as the operation. It was shown in [16] that one could construct a Cartesian closed category of local cpos and monotone mappings having least fixed points (via the Dominated Fixed Point Theorem) which is closed under this construction of an unbounded upper power space. By the way, this is the abstract analogue of the model devised to model unbounded nondeterminism for untimed and Timed CSP. Finally, an open question is whether there is an analogue for the convex power domain in this setting. In [16] an example is provided which shows that the analogue for the upper power space just described will not work: it is shown there that the family of all non-empty order-convex subsets of the underlying domain $P$ is not a local cpo in general. (Unfortunately, more is claimed there - that there is no such model - but that claim remains unsettled.) It would be nice to know if this family can be completed into a local cpo which then could serve as the desired model for unbounded nondeterminism.
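As an added example (not from [12], [16] or [22]), the three power-domain quasiorders of this section computed in Python on the finite subsets of a small constructed poset: the lower order $F \sqsubseteq G \Leftrightarrow F \subseteq {\downarrow}G$, the upper order $F \sqsubseteq G \Leftrightarrow G \subseteq {\uparrow}F$, their common refinement (the Egli-Milner order of the convex power domain described at the start of the section), and the matching choice operations (union, or the convex hull of the union). The poset $\{\bot < a < c,\ \bot < b\}$ and the function names are this example's own. On a finite poset a subset is Scott closed exactly when it is a lower set, so the ${\downarrow}F$ computed here are the Scott-closed sets of the lower power domain.

```python
# Constructed finite poset: elements and the covering (Hasse) relation.
ELEMENTS = frozenset({'bot', 'a', 'b', 'c'})
COVERS = {('bot', 'a'), ('bot', 'b'), ('a', 'c')}

def leq(x, y):
    """Reflexive-transitive closure of COVERS, by search (the poset is tiny and acyclic)."""
    if x == y:
        return True
    return any(leq(z, y) for (w, z) in COVERS if w == x)

def down(X):
    """↓X = {y | (∃x ∈ X) y ⊑ x}; on a finite poset this is the Scott closure of X."""
    return frozenset(y for y in ELEMENTS if any(leq(y, x) for x in X))

def up(X):
    """↑X = {y | (∃x ∈ X) x ⊑ y}"""
    return frozenset(y for y in ELEMENTS if any(leq(x, y) for x in X))

def convex_hull(X):
    return down(X) & up(X)

def lower_order(F, G):     # lower power domain quasiorder
    return F <= down(G)

def upper_order(F, G):     # upper power domain quasiorder
    return G <= up(F)

def egli_milner(F, G):     # convex power domain: common refinement of the two
    return lower_order(F, G) and upper_order(F, G)

def equivalent(order, F, G):
    """Two finite sets identified by a quasiorder, i.e. the same element of the
    power domain obtained as its ideal completion."""
    return order(F, G) and order(G, F)

def convex_choice(X, Y):
    """Nondeterministic choice in the convex power domain: convex hull of the union.
    In the lower and upper power domains the choice is plain union of the sets."""
    return convex_hull(X | Y)

def S(*xs):
    """Constructed sample sets."""
    return frozenset(xs)

if __name__ == "__main__":
    # The lower order forgets bot below a; the upper order forgets a above bot;
    # only the Egli-Milner order keeps {bot, a} and {a} apart in both directions.
    print(equivalent(lower_order, S('bot', 'a'), S('a')))     # True
    print(equivalent(upper_order, S('bot', 'a'), S('bot')))   # True
    print(egli_milner(S('bot', 'a'), S('a')),
          egli_milner(S('a'), S('bot', 'a')))                 # True False
    print(sorted(convex_choice(S('bot'), S('c'))))             # ['a', 'bot', 'c']
```

The last line shows the convex hull filling in $a$ between $\bot$ and $c$, which is what distinguishes the convex power domain's choice operation from the plain union used in the other two.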
Readers familiar with Plotkin's work on countable nondeterminism [20] may wonder about the relationship between that work and what has been described here from [16]. Plotkin's approach was to weaken the continuity properties of the maps under consideration: instead of being continuous, they are only $\aleph_1$-continuous (so that they preserve sups of directed sets of cardinality less than $\aleph_1$). Plotkin shows there is a free object supporting countable sums within the category of $\aleph_1$-complete objects and $\aleph_1$-continuous maps. This is not at odds with our results, since we studied objects which are not assumed to be directed complete for any cardinality of directed subsets, and the maps we consider are only monotone, and do not satisfy any stronger continuity properties. Our approach is justified by the work in [24, 25] which shows that these hypotheses are as strong as can be invoked, at least in the CSP setting.

4 Computational Models
So far the generalizations we have described have been inspired by work in process algebra. In this section, we focus on another area of application of domain theory: models of computation. In the early and mid-1990s, Abbas Edalat began producing a number of striking applications of domain theory to areas of mathematics and computation. These began with an application showing how domain theory could provide a simpler approach to modeling fractals and iterated function systems [5], even providing new algorithms for computing these objects. There followed applications to neural networks [6], and then to integration [7]. This last was notable because it showed how domain theory could be used to devise a new approach to Riemann integration in which the focus shifted from varying the function being integrated to varying measures which approximate Riemann measure, thus allowing domain theory to define the integral. Most recently, Edalat has continued his work by developing real PCF, which contains a real numbers datatype, along with efficient algorithms for exact computations in this datatype using continued fractions [10]. In all of this work, an emerging theme has been modeling topological spaces in domain theory, thus allowing the approximation theory of domains to be applied to problems in this setting. A focal point then becomes the question of which topological spaces admit computational (i.e., domain-theoretic) models. The precise statement is: Which topological spaces can be embedded as the set of maximal elements in a domain?
An initial answer was provided by Lawson [13] who showed that any Polish space (complete, separable metric space) can be so represented. Shortly thereafter, Edalat and Heckmann [9] produced the formal ball model which shows that any metric space can be embedded as the space of maximal elements in a continuous poset. The model is the family of all pairs $\{(x, r) \mid x \in X \ \&\ r \ge 0\}$ under the order $(x, r) \sqsubseteq (y, s) \Leftrightarrow d(x, y) \le r - s$. Moreover, they show that the model is a continuous poset whose completion (as described in Section 2) has the completion of the metric space as its space of maximal elements. Both of these results focus on domains which satisfy the property that the Scott topology is weak at the top [8], and indeed under this assumption, the maximal elements of the underlying domain form a separable metric space. We now outline some results that are due to Keye Martin, a PhD student at Tulane, which provide an alternative approach to these and related results. They all will be contained in [14]. To begin, Martin introduces the notion of a measurement on a domain.
Definition 7. Let $P$ be a continuous poset. A measurement on $P$ is a Scott-continuous mapping $\mu\colon P \to ([0, \infty), \ge)$ satisfying
1. $\mu^{-1}(0) = MAX(P)$, and
2. $\mu$ induces the Scott topology near the top of $P$: $(\forall x \in MAX(P))(\forall U \subseteq P \text{ open})\ x \in U \Rightarrow (\exists \varepsilon > 0)\ {\downarrow}x \cap \mu^{-1}([0, \varepsilon)) \subseteq U$.
Numerous examples are available here, including:
1. The space $\mathbf{I}\mathbb{R}$ of compact intervals of real numbers, ordered by reverse inclusion, and with length as the measurement.
2. The family $LIST(A)$ of lists over a set $A$, again with length of the list as the measurement.
In both of these cases, and in most others, the measurement actually induces the Scott topology on the whole domain, not just near the top.

Theorem 7 (Martin [14]). Let $(P, \mu)$ be a continuous poset with a measurement, and suppose that $\mu$ satisfies:
$$(\forall x, y \in P)\ x \uparrow y \Rightarrow (\exists z \in P)\ z \sqsubseteq x, y \ \&\ \mu(z) \le 2 \cdot \max\{\mu(x), \mu(y)\}.$$
Then $MAX(P)$ is metrizable.
Notice that the result makes no mention of the weak topology: it holds for any continuous poset with measurement. The converse of this result follows from Edalat's and Heckmann's result about the formal ball model [9], since that model has a measurement, the function $(x, r) \mapsto r$.

4.1 Modeling Algorithms
The inspiration for Martin's results was the intuition that two of the most common algorithms had something domain-theoretic in common. Those algorithms are:
1. The bisection algorithm which seeks a root for a continuous selfmap $f\colon \mathbb{R} \to \mathbb{R}$ on an interval $[a, b] \subseteq \mathbb{R}$. It proceeds by testing whether the function changes sign, first on the left half of the interval and then on the right, and recursively subdivides the interval. The algorithm can be viewed as a partial mapping $split_f\colon \mathbf{I}\mathbb{R} \rightharpoonup \mathbf{I}\mathbb{R}$. Note that $split_f$ is not monotone, let alone continuous.
2. Any of the searching algorithms on $LIST(A)$, the domain of lists over a set $A$. Here again, these algorithms give rise to partial selfmaps of $LIST(A)$ that are not generally monotone.
These examples inspired the following:

Definition 8. Let $P$ be a continuous poset. A partial mapping $f\colon P \rightharpoonup P$ is a splitting if $x \sqsubseteq f(x)$ $(\forall x \in dom(f))$.

Theorem 8 (Martin [14]). Let $f\colon P \rightharpoonup P$ be a partial selfmap on a continuous dcpo $P$ with measurement $\mu$. If $\mu \circ f\colon P \to [0, \infty)$ is continuous, and if $f$ is a splitting, then $\bigsqcup_{n \in \mathbb{N}} f^n(x)$ is a fixed point for $f$ $(\forall x \in dom(f))$.

A corollary of this result is that any continuous selfmap $f\colon \mathbb{R} \to \mathbb{R}$ has a root on any interval $[a, b]$ for which $split_f([a, b]) \subseteq [a, b]$. Similarly, many of the familiar searching algorithms can be built up from splittings on the domain of lists, to which the same result can be applied to do correctness proofs. Thus, the theory of continuous posets with measurements and splittings provides a common environment to model both the "discrete" algorithms from searching and the continuous algorithms such as the bisection algorithm.

4.2 Derivatives and Rates of Convergence
Since the setting of continuous posets with measurements includes the interval domain $\mathbf{I}\mathbb{R}$, we can use this setting to generalize some results from numerical analysis.

Definition 9. Let $f\colon P \rightharpoonup P$ be a partial mapping on a continuous poset $P$ with measurement $\mu$. If $p \in MAX(P) \setminus K(P)$, then we define the derivative of $f$ at $p$ by
$$\frac{df}{d\mu}(p) = \lim_{x \to p} \frac{\mu(f(x)) - \mu(f(p))}{\mu(x) - \mu(p)}.$$
For example, for a continuous selfmap $f\colon \mathbb{R} \to \mathbb{R}$, if $f$ changes sign on the interval $[a, b]$, then the above definition says that $split_f$ has derivative $\tfrac{1}{2}$ at $[a, b]$, in keeping with the fact that the mapping splits the interval in half on each iteration. The following shows this definition is sensible.

Theorem 9 (Martin [14]). If $f\colon \mathbb{R} \to \mathbb{R}$ is differentiable at $p$, then
$$\frac{dF}{d\mu}(\{p\}) = |f'(p)|,$$
where $F\colon \mathbf{I}\mathbb{R} \to \mathbf{I}\mathbb{R}$ is $F([a, b]) = f([a, b])$ and $\mu([a, b]) = b - a$. Conversely, if $f$ is locally monotone and $F$ has a derivative at $\{p\}$, then so does $f$ and the above equation holds.
This result shows that the following theorem generalizes results from numerical analysis.
Proposition 3 (Martin [14]). Let $f\colon P \rightharpoonup P$ be a partial mapping on a continuous poset $P$ with measurement $\mu$. Suppose that $\lim_{n \to \infty} f^n(x) = r \in MAX(P)$ is a fixed point for $f$. Then
$$\lim_{n \to \infty} \frac{\mu(f^{n+1}(x))}{\mu(f^n(x))} = \frac{df}{d\mu}(r).$$

We also can use $\frac{df}{d\mu}(r)$ to give an estimate of how fast $f^n(x)$ converges to a fixed point $r \in MAX(P)$. If $\lim_n \mu(f^n(x)) = 0$, then for any given $\varepsilon > 0$ there is some $n \in \mathbb{N}$ for which $\mu(f^m(x)) < \varepsilon$ for $m \ge n$. Now $\frac{df}{d\mu}(r)$ can be used to give an estimate for the number of iterations of $f$ for which this inequality actually holds, i.e., it provides an estimate for the number of iterations required to obtain the answer to within "$\varepsilon$ accuracy."
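As an added worked example for Sections 4.1 and 4.2 (not code from the paper or from Martin's thesis), the following Python models the interval domain with length as its measurement, implements the bisection step as the partial map $split_f$, checks the splitting property of Definition 8, runs the chain of Theorem 8 to a root, and computes the difference quotients of Definition 9 and Theorem 9 together with the iteration estimate of Section 4.2. The function names and the tuple encoding of intervals are this example's choices.

```python
"""Bisection as a splitting on the interval domain IR, with Martin's measurement.

Added worked example for Sections 4.1 and 4.2; not code from the paper or from
Martin's thesis [14]. An interval [a, b] is a tuple (a, b); IR is ordered by
reverse inclusion and the measurement mu is interval length, as in the text.
"""
import math
from typing import Callable, List, Optional, Tuple

Interval = Tuple[float, float]
RealFn = Callable[[float], float]


def mu(x: Interval) -> float:
    """The measurement on IR: length of the interval (0 exactly on MAX(IR))."""
    return x[1] - x[0]


def below(x: Interval, y: Interval) -> bool:
    """x ⊑ y in IR iff y ⊆ x: the smaller interval is the better approximation."""
    return x[0] <= y[0] and y[1] <= x[1]


def changes_sign(f: RealFn, x: Interval) -> bool:
    return f(x[0]) * f(x[1]) <= 0


def split(f: RealFn, x: Interval) -> Optional[Interval]:
    """The bisection step split_f: IR ⇀ IR.

    It is defined only on intervals on which f changes sign (None means x is
    outside dom(split_f)) and returns the half on which the sign change
    persists. It is not monotone: refining x can switch the chosen half.
    """
    if not changes_sign(f, x):
        return None
    a, b = x
    m = (a + b) / 2
    return (a, m) if changes_sign(f, (a, m)) else (m, b)


def is_splitting_at(f: RealFn, x: Interval) -> bool:
    """Definition 8 checked at a concrete x: x ⊑ split_f(x)."""
    y = split(f, x)
    return y is not None and below(x, y)


def chain(f: RealFn, x: Interval, n: int) -> List[Interval]:
    """The increasing chain x ⊑ f(x) ⊑ ... ⊑ f^n(x) whose sup Theorem 8 describes."""
    out = [x]
    for _ in range(n):
        y = split(f, out[-1])
        if y is None:
            break
        out.append(y)
    return out


def root(f: RealFn, x: Interval, eps: float) -> Tuple[Interval, int]:
    """Iterate split_f until mu(f^n(x)) < eps; return that iterate and n.

    The supremum of the chain is a maximal element {r} (where mu is 0) that is
    a fixed point of split_f, so r is a root of f: the corollary of Theorem 8.
    """
    y, n = x, 0
    while mu(y) >= eps:
        y = split(f, y)  # stays defined, since the sign change persists
        n += 1
    return y, n


def splitting_derivative(f: RealFn, x: Interval) -> float:
    """Difference quotient of Definition 9 for split_f at an interval x that
    contains a root: mu(split_f(x)) / mu(x), which is 1/2 by construction."""
    return mu(split(f, x)) / mu(x)


def predicted_iterations(x: Interval, eps: float, d: float) -> int:
    """Section 4.2 estimate: with derivative d < 1 at the fixed point,
    mu(f^n(x)) ≈ d^n mu(x), so the first n with d^n mu(x) < eps is
    floor(log(eps / mu(x)) / log(d)) + 1."""
    return max(0, math.floor(math.log(eps / mu(x)) / math.log(d)) + 1)


def image_derivative(f: RealFn, p: float, h: float) -> float:
    """Theorem 9 for a locally monotone f: F([a, b]) = f([a, b]) has endpoints
    f(a), f(b) in some order, and mu(F(x)) / mu(x) on x = [p - h, p + h]
    approaches |f'(p)| as h shrinks."""
    lo, hi = sorted((f(p - h), f(p + h)))
    return (hi - lo) / (2 * h)
```

For $f(t) = t^2 - 2$ on $[0, 2]$ the chain reaches an interval of length below $10^{-3}$ around $\sqrt{2}$ after exactly the number of steps the derivative $\tfrac{1}{2}$ predicts.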
5 Summary

We have given three generalizations of domain theory along with outlines of the problems that inspired those generalizations. The applications range from process algebra to models of computation, and include novel ideas that generalize some of the basic tenets of the original theory. Namely, they include:
- Relaxing the assumption that the objects under study are directed complete, while retaining the structure of continuity. The result is a theory that helps explain how the models for CSP relate to standard domain-theoretic constructions, and also makes clear that the hiding operator from CSP is the one operation that requires using a subfamily of the poset of non-empty Scott closed sets.
- Relaxing the condition of directed completeness and continuity to consider local cpos and monotone maps. The theory developed provides a general setting for modeling unbounded nondeterminism, and includes using cpos "at the top" of such objects to generate (least) fixed point theorems to assure that process meanings are well-defined.
- Considering continuous posets and mappings which are not monotone in order to model examples from computation, but which include the notion of a measurement. The theory provides a rich setting for devising computational models that encompass both the continuous approach and the discrete approach represented by list searching algorithms. In this setting, it also is possible to generalize standard results from numerical analysis.
We believe these applications only serve to scratch the surface in terms of the potential applications for domain theory, and indeed many existing results are not mentioned here. This rather cursory survey is meant only to pique the reader's interest, and to provide some examples which we believe make a convincing case that domain theory is a rich theory whose potential applications range far from the setting that inspired it.
References
1. Abramsky, S. A domain equation for bisimulation. Information and Computation 92 (1991), 161-218.
2. Abramsky, S., Jung, A. Domain Theory. In: Handbook of Computer Science and Logic, Volume 3 (1994), Clarendon Press.
3. Brookes, S. D., Hoare, C. A. R., Roscoe, A. W. A theory of communicating sequential processes. Journal ACM 31 (1984), 560-599.
4. Brookes, S. D., Roscoe, A. W. An improved failures model for communicating processes. Lecture Notes in Computer Science 197 (1985), 281-305.
5. Edalat, A. Dynamical systems, measures and fractals via domain theory. Information and Computation 120 (1995), 32-48.
6. Edalat, A. Domain theory in learning processes. Electronic Notes in Theoretical Computer Science 1 (1995), URL: http://www.elsevier.com/locate/entcs/volume1.html.
7. Edalat, A. Domain theory and integration. Theoretical Computer Science 151 (1995), 163-193.
8. Edalat, A. When Scott is weak at the top. Mathematical Structures in Computer Science, to appear.
9. Edalat, A., Heckmann, R. A computational model for metric spaces. Theoretical Computer Science, to appear.
10. Edalat, A., Potts, P. A new representation for exact real numbers. Electronic Notes in Theoretical Computer Science 6 (1997), URL: http://www.elsevier.com/locate/entcs/volume6.html.
11. Gierz, G., Hofmann, K. H., Keimel, K., Lawson, J., Mislove, M., Scott, D. "A Compendium of Continuous Lattices." Springer-Verlag, Berlin, Heidelberg, New York (1980), 326pp.
12. Hennessy, M., Plotkin, G. Full abstraction for a simple parallel programming language. Lecture Notes in Computer Science 74 (1979), Springer-Verlag.
13. Lawson, J. Spaces of maximal points. Mathematical Structures in Computer Science, to appear.
14. Martin, K. Ph.D. thesis, Tulane University, in preparation.
15. Mislove, M. Algebraic posets, algebraic cpo's and models of concurrency. In: Topology and Category Theory in Computer Science. G. M. Reed, A. W. Roscoe and R. Wachter, editors, Clarendon Press (1991), 75-111.
16. Mislove, M. Denotational models for unbounded nondeterminism. Electronic Notes in Theoretical Computer Science 1 (1995), URL: http://www.elsevier.com/locate/entcs/volume1.html.
17. Mislove, M. Using duality to solve domain equations. Electronic Notes in Theoretical Computer Science 6 (1997), URL: http://www.elsevier.nl/locate/entcs/volume6.html.
18. Mislove, M. Topology, domain theory and theoretical computer science. Topology and Its Applications, to appear.
19. Mislove, M., Roscoe, A. W., Schneider, S. A. Fixed points without completeness. Theoretical Computer Science 138 (1995), 273-314.
20. Plotkin, G. D. A powerdomain for countable nondeterminism. Lecture Notes in Computer Science 140 (1982).
21. Smyth, M. Effectively given domains. Theoretical Computer Science 5 (1977), 257-274.
22. Smyth, M. Power domains and predicate transformers: a topological view. Lecture Notes in Computer Science 154 (1983), Springer-Verlag, 662-675.
23. Reed, G. M., Roscoe, A. W. Metric spaces as models for real-time concurrency. Lecture Notes in Mathematics 298 (1988), 331-343.
24. Roscoe, A. W., Barrett, G. Unbounded nondeterminism in CSP. Lecture Notes in Computer Science 442 (1990).
25. Schneider, S. A. An operational semantics for timed CSP. Information and Computation 116 (1995).
26. Stoltenberg-Hansen, A., Lindström, I., Griffor, E. B. "Mathematical Theory of Domains." Cambridge Tracts in Theoretical Computer Science 22 (1994), Cambridge University Press, 349pp.
A Cook's Tour of Equational Axiomatizations for Prefix Iteration

Luca Aceto 1*, Wan Fokkink 2**, and Anna Ingólfsdóttir 3***

1 BRICS (Basic Research in Computer Science), Department of Computer Science, Aalborg University, Fredrik Bajers Vej 7-E, DK-9220 Aalborg Ø, Denmark.
2 Department of Computer Science, University of Wales Swansea, Singleton Park, Swansea SA2 8PP, Wales.
3 Dipartimento di Sistemi ed Informatica, Università di Firenze, Via Lombroso 6/17, 50134 Firenze, Italy.

Abstract. Prefix iteration is a variation on the original binary version of the Kleene star operation P*Q, obtained by restricting the first argument to be an atomic action, and yields simple iterative behaviours that can be equationally characterized by means of finite collections of axioms. In this paper, we present axiomatic characterizations for a significant fragment of the notions of equivalence and preorder in van Glabbeek's linear-time/branching-time spectrum over Milner's basic CCS extended with prefix iteration. More precisely, we consider ready simulation, simulation, readiness, trace and language semantics, and provide complete (in)equational axiomatizations for each of these notions over BCCS with prefix iteration. All of the axiom systems we present are finite, if so is the set of atomic actions under consideration.

1 Introduction
Equationally based proof systems play an important role in both the practice and the theory of process algebras. From the point of view of practice, these proof systems can be used to perform system verifications in a purely syntactic way, and form the basis of axiomatic verification tools like, e.g., PAM [10]. From the theoretical point of view, complete axiomatizations of behavioural equivalences capture the essence of different notions of semantics for processes in terms of a basic collection of identities, and this often allows one to compare semantics which may have been defined in very different styles and frameworks. Some researchers also measure the naturalness of a process semantics by using the existence of a finite complete axiomatization for it over, say, finite behaviours as an acid test.

* Partially supported by the Human Capital and Mobility project EXPRESS. Email: [email protected]. Fax: +45 9815 9889.
** Email: [email protected]. Fax: +44 1792 295708.
*** Supported by a grant from the Danish National Research Foundation. Email: [email protected]. Fax: +39 55 4796730.
An excellent example of the unifying role played by equational axiomatizations of process semantics may be found in [7]. Ibidem van Glabbeek presents the so-called linear time/branching time spectrum, i.e., the lattice of all the known behavioural equivalences over labelled transition systems ordered by inclusion. The different identifications made by these semantic equivalences over finite synchronization trees are beautifully characterized by the author of op. cit. in terms of a few simple axioms. This permits an illuminating comparison of these semantics within a uniform axiomatic framework. However, despite the complete inference systems for bisimulation-based equivalences over regular processes presented in, e.g., [11, 8] and years of intense research, little is still known on the topic of effective complete axiomatizations of the notions of semantics studied in [7] over iterative processes. In this study, we shall present a contribution to this line of research by investigating a significant fragment of the notions of equivalence and preorder from [7] over Milner's basic CCS (henceforth referred to as BCCS) [12] extended with prefix iteration. Prefix iteration [6] is a variation on the original binary version of the Kleene star operation P*Q [9], obtained by restricting the first argument to be an atomic action, and yields simple iterative behaviours that can be equationally characterized by means of finite collections of axioms. Furthermore, prefix iteration combines better with the action prefixing operator of CCS than the more general binary Kleene star. A significant advantage of iteration over recursion, as a means to express infinite processes, is that it does not involve a parametric process definition, because the development of process theory is easier if parameterization does not have to be taken as primitive (see, e.g., Milner [13], page 212).

Our study of equational axiomatizations for BCCS with prefix iteration has so far yielded complete equational axiomatizations for all the main notions of bisimulation equivalence [6, 1]. In this paper, we continue this research programme by studying axiomatic characterizations for more abstract semantics over this language than those based on variations of bisimulation. More precisely, we consider ready simulation, simulation, readiness, trace and language semantics, and provide complete (in)equational axiomatizations for each of these notions over BCCS with prefix iteration. All of the axiom systems we present are finite, if so is the set of atomic actions under consideration. Although the high level structure of the proofs of our main results follows standard lines in the literature on process theory, the actual details of the arguments are, however, rather subtle (cf., e.g., the proof of Thm. 4.6). To our mind, this shows how the analysis of the collection of valid identities for the semantics considered in this paper already becomes difficult even in the presence of very simple iterative behaviours, like those that can be expressed using prefix iteration. The paper is organized as follows. After a brief review of the basic notions from process theory needed in the remainder of the paper (Sect. 2), we present the language BCCS with prefix iteration and its labelled transition system semantics (Sect. 3). Sect. 4 is devoted to a guided tour of our completeness results. The paper concludes with a mention of further results that will be presented in a full account of this work, and a discussion of ongoing research (Sect. 5).
2 Preliminaries
In this section we present the basic notions from process theory that will be needed in the remainder of this study.

2.1 Labelled Transition Systems

A labelled transition system is a triple
$$(Proc, Lab, \{\xrightarrow{\xi} \mid \xi \in Lab\}),$$
where:
- $Proc$ is a set of states, ranged over by $s$, possibly subscripted or superscripted;
- $Lab$ is a set of labels, ranged over by $\xi$, possibly subscripted;
- $\xrightarrow{\xi} \subseteq Proc \times Proc$ is a transition relation, for every $\xi \in Lab$. As usual, we shall use the more suggestive notation $s \xrightarrow{\xi} s'$ in lieu of $(s, s') \in \xrightarrow{\xi}$, and write $s \not\xrightarrow{\xi}$ iff $s \xrightarrow{\xi} s'$ for no state $s'$.

All the labelled transition systems we shall consider in this paper will have a special label $\surd$ in their label set, used to represent successful termination, and will enjoy the following property: if $s \xrightarrow{\surd} s'$, then $s' \not\xrightarrow{\xi}$ for every label $\xi$. For $n \ge 0$ and $\sigma = \xi_1 \cdots \xi_n \in Lab^*$, we write $s \xrightarrow{\sigma} s'$ iff there exist states $s_0, \ldots, s_n$ such that $s = s_0 \xrightarrow{\xi_1} s_1 \xrightarrow{\xi_2} \cdots s_{n-1} \xrightarrow{\xi_n} s_n = s'$. In that case, we say that $\sigma$ is a trace (of length $n$) of the state $s$. For a state $s \in Proc$ we define:
$$initials(s) \triangleq \{\xi \in Lab \mid \exists s'\colon s \xrightarrow{\xi} s'\}.$$

2.2 From Ready Simulation to Language Equivalence
Labelled transition systems describe the operational behaviour of processes in great detail. In order to abstract from irrelevant information on the way processes compute, a wealth of notions of behavioural equivalence or approximation have been studied in the literature on process theory. A systematic investigation of these notions is presented in [7], where van Glabbeek studies the so-called linear time/branching time spectrum, i.e., the lattice of all the known behavioural equivalences over labelled transition systems ordered by inclusion. In this study, we shall investigate a significant fragment of the notions of equivalence and preorder from [7]. These we now proceed to present for the sake of completeness.
Definition 2.1 (Simulation, Ready Simulation and Bisimulation).
- A binary relation $\mathcal{R}$ on states is a simulation iff whenever $s_1 \mathcal{R} s_2$ and $\xi$ is a label:
  - if $s_1 \xrightarrow{\xi} s_1'$, then there is a transition $s_2 \xrightarrow{\xi} s_2'$ such that $s_1' \mathcal{R} s_2'$.
- A binary relation $\mathcal{R}$ on states is a ready simulation iff it is a simulation with the property that, whenever $s_1 \mathcal{R} s_2$ and $\xi$ is a label:
  - if $s_1 \not\xrightarrow{\xi}$, then $s_2 \not\xrightarrow{\xi}$.
- A bisimulation is a symmetric simulation.

Two states $s$ and $s'$ are bisimilar, written $s \underline{\leftrightarrow} s'$, iff there is a bisimulation that relates them. Henceforth the relation $\underline{\leftrightarrow}$ will be referred to as bisimulation equivalence. We write $s \lesssim_S s'$ (resp. $s \lesssim_{RS} s'$) iff there is a simulation (resp. a ready simulation) $\mathcal{R}$ with $s \mathcal{R} s'$. Bisimulation equivalence [14] relates two states in a labelled transition system precisely when they have the same branching structure. Simulation (see, e.g., [14]) and ready simulation [3] relax this requirement to different degrees. The following notion, which is based on a version of decorated traces, is induced by yet another way of abstracting from the full branching structure of processes.

Definition 2.2 (Readiness Semantics). For a state $s$ we define:
$$readies(s) \triangleq \{(\sigma, X) \mid \sigma \in Lab^*,\ X \subseteq Lab \text{ and } \exists s'\colon s \xrightarrow{\sigma} s' \text{ and } initials(s') = X\}.$$
For states $s, s'$ we write $s \lesssim_R s'$ if $readies(s)$ is included in $readies(s')$. The classical notion of language equivalence for finite state automata may be readily defined over labelled transition systems. To this end, it is sufficient to consider the states from which a $\surd$-labelled transition is possible as accept states.

Definition 2.3 (Language and Trace Semantics).
- We say that a sequence of labels $\sigma$ is accepted by a state $s$ iff $s \xrightarrow{\sigma\surd} s'$ for some state $s'$. For states $s, s'$ we write $s \lesssim_L s'$ iff every sequence accepted by $s$ is also accepted by $s'$.
- For states $s, s'$ we write $s \lesssim_T s'$ iff the set of traces of $s$ is included in that of $s'$.
For $O \in \{S, RS, L, R, T\}$, the relation $\lesssim_O$ is a preorder over states of an arbitrary labelled transition system; its kernel will be denoted by $\simeq_O$.
3 BCCS with Prefix Iteration

We begin by presenting the language of Basic CCS (henceforth often abbreviated to BCCS) with prefix iteration [6], together with its operational semantics.
3.1 The Syntax

We assume a non-empty alphabet $Act$ of atomic actions, with typical elements $a, b, c$. The language $BCCS^{p*}$ of Basic CCS with prefix iteration is given by the following BNF grammar:
$$P ::= 0 \mid 1 \mid a.P \mid P + P \mid a^*P.$$
We shall use $P, Q, R, S, T$ to range over $BCCS^{p*}$. In writing terms over the above syntax, we shall always assume that the operator $a.\_$ binds more tightly than $+$. We shall use the symbol $\equiv$ to stand for syntactic equality of terms. The expression $P+Q$ will be used to denote the fact that $Q$ is an optional summand. The size of a term is the number of operators occurring in it.
Remark 3.1. The reader might have noticed that the syntax for the language $BCCS^{p*}$ presented above includes two distinguished constants, viz. $0$ and $1$. Intuitively, the term $0$ will stand for a deadlocked process, whereas $1$ will stand for a process that can only terminate immediately with success. Our choice of notation is in keeping with a standard one for regular expressions, cf., e.g., [5].

3.2 Operational Semantics

Let $\surd$ be a distinguished symbol not contained in $Act$. We shall use $\surd$ to stand for the action performed by a process as it reports its successful termination. The meta-variable $\xi$ will range over the set $Act \cup \{\surd\}$. The operational semantics for the language $BCCS^{p*}$ is given by the labelled transition system
$$(BCCS^{p*}, Act \cup \{\surd\}, \{\xrightarrow{\xi} \mid \xi \in Act \cup \{\surd\}\}),$$
where the transition relations $\xrightarrow{\xi}$ are the least binary relations over $BCCS^{p*}$ satisfying the rules in Table 1. Intuitively, a transition $P \xrightarrow{a} Q$ means that the system represented by the term $P$ can perform the action $a$, thereby evolving into $Q$. On the other hand, $P \xrightarrow{\surd} Q$ means that $P$ can terminate immediately with success; the reader will immediately realize that, in that case, $Q \equiv 0$. With the above definitions, the language $BCCS^{p*}$ inherits all the notions of equivalence and preorder over processes defined in Sect. 2.2. The following result is standard.
Proposition 3.2. For $O \in \{RS, S, L, R, T\}$, the relations $\lesssim_O$ and $\simeq_O$ are preserved by the operators in the signature of $BCCS^{p*}$. The same holds for bisimulation equivalence.

4 Equational Axiomatizations
The study of equational axiomatizations of behavioural equivalences and preorders over $BCCS^{p*}$ was initiated in the paper [6]. In op. cit. it is shown that the axiom system in Table 2 completely axiomatizes bisimulation equivalence over the language of 1-free $BCCS^{p*}$ terms. Our aim in the remainder of this study will be to extend this result to the semantics in the linear-time/branching-time spectrum discussed in Sect. 2.2.

Table 1. Transition Rules
$$a.P \xrightarrow{a} P \qquad\qquad 1 \xrightarrow{\surd} 0 \qquad\qquad a^*P \xrightarrow{a} a^*P$$
$$\frac{P \xrightarrow{\xi} P'}{P + Q \xrightarrow{\xi} P'} \qquad\qquad \frac{Q \xrightarrow{\xi} Q'}{P + Q \xrightarrow{\xi} Q'} \qquad\qquad \frac{P \xrightarrow{\xi} P'}{a^*P \xrightarrow{\xi} P'}$$

Table 2. The axiom system $\mathcal{F}$
A1   x + y = y + x
A2   (x + y) + z = x + (y + z)
A3   x + x = x
A4   x + 0 = x
PA1  a.(a*x) + x = a*x
PA2  a*(a*x) = a*x
For an axiom system $T$, we write $T \vdash P \le Q$ iff the inequation $P \le Q$ is provable from the axioms in $T$ using the rules of inequational logic. An equation $P = Q$ will be used as a short-hand for the pair of inequations $P \le Q$ and $Q \le P$. Whenever we write an inequation of the form $P + 1 \le Q + 1$, we mean that if the $1$ summand appears on the left-hand side of the inequation, then it also appears on the right-hand side. $P =_{AC} Q$ denotes that $P$ and $Q$ are equal modulo associativity and commutativity of $+$, i.e., that $A1, A2 \vdash P = Q$. For a collection of (in)equations $X$ over the signature of $BCCS^{p*}$, we write $P \overset{(X)}{\le} Q$ as a short-hand for $A1, A2, X \vdash P \le Q$. For $I = \{i_1, \ldots, i_n\}$ a finite index set, we write $\sum_{i \in I} P_i$ for $P_{i_1} + \cdots + P_{i_n}$. By convention, $\sum_{i \in \emptyset} P_i$ stands for $0$. Henceforth process terms will be considered modulo associativity and commutativity of the $+$-operation, i.e., modulo axioms A1-2.
We begin the technical developments by noting that the proof of the completeness of the axiom system $\mathcal{F}$ with respect to bisimulation equivalence over the language of 1-free $BCCS^{p*}$ terms applies mutatis mutandis to the whole of the language $BCCS^{p*}$.

Proposition 4.1. For every $P, Q \in BCCS^{p*}$, $P \underline{\leftrightarrow} Q$ iff $\mathcal{F} \vdash P = Q$.

The collection of possible transitions of each process term $P$ is finite, say $\{P \xrightarrow{a_i} P_i \mid i = 1, \ldots, m\} \cup \{P \xrightarrow{\surd} 0 \mid j = 1, \ldots, n\}$. We call the term
$$exp(P) = \sum_{i=1}^{m} a_i.P_i + \sum_{j=1}^{n} 1$$
the expansion of $P$. The terms $a_i.P_i$ and $1$ will be referred to as the summands of $P$. A straightforward structural induction on terms, using axiom PA1, yields:

Lemma 4.2. Each process term is provably equal to its expansion.

We aim at identifying a subset of process terms of a special form, which will be convenient in the proof of the completeness results to follow. Following a long-established tradition in the literature on process theory, we shall refer to these terms as normal forms. The set of normal forms we are after is the smallest subset of $BCCS^{p*}$ including process terms having one of the following two forms:
$$\sum_{i \in I} a_i.P_i + 1 \qquad \text{or} \qquad a^*\Big(\sum_{i \in I} a_i.P_i + 1\Big),$$
where the terms $P_i$ are themselves normal forms, and $I$ is a finite index set. (Recall that the empty sum represents $0$, and the notation $+1$ stands for optional inclusion of $1$ as a summand.)

Lemma 4.3. Each term in $BCCS^{p*}$ can be proven equal to a normal form using equations A3, A4 and PA1.

4.1 Ready Simulation
We begin our tour of equational axiomatizations for prefix iteration by presenting a complete axiom system for the ready simulation preorder (cf. Defn. 2.1 for the definition of this relation). The axiom system $\mathcal{E}_{RS}$ consists of the laws for bisimulation equivalence (cf. Table 2) and of the inequations RS1-2 below:
RS1  a.x ≤ a.x + a.y
RS2  a*x ≤ a*(x + a.y)

Theorem 4.4. For every $P, Q \in BCCS^{p*}$, $P \lesssim_{RS} Q$ iff $\mathcal{E}_{RS} \vdash P \le Q$.
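As an added example (not code from the paper), the following Python encodes the grammar of Sect. 3.1, derives transitions by the rules of Table 1, and decides the simulation, ready simulation and bisimulation relations of Definition 2.1 as greatest fixed points over the finitely many reachable terms, alongside the readiness and language notions of Definitions 2.2 and 2.3; it is then used to check the soundness of RS1-2 and of the axioms of Table 2 on concrete terms. The tuple encoding of terms and the string used for the label $\surd$ are this example's choices.

```python
"""BCCS with prefix iteration: the rules of Table 1 and the preorders of Sect. 2.2.

Added worked example; not code from the paper. Terms are tuples: ('0',),
('1',), ('pre', a, P), ('sum', P, Q) and ('star', a, P) encode 0, 1, a.P,
P + Q and a*P. The termination label of the paper is the string TICK. Since
a*P only reaches a*P itself and the derivatives of P, every term has finitely
many reachable states, so the largest (ready) simulation and the largest
bisimulation are computed as greatest fixed points over finite relations.
"""
from itertools import product
from typing import FrozenSet, Set, Tuple

TICK = "√"
Term = tuple
Step = Tuple[str, Term]


def zero() -> Term: return ("0",)
def one() -> Term: return ("1",)
def pre(a: str, p: Term) -> Term: return ("pre", a, p)
def plus(p: Term, q: Term) -> Term: return ("sum", p, q)
def star(a: str, p: Term) -> Term: return ("star", a, p)


def steps(p: Term) -> Set[Step]:
    """All transitions P -ξ-> P' derivable by the rules of Table 1."""
    kind = p[0]
    if kind == "0":
        return set()                      # 0 is deadlocked
    if kind == "1":
        return {(TICK, zero())}           # 1 -√-> 0
    if kind == "pre":
        return {(p[1], p[2])}             # a.P -a-> P
    if kind == "sum":
        return steps(p[1]) | steps(p[2])  # P + Q inherits the moves of both
    return {(p[1], p)} | steps(p[2])      # a*P -a-> a*P, and a*P -ξ-> P' if P -ξ-> P'


def reachable(p: Term) -> Set[Term]:
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q)
            todo.extend(q2 for _, q2 in steps(q))
    return seen


def initials(p: Term) -> FrozenSet[str]:
    """initials(s) of Sect. 2.1: the labels of the outgoing transitions."""
    return frozenset(label for label, _ in steps(p))


def _largest(pairs: Set[Tuple[Term, Term]], symmetric: bool) -> Set[Tuple[Term, Term]]:
    """Greatest fixed point: drop pairs whose moves are not matched (Definition 2.1)."""
    def matched(s: Term, t: Term) -> bool:
        return all(any(m == label and (s2, t2) in pairs for m, t2 in steps(t))
                   for label, s2 in steps(s))
    changed = True
    while changed:
        changed = False
        for s, t in list(pairs):
            if not matched(s, t) or (symmetric and not matched(t, s)):
                pairs.discard((s, t))
                changed = True
    return pairs


def simulates(p: Term, q: Term, ready: bool = False) -> bool:
    """p ≲_S q, or p ≲_RS q when ready=True: some (ready) simulation relates
    them iff (p, q) survives in the largest one over the reachable states."""
    pairs = set(product(reachable(p), reachable(q)))
    if ready:  # s1 -/ξ-> implies s2 -/ξ->; with simulation this means equal initials
        pairs = {(s, t) for s, t in pairs if initials(s) == initials(t)}
    return (p, q) in _largest(pairs, symmetric=False)


def bisimilar(p: Term, q: Term) -> bool:
    """Bisimulation equivalence: a symmetric simulation relating p and q."""
    states = reachable(p) | reachable(q)
    return (p, q) in _largest(set(product(states, states)), symmetric=True)


def accepts(p: Term, word: Tuple[str, ...]) -> bool:
    """Definition 2.3: σ is accepted by p iff p ==σ==> s and s -√-> s' for some s."""
    states = {p}
    for a in word:
        states = {q2 for q in states for label, q2 in steps(q) if label == a}
    return any(label == TICK for q in states for label, _ in steps(q))


def readies_up_to(p: Term, n: int) -> Set[Tuple[Tuple[str, ...], FrozenSet[str]]]:
    """Definition 2.2 restricted to traces of length at most n (with prefix
    iteration the full set readies(p) is infinite)."""
    out, frontier = set(), {((), p)}
    for _ in range(n + 1):
        out |= {(w, initials(q)) for w, q in frontier}
        frontier = {(w + (label,), q2) for w, q in frontier for label, q2 in steps(q)}
    return out
```

With $x = b.0$ and $y = c.0$ the checks confirm RS1 and RS2 for $\lesssim_{RS}$, S for $\lesssim_S$, and PA1-2 for bisimulation equivalence, while the converses of RS1 and S fail, as they should.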
Proof. We leave it to the reader to check the soundness of the axiom system $\mathcal{E}_{RS}$ and concentrate on its completeness. In view of Lem. 4.3, it is sufficient to show that if $P \lesssim_{RS} Q$ holds for normal forms $P$ and $Q$, then $\mathcal{E}_{RS} \vdash P \le Q$. This we now proceed to prove by induction on the sum of the sizes of $P$ and $Q$. We proceed by a case analysis on the form the normal forms $P$ and $Q$ may take.

- CASE: $P =_{AC} \sum_{i \in I} a_i.P_i + 1$ and $Q =_{AC} \sum_{j \in J} b_j.Q_j + 1$. As $P \lesssim_{RS} Q$, we infer that:
  1. for every $i$ there exists an index $j_i$ such that $a_i = b_{j_i}$ and $P_i \lesssim_{RS} Q_{j_i}$,
  2. $1$ is a summand of $P$ iff it is a summand of $Q$, and
  3. the collections of actions $\{a_i \mid i \in I\}$ and $\{b_j \mid j \in J\}$ are equal.
  The induction hypothesis and substitutivity yield that, for every $i \in I$, $\mathcal{E}_{RS} \vdash a_i.P_i \le b_{j_i}.Q_{j_i}$. Again using substitutivity, we obtain that
  $$\mathcal{E}_{RS} \vdash P \le \sum_{i} b_{j_i}.Q_{j_i} + 1.$$
  Note now that, for every index $j$ that is not contained in the set $\{j_i \mid i \in I\}$, there is an index $j_l$ ($l \in I$) such that $b_j = b_{j_l}$. We can therefore apply axiom RS1 as necessary to infer that
  $$\mathcal{E}_{RS} \vdash \sum_{i} b_{j_i}.Q_{j_i} + 1 \le Q.$$
  The provability of the inequation $P \le Q$ from the axiom system $\mathcal{E}_{RS}$ now follows immediately by transitivity.
- CASE: $P =_{AC} \sum_{i \in I} a_i.P_i + 1$ and $Q =_{AC} b^*(\sum_{j \in J} b_j.Q_j + 1)$. To deal with this case, begin by applying PA1 to $Q$ to obtain the equality
  $$Q = b.Q + \sum_{j \in J} b_j.Q_j + 1.$$
  We can now reason as in the first case of the proof to derive that
  $$P \le b.Q + \sum_{j \in J} b_j.Q_j + 1.$$
  Transitivity now yields the inequation $P \le Q$.
- CASE: $P =_{AC} a^*(\sum_i a_i.P_i + 1)$ and $Q =_{AC} \sum_j b_j.Q_j + 1$. Apply PA1 to $P$, and reason as in the previous case.
- CASE: $P =_{AC} a^*(\sum_i a_i.P_i + 1)$ and $Q =_{AC} b^*(\sum_j b_j.Q_j + 1)$. As $P \lesssim_{RS} Q$, we infer that:
  1. there exists a $Q'$ such that $Q \xrightarrow{a} Q'$ and $P \lesssim_{RS} Q'$,
  2. for every $i$ there exists a $Q(i)$ such that $Q \xrightarrow{a_i} Q(i)$ and $P_i \lesssim_{RS} Q(i)$,
  3. $1$ is a summand of $P$ iff it is a summand of $Q$, and
  4. the collections of actions $\{a_i \mid i \in I\} \cup \{a\}$ and $\{b_j \mid j \in J\} \cup \{b\}$ are equal.
  Because of the form $Q$ takes, $Q'$ and every $Q(i)$ is either $Q$ itself or one of the $Q_j$'s. Therefore we may apply the inductive hypothesis to each of the inequivalences $P_i \lesssim_{RS} Q(i)$ and substitutivity to infer that
  $$\mathcal{E}_{RS} \vdash \sum_i a_i.P_i \le \sum_i a_i.Q(i). \tag{1}$$
  We proceed with the proof by considering the following two sub-cases:
  A. There is an index $j$ such that $a = b_j$ and $P \lesssim_{RS} Q_j$;
  B. For no index $j$ with $a = b_j$ it holds that $P \lesssim_{RS} Q_j$.
  We consider these two cases in turn.
  A. Assume that there is an index $j$ such that $a = b_j$ and $P \lesssim_{RS} Q_j$. In this case, we may apply the inductive hypothesis to derive that
  $$\mathcal{E}_{RS} \vdash P \le Q_j. \tag{2}$$
  We can now finish the proof of the inequation $P \le Q$ from the axiom system $\mathcal{E}_{RS}$ as follows:
  $$\begin{aligned}
  P &\overset{(PA1)}{=} a.P + \sum_i a_i.P_i + 1 \\
    &\overset{(1),(2)}{\le} b_j.Q_j + \sum_i a_i.Q(i) + 1 \\
    &\overset{(RS1)}{\le} b_j.Q_j + \sum_i a_i.Q(i) + exp(Q) + 1 \\
    &\overset{(A3),(PA1)}{=} Q.
  \end{aligned}$$
B. Assume that for no index j with a = b_j it holds that P ⊑_RS Q_j. In this case, we infer that a = b. We can now reason as follows:

    P  ≡  a*(Σ_i a_i.P_i + 1)
       ≤  a*(Σ_i a_i.Q(i) + 1)                               (1)
       ≤  a*(Σ_i a_i.Q(i) + a.Q + Σ_j b_j.Q_j + 1)           (RS1),(RS2)
       =  a*Q                                                (A3),(PA1)
       =  Q.                                                 (PA2)

This completes the proof of the theorem.
4.2 Simulation

The axiom system E_S consists of the laws for bisimulation equivalence in Table 2 and of the axiom

    S    x ≤ x + y.

Inequation S is well-known to characterize the simulation preorder over finite synchronization trees. Unlike in the case of ready simulation, no extra law is needed to deal with prefix iteration explicitly.

Theorem 4.5. For every P, Q ∈ BCCS^{p*}, P ⊑_S Q iff E_S ⊢ P ≤ Q.

4.3 Readiness
In this section we present a complete axiom system for prefix iteration with respect to the readiness preorder. The axiom system E_R consists of the collection of laws for ready simulation and of those listed below:

    R1   a.(b.x + b.y + v)                ≤  a.(b.x + v) + a.(b.y + w)
    R2   a.a*(b.x + b.y + v)              ≤  a.a*(b.x + v) + a.a*(b.y + w)
    R3   a*(b.x + b.y + v + a.(b.y + w))  =  a*(b.x + v + a.(b.y + w)) + b.y

Theorem 4.6. For every P, Q ∈ BCCS^{p*}, P ⊑_R Q iff E_R ⊢ P ≤ Q.

We focus on the completeness of E_R and leave soundness to the reader. Before proving this completeness theorem, we introduce some auxiliary definitions and results.

Definition 4.7. A term P is saturated if for each pair of derivations P -a-> Q -b-> Q' and P -a-> R with b ∈ initials(R) we have R -b-> R' with Q' ⊑_R R'.

The following lemma stems from [2].

Lemma 4.8. If P ⊑_R Q and P -a-> P' and Q is saturated, then Q -a-> Q' with P' ⊑_R Q'.

Definition 4.9. A normal form P is strongly saturated if:
1. P is saturated;
2. if P =_AC Σ_{i∈I} a_i.P_i + 1, then the term P_i is strongly saturated, for every i ∈ I.

Axioms R1-R3 play a crucial role in the proof of the following key result.

Lemma 4.10. Each term is provably equal, by the axioms in E_R, to a strongly saturated normal form, in which each subterm of the form a*R occurs in the context a._.
Finally we are in a position to prove Thm. 4.6.

Proof. Suppose that P ⊑_R Q; we prove that E_R ⊢ P ≤ Q. By Lem. 4.10 it is not hard to see that it suffices to establish the claim under the following assumptions:
1. P and Q are normal forms;
2. Q is strongly saturated;
3. proper subterms of P and Q of the form a*R occur in the context a._;
4. if P =_AC a*R and Q =_AC b*S, then a = b.

(In fact, according to Lem. 4.10, the last two conditions could be replaced by the stronger condition that all subterms of P and Q of the form a*R occur in the context a._. However, we shall need the weaker formulation above to be able to satisfy the induction hypothesis.) We derive the desired inequality P ≤ Q from E_R by induction with respect to the following lexicographic ordering on pairs of process terms: (P, Q) < (R, S) if
- either size(P) < size(R);
- or size(P) = size(R) and size(Q) < size(S).
The next two cases distinguish the possible syntactic forms of P.

- CASE 1: P =_AC Σ_{i∈I} a_i.P_i + 1. Since P ⊑_R Q, P -a_i-> P_i and Q is saturated, Lem. 4.8 implies that for each i ∈ I we have Q -a_i-> Q_i for some Q_i such that P_i ⊑_R Q_i. According to Lem. 4.10, E_R ⊢ Q_i = R_i, with R_i a strongly saturated normal form, in which each subterm of the form c*S occurs in the context c._. Moreover, each P_i is a normal form, in which all proper subterms of the form c*S occur in the context c._, with size(P_i) < size(P). Hence, we can apply induction to P_i ⊑_R R_i to derive E_R ⊢ P_i ≤ R_i. Therefore, for each i ∈ I,

      E_R ⊢ a_i.P_i ≤ a_i.R_i = a_i.Q_i.    (3)

  By substitutivity, we have that

      P =_AC Σ_{i∈I} a_i.P_i + 1 ≤ Σ_{i∈I} a_i.Q_i + 1    (4)      [by (3)]

  Since P ⊑_R Q implies initials(P) = initials(Q), it follows that initials(Q) \ {√} is equal to {a_i | i ∈ I}. Furthermore, P ⊑_R Q implies that P has a summand 1 if and only if Q -√-> 0. Hence,

      Σ_{i∈I} a_i.Q_i + 1 ≤ exp(Q) = Q,      [by (RS1), then Lem. 4.2]

  which together with equation (4) yields E_R ⊢ P ≤ Q.

- CASE 2: P =_AC a*(Σ_{i∈I} a_i.P_i + 1). The next two cases distinguish the possible syntactic forms of Q.
  - CASE 2.1: Q =_AC Σ_{j∈J} b_j.Q_j + 1. Suppose that P -c-> P'. Since P ⊑_R Q and Q is saturated, Lem. 4.8 implies that there is a j ∈ J such that c = b_j and P' ⊑_R Q_j. Both P' and Q_j are normal forms, and since Q is strongly saturated, by Defn. 4.9(2) Q_j is strongly saturated too. Furthermore, if P' =_AC d*R and Q_j =_AC e*S, then c = d and b_j = e, owing to property 3 of P and Q, and so d = c = b_j = e. Moreover, it is easy to see that property 3 of P and Q implies that the same property holds for P' and Q_j. Finally, size(P') ≤ size(P) and size(Q_j) < size(Q). Hence, we can apply induction to P' ⊑_R Q_j to derive E_R ⊢ P' ≤ Q_j. Substitutivity now yields

        E_R ⊢ c.P' ≤ b_j.Q_j.    (5)

    Hence,

        P = exp(P) ≤ Σ_{j∈J0} b_j.Q_j + 1    (6)      [by Lem. 4.2, then (5)]

    for some J0 ⊆ J. It is easy to see that P ⊑_R Q implies initials(Q) \ {√} = initials(P) \ {√} = {b_j | j ∈ J0}. Moreover, P -√-> 0 if and only if Q has a summand 1. Hence,

        Σ_{j∈J0} b_j.Q_j + 1 ≤ Σ_{j∈J} b_j.Q_j + 1 =_AC Q.      [by (RS1)]

    Together with equation (6) this yields E_R ⊢ P ≤ Q.
  - CASE 2.2: Q =_AC a*(Σ_{j∈J} b_j.Q_j + 1). Since P ⊑_R Q and P -a_i-> P_i and Q is saturated, Lem. 4.8 implies that for each i ∈ I
    1. either a_i = a and P_i ⊑_R Q,
    2. or there is a j such that a_i = b_j and P_i ⊑_R Q_j.
    Clearly, each P_i is a normal form in which all proper subterms of the form c*S occur in the context c._, and with size(P_i) < size(P). In the first case, applying induction to P_i ⊑_R Q, we infer that E_R ⊢ P_i ≤ Q. Therefore, by substitutivity,

        E_R ⊢ a_i.P_i ≤ a.Q.    (7)

    In the second case, Lem. 4.10 implies E_R ⊢ Q_j = R_j, with R_j a strongly saturated normal form, in which each subterm of the form c*S occurs in the context c._. Then by induction P_i ⊑_R R_j implies E_R ⊢ P_i ≤ R_j. It follows, by substitutivity, that

        E_R ⊢ a_i.P_i ≤ a_i.R_j = b_j.Q_j.    (8)

    Hence, for some J0 ⊆ J:

        P  ≤  a*(a.Q + Σ_{i∈I} a_i.P_i + 1)                   (RS2)
           ≤  a*(a.Q + Σ_{j∈J0} b_j.Q_j + 1).                 (7),(8)      (9)

    It is easy to see that P ⊑_R Q implies that initials(Q) \ {√} = {b_j | j ∈ J0} ∪ {a}, and that P -√-> 0 if and only if Q -√-> 0. Hence

        a*(a.Q + Σ_{j∈J0} b_j.Q_j + 1)  ≤  a*(a.Q + Σ_{j∈J} b_j.Q_j + 1)  =  Q.      [by (RS1), then (PA1),(PA2)]

    Together with equation (9) this yields E_R ⊢ P ≤ Q. The proof is now complete.

4.4 Traces
The axiom system E_T consists of the laws for bisimulation equivalence in Table 2 and of

    T1   a.(x + y) = a.x + a.y
    T2   a*(x + y) = a*x + a*y
    T3   a*(a.x) = a.(a*x).

Axiom T1 is a well-known equation used to characterize trace equivalence over finite synchronization trees, and axiom T2 is the adaptation of this equation to the case of prefix iteration. Finally, T3 is, to the best of our knowledge, a new axiom.

Theorem 4.11. For every P, Q ∈ BCCS^{p*},
1. P ≃_T Q iff E_T ⊢ P = Q;
2. P ⊑_T Q iff E_T ∪ {(S)} ⊢ P ≤ Q.

4.5 Language Semantics

The axiom system E_L consists of the laws for bisimulation equivalence in Table 2, T1-3 and the equations

    L1   a.0 = 0
    L2   a*0 = 0.

Axiom L1 is an adaptation to action prefixing of a well-known equation from regular algebra, and axiom L2 is the generalization of this equation to the case of prefix iteration.

Theorem 4.12. For every P, Q ∈ BCCS^{p*},
1. P ≃_L Q iff E_L ⊢ P = Q;
2. P ⊑_L Q iff E_L ∪ {(S)} ⊢ P ≤ Q.
Proof. We leave it to the reader to check the soundness of the axiom system E_L ∪ {(S)}, and concentrate on the completeness results.

1. Assume that P ≃_L Q. We shall prove that E_L ⊢ P = Q. A simple term rewriting analysis (which is omitted here) shows that each process term is provably equal to a term which is either 0-free, or of the form 0. Suppose that two terms P and Q are language equivalent. We distinguish two cases.
   CASE 1: P ≡ 0. Then clearly also Q ≡ 0, so P = 0 = Q.
   CASE 2: P is 0-free. Then clearly Q is also 0-free. Since P and Q are 0-free and language equivalent, it is not hard to see that they are also trace equivalent. So, according to Thm. 4.11, the equation P = Q can be derived from E_T, which is included in E_L.

2. Note that, for every P, Q ∈ BCCS^{p*}, the following holds:

       P ⊑_L Q iff P + Q ≃_L Q.

   Thus the completeness of the axiom system E_L ∪ {(S)} with respect to ⊑_L is an immediate consequence of the first statement of the theorem.

5 Further Work
The completeness results presented in this paper deal with a significant fragment of the notions of semantics discussed in [7]. To our mind, the most important omission is a complete proof system for failures semantics [4] over BCCS with prefix iteration. We conjecture that a complete axiomatization for the failures preorder can be obtained by adding the laws

    a.(x + y)    ≤
    a.a*(x + y)  ≤  a.a*x + a.a*(y + z)
    a.a*x        ≤  a*a.(x + y)
    a*x          ≤  a*(x + a.y)

to those for bisimulation equivalence (cf. Table 2), and we are currently working on the details of such a proof. The crux of the argument is a proof to the effect that the suggested inequations are sufficient to convexly saturate each process term, in the sense of [2]. We have also obtained irredundancy results for the axiom systems for ready simulation, simulation, trace and language equivalence. These will be presented in the full version of this paper, together with a characterization of the expressive power of BCCS with prefix iteration.

Acknowledgements: The research reported in this paper originates from a question posed by Rocco De Nicola. We thank the anonymous referees for their comments.
References

1. L. Aceto, W. J. Fokkink, R. J. van Glabbeek, and A. Ingólfsdóttir, Axiomatizing prefix iteration with silent steps, Information and Computation, 127 (1996), pp. 26-40.
2. J. Bergstra, J. W. Klop, and E.-R. Olderog, Readies and failures in the algebra of communicating processes, SIAM J. Comput., 17 (1988), pp. 1134-1177.
3. B. Bloom, S. Istrail, and A. R. Meyer, Bisimulation can't be traced, J. Assoc. Comput. Mach., 42 (1995), pp. 232-268.
4. S. Brookes, C. Hoare, and A. Roscoe, A theory of communicating sequential processes, J. Assoc. Comput. Mach., 31 (1984), pp. 560-599.
5. J. H. Conway, Regular Algebra and Finite Machines, Mathematics Series (R. Brown and J. De Wet eds.), Chapman and Hall, London, United Kingdom, 1971.
6. W. J. Fokkink, A complete equational axiomatization for prefix iteration, Inf. Process. Lett., 52 (1994), pp. 333-337.
7. R. J. v. Glabbeek, The linear time - branching time spectrum, in Proceedings CONCUR 90, Amsterdam, J. Baeten and J. Klop, eds., vol. 458 of Lecture Notes in Computer Science, Springer-Verlag, 1990, pp. 278-297.
8. R. J. v. Glabbeek, A complete axiomatization for branching bisimulation congruence of finite-state behaviours, in Mathematical Foundations of Computer Science 1993, Gdansk, Poland, A. Borzyszkowski and S. Sokołowski, eds., vol. 711 of Lecture Notes in Computer Science, Springer-Verlag, 1993, pp. 473-484. Available by anonymous ftp from Boole.stanford.edu.
9. S. Kleene, Representation of events in nerve nets and finite automata, in Automata Studies, C. Shannon and J. McCarthy, eds., Princeton University Press, 1956, pp. 3-41.
10. H. Lin, An interactive proof tool for process algebras, in 9th Annual Symposium on Theoretical Aspects of Computer Science, vol. 577 of Lecture Notes in Computer Science, Cachan, France, 13-15 Feb. 1992, Springer, pp. 617-618.
11. R. Milner, A complete inference system for a class of regular behaviours, J. Comput. System Sci., 28 (1984), pp. 439-466.
12. R. Milner, Communication and Concurrency, Prentice-Hall International, Englewood Cliffs, 1989.
13. R. Milner, The polyadic π-calculus: a tutorial, in Proceedings Marktoberdorf Summer School '91, Logic and Algebra of Specification, NATO ASI Series F94, Springer-Verlag, 1993, pp. 203-246.
14. D. Park, Concurrency and automata on infinite sequences, in 5th GI Conference, Karlsruhe, Germany, P. Deussen, ed., vol. 104 of Lecture Notes in Computer Science, Springer-Verlag, 1981, pp. 167-183.
The WHILE Hierarchy of Program Schemes Is Infinite

Can Adam Albayrak and Thomas Noll
RWTH Aachen, Ahornstr. 55, 52056 Aachen, Germany
e-mail: {albayrak,noll}@informatik.rwth-aachen.de
fax: +49 241 8888 217

Abstract. We exhibit a sequence S_n (n ≥ 0) of WHILE program schemes, i.e., WHILE programs without interpretation, with the property that the WHILE nesting depth of S_n is n, and prove that any WHILE program scheme which is scheme equivalent to S_n, i.e., equivalent for all interpretations over arbitrary domains, has WHILE nesting depth at least n. This shows that the WHILE nesting depth imposes a strict hierarchy (the WHILE hierarchy) when programs are compared with respect to scheme equivalence and contrasts with Kleene's classical result that every program is equivalent to a program of WHILE nesting depth 1 (when interpreted over a fixed domain with arithmetic on non-negative integers). Our proof is based on results from formal language theory; in particular, we make use of the notion of star height of regular languages.

1 Introduction
When comparing programming languages, one often has a vague impression of one language being more powerful than another. However, a basic result of the theory of computability is that even simple models of computation like Turing machines, WHILE programs (with arithmetic), and partial recursive functions are universal in the following sense: they describe exactly the class of computable functions, according to Church's thesis. The proof uses encodings of functions by non-negative integers with the help of the zero and successor functions. Thus, if the programming language under consideration supports arithmetic on non-negative integers, then it is capable of simulating any effective control structure. A compiler implementing a programming language could in principle adopt this method. In general, such languages do not only specify computations over non-negative integers but handle data types like floating-point numbers, character strings, and trees as well. Additionally, modern programming languages allow recursion as a means for the description of algorithms. In principle, these extended capabilities could be implemented (1) by embedding them in the setting of non-negative integers using appropriate encodings, (2) by simulating their behavior as a computable function, and (3) by translating the result back into the original context. However, it is clear that this approach is of purely theoretical interest; there is no hope of achieving good efficiency in this way. Instead these concepts are implemented directly: for example, recursion is usually translated into iterative algorithms using a run-time stack. Thus a comparison of the computational power of programming languages requires the distinction between the control structures of a program and other aspects like the semantic domains involved in the computations. Therefore we use the approach of decomposing a program into a program scheme and an interpretation (which comprises the semantic domain). We study only the scheme part as an abstraction of the family of all programs represented by this scheme. In this generalized approach, two schemes are considered to be equivalent iff the concrete programs obtained by addition of an interpretation are equivalent for all interpretations. It is well-known that the schematic concept of "recursion" is more powerful than that of "iteration" [12], that "recursion" equals "iteration + stack" [2], and that "iteration" equals "while + Boolean variables" [1]. Unfortunately the question of scheme equivalence is undecidable in the general case [11]. The reason is not, as one might expect, the "large number" of interpretations which one has to apply for deciding scheme equivalence; it suffices to consider free interpretations (or Herbrand interpretations) only. Instead, the undecidability is caused by the structure of the state space of the program; more precisely, the state space has too many components. If we abstract from the state space we obtain simple or monadic schemes for which the question of scheme equivalence becomes decidable in most cases.

In this paper we consider the class of Dijkstra schemes which are inductively built up from atomic statements by means of sequential composition, branching instructions, and WHILE loops. A characterization of scheme equivalence via regular languages is exploited: the star height of the regular language associated with a Dijkstra scheme yields a lower bound for the WHILE nesting depth required. We exhibit a sequence S_n (n ≥ 0) of Dijkstra schemes with the property that the WHILE nesting depth of S_n is n, and prove (via the correspondence to regular languages) that any Dijkstra scheme which is equivalent to S_n has WHILE nesting depth at least n. This shows that the WHILE nesting depth of Dijkstra schemes imposes a strict hierarchy with respect to the computational power of the corresponding class of programs, the WHILE hierarchy. It contrasts with Kleene's classical result [10] that every program is equivalent to a program of WHILE nesting depth 1 (beside some fixed number of other loops) when interpreted over a fixed domain with arithmetic on non-negative integers.
2 Dijkstra schemes

Here we introduce the class of Dijkstra schemes. The only construction elements for Dijkstra schemes are sequential composition, branching, and conditional iteration. Thus, Dijkstra schemes can be regarded as WHILE programs without interpretations.
Let Ω, Π be non-empty, finite, and disjoint sets of unary function symbols and unary predicate symbols. (Ω, Π) is called a signature. The set BExp(Π) of Boolean expressions over Π is the smallest set which contains Π and which is closed under the Boolean operations (i.e. ∧, ∨ and ¬). The class Dij(Ω, Π) of Dijkstra schemes over Ω and Π is the smallest set which, for every S, S1, S2 ∈ Dij(Ω, Π) and b ∈ BExp(Π), satisfies the following conditions:
- Ω ⊆ Dij(Ω, Π)
- (S1; S2) ∈ Dij(Ω, Π)
- if b then S1 else S2 fi ∈ Dij(Ω, Π)
- while b do S done ∈ Dij(Ω, Π).
Braces may be omitted.
Example 1. Let Ω := {f, g, h} and Π := {p}. Then

    f; while p do (g; h) done

is a Dijkstra scheme.
An (Ω, Π)-interpretation, or interpretation for short, is a pair A := (A; α) where A is a non-empty set, the domain of the interpretation, and α is a mapping which assigns a predicate α(p) : A → {0, 1} to every symbol p ∈ Π and a total function α(f) : A → A to every symbol f ∈ Ω. Instead of α(f) we write f_A. The class of all (Ω, Π)-interpretations is denoted by Int(Ω, Π). A pair (S, A) consisting of a Dijkstra scheme S ∈ Dij(Ω, Π) and an interpretation A ∈ Int(Ω, Π) is called a Dijkstra program. The semantics of (S, A) is the (partial) mapping [[S]]_A : A → A, given as follows:

    [[S]]_A(a) :=
        f_A(a)                    if S = f ∈ Ω
        [[S2]]_A([[S1]]_A(a))     if S = (S1; S2)
        [[S1]]_A(a)               if S = if b then S1 else S2 fi and b_A(a) = 1
        [[S2]]_A(a)               if S = if b then S1 else S2 fi and b_A(a) = 0
        [[S']]^k_A(a)             if S = while b do S' done and the WHILE condition holds
        undefined                 else

where b_A(a) is the truth value of b on input a which is induced by the interpretation A, and where the WHILE condition depending on b, S' and a is given by

    ∀i ∈ {0, ..., k-1}: b_A([[S']]^i_A(a)) = 1   and   b_A([[S']]^k_A(a)) = 0.

As usual b_A([[S']]^i_A(a)) = 1 means that the ith iteration [[S']]^i_A of the mapping [[S']]_A applied to a is defined and that the result satisfies condition b.

Example 2. Let S be the Dijkstra scheme in Example 1 and A := (ℕ²; α) (ℕ is the set of all non-negative integers) with f_A(m, n) := (m, 1), g_A(m, n) := (m, m·n), h_A(m, n) := (max{0, m-1}, n) and p_A(m, n) = 1 ⇔ m ≠ 0. Then [[S]]_A computes the factorial function; more precisely, [[S]]_A(m, n) = (0, m!).

As mentioned in the introduction we define: Two Dijkstra schemes S1, S2 ∈ Dij(Ω, Π) are (strongly) equivalent iff the equation

is valid for all interpretations A ∈ Int(Ω, Π). We write S1 ~ S2 iff S1 and S2 are equivalent. Hence scheme equivalence comprises program equivalence, which expresses that, under a fixed interpretation, both programs compute the same function.
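The semantics above, run on the schemes of Examples 1, 2 and 5, as an added example that is not code from the paper: a small interpreter for Dijkstra schemes encoded as nested tuples (an encoding chosen here), evaluated under the factorial interpretation A := (ℕ²; α) of Example 2. The fuel bound is a practical cut-off added here so that a diverging WHILE loop returns None instead of hanging.

```python
# Dijkstra schemes encoded as nested tuples (an encoding chosen for this example):
#   'f'                    a function symbol, S in Omega
#   ('seq', S1, S2)        (S1; S2)
#   ('if', b, S1, S2)      if b then S1 else S2 fi
#   ('while', b, S)        while b do S done
# Boolean expressions over Pi: 'p' | ('not', b) | ('and', b1, b2) | ('or', b1, b2)
# An interpretation A = (A; alpha) is a pair of dicts: function symbol -> f_A,
# predicate symbol -> p_A, both acting on elements of the domain A.


def eval_bool(b, preds, a):
    """b_A(a): truth value (0/1) of b on input a under the predicates preds."""
    if isinstance(b, str):
        return preds[b](a)
    op = b[0]
    if op == 'not':
        return 1 - eval_bool(b[1], preds, a)
    if op == 'and':
        return eval_bool(b[1], preds, a) & eval_bool(b[2], preds, a)
    if op == 'or':
        return eval_bool(b[1], preds, a) | eval_bool(b[2], preds, a)
    raise ValueError(f'unknown Boolean operator {op!r}')


def run(S, interp, a, fuel=10_000):
    """[[S]]_A(a) by the inductive definition; None stands for 'undefined'.

    fuel bounds the number of WHILE iterations so that a diverging loop yields
    None instead of hanging (a practical cut-off, not part of the definition)."""
    funcs, preds = interp
    if isinstance(S, str):                        # S in Omega: apply f_A
        return funcs[S](a)
    op = S[0]
    if op == 'seq':                               # [[S2]]_A([[S1]]_A(a))
        mid = run(S[1], interp, a, fuel)
        return None if mid is None else run(S[2], interp, mid, fuel)
    if op == 'if':                                # branch on b_A(a)
        branch = S[2] if eval_bool(S[1], preds, a) == 1 else S[3]
        return run(branch, interp, a, fuel)
    if op == 'while':                             # iterate S' while b holds (WHILE condition)
        cur = a
        for _ in range(fuel):
            if eval_bool(S[1], preds, cur) == 0:  # b_A([[S']]^k_A(a)) = 0: stop after k rounds
                return cur
            cur = run(S[2], interp, cur, fuel)    # next iterate; 'undefined' propagates
            if cur is None:
                return None
        return None                               # fuel exhausted: treated as undefined
    raise ValueError(f'unknown scheme constructor {op!r}')


# Example 1: f; while p do (g; h) done
S_EX1 = ('seq', 'f', ('while', 'p', ('seq', 'g', 'h')))

# Example 5: f; if (not p) then while p do (g; h) done
#               else (g; h); while p do (g; h) done fi
S_EX5 = ('seq', 'f', ('if', ('not', 'p'),
                      ('while', 'p', ('seq', 'g', 'h')),
                      ('seq', ('seq', 'g', 'h'), ('while', 'p', ('seq', 'g', 'h')))))

# Example 2: the interpretation over N x N under which S_EX1 computes the factorial
FACTORIAL = (
    {'f': lambda mn: (mn[0], 1),
     'g': lambda mn: (mn[0], mn[0] * mn[1]),
     'h': lambda mn: (max(0, mn[0] - 1), mn[1])},
    {'p': lambda mn: 1 if mn[0] != 0 else 0},
)

# A scheme that never terminates under FACTORIAL when m != 0: f leaves m unchanged.
S_DIVERGE = ('while', 'p', 'f')

if __name__ == '__main__':
    print(run(S_EX1, FACTORIAL, (5, 0)))        # (0, 120)
    print(run(S_EX5, FACTORIAL, (5, 0)))        # (0, 120): same function on this input
    print(run(S_DIVERGE, FACTORIAL, (3, 0)))    # None: undefined
```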
3 Characterization of Dijkstra scheme equivalence
Now we give a characterization of scheme equivalence in terms of formal languages. The language L_S which we associate with a given Dijkstra scheme S is a regular language capturing the full computation potential of S. To simulate the behaviour of S under arbitrary interpretations, we especially record the decisions which have been taken in the Boolean conditions. The languages we define use Boolean vectors for this protocol; a word of this language consists of function symbols and Boolean vectors in alternation. The central point is the representation of scheme composition by a conditional product [9] of the corresponding languages. It allows two computations to be concatenated only if their adjacent Boolean vectors coincide. For a set Ω of unary function symbols and a set Π = {p_1, ..., p_n} of predicate symbols with n elements let

    B := {0, 1}^n

be the set of all Boolean vectors of length n. We associate with each Boolean expression b ∈ BExp(Π) a set of Boolean vectors L_b ⊆ B by induction: for p_i ∈ Π let

    L_{p_i} := {(x_1, ..., x_{i-1}, 1, x_{i+1}, ..., x_n) | x_1, ..., x_{i-1}, x_{i+1}, ..., x_n ∈ {0, 1}},

and L_{b1 ∧ b2} := L_{b1} ∩ L_{b2}, L_{b1 ∨ b2} := L_{b1} ∪ L_{b2}, and L_{¬b} := B \ L_b. Now we are ready to specify the Dijkstra scheme language L_S of an arbitrary scheme S ∈ Dij(Ω, Π). It is given by the following inductive definition:

    L_f := B · {f} · B
    L_{(S1; S2)} := L_{S1} ∘ L_{S2}
    L_{if b then S1 else S2 fi} := (L_b ∘ L_{S1}) ∪ ((B \ L_b) ∘ L_{S2})
    L_{while b do S done} := (L_b ∘ L_S)* ∘ (B \ L_b)

where L1 ∘ L2 is the conditional product defined by

    L1 ∘ L2 := {wβv | β ∈ B, w ∈ (BΩ)*, v ∈ (ΩB)*, wβ ∈ L1 and βv ∈ L2}

and L^0 := B and L^{i+1} := L^i ∘ L for every i ∈ ℕ. The class of all Dijkstra scheme languages over Ω and Π is denoted by L(Ω, Π).
Example 3. Let S be the Dijkstra scheme in Example 1, and let B := (0 + 1). Then L_S is the language denoted by the regular expression Bf(1gBh)*0.

Proposition 4. (Characterization of Dijkstra scheme equivalence) For any two Dijkstra schemes S1, S2 ∈ Dij(Ω, Π) the following condition holds:

    S1 ~ S2  ⟺  L_{S1} = L_{S2}.

Proof. It is well-known that every Dijkstra scheme is translatable into an equivalent Ianov scheme, which can be considered as an uninterpreted (monadic) flowchart (see [7, 6, 8] and [13] for further details). For this class of schemes, I. I. Ianov gave a language-theoretic description of equivalence by assigning to every scheme a deterministic finite automaton whose recognized language characterizes the scheme equivalence. The combination of both techniques yields our proof: by induction on the syntactic structure of S ∈ Dij(Ω, Π) it is possible to show that the language associated with the equivalent Ianov scheme trans(S) and the language L_S assigned to S coincide.
Example 5. Let S once again be the Dijkstra scheme in Example 1 and S' be the Dijkstra scheme

    f; if (¬p) then while p do (g; h) done
             else (g; h); while p do (g; h) done fi

Let B := (0 + 1). Then the Dijkstra scheme language L_{S'} is the language denoted by the regular expression

    (Bf0) + (Bf1gBh(1gBh)*0).

Since it is the same language as the Dijkstra scheme language for S we can deduce by Proposition 4 that S and S' are equivalent.
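The inductive definition of L_S and the conditional product, as an added example that is not code from the paper: a bounded enumeration of the scheme language (the same tuple encoding of schemes as in the interpreter example, chosen here) that lists every word with at most a given number of function symbols, since the language itself is infinite as soon as a WHILE loop is involved. It reproduces Example 3 and shows that S and S' of Example 5 agree on the bounded fragment; a full proof of equivalence would compare the two regular languages as automata rather than a finite prefix.

```python
from itertools import product as cartesian

# Schemes use the tuple encoding of the interpreter example:
#   'f' | ('seq', S1, S2) | ('if', b, S1, S2) | ('while', b, S)
# Boolean expressions: 'p' | ('not', b) | ('and', b1, b2) | ('or', b1, b2).
# preds is the ordered list (p_1, ..., p_n); a Boolean vector is a tuple in {0,1}^n.
# A word of L_S is a tuple alternating Boolean vectors and function symbols:
# vector, symbol, vector, ..., symbol, vector.


def all_vectors(preds):
    """B = {0,1}^n for n = |preds|."""
    return set(cartesian((0, 1), repeat=len(preds)))


def vectors_of(b, preds):
    """L_b: the Boolean vectors satisfying expression b."""
    B = all_vectors(preds)
    if isinstance(b, str):
        i = preds.index(b)
        return {v for v in B if v[i] == 1}
    op = b[0]
    if op == 'not':
        return B - vectors_of(b[1], preds)
    if op == 'and':
        return vectors_of(b[1], preds) & vectors_of(b[2], preds)
    if op == 'or':
        return vectors_of(b[1], preds) | vectors_of(b[2], preds)
    raise ValueError(f'unknown Boolean operator {op!r}')


def symbols(w):
    """Number of function symbols in word w."""
    return sum(1 for x in w if isinstance(x, str))


def cond_product(L1, L2, maxlen):
    """L1 o L2: w.beta.v for w.beta in L1 and beta.v in L2 (shared vector beta),
    keeping only words with at most maxlen function symbols."""
    by_first = {}
    for x in L2:
        by_first.setdefault(x[0], []).append(x)
    out = set()
    for u in L1:
        for x in by_first.get(u[-1], ()):
            w = u + x[1:]
            if symbols(w) <= maxlen:
                out.add(w)
    return out


def lang(S, preds, maxlen):
    """All words of L_S with at most maxlen function symbols."""
    B = all_vectors(preds)
    one = {(v,) for v in B}                       # B viewed as one-vector words (L^0)
    if isinstance(S, str):                        # L_f := B.{f}.B
        return {(v, S, v2) for v in B for v2 in B} if maxlen >= 1 else set()
    op = S[0]
    if op == 'seq':                               # L_{S1;S2} := L_{S1} o L_{S2}
        return cond_product(lang(S[1], preds, maxlen), lang(S[2], preds, maxlen), maxlen)
    Lb = {(v,) for v in vectors_of(S[1], preds)}
    if op == 'if':                                # (L_b o L_{S1}) u ((B \ L_b) o L_{S2})
        return (cond_product(Lb, lang(S[2], preds, maxlen), maxlen)
                | cond_product(one - Lb, lang(S[3], preds, maxlen), maxlen))
    if op == 'while':                             # (L_b o L_S)* o (B \ L_b)
        body = cond_product(Lb, lang(S[2], preds, maxlen), maxlen)
        star, new = set(one), set(one)            # L^0 := B, L^{i+1} := L^i o L
        while new:                                # every body word adds a symbol, so this stops
            new = cond_product(new, body, maxlen) - star
            star |= new
        return cond_product(star, one - Lb, maxlen)
    raise ValueError(f'unknown scheme constructor {op!r}')


def example3_words(maxlen):
    """Words of Bf(1gBh)*0 (Example 3) with at most maxlen symbols, built directly."""
    out = set()
    for k in range((maxlen - 1) // 2 + 1):
        for v0 in ((0,), (1,)):
            for mids in cartesian(((0,), (1,)), repeat=k):
                w = (v0, 'f')
                for m in mids:
                    w += ((1,), 'g', m, 'h')
                out.add(w + ((0,),))
    return out


S_EX1 = ('seq', 'f', ('while', 'p', ('seq', 'g', 'h')))
S_EX5 = ('seq', 'f', ('if', ('not', 'p'),
                      ('while', 'p', ('seq', 'g', 'h')),
                      ('seq', ('seq', 'g', 'h'), ('while', 'p', ('seq', 'g', 'h')))))
S_LOOPFREE = ('seq', 'f', ('seq', 'g', 'h'))     # f; g; h: not equivalent to S_EX1

if __name__ == '__main__':
    L1, L5 = lang(S_EX1, ['p'], 7), lang(S_EX5, ['p'], 7)
    print(sorted(L1)[:4])
    print(L1 == L5 == example3_words(7), L1 == lang(S_LOOPFREE, ['p'], 7))  # True False
```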
4 The star height of regular languages

In order to prove the main theorem we use the concept of star height of regular languages. After presenting some known facts concerning the star height, we show that there exists an infinite family of regular languages (L_n)_{n∈ℕ} such that every language L_n of this family has star height n. This knowledge will be exploited in the next section. We use ∅ to denote the empty language, ε to denote the language which consists of the empty word, and L(α) for the language denoted by the regular expression α. The set of all regular expressions over a finite alphabet Σ is denoted by RE(Σ). The star height of a regular expression is the maximal number of nested stars which appear in this expression, and the star height of a regular language is the minimal star height of all regular expressions denoting this language; more formally, one defines for a finite alphabet Σ
- sh(∅) = sh(ε) = sh(a) = 0 for all symbols a ∈ Σ,
- sh(αβ) = sh(α + β) = max{sh(α), sh(β)} for α, β ∈ RE(Σ),
- sh(α*) = sh(α) + 1 for α ∈ RE(Σ),
and for a regular language L ⊆ Σ*

    sh(L) := min{sh(α) | α ∈ RE(Σ) and L(α) = L}

is called the star height of L.
Example 6. (Star height) Let Σ := {a, b}. The regular expression (ba*b)* has star height 2 but the language L((ba*b)*) denoted by this regular expression has at most star height 1, because

    L(ε + b(a + bb)*b) = L((ba*b)*)   and   sh(ε + b(a + bb)*b) = 1.

Furthermore it is easy to show that a regular language is finite iff it has zero star height. So we get sh(L((ba*b)*)) = 1.

In 1963 L. C. Eggan raised the question whether there are languages of arbitrary star height over a two-letter alphabet [5]. F. Dejean and M. P. Schützenberger gave a positive answer to this question by showing that for every n ∈ ℕ \ {0} the language L_n over the alphabet {a, b} which is recognized by the deterministic finite automaton A_n
[Figure: the deterministic finite automaton A_n over {a, b}]
with 2n states has star height n. We pick up the technique which has been used in [4] for showing that in a special subclass of regular languages, the class L(Ω, Π) of all Dijkstra scheme languages, there also exist languages of arbitrary star height. The following well-known lemma, which we need in the next section, is easy to prove.

Lemma 7. (Star height of homomorphic images) Let Σ be a finite alphabet and h : Σ* → Σ* be a homomorphism on Σ*. Then for every regular language L ⊆ Σ*: sh(h(L)) ≤ sh(L).

The next lemma presents the regular language family by which we are going to establish the connection to Dijkstra schemes.

Lemma 8. (Star height of a certain family of regular languages) Let (α_n)_{n∈ℕ} be a family of regular expressions over the alphabet Σ := {f, g}, defined inductively by

    α_0 := ε
    α_1 := (fg)*
    (1)   (for n ∈ ℕ \ {0}).

Then for all n ∈ ℕ it holds that sh(L(α_n)) = n.

Proof. To identify the star height of a language given by a regular expression, one has to prove the nonexistence of equivalent expressions of lower star height. Here we are forced to give a proof for every parameter n ∈ ℕ. The technique applied in [4] (cf. also [14] for a similar approach) can be used to obtain this result. Here we only sketch the proof. For every n ∈ ℕ \ {0}, let K_n be a class of regular languages which satisfies the following three conditions (a), (b), and (c):

(a) For every language L in K_n:

    ∀w ∈ L : |w|_f = |w|_g,

where |w|_f and |w|_g denote the number of occurrences of f and g, respectively, in the word w.

(b) For m, n ∈ ℕ \ {0} let w_(n,m) ∈ {f, g}* be given by

    w_(1,m) := fg
    w_(n+1,m) := f^{2n} (w_(n,m))^m f g g^{2n} (w_(n,m))^m f g.

For every n ∈ ℕ \ {0}, the n-subword index set of a language L is

    W^n_L := {m ∈ ℕ \ {0} | (w_(n,m))^m is a subword of a word in L}.

The cardinality of this set, which is called the n-subword index of L, must be infinite for each L in K_n: |W^n_L| = ∞, i.e. there are (for every index n of K_n) infinitely many subwords of the form (w_(n,m))^m in L.

(c) Every element L ∈ K_n is minimal with respect to the star height among all languages which satisfy the conditions (a) and (b), i.e. for all regular languages L' over {f, g} which also fulfil conditions (a) and (b) it holds that sh(L) ≤ sh(L'). Thus all languages in K_n have the same star height.

It is easy to see that, for every n ∈ ℕ \ {0}, L(α_n) (cf. (1)) has properties (a) and (b). Hence, sh(L) ≤ n for every L ∈ K_n. The proof of the reverse inequation is shown by induction on n. For the case where n = 1 this follows from the fact that every infinite regular language has a star height of at least 1. For the inductive step we consider a decomposition of L ∈ K_{n+1} into a finite union of expressions of the form … γ_{2k-1} with sh(γ_i) < sh(L) and verify that there is an index i_0 such that γ_{i_0} meets (a) and (b) for the parameter n. With the inductive assumption we conclude sh(L) ≥ n + 1. □
5 Nested WHILE loops in Dijkstra schemes
We now consider Dijkstra schemes with nested WHILE loops. We want to know whether it is possible to restrict the number of nested WHILE loops if we do not use coding mechanisms like in recursion theory, and if we do not require any special data structures. We will show that such a limit does not exist in general. To this aim we exploit our characterization of Dijkstra scheme equivalence by formal languages and the star height property of regular languages. According to our preliminary definitions, the proof must be founded on a fixed finite signature of function and predicate symbols. Before studying this situation we consider the simpler case where the set of predicate symbols may become arbitrarily large. In this case it suffices to consider the value language val(S) of a Dijkstra scheme S to establish the connection to formal language theory. It collects all execution paths of S, represented by the sequence of function symbols as they are applied, and is defined as the homomorphic image of the Dijkstra scheme language L_S under the homomorphism which erases all Boolean vectors.

Proposition 9. (Value language of a Dijkstra scheme) Let Ω be a set of unary function symbols and R ⊆ Ω* be an arbitrary non-empty regular language over Ω. Then there exist
- a set Π_R of predicate symbols and
- a Dijkstra scheme S_R ∈ Dij(Ω, Π_R)
such that val(S_R) = R.

Proof. The proof is an easy induction on the set RE(Ω) of all regular expressions over Ω, where for the inductive step we assume that the sets of predicate symbols of the constituent schemes are disjoint and where we obtain one of the schemes
- if p then S_{R1} else S_{R2} fi with a new predicate symbol p for the case "R1 ∪ R2"
- (S_{R1}; S_{R2}) for "R1 · R2"
- while p do S_{R1} done with a new predicate symbol p for the case "R1*".
Note that the WHILE nesting depth of the resulting scheme coincides with the star height of the regular expression representing R.

Corollary 10. (Star height of Dijkstra scheme languages with infinite signatures) Let Ω be a set of function symbols with at least two elements and Π be an arbitrarily large set of predicate symbols. Then for every n ∈ ℕ there exists a Dijkstra scheme S_n ∈ Dij(Ω, Π) such that

    sh(L_{S_n}) = n,

i.e. the star height of Dijkstra scheme languages over infinite signatures is unbounded.
Proof. We use the following result, cited in Section 4: In the class of regular languages over an alphabet with at least two elements there exists, for every number n ∈ ℕ, a regular language L_n such that sh(L_n) = n. Let n ∈ ℕ, and let α be a regular expression with L(α) = L_n and sh(α) = n. According to Proposition 9, there exists (a set Π of predicate symbols and) a Dijkstra scheme S with val(S) = L_n, constructed inductively on the structure of α. Because its value language val(S) is a homomorphic image of the scheme language L_S, Lemma 7 yields

    sh(L_S) ≥ sh(val(S)) = n.    (2)

As mentioned above, since S has been built up according to α, it contains at most n nested WHILE loops. On the other hand, only WHILE loops yield a contribution to the star height of the scheme language L_S. Thus we obtain sh(L_S) ≤ n and hence, by (2), sh(L_S) = n.

The question arises whether it is really necessary to introduce new predicate symbols, as in the proof of Proposition 9. If it were possible to reuse them, then our proof could be based on a fixed signature. The following example illustrates the difficulties.
Example 11. Let Π := {p} and Ω := {f, g, h}. We consider the Dijkstra schemes S1 and S2 over this signature where S1 := if p then f else g fi and S2 := h. Then we get L_{S1} = {1f0, 1f1, 0g0, 0g1} and L_{S2} = {0h0, 0h1, 1h0, 1h1} and therefore val(S1) = {f, g} and val(S2) = {h}. If in the case "R1 ∪ R2" of the above construction we did not introduce a new predicate symbol then we would obtain the Dijkstra scheme S = if p then (if p then f else g fi) else h fi, which has the scheme language L_S = {1f0, 1f1, 0h0, 0h1} and thus the value language val(S) = {f, h}. But then val(S) = {f, h} ≠ {f, g, h} = val(S1) ∪ val(S2). The reason for this is simply that g is never applied in any interpretation because of the repeated use of the predicate symbol p: S is not free.
Now we present our proof of the hierarchy result with a fixed signature. We assume that we have at least one predicate symbol p and at least two function symbols. In the discussion at the end of the paper we will explain why we cannot extend our proof technique to signatures with one function symbol only. The set of predicate symbols which we need in the proof of Theorem 9 must contain at least as many symbols as the number of occurrences of + and * in the regular expression we start from. To restrict the number of predicate symbols we should use the symbol + sparingly, and we should reuse predicate symbols. The above example shows that such a reuse can at best be accomplished by employing free Dijkstra schemes, i.e. Dijkstra schemes where between two condition evaluations a computation (function application) must take place. This can be achieved by appending function symbols after WHILE loops. An appropriate family $(S_n)_{n \in \mathbb{N}}$ of Dijkstra schemes over Ω = {f, g} and Π := {p} is given as follows. For every n ∈ ℕ, let $f^{2^n}$ := f; …; f ($2^n$ times), and $g^{2^n}$ analogously. Then $(S_n)_{n \in \mathbb{N}}$ is defined as

$S_0$ := while (p ∧ ¬p) do f; g done
$S_1$ := while p do f; g done
$S_{n+1}$ := while p do $f^{2^n}$; $S_n$; f; g; $g^{2^n}$; $S_n$; f; g done   (3)

(where n ≥ 1). Now the following theorem holds:

Theorem 12. (Star height of Dijkstra scheme languages over a fixed signature) Let Ω := {f, g} and Π := {p}. For n ∈ ℕ let $S_n$ ∈ Dij(Ω, Π) be the Dijkstra schemes defined in (3). The Dijkstra scheme language $L_{S_n}$ has the following property: $sh(L_{S_n}) = n$.
Proof. An easy induction over n ∈ ℕ shows for the value language $val(S_n)$:

$val(S_n)$ =

where $a_n$ is the regular expression defined in Lemma 8. According to Proposition 8 we get $sh(val(S_n)) = n$ (for every n ∈ ℕ). As in the proof of Corollary 10, Lemma 7 on the star height of homomorphic images and the observation that only WHILE loops can contribute to the star height of a Dijkstra scheme language yield

$n = sh(val(S_n)) \le sh(L_{S_n}) \le n$,

which implies that $sh(L_{S_n}) = n$.
From this theorem we can deduce a corollary which shows clearly the effect of the different notions of equivalence (program equivalence, scheme equivalence) and of the encodings by means of special data structures. While from the standpoint of recursion theory the number of nested loops can be bounded, such a limit does not exist from the standpoint of program scheme theory (because otherwise there would exist a limit on the star height of Dijkstra scheme languages). We express the main result of this section:

Corollary 13. (The WHILE hierarchy of Dijkstra schemes) The hierarchy of nested WHILE loops in Dijkstra schemes is strict, i.e. for every n ∈ ℕ there exists a Dijkstra scheme $S_{n+1}$ such that $S_{n+1}$ uses n + 1 nested WHILE loops and $S_{n+1}$ cannot be equivalent to any Dijkstra scheme with fewer than n + 1 nested WHILE loops.
6 Conclusion and Discussion

Conclusion: By combining two well-known techniques we characterized the equivalence of Dijkstra schemes with respect to the inductive structure of the class of Dijkstra schemes. We have shown, by considering the star height of Dijkstra scheme languages, that renouncing coding mechanisms and special data structures leads to an infinite hierarchy with respect to the number of nested WHILE loops.

Discussion: Unfortunately Theorem 12 does not express anything about minimal signatures, i.e. signatures with one predicate symbol and one function symbol only. Since value languages of a Dijkstra scheme over such a signature are regular languages over a one-letter alphabet, the star height of the value language can only be 0 or 1. So the technique we used in our proof cannot be extended to such a signature, because the inequality $sh(val(S_n)) \le sh(L_{S_n})$ degenerates to $0 \le sh(L_{S_n})$ or $1 \le sh(L_{S_n})$, respectively. Thus the question is still open in this setting. Since it suffices to identify languages of arbitrary star height in the homomorphic images of the scheme languages, a possible approach might be a homomorphism which erases the function symbols instead of the Boolean vectors, yielding a regular language over the two-letter alphabet of truth values.

Acknowledgements: We would like to thank Klaus Indermark for the premise of this work, as well as Markus Mohnen and Thomas Wilke for the effort of reading a draft version of this paper.
Analysis of a Guard Condition in Type Theory (Extended Abstract)

Roberto M. Amadio, Solange Coupet-Grimal, Université de Provence, Marseille *

Abstract. We present a realizability interpretation of co-inductive types based on partial equivalence relations (per's). We extract from the per's interpretation sound rules to type recursive definitions. These recursive definitions are needed to introduce 'infinite' and 'total' objects of co-inductive type such as an infinite stream, a digital transducer, or a non-terminating process. We show that the proposed type system subsumes those studied by Coquand and Gimenez while still enjoying the basic syntactic properties of subject reduction and strong normalization with respect to a confluent rewriting system first put forward by Gimenez.
1 Introduction

Coquand proposes in [4] an approach to the representation of infinite objects such as streams and processes in a predicative type theory extended with co-inductive types. Related analyses on the role of co-inductive types (or definitions) in logical systems can be found in [14, 11] for the system F, [16] for the system HOL, and [20] for Beeson's Elementary Theory of Operations and Numbers. Two important features of Coquand's approach are that: (1) Co-inductive types, and related constructors and destructors, are added to the theory, rather than being represented by second order types and related λ-terms, as in [7, 17]. (2) Recursive definitions of infinite objects are restricted so that consideration of partial elements is not needed. Thus this work differs from work on the representation of infinite structures in lazy programming languages like Haskell (see, e.g., [21]). In his thesis [8], Gimenez has carried on a realization of Coquand's programme in the framework of the calculus of constructions [5]. More precisely, he studies a calculus of constructions extended with a type of streams (i.e., finite and infinite lists), and proves subject reduction and strong normalization for a related confluent rewriting system. He also applies co-inductive types to the representation and mechanical verification of concurrent systems by relying on the Coq system [3] extended with co-inductive types (another case study can be found in [6]). In this system, processes can be directly represented in the logic as elements of a certain type. This approach differs sharply from those where, say, processes are represented at a syntactic level as elements of an inductively defined type (see, e.g., [15]).

* CMI, 39 rue Joliot-Curie F-13453, Marseille, France. [email protected]. The first author was partially supported by CTI-CNET 95-1B.182, Action Incitative INRIA, IFCPAR 150~-1, WG Confer, and HCM Express. A preliminary version of this paper (including proofs) can be found in [1].

Clearly the representation based on co-inductive types is more direct because recursion is built-in. This may be a decisive advantage when carrying on formal proofs. Therefore, the issue is whether this representation is flexible enough, that is whether we can type enough objects and whether we can reason about their equality. These questions are solid motivations for our work. The introduction of infinite 'total' objects relies on recursive definitions which are intuitively 'guarded' in a sense frequently arising in formal languages [18]. An instance of the new typing rule in this approach is:

$\frac{\Gamma, x : \sigma \vdash M : \sigma \quad M \downarrow x}{\Gamma \vdash \mathrm{fix}\, x.M : \sigma}$  (1)

This allows for the introduction of 'infinite objects' in a 'co-inductive type', by means of a 'guarded' (recursive) definition. Of course, one would like to have notions of co-inductive type and of guarded definition which are as liberal as possible and that are supported by an intuitive, i.e., semantic, interpretation. In Coquand's proposal, the predicate M ↓ x is defined by a straightforward analysis of the syntactic structure of the term. This is a syntactic approximation of the main issue, that is to know when the recursive definition fix x.M determines a unique total object. To answer this question we interpret co-inductive types in the category of per's (partial equivalence relations), a category of total computations, and we find that the guard predicate M ↓ x has a semantic analogue which can be stated as follows:
$\forall \alpha\; ((d, e) \in \mathcal{F}^{\alpha}_{\sigma} \Rightarrow (M[d/x], M[e/x]) \in \mathcal{F}^{\alpha+1}_{\sigma})$  (2)

where $\mathcal{F}_\sigma$ is a monotonic function on per's associated to the co-inductive type σ, and $\mathcal{F}^\alpha_\sigma$ is its α-th iteration, for α an ordinal. We propose to represent condition (2) in the syntax by introducing some extra notation. With the side conditions of rule (1), we introduce two types $\hat\sigma$ and $\hat\sigma^+$ which are interpreted respectively by $\mathcal{F}^\alpha_\sigma$ and $\mathcal{F}^{\alpha+1}_\sigma$. We can then replace the guard condition M ↓ x by the typing judgment $x : \hat\sigma \vdash M : \hat\sigma^+$ whose interpretation is basically condition (2). The revised typing system also includes: (1) Subtyping rules which relate a co-inductive type σ to its approximations $\hat\sigma$ and $\hat\sigma^+$, so that we will have: $\sigma \le \hat\sigma^+ \le \hat\sigma$. (2) Rules which overload the constructors of the co-inductive type, e.g., if f : σ → σ is a unary constructor over σ, then f will also have the type $\hat\sigma \to \hat\sigma^+$ (to be understood as $\forall\alpha\; (x \in \mathcal{F}^\alpha_\sigma \Rightarrow f(x) \in \mathcal{F}^{\alpha+1}_\sigma)$). The types σ → σ and $\hat\sigma \to \hat\sigma^+$ will be incomparable with respect to the subtyping relation. The idea of expressing the guard condition via approximating types, subtyping, and overloading can be traced back to Gimenez's system. Our contribution here is to provide a semantic framework which: (1) Justifies and provides an intuition for the typing rules. In particular, we will see how it is possible to understand Gimenez's system semantically. (2) Suggests new typing rules and simplifications of existing ones. In particular, we propose: (i) a rule to type nested recursive definitions, and (ii) a way to type recursive definitions without labelling types. (3) Can be readily adapted to prove strong normalization with respect to the confluent reduction relation introduced by Gimenez.
2 A simply typed calculus
We will carry on our study in a simply typed λ-calculus extended with co-inductive types.² Let F be a countable set of constructors. We let $f_1, f_2, \ldots$ range over F. Let tv be the set of type variables t, s, … The language of raw types is given by the following (informal) grammar:

$\tau ::= tv \mid (\tau \to \tau') \mid \nu t.(f_1 : \tau_1 \to t, \ldots, f_k : \tau_k \to t)$  (3)

where $\tau_i \to t$ stands for $\tau_{i,1} \to \cdots \to \tau_{i,n_i} \to t$ (→ associates to the right), and all $f_i$ are distinct. Intuitively, a type of the shape νt.(f₁ : τ₁ → t … f_k : τ_k → t) is well-formed if the type variable t occurs positively in the well-formed types $\tau_{i,j}$, for i = 1…k, j = 1…$n_i$. Note that the type variable t is bound by ν, and it can be renamed. We call types of this shape co-inductive types; the symbols f₁ … f_k represent the constructors of the type. We will denote co-inductive types with the letters σ, σ', σ₁, …, and unless specified otherwise, we will suppose that they have the generic form in (3). A precise definition of the well-formed types is given as follows.

Definition 1 (types). If τ is a raw type and s is a type variable then the predicates wf(τ) (well-formed), pos(s, τ) (positive occurrence only), and neg(s, τ) (negative occurrence only) are the least predicates which satisfy the following conditions. (1) If t ∈ tv then wf(t), pos(s, t), and neg(s, t) provided t ≠ s. (2) If wf(τ) and wf(τ') then wf(τ → τ'). Moreover, pos(s, τ → τ') if pos(s, τ') and neg(s, τ), and neg(s, τ → τ') if neg(s, τ') and pos(s, τ). (3) If σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t) and t ≠ s (otherwise rename t) then wf(σ) provided wf($\tau_{i,j}$) and pos(t, $\tau_{i,j}$) for i = 1…k, j = 1…$n_i$. Moreover, pos(s, σ) if pos(s, $\tau_{i,j}$) for i = 1…k, j = 1…$n_i$, and neg(s, σ) if neg(s, $\tau_{i,j}$) for i = 1…k, j = 1…$n_i$.

Example 1. Here are a few examples of well-formed co-inductive types where we suppose that the type τ is not bound by ν. (1) Infinite streams over τ: νs.(cons : τ → (s → s)). (2) Input-output processes over τ: νp.(nil : p, ! : τ → p → p, ? : (τ → p) → p). (3) An involution: νt.(inv : ((t → τ) → τ) → t). Definition 1 allows mutually recursive definitions. For instance, we can define processes over streams over processes …:

σ = νt.(nil : t, ! : σ' → t → t, ? : (σ' → t) → t),   σ' = νs.(cons : t → s → s).

² Per's interpretations support other relevant extensions of the type theory, including second-order types (see, e.g., [13]) and inductive types (see, e.g., [12]). As expected, an inductive type, e.g., μt.(nil : t, cons : o → t → t), is interpreted as the least fixpoint of the operator $\mathcal{F}$ described in section 3. It follows that there is a natural subtyping relation between the inductive type and the corresponding co-inductive type νt.(nil : t, cons : o → t → t).
These mutually recursive definitions lead to some complication in the typing of constructors. For instance, the type of cons should be ∀t.(t → σ' → σ'), and moreover we have to make sure that all occurrences of a cons have the same type (after unfolding). To make our analysis clearer, we prefer to gloss over these technical issues by taking a stronger definition of positivity. Thus, in the case (3) of Definition 1, we say pos(s, σ) (or neg(s, σ)) if s does not occur free in σ. In this way a type variable which is free in a co-inductive type cannot be bound by a ν.

Let v be the set of term variables x, y, … A context Γ is a possibly empty list $x_1 : \tau_1 \ldots x_n : \tau_n$, where all $x_i$ are distinct. Raw terms are defined by the following grammar:

$M ::= v \mid (\lambda v.M) \mid (M\,M) \mid f^\sigma \mid \mathrm{case}^\sigma \mid (\mathrm{fix}\, v.M)$.  (4)
We denote with FV(M) the set of variables occurring free in the term M. The typing rules are defined as follows:

$\frac{x : \tau \in \Gamma}{\Gamma \vdash x : \tau}$   $\frac{\Gamma, x : \tau \vdash M : \tau'}{\Gamma \vdash \lambda x.M : \tau \to \tau'}$   $\frac{\Gamma \vdash M : \tau' \to \tau \quad \Gamma \vdash N : \tau'}{\Gamma \vdash MN : \tau}$

Assuming σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t) and τ' → σ ≡ τ'₁ → … → τ'_m → σ (m ≥ 0):

$\Gamma \vdash f_i^\sigma : [\sigma/t]\tau_{i,1} \to \cdots \to [\sigma/t]\tau_{i,n_i} \to \sigma$

$\Gamma \vdash \mathrm{case}^\sigma : \sigma \to ([\sigma/t]\tau_1 \to \tau') \to \cdots \to ([\sigma/t]\tau_k \to \tau') \to \tau'$

$\frac{\Gamma, x : \tau' \to \sigma \vdash M : \tau' \to \sigma \quad M \downarrow x}{\Gamma \vdash \mathrm{fix}\, x.M : \tau' \to \sigma}$

The guard predicate 'M ↓ x' is left unspecified. Intuitively, this predicate has to guarantee that a recursive definition does determine a unique 'total' object. Before trying a formal definition, we will consider a few examples of recursive definitions, where we use the notation let x = M in N for (λx.N)M, and let application associate to the left.
Example 2. Let o be a basic type of numerals with constants 0 : o and suc : o → o. Let us first consider the type of infinite streams of numerals, with destructors head and tail:

$\sigma_1 = \nu t.(\mathrm{cons} : o \to (t \to t))$,  hd = λx.case$^{\sigma_1}$ x (λn.λy.n),  tl = λx.case$^{\sigma_1}$ x (λn.λy.y).

(1) We can introduce an infinite list of 0's as follows: fix x.cons$^{\sigma_1}$ 0 x.
(2) We can also define a function which adds 1 to every element of a stream: fix addl.λx.case$^{\sigma_1}$ x (λn.λx'.cons$^{\sigma_1}$ (suc n) (addl x')).
(3) Certain recursive definitions should not type, e.g., fix x.cons$^{\sigma_1}$ 0 (tl x). The equation does not determine a stream, as all streams of the form cons$^{\sigma_1}$ 0 x' give a solution.
(4) The function db doubles every element in the stream: fix db.λx.let n = (hd x) in cons$^{\sigma_1}$ n (cons$^{\sigma_1}$ n (db (tl x))).
(5) Next we work over the type σ₂ of finite and infinite streams. The function C concatenates two streams:

σ₂ = νt.(nil : t, cons : o → t → t),   C = fix conc.λx.λy.case$^{\sigma_2}$ x y (λn.λx'.(cons$^{\sigma_2}$ n (conc x' y))).

(6) Finally, we consider the type σ₃ of infinite binary trees whose nodes may have two colours, and the following recursive definition:

σ₃ = νt.(bin₁ : t → t → t, bin₂ : t → t → t),   (fix x.bin₁$^{\sigma_3}$ x (fix y.bin₂$^{\sigma_3}$ x y)).
We recall next Coquand's definition [4] of the guard predicate in the case the type theory includes just one co-inductive type, say σ = νt.(nil : t, cons : o → t → t).

Definition 2. Supposing Γ, x : τ' → σ ⊢ M : τ' → σ, we write M ↓ x if the judgment Γ, x : τ' → σ ⊢ M ↓⁰ x can be derived by the following rules, where n ranges over {0, 1}. The intuition is that 'x is guarded by at least a constructor in M'. For the sake of readability, we omit in the premisses the conditions that x : τ' → σ ∈ Γ and the terms have the right type.

$\frac{x \notin FV(M)}{\Gamma \vdash M \downarrow^n x}$   $\frac{x \notin FV(M_1) \quad \Gamma \vdash M_2 \downarrow^1 x}{\Gamma \vdash \mathrm{cons}^\sigma M_1 M_2 \downarrow^n x}$   $\frac{x \notin FV(N) \quad \Gamma \vdash M_1 \downarrow^n x \quad \Gamma \vdash M_2 \downarrow^n x}{\Gamma \vdash \mathrm{case}^\sigma N M_1 M_2 \downarrow^n x}$

$\frac{\Gamma, y : \tau \vdash M \downarrow^n x \quad y \neq x}{\Gamma \vdash \lambda y.M \downarrow^n x}$   $\frac{x \notin FV(M_j) \quad j = 1 \ldots m}{\Gamma \vdash x M_1 \ldots M_m \downarrow^1 x}$

Coquand's definition is quite restrictive. In particular: (i) it is unable to traverse β-redexes as in example 2(4), and (ii) it does not cope with nested recursive definitions as in example 2(6). We present in the next section a simple semantic framework which clarifies the typing issues and suggests a guard condition more powerful than the one above.
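As an added illustration (not code from the paper), the following checker implements the syntactic judgment M ↓ⁿ x of Definition 2 over a tuple encoding of the terms of Example 2; the constructor signature that marks which argument positions carry the co-inductive type (so that bin₁ and bin₂ are covered as well as cons) is a hypothetical generalisation of the cons rule. It accepts 2(1) and 2(2) and rejects 2(3), and also rejects 2(4) and 2(6), exactly the two limitations (i) and (ii) noted above.

```python
# Added example: Coquand's guard predicate M ↓^n x from Definition 2,
# run over the recursive definitions of Example 2.  Terms are tuples:
#   ('var', x)                variable
#   ('lam', x, M)             lambda abstraction
#   ('app', M, N)             application
#   ('con', f, [M1, .., Mn])  constructor application f M1 .. Mn
#   ('case', N, [B1, .., Bk]) case N B1 .. Bk
#   ('fix', x, M)             recursive definition
# Hypothetical generalisation: a signature says, per constructor, which
# argument positions are of the co-inductive type (the paper treats cons only).

def free_vars(term):
    kind = term[0]
    if kind == 'var':
        return {term[1]}
    if kind in ('lam', 'fix'):
        return free_vars(term[2]) - {term[1]}
    if kind == 'app':
        return free_vars(term[1]) | free_vars(term[2])
    if kind == 'con':
        return set().union(*(free_vars(m) for m in term[2]))
    if kind == 'case':
        return free_vars(term[1]).union(*(free_vars(b) for b in term[2]))
    raise ValueError(kind)

def spine(term):
    """Split an application M N1 .. Nm into its head M and its arguments."""
    args = []
    while term[0] == 'app':
        args.insert(0, term[2])
        term = term[1]
    return term, args

def guarded(term, x, n, sig):
    """Γ ⊢ term ↓^n x.  n = 0: no constructor crossed yet; n = 1: at least
    one constructor lies between the root and the current subterm."""
    if x not in free_vars(term):           # rule: x ∉ FV(M)
        return True
    kind = term[0]
    if kind == 'lam':                      # rule: λy.M with y ≠ x
        return term[1] != x and guarded(term[2], x, n, sig)
    if kind == 'con':                      # rule: cons M1 M2 (generalised)
        rec = sig[term[1]]
        return all(guarded(m, x, 1, sig) if r else x not in free_vars(m)
                   for m, r in zip(term[2], rec))
    if kind == 'case':                     # rule: case N M1 .. Mk
        return (x not in free_vars(term[1])
                and all(guarded(b, x, n, sig) for b in term[2]))
    if kind in ('var', 'app'):             # rule: x M1 .. Mm, only at n = 1
        head, args = spine(term)
        return (n == 1 and head == ('var', x)
                and all(x not in free_vars(a) for a in args))
    return False                           # no rule covers a nested fix

def coquand_guard(fix_term, sig):
    """M ↓ x for fix x.M, i.e. derive M ↓^0 x."""
    assert fix_term[0] == 'fix'
    return guarded(fix_term[2], fix_term[1], 0, sig)

# Small builders for readability.
def var(x): return ('var', x)
def lam(x, m): return ('lam', x, m)
def app(m, *ns):
    for n in ns:
        m = ('app', m, n)
    return m
def con(f, *ms): return ('con', f, list(ms))
def case(n, *bs): return ('case', n, list(bs))
def fix(x, m): return ('fix', x, m)

SIG = {'cons': [False, True], 'nil': [],
       'bin1': [True, True], 'bin2': [True, True]}

hd = lam('x', case(var('x'), lam('n', lam('y', var('n')))))
tl = lam('x', case(var('x'), lam('n', lam('y', var('y')))))

# 2(1): fix x.cons 0 x
zeros = fix('x', con('cons', var('0'), var('x')))
# 2(2): fix addl.λx.case x (λn.λx'.cons (suc n) (addl x'))
addl_body = con('cons', app(var('suc'), var('n')), app(var('addl'), var("x'")))
addl = fix('addl', lam('x', case(var('x'), lam('n', lam("x'", addl_body)))))
# 2(3): fix x.cons 0 (tl x), must be rejected
bad = fix('x', con('cons', var('0'), app(tl, var('x'))))
# 2(4): the let is a β-redex, so the check fails although the term is fine
db_body = con('cons', var('n'), con('cons', var('n'), app(var('db'), app(tl, var('x')))))
db = fix('db', lam('x', app(lam('n', db_body), app(hd, var('x')))))
# 2(6): nested fix, no rule applies
nested = fix('x', con('bin1', var('x'), fix('y', con('bin2', var('x'), var('y')))))

EXAMPLES = {'zeros': zeros, 'addl': addl, 'bad': bad, 'db': db, 'nested': nested}

def check_all():
    return {name: coquand_guard(t, SIG) for name, t in EXAMPLES.items()}

if __name__ == '__main__':
    for name, ok in check_all().items():
        print(name, 'guarded' if ok else 'REJECTED')
```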
3 Interpretation
In this section we present an interpretation of the calculus in the well-known category of partial equivalence relations (per's) over a λ-model (cf., e.g., [19]). Let (D, ·, k, s, ε) be a λβ-model (cf. [2]). We often write de for d · e. We denote with A, B, … binary relations over D. We write d A e for (d, e) ∈ A and we set: $[d]_A = \{e \in D \mid d\,A\,e\}$, $|A| = \{d \in D \mid d\,A\,d\}$, and $[A] = \{[d]_A \mid d \in |A|\}$.

Definition 3 (partial equivalence relations). Let D be a λ-model. The category of per's over D ($\mathbf{per}_D$) is defined as follows:

$\mathbf{per}_D = \{A \mid A \subseteq D \times D \text{ and } A \text{ is symmetric and transitive}\}$
$\mathbf{per}_D[A, B] = \{f : [A] \to [B] \mid \exists \phi \in D\; (\phi \Vdash f : A \to B)\}$
$\phi \Vdash f : A \to B$ iff $\forall d \in D\; (d \in |A| \Rightarrow \phi d \in f([d]_A))$.

We will use the λ-notation to denote elements of the λ-model D. E.g., λx.x ⊩ f stands for $(\lambda x.x)_D \Vdash f$. The category $\mathbf{per}_D$ has a rich structure, in particular it has finite products, finite sums, and exponents, whose construction is recalled below.

Products: $d\,(A_1 \times \cdots \times A_n)\,e$ iff $\forall i \in \{1 \ldots n\}\; (p_i d)\,A_i\,(p_i e)$, where $p_i = \lambda u.u(\lambda x_1 \ldots \lambda x_n.x_i)$ and $p_i \Vdash \pi_i : \Pi_{i=1\ldots n} A_i \to A_i$; the pairing $\langle f_1, \ldots, f_n \rangle : C \to \Pi_{i=1\ldots n} A_i$ is realized accordingly.

Sums: $d\,(A_1 + \cdots + A_n)\,e$ iff $\exists i \in \{1 \ldots n\}\; (d = j_i d',\ e = j_i e' \text{ and } d'\,A_i\,e')$, where $j_i = \lambda u.\lambda y_1 \ldots \lambda y_n.y_i u$ and $j_i \Vdash \mathrm{in}_i : A_i \to \Sigma_{i=1\ldots n} A_i$; if $\phi_i \Vdash f_i : A_i \to C$ then $\lambda d.d\,\phi_1 \ldots \phi_n \Vdash [f_1, \ldots, f_n] : \Sigma_{i=1\ldots n} A_i \to C$.

Exponents: $d\,(A \to B)\,e$ iff $\forall d', e'\; (d'\,A\,e' \Rightarrow (dd')\,B\,(ee'))$, where $\lambda d.(p_1 d)(p_2 d) \Vdash \mathrm{ev} : B^A \times A \to B$, and if $\phi \Vdash f : C \times A \to B$ then $\lambda d.\lambda d'.\phi(\lambda u.u\,d\,d') \Vdash \Lambda(f) : C \to B^A$.

As degenerate cases of empty product and empty sum we get terminal and initial objects: 1 = D × D with λx.x ⊩ ! : A → 1, and 0 = ∅ with λx.x ⊩ ! : 0 → A.
We denote with η : tv → $\mathbf{per}_D$ type environments. The interpretation of type variables and higher types is then given as follows:

$[t]_\eta = \eta(t)$,   $[\tau \to \tau']_\eta = [\tau]_\eta \to [\tau']_\eta$.

As for co-inductive types, given a type σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t) and a type environment η, we define a function $\mathcal{F}_{\sigma,\eta}$ on $\mathbf{per}_D$ as follows:

$\mathcal{F}_{\sigma,\eta}(A) = \Sigma_{i=1\ldots k}\,(\Pi_{j=1\ldots n_i}\,[\tau_{i,j}]_{\eta[A/t]})$.  (5)

We then observe that $\mathbf{per}_D$ is a complete lattice with respect to set-inclusion, and that thanks to the positivity condition in the definition of co-inductive type, $\mathcal{F}_{\sigma,\eta}$ is monotonic on $\mathbf{per}_D$. Therefore we can define (gfp stands for greatest fixpoint):

$[\sigma]_\eta = \bigcup \{A \mid A \subseteq \mathcal{F}_{\sigma,\eta}(A)\}$  (= gfp($\mathcal{F}_{\sigma,\eta}$)).  (6)

In general, if f is a monotonic function over a poset with greatest element ⊤ and glb's, we define the iteration $f^\alpha$, for α an ordinal, as follows:

$f^0 = \top$,   $f^{\alpha+1} = f(f^\alpha)$,   $f^\lambda = \bigwedge_{\alpha < \lambda} f^\alpha$  (λ a limit ordinal).
With this notation, we have gfp($\mathcal{F}_{\sigma,\eta}$) = $\mathcal{F}^\alpha_{\sigma,\eta}$ for some ordinal α. Since $\mathbf{per}_D$ is a CCC there is a canonical interpretation of the simply typed λ-calculus. The interpretation of constructors and case is driven by equation (5). Note that to validate the typing rules it is enough to know that the interpretation of a co-inductive type is a fixpoint of the related functional defined by equation (5) (as a matter of fact, these rules are sound also for inductive types). The interpretation of fix is more problematic (and represents the original contribution of this section as far as semantics is concerned). We proceed as follows:
- We define an erasure function er from the terms in the language to (pure) untyped λ-terms, and we interpret the untyped λ-terms in the λ-model D. This interpretation is always well-defined as the λ-model accommodates arbitrary recursive definitions.
- We see what it takes for the interpretation of (the erasure of) a fixpoint to be in the corresponding type interpretation, and we derive a suitable guard condition which is expressed by additional typing rules in a suitably enriched language.
- We prove soundness of the interpretation with respect to the enriched typing system.

Definition 4 (erasure). We define an erasure function from terms to (pure) untyped λ-terms, by induction on the structure of the term (assuming σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t)).

er(x) = x
er(λx.M) = λx.er(M)
er(MN) = er(M) er(N)
er($f_i^\sigma$) = $\lambda x_1 \ldots \lambda x_{n_i}.\lambda y_1 \ldots \lambda y_k.y_i(\lambda u.u\,x_1 \ldots x_{n_i})$
er(case$^\sigma$) = $\lambda x.\lambda y_1 \ldots \lambda y_k.x\,U(y_1) \ldots U(y_k)$  with $U(y_i) = \lambda u.y_i(p_1 u) \ldots (p_{n_i} u)$
er(fix x.M) = Y(λx.er(M))  with Y = λf.(λx.f(xx))(λx.f(xx)).

If $n_i$ = 0 then we have er($f_i^\sigma$) = $\lambda y_1 \ldots \lambda y_k.y_i(\lambda u.u)$ and $U(y_i) = \lambda u.y_i$. If k = 1 then the definitions simplify to er($f_1^\sigma$) = $\lambda x_1 \ldots \lambda x_{n_1}.\lambda u.u\,x_1 \ldots x_{n_1}$ and er(case$^\sigma$) = $\lambda x.\lambda y_1.y_1(p_1 x) \ldots (p_{n_1} x)$. The erasures of $f_i^\sigma$ and case$^\sigma$ are designed to fit the per interpretation of co-inductive types, in particular they rely on the definition of sum and product in $\mathbf{per}_D$.

We sketch with an informal notation an instance of our semantic analysis. We write ⊨ P : τ if P [τ] P. The typing rule for recursive definitions is sound if we can establish:

⊨ Y(λx.er(M)) : σ.  (7)

Given the iterative definition of the interpretation of the co-inductive type σ, we can try to prove:

∀α ordinal  ⊨ Y(λx.er(M)) : $\mathcal{F}^\alpha_\sigma$  (8)

by induction on the ordinal α. The case α = 0 is trivial since $\mathcal{F}^0_\sigma$ = 1, and the case α a limit ordinal follows by an exchange of universal quantifications. For the case α = α' + 1, it would be enough to know:

∀α (⊨ Y(λx.er(M)) : $\mathcal{F}^\alpha_\sigma$ ⇒ ⊨ Y(λx.er(M)) : $\mathcal{F}^{\alpha+1}_\sigma$).  (9)

Since Y(λx.er(M)) = [Y(λx.er(M))/x]er(M), property (9) is implied by the following property:

∀α, P (⊨ P : $\mathcal{F}^\alpha_\sigma$ ⇒ ⊨ [P/x]er(M) : $\mathcal{F}^{\alpha+1}_\sigma$).  (10)
In order to represent this condition in the syntax, we parameterize the type interpretation on an ordinal α, and we introduce types $\hat\sigma$ and $\hat\sigma^+$ so that $[\hat\sigma]^\alpha = \mathcal{F}^\alpha_\sigma$ and $[\hat\sigma^+]^\alpha = \mathcal{F}^{\alpha+1}_\sigma$. Property (10) is then expressed by the judgment $x : \hat\sigma \vdash M : \hat\sigma^+$. Let T be the set of types specified in Definition 1. We define the set T' as the least set such that: (i) T ⊆ T', (ii) if σ ∈ T is a co-inductive type then $\hat\sigma$ ∈ T' and $\hat\sigma^+$ ∈ T', and (iii) if τ ∈ T' and τ' ∈ T' then τ → τ' ∈ T'. We also define the set T⁺ as the set of types in T' such that all types of the form $\hat\sigma$ and $\hat\sigma^+$ appear in positive position (the interpretation of these types is going to be anti-monotonic in the ordinal). If Γ is a context then T(Γ) = {τ | x : τ ∈ Γ}. The revised typing system contains the typing rules presented in section 2 (applied with the enriched set of types) but for the rule for fix, which is replaced by the rules displayed below. Of course, all the rules are applied on the enriched set of types, and under the hypothesis that all types are well-formed.

Assuming σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t) and τ' → σ ≡ τ'₁ → … → τ'_m → σ (m ≥ 0):

$\frac{T(\Gamma) \cup \{\tau'_1 \ldots \tau'_m\} \subseteq T \quad \Gamma, x : \tau' \to \hat\sigma \vdash M : \tau' \to \hat\sigma^+}{\Gamma \vdash \mathrm{fix}\, x.M : \tau' \to \sigma}$

$\frac{T(\Gamma) \cup \{\tau'_1 \ldots \tau'_m\} \subseteq T^+ \quad \Gamma, x : \tau' \to \hat\sigma \vdash M : \tau' \to \hat\sigma^+}{\Gamma \vdash \mathrm{fix}\, x.M : \tau' \to \rho}$  (ρ ∈ {$\hat\sigma$, $\hat\sigma^+$})

$\Gamma \vdash f_i^\sigma : [\hat\sigma/t]\tau_{i,1} \to \cdots \to [\hat\sigma/t]\tau_{i,n_i} \to \hat\sigma^+$

$\frac{\Gamma \vdash M : \tau \quad \tau \le \tau'}{\Gamma \vdash M : \tau'}$

$\Gamma \vdash \mathrm{case}^\sigma : \hat\sigma^+ \to ([\hat\sigma/t]\tau_1 \to \tau') \to \cdots \to ([\hat\sigma/t]\tau_k \to \tau') \to \tau'$

together with the subtyping axioms $\sigma \le \hat\sigma^+$ and $\hat\sigma^+ \le \hat\sigma$ and the usual rule lifting ≤ to function types.

We give some motivation and intuition for these rules. In the first rule, the condition M ↓ x is replaced by the typing judgment $\Gamma, x : \tau' \to \hat\sigma \vdash M : \tau' \to \hat\sigma^+$. The second rule for fix is used to type nested fixpoints as in example 2(6). In the rules for fix, the side conditions T(Γ) ∪ {τ'₁ … τ'_m} ⊆ T and T(Γ) ∪ {τ'₁ … τ'_m} ⊆ T⁺ guarantee independence and anti-monotonicity, respectively, of the type interpretation with respect to the ordinal parameter.
The additional rule for the constructors $f_i$ is needed to introduce terms of type $\hat\sigma^+$. Note that in this way we overload the constructors $f_i$ by giving them two related types (but incomparable with respect to subtyping). There is also a related rule which overloads the destructor case. The remaining rules just state the subtyping relations between σ, $\hat\sigma$, and $\hat\sigma^+$, and the way this relation is lifted to higher-order types. The obvious transitivity rule for the subtyping relation ≤ can be derived. Types with the relation ≤ form a quite simple partial order. In particular, if R = ≤ ∪ ≤⁻¹ then {τ' | τ R* τ'} is finite. We state some basic properties of the typing system.

Lemma 5.
(1) Exchange. If Γ, x : τ₁, y : τ₂, Γ' ⊢ M : τ then Γ, y : τ₂, x : τ₁, Γ' ⊢ M : τ (with a proof of the same depth).
(2) Remove. If Γ, x : τ' ⊢ M : τ and x ∉ FV(M), then Γ ⊢ M : τ.
(3) Weakening (restricted). If Γ ⊢ M : τ, x fresh, and either τ' ∈ T or fix does not occur in M, then Γ, x : τ' ⊢ M : τ.
(4) Transitivity. If ⊢ τ ≤ τ' and ⊢ τ' ≤ τ'' then ⊢ τ ≤ τ''.
(5) Substitution. If Γ, x : τ' ⊢ M : τ and Γ ⊢ N : τ' then Γ ⊢ [N/x]M : τ.
The terms typable using Coquand's guard condition are strictly contained in the terms typable in the proposed typing system (as a matter of fact, all examples in Example 2 (but (3) of course) can be typed). This is a consequence of the following lemma.

Lemma 6.
(1) If Γ, x : τ → σ ⊢ M : τ', x ∉ FV(M), and M has no occurrence of fix, then Γ, x : τ → $\hat\sigma$ ⊢ M : τ'.
(2) If Γ, x : τ → σ ⊢ M ↓¹ x then Γ, x : τ → $\hat\sigma$ ⊢ M : τ → $\hat\sigma$.
(3) If Γ, x : τ → σ ⊢ M ↓⁰ x then Γ, x : τ → $\hat\sigma$ ⊢ M : τ → $\hat\sigma^+$.

We parameterize the type interpretation on an ordinal α, and we define for σ = νt.(f₁ : τ₁ → t … f_k : τ_k → t):

$[t]^\alpha_\eta = \eta(t)$
$[\tau \to \tau']^\alpha_\eta = [\tau]^\alpha_\eta \to [\tau']^\alpha_\eta$
$\mathcal{F}_{\sigma,\eta,\alpha}(A) = \Sigma_{i=1\ldots k}\,(\Pi_{j=1\ldots n_i}\,[\tau_{i,j}]^\alpha_{\eta[A/t]})$
$[\sigma]^\alpha_\eta = \mathrm{gfp}(\mathcal{F}_{\sigma,\eta,\alpha})$
$[\hat\sigma]^\alpha_\eta = \mathcal{F}^\alpha_{\sigma,\eta,\alpha}$
$[\hat\sigma^+]^\alpha_\eta = \mathcal{F}^{\alpha+1}_{\sigma,\eta,\alpha}$

Remark. If τ ∈ T then $[\tau]^\alpha_\eta$ does not depend on α. In particular, if $\hat\sigma$ ∈ T' or $\hat\sigma^+$ ∈ T' then σ ∈ T and therefore $\mathcal{F}_{\sigma,\eta,\alpha} = \mathcal{F}_{\sigma,\eta}$. If τ ∈ T⁺ and α ≤ α' then $[\tau]^{\alpha'}_\eta \subseteq [\tau]^\alpha_\eta$, since the types of the shape $\hat\sigma$ and $\hat\sigma^+$ occur in positive position.

Let us now consider the soundness of the typing rules. If P is a pure λ-term, we write $x_1 : \tau_1 \ldots x_n : \tau_n \models P : \tau$ if

$\forall \alpha, \eta\; ((\forall i \in \{1 \ldots n\}\; d_i\,[\tau_i]^\alpha_\eta\,d'_i) \Rightarrow ([d/x]P)\,[\tau]^\alpha_\eta\,([d'/x]P))$.

Proposition 7 (soundness). If Γ ⊢ M : τ then Γ ⊨ er(M) : τ.
It follows from Proposition 7 that: ⊢ M : τ ⇒ er(M) ∈ |[τ]|. This result justifies the interpretation of a typed term as the equivalence class of its erasure (it is straightforward to adapt this interpretation to take into account contexts and environments). Thus, if ⊢ M : τ, then we set [M] = $[er(M)]_{[\tau]}$. Clearly, there is a trade-off between power and simplicity/decidability of the type system. Our contribution here is to offer a framework in which this trade-off can be studied, and to extract from it one possible type system. We will see in section 4 that this 'experimental' type system has some desirable syntactic properties, and we will discuss its relationships with Gimenez's system. We hint here, by example, at limits and possible extensions of the system.

(1) The following two definitions 'make sense' but are not typable. Here we work with the type of infinite streams σ = νt.(cons : o → t → t):
- If x is a stream of numerals we denote with $x_i$ its i-th element. We define a function F such that $F(x)_i = \mathrm{suc}^{2^i}(x_i)$, for i ∈ ω:

F = fix f.λx.cons$^\sigma$ (suc (hd x)) (f (f (tl x))).  (11)

- A 'constant' definition which determines the infinite stream of 0's: fix x.case$^\sigma$ x (λn.λy.(fix x'.cons$^\sigma$ 0 x')).

(2) We can soundly generalize the two rules for fix as follows:

$\frac{T(\Gamma) \cup \{\tau'_1 \ldots \tau'_m\} \subseteq T \quad pos(t, \tau'_i) \quad \Gamma, x : [\sigma/t](\tau' \to t) \vdash M : [\sigma/t](\tau' \to t) \quad \Gamma, x : [\hat\sigma/t](\tau' \to t) \vdash M : [\hat\sigma^+/t](\tau' \to t)}{\Gamma \vdash \mathrm{fix}\, x.M : [\sigma/t](\tau' \to t)}$

$\frac{T(\Gamma) \cup \{\tau'_1 \ldots \tau'_m\} \subseteq T^+ \quad pos(t, \tau'_i) \quad \Gamma, x : [\hat\sigma/t](\tau' \to t) \vdash M : [\hat\sigma^+/t](\tau' \to t)}{\Gamma \vdash \mathrm{fix}\, x.M : [\rho/t](\tau' \to t)}$  (12)

where ρ ∈ {$\hat\sigma$, $\hat\sigma^+$}. These rules are particularly powerful and will be analysed in a forthcoming paper. For instance, they can be used to type: the representation of a sequential circuit as a function over streams of booleans (we found the rules trying this example), the example (11) above, and a tail append function.
(3) One may consider the extension of the type system with a finite or infinite hierarchy of approximating types, say: σ ≤ … ≤ $\hat\sigma^{+++}$ ≤ $\hat\sigma^{++}$ ≤ $\hat\sigma^+$ ≤ $\hat\sigma$.

Next we turn to equations. We say that an equation M = N : τ is valid in the per interpretation, if

∀Γ (Γ ⊢ M : τ and Γ ⊢ N : τ ⇒ Γ ⊨ M = N : τ),

where $x_1 : \tau_1 \ldots x_n : \tau_n \models M = N : \tau$ if

$\forall \alpha, \eta\; ((\forall i \in \{1 \ldots n\}\; d_i\,[\tau_i]^\alpha_\eta\,d'_i) \Rightarrow ([d/x]er(M))\,[\tau]^\alpha_\eta\,([d'/x]er(N)))$.
Reasoning at the level of erasures, it is easy to derive some valid equations.

Proposition 8 (valid equations). The following equations are valid in the per interpretation:
(β) (λx.M)N = [N/x]M : τ
(η) λx.(Mx) = M : τ → τ'  (x ∉ FV(M))
(case) (case$^\sigma$ ($f_i^\sigma M_1 \ldots M_{n_i}$) $N_1 \ldots N_k$) = $N_i M_1 \ldots M_{n_i}$ : τ
(case_η) (case$^\sigma$ x $f_1^\sigma \ldots f_k^\sigma$) = x : σ
(fix) fix x.M = [fix x.M/x]M : τ → σ.
The following proposition introduces an important principle to prove the equality of terms of co-inductive type.

Proposition 9 (unique fixed point). Suppose $\Gamma \vdash N : \tau' \to \sigma$, $\Gamma \vdash N' : \tau' \to \sigma$, $\Gamma, x : \tau' \to \hat\sigma \vdash M : \tau' \to \hat\sigma^+$, and $T(\Gamma) \cup \{\tau'\} \subseteq T$. Then $\Gamma \models [N/x]M = N :$

Proposition 9 resembles Banach's theorem: contractive functions have a unique fixed point (in our case, 'contractive' is replaced by 'guarded'). Combining with unfolding (fix), one can then prove equivalences such as (cf. [18]):

$$fix\,x.cons\,n\,(cons\,n\,x) = fix\,x.cons\,n\,x.$$
An interesting question is whether the interpretation identifies as many closed terms of co-inductive type as possible. We consider this question for the type of streams of numerals $\sigma = \nu t.(cons : o \to t \to t)$ (cf. example 2) and leave the generalization to a following paper. Suppose that for $M, N$ closed terms of type $o$ we have: $M = N : o$ iff $\models M = N : o$, where the left equality denotes conversion. We define a simulation relation $\sim$ over the closed terms of type $\sigma$, say $\Lambda^0_\sigma$, as $\sim\; = \bigcap_{n < \omega} \sim^n$, where:

$$\sim^0 \;=\; \Lambda^0_\sigma \times \Lambda^0_\sigma \qquad \sim^{n+1} \;=\; \{(M, N) \mid hd\,M = hd\,N \text{ and } (tl\,M, tl\,N) \in\; \sim^n\}. \qquad (13)$$

Equivalently, we can characterize $\sim$ as: $M \sim N$ iff $\forall n \in \omega\;\; hd(tl^n M) = hd(tl^n N)$.

Clearly $\sim$ is the largest (sensible) equivalence we can expect on $\Lambda^0_\sigma$. We can show that this equivalence is precisely that induced by the per's interpretation.

Proposition 10. Let $M, N \in \Lambda^0_\sigma$. Then $M \sim N$ iff $\models M = N : \sigma$.

4 Reduction
It is easy to see that the equality induced by the per's interpretation on co-inductive types is in general undecidable (e.g., let the $n$-th element of a stream witness the termination of a Turing machine after $n$ steps). In the presence of dependent types (like in the Calculus of Constructions), it is imperative to have a theory of conversion which is decidable. Thus the approach is to: (i) consider a weaker (but decidable) notion of conversion on terms, and (ii) define in the logical system a notion of term equivalence which captures the intended meaning, e.g., using a notion of simulation as in (13). A standard way to achieve decidability for an equational theory is to exhibit a rewriting system which is confluent and terminating. In order to achieve termination, the unfolding of fixpoints has to be restricted somehow. Gimenez has proposed a solution in which fix is unfolded only under a case. Intuitively, fix is considered as an additional constructor which can be simplified only when it meets the corresponding destructor.³ In the following we will simplify the matter by ignoring the extensional rules:

$$(\lambda x.M)N \;\to\; [N/x]M$$
$$case^\sigma\,(f_i\,\vec M)\,\vec N \;\to\; N_i\,\vec M$$
$$case^\sigma\,((fix\,x.M)\,\vec M')\,\vec N \;\to\; case^\sigma\,(([fix\,x.M/x]M)\,\vec M')\,\vec N$$
We also denote with $\to$ the compatible closure of the rules above. It is easily seen that the resulting rewriting system is locally confluent. Subject reduction is stated as follows.

Proposition 11. If $\Gamma \vdash M : \tau$ and $M \to M'$ then $\Gamma \vdash M' : \tau$.
The strong normalization proof is based on an interpretation of types as reducibility candidates. We outline the construction (which is quite similar to the one for per's) by assuming that there is just one ground type $o$ and one co-inductive type $\sigma = \nu t.(cons : o \to t \to t)$. Let $SN$ be the set of strongly normalizing terms. We say that a term is not neutral if it has one of the shapes (we omit the type labels on cons and case): $\lambda x.M$, $cons\,\vec M$, $(fix\,x.M)\,\vec M'$, $case$, $case\,(cons\,M_1\,M_2)$, $case\,((fix\,x.M)\,\vec M')$. We note a fundamental property of neutral terms.

Lemma 12. If $M$ is neutral, then for any term $N$, $MN$ and $case\,M\,N$ are neutral, and they are not redexes.
Therefore a reduction of $MN$ (or $case\,M\,N$) is either a reduction of $M$ or a reduction of $N$. Following closely [10], we define the collection of reducibility candidates.

Definition 13. The set of terms $X$ belongs to the collection $RC$ of reducibility candidates if:
(C1) $X \subseteq SN$.
(C2) If $M \in X$ and $M \to M'$ then $M' \in X$.
(C3) If $M$ is neutral and $\forall M'\,(M \to M' \Rightarrow M' \in X)$ then $M \in X$.

The following are standard properties of reducibility candidates (but for (P5) and (P6), which mutatis mutandis appear in [8]):

Proposition 14. The set $RC$ enjoys the following properties:
(P1) $SN \in RC$.
(P2) If $X \in RC$ then $x \in X$. Hence $X \neq \emptyset$.
(P3) If $X, Y \in RC$ then $X \to Y = \{M \mid \forall N \in X\;(MN \in Y)\} \in RC$.
(P4) If $\forall i \in I\; X_i \in RC$ then $\bigcap_{i \in I} X_i \in RC$.
(P5) If $X \in RC$ then $\mathcal N(X) = \{M \mid \forall Y \in RC\; \forall P \in SN \to X \to Y\;\; (case\,M\,P \in Y)\} \in RC$.
(P6) If $X \subseteq X'$ then $\mathcal N(X) \subseteq \mathcal N(X')$.

³ Another possible approach is to stop unfolding under a constructor. However this leads to a non-confluent system (exactly as in a 'weak' λ-calculus where reduction stops at λ's).
We can then define the type interpretation, which is (again) parameterized on an ordinal $\alpha$ (of course, we take $\mathcal N^0 = SN$):

$$[\![o]\!]^\alpha = SN \qquad [\![\sigma]\!]^\alpha = gfp(\mathcal N) \qquad [\![\tau \to \tau']\!]^\alpha = [\![\tau]\!]^\alpha \to [\![\tau']\!]^\alpha \qquad [\![\hat\sigma]\!]^\alpha = \mathcal N^\alpha \qquad [\![\hat\sigma^+]\!]^\alpha = \mathcal N^{\alpha+1}.$$

We define $x_1 : \tau_1 \ldots x_n : \tau_n \models_{RC} M : \tau$ if $\forall \alpha\;((\forall i \in \{1 \ldots n\}\; P_i \in [\![\tau_i]\!]^\alpha) \Rightarrow [P_1/x_1 \ldots P_n/x_n]M \in [\![\tau]\!]^\alpha)$. We can then state the following result, from which strong normalization immediately follows by taking $P_i = x_i$.

Proposition 15 (strong normalization). If $\Gamma \vdash M : \tau$ then $\Gamma \models_{RC} M : \tau$.
Remark. From these results, we can conclude that it is always better to normalize the body $M$ of a recursive definition $fix\,x.M$ before checking the guard condition. Consider, e.g., $M = (\lambda z.case\,z\,(\lambda n.\lambda z'.z'))\,(cons\,n\,(cons\,n\,x))$. This term cannot be typed, but if $M'$ is the normal form of $M$ then $fix\,x.M'$ can be typed.
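The Remark can be tried mechanically. The Python below is an added example, not code from the paper or from Coq: it implements the three reduction rules of this section on an untyped term language in which fix is applied to no arguments, cons is a binary constructor and case takes a single branch function, and adds a simplified syntactic constructor-guard check in the spirit of Gimenez's condition. That check and the term representation are assumptions of the example, not the paper's type system; substitution assumes bound names are distinct from free names (Barendregt convention). It shows that the body M of the Remark is rejected by the guard as written but accepted once normalized to cons n x, and that a fix outside any case is already in normal form, so fix alone never unfolds.

```python
# Term constructors: 'var', 'lam', 'app', 'cons', 'case', 'fix'.  This is the simplified
# calculus of the Reduction section: beta, case on cons, and fix unfolding only under case.
# Assumption: bound names never clash with free names, so subst does not rename binders.
def var(x): return ('var', x)
def lam(x, b): return ('lam', x, b)
def app(f, a): return ('app', f, a)
def cons(h, t): return ('cons', h, t)
def case(s, f): return ('case', s, f)          # case s f  -->  f hd tl   when s = cons hd tl
def fix(x, b): return ('fix', x, b)


def subst(t, x, s):
    """t[s/x]; stops at a binder that rebinds x."""
    k = t[0]
    if k == 'var':
        return s if t[1] == x else t
    if k in ('lam', 'fix'):
        return t if t[1] == x else (k, t[1], subst(t[2], x, s))
    return (k, subst(t[1], x, s), subst(t[2], x, s))


def step(t):
    """One leftmost-outermost reduction step, or None if t is in normal form."""
    k = t[0]
    if k == 'app' and t[1][0] == 'lam':                 # (lam x.M) N  -->  M[N/x]
        return subst(t[1][2], t[1][1], t[2])
    if k == 'case' and t[1][0] == 'cons':               # case (cons M1 M2) N  -->  N M1 M2
        return app(app(t[2], t[1][1]), t[1][2])
    if k == 'case' and t[1][0] == 'fix':                # fix unfolds only under a case
        f = t[1]
        return case(subst(f[2], f[1], f), t[2])
    if k == 'var':
        return None
    if k in ('lam', 'fix'):
        r = step(t[2])
        return None if r is None else (k, t[1], r)
    for i in (1, 2):                                    # compatible closure
        r = step(t[i])
        if r is not None:
            return (k, r, t[2]) if i == 1 else (k, t[1], r)
    return None


def normalize(t, fuel=10000):
    """Iterate step; fuel bounds the search so an ill-typed term cannot loop forever."""
    while fuel:
        r = step(t)
        if r is None:
            return t
        t, fuel = r, fuel - 1
    raise RuntimeError("no normal form reached within fuel")


def guarded(x, t, st='top'):
    """Simplified constructor-guard check for the recursive variable x (an assumption of this
    example, not the paper's type system).  st is 'top' (no constructor above yet), 'ok'
    (strictly under cons, x may occur) or 'bad' (inside an argument of an unknown function or
    a case scrutinee, where x must not occur).  A corecursive call 'x a' is accepted only
    when st is 'ok' and a does not mention x."""
    k = t[0]
    if k == 'var':
        return t[1] != x or st == 'ok'
    if k in ('lam', 'fix'):
        return t[1] == x or guarded(x, t[2], st)
    if k == 'cons':
        st2 = 'bad' if st == 'bad' else 'ok'
        return guarded(x, t[1], st2) and guarded(x, t[2], st2)
    if k == 'app':
        if t[1] == var(x):
            return st == 'ok' and guarded(x, t[2], 'bad')
        return guarded(x, t[1], 'bad') and guarded(x, t[2], 'bad')
    return guarded(x, t[1], 'bad') and guarded(x, t[2], st)   # case: scrutinee is 'bad'


def guard_before_and_after(x, body):
    """(guarded(x, body), guarded(x, normal form of body)) for the definition fix x.body."""
    return guarded(x, body), guarded(x, normalize(body))


# The body M of the Remark, (lam z.case z (lam h.lam t.t)) (cons n (cons n x)), with the
# branch binders renamed to h, t so that they do not clash with the free variable n.
REMARK_M = app(lam('z', case(var('z'), lam('h', lam('t', var('t'))))),
               cons(var('n'), cons(var('n'), var('x'))))
```

Calling `guard_before_and_after('x', REMARK_M)` gives `(False, True)`: the recursive variable sits inside the argument of an application, which the guard cannot see through, whereas `normalize(REMARK_M)` is `cons n x`, which is guarded. The `fuel` bound in `normalize` is there because reduction of an ill-typed term is not guaranteed to terminate; well-typed terms terminate by Proposition 15.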
In his thesis, Gimenez has studied an extension of the calculus of constructions with the co-inductive type of finite and infinite streams (cf. example 2(5)). In the Coq system, the user can actually introduce other co-inductive types. Among the examples of co-inductive type considered in this paper, the type in example 1(3) is the only one which is rejected. The reason is that Coq relies on a stricter notion of positivity to avoid some consistency problems which arise at higher-order types [9]. It should be noted that the Coq implementation of co-inductive types was developed before the type theory was settled, and cannot be considered as a faithful implementation of it. We sketch a semantic reconstruction of Gimenez's system. In the interpretation studied in section 3, all approximating types are assigned the same ordinal. We might consider a more liberal system in which different ordinals can be assigned to different approximating types. However, to express the guard condition, we still need a linguistic mechanism to say in which cases the ordinal assignment really has to be the same. Following this intuition, we label the approximating types with the intention to assign an ordinal to each label. As before, we restrict our attention to the type of infinite streams, say $\sigma$ with constructor $cons : o \to \sigma \to \sigma$. The collection of types is then defined as follows:

$$\tau ::= o \mid \sigma \mid \sigma^x \mid \sigma^{x+1} \mid (\tau \to \tau) \qquad (14)$$
Roughly, we replace the approximating type $\hat\sigma$ with the types $\sigma^x$ and the type $\hat\sigma^+$ with the types $\sigma^{x+1}$, where $x$ is a label which we take for convenience as ranging over the set of term variables $x, y, \ldots$ (any other infinite set would do). More precisely, if $h$ denotes an assignment from variables to ordinals then we define a type interpretation parametric in $h$:

$$[\![o]\!]^h = O \;\;(\text{for some chosen per } O) \qquad [\![\sigma]\!]^h = gfp(\mathcal F) \qquad [\![\sigma^x]\!]^h = \mathcal F^{h(x)}$$
$$[\![\tau \to \tau']\!]^h = [\![\tau]\!]^h \to [\![\tau']\!]^h \qquad \mathcal F(A) = O \times A \qquad [\![\sigma^{x+1}]\!]^h = \mathcal F^{h(x)+1}.$$
If $P$ is a pure λ-term, we write $x_1 : \tau_1 \ldots x_n : \tau_n \models P : \tau$ if

$$\forall h\;\big((\forall i \in \{1 \ldots n\}\; d_i\,[\![\tau_i]\!]^h\,d'_i) \;\Rightarrow\; (P[d/x]\;[\![\tau]\!]^h\;P[d'/x])\big).$$
We now turn to syntax. Let $var(\tau)$ be the set of variables which occur in the type $\tau$. If $\Gamma$ is a context, we also define $var(\Gamma) = \bigcup\{var(\tau) \mid x : \tau \in \Gamma\}$. If $x$ is a variable, we define $T^+(x)$ as the set of types such that all subtypes of the form $\sigma^x$ or $\sigma^{x+1}$ occur in positive position. Following the interpretation above, the typing rules for, e.g., fix can be formulated as follows, where $\tau' \to \sigma^u$ abbreviates $\tau_1 \to \cdots \to \tau_m \to \sigma^u$, $m \ge 0$, and $u$ can be a label or nothing:

$$\frac{x \notin var(\Gamma) \cup \bigcup\{var(\tau_i) \mid i = 1 \ldots m\} \quad \Gamma, x : \tau' \to \sigma \vdash M : \tau' \to \sigma \quad \Gamma, x : \tau' \to \sigma^x \vdash M : \tau' \to \sigma^{x+1}}{\Gamma \vdash fix\,x.M : \tau' \to \sigma}$$

$$\frac{T(\Gamma) \cup \{\tau_i \mid i = 1 \ldots m\} \subseteq T^+(y) \quad \Gamma, x : \tau' \to \sigma^y \vdash M : \tau' \to \sigma^{y+1}}{\Gamma \vdash fix\,x.M : \tau' \to \sigma^{y+1}}$$
Soundness can be proved as for proposition 7. When Gimenez's system is considered in a simply-typed framework, the following differences appear with respect to the system with labelled types (ignoring some minor notational conventions): (1) Gimenez's typing system is presented in a 'Church' style. More precisely, the variables bound by λ and fix carry a type, and this type is used to constrain (in the usual way) the application of the related typing rules. (2) The subtyping rule for functional types $\tau \to \tau'$ is missing. (3) The second rule for typing recursive definitions is missing. Obviously these differences imply that one can give fewer types to a term in Gimenez's system than in our system. To be fair, one has to notice that the presentation as a Church system and the absence of subtyping at higher types is essentially justified by the complexity of the calculus of constructions, and by the desire to avoid too many complications at once. On the other hand, the lack of the second rule for fix is, in our opinion, a genuine difference, which moreover has an impact in practice, as the rule is needed to type nested recursive definitions such as that of example 2(6) and can be further generalized as shown in (12). A question which should be raised is whether the system with type labels is better in practice than the simpler system without type labels. So far, we could not find any 'natural' example suggesting a positive answer.
Acknowledgement. The first author would like to thank Eduardo Gimenez for providing the simply typed formulation of his system and explaining its motivations, and Alexandra Bac for a number of discussions on the type system presented here.

References
1. R. Amadio and S. Coupet-Grimal. Analysis of a guard condition in type theory (preliminary report). Technical Report TR 1997.245. Also appeared as RR INRIA 3300, Université de Provence (LIM), 1997. Available at http://protis.univ-mrs.fr/~amadio.
2. H. Barendregt. The lambda calculus; its syntax and semantics. North-Holland, 1984.
3. Coq-project. The Coq proof assistant reference manual. Available at http://pauillac.inria.fr/coq, 1996.
4. T. Coquand. Infinite objects in type theory. In Types for proofs and programs, Springer Lect. Notes in Comp. Sci. 806, 1993.
5. T. Coquand and G. Huet. A calculus of constructions. Information and Computation, 76:95-120, 1988.
6. S. Coupet-Grimal and L. Jakubiec. Coq and hardware verification: a case study. In Proc. TPHOL, Springer Lect. Notes in Comp. Sci. 1125, 1996.
7. H. Geuvers. Inductive and coinductive types with iteration and recursion. In Proc. of Workshop on types for proofs and programs, Nordström et al. (eds.), pages 193-217, 1992. Available electronically.
8. E. Gimenez. Un calcul de constructions infinies et son application à la vérification de systèmes communicants. PhD thesis, ENS Lyon, 1996.
9. E. Gimenez. Personal communication. October 1997.
10. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types. Cambridge University Press, 1989.
11. F. Leclerc and C. Paulin-Mohring. Programming with streams in Coq. A case study: the sieve of Eratosthenes. In Proc. TYPES, Springer Lect. Notes in Comp. Sci. 806, 1993.
12. R. Loader. Equational theories for inductive types. Annals of Pure and Applied Logic, 84:175-218, 1997.
13. G. Longo and E. Moggi. Constructive natural deduction and its modest interpretation. Mathematical Structures in Computer Science, 1:215-254, 1992.
14. N. Mendler. Recursive types and type constraints in second-order lambda calculus. In Proc. IEEE Logic in Comp. Sci., 1987.
15. M. Nesi. A formalization of the process algebra CCS in higher order logic. Technical Report 278, Computer Laboratory, University of Cambridge, December 1992.
16. L. Paulson. Mechanizing coinduction and corecursion in higher-order logic. J. of Logic and Computation, 7(2):175-204, 1997.
17. C. Raffalli. L'arithmétique fonctionnelle du second ordre avec points fixes. PhD thesis, Université Paris VII, 1994.
18. A. Salomaa. Two complete axiom systems for the algebra of regular events. Journal of the ACM, 13(1), 1966.
19. D. Scott. Data types as lattices. SIAM J. of Computing, 5:522-587, 1976.
20. M. Tatsuta. Realizability interpretation of coinductive definitions and program synthesis with streams. Theoretical Computer Science, 122:119-136, 1994.
21. S. Thompson. Haskell. The craft of functional programming. Addison-Wesley, 1996.
An Event Structure Semantics for P/T Contextual Nets: Asymmetric Event Structures*

Paolo Baldan¹, Andrea Corradini¹, and Ugo Montanari²**

¹ Dipartimento di Informatica - University of Pisa, Corso Italia, 40, 56125 Pisa, Italy
² Computer Science Laboratory - SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, USA
E-mail: {baldan, andrea, ugo}@di.unipi.it

Abstract. We propose an event based semantics for contextual nets, i.e. an extension of Place/Transition Petri nets where transitions can also have context conditions, modelling resources that can be read without being consumed. The result is a generalization of Winskel's work on safe nets: the event based semantics is given at categorical level via a chain of coreflections leading from the category WS-CN of weakly safe contextual nets to the category Dom of finitary prime algebraic domains. A fundamental rôle is played by the notion of asymmetric event structures, which generalize Winskel's prime event structures following an idea similar to that of "possible flow" introduced by Pinna and Poigné. Asymmetric event structures have the usual causal relation of traditional prime event structures, but replace the symmetric conflict with a relation modelling asymmetric conflict or weak causality. Such a relation allows one to represent the new kind of dependency between events arising in contextual nets, as well as the usual symmetric conflict. Moreover it is used in a non-trivial way in the definition of the ordering of configurations, which is different from the standard set-inclusion.
1 Introduction
Contextual nets, as introduced in [14], extend classical Petri nets, a formalism for the specification of the behaviour of concurrent systems, with the possibility of handling contexts: in a contextual net transitions can have not only preconditions and postconditions, but also context conditions, that, intuitively, specify something which is necessary for the transition to be fired, but is not affected by the firing of the transition. In other words, a context can be thought of as an item which is read but not consumed by the transition, in the same way as preconditions can be considered as being read and consumed and postconditions as being simply written. Consistently with this view, the same token can be used as context by many transitions at the same time and with multiplicity greater than one by the same transition. Context conditions of [14] are also called test arcs in [5], activator arcs in [10] or read arcs in [18, 19]. The possibility of faithfully representing the "reading of resources" allows contextual nets to model a lot of concrete situations more naturally than classical nets. In recent years they have been used to model concurrent access to shared data (e.g. reading in a database) [17, 7], to provide a concurrent semantics to concurrent constraint (CC) programs [13], to model priorities [9], to specify a net semantics for the π-calculus [3]. Moreover they have been studied for their connections with another powerful formalism for the representation of concurrent computations, namely graph grammars [14, 6]. In this paper we consider marked contextual P/T nets (shortly c-nets), that, following the lines suggested in [14] for C/E systems, add contexts to classical P/T nets. The problem of giving a truly concurrent semantics based on (deterministic) processes has been faced by various authors (see, e.g., [9, 14, 4, 19]). Each process of a c-net records the events occurring in a single computation of the net and the relations existing between such events.

* Research partly supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) and by the EC Esprit WG APPLIGRAPH (Applications of Graph Transformation).
** On leave from University of Pisa, Computer Science Department.
[Figure: (a) a contextual net in which place $s$ is a context for $t_0$ and a precondition for $t_1$; (b) a prime event structure with $t_1$ split into $t_1'$, in conflict with $t_0$, and $t_1''$, caused by $t_0$.]
Fig. 1. A simple contextual net and a prime event structure representing its behaviour.

Here we provide (weakly safe) c-nets with a truly concurrent event structure semantics following another classical approach. Generalizing Winskel's construction for safe nets [20], we associate to each c-net an event structure that describes all the possible behaviours of the net. Recall that prime event structures (PES) are a simple event based model of (concurrent) computations in which events are considered as atomic, indivisible and instantaneous steps, which can appear only once in a computation. An event can occur only after some other events (its causes) have taken place, and the execution of an event can inhibit the execution of other events. This is formalized via two binary relations: causality, modelled by a partial order relation, and conflict, modelled by a symmetric and irreflexive relation, hereditary w.r.t. causality. When working with c-nets the main critical point is represented by the fact that the presence of context conditions leads to asymmetric conflicts or weak dependencies between events. To understand this basic concept, consider two transitions $t_0$ and $t_1$ such that the same place $s$ is
a context for $t_0$ and a precondition for $t_1$. Following [14], such a situation is represented pictorially as in Fig. 1(a), i.e., non-directed arcs are used to represent context conditions. The possible firing sequences are $t_0$, $t_1$ and $t_0; t_1$, while $t_1; t_0$ is not allowed. This situation cannot be modelled in a direct way within a traditional prime event structure: $t_0$ and $t_1$ are neither in conflict nor concurrent nor causally dependent. Simply, as for a traditional conflict, the firing of $t_1$ prevents $t_0$ from being executed, so that $t_0$ can never follow $t_1$ in a computation. But the converse is not true, since $t_0$ can fire before $t_1$. This situation can be naturally interpreted as an asymmetric conflict between the two transitions. Equivalently, since $t_0$ precedes $t_1$ in any computation where both are fired, in such computations $t_0$ acts as a cause of $t_1$. However, differently from a true cause, $t_0$ is not necessary for $t_1$ to be fired. Therefore we can also think of the relation between the two transitions as a weak form of causal dependency. A reasonable way to encode this situation in a PES is to represent the firing of $t_1$ with two distinct mutually exclusive events (as shown in Fig. 1(b)): $t_1'$, representing the execution of $t_1$ that prevents $t_0$, thus mutually exclusive with $t_0$, and $t_1''$, representing the execution of $t_1$ after $t_0$ (caused by $t_0$). This encoding can be unsatisfactory since it leads to a "duplication" of events (e.g., see [1]). The events of the prime event structure associated to a system would not represent the elementary actions of the system, but the possible histories of such actions. Several authors pointed out the inadequacy of event structures for faithfully modelling general concurrent computations and proposed alternative definitions of event structures (flow event structures [2], bundle event structures [11], prioritized event structures [8]).
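The firing behaviour just described can be checked on a small executable model. The following Python is an added example and not part of the paper: it represents markings as multisets and adopts, as an assumption drawn from the description above, the step-enabling rule $m \ge \sum pre + \lfloor \sum ctx \rfloor$ (each precondition consumes its own token, while one token can be read as a context by every transition of a step at once, with any multiplicity). Places a, b, c, d, e, transition t2 and the initial marking are constructed for the example; only the roles of s, t0 and t1 come from Fig. 1.

```python
from collections import Counter


def floor1(m):
    """The multiset m with every non-zero coefficient replaced by 1."""
    return Counter({a: 1 for a, n in m.items() if n > 0})


def leq(m1, m2):
    """Pointwise multiset inclusion m1 <= m2."""
    return all(m2[a] >= n for a, n in m1.items())


class Transition:
    def __init__(self, pre, ctx, post):
        self.pre = Counter(pre)    # preconditions: tokens read and consumed
        self.ctx = Counter(ctx)    # context conditions: tokens read, not consumed
        self.post = Counter(post)  # postconditions: tokens written


class CNet:
    """Marked contextual P/T net with a step semantics.  The enabling rule in
    step_enabled is an assumption of this example, taken from the informal
    description of contexts, not a definition quoted from the paper."""

    def __init__(self, transitions, marking):
        self.T = dict(transitions)
        self.m0 = Counter(marking)

    def step_enabled(self, m, step):
        """A step (list of transition names, repetitions allowed) is enabled at m iff
        m >= sum(pre) + floor1(sum(ctx)): every precondition needs its own token,
        while one token can be read as context by all transitions of the step."""
        pre, ctx = Counter(), Counter()
        for name in step:
            pre += self.T[name].pre
            ctx += self.T[name].ctx
        return leq(pre + floor1(ctx), m)

    def fire_step(self, m, step):
        """Marking reached by firing the step: consume all preconditions, add all
        postconditions, leave the context tokens where they are."""
        if not self.step_enabled(m, step):
            raise ValueError(f"step {step} is not enabled at {dict(m)}")
        pre, post = Counter(), Counter()
        for name in step:
            pre += self.T[name].pre
            post += self.T[name].post
        return m - pre + post

    def run(self, steps):
        """Marking after firing the sequence of steps from the initial marking."""
        m = Counter(self.m0)
        for step in steps:
            m = self.fire_step(m, step)
        return m

    def allowed(self, steps):
        """True iff the sequence of steps is a legal firing sequence of the net."""
        try:
            self.run(steps)
        except ValueError:
            return False
        return True


def fig1_net():
    """Fig. 1(a): place s is a context for t0 and a precondition for t1.  Places a, b,
    c, d, e, transition t2 and the initial marking are constructed for this example."""
    t0 = Transition(pre={"a": 1}, ctx={"s": 1}, post={"b": 1})
    t1 = Transition(pre={"s": 1}, ctx={}, post={"c": 1})
    t2 = Transition(pre={"d": 1}, ctx={"s": 2}, post={"e": 1})  # reads s with multiplicity 2
    return CNet({"t0": t0, "t1": t1, "t2": t2}, {"a": 1, "s": 1, "d": 1})
```

On `fig1_net()`, `allowed([["t0"], ["t1"]])` holds and `allowed([["t1"], ["t0"]])` does not, which is the asymmetry of the text; the single step `["t0", "t1"]` is not enabled either, since $t_1$ consumes the token $t_0$ reads, whereas the step `["t0", "t2"]` is enabled because both transitions only read $s$.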
Asymmetric conflicts have been specifically treated by Pinna and Poigné in [15, 16], where the "operational" notion of event automaton suggests an enrichment of prime event structures and flow event structures with possible causes. The basic idea is that if $e$ is a possible cause of $e'$ then $e$ can precede $e'$ or it can be ignored, but the execution of $e$ never follows $e'$. This is formalized by introducing an explicit subset of possible events in prime event structures or adding a "possible flow relation" in flow event structures. Similar ideas are developed, under a different perspective, in [8], where PES are enriched with a partial order relation modelling priorities between events. In order to provide a more direct, event based representation of c-nets we introduce a new kind of event structure, called asymmetric event structure (aES). Despite some differences in the definition and in the related notions, aES's can be seen as a generalization of event structures with possible events and of prioritized event structures. Besides the usual causal relation ($\le$) of a traditional prime event structure, an aES has a relation $\nearrow$ that allows us to specify the new situation analyzed above simply as $t_0 \nearrow t_1$. As just remarked, the same relation has two natural interpretations: it can be thought of as an asymmetric version of conflict or as a weak form of causality. We decided to call it asymmetric conflict, but the reader should keep in mind both views, since in some situations it will be preferable to refer to the weak causality interpretation. Configurations of an aES are then introduced and the set of configurations of an aES, ordered in a suitable way using the asymmetric conflict relation, turns out to be a finitary prime algebraic domain. We prove that such a construction extends to a functor from the category $\mathbf{aES}$ of asymmetric event structures to the category $\mathbf{Dom}$ of finitary prime algebraic domains, which establishes a coreflection between $\mathbf{aES}$ and $\mathbf{Dom}$. Recalling that $\mathbf{Dom}$ is equivalent to the category $\mathbf{PES}$ of prime event structures, we can recover a semantics in terms of traditional prime event structures. The seminal work by Winskel presents an adjunction between event structures and a subclass of P/T nets, namely safe nets. Such a result is extended in [12] to the wider category of weakly safe nets, i.e. P/T nets in which the initial marking is a set and transitions can generate at most one token in each post-condition. Similarly, we restrict here to a (full) subcategory of contextual nets, called weakly safe c-nets, and we show how, given a weakly safe c-net $N$, an unfolding construction allows us to obtain an occurrence c-net $\mathcal U_a(N)$, i.e. an "acyclic c-net" that describes in a static way the behaviour of $N$, by expressing possible events and the dependency relations between them. The unfolding operation can be extended to a functor $\mathcal U_a$ from $\mathbf{WS\text{-}CN}$ to the category $\mathbf{O\text{-}CN}$ of occurrence c-nets, which is right adjoint of the inclusion functor $\mathbf{O\text{-}CN} \to \mathbf{WS\text{-}CN}$. Transitions of an occurrence c-net are related by causal dependency and asymmetric conflict, while mutual exclusion is a derived relation. Thus, the semantics of weakly safe c-nets given in terms of occurrence c-nets can be naturally abstracted to an aES semantics. Again this construction extends, at categorical level, to a coreflection from $\mathbf{aES}$ to $\mathbf{O\text{-}CN}$. Finally we exploit the coreflection between $\mathbf{aES}$ and $\mathbf{Dom}$ to complete the chain of coreflections from $\mathbf{WS\text{-}CN}$ to $\mathbf{Dom}$.
2 Asymmetric event structures
We stressed in the introduction that PES's (and in general Winskel's event structures) are too poor to model in a direct way the behaviour of models of computation allowing context sensitive firing of events, such as string, term and graph rewriting, and contextual nets. The fact that an event to be fired requires the presence of some resources that are not "consumed", but just read, leads to a new kind of dependency between events that can be seen as an asymmetric version of conflict or a weak form of causality. Technically speaking, the problem is essentially the axiom of event structures (see [20]) stating that the enabling relation $\vdash$ is "monotone" w.r.t. set inclusion:

$$A \vdash e \;\wedge\; A \subseteq B \;\wedge\; B \text{ consistent} \;\Rightarrow\; B \vdash e.$$

As a consequence the computational order between configurations is set inclusion, the idea being that if $A \subseteq B$ are finite configurations then starting from $A$ we can reach $B$ by performing the events in $B - A$. This means that the conflict is symmetric, i.e. it cannot be the case that the execution of an event $e_1$ prevents $e_0$ from being executed but $e_0$ can precede $e_1$ in a computation.
To faithfully represent the dependencies existing between events in such models, avoiding the unpleasant phenomenon of duplication of events (see Fig. 1), we generalize prime event structures by replacing the usual symmetric conflict relation with a new binary relation $\nearrow$, called asymmetric conflict. If $e_0 \nearrow e_1$ then the firing of $e_1$ inhibits $e_0$: the execution of $e_0$ may precede the execution of $e_1$ or $e_0$ can be ignored, but $e_0$ cannot follow $e_1$. By using the terminology of Pinna and Poigné [16], we can say that $e_0$ is a "possible" cause of $e_1$. Nicely, the symmetric binary conflict can be represented easily with cycles of asymmetric conflict. Therefore symmetric conflict will be a derived relation. We first introduce some basic notations. Let $r \subseteq X \times X$ be a binary relation and let $Y \subseteq X$. Then $r_Y$ denotes the restriction of $r$ to $Y \times Y$, i.e. $r \cap (Y \times Y)$, $r^+$ denotes the transitive closure of $r$ and $r^*$ denotes the reflexive and transitive closure of $r$. We say that $r$ is well-founded if it has no infinite descending chains, i.e. $(e_i)_{i \in \mathbb N}$ with $e_{i+1}\, r\, e_i$, $e_i \neq e_{i+1}$, for all $i \in \mathbb N$. The relation $r$ is acyclic if it has no "cycles" $e_0\, r\, e_1\, r \cdots r\, e_n\, r\, e_0$, with $e_i \in X$. In particular, if $r$ is well-founded it has no (non-trivial) cycles. The powerset of $X$ is denoted by $2^X$, while $2^X_{fin}$ denotes the set of finite subsets of $X$.

Definition 1 (asymmetric event structure). An asymmetric event structure (aES) is a tuple $G = (E, \le, \nearrow)$, where $E$ is a set of events and $\le$, $\nearrow$ are binary relations on $E$ called causality relation and asymmetric conflict respectively, such that:
1. the relation $\le$ is a partial order and $\lfloor e \rfloor = \{e' \in E : e' \le e\}$ is finite for all $e \in E$;
2. the relation $\nearrow$ satisfies, for all $e, e' \in E$:
   (a) $e < e' \;\Rightarrow\; e \nearrow e'$;¹
   (b) $\nearrow_{\lfloor e \rfloor}$ is acyclic.²

If $e \nearrow e'$, according to the double interpretation of $\nearrow$, we say that $e$ is prevented by $e'$ or $e$ weakly causes $e'$. Moreover we say that $e$ is strictly prevented by $e'$ (or $e$ strictly weakly causes $e'$), written $e \nearrow\!\!\!\!\!\neg\; e'$, if $e \nearrow e'$ and $\neg(e < e')$. The definition can be easily understood by giving a more formal account of the ideas presented at the beginning of the section. Let $Fired(e)$ denote the fact that the event $e$ has been fired in a computation and let $prec(e, e')$ denote that $e$ precedes $e'$ in the computation. Then

$$e \le e' \;\stackrel{def}{\equiv}\; Fired(e') \Rightarrow Fired(e) \wedge prec(e, e') \qquad\qquad e \nearrow e' \;\stackrel{def}{\equiv}\; Fired(e) \wedge Fired(e') \Rightarrow prec(e, e')$$

Therefore $\le$ represents a global order of execution, while $\nearrow$ determines an order of execution only locally, in each configuration (computation). Thus it is natural to impose $\nearrow$ to be an extension of $<$. Moreover if a set of events forms an asymmetric conflict cycle $e_0 \nearrow e_1 \nearrow \cdots \nearrow e_n \nearrow e_0$, then such events cannot appear

¹ With $e < e'$ we mean $e \le e'$ and $e \neq e'$.
² Equivalently, we can require $(\nearrow_{\lfloor e \rfloor})^+$ irreflexive. This implies that, in particular, $\nearrow$ is irreflexive.
in the same computation, otherwise the execution of each event should precede the execution of the event itself. This explains why we require the acyclicity of $\nearrow$ restricted to the causes $\lfloor e \rfloor$ of an event $e$: otherwise not all causes of $e$ can be executed in the same computation and thus $e$ itself cannot be executed. The informal interpretation also makes clear that $\nearrow$ is not in general transitive: if $e \nearrow e' \nearrow e''$ it is not true that $e$ must precede $e''$ when both fire; this holds only in a computation where also $e'$ fires. The fact that a set of $n$ events in a weak-causality cycle can never occur in the same computation can be naturally interpreted as a form of $n$-ary conflict. More formally, it is useful to associate to each aES an explicit conflict relation (on sets of events) defined in the following way:

Definition 2 (induced conflict relation). Let $G = (E, \le, \nearrow)$ be an aES. The conflict relation $\#^a \subseteq 2^E_{fin}$ associated to $G$ is defined as:

$$\frac{e_0 \nearrow e_1 \nearrow \cdots \nearrow e_n \nearrow e_0}{\#^a\{e_0, e_1, \ldots, e_n\}} \qquad\qquad \frac{\#^a(A \cup \{e\}) \qquad e \le e'}{\#^a(A \cup \{e'\})}$$

where $A$ denotes a generic finite subset of $E$. The superscript $a$ in $\#^a$ reminds that this relation is induced by asymmetric conflict. Sometimes we use the infix notation for the "binary version" of the conflict, i.e. we write $e \#^a e'$ for $\#^a\{e, e'\}$. It is worth noticing that the binary version of the conflict relation $\#^a$ satisfies all the properties of the conflict relation of traditional PES's, i.e. it is irreflexive, symmetric and hereditary w.r.t. the causal dependency relation. The notion of aES morphism is a quite natural extension of that of PES morphism. Intuitively, it is a (possibly partial) mapping of events that "preserves computations".
Definition 3 (category aES). Let $G_0 = (E_0,$

Lemma 4 (prime and asymmetric event structures). Let $ES = (E, \le, \#)$ be a prime event structure. Then $G = (E, \le, < \cup \#)$ is an aES, where the asymmetric conflict relation is defined as the union of the "strict" causality and conflict relations. Moreover, if $f : ES_0 \to ES_1$ is an event structure morphism then $f$ is an aES morphism between the corresponding aES's $G_0$ and $G_1$, and if $g : G_0 \to G_1$ is an aES morphism then it is also a PES morphism between the original PES's.

By the lemma, there is a full embedding functor $\mathcal J : \mathbf{PES} \to \mathbf{aES}$ defined on objects as $\mathcal J((E, \le, \#)) = (E, \le, < \cup \#)$ and on arrows as $\mathcal J(f : ES_0 \to ES_1) = f$. A configuration of an event structure is a set of events representing a possible computation of the system modelled by the event structure. The presence of the asymmetric conflict relation makes such a definition slightly more involved w.r.t. the traditional one.
Definition 5 (configuration). Let $G = (E, \le, \nearrow)$ be an aES. A configuration of $G$ is a set of events $C \subseteq E$ such that
1. $\nearrow_C$ is well-founded;
2. $\{e' \in C : e' \nearrow e\}$ is finite for all $e \in C$;
3. $C$ is left-closed w.r.t. $\le$, i.e. for all $e \in C$, $e' \in E$, $e' \le e$ implies $e' \in C$.

The set of all configurations of $G$ is denoted by $Conf(G)$. Condition 1 first ensures that in $C$ there are no $\nearrow$ cycles, and thus excludes the possibility of having in $C$ a subset of events in conflict (formally, for any $A \subseteq_{fin} C$, we have $\neg(\#^a A)$). Moreover it guarantees that $\nearrow$ has no infinite descending chain in $C$, which, together with Condition 2, implies that the set $\{e' \in C : e' (\nearrow_C)^+ e\}$ is finite for each event $e$ in $C$; thus each event has to be preceded only by finitely many other events of the configuration. Finally Condition 3 requires that all the causes of each event are present. If a set of events $A$ satisfies only the first two properties of Definition 5 it is called consistent and we write $co(A)$. Notice that, unlike for traditional event structures, consistency is not a finitary property.³ For instance, let $A = \{e_i : i \in \mathbb N\} \subseteq E$ be a set of events such that all $e_i$'s are distinct and $e_{i+1} \nearrow e_i$ for all $i \in \mathbb N$. Then $A$ is not consistent, but each finite subset of $A$ is. A remarkable difference w.r.t. the classical approach is that the order on configurations is not simply set-inclusion, since a configuration $C$ cannot be extended with an event inhibited by some of the events already present in $C$.

Definition 6 (extension). Let $G = (E, \le, \nearrow)$ be an aES and let $A, A' \subseteq E$ be sets of events. We say that $A'$ extends $A$, and we write $A \sqsubseteq A'$, if
1. $A \subseteq A'$;
2. $\neg(e' \nearrow e)$ for all $e \in A$, $e' \in A' - A$.

³ A property $Q$ on the subsets of a set $X$ is finitary if given any $Y \subseteq X$, from $Q(Z)$ for all finite subsets $Z \subseteq Y$ it follows $Q(Y)$.
An important result is the fact that the set Conf(G) of configurations of an aES endowed with the extension relation ⊑ is a finitary prime algebraic domain, i.e. a coherent, prime algebraic, finitary partial order, in the following simply referred to as domain. Therefore asymmetric event structures, as well as prime [20] and flow [1] event structures, provide a concrete presentation of prime algebraic domains. The proof of this result is technically involved and will appear in the full paper: only a sketch is presented here. The fact that (Conf(G), ⊑) is a partial order immediately follows from the definition. Moreover, for pairwise compatible sets of configurations the least upper bound and the greatest lower bound are given by union and intersection. Interestingly, the primes of the domain of configurations turn out to be the possible histories of the various events. We call history of an event e in a configuration C the set of events of C that must be executed before e (together with e itself). Recall that in a prime event structure an event e uniquely determines its history, that is the set ⌊e⌋ of its causes, independently of the configuration at hand. In the case of asymmetric event structures, instead, an event e may have different histories. In fact, given a configuration C, the set of events that must precede e is C⟦e⟧ = {e' ∈ C : e' (↗_C)* e}, and clearly such a set depends on the configuration C. The set of all possible histories of an event e, namely {C⟦e⟧ : C ∈ Conf(G)}, is denoted by Hist(e).

Theorem 7. Let G be an aES. Then (Conf(G), ⊑) is a (finitary prime algebraic) domain. The primes of Conf(G) are the possible histories of events in G, i.e. the configurations in ∪_{e∈E} Hist(e).

Winskel in his seminal work [20] proved the equivalence between the category PES of prime event structures and the category Dom of domains and additive, stable, immediate precedence-preserving functions:

PES ⇄ Dom, with T : Dom → PES and L : PES → Dom

The functor L associates to each PES the domain of its configurations, while the functor T associates to each domain a PES having its prime elements as events. We want now to generalize this result to our framework by showing the existence of a coreflection between aES and Dom. One can prove that aES morphisms preserve configurations and that the natural function between the domains of configurations induced by an aES morphism is a domain morphism. These results, together with Theorem 7, ensure that the functor L_a leading from the category aES of asymmetric event structures to the category Dom of finitary prime algebraic domains is well-defined. The functor T_a performing the backward step is obtained simply by embedding Winskel's construction in aES.

Definition 8. Let L_a : aES → Dom be the functor defined as:
- L_a(G) = (Conf(G), ⊑), for any aES-object G;
- L_a(f) = f* : L_a(G0) → L_a(G1), for any aES-morphism f : G0 → G1.⁴

The functor T_a : Dom → aES is defined as the composition of Winskel's functor T with the embedding of PES into aES. The proof of the following main result will appear in the full paper.

Theorem 9. The functor T_a is left adjoint of L_a. The counit of the adjunction ε : T_a ∘ L_a → 1 is defined by ε_G(C) = e, if C ∈ Hist(e).

3
Contextual nets
We introduce here marked contextual P/T nets (c-nets), that, following the lines suggested in [14] for C/E systems, add contexts to classical P/T nets. We first recall some notation for multisets. Let A be a set; a multiset of A is a function m : A → ℕ. Such a multiset will be denoted sometimes as a formal sum m = Σ_{a∈A} n_a · a, where n_a = m(a). The set of multisets of A is denoted as μA. The usual operations and relations on multisets of A are used. As an example, multiset union is denoted by + and defined as (m + m')(a) = m(a) + m'(a); multiset difference (m − m') is defined as (m − m')(a) = m(a) − m'(a) if m(a) ≥ m'(a) and (m − m')(a) = 0 otherwise. We write m ≤ m' if m(a) ≤ m'(a) for all a ∈ A. If m is a multiset of A, we denote by ⟦m⟧ the multiset Σ_{a∈A, m(a)>0} 1 · a, obtained by changing all non-zero coefficients of m to 1. Sometimes we will confuse the multisets m with the corresponding subsets {a ∈ A : m(a) > 0} of A, and use on them the usual set operations and relations. A multirelation f : A → B is a multiset of A × B. It induces in an obvious way a function μf : μA → μB, defined as μf(Σ_{a∈A} n_a · a) = Σ_{b∈B} (Σ_{a∈A} n_a · f(a, b)) · b. If the multirelation f satisfies f(a, b) ≤ 1 for all a ∈ A and b ∈ B then we sometimes confuse it with the corresponding set-relation and write f(a, b) for f(a, b) = 1.

Definition 10 (c-net). A (marked) contextual Petri net (c-net) is a tuple N = (S, T, F, C, m), where
- S is a set of places;
- T is a set of transitions;
- F = (F_pre, F_post) is a pair of multirelations from T to S;
- C is a multirelation from T to S, called the context relation;
- m is a multiset of S, called the initial marking.
We assume, without loss of generality, that S ∩ T = ∅. Moreover, we require that for each transition t ∈ T there exists a place s ∈ S such that F_pre(t, s) > 0.⁵ Let N be a c-net. As usual, the functions from μT to μS induced by the multirelations F_pre and F_post are denoted by •( ) and ( )•, respectively. If A ∈ μT is a multiset of transitions, •A is called its pre-set, while A• is called its post-set. Moreover, by A̲ we denote the context of A, defined as A̲ = μC(A).

⁴ With f* we denote the natural extension of the function f to the powerset of E0 (i.e., f*(A) = {f(a) : a ∈ A}, for A ⊆ E0).
⁵ This is a weak version of the condition of T-restrictedness, which requires also F_post(t, s) > 0 for some s ∈ S.
The same notation is used to denote the functions from S to 2^T defined as, for s ∈ S, •s = {t ∈ T : F_post(t, s) > 0}, s• = {t ∈ T : F_pre(t, s) > 0}, s̲ = {t ∈ T : C(t, s) > 0}. In the following, when considering a c-net N, we implicitly assume that N = (S, T, F, C, m). Moreover, superscripts and subscripts on the net names carry over to the names of the involved sets, functions and relations. For instance N_i = (S_i, T_i, F_i, C_i, m_i).

For a finite multiset of transitions A to be enabled by a marking M, it is sufficient that M contains the pre-set of A and at least one additional token in each place of the context of A. This corresponds to the intuition that a token in a place can be used as context by many transitions at the same time, and with multiplicity greater than one by the same transition.

Definition 11 (token game). Let N be a c-net and let M be a marking of N, that is a multiset M ∈ μS. Given a finite multiset A ∈ μT, we say that A is enabled by M if •A + ⟦A̲⟧ ≤ M.⁶ The transition relation between markings is defined as

M [A⟩ M' iff A is enabled by M and M' = M − •A + A•.

We call M [A⟩ M' a step. A simple step or firing is a step involving just one transition. A marking M is called reachable if there exists a finite step sequence m [A0⟩ M1 [A1⟩ M2 … [An⟩ M, starting from the initial marking and leading to M. A c-net morphism is a partial mapping between transitions that "preserves" pre- and post-sets, and also contexts in a weak sense.
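The token game of Definition 11 in Python, as an added example that is not code from the paper: multisets are Counters, the context contributes ⟦A̲⟧ to the enabling condition, and the constructed net below shows that two transitions reading the same token form a step, while a reader and the consumer of that token do not (the step excluded by footnote 6).

```python
"""Token game of a marked contextual net, after Definition 11.

Added example, not code from the paper. Multisets over places are
collections.Counter objects (place -> multiplicity); the net at the bottom
is constructed for illustration and is not taken from the paper.
"""
from collections import Counter


def flatten(m: Counter) -> Counter:
    """The multiset written [[m]] in the text: non-zero coefficients set to 1."""
    return Counter({a: 1 for a, n in m.items() if n > 0})


def leq(m: Counter, m2: Counter) -> bool:
    """m <= m2 pointwise (places missing from a Counter count as 0)."""
    return all(m2[a] >= n for a, n in m.items())


def minus(m: Counter, m2: Counter) -> Counter:
    """Multiset difference m - m2, truncated at 0 as in the text."""
    return Counter({a: n - m2[a] for a, n in m.items() if n - m2[a] > 0})


class CNet:
    """N = (S, T, F, C, m): F = (Fpre, Fpost) and C are multirelations T -> S,
    given here as dicts transition -> multiset of places."""

    def __init__(self, pre, post, ctx, m0):
        self.pre = {t: Counter(v) for t, v in pre.items()}
        self.post = {t: Counter(v) for t, v in post.items()}
        self.ctx = {t: Counter(v) for t, v in ctx.items()}
        self.m0 = Counter(m0)
        for t, ps in self.pre.items():      # every transition needs a pre-set
            if not ps:
                raise ValueError(f"transition {t} has an empty pre-set")

    def _lift(self, rel, A: Counter) -> Counter:
        """μF(A): apply a multirelation to a multiset A of transitions."""
        out = Counter()
        for t, k in A.items():
            for s, n in rel[t].items():
                out[s] += k * n
        return out

    def preset(self, A): return self._lift(self.pre, A)    # •A
    def postset(self, A): return self._lift(self.post, A)  # A•
    def context(self, A): return self._lift(self.ctx, A)   # context of A

    def enabled(self, M, A) -> bool:
        """A is enabled by M iff •A + [[ctx(A)]] <= M: the pre-set plus one
        extra token in each context place, however many readers there are."""
        M, A = Counter(M), Counter(A)
        return leq(self.preset(A) + flatten(self.context(A)), M)

    def step(self, M, A) -> Counter:
        """M [A> M' with M' = M - •A + A•; raises if A is not enabled by M."""
        M, A = Counter(M), Counter(A)
        if not self.enabled(M, A):
            raise ValueError(f"step {dict(A)} is not enabled by {dict(M)}")
        return minus(M, self.preset(A)) + self.postset(A)


# Constructed net: r1 and r2 read the token in s (context arcs), w consumes it.
NET = CNet(
    pre={"r1": {"p1": 1}, "r2": {"p2": 1}, "w": {"s": 1}},
    post={"r1": {"q1": 1}, "r2": {"q2": 1}, "w": {"s2": 1}},
    ctx={"r1": {"s": 1}, "r2": {"s": 1}, "w": {}},
    m0={"s": 1, "p1": 1, "p2": 1},
)


def demo():
    """Both readers form one step; a reader together with the consumer does
    not (footnote 6); after the readers have fired, w consumes s."""
    readers = {"r1": 1, "r2": 1}
    both_readers = NET.enabled(NET.m0, readers)
    reader_and_writer = NET.enabled(NET.m0, {"r1": 1, "w": 1})
    final = NET.step(NET.step(NET.m0, readers), {"w": 1})
    return both_readers, reader_and_writer, dict(final)


if __name__ == "__main__":
    print(demo())
```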
Definition 12 (c-net morphism). Let N0 and N1 be c-nets. A c-net morphism h : N0 → N1 is a pair h = (h_T, h_S), where h_T : T0 → T1 is a partial function and h_S : S0 → S1 is a multirelation such that (1) μh_S(m0) = m1 and, for each A ∈ μT0, (2) μh_S(•A) = •μh_T(A), (3) μh_S(A•) = μh_T(A)• and (4) ⟦μh_T(A)̲⟧ ≤ μh_S(A̲) ≤ μh_T(A)̲. We denote by CN the category having c-nets as objects and c-net morphisms as arrows.

Conditions (1)-(3) are standard, but condition (4), regarding contexts, deserves some comments. It can be explained by recalling that, since in our model a single token can be used as context with multiplicity greater than one, the firing of a transition t can use as context any multiset X satisfying ⟦t̲⟧ ≤ X ≤ t̲. Given any multiset of tokens that can be used as context in a firing of a transition, its image should be a set of tokens that can be used as context by the image of the transition. This can be formalized by requiring that ⟦μh_T(A)̲⟧ ≤ μh_S(X) ≤ μh_T(A)̲ for any X ∈ μS0 such that ⟦A̲⟧ ≤ X ≤ A̲, which is equivalent to the above condition (4). The basic result to prove (to check that the definition of morphism is "meaningful") is that the token game is preserved by c-net morphisms.

⁶ Other approaches (e.g. [9, 18]) allow for the concurrent firing of transitions that use the same token as context and precondition. For instance, in [9] the formal condition for a multiset A of transitions to be enabled by a marking M is •A ≤ M and A̲ ≤ M. We do not admit such steps, the idea being that two concurrent transitions should be allowed to fire also in any order.
Theorem 13 (morphisms preserve the token game). Let N0 and N1 be c-nets, and let h = (h_T, h_S) : N0 → N1 be a c-net morphism. Then for each M, M' ∈ μS0 and A ∈ μT0,

M [A⟩ M' ⟹ μh_S(M) [μh_T(A)⟩ μh_S(M').

Therefore c-net morphisms preserve reachable markings, i.e. if M0 is a reachable marking in N0 then μh_S(M0) is reachable in N1. The seminal work by Winskel [20] presents a coreflection between event structures and a subclass of P/T nets, namely safe nets. In [12] it is shown that essentially the same constructions work for the larger category of "weakly safe nets" as well (while the generalization to the whole category of P/T nets requires some original technical machinery and allows one to obtain a proper adjunction rather than a coreflection). In the next sections we will relate by a coreflection event structures and "weakly safe c-nets".
Definition 14 (weakly safe c-nets). A weakly safe c-net is a c-net N such that the initial marking m is a set and F_post is a relation (i.e. t• is a set for all t ∈ T). We denote by WS-CN the full subcategory of CN having weakly safe c-nets as objects. A weakly safe c-net is called safe if also F_pre and C are relations (i.e., •t and t̲ are sets for all t ∈ T) and each reachable marking is a set.

4
Occurrence c-nets and the unfolding construction
Occurrence c-nets are intended to represent, via an unfolding construction, the behaviour of general c-nets in a static way, by expressing the events (firings of transitions) which can appear in a computation and the dependency relations between them. Occurrence c-nets will be defined as safe c-nets such that the dependency relations between transitions satisfy suitable acyclicity and well-foundedness requirements. While for traditional occurrence nets one has to take into account the causal dependency and the conflict relations, because of the presence of contexts we have to consider an asymmetric conflict (or weak dependency) relation as well. Interestingly, the conflict relation turns out to be a relation derived from asymmetric conflict. Causal dependency is defined as for traditional nets, with an additional clause stating that transition t causes t' if it generates a token in a context place of t'.
Definition 15 (causal dependency). Let N be a safe c-net. The causal dependency relation <_N is the least transitive relation on S ∪ T satisfying:
1. if s ∈ •t then s <_N t;
2. if s ∈ t• then t <_N s;
3. if t …
Given a place or transition x ∈ S ∪ T, we denote with ⌊x⌋ the set of causes of x, defined as ⌊x⌋ = {t ∈ T : t ≤_N x}.

Definition 16 (asymmetric conflict). Let N be a safe c-net. The strict asymmetric conflict relation on T is defined by: t is in strict asymmetric conflict with t' iff

t̲ ∩ •t' ≠ ∅ or (t ≠ t' ∧ •t ∩ •t' ≠ ∅).

The asymmetric conflict relation ↗_N is the union of the strict asymmetric conflict and causal dependency relations: t ↗_N t' iff t is in strict asymmetric conflict with t' or t <_N t'.
In our informal interpretation, t ↗_N t' if t must precede t' in each computation in which both fire or, equivalently, t' prevents t from being fired:

t ↗ t' iff_def Fired(t) ∧ Fired(t') ⟹ prec(t, t')   (†)

As noticed in the introduction, this is surely the case when the same place s appears as context for t and as precondition for t'. But (†) is trivially true (with t and t' in interchangeable roles) when t and t' have a common precondition, since they never fire in the same computation. This is apparently a little tricky but corresponds to the clear intuition that a (usual) symmetric (direct) conflict leads to asymmetric conflict in both directions. Finally, since, as noticed for the general model of aES, (†) is weaker than the condition that expresses causality, the condition (†) is satisfied when t causes (in the usual sense) t'.⁷ For technical reasons it is convenient to distinguish the first two cases from the last one. The c-net in Fig. 2 shows that, as expected, the relation ↗_N is not transitive. In fact we have t1 ↗_N t3 ↗_N t2 ↗_N t1, but, for instance, it is not true that t1 ↗_N t2.
Fig. 2. An occurrence c-net with a cycle of asymmetric conflict.
An occurrence c-net is a safe c-net that exhibits an acyclic behaviour and such that each transition in it can be fired.

⁷ This is the origin of the weak causality interpretation of ↗.
Definition 17 (occurrence c-nets). An occurrence c-net is a safe c-net N such that
- each place s ∈ S is in the post-set of at most one transition, i.e. |•s| ≤ 1;
- the causal relation <_N … (condition illegible in the source);
- m = {s ∈ S : •s = ∅};
- (↗_N)_{⌊t⌋} is acyclic⁸ for all transitions t ∈ T.

The full subcategory of WS-CN having occurrence c-nets as objects is denoted by O-CN. The last condition corresponds to the requirement of irreflexivity for the conflict relation in ordinary occurrence nets. In fact, if a transition t has a ↗_N cycle in its causes then it can never fire, since in an occurrence c-net N the order in which transitions appear in a firing sequence must be compatible with the transitive closure of the (restriction to the transitions in the sequence of the) asymmetric conflict relation. As anticipated, the asymmetric conflict relation induces a symmetric conflict relation (on sets of transitions) defined in the following way:

Definition 18 (conflict). Let N be a c-net. The conflict relation # ⊆ 2^T_fin associated to N is defined by the two rules

t0 ↗ t1 ↗ … ↗ tn ↗ t0 ⟹ #{t0, t1, …, tn}
#(A ∪ {t}) ∧ t <_N t' ⟹ #(A ∪ {t'})

where A denotes a generic finite subset of T. As for aES's, we use the infix notation t # t' for #{t, t'}. For instance, referring to Fig. 2, we have #{t1, t2, t3}, but not #{ti, tj} for any i, j ∈ {1, 2, 3}. As for traditional occurrence nets, a set of places M is concurrent if there is some reachable marking in which all the places in M contain a token. However, because of the presence of contexts, some places that a transition needs in order to be fired (contexts) can be concurrent with the places it produces.

Definition 19 (concurrency relation). Let N be an occurrence c-net. A set of places M ⊆ S is called concurrent, written conc(M), if
1. ∀s, s' ∈ M. ¬(s < s');
2. ⌊M⌋ is finite, where ⌊M⌋ = ∪{⌊s⌋ : s ∈ M};
3. ↗_{⌊M⌋} is acyclic (and thus well-founded, since ⌊M⌋ is finite).

⁸ We can equivalently require ((↗_N)_{⌊t⌋})⁺ to be irreflexive. In particular this implies ↗_N irreflexive.
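Asymmetric conflict (Definition 16), the conflict sets it induces through cycles and causality (Definition 18), and the acyclicity condition of Definition 17, as an added Python example that is not code from the paper. The net is constructed so that t1 ↗ t3 ↗ t2 ↗ t1 holds while t1 ↗ t2 does not, the situation the text attributes to Fig. 2, but it is not a reproduction of the figure's own net; an extra transition t4, consuming a token produced by t1, exercises the second rule of Definition 18.

```python
"""Asymmetric conflict and derived conflict in a safe c-net (Definitions
16-18), plus the cycle condition of Definition 17.

Added example, not code from the paper. The net is constructed: t1, t2, t3
form a ↗ cycle with no pairwise ↗ shortcut (as the text says of Fig. 2),
and t4 consumes the token that t1 produces, so t1 <_N t4.
"""
from itertools import combinations

# A safe c-net as sets: pre[t] = •t, post[t] = t•, ctx[t] = context of t.
PRE = {"t1": {"c"}, "t2": {"b"}, "t3": {"a"}, "t4": {"d"}}
POST = {"t1": {"d"}, "t2": set(), "t3": set(), "t4": set()}
CTX = {"t1": {"a"}, "t2": {"c"}, "t3": {"b"}, "t4": set()}
M0 = {"a", "b", "c"}


def causes(pre, post, ctx, t):
    """⌊t⌋: t plus every transition reached backwards through the unique
    producer of each place that t consumes or reads (clauses of Def. 15)."""
    producer = {s: u for u, ss in post.items() for s in ss}
    seen, todo = set(), [t]
    while todo:
        u = todo.pop()
        if u not in seen:
            seen.add(u)
            todo += [producer[s] for s in pre[u] | ctx[u] if s in producer]
    return seen


def asym_conflict(pre, post, ctx):
    """↗_N as an adjacency map: t ↗ u iff t reads a place u consumes, or
    t ≠ u share a precondition (strict asymmetric conflict), or t <_N u."""
    rel = {t: set() for t in pre}
    for t in pre:
        for u in pre:
            strict = bool(ctx[t] & pre[u]) or (t != u and bool(pre[t] & pre[u]))
            causal = t != u and t in causes(pre, post, ctx, u)
            if strict or causal:
                rel[t].add(u)
    return rel


def _reachable_within(rel, A, start):
    """Members of A reachable from `start` by at least one ↗ edge inside A."""
    seen, todo = set(), [v for v in rel[start] if v in A]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo += [w for w in rel[v] if w in A]
    return seen


def acyclic(rel, nodes):
    """Is ↗ restricted to `nodes` acyclic (no member reaches itself)?"""
    return all(v not in _reachable_within(rel, nodes, v) for v in nodes)


def conflict_sets(pre, post, ctx):
    """# ⊆ 2^T_fin of Definition 18: every set of transitions lying on one
    ↗ cycle, closed under: #(A ∪ {t}) and t <_N t' imply #(A ∪ {t'})."""
    rel = asym_conflict(pre, post, ctx)
    ts = sorted(pre)
    conf = set()
    for k in range(1, len(ts) + 1):
        for A in map(frozenset, combinations(ts, k)):
            # a cycle visiting exactly A exists iff every member of A reaches
            # all of A (itself included) through edges inside A
            if all(_reachable_within(rel, A, a) == A for a in A):
                conf.add(A)
    changed = True
    while changed:                          # closure under causal dependency
        changed = False
        for A in list(conf):
            for t in A:
                for t2 in ts:
                    if t2 != t and t in causes(pre, post, ctx, t2):
                        B = (A - {t}) | {t2}
                        if B not in conf:
                            conf.add(B)
                            changed = True
    return conf


def is_occurrence_cnet(pre, post, ctx, m0):
    """The legible conditions of Definition 17: at most one producer per
    place, m is the set of unproduced places, ↗ on ⌊t⌋ acyclic for all t."""
    producers = {}
    for t, ss in post.items():
        for s in ss:
            producers.setdefault(s, set()).add(t)
    if any(len(ps) > 1 for ps in producers.values()):
        return False
    places = set().union(*pre.values(), *post.values(), *ctx.values())
    if m0 != {s for s in places if s not in producers}:
        return False
    rel = asym_conflict(pre, post, ctx)
    return all(acyclic(rel, causes(pre, post, ctx, t)) for t in pre)


if __name__ == "__main__":
    print(asym_conflict(PRE, POST, CTX))
    print(sorted(sorted(A) for A in conflict_sets(PRE, POST, CTX)))
    print(is_occurrence_cnet(PRE, POST, CTX, M0))
```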
It can be shown that, indeed, the concurrent sets of places of an occurrence c-net coincide with the (subsets of) reachable markings. In particular, for each transition t in an occurrence c-net, since conc(•t + t̲), there is a reachable marking M ≥ •t + t̲ in which t is enabled. It is possible to prove that c-net morphisms preserve the concurrency relation. Moreover, they preserve the "amount of concurrency" also on transitions. More precisely, they reflect causal dependency and conflicts, while asymmetric conflict is reflected or becomes conflict. These results are fundamental for establishing a connection between occurrence c-nets and aES's.

Theorem 20. Let N0 and N1 be c-nets and let h : N0 → N1 be a morphism. Then, for all t0, t0' ∈ T0:
1. ⌊h_T(t0)⌋ ⊆ h_T(⌊t0⌋);
2. (h_T(t0) = h_T(t0')) ∧ (t0 ≠ t0') ⟹ t0 #0 t0';
3. h_T(t0) ↗1 h_T(t0') ⟹ (t0 ↗0 t0') ∨ (t0 #0 t0');
4. #1 h_T(A) ⟹ #0 A.
Given a weakly safe c-net N, an unfolding construction allows us to obtain an occurrence c-net 𝒰_a(N) that describes the behaviour of N. As for traditional nets, each transition in 𝒰_a(N) represents an instance of a precise firing of a transition in N, and places in 𝒰_a(N) represent occurrences of tokens in the places of N. The unfolding operation can be extended to a functor 𝒰_a : WS-CN → O-CN that is right adjoint of the inclusion functor 𝒥_o : O-CN → WS-CN and thus establishes a coreflection between WS-CN and O-CN.

Definition 21 (unfolding). Let N = (S, T, F, C, m) be a weakly safe c-net. The unfolding 𝒰_a(N) = (S', T', F', C', m') of the net N and the folding morphism f_N : 𝒰_a(N) → N are the unique occurrence c-net and c-net morphism satisfying the following equations.

m' = {(∅, s) : s ∈ m}
S' = m' ∪ {(t', s) : t' = (Mp, Mc, t) ∈ T' ∧ s ∈ t•}
T' = {(Mp, Mc, t) : Mp, Mc ⊆ S' ∧ Mp ∩ Mc = ∅ ∧ conc(Mp ∪ Mc) ∧ t ∈ T ∧ μf_S(Mp) = •t ∧ ⟦t̲⟧ ≤ μf_S(Mc) ≤ t̲}
F'_pre(t', s') iff t' = (Mp, Mc, t) ∧ s' ∈ Mp
C'(t', s') iff t' = (Mp, Mc, t) ∧ s' ∈ Mc
F'_post(t', s') iff s' = (t', s)
f_T(t') = t iff t' = (Mp, Mc, t)   (t ∈ T)
f_S(s', s) iff s' = (x, s)   (x ∈ T' ∪ {∅}, s ∈ S)

The unfolding can be effectively constructed by giving an inductive definition. Uniqueness follows from the fact that to each item in an occurrence c-net we can associate a finite depth. Places and transitions in the unfolding of a c-net represent respectively tokens and firings of transitions in the original net. Each place in the unfolding is a pair recording the "history" of the token and the corresponding place in the original net. Each transition is a triple recording the precondition and context used in the firing, and the corresponding transition in the original net. A new place with empty history (∅, s) is generated for each place s in the initial marking. Moreover, a new transition t' = (Mp, Mc, t) is inserted in the unfolding whenever we can find a concurrent set of places (precondition Mp and context Mc) that corresponds, in the original net, to a marking that enables t. For each place s in the post-set of such t, a new place (t', s) is generated, belonging to the post-set of t'. The folding morphism f maps each place (transition) of the unfolding to the corresponding place (transition) in the original net. We can now state the main result of this section, establishing a coreflection between weakly safe c-nets and occurrence c-nets.

Theorem 22. The unfolding construction extends to a functor 𝒰_a : WS-CN → O-CN which is right adjoint to the obvious inclusion functor 𝒥_o : O-CN → WS-CN and thus establishes a coreflection between WS-CN and O-CN. The component at an object N in WS-CN of the counit of the adjunction, f : 𝒥_o ∘ 𝒰_a → 1, is the folding morphism f_N : 𝒰_a(N) → N.
5
Occurrence c-nets and asymmetric event structures
We now show that the semantics of weakly safe c-nets given in terms of occurrence c-nets can be related with event structures and prime algebraic domain semantics. First we show that there exists a coreflection from aES to O-CN and thus aES's represent a suitable model for giving event-based semantics to c-nets. Given an occurrence c-net we obtain an aES simply by forgetting the places, but remembering the dependency relations that they induce between transitions, namely causality and asymmetric conflict. In the same way a morphism between occurrence c-nets naturally restricts to a morphism between the corresponding aES's.

Definition 23. Let E_a : O-CN → aES be the functor defined as:
- E_a(N) = (T, <_N, ↗_N) … (remainder of the definition illegible in the source).

The c-net N_a(G) = (S, T, F, C, m) associated to an aES G = (E, ≤, ↗) is defined as follows:
- m = {(∅, A, B) : A, B ⊆ E, ∀a ∈ A. ∀b ∈ B. a ↗ b ∨ a # b, ∀b, b' ∈ B. b ≠ b' ⟹ b # b'};
- S = m ∪ {(e, A, B) : A, B ⊆ E, e ∈ E, ∀x ∈ A ∪ B. e < x, ∀a ∈ A. ∀b ∈ B. a ↗ b ∨ a # b, ∀b, b' ∈ B. b ≠ b' ⟹ b # b'};
- T = E;
- F = (F_pre, F_post), with F_pre = {(e, s) : s = (x, A, B) ∈ S, e ∈ B}, F_post = {(e, s) : s = (e, A, B) ∈ S};
- C = {(e, s) : s = (x, A, B) ∈ S, e ∈ A}.
The generation process extends to a functor N_a : aES → O-CN. The only unexpected thing for the reader could be the fact that we insert a place that gives rise to asymmetric conflicts between the transitions of B and A, but we require only that all the transitions of B are in asymmetric conflict or in conflict with all the transitions in A. Therefore we add asymmetric conflicts between events that are in conflict. Abstracting from the formal details, this becomes very natural since, # being the symmetric conflict relation, we can think that conceptually t # t' implies t ↗ t'. The next proposition relates the causal dependency and asymmetric conflict relations of an aES with the corresponding relations of the c-net N_a(G). In particular it is useful in proving that N_a(G) is indeed an occurrence c-net.
Proposition 25. Let G = (E, ≤, ↗) be an aES and let N_a(G) be the net N = (S, T, F, C, m). Then for all e, e' ∈ E:
1. e <_N e' iff e < e';
2. e ↗_N e' iff e ↗ e' or e # e'.

Let G = (E, ≤, ↗) be an aES. By Proposition 25, E_a(N_a(G)) = (E, <, ↗ ∪ #). Therefore the identity on events η_G : G → E_a(N_a(G)), defined by η_G(e) = e for all e ∈ E, is an aES morphism. Moreover η_G^{-1} : E_a(N_a(G)) → G, again defined as the identity on events, is clearly a morphism, and η_G and η_G^{-1} are inverse to each other. Therefore η_G is an isomorphism. We are now able to state the main result of this section.

Theorem 26. The functor N_a : aES → O-CN is left adjoint to E_a : O-CN → aES and it establishes a coreflection from aES to O-CN. The unit of the coreflection is η : 1 → N_a ∘ E_a.

Such a result completes the chain of coreflections leading from WS-CN to Dom. Therefore, as claimed at the beginning, we provide weakly safe c-nets with a truly concurrent semantics, by associating to each weakly safe c-net a finitary prime algebraic domain. The construction works at the categorical level and establishes a coreflection between the corresponding categories.
Finally, notice that, as an easy extension, Winskel's coreflection between PES and Dom can be used to provide weakly safe c-nets with a traditional event structure semantics. The PES semantics is obtained from the aES semantics by introducing an event for each possible different history of events in the aES. This reflects the idea of duplication of events discussed in the introduction.
6
Conclusions and future work
We presented a truly concurrent event-based semantics for (weakly safe) P/T contextual nets. The semantics is given at the categorical level via a coreflection between the categories WS-CN of weakly safe c-nets and Dom of finitary prime algebraic domains (or equivalently PES of prime event structures). Such a coreflection factorizes through the following chain of coreflections:

WS-CN ⇄ O-CN ⇄ aES ⇄ Dom

with left adjoints 𝒥_o : O-CN → WS-CN, N_a : aES → O-CN and T_a : Dom → aES, and right adjoints 𝒰_a, E_a and L_a respectively.
It is worth noticing that such a construction associates to a safe c-net without context places (thus essentially a traditional safe net) the same domain produced by Winskel's construction, and therefore can be considered as a consistent extension of Winskel's result. The use of finitary prime algebraic domains, widely accepted as standard semantic models for concurrency, makes our result satisfactory. Moreover, the existence of a coreflection provides an abstract semantics (the domain associated to each c-net) and a standard choice in each class of equivalent c-nets (the c-net obtained by embedding the semantics into the category of nets), defined by a universal property. This is one of the more pleasant semantic frameworks one can desire. An immediate future work should be the generalization of these results to general P/T c-nets, based on a suitable extension of the notions of decorated occurrence net and family morphism introduced in [12] to give unfolding semantics to traditional P/T nets. Moreover, notions and results on c-nets can be seen as a first step towards the definition of an unfolding semantics for graph grammars. We think that the work on c-nets could be a guide for the introduction of the notions of non-deterministic occurrence graph grammar and graph grammar unfolding that are still lacking or not consolidated. Apart from the application to c-nets analyzed in this paper, asymmetric event structures seem to be rather promising in the semantic treatment of models of computation, such as string, term and graph rewriting, allowing context-sensitive firing of events. Therefore, as suggested in [16], it would be interesting to investigate the possibility of developing a general theory of event structures with asymmetric conflict (or weak causality) similar to that in [20].

References
1. G. Boudol. Flow Event Structures and Flow Nets. In Semantics of Systems of Concurrent Processes, volume 469 of LNCS, pages 62-95. Springer Verlag, 1990.
2. G. Boudol and I. Castellani. Permutation of transitions: an event structure semantics for CCS and SCCS. In Linear Time, Branching Time and Partial Order Semantics in Logics and Models for Concurrency, volume 354 of LNCS, pages 411-427. Springer Verlag, 1988.
3. N. Busi and R. Gorrieri. A Petri Nets Semantics for π-calculus. In Proceedings CONCUR'95, volume 962 of LNCS, pages 145-159. Springer Verlag, 1995.
4. N. Busi and G. M. Pinna. Non Sequential Semantics for Contextual P/T Nets. In Application and Theory of Petri Nets, volume 1091 of LNCS, pages 113-132. Springer Verlag, 1996.
5. S. Christensen and N. D. Hansen. Coloured Petri nets extended with place capacities, test arcs and inhibitor arcs. In M. Ajmone-Marsan, editor, Applications and Theory of Petri Nets, volume 691 of LNCS, pages 186-205. Springer Verlag, 1993.
6. A. Corradini. Concurrent Graph and Term Graph Rewriting. In U. Montanari and V. Sassone, editors, Proceedings CONCUR'96, volume 1119 of LNCS, pages 438-464. Springer Verlag, 1996.
7. N. De Francesco, U. Montanari, and G. Ristori. Modeling Concurrent Accesses to Shared Data via Petri Nets. In Programming Concepts, Methods and Calculi, IFIP Transactions A-56, pages 403-422. North Holland, 1994.
8. P. Degano, R. Gorrieri, and S. Vigna. On Relating Some Models for Concurrency. In M. C. Gaudel and J. P. Jouannaud, editors, 4th Conference on Theory and Practice of Software Development, volume 668 of LNCS, pages 15-30. Springer Verlag, 1993.
9. R. Janicki and M. Koutny. Invariant semantics of nets with inhibitor arcs. In Proceedings CONCUR'91, volume 527 of LNCS. Springer Verlag, 1991.
10. R. Janicki and M. Koutny. Semantics of inhibitor nets. Information and Computation, 123:1-16, 1995.
11. R. Langerak. Bundle Event Structures: A Non-Interleaving Semantics for Lotos. In 5th Intl. Conf. on Formal Description Techniques (FORTE'92), pages 331-346. North-Holland, 1992.
12. J. Meseguer, U. Montanari, and V. Sassone. On the semantics of Petri nets. In Proceedings CONCUR'92, volume 630 of LNCS, pages 286-301. Springer Verlag, 1992.
13. U. Montanari and F. Rossi. Contextual occurrence nets and concurrent constraint programming. In H.-J. Schneider and H. Ehrig, editors, Proceedings of the Dagstuhl Seminar 9301 on Graph Transformations in Computer Science, volume 776 of LNCS. Springer Verlag, 1994.
14. U. Montanari and F. Rossi. Contextual nets. Acta Informatica, 32, 1995.
15. G. M. Pinna and A. Poigné. On the nature of events. In Mathematical Foundations of Computer Science, volume 629 of LNCS, pages 430-441. Springer Verlag, 1992.
16. G. M. Pinna and A. Poigné. On the nature of events: another perspective in concurrency. Theoretical Computer Science, 138:425-454, 1995.
17. G. Ristori. Modelling Systems with Shared Resources via Petri Nets. PhD thesis, Università di Pisa, 1994.
18. W. Vogler. Efficiency of asynchronous systems and read arcs in Petri nets. Technical Report 352, Institut für Mathematik, Augsburg University, 1996.
19. W. Vogler. Partial Order Semantics and Read Arcs. In Mathematical Foundations of Computer Science, volume 1295 of LNCS, pages 508-518. Springer Verlag, 1997.
20. G. Winskel. Event Structures. In Petri Nets: Applications and Relationships to Other Models of Concurrency, volume 255 of LNCS, pages 325-392. Springer Verlag, 1987.
Pumping Lemmas for Timed Automata
Danièle Beauquier¹
Abstract. We remark that languages recognized by timed automata in the general case do not satisfy the classical Pumping Lemma (PL) well known in the theory of finite automata. In this paper we prove two weaker versions of the Pumping Lemma for timed words: a general one (DPL) where iterations preserve the duration of the timed word, and another, more restricted one (LPL) where iterations preserve the length of the timed word.
1
Introduction
An automata-theoretic approach to verification of timing requirements of real-time systems has been extensively developed in recent years using timed automata [1]; among recent papers we mention [2, 3], which influenced our work. A timed automaton is a finite automaton with a finite set of real-valued clocks. The clocks can be reset to zero within the transitions of the automaton and keep track of the time elapsed since the last reset. Some constraints on the clocks are attached both to locations (analogous to states of usual finite automata) and transitions of the automaton. Timed automata recognize finite or infinite timed words, which are right-continuous discrete-valued functions having letters as values. Several papers study timed automata from the perspective of formal language theory [1, 4]. Closure properties and some decision problems for deterministic and nondeterministic timed automata have been considered. In [4] a version of Kleene's theorem for timed automata has been elaborated. The authors prove that it is necessary to include intersection in the operations which define regular expressions. In this paper we are interested in another classic feature of regular languages, namely in properties of iterations usually called Pumping Lemmas. We prove that the general version of the Pumping Lemma does not hold for timed automata, giving a counter-example. This negative result underlines the fact that the introduction of dense time gives the languages recognized by timed automata a more complicated structure. Nevertheless we establish a weak version of the Pumping Lemma (DPL) where the iteration preserves the duration of the timed word. The part of this result concerning a positive iteration can be found also in [5] (this was pointed out by referees). The dual version (LPL) where the iteration preserves the length of the timed word is proved for a sub-family of timed automata, the strict timed automata. The paper is organized as follows: in section 2 we recall the definition of timed automata and timed words recognized by timed automata. Section 3 contains a series of lemmas concerning the iteration properties of runs of timed automata which are used in the last section. The last section studies different versions of the Pumping Lemma and their status with respect to regular languages.

¹ Address: University Paris-12, Dept. of Informatics, 61, Av. du Gén. de Gaulle, 94010 Créteil, France. E-mail: [email protected]

2
Timed Automata: Definitions

2.1
Timed words
Let Σ be a finite alphabet, and ℝ≥0 be the set of non-negative reals. A (finite) timed word is a right-continuous piecewise-constant function ξ : [0, k) → Σ for some k ∈ ℝ≥0 such that ξ has a finite number of discontinuities. If k is equal to 0, ξ is the empty word, denoted by ε. Here we slightly deviate from the definition given in [4], because the right-continuity of timed words seems to better reflect the semantics of the runs of timed automata. Every timed word ξ can be written (in many ways) as a1^{r1} a2^{r2} … an^{rn}, where ai ∈ Σ, ri ∈ ℝ+ and Σ ri = k, if ξ(t) = ai for t ∈ [r_{i−1}, r_i). If we impose ai ≠ a_{i+1}, then the representation of ξ is unique, the length of ξ, denoted by |ξ|, is equal to n, and its duration, denoted by d(ξ), is equal to k. Length and duration of ε are equal to zero. We denote by T(Σ) the set of all finite timed words over the alphabet Σ. For every ξ1, ξ2 ∈ T(Σ) with respective durations k1 and k2, their concatenation ξ1ξ2 is the timed word ξ with duration k1 + k2 such that for t ∈ [0, k1), ξ(t) = ξ1(t), and for t ∈ [k1, k1 + k2), ξ(t) = ξ2(t − k1). Clearly, |ξ1ξ2| ≤ |ξ1| + |ξ2| and d(ξ1ξ2) = d(ξ1) + d(ξ2). For u = a1^{r1} a2^{r2} … an^{rn} and a positive integer p, denote by u_p the timed word a1^{r1/p} a2^{r2/p} … an^{rn/p}. We have |u_p| = |u| and d(u_p) = d(u)/p. Note that (u_p)^p = u iff u is of the form a^r for some a ∈ Σ. A timed language over the alphabet Σ is a subset of the set of timed words T(Σ).

2.2
Timed automata
Timed automata were introduced by R. Alur and D. Dill [1]. A timed automaton consists of a finite number of locations supplied with clocks and constraints in terms of equalities and inequalities involving clocks. The edges of the automaton now depend on time, and this makes the automaton more powerful than the classical one. The clocks of an automaton constitute a finite set of identifiers. Given a set C of clocks, the set of clock constraints, denoted by guard(C), is the set of formulas of the form:
- true, false, c ∼ n where c ∈ C, n ∈ ℕ and ∼ ∈ {>, <, =},
- f1 ∧ f2, f1 ∨ f2 where f1 and f2 are formulas in guard(C).

A timed automaton over Σ is a tuple A = (S, λ, μ, s_init, F, C, E) where:
• S is a finite set of locations,
• C is a finite set of clocks,
• λ : S → Σ is an output function,
• μ : S → guard(C) assigns to each location a guard called the invariant of the location,
• s_init ∈ S is the initial location,
• F ⊆ S is a set of final locations,
• E ⊆ S × guard(C) × 2^C × S gives the set of edges between locations, labeled by sets of clocks and formulas.

Let (s, s', r, δ) be an edge from s to s'. The set r ⊆ C gives the set of clocks to be reset and δ is a clock constraint in guard(C) to be satisfied when following this edge. A clock assignment for a set of clocks C is a function ν from C to ℝ, i.e. ν ∈ ℝ^C. A state of the system is a triple of the form (s, ν, t), where s ∈ S, ν ∈ ℝ^C, and t ∈ ℝ≥0. By ν + t, where t ∈ ℝ, we denote the clock assignment which assigns to every clock c the value ν(c) + t. In the same way, if A is a state (s, ν, τ), A + t denotes the state (s, ν + t, τ + t). Let ν be a clock assignment. For X ⊆ C, we denote by [X]ν the clock assignment which assigns 0 to each c in X and agrees with ν over the rest of the clocks. A transition is a pair of states α = ((s, ν, t), (s', ν', t')) of the automaton A, with an edge (s, s', r, δ) ∈ E such that
• ν + t' − t satisfies δ,
• for all τ ∈ [0, t' − t), ν + τ satisfies μ(s),
• ν' = [r](ν + t' − t) and ν' satisfies μ(s').
The value t' − t is called the delay of the transition. Now let us define a finite run of a timed automaton, simply called a run below. A finite run ρ is a pair of sequences (S(ρ), E(ρ)) such that S(ρ) is a sequence of states ((s_i, ν_i, t_i))_{0≤i≤n} and E(ρ) is a sequence of edges (s_{i−1}, s_i, r_i, δ_i)_{0 … (the remainder of this definition is missing from the source).
A finite timed word over the alphabet $\Sigma$ is recognized or accepted by the automaton $\mathcal{A}$ if it is the trace of an accepting run of $\mathcal{A}$. The set of finite timed words recognized by the automaton $\mathcal{A}$ is denoted by $L(\mathcal{A})$.

Example. The language accepted by the automaton of Figure 1, where $s_2$ is the final location, is:

$\{a^{r_0} b^{q_0} a^{r_1} b^{q_1} \cdots a^{r_n} b^{q_n} \mid n > 0,\ r_0 = 1,\ q_0 < 1,\ \text{for } i = 1, \ldots, n:\ q_{i-1} + r_i = 1 \text{ and } r_i + q_i < 1\} \cup \{a^{r_0} b^{q_0} \mid r_0 = 1,\ q_0 > 0\}$.

Fig. 1. [figure not reproduced; only the edge labels (x=1), {x}; true, {y}; (y ...) survive]

Here the function $\mu$ is the constant "true". A sample word accepted by the automaton is $a^1 b^{0.7} a^{0.3} b^{0.2} a^{0.8} b^{0.1}$. Every timed word accepted by this automaton has the property that the sequence $(q_i)$ of exponents of the letter $b$ is strictly decreasing.

Two finite runs $\rho_1$ and $\rho_2$ are equivalent if they have the same extremities, i.e. their first and last states are respectively equal: $S(\rho_1)(0) = S(\rho_2)(0)$ and $S(\rho_1)(k) = S(\rho_2)(l)$, where $k$ and $l$ are the lengths of $\rho_1$ and $\rho_2$ respectively. Clearly, two equivalent runs have the same duration.

2.3 Clock regions
The set of states of a timed automaton is infinite. The set of clock regions is a finite set obtained as the quotient of an equivalence relation among the clock assignments. More details about this notion of region can be found in [1]. Let $K_0$ be the greatest constant appearing in the clock constraints of the automaton. Recall that clock constants are natural numbers. For clock assignments $v$ and $v'$ in $\mathbb{R}^C$ we say that $v \equiv v'$ iff the following conditions are met:
- For each clock $x \in C$, either $\lfloor v(x) \rfloor$ and $\lfloor v'(x) \rfloor$ are the same, or both are greater than $K_0$;
- For every pair of clocks $x, y \in C$ such that $v(x) \le K_0$ and $v(y) \le K_0$:
  1. $fract(v(x)) \ge fract(v(y))$ iff $fract(v'(x)) \ge fract(v'(y))$,
  2. $fract(v(x)) = 0$ iff $fract(v'(x)) = 0$.

The relation $\equiv$ is an equivalence relation, and $[v]$ will denote the equivalence class of $\mathbb{R}^C$ to which $v$ belongs. A clock region is such an equivalence class. There are only finitely many such regions. Note that $v \equiv v'$ does not necessarily imply $v + t \equiv v' + t$.
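The region equivalence just defined, as an added Python example that is not part of the paper: `same_region` implements the two conditions of Section 2.3 (the clocks checked in the second condition are selected by either assignment, so the coded relation is symmetric), `count_regions` enumerates the finitely many regions for a constructed clock set, and `demo` reproduces the closing remark that $\equiv$ is not preserved when time elapses. All clock values and $K_0$ are constructed.

```python
from fractions import Fraction as F
import itertools
import math


def fract(q):
    return q - math.floor(q)


def same_region(v, w, k0):
    """Region equivalence v == w of Section 2.3 for clock assignments v, w
    (dict clock -> Fraction) when K0 = k0."""
    for c in v:
        # (1) integer parts agree, or both values exceed K0
        if not (math.floor(v[c]) == math.floor(w[c]) or (v[c] > k0 and w[c] > k0)):
            return False
    # (2) clocks not above K0; chosen by either assignment so the relation is symmetric
    small = [c for c in v if v[c] <= k0 or w[c] <= k0]
    for x in small:
        if (fract(v[x]) == 0) != (fract(w[x]) == 0):
            return False
        for y in small:
            if (fract(v[x]) >= fract(v[y])) != (fract(w[x]) >= fract(w[y])):
                return False
    return True


def shift(v, t):
    """The assignment v + t of Section 2."""
    return {c: val + t for c, val in v.items()}


def count_regions(clocks, k0):
    """Count the regions for `clocks` and K0 = k0: grid points with fractional step
    1/(n+1) realise every ordering of fractional parts (including ties and zeros),
    so keeping one representative per class counts all regions."""
    n = len(clocks)
    grid = [F(i, n + 1) for i in range((k0 + 1) * (n + 1) + 1)]
    reps = []
    for vals in itertools.product(grid, repeat=n):
        v = dict(zip(clocks, vals))
        if not any(same_region(v, r, k0) for r in reps):
            reps.append(v)
    return len(reps)


# Constructed clock assignments over clocks x, y with K0 = 1.
K0 = 1
V = {"x": F(3, 10), "y": F(1, 2)}
W = {"x": F(1, 5), "y": F(9, 10)}


def demo():
    """V and W lie in the same region (integer parts 0, fract(x) < fract(y) in both),
    but after 0.2 time units y crosses 1 in W only, so the shifted assignments
    fall into different regions."""
    before = same_region(V, W, K0)
    after = same_region(shift(V, F(1, 5)), shift(W, F(1, 5)), K0)
    return before, after


if __name__ == "__main__":
    print(demo())                          # (True, False)
    print(count_regions(["x", "y"], K0))   # 18
```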
3 Finite runs of timed automata
The set of finite runs of a timed automaton has a natural structure of partial monoid. Given two runs $\rho = ((s_i, v_i, t_i))_{i=0,\ldots,k}$ and $\rho' = ((s'_i, v'_i, t'_i))_{i=0,\ldots,k'}$ such that the last state of $\rho$, $(s_k, v_k, t_k)$, is equal to the first state of $\rho'$, $(s'_0, v'_0, t'_0)$, we define the run $\rho'' = \rho\rho'$ as follows: $\rho'' = ((s''_i, v''_i, t''_i))_{i=0,\ldots,k+k'}$ where $(s''_i, v''_i, t''_i) = (s_i, v_i, t_i)$ for $i = 0, \ldots, k$ and $(s''_{k+i}, v''_{k+i}, t''_{k+i}) = (s'_i, v'_i, t'_i)$ for $i = 1, \ldots, k'$. Note that it is a partial law. In particular, if $\rho$ is a run with positive length, $\rho^2$ is never defined because, unlike [1, 4], we add the absolute time in the states of the timed automaton.

A finite run $\rho = ((s_i, v_i, t_i))_{i=0,\ldots,k}$ is a pseudo-cycle if $s_k = s_0$ and $[v_k] = [v_0]$.

The main notion in this part is the notion of conjugation. Two runs $\rho = ((s_i, v_i, t_i))_{i=0,\ldots,k}$ and $\rho' = ((s'_i, v'_i, t'_i))_{i=0,\ldots,k}$ of length $k > 0$ are conjugate if $E(\rho) = E(\rho')$, $[v_i] = [v'_i]$ for $i = 0, \ldots, k$, and $t'_i - t'_{i-1} = t_i - t_{i-1}$ for $i = 1, \ldots, k$.

Let $n$ be a positive integer and $\rho = ((s_i, v_i, t_i))_{i=0,\ldots,k}$ and $\rho' = ((s'_i, v'_i, t'_i))_{i=0,\ldots,k}$ be two runs. The run $\rho'$ is a $1/n$-conjugate of the run $\rho$ if $E(\rho') = E(\rho)$, $[v'_i] = [v_i]$ for $i = 0, \ldots, k$, and
$t'_i - t'_{i-1} = \dfrac{t_i - t_{i-1}}{n}$ for $i = 1, \ldots, k$.
If $n = 1$, $\rho'$ is called simply a conjugate of $\rho$. From the definition of a $1/n$-conjugate we can deduce:

Lemma 1 (1) If $\rho'$ is a $1/n$-conjugate of $\rho$, then $d(\rho') = \frac{1}{n} d(\rho)$. (2) Given a run $\rho$ with first state $(s_0, v_0, t_0)$, and a clock assignment $v'_0$, there is at most one $1/n$-conjugate of $\rho$ with its first state equal to $(s_0, v'_0, t_0)$. (3) Two $1/n$-conjugates of a run $\rho$ have the same trace.
Given a finite run $\rho$ there exists at most one run which can be written $\rho_1 \rho_2 \cdots \rho_n$, where for $i = 1, \ldots, n$, $\rho_i$ is a $1/n$-conjugate of $\rho$ and $\rho_1$ has the same first state as $\rho$. This unique run, when it exists, is denoted by $\rho^n$ and called the $n$-iteration of $\rho$. It satisfies the following property:

Lemma 2 If $\rho^n$ exists for some $n > 1$, then (1) $d(\rho^n) = d(\rho)$ and $|\rho^n| = n|\rho|$, (2) $\rho$ is a pseudo-cycle.

Proof. (1) is clear from the definition of a $1/n$-conjugate. To prove (2) note that the last state of $\rho_1$ is equal to the first state of $\rho_2$, and so it implies that $\rho$ is a pseudo-cycle. □
We say that a clock $c$ crosses an integer value during the run $\rho = ((s_i, v_i, t_i))_{i \le n}$ if there is a transition $((s_i, v_i, t_i), (s_{i+1}, v_{i+1}, t_{i+1}))$ and some $t \in [0, t_{i+1} - t_i]$ such that $v_i(c) + t$ is a positive integer. Clearly we have:

Lemma 3 If a finite run is such that no clock crosses an integer value during it, the value of the delay of any transition of the run is strictly less than 1.

Let $X$ be a subset of clocks. Two states $A = (s, v, t)$ and $A' = (s, v', t')$ are $X$-equal if they satisfy: if $c \in X$ then $v(c) = v'(c)$, and if $c \notin X$ then $v(c)$ and $v'(c)$ are both strictly less than 1 and $v(c) = 0 \Leftrightarrow v'(c) = 0$. Transitions where clocks do not cross an integer value have the following basic property:

Lemma 4 Let $\mathcal{A}$ be a timed automaton, $X$ be a subset of clocks, and $A = (s, v, t)$, $A' = (s, v', t')$ be two $X$-equal states of $\mathcal{A}$. Suppose there exists a transition from state $A$ to some state $B$ with edge $e$ and delay $\tau$ where the clocks do not cross an integer value. Suppose at last that for $c \notin X$ we have $v'(c) + \tau < 1$; then there exists a transition from $A'$ to some state $B'$ with the same edge $e$ and the same delay; moreover $B$ and $B'$ are $X$-equal.

Proof. Let us consider the transition from state $A$ to state $B = (s_1, [\phi](v + \tau), t + \tau)$ with edge $e = (s, s_1, \phi, \delta)$. For an atomic proposition $c \sim n$ where $\sim\, \in \{>, <, =\}$ and $n \in \mathbb{N}$, consider two cases: $c$ belongs to $X$ or not.
- Case 1: $c \in X$. For every $\tau' \in [0, \tau]$, $(v' + \tau')(c) = (v + \tau')(c)$. So $(v + \tau')(c)$ satisfies $c \sim n$ iff $(v' + \tau')(c)$ satisfies $c \sim n$.
- Case 2: $c \notin X$. For every $\tau' \in [0, \tau]$, $(v + \tau')(c)$ is strictly less than 1 because in the transition the clocks do not cross an integer value, and $(v' + \tau')(c)$ is also strictly less than 1. So $(v' + \tau')(c)$ satisfies $c \sim n$ iff $(v + \tau')(c)$ satisfies $c \sim n$.
At last, for the same reasons, $[\phi](v + \tau)$ and $[\phi](v' + \tau)$ satisfy exactly the same set of atomic propositions. So there is a transition with the edge $e$, the same delay $\tau$, from $A'$ to $B' = (s_1, [\phi](v' + \tau), t' + \tau)$. Clearly, $B$ and $B'$ are $X$-equal. □
By induction on the length of a run we can deduce the following lemma:

Lemma 5 Let $\mathcal{A}$ be a timed automaton, $X$ be a subset of clocks, and $A = (s, v, t)$, $A' = (s, v', t')$ be two $X$-equal states of $\mathcal{A}$. Suppose there exists a run $\rho$ from $A$ with duration $\tau$ where the clocks do not cross an integer value. Suppose at last that for $c \notin X$, $v'(c) + \tau < 1$; then there exists a run $\rho'$, conjugate of $\rho$, starting from $A'$. Moreover the terminal states of $\rho$ and $\rho'$ are $X$-equal.

The reset of a finite run $((s_i, v_i, t_i))_i$
then $\rho^n$ exists for every positive integer $n$.

Proof. Let $R$ be equal to $reset(\rho)$. First we prove that there exists a $1/n$-conjugate $\rho_1$ of $\rho$ starting in the same state as $\rho$. Let $\rho = (A_0, A_1, \ldots, A_p)$, $E(\rho) = (e_1, \ldots, e_p)$, and denote by $t_i$ the delay of transition $(A_{i-1}, A_i)$. We prove that there is a transition from state $A_0 = (s, v, t)$ using edge $e_1 = (s, s', \phi_1, \delta_1)$ with delay $t_1/n$, to state $A'_1 = (s', [\phi_1](v + t_1/n), t + t_1/n)$. Let $c > k$ be an atomic proposition and consider a value $\tau \in [0, t_1]$. Then $A_0 + \tau$ satisfies $c > k$ iff $A_0 + \tau/n$ satisfies $c > k$, because $c$ cannot cross an integer value during the run. The same holds for an atomic proposition $c < k$. And a constraint $c = k$ is never satisfied, neither by $A_0 + \tau$ nor by $A_0 + \tau/n$. At last, for the same reason, $[\phi_1](v + t_1/n)$ and $[\phi_1](v + t_1)$ satisfy the same atomic propositions. So there is a transition from $A_0$ with delay $t_1/n$, using edge $e_1$, and arriving in $A'_1$. Moreover we have $A'_1 \equiv A_1$. Indeed, clocks in $\phi_1$ are equal to 0 in both $A_1$ and $A'_1$. Let $c, c'$ be two clocks not in $\phi_1$. If $fract(v(c) + t_1) < fract(v(c') + t_1)$ then $fract(v(c) + t_1/n) < fract(v(c') + t_1/n)$, and $fract(c)$ is non-zero in both $A_1$ and $A'_1$. So we have $A_1 \equiv A'_1$.

Suppose we have proved that there exists a run $(A_0, A'_1, \ldots, A'_i)$, with edges $(e_1, \ldots, e_i)$ and delays $t_1/n, \ldots, t_i/n$, such that $A'_j \equiv A_j$ for $j = 1, \ldots, i$. Let $c$ be a clock, and denote by $c_i$ its value in $A_i$ and by $c'_i$ its value in $A'_i$. Let $\tau \in [0, t_{i+1}]$.
- If $c \notin R$, or if $c$ has not yet been reset to zero between $A_0$ and $A_i$, then $c_i = c_0 + \sum_{j=1,\ldots,i} t_j$ and $c'_i = c_0 + \sum_{j=1,\ldots,i} t_j/n$. States $A_i + \tau$ and $A'_i + \tau/n$ satisfy the same atomic propositions concerning the clock $c$, again because $c$ cannot cross an integer value during the run.
- If $c \in R$ and $c$ has been reset to zero between $A_0$ and $A_i$, then the values of $c$ in $A_i + \tau$ and in $A'_i + \tau/n$ are strictly less than 1, thus $A_i + \tau$ and $A'_i + \tau/n$ satisfy the same constraints relative to $c$.
At last, let $\phi$ be the reset of the edge $e_{i+1}$. The same arguments prove that $[\phi](v_i + t_{i+1})$ and $[\phi](v'_i + t_{i+1}/n)$ satisfy the same atomic propositions. So there is a transition from $A'_i$ with edge $e_{i+1}$ and delay $t_{i+1}/n$, and $A'_{i+1} \equiv A_{i+1}$. We have proved by induction the existence of a $1/n$-conjugate $\rho_1$ of $\rho$ starting in the same state as $\rho$.

Suppose we have defined $\rho_1, \ldots, \rho_i$, some $1/n$-conjugates of $\rho$ such that the product $\rho_1 \cdots \rho_i$ exists, with $i < n$. Let $T$ be the duration of $\rho$. Consider the state $Y_i$ which is the last state of $\rho_i$. Let $c$ be a clock, and denote by $c_i$ its value in $Y_i$. If $c \notin R$, then $c_i = c_0 + iT/n$, and if $c \in R$ then its values in $Y_i$ and in $A_0$ are less than 1. So we can repeat the same reasoning and prove that there is a $1/n$-conjugate $\rho_{i+1}$ of $\rho$ starting in $Y_i$. Actually, since $\rho$ is a pseudo-cycle we have $A_0 \equiv A_p$, and on the other hand $Y_i \equiv A_p$, so $Y_i \equiv A_0$. And the lemma is proved. □

Note that in general $\rho^n$
is not equivalent to $\rho$. We need some synchronization to get two equivalent runs. It is done in the lemma below.

Lemma 7 Let $\rho$ be a run with duration strictly less than 1 such that $\rho = \rho_1 \beta \rho_2$, where $\rho_1, \rho_2$ are pseudo-cycles with the same reset. Suppose that no clock crosses an integer value during the run $\rho$; then for every positive integer $n$ there exists a conjugate $\beta' \rho'_2$ of $\beta \rho_2$ such that the run $\rho_1^n \beta' \rho'_2$ exists and is equivalent to $\rho$.

Proof. If $n = 1$ there is nothing to prove. Suppose $n > 1$. Let $\rho$ be a run such that $\rho = \rho_1 \beta \rho_2$ where $\rho_1$ and $\rho_2$ are pseudo-cycles and $reset(\rho_1) = reset(\rho_2) = Z$. Suppose that $\rho_1$ starts in $A$ and finishes in $A'$, and $\rho_2$ starts in $B$ and finishes in $B'$. The run $\rho_1$ satisfies the hypothesis of Lemma 6. So $\rho_1^n$ exists and finishes in some state $Y$. Observe that if $A' = (s_{A'}, v_{A'}, t_{A'})$ and $Y = (s_Y, v_Y, t_Y)$, then $s_Y = s_{A'}$, $t_Y = t_{A'}$ and the states $A'$ and $Y$ are $X$-equal, where $X$ is the complement of $Z$. Moreover, we have $v_Y(c) \le v_{A'}(c)$ for every clock $c$. Denote by $\tau$ the duration of the run $\beta \rho_2$. Since $\rho$ has a duration strictly less than 1, we can guarantee that for every clock $c \in Z$ we have $v_Y(c) + \tau \le v_{A'}(c) + \tau < 1$. On the other hand, the run $\beta \rho_2$ is such that no clock crosses an integer value, so applying Lemma 5 we prove that there exists a run $\beta' \rho'_2$, conjugate of $\beta \rho_2$, starting in $Y$ and arriving in some state $B''$. We claim that $B'' = B'$. Actually, the clocks reset during $\rho_2$ are also reset during $\rho'_2$ and have the same value in $B'$ and in $B''$, because the two runs are conjugate and so the delays are the same. The clocks not reset during $\rho_2$ were not reset during $\rho_1$, so they have the same value in $Y$ and in $A'$, and then also in $B'$ and $B''$. And we can conclude that $\rho_1^n \beta' \rho'_2$ exists and is equivalent to $\rho$. □
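The transition rule of Section 2 and the $1/n$-conjugate construction of Lemma 6, as an added Python example that is not part of the paper. The automaton (locations s0, s1, clocks x and y), the runs and the clock values are constructed; `is_pseudo_cycle` tests exact equality of the first and last clock assignments, a special case of the paper's pseudo-cycle. It shows that scaling every delay by $1/n$ keeps a run valid when no clock crosses an integer (so $\rho^n$ exists with the duration of $\rho$ and $n$ times its length), and fails on a run where a clock does cross one.

```python
from fractions import Fraction as F
import math

# Constructed toy automaton: guards and invariants are conjunctions of atoms (clock, op, n).
INVARIANT = {"s0": [("y", "<", 1)], "s1": [("x", "<", 1)]}
EDGES = {  # edge name -> (source, target, reset set phi, guard delta)
    "e1": ("s0", "s1", {"x"}, [("x", "<", 1)]),
    "e2": ("s1", "s0", {"x", "y"}, [("y", "<", 1)]),
    "e3": ("s0", "s0", {"x"}, [("x", ">", 1)]),
}
OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}


def satisfies(v, guard):
    return all(OPS[op](v[c], F(n)) for c, op, n in guard)


def shift(v, t):
    return {c: val + t for c, val in v.items()}


def reset(v, phi):
    return {c: (F(0) if c in phi else val) for c, val in v.items()}


def holds_on_interval(v, guard, delay):
    """guard at every tau in [0, delay): atoms compare clocks with integers, so their
    truth can only change where some v(c)+tau is an integer; testing those breakpoints
    and the midpoints between them (exact Fractions) therefore covers the interval."""
    pts = {F(0), delay}
    for val in v.values():
        k = math.floor(val) + 1
        while k - val < delay:
            pts.add(k - val)
            k += 1
    pts = sorted(pts)
    samples = [p for p in pts if p < delay] + [(a + b) / 2 for a, b in zip(pts, pts[1:])]
    return all(satisfies(shift(v, tau), guard) for tau in samples)


def transition(state, edge, delay):
    """Target state if `edge` can be taken `delay` time units after `state`
    (the three conditions of the transition definition), else None."""
    s, v, t = state
    src, dst, phi, delta = EDGES[edge]
    if src != s or not satisfies(shift(v, delay), delta):
        return None
    if not holds_on_interval(v, INVARIANT[s], delay):
        return None
    v2 = reset(shift(v, delay), phi)
    return (dst, v2, t + delay) if satisfies(v2, INVARIANT[dst]) else None


def follow(state, steps):
    """States of the run taking `steps` = [(edge, delay), ...] from `state`, or None."""
    states = [state]
    for e, d in steps:
        nxt = transition(states[-1], e, d)
        if nxt is None:
            return None
        states.append(nxt)
    return states


def crosses_integer(states, steps):
    """True if some clock reaches a positive integer during some transition (Section 3)."""
    for (_, v, _), (_, d) in zip(states, steps):
        for val in v.values():
            if max(1, math.ceil(val)) <= val + d:
                return True
    return False


def is_pseudo_cycle(states):
    return states[0][0] == states[-1][0] and states[0][1] == states[-1][1]


def n_iteration(state, steps, n):
    """Candidate rho^n of Lemma 6: n copies of rho with every delay divided by n."""
    scaled = [(e, d / n) for e, d in steps] * n
    return follow(state, scaled)


def duration(states):
    return states[-1][2] - states[0][2]


# Constructed pseudo-cycle rho from A0: no clock crosses an integer, so rho^n exists.
A0 = ("s0", {"x": F(0), "y": F(0)}, F(0))
RHO = [("e1", F(1, 5)), ("e2", F(1, 10))]
# Constructed run sigma where x crosses 1: halving its delay breaks the guard x > 1.
B0 = ("s0", {"x": F(1, 2), "y": F(0)}, F(0))
SIGMA = [("e3", F(3, 5))]

if __name__ == "__main__":
    print(is_pseudo_cycle(follow(A0, RHO)), crosses_integer(follow(A0, RHO), RHO))  # True False
    print(len(n_iteration(A0, RHO, 3)) - 1, duration(n_iteration(A0, RHO, 3)))      # 6 3/10
    print(crosses_integer(follow(B0, SIGMA), SIGMA), n_iteration(B0, SIGMA, 2))     # True None
```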
Lemma 8 Let $\rho$ be a run where no clock crosses an integer value, with duration strictly less than 1, and such that $\rho = \rho_1 \beta \rho_2 x \gamma \rho_3$, where $\rho_1, \rho_2$ and $\rho_3$ are pseudo-cycles with the same reset and $|x| = 1$. There exists a transition $x'$ and a conjugate $\gamma' \rho'_3$ of $\gamma \rho_3$ such that $\rho_1 \beta x' \gamma' \rho'_3$ exists and is equivalent to $\rho$.

Proof. Suppose that $\rho$ contains three disjoint successive pseudo-cycles $\rho_1, \rho_2, \rho_3$ with the same reset. The pseudo-cycle $\rho_1$ begins in $A$ and finishes in $A'$, $\rho_2$ begins in $B$ and finishes in $B'$, $\rho_3$ begins in $C$ and finishes in $C'$. Let $t$ be the duration of $\rho$ from $B$ to $B'$ and $B'_1$ be the successor of $B'$ in $\rho$. The transition $(B', B'_1)$ has a delay $t_0$ and corresponds to some edge $e = (s, s_1, \phi, \delta)$. Let $B = (s, v_B, t_B)$, $B' = (s, v_{B'}, t_{B'})$, $B'_1 = (s_1, v_{B'_1}, t_{B'_1})$. Then $t_{B'} - t_B = t$ and $t_{B'_1} - t_{B'} = t_0$. We will prove that from $B$ there is a possible transition using the edge $e$, with a delay equal to $t + t_0$, to some state $B''_1$, $R$-equal to $B'_1$, with $R$ being equal to the complement of $reset(\rho_2)$. We have to verify three conditions.
(1) For every $\tau \in [0, t + t_0)$, $v_B + \tau$ satisfies $\mu(s_B)$;
(2) $v_B + t + t_0$ satisfies $\delta$;
(3) $[\phi](v_B + t + t_0)$ satisfies $\mu(s_1)$.
Condition (1): Due to the fact that the clocks do not cross an integer value during the run and the run has a duration less than 1, for every clock $c$ there is a unique interval $[k, k + 1)$, with $k \in \mathbb{N}$, to which the value of the clock belongs during the whole run $\rho$. Let $c$ be a clock, and $\tau \in [0, t + t_0)$. If $c \in reset(\rho_2) = reset(\rho_1)$ then $(v_B + \tau)(c)$ is less than 1, as is $v_B(c)$. If $c \notin reset(\rho_2)$, then $v_{B'}(c) = v_B(c) + t$, and $v_B(c)$, $v_{B'}(c)$, $v_{B'}(c) + t_0$ belong to the same interval $[k, k + 1)$, and $(v_B + \tau)(c)$ belongs to this interval. Since $v_B$ satisfies $\mu(s_B)$, $v_B + \tau$ satisfies $\mu(s_B)$ as well.
Condition (2): The clocks which do not belong to $reset(\rho_2)$ have the same value in $v_B + t + t_0$ and in $v_{B'} + t_0$. The clocks which belong to $reset(\rho_2) = reset(\rho_1)$ have a value less than 1 in $v_B + t + t_0$ and in $v_{B'} + t_0$. Since $v_{B'} + t_0$ satisfies $\delta$, $v_B + t + t_0$ satisfies $\delta$ as well.
Condition (3): In the same way, since $[\phi](v_{B'} + t_0)$ satisfies $\mu(s_1)$, $[\phi](v_B + t + t_0)$ satisfies $\mu(s_1)$ as well.
So there is a transition $x'$ from $B = (s, v_B, t_B)$ to $B''_1 = (s_1, [\phi](v_B + t + t_0), t_B + t + t_0)$. And $t_{B''_1} = t_B + t + t_0 = t_{B'} + t_0 = t_{B'_1}$. The main point is that $B'_1$ and $B''_1$ are $R$-equal, where $R$ is the complement of $reset(\rho_2)$. Indeed:
- if $c \in \phi$ then $v_{B'_1}(c)$ and $v_{B''_1}(c)$ are both equal to 0,
- if $c \notin \phi$ and $c \notin reset(\rho_2)$ then $v_{B'_1}(c) = v_{B'}(c) + t_0 = v_B(c) + t + t_0 = v_{B''_1}(c)$,
- if $c \notin \phi$ and $c \in reset(\rho_2)$ then $v_{B'_1}(c)$ and $v_{B''_1}(c)$ are both strictly less than 1.
Let $\tau$ be the duration of $\gamma \rho_3$. For every clock $c \in reset(\rho_1)$ we have $v_B(c) + t + t_0 + \tau < 1$, since the duration of $\rho$ is strictly less than 1. So $v_B(c) + t + t_0 + \tau = v_{B''_1}(c) + \tau < 1$ for $c \in reset(\rho_1)$, and we can apply Lemma 5 to the states $B'_1$ and $B''_1$. There is a run $\gamma' \rho'_3$ starting in $B''_1$, conjugate of $\gamma \rho_3$, arriving in some state $C''$. Now we prove that $C'' = C'$. Let $C' = (s_{C'}, v_{C'}, t_{C'})$ and $C'' = (s_{C''}, v_{C''}, t_{C''})$. Surely $s_{C''} = s_{C'}$ and $t_{C''} = t_{C'}$. Compare the values of the clocks in $C'$ and $C''$, that is $v_{C'}$ and $v_{C''}$.
- The clocks which are reset to 0 in $\gamma' \rho'_3$ between $B''_1$ and $C''$ are the same as the clocks reset during the run $\gamma \rho_3$ between $B'_1$ and $C'$, and since the durations of the transitions are the same, these clocks have the same value in $C'$ and $C''$.
- The clocks not reset between $B'_1$ and $C'$ in $\gamma \rho_3$ (and so between $B''_1$ and $C''$ in $\gamma' \rho'_3$) have never been reset between $B$ and $B'_1$ in $\rho_2 x$, nor between $B$ and $B''_1$ in $x'$. So their values are the same in $B'_1$ and $B''_1$, and then remain the same in $C'$ and $C''$. □
Let $\mathcal{A}$ be a timed automaton, $C$ be its set of clocks, $m$ be the number of regions of $\mathcal{A}$, and $K_0$ be the constant equal to $(2 \cdot 2^{|C|} + 1)(|S|m + 1)$.

Proposition 1 If a run $\rho$ with duration strictly less than 1 has a length greater than or equal to $(|C| + 1)K_0$, then $\rho$ can be written $\alpha \rho_1 \beta \rho_2 x \gamma \rho_3 \eta$ with $|x| = 1$ such that: (1) there exists some transition $x'$ and some conjugate $\gamma' \rho'_3$ of $\gamma \rho_3$ with the run $\alpha \rho_1 \beta x' \gamma' \rho'_3 \eta$ equivalent to $\rho$; (2) for every positive integer $n$ there is a conjugate $x' \gamma' \rho'_3$ of $x \gamma \rho_3$ such that $\alpha \rho_1 \beta \rho_2^n x' \gamma' \rho'_3 \eta$ is equivalent to $\rho$.

Proof. There are at most $|C|$ moments during this run when a clock can cross an integer value, because the duration of the run is less than 1 and thus a clock can cross an integer value only once. So, since $\rho$ has a length of more than $(|C| + 1)K_0$, there is a finite run $\rho'$, part of $\rho$, with length at least $K_0 = (2 \cdot 2^{|C|} + 1)(|S|m + 1)$ where no clock crosses an integer value. This run $\rho'$ contains $2 \cdot 2^{|C|} + 1$ disjoint parts which are pseudo-cycles, because every run of length $|S|m$ contains a pseudo-cycle. And among these pseudo-cycles at least three have the same reset. The factor $|S|m + 1$ in $K_0$ instead of $|S|m$ ensures that the pseudo-cycles are not only disjoint but are separated by at least one transition, which justifies the existence of the transition $x$. Then we apply Lemmas 7 and 8. □
4 Pumping Lemmas
Here we discuss some versions of the "Pumping Lemma" for a given language $L \subseteq T(\Sigma)$, as a natural extension of the classical one [6]. There are two versions, according to whether "large words" are considered with respect to their duration or to their length. For timed words the classical Pumping Lemma could be stated as follows:

Pumping Lemma Property (PL) There exists a constant $K > 0$ such that for every timed word $u \in L$ with length (respectively duration) more than $K$, there exist timed words $v, w, z$, $w \ne \varepsilon$, which satisfy: $u = vwz$ and for every integer $n \ge 0$, $v w^n z \in L$.

Proposition 2 There is a timed automaton $\mathcal{A}$ such that $L(\mathcal{A})$ does not satisfy (PL).

Proof. Consider the automaton of Figure 1. Suppose it satisfies the Pumping Lemma Property (PL) for the "duration" version. Let $K$ be a constant for which the property holds. There exists a timed word $u$ in $L(\mathcal{A})$ with $d(u) > K$. We can choose $u$ of the form $a^{r_0} b^{q_0} a^{r_1} b^{q_1} \cdots a^{r_p} b^{q_p}$ with $p > 0$. By our assumption there are words $v, w, z$ such that $u = vwz$ and $v w^n z \in L$ for every integer $n \ge 0$. Several cases are to be considered for $w$. If $w = a^r$, $r > 0$, there exists an integer $n$ such that $nr > 1$. So $v w^n z$ does not belong to $L(\mathcal{A})$. The same holds if $w = b^r$, $r > 0$.
If $w$ contains both letters $a$ and $b$, then $w^2$ cannot be a factor of a word in $L(\mathcal{A})$ because the sequence of exponents of the letter $b$ would not be decreasing. Thus $v w^2 z \notin L(\mathcal{A})$. And $L(\mathcal{A})$ does not satisfy (PL) for the "duration" version. A similar reasoning can be done if $|u| > K$. Thus $L(\mathcal{A})$ does not satisfy the Pumping Lemma Property (PL) for the "length" version. □

In [4] it is proved that the family of languages recognized by timed automata satisfies some Kleene property. In their regular expressions the authors include the intersection. It is not surprising, because a classical Kleene theorem without intersection in regular expressions would easily imply the Pumping Lemma (PL) for languages recognized by timed automata. Nevertheless, using properties established in Section 3 we can elaborate some weak versions which will hold. There is a first version when an iteration can be done increasing the duration of the timed word but conserving its length. We prove that for a sub-family of timed automata, the strict automata, some Pumping Lemma holds. A timed automaton on an alphabet $\Sigma$ is strict if two adjacent locations have different labellings by $\lambda$. Strict timed automata are less expressive, as is proved by the following example. The timed language recognized by the automaton of Figure 2 is $\{a^r \mid r \in (2, +\infty) \cup \{1\} - \{3\}\}$. If a strict automaton recognizes such a language it has a single location, and it is easy to prove that no such strict automaton exists.

Fig. 2. A counter-example [figure not reproduced; only the edge labels (x=1), {x} and (x ...) survive]
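The argument of Proposition 2, checked mechanically on the sample word of Section 2, as an added Python example that is not part of the paper. `in_L1` decides membership in the language of Figure 1 as it is written out in Section 2, and `pumping_fails` verifies that no factorization $u = vwz$ at a letter boundary survives one extra copy of $w$; the mid-letter cases $w = a^r$ and $w = b^r$ are the ones the proof handles by hand. The timed-word encoding and the sample word are constructed.

```python
from fractions import Fraction as F


def normalize(word):
    """A timed word is a list of (letter, exponent); adjacent equal letters merge,
    since a^r a^s denotes the same timed word as a^(r+s)."""
    out = []
    for letter, r in word:
        if r == 0:
            continue
        if out and out[-1][0] == letter:
            out[-1] = (letter, out[-1][1] + r)
        else:
            out.append((letter, r))
    return out


def in_L1(word):
    """Membership in the language of Figure 1 (Section 2): a^r0 b^q0 ... a^rn b^qn with
    r0 = 1, q0 < 1, q_{i-1} + r_i = 1 and r_i + q_i < 1 for n > 0, or a^r0 b^q0 with
    r0 = 1, q0 > 0."""
    w = normalize(word)
    if len(w) < 2 or len(w) % 2 or any(l != "ab"[i % 2] for i, (l, _) in enumerate(w)):
        return False
    exps = [r for _, r in w]
    r, q = exps[0::2], exps[1::2]
    if len(r) == 1:
        return r[0] == 1 and q[0] > 0
    return (r[0] == 1 and q[0] < 1 and
            all(q[i - 1] + r[i] == 1 and r[i] + q[i] < 1 for i in range(1, len(r))))


def pumped_at_boundaries(word, n):
    """All v w^n z for factorizations u = v w z of `word` at letter boundaries, w non-empty."""
    res = []
    for i in range(len(word)):
        for j in range(i + 1, len(word) + 1):
            v, w, z = word[:i], word[i:j], word[j:]
            res.append(normalize(v + w * n + z))
    return res


# Constructed encoding of the paper's sample word a^1 b^0.7 a^0.3 b^0.2 a^0.8 b^0.1.
U = [("a", F(1)), ("b", F(7, 10)), ("a", F(3, 10)), ("b", F(1, 5)), ("a", F(4, 5)), ("b", F(1, 10))]


def pumping_fails(word=U, n=2):
    """Proposition 2 on this word: it is in L, but no boundary factorization pumps."""
    return in_L1(word) and not any(in_L1(p) for p in pumped_at_boundaries(word, n))


if __name__ == "__main__":
    print(pumping_fails())  # True
```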
Lemma 9 If a timed word $u$ is accepted by a strict timed automaton, then the lengths of the runs which accept $u$ are equal, and equal to the length of $u$.

Proof. Due to the fact that the automaton is strict, the length of a run is exactly the length of the word it recognizes. □
We give first a Pumping Lemma (LPL) which holds for languages recognized by strict timed automata. In this version, the iteration increases the duration of the word but conserves its length.

Proposition 3 Pumping Lemma (LPL) Let $L$ be a language recognized by a strict timed automaton $\mathcal{A}$. There exists a constant $K > 0$ such that for every timed word $u \in L$ with duration $d(u) > K|u|$, there exist $v, w \in T(\Sigma)$, $a \in \Sigma$, $r > K$ such that $u = v a^r w$ and $v a^{r'} w \in L$ for every $r' > K$.

Proof. Denote by $K$ the greatest integer appearing in the guards and the invariants of the automaton $\mathcal{A}$. Let $u$ be a word recognized by $\mathcal{A}$ such that $d(u) > K|u|$; $u$ can be written $a_1^{r_1} a_2^{r_2} \cdots a_p^{r_p}$, where $a_i \in \Sigma$, $r_i \in \mathbb{R}^+$, $a_i \ne a_{i+1}$, and every run which accepts $u$ has length equal to $p$. There exists some $i \in \{1, \ldots, p\}$ such that $r_i > K$. Let $\rho$ be an accepting run which recognizes the word $u$; it can be written as $\rho_1 x \rho_2$ where $x$ is some transition with delay $r_i$ from a state $A = (s, v, t)$ to some state $B = (s', v', t + r_i)$, with an edge $e = (s, s', \phi, \delta)$ and $\lambda(s) = a_i$. The main point is that $K$ is the greatest integer appearing in the guards and the invariants of the automaton $\mathcal{A}$. For this reason there is a possible transition $x'$ from $A$ using the edge $e$ and with a delay $r'$, for every $r' > K$. Let $B'$ be the end of this transition. Every clock $c$ has either the value zero in both $B$ and $B'$ (if $c \in \phi$), or a value greater than $K$ in both $B$ and $B'$. Due to this fact, there exists a conjugate $\rho'_2$ of $\rho_2$ starting in $B'$, and since $\rho_1 x \rho_2$ was an accepting run, $\rho_1 x' \rho'_2$ is also an accepting run, and thus $v a^{r'} w \in L$ for every $r' > K$. □

One can formulate another version of the Pumping Lemma, when an iteration can be done in a way that increases (in general) the length of the timed word but conserves its duration.

Proposition 4 Pumping Lemma (DPL) Let $L$ be a language recognizable by a timed automaton $\mathcal{A}$. There exists a constant $K > 0$ such that the following properties hold. For every word $u \in L$ with length greater than $(\lfloor d(u) \rfloor + 1)K$ there exist $v_1, v_2, v_3 \in T(\Sigma)$, $v_2 \ne \varepsilon$, $a \in \Sigma$ and a real $r > 0$ such that:
(1) $u = v_1 v_2 a^r v_3$,
(2) $v_1 (v_2^{1/n})^n a^r v_3 \in L$ for every positive integer $n$,
(3) $v_1 a^{r + d(v_2)} v_3 \in L$.
Proof. Let $K = (|C| + 1)K_0$ be the constant of Proposition 1. Consider a run $\rho$ of the automaton $\mathcal{A}$ which accepts $u$. The length of $\rho$ is at least $(\lfloor d(u) \rfloor + 1)K$, and its duration is $d(u)$. Thus, there is a finite part $\rho'$ of $\rho$ of length $K$ and with duration strictly less than 1. Then we apply Proposition 1 to this run $\rho'$. The run $\rho'$ can be written $\alpha \rho_1 \beta \rho_2 x \gamma \rho_3 \eta$. So $\rho$ is some $\alpha' \alpha \rho_1 \beta \rho_2 x \gamma \rho_3 \eta \eta'$. And $\rho$ recognizes a timed word $v_1 v_2 a^r v_3$ where:
- $v_1$ is the trace of $\alpha' \alpha \rho_1 \beta$,
- $v_2$ is the trace of $\rho_2$,
- $a^r$ is the trace of $x$,
- $v_3$ is the trace of $\gamma \rho_3 \eta \eta'$.
Now, there is some $\alpha \rho_1 \beta x' \gamma' \rho'_3 \eta$ which is equivalent to $\rho'$, so $\alpha' \alpha \rho_1 \beta x' \gamma' \rho'_3 \eta \eta'$ is equivalent to $\rho$ and recognizes the word $v_1 a^{r + d(\rho_2)} v_3$. Recall that the delay of the transition $x'$ is equal to the delay of $x$ plus the duration of $\rho_2$. So $v_1 a^{r + d(v_2)} v_3 \in L$. In the same way, there is a conjugate $x' \gamma' \rho'_3$ of $x \gamma \rho_3$ such that for every positive integer $n$, $\alpha \rho_1 \beta \rho_2^n x' \gamma' \rho'_3 \eta$ is equivalent to $\rho'$. Therefore $\alpha' \alpha \rho_1 \beta \rho_2^n x' \gamma' \rho'_3 \eta \eta'$ is equivalent to $\rho$ and recognizes $v_1 (v_2^{1/n})^n a^r v_3$, and $v_1 (v_2^{1/n})^n a^r v_3 \in L$. □

Remarks
In part (3) of Proposition 4 we cannot claim that $v_1 a^r v_3$ belongs to $L(\mathcal{A})$. That is, we cannot suppress the factor $v_2$ directly; we have to increase the exponent of $a$ at the same time. Part (2) of Proposition 4 claims that if a timed word $u$ is large enough compared to its duration, then some factor $v_2$ of $u$ can be replaced by $(v_2^{1/n})^n$.

Example. We give here an example of application of this Pumping Lemma, to prove that some language cannot be recognized by a timed automaton. Consider the timed language
$L = \{a^{r_0} b^{r_1} a^{r_2} \cdots b^{r_{2n+1}} \mid r_0 > r_1 > \cdots > r_{2n+1},\ n \ge 0\}$.
Suppose that $L$ is recognized by some timed automaton, and let $K$ be the constant of Proposition 4 for this timed automaton. There exist in $L$ words with an arbitrarily great length and simultaneously an arbitrarily small duration. So there is a timed word $u$ in $L$ such that $|u| > K(\lfloor d(u) \rfloor + 1)$. By Proposition 4, $u$ can be written $u = v_1 v_2 x^r v_3$, $x \in \{a, b\}$, $v_2 \ne \varepsilon$, and $v_1 x^{r + d(v_2)} v_3 \in L$, $v_1 (v_2^{1/n})^n x^r v_3 \in L$. But clearly $v_1 x^{r + d(v_2)} v_3 \notin L$, and neither is $v_1 (v_2^{1/n})^n x^r v_3$ if $n \ne 1$. Therefore $L$ cannot be recognized by a timed automaton. Note that this property cannot be used on the untimed language associated to $L$, which is $(ab)^+$ and so is a regular language.

Conclusion
We have proved that languages recognized by timed automata do not satisfy the classical Pumping Lemma Property, but only weaker versions. This result can be used to prove that a language is not recognizable by a timed automaton, by proving that the language does not satisfy this weak Pumping Lemma. We have also used this result to prove that model-checking is decidable for a class of problems formulated in a rather high-level language [7].

Acknowledgments
I thank the anonymous referees for their numerous and sound remarks.
References
1. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994.
2. A. Henzinger and O. Kupferman. From quantity to quality. In Hybrid and Real-Time Systems, Proceedings of HART'97, pages 48-62. Springer Verlag, 1997. Lect. Notes in Comput. Sci., vol. 1201.
3. F. Wang. Parametric timing analysis for real-time systems. Information and Computation, 130:131-150, 1996.
4. E. Asarin, P. Caspi, and O. Maler. A Kleene theorem for timed automata. In IEEE Computer Society, LICS'97, pages 160-171, 1997.
5. T. Wilke. Automaten und Logiken für zeitabhängige Systeme. Ph.D. thesis, Kiel University, 1994.
6. J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.
7. D. Beauquier and A. Slissenko. Decidable model checking for a class of timed automata specified in first order logic. Technical Report 97-11, University Paris-12, Department of Informatics, 1997.
Asynchronous Observations of Processes*
Michele Boreale (1), Rocco De Nicola (2), Rosario Pugliese (2)
(1) Dipartimento di Scienze dell'Informazione, Università di Roma "La Sapienza"
(2) Dipartimento di Sistemi e Informatica, Università di Firenze
Abstract. We study may and must testing-based preorders in an asynchronous setting. In particular, we provide some full abstraction theorems that offer alternative characterizations of these preorders in terms of context closure w.r.t. basic observables and in terms of traces and acceptance sets. These characterizations throw light on the asymmetry between input and output actions in asynchronous interactions and on the difference between synchrony and asynchrony.

1 Introduction
Distributed systems can seldom rely on a global clock, and few assumptions can be made about their relative speed; as a consequence, it is natural to adopt for them an asynchronous communication mechanism. This calls for non-blocking sending primitives that do not oblige producers and consumers to synchronize when exchanging messages, but allow the sender of a message to continue with its task while the message travels to its destination. Therefore, for describing distributed systems, a model based on a paradigm that imposes a neat distinction between input and output primitives, in the style of [1] and [17], appears to be a natural choice. In spite of these considerations, the most studied concurrency models in the process algebra community (e.g. [18, 3, 14, 20]) are based on synchronous communications and model process interaction as the execution of simultaneous "complementary actions". Only recently have variants of process algebras based on asynchronous communications been studied. Two main approaches have been followed to this purpose. They differ in the way (non-blocking) output actions are modelled. These actions are rendered either as state transformers or as processes themselves. The asynchronous variants of ACP [9] and CSP [16] follow the first approach and introduce explicit buffers in correspondence of output channels. This makes outputs non-blocking and immediately executable; their executions make messages available for consumption. The asynchronous variants of π-calculus [15, 6, 12, 2] and CCS [21, 11, 8] follow the second approach and model outputs by creating new concurrent processes. This amounts to modelling an output prefix $\bar{a}.P$ as a parallel composition $\bar{a} \mid P$.

* Work partially supported by EEC: HCM project EXPRESS, and by CNR: project "Specifica ad alto livello e verifica formale di sistemi digitali". The third author has been supported by a scholarship from CNR - Comitato Scienza e Tecnologie dell'Informazione.
The problem of specifying the abstract behaviour of asynchronous processes, i.e. of defining "good" observational semantics, has not yet been investigated in depth. Only a few observational semantics have been considered. The maximal congruence induced by completed trace equivalence has been studied in [9] for asynchronous ACP. Bisimulation [18] for the asynchronous π-calculus has been investigated in [15, 12, 2]. A natural alternative is represented by the testing framework of [10, 13]. Testing offers a uniform mechanism to define sensible behavioural equivalences on different process algebras, as it relies on little more than a notion of reduction relation. Moreover, testing has the advantage of identifying only those processes that cannot be differentiated by running observers in parallel with them. No new operator is introduced, as both the parallel composition operator and the observers are taken from the process description language under investigation. The testing approach has been partially followed in [22], where synchronous processes and observers are connected via input/output queues. This permits asynchronously testing synchronous processes. In this paper we investigate the testing theory for a variety of asynchronous process algebras. For the sake of simplicity, the basic theory will be developed for an asynchronous version of CCS [18] (ACCS); we will then see how the obtained results can be extended with little effort to an asynchronous variant of the π-calculus and to an asynchronous version of CCS with non-injective relabelling. The latter leads to a significantly different theory. We shall study both the may and the must testing preorders. While natural, these preorders rely on a universal quantification over the set of all observers that makes reasoning about processes extremely difficult.
This calls for alternative, observer-independent characterizations that permit a full appreciation of the impact of an asynchronous semantics on the considered languages. For each preorder, we will offer two characterizations: one in terms of the traces/acceptances of processes, the other in terms of the context closure w.r.t. some basic observables, in the same spirit as [5]. As far as basic observables are concerned, we will see that, differently from the synchronous case, the only important actions are the output ones. In particular, for capturing the may preorder, we will need, as basic observables, tests about the possibility of processes to perform specific output actions. For capturing the must preorder, we will need, as basic observables, tests about the guarantee that processes offer of performing specific output actions. The other alternative characterization for the may preorder will be based on sequences of visible actions (traces), while that for the must preorder will rely on pairs (trace, acceptance set) in the same spirit as [13] and [7]. However, the usual trace containment for may is not adequate anymore, and the notion of acceptance set for must is more complicated. We have for both may and must preorders equalities like $a.\bar{a} = 0$. The underlying reason is that, since no behaviour can causally depend upon outputs, observers cannot fully determine the occurrence of process input actions. As a consequence, both for may and for must, the set of traces will have to be factored via the preorder induced by the
three laws below, whose intuition is that whenever a trace $s$ performed by some process is "acceptable" for the environment, then any $s' \preceq s$ is acceptable as well:
- (deletion) $\varepsilon \preceq a$: process inputs cannot be forced;
- (postponement) $sa \preceq as$: observations of process inputs can be delayed;
- (annihilation) $\varepsilon \preceq a\bar{a}$: buffers are not observable.
The extension of the alternative characterizations to the π-calculus is relatively straightforward and vindicates the stability of the approach. The extension to a process description language with non-injective relabelling shows that this operator enables external observers to get more precise information about inputs of asynchronous systems.

The rest of the paper is organized as follows. Section 2 introduces Asynchronous CCS and the testing preorders. Section 3 presents the alternative characterizations based on traces and acceptance sets, while the next section presents those based on basic observables. The extensions to the π-calculus and to CCS with general relabelling are sketched in Section 5. Some concluding remarks are reported in Section 6. Due to space limitations, many proofs will be omitted.

2 Asynchronous CCS
In this section we present the syntax, and the operational and testing semantics, of asynchronous CCS (ACCS, for short). It differs from standard CCS because only guarded choices are used and output guards are not allowed. The absence of output guards "forces" the asynchrony: it is not possible to have processes that causally depend on output actions.

2.1 Syntax
We let $\mathcal{N}$, ranged over by $a, b, \ldots$, be an infinite set of names and $\overline{\mathcal{N}} = \{\bar a \mid a \in \mathcal{N}\}$, ranged over by $\bar a, \bar b, \ldots$, be the set of co-names. $\mathcal{N}$ and $\overline{\mathcal{N}}$ are disjoint and are in bijection via the complementation function $\overline{(\cdot)}$; we define $\bar{\bar a} = a$. We let $\mathcal{L} = \mathcal{N} \cup \overline{\mathcal{N}}$ be the set of visible actions, and let $l, l', \ldots$ range over it. We let $\mathcal{L}_\tau = \mathcal{L} \cup \{\tau\}$, for a distinct action $\tau$, be the set of all actions or labels, ranged over by $\mu$. We shall use $A, B, L, \ldots$ to range over subsets of $\mathcal{L}$, $M$ to range over multisets of $\mathcal{L}$ and $s$ to range over $\mathcal{L}^*$. We define $\bar L = \{\bar l \mid l \in L\}$ and similarly for $\bar M$ and $\bar s$. We let $\mathcal{X}$, ranged over by $X, Y, \ldots$, be a countable set of process variables.

Definition 1. The set of ACCS terms is generated by the grammar:

$$E ::= \bar a \;\mid\; \sum_{i \in I} g_i.E_i \;\mid\; E_1 \mid E_2 \;\mid\; E \setminus L \;\mid\; E\{f\} \;\mid\; X \;\mid\; \mathrm{rec}X.E$$

where $g_i \in \mathcal{N} \cup \{\tau\}$, $I$ is finite and $f : \mathcal{N} \to \mathcal{N}$, called relabelling function, is injective and such that $\{l \mid f(l) \neq l\}$ is finite. We extend $f$ to $\mathcal{L}$ by letting $f(\bar a) = \overline{f(a)}$. We let $\mathcal{P}$, ranged over by $P, Q$, etc., denote the set of closed and guarded terms or processes (i.e. those terms where every occurrence of any agent variable $X$ lies within the scope of some $\mathrm{rec}X.\_$ and $\sum$ operators).
Notation. In the sequel, $\sum_{i \in \{1,2\}} g_i.E_i$ will be abbreviated as $g_1.E_1 + g_2.E_2$, and $\sum_{i \in \emptyset} g_i.E_i$ will be abbreviated as $0$; we will also write $g$ for $g.0$. $\prod_{i \in I} E_i$ represents the parallel composition of the terms $E_i$. We write $\_\{l'_1/l_1, \ldots, l'_n/l_n\}$ for the relabelling operator $\_\{f\}$ where $f(l) = l'_i$ if $l = l_i$, $i \in \{1, \ldots, n\}$, and $f(l) = l$ otherwise. As usual, we write $E[F/X]$ for the term obtained by replacing each occurrence of $X$ in $E$ by $F$ (with possible renaming of bound process variables). Throughout the paper, we will use the structural congruence relation over ACCS processes, $\equiv$, as defined in, e.g., [19] (the unique change with respect to [19] is the addition of some obvious distribution laws for injective relabelling).

2.2 Operational Semantics
The labelled transition system $(\mathcal{P}, \mathcal{L}_\tau, \longrightarrow)$, which characterizes the operational semantics of the language, is given by the rules in Figure 1.

$$\begin{array}{ll}
\text{AR1}\quad \sum_{i \in I} g_i.P_i \xrightarrow{g_j} P_j \;\;(j \in I) &
\text{AR2}\quad \bar a \xrightarrow{\bar a} 0 \\[1ex]
\text{AR3}\quad \dfrac{P \xrightarrow{\mu} P'}{P\{f\} \xrightarrow{f(\mu)} P'\{f\}} &
\text{AR4}\quad \dfrac{P \xrightarrow{\mu} P'}{P \setminus L \xrightarrow{\mu} P' \setminus L}\;\;(\mu \notin L \cup \bar L) \\[2ex]
\text{AR5}\quad \dfrac{P \xrightarrow{\mu} P'}{P \mid Q \xrightarrow{\mu} P' \mid Q} &
\text{AR6}\quad \dfrac{P[\mathrm{rec}X.P/X] \xrightarrow{\mu} P'}{\mathrm{rec}X.P \xrightarrow{\mu} P'} \\[2ex]
\text{AR7}\quad \dfrac{P \xrightarrow{l} P' \qquad Q \xrightarrow{\bar l} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'} &
\end{array}$$

Fig. 1. Operational semantics of ACCS (symmetric of rule AR5 omitted)

As usual, we use $\Longrightarrow$ or $\stackrel{\epsilon}{\Longrightarrow}$ to denote the reflexive and transitive closure of $\xrightarrow{\tau}$, and use $\stackrel{s}{\Longrightarrow}$ (resp. $\stackrel{s}{\longrightarrow}$) for $\Longrightarrow \xrightarrow{l} \stackrel{s'}{\Longrightarrow}$ (resp. $\xrightarrow{l} \stackrel{s'}{\longrightarrow}$) when $s = ls'$. Moreover, we write $P \stackrel{s}{\Longrightarrow}$ for $\exists P' : P \stackrel{s}{\Longrightarrow} P'$ ($P \xrightarrow{l}$ and $P \xrightarrow{\tau}$ will be used similarly). We will call sort of $P$ the set $sort(P) = \{l \in \mathcal{L} \mid \exists s \in \mathcal{L}^* : P \stackrel{sl}{\Longrightarrow}\}$, input (resp. output) successors of $P$ the set $In(P) = \{l \in \mathcal{N} \mid P \stackrel{l}{\Longrightarrow}\}$ (resp. $Out(P) = \{l \in \overline{\mathcal{N}} \mid P \stackrel{l}{\Longrightarrow}\}$), successors of $P$ the set $S(P) = In(P) \cup Out(P)$ and language generated by $P$ the set $L(P) = \{s \in \mathcal{L}^* \mid P \stackrel{s}{\Longrightarrow}\}$. We say that a process $P$ is stable if $P \not\xrightarrow{\tau}$. From now onward, we adopt the following convention: an action declared fresh in a statement is assumed different from any other name and co-name mentioned in the statement. Note that, since for all relabelling operators $f$ we have that $\{l \mid f(l) \neq l\}$ is finite, every ACCS process has a finite sort. The following lemma implies that behaviours do not causally depend on the execution of output actions.

Lemma 2. For any process $P$ and $\bar a \in \overline{\mathcal{N}}$, $P \xrightarrow{\bar a} Q$ implies $P \equiv Q \mid \bar a$.
2.3 Testing Semantics

We are now ready to instantiate the general framework of testing equivalences [10, 13] on ACCS.

Definition 3. Observers are ACCS processes that can also perform a distinct success action $\omega$. $\mathcal{O}$ denotes the set of all the ACCS observers. A computation from a process $P$ and an observer $O$ is a sequence of transitions

$$P \mid O = P_0 \mid O_0 \xrightarrow{\tau} P_1 \mid O_1 \xrightarrow{\tau} P_2 \mid O_2 \cdots P_k \mid O_k \xrightarrow{\tau} \cdots$$

which is either infinite or such that the last $P_k \mid O_k$ is stable. The computation is successful iff there exists some $n \geq 0$ such that $O_n \xrightarrow{\omega}$.

Definition 4. For every process $P$ and observer $O$, we say
- $P$ may $O$ iff there exists a successful computation from $P \mid O$;
- $P$ must $O$ iff each computation from $P \mid O$ is successful.

Definition 5. We define the following preorders over processes:
- $P \sqsubseteq_m Q$ iff for every observer $O \in \mathcal{O}$, $P$ may $O$ implies $Q$ may $O$;
- $P \sqsubseteq_M Q$ iff for every observer $O \in \mathcal{O}$, $P$ must $O$ implies $Q$ must $O$.

We will use $\simeq$ to denote the equivalence obtained as the kernel of a preorder (i.e. $\simeq \;=\; \sqsubseteq \cap \sqsubseteq^{-1}$).
3 Alternative Characterizations of Testing Semantics

The adaptation of the testing framework to an asynchronous setting discussed in the previous section is straightforward, but, like in the synchronous case, universal quantification on observers makes it difficult to work with the operational definitions of the two preorders. This calls for alternative characterizations that will make it easier to reason about processes. These characterizations will be given in terms of the traces and of the acceptance sets of processes.

3.1 A trace ordering

The following ordering over sequences of actions will be used for defining the alternative characterizations of the testing preorders.

Definition 6. Let $\preceq$ be the least preorder over $\mathcal{L}^*$ preserved under trace composition and satisfying the laws in Figure 2.

$$\text{TO1}\quad \epsilon \preceq a \qquad\qquad \text{TO2}\quad la \preceq al \qquad\qquad \text{TO3}\quad \epsilon \preceq a\bar a$$

Fig. 2. Trace Ordering Laws
The intuition behind the three laws in Figure 2 is that, whenever a process interacts with its environment by performing a sequence of actions $s$, an interaction is possible also if the process performs any $s' \preceq s$. To put it differently, if the environment offers $\bar s$, then it also offers any $\bar{s'}$ s.t. $s' \preceq s$. More specifically, law TO1 (deletion) says that process inputs cannot be forced to take place. For example, we have $\bar b c \preceq a \bar b c$: if the environment offers the sequence $\bar a b \bar c$, then it also offers $b \bar c$, as there can be no causal dependence of $b \bar c$ upon the output $\bar a$. Law TO2 (postponement) says that observations of process inputs can be delayed. For example, we have that $\bar b a c \preceq a \bar b c$. Indeed, if the environment offers $\bar a b \bar c$ then it also offers $b \bar a \bar c$. Finally, law TO3 (annihilation) allows the environment to internally consume pairs of complementary actions, e.g. $b \preceq a \bar a b$. Indeed, if the environment offers $\bar a a \bar b$ it can internally consume $\bar a$ and $a$ and offer $\bar b$.

Definition 7. Given $s \in \mathcal{L}^*$, we let $\langle\!\langle s \rangle\!\rangle$ denote the multiset of actions occurring in $s$, and $\langle\!\langle s \rangle\!\rangle_i$ (resp. $\langle\!\langle s \rangle\!\rangle_o$) denote the multiset of input (resp. output) actions in $s$. We let $s \ominus s'$ denote the multiset of input actions $(\langle\!\langle s \rangle\!\rangle_i \setminus \langle\!\langle s' \rangle\!\rangle_i) \setminus \overline{(\langle\!\langle s \rangle\!\rangle_o \setminus \langle\!\langle s' \rangle\!\rangle_o)}$, where $\setminus$ denotes difference between multisets. Intuitively, if $s' \preceq s$ then $s \ominus s'$ is the multiset of input actions of $s$ which have actually been deleted (law TO1), and not annihilated (law TO3), in $s'$. For instance, if $s = a b \bar a c$ and $s' = b$ then $s \ominus s' = \langle\!\langle c \rangle\!\rangle$.

Notation. If $M$ is a multiset of actions, we will write $\prod M$ for denoting $\prod_{l \in M} l$, the parallel composition of all actions in $M$. We shall write $P \stackrel{M}{\Longrightarrow} P'$ if $P \stackrel{s}{\Longrightarrow} P'$ for some sequentialization $s$ of the actions in $M$. When $M$ is a multiset of input actions, with a slight abuse of notation, we will sometimes denote by $M$ also the trace obtained by arbitrarily ordering the elements of $M$ (remember that we work modulo law TO2). We shall write $P \stackrel{s}{\Longrightarrow} P'$ $l$-free if there exists a sequence of transitions $P = P_0 \xrightarrow{\mu_1} P_1 \xrightarrow{\mu_2} \cdots \xrightarrow{\mu_n} P_n = P'$ such that $P_i \not\xrightarrow{l}$ for $0 \leq i < n$ and $s$ is obtained from $\mu_1 \cdots \mu_n$ by erasing the $\tau$'s.
The following is the crucial lemma for the preorder $\preceq$. Its proof relies on Lemma 2 and proceeds by induction on the number of times the laws in Figure 2 are used.

Lemma 8. Let $P$ be a process and $l$ an action and assume $s' \preceq s$. If $P \stackrel{\bar s}{\Longrightarrow} P'$ $l$-free then there exists $P''$ such that $P \stackrel{\bar{s'}}{\Longrightarrow} P''$ $l$-free and $P'' \equiv P' \mid \prod \overline{s \ominus s'}$.²

3.2 The may case

By relying on the trace ordering $\preceq$, we can now define a new preorder that will be proved to be an alternative characterization of the may preorder $\sqsubseteq_m$.

² We remind the reader that $\equiv$ denotes structural congruence.
Definition 9. For processes $P$ and $Q$, we write $P \ll_m Q$ iff whenever $P \stackrel{s}{\Longrightarrow}$ then there exists $s'$ such that $s' \preceq s$ and $Q \stackrel{s'}{\Longrightarrow}$.

The difference with respect to the synchronous case (see, e.g., [10, 13]) is that we require a weaker condition than trace inclusion, by taking advantage of a preorder over single traces. We define below a special class of observers.

Definition 10. Let $s \in \mathcal{L}^*$. The observers $t(s)$ are defined inductively as follows: $t(\epsilon) \stackrel{def}{=} \omega$, $t(\bar a s') \stackrel{def}{=} a.t(s')$ and $t(a s') \stackrel{def}{=} \bar a \mid t(s')$.

The following property can be easily proved relying on Lemma 8.

Proposition 11. For every process $P$ and $s \in \mathcal{L}^*$, $P$ may $t(s)$ iff there exists $s' \in L(P)$ such that $s' \preceq s$.
Theorem 12. For all processes $P$ and $Q$, $P \sqsubseteq_m Q$ iff $P \ll_m Q$.

PROOF: 'Only if' part. Suppose that $P \sqsubseteq_m Q$ and that $s \in L(P)$. We must show that there exists $s' \in L(Q)$ such that $s' \preceq s$. The hypothesis $s \in L(P)$ implies that $P$ may $t(s)$. Since $P \sqsubseteq_m Q$, we infer that $Q$ may $t(s)$. The thesis follows from Proposition 11.
'If' part. Suppose that $P \ll_m Q$ and that $P$ may $O$ for an observer $O$. Then there exists a successful computation with an initial sequence of transitions $P \mid O \Longrightarrow P' \mid O'$ where $O' \xrightarrow{\omega}$. This sequence of transitions may be unzipped into two sequences $P \stackrel{s}{\Longrightarrow} P'$ and $O \stackrel{\bar s}{\Longrightarrow} O'$. The hypothesis $P \ll_m Q$ implies that there exist $s'$ and $Q'$ such that $s' \preceq s$ and $Q \stackrel{s'}{\Longrightarrow} Q'$. By Lemma 8, there exists an observer $O''$ such that $O \stackrel{\bar{s'}}{\Longrightarrow} O''$ and $O'' \equiv O' \mid \prod \overline{s \ominus s'}$. Now, $O' \xrightarrow{\omega}$ implies $O'' \xrightarrow{\omega}$. Hence, the sequence of transitions $Q \mid O \Longrightarrow Q' \mid O''$ can be extended to a successful computation and the thesis is proved. □

By relying on the alternative characterization $\ll_m$ one can easily prove that $\sqsubseteq_m$ is a pre-congruence.

Examples. We show some examples of pairs of processes related by the preorder. All of the relationships can be proven by using the alternative characterization of the preorder, $\ll_m$.
- Since $L(P) \subseteq L(Q)$ implies $P \sqsubseteq_m Q$, all of the relationships for the synchronous may preorder do hold in our setting.
- Since $\epsilon \in L(P)$ for each process $P$, from TO1 and TO3 in Figure 2 we get $a \simeq_m 0$ and $a.\bar a \simeq_m 0$. In particular, from $a \simeq_m 0$ we get $a \simeq_m b$ and $a.b \simeq_m b.a$, which imply that all processes containing only input actions are equivalent to $0$.
- An interesting law is $a.(\bar a \mid b) \simeq_m b$. More generally, we have $a.(\bar a \mid G) \simeq_m G$, where $G$ is an input guarded summation $\sum_{i \in I} a_i.P_i$ (in fact, $a.\bar a \simeq_m 0$ is just a consequence of this law). Guardedness of $G$ is essential: $\bar b \simeq_m a.(\bar a \mid \bar b)$ does not hold (consider the observer $b.\omega$).
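The trace ordering of Figure 2, the difference $s \ominus s'$ of Definition 7 and the alternative may preorder $\ll_m$ of Definition 9 can be checked mechanically on finite terms. The Python program below is an added example (not code from the paper): it encodes the co-name $\bar a$ as "~a", enumerates the language of finite ACCS terms built from output, guarded summation and parallel composition (restriction, relabelling and recursion are left out), computes $\hat s$ by closing a trace under the three laws, and reproduces the may laws listed above.

```python
"""Trace ordering (Fig. 2), s (-) s' (Def. 7) and the alternative may
preorder <<_m (Def. 9), checked on finite ACCS terms.
Added example, not the paper's own code.  Constructed encoding: an input
is a name "a", the co-name a-bar is "~a", the silent action is "tau";
terms are nested tuples built with the constructors below."""
from collections import Counter

NIL = ("0",)
def out(a):          return ("out", a)                 # a-bar
def plus(*branches): return ("sum", tuple(branches))   # guarded summation
def inp(a, p):       return plus((a, p))               # a.P
def tau(p):          return plus(("tau", p))           # tau.P
def par(p, q):       return ("par", p, q)              # P | Q

def is_input(act): return act != "tau" and not act.startswith("~")
def bar(act):      return act[1:] if act.startswith("~") else "~" + act

def step(p):
    """One-step transitions of a finite term (rules AR1, AR2, AR5, AR7)."""
    kind = p[0]
    if kind == "out":
        return [("~" + p[1], NIL)]
    if kind == "sum":
        return list(p[1])
    if kind == "par":
        l, r = p[1], p[2]
        moves = [(a, par(l2, r)) for a, l2 in step(l)]
        moves += [(a, par(l, r2)) for a, r2 in step(r)]
        moves += [("tau", par(l2, r2)) for a, l2 in step(l)
                  for b, r2 in step(r) if a != "tau" and b == bar(a)]
        return moves
    return []

def language(p):
    """L(P) = {s : P ==s==>}, collected by exhaustive exploration."""
    lang, seen, todo = set(), set(), [((), p)]
    while todo:
        s, q = todo.pop()
        if (s, q) in seen:
            continue
        seen.add((s, q)); lang.add(s)
        for a, q2 in step(q):
            todo.append((s if a == "tau" else s + (a,), q2))
    return lang

def one_step_down(s):
    """Traces reachable from s by one law of Fig. 2 applied in a context."""
    res = set()
    for i, x in enumerate(s):
        if not is_input(x):
            continue
        res.add(s[:i] + s[i + 1:])                      # TO1  eps <= a
        if i + 1 < len(s):
            res.add(s[:i] + (s[i + 1], x) + s[i + 2:])  # TO2  l a <= a l
            if s[i + 1] == bar(x):
                res.add(s[:i] + s[i + 2:])              # TO3  eps <= a a-bar
    return res

def down_closure(s):
    """s-hat = {s' : s' <= s}.  Finite, since no law application lengthens s."""
    s = tuple(s); seen, todo = {s}, [s]
    while todo:
        for u in one_step_down(todo.pop()):
            if u not in seen:
                seen.add(u); todo.append(u)
    return seen

def trace_leq(s1, s): return tuple(s1) in down_closure(s)

def ominus(s, s1):
    """s (-) s': inputs deleted by TO1 but not annihilated by TO3 (Def. 7)."""
    ins  = lambda t: Counter(a for a in t if is_input(a))
    outs = lambda t: Counter(a for a in t if not is_input(a))
    annihilated = Counter(bar(a) for a in (outs(s) - outs(s1)).elements())
    return (ins(s) - ins(s1)) - annihilated

def may_leq(p, q):
    """P <<_m Q (Def. 9): every trace of P dominates some trace of Q."""
    lq = language(q)
    return all(any(trace_leq(s1, s) for s1 in lq) for s in language(p))

def may_equiv(p, q): return may_leq(p, q) and may_leq(q, p)

if __name__ == "__main__":
    a, b = inp("a", NIL), inp("b", NIL)
    print(may_equiv(a, NIL), may_equiv(inp("a", out("a")), NIL))   # True True
    print(may_equiv(inp("a", par(out("a"), b)), b))                 # True
    print(may_leq(out("b"), inp("a", par(out("a"), out("b")))))     # False
```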
3.3 The must case

Definition 13.
- Let $P$ be a process and $s \in \mathcal{L}^*$. We write $P \downarrow$, and say that $P$ converges, if and only if there is no infinite sequence of internal transitions $P \xrightarrow{\tau} P_1 \xrightarrow{\tau} P_2 \xrightarrow{\tau} \cdots$ starting from $P$. We write $P \downarrow s$, and say that $P$ converges along $s$, if and only if whenever $s'$ is a prefix of $s$ and $P \stackrel{s'}{\Longrightarrow} P'$ then $P'$ converges. We write $P \uparrow s$, and say that $P$ diverges along $s$, if it is not the case that $P \downarrow s$.
- Let $P$ be a process and $s \in \mathcal{L}^*$. The set of processes $P$ after $s$ is defined by:
$$P \text{ after } s \stackrel{def}{=} \{(P' \mid \prod \overline{s \ominus s'}) : s' \preceq s \text{ and } P \stackrel{s'}{\Longrightarrow} P'\}.$$
- Let $X$ be a set of processes and $L \subseteq_{fin} \overline{\mathcal{N}}$. We write $X$ must $L$ if and only if for each $P \in X$ there exists $\bar a \in L$ s.t. $P \stackrel{\bar a}{\Longrightarrow}$.
In the sequel, given a set of traces $T \subseteq \mathcal{L}^*$, we will let $P \downarrow T$ stand for $P \downarrow s$ for each $s \in T$. Furthermore, we define $\hat s \stackrel{def}{=} \{s' : s' \preceq s\}$.

Definition 14. We set $P \ll_M Q$ iff for each $s \in \mathcal{L}^*$ s.t. $P \downarrow \hat s$ it holds that:
- $Q \downarrow \hat s$, and
- for each $L \subseteq_{fin} \overline{\mathcal{N}}$: $(P \text{ after } s)$ must $L$ implies $(Q \text{ after } s)$ must $L$.

Note that the above definition is formally similar to that for the synchronous case [10, 13]. The difference lies in the definition of the set $P$ after $s$: the latter can be seen as the set of possible states that $P$ can reach after an interaction triggered by the environment offering $\bar s$. In an asynchronous setting, output actions can be freely performed by the environment, without any involvement of the process under consideration. In the definition of $P$ after $s$, these particular output actions represent the "difference" between the behaviour of the environment, $\bar s$, and the actual behaviour of the process, $s'$, that is, $\prod \overline{s \ominus s'}$.

Lemma 15. Let $P$ be any process.
1. If $P$ is stable then $In(P) \cap \overline{Out(P)} = \emptyset$.
2. If $P$ is stable then there exist $P'$ and a unique multiset $M \subseteq_{fin} \overline{\mathcal{N}}$ s.t. $P \equiv P' \mid \prod M$ and $Out(P') = \emptyset$.
3. If $P \xrightarrow{\bar a} P'$ then $S(P') \cup \{\bar a\} \subseteq S(P)$.
When $P$ is stable, we will use $O(P)$ to denote the unique multiset $M$ implicitly defined by part 2 of the above lemma.

Theorem 16. If $P \ll_M Q$ then $P \sqsubseteq_M Q$.

PROOF: Let $O$ be any observer and suppose that $Q$ m̸ust $O$: we show that $P$ m̸ust $O$ as well. We make a case analysis on why $Q$ m̸ust $O$. All cases can be easily reduced to the case of a finite unsuccessful computation, i.e. a sequence of transitions $Q \mid O \Longrightarrow Q' \mid O'$ such that, for some $s$: $Q \stackrel{s}{\Longrightarrow} Q'$, $O \stackrel{\bar s}{\Longrightarrow} O'$ $\omega$-free and $Q' \mid O'$ is stable. Furthermore, we suppose that $P \downarrow \hat s$ and $Q \downarrow \hat s$. From the fact that $Q' \mid O'$ is stable and from Lemma 15(1), we deduce that:

(i) $Out(Q') \cap \overline{In(O')} = \emptyset$; (ii) $In(Q') \cap \overline{Out(O')} = \emptyset$; (iii) $\overline{In(O')} \cap Out(O') = \emptyset$.

We show now how to build an unsuccessful computation for $P \mid O$. Let us define the set of output actions $L \stackrel{def}{=} \overline{In(O')}$ and the multiset of input actions $M \stackrel{def}{=} \overline{O(O')}$ (note that, since $O'$ is stable, this multiset is well defined in virtue of Lemma 15(2)). First, we show that

$$(Q \text{ after } sM) \text{ m̸ust } L. \qquad (1)$$

Indeed, since $s \preceq sM$ and $Q \stackrel{s}{\Longrightarrow} Q'$, we have that $Q' \mid \prod \bar M \in (Q \text{ after } sM)$; furthermore, we have that $Q' \mid \prod \bar M \not\xrightarrow{\tau}$ (from (ii) and $Q' \not\xrightarrow{\tau}$), that $Out(Q') \cap L = \emptyset$ (from (i)) and that $\bar M \cap L = \emptyset$ (from (iii)). From these facts, it follows that $Out(Q' \mid \prod \bar M) \cap L = \emptyset$. This proves (1). Now, from (1) and the definition of $\ll_M$ it follows that $(P \text{ after } sM)$ m̸ust $L$, which means that there are $P'$ and $s' \preceq sM$ such that:

$$P \stackrel{s'}{\Longrightarrow} P' \quad \text{and} \quad Out(P' \mid \prod \overline{sM \ominus s'}) \cap L = \emptyset. \qquad (2)$$

Now, since $O'$ is stable, from Lemma 15(2) it follows that there exists $O''$ such that $O' \equiv O'' \mid \prod \bar M$ and $Out(O'') = \emptyset$. Hence $O' \stackrel{\bar M}{\Longrightarrow} O''$ and therefore $O \stackrel{\overline{sM}}{\Longrightarrow} O''$ $\omega$-free. Since $s' \preceq sM$, from Lemma 8 it then follows that there is $O_1$ such that $O \stackrel{\bar{s'}}{\Longrightarrow} O_1 \equiv O'' \mid \prod \overline{sM \ominus s'}$ $\omega$-free. Combining these transitions of $O$ with $P \stackrel{s'}{\Longrightarrow} P'$ in (2), we get:

$$P \mid O \Longrightarrow P' \mid O_1 \equiv P' \mid O'' \mid \prod \overline{sM \ominus s'} \quad \omega\text{-free}. \qquad (3)$$

To prove that (3) leads to an unsuccessful computation, it suffices to show that $P' \mid O'' \mid \prod \overline{sM \ominus s'} \not\stackrel{\omega}{\Longrightarrow}$. The latter is a consequence of the following three facts:
1. $Out(P' \mid \prod \overline{sM \ominus s'}) \cap \overline{In(O'')} = \emptyset$. This derives from (2) and from $In(O'') \subseteq In(O') = \bar L$ (Lemma 15(3) applied to $O' \stackrel{\bar M}{\Longrightarrow} O''$);
2. $Out(O'') = \emptyset$;
3. $O'' \not\stackrel{\omega}{\Longrightarrow}$ (Lemma 15(3) applied to $O' \stackrel{\bar M}{\Longrightarrow} O''$). □
For proving the converse of the above theorem, we will use two families of observers: the first can be used to test for convergence along the sequences of a given set $\hat s$, and the second to test that a given pair $(s, L)$ is an "acceptance" pair.

Definition 17. Let $s \in \mathcal{L}^*$ and $L \subseteq_{fin} \overline{\mathcal{N}}$. The observers $c(s)$ and $a(s, L)$ are defined by induction on $s$ as follows:

$$\begin{array}{ll}
c(\epsilon) = \tau.\omega & a(\epsilon, L) = \sum_{\bar a \in L} a.\omega \\
c(bs') = \bar b \mid c(s') & a(bs', L) = \bar b \mid a(s', L) \\
c(\bar b s') = \tau.\omega + b.c(s') & a(\bar b s', L) = \tau.\omega + b.a(s', L).
\end{array}$$
Lemma 18. Let $P$ be a process, $s \in \mathcal{L}^*$ and $L \subseteq_{fin} \overline{\mathcal{N}}$. We have:
1. $P$ must $c(s)$ if and only if $P \downarrow \hat s$.
2. Suppose that $P \downarrow \hat s$. Then $P$ must $a(s, L)$ if and only if $(P \text{ after } s)$ must $L$.

PROOF: An easy application of Lemma 8. □

Theorem 19. $P \sqsubseteq_M Q$ implies $P \ll_M Q$.

PROOF: An easy consequence of Lemma 18. □

By relying on $\ll_M$, it is straightforward to show that $\sqsubseteq_M$ is a pre-congruence.
Examples. We give below some meaningful examples of processes that are related (or unrelated) according to the preorder. All the examples are checked relying on the alternative characterization provided by $\ll_M$. In the examples, we shall also refer to the asynchronous bisimilarity³ of [2].
- The process $0$ represents the top element for the family of terms built using only input actions: $a \sqsubseteq_M 0$, but $0 \not\sqsubseteq_M a$; thus $a + b \sqsubseteq_M a$, but $a \not\sqsubseteq_M a + b$.
- Input prefixes can be distributed over summation, i.e. $a.(b + c) \simeq_M a.b + a.c$. This is in sharp contrast with the asynchronous bisimilarity.
- Sequences of inputs can absorb their own prefixes, as in $a.b + a \simeq_M a.b$. This law was also present in [9], but is not valid for asynchronous bisimilarity.
- Like in [2], we have $a.\bar a \simeq_M 0$. This is an instance of the more general law $a.(\bar a \mid G) + G \simeq_M G$, where $G$ is any guarded summation $\sum_{i \in I} g_i.P_i$. Unlike [2], however, the law does not hold for infinite behaviours: $\mathrm{rec}X.(a.(\bar a \mid X)) \not\simeq_M 0$. This is due to the sensitivity of must to divergence: when put in parallel with $\bar a$, $\mathrm{rec}X.(a.(\bar a \mid X))$ diverges, while $0$ does not.

As shown in the examples above, must equivalence and asynchronous bisimilarity are in general incomparable, due to the sensitivity of must to divergence. They are comparable if we consider only strongly convergent processes, i.e. those processes $P$ such that $P \downarrow s$ for each $s$. The crux is given by the following characterization of $\sim$:

Proposition 20. $P \sim Q$ if and only if whenever $P \stackrel{s}{\Longrightarrow} P'$ then there is $s' \preceq s$ s.t. $Q \stackrel{s'}{\Longrightarrow} Q'$ and $P' \sim Q' \mid \prod \overline{s \ominus s'}$, and vice-versa for $Q$ and $P$.

Corollary 21. Let $P$ and $Q$ be strongly convergent processes. Then $P \sim Q$ implies $P \simeq_M Q$.

³ We remind the reader that asynchronous bisimilarity is defined as the maximal equivalence relation $\sim$ s.t. whenever $P \sim Q$ and $P \xrightarrow{\mu} P'$ then: (a) if $\mu = \tau$ then there is $Q'$ such that $Q \Longrightarrow Q'$ and $P' \sim Q'$, (b) if $\mu = \bar a$ then there is $Q'$ such that $Q \stackrel{\bar a}{\Longrightarrow} Q'$ and $P' \sim Q'$, and (c) if $\mu = a$ then there is $Q'$ such that either (i) $Q \stackrel{a}{\Longrightarrow} Q'$ and $P' \sim Q'$, or (ii) $Q \Longrightarrow Q'$ and $P' \sim Q' \mid \bar a$.
4 Basic Observables for Asynchronous Processes

Following [5], we introduce a characterization of the asynchronous may and must preorders in terms of the pre-congruence induced by basic observables. The difference with the synchronous case is that here only output actions are important.

Definition 22. A context is a term $C$ with one free occurrence of a process variable, usually denoted by $\_$. We write $C[P]$ instead of $C[P/\_]$. The context closure $\mathcal{R}^c$ of a given binary relation $\mathcal{R}$ over processes is defined as: $P\, \mathcal{R}^c\, Q$ iff for each context $C$, $C[P]\, \mathcal{R}\, C[Q]$. $\mathcal{R}^c$ enjoys two important properties: (a) $(\mathcal{R}^c)^c = \mathcal{R}^c$, and (b) $\mathcal{R} \subseteq \mathcal{R}'$ implies $\mathcal{R}^c \subseteq \mathcal{R}'^c$. In the following, we will write $\overline{\mathcal{R}}$ for the complement of $\mathcal{R}$.
4.1 The may case

Definition 23. Let $P$ be a process and $\bar a \in \overline{\mathcal{N}}$. We define the following observation predicate over processes: $P \checkmark \bar a$ ($P$ offers $\bar a$) iff $P \stackrel{\bar a}{\Longrightarrow}$. The observation preorder induced by $\checkmark$ is defined as follows: $P \sqsubseteq_\checkmark Q$ iff for each $\bar a \in \overline{\mathcal{N}}$: $P \checkmark \bar a$ implies $Q \checkmark \bar a$.

Of course, the observation preorder is very coarse; a more refined relation can be obtained by closing it under all ACCS contexts. The contextual preorder of $\checkmark$ is just its context closure $\sqsubseteq^c_\checkmark$; the latter is another characterization of $\sqsubseteq_m$.

Theorem 24. For all processes $P$ and $Q$, $P \sqsubseteq_m Q$ iff $P \sqsubseteq^c_\checkmark Q$.

PROOF: We use the alternative characterization $\ll_m$ of $\sqsubseteq_m$.
'Only if' part. From the definition, it is easily seen that $\ll_m$ is contained in $\sqsubseteq_\checkmark$ (note that for each $\bar a \in \overline{\mathcal{N}}$, $s \preceq \bar a$ implies $s = \bar a$). From this fact, by closing under contexts and recalling that $\ll_m$ is a pre-congruence, the thesis follows.
'If' part. Here, we show that $\sqsubseteq^c_\checkmark$ is contained in $\ll_m$. From this fact, and recalling that $\sqsubseteq^c_\checkmark$ is a pre-congruence, the thesis will follow. Assume that $P \sqsubseteq^c_\checkmark Q$ and that $s \in L(P)$, for some $s \in \mathcal{L}^*$. We have to show that there exists $s' \in L(Q)$ such that $s' \preceq s$. Now, let $t'(s)$ be the process defined like the observer $t(s)$ in Definition 10, but with a fresh, standard action $\bar c$ in place of $\omega$. The following fact, where $R$ is any process in which neither $c$ nor $\bar c$ occur, is straightforward to prove by relying on Lemma 8: $(t'(s) \mid R) \checkmark \bar c$ iff there exists $s' \in L(R)$ such that $s' \preceq s$. The thesis is an immediate consequence of this fact. □
4.2 The must case

We introduce below the guarantee predicate, $P\,!\,l$; informally, this predicate checks whether $P$ will always be able to offer a communication on $l$; however, differently from [5], we here only consider output actions.

Definition 25. Let $P$ be a process and $a \in \mathcal{N}$. We write $P\,!\,\bar a$ ($P$ guarantees $\bar a$) if and only if whenever $P \Longrightarrow P'$ then $P' \stackrel{\bar a}{\Longrightarrow}$. The observation preorder induced by $\downarrow$ and $!$ is defined as: $P \sqsubseteq_! Q$ if and only if for each $a$: ($P \downarrow$ and $P\,!\,\bar a$) implies ($Q \downarrow$ and $Q\,!\,\bar a$).

Theorem 26. $P \sqsubseteq_M Q$ if and only if $P \sqsubseteq^c_! Q$.

PROOF: We use the characterization of the must preorder in terms of $\ll_M$.
'If' part. First, note that $P\,!\,\bar a$ if and only if $(P \text{ after } \epsilon)$ must $\{\bar a\}$. Hence, by definition, $\ll_M$ is included in $\sqsubseteq_!$
5 Dealing with Richer Languages

In this section we discuss the extensions of our theory to the asynchronous variant of the π-calculus [15, 6, 12, 2] and to a version of the asynchronous CCS of Section 2 with possibly non-injective relabelling.

5.1 π-calculus

For the sake of simplicity, we confine ourselves to the may preorder. The must preorder requires a more complex notational machinery but also leads to results similar to those for ACCS. A countable set $\mathcal{N}$ of names is ranged over by $a, b, \ldots$. Processes are ranged over by $P$, $Q$ and $R$. The syntax of the asynchronous π-calculus contains the operators for output action, input-guarded summation, restriction, parallel composition, matching and replication:
$$P ::= \bar a b \;\mid\; \sum_{i \in I} a_i(b).P_i \;\mid\; \nu a\, P \;\mid\; P_1 \mid P_2 \;\mid\; [a = b]P \;\mid\; !P.$$

Free names and bound names of a process $P$, written $fn(P)$ and $bn(P)$ respectively, arise as expected; the names of $P$, written $n(P)$, are $fn(P) \cup bn(P)$. Due to lack of space, we omit the definition of the operational semantics (see, e.g., [2]). Recall that transition labels (actions), ranged over by $\mu$, can be of four forms: $\tau$ (interaction), $ab$ (input), $\bar a b$ (output) or $\bar a(b)$ (bound output). Functions $bn(\cdot)$, $fn(\cdot)$ and $n(\cdot)$ are extended to actions as expected: in particular, $bn(\mu) = \{b\}$ if $\mu = \bar a(b)$ and $bn(\mu) = \emptyset$ otherwise. In the sequel, we will write $P \xrightarrow{a(b)} P'$ if $P \xrightarrow{ab} P'$ and $b \notin fn(P)$. The new kind of action $a(b)$ is called bound input; we extend $bn(\cdot)$ to bound inputs by letting $bn(a(b)) = \{b\}$. Below, we shall use $\mathcal{L}$ to denote the set of all visible π-calculus actions, including bound inputs, and let $\theta$ range over it. Given a trace $s \in \mathcal{L}^*$, we say that $s$ is normal if, whenever $s = s'.\theta.s''$ (the dot . stands for trace composition), for some $s'$, $\theta$ and $s''$, then $bn(\theta)$ does not occur in $s'$ and $bn(\theta)$ is different from any other bound name occurring in $s'$ and $s''$. The set of normal traces over $\mathcal{L}$ is denoted by $\mathcal{T}$ and ranged over by $s$. From now on, we shall work with normal traces only. Functions $bn(\cdot)$ and $fn(\cdot)$ are extended to $\mathcal{T}$ as expected. A complementation function on $\mathcal{T}$ is defined by setting $\overline{a(b)} \stackrel{def}{=} \bar a(b)$, $\overline{\bar a b} \stackrel{def}{=} ab$, $\overline{ab} \stackrel{def}{=} \bar a b$ and $\overline{\bar a(b)} \stackrel{def}{=} a(b)$; please notice that $\bar{\bar s} = s$.

$$\begin{array}{lll}
\text{P1} & \epsilon \preceq \theta & \text{if } \theta \text{ is an input action} \\
\text{P2} & s.\theta \preceq \theta.s & \text{if } \theta \text{ is an input action and } bn(\theta) \cap bn(s) = \emptyset \\
\text{P3} & \epsilon \preceq \theta.\bar\theta & \text{if } \theta = ab \text{ or } \theta = a(b) \\
\text{P4} & \bar a c.(s\{c/b\}) \preceq \bar a(b).s &
\end{array}$$

Fig. 3. Rules for the preorder $\preceq$ over $\mathcal{T}$

The definition of $\ll_m$ remains formally unchanged, but the relation $\preceq$ is now the least preorder over $\mathcal{T}$ closed under composition and generated by the rules in Figure 3. Rules P1, P2, P3 are the natural extensions to the asynchronous π-calculus of the rules for ACCS. Here, some extra attention has to be paid to bound names: in the environment, an output declaring a new name (bound output) cannot be postponed after those actions which use the new name (side condition of P2). For an example, consider the actions $\bar a(b)$ and $b(c)$ of $\nu b\,(\bar a b \mid b(c).P)$. Rule P4 is specific to the π-calculus; it is due to the impossibility for observers to fully discriminate between free and bound outputs. Informally, rule P4 states that if $\bar a(c).s$ is "acceptable" for an observer (i.e. leads to success), then $\bar a b.(s\{b/c\})$ would be acceptable as well. Rule P4 would not hold if we extended the language with the mismatching operator $[a \neq b]P$, considered e.g. in [4]. It is worthwhile to note that ruling out matching from the language would not change the discriminating power of observers. The effect of the test $[a = b]O$ can be simulated by the parallel composition $\bar a \mid b.O$.
5.2 ACCS with General Relabelling

A consequence of the presence of non-injective relabelling functions is that observers and contexts become more discriminating. For instance, they lead to $a.\bar a \not\sqsubseteq_M 0$ and $a.\bar a \not\sqsubseteq_m 0$. These can be proved by considering the observer $(\bar b \mid a.\omega)\{a/b\}$. We also have $0 \not\sqsubseteq_M a.\bar a$, which can be proved by considering the observer $(\bar b \mid (\tau.\omega + a))\{a/b\}$. Therefore, the general laws $a.(\bar a \mid G_1) \simeq_m G_1$, where $G_1 = \sum_{i \in I} a_i.P_i$, and $a.(\bar a \mid G_2) + G_2 \simeq_M G_2$, where $G_2 = \sum_{i \in I} g_i.P_i$, are not sound anymore. By means of general relabelling, observers are able to distinguish between the messages they emit and those emitted by the observed processes.

The trace preorder is now defined as the least preorder over $\mathcal{L}^*$ closed under trace composition and satisfying the laws TO1 and TO2 in Figure 2. Notice that if $s' \preceq s$ then $\langle\!\langle s \rangle\!\rangle_o = \langle\!\langle s' \rangle\!\rangle_o$, therefore now we have $s \ominus s' = \langle\!\langle s \rangle\!\rangle_i \setminus \langle\!\langle s' \rangle\!\rangle_i$. The definition of $\ll_m$ remains formally unchanged.

Let us now consider the must preorder. In the following we shall write $s' \approx s$ iff $s' \preceq s$ and $\langle\!\langle s' \rangle\!\rangle = \langle\!\langle s \rangle\!\rangle$, and for $M$ a finite multiset of $\mathcal{L}$ and $L \subseteq_{fin} \mathcal{L}$ we shall write $M \setminus L$ for the multiset $\langle\!\langle l \in M \mid l \notin L \rangle\!\rangle$. The alternative characterization of the $\sqsubseteq_M$ preorder is now the following.

Definition 27. We set $P \ll_M Q$ iff for each $s \in \mathcal{L}^*$ s.t. $P \downarrow \hat s$ it holds that:
a) $Q \downarrow \hat s$, and
b) for each $s' \in \hat s$, for each $L \subseteq_{fin} \overline{\mathcal{N}}$: $(P \text{ after } s'\,(s \ominus s'))$ must $L$ implies $(Q \text{ after } s'\,(s \ominus s'))$ must $L$,

where for any process $R$, $s \in \mathcal{L}^*$ and $M$ multiset of $\mathcal{N}$, we define $R$ after $s\,M$ as

$$\{P' : R \stackrel{s'}{\Longrightarrow} P',\; s' \preceq sM,\; s' \approx s(s' \ominus s),\; In(P') \cap (M \setminus (s' \ominus s)) = \emptyset\}.$$
6 Conclusions

We have examined the impact of the testing framework as proposed in [10, 13] on asynchronous CCS. In particular, we have given three equivalent characterizations of asynchronous testing observational semantics. The first one is given in terms of observers and successful computations, the second relies on sets of traces and acceptances, the third one is defined in terms of basic observables and context closures. We have discussed generalizations of the results to the asynchronous π-calculus and to ACCS with non-injective relabelling. The above mentioned characterizations provide a good starting point for understanding asynchronous semantics and for relating testing semantics to other approaches. The picture would have been more complete with an equational characterization of our semantics; this will be the topic of a forthcoming paper.

Acknowledgments. Three anonymous referees provided valuable suggestions. We are grateful to the Dipartimento di Scienze dell'Informazione of Università di Roma "La Sapienza" and to the Istituto di Elaborazione dell'Informazione in Pisa for making our collaboration possible.
References
1. G. Agha. Actors: a model of concurrent computation in Distributed Systems. MIT Press, Boston, 1986.
2. R.M. Amadio, I. Castellani, D. Sangiorgi. On Bisimulations for the Asynchronous π-calculus. CONCUR'96, LNCS 1119, pp. 147-162, Springer, 1996.
3. J. Bergstra, J.W. Klop. Process Algebra for Synchronous Communication. Information and Control, 60:109-137, 1984.
4. M. Boreale, R. De Nicola. Testing Equivalence for Mobile Systems. Information and Computation, 120:279-303, 1995.
5. M. Boreale, R. De Nicola, R. Pugliese. Basic Observables for Processes. ICALP'97, LNCS 1256, pp. 482-492, Springer, 1997.
6. G. Boudol. Asynchrony in the π-calculus (note). Rapport de Recherche 1702, INRIA Sophia-Antipolis, 1992.
7. S.D. Brookes, C.A.R. Hoare, A.W. Roscoe. A theory of communicating sequential processes. Journal of the ACM, 31(3):560-599, 1984.
8. N. Busi, R. Gorrieri, G-L. Zavattaro. A process algebraic view of Linda coordination primitives. Technical Report UBLCS-97-05, University of Bologna, 1997.
9. F.S. de Boer, J.W. Klop, C. Palamidessi. Asynchronous Communication in Process Algebra. LICS'92, IEEE Computer Society Press, pp. 137-147, 1992.
10. R. De Nicola, M.C.B. Hennessy. Testing Equivalence for Processes. Theoretical Computer Science, 34:83-133, 1984.
11. R. De Nicola, R. Pugliese. A Process Algebra based on Linda. COORDINATION'96, LNCS 1061, pp. 160-178, Springer, 1996.
12. M. Hansen, H. Hüttel, J. Kleist. Bisimulations for Asynchronous Mobile Processes. In Proc. of the Tbilisi Symposium on Language, Logic, and Computation, 1995.
13. M.C.B. Hennessy. Algebraic Theory of Processes. The MIT Press, 1988.
14. C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall Int., 1985.
15. K. Honda, M. Tokoro. An Object Calculus for Asynchronous Communication. ECOOP'91, LNCS 512, pp. 133-147, Springer, 1991.
16. H. Jifeng, M.B. Josephs, C.A.R. Hoare. A Theory of Synchrony and Asynchrony. Proc. of the IFIP Working Conf. on Programming Concepts and Methods, pp. 446-465, 1990.
17. N.A. Lynch, M.R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In 6th ACM Symposium on Principles of Distributed Computing, pp. 137-151, 1987.
18. R. Milner. Communication and Concurrency. Prentice Hall International, 1989.
19. R. Milner. The Polyadic π-calculus: A Tutorial. Technical Report, University of Edinburgh, 1991.
20. R. Milner, J. Parrow, D. Walker. A calculus of mobile processes (Part I and II). Information and Computation, 100:1-77, 1992.
21. R. Pugliese. A Process Calculus with Asynchronous Communications. 5th Italian Conference on Theoretical Computer Science (A. De Santis, ed.), pp. 295-310, World Scientific, 1996.
22. J. Tretmans. A formal approach to conformance testing. Ph.D. Thesis, University of Twente, 1992.
Minor Searching, Normal Forms of Graph Relabelling: Two Applications Based on Enumerations by Graph Relabeiling* Anne Bottreau and Yves M~tivier** LaBRI, Universit~ Bordeaux I, ENSERB 351 cours de la Liberation 33405 Talence cedex FRANCE {bot~reau,metivier}~labri.u-bordeaux.fr, fax:(+33) 05 56 84 66 69 A b s t r a c t : Thi~ paper deals with graph relabelling introduced in LMSgS. Our first result coneerns the open problem of searching a graph o~ a minor in a graph with a distinguished verta% by means of graph relabellings. We give and prove a graph renn'iting system which answers to this problem. Secondly we define and study normal forms of graph relabeUings. We prove that any graph re,n'itin9 system can be simulated by a system in k-normal farm (with an integer k depending on the original system). Proofs for both results are linked by the enumeration systems they used. K e y - w o r d s : Local computations, graph relabellin9, enumerations, paths, minor, normal form of graph reun'itings. Introduction Graph rewriting systems have been introduced in LMS95 as a suitable tool for expressing distributed algorithms on a network of communicating processors. In that model a network is considered as a labelled graph whose vertices stand for processors and edges stand for communication links. Vertex labels hold for the states of processors and edge labels for the states of communication links. A computation in a network then corresponds to a sequence of labels transformations leading to a final labelled graph. A computation step on a labelled graph consists in relabelling a connected subgraph, using a graph rewriting rule. Given a vertex in the graph, the computation of its new state depends on its current state and on the states of its neighbours. In that way graph rewritings are an example of local computations. Among models related to our model there are the local computations defined by Rosensthiel and al. 
RFH72, Angluin Ang80, and more recently by Yamashita and Kameda YK96a, YK96b. In RFH72 a synchronous model is considered, where vertices represent identical deterministic finite automata. The basic computation step is to compute the next state of each processor according to its state and the states of its neighbours. In Ang80 an asynchronous model is considered. A computation step means that two adjacent vertices exchange their labels and then compute new ones. In YK96a, YK96b an asynchronous model is studied where a basic computation step means that a processor either changes its state and then sends a message, or receives a message. Our model is an asynchronous model too. Limitations of our formalism have been discussed in LMZ95 and BM96. Some graph properties have been proved to be unrecognizable by local computations. On the other side, the power of graph rewriting has been studied in LM93, LMS95. It has more particularly concerned the definition of different classes of graph rewriting systems. Moreover the authors dealt with graphs with a distinguished vertex (also called 1-graphs in Cou90), showing that graph rewritings are powerful on this kind of graph. In CM94, it has been proved that we cannot decide whether or not a fixed graph is included as a minor in a given graph by means of local computations. This problem remained open for 1-graphs. In this paper we prove that searching a minor can be done by graph rewritings on 1-graphs
* This work has been supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the University of Bordeaux.
** Member of the Institut universitaire de France.
(Theorem 1): given a graph H, there is a graph rewriting system with priority which verifies if H is a minor of G where G is a 1-graph. We describe a system with a finite number of rules and labels depending on H. The number of rules is given by a polynomial function of the number of edges and the number of vertices of H, whereas the number of labels is given by an exponential function in the number of vertices of H. Given a positive integer k we define that a rewriting system is in k-normal form if each rule only rewrites a path of length bounded by k - 1. In this paper we prove that graph rewriting systems with priority can be normalized in k-normal form, for a convenient integer k depending on the original system. From any graph rewriting system R we use systems of enumeration so as to obtain a graph rewriting system with priority in k-normal form which has the same behaviour as R (Theorem 2). The paper is organized as follows. The first section reviews the definitions related to graph rewriting. In the second part we present systems of enumeration (m-enumeration and enumeration of simple paths). The third part is devoted to the subgraph and minor searchings. Finally, in Section 4, we present the notion of k-normal form and we explain our method for the normalization of graph rewriting systems.
1 Graph rewriting
All graphs considered in this paper are finite, undirected and simple (i.e. without multiple edges and self-loops). A graph G denoted (V(G), E(G)) is defined by a finite vertex-set and a finite edge-set. An edge with end-points v and v' is denoted {v, v'}. If v is a vertex of a graph G, the degree of v is denoted $deg_G(v)$ and the neighbourhood of v in G is denoted $N_G(v)$. The subscript G is omitted when there is no ambiguity.
1.1 Labelled graphs
Our work deals with labelled graphs over an alphabet usually denoted L. A labelled graph over L is a couple $(G, \lambda)$ where G is a connected graph, and $\lambda$ is a mapping of $V(G) \cup E(G)$ in L. This function is called the labelling function of the graph. Two labelled graphs are isomorphic if the underlying graphs are isomorphic and if the labellings are preserved. An injection $\theta$ of V(G) in V(G') is an occurrence of $(G, \lambda)$ in $(G', \lambda')$ if, for any vertices x and y of V(G):
$$\{x, y\} \in E(G) \Rightarrow \{\theta(x), \theta(y)\} \in E(G'), \qquad \lambda(x) = \lambda'(\theta(x)), \qquad \lambda(\{x, y\}) = \lambda'(\{\theta(x), \theta(y)\}).$$
The graph $(\theta(G), \lambda')$ having $\theta(V(G))$ as vertex-set and $\{\{\theta(x), \theta(y)\} \mid \{x, y\} \in E(G)\}$ as edge-set is a subgraph of $(G', \lambda')$. If the graph $(\theta(G), \lambda')$ is an induced subgraph of $(G', \lambda')$, $\theta$ is an induced occurrence of $(G, \lambda)$ in $(G', \lambda')$. Let $\theta$ be an occurrence of $(G, \lambda)$ in $(H, \nu)$ and $\theta'$ an occurrence of $(G', \lambda')$ in $(H, \nu)$; $\theta$ and $\theta'$ are disjoint if the corresponding subgraphs are disjoint, which is denoted $\theta \cap \theta' = \emptyset$.
1.2 Graph rewriting system
A rewriting rule r is a couple $\{(G_r, \lambda_r), (G_r, \lambda'_r)\}$ of two connected labelled graphs having the same underlying graph. Formally we define such a rule as a triplet:
Definition 1 A graph rewriting rule r is a triplet $(G_r, \lambda_r, \lambda'_r)$ where $G_r$ is a connected graph, $\lambda_r$ the initial labelling function and $\lambda'_r$ the final labelling function.
A rewriting rule r is applicable to a labelled graph $(G, \lambda)$ if there exists an occurrence $(G_1, \lambda_1)$ of $(G_r, \lambda_r)$ in $(G, \lambda)$. This will be denoted by $(G, \lambda) \rightarrow (G, \lambda')$ with $\lambda'$ equal to $\lambda$ except on $G_1$, where it is equal to $\lambda'_r$.
Definition 2 A graph rewriting system R (GRS for short) is a triplet R = (L, I, P) where $L = L_v \cup L_e$ is a set of labels, $I = I_v \cup I_e$ is the set of initial labels ($I_v \subset L_v$ and $I_e \subset L_e$), and P the set of graph rewriting rules. If a rule r of a graph rewriting system R can be applied onto a labelled graph $(G, \lambda)$, then we write $(G, \lambda) \rightarrow_R (G, \lambda')$ where $\lambda'$ is equal to $\lambda$ except on the rewritten part of the graph. Consider a GRS R = (L, I, P) and a labelled graph $(G, \lambda_0)$ where $\lambda_0$ is a labelling function over I.
Definition 3 A rewriting sequence of length n, coming from $(G, \lambda_0)$ by means of R, is defined as the sequence of labelled graphs $(G, \lambda_i)_{0 \le i \le n}$ [...] same time, but we do not demand all of them to be done.
Definition 4 Given a rewriting sequence $(G, \lambda_i)_{0 \le i \le n}$ [...] the history of a vertex x is
$$h_n(x) = \lambda_{i_0}(x)\,\lambda_{i_1}(x) \cdots \lambda_{i_k}(x),$$
with $i_0 = 0$, $i_0$ [...] $(G, \lambda_{i_k})$.
Given a graph rewriting system R, the reflexive and transitive closure of $\rightarrow_R$ is denoted $\xrightarrow{*}_R$.
Definition 5 An irreducible graph with respect to a GRS R is a labelled graph to which no rule is applicable. Given a labelled graph $(G, \lambda)$ over I, we denote $Irred_R((G, \lambda))$ the set of irreducible graphs coming from $(G, \lambda)$:
$$Irred_R((G, \lambda)) = \{(G, \lambda') \mid (G, \lambda) \xrightarrow{*}_R (G, \lambda') \text{ and } (G, \lambda') \text{ irreducible with respect to } R\}.$$
Definition 6 A GRS R = (L, I, P) is called noetherian if there doesn't exist any infinite rewriting sequence coming from a graph labelled over I.
A graph rewriting system where the set of rules is given with a partial order is called a graph rewriting system with priority (PGRS for short). The partial order defined on the set of rules is denoted <; the applicability of the rules of such a system is defined in the following way. Let R be a PGRS, r a rule of this system, and $(G, \lambda)$ a labelled graph. The rule r is applicable to an occurrence $\theta$ of $(G_r, \lambda_r)$ in $(G, \lambda)$ if there doesn't exist in $(G, \lambda)$ any occurrence $\theta'$ of $(G_{r'}, \lambda_{r'})$ with r' > r which overlaps $\theta$.
Example 1 Let us consider the following PGRS with two rules, R1 and R2, with R1 > R2.
[Rule diagrams for R1 and R2: not reproduced.]
The order defined on the set of rules has the following meaning: the rule R2 is applicable to an occurrence $\theta$ if and only if there is no occurrence of R1 overlapping $\theta$. This system labels vertices and edges in order to form a spanning tree.
A graph rewriting rule with forbidden contexts is a pair $(r, \mathcal{F})$ where r is a rewriting rule $(G_r, \lambda_r, \lambda'_r)$ and $\mathcal{F}$ is a finite family of pairs $\{((G_i, \lambda_i), \theta_i)\}_{i \in I}$, with $(G_i, \lambda_i)$ a labelled graph (called forbidden context) and $\theta_i$ an occurrence of $(G_r, \lambda_r)$ in $(G_i, \lambda_i)$. The forbidden contexts of such a rule are used as follows: let $(r, \mathcal{F})$ be a graph rewriting rule with forbidden contexts, and let $\theta$ be an occurrence of $(G_r, \lambda_r)$ in a graph $(G, \lambda)$. The rule $(r, \mathcal{F})$ is applicable to $\theta$ if there doesn't exist, for any i, an occurrence $\theta'_i$ of $(G_i, \lambda_i)$ such that $\theta'_i \circ \theta_i = \theta$. Such rules define graph rewriting systems with forbidden contexts (FCGRS for short).
2 Some enumeration problems solved by graph rewriting systems
Several graph rewriting systems exist for the computation of a spanning tree on a labelled graph with a distinguished vertex. Such a computation is done thanks to labelling. A set of edges is labelled so that it forms a spanning tree of the graph in which the root is the distinguished vertex. Given such a labelled graph, there exists a graph rewriting system with priority which allows depth-first traversals of the tree. Such a PGRS has been introduced in LMS95. In this section we recall a well-known PGRS for the enumeration of m-tuples of vertices and we introduce a new PGRS for the enumeration of simple paths. These graph rewriting systems use a PGRS for the computation of a spanning tree which we call $R_{span}$ and a PGRS for the traversal of a tree which we call $R_{trav}$.
2.1 m-enumeration
In LMS95, it was proved that enumerating all the m-tuples of vertices of a labelled graph can be done by means of a graph rewriting system. Without going into further details, we recall how this system runs. We consider labelled graphs with a distinguished vertex. Firstly, $R_{span}$ is used on such a labelled graph in order to obtain a spanning tree (by labelling). This enumeration uses m traversals of the spanning tree in order to obtain an m-tuple $(x_1, x_2, \ldots, x_m)$. Then, given an m-tuple $(x_1, x_2, \ldots, x_m)$, a new traversal is started so as to obtain a new m-tuple $(x_1, x_2, \ldots, y)$ with $y \neq x_m$. This process is repeated until we can't find any vertex y for this last position. Then we start new traversals by changing the two last vertices of the m-tuple, and so on until there is no vertex left to be the first vertex of an m-tuple. Thus this graph rewriting system is based on the system $R_{trav}$. The labels of the enumeration system are made up of three components:
- a label issued from the traversal system.
- a label of the set {Search, Return, Reset, Stop} with the following meaning:
  • Search: a vertex is searched.
  • Return: a vertex has been found.
  • Reset: the current m-tuple is modified.
  • Stop: the enumeration is done.
- an m-tuple of labels such that the label in position i gives information about the position of the vertex in the current m-tuple. There are three different values:
  • 0: the vertex is not the i-th vertex of the current m-tuple.
  • 1: the vertex is the i-th vertex of the current m-tuple.
  • T: the vertex was the i-th vertex of all the m-tuples having the same first i - 1 components.
The system has a finite number of rules ($\#rules_{enum} = O(m)$) and a finite number of labels ($\#labels_{enum} = O(m \cdot 2^m)$).
2.2 Enumeration of simple paths
In a connected labelled graph, we consider the simple paths coming from a source vertex to a target vertex. Our aim is to enumerate all these simple paths by means of graph rewritings. To this end, we encode a graph rewriting system which labels these paths one by one. Each path is encoded by labels on its vertices and edges. We consider that the source vertex is labelled Search and the target vertex is labelled Ending.
Description We work on a connected labelled graph G. We denote by I the Search-labelled vertex of G. We denote by J the Ending-labelled vertex. At the beginning, no edge is labelled. We start on I. We mark a simple path from I to J, by labelling the edges and the vertices used in the path (the labels are $E_{IJ}$ and $V_{IJ}$). When we have a path, backtracking is used in order to change the last edge and to look for a new path. So we keep the same prefix of the path, we just change the last edge. We go on until we have tried all the possibilities from the vertex I. Let us now describe a graph rewriting system encoding this algorithm. Let $Y \in \{Ending, \varepsilon\}$ where $\varepsilon$ designates the empty word, that is to say "no label".
Graph rewriting system with priority $R_{enum,P}(I, J)$
• The first rule allows the traversal to go on. We label the vertex and the edge which we put in the path we are building.
Rule RE1 (priority 1; labels Search, $V_{IJ}$, $E_{IJ}$): diagram not reproduced.
If we reach the Ending-labelled vertex, then we have found a simple path coming from I:
Rule RE2 (priority 2; labels Search, Ending, $V_{IJ}$, Found, $E_{IJ}$): diagram not reproduced.
As we have a simple path, we use backtracking in order to search another path. We label this edge with $\bar{E}_{IJ}$ so that we won't use it in a new path with the same prefix.
Rule RE3 (priority 1; labels $V_{IJ}$, Found, $E_{IJ}$, Search, Ending, $\bar{E}_{IJ}$): diagram not reproduced.
If there are no unlabelled edges incident to the Search-labelled vertex, then there are no paths with this prefix anymore. We have to change this prefix:
Rule RE4 (priority 0; labels Search, Clean): diagram not reproduced.
We erase the labels $\bar{E}_{IJ}$ from the edges incident to the Clean-labelled vertex:
Rule RE5 (priority 2; labels Clean, Y, $\bar{E}_{IJ}$): diagram not reproduced.
When the cleaning mode is done, we start a backtrack:
Rule RE6 (priority 1; labels Clean, Back): diagram not reproduced.
We go back from the vertex labelled Back (the edge labelled $E_{IJ}$ and incident to the Back-labelled vertex changes its label). Then we start a new search of a path:
Rule RE7 (priority 1; labels $V_{IJ}$, Back, Search): diagram not reproduced.
When we can no longer backtrack, the enumeration is done.
Rule RE8 (priority 0; labels Back, End): diagram not reproduced.
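The rules RE1 to RE8 above, run by a small priority-driven rewriting interpreter: an added example in Python, not code from the paper. Since the rule diagrams are not reproduced on the page, the left- and right-hand sides encoded in RULES are assumptions reconstructed from the prose and from Invariants 1 to 4; the scheduler applies one occurrence per step, and an occurrence is blocked whenever a higher-priority rule has an overlapping occurrence, which is the PGRS semantics of Section 1.

```python
# Added example (not from the paper): interpreter for a graph rewriting system
# with priority, instantiated with the eight rules RE1..RE8 of R_enum,P.
# The label changes below are an assumption reconstructed from the text.
EPS = None  # the empty label epsilon ("no label")


class LabelledGraph:
    """Finite, undirected, simple graph with vertex and edge labels."""

    def __init__(self, edges):
        self.adj = {}
        for u, v in edges:
            self.adj.setdefault(u, set()).add(v)
            self.adj.setdefault(v, set()).add(u)
        self.vl = {v: EPS for v in self.adj}                    # vertex labels
        self.el = {frozenset((u, v)): EPS for u, v in edges}     # edge labels

    def edge_label(self, u, v):
        return self.el[frozenset((u, v))]

    def set_edge_label(self, u, v, label):
        self.el[frozenset((u, v))] = label


def vertex_occurrences(g, lx):
    """Occurrences of the one-vertex pattern x:lx (a 2-normal form rule)."""
    return [(x,) for x in sorted(g.adj) if g.vl[x] == lx]


def edge_occurrences(g, lx, le, ly):
    """Occurrences of the pattern x:lx --{x,y}:le-- y:ly; ly lists the labels allowed for y."""
    return [(x, y) for x in sorted(g.adj) if g.vl[x] == lx
            for y in sorted(g.adj[x]) if g.vl[y] in ly and g.edge_label(x, y) == le]


def relabel(g, occ, lx, le=EPS, ly=EPS):
    """Right-hand side of a rule: new labels for x, for the edge {x,y} and for y."""
    g.vl[occ[0]] = lx
    if len(occ) == 2:
        g.set_edge_label(occ[0], occ[1], le)
        g.vl[occ[1]] = ly


# (name, priority, occurrence finder, relabelling); a larger number is a higher priority
RULES = [
    ("RE1", 1, lambda g: edge_occurrences(g, "Search", EPS, (EPS,)),
               lambda g, o: relabel(g, o, "VIJ", "EIJ", "Search")),       # extend the path
    ("RE2", 2, lambda g: edge_occurrences(g, "Search", EPS, ("Ending",)),
               lambda g, o: relabel(g, o, "VIJ", "EIJ", "Found")),        # a path to J is found
    ("RE3", 1, lambda g: edge_occurrences(g, "VIJ", "EIJ", ("Found",)),
               lambda g, o: relabel(g, o, "Search", "EbarIJ", "Ending")), # last edge marked tried
    ("RE4", 0, lambda g: vertex_occurrences(g, "Search"),
               lambda g, o: relabel(g, o, "Clean")),                      # prefix exhausted
    ("RE5", 2, lambda g: edge_occurrences(g, "Clean", "EbarIJ", ("Ending", EPS)),
               lambda g, o: g.set_edge_label(*o, EPS)),                   # erase tried marks
    ("RE6", 1, lambda g: vertex_occurrences(g, "Clean"),
               lambda g, o: relabel(g, o, "Back")),                       # start a backtrack
    ("RE7", 1, lambda g: edge_occurrences(g, "VIJ", "EIJ", ("Back",)),
               lambda g, o: relabel(g, o, "Search", "EbarIJ", EPS)),      # go back one edge
    ("RE8", 0, lambda g: vertex_occurrences(g, "Back"),
               lambda g, o: relabel(g, o, "End")),                        # cannot backtrack
]


def pgrs_step(g):
    """Apply one rule.  An occurrence is applicable only if no occurrence of a
    higher-priority rule overlaps it.  Returns the rule name, or None if irreducible."""
    occs = [(name, prio, o, apply) for name, prio, find, apply in RULES for o in find(g)]
    for name, prio, o, apply in occs:
        if not any(p2 > prio and set(o) & set(o2) for _, p2, o2, _ in occs):
            apply(g, o)
            return name
    return None


def current_path(g, source):
    """Read the E_IJ-labelled edges from I (Invariant 2: they form a simple path)."""
    path, prev = [source], None
    while True:
        nxt = [y for y in sorted(g.adj[path[-1]])
               if y != prev and g.edge_label(path[-1], y) == "EIJ"]
        if not nxt:
            return tuple(path)
        prev, path = path[-1], path + nxt[:1]


def enumerate_simple_paths(edges, source, target, max_steps=10**6):
    """Run R_enum,P(I, J) on the graph; every application of RE2 yields one path."""
    g = LabelledGraph(edges)
    g.vl[source], g.vl[target] = "Search", "Ending"  # the initial labelling lambda_0
    paths = []
    for _ in range(max_steps):
        rule = pgrs_step(g)
        if rule is None:
            break
        if rule == "RE2":
            paths.append(current_path(g, source))
    return paths, g
```

On the constructed graph with edges {0,1}, {0,2}, {1,2}, {1,3}, {2,3} and I = 0, J = 3, the run finds the four simple paths exactly once each and ends with I labelled End and every edge unlabelled, as Proposition 1 describes.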
Invariants and properties Let G be a connected graph. The initial labelling function $\lambda_0$ of G is defined by:
$$\lambda_0(I) = Search, \qquad \lambda_0(J) = Ending, \qquad \forall x \in V(G) \cup E(G) \setminus (\{I\} \cup \{J\}),\ \lambda_0(x) = \varepsilon.$$
Let L be the set of labels: L = {Search, Found, Ending, Clean, Back, End}. We say that L is the set of active labels. Let $\Lambda$ be the set of labels of the whole system: $\Lambda = \{\varepsilon, V_{IJ}, E_{IJ}, \bar{E}_{IJ}\} \cup L$. From now on we consider a connected graph G with an initial labelling function $\lambda_0$ (as we defined it before). We consider a rewriting sequence $(G_i)_{i \ge 0}$ (1) obtained by the application of $R_{enum,P}$ on $(G, \lambda_0)$. In order to prove the termination and the validity of our system, we give some properties of $R_{enum,P}$. The easy proofs of the four following invariants will be omitted.
(1) $G_i$ stands for $(G, \lambda_i)$.
Invariant 1 $\forall i \ge 0$, there exists only one vertex x in $G_i$ such that $\lambda_i(x) \in L \setminus \{Ending\}$.
We denote this vertex $x_L$. An unlabelled edge cannot receive $E_{IJ}$ as a label if its end-points are labelled $V_{IJ}$ (RE1).
Invariant 2 $\forall i \ge 0$, the set of edges labelled $E_{IJ}$ in $G_i$ forms a simple path from I to $x_L$. We denote this simple path $C_i(x_L)$.
Invariant 3 $\forall i \ge 0$, any vertex x labelled $V_{IJ}$ by $\lambda_i$ is on the path $C_i(x_L)$.
Invariant 4 $\forall i \ge 0$, let a be an edge of G such that $\lambda_i(a) = \bar{E}_{IJ}$. The edge a is incident to only one vertex of $C_i(x_L)$. We denote this vertex by $x_a$ and we denote by $C_i(a)$ the prefix of $C_i(x_L)$ from I to $x_a$.
Let P be a simple path and e an edge incident to an end-point of P; (P.e) denotes the path obtained by extending P by the edge e.
Invariant 5 Let $i \ge 0$, let a be an edge of G with $\lambda_i(a) = \bar{E}_{IJ}$. $\forall k \ge i$, one of the following propositions is true:
(i) $\lambda_k(a) = \bar{E}_{IJ}$;
(ii) $\lambda_k(a) \neq \bar{E}_{IJ}$, and there is a vertex x of $C_i(a)$ such that $\lambda_k(x) \in \{Clean, Back, End\}$;
(iii) $\lambda_k(a) \neq \bar{E}_{IJ}$, $C_i(a)$ is no longer a prefix of $C_k(x_L)$ and there is an edge b of G such that $\lambda_k(b) = \bar{E}_{IJ}$ and such that $(C_k(b).b)$ is a prefix of $C_i(a)$.
Proof The proof is rather technical and not detailed here. We use an induction on k, starting with k = i.
Consider a vertex x, labelled Search after i steps of rewriting; then the vertices which are labelled $V_{IJ}$ are not concerned by the rewritings as long as x is not labelled Back. The history of x, $h_i(x)$, concerning the sequence of rewriting of length i, is the prefix of all the histories of x concerning any sequence of length j, for j > i. We denote $h_j(x) = h_i(x)\, m_{ij}(x)$, and we state that:
Property 1 Let $x \in V(G)$ and $i \ge 0$ such that $h_i(x)$ ends with Search. For any vertex x' of V(G) which has a history $h_i(x')$ ending with $V_{IJ}$, and for all j, j > i, such that $m_{ij}(x)$ doesn't contain Back, the vertex x' keeps the same history: $h_j(x') = h_i(x')$.
We denote by $S(G_i, x)$ the subgraph of $G_i$ induced by the vertices labelled $\varepsilon$ or Ending which are connected to x by simple paths made of unlabelled edges. This connected subgraph contains
Lemma 1 For any vertex x of G, for any positive integer i such that $h_i(x) = Search$, there is j, j > i, such that the three following propositions are true:
i) $\lambda_j(x) = Clean$ and $m_{ij}(x)$ doesn't contain Back.
ii) The subgraphs $S(G_i, x)$ and $S(G_j, x)$ are isomorphic.
iii) The rewriting sequence from $G_i$ to $G_j$ allowed to enumerate all the simple paths of $S(G_j, x)$ starting at x and finishing on the vertex labelled Ending, if this vertex is in the subgraph.
Proof By induction on the number of edges of G.
Proposition 1 The graph rewriting system $R_{enum,P}$ is noetherian for any connected graph G given with an initial labelling function $\lambda_0$ as it has been previously defined.
Proof Consider a connected graph G, with an initial labelling function $\lambda_0$ such that: $\exists x \in V(G)$, $\lambda_0(x) = Search$. Lemma 1 is applicable to G with x and the initial labelling: $\exists j \ge 0$ such that $\lambda_j(x) = Clean$, $m_{0j}(x)$ doesn't contain Back, and such that the subgraphs $S(G_0, x)$ and $S(G_j, x)$ are equal. On $G_j$, we can apply the rules RE6, RE7 and then RE8, and we have after these two steps of rewriting: $\lambda_{j+2}(x) = End$, and $\forall y \in (V(G) \setminus \{x\}) \cup E(G)$, $\lambda_{j+2}(y) = \varepsilon$. Eventually, no more rules are applicable to $G_{j+2}$.
Proposition 2 On any connected graph G given with an initial labelling function $\lambda_0$ such that one vertex is Search-labelled and another one is Ending-labelled, the system $R_{enum,P}$ enumerates all the simple paths having these two singular vertices as end-points.
Proof The proof directly comes from Lemma 1 applied to the graph G with the labelling function $\lambda_0$.
Our system $R_{enum,P}$ has a constant number of rules and a constant number of labels.
3 Subgraph and minor searching
In the previous section we introduced two systems encoding two different kinds of enumeration. Our purpose is now to present a first application of these two systems: the m-enumeration is used so as to verify if a connected labelled graph contains a connected labelled graph H as a subgraph, and the enumeration of simple paths is used in order to verify if a connected labelled graph contains a connected labelled graph H as a minor.
3.1 Subgraph searching
We consider a connected labelled graph H with m vertices. We know that we are able to enumerate all the m-tuples of vertices of any graph G with an appropriate labelling function, thanks to a graph rewriting system with priority. Given an m-tuple of vertices of G, it's rather easy to associate each vertex to a vertex of H. Thus, we just have to check if this mapping is a good one. Our graph rewriting system works in two parts of computation:
First part It consists in enumerating all the m-tuples of vertices of G. So, we use the PGRS $R_{enum}$ defined in LMS95. When an m-tuple is found (we use a label $Found_m$ when we find the last vertex of the m-tuple), the second part has to start. If we can't find H as a subgraph thanks to this m-tuple, then we have to change it, i.e. to resume the m-enumeration. If the end of the m-enumeration is reached, then H isn't a subgraph of G.
Second part It consists in checking that the mapping of the vertex-set V(H) into the m-tuple of G is an isomorphism between H and a subgraph of G having the m-tuple as vertex-set. Let us describe how we solve this problem by means of a graph rewriting system $R_{cont}$. First, we use a graph traversal to label the j-th vertex of the m-tuple with the degree of the j-th vertex of H. Then, using another graph traversal, we just have to check if for any edge {i, j} in H there is in G an edge linking the j-th and i-th vertices of the m-tuple. Then we use another graph traversal in order to verify if every edge has been found (partial subgraph) and if there isn't any other edge between vertices of the m-tuple (induced subgraph). Thus at the end of such a traversal, either the last vertex of the m-tuple is labelled Fail or the root of the spanning tree is labelled Win. In the first case, the m-enumeration has to resume. In the second case, the rewriting has to be stopped.
These parts are realized by means of graph rewriting systems with priority. Our general system, called $R_{subgraph}$, is the result of the composition of $R_{enum}$ LMS95 (with a weak modification) and $R_{cont}$ introduced and proved in Bot97. For the sake of brevity we shan't give this system in detail. For such a composition we use couples of labels. The first component concerns the m-enumeration. The second component concerns the subgraph's checking. We consider that such a system works on a labelled graph with a distinguished vertex (with a labelling function issued from $R_{span}$). In order to prove the termination and the validity of $R_{subgraph}$, we use the fact that each part is noetherian and valid. Moreover the rules used in this system are very simple (the left-hand sides are isomorphic to a single vertex or a single edge). Therefore we state that:
Proposition 3 Given a connected labelled graph H, the graph rewriting system with priority $R_{subgraph}$ allows to check on any connected labelled graph with a distinguished vertex if H is one of its subgraphs (partial or induced).
Our graph rewriting system $R_{subgraph}$ has a finite number of rules depending on the number of rules of $R_{enum}$ and linearly depending on $m^2$, where m is the number of vertices of H: $\#rules_{subgraph} = O(m^2)$. The number of labels depends (linearly) on $\#labels_{enum}$ and m: $\#labels_{subgraph} = \#labels_{enum} = O(m \cdot 2^m)$.
3.2 Minor searching
Thanks to the notion of model defined in RS95, we are able to prove the following equivalence:
Lemma 2 Given two connected graphs H and G, the following statements are equivalent:
- H is a minor of G;
- There exists a model $\Phi$ from H onto G defined by:
  • for any edge e of H, $\Phi(e)$ is an edge of G;
  • for any vertex u of H, $\Phi(u)$ is a connected partial subgraph of G (non-empty).
  The model $\Phi$ has the following properties:
  1) for any u and v of V(H), the intersection of $\Phi(u)$ and $\Phi(v)$ is empty;
  2) for any $e \in E(H)$, for any $u \in V(H)$, the edge $\Phi(e)$ doesn't belong to the partial subgraph $\Phi(u)$;
  3) let e = {u, v} be an edge of H, then $\Phi(e)$ has an end-point in $V(\Phi(u))$ and the other in $V(\Phi(v))$.
- There exists an injection $\gamma$ from V(H) to V(G) such that for any edge {u, v} of H, there is a simple path in G between $\gamma(u)$ and $\gamma(v)$, denoted $P(\gamma(u), \gamma(v))$. Moreover these paths are said to be valid, i.e. they verify the following properties:
  1) for any edges {a, b} and {c, d} of H with disjoint end-points, the paths $P(\gamma(a), \gamma(b))$ and $P(\gamma(c), \gamma(d))$ are vertex-disjoint;
  2) for any edge $\{a, b\} \in E(H)$, the path $P(\gamma(a), \gamma(b))$ has at least one edge that is disjoint from any other path $P(\gamma(c), \gamma(d))$ for $\{c, d\} \in E(H)$. Such an edge is called an own edge.
We present a graph rewriting system based on the fact that a minor of a graph can be defined thanks to particular simple paths. Such simple paths (as defined in our Lemma 2) will now be called valid simple paths.
Explanations The connected labelled graph H is known. We assume that we perfectly know its vertex-set V and its edge-set E. Let m be the number of vertices of H. We assume that V = {1, 2, 3, ..., m}. The edges are denoted {i, j} with i < j. Thus an order is defined on E: $\{i, j\} < \{l, k\}$ iff $(i, j) <_2 (l, k)$ (i.e. i < l, or i = l and j < k). We denote by succ(i, j) the successor of {i, j} and by pred(i, j) the predecessor of {i, j} according to <. We consider that succ(i, j) = {i, j} if it is the greatest edge in E (denoted max(i, j)), and pred(i, j) = {i, j} if it is the smallest one (denoted min(i, j)).
The whole system consists of a part of m-enumeration and a part of research of valid paths linking vertices of the m-tuple. We explain the algorithm we used for the second part. The computation starts on a graph G with an m-tuple $(x_1, x_2, \ldots, x_m)$. For any edge {i, j} of H, we mark in G a valid simple path between the vertices $x_i$ and $x_j$ (starting with the smallest edge). The construction of valid paths is made with the enumeration of simple paths (with a checking of validity) and also backtracking. At the end of this computation, we have two possibilities. If we have found all the valid simple paths, then H is a minor of G. If we haven't succeeded with the current m-tuple, then it means that we have to change the m-tuple, i.e. to resume the m-enumeration. If the m-enumeration is done, then H isn't a minor of G.
Valid paths We are able to mark simple paths thanks to the system $R_{enum,P}$. In order to mark a simple path concerning the j-th and i-th vertices of the m-tuple, we use this previous system with parameter (I, J). We have to check that:
- For any couple of vertices (L, K) disjoint from (I, J), any vertex labelled $V_{LK}$ mustn't be labelled $V_{IJ}$ by $R_{enum,P}(I, J)$. It must be the same for the edges.
- Given a path from I to J, there is at least one edge uniquely labelled with $E_{IJ}$.
The first condition is easy to realize: we just have to change the two first rules to prevent the labelling. The second one is done by means of a traversal of the simple path in order to check that this path contains at least one own edge, and that all the other valid paths are still valid. The new graph rewriting system obtained is denoted $R_{EV(i,j)}$ for the edge {i, j}. Such a system is made up of traversals based on a spanning tree.
Sum up The graph rewriting system $R_{minor}$ consists of the following systems with the following priorities:
$$R_{enum} > R_{init} > R_{EV(i,j)_{min}} > \cdots > R_{EV(i,j)_{max}}$$
With,
• $R_{enum}$, enumeration of m-tuples in G;
• $R_{init}$, beginning of the second part;
• $R_{EV(i,j)}$, system of enumeration of valid simple paths between the vertices i and j in the current m-tuple. These systems are made of the system of enumeration of simple paths, a part for the checking of validity, and optionally a part for acknowledgment sending (for {i, j} different from the maximal edge) and cleaning (if {i, j} is the minimal edge). We show on the following example how we use acknowledgment in order to compute valid simple paths according to the order <.
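The third characterization of Lemma 2 and the valid-path search with backtracking just described, as an added Python example (not the authors' rewriting system): every injection $\gamma$ plays the role of the m-enumeration, the edges of H are processed in the order <, and a plain recursive enumeration of simple paths stands in for $R_{enum,P}$. The function names, and the choice to prune on the validity of a partial set of paths (both validity conditions can only fail harder as paths are added), are assumptions.

```python
# Added example (not from the paper): decide "H is a minor of G" through the
# valid simple paths of Lemma 2.  All names are hypothetical.
from itertools import permutations


def adjacency(edges):
    """Adjacency sets of a finite, undirected, simple graph given by its edges."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def simple_paths(adj, s, t):
    """All simple paths from s to t as vertex tuples (DFS with backtracking),
    standing in for the rewriting system R_enum,P(s, t)."""
    def rec(path, seen):
        if path[-1] == t:
            yield tuple(path)
            return
        for y in sorted(adj[path[-1]]):
            if y not in seen:
                seen.add(y)
                path.append(y)
                yield from rec(path, seen)
                path.pop()
                seen.discard(y)
    yield from rec([s], {s})


def path_edges(p):
    return {frozenset(e) for e in zip(p, p[1:])}


def paths_valid(chosen):
    """Validity of Lemma 2.  chosen maps an H-edge (a, b) to P(gamma(a), gamma(b)).
    1) edges of H with disjoint end-points get vertex-disjoint paths;
    2) every path keeps at least one own edge (an edge lying on no other path)."""
    items = list(chosen.items())
    for i, (e1, p1) in enumerate(items):
        for e2, p2 in items[i + 1:]:
            if not set(e1) & set(e2) and set(p1) & set(p2):
                return False
    for e, p in items:
        others = set().union(*[path_edges(q) for f, q in items if f != e])
        if not path_edges(p) - others:
            return False
    return True


def find_minor_model(H_edges, G_edges):
    """Return (gamma, paths) witnessing that H is a minor of G, or None."""
    adj = adjacency(G_edges)
    VH = sorted({v for e in H_edges for v in e})        # V(H) = {1, ..., m}
    EH = sorted(tuple(sorted(e)) for e in H_edges)      # the order < on E(H)

    def search(gamma, k, chosen):
        # the role of R_EV(i,j): pick a path for EH[k], backtrack on failure
        if k == len(EH):
            return True
        i, j = EH[k]
        for p in simple_paths(adj, gamma[i], gamma[j]):
            chosen[(i, j)] = p
            if paths_valid(chosen) and search(gamma, k + 1, chosen):
                return True
            del chosen[(i, j)]
        return False

    for image in permutations(sorted(adj), len(VH)):    # the m-enumeration
        gamma = dict(zip(VH, image))
        chosen = {}
        if search(gamma, 0, chosen):
            return gamma, chosen
    return None


def is_minor(H_edges, G_edges):
    return find_minor_model(H_edges, G_edges) is not None
```

With constructed inputs, the triangle K3 is found as a minor of the 4-cycle (contract one edge) but not of the path on four vertices, and the star with three leaves is found in a star but not in the 4-cycle, where no three paths from one centre can each keep an own edge.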
Example 2 Consider the following graphs H and G. The graph H has three vertices and three edges: {1, 2} < {1, 3} < {2, 3}. The graph G has a distinguished vertex called u, which is the root of a spanning tree (denoted T(G)) computed by a graph rewriting system.
[Figure: the graph H and the graph G; not reproduced.]
Given a 3-tuple of vertices labelled on G, we start the construction of valid simple paths for the three edges of H. Firstly, a traversal of the spanning tree is used to label the vertices 1 and 2 by the list of labels. This part is done by the rules of the system $R_{init}$.
[Figure: the spanning tree T(G) rooted in u, with labels Search(1, 2) and Search(1, 3); not reproduced.]
The smallest edge of H related to < is the edge {1, 2}. Computations start now by the labelling of a valid simple path for this edge, thanks to a system $R_{EV(1,2)}$. As this is the smallest edge, we don't have to wait for an acknowledgment. The following picture shows a computation leading to a valid path: the vertex 2 receives a label of success Valid(1, 2).
[Figure not reproduced.]
As a valid path has been found, an acknowledgment is sent to the vertex 1, smallest end-point of the next edge. A traversal of the spanning tree is used.
[Figure not reproduced.]
The vertex 1 has got labels Search(1, 3) and Ack(1, 2): rules of $R_{EV(1,3)}$ are thus applicable and the enumeration of valid simple paths for this couple of vertices can start.
[Figure: labels $E_{13}$ and Valid(1, 3); not reproduced.]
In this example, a valid simple path has been found for the couple (1, 3). Thus, an acknowledgment is sent to the vertex 2 (smallest end-point of the next edge). This is done by a traversal. The rules of $R_{EV(2,3)}$ become applicable to the graph because of this acknowledgment. If a valid simple path is found for this couple, then the computation stops (i.e. no more rules are applicable): H is a minor of G. In the case where no valid simple path exists, the enumeration of valid simple paths is resumed for the previous couple (1, 3), and so on. The last picture gives us successful computations showing that H is a minor of G.
[Figure: final labelling with Valid(2, 3); not reproduced.]
Details about this graph rewriting system can be found in Bot97.
We recall that h denotes the number of edges of H. The number of rules of $R_{minor}$ is a linear function of $\#rules_{enum}$, m and $h^2$: $\#rules_{minor} = O(h^2 + m)$. The number of labels is a linear function of $\#labels_{enum}$, h and $h^2$: $\#labels_{minor} = O(m \cdot 2^m + h^2)$. The system $R_{minor}$ satisfies the following theorem:
Theorem 1 Given a connected labelled graph H, there exists a graph rewriting system with priority which allows to check on any connected labelled graph G with a distinguished vertex if H is a minor of G.
Thus, given a family of graphs defined by a finite set of forbidden minors, there exists a graph rewriting system with priority which verifies if a given graph with a distinguished vertex belongs to the family. The forbidden minors must be known. We just have to compose a set of systems $R_{minor}$ corresponding to the forbidden minors.
Corollary 1 Let $\mathcal{F}$ be a family of connected graphs, defined by a finite set of forbidden minors. We can check by means of a graph rewriting system if a connected graph G with a distinguished vertex belongs to $\mathcal{F}$.
Therefore we are able to give a graph rewriting system with priority which verifies if a labelled graph with a distinguished vertex is planar or not.
4 Normal forms for graph rewriting systems
In this part we introduce different kinds of normal forms for graph rewritings and more particularly the k-normal form of graph rewriting. Then we prove that for any graph rewriting system there exists a PGRS in k-normal form equivalent to the original system: any GRS can be normalized according to the k-normal form. Our method consists in building the PGRS in k-normal form using systems of enumeration.
4.1 Definitions
We are interested in the structure of the subgraphs which are rewritten by the rules of our systems. As a first normal form we consider the case where the left-hand sides of the rules are isomorphic to a vertex or an edge:
Definition 7 A graph rewriting system has a 2-normal form if each rule rewrites one vertex, or one edge and its two incident vertices.
Most of our graph rewriting systems are in 2-normal form. The computation of a spanning tree, the traversal of a tree, and of course the subgraph searching can be done thanks to graph rewriting systems in 2-normal form. We can also consider that the left-hand sides are equal to simple paths of bounded length.
Definition 8 A graph rewriting system has a k-normal form if each rule rewrites a simple path of length bounded by k - 1.
4.2 Simulation of a FCGRS by a PGRS in k-normal form
We want to prove that any GRS without normal form can be simulated by a GRS in 2-normal or k-normal form. To this end, we use the method introduced in LMS95 to simulate any FCGRS by a PGRS. In a first part we recall this method, and then we present our application.
Method for the simulation of a FCGRS by a PGRS This method is made up of three steps.
I The first part concerns the partition of the initial graph into subgraphs of k-bounded diameter, where k is the maximal diameter of the graphs in the rules of the FCGRS. This part is called the k-election. The k-election problem (introduced in LMS95) can be explained as follows. Each vertex of the graph stands for a town. We want to organize the graph by delimiting countries, each country having one capital. In each country the distance between a town and the capital must be at most k. Moreover, the distance between two different capitals in the graph must be at least k + 1. This part is done by a PGRS in (2k + 1)-normal form.
II The second part consists in supervising the activity of the capitals. If a capital is active, it means that we can simulate on its country the application of a rule of the system. This part is done by a PGRS in (k + 1)-normal form.
III The third part consists in simulating the application of the rules on a country having an active capital. This part is called the local simulation. We have to adapt this local simulation to our problem.
Application to the k-normal form. We are able to realize a local simulation by a PGRS in 2-normal form. We consider that we are working on a country with an active capital.

1. Using a tree traversal, towns are activated one by one (system $\mathcal{R}_{\mathrm{trav}}$).
2. Given an active town, we construct a spanning tree of the ball with center the active town and radius k (system $\mathcal{R}_{\mathrm{span}}(k)$, with orientation from the root to the leaves).
3. For each rule r with forbidden context, we make a system $\mathcal{R}_r$ so as to test the applicability of r on the ball of radius k. We now explain this part of the simulation:
(a) We look for a subgraph isomorphic to $(G_r, \lambda_r)$ in the ball with center this town and radius k. We can do that by means of $\mathcal{R}_{\mathrm{subgraph}}$. Then in G, some vertices have label $(l_i, x)$ and some edges have label $(p, x)$, where $x$ is a symbol standing for the label issued from $\lambda_r$. These vertices and edges form a subgraph isomorphic to $(G_r, \lambda_r)$. The values of $i$ are in $\{1, \ldots, |V(G_r)|\}$.
(b) Then, given an occurrence of $(G_r, \lambda_r)$, we search for all the forbidden contexts, using one PGRS $\mathcal{R}_{\mathrm{subgraph}}$ per context.
(c) If we find such a forbidden context, then we resume the search for another occurrence.
(d) If there aren't any forbidden contexts, then we have to apply the rule r by changing the labels of the edges and then of the vertices. In this way we will realize a rewriting in 2-normal form.

Let us now introduce the system $\mathcal{R}_{\mathrm{norm}}$ in 2-normal form. We consider that we are working on a connected graph having a labelled spanning tree (one vertex is labelled Edge, the others No). Some vertices and edges have labels coming from $\lambda_r$ (as explained before). A first traversal is done in order to change the labels $(p, x)$ of the edges; a second traversal deals with the vertices. The symbol $x'$ means the label issued from $\lambda'_r$.

System $\mathcal{R}_{\mathrm{norm}}$. We walk on a branch of the tree (by using edges of the tree).

[Rule (3): rewriting rule diagram (labels Edge, No, C, W) not recoverable from the extraction]

If we meet a vertex labelled $l_i$, then we change the labels of all the edges incident to this vertex. Edges could be edges of the spanning tree; we don't specify it in our rule.

[Rule (2): rewriting rule diagram (edge label $(p, x)$ rewritten to $(p, x')$ at a vertex labelled $l_k$) not recoverable from the extraction]

When we reach a leaf or when there is nothing else to do, then we come back in the tree.

[Rule (1): rewriting rule diagram (labels Edge, C, W, N) not recoverable from the extraction]

When we are on the root of the tree, then we start a new traversal in order to rewrite the vertices.

[Rule (0): rewriting rule diagram (Edge rewritten to Vertex) not recoverable from the extraction]

We advance on a branch of the tree.

[Rule diagram (labels Vertex, C, W, N) not recoverable from the extraction]

When we reach a vertex which is an image of a vertex of $V(G_r)$, then we change its label.

[Rule diagram (vertex label $(l_i, x)$ rewritten to $(l_i, x')$) not recoverable from the extraction]

The traversal goes on by going back to the root.

[Rule diagram (labels Vertex, W) not recoverable from the extraction]

When we reach the root, then the computation is done.

[Rule (0): rewriting rule diagram (Vertex rewritten to End) not recoverable from the extraction]
This graph rewriting system comes from the traversal of a tree. A system for tree traversals has been proved to be noetherian and valid in [LMS95]. Thus our system is noetherian and valid, because we are sure to reach all the vertices and the edges we have to rewrite. For our simulation we use graph rewriting systems in (k + 1)-normal form and systems in 2-normal form. The k-election problem and the computation of a spanning tree of a ball of radius k are realized by graph rewriting systems in (k + 1)-normal form (with respect to our notation).
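The tree traversal just described, as an added toy example that is not code from the paper or from [LMS95]: a priority graph relabelling system in 2-normal form (every rule rewrites one oriented tree edge together with its two endpoints; a single vertex rule ends the run) that walks a rooted spanning tree, rewrites the payload label of every edge from x to x' on the way down, and brings the token back to the root. The label names N/A/C/D/End and u/t/d, the priorities, and the simplified priority semantics (a rule may fire on an occurrence only if no higher-priority rule has an occurrence sharing a vertex with it) are our own assumptions.

```python
"""Toy priority graph relabelling system in 2-normal form for tree traversal.

Added example, not from the paper.  Vertex labels: N = not yet reached,
A = active (holds the traversal token), C = token handed to a child,
D = done, End = traversal finished.  Edge labels: (state, payload) with
state u = unexplored, t = traversed downwards, d = done.  Tree edges are
oriented from the root to the leaves.  Priority semantics is simplified:
an occurrence may be rewritten only if no higher-priority rule has an
occurrence sharing a vertex with it (hypothetical simplification of [LMS95]).
"""
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]                                   # (parent, child)
Rewrite = Tuple[Dict[str, str], Dict[Edge, Tuple[str, str]]]


class LabelledTree:
    def __init__(self, root: str, edges: List[Edge], payload: Dict[Edge, str]):
        self.edges = list(edges)
        verts = {root} | {v for e in edges for v in e}
        self.vlab: Dict[str, str] = {v: "N" for v in verts}
        self.vlab[root] = "A"                            # the token starts at the root
        self.elab: Dict[Edge, Tuple[str, str]] = {e: ("u", payload[e]) for e in edges}


def rule_down(t: LabelledTree, e: Edge) -> Optional[Rewrite]:
    """Priority 2: push the token down an unexplored edge and rewrite x -> x'."""
    p, c = e
    state, x = t.elab[e]
    if t.vlab[p] == "A" and state == "u" and t.vlab[c] == "N":
        return {p: "C", c: "A"}, {e: ("t", x + "'")}
    return None


def rule_up(t: LabelledTree, e: Edge) -> Optional[Rewrite]:
    """Priority 1: nothing left below the active vertex, hand the token back."""
    p, c = e
    state, x = t.elab[e]
    if t.vlab[p] == "C" and state == "t" and t.vlab[c] == "A":
        return {p: "A", c: "D"}, {e: ("d", x)}
    return None


def rule_end(t: LabelledTree, v: str) -> Optional[Rewrite]:
    """Priority 0, vertex rule: an active vertex that no edge rule can touch is the root, done."""
    if t.vlab[v] == "A":
        return {v: "End"}, {}
    return None


def occurrences(t: LabelledTree):
    """All applicable (priority, touched vertices, rewrite) triples."""
    occ = []
    for e in t.edges:
        for prio, rule in ((2, rule_down), (1, rule_up)):
            rw = rule(t, e)
            if rw is not None:
                occ.append((prio, set(e), rw))
    for v in t.vlab:
        rw = rule_end(t, v)
        if rw is not None:
            occ.append((0, {v}, rw))
    return occ


def step(t: LabelledTree) -> bool:
    """Apply one unblocked rule; return False when the graph is irreducible."""
    occ = occurrences(t)
    for prio, verts, (new_v, new_e) in occ:
        blocked = any(p2 > prio and verts & v2 for p2, v2, _ in occ)
        if not blocked:
            t.vlab.update(new_v)
            t.elab.update(new_e)
            return True
    return False


def run_traversal(root: str, edges: List[Edge], payload: Dict[Edge, str]):
    """Run to an irreducible graph; returns (steps, vertex labels, edge labels).

    Noetherian: each edge is rewritten exactly twice (down, then up) and the
    End rule once, so the run stops after 2*|E| + 1 steps."""
    t = LabelledTree(root, edges, payload)
    steps = 0
    while step(t):
        steps += 1
    return steps, dict(t.vlab), dict(t.elab)


if __name__ == "__main__":
    # Constructed sample tree: r -> a -> c, r -> b, with payloads x, y, z.
    print(run_traversal("r", [("r", "a"), ("r", "b"), ("a", "c")],
                        {("r", "a"): "x", ("r", "b"): "y", ("a", "c"): "z"}))
```

Validity here is checked by the final labelling: every edge ends in state d with its payload primed, every non-root vertex in D and the root in End, which is exactly what the traversal must guarantee before the vertex pass can start.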
Proposition Any graph rewriting system with forbidden context can be simulated by a graph rewriting system with priority which is in (k + 1)-normal form.

Moreover any graph rewriting system with priority can be moved into a graph rewriting system with forbidden context, as it is explained in [LMS95]. Thus,

Theorem 2 Any graph rewriting system (with priority or forbidden context) can be normalized into a graph rewriting system with priority in k-normal form, with a convenient integer k.
References

[Ang80] D. Angluin. Local and global properties in networks of processors. In 12th STOC, pages 82-93, 1980.
[BM96] A. Bottreau and Y. Métivier. Kronecker product and local computation in graphs. In CAAP'96, volume 1059 of Lect. Notes in Comp. Sci., pages 2-16, 1996.
[Bot97] A. Bottreau. Réécriture de graphe et calculs distribués. PhD thesis, Université Bordeaux I, LaBRI, juin 1997.
[CM94] B. Courcelle and Y. Métivier. Coverings and minors: Application to local computations in graphs. Europ. J. Combinatorics, 15:127-138, 1994.
[Cou90] B. Courcelle. The monadic second order logic of graphs I. Recognizable sets of finite graphs. Inform. and Comput., 85:12-75, 1990.
[LM92] I. Litovsky and Y. Métivier. Computing trees with graph rewriting systems with priorities. Tree Automata and Languages, pages 115-139, 1992.
[LM93] I. Litovsky and Y. Métivier. Computing with graph rewriting systems with priorities. Theoretical Computer Science, 115:191-224, 1993.
[LMS95] I. Litovsky, Y. Métivier, and E. Sopena. Different local controls for graph relabelling systems. Mathematical Systems Theory, 28:41-65, 1995.
[LMZ95] I. Litovsky, Y. Métivier, and W. Zielonka. On the recognition of families of graphs with local computations. Information and Computation, 115(1):110-119, 1995.
[Maz87] A. Mazurkiewicz. Petri nets, applications and relationship to other models of concurrency, volume 255, chapter Trace Theory, pages 279-324. W. Brauer et al., 1987.
[RFH72] P. Rosenstiehl, J.R. Fiksel, and A. Holliger. Intelligent graphs: networks of finite automata capable of solving graph problems. In Graph Theory and Computing, pages 219-265. Academic Press, 1972.
[RS95] N. Robertson and P.D. Seymour. Graph minors XIII. The disjoint paths problem. Journal of Combinatorial Theory, Series B, 63:65-110, 1995.
[YK96a] M. Yamashita and T. Kameda. Computing on anonymous networks: Part I - characterizing the solvable cases. IEEE Transactions on Parallel and Distributed Systems, 7(1):69-89, 1996.
[YK96b] M. Yamashita and T. Kameda. Computing on anonymous networks: Part II - decision and membership problems. IEEE Transactions on Parallel and Distributed Systems, 7(1):90-96, 1996.
Partial Metrics and Co-continuous Valuations*

Michael A. Bukatin (1) and Svetlana Yu. Shorina (2)

(1) Department of Computer Science, Brandeis University, Waltham, MA 02254, USA; bukatin@cs.brandeis.edu; http://www.cs.brandeis.edu/~bukatin/papers.html
(2) Faculty of Mechanics and Mathematics, Moscow State University, Moscow, Russia; sveta@cpm.ru
Abstract. The existence of deep connections between partial metrics and valuations is well known in domain theory. However, the treatment of non-algebraic continuous Scott domains has not been quite satisfactory so far. In this paper we return to the continuous normalized valuations $\mu$ on the systems of open sets and introduce notions of co-continuity ($\{U_i, i \in I\}$ is a filtered system of open sets $\Rightarrow \mu(\mathrm{Int}(\bigcap_{i \in I} U_i)) = \inf_{i \in I} \mu(U_i)$) and strong non-degeneracy ($U \subset V$ are open sets $\Rightarrow \mu(U) < \mu(V)$) for such valuations. We call the resulting class of valuations CC-valuations. The first central result of this paper is a construction of CC-valuations for Scott topologies on all continuous dcpo's with countable bases. This is a surprising result because neither co-continuous, nor strongly non-degenerate valuations are usually possible for ordinary Hausdorff topologies. Another central result is a new construction of partial metrics. Given a continuous Scott domain $A$ and a CC-valuation $\mu$ on the system of Scott open subsets of $A$, we construct a continuous partial metric on $A$ yielding the Scott topology as $u(x, y) = \mu(A \setminus (C_x \cap C_y)) - \mu(I_x \cap I_y)$, where $C_x = \{y \in A \mid y \sqsubseteq x\}$ and $I_x = \{y \in A \mid \{x, y\} \text{ is unbounded}\}$. This construction covers important cases based on the real line and allows one to obtain an induced metric on $\mathrm{Total}(A)$ without the unpleasant restrictions known from earlier work.
1 Introduction

Recently the theory of partial metrics introduced by Matthews [14] has undergone active development and is used in various applications, from computational description of metric spaces [9] to the analysis of parallel computation [13]. The relationship between partial metrics and valuations was first noticed by O'Neill in [15]. In [3] Bukatin and Scott generalized this relationship by considering valuations on powersets of bases, instead of valuations on the domains themselves, as in [15]. They also explained the computational intuition of partial metrics by generalizing them to relaxed metrics, which take values in the interval numbers.

* Supported by Applied Continuity in Computations Project.
Partial metrics can be considered as taking values in the upper bounds of those interval numbers. However, it is often desirable to remove the most restrictive axioms of partial metrics, like small self-distances, $u(x, x) \le u(x, y)$, and the strong Vickers-Matthews triangle inequality, $u(x, z) \le u(x, y) + u(y, z) - u(y, y)$. Thus [3] only requires symmetry and the ordinary triangle inequality for the upper bounds of relaxed metrics. However, it can be shown (see Section 6) that if the upper bounds $u(x, y)$ of relaxed metrics are based on the idea that common information, or more precisely, the measure of common information about $x$ and $y$, brings a negative contribution to $u(x, y)$ (e.g. in the normalized world we can consider $u(x, y) = 1 - \mu(\mathrm{Info}(x) \cap \mathrm{Info}(y))$), then all axioms of partial metrics should hold for $u$. In fact, it makes sense to introduce both positive and negative information, and to define $u(x, y) = 1 - \mu(\mathrm{Info}(x) \cap \mathrm{Info}(y)) - \mu(\mathrm{Neginfo}(x) \cap \mathrm{Neginfo}(y))$, then defining meaningful lower bounds $l(x, y) = \mu(\mathrm{Info}(x) \cap \mathrm{Neginfo}(y)) + \mu(\mathrm{Info}(y) \cap \mathrm{Neginfo}(x))$ and obtaining an induced metric on $\mathrm{Total}(A)$. This is, essentially, the approach of Section 5 of [3], where $\mathrm{Info}(x)$ and $\mathrm{Neginfo}(x)$ can be understood as subsets of a domain basis. However, there were a number of remaining open problems. In particular, while [3] builds partial metrics on all continuous Scott domains with countable bases, the reliance of [3] on finite weights of non-compact basic elements does not allow one to obtain some natural partial metrics on real-line based domains, and also introduces some unpleasant restrictions on domains which must be satisfied in order to obtain an induced classical metric on $\mathrm{Total}(A)$.
1.1 Co-continuous Valuations

This paper rectifies these particular open problems by defining partial metrics via valuations on the systems of Scott open sets of domains. The theory of valuations on open sets has undergone considerable development recently (see [5, 11, 18, 2] and references therein). However we have found that we need a special condition of co-continuity for our valuations: for a filtered system of open sets $\{U_i, i \in I\}$, $\mu(\mathrm{Int}(\bigcap_{i \in I} U_i)) = \inf_{i \in I} \mu(U_i)$. We need this condition to ensure Scott continuity of our partial metrics.

The paper starts as follows. In Section 2 we recall the necessary definitions of domain theory. Section 3 defines various properties of valuations and introduces the class of CC-valuations: continuous, normalized, strongly non-degenerate, co-continuous valuations. Section 4 builds a CC-valuation on the system of Scott open sets of every continuous dcpo with a countable basis. This is the first central result of this paper. It seems that the notion of co-continuity of valuations and this result for the case of continuous Scott domains with countable bases are both new and belong to us. The generalization of this result to continuous dcpo's with countable bases belongs to Klaus Keimel [12]. He worked directly with completely distributive lattices of Scott open sets of continuous dcpo's and used the results about completely distributive lattices obtained by Raney in the fifties (see Exercise 2.30 on page 204 of [8]). Here we present a proof which can be considered a simplification of both our original proof and the proof obtained by Keimel. This proof also works for all continuous dcpo's with countable bases. A part of this proof, as predicted by Keimel, can be considered as a special case of Raney's results mentioned above. However, our construction is very simple and self-contained.

Keimel also pointed out in [12] that our results are quite surprising, because both co-continuity and strong non-degeneracy, $U \subset V$ are open sets $\Rightarrow \mu(U) < \mu(V)$, seem contradictory, as neither of them can hold for the system of open sets of the ordinary Hausdorff topology on $[0, 1]$. However, if we replace the system of open sets of this Hausdorff topology with the system of open intervals, both conditions would hold. We believe that the reason behind our results is that the Scott topology is coarse enough for its system of open sets to exhibit behaviors similar to the behaviors of typical bases of open sets of Hausdorff topologies.
1.2 Application to Partial Metrics

Section 5 discusses partial and relaxed metrics and their properties. Section 6 describes an approach to partial and relaxed metrics where the upper bounds $u(x, y)$ are based on the idea of common information about $x$ and $y$ bringing a negative contribution to $u(x, y)$. We formalize this approach by introducing the notion of $\mu$Info-structure. However, we feel that this formalization can be further improved. In particular, Section 6 presents the second central result of this paper: given a CC-valuation on the system of Scott open sets of any continuous Scott domain (no assumptions about the cardinality of the basis are needed here), we build a Scott continuous relaxed metric $(l, u) : A \times A \to R^I$, such that $u : A \times A \to R^-$ is a partial metric, the relaxed metric topology coincides with the Scott topology, and if $x, y \in \mathrm{Total}(A)$, $l(x, y) = u(x, y)$ and the resulting classical metric $\mathrm{Total}(A) \times \mathrm{Total}(A) \to R$ defines a subspace topology on $\mathrm{Total}(A)$. Here $R^I$ is the domain of interval numbers, $R^-$ is the domain of upper bounds, and $\mathrm{Total}(A)$ is the set of maximal elements of $A$. Section 7 discusses various examples and possibilities to weaken the strong non-degeneracy condition; to find a sufficiently general weaker condition is an open problem. A more detailed presentation can be found in [4].
2 Continuous Scott Domains

Recall that a non-empty partially ordered set (poset), $(S, \sqsubseteq)$, is directed if $\forall x, y \in S.\ \exists z \in S.\ x \sqsubseteq z,\ y \sqsubseteq z$. A poset, $(A, \sqsubseteq)$, is a dcpo if it has a least element, $\bot$, and for any directed $S \subseteq A$, the least upper bound $\bigsqcup S$ of $S$ exists in $A$. A set $U \subseteq A$ is Scott open if $\forall x, y \in A.\ x \in U,\ x \sqsubseteq y \Rightarrow y \in U$ and for any directed poset $S \subseteq A$, $\bigsqcup S \in U \Rightarrow \exists s \in S.\ s \in U$. The Scott open subsets of a dcpo form the Scott topology.
Consider dcpo's $(A, \sqsubseteq_A)$ and $(B, \sqsubseteq_B)$ with the respective Scott topologies. $f : A \to B$ is (Scott) continuous iff it is monotonic ($x \sqsubseteq_A y \Rightarrow f(x) \sqsubseteq_B f(y)$) and for any directed poset $S \subseteq A$, $f(\bigsqcup_A S) = \bigsqcup_B \{f(s) \mid s \in S\}$.

We define continuous Scott domains in the spirit of [10]. Consider a dcpo $(A, \sqsubseteq)$. We say that $x \ll y$ ($x$ is way below $y$) if for any directed set $S \subseteq A$, $y \sqsubseteq \bigsqcup S \Rightarrow \exists s \in S.\ x \sqsubseteq s$. An element $x$, such that $x \ll x$, is called compact. We say that $A$ is bounded complete if $\forall B \subseteq A.\ (\exists a \in A.\ \forall b \in B.\ b \sqsubseteq a) \Rightarrow \bigsqcup B$ exists. Consider a set $K \subseteq A$. Notice that $\bot_A \in K$. We say that a dcpo $A$ is a continuous dcpo with basis $K$, if for any $a \in A$, the set $K_a = \{k \in K \mid k \ll a\}$ is directed and $a = \bigsqcup K_a$. We call elements of $K$ basic elements. A continuous, bounded complete dcpo is called a continuous Scott domain.
3 CC-valuations

Consider a topological space $(X, \mathcal{O})$, where $\mathcal{O}$ consists of all open subsets of $X$. The following notions of the theory of valuations can be considered standard (for the most available presentation in a regular journal see [5]; the fundamental text in the theory of valuations on Scott open sets is [11]).

Definition 3.1. A function $\mu : \mathcal{O} \to [0, +\infty]$ is called a valuation if
1. $\forall U, V \in \mathcal{O}.\ U \subseteq V \Rightarrow \mu(U) \le \mu(V)$;
2. $\forall U, V \in \mathcal{O}.\ \mu(U) + \mu(V) = \mu(U \cap V) + \mu(U \cup V)$;
3. $\mu(\emptyset) = 0$.

Definition 3.2. A valuation $\mu$ is bounded if $\mu(X) < +\infty$. A valuation $\mu$ is normalized if $\mu(X) = 1$.

Remark: If a valuation $\mu$ is bounded and $\mu(X) \ne 0$, then it is always easy to replace it with a normalized valuation $\mu'(U) = \mu(U)/\mu(X)$.

Definition 3.3. Define a directed system of open sets, $\mathcal{U} = \{U_i, i \in I\}$, as satisfying the following condition: for any finite number of open sets $U_{i_1}, U_{i_2}, \ldots, U_{i_n} \in \mathcal{U}$ there is $U_i$, $i \in I$, such that $U_{i_1} \subseteq U_i, \ldots, U_{i_n} \subseteq U_i$.

Definition 3.4. A valuation $\mu$ is called continuous when for any directed system of open sets $\mu(\bigcup_{i \in I} U_i) = \sup_{i \in I} \mu(U_i)$.

We introduce two new properties of valuations.

Definition 3.5. A valuation $\mu : \mathcal{O} \to [0, +\infty]$ is strongly non-degenerate if $\forall U, V \in \mathcal{O}.\ U \subset V \Rightarrow \mu(U) < \mu(V)$.${}^3$

This is, obviously, a very strong requirement, and we will see later that it might be reasonable to look for weaker non-degeneracy conditions.

Consider a decreasing sequence of open sets $U_1 \supseteq U_2 \supseteq \ldots$, or, more generally, a filtered system of open sets $\mathcal{U} = \{U_i, i \in I\}$, meaning that for any finite system of open sets $U_{i_1}, \ldots, U_{i_n} \in \mathcal{U}$ there is $U_i$, $i \in I$, such that $U_i \subseteq U_{i_1}, \ldots, U_i \subseteq U_{i_n}$. Consider the interior of the intersection of these sets. It is easy to see that for a valuation $\mu$
$$\mu\Big(\mathrm{Int}\Big(\bigcap_{i \in I} U_i\Big)\Big) \le \inf_{i \in I} \mu(U_i).$$

Definition 3.6. A valuation $\mu$ is called co-continuous if for any filtered system of open sets $\{U_i, i \in I\}$
$$\mu\Big(\mathrm{Int}\Big(\bigcap_{i \in I} U_i\Big)\Big) = \inf_{i \in I} \mu(U_i).$$

${}^3$ We use $U \subset V$ as an equivalent of $U \subseteq V\ \&\ U \ne V$.
Definition 3.7. A continuous, normalized, strongly non-degenerate, co-continuous valuation $\mu$ is called a CC-valuation.

Informally speaking, the strong non-degeneracy provides for non-zero contributions of compact elements and reasonable "pieces of space". The co-continuity provides for single non-compact elements and borders $B \setminus \mathrm{Int}(B)$ of "reasonable" sets $B \subseteq A$ to have zero measure. "Reasonable" sets here are Alexandrov open (i.e. upwardly closed) sets. Thus, it is possible to consider co-continuity as a method of dealing with the non-discreteness of the Scott topology. We follow here the remarkable definition of a discrete topology given by Alexandrov: a topology is discrete if an intersection of an arbitrary family of open sets is open (e.g. see [1]). Of course, if one assumes the $T_1$ separation axiom, then Alexandrov's definition implies that all sets are open, the trivial (and more standard) version of the definition. In this sense, the Alexandrov topology of upwardly closed sets is discrete, but the Scott topology is not.

We should also notice that since our valuations are bounded, they can be extended onto closed sets via the formula $\mu(C) = \mu(A) - \mu(A \setminus C)$, and all definitions of this section can be expressed in the dual form. A bounded valuation $\mu$ can be uniquely extended to an additive measure defined on the ring of sets generated from the open sets by the operations $\cap$, $\cup$, $\setminus$ [16]. The issues of $\sigma$-additivity are not in the scope of this text (interested readers are referred to [11, 2]). We deal with the specific infinite systems of sets we need, and mainly focus on the quite orthogonal conditions given to us by co-continuity of $\mu$.

3.1 Example: Valuations Based on Weights of Basic Elements
This example essentially reproduces the construction in [3]. Consider a continuous dcpo $A$ with a countable basis $K$. Assign a converging system of weights to basic elements: $w(k) > 0$, $\sum_{k \in K} w(k) = 1$. Define $\mu(U) = \sum_{k \in U} w(k)$. It is easy to see that $\mu$ is a continuous, normalized, strongly non-degenerate valuation. However, $\mu$ is co-continuous if and only if all basic elements are compact (which is possible only if $A$ is algebraic). This is proved in [4] using the following observations.
First, observe that arbitrary intersections of Alexandrov open (i.e. upwardly closed) sets are Alexandrov open. Also it is a well-known fact that $\{y \mid x \ll y\}$ is Scott open in a continuous dcpo.

Lemma 3.1 (Border Lemma) Consider an Alexandrov open set $B \subseteq A$. Then its interior in the Scott topology is $\mathrm{Int}(B) = \{y \in A \mid \exists x \in B.\ x \ll y\}$. Correspondingly, the border of $B$ in the Scott topology is $B \setminus \mathrm{Int}(B) = \{y \in B \mid \neg(\exists x \in B.\ x \ll y)\}$.
3.2 A Vertical Segment of Real Line

Consider the segment $[0, 1]$, $\sqsubseteq\ =\ \le$. Define $\mu((x, 1]) = 1 - x$. Unfortunately, to ensure strong non-degeneracy we have to define $\mu([0, 1]) = 1 + \varepsilon$, $\varepsilon > 0$. This is the first hint that strong non-degeneracy is too strong in many cases. In order to obtain a normalized valuation we have to consider $\mu'(U) = \mu(U)/(1 + \varepsilon)$. The resulting $\mu'$ is a CC-valuation.
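As an added worked check, not carried out in the paper, here is why $\mu'$ satisfies each clause of Definition 3.7 on the vertical segment. The only ingredient is the list of Scott open subsets of $([0, 1], \le)$: a set is Scott open iff it is upward closed and inaccessible by directed suprema, which leaves $\emptyset$, the sets $(x, 1]$ for $x \in [0, 1)$ and $[0, 1]$ itself (a set $[x, 1]$ with $x > 0$ is not Scott open, since $[0, x)$ is directed with supremum $x$ but misses $[x, 1]$).

$$
\begin{aligned}
&\mathcal{O} = \{\emptyset\} \cup \{(x, 1] \mid x \in [0, 1)\} \cup \{[0, 1]\},\qquad
\mu(\emptyset) = 0,\ \ \mu((x, 1]) = 1 - x,\ \ \mu([0, 1]) = 1 + \varepsilon,\ \ \mu' = \mu/(1 + \varepsilon).\\[4pt]
&\text{Valuation (Def. 3.1): } \mathcal{O} \text{ is a chain under } \subseteq,
\text{ so } U \cap V = \min(U, V),\ U \cup V = \max(U, V),\ \text{hence } \mu(U) + \mu(V) = \mu(U \cap V) + \mu(U \cup V);\\
&\qquad (x, 1] \subseteq (y, 1] \iff y \le x \implies 1 - x \le 1 - y.\\[4pt]
&\text{Strong non-degeneracy (Def. 3.5): } (x, 1] \subset (y, 1] \iff y < x \implies 1 - x < 1 - y;\qquad
(0, 1] \subset [0, 1]:\ 1 < 1 + \varepsilon\ \ (\text{the only place } \varepsilon \text{ is needed}).\\[4pt]
&\text{Continuity (Def. 3.4): for a directed family } \{(x_i, 1]\}_{i \in I},\
\bigcup_{i} (x_i, 1] = \big(\inf_i x_i,\, 1\big],\
\mu'\Big(\bigcup_i (x_i, 1]\Big) = \frac{1 - \inf_i x_i}{1 + \varepsilon} = \sup_i \mu'((x_i, 1]).\\[4pt]
&\text{Co-continuity (Def. 3.6): for a filtered family } \{(x_i, 1]\}_{i \in I} \text{ with } x = \sup_i x_i,\
\bigcap_i (x_i, 1] \in \{[x, 1],\ (x, 1]\},\
\mathrm{Int}\Big(\bigcap_i (x_i, 1]\Big) = (x, 1],\\
&\qquad \mu'((x, 1]) = \frac{1 - x}{1 + \varepsilon} = \inf_i \frac{1 - x_i}{1 + \varepsilon} = \inf_i \mu'((x_i, 1]).
\end{aligned}
$$

The co-continuity line is the border phenomenon of Definition 3.7 in its simplest form: when the supremum $x$ is not attained, the intersection is the Alexandrov open set $B = [x, 1]$, whose Scott border $B \setminus \mathrm{Int}(B) = \{x\}$ receives measure $0$, so passing to the interior costs nothing; the case $x = 1$ gives $(1, 1] = \emptyset$ and both sides are $0$. Families that contain $[0, 1]$ itself change nothing, since $[0, 1]$ is the largest open set and contributes neither to the infimum nor to the intersection.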
4 Constructing CC-valuations

In this section we build a CC-valuation for all continuous dcpo's with countable bases. The construction generalizes the one of Subsection 3.1. We are still going to assign weights, $w(k) > 0$, to compact elements. For non-compact basic elements we proceed as follows. We focus our attention on the pairs of non-compact basic elements, $(k', k'')$, which do not have any compact elements between them, and call such elements continuously connected. We observe that for every such pair we can construct a special kind of vertical chain, which "behaves like a vertical segment $[0, 1]$ of the real line". We call such a chain a stick. We assign weights, $v(k', k'') > 0$, to sticks as well, in such a way that the sum of all $w(k)$ and all $v(k', k'')$ is 1. As in Subsection 3.1, compact elements $k$ contribute $w(k)$ to $\mu(U)$, if $k \in U$. An intersection of the stick associated with a continuously connected pair $(k', k'')$ with an open set $U$ "behaves as either $(q, 1]$ or $[q, 1]$", where $q \in [0, 1]$. Such a stick contributes $(1 - q) \cdot v(k', k'')$ to $\mu(U)$. The resulting $\mu$ is the desired CC-valuation.

It is possible to associate a complete lattice homomorphism from the lattice of Scott open sets to $[0, 1]$ with every compact element and with every stick defined by basic continuously connected elements $k'$ and $k''$. Then, as suggested by Keimel [12], all these homomorphisms together can be thought of as an injective complete lattice homomorphism to $[0, 1]^J$. From this point of view, our construction of $\mu$ is the same as in [12]. Thus the discourse in this section yields the proof of the following:

Theorem 4.1 For any continuous dcpo $A$ with a countable basis, there is a CC-valuation $\mu$ on the system of its Scott open sets.
4.1 Continuous Connectivity and Sticks

Definition 4.1. Two elements $x \ll y$ are called continuously connected if the set $\{k \in A \mid k \text{ is compact},\ x \ll k \ll y\}$ is empty.

Remark: This implies that $x$ and $y$ are not compact.

Lemma 4.1 If $x \ll y$ are continuously connected, then $\{z \mid x \ll z \ll y\}$ has cardinality of at least continuum.

Proof. We use the well-known theorem on intermediate values that $x \ll y \Rightarrow \exists z \in A.\ x \ll z \ll y$ (see [10]). Applying this theorem again and again we build a countable system of elements between $x$ and $y$ as follows, using rational numbers as indices for intermediate elements:
$$x \ll a_{1/2} \ll y, \qquad x \ll a_{1/4} \ll a_{1/2} \ll a_{3/4} \ll y, \qquad \ldots$$
All these elements are non-compact and hence non-equal. Now consider a directed set $\{a_i \mid i < r\}$, where $r$ is a real number, $0 < r < 1$. Introduce $b_r = \bigsqcup \{a_i \mid i \le r\}$. We prove that if $r < s$ then $b_r \ll b_s$, and also that $x \ll b_r \ll b_s \ll y$, thus obtaining the required cardinality. Indeed it is easy to find such $n$ and numbers $q_1, q_2, q_3, q_4$, that
$$x \ll a_{q_1/2^n} \sqsubseteq b_r \sqsubseteq a_{q_2/2^n} \ll a_{q_3/2^n} \sqsubseteq b_s \sqsubseteq a_{q_4/2^n} \ll y.$$

Definition 4.2. We call the set of continuum different non-compact elements $\{a_r \mid r \in (0, 1)\}$ between continuously connected $x \ll y$, built in the proof above, such that $x \ll a_r \ll a_q \ll y$ for $r < q$, a (vertical) stick.

4.2 Proof of Theorem 4.1
Consider a continuous dcpo $A$ with a countable basis $K$. As discussed earlier, with every compact $k \in K$ we associate a weight $w(k) > 0$, and with every continuously connected pair $(k', k'')$, $k', k'' \in K$, we associate a weight $v(k', k'') > 0$ and a stick $\{a_r^{k', k''} \mid r \in (0, 1)\}$. Since $K$ is countable, we can require
$$\sum w(k) + \sum v(k', k'') = 1.$$
Whenever we have an upwardly closed (i.e. Alexandrov open) set $U$, for any stick $\{a_r^{k', k''} \mid r \in (0, 1)\}$ there is a number $q_U^{k', k''} \in [0, 1]$, such that $r < q_U^{k', k''} \Rightarrow a_r^{k', k''} \notin U$ and $q_U^{k', k''} < r \Rightarrow a_r^{k', k''} \in U$. In particular, for a Scott open set $U$ define
$$\mu(U) = \sum_{k \in U \text{ is compact}} w(k) \;+\; \sum_{k', k'' \in K \text{ are continuously connected}} \big(1 - q_U^{k', k''}\big) \cdot v(k', k'').$$
It is easy to show that $\mu$ is a normalized valuation. The rest follows from the following Lemmas.

Lemma 4.2 $\mu$ is continuous.
Lemma 4.3 $\mu$ is strongly non-degenerate.
Proof. Let $U$ and $V$ be Scott open subsets of $A$ and $U \subset V$. Let us prove that $V \setminus U$ contains either a compact element or a stick between basic elements. Take $x \in V \setminus U$. If $x$ is compact, then we are fine. Assume that $x$ is not compact. We know that $x = \bigsqcup K_x$, where $K_x = \{k \in K \mid k \ll x\}$ is a directed set. Since $V$ is open, $\exists k \in K_x.\ k \in V$. Since $k \sqsubseteq x$ and $x \notin U$, $k \in V \setminus U$. If there is a compact $k'$, such that $k \ll k' \ll x$, we are fine, since $k' \in V \setminus U$. Otherwise, since any basis includes all compact elements, $k$ and $x$ are continuously connected. Now, as in the theorem of intermediate values, $x = \bigsqcup K'_x$, where $K'_x = \{k' \in K \mid \exists k'' \in K.\ k' \ll k'' \ll x\}$ is a directed set, thus $\exists k', k''.\ k \sqsubseteq k' \ll k'' \ll x$, thus $(k', k'')$ yields the desired stick. If $k \in V \setminus U$ and $k$ is compact, then $\mu(V) - \mu(U) \ge w(k) > 0$. If the stick formed by $(k', k'')$ is in $V \setminus U$, then $\mu(V) - \mu(U) \ge v(k', k'') > 0$.
Lemma 4.4 $\mu$ is co-continuous.

Proof. Recall the development in Subsection 3.1. Consider a filtered system of open sets $\{U_i, i \in I\}$. By Lemma 3.1, for $B = \bigcap_{i \in I} U_i$, $B \setminus \mathrm{Int}(B) = \{y \in B \mid \neg(\exists x \in B.\ x \ll y)\}$. Notice that $B \setminus \mathrm{Int}(B)$, in particular, does not contain compact elements. Another important point is that for any stick, $q_B^{k', k''} = q_{\mathrm{Int}(B)}^{k', k''}$. The further development is essentially dual to the omitted proof of Lemma 4.2. We need to show that for any $\varepsilon > 0$, there is such $U_i$, $i \in I$, that $\mu(U_i) - \mu(\mathrm{Int}(B)) < \varepsilon$. Take enough (a finite number) of compact elements, $k_1, \ldots, k_n$, and continuously connected pairs of basic elements, $(k'_1, k''_1), \ldots, (k'_m, k''_m)$, so that $w(k_1) + \ldots + w(k_n) + v(k'_1, k''_1) + \ldots + v(k'_m, k''_m) > 1 - \varepsilon/2$. For each $k_j \notin \mathrm{Int}(B)$, take $U_{i_j}$, $i_j \in I$, such that $k_j \notin U_{i_j}$. For each $(k'_j, k''_j)$, such that $q_{\mathrm{Int}(B)}^{k'_j, k''_j} > 0$, take $U_{i'_j}$, $i'_j \in I$, such that $q_{\mathrm{Int}(B)}^{k'_j, k''_j} - q_{U_{i'_j}}^{k'_j, k''_j} < \varepsilon/(2m)$. A lower bound of these $U_{i_j}$ and $U_{i'_j}$ is the desired $U_i$. $\square$

It should be noted that Bob Flagg suggested and Klaus Keimel showed that Lemma 5.3 of [7] can be adapted to obtain a dual proof of existence of CC-valuations (see [6] for one presentation of this). Klaus Keimel also noted that one can consider all pairs $k, k'$ of basic elements, such that $k \ll k'$, instead of considering just continuously connected pairs and compact elements.
5 Partial and Relaxed Metrics on Domains

The motivations behind the notion of relaxed metric, its computational meaning and its relationships with partial metrics [14] were explained in [3]. Here we focus on the definitions and basic properties, revisit the issue of specific axioms of partial metrics, and list the relevant open problems.

The distance domain consists of pairs $(a, b)$ (also denoted as $[a, b]$) of non-negative reals ($+\infty$ included), such that $a \le b$. We denote this domain as $R^I$. $[a, b] \sqsubseteq [c, d]$ iff $a \le c$ and $d \le b$. We can also think about $R^I$ as a subset of $R^+ \times R^-$, where $\sqsubseteq_{R^+} = \le$, $\sqsubseteq_{R^-} = \ge$, and both $R^+$ and $R^-$ consist of non-negative reals and $+\infty$. We call $R^+$ a domain of lower bounds, and $R^-$ a domain of upper bounds. Thus a distance function $\rho : A \times A \to R^I$ can be thought of as a pair of distance functions $(l, u)$, $l : A \times A \to R^+$, $u : A \times A \to R^-$.
Definition 5.1. A symmetric function $u : A \times A \to R^-$ is called a relaxed metric when it satisfies the triangle inequality. A symmetric function $\rho : A \times A \to R^I$ is called a relaxed metric when its upper part $u$ is a relaxed metric.

An open ball with a center $x \in A$ and a real radius $\varepsilon$ is defined as $B_{x, \varepsilon} = \{y \in A \mid u(x, y) < \varepsilon\}$. Notice that only upper bounds are used in this definition: the ball only includes those points $y$ about which we are sure that they are not too far from $x$. We should formulate the notion of a relaxed metric open set more carefully than for ordinary metrics, because it is now possible to have a ball of a non-zero positive radius which does not contain its own center.

Definition 5.2. A subset $U$ of $A$ is relaxed metric open if for any point $x \in U$, there is an $\varepsilon > u(x, x)$ such that $B_{x, \varepsilon} \subseteq U$.

It is easy to show that for a continuous relaxed metric on a dcpo all relaxed metric open sets are Scott open and form a topology.
5.1 Partial Metrics

The distances $p$ with $p(x, x) \ne 0$ were first introduced by Matthews [14, 13]. They are known as partial metrics and obey the following axioms:
1. $x = y$ iff $p(x, x) = p(x, y) = p(y, y)$.
2. $p(x, x) \le p(x, y)$.
3. $p(x, y) = p(y, x)$.
4. $p(x, z) \le p(x, y) + p(y, z) - p(y, y)$.

Whenever partial metrics are used to describe a partially ordered domain, a stronger form of the first two axioms is used: if $x \sqsubseteq y$ then $p(x, x) = p(x, y)$, otherwise $p(x, x) < p(x, y)$. We include the stronger form in the definition of partial metrics for the purposes of this paper.

Section 8.1 of [3] discusses the issue of whether the axioms $u(x, x) \le u(x, y)$ and $u(x, z) \le u(x, y) + u(y, z) - u(y, y)$ should hold for the upper bounds of relaxed metrics. In particular, the approach in this paper is based on $u(x, y) = 1 - \mu(\text{common information between } x \text{ and } y)$ and thus, as will be explained in detail in the next section, the axioms of partial metrics hold. Further discussion of the utilitarian value of these axioms can be found in [4].
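An added example, not code from the paper, serving both Subsection 3.1 and this subsection: it builds the weight-based valuation $\mu(U) = \sum_{k \in U} w(k)$ on a constructed finite bounded complete poset (every element compact, so the Scott open sets are exactly the upward-closed sets), checks the clauses of Definitions 3.1, 3.2 and 3.5 over all open sets, then evaluates the partial metric from the abstract, $u(x, y) = \mu(A \setminus (C_x \cap C_y)) - \mu(I_x \cap I_y)$, and checks the four axioms above together with their stronger order-sensitive form. The poset, its weights and the element names are our own choices; exact rationals are used so the equalities are not spoiled by floating point.

```python
"""Weight-based valuation and the abstract's partial metric on a finite poset.

Added example (not from the paper).  Constructed domain: bot below a and b,
a below a1, b below b1; {a, b} has no upper bound, so a1 and b1 are the
maximal (total) elements.  Every element is compact, so the Scott topology
is the Alexandrov topology of upward-closed sets and co-continuity
(Definition 3.6) holds automatically: a filtered family of finitely many
open sets contains its own intersection."""
from fractions import Fraction
from itertools import combinations, product

ELEMENTS = ["bot", "a", "a1", "b", "b1"]
COVERS = {("bot", "a"), ("bot", "b"), ("a", "a1"), ("b", "b1")}   # Hasse diagram
WEIGHTS = {"bot": Fraction(1, 10), "a": Fraction(1, 5), "a1": Fraction(1, 5),
           "b": Fraction(1, 5), "b1": Fraction(3, 10)}            # w(k) > 0, sum = 1


def below(x, y):
    """x ⊑ y: reflexive-transitive closure of the cover relation."""
    if x == y:
        return True
    return any(below(z, y) for (w, z) in COVERS if w == x)


def mu(s):
    """mu(U) = sum of w(k) over k in U (Subsection 3.1, all elements compact)."""
    return sum((WEIGHTS[k] for k in s), Fraction(0))


def is_upper_set(s):
    return all(y in s for x in s for y in ELEMENTS if below(x, y))


def scott_open_sets():
    """In a finite poset the Scott open sets are exactly the upward-closed sets."""
    return [frozenset(c) for n in range(len(ELEMENTS) + 1)
            for c in combinations(ELEMENTS, n) if is_upper_set(c)]


def check_cc_valuation():
    """Definition 3.1 (monotone, modular, mu(empty)=0), 3.2 (normalized)
    and 3.5 (strict on proper inclusion), over every pair of open sets."""
    opens = scott_open_sets()
    ok = mu(frozenset()) == 0 and mu(frozenset(ELEMENTS)) == 1
    for U, V in product(opens, repeat=2):
        ok &= mu(U) + mu(V) == mu(U & V) + mu(U | V)
        if U <= V:
            ok &= mu(U) <= mu(V)
        if U < V:
            ok &= mu(U) < mu(V)
    return ok


def C(x):
    """C_x = {y | y ⊑ x}, the principal down-set (its complement is open)."""
    return frozenset(y for y in ELEMENTS if below(y, x))


def I(x):
    """I_x = {y | {x, y} is unbounded}; an upward-closed, hence open, set."""
    return frozenset(y for y in ELEMENTS
                     if not any(below(x, z) and below(y, z) for z in ELEMENTS))


def u(x, y):
    """Partial metric of the abstract: mu(A \\ (C_x ∩ C_y)) − mu(I_x ∩ I_y)."""
    A = frozenset(ELEMENTS)
    return mu(A - (C(x) & C(y))) - mu(I(x) & I(y))


def check_partial_metric_axioms():
    """Axioms 1-4 of Subsection 5.1 plus the stronger form of axioms 1-2:
    u(x, x) = u(x, y) exactly when x ⊑ y."""
    ok = True
    for x, y, z in product(ELEMENTS, repeat=3):
        ok &= (x == y) == (u(x, x) == u(x, y) == u(y, y))        # axiom 1
        ok &= u(x, x) <= u(x, y)                                 # axiom 2
        ok &= u(x, y) == u(y, x)                                 # axiom 3
        ok &= u(x, z) <= u(x, y) + u(y, z) - u(y, y)             # axiom 4
        ok &= (u(x, x) == u(x, y)) == below(x, y)                # stronger form
    return ok


def total_elements():
    """Elements with self-distance 0; here exactly the maximal ones."""
    return [x for x in ELEMENTS if u(x, x) == 0]


if __name__ == "__main__":
    print(check_cc_valuation(), check_partial_metric_axioms(), total_elements())
    print(u("a", "a"), u("a", "a1"), u("a1", "a1"), u("a1", "b1"))
```

Two values are worth reading off by hand: $u(a, a) = 1 - \mu(\{\bot, a\}) - \mu(\{b, b_1\}) = 1/5$ and $u(a, a_1)$ is the same number because $a \sqsubseteq a_1$, while $u(a_1, a_1) = 0$ since $a_1$ is maximal, so $u$ separates $a$ from $a_1$ through axiom 1 even though $u(a, a) = u(a, a_1)$. The triangle inequality in axiom 4 holds for any positive weights, not just these, because $(C_x \cap C_y) \cup (C_y \cap C_z) \subseteq C_y$ and modularity give $\mu(C_x \cap C_y) + \mu(C_y \cap C_z) - \mu(C_y) \le \mu(C_x \cap C_z)$, and the same argument applies to the $I$ terms.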
6 Partial and Relaxed Metrics via Information

6.1 $\mu$Info-structures
Some of the earlier known constructions of partial metrics can be understood via the mechanism of common information between elements $x$ and $y$ bringing a negative contribution to $u(x, y)$ (see [3], Section 8). This can be further formalized as follows.

Assume that there is a set $\mathcal{I}$ representing information about elements of a dcpo $A$. We choose a ring, $\mathcal{M}(\mathcal{I})$, of admissible subsets of $\mathcal{I}$ and introduce a measure-like structure, $\mu$, on $\mathcal{M}(\mathcal{I})$. We associate a set, $\mathrm{Info}(x) \in \mathcal{M}(\mathcal{I})$, with every $x \in A$, and call $\mathrm{Info}(x)$ a set of (positive) information about $x$. We also would like to consider negative information about $x$, $\mathrm{Neginfo}(x) \in \mathcal{M}(\mathcal{I})$; intuitively speaking, this is information which cannot become true about $x$ when $x$ is arbitrarily increased.

Definition 6.1. Given a dcpo $A$, the tuple $(A, \mathcal{I}, \mathcal{M}(\mathcal{I}), \mu, \mathrm{Info}, \mathrm{Neginfo})$ is called a $\mu$Info-structure on $A$, if $\mathcal{M}(\mathcal{I}) \subseteq \mathcal{P}(\mathcal{I})$ is a ring of subsets closed with respect to $\cap$, $\cup$, $\setminus$ and including $\emptyset$ and $\mathcal{I}$; $\mu : \mathcal{M}(\mathcal{I}) \to [0, 1]$, $\mathrm{Info} : A \to \mathcal{M}(\mathcal{I})$, and $\mathrm{Neginfo} : A \to \mathcal{M}(\mathcal{I})$, and the following axioms are satisfied:
1. (VALUATION AXIOMS) (a) $\mu(\mathcal{I}) = 1$, $\mu(\emptyset) = 0$; (b) $U \subseteq V \Rightarrow \mu(U) \le \mu(V)$; (c) $\mu(U) + \mu(V) = \mu(U \cap V) + \mu(U \cup V)$;
2. (Info AXIOMS) (a) $x \sqsubseteq y \Leftrightarrow \mathrm{Info}(x) \subseteq \mathrm{Info}(y)$; (b) $x \sqsubset y \Rightarrow \mathrm{Info}(x) \subset \mathrm{Info}(y)$;
3. (Neginfo AXIOMS) (a) $\mathrm{Info}(x) \cap \mathrm{Neginfo}(x) = \emptyset$; (b) $x \sqsubseteq y \Rightarrow \mathrm{Neginfo}(x) \subseteq \mathrm{Neginfo}(y)$;
4. (STRONG RESPECT FOR TOTALITY) $x \in \mathrm{Total}(A) \Rightarrow \mathrm{Info}(x) \cup \mathrm{Neginfo}(x) = \mathcal{I}$;
5. (CONTINUITY OF INDUCED RELAXED METRIC) if $B$ is a directed subset of $A$ and $y \in A$, then
(a) $\mu(\mathrm{Info}(\bigsqcup B) \cap \mathrm{Info}(y)) = \sup_{x \in B} \mu(\mathrm{Info}(x) \cap \mathrm{Info}(y))$;
(b) $\mu(\mathrm{Info}(\bigsqcup B) \cap \mathrm{Neginfo}(y)) = \sup_{x \in B} \mu(\mathrm{Info}(x) \cap \mathrm{Neginfo}(y))$;
(c) $\mu(\mathrm{Neginfo}(\bigsqcup B) \cap \mathrm{Info}(y)) = \sup_{x \in B} \mu(\mathrm{Neginfo}(x) \cap \mathrm{Info}(y))$;
(d) $\mu(\mathrm{Neginfo}(\bigsqcup B) \cap \mathrm{Neginfo}(y)) = \sup_{x \in B} \mu(\mathrm{Neginfo}(x) \cap \mathrm{Neginfo}(y))$;
6. (SCOTT OPEN SETS ARE RELAXED METRIC OPEN) for any (basic) Scott open set $U \subseteq A$ and $x \in U$, there is an $\varepsilon > 0$, such that $\forall y \in A.\ \mu(\mathrm{Info}(x)) - \mu(\mathrm{Info}(x) \cap \mathrm{Info}(y)) < \varepsilon \Rightarrow y \in U$.

In terms of lattice theory, $\mu$ is a (normalized) valuation on the lattice $\mathcal{M}(\mathcal{I})$. The consideration of unbounded measures is beyond the scope of this paper, and $\mu(\mathcal{I}) = 1$ is assumed for convenience. The axioms relating $\sqsubseteq$ and $\mathrm{Info}$ are in the spirit of information systems [17], although we are not considering any inference structure over $\mathcal{I}$ in this paper.
135
The requirements for negative information are relatively weak, because it is quite natural to have Vx E A. Neginfo(x) = 0 if A has a top element. The axiom that for x E Total(A): Info(x) U Neginfo(x) = 2"; is desirable because indeed, if some i E 2" does not belong to Info(x) and x can not be further increased: then by our intuition behind Neginfo(x), i should belong to Neginfo(x). However, this axiom might be too strong and will be further discussed later. The last two axioms are not quite satisfactory - - they almost immediately imply the properties: after which they are named, but they are complicated and might be difficult to establish. We hope, that these axioms will be replaced by something more tractable in the future. One of the obstacles seems to be the fact in some valuable approaches (in particular: in this paper) it is not correct that Xl C x2 U . . . implies that Info(lliENXi) ----UieN Info(xi). The nature of these set-theoretical representations, 2": of domains m a y vary: one can consider sets of tokens of information systems, powersets of domain bases, or powersets of domains themselves, custom-made sets for specific domains, etc. The approach via powersets of domain bases (see 3) can be thought of as a partial case of the approach via powersets of domains themselves adopted in the present paper.
6.2 Partial and Relaxed Metrics via $\mu$Info-structures

Define the (upper estimate of the) distance between $x$ and $y$ from $A$ as $u : A \times A \to \mathbf{R}^-$:

$u(x, y) = 1 - \mu(\mathit{Info}(x) \cap \mathit{Info}(y)) - \mu(\mathit{Neginfo}(x) \cap \mathit{Neginfo}(y)).$

I.e. the more information $x$ and $y$ have in common, the smaller the distance between them. However, a partially defined element might not have much information at all, so its self-distance $u(x, x) = 1 - \mu(\mathit{Info}(x)) - \mu(\mathit{Neginfo}(x))$ might be large. It is possible to find information which will never belong to $\mathit{Info}(x) \cap \mathit{Info}(y)$ or $\mathit{Neginfo}(x) \cap \mathit{Neginfo}(y)$ even when $x$ and $y$ are arbitrarily increased. In particular, $\mathit{Info}(x) \cap \mathit{Neginfo}(y)$ and $\mathit{Info}(y) \cap \mathit{Neginfo}(x)$ represent such information. Then we can introduce the lower estimate of the distance $l : A \times A \to \mathbf{R}^+$:

$l(x, y) = \mu(\mathit{Info}(x) \cap \mathit{Neginfo}(y)) + \mu(\mathit{Info}(y) \cap \mathit{Neginfo}(x)).$

The proof of Lemma 9 of [3] is directly applicable and yields $l(x, y) \le u(x, y)$. Thus we can form an induced relaxed metric $\rho : A \times A \to \mathbf{R}^I$, $\rho = (l, u)$, with a meaningful lower bound. The following theorem is proved in [4] without using the strong respect for totality axiom.

Theorem 6.1 Function $u$ is a partial metric. Function $\rho$ is a continuous relaxed metric. The relaxed metric topology coincides with the Scott topology.

Due to the axiom $\forall x \in \mathit{Total}(A).\ \mathit{Info}(x) \cup \mathit{Neginfo}(x) = I$, the proof of Lemma 10 of [3] goes through, yielding $x, y \in \mathit{Total}(A) \Rightarrow l(x, y) = u(x, y)$ and allowing us to obtain the following theorem (cf. Theorem 8 of [3]).

Theorem 6.2 For all $x$ and $y$ from $\mathit{Total}(A)$, $l(x, y) = u(x, y)$. Consider $d : \mathit{Total}(A) \times \mathit{Total}(A) \to \mathbf{R}$, $d(x, y) = l(x, y) = u(x, y)$. Then $(\mathit{Total}(A), d)$ is a metric space, and its metric topology is the subspace topology induced by the Scott topology on $A$.

However, in [3] $x \in \mathit{Total}(A) \Rightarrow \mathit{Info}(x) \cup \mathit{Neginfo}(x) = I$ holds under an awkward condition, the regularity of the basis. While bases of algebraic Scott domains and of continuous lattices can be made regular, there are important continuous Scott domains which cannot be given regular bases. In particular, in $\mathbf{R}^I$ no element except $\bot$ satisfies the condition of regularity, hence a regular basis cannot be provided for $\mathbf{R}^I$. The achievement of the construction to be described in Section 6.4 is that, by removing the reliance on the weights of non-compact basic elements, it eliminates the regularity requirement and implies $x \in \mathit{Total}(A) \Rightarrow \mathit{Info}(x) \cup \mathit{Neginfo}(x) = I$ for all continuous Scott domains equipped with a CC-valuation (which is built above for all continuous Scott domains with countable bases), where $\mathit{Info}(x)$ and $\mathit{Neginfo}(x)$ are as described below in Subsection 6.4. However, it still might be fruitful to consider replacing the axiom $\forall x \in \mathit{Total}(A).\ \mathit{Info}(x) \cup \mathit{Neginfo}(x) = I$ by something like $\forall x \in \mathit{Total}(A).\ \mu(I \setminus (\mathit{Info}(x) \cup \mathit{Neginfo}(x))) = 0$.

6.3 A Previously Known Construction
Here we recall a construction from [3] based on the generally non-co-continuous valuation of Subsection 3.1. We will reformulate it in our terms of $\mu$Info-structures. In [3] it was natural to think that $I = K$. Here we reformulate that construction in terms of $I = A$, thus abandoning the condition $x \in \mathit{Total}(A) \Rightarrow \mathit{Info}(x) \cup \mathit{Neginfo}(x) = I$ altogether. Define $I_x = \{y \in A \mid \{x, y\} \text{ is unbounded}\}$, $P_x = \{y \in A \mid y \ll x\}$ (cf. $I_x = \{k \in K \mid \{k, x\} \text{ is unbounded}\}$, $P_x = \{k \in K \mid k \ll x\}$ in [3]). Define $\mathit{Info}(x) = P_x$, $\mathit{Neginfo}(x) = I_x$. Consider the valuation $\mu$ of Subsection 3.1: for any $S \subseteq I = A$, $\mu(S) = \sum_{k \in S \cap K} w(k)$. $\mu$ is a continuous strongly non-degenerate valuation, but it is not co-continuous unless $K$ consists only of compact elements. Because of this we cannot replace the inconvenient definition $\mathit{Info}(x) = P_x$ by $\mathit{Info}(x) = C_x = \{y \in A \mid y \sqsubseteq x\}$ (which would restore the condition $x \in \mathit{Total}(A) \Rightarrow \mathit{Info}(x) \cup \mathit{Neginfo}(x) = A$), as $\mu(C_k)$ would not be equal to $\sup_{k' \ll k} \ldots$

Also the reliance on countable systems of finite weights excludes such natural partial metrics as the metric $u : R_{[0,1]} \times R_{[0,1]} \to \mathbf{R}^-$, where $R_{[0,1]}$ is the set $[0, 1]$ equipped with the dual partial order $\sqsubseteq\ =\ \ge$, and $u(x, y) = \max(x, y)$. We rectify all these problems in the next Subsection.

6.4 Partial and Relaxed Metrics via CC-valuations

Assume that there is a CC-valuation $\mu(U)$ on the Scott open sets of a domain $A$. Then it uniquely extends to an additive measure $\mu$ on the ring of sets generated by the system of open sets. Define $I = A$, $\mathit{Info}(x) = C_x$, $\mathit{Neginfo}(x) = I_x$. It is easy to see that the valuation, Info, and Neginfo axioms of a $\mu$Info-structure hold. We have $x \in \mathit{Total}(A) \Rightarrow C_x \cup I_x = A$. Thus we only need to establish the axioms of continuity of induced relaxed metrics and Scott open sets are relaxed metric open in order to prove Theorems 6.1 and 6.2 for our induced relaxed metric ($u(x, y) = 1 - \mu(C_x \cap C_y) - \mu(I_x \cap I_y)$, $l(x, y) = \mu(C_x \cap I_y) + \mu(C_y \cap I_x)$). These axioms are established by the Lemmas below. You will also see that for such bare-bones partial metrics as $u(x, y) = 1 - \mu(C_x \cap C_y)$, which are nevertheless quite sufficient for topological purposes and for domains with $\top$, only co-continuity matters; continuity is not important. Observe also that since the construction in Section 3.1 does form a CC-valuation for algebraic Scott domains with bases of compact elements, the construction in [3] can be considered as a partial case of our current construction if the basis does not contain non-compact elements.

Lemma 6.1 Assume that $\mu$ is a co-continuous valuation and $B$ is a directed subset of $A$. Then $\mu(C_{\bigsqcup B} \cap Q) = \sup_{x \in B} \mu(C_x \cap Q)$, where $Q$ is a closed or open subset of $A$.

Remark: Note that continuity of $\mu$ is not required here.

Lemma 6.2 Assume that $\mu$ is a continuous valuation and $B$ is a directed subset of $A$. Then $\mu(I_{\bigsqcup B} \cap Q) = \sup_{x \in B} \mu(I_x \cap Q)$, where $Q$ is an open or closed subset of $A$.

Remark: Co-continuity is not needed here.

Lemma 6.3 Assume that $\mu$ is a strongly non-degenerate valuation. Then the $\mu$Info-structure axiom Scott open sets are relaxed metric open holds.

Remark: Neither continuity nor co-continuity is required, and even the strong non-degeneracy condition can probably be made weaker (see the next Section).
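As an added illustration (not from the paper), the construction of Subsection 6.4 computed by brute force on a constructed finite domain: partial bit strings of length at most 2 under the prefix order, with the empty string as $\bot$. On a finite domain every element is compact, so the weight-sum valuation of Subsection 3.1 is a CC-valuation and $\mathit{Info}(x) = C_x$, $\mathit{Neginfo}(x) = I_x$ apply directly; the uniform weights are an assumption made here. The script checks that $u$ satisfies the partial metric axioms (with the triangle inequality in the form $u(x, z) \le u(x, y) + u(y, z) - u(y, y)$), that $l \le u$ everywhere, and that strong respect for totality makes $l = u$ on $\mathit{Total}(A)$:

```python
from fractions import Fraction
from itertools import product

# Constructed finite domain A (added example, not from the paper): partial bit
# strings of length at most 2 under the prefix order; '' is bottom. Every element
# is compact, so a positive weight per element gives the valuation of
# Subsection 3.1, mu(S) = sum of w(k) for k in S. Uniform weights are assumed
# here so that mu(A) = 1.
A = ['', '0', '1', '00', '01', '10', '11']
w = {k: Fraction(1, len(A)) for k in A}

def below(x, y):
    """x ⊑ y: x is a prefix of y."""
    return y.startswith(x)

def bounded(x, y):
    """{x, y} has an upper bound iff one of them is a prefix of the other."""
    return below(x, y) or below(y, x)

def mu(S):
    return sum((w[k] for k in S), Fraction(0))

def C(x):
    """Info(x) = C_x = {y | y ⊑ x}."""
    return {y for y in A if below(y, x)}

def I(x):
    """Neginfo(x) = I_x = {y | {x, y} is unbounded}."""
    return {y for y in A if not bounded(x, y)}

def total():
    """Total(A): the maximal elements."""
    return [x for x in A if not any(below(x, y) and y != x for y in A)]

def u(x, y):
    """Upper estimate u(x,y) = 1 - mu(C_x ∩ C_y) - mu(I_x ∩ I_y): the partial metric."""
    return 1 - mu(C(x) & C(y)) - mu(I(x) & I(y))

def l(x, y):
    """Lower estimate l(x,y) = mu(C_x ∩ I_y) + mu(C_y ∩ I_x)."""
    return mu(C(x) & I(y)) + mu(C(y) & I(x))

def is_partial_metric():
    """Brute-force check of the partial metric axioms for u on A."""
    for x, y in product(A, repeat=2):
        if u(x, y) != u(y, x):                        # symmetry
            return False
        if u(x, x) > u(x, y):                         # small self-distances
            return False
        if x != y and u(x, x) == u(x, y) == u(y, y):  # indistinguishability
            return False
    for x, y, z in product(A, repeat=3):              # triangle inequality
        if u(x, z) > u(x, y) + u(y, z) - u(y, y):
            return False
    return True

def lower_bound_holds():
    """l(x, y) <= u(x, y) for all x, y (Lemma 9 of [3])."""
    return all(l(x, y) <= u(x, y) for x, y in product(A, repeat=2))

def totality_collapses_interval():
    """Strong respect for totality (C_x ∪ I_x = A on Total(A)) forces l = u there."""
    T = total()
    return (all(C(x) | I(x) == set(A) for x in T)
            and all(l(x, y) == u(x, y) for x, y in product(T, repeat=2)))

if __name__ == "__main__":
    print("u(00,01) =", u('00', '01'), "  u(00,11) =", u('00', '11'))
    print("self-distances:", {x: str(u(x, x)) for x in A})
    print(is_partial_metric(), lower_bound_holds(), totality_collapses_interval())
```

The self-distance of $\bot$ is $6/7$ and that of every total element is $0$, which is the "partially defined elements have large self-distance" behaviour described in Subsection 6.2; exact rational arithmetic is used so that the equalities on total elements are checked without rounding.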
7 Examples and Non-degeneracy Issues

In this section we show some examples of "nice" partial metrics, based on valuations for vertical and interval domains of real numbers. Some of these valuations are strongly non-degenerate, while others are not, yet all examples are quite natural.

Consider the example from Subsection 3.2. The partial metric based on the strongly non-degenerate valuation $\mu'$ of that example would be $u'(x, y) = (1 - \min(x, y))/(1 + \epsilon)$ if $x, y > 0$, and $u'(x, y) = 1$ if $x$ or $y$ equals $0$. However, another nice valuation, $\mu''$, can be defined on the basis of $\mu$ of Subsection 3.2: $\mu''((x, 1]) = \mu((x, 1]) = 1 - x$, $\mu''([0, 1]) = 1$. $\mu''$ is not strongly non-degenerate; however, it yields the nice partial metric $u''(x, y) = 1 - \min(x, y)$, yielding the Scott topology.

Now we consider several valuations and distances on the domain of interval numbers located within the segment $[0, 1]$. This domain can be thought of as a triangle of pairs $\langle x, y \rangle$, $0 \le x \le y \le 1$. Various valuations can either be concentrated on $0 < x < y < 1$, or on $x = 0,\ 0 \le y \le 1$ and $y = 1,\ 0 \le x \le 1$, or, to ensure non-degeneracy, on both of these areas with an extra weight at $\langle 0, 1 \rangle$. Among all these measures, the classical partial metric $u(\langle x, y \rangle, \langle x', y' \rangle) = \max(y, y') - \min(x, x')$ results from the valuation accumulated at $x = 0,\ 0 \le y \le 1$ and $y = 1,\ 0 \le x \le 1$, namely $\mu(U) = (\mathrm{Length}(\{x = 0,\ 0 \le y \le 1\} \cap U) + \mathrm{Length}(\{y = 1,\ 0 \le x \le 1\} \cap U))/2$. Partial metrics generated by strongly non-degenerate valuations contain quadratic expressions. It is our current feeling that, instead of trying to formalize weaker non-degeneracy conditions, it is fruitful to build a $\mu$Info-structure based on $I = [0, 1] + [0, 1]$ in situations like this.
8 Conclusion

We introduced the notions of co-continuous valuations and CC-valuations, and built CC-valuations for all continuous dcpo's with countable bases. Given such a valuation, we presented a new construction of partial and relaxed metrics for all continuous Scott domains, improving a construction known before. The key open problem is to learn to construct not just topologically correct, but canonical measures and relaxed metrics for higher-order functional domains and reflexive domains, and also to learn how to compute these measures and metrics quickly.

Acknowledgements. The authors benefited from discussions with Michael Alekhnovich, Reinhold Heckmann, Klaus Keimel, Harry Mairson, Simon O'Neill, Joshua Scott and from the detailed remarks made by the referees. They thank Gordon Plotkin for helpful references. They are especially thankful to Abbas Edalat for his suggestion to think about continuous valuations instead of measures in this context, and to Alexander Artemyev for his help in organizing this joint research effort.
References
1. Aleksandrov P.S. Combinatory Topology, vol. 1, Graylock Press, Rochester, NY, 1956, p. 28.
2. Alvarez M., Edalat A., Saheb-Djahromi N. An extension result for continuous valuations, 1997, available via URL http://theory.doc.ic.ac.uk/people/Edalat/extensionofvaluations.ps.Z
3. Bukatin M.A., Scott J.S. Towards computing distances between programs via Scott domains. In S. Adian, A. Nerode, eds., Logical Foundations of Computer Science, Lecture Notes in Computer Science, 1234, 33-43, Springer, 1997.
4. Bukatin M.A., Shorina S.Yu. Partial Metrics and Co-continuous Valuations (Extended Version), Unpublished notes, 1997, available via one of the URLs http://www.cs.brandeis.edu/~bukatin/coral_draft.{dvi,ps.gz}
5. Edalat A. Domain theory and integration. Theoretical Computer Science, 151 (1995), 163-193.
6. Flagg R. Constructing CC-Valuations, Unpublished notes, 1997. Available via URL http://macweb.acs.usm.maine.edu/math/archive/flagg/biCts.ps
7. Flagg R., Kopperman R. Continuity spaces: Reconciling domains and metric spaces. Theoretical Computer Science, 177 (1997), 111-138.
8. Gierz G., Hofmann K., Keimel K., Lawson J., Mislove M., Scott D. A Compendium of Continuous Lattices, Springer, 1980.
9. Heckmann R. Approximation of metric spaces by partial metric spaces. To appear in Applied Categorical Structures, 1997.
10. Hoofman R. Continuous information systems. Information and Computation, 105 (1993), 42-71.
11. Jones C. Probabilistic Non-determinism, PhD Thesis, University of Edinburgh, 1989. Available via URL http://www.dcs.ed.ac.uk/lfcsreps/EXPORT/90/ECS-LFCS-90-105/index.html
12. Keimel K. Bi-continuous Valuations, to appear in the Proceedings of the Third Workshop on Computation and Approximation, University of Birmingham, Sept. 1997. Available via URL http://theory.doc.ic.ac.uk/forum/comprox/data/talk.3.1.6.ps.gz
13. Matthews S.G. An extensional treatment of lazy data flow deadlock. Theoretical Computer Science, 151 (1995), 195-205.
14. Matthews S.G. Partial metric topology. In S. Andima et al., eds., Proc. 8th Summer Conference on General Topology and Applications, Annals of the New York Academy of Sciences, 728, 183-197, New York, 1994.
15. O'Neill S.J. Partial metrics, valuations and domain theory. In S. Andima et al., eds., Proc. 11th Summer Conference on General Topology and Applications, Annals of the New York Academy of Sciences, 806, 304-315, New York, 1997.
16. Pettis B.J. On the extension of measures. Annals of Mathematics, 54 (1951), 186-197.
17. Scott D.S. Domains for denotational semantics. In M. Nielsen, E. M. Schmidt, eds., Automata, Languages, and Programming, Lecture Notes in Computer Science, 140, 577-613, Springer, 1982.
18. Tix R. Stetige Bewertungen auf topologischen Räumen (Continuous Valuations on Topological Spaces, in German), Diploma Thesis, Darmstadt Institute of Technology, 1995. Available via URL http://www.mathematik.th-darmstadt.de/ags/ag14/papers/papers.html
Mobile Ambients Luca Cardelli*
Andrew D. Gordon*
Digital Equipment Corporation Systems Research Center
University of Cambridge Computer Laboratory
Abstract
We introduce a calculus describing the movement of processes and devices, including movement through administrative domains.
1 Introduction

There are two distinct areas of work in mobility: mobile computing, concerning computation that is carried out in mobile devices (laptops, personal digital assistants, etc.), and mobile computation, concerning mobile code that moves between devices (applets, agents, etc.). We aim to describe all these aspects of mobility within a single framework that encompasses mobile agents, the ambients where agents interact and the mobility of the ambients themselves. The inspiration for this work comes from the potential for mobile computation over the World-Wide Web. The geographic distribution of the Web naturally calls for mobility of computation, as a way of flexibly managing latency and bandwidth. Because of recent advances in networking and language technology, the basic tenets of mobile computation are now technologically realizable. The high-level software architecture potential, however, is still largely unexplored. The main difficulty with mobile computation on the Web is not in mobility per se, but in the handling of administrative domains. In the early days of the Internet one could rely on a flat name space given by IP addresses; knowing the IP address of a computer would very likely allow one to talk to that computer in some way. This is no longer the case: firewalls partition the Internet into administrative domains that are isolated from each other except for rigidly controlled pathways. System administrators enforce policies about what can move through firewalls and how. Mobility requires more than the traditional notion of authorization to run or to access information in certain domains: it involves the authorization to enter or exit certain domains. In particular, as far as mobile computation is concerned, it is not realistic to imagine that an agent can migrate from any point A to any point B on the Internet.
Rather, an agent must first exit its administrative domain (obtaining permission to do so), enter someone else's administrative domain (again, obtaining permission to do so) and then enter a protected area of some machine where it is allowed to run (after obtaining permission to do so). Access to information is controlled at many levels, thus multiple levels of authorization may be involved. Among these levels we have: local computer, local area network, regional area network, wide-area intranet and internet. Mobile programs must be equipped to navigate this hierarchy of administrative domains, at every step obtaining authorization to move further. Similarly, laptops must be equipped to access resources depending on their location in the administrative hierarchy. Therefore, at the most fundamental level we need to capture notions of locations, of mobility and of authorization to move. With these motivations, we adopt a paradigm of mobility where computational ambients are hierarchically structured, where agents are confined to ambients and where ambients move under the control of agents. A novelty of this approach is in allowing the movement of self-contained nested environments that include data and live computation, as opposed to the more common techniques that move single agents or individual objects. Our goal is to make mobile computation scale up to widely distributed, intermittently connected and well administered computational environments. This paper is organized as follows. In the rest of Section 1 we introduce our basic concepts and we compare them to previous and current work. In Section 2 we describe a calculus based exclusively on mobility primitives, and we use it to represent basic notions such as numerals and Turing machines, and to code a firewall-crossing protocol. In Section 3 we extend our calculus with local communication, and we show how we can represent more general communication mechanisms as well as the π-calculus.

* Current affiliation: Microsoft Research.
1.1 Ambients Ambients have the following main characteristics. An ambient is a bounded place where computation happens. The interesting property here is the existence of a boundary around an ambient. If we want to move computations easily we must be able to determine what should move; a boundary determines what is inside and what is outside an ambient. Examples of ambients, in this sense, are: a web page (bounded by a file), a virtual address space (bounded by an addressing range), a Unix file system (bounded within a physical volume), a single data object (bounded by "self") and a laptop (bounded by its case and data ports). Non-examples are: threads (where the boundary of what is "reachable" is difficult to determine) and logically related collections of objects. We can already see that a boundary implies some flexible addressing scheme that can denote entities across the boundary; examples are symbolic links, Uniform Resource Locators and Remote Procedure Call proxies. Flexible addressing is what enables, or at least facilitates, mobility. It is also, of course, a cause of problems when the addressing links are "broken". An ambient can be nested within other ambients. As we discussed, administrative domains are (often) organized hierarchically. If we want to move a running application from work to home, the application must be removed from an enclosing (work) ambient and inserted into another enclosing (home) ambient. A laptop may need a removal pass to leave a workplace, and a government pass to leave or enter a country. An ambient can be moved as a whole. If we move a laptop to a different network, all the address spaces and file systems within it move accordingly. If we move an agent from one computer to another, its local data moves accordingly. Each ambient has a name that is used to control access to the ambient. A name is something that can be created and passed around, and from which access capabilities can be extracted.
In a realistic situation the true name of an ambient would be guarded very closely, and only specific capabilities would be handed out.
1.2 Technical Context: Systems Many software systems have explored and are exploring notions of mobility. Obliq [5] attacks the problems of distribution and mobility for intranet computing. Obliq works well for its intended application, but is not really suitable for computation and mobility over the Web (like other distributed paradigms based on the remote procedure call model) because of the fragility of network proxies over the Web. Our ambient model is partially inspired by Telescript [16], but is almost dual to it. In Telescript, agents move whereas places stay put. Ambients, instead, move whereas agents are confined to ambients. A Telescript agent, however, is itself a little ambient, since it contains a "suitcase" of data. Some nesting of places is allowed in Telescript. Java [11] provides a working framework for mobile computation, as well as a widely available infrastructure on which to base more ambitious mobility efforts. Linda [6] is a "coordination language" where multiple processes interact in a common space (called a tuple space) by exchanging tokens asynchronously. Distributed versions of Linda exist that use multiple tuple spaces and allow remote operations. A dialect of Linda [7] allows nested tuple spaces, but not mobility of the tuple spaces.
1.3 Technical Context: Formalisms Many existing calculi have provided inspiration for our work. The π-calculus [15] is a process calculus where channels can "move" along other channels. The movement of processes is represented as the movement of channels that refer to processes. Therefore, there is no clear indication that processes themselves move. For example, if a channel crosses a firewall (that is, if it is communicated to a process meant to represent a firewall), there is no clear sense in which the process has also crossed the firewall. In fact, the channel may cross several independent firewalls, but a process could not be in all those places at once. Nonetheless, many fundamental π-calculus concepts and techniques underlie our work. The spi calculus [1] extends the π-calculus with cryptographic primitives. The need for such extensions does not seem to arise immediately within our ambient calculus. Some of the motivations for the spi calculus extension are already covered by the notion of encapsulation within an ambient. However, we do not know yet how extensively we can use our ambient primitives for cryptographic purposes. The Chemical Abstract Machine [3] is a semantic framework, rather than a specific formalism. Its basic notions of reaction in a solution and of membranes that isolate subsolutions closely resemble ambient notions. However, membranes are not meant to provide strong protection, and there is no concern for mobility of subsolutions. Still, we adopt a "chemical style" in presenting our calculus. The join-calculus [9] is a reformulation of the π-calculus with a more explicit notion of places of interaction; this greatly helps in building distributed implementations of channel mechanisms. The distributed join-calculus [10] adds a notion of named locations, with essentially the same aims as ours, and a notion of distributed failure. Locations in the distributed join-calculus form a tree, and subtrees can migrate from one part of the tree to another.
A main difference with our ambients is that movement may happen directly from any active location to any other known location. LLinda [8] is a formalization of Linda using process calculi techniques. As in distributed versions of Linda, LLinda has multiple distributed tuple spaces. Multiple tuple spaces are very similar in spirit to multiple ambients, but Linda's tuple spaces do not nest, and there are no restrictions about accessing a tuple space from another one. Finally, a growing body of literature is concentrating on the idea of adding discrete locations to a process calculus and considering failure of those locations [2, 10]. Our notion of locality is built into our basic calculus. It is induced by a non-trivial and dynamic topology of locations, in the sense that a location that is "far" from the current one can only be reached through multiple individual moves. Failure of a location can be represented as becoming forever unreachable.
2 Mobility We begin by describing a minimal calculus of ambients that includes only mobility primitives. Still, we shall see that this calculus is quite expressive. In Section 3 we then add communication primitives.
2.1 Mobility Primitives The syntax of the calculus is defined in the following table. The main syntactic categories are processes (including ambients and agents that execute actions) and capabilities.

Mobility Primitives

$P, Q ::=$          processes
  $(\nu n)P$         restriction
  $0$                inactivity
  $P \mid Q$         composition
  $!P$               replication
  $n[P]$             ambient
  $M.P$              action

$M ::=$             capabilities
  $\mathit{in}\ n$     can enter $n$
  $\mathit{out}\ n$    can exit $n$
  $\mathit{open}\ n$   can open $n$

$n$                 names

Syntactic conventions

$(\nu n)P \mid Q = ((\nu n)P) \mid Q$
$!P \mid Q = (!P) \mid Q$
$M.P \mid Q = (M.P) \mid Q$
$(\nu n_1 \ldots n_m)P \triangleq (\nu n_1) \ldots (\nu n_m)P$
$n[\,] \triangleq n[0]$
$M \triangleq M.0$ (where appropriate)
The first four process primitives (restriction, inactivity, composition and replication) have the same meaning as in the π-calculus (see Section 2.3), namely: restriction is used to introduce new names and limit their scope; $0$ has no behavior; $P \mid Q$ is the parallel composition of $P$ and $Q$; and $!P$ is an unbounded number of parallel replicas of $P$. The main difference with respect to the π-calculus is that names are used to name ambients instead of channels. To these standard primitives we add ambients, $n[P]$, and the exercise of capabilities, $M.P$. Next we discuss these new primitives in detail.
2.2 Explanations We begin by introducing the semantics of ambients informally. A reduction relation $P \rightarrow Q$ describes the evolution of a process $P$ into a new process $Q$.

Ambients

An ambient is written $n[P]$, where $n$ is the name of the ambient, and $P$ is the process running inside the ambient. In $n[P]$, it is understood that $P$ is actively running, and that $P$ can be the parallel composition of several processes. We emphasize that $P$ is running even when the surrounding ambient is moving. Running while moving may or may not be realistic, depending on the nature of the ambient and of the communication medium through which the ambient moves, but it is consistent to think in those terms. We express the fact that $P$ is running by a rule that says that any reduction of $P$ becomes a reduction of $n[P]$:

$P \rightarrow Q \;\Rightarrow\; n[P] \rightarrow n[Q]$

In general, an ambient exhibits a tree structure induced by the nesting of ambient brackets. Each node of this tree structure may contain a collection of (non-ambient) processes running in parallel, in addition to subambients. We say that these processes are running in the ambient, in contrast to the ones running in subambients. Nothing prevents the existence of two or more ambients with the same name, either nested or at the same level. Once a name is created, it can be used to name multiple ambients. Moreover, $!n[P]$ generates multiple ambients with the same name. This way, for example, one can easily model the replication of services.

Actions and Capabilities
Operations that change the hierarchical structure of ambients are sensitive. In particular such operations can be interpreted as the crossing of firewalls or the decoding of ciphertexts. Hence these operations are restricted by capabilities. Thanks to capabilities, an ambient can allow other ambients to perform certain operations without having to reveal its true name. With the communication primitives of Section 3, capabilities can be transmitted as values. The process $M.P$ executes an action regulated by the capability $M$, and then continues as the process $P$. The process $P$ does not start running until the action is executed. The reduction rules for $M.P$ depend on the capability $M$, and are described below case by case. We consider three kinds of capabilities: one for entering an ambient, one for exiting an ambient and one for opening up an ambient. Capabilities are obtained from names; given a name $n$, the capability $\mathit{in}\ n$ allows entry into $n$, the capability $\mathit{out}\ n$ allows exit out of $n$ and the capability $\mathit{open}\ n$ allows the opening of $n$. Implicitly, the possession of one or all of these capabilities for $n$ is insufficient to reconstruct the original name $n$.

An entry capability, $\mathit{in}\ m$, can be used in the action $\mathit{in}\ m.\,P$, which instructs the ambient surrounding $\mathit{in}\ m.\,P$ to enter a sibling ambient named $m$. If no sibling $m$ can be found, the operation blocks until a time when such a sibling exists. If more than one $m$ sibling exists, any one of them can be chosen. The reduction rule is:

$n[\mathit{in}\ m.\,P \mid Q] \mid m[R] \;\rightarrow\; m[\,n[P \mid Q] \mid R\,]$

If successful, this reduction transforms a sibling $n$ of an ambient $m$ into a child of $m$. After the execution, the process $\mathit{in}\ m.\,P$ continues with $P$, and both $P$ and $Q$ find themselves at a lower level in the tree of ambients.
An exit capability, $\mathit{out}\ m$, can be used in the action $\mathit{out}\ m.\,P$, which instructs the ambient surrounding $\mathit{out}\ m.\,P$ to exit its parent ambient named $m$. If the parent is not named $m$, the operation blocks until a time when such a parent exists. The reduction rule is:

$m[\,n[\mathit{out}\ m.\,P \mid Q] \mid R\,] \;\rightarrow\; n[P \mid Q] \mid m[R]$

If successful, this reduction transforms a child $n$ of an ambient $m$ into a sibling of $m$. After the execution, the process $\mathit{out}\ m.\,P$ continues with $P$, and both $P$ and $Q$ find themselves at a higher level in the tree of ambients.

An opening capability, $\mathit{open}\ n$, can be used in the action $\mathit{open}\ n.\,P$. This action provides a way of dissolving the boundary of an ambient named $n$ located at the same level as $\mathit{open}$, according to the rule:

$\mathit{open}\ n.\,P \mid n[Q] \;\rightarrow\; P \mid Q$

If no ambient $n$ can be found, the operation blocks until a time when such an ambient exists. If more than one ambient $n$ exists, any one of them can be chosen. An open operation may be upsetting to both $P$ and $Q$ above. From the point of view of $P$, there is no telling in general what $Q$ might do when unleashed. From the point of view of $Q$, its environment is being ripped open. Still, this operation is relatively well-behaved because: (1) the dissolution is initiated by the agent $\mathit{open}\ n.\,P$, so that the appearance of $Q$ at the same level as $P$ is not totally unexpected; (2) $\mathit{open}\ n$ is a capability that is given out by $n$, so $n[Q]$ cannot be dissolved if it does not wish to be.
Movement from the Inside or the Outside: Subjective vs. Objective There are two natural kinds of movement primitives for ambients. The distinction is between "I make you move" from the outside (objective move) or "I move" from the inside (subjective move). Subjective moves have been described above. Objective moves (indicated by an $\mathit{mv}$ prefix) obey the rules:

$\mathit{mv\ in}\ m.\,P \mid m[R] \;\rightarrow\; m[P \mid R]$
$m[\mathit{mv\ out}\ m.\,P \mid R] \;\rightarrow\; P \mid m[R]$

These two kinds of move operations are not trivially interdefinable. The objective moves have simpler rules. However, they operate only on ambients that are not active; they provide no way of moving an existing running ambient. The subjective moves, in contrast, cause active ambients to move and, together with $\mathit{open}$, can approximate the effect of objective moves (as we discuss later). In evaluating these alternative operations, one should consider who has the authority to move whom. In general, the authority to move rests in the top-level agents of an ambient, which naturally act as control agents. Control agents cannot be injected purely by subjective moves, since these moves handle whole ambients. With objective moves, instead, a control agent can be injected into an ambient simply by possessing an entry capability for it. As a consequence, objective moves and entry capabilities together provide the unexpected power of entrapping an ambient into a location it can never exit:

$\mathit{entrap}\ m \triangleq (\nu k)\,(k[\,] \mid \mathit{mv\ in}\ m.\,\mathit{in}\ k.\,0)$
$\mathit{entrap}\ m \mid m[P] \;\rightarrow^{*}\; (\nu k)\,k[m[P]]$
The open capability confers the right to dissolve an ambient from the outside and reveal its contents. It is interesting to consider an operation that dissolves an ambient from the inside, called $\mathit{acid}$:

$m[\mathit{acid}.\,P \mid Q] \;\rightarrow\; P \mid Q$

Acid gives a simple encoding of objective moves:

$\mathit{mv\ in}\ n.\,P \triangleq (\nu q)\,q[\mathit{in}\ n.\,\mathit{acid}.\,P]$
$\mathit{mv\ out}\ n.\,P \triangleq (\nu q)\,q[\mathit{out}\ n.\,\mathit{acid}.\,P]$

Therefore, $\mathit{acid}$ is as dangerous as objective moves, providing the power to entrap ambients. We shall see that $\mathit{open}$ can be used to define a capability-restricted version of $\mathit{acid}$ that does not lead to entrapment.
2.3 Operational Semantics We now give an operational semantics of the calculus of Section 2.1, based on a structural congruence between processes, $\equiv$, and a reduction relation $\rightarrow$. This is a semantics in the style of Milner's reaction relation [14] for the π-calculus, which was itself inspired by the Chemical Abstract Machine of Berry and Boudol [3].
Structural Congruence
P ≡ P
P ≡ Q ⇒ Q ≡ P
P ≡ Q, Q ≡ R ⇒ P ≡ R
P ≡ Q ⇒ (νn)P ≡ (νn)Q
P ≡ Q ⇒ P | R ≡ Q | R
P ≡ Q ⇒ !P ≡ !Q
P ≡ Q ⇒ n[P] ≡ n[Q]
P ≡ Q ⇒ M.P ≡ M.Q
P | Q ≡ Q | P
(P | Q) | R ≡ P | (Q | R)
!P ≡ P | !P
(νn)(νm)P ≡ (νm)(νn)P
(νn)(P | Q) ≡ P | (νn)Q    if n ∉ fn(P)
(νn)(m[P]) ≡ m[(νn)P]      if n ≠ m
P | 0 ≡ P
(νn)0 ≡ 0
!0 ≡ 0
Processes of the calculus are grouped into equivalence classes by the relation ≡, which denotes structural congruence (that is, equivalence up to trivial syntactic restructuring). In addition, we identify processes up to renaming of bound names: (νn)P = (νm)P{n←m} if m ∉ fn(P). By this we mean that these processes are understood to be identical (for example, by choosing an appropriate representation), as opposed to structurally equivalent. Note that the following terms are in general distinct:
!(νn)P ≠ (νn)!P            (replication creates new names)
n[P] | n[Q] ≠ n[P | Q]     (multiple n ambients have separate identity)
The behavior of processes is given by the following reduction relations. The first three rules are the one-step reductions for in, out and open. The next three rules propagate reductions across scopes, ambient nesting and parallel composition. The final rule allows the use of equivalence during reduction. Finally, →* is the reflexive and transitive closure of →.
Reduction
n[in m. P | Q] | m[R] → m[n[P | Q] | R]
m[n[out m. P | Q] | R] → n[P | Q] | m[R]
open n. P | n[Q] → P | Q
P → Q ⇒ (νn)P → (νn)Q
P → Q ⇒ n[P] → n[Q]
P → Q ⇒ P | R → Q | R
P' ≡ P, P → Q, Q ≡ Q' ⇒ P' → Q'
2.4 Example: Locks
We can use open to encode locks that are released and acquired:
acquire n. P ≜ open n. P
release n. P ≜ n[] | P
This way, two agents can "shake hands" before proceeding with their execution:
acquire n. release m. P | release n. acquire m. Q
2.5 Example: Firewall Access
In this example, an agent crosses a firewall by means of previously arranged passwords k, k', and k''. The agent exhibits the password k' by using a wrapper ambient that has k' as its name. The firewall, which has a secret name w, sends out a pilot ambient, k[out w. in k'. in w], to guide the agent inside. The pilot ambient enters an agent by performing in k' (therefore verifying that the agent knows the password), and is given control by being opened. Then, in w transports the agent inside the firewall, where the password wrapper is discarded. The third name, k'', is needed to confine the contents Q of the agent and to prevent Q from interfering with the protocol. The final effect is that the agent physically crosses into the firewall; this can be seen below by the fact that Q is finally placed inside w. (For simplicity, this example is written to allow a single agent to enter.) Assume (fn(P) ∪ fn(Q)) ∩ {k, k', k''} = ∅ and w ∉ fn(Q):
Firewall ≜ (νw) w[k[out w. in k'. in w] | open k'. open k''. P]
Agent ≜ k'[open k. k''[Q]]
There is no guarantee here that any particular agent will make it inside the firewall. Rather, the intended guarantee is that if any agent crosses the firewall, it must be one that knows the passwords. To express the security property of the firewall we introduce a notion of contextual equivalence, ≃. Let a context C be a process containing zero or more holes, and for any process P, let C[P] be the process obtained by filling each hole in C with a copy of P (names free in P may become bound). Then define:
P↓n ≜ P ≡ (νm1...mi)(n[P'] | P'')    where n ∉ {m1...mi}
P⇓n ≜ P →* Q and Q↓n
P ≃ Q ≜ for all n and C, C[P]⇓n ⇔ C[Q]⇓n
If (fn(P) ∪ fn(Q)) ∩ {k, k', k''} = ∅ and w ∉ fn(Q), then we can show that the interaction of the agent with the firewall produces the desired result up to contextual equivalence.
(νk k' k'') (Agent | Firewall) ≃ (νw) w[Q | P]
Since contextual equivalence takes into account all possible contexts, the equation above states that the firewall crossing protocol works correctly in the presence of any possible attacker (that does not know the passwords) that may try to disrupt it.
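To watch the reduction rules of section 2.3 drive the firewall protocol, here is a small interpreter for the pure mobility fragment (in, out, open). It is an added example, not code from the paper; the Python names (Amb, Act, Stub, reduce_once, firewall, agent, impostor, crossing) are this example's own. Parallel composition is a list, so the structural congruence rules for | are built in; restricted names are simply chosen distinct; replication is not needed for this protocol and is left out; P and Q are inert placeholders. The honest agent reduces to w[P | Q], as the equation above predicts. A constructed visitor that knows the wrapper name k' but not k gets the pilot delivered into its wrapper but can never open it, so the in w capability is never released and Q stays outside w.

```python
# Interpreter for the pure ambient calculus (in, out, open); added example, not the paper's code.
from dataclasses import dataclass, field
from typing import List, Union

@dataclass
class Amb:                     # n[P]
    name: str
    body: List["Proc"] = field(default_factory=list)

@dataclass
class Act:                     # M.P with M one of: in n, out n, open n
    op: str
    name: str
    cont: List["Proc"] = field(default_factory=list)

@dataclass
class Stub:                    # placeholder for an arbitrary inert process (P, Q)
    name: str

Proc = Union[Amb, Act, Stub]

def reduce_once(procs: List[Proc]) -> bool:
    """Fire one reduction rule somewhere inside `procs` (in place); False if no redex."""
    for i, p in enumerate(procs):
        # (Open): open n. P | n[Q] -> P | Q
        if isinstance(p, Act) and p.op == "open":
            for j, q in enumerate(procs):
                if isinstance(q, Amb) and q.name == p.name:
                    released = p.cont + q.body
                    for idx in sorted((i, j), reverse=True):
                        del procs[idx]
                    procs.extend(released)
                    return True
        if isinstance(p, Amb):
            for j, q in enumerate(p.body):
                # (In): n[in m. P | Q] | m[R] -> m[n[P | Q] | R]
                if isinstance(q, Act) and q.op == "in":
                    for k, r in enumerate(procs):
                        if k != i and isinstance(r, Amb) and r.name == q.name:
                            p.body[j:j + 1] = q.cont
                            r.body.append(p)
                            del procs[i]
                            return True
                # (Out): m[n[out m. P | Q] | R] -> n[P | Q] | m[R]
                if isinstance(q, Amb):
                    for l, s in enumerate(q.body):
                        if isinstance(s, Act) and s.op == "out" and s.name == p.name:
                            q.body[l:l + 1] = s.cont
                            del p.body[j]
                            procs.append(q)
                            return True
    # (Amb) congruence rule: a redex inside a nested ambient also counts
    return any(isinstance(p, Amb) and reduce_once(p.body) for p in procs)

def run(procs: List[Proc], limit: int = 1000) -> List[Proc]:
    # compute ->* : keep reducing until no rule applies
    for _ in range(limit):
        if not reduce_once(procs):
            return procs
    raise RuntimeError("no normal form reached within the step limit")

def show(procs: List[Proc]) -> str:
    """Print a parallel composition in the paper's notation."""
    def one(p):
        if isinstance(p, Stub):
            return p.name
        if isinstance(p, Amb):
            return f"{p.name}[{show(p.body)}]"
        cont = show(p.cont)
        if len(p.cont) > 1:
            cont = f"({cont})"
        return f"{p.op} {p.name}" + (f". {cont}" if cont else "")
    return " | ".join(one(p) for p in procs)

def firewall(P: Proc) -> Amb:
    """Firewall = (nu w) w[ k[out w. in k'. in w] | open k'. open k''. P ]"""
    pilot = Amb("k", [Act("out", "w", [Act("in", "k'", [Act("in", "w")])])])
    return Amb("w", [pilot, Act("open", "k'", [Act("open", "k''", [P])])])

def agent(Q: Proc) -> Amb:
    """Agent = k'[ open k. k''[Q] ]: knows all three passwords."""
    return Amb("k'", [Act("open", "k", [Amb("k''", [Q])])])

def impostor(Q: Proc) -> Amb:
    """Constructed visitor knowing k' and k'' but not k: it cannot open the pilot."""
    return Amb("k'", [Amb("k''", [Q])])

def crossing(visitor: Amb) -> str:
    # normal form of visitor | Firewall
    return show(run([visitor, firewall(Stub("P"))]))

def q_inside_firewall(visitor: Amb) -> bool:
    # did the visitor's payload Q end up directly inside the firewall ambient w?
    top = run([visitor, firewall(Stub("P"))])
    return any(isinstance(a, Amb) and a.name == "w" and
               any(isinstance(p, Stub) and p.name == "Q" for p in a.body) for a in top)
```

crossing(agent(Stub("Q"))) yields w[P | Q]; crossing(impostor(Stub("Q"))) stops at k'[k''[Q] | k[in w]] | w[open k'. open k''. P], the stuck state in which the pilot sits unopened inside the wrapper. The interpreter picks the first redex it finds, which is enough here because every interleaving of this protocol reaches the same normal form.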
2.6 Example: Objective Moves and Dissolution
Objective moves are not directly encodable. However, specific ambients can explicitly allow objective moves by using open:
allow n ≜ !open n
mv in n.P ≜ (νk) k[in n. in[out k. open k. P]]
mv out n.P ≜ (νk) k[out n. out[out k. open k. P]]
n↓[P] ≜ n[P | allow in]                 (n↓ allows mv in)
n↑[P] ≜ n[P | allow out]                (n↑ allows mv out)
n↕[P] ≜ n[P | allow in | allow out]     (n↕ allows both mv in and mv out)
These definitions are to be used, for example, as follows:
mv in n.P | n↕[Q] →* n↕[P | Q]
n↕[mv out n.P | Q] →* P | n↕[Q]
Similarly, the acid primitive discussed previously is not encodable via open. However, we can code a form of planned dissolution:
acid n. P ≜ acid[out n. open n. P]
to be used with a helper process open acid as follows:
n[acid n. P | Q] | open acid →* P | Q
This form of acid is sufficient for uses in many encodings where it is necessary to dissolve ambients. Encodings are carefully planned, so it is easy to add the necessary open instructions. The main difference with the liberal form of acid is that acid n must name the ambient it is dissolving. More precisely, the encoding of acid n requires both an exit and an open capability for n.
2.7 Example: External Choice
A major feature of CCS [13] is the presence of a non-deterministic choice operator (+). We do not take + as a primitive, in the spirit of the asynchronous π-calculus, but we can approximate some aspects of it by the following definitions. The intent is that n⇒P + m⇒Q reduces to P in the presence of an n ambient, and reduces to Q in the presence of an m ambient.
n⇒P + m⇒Q ≜ (νp q r) (p[in n. out n. q[out p. open r. P]] | p[in m. out m. q[out p. open r. Q]] | open q | r[])
For example, assuming {p, q, r} ∩ fn(R) = ∅ we have:
(n⇒P + m⇒Q) | n[R] →*≡ P | n[R]
where the relation →*≡ is the relational composition of →* and ≡.
2.8 Example: Numerals
We represent the number i by a stack of nested ambients of depth i. For any natural number i, let ⟨i⟩ be the numeral for i:
⟨0⟩ ≜ zero[]
⟨i+1⟩ ≜ succ[open op | ⟨i⟩]
The open op process is needed to allow ambients named op to enter the stack of ambients to operate on it. To show that arithmetic may be programmed on these numerals, we begin with an ifzero operation to tell whether a numeral represents 0 or not.
ifzero P Q ≜ zero⇒P + succ⇒Q
⟨0⟩ | ifzero P Q →*≡ ⟨0⟩ | P
⟨i+1⟩ | ifzero P Q →*≡ ⟨i+1⟩ | Q
Next, we can encode increment and decrement operations.
inc.P ≜ ifzero (inczero.P) (incsucc.P)
inczero.P ≜ open zero. (⟨1⟩ | P)
incsucc.P ≜ (νp q) (p[succ[open op]] | open q. open p. P | op[in succ. in p. in succ. (q[out succ. out succ. out p] | open op)])
dec.P ≜ (νp) (op[in succ. p[out succ]] | open p. open succ. P)
These definitions satisfy:
⟨i⟩ | inc.P →*≡ ⟨i+1⟩ | P
⟨i+1⟩ | dec.P →*≡ ⟨i⟩ | P
Given that iterative computations can be programmed with replication, any arithmetic operation can be programmed with inc, dec and ifzero.
2.9 Example: Turing Machines
We emulate Turing machines in a "mechanical" style. A tape consists of a nested sequence of squares, each initially containing the flag ff[]. The first square has a distinguished name to indicate the end of the tape to the left:
end↕[ff[] | sq↕[ff[] | sq↕[ff[] | sq↕[ff[] | ...]]]]
The head of the machine is an ambient that inhabits a square. The head moves right by entering the next nested square and moves left by exiting the current square. The head contains the program of the machine and it can read and write the flag in the current square. The trickiest part of the definition concerns extending the tape. Two tape stretchers are placed at the beginning and end of the tape and continuously add squares.
if tt P, if ff Q ≜ tt⇒open tt. P + ff⇒open ff. Q
head ≜ head[
    !open s1.                                    (state #1 (example))
      mv out head.                               (jump out to read flag)
      if tt (ff[] | mv in head. in sq. s2[]),    (head right, state #2)
      if ff (tt[] | mv in head. out sq. s3[])    (head left, state #3)
    | ...                                        (more state transitions)
    | s1[]]                                      (initial state)
stretchRht ≜ (νr) r[!open it. mv out r. (sq↕[ff[]] | mv in r. in sq. it[]) | it[]]    (stretch tape right)
stretchLft ≜ !open it. mv in end. (mv out end. end↕[sq↕[ff[]] | in end. in sq. mv out end. open end. mv out sq. mv out end. it[]]) | it[]    (stretch tape left)
machine ≜ stretchLft | end↕[ff[] | head | stretchRht]
3 Communication
Although the pure mobility calculus is powerful enough to be Turing-complete, it has no communication or variable-binding operators. Such operators seem necessary, for example, to comfortably encode other formalisms such as the π-calculus. Therefore, we now have to choose a communication mechanism to be used to exchange messages between ambients. The choice of a particular mechanism is somewhat orthogonal to the mobility primitives. However, we should try not to let communication defeat the restrictions imposed by capabilities. This suggests that a primitive form of communication should be purely local, and that the transmission of non-local messages should be restricted by capabilities.
3.1 Communication Primitives
To focus our attention, we pose as a goal the ability to encode the asynchronous π-calculus. For this it is sufficient to introduce a simple asynchronous communication mechanism that works locally within a single ambient.
Mobility and Communication Primitives
P, Q ::=             processes
    (νn)P            restriction
    0                inactivity
    P | Q            composition
    !P               replication
    M[P]             ambient
    M.P              capability action
    (x).P            input action
    ⟨M⟩              async output action
M ::=                capabilities
    x                variable
    n                name
    in M             can enter into M
    out M            can exit out of M
    open M           can open M
    ε                null
    M.M'             path
We again start by displaying the syntax of a whole calculus. The mobility primitives are essentially those of section 2, but the addition of communication variables changes some of the details. More interestingly, we add input ((x).P) and output (⟨M⟩) primitives and we enrich the capabilities to include paths. We identify capabilities up to the following equations: L.(M.N) = (L.M).N and M.ε = M = ε.M. As a new syntactic convention, we have that (x).P | Q = ((x).P) | Q.
3.2 Explanations
Communicable Values. The entities that can be communicated are either names or capabilities. In realistic situations, communication of names should be rather rare, since knowing the name of an ambient gives a lot of control over it. Instead, it should be common to communicate restricted capabilities to allow controlled interactions between ambients. It now becomes useful to combine multiple capabilities into paths, especially when one or more of those capabilities are represented by input variables. To this end we introduce a path-formation operation on capabilities (M.M'). For example, (in n. in m). P is interpreted as in n. in m. P. We distinguish between ν-bound names and input-bound variables. Variables can be instantiated with names or capabilities. In practice, we do not need to distinguish these two sorts lexically, but we often use n, m, p, q for names and w, x, y, z for variables.
Ambient I/O. The simplest communication mechanism that we can imagine is local anonymous communication within an ambient (ambient I/O, for short):
(x).P     input action
⟨M⟩       async output action
An output action releases a capability (possibly a name) into the local ether of the surrounding ambient. An input action captures a capability from the local ether and binds it to a variable within a scope. We have the reduction:
(x).P | ⟨M⟩ → P{x←M}
This local communication mechanism fits well with the ambient intuitions. In particular, long-range communication, like long-range movement, should not happen automatically because messages may have to cross firewalls. Still, this simple mechanism is sufficient, as we shall see, to emulate communication over named channels, and more generally to provide an encoding of the asynchronous π-calculus.
Remark. To allow both names and capabilities to be output and input, there is a single syntactic sort that includes both. Then, a meaningless term of the form n. P can arise, for instance, from the process ((x). x. P) | ⟨n⟩. This anomaly is caused by the desire to denote movement capabilities by variables, as in (x). x. P, and from the desire to denote names by variables, as in (x). x[P]. We permit n. P to be formed, syntactically, in order to make substitution always well defined. A simple type system distinguishing names from movement capabilities would avoid this anomaly.
3.3 Operational Semantics
The structural congruence relation is defined as in section 2.3, with the understanding that P and M range now over larger classes, and with the addition of the following equivalences:
Structural Congruence
P ≡ Q ⇒ M[P] ≡ M[Q]
P ≡ Q ⇒ (x).P ≡ (x).Q
ε.P ≡ P
(M.M').P ≡ M.M'.P
We now identify processes up to renaming of bound variables: (x).P = (y).P{x←y} if y ∉ fv(P). Finally, we have a new reduction rule:
Reduction
(x).P | ⟨M⟩ → P{x←M}
3.4 Example: Cells
A cell cell c w stores a value w at a location c, where a value is a capability. The cell is set to output its current contents destructively, and is set to be "refreshed" with either the old contents (by get) or a new contents (by set). Note that set is essentially an output operation, but it is a synchronous one: its sequel P runs only after the cell has been set. Parallel get and set operations do not interfere.
cell c w ≜ c[⟨w⟩]
get c (x). P ≜ mv in c. (x). (⟨x⟩ | mv out c. P)
set c ⟨w⟩. P ≜ mv in c. (x). (⟨w⟩ | mv out c. P)
It is possible to code an atomic get-and-set primitive:
get-and-set c (x) ⟨w⟩. P ≜ mv in c. (x). (⟨w⟩ | mv out c. P)
Named cells can be assembled into ambients that act as record data structures.
3.5 Example: Routable Packets and Active Networks
We define packet pkt as an empty packet of name pkt that can be routed repeatedly to various destinations. We also define route pkt with P to M as the act of placing P inside the packet pkt and sending the packet to M; this is to be used in parallel with packet pkt. Note that M can be a compound capability, representing a path to follow. Finally, forward pkt to M is an abbreviation that forwards any packet named pkt that passes by to M. Here we assume that P does not interfere with routing.
packet pkt ≜ pkt[!(x). x | !open route]
route pkt with P to M ≜ route[in pkt. ⟨M⟩ | P]
forward pkt to M ≜ route pkt with 0 to M
Since our packets are ambients, they may contain behavior that becomes active within the intermediate routers. Therefore we can naturally model active networks, which are characterized by routers that execute code carried by packets.
3.6 Communication Between Ambients
Our basic communication primitives operate only within a given ambient. We now discuss one example of communication across ambients. In addition, in section 3.7 we treat the specific case of channel-based communication across ambients. It is not realistic to assume direct long-range communication. Communication, like movement, is subject to access restrictions due to the existence of administrative domains. Therefore, it is convenient to model long-range communication as the movement of "messenger" agents that must cross administrative boundaries. Assume, for simplicity, that the location M allows I/O by !open io. By M⁻¹ we indicate a given return path from M.
@M⟨a⟩ ≜ io[M. ⟨a⟩]                                      (remote output at M)
@M(x)M⁻¹. P ≜ (νn) (io[M. (x). n[M⁻¹. P]] | open n)      (remote input at M)
To avoid transmitting P all the way there and back, we can write input as:
@M(x)M⁻¹. P ≜ (νn) (io[M. (x). n[M⁻¹. ⟨x⟩]] | open n) | (x). P
To emulate Remote Procedure Call we write (assuming res contains the result):
@M arg⟨a⟩ res(x) M⁻¹. P ≜ (νn) (io[M. (⟨a⟩ | open res. (x). n[M⁻¹. ⟨x⟩])] | open n) | (x). P
This is essentially an implementation of a synchronous communication (RPC) by two asynchronous communications (⟨a⟩ and ⟨x⟩).
3.7 Encoding the π-calculus
The encoding of the asynchronous π-calculus is moderately easy, given our I/O primitives. A channel is simply represented by an ambient: the name of the channel is the name of the ambient. This is very similar in spirit to the join-calculus [9], where channels are rooted at a location. Communication on a channel is represented by local communication inside an ambient. The basic technique is a variation on objective moves. A conventional name, io, is used to transport input and output requests into the channel. The channel opens all such requests and lets them interact.
ch n ≜ n[!open io]                                        (a channel)
(ch n)P ≜ (νn) (ch n | P)                                  (a new channel)
n(x).P ≜ (νp) (io[in n. (x). p[out n. P]] | open p)        (channel input)
n⟨M⟩ ≜ io[in n. ⟨M⟩]                                       (async channel output)
These definitions satisfy the expected reduction n(x).P | n⟨M⟩ →* P{x←M} in the presence of a channel ch n. Therefore, we can write the following encoding of the π-calculus:
Encoding of the Asynchronous π-calculus
⟦(νn)P⟧ ≜ (νn) (n[!open io] | ⟦P⟧)
⟦n(x).P⟧ ≜ (νp) (io[in n. (x). p[out n. ⟦P⟧]] | open p)
⟦n⟨m⟩⟧ ≜ io[in n. ⟨m⟩]
⟦P | Q⟧ ≜ ⟦P⟧ | ⟦Q⟧
⟦!P⟧ ≜ !⟦P⟧
This encoding includes the choice-free synchronous π-calculus, since it can itself be encoded within the asynchronous π-calculus [4, 12]. We can fairly conveniently use these definitions to embed communication on named channels within the ambient calculus (provided the name io is not used for other purposes). Communication on these named channels, though, only works within a single ambient. In other words, from our point of view, a π-calculus process always inhabits a single ambient. Therefore, the notion of mobility in the π-calculus (communication of names over named channels) is different from our notion of mobility.
4 Conclusions and Future Work
We have introduced the informal notion of mobile ambients, and we have discussed how this notion captures the structure of complex networks and the behavior of mobile computation. We have then investigated an ambient calculus that formalizes this notion simply and powerfully. Our calculus is no more complex than common process calculi, but supports reasoning about mobility and, at least to some degree, security. This paper concentrates mostly on examples and intuition. In ongoing work we are developing theories of equivalences for the ambient calculus, drawing on earlier work on the π-calculus. These equivalences will allow us to reason about mobile computation, as briefly illustrated in the firewall crossing example. On this foundation, we can envision new programming methodologies, programming libraries and programming languages for global computation.
Acknowledgments
Thanks to Cédric Fournet, Paul McJones and Jan Vitek for comments on early drafts. Stuart Wray suggested an improved definition of external choice. Gordon held a Royal Society University Research Fellowship for most of the time we worked on this paper.
References
1. Abadi, M. and A.D. Gordon, A calculus for cryptographic protocols: the spi calculus. Proc. Fourth ACM Conference on Computer and Communications Security, 36-47, 1997.
2. Amadio, R.M., An asynchronous model of locality, failure, and process mobility. Proc. COORDINATION 97, Berlin, 1997.
3. Berry, G. and G. Boudol, The chemical abstract machine. Theoretical Computer Science 96(1), 217-248, 1992.
4. Boudol, G., Asynchrony and the π-calculus. TR 1702, INRIA, Sophia-Antipolis, 1992.
5. Cardelli, L., A language with distributed scope. Computing Systems, 8(1), 27-59, MIT Press, 1995.
6. Carriero, N. and D. Gelernter, Linda in context. CACM, 32(4), 444-458, 1989.
7. Carriero, N., D. Gelernter, and L. Zuck, Bauhaus Linda. LNCS 924, 66-76, Springer-Verlag, 1995.
8. De Nicola, R., G.-L. Ferrari and R. Pugliese, Locality based Linda: programming with explicit localities. Proc. TAPSOFT'97, 1997.
9. Fournet, C. and G. Gonthier, The reflexive CHAM and the join-calculus. Proc. 23rd Annual ACM Symposium on Principles of Programming Languages, 372-385, 1996.
10. Fournet, C., G. Gonthier, J.-J. Lévy, L. Maranget, D. Rémy, A calculus of mobile agents. Proc. CONCUR'96, 406-421, 1996.
11. Gosling, J., B. Joy and G. Steele, The Java language specification. Addison-Wesley, 1996.
12. Honda, K. and M. Tokoro, An object calculus for asynchronous communication. Proc. ECOOP'91, LNCS 521, 133-147, Springer-Verlag, 1991.
13. Milner, R., A calculus of communicating systems. LNCS 92, Springer-Verlag, 1980.
14. Milner, R., Functions as processes. Mathematical Structures in Computer Science 2, 119-141, 1992.
15. Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, Parts 1-2. Information and Computation, 100(1), 1-77, 1992.
16. White, J.E., Mobile agents. In Software Agents, J. Bradshaw, ed., AAAI Press / The MIT Press, 1996.
Rational Term Rewriting*
A. Corradini¹ and F. Gadducci²
¹ Università di Pisa, Dipartimento di Informatica, Corso Italia 40, I-56214 Pisa, Italy ([email protected]).
² TUB, Fachbereich 13 Informatik, Franklinstraße 28/29, D-10587 Berlin, Germany (gfabio@cs.tu-berlin.de).
Abstract. Rational terms (possibly infinite terms with finitely many subterms) can be represented in a finite way via μ-terms, that is, terms over a signature extended with self-instantiation operators. For example, f^ω = f(f(f(...))) can be represented as μx.f(x) (or also as μx.f(f(x)), f(μx.f(x)), ...). Now, if we reduce a μ-term t to s via a rewriting rule using standard notions of the theory of Term Rewriting Systems, how are the rational terms corresponding to t and to s related? We answer this question in a satisfactory way, resorting to the definition of infinite parallel rewriting proposed in [7]. We also provide a simple, algebraic description of μ-term rewriting through a variation of Meseguer's Rewriting Logic formalism.
1 Introduction
Rational terms are possibly infinite terms with a finite set of subterms. They show up in a natural way in Theoretical Computer Science whenever some finite cyclic structures are of concern (for example data flow diagrams, cyclic term graphs, or process algebras with recursion), and one desires to abstract out from the "degree of folding" of such structures, intuitively identifying those that denote the same infinitary behaviour. For example, the μ-term t1 = μx.ite(B, seq(C1, x), C2) can be used as a linear representation of a flow chart intended to model the structure of a while loop using the if-then-else (ite) and the sequentialization (seq) statements, where the boolean condition B and the statements C1 and C2 are left unspecified. As stressed in [20], the intended meaning of the operator μx, when applied to a term t with x free, is of constraining the instantiation of x in t to μx.t only; thus μx can be considered as a self-instantiation operator. By performing this self-instantiation once in t1, we get t2 = ite(B, seq(C1, μx.ite(B, seq(C1, x), C2)), C2). Now, both t1 and t2 can be seen as a finite representation of the same infinite, rational term ite(B, seq(C1, ite(B, seq(C1, ite(B, seq(C1, ...), C2)), C2)), C2), which, in turn, can be regarded as a representative of the equivalence class of μ-terms containing t1 and t2. From a computational viewpoint, rational terms are clearly
* Research partly supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the Dipartimento di Informatica of Pisa and the Technical University of Berlin.
a very interesting subclass of infinite terms, because they have a finitary representation; usually, however, this is not unique. Infinitary extensions of Term Rewriting have been considered by various authors during the last decade [12, 11, 15, 16, 7, 20, 21, 22, 9, 8]. Most of those contributions are concerned with the study of the rewriting relation induced by a set of finite term rules on infinite terms, presenting results about the existence of normal forms (possibly reachable after ω steps), confluence and so on. Only a few of them, namely [20, 21, 8], focus on the subclass of rational terms, regarded essentially as the semantics of some finite but possibly cyclic structures (term graphs or μ-terms). The goal of this paper is to provide a solid mathematical basis for the theory of rational term rewriting. One main requisite for us is that such a theory must provide a "clean" semantics for the rewriting of the finitary representations of rational terms. This is a not completely trivial task, as shown by the following two simple examples which make use of μ-terms, the finitary representation of rational terms that we shall use along the paper. Let t be the μ-term t = μx.f(x), representing the rational term f^ω =def f(f(f(...))), and let R : f(y) → g(y) be a term rewriting rule. Unlike for example [20], we insist that in our theory it should be possible to apply R to t, obtaining, quite obviously, the reduction μx.f(x) →_R μx.g(x). If we consider the associated rational terms, this apparently innocuous rewriting step requires some infinitary extension of the theory of term rewriting, because there are infinitely many occurrences of f in f^ω, and all of them have to be changed to g: in fact, the μ-term μx.g(x) represents g^ω. There are two possible infinitary extensions of term rewriting that allow us to formalize such a phenomenon.
Using the theory of transfinite rewriting of [22] (and adopted by most of the papers mentioned above), one obtains g^ω as the limit (in the standard complete metric space of infinite terms [1]) of the infinite (Cauchy) sequence of reductions f^ω →_R g(f^ω) →_R g(g(f^ω)) →_R ... Using instead the infinite parallel rewriting of [7], g^ω is obtained in a single reduction step by replacing in parallel all the occurrences of f in f^ω by g: this kind of reduction is defined using standard completion techniques that exploit the CPO structure of possibly partial, possibly infinite terms [19]. And what about the application of the "collapsing" rule R' : g(y) → y to μx.g(x)? There is no apparent reason to forbid it, and one would expect to obtain the reduction μx.g(x) →_{R'} μx.x. Considering the corresponding rational terms, by applying the theory of [22] we have that since g^ω →_{R'} g^ω, the limit of infinitely many such reductions cannot be different from g^ω,³ which is not related at all to μx.x. Using the infinite parallel rewriting of [7], instead, we have that g^ω rewrites to ⊥, the bottom element of the CPO of terms, and ⊥ is indeed the canonical interpretation of the μ-term μx.x, according to the Iteration Algebras framework [3]. An infinite term made of infinitely many nested redexes of collapsing rules (as g^ω in this example) will be called a "hypercollapsing tower", using the terminology of [22]. This discussion motivates our presentation of rational term rewriting in Section 3, which is an adaptation to the rational case of the definitions and results in [7]. In the same section we also introduce the rewriting of μ-terms, which is as straightforward as possible. The main result of the paper will show the soundness of the (parallel) rewriting of μ-terms with respect to the reduction of possibly infinite, rational sets of redexes in their unfolded rational term. In Section 4 we provide a logical presentation of μ-term rewriting and of rational rewriting. For the logical viewpoint, our starting point is the seminal work of José Meseguer about Rewriting Logic [25]. The basic idea is to consider a rewriting system R as a logical theory, and any rewriting as a sequent entailed by that theory. The entailment relation is defined inductively by suitable deduction rules, showing how sequents can be derived from other sequents. Sequents themselves are triples (α, t, s), where α is an element of a so-called algebra of proof terms, encoding a justification of the rewriting of t into s. The original presentation of rewriting logic dealt with the finitary case. We consider here a variation of it, called (one-step) Preiteration Rewriting Logic, by introducing suitable rules for μ-terms. The faithfulness of this presentation of μ-term rewriting with respect to the original formulation is expressed by a result stating that there is a bijection between sequents relating two terms and parallel reductions between them. The advantage of this logical approach is that not only the terms, but also the reductions are now endowed with an algebraic structure (the structure of proof terms), and this allows us to obtain a more precise relationship between μ-term and rational rewriting with respect to the results in Section 3. In fact, we obtain a faithful (in the above sense) logical presentation of rational rewriting by considering rational sequents, i.e., equivalence classes of sequents with respect to suitable axioms. Finally, in the concluding section we discuss the relationship with related papers, and we hint at some topics for future work.
³ Actually such a derivation is not strongly convergent, and thus it is not considered admissible in [22].
2 Rational Terms and μ-terms
The study of infinite terms is one of the most relevant contributions of computer science to the field of Universal Algebra. The starting point was the mid-Seventies work of the ADJ group (see e.g. [19, 18]) on continuous algebras, which laid the basis for the studies on varieties of ordered algebras, that is, algebras where the carrier is a partial order (see also [2]). We assume the reader to be familiar with the usual notion of algebra over a signature Σ (that is, a ranked alphabet of operator symbols Σ = ∪_{n∈ω} Σ_n, saying that f is of arity n for f ∈ Σ_n). We denote by Σ-Alg the category of algebras over Σ, and of Σ-homomorphisms. Continuous algebras are simply algebras where the carrier is not just a set, but rather a complete partial order, and the operators are continuous functions. Correspondingly, since homomorphisms must preserve the algebraic structure, they are required to be strict continuous functions.
Definition 1 (complete partial orders). A partial order (D, ≤) is complete (is a CPO) if it has an element ⊥ (called bottom) such that ⊥ ≤ d for all d ∈ D, and it has least upper bounds (LUB's) for all ω-chains of elements. If {d_i}_{i<ω} is an ω-chain (i.e., d_i ≤ d_{i+1} for all i < ω), we denote its LUB by ⊔_{i<ω}{d_i}. A continuous function f : (D, ≤_D) → (D', ≤_{D'}) between CPO's is a function f : D → D' which preserves LUB's of ω-chains, i.e., f(⊔_{i<ω}{d_i}) = ⊔_{i<ω}{f(d_i)}; it is strict if f(⊥_D) = ⊥_{D'}. CPO denotes the category of CPO's and continuous functions. □
We denote with Σ-CAlg the category of continuous algebras and strict continuous homomorphisms. We recall now the basic definitions and the main results on initial algebras and rational terms that will be used along the paper; these are borrowed from [3, 19, 17], to which we refer the interested reader. It is well-known that, for each signature Σ, the category Σ-Alg has an initial object, often called the word algebra and denoted by T_Σ. Its elements are all the terms freely generated from the constants and the operators of Σ, and can be regarded as finite trees whose nodes are labeled by operator symbols. As shown in [19], also the category Σ-CAlg has an initial object, denoted CT_Σ. Its elements are possibly infinite, possibly partial terms freely generated from Σ, and they form a CPO where the ordering relation is given by t ≤ t' iff t' is "more defined" than t. We introduce directly CT_Σ, since T_Σ can be recovered as a suitable sub-algebra: definitions are borrowed from [19], with minor changes.
Definition 2 (terms as functions). Let ω* be the set of all finite strings of positive natural numbers; its elements are called occurrences, and the empty string is denoted by λ. Furthermore, let Σ be a signature and X be a set of variables such that Σ ∩ X = ∅. A term over (Σ, X) is a partial function t : ω* → Σ ∪ X such that the domain of definition of t, O(t), satisfies (for w ∈ ω* and i ∈ ω):
- wi ∈ O(t) ⇒ w ∈ O(t);
- wi ∈ O(t) ⇒ t(w) ∈ Σ_n for some n ≥ i.
O(t) is called the set of occurrences of t. A term t is total if t(w) ∈ Σ_n ⇒ wi ∈ O(t) for all 0 < i ≤ n; t is finite if so is O(t); and t is linear if no variable occurs more than once in it. Given an occurrence w ∈ ω* and a term t ∈ CT_Σ(X), the subterm of t at (occurrence) w is the term t/w defined as t/w(u) = t(wu) for all u ∈ ω*. The set of terms over (Σ, X) is denoted by CT_Σ(X), and CT_Σ stands for CT_Σ(∅). □
For finite, total terms, this description is equivalent to the usual representation of terms as operators applied to other terms. Partial terms are made total in this representation by introducing the undefined term ⊥, which represents the empty function ⊥ : ∅ → Σ ∪ X, always undefined. Thus, for example, if x ∈ X, t = f(⊥, g(x)) is the term such that O(t) = {λ, 2, 2.1}, t(λ) = f ∈ Σ_2, t(2) = g ∈ Σ_1, and t(2.1) = x ∈ X. CT_Σ(X) forms a CPO with respect to the "approximation" relation. We say that t approximates t' (written t ≤ t') iff t is less defined than t' as partial
160
function. The least element of CTE (X) with respect to _< is clearly _L. An wchain {ti}i<~ is an infinite sequence of terms to _ tl _< .... Every w-chain {t~}i<~ in CT~(X) has a LUB Ui<w{ti} characterized as follows: t= U{ti}
~
Vwew,.qi<w.vj>_i.tj(w)=t(w).
i<w
LFrom CT~, TE can be recovered as the subalgebra of finite, total terms. In the paper our main interest is in rational terms.
Definition 3 (rational terms). A term $t$ over $(\Sigma, X)$ is rational if the associated set of prefixes $P(t) = \{(w, t(w)) \mid w \in O(t)\}$ is regular, that is, if it is recognizable by a finite automaton. Equivalently, $t$ is rational if the set of all its subterms $\{t/u \mid u \in O(t)\}$ is finite. The collection of all rational terms over $(\Sigma, X)$ is denoted by $RT_\Sigma(X)$, and it is easily shown to be a subalgebra of $CT_\Sigma(X)$, but not a continuous one. □

A different approach to the study of infinite terms, and in particular to the characterization of rational terms, focussed instead on the extension of the notion of signature by means of suitable recursion operators, and on an axiomatic characterization of unique fixed-points. A seminal stream (with tight links to the categorical notion of algebraic theories [24]) started with the paper on algebraic iterative theories by Elgot [13]. Here we recall just a few basic results, for which we refer the reader to [4].
Definition 4 (μ-terms). Let $\Sigma$ be a signature and $X$ be a (countably infinite) set of variables such that $\Sigma \cap X = \emptyset$. The set $\mu T_\Sigma(X)$ of μ-terms over $(\Sigma, X)$ is defined as the smallest set of expressions satisfying the following clauses:
- $x \in \mu T_\Sigma(X)$ if $x \in X$;
- $f(t_1, \dots, t_n) \in \mu T_\Sigma(X)$ if $f \in \Sigma_n$, $t_i \in \mu T_\Sigma(X)$;
- $\mu x.t \in \mu T_\Sigma(X)$ if $x \in X$, $t \in \mu T_\Sigma(X)$.

Equivalently, let $\Sigma^\mu = \Sigma \uplus \{\mu x \mid x \in X\}$ be a signature that extends $\Sigma$ with one unary operator for each variable in $X$. Then μ-terms over $(\Sigma, X)$ can also be defined as finite terms over $\Sigma^\mu$, i.e., elements of the word algebra $T_{\Sigma^\mu}(X)$. □

Consistently with the interpretation described in the Introduction, operator $\mu x$ is a binding operator for variable $x$. Thus we define the set of free variables $FV(t)$ for a term $t$ in the usual way, we call closed any term with no free variables, and we identify terms up to α-conversion. Substitutions are functions from variables to terms that, by freeness, can be extended in a unique way to operator preserving functions from terms to terms. Since we are dealing with two different kinds of terms, we introduce now two types of substitutions which will be used in the sequel.
Definition 5 (continuous and parameter substitutions). Let $\Sigma$ be a signature and $X, Y$ be two (countably infinite) sets of variables such that $\Sigma \cap X = \Sigma \cap Y = \emptyset$. A (continuous) substitution from $X$ to $Y$ is a function $\sigma : X \to CT_\Sigma(Y)$ (used in postfix notation). It uniquely determines a strict continuous $\Sigma$-homomorphism (also denoted by $\sigma$) from $CT_\Sigma(X)$ to $CT_\Sigma(Y)$, which extends $\sigma$ as follows:
- $\bot\sigma = \bot$;
- $f(t_1, \dots, t_n)\sigma = f(t_1\sigma, \dots, t_n\sigma)$;
- $x\sigma = \sigma(x)$.

A parameter substitution is a function $\sigma : X \to \mu T_\Sigma(X \cup Y)$. It uniquely determines an operator preserving function from $\mu T_\Sigma(X)$ to $\mu T_\Sigma(X \cup Y)$, as follows:
- $x\sigma = \sigma(x)$;
- $f(t_1, \dots, t_n)\sigma = f(t_1\sigma, \dots, t_n\sigma)$;
- $(\mu x.t)\sigma = \mu x.(t\sigma_x)$;

where $\sigma_x(y) = x$ if $x = y$, and $\sigma_x(y) = \sigma(y)$ otherwise. □

A substitution is finite if there is only a finite number of variables $x$ such that $\sigma(x) \neq x$: it will be described as a finite set $\{x_1/t_1, \dots, x_n/t_n\}$ with $t_i = \sigma(x_i)$ for all $1 \le i \le n$.

As for classical algebras, exploiting the syntactical nature of μ-terms one can define suitable structures where operators can be interpreted, called preiteration algebras [4]. For our purposes, it is enough to know that the set $\mu T_\Sigma(X)$ forms the free preiteration algebra over $X$ in the category $\Sigma$-PIAlg, where objects are preiteration algebras and arrows are preiteration homomorphisms, that is, homomorphisms preserving also the μ's. In this framework an equation is a pair $(t, s)$ of μ-terms, and the class of preiteration algebras satisfying an equational specification forms a suitable variety, à la Birkhoff. In particular, we are interested in the variety of iteration algebras, and more specifically in the free iteration algebra. Among the many equivalent axiomatizations of this free algebra, we prefer the following one (based actually on conditional equations) for its clarity and conciseness. Other presentations are described in [4], which also presents informal explanations for the rules below.
Definition 6 (free iteration algebra). Given a signature $\Sigma$ and a (countably infinite) set $X$ of variables, let $\equiv$ be the least congruence relation over $\mu T_\Sigma(X)$, closed with respect to parameter substitutions, induced by the following rules:
- (composition) $\mu x.(t\{x/s\}) = t\{x/\mu x.(s\{x/t\})\}$;
- (zero) $x \notin FV(t) \Rightarrow \mu x.t = t$;
- (regularity) $u \notin FV(t)$, μx.(t{x/ ,y/u}) = y/u}) =

We define the free iteration algebra over $(\Sigma, X)$ as the set $\mu T_\Sigma(X)/{\equiv}$, obtained by quotienting the free preiteration algebra $\mu T_\Sigma(X)$ by the congruence $\equiv$. □

As far as we know, Ginali in her Ph.D. thesis (see [17]) and independently Elgot, Bloom and Tindell [14] were the first to prove a correspondence result between the class of regular trees and Elgot's free iterative theories. Building on that result, Bloom and Ésik proved in [3] the following theorem.

Theorem 7 (rational terms and free iteration algebras). For any signature $\Sigma$ and set $X$ of variables, there is a preiteration isomorphism between the class $RT_\Sigma(X)$ of rational trees over $(\Sigma, X)$ and the class of elements of the free iteration algebra $\mu T_\Sigma(X)/{\equiv}$.³

³ In the rest of the paper for a μ-term $t$ we will denote by $\bar t$ the rational term corresponding (via the isomorphism mentioned in the last result) to the equivalence class of $t$ modulo the axioms of Definition 6. Intuitively, $\bar t$ is obtained as the limit of a chain of μ-terms starting from $t$ and where at each step a suitable self-instantiation (via a parameter substitution) is applied. The only μ-term to which this intuition is not immediately applicable is $\mu x.x$: the reader can safely assume that $\overline{\mu x.x} = \bot$ by definition.
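The finiteness criterion of Definition 3 and the self-instantiation of footnote 3 can be checked mechanically. The Python below is an added example, not code from the paper: closed μ-terms are nested tuples, `head_unfold` performs the self-instantiation $\mu x.s \mapsto s\{x/\mu x.s\}$ by a parameter substitution, `rational_automaton` collects the finitely many closed μ-terms reached this way (the states of an automaton recognizing $P(t)$), and `subterm_classes` merges states with equal unfoldings, so that the number of distinct subterms of $\bar t$ is computed and two $\equiv$-equivalent μ-terms (both sides of the composition axiom, say) are recognized as the same rational term. The tuple encoding, the function names and the treatment of cycles such as $\mu x.x$ as $\bot$ are choices of this example.

```python
from collections import deque

# Added example (not the paper's code).  A mu-term is a nested tuple:
#   ('var', x)               the variable x
#   ('op', f, (t1, ..., tn)) the operator f in Sigma_n applied to n mu-terms
#   ('mu', x, t)             the binder mu x.t
# Bound variable names within one term are assumed pairwise distinct, so the
# self-instantiation below substitutes closed terms only and cannot capture.
BOT = ('bot',)                      # the undefined term, bottom of CT_Sigma

def var(x): return ('var', x)
def op(f, *args): return ('op', f, tuple(args))
def mu(x, t): return ('mu', x, t)

def free_vars(t):
    """FV(t): mu x binds x."""
    if t[0] == 'var': return {t[1]}
    if t[0] == 'op': return set().union(*[free_vars(a) for a in t[2]]) if t[2] else set()
    if t[0] == 'mu': return free_vars(t[2]) - {t[1]}
    return set()

def subst(t, x, s):
    """Parameter substitution t{x/s}: it stops at a binder of x itself
    (the sigma_x of Definition 5) and descends everywhere else."""
    if t[0] == 'var': return s if t[1] == x else t
    if t[0] == 'op': return ('op', t[1], tuple(subst(a, x, s) for a in t[2]))
    if t[0] == 'mu': return t if t[1] == x else ('mu', t[1], subst(t[2], x, s))
    return t

def head_unfold(t):
    """Rewrite mu x.s into s{x/mu x.s} until an operator is at the root.
    A cycle (mu x.x, mu x.mu y.x, ...) never reaches an operator: following
    footnote 3 it is taken to unfold to bottom."""
    seen = set()
    while t[0] == 'mu':
        if t in seen: return BOT
        seen.add(t)
        t = subst(t[2], t[1], t)
    return t

def rational_automaton(*roots):
    """Map every closed mu-term reached from the roots by head unfolding and
    argument selection to (root symbol, argument terms).  Only finitely many
    states are reached, which is why the unfolding has finitely many
    subterms, i.e. is rational (Definition 3)."""
    states, todo = {}, deque(roots)
    while todo:
        u = todo.popleft()
        if u in states: continue
        assert not free_vars(u), "closed mu-terms only"
        h = head_unfold(u)
        if h == BOT:
            states[u] = ('_|_', ())
        else:
            states[u] = (h[1], h[2])
            todo.extend(h[2])
    return states

def subterm_classes(*roots):
    """Merge states with the same unfolding (partition refinement on the
    automaton).  Each class is one distinct subterm t/u of the rational term."""
    aut = rational_automaton(*roots)
    cls = {u: (sym, len(args)) for u, (sym, args) in aut.items()}
    while True:
        sigs = {u: (cls[u], tuple(cls[a] for a in aut[u][1])) for u in aut}
        ids = {}
        refined = {u: ids.setdefault(sigs[u], len(ids)) for u in aut}
        if len(ids) == len(set(cls.values())):
            return refined
        cls = refined

def num_subterms(t):
    """|{t/u | u in O(t)}| for the unfolding of the closed mu-term t."""
    return len(set(subterm_classes(t).values()))

def same_unfolding(t1, t2):
    """True iff t1 and t2 denote the same rational term (cf. Theorem 7)."""
    c = subterm_classes(t1, t2)
    return c[t1] == c[t2]

def approx(t, n):
    """n-th finite approximation of the unfolding: operators down to depth n,
    bottom below.  These form the chain whose LUB is the rational term."""
    if n == 0: return BOT
    h = head_unfold(t)
    if h == BOT or h[0] != 'op': return h
    return ('op', h[1], tuple(approx(a, n - 1) for a in h[2]))
```

`same_unfolding` decides equality of rational terms by bisimulation on the automaton, so it identifies exactly the μ-terms that the congruence $\equiv$ identifies; `approx(t, n)` yields the $n$-th element of a chain whose LUB is $\bar t$, with $\mu x.x$ approximated by $\bot$ at every depth.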
3 Rewriting of Rational Terms and of μ-Terms
The standard definition of term rewriting will be extended in this section to the rewriting of μ-terms (i.e., closed elements of $\mu T_\Sigma(X)$) and of infinite terms (elements of $CT_\Sigma$) via finite rules. Borrowing from [7], besides the standard sequential derivations we will introduce an infinitary extension called infinite parallel rewriting which allows one to reduce infinitely many redexes of an infinite term in a single reduction step. In particular, we will focus on the subcase of rational rewriting, i.e., the parallel reduction of rational sets of redexes. The main result of the section will show the soundness of μ-term rewriting with respect to rational term rewriting. Definitions and results are presented here for the class of orthogonal term rewriting systems only.
Definition 8 (term rewriting systems (TRS)). Let $X$ be a countably infinite set of variables. A term rewriting system $\mathcal{R}$ (over $X$) is a tuple $(\Sigma, L, R)$, where $\Sigma$ is a signature,⁴ $L$ is a set of labels, and $R$ is a function $R : L \to T_\Sigma(X) \times T_\Sigma(X)$ such that for all $d \in L$, if $R(d) = (l, r)$ then $var(r) \subseteq var(l) \subseteq X$ and $l$ is not a variable. A TRS $\mathcal{R}$ is orthogonal if all its rules are left-linear and non-overlapping, that is, the left-hand side of each rule does not unify with a non-variable subterm of any other rule in $\mathcal{R}$, or with a proper, non-variable subterm of itself. □

⁴ Often the signature will be understood.

Given a term rewriting system (also TRS) $\mathcal{R}$, we usually write $d : l \to r \in R$ if $d \in L$ and $R(d) = (l, r)$; to make explicit the variables contained in a rule, we write $d(x_1, \dots, x_n) : l(x_1, \dots, x_n) \to r(x_1, \dots, x_n) \in R$ where $\{x_1, \dots, x_n\} = var(l)$. For example, the TRS $\mathcal{Z} = \{d : f(x, x) \to a,\ d' : f(x, f(y, z)) \to a\}$ is not orthogonal: $d$ is not left-linear, while $f(x, f(y, z))$ can unify with its subterm $f(y, z)$. The definitions below introduce the rewriting of infinite terms and of μ-terms.
Definition 9 (subterm replacement). Given terms $t, s \in CT_\Sigma(X)$ and an occurrence $w \in \omega^*$, the replacement of $s$ in $t$ at (occurrence) $w$, denoted $t[w \leftarrow s]$, is the term defined as $t[w \leftarrow s](u) = t(u)$ if $w \not\le u$ or $t/w = \bot$, and $t[w \leftarrow s](wu) = s(u)$ otherwise. The definition of subterm replacement applies as it is to μ-terms in $\mu T_\Sigma(X)$, simply considering them as finite terms over the extended signature $\Sigma^\mu$.
Definition 10 ((plain) redexes and μ-redexes). Let $\mathcal{R} = (\Sigma, L, R)$ be a TRS over $X$. A (plain) redex $\Delta$ of a term $t \in CT_\Sigma$ is a pair $\Delta = (w, d)$ where $w \in \omega^*$ is an occurrence, $d : l \to r \in R$ is a rule, and there exists a continuous substitution $\sigma : var(l) \to CT_\Sigma$ such that $t/w = l\sigma$. A μ-redex $\Delta$ of a closed μ-term $t \in \mu T_\Sigma(X)$ is a pair $\Delta = (w, d)$ where $w \in \omega^*$ is an occurrence, $d : l \to r \in R$ is a rule, and there exists a parameter substitution $\sigma : var(l) \to \mu T_\Sigma(X)$ such that $t/w = l\sigma$. □
Definition 11 (reduction and derivation). Let $d : l \to r \in R$ be a rule and $\Delta = (w, d)$ be a redex of $t$. The result of its application is $s = t[w \leftarrow r\sigma]$. We also write $t \to_\Delta s$, and we say that $t$ reduces to $s$ (via $\Delta$). We say that there is a derivation from $t$ to $t'$ if there are redexes $\Delta_1, \dots, \Delta_n$ such that $t \to_{\Delta_1} t_1 \to_{\Delta_2} \dots \to_{\Delta_n} t_n = t'$.

The last definition applies both to plain and to μ-redexes: simply, if $\Delta$ is a μ-redex of $t$, bound variables in $t$ are not affected in some undesirable way thanks to the fact that the matching substitution is required to be a parameter substitution. In this case, sometimes we will denote the corresponding reduction by $t \to^\mu_\Delta s$.

Sequential term rewriting, as just defined, can be generalized to parallel term rewriting by allowing for the simultaneous application of two or more redexes to a term. The definitions below summarize those in [6] (see also [23, 7]), and are valid for orthogonal TRS's only: as for subterm replacement, all definitions and results lift smoothly to μ-terms.
Definition 12 (residuals). Let $\Delta = (w, d)$ and $\Delta' = (w', d' : l' \to r')$ be two redexes in a term $t$. The set of residuals of $\Delta$ by $\Delta'$, denoted by $\Delta \backslash \Delta'$, is defined as:

$$\Delta \backslash \Delta' = \begin{cases} \{\Delta\} & \text{if } w' \not\le w; \\ \{(w'v'u, d) \mid r'/v' = l'/v\} & \text{if } w = w'vu \text{ and } l'/v \text{ is a variable.} \end{cases}$$ □

Note that $\Delta \backslash \Delta'$ can contain more than one redex, whenever the right-hand side of the applied rule (here $d'$) is not linear. As an example, consider the TRS $\mathcal{W} = \{d : f(x) \to g(x, x),\ d' : a \to b\}$ and the redexes $\Delta = (1, d')$, $\Delta' = (\lambda, d)$ in the term $f(a)$: then $\Delta \backslash \Delta' = \{(1, d'), (2, d')\}$.
Proposition 13 (residual of a reduction). Let $\Phi \cup \{\Delta\}$ be a finite set of redexes of $t$, such that $t \to_\Delta s$. Then the set $\Phi \backslash \Delta$ of residuals of $\Phi$ by $\Delta$, defined as the union of $\Delta' \backslash \Delta$ for all $\Delta' \in \Phi$, is a set of redexes in $s$.

The well-definedness of the notions below is based on the previous result.
Definition 14 (residual of a sequence, complete development). Let $\Phi$ be a finite set of redexes of $t$ and $\rho = (t \to_{\Delta_1} t_1 \dots \to_{\Delta_n} t_n)$ be a reduction sequence. Then $\Phi \backslash \rho$ is defined as $\Phi$ if $n = 0$, and as $(\Phi \backslash \Delta_1) \backslash \rho'$, where $\rho' = (t_1 \to_{\Delta_2} t_2 \dots \to_{\Delta_n} t_n)$, otherwise. A development of $\Phi$ is a reduction sequence such that after each initial segment $\rho$, the next reduced redex is an element of $\Phi \backslash \rho$. A complete development of $\Phi$ is a development $\rho$ such that $\Phi \backslash \rho = \emptyset$.
Proposition 15 (uniqueness of complete developments). All complete developments $\rho$ and $\rho'$ of a finite set of redexes $\Phi$ in a term $t$ are finite, and end with the same term. Moreover, for each redex $\Delta$ of $t$, it holds $\Delta \backslash \rho = \Delta \backslash \rho'$.

Therefore we can safely denote by $\Delta \backslash \Phi$ the residuals of $\Delta$ by any complete development of $\Phi$ (and similarly replacing $\Delta$ with a finite set of redexes $\Psi$ of $t$). Exploiting this result (whose proof can be found in [6]), we define the parallel reduction of a finite set of redexes as any complete development of them.
Definition 16 (parallel reduction). Given a finite set $\Phi$ of redexes in a term $t$, we write $t \to_\Phi t'$ and say that there is a parallel reduction from $t$ to $t'$ if there exists a complete development $t \to_{\Delta_1} t_1 \dots \to_{\Delta_n} t'$ of $\Phi$. □
Thus parallel rewriting allows one to reduce a finite set of redexes of a term in a single, parallel step. If we consider an infinite term, there might be infinitely many distinct redexes in it: since the simultaneous rewriting of any finite subset of those redexes is well-defined, by a continuity argument one would expect that also the simultaneous rewriting of infinitely many redexes in an infinite term can be properly defined. We present here a definition which makes use of a suitable limit construction: for details we refer to [7]. It is however worth noticing that since μ-terms are finite by Definition 4, this infinitary extension is meaningful for plain redexes only.
Definition 17 (infinite parallel reduction). Given an infinite set $\Phi$ of redexes in a term $t$, let $t_0 \le t_1 \le t_2 \dots$ be any chain of finite terms such that its LUB is $t$, and for each $i < \omega$, every redex $(w, d) \in \Phi$ is either a redex of $t_i$ or $t_i(w) = \bot$ (that is, the image of the left-hand side of every redex in $\Phi$ is either all in $t_i$, or it is outside, but does not "cross the boundary"). Let $\Phi_i$ be the subset of all redexes in $\Phi$ which are also redexes of $t_i$, and let $s_i$ be the result of the (finite) parallel reduction of $t_i$ via $\Phi_i$ (i.e., $t_i \to_{\Phi_i} s_i$). Then we say that there is an (infinite) parallel reduction from $t$ to $s \stackrel{\mathrm{def}}{=} \bigsqcup_{i<\omega}\{s_i\}$ via $\Phi$, and we write $t \to_\Phi s$.

Let us consider the TRS $\Omega = \{d : f(x) \to g(x),\ d' : g(x) \to x\}$. Then the infinite set of redexes $\Phi = 1^* \times \{d\} = \{(\lambda, d), (1, d), \dots\}$ can be applied to the infinite term $t = f^\omega = \bigsqcup_{i<\omega}\{f^i(\bot)\}$: a suitable chain of finite approximations is given by $t_i = f^i(\bot)$, and the associated subset $\Phi_i$ is $\{(1^j, d) \mid j < i\}$. Then $t_i \to_{\Phi_i} g^i(\bot)$, and thus $t \to_\Phi g^\omega$ by definition. Next, the infinite set of redexes $\Phi' = 1^* \times \{d'\} = \{(\lambda, d'), (1, d'), \dots\}$ can be applied to $t' = g^\omega$. Now a suitable chain approximating $g^\omega$ is $t'_i = g^i(\bot)$, the associated subsets $\Phi'_i$ are $\{(1^j, d') \mid j < i\}$, and clearly $t'_i \to_{\Phi'_i} \bot$. Therefore $g^\omega \to_{\Phi'} \bigsqcup_{i<\omega}\bot = \bot$, which explains formally the reduction of the hypercollapsing tower described in the introduction. The next result states that the reduction of an infinite set of redexes is a well-given definition.
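Definitions 9 to 17 on finite, possibly partial terms, as an added Python example that is not part of the paper: terms are the occurrence functions of Definition 2 stored as dictionaries, so $\bot$ is the empty dictionary and a finite approximation $f^i(\bot)$ of an infinite term is an ordinary value. The code matches left-linear rules, replaces subterms, computes residuals, and reduces a finite set of redexes by a complete development (so that Proposition 15 can be observed by forcing two different orders); it then replays the chain construction of Definition 17 on the hypercollapsing example above, reducing $f^i(\bot)$ to $g^i(\bot)$ and then to $\bot$. The dictionary encoding, the capital-letter convention for variables and the names `W` and `OMEGA` for the two sample systems are assumptions of the example.

```python
# Added example (not the paper's code).  A term is the partial function of
# Definition 2: a dict {occurrence: symbol}, occurrences being tuples of
# positive integers with () for the empty string lambda; an occurrence absent
# from the dict is undefined, so {} is the undefined term bottom.  Symbols are
# strings; a symbol starting with a capital letter is a variable (convention
# of this example).  Rules are left-linear, as required for orthogonal TRS's.
BOT = {}

def tree(sym, *args):
    """Occurrence function of sym(args...) from the usual tree notation."""
    t = {(): sym}
    for i, a in enumerate(args, 1):
        t.update({(i,) + w: s for w, s in a.items()})
    return t

def power(f, n):
    """f^n(bottom): the n-th finite approximation of the infinite term f^omega."""
    return BOT if n == 0 else tree(f, power(f, n - 1))

def is_var(sym): return sym[:1].isupper()

def subterm(t, w):
    """t/w (Definition 2)."""
    n = len(w)
    return {u[n:]: s for u, s in t.items() if u[:n] == w}

def replace(t, w, s):
    """t[w <- s] (Definition 9): unchanged when t/w is undefined, otherwise
    everything below w is dropped and s is grafted at w."""
    if subterm(t, w) == BOT: return dict(t)
    r = {u: x for u, x in t.items() if u[:len(w)] != w}
    r.update({w + u: x for u, x in s.items()})
    return r

def match(pat, t):
    """The substitution sigma with pat.sigma = t, or None.  A variable may be
    bound to bottom: only the operators of the left-hand side must be in t."""
    sigma = {}
    for w, sym in pat.items():
        if is_var(sym): sigma[sym] = subterm(t, w)
        elif t.get(w) != sym: return None
    return sigma

def instantiate(pat, sigma):
    r = {}
    for w, sym in pat.items():
        if is_var(sym): r.update({w + u: x for u, x in sigma[sym].items()})
        else: r[w] = sym
    return r

def redexes(rules, t, label=None):
    """Plain redexes (w, d) of t (Definition 10), optionally of one rule only."""
    return {(w, d) for w in t for d, (l, _) in rules.items()
            if (label is None or d == label) and match(l, subterm(t, w)) is not None}

def reduce_one(rules, t, redex):
    """t ->_Delta s (Definition 11)."""
    w, d = redex
    l, r = rules[d]
    return replace(t, w, instantiate(r, match(l, subterm(t, w))))

def residuals(rules, delta, delta1):
    """Delta \\ Delta' (Definition 12) for an orthogonal system."""
    (w, d), (w1, d1) = delta, delta1
    if w[:len(w1)] != w1: return {delta}          # Delta is not below Delta'
    l1, r1 = rules[d1]
    v = w[len(w1):]
    for k in range(len(v) + 1):                   # the variable of l' above Delta
        if is_var(l1.get(v[:k], '')):
            x, u = l1[v[:k]], v[k:]
            return {(w1 + v1 + u, d) for v1, s in r1.items() if s == x}
    return set()                                  # w = w': Delta' reduced itself

def complete_development(rules, t, phi, order=None):
    """Reduce a finite set phi of redexes by a complete development
    (Definitions 14 and 16).  `order` optionally fixes which redex of the
    current residual set is reduced next, to exhibit Proposition 15."""
    phi = set(phi)
    while phi:
        delta = order.pop(0) if order else next(iter(phi))
        assert delta in phi, "order must pick a redex of the current residual set"
        phi.discard(delta)
        t = reduce_one(rules, t, delta)
        phi = set().union(*[residuals(rules, d, delta) for d in phi]) if phi else set()
    return t

# Constructed sample systems: W from the remark after Definition 12, and the
# system of the example after Definition 17 (d : f(x) -> g(x) together with
# the collapsing rule dp : g(x) -> x).
W = {'d': (tree('f', tree('X')), tree('g', tree('X'), tree('X'))),
     'dp': (tree('a'), tree('b'))}
OMEGA = {'d': (tree('f', tree('X')), tree('g', tree('X'))),
         'dp': (tree('g', tree('X')), tree('X'))}

def approximant_reducts(rules, label, chain):
    """Definition 17 on a chain t_0 <= t_1 <= ...: each t_i is reduced by the
    redexes of the given rule it contains; the s_i returned form the chain
    whose LUB is the infinite parallel reduct."""
    return [complete_development(rules, t, redexes(rules, t, label)) for t in chain]
```

On `f(a)` with both redexes of `W`, reducing `d` first creates two residuals of the `a`-redex and reducing `dp` first leaves the `f`-redex untouched; both orders end in `g(b, b)`. On the chain `f^i(⊥)` the reducts are `g^i(⊥)`, and a second pass with the collapsing rule maps every `g^i(⊥)` to `⊥`, which is the formal content of the hypercollapsing-tower example.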
Proposition 18 (infinite parallel reduction is well-defined). In the hypotheses of Definition 17:
1. For each $i < \omega$, $s_i \le s_{i+1}$; i.e., $\{s_i\}_{i<\omega}$ is a chain.
2. Definition 17 is well-given; i.e., the result of the infinite parallel reduction of $t$ via $\Phi$ does not depend on the choice of the chain approximating $t$, provided that it satisfies the required conditions.
3. If the set $\Phi$ of redexes is finite, then the infinite parallel reduction of Definition 17 yields the same result as the parallel reduction of Definition 16.

From infinite parallel rewriting, rational rewriting can be easily recovered by suitably restricting the class of infinite sets of redexes which can be applied to a given rational term.

Definition 19 (rational term rewriting). Let $\mathcal{R} = (\Sigma, L, R)$ be an orthogonal TRS over $X$, and let $\Sigma^* = \Sigma \uplus \{f^* \mid f \in \Sigma\}$ be an auxiliary signature. For a set of redexes $\Phi$ in a term $t$, the associated marked term $t_\Phi$ is a term over $(\Sigma^*, X)$ defined by the following clauses:

$$t_\Phi(w) = \begin{cases} f^* & \text{if } (w, d) \in \Phi \text{ and } t(w) = f; \\ t(w) & \text{otherwise.} \end{cases}$$

A set of redexes $\Phi$ of a rational term $t$ is rational if the associated marked term $t_\Phi$ is rational [21]. A parallel reduction $t \to_\Phi s$ is rational if so is $\Phi$. □

Thus $t_\Phi$ is obtained by marking in $t$ all the operators which are root of a redex in $\Phi$. It is rather easy to prove that if $\Phi$ is a rational set of redexes of a term $t$ and $t \to_\Phi s$, then also $s$ is rational. The main result of this section shows that the rewriting of μ-terms is sound with respect to the rational rewriting of rational terms.
Theorem 20 (soundness of μ-rewriting w.r.t. rational rewriting). Let $\mathcal{R}$ be an orthogonal TRS.
(1) If $\Phi$ is a finite set of μ-redexes of a μ-term $t$ and $t \to^\mu_\Phi s$, then there is a rational set of redexes $\mathcal{H}(\Phi)$ such that $\bar t \to_{\mathcal{H}(\Phi)} \bar s$.
(2) If $\Phi$ is a rational set of redexes of a term $t$ and $t \to_\Phi s$, then there is a μ-term $\mathcal{F}(t, \Phi)$ and a finite set of μ-redexes $\mathcal{M}(t, \Phi)$ such that $\overline{\mathcal{F}(t, \Phi)} = t$, $\mathcal{F}(t, \Phi) \to^\mu_{\mathcal{M}(t, \Phi)} s'$, and $\overline{s'} = s$.

Proof outline. (1) The rational set of redexes $\mathcal{H}(\Phi)$ is determined by taking the marked μ-term $t_\Phi$ (in the sense of Definition 19), by unfolding it obtaining the marked rational term $\overline{t_\Phi}$, and by considering all redexes of $\bar t$ whose roots are in correspondence with the marked nodes of $\overline{t_\Phi}$. Next suppose that $\bar t \to_{\mathcal{H}(\Phi)} s'$, i.e., according to Definition 17, that there is a chain of finite terms $t_0 \le t_1 \le t_2 \dots$ having $\bar t$ as LUB and satisfying suitable conditions with respect to $\mathcal{H}(\Phi)$, such that $t_i \to_{\Phi_i} s_i$ for all $i < \omega$, and $s' = \bigsqcup_{i<\omega}\{s_i\}$. Then it can be shown by induction that $s_i \le \bar s$ for all $i < \omega$, which implies $s' \le \bar s$. For the converse, it must be shown (by the way in which the approximation ordering is defined) that for every occurrence $w$ such that $s'(w) = \bot$ also $\bar s(w) = \bot$ holds. The only not obvious case here is when a $\bot$ is generated in $s'$ by the reduction of a hypercollapsing tower, but this is shown to be possible only if a μ-term equivalent to $\mu x.x$ is generated in $s$ by the reduction of $\Phi$, which unfolds to $\bot$ in $\bar s$. (2) Since set $\Phi$ is rational, so is the marked term $t_\Phi$. A marked μ-term $t'$ is shown to exist, such that $\overline{t'} = t_\Phi$, and such that for each marked node there is a redex for its unmarked version, $\mathcal{F}(t, \Phi)$, having that node as root.⁵ Let then $\mathcal{M}(t, \Phi)$ be the set of such μ-redexes of $\mathcal{F}(t, \Phi)$: it is a rational set of redexes, and the rest of the statement holds by point (1). □

Corollary 21. For an orthogonal TRS $\mathcal{R}$, the rewrite relation induced on rational terms by rational term rewriting of Definition 19 coincides with the rewrite relation induced by μ-term rewriting, modulo the axioms of Definition 6.

In our opinion, this result provides a completely satisfactory interpretation (or "semantics") of the rewriting of μ-terms expressed via a suitable notion of rewriting of the corresponding unfoldings.

⁵ For example, if $t = f^\omega$, $d : f(f(y)) \to g(y)$, and $\Phi = \{(1 \cdot (1 \cdot 1)^i, d) \mid i < \omega\}$, then $t_\Phi = f(f^*(f(f^*(\dots))))$. In this case we cannot take $t' = \mu x.f(f^*(x))$ (even if $\overline{t'} = t_\Phi$), because there is no redex rooted at $f^*$ (indeed, the redex would "cross" the μ operator), but we can take instead $t' = f(\mu x.f^*(f(x)))$.

4 Rational Rewriting, Algebraically

In this section we introduce (one-step) preiteration and rational rewriting logic, exploiting the rewriting logic formalism proposed in [25] for reasoning in logical terms about rewriting. Such logics will be presented in the form of sequent calculi, via deduction rules which allow one to generate sequents. The one-step preiteration and rational rewriting logics are shown to specify sequents which are in one-to-one correspondence with μ-term and rational reductions, respectively. The added value of this approach is that not only the terms, but also the reductions are now endowed with an algebraic structure (using suitable proof terms), and this allows us to obtain a more precise relationship between μ-term and rational rewriting with respect to Corollary 21. Intuitively, using the notation of point (1) of Theorem 20, one would like to identify two sets of μ-redexes $\Phi$ and $\Phi'$ in equivalent (but distinct) μ-terms $t$ and $t'$ if the induced rational sets of redexes coincide, i.e., if $\mathcal{H}(\Phi) = \mathcal{H}(\Phi')$. Interestingly, this can be obtained in the rewriting logic framework by providing the proof terms denoting μ-term reductions with a preiteration structure, and by imposing on them exactly the same axioms of Definition 6. Space constraints forbid us to introduce the deduction rules for sequential composition, which allow one to derive sequents which model many-step reductions (as done for example in [25, 9]). This will be included in the full version of the paper: we just discuss in the concluding section the relevance of this extension.
Definition 22 (rewriting sequents). Let $\mathcal{R} = (\Sigma, L, R)$ be an orthogonal TRS over $X$. Let $\Lambda = \bigcup_n \Lambda_n$ be the signature containing all the rules $d : l \to r \in R$ with the corresponding arity given by the number of variables in $d$: more precisely, for each $n$, $\Lambda_n = \{d \mid d(x_1, \dots, x_n) : l(x_1, \dots, x_n) \to r(x_1, \dots, x_n) \in R\}$. A proof term $\alpha$ is a μ-term of the preiteration algebra $\mu T_{\mathcal{R}}(X) = \mu T_{\Sigma \cup \Lambda}(X)$ (we assume that there are no clashes of names between the two sets of operators). A (rewriting) sequent is a triple $(\alpha, t, s)$ (usually written as $\alpha : t \to s$) where $\alpha$ is a proof term and $t, s \in \mu T_\Sigma(X)$. □

A sequent is closed if the associated proof term is so. For a given term $t$ and a finite substitution $\sigma = \{x_1/t_1, \dots, x_n/t_n\}$, we usually write $t(t_1, \dots, t_n)$ for $t\sigma$.
Definition 23 (one-step preiteration rewriting logic). Let $\mathcal{R} = (\Sigma, L, R)$ be a TRS over $X$. We say that $\mathcal{R}$ entails the sequent $\alpha : t \to s$ if it can be obtained by a finite number of applications of the following rules of deduction:

(reflexivity) $\dfrac{x \in X}{x : x \to x}$

(instantiation) $\dfrac{d : l \to r \in R,\quad d \in \Lambda_n,\quad \alpha_i : t_i \to s_i \text{ for } i = 1, \dots, n}{d(\alpha_1, \dots, \alpha_n) : l(t_1, \dots, t_n) \to r(s_1, \dots, s_n)}$

(congruence) $\dfrac{f \in \Sigma_n,\quad \alpha_i : t_i \to s_i \text{ for } i = 1, \dots, n}{f(\alpha_1, \dots, \alpha_n) : f(t_1, \dots, t_n) \to f(s_1, \dots, s_n)}$

(recursion) $\dfrac{\alpha : t \to s,\quad x \in X}{\mu x.\alpha : \mu x.t \to \mu x.s}$ □

The class of sequents entailed by $\mathcal{R}$ induces a set-theoretical rewrite relation over terms, simply obtained by dropping the proof term of a sequent. Rule reflexivity is self-explaining: it allows any variable to be rewritten into itself, that is, to play an idle rôle during a rewriting step. Both recursion and congruence state that the rewrite relation is also compatible with respect to the algebraic structure, since it is closed under contexts. Maybe, the most interesting rule is instantiation: first, it implies that the transition relation is stable, that is, it is closed under substitutions. But the associated sequent describes also the simultaneous execution of nested rewrites: two subterms matching the left-hand sides of two rules can be rewritten simultaneously, in parallel, provided they do not overlap (and this is always the case for orthogonal systems).
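The four deduction rules of Definition 23, read bottom-up, determine from a proof term $\alpha$ the unique sequent $\alpha : t \to s$ it proves. The following Python is an added example, not the paper's code: `sequent` returns the pair $(t, s)$ for a proof term over $\Sigma \cup \Lambda$, applying reflexivity to variables, recursion to $\mu x.\alpha$, instantiation when the root is a rule label and congruence when it is an operator of $\Sigma$; the nested-rewrite reading of instantiation shows up as a proof term with a rule label under another. The tuple encoding of terms, the way rules are stored (their variable list with the two sides), and the sample systems `W` and `OMEGA` are assumptions of the example.

```python
# Added example (not the paper's code).  mu-terms and proof terms share one
# representation: ('var', x), ('op', f, args), ('mu', x, t).  A rule label d
# in Lambda_n is an operator of arity n whose rule is stored as
# (variables x1..xn, left-hand side, right-hand side).
def var(x): return ('var', x)
def op(f, *args): return ('op', f, tuple(args))
def mu(x, t): return ('mu', x, t)

def subst(t, sigma):
    """Simultaneous parameter substitution t.sigma (Definition 5): under a
    binder mu x the variable x itself is left alone."""
    if t[0] == 'var': return sigma.get(t[1], t)
    if t[0] == 'op': return ('op', t[1], tuple(subst(a, sigma) for a in t[2]))
    x, s = t[1], t[2]
    return ('mu', x, subst(s, {y: v for y, v in sigma.items() if y != x}))

def sequent(rules, alpha):
    """Return (t, s) with alpha : t -> s entailed by the rules of Definition 23,
    reading each deduction rule bottom-up; raise ValueError if alpha is not
    a well-formed proof term for `rules`."""
    if alpha[0] == 'var':                           # (reflexivity)  x : x -> x
        return alpha, alpha
    if alpha[0] == 'mu':                            # (recursion)  mu x.a : mu x.t -> mu x.s
        t, s = sequent(rules, alpha[2])
        return mu(alpha[1], t), mu(alpha[1], s)
    f, args = alpha[1], alpha[2]
    premises = [sequent(rules, a) for a in args]    # a_i : t_i -> s_i
    sources = [t for t, _ in premises]
    targets = [s for _, s in premises]
    if f in rules:                                  # (instantiation)
        xs, l, r = rules[f]
        if len(xs) != len(args):
            raise ValueError(f"rule {f} has arity {len(xs)}, got {len(args)} proof terms")
        return subst(l, dict(zip(xs, sources))), subst(r, dict(zip(xs, targets)))
    return op(f, *sources), op(f, *targets)         # (congruence)

# Constructed sample systems: W from Section 3, and the f/g system of the
# example after Definition 17 with its collapsing rule dp : g(y) -> y.
W = {'d': (['x'], op('f', var('x')), op('g', var('x'), var('x'))),
     'dp': ([], op('a'), op('b'))}
OMEGA = {'d': (['y'], op('f', var('y')), op('g', var('y'))),
         'dp': (['y'], op('g', var('y')), var('y'))}
```

For instance `sequent(OMEGA, mu('x', op('d', var('x'))))` proves $\mu x.d(x) : \mu x.f(x) \to \mu x.g(x)$, and `sequent(OMEGA, mu('x', op('dp', var('x'))))` proves $\mu x.d'(x) : \mu x.g(x) \to \mu x.x$, the μ-term counterpart of the collapse of $g^\omega$ to $\bot$.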
Proposition 24 (sequents and parallel μ-term rewriting). Let $\mathcal{R}$ be an orthogonal TRS. (1) If $\mathcal{R}$ entails a closed sequent $\alpha : t \to s$, then there is a set of μ-redexes $\Phi(\alpha)$ such that $t \to_{\Phi(\alpha)} s$ (according to the parallel rewriting of Definition 16). (2) Viceversa, if $\Phi$ is a set of μ-redexes of $t$ and $t \to_\Phi s$, then there is a closed proof term $\alpha(\Phi)$ such that $\mathcal{R}$ entails the sequent $\alpha(\Phi) : t \to s$. (3) Functions $\Phi$ and $\alpha$ are inverse to each other.

Exploiting Theorem 7, we could easily obtain a description of the rewriting of rational terms by considering "abstract" sequents of the form $\alpha : \bar t \to \bar s$ for each sequent $\alpha : t \to s$ entailed by a TRS $\mathcal{R}$. However, using Theorem 20 we could obtain a result relating such sequents with the reduction of rational sets of redexes that is weaker than the last proposition, because the bijective correspondence would not hold. To ensure such a bijection we need to consider proof terms as well modulo the axioms of iteration algebras.
Definition 25 (one-step rational rewriting logic). A rational sequent has the form $\alpha : t \to s$, where $\alpha$ is a rational proof term (i.e., a rational term in $RT_{\Sigma \cup \Lambda}(X)$), and $t, s \in RT_\Sigma(X)$. A TRS $\mathcal{R}$ entails the rational sequent $\alpha : t \to s$ if it entails a sequent $\alpha' : t' \to s'$ (according to Definition 23) such that $\alpha = \overline{\alpha'}$, $t = \overline{t'}$, and $s = \overline{s'}$. A sequent is closed if so is its proof term. □

This definition of rational sequent allows us to lift the result of Proposition 24 to rational rewriting.
Proposition 26 (rational sequents and rational rewriting). Let $\mathcal{R}$ be an orthogonal TRS. (1) If $\mathcal{R}$ entails a closed rational sequent $\alpha : t \to s$, then there is a rational set of redexes $\Phi(\alpha)$ such that $t \to_{\Phi(\alpha)} s$ (according to the rational rewriting of Definition 19). (2) Viceversa, if $\Phi$ is a rational set of redexes of $t$ and $t \to_\Phi s$, then there is a closed rational proof term $\alpha(\Phi)$ such that $\mathcal{R}$ entails the rational sequent $\alpha(\Phi) : t \to s$. (3) Functions $\Phi$ and $\alpha$ are inverse to each other.
5 Discussion and Future Work
The main result presented in this paper is the fact that the parallel rewriting of μ-terms (defined in a very natural way) provides a faithful implementation for rational term rewriting, i.e., for the parallel reduction of a possibly infinite (but rational) set of redexes in a rational term.

Some notions introduced here should be compared with the corresponding ones in [20], even if the focus of the papers is different. The notion of μ-term rewriting of [20] is quite different from ours, firstly because rewriting is defined essentially modulo $\equiv$-equivalence, and secondly, and more importantly, because it is not allowed to rewrite a subterm $t'$ of a μ-term $t$ if $t'$ contains a free variable which is bound in $t$. For example, rule $f(y) \to g(y)$ cannot be applied to the subterm $f(x)$ of $\mu x.f(x)$. Furthermore, $\mu x.x$ is not considered as a legal μ-term. Such restrictions are motivated by the authors by potential problems that collapsing rules could cause. Recalling the discussion in the Introduction about the collapsing rule $g(y) \to y$, we can safely claim that such problems are due to the (implicit) use of the infinitary extension of term rewriting proposed in [22] as reference model for the theory of μ-term rewriting of the mentioned paper. In fact, such problems simply disappear using the theory of infinite parallel rewriting presented in [7], which provides a satisfactory interpretation for the μ-term $\mu x.x$, as well as for the reduction of hypercollapsing towers.

Closer to the soundness result of Section 3 are the adequacy results relating term graph rewriting and rational term rewriting proposed in [21] and [8]. In fact, possibly cyclic finite term graphs can be considered as an alternative finite representation of rational terms, where also "horizontal sharing" is allowed. In [21], the notion of adequacy between rewriting systems is introduced, which is essentially equivalent to soundness plus a form of partial completeness.⁶ In the same paper, an adequacy result is presented between term graph rewriting and rational term rewriting defined using [22]; however, the result is restricted to the case of systems with at most one collapsing rule, or modulo hypercollapsing towers. In [8] instead, rational rewriting is defined exactly as in this paper, and it is shown that cyclic term graph rewriting using the algebraic approach is adequate for it, even in the presence of collapsing rules.

In the last section we showed essentially that the main result of the paper can be rephrased in a very elegant way by making explicit the algebraic structure of the one-step reductions (using proof terms). Recall that, by Theorem 7, rational terms are $\equiv$-equivalence classes of μ-terms. Giving to one-step reductions of μ-terms in an obvious way a μ-term structure over a suitable signature, we are able to recover rational rewriting by imposing the congruence $\equiv$ on proof terms as well. In other words, the relationship between μ-term and rational one-step rewriting is obtained simply by lifting the relationship between the corresponding classes of terms to the level of reductions. And one can go further, by lifting the same relationship to the level of rewriting sequences; due to space limitations the results we sketch here will appear in the full paper only. Full rewriting logic introduces a binary operator modeling sequential composition, and lifts the same algebraic structure of one-step reductions to whole derivations as well. The resulting structure provides a bridge between the standard presentation of rewriting and categorical models based on 2-categories as proposed for example in [26, 27], where arrows represent terms and cells represent rewriting sequences. As in the case of the "one-step" variants, we can consider both (full) preiteration and rational rewriting logic, and the corresponding categorical presentations based on preiteration and iteration 2-categories, respectively [5]. Furthermore, it can be shown that they can be generated via a free construction from a suitable representation of a term rewriting system as a suitable computad. Finally, we mention that the formal framework just described, consisting in lifting the algebraic structure of terms to the level of reductions and of rewriting sequences and obtaining in this way categorical models, provides one interesting application of the general methodology for the semantics of structured transition systems proposed in [10].

⁶ As a concrete example, the result presented in Theorem 20, which is actually stronger than a soundness result by point (2), could be rephrased as "parallel μ-term rewriting is adequate for rational term rewriting".
References
1. A. Arnold and M. Nivat. The metric space of infinite trees, algebraic and topological properties. Fundamenta Informaticae, 4:445-476, 1980.
2. S. Bloom. Varieties of ordered algebras. Journal of Computer and System Science, 13:200-210, 1976.
3. S. Bloom and Z. Ésik. Iteration Theories. EATCS Monographs on Theoretical Computer Science. Springer Verlag, 1993.
4. S. Bloom and Z. Ésik. Solving polynomial fixed point equations. In Mathematical Foundations of Computer Science, volume 841 of LNCS, pages 52-67. Springer Verlag, 1994.
5. S.L. Bloom, Z. Ésik, A. Labella, and E.G. Manes. Iteration 2-theories. In Proceedings AMAST'97, 1997. To appear.
6. G. Boudol. Computational semantics of term rewriting systems. In M. Nivat and J. Reynolds, editors, Algebraic Methods in Semantics, pages 170-235. Cambridge University Press, 1985.
7. A. Corradini. Term rewriting in $CT_\Sigma$. In Proceedings CAAP'93, volume 668 of LNCS, pages 468-484. Springer Verlag, 1993.
8. A. Corradini and F. Drewes. (Cyclic) term graph rewriting is adequate for rational parallel term rewriting. Technical Report TR-97-14, Dipartimento di Informatica, Pisa, 1997.
9. A. Corradini and F. Gadducci. CPO models for infinite term rewriting. In Algebraic Methodology and Software Technology, volume 936 of LNCS, pages 368-384. Springer Verlag, 1995.
10. A. Corradini and U. Montanari. An algebraic semantics for structured transition systems and its application to logic programs. Theoret. Comput. Sci., 103:51-106, 1992.
11. N. Dershowitz and S. Kaplan. Rewrite, rewrite, rewrite, rewrite, rewrite.... In Proc. POPL'89, Austin, pages 250-259, 1989.
12. N. Dershowitz, S. Kaplan, and D.A. Plaisted. Infinite normal forms (plus corrigendum). In Proc. ICALP'89, pages 249-262, 1989.
13. C.C. Elgot. Monadic computations and iterative algebraic theories. In Logic Colloquium 1973, volume 80 of Studies in Logic, pages 153-169. North Holland, 1975.
14. C.C. Elgot, C.C. Bloom, and R. Tindell. The algebraic structure of rooted trees. Journal of Computer and System Science, 16:362-339, 1978.
15. W.M. Farmer, J.D. Ramsdell, and R.J. Watro. A correctness proof for combinator reduction with cycles. ACM Trans. Program. Lang. Syst., 12:123-134, 1990.
16. W.M. Farmer and R.J. Watro. Redex capturing in term graph rewriting. In R.V. Book, editor, Proceedings of the 4th International Conference on Rewriting Techniques and Applications (RTA'91), volume 488 of LNCS, pages 13-24. Springer Verlag, 1991.
17. S. Ginali. Regular trees and the free iterative theory. Journal of Computer and System Science, 18:222-242, 1979.
18. J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Some fundamentals of order-algebraic semantics. In Mathematical Foundations of Computer Science, volume 45 of LNCS, pages 153-168. Springer Verlag, 1976.
19. J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Initial algebra semantics and continuous algebras. Journal of the ACM, 24:68-95, 1977.
20. P. Inverardi and M. Venturini-Zilli. Rational rewriting. In Mathematical Foundations of Computer Science, volume 841 of LNCS, pages 433-442. Springer Verlag, 1994.
21. J.R. Kennaway, J.W. Klop, M.R. Sleep, and F.J. de Vries. On the adequacy of graph rewriting for simulating term rewriting. ACM Trans. Program. Lang. Syst., 16:493-523, 1994.
22. J.R. Kennaway, J.W. Klop, M.R. Sleep, and F.J. de Vries. Transfinite reductions in orthogonal term rewriting systems. Information and Computation, 119:18-38, 1995.
23. C. Laneve and U. Montanari. Axiomatizing permutation equivalence in the λ-calculus. Mathematical Structures in Computer Science, 6:219-249, 1996.
24. F.W. Lawvere. Functorial semantics of algebraic theories. Proc. National Academy of Science, 50:869-872, 1963.
25. J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoret. Comput. Sci., 96:73-155, 1992.
26. A.J. Power. An abstract formulation for rewrite systems. In Proceedings Category Theory in Computer Science, volume 389 of LNCS, pages 300-312. Springer Verlag, 1989.
27. D.E. Rydeheard and E.G. Stell. Foundations of equational deductions: A categorical treatment of equational proofs and unification algorithms. In Proceedings Category Theory in Computer Science, volume 283 of LNCS, pages 114-139. Springer Verlag, 1987.
The Appearance of Big Integers in Exact Real Arithmetic Based on Linear Fractional Transformations*
Reinhold Heckmann
FB 14 - Informatik, Universität des Saarlandes, Postfach 151150, D-66041 Saarbrücken, Germany
e-mail: heckmann@cs.uni-sb.de
Abstract. One possible approach to exact real arithmetic is to use linear fractional transformations to represent real numbers and computations on real numbers. In this paper, we show that the bit sizes of the (integer) parameters of nearly all transformations used in computations are proportional to the number of basic computational steps executed so far. Here, a basic step means consuming one digit of the argument(s) or producing one digit of the result.
1 Introduction
Linear Fractional Transformations (LFT's) provide an elegant approach to real number arithmetic [8, 16, 11, 14, 12, 6]. One-dimensional LFT's $x \mapsto \frac{ax+c}{bx+d}$ are used as digits and to implement basic functions, while two-dimensional LFT's $(x, y) \mapsto \frac{axy+cx+ey+g}{bxy+dx+fy+h}$ provide binary operations such as addition and multiplication, and can be combined to infinite expression trees denoting transcendental functions. In Section 2, we present the details of the LFT approach. This provides the background for understanding the results in the remainder of this paper.
* Most of the results in this paper were found during a visiting fellowship of the author at Imperial College, London. This visit was organised by Abbas Edalat and funded by EPSRC.
LFT's can be modelled within linear algebra. If the four parameters of a one-dimensional LFT are written as a (2,2)-matrix (shortly called matrix), functional composition becomes matrix multiplication. Likewise, the eight parameters of a two-dimensional LFT can be written as a (2,4)-matrix (called tensor). We refer to matrices and tensors collectively as transforms. Basic computational steps such as consuming one digit of the argument(s) (absorption) or producing one digit of the result (emission) can be realised as variants of matrix multiplication applied to a transform and a digit matrix.
Usually, all the transforms used in real number arithmetic have integer components. Naively, one may think that these components become bigger by absorptions, and become smaller again by emissions. Technically, the components may decrease by reduction, i.e., division of all components of the transform by
a common factor; as transforms denote rational functions, reduction does not affect their semantics. Practical experiments have shown, however, that in most cases, the potential for reduction is negligible. The greatest common factor of the components of a transform is usually 1, and in nearly all of the remaining cases, it is just 2. In Sections 3 and 4, we show some upper and lower bounds for common factors. The full proof of the practically observed behaviour is obtained later (Corollary 12 in Section 6.4). Practical experiments have also shown that in most cases, the bit size of the entries of a transform is roughly equal to the number of emitted digits. The main contribution of this paper is the formalisation (and of course proof) of these practical observations. First, we derive upper bounds for the sizes of the entries of a transform in Section 5. In Section 6, lower bounds for the determinant and the size of the biggest entry are obtained in the case of matrices. Tensors are handled in Section 7. Finally, we discuss these results and their impact on the complexity of real number computation.
2 Exact Real Arithmetic by Linear Fractional Transformations
In this section, we present the framework of exact real arithmetic by LFT's [8, 16, 11]. After a general introduction, we specialise to the version used by the group of Edalat and Potts at Imperial College [14, 12, 13, 15, 6].

2.1 From Digit Streams to Linear Fractional Transformations
There are many ways to represent real numbers as infinite objects [3, 2, 4, 5]. Here, we are only concerned with representations as infinite streams of "digits". These streams are evaluated incrementally; at any given time, only a finite prefix of the stream is known. There are several different stream representations which can be grouped into two large families: variations of the familiar decimal representation [1, 3, 2, 5, 7, 11, 10], and continued fraction expansions [8, 16, 9]. For the first family, consider the usual decimal representation.¹ A number such as 0.142... can be unravelled from left to right as follows:
$$0.142\ldots = \tfrac{1}{10}(1 + 0.42\ldots); \qquad 0.42\ldots = \tfrac{1}{10}(4 + 0.2\ldots); \qquad 0.2\ldots = \tfrac{1}{10}(2 + 0.\ldots)$$
Thus, every digit d corresponds to an affine map $\alpha_d$ with $\alpha_d(x) = \tfrac{1}{10}(d + x) = \frac{x+d}{10}$. A number of the form 0.... can be any element of the closed interval [0, 1], and so, a number of the form 0.142... can be any element of the interval $(\alpha_1 \circ \alpha_4 \circ \alpha_2)[0, 1] = [0.142, 0.143]$. In general, the infinite stream $0.d_1 d_2 d_3 \ldots$ represents the unique real number in the intersection $\bigcap_{n \ge 1} (\alpha_{d_1} \circ \cdots \circ \alpha_{d_n})[0, 1]$.
¹ This representation is not suitable for practical purposes, as it lacks redundancy, and thus, most arithmetic functions are not computable. However, it provides a familiar example.
In the classical continued fraction expansion, irrational numbers in the interval $[0, \infty]$ can be written as $a_0 + \cfrac{b_1}{a_1 + \cfrac{b_2}{a_2 + \cdots}}$ with natural numbers $a_n$ and $b_n$. Every pair $p = (a, b)$ corresponds to the rational function $\rho_p$ with $\rho_p(x) = a + \frac{b}{x} = \frac{ax+b}{x}$. Similar to the case above, an infinite continued fraction corresponds to the intersection $\bigcap_{n \ge 1} (\rho_{p_1} \circ \cdots \circ \rho_{p_n})[0, \infty]$.
The formal similarity between the two approaches presented above leads to the following generalisation [8, 16, 14, 12, 13, 15, 6]: Real numbers in some base interval I are represented by infinite streams of digits. Digits are certain Linear Fractional Transformations (LFT's) $x \mapsto \frac{ax+c}{bx+d}$, parameterised by numbers a, b, c, d (in practical cases usually integers). The meaning of an infinite stream $r_1, r_2, \ldots$ of LFT's is the intersection $\bigcap_{n=1}^{\infty} (r_1 \circ \cdots \circ r_n)(I)$. This intersection is filtered (decreasing) if $r_n(I) \subseteq I$ holds for all digits $r_n$.
2.2 LFT's and Matrices
Every 2-2-matrix $A = \begin{pmatrix} a & c \\ b & d \end{pmatrix}$ of real numbers denotes an LFT $\langle A \rangle$, which is given by $\langle A \rangle(x) = \frac{ax+c}{bx+d}$. LFT's described by non-singular matrices, i.e., matrices A with determinant $\det A = ad - bc \ne 0$, are considered as endofunctions of $\mathbb{R}^* = \mathbb{R} \cup \{\infty\}$, the one-point compactification of the real line. The value $\infty$ arises as $r/0$ with $r \ne 0$, and on the other hand, $\langle A \rangle(\infty)$ is defined to be $a/b$. For LFT's described by singular matrices, an additional 'number' $\bot$ (undefined) is needed which arises as $0/0$. The value of $\langle A \rangle(\bot)$ is defined to be $\bot$. The mapping $A \mapsto \langle A \rangle$ is not one-to-one; for, $\langle A \rangle = \langle rA \rangle$ holds for all $r \ne 0$. We shall write $A \simeq B$ if $\langle A \rangle = \langle B \rangle$, or equivalently $B = rA$ for some $r \ne 0$. Composition of LFT's can be expressed by matrix multiplication: $\langle A \rangle \circ \langle B \rangle = \langle A \cdot B \rangle$. The equivalence relation '$\simeq$' is a congruence w.r.t. multiplication. The determinant $\det A$ is a well-known property of a matrix A:
$$\det \begin{pmatrix} a & c \\ b & d \end{pmatrix} = ad - bc, \qquad \det(A \cdot B) = \det A \cdot \det B, \qquad \det(rA) = r^2 \det A \quad (1)$$
By the last equation, the determinant of a matrix is not invariant under equivalence '$\simeq$', but its sign (1, 0, or −1) is, i.e., the sign of the determinant of A is a well-defined property of the LFT $\langle A \rangle$. LFT's with non-zero determinant (non-singular LFT's) are invertible; $\langle A \rangle^{-1}$ is given by $\langle A^{-1} \rangle$. Thus, non-singular LFT's form a group under composition. A rational LFT is an LFT which can be represented by a matrix with rational entries, and therefore even by an integer matrix. As $\langle A \rangle = \langle kA \rangle$ for $k \ne 0$, there are infinitely many integer matrices denoting the same rational LFT. An integer matrix is called k-reducible if k is a common factor of its four components. Division of a k-reducible matrix by k is called reduction by k. A matrix is in lowest terms if there is no common factor other than 1 and −1. All integer matrices different from $\begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}$ are equivalent to an integer matrix in lowest terms.
To obtain an integer representation of $\langle A \rangle^{-1}$ for a non-singular integer matrix A, the pseudo-inverse $A^*$ can be used. It is defined by
$$\begin{pmatrix} a & c \\ b & d \end{pmatrix}^* = \begin{pmatrix} d & -c \\ -b & a \end{pmatrix}. \quad (2)$$
Clearly, $\det(A^*) = \det A$ holds. The main property of the pseudo-inverse operation is
$$A \cdot A^* = A^* \cdot A = \det A \cdot E \quad (3)$$
where $E = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ is the identity matrix, and so, $A \cdot A^* = A^* \cdot A \simeq E$ if $\det A \ne 0$, whence $\langle A \rangle^{-1} = \langle A^* \rangle$.

2.3 The Signed Digit Approach
The group of Edalat and Potts at Imperial College [13, 6] represents the elements of $\mathbb{R}^* = \mathbb{R} \cup \{\infty\}$ as infinite streams of matrices $S, D_1, D_2, \ldots$, standing for LFT's. The first matrix is a sign matrix, while the remaining ones are digit matrices. The base interval is $[0, \infty]$, and so, the meaning of the stream is
$$\bigcap_{n=1}^{\infty} \langle S \cdot D_1 \cdot \ldots \cdot D_n \rangle [0, \infty]. \quad (4)$$
The base interval $[0, \infty]$ was chosen because there is a simple check for the inclusion property [14]: for a non-singular matrix A, $\langle A \rangle[0, \infty] \subseteq [0, \infty]$ holds iff all four entries of A are $\ge 0$, or all are $\le 0$. Matrices with entries $\ge 0$ are called positive. Digit matrices are positive, and so, the intersection (4) is filtered (decreasing).
The number set $\mathbb{R}^*$ can be visualised as a circle. Intervals $[u, v]$ are counter-clockwise arcs from u to v, e.g., $[0, 1] = \{x \in \mathbb{R} \mid 0 \le x \le 1\}$, and $[1, 0] = \{x \in \mathbb{R} \mid 1 \le x \text{ or } x \le 0\} \cup \{\infty\}$.
[Figure: the circle $\mathbb{R}^*$ with the points $\infty$, −1, 0, and 1 marked.]
There are four possible sign matrices, corresponding to rotations by 0°, 90°, 180°, and 270°. They can be explicitly described as follows:
$$S_+ = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \langle S_+ \rangle[0, \infty] = [0, \infty]; \qquad S_\infty = \begin{pmatrix} 1 & 1 \\ -1 & 1 \end{pmatrix}, \quad \langle S_\infty \rangle[0, \infty] = [1, -1];$$
$$S_- = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \quad \langle S_- \rangle[0, \infty] = [\infty, 0]; \qquad S_0 = \begin{pmatrix} 1 & -1 \\ 1 & 1 \end{pmatrix}, \quad \langle S_0 \rangle[0, \infty] = [-1, 1].$$
$S_0$ and $S_\infty$ are pseudo-inverse to each other; $S_0 \cdot S_\infty = S_\infty \cdot S_0 = 2E$ holds. There are many possible sets of digit matrices, one for every base $r > 1$. Edalat and Potts [6] discuss non-integer bases, but their implementation uses base $r = 2$. In this paper, we consider integer bases $r > 1$.
Fix an integer $r > 1$. Every real number in the interval $[-1, 1]$ has a representation as $\sum_{n=1}^{\infty} k_n r^{-n}$ with integer digits $k_n$ satisfying $|k_n| < r$. (Digits may be negative [1].) As in Section 2.1, these digits correspond to affine maps $\alpha_k^r = \langle A_k^r \rangle$ with $A_k^r = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix}$. Since the base interval is not $[-1, 1]$, but $[0, \infty]$, the maps $\alpha_k^r$ have to be transformed into that interval. This can be done by composition with the maps $\langle S_\infty \rangle$ and $\langle S_0 \rangle$, which are mutually inverse bijections between $[-1, 1]$ and $[0, \infty]$. Thus, the actual digit matrices are
$$D_k^r = S_\infty \cdot A_k^r \cdot S_0 = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix} \quad (5)$$
Since the two entries in the top row differ by 2, these matrices are either in lowest terms or 2-reducible. The latter case occurs iff the parities of r and k are different. In this case, reduction by 2 may be performed. Hence, we distinguish between unreduced digits $D_k^r$ and reduced digits $\hat{D}_k^r = \frac{1}{2} D_k^r$. Table 1 illustrates the case $r = 2$. In the column "lowest terms", the first and third matrix ($k \ne 0$) are reduced, while the second matrix ($k = 0$) is unreduced.

Table 1. Digit matrices for base 2 (matrices written row by row, rows separated by semicolons)
  k  | A_k^2        | D_k^2        | lowest terms | <D_k^2>([0, inf])
 -1  | (1 -1; 0 2)  | (2 0; 2 4)   | (1 0; 1 2)   | [0, 1]
  0  | (1 0; 0 2)   | (3 1; 1 3)   | (3 1; 1 3)   | [1/3, 3]
  1  | (1 1; 0 2)   | (4 2; 0 2)   | (2 1; 0 1)   | [1, inf]
2.4 Computation by LFT's
LFT's can not only be used to represent real numbers, but also to perform computations with real numbers. For the sake of simplicity, we only present computations within the interval $[0, \infty]$ where real numbers can be represented by a stream of digit matrices without a leading sign matrix. Using suitable LFT's $x \mapsto \frac{ax+c}{bx+d}$, basic functions such as $x \mapsto x + 1$ and $x \mapsto 2x$ can be easily expressed. Recall that an LFT maps $[0, \infty]$ into itself iff it can be represented by a positive matrix (all components $\ge 0$). Given a positive matrix M, the actual computation of $\langle M \rangle(x)$ is performed by a sequence of absorptions and emissions. Absorption means that M consumes the first digit D of x, thereby becoming $M \cdot D$, which is positive again. It corresponds to the equality
$$M \cdot (D_1 \cdot D_2 \cdot \ldots) = (M \cdot D_1) \cdot (D_2 \cdot \ldots). \quad (6)$$
Emission means that M produces one further digit D of the result, thereby becoming $D^* \cdot M$. It corresponds to the equivalence
$$(D_1 \cdot \ldots \cdot D_n) \cdot M \simeq (D_1 \cdot \ldots \cdot D_n \cdot D) \cdot (D^* \cdot M). \quad (7)$$
Emission of a digit D is allowed only if $D^* \cdot M$ is positive. Therefore, a possible strategy for the computation of $\langle M \rangle(x)$ is as follows: emit digits until no further emission is possible, then absorb one digit of x, again emit digits until no longer possible, etc.
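As an added illustration of the emit-until-blocked strategy just described (example code written for this page, not code from the paper or from the Imperial College implementation; the helper names are my own), the following Python builds the base-r digit matrices of equation (5), keeps every transform in lowest terms, computes $\langle M \rangle(x)$ digit by digit from a digit stream of x, and turns an emitted prefix back into the interval it denotes:

```python
from fractions import Fraction
from math import gcd

# Constructed example for this page (not code from the paper or from the
# Imperial College implementation): the signed-digit LFT machinery of
# Sections 2.2 to 2.4 with exact integer matrices and gcd reduction.
# A matrix (a c; b d) is stored as ((a, c), (b, d)) and denotes x -> (ax+c)/(bx+d).

S_INF = ((1, 1), (-1, 1))    # sign matrix S_inf, maps [-1, 1] onto [0, inf]
S_0 = ((1, -1), (1, 1))      # sign matrix S_0, maps [0, inf] onto [-1, 1]; S_0.S_inf = 2E


def mul(A, B):
    """Product of integer matrices given as tuples of rows (2x2 times 2xN)."""
    return tuple(tuple(sum(A[i][m] * B[m][j] for m in range(len(B)))
                       for j in range(len(B[0]))) for i in range(len(A)))


def pseudo_inverse(A):
    """A* = (d -c; -b a), so that A . A* = A* . A = det A . E (equation (3))."""
    (a, c), (b, d) = A
    return ((d, -c), (-b, a))


def lowest_terms(A):
    """Divide all entries by their gcd; flip the sign if all entries are <= 0."""
    entries = [x for row in A for x in row]
    g = 0
    for x in entries:
        g = gcd(g, x)
    g = g or 1
    if all(x <= 0 for x in entries):
        g = -g
    return tuple(tuple(x // g for x in row) for row in A)


def positive(A):
    """<A> maps [0, inf] into itself iff all entries are >= 0 or all are <= 0."""
    entries = [x for row in A for x in row]
    return all(x >= 0 for x in entries) or all(x <= 0 for x in entries)


def digit(r, k):
    """Digit matrix D_k^r = S_inf . A_k^r . S_0 of equation (5), in lowest terms."""
    assert abs(k) < r
    A = ((1, k), (0, r))                       # affine map x -> (x + k) / r
    return lowest_terms(mul(mul(S_INF, A), S_0))


def digit_stream(p, q, r):
    """Lazily produce base-r digits of the rational p/q in [0, inf] (p, q >= 0,
    q = 0 meaning inf). The column vector (p, q) is treated like a transform:
    D is emitted when D* . (p, q) is positive, i.e. when p/q lies in <D>[0, inf]."""
    v = ((p,), (q,))
    while True:
        for k in range(-(r - 1), r):
            w = mul(pseudo_inverse(digit(r, k)), v)
            if positive(w):
                yield k
                v = lowest_terms(w)
                break
        else:
            raise ValueError("no digit interval contains the value")


def compute(M, x_digits, r, n_out):
    """Emit n_out result digits of <M>(x) for a positive integer matrix M and x
    given by its digit stream, with the strategy of Section 2.4: emit while some
    D* . M is positive, otherwise absorb one digit of x (equation (6)); reduce
    after every transaction. Returns (emitted digits, final matrix)."""
    M = lowest_terms(M)
    out = []
    while len(out) < n_out:
        for k in range(-(r - 1), r):
            N = mul(pseudo_inverse(digit(r, k)), M)
            if positive(N):                        # emission (equation (7))
                out.append(k)
                M = lowest_terms(N)
                break
        else:
            M = lowest_terms(mul(M, digit(r, next(x_digits))))
    return out, M


def stream_interval(digits, r):
    """Interval <D_1 ... D_n>[0, inf] denoted by a finite digit prefix, as a pair
    of Fractions (None stands for inf); it must contain the represented number."""
    P = ((1, 0), (0, 1))
    for k in digits:
        P = mul(P, digit(r, k))
    (a, c), (b, d) = P
    return (Fraction(c, d) if d else None, Fraction(a, b) if b else None)


if __name__ == "__main__":
    x = digit_stream(1, 3, 2)                      # x = 1/3 as a base-2 digit stream
    out, _ = compute(((1, 1), (0, 1)), x, 2, 12)   # <(1 1; 0 1)>(x) = x + 1
    print(out, stream_interval(out, 2))
```

Note that the matrices keep growing even though every transaction is followed by a full gcd reduction, which is the phenomenon the later sections quantify.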
2.5 Tensors
To compute sums, products, etc., two-dimensional LFT's are employed. They are characterised by 8 parameters, and thus can be represented by 2-4-matrices, so called tensors. A tensor $T = \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix}$ denotes the function $\langle T \rangle : \mathbb{R}^* \times \mathbb{R}^* \to \mathbb{R}^*$ given by $\langle T \rangle(x, y) = \frac{axy+cx+ey+g}{bxy+dx+fy+h}$. For integer tensors, the notions of reducible, reduction, and lowest terms can be defined analogous to the case of matrices. Likewise for positivity: a two-dimensional LFT maps $[0, \infty]^2$ to $[0, \infty]$ iff it can be represented by a positive tensor, i.e., a tensor with components $\ge 0$. Because of these analogies, we refer to matrices and tensors collectively as transforms.
It is easy to represent addition, subtraction, multiplication, and division by suitable integer tensors [8, 16, 14, 12, 13]. Tensors may also be used to represent transcendental functions, e.g., $\arctan x = \langle T_0 \rangle(x, \langle T_1 \rangle(x, \langle T_2 \rangle(x, \ldots)))$ where $T_n = \begin{pmatrix} 0 & 1 & 0 & 0 \\ (n+1)^2 & 0 & 0 & 2n+1 \end{pmatrix}$.
It remains to show how to actually compute $\langle T \rangle(x, y)$ for a given positive integer tensor T [12, 13]. Emissions can be done as in the one-dimensional case: in emitting a digit D, tensor T is replaced by $D^* \cdot T$, which is a tensor again. Emission of D is only allowed if $D^* \cdot T$ is positive. Since digits can be absorbed from both arguments, there are two kinds of absorptions: absorption of a digit D from the left argument transforms T into $T \cdot L(D)$, while absorption from the right argument yields $T \cdot R(D)$. Here, $L(D)$ means $D \otimes E$, and $R(D)$ means $E \otimes D$. An explicit definition of these operations looks as follows:
$$L \begin{pmatrix} a & c \\ b & d \end{pmatrix} = \begin{pmatrix} a & 0 & c & 0 \\ 0 & a & 0 & c \\ b & 0 & d & 0 \\ 0 & b & 0 & d \end{pmatrix}, \qquad R \begin{pmatrix} a & c \\ b & d \end{pmatrix} = \begin{pmatrix} a & c & 0 & 0 \\ b & d & 0 & 0 \\ 0 & 0 & a & c \\ 0 & 0 & b & d \end{pmatrix} \quad (8)$$
They satisfy the following equations:
$$L(A \cdot B) = L(A) \cdot L(B), \qquad R(A \cdot B) = R(A) \cdot R(B) \quad (9)$$
$$L(E) = R(E) = E_4, \qquad L(A) \cdot R(B) = R(B) \cdot L(A) \quad (10)$$
where $E_4$ denotes the identity 4-4-matrix.
Right absorption can be easily expressed with block matrices. Observe $R(A) = \begin{pmatrix} A & 0 \\ 0 & A \end{pmatrix}$ where the four entries are matrices. Likewise, a tensor can be written as a row $(T^L, T^R)$ of two matrices, and so
$$(T^L, T^R) \cdot R(A) = (T^L A, T^R A). \quad (11)$$
Left and right absorption are closely connected. Let $T^\times$ be T with the two middle columns exchanged. Then
$$(T \cdot L(D))^\times = T^\times \cdot R(D), \qquad (T \cdot R(D))^\times = T^\times \cdot L(D). \quad (12)$$
Later, we shall see that D-emissions and D-absorptions have many properties in common. Thus, we introduce a common name: a D-transaction at a transform is either a D-emission or a D-absorption.
3 Small Factors
After a transaction at a transform in lowest terms, the entries of the result may have a non-trivial common factor. The most drastic example is $D^* \cdot D = \det D \cdot E$ for a digit matrix D. Yet apart from this, practical experience shows that common factors are usually quite small. The goal of this section is to find bounds for such factors. We start off with a property involving determinants.
Proposition 1. Let A be a matrix, and let B be a transform in lowest terms. Then every common factor of the entries of $A \cdot B$ divides $\det A$.
Proof. Let g be a common factor of $A \cdot B$, i.e., $A \cdot B = gC$ for some transform C. We may compute:
$$g \cdot (A^* \cdot C) = A^* \cdot gC = A^* \cdot A \cdot B \overset{(3)}{=} (\det A \cdot E) \cdot B = (\det A) \cdot B.$$
Hence, g divides $(\det A) \cdot B$. Since B is in lowest terms, g must divide $\det A$.
For matrices, there is a dual statement with an analogous proof so that we obtain:
Theorem 2. Let A and B be matrices in lowest terms. Then every common factor of $A \cdot B$ divides both $\det A$ and $\det B$.
There is a similar statement for the two versions of multiplying a tensor and a matrix:
Proposition 3. Let T be a tensor in lowest terms, and M an arbitrary matrix. Then every common factor of $T \cdot L(M)$ or $T \cdot R(M)$ divides $\det M$.
Proof. We consider the L case; the other one is analogous. If $T \cdot L(M) = gC$ for some tensor C, then
$$g \cdot (C \cdot L(M^*)) = T \cdot L(M) \cdot L(M^*) \overset{(9)}{=} T \cdot L(M \cdot M^*) \overset{(3)}{=} T \cdot L(\det M \cdot E) \overset{(10)}{=} T \cdot (\det M \cdot E_4) = (\det M) \cdot T.$$
Since T is in lowest terms, g divides $\det M$. □
Now, consider a transform T in lowest terms. Let $T'$ be the result of a D-absorption at T, i.e., $T' = T \cdot D$ if T is a matrix, or $T' \in \{T \cdot L(D), T \cdot R(D)\}$ if T is a tensor. By Theorem 2 and Proposition 3, any common factor of $T'$ divides $\det D$. If $T'$ is the result of a D-emission at T, i.e., $T' = D^* \cdot T$, then by Prop. 1 any common factor of $T'$ divides $\det D^* = \det D$. Summarising, we obtain:
Theorem 4. Let T be a transform in lowest terms, and D a digit matrix. After a D-transaction at T, any common factor of the result divides $\det D$.
How big is $\det D$? Recall the definition of the digit matrices for base r from Section 2.3. As $A_k^r = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix}$, $\det A_k^r$ is r. Since $\det S_0 = \det S_\infty = 2$, we have $\det D_k^r = \det(S_\infty A_k^r S_0) = 4r$. Therefore, we obtain $\det \hat{D}_k^r = r$ for reduced digits $\hat{D}_k^r = \frac{1}{2} D_k^r$.
Corollary 5. Let T be a transform in lowest terms, and D a digit matrix for base r. After a D-transaction at T, any common factor of the result divides $4r$ if D is unreduced, and even divides r if D is reduced.
Specialising to the case $r = 2$, we see that any common factor of the result divides 2 in case of a transaction with a non-zero digit ($k \ne 0$), and divides 8 in case of $k = 0$. Corollary 12 in Section 6.4 shows that in many cases, the result of Corollary 5 can be strengthened from $4r$ (r) to 2 (1), ruling out most reductions.
4 Possibilities for Reductions
In the last section, we have seen that there is not much potential for reductions. Here, we show a result of opposite flavour: certain reductions are always possible. Consider unreduced digit matrices $D_k^r = S_\infty A_k^r S_0$. We have already mentioned that some of them are in lowest terms, while others are 2-reducible; higher reducibilities do not occur. Multiplying two digit matrices yields:
$$D_k^r \cdot D_{k'}^{r'} = S_\infty A_k^r S_0 S_\infty A_{k'}^{r'} S_0 = 2\, S_\infty A_k^r A_{k'}^{r'} S_0 = 2\, D_{kr'+k'}^{rr'} \quad (13)$$
Here, the second equality is due to $S_0 S_\infty = 2E$, and the third due to
$$A_k^r \cdot A_{k'}^{r'} = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix} \cdot \begin{pmatrix} 1 & k' \\ 0 & r' \end{pmatrix} = \begin{pmatrix} 1 & kr'+k' \\ 0 & rr' \end{pmatrix} \quad (14)$$
together with the estimation $|kr' + k'| \le (r-1)r' + (r'-1) = rr' - 1$. Iterating (13) leads to
$$D_{k_1}^r \cdot \ldots \cdot D_{k_n}^r = 2^{n-1} D_k^{r^n} \qquad \text{where } k = \sum_{i=1}^{n} k_i r^{n-i}. \quad (15)$$
Hence, we obtain:
1. The product of n digit matrices is always $2^{n-1}$-reducible.
2. After $2^{n-1}$-reduction, the result is again a digit matrix, and so it is either in lowest terms or 2-reducible.
The result of applying $n_1$ absorptions and $n_2$ emissions of unreduced digits to a matrix M has form $\Delta_2^* \cdot M \cdot \Delta_1$ where $\Delta_i$ is a product of $n_i$ digit matrices. Thus, the result has a common factor of $2^{n_1-1} \cdot 2^{n_2-1} = 2^{n_1+n_2-2}$. For a tensor T, we obtain a result of the form $\Delta_3^* \cdot T \cdot L(\Delta_2) \cdot R(\Delta_1)$, and thus a common factor of $2^{n_1+n_2+n_3-3}$.
Theorem 6. Let $T_0$ be some initial transform, and $T_n$ the result of applying n transactions with unreduced digits to $T_0$. Then $T_n$ is at least $2^{n-2}$-reducible in case of matrices, and at least $2^{n-3}$-reducible in case of tensors.
5 An Upper Bound for the Entries
Next, we derive an exponential upper bound for the entries of a transform after n transactions. An estimate for the entries is the maximum of their absolute values: $\left\| \begin{pmatrix} a & c \\ b & d \end{pmatrix} \right\| = \max(|a|, |b|, |c|, |d|)$ for matrices, and analogously for tensors, and vectors $\binom{u}{v}$. Let us consider how this norm is affected by emissions. Recall the definition of the digit matrices for base r (Equation (5) in Section 2.3):
$$D_k^r = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix} \quad (16)$$
Consider the product of $(D_k^r)^*$ with a vector $\binom{u}{v}$:
$$(D_k^r)^* \binom{u}{v} = \begin{pmatrix} 1-k+r & 1-k-r \\ 1+k-r & 1+k+r \end{pmatrix} \binom{u}{v} = \binom{(1-k)(u+v) + r(u-v)}{(1+k)(u+v) - r(u-v)} \quad (17)$$
Using $|k| < r$, we obtain
$$\left\| (D_k^r)^* \binom{u}{v} \right\| \le 2r \left\| \binom{u}{v} \right\|. \quad (18)$$
Since the norm of a transform is the maximum of the norms of its column vectors, we obtain $\|(D_k^r)^* \cdot T\| \le 2r \|T\|$ for unreduced digits. For reduced digits, the right hand side is $r \|T\|$.
Now, let us study absorption. For the absorption of a digit into a matrix, it suffices to consider products $(u, v) \cdot D_k^r$ of a row vector and a digit matrix:
$$(u, v) \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix} = \big( r(u+v) + (k+1)(u-v),\ r(u+v) + (k-1)(u-v) \big) \quad (19)$$
By an estimation as above, we obtain $\|M \cdot D_k^r\| \le 2r \|M\|$ for matrices M. By (11), the block formula for right absorption into a tensor, an analogous result holds for $\|T \cdot R(D_k^r)\|$, and by (12), the formula connecting left and right absorption, the same holds for $\|T \cdot L(D_k^r)\|$. Summarising, we obtain:
Proposition 7. Let T be a transform, D a digit matrix for base r, and $T'$ the result of a D-transaction at T. Then $\|T'\| \le 2r \|T\|$ if D is unreduced, and $\|T'\| \le r \|T\|$ if D is reduced.
By induction, we see that after n transactions, $\|T'\| \le (2r)^n \|T\|$ holds if unreduced digits are used. Applying all the reductions that are possible by Theorem 6, we obtain:
Theorem 8. Let $T_0$ be some initial transform, and $T_n$ the result of applying n transactions in base r to $T_0$, and all possible reductions. Then $\|T_n\| \le 4 r^n \|T_0\|$ in case of matrices, and $\|T_n\| \le 8 r^n \|T_0\|$ in case of tensors.
At the moment, there is some hope that further reductions may lead to a much smaller increase. Unfortunately, we shall soon see that this does not work; in most cases, an exponential increase is guaranteed.
6 Big Numbers in Matrices
In this section, we derive lower bounds for the entries of a matrix after n transactions and all possible reductions. This is done by observing how the determinant and another quantity, the column difference, are changed by transactions and reductions, and by deriving a reduction invariant from this.

6.1 Determinant
Determinants are easy because of $\det(A \cdot B) = \det A \cdot \det B$. The determinants of the digit matrices and their pseudo-inverses are calculated in Section 3 just before Corollary 5. In the following list, let M be a matrix, and let $M'$ be the result of applying a transaction to M.
- Transaction with an unreduced digit: $\det M' = 4r \det M$,
- Transaction with a reduced digit: $\det M' = r \det M$,
- Reduction by k: $\det M' = \frac{1}{k^2} \det M$.
These facts allow the derivation of an upper bound for the determinant after n transactions. Working with unreduced digits gives a factor of $(4r)^n$, and performing all reductions admitted by Theorem 6 gives a factor of $2^{-2(n-2)}$. Together, we get the following:
Theorem 9. Let $M_0$ be some initial matrix, and $M_n$ the result of applying n transactions in base r to $M_0$, and all possible reductions. Then $|\det M_n| \le 16 r^n |\det M_0|$.
6.2 Column Difference
Consider again the explicit formulae for digit matrices of base r and their inverses (Equation (5) in Section 2.3):
$$D_k^r = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix}, \qquad (D_k^r)^* = \begin{pmatrix} r-k+1 & 1-k-r \\ 1+k-r & r+k+1 \end{pmatrix}$$
It is easy to see that in both cases the difference of the two column sums is 0. This motivates the definition of the column difference $\operatorname{cd} \begin{pmatrix} a & c \\ b & d \end{pmatrix} = (a+b) - (c+d)$ of a matrix. Thus, $\operatorname{cd} D_k^r = \operatorname{cd} (D_k^r)^* = 0$. In general, $\operatorname{cd} A^* = -\operatorname{cd} A$ holds.
Let us compute the column difference of the product of $A = \begin{pmatrix} a & c \\ b & d \end{pmatrix}$ and $B = \begin{pmatrix} a' & c' \\ b' & d' \end{pmatrix}$:
$$\operatorname{cd}(A \cdot B) = \operatorname{cd} \begin{pmatrix} aa'+cb' & ac'+cd' \\ ba'+db' & bc'+dd' \end{pmatrix} = (a+b)a' + (c+d)b' - (a+b)c' - (c+d)d' = (a+b)(a'-c') - (c+d)(d'-b')$$
If $B = D_k^r$, then $a' - c' = d' - b' = 2$, and so, $\operatorname{cd}(A \cdot D_k^r) = 2 \operatorname{cd} A$. If $A = (D_k^r)^*$, then $a + b = c + d = 2$, and so, $\operatorname{cd}((D_k^r)^* \cdot B) = 2 \operatorname{cd} B$. If reduced digits are used instead, the factor 2 disappears. Thus, we obtain:
- Transaction with an unreduced digit: $\operatorname{cd} M' = 2 \operatorname{cd} M$,
- Transaction with a reduced digit: $\operatorname{cd} M' = \operatorname{cd} M$,
- Reduction by k: $\operatorname{cd} M' = \frac{1}{k} \operatorname{cd} M$.
Hence, the properties of having zero or non-zero column difference are transaction invariants.

6.3 The Quotient
Let M be a matrix with $\operatorname{cd} M \ne 0$. For such a matrix, the quotient $\operatorname{qcd} M = \frac{\det M}{(\operatorname{cd} M)^2}$ is a well-defined rational number. By a transaction with an unreduced digit, this quotient is multiplied by $\frac{4r}{2^2} = r$; by a transaction with a reduced digit, the factor is $\frac{r}{1^2} = r$; and a k-reduction yields a factor of $\frac{k^{-2}}{k^{-2}} = 1$. Thus, the quotient qcd is invariant under reductions, and is multiplied by r in every transaction.
Lemma 10. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying n transactions in base r to $M_0$, and all possible reductions. Then $\operatorname{qcd} M_n = r^n \operatorname{qcd} M_0$.
6.4 Big Determinant
The equation in Lemma 10 can be turned into an integer equation by multiplying with the denominators:
$$\det M_n \cdot (\operatorname{cd} M_0)^2 = r^n \cdot \det M_0 \cdot (\operatorname{cd} M_n)^2 \quad (20)$$
If $\operatorname{cd} M_0 \ne 0$, then $\operatorname{cd} M_n \ne 0$, too. As an integer, $(\operatorname{cd} M_n)^2$ is at least 1. Hence, we obtain:
$$|\det M_n| \cdot (\operatorname{cd} M_0)^2 \ge r^n \cdot |\det M_0| \quad (21)$$
This gives a lower bound for the determinant; an upper bound was provided by Theorem 9.
Theorem 11. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying n transactions in base r to $M_0$, and all possible reductions. Then
$$\frac{|\det M_0| \cdot r^n}{(\operatorname{cd} M_0)^2} \le |\det M_n| \le 16\, |\det M_0| \cdot r^n.$$
The upper bound was obtained by working with unreduced digits and performing the $2^{n-2}$-reduction guaranteed by Theorem 6. In case of $\det M_0 \ne 0$, the quotient of upper bound over lower bound shows that only a constant number of further reductions is possible; they combine to a factor of at most $4 \operatorname{cd} M_0$. This implies the promised strengthening of Corollary 5:
Corollary 12. When working with a matrix with non-zero determinant and column difference, the average maximal reducibility is 2 after a transaction with an unreduced digit, and 1 after a transaction with a reduced digit.

6.5 Law of Big Numbers for Matrices
A lower bound for the determinant of a matrix M can be turned into a lower bound for the norm $\|M\|$ using the inequality $\|M\| \ge \sqrt{\tfrac{1}{2} |\det M|}$, which follows from the definition of the determinant as $\det \begin{pmatrix} a & c \\ b & d \end{pmatrix} = ad - bc$. Thus, we obtain together with Theorem 8:
Theorem 13. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying n transactions in base r to $M_0$, and all possible reductions. Then
$$\sqrt{\frac{|\det M_0|}{2 (\operatorname{cd} M_0)^2}} \cdot (\sqrt{r})^n \le \|M_n\| \le 4 \|M_0\| \cdot r^n.$$
Thus, if in addition $\det M_0 \ne 0$, even if all possible reductions are performed, the entries of the matrix are bound to grow exponentially in the number of transactions. It sounds a bit more optimistic to speak of the bit sizes of the entries instead of the entries themselves. The bit size of a number m is $\log m$.
Theorem 14 (Law of big numbers). Let M be a matrix with non-zero determinant and non-zero column difference. After n transactions at M, at least one entry of the result has bit size $\Omega(n)$, even if all possible reductions are performed.
The law of big numbers means that the usage of big integers is unavoidable in exact real arithmetic, at least in the signed digit approach of Edalat's group. It applies even in the simplest cases. For instance, doubling of an unsigned real is effected by the matrix $\begin{pmatrix} 2 & 0 \\ 0 & 1 \end{pmatrix}$ that has determinant 2 and column difference 1, halving by $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ with determinant 2 and column difference −1, and addition of 1 by the matrix $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ with determinant 1 and column difference −1. The law of big numbers does not apply to matrices with zero column difference. The simplest example is the identity matrix $E = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. According to (3), after a D-absorption, a subsequent D-emission, and a reduction by $\det D$, the identity matrix is recovered. Repeating this cycle, we see that there are arbitrarily long sequences of transactions at the identity matrix which do not lead to entries bigger than $4r$. It is an open problem whether such a fixed bound can be found for any matrix with column difference 0.

7 Big Numbers in Tensors
In this section, we derive analogues of the results of the previous section for tensors. The proceeding is similar, but a major obstacle is that tensors do not have determinants. Fortunately, a suitable substitute can be found.

7.1 Double Column Difference
We start by introducing an analogue to the column difference of a matrix. For a tensor T, the double column difference $\operatorname{dcd} T$ is defined by
$$\operatorname{dcd} \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix} = (a+b) - (c+d) - (e+f) + (g+h). \quad (22)$$
Writing a tensor T as a row $(T^L, T^R)$ of two matrices, the double column difference can be reduced to the column differences of the two matrices: $\operatorname{dcd}(T^L, T^R) = \operatorname{cd} T^L - \operatorname{cd} T^R$. Hence, by (11) and the properties of cd, we obtain for all digit matrices D
$$\operatorname{dcd}((T^L, T^R) \cdot R(D)) = \operatorname{cd}(T^L \cdot D) - \operatorname{cd}(T^R \cdot D) = 2 \operatorname{dcd}(T^L, T^R).$$
By $(T \cdot R(D))^\times = T^\times \cdot L(D)$ (12) and $\operatorname{dcd}(T^\times) = \operatorname{dcd} T$, we obtain the corresponding formula $\operatorname{dcd}(T \cdot L(D)) = 2 \operatorname{dcd} T$. We still have to derive a formula for emission. Recall (17)
$$(D_k^r)^* \binom{u}{v} = \binom{u'}{v'} = \binom{(1-k)(u+v) + r(u-v)}{(1+k)(u+v) - r(u-v)} \quad (23)$$
which implies
$$u' + v' = 2(u + v). \quad (24)$$
From this, $\operatorname{dcd}(D^* \cdot T) = 2 \operatorname{dcd} T$ follows for all digit matrices D. Therefore, dcd for tensors behaves exactly as cd for matrices:
- Transaction with an unreduced digit: $\operatorname{dcd} T' = 2 \operatorname{dcd} T$,
- Transaction with a reduced digit: $\operatorname{dcd} T' = \operatorname{dcd} T$,
- Reduction by k: $\operatorname{dcd} T' = \frac{1}{k} \operatorname{dcd} T$.
Again, the properties of having zero or non-zero double column difference are transaction invariants.
7.2 Column Determinant
A suitable substitute for the determinant of a matrix is the column determinant $\operatorname{cdet} T$ of a tensor T, defined by
$$\operatorname{cdet} \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix} = (a+b)(g+h) - (c+d)(e+f). \quad (25)$$
Because of (24), $\operatorname{cdet}(D^* \cdot T) = 4 \operatorname{cdet} T$ holds for all tensors T and digit matrices D. Note that in contrast to the determinant of matrices, the factor is not $\det D^* = 4r$, but only 4. On the other side, the column determinant is multiplicative w.r.t. absorptions; for any tensor T and matrix M,
$$\operatorname{cdet}(T \cdot L(M)) = \operatorname{cdet}(T \cdot R(M)) = \operatorname{cdet} T \cdot \det M \quad (26)$$
holds. Here, the first equality follows from (12) and $\operatorname{cdet}(T^\times) = \operatorname{cdet} T$, while the proof of the second equality is a straightforward, but tedious exercise in algebraic manipulations. Summarising and specialising to the case of digit matrices, we obtain:
- Emission of an unreduced digit: $\operatorname{cdet} T' = 4 \operatorname{cdet} T$,
- Emission of a reduced digit: $\operatorname{cdet} T' = \operatorname{cdet} T$,
- Absorption of an unreduced digit: $\operatorname{cdet} T' = 4r \operatorname{cdet} T$,
- Absorption of a reduced digit: $\operatorname{cdet} T' = r \operatorname{cdet} T$,
- Reduction by k: $\operatorname{cdet} T' = \frac{1}{k^2} \operatorname{cdet} T$.
In contrast to matrices, emissions and absorptions behave differently.

7.3 The Quotient
For a tensor T with $\operatorname{dcd} T \ne 0$, we consider the quotient $\operatorname{qdcd} T = \frac{\operatorname{cdet} T}{(\operatorname{dcd} T)^2}$. This quotient is invariant under reductions and also invariant under emissions. Every absorption yields a factor of r.
Lemma 15. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \ne 0$, and $T_n$ the result of applying n absorptions, any number of emissions, and all possible reductions to $T_0$. Then $\operatorname{qdcd} T_n = r^n \operatorname{qdcd} T_0$.
As in the case of matrices, a lower bound for the column determinant follows:
Theorem 16. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \ne 0$, and $T_n$ the result of applying n absorptions, any number of emissions, and all possible reductions to $T_0$. Then
$$|\operatorname{cdet} T_n| \ge \frac{|\operatorname{cdet} T_0| \cdot r^n}{(\operatorname{dcd} T_0)^2}.$$

7.4 Law of Big Numbers for Tensors
For tensors $T$, $\|T\| \ge \sqrt{|\operatorname{cdet} T| / 8}$ holds, since by (25) $|\operatorname{cdet} T| \le 8\,\|T\|^2$. Thus, we obtain together with Theorem 8:

Theorem 17. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \neq 0$, and $T_n$ the result of applying $n$ absorptions, any number of emissions, and all possible reductions to $T_0$. Then
$$\sqrt{\frac{|\operatorname{cdet} T_0|}{8\,(\operatorname{dcd} T_0)^2}} \cdot (\sqrt{r})^n \;\le\; \|T_n\| \;\le\; 8\,\|T_0\| \cdot r^n.$$
Theorem 18 (Law of big numbers for tensors). Let $T$ be a tensor with non-zero column determinant and non-zero double column difference. After $n$ absorptions and any number of emissions at $T$, at least one entry of the result has bit size $\Omega(n)$, even if all possible reductions are performed.

7.5 Examples
The tensors that realise the four basic arithmetic operations satisfy the hypotheses of the law of big numbers:
- Addition: $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = -1$
- Subtraction: $\begin{pmatrix} 0 & 1 & -1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = 1$, $\operatorname{dcd} = 1$
- Multiplication: $\begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = 1$, $\operatorname{dcd} = 2$
- Division: $\begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = -2$

Yet the tensor for the mean value operation is different:
- Mean value: $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = 0$
Does this mean that $\tfrac{1}{2}x$, which leads to big numbers as shown in Section 6.5, can be computed as the mean value of $0$ and $x$, avoiding big numbers? The answer is no, at least in the case $r = 2$. Let $T^R$ be the matrix on the right hand side of the tensor $T$. The equations $(D^* \cdot T)^R = D^* \cdot T^R$ and $(T \cdot R(D))^R = T^R \cdot D$ hold for all tensors $T$ and digit matrices $D$. This means that the right half of $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}$ behaves exactly as the halving matrix $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ during emissions and absorptions from the right. Since the number $0$ is represented by the infinite product $(D_{-1})^{\omega}$, and $(T \cdot L(D_{-1}))^R = 2\,T^R$, the correspondence is only changed by a common factor during absorptions from the left. Hence, after any number of transactions, the right half of the resulting tensor is a multiple of the matrix resulting from $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ by the corresponding sequence of transactions. Thus, it has entries which are at least as big as the entries of the matrix, which are big by Theorem 14.
8 Discussion and Conclusion
The laws of big numbers as derived in this paper apply to unsigned reals only. For instance, halving in the zero interval $[-1, 1]$ with base $r = 2$ means putting $D_0$ in front of the unsigned part of the argument, an operation possible without employing big integers. Of course, our results crucially depend on the choice of the digit matrices. All digit matrices for all bases have zero column difference, and this fact is implicitly used in the derivations of the formulae for the cd and dcd values after transactions. A completely different choice of digit matrices, with non-zero column difference, may change everything. Also, the results may look different if irrational bases are used such as the golden ratio. However, we believe that big numbers cannot be avoided even in these cases, although we do not have a proof.

The appearance of big integers affects the complexity of real number arithmetic. Consider an LFT satisfying the hypotheses of the laws of big numbers. If it absorbs and emits digits one by one, then the $n$th transaction needs time $\Omega(n)$ since it involves integers of bit size $\Omega(n)$. Consequently, the computation of the first $n$ digits of the result of the LFT needs time $\Omega(n^2)$. This time can only be reduced by replacing the one by one treatment of digits by algorithms absorbing and emitting many digits at once. Of course, the price for this reduction in time is much more involved algorithms.
Net Refinement by Pullback Rewriting*
Renate Klempien-Hinrichs
Universität Bremen, Fachbereich 3, Postfach 33 04 40, D-28334 Bremen
email: rena@informatik.uni-bremen.de

Abstract. The theory of graph grammars is concerned with the rule-based transformation of graphs and graph-like structures. As the formalism of Petri nets is founded on a particular type of graphs, the various net refinement methods proposed for their structured design are in particular graph transformations. This paper aims at applying a recently developed technique for graph rewriting, the so-called pullback approach, to describe net refinement. The translation of this technique, which is based on (hyper)graph morphisms, into terms of net morphisms yields a well-defined mechanism closely related to pullback rewriting in hypergraphs. A variant allows to elegantly characterize a particular net refinement operation which modifies the context of the refined transition.
1 Introduction
Graph grammars have been developed as a concept to study the rule-based transformation of graphs and graph-like structures (see [Roz97] for a comprehensive overview). One can distinguish between approaches in which arbitrary subgraphs may be replaced, and approaches to rewrite elementary subgraphs, i.e. vertices, (hyper)edges, or handles. (Hyper)edge rewriting [HK87a, Hab92] is a special case of the double-pushout approach to graph rewriting [Ehr79]; it has been generalized to handle rewriting in [CER93]. With the pullback approach introduced in [Bau95a], a category theoretical framework for vertex rewriting is being developed. It is based on graph morphisms and can deal with both graphs and hypergraphs [BJ97].

A Petri net is usually defined as a bipartite graph (the underlying net structure) where a vertex is either a place or a transition, plus a marking of the places (see e.g. [Rei85]). The marking may change by the firing of transitions, thus leading to a notion of behaviour. A number of methods to refine a place or a transition, i.e. to manipulate the underlying net structure, such that the behaviour of the refined net can be inferred from the behaviour of the original and the refinement net in a compositional way may be found in the literature (for a survey see [BGV91]). By viewing the underlying net structure of a Petri net as a hypergraph, place or transition refinement becomes the replacement of an elementary item in a hypergraph. In [HK87b] and [Vog87], it has been pointed out that hyperedge rewriting describes some types of net refinement. The operation in [GG90] modifies the context of the refined transition by multiplying the places in its pre- and postset and is thus too complex to be described by hyperedge rewriting. However, it can be seen as a special case of the vertex rewriting technique of [Kle96]. Handle rewriting has not yet been evaluated under this aspect. Another line of research investigates rule-based refinement in the general setting of algebraic high-level nets [PER95, PGE98]. The rules which are used there have been developed from the double-pushout approach to graph rewriting of [Ehr79].

In this paper, the technique of pullback rewriting is translated into terms of net morphisms. The resulting mechanism yields a well-defined notion of net refinement and is closely related to the original pullback rewriting in hypergraphs. Furthermore, it also allows an elegant characterization of the refinement operation in [GG90].

The paper is organized as follows. Section 2 introduces the basic notions of hypergraphs and net structures. The respective categories are studied in Section 3. In Section 4, pullback rewriting in net structures is defined and compared to pullback rewriting in hypergraphs. Section 5 characterizes the net refinement technique of [GG90] in terms of pullback rewriting, and Section 6 contains some concluding remarks.

* Supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the University of Bordeaux I.

2 Hypergraphs and net structures
The basic objects considered in this paper, hypergraphs and net structures, are introduced together with the usual notions of the respective morphisms.

Definition 2.1. (Hypergraph.) A hypergraph $H = (V, E, src, trg)$ consists of a set $V$ of nodes, a set $E$ of hyperedges such that $V \cap E = \emptyset$, and two mappings $src, trg: E \to \mathcal{P}(V)$ assigning to every hyperedge $e \in E$ a set $src(e) \subseteq V$ of source nodes and a set $trg(e) \subseteq V$ of target nodes. Subscripts and superscripts carry over to the components of a hypergraph; for example, $H' = (V', E', src', trg')$. Let $H$ and $H'$ be two hypergraphs. A hypergraph morphism $f: H \to H'$ is a pair of mappings $f = (f_V, f_E)$ with $f_V: V \to V'$, $f_E: E \to E'$ such that $f_V(src(e)) \subseteq src'(f_E(e))$ and $f_V(trg(e)) \subseteq trg'(f_E(e))$ for all $e \in E$. As usual, the subscripts $V$ and $E$ will be omitted in the sequel. If $f$ is bijective and both $f$ and $f^{-1}$ are hypergraph morphisms, then $f$ is a hypergraph isomorphism. In this case, $H$ and $H'$ are isomorphic. Hypergraphs and hypergraph morphisms form a category which is denoted by $\mathcal{H}$.

In a drawing of a hypergraph $H$, a node $v$ is represented by a circle and a hyperedge $e$ by a square. There is an arrow from $v$ to $e$ if $v \in src(e)$ and an arrow from $e$ to $v$ if $v \in trg(e)$. Thus, Fig. 1 shows a hypergraph. A Petri net consists of a net structure plus a marking. As this paper concentrates on structural aspects, only the former notion is formally defined here; for other notions from net theory see e.g. [Rei85].
Figure 1. Drawing a hypergraph (or a net structure)
Definition 2.2. (Net structure.) A net structure $N = (P, T, F)$ consists of a set $P$ of places, a set $T$ of transitions such that $P \cap T = \emptyset$, and a flow relation $F \subseteq (P \times T) \cup (T \times P)$ the elements of which are called arcs. As for graphs, subscripts and superscripts carry over to the components of a net structure. For an item $x \in P \cup T$, ${}^{\bullet}x = \{y \in P \cup T \mid (y,x) \in F\}$ denotes the preset of $x$, and $x^{\bullet} = \{y \in P \cup T \mid (x,y) \in F\}$ its postset. Let $N$ and $N'$ be two net structures. A net morphism $f: N \to N'$ is a mapping $f: P \cup T \to P' \cup T'$ satisfying $(f(x), f(y)) \in F'$ and $x \in P \Leftrightarrow f(x) \in P'$ for all $x, y \in P \cup T$ with $f(x) \neq f(y)$ and $(x,y) \in F$. If $f$ is bijective and both $f$ and $f^{-1}$ are net morphisms, then $f$ is a net isomorphism and $N$, $N'$ are isomorphic. Net structures and net morphisms form a category which is denoted by $\mathcal{N}$.

In a drawing of a net structure $N$, a place $p$ is represented by a circle, a transition $t$ by a square, and an arc $(x,y)$ by an arrow. Thus, Fig. 1 shows a net structure. The similar representation of hypergraphs and net structures evokes a one-to-one encoding: the hypergraph $H$ is associated with the net structure $N$ if $V = P$, $E = T$, $src(e) = {}^{\bullet}e$ and $trg(e) = e^{\bullet}$ for all $e \in E$. With respect to this encoding, every hypergraph morphism is associated with a net morphism. The opposite is not true: a net morphism may map a transition on a place (or vice versa). But if a substructure is mapped on one item, then its border has to be of the same type as the item (cf. Figs. 2 and 3, where a dashed line encircles the items the respective mapping identifies).
Figure 2. A net morphism without associated hypergraph morphism

Figure 3. Neither a net morphism nor a hypergraph morphism
3 The categories of hypergraphs and net structures
In this section, the pullback construction for hypergraph morphisms is recalled. The category of hypergraphs is complete and therefore has all pullbacks. The category of net structures does not have all pullbacks, but the pairs of net morphisms for which the pullback exists are characterized, and the pullback construction is given for these cases. As the notion of a pullback is central for pullback rewriting, the section starts with its general definition. For other concepts from category theory see e.g. [HS79].

Definition 3.1. (Pullback.) Let $\mathcal{C}$ be a category and $(f_i: Y_i \to Z)_{i=1,2}$ a pair of morphisms in $\mathcal{C}$. The pullback of $(f_i: Y_i \to Z)_{i=1,2}$ is another pair of morphisms $(g_i: X \to Y_i)_{i=1,2}$ such that $f_1 \circ g_1 = f_2 \circ g_2$, and for every pair of morphisms $(g'_i: X' \to Y_i)_{i=1,2}$ with $f_1 \circ g'_1 = f_2 \circ g'_2$ there is a unique morphism $h: X' \to X$ with $g_i \circ h = g'_i$ for $i = 1, 2$.

Using a definition of hypergraphs as graphs structured by the smallest complete bipartite graph (i.e. as objects in the comma category of graphs over that graph), which is equivalent to the one given here, the following fact can be shown analogously to [BJ97].

Fact 3.2. The category $\mathcal{H}$ is finitely complete and has, in particular, pullbacks. The pullback of a pair of hypergraph morphisms $(f_i: H_i \to H)_{i=1,2}$ consists of the projections $g_i: H_{pb} \to H_i$ with $g_i((x_1, x_2)) = x_i$ $(i = 1, 2)$, where $H_{pb}$ is constructed as follows:
Figure 4. A pullback in $\mathcal{H}$
- $V_{pb} = \{(v_1, v_2) \in V_1 \times V_2 \mid f_1(v_1) = f_2(v_2)\}$,
- $E_{pb} = \{(e_1, e_2) \in E_1 \times E_2 \mid f_1(e_1) = f_2(e_2)\}$,
- $src_{pb}((e_1, e_2)) = \{(v_1, v_2) \in V_{pb} \mid v_1 \in src_1(e_1),\ v_2 \in src_2(e_2)\}$ and
- $trg_{pb}((e_1, e_2)) = \{(v_1, v_2) \in V_{pb} \mid v_1 \in trg_1(e_1),\ v_2 \in trg_2(e_2)\}$

for all $(e_1, e_2) \in E_{pb}$.
An example for a pullback of hypergraph morphisms $f_1, f_2$ is given in Fig. 4. The morphisms are indicated by the relative arrangement of the items and their shading. As explained in the next section, this pullback can be interpreted as deriving $H_2$ from $H_1$ by rewriting the node $p$. Unlike $\mathcal{H}$, the category of net structures is not finitely complete, but the characterization of Theorem 3.3 allows to easily verify that pullbacks do exist in the cases which will be interpreted as net rewriting in the following section.

Theorem 3.3. For $i = 1, 2$, let $N_i$ and $N$ be net structures and $f_i: N_i \to N$ net morphisms. The pullback of $(f_1, f_2)$ exists if and only if for every item $z \in P \cup T$ of $N$, at most one of the sets $f_1^{-1}(z)$, $f_2^{-1}(z)$ contains distinct items $x$ and $y$ such that $(x,y)$ belongs to the flow relation of the corresponding net structure.
Proof. "$\Rightarrow$": Let $z \in P \cup T$ and $p_i, t_i \in f_i^{-1}(z)$ with $(p_i, t_i) \in F_i$ or $(t_i, p_i) \in F_i$, for $i = 1, 2$. Moreover, let $N^*$ be a net structure and $g_1: N^* \to N_1$, $g_2: N^* \to N_2$ net morphisms with $f_1 \circ g_1 = f_2 \circ g_2$. Now let $N'$ be the net structure with places $p'_1, p'_2$, transitions $t'_1, t'_2$, and an arc between $p'_i$ and $t'_i$ mirroring (one of) the arc(s) between $p_i$ and $t_i$ $(i = 1, 2)$. Consider the two net morphisms $g'_1: N' \to N_1$, $g'_2: N' \to N_2$ with $g'_1(p'_1) = p_1$, $g'_1(\{t'_1, p'_2, t'_2\}) = \{t_1\}$, $g'_2(\{p'_1, t'_1, p'_2\}) = \{p_2\}$, and $g'_2(t'_2) = t_2$; clearly, $f_1 \circ g'_1 = f_2 \circ g'_2$. Finally, let $h: N' \to N^*$ be a net morphism such that $g_i \circ h = g'_i$. The situation is depicted in Fig. 5.

Figure 5. Illustrating the proof of Theorem 3.3
As $g_i \circ h = g'_i$ maps $p'_i$ to $p_i$ and $t'_i$ to $t_i$, $h$ does not identify $p'_i$ and $t'_i$ $(i = 1, 2)$. Therefore, the arc between $p'_1$ and $t'_1$ resp. $p'_2$ and $t'_2$ implies that $h(t'_1)$ is a transition and $h(p'_2)$ a place. Moreover, $g_i \circ h = g'_i$ identifying $t'_1$ and $p'_2$ means that $g_i$ identifies $h(t'_1)$ and $h(p'_2)$ $(i = 1, 2)$. Hence, for net morphisms $g''_i: N' \to N_i$ with $g''_1(P' \cup T') = \{t_1\}$ and $g''_2(P' \cup T') = \{p_2\}$, the two distinct net morphisms $h_1, h_2: N' \to N^*$ with $h_1(P' \cup T') = h(t'_1)$ and $h_2(P' \cup T') = h(p'_2)$ fulfil $g_i \circ h_j = g''_i$ $(i, j \in \{1, 2\})$. Thus, $(g_1, g_2)$ cannot be the pullback of $(f_1, f_2)$.

"$\Leftarrow$" (Outline): Let $Z_i := \{z \in P \cup T \mid \exists\, x, y \in f_i^{-1}(z) \text{ with } (x,y) \in F_i\}$ for $i = 1, 2$. By assumption, $Z_1$ and $Z_2$ are disjoint. Let $N_{pb}$ be as follows:
- $P_{pb} = \{(x_1, x_2) \in f_1^{-1}(z) \times f_2^{-1}(z) \mid (z \in P \setminus (Z_1 \cup Z_2)) \text{ or } (z \in Z_1 \text{ and } x_1 \in P_1) \text{ or } (z \in Z_2 \text{ and } x_2 \in P_2)\}$,
- $T_{pb} = \{(x_1, x_2) \in f_1^{-1}(z) \times f_2^{-1}(z) \mid (z \in T \setminus (Z_1 \cup Z_2)) \text{ or } (z \in Z_1 \text{ and } x_1 \in T_1) \text{ or } (z \in Z_2 \text{ and } x_2 \in T_2)\}$,
- $F_{pb} = \{((x_1, x_2), (y_1, y_2)) \in (P_{pb} \times T_{pb}) \cup (T_{pb} \times P_{pb}) \mid (x_i, y_i) \in F_i \text{ and } (x_j = y_j \text{ or } (x_j, y_j) \in F_j) \text{ for some } i, j \in \{1, 2\},\ i \neq j\}$.

Clearly, $N_{pb}$ is a net structure, and it is not difficult to verify that the projections $g_i: N_{pb} \to N_i$ with $g_i((x_1, x_2)) = x_i$ form the pullback of $(f_1, f_2)$ in $\mathcal{N}$.
4 Net rewriting by pullbacks
In this section, pullback rewriting is defined directly in the category $\mathcal{N}$ of net structures. The basic idea is to achieve the partition of a net structure into three parts (the item to be rewritten, its immediate neighbourhood, and the context of the item) by a net morphism (an unknown) to a special net structure (the alphabet). Another kind of net morphism to the alphabet (a rule) specifies the net structure replacing the item, and its application is modelled by the pullback of the two net morphisms. Thus, pullback rewriting yields a notion of net refinement where items in the pre- and postsets of the refined item can be multiplied. Example 4.1, a place refinement, illustrates the usefulness of such an operation and will be formalized as both net and hypergraph rewriting in this section. The close relationship between pullback rewriting in net structures and in hypergraphs allows to transfer the formalism presented in [BJ97] for an arbitrary number of items to be rewritten (possibly of different types) to net structures, too. The same holds for the notion of parallel rewriting as proposed in [Bau95b].
Example 4.1. (Cf. the reduction example of [GF95].) The (marked) Petri net $PN$ in Fig. 6 models a situation of mutual exclusion, with $p$ as a semaphore. Its refinement to $PN'$ explicitly represents the critical sections and the initialization of their common resources. Moreover, each transition connected with $p$ is split in two to express the entrance into and exit from its associated critical section.
Figure 6. Refining a Petri net
Notation 4.2. For a relation $X \subseteq S \times S$ on a set $S$, $X^{\leftrightarrow} = X \cup \{(y,x) \mid (x,y) \in X\}$ denotes the symmetric hull. The set of all positive integers is denoted by $\mathbb{N}_+$.

The first mechanism to be presented is place rewriting in net structures. The place rewriting alphabet contains a place $p_{-1}$ (for the place to be rewritten), transitions $t_j$ linking it to neighbour places $p_i$, and a farther context $t_0$.

Definition 4.3. (Alphabet.) The place rewriting alphabet is the net structure $N_A$ with $P_A = \{p_{-1}\} \cup \{p_i \mid i \in \mathbb{N}_+\}$, $T_A = \{t_0\} \cup \{t_j \mid j \in \mathbb{N}_+\}$, and $F_A = \bigcup_{i,j \in \mathbb{N}_+} \{(t\ldots$

A substructure $N_A(m,n)$ of $N_A$ with $m+1$ places and $n+1$ transitions with $m, n \in \mathbb{N}_+$ "as required" will be used for finite examples; cf. Fig. 7 for $N_A(2,3)$. A place rewriting unknown maps the place to be rewritten on $p_{-1}$ and identifies those linking transitions resp. neighbour places which will be treated equally during a rewriting step.

Definition 4.4. (Unknown.) Let $N$ be a net structure and $p \in P$. A place rewriting unknown on $p$ is a net morphism $u_p: N \to N_A$ such that
- $u_p^{-1}(p_{-1}) = \{p\}$,
- for every $j \in \mathbb{N}_+$, $x \in u_p^{-1}(t_j)$ implies $\{(x,p)\}^{\leftrightarrow} \cap F \neq \emptyset$, and
- for every $i \in \mathbb{N}_+$, $y \in u_p^{-1}(p_i)$ implies that $j \in \mathbb{N}_+$ and $t \in u_p^{-1}(t_j)$ exist with $\{(y,t)\}^{\leftrightarrow} \cap F \neq \emptyset$.
Figure 7. The place rewriting alphabet $N_A(2,3)$
A place rewriting rule maps what would classically be called the right-hand side of a production on $p_{-1}$ and fixes its possible connexions to a context through the inverse images of the $t_j$.

Definition 4.5. (Rule.) A net morphism $r: N_R \to N_A$ is a place rewriting rule if
- for every item $x \in \{t_0\} \cup \{p_i \mid i \in \mathbb{N}_+\}$, $r^{-1}(x)$ contains exactly one element,
- $\{(r^{-1}(t_0), r^{-1}(p_i)) \mid i \in \mathbb{N}_+\}^{\leftrightarrow} \subseteq F_R$, and
- for every $j \in \mathbb{N}_+$, $r^{-1}(t_j)$ contains only transitions.

The notions of a rule application and a rewriting step are defined uniformly for all the concrete rewriting mechanisms studied in this and the next section.

Definition 4.6. (Rule application, rewriting step.) Let $\mathcal{C}$ be a category with an alphabet object $A$, an unknown morphism $u_x: Y \to A$, and a rule morphism $r: R \to A$ such that $A$, $u_x$, and $r$ belong to the same rewriting mechanism (e.g. place rewriting in $\mathcal{N}$). The application of $r$ at $u_x$ is the pullback of $(u_x, r)$ in $\mathcal{C}$. If $Y'$ is the object constructed by the application of $r$ at $u_x$ (the derived object), then $Y \Rightarrow_{(u_x, r)} Y'$ denotes a rewriting step.

Figure 8 formalizes the refinement $PN \Rightarrow PN'$ of Example 4.1 as the place rewriting step $N \Rightarrow_{(u_p, r)} N'$. The unknown $u_p$ distinguishes the "upper" from the "lower" context of $p$, and the rule $r$ specifies the net structure replacing $p$ as well as the splitting of the transitions connected with $p$. Note that there are alternative choices for $u_p$ and $r$ to derive $N'$ from $N$.
Figure 8. Formalizing Example 4.1 as pullback rewriting
In general, the application of a place rewriting rule $r$ at a place rewriting unknown $u_p$ produces in the derived net structure exactly one copy of the context $u_p^{-1}(t_0)$ of $p$. Similarly, the $u_p^{-1}(p_i)$ are reproduced, as is the right-hand side of the rule. Only the linking transitions may be multiplied (the factors being the size of the respective inverse images) and have their arcs of the flow relation altered.
Corollary 4.7. For every place rewriting rule $r$ and unknown $u_p$, the application of $r$ at $u_p$ is defined.

Proof. Of $N_A$, only the item $t_0$ (resp. $p_{-1}$) may contain an arc in its inverse image under $u_p$ (resp. $r$). As $t_0 \neq p_{-1}$, Theorem 3.3 implies the assertion.

There is a close relationship between place rewriting in $\mathcal{N}$ and node rewriting in $\mathcal{H}$, which differs from that introduced in [BJ97] only in that it deals with directed instead of undirected hypergraphs. Thus, the notions of an alphabet, an unknown, and a rule can be gained from those for place rewriting in $\mathcal{N}$ by changing the (terminal) substructures $t_0, p_{-1}$ of $N_A$ and their inverse images $r^{-1}(t_0)$, $u_p^{-1}(p_{-1})$ into copies of the (terminal) hypergraph consisting of one node and one hyperedge, and adjusting the involved net morphisms $u_p$ and $r$ accordingly to hypergraph morphisms $\langle u_p \rangle$ and $\langle r \rangle$. Figure 4 shows how the place rewriting step $N \Rightarrow_{(u_p, r)} N'$ of Fig. 8 is transformed into the node rewriting step $H \Rightarrow_{(\langle u_p \rangle, \langle r \rangle)} H'$, where $H = H_1$, $H' = H_{pb}$, $\langle u_p \rangle = f_1$, and $\langle r \rangle = f_2$. The example may be explicit enough so that the formal definitions can be omitted. It also illustrates that for the formalization of net refinement, pullback rewriting in net structures is more adequate than pullback rewriting in hypergraphs: in the latter case, one cannot directly take the hypergraph associated with the net to be refined, but has to alter it in order to get the desired result.

Proposition 4.8. Let $u_p$ be a place rewriting unknown and $r$ a place rewriting rule. If $N \Rightarrow_{(u_p, r)} N'$ and $H \Rightarrow_{(\langle u_p \rangle, \langle r \rangle)} H'$, then $H'$ is isomorphic to the hypergraph associated with $N'$.

To end this section, consider briefly a variant of place rewriting allowing a rule $r: N_R \to N_A$ to map places as well as transitions of $N_R$ on the transitions $t_i$ of $N_A$. (With the concepts of [Bau95b], this can be interpreted as a parallel rewriting step.) The application of such a rule to an unknown is still defined and results in the multiplication of the induced substructures of $N_R$. The idea is illustrated in Fig. 9 by an adaptation of Example 4.1; note how much the rule and its application gain in clarity. Moreover, the same rule can be applied to a net modelling an arbitrary number of processes which share a common resource.

5 A particular net refinement technique
Figure 9. Application of a more general rewriting rule

By the symmetry of net structures, pullback rewriting of places immediately implies a notion of transition rewriting. In this section, a slightly different instance of pullback rewriting is used to characterize the transition refinement operation introduced in [GG90] for one-safe nets. Their operation allows to infer the behaviour (in particular liveness properties) of a refined net compositionally from the behaviours of the original and the refinement net, and in contrast to previous studies their refinement nets may display initial or terminal concurrency. Markings and behavioural aspects are not formally considered here; this concerns in particular some additional restrictions for refinement structures.
Notation 5.1. Let $N$ be a net structure. The set ${}^{\circ}N = \{x \in P \mid {}^{\bullet}x = \emptyset\}$ contains the initial places of $N$, and $N^{\circ} = \{x \in P \mid x^{\bullet} = \emptyset\}$ its terminal places.

General assumption [GG90]. In this section, all net structures $N$ are assumed to have arcs $(p,t), (t,p') \in F$ and ${}^{\bullet}t \cap t^{\bullet} = \emptyset$ for every $t \in T$.

Definition 5.2. (Refinement structure, cf. [GG90].) A net structure $N_R$ is a refinement structure if ${}^{\circ}N_R \neq \emptyset \neq N_R^{\circ}$ and ${}^{\circ}N_R \cap N_R^{\circ} = \emptyset$. Figure 10 shows a refinement structure $N_R$ with initial places (a), (b) and terminal place (e).

Figure 10. A refinement structure [GG90]

Definition 5.3. (Net refinement [GG90].) Let $N_1$ be a net structure and $t \in T_1$. Moreover, let $N_R$ be a refinement structure (disjoint from $N_1$). Then the refined net structure $N_2 = N_1[N_R/t]$ is defined by
- $P_2 := (P_1 \setminus ({}^{\bullet}t \cup t^{\bullet})) \cup (P_R \setminus ({}^{\circ}N_R \cup N_R^{\circ})) \cup Int$, where $Int := ({}^{\bullet}t \times {}^{\circ}N_R) \cup (t^{\bullet} \times N_R^{\circ})$,
- $T_2 := (T_1 \setminus \{t\}) \cup T_R$, and
- $F_2 := ((F_1 \cup F_R) \cap (P_2 \times T_2 \cup T_2 \times P_2))$
  $\cup\ \{((p_1,p_2), t_1) \mid (p_1,p_2) \in Int,\ t_1 \in T_1 \setminus \{t\},\ (p_1,t_1) \in F_1\}$
  $\cup\ \{(t_1, (p_1,p_2)) \mid (p_1,p_2) \in Int,\ t_1 \in T_1 \setminus \{t\},\ (t_1,p_1) \in F_1\}$
  $\cup\ \{((p_1,p_2), t_2) \mid (p_1,p_2) \in Int,\ t_2 \in T_R,\ (p_2,t_2) \in F_R\}$
  $\cup\ \{(t_2, (p_1,p_2)) \mid (p_1,p_2) \in Int,\ t_2 \in T_R,\ (t_2,p_2) \in F_R\}$.
Figure 11 illustrates the refinement of a transition $t$ with the refinement structure $N_R$ of Fig. 10: for every preplace $p$ of $t$ in $N_1$ and every initial place $p'$ in $N_R$, there is a new place $(p,p')$ in $N_2$ with ingoing arcs from each transition in the preset of $p$ and outgoing arcs to each transition in the postsets of $p$ and $p'$, and analogously for the postplaces of $t$ and the terminal places in $N_R$. This refinement technique can be characterized by pullback rewriting as follows.

Figure 11. Transition refinement [GG90]

Definition 5.4. (Refinement alphabet, unknown, and rule.) The refinement alphabet is the net structure $N_a$ with $P_a = \{p_1, p_2\}$, $T_a = \{t_0, t_{-1}\}$, and $F_a = \{(t_0,p_1), (t_0,p_2)\}^{\leftrightarrow} \cup \{(p_1,t_{-1}), (t_{-1},p_2)\}$. Let $N_1$ be a net structure and $t \in T_1$. The refinement unknown on $t$ is the net morphism $u_t: N_1 \to N_a$ with $u_t^{-1}(t_{-1}) = \{t\}$, $u_t^{-1}(p_1) = {}^{\bullet}t$, and $u_t^{-1}(p_2) = t^{\bullet}$. Let $N_R$ be a refinement structure and $N'_R$ a net structure with $P'_R = P_R$, $T'_R = T_R \cup \{t'\}$, and $F'_R = F_R \cup \{(p, t') \mid p \in {}^{\circ}N_R \cup N_R^{\circ}\}^{\leftrightarrow}$. The refinement rule induced by $N_R$ is the net morphism $r: N'_R \to N_a$ with $r^{-1}(t_0) = \{t'\}$, $r^{-1}(p_1) = {}^{\circ}N_R$ and $r^{-1}(p_2) = N_R^{\circ}$. The conversion of the example above into terms of pullback rewriting is depicted in Fig. 12.

Figure 12. Transition refinement as pullback rewriting

Note that the flow relation of $N_a$ is not symmetric. Moreover, the refinement unknown $u_t$ is a mapping (by the assumption above), and unique for every transition $t$ of a net structure $N_1$.

Theorem 5.5. Let $N_R$ be a refinement structure, $r$ the induced refinement rule, $N_1$ a net structure with $t \in T_1$, and $u_t: N_1 \to N_a$ the refinement unknown on $t$. If $N_1 \Rightarrow_{(u_t, r)} N_2$, then $N_2$ and $N_1[N_R/t]$ are isomorphic.
Proof. By construction, $N_2$ and $N_1[N_R/t]$ only differ in that $N_2$ contains an item $(x, t')$ for each $x \in (P_1 \cup T_1) \setminus ({}^{\bullet}t \cup \{t\} \cup t^{\bullet})$ and an item $(t, y)$ for each $y \in (P_R \setminus ({}^{\circ}N_R \cup N_R^{\circ})) \cup T_R$. Note that the canonical vicinity respecting morphism $f: N_1[N_R/t] \to N_1$ of [GG90] is (modulo isomorphism) exactly the morphism $f: N_2 \to N_1$ generated by the pullback construction.
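As an added example that is not part of the paper, the following Python carries out the constructions above on a small net built for the purpose: the pullback of two net morphisms with the existence criterion of Theorem 3.3 (returning None where the pullback does not exist, and typing the pairs as in the proof's construction of N_pb), the direct refinement N1[NR/t] of Definition 5.3, and the refinement unknown and rule of Definition 5.4 applied by pullback as in Definition 4.6; the renaming from the proof of Theorem 5.5 is then used to check that both results coincide. The nets N1 and NR, the name t* for the context transition t', and all helper names are mine; reading the arcs between t' and the initial and terminal places of NR as a symmetric hull is my interpretation of Definition 5.4.

```python
from itertools import product

class Net:
    """A net structure (P, T, F): P and T disjoint, F bipartite (Definition 2.2)."""
    def __init__(self, places, transitions, flow):
        self.P, self.T, self.F = frozenset(places), frozenset(transitions), frozenset(flow)
        assert not (self.P & self.T)
        assert all({x, y} <= self.P | self.T and (x in self.P) != (y in self.P) for x, y in self.F)
    @property
    def items(self):
        return self.P | self.T
    def pre(self, x):
        return {y for y, z in self.F if z == x}
    def post(self, x):
        return {z for y, z in self.F if y == x}

def sym(arcs):
    """Symmetric hull X^<-> of a relation (Notation 4.2)."""
    return set(arcs) | {(y, x) for x, y in arcs}

def is_net_morphism(f, N, M):
    """f (a dict) is a net morphism N -> M: every arc not collapsed by f is
    mapped to an arc of M and its source keeps its type (Definition 2.2)."""
    if set(f) != N.items or not set(f.values()) <= M.items:
        return False
    return all(f[x] == f[y] or ((f[x], f[y]) in M.F and (x in N.P) == (f[x] in M.P))
               for x, y in N.F)

def pullback(N1, f1, N2, f2, N):
    """Pullback of f1: N1 -> N and f2: N2 -> N in the category of net
    structures, or None if it does not exist (Theorem 3.3 and its proof)."""
    Z1 = {f1[x] for x, y in N1.F if f1[x] == f1[y]}  # items of N with an arc inside f1^-1
    Z2 = {f2[x] for x, y in N2.F if f2[x] == f2[y]}
    if Z1 & Z2:
        return None
    P, T = set(), set()
    for z in N.items:
        for x1, x2 in product([x for x in N1.items if f1[x] == z],
                              [x for x in N2.items if f2[x] == z]):
            is_place = x1 in N1.P if z in Z1 else x2 in N2.P if z in Z2 else z in N.P
            (P if is_place else T).add((x1, x2))
    F = {((x1, x2), (y1, y2)) for (x1, x2), (y1, y2) in product(P | T, repeat=2)
         if ((x1, x2) in P) != ((y1, y2) in P) and (
             ((x1, y1) in N1.F and (x2 == y2 or (x2, y2) in N2.F)) or
             ((x2, y2) in N2.F and (x1 == y1 or (x1, y1) in N1.F)))}
    return Net(P, T, F)

def initial(N):   # initial places of N
    return {p for p in N.P if not N.pre(p)}

def terminal(N):  # terminal places of N
    return {p for p in N.P if not N.post(p)}

def gg90_refine(N1, t, NR):
    """The refined net structure N1[NR/t] of Definition 5.3."""
    pre_t, post_t = N1.pre(t), N1.post(t)
    Int = set(product(pre_t, initial(NR))) | set(product(post_t, terminal(NR)))
    P2 = (N1.P - pre_t - post_t) | (NR.P - initial(NR) - terminal(NR)) | Int
    T2 = (N1.T - {t}) | NR.T
    F2 = {(x, y) for x, y in N1.F | NR.F if {x, y} <= P2 | T2}
    for p1, p2 in Int:
        F2 |= {((p1, p2), t1) for t1 in N1.T - {t} if (p1, t1) in N1.F}
        F2 |= {(t1, (p1, p2)) for t1 in N1.T - {t} if (t1, p1) in N1.F}
        F2 |= {((p1, p2), t2) for t2 in NR.T if (p2, t2) in NR.F}
        F2 |= {(t2, (p1, p2)) for t2 in NR.T if (t2, p2) in NR.F}
    return Net(P2, T2, F2)

# Refinement alphabet N_a of Definition 5.4 (its flow relation is not symmetric).
N_a = Net({'p1', 'p2'}, {'t0', 't-1'},
          sym([('t0', 'p1'), ('t0', 'p2')]) | {('p1', 't-1'), ('t-1', 'p2')})

def pullback_refine(N1, t, NR, tprime='t*'):
    """Definition 5.4: build the refinement unknown u_t and the rule r induced
    by NR, then apply r at u_t by taking the pullback (Definition 4.6)."""
    u_t = {x: 't-1' if x == t else 'p1' if x in N1.pre(t) else
              'p2' if x in N1.post(t) else 't0' for x in N1.items}
    NRp = Net(NR.P, NR.T | {tprime},
              NR.F | sym([(p, tprime) for p in initial(NR) | terminal(NR)]))
    r = {x: 't0' if x == tprime else 'p1' if x in initial(NR) else
            'p2' if x in terminal(NR) else 't-1' for x in NRp.items}
    assert is_net_morphism(u_t, N1, N_a) and is_net_morphism(r, NRp, N_a)
    return pullback(N1, u_t, NRp, r, N_a)

def relabel(pb, t, tprime='t*'):
    """Renaming from the proof of Theorem 5.5: (x, t') -> x and (t, y) -> y."""
    ren = lambda i: i[0] if i[1] == tprime else i[1] if i[0] == t else i
    return Net({ren(p) for p in pb.P}, {ren(x) for x in pb.T},
               {(ren(x), ren(y)) for x, y in pb.F})

def same_net(A, B):
    return (A.P, A.T, A.F) == (B.P, B.T, B.F)

# Constructed example (not from the paper): t lies on the cycle p -> t -> q -> u -> p,
# and NR joins two initial places a, b via s1, c, s2 to one terminal place e.
N1 = Net({'p', 'q'}, {'t', 'u'}, [('p', 't'), ('t', 'q'), ('q', 'u'), ('u', 'p')])
NR = Net({'a', 'b', 'c', 'e'}, {'s1', 's2'},
         [('a', 's1'), ('b', 's1'), ('s1', 'c'), ('c', 's2'), ('s2', 'e')])

if __name__ == "__main__":
    direct = gg90_refine(N1, 't', NR)
    via_pb = relabel(pullback_refine(N1, 't', NR), 't')
    print("places of N1[NR/t]:", sorted(map(str, direct.P)))
    print("pullback rewriting agrees with [GG90]:", same_net(direct, via_pb))
```

On the constructed input the refined net has the places (p,a), (p,b), (q,e) and c and the transitions u, s1, s2, with eight arcs; the pullback yields the same net up to the renaming of the proof. The existence check is what makes the rule application well-defined: u_t collapses no arc, r collapses only the arcs inside NR onto t_{-1}, so Z_1 and Z_2 are disjoint, whereas two morphisms that both collapse an arc onto the same item of N make pullback return None, as in the "only if" direction of Theorem 3.3.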
6 Conclusion
The aim of this work was to investigate an application of the pullback approach to hypergraph transformation by translating the notion of pullback rewriting from terms of hypergraph morphisms into terms of net morphisms. It turned out that unlike the category of hypergraphs, the category of net structures is not complete; in particular, it does not have all pullbacks. Nevertheless, there is an easily verified criterion to determine whether the pullback of two given net morphisms exists. This criterion ensures that net rewriting by pullbacks is
indeed well-defined. Moreover, the net refinement operation of [GG90] has a concise characterization in the pullback rewriting approach.
There are two main areas for future research on the issues presented here. On the one hand, pullback rewriting has been introduced only quite recently as a hypergraph rewriting approach. It already appears to be promising as an abstract framework for the known hypergraph transformation techniques. Moreover, this paper shows that the idea of pullback rewriting in net structures has a meaningful interpretation as net refinement. So, the pullback rewriting approach needs further development. On the other hand, the relationship between hypergraph transformations and net refinements (or, conversely, net reductions) should be investigated: as a number of refinement operations correspond to rather restricted types of context-free hypergraph rewriting mechanisms, interpreting more general types of hypergraph rewriting as net refinement will probably lead to new net refinements. Moreover, the well-known results on compatible properties may lead to similar results for net refinement, i.e. to results on the compositionality of net properties. In the setting of high-level nets and refinements based on double-pushout rules, similar ideas have already been investigated in [PER95, PGE98]; the link to the work presented here remains to be established. Vice versa, finding adequate descriptions of particular types of net refinement as hypergraph rewriting may also lead to extensions of the latter.

Acknowledgement. I thank Annegret Habel and two anonymous referees for their valuable comments on previous versions of this paper. The pictures have been concocted with Frank Drewes's LaTeX2e package for typesetting graphs. Special thanks go to Anne Bottreau for her timely email.
References

Bau95a. Michel Bauderon. A uniform approach to graph rewriting: the pullback approach. In Graph-Theoretic Concepts in Computer Science, volume 1017 of Lecture Notes in Computer Science, 101-115, 1995.
Bau95b. Michel Bauderon. Parallel rewriting of graphs through the pullback approach. In Proc. SEGRAGRA '95, volume 2 of Electronic Notes in Theoretical Computer Science, 8 pages, 1995.
BGV91. Wilfried Brauer, Robert Gold, and Walter Vogler. A survey of behaviour and equivalence preserving refinements of Petri nets. In Advances in Petri Nets, volume 483 of Lecture Notes in Computer Science, 1-46, 1991.
BJ97. Michel Bauderon and Hélène Jacquet. Node rewriting in hypergraphs. In Graph-Theoretic Concepts in Computer Science, volume 1197 of Lecture Notes in Computer Science, 31-43, 1997.
CER93. Bruno Courcelle, Joost Engelfriet, and Grzegorz Rozenberg. Handle-rewriting hypergraph grammars. Journal of Computer and System Sciences, 46:218-270, 1993.
Ehr79. Hartmut Ehrig. Introduction to the algebraic theory of graph grammars. In Graph-Grammars and Their Application to Computer Science and Biology, volume 73 of Lecture Notes in Computer Science, 1-69, 1979.
GF95. Anja Gronewold and Hans Fleischhack. Computing Petri net languages by reductions. In Fundamentals of Computation Theory, volume 965 of Lecture Notes in Computer Science, 253-262, 1995.
GG90. Rob van Glabbeek and Ursula Goltz. Refinement of actions in causality based models. In Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, 267-300, 1990.
Hab92. Annegret Habel. Hypergraph grammars: Transformational and algorithmic aspects. Journal of Information Processing and Cybernetics EIK, 28:241-277, 1992.
HK87a. Annegret Habel and Hans-Jörg Kreowski. Characteristics of graph languages generated by edge replacement. Theoretical Computer Science, 51:81-115, 1987.
HK87b. Annegret Habel and Hans-Jörg Kreowski. May we introduce to you: Hyperedge replacement. In Graph Grammars and Their Application to Computer Science, volume 291 of Lecture Notes in Computer Science, 15-26, 1987.
HS79. Horst Herrlich and George E. Strecker. Category Theory. Sigma Series in Pure Mathematics. Heldermann Verlag, Berlin, 2nd edition, 1979.
Kle96. Renate Klempien-Hinrichs. Node replacement in hypergraphs: Simulation of hyperedge replacement, and decidability of confluence. In Graph Grammars and Their Application to Computer Science, volume 1073 of Lecture Notes in Computer Science, 397-411, 1996.
PER95. Julia Padberg, Hartmut Ehrig, and Leila Ribeiro. Algebraic high-level net transformation systems. Math. Struct. in Comp. Science, 5:217-256, 1995.
PGE98. Julia Padberg, Magdalena Gajewsky, and Claudia Ermel. Rule-based refinement of high-level nets preserving safety properties. To appear in Proc. FASE, Lecture Notes in Computer Science, 1998.
Rei85. Wolfgang Reisig. Petri Nets, volume 4 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, Berlin Heidelberg, 1985.
Roz97. Grzegorz Rozenberg, ed. Handbook of Graph Transformations, volume I: Foundations. World Scientific, Singapore, 1997.
Vog87. Walter Vogler. Behaviour preserving refinements of Petri nets. In Graph-Theoretic Concepts in Computer Science, volume 246 of Lecture Notes in Computer Science, 82-93, 1987.
On Piecewise Testable, Starfree, and Recognizable Picture Languages

Oliver Matz
Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität Kiel, 24098 Kiel, Germany
e-mail: oma@informatik.uni-kiel.de

Abstract. We isolate a technique for showing that a picture language (i.e. a "two-dimensional language") is not recognizable. Then we prove the non-recognizability of a picture language that is both starfree (i.e., definable by means of union, concatenation, and complement) and piecewise testable (i.e., definable by means of allowed subpictures), solving an open question in GR96. We also define local, locally testable, and locally threshold testable picture languages and summarize known inclusion results for these classes. The classes of piecewise testable, locally testable, and locally threshold testable picture languages can, as in the word case, be characterized by certain (fragments of) first-order logics.
1 Introduction

In GRST96, GR96, the authors investigated the class of recognizable picture languages (as a straightforward generalization of recognizable word languages to two dimensions), and compared it to variants of classes of regular picture languages, defined by "regular expressions" built up by union, row- and column-concatenation, and, optionally, iterated row-/column-concatenation and/or complement. It turns out that the class of recognizable picture languages is not closed under complement, and the regular expressions without complement do not capture the class of recognizable picture languages, in contrast to the Kleene Theorem for the one-dimensional case. One question that remained open was whether every language defined by regular expressions with all of the above-mentioned operations is recognizable. We answer this question negatively, even for the case that the iterated concatenations are omitted, i.e. the "starfree" expressions. To this end, we recapitulate and isolate a technique for showing the non-recognizability of a picture language. This technique has also been used in MT97. Besides, we consider some other adaptations of classes of formal languages to the two-dimensional case, namely different versions of first-order definable languages, as well as piecewise testable, locally testable, and locally threshold testable picture languages, and report some known and some simple results about these. For example, it is shown in Wil97 that there is a first-order definable picture language that is not starfree.
2 Recognizable Picture Languages

Throughout the paper, we consider a fixed alphabet Γ. A picture over Γ is a matrix over Γ. By picture languages we refer to sets of pictures. The language of all pictures over Γ is denoted by Γ^{+,+}. The language of all pictures of size m × n is denoted by Γ^{m,n}. There are two different, partial concatenations for pictures: the row concatenation $\begin{pmatrix} P \\ Q \end{pmatrix}$ (column concatenation $PQ$, respectively) of two pictures P and Q of the same width (height, respectively) is the picture obtained by appending Q to the bottom (right, respectively) of P. These concatenations can be generalized to languages in the straightforward way.

Since picture languages are the two-dimensional analogue of word languages, it is somewhat natural to try to transfer definitions of interesting word language classes to these. We will first give a straightforward definition of recognizability.

Definition 1. A picture language L over Γ is domino-local iff there are local word languages L1, L2 over Γ such that L is the set of pictures whose columns (considered as words) are in L1 and whose rows are in L2. A picture language is recognizable iff it is the image of a local picture language under some alphabet projection.

This definition is consistent with other equivalent definitions of recognizability given in GRST96, GR96. (Among these, there is the characterization via existential monadic second-order logic over the signature with the two binary relation symbols S1 and S2 for vertical and horizontal successors.) The following fact has recently been proved by Klaus Reinhardt.
Example 1. The set of all pictures over {a, b} in which the set of b-positions is connected (where two b-positions are meant to be adjacent iff they are horizontally or vertically next to each other) is recognizable. The complement of the above language is also recognizable, which is much easier to show.

Definition 2. For a picture language L ⊆ Γ^{+,+} and an integer m ≥ 1, the fixed-height-m word language of L, denoted by L(m), is the following word language over Γ^{m,1}:

$$L(m) = \left\{ \begin{pmatrix} a_{11} \\ \vdots \\ a_{m1} \end{pmatrix} \cdots \begin{pmatrix} a_{1n} \\ \vdots \\ a_{mn} \end{pmatrix} \;\middle|\; \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{m1} & \cdots & a_{mn} \end{pmatrix} \in L \right\}$$

The following lemma is formulated and proven in MT97. As far as the author knows, all arguments against recognizable languages depend on this lemma.

Lemma 1. Let L ⊆ Γ^{+,+} be recognizable. Then there is a k ≥ 1 such that for all m ≥ 1 there is an NFA A with k^m states that recognizes L(m).
Proof. Assume L1, L2, and Γ are as in Definition 1. Let m ≥ 1. The states of the constructed NFA are those columns of height m that are, considered as words, in L1, plus an additional initial state. The transitions and final states are chosen in such a way that each string of corresponding components of a run is in L2. The transition labels are the images of the target states under the alphabet projection.

The following simple fact has been stated for example in Bir96, GS96.

Lemma 2. Let n ≥ 1 and let L ⊆ Γ* be recognizable by an NFA with n states. Let M ⊆ Γ* × Γ* be such that uv ∈ L for all (u, v) ∈ M, and {uv', u'v} ⊄ L for all distinct (u, v), (u', v') ∈ M. Then |M| ≤ n.

The preceding two lemmas give the following result.

Lemma 3. Let L ⊆ Γ^{+,+} be recognizable. Let (M_m) be a sequence with M_m ⊆ Γ^{m,+} × Γ^{m,+} for all m, such that PQ ∈ L for all (P, Q) ∈ M_m, and {PQ', P'Q} ⊄ L for all distinct (P, Q), (P', Q') ∈ M_m. Then |M_m| is 2^{O(m)}.

Intuitively, this lemma says that for a recognizable picture language, there is no more than exponentially much space to pass information from one side of the picture to the other. We use the above lemma to reformulate the proof of non-recognizability of an example language from GRST96.

Proposition 1. Let L be the set of pictures over {a, b} of the form PP where P is a square. Then L is not recognizable.

Proof. For every m ≥ 1 let M_m := {(P, P) | P ∈ Γ^{m,m}}. We have for all squares P, P' that PP' ∈ L ⇔ P = P', so (M_m) has the property of Lemma 3. But |M_m| = 2^{m²} is not 2^{O(m)}, therefore L is not recognizable.

In GRST96 the non-recognizability of the above language has been shown using essentially the same argument. The complement of L is recognizable, so a corollary is that the class of recognizable picture languages is not closed under complement. In fact, the author does not know any example of a picture language whose non-recognizability can be shown, but not by this lemma. We consider another example.
Proposition 2. Let CORNERS be the set of pictures P over {a, b} such that whenever P(i, j) = P(i', j) = P(i, j') = b then also P(i', j') = b. (Intuitively: whenever three corners of a rectangle carry a b, then also the fourth one does.) CORNERS is not recognizable.

Proof. Let n ≥ 1. For every partition 𝒫 of {1, …, 2n} into two-element sets we fix a bijection α_𝒫 : 𝒫 → {1, …, n}. (For example, we can choose α_𝒫({i, i'}) to be the number of elements {j, j'} of 𝒫 for which min{j, j'} < min{i, i'}.) Now we choose a picture P_𝒫 over {a, b} of size 2n × n such that for all (i, j) ∈ {1, …, 2n} × {1, …, n}:

P_𝒫(i, j) = b ⇔ ∃i' : {i, i'} ∈ 𝒫 ∧ j = α_𝒫({i, i'}).

Let M_n be the set of all pairs (P_𝒫, P_𝒫) where 𝒫 is a partition of {1, …, 2n} into two-element sets. Then we have for all partitions 𝒫, 𝒫' that P_𝒫 P_𝒫' ∈ CORNERS ⇔ 𝒫 = 𝒫', so (M_n) has the property of Lemma 3. For the number A_n of partitions of {1, …, 2n} into two-element sets one easily verifies the recursion formula A_1 = 1, A_{n+1} = (2n + 1)A_n. We have that |M_n| = A_n ≥ n! is not 2^{O(n)} and hence Lemma 3 implies that CORNERS is not recognizable.

3 Piecewise Testable Picture Languages
Definition 3. Let P ∈ Γ^{m,n} and Q ∈ Γ^{+,+}. Then P is a subpicture of Q iff there are strictly monotone functions f : {1, …, m} → N_{≥1} and g : {1, …, n} → N_{≥1} such that Q(f(i), g(j)) = P(i, j) for all (i, j) ∈ {1, …, m} × {1, …, n}. Let m, n ∈ N_{≥1}. Two pictures Q1, Q2 are (m, n)-equivalent (Q1 ∼_{mn} Q2 for short) iff they have the same subpictures of size m × n. A picture language L is piecewise testable iff there is some (m, n) such that L is a union of ∼_{mn}-equivalence classes.

Example 2. The picture language CORNERS from Proposition 2 is piecewise testable.

The proof is immediate since CORNERS is the set of pictures P such that no 2 × 2-subpicture of P has exactly 3 b's, and this property holds for every or for no element of a (2, 2)-equivalence class. This example shows that, unlike in the theory of formal word languages, not every piecewise testable picture language is recognizable.

Remark 1. The class of piecewise testable picture languages is characterized by Boolean combinations of existential first-order formulas with the two binary predicates ≤1, ≤2.

The proof is similar to the word case.
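As an added example (not part of the paper), the following Python code implements the notions used in Proposition 2 and Example 2: subpictures and (m, n)-equivalence of Definition 3, the CORNERS property checked both directly on rectangle corners and via the 2 × 2-subpicture test, and the pictures P_𝒫 built from pair partitions in the proof of Proposition 2, checking by brute force for small n that P_𝒫 P_𝒫' ∈ CORNERS iff 𝒫 = 𝒫'. Positions are 0-based and all function names are my own.

```python
from itertools import combinations, product

A, B = "a", "b"  # the alphabet {a, b} used in Propositions 1-3; pictures are lists of rows


def subpictures(Q, m, n):
    """All m x n subpictures of Q (Definition 3): choose m rows and n columns with
    strictly monotone index maps f, g and read off Q(f(i), g(j))."""
    rows, cols = len(Q), len(Q[0])
    found = set()
    for f in combinations(range(rows), m):
        for g in combinations(range(cols), n):
            found.add(tuple(tuple(Q[i][j] for j in g) for i in f))
    return found


def mn_equivalent(Q1, Q2, m, n):
    """(m, n)-equivalence: Q1 and Q2 have the same subpictures of size m x n."""
    return subpictures(Q1, m, n) == subpictures(Q2, m, n)


def in_corners(P):
    """CORNERS as defined in Proposition 2, checked on the corners of every rectangle:
    three b's at the corners force the fourth corner to be a b as well."""
    rows, cols = len(P), len(P[0])
    for (i, i2), (j, j2) in product(combinations(range(rows), 2), combinations(range(cols), 2)):
        if (P[i][j], P[i][j2], P[i2][j], P[i2][j2]).count(B) == 3:
            return False
    return True


def in_corners_piecewise(P):
    """Example 2: P is in CORNERS iff no 2 x 2 subpicture has exactly three b's. This
    depends only on the set of 2 x 2 subpictures, i.e. it is constant on every
    (2, 2)-equivalence class, which is why CORNERS is piecewise testable."""
    return all(sum(row.count(B) for row in S) != 3 for S in subpictures(P, 2, 2))


def definitions_agree(rows, cols):
    """Brute-force check that both formulations of CORNERS coincide on all pictures
    of size rows x cols over {a, b}."""
    for cells in product((A, B), repeat=rows * cols):
        P = [list(cells[r * cols:(r + 1) * cols]) for r in range(rows)]
        if in_corners(P) != in_corners_piecewise(P):
            return False
    return True


def pair_partitions(elements):
    """All partitions of the list `elements` into two-element sets, each given as a
    tuple of pairs (smaller element first, pairs ordered by their smaller element)."""
    if not elements:
        yield ()
        return
    first, rest = elements[0], elements[1:]
    for k, partner in enumerate(rest):
        for tail in pair_partitions(rest[:k] + rest[k + 1:]):
            yield ((first, partner),) + tail


def picture_of_partition(part, n):
    """The picture P_𝒫 of size 2n x n from the proof of Proposition 2. The bijection
    alpha maps a pair to the number of pairs with a smaller minimum, which with 0-based
    indices is directly a column index; P_𝒫(i, j) = b iff i lies in the pair alpha maps to j."""
    alpha = {pair: sum(1 for other in part if min(other) < min(pair)) for pair in part}
    P = [[A] * n for _ in range(2 * n)]
    for pair in part:
        for i in pair:
            P[i][alpha[pair]] = B
    return P


def column_concat(P, Q):
    """Column concatenation PQ: append Q to the right of P (same height required)."""
    assert len(P) == len(Q)
    return [p + q for p, q in zip(P, Q)]


def number_of_pair_partitions(n):
    """A_n, the number of partitions of {1, ..., 2n} into two-element sets, via the
    recursion A_1 = 1, A_{n+1} = (2n + 1) A_n."""
    a = 1
    for k in range(1, n):
        a *= 2 * k + 1
    return a


def lemma3_property_holds(n):
    """Check the key claim in the proof of Proposition 2 for {0, ..., 2n-1}:
    P_𝒫 P_𝒫' is in CORNERS iff 𝒫 = 𝒫'. Returns (number of partitions, claim holds)."""
    parts = list(pair_partitions(list(range(2 * n))))
    pics = {p: picture_of_partition(p, n) for p in parts}
    holds = all(in_corners(column_concat(pics[p], pics[q])) == (p == q)
                for p in parts for q in parts)
    return len(parts), holds
```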
Example 3. Let CROSS be the language of all pictures over {a, b} containing

aba

as a subpicture. CROSS is piecewise testable.

4 Starfree Picture Languages
Definition 4. The class of starfree picture languages over Γ is given by the smallest set that contains all finite picture languages over Γ and is closed under row- and column concatenation, finite union, and complement.

The class of recognizable picture languages is closed under row- and column concatenation and union, but (as mentioned before) not under complement. In GRST96 the authors asked whether, nevertheless, every starfree picture language is recognizable. We answer this question negatively.

Proposition 3. The picture language CORNERS from Proposition 2 is starfree.

Proof. Let

$$K := \bigcup \begin{pmatrix} w\,\overline{\emptyset}\,x \\ y\,\overline{\emptyset}\,z \end{pmatrix},$$

where the union ranges over all quadruples (w, x, y, z) ∈ {a, b}^4 such that wxyz ∈ b*ab*, and $\overline{\emptyset}$ denotes complement w.r.t. {a, b}^{+,+}. Then K is the set of all pictures over {a, b} such that exactly one of the corners carries an a. Clearly, $\overline{\emptyset}\,K\,\overline{\emptyset}$ is the complement of L, so L is starfree.

The following is shown in Wil97:

Lemma 4. The language CROSS from Example 3 is not starfree.

5 Local, Locally Testable, and Locally Threshold Testable Picture Languages
We give straightforward adaptations of definitions of language classes defined by certain "local" properties. These definitions can also be found, for instance, in GRST96.

Definition 5. Let P ∈ Γ^{m,n} and Q ∈ Γ^{m',n'}. Then P is a subblock of Q iff there are k ≤ m' − m and l ≤ n' − n such that Q(i, j) = P(k + i, l + j) for all (i, j) ∈ {1, …, m} × {1, …, n}. For a picture P over Γ, we denote by P̂ the picture over Γ ∪ {#} that results from P by surrounding it with the fresh boundary symbol #.

A picture language L is local iff there is some set Δ of 2 × 2-pictures over Γ ∪ {#} such that L contains exactly those pictures P for which the (2 × 2)-subblocks of P̂ are in Δ. Let m, n ∈ N_{≥1}. Two pictures Q1, Q2 are (m, n)-block-equivalent (Q1 ≈_{mn} Q2 for short) iff Q1 and Q2 have the same set of subblocks of size m × n. A picture language L is locally testable iff there is some (m, n) such that L is a union of (m, n)-block-equivalence classes. Let d, t ≥ 1. Two pictures Q1, Q2 are (d, t)-block-threshold-equivalent iff for every square picture P of size d' × d' (with d' ≤ d), the numbers of occurrences of P as a subblock in Q1 (respectively Q2) are equal or both ≥ t. A picture language is locally threshold testable iff there are d, t such that L is a union of (d, t)-block-threshold-equivalence classes.

Since every local language is a union of (2, 2)-block-equivalence classes, and (m, n)-block-equivalence is coarser than (max{m, n}, 0)-block-threshold-equivalence, we have that every domino-local language is local, every local language is locally testable, and every locally testable picture language is locally threshold testable. In GR96 it is shown that the class of recognizable picture languages is the class of those picture languages that can be obtained from a local picture language via alphabet projection.

Remark 2.
1. The class of locally threshold testable picture languages is characterized by first-order logic over the signature {S1, S2} with two binary relation symbols S1, S2 for the two successor relations.
2. The class of locally testable picture languages is characterized by Boolean combinations of existential first-order sentences over the signature {S1, S2, left, right, top, bottom}, where the latter four predicates are unary and say that a position is at the respective border.

The first statement is shown in GRST96 and the second can be proved similarly to the case of word languages.

6 An Overview of Language Classes and Open Questions
Let us denote the classes of recognizable, piecewise testable, starfree, local, and first-order definable picture languages by REC, PT, SF, LOC, and FO(≤).

[Figure: inclusion diagram of the classes FO(≤), PT, PT ∩ SF, SF, REC, and LOC.]

(Simple proofs show that every starfree and every piecewise testable picture language is first-order definable. This infers e.g. FO(≤) …, LOC ⊆ LT ⊆ LTT ⊆ FO(… LOC).) One open question is: Is there a natural example of a non-recognizable picture language for which Lemma 3 fails to prove the non-recognizability? One candidate is the language of squares over {a, b} that have as many a's as b's. It is easy to see that Lemma 3 cannot be used to show the non-recognizability of this example language; however, we conjecture that it is not recognizable.

References

Bir96. Jean-Camille Birget. The state complexity of $\overline{\Sigma^*\overline{L}}$. Information Processing Letters, 58:185-188, 1996.
GR96. D. Giammarresi and A. Restivo. Two-dimensional languages. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Language Theory, volume III. Springer-Verlag, New York, 1996.
GRST96. D. Giammarresi, A. Restivo, S. Seibert, and W. Thomas. Monadic second-order logic and recognizability by tiling systems. Information and Computation, 125:32-45, 1996.
GS96. Ian Glaister and Jeffrey Shallit. A lower bound technique for the size of nondeterministic finite automata. Information Processing Letters, 125:32-45, 1996.
Mat95. Oliver Matz. Klassifizierung von Bildsprachen mit rationalen Ausdrücken, Grammatiken und Logik-Formeln. Diploma thesis, Christian-Albrechts-Universität Kiel, 1995. (German).
Mat97. Oliver Matz. Regular expressions and context-free grammars for picture languages. In Rüdiger Reischuk, editor, STACS'97, volume 1200 of Lect. Notes Comput. Sci., pages 283-294, Lübeck, Germany, 1997. Springer-Verlag.
MT97. Oliver Matz and Wolfgang Thomas. The monadic quantifier alternation hierarchy over graphs is infinite. In Twelfth Annual IEEE Symposium on Logic in Computer Science, pages 236-244, Warsaw, Poland, 1997. IEEE.
Wil97. Thomas Wilke. Star-free picture expressions are strictly weaker than first-order logic. In Pierpaolo Degano, Roberto Gorrieri, and Alberto Marchetti-Spaccamela, editors, Automata, Languages and Programming, volume 1256 of Lect. Notes Comput. Sci., pages 347-357, Bologna, Italy, 1997. Springer.
Functor Categories and Two-Level Languages

E. Moggi
DISI - Univ. di Genova, via Dodecaneso 35, 16146 Genova, Italy
phone: +39 10 353-6629, fax: +39 10 353-6699, e-mail: moggi@disi.unige.it

Abstract. We propose a denotational semantics for the two-level language of GJ91, Gom92, and prove its correctness w.r.t. a standard denotational semantics. Other researchers (see Gom91, GJ91, Gom92, JGS93, HM94) have claimed correctness for lambda-mix (or extensions of it) based on denotational models, but the proofs of such claims rely on imprecise definitions and are basically flawed. At a technical level there are two important differences between our model and more naive models in Cpo: the domain for interpreting dynamic expressions is more abstract (we interpret code as λ-terms modulo α-conversion), and the semantics of newname is handled differently (we exploit functor categories). The key idea is to interpret a two-level language in a suitable functor category $\mathbf{Cpo}^{\mathcal{D}}$ rather than Cpo. The semantics of newname follows the ideas pioneered by Oles and Reynolds for modeling the stack discipline of Algol-like languages. Indeed, we can think of the objects of $\mathcal{D}$ (i.e. the natural numbers) as the states of a name counter, which is incremented when entering the body of a λ-abstraction and decremented when coming out. Correctness is proved using Kripke logical relations (see MM91, NN92).

Introduction

Two-level languages are an important tool for analyzing programs. In the context of partial evaluation they are used to identify those parts of the program that can be reduced statically, and those that have to be evaluated dynamically. We take as representative of these two-level languages that described in GJ91, which we call PCF2, since it can be considered as the "PCF of two-level languages".
The main aims of this paper are: to point out the flaws in the semantics and correctness proof given in Gom92, and to propose an alternative semantics for which one can prove correctness. The interpretation of dynamic λ-abstraction given in GJ91, Gom92 uses a newname construct "informally". Indeed, Gomard and Jones warn that "the generation of new variable names relies on a side-effect on a global state (a name counter). In principle this could have been avoided by adding an extra parameter to the semantic function, but for the sake of notational simplicity we use a less formal solution". Because of this informality, GJ91, Gom92 are able to use a simplified semantic domain for dynamic expressions, but have to hand wave when it comes to the clause for dynamic λ-abstraction. This informality is maintained also in the correctness proof of Gom92. It is possible to fix the informal semantics using a name-counter (as suggested by Gomard and Jones), but then it is unclear how to fix the correctness proof. In fact, several experts were unable to propose a patch. Lack of precision in the definition of denotational semantics and consequent flaws in correctness proofs are not confined to Gom92; indeed Chapter 4 of Gom91 and Chapter 8 of JGS93 contain the same definitions, results and proofs, GJ91 quotes the same definitions and results (but without proofs), while HM94 adapts Gomard's technique to establish correctness for a polymorphic binding-time analysis (and introduces further flaws in the denotational semantics).
The specific model we propose is based on a functor category. In denotational semantics functor categories have been advocated by Ole85 to model Algol-like languages, and more generally they have been used to model locality and dynamic creation (see OT92, PS93, FMS96). For this kind of modeling they outperform the more traditional category Cpo of cpos (i.e. posets with lubs of ω-chains and ω-continuous maps). Therefore, they are a natural candidate for modeling the newname construct of GJ91. In the proposed functor category model the domain of residual programs is a bit more abstract than expected, namely α-convertible programs are identified. This identification is necessary for defining the category $\mathcal{D}$ of dynamic expressions, but it seems also a desirable abstraction. Functor categories are definitely more complex than Cpo, but one can avoid most of the complexities by working in a metalanguage (with computational types). Indeed, it is only in a few critical places that it is important to know which category (and which monad) is used. The graduate textbook Ten91 gives the necessary background on functor categories for denotational semantics to understand our functor category model. In Cpo models the renaming of bound dynamic variables (used in the interpretation of dynamic λ-abstraction) is modeled via a side-effect monad with a name-counter as state; on the contrary, in the functor category model renaming is handled by the functor category itself (while non-termination at specialization-time is modeled by the lifting monad). The paper is organized as follows: Section 1 recalls the two-level language of GJ91, Gom92 which we call PCF2; Section 2 describes a general way for interpreting PCF2 via translation into a metalanguage with computational types, and explains what's wrong with previously proposed semantics of PCF2; Section 3 describes our functor category model for PCF2 and proves correctness; Section 4 makes a comparison of the semantics.
Acknowledgments. I wish to thank Olivier Danvy and Neil Jones for e-mail discussions, which were very valuable to clarify the intended semantics in GJ91, Gom92, and to identify the critical problem in the correctness proof. Neil Jones has kindly provided useful bibliographic references and made available relevant internal reports.
1 The two-level language of Gomard and Jones

In this section we recall the main definitions in GJ91, Gom92, namely: the untyped object language Λ₀ and its semantics, the two-level language PCF2 and its semantics (including the problematic clause for $\underline{\lambda}$). Both semantics are given via a translation into a metalanguage with computational types (see Mog91, Mog97b). In the case of Λ₀ the monad corresponds to dynamic computations, while in the case of PCF2 it corresponds to static computations.
1.1 The untyped object language

The object language Λ₀ is an untyped λ-calculus with a set of ground constants c (which includes the truth values):

$$M ::= x \mid \lambda x.M \mid M_1 @ M_2 \mid fix\, M \mid if\, M_1\, M_2\, M_3 \mid c$$

There is a canonical CBN interpretation of Λ₀ in D = (const + (D → D))_⊥, where const is the flat cpo of ground constants (ordered by equality). This interpretation can be described via a CBN translation ^n into a suitable metalanguage with computational types, s.t. a Λ₀-term M is translated into a meta-term M^n of type TV with V = const + (TV → TV), or more precisely x̄ : TV ⊢_ML M^n : TV when M is a Λ₀-term with free variables included in the sequence x̄:

- x^n = x
- c^n = inl(c)
- (λx.M)^n = inr(λx : TV. M^n)
- (M1 @ M2)^n = let u ⇐ M1^n in case u of inr(f) ⇒ f(M2^n) | _ ⇒ ⊥, where ⊥ : TV is the least element of TV
- (if M M1 M2)^n = let u ⇐ M^n in case u of inl(true) ⇒ M1^n | inl(false) ⇒ M2^n | _ ⇒ ⊥
- (fix M)^n = let u ⇐ M^n in case u of inr(f) ⇒ Y(f) | _ ⇒ ⊥, where Y : (TV → TV) → TV is the least fixed-point of TV

Note 1. T can be any strong monad on Cpo s.t.: (i) each TX has a bottom element ⊥; (ii) let x ⇐ ⊥ in e = ⊥, i.e. ⊥ is preserved by f* : TX → TY for any f : X → TY. With these properties one can interpret recursive definitions of programs and solve domain equations involving T.

The interpretation by Gomard amounts to taking TX = X_⊥ and D = TV.
1.2 The two-level language PCF2

The two-level language PCF2 can be described as a simply typed λ-calculus over the base types base and code with additional operations. The raw syntax of PCF2 is given by

$$\begin{array}{ll}
\text{types} & \tau ::= base \mid code \mid \tau_1 \to \tau_2 \\
\text{terms} & e ::= x \mid \lambda x{:}\tau.e \mid e_1@e_2 \mid fix_\tau\, e \mid if_\tau\, e_1\, e_2\, e_3 \mid c \mid lift\, e \mid \underline{\lambda}x.e \mid e_1\,\underline{@}\,e_2 \mid \underline{fix}\, e \mid \underline{if}\, e_1\, e_2\, e_3 \mid \underline{c}
\end{array}$$

The well-formed terms of PCF2 are determined by assigning types to constants:

- $fix_\tau : (\tau \to \tau) \to \tau$
- $if_\tau : base, \tau, \tau \to \tau$
- $c : base$
- $lift : base \to code$
- $\underline{\lambda} : (code \to code) \to code$; following Church we have taken $\underline{\lambda}$ to be a higher-order constant rather than a binder (all the binding is done by λ). The two presentations are equivalent: the term $\underline{\lambda}x.e$ of GJ91 can be replaced by $\underline{\lambda}(\lambda x{:}code.e)$, while the constant $\underline{\lambda}$ can be defined as $\lambda f{:}code \to code.\,\underline{\lambda}x.f@x$.
- $\underline{@} : code, code \to code$
- $\underline{fix} : code \to code$
- $\underline{if} : code, code, code \to code$
- $\underline{c} : code$

Remark. The language PCF2 corresponds to the well-annotated expressions of Gomard and Jones. For two-level languages with dynamic type constructors (e.g. that in HM94) it is necessary to distinguish between static and dynamic types. In PCF2 the only dynamic type is code, and there is no need to make this explicit.
2 Models of PCF2 in Cpo

The interpretation of PCF2 is described by a translation ^s into a suitable metalanguage with computational types, s.t. x1 : τ1^s, …, xn : τn^s ⊢_ML e^s : τ^s when x1 : τ1, …, xn : τn ⊢_PCF2 e : τ. The translation highlights that static computations take place only at ground types (just like in PCF and Algol).

- base^s = T(const), where const is the flat cpo of ground constants
- code^s = T(exp), where exp is the flat cpo of open Λ₀-terms with (free and bound) variables included in var = {x_n | n ∈ N}.

When translating terms of PCF2 we make use of the following expression-building operations:

- build_const : const → exp is the inclusion of ground constants into terms
- build_var : var → exp is the inclusion of variables into terms
- build_@ : exp, exp → exp is the function M1, M2 ↦ M1@M2 which builds an application. There are similar definitions for build_fix and build_if.
- build_λ : var, exp → exp is the function x, M ↦ λx.M which builds a λ-abstraction.

The translation of types and terms is:

- (τ1 → τ2)^s = τ1^s → τ2^s
- x^s = x
- c^s = c
- (λx:τ.e)^s = λx:τ^s.e^s
- (e1@e2)^s = e1^s@e2^s
- (if_τ e e1 e2)^s = let u ⇐ e^s in case u of true ⇒ e1^s | false ⇒ e2^s | _ ⇒ ⊥, where ⊥ is the least element of τ^s
- (fix_τ e)^s = Y(e^s), where Y is the least fixed-point of τ^s
- (lift e)^s = let x ⇐ e^s in build_const(x)
- $\underline{c}^s$ = build_const(c)
- $(\underline{op}\ \bar{e})^s$ = let M̄ ⇐ ē^s in build_op(M̄), where op ∈ {fix, @, if}
- $(\underline{\lambda}\ e)^s$ = let x ⇐ newname in let M ⇐ e^s(build_var(x)) in build_λ(x, M), where newname : T(var) generates a fresh variable of the object language.

The monad T for static computations should satisfy the same additional properties stated in Note 1.

Remark. In the above interpretation/translation the meaning of newname (and $\underline{\lambda}$) is not fully defined; indeed one should first fix the interpretation of computational types TX. The interpretation of GJ91, Gom92 uses simplified semantic domains (which amount to using the lifting monad TX = X_⊥), but with these domains there is no way of interpreting newname (consistently with the informal description). Therefore, most of the stated results and proofs are inherently faulty. Gomard and Jones are aware of the problem and say that "the generation of new variable names relies on a side effect on a global state (a name-counter)... but for the sake of notational simplicity we have used a less formal solution". Their proposed solution amounts to using a side-effect monad TX = ((X × N)_⊥)^N, and to interpreting newname : T(var) as newname = λn:N. up((x_n, n + 1)), where up_X : X → X_⊥ is the inclusion of X into its lifting. A simpler solution, suggested by Olivier Danvy, uses a state-reader monad TX = X^N. In this case one can interpret the operation newname_X : (TX)^var → TX as newname_X(f) = λn:N. f x_n (n + 1), and use it for translating $\underline{\lambda}$:

$(\underline{\lambda}\ e)^s$ = newname_exp(λx:var. let M ⇐ e^s(build_var(x)) in build_λ(x, M)).

The only place where a name-counter is really needed is for generating code, so we could use the simpler translation base^s = const_⊥ and code^s = T(exp). This is similar to what happens in Algol, where expressions cannot have side-effects, while commands can.
2.1 Correctness: attempts and failures

Informally speaking, correctness for PCF2 should say that for any ∅ ⊢_PCF2 e : code, if the static evaluation of e terminates and produces a Λ₀-term M : exp, then the Λ₀-terms M and e^r are equivalent, where ^r is the translation from PCF2 to Λ₀ erasing types and annotations. In fact, this is an over-simplified statement, since one wants to consider PCF2-terms x̄ : code ⊢_PCF2 e : code with free dynamic variables. In a denotational setting one could prove correctness by defining a logical relation (see MW85, Mit96) between two interpretations of PCF2: the static one, obtained by translating PCF2 via ^s into the metalanguage ML_T(Σ) and interpreting that in Cpo, and the dynamic one, obtained by erasing via ^r into Λ₀ and interpreting that in D.

The parameterized logical relation R^τ_ρ ⊆ τ^s × D, where ρ : var → D, proposed by Gom92 is defined as follows:

- ⊥ R^base_ρ d, and up(b) R^base_ρ d ⇔ d = up(inl b)
- ⊥ R^code_ρ d, and up(M) R^code_ρ d ⇔ d = [[M]]ρ
- f R^{τ1→τ2}_ρ d ⇔ ∀x R^{τ1}_ρ y. (f@x) R^{τ2}_ρ (d@y)

This is the standard way of defining at higher types a logical relation between typed applicative structures. Gomard interprets types according to the informal semantics, i.e. base^s = const_⊥ and code^s = exp_⊥. According to the fundamental lemma of logical relations, if the two interpretations of each operation/constant of PCF2 are logically related, then the two interpretations of each PCF2-term are logically related. It is easy to do this check for all operations/constants except $\underline{\lambda}$. In the case of $\underline{\lambda}$ one can only hand wave, since the interpretation is informally given. Therefore, Gomard concludes that he has proved correctness.

Remark. Gomard does not mention explicitly logical relations. However, his definition of R is given by induction on the structure of PCF2-types, while correctness is proved by induction on the structure of PCF2-terms Γ ⊢_PCF2 e : τ. This is typical of logical relations. In order to patch the proof one would have to change the definition of R^code, since in the intended semantics code^s = exp_⊥^N or ((exp × N)_⊥)^N, and check the case of $\underline{\lambda}$ (which now has an interpretation). We doubt that this can be done, for the following reasons (for simplicity we take code^s = exp_⊥^N):
- The interpretation of $\underline{\lambda}$ may capture variables that ought to remain free. For instance, consider the interpretation of x : code ⊢_PCF2 $\underline{\lambda}$y.x : code, which is a function f : exp_⊥^N → exp_⊥^N, and the element λn.up(M) of exp_⊥^N (for a fixed M : exp); then f(λn.up(M)) = λn.up(λx_n.M) (here there is some overloading in the use of λ, since λn is a semantic lambda while λx_n is syntactic). Depending on the choice of n we may bind a variable free in M, therefore the semantics of $\underline{\lambda}$ fails to ensure freshness of x_n.
- The semantic domain exp_⊥^N has junk elements in comparison to exp_⊥, and so there are several ways of defining u R^code_ρ d, e.g.
  - ∀n:N. ∀M:exp. u(n) = up(M) ⊃ [[M]]ρ = d
  - ∃n:N. ∀M:exp. u(n) = up(M) ⊃ [[M]]ρ = d
  - ∃M:exp. ∀n:N. u(n) =_α up(M) ⊃ [[M]]ρ = d

  but none of them works (nor is more canonical than the others). If there is a way to prove correctness using (Kripke) logical relations, it is likely to involve something more subtle than parameterization by ρ : var → D.
3 A functor category model of PCF2

In this section we define a categorical model of PCF2 in a Cpo-enriched functor category $\hat{\mathcal{D}} = Cpo^{\mathcal{D}^{op}}$, where $\mathcal{D}$ is a syntactic category corresponding to $\lambda_0$, and the objects of $\mathcal{D}$ can be viewed as states of a name-counter. The main property of this model is that the hom-set $\hat{\mathcal{D}}(exp^n, exp)$ is isomorphic to the set of $\lambda_0$-terms modulo $\alpha$-conversion whose free variables are included in $\{x_0, \ldots, x_{n-1}\}$.

3.1 The dynamic category
We define $\mathcal{D}$ like the category associated to an algebraic theory (as proposed by Lawvere in [Law63]), i.e.:

- an object of $\mathcal{D}$ is a natural number; we identify a natural number $n$ with the set $\{0, \ldots, n-1\}$ of its predecessors;
- an arrow from $m$ to $n$, which we call substitution, is a function $\sigma : n \to \Lambda(m)$, where $\Lambda(m)$ is the set of $\lambda_0$-terms modulo $\alpha$-conversion with free variables included in $\{x_0, \ldots, x_{m-1}\}$; thus $\mathcal{D}(m, n) = \Lambda(m)^n$;
- composition is given by composition of substitutions with renaming of bound variables (which is known to respect $\alpha$-conversion). Namely, for $\sigma_1 : m \to n$ and $\sigma_2 : n \to p$ the substitution $(\sigma_2 \circ \sigma_1) : m \to p$ is given by $(\sigma_2 \circ \sigma_1)(i) = N_i[\sigma_1]$, where $i \in p$, $N_i = \sigma_2(i) \in \Lambda(n)$, and $N_i[\sigma_1] \in \Lambda(m)$ is the result of applying in parallel to $N_i$ the substitutions $x_j := M_j$, with $M_j = \sigma_1(j)$ and $j \in n$. Identities are given by identity substitutions $id : n \to \Lambda(n)$.

It is easy to see that $\mathcal{D}$ has finite products: the terminal object is $0$, and the product of $m$ with $n$ is $m + n$. Therefore, the object $n$ is the product of $n$ copies of the object $1$; moreover $\mathcal{D}(m, 1) \cong \Lambda(m)$.
Remark. We can provide an informal justification for the choice of $\mathcal{D}$. The objects of $\mathcal{D}$ correspond to the states of a name-counter: state $m$ means that $m$ names, say $x_0, \ldots, x_{m-1}$, have been created so far. For the choice of morphisms the justification is more technical: it is almost forced when one wants $\hat{\mathcal{D}}(exp^m, exp)$ to be isomorphic to the set of $\lambda_0$-terms whose free variables are included in $\{x_0, \ldots, x_{m-1}\}$. In fact, the natural way of interpreting $exp$ in $\hat{\mathcal{D}}$ is with a functor s.t. $exp(m)$ = the set of $\lambda_0$-terms with free names among those available at state $m$. If we require $exp = Y(1)$, i.e. the image of $1 \in \mathcal{D}$ via the Yoneda embedding, and $m$ to be the product in $\mathcal{D}$ of $m$ copies of $1$, then we have $\hat{\mathcal{D}}(exp^m, exp) = \hat{\mathcal{D}}(Y(1)^m, Y(1)) = \hat{\mathcal{D}}(Y(m), Y(1)) = \mathcal{D}(m, 1) = exp(m)$. Therefore, we can conclude that $\mathcal{D}(m, n) = exp(m)^n$. Moreover, to define composition in $\mathcal{D}$ we are forced to take $\lambda_0$-terms modulo $\alpha$-conversion.

3.2 The static category

We define $\hat{\mathcal{D}}$ as the functor category $Cpo^{\mathcal{D}^{op}}$, which is a variant of the more familiar topos of presheaves $Set^{\mathcal{D}^{op}}$. Categories of the form $\hat{\mathcal{W}}$ (where $\mathcal{W}$ is a small category) have been used in [Ole85] for modeling local variables in Algol-like languages. $\hat{\mathcal{W}}$ enjoys the following properties:

- it has small limits and colimits (computed pointwise), and exponentials;
- it is Cpo-enriched, thus one can interpret fix-point combinators and solve recursive domain equations by analogy with Cpo;
- there is a full and faithful embedding $Y : \mathcal{W} \to \hat{\mathcal{W}}$, which preserves limits and exponentials. This is basically the Yoneda embedding $Y(w) = \mathcal{W}(\_, w)$;
- the functor $\Delta : Cpo \to \hat{\mathcal{W}}$ s.t. $(\Delta X)(\_) = X$ has left and right adjoints.
Since $\mathcal{D}$ has a terminal object, $\Delta : Cpo \to \hat{\mathcal{D}}$ is full and faithful, and its right adjoint is the global section functor $\Gamma : \hat{\mathcal{D}} \to Cpo$ s.t. $\Gamma F = \hat{\mathcal{D}}(1, F) = F(0)$. A description of several constructions in $\hat{\mathcal{W}}$ relevant for denotational semantics can be found in [Ten91]. Here we recall only the definition of exponentials.

Definition 2. The exponential object $G^F$ in $\hat{\mathcal{W}}$ is the functor s.t.

- $G^F(w)$ is the cpo of families $s \in \prod_{f : w' \to w} Cpo(Fw', Gw')$ ordered pointwise and satisfying the compatibility condition: for any $g : w_2 \to w_1$ and $f_1 : w_1 \to w$ in $\mathcal{W}$, with $f_2 = f_1 \circ g$, the square
$$\begin{array}{ccc} Fw_1 & \xrightarrow{\ s_{f_1}\ } & Gw_1 \\ {\scriptstyle Fg}\downarrow & & \downarrow{\scriptstyle Gg} \\ Fw_2 & \xrightarrow{\ s_{f_2}\ } & Gw_2 \end{array}$$
commutes in Cpo, i.e. $Gg \circ s_{f_1} = s_{f_2} \circ Fg$;
- $(G^F f\ s)_g = s_{f \circ g}$ for any $g : w'' \to w'$ in $\mathcal{W}$ (where $f : w' \to w$).
We recall also the notion of $\omega$-inductive relation in a Cpo-enriched functor category $\hat{\mathcal{W}}$, which is used in the correctness proof.

Definition 3. Given an object $X \in \hat{\mathcal{W}}$, a (unary) $\omega$-inductive relation $R \subseteq X$ in $\hat{\mathcal{W}}$ consists of a family $(R_w \subseteq Xw \mid w \in \mathcal{W})$ of $\omega$-inductive relations in Cpo satisfying the monotonicity condition:

- $f : w' \to w$ in $\mathcal{W}$ and $x \in R_w \subseteq Xw$ implies $Xf\,x \in R_{w'} \subseteq Xw'$.

3.3 Interpretation of PCF2
By analogy with Section 1, we parameterize the interpretation of PCF2 in $\hat{\mathcal{D}}$ w.r.t. a strong monad $T$ on Cpo satisfying the additional properties stated in Note 1. Any such $T$ induces a strong monad $T^{\mathcal{D}^{op}}$ on $\hat{\mathcal{D}}$ satisfying the same additional properties. With some abuse of language we write $T$ for its pointwise extension $(T^{\mathcal{D}^{op}} F)(m) = T(F(m))$. In the proof of correctness we take $TX = X_\bot$, since the monad has to account only for the possibility of non-termination at specialization-time, while the interpretation of $\underline{\lambda}$ exploits only the functor category structure (and not the monad, as done for the interpretations in Cpo). Also in this case the interpretation of PCF2 can be described by a standard translation $\_^s$ into a suitable metalanguage with computational types (which play only a minor role). The key differences w.r.t. the interpretation/translation of Section 2 are: the interpretation of $exp$ (which is not the image of a cpo via the functor $\Delta$), and the expression-building operation $build\_\lambda$ (which has type $(exp \to exp) \to exp$, as expected in a higher-order syntax encoding of $\lambda_0$).

- $base^s = T(\Delta(const))$, where $const$ is the flat cpo of ground constants. Therefore, $base(n) = T(const)$ and so global elements of $base$ correspond to elements of the cpo $T(const)$.
- $code^s = T(exp)$, where $exp = Y(1)$, i.e. the image of $1 \in \mathcal{D}$ via the Yoneda embedding $Y : \mathcal{D} \to \hat{\mathcal{D}}$. Therefore, $exp(n) = \Lambda(n)$ and $code(n) = T(\Lambda(n))$. It is also immediate to show that $\hat{\mathcal{D}}(exp^n, exp)$ is isomorphic to $\Lambda(n)$:
  • $\hat{\mathcal{D}}(Y(1)^n, Y(1)) \cong$ because $Y$ preserves finite products
  • $\hat{\mathcal{D}}(Y(n), Y(1)) \cong$ because $Y$ is full and faithful
  • $\mathcal{D}(n, 1) \cong \Lambda(n)$ by definition of $\mathcal{D}$.
- When translating terms of PCF2 we make use of the following expression-building operations (which are interpreted by morphisms in $\hat{\mathcal{D}}$, i.e. natural transformations):
  • $build\_const : \Delta(const) \to exp$ s.t. $build\_const_n : const \to \Lambda(n)$ is the obvious inclusion of ground constants. Alternatively, one can define $build\_const$ via the isomorphism $\hat{\mathcal{D}}(\Delta(const), exp) \cong Cpo(const, \Lambda(0))$ induced by the adjunction $\Delta \dashv \Gamma$.
  • $build\_@ : exp, exp \to exp$ s.t. $build\_@_n : \Lambda(n), \Lambda(n) \to \Lambda(n)$ is the function $M_1, M_2 \mapsto M_1@M_2$ which builds an application. Alternatively, one can define $build\_@$ as the natural transformation corresponding to the term $x_0@x_1 \in \Lambda(2)$, via the isomorphism $\hat{\mathcal{D}}(exp^2, exp) \cong \Lambda(2)$. There are similar definitions for $build\_fix$ and $build\_if$.
  • $build\_\lambda : exp^{exp} \to exp$ is the trickiest part and is defined below.
- the interpretation of static operations/constants is obvious; in particular we have least fixed-points because $\hat{\mathcal{D}}$ is Cpo-enriched.
- $(lift\ e)^s = let\ x \Leftarrow e^s\ in\ build\_const(x)$
  $\underline{c}^s = build\_const(c)$
  $(\underline{op}\ \bar{e})^s = let\ \bar{M} \Leftarrow \bar{e}^s\ in\ build\_op\ \bar{M}$, where $op \in \{fix, @, if\}$
  $\underline{\lambda} : code^{code} \to code$ is defined in terms of $build\_\lambda : exp^{exp} \to exp$ as explained below.

To define the components of the natural transformation $build\_\lambda : exp^{exp} \to exp$ we use the following fact, which is an easy consequence of Yoneda's lemma.

Lemma 4. For any $u \in \mathcal{W}$ and $F \in \hat{\mathcal{W}}$ there is a natural isomorphism between the functors $F^{Y(u)}$ and $F(\_ \times u)$.

By Lemma 4, $build\_\lambda$ amounts to a natural transformation from $\mathcal{D}(\_ + 1, 1)$ to $\mathcal{D}(\_, 1)$. We describe $build\_\lambda$ through a diagram:
$$\begin{array}{ccccc} m & & M \in \Lambda(m+1) & \xrightarrow{\ build\_\lambda_m\ } & (\lambda x_m.M) \in \Lambda(m) \\ {\scriptstyle \sigma}\downarrow & & \downarrow{\scriptstyle [\sigma+1]} & & \downarrow{\scriptstyle [\sigma]} \\ n & & M[\sigma+1] \in \Lambda(n+1) & \xrightarrow{\ build\_\lambda_n\ } & (\lambda x_n.M[\sigma+1]) \in \Lambda(n) \end{array}$$

Observe that $\mathcal{D}(\_, 1) = \Lambda(\_)$, the substitution $(\sigma + 1) : m + 1 \to \Lambda(n + 1)$ is like $\sigma$ on $m$ and maps $m$ to $x_n$, while the commutativity of the diagram follows from $(\lambda x_n.M[\sigma+1]) =_\alpha (\lambda x_m.M)[\sigma]$. To define $\underline{\lambda} : T(exp)^{T(exp)} \to T(exp)$ we need the following lemma.

Lemma 5. For any functor $T : Cpo \to Cpo$, $u \in \mathcal{W}$ and $F \in \hat{\mathcal{W}}$ there is a natural isomorphism between the functors $(TF)^{Y(u)}$ and $T(F^{Y(u)})$.
Proof. For any $v \in \mathcal{W}$ we give an isomorphism between $(TF)^{Y(u)}(v)$ and $T(F^{Y(u)})(v)$:

$$\begin{array}{rcll} (TF)^{Y(u)}(v) & = & (TF)(u \times v) & \text{by Lemma 4} \\ & = & T(F(u \times v)) & \text{since } T \text{ is extended pointwise to } \hat{\mathcal{W}} \\ & = & T(F^{Y(u)}(v)) & \text{by Lemma 4} \\ & = & T(F^{Y(u)})(v) & \text{since } T \text{ is extended pointwise to } \hat{\mathcal{W}} \end{array}$$

It is immediate to see that this family of isomorphisms is natural in $v$.

By exploiting the isomorphism $i : T(exp)^{exp} \to T(exp^{exp})$ given by Lemma 5, one can define $\underline{\lambda} : T(exp)^{T(exp)} \to T(exp)$ in a metalanguage with computational types as
$$\underline{\lambda}(f) = let\ f' \Leftarrow i(\lambda x : exp.\ f(x))\ in\ build\_\lambda(f')$$
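As an added illustration (example code written for this edition, not the paper's own), the category $\mathcal{D}$ of Section 3.1 and the components $build\_\lambda_m$ above, with an executable check of the commuting square; the tuple encoding of $\lambda_0$-terms and the de Bruijn test for $\alpha$-conversion are representation choices made here, and the instance at the end is constructed.

```python
# Added example, not code from the paper: the syntactic category D of Section 3.1
# (objects n, arrows = substitutions, composition with renaming) and the components
# build_lam_m : Lambda(m+1) -> Lambda(m) of build_lambda, with a check of the commuting
# square above. Terms are tuples over variables x_i; alpha-conversion is decided by
# converting to de Bruijn form (a representation choice made here, not the paper's).

def var(i):
    return ('var', i)

def app(m, n):
    return ('app', m, n)

def lam(i, body):
    return ('lam', i, body)

def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) - {t[1]}

def indices(t):
    """All variable indices occurring in t, free or bound."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return indices(t[1]) | indices(t[2])
    return indices(t[2]) | {t[1]}

def subst(t, sigma):
    """Parallel substitution x_j := sigma[j], renaming binders to avoid capture."""
    if t[0] == 'var':
        return sigma.get(t[1], t)
    if t[0] == 'app':
        return app(subst(t[1], sigma), subst(t[2], sigma))
    i, body = t[1], t[2]
    inner = {j: s for j, s in sigma.items() if j != i and j in free_vars(body)}
    if any(i in free_vars(s) for s in inner.values()):   # binder x_i would capture a free x_i
        fresh = max(indices(body) | {k for s in inner.values() for k in indices(s)}) + 1
        body, i = subst(body, {i: var(fresh)}), fresh
    return lam(i, subst(body, inner))

def debruijn(t, env=()):
    """Nameless form: bound variables become ('b', depth), free ones ('f', i)."""
    if t[0] == 'var':
        return ('b', env.index(t[1])) if t[1] in env else ('f', t[1])
    if t[0] == 'app':
        return ('app', debruijn(t[1], env), debruijn(t[2], env))
    return ('lam', debruijn(t[2], (t[1],) + env))

def alpha_eq(s, t):
    return debruijn(s) == debruijn(t)

# An arrow m -> n of D is a substitution sigma : n -> Lambda(m), kept here as a list of
# n terms whose free variables lie in {x_0, ..., x_{m-1}}.
def identity(n):
    return [var(i) for i in range(n)]

def compose(sigma2, sigma1):
    """(sigma2 o sigma1)(i) = N_i[sigma1] for sigma1 : m -> n and sigma2 : n -> p."""
    return [subst(N, dict(enumerate(sigma1))) for N in sigma2]

def build_lam(m, M):
    """build_lambda_m : Lambda(m+1) -> Lambda(m), binding the newest name x_m."""
    assert free_vars(M) <= set(range(m + 1)), "M must live in Lambda(m+1)"
    return lam(m, M)

def naturality_square(m, n, M, sigma):
    """Both paths of the diagram for M in Lambda(m+1) and sigma : m -> Lambda(n)
    (an arrow n -> m of D, given as m terms over Lambda(n)); sigma+1 maps x_m to x_n.
    Returns (substitute-then-bind path, bind-then-substitute path, alpha-equal?)."""
    sigma_plus_1 = dict(enumerate(sigma + [var(n)]))
    via_subst_then_lam = build_lam(n, subst(M, sigma_plus_1))
    via_lam_then_subst = subst(build_lam(m, M), dict(enumerate(sigma)))
    return via_subst_then_lam, via_lam_then_subst, alpha_eq(via_subst_then_lam, via_lam_then_subst)

# Constructed instance: M = x_0 x_1 in Lambda(2), sigma sends x_0 to x_1 in Lambda(2).
# Substituting naively into lambda x_1. x_0 x_1 would capture x_1, which is the freshness
# problem discussed for Gomard's semantics; renaming the binder keeps the square commuting.
EXAMPLE = naturality_square(1, 2, app(var(0), var(1)), [var(1)])
```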
Remark. The category $\hat{\mathcal{D}}$ has two full sub-categories $\mathcal{D}$ and Cpo, which have a natural interpretation: $\mathcal{D}$ corresponds to dynamic types, while Cpo corresponds to pure static types, i.e. those producing no residual code at specialization time (e.g. $base$). A key property of pure static expressions is that they cannot depend on dynamic expressions. Semantically this means that the canonical map $(\Delta X) \to (\Delta X)^{Y(u)}$, i.e. $x \mapsto \lambda y : Y(u).x$, is an isomorphism. In fact, by Lemma 4 $(\Delta X)^{Y(u)}$ is naturally isomorphic to $(\Delta X)(\_ \times u)$, which is $(\Delta X)$.

3.4 Correctness and logical relations
The semantics for the two-level language PCF2 was used in [GJ91, Gom92] to prove a correctness theorem for partial evaluation. The correctness theorem relates the interpretation of the object language $\lambda_0$ in Cpo to the interpretation $I^2$ of the two-level language PCF2 in $\hat{\mathcal{D}}$. The first step is to define a translation $\_^\phi$ from PCF2 to $\lambda_0$, i.e. $\bar{x} : \bar{\tau} \vdash_{PCF2} e : \tau$ implies $\bar{x} \vdash_{\lambda_0} e^\phi$, which erases types and annotations, so $(\lambda x : \tau.e)^\phi = \lambda x.e^\phi$, $(op^t\ \bar{e})^\phi = op\ \bar{e}^\phi$, $(\underline{op}\ \bar{e})^\phi = op\ \bar{e}^\phi$ and $(lift\ e)^\phi = e^\phi$. By composing the translation $\phi$ with the interpretation of $\lambda_0$ we get an interpretation $I^1$ of PCF2 in Cpo, where every type is interpreted by the cpo $D = (const + (D \to D))_\bot$. At this stage we can state two correctness criteria (the first being a special case of the second), which exploit in an essential way the functor category structure:

- Given a closed PCF2-expression $\emptyset \vdash e : code$, its $I^2$ interpretation is a global element $d$ of $exp_\bot \in \hat{\mathcal{D}}$, and therefore $d_0 \in \Lambda(0)_\bot$. Correctness for $e$ means: $d_0 = up(M)$ implies $[\![M]\!] = [\![e^\phi]\!] \in D$, for any $M \in \Lambda(0)$.
- Given an open PCF2-expression $\bar{x} : code \vdash e : code$ where $\bar{x} = x_0, \ldots, x_{n-1}$, its $I^2$ interpretation is a morphism $f : exp^n_\bot \to exp_\bot$, and therefore $f_n : \Lambda(n)^n_\bot \to \Lambda(n)_\bot$. Correctness for $e$ means: $f_n(up(x_0), \ldots, up(x_{n-1})) = up(M)$ implies $[\![\bar{x} \vdash M]\!] = [\![\bar{x} \vdash e^\phi]\!] \in D^n \to D$, for any $M \in \Lambda(n)$.

The proof of correctness requires a stronger result, which amounts to proving that the two interpretations of PCF2 are logically related. However they live in different categories. Therefore, before one can relate them via a (Kripke) logical relation $R$ between typed applicative structures (see [MM91]), they have to be moved (via limit preserving functors) to a common category $\mathcal{C}$, where

- $\mathcal{C}$ is the category whose objects are pairs $(m \in \mathcal{D}, \rho \in D^m)$, while morphisms from $(m, \rho) \to (n, \rho')$ are those $\sigma : m \to n$ in $\mathcal{D}$ s.t. $\rho' = [\![\sigma]\!]\rho$;
- $\pi : \mathcal{C} \to \mathcal{D}$ is the obvious projection functor $(m, \rho) \mapsto m$.
The Kripke logical relation $R$ is a family of $\omega$-inductive relations (see Definition 3) $R^\tau$ in $\mathcal{C}$ defined by induction on the structure of types $\tau$ in PCF2.

- $base$: $R^{base}_{(m,\rho)} \subseteq const_\bot \times D$ s.t. $\bot\ R_{(m,\rho)}\ d$ and $up(c)\ R_{(m,\rho)}\ d \iff d = up(inl\ c)$
- $code$: $R^{code}_{(m,\rho)} \subseteq \Lambda(m)_\bot \times D$ s.t. $\bot\ R_{(m,\rho)}\ d$ and $up(M)\ R_{(m,\rho)}\ d \iff d = [\![M]\!]\rho$

We must check that $R^{code}$ satisfies the monotonicity property of a Kripke relation, i.e. $\sigma : (m, \rho) \to (n, \rho')$ in $\mathcal{C}$ and $up(M)\ R^{code}_{(m,\rho)}\ d$ implies $up(M\sigma)\ R^{code}_{(n,\rho')}\ d$. This follows from $\rho' = [\![\sigma]\!]\rho$, i.e. from the definition of morphism in $\mathcal{C}$, and $[\![M\sigma]\!]\rho' = [\![M]\!]\rho$, i.e. the substitution lemma for the interpretation of $\lambda_0$. More diagrammatically this means

$$\begin{array}{ccccc} (m, \rho) & & up(M) & R^{code}_{(m,\rho)} & [\![M]\!]\rho = d \\ {\scriptstyle \sigma}\downarrow & & \downarrow{\scriptstyle \sigma} & & \parallel \\ (n, \rho') & & up(M\sigma) & R^{code}_{(n,\rho')} & [\![M\sigma]\!]\rho' = d \end{array}$$

The family $R$ on functional types is defined (in the internal language) in the standard way, i.e. $f\ R^{\tau_1 \to \tau_2}\ g \iff \forall x, y.\ x\ R^{\tau_1}\ y \supset f@_2x\ R^{\tau_2}\ g@_1y$, where $@_i$ is the binary application of the applicative structure used for the interpretation $I^i$. The definition of the Kripke logical relation at types $base$ and $code$ says that partial evaluation is only partially correct, namely if it terminates it gives the expected result. By the fundamental lemma of logical relations, to prove that the interpretations $I^1$ and $I^2$ of PCF2 are logically related it suffices to show that the interpretations of all higher-order constants (besides $@$ and $\lambda$) are logically related. This is a fairly straightforward check, therefore we consider only a few cases, including the critical one of dynamic $\lambda$-abstraction.

$\underline{@}$: Since $\underline{@}_2$ is strict, we need to prove only that $up(M_i)\ R_{(m,\rho)}\ d_i$ (for $i = 1, 2$) implies $up(M_1)\ \underline{@}_2\ up(M_2) = up(M_1@M_2)\ R_{(m,\rho)}\ d_1\ \underline{@}_1\ d_2 = d_1@_1d_2$. By definition of $R$ at type $code$, we have to prove that $[\![M_1@M_2]\!]\rho = d_1@_1d_2$:
- $[\![M_i]\!]\rho = d_i$, because $up(M_i)\ R_{(m,\rho)}\ d_i$;
- $[\![M_1@M_2]\!]\rho = @_1([\![M_1]\!]\rho, [\![M_2]\!]\rho)$, by definition of $I^1$;
- therefore $[\![M_1@M_2]\!]\rho = d_1@_1d_2$.

$fix^\tau$: We need to prove that $f\ R^{\tau \to \tau}\ g$ implies $(\sqcup_i x_i)\ R^\tau\ (\sqcup_i y_i)$, where $x_0 = y_0 = \bot$ and $x_{i+1} = f@_2x_i$ and $y_{i+1} = g@_1y_i$. This follows immediately from $\omega$-inductivity of $R^\tau$, i.e.
- $\bot\ R^\tau\ \bot$ and
- $(\sqcup_i x_i)\ R^\tau\ (\sqcup_i y_i)$ when $\langle x_i \rangle_{i \in \omega}$ and $\langle y_i \rangle_{i \in \omega}$ are $\omega$-chains and $\forall i.\ x_i\ R^\tau\ y_i$.

$\omega$-inductivity of $R^\tau$ can be proved by a straightforward induction on $\tau$.
The case of $\underline{\lambda} : (code \to code) \to code$ is the most delicate one. Suppose that $f\ R^{code \to code}_{(m,\rho)}\ g$; we have to prove that $\underline{\lambda}_m(f)\ R^{code}_{(m,\rho)}\ up(inr(\lambda d : D.\ g@_1d))$. For this we need an explicit description of $\underline{\lambda}_m(f) \in \Lambda(m)_\bot$:
- $\underline{\lambda}_m(f) = \bot$ when $f_{\pi : m+1 \to m}(up\ x_m) = \bot$, where $\pi : m + 1 \to m$ is the first projection in $\mathcal{D}$ and we exploit the definition of exponentials in $\hat{\mathcal{D}}$;
- $\underline{\lambda}_m(f) = up(\lambda x_m.M)$ when $up(M) = f_{\pi : m+1 \to m}(up\ x_m) \in \Lambda(m+1)_\bot$.

We can ignore the first case, since when $\underline{\lambda}_m(f) = \bot$ there is nothing to prove. In the second case, we have to prove that $[\![\lambda x_m.M]\!]\rho = up(inr(\lambda d : D.\ g@_1d))$, i.e. $[\![M]\!](\rho, m \mapsto d) = g@_1d$ for any $d \in D$:
- $up(x_m)\ R^{code}_{(m+1, (\rho, m \mapsto d))}\ d$, by definition of $R^{code}$;
- $up(M) = f_{\pi : m+1 \to m}(up\ x_m)\ R^{code}_{(m+1, (\rho, m \mapsto d))}\ g@_1d$, because $f\ R^{code \to code}_{(m,\rho)}\ g$ and $\pi : (m+1, (\rho, m \mapsto d)) \to (m, \rho)$ in $\mathcal{C}$;
- $[\![M]\!](\rho, m \mapsto d) = g@_1d$, by definition of $R$.

4 Comparisons
In this section we make a comparative analysis of the interpretations of PCF2 in Cpo and $\hat{\mathcal{D}}$. In fact, to highlight more clearly the differences in the interpretations of $code$ and dynamic $\lambda$-abstraction (and ignore orthogonal issues), it is better to work in a simplified setting, where
- $\lambda_0$ is the pure untyped $\lambda$-calculus;
- PCF2 is the simply typed $\lambda$-calculus with atomic type $code$, and additional operations $\underline{@} : code, code \to code$ and $\underline{\lambda} : (code \to code) \to code$.

With this simplification one can ask for total correctness of the interpretation of PCF2 w.r.t. an interpretation of $\lambda_0$ in Cpo (say in the standard model $D = (D \to D)_\bot$ for the lazy $\lambda$-calculus). Moreover, the interpretation of PCF2 without $fix^\tau$ can be given in Set or $Set^{\mathcal{D}^{op}}$, where the syntactic category $\mathcal{D}$ has to be changed to reflect the simplifications in $\lambda_0$. The following table summarizes the key differences between the original interpretation proposed by Gomard (Gomard's naive), its patching (Gomard's patched) and the interpretation in $\hat{\mathcal{D}}$ (functor category).

                      | Gomard's naive       | Gomard's patched      | functor category
----------------------|----------------------|-----------------------|------------------------------
Semantics category    | Set                  | Set                   | $Set^{\mathcal{D}^{op}}$
$code$                | $exp$                | $exp^N$               | $\Lambda(n)$ at stage $n$
$code \to code$       | $exp^{exp}$          | $(exp^N)^{(exp^N)}$   | $\Lambda(n+1)$ at stage $n$
$\underline{\lambda}$ | not defined          | use counter           | use functor category
$R^{code}$            | $R_{\rho : N \to D}$ | not defined           | $R_{n : N,\ \rho : n \to D}$
correctness proof     | not meaningful       | not stated            | by Kripke log. rel.

where $exp$ is the set of $\lambda$-terms with variables in $N$, $\Lambda(n)$ is the set of $\lambda$-terms modulo $\alpha$-conversion with free variables in $n$, and $D \in Cpo$ is a domain for interpreting the lazy $\lambda$-calculus, i.e. $D = (D \to D)_\bot$. When describing the functor in $\hat{\mathcal{D}}$ interpreting a certain type of PCF2, we have given only its action on objects. The comparison shows that:
- The functor category interpretation is very similar to Gomard's naive interpretation when it comes to the definition of $code$ and $R^{code}$, though more care is taken in spelling out which object variables may occur free in an object expression.
- The advantage of working in a functor category becomes apparent in the interpretation of $code \to code$; this explains also why the functor category can handle the interpretation of $\underline{\lambda}$.
- Gomard's patched semantics has strong similarities with the simple-minded semantics in Cpo for modeling local variables in Algol-like languages. In fact, Gomard's patched semantics parameterizes the meaning of expressions, but not that of types, w.r.t. the number of names generated so far.
Conclusions and future work

The first part of the paper recalls the main definitions and results in [Gom92], points out the problems with the published interpretation of the two-level language PCF2, and presents possible ways of fixing the interpretation (these were proposed by Olivier Danvy, Fritz Henglein and Neil Jones during several e-mail exchanges) along the lines hinted at by Gomard. After fixing the interpretation of PCF2, there are however problems in fixing the correctness proof in [Gom92]. In the second part of the paper we propose an alternative semantics, and prove correctness for it. We have also cast doubts on the possibility of giving an interpretation of PCF2 in Cpo and proving its correctness w.r.t. the standard interpretation of $\lambda_0$ using a logical relation. An alternative approach to correctness is proposed in [Wan93]. This avoids any explicit use of operational or denotational semantics; instead, correctness is proved modulo $\beta$-conversion. Wand uses logical relations, and represents dynamic expressions using higher-order abstract syntax (while [Gom92] uses concrete syntax, and can distinguish $\alpha$-convertible expressions). Similar problems to those pointed out in Section 2 are present in other correctness proofs (e.g. [HM94]), which adapt Gomard's approach to more complex two-level languages. We would like to test whether the functor category approach scales up to these languages.
References

[FMS96] M. Fiore, E. Moggi, and D. Sangiorgi. A fully-abstract model for the pi-calculus. In 11th LICS Conference. IEEE, 1996.
[GJ91] K. Gomard and N. Jones. A partial evaluator for the untyped lambda calculus. J. of Func. Program., 1(1), 1991.
[Gom91] Carsten Krogh Gomard. Program Analysis Matters. PhD thesis, DIKU, November 1991. DIKU report 91/17.
[Gom92] K. Gomard. A self-applicable partial evaluator for the lambda calculus. ACM Trans. on Progr. Lang. and Systems, 14(2), 1992.
[HM94] F. Henglein and C. Mossin. Polymorphic binding-time analysis. In D. Sanella, editor, ESOP'94, volume 788 of LNCS. Springer Verlag, 1994.
[JGS93] Neil D. Jones, Carsten K. Gomard, and Peter Sestoft. Partial Evaluation and Automatic Program Generation. Prentice Hall International, 1993.
[Law63] F.W. Lawvere. Functorial semantics of algebraic theories. Proc. Nat. Acad. Sci. U.S.A., 50, 1963.
[Mit96] John C. Mitchell. Foundations of Programming Languages. The MIT Press, Cambridge, MA, 1996.
[MM91] J. Mitchell and E. Moggi. Kripke-style models for typed lambda calculus. Journal of Pure and Applied Algebra, 51, 1991.
[Mog91] E. Moggi. Notions of computation and monads. Information and Computation, 93(1), 1991.
[Mog97a] E. Moggi. A categorical account of two-level languages. In MFPS XIII, ENTCS. Elsevier, 1997.
[Mog97b] E. Moggi. Metalanguages and applications. In Semantics and Logics of Computation, Publications of the Newton Institute. CUP, 1997.
[MW85] A. Meyer and M. Wand. Continuation semantics in typed lambda calculus. In R. Parikh, editor, Logics of Programs '85, volume 193 of LNCS. Springer Verlag, 1985.
[NN92] F. Nielson and H.R. Nielson. Two-Level Functional Languages. Number 34 in Cambridge Tracts in Theoretical Computer Science. CUP, 1992.
[Ole85] F.J. Oles. Type algebras, functor categories and block structure. In M. Nivat and J.C. Reynolds, editors, Algebraic Methods in Semantics, 1985.
[OT92] P.W. O'Hearn and R.D. Tennent. Semantics of local variables. In Applications of Categories in Computer Science, number 177 in L.M.S. Lecture Notes Series. CUP, 1992.
[PS93] A.M. Pitts and I.D.B. Stark. Observable properties of higher order functions that dynamically create local names, or: What's new? In Math. Found. of Comp. Sci. '93, volume 711 of LNCS. Springer Verlag, 1993.
[Ten91] R.D. Tennent. Semantics of Programming Languages. Prentice Hall, 1991.
[Wan93] Mitchell Wand. Specifying the correctness of binding-time analysis. Journal of Functional Programming, 3(3):365-387, July 1993.
Deciding Properties for Message Sequence Charts

Anca Muscholl 1, Doron Peled 2 and Zhendong Su 3

1 Institut für Informatik, Universität Stuttgart, Breitwiesenstr. 20-22, 70565 Stuttgart, Germany
2 Bell Laboratories, Lucent Technologies, 600 Mountain Av., Murray Hill, NJ 07974, and Carnegie Mellon University, School of Computer Science, Pittsburgh, PA, 15213-3891, USA
3 EECS Department, University of California, Berkeley, CA 94710-1776, USA
Abstract. Message sequence charts (MSC) are commonly used in designing communication systems. They allow describing the communication skeleton of a system and can be used for finding design errors. First, a specification formalism that is based on MSC graphs, combining finite message sequence charts, is presented. We then present an automatic validation algorithm for systems described using the message sequence charts notation. The validation problem is tightly related to a natural language-theoretic problem over semi-traces (a generalization of Mazurkiewicz traces, which represent partially ordered executions). We show that a similar and natural decision problem is undecidable.
1 Introduction
Message sequence charts (MSC) are a notation widely used for the early design of communication protocols. With its graphical representation, it allows one to describe the communication skeleton of a protocol by indicating the messages that are sent between its different processes. Using message sequence charts one can document the features of a system, and the way its parts interact. Although MSCs often do not contain the full information that is needed for implementing the described protocols, they can be used for various analysis purposes. For example, one can use MSCs to search for missing features or incorrect behaviors. It is possible to detect mistakes in the design, e.g., the existence of race conditions [1] or nonlocal choice [2]. Another task that is often done using MSCs is providing 'feature transparence', namely upgrading a communication system in a way that all the previous services are guaranteed to be supported. In recent years MSCs have gained popularity and interest. An international committee (ITU-Z 120 [7]) has been working on developing standards for MSCs. Some tools for displaying MSCs and performing simple checks were developed [1,8]. We model systems of MSCs, allowing a (possibly infinite) family of (finite or infinite) executions. Each execution consists of a finite or infinite set of send and receive events, together with a partial (causal) order between them. Such a system is denoted using MSC graphs, where individual MSCs are combined to form a branching and possibly looping structure. Thus, an MSC graph describes a way of combining partially ordered executions of events. We suggest in this paper a specification formalism for MSC properties based on directed graphs: each node of the graph consists of a template, which includes a set of communication events, and the causal order between them. We study three alternative semantics for the specification by MSC graphs:

- Using the same semantics as for an MSC system. Namely, each maximal sequence corresponds exactly to one execution.
- With gaps, i.e., as a template, where only part of the events (and the order between them) is specified. Moreover, choices in the specification graph correspond to different possible ways to continue the execution.
- Again with gaps, but with choices corresponding to conjunctions. Namely an execution matching the specification must include all the events in every possible path of the specification, respecting the associated causal orders.

The main focus of this paper is on developing an algorithm for deciding whether there are executions of the checked system of MSCs that match the specification. Such an execution is considered as a 'bad' execution and if one exists it should be reported as a counter-example for the correctness of the system. For the first semantics we show in Section 5 that the matching problem is undecidable. For the last two problems we provide algorithms and we show them to be NP-complete, see Section 4. In the special case of matching two single MSCs we provide a deterministic polynomial time algorithm, improving the result of [8], see Section 3. The complexity of related problems has been studied for pomset languages [6]. In contrast, in [6] only finite pomset languages are studied (however, over a richer structure). The matching problem can also be represented as a decision problem for semi-traces [4].
A semi-trace is a set of words that is obtained from some word by means of (not necessarily symmetric) rewriting rules. These rules allow commuting pairs of adjacent letters. A semi-trace language is a set of words closed under these given rewriting rules. We provide a natural transformation from MSCs to semi-traces. This allows explaining our decidability result as a decision problem on rational languages of semi-traces. One surprising consequence of this translation is that it applies in the same way to two rather different communication semantics for a natural subclass of MSCs: that of asynchronous fifo communication and that of synchronous (handshake) communication. Work is in progress to add the proposed validation framework to a toolset that was developed for manipulating MSCs [1]. This paper concludes with several open problems and suggested further work.
2 Charts and MSC Graphs
In this section, we introduce message sequence charts (MSC) and MSC graphs, as well as the matching problem.
Definition 1 (MSC). A message sequence chart $M$ is a quintuple $(E, <, L, T, \mathcal{P})$ where $E$ is a set of events, $< \subseteq E \times E$ is an acyclic relation, $\mathcal{P}$ is a set of processes, $L : E \to \mathcal{P}$ is a mapping that associates each event with a process, and $T : E \to \{s, r\}$ is a mapping that describes the type of each event (send or receive).

The order relation $<$ is called the visual ordering of events and it is obtained from the syntactical representation of the chart (e.g. represented according to the standard syntax ITU-Z 120). It is called 'visual' since it reflects the graphical representation of MSCs. We distinguish between two types of visual ordering as follows. We let
-
In general, the visual order provides more ordering than intended by the designer. Therefore we associate with every chart a causal structure providing the intended ordering. Causal structures are related to pomsets [11], event structures [9], and traces [5]. A causal structure is obtained from an MSC by means of a given semantics. Formally, the causal structure of an MSC $M$ is a quintuple $tr(M) = (E, \prec, L, T, \mathcal{P})$, where the only component that differs from the definition of an MSC is the relation $\prec$, called the precedence order of events. For two events $e$ and $f$, we have $e \prec f$ if and only if event $e$ must terminate before event $f$ starts. The transitive closure $\prec^*$ of $\prec$ is called the causal order. Events which are not causally ordered can occur independently of each other. The precedence order of events is defined by a set of semantic rules. As the semantics used throughout the paper, we give below the set of rules for an architecture with fifo queues. This means that every one-directional communication between two processes is done through a fifo channel. For this architecture we have in the visual order for each message pair $e$

1. $T(e) = T(f) = s \wedge e <_P f$ for some process $P$.
2. A message pair: $T(e) = s \wedge T(f) = r \wedge e <_c f$.
3. Messages ordered by the fifo queue: $T(e) = T(f) = r \wedge e <_P f$ for some process $P \wedge \exists e', f'\ (e' <_c e \wedge f' <_c f \wedge e' <_{P'} f'$ for some process $P')$.
4. A receive precedes a send on the same process line: $T(e) = r \wedge T(f) = s \wedge e <_P f$ for some process $P$.

Remark 2. For a causal structure $O = (E, \prec, L, T, \mathcal{P})$ we use the usual notation $e{\downarrow}$ for the downward closure of an event $e \in E$ w.r.t. the partial order of $O$, i.e. $e{\downarrow} = \{f \in E \mid f \prec^* e\}$. The notion of a minimal element $e$ in $O$ is also standard, meaning that $e' \prec^* e$ implies $e' = e$. We denote by $min(O)$ the set of minimal elements of the partial order of $O$.
Note that the following relation between configurations associated to a message pair holds under the fifo semantics:

Lemma 3. Let $e$ ... and ... $e_1 <_c f_1$ for $e_1$ with $e_1 \prec e$, $T(e_1) = s$, $L(e_1) = L(e)\}$.
2.1 Templates and the Matching Problem
An MSC $M$ matches an MSC $N$ (or is embedded in $N$) if the chart $N$ respects the causal order on the events specified by $M$. (Clearly, matching is defined with respect to a given semantics.) The MSC $M$ is called a template MSC and it represents the specification, whereas the MSC $N$ is called a system MSC. For matching $M$ against $N$ it suffices to consider the reduced partial order of $M$. Moreover, a template is viewed as a possibly partially specified execution of the system. The actual executions may contain additional messages, which may induce additional ordering.

Definition 4 (Matching a template with an MSC). Under a given semantics, a template $M$ with the causal structure $tr(M) = (E_M, \prec_M, L_M, T_M, \mathcal{P}_M)$ matches a chart $N$ with the causal structure $tr(N) = (E_N, \prec_N, L_N, T_N, \mathcal{P}_N)$ if and only if $\mathcal{P}_M \subseteq \mathcal{P}_N$ and there exists an injective mapping (called embedding) $h : E_M \to E_N$ such that

- for each $e \in E_M$, we have $L_N(h(e)) = L_M(e)$ and $T_N(h(e)) = T_M(e)$ (preserving processes and types), and
- if $e_1 \prec_M e_2$ then $h(e_1) \prec_N h(e_2)$ (preserving the causal order).

Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ denote the set of processes. For an event $e \in E$ we are often interested in its 'message type' $msg(e)$ and we let $msg(e) = s_{ij}$, if $e$ is a send event from $P_i$ to $P_j$, and $msg(e) = r_{ij}$ if $e$ is a receive event of $P_j$ from $P_i$, respectively. Let $msg(M) = \{msg(e) \mid e \in E_M\}$.
Note that under the fifo semantics the injectivity of the embedding is already implied by the two other properties in the definition above. Moreover, under this semantics we have a simpler characterization of embeddings, which takes into account just message types:

Lemma 5. Let $M, N$ denote two MSCs and let $h : M \to N$ be a mapping. Then $h$ is an embedding from $M$ to $N$ if and only if the following conditions hold for any two events $e, f \in E_M$:
1. If $(e, f)$ is a message pair, then $(h(e), h(f))$ is also a message pair between the same processes.
2. Let $e \prec_M f$ such that $(e, f)$ is not a message pair (thus, $e, f$ are on the same process). Then $msg(h(e)) = msg(e)$, $msg(h(f)) = msg(f)$ and $h(e)$
In order to distinguish MSC graphs from finite MSCs we denote throughout the paper a finite MSC (not bound to any MSC graph) as a single MSC. In an MSC graph $N = (S, T, s_0, c)$, a path $\xi$ is called maximal if it begins with the starting state $s_0$ and it is not a proper prefix of another path. Notice that a maximal path can be either infinite or finite. Let also $msg(N) = \bigcup_{s \in S} msg(c(s))$. Fig. 1 shows an example of an MSC graph where the state in the upper left corner is the starting state. Note that the executions of this system are either finite or infinite. Also note that the events of receiving the messages fail and report are not causally ordered.

Definition 7 (Matching paths). Let $\xi_1$ and $\xi_2$ be two finite or infinite paths in some MSC graphs. Then $\xi_1$ matches $\xi_2$ if $c(\xi_1)$ matches $c(\xi_2)$.
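As an added, runnable illustration of Definition 1, the fifo rules 1-4, Definition 4 and Lemma 5 (example code written for this edition, not the paper's own): a chart is built from its process lines and message pairs, the precedence relation is derived by the four rules, and a template is matched against a system MSC by a direct backtracking search for an embedding, pruned by message types. The processes, events and messages are constructed for the example, and the search is not the paper's polynomial algorithm of Section 3.

```python
# Added example, not code from the paper: an MSC (Definition 1) with the fifo
# precedence rules 1-4, its causal order, and a backtracking search for an
# embedding h : E_M -> E_N as in Definition 4, pruned by message types (Lemma 5).

class MSC:
    """proc_order: {process: [event, ...]} top to bottom, giving the visual order e <_P f.
    messages: [(send_event, receive_event), ...], giving the message pairs e <_c f."""

    def __init__(self, proc_order, messages):
        self.proc_order = proc_order
        self.messages = set(messages)
        self.proc = {e: p for p, evs in proc_order.items() for e in evs}
        self.kind, self.partner = {}, {}
        for s, r in messages:
            self.kind[s], self.kind[r] = 's', 'r'
            self.partner[s], self.partner[r] = r, s
        self.events = sorted(self.proc)
        self.causal = transitive_closure(self.precedence())

    def same_line(self, e, f):
        """e <_P f: both events on process line P, e drawn above f."""
        p = self.proc[e]
        return p == self.proc[f] and self.proc_order[p].index(e) < self.proc_order[p].index(f)

    def msg(self, e):
        """Message type s_ij / r_ij of Section 2.1 as (type, sender, receiver)."""
        s = e if self.kind[e] == 's' else self.partner[e]
        return (self.kind[e], self.proc[s], self.proc[self.partner[s]])

    def precedence(self):
        """The precedence relation e -< f for an architecture with fifo queues."""
        prec = set()
        for e in self.events:
            for f in self.events:
                if e == f:
                    continue
                te, tf, line = self.kind[e], self.kind[f], self.same_line(e, f)
                if te == tf == 's' and line:                       # rule 1
                    prec.add((e, f))
                if te == 's' and self.partner[e] == f:             # rule 2: message pair
                    prec.add((e, f))
                if te == tf == 'r' and line and self.same_line(self.partner[e], self.partner[f]):
                    prec.add((e, f))                               # rule 3: same fifo channel
                if te == 'r' and tf == 's' and line:               # rule 4
                    prec.add((e, f))
        return prec

    def ordered(self, e, f):
        """The causal order e -<* f."""
        return (e, f) in self.causal

def transitive_closure(rel):
    closure = set(rel)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new

def find_embedding(template, system):
    """Return an injective h preserving processes, types and causal order
    (Definition 4), or None if the template does not match the system MSC."""
    if not set(template.proc_order) <= set(system.proc_order):
        return None
    todo = template.events

    def consistent(h):
        for a in h:
            for b in h:
                if template.ordered(a, b) and not system.ordered(h[a], h[b]):
                    return False
                if (a, b) in template.messages and (h[a], h[b]) not in system.messages:
                    return False                                   # Lemma 5, condition 1
        return True

    def extend(h, i):
        if i == len(todo):
            return dict(h)
        e = todo[i]
        for cand in system.events:
            if cand in h.values() or system.msg(cand) != template.msg(e):
                continue                                           # Lemma 5, condition 2
            h[e] = cand
            if consistent(h) and (found := extend(h, i + 1)) is not None:
                return found
            del h[e]
        return None

    return extend({}, 0)

# Constructed system MSC: P1 sends req to P2 (a,b); P2 then sends fail to P3 (c,d); P1 sends
# report to P3 (e,f). On P3 the fail receive d is drawn above the report receive f.
SYSTEM = MSC({'P1': ['a', 'e'], 'P2': ['b', 'c'], 'P3': ['d', 'f']},
             [('a', 'b'), ('c', 'd'), ('e', 'f')])
# Template drawing the two receives on P3 in the opposite order: it still matches,
# because rule 3 orders receives only when they arrive through the same fifo channel.
RACE_TEMPLATE = MSC({'P1': ['m'], 'P2': ['k'], 'P3': ['n', 'l']}, [('k', 'l'), ('m', 'n')])
# Template requiring the report send to precede the req send on P1 (rule 1);
# the system orders them the other way round, so no embedding exists.
BAD_ORDER_TEMPLATE = MSC({'P1': ['q', 'p'], 'P2': ['r'], 'P3': ['u']}, [('q', 'u'), ('p', 'r')])
```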
Fig. 1. A system MSC graph (figure not reproduced in this text).
A strongly connected component $C$ of a directed graph $(S, \tau)$ is a subset $C \subseteq S$ such that for any $u, v \in C$ there is a nonempty path from $u$ to $v$. A maximal strongly connected component is a strongly connected component which is maximal w.r.t. set inclusion.
3 Matching a Template
In this section, we consider the problem of matching a single template MSC with an MSC graph. As a first result, we show that we can check whether a template can be embedded into a single MSC in polynomial time. (Recall that we assume that the fifo semantics is used.) This algorithm refines the result of [8], where a PSPACE algorithm was exhibited without specifying the semantics. The present matching algorithm is based on the simple observation that it suffices to match a suitable minimal send event and the corresponding receive event with the first occurrence of a message pair of the same type.
Proposition 8. Let $M = (E_M, \prec_M, L_M, T_M, \mathcal{P}_M)$, $N = (E_N,$

Proof. Note first that all minimal elements of $tr(M)$ are send events. Suppose that $M$ matches $N$ via $h : M \to N$, where $h(e_0) \neq \mu(e_0)$ (hence $h(f_0) \neq f_0'$). Let $e_0' := \mu(e_0)$ and let $\hat{h}$ be given by $\hat{h}(e_0) = e_0'$, $\hat{h}(f_0) = f_0'$ and $\hat{h}(g) = h(g)$ for every $g \notin \{e_0, f_0\}$. Now, if $e_0 \prec_M g$, then $h(e_0) \prec_N h(g)$ and hence also $e_0' \prec_N h(g)$, since $e_0' \prec_N h(e_0)$ and $e_0', h(e_0)$ have the same message type. A similar argument holds for $f_0 \prec_M g$, which shows that $\hat{h}$ is again an embedding from $M$ to $N$. In order to show that $M'$ matches $N'$ it suffices to show that $\hat{h}(E_M) \cap \{g' \in E_N \mid g' \prec^*_N f_0'\} = \{e_0', f_0'\}$. Assume the contrary, i.e. there exists $g \in E_M$ such that $\hat{h}(g) \prec^*_N f_0'$ and $\hat{h}(g) \notin \{e_0', f_0'\}$. Since every receive event is preceded by its corresponding send event, we may assume that $T_M(g) = s$, i.e. $g$ is a send event. Let $e_1 \in \min(tr(M))$ be a minimal event with $e_1 \prec^*_M g$; then $\hat{h}(e_1) \prec^*_N \hat{h}(g) \prec^*_N f_0'$. By Lemma 3 we obtain that $\hat{h}(e_1) \prec^*_N e_0'$, since $e_1$ is a send event. By the definition of $\mu$ we have $\mu(e_1) \preceq_N \hat{h}(e_1)$, hence $\mu(e_1) \preceq_N e_0'$. Thus, by the choice of $e_0$ we obtain $\mu(e_1) = e_0'$. Therefore, $e_0' \prec^*_N \hat{h}(g) \prec^*_N f_0'$, which yields $e_0' = \hat{h}(g)$ due to $T_M(g) = s$, a contradiction. Suppose finally that $M'$ matches $N'$ via $h'$ and consider some event $g$ in $M'$. If $e_0 \prec_M g$, then we also have $e_0' \prec$
Definition 10 (Matching a t e m p l a t e w i t h an M S C graph). A template MSC M matches an MSC graph N if M matches some maximal path of N.
Matching a template against an MSC graph actually requires only paths of bounded length to be checked:

Proposition 11. Let $N$ be an MSC graph and let $M$ be a single template MSC such that $M$ matches $N$. Then there is a path in $N$ that embeds $M$ and has length at most $m \cdot d$, where $m$ is the number of messages in $M$ and $d$ is the maximal length of a simple path in $N$ (i.e. of a path where no node appears twice).

Proposition 11 yields a non-deterministic algorithm for matching a template with an MSC graph which guesses a path of length at most $m \cdot d$ in $N$ and verifies that the template matches this path. The algorithm is polynomial in the size of the template and the number of nodes in the graph. The proposition below shows that matching is also NP-hard.
Proposition 12. Matching a single template MSC with an MSC graph is NP-complete, even if the graph is acyclic.

Proof. It suffices to show that matching is NP-hard. For this, we reduce the satisfiability problem for formulas in conjunctive normal form (CNF-SAT) to the MSC matching problem. Consider a formula $\bigwedge_{j=1}^{k} C_j$ with clauses (disjunctions) $C_j$ over the variables $x_1, \ldots, x_l$. For each clause $C_j$ we take two processes, $P_j$ and $R_j$. Let $m(j)$ denote a message from $P_j$ to $R_j$. Note that the events of different messages $m(i), m(j)$, $i \neq j$, are not causally ordered. Then the template $M$ is given as $M = m(1) \cdots m(k)$. The system graph $N = (S, \tau, s_0, c)$ contains for each variable $x_i$ three states denoted as $o_i, p_i$ and $n_i$, i.e. $S = \{o_i, p_i, n_i \mid 1 \leq i \leq l\}$. Let $s_0 = o_1$. The edge set is given by $\tau = \{(o_i, p_i), (o_i, n_i), (p_j, o_{j+1}), (n_j, o_{j+1}) \mid 1 \leq i \leq l, 1 \leq j < l\}$. The assignment of MSCs to states is as follows: for every $i$, $c(o_i) = \emptyset$, $c(p_i) = \{m(j) \mid x_i \text{ occurs in } C_j\}$ and $c(n_i) = \{m(j) \mid \neg x_i \text{ occurs in } C_j\}$. That is, $c(p_i)$ contains the messages associated to all clauses satisfied by $x_i := \text{true}$, wh ereas $c(n_i)$ contains the messages associated to all clauses satisfied by $x_i := \text{false}$. Thus, a maximal path in the MSC graph $N$ corresponds exactly to an assignment of the variables. The single MSC $M$ matches a maximal path of $N$ if and only if the assignment given by the path satisfies all clauses.
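The reduction in the proof of Proposition 12, carried out in code as an added example (not from the paper): the MSC graph is built from a CNF formula, its maximal paths are enumerated, and a path is accepted when its messages cover the template. Because the $k$ template messages use pairwise disjoint process pairs, embedding $m(1) \cdots m(k)$ into a path reduces to set containment, which is the observation the proof relies on; the DIMACS-style clause encoding, state names and sample formula are the example's own.

```python
"""Proposition 12's reduction, CNF-SAT -> template matching on an acyclic MSC graph.

Added example, not code from the paper.  Clauses use DIMACS-style literals: +i
stands for x_i, -i for not x_i.  Message m(j), from P_j to R_j, is represented by
the clause number j; since the k messages use pairwise disjoint process pairs,
their events are pairwise unordered and the template m(1)...m(k) embeds into a
path exactly when every m(j) occurs somewhere along it.
"""
from itertools import product


def build_msc_graph(clauses, nvars):
    """Return (states, edges, start, c): states o_i, p_i, n_i per variable,
    c(p_i) / c(n_i) = clauses satisfied by x_i := true / false, c(o_i) = empty."""
    states, edges, c = [], set(), {}
    for i in range(1, nvars + 1):
        o, p, n = f"o{i}", f"p{i}", f"n{i}"
        states += [o, p, n]
        c[o] = frozenset()
        c[p] = frozenset(j for j, cl in enumerate(clauses, 1) if i in cl)
        c[n] = frozenset(j for j, cl in enumerate(clauses, 1) if -i in cl)
        edges |= {(o, p), (o, n)}
        if i < nvars:
            edges |= {(p, f"o{i + 1}"), (n, f"o{i + 1}")}
    return states, edges, "o1", c


def maximal_paths(states, edges, start):
    """All maximal paths (start to a sink) of an acyclic graph, by DFS."""
    succ = {s: sorted(t for u, t in edges if u == s) for s in states}
    stack = [[start]]
    while stack:
        path = stack.pop()
        if not succ[path[-1]]:
            yield path
        for t in succ[path[-1]]:
            stack.append(path + [t])


def matches_graph(template, graph):
    """Definition 10 for this reduction: the first maximal path whose messages
    cover the template, or None."""
    states, edges, start, c = graph
    for path in maximal_paths(states, edges, start):
        if template <= frozenset().union(*(c[s] for s in path)):
            return path
    return None


def path_to_assignment(path):
    """p_i on the path means x_i := true, n_i means x_i := false."""
    return {int(s[1:]): s[0] == "p" for s in path if s[0] in "pn"}


def satisfies(clauses, assignment):
    return all(any(assignment[abs(l)] == (l > 0) for l in cl) for cl in clauses)


def brute_force_sat(clauses, nvars):
    """Reference check: does any of the 2^n assignments satisfy the formula?"""
    return any(satisfies(clauses, dict(zip(range(1, nvars + 1), bits)))
               for bits in product((False, True), repeat=nvars))


# Constructed instance: (x1 v x2) & (-x1 v x3) & (-x2 v -x3), satisfiable.
CLAUSES = [[1, 2], [-1, 3], [-2, -3]]
TEMPLATE = frozenset(range(1, len(CLAUSES) + 1))       # m(1) m(2) m(3)

if __name__ == "__main__":
    path = matches_graph(TEMPLATE, build_msc_graph(CLAUSES, 3))
    print(path, path_to_assignment(path))   # ['o1','p1','o2','n2','o3','p3'] -> x1, not x2, x3
```

The graph has $2^l$ maximal paths, one per assignment, so `matches_graph` is exponential exactly as the NP-hardness result predicts; `brute_force_sat` is only there to cross-check the answer.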
4 Matching MSC Graphs
In this section, we discuss our extension of the matching algorithm to deal with MSC graphs. Adopting the same convention as for matching two single MSCs, we call one of the MSC graphs the template (MSC) graph. The other graph is called the system (MSC) graph. The template graph represents a collection of properties (behaviors), each defined by one of its maximal paths. Then for the or-semantics as defined below, the template corresponds to a non-deterministic choice among these behaviors, so an execution of the system needs to contain at least one of the executions described by the template. For the and-semantics an execution of the system matches the template if it contains all the executions of the template MSC graph.

Fig. 2. A template MSC graph (figure not reproduced in this text).

Definition 13 (Matching a template graph with a system graph). Let $M$ and $N$ be two MSC graphs.
1. $M$ or-matches $N$ if there exists a maximal path $\chi$ of $N$ and a maximal path $\xi$ of $M$ which matches $\chi$.
2. $M$ and-matches $N$ if there exists a maximal path $\chi$ of $N$ such that all maximal paths $\xi$ of $M$ match $\chi$.

Consider the and-graph template in Fig. 2. This template matches the system of Fig. 1, since the system may alternate infinitely often between Connect and Fail. The next lemmas present some fundamental properties of matching paths of MSC graphs. A subpath $\xi'$ of a path $\xi = s_0, s_1, \ldots$ in some graph $G$ is a path of $G$ of the form $\xi' = s_{i_0}, s_{i_1}, s_{i_2}, \ldots$ with $i_0 < i_1 < \cdots$. In this case, we call $\xi$ a superpath of $\xi'$.

Lemma 14. Let $M, N$ be two MSC graphs and let $\xi_1, \xi_2$ denote paths in $M, N$, respectively. Let $\xi_1$ match $\xi_2$. Then for every subpath $\xi_1'$ of $\xi_1$ and every superpath $\xi_2'$ of $\xi_2$, $\xi_1'$ matches $\xi_2'$.

Proposition 15. Let $M, N$ be two MSC graphs and consider an infinite path $\xi$ in $M$ such that every state from $\xi$ occurs infinitely often in $\xi$. Let $C$ be the strongly connected component of $M$ induced by the states from $\xi$. Consider also an infinite path $\chi$ in $N$ and let $C'$ denote the strongly connected component of the states occurring infinitely often in $\chi$. Then the following holds:
1. $\xi$ matches $\chi$ if and only if $msg(C) \subseteq msg(C')$.
2. Let $K$ denote a simple cycle within $C$ and suppose that $\xi$ matches $\chi$. Then $K^\omega$ matches $\chi$, too (here, $K^\omega$ denotes the infinite path $K K \ldots$).
3. Let $K$ be a cycle containing all states from $C'$. Then $\xi$ matches $\chi$ if and only if $\xi$ matches $K^\omega$.

Proof. Suppose first that $\xi$ matches $\chi$. Then, since embeddings preserve message types, it is easily seen that $msg(C) \subseteq msg(C')$. For the converse let $\chi = \chi_0 \chi_1 \ldots$, with $\chi_i$ finite paths such that every $\chi_i$, $i \geq 1$, contains all states from $C'$. Also, consider a linearization $e_1 e_2 \ldots$ of $tr(\xi)$ satisfying the property that for each $i$, $(e_{2i-1}, e_{2i})$ is a message pair. We define an embedding $h$ inductively by mapping $(e_{2i-1}, e_{2i})$ to events from $\chi_i$, $i \geq 1$. More precisely, $h$ maps $e_{2i-1}$ to the first event $e'$ occurring in $c(\chi_i)$ satisfying $msg(e_{2i-1}) = msg(e')$. Then, $e_{2i}$ is mapped by $h$ to the corresponding receive event of $e'$. By Lemma 5 it is easy to check that $h$ preserves the causal order. The second assertion of the proposition is obtained directly from Lemma 14, whereas the last assertion is a consequence of the first one.
4.1 The Complexity of OR-Matching
The next theorem shows that for or-matching two MSC graphs only finite paths have to be considered for an embedding. More precisely, for the recurrent part of a path only the message types of events are relevant. For a strongly connected component C and a state s we denote below a path from s to some node in C as a path from s to C.
Theorem 16. Let $M = (S, \tau, s_0, c)$ be a template graph and $N = (S', \tau', s_0', c')$ be a system graph. Then $M$ or-matches $N$ if and only if either there exists a finite maximal path of $M$ which matches $N$, or there exist
- a simple cycle $K$ in $M$ and a simple path $\xi$ from $s_0$ to $K$,
- a strongly connected component $C'$ of $N$ and a path $\chi$ from $s_0'$ to $C'$,
such that $\xi$ matches $\chi$ and $msg(K) \subseteq msg(C')$.

Proof. Suppose that $M$ or-matches $N$ via an infinite maximal path. Then, by Lemma 14 and Proposition 15(2) we also obtain a path of $M$ of the form $\xi K K \ldots$ which matches $N$, where $K$ is a simple cycle and $\xi$ is a simple path from $s_0$ to $K$. Let $\rho$ denote a path in $N$ such that $\xi K^\omega$ matches $\rho$. Moreover, let $\chi$ be a minimal prefix of $\rho$ such that $\xi$ matches $\chi$ and the corresponding suffix lies within a strongly connected component of $N$. Then, by applying Proposition 15(1), we obtain the result. For the converse we may use again Proposition 15(1) in order to extend the embedding of $\xi$ into $\chi$ to an embedding of $\xi K^\omega$ into a path in $N$ starting with $\chi$.
First note that in Theorem 16 the path $\chi$ is in general not simple. But by Proposition 11 its length is bounded by $size(\xi) \cdot n$, with $size(\xi)$ denoting the number of messages in $\xi$, and $n$ denoting the number of states in $N$. Note also that we can require above that $C'$ is a maximal strongly connected component, due to Lemma 14. Hence, an algorithm based on Theorem 16 would first compute in linear time all maximal strongly connected components of $N$. Then, for each maximal strongly connected component $C'$, consider the states $s$ of $M$ with $msg(c(s)) \subseteq msg(C')$ and the subgraph $M_{C'}$ induced by these states. The algorithm checks whether there is some simple path $\xi$ from $s_0$ to some strongly connected component of $M_{C'}$ which matches a path $\chi$ from $s_0'$ to $C'$. (The length of $\chi$ is bounded by a polynomial in the size of $\xi$ and the size of $N$.) The complexity of the above algorithm basically derives from two problems: one consists of finding all simple paths from the initial node to a given subgraph, and the second one is the problem of matching a single template MSC with an MSC graph. Clearly, Theorem 16 directly yields an NP-algorithm for or-matching. Moreover, by Proposition 12 already the case where the template graph is a single node is NP-hard. Hence, we obtain:

Corollary 17. The or-matching problem for MSC graphs is NP-complete.
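The recurrent-part step of the algorithm sketched above (compute the strongly connected components of the system graph and compare message-type sets, Proposition 15(1)), as an added example that is not code from the paper. The graph encoding, the string message types and the sample system modelled loosely on Fig. 1 are the example's own assumptions; the matching of the finite prefix $\xi$ against $\chi$ is deliberately left out, since it is the single-MSC matching problem of Section 3.

```python
"""Recurrent part of or-matching (Theorem 16 / Proposition 15(1)).

Added example, not code from the paper.  A system graph is (succ, s0, c) with
succ the successor lists and c(s) the set of message types of the single MSC at
state s (message types are plain strings here, standing for the paper's s_ij /
r_ij).  For a simple cycle K of the template graph, the infinite path K^omega
embeds into a path that stays inside a strongly connected component C' of the
system exactly when msg(K) is a subset of msg(C'); this block computes the
components with Tarjan's algorithm and checks that condition.
"""


def tarjan_sccs(succ):
    """Strongly connected components of a directed graph given as successor lists."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in succ:
        if v not in index:
            visit(v)
    return comps


def reachable(succ, s0):
    seen, todo = {s0}, [s0]
    while todo:
        for w in succ.get(todo.pop(), ()):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen


def recurrent_components(system):
    """Maximal strongly connected components of the system that are reachable
    from s0 and contain a cycle (size > 1 or a self-loop), with their msg sets."""
    succ, s0, c = system
    live = reachable(succ, s0)
    out = []
    for comp in tarjan_sccs(succ):
        cyclic = len(comp) > 1 or any(v in succ.get(v, ()) for v in comp)
        if cyclic and comp <= live:
            out.append((comp, frozenset().union(*(c[s] for s in comp))))
    return out


def recurrent_match(cycle_msgs, system):
    """A component C' with msg(K) <= msg(C') (smallest by sorted state names), or None."""
    hits = [comp for comp, msgs in recurrent_components(system) if cycle_msgs <= msgs]
    return min(hits, key=sorted) if hits else None


# Constructed system graph in the spirit of Fig. 1: after Connect the system either
# Fails and reconnects forever, or succeeds and Reports forever.  The state 'dead'
# is unreachable and must be ignored.
SUCC = {"init": ["connect"], "connect": ["fail", "ok"], "fail": ["connect"],
        "ok": ["report"], "report": ["report"], "dead": ["dead"]}
MSGS = {"init": set(), "connect": {"s_Connect", "r_Connect"},
        "fail": {"s_Fail", "r_Fail"}, "ok": {"s_Ok", "r_Ok"},
        "report": {"s_Report", "r_Report"}, "dead": {"s_Report", "r_Report"}}
SYSTEM = (SUCC, "init", MSGS)

if __name__ == "__main__":
    print(recurrent_match({"s_Connect", "r_Connect", "s_Fail", "r_Fail"}, SYSTEM))
    print(recurrent_match({"s_Report", "r_Report"}, SYSTEM))
    print(recurrent_match({"s_Connect", "r_Connect", "s_Report", "r_Report"}, SYSTEM))
```

A template cycle that alternates Connect and Fail, or one that repeats Report, has a recurrent home in the system; a cycle needing both Connect and Report does not, since no single component of the system carries both message types.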
4.2 The Complexity of AND-Matching
For the and-matching problem we need to deal not only with strongly connected components, but also with states reachable from some strongly connected component. The reason is that some of the events in such states have to be mapped to events belonging to recurrent states in the system graph. For an MSC graph $M = (S, \tau, s_0, c)$ let $S_c \subseteq S$ denote the set of nodes belonging to some strongly connected component of $M$. For each state $s \in S$ let us partition the events belonging to the single MSC $c(s)$ associated with $s$ into two sets $c_f(s), c_\omega(s)$ as follows. For each event $e \in c(s)$ let $e \in c_\omega(s)$ if and only if there exist some state $s' \in S_c$, some event $e'$ in $c(s')$ and a path $\xi$ from $s'$ to $s$ with $e' \prec_\xi e$ for the causal order $\prec_\xi$ associated to the execution of $\xi$. We denote by $E_\omega$ the set of events $\{e \mid e \in c_\omega(s), s \in S\}$. The set $E_\omega$ can be computed in polynomial time as follows: let $E'_\omega := \{e' \mid e' \in c(s'), s' \in S_c\}$. Then for every $e \notin E'_\omega$, $e \in c(s)$, test whether there is some event $e' \in E'_\omega$, $e' \in c(s')$, such that $s$ is reachable from $s'$ through a path $\xi$ and $e' \prec_\xi e$ for the execution of that path. Note that $e' \prec_\xi e$ holds if and only if $e' \prec_\chi e$ holds for any other path $\chi$ from $s'$ to $s$. Moreover, by Lemma 3 the condition $e' \prec_\xi e$ can be checked by examining the message types of $e, e'$. If the test is positive, then let $E'_\omega := E'_\omega \cup \{e\}$. This step is repeated until no more events can be added. Note also that for every $e \in c_\omega(s)$ and $e' \in c(s)$ with $e \prec_{c(s)} e'$, also $e' \in c_\omega(s)$ holds. Moreover, for every message pair $e_1$

of $c(s)$ is the same as the causal order of $c_f(s) c_\omega(s)$. Finally, for $s \in S_c$ we have $c(s) =$
Theorem 18. Let $M = (S, \tau, s_0, c)$ be a template graph and $N = (S', \tau', s_0', c')$ be a system graph. Define a mapping $\hat{c} : S \to \mathcal{M}$ by letting $\hat{c}(s) = c_f(s)$. Let $\hat{M} = (\hat{S}, \hat{\tau}, s_0, \hat{c})$ denote the MSC graph with state set $\hat{S} = \{s \in S \mid \hat{c}(s) \neq \emptyset\} \cup \{s_0\}$ and $(s, s') \in \hat{\tau}$ if and only if $s, s' \in \hat{S}$ such that $\neg(s = s' = s_0)$ and there is a path $s = s_1, \ldots, s_k = s'$ in $M$ satisfying $\hat{c}(s_i) = \emptyset$ for all $1 < i < k$. Then $M$ and-matches $N$ if and only if there exists a subgraph $C'$ of $N$ and a path $\chi$ from $s_0'$ to $C'$ such that
1. All paths in $\hat{M}$ match $\chi$.
2. If $M$ contains cycles then $msg(E_\omega) \subseteq msg(C')$ and $C'$ is a strongly connected component of $N$.

Proof. First, note that the MSC graph $\hat{M}$ is acyclic (since the only possible loop would be a self-loop of $s_0$, which has been excluded by definition). Suppose that $M$ and-matches $N$ and consider a path $\rho$ in $N$ such that all maximal paths in $M$ match $\rho$. If $M$ is acyclic, hence $\hat{M} = M$, then we are done by choosing an appropriate finite prefix $\chi$ of $\rho$. So suppose that $S_c \neq \emptyset$; then $\rho$ must be infinite. Let $C'$ be the strongly connected component containing exactly the states occurring infinitely often in $\rho$. Let $\xi$ be a (finite) path from $\hat{M}$. Then it is easy to verify that there exists a path $\sigma$ in $M$ such that the causal order of the execution of $\xi$ is a prefix of the causal order of the execution of $\sigma$. Hence, $\xi$ matches $\rho$, too. Let $\chi$ be a finite prefix of $\rho$ such that all (finite) paths from $\hat{M}$ match $\chi$ and the corresponding suffix lies within a strongly connected component of $N$. Finally, consider an event $e$ in some $c_\omega(s)$, for some state $s$. Then there exists for each $n \geq 0$ a path $\xi$ from $s_0$ to $s$ such that the configuration $e{\downarrow}$ of the occurrence of $e$ in the last node of $\xi$ contains at least $n$ events. Hence, there is some state $s'$ occurring in $\rho$ infinitely often, such that $msg(e) = msg(e')$ holds for some event $e'$ in $s'$. This concludes one direction of the proof.

Conversely, suppose that $M$ has cycles. Let $\xi = s_0, s_1, \ldots$ be a maximal (finite or infinite) path in $M$. Note that the causal order associated to the execution $c(\xi)$ of $\xi$ is identical to the causal order of $c_f(\xi) c_\omega(\xi)$, where $c_f(\xi) = c_f(s_0) c_f(s_1) \ldots$ and $c_\omega(\xi) = c_\omega(s_0) c_\omega(s_1) \ldots$. Moreover, $c_f(s_0) c_f(s_1) \ldots$ is a finite MSC since there can be only a finite number of nodes $s_i$ with $c_f(s_i) \neq \emptyset$. Also, $c_f(s_0) c_f(s_1) \ldots$ is the execution of a finite path in $\hat{M}$, thus it matches $\chi$. Since $msg(E_\omega) \subseteq msg(C')$ we obtain similarly to Proposition 15 that the MSC $c_\omega(s_0) c_\omega(s_1) \ldots$ matches $K^\omega$, for some fixed cycle $K$ containing all the states from $C'$. Thus, $\xi$ matches $\chi K^\omega$, which shows the claim.
By the previous theorem we have to consider the problem of and-matching a single MSC against an acyclic MSC graph. The next proposition shows that for and-matching an acyclic graph it suffices to look for a mapping which is an embedding for all the paths (instead of embedding each path separately).
Proposition 19. Let $M$ be an acyclic MSC graph and let $N$ be a single MSC. Then $M$ and-matches $N$ if and only if there exists a mapping $g : M \to N$ which is an embedding for all paths in $M$.

Proof. Suppose that $M$ and-matches $N$ and let $g_\xi$ denote an embedding of a maximal path $\xi$ of $M$ in $N$. Let $\Xi$ denote the set of all maximal paths of $M$. Define a mapping $g : M \to N$ by letting $g(e) = \max\{g_\xi(e) \mid \xi \in \Xi, e \text{ occurs on } \xi\}$. Note that for a fixed event $e$ the set $\{g_\xi(e) \mid \xi \in \Xi, e \text{ occurs on } \xi\}$ is totally ordered w.r.t. $\prec_N$. This is due to the fifo semantics, since for each $e, e'$ with $msg(e) = msg(e')$ we have either $e \preceq e'$ or $e' \preceq e$. We show that $g$ is an embedding for every path $\xi \in \Xi$. If $e$
Proposition 20. Let $M = (S, \tau, s_0, c)$ be an acyclic MSC graph and let $s \in S$ be a source node, i.e. a node without predecessors. Let $N = (E_N, \prec_N, L_N, T_N, \mathcal{P}_N)$ be a single MSC. Assume that $M$ and-matches $N$ and let $h : c(s) \to N$ be defined by

$h(e) = e'$ if $e'$ is minimal w.r.t. $\prec^*_N$ such that $e{\downarrow}$ matches $e'{\downarrow}$.

Let $g : M \to N$ be a mapping which is an embedding for all paths from $M$ in $N$. We define a mapping $g' : M \to N$ by letting $g'|_{c(s)} = h$ and $g'(e) = g(e)$ for every $e \notin c(s)$. Then $g'$ is also a mapping which embeds all paths of $M$ into $N$.

Proof. It can be easily verified that for every event $e \in c(s)$ and every mapping $g : M \to N$ which is an embedding for all paths in $M$ (in particular for $c(s)$) one has $h(e) \preceq_N g(e)$. Therefore, if $e \prec_\xi f$ holds for the execution of a nonempty path $\xi$ from $s$ to $s'$ for two events $e, f$ with $e \in s$ and $f \in s'$, then also $h(e) \prec_N g(f)$ holds.

Proposition 20 yields a polynomial-time algorithm for matching an acyclic and-graph with an MSC defined by a path. We first determine for each node $s$ and for each event $e \in c(s)$ the immediate predecessor events of $e$ (w.r.t. the causal order) located in $s$ and in the nodes preceding $s$. Then we embed a source node $s$ of $M$ and iterate this procedure with $M \setminus \{s\}$. When processing the current node $s$, events in $c(s)$ are mapped according to the partial order (starting with minimal elements) as suggested by Proposition 8. That is, a suitable event $e \in \min(tr(M))$ is mapped to the minimal event $e'$ of the same type in $N$ such that $e'{\downarrow}$ contains all events to which the immediate predecessor events of $e$ were mapped. Together with Theorem 18 we obtain an NP-algorithm for the and-matching problem by first guessing a subgraph $C'$ of the system graph $N$ and a path $\chi$ from the starting node of $N$ to some node in $C'$. Then we verify deterministically that the acyclic MSC graph $\hat{M}$ defined in Theorem 18 and-matches the single MSC corresponding to $\chi$. Note that due to Proposition 19 we can bound the length of $\chi$ by a polynomial in the number of messages in $M$ and the number of nodes in $N$. Together with Proposition 12 we obtain:

Corollary 21. The and-matching problem for MSC graphs is NP-complete.

5 An Undecidable Problem
The matching problems considered previously were based on the paradigm that templates represent partial specifications of system behaviors. We show below that if we require that templates represent exact behaviors, then the or-matching problem is undecidable. For the fifo semantics considered in this paper we show first that, considering a message pair as a single letter, we obtain an isomorphism between the causal orders of a natural subclass of message sequence charts and partial orders of semi-traces. Semi-traces are objects known from the algebraic study of concurrency (for a survey on semi-traces see Chapter 12 in [5]). Formally, assume that $\mathcal{P} = \{P_1, \ldots, P_m\}$ is the set of processes. We associate an alphabet $\Sigma = \{m_{ij} \mid 1 \leq i \neq j \leq m\}$ and a non-commutation relation $SD \subseteq \Sigma \times \Sigma$, $SD = \{(m_{ij}, m_{ik}) \mid j \neq i \neq k\} \cup \{(m_{ij}, m_{jk}) \mid i \neq j \neq k\}$. The idea underlying $SD$ is to consider in the precedence order the order between sends on the same process and receives ordered by the fifo condition (the pairs $(m_{ij}, m_{ik})$), and receives followed by sends on the same process line (the pairs $(m_{ij}, m_{jk})$). The complementary relation, $SI = (\Sigma \times \Sigma) \setminus SD$, called semi-commutation relation, yields a rewriting system $\{ab \to ba \mid (a, b) \in SI\}$, which will also be denoted by $SI$. A semi-trace $[w]$ is a set of words, $[w] = \{v \in \Sigma^* \mid w \to^*_{SI} v\}$. The concatenation of two semi-traces $[u], [v]$ is defined as $[u][v] = [uv]$. It is an associative operation and the set of all semi-traces over $(\Sigma, SI)$ together with the concatenation is a monoid with identity $1 = [\varepsilon]$, which is denoted $(M(\Sigma, SI), \cdot, 1)$. Note also that the relation $SD$ is reflexive. Moreover, $[w] = [w']$ holds if and only if $w$ can be rewritten into $w'$ by using symmetric rules only. In the next proposition we show that a naturally arising subclass of MSCs can be identified with semi-traces. We restrict our consideration to MSCs satisfying the condition that in the visual representation no two message lines intersect. We denote this subclass as ordered MSCs.
Clearly, ordered MSCs satisfy the fifo condition on the visual order. Note also that the syntactic concatenation of MSCs induces a concatenation operation for the associated causal orders, which is associative.

Proposition 22. Let $\mathcal{M}_o$ denote the set of ordered MSCs over the set of processes $\mathcal{P} = \{P_1, \ldots, P_m\}$ and let $(\Sigma, SI)$ be defined as above. Then the monoid of causal orders over $\mathcal{M}_o$ is isomorphic to $(M(\Sigma, SI), \cdot, 1)$.
Proof. Let $M = (E, <, L, T, \mathcal{P})$ and define a homomorphism $h : E^* \to \Sigma^*$ by letting $h(e) = m_{ij}$ if $e$ is a send event from $P_i$ to $P_j$, and $h(e) = \lambda$ if $e$ is a receive event. To $M$ we associate a language $t_M$ over $\Sigma^*$:

$t_M = \{h(z) \mid z \in E^* \text{ is a linearization of } \prec_M\}$.

Then we can show that $t_M$ is a semi-trace over $(\Sigma, SI)$. For this, we first define a linearization $z_0 \in E^*$ of $M$ inductively by choosing some message pair $(e, f)$ of $M$ satisfying
- $e$ is minimal w.r.t. the visual order $<$ in $M$,
- for every $g \in E_M$: $g < f \Leftrightarrow g = e$,
and letting $z_0 = e f z_0'$, where $z_0'$ is defined accordingly for $M' := M \setminus \{e, f\}$. (Note that the existence of $e, f$ as above is due to $M$ being an ordered MSC.) Then we claim that $t_M = [h(z_0)]$, i.e. $t_M$ is the semi-trace associated to $h(z_0)$. We show this by induction on the length of $t_M$. For lack of space, the details are left to the full version of the paper.

Traces [5] result from symmetric rewriting rules, i.e. both $SI$ and $SD$ are symmetric relations. For the trace monoid given by the rules $ab = ba$, $cd = dc$ it is known that one cannot decide for given regular languages $L_1, L_2 \subseteq \{a, b, c, d\}^*$ whether $[L_1] \cap [L_2]$ is empty [3], where $[L] = \bigcup_{u \in L} [u]$ denotes the closure of $L$ under $\to_{SI}$.
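The relations $SD$ and $SI$ and the semi-trace $[w]$ defined above, computed for a small set of processes as an added example (not code from the paper). Processes are integers and the letter $m_{ij}$ is the pair `(i, j)`; an ordered MSC is entered as its non-crossing drawing order of messages, which is the word $h(z_0)$ of the proof of Proposition 22. The sample charts are constructed for the example.

```python
"""Semi-traces of ordered MSCs (Section 5, Proposition 22).

Added example, not code from the paper.  Processes are integers; the letter m_ij
is the pair (i, j).  SD and SI are built as defined in the text, and the
semi-trace [w] is computed as the set of words reachable from w by the rewriting
rules ab -> ba with (a, b) in SI.
"""


def alphabet(processes):
    return [(i, j) for i in processes for j in processes if i != j]


def non_commutation(processes):
    """SD = {(m_ij, m_ik) | j != i != k} ∪ {(m_ij, m_jk) | i != j != k}."""
    sd = set()
    for i, j in alphabet(processes):
        for k in processes:
            if k != i:                      # two sends of P_i (k == j: fifo on one channel)
                sd.add(((i, j), (i, k)))
            if k != j:                      # receive on P_j followed by a send of P_j
                sd.add(((i, j), (j, k)))
    return sd


def semi_commutation(processes):
    """SI = (Sigma x Sigma) \\ SD, the rules ab -> ba that may be applied."""
    sigma, sd = alphabet(processes), non_commutation(processes)
    return {(a, b) for a in sigma for b in sigma if (a, b) not in sd}


def semi_trace(word, si):
    """[w] = {v | w ->*_SI v}, by closure under the one-step rewriting relation."""
    word = tuple(word)
    seen, todo = {word}, [word]
    while todo:
        w = todo.pop()
        for p in range(len(w) - 1):
            if (w[p], w[p + 1]) in si:
                v = w[:p] + (w[p + 1], w[p]) + w[p + 2:]
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return frozenset(seen)


def concat(u, v, si):
    """[u][v] = [uv]."""
    return semi_trace(tuple(u) + tuple(v), si)


PROCS = (1, 2, 3)
SI = semi_commutation(PROCS)
SD = non_commutation(PROCS)

# Constructed ordered MSCs, as message sequences: P1 -> P2 drawn above P3 -> P1,
# and the same two messages drawn the other way round.
SEND_THEN_RECEIVE = ((1, 2), (3, 1))
RECEIVE_THEN_SEND = ((3, 1), (1, 2))

if __name__ == "__main__":
    print(sorted(semi_trace(SEND_THEN_RECEIVE, SI)))   # both orders: the send on P1 does not wait for the receive
    print(sorted(semi_trace(RECEIVE_THEN_SEND, SI)))   # one word only: the receive precedes the send on P1
```

The asymmetry is the point of a semi-commutation: $m_{12} m_{31}$ may be rewritten to $m_{31} m_{12}$ (a send on $P_1$ is not ordered before a later receive on $P_1$), but $(m_{31}, m_{12}) \in SD$ blocks the reverse step, so the two drawings denote different semi-traces even though they contain the same messages.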
Proposition 23. Let $M, N$ be two MSC graphs. Then it is undecidable whether there exist two maximal paths $\xi_1$ in $M$, $\xi_2$ in $N$ such that the associated MSCs $m_1, m_2$ have the same causal order under the fifo semantics.

Proof. We consider four processes, $\mathcal{P} = \{P_1, P_2, P_3, P_4\}$, and we denote by $s_a, r_a$ a message pair from $P_1$ to $P_2$, resp. by $s_b, r_b$ a message pair from $P_2$ to $P_1$. Dually, $s_c, r_c$ denotes a message pair from $P_3$ to $P_4$, whereas $s_d, r_d$ is a message pair from $P_4$ to $P_3$. Then we associate to each letter $a, b, c, d$ an MSC as given by the mapping $h$, with $h(x) = s_x r_x$, for $x \in \{a, b, c, d\}$. Moreover, $h$ induces a homomorphism from $\{a, b, c, d\}^*$ to $\mathcal{M}$. Note that for any word $u$ over $\{a, b, c, d\}$ the partial order $tr(h(u))$ consists of two totally ordered sequences, one over events between processes $P_1$ and $P_2$, the other over events between $P_3$ and $P_4$. Moreover, these total orders are completely independent. Viewed as a mapping from $M(\Sigma, SI)$ to $tr(\mathcal{M})$, $h$ is injective. This, together with [3], concludes our proof.
Let us comment on our results in the context of semi-trace languages. One cannot decide the emptiness of the intersection of two MSC graphs since, given two regular languages $L, K \subseteq \Sigma^\omega$ and a semi-commutation relation $SI$ over $\Sigma$, the question whether the intersection $[L] \cap K$ is nonempty is undecidable. In contrast, the or-matching problem of Section 4.1 can be expressed as a very particular instance of the above problem. Before going into some details, let us fix notations. For a language $L \subseteq \Sigma^*$, we denote by $L \sqcup\!\sqcup \Sigma^*$ the shuffle of $L$ and $\Sigma^*$, i.e. the language $\{u_1 v_1 u_2 v_2 \cdots u_n v_n \mid u_1 u_2 \cdots u_n \in L, v_i \in \Sigma^*\}$. The shuffle $L \sqcup\!\sqcup \Sigma^\omega$ for $L \subseteq \Sigma^* \cup \Sigma^\omega$ is defined analogously. Formally, the or-matching problem for the semantics with gaps is equivalent to the question whether the intersection $(L \sqcup\!\sqcup \Sigma^\omega) \cap K$ is empty or not, for regular languages $L, K \subseteq \Sigma^\omega$. The crucial point now is that $L \sqcup\!\sqcup \Sigma^\omega$ has a very particular form. Suppose without loss of generality that $L = U V^\omega$, with $U, V \subseteq \Sigma^*$ regular languages such that every element of $V$ has the same alphabet $A \subseteq \Sigma$. Then $V^\omega \sqcup\!\sqcup \Sigma^\omega = \mathrm{Inf}(A)$, with $\mathrm{Inf}(A) = \{u \in \Sigma^\omega \mid |u|_a = \infty \text{ for all } a \in A\}$. Moreover, $U V^\omega \sqcup\!\sqcup \Sigma^\omega = (U \sqcup\!\sqcup \Sigma^*)\, \mathrm{Inf}(A)$. But it is easy to check that $U \sqcup\!\sqcup \Sigma^*$ is a very simple regular language, a finite union of languages of the form $\Sigma^* a_1 \Sigma^* a_2 \Sigma^* \cdots a_k \Sigma^*$ for some letters $a_i \in \Sigma$. (This family of languages corresponds exactly to level '1/2' in the concatenation hierarchy of Straubing-Thérien [10].) Finally, $[\Sigma^* a_1 \Sigma^* a_2 \Sigma^* \cdots a_k \Sigma^*] = \bigcup_{a_{i_1} \cdots a_{i_k} \in [a_1 \cdots a_k]} \Sigma^* a_{i_1} \Sigma^* \cdots a_{i_k} \Sigma^*$.

6 Conclusion
In this paper we presented specification and verification methods for MSCs, which employ languages of partially ordered executions. We were interested in the problem of deciding whether there is an execution of the given MSC system that matches the specification. We considered three alternative semantics and showed that the matching problem under both the or-semantics and the and-semantics is NP-complete. Under a semantics which allows no gaps in the specification the matching problem becomes the intersection of two MSC graphs. We showed that this problem is undecidable. Some open directions for further research include extending the framework by allowing and/or-graphs and negation, expressing the finite occurrence of certain events, and obtaining complementable specification formalisms.

References
1. R. Alur, G. Holzmann, and D. Peled. An analyzer for message sequence charts. Software Concepts and Tools, 17(2):70-77, 1996.
2. H. Ben-Abdallah and S. Leue. Syntactic detection of process divergence and non-local choice in message sequence charts. In E. Brinksma, editor, Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, Third International Workshop, TACAS'97, number 1217 in Lecture Notes in Computer Science, pages 259-274, Enschede, The Netherlands, 1997. Springer.
3. J. Berstel. Transductions and context-free languages. Teubner Studienbücher, Stuttgart, 1979.
4. M. Clerbout and M. Latteux. Partial commutations and faithful rational transductions. Theoretical Computer Science, 34:241-254, 1984.
5. V. Diekert and G. Rozenberg, editors. The Book of Traces. World Scientific, Singapore, 1995.
6. J. Feigenbaum, J. Kahn, and C. Lund. Complexity results for pomset languages. SIAM Journal on Discrete Mathematics, 6(3):432-442, 1993.
7. ITU-T Recommendation Z.120, Message Sequence Chart (MSC), March 1993.
8. V. Levin and D. Peled. Verification of message sequence charts via template matching. In TAPSOFT (FASE) '97, Theory and Practice of Software Development, volume 1214 of Lecture Notes in Computer Science, pages 652-666, Lille, France, 1997. Springer.
9. M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures and domains, part 1. Theoretical Computer Science, 13:85-108, 1981.
10. J.-E. Pin. Syntactic semigroups. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages, volume 1, pages 679-738. Springer, Berlin-Heidelberg-New York, 1997.
11. V. R. Pratt. Modelling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33-71, 1986.
The Church-Rosser Languages Are the Deterministic Variants of the Growing Context-Sensitive Languages
Gundula Niemann and Friedrich Otto
Fachbereich Mathematik/Informatik, Universität Kassel, D-34109 Kassel
e-mail: @theory.informatik.uni-kassel.de
Abstract. The growing context-sensitive languages have been classified through the shrinking two-pushdown automaton, the deterministic version of which characterizes the class of generalized Church-Rosser languages (Buntrock and Otto 1995). Exploiting this characterization we prove that this latter class coincides with the class of Church-Rosser languages that was introduced by McNaughton, Narendran, and Otto (1988). Based on this result several open problems of McNaughton et al. can be answered.

1 Introduction
If $R$ is a finite and length-reducing string-rewriting system on some finite alphabet $\Sigma$, then there exists a linear-time algorithm that, given a string $w \in \Sigma^*$ as input, computes an irreducible descendant $w_0$ of $w$ with respect to the reduction relation $\to^*_R$ that is induced by $R$ [2, 3]. If, in addition, the system $R$ is confluent, then the irreducible descendant $w_0$ is uniquely determined by $w$. Hence, in this situation two strings $u$ and $v$ are congruent modulo the Thue congruence $\leftrightarrow^*_R$ induced by $R$ if and only if their respective irreducible descendants $u_0$ and $v_0$ coincide. Thus, the word problem for a finite, length-reducing, and confluent string-rewriting system is decidable in linear time. Motivated by this result McNaughton, Narendran, and Otto [11] introduced the notion of a Church-Rosser language. A Church-Rosser language $L \subseteq \Sigma^*$ is given through a finite, length-reducing, and confluent string-rewriting system $R$ on some alphabet $\Gamma$ properly containing $\Sigma$, two irreducible strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^*$, and an irreducible letter $Y \in \Gamma \setminus \Sigma$ satisfying the following condition for all strings $w \in \Sigma^*$: $w \in L$ if and only if $t_1 w t_2 \to^*_R Y$. Hence, the membership problem for a Church-Rosser language is decidable in linear time, and so the class CRL of Church-Rosser languages is contained in the class CSL of context-sensitive languages. On the other hand, the class CRL contains the class DCFL of deterministic context-free languages, and it contains some languages that are not even context-free [11]. Hence, the class CRL can be seen as an extension of the class DCFL that preserves the linear-time decidability of the membership problem. As such it is certainly an interesting language class.
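The definition above, exercised on a concrete system as an added example that is not code from the paper: a finite, length-reducing, confluent string-rewriting system for $L = \{a^n b^n \mid n \geq 1\}$, the one-pass stack algorithm that computes the irreducible descendant of $t_1 w t_2$ in linear time, and the membership test $t_1 w t_2 \to^*_R Y$. The particular rules, the letters $c$, $L$, $R$, $Y$, and the sample words are the example's own choices; the overlap check is the usual critical-pair criterion for confluence of a terminating system.

```python
"""Deciding membership in a Church-Rosser language in linear time.

Added example, not code from the paper.  The system below is constructed for
L = { a^n b^n | n >= 1 } over Sigma = {a, b}: Gamma = Sigma ∪ {c, L, R, Y},
t1 = "L", t2 = "R", and the three rules are length-reducing.  Their left-hand
sides do not overlap, so the system has no critical pairs and is confluent;
hence w is in L iff the unique irreducible descendant of "L" + w + "R" is "Y".
"""

RULES = {"ab": "c", "acb": "c", "LcR": "Y"}     # l -> r with |l| > |r|


def critical_pairs(rules):
    """Overlaps between left-hand sides; an empty list means the (terminating)
    system is confluent."""
    pairs = []
    for l1 in rules:
        for l2 in rules:
            for k in range(1, min(len(l1), len(l2))):
                if l1[-k:] == l2[:k]:
                    pairs.append(l1 + l2[k:])
            if l1 != l2 and l2 in l1:
                pairs.append(l1)
    return pairs


def normal_form(word, rules=RULES):
    """Irreducible descendant of word, computed with one left-to-right scan.

    Invariant: all windows of the stack that end at or before position lo are
    irreducible, so only windows ending after lo need to be examined; every
    rewrite shortens the stack, which gives linear time for a fixed system."""
    maxlen = max(map(len, rules))
    stack = []
    for ch in word:
        stack.append(ch)
        lo = len(stack) - 1
        while True:
            redex = next(((start, end)
                          for end in range(lo + 1, len(stack) + 1)
                          for start in range(max(0, end - maxlen), end)
                          if "".join(stack[start:end]) in rules), None)
            if redex is None:
                break
            start, end = redex
            stack[start:end] = list(rules["".join(stack[start:end])])
            lo = start
    return "".join(stack)


def in_language(w, rules=RULES, t1="L", t2="R", accept="Y"):
    """w in L  <=>  t1 w t2 ->*_R Y  (the definition of a Church-Rosser language)."""
    if set(w) - {"a", "b"}:
        raise ValueError("input must be over Sigma = {a, b}")
    return normal_form(t1 + w + t2, rules) == accept


if __name__ == "__main__":
    for w in ["ab", "aaabbb", "abab", "aab", ""]:
        print(repr(w), normal_form("L" + w + "R"), in_language(w))
```

`abab` reduces to the irreducible string `LccR`, which is not `Y`: the word is rejected because no further rule applies, not because the algorithm searched for alternative derivations, which is exactly what confluence buys.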
Accordingly, McNaughton et al. established some closure properties for the class CRL, but it remained open whether the class CRL is closed under the operation of complementation. Accordingly, they introduced the class of Church-Rosser decidable languages CRDL, which still contains the class DCFL and which is closed under complementation. Also it remained open at the time whether or not every context-free language is a Church-Rosser language, although it was conjectured that the linear language $L_0 := \{w w^R \mid w \in \{a, b\}^*\}$ is not a Church-Rosser language. Here $w^R$ denotes the reversal of the string $w$. After their introduction the Church-Rosser languages did not receive much attention until another, seemingly unrelated development had taken place. Dahlhaus and Warmuth [8] considered the class GCSL of growing context-sensitive languages. These languages are generated by context-sensitive grammars each production rule of which is strictly length-increasing. They proved that these languages have membership problems that are decidable in polynomial time. Although it might appear from the definition that GCSL is not an interesting class of languages, Buntrock and Loryś showed that GCSL is an abstract family of languages [5], that is, this class of languages is closed under union, concatenation, iteration, intersection with regular languages, $\varepsilon$-free homomorphisms, and inverse homomorphisms. Exploiting these closure properties Buntrock and Loryś characterized the class GCSL through various other classes of grammars that are less restricted [5, 6]. Using these grammars Buntrock and Otto [7] obtained a characterization of the class GCSL by a nondeterministic machine model, the so-called shrinking pushdown automaton with two pushdown stores (sTPDA). The input for such a machine is provided as the initial contents of one of the pushdown stores, and it accepts either by final state or (equivalently) by empty pushdown stores.
A positive weight is assigned to each tape symbol and each internal state symbol of the machine. By adding up the weights this gives a weight for each configuration. Now it is required that the weight of the actual configuration decreases with each step of the machine. It is with respect to these weights that the two-pushdown automaton is called shrinking. Since the sTPDA is a nondeterministic device, it was only natural to consider the class of languages that are accepted by the deterministic variant of it. As it turned out the deterministic sTPDA accept exactly the so-called generalized Church-Rosser languages, which are obtained from the Church-Rosser languages by admitting finite, weight-reducing, and confluent string-rewriting systems in the definition [7]. Thus, the class GCRL of generalized Church-Rosser languages coincides with the class of 'deterministic growing context-sensitive languages.' In particular, it follows that this class is closed under complementation. Further, Buntrock and Otto concluded from this result that the language classes CFL and GCRL, and therewith the classes CFL and CRL, are indeed incomparable under set inclusion. Since CFL is contained in GCSL, it follows that GCRL is properly contained in the class GCSL, that is, we obtain the following chain of (proper) inclusions:
DCFL c CRDL c_ CRL _c GCRL c GCSL c CSL,
245
where it was left open whether or not the two inclusions CRDL _C CRL C GCRL are proper. Here we show that the three language classes CRDL, CRL, and GCRL coincide. Our proof makes use of the above-mentioned characterization of the generalized Church-Rosser languages through the deterministic sTPDA. We will prove that each language that is accepted by some deterministic sTPDA is actually a Church-Rosser decidable language. Hence, GCRL C_ CRDL implying that the three classes above actually coincide. Hence, the class of Church-Rosser languages can be characterized as the class of deterministic growing contextsensitive languages. It remains to determine the closure properties of this class of languages. The closure under the operation of taking the complement follows from the above characterization. Recently, Otto, Katsura, and Kobayashi 12 proved that the class of Church-Rosser languages is a basis for the recursively enumerable (r.e.) languages. Here, a class of languages C is called a basis for the r.e. languages, if, for each r.e. language L C_ E*, there exists a language C E C on some alphabet F strictly containing ~ such that L = Try(C), where ~-~ denotes the canonical projection from F* onto ~*. It follows that the class CRL is not closed under morphisms. This paper is organized as follows. In Section 2 we introduce the necessary notation regarding string-rewriting systems and restate the definitions of the various classes of Church-Rosser languages. In the next section we introduce the shrinking two-pushdown automaton and restate some results from Buntrock and Otto 7. In addition we prove a technical result for this type of automaton. Then in Section 4 we prove the announced main result, and in the next section we summarize the known closure and non-closure properties of the class CRL. In the final section we review our results and draw some easy consequences.
2 The Church-Rosser Languages
Here we restate the main definitions and establish notation regarding the various classes of Church-Rosser languages. For additional information concerning the notions introduced the reader is asked to consult the literature, where [3] serves as our main reference concerning the theory of string-rewriting systems, and [10] is our main reference for formal language and automata theory.

Let $\Sigma$ be a finite alphabet. Then $\Sigma^*$ denotes the set of strings over $\Sigma$ including the empty string $\varepsilon$, and $\Sigma^+ := \Sigma^* \setminus \{\varepsilon\}$. A function $\varphi : \Sigma \to \mathbb{N}_+$ is called a weight-function. Its extension to $\Sigma^*$, which we will also denote by $\varphi$, is defined inductively through $\varphi(\varepsilon) := 0$ and $\varphi(wa) := \varphi(w) + \varphi(a)$ for all $w \in \Sigma^*$ and $a \in \Sigma$. A particular weight-function is the length-function $|\cdot| : \Sigma \to \mathbb{N}_+$, which assigns each letter the weight (length) 1. A string-rewriting system $R$ on $\Sigma$ is a subset of $\Sigma^* \times \Sigma^*$. An element $(\ell, r) \in R$ is called a rewrite rule or simply a rule, and it will usually be written as $(\ell \to r)$. A string-rewriting system $R$ induces several binary relations on $\Sigma^*$, the simplest of which is the single-step reduction relation
$$\to_R := \{(u\ell v, urv) \mid u, v \in \Sigma^*, (\ell \to r) \in R\}.$$
Its reflexive and transitive closure is the reduction relation $\to_R^*$ induced by $R$, and its reflexive, symmetric, and transitive closure $\leftrightarrow_R^*$ is the Thue congruence generated by $R$. If $u \to_R^* v$, then $u$ is an ancestor of $v$, and $v$ is a descendant of $u$. If there is no $v \in \Sigma^*$ such that $u \to_R v$ holds, then the string $u$ is called irreducible (mod $R$). By $\mathrm{IRR}(R)$ we denote the set of all irreducible strings. If $R$ is finite, then $\mathrm{IRR}(R)$ is obviously a regular language. The string-rewriting system $R$ is called
- length-reducing if $|\ell| > |r|$ holds for each rule $(\ell \to r) \in R$,
- weight-reducing if there exists a weight-function $\varphi$ such that $\varphi(\ell) > \varphi(r)$ holds for each rule $(\ell \to r) \in R$,
- confluent if, for all $u, v, w \in \Sigma^*$, $u \to_R^* v$ and $u \to_R^* w$ imply that $v$ and $w$ have a common descendant.

If a string-rewriting system $R$ is weight-reducing, then it allows no infinite reduction sequence of the form $w_0 \to_R w_1 \to_R \cdots$; indeed, if $w_0 \to_R w_1 \to_R \cdots \to_R w_m$, then $m \le \varphi(w_0)$. If, in addition, $R$ is confluent, then each string $w \in \Sigma^*$ has a unique irreducible descendant $w_0 \in \mathrm{IRR}(R)$. Actually, in this situation $u \leftrightarrow_R^* v$ if and only if $u_0 = v_0$. Since $u_0$ can be determined from $u$ in linear time, this shows that the Thue congruence $\leftrightarrow_R^*$ is decidable in linear time for each finite, weight-reducing, and confluent string-rewriting system.
Definition 1.
(a) A language $L \subseteq \Sigma^*$ is a Church-Rosser language (CRL) if there exist an alphabet $\Gamma \supseteq \Sigma$, a finite, length-reducing, confluent string-rewriting system $R$ on $\Gamma$, two strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^* \cap \mathrm{IRR}(R)$, and a letter $Y \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to_R^* Y$ if and only if $w \in L$.
(b) A language $L \subseteq \Sigma^*$ is a Church-Rosser decidable language (CRDL) if it is a Church-Rosser language, and there exists a letter $N \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to_R^* N$ if and only if $w \notin L$.
(c) A language $L \subseteq \Sigma^*$ is a generalized Church-Rosser language (GCRL) if there exist an alphabet $\Gamma \supseteq \Sigma$, a finite, weight-reducing, confluent string-rewriting system $R$ on $\Gamma$, two strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^* \cap \mathrm{IRR}(R)$ and a letter $Y \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to_R^* Y$ if and only if $w \in L$.
Analogously to (b) the class of generalized Church-Rosser decidable languages could be defined, but the results of Buntrock and Otto [7] imply that this class coincides with the class GCRL of generalized Church-Rosser languages.
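As an added example (not code from the paper), the following Python script builds a concrete witness in the sense of Definition 1(b): a constructed finite, length-reducing string-rewriting system over the alphabet {a, b, L, $, Y, N, P, S} with $t_1 = $ L and $t_2 = $ $, whose confluence is verified through its critical pairs (Newman's lemma applies because length-reducing systems terminate), and which decides the Dyck language of balanced parentheses (a as "(", b as ")") by reducing $t_1 w t_2$ to its unique irreducible descendant.

```python
"""Added example, not code from the paper: a constructed witness in the sense
of Definition 1(b) that the Dyck language of balanced parentheses over {a, b}
(a = "(", b = ")") is Church-Rosser decidable.  Letters are single characters:
'L' plays t1, '$' plays t2, 'Y'/'N' are the answer letters and 'P', 'S' are
auxiliary letters that sweep a rejection to N."""
from itertools import product

# The constructed rule set R on the alphabet {a, b, L, $, Y, N, P, S}.
R = [
    ("ab", ""),   # cancel a matching pair (length 2 -> 0)
    ("L$", "Y"),  # nothing left between the delimiters: accept
    ("Lb", "P"),  # a ')' with no '(' before it: reject, sweep right
    ("Pa", "P"), ("Pb", "P"), ("P$", "N"),
    ("a$", "S"),  # a '(' with no ')' after it: reject, sweep left
    ("aS", "S"), ("LS", "N"), ("PS", "N"),
]
T1, T2, YES, NO = "L", "$", "Y", "N"


def is_length_reducing(rules):
    return all(len(lhs) > len(rhs) for lhs, rhs in rules)


def reduce_once(s, rules):
    """Apply one rule at the leftmost possible position; None if s is
    irreducible (s in IRR(R))."""
    for i in range(len(s)):
        for lhs, rhs in rules:
            if s.startswith(lhs, i):
                return s[:i] + rhs + s[i + len(lhs):]
    return None


def normal_form(s, rules):
    """The irreducible descendant of s.  It is unique once R is confluent,
    and at most |s| steps are needed because every rule is length-reducing."""
    while (t := reduce_once(s, rules)) is not None:
        s = t
    return s


def critical_pairs(rules):
    """Non-trivial overlaps of left-hand sides: a proper suffix of l1 equal
    to a proper prefix of l2, or l2 occurring inside l1.  Each overlap
    yields the two one-step descendants of the overlapping string."""
    pairs = []
    for (l1, r1), (l2, r2) in product(rules, repeat=2):
        for k in range(1, min(len(l1), len(l2))):
            if l1[-k:] == l2[:k]:
                pairs.append((r1 + l2[k:], l1[:-k] + r2))
        if (l1, r1) != (l2, r2) and l2 in l1:
            i = l1.index(l2)
            pairs.append((r1, l1[:i] + r2 + l1[i + len(l2):]))
    return pairs


def is_confluent(rules):
    """Newman's lemma: a terminating system is confluent iff every
    critical pair is joinable, i.e. both sides reach the same normal form."""
    assert is_length_reducing(rules)      # termination is guaranteed
    return all(normal_form(v, rules) == normal_form(w, rules)
               for v, w in critical_pairs(rules))


def decide(w, rules=R):
    """Membership test as in Definition 1(b): reduce t1 w t2 to its normal
    form and read off Y (w in L) or N (w not in L)."""
    nf = normal_form(T1 + w + T2, rules)
    assert nf in (YES, NO), f"not a CRDL witness: {w!r} -> {nf!r}"
    return nf == YES


def balanced(w):
    """Independent definition of the Dyck language, used for comparison."""
    depth = 0
    for c in w:
        depth += 1 if c == "a" else -1
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    print("length-reducing:", is_length_reducing(R), "confluent:", is_confluent(R))
    for w in ["", "ab", "aabbab", "ba", "aab", "abb", "bab"]:
        print(repr(w), "->", normal_form(T1 + w + T2, R), decide(w) == balanced(w))
```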
3 Shrinking Two-Pushdown Automata
In [7] Buntrock and Otto introduce the following type of automaton in order to characterize the class GCSL of growing context-sensitive languages.

Definition 2.
(a) A two-pushdown automaton (TPDA) is a nondeterministic automaton with two pushdown stores. It is defined as a 7-tuple $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$, where
- $Q$ is the finite set of states,
- $\Sigma$ is the finite input alphabet,
- $\Gamma$ is the finite tape alphabet with $\Gamma \supseteq \Sigma$ and $\Gamma \cap Q = \emptyset$,
- $q_0 \in Q$ is the initial state,
- $\bot \in \Gamma \setminus \Sigma$ is the bottom marker of pushdown stores,
- $F \subseteq Q$ is the set of final (or accepting) states, and
- $\delta : Q \times \Gamma \times \Gamma \to 2^{Q \times \Gamma^* \times \Gamma^*}$ is the transition relation, where $\delta(q, a, b)$ is a finite set for each triple $(q, a, b) \in Q \times \Gamma \times \Gamma$.
$M$ is a deterministic two-pushdown automaton (DTPDA), if $\delta$ is a (partial) function from $Q \times \Gamma \times \Gamma$ into $Q \times \Gamma^* \times \Gamma^*$.
(b) A configuration of a (D)TPDA $M$ is described as $uqv$ with $q \in Q$ and $u, v \in \Gamma^*$, where $u$ is the contents of the first pushdown store with the first letter of $u$ at the bottom and the last letter of $u$ at the top, $q$ is the current state, and $v$ is the contents of the second pushdown store with the last letter of $v$ at the bottom and the first letter of $v$ at the top. $M$ induces a computation relation $\vdash_M^*$ on the set of configurations, which is the reflexive, transitive closure of the single-step computation relation $\vdash_M$ (see, e.g., [10]). For an input string $w \in \Sigma^*$, the corresponding initial configuration is $\bot q_0 w \bot$. $M$ accepts by empty pushdown stores:
$$N(M) := \{w \in \Sigma^* \mid \exists q \in Q : \bot q_0 w \bot \vdash_M^* q\}.$$
(c) A (D)TPDA $M$ is called shrinking if there exists a weight-function $\varphi : Q \cup \Gamma \to \mathbb{N}_+$ such that, for all $q \in Q$ and $a, b \in \Gamma$, if $(p, u, v) \in \delta(q, a, b)$, then $\varphi(upv) < \varphi(aqb)$. By sTPDA and sDTPDA we denote the corresponding classes of shrinking automata.

Thus, if $M$ is a shrinking TPDA with weight-function $\varphi$, then $\varphi(u_1q_1v_1) > \varphi(u_2q_2v_2)$ holds for all configurations $u_1q_1v_1$ and $u_2q_2v_2$ of $M$ that satisfy $u_1q_1v_1 \vdash_M u_2q_2v_2$. Observe that the input is provided to a TPDA as the initial contents of its second pushdown store, and that in order to accept a TPDA is required to empty its pushdown stores. Thus, it is forced to consume the input completely. Using standard techniques from automata theory it can be shown that, for a (shrinking) (D)TPDA $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$, we may require that the special symbol $\bot$ can only occur at the bottom of a pushdown store, and that no other symbol can occur at that place.
From the definition of the transition relation $\delta$ we see that $M$ halts immediately whenever one of its pushdown stores is emptied. Because of the above property this happens if and only if a transition of the form $(q, a, \bot) \to (q', \alpha, \varepsilon)$ or $(q, \bot, b) \to (q', \varepsilon, \beta)$ is performed. Thus, we can assume without loss of generality that, if $M$ does accept on input $w \in \Sigma^*$, then $\bot q_0 w \bot \vdash_M^* q$ for some $q \in F$, and if $M$ does not accept on input $w \in \Sigma^*$, then $\bot q_0 w \bot \vdash_M^* \bot q$ for some $q \in F$, that is, even in this situation $M$ empties its second pushdown store completely and only leaves the bottom marker on its first pushdown store before it halts. Hence, all the halting and accepting configurations of $M$ are of the form $q$, where $q \in F$, and all the halting and rejecting configurations of $M$ are of the form $\bot q$, where $q \in F$. In addition, we can assume that $M$ only has a single halting state.

Buntrock and Otto established the following characterization for the classes of languages that are accepted by nondeterministic or deterministic shrinking TPDAs, respectively.

Proposition 3. [7]
(a) A language is accepted by some shrinking TPDA if and only if it is growing context-sensitive.
(b) A language is accepted by some shrinking DTPDA if and only if it is a generalized Church-Rosser language.

A detailed presentation of the class GCSL of growing context-sensitive languages can be found in Buntrock's Habilitationsschrift [4]. The above proposition shows that the generalized Church-Rosser languages can be interpreted as the deterministic variants of the growing context-sensitive languages. We close this section with a technical lemma on shrinking TPDA that we will need in the next section to prove our main result.

Lemma 4. Let $M$ be a TPDA that is shrinking with respect to the weight-function $\varphi$. Then there exists a TPDA $M'$ accepting the same language as $M$ such that $M'$ is deterministic, if $M$ is, and $M'$ is shrinking with respect to a weight-function $\psi$ that satisfies the following condition:
(*) Whenever $u_1q_1v_1$ and $u_2q_2v_2$ are configurations of $M'$ such that $u_1q_1v_1 \vdash_{M'} u_2q_2v_2$, then $\psi(u_1q_1v_1) - \psi(u_2q_2v_2) = 1$.

Proof. Let $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$ be a TPDA that is shrinking with respect to the weight-function $\varphi : Q \cup \Gamma \to \mathbb{N}_+$, that is, $\varphi(aqb) - \varphi(upv) > 0$ for all $q \in Q$, $a, b \in \Gamma$, and $(p, u, v) \in \delta(q, a, b)$. We construct a TPDA $M' := (Q', \Sigma, \Gamma, \delta', q_0, \bot, F)$ and a weight-function $\psi : Q' \cup \Gamma \to \mathbb{N}_+$ as follows. First we number the instructions of $M$, that is, the lines in the table describing the transition relation $\delta$, from 1 to $m$. For each $i \in \{1, \ldots, m\}$, let the $i$-th instruction of $M$ be denoted as $(p_i, u_i, v_i) \in \delta(q_i, a_i, b_i)$, and let $\gamma_i := \varphi(a_iq_ib_i) - \varphi(u_ip_iv_i)$.
If $\gamma_i = 1$, then take $Q'_i := \emptyset$ and add the transition $(q_i, a_i, b_i) \to (p_i, u_i, v_i)$ to $\delta'$. If $\gamma_i > 1$, then take $Q'_i := \{q_{i,1}, \ldots, q_{i,\gamma_i-1}\}$, where $q_{i,1}, \ldots, q_{i,\gamma_i-1}$ are $\gamma_i - 1$ new states, and add the following transitions to $\delta'$:
$$(q_i, a_i, b_i) \to (q_{i,1}, a_i, b_i),$$
$$(q_{i,j}, a_i, b_i) \to (q_{i,j+1}, a_i, b_i), \quad j = 1, \ldots, \gamma_i - 2,$$
$$(q_{i,\gamma_i-1}, a_i, b_i) \to (p_i, u_i, v_i).$$
Finally, let $Q' := Q \cup \bigcup_{i=1}^{m} Q'_i$, let $\delta'$ consist of all the transitions introduced so far, and define a preliminary weight-function $\psi_1 : Q' \cup \Gamma \to \mathbb{Z}$ as follows:
$$\psi_1(a) := \varphi(a) \text{ for all } a \in \Gamma,$$
$$\psi_1(q_i) := \varphi(q_i) \text{ for all } q_i \in Q,$$
$$\psi_1(q_{i,j}) := \varphi(q_i) - j \text{ for all } i \in \{1, \ldots, m\} \text{ and } j \in \{1, \ldots, \gamma_i - 1\}.$$
It is easily verified that $\psi_1(u_1q_1v_1) - \psi_1(u_2q_2v_2) = 1$ holds for all configurations $u_1q_1v_1$ and $u_2q_2v_2$ of $M'$ that satisfy $u_1q_1v_1 \vdash_{M'} u_2q_2v_2$. Unfortunately, $\psi_1$ may not be an acceptable weight-function, since $\psi_1(q_{i,j})$ could be a negative number for some choices of $i$ and $j$. To correct this problem let $\mu := \min\{\psi_1(p') \mid p' \in Q'\}$. If $\mu \le 0$, then choose $\psi(q') := \psi_1(q') - \mu + 1$ for all $q' \in Q'$, otherwise, let $\psi(q') := \psi_1(q')$ for all $q' \in Q'$. Also choose $\psi(a) := \psi_1(a)$ for all $a \in \Gamma$. Then $\psi : Q' \cup \Gamma \to \mathbb{N}_+$ is a weight-function such that $\psi(u_1q_1v_1) - \psi(u_2q_2v_2) = 1$ holds for all configurations $u_1q_1v_1$ and $u_2q_2v_2$ of $M'$ that satisfy $u_1q_1v_1 \vdash_{M'} u_2q_2v_2$. It is easily seen that $N(M') = N(M)$ and that $M'$ is deterministic, if $M$ is deterministic. □

Thus, in the following we can always assume that in each step of an sTPDA the weight of the actual configuration decreases by 1. Hence, if $u_1q_1v_1$ and $u_2q_2v_2$ are configurations of an sTPDA $M$ with weight-function $\varphi$ such that $u_1q_1v_1 \vdash_M^k u_2q_2v_2$ for some $k \in \mathbb{N}$, then $\varphi(u_1q_1v_1) - \varphi(u_2q_2v_2) = k$.
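As an added example (not code from the paper), the following Python script simulates an sDTPDA in the sense of Definition 2, checking the shrinking condition $\varphi(upv) < \varphi(aqb)$ on every step, and carries out the construction from the proof of Lemma 4 so that every step lowers the weight by exactly 1. The automaton for $\{a^n b^n \mid n \ge 0\}$, its weights, the bottom marker '_' and the intermediate state names 'q(i,j)' are assumptions constructed here.

```python
"""Added example, not code from the paper: a simulator for the shrinking
deterministic two-pushdown automaton of Definition 2 that checks the weight
condition phi(upv) < phi(aqb) on every step, plus the construction from the
proof of Lemma 4, which makes every step lower the weight by exactly 1.
The automaton for {a^n b^n | n >= 0}, its weights, the bottom marker '_' and
the intermediate state names 'q(i,j)' are all constructed here."""
from dataclasses import dataclass

BOTTOM = "_"  # stands for the bottom marker of both pushdown stores


@dataclass
class TPDA:
    delta: dict   # (q, a, b) -> (p, u, v); a = top of store 1, b = top of store 2
    q0: str
    final: set
    weight: dict  # tape letter or state -> positive integer (the weight-function)

    def wt(self, s):
        """Weight of a store content (a string of single-letter symbols)."""
        return sum(self.weight[c] for c in s)

    def cfg_weight(self, u, q, v):
        return self.wt(u) + self.weight[q] + self.wt(v)

    def states(self):
        s = {self.q0, *self.final}
        for (q, _a, _b), (p, _u, _v) in self.delta.items():
            s.update((q, p))
        return s

    def is_shrinking(self):
        """Definition 2(c): every instruction strictly decreases the weight."""
        return all(self.cfg_weight(u, p, v) < self.cfg_weight(a, q, b)
                   for (q, a, b), (p, u, v) in self.delta.items())

    def run(self, w):
        """Run on input w from _ q0 w _; return (accepted, trace).  Store 1
        has its top at the right end of u, store 2 its top at the left end
        of v; M halts as soon as a store is empty or delta is undefined.
        Acceptance is by empty pushdown stores, as for N(M)."""
        u, q, v = BOTTOM, self.q0, w + BOTTOM
        trace = [(u, q, v)]
        while u and v and (q, u[-1], v[0]) in self.delta:
            p, x, y = self.delta[(q, u[-1], v[0])]
            nu, nv = u[:-1] + x, y + v[1:]
            assert self.cfg_weight(nu, p, nv) < self.cfg_weight(u, q, v)
            u, q, v = nu, p, nv
            trace.append((u, q, v))
        return (u == "" and v == ""), trace


def unit_step_form(m):
    """Lemma 4: M' accepts N(M), is deterministic if M is, and its weight
    drops by exactly 1 per step.  Instruction i with drop gamma_i > 1 is
    routed through gamma_i - 1 fresh states that leave both stores untouched;
    the preliminary state weights phi(q_i) - j are shifted uniformly by
    1 - mu when their minimum mu is <= 0, so that all weights stay positive
    while every difference between consecutive configurations is kept."""
    delta, prelim = {}, {s: m.weight[s] for s in m.states()}
    for i, ((q, a, b), (p, u, v)) in enumerate(m.delta.items(), 1):
        gamma = m.cfg_weight(a, q, b) - m.cfg_weight(u, p, v)
        chain = [f"{q}({i},{j})" for j in range(1, gamma)]  # gamma - 1 states
        for j, s in enumerate(chain, 1):
            prelim[s] = m.weight[q] - j
        path = [q] + chain
        for src, dst in zip(path, path[1:]):
            delta[(src, a, b)] = (dst, a, b)                 # stores unchanged
        delta[(path[-1], a, b)] = (p, u, v)                  # the original move
    mu = min(prelim.values())
    shift = 1 - mu if mu <= 0 else 0
    weight = {c: x for c, x in m.weight.items() if c not in prelim}
    weight.update({s: x + shift for s, x in prelim.items()})
    return TPDA(delta, m.q0, m.final, weight)


def unit_drops(m, w):
    """True iff each step of m's run on w lowers the weight by exactly 1."""
    wts = [m.cfg_weight(*c) for c in m.run(w)[1]]
    return all(x - y == 1 for x, y in zip(wts, wts[1:]))


# Constructed example: an sDTPDA accepting {a^n b^n}; A counts the a's read.
M = TPDA(
    delta={("q0", "_", "a"): ("q0", "_A", ""), ("q0", "A", "a"): ("q0", "AA", ""),
           ("q0", "A", "b"): ("q1", "", ""),   ("q1", "A", "b"): ("q1", "", ""),
           ("q0", "_", "_"): ("f", "", ""),    ("q1", "_", "_"): ("f", "", "")},
    q0="q0", final={"f"},
    weight={"a": 3, "b": 2, "A": 1, "_": 1, "q0": 2, "q1": 2, "f": 1})

if __name__ == "__main__":
    M2 = unit_step_form(M)
    for w in ("", "ab", "aabb", "ba", "aab"):
        print(repr(w), M.run(w)[0], M2.run(w)[0], unit_drops(M, w), unit_drops(M2, w))
```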
4 The Main Result
From the definitions we know that $\mathrm{CRDL} \subseteq \mathrm{CRL} \subseteq \mathrm{GCRL}$ holds. Here we prove that also $\mathrm{GCRL} \subseteq \mathrm{CRDL}$ holds, thus showing that the three classes actually coincide.

Theorem 5. $\mathrm{GCRL} \subseteq \mathrm{CRDL}$.

Proof. Let $L \subseteq \Sigma^*$ be a generalized Church-Rosser language. By Proposition 3(b) there exist a DTPDA $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$ and a weight-function $\varphi$ such that $N(M) = L$, where $M$ is shrinking with respect to $\varphi$. As observed in the previous section we can assume the following:
(i) Each non-halting configuration of $M$ is of the form $\bot uqv\bot$ for some $u, v \in (\Gamma \setminus \{\bot\})^*$ and $q \in (Q \setminus F)$.
(ii) $F = \{q_f\}$, that is, $M$ has a single halting state only.
(iii) The only accepting and halting configuration of $M$ that is reachable from an initial configuration is the configuration $q_f$.
(iv) The only non-accepting and halting configuration of $M$ that is reachable from an initial configuration is the configuration $\bot q_f$.
(v) If $u_1q_1v_1 \vdash_M u_2q_2v_2$, then $\varphi(u_1q_1v_1) - \varphi(u_2q_2v_2) = 1$ (Lemma 4).

Let $\#$ be a new symbol. We define a morphism $h : (\Gamma \cup Q)^* \to (\Gamma \cup Q \cup \{\#\})^*$ by taking $h(a) := a\#^{\varphi(a)-1}$ for all $a \in \Gamma \cup Q$. Then $|h(w)| = \varphi(w)$ for all $w \in (\Gamma \cup Q)^*$, and $h(\Gamma \cup Q) \subseteq (\Gamma \cup Q \cup \{\#\})^+$ is a prefix code. Thus, the morphism $h : (\Gamma \cup Q)^* \to (\Gamma \cup Q \cup \{\#\})^*$ is an injective mapping. Further, let $\mu := \max\{\varphi(a) \mid a \in \Gamma \cup Q\}$ denote the maximal weight of any letter from $\Gamma \cup Q$.

In order to show that the language $L$ is actually Church-Rosser decidable, we now construct a finite, length-reducing, and confluent string-rewriting system $R$ on some finite alphabet $\Delta \supseteq \Sigma$ that will witness this fact. Essentially $R$ will simulate the computations of the sDTPDA $M$. However, this cannot be a straightforward simulation, since $R$ is length-reducing, while $M$ is shrinking only with respect to the weight-function $\varphi$. Therefore we would like to replace a configuration $\bot uqv\bot$ of $M$ by the string $h(\bot uqv\bot)$. Since this replacement increases the length of the string considered, we need to compress the resulting string by combining several letters into a single new letter. This, however, creates another problem. If $\bot u_1q_1v_1\bot \vdash_M \bot u_2q_2v_2\bot$, then by (v) $|h(\bot u_1q_1v_1\bot)| - 1 = |h(\bot u_2q_2v_2\bot)|$, but for the compressed forms of the strings $h(\bot u_1q_1v_1\bot)$ and $h(\bot u_2q_2v_2\bot)$ the length might be the same. To overcome this problem we choose the fixed rate of compression $2\mu$, and simulate $2\mu$ steps of $M$ through a single application of a rule of $R$.

If $\bot u_1q_1v_1\bot \vdash_M^{2\mu} \bot u_2q_2v_2\bot$, then $|h(\bot u_1q_1v_1\bot)| - 2\mu = |h(\bot u_2q_2v_2\bot)|$, and hence, if $\gamma_1$ and $\gamma_2$ are the compressed forms of $h(\bot u_1q_1v_1\bot)$ and $h(\bot u_2q_2v_2\bot)$, respectively, then
$$|\gamma_1| - 1 = \frac{|h(\bot u_1q_1v_1\bot)|}{2\mu} - 1 = \frac{|h(\bot u_2q_2v_2\bot)|}{2\mu} = |\gamma_2|.$$
To perform this construction we first determine the alphabet $\Delta$. Let $\bar\Gamma \cup \{\bar\#\}$ be a new alphabet that is in 1-to-1 correspondence to $\Gamma \cup \{\#\}$, and let $\bar{\ \cdot\ } : \Gamma \cup \{\#\} \to \bar\Gamma \cup \{\bar\#\}$ denote this correspondence. Further, define four new alphabets as follows:
$$A_< := \{a_w \mid w \in (\Gamma \cup \{\#\})^* \text{ and } 1 \le |w| \le \mu\},$$
$$A := \{a_w \mid w \in (\Gamma \cup \{\#\})^* \text{ and } |w| = 2\mu\},$$
$$\bar A := \{a_{\bar u} \mid \bar u \in (\bar\Gamma \cup \{\bar\#\})^* \text{ and } |\bar u| = 2\mu\}, \text{ and}$$
$$A_Q := \{a_{\bar uqv} \mid \bar u \in (\bar\Gamma \cup \{\bar\#\})^*, q \in Q, v \in (\Gamma \cup \{\#\})^* \text{ and } |\bar uqv| = 2\mu\}.$$
Thus, each letter $a_w \in A_< \cup A \cup \bar A \cup A_Q$ represents a string $w$ of length at most $2\mu$. Finally, we take $\Delta := \Sigma \cup \{q_0, \bot, \bar\bot, Y, N\} \cup A_< \cup A \cup \bar A \cup A_Q$, where we assume that all the subalphabets displayed are pairwise disjoint. To simplify the following considerations we define a morphism $\pi : (A_< \cup A \cup \bar A \cup A_Q)^* \to (\Gamma \cup Q \cup \{\#\})^*$
through the following mapping:
$$\pi(a) := \begin{cases} w, & \text{if } a = a_w \in A_< \cup A,\\ w, & \text{if } a = a_{\bar w} \in \bar A,\\ uqv, & \text{if } a = a_{\bar uqv} \in A_Q. \end{cases}$$
Thus, $\pi$ replaces each letter $a \in A_< \cup A \cup \bar A \cup A_Q$ by the string it represents, where in addition each factor $\bar u \in (\bar\Gamma \cup \{\bar\#\})^+$ is replaced by the corresponding string $u \in (\Gamma \cup \{\#\})^+$.

The string-rewriting system $R$ will consist of four subsystems $R_0$, $R_1$, $R_2$, and $R_3$.

(0) The subsystem $R_0$ is used to take care of those inputs $w \in \Sigma^*$ for the sDTPDA $M$ that are short:
$$R_0 := \{\bar\bot q_0 w \bot \to Y \mid w \in \Sigma^*, \varphi(w\bot) \le 4\mu, \text{ and } w \in L\} \cup \{\bar\bot q_0 w \bot \to N \mid w \in \Sigma^*, \varphi(w\bot) \le 4\mu, \text{ and } w \notin L\}.$$
Obviously, $R_0$ is a finite system containing only length-reducing rules, and there are no non-trivial overlaps between the left-hand sides of the rules of $R_0$.

(1) The subsystem $R_1$ transforms the description $\bar\bot q_0 w \bot$ of an initial configuration $\bot q_0 w \bot$ of $M$ into a compressed form $c \in \bar A^* \cdot A_Q \cdot A^*$, if $w$ is sufficiently long. It consists of three parts.

(1.1) $R_{1,1} := \{w\bot \to \alpha'\alpha_1\alpha_2 \mid w = av \in \Sigma^*$ for some $a \in \Sigma$ such that $\varphi(v\bot) \le 4\mu < \varphi(w\bot) \le 5\mu$, $\alpha' \in A_<$, and $\alpha_1, \alpha_2 \in A$ satisfying $\pi(\alpha'\alpha_1\alpha_2) = h(w\bot)\}$. Since $4\mu < \varphi(w\bot) \le (|w| + 1) \cdot \mu$, we see that $|w| > 3$. Hence, $R_{1,1}$ is a finite system of length-reducing rules. The given weight restrictions for $w\bot$ imply that the left-hand side of no rule of $R_{1,1}$ is a proper suffix of the left-hand side of any other rule of $R_{1,1}$. Further, the right-hand side $\alpha'\alpha_1\alpha_2$ of a rule of $R_{1,1}$ is uniquely determined by the left-hand side, since the morphism $h$ is injective. Hence, there are no non-trivial overlaps between the left-hand sides of the rules of $R_{1,1}$.

(1.2) $R_{1,2} := \{w\alpha'_1 \to \alpha'_2\alpha \mid w = av \in \Sigma^*$ for some $a \in \Sigma$, $\alpha'_1, \alpha'_2 \in A_<$, and $\alpha \in A$ such that $|h(v)\pi(\alpha'_1)| \le 2\mu < |h(w)\pi(\alpha'_1)| \le 3\mu$ and $\pi(\alpha'_2\alpha) = h(w)\pi(\alpha'_1)\}$. Since $|\pi(\alpha'_1)| \le \mu$, $2\mu < |h(w)\pi(\alpha'_1)| = \varphi(w) + |\pi(\alpha'_1)|$ implies that $\varphi(w) > \mu$, which in turn yields $|w| \ge 2$. Hence, $R_{1,2}$ is a finite system containing only length-reducing rules. As above it follows that there are no non-trivial overlaps between the left-hand sides of the rules of $R_{1,2}$.

(1.3) Working from right to left the rules of the subsystems $R_{1,1}$ and $R_{1,2}$ replace suffixes $v\bot$ of $\bar\bot q_0 w \bot$ by the compressed form $c \in A_< \cdot A^*$ of $h(v\bot)$. The subsystem $R_{1,3}$ will be used to replace the remaining prefix $\bar\bot q_0 u$ such that the resulting string belongs to $\bar A^* \cdot A_Q \cdot A^*$, that is, it is the compressed form of a string $x \in (\Gamma \cup Q)^*$ satisfying $|h(x)| \equiv 0 \bmod 2\mu$. Unfortunately, the initial configuration $\bot q_0 w \bot$ may not satisfy this requirement. Therefore, if $|h(\bot q_0 w \bot)| \equiv r \bmod 2\mu$ for some $r \in \{1, \ldots, 2\mu - 1\}$, then instead of compressing this initial configuration, we compress the configuration $\bot uqv\bot$ that is obtained from $\bot q_0 w \bot$ after $r$ steps of $M$. Then $|h(\bot uqv\bot)| = |h(\bot q_0 w \bot)| - r \equiv 0 \bmod 2\mu$, and hence, $h(\bot uqv\bot)$ can be encoded through a string $c \in \bar A^* \cdot A_Q \cdot A^*$ such that $\pi(c) = h(\bot uqv\bot)$. In each step the sDTPDA $M$ can remove at most one symbol from the top of its second pushdown store. Thus, the first $2\mu - 1$ steps of the computation of $M$ on input $w$ depend only on the prefix $u$ of $w$ of length $2\mu - 1$. Hence, the rules of $R_{1,3}$ will encode all computations of $M$ of this form.

$R_{1,3} := \{\bar\bot q_0 w \alpha' \alpha_1 \cdots \alpha_n \to \beta_1 \cdots \beta_m \mid w \in \Sigma^*$, $\alpha' \in A_<$, $\alpha_1, \ldots, \alpha_n \in A$ such that $|h(w)\pi(\alpha')| < 2\mu$, $2 \le n \le \mu$, where $n < \mu$ implies that $\pi(\alpha'\alpha_1 \cdots \alpha_n) \in ((\Gamma \setminus \{\bot\}) \cup \{\#\})^* \cdot h(\bot)$, and $\beta_1, \ldots, \beta_m \in \bar A \cup A_Q \cup A$ satisfy the following conditions:
(i) $\beta_1 \cdots \beta_m \in \bar A^* \cdot A_Q \cdot A^*$,
(ii) $h(w)\pi(\alpha'\alpha_1 \cdots \alpha_n) = h(v)x$ for some $v \in (\Gamma \setminus \{\bot\})^* \cdot \{\varepsilon, \bot\}$ and $x \in (\Gamma \cup \{\#\})^*$ satisfying $|x| < \mu$, and
(iii) $\pi(\beta_1 \cdots \beta_m) = h(u_1q_1v_1)x$ for some $u_1, v_1 \in \Gamma^*$ and $q_1 \in Q$ such that $\bot q_0 v \vdash_M^r u_1q_1v_1$, where $r \in \{0, 1, \ldots, 2\mu - 1\}$ satisfies $|h(\bot q_0 v)x| \equiv r \bmod 2\mu\}$.

If $(\bar\bot q_0 w \alpha' \alpha_1 \cdots \alpha_n \to \beta_1 \cdots \beta_m) \in R_{1,3}$, then $m \in \{n, n+1, n+2\}$. Hence, $R_{1,3}$ is a finite system of length-reducing rules. It can easily be checked that there are no non-trivial overlaps between the left-hand sides of the rules of $R_{1,3}$. The subsystem $R_1$ is now taken as $R_1 := R_{1,1} \cup R_{1,2} \cup R_{1,3}$. From the definitions given it follows immediately that there are no non-trivial overlaps between the left-hand sides of the rules of $R_1$.

(2) The subsystem $R_2$ simulates the computations of the sDTPDA $M$ on strings that represent compressed forms of configurations. Each application of a rule of $R_2$ simulates $2\mu$ steps of $M$.
$R_2 := \{\alpha_1 \cdots \alpha_n \, \gamma \, \alpha_{n+1} \cdots \alpha_{n+m} \to \beta_1 \cdots \beta_{n+m} \mid \alpha_1, \ldots, \alpha_n \in \bar A$, $\gamma \in A_Q$, $\alpha_{n+1}, \ldots, \alpha_{n+m} \in A$ such that $n, m \le \mu + 1$, where $1 \le n \le \mu$ implies that $\pi(\alpha_1)$ has prefix $h(\bot)$, $n = 0$ implies that $\pi(\gamma)$ has prefix $h(\bot)$ and $m \ge 2$, $1 \le m \le \mu$ implies that $\pi(\alpha_{n+m})$ has suffix $h(\bot)$, and $m = 0$ implies that $\pi(\gamma)$ has suffix $h(\bot)$ and $n \ge 2$; $\beta_1, \ldots, \beta_{n+m} \in \bar A \cup A_Q \cup A$ such that $\beta_1 \cdots \beta_{n+m} \in \bar A^* \cdot A_Q \cdot A^*$; $\pi(\alpha_1 \cdots \alpha_n \gamma \alpha_{n+1} \cdots \alpha_{n+m}) = x_1 h(uqv) x_2$ for some $u, v \in \Gamma^*$, $q \in Q$, $x_1 \in \{\#\}^*$, $x_2 \in \Gamma \cdot \{\#\}^*$, $|x_1|, |x_2| < \mu$, $x_2 \notin h(\Gamma)$; and $\pi(\beta_1 \cdots \beta_{n+m}) = x_1 h(u_1q_1v_1) x_2$ for some $u_1, v_1 \in \Gamma^*$, $q_1 \in Q$, such that $uqv$ and $u_1q_1v_1$ are valid subconfigurations of $M$ satisfying $uqv \vdash_M^{2\mu} u_1q_1v_1\}$.
The conditions on the integers $n$ and $m$ imply that $n + m \ge 2$. Further, all rules of $R_2$ are obviously length-reducing. Since $uqv$ and $u_1q_1v_1$ must be valid subconfigurations of $M$, $\bot$ can occur at most as the first and/or the last letter. Hence, the left-hand side of no rule of $R_2$ is contained in the left-hand side of another rule of $R_2$. Finally, the right-hand side of a rule of $R_2$ is uniquely determined by its left-hand side. Thus, there are no non-trivial overlaps between the left-hand sides of the rules of $R_2$.

(3) The subsystem $R_3$ ends the simulation of computations of $M$.
$$R_3 := \{\alpha_1\alpha_2 \to Y \mid \alpha_1, \alpha_2 \in \bar A \cup A_Q \cup A, \alpha_1\alpha_2 \in \bar A^* \cdot A_Q \cdot A^*, \pi(\alpha_1\alpha_2) = h(\bot uqv\bot) \text{ for some } u, v \in \Gamma^* \text{ and } q \in Q, \text{ and } \bot uqv\bot \vdash_M^* q_f\}$$
$$\cup \{\alpha_1\alpha_2 \to N \mid \alpha_1, \alpha_2 \in \bar A \cup A_Q \cup A, \alpha_1\alpha_2 \in \bar A^* \cdot A_Q \cdot A^*, \pi(\alpha_1\alpha_2) = h(\bot uqv\bot) \text{ for some } u, v \in \Gamma^* \text{ and } q \in Q, \text{ and } \bot uqv\bot \vdash_M^* \bot q_f\}.$$
Obviously, $R_3$ is a finite length-reducing system, and there are no non-trivial overlaps between the left-hand sides of the rules of $R_3$.

Finally, we take $R := R_0 \cup R_1 \cup R_2 \cup R_3$. Then $R$ is indeed a finite string-rewriting system that contains length-reducing rules only. It is easily verified that there are no non-trivial overlaps between the left-hand sides of the rules of $R$. Hence, we see that $R$ is also confluent. It remains to prove the following statements for all $w \in \Sigma^*$:
(i) If $w \in L$, then $\bar\bot q_0 w \bot \to_R^* Y$.
(ii) If $w \notin L$, then $\bar\bot q_0 w \bot \to_R^* N$.
These statements show that the system $R$, together with the strings $t_1 := \bar\bot q_0$ and $t_2 := \bot$ and the letters $Y$ and $N$, witnesses the fact that $L$ is a Church-Rosser decidable language. The proof of the statements above will be divided into several claims and their proofs. The first one follows immediately from the choice of the subsystem $R_0$.

Claim 1. For all $w \in \Sigma^*$ satisfying $\varphi(w) \le 4\mu - \varphi(\bot)$ the statements (i) and (ii) hold.

Hence, for the following considerations we can assume that the string $w \in \Sigma^*$ satisfies $\varphi(w) > 4\mu - \varphi(\bot)$, that is, $\varphi(w\bot) > 4\mu$.

Claim 2. Let $w \in \Sigma^*$ such that $\varphi(w\bot) > 4\mu$, and let $r \in \{0, 1, \ldots, 2\mu - 1\}$ such that $\varphi(\bot q_0 w \bot) = k \cdot 2\mu + r$ for some $k \in \mathbb{N}$. Then there exist $\alpha_1, \ldots, \alpha_k \in \bar A \cup A_Q \cup A$ satisfying the following conditions:
(i) $\alpha_1\alpha_2 \cdots \alpha_k \in \bar A^* \cdot A_Q \cdot A^*$,
(ii) $\pi(\alpha_1 \cdots \alpha_k) = h(\bot uqv\bot)$ for some configuration $\bot uqv\bot$ of $M$, where $\bot q_0 w \bot \vdash_M^r \bot uqv\bot$, and
(iii) $\bar\bot q_0 w \bot \to_{R_1}^* \alpha_1 \cdots \alpha_k$.

Proof. Let $w \in \Sigma^*$ satisfy $\varphi(w\bot) > 4\mu$, and let $k \in \mathbb{N}$ and $r \in \{0, 1, \ldots, 2\mu - 1\}$ such that $\varphi(\bot q_0 w \bot) = k \cdot 2\mu + r > 4\mu$. The computation of $M$ starting from
the initial configuration $\bot q_0 w \bot$ either ends with the accepting configuration $q_f$ of weight $\varphi(q_f) \le \mu$ or with the non-accepting configuration $\bot q_f$ of weight $\varphi(\bot q_f) \le 2\mu$. Hence, this computation consists of more than $2\mu$ steps. Thus, there is a (uniquely determined) configuration $\bot uqv\bot$ of $M$ such that $\bot q_0 w \bot \vdash_M^r \bot uqv\bot$. Since $\varphi(\bot uqv\bot) = \varphi(\bot q_0 w \bot) - r = k \cdot 2\mu$, there exist $\alpha_1, \ldots, \alpha_k \in \bar A \cup A_Q \cup A$ such that $\alpha_1\alpha_2 \cdots \alpha_k \in \bar A^* \cdot A_Q \cdot A^*$ and $\pi(\alpha_1 \cdots \alpha_k) = h(\bot uqv\bot)$. It follows easily from the definition of the rules of the system $R_1$ that $\bar\bot q_0 w \bot \to_{R_{1,1}} w_1 \to_{R_{1,2}}^* w_2 \to_{R_{1,3}} \alpha_1\alpha_2 \cdots \alpha_k$ holds for some strings $w_1$ and $w_2$. □

Claim 3. Let $\bot uqv\bot$ be a configuration of $M$ such that $\varphi(\bot uqv\bot) = s \cdot 2\mu$ for some $s \ge 3$, and let $\alpha_1, \ldots, \alpha_s \in \bar A \cup A_Q \cup A$ such that $\alpha_1 \cdots \alpha_s \in \bar A^* \cdot A_Q \cdot A^*$ and $\pi(\alpha_1 \cdots \alpha_s) = h(\bot uqv\bot)$. If $\bot uqv\bot$ is reachable from an initial configuration, then there exist a configuration $\bot u_1q_1v_1\bot$ of $M$ and letters $\beta_1, \ldots, \beta_{s-1} \in \bar A \cup A_Q \cup A$ such that the following conditions are satisfied:
(i) $\beta_1\beta_2 \cdots \beta_{s-1} \in \bar A^* \cdot A_Q \cdot A^*$,
(ii) $\pi(\beta_1\beta_2 \cdots \beta_{s-1}) = h(\bot u_1q_1v_1\bot)$,
(iii) $\bot uqv\bot \vdash_M^{2\mu} \bot u_1q_1v_1\bot$, and
(iv) $\alpha_1\alpha_2 \cdots \alpha_s \to_{R_2} \beta_1\beta_2 \cdots \beta_{s-1}$.

Proof. Let $\bot uqv\bot$ be a configuration of $M$ such that $\varphi(\bot uqv\bot) = s \cdot 2\mu$ for some $s \ge 3$. If $\bot uqv\bot$ is reachable from some initial configuration, that is, $\bot q_0 w \bot \vdash_M^* \bot uqv\bot$ for some $w \in \Sigma^*$, then $\bot uqv\bot \vdash_M^* q_f$ or $\bot uqv\bot \vdash_M^* \bot q_f$, depending on whether $w \in L$ or $w \notin L$, respectively. Since the weight of the actual configuration decreases by 1 in each step, we see that there exists a unique configuration $\bot u_1q_1v_1\bot$ such that $\bot uqv\bot \vdash_M^{2\mu} \bot u_1q_1v_1\bot$ and $\varphi(\bot u_1q_1v_1\bot) = \varphi(\bot uqv\bot) - 2\mu = (s - 1) \cdot 2\mu$. Hence, there exist (uniquely determined) $\beta_1, \beta_2, \ldots, \beta_{s-1} \in \bar A \cup A_Q \cup A$ satisfying $\beta_1\beta_2 \cdots \beta_{s-1} \in \bar A^* \cdot A_Q \cdot A^*$ and $\pi(\beta_1\beta_2 \cdots \beta_{s-1}) = h(\bot u_1q_1v_1\bot)$. During the computation $\bot uqv\bot \vdash_M^{2\mu} \bot u_1q_1v_1\bot$ a suffix $u'$ of $u$ and a prefix $v'$ of $v$ are involved that satisfy $|u'|, |v'| \le 2\mu$. Hence, this computation can be described completely by using a window of length $2\mu + 1 + 2\mu = 4\mu + 1$ that is placed on $\bot uqv\bot$ in such a way that the state symbol $q$ appears in the middle. The corresponding section of $h(\bot uqv\bot)$ is contained in a substring $\alpha'_1 \cdots \alpha'_n \, \gamma \, \alpha'_{n+1} \cdots \alpha'_{n+m} \in \bar A^* \cdot A_Q \cdot A^*$ of $\alpha_1\alpha_2 \cdots \alpha_s$ satisfying $n, m \le \mu + 1$. From the definition of the subsystem $R_2$ we see that each rule of $R_2$ just simulates $2\mu$ steps of $M$ on a substring of this form. Hence, it follows that $\alpha_1\alpha_2 \cdots \alpha_s \to_{R_2} \beta_1\beta_2 \cdots \beta_{s-1}$ holds. □

Claim 4. Let $\bot uqv\bot$ be a configuration of $M$ such that $\varphi(\bot uqv\bot) = 4\mu$, and let $\alpha_1, \alpha_2 \in \bar A \cup A_Q \cup A$ such that $\alpha_1\alpha_2 \in \bar A^* \cdot A_Q \cdot A^*$ and $\pi(\alpha_1\alpha_2) = h(\bot uqv\bot)$. If $\bot uqv\bot$ is reachable from an initial configuration, then either $\alpha_1\alpha_2 \to_{R_3} Y$ or $\alpha_1\alpha_2 \to_{R_3} N$.

Proof. Let $\bot uqv\bot$ be a configuration of $M$ such that $\varphi(\bot uqv\bot) = 4\mu$, and let $\alpha_1, \alpha_2 \in \bar A \cup A_Q \cup A$ such that $\alpha_1\alpha_2 \in \bar A^* \cdot A_Q \cdot A^*$ and $\pi(\alpha_1\alpha_2) = h(\bot uqv\bot)$. If $\bot uqv\bot$ is reachable from some initial configuration, then $\bot q_0 w \bot \vdash_M^* \bot uqv\bot$ for some $w \in \Sigma^*$. If $w \in L$, then $\bot uqv\bot \vdash_M^* q_f$, and if $w \notin L$, then $\bot uqv\bot \vdash_M^* \bot q_f$. Thus, either $(\alpha_1\alpha_2 \to Y) \in R_3$ or $(\alpha_1\alpha_2 \to N) \in R_3$. □

We now verify that $R$ does indeed witness the fact that $L$ is a Church-Rosser decidable language. Let $w \in \Sigma^*$. If $\varphi(w) \le 4\mu - \varphi(\bot)$, then we see from Claim 1 that $\bar\bot q_0 w \bot \to_R^* Y$ if $w \in L$, and $\bar\bot q_0 w \bot \to_R^* N$, if $w \notin L$. Assume therefore that $\varphi(w) > 4\mu - \varphi(\bot)$. Then by Claim 2 there exist a configuration $\bot u_1q_1v_1\bot$ of $M$ and $\alpha_1, \alpha_2, \ldots, \alpha_k \in \bar A \cup A_Q \cup A$ such that
(i) $\alpha_1\alpha_2 \cdots \alpha_k \in \bar A^* \cdot A_Q \cdot A^*$,
(ii) $\pi(\alpha_1\alpha_2 \cdots \alpha_k) = h(\bot u_1q_1v_1\bot)$,
(iii) $\bot q_0 w \bot \vdash_M^r \bot u_1q_1v_1\bot$, and
(iv) $\bar\bot q_0 w \bot \to_{R_1}^* \alpha_1 \cdots \alpha_k$.
If $k > 2$, then Claim 3 applies. Hence, there are configurations $\bot u_iq_iv_i\bot$ of $M$ and strings $\delta_i \in \bar A^* \cdot A_Q \cdot A^*$, $i = 2, \ldots, k - 1$, such that $\bot u_{i-1}q_{i-1}v_{i-1}\bot \vdash_M^{2\mu} \bot u_iq_iv_i\bot$, $\pi(\delta_i) = h(\bot u_iq_iv_i\bot)$, $\alpha_1 \cdots \alpha_k \to_R \delta_2 \to_R \cdots \to_R \delta_{k-1}$, and $|\delta_i| = k - i + 1$ for all $i = 2, \ldots, k - 1$. Finally, $|\delta_{k-1}| = 2$ implies that $\delta_{k-1} \to_R Y$ or $\delta_{k-1} \to_R N$ by Claim 4. From the definition of $R_3$ we see that the former is the case if and only if $w \in L$. Thus, for $w \in L$, we have $\bar\bot q_0 w \bot \to_R^* \alpha_1 \cdots \alpha_k \to_R \cdots \to_R \delta_{k-1} \to_R Y$, and for $w \notin L$, we have $\bar\bot q_0 w \bot \to_R^* \alpha_1 \cdots \alpha_k \to_R \cdots \to_R \delta_{k-1} \to_R N$. This completes the proof of Theorem 5. □

From Theorem 5 we obtain our main result.
Corollary 6. The three language classes CRDL, CRL, and GCRL coincide.

Thus, the Church-Rosser languages are indeed the deterministic variants of the growing context-sensitive languages.

5 Closure Properties
In this section we summarize the known closure and non-closure properties of the class CRL and we prove two new non-closure properties, which, however, were already announced by Buntrock and Otto [7]. From the definition of the class CRDL we immediately obtain the following result.

Proposition 7. The class of Church-Rosser languages is closed under complementation, that is, if $L \subseteq \Sigma^*$ is a Church-Rosser language, then so is the language $\bar L := \Sigma^* \setminus L$.

From the characterization of the class GCRL through the shrinking DTPDA we can conclude the following closure properties.
Proposition 8.
(a) The class CRL is closed under intersection with regular languages, that is, if $L \in \mathrm{CRL}$ and $L_1$ is a regular language, then $L \cap L_1 \in \mathrm{CRL}$.
(b) The class CRL is closed under inverse morphisms, that is, if $L \subseteq \Sigma^*$ is in CRL and $h : \Delta^* \to \Sigma^*$ is a morphism, then $h^{-1}(L) \in \mathrm{CRL}$.

Finally, from [11] we recall the following closure properties.

Proposition 9.
(a) CRL is closed under reversal, that is, if $L$ is a Church-Rosser language, then so is the language $L^R := \{w^R \mid w \in L\}$.
(b) CRL is closed under left quotient and right quotient with a single string, that is, if $L \subseteq \Sigma^*$ is a Church-Rosser language and $z \in \Sigma^*$, then $L/\{z\} := \{w \in \Sigma^* \mid wz \in L\}$ and $\{z\} \setminus L := \{w \in \Sigma^* \mid zw \in L\}$ are Church-Rosser languages, too.

In [12] it is shown that the class CRL is a basis for the recursively enumerable languages. Further, it is shown by Buntrock in [4] that the closure of the class GCRL (= CRL) under $\varepsilon$-free morphisms yields the class GCSL. Hence, we obtain the following non-closure properties.

Proposition 10. The class CRL is neither closed under projections nor under $\varepsilon$-free morphisms.

The Gladkij language $L_{Gl} := \{wcw^Rcw \mid w \in \{a, b\}^*\}$ is a context-sensitive language that is not growing context-sensitive [9, 1, 7]. Now $L_{Gl}$ can be written as $L_{Gl} = L_1 \cap L_2$, where $L_1 := \{wcw^Rcz \mid w, z \in \{a, b\}^*\}$ and $L_2 := \{wcz^Rcz \mid w, z \in \{a, b\}^*\}$. Obviously, $L_1$ and $L_2$ are both deterministic context-free, and hence, they are both Church-Rosser languages. Since $L_1 \cap L_2 \notin \mathrm{GCSL}$, we have $L_1 \cap L_2 \notin \mathrm{CRL}$. This shows the following.

Proposition 11. The class CRL is neither closed under intersection nor under union.

6 Conclusion
We have shown that the three language classes CRDL and CRL of [11] and GCRL of [7] coincide. Because of the characterization of the latter class through the deterministic variant of the shrinking TPDA [7] this class of languages can be considered as the class of 'deterministic growing context-sensitive languages'. Based on these characterizations we have obtained some closure properties and some non-closure properties for the class of Church-Rosser languages. However, many questions regarding closure and non-closure properties remain open. Also it remains the question of whether or not the language $L_0 := \{ww^R \mid w \in \{a, b\}^*\}$ is a Church-Rosser language. Finally, based on the fact that the classes CFL and CRL are incomparable under set inclusion, we obtain the following undecidability result from McNaughton et al [11].

Proposition 12.
(a) The emptiness and the finiteness problems for Church-Rosser languages are undecidable in general.
(b) It is undecidable in general whether a given context-free language is a Church-Rosser language.
(c) It is undecidable in general whether a given Church-Rosser language is context-free.
References
1. R.V. Book. Grammars with Time Functions. PhD thesis, Harvard University, Cambridge, Massachusetts, February 1969.
2. R.V. Book. Confluent and other types of Thue systems. J. Association Computing Machinery, 29:171-182, 1982.
3. R.V. Book and F. Otto. String-Rewriting Systems. Springer-Verlag, New York, 1993.
4. G. Buntrock. Wachsende kontext-sensitive Sprachen. Habilitationsschrift, Fakultät für Mathematik und Informatik, Universität Würzburg, July 1996.
5. G. Buntrock and K. Loryś. On growing context-sensitive languages. In W. Kuich, editor, Proc. of 19th ICALP, Lecture Notes in Computer Science 623, pages 77-88. Springer-Verlag, Berlin, 1992.
6. G. Buntrock and K. Loryś. The variable membership problem: Succinctness versus complexity. In P. Enjalbert, E.W. Mayr, and K.W. Wagner, editors, Proc. of 11th STACS, Lecture Notes in Computer Science 775, pages 595-606. Springer-Verlag, Berlin, 1994.
7. G. Buntrock and F. Otto. Growing context-sensitive languages and Church-Rosser languages. In E.W. Mayr and C. Puech, editors, Proc. of 12th STACS, Lecture Notes in Computer Science 900, pages 313-324. Springer-Verlag, Berlin, 1995.
8. E. Dahlhaus and M. Warmuth. Membership for growing context-sensitive grammars is polynomial. J. Computer System Sciences, 33:456-472, 1986.
9. A.W. Gladkij. On the complexity of derivations for context-sensitive grammars. Algebra i Logika Sem., 3:29-44, 1964. In Russian.
10. J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, Reading, M.A., 1979.
11. R. McNaughton, P. Narendran, and F. Otto. Church-Rosser Thue systems and formal languages. J. Association Computing Machinery, 35:324-344, 1988.
12. F. Otto, M. Katsura, and Y. Kobayashi. Cross-sections for finitely presented monoids with decidable word problems. In H. Comon, editor, Rewriting Techniques and Applications, Lecture Notes in Computer Science 1232, pages 53-67. Springer-Verlag, Berlin, 1997.
Deterministic Rational Transducers and Random Sequences

Sylvain Porrot (1), Max Dauchet (2), Bruno Durand (3), Nikolai K. Vereshchagin (3,4)

(1) LAIL, URA CNRS 1440, Bâtiment P2, Université des Sciences et Technologies de Lille, 59655 Villeneuve d'Ascq CEDEX, France. Tel & Fax: (33) 03 20 43 47 43, e-mail: porrot@lifl.fr
(2) LIFL, URA CNRS 369, Bâtiment M3, Université des Sciences et Technologies de Lille, 59655 Villeneuve d'Ascq CEDEX, France. Tel: (33) 03 20 43 45 88, e-mail: [email protected]
(3) LIP, ENS-Lyon CNRS, 46 Allée d'Italie, 69634 Lyon CEDEX 07, France. e-mail: Bruno.Durand@ens-lyon.fr
(4) Dept. of Mathematical Logic and Theory of Algorithms, Moscow State University, Vorobjevy Gory, Moscow, Russia. e-mail: ver@mech.math.msu.su
Abstract

This paper presents some results about transformations of infinite random sequences by letter to letter rational transducers. We show that it is possible, by observing initial segments of a given random sequence, to decide whether two given letter to letter rational transducers have the same output on that sequence. We use the characterization of random sequences by Kolmogorov Complexity. We also prove that the image of a random sequence is either random, or non-random and non-recursive, or periodic, depending on some structural properties of the transducer that we give.
Introduction

This paper starts the study of the behaviour of deterministic rational transducers on infinite random sequences. Firstly, we show that it is possible, by observing initial segments of a given random sequence, to decide whether two given letter to letter rational transducers have the same output on that sequence (we call this problem the equality problem). The analogous problem is undecidable on the class of all input sequences. Secondly, we prove that the image of a random sequence is either random, or non-random and non-recursive, or periodic, depending on the transducer's structural properties. Finally, we derive an arithmetical theorem from the previous result: the image of a 'random real' by a letter to letter rational transducer is either rational or transcendental.

This work is a part of a larger study on transformation processes of discrete curves. These processes are 'real time' transformations on random sequences. For us, 'real time' means that the computation time as well as the memory of the processes are bounded. Consequently, these processes are rational transducers [PD97].

The concept of random sequence was first properly defined by Martin-Löf in 1966 [ML66]. A sequence is random if and only if it does not belong to any constructive null set. The theory of Kolmogorov Complexity provides a characterization of such sequences in terms of compressibility. Levin and Schnorr have shown that the notions of random sequence and incompressible sequence are equivalent [Lev73, Sch73]. This theory has made it possible to obtain results on regular languages [LV93, Sei86, CL88], but our aim is different. The originality of this paper lies in the study of the effect of algebraic objects (rational transducers) on random sequences. This is another approach to Markov chains, which are probabilistic finite automata: here we consider deterministic automata and it is the input sequence that chooses the transitions. This choice is 'typically random' when the sequence is random.

We briefly present in section 1.1 the definition of random sequences due to Martin-Löf, and an equivalent definition in terms of Kolmogorov Complexity. There are several variants of this theory (see the foreword by Chaitin in [Cal94]), but here we consider only the Prefix Complexity. This variant is more convenient for the study of infinite sequences. We consider classical rational transducers [MS97], introduced by M. Nivat [Niv68], reading infinite binary sequences in input and, unlike Büchi automata (e.g. [Tho90]), without any particular acceptance conditions. We do not require that for each state and each input letter there exists the corresponding transition. We say that a transducer accepts a sequence if it can read all its letters.

In section 1.2, we introduce a classification of the transducer's states. This classification is drawn from the theory of Markov chains [MT96]. The main aim of this classification is Lemma 5. It gives a necessary and sufficient condition for the acceptance of a random sequence. In part 2, we show that the equality problem of two transducers is decidable on the class of random sequences, whereas it is undecidable on the class of all sequences. In order to ... accepts an infinite sequence if and only if both initial transducers accept this sequence and have the same output. In part 3, Theorem 2 establishes a classification of the images of random sequences. This classification depends on the transducer's structural properties. On the one hand, the image of a random sequence is random if and only if there are no two paths with the same output linking two recurrent states. On the other hand, the image of a random sequence has finite complexity if and only if all paths starting from a recurrent state have the same output. Moreover, in this case, the image sequence is periodic. Section 3.2 presents an application of the previous result within the frame of arithmetic. We call random real a real number whose binary expansion is a random sequence. Theorem 3 claims that the image of any random real by a letter to letter rational transducer is either rational or transcendental.
1 Preliminaries

1.1 Random sequences and Kolmogorov Complexity
In this part we briefly present the definition of random sequences from Martin-Löf and the theory of Kolmogorov Complexity. In the following we call word (respectively sequence) any finite (respectively any infinite) string over the binary alphabet {0, 1}.

1.1.1 Random sequences

The first satisfactory definition of a random sequence has been given by Martin-Löf in [ML66]. A sequence is random if and only if it does not belong to any constructive null set. More precisely, a sequence s is non-random if and only if there is a recursive function u(i, j), mapping pairs of integers to words, satisfying the following properties:

1. $\forall i \;\; \mu(\Omega_i) \le 2^{-i}$;
2. $\forall i \;\; s \in \Omega_i$,

where $\Omega_i = \bigcup_j \Gamma_{u(i,j)}$, $\Gamma_{u(i,j)}$ being the set of all the sequences having the prefix u(i, j), and $\mu$ denotes the uniform measure on the set of all sequences.
1.1.2 Kolmogorov Complexity

The theory of Kolmogorov Complexity [LV97], also called Algorithmic Information Theory, gives rigorous mathematical foundations to the notion of the quantity of information contained in an object x. This quantity K(x) is the length of a smallest program computing x without any input. The programming language must satisfy the following property: for any computable partial function $\varphi$ mapping words to words there exists a constant C such that for any p in the domain of $\varphi$ there exists a program computing $\varphi(p)$ of length at most $\mathrm{length}(p) + C$. We will use the variant of Kolmogorov Complexity called Prefix Complexity, in which the set of programs must be a prefix set: none of the programs is a prefix of another program. The complexity varies by no more than an additive constant when we change the programming language. Indeed,

$\exists C \;\; \forall x \;\; |K_1(x) - K_2(x)| < C$

where $K_1(x)$ and $K_2(x)$ are the Kolmogorov complexities defined for two different programming languages.
1.1.3 Randomness and incompressibility

The theory of Kolmogorov Complexity provides a characterization of randomness using incompressibility properties. Actually Levin and Schnorr [Lev73, Sch73] have shown that random sequences are exactly those that are incompressible for some variants of Kolmogorov Complexity. Their proof can easily be translated into the frame of Prefix Complexity that we use here. More specifically, all prefixes of a random sequence are compressible by less than a constant. Formally, if $a_{1:n}$ is the prefix of length n of a sequence a, then this sequence is random if and only if:

$\exists c \;\; \forall n \;\; K(a_{1:n}) > n - c$

A random sequence is non-recursive, but non-random ones may be either recursive or non-recursive.

• Assume for example that the sequence 010011010110... is random. Then the sequence 001100001111..., where each letter of the previous sequence appears twice, is non-random and non-recursive.
• The sequence 010101010101... is non-random and recursive.

In several proofs we show that a sequence a is non-random by building a program that computes a using another sequence a' as an input. This program uses at most the $\lambda n$ first letters of a' to compute the n first letters of a, with $\lambda < 1$. The following lemma expresses this idea.

Lemma 1 Let a and a' be two sequences. If there exists a program P such that

$\exists (u_n)_{n \in \mathbb{N}} \;\; \exists (v_n)_{n \in \mathbb{N}} \;\; \exists \lambda < 1 \;\; \text{such that} \;\; \forall n \;\; P(a'_{1:u_n}) = a_{1:v_n} \;\text{ and }\; u_n \le \lambda v_n$

then a is non-random.

Proof We will give an upper bound on the complexity of the prefix words $a_{1:v_n}$ of a. The program $\langle P, a'_{1:u_n} \rangle$ computes $a_{1:v_n}$, but the set of these programs is not a prefix set. In order to obtain such a set we have to use the prefix coding of $a'_{1:u_n}$, denoted by $\overline{a'_{1:u_n}}$. For all n we have $K(a_{1:v_n}) \le |\overline{a'_{1:u_n}}| + |P| + O(1)$. A classical upper bound for the prefix coding of a word w is $|w| + 2\log(|w|) + O(1)$. Hence we have:

$\forall n \;\; K(a_{1:v_n}) \le |a'_{1:u_n}| + 2\log(|a'_{1:u_n}|) + O(1) \le \lambda |a_{1:v_n}| + 2\log(|a_{1:v_n}|) + O(1)$

Let c > 0 be fixed. There exists $n_c$ such that:

$\forall n \ge n_c \;\; \lambda |a_{1:v_n}| + 2\log(|a_{1:v_n}|) + O(1) \le |a_{1:v_n}| - c$

Eventually we have: $\forall c \;\; \exists n_c \;\; \forall n \ge n_c \;\; K(a_{1:v_n}) \le |a_{1:v_n}| - c$. Therefore a is non-random. □
1.2 Transducers

We consider classical transducers without final states since inputs are only infinite sequences. In this first approach we consider only letter to letter transducers: the output is one letter for each letter read in input. When the transducer reaches a state where there is no transition labelled by the input letter, it halts and we say that it rejects the input sequence. Otherwise it accepts the input sequence. We now give some definitions and preliminary results considering only the inputs on transitions.

Definition 1 Let T be a transducer and a be a sequence accepted by T. A state of T is recurrent for a if it is reached infinitely many times with a as an input. $T_a$ denotes the set of recurrent states for a.

Definition 2 Let q be a state of T. Let $occ^a_n(q)$ denote the number of occurrences of the state q during the reading of $a_{1:n}$. The frequency $f_a(q)$ of q is defined by:

$f_a(q) = \limsup_{n \to \infty} \frac{occ^a_n(q)}{n}$

A state q is frequent if $f_a(q) > 0$.

Definition 3 Let q be a state of T and t be a transition from q. Let $occ^a_n(t)$ denote the number of occurrences of the transition t during the n first occurrences of the state q with a as an input. The frequency $f_a(t)$ of t is defined by:

$f_a(t) = \limsup_{n \to \infty} \frac{occ^a_n(t)}{n}$
Lemma 2 Let a be a sequence accepted by T. T contains at least one frequent state.

Proof Suppose that for each state $q_i$ of $T_a$ we have $f_a(q_i) = 0$. Let $\varepsilon = \frac{1}{2Q}$ where Q is the number of states of T. Therefore we have:

$\exists n \;\; \forall q_i \in T_a \;\; \frac{occ^a_n(q_i)}{n} < \varepsilon \qquad \text{hence} \qquad \sum_{i=1}^{Q} \frac{occ^a_n(q_i)}{n} \le \varepsilon Q = \frac{1}{2} < 1$

which is impossible for n large enough, since all but finitely many of the n first steps are spent in states of $T_a$. □

Definition 4 A complete state is a state out of which go two transitions, labelled by 0 and by 1. We say that a set of states is complete if each state of this set is complete.

Claim 1 Consider the preorder on the set of the states of a transducer defined by: $q \le q' \iff$ we can reach q' from q, and the corresponding equivalence classes of states. We say that the maximal classes are absorbing. There is an algorithm that splits a transducer into sub-automata $T_1, \ldots, T_N$ and $T_P$ (see Figure 1). $T_1, \ldots, T_N$ are the complete absorbing classes and $T_P$ is the union of the remaining classes.
Figure 1: Complete absorbing classes
Lemma 3 Let a be a random sequence accepted by T. Any frequent state of T is complete.

Proof Let q be a frequent state. Suppose that q is not complete. Thus there is only one transition from this state, say the transition labelled by the input letter 0 and leading to the state q'. We show that this implies that a is non-random. Consider the sequence a' obtained as follows: in the sequence a we delete the letters read at each occurrence of q. The following program computes a using T and a'.

Program P(a')
  Repeat
    If T is in state q then
      Output 0 ; Place T in state q'
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End
Since q is frequent we have $\limsup_{n \to \infty} \frac{occ^a_n(q)}{n} = \alpha$ with $\alpha > 0$. Thus there is a sequence $(v_n)_{n \in \mathbb{N}}$ and an $n_0$ such that for all $n > n_0$ we have $occ^a_{v_n}(q) > \frac{\alpha}{2} v_n$. Let $u_n = v_n - occ^a_{v_n}(q)$. For all $n > n_0$ we have $u_n < \lambda v_n$ with $\lambda = 1 - \frac{\alpha}{2} < 1$. The program P is such that for all n we have $P(a'_{1:u_n}) = a_{1:v_n}$. Thus the hypotheses of Lemma 1 are satisfied, which enables us to conclude that a is non-random. □

Lemma 4 Let a be a random sequence accepted by T. Then all states of $T_a$ are frequent and $T_a$ is a complete absorbing class.

Proof According to Lemma 2, T contains at least one frequent state q. This state belongs to $T_a$ and, according to Lemma 3, is complete. Let $t_0$ (respectively $t_1$) be the transition accepting 0 (respectively 1) and leading to $q_0$ (respectively $q_1$) from q ($q_0$ and $q_1$ can be the same).

Step 1: We show that both transitions $t_0$ and $t_1$ are frequent. Suppose for example that $t_0$ is not frequent, i.e. $f_a(t_0) = 0$. Obviously we then have $f_a(t_1) = 1$. Consider the sequence a' defined as follows: in the sequence a we delete each 1 read at each occurrence of $t_1$ and we replace each 0 read at each occurrence of $t_0$ with a prefix code of the number of occurrences of $t_1$ before the next occurrence of $t_0$. The following program computes a using a'.

Program P(a')
  Let n be the number of occurrences of t1 before the next occurrence of t0
  Repeat
    If T is in state q then
      If n = 0 then
        Output 0 ; Let n be the prefix coded number appearing from the current position in a'
        Place T in state q0
      Else
        Output 1 ; Let n = n - 1
        Place T in state q1
      End if
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End

The same arguments as in the proof of Lemma 3 enable us to conclude that a is non-random.

Conclusion: Since $f_a(q) > 0$, $f_a(t_0) > 0$ and $f_a(t_1) > 0$, both states $q_0$ and $q_1$ are frequent. Step by step we show that any state reachable from q is frequent and thus, according to Lemma 3, is complete. Such a state is recurrent. Therefore, the class of q is absorbing and complete. □
The following lemma is an immediate corollary of Lemma 4 and of the fact that a complete absorbing class accepts any sequence.

Lemma 5 For every random sequence a, T accepts a if and only if T reaches on a one of its complete absorbing classes.
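The compression argument of the proof of Lemma 3, carried out on a concrete transducer, as an added example that is not part of the paper. The transducer T, the state names and the input word are constructed for this illustration: state "q" has a transition on input 0 only, so every letter read there is forced, the sequence a' drops those letters, and the program P of the proof rebuilds a from a'. On a random input, T sits in "q" one third of the time (the induced chain moves p → q with probability 1/2 and q → p always), so the ratio $u_n / v_n$ of Lemma 1 tends to $\lambda = 2/3 < 1$.

```python
# Added example, not from the paper: the compression argument behind Lemma 3.
# T is a constructed letter-to-letter transducer (state -> {input: (output, next)})
# whose state "q" is frequent on a random input but not complete: it has no
# transition on input 1, so every letter read in "q" is forced to be 0.
# Dropping these forced letters from a gives a shorter a'; the program P of the
# proof of Lemma 3 rebuilds a from a', which makes a compressible (Lemma 1).
T = {"p": {"0": ("0", "q"), "1": ("1", "p")},
     "q": {"0": ("1", "p")}}           # incomplete state: only input 0 is accepted
Q, Q_NEXT = "q", "p"                    # the incomplete state and its unique successor


def states_before_each_letter(T, q0, a):
    """State of T just before each letter of the finite word a (None once T halts)."""
    states, q = [], q0
    for b in a:
        states.append(q)
        q = T[q][b][1] if q is not None and b in T[q] else None
    return states


def compress(T, q0, a):
    """a' of the proof: a with every letter read in state Q deleted."""
    return "".join(b for b, s in zip(a, states_before_each_letter(T, q0, a)) if s != Q)


def decompress(T, q0, a_prime, length):
    """Program P(a') of the proof of Lemma 3: regenerate the first `length`
    letters of a. Returns (a_{1:v_n}, u_n): the prefix rebuilt and the number
    of letters of a' consumed to do it."""
    out, q, i = [], q0, 0
    while len(out) < length:
        if q == Q:                      # forced step: output 0, move to Q_NEXT
            out.append("0")
            q = Q_NEXT
        else:                           # free step: copy a letter of a', simulate T on it
            if i == len(a_prime):
                raise ValueError("a' exhausted before reaching the requested length")
            b = a_prime[i]
            i += 1
            out.append(b)
            q = T[q][b][1]
    return "".join(out), i


def compression_ratio(T, q0, a):
    """u_n / v_n of Lemma 1 for the accepted prefix a; below 1 whenever Q occurs."""
    rebuilt, used = decompress(T, q0, compress(T, q0, a), len(a))
    if rebuilt != a:
        raise AssertionError("P(a') did not reproduce a: a is not accepted by T")
    return used / len(a)


# Constructed accepted prefix: T is in state "q" before the 4th, 7th and 9th letter,
# all of which are therefore 0; a' keeps the other 8 letters.
SAMPLE_A = "11001000011"
```

Running `compression_ratio(T, "p", SAMPLE_A)` gives 8/11: the eleven letters of the prefix are recovered exactly from the eight letters of a', which is the inequality $u_n \le \lambda v_n$ that Lemma 1 needs.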
2 Decidability of the equality of letter to letter rational transducers on random sequences

We say that two transducers $T_1$ and $T_2$ are equal on a sequence s if $T_1(s) = T_2(s)$. Note the difference between this definition and the definition of the equivalence of transducers: $T_1$ and $T_2$ are equivalent if $T_1(w) = T_2(w)$ for all words w. The equality of a class $\Theta$ of rational transducers on a class S of sequences is decidable if there is an algorithm that decides, for any transducers $T_1$ and $T_2$ in $\Theta$, and any sequence s in S spelled letter by letter, whether $T_1(s) = T_2(s)$, using a finite prefix (of unknown length) of s:

$\exists A \;\; \forall (T_1, T_2) \in \Theta^2 \;\; \forall s \in S \qquad A(T_1, T_2, s) = \begin{cases} \text{yes} & \text{if } T_1(s) = T_2(s) \\ \text{no} & \text{otherwise} \end{cases}$
If $\Theta$ is the set of letter to letter rational transducers and S is the set of all sequences, the equality is not decidable. Consider the transducers $T_1$ and $T_2$ defined in Figure 2.

Figure 2: Two transducers equal on $0^\omega$ and not equal on $0^n 1 0^\omega$

Suppose there is an algorithm A deciding, for any sequence s, whether both transducers $T_1$ and $T_2$ are equal on s. Let $s_1 = 0^\omega$. Since $T_1(s_1) = T_2(s_1)$, $A(T_1, T_2, s_1)$ halts having read a prefix of length n of $s_1$ and outputs yes. Now, let $s_2 = 0^n 1 0^\omega$. Since the n first letters of $s_1$ and $s_2$ are the same, $A(T_1, T_2, s_2)$ halts and outputs yes, although we obviously have $T_1(s_2) \ne T_2(s_2)$.

However, the equality becomes decidable if we restrict ourselves to random sequences. In order to show this result, we need to define the notion of product transducer.

Definition 5 Let $T_1$ and $T_2$ be two transducers. Their product transducer $T = T_1 \times T_2$ is defined as follows: if we can reach $q'_1$ from $q_1$ in the transducer $T_1$ and $q'_2$ from $q_2$ in the transducer $T_2$, with the same letter $b_{in}$ in input and the same letter $b_{out}$ in output, then T contains a transition between $(q_1, q_2)$ and $(q'_1, q'_2)$ reading $b_{in}$ and outputting $b_{out}$.

The product transducer $T = T_1 \times T_2$ accepts a sequence a if and only if $T_1$ and $T_2$ accept a and output the same sequence.

Theorem 1 The equality of letter to letter rational transducers on random sequences is decidable.

Proof Let a be a random sequence. $T_1$ and $T_2$ accept a and output the same sequence if and only if their product transducer T accepts a or, according to Lemma 5, if and only if T reaches on a one of its complete absorbing classes. If T halts, we distinguish the following cases:

• $T_1$ and $T_2$ accept a and output different sequences, and thus $T_1$ and $T_2$ are not equal on a;
• one transducer accepts a and the other rejects a: $T_1$ and $T_2$ are not equal on a;
• $T_1$ and $T_2$ both reject a: if the output words are the same, $T_1$ and $T_2$ are equal on a, otherwise they are not.

Finally, $T_1$ and $T_2$ are equal on a if and only if either T reaches on a one of its complete absorbing classes or T, $T_1$, $T_2$ halt simultaneously with the same output words. These observations lead to the following decision algorithm:

Program A(T1, T2, a)
  Build the product transducer T = T1 x T2
  Split T into complete absorbing classes as in Claim 1
  For each letter of a repeat
    If T reaches one of its complete absorbing classes then
      Output yes ; Halt
    Elseif T halts then
      If T1 and T2 halt at the same place and output the same word then
        Output yes ; Halt
      Else
        Output no ; Halt
      End if
    End if
  End for
End □
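The constructions of Claim 1, Lemma 5, Definition 5 and the algorithm A of Theorem 1, as an added, runnable example that is not part of the paper. The transducers ERASE, IDENT, TWO and HALT are constructed for this illustration (ERASE and IDENT play the role of the pair of Figure 2, whose exact transitions are not legible here): ERASE writes 0 whatever it reads and IDENT copies its input, so they agree on $0^\omega$ and disagree on $0^n 1 0^\omega$. Their product has no complete absorbing class, which is why the prefix $0^n$ never decides; on any sequence containing a 1, A answers after reading that 1.

```python
# Added example, not from the paper: letter-to-letter transducers over {0, 1},
# the split into complete absorbing classes (Claim 1), the acceptance test of
# Lemma 5, the product transducer (Definition 5) and the decision algorithm A of
# Theorem 1. A transducer is a dict state -> {input: (output, next_state)};
# every transducer below is constructed for this example, not taken from a figure.
from itertools import product as pairs


def run(T, q, prefix):
    """Simulate T from state q on a finite prefix.
    Returns (state, output, letters consumed); state is None if T halted."""
    out = []
    for i, b in enumerate(prefix):
        if b not in T[q]:
            return None, "".join(out), i
        o, q = T[q][b]
        out.append(o)
    return q, "".join(out), len(prefix)


def sccs(T):
    """Strongly connected components (Tarjan): the classes of the preorder of Claim 1."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for _, w in T[v].values():
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component: pop it
            comp, w = set(), None
            while w != v:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
            comps.append(frozenset(comp))

    for v in T:
        if v not in index:
            visit(v)
    return comps


def complete_absorbing_classes(T):
    """Claim 1: classes that no transition leaves, whose states all read both 0 and 1."""
    return {c for c in sccs(T)
            if all(w in c for v in c for _, w in T[v].values())
            and all(set(T[v]) == {"0", "1"} for v in c)}


def reaches_absorbing(T, q, prefix):
    """Lemma 5 on a finite prefix: True once T enters a complete absorbing class,
    False if T halts first, None if the prefix does not decide."""
    classes = complete_absorbing_classes(T)
    for b in prefix:
        if any(q in c for c in classes):
            return True
        if b not in T[q]:
            return False
        q = T[q][b][1]
    return True if any(q in c for c in classes) else None


def product(T1, T2):
    """Definition 5: keep a joint transition only when both transducers read the
    same input letter and write the same output letter."""
    T = {}
    for q1, q2 in pairs(T1, T2):
        T[(q1, q2)] = {}
        for b in ("0", "1"):
            if b in T1[q1] and b in T2[q2] and T1[q1][b][0] == T2[q2][b][0]:
                T[(q1, q2)][b] = (T1[q1][b][0], (T1[q1][b][1], T2[q2][b][1]))
    return T


def decide_equality(T1, q1, T2, q2, prefix):
    """Algorithm A of Theorem 1 run on a finite prefix of the input sequence.
    Returns "yes"/"no", or None when the prefix is too short to decide
    (which is what happens forever on the non-random input 0^omega)."""
    T = product(T1, T2)
    classes = complete_absorbing_classes(T)
    q = (q1, q2)
    for i, b in enumerate(prefix):
        if any(q in c for c in classes):
            return "yes"
        if b not in T[q]:                       # the product halts at position i
            s1, o1, n1 = run(T1, q1, prefix)
            s2, o2, n2 = run(T2, q2, prefix)
            halt_together = s1 is None and s2 is None and n1 == n2 == i
            return "yes" if halt_together and o1 == o2 else "no"
        q = T[q][b][1]
    return "yes" if any(q in c for c in classes) else None


ERASE = {"s": {"0": ("0", "s"), "1": ("0", "s")}}     # writes 0 whatever it reads
IDENT = {"s": {"0": ("0", "s"), "1": ("1", "s")}}     # copies its input
HALT = {"h": {"0": ("1", "h")}}                       # rejects at the first 1
TWO = {"p": {"0": ("0", "p"), "1": ("1", "r")},       # p incomplete, {r} absorbing
       "r": {"0": ("0", "r"), "1": ("1", "r")}}
```

`decide_equality(ERASE, "s", IDENT, "s", "0000")` returns None and stays undecided however many zeros follow, which is the situation of Figure 2; `decide_equality(ERASE, "s", IDENT, "s", "00010")` returns "no" at the first 1, and two copies of HALT on "0001" return "yes" because both halt at the same place with the same output "111".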
3 Classification of images of random sequences

In this part we are interested in the images of random sequences by letter to letter rational transducers. Theorem 2 shows the influence of the transducer's structure on the sequence we obtain.

Definition 6 A state q is partially indifferent if there are two different input words having the same length, leading to the same state from q and having the same image.

Definition 7 A state q is discriminating if there exists l > 0 satisfying the following property: from q, the images of two words $w_1$ and $w_2$ of length l end with the same letter if and only if $w_1$ and $w_2$ start with the same letter.

Theorem 2 Let T be a letter to letter rational transducer, let a be a random sequence accepted by T and let s denote T(a).
1. If $T_a$ does not contain any partially indifferent state then s is random;
2. (a) if $T_a$ contains at least one partially indifferent state then s is non-random. Moreover:
   (b) if $T_a$ contains a discriminating state then s is non-recursive;
   (c) if $T_a$ does not contain any discriminating state, then s is recursive and periodic: $s = u v^\omega$.
Remark 1 Let Q denote the number of states of a transducer T. We can show that the existence of a partially indifferent state in T is decidable in time $O(Q^2)$ and the existence of a discriminating state in T is decidable in time $O(2^{2Q})$.

Example 1 Call a transducer one-to-one if it defines an injective mapping on (infinite) sequences. A one-to-one transducer does not contain any partially indifferent state. The transducer of Figure 3 is a non-trivial example of a one-to-one transducer, which transforms a sequence a into 0a. It is non-trivial because it is not just an injective morphism of words.

Figure 3: A non-trivial one-to-one transducer (transition labels visible in the figure: 1/0, 0/0, 1/1, 0/1)
Example 2 Injectivity is not a necessary condition to map random sequences to random sequences. Consider the transducer T of Figure 4. Since the sequences $0^\omega$ and $10^\omega$ have the same image $01^\omega$, T is not a one-to-one transducer. However, T does not contain any partially indifferent state, since there is no state reachable from two transitions having the same output letter.

Figure 4: A many-to-one transducer without partially indifferent states

3.1 Proof
Proof of 1. and 2.(a) We have to show that s is random if and only if $T_a$ does not contain any partially indifferent state.

Only if: We prove that if $T_a$ contains at least one partially indifferent state q then s is non-random. Since q is a partially indifferent state, there are two words $w_1$ and $w_2$ leading to the same state q' from q and outputting the same word u. Let l be the length of $w_1$ and $w_2$. Let f be a coding function from $\{0,1\}^l$ to $\{0,1\}^l$ such that $f(w_1)$ and $f(w_2)$ differ only in their last letter. For example let $f(w_1) = v0$ and $f(w_2) = v1$, where v is a word of length l - 1. Let a' be defined as follows: in the sequence a we replace each word w of length l read from state q with v if $w = w_1$ or $w = w_2$, and with f(w) otherwise. The following program computes s with a' as an input.

Program P(a')
  Simulate T on input sequence a'
  Each time T reaches state q do
    Let w be the word of length l - 1 from the current position in a'
    If w = v then
      Output u
      Place T in state q'
    Else
      Let w be the word of length l from the current position in a'
      Let w' be the word such that f(w') = w
      Replace w with w' in a'
      Resume the simulation of T
    End if
  End do
End

The same arguments as in the proof of Lemma 3 enable us to conclude that s is non-random.
If: We prove that if $T_a$ does not have any partially indifferent state then s is random. Suppose that s is non-random. We show that this implies that a is non-random too. Let u(i, j) denote a recursive function mapping pairs of integers to words. Let $\Gamma_{u(i,j)}$ denote the set of all sequences having the prefix u(i, j), let $\Omega_i$ denote $\bigcup_j \Gamma_{u(i,j)}$ and let $\mu$ denote the uniform measure on the set of all sequences. Since s is non-random, s belongs to a constructive null set, i.e. there is a recursive function u(i, j) such that:

1. $\forall i \;\; \mu(\Omega_i) \le 2^{-i}$
2. $\forall i \;\; s \in \Omega_i$

Note that we can suppose that, given i, all the sets $\Gamma_{u(i,j)}$, $j \in \mathbb{N}$, are disjoint. We will define a function $\tilde{u}(i, j)$ mapping pairs of integers to words such that for all i we have $\{T(\tilde{u}(i,j)) \mid j \in \mathbb{N}\} = \{u(i,j) \mid j \in \mathbb{N}\}$. The following program P(i, j) computes $\tilde{u}(i, j)$ using the recursive function u(i, j) and the transducer T.

Program P(i, j)
  count = 0 ; k = 0
  Repeat
    k = k + 1 ; w = u(i, k)
    For all words w~ of length |w| do
      If T(w~) = w then
        count = count + 1
        If count = j then
          Output w~ ; Halt
        End if
      End if
    End for
  End repeat
End

Since u(i, j) is recursive, $\tilde{u}(i, j)$ is recursive too. Let $\tilde{\Omega}_i = \bigcup_j \Gamma_{\tilde{u}(i,j)}$. Since $\tilde{u}(i, j)$ is the preimage of some u(i, k), a belongs to $\tilde{\Omega}_i$ for all i. Moreover, each $\Gamma_{\tilde{u}(i,j)}$ has the same measure as the $\Gamma_{u(i,k)}$ it is mapped onto, since $\tilde{u}(i, j)$ and u(i, k) have the same length. Let Q be the number of states of T. Since $T_a$ does not contain any partially indifferent state, there are at most Q different words having the same image. Thus we have:

$\forall i \;\; \mu(\tilde{\Omega}_i) \le \sum_j Q\,\mu(\Gamma_{u(i,j)}) = Q\,\mu(\Omega_i) \le Q\,2^{-i}$

Hence a belongs to the constructive null set defined by $\tilde{u}(i, j)$: a is non-random. □
Proof of 2.(b) Let q be a discriminating state. There exists l > 0 such that, observing the last letter of the image of an input word of length l from q, we can retrieve the first letter of this input word. Assume for example that all words of length l starting with 0 (respectively with 1) have their images ending with 0 (respectively with 1). Suppose s is recursive. Let P be a program that computes s. Consider the sequence a' defined as follows: in the sequence a we delete the letters read at each occurrence of q. The following program computes a using P, T and a'. Let $q_0$ (respectively $q_1$) denote the state reached when 0 (respectively 1) is read at state q.

Program P(a')
  Repeat
    If T is in state q then
      Compute the l-th letter of s after the current position using program P
      If this letter is 0 then
        Output 0 ; Place T in state q0
      Else
        Output 1 ; Place T in state q1
      End if
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End

The same arguments as in the proof of Lemma 3 enable us to conclude that a is non-random. □
Proof of 2.(c) Firstly we prove the following property: for every state q of $T_a$, for all l, for all words $w_1$ and $w_2$ of length l, the images of $w_1$ and $w_2$ from q are the same. We use an induction on l to show this. W(q, l) denotes the set of image words of length l from q.

Step 1: The property is true for l = 1. Indeed each state outputs the same letter whatever the input letter is, since no state of $T_a$ is discriminating.

Step 2: Let q be a state of $T_a$. Let $q_0$ (respectively $q_1$) be the state reached from q when 0 (respectively 1) is read. Suppose the property is true for all $l \le L$. Thus all words of $W(q_0, L)$ (respectively $W(q_1, L)$) end with the same letter $b_0$ (respectively $b_1$). Since q is not discriminating, we necessarily have $b_0 = b_1$. Thus all input words of length L + 1 have images ending with the same letter from q.

We now prove that s is periodic, i.e. there are two words u and v such that $s = u v^\omega$. Let a' be the suffix of a read from the first occurrence of a recurrent state q. According to the previous property, we have $q(a') = q(0^\omega)$. Since the automaton is finite and deterministic, there is necessarily a loop. □
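The two structural tests of Theorem 2 and the classification they yield, as an added, runnable example that is not part of the paper. The search for a partially indifferent state runs two copies of T in lockstep over pairs of states (the $O(Q^2)$ bound of Remark 1); the search for a discriminating state follows the pair of state sets reachable after a first letter 0 or 1 until that pair repeats (at most $2^{2Q}$ values). DELAY is my reading of the labels of Figure 3 (an assumption): it outputs 0 and then the input one step late, and is discriminating at l = 2 since the last output letter of a two-letter word is its first input letter. DOUBLE and CONST are constructed: DOUBLE writes $a_1 a_1 a_3 a_3 \ldots$, in the spirit of the non-recursive example of section 1.1.3, and CONST writes $0^\omega$. The recurrent class $T_a$ is passed in explicitly; for these three transducers it is the whole state set.

```python
# Added example, not from the paper: the tests of Definitions 6 and 7 (with the
# costs of Remark 1) and the classification of Theorem 2 for a random input.
# A transducer is a dict state -> {input: (output, next_state)}.


def image(T, q, a):
    """T(a) for a finite prefix a accepted from state q."""
    out = []
    for b in a:
        o, q = T[q][b]
        out.append(o)
    return "".join(out)


def partially_indifferent(T, q):
    """Definition 6: from q, two distinct input words of the same length with the
    same image that lead to the same state. Explored on pairs of states run in
    lockstep (O(Q^2) pairs), with a flag telling whether the two words differ yet."""
    start = (q, q, False)
    seen, todo = {start}, [start]
    while todo:
        p1, p2, differ = todo.pop()
        if differ and p1 == p2:
            return True
        for b1, (o1, n1) in T[p1].items():
            for b2, (o2, n2) in T[p2].items():
                nxt = (n1, n2, differ or b1 != b2)
                if o1 == o2 and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return False


def discriminating(T, q):
    """Definition 7: some length l > 0 at which the last output letter of any
    input word of length l from q reveals its first input letter."""
    if set(T[q]) != {"0", "1"}:
        return False
    if T[q]["0"][0] != T[q]["1"][0]:        # l = 1: the image is the output at q
        return True
    # l >= 2: follow the sets of states reachable after first letter 0 / 1; the
    # pair of sets takes at most 2^(2Q) values, so the loop stops on a repeat.
    reach = (frozenset([T[q]["0"][1]]), frozenset([T[q]["1"][1]]))
    seen = set()
    while reach not in seen:
        seen.add(reach)
        last = [{T[s][b][0] for s in side for b in T[s]} for side in reach]
        if len(last[0]) == len(last[1]) == 1 and last[0] != last[1]:
            return True
        reach = tuple(frozenset(T[s][b][1] for s in side for b in T[s]) for side in reach)
    return False


def classify(T, Ta):
    """Theorem 2 for a random input whose recurrent class is Ta."""
    if not any(partially_indifferent(T, q) for q in Ta):
        return "random"
    if any(discriminating(T, q) for q in Ta):
        return "non-random, non-recursive"
    return "periodic"


# Figure 3 as read from its labels (assumption): outputs 0, then the input one step late.
DELAY = {"a0": {"0": ("0", "a0"), "1": ("0", "a1")},
         "a1": {"0": ("1", "a0"), "1": ("1", "a1")}}
# Constructed: writes a1 a1 a3 a3 ... (every odd letter twice); "z0"/"z1" are
# partially indifferent, "s" is discriminating at l = 1.
DOUBLE = {"s": {"0": ("0", "z0"), "1": ("1", "z1")},
          "z0": {"0": ("0", "s"), "1": ("0", "s")},
          "z1": {"0": ("1", "s"), "1": ("1", "s")}}
# Constructed: writes 0 whatever it reads, so every image is 0^omega.
CONST = {"c": {"0": ("0", "c"), "1": ("0", "c")}}
```

`classify(DELAY, set(DELAY))` returns "random" (case 1), `classify(DOUBLE, set(DOUBLE))` returns "non-random, non-recursive" (case 2(b)) and `classify(CONST, set(CONST))` returns "periodic" (case 2(c)).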
3.2 From an arithmetical point of view

The following theorem is an application of Theorem 2 within the frame of arithmetic. We call 'random real' a real number whose binary expansion is a random sequence. We remind the reader that a real is algebraic if it is the root of a polynomial equation having integer coefficients. A real is transcendental if it is not algebraic.

Theorem 3 The image of a random real by a letter to letter rational transducer is either rational or transcendental.

Proof Let a be the binary expansion of the image of a random real. If a has a finite complexity then, by Theorem 2, it is periodic and then the real number is rational. If a has an infinite complexity then the real number is transcendental. Indeed, since an algebraic number is a root of a polynomial equation with integer coefficients, it has a finite complexity: we can give more and more accurate approximations of this root using an algorithm. □
Open problems

In this first approach we have only considered letter to letter rational transducers. We should study whether the results we have obtained remain true in the general case. Moreover, we think that the links between simple and 'pure' algebraic objects (rational transducers) and 'pure' complex objects (random sequences), and also the links with Markov chains, should be studied thoroughly.
References

[Cal94] C. Calude. Information and Randomness, an Algorithmic Perspective. Springer-Verlag, 1994.
[CL88] M. Chrobak and M. Li. k + 1 heads are better than k for PDAs. J. Comput. Syst. Sci., 37:144-155, 1988.
[Lev73] L.A. Levin. On the notion of random sequence. Soviet Math. Dokl., 14:1413-1416, 1973.
[LV93] M. Li and P. Vitányi. A new approach to formal language theory by Kolmogorov complexity. SIAM J. Comput., 24:398-410, 1993.
[LV97] M. Li and P. Vitányi. An Introduction to Kolmogorov Complexity and its Applications. Springer-Verlag, 1997.
[ML66] P. Martin-Löf. The definition of random sequences. Inform. Control, 9:602-619, 1966.
[MS97] A. Mateescu and A. Salomaa. Aspects of classical language theory. In Handbook of Formal Languages, volume 1, pages 175-251. Springer-Verlag, 1997.
[MT96] S.P. Meyn and R.L. Tweedie. Markov Chains and Stochastic Stability. Springer-Verlag, 1996.
[Niv68] M. Nivat. Transductions des langages de Chomsky. Annales de l'Institut Fourier, 18:339-455, 1968.
[PD97] S. Porrot and M. Dauchet. Discrete curves complexity. Rapport interne, LAIL, 1997.
[Sch73] C.P. Schnorr. Process complexity and effective random tests. J. Comput. System Sci., 7:376-388, 1973.
[Sei86] J. Seiferas. A simplified lower bound for context-free-language recognition. Inform. Control, 69:255-260, 1986.
[Tho90] W. Thomas. Automata on infinite objects. In Handbook of Theoretical Computer Science, volume B, pages 133-191. Elsevier, 1990.
Resource Based Models for Asynchrony*

J. Rathke
Dipartimento di Informatica e Scienze dell'Informazione, Università degli Studi di Genova, via Dodecaneso 35, 16146 Genova, Italy
julianr@cogs.susx.ac.uk
Abstract

We propose a new graph-based approach to modelling asynchronous languages and show how the new model can be viewed as a collapse of the standard transition system model for asynchronous behaviour by utilising the commuting properties of asynchronous transitions. The motivation behind these new models stems from the issue of regularity for asynchronous processes. We note that the class of regular processes fails to contain many useful asynchronous processes and we identify a larger subclass of BPP accordingly. We call this new class asynchronously regular processes. Using the new models we provide two appealing abstract characterisations of asynchronous bisimulation equivalence, namely, as spans of open maps and as winning strategies for a bisimulation game. Also, by exploiting the coincidence of finite graphs with regular processes we see that bisimulation is polynomial time decidable over our class of asynchronously regular processes.
1 Introduction

It is becoming increasingly clear that the nature of output messages in languages such as the asynchronous π-calculus [2, 6], Pict [13] and the Join-calculus [4] is one of persistent resources. Recently, this persistence of output was exposed at the level of transition systems by identifying certain commuting properties guaranteed of asynchronous systems [14]. Given such a situation, it would seem reasonable to question whether transition systems afford a good representation of asynchronous processes. After all, the ordering of transitions in a graph is used merely to reflect the precedence of actions which can be performed by the process. The distinguishing feature of output actions is that they cannot preclude other actions; so why model them as transitions?

Our approach is to view output messages purely in terms of resources. Our models, resource graphs, have no output transitions but instead record the availability of output resources as computation progresses. This might be achieved by allowing each node to be a pair containing some 'state' of the system along with the multiset of resources which are currently available. In fact, we see in Section 3.1 that this is pretty much how the transition system model behaves, so little is to be gained from this solution. A much more compact representation is possible if we don't explicitly record the current resources available but simply see how resources become available. We augment each input and τ transition with the multiset of outputs which become available as a result of performing this transition. It should be clear that we will also need to store the information of which resources are initially available in a system. For example, the process $P = c!\,|\,a?(b!\,|\,b!\,|\,Q) + \tau.(d!\,|\,R)$ has an initial resource {c!} and two immediate transitions $P \xrightarrow{a?}$ and $P \xrightarrow{\tau}$ which release the resources {b!, b!} and {d!} respectively. We represent these two transitions as $P \xrightarrow{a,\{b,b\}} Q$ and $P \xrightarrow{\tau,\{d\}} R$, where the input/output sense of actions is now implicit. This move to recording resources on edges rather than at nodes allows many more infinite state processes to be modelled by finite resource graphs.

*On leave from the University of Sussex. Supported by the EU-HCM Express network.
Figure 1: Transition system and resource graph for a! | (b?(b! | τ.nil)) (diagrams not reproduced)
To contrast the standard transition system models with the resource graph interpretation of a process consider the example process in Figure 1. The redundancy in the transition system model is highlighted well by the uniform shape of asynchronous transition systems imposed by Selinger's axioms [14]. We know, owing to the asynchronous nature of the language, that the a! is possible at the initial node and, until it is used, will continue to be available; thus in the resource graph model this information is utilised to create a more compact graph. The models for the process P = a?(b! | P) are more illuminating. This process will in fact be modelled by an infinite transition system,

[diagram: an infinite chain of a? transitions, with one further b! transition available after each a?]

yet the structure of the process is very simple: at all times there is an a? action possible and for each a? action performed an additional b! resource becomes available. Initially there are no b! resources available. In fact, this gives us a resource graph with a single node, whose initial resource set is empty and which has a single looping transition labelled a,{b}.

[diagram: the one-node resource graph with its a,{b} self-loop]
So far we have shown how we could tailor transition systems to be more suited to modelling asynchronous processes. But we must consider how this would actually benefit us. The examples show us that we immediately have a more compact representation of systems, so this could clearly be useful when it comes to checking equivalence of processes. Ideally we could check bisimulation between processes by building their resource graphs and checking some kind of bisimulation on these. This would necessitate defining the appropriate notion of bisimulation for resource graphs. Given such a situation, we would easily obtain a decision procedure for checking bisimilarity for the class of processes which receive finite resource graph models. It is well known that finite state transition systems correspond (up to strong bisimulation) to regular processes in CCS, that is, processes which make no use of the static operators, parallel composition and restriction, underneath recursion [9, 10]. If we forbid the use of parallel composition and restriction under recursion in asynchronous CCS we lose a great deal of expressive power; in fact, we lose the ability to perform more than a finite number of output actions. This sorry state of affairs would mean that even the paradigmatic asynchronous buffer process rec X.a?(a! || X) is not expressible. This restricted use of parallelism is certainly too strong for asynchronous languages and we must consider a weaker notion of regularity. We propose that a parallel composition p || q in the scope of recursion binders be allowed providing that either p or q is merely an output message; we call such processes asynchronously regular. The class of asynchronously regular processes would now include the asynchronous buffer process shown above as well as many other infinite state processes. Moreover, all such processes will be modelled by finite resource graphs. In order to define bisimulation on resource graphs we appeal to the abstract definition proposed by Joyal, Nielsen and Winskel [7]. This definition simply requires us to choose a suitable category in which to observe basic computation paths. Using intuition gleaned from [1] to choose our notion of morphism of resource graphs, we see that the notion of asynchronous bisimulation proposed in [1] exists in an abstract form. The key to our choice of morphism lies in understanding internal τ actions as a pair of unspecified synchronising actions, hidden from the environment. One may like to think of τ prefixing as syntactic sugar for νa.(a! | a?P). We consider what effects specifying a name, a, for these actions, and allowing them to be seen by the environment, has; call this specified synchronising pair τ_a, so one might think of τ_a prefixing as a! | a?P. To define our notion of morphism on resource graphs we discuss general considerations about morphisms of labelled graphs. We think of a morphism f : G → G' between two labelled graphs as representing that G' is a refinement of G. That is to say that G is more specified than G'. A morphism should refine transitions of the graph in some way. We will outline what we understand by refinement. Transitions represent both local communication, τ moves, and capacity for interacting in a more global sense, a? and a! moves. Given a process p, we can observe the global computations it can engage in by inducing them using an environment process e situated in parallel with p. We say that e offers an action a!, say, if e --a!-->, and that p accepts this offer if it synchronises with e to perform an internal reduction or computation. A transition p --α--> p' of some transition system can be understood then as saying that the least offer one need make p to observe some synchronisation and reduction to p' is the complement ᾱ of α, where the complement of a! is a?, the complement of a? is a!, and the complement of τ, specified or not, is empty. The ordering on offers is simply that the empty offer is less than all other offers, which are incomparable. We will expect that any τ_a transition can be refined by a τ transition because we have information about the computation yielded by τ_a, the name of the channel on which synchronisation occurs, that we do not have of the computation given by the τ action. We say that a computation is covert if we do not know the name of the synchronising channel. All computations induced by τ prefixes are covert. Using this definition we say that p --α--> p' f-refines q --β--> q' if p maps to q and p' maps to q' under the morphism f, such that the least offer ᾱ made to p can also be accepted by q to induce a reduction to q'. If the induced computation of p is covert then the corresponding induced computation of q must also be covert. More precisely we ask that

ᾱ || p --τ--> p' implies ᾱ || q --τ--> q'

such that if we don't know the name on which p synchronises then we cannot know the name on which q synchronises. We can see that the following refinements hold for transition systems:

p --α--> p' f-refines f(p) --α--> f(p'),
p --τ_a--> p' f-refines f(p) --τ--> f(p'),
and these give rise to a fairly unsurprising definition [16] of morphism for asynchronous transition systems. However, we observe a peculiarity in the category of resource graphs. Edges of resource graphs are labelled with pairs, m --a,S--> m'. Refinement of these edges will have to take into account the resources which are collected. To spell this out we say m --α,S--> m' f-refines n --β,S'--> n' if m maps to n, and m' maps to n', such that the least offer ᾱ which (covertly) reduces m to state m' with S extra resources can also be accepted by n so that the (covert) reduction induced takes us to state n' with the same extra resources. Under this definition we have the following refinements:

m --τ_a,S--> m' f-refines f(m) --τ,S--> f(m'),
m --a,S+{a}--> m' f-refines f(m) --τ_a,S--> f(m'),
m --a,S+{a}--> m' f-refines f(m) --τ,S--> f(m').

The second refinement holds because the least offer a! made to m can be accepted by f(m) to reduce to f(m') with S extra resources, along with the extra a resource which was unused by the τ_a. By considering refinement to be transitive we can dispense with the idea of m --τ_a,S--> m' transitions for resource graphs altogether and simply use m --a,S+{a}--> m' instead. The chief feature of our resource graph morphisms then is that a morphism from R to R' allows us to specify in R a name for an internal synchronisation in R'. We reinforce these intuitions by exploiting the game theoretic characterisation of bisimulation to highlight the rôle of τ synchronisations as specified and unspecified pairs of actions. We briefly outline the structure of the remainder. The following short section recalls the category of transition systems and describes the asynchrony axioms. In Section 3 we define our category of resource graphs and relate them to transition systems. Bisimulation equivalence is defined as the span of open maps in this category and we characterise it using bisimulation-like relations. The game theoretic description of this equivalence is spelled out in Section 4. We demonstrate the usefulness of our models in Section 5 by giving an enhanced notion of regularity for asynchronous systems and prove that bisimulation equivalence is polynomial time decidable over this class. Section 6 contains our conclusions.

Acknowledgments: The author(s) would like to thank Catuscia Palamidessi and Guy McCusker for carefully reading a draft of this paper and suggesting many improvements. Thanks also to Colin Stirling for providing some useful pointers in the literature. This work was carried out during research visits at INRIA, Sophia-Antipolis and the University of Genova, which were funded by the EU-HCM Express network.
I would sincerely like to thank Catuscia Palamidessi and Ilaria Castellani and their respective institutions for their extreme generosity and for directing me in my research.
2 Asynchronous systems

We recall, from [16], the definition of the category of transition systems, TS, and describe the subcategory, ATS, of asynchronous transition systems, as characterised by Selinger. Firstly, objects of TS are transition systems (N, n0, L, →) where n0 is a specified initial node. Morphisms in TS are pairs of morphisms (σ, λ) : (N, n0, L, →) → (N', n0', L', →) such that σ : N → N' and λ : L → L' is a partial function with the property that n --a--> n' implies

σn --λa--> σn' if λa is defined,
σn = σn' otherwise.

Composition of morphisms is given by pairwise (partial) function composition and the identity morphisms are simply pairs of identity functions on the respective sets. A morphism (σ, λ) : T → T' indicates that T' is a refinement of T in the sense that T is more specified than T'. Observe that T may have more atomic actions than T' with extra transitions pertaining to these actions. Also, T may have a more specific structure than T', with less non-determinism and fewer transitions. Indeed, when the λ component of a morphism is the identity then this morphism is simply an inclusion of T in T'. This idea of a morphism being a refinement is examined again in the category of resource graphs. The particular sub-category ATS of TS in which we are interested is described as follows. Objects of the category are transition systems whose label set L is typed, that is, L ⊆ A × {!, ?, τ} ∪ {τ} where A is some set of channel names. That is, each action is either an output, a!, an input, a?, the result of a synchronisation of these, τ_a, or an internal, hidden, synchronisation, τ. These transition systems are subject to certain axioms, presented in Figure 2, which characterise their asynchronous behaviour [14]. Morphisms of ATS are similar to morphisms in TS except that the relabelling component λ is now a partial function on A. We write τ_? to mean either τ_a or τ and define λa! = (λa)!, λa? = (λa)?, λτ = τ, and λτ_a = τ_{λa}. Composition and identities are defined as in TS.
Figure 2: Axioms for asynchronous transition systems (the axiom diagrams are not legible in the scan and are not reproduced)
3 Resource graphs

A resource graph is a graph based model for systems in which there is some notion of resource, that is, some action which is persistent and not subject to reactive behaviour. A resource's use is never precluded. The particular application we have in mind is for modelling asynchronous systems wherein the ! actions of the systems are considered as resources. Formally, a resource graph is a quintuple (M, A, m0, S0, ~>) where M is a set of nodes, A is some set of names, m0 is a specified initial node in M and S0 is a multiset of resources which are initially available. We write A^⊕ for the set of all multisets over the set A. So we see that S0 ∈ A^⊕. The edges of the graph are given by ~> ⊆ M × (A ∪ {τ}) × A^⊕ × M and we write m --a,S--> m' if (m, a, S, m') ∈ ~>. We will use + and − to denote union and difference, where multiset difference S − S' is a partial operator and is only defined when S' ⊆ S. These operators are extended pointwise to multiset valued functions.
We can now describe our category of resource graphs; in fact we describe two. The first, RG, has morphisms similar to the category ATS in that a morphism represents refinement by introducing extra atomic actions and embedding. We use this category to relate the standard transition system models to resource graph models. The second category we define, RGA, contains morphisms which, following the ideas outlined in the introduction, also allow refinement by specifying on which name a synchronisation takes place. The two categories are such that RG is a lluf sub-category of RGA. The objects of RG are resource graphs. A morphism (σ, λ, φ) from R = (M, A, m0, S0, ~>) to R' = (M', A', m0', S0', ~>) is a triple where σ is a function M → M', λ is a partial function A ∪ {τ} → A' ∪ {τ} which preserves τ, and φ is a function M → A'^⊕ such that the following conditions are satisfied:

(i) σm0 = m0'
(ii) λS0 + φm0 = S0'
(iii) m --a,S--> m' implies σm --λa,S'--> σm' where S' = λS + φm' − φm, if λa is defined; σm = σm' and λS = ∅, φm = φm' otherwise.

The φ component of a morphism allows for a resource graph to be embedded within a larger resource graph containing additional resources available at each node. Identity morphisms in RG are of the form (Id, Id, C_∅) where C_∅ denotes the constant empty multiset function. Composition is defined by (σ, λ, φ); (σ', λ', φ') = (σ; σ', λ; λ', (φ; λ' + σ; φ')). It is straightforward enough to check that RG is indeed a category.
3.1 Relating the transition system and resource graph models

We describe an adjunction ATS ⇄ RG, with functors ar : ATS → RG and ra : RG → ATS, between our category of asynchronous transition systems and our simple category of resource graphs. The counit of this adjunction is in fact an isomorphism so the adjunction is a reflection. The functor ra : RG → ATS acts on objects as follows: ra(M, A, m0, S0, ~>) = (M × A^⊕, A, (m0, S0), →) where → is defined by

(m, S + {a}) --a!--> (m, S)
(m, S) --a?--> (m', S') if m --a,S''--> m' and S' = S + S''
(m, S) --τ--> (m', S') if m --τ,S''--> m' and S' = S + S''
(m, S + {a}) --τ_a--> (m', S') if m --a,S''--> m' and S' = S + S''.
On morphisms we have that ra(σ, λ, φ) = (σ', λ) where σ'(m, S) = (σm, λS + φm). In the other direction we need a couple of preliminary definitions before we can describe ar. Firstly, given an asynchronous transition system we let ≈ denote the least equivalence on its nodes such that n --a!--> n' implies n ≈ n'. Secondly, we write n --S--> if there exists a (possibly infinite) sequence of transitions

n --a1!--> n1 --a2!--> ...  --ak!--> nk --a_{k+1}!--> ...

such that Σ_k {a_k} = S. Define Outs(n) to be the maximum S such that n --S-->. We can now describe our functor ar. On objects:

ar(N, n0, L, →) = (N/≈, A, [n0], Outs(n0), ~>)

where A is the first projection of the label set L ⊆ A × {!, ?, τ} and ~> is defined by

[n] --a,S--> [n'] if n --a?--> n' and S = Outs(n') − Outs(n),
[n] --τ,S--> [n'] if n --τ--> n' and S = Outs(n') − Outs(n).

The reader is invited to check that the asynchrony axioms guarantee that Outs(n) ⊆ Outs(n'), thus ensuring that this does define a resource graph. On morphisms we have that ar(σ, λ) = ([σ], λ, (σ; Outs(_) − Outs(_); λ)) where [σ][n] = [σn] and the third component is applied to any representative of the ≈ equivalence class. This is a well-defined resource graph morphism because of the asynchrony axioms.

Theorem 3.1 ar is left adjoint to ra; moreover the counit, ra; ar ⇒ Id, of the adjunction is an isomorphism.

Proof: The counit of the adjunction is (ε, Id, C_∅) where ε((m, S)) = m. This is easily seen to be natural and universal and it has an inverse (Id, ε^{-1}, C_∅) where ε^{-1}(m) = (m, ∅). Dually, the unit of the adjunction is (Id, _ × Outs(_)). □

We see that the unit of the adjunction does not necessarily have an inverse. This is because in mapping our resource graph to a transition system we consider all configurations of nodes and multisets. This includes many configurations which don't necessarily arise during computation. Thus, if we restrict our attention to those configurations which are reachable, in some sense, then we can find an inverse for our unit. To this end, define the set of reachable configurations of a resource graph to be Reach(m0, S0) where Reach is defined inductively as follows:

Reach_0(m, S) = ∅
Reach_{n+1}(m, S) = {(m, S') | S' ⊆ S} ∪ ⋃_{m --a,S''--> m'} Reach_n(m', S'' + S).

Let Reach(m, S) = ⋃_{n≥0} Reach_n(m, S).
We immediately note that all reachable configurations of the resource graph ar(T) are of the form (n, Outs(n)) for some n ∈ T. Thus, by replacing the set of all configurations M × A^⊕ by just the reachable ones, Reach(m0, S0), we can obtain an equivalence between the sub-categories of ATS and RG whose graphs only contain reachable states.

3.2 A larger category of resource graphs
We now consider a slightly more general category RGA of which RG is a lluf sub-category, that is, the objects of RGA are exactly the objects of RG. The extension lies in the notion of morphism. We relax the definition of morphism of resource graphs in accordance with the motivation outlined in the introduction. The generalisation is tantamount to allowing a τ action of the target graph to be specified as a synchronisation on a particular name. We argued that a synchronisation on channel a is a refinement of the action a? where an extra a! resource is made available. The new notion of morphism utilises this observation. A morphism of RGA is a triple (σ, λ, φ) as above; however we ask that the following conditions be satisfied instead:

(i) σm0 = m0' as above
(ii) λS0 + φm0 = S0' as above
(iii) m --τ,S--> m' implies σm --τ,S'--> σm'
(iv) m --a,S--> m' implies σm --λa,S'--> σm' or σm --τ,S''--> σm', if λa is defined; σm = σm' and λS = ∅, φm = φm' otherwise,
where S' = λS + φm' − φm and S'' = λ(S − {a}) + φm' − φm. Identities and composition are defined as in RG, and RGA is also seen to be a category.

3.3 Bisimulation on resource graphs
We propose a definition of bisimulation, suitable for resource graphs, in abstract form. Namely, we use the machinery of open maps [7] to declare two resource graphs with the same label set A bisimilar if there exists a span of open maps between them in the sub-category RGA_0 of RGA. All of this sub-category's objects have label set A and all morphisms have the identity as the λ component. Furthermore, edges in the graphs of RGA_0 enjoy the following determinacy conditions:

m --a,S--> m' and m --a,S'--> m' implies S = S',
m --τ,S--> m' and m --τ,S'--> m' implies S = S'.
One should note that this determinacy condition is a technical restriction and can easily be enforced in an arbitrary resource graph by simply sending offending pairs of transitions to different targets. We define paths in RGA_0 to be resource graphs of the form

m0 --a1,S1--> m1 --a2,S2--> ... --ak,Sk--> mk

with initial node m0 and initial resources S0. Recall that we call a morphism f : R → R' open if for all paths P, Q such that the square formed by an inclusion P ↪ Q, a morphism P → R, a morphism Q → R' and f : R → R' commutes, we have a morphism h : Q → R such that both resulting triangles, P ↪ Q → R and Q → R → R', also commute (we use ↪ to denote inclusion morphisms). Define bisimulation then as R ~o R' iff there exists a span of morphisms f and g from some common resource graph to R and to R' with f, g open. It is easy to see that ~o is both reflexive and symmetric, but to prove that it is transitive it is sufficient to check that RGA_0 has pullbacks [7].

Proposition 3.2 RGA_0 has pullbacks, which makes ~o an equivalence relation.
3.4 Characterising ~o

The abstract definition of bisimulation using open maps, while being quite general, is not particularly illuminating. For this reason it is natural to seek simpler characterisations of this relation. To this end we consider the following class of relations. For resource graphs (M, A, m0, S0, ~>) and (M', A, m0', S0', ~>) such that S0 = S0' we call a symmetric relation B on M × M' a resource graph bisimulation if (m0, m0') ∈ B and whenever (m1, m2) ∈ B then

• if m1 --a,S--> m1' then there exists an m2' such that m2 --a,S--> m2' with (m1', m2') ∈ B, or m2 --τ,S'--> m2' with (m1', m2') ∈ B and S' + {a} = S, and
• if m1 --τ,S--> m1' then there exists an m2' such that m2 --τ,S--> m2' with (m1', m2') ∈ B.
We write R ~rg R' if there exists a resource graph bisimulation relating R and R'.

Theorem 3.3 ~rg and ~o coincide.
3.5 A model for asynchronous CCS
We recall the notion of asynchronous bisimulation, ~as, as proposed by Amadio, Castellani and Sangiorgi [1] (albeit for the π-calculus and without τ_a actions) and show that the functor ar and the equivalence ~o provide a fully abstract interpretation for ~as. A symmetric relation B on asynchronous CCS processes is called an asynchronous bisimulation if whenever (p, q) ∈ B we have

• if p --a!--> p' then there exists a q' such that q --a!--> q' with (p', q') ∈ B.
• if p --τ_a--> p' then there exists a q' such that q --τ_?--> q' with (p', q') ∈ B.
• if p --τ--> p' then there exists a q' such that q --τ--> q' with (p', q') ∈ B.
• if p --a?--> p' then there exists a q' such that q --a?--> q' with (p', q') ∈ B, or q --τ--> q' with (p', a! | q') ∈ B.

Recall that τ_? means either τ_a or τ. The largest such relation will be denoted ~as. By considering asynchronous processes as asynchronous transition systems, via operational semantics, we can interpret processes as resource graphs by means of the functor ar. This interpretation is fully abstract for ~as.

Theorem 3.4 For asynchronous processes p and q, p ~as q if and only if ar(p) ~o ar(q).

Proof: Show p ~as q iff ar(p) ~rg ar(q) and use Theorem 3.3.

The reader should note that ~as is an atypical notion of bisimulation for transition systems and differs from the one in [1] in that τ actions must be matched solely by τ actions, thereby disallowing the possibility of matching with a τ_a action. A more standard notion of equivalence is gained by replacing the third matching condition above with

if p --τ--> p' then there exists a q' such that q --τ_?--> q' with (p', q') ∈ B.

Let ~+as denote the equivalence yielded by this modification. This situation is of course rather unsatisfactory in general, but we can at least console ourselves with the fact that ~as coincides with the more standard ~+as on the class of transition systems for which Outs is always finite at each node. In particular ~as and ~+as coincide on our class of regular processes in Section 5.

Proposition 3.5 ~as and ~+as coincide on the class of transition systems such that Outs is finite at each node.
Proof: One inclusion is immediate. For the reverse inclusion we need to show that ~+as is an asynchronous bisimulation. The only way that ~+as may fail to be an asynchronous bisimulation is if, given p ~+as q, we have p --τ--> p' being matched by q --τ_a--> q' for some q'. We show that there must be a matching τ transition in this case. Now, we know that Outs(p) is finite and that each of these output transitions from p must be matched by q. Therefore there exist p0, q0 such that

p --a1!--> ... --an!--> p0 and q --a1!--> ... --an!--> q0,

Outs(p0) = Outs(q0) = ∅ and p0 ~+as q0. We know that asynchrony ensures p0 --τ--> p0' for some p0' and that this must be matched by q0 --τ--> q0' because q0 can no longer perform a τ_a transition as Outs(q0) = ∅. Again, by asynchrony we know that q --τ--> q'' for some q''. It is easy to check that p' ~+as q'' follows from p0' ~+as q0'. □
4 Game theoretic description of ~o
We extend our characterisation of asynchronous bisimulation further by showing how the notion can be captured as winning strategies of a suitable game. The use of games to characterise bisimulation has provided a conceptually powerful tool for understanding bisimulation as an equivalence which captures interaction [15]. In our setting the game characterisation helps us understand the rôle of τ as a pair of unspecified, complementary actions. We give a general definition of what we mean by a game and instantiate this definition later to give us our appropriate equivalence. So, a game Γ is a quadruple (C, c0, ▷, λ) where C is a set of configurations with a specified initial configuration c0. The relation ▷ ⊆ C × C comprises the rules of the game. This relation tells us how play may continue from one move to the next. The function λ : C → {O, P} labels moves as either Opponent or Player moves according to who is next to play; we require λc0 = O and λc ≠ λc' whenever c ▷ c'. A play of a game is a sequence

c0 ▷ c1 ▷ c2 ▷ ... ▷ ck ▷ ...

We write P(Γ) for the set of all plays and abuse notation by writing λcs to mean the label of the last move of cs (if it exists). A play, cs, is called maximal if it is infinite or cannot be extended, that is, there is no move c such that cs ▷ c. We say that O wins the finite play cs if λcs = P and cs is maximal. Dually, we say that P wins a (possibly) infinite play if λcs = O and the play is maximal. A strategy for O is a partial function from Pos(O) = {cs | λcs = O} to M(P) = {c | λc = P}. We can define a strategy for P similarly. Given an O-strategy π_O, we write P(π_O) for

{cs ∈ P(Γ) | ∀cs' ⊑ cs. λcs' = O implies (cs' ▷ π_O(cs')) ⊑ cs}

where ⊑ is the prefix ordering on plays. We say that the strategy π_O is winning if all maximal plays of P(π_O) are finite and labelled P. Dually, we can define P(π_P) for player strategies π_P and say that π_P is winning if all maximal plays of P(π_P) are infinite or labelled O.
4.1 The asynchronous bisimulation game
We can now describe the game which characterises asynchronous bisimulation simply by describing the configurations of the game and the rules. Before formally defining these, however, we give an intuitive explanation of the game. Imagine a table containing a pile of cards, labelled with names from some set A, arranged in such a way as to model a resource graph. In addition to this pile of cards there is a hand of cards kept as a reserve. So, if the resource graph has an m --a,S--> m' transition, this means there will be an a card available for play from the pile. If it is played then the cards in S must be picked up and kept in the reserve hand and the pile of cards will now reflect state m'. If the resource graph has an m --τ,S--> m' transition then the player has a blank card available. If she wishes to play this blank card she must pencil in a name, play it, pick up the cards in S for the reserve hand and in addition to these must fill in a blank card with the same name and place it in the reserve hand. A card from the reserve hand may be played irrespective of the pile of cards representing the resource graph. A configuration of our game is a pair of the above tables, that is, two tables with a pile of cards and a separate reserve hand each. At each turn, Opponent can play a card from either table and Player must play the same card from the other table. The only extra condition is that a card from a reserve hand is played by Player if and only if Opponent has played her card from a reserve hand. Opponent always starts and play continues until one of the players becomes stuck. Opponent wins if Player becomes stuck and Player wins otherwise. To formalise this, given two resource graphs R = (M, A, m0, S0, ~>) and R' = (M', A, m0', S0', ~>) we describe the game Γ_A(R, R') as the quadruple (C, c0, ▷, λ) where C is the set of all ((m, S), (m', S'), zs, d) such that m ∈ M, m' ∈ M', S, S' ∈ A^⊕, zs ∈ (A × {!, ?})* and d ∈ {L, R, E}. Clearly, the nodes of the resource graphs represent the piles of cards on the tables and the respective multisets represent the reserve hands. We use the list zs to represent the cards that have already been played and d merely to indicate which table must be played from next, the Left, Right or Either. The cards in zs are tagged with a ! or a ? to indicate whether the card was played from a table or a reserve hand. It should be no surprise then that the initial configuration is c0 = ((m0, S0), (m0', S0'), ε, E).

Left Rules: if d ∈ {L, E}
Table: ((m, S), (m', S'), zs, d) ▷ ((m'', S + S''), (m', S'), a?:zs, d̄) if m --a,S''--> m'' and d = L implies hd(zs) = a?
Reserve: ((m, S), (m', S'), zs, d) ▷ ((m, S − {a}), (m', S'), a!:zs, d̄) if d = L implies hd(zs) = a!
Blank: ((m, S), (m', S'), zs, d) ▷ ((m'', S + S'' + {a}), (m', S'), a?:zs, d̄) if m --τ,S''--> m'' and d = L implies hd(zs) = a?

Right Rules: if d ∈ {R, E}
Table: ((m, S), (m', S'), zs, d) ▷ ((m, S), (m'', S' + S''), a?:zs, d̲) if m' --a,S''--> m'' and d = R implies hd(zs) = a?
Reserve: ((m, S), (m', S'), zs, d) ▷ ((m, S), (m', S' − {a}), a!:zs, d̲) if d = R implies hd(zs) = a!
Blank: ((m, S), (m', S'), zs, d) ▷ ((m, S), (m'', S' + S'' + {a}), a?:zs, d̲) if m' --τ,S''--> m'' and d = R implies hd(zs) = a?

where L̄ = E, Ē = R and R̲ = E, E̲ = L.

Figure 3: Rules for the asynchronous bisimulation game
We can label moves by using the last component so that λc = P if d ∈ {L, R} and λc = O if d = E. The rules for the game are given in Figure 3 and fall into three pairs of symmetric rules which describe the moves of playing a card from the table, playing a card from the reserve hand and playing a blank card by pencilling in a name. We write R ~Γ R' if there exists a winning Player strategy according to the rules of Γ_A(R, R'). It is simple enough to see that this is indeed an equivalence relation; in fact this is exactly resource graph bisimulation.

Theorem 4.1 ~rg coincides with ~Γ.

Proof: It is easy to see that ~rg ⊆ ~Γ. For the reverse inclusion, given a winning strategy, it is sufficient to build a bisimulation relation. This is constructed as pairs of nodes which occur in the configurations of plays according to the winning strategy. We take exactly those pairs which occur after Player moves. To see that this will be a resource graph bisimulation we note that τ transitions must be matched by τ transitions, for otherwise Opponent could win by choosing a fresh name to pencil in on the blank card given by the τ action. Player couldn't hope to match this unless he also had a τ move available. To see that the resources being collected by each graph must be identical we note that, otherwise, Opponent could win by simply playing a move from the larger of the two reserve hands.
5 Regular asynchronous processes
We hinted earlier that our new model would lend itself to providing a notion of regular process for asynchronous calculi whereby regular terms have finite graphs. By finite graph we mean finitely many nodes, finitely many transitions and each resource multiset is finite. So far we have interpreted asynchronous CCS in Tr indirectly by first giving an .AT"S semantics and then applying the functor at. This approach suffices for modelling our language; indeed, to establish a regular term/finite resource graph relationship one need only show that the equivalence relation used by the functor ar has finite index on transition systems generated by regular terms. However, this method is slightly unsatisfactory as it involves building potentially infinite graphs and collapsing them. What would be more pleasing is a direct interpretation of aCCS in 7~.A by which regular terms immediately receive finite graph models. Furthermore, we should require that this interpretation be compositional and coincides (up to equivalence) with the indirect interpretation. In fact, for our purposes it suffices to interpret what we will refer to as (asynchrononsly} regnlar terms of aCCS. These can be characterised by the following grammar
$$p ::= \mathit{nil} \;\mid\; X \;\mid\; a! \parallel p \;\mid\; p \parallel a! \;\mid\; \sum_{i \in I} \alpha_i.p_i \;\mid\; \mathrm{rec}\,X.p$$
where $I$ is a finite indexing set, $X$ is drawn from some set of variables $\mathit{Var}$, the $\alpha_i$ are either $a?$ or $\tau$, and all recursions are guarded. We adopt the conventional notions of free and bound variables here. To interpret recursion, we take the approach of [9] and augment resource graphs with an extra component. This new component, $\triangleleft$, is a relation on nodes of the graph and the ambient set of recursion variables, $\mathit{Var}$. We say that a variable, $X$, is unguarded at a node $m$ if $m \triangleleft X$, and we call a resource graph closed if

For resource graphs $R = (\mathcal{M}, A, m_0, S_0, \to, \triangleleft)$ and $R' = (\mathcal{M}', A', m_0', S_0', \to', \triangleleft')$ the tensor $R \otimes R'$ is defined in the obvious way as
$$R \otimes R' = (\mathcal{M} \times \mathcal{M}',\ A + A',\ (m_0, m_0'),\ S_0 + S_0',\ \to_\otimes,\ \triangleleft \cup \triangleleft')$$
where $(m, n) \xrightarrow{a,S}_\otimes (m', n)$ if $m \xrightarrow{a,S} m'$, and $(m, n) \xrightarrow{a,S}_\otimes (m, n')$ if $n \xrightarrow{a,S} n'$. The tensor unit is $I = (\{*\}, \emptyset, *, \emptyset, \emptyset, \emptyset)$. The definition of $\otimes$ easily lifts to morphisms to become a bifunctor on RGA. We interpret an output action $a!$ as the resource graph $(\{*\}, \{a\}, *, \{a\}, \emptyset, \emptyset)$ and we will refer to this graph simply by $a!$. Similarly, we use the name $X$ to refer to the resource graph $(\{*\}, \emptyset, *, \emptyset, \emptyset, \{(*, X)\})$.
Another useful operation is that of the lifted sum of resource graphs. Given an $I$-indexed set of graphs $R_i$, an $I$-indexed set of actions $\alpha_i$, and a multiset $S$, we define
$$\Sigma(\alpha_i, R_i) = \Big(\big(\biguplus_{i} \mathcal{M}_i\big) + \{*\},\ \bigcup_i A_i \cup \{a \mid \alpha_i = a?\},\ *,\ \emptyset,\ \to_\Sigma,\ \bigcup_i \triangleleft_i\Big)$$
where

Finally, we describe how we interpret recursion over resource graphs. Given a graph $R$, we define $\mathrm{rec}\,X.R$ to be the graph $(\mathcal{M}, A, m_0, S_0, \to_+, \triangleleft_+)$, where $\triangleleft_+$ is just $\triangleleft$ with all pairs $(m, X)$ removed. $\to_+$ is defined in two steps. Firstly, define $m \to_0 m'$ if $m \to m'$ and $m' \ntriangleleft X$, and $m \to_1 m'$ if $m \to m'$ and $m' \triangleleft X$. Then, let $m \to_+ m'$ if $m \to_0 m'$ and $m \triangleleft X$, or $m \to_1 m'$. The informed reader will notice that this definition of recursion differs slightly from that in [9] and is not sufficient to model general recursion, but we exploit the property that regular terms never have more than one unguarded variable to give a simple definition. These operators now allow us to interpret regular terms of aCCS in the desired manner:
$$\llbracket \mathit{nil} \rrbracket = I \qquad \llbracket X \rrbracket = X \qquad \llbracket a! \parallel p \rrbracket = a! \otimes \llbracket p \rrbracket \qquad \llbracket p \parallel a! \rrbracket = \llbracket p \rrbracket \otimes a!$$
$$\llbracket \mathrm{rec}\,X.p \rrbracket = \mathrm{rec}\,X.\llbracket p \rrbracket \qquad \Big\llbracket \sum_{i} \alpha_i.p_i \Big\rrbracket = \Sigma(\alpha_i, \llbracket p_i \rrbracket)$$
Let $\hat{p}$ denote the transition system that would model $p$ using the standard SOS semantics of CCS.

Proposition 5.1
(i) The resource graph $\llbracket p \rrbracket$ is finite for any regular term $p$.
(ii) If $p$ is closed then $\llbracket p \rrbracket$ is a closed graph.
(iii) Every finite closed graph is $\sim_{rg}$ equivalent to $\llbracket p \rrbracket$ for some regular $p$.
(iv) $ar(\hat{p}) \sim_{rg} \llbracket p \rrbracket$.

This firmly establishes the correspondence between asynchronously regular terms and finite resource graphs.
5.1 Deciding bisimulation equivalence
To see the usefulness of having finite models we need only look at the problem of deciding bisimulation equivalence. It is evident that $\sim_{as}$ will be a decidable equivalence over asynchronously regular terms due to work on infinite state transition systems [3]. Specifically, asynchronously regular terms are a small subclass of BPP, and bisimulation equivalence is decidable over this class of processes. What is not clear, however, is the complexity of this decision procedure. The proofs that bisimulation equivalence is decidable over BPP do not provide any upper bounds for the decision procedure [5, 11]. The class of asynchronously regular processes is much simpler than BPP and therefore allows us to find such bounds. In fact, because our models for this class are finite, standard techniques apply [8, 12].

Theorem 5.2 Asynchronous bisimulation equivalence, $\sim_{as}$, is decidable in polynomial time for (asynchronously) regular processes.

Proof: In order to decide $P \sim_{as} Q$, by Proposition 5.1, Proposition 3.5 and Theorem 3.4 it is sufficient to check $P \sim_{rg} Q$. We know by Proposition 5.1 (i) that these resource graphs are finite. The decision procedure now follows by first checking the initial resource sets of each graph, and then solving the partition refinement problem of [12] for the finite set of relations
mE~,sm' mEa,sm I + mt mE~.,s
if if if
m I:~ m, m~m m
I
a , S + { a } Flit
r S m t. or m :~Z
These relations are finite in number because we know that only finitely many names are used and only finitely many different $S$ appear on the edges of our graphs. □

We have now provided a notion of regularity for asynchronous processes which allows much more expressivity than the standard notion of regularity for CCS. We have also shown that a suitable notion of bisimulation equivalence is polynomial time decidable over this class of processes. Unfortunately, though, this enhanced notion of regularity is not as robust as we would like. In particular, one can form parallel compositions and restrictions of CCS regular terms and stay within the class of regular processes [9, 10]. Sadly, this is not the case in the present work. Whilst parallel composition preserves finiteness of the models of regular terms, the restriction of such graphs does not. In fact, using the familiar argument of reducing bisimulation equivalence to the halting problem for two-counter Minsky machines [11], we can show that allowing restriction of regular terms, unsurprisingly, entails undecidability of our equivalence. We conclude this section by briefly mentioning that the direct interpretation of asynchronously regular CCS terms as resource graphs can be extended to the whole of aCCS in such a way as to ensure that Proposition 5.1 (iv) still holds. This extension is non-trivial, however, and involves defining both the recursion and restriction operators on graphs as the least fixed point of certain functionals, so that the resulting resource graphs may become infinite.
6 Conclusion

We have presented a novel approach to modelling asynchronous systems. The chief feature of these new models is the treatment of asynchronous transmission as the use of resources. Resource graphs yield a direct presentation of asynchronous behaviour, without recourse to various commutativity axioms. They also provide a compact representation of many infinite state systems, thereby allowing effective procedures for deciding bisimilarity. We discovered that the somewhat unorthodox notion of asynchronous bisimilarity arises naturally in the category of resource graphs and provided insightful characterisations of this equivalence. The present work is concerned with synchronising processes rather than communicating processes, that is, no information is transmitted by output actions. Therefore a treatment of asynchrony in the π-calculus is beyond the scope of resource graphs as presented. An issue worth further investigation is a generalisation of the resource graph model which could cater for name passing and dynamic scoping as can be found in the π-calculus.
References

[1] R. Amadio, I. Castellani, and D. Sangiorgi. On bisimulations for the asynchronous π-calculus. In U. Montanari and V. Sassone, editors, Proceedings CONCUR 96, Pisa, volume 1119 of Lecture Notes in Computer Science, pages 147-162. Springer-Verlag, 1996.
[2] G. Boudol. Asynchrony and the π-calculus. Technical Report 1702, INRIA, Sophia-Antipolis, 1991.
[3] S. Christensen, Y. Hirshfeld, and F. Moller. Bisimulation equivalence is decidable for basic parallel processes. In E. Best, editor, Proceedings CONCUR 93, Hildesheim, volume 715 of Lecture Notes in Computer Science, pages 143-157. Springer-Verlag, 1993.
[4] C. Fournet and G. Gonthier. The reflexive CHAM and the join-calculus. In Proc. ACM-POPL, 1996.
[5] Y. Hirshfeld, M. Jerrum, and F. Moller. A polynomial algorithm for deciding bisimulation equivalence of normed basic parallel processes. In Proc. Mathematical Structures in Computer Science, 1996.
[6] K. Honda and M. Tokoro. An object calculus for asynchronous communication. In Proc. ECOOP 91, Geneve, 1991.
[7] A. Joyal, M. Nielsen, and G. Winskel. Bisimulation and open maps. In Proceedings 8th Annual Symposium on Logic in Computer Science, pages 418-427. IEEE Computer Society Press, 1993.
[8] P.C. Kanellakis and S.A. Smolka. CCS expressions, finite state processes, and three problems of equivalence. Information and Computation, 86:43-68, 1990.
[9] R. Milner. A complete inference system for a class of regular behaviours. Journal of Computer and System Sciences, 28:439-466, 1984.
[10] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Cliffs, 1989.
[11] F. Moller. Infinite results. In U. Montanari and V. Sassone, editors, Proceedings CONCUR 96, Pisa, volume 1119 of Lecture Notes in Computer Science, pages 195-216. Springer-Verlag, 1996.
[12] R. Paige and R. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6):973-989, 1987.
[13] B. Pierce and D. Turner. Pict: A programming language based on the π-calculus, 1996. University of Cambridge.
[14] P. Selinger. First-order axioms for asynchrony. In M. Bednarczyk, editor, Proceedings CONCUR 97, Warsaw, volume 1243 of Lecture Notes in Computer Science, pages 376-390. Springer-Verlag, 1997.
[15] C. Stirling. Bisimulation, model checking and other games, 1997. Notes for Mathfit Instructional Meeting on Games and Computation, University of Edinburgh.
[16] G. Winskel and M. Nielsen. Models for concurrency. In S. Abramsky, Dov M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, Volume 4, pages 1-148. Oxford University Press, 1995.
A Cook's Tour of Equational Axiomatizations for Prefix Iteration

Luca Aceto¹*, Wan Fokkink², and Anna Ingólfsdóttir³**

¹ BRICS (Basic Research in Computer Science), Department of Computer Science, Aalborg University, Fredrik Bajers Vej 7-E, DK-9220 Aalborg Ø, Denmark. [email protected], Fax: +45 9815 9889
² Department of Computer Science, University of Wales Swansea, Singleton Park, Swansea SA2 8PP, Wales. [email protected], Fax: +44 1792 295708
³ Dipartimento di Sistemi ed Informatica, Università di Firenze, Via Lombroso 6/17, 50134 Firenze, Italy. [email protected], Fax: +39 55 4796730
Abstract. Prefix iteration is a variation on the original binary version of the Kleene star operation P ∗ Q, obtained by restricting the first argument to be an atomic action, and yields simple iterative behaviours that can be equationally characterized by means of finite collections of axioms. In this paper, we present axiomatic characterizations for a significant fragment of the notions of equivalence and preorder in van Glabbeek’s linear-time/branching-time spectrum over Milner’s basic CCS extended with prefix iteration. More precisely, we consider ready simulation, simulation, readiness, trace and language semantics, and provide complete (in)equational axiomatizations for each of these notions over BCCS with prefix iteration. All of the axiom systems we present are finite, if so is the set of atomic actions under consideration.
1 Introduction
Equationally based proof systems play an important role in both the practice and the theory of process algebras. From the point of view of practice, these proof systems can be used to perform system verifications in a purely syntactic way, and form the basis of axiomatic verification tools like, e.g., PAM [10]. From the theoretical point of view, complete axiomatizations of behavioural equivalences capture the essence of different notions of semantics for processes in terms of a basic collection of identities, and this often allows one to compare semantics which may have been defined in very different styles and frameworks. Some researchers also measure the naturalness of a process semantics by using the existence of a finite complete axiomatization for it over, say, finite behaviours as an acid test. An excellent example of the unifying role played by equational axiomatizations of process semantics may be found in [7]. Ibidem van Glabbeek presents the so-called linear time/branching time spectrum, i.e., the lattice of all the known behavioural equivalences over labelled transition systems ordered by inclusion. The different identifications made by these semantic equivalences over finite synchronization trees are beautifully characterized by the author of op. cit. in terms of a few simple axioms. This permits an illuminating comparison of these semantics within a uniform axiomatic framework. However, despite the complete inference systems for bisimulation-based equivalences over regular processes presented in, e.g., [11,8] and years of intense research, little is still known on the topic of effective complete axiomatizations of the notions of semantics studied in [7] over iterative processes.

In this study, we shall present a contribution to this line of research by investigating a significant fragment of the notions of equivalence and preorder from [7] over Milner's basic CCS (henceforth referred to as BCCS) [12] extended with prefix iteration. Prefix iteration [6] is a variation on the original binary version of the Kleene star operation $P^*Q$ [9], obtained by restricting the first argument to be an atomic action, and yields simple iterative behaviours that can be equationally characterized by means of finite collections of axioms. Furthermore, prefix iteration combines better with the action prefixing operator of CCS than the more general binary Kleene star. A significant advantage of iteration over recursion, as a means to express infinite processes, is that it does not involve a parametric process definition, because the development of process theory is easier if parameterization does not have to be taken as primitive (see, e.g., Milner [13, page 212]).

* Partially supported by the Human Capital and Mobility project Express.
** Supported by a grant from the Danish National Research Foundation.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 20–34, 1998. © Springer-Verlag Berlin Heidelberg 1998.
Our study of equational axiomatizations for BCCS with prefix iteration has so far yielded complete equational axiomatizations for all the main notions of bisimulation equivalence [6,1]. In this paper, we continue this research programme by studying axiomatic characterizations for more abstract semantics over this language than those based on variations of bisimulation. More precisely, we consider ready simulation, simulation, readiness, trace and language semantics, and provide complete (in)equational axiomatizations for each of these notions over BCCS with prefix iteration. All of the axiom systems we present are finite, if so is the set of atomic actions under consideration. Although the high level structure of the proofs of our main results follows standard lines in the literature on process theory, the actual details of the arguments are, however, rather subtle (cf., e.g., the proof of Thm. 3). To our mind, this shows how the analysis of the collection of valid identities for the semantics considered in this paper already becomes difficult even in the presence of very simple iterative behaviours, like those that can be expressed using prefix iteration.

The paper is organized as follows. After a brief review of the basic notions from process theory needed in the remainder of the paper (Sect. 2), we present the language BCCS with prefix iteration and its labelled transition system semantics (Sect. 3). Sect. 4 is devoted to a guided tour of our completeness results. The paper concludes with a mention of further results that will be presented in a full account of this work, and a discussion of ongoing research (Sect. 5).
2 Preliminaries

In this section we present the basic notions from process theory that will be needed in the remainder of this study.

2.1 Labelled Transition Systems
A labelled transition system is a triple $(\mathit{Proc}, \mathit{Lab}, \{\xrightarrow{\ell} \mid \ell \in \mathit{Lab}\})$, where:
– $\mathit{Proc}$ is a set of states, ranged over by $s$, possibly subscripted or superscripted;
– $\mathit{Lab}$ is a set of labels, ranged over by $\ell$, possibly subscripted;
– $\xrightarrow{\ell} \subseteq \mathit{Proc} \times \mathit{Proc}$ is a transition relation, for every $\ell \in \mathit{Lab}$. As usual, we shall use the more suggestive notation $s \xrightarrow{\ell} s'$ in lieu of $(s, s') \in \xrightarrow{\ell}$, and write $s \stackrel{\ell}{\nrightarrow}$ iff $s \xrightarrow{\ell} s'$ for no state $s'$.

All the labelled transition systems we shall consider in this paper will have a special label $\checkmark$ in their label set, used to represent successful termination, and will enjoy the following property: if $s \xrightarrow{\checkmark} s'$, then $s' \stackrel{\ell}{\nrightarrow}$ for every label $\ell$. For $n \geq 0$ and $\varsigma = \ell_1 \ldots \ell_n \in \mathit{Lab}^*$, we write $s \xrightarrow{\varsigma} s'$ iff there exist states $s_0, \ldots, s_n$ such that $s = s_0 \xrightarrow{\ell_1} s_1 \xrightarrow{\ell_2} \cdots s_{n-1} \xrightarrow{\ell_n} s_n = s'$. In that case, we say that $\varsigma$ is a trace (of length $n$) of the state $s$. For a state $s \in \mathit{Proc}$ we define:
$$\mathit{initials}(s) \stackrel{\Delta}{=} \{\ell \in \mathit{Lab} \mid \exists s' : s \xrightarrow{\ell} s'\} .$$

2.2 From Ready Simulation to Language Equivalence
Labelled transition systems describe the operational behaviour of processes in great detail. In order to abstract from irrelevant information on the way processes compute, a wealth of notions of behavioural equivalence or approximation have been studied in the literature on process theory. A systematic investigation of these notions is presented in [7], where van Glabbeek studies the so-called linear time/branching time spectrum, i.e., the lattice of all the known behavioural equivalences over labelled transition systems ordered by inclusion. In this study, we shall investigate a significant fragment of the notions of equivalence and preorder from [7]. These we now proceed to present for the sake of completeness.

Definition 1 (Simulation, Ready Simulation and Bisimulation).
– A binary relation $R$ on states is a simulation iff whenever $s_1 \mathrel{R} s_2$ and $\ell$ is a label:
  - if $s_1 \xrightarrow{\ell} s_1'$, then there is a transition $s_2 \xrightarrow{\ell} s_2'$ such that $s_1' \mathrel{R} s_2'$.
– A binary relation $R$ on states is a ready simulation iff it is a simulation with the property that, whenever $s_1 \mathrel{R} s_2$ and $\ell$ is a label:
  - if $s_1 \stackrel{\ell}{\nrightarrow}$, then $s_2 \stackrel{\ell}{\nrightarrow}$.
– A bisimulation is a symmetric simulation.

Two states $s$ and $s'$ are bisimilar, written $s \underline{\leftrightarrow} s'$, iff there is a bisimulation that relates them. Henceforth the relation $\underline{\leftrightarrow}$ will be referred to as bisimulation equivalence. We write $s \sqsubseteq_S s'$ (resp. $s \sqsubseteq_{RS} s'$) iff there is a simulation (resp. a ready simulation) $R$ with $s \mathrel{R} s'$. Bisimulation equivalence [14] relates two states in a labelled transition system precisely when they have the same branching structure. Simulation (see, e.g., [14]) and ready simulation [3] relax this requirement to different degrees. The following notion, which is based on a version of decorated traces, is induced by yet another way of abstracting from the full branching structure of processes.

Definition 2 (Readiness Semantics). For a state $s$ we define:
$$\mathit{readies}(s) \stackrel{\Delta}{=} \{(\varsigma, X) \mid \varsigma \in \mathit{Lab}^*,\ X \subseteq \mathit{Lab} \text{ and } \exists s' : s \xrightarrow{\varsigma} s' \text{ and } \mathit{initials}(s') = X\}$$
For states $s, s'$ we write $s \sqsubseteq_R s'$ iff $\mathit{readies}(s)$ is included in $\mathit{readies}(s')$.
The classical notion of language equivalence for finite state automata may be readily defined over labelled transition systems. To this end, it is sufficient to consider the states from which a $\checkmark$-labelled transition is possible as accept states.

Definition 3 (Language and Trace Semantics).
– We say that a sequence of labels $\varsigma$ is accepted by a state $s$ iff $s \xrightarrow{\varsigma\checkmark} s'$ for some state $s'$. For states $s, s'$ we write $s \sqsubseteq_L s'$ iff every sequence accepted by $s$ is also accepted by $s'$.
– For states $s, s'$ we write $s \sqsubseteq_T s'$ iff the set of traces of $s$ is included in that of $s'$.

For $\Theta \in \{S, RS, L, R, T\}$, the relation $\sqsubseteq_\Theta$ is a preorder over states of an arbitrary labelled transition system; its kernel will be denoted by $\simeq_\Theta$.
3 BCCS with Prefix Iteration
We begin by presenting the language of Basic CCS (henceforth often abbreviated to BCCS) with prefix iteration [6], together with its operational semantics.
3.1 The Syntax

We assume a non-empty alphabet $\mathit{Act}$ of atomic actions, with typical elements $a, b, c$. The language BCCS$^{p*}$ of Basic CCS with prefix iteration is given by the following BNF grammar:
$$P ::= 0 \mid 1 \mid a.P \mid P + P \mid a^*P .$$
We shall use $P, Q, R, S, T$ to range over BCCS$^{p*}$. In writing terms over the above syntax, we shall always assume that the operator $a.$ binds stronger than $+$. We shall use the symbol $\equiv$ to stand for syntactic equality of terms. The expression $P[+Q]$ will be used to denote the fact that $Q$ is an optional summand. The size of a term is the number of operators occurring in it.

Remark 1. The reader might have noticed that the syntax for the language BCCS$^{p*}$ presented above includes two distinguished constants, viz. 0 and 1. Intuitively, the term 0 will stand for a deadlocked process, whereas 1 will stand for a process that can only terminate immediately with success. Our choice of notation is in keeping with a standard one for regular expressions, cf., e.g., [5].

3.2 Operational Semantics
Let $\checkmark$ be a distinguished symbol not contained in $\mathit{Act}$. We shall use $\checkmark$ to stand for the action performed by a process as it reports its successful termination. The meta-variable $\xi$ will range over the set $\mathit{Act} \cup \{\checkmark\}$. The operational semantics for the language BCCS$^{p*}$ is given by the labelled transition system
$$\big(\mathrm{BCCS}^{p*},\ \mathit{Act} \cup \{\checkmark\},\ \{\xrightarrow{\xi} \mid \xi \in \mathit{Act} \cup \{\checkmark\}\}\big)$$
where the transition relations $\xrightarrow{\xi}$ are the least binary relations over BCCS$^{p*}$ satisfying the rules in Table 1. Intuitively, a transition $P \xrightarrow{a} Q$ means that the system represented by the term $P$ can perform the action $a$, thereby evolving into $Q$. On the other hand, $P \xrightarrow{\checkmark} Q$ means that $P$ can terminate immediately with success; the reader will immediately realize that, in that case, $Q \equiv 0$. With the above definitions, the language BCCS$^{p*}$ inherits all the notions of equivalence and preorder over processes defined in Sect. 2.2. The following result is standard.

Proposition 1. For $\Theta \in \{RS, S, L, R, T\}$, the relations $\sqsubseteq_\Theta$ and $\simeq_\Theta$ are preserved by the operators in the signature of BCCS$^{p*}$. The same holds for bisimulation equivalence.
4 Equational Axiomatizations
The study of equational axiomatizations of behavioural equivalences and preorders over BCCS$^{p*}$ was initiated in the paper [6]. In op. cit. it is shown that the axiom system in Table 2 completely axiomatizes bisimulation equivalence over the language of 1-free BCCS$^{p*}$ terms. Our aim in the remainder of this study will be to extend this result to the semantics in the linear-time/branching-time spectrum discussed in Sect. 2.2.

Table 1. Transition Rules
$$a.P \xrightarrow{a} P \qquad\qquad 1 \xrightarrow{\checkmark} 0 \qquad\qquad \frac{P \xrightarrow{\xi} P'}{P + Q \xrightarrow{\xi} P'} \qquad\qquad \frac{Q \xrightarrow{\xi} Q'}{P + Q \xrightarrow{\xi} Q'}$$
$$a^*P \xrightarrow{a} a^*P \qquad\qquad \frac{P \xrightarrow{\xi} P'}{a^*P \xrightarrow{\xi} P'}$$
Table 2. The axiom system F
A1  $x + y = y + x$
A2  $(x + y) + z = x + (y + z)$
A3  $x + x = x$
A4  $x + 0 = x$
PA1 $a.(a^*x) + x = a^*x$
PA2 $a^*(a^*x) = a^*x$
For an axiom system $T$, we write $T \vdash P \leq Q$ iff the inequation $P \leq Q$ is provable from the axioms in $T$ using the rules of inequational logic. An equation $P = Q$ will be used as a short-hand for the pair of inequations $P \leq Q$ and $Q \leq P$. Whenever we write an inequation of the form $P[+1] \leq Q[+1]$, we mean that if the 1 summand appears on the left-hand side of the inequation, then it also appears on the right-hand side. $P =_{AC} Q$ denotes that $P$ and $Q$ are equal modulo associativity and commutativity of $+$, i.e., that A1,A2 $\vdash P = Q$. For a collection of (in)equations $X$ over the signature of BCCS$^{p*}$, we write $P \stackrel{(X)}{\leq} Q$ as a short-hand for A1,A2,$X \vdash P \leq Q$. For $I = \{i_1, \ldots, i_n\}$ a finite index set, we write $\sum_{i \in I} P_i$ for $P_{i_1} + \cdots + P_{i_n}$. By convention, $\sum_{i \in \emptyset} P_i$ stands for 0. Henceforth process terms will be considered modulo associativity and commutativity of the $+$-operation, i.e., modulo axioms A1–2.

We begin the technical developments by noting that the proof of the completeness of the axiom system F with respect to bisimulation equivalence over the language of 1-free BCCS$^{p*}$ terms applies mutatis mutandis to the whole of the language BCCS$^{p*}$.

Proposition 2. For every $P, Q \in$ BCCS$^{p*}$, $P \underline{\leftrightarrow} Q$ iff F $\vdash P = Q$.
The collection of possible transitions of each process term $P$ is finite, say $\{P \xrightarrow{a_i} P_i \mid i = 1, \ldots, m\} \cup \{P \xrightarrow{\checkmark} 0 \mid j = 1, \ldots, n\}$. We call the term
$$\exp(P) \stackrel{\Delta}{=} \sum_{i=1}^{m} a_i.P_i + \sum_{j=1}^{n} 1$$
the expansion of $P$. The terms $a_i.P_i$ and 1 will be referred to as the summands of $P$. A straightforward structural induction on terms, using axiom PA1, yields:

Lemma 1. Each process term is provably equal to its expansion.

We aim at identifying a subset of process terms of a special form, which will be convenient in the proof of the completeness results to follow. Following a long-established tradition in the literature on process theory, we shall refer to these terms as normal forms. The set of normal forms we are after is the smallest subset of BCCS$^{p*}$ including process terms having one of the following two forms:
$$\sum_{i \in I} a_i.P_i\,[+1] \qquad \text{or} \qquad a^*\Big(\sum_{i \in I} a_i.P_i\,[+1]\Big),$$
where the terms $P_i$ are themselves normal forms, and $I$ is a finite index set. (Recall that the empty sum represents 0, and the notation $[+1]$ stands for optional inclusion of 1 as a summand.)

Lemma 2. Each term in BCCS$^{p*}$ can be proven equal to a normal form using equations A3, A4 and PA1.

4.1 Ready Simulation
We begin our tour of equational axiomatizations for prefix iteration by presenting a complete axiom system for the ready simulation preorder (cf. Defn. 1 for the definition of this relation). The axiom system $E_{RS}$ consists of the laws for bisimulation equivalence (cf. Table 2) and of the inequations RS1–2 below:
RS1 $a.x \leq a.x + a.y$
RS2 $a^*x \leq a^*(x + a.y)$ .

Theorem 1. For every $P, Q \in$ BCCS$^{p*}$, $P \sqsubseteq_{RS} Q$ iff $E_{RS} \vdash P \leq Q$.
Proof. We leave it to the reader to check the soundness of the axiom system $E_{RS}$, and concentrate on its completeness. In view of Lem. 2, it is sufficient to show that if $P \sqsubseteq_{RS} Q$ holds for normal forms $P$ and $Q$, then $E_{RS} \vdash P \leq Q$. This we now proceed to prove by induction on the sum of the sizes of $P$ and $Q$. We proceed by a case analysis on the form the normal forms $P$ and $Q$ may take.

– Case: $P =_{AC} \sum_{i \in I} a_i.P_i[+1]$ and $Q =_{AC} \sum_{j \in J} b_j.Q_j[+1]$. As $P \sqsubseteq_{RS} Q$, we infer that:
  1. for every $i$ there exists an index $j_i$ such that $a_i = b_{j_i}$ and $P_i \sqsubseteq_{RS} Q_{j_i}$,
  2. 1 is a summand of $P$ iff it is a summand of $Q$, and
  3. the collections of actions $\{a_i \mid i \in I\}$ and $\{b_j \mid j \in J\}$ are equal.
  The induction hypothesis and substitutivity yield that, for every $i \in I$, $E_{RS} \vdash a_i.P_i \leq b_{j_i}.Q_{j_i}$. Again using substitutivity, we obtain that
  $$E_{RS} \vdash P \leq \sum_{i} b_{j_i}.Q_{j_i}[+1] .$$
  Note now that, for every index $j$ that is not contained in the set $\{j_i \mid i \in I\}$, there is an index $j_l$ ($l \in I$) such that $b_j = b_{j_l}$. We can therefore apply axiom RS1 as necessary to infer that
  $$E_{RS} \vdash \sum_{i} b_{j_i}.Q_{j_i}[+1] \leq Q .$$
  The provability of the inequation $P \leq Q$ from the axiom system $E_{RS}$ now follows immediately by transitivity.
– Case: $P =_{AC} \sum_{i \in I} a_i.P_i[+1]$ and $Q =_{AC} b^*(\sum_{j \in J} b_j.Q_j[+1])$. To deal with this case, begin by applying PA1 to $Q$ to obtain the equality
  $$Q = b.Q + \sum_{j \in J} b_j.Q_j[+1] .$$
  We can now reason as in the first case of the proof to derive that
  $$P \leq b.Q + \sum_{j \in J} b_j.Q_j[+1] .$$
  Transitivity now yields the inequation $P \leq Q$.
– Case: $P =_{AC} a^*(\sum_{i} a_i.P_i[+1])$ and $Q =_{AC} \sum_{j} b_j.Q_j[+1]$. Apply PA1 to $P$, and reason as in the previous case.
– Case: $P =_{AC} a^*(\sum_{i} a_i.P_i[+1])$ and $Q =_{AC} b^*(\sum_{j} b_j.Q_j[+1])$. As $P \sqsubseteq_{RS} Q$, we infer that:
  1. there exists a $Q'$ such that $Q \xrightarrow{a} Q'$ and $P \sqsubseteq_{RS} Q'$,
  2. for every $i$ there exists a $Q(i)$ such that $Q \xrightarrow{a_i} Q(i)$ and $P_i \sqsubseteq_{RS} Q(i)$,
  3. 1 is a summand of $P$ iff it is a summand of $Q$, and
  4. the collections of actions $\{a_i \mid i \in I\} \cup \{a\}$ and $\{b_j \mid j \in J\} \cup \{b\}$ are equal.
  Because of the form $Q$ takes, $Q'$ and every $Q(i)$ is either $Q$ itself or one of the $Q_j$'s. Therefore we may apply the inductive hypothesis to each of the inequivalences $P_i \sqsubseteq_{RS} Q(i)$ and substitutivity to infer that
  $$E_{RS} \vdash \sum_{i} a_i.P_i \leq \sum_{i} a_i.Q(i) . \qquad (1)$$
  We proceed with the proof by considering the following two sub-cases:
  A. There is an index $j$ such that $a = b_j$ and $P \sqsubseteq_{RS} Q_j$;
  B. For no index $j$ with $a = b_j$ it holds that $P \sqsubseteq_{RS} Q_j$.
  We consider these two cases in turn.

  A. Assume that there is an index $j$ such that $a = b_j$ and $P \sqsubseteq_{RS} Q_j$. In this case, we may apply the inductive hypothesis to derive that
  $$E_{RS} \vdash P \leq Q_j . \qquad (2)$$
  We can now finish the proof of the inequation $P \leq Q$ from the axiom system $E_{RS}$ as follows:
  $$P \stackrel{(\mathrm{PA1})}{=} a.P + \sum_{i} a_i.P_i[+1] \stackrel{(1),(2)}{\leq} b_j.Q_j + \sum_{i} a_i.Q(i)[+1] \stackrel{(\mathrm{RS1})}{\leq} b_j.Q_j + \sum_{i} a_i.Q(i) + \exp(Q)[+1] \stackrel{(\mathrm{A3}),(\mathrm{PA1})}{=} Q .$$

  B. Assume that for no index $j$ with $a = b_j$ it holds that $P \sqsubseteq_{RS} Q_j$. In this case, we infer that $a = b$. We can now reason as follows:
  $$P \equiv a^*\Big(\sum_{i} a_i.P_i[+1]\Big) \stackrel{(1)}{\leq} a^*\Big(\sum_{i} a_i.Q(i)[+1]\Big) \stackrel{(\mathrm{RS1}),(\mathrm{RS2})}{\leq} a^*\Big(\sum_{i} a_i.Q(i) + a.Q + \sum_{j} b_j.Q_j[+1]\Big) \stackrel{(\mathrm{A3}),(\mathrm{PA1})}{\leq} a^*Q \stackrel{(\mathrm{PA2})}{=} Q .$$

This completes the proof of the theorem.
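As an added illustration (not code from the paper), the following Python implements the transition rules of Table 1 for BCCS with prefix iteration, computes the finite transition system a term generates, and decides the simulation, ready simulation and bisimulation relations of Defn. 1 as greatest fixed points over that finite state space. It then checks instances of RS1 and RS2 (and of the inequation S of Sect. 4.2 below), and that a term is bisimilar to its expansion exp(P) (Lem. 1). The tuple encoding of terms and the label name `tick`, standing in for the termination label ✓, are my own choices.

```python
# Added example, not from the paper: Table 1 semantics for BCCS with prefix
# iteration, plus greatest-fixed-point checks of the relations in Defn. 1.
from itertools import product

TICK = "tick"  # stand-in for the termination label (a checkmark in the paper)

# Term encoding (my own): ("0",), ("1",), ("pre", a, P), ("sum", P, Q), ("star", a, P)
ZERO, ONE = ("0",), ("1",)

def pre(a, p):
    return ("pre", a, p)

def plus(p, q):
    return ("sum", p, q)

def star(a, p):
    return ("star", a, p)

def step(p):
    """Set of (label, successor) pairs derivable for p by the rules of Table 1."""
    kind = p[0]
    if kind == "0":
        return set()                              # 0 has no transitions
    if kind == "1":
        return {(TICK, ZERO)}                     # 1 -tick-> 0
    if kind == "pre":
        return {(p[1], p[2])}                     # a.P -a-> P
    if kind == "sum":
        return step(p[1]) | step(p[2])            # P+Q moves as P or as Q
    # a*P -a-> a*P, and a*P -xi-> P' whenever P -xi-> P'
    return {(p[1], p)} | step(p[2])

def states(*roots):
    """Terms reachable from the roots; finite, since a*P only loops back to itself."""
    seen, todo = set(), list(roots)
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(q for _, q in step(p))
    return seen

def initials(p):
    return {label for label, _ in step(p)}

def greatest(roots, keep):
    """Largest relation on reachable states whose every pair (s, t) satisfies keep(s, t, rel)."""
    universe = states(*roots)
    rel = set(product(universe, universe))
    while True:
        bad = {(s, t) for (s, t) in rel if not keep(s, t, rel)}
        if not bad:
            return rel
        rel -= bad

def simulates(s, t, rel):
    """Every move of s is matched by an equally labelled move of t into related successors."""
    return all(any(l2 == l1 and (s2, t2) in rel for l2, t2 in step(t))
               for l1, s2 in step(s))

def sim(p, q):
    """p is simulated by q (the simulation preorder of Defn. 1)."""
    return (p, q) in greatest((p, q), simulates)

def ready_sim(p, q):
    """Ready simulation: a simulation that also preserves the set of enabled labels."""
    keep = lambda s, t, rel: simulates(s, t, rel) and initials(s) == initials(t)
    return (p, q) in greatest((p, q), keep)

def bisim(p, q):
    """Bisimulation equivalence: both directions must be matched within one relation."""
    keep = lambda s, t, rel: simulates(s, t, rel) and simulates(t, s, {(b, a) for a, b in rel})
    return (p, q) in greatest((p, q), keep)

def exp(p):
    """The expansion exp(P) of Sect. 4: one summand a.P' per move, one summand 1 per tick move."""
    summands = [ONE if l == TICK else pre(l, q) for l, q in sorted(step(p), key=repr)]
    if not summands:
        return ZERO
    acc = summands[0]
    for s in summands[1:]:
        acc = plus(acc, s)
    return acc

if __name__ == "__main__":
    a, b = "a", "b"
    # RS1 with x = 0, y = b.0: a.0 <= a.0 + a.b.0 holds for ready simulation
    print(ready_sim(pre(a, ZERO), plus(pre(a, ZERO), pre(a, pre(b, ZERO)))))
    # S with x = a.0, y = b.0 holds for simulation but not for ready simulation
    print(sim(pre(a, ZERO), plus(pre(a, ZERO), pre(b, ZERO))),
          ready_sim(pre(a, ZERO), plus(pre(a, ZERO), pre(b, ZERO))))
    # RS2 with x = 0, y = b.0: a*0 <= a*(0 + a.b.0), and not conversely
    p, q = star(a, ZERO), star(a, plus(ZERO, pre(a, pre(b, ZERO))))
    print(ready_sim(p, q), ready_sim(q, p))
    # Lem. 1: a term is bisimilar to its expansion
    r = star(a, plus(pre(b, ZERO), ONE))
    print(bisim(r, exp(r)))
```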
4.2 Simulation

The axiom system $E_S$ consists of the laws for bisimulation equivalence in Table 2 and of the axiom
S $x \leq x + y$ .
Inequation S is well-known to characterize the simulation preorder over finite synchronization trees. Unlike in the case of ready simulation, no extra law is needed to deal with prefix iteration explicitly.

Theorem 2. For every $P, Q \in$ BCCS$^{p*}$, $P \sqsubseteq_S Q$ iff $E_S \vdash P \leq Q$.

4.3 Readiness
In this section we present a complete axiom system for prefix iteration with respect to the readiness preorder. The axiom system $E_R$ consists of the collection of laws for ready simulation and of those listed below:
R1 $a.(b.x + b.y + v) \leq a.(b.x + v) + a.(b.y + w)$
R2 $a.a^*(b.x + b.y + v) \leq a.a^*(b.x + v) + a.a^*(b.y + w)$
R3 $a^*(b.x + b.y + v + a.(b.y + w)) = a^*(b.x + v + a.(b.y + w)) + b.y$

Theorem 3. For every $P, Q \in$ BCCS$^{p*}$, $P \sqsubseteq_R Q$ iff $E_R \vdash P \leq Q$.

We focus on the completeness of $E_R$, and leave soundness to the reader. Before proving this completeness theorem, we introduce some auxiliary definitions and results.

Definition 4. A term $P$ is saturated if for each pair of derivations $P \xrightarrow{a} Q \xrightarrow{b} Q'$ and $P \xrightarrow{a} R$ with $b \in \mathit{initials}(R)$ we have $R \xrightarrow{b} R'$ with $Q' \sqsubseteq_R R'$.

The following lemma stems from [2].

Lemma 3. If $P \sqsubseteq_R Q$ and $P \xrightarrow{a} P'$ and $Q$ is saturated, then $Q \xrightarrow{a} Q'$ with $P' \sqsubseteq_R Q'$.

Definition 5. A normal form $P$ is strongly saturated if:
1. $P$ is saturated;
2. if $P =_{AC} \sum_{i \in I} a_i.P_i[+1]$, then the term $P_i$ is strongly saturated, for every $i \in I$.

Axioms R1–R3 play a crucial role in the proof of the following key result.

Lemma 4. Each term is provably equal, by the axioms in $E_R$, to a strongly saturated normal form, in which each subterm of the form $a^*R$ occurs in the context $a.\square$.
Finally we are in a position to prove Thm. 3. Proof. Suppose that P @ ∼ R Q; we prove that ER ` P ≤ Q. By Lem. 4 it is not hard to see that it suffices to establish the claim under the following assumptions: 1. 2. 3. 4.
P and Q are normal forms; Q is strongly saturated; proper subterms of P and Q of the form a∗ R occur in the context a. ; if P =AC a∗ R and Q =AC b∗ S, then a = b.
(In fact, according to Lem. 4, the last two conditions could be replaced by the stronger condition that all subterms of P and Q of the form a∗ R occur in the context a. . However, we shall need the weaker formulation above to be able to satisfy the induction hypothesis.) We derive the desired inequality P ≤ Q from ER by induction with respect to the following lexicographic ordering on pairs of process terms: (P, Q) < (R, S) if - either size(P ) < size(R); - or size(P ) = size(R) and size(Q) < size(S). The next two cases distinguish the possible syntactic forms of P . P – Case 1: P =AC i∈I ai .Pi [+1]. ai Since P @ ∼ R Q, P → Pi and Q is saturated, Lem. 3 implies that for each a i ∈ I we have Q →i Qi for some Qi such that Pi @ ∼ R Qi . According to Lem. 4, ER ` Qi = Ri , with Ri a strongly saturated normal form, in which each subterm of the form c∗ S occurs in the context c. . Moreover, each Pi is a normal form, in which all proper subterms of the form c∗ S occur in the context c. , with size(Pi ) < size(P ). Hence, we can apply induction to Pi @ ∼ R Ri to derive ER ` Pi ≤ Ri . Therefore, for each i ∈ I, ER ` ai .Pi ≤ ai .Ri = ai .Qi .
(3)
By substitutivity, we have that P =AC
X
(3)
ai .Pi [+1] ≤
i∈I
X
ai .Qi [+1] .
(4)
i∈I
X
} Since P @ ∼ R Q implies initials(P ) = initials(Q), it follows that initials(Q)\ { is equal to {ai | i ∈ I}. Furthermore, P @ ∼ R Q implies that P has a summand
X
1 if and only if Q → 0. Hence, X
(RS1)
ai .Qi [+1] ≤ exp(Q)
(Lem.1)
=
Q
i∈I
which together withPequation (4) yields ER ` P ≤ Q. – Case 2: P =AC a∗ ( i∈I ai .Pi [+1]). The next two cases distinguish the possible syntactic forms of Q.
– Case 2: $P =_{AC} a^*\big(\sum_{i\in I} a_i.P_i\,[+1]\big)$. The next two cases distinguish the possible syntactic forms of $Q$.

– Case 2.1: $Q =_{AC} \sum_{j\in J} b_j.Q_j\,[+1]$. Suppose that $P \xrightarrow{c} P'$. Since $P \sqsubseteq_R Q$ and $Q$ is saturated, Lem. 3 implies that there is a $j \in J$ such that $c = b_j$ and $P' \sqsubseteq_R Q_j$. Both $P'$ and $Q_j$ are normal forms, and since $Q$ is strongly saturated, by Defn. 5(2) $Q_j$ is strongly saturated too. Furthermore, if $P' =_{AC} d^*R$ and $Q_j =_{AC} e^*S$, then $c = d$ and $b_j = e$, owing to property 3 of $P$ and $Q$, and so $d = c = b_j = e$. Moreover, it is easy to see that property 3 of $P$ and $Q$ implies that the same property holds for $P'$ and $Q_j$. Finally, $size(P') \le size(P)$ and $size(Q_j) < size(Q)$. Hence, we can apply induction to $P' \sqsubseteq_R Q_j$ to derive $E_R \vdash P' \le Q_j$. Substitutivity now yields
$$E_R \vdash c.P' \le b_j.Q_j. \tag{5}$$
Hence,
$$P \overset{(\mathrm{Lem.}\,1)}{=} \mathrm{exp}(P) \overset{(5)}{\le} \sum_{j\in J_0} b_j.Q_j\,[+1] \tag{6}$$
for some $J_0 \subseteq J$. It is easy to see that $P \sqsubseteq_R Q$ implies $initials(Q)\setminus\{\surd\} = initials(P)\setminus\{\surd\} = \{b_j \mid j \in J_0\}$. Moreover, $P \xrightarrow{\surd} 0$ if and only if $Q$ has a summand $1$. Hence,
$$\sum_{j\in J_0} b_j.Q_j\,[+1] \overset{(RS1)}{\le} \sum_{j\in J} b_j.Q_j\,[+1] =_{AC} Q.$$
Together with equation (6) this yields $E_R \vdash P \le Q$.

– Case 2.2: $Q =_{AC} a^*\big(\sum_{j\in J} b_j.Q_j\,[+1]\big)$. Since $P \sqsubseteq_R Q$ and $P \xrightarrow{a_i} P_i$ and $Q$ is saturated, Lem. 3 implies that for each $i \in I$
1. either $a_i = a$ and $P_i \sqsubseteq_R Q$,
2. or there is a $j$ such that $a_i = b_j$ and $P_i \sqsubseteq_R Q_j$.
Clearly, each $P_i$ is a normal form in which all proper subterms of the form $c^*S$ occur in the context $c.\,$, and with $size(P_i) < size(P)$. In the first case, applying induction to $P_i \sqsubseteq_R Q$, we infer that $E_R \vdash P_i \le Q$. Therefore, by substitutivity,
$$E_R \vdash a_i.P_i \le a.Q. \tag{7}$$
In the second case, Lem. 4 implies $E_R \vdash Q_j = R_j$, with $R_j$ a strongly saturated normal form, in which each subterm of the form $c^*S$ occurs in the context $c.\,$. Then by induction $P_i \sqsubseteq_R R_j$ implies $E_R \vdash P_i \le R_j$. It follows, by substitutivity, that
$$E_R \vdash a_i.P_i \le a_i.R_j = b_j.Q_j. \tag{8}$$
Hence, for some $J_0 \subseteq J$:
$$P \overset{(RS2)}{\le} a^*\Big(a.Q + \sum_{i\in I} a_i.P_i\,[+1]\Big) \overset{(8),(7)}{\le} a^*\Big(a.Q + \sum_{j\in J_0} b_j.Q_j\,[+1]\Big). \tag{9}$$
It is easy to see that $P \sqsubseteq_R Q$ implies that $initials(Q)\setminus\{\surd\} = \{b_j \mid j \in J_0\} \cup \{a\}$, and that $P \xrightarrow{\surd} 0$ if and only if $Q \xrightarrow{\surd} 0$. Hence
$$a^*\Big(a.Q + \sum_{j\in J_0} b_j.Q_j\,[+1]\Big) \overset{(RS1)}{\le} a^*\Big(a.Q + \sum_{j\in J} b_j.Q_j\,[+1]\Big) \overset{(PA1),(PA2)}{=} Q.$$
Together with equation (9) this yields $E_R \vdash P \le Q$. The proof is now complete. □

4.4 Traces

The axiom system $E_T$ consists of the laws for bisimulation equivalence in Table 2 and of
$$\begin{aligned} \text{T1} &\quad a.(x+y) = a.x + a.y \\ \text{T2} &\quad a^*(x+y) = a^*x + a^*y \\ \text{T3} &\quad a^*(a.x) = a.(a^*x). \end{aligned}$$
Axiom T1 is a well-known equation used to characterize trace equivalence over finite synchronization trees, and axiom T2 is the adaptation of this equation to the case of prefix iteration. Finally, T3 is, to the best of our knowledge, a new axiom.

Theorem 4. For every $P, Q \in BCCS^{p*}$,
1. $P \simeq_T Q$ iff $E_T \vdash P = Q$;
2. $P \sqsubseteq_T Q$ iff $E_T \cup \{(S)\} \vdash P \le Q$.
4.5 Language Semantics

The axiom system $E_L$ consists of the laws for bisimulation equivalence in Table 2, T1–3 and the equations
$$\begin{aligned} \text{L1} &\quad a.0 = 0 \\ \text{L2} &\quad a^*0 = 0. \end{aligned}$$
Axiom L1 is an adaptation to action prefixing of a well-known equation from regular algebra, and axiom L2 is the generalization of this equation to the case of prefix iteration.

Theorem 5. For every $P, Q \in BCCS^{p*}$,
1. $P \simeq_L Q$ iff $E_L \vdash P = Q$;
2. $P \sqsubseteq_L Q$ iff $E_L \cup \{(S)\} \vdash P \le Q$.

Proof. We leave it to the reader to check the soundness of the axiom system $E_L \cup \{(S)\}$, and concentrate on the completeness results.
1. Assume that $P \simeq_L Q$. We shall prove that $E_L \vdash P = Q$. A simple term rewriting analysis (which is omitted here) shows that each process term is provably equal to a term which is either 0-free, or of the form 0. Suppose that two terms $P$ and $Q$ are language equivalent. We distinguish two cases.
– Case 1: $P \equiv 0$. Then clearly also $Q \equiv 0$, so $P \equiv 0 \equiv Q$.
– Case 2: $P$ is 0-free. Then clearly $Q$ is also 0-free. Since $P$ and $Q$ are 0-free and language equivalent, it is not hard to see that they are also trace equivalent. So, according to Thm. 4, the equation $P = Q$ can be derived from $E_T$, which is included in $E_L$.
2. Note that, for every $P, Q \in BCCS^{p*}$, the following holds:
$$P \sqsubseteq_L Q \iff P + Q \simeq_L Q.$$
Thus the completeness of the axiom system $E_L \cup \{(S)\}$ with respect to $\sqsubseteq_L$ is an immediate consequence of the first statement of the theorem. □

5 Further Work
The completeness results presented in this paper deal with a significant fragment of the notions of semantics discussed in [7]. To our mind, the most important omission is a complete proof system for failures semantics [4] over BCCS with prefix iteration. We conjecture that a complete axiomatization for the failure preorder can be obtained by adding the laws
$$\begin{aligned} a.(x+y) &\le a.x + a.(y+z) \\ a.a^*(x+y) &\le a.a^*x + a.a^*(y+z) \\ a.a^*x &\le a^*a.(x+y) \\ a^*(x+y+a.(y+z)) &\le a^*(x+a.(y+z)) + y \\ a^*x &\le a^*(x+a.y) \end{aligned}$$
to those for bisimulation equivalence (cf. Table 2), and we are currently working on the details of such a proof. The crux of the argument is a proof to the effect that the suggested inequations are sufficient to convexly saturate each process term, in the sense of [2]. We have also obtained irredundancy results for the axiom systems for ready simulation, simulation, trace and language equivalence. These will be presented in the full version of this paper, together with a characterization of the expressive power of BCCS with prefix iteration.

Acknowledgements: The research reported in this paper originates from a question posed by Rocco De Nicola. We thank the anonymous referees for their comments.
References
1. L. Aceto, W. J. Fokkink, R. J. van Glabbeek, and A. Ingólfsdóttir, Axiomatizing prefix iteration with silent steps, Information and Computation, 127 (1996), pp. 26–40.
2. J. Bergstra, J. W. Klop, and E.-R. Olderog, Readies and failures in the algebra of communicating processes, SIAM J. Comput., 17 (1988), pp. 1134–1177.
3. B. Bloom, S. Istrail, and A. R. Meyer, Bisimulation can't be traced, J. Assoc. Comput. Mach., 42 (1995), pp. 232–268.
4. S. Brookes, C. Hoare, and A. Roscoe, A theory of communicating sequential processes, J. Assoc. Comput. Mach., 31 (1984), pp. 560–599.
5. J. H. Conway, Regular Algebra and Finite Machines, Mathematics Series (R. Brown and J. De Wet eds.), Chapman and Hall, London, United Kingdom, 1971.
6. W. J. Fokkink, A complete equational axiomatization for prefix iteration, Inf. Process. Lett., 52 (1994), pp. 333–337.
7. R. J. v. Glabbeek, The linear time – branching time spectrum, in Proceedings CONCUR 90, Amsterdam, J. Baeten and J. Klop, eds., vol. 458 of Lecture Notes in Computer Science, Springer-Verlag, 1990, pp. 278–297.
8. R. J. v. Glabbeek, A complete axiomatization for branching bisimulation congruence of finite-state behaviours, in Mathematical Foundations of Computer Science 1993, Gdansk, Poland, A. Borzyszkowski and S. Sokolowski, eds., vol. 711 of Lecture Notes in Computer Science, Springer-Verlag, 1993, pp. 473–484. Available by anonymous ftp from Boole.stanford.edu.
9. S. Kleene, Representation of events in nerve nets and finite automata, in Automata Studies, C. Shannon and J. McCarthy, eds., Princeton University Press, 1956, pp. 3–41.
10. H. Lin, An interactive proof tool for process algebras, in 9th Annual Symposium on Theoretical Aspects of Computer Science, vol. 577 of Lecture Notes in Computer Science, Cachan, France, 13–15 Feb. 1992, Springer, pp. 617–618.
11. R. Milner, A complete inference system for a class of regular behaviours, J. Comput. System Sci., 28 (1984), pp. 439–466.
12. R. Milner, Communication and Concurrency, Prentice-Hall International, Englewood Cliffs, 1989.
13. R. Milner, The polyadic π-calculus: a tutorial, in Proceedings Marktoberdorf Summer School '91, Logic and Algebra of Specification, NATO ASI Series F94, Springer-Verlag, 1993, pp. 203–246.
14. D. Park, Concurrency and automata on infinite sequences, in 5th GI Conference, Karlsruhe, Germany, P. Deussen, ed., vol. 104 of Lecture Notes in Computer Science, Springer-Verlag, 1981, pp. 167–183.
The WHILE Hierarchy of Program Schemes Is Infinite
Can Adam Albayrak and Thomas Noll
RWTH Aachen, Ahornstr. 55, 52056 Aachen, Germany
[email protected] and [email protected]
fax: +49 241 8888 217
Abstract. We exhibit a sequence Sn (n ≥ 0) of while program schemes, i. e., while programs without interpretation, with the property that the while nesting depth of Sn is n, and prove that any while program scheme which is scheme equivalent to Sn , i. e., equivalent for all interpretations over arbitrary domains, has while nesting depth at least n. This shows that the while nesting depth imposes a strict hierarchy (the while hierarchy) when programs are compared with respect to scheme equivalence and contrasts with Kleene’s classical result that every program is equivalent to a program of while nesting depth 1 (when interpreted over a fixed domain with arithmetic on non–negative integers). Our proof is based on results from formal language theory; in particular, we make use of the notion of star height of regular languages.
1 Introduction
When comparing programming languages, one often has a vague impression of one language being more powerful than another. However, a basic result of the theory of computability is that even simple models of computation like Turing machines, while programs (with arithmetic), and partial recursive functions are universal in the following sense: They describe exactly the class of computable functions, according to Church's thesis. The proof uses encodings of functions by non-negative integers with the help of zero and successor function. Thus, if the programming language under consideration supports arithmetic on non-negative integers, then it is capable of simulating any effective control structure. A compiler implementing a programming language could in principle adopt this method. In general, such languages do not only specify computations over non-negative integers but they handle data types like floating-point numbers, character strings, and trees as well. Additionally, modern programming languages allow recursion as means for the description of algorithms. In principle, these extended capabilities could be implemented (1) by embedding them in the setting of non-negative integers using appropriate encodings, (2) by simulating their behavior as a computable function, and (3) by translating the result back into the original context. However, it is clear that this approach is of purely theoretical interest; there is no hope for achieving good efficiency in this way. Instead these concepts are implemented directly: for example recursion is usually translated into iterative algorithms using a run-time stack. Thus a comparison of the computational power of programming languages requires the distinction between the control structures of a program and other aspects like the semantic domains involved in the computations. Therefore we use the approach to decompose a program into a program scheme and an interpretation (which comprises the semantic domain). We study only the scheme part as an abstraction of the family of all programs represented by this scheme. In this generalized approach, two schemes are considered to be equivalent iff the concrete programs obtained by addition of an interpretation are equivalent for all interpretations. It is well-known that the schematic concept of "recursion" is more powerful than that of "iteration" [12], that "recursion" equals "iteration + stack" [2], and that "iteration" equals "while + Boolean variables" [1]. Unfortunately the question of scheme equivalence is undecidable in the general case [11]. The reason is not, as one might expect, the "large number" of interpretations which one has to apply for deciding scheme equivalence — it suffices to consider free interpretations (or Herbrand interpretations) only. Instead, the undecidability is caused by the structure of the state space of the program, more precisely the state space has too many components. If we abstract from the state space we obtain simple or monadic schemes for which the question of scheme equivalence becomes decidable in most cases.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 35–47, 1998. © Springer-Verlag Berlin Heidelberg 1998
In this paper we consider the class of Dijkstra schemes which are inductively built up from atomic statements by means of sequential composition, branching instructions, and while loops. A characterization of scheme equivalence via regular languages is exploited: the star height of the regular language associated with a Dijkstra scheme yields a lower bound for the while nesting depth required. We exhibit a sequence Sn (n ≥ 0) of Dijkstra schemes with the property that the while nesting depth of Sn is n, and prove (via the correspondence to regular languages) that any Dijkstra scheme which is equivalent to Sn has while nesting depth at least n. This shows that the while nesting depth of Dijkstra schemes imposes a strict hierarchy with respect to the computational power of the corresponding class of programs – the while hierarchy. It contrasts with Kleene’s classical result [10] that every program is equivalent to a program of while nesting depth 1 (beside some fixed number of other loops) when interpreted over a fixed domain with arithmetic on non–negative integers.
2 Dijkstra schemes
Here we introduce the class of Dijkstra schemes. The only construction elements for Dijkstra schemes are sequential composition, branching, and conditional iteration. Thus, Dijkstra schemes can be regarded as while programs without interpretations. Let $\Omega, \Pi$ be non-empty, finite, and disjoint sets of unary function symbols and unary predicate symbols. $(\Omega, \Pi)$ is called a signature. The set $BExp(\Pi)$ of Boolean expressions over $\Pi$ is the smallest set which contains $\Pi$ and which is closed under the Boolean operations (i. e. $\wedge$, $\vee$ and $\neg$). The class $Dij(\Omega, \Pi)$ of Dijkstra schemes over $\Omega$ and $\Pi$ is the smallest set which, for every $S, S_1, S_2 \in Dij(\Omega, \Pi)$ and $b \in BExp(\Pi)$, satisfies the following conditions:
– $\Omega \subseteq Dij(\Omega, \Pi)$
– $(S_1; S_2) \in Dij(\Omega, \Pi)$
– if $b$ then $S_1$ else $S_2$ fi $\in Dij(\Omega, \Pi)$
– while $b$ do $S$ done $\in Dij(\Omega, \Pi)$.
Braces may be omitted.

Example 1. Let $\Omega := \{f, g, h\}$ and $\Pi := \{p\}$. Then f; while p do (g; h) done is a Dijkstra scheme.

A $(\Omega, \Pi)$-interpretation, or interpretation for short, is a pair $\mathcal{A} := \langle A; \alpha \rangle$ where $A$ is a non-empty set, the domain of the interpretation, and $\alpha$ is a mapping which assigns a predicate $\alpha(p) : A \to \{0, 1\}$ to every symbol $p \in \Pi$ and a total function $\alpha(f) : A \to A$ to every symbol $f \in \Omega$. Instead of $\alpha(f)$ we write $f_{\mathcal{A}}$. The class of all $(\Omega, \Pi)$-interpretations is denoted by $Int(\Omega, \Pi)$. A pair $(S, \mathcal{A})$ consisting of a Dijkstra scheme $S \in Dij(\Omega, \Pi)$ and an interpretation $\mathcal{A} \in Int(\Omega, \Pi)$ is called a Dijkstra program. The semantics of $(S, \mathcal{A})$ is the (partial) mapping $[\![S]\!]_{\mathcal{A}} : A \to A$, given as follows:
$$[\![S]\!]_{\mathcal{A}}(a) := \begin{cases} f_{\mathcal{A}}(a) & \text{if } S = f \in \Omega \\ [\![S_2]\!]_{\mathcal{A}}([\![S_1]\!]_{\mathcal{A}}(a)) & \text{if } S = (S_1; S_2) \\ [\![S_1]\!]_{\mathcal{A}}(a) & \text{if } S = \text{if } b \text{ then } S_1 \text{ else } S_2 \text{ fi and } [\![b]\!]_{\mathcal{A}}(a) = 1 \\ [\![S_2]\!]_{\mathcal{A}}(a) & \text{if } S = \text{if } b \text{ then } S_1 \text{ else } S_2 \text{ fi and } [\![b]\!]_{\mathcal{A}}(a) = 0 \\ [\![S']\!]^k_{\mathcal{A}}(a) & \text{if } S = \text{while } b \text{ do } S' \text{ done and the while condition holds} \\ \text{undefined} & \text{else} \end{cases}$$
where $[\![b]\!]_{\mathcal{A}}(a)$ is the truth value of $b$ on input $a$ which is induced by the interpretation $\mathcal{A}$ and where the while condition depending on $b$, $S'$ and $a$ is given by
$$\forall i \in \{0, \ldots, k-1\} : [\![b]\!]_{\mathcal{A}}([\![S']\!]^i_{\mathcal{A}}(a)) = 1 \quad \text{and} \quad [\![b]\!]_{\mathcal{A}}([\![S']\!]^k_{\mathcal{A}}(a)) = 0.$$
As usual $[\![b]\!]_{\mathcal{A}}([\![S']\!]^i_{\mathcal{A}}(a)) = 1$ means that the $i$th iteration $[\![S']\!]^i_{\mathcal{A}}$ of the mapping $[\![S']\!]_{\mathcal{A}}$ applied to $a$ is defined and that the result satisfies condition $b$.

Example 2. Let $S$ be the Dijkstra scheme in Example 1 and $\mathcal{A} := \langle \mathbb{N}^2; \alpha \rangle$ ($\mathbb{N}$ is the set of all non-negative integers) with $f_{\mathcal{A}}(m, n) := (m, 1)$, $g_{\mathcal{A}}(m, n) := (m, m \cdot n)$, $h_{\mathcal{A}}(m, n) := (\max\{0, m-1\}, n)$ and $p_{\mathcal{A}}(m, n) = 1 \iff m \neq 0$. Then $[\![S]\!]_{\mathcal{A}}$ computes the factorial function, more precisely $[\![S]\!]_{\mathcal{A}}(m, n) = (0, m!)$.

As mentioned in the introduction we define: Two Dijkstra schemes $S_1, S_2 \in Dij(\Omega, \Pi)$ are (strongly) equivalent iff the equation $[\![S_1]\!]_{\mathcal{A}} = [\![S_2]\!]_{\mathcal{A}}$ is valid for all interpretations $\mathcal{A} \in Int(\Omega, \Pi)$. We write $S_1 \sim S_2$ iff $S_1$ and $S_2$ are equivalent. Hence scheme equivalence comprises program equivalence, which expresses that, under a fixed interpretation, both programs compute the same function.
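The semantics just defined, as an added example that is not part of the paper: a small interpreter for Dijkstra schemes under an interpretation, run on the factorial interpretation of Example 2 and on a constructed interpretation under which the while condition never holds. The tuple encoding of schemes and Boolean expressions and the iteration bound `fuel` (standing in for the undefinedness of the partial mapping) are assumptions made here.

```python
from typing import Callable, Dict, Optional

class Interpretation:
    """An (Omega, Pi)-interpretation A = <A; alpha>: a total function on the
    domain for every function symbol and a {0,1}-valued predicate for every
    predicate symbol (here Python callables; domain elements are tuples)."""
    def __init__(self, funcs: Dict[str, Callable], preds: Dict[str, Callable]):
        self.funcs, self.preds = funcs, preds

def truth(b, a, A: Interpretation) -> bool:
    """[[b]]_A(a): truth value of the Boolean expression b on the element a.
    b is a predicate symbol (str), ('not', b), ('and', b1, b2) or ('or', b1, b2)."""
    if isinstance(b, str):
        return bool(A.preds[b](a))
    if b[0] == 'not':
        return not truth(b[1], a, A)
    left, right = truth(b[1], a, A), truth(b[2], a, A)
    return (left and right) if b[0] == 'and' else (left or right)

def run(S, a, A: Interpretation, fuel: int = 10_000):
    """[[S]]_A(a) for S a function symbol (str), ('seq', S1, S2),
    ('if', b, S1, S2) or ('while', b, S'). Returns None where the partial
    mapping is undefined, i.e. the while condition holds for no k below
    `fuel` (the paper's semantics has no bound; it is simply undefined)."""
    if isinstance(S, str):                      # f in Omega: apply f_A
        return A.funcs[S](a)
    if S[0] == 'seq':                           # (S1; S2): compose
        mid = run(S[1], a, A, fuel)
        return None if mid is None else run(S[2], mid, A, fuel)
    if S[0] == 'if':                            # if b then S1 else S2 fi
        return run(S[2] if truth(S[1], a, A) else S[3], a, A, fuel)
    state = a                                   # while b do S' done: find the
    for _ in range(fuel):                       # first k with [[b]]([[S']]^k a) = 0
        if not truth(S[1], state, A):
            return state
        state = run(S[2], state, A, fuel)
        if state is None:
            return None
    return None

# Example 1 of the paper: S = f; while p do (g; h) done
S_EX1 = ('seq', 'f', ('while', 'p', ('seq', 'g', 'h')))

# Example 2 of the paper: domain N^2 with f(m,n) = (m,1), g(m,n) = (m, m*n),
# h(m,n) = (max{0, m-1}, n) and p(m,n) = 1 iff m != 0
FACT = Interpretation(
    funcs={'f': lambda s: (s[0], 1),
           'g': lambda s: (s[0], s[0] * s[1]),
           'h': lambda s: (max(0, s[0] - 1), s[1])},
    preds={'p': lambda s: s[0] != 0})

def factorial_via_scheme(m: int) -> Optional[int]:
    """[[S]]_A(m, n) = (0, m!) for the program (S_EX1, FACT); returns m!."""
    result = run(S_EX1, (m, 0), FACT)
    return None if result is None else result[1]

# A constructed interpretation (not from the paper) under which h no longer
# decreases m: for m != 0 the guard stays true and [[S]]_A is undefined
DIVERGE = Interpretation(funcs={**FACT.funcs, 'h': lambda s: s}, preds=FACT.preds)

def diverging_result(m: int):
    return run(S_EX1, (m, 0), DIVERGE, fuel=50)

if __name__ == '__main__':
    print([factorial_via_scheme(m) for m in range(6)])    # [1, 1, 2, 6, 24, 120]
    print(diverging_result(3), diverging_result(0))       # None (0, 1)
```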
3 Characterization of Dijkstra scheme equivalence
Now we give a characterization of scheme equivalence in terms of formal languages. The language $L_S$ which we associate with a given Dijkstra scheme $S$ is a regular language capturing the full computation potential of $S$. To simulate the behaviour of $S$ under arbitrary interpretations, we especially record the decisions which have been taken in the Boolean conditions. The languages we define use Boolean vectors for this protocol; a word of this language consists of function symbols and Boolean vectors in alternation. The central point is the representation of scheme composition by a conditional product [9] of the corresponding languages. It allows two computations to be concatenated only if their adjacent Boolean vectors coincide. For a set $\Omega$ of unary function symbols and a set $\Pi = \{p_1, \ldots, p_n\}$ of predicate symbols with $n$ elements let $B := \{0, 1\}^n$ be the set of all Boolean vectors of length $n$. We associate with each Boolean expression $b \in BExp(\Pi)$ a set of Boolean vectors $L_b \subseteq B$ by induction: for $p_i \in \Pi$ let
$$L_{p_i} := \{(x_1, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_n) \mid x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n \in \{0, 1\}\},$$
and $L_{b_1 \wedge b_2} := L_{b_1} \cap L_{b_2}$, $L_{b_1 \vee b_2} := L_{b_1} \cup L_{b_2}$, and $L_{\neg b} := B \setminus L_b$. Now we are ready to specify the Dijkstra scheme language $L_S$ of an arbitrary scheme $S \in Dij(\Omega, \Pi)$. It is given by the following inductive definition:
$$\begin{aligned} L_f &:= B \cdot \{f\} \cdot B \\ L_{(S_1; S_2)} &:= L_{S_1} \circ L_{S_2} \\ L_{\text{if } b \text{ then } S_1 \text{ else } S_2 \text{ fi}} &:= (L_b \circ L_{S_1}) \cup ((B \setminus L_b) \circ L_{S_2}) \\ L_{\text{while } b \text{ do } S \text{ done}} &:= \Big(\bigcup_{i \in \mathbb{N}} (L_b \circ L_S)^i\Big) \circ (B \setminus L_b) \end{aligned}$$
where $L_1 \circ L_2$ is the conditional product defined by
$$L_1 \circ L_2 := \{w \beta v \mid \beta \in B,\ w \in (B\Omega)^*,\ v \in (\Omega B)^*,\ w\beta \in L_1 \text{ and } \beta v \in L_2\}$$
and $L^0 := B$ and $L^{i+1} := L^i \circ L$ for every $i \in \mathbb{N}$. The class of all Dijkstra scheme languages over $\Omega$ and $\Pi$ is denoted by $L_{Dij}(\Omega, \Pi)$.

Example 3. Let $S$ be the Dijkstra scheme in Example 1, and let $B := (0 + 1)$. Then $L_S$ is the language denoted by the regular expression $Bf(1gBh)^*0$.

Proposition 4. (Characterization of Dijkstra scheme equivalence) For any two Dijkstra schemes $S_1, S_2 \in Dij(\Omega, \Pi)$ the following condition holds:
$$S_1 \sim S_2 \iff L_{S_1} = L_{S_2}.$$
Proof. It is well-known that every Dijkstra scheme is translatable into an equivalent Ianov scheme, which can be considered as an uninterpreted (monadic) flowchart (see [7], [6], [8], and [13] for further details). For this class of schemes, I. I. Ianov gave a language-theoretic description of equivalence by assigning to every scheme a deterministic finite automaton whose recognized language characterizes the scheme equivalence. The combination of both techniques yields our proof: by induction on the syntactic structure of $S \in Dij(\Omega, \Pi)$ it is possible to show that the language associated with the equivalent Ianov scheme $trans(S)$ and the language $L_S$ assigned to $S$ coincide. □

Example 5. Let $S$ once again be the Dijkstra scheme in Example 1 and $S'$ be the Dijkstra scheme
f; if (¬p) then while p do (g; h) done else (g; h); while p do (g; h) done fi
Let $B := (0 + 1)$. Then the Dijkstra scheme language $L_{S'}$ is the language denoted by the regular expression $Bf0 + Bf1gBh(1gBh)^*0$. Since it is the same language as the Dijkstra scheme language for $S$ we can deduce by Proposition 4 that $S$ and $S'$ are equivalent.
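The scheme language $L_S$ and the conditional product, as an added example that is not the authors' code: $L_S$ is computed exactly for all words with at most k function symbols (it is infinite as soon as S contains a while loop), and Examples 3 and 5 are checked on that finite part. The tuple encoding of words, schemes and Boolean expressions and the bound k are assumptions made here.

```python
import re
from itertools import product

def vectors(PI):
    """B = {0,1}^n: one Boolean vector entry per predicate symbol in PI."""
    return set(product((0, 1), repeat=len(PI)))

def L_b(b, PI):
    """L_b, the Boolean vectors on which the expression b is true.
    b is a predicate symbol (str), ('not', b), ('and', b1, b2), ('or', b1, b2)."""
    B = vectors(PI)
    if isinstance(b, str):
        i = PI.index(b)
        return {v for v in B if v[i] == 1}
    if b[0] == 'not':
        return B - L_b(b[1], PI)
    l, r = L_b(b[1], PI), L_b(b[2], PI)
    return l & r if b[0] == 'and' else l | r

def cond_product(L1, L2, k):
    """L1 o L2 = { w beta v | w beta in L1, beta v in L2 }: two computations
    are glued only where their adjacent Boolean vectors coincide. Restricted
    to words with at most k function symbols (exact, as both parts are shorter)."""
    tails = {}
    for u in L2:
        tails.setdefault(u[0], []).append(u[1:])
    out = set()
    for w in L1:
        for v in tails.get(w[-1], ()):
            if (len(w) + len(v)) // 2 <= k:
                out.add(w + v)
    return out

def L_S(S, PI, k):
    """The words of the scheme language L_S with at most k function symbols.
    A word is a tuple alternating Boolean vectors and function symbols, with
    vectors at both ends (2*j + 1 components for j symbols). S is a function
    symbol (str), ('seq', S1, S2), ('if', b, S1, S2) or ('while', b, S')."""
    B = vectors(PI)
    single = lambda vs: {(v,) for v in vs}    # vectors as one-vector words
    if isinstance(S, str):                    # L_f = B . {f} . B
        return {(u, S, v) for u in B for v in B} if k >= 1 else set()
    if S[0] == 'seq':                         # L_{(S1;S2)} = L_S1 o L_S2
        return cond_product(L_S(S[1], PI, k), L_S(S[2], PI, k), k)
    if S[0] == 'if':                          # (L_b o L_S1) u ((B \ L_b) o L_S2)
        return (cond_product(single(L_b(S[1], PI)), L_S(S[2], PI, k), k)
                | cond_product(single(B - L_b(S[1], PI)), L_S(S[3], PI, k), k))
    # while b do S' done: (U_i (L_b o L_S')^i) o (B \ L_b); L^0 = B, and every
    # body word applies a symbol, so the union is finite under the bound k
    body = cond_product(single(L_b(S[1], PI)), L_S(S[2], PI, k), k)
    leave = single(B - L_b(S[1], PI))
    layer, result = single(B), set()
    while layer:
        result |= cond_product(layer, leave, k)
        layer = cond_product(layer, body, k)
    return result

def show(w):
    """Render a word the way the paper writes it, e.g. ((1,), 'f', (0,)) as '1f0'."""
    return ''.join(x if isinstance(x, str) else ''.join(map(str, x)) for x in w)

PI = ['p']                                    # the signature of Examples 1, 3 and 5
W = ('while', 'p', ('seq', 'g', 'h'))         # while p do (g; h) done
S_EX1 = ('seq', 'f', W)                       # Examples 1 and 3: f; while p do (g; h) done
S_EX5 = ('seq', 'f', ('if', ('not', 'p'), W, ('seq', ('seq', 'g', 'h'), W)))

def check_example3(k):
    """Size of L_S (Example 3) up to k symbols, and whether every word matches
    the regular expression B f (1 g B h)* 0 given there, with B = (0 + 1)."""
    words = L_S(S_EX1, PI, k)
    return len(words), all(re.fullmatch(r'[01]f(1g[01]h)*0', show(w)) for w in words)

def equivalent_up_to(S1, S2, PI, k):
    """Proposition 4, bounded: L_S1 and L_S2 agree on words up to k symbols."""
    return L_S(S1, PI, k) == L_S(S2, PI, k)

if __name__ == '__main__':
    print(sorted(show(w) for w in L_S(S_EX1, PI, 3)))
    print(check_example3(7), equivalent_up_to(S_EX1, S_EX5, PI, 7))
```

Agreement up to a bound is evidence, not a proof of Proposition 4's right-hand side; the exact set for the finite part is what the check gives.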
4 The star height of regular languages
In order to prove the main theorem we use the concept of star height of regular languages. After presenting some known facts concerning the star height, we show that there exists an infinite family of regular languages $(L_n)_{n \in \mathbb{N}}$ such that every language $L_n$ of this family has star height $n$. This knowledge will be exploited in the next section. We use $\emptyset$ to denote the empty language, $\varepsilon$ to denote the language which consists of the empty word and $L(\alpha)$ for the language denoted by the regular expression $\alpha$. The set of all regular expressions over a finite alphabet $\Sigma$ is denoted by $RE(\Sigma)$. The star height of a regular expression is the maximal number of nested stars which appear in this expression, and the star height of a regular language is the minimal star height of all regular expressions denoting this language; more formally one defines for a finite alphabet $\Sigma$
– $sh(\emptyset) = sh(\varepsilon) = sh(a) = 0$ for all symbols $a \in \Sigma$
– $sh(\alpha\beta) = sh(\alpha + \beta) = \max\{sh(\alpha), sh(\beta)\}$ for $\alpha, \beta \in RE(\Sigma)$
– $sh(\alpha^*) = sh(\alpha) + 1$ for $\alpha \in RE(\Sigma)$,
and for a regular language $L \subseteq \Sigma^*$
$$sh(L) := \min\{sh(\alpha) \mid \alpha \in RE(\Sigma) \text{ and } L(\alpha) = L\}$$
is called the star height of $L$.

Example 6. (Star height [3]) Let $\Sigma := \{a, b\}$. The regular expression $(ba^*b)^*$ has star height 2 but the language $L((ba^*b)^*)$ denoted by this regular expression has at most star height 1, because $L(\varepsilon + b(a + bb)^*b) = L((ba^*b)^*)$ and $sh(\varepsilon + b(a + bb)^*b) = 1$. Furthermore it is easy to show that a regular language is finite iff it has zero star height. So we get $sh(L((ba^*b)^*)) = 1$.
In 1963 L. C. Eggan raised the question whether there are languages of arbitrary star height over a two letter alphabet [5]. F. Dejean and M. P. Schützenberger gave a positive answer to this question by showing that for every $n \in \mathbb{N} \setminus \{0\}$ the language $L_n$ over the alphabet $\{a, b\}$ which is recognized by the deterministic finite automaton $A_n$

[Figure: the deterministic finite automaton $A_n$ with states $q_0, q_1, q_2, q_3, \ldots, q_{2n-2}, q_{2n-1}$ and transitions labelled $a$ and $b$]

with $2n$ states has star height $n$. We pick up the technique which has been used in [4] for showing that in a special subclass of regular languages, the class $L_{Dij}(\Omega, \Pi)$ of all Dijkstra scheme languages, there also exist languages of arbitrary star height. The following well-known lemma, which we need in the next section, is easy to prove.

Lemma 7. (Star height of homomorphic images) Let $\Sigma$ be a finite alphabet and $h : \Sigma^* \to \Sigma^*$ be a homomorphism on $\Sigma^*$. Then for every regular language $L \subseteq \Sigma^*$:
$$sh(h(L)) \le sh(L).$$

The next lemma presents the regular language family by which we are going to establish the connection to Dijkstra schemes.

Lemma 8. (Star height of a certain family of regular languages) Let $(\alpha_n)_{n \in \mathbb{N}}$ be a family of regular expressions over the alphabet $\Sigma := \{f, g\}$, defined inductively by
$$\alpha_0 := \varepsilon, \qquad \alpha_1 := (fg)^*, \qquad \alpha_{n+1} := \big(f^{2^n}\, \alpha_n\, f g\, g^{2^n}\, \alpha_n\, f g\big)^* \quad (\text{for } n \in \mathbb{N} \setminus \{0\}).$$
Then for all $n \in \mathbb{N}$ it holds that
$$sh(L(\alpha_n)) = n. \tag{1}$$
Proof. To identify the star height of a language given by a regular expression, one has to prove the nonexistence of equivalent expressions of lower star height. Here we are forced to give a proof for every parameter $n \in \mathbb{N}$. The technique applied in [4] (cf. also [14] for a similar approach) can be used to obtain this result. Here we only sketch the proof. For every $n \in \mathbb{N} \setminus \{0\}$, let $K_n$ be a class of regular languages which satisfies the following three conditions (a), (b), and (c):
(a) For every language $L$ in $K_n$
$$\exists z\ \forall w \in L : |w|_f - |w|_g = z,$$
where $|w|_f$ and $|w|_g$ denote the number of occurrences of $f$ and $g$, respectively, in the word $w$.
(b) For $m, n \in \mathbb{N} \setminus \{0\}$ let $w_{(n,m)} \in \{f, g\}^*$ be given by
$$w_{(1,m)} := f^m g^m, \qquad w_{(n+1,m)} := f^{2^n}\, w_{(n,m)}\, f g\, g^{2^n}\, w_{(n,m)}\, f g.$$
For every $n \in \mathbb{N} \setminus \{0\}$, the $n$-subword index set of a language $L$ is
$$T^n_L := \{m \in \mathbb{N} \setminus \{0\} \mid (w_{(n,m)})^m \text{ is a subword of a word in } L\}.$$
The cardinality of this set, which is called $n$-subword index of $L$, must be infinite for each $L$ in $K_n$: $|T^n_L| = \infty$, i. e. there are (for every index $n$ of $K_n$) infinitely many subwords of the form $(w_{(n,m)})^m$ in $L$.
(c) Every element $L \in K_n$ is minimal with respect to the star height among all languages which satisfy the conditions (a) and (b), i. e. for all regular languages $L'$ over $\{f, g\}$ which also fulfil conditions (a) and (b) it holds that $sh(L) \le sh(L')$.
Thus all languages in $K_n$ have the same star height. It is easy to see that, for every $n \in \mathbb{N} \setminus \{0\}$, $L(\alpha_n)$ (cf. (1)) has properties (a) and (b). Hence, $sh(L) \le n$ for every $L \in K_n$. The proof of the reverse inequation is shown by induction on $n$. For the case where $n = 1$ this follows from the fact that every infinite regular language has a star height of at least 1. For the inductive step we consider a decomposition of $L \in K_{n+1}$ in a finite union of expressions of the form
$$\gamma_0^*\, \gamma_1\, \gamma_2^*\, \gamma_3 \cdots \gamma_{2k-1}\, \gamma_{2k}^*$$
with $sh(\gamma_i) < sh(L)$ and verify that there is an index $i_0$ such that $\gamma_{i_0}$ meets (a) and (b) for the parameter $n$. With the inductive assumption we conclude $sh(L) \ge n + 1$. □
5 Nested WHILE loops in Dijkstra schemes
We now consider Dijkstra schemes with nested while loops. We want to know whether it is possible to restrict the number of nested while loops if we do not use coding mechanisms like in recursion theory, and if we do not require any special data structures. We will show that such a limit does not exist in general. To this aim we exploit our characterization of Dijkstra scheme equivalence by formal languages and the star height property of regular languages. According to our preliminary definitions, the proof must be founded on a fixed finite signature of function and predicate symbols. Before studying this situation we consider the simpler case where the set of predicate symbols may become arbitrarily large. In this case it suffices to consider the value language $val(S)$ of a Dijkstra scheme $S$ to establish the connection to formal language theory. It collects all execution paths of $S$, represented by the sequence of function symbols as they are applied, and is defined as the homomorphic image of the Dijkstra scheme language $L_S$ under the homomorphism which erases all Boolean vectors.

Proposition 9. (Value language of a Dijkstra scheme) Let $\Omega$ be a set of unary function symbols and $R \subseteq \Omega^*$ be an arbitrary non-empty regular language over $\Omega$. Then there exist
– a set $\Pi_R$ of predicate symbols
– and a Dijkstra scheme $S_R \in Dij(\Omega, \Pi_R)$
such that $val(S_R) = R$.

Proof. The proof is an easy induction on the set $RE(\Omega)$ of all regular expressions over $\Omega$, where for the inductive step we assume that the sets of predicate symbols of the constituent schemes are disjoint and where we obtain one of the schemes
– if $p$ then $S_{R_1}$ else $S_{R_2}$ fi with a new predicate symbol $p$ for the case "$R_1 \cup R_2$"
– $(S_{R_1}; S_{R_2})$ for "$R_1 \cdot R_2$"
– while $p$ do $S_{R_1}$ done with a new predicate symbol $p$ for the case "$R_1^*$". □
Note that the while nesting depth of the resulting scheme coincides with the star height of the regular expression representing $R$.

Corollary 10. (Star height of Dijkstra scheme languages with infinite signatures) Let $\Omega$ be a set of function symbols with at least two elements and $\Pi$ be an arbitrarily large set of predicate symbols. Then for every $n \in \mathbb{N}$ there exists a Dijkstra scheme $S_n \in Dij(\Omega, \Pi)$ such that $sh(L_{S_n}) = n$, i. e. the star height of Dijkstra scheme languages over infinite signatures is unbounded.
Proof. We use the following result, cited in Section 4: In the class of regular languages over an alphabet with at least two elements there exists, for every number $n \in \mathbb{N}$, a regular language $L_n$ such that $sh(L_n) = n$. Let $n \in \mathbb{N}$, and let $\alpha$ be a regular expression with $L(\alpha) = L_n$ and $sh(\alpha) = n$. According to Proposition 9, there exists (a set $\Pi$ of predicate symbols and) a Dijkstra scheme $S$ with $val(S) = L_n$, constructed inductively on the structure of $\alpha$. Because its value language $val(S)$ is a homomorphic image of the scheme language $L_S$, Lemma 7 yields
$$sh(L_S) \ge sh(val(S)) = n. \tag{2}$$
As mentioned above, since $S$ has been built up according to $\alpha$, it contains at most $n$ nested while loops. On the other hand, only while loops yield a contribution to the star height of the scheme language $L_S$. Thus we obtain $sh(L_S) \le n$ and hence, by (2), $sh(L_S) = n$.

The question arises whether it is really necessary to introduce new predicate symbols, as in the proof of Theorem 9. If it were possible to reuse them, then our proof could be based on a fixed signature. The following example illustrates the difficulties.

Example 11. Let $\Pi := \{p\}$ and $\Omega := \{f, g, h\}$. We consider the Dijkstra schemes $S_1$ and $S_2$ over this signature where $S_1 :=$ if $p$ then $f$ else $g$ fi and $S_2 := h$. Then we get $L_{S_1} = \{1f0, 1f1, 0g0, 0g1\}$ and $L_{S_2} = \{0h0, 0h1, 1h0, 1h1\}$ and therefore $val(S_1) = \{f, g\}$ and $val(S_2) = \{h\}$. If in the case "$R_1 \cup R_2$" of the above construction we did not introduce a new predicate symbol, then we would obtain the Dijkstra scheme $S =$ if $p$ then (if $p$ then $f$ else $g$ fi) else $h$ fi, which has the scheme language $L_S = \{1f0, 1f1, 0h0, 0h1\}$ and thus the value language $val(S) = \{f, h\}$. But then
$$val(S) = \{f, h\} \neq \{f, g, h\} = val(S_1) \cup val(S_2).$$
The reason for this is simply that $g$ is never applied in any interpretation because of the repeated use of the predicate symbol $p$ — $S$ is not free.
Now we present our proof of the hierarchy result with a fixed signature. We assume that we have at least one predicate symbol $p$ and at least two function symbols. In the discussion at the end of the paper we will explain why we cannot extend our proof technique to signatures where we have one function symbol only. The set of predicate symbols which we need in the proof of Theorem 9 must contain at least as many symbols as the number of occurrences of $+$ and $*$ in the regular expression where we start from. To restrict the number of predicate symbols we should sparingly use the symbol $+$, and we should reuse predicate symbols. The above example shows that such a reuse can at best be accomplished by employing free Dijkstra schemes, i. e. Dijkstra schemes where between two condition evaluations a computation (function application) must take place. This can be achieved by appending function symbols after while loops. An appropriate family $(S_n)_{n \in \mathbb{N}}$ of Dijkstra schemes over $\Omega = \{f, g\}$ and $\Pi := \{p\}$ is given as follows. For every $n \in \mathbb{N}$, let
$$f^{2^n} := \underbrace{f; \ldots; f}_{2^n \text{ times}}$$
($g^{2^n}$ analogously). Then $(S_n)_{n \in \mathbb{N}}$ is defined as
$$\begin{aligned} S_0 &:= \text{while } (p \wedge \neg p) \text{ do } f; g \text{ done} \\ S_1 &:= \text{while } p \text{ do } f; g \text{ done} \\ S_{n+1} &:= \text{while } p \text{ do } f^{2^n}; S_n; f; g; g^{2^n}; S_n; f; g \text{ done} \end{aligned} \tag{3}$$
(where $n \ge 1$). Now the following theorem holds:

Theorem 12. (Star height of Dijkstra scheme languages over a fixed signature) Let $\Omega := \{f, g\}$ and $\Pi := \{p\}$. For $n \in \mathbb{N}$ let $S_n \in Dij(\Omega, \Pi)$ be the Dijkstra schemes defined in (3). The Dijkstra scheme language $L_{S_n}$ has the following property: $sh(L_{S_n}) = n$.

Proof. An easy induction over $n \in \mathbb{N}$ shows for the value language $val(S_n)$: $val(S_n) = L(\alpha_n)$, where $\alpha_n$ is the regular expression defined in Lemma 8. According to Proposition 8 we get $sh(val(S_n)) = n$ (for every $n \in \mathbb{N}$). As in the proof of Corollary 10, Lemma 7 on the star height of homomorphic images and the observation that only while loops can contribute to the star height of a Dijkstra scheme language yield
$$n = sh(val(S_n)) \overset{(7)}{\le} sh(L_{S_n}) \overset{(8)}{\le} n,$$
which implies that $sh(L_{S_n}) = n$.
□
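An added example (not the authors' code) serving both Example 11 and Theorem 12: it computes $val(S)$ by running a scheme under all free interpretations at once (a predicate tested on a fresh state may answer either way, but a repeated test on the same state must agree, which is exactly what makes the scheme of Example 11 lose $g$), builds the families $S_n$ of (3) and $\alpha_n$ of Lemma 8, and checks $val(S_n) = L(\alpha_n)$ and $sh(\alpha_n) = n$ on words of bounded length. The tuple encodings of schemes, Boolean expressions and regular expressions and the length bound are assumptions made here.

```python
from functools import reduce

def truth(b, t, oracle):
    """Consistent valuations of b on state t (the symbols applied so far): a
    predicate not yet queried on t may answer either way (the choice is kept
    in a copy of the oracle); one queried before must answer as before."""
    if isinstance(b, str):
        if (b, t) in oracle:
            return [(oracle[(b, t)], oracle)]
        return [(v, {**oracle, (b, t): v}) for v in (True, False)]
    if b[0] == 'not':
        return [(not v, o) for v, o in truth(b[1], t, oracle)]
    return [((v1 and v2) if b[0] == 'and' else (v1 or v2), o2)
            for v1, o1 in truth(b[1], t, oracle)
            for v2, o2 in truth(b[2], t, o1)]

def run(S, t, oracle, k):
    """(final state, oracle) of every terminating run of S from t that
    applies at most k function symbols; longer runs are cut off."""
    if len(t) > k:
        return []
    if isinstance(S, str):                        # f in Omega: apply it
        return [(t + (S,), oracle)]
    if S[0] == 'seq':
        return [r for t1, o1 in run(S[1], t, oracle, k)
                for r in run(S[2], t1, o1, k)]
    if S[0] == 'if':
        return [r for v, o in truth(S[1], t, oracle)
                for r in run(S[2] if v else S[3], t, o, k)]
    out = []                                      # while b do S' done
    for v, o in truth(S[1], t, oracle):
        if not v:
            out.append((t, o))                    # guard false: the loop exits
            continue
        for t1, o1 in run(S[2], t, o, k):
            if t1 != t:                           # a body run applying no symbol
                out.extend(run(S, t1, o1, k))     # would repeat forever: diverges
    return out

def val(S, k):
    """val(S): all execution paths (words over Omega) of length <= k."""
    return {''.join(t) for t, _ in run(S, (), {}, k) if len(t) <= k}

def lang(e, k):
    """Words of length <= k in L(e); e is 'eps', a symbol, ('cat', ...) or ('star', e1)."""
    if e == 'eps':
        return {''}
    if isinstance(e, str):
        return {e} if k >= 1 else set()
    if e[0] == 'cat':
        words = {''}
        for x in e[1:]:
            words = {u + v for u in words for v in lang(x, k) if len(u + v) <= k}
        return words
    base = lang(e[1], k) - {''}                   # star: one more iteration
    words, layer = {''}, {''}                     # per round until nothing fits
    while layer:
        layer = {u + v for u in layer for v in base if len(u + v) <= k} - words
        words |= layer
    return words

def sh(e):                                        # star height of a regular expression
    if isinstance(e, str):
        return 0
    return 1 + sh(e[1]) if e[0] == 'star' else max(sh(x) for x in e[1:])

def while_depth(S):                               # while nesting depth of a scheme
    if isinstance(S, str):
        return 0
    if S[0] == 'while':
        return 1 + while_depth(S[2])
    parts = S[1:] if S[0] == 'seq' else S[2:]     # sub-schemes of seq / if
    return max(while_depth(x) for x in parts)

def seq(*parts):                                  # S1; S2; ...; Sk, left-nested
    return reduce(lambda a, b: ('seq', a, b), parts)

def S_n(n):
    """The family (3) over Omega = {f, g}, Pi = {p}: S_0 is a never-entered loop,
    S_1 = while p do f; g done, S_{n+1} = while p do f^(2^n); S_n; f; g; g^(2^n); S_n; f; g done."""
    if n == 0:
        return ('while', ('and', 'p', ('not', 'p')), seq('f', 'g'))
    if n == 1:
        return ('while', 'p', seq('f', 'g'))
    m = 2 ** (n - 1)
    return ('while', 'p', seq(*['f'] * m, S_n(n - 1), 'f', 'g',
                              *['g'] * m, S_n(n - 1), 'f', 'g'))

def alpha(n):
    """Lemma 8: alpha_0 = eps, alpha_1 = (fg)*, alpha_{n+1} = (f^(2^n) alpha_n f g g^(2^n) alpha_n f g)*."""
    if n == 0:
        return 'eps'
    if n == 1:
        return ('star', ('cat', 'f', 'g'))
    m = 2 ** (n - 1)
    return ('star', ('cat', *['f'] * m, alpha(n - 1), 'f', 'g',
                     *['g'] * m, alpha(n - 1), 'f', 'g'))

# Example 11: p is tested twice on the same state, so g is never applied: val = {f, h}
S_EX11 = ('if', 'p', ('if', 'p', 'f', 'g'), 'h')
```

Note that $S_0$ is syntactically a while loop, so `while_depth(S_n(0))` is 1 rather than 0; the depth equals $n$ for every $n \ge 1$, which is the range Corollary 13 uses.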
From this theorem we can deduce a corollary which shows clearly the effect of the different notions of equivalence (program equivalence, scheme equivalence) and of the encodings by means of special data structures. While from the standpoint of recursion theory the number of nested loops can be bounded, such a limit does not exist from the standpoint of program scheme theory (because otherwise there would exist a limit on the star height of Dijkstra scheme languages). We express the main result of this section:

Corollary 13. (The WHILE Hierarchy of Dijkstra schemes) The hierarchy of nested while loops in Dijkstra schemes is strict, i. e. for every $n \in \mathbb{N}$ there exists a Dijkstra scheme $S_{n+1}$ such that $S_{n+1}$ uses $n + 1$ nested while loops and $S_{n+1}$ cannot be equivalent to any Dijkstra scheme with less than $n + 1$ nested while loops.
6 Conclusion and Discussion
Conclusion: By combining two well-known techniques we characterized the equivalence of Dijkstra schemes with respect to the inductive structure of the class of Dijkstra schemes. We have shown, by considering the star height of Dijkstra scheme languages, that renouncing coding mechanisms and special data structures leads to an infinite hierarchy concerning the number of nested while loops.

Discussion: Unfortunately Theorem 12 does not say anything about minimal signatures, i. e. signatures with one predicate symbol and one function symbol only. Since value languages of a Dijkstra scheme over such a signature are regular languages over a one-letter alphabet, the star height of the value language can only be 0 or 1. So the technique we used in our proof cannot be extended to such a signature, because the inequality $sh(val(S_n)) \le sh(L_{S_n})$ degenerates to $0 \le sh(L_{S_n})$ or $1 \le sh(L_{S_n})$, respectively. Thus the question is still open in this setting. Since it suffices to identify languages of arbitrary star height in the homomorphic images of the scheme languages, a possible approach might be a homomorphism which erases the function symbols instead of the Boolean vectors, yielding a regular language over the two-letter alphabet of truth values.

Acknowledgements: We would like to thank Klaus Indermark for the premise of this work, as well as Markus Mohnen and Thomas Wilke for the effort of reading a draft version of this paper.
Analysis of a guard condition in type theory (extended abstract)
Roberto M. Amadio, Solange Coupet-Grimal
Université de Provence, Marseille*
Abstract. We present a realizability interpretation of co-inductive types based on partial equivalence relations (per's). We extract from the per's interpretation sound rules to type recursive definitions. These recursive definitions are needed to introduce `infinite' and `total' objects of co-inductive type such as an infinite stream, a digital transducer, or a non-terminating process. We show that the proposed type system subsumes those studied by Coquand and Gimenez while still enjoying the basic syntactic properties of subject reduction and strong normalization with respect to a confluent rewriting system first put forward by Gimenez.
1 Introduction

Coquand proposes in [4] an approach to the representation of infinite objects such as streams and processes in a predicative type theory extended with co-inductive types. Related analyses on the role of co-inductive types (or definitions) in logical systems can be found in [14, 11] for the system F, [16] for the system HOL, and [20] for Beeson's Elementary theory of Operations and Numbers. Two important features of Coquand's approach are that: (1) Co-inductive types, and related constructors and destructors, are added to the theory, rather than being represented by second order types and related λ-terms, as in [7, 17]. (2) Recursive definitions of infinite objects are restricted so that consideration of partial elements is not needed. Thus this work differs from work on the representation of infinite structures in lazy programming languages like Haskell (see, e.g., [21]). In his thesis [8], Gimenez has carried on a realization of Coquand's programme in the framework of the calculus of constructions [5]. More precisely, he studies a calculus of constructions extended with a type of streams (i.e., finite and infinite lists), and proves subject reduction and strong normalization for a related confluent rewriting system. He also applies co-inductive types to the representation and mechanical verification of concurrent systems by relying on the Coq system [3] extended with co-inductive types (another case study can be found in [6]). In this system, processes can be directly represented in the logic as elements of a certain type. This approach differs sharply from those where, say, processes are represented at a syntactic level as elements of an inductively defined type (see, e.g., [15]). Clearly the representation based on co-inductive types is more direct because recursion is built-in. This may be a decisive advantage when carrying on formal proofs. Therefore, the issue is whether this representation is flexible enough, that is whether we can type enough objects and whether we can reason about their equality. These questions are solid motivations for our work.

* CMI, 39 rue Joliot-Curie, F-13453 Marseille, France. The first author was partially supported by CTI-CNET 95-1B-182, Action Incitative INRIA, IFCPAR 1502-1, WG Confer, and HCM Express. A preliminary version of this paper (including proofs) can be found in [1].

The introduction of infinite `total' objects relies on recursive definitions which are intuitively `guarded' in a sense frequently arising in formal languages [18]. An instance of the new typing rule in this approach is:

Γ, x : σ ⊢ M : σ    M # x    σ co-inductive type  ⟹  Γ ⊢ fix x.M : σ   (1)

This allows for the introduction of `infinite objects' in a `co-inductive type', by means of a `guarded' (recursive) definition. Of course, one would like to have notions of co-inductive type and of guarded definition which are as liberal as possible and that are supported by an intuitive, i.e., semantic, interpretation. In Coquand's proposal, the predicate M # x is defined by a straightforward analysis of the syntactic structure of the term. This is a syntactic approximation of the main issue, that is to know when the recursive definition fix x.M determines a unique total object. To answer this question we interpret co-inductive types in the category of per's (partial equivalence relations), a category of total computations, and we find that the guard predicate M # x has a semantic analogue which can be stated as follows:

∀α ((d, e) ∈ F^α ⇒ (⟦M⟧[d/x], ⟦M⟧[e/x]) ∈ F^{α+1})   (2)

where F is a monotonic function on per's associated to the co-inductive type σ, and F^α is its αth iteration, for α an ordinal. We propose to represent condition (2) in the syntax by introducing some extra notation. With the side conditions of rule (1), we introduce two types σ^α and σ^{α+} which are interpreted respectively by F^α and F^{α+1}. We can then replace the guard condition M # x by the typing judgment x : σ^α ⊢ M : σ^{α+} whose interpretation is basically condition (2). The revised typing system also includes: (1) Subtyping rules which relate a co-inductive type to its approximations σ^α and σ^{α+}, so that we will have: σ ≤ σ^{α+} ≤ σ^α. (2) Rules which overload the constructors of the co-inductive type, e.g., if f : σ → σ
is a unary constructor over σ, then f will also have the type σ^α → σ^{α+} (to be understood as ∀ x ∈ F^α ⇒ f(x) ∈ F^{α+1}). The types σ → σ and σ^α → σ^{α+} will be incomparable with respect to the subtyping relation. The idea of expressing the guard condition via approximating types, subtyping, and overloading can be traced back to Gimenez's system. Our contribution here is to provide a semantic framework which: (1) Justifies and provides an intuition for the typing rules. In particular, we will see how it is possible to understand semantically Gimenez's system. (2) Suggests new typing rules and simplifications of existing ones. In particular, we propose: (i) a rule to type nested recursive definitions, and (ii) a way to type recursive definitions without labelling types. (3) Can be readily adapted to prove strong normalization with respect to the confluent reduction relation introduced by Gimenez.
2 A simply typed calculus

We will carry on our study in a simply typed λ-calculus extended with co-inductive types.² Let F be a countable set of constructors. We let f1, f2, ... range over F. Let tv be the set of type variables t, s, ... The language of raw types is given by the following (informal) grammar:

τ ::= tv | (τ → τ′) | μtv.(f1 : τ1 → tv, ..., fk : τk → tv)   (3)

where τi → tv stands for τi,1 → ... → τi,ni → tv (→ associates to the right), and all fi are distinct. Intuitively, a type of the shape μt.(f1 : τ1 → t, ..., fk : τk → t) is well-formed if the type variable t occurs positively in the well-formed types τi,j, for i = 1...k, j = 1...ni. Note that the type variable t is bound by μ and it can be renamed. We call types of this shape co-inductive types; the symbols f1, ..., fk represent the constructors of the type. We will denote co-inductive types with the letters σ, σ′, σ1, ..., and unless specified otherwise, we will suppose that they have the generic form in (3). A precise definition of the well-formed types is given as follows.

Definition 1 (types). If τ is a raw type and s is a type variable then the predicates wf(τ) (well-formed), pos(s, τ) (positive occurrence only), and neg(s, τ) (negative occurrence only) are the least predicates which satisfy the following conditions. (1) If t ∈ tv then wf(t), pos(s, t), and neg(s, t) provided t ≠ s. (2) If wf(τ) and wf(τ′) then wf(τ → τ′). Moreover, pos(s, τ → τ′) if pos(s, τ′) and neg(s, τ), and neg(s, τ → τ′) if neg(s, τ′) and pos(s, τ). (3) If σ = μt.(f1 : τ1 → t, ..., fk : τk → t) and t ≠ s (otherwise rename t) then wf(σ) provided wf(τi,j) and pos(t, τi,j) for i = 1...k, j = 1...ni. Moreover, pos(s, σ) if pos(s, τi,j) for i = 1...k, j = 1...ni, and neg(s, σ) if neg(s, τi,j) for i = 1...k, j = 1...ni.

Example 1. Here are a few examples of well-formed co-inductive types where we suppose that the type τ is not bound by μ. (1) Infinite streams over τ: μs.(cons : τ → (s → s)). (2) Input-output processes over τ: μp.(nil : p, ! : τ → p → p, ? : (τ → p) → p). (3) An involution: μt.(inv : ((t → τ) → τ) → t). Definition 1 allows mutually recursive definitions. For instance, we can define processes over streams over processes ...:

σ = μt.(nil : t, ! : σ′ → t → t, ? : (σ′ → t) → t)    σ′ = μs.(cons : t → s → s).
² Per's interpretations support other relevant extensions of the type theory, including second-order types (see, e.g., [13]) and inductive types (see, e.g., [12]). As expected, an inductive type, e.g., μt.(nil : t, cons : o → t → t), is interpreted as the least fixpoint of the operator F described in section 3. It follows that there is a natural subtyping relation between the inductive type and the corresponding co-inductive type μt.(nil : t, cons : o → t → t).
These mutually recursive definitions lead to some complication in the typing of constructors. For instance, the type of cons should be [σ/t](t → σ′ → σ′), and moreover we have to make sure that all occurrences of a cons have the same type (after unfolding). To make our analysis clearer, we prefer to gloss over these technical issues by taking a stronger definition of positivity. Thus, in the case (3) of definition 1, we say pos(s, σ) (or neg(s, σ)) if s does not occur free in σ. In this way a type variable which is free in a co-inductive type cannot be bound by a μ. Let v be the set of term variables x, y, ... A context Γ is a possibly empty list x1 : τ1, ..., xn : τn where all xi are distinct. Raw terms are defined by the following grammar:

M ::= v | (λv.M) | (MM) | f_σ | case_σ | (fix v.M)   (4)
We denote with FV(M) the set of variables occurring free in the term M. The typing rules are defined as follows:

x : τ ∈ Γ  ⟹  Γ ⊢ x : τ

Γ, x : τ ⊢ M : τ′  ⟹  Γ ⊢ λx.M : τ → τ′

Γ ⊢ M : τ′ → τ    Γ ⊢ N : τ′  ⟹  Γ ⊢ MN : τ

Assuming σ = μt.(f1 : τ1 → t, ..., fk : τk → t) and ρ → σ ≡ τ′1 → ... → τ′m → σ (m ≥ 0):

Γ ⊢ fi,σ : [σ/t]τi,1 → ... → [σ/t]τi,ni → σ

Γ ⊢ case_σ : σ → ([σ/t]τ1 → τ′) → ... → ([σ/t]τk → τ′) → τ′

Γ, x : ρ → σ ⊢ M : ρ → σ    M # x  ⟹  Γ ⊢ fix x.M : ρ → σ

The guard predicate `M # x' is left unspecified. Intuitively, this predicate has to guarantee that a recursive definition does determine a unique `total' object. Before trying a formal definition, we will consider a few examples of recursive definitions, where we use the notation let x = M in N for (λx.N)M, and let application associate to the left.
Example 2. Let o be a basic type of numerals with constants 0 : o and suc : o → o. Let us first consider the type of infinite streams of numerals, with destructors head and tail:

σ1 = μt.(cons : o → (t → t))    hd = λx.case_{σ1} x (λn.λy.n)    tl = λx.case_{σ1} x (λn.λy.y).

(1) We can introduce an infinite list of 0's as follows: fix x.cons_{σ1} 0 x. (2) We can also define a function which adds 1 to every element of a stream: fix add1.λx.case_{σ1} x (λn.λx′.cons_{σ1} (suc n) (add1 x′)). (3) Certain recursive definitions should not type, e.g., fix x.cons_{σ1} 0 (tl x). The equation does not determine a stream, as all streams of the form cons_{σ1} 0 z′ give a solution. (4) The function db doubles every element in the stream: fix db.λx.let n = (hd x) in cons_{σ1} n (cons_{σ1} n (db (tl x))). (5) Next we work over the type σ2 of finite and infinite streams. The function C concatenates two streams:

σ2 = μt.(nil : t, cons : o → t → t)    C ≡ fix conc.λx.λy.case_{σ2} x y (λn.λx′.(cons_{σ2} n (conc x′ y))).

(6) Finally, we consider the type σ3 of infinite binary trees whose nodes may have two colours, and the following recursive definition:

σ3 = μt.(bin1 : t → t → t, bin2 : t → t → t)    fix x.bin1_{σ3} x (fix y.bin2_{σ3} x y).
We recall next Coquand's definition [4] of the guard predicate in the case the type theory includes just one co-inductive type, say σ = μt.(nil : t, cons : o → t → t).

Definition 2. Supposing Γ, x : ρ → σ ⊢ M : ρ → σ, we write M # x if the judgment Γ, x : ρ → σ ⊢ M #1^{ρ→σ} x can be derived by the following rules, where n ranges over {0, 1}. The intuition is that `x is guarded by at least a constructor in M'. For the sake of readability, we omit in the premisses the conditions that x : ρ → σ ∈ Γ and the terms have the right type.

Γ, y : τ ⊢ M #n^{τ′} x    y ≠ x  ⟹  Γ ⊢ λy.M #n^{τ→τ′} x

x ∉ FV(M)  ⟹  Γ ⊢ M #n^{τ} x

x ∉ FV(M1)    Γ ⊢ M2 #0^{σ} x  ⟹  Γ ⊢ cons M1 M2 #1^{σ} x

x ∉ FV(M1)    Γ ⊢ M2 #0^{σ} x  ⟹  Γ ⊢ cons M1 M2 #0^{σ} x

x ∉ FV(N)    Γ ⊢ M1 #n^{τ} x    Γ ⊢ M2 #n^{o→σ→τ} x  ⟹  Γ ⊢ case N M1 M2 #n^{τ} x

x ∉ FV(Mj)  (j = 1...m)  ⟹  Γ ⊢ x M1 ... Mm #0^{σ} x
Coquand's definition is quite restrictive. In particular: (i) it is unable to traverse β-redexes as in example 2(4), and (ii) it does not cope with nested recursive definitions as in example 2(6). We present in the next section a simple semantic framework which clarifies the typing issues and suggests a guard condition more powerful than the one above.
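As an added example (not code from the paper), the following Python checker implements the rules of Definition 2 over a small raw-term syntax and runs them on the recursive definitions of Example 2, restated over the nil/cons type; as in the paper's presentation, the type labels on the judgments and the well-typedness side conditions are left out, and the destructors hd and tl are treated as opaque constants.

```python
from dataclasses import dataclass
from typing import Union

# Added example: a checker for Coquand's syntactic guard predicate M # x
# (Definition 2) over raw terms of the single co-inductive type
#   sigma = mu t.(nil : t, cons : o -> t -> t).
# Type labels and well-typedness side conditions are omitted, as in the paper.


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


@dataclass(frozen=True)
class Const:
    name: str  # nil, cons, case, numerals, suc, hd, tl: all closed terms


Term = Union[Var, Lam, App, Const]


def fv(t: Term) -> frozenset:
    """FV(M): the set of variables occurring free in M."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, Lam):
        return fv(t.body) - {t.var}
    if isinstance(t, App):
        return fv(t.fun) | fv(t.arg)
    return frozenset()


def spine(t: Term):
    """Split an application M N1 ... Nm into its head M and arguments [N1..Nm]."""
    args = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]


def guarded(m: Term, x: str, n: int = 1) -> bool:
    """Decide the judgment  M #n x  for n in {0, 1} by the rules of Definition 2.

    n = 1 demands that every occurrence of x sits under at least one
    constructor; n = 0 also permits a bare application x M1 ... Mm.
    A definition  fix x.M  is accepted when  M #1 x  holds.
    """
    if x not in fv(m):                        # x not in FV(M)  =>  M #n x
        return True
    if isinstance(m, Lam):                    # lambda y.M with y != x
        return m.var != x and guarded(m.body, x, n)
    head, args = spine(m)
    if head == Const("cons") and len(args) == 2:
        # cons M1 M2 #n x  if  x not in FV(M1)  and  M2 #0 x   (n = 0 or 1)
        m1, m2 = args
        return x not in fv(m1) and guarded(m2, x, 0)
    if head == Const("case") and len(args) == 3:
        # case N M1 M2 #n x  if  x not in FV(N),  M1 #n x  and  M2 #n x
        scrut, m1, m2 = args
        return x not in fv(scrut) and guarded(m1, x, n) and guarded(m2, x, n)
    if head == Var(x):
        # x M1 ... Mm #0 x  if  x not in FV(Mj) for every j;  never at level 1
        return n == 0 and all(x not in fv(a) for a in args)
    # No rule applies: a beta-redex (lambda n.M) N at the head, or a defined
    # destructor such as tl applied to x, is not traversed.
    return False


def app(f: Term, *args: Term) -> Term:
    """Left-associated application f a1 ... am."""
    for a in args:
        f = App(f, a)
    return f


# Constructed bodies of the recursive definitions of Example 2 (nil/cons type).
CONS, CASE, NIL = Const("cons"), Const("case"), Const("nil")
ZERO, SUC, HD, TL = Const("0"), Const("suc"), Const("hd"), Const("tl")

# (1)  fix x. cons 0 x                       -- the infinite stream of 0's
ZEROS = app(CONS, ZERO, Var("x"))
# (2)  fix add1. lambda x. case x nil (lambda n. lambda x'. cons (suc n) (add1 x'))
ADD1 = Lam("x", app(CASE, Var("x"), NIL,
                    Lam("n", Lam("x'", app(CONS, app(SUC, Var("n")),
                                            app(Var("add1"), Var("x'")))))))
# (3)  fix x. cons 0 (tl x)                  -- does not determine a stream
BAD = app(CONS, ZERO, app(TL, Var("x")))
# (4)  fix db. lambda x. let n = hd x in cons n (cons n (db (tl x)))
DB = Lam("x", App(Lam("n", app(CONS, Var("n"),
                              app(CONS, Var("n"),
                                  app(Var("db"), app(TL, Var("x")))))),
                  app(HD, Var("x"))))


def check_examples() -> dict:
    """Which of the four definitions Coquand's syntactic guard accepts."""
    return {"zeros": guarded(ZEROS, "x"), "add1": guarded(ADD1, "add1"),
            "cons0_tl": guarded(BAD, "x"), "db": guarded(DB, "db")}


if __name__ == "__main__":
    print(check_examples())
```

Definition (4) is rejected only because its body is a β-redex, which is exactly the limitation (i) noted above; the revised system of section 3 accepts it.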
3 Interpretation

In this section we present an interpretation of the calculus in the well-known category of partial equivalence relations (per's) over a λ-model (cf., e.g., [19]). Let (D, ·, k, s, ε) be a λ-model (cf. [2]). We often write de for d · e. We denote with A, B, ... binary relations over D. We write d A e for (d, e) ∈ A and we set: [d]_A = {e ∈ D | d A e}, |A| = {d ∈ D | d A d}, and [A] = {[d]_A | d ∈ |A|}.
Definition 3 (partial equivalence relations). Let D be a λ-model. The category of per's over D (per_D) is defined as follows:

per_D = {A | A ⊆ D × D and A is symmetric and transitive}
per_D[A, B] = {f : [A] → [B] | ∃ φ ∈ D (φ ⊩ f)}
φ ⊩ f : [A] → [B]  iff  ∀ d ∈ D (d ∈ |A| ⇒ φd ∈ f([d]_A)).

We will use the λ-notation to denote elements of the λ-model D. E.g., λx.x ⊩ f stands for ⟦λx.x⟧_D ⊩ f. The category per_D has a rich structure, in particular it has finite products, finite sums, and exponents, whose construction is recalled below.

d (A1 × ... × An) e  iff  ∀ i ∈ {1...n} (pi d) Ai (pi e), where pi = λu.u(λx1...xn.xi)
pi ⊩ πi : [Π_{i=1...n} Ai] → [Ai]
φi ⊩ fi : [C] → [Ai]  ⇒  λd.λu.u(φ1 d)...(φn d) ⊩ ⟨f1 ... fn⟩ : [C] → [Π_{i=1...n} Ai]

d (A1 + ... + An) e  iff  ∃ i ∈ {1...n} (d = (ji d′), e = (ji e′) and d′ Ai e′), where ji = λu.λy1...yn.yi u
ji ⊩ ini : [Ai] → [Σ_{i=1...n} Ai]
φi ⊩ fi : [Ai] → [C]  ⇒  λd.d φ1 ... φn ⊩ [f1 ... fn] : [Σ_{i=1...n} Ai] → [C]

d (A → B) e  iff  ∀ d′, e′ (d′ A e′ ⇒ (dd′) B (ee′)), where
λd.(p1 d)(p2 d) ⊩ ev : [B^A × A] → B
φ ⊩ f : [C × A] → [B]  ⇒  λd.λd′.φ(λu.(ud)d′) ⊩ Λ(f) : [C] → [B^A].

As degenerate cases of empty product and empty sum we get terminal and initial objects: 1 = D × D with λx.x ⊩ f : [A] → 1, and 0 = ∅ with λx.x ⊩ f : [0] → [A]. We denote with η : tv → per_D type environments. The interpretation of type variables and higher types is then given as follows: ⟦t⟧η = η(t), ⟦τ → τ′⟧η = ⟦τ⟧η → ⟦τ′⟧η. As for co-inductive types, given a type σ = μt.(f1 : τ1 → t, ..., fk : τk → t), and a type environment η, we define a function F_{σ,η} on per_D as follows:

F_{σ,η}(A) = Σ_{i=1...k} (Π_{j=1...ni} ⟦τi,j⟧η[A/t])   (5)

We then observe that per_D is a complete lattice with respect to set-inclusion, and that thanks to the positivity condition in the definition of co-inductive type, F_{σ,η} is monotonic on per_D.
Therefore we can define (gfp stands for greatest fixpoint):

⟦σ⟧η = ∪{A | A ⊆ F_{σ,η}(A)} (= gfp(F_{σ,η}))   (6)

In general, if f is a monotonic function over a poset with greatest element ⊤ and glb's, we define the iteration f^α, for α an ordinal, as follows:

f^0 = ⊤    f^{α+1} = f(f^α)    f^λ = ⋀_{α<λ} f^α (λ a limit ordinal).

With this notation, we have gfp(F_{σ,η}) = F^α_{σ,η} for some ordinal α. Since per_D is a CCC there is a canonical interpretation of the simply typed λ-calculus. The interpretation of constructors and case is driven by equation (5). Note that to validate the typing rules it is enough to know that the interpretation of a co-inductive type is a fixpoint of the related functional defined by equation (5) (as a matter of fact, these rules are sound also for inductive types). The interpretation of fix is more problematic (and represents the original contribution of this section as far as semantics is concerned). We proceed as follows: We define an erasure function er from the terms in the language to (pure) untyped λ-terms, and we interpret the untyped λ-terms in the λ-model D. This interpretation is always well-defined as the λ-model accommodates arbitrary recursive definitions. We see what it takes for the interpretation of (the erasure of) a fixpoint to be in the corresponding type interpretation, and we derive a suitable guard condition which is expressed by additional typing rules in a suitably enriched language. We prove soundness of the interpretation with respect to the enriched typing system.
Definition 4 (erasure). We define an erasure function from terms to (pure) untyped λ-terms, by induction on the structure of the term (assuming σ = μt.(f1 : τ1 → t, ..., fk : τk → t)).

er(x) = x
er(λx.M) = λx.er(M)
er(MN) = er(M) er(N)
er(fi,σ) = λx1...xni.λy1...yk.yi(λu.u x1...xni)
er(case_σ) = λx.λy1...yk.x U(y1)...U(yk)  with  U(yi) = λu.yi(p1 u)...(pni u)
er(fix x.M) = Y(λx.er(M))  with  Y = λf.(λx.f(xx))(λx.f(xx)).

If ni = 0 then we have er(fi,σ) = λy1...yk.yi(λu.u) and U(yi) = λu.yi. If k = 1 then the definitions simplify to er(f1,σ) = λx1...xn1.λu.u x1...xn1 and er(case_σ) = λx.λy1.y1(p1 x)...(pn1 x).
The erasures of fi,σ and case_σ are designed to fit the per interpretation of co-inductive types; in particular they rely on the definition of sum and product in per_D. We sketch with an informal notation an instance of our semantic analysis. We write ⊨ P : σ if ⟦P⟧_D ∈ |⟦σ⟧|. The typing rule for recursive definitions is sound if we can establish:

⊨ Y(λx.er(M)) : σ.   (7)

Given the iterative definition of the interpretation of the co-inductive type σ, we can try to prove:

∀α ordinal  ⊨ Y(λx.er(M)) : F^α   (8)

by induction on the ordinal α. The case α = 0 is trivial since F^0 = 1, and the case α a limit ordinal follows by an exchange of universal quantifications. For the case α = α′ + 1, it would be enough to know:

∀α (⊨ Y(λx.er(M)) : F^α  ⇒  ⊨ Y(λx.er(M)) : F^{α+1}).   (9)

Since Y(λx.er(M)) = [Y(λx.er(M))/x]M, property (9) is implied by the following property:

∀α, P (⊨ P : F^α  ⇒  ⊨ [P/x]er(M) : F^{α+1}).   (10)

In order to represent this condition in the syntax, we parameterize the type interpretation on an ordinal α, and we introduce types σ^α and σ^{α+} so that ⟦σ^α⟧ = F^α and ⟦σ^{α+}⟧ = F^{α+1}. Property (10) is then expressed by the judgment x : σ^α ⊢ M : σ^{α+}. Let T be the set of types specified in definition 1. We define the set T′ as the least set such that: (i) T ⊆ T′, (ii) if σ ∈ T is a co-inductive type then σ^α ∈ T′ and σ^{α+} ∈ T′, and (iii) if τ ∈ T′ and τ′ ∈ T′ then τ → τ′ ∈ T′. We also define the set T^+ as the set of types in T′ such that all types of the form σ^α and σ^{α+} appear in positive position (the interpretation of these types is going to be anti-monotonic in the ordinal). If Γ is a context then T(Γ) = {τ | x : τ ∈ Γ}. The revised typing system contains the typing rules presented in section 2 (applied with the enriched set of types) but for the rule for fix, which is replaced by the rules displayed below. Of course, all the rules are applied on the enriched set of types, and under the hypothesis that all types are well-formed.

Assuming σ = μt.(f1 : τ1 → t, ..., fk : τk → t) and ρ → σ ≡ τ′1 → ... → τ′m → σ (m ≥ 0):
T(Γ) ∪ {τ′1 ... τ′m} ⊆ T    Γ, x : ρ → σ ⊢ M : ρ → σ    Γ, x : ρ → σ^α ⊢ M : ρ → σ^{α+}  ⟹  Γ ⊢ fix x.M : ρ → σ

T(Γ) ∪ {τ′1 ... τ′m} ⊆ T^+    Γ, x : ρ → σ^α ⊢ M : ρ → σ^{α+}  ⟹  Γ ⊢ fix x.M : ρ → σ^{α+}

Γ ⊢ fi,σ : [σ^α/t]τi,1 → ... → [σ^α/t]τi,ni → σ^{α+}

Γ ⊢ case_σ : σ^{α+} → ([σ^α/t]τ1 → τ′) → ... → ([σ^α/t]τk → τ′) → τ′

Γ ⊢ M : τ    τ ≤ τ′  ⟹  Γ ⊢ M : τ′

σ ≤ σ^{α+}    σ^{α+} ≤ σ^α    τ2 ≤ τ1, τ′1 ≤ τ′2  ⟹  τ1 → τ′1 ≤ τ2 → τ′2

We give some motivation and intuition for these rules. In the first rule, the condition M # x is replaced by the typing judgment Γ, x : ρ → σ^α ⊢ M : ρ → σ^{α+}. The second rule for fix is used to type nested fixpoints as in example 2(6). In the rules for fix, the side conditions T(Γ) ∪ {τ′1 ... τ′m} ⊆ T and T(Γ) ∪ {τ′1 ... τ′m} ⊆ T^+ guarantee independence and anti-monotonicity, respectively, of the type interpretation with respect to the ordinal parameter.
The additional rule for the constructors fi,σ is needed to introduce terms of type σ^{α+}. Note that in this way we overload the constructors fi,σ by giving them two related types (but incomparable with respect to subtyping). There is also a related rule which overloads the destructor case_σ. The following rules just state the subtyping relations between σ, σ^α, and σ^{α+}, and the way this relation is lifted to higher order. The obvious transitivity rule for the subtyping relation can be derived. Types with the relation ≤ form a quite simple partial order. In particular, if R = ≤ ∪ ≤^{-1} then {τ′ | τ R τ′} is finite. We state some basic properties of the typing system.
Lemma 5. (1) Exchange. If Γ, x : τ1, y : τ2, Γ′ ⊢ M : τ then Γ, y : τ2, x : τ1, Γ′ ⊢ M : τ (with a proof of the same depth). (2) Remove. If Γ, x : τ′ ⊢ M : τ and x ∉ FV(M), then Γ ⊢ M : τ. (3) Weakening (restricted). If Γ ⊢ M : τ, x fresh, and either τ′ ∈ T or x does not occur in M then Γ, x : τ′ ⊢ M : τ. (4) Transitivity. If ⊢ τ ≤ τ′ and ⊢ τ′ ≤ τ″ then ⊢ τ ≤ τ″. (5) Substitution. If Γ, x : τ′ ⊢ M : τ and Γ ⊢ N : τ′ then Γ ⊢ [N/x]M : τ.
The terms typable using Coquand's guard condition are strictly contained in the terms typable in the proposed typing system (as a matter of fact, all examples in 2 (but (3) of course) can be typed). This is a consequence of the following lemma.

Lemma 6. (1) If Γ, x : ρ → σ ⊢ M : τ, x ∉ FV(M), and M has no occurrence of x, then Γ, x : ρ → σ^α ⊢ M : τ. (2) If Γ, x : ρ → σ ⊢ M #0^{ρ→σ} x then Γ, x : ρ → σ^α ⊢ M : ρ → σ^α. (3) If Γ, x : ρ → σ ⊢ M #1^{ρ→σ} x then Γ, x : ρ → σ^α ⊢ M : ρ → σ^{α+}.
We parameterize the type interpretation on an ordinal α, and we define for σ = μt.(f1 : τ1 → t, ..., fk : τk → t):

⟦t⟧η,α = η(t)    ⟦σ⟧η,α = gfp(F_{σ,η,α})    ⟦σ^α⟧η,α = F^α_{σ,η,α}
⟦τ → τ′⟧η,α = ⟦τ⟧η,α → ⟦τ′⟧η,α    F_{σ,η,α}(A) = Σ_{i=1...k} (Π_{j=1...ni} ⟦τi,j⟧η[A/t],α)    ⟦σ^{α+}⟧η,α = F^{α+1}_{σ,η,α}

Remark. If τ ∈ T then ⟦τ⟧η,α does not depend on α. In particular, if σ^α ∈ T′ or σ^{α+} ∈ T′ then σ ∈ T and therefore F_{σ,η,α} = F_{σ,η}. If τ ∈ T^+ and α ≤ α′ then ⟦τ⟧η,α′ ⊆ ⟦τ⟧η,α, since the types of the shape σ^α and σ^{α+} occur in positive position. Let us now consider the soundness of the typing rules. If P is a pure λ-term, we write x1 : τ1, ..., xn : τn ⊨ P : τ if ∀ η, α ((∀ i ∈ {1...n} di ⟦τi⟧η,α d′i) ⇒ (⟦P⟧[d/x] ⟦τ⟧η,α ⟦P⟧[d′/x])).
Proposition 7 (soundness). If Γ ⊢ M : τ then Γ ⊨ er(M) : τ.

It follows from proposition 7 that: ⊢ M : τ ⇒ ⟦er(M)⟧ ∈ |⟦τ⟧|. This result justifies the interpretation of a typed term as the equivalence class of its erasure (it is straightforward to adapt this interpretation to take into account contexts and environments). Thus, if ⊢ M : τ, then we set ⟦M⟧ = [⟦er(M)⟧]_{⟦τ⟧}. Clearly, there is a trade-off between power and simplicity/decidability of the type system. Our contribution here is to offer a framework in which this trade-off can be studied, and to extract from it one possible type system. We will see in section 4 that this `experimental' type system has some desirable syntactic properties, and we will discuss its relationships with Gimenez's system. We hint here, by example, at limits and possible extensions of the system. (1) The following two definitions `make sense' but are not typable. Here we work with the type of infinite streams σ = μt.(cons : o → t → t):

- If x is a stream of numerals we denote with x_i its ith element. We define a function F such that F(x)_i = (suc^{(2^i)} x_i), for i ∈ ω:

F ≡ fix f.λx.cons (suc(hd x)) (f (f (tl x))).   (11)

- A `constant' definition which determines the infinite stream of 0's: fix x.case x (λn.λy.(fix x′.cons 0 x′)).
(2) We can soundly generalize the two rules for fix as follows:

T(Γ) ∪ {τ′1 ... τ′m} ⊆ T    pos(t, τ′i)    Γ, x : [σ/t](ρ → t) ⊢ M : [σ/t](ρ → t)    Γ, x : [σ^α/t](ρ → t) ⊢ M : [σ^{α+}/t](ρ → t)  ⟹  Γ ⊢ fix x.M : [σ/t](ρ → t)

T(Γ) ∪ {τ′1 ... τ′m} ⊆ T^+    pos(t, τ′i)    Γ, x : [σ^α/t](ρ → t) ⊢ M : [σ^{α+}/t](ρ → t)  ⟹  Γ ⊢ fix x.M : [σ̃/t](ρ → t)   (12)

where σ̃ ∈ {σ^α, σ^{α+}}. These rules are particularly powerful and will be analysed in a forthcoming paper. For instance, they can be used to type: the representation of a sequential circuit as a function over streams of booleans (we found the rules trying this example), the example (11) above, and a tail append function. (3) One may consider the extension of the type system with a finite or infinite hierarchy of approximating types, say: σ^{α+++} ≤ σ^{α++} ≤ σ^{α+} ≤ σ^α. Next we turn to equations. We say that an equation M = N : τ is valid in the per interpretation if ∀ Γ (Γ ⊢ M : τ and Γ ⊢ N : τ ⇒ Γ ⊨ M = N : τ), where x1 : τ1, ..., xn : τn ⊨ M = N : τ if ∀ η, α ((∀ i ∈ {1...n} di ⟦τi⟧η,α d′i) ⇒ ⟦er(M)⟧[d/x] ⟦τ⟧η,α ⟦er(N)⟧[d′/x]). Reasoning at the level of erasures, it is easy to derive some valid equations.
Proposition 8 (valid equations). The following equations are valid in the per interpretation:

(β)  (λx.M)N = [N/x]M : τ
(η)  λx.(Mx) = M : τ → τ′    x ∉ FV(M)
(case)  (case_σ (fi,σ M1 ... Mni) N⃗) = Ni M1 ... Mni : τ
(caseη)  (case_σ x f1,σ ... fk,σ) = x : σ
(fix)  fix x.M = [fix x.M/x]M : ρ → σ.
The following proposition introduces an important principle to prove the equality of terms of co-inductive type.
Proposition 9 (unique fixed point). Suppose Γ ⊢ N : ρ → σ, Γ ⊢ N′ : ρ → σ, Γ, x : ρ → σ^α ⊢ M : ρ → σ^{α+}, and T(Γ) ∪ {ρ} ⊆ T. Then Γ ⊨ [N/x]M = N : ρ → σ and Γ ⊨ [N′/x]M = N′ : ρ → σ implies Γ ⊨ N = N′ : ρ → σ.

Proposition 9 resembles Banach's theorem: contractive functions have a unique fixed point (in our case, `contractive' is replaced by `guarded'). Combining with unfolding (fix), one can then prove equivalences such as (cf. [18]):

fix x.cons n (cons n x) = fix x.cons n x : σ.
An interesting question is whether the interpretation identifies as many closed terms of co-inductive type as possible. We consider this question for the type of streams of numerals σ = μt.(cons : o → t → t) (cf. example 2) and leave the generalization to a following paper. Suppose that for M, N closed terms of type o we have: M = N : o iff ⟦M⟧ = ⟦N⟧, where the left equality denotes conversion. We define a simulation relation ≈_ω ⊆ T⁰ × T⁰ over the closed terms of type σ, say T⁰, as ≈_ω = ⋂_{n∈ω} ≈_n where:

≈_0 = T⁰ × T⁰    ≈_{n+1} = {(M, N) | hd M = hd N and (tl M, tl N) ∈ ≈_n}.   (13)

Equivalently, we can characterize ≈_ω as: M ≈_ω N iff ∀ n ∈ ω hd(tl^n M) = hd(tl^n N). Clearly ≈_ω is the largest (sensible) equivalence we can expect on T⁰. We can show that this equivalence is precisely that induced by the per's interpretation.

Proposition 10. Let M, N ∈ T⁰. Then M ≈_ω N iff ⟦M⟧ = ⟦N⟧.
4 Reduction

It is easy to see that the equality induced by the per's interpretation on co-inductive types is in general undecidable (e.g., let the nth element of a stream witness the termination of a Turing machine after n steps). In the presence of dependent types (like in the Calculus of Constructions), it is imperative to have a theory of conversion which is decidable. Thus the approach is to: (i) Consider a weaker (but decidable) notion of conversion on terms, and (ii) Define in the logical system a notion of term equivalence which captures the intended meaning, e.g., using a notion of simulation as in (13). A standard way to achieve decidability for an equational theory is to exhibit a rewriting system which is confluent and terminating. In order to achieve termination, the unfolding of fixpoints has to be restricted somehow. Gimenez has proposed a solution in which fix is unfolded only under a case. Intuitively, fix is considered as an additional constructor which can be simplified only when it meets the corresponding destructor.³ In the following we will simplify the matter by ignoring the extensional rules:

(λx.M)N → [N/x]M
case_σ (fi,σ M⃗) N⃗ → Ni M⃗
case_σ ((fix x.M) M⃗) N⃗ → case_σ (([fix x.M/x]M) M⃗) N⃗.

We also denote with → the compatible closure of the rules above. It is easily seen that the resulting rewriting system is locally confluent. Subject reduction is stated as follows.

Proposition 11. If Γ ⊢ M : τ and M → M′ then Γ ⊢ M′ : τ.

The strong normalization proof is based on an interpretation of types as reducibility candidates. We outline the construction (which is quite similar to the one for per's) by assuming that there is just one ground type o and one co-inductive type σ = μt.(cons : o → t → t). Let SN be the set of strongly normalizing terms. We say that a term is not neutral if it has the shape (we omit the type labels on cons and case):

λx.M,  cons M⃗,  (fix x.M) M⃗,  case,  case (cons M1 M2),  case ((fix x.M) M⃗).

We note a fundamental property of neutral terms.

Lemma 12. If M is neutral, then for any term N, MN and case M N are neutral, and they are not redexes.

Therefore a reduction of MN (or case M N) is either a reduction of M or a reduction of N. Following closely [10], we define the collection of reducibility candidates.

Definition 13. The set of terms X belongs to the collection RC of reducibility candidates if: (C1) X ⊆ SN. (C2) If M ∈ X and M → M′ then M′ ∈ X. (C3) If M is neutral and ∀M′ (M → M′ ⇒ M′ ∈ X) then M ∈ X.

The following are standard properties of reducibility candidates (but for (P5) and (P6), which mutatis mutandis appear in [8]):
Proposition 14. The set RC enjoys the following properties: (P1) SN ∈ RC. (P2) If X ∈ RC then x ∈ X. Hence X ≠ ∅. (P3) If X, Y ∈ RC then X → Y = {M | ∀ N ∈ X (MN ∈ Y)} ∈ RC. (P4) If ∀ i ∈ I Xi ∈ RC then ⋂_{i∈I} Xi ∈ RC. (P5) If X ∈ RC then N(X) = {M | ∀ Y ∈ RC ∀ P ∈ SN → X → Y (case M P ∈ Y)} ∈ RC. (P6) If X ⊆ X′ then N(X) ⊆ N(X′).

³ Another possible approach is to stop unfolding under a constructor. However this leads to a non-confluent system (exactly as in a `weak' λ-calculus where reduction stops at λ's).
We can then define the type interpretation which is (again) parameterized on an ordinal α (of course, we take N^0 = SN):

⟦o⟧α = SN    ⟦τ → τ′⟧α = ⟦τ⟧α → ⟦τ′⟧α    ⟦σ⟧α = gfp(N)    ⟦σ^α⟧α = N^α    ⟦σ^{α+}⟧α = N^{α+1}.

We define x1 : τ1, ..., xn : τn ⊨_RC M : τ if ∀α ((∀ i ∈ {1...n} Pi ∈ ⟦τi⟧α) ⇒ [P1/x1 ... Pn/xn]M ∈ ⟦τ⟧α). We can then state the following result from which strong normalization immediately follows by taking Pi ≡ xi.

Proposition 15 (strong normalization). If Γ ⊢ M : τ then Γ ⊨_RC M : τ.

Remark. From these results, we can conclude that it is always better to normalize the body M of a recursive definition fix x.M before checking the guard condition, e.g., consider: M ≡ (λz.case z (λn.λz′.z′)) (cons n (cons n x)). This term cannot be typed, but if M′ is the normal form of M then fix x.M′ can be typed.

In his thesis, Gimenez has studied an extension of the calculus of constructions with the co-inductive type of finite and infinite streams (cf. example 2(5)). In the Coq system, the user can actually introduce other co-inductive types. Among the examples of co-inductive type considered in this paper, the type in example 1(3) is the only one which is rejected. The reason is that Coq relies on a stricter notion of positivity to avoid some consistency problems which arise at higher-order types [9]. It should be noted that the Coq implementation of co-inductive types was developed before the type theory was settled, and cannot be considered as a faithful implementation of it. We sketch a semantic reconstruction of Gimenez's system. In the interpretation studied in section 3, all approximating types are assigned the same ordinal. We might consider a more liberal system in which different ordinals can be assigned to different approximating types. However, to express the guard condition, we still need a linguistic mechanism to say in which cases the ordinal assignment really has to be the same. Following this intuition, we label the approximating types with the intention to assign an ordinal to each label. As before, we restrict our attention to the type of infinite streams, say σ with constructor cons : o → σ → σ. The collection of types is then defined as follows:

τ ::= o | σ | σ^x | σ^{x+1} | (τ → τ).   (14)

Roughly, we replace the type σ^α with the types σ^x and the type σ^{α+} with the types σ^{x+1}, where x is a label which we take for convenience as ranging over the set of term variables x, y, ... (any other infinite set would do). More precisely, if h denotes an assignment from variables to ordinals then we define a type interpretation parametric in h.
[ o]]h = O (for some chosen per O) [ ! 0] h = [ ]]h ! [ 0] h [ ]]h = gfp (F ) F (A) = O A x h (x) [ ]h = F [ x+1] h = F h(x)+1 :
If P is a pure -term, we write x1 : 1 : : :xn : n j= P : if
8 h ((8 i 2 f1 : : :ng di [ i ] h d0i ) ) ([[P]][d=x] [ ]]h [ P]][d =x])) : 0
We now turn to syntax. Let var () be the set ofSvariables which occur in the type . If , is a context, we also de ne var (,) = fvar () j x : 2 , g. If x is a variable, we de ne T + (x) as the set of types such that all subtypes of the form x or x+1 occur in positive position. Following the interpretation above, the typing rules for, e.g., x can be formulated as follows, where ! u 10 ! ! m0 ! u , m 0, u can be a label or nothing. S x 2= var (,) [ fvar (i0 ) j i = 1 : : :mg T(,) [ f 0 j i = 1 : : :mg T + (y) i ,; x : ! ` M : ! ,; x : ! y ` M : ! y+1 : ,; x : ! x ` M : ! x+1 , ` x x:M : ! y+1 , ` x x:M : ! Soundness can be proved as for proposition 7. When Gimenez's system is considered in a simply-typed framework, the following dierences appear with respect to the system with labelled types (ignoring some minor notational conventions): (1) Gimenez's typing system is presented in a `Church' style. More precisely, the variables bound by and x carry a type, and this type is used to constraint (in the usual way) the application of the related typing rules. (2) The subtyping rule for functional types ! 0 is missing. (3) The second rule for typing recursive de nitions is missing. Obviously these dierences imply that one can give less types to a term in Gimenez's system than in our system. To be fair, one has to notice that the presentation as a Church system and the absence of subtyping at higher-types is essentially justi ed by the complexity of the calculus of constructions, and by the desire to avoid too many complications at once. On the other hand, the lack of the second rule for x is, in our opinion, a genuine dierence, which moreover has an impact in practice, as the rule is needed to type nested recursive de nitions as that of example 2(6) and can be further generalized as shown in (12). A question which should be raised is whether the system with type labels is better in practice than the simpler system without type labels. 
So far, we could not nd any `natural' example suggesting a positive answer. 0
Acknowledgement. The first author would like to thank Eduardo Gimenez for providing the simply typed formulation of his system and explaining its motivations, and Alexandra Bac for a number of discussions on the type system presented here.
References
1. R. Amadio and S. Coupet-Grimal. Analysis of a guard condition in type theory (preliminary report). Technical Report TR 1997.245. Also appeared as RR INRIA 3300, Université de Provence (LIM), 1997. Available at http://protis.univmrs.fr/amadio.
2. H. Barendregt. The lambda calculus; its syntax and semantics. North-Holland, 1984.
3. Coq-project. The Coq proof assistant reference manual. Available at http://pauillac.inria.fr/coq, 1996.
4. T. Coquand. Infinite objects in type theory. In Types for proofs and programs, Springer Lect. Notes in Comp. Sci. 806, 1993.
5. T. Coquand and G. Huet. A calculus of constructions. Information and Computation, 76:95-120, 1988.
6. S. Coupet-Grimal and L. Jakubiec. Coq and hardware verification: a case study. In Proc. TPHOL, Springer Lect. Notes in Comp. Sci. 1125, 1996.
7. H. Geuvers. Inductive and coinductive types with iteration and recursion. In Proc. of Workshop on types for proofs and programs, Nordström et al. (eds.), pages 193-217, 1992. Available electronically.
8. E. Gimenez. Un calcul de constructions infinies et son application à la vérification de systèmes communicants. PhD thesis, ENS Lyon, 1996.
9. E. Gimenez. Personal communication. October 1997.
10. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types. Cambridge University Press, 1989.
11. F. Leclerc and C. Paulin-Mohring. Programming with streams in Coq. A case study: the sieve of Eratosthenes. In Proc. TYPES, Springer Lect. Notes in Comp. Sci. 806, 1993.
12. R. Loader. Equational theories for inductive types. Annals of Pure and Applied Logic, 84:175-218, 1997.
13. G. Longo and E. Moggi. Constructive natural deduction and its modest interpretation. Mathematical Structures in Computer Science, 1:215-254, 1992.
14. N. Mendler. Recursive types and type constraints in second-order lambda calculus. In Proc. IEEE Logic in Comp. Sci., 1987.
15. M. Nesi. A formalization of the process algebra CCS in higher order logic. Technical Report 278, Computer Laboratory, University of Cambridge, December 1992.
16. L. Paulson. Mechanizing coinduction and corecursion in higher-order logic. J. of Logic and Computation, 7(2):175-204, 1997.
17. C. Raffalli. L'arithmétique fonctionnelle du second ordre avec points fixes. PhD thesis, Université Paris VII, 1994.
18. A. Salomaa. Two complete systems for the algebra of complete events. Journal of the ACM, 13(1), 1966.
19. D. Scott. Data types as lattices. SIAM J. of Computing, 5:522-587, 1976.
20. M. Tatsuta. Realizability interpretation of coinductive definitions and program synthesis with streams. Theoretical Computer Science, 122:119-136, 1994.
21. S. Thompson. Haskell. The craft of functional programming. Addison-Wesley, 1996.
An Event Structure Semantics for P/T Contextual Nets: Asymmetric Event Structures*
Paolo Baldan(1), Andrea Corradini(1), and Ugo Montanari(2)**
(1) Dipartimento di Informatica - University of Pisa, Corso Italia, 40, 56125 Pisa, Italy
(2) Computer Science Laboratory - SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, USA
E-mail: {baldan, andrea, [email protected]
Abstract. We propose an event based semantics for contextual nets, i.e. an extension of Place/Transition Petri nets where transitions can also have context conditions, modelling resources that can be read without being consumed. The result is a generalization of Winskel's work on safe nets: the event based semantics is given at categorical level via a chain of coreflections leading from the category WS-CN of weakly safe contextual nets to the category Dom of finitary prime algebraic domains. A fundamental rôle is played by the notion of asymmetric event structures, which generalize Winskel's prime event structures following an idea similar to that of "possible flow" introduced by Pinna and Poigné. Asymmetric event structures have the usual causal relation of traditional prime event structures, but replace the symmetric conflict with a relation modelling asymmetric conflict or weak causality. Such a relation allows one to represent the new kind of dependency between events arising in contextual nets, as well as the usual symmetric conflict. Moreover it is used in a non-trivial way in the definition of the ordering of configurations, which is different from the standard set-inclusion.
1 Introduction

Contextual nets, as introduced in [14], extend classical Petri nets, a formalism for the specification of the behaviour of concurrent systems, with the possibility of handling contexts: in a contextual net transitions can have not only preconditions and postconditions, but also context conditions, which, intuitively, specify something that is necessary for the transition to be fired, but is not affected by the firing of the transition. In other words, a context can be thought of as an item which is read but not consumed by the transition, in the same way as preconditions can be considered as being read and consumed and postconditions as being simply written. Consistently with this view, the same token can be used as context by many transitions at the same time and with multiplicity greater than one by the same transition. Context conditions of [14] are also called test arcs in [5], activator arcs in [10] or read arcs in [18, 19]. The possibility of faithfully representing the "reading of resources" allows contextual nets to model many concrete situations more naturally than classical nets. In recent years they have been used to model concurrent access to shared data (e.g. reading in a database) [17, 7], to provide a concurrent semantics to concurrent constraint (CC) programs [13], to model priorities [9], and to specify a net semantics for the π-calculus [3]. Moreover they have been studied for their connections with another powerful formalism for the representation of concurrent computations, namely graph grammars [14, 6]. In this paper we consider marked contextual P/T nets (shortly c-nets), which, following the lines suggested in [14] for C/E systems, add contexts to classical P/T nets. The problem of giving a truly concurrent semantics based on (deterministic) processes has been faced by various authors (see, e.g., [9, 14, 4, 19]). Each process of a c-net records the events occurring in a single computation of the net and the relations existing between such events.

* Research partly supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) and by the EC Esprit WG APPLIGRAPH (Applications of Graph Transformation).
** On leave from University of Pisa, Computer Science Department.
[Figure 1: (a) a contextual net with places s0 and s and transitions t0 and t1; (b) a prime event structure with events t0, t1' and t1'', where t1' # t0.]
Fig. 1. A simple contextual net and a prime event structure representing its behaviour.

Here we provide (weakly safe) c-nets with a truly concurrent event structure semantics following another classical approach. Generalizing Winskel's construction for safe nets [20], we associate to each c-net an event structure that describes all the possible behaviours of the net. Recall that prime event structures (PES) are a simple event based model of (concurrent) computations in which events are considered as atomic, indivisible and instantaneous steps, which can appear only once in a computation. An event can occur only after some other events (its causes) have taken place, and the execution of an event can inhibit the execution of other events. This is formalized via two binary relations: causality, modelled by a partial order relation, and conflict, modelled by a symmetric and irreflexive relation, hereditary w.r.t. causality. When working with c-nets the main critical point is represented by the fact that the presence of context conditions leads to asymmetric conflicts or weak dependencies between events. To understand this basic concept, consider two transitions t0 and t1 such that the same place s is a context for t0 and a precondition for t1. Following [14], such a situation is represented pictorially as in Fig. 1(a), i.e., non-directed arcs are used to represent context conditions. The possible firing sequences are t0, t1 and t0; t1, while t1; t0 is not allowed. This situation cannot be modelled in a direct way within a traditional prime event structure: t0 and t1 are neither in conflict, nor concurrent, nor causally dependent. Simply, as for a traditional conflict, the firing of t1 prevents t0 from being executed, so that t0 can never follow t1 in a computation. But the converse is not true, since t0 can fire before t1. This situation can be naturally interpreted as an asymmetric conflict between the two transitions. Equivalently, since t0 precedes t1 in any computation where both are fired, in such computations t0 acts as a cause of t1. However, differently from a true cause, t0 is not necessary for t1 to be fired. Therefore we can also think of the relation between the two transitions as a weak form of causal dependency. A reasonable way to encode this situation in a PES is to represent the firing of t1 with two distinct mutually exclusive events (as shown in Fig. 1(b)): t1', representing the execution of t1 that prevents t0, thus mutually exclusive with t0, and t1'', representing the execution of t1 after t0 (caused by t0). This encoding can be unsatisfactory since it leads to a "duplication" of events (e.g., see [1]). The events of the prime event structure associated to a system would not represent the elementary actions of the system, but the possible histories of such actions. Several authors pointed out the inadequacy of event structures for faithfully modelling general concurrent computations and proposed alternative definitions of event structures (flow event structures [2], bundle event structures [11], prioritized event structures [8]).

Asymmetric conflicts have been specifically treated by Pinna and Poigné in [15, 16], where the "operational" notion of event automaton suggests an enrichment of prime event structures and flow event structures with possible causes. The basic idea is that if e is a possible cause of e' then e can precede e' or it can be ignored, but the execution of e never follows e'. This is formalized by introducing an explicit subset of possible events in prime event structures or by adding a "possible flow relation" in flow event structures. Similar ideas are developed, under a different perspective, in [8], where PES are enriched with a partial order relation modelling priorities between events. In order to provide a more direct, event based representation of c-nets we introduce a new kind of event structure, called asymmetric event structure (aES). Despite some differences in the definition and in the related notions, aES's can be seen as a generalization of event structures with possible events and of prioritized event structures. Besides the usual causal relation (≤) of a traditional prime event structure, an aES has a relation ↗, that allows us to specify the new situation analyzed above simply as t0 ↗ t1. As just remarked, the same relation has two natural interpretations: it can be thought of as an asymmetric version of conflict or as a weak form of causality. We decided to call it asymmetric conflict, but the reader should keep in mind both views, since in some situations it will be preferable to refer to the weak causality interpretation. Configurations of an aES are then introduced, and the set of configurations of an aES, ordered in a suitable way using the asymmetric conflict relation, turns out to be a finitary prime algebraic domain. We prove that such a construction extends to a functor from the category aES of asymmetric event structures to the category Dom of finitary prime algebraic domains, which establishes a coreflection between aES and Dom. Recalling that Dom is equivalent to the category PES of prime event structures, we can recover a semantics in terms of traditional prime event structures. The seminal work by Winskel presents an adjunction between event structures and a subclass of P/T nets, namely safe nets. Such a result is extended in [12] to the wider category of weakly safe nets, i.e. P/T nets in which the initial marking is a set and transitions can generate at most one token in each post-condition. Similarly, we restrict here to a (full) subcategory of contextual nets, called weakly safe c-nets, and we show how, given a weakly safe c-net N, an unfolding construction allows us to obtain an occurrence c-net U_a(N), i.e. an "acyclic c-net" that describes in a static way the behaviour of N, by expressing possible events and the dependency relations between them. The unfolding operation can be extended to a functor U_a from WS-CN to the category O-CN of occurrence c-nets, which is right adjoint of the inclusion functor I_O : O-CN → WS-CN. Transitions of an occurrence c-net are related by causal dependency and asymmetric conflict, while mutual exclusion is a derived relation. Thus, the semantics of weakly safe c-nets given in terms of occurrence c-nets can be naturally abstracted to an aES semantics. Again this construction extends, at categorical level, to a coreflection from aES to O-CN. Finally we exploit the coreflection between aES and Dom to complete the chain of coreflections from WS-CN to Dom.
2 Asymmetric event structures

We stressed in the introduction that PES's (and in general Winskel's event structures) are too poor to model in a direct way the behaviour of models of computation allowing context sensitive firing of events, such as string, term and graph rewriting, and contextual nets. The fact that an event, to be fired, requires the presence of some resources that are not "consumed" but just read, leads to a new kind of dependency between events that can be seen as an asymmetric version of conflict or a weak form of causality. Technically speaking, the problem is essentially the axiom of event structures (see [20]) stating that the enabling relation ⊢ is "monotone" w.r.t. set inclusion:

A ⊢ e ∧ A ⊆ B ∧ B consistent ⇒ B ⊢ e.

As a consequence the computational order between configurations is set inclusion, the idea being that if A ⊆ B are finite configurations then starting from A we can reach B by performing the events in B − A. This means that the conflict is symmetric, i.e. it cannot be the case that the execution of an event e1 prevents e0 from being executed but e0 can precede e1 in a computation.

To faithfully represent the dependencies existing between events in such models, avoiding the unpleasant phenomenon of duplication of events (see Fig. 1), we generalize prime event structures by replacing the usual symmetric conflict relation with a new binary relation ↗, called asymmetric conflict. If e0 ↗ e1 then the firing of e1 inhibits e0: the execution of e0 may precede the execution of e1, or e0 can be ignored, but e0 cannot follow e1. By using the terminology of Pinna and Poigné [16], we can say that e0 is a "possible" cause of e1. Nicely, the symmetric binary conflict can be represented easily with cycles of asymmetric conflict. Therefore symmetric conflict will be a derived relation.

We first introduce some basic notation. Let r ⊆ X × X be a binary relation and let Y ⊆ X. Then r_Y denotes the restriction of r to Y × Y, i.e. r ∩ (Y × Y), r^+ denotes the transitive closure of r and r^* denotes the reflexive and transitive closure of r. We say that r is well-founded if it has no infinite descending chains, i.e. ⟨e_i⟩_{i∈ℕ} with e_{i+1} r e_i, e_i ≠ e_{i+1}, for all i ∈ ℕ. The relation r is acyclic if it has no "cycles" e0 r e1 r … r en r e0, with e_i ∈ X. In particular, if r is well-founded it has no (non-trivial) cycles. The powerset of X is denoted by 2^X, while 2^X_fin denotes the set of finite subsets of X.
Definition 1 (asymmetric event structure). An asymmetric event structure (aES) is a tuple G = ⟨E, ≤, ↗⟩, where E is a set of events and ≤, ↗ are binary relations on E called causality relation and asymmetric conflict respectively, such that:
1. the relation ≤ is a partial order and ⌊e⌋ = {e' ∈ E : e' ≤ e} is finite for all e ∈ E;
2. the relation ↗ satisfies, for all e, e' ∈ E:
 (a) e < e' ⇒ e ↗ e'; (footnote 1)
 (b) ↗_{⌊e⌋} is acyclic. (footnote 2)

If e ↗ e', according to the double interpretation of ↗, we say that e is prevented by e' or e weakly causes e'. Moreover we say that e is strictly prevented by e' (or e strictly weakly causes e'), written e e', if e ↗ e' and ¬(e < e').

The definition can be easily understood by giving a more formal account of the ideas presented at the beginning of the section. Let Fired(e) denote the fact that the event e has been fired in a computation and let prec(e, e') denote that e precedes e' in the computation. Then

e < e' =def Fired(e') ⇒ Fired(e) ∧ prec(e, e')
e ↗ e' =def Fired(e) ∧ Fired(e') ⇒ prec(e, e')

Therefore < represents a global order of execution, while ↗ determines an order of execution only locally, in each configuration (computation). Thus it is natural to impose ↗ to be an extension of <. Moreover if a set of events forms an asymmetric conflict cycle e0 ↗ e1 ↗ … ↗ en ↗ e0, then such events cannot appear in the same computation, otherwise the execution of each event should precede the execution of the event itself. This explains why we require the acyclicity of ↗ restricted to the causes ⌊e⌋ of an event e: otherwise not all causes of e could be executed in the same computation and thus e itself could not be executed. The informal interpretation also makes clear that ↗ is not in general transitive. If e ↗ e' ↗ e'' it is not true that e must precede e'' when both fire; this holds only in a computation where also e' fires. The fact that a set of n events in a weak-causality cycle can never occur in the same computation can be naturally interpreted as a form of n-ary conflict. More formally, it is useful to associate to each aES an explicit conflict relation (on sets of events) defined in the following way:

Footnote 1: With e < e' we mean e ≤ e' and e ≠ e'.
Footnote 2: Equivalently, we can require (↗_{⌊e⌋})^+ irreflexive. This implies that, in particular, ↗ is irreflexive.
Definition 2 (induced conflict relation). Let G = ⟨E, ≤, ↗⟩ be an aES. The conflict relation #a ⊆ 2^E_fin associated to G is defined by the two rules

 e0 ↗ e1 ↗ … ↗ en ↗ e0
 ----------------------------
 #a {e0, e1, …, en}

 #a (A ∪ {e})   e ≤ e'
 ----------------------------
 #a (A ∪ {e'})

where A denotes a generic finite subset of E. The superscript a in #a reminds us that this relation is induced by asymmetric conflict. Sometimes we use the infix notation for the "binary version" of the conflict, i.e. we write e #a e' for #a {e, e'}. It is worth noticing that the binary version of the conflict relation #a satisfies all the properties of the conflict relation of traditional PES's, i.e. it is irreflexive, symmetric and hereditary w.r.t. the causal dependency relation.

The notion of aES morphism is a quite natural extension of that of PES morphism. Intuitively, it is a (possibly partial) mapping of events that "preserves computations".
Definition 3 (category aES). Let G0 = ⟨E0, ≤0, ↗0⟩ and G1 = ⟨E1, ≤1, ↗1⟩ be two aES. An aES-morphism f : G0 → G1 is a partial function f : E0 → E1 such that:
1. for all e0 ∈ E0, if f(e0) is defined then ⌊f(e0)⌋ ⊆ f(⌊e0⌋);
2. for all e0, e0' ∈ E0
 (a) (f(e0) = f(e0')) ∧ (e0 ≠ e0') ⇒ e0 #a0 e0';
 (b) f(e0) ↗1 f(e0') ⇒ (e0 ↗0 e0') ∨ (e0 #a0 e0').

We denote by aES the category of asymmetric event structures and aES morphisms. It can be shown that aES morphisms are closed under composition and thus the category aES is well-defined. Moreover, analogously to what happens for PES's, one can prove that aES morphisms reflect the (n-ary derived) conflict relation.
Lemma 4 (prime and asymmetric event structures). Let ES = ⟨E, ≤, #⟩ be a prime event structure. Then G = ⟨E, ≤, < ∪ #⟩ is an aES, where the asymmetric conflict relation is defined as the union of the "strict" causality and conflict relations. Moreover, if f : ES0 → ES1 is an event structure morphism then f is an aES-morphism between the corresponding aES's G0 and G1, and if g : G0 → G1 is an aES morphism then it is also a PES morphism between the original PES's.

By the lemma, there is a full embedding functor J : PES → aES defined on objects as J(⟨E, ≤, #⟩) = ⟨E, ≤, < ∪ #⟩ and on arrows as J(f : ES0 → ES1) = f.

A configuration of an event structure is a set of events representing a possible computation of the system modelled by the event structure. The presence of the asymmetric conflict relation makes this definition slightly more involved than the traditional one.
Definition 5 (configuration). Let G = ⟨E, ≤, ↗⟩ be an aES. A configuration of G is a set of events C ⊆ E such that
1. ↗_C is well-founded;
2. {e' ∈ C : e' ↗ e} is finite for all e ∈ C;
3. C is left-closed w.r.t. ≤, i.e. for all e ∈ C, e' ∈ E, e' ≤ e implies e' ∈ C.
The set of all configurations of G is denoted by Conf(G).

Condition 1 first ensures that in C there are no ↗ cycles, and thus excludes the possibility of having in C a subset of events in conflict (formally, for any finite A ⊆ C, we have ¬(#a A)). Moreover it guarantees that ↗ has no infinite descending chain in C, which, together with Condition 2, implies that the set {e' ∈ C : e' (↗_C)^+ e} is finite for each event e in C; thus each event has to be preceded only by finitely many other events of the configuration. Finally, Condition 3 requires that all the causes of each event are present. If a set of events A satisfies only the first two properties of Definition 5 it is called consistent and we write co(A). Notice that, unlike for traditional event structures, consistency is not a finitary property. (footnote 3) For instance, let A = {e_i : i ∈ ℕ} ⊆ E be a set of events such that all e_i's are distinct and e_{i+1} ↗ e_i for all i ∈ ℕ. Then A is not consistent, but each finite subset of A is. A remarkable difference w.r.t. the classical approach is that the order on configurations is not simply set-inclusion, since a configuration C cannot be extended with an event inhibited by some of the events already present in C.

Definition 6 (extension). Let G = ⟨E, ≤, ↗⟩ be an aES and let A, A' ⊆ E be sets of events. We say that A' extends A, and we write A ⊑ A', if
1. A ⊆ A';
2. ¬(e' ↗ e) for all e ∈ A, e' ∈ A' − A.

Footnote 3: A property Q on the subsets of a set X is finitary if, given any Y ⊆ X, from Q(Z) for all finite subsets Z ⊆ Y it follows Q(Y).
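Definitions 1, 2, 5 and 6 above can be checked mechanically for finite event sets. The following is an added illustration, not code from the paper: it encodes the aES of the net in Fig. 1 (t0 ↗ t1) together with a constructed symmetric conflict a ↗ b ↗ a inherited by c through b < c, and shows that ⊑ differs from set inclusion and that t1 has two histories, matching the two events t1' and t1'' of Fig. 1(b). The class and function names are the example's own.

```python
"""Finite asymmetric event structures, after Definitions 1, 2, 5 and 6 of the
paper. Added illustration, not code from the paper; the example aES is
constructed from the net of Fig. 1 plus a small symmetric conflict."""
from itertools import chain, combinations


def _transitive_closure(pairs):
    """Transitive closure of a relation given as a set of pairs."""
    closure = set(pairs)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new


def _has_cycle(nodes, rel):
    """True if rel restricted to nodes (rel_nodes) contains a cycle."""
    succ = {n: {b for (a, b) in rel if a == n and b in nodes} for n in nodes}
    state = {}                       # node -> "open" (on stack) or "done"

    def visit(n):
        state[n] = "open"
        for m in succ[n]:
            if state.get(m) == "open" or (m not in state and visit(m)):
                return True
        state[n] = "done"
        return False

    return any(n not in state and visit(n) for n in nodes)


class AES:
    """G = <E, <=, />>; causality is given by its strict part < as pairs,
    asymmetric conflict /> as pairs (e, e') meaning e may precede e' but never follows it."""

    def __init__(self, events, strict_causality, asym_conflict):
        self.E = frozenset(events)
        self.lt = _transitive_closure(strict_causality)
        # Definition 1(2a): e < e' implies e /> e'
        self.asym = set(asym_conflict) | self.lt
        for e in self.E:             # Definition 1(2b): /> acyclic on the causes of e
            if _has_cycle(self.causes(e), self.asym):
                raise ValueError(f"asymmetric conflict is cyclic below {e}")

    def causes(self, e):
        """The set of causes of e, including e itself."""
        return {e} | {a for (a, b) in self.lt if b == e}

    def is_configuration(self, C):
        """Definition 5 for finite C: /> acyclic on C (so well-founded, and
        condition 2 is automatic) and C left-closed under causality."""
        C = set(C)
        return (C <= self.E and not _has_cycle(C, self.asym)
                and all(self.causes(e) <= C for e in C))

    def configurations(self):
        """Conf(G), by brute-force enumeration of the subsets of E."""
        subsets = chain.from_iterable(combinations(sorted(self.E), k)
                                      for k in range(len(self.E) + 1))
        return [frozenset(s) for s in subsets if self.is_configuration(s)]

    def extends(self, A, B):
        """Definition 6: A is extended by B iff A is a subset of B and no event
        added by B is prevented by (i.e. />-precedes) an event already in A."""
        A, B = set(A), set(B)
        return A <= B and not any((x, e) in self.asym for e in A for x in B - A)

    def history(self, C, e):
        """C[[e]]: the events of C that must precede e, found by walking />_C backwards."""
        seen, todo = {e}, [e]
        while todo:
            cur = todo.pop()
            for (a, b) in self.asym:
                if b == cur and a in C and a not in seen:
                    seen.add(a)
                    todo.append(a)
        return frozenset(seen)

    def histories(self, e):
        """Hist(e): the primes of the configuration domain that belong to e."""
        return {self.history(C, e) for C in self.configurations() if e in C}

    def binary_conflict(self, e1, e2):
        """e1 #a e2 (Definition 2): a />-cycle lies inside causes(e1) | causes(e2)."""
        return _has_cycle(self.causes(e1) | self.causes(e2), self.asym)


# Constructed example: t0 reads the place that t1 consumes (Fig. 1), so
# t0 /> t1; a /> b /> a is a symmetric conflict and b < c makes c inherit it.
FIG1 = AES({"t0", "t1", "a", "b", "c"},
           strict_causality={("b", "c")},
           asym_conflict={("t0", "t1"), ("a", "b"), ("b", "a")})

if __name__ == "__main__":
    print(FIG1.extends({"t0"}, {"t0", "t1"}))   # True: t0 may precede t1
    print(FIG1.extends({"t1"}, {"t0", "t1"}))   # False: t0 cannot follow t1
    print(FIG1.histories("t1"))                  # the two events t1', t1'' of Fig. 1(b)
```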
An important result is the fact that the set Conf(G) of configurations of an aES endowed with the extension relation is a finitary prime algebraic domain, i.e. a coherent, prime algebraic, finitary partial order, in the following simply referred to as domain. Therefore asymmetric event structures, as well as prime [20] and flow [1] event structures, provide a concrete presentation of prime algebraic domains. The proof of this result is technically involved and will appear in the full paper: only a sketch is presented here. The fact that ⟨Conf(G), ⊑⟩ is a partial order immediately follows from the definition. Moreover, for pairwise compatible sets of configurations the least upper bound and the greatest lower bound are given by union and intersection. Interestingly, the primes of the domain of configurations turn out to be the possible histories of the various events. We call history of an event e in a configuration C the set of events of C that must be executed before e (together with e itself). Recall that in a prime event structure an event e uniquely determines its history, that is the set ⌊e⌋ of its causes, independently of the configuration at hand. In the case of asymmetric event structures, instead, an event e may have different histories. In fact, given a configuration C, the set of events that must precede e is C[[e]] = {e' ∈ C : e' (↗_C)^* e}, and clearly such a set depends on the configuration C. The set of all possible histories of an event e, namely {C[[e]] : C ∈ Conf(G)}, is denoted by Hist(e).

Theorem 7. Let G be an aES. Then ⟨Conf(G), ⊑⟩ is a (finitary prime algebraic) domain. The primes of Conf(G) are the possible histories of events in G, i.e. the configurations in ∪_{e∈E} Hist(e).

Winskel in his seminal work [20] proved the equivalence between the category PES of prime event structures and the category Dom of domains and additive, stable, immediate precedence-preserving functions:

PES ⇄ Dom (L : PES → Dom, P : Dom → PES)

The functor L associates to each PES the domain of its configurations, while the functor P associates to each domain a PES having its prime elements as events. We now want to generalize this result to our framework by showing the existence of a coreflection between aES and Dom. One can prove that aES morphisms preserve configurations and that the natural function between the domains of configurations induced by an aES morphism is a domain morphism. These results, together with Theorem 7, ensure that the functor La leading from the category aES of asymmetric event structures to the category Dom of finitary prime algebraic domains is well-defined. The functor Pa performing the backward step is obtained simply by embedding Winskel's construction in aES.

Definition 8. Let La : aES → Dom be the functor defined as:
- La(G) = ⟨Conf(G), ⊑⟩, for any aES-object G;
- La(f) = f* : La(G0) → La(G1), for any aES-morphism f : G0 → G1. (footnote 4)
The functor Pa : Dom → aES is defined as J ∘ P.

The proof of the following main result will appear in the full paper.

Theorem 9. The functor Pa is left adjoint of La. The counit of the adjunction, a natural transformation Pa ∘ La → 1, is defined at G by sending a configuration C to the event e such that C ∈ Hist(e).

Footnote 4: With f* we denote the natural extension of the function f to the powerset of E0 (i.e., f*(A) = {f(a) : a ∈ A}, for A ⊆ E0).
3 Contextual nets

We introduce here marked contextual P/T nets (c-nets), which, following the lines suggested in [14] for C/E systems, add contexts to classical P/T nets. We first recall some notation for multisets. Let A be a set; a multiset of A is a function m : A → ℕ. Such a multiset will sometimes be denoted as a formal sum m = Σ_{a∈A} n_a · a, where n_a = m(a). The set of multisets of A is denoted by μA. The usual operations and relations on multisets of A are used. As an example, multiset union is denoted by + and defined as (m + m')(a) = m(a) + m'(a); multiset difference (m − m') is defined as (m − m')(a) = m(a) − m'(a) if m(a) ≥ m'(a) and (m − m')(a) = 0 otherwise. We write m ≤ m' if m(a) ≤ m'(a) for all a ∈ A. If m is a multiset of A, we denote by [[m]] the multiset Σ_{a∈A, m(a)>0} 1 · a, obtained by changing all non-zero coefficients of m to 1. Sometimes we will confuse the multiset [[m]] with the corresponding subset {a ∈ A : m(a) > 0} of A, and use on them the usual set operations and relations. A multirelation f : A → B is a multiset of A × B. It induces in an obvious way a function μf : μA → μB, defined as μf(Σ_{a∈A} n_a · a) = Σ_{b∈B} Σ_{a∈A} (n_a · f(a, b)) · b. If the multirelation f satisfies f(a, b) ≤ 1 for all a ∈ A and b ∈ B then we sometimes confuse it with the corresponding set-relation and write f(a, b) for f(a, b) = 1.

Definition 10 (c-net). A (marked) contextual Petri net (c-net) is a tuple N = ⟨S, T, F, C, m⟩, where
- S is a set of places;
- T is a set of transitions;
- F = ⟨Fpre, Fpost⟩ is a pair of multirelations from T to S;
- C is a multirelation from T to S, called the context relation;
- m is a multiset of S, called the initial marking.
We assume, without loss of generality, that S ∩ T = ∅. Moreover, we require that for each transition t ∈ T there exists a place s ∈ S such that Fpre(t, s) > 0. (footnote 5)

Let N be a c-net. As usual, the functions from μT to μS induced by the multirelations Fpre and Fpost are denoted by •( ) and ( )•, respectively. If A ∈ μT is a multiset of transitions, •A is called its pre-set, while A• is called its post-set. Moreover, by A̲ we denote the context of A, defined as A̲ = μC(A). The same notation is used to denote the functions from S to 2^T defined as, for s ∈ S, •s = {t ∈ T : Fpost(t, s) > 0}, s• = {t ∈ T : Fpre(t, s) > 0}, s̲ = {t ∈ T : C(t, s) > 0}.

Footnote 5: This is a weak version of the condition of T-restrictedness, which requires also Fpost(t, s) > 0 for some s ∈ S.

In the following, when considering a c-net N, we implicitly assume that N = ⟨S, T, F, C, m⟩. Moreover superscripts and subscripts on the net names carry over to the names of the involved sets, functions and relations. For instance N_i = ⟨S_i, T_i, F_i, C_i, m_i⟩. For a finite multiset of transitions A to be enabled by a marking M, it is sufficient that M contains the pre-set of A and at least one additional token in each place of the context of A. This corresponds to the intuition that a token in a place can be used as context by many transitions at the same time and with multiplicity greater than one by the same transition.

Definition 11 (token game). Let N be a c-net and let M be a marking of N, that is a multiset M ∈ μS. Given a finite multiset A ∈ μT, we say that A is enabled by M if •A + [[A̲]] ≤ M. (footnote 6) The transition relation between markings is defined as M [A⟩ M' iff A is enabled by M and M' = M − •A + A•. We call M [A⟩ M' a step. A simple step or firing is a step involving just one transition. A marking M is called reachable if there exists a finite step sequence m [A0⟩ M1 [A1⟩ M2 … [An⟩ M, starting from the initial marking and leading to M.

A c-net morphism is a partial mapping between transitions that "preserves" pre- and post-sets, and also contexts in a weak sense.
Definition 12 (c-net morphism). Let N0 and N1 be c-nets. A c-net morphism h : N0 → N1 is a pair h = ⟨h_T, h_S⟩, where h_T : T0 → T1 is a partial function and h_S : S0 → S1 is a multirelation such that (1) μh_S(m0) = m1 and, for each A ∈ μT0, (2) μh_S(•A) = •h_T(A), (3) μh_S(A•) = h_T(A)• and (4) [[h_T(A)̲]] ≤ μh_S(A̲) ≤ h_T(A)̲. We denote by CN the category having c-nets as objects and c-net morphisms as arrows.
Conditions (1)-(3) are standard, but condition (4), regarding contexts, deserves some comments. It can be explained by recalling that, since in our model a single token can be used as context with multiplicity greater than one, the firing of a transition $t$ can use as context any multiset $X$ satisfying $\lfloor \underline{t} \rfloor \le X \le \underline{t}$. Given any multiset of tokens that can be used as context in a firing of a transition, its image should be a set of tokens that can be used as context by the image of the transition. This can be formalized by requiring that $\lfloor \underline{h_T(A)} \rfloor \le h_S(X) \le \underline{h_T(A)}$ for any $X \in \mu S_0$ such that $\lfloor \underline{A} \rfloor \le X \le \underline{A}$, which is equivalent to the above condition (4). The basic result to prove (to check that the definition of morphism is "meaningful") is that the token game is preserved by c-net morphisms.

Theorem 13 (morphisms preserve the token game). Let $N_0$ and $N_1$ be c-nets, and let $h = \langle h_T, h_S \rangle : N_0 \to N_1$ be a c-net morphism. Then for each $M, M' \in \mu S_0$ and $A \in \mu T_0$, $M\,[A\rangle\, M' \Rightarrow h_S(M)\,[h_T(A)\rangle\, h_S(M')$.

Therefore c-net morphisms preserve reachable markings, i.e. if $M_0$ is a reachable marking in $N_0$ then $h_S(M_0)$ is reachable in $N_1$.

The seminal work by Winskel [20] presents a coreflection between event structures and a subclass of P/T nets, namely safe nets. In [12] it is shown that essentially the same constructions work for the larger category of "weakly safe nets" as well (while the generalization to the whole category of P/T nets requires some original technical machinery and allows one to obtain a proper adjunction rather than a coreflection). In the next sections we will relate by a coreflection event structures and "weakly safe c-nets".

Definition 14 (weakly safe c-nets). A weakly safe c-net is a c-net $N$ such that the initial marking $m$ is a set and $F_{post}$ is a relation (i.e. $t^\bullet$ is a set for all $t \in T$). We denote by WS-CN the full subcategory of CN having weakly safe c-nets as objects. A weakly safe c-net is called safe if also $F_{pre}$ and $C$ are relations (i.e., ${}^\bullet t$ and $\underline{t}$ are sets for all $t \in T$) and each reachable marking is a set.

Footnote 6: Other approaches (e.g. [9, 18]) allow for the concurrent firing of transitions that use the same token as context and precondition. For instance, in [9] the formal condition for a multiset $A$ of transitions to be enabled by a marking $M$ is ${}^\bullet A \le M$ and $\underline{A} \le M$. We do not admit such steps, the idea being that two concurrent transitions should be allowed to fire also in any order.
4 Occurrence c-nets and the unfolding construction

Occurrence c-nets are intended to represent, via an unfolding construction, the behaviour of general c-nets in a static way, by expressing the events (firings of transitions) which can appear in a computation and the dependency relations between them. Occurrence c-nets will be defined as safe c-nets such that the dependency relations between transitions satisfy suitable acyclicity and well-foundedness requirements. While for traditional occurrence nets one has to take into account the causal dependency and the conflict relations, by the presence of contexts we have to consider an asymmetric conflict (or weak dependency) relation as well. Interestingly, the conflict relation turns out to be a derived (from asymmetric conflict) relation. Causal dependency is defined as for traditional nets, with an additional clause stating that transition $t$ causes $t'$ if it generates a token in a context place of $t'$.

Definition 15 (causal dependency). Let $N$ be a safe c-net. The causal dependency relation
1. if $s \in {}^\bullet t$ then $s < t$;
2. if $s \in t^\bullet$ then $t < s$;
3. if $t^\bullet \cap \underline{t'} \neq \emptyset$ then $t < t'$.
Given a place or transition $x \in S \cup T$, we denote with $\lfloor x \rfloor$ the set of causes of $x$, defined as $\lfloor x \rfloor = \{t \in T : t \le_N x\} \subseteq T$, where $\le_N$ is the reflexive closure of
$$t \nearrow t' \;\stackrel{def}{=}\; \mathit{Fired}(t) \wedge \mathit{Fired}(t') \Rightarrow \mathit{prec}(t, t') \qquad (\dagger)$$

As noticed in the introduction, this is surely the case when the same place $s$ appears as context for $t$ and as precondition for $t'$. But ($\dagger$) is trivially true (with $t$ and $t'$ in interchangeable roles) when $t$ and $t'$ have a common precondition, since they never fire in the same computation. This is apparently a little tricky but corresponds to the clear intuition that a (usual) symmetric (direct) conflict leads to asymmetric conflict in both directions. Finally, since, as noticed for the general model of aES, ($\dagger$) is weaker than the condition that expresses causality, the condition ($\dagger$) is satisfied when $t$ causes (in the usual sense) $t'$.⁷ For technical reasons it is convenient to distinguish the first two cases from the last one. The c-net in Fig. 2 shows that, as expected, the relation $\nearrow_N$ is not transitive. In fact we have $t_1 \nearrow_N t_3 \nearrow_N t_2 \nearrow_N t_1$, but, for instance, it is not true that $t_1 \nearrow_N t_2$.

Fig. 2. An occurrence c-net with a cycle of asymmetric conflict. [Figure with transitions $t_1$, $t_2$, $t_3$; the drawing is not reproduced.]

An occurrence c-net is a safe c-net that exhibits an acyclic behaviour and such that each transition in it can be fired.

Footnote 7: This is the origin of the weak causality interpretation of $\nearrow$.
Definition 17 (occurrence c-nets). An occurrence c-net is a safe c-net $N$ such that
- each place $s \in S$ is in the post-set of at most one transition, i.e. $|{}^\bullet s| \le 1$;
- the causal relation

The full subcategory of WS-CN having occurrence c-nets as objects is denoted by O-CN. The last condition corresponds to the requirement of irreflexivity for the conflict relation in ordinary occurrence nets. In fact, if a transition $t$ has a $\nearrow_N$ cycle in its causes then it can never fire, since in an occurrence c-net $N$ the order in which transitions appear in a firing sequence must be compatible with the transitive closure of the (restriction to the transitions in the sequence of the) asymmetric conflict relation. As anticipated, the asymmetric conflict relation induces a symmetric conflict relation (on sets of transitions) defined in the following way:
Definition 18 (conflict). Let $N$ be a c-net. The conflict relation $\# \subseteq 2^T_{fin}$ associated to $N$ is defined as:
$$\frac{\#(A \cup \{t\}) \qquad t < t'}{\#(A \cup \{t'\})} \qquad\qquad \frac{t_0 \nearrow t_1 \nearrow \cdots \nearrow t_n \nearrow t_0}{\#\{t_0, t_1, \ldots, t_n\}}$$
where $A$ denotes a generic finite subset of $T$. As for aES's, we use the infix notation $t \# t'$ for $\#\{t, t'\}$. For instance, referring to Fig. 2, we have $\#\{t_1, t_2, t_3\}$, but not $\#\{t_i, t_j\}$ for any $i, j \in \{1, 2, 3\}$.

As for traditional occurrence nets, a set of places $M$ is concurrent if there is some reachable marking in which all the places in $M$ contain a token. However, because of the presence of contexts, some places that a transition needs in order to be fired (its contexts) can be concurrent with the places it produces.
Definition 19 (concurrency relation). Let $N$ be an occurrence c-net. A set of places $M \subseteq S$ is called concurrent, written $\mathit{conc}(M)$, if
1. $\forall s, s' \in M.\ \neg(s < s')$;
2. $\lfloor M \rfloor$ is finite, where $\lfloor M \rfloor = \bigcup \{\lfloor s \rfloor : s \in M\}$;
3. $\nearrow_{\lfloor M \rfloor}$ is acyclic (and thus well-founded, since $\lfloor M \rfloor$ is finite).

Footnote 8: We can equivalently require $((\nearrow_N)_{\lfloor t \rfloor})^+$ to be irreflexive. In particular this implies $\nearrow_N$ irreflexive.
It can be shown that, indeed, the concurrent sets of places of an occurrence c-net coincide with the (subsets of) reachable markings. In particular, for each transition $t$ in an occurrence c-net, since $\mathit{conc}({}^\bullet t + \underline{t})$, there is a reachable marking $M \ge {}^\bullet t + \underline{t}$ in which $t$ is enabled. It is possible to prove that c-net morphisms preserve the concurrency relation. Moreover, they preserve the "amount of concurrency" also on transitions. More precisely, they reflect causal dependency and conflicts, while asymmetric conflict is reflected or becomes conflict. These results are fundamental for establishing a connection between occurrence c-nets and aES's.
Theorem 20. Let $N_0$ and $N_1$ be c-nets and let $h : N_0 \to N_1$ be a morphism. Then, for all $t_0, t_0' \in T_0$:
1. $\lfloor h_T(t_0) \rfloor \subseteq h_T(\lfloor t_0 \rfloor)$;
2. $(h_T(t_0) = h_T(t_0')) \wedge (t_0 \neq t_0') \Rightarrow t_0 \# t_0'$;
3. $h_T(t_0) \nearrow h_T(t_0') \Rightarrow (t_0 \nearrow t_0') \vee (t_0 \# t_0')$;
4. $\# h_T(A) \Rightarrow \# A$.
Given a weakly safe c-net $N$, an unfolding construction allows us to obtain an occurrence c-net $U_a(N)$ that describes the behaviour of $N$. As for traditional nets, each transition in $U_a(N)$ represents an instance of a precise firing of a transition in $N$, and places in $U_a(N)$ represent occurrences of tokens in the places of $N$. The unfolding operation can be extended to a functor $U_a : \text{WS-CN} \to \text{O-CN}$ that is right adjoint of the inclusion functor $I_O : \text{O-CN} \to \text{WS-CN}$ and thus establishes a coreflection between WS-CN and O-CN.
Definition 21 (unfolding). Let $N = \langle S, T, F, C, m \rangle$ be a weakly safe c-net. The unfolding $U_a(N) = \langle S', T', F', C', m' \rangle$ of the net $N$ and the folding morphism $f_N : U_a(N) \to N$ are the unique occurrence c-net and c-net morphism satisfying the following equations.
$$\begin{aligned}
m' &= \{\langle \emptyset, s \rangle : s \in m\} \\
S' &= m' \cup \{\langle t', s \rangle : t' = \langle M_p, M_c, t \rangle \in T' \wedge s \in t^\bullet\} \\
T' &= \{\langle M_p, M_c, t \rangle : M_p, M_c \subseteq S' \wedge M_p \cap M_c = \emptyset \wedge \mathit{conc}(M_p \cup M_c) \wedge t \in T \wedge f_S(M_p) = {}^\bullet t \wedge \lfloor \underline{t} \rfloor \le f_S(M_c) \le \underline{t}\} \\
F'_{pre}(t', s') &\ \text{iff}\ t' = \langle M_p, M_c, t \rangle \wedge s' \in M_p \qquad (t \in T) \\
C'(t', s') &\ \text{iff}\ t' = \langle M_p, M_c, t \rangle \wedge s' \in M_c \qquad (t \in T) \\
F'_{post}(t', s') &\ \text{iff}\ s' = \langle t', s \rangle \qquad (s \in S) \\
f_T(t') = t &\ \text{iff}\ t' = \langle M_p, M_c, t \rangle \\
f_S(s', s) &\ \text{iff}\ s' = \langle x, s \rangle \qquad (x \in T' \cup \{\emptyset\})
\end{aligned}$$
The unfolding can be effectively constructed by giving an inductive definition. Uniqueness follows from the fact that to each item in an occurrence c-net we can associate a finite depth. Places and transitions in the unfolding of a c-net represent respectively tokens and firings of transitions in the original net. Each place in the unfolding is a pair recording the "history" of the token and the corresponding place in the original net. Each transition is a triple recording the precondition and context used in the firing, and the corresponding transition in the original net. A new place with empty history $\langle \emptyset, s \rangle$ is generated for each place $s$ in the initial marking. Moreover a new transition $t' = \langle M_p, M_c, t \rangle$ is inserted in the unfolding whenever we can find a concurrent set of places (precondition $M_p$ and context $M_c$) that corresponds, in the original net, to a marking that enables $t$. For each place $s$ in the post-set of such $t$, a new place $\langle t', s \rangle$ is generated, belonging to the post-set of $t'$. The folding morphism $f$ maps each place (transition) of the unfolding to the corresponding place (transition) in the original net.

We can now state the main result of this section, establishing a coreflection between weakly safe c-nets and occurrence c-nets.

Theorem 22. The unfolding construction extends to a functor $U_a : \text{WS-CN} \to \text{O-CN}$ which is right adjoint to the obvious inclusion functor $I_O : \text{O-CN} \to \text{WS-CN}$ and thus establishes a coreflection between WS-CN and O-CN. The component at an object $N$ in WS-CN of the counit of the adjunction, $f : I_O U_a \to 1$, is the folding morphism $f_N : U_a(N) \to N$.
5 Occurrence c-nets and asymmetric event structures

We now show that the semantics of weakly safe c-nets given in terms of occurrence c-nets can be related with event structures and prime algebraic domain semantics. First we show that there exists a coreflection from aES to O-CN, and thus aES's represent a suitable model for giving an event based semantics to c-nets. Given an occurrence c-net we obtain an aES simply by forgetting the places, but remembering the dependency relations that they induce between transitions, namely causality and asymmetric conflict. In the same way a morphism between occurrence c-nets naturally restricts to a morphism between the corresponding aES's.

Definition 23. Let $E_a : \text{O-CN} \to \text{aES}$ be the functor defined as:
- $E_a(N) = \langle T, <_N, \nearrow_N \rangle$, for each occurrence c-net $N$;
- $E_a(h : N_0 \to N_1) = h_T$, for each morphism $h : N_0 \to N_1$.

Notice that the induced conflict relation $\#_a$ in the aES $E_a(N)$, given by Definition 2, is the restriction to transitions of the induced conflict relation in the net $N$, given by Definition 18. Therefore in the following we will confuse the two relations and simply write $\#$. An aES can be identified with a canonical occurrence c-net, via a free construction that mimics Winskel's: for each set of events related in a certain way by causal dependency or asymmetric conflict relations we generate a unique place that induces such kind of relation on the events.

Definition 24. Let $G = \langle E, <, \nearrow \rangle$ be an aES. Then $N_a(G)$ is the net $N = \langle S, T, F, C, m \rangle$ defined as follows:
- $m = \{\langle \emptyset, A, B \rangle : A, B \subseteq E,\ \forall a \in A.\ \forall b \in B.\ a \nearrow b \vee a \# b,\ \forall b, b' \in B.\ b \neq b' \Rightarrow b \# b'\}$;
- $S = m \cup \{\langle e, A, B \rangle : A, B \subseteq E,\ e \in E,\ \forall x \in A \cup B.\ e < x,\ \forall a \in A.\ \forall b \in B.\ a \nearrow b \vee a \# b,\ \forall b, b' \in B.\ b \neq b' \Rightarrow b \# b'\}$;
- $T = E$;
- $F = \langle F_{pre}, F_{post} \rangle$, with $F_{pre} = \{(e, s) : s = \langle x, A, B \rangle \in S,\ e \in B\}$, $F_{post} = \{(e, s) : s = \langle e, A, B \rangle \in S\}$;
- $C = \{(e, s) : s = \langle x, A, B \rangle \in S,\ e \in A\}$.
The generation process extends to a functor $N_a : \text{aES} \to \text{O-CN}$. The only unexpected thing for the reader could be the fact that we insert a place that gives rise to asymmetric conflicts between the transitions of $B$ and $A$, but we require only that all the transitions of $B$ are in asymmetric conflict or in conflict with all the transitions in $A$. Therefore we add asymmetric conflicts between events that are in conflict. Abstracting from the formal details, this becomes very natural since, $\#$ being the symmetric conflict relation, we can think that conceptually $t \# t'$ implies $t \nearrow t'$. The next proposition relates the causal dependency and asymmetric conflict relations of an aES with the corresponding relations of the c-net $N_a(G)$. In particular it is useful in proving that $N_a(G)$ is indeed an occurrence c-net.
Proposition 25. Let $G = \langle E, <, \nearrow \rangle$ be an aES and let $N_a(G)$ be the net $N = \langle S, T, F, C, m \rangle$. Then for all $e, e' \in E$: 1. $e$
Let $G = \langle E, <, \nearrow \rangle$ be an aES. By Proposition 25, $E_a(N_a(G)) = \langle E, <, \nearrow \cup \# \rangle$. Therefore the identity on events $\eta_G : G \to E_a(N_a(G))$, defined by $\eta_G(e) = e$ for all $e \in E$, is an aES morphism. Moreover $\eta_G^{-1} : E_a(N_a(G)) \to G$, again defined as the identity on events, is clearly a morphism, and $\eta_G$ and $\eta_G^{-1}$ are one the inverse of the other. Therefore $\eta_G$ is an isomorphism. We are now able to state the main result of this section.

Theorem 26. The functor $N_a : \text{aES} \to \text{O-CN}$ is left adjoint to $E_a : \text{O-CN} \to \text{aES}$ and it establishes a coreflection from aES to O-CN. The unit of the coreflection is $\eta : 1 \to N_a E_a$.

Such a result completes the chain of coreflections leading from WS-CN to Dom. Therefore, as claimed at the beginning, we provide weakly safe c-nets with a truly concurrent semantics, by associating to each weakly safe c-net a finitary prime algebraic domain. The construction works at categorical level and establishes a coreflection between the corresponding categories.
Finally, notice that, as an easy extension, Winskel's coreflection between PES and Dom can be used to provide weakly safe c-nets with a traditional event structure semantics. The PES semantics is obtained from the aES semantics by introducing an event for each possible different history of events in the aES. This reflects the idea of duplication of events discussed in the introduction.
6 Conclusions and future work

We presented a truly concurrent event-based semantics for (weakly safe) P/T contextual nets. The semantics is given at categorical level via a coreflection between the categories WS-CN of weakly safe c-nets and Dom of finitary prime algebraic domains (or equivalently PES of prime event structures). Such a coreflection factorizes through the following chain of coreflections:

$$\text{WS-CN}\ \underset{U_a}{\overset{I_O}{\leftrightarrows}}\ \text{O-CN}\ \underset{E_a}{\overset{N_a}{\leftrightarrows}}\ \text{aES}\ \underset{L_a}{\overset{P_a}{\leftrightarrows}}\ \text{Dom}$$

(the upper arrows $I_O$, $N_a$, $P_a$ go from right to left, the lower arrows $U_a$, $E_a$, $L_a$ from left to right).

It is worth noticing that such a construction associates to a safe c-net without context places (thus essentially a traditional safe net) the same domain produced by Winskel's construction, and therefore it can be considered as a consistent extension of Winskel's result. The use of finitary prime algebraic domains, widely accepted as standard semantic models for concurrency, makes our result satisfactory. Moreover the existence of a coreflection provides an abstract semantics (the domain associated to each c-net) and a standard choice in each class of equivalent c-nets (the c-net obtained by embedding the semantics into the category of nets), defined by a universal property. This is one of the more pleasant semantic frameworks one can desire. An immediate future work should be the generalization of these results to general P/T c-nets, based on a suitable extension of the notions of decorated occurrence net and family morphism introduced in [12] to give unfolding semantics to traditional P/T nets. Moreover, notions and results on c-nets can be seen as a first step towards the definition of an unfolding semantics for graph grammars. We think that the work on c-nets could be a guide for the introduction of the notions of non-deterministic occurrence graph grammar and graph grammar unfolding that are still lacking or not consolidated. Apart from the application to c-nets analyzed in this paper, asymmetric event structures seem to be rather promising in the semantic treatment of models of computation, such as string, term and graph rewriting, allowing context sensitive firing of events. Therefore, as suggested in [16], it would be interesting to investigate the possibility of developing a general theory of event structures with asymmetric conflict (or weak causality) similar to that in [20].
References

1. G. Boudol. Flow Event Structures and Flow Nets. In Semantics of Systems of Concurrent Processes, volume 469 of LNCS, pages 62–95. Springer Verlag, 1990.
2. G. Boudol and I. Castellani. Permutation of transitions: an event structure semantics for CCS and SCCS. In Linear Time, Branching Time and Partial Order Semantics in Logics and Models for Concurrency, volume 354 of LNCS, pages 411–427. Springer Verlag, 1988.
3. N. Busi and R. Gorrieri. A Petri Nets Semantics for π-calculus. In Proceedings CONCUR'95, volume 962 of LNCS, pages 145–159. Springer Verlag, 1995.
4. N. Busi and G. M. Pinna. Non Sequential Semantics for Contextual P/T Nets. In Application and Theory of Petri Nets, volume 1091 of LNCS, pages 113–132. Springer Verlag, 1996.
5. S. Christensen and N. D. Hansen. Coloured Petri nets extended with place capacities, test arcs and inhibitor arcs. In M. Ajmone-Marsan, editor, Applications and Theory of Petri Nets, volume 691 of LNCS, pages 186–205. Springer Verlag, 1993.
6. A. Corradini. Concurrent Graph and Term Graph Rewriting. In U. Montanari and V. Sassone, editors, Proceedings CONCUR'96, volume 1119 of LNCS, pages 438–464. Springer Verlag, 1996.
7. N. De Francesco, U. Montanari, and G. Ristori. Modeling Concurrent Accesses to Shared Data via Petri Nets. In Programming Concepts, Methods and Calculi, IFIP Transactions A-56, pages 403–422. North Holland, 1994.
8. P. Degano, R. Gorrieri, and S. Vigna. On Relating Some Models for Concurrency. In M. C. Gaudel and J. P. Jouannaud, editors, 4th Conference on Theory and Practice of Software Development, volume 668 of LNCS, pages 15–30. Springer Verlag, 1993.
9. R. Janicki and M. Koutny. Invariant semantics of nets with inhibitor arcs. In Proceedings CONCUR '91, volume 527 of LNCS. Springer Verlag, 1991.
10. R. Janicki and M. Koutny. Semantics of inhibitor nets. Information and Computation, 123:1–16, 1995.
11. R. Langerak. Bundle Event Structures: A Non-Interleaving Semantics for Lotos. In 5th Intl. Conf. on Formal Description Techniques (FORTE'92), pages 331–346. North-Holland, 1992.
12. J. Meseguer, U. Montanari, and V. Sassone. On the semantics of Petri nets. In Proceedings CONCUR '92, volume 630 of LNCS, pages 286–301. Springer Verlag, 1992.
13. U. Montanari and F. Rossi. Contextual occurrence nets and concurrent constraint programming. In H.-J. Schneider and H. Ehrig, editors, Proceedings of the Dagstuhl Seminar 9301 on Graph Transformations in Computer Science, volume 776 of LNCS. Springer Verlag, 1994.
14. U. Montanari and F. Rossi. Contextual nets. Acta Informatica, 32, 1995.
15. G. M. Pinna and A. Poigné. On the nature of events. In Mathematical Foundations of Computer Science, volume 629 of LNCS, pages 430–441. Springer Verlag, 1992.
16. G. M. Pinna and A. Poigné. On the nature of events: another perspective in concurrency. Theoretical Computer Science, 138:425–454, 1995.
17. G. Ristori. Modelling Systems with Shared Resources via Petri Nets. PhD thesis, Università di Pisa, 1994.
18. W. Vogler. Efficiency of asynchronous systems and read arcs in Petri nets. Technical Report 352, Institut für Mathematik, Augsburg University, 1996.
19. W. Vogler. Partial Order Semantics and Read Arcs. In Mathematical Foundations of Computer Science, volume 1295 of LNCS, pages 508–518. Springer Verlag, 1997.
20. G. Winskel. Event Structures. In Petri Nets: Applications and Relationships to Other Models of Concurrency, volume 255 of LNCS, pages 325–392. Springer Verlag, 1987.
Pumping Lemmas for Timed Automata

Danièle Beauquier
University Paris-12, Dept. of Informatics, 61, Av. du Gén. de Gaulle, 94010 Créteil, France
[email protected]

Abstract. We remark that languages recognized by timed automata in the general case do not satisfy the classical Pumping Lemma (PL) well known in the theory of finite automata. In this paper we prove two weaker versions of the Pumping Lemma for timed words: a general one (DPL) where iterations preserve the duration of the timed word, and another, more restricted one (LPL) where iterations preserve the length of the timed word.

1 Introduction
An automata-theoretic approach to verification of timing requirements of real-time systems has been extensively developed in recent years using timed automata [1]; among recent papers we mention [2,3], which influenced our work. A timed automaton is a finite automaton with a finite set of real valued clocks. The clocks can be reset to zero within the transitions of the automaton and keep track of the time elapsed since the last reset. Some constraints on the clocks are attached both to locations (analogous to states of usual finite automata) and transitions of the automaton. Timed automata recognize finite or infinite timed words, which are right-continuous discrete-valued functions having letters as values. Several papers study timed automata from the perspective of formal language theory [1,4]. Closure properties and some decision problems for deterministic and nondeterministic timed automata have been considered. In [4] a version of Kleene's theorem for timed automata has been elaborated. The authors prove that it is necessary to include intersection in the operations which define regular expressions. In this paper we are interested in another classic feature of regular languages, namely in properties of iterations usually called Pumping Lemmas. We prove that the general version of the Pumping Lemma does not hold for timed automata, giving a counter-example. This negative result underlines the fact that the introduction of dense time gives languages recognized by timed automata a more complicated structure. Nevertheless we establish a weak version of the Pumping Lemma (DPL) where the iteration preserves the duration of the timed word. The part of this result concerning a positive iteration can be found also in [5] (this was pointed out by referees). The dual version (LPL) where the iteration preserves the length of the timed word is proved for a sub-family of timed automata, the strict timed automata. The paper is organized as follows: in section 2 we recall the definition of timed automata and timed words recognized by timed automata. Section 3 contains a series of lemmas concerning the iteration properties of runs of timed automata which are used in the last section. The last section studies different versions of the Pumping Lemma and their status with respect to regular languages.

M. Nivat (Ed.): FoSSaCS 98, © Springer-Verlag Berlin Heidelberg 1998, LNCS 1378, pp. 81–94, 1998.
2 Timed Automata: Definitions

2.1 Timed words
Let $\Sigma$ be a finite alphabet, and $\mathbb{R}_{\ge 0}$ be the set of non-negative reals. A (finite) timed word is a right-continuous piecewise-constant function $\xi : [0, k) \to \Sigma$ for some $k \in \mathbb{R}_{\ge 0}$ such that $\xi$ has a finite number of discontinuities. If $k$ is equal to 0, $\xi$ is the empty word, denoted by $\varepsilon$. Here we slightly deviate from the definition given in [4], because the right-continuity of timed words seems to better reflect the semantics of the runs of timed automata. Every timed word $\xi$ can be written (in many ways) $a_1^{r_1} a_2^{r_2} \ldots a_n^{r_n}$, where $a_i \in \Sigma$, $r_i \in \mathbb{R}_+$ and $\sum r_i = k$, if $\xi(t) = a_i$ for $t \in [r_{i-1}, r_i)$. If we impose $a_i \neq a_{i+1}$, then the representation of $\xi$ is unique; the length of $\xi$, denoted by $|\xi|$, is equal to $n$ and its duration, denoted by $d(\xi)$, is equal to $k$. Length and duration of $\varepsilon$ are equal to zero. We denote by $T(\Sigma)$ the set of all finite timed words over the alphabet $\Sigma$. For every $\xi_1, \xi_2 \in T(\Sigma)$ with respective durations $k_1$ and $k_2$, their concatenation $\xi_1 \xi_2$ is the timed word $\xi$ with duration $k_1 + k_2$ such that for $t \in [0, k_1)$, $\xi(t) = \xi_1(t)$, and for $t \in [k_1, k_1 + k_2)$, $\xi(t) = \xi_2(t - t_1)$. Clearly, $|\xi_1 \xi_2| \le |\xi_1| + |\xi_2|$ and $d(\xi_1 \xi_2) = d(\xi_1) + d(\xi_2)$. For $u = a_1^{r_1} a_2^{r_2} \ldots a_n^{r_n}$ and a positive integer $p$, denote by $u^{\frac{1}{p}}$ the timed word $a_1^{\frac{r_1}{p}} a_2^{\frac{r_2}{p}} \ldots a_n^{\frac{r_n}{p}}$. We have $|u^{\frac{1}{p}}| = |u|$ and $d(u^{\frac{1}{p}}) = \frac{1}{p} d(u)$. Note that $(u^{\frac{1}{p}})^p = u$ iff $u$ is of the form $a^r$ for some $a \in \Sigma$. A timed language over the alphabet $\Sigma$ is a subset of the set of timed words $T(\Sigma)$.
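The operations of Section 2.1 (unique representation, length, duration, concatenation, $u^{\frac{1}{p}}$ and $u^p$), written out in Python as an added example that is not part of the paper. The list-of-pieces representation, the function names and the sample words are assumptions of the example; exact rationals are used so that the identities $|u^{\frac{1}{p}}| = |u|$, $d(u^{\frac{1}{p}}) = \frac{1}{p} d(u)$ and the characterisation of $(u^{\frac{1}{p}})^p = u$ can be checked without rounding.

```python
from fractions import Fraction
from typing import List, Tuple

# Constructed representation for this example: a timed word a1^r1 a2^r2 ... an^rn
# is a list of (letter, duration) pieces with exact rational durations.
Piece = Tuple[str, Fraction]
TimedWord = List[Piece]


def normalize(w: TimedWord) -> TimedWord:
    """Unique representation: drop empty pieces and merge adjacent pieces that
    carry the same letter, so that a_i != a_{i+1} holds."""
    out: TimedWord = []
    for a, r in w:
        r = Fraction(r)
        if r < 0:
            raise ValueError("piece durations must be non-negative")
        if r == 0:
            continue
        if out and out[-1][0] == a:
            out[-1] = (a, out[-1][1] + r)
        else:
            out.append((a, r))
    return out


def length(w: TimedWord) -> int:
    """|w|: number of pieces of the unique representation."""
    return len(normalize(w))


def duration(w: TimedWord) -> Fraction:
    """d(w): total time, independent of the chosen representation."""
    return sum((Fraction(r) for _, r in w), Fraction(0))


def value_at(w: TimedWord, t) -> str:
    """xi(t) for t in [0, d(w)); right-continuity means that at a discontinuity
    the value is the letter of the piece that starts there."""
    t = Fraction(t)
    start = Fraction(0)
    for a, r in normalize(w):
        if start <= t < start + r:
            return a
        start += r
    raise ValueError("t outside [0, d(w))")


def concat(u: TimedWord, v: TimedWord) -> TimedWord:
    """u v: v is placed behind u; a shared boundary letter merges, hence
    |u v| <= |u| + |v| while d(u v) = d(u) + d(v)."""
    return normalize(u + v)


def root(u: TimedWord, p: int) -> TimedWord:
    """u^(1/p): every piece duration is divided by p."""
    return [(a, r / p) for a, r in normalize(u)]


def power(u: TimedWord, p: int) -> TimedWord:
    """u^p: p-fold concatenation."""
    w: TimedWord = []
    for _ in range(p):
        w = concat(w, u)
    return w


def root_then_power_restores(u: TimedWord, p: int) -> bool:
    """Checks (u^(1/p))^p == u, which holds exactly when u is a single piece a^r."""
    return power(root(u, p), p) == normalize(u)


if __name__ == "__main__":
    u = [("a", 1), ("b", Fraction(7, 10))]
    print(length(u), duration(u), value_at(u, 1))
    print(root(u, 2), root_then_power_restores(u, 2), root_then_power_restores([("a", 3)], 3))
```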
2.2 Timed automata
Timed automata were introduced by R. Alur and D. Dill [1]. A timed automaton consists of a finite number of locations supplied with clocks and constraints in terms of equalities and inequalities involving clocks. The edges of the automaton now depend on time, and this makes the automaton more powerful than the classical one. The clocks of an automaton constitute a finite set of identifiers. Given a set $C$ of clocks, the set of clock constraints, denoted by $\mathit{guard}(C)$, is the set of formulas of the form:
- $\mathit{true}$, $\mathit{false}$, $c \sim n$ where $c \in C$, $n \in \mathbb{N}$ and $\sim \in \{>, <, =\}$,
- $f_1 \wedge f_2$, $f_1 \vee f_2$ where $f_1$ and $f_2$ are formulas in $\mathit{guard}(C)$.

A timed automaton over $\Sigma$ is a tuple $\mathcal{A} = (S, \lambda, \mu, s_{init}, F, C, E)$ where:
• $S$ is a finite set of locations,
• $C$ is a finite set of clocks,
• $\lambda : S \to \Sigma$ is an output function,
• $\mu : S \to \mathit{guard}(C)$ assigns to each location a guard called the invariant of the location,
• $s_{init} \in S$ is the initial location,
• $F \subseteq S$ is a set of final locations,
• $E \subseteq S \times \mathit{guard}(C) \times 2^C \times S$ gives the set of edges between locations, labeled by sets of clocks and formulas.

Let $(s, s', \phi, \delta)$ be an edge from $s$ to $s'$. The set $\phi \subset C$ gives the set of clocks to be reset and $\delta$ is a clock constraint in $\mathit{guard}(C)$ to be satisfied when following this edge. A clock assignment for a set of clocks $C$ is a function $\nu$ from $C$ to $\mathbb{R}$, i.e. $\nu \in \mathbb{R}^C$. A state of the system is a triple of the form $\langle s, \nu, t \rangle$, where $s \in S$, $\nu \in \mathbb{R}^C$, and $t \in \mathbb{R}_{\ge 0}$. By $\nu + t$, where $t \in \mathbb{R}$, we denote the clock assignment which assigns to every clock $c$ the value $\nu(c) + t$. In the same way, if $A$ is a state $\langle s, \nu, \tau \rangle$, $A + t$ denotes the state $\langle s, \nu + t, \tau + t \rangle$. Let $\nu$ be a clock assignment. For $X \subset C$, we denote by $\langle X \rangle \nu$ the clock assignment which assigns 0 to each $c$ in $X$ and agrees with $\nu$ over the rest of the clocks. A transition is a pair of states $\sigma = (\langle s, \nu, t \rangle, \langle s', \nu', t' \rangle)$ of the automaton $\mathcal{A}$, with an edge $(s, s', \phi, \delta) \in E$, such that
• $\nu + t' - t$ satisfies $\delta$,
• for all $\tau \in [0, t' - t)$, $\nu + \tau$ satisfies $\mu(s)$,
• $\nu' = \langle \phi \rangle (\nu + t' - t)$ and $\nu'$ satisfies $\mu(s')$.
The value $t' - t$ is called the delay of the transition. Now let us define a finite run of a timed automaton, simply called a run below. A finite run $\rho$ is a pair of sequences $(S(\rho), E(\rho))$ such that $S(\rho)$ is a sequence of states $(\langle s_i, \nu_i, t_i \rangle)_{0 \le i \le n}$ and $E(\rho)$ is a sequence of edges $(s_{i-1}, s_i, a_i, \phi_i, \delta_i)_{0$
A finite timed word over the alphabet $\Sigma$ is recognized or accepted by the automaton $\mathcal{A}$ if it is the trace of an accepting run of $\mathcal{A}$. The set of finite timed words recognized by the automaton $\mathcal{A}$ is denoted by $L(\mathcal{A})$.

Example. The language accepted by the automaton of Figure 1, where $s_2$ is the final location, is:
$$\{a^{r_0} b^{q_0} a^{r_1} b^{q_1} \ldots a^{r_n} b^{q_n} \mid n > 0,\ r_0 = 1,\ q_0 < 1,\ \text{for } i = 1, \ldots, n\ \ q_{i-1} + r_i = 1 \text{ and } r_i + q_i < 1\} \cup \{a^{r_0} b^{q_0} \mid r_0 = 1,\ q_0 > 0\}.$$
Here the function $\mu$ is the constant "true". A sample word accepted by the automaton is: $a^1 b^{0.7} a^{0.3} b^{0.2} a^{0.8} b^{0.1}$. Every timed word accepted by this automaton has the property that the sequence $(q_i)$ of exponents of the letter $b$ is strictly decreasing.

Fig. 1. A timed automaton. [Figure: locations $s_0$, $s_1$, $s_2$, $s_3$ with output letters $a$ and $b$; edge labels $(x = 1), \{x\}$ (twice), $\mathit{true}, \{y\}$ and $(y < 1), \{y\}$; the drawing is not reproduced.]

Two finite runs $\rho_1$ and $\rho_2$ are equivalent if they have the same extremities, i.e. their first and last states are respectively equal: $S(\rho_1)(0) = S(\rho_2)(0)$ and $S(\rho_1)(k) = S(\rho_2)(l)$, where $k$ and $l$ are the lengths of $\rho_1$ and $\rho_2$ respectively. Clearly, two equivalent runs have the same duration.

2.3 Clock regions
The set of states of a timed automaton is infinite. The set of clock regions is a finite set obtained as a quotient of an equivalence relation among the clock assignments. More details about this notion of region are in [1]. Let $K_0$ be the greatest constant appearing in the clock constraints of the automaton. Recall that clock constants are natural numbers. For clock assignments $\nu$ and $\nu'$ in $\mathbb{R}^C$ we say that $\nu \equiv \nu'$ iff the following conditions are met:
– For each clock $x \in C$, either $\lfloor \nu(x) \rfloor$ and $\lfloor \nu'(x) \rfloor$ are the same, or both are greater than $K_0$;
– For every pair of clocks $x, y \in C$ such that $\nu(x) \le K_0$ and $\nu(y) \le K_0$:
  1. $\mathit{fract}(\nu(x)) \ge \mathit{fract}(\nu(y))$ iff $\mathit{fract}(\nu'(x)) \ge \mathit{fract}(\nu'(y))$,
  2. $\mathit{fract}(\nu(x)) = 0$ iff $\mathit{fract}(\nu'(x)) = 0$.

The relation $\equiv$ is an equivalence relation, and $[\nu]$ will denote the equivalence class of $\mathbb{R}^C$ to which $\nu$ belongs. A clock region is such an equivalence class. There are only finitely many such regions. Note that $\nu \equiv \nu'$ does not necessarily imply $\nu + t \equiv \nu' + t$.
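The region equivalence of Section 2.3, as an added Python example that is not part of the paper. `region_equivalent` implements the three conditions above literally, for exact rational clock values and a given $K_0$; `region_signature` computes a canonical key of $[\nu]$ under the usual convention that clocks above $K_0$ are compared only by that fact (an assumption of this example, since the conditions as stated look only at $\nu$ when selecting the clocks below $K_0$); `shift` is $\nu + t$. The clock names and values are constructed for the example, and the last check shows the remark that $\nu \equiv \nu'$ does not imply $\nu + t \equiv \nu' + t$.

```python
from fractions import Fraction
from math import floor
from typing import Dict, Tuple

# Clock assignments are dicts clock -> exact rational value (constructed for this example).
Assignment = Dict[str, Fraction]


def assignment(**clocks) -> Assignment:
    """Build an assignment from strings or numbers, e.g. assignment(x="1/5", y="0.5")."""
    return {x: Fraction(v) for x, v in clocks.items()}


def fract(v: Fraction) -> Fraction:
    """Fractional part of a clock value."""
    return v - floor(v)


def region_equivalent(nu: Assignment, nu2: Assignment, k0: int) -> bool:
    """nu == nu' as defined in Section 2.3, with K0 = k0 the largest constant
    appearing in the clock constraints of the automaton."""
    if set(nu) != set(nu2):
        raise ValueError("assignments must range over the same clocks")
    for x in nu:
        # condition 1: same integer part, or both above K0
        if floor(nu[x]) != floor(nu2[x]) and not (nu[x] > k0 and nu2[x] > k0):
            return False
    small = [x for x in nu if nu[x] <= k0]
    for x in small:
        # condition 2.2: a zero fractional part is preserved
        if (fract(nu[x]) == 0) != (fract(nu2[x]) == 0):
            return False
        for y in small:
            # condition 2.1: the order of the fractional parts is preserved
            if (fract(nu[x]) >= fract(nu[y])) != (fract(nu2[x]) >= fract(nu2[y])):
                return False
    return True


def region_signature(nu: Assignment, k0: int) -> Tuple:
    """Canonical key of the region [nu] (assumption of this example: a clock above K0
    contributes only 'above'; a clock at most K0 contributes its integer part and
    zero-fraction flag, and the clocks at most K0 are grouped by increasing
    fractional part). Equal keys correspond to equivalent assignments."""
    parts = []
    for x in sorted(nu):
        if nu[x] > k0:
            parts.append((x, "above"))
        else:
            parts.append((x, floor(nu[x]), fract(nu[x]) == 0))
    small = sorted((x for x in nu if nu[x] <= k0), key=lambda x: fract(nu[x]))
    order, group, last = [], [], None
    for x in small:
        if group and fract(nu[x]) != last:
            order.append(tuple(sorted(group)))
            group = []
        group.append(x)
        last = fract(nu[x])
    if group:
        order.append(tuple(sorted(group)))
    return tuple(parts), tuple(order)


def shift(nu: Assignment, t) -> Assignment:
    """nu + t: let time t elapse on every clock."""
    return {x: v + Fraction(t) for x, v in nu.items()}


if __name__ == "__main__":
    nu, nu2 = assignment(x="1/5", y="1/2"), assignment(x="2/5", y="1/2")
    print(region_equivalent(nu, nu2, 2), region_signature(nu, 2))
    # equivalent now, but after 0.7 time units x has crossed 1 in only one of them
    print(region_equivalent(shift(nu, "7/10"), shift(nu2, "7/10"), 2))
```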
3 Finite runs of timed automata
The set of finite runs of a timed automaton has a natural structure of partial monoid. Given two runs $\rho = (\langle s_i, \nu_i, t_i \rangle)_{i=0,\ldots,k}$ and $\rho' = (\langle s'_i, \nu'_i, t'_i \rangle)_{i=0,\ldots,k'}$ such that the last state of $\rho$, $\langle s_k, \nu_k, t_k \rangle$, is equal to the first state of $\rho'$, $\langle s'_0, \nu'_0, t'_0 \rangle$, we define the run $\rho'' = \rho\rho'$ as follows: $\rho'' = (\langle s''_i, \nu''_i, t''_i \rangle)_{i=0,\ldots,k+k'}$ where $\langle s''_i, \nu''_i, t''_i \rangle = \langle s_i, \nu_i, t_i \rangle$ for $i = 0, \ldots, k$ and $\langle s''_{k+i}, \nu''_{k+i}, t''_{k+i} \rangle = \langle s'_i, \nu'_i, t'_i \rangle$ for $i = 1, \ldots, k'$. Note that it is a partial law. In particular, if $\rho$ is a run with positive length, $\rho^2$ is never defined because, unlike [1,4], we add the absolute time in the states of the timed automaton. A finite run $\rho = (\langle s_i, \nu_i, t_i \rangle)_{i=0,\ldots,k}$ is a pseudo-cycle if $s_k = s_0$ and $[\nu_k] = [\nu_0]$.

The main notion in this part is the notion of conjugation. Two runs $\rho = (\langle s_i, \nu_i, t_i \rangle)_{i=0,\ldots,k}$ and $\rho' = (\langle s_i, \nu'_i, t'_i \rangle)_{i=0,\ldots,k}$ of length $k > 0$ are conjugate if $E(\rho) = E(\rho')$, $[\nu_i] = [\nu'_i]$ for $i = 0, \ldots, k$, and $t'_i - t'_{i-1} = t_i - t_{i-1}$ for $i = 1, \ldots, k$. Let $n$ be a positive integer and $\rho = (\langle s_i, \nu_i, t_i \rangle)_{i=0,\ldots,k}$ and $\rho' = (\langle s_i, \nu'_i, t'_i \rangle)_{i=0,\ldots,k}$ be two runs. The run $\rho'$ is a $\frac{1}{n}$-conjugate of the run $\rho$ if $E(\rho) = E(\rho')$, $[\nu_i] = [\nu'_i]$ for $i = 0, \ldots, k$, and $t'_i - t'_{i-1} = \frac{t_i - t_{i-1}}{n}$ for $i = 1, \ldots, k$. If $n = 1$, $\rho'$ is called simply a conjugate of $\rho$. From the definition of a $\frac{1}{n}$-conjugate we can deduce:

Lemma 1 (1) If $\bar\rho$ is a $\frac{1}{n}$-conjugate of $\rho$, then $d(\bar\rho) = \frac{1}{n} d(\rho)$. (2) Given a run $\rho$ with first state $\langle s_0, \nu_0, t_0 \rangle$, and a clock assignment $\nu'_0$, there is at most one $\frac{1}{n}$-conjugate of $\rho$ with its first state equal to $\langle s_0, \nu'_0, t_0 \rangle$. (3) Two $\frac{1}{n}$-conjugates of a run $\rho$ have the same trace.

Given a finite run $\rho$ there exists at most one run which can be written $\rho_1 \rho_2 \ldots \rho_n$, where for $i = 1, \ldots, n$ $\rho_i$ is a $\frac{1}{n}$-conjugate of $\rho$ and $\rho_1$ has the same first state as $\rho$. This unique run, when it exists, is denoted by $\rho^{[n]}$ and called the $n$-iteration of $\rho$. It satisfies the following property:

Lemma 2 If $\rho^{[n]}$ exists for some $n > 1$, then (1) $d(\rho^{[n]}) = d(\rho)$ and $|\rho^{[n]}| = n|\rho|$, (2) $\rho$ is a pseudo-cycle.

Proof. (1) is clear from the definition of a $1/n$-conjugate. To prove (2) note that the last state of $\rho_1$ is equal to the first state of $\rho_2$, and so it implies that $\rho$ is a pseudo-cycle. □
We say that a clock $c$ crosses an integer value during the run $\rho = (\langle s_i, \nu_i, t_i \rangle)_{i \le n}$ if there is a transition $(\langle s_i, \nu_i, t_i \rangle, \langle s_{i+1}, \nu_{i+1}, t_{i+1} \rangle)$ and some $t \in [0, t_{i+1} - t_i]$ such that $\nu_i(c) + t$ is a positive integer. Clearly we have:

Lemma 3 If a finite run is such that no clock crosses an integer value during it, the value of the delay of any transition of the run is strictly less than 1.

Let $X$ be a subset of clocks. Two states $A = \langle s, \nu, t \rangle$ and $A' = \langle s, \nu', t' \rangle$ are $X$-equal if they satisfy: if $c \in X$ then $\nu(c) = \nu'(c)$, and if $c \notin X$ then $\nu(c)$ and $\nu'(c)$ are both strictly less than 1 and $\nu(c) = 0 \Leftrightarrow \nu'(c) = 0$. Transitions where clocks do not cross an integer value have the following basic property:

Lemma 4 Let $\mathcal{A}$ be a timed automaton, $X$ be a subset of clocks, and $A = \langle s, \nu, t \rangle$, $A' = \langle s, \nu', t' \rangle$ be two $X$-equal states of $\mathcal{A}$. Suppose there exists a transition from state $A$ to some state $B$ with edge $e$ and delay $\tau$ where the clocks do not cross an integer value. Suppose finally that for $c \notin X$ we have $\nu'(c) + \tau < 1$. Then there exists a transition from $A'$ to some state $B'$ with the same edge $e$ and the same delay; moreover $B$ and $B'$ are $X$-equal.

Proof. Let us consider the transition from state $A$ to state $B = \langle s_1, \langle \phi \rangle \nu, t + \tau \rangle$ with edge $e = (s, s_1, \phi, \delta)$. For an atomic proposition $c \sim n$ where $\sim \in \{>, <, =\}$ and $n \in \mathbb{N}$ consider two cases: $c$ belongs to $X$ or not.
• Case 1: $c \in X$. For every $\tau' \in [0, \tau]$, $(\nu' + \tau')(c) = (\nu + \tau')(c)$. So $(\nu + \tau')(c)$ satisfies $c \sim n$ iff $(\nu' + \tau')(c)$ satisfies $c \sim n$.
• Case 2: $c \notin X$. For every $\tau' \in [0, \tau]$, $(\nu + \tau')(c)$ is strictly less than 1, because in the transition the clocks do not cross an integer value, and $(\nu' + \tau')(c)$ is also strictly less than 1. So $(\nu' + \tau')(c)$ satisfies $c \sim n$ iff $\nu + \tau'$ satisfies $c \sim n$.
Finally, for the same reasons, $\langle \phi \rangle (\nu + \tau)$ and $\langle \phi \rangle (\nu' + \tau)$ satisfy exactly the same set of atomic propositions. So there is a transition with the edge $e$ and the same delay $\tau$ from $A'$ to $B' = \langle s_1, \langle \phi \rangle (\nu' + \tau), t' + \tau \rangle$. Clearly, $B$ and $B'$ are $X$-equal. □
2
By induction on the length of a run we can deduce the following lemma:

Lemma 5 Let $\mathcal{A}$ be a timed automaton, $X$ a subset of clocks, and $A = \langle s, \nu, t\rangle$, $A' = \langle s, \nu', t'\rangle$ two $X$-equal states of $\mathcal{A}$. Suppose there is a run $\rho$ from $A$ with duration $\tau$ in which no clock crosses an integer value, and that $\nu'(c) + \tau < 1$ for every $c \notin X$. Then there is a run $\rho'$, conjugate of $\rho$, starting from $A'$, and the terminal states of $\rho$ and $\rho'$ are $X$-equal.
The reset of a finite run $(\langle s_i, \nu_i, t_i\rangle)_{i \le k}$ is the set of clocks which are reset to 0 during the run, i.e. the union of the sets $\phi_i$ where $E(\rho) = (s_{i-1}, s_i, \phi_i, \delta_i)_{0 < i \le k}$. […] Let $c > k$ be an atomic proposition and consider a value $\tau \in [0, t_1]$. Then $A_0 + \tau$ satisfies $c > k$ iff $A_0 + \tau/n$ satisfies $c > k$, because $c$ cannot cross an integer value during the run. The same holds for an atomic proposition $c < k$, and a constraint $c = k$ is satisfied neither by $A_0 + \tau$ nor by $A_0 + \tau/n$. For the same reason, $\langle\phi_1\rangle(\nu + t_1/n)$ and $\langle\phi_1\rangle(\nu + t_1)$ satisfy the same atomic propositions. So there is a transition from $A_0$ with delay $t_1/n$, using edge $e_1$, arriving in $A'_1$. Moreover we have $[A'_1] = [A_1]$. Indeed, the clocks in $\phi_1$ are equal to 0 in both $A_1$ and $A'_1$. Let $c, c'$ be two clocks not in $\phi_1$. If $\mathrm{fract}(\nu(c) + t_1) \le \mathrm{fract}(\nu(c') + t_1)$ then $\mathrm{fract}(\nu(c) + t_1/n) \le \mathrm{fract}(\nu(c') + t_1/n)$, and $\mathrm{fract}(c)$ is non-zero in both $A_1$ and $A'_1$. So $[A'_1] = [A_1]$.

Suppose we have proved that there exists a run $(A_0, A'_1, \dots, A'_i)$ with edges $(e_1, \dots, e_i)$ and delays $t_1/n, \dots, t_i/n$ such that $[A'_j] = [A_j]$ for $j = 1, \dots, i$. Let $c$ be a clock, and denote by $c_i$ its value in $A_i$ and by $c'_i$ its value in $A'_i$. Let $\tau \in [0, t_{i+1}]$.
• If $c \notin R$, or if $c$ has not yet been reset to zero between $A_0$ and $A_i$, then $c_i = c_0 + \sum_{j=1,\dots,i} t_j$ and $c'_i = c_0 + \sum_{j=1,\dots,i} t_j/n$. The states $A_i + \tau$ and $A'_i + \tau/n$ satisfy the same atomic propositions concerning the clock $c$, again because $c$ cannot cross an integer value during the run.
• If $c \in R$ and $c$ has been reset to zero between $A_0$ and $A_i$, then the values of $c$ in $A_i + \tau$ and in $A'_i + \tau/n$ are strictly less than 1, so $A_i + \tau$ and $A'_i + \tau/n$ satisfy the same constraints on $c$.
Finally, let $\phi_{i+1}$ be the reset of the edge $e_{i+1}$. The same arguments prove that $\langle\phi_{i+1}\rangle(A_i + t_{i+1})$ and $\langle\phi_{i+1}\rangle(A'_i + t_{i+1}/n)$ satisfy the same atomic propositions. So there is a transition from $A'_i$ with edge $e_{i+1}$ and delay $t_{i+1}/n$, and $[A'_{i+1}] = [A_{i+1}]$.

We have proved by induction the existence of a $1/n$-conjugate $\rho_1$ of $\rho$ starting in the same state as $\rho$. Suppose we have defined $1/n$-conjugates $\rho_1, \dots, \rho_i$ of $\rho$ such that the product $\rho_1 \cdots \rho_i$ exists, with $i < n$. Let $T$ be the duration of $\rho$, and let $Y_i$ be the last state of $\rho_i$. Let $c$ be a clock, and denote by $c_i$ its value in $Y_i$. If $c \notin R$ then $c_i = c_0 + iT/n$, and if $c \in R$ then its values in $Y_i$ and in $A_0$ are less than 1. So we can repeat the same reasoning and prove that there is a $1/n$-conjugate $\rho_{i+1}$ of $\rho$ starting in $Y_i$. Indeed, since $\rho$ is a pseudo-cycle we have $[A_0] = [A_p]$, and on the other hand $[Y_i] = [A_p]$, so $[Y_i] = [A_0]$. The lemma is proved. □
Note that in general $\rho^{[n]}$ is not equivalent to $\rho$; some synchronization is needed to obtain two equivalent runs. This is done in the lemma below.

Lemma 7 Let $\rho$ be a run with duration strictly less than 1 such that $\rho = \rho_1\beta\rho_2$, where $\rho_1, \rho_2$ are pseudo-cycles with the same reset. Suppose that no clock crosses an integer value during the run $\rho$. Then for every positive integer $n$ there exists a conjugate $\overline{\beta\rho_2}$ of $\beta\rho_2$ such that the run $\rho_1^{[n]}\,\overline{\beta\rho_2}$ exists and is equivalent to $\rho$.

Proof. If $n = 1$ there is nothing to prove. Suppose $n > 1$. Let $\rho = \rho_1\beta\rho_2$ where $\rho_1$ and $\rho_2$ are pseudo-cycles with $\mathrm{reset}(\rho_1) = \mathrm{reset}(\rho_2) = X$. Suppose that $\rho_1$ starts in $A$ and finishes in $A'$, and $\rho_2$ starts in $B$ and finishes in $B'$. The run $\rho_1$ satisfies the hypothesis of Lemma 6, so $\rho_1^{[n]}$ exists and finishes in some state $Y$. Observe that if $A' = \langle s_{A'}, \nu_{A'}, t_{A'}\rangle$ and $Y = \langle s_Y, \nu_Y, t_Y\rangle$ then $s_Y = s_{A'}$, $t_Y = t_{A'}$, and the states $A'$ and $Y$ are $\overline{X}$-equal, where $\overline{X}$ is the complement of $X$. Moreover, $\nu_Y(c) \le \nu_{A'}(c)$ for every clock $c$. Denote by $\tau$ the duration of the run $\beta\rho_2$. Since $\rho$ has duration strictly less than 1, for every clock $c \in X$ we have $\nu_Y(c) + \tau \le \nu_{A'}(c) + \tau < 1$. On the other hand, no clock crosses an integer value during $\beta\rho_2$, so applying Lemma 5 there exists a run $\beta'\rho'_2$, conjugate of $\beta\rho_2$, starting in $Y$ and arriving in some state $B''$. We claim that $B'' = B'$. Indeed, the clocks reset during $\rho_2$ are also reset during $\rho'_2$ and have the same value in $B'$ and in $B''$, because the two runs are conjugate and so have the same delays. The clocks not reset during $\rho_2$ were not reset during $\rho_1$ either, so they have the same value in $Y$ and in $A'$, and hence also in $B'$ and $B''$. We conclude that $\rho_1^{[n]}\,\overline{\beta\rho_2}$ exists and is equivalent to $\rho$. □
Lemma 8 Let $\rho$ be a run with duration strictly less than 1 in which no clock crosses an integer value, and such that $\rho = \rho_1\beta\rho_2 x\gamma\rho_3$ where $\rho_1, \rho_2, \rho_3$ are pseudo-cycles with the same reset and $|x| = 1$. Then there exist a transition $x'$ and a conjugate $\overline{\gamma\rho_3}$ of $\gamma\rho_3$ such that $\rho_1\beta x'\,\overline{\gamma\rho_3}$ exists and is equivalent to $\rho$.

Proof. Suppose that $\rho$ contains three disjoint successive pseudo-cycles $\rho_1, \rho_2, \rho_3$ with the same reset. The pseudo-cycle $\rho_1$ begins in $A$ and finishes in $A'$, $\rho_2$ begins in $B$ and finishes in $B'$, and $\rho_3$ begins in $C$ and finishes in $C'$. Let $t$ be the duration of $\rho$ from $B$ to $B'$, and let $B'_1$ be the successor of $B'$ in $\rho$. The transition $(B', B'_1)$ has delay $t'$ and corresponds to some edge $e = (s, s_1, \phi, \delta)$. Let $B = \langle s, \nu_B, t_B\rangle$, $B' = \langle s, \nu_{B'}, t_{B'}\rangle$ and $B'_1 = \langle s_1, \nu_{B'_1}, t_{B'_1}\rangle$. Then $t_{B'} - t_B = t$ and $t_{B'_1} - t_{B'} = t'$. We prove that from $B$ there is a possible transition using the edge $e$, with delay $t + t'$, to some state $B''_1$ which is $R$-equal to $B'_1$, where $R$ is the complement of $\mathrm{reset}(\rho_2)$. Three conditions have to be verified:
(1) for every $\tau \in [0, t + t')$, $\nu_B + \tau$ satisfies $\mu(s_B)$;
(2) $\nu_B + t + t'$ satisfies $\delta$;
(3) $\langle\phi\rangle(\nu_B + t + t')$ satisfies $\mu(s_1)$.

Condition (1): Since the clocks do not cross an integer value during the run and the run has duration less than 1, for every clock $c$ there is a unique interval $[k, k+1)$, with $k \in \mathbb{N}$, to which the value of $c$ belongs during the whole run $\rho$. Let $c$ be a clock and $\tau \in [0, t + t')$. If $c \in \mathrm{reset}(\rho_2) = \mathrm{reset}(\rho_1)$ then $(\nu_B + \tau)(c)$ is less than 1, as $\nu_B(c)$ is. If $c \notin \mathrm{reset}(\rho_2)$, then $\nu_{B'}(c) = \nu_B(c) + t$, and $\nu_B(c)$, $\nu_{B'}(c)$, $\nu_{B'}(c) + t'$ belong to the same interval $[k, k+1)$, so $(\nu_B + \tau)(c)$ belongs to this interval as well. Since $\nu_B$ satisfies $\mu(s_B)$, so does $\nu_B + \tau$.
Condition (2): The clocks not in $\mathrm{reset}(\rho_2)$ have the same value in $\nu_B + t + t'$ and in $\nu_{B'} + t'$. The clocks in $\mathrm{reset}(\rho_2) = \mathrm{reset}(\rho_1)$ have a value less than 1 in both $\nu_B + t + t'$ and $\nu_{B'} + t'$. Since $\nu_{B'} + t'$ satisfies $\delta$, so does $\nu_B + t + t'$.
Condition (3): In the same way, since $\langle\phi\rangle(\nu_{B'} + t')$ satisfies $\mu(s_1)$, so does $\langle\phi\rangle(\nu_B + t + t')$.

So there is a transition $x'$ from $B = \langle s, \nu_B, t_B\rangle$ to $B''_1 = \langle s_1, \langle\phi\rangle(\nu_B + t + t'), t_{B''_1}\rangle$, with $t_{B''_1} = t_B + t + t' = t_{B'} + t' = t_{B'_1}$. The main point is that $B'_1$ and $B''_1$ are $R$-equal, where $R$ is the complement of $\mathrm{reset}(\rho_2)$. Indeed:
- if $c \in \phi$ then $\nu_{B'_1}(c)$ and $\nu_{B''_1}(c)$ are both equal to 0;
- if $c \notin \phi$ and $c \notin \mathrm{reset}(\rho_2)$ then $\nu_{B'_1}(c) = \nu_{B'}(c) + t' = \nu_B(c) + t + t' = \nu_{B''_1}(c)$;
- if $c \notin \phi$ and $c \in \mathrm{reset}(\rho_2)$ then $\nu_{B'_1}(c)$ and $\nu_{B''_1}(c)$ are both strictly less than 1.

Let $\tau$ be the duration of $\gamma\rho_3$. For every clock $c \in \mathrm{reset}(\rho_1)$ we have $\nu_B(c) + t + t' + \tau < 1$, since the duration of $\rho$ is strictly less than 1. So $\nu_B(c) + t + t' + \tau = \nu_{B''_1}(c) + \tau < 1$ for $c \in \mathrm{reset}(\rho_1)$, and we can apply Lemma 5 to the states $B'_1$ and $B''_1$: there is a run $\gamma'\rho'_3$ starting in $B''_1$, conjugate of $\gamma\rho_3$, arriving in some state $C''$. Now we prove that $C'' = C'$. Let $C' = \langle s_{C'}, \nu_{C'}, t_{C'}\rangle$ and $C'' = \langle s_{C''}, \nu_{C''}, t_{C''}\rangle$. Certainly $s_{C''} = s_{C'}$ and $t_{C''} = t_{C'}$. Compare the values of the clocks in $C'$ and $C''$, that is, $\nu_{C'}$ and $\nu_{C''}$.
• The clocks reset to 0 in $\gamma'\rho'_3$ between $B''_1$ and $C''$ are the same as the clocks reset in $\gamma\rho_3$ between $B'_1$ and $C'$, and since the durations of the transitions are the same, these clocks have the same value in $C'$ and $C''$.
• The clocks not reset between $B'_1$ and $C'$ in $\gamma\rho_3$ (and so not reset between $B''_1$ and $C''$ in $\gamma'\rho'_3$) were never reset between $B$ and $B'_1$ in $\rho_2 x$, nor between $B$ and $B''_1$ in $x'$. So their values are the same in $B'_1$ and $B''_1$, and hence remain the same in $C'$ and $C''$. □
Let $\mathcal{A}$ be a timed automaton, $C$ its set of clocks, $m$ the number of regions of $\mathcal{A}$, and $K_0$ the constant $(2 \cdot 2^{|C|} + 1)(|S|m + 1)$.

Proposition 1 If a run $\rho$ with duration strictly less than 1 has length greater than or equal to $(|C| + 1)K_0$, then $\rho$ can be written $\alpha\rho_1\beta\rho_2 x\gamma\rho_3\eta$ with $|x| = 1$ such that:
(1) there exist a transition $x'$ and a conjugate $\gamma'\rho'_3$ of $\gamma\rho_3$ such that the run $\alpha\rho_1\beta x'\gamma'\rho'_3\eta$ is equivalent to $\rho$;
(2) for every positive integer $n$ there is a conjugate $\overline{x\gamma\rho_3}$ of $x\gamma\rho_3$ such that $\alpha\rho_1\beta\rho_2^{[n]}\,\overline{x\gamma\rho_3}\,\eta$ is equivalent to $\rho$.

Proof. There are at most $|C|$ moments during the run when a clock can cross an integer value, because the duration of the run is less than 1 and so each clock can cross an integer value at most once. Since $\rho$ has length at least $(|C| + 1)K_0$, there is a finite run $\rho'$, part of $\rho$, of length at least $K_0 = (2 \cdot 2^{|C|} + 1)(|S|m + 1)$ during which no clock crosses an integer value. This run $\rho'$ contains $2 \cdot 2^{|C|} + 1$ disjoint parts which are pseudo-cycles, because every run of length $|S|m$ contains a pseudo-cycle; and since there are only $2^{|C|}$ possible resets, at least three of these pseudo-cycles have the same reset. The factor $|S|m + 1$ in $K_0$, instead of $|S|m$, ensures that the pseudo-cycles are not only disjoint but separated by at least one transition, which justifies the existence of the transition $x$. Then we apply Lemmas 7 and 8.
□

4 Pumping Lemmas
Here we discuss some versions of the "Pumping Lemma" for a given language $L \subset S(\Sigma)$, as a natural extension of the classical one [6]. There are two versions, according to whether "large words" are measured by their duration or by their length. For timed words the classical Pumping Lemma could be stated as follows.

Pumping Lemma Property (PL) There exists a constant $K > 0$ such that for every timed word $u \in L$ with length (respectively duration) more than $K$, there exist timed words $v, w, z$ with $w \neq \varepsilon$ such that $u = vwz$ and $vw^n z \in L$ for every integer $n \ge 0$.

Proposition 2 There is a timed automaton $\mathcal{A}$ such that $L(\mathcal{A})$ does not satisfy (PL).

Proof. Consider the automaton of Figure 1. Suppose it satisfies (PL) in the "duration" version, and let $K$ be a constant for which the property holds. There exists a timed word $u \in L(\mathcal{A})$ with $d(u) > K$, and we can choose $u$ of the form $a^{r_0}b^{q_0}a^{r_1}b^{q_1}\cdots a^{r_p}b^{q_p}$ with $p > 0$. By assumption there are words $v, w, z$ such that $u = vwz$ and $vw^n z \in L$ for every integer $n \ge 0$. Several cases are to be considered for $w$. If $w = a^r$ with $r > 0$, there exists an integer $n$ such that $nr > 1$, so $vw^n z$ does not belong to $L(\mathcal{A})$. The same holds if $w = b^r$ with $r > 0$. If $w$ contains both letters $a$ and $b$, then $w^2$ cannot be a factor of a word in $L(\mathcal{A})$, because in $w^2$ the sequence of exponents of the letter $b$ is not decreasing; thus $vw^2 z \notin L(\mathcal{A})$. So $L(\mathcal{A})$ does not satisfy (PL) in the "duration" version. A similar reasoning applies if $|u| > K$, so $L(\mathcal{A})$ does not satisfy (PL) in the "length" version either. □
In [4] it is proved that the family of languages recognized by timed automata satisfies a Kleene-like property; the regular expressions used there include intersection. This is not surprising, because a classical Kleene theorem without intersection in the regular expressions would easily imply the Pumping Lemma (PL) for languages recognized by timed automata. Nevertheless, using the properties established in Section 3 we can formulate some weak versions which do hold. In a first version the iteration increases the duration of the timed word but preserves its length; we prove that such a Pumping Lemma holds for a sub-family of timed automata, the strict automata. A timed automaton on an alphabet $\Sigma$ is strict if two adjacent locations have different labellings by $\lambda$. Strict timed automata are less expressive, as the following example shows. The timed language recognized by the automaton of Figure 2 is $\{a^r \mid r \in (2, +\infty) \cup \{1\} - \{3\}\}$. If a strict automaton recognized such a language it would have a single location, and it is easy to prove that no such strict automaton exists.
Fig. 2. A counter-example (figure not reproduced): two locations $s_0$ and $s_1$, both labelled $a$, with edges guarded by $(x=1)$ and $(x<1)$, each resetting $\{x\}$.
Lemma 9 If a timed word $u$ is accepted by a strict timed automaton, then all the runs which accept $u$ have the same length, equal to the length of $u$.

Proof. Since the automaton is strict, the length of a run is exactly the length of the word it recognizes. □
We first give a Pumping Lemma (LPL) which holds for languages recognized by strict timed automata. In this version the iteration increases the duration of the word but preserves its length.

Proposition 3 Pumping Lemma (LPL) Let $L$ be a language recognized by a strict timed automaton $\mathcal{A}$. There exists a constant $K > 0$ such that for every
timed word $u \in L$ with duration $d(u) > K|u|$, there exist $v, w \in T(\Sigma)$, $a \in \Sigma$ and $r > K$ such that $u = va^r w$ and $va^{r'}w \in L$ for every $r' > K$.

Proof. Let $K$ be the greatest integer appearing in the guards and the invariants of the automaton $\mathcal{A}$. Let $u$ be a word recognized by $\mathcal{A}$ such that $d(u) > K|u|$; $u$ can be written $a_1^{r_1}a_2^{r_2}\cdots a_p^{r_p}$ with $a_i \in \Sigma$, $r_i \in \mathbb{R}^+$, $a_i \neq a_{i+1}$, and by Lemma 9 every run which accepts $u$ has length $p$. Since $d(u) = \sum_i r_i > Kp$, there exists some $i \in \{1, \dots, p\}$ such that $r_i > K$. Let $\rho$ be an accepting run for $u$; it can be written $\rho_1 x\rho_2$ where $x$ is a transition with delay $r_i$ from a state $A = \langle s, \nu, t\rangle$ to some state $B = \langle s', \nu', t + r_i\rangle$, with edge $e = (s, s', \phi, \delta)$ and $\mu(s) = a_i$. The main point is that $K$ is the greatest integer appearing in the guards and the invariants of $\mathcal{A}$: for this reason there is a possible transition $x'$ from $A$ using the edge $e$ with delay $r'$, for every $r' > K$. Let $B'$ be the end of this transition. Every clock $c$ has either value zero in both $B$ and $B'$ (if $c \in \phi$, the reset of $e$) or a value greater than $K$ in both $B$ and $B'$. Hence there exists a conjugate $\rho'_2$ of $\rho_2$ starting in $B'$, and since $\rho_1 x\rho_2$ was an accepting run, $\rho_1 x'\rho'_2$ is also an accepting run; thus $va^{r'}w \in L$ for every $r' > K$. □
Another version of the Pumping Lemma can be formulated in which the iteration (in general) increases the length of the timed word but preserves its duration.

Proposition 4 Pumping Lemma (DPL) Let $L$ be a language recognizable by a timed automaton $\mathcal{A}$. There exists a constant $K > 0$ such that the following holds. For every word $u \in L$ with length greater than $(\lfloor d(u)\rfloor + 1)K$ there exist $v_1, v_2, v_3 \in T(\Sigma)$, $v_2 \neq \varepsilon$, $a \in \Sigma$ and a real $r > 0$ such that:
(1) $u = v_1 v_2 a^r v_3$;
(2) $v_1 (v_2^{1/n})^n a^r v_3 \in L$ for every positive integer $n$;
(3) $v_1 a^{r + d(v_2)} v_3 \in L$.

Proof. Let $K = (|C| + 1)K_0$ be the constant of Proposition 1. Consider a run $\rho$ of the automaton $\mathcal{A}$ which accepts $u$. The length of $\rho$ is at least $(\lfloor d(u)\rfloor + 1)K$ and its duration is $d(u)$, so there is a finite part $\rho'$ of $\rho$ of length $K$ and of duration strictly less than 1. Applying Proposition 1 to $\rho'$, it can be written $\alpha\rho_1\beta\rho_2 x\gamma\rho_3\eta$, so $\rho$ is some $\alpha'\alpha\rho_1\beta\rho_2 x\gamma\rho_3\eta\eta'$, and $\rho$ recognizes a timed word $v_1 v_2 a^r v_3$ where:
– $v_1$ is the trace of $\alpha'\alpha\rho_1\beta$,
– $v_2$ is the trace of $\rho_2$,
– $a^r$ is the trace of $x$,
– $v_3$ is the trace of $\gamma\rho_3\eta\eta'$.
Now there is some $\alpha\rho_1\beta x'\gamma'\rho'_3\eta$ which is equivalent to $\rho'$, so $\alpha'\alpha\rho_1\beta x'\gamma'\rho'_3\eta\eta'$ is equivalent to $\rho$ and recognizes the word $v_1 a^{r + d(\rho_2)} v_3$; recall that the delay of the transition $x'$ is equal to the delay of $x$ plus the duration of $\rho_2$. So $v_1 a^{r + d(v_2)} v_3 \in L$.

In the same way, there is a conjugate $\overline{x\gamma\rho_3}$ of $x\gamma\rho_3$ such that for every positive integer $n$ the run $\alpha\rho_1\beta\rho_2^{[n]}\,\overline{x\gamma\rho_3}\,\eta$ is equivalent to $\rho'$. Therefore $\alpha'\alpha\rho_1\beta\rho_2^{[n]}\,\overline{x\gamma\rho_3}\,\eta\eta'$ is equivalent to $\rho$ and recognizes $v_1 (v_2^{1/n})^n a^r v_3$, so $v_1 (v_2^{1/n})^n a^r v_3 \in L$. □
Remarks
In part (3) of Proposition 4 we cannot claim that $v_1 a^r v_3$ belongs to $L(\mathcal{A})$; that is, we cannot simply suppress the factor $v_2$, we have to increase the exponent of $a$ at the same time. Part (2) of Proposition 4 claims that if a timed word $u$ is long enough compared to its duration, then some factor $v_2$ of $u$ can be replaced by $(v_2^{1/n})^n$.

Example We give here an example of application of this Pumping Lemma, to prove that some language cannot be recognized by a timed automaton. Consider the timed language $L = \{a^{r_0}b^{r_1}a^{r_2}b^{r_3}\cdots a^{r_{2n}}b^{r_{2n+1}} \mid r_0 > r_1 > \cdots > r_{2n+1},\ n \ge 0\}$. Suppose that $L$ is recognized by some timed automaton, and let $K$ be the constant of Proposition 4 for this timed automaton. $L$ contains words of arbitrarily great length and simultaneously arbitrarily small duration, so there is a timed word $u \in L$ such that $|u| > K(\lfloor d(u)\rfloor + 1)$. By Proposition 4, $u$ can be written $u = v_1 v_2 x^r v_3$ with $x \in \{a, b\}$, $v_2 \neq \varepsilon$, $v_1 x^{r + d(v_2)} v_3 \in L$ and $v_1 (v_2^{1/n})^n x^r v_3 \in L$. But clearly $v_1 x^{r + d(v_2)} v_3 \notin L$, and neither is $v_1 (v_2^{1/n})^n x^r v_3$ for $n \neq 1$. Therefore $L$ cannot be recognized by a timed automaton. Note that this argument cannot be replaced by one on the untimed language associated with $L$, which is $(ab)^+$ and hence regular.

Conclusion We have proved that languages recognized by timed automata do not satisfy the classical Pumping Lemma Property, but only weaker versions. This result can be used to prove that a language is not recognizable by a timed automaton, by proving that the language does not satisfy the weak Pumping Lemma. We have also used this result to prove that model-checking is decidable for a class of problems formulated in a rather high-level language [7].

Acknowledgments I thank the anonymous referees for their numerous and sound remarks.
References
1. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
2. T. A. Henzinger and O. Kupferman. From quantity to quality. In Hybrid and Real-Time Systems, Proceedings of HART'97, pages 48–62. Springer-Verlag, 1997. Lecture Notes in Computer Science, vol. 1201.
3. F. Wang. Parametric timing analysis for real-time systems. Information and Computation, 130:131–150, 1996.
4. E. Asarin, P. Caspi, and O. Maler. A Kleene theorem for timed automata. In IEEE Computer Society, LICS'97, pages 160–171, 1997.
5. T. Wilke. Automaten und Logiken für zeitabhängige Systeme. Ph.D. thesis, Kiel University, 1994.
6. J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.
7. D. Beauquier and A. Slissenko. Decidable model checking for a class of timed automata specified in first order logic. Technical Report 97–11, University Paris-12, Department of Informatics, 1997.
Asynchronous Observations of Processes⋆
Michele Boreale¹, Rocco De Nicola², Rosario Pugliese²
¹ Dipartimento di Scienze dell'Informazione, Università di Roma "La Sapienza"
² Dipartimento di Sistemi e Informatica, Università di Firenze

Abstract. We study may and must testing-based preorders in an asynchronous setting. In particular, we provide some full abstraction theorems that offer alternative characterizations of these preorders in terms of context closure w.r.t. basic observables and in terms of traces and acceptance sets. These characterizations throw light on the asymmetry between input and output actions in asynchronous interactions and on the difference between synchrony and asynchrony.

1 Introduction
Distributed systems can seldom rely on a global clock, and few assumptions can be made about their relative speed; as a consequence, it is natural to adopt for them an asynchronous communication mechanism. This calls for non-blocking sending primitives that do not oblige producers and consumers to synchronize when exchanging messages, but allow the sender of a message to continue with its task while the message travels to its destination. Therefore, for describing distributed systems, a model based on a paradigm that imposes a neat distinction between input and output primitives, in the style of [1] and [17], appears to be a natural choice. In spite of these considerations, the most studied concurrency models in the process algebra community (e.g. [18, 3, 14, 20]) are based on synchronous communications and model process interaction as the execution of simultaneous "complementary actions". Only recently have variants of process algebras based on asynchronous communications been studied. Two main approaches have been followed to this purpose; they differ in the way (non-blocking) output actions are modelled. These actions are rendered either as state transformers or as processes themselves. The asynchronous variants of ACP [9] and CSP [16] follow the first approach and introduce explicit buffers in correspondence with output channels. This makes outputs non-blocking and immediately executable; their execution makes messages available for consumption. The asynchronous variants of the $\pi$-calculus [15, 6, 12, 2] and of CCS [21, 11, 8] follow the second approach and model outputs by creating new concurrent processes. This amounts to modelling an output prefix $\bar a.P$ as a parallel composition $\bar a \mid P$.

⋆ Work partially supported by EEC: HCM project EXPRESS, and by CNR: project "Specifica ad alto livello e verifica formale di sistemi digitali". The third author has been supported by a scholarship from CNR, Comitato Scienza e Tecnologie dell'Informazione.
The problem of specifying the abstract behaviour of asynchronous processes, i.e. of defining "good" observational semantics, has not yet been investigated in depth. Only a few observational semantics have been considered. The maximal congruence induced by completed trace equivalence has been studied in [9] for asynchronous ACP. Bisimulation [18] for the asynchronous $\pi$-calculus has been investigated in [15, 12, 2]. A natural alternative is represented by the testing framework of [10, 13]. Testing offers a uniform mechanism to define sensible behavioural equivalences on different process algebras, as it relies on little more than a notion of reduction relation ($\xrightarrow{\tau}$). Moreover, testing has the advantage of identifying only those processes that cannot be differentiated by running observers in parallel with them. No new operator is introduced, as both the parallel composition operator and the observers are taken from the process description language under investigation. The testing approach has been partially followed in [22], where synchronous processes and observers are connected via input/output queues; this permits asynchronous testing of synchronous processes. In this paper we investigate the testing theory for a variety of asynchronous process algebras. For the sake of simplicity, the basic theory will be developed for an asynchronous version of CCS [18] (ACCS); we will then see how the obtained results can be extended with little effort to an asynchronous variant of the $\pi$-calculus and to an asynchronous version of CCS with non-injective relabelling. The latter leads to a significantly different theory. We shall study both the may and the must testing preorders. While natural, these preorders rely on a universal quantification over the set of all observers that makes reasoning about processes extremely difficult. This calls for alternative, observer-independent characterizations that permit a full appreciation of the impact of an asynchronous semantics on the considered languages.
For each preorder we will offer two characterizations: one in terms of the traces/acceptances of processes, the other in terms of the context closure w.r.t. some basic observables, in the same spirit as [5]. As far as basic observables are concerned, we will see that, differently from the synchronous case, the only important actions are the output ones. In particular, for capturing the may preorder we will need, as basic observables, tests about the possibility of processes to perform specific output actions. For capturing the must preorder we will need, as basic observables, tests about the guarantee that processes offer of performing specific output actions. The other alternative characterization for the may preorder will be based on sequences of visible actions (traces), while that for the must preorder will rely on pairs ⟨trace, acceptance set⟩, in the same spirit as [13] and [7]. However, the usual trace containment for may is not adequate any more, and the notion of acceptance set for must is more complicated. For both the may and the must preorders we have equalities like $a.\bar a = \mathbf{0}$. The underlying reason is that, since no behaviour can causally depend upon outputs, observers cannot fully determine the occurrence of process input actions. As a consequence, both for may and for must, the set of traces will have to be factored via the preorder induced by the three laws below, whose intuition is that whenever a trace $s$ performed by some process is "acceptable" for the environment, then any $s' \preceq s$ is acceptable as well:
– (deletion) $\varepsilon \preceq a$: process inputs cannot be forced;
– (postponement) $sa \preceq as$: observations of process inputs can be delayed;
– (annihilation) $\varepsilon \preceq a\bar a$: buffers are not observable.
The extension of the alternative characterizations to the $\pi$-calculus is relatively straightforward and vindicates the stability of the approach. The extension to a process description language with non-injective relabelling shows that this operator enables external observers to get more precise information about inputs of asynchronous systems. The rest of the paper is organized as follows. Section 2 introduces asynchronous CCS and the testing preorders. Section 3 presents the alternative characterizations based on traces and acceptance sets, while the next section presents those based on basic observables. The extensions to the $\pi$-calculus and to CCS with general relabelling are sketched in Section 5. Some concluding remarks are reported in Section 6. Due to space limitations, many proofs will be omitted.
2 Asynchronous CCS
In this section we present the syntax, the operational semantics and the testing semantics of asynchronous CCS (ACCS, for short). It differs from standard CCS in that only guarded choices are used and output guards are not allowed. The absence of output guards "forces" the asynchrony: it is not possible to have processes that causally depend on output actions.

2.1 Syntax
We let $N$, ranged over by $a, b, \dots$, be an infinite set of names and $\bar N = \{\bar a \mid a \in N\}$, ranged over by $\bar a, \bar b, \dots$, be the set of co-names. $N$ and $\bar N$ are disjoint and are in bijection via the complementation function $\bar{(\cdot)}$; we define $\bar{\bar a} = a$. We let $L = N \cup \bar N$ be the set of visible actions, and let $l, l', \dots$ range over it. We let $L_\tau = L \cup \{\tau\}$, for a distinct action $\tau$, be the set of all actions or labels, ranged over by $\mu$. We shall use $A, B, L, \dots$ to range over subsets of $L$, $M$ to range over multisets of $L$ and $s$ to range over $L^*$. We define $\bar L = \{\bar l \mid l \in L\}$ and similarly for $\bar M$ and $\bar s$. We let $\mathcal{X}$, ranged over by $X, Y, \dots$, be a countable set of process variables.

Definition 1. The set of ACCS terms is generated by the grammar:
$E ::= \bar a \;\mid\; \sum_{i \in I} g_i.E_i \;\mid\; E_1 \,|\, E_2 \;\mid\; E\backslash L \;\mid\; E\{f\} \;\mid\; X \;\mid\; \mathrm{rec}X.E$
where $g_i \in N \cup \{\tau\}$, $I$ is finite and $f : N \to N$, called a relabelling function, is injective and such that $\{l \mid f(l) \neq l\}$ is finite. We extend $f$ to $L$ by letting $f(\bar a) = \overline{f(a)}$ for all $a \in N$. We let $\mathcal{P}$, ranged over by $P, Q$, etc., denote the set of closed and guarded terms, or processes (i.e. those terms where every occurrence of any agent variable $X$ lies within the scope of some $\mathrm{rec}X.$ and $\sum$ operators).

Notation. In the sequel, $\sum_{i \in \{1,2\}} g_i.E_i$ will be abbreviated as $g_1.E_1 + g_2.E_2$, $\sum_{i \in \emptyset} g_i.E_i$ will be abbreviated as $\mathbf{0}$, and we write $g$ for $g.\mathbf{0}$. $\prod_{i \in I} E_i$ represents the parallel composition of the terms $E_i$. We write $\{l'_1/l_1, \dots, l'_n/l_n\}$ for the relabelling operator $\{f\}$ where $f(l) = l'_i$ if $l = l_i$, $i \in \{1, \dots, n\}$, and $f(l) = l$ otherwise. As usual, we write $E[F/X]$ for the term obtained by replacing each occurrence of $X$ in $E$ by $F$ (possibly renaming bound process variables).

Throughout the paper, we will use the structural congruence relation over ACCS processes, $\equiv$, as defined in, e.g., [19] (the only change with respect to [19] is the addition of some obvious distribution laws for injective relabelling).
2.2 Operational Semantics
The labelled transition system $(\mathcal{P}, L_\tau, \longrightarrow)$, which characterizes the operational semantics of the language, is given by the rules in Figure 1.

AR1: $\sum_{i \in I} g_i.P_i \xrightarrow{g_j} P_j$ ($j \in I$)
AR2: $\bar a \xrightarrow{\bar a} \mathbf{0}$
AR3: $P \xrightarrow{\mu} P'$ implies $P\{f\} \xrightarrow{f(\mu)} P'\{f\}$
AR4: $P \xrightarrow{\mu} P'$ implies $P\backslash L \xrightarrow{\mu} P'\backslash L$, if $\mu \notin L \cup \bar L$
AR5: $P \xrightarrow{\mu} P'$ implies $P \,|\, Q \xrightarrow{\mu} P' \,|\, Q$
AR6: $P[\mathrm{rec}X.P/X] \xrightarrow{\mu} P'$ implies $\mathrm{rec}X.P \xrightarrow{\mu} P'$
AR7: $P \xrightarrow{l} P'$ and $Q \xrightarrow{\bar l} Q'$ imply $P \,|\, Q \xrightarrow{\tau} P' \,|\, Q'$
Fig. 1. Operational semantics of ACCS (symmetric of rule AR5 omitted)
As usual, we use $\Longrightarrow$ or $\overset{\varepsilon}{\Longrightarrow}$ to denote the reflexive and transitive closure of $\xrightarrow{\tau}$, and use $\overset{s}{\Longrightarrow}$ (resp. $\xrightarrow{s}$) for $\Longrightarrow \xrightarrow{l} \overset{s'}{\Longrightarrow}$ (resp. $\xrightarrow{l} \xrightarrow{s'}$) when $s = ls'$. Moreover, we write $P \overset{s}{\Longrightarrow}$ for $\exists P' : P \overset{s}{\Longrightarrow} P'$ ($P \xrightarrow{s}$ and $P \xrightarrow{\mu}$ will be used similarly). We call sort of $P$ the set $\mathrm{sort}(P) = \{l \in L \mid \exists s \in L^* : P \overset{sl}{\Longrightarrow}\}$, input (resp. output) successors of $P$ the set $\mathrm{In}(P) = \{l \in N \mid P \overset{l}{\Longrightarrow}\}$ (resp. $\mathrm{Out}(P) = \{\bar l \in \bar N \mid P \overset{\bar l}{\Longrightarrow}\}$), successors of $P$ the set $S(P) = \mathrm{In}(P) \cup \mathrm{Out}(P)$, and language generated by $P$ the set $L(P) = \{s \in L^* \mid P \overset{s}{\Longrightarrow}\}$. We say that a process $P$ is stable if $P \not\xrightarrow{\tau}$. From now on, we adopt the following convention: an action declared fresh in a statement is assumed different from any other name and co-name mentioned in the statement. Note that, since for all relabelling operators $f$ the set $\{l \mid f(l) \neq l\}$ is finite, every ACCS process has a finite sort. The following lemma implies that behaviours do not causally depend on the execution of output actions.

Lemma 2. For any process $P$ and $a \in N$, $P \xrightarrow{\bar a} Q$ implies $P \equiv Q \,|\, \bar a$.
2.3 Testing Semantics
We are now ready to instantiate the general framework of testing equivalences [10, 13] on ACCS.

Definition 3. Observers are ACCS processes that can also per form a distinct success action $\omega$. $\mathcal{O}$ denotes the set of all the ACCS observers. A computation from a process $P$ and an observer $O$ is a sequence of transitions
$P \,|\, O = P_0 \,|\, O_0 \xrightarrow{\tau} P_1 \,|\, O_1 \xrightarrow{\tau} P_2 \,|\, O_2 \cdots P_k \,|\, O_k \xrightarrow{\tau} \cdots$
which is either infinite or such that the last $P_k \,|\, O_k$ is stable. The computation is successful iff there exists some $n \ge 0$ such that $O_n \xrightarrow{\omega}$.

Definition 4. For every process $P$ and observer $O$, we say
– $P$ may $O$ iff there exists a successful computation from $P \,|\, O$;
– $P$ must $O$ iff each computation from $P \,|\, O$ is successful.

Definition 5. We define the following preorders over processes:
– $P \lesssim_m Q$ iff for every observer $O \in \mathcal{O}$, $P$ may $O$ implies $Q$ may $O$;
– $P \lesssim_M Q$ iff for every observer $O \in \mathcal{O}$, $P$ must $O$ implies $Q$ must $O$.
We will use $\simeq$ to denote the equivalence obtained as the kernel of a preorder $\lesssim$ (i.e. $\simeq\, = \,\lesssim \cap \lesssim^{-1}$).
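To make Definitions 3 to 5 concrete, the following is an added worked example (my own code, not the paper's) that computes may and must for a process and an observer given as explicit finite labelled transition systems. The encoding is an assumption of the example: a state maps to its list of (action, next state) pairs; inputs are plain names ('a'), outputs are written '!a' for $\bar a$, internal steps are 'tau', and the observer's success action $\omega$ is OMEGA. A computation is a maximal sequence of internal steps of the composition, where a step is a tau of either side or a synchronisation of a name with its co-name (rule AR7); for the finite terms encoded below, letting an output fire only through such a synchronisation is faithful to the asynchronous semantics, since nothing can causally depend on it. The ACCS terms $a.\bar a$, $\mathbf{0}$, $\bar a$, $\tau.\bar a + \tau.\mathbf{0}$, $\mathrm{rec}X.\tau.X$ and the observers $a.\omega$ and $\bar a \,|\, a.\omega$ are transcribed by hand as constructed LTSs with arbitrary state names.

```python
"""May/must testing (Definitions 3-5) over explicit finite LTSs.

Added example, not the paper's code.  A process or observer is a dict
state -> list of (action, next_state); actions are 'a' (input), '!a'
(output, i.e. a-bar), 'tau' and, for observers only, OMEGA.
"""

OMEGA = "omega"          # the observer's distinct success action

def co(act):
    """Complementation: 'a' <-> '!a'."""
    return act[1:] if act.startswith("!") else "!" + act

def tau_steps(proc, obs, p, o):
    """Internal moves of the composition p | o, as (p', o') pairs: a tau of
    either component, or a name/co-name synchronisation across the two
    components (rule AR7).  Visible moves do not occur in computations."""
    nxt = []
    for act, p2 in proc.get(p, ()):
        if act == "tau":
            nxt.append((p2, o))
        else:
            nxt.extend((p2, o2) for oact, o2 in obs.get(o, ()) if oact == co(act))
    nxt.extend((p, o2) for oact, o2 in obs.get(o, ()) if oact == "tau")
    return nxt

def reports_success(obs, o):
    """A computation is successful as soon as the observer can perform omega."""
    return any(act == OMEGA for act, _ in obs.get(o, ()))

def may(proc, obs, p, o):
    """P may O: some computation from p | o reaches a successful state."""
    seen, todo = set(), [(p, o)]
    while todo:
        st = todo.pop()
        if st in seen:
            continue
        seen.add(st)
        if reports_success(obs, st[1]):
            return True
        todo.extend(tau_steps(proc, obs, *st))
    return False

def must(proc, obs, p, o):
    """P must O: every maximal computation is successful.  A computation
    escapes success only by halting in a stable unsuccessful state or by
    cycling forever through unsuccessful states, so we search for either,
    cutting the search at successful states (all their extensions succeed)."""
    ACTIVE, DONE = 1, 2
    mark = {}

    def ok(st):
        if reports_success(obs, st[1]):
            return True
        mark[st] = ACTIVE
        nxt = tau_steps(proc, obs, *st)
        if not nxt:
            return False                      # stable and unsuccessful
        for t in nxt:
            if mark.get(t) == ACTIVE:
                return False                  # unsuccessful infinite computation
            if mark.get(t) is None and not ok(t):
                return False
        mark[st] = DONE
        return True

    return ok((p, o))

# Constructed LTSs for a few ACCS terms (state names are arbitrary).
A_ABAR = {"p0": [("a", "p1")], "p1": [("!a", "p2")], "p2": []}        # a.abar
NIL    = {"q0": []}                                                    # 0
ABAR   = {"r0": [("!a", "r1")], "r1": []}                              # abar
CHOICE = {"c0": [("tau", "c1"), ("tau", "c2")], "c1": [("!a", "c3")],
          "c2": [], "c3": []}                                          # tau.abar + tau.0
DIV    = {"d0": [("tau", "d0")]}                                       # rec X. tau.X
# Observers: a.omega, and abar | a.omega (whose own abar may feed its own a)
O_IN   = {"o0": [("a", "o1")], "o1": [(OMEGA, "o2")], "o2": []}
O_ECHO = {"e0": [("!a", "e1"), ("tau", "e2"), ("a", "e4")],
          "e1": [("a", "e2")], "e2": [(OMEGA, "e3")], "e3": [],
          "e4": [("!a", "e2"), (OMEGA, "e3")]}

if __name__ == "__main__":
    for name, proc, start in [("a.abar", A_ABAR, "p0"), ("0", NIL, "q0"),
                              ("abar", ABAR, "r0"), ("tau.abar+tau.0", CHOICE, "c0"),
                              ("rec X.tau.X", DIV, "d0")]:
        for oname, obs, ostart in [("a.omega", O_IN, "o0"), ("abar|a.omega", O_ECHO, "e0")]:
            print(f"{name:16} {oname:13} may={may(proc, obs, start, ostart)!s:5} "
                  f"must={must(proc, obs, start, ostart)}")
```

Running it shows the asymmetry the paper is after: the observer $a.\omega$ separates $\bar a$ from $\mathbf{0}$ under both may and must (an output is observable), while neither observer separates $a.\bar a$ from $\mathbf{0}$, consistent with the equality $a.\bar a = \mathbf{0}$ announced in the introduction; $\tau.\bar a + \tau.\mathbf{0}$ satisfies may but not must, and the divergent process fails both against $a.\omega$.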
3 Alternative Characterizations of Testing Semantics
The adaptation of the testing framework to an asynchronous setting discussed in the previous section is straightforward, but, as in the synchronous case, universal quantification over observers makes it difficult to work with the operational definitions of the two preorders. This calls for alternative characterizations that make it easier to reason about processes. These characterizations will be given in terms of the traces and of the acceptance sets of processes.

3.1 A trace ordering
The following ordering over sequences of actions will be used for defining the alternative characterizations of the testing preorders.
Definition 6. Let $\preceq$ be the least preorder over $L^*$ preserved under trace composition and satisfying the laws in Figure 2.

TO1: $\varepsilon \preceq a$
TO2: $la \preceq al$
TO3: $\varepsilon \preceq a\bar a$
Fig. 2. Trace Ordering Laws
The intuition behind the three laws in Figure 2 is that, whenever a process interacts with its environment by performing a sequence of actions $s$, an interaction is possible also if the process performs any $s' \preceq s$. To put it differently, if the environment offers $s$, then it also offers any $s'$ s.t. $s' \preceq s$. More specifically, law TO1 (deletion) says that process inputs cannot be forced to take place. For example, we have $bc \preceq abc$: if the environment offers the sequence $abc$, then it also offers $bc$, as there can be no causal dependence of $bc$ upon the output $a$. Law TO2 (postponement) says that observations of process inputs can be delayed. For example, we have that $bac \preceq abc$. Indeed, if the environment offers $abc$ then it also offers $bac$. Finally, law TO3 (annihilation) allows the environment to internally consume pairs of complementary actions, e.g. $b \preceq a\bar{a}b$. Indeed, if the environment offers $a\bar{a}b$ it can internally consume $a$ and $\bar{a}$ and offer $b$.
Definition 7. Given $s \in \mathcal{L}^*$, we let $\{\!|s|\!\}$ denote the multiset of actions occurring in $s$, and $\{\!|s|\!\}_i$ (resp. $\{\!|s|\!\}_o$) denote the multiset of input (resp. output) actions in $s$. We let $s \ominus s'$ denote the multiset of input actions $(\{\!|s|\!\}_i \setminus \{\!|s'|\!\}_i) \setminus (\{\!|s|\!\}_o \setminus \{\!|s'|\!\}_o)$, where $\setminus$ denotes difference between multisets. Intuitively, if $s' \preceq s$ then $s \ominus s'$ is the multiset of input actions of $s$ which have actually been deleted (law TO1), and not annihilated (law TO3), in $s'$. For instance, if $s = ab\bar{a}c$ and $s' = b$ then $s \ominus s' = \{\!|c|\!\}$.

Notation. If $M$ is a multiset of actions, we will also write $M$ for $\prod_{l \in M} l$, the parallel composition of all actions in $M$. We shall write "$P \stackrel{M}{\Longrightarrow} P'$" if $P \stackrel{s}{\Longrightarrow} P'$ for some sequentialization $s$ of the actions in $M$. When $M$ is a multiset of input actions, with a slight abuse of notation, we will sometimes denote by $M$ also the trace obtained by arbitrarily ordering the elements of $M$ (remember that we work modulo law TO2). We shall write "$P \stackrel{s}{\Longrightarrow} P'$ $l$-free" if there exists a sequence of transitions $P = P_0 \stackrel{\mu_1}{\longrightarrow} P_1 \stackrel{\mu_2}{\longrightarrow} \cdots \stackrel{\mu_n}{\longrightarrow} P_n = P'$ such that $P_i \stackrel{l}{\not\longrightarrow}$ for $0 \le i \le n$ and $s$ is obtained from $\mu_1 \cdots \mu_n$ by erasing the $\tau$'s. The following is the crucial lemma for the preorder $\preceq$. Its proof relies on Lemma 2 and proceeds by induction on the number of times the laws in Figure 2 are used.
Lemma 8. Let $P$ be a process and $l$ an action and assume $s' \preceq s$. If $P \stackrel{\bar{s}}{\Longrightarrow} P'$ $l$-free then there exists $P''$ such that $P \stackrel{\overline{s'}}{\Longrightarrow} P''$ $l$-free and $P'' \equiv P' \mid \overline{s \ominus s'}$ (footnote 2).

3.2 The may case By relying on the trace ordering $\preceq$, we can now define a new preorder that will be proved to be an alternative characterization of the may preorder $\sqsubseteq_m$.
(2) We remind the reader that $\equiv$ denotes structural congruence.
Definition 9. For processes $P$ and $Q$, we write $P \ll_m Q$ iff whenever $P \stackrel{s}{\Longrightarrow}$ then there exists $s'$ such that $s' \preceq s$ and $Q \stackrel{s'}{\Longrightarrow}$.
The difference with respect to the synchronous case (see, e.g., [10, 13]) is that we require a weaker condition than trace inclusion by taking advantage of a preorder over single traces. We define below a special class of observers.

Definition 10. Let $s \in \mathcal{L}^*$. The observers $t(s)$ are defined inductively as follows: $t(\epsilon) \stackrel{def}{=} \omega$, $t(\bar{a}s') \stackrel{def}{=} a.t(s')$ and $t(as') \stackrel{def}{=} \bar{a} \mid t(s')$.

The following property can be easily proved relying on Lemma 8.

Proposition 11. For every process $P$ and $s \in \mathcal{L}^*$, $P$ may $t(s)$ iff there exists $s' \in L(P)$ such that $s' \preceq s$.

Theorem 12. For all processes $P$ and $Q$, $P \sqsubseteq_m Q$ iff $P \ll_m Q$.
Proof: 'Only if' part. Suppose that $P \sqsubseteq_m Q$ and that $s \in L(P)$. We must show that there exists $s' \in L(Q)$ such that $s' \preceq s$. The hypothesis $s \in L(P)$ implies that $P$ may $t(s)$. Since $P \sqsubseteq_m Q$, we infer that $Q$ may $t(s)$. The thesis follows from Proposition 11. 'If' part. Suppose that $P \ll_m Q$ and that $P$ may $O$ for an observer $O$. Then there exists a successful computation with an initial sequence of transitions $P \mid O \Longrightarrow P' \mid O'$ where $O' \stackrel{\omega}{\longrightarrow}$. This sequence of transitions may be unzipped into two sequences $P \stackrel{s}{\Longrightarrow} P'$ and $O \stackrel{\bar{s}}{\Longrightarrow} O'$. The hypothesis $P \ll_m Q$ implies that there exist $s'$ and $Q'$ such that $s' \preceq s$ and $Q \stackrel{s'}{\Longrightarrow} Q'$. By Lemma 8, there exists an observer $O''$ such that $O \stackrel{\overline{s'}}{\Longrightarrow} O''$ and $O'' \equiv O' \mid \overline{s \ominus s'}$. Now, $O' \stackrel{\omega}{\longrightarrow}$ implies $O'' \stackrel{\omega}{\longrightarrow}$. Hence, the sequence of transitions $Q \mid O \Longrightarrow Q' \mid O''$ can be extended to a successful computation and the thesis is proved. □

By relying on the alternative characterization $\ll_m$ one can easily prove that $\sqsubseteq_m$ is a pre-congruence.
Examples. We show some examples of pairs of processes related by the preorder. All of the relationships can be proven by using the alternative characterization of the preorder $\ll_m$.
- Since $L(P) \subseteq L(Q)$ implies $P \sqsubseteq_m Q$, all of the relationships for the synchronous may preorder do hold in our setting.
- Since $\epsilon \in L(P)$ for each process $P$, from TO1 and TO3 in Figure 2, we get $a \simeq_m 0$ and $a.\bar{a} \simeq_m 0$. In particular, from $a \simeq_m 0$ we get $a \simeq_m b$ and $a.b \simeq_m b.a$, which imply that all processes containing only input actions are equivalent to $0$.
- An interesting law is $a.(\bar{a} \mid b) \simeq_m b$. More generally, we have $a.(\bar{a} \mid G) \sqsubseteq_m G$, where $G$ is an input guarded summation $\sum_{i \in I} a_i.P_i$ (in fact, $a.\bar{a} \simeq_m 0$ is just a consequence of this law). Guardedness of $G$ is essential: $\bar{b} \sqsubseteq_m a.(\bar{a} \mid \bar{b})$ does not hold (consider the observer $b.\omega$).
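The trace ordering of Definition 6 (laws TO1-TO3), the multiset difference $s \ominus s'$ of Definition 7 and the characterization $\ll_m$ of Definition 9 can be checked mechanically on finite languages. The following Python code is an added example, not code from the paper; the token syntax (`~a` for the output $\bar{a}$) and the finite language sets for the processes in the examples above are constructed here.

```python
# Added example (not from the paper): the trace ordering of Definition 6 /
# Figure 2, the multiset difference s (-) s' of Definition 7 and the may
# preorder of Definition 9, run on finite languages. Token syntax is
# constructed here: 'a' is the input a, '~a' is the output a-bar.
from collections import deque


def parse(text):
    """'a b ~a c' -> tuple of (name, is_output) actions."""
    return tuple((tok.lstrip("~"), tok.startswith("~")) for tok in text.split())


def lang(*texts):
    """A finite language L(P), given as a set of parsed traces."""
    return {parse(t) for t in texts}


def one_step_smaller(s):
    """All traces obtained from s by one application of TO1, TO2 or TO3 at
    some position (the preorder is preserved under trace composition, so a
    law may be applied inside any context)."""
    n = len(s)
    for i in range(n):
        name, is_out = s[i]
        if is_out:
            continue  # every law rewrites an input a at position i
        yield s[:i] + s[i + 1:]                         # TO1: eps <= a
        if i + 1 < n:
            yield s[:i] + (s[i + 1], s[i]) + s[i + 2:]  # TO2: l a <= a l
            if s[i + 1] == (name, True):
                yield s[:i] + s[i + 2:]                 # TO3: eps <= a a-bar


def below(s):
    """The set of all s' with s' <= s. It is finite: each law either shortens
    the trace or moves an input strictly to the right, so the search ends."""
    seen, todo = {s}, deque([s])
    while todo:
        for u in one_step_smaller(todo.popleft()):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return seen


def trace_le(s1, s):
    """s1 <= s in the trace ordering of Definition 6."""
    return s1 in below(s)


def minus(s, s1):
    """s (-) s1 of Definition 7, for s1 <= s: the inputs of s that were
    deleted by TO1 and not annihilated by TO3, as a sorted list (multiset)."""
    assert trace_le(s1, s)
    ins = sorted(a for a, o in s if not o)
    for a, o in s1:
        if not o:
            ins.remove(a)
    # an output a-bar present in s but absent from s1 was annihilated
    # together with one input a, so that input was not deleted
    outs = sorted(a for a, o in s if o)
    for a, o in s1:
        if o:
            outs.remove(a)
    for a in outs:
        ins.remove(a)
    return ins


def may_le(lang_p, lang_q):
    """P <<_m Q (Definition 9): every trace of P dominates some trace of Q."""
    return all(any(trace_le(s1, s) for s1 in lang_q) for s in lang_p)


def may_eq(lang_p, lang_q):
    """Kernel of <<_m, i.e. the may equivalence."""
    return may_le(lang_p, lang_q) and may_le(lang_q, lang_p)


# Languages of the processes used in the examples above (constructed):
L_NIL = lang("")                                   # 0
L_A = lang("", "a")                                # a
L_ABAR = lang("", "~a")                            # a-bar
L_A_ABAR = lang("", "a", "a ~a")                   # a.a-bar
L_B = lang("", "b")                                # b
L_A_ABAR_B = lang("", "a", "a ~a", "a b", "a ~a b", "a b ~a")  # a.(a-bar | b)

if __name__ == "__main__":
    print(trace_le(parse("b c"), parse("a b c")))       # True: bc <= abc (TO1)
    print(minus(parse("a b ~a c"), parse("b")))         # ['c']
    print(may_eq(L_A, L_NIL), may_eq(L_A_ABAR_B, L_B))  # True True
    print(may_le(L_ABAR, L_NIL))                        # False: an output cannot be deleted
```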
3.3 The must case

Definition 13.
- Let $P$ be a process and $s \in \mathcal{L}^*$. We write $P \downarrow$, and say that $P$ converges, if and only if there is no infinite sequence of internal transitions $P \stackrel{\tau}{\longrightarrow} P_1 \stackrel{\tau}{\longrightarrow} P_2 \stackrel{\tau}{\longrightarrow} \cdots$ starting from $P$. We write $P \downarrow s$, and say that $P$ converges along $s$, if and only if whenever $s'$ is a prefix of $s$ and $P \stackrel{s'}{\Longrightarrow} P'$ then $P'$ converges. We write $P \uparrow s$, and say that $P$ diverges along $s$, if it is not the case that $P \downarrow s$.
- Let $P$ be a process and $s \in \mathcal{L}^*$. The set of processes $P$ after $s$ is defined by: $P$ after $s \stackrel{def}{=} \{(P' \mid \overline{s \ominus s'}) : s' \preceq s$ and $P \stackrel{s'}{\Longrightarrow} P'\}$.
- Let $X$ be a set of processes and $L \subseteq \overline{\mathcal{N}}$. We write $X$ must $L$ if and only if for each $P \in X$ there exists $a \in L$ s.t. $P \stackrel{a}{\Longrightarrow}$.
In the sequel, given a set of traces $T \subseteq \mathcal{L}^*$, we will let $P \downarrow T$ stand for $P \downarrow s$ for each $s \in T$. Furthermore, we define $\hat{s} \stackrel{def}{=} \{s' : s' \preceq s\}$.

Definition 14. We set $P \ll_M Q$ iff for each $s \in \mathcal{L}^*$ s.t. $P \downarrow \hat{s}$ it holds that:
- $Q \downarrow \hat{s}$, and
- for each $L \subseteq \overline{\mathcal{N}}$: ($P$ after $s$) must $L$ implies ($Q$ after $s$) must $L$.
Note that the above definition is formally similar to that for the synchronous case [10, 13]. The difference lies in the definition of the set $P$ after $s$: the latter can be seen as the set of possible states that $P$ can reach after an interaction triggered by the environment offering $s$. In an asynchronous setting, output actions can be freely performed by the environment, without any involvement of the process under consideration. In the definition of $P$ after $s$, these particular output actions represent the "difference" between the behaviour of the environment, $s$, and the actual behaviour of the process, $s'$, that is, $s \ominus s'$.
Lemma 15. Let $P$ be any process.
1. If $P$ is stable then $In(P) \cap \overline{Out(P)} = \emptyset$.
2. If $P$ is stable then there exist $P'$ and a unique multiset $M \subseteq \overline{\mathcal{N}}$ s.t. $P \equiv P' \mid M$ and $Out(P') = \emptyset$.
3. If $P \stackrel{a}{\Longrightarrow} P'$ then $S(P') \cup \{a\} \subseteq S(P)$.
When $P$ is stable, we will use $O(P)$ to denote the unique multiset $M$ implicitly defined by part 2 of the above lemma.
Theorem 16. If $P \ll_M Q$ then $P \sqsubseteq_M Q$.
Proof: Let $O$ be any observer and suppose that $Q$ must-not $O$: we show that $P$ must-not $O$ as well. We make a case analysis on why $Q$ must-not $O$. All cases can be easily reduced to the case of a finite unsuccessful computation, i.e. a sequence of transitions $Q \mid O \Longrightarrow Q' \mid O'$ such that, for some $s$: $Q \stackrel{s}{\Longrightarrow} Q'$, $O \stackrel{\bar{s}}{\Longrightarrow} O'$ $\omega$-free and $Q' \mid O'$ is stable. Furthermore, we suppose that $P \downarrow \hat{s}$ and $Q \downarrow \hat{s}$. From the fact that $Q' \mid O'$ is stable and from Lemma 15(1), we deduce that: (i) $Out(Q') \cap \overline{In(O')} = \emptyset$, (ii) $In(Q') \cap \overline{Out(O')} = \emptyset$, (iii) $In(O') \cap \overline{Out(O')} = \emptyset$.

We show now how to build an unsuccessful computation for $P \mid O$. Let us define the set of output actions $L \stackrel{def}{=} \overline{In(O')}$ and the multiset of input actions $M \stackrel{def}{=} \overline{O(O')}$ (note that, since $O'$ is stable, this multiset is well defined in virtue of Lemma 15(2)). First, we show that

($Q$ after $sM$) must-not $L$. (1)

Indeed, since $s \preceq sM$ and $Q \stackrel{s}{\Longrightarrow} Q'$, we have that $Q' \mid \overline{M} \in (Q$ after $sM)$; furthermore, we have that $Q' \mid \overline{M} \stackrel{\tau}{\not\longrightarrow}$ (from (ii) and $Q' \stackrel{\tau}{\not\longrightarrow}$), that $Out(Q') \cap L = \emptyset$ (from (i)) and that $\overline{M} \cap L = \emptyset$ (from (iii)). From these facts, it follows that $Out(Q' \mid \overline{M}) \cap L = \emptyset$. This proves (1). Now, from (1) and the definition of $\ll_M$ it follows that ($P$ after $sM$) must-not $L$, which means that there are $P'$ and $s' \preceq sM$ such that:

$P \stackrel{s'}{\Longrightarrow} P'$ and $Out(P' \mid \overline{sM \ominus s'}) \cap L = \emptyset$. (2)

Now, since $O'$ is stable, from Lemma 15(2) it follows that there exists $O''$ such that $O' \equiv O'' \mid \overline{M}$ and $Out(O'') = \emptyset$. Hence $O' \stackrel{\overline{M}}{\Longrightarrow} O''$ and therefore $O \stackrel{\overline{sM}}{\Longrightarrow} O''$ $\omega$-free. Since $s' \preceq sM$, from Lemma 8 it then follows that there is $O_1$ such that $O \stackrel{\overline{s'}}{\Longrightarrow} O_1 \equiv O'' \mid \overline{sM \ominus s'}$ $\omega$-free. Combining these transitions of $O$ with $P \stackrel{s'}{\Longrightarrow} P'$ in (2), we get:

$P \mid O \Longrightarrow P' \mid O_1 \equiv P' \mid O'' \mid \overline{sM \ominus s'}$ $\omega$-free. (3)

To prove that (3) leads to an unsuccessful computation, it suffices to show that $P' \mid O'' \mid \overline{sM \ominus s'} \stackrel{\omega}{\not\Longrightarrow}$. The latter is a consequence of the following three facts:
1. $Out(P' \mid \overline{sM \ominus s'}) \cap \overline{In(O'')} = \emptyset$. This derives from (2) and from $In(O'') \subseteq In(O') = \overline{L}$ (Lemma 15(3) applied to $O' \stackrel{\overline{M}}{\Longrightarrow} O''$);
2. $Out(O'') = \emptyset$;
3. $O'' \stackrel{\omega}{\not\Longrightarrow}$ (Lemma 15(3) applied to $O' \stackrel{\overline{M}}{\Longrightarrow} O''$).
□

For proving the converse of the above theorem, we will use two families of observers: the first can be used to test for convergence along sequences of a given set $\hat{s}$, and the second to test that a given pair $(s, L)$ is an "acceptance" pair.

Definition 17. Let $s \in \mathcal{L}^*$ and $L \subseteq \overline{\mathcal{N}}$. The observers $c(s)$ and $a(s, L)$ are defined by induction on $s$ as follows:
$c(\epsilon) = \tau.\omega$, $a(\epsilon, L) = \sum_{a \in L} \bar{a}.\omega$;
$c(bs') = \bar{b} \mid c(s')$, $a(bs', L) = \bar{b} \mid a(s', L)$;
$c(\bar{b}s') = \tau.\omega + b.c(s')$, $a(\bar{b}s', L) = \tau.\omega + b.a(s', L)$.
Lemma 18. Let $P$ be a process, $s \in \mathcal{L}^*$ and $L \subseteq \overline{\mathcal{N}}$. We have:
1. $P$ must $c(s)$ if and only if $P \downarrow \hat{s}$.
2. Suppose that $P \downarrow \hat{s}$. Then $P$ must $a(s, L)$ if and only if ($P$ after $s$) must $L$.

Proof: An easy application of Lemma 8. □
Theorem 19. $P \sqsubseteq_M Q$ implies $P \ll_M Q$.

Proof: An easy consequence of Lemma 18. □

By relying on $\ll_M$, it is straightforward to show that $\sqsubseteq_M$ is a pre-congruence.
Examples. We give below some meaningful examples of processes that are related (or unrelated) according to the preorder. All the examples are checked relying on the alternative characterization provided by $\ll_M$. In the examples, we shall also refer to the asynchronous bisimilarity $\approx$ (footnote 3) of [2].
- The process $0$ represents the top element for the family of terms built using only input actions: $a + b \sqsubseteq_M a$, but $a \not\sqsubseteq_M a + b$; thus $a + b \sqsubseteq_M 0$, but $0 \not\sqsubseteq_M a + b$.
- Input prefixes can be distributed over summation, i.e. $a.(b + c) \simeq_M a.b + a.c$. This is in sharp contrast with the asynchronous bisimilarity.
- Sequences of inputs can absorb their own prefixes, as in $a.b + a \simeq_M a.b$. This law was also present in [9], but is not valid for asynchronous bisimilarity.
- Like in [2], we have $a.\bar{a} \simeq_M 0$. This is an instance of the more general law $a.(\bar{a} \mid G) + G \simeq_M G$, where $G$ is any guarded summation $\sum_{i \in I} g_i.P_i$. Unlike [2], however, the law does not hold for infinite behaviours: $recX.(a.(\bar{a} \mid X)) \not\simeq_M 0$. This is due to the sensitivity of must to divergence: when put in parallel with $\bar{a}$, $recX.(a.(\bar{a} \mid X))$ diverges, while $0$ does not.
As shown in the examples above, must equivalence and asynchronous bisimilarity are in general incomparable, due to the sensitivity of must to divergence. They are comparable if we consider only strongly convergent processes, i.e. those processes $P$ such that $P \downarrow s$ for each $s$. The crux is given by the following characterization of $\approx$:

Proposition 20. $P \approx Q$ if and only if whenever $P \stackrel{s}{\Longrightarrow} P'$ then there is $s' \preceq s$ s.t. $Q \stackrel{s'}{\Longrightarrow} Q'$ and $P' \approx Q' \mid \overline{s \ominus s'}$, and vice-versa for $Q$ and $P$.

Corollary 21. Let $P$ and $Q$ be strongly convergent processes. Then $P \approx Q$ implies $P \sqsubseteq_M Q$.
(3) We remind the reader that asynchronous bisimilarity $\approx$ is defined as the maximal equivalence relation s.t. whenever $P \approx Q$ and $P \stackrel{\mu}{\longrightarrow} P'$ then: (a) if $\mu = \tau$ then there is $Q'$ such that $Q \Longrightarrow Q'$ and $P' \approx Q'$, (b) if $\mu = \bar{a}$ then there is $Q'$ such that $Q \stackrel{\bar{a}}{\Longrightarrow} Q'$ and $P' \approx Q'$, and (c) if $\mu = a$ then there is $Q'$ such that either (i) $Q \stackrel{a}{\Longrightarrow} Q'$ and $P' \approx Q'$, or (ii) $Q \Longrightarrow Q'$ and $P' \approx Q' \mid \bar{a}$.
4 Basic Observables for Asynchronous Processes Following [5], we introduce a characterization of the asynchronous may and must preorders in terms of the pre-congruence induced by basic observables. The difference with the synchronous case is that here only output actions are important.
Definition 22. A context is a term $C$ with one free occurrence of a process variable, usually denoted by $\cdot$. We write $C[P]$ instead of $C[P/\cdot]$.
The context closure $R^c$ of a given binary relation $R$ over processes is defined as: $P\, R^c\, Q$ iff for each context $C$, $C[P]\, R\, C[Q]$. $R^c$ enjoys two important properties: (a) $(R^c)^c = R^c$, and (b) $R \subseteq R'$ implies $R^c \subseteq R'^c$. In the following, we will write $\not\!R$ for the complement of $R$.
4.1 The may case

Definition 23. Let $P$ be a process and $a \in \overline{\mathcal{N}}$. We define the following observation predicate over processes: $P \Downarrow a$ ($P$ offers $a$) iff $P \stackrel{a}{\Longrightarrow}$. The observation preorder induced by $\Downarrow$ is defined as follows: $P \sqsubseteq_{\Downarrow} Q$ iff for each $a \in \overline{\mathcal{N}}$: $P \Downarrow a$ implies $Q \Downarrow a$.

Of course, the observation preorder is very coarse; a more refined relation can be obtained by closing it under all ACCS contexts. The contextual preorder of $\sqsubseteq_{\Downarrow}$ is just its context closure $\sqsubseteq^c_{\Downarrow}$; the latter is another characterization of $\sqsubseteq_m$.
Theorem 24. For all processes $P$ and $Q$, $P \sqsubseteq_m Q$ iff $P \sqsubseteq^c_{\Downarrow} Q$.

Proof: We use the alternative characterization $\ll_m$ of $\sqsubseteq_m$. 'Only if' part. From the definition, it is easily seen that $\ll_m$ is contained in $\sqsubseteq_{\Downarrow}$ (note that for each $a \in \overline{\mathcal{N}}$, $s \preceq a$ implies $s = a$). From this fact, by closing under contexts and recalling that $\sqsubseteq^c_{\Downarrow}$ is a pre-congruence, the thesis follows. 'If' part. Here, we show that $\sqsubseteq^c_{\Downarrow}$ is contained in $\ll_m$. From this fact and recalling that $\sqsubseteq^c_{\Downarrow}$ is a pre-congruence the thesis will follow. Assume that $P \sqsubseteq^c_{\Downarrow} Q$ and that $s \in L(P)$, for some $s \in \mathcal{L}^*$. We have to show that there exists $s' \in L(Q)$ such that $s' \preceq s$. Now, let $t'(s)$ be the process defined like the observer $t(s)$ in Definition 10, but with a fresh, standard action $\bar{c}$ in place of $\omega$. The following fact, where $R$ is any process in which neither $c$ nor $\bar{c}$ occur, is straightforward to prove by relying on Lemma 8: $(t'(s) \mid R) \Downarrow \bar{c}$ iff there exists $s' \in L(R)$ such that $s' \preceq s$. The thesis is an immediate consequence of this fact. □
4.2 The must case We introduce below the guarantee predicate, $P \rhd l$; informally, this predicate checks whether $P$ will always be able to offer a communication on $l$; however, differently from [5], we here only consider output actions.
Definition 25. Let $P$ be a process and $a \in \overline{\mathcal{N}}$. We write $P \rhd a$ ($P$ guarantees $a$) if and only if whenever $P \Longrightarrow P'$ then $P' \stackrel{a}{\Longrightarrow}$. The observation preorder induced by $\downarrow$ and $\rhd$ is defined as: $P \sqsubseteq_{\downarrow\rhd} Q$ if and only if for each $a$: ($P \downarrow$ and $P \rhd a$) implies ($Q \downarrow$ and $Q \rhd a$).

Theorem 26. $P \sqsubseteq_M Q$ if and only if $P \sqsubseteq^c_{\downarrow\rhd} Q$.

Proof: We use the characterization of the must preorder in terms of $\ll_M$. 'If' part. First, note that $P \rhd a$ if and only if ($P$ after $\epsilon$) must $\{a\}$. Hence, by definition, $\ll_M$ is included in $\sqsubseteq_{\downarrow\rhd}$. The thesis then follows by closing under contexts and recalling that $\sqsubseteq_M$ is a pre-congruence. 'Only if' part. Fix any $s$ and $L$ and suppose that $P \downarrow \hat{s}$ and ($P$ after $s$) must $L$. We have to show that $Q \downarrow \hat{s}$ and ($Q$ after $s$) must $L$.
Now, let $c'(s)$ and $a'(s, L)$ be the observers defined like in Definition 17, but with a fresh, standard action $\bar{c}$ in place of $\omega$. The following two facts, where $R$ is any process in which neither $c$ nor $\bar{c}$ occur, are straightforward to prove relying on Lemma 8:
- $R \downarrow \hat{s}$ if and only if $R \mid c'(s) \downarrow$.
- Suppose that $R \downarrow \hat{s}$. Then $R \mid a'(s, L) \downarrow$ and furthermore ($R$ after $s$) must $L$ if and only if $R \mid a'(s, L) \rhd \bar{c}$.
Then $Q \downarrow \hat{s}$ and ($Q$ after $s$) must $L$ follow from the definition of $\sqsubseteq^c_{\downarrow\rhd}$ and from the above two facts. □
5 Dealing with Richer Languages In this section we discuss the extensions of our theory to the asynchronous variant of the $\pi$-calculus [15, 6, 12, 2] and to a version of the asynchronous CCS of Section 2 with possibly non-injective relabelling.
5.1 $\pi$-calculus For the sake of simplicity, we confine ourselves to the may preorder. The must preorder requires a more complex notational machinery but also leads to results similar to those for ACCS. A countable set $\mathcal{N}$ of names is ranged over by $a, b, \ldots$. Processes are ranged over by $P$, $Q$ and $R$. The syntax of the asynchronous $\pi$-calculus contains the operators for output action, input-guarded summation, restriction, parallel composition, matching and replication:
$P ::= \bar{a}b \;\mid\; \sum_{i \in I} a_i(b).P_i \;\mid\; \nu a\,P \;\mid\; P_1 \mid P_2 \;\mid\; [a = b]P \;\mid\; !P$
Free names and bound names of a process $P$, written $fn(P)$ and $bn(P)$ respectively, arise as expected; the names of $P$, written $n(P)$, are $fn(P) \cup bn(P)$. Due to lack of space, we omit the definition of the operational semantics (see, e.g., [2]). Recall that transition labels (actions), ranged over by $\mu$, can be of four forms: $\tau$ (interaction), $ab$ (input), $\bar{a}b$ (output) or $\bar{a}(b)$ (bound output). Functions $bn(\cdot)$, $fn(\cdot)$ and $n(\cdot)$ are extended to actions as expected: in particular, $bn(\mu) = \{b\}$ if $\mu = \bar{a}(b)$ and $bn(\mu) = \emptyset$ otherwise. In the sequel, we will write $P \stackrel{a(b)}{\longrightarrow} P'$ if $P \stackrel{ab}{\longrightarrow} P'$ and $b \notin fn(P)$. The new kind of action $a(b)$ is called bound input; we extend $bn(\cdot)$ to bound inputs by letting $bn(a(b)) = \{b\}$. Below, we shall use $\mathcal{L}$ to denote the set of all visible $\pi$-calculus actions, including bound inputs, and let $\alpha$ range over it. Given a trace $s \in \mathcal{L}^*$, we say that $s$ is normal if, whenever $s = s'.\alpha.s''$ (the dot $.$ stands for trace composition), for some $s'$, $\alpha$ and $s''$, then $bn(\alpha)$ does not occur in $s'$ and $bn(\alpha)$ is different from any other bound name occurring in $s'$ and $s''$. The set of normal traces over $\mathcal{L}$ is denoted by $T$ and ranged over by $s$. From now on, we shall work with normal traces only. Functions $bn(\cdot)$ and $fn(\cdot)$ are extended to $T$ as expected. A complementation function on $T$ is defined by setting $\overline{ab} \stackrel{def}{=} \bar{a}b$, $\overline{\bar{a}b} \stackrel{def}{=} ab$, $\overline{\bar{a}(b)} \stackrel{def}{=} a(b)$ and $\overline{a(b)} \stackrel{def}{=} \bar{a}(b)$; please notice that $\bar{\bar{s}} = s$.
P1: $\epsilon \preceq \alpha$ if $\alpha$ is an input action
P2: $s.\alpha \preceq \alpha.s$ if $\alpha$ is an input action and $bn(\alpha) \cap bn(s) = \emptyset$
P3: $\epsilon \preceq \alpha.\bar{a}b$ if $\alpha = ab$ or $\alpha = a(b)$
P4: $\bar{a}c.(s\{c/b\}) \preceq \bar{a}(b).s$

Fig. 3. Rules for the preorder $\preceq$ over $T$

The definition of $\ll_m$ remains formally unchanged, but the relation $\preceq$ is now the least preorder over $T$ closed under composition and generated by the rules in Figure 3. Rules P1, P2, P3 are the natural extensions to the asynchronous $\pi$-calculus of the rules for ACCS. Here, some extra attention has to be paid to bound names: in the environment, an output declaring a new name (bound output) cannot be postponed after those actions which use the new name (side condition of P2). For an example, consider the actions $\bar{a}(b)$ and $b(c)$ of $\nu b\,(\bar{a}b \mid b(c).P)$. Rule P4 is specific to the $\pi$-calculus; it is due to the impossibility for observers to fully discriminate between free and bound outputs. Informally, rule P4 states that if $\bar{a}(b).s$ is "acceptable" for an observer (i.e. leads to success), then $\bar{a}c.(s\{c/b\})$ would be acceptable as well. Rule P4 would not hold if we extended the language with the mismatching operator $[a \neq b]P$, considered e.g. in [4]. It is worthwhile to note that ruling out matching from the language would not change the discriminating power of observers. The effect of the test $[a = b]O$ can be simulated by the parallel composition $\bar{a} \mid b.O$.
5.2 ACCS with General Relabelling
A consequence of the presence of non-injective relabelling functions is that observers and contexts become more discriminating. For instance, they lead to $a.\bar{a} \not\sqsubseteq_M 0$ and $a.\bar{a} \not\sqsubseteq_m 0$. These can be proved by considering the observer $(\bar{b} \mid a.\omega)\{a/b\}$. We also have $0 \not\sqsubseteq_M a.\bar{a}$, that can be proved by considering the observer $(\bar{b} \mid (\tau.\omega + a))\{a/b\}$. Therefore, the general laws $a.(\bar{a} \mid G_1) \simeq_m G_1$, where $G_1 = \sum_{i \in I} a_i.P_i$, and $a.(\bar{a} \mid G_2) + G_2 \simeq_M G_2$, where $G_2 = \sum_{i \in I} g_i.P_i$, are not sound anymore. By means of general relabelling, observers are able to distinguish between the messages they emit and those emitted by the observed processes. The trace preorder $\preceq$ is now defined as the least preorder over $\mathcal{L}^*$ closed under trace composition and satisfying the laws TO1 and TO2 in Figure 2. Notice that if $s' \preceq s$ then $\{\!|s|\!\}_o = \{\!|s'|\!\}_o$, therefore now we have $s \ominus s' = \{\!|s|\!\}_i \setminus \{\!|s'|\!\}_i$. The definition of $\ll_m$ remains formally unchanged. Let us now consider the must preorder. In the following we shall write $s' \preceq_0 s$ iff $s' \preceq s$ and $\{\!|s'|\!\} = \{\!|s|\!\}$, and for $M$ a finite multiset of $\mathcal{L}$ and $L \subseteq \mathcal{L}$ we shall write $M \setminus L$ for the multiset $\{\!|\, l \in M \mid l \notin L \,|\!\}$. The alternative characterization of the $\sqsubseteq_M$ preorder is now the following.
Definition 27. We set $P \ll_M Q$ iff for each $s \in \mathcal{L}^*$ s.t. $P \downarrow \hat{s}$ it holds that:
a) $Q \downarrow \hat{s}$, and
b) for each $s' \in \hat{s}$, for each $L \subseteq \overline{\mathcal{N}}$: ($P$ after $s'(s \ominus s')$) must $L$ implies ($Q$ after $s'(s \ominus s')$) must $L$,
where for any process $R$, $s \in \mathcal{L}^*$ and $M$ multiset of $\mathcal{N}$, we define $R$ after $sM$ as $\{P' : R \stackrel{s'}{\Longrightarrow} P',\; s' \preceq sM,\; s' \preceq_0 s(s' \ominus s),\; In(P') \cap (M \setminus (s' \ominus s)) = \emptyset\}$.
6 Conclusions We have examined the impact of the testing framework as proposed in [10, 13] on asynchronous CCS. In particular, we have given three equivalent characterizations of asynchronous testing observational semantics. The first one is given in terms of observers and successful computations, the second relies on sets of traces and acceptances, the third one is defined in terms of basic observables and context closures. We have discussed generalizations of the results to the asynchronous $\pi$-calculus and to ACCS with non-injective relabelling. The above mentioned characterizations provide a good starting point for understanding asynchronous semantics and for relating testing semantics to other approaches. The picture would have been more complete with an equational characterization of our semantics; this will be the topic of a forthcoming paper.
Acknowledgments. Three anonymous referees provided valuable suggestions. We are grateful to the Dipartimento di Scienze dell'Informazione of Università di Roma "La Sapienza" and to the Istituto di Elaborazione dell'Informazione in Pisa for making our collaboration possible.
References
1. G. Agha. Actors: a model of concurrent computation in Distributed Systems. MIT Press, Boston, 1986.
2. R.M. Amadio, I. Castellani, D. Sangiorgi. On Bisimulations for the Asynchronous $\pi$-calculus. CONCUR'96, LNCS 1119, pp. 147-162, Springer, 1996.
3. J. Bergstra, J.W. Klop. Process Algebra for Synchronous Communication. Information and Control, 60:109-137, 1984.
4. M. Boreale, R. De Nicola. Testing Equivalence for Mobile Systems. Information and Computation, 120:279-303, 1995.
5. M. Boreale, R. De Nicola, R. Pugliese. Basic Observables for Processes. ICALP'97, LNCS 1256, pp. 482-492, Springer, 1997.
6. G. Boudol. Asynchrony in the $\pi$-calculus (note). Rapport de Recherche 1702, INRIA Sophia-Antipolis, 1992.
7. S.D. Brookes, C.A.R. Hoare, A.W. Roscoe. A theory of communicating sequential processes. Journal of the ACM, 31(3):560-599, 1984.
8. N. Busi, R. Gorrieri, G-L. Zavattaro. A process algebraic view of Linda coordination primitives. Technical Report UBLCS-97-05, University of Bologna, 1997.
9. F.S. de Boer, J.W. Klop, C. Palamidessi. Asynchronous Communication in Process Algebra. LICS'92, IEEE Computer Society Press, pp. 137-147, 1992.
10. R. De Nicola, M.C.B. Hennessy. Testing Equivalence for Processes. Theoretical Computer Science, 34:83-133, 1984.
11. R. De Nicola, R. Pugliese. A Process Algebra based on Linda. COORDINATION'96, LNCS 1061, pp. 160-178, Springer, 1996.
12. M. Hansen, H. Huttel, J. Kleist. Bisimulations for Asynchronous Mobile Processes. In Proc. of the Tblisi Symposium on Language, Logic, and Computation, 1995.
13. M.C.B. Hennessy. Algebraic Theory of Processes. The MIT Press, 1988.
14. C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall Int., 1985.
15. K. Honda, M. Tokoro. An Object Calculus for Asynchronous Communication. ECOOP'91, LNCS 512, pp. 133-147, Springer, 1991.
16. H. Jifeng, M.B. Josephs, C.A.R. Hoare. A Theory of Synchrony and Asynchrony. Proc. of the IFIP Working Conf. on Programming Concepts and Methods, pp. 446-465, 1990.
17. N.A. Lynch, M.R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In 6th ACM Symposium on Principles of Distributed Computing, pp. 137-151, 1987.
18. R. Milner. Communication and Concurrency. Prentice Hall International, 1989.
19. R. Milner. The Polyadic $\pi$-calculus: A Tutorial. Technical Report, University of Edinburgh, 1991.
20. R. Milner, J. Parrow, D. Walker. A calculus of mobile processes, (Part I and II). Information and Computation, 100:1-77, 1992.
21. R. Pugliese. A Process Calculus with Asynchronous Communications. 5th Italian Conference on Theoretical Computer Science, (A. De Santis, ed.), pp. 295-310, World Scientific, 1996.
22. J. Tretmans. A formal approach to conformance testing. Ph.D. Thesis, University of Twente, 1992.
Minor searching, normal forms of graph relabelling : two applications based on enumerations by graph relabelling? Anne Bottreau and Yves Métivier?? LaBRI, Université Bordeaux I, ENSERB 351 cours de la Libération 33405 Talence cedex FRANCE {bottreau,metivier}@labri.u-bordeaux.fr, fax:(+33) 05 56 84 66 69
Abstract:
This paper deals with graph relabelling introduced in [LMS95]. Our first result concerns the open problem of searching a graph as a minor in a graph with a distinguished vertex, by means of graph relabellings. We give and prove a graph rewriting system which answers this problem. Secondly we define and study normal forms of graph relabellings. We prove that any graph rewriting system can be simulated by a system in k-normal form (with an integer k depending on the original system). Proofs for both results are linked by the enumeration systems they use.
Key-words: Local computations, graph relabelling, enumerations, paths, minor, normal form of graph rewritings.
Introduction Graph rewriting systems have been introduced in [LMS95] as a suitable tool for expressing distributed algorithms on a network of communicating processors. In that model a network is considered as a labelled graph whose vertices stand for processors and edges stand for communication links. Vertex labels hold for the states of processors and edge labels for the states of communication links. A computation in a network then corresponds to a sequence of label transformations leading to a final labelled graph. A computation step on a labelled graph consists in relabelling a connected subgraph, using a graph rewriting rule. Given a vertex in the graph, the computation of its new state depends on its current state and on the states of its neighbours. In that way graph rewritings are an example of local computations. Among models related to our model there are the local computations defined by Rosensthiel et al. [RFH72], Angluin [Ang80], and more recently by Yamashita and Kameda [YK96a,YK96b]. In [RFH72] a synchronous model is considered, where vertices represent identical deterministic finite automata. The basic computation step is to compute the next state of each processor according to its state and the states of its neighbours. In [Ang80] an asynchronous model is considered. A computation step means that two adjacent vertices exchange their labels and then compute new ones. In [YK96a,YK96b] an asynchronous model is studied where a basic computation step means that a processor either changes its state and then sends a message, or receives a message. Our model is an asynchronous model too. Limitations of our formalism have been discussed in [LMZ95] and [BM96]. Some graph properties have been proved to be unrecognizable by local computations. On the other side, the power of graph rewriting has been studied in [LM93,LMS95]. It has more particularly concerned the definition of different classes of graph rewriting systems.
Moreover the authors dealt with graphs with a distinguished vertex (also called 1-graphs in [Cou90]), showing that graph rewritings were powerful on this kind of graph. In [CM94], it has been proved that we cannot decide whether or not a fixed graph is included as a minor in a given graph by means of local computations. This problem remained open for 1-graphs. In this paper we prove that searching a minor can be done by graph rewritings on 1-graphs (Theorem 1): given a graph H, there is a graph rewriting system with priority which verifies if H is a minor of G where G is a 1-graph. We describe a system with a finite number of rules and labels depending on H. The number of rules is given by a polynomial function of the number of edges and the number of vertices of H, whereas the number of labels is given by an exponential function in the number of vertices of H. Given a positive integer k we define that a rewriting system is in k-normal form if each rule only rewrites a path of length bounded by k - 1. In this paper we prove that graph rewriting systems with priority can be normalized in k-normal form, for a convenient integer k depending on the original system. From any graph rewriting system R we use systems of enumeration so as to obtain a graph rewriting system with priority in k-normal form which has the same behaviour as R (Theorem 2). The paper is organized as follows. The first section reviews the definitions related to graph rewriting. In the second part we present systems of enumeration (m-enumeration and enumeration of simple paths). The third part is devoted to the subgraph and minor searchings. Finally, in Section 4, we present the notion of k-normal form and we explain our method for the normalization of graph rewriting systems.

* This work has been supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation) through the University of Bordeaux.
** Member of the Institut universitaire de France.
1 Graph rewriting All graphs considered in this paper are finite, undirected and simple (i.e. without multiple edges and self-loops). A graph $G$ denoted $(V(G), E(G))$ is defined by a finite vertex-set and a finite edge-set. An edge with end-points $v$ and $v'$ is denoted $\{v, v'\}$. If $v$ is a vertex of a graph $G$, the degree of $v$ is denoted $deg_G(v)$ and the neighbourhood of $v$ in $G$ is denoted $N_G(v)$. The subscript $G$ is omitted when there is no ambiguity.
1.1 Labelled graphs Our work deals with labelled graphs over an alphabet usually denoted $L$. A labelled graph over $L$ is a couple $(G, \lambda)$ where $G$ is a connected graph, and $\lambda$ is a mapping of $V(G) \cup E(G)$ in $L$. This function is called the labelling function of the graph. Two labelled graphs are isomorphic if the underlying graphs are isomorphic and if the labellings are preserved. An injection $\varphi$ of $V(G)$ in $V(G')$ is an occurrence of $(G, \lambda)$ in $(G', \lambda')$ if, for any vertices $x$ and $y$ of $V(G)$:

$\{x, y\} \in E(G) \Longrightarrow \{\varphi(x), \varphi(y)\} \in E(G')$,
$\lambda(x) = \lambda'(\varphi(x))$, $\lambda(\{x, y\}) = \lambda'(\{\varphi(x), \varphi(y)\})$.

The graph $(\varphi(G), \lambda')$ having $\varphi(V(G))$ as vertex-set and $\{\{\varphi(x), \varphi(y)\} / \{x, y\} \in E(G)\}$ as edge-set is a subgraph of $(G', \lambda')$. If the graph $(\varphi(G), \lambda')$ is an induced subgraph of $(G', \lambda')$, $\varphi$ is an induced occurrence of $(G, \lambda)$ in $(G', \lambda')$. Let $\varphi$ be an occurrence of $(G, \lambda)$ in $(H, \eta)$ and $\varphi'$ an occurrence of $(G', \lambda')$ in $(H, \eta)$; $\varphi$ and $\varphi'$ are disjoint if the corresponding subgraphs are disjoint, which is denoted $\varphi \cap \varphi' = \emptyset$.
1.2 Graph rewriting system A rewriting rule $r$ is a couple $\{(G_r, \lambda_r), (G_r, \lambda'_r)\}$ of two connected labelled graphs having the same underlying graph. Formally we define such a rule as a triplet:
Definition 1 A graph rewriting rule $r$ is a triplet $(G_r, \lambda_r, \lambda'_r)$ where $G_r$ is a connected graph, $\lambda_r$ the initial labelling function and $\lambda'_r$ the final labelling function.
A rewriting rule $r$ is applicable to a labelled graph $(G, \lambda)$ if there exists an occurrence $(G_1, l_1)$ of $(G_r, \lambda_r)$ in $(G, \lambda)$. This will be denoted by $(G, \lambda) \stackrel{r}{\longrightarrow} (G, \lambda')$ with $\lambda'$ equal to $\lambda$ except on $G_1$ where it is equal to $\lambda'_r$.
Definition 2 A graph rewriting system $R$ (GRS for short) is a triplet $R = (L, I, P)$ where $L = L_v \cup L_e$ is a set of labels, $I = I_v \cup I_e$ is the set of initial labels ($I_v \subseteq L_v$ and $I_e \subseteq L_e$), and $P$ the set of graph rewriting rules.

If a rule $r$ of a graph rewriting system $R$ can be applied to a labelled graph $(G, \lambda)$, then we write $(G, \lambda) \stackrel{R}{\longrightarrow} (G, \lambda')$ where $\lambda'$ is equal to $\lambda$ except on the rewritten part of the graph. Consider a GRS $R = (L, I, P)$ and a labelled graph $(G, \lambda_0)$ where $\lambda_0$ is a labelling function over $I$.
Definition 3 A rewriting sequence of length $n$, coming from $(G, \lambda_0)$ by means of $R$, is defined as the sequence of labelled graphs $(G, \lambda_i)_{0 \le i \le n}$ where $\forall i,\ i < n$, $(G, \lambda_i) \stackrel{R}{\longrightarrow} (G, \lambda_{i+1})$.
Our notion of rewriting sequence corresponds to a notion of sequential computation. A distributed way of computing is obtained by saying that two consecutive relabelling steps concerning non-overlapping occurrences may be applied in either order, and hence concurrently. A relabelling sequence may then be regarded as a serialization [Maz87] of some distributed computation. This model is clearly asynchronous: several relabelling steps may be done at the same time, but we do not demand that all of them be done.
Definition 4 Given a rewriting sequence G_0, …, G_n and an element x of V(G) ∪ E(G), the history of x linked to this rewriting sequence is the word h_n(x) obtained by concatenating the labels of x in G_{i_0}, G_{i_1}, …, G_{i_j}, where i_0 = 0 < i_1 < … < i_j ≤ n and, for every k in {1, …, n}, k is one of the indices i_1, …, i_j if and only if x belongs to the occurrence rewritten in the step from G_{k−1} to G_k.

Given a graph rewriting system R, the reflexive and transitive closure of →_R is denoted →_R^*.
Definition 5 An irreducible graph with respect to a GRS R is a labelled graph to which no rule of R is applicable.

Given a labelled graph G whose labelling takes its values in I, we denote by Irred_R(G) the set of irreducible graphs coming from G, that is, the set of labelled graphs G′ such that G →_R^* G′ and G′ is irreducible with respect to R.
Definition 6 A GRS R = (L, I, P) is called noetherian if there is no infinite rewriting sequence coming from a graph labelled over I.
A graph rewriting system whose set of rules is given with a partial order is called a graph rewriting system with priority (PGRS for short). The partial order defined on the set of rules is denoted <, and the applicability of the rules of such a system is defined as follows. Let R be a PGRS, r a rule of this system and G a labelled graph. The rule r is applicable to an occurrence of its left-hand side (G_r with the initial labelling of r) in G if no occurrence in G of the left-hand side of a rule r′ > r overlaps that occurrence.
Example 1 Consider the following PGRS with two rules R1 and R2, with R1 > R2.

[Figure: the rules R1 and R2 drawn as labelled graph rewritings; the vertex and edge labels they use are A, N, M and F.]

The order defined on the set of rules has the following meaning: the rule R2 is applicable to an occurrence if and only if there is no occurrence for R1 overlapping it. This system labels vertices and edges so as to form a spanning tree.
A graph rewriting rule with forbidden contexts is a pair (r, H_r) where r is a rewriting rule (G_r with its initial and final labellings) and H_r is a finite family, indexed by i ∈ I, of pairs made of a labelled graph G_i (called a forbidden context) and an occurrence of the left-hand side of r in G_i. The forbidden contexts of such a rule are used as follows. Let (r, H_r) be a graph rewriting rule with forbidden contexts and consider an occurrence of the left-hand side of r in a graph G. The rule (r, H_r) is applicable to this occurrence if there is no i and no occurrence of G_i in G whose composition with the occurrence of the left-hand side of r in G_i equals the given occurrence. Such rules define graph rewriting systems with forbidden contexts (FCGRS for short).
2 Some enumeration problems solved by graph rewriting systems

Several graph rewriting systems exist for the computation of a spanning tree of a labelled graph with a distinguished vertex. Such a computation is done by labelling: a set of edges is labelled so that it forms a spanning tree of the graph whose root is the distinguished vertex. Given such a labelled graph, there exists a graph rewriting system with priority which allows depth-first traversals of the tree; such a PGRS has been introduced in [LMS95]. In this section we recall a well-known PGRS for the enumeration of m-tuples of vertices and we introduce a new PGRS for the enumeration of simple paths. These graph rewriting systems use a PGRS for the computation of a spanning tree, which we call R_span, and a PGRS for the traversal of a tree, which we call R_trav.
2.1 m-enumeration

In [LMS95], it was proved that enumerating all the m-tuples of vertices of a labelled graph can be done by means of a graph rewriting system. Without going into further details, we recall how this system runs. We consider labelled graphs with a distinguished vertex. First, R_span is used on such a labelled graph in order to obtain a spanning tree (by labelling). The enumeration uses m traversals of the spanning tree in order to obtain an m-tuple (x_1, x_2, …, x_m). Then, given an m-tuple (x_1, x_2, …, x_m), a new traversal is started so as to obtain a new m-tuple (x_1, x_2, …, y) with y ≠ x_m. This process is repeated until no vertex y can be found for this last position. Then new traversals are started by changing the two last vertices of the m-tuple, and so on, until there is no vertex left to be the first vertex of an m-tuple. Thus this graph rewriting system is based on the system R_trav. The labels of the enumeration system are made up of three components:
- a label issued from the traversal system;
- a label of the set {Search, Return, Reset, Stop} with the following meaning: Search, a vertex is searched; Return, a vertex has been found; Reset, the current m-tuple is modified; Stop, the enumeration is done;
- an m-tuple of labels such that the label in position i gives information about the position of the vertex in the current m-tuple. There are three different values: 0, the vertex is not the i-th vertex of the current m-tuple; 1, the vertex is the i-th vertex of the current m-tuple; 1̄, the vertex was the i-th vertex of all the m-tuples having the same first i − 1 components.
The system has a finite number of rules (#rules_enum = O(m)) and a finite number of labels (#labels_enum = O(m·2^m)).

2.2 Enumeration of simple paths

In a connected labelled graph, we consider the simple paths going from a source vertex to a target vertex. Our aim is to enumerate all these simple paths by means of graph rewritings. To this end, we encode a graph rewriting system which labels these paths one by one. Each path is encoded by labels on its vertices and edges. We consider that the source vertex is labelled Search and the target vertex is labelled Ending.
Description

We work on a connected labelled graph G. We denote by I the Search-labelled vertex of G and by J the Ending-labelled vertex. At the beginning, no edge is labelled. We start on I and mark a simple path from I to J by labelling the edges and the vertices used in the path (the labels are EIJ and VIJ). Once we have a path, backtracking is used in order to change the last edge and to look for a new path: we keep the same prefix of the path and only change the last edge. We go on until all the possibilities from the vertex I have been tried. Let us now describe a graph rewriting system encoding this algorithm. Let Y ∈ {Ending, ε}, where ε designates the empty word, that is to say no label.

Graph rewriting system with priority R_enum,P(I, J)

Each rule below is written as left-hand side ⟶ right-hand side, with vertex labels in brackets, the edge label between the two vertices, and the priority in parentheses (a higher number means a higher priority). The first rule allows the traversal to go on: we label the vertex and the edge which we put in the path we are building.
RE1 (1): [Search] -ε- [ε] ⟶ [VIJ] -EIJ- [Search]
If we reach the Ending-labelled vertex, then we have found a simple path coming from I:

RE2 (1): [Search] -ε- [Ending] ⟶ [VIJ] -EIJ- [Found]
As we have a simple path, we use backtracking in order to search for another path. We label this edge with Ē_IJ so that it is not used again in a new path with the same prefix.

RE3 (1): [VIJ] -EIJ- [Found] ⟶ [Search] -Ē_IJ- [Ending]
If there is no unlabelled edge incident to the Search-labelled vertex, then there are no more paths with this prefix. We have to change this prefix:

RE4 (0): [Search] ⟶ [Clean]
We erase the labels Ē_IJ from the edges incident to the Clean-labelled vertex:

RE5 (2): [Clean] -Ē_IJ- [Y] ⟶ [Clean] -ε- [Y]
When the cleaning is done, we start a backtrack:

RE6 (1): [Clean] ⟶ [Back]
We go back from the vertex labelled Back (the edge labelled EIJ and incident to the Back-labelled vertex changes its label, so that it is not used again with the same prefix). Then we start a new search for a path:

RE7 (1): [VIJ] -EIJ- [Back] ⟶ [Search] -Ē_IJ- [ε]
When we can no longer backtrack, the enumeration is done:

RE8 (0): [Back] ⟶ [End]
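The eight rules above, run under the priority semantics of Section 1.2, are enough to enumerate the simple paths of a small graph. The following Python program is an added example and not part of the paper: it transcribes RE1 to RE8 with their priorities, implements a rewriting step as "take an occurrence that no overlapping occurrence of a higher-priority rule blocks", runs the system until the graph is irreducible, and records each path found by reading it off the EIJ-labelled edges. The demo graph, the label name EBAR (for the barred E_IJ) and the class and function names are assumptions of the example.

```python
"""Sequential simulation of the simple-path enumeration PGRS R_enum,P.

Added example, not the paper's own code.  Rules RE1..RE8 and their priorities
are transcribed from Section 2.2; a rewriting step follows the PGRS semantics
of Section 1.2.  The demo graph is constructed for this example and the label
name EBAR stands for the paper's barred E_IJ.
"""
from collections import defaultdict

EPS = ""            # the empty word: "no label"
EBAR = "E_IJ_bar"   # the label written with a bar over E_IJ in the paper

# (name, priority, left-hand side, right-hand side).  A vertex rule has a
# one-element side (vertex label); an edge rule has (label of u, edge label,
# label of v) and matches the ordered occurrence u -e- v.  "Y" is the set
# {Ending, EPS} of rule RE5 and is left unchanged by the rewriting.
RULES = [
    ("RE1", 1, ("Search", EPS, EPS),      ("VIJ", "EIJ", "Search")),
    ("RE2", 1, ("Search", EPS, "Ending"), ("VIJ", "EIJ", "Found")),
    ("RE3", 1, ("VIJ", "EIJ", "Found"),   ("Search", EBAR, "Ending")),
    ("RE4", 0, ("Search",),               ("Clean",)),
    ("RE5", 2, ("Clean", EBAR, "Y"),      ("Clean", EPS, "Y")),
    ("RE6", 1, ("Clean",),                ("Back",)),
    ("RE7", 1, ("VIJ", "EIJ", "Back"),    ("Search", EBAR, EPS)),
    ("RE8", 0, ("Back",),                 ("End",)),
]


class PathEnumerationPGRS:
    def __init__(self, edges, source, target):
        self.adj = defaultdict(list)        # lists, so that the run is deterministic
        self.elab = {}                      # edge labels, keyed by frozenset({u, v})
        for u, v in edges:
            self.adj[u].append(v)
            self.adj[v].append(u)
            self.elab[frozenset((u, v))] = EPS
        self.vlab = {v: EPS for v in self.adj}   # vertex labels
        self.vlab[source], self.vlab[target] = "Search", "Ending"
        self.source, self.found = source, []

    def occurrences(self, rule):
        """All occurrences of the left-hand side of `rule` in the current graph."""
        lhs = rule[2]
        if len(lhs) == 1:
            return [(v,) for v, lab in self.vlab.items() if lab == lhs[0]]
        lu, le, lv = lhs
        occ = []
        for u in self.adj:
            if self.vlab[u] != lu:
                continue
            for v in self.adj[u]:
                e = frozenset((u, v))
                v_ok = self.vlab[v] in ("Ending", EPS) if lv == "Y" else self.vlab[v] == lv
                if self.elab[e] == le and v_ok:
                    occ.append((u, e, v))
        return occ

    def applicable(self):
        """First (rule, occurrence) not blocked by an overlapping occurrence of a
        rule of strictly higher priority; overlap = a shared vertex or edge."""
        all_occ = [(r, o) for r in RULES for o in self.occurrences(r)]
        for r, o in all_occ:
            if not any(r2[1] > r[1] and set(o) & set(o2) for r2, o2 in all_occ):
                return r, o
        return None

    def apply(self, rule, occ):
        name, rhs = rule[0], rule[3]
        if len(occ) == 1:
            self.vlab[occ[0]] = rhs[0]
        else:
            u, e, v = occ
            self.vlab[u], self.elab[e] = rhs[0], rhs[1]
            if rhs[2] != "Y":
                self.vlab[v] = rhs[2]
        if name == "RE2":                   # a simple path from I to J is complete
            self.found.append(self.current_path())

    def current_path(self):
        """The EIJ-labelled edges form a simple path from the source to the
        unique active vertex (Invariant 2 of the paper); walk along it."""
        path, prev = [self.source], None
        while True:
            nxt = [w for w in self.adj[path[-1]]
                   if w != prev and self.elab[frozenset((path[-1], w))] == "EIJ"]
            if not nxt:
                return tuple(path)
            prev = path[-1]
            path.append(nxt[0])

    def run(self):
        """Rewrite until the graph is irreducible; return the enumerated paths."""
        while True:
            step = self.applicable()
            if step is None:
                return self.found
            self.apply(*step)


# Constructed demo graph: source I and target J joined by overlapping routes.
DEMO_EDGES = [("I", "a"), ("I", "b"), ("a", "b"), ("a", "J"),
              ("b", "J"), ("b", "c"), ("c", "J")]


def demo():
    """Run the system on the demo graph; return (paths, vertex labels, edge labels)."""
    system = PathEnumerationPGRS(DEMO_EDGES, "I", "J")
    paths = system.run()
    return paths, system.vlab, system.elab
```

On the demo graph the run finds the six simple paths from I to J exactly once each, and the final labelling is the one Proposition 1 describes: I carries End, J still carries Ending, and every other vertex and every edge is unlabelled. The priority test is what makes RE4 fire only when no RE1 or RE2 occurrence is left at the Search vertex, and RE6 only once RE5 has erased every barred edge at the Clean vertex.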
Invariants and properties

Let G be a connected graph. The initial labelling function of G (index 0) is defined by: I is labelled Search, J is labelled Ending, and every other vertex and every edge of G is labelled ε.

Let L be the set of labels

L = {Search, Found, Ending, Clean, Back, End}.

We say that L is the set of active labels. Let A be the set of labels of the whole system:

A = {ε, VIJ, EIJ, Ē_IJ} ∪ L.

From now on we consider a connected graph G with an initial labelling function as defined above, and a rewriting sequence (G_i)_{i≥0} obtained by application of R_enum,P on G_0 (G_i stands for G with its i-th labelling). In order to prove the termination and the validity of our system, we give some properties of R_enum,P. The easy proofs of the four following invariants are omitted.
Invariant 1 For all i ≥ 0, there is exactly one vertex x in G_i whose label belongs to L \ {Ending}. We denote this vertex x_L. An unlabelled edge cannot receive EIJ as a label if both its end-points are labelled VIJ (RE1).

Invariant 2 For all i ≥ 0, the set of edges labelled EIJ in G_i forms a simple path from I to x_L. We denote this simple path C_i(x_L).

Invariant 3 For all i ≥ 0, any vertex x labelled VIJ in G_i is on the path C_i(x_L).

Invariant 4 For all i ≥ 0, let a be an edge of G labelled Ē_IJ in G_i. The edge a is incident to only one vertex of C_i(x_L). We denote this vertex by x_a and we denote by C̄_i(a) the prefix of C_i(x_L) from I to x_a. Let P be a simple path and e an edge incident to an end-point of P; (P.e) denotes the path obtained by extending P with the edge e.

Invariant 5 Let i ≥ 0 and let a be an edge of G labelled Ē_IJ in G_i. For all k ≥ i, one of the following propositions is true:
(i) a is labelled Ē_IJ in G_k;
(ii) a is no longer labelled Ē_IJ in G_k, and there is a vertex x of C̄_i(a) whose label in G_k is in {Clean, Back, End};
(iii) a is no longer labelled Ē_IJ in G_k, C̄_i(a) is no longer a prefix of C_k(x_L), and there is an edge b of G labelled Ē_IJ in G_k such that (C̄_k(b).b) is a prefix of C̄_i(a).

Proof The proof is rather technical and is not detailed here; it is an induction on k, starting with k = i. □
Consider a vertex x labelled Search after i rewriting steps. The vertices labelled VIJ are not concerned by the rewritings until x is labelled Back. The history h_i(x) of x for the rewriting sequence of length i is a prefix of the history of x for any sequence of length j > i; we write h_j(x) = h_i(x) m_{i,j}(x) and state:

Property 1 Let x ∈ V(G) and i ≥ 0 be such that h_i(x) ends with Search. For any vertex x′ of V(G) whose history h_i(x′) ends with VIJ, and for all j > i such that m_{i,j}(x) does not contain Back, the vertex x′ keeps the same history: h_j(x′) = h_i(x′).

We denote by S(G_i, x) the subgraph of G_i induced by the vertices labelled ε or Ending which are connected to x by simple paths made of unlabelled edges. This connected subgraph contains x.

Lemma 1 For any vertex x of G and any positive integer i such that x is labelled Search in G_i, there is j > i such that the three following propositions are true:
(i) x is labelled Clean in G_j and m_{i,j}(x) does not contain Back;
(ii) the subgraphs S(G_i, x) and S(G_j, x) are isomorphic;
(iii) the rewriting sequence from G_i to G_j has enumerated all the simple paths of S(G_j, x) starting at x and finishing on the vertex labelled Ending, if this vertex is in the subgraph.

Proof By induction on the number of edges of G. □
Proposition 1 The graph rewriting system R_enum,P is noetherian for any connected graph G given with an initial labelling function as defined above.

Proof Consider a connected graph G with an initial labelling function in which some vertex x is labelled Search. Lemma 1 applies to G with x and the initial labelling: there is j > 0 such that x is labelled Clean in G_j, m_{0,j}(x) does not contain Back, and the subgraphs S(G_0, x) and S(G_j, x) are equal. On G_j we can apply RE6 and then RE8 (RE7 is not applicable, since no EIJ-labelled edge is incident to x = I), and after these two rewriting steps x is labelled End while every other vertex and every edge of G is labelled ε. No rule is applicable to G_{j+2}. □

Proposition 2 On any connected graph G given with an initial labelling function such that one vertex is labelled Search and another one is labelled Ending, the system R_enum,P enumerates all the simple paths having these two singular vertices as end-points.

Proof The proof follows directly from Lemma 1 applied to the graph G with its initial labelling function. □

Our system R_enum,P has a constant number of rules and a constant number of labels.
3 Subgraph and minor searching

In the previous section we introduced two systems encoding two different kinds of enumeration. Our purpose is now to present a first application of these two systems: the m-enumeration is used to verify whether a connected labelled graph contains a connected labelled graph H as a subgraph, and the enumeration of simple paths is used to verify whether a connected labelled graph contains a connected labelled graph H as a minor.

3.1 Subgraph searching

We consider a connected labelled graph H with m vertices. We know that we are able to enumerate all the m-tuples of vertices of any graph G with an appropriate labelling function, thanks to a graph rewriting system with priority. Given an m-tuple of vertices of G, it is easy to associate each of its vertices with a vertex of H; we then just have to check whether this mapping is a good one. Our graph rewriting system works in two parts.

First part It consists in enumerating all the m-tuples of vertices of G, using the PGRS R_enum defined in [LMS95]. When an m-tuple is found (we use a label Found_m when we find the last vertex of the m-tuple), the second part starts. If H cannot be found as a subgraph with this m-tuple, then the m-tuple has to be changed, i.e. the m-enumeration resumes. If the end of the m-enumeration is reached, then H is not a subgraph of G.

Second part It consists in checking that the mapping of the vertex set V(H) onto the m-tuple of G is an isomorphism between H and a subgraph of G having the m-tuple as vertex set. Let us describe how we solve this problem by means of a graph rewriting system R_const. First, we use a graph traversal to label the j-th vertex of the m-tuple with the degree of the j-th vertex of H. Then, using another graph traversal, we check that for any edge {i, j} of H there is in G an edge linking the i-th and j-th vertices of the m-tuple. Then we use another graph traversal in order to verify that every edge has been found (partial subgraph) and that there is no other edge between vertices of the m-tuple (induced subgraph). Thus at the end of this traversal, either the last vertex of the m-tuple is labelled Fail or the root of the spanning tree is labelled Win. In the first case the m-enumeration has to resume; in the second case the rewriting stops.

These parts are realized by means of graph rewriting systems with priority. Our general system, called R_subgraph, is the composition of R_enum [LMS95] (with a slight modification) and of R_const, introduced and proved in [Bot97]. For the sake of brevity we do not give this system in detail. For such a composition we use pairs of labels: the first component concerns the m-enumeration, the second component concerns the subgraph checking. Such a system works on a labelled graph with a distinguished vertex (with a labelling function issued from R_span). In order to prove the termination and the validity of R_subgraph, we use the fact that each part is noetherian and valid. Moreover the rules used in this system are very simple (the left-hand sides are isomorphic to a single vertex or a single edge). Therefore we state:

Proposition 3 Given a connected labelled graph H, the graph rewriting system with priority R_subgraph allows to check, on any connected labelled graph with a distinguished vertex, whether H is one of its subgraphs (partial or induced).

Our graph rewriting system R_subgraph has a finite number of rules, depending on the number of rules of R_enum and linearly on m², where m is the number of vertices of H: #rules_subgraph = O(m²). The number of labels depends linearly on #labels_enum and on m: #labels_subgraph = #labels_enum = O(m·2^m).
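The two parts of R_subgraph have a direct sequential counterpart: enumerate the m-tuples of distinct vertices of G, and for each one perform the three traversals of the second part (degree labels, one edge of G per edge of H, then the "all found, nothing extra" verification). The Python program below is an added example, not the paper's system or code; the graphs it runs on are constructed, and the vertices of H are numbered 0 to m − 1 rather than 1 to m.

```python
"""Subgraph searching by m-tuple enumeration (Section 3.1), sequential version.

Added example, not the paper's code.  The first part enumerates the m-tuples
of distinct vertices of G; the second part performs the three checks of the
section.  The graphs below are constructed for the demonstration.
"""
from itertools import permutations


def adjacency(edges):
    """Undirected adjacency as a dict of neighbour sets."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def check_tuple(H, G, tup, induced):
    """Is j -> tup[j] an isomorphism of H onto a subgraph of G on the tuple's vertices?"""
    # First traversal: the j-th tuple vertex is labelled with the degree of j in H.
    budget = {tup[j]: len(H[j]) for j in range(len(tup))}
    # Second traversal: for every edge {i, j} of H look for the edge {x_i, x_j} in G.
    for i in H:
        for j in H[i]:
            if i < j:
                if tup[j] not in G[tup[i]]:
                    return False            # Fail: a required edge is missing
                budget[tup[i]] -= 1
                budget[tup[j]] -= 1
    # Third traversal: every edge of H has been found (partial subgraph) ...
    if any(budget.values()):
        return False
    if not induced:
        return True
    # ... and no other edge of G joins two vertices of the tuple (induced subgraph):
    # with all H-edges present, the G-degree inside the image must equal the H-degree.
    image = set(tup)
    return all(len(G[tup[j]] & image) == len(H[j]) for j in range(len(tup)))


def find_subgraph(H_edges, G_edges, induced=False):
    """Return the first m-tuple on which the check says Win, or None when the
    m-enumeration ends without success."""
    H, G = adjacency(H_edges), adjacency(G_edges)
    for tup in permutations(sorted(G), len(H)):   # the m-enumeration, fixed order
        if check_tuple(H, G, tup, induced):
            return tup
    return None


# Constructed instances.  H is given on the vertices 0..m-1.
PATH3 = [(0, 1), (1, 2)]
K3_H = [(0, 1), (1, 2), (0, 2)]
TRIANGLE = [("a", "b"), ("b", "c"), ("a", "c")]
SQUARE = [("a", "b"), ("b", "c"), ("c", "d"), ("d", "a")]

if __name__ == "__main__":
    print(find_subgraph(PATH3, TRIANGLE))                # partial subgraph: found
    print(find_subgraph(PATH3, TRIANGLE, induced=True))  # induced: None
```

The path on three vertices is a partial subgraph of the triangle but not an induced one, which is exactly the distinction the third traversal of R_const draws; on the square it is an induced subgraph, and the triangle itself is not a subgraph of the square.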
3.2 Minor searching

Thanks to the notion of model defined in [RS95], we are able to prove the following equivalence:

Lemma 2 Given two connected graphs H and G, the following statements are equivalent:
- H is a minor of G;
- there exists a model of H in G, that is a mapping which sends every edge e of H to an edge of G and every vertex u of H to a non-empty connected partial subgraph of G, with the following properties: 1) for any two distinct vertices u and v of H, the subgraphs associated with u and v are disjoint; 2) for any edge e of H and any vertex u of H, the edge associated with e does not belong to the subgraph associated with u; 3) if e = {u, v} is an edge of H, then the edge associated with e has one end-point in the subgraph associated with u and the other in the subgraph associated with v;
- there exists an injection from V(H) into V(G) such that for any edge {u, v} of H there is a simple path in G between the images of u and v, denoted P(u, v) below, these paths being valid, i.e. satisfying: 1) for any two edges {a, b} and {c, d} of H with disjoint end-points, the paths P(a, b) and P(c, d) are vertex-disjoint; 2) for any edge {a, b} of H, the path P(a, b) has at least one edge that belongs to no other path P(c, d), {c, d} ∈ E(H). Such an edge is called an own edge.

We present a graph rewriting system based on the fact that a minor of a graph can be defined by means of particular simple paths. Such simple paths (as defined in Lemma 2) will now be called valid simple paths.
Explanations The connected labelled graph H is known: we assume that its vertex set V and its edge set E are perfectly known. Let m be the number of vertices of H; we assume that V = {1, 2, 3, …, m}. The edges are denoted {i, j} with i < j, so that an order is defined on E: {i, j} < {l, k} if and only if (i, j) < (l, k) lexicographically, i.e. i < l, or i = l and j < k. We denote by succ(i, j) the successor of {i, j} and by pred(i, j) the predecessor of {i, j} according to <, with the conventions succ(i, j) = {i, j} if it is the greatest edge of E (denoted max(i, j)) and pred(i, j) = {i, j} if it is the smallest one (denoted min(i, j)).

The whole system consists of a part of m-enumeration and a part of search for valid paths linking vertices of the m-tuple. We explain the algorithm used for the second part. The computation starts on a graph G with an m-tuple (x_1, x_2, …, x_m). For any edge {i, j} of H, we mark in G a valid simple path between the vertices x_i and x_j (starting with the smallest edge). The construction of valid paths is made with the enumeration of simple paths (with a check of validity) and with backtracking. At the end of this computation there are two possibilities. If all the valid simple paths have been found, then H is a minor of G. If we have not succeeded with the current m-tuple, then the m-tuple has to be changed, i.e. the m-enumeration resumes. If the m-enumeration is done, then H is not a minor of G.

Valid paths We are able to mark simple paths thanks to the system R_enum,P. In order to mark a simple path between the i-th and j-th vertices of the m-tuple, we use this system with parameters (I, J). We have to check that:
- for any pair of vertices (L, K) disjoint from (I, J), no vertex labelled VLK is labelled VIJ by R_enum,P(I, J), and the same holds for edges;
- given a path from I to J, there is at least one edge labelled only with EIJ.
The first condition is easy to realize: we just have to change the first two rules to prevent the labelling. The second one is done by means of a traversal of the simple path, in order to check that this path contains at least one own edge and that all the other valid paths are still valid. The graph rewriting system obtained is denoted R_EV(i, j) for the edge {i, j}. Such a system is made up of traversals based on a spanning tree.
Sum up The graph rewriting system R_minor consists of the following systems, with the following priorities:

R_enum > R_init > R_EV(i, j)_min > … > R_EV(i, j)_max

with:
- R_enum, enumeration of the m-tuples of G;
- R_init, beginning of the second part;
- R_EV(i, j), enumeration of the valid simple paths between the i-th and j-th vertices of the current m-tuple. These systems are made of the system of enumeration of simple paths, a part for the checking of validity, and optionally a part for acknowledgment sending (for {i, j} different from the minimal edge) and cleaning (if {i, j} is the minimal edge).

We show on the following example how acknowledgments are used in order to compute the valid simple paths according to the order <.
Example 2 Consider the following graphs H and G. The graph H has three vertices and three edges: {1, 2} < {1, 3} < {2, 3}. The graph G has a distinguished vertex called v, which is the root of a spanning tree (denoted T(G)) computed by a graph rewriting system.

[Figure: the graph H, a triangle on the vertices 1, 2, 3, and the graph G with its distinguished vertex v.]
Given a 3-tuple of vertices labelled on G, we start the construction of valid simple paths for the three edges of H. First, a traversal of the spanning tree is used to label the vertices 1 and 2 with the list of Search labels. This part is done by the rules of the system R_init.

[Figure: the spanning tree T(G) rooted in v; vertex 1 carries Search(1, 2) and Search(1, 3), vertex 2 carries Search(2, 3).]
The smallest edge of H according to < is the edge {1, 2}. The computation starts with the labelling of a valid simple path for this edge, thanks to the system R_EV(1, 2). As this is the smallest edge, we do not have to wait for an acknowledgment. The following picture shows a computation leading to a valid path: the vertex 2 receives a label of success Valid(1, 2).

[Figure: a path from 1 to 2 with its edges labelled E12 and its inner vertex labelled V12; vertex 1 still carries Search(1, 3), vertex 2 carries Search(2, 3) and Valid(1, 2).]
As a valid path has been found, an acknowledgment is sent to the vertex 1, smallest end-point of the next edge. A traversal of the spanning tree is used.

[Figure: vertex 1 carries Search(1, 3) and Acq(1, 2), vertex 2 carries Search(2, 3).]
The vertex 1 now carries the labels Search(1, 3) and Acq(1, 2): the rules of R_EV(1, 3) are thus applicable and the enumeration of valid simple paths for this pair of vertices can start.

[Figure: the path from 1 to 2 (labels E12, V12) and a path from 1 to 3 (labels E13, V13); vertex 2 carries Search(2, 3), vertex 3 carries Valid(1, 3).]
In this example, a valid simple path has been found for the pair (1, 3). Thus an acknowledgment is sent to the vertex 2 (smallest end-point of the next edge); this is done by a traversal. The rules of R_EV(2, 3) become applicable to the graph because of this acknowledgment. If a valid simple path is found for this pair, then the computation stops (i.e. no more rules are applicable): H is a minor of G. If no valid simple path exists, the enumeration of valid simple paths is resumed for the previous pair (1, 3), and so on. The last picture shows a successful computation proving that H is a minor of G.

[Figure: the three valid paths, labelled E12/V12, E13/V13 and E23/V23; vertex 3 carries Valid(2, 3).]
Details about this graph rewriting system can be found in [Bot97]. We recall that h denotes the number of edges of H. The number of rules of R_minor is a linear function of #rules_enum, m and h²: #rules_minor = O(h² + m). The number of labels is a linear function of #labels_enum, h and h²: #labels_minor = O(m·2^m + h²). The system R_minor satisfies the following theorem:

Theorem 1 Given a connected labelled graph H, there exists a graph rewriting system with priority which allows to check, on any connected labelled graph G with a distinguished vertex, whether H is a minor of G.

Thus, given a family of graphs defined by a finite set of forbidden minors, there exists a graph rewriting system with priority which verifies whether a given graph with a distinguished vertex belongs to the family. The forbidden minors must be known: we just have to compose a set of systems R_minor corresponding to the forbidden minors.

Corollary 1 Let F be a family of connected graphs defined by a finite set of forbidden minors. We can check by means of a graph rewriting system whether a connected graph G with a distinguished vertex belongs to F. In particular, we are able to give a graph rewriting system with priority which verifies whether a labelled graph with a distinguished vertex is planar or not.
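The search that R_minor encodes with acknowledgments and relabellings can be written down directly from the third statement of Lemma 2: for every injection of V(H) into V(G), choose the paths edge of H after edge of H in the order <, reject a candidate path that meets the path of an H-edge with disjoint end-points, reject a choice that leaves some path without an own edge, and backtrack to the previous edge when a pair has no candidate left. The Python program below is an added example, not the paper's system or code; the sample graphs are constructed, and the order in which candidate paths are tried is an arbitrary choice of the example.

```python
"""Minor searching with the valid-path characterisation of Lemma 2 (Section 3.2).

Added example, not the paper's code: a sequential stand-in for R_minor.  For
every injection psi of V(H) into V(G) it looks, edge of H after edge of H in
the order < of the section, for simple paths of G that are vertex-disjoint for
edges of H with disjoint end-points and that each keep an own edge, and
backtracks to the previous edge when no candidate is left.  Graphs are constructed.
"""
from itertools import permutations


def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    return adj


def simple_paths(adj, s, t):
    """All simple paths from s to t, in depth-first order."""
    def extend(path):
        if path[-1] == t:
            yield tuple(path)
            return
        for w in adj[path[-1]]:
            if w not in path:
                yield from extend(path + [w])
    yield from extend([s])


def path_edges(p):
    return {frozenset(e) for e in zip(p, p[1:])}


def all_have_own_edge(paths):
    """Property 2 of Lemma 2: each chosen path keeps an edge used by no other path."""
    for key, p in paths.items():
        others = set().union(*(path_edges(q) for k, q in paths.items() if k != key))
        if not (path_edges(p) - others):
            return False
    return True


def find_minor_model(H_edges, G_edges):
    """Return (psi, paths) witnessing that H is a minor of G, or None."""
    G = adjacency(G_edges)
    hv = sorted({x for e in H_edges for x in e})
    he = sorted(tuple(sorted(e)) for e in H_edges)      # the order < on E(H)

    def extend(k, paths, psi):
        if k == len(he):
            return dict(paths)
        u, v = he[k]
        # Property 1: vertex-disjoint from the paths of H-edges with disjoint end-points.
        avoid = set()
        for (a, b), q in paths.items():
            if not {a, b} & {u, v}:
                avoid.update(q)
        for p in simple_paths(G, psi[u], psi[v]):
            if set(p) & avoid:
                continue
            paths[(u, v)] = p
            if all_have_own_edge(paths):     # prune: a lost own edge never comes back
                res = extend(k + 1, paths, psi)
                if res is not None:
                    return res
            del paths[(u, v)]
        return None                          # backtrack to the previous edge of H

    for image in permutations(sorted(G), len(hv)):   # the m-enumeration
        psi = dict(zip(hv, image))
        paths = extend(0, {}, psi)
        if paths is not None:
            return psi, paths
    return None


# Constructed instances.
K3 = [(1, 2), (1, 3), (2, 3)]
K4 = K3 + [(1, 4), (2, 4), (3, 4)]
PATH4 = [("a", "b"), ("b", "c"), ("c", "d")]
CYCLE4 = PATH4 + [("d", "a")]
CYCLE5 = [("a", "b"), ("b", "c"), ("c", "d"), ("d", "e"), ("e", "a")]
WHEEL4 = [("h", "r1"), ("h", "r2"), ("h", "r3"), ("h", "r4"),
          ("r1", "r2"), ("r2", "r3"), ("r3", "r4"), ("r4", "r1")]

if __name__ == "__main__":
    print(find_minor_model(K3, CYCLE4))
    print(find_minor_model(K4, CYCLE5))
```

The triangle is a minor of the 4-cycle but not of a path (on a tree the three paths meet at a common vertex, so none of them has an own edge), and K4 is a minor of the 4-spoke wheel but not of the 5-cycle (the two "diagonal" pairs of a K4 placed on a cycle always force two vertex-disjoint paths to cross). These are the cases the assertions below check.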
4 Normal forms for graph rewriting systems

In this part we introduce different kinds of normal forms for graph rewritings, and more particularly the k-normal form. Then we prove that for any graph rewriting system there exists an equivalent PGRS in k-normal form: any GRS can be normalized according to the k-normal form. Our method consists in building the PGRS in k-normal form using systems of enumeration.

4.1 Definitions

We are interested in the structure of the subgraphs which are rewritten by the rules of our systems. As a first normal form we consider the case where the left-hand sides of the rules are isomorphic to a vertex or an edge:

Definition 7 A graph rewriting system is in 2-normal form if each rule rewrites one vertex, or one edge and its two incident vertices.

Most of our graph rewriting systems are in 2-normal form: the computation of a spanning tree, the traversal of a tree and of course the subgraph searching can be done thanks to graph rewriting systems in 2-normal form. We can also consider left-hand sides equal to simple paths of bounded length.

Definition 8 A graph rewriting system is in k-normal form if each rule rewrites a simple path of length at most k − 1.
4.2 Simulation of a FCGRS by a PGRS in k-normal form

We want to prove that any GRS without normal form can be simulated by a GRS in 2-normal or k-normal form. To this end, we use the method introduced in [LMS95] to simulate any FCGRS by a PGRS. We first recall this method, then give our application.

Method for the simulation of a FCGRS by a PGRS This method is made up of three steps.

I. The first part concerns the partition of the initial graph into subgraphs of diameter bounded by k, where k is the maximal diameter of the graphs in the rules of the FCGRS. This part is called the k-election. The k-election problem (introduced in [LMS95]) can be explained as follows. Each vertex of the graph stands for a town. We want to organize the graph by delimiting countries, each country having one capital. In each country the distance between a town and the capital must be at most k. Moreover, the distance between two different capitals must be at least k + 1. This part is done by a PGRS in (2k + 1)-normal form.

II. The second part consists in supervising the activity of the capitals. If a capital is active, it means that the application of a rule of the system can be simulated on its country. This part is done by a PGRS in (k + 1)-normal form.

III. The third part consists in simulating the application of the rules on a country having an active capital. This part is called the local simulation. We have to adapt this local simulation to our problem.
Application to the k-normal form

We are able to realize a local simulation by a PGRS in 2-normal form. We consider that we are working on a country with an active capital.

1. Using a tree traversal, towns are activated one by one (R_trav).
2. Given an active town, we construct a spanning tree of the ball of centre the active town and of radius k (R_span(k), with orientation from the root to the leaves).
3. For each rule r with forbidden contexts, we build a system R_r so as to test the applicability of r on the ball of radius k. This part of the simulation goes as follows:
(a) We look for a subgraph isomorphic to the left-hand side of r in the ball of centre this town and of radius k. We can do that by means of R_subgraph. Then, in G, some vertices have label (1_i, x) and some edges have label (p, x), where x is a symbol standing for the label issued from the initial labelling of r. These vertices and edges form a subgraph isomorphic to the left-hand side of r. The values of i are in {1, …, |V(G_r)|}.
(b) Then, given an occurrence of the left-hand side of r, we search all the forbidden contexts, using one PGRS R_subgraph per context.
(c) If we find such a forbidden context, then we resume the search for another occurrence.
(d) If there is no forbidden context, then we apply the rule r by changing the labels of the edges and then those of the vertices. In this way we realize a rewriting in 2-normal form.

Let us now introduce the system R_norme in 2-normal form. We consider that we are working on a connected graph having a labelled spanning tree (one vertex is labelled Edge, the others N0). Some vertices and edges have labels coming from r (as explained before). A first traversal is done in order to change the labels (p, x) of the edges, a second traversal deals with the vertices. The symbol x′ stands for the label issued from the final labelling of r.

System R_norme

Each rule below is written as left-hand side ⟶ right-hand side, with vertex labels in brackets and the priority in parentheses; e marks an edge of the spanning tree. We walk on a branch of the tree (by using edges of the tree).
R1 (3): [Edge] -e- [N0] ⟶ [W] -e- [Edge]
If we meet a vertex labelled 1_l, then we change the labels of all the edges incident to this vertex. These edges may be edges of the spanning tree; we do not specify it in the rule.

R2(l, k), k > l (2): [Edge, 1_l] -(p, x)- [X, 1_k] ⟶ [Edge, 1_l] -(p, x′)- [X, 1_k]
When we reach a leaf, or when there is nothing else to do, we come back in the tree.

R3 (1): [W] -e- [Edge] ⟶ [Edge] -e- [N1]
When we are on the root of the tree, then we start a new traversal in order to rewrite the vertices.
Edge
R4 :
V ertex
-
u
u
(0)
We advance on a branch of the tree.

R5 (3): [Vertex] -e- [N1] ⟶ [W] -e- [Vertex]
When we reach a vertex which is the image of a vertex of V(G_r), we change its label.

R6 (2): [Vertex, 1_i, x] ⟶ [Vertex, 1_i, x′]
The traversal goes on by going back to the root.
R7 :
W
u
e
V ertex u
-
V ertex
When we reach the root, then the computation is done.
u
e
N0
u
(1)
R4 :
V ertex u
-
End u
(0)
This graph rewriting system comes from the traversal of a tree. A system for tree traversals has been proved to be noetherian and valid in [LMS95]. Thus our system is noetherian and valid, because we are sure to reach all the vertices and the edges we have to rewrite. For our simulation we use graph rewriting systems in (k + 1)-normal form and systems in 2-normal form. The k-election problem and the computation of a spanning tree of a ball of radius k are realized by graph rewriting systems in (k + 1)-normal form (with respect to our notation).
Proposition 4 Any graph rewriting system with forbidden contexts can be simulated by a graph rewriting system with priority which is in (k + 1)-normal form.

Moreover, any graph rewriting system with priority can be turned into a graph rewriting system with forbidden contexts, as explained in [LMS95]. Thus:

Theorem 2 Any graph rewriting system (with priority or forbidden contexts) can be normalized into a graph rewriting system with priority in k-normal form, for a suitable integer k.
References

[Ang80] D. Angluin. Local and global properties in networks of processors. In 12th STOC, pages 82–93, 1980.
[BM96] A. Bottreau and Y. Métivier. Kronecker product and local computation in graphs. In CAAP'96, volume 1059 of Lect. Notes in Comp. Sci., pages 2–16, 1996.
[Bot97] A. Bottreau. Réécritures de graphe et calculs distribués. PhD thesis, Université Bordeaux I, LaBRI, June 1997.
[CM94] B. Courcelle and Y. Métivier. Coverings and minors: application to local computations in graphs. Europ. J. Combinatorics, 15:127–138, 1994.
[Cou90] B. Courcelle. The monadic second order logic of graphs I: recognizable sets of finite graphs. Inform. and Comput., 85:12–75, 1990.
[LM92] I. Litovsky and Y. Métivier. Computing trees with graph rewriting systems with priorities. Tree Automata and Languages, pages 115–139, 1992.
[LM93] I. Litovsky and Y. Métivier. Computing with graph rewriting systems with priorities. Theoretical Computer Science, 115:191–224, 1993.
[LMS95] I. Litovsky, Y. Métivier, and E. Sopena. Different local controls for graph relabelling systems. Mathematical Systems Theory, 28:41–65, 1995.
[LMZ95] I. Litovsky, Y. Métivier, and W. Zielonka. On the recognition of families of graphs with local computations. Information and Computation, 115(1):110–119, 1995.
[Maz87] A. Mazurkiewicz. Trace theory. In W. Brauer et al., editors, Petri Nets: Applications and Relationships to Other Models of Concurrency, volume 255, pages 279–324, 1987.
[RFH72] P. Rosenstiehl, J. R. Fiksel, and A. Holliger. Intelligent graphs: networks of finite automata capable of solving graph problems. In Graph Theory and Computing, pages 219–265. Academic Press, 1972.
[RS95] N. Robertson and P. D. Seymour. Graph minors XIII: the disjoint paths problem. Journal of Combinatorial Theory, Series B, 63:65–110, 1995.
[YK96a] M. Yamashita and T. Kameda. Computing on anonymous networks: Part I, characterizing the solvable cases. IEEE Transactions on Parallel and Distributed Systems, 7(1):69–89, 1996.
[YK96b] M. Yamashita and T. Kameda. Computing on anonymous networks: Part II, decision and membership problems. IEEE Transactions on Parallel and Distributed Systems, 7(1):90–96, 1996.
Partial Metrics and Co-continuous Valuations*
Michael A. Bukatin (1) and Svetlana Yu. Shorina (2)
(1) Department of Computer Science, Brandeis University, Waltham, MA 02254, USA; [email protected]; http://www.cs.brandeis.edu/∼bukatin/papers.html
(2) Faculty of Mechanics and Mathematics, Moscow State University, Moscow, Russia; [email protected]
Abstract. The existence of deep connections between partial metrics and valuations is well known in domain theory. However, the treatment of non-algebraic continuous Scott domains has not been quite satisfactory so far. In this paper we return to the continuous normalized valuations µ on the systems of open sets and introduce the notions of co-continuity ({U_i, i ∈ I} is a filtered system of open sets ⇒ µ(Int(⋂_{i∈I} U_i)) = inf_{i∈I} µ(U_i)) and strong non-degeneracy (U ⊂ V are open sets ⇒ µ(U) < µ(V)) for such valuations. We call the resulting class of valuations CC-valuations. The first central result of this paper is a construction of CC-valuations for Scott topologies on all continuous dcpo's with countable bases. This is a surprising result because neither co-continuous nor strongly non-degenerate valuations are usually possible for ordinary Hausdorff topologies. Another central result is a new construction of partial metrics. Given a continuous Scott domain A and a CC-valuation µ on the system of Scott open subsets of A, we construct a continuous partial metric on A yielding the Scott topology as u(x, y) = µ(A \ (C_x ∩ C_y)) − µ(I_x ∩ I_y), where C_x = {y ∈ A | y ⊑ x} and I_x = {y ∈ A | {x, y} is unbounded}. This construction covers important cases based on the real line and allows one to obtain an induced metric on Total(A) without the unpleasant restrictions known from earlier work.
1 Introduction
Recently the theory of partial metrics introduced by Matthews [14] has undergone active development and is used in various applications, from the computational description of metric spaces [9] to the analysis of parallel computation [13]. The relationship between partial metrics and valuations was first noticed by O'Neill in [15]. In [3] Bukatin and Scott generalized this relationship by considering valuations on powersets of bases, instead of valuations on the domains themselves, as in [15]. They also explained the computational intuition of partial metrics by generalizing them to relaxed metrics, which take values in the interval numbers. Partial metrics can be considered as taking values in the upper bounds of those interval numbers. However, it is often desirable to remove the most restrictive axioms of partial metrics, like small self-distances, u(x, x) ≤ u(x, y), and the strong Vickers-Matthews triangle inequality, u(x, z) ≤ u(x, y) + u(y, z) − u(y, y). Thus [3] only requires symmetry and the ordinary triangle inequality for the upper bounds of relaxed metrics. However, it can be shown (see Section 6) that if the upper bounds u(x, y) of relaxed metrics are based on the idea that common information, or more precisely, the measure of common information about x and y, brings a negative contribution to u(x, y) — e.g. in the normalized world we can consider u(x, y) = 1 − µ(Info(x) ∩ Info(y)) — then all axioms of partial metrics should hold for u. In fact, it makes sense to introduce both positive and negative information, and to define u(x, y) = 1 − µ(Info(x) ∩ Info(y)) − µ(Neginfo(x) ∩ Neginfo(y)), then defining meaningful lower bounds l(x, y) = µ(Info(x) ∩ Neginfo(y)) + µ(Info(y) ∩ Neginfo(x)) and obtaining an induced metric on Total(A). This is, essentially, the approach of Section 5 of [3], where Info(x) and Neginfo(x) can be understood as subsets of a domain basis. However, there were a number of remaining open problems. In particular, while [3] builds partial metrics on all continuous Scott domains with countable bases, the reliance of [3] on finite weights of non-compact basic elements does not allow one to obtain some natural partial metrics on real-line based domains, and also introduces some unpleasant restrictions on domains which should be satisfied in order to obtain an induced classical metric on Total(A).

* Supported by Applied Continuity in Computations Project.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 125–139, 1998. © Springer-Verlag Berlin Heidelberg 1998

1.1 Co-continuous Valuations
This paper rectifies these particular open problems by defining partial metrics via valuations on the systems of Scott open sets of domains. The theory of valuations on open sets has undergone considerable development recently (see [5,11,18,2] and references therein). However, we have found that we need a special condition of co-continuity for our valuations — for a filtered system of open sets {U_i, i ∈ I}, µ(Int(⋂_{i∈I} U_i)) = inf_{i∈I} µ(U_i). We need this condition to ensure Scott continuity of our partial metrics.
The paper starts as follows. In Section 2 we recall the necessary definitions of domain theory. Section 3 defines various properties of valuations and introduces the class of CC-valuations — continuous, normalized, strongly non-degenerate, co-continuous valuations. Section 4 builds a CC-valuation on the system of Scott open sets of every continuous dcpo with a countable basis. This is the first central result of this paper. It seems that the notion of co-continuity of valuations and this result for the case of continuous Scott domains with countable bases are both new and belong to us. The generalization of this result to continuous dcpo's with countable bases belongs to Klaus Keimel [12]. He worked directly with completely distributive lattices of Scott open sets of continuous dcpo's and used the results about completely distributive lattices obtained by Raney in the fifties (see Exercise 2.30 on page 204 of [8]). Here we present a proof which can be considered a simplification of both our original proof and the proof obtained by Keimel. This proof also works for all continuous dcpo's with countable bases. A part of this proof, as predicted by Keimel, can be considered as a special case of Raney's results mentioned above. However, our construction is very simple and self-contained.
Keimel also pointed out in [12] that our results are quite surprising, because both co-continuity and strong non-degeneracy, U ⊂ V are open sets ⇒ µ(U) < µ(V), seem contradictory, as neither of them can hold for the system of open sets of the ordinary Hausdorff topology on [0, 1]. However, if we replace the system of open sets of this Hausdorff topology with the system of open intervals, both conditions would hold. We believe that the reason behind our results is that the Scott topology is coarse enough for its system of open sets to exhibit behaviors similar to the behaviors of typical bases of open sets of Hausdorff topologies.

1.2 Application to Partial Metrics
Section 5 discusses partial and relaxed metrics and their properties. Section 6 describes an approach to partial and relaxed metrics where the upper bounds u(x, y) are based on the idea of common information about x and y bringing a negative contribution to u(x, y). We formalize this approach by introducing the notion of a µInfo-structure. However, we feel that this formalization can be further improved. In particular, Section 6 presents the second central result of this paper — given a CC-valuation on the system of Scott open sets of any continuous Scott domain (no assumptions about the cardinality of the basis are needed here), we build a Scott continuous relaxed metric ⟨l, u⟩ : A × A → R^I, such that u : A × A → R^- is a partial metric, the relaxed metric topology coincides with the Scott topology, and if x, y ∈ Total(A), then l(x, y) = u(x, y) and the resulting classical metric Total(A) × Total(A) → R defines the subspace topology on Total(A). Here R^I is the domain of interval numbers, R^- is the domain of upper bounds, and Total(A) is the set of maximal elements of A. Section 7 discusses various examples and possibilities to weaken the strong non-degeneracy condition — to find a sufficiently general weaker condition is an open problem. A more detailed presentation can be found in [4].

2 Continuous Scott Domains
Recall that a non-empty partially ordered set (poset), (S, ⊑), is directed if ∀x, y ∈ S. ∃z ∈ S. x ⊑ z, y ⊑ z. A poset, (A, ⊑), is a dcpo if it has a least element, ⊥, and for any directed S ⊆ A, the least upper bound ⊔S of S exists in A. A set U ⊆ A is Scott open if ∀x, y ∈ A. x ∈ U, x ⊑ y ⇒ y ∈ U and for any directed poset S ⊆ A, ⊔S ∈ U ⇒ ∃s ∈ S. s ∈ U. The Scott open subsets of a dcpo form the Scott topology.
Consider dcpo's (A, ⊑_A) and (B, ⊑_B) with the respective Scott topologies. f : A → B is (Scott) continuous iff it is monotonic (x ⊑_A y ⇒ f(x) ⊑_B f(y)) and for any directed poset S ⊆ A, f(⊔_A S) = ⊔_B {f(s) | s ∈ S}.
We define continuous Scott domains in the spirit of [10]. Consider a dcpo (A, ⊑). We say that x ≪ y (x is way below y) if for any directed set S ⊆ A, y ⊑ ⊔S ⇒ ∃s ∈ S. x ⊑ s. An element x such that x ≪ x is called compact. We say that A is bounded complete if ∀B ⊆ A. (∃a ∈ A. ∀b ∈ B. b ⊑ a) ⇒ ⊔_A B exists. Consider a set K ⊆ A. We say that a dcpo A is a continuous dcpo with basis K if for any a ∈ A, the set K_a = {k ∈ K | k ≪ a} is directed and a = ⊔K_a. Notice that ⊥_A ∈ K. We call elements of K basic elements. A continuous, bounded complete dcpo is called a continuous Scott domain.

3 CC-valuations
Consider a topological space (X, O), where O consists of all open subsets of X. The following notions of the theory of valuations can be considered standard (for the most available presentation in a regular journal see [5]; the fundamental text in the theory of valuations on Scott open sets is [11]).
Definition 3.1. A function µ : O → [0, +∞] is called a valuation if
1. ∀U, V ∈ O. U ⊆ V ⇒ µ(U) ≤ µ(V);
2. ∀U, V ∈ O. µ(U) + µ(V) = µ(U ∩ V) + µ(U ∪ V);
3. µ(∅) = 0.
Definition 3.2. A valuation µ is bounded if µ(X) < +∞. A valuation µ is normalized if µ(X) = 1.
Remark: If a valuation µ is bounded and µ(X) ≠ 0, then it is always easy to replace it with a normalized valuation µ'(U) = µ(U)/µ(X).
Definition 3.3. Define a directed system of open sets, U = {U_i, i ∈ I}, as satisfying the following condition: for any finite number of open sets U_{i_1}, U_{i_2}, ..., U_{i_n} ∈ U there is U_i, i ∈ I, such that U_{i_1} ⊆ U_i, ..., U_{i_n} ⊆ U_i.
Definition 3.4. A valuation µ is called continuous when for any directed system of open sets µ(⋃_{i∈I} U_i) = sup_{i∈I} µ(U_i).
We introduce two new properties of valuations.
Definition 3.5. A valuation µ : O → [0, +∞] is strongly non-degenerate if ∀U, V ∈ O. U ⊂ V ⇒ µ(U) < µ(V).¹
This is, obviously, a very strong requirement, and we will see later that it might be reasonable to look for weaker non-degeneracy conditions.
Consider a decreasing sequence of open sets U_1 ⊇ U_2 ⊇ ..., or, more generally, a filtered system of open sets U = {U_i, i ∈ I}, meaning that for any finite system of open sets U_{i_1}, ..., U_{i_n} ∈ U there is U_i, i ∈ I, such that U_i ⊆ U_{i_1}, ..., U_i ⊆ U_{i_n}. Consider the interior of the intersection of these sets. It is easy to see that for a valuation µ

µ(Int(⋂_{i∈I} U_i)) ≤ inf_{i∈I} µ(U_i).

Definition 3.6. A valuation µ is called co-continuous if for any filtered system of open sets {U_i, i ∈ I}

µ(Int(⋂_{i∈I} U_i)) = inf_{i∈I} µ(U_i).

Definition 3.7. A continuous, normalized, strongly non-degenerate, co-continuous valuation µ is called a CC-valuation.
Informally speaking, the strong non-degeneracy provides for non-zero contributions of compact elements and reasonable “pieces of space”. The co-continuity provides for single non-compact elements and borders B \ Int(B) of “reasonable” sets B ⊆ A to have zero measures. “Reasonable” sets here are Alexandrov open (i.e. upwardly closed) sets. Thus, it is possible to consider co-continuity as a method of dealing with the non-discreteness of the Scott topology. We follow here the remarkable definition of a discrete topology given by Alexandrov: a topology is discrete if an intersection of an arbitrary family of open sets is open (e.g. see [1]). Of course, if one assumes the T1 separation axiom, then Alexandrov's definition implies that all sets are open — the trivial (and more standard) version of the definition. In this sense, the Alexandrov topology of upwardly closed sets is discrete, but the Scott topology is not.
We should also notice that since our valuations are bounded, they can be extended onto closed sets via the formula µ(C) = µ(A) − µ(A \ C), and all definitions of this section can be expressed in the dual form. A bounded valuation µ can be uniquely extended to an additive measure defined on the ring of sets generated from the open sets by the operations ∩, ∪, \ [16]. The issues of σ-additivity are not in the scope of this text (interested readers are referred to [11,2]). We deal with the specific infinite systems of sets we need, and mainly focus on quite orthogonal conditions given to us by the co-continuity of µ.

¹ We use U ⊂ V as an equivalent of U ⊆ V & U ≠ V.

3.1 Example: Valuations Based on Weights of Basic Elements
This example essentially reproduces a construction in [3]. Consider a continuous dcpo A with a countable basis K. Assign a converging system of weights to basic elements: w(k) > 0, ∑_{k∈K} w(k) = 1. Define µ(U) = ∑_{k∈U} w(k). It is easy to see that µ is a continuous, normalized, strongly non-degenerate valuation. However, µ is co-continuous if and only if all basic elements are compact (which is possible only if A is algebraic). This is proved in [4] using the following observations.
First, observe that arbitrary intersections of Alexandrov open (i.e. upwardly closed) sets are Alexandrov open. Also it is a well-known fact that {y | x ≪ y} is Scott open in a continuous dcpo.
Lemma 31 (Border Lemma) Consider an Alexandrov open set B ⊆ A. Then its interior in the Scott topology is Int(B) = {y ∈ A | ∃x ∈ B. x ≪ y}. Correspondingly, the border of B in the Scott topology is B \ Int(B) = {y ∈ B | ¬(∃x ∈ B. x ≪ y)}.

3.2 A Vertical Segment of Real Line
Consider the segment [0, 1], ⊑ = ≤. Define µ((x, 1]) = 1 − x. Unfortunately, to ensure strong non-degeneracy we have to define µ([0, 1]) = 1 + ε, ε > 0. This is the first hint that strong non-degeneracy is too strong in many cases. In order to obtain a normalized valuation we have to consider µ'(U) = µ(U)/(1 + ε). The resulting µ' is a CC-valuation.

4 Constructing CC-valuations
In this section we build a CC-valuation for all continuous dcpo's with countable bases. The construction generalizes the one of Subsection 3.1. We are still going to assign weights, w(k) > 0, to compact elements. For non-compact basic elements we proceed as follows. We focus our attention on the pairs of non-compact basic elements, (k', k''), which do not have any compact elements between them, and call such elements continuously connected. We observe that for every such pair we can construct a special kind of vertical chain, which “behaves like a vertical segment [0, 1] of the real line”. We call such a chain a stick. We assign weights, v(k', k'') > 0, to sticks as well, in such a way that the sum of all w(k) and all v(k', k'') is 1. As in Subsection 3.1, compact elements k contribute w(k) to µ(U) if k ∈ U. An intersection of the stick associated with a continuously connected pair (k', k'') with an open set U “behaves as either (q, 1] or [q, 1]”, where q ∈ [0, 1]. Such a stick contributes (1 − q) · v(k', k'') to µ(U). The resulting µ is the desired CC-valuation.
It is possible to associate a complete lattice homomorphism from the lattice of Scott open sets to [0, 1] with every compact element and with every stick defined by basic continuously connected elements k' and k''. Then, as suggested by Keimel [12], all these homomorphisms together can be thought of as an injective complete lattice homomorphism to [0, 1]^J. From this point of view, our construction of µ is the same as in [12].
Thus the discourse in this section yields the proof of the following:
Theorem 41 For any continuous dcpo A with a countable basis, there is a CC-valuation µ on the system of its Scott open sets.

4.1 Continuous Connectivity and Sticks
Definition 4.1. Two elements x ≪ y are called continuously connected if the set {k ∈ A | k is compact, x ≪ k ≪ y} is empty.
Remark: This implies that x and y are not compact.
Lemma 41 If x ≪ y are continuously connected, then {z | x ≪ z ≪ y} has cardinality of at least the continuum.
Proof. We use the well-known theorem on intermediate values: x ≪ y ⇒ ∃z ∈ A. x ≪ z ≪ y (see [10]). Applying this theorem again and again we build a countable system of elements between x and y as follows, using rational numbers as indices for intermediate elements: x ≪ a_{1/2} ≪ y, x ≪ a_{1/4} ≪ a_{1/2} ≪ a_{3/4} ≪ y, ... All these elements are non-compact and hence non-equal. Now consider a directed set {a_i | i ≤ r}, where r is a real number, 0 < r < 1. Introduce b_r = ⊔{a_i | i ≤ r}. We prove that if r < s then b_r ≪ b_s, and also that x ≪ b_r ≪ b_s ≪ y, thus obtaining the required cardinality. Indeed, it is easy to find such n and numbers q_1, q_2, q_3, q_4 that

x ≪ a_{q_1/2^n} ⊑ b_r ⊑ a_{q_2/2^n} ≪ a_{q_3/2^n} ⊑ b_s ≪ a_{q_4/2^n} ≪ y.   □

Definition 4.2. We call the set of continuum many different non-compact elements {a_r | r ∈ (0, 1)} between continuously connected x ≪ y, built in the proof above, such that x ≪ a_r ≪ a_q ≪ y ⇔ r < q, a (vertical) stick.

4.2 Proof of Theorem 41
Consider a continuous dcpo A with a countable basis K. As discussed earlier, with every compact k ∈ K we associate a weight w(k) > 0, and with every continuously connected pair (k', k''), k', k'' ∈ K, we associate a weight v(k', k'') > 0 and a stick {a_r^{k',k''} | r ∈ (0, 1)}. Since K is countable, we can require ∑ w(k) + ∑ v(k', k'') = 1.
Whenever we have an upwardly closed (i.e. Alexandrov open) set U, for any stick {a_r^{k',k''} | r ∈ (0, 1)} there is a number q_U^{k',k''} ∈ [0, 1] such that r < q_U^{k',k''} ⇒ a_r^{k',k''} ∉ U and q_U^{k',k''} < r ⇒ a_r^{k',k''} ∈ U. In particular, for a Scott open set U define

µ(U) = ∑_{k ∈ U, k compact} w(k) + ∑_{k', k'' ∈ K continuously connected} (1 − q_U^{k',k''}) · v(k', k'').

It is easy to show that µ is a normalized valuation. The rest follows from the following Lemmas.
Lemma 42 µ is continuous.
Lemma 43 µ is strongly non-degenerate.
Proof. Let U and V be Scott open subsets of A and U ⊂ V. Let us prove that V \ U contains either a compact element or a stick between basic elements. Take x ∈ V \ U. If x is compact, then we are fine. Assume that x is not compact. We know that x = ⊔K_x, where K_x = {k ∈ K | k ≪ x} is a directed set. Since V is open, ∃k ∈ K_x. k ∈ V. Since k ⊑ x and x ∉ U, k ∈ V \ U. If there is a compact k' such that k ≪ k' ≪ x, we are fine, since k' ∈ V \ U. Otherwise, since any basis includes all compact elements, k and x are continuously connected.
Now, as in the theorem of intermediate values, x = ⊔K̃_x, where K̃_x = {k' ∈ K | ∃k'' ∈ K. k' ≪ k'' ≪ x} is a directed set, thus ∃k', k''. k ⊑ k' ≪ k'' ≪ x, thus (k, k'') yields the desired stick.
If k ∈ V \ U and k is compact, then µ(V) − µ(U) ≥ w(k) > 0. If the stick formed by (k, k') is in V \ U, then µ(V) − µ(U) ≥ v(k, k') > 0. □

Lemma 44 µ is co-continuous.
Proof. Recall the development in Subsection 3.1. Consider a filtered system of open sets {U_i, i ∈ I}. By Lemma 31, for B = ⋂_{i∈I} U_i, B \ Int(B) = {y ∈ B | ¬(∃x ∈ B. x ≪ y)}. Notice that B \ Int(B), in particular, does not contain compact elements. Another important point is that for any stick, q_B^{k',k''} = q_{Int(B)}^{k',k''}.
The further development is essentially dual to the omitted proof of Lemma 42. We need to show that for any ε > 0 there is such U_i, i ∈ I, that µ(U_i) − µ(Int(B)) < ε. Take enough (a finite number) of compact elements, k_1, ..., k_n, and continuously connected pairs of basic elements, (k'_1, k''_1), ..., (k'_m, k''_m), so that w(k_1) + ... + w(k_n) + v(k'_1, k''_1) + ... + v(k'_m, k''_m) > 1 − ε/2. For each k_j ∉ Int(B), take U_{i_j}, i_j ∈ I, such that k_j ∉ U_{i_j}. For each (k'_j, k''_j) such that q_{Int(B)}^{k'_j,k''_j} > 0, take U_{i'_j}, i'_j ∈ I, such that q_{Int(B)}^{k'_j,k''_j} − q_{U_{i'_j}}^{k'_j,k''_j} < ε/(2m). A lower bound of these U_{i_j} and U_{i'_j} is the desired U_i. □

It should be noted that Bob Flagg suggested and Klaus Keimel showed that Lemma 5.3 of [7] can be adapted to obtain a dual proof of the existence of CC-valuations (see [6] for one presentation of this). Klaus Keimel also noted that one can consider all pairs k, k' of basic elements such that k ≪ k', instead of considering just continuously connected pairs and compact elements.

5 Partial and Relaxed Metrics on Domains
The motivations behind the notion of relaxed metric, its computational meaning and its relationships with partial metrics [14] were explained in [3]. Here we focus on the definitions and basic properties, revisit the issue of specific axioms of partial metrics, and list the relevant open problems.
The distance domain consists of pairs ⟨a, b⟩ (also denoted as [a, b]) of non-negative reals (+∞ included), such that a ≤ b. We denote this domain as R^I. [a, b] ⊑_{R^I} [c, d] iff a ≤ c and d ≤ b. We can also think about R^I as a subset of R^+ × R^-, where ⊑_{R^+} = ≤, ⊑_{R^-} = ≥, and both R^+ and R^- consist of the non-negative reals and +∞. We call R^+ a domain of lower bounds, and R^- a domain of upper bounds. Thus a distance function ρ : A × A → R^I can be thought of as a pair of distance functions ⟨l, u⟩, l : A × A → R^+, u : A × A → R^-.
Definition 5.1. A symmetric function u : A × A → R^- is called a relaxed metric when it satisfies the triangle inequality. A symmetric function ρ : A × A → R^I is called a relaxed metric when its upper part u is a relaxed metric.
An open ball with a center x ∈ A and a real radius ε is defined as B_{x,ε} = {y ∈ A | u(x, y) < ε}. Notice that only upper bounds are used in this definition — the ball only includes those points y about which we are sure that they are not too far from x.
We should formulate the notion of a relaxed metric open set more carefully than for ordinary metrics, because it is now possible to have a ball of a non-zero positive radius which does not contain its own center.
Definition 5.2. A subset U of A is relaxed metric open if for any point x ∈ U there is an ε > u(x, x) such that B_{x,ε} ⊆ U.
It is easy to show that for a continuous relaxed metric on a dcpo all relaxed metric open sets are Scott open and form a topology.

5.1 Partial Metrics
The distances p with p(x, x) ≠ 0 were first introduced by Matthews [14,13]. They are known as partial metrics and obey the following axioms:
1. x = y iff p(x, x) = p(x, y) = p(y, y).
2. p(x, x) ≤ p(x, y).
3. p(x, y) = p(y, x).
4. p(x, z) ≤ p(x, y) + p(y, z) − p(y, y).
Whenever partial metrics are used to describe a partially ordered domain, a stronger form of the first two axioms is used: if x ⊑ y then p(x, x) = p(x, y), otherwise p(x, x) < p(x, y). We include the stronger form in the definition of partial metrics for the purposes of this paper.
Section 8.1 of [3] discusses the issue of whether the axioms u(x, x) ≤ u(x, y) and u(x, z) ≤ u(x, y) + u(y, z) − u(y, y) should hold for the upper bounds of relaxed metrics. In particular, the approach in this paper is based on u(x, y) = 1 − µ(Common information between x and y) and thus, as will be explained in detail in the next section, the axioms of partial metrics hold. Further discussion of the utilitarian value of these axioms can be found in [4].
6 Partial and Relaxed Metrics via Information

6.1 µInfo-structures
Some of the earlier known constructions of partial metrics can be understood via the mechanism of common information between elements x and y bringing a negative contribution to u(x, y) (see [3, Section 8]). This can be further formalized as follows.
Assume that there is a set I representing information about elements of a dcpo A. We choose a ring, M(I), of admissible subsets of I and introduce a measure-like structure, µ, on M(I). We associate a set, Info(x) ∈ M(I), with every x ∈ A, and call Info(x) a set of (positive) information about x. We also would like to consider negative information about x, Neginfo(x) ∈ M(I) — intuitively speaking, this is information which cannot become true about x when x is arbitrarily increased.
Definition 6.1. Given a dcpo A, the tuple (A, I, M(I), µ, Info, Neginfo) is called a µInfo-structure on A, if M(I) ⊆ P(I) is a ring of subsets closed with respect to ∩, ∪, \ and including ∅ and I, µ : M(I) → [0, 1], Info : A → M(I), and Neginfo : A → M(I), and the following axioms are satisfied:
1. (VALUATION AXIOMS)
 (a) µ(I) = 1, µ(∅) = 0;
 (b) U ⊆ V ⇒ µ(U) ≤ µ(V);
 (c) µ(U) + µ(V) = µ(U ∩ V) + µ(U ∪ V);
2. (Info AXIOMS)
 (a) x ⊑ y ⇔ Info(x) ⊆ Info(y);
 (b) x ⊏ y ⇒ Info(x) ⊂ Info(y);
3. (Neginfo AXIOMS)
 (a) Info(x) ∩ Neginfo(x) = ∅;
 (b) x ⊑ y ⇒ Neginfo(x) ⊆ Neginfo(y);
4. (STRONG RESPECT FOR TOTALITY) x ∈ Total(A) ⇒ Info(x) ∪ Neginfo(x) = I;
5. (CONTINUITY OF INDUCED RELAXED METRIC) if B is a directed subset of A and y ∈ A, then
 (a) µ(Info(⊔B) ∩ Info(y)) = sup_{x∈B} µ(Info(x) ∩ Info(y)),
 (b) µ(Info(⊔B) ∩ Neginfo(y)) = sup_{x∈B} µ(Info(x) ∩ Neginfo(y)),
 (c) µ(Neginfo(⊔B) ∩ Info(y)) = sup_{x∈B} µ(Neginfo(x) ∩ Info(y)),
 (d) µ(Neginfo(⊔B) ∩ Neginfo(y)) = sup_{x∈B} µ(Neginfo(x) ∩ Neginfo(y));
6. (SCOTT OPEN SETS ARE RELAXED METRIC OPEN) for any (basic) Scott open set U ⊆ A and x ∈ U, there is an ε > 0 such that ∀y ∈ A. µ(Info(x)) − µ(Info(x) ∩ Info(y)) < ε ⇒ y ∈ U.
In terms of lattice theory, µ is a (normalized) valuation on the lattice M(I). The consideration of unbounded measures is beyond the scope of this paper, and µ(I) = 1 is assumed for convenience. Axioms relating ⊑ and Info are in the spirit of information systems [17], although we are not considering any inference structure over I in this paper.
The requirements for negative information are relatively weak, because it is quite natural to have ∀x ∈ A. Neginfo(x) = ∅ if A has a top element. The axiom that for x ∈ Total(A), Info(x) ∪ Neginfo(x) = I is desirable because indeed, if some i ∈ I does not belong to Info(x) and x cannot be further increased, then by our intuition behind Neginfo(x), i should belong to Neginfo(x). However, this axiom might be too strong and will be further discussed later.
The last two axioms are not quite satisfactory — they almost immediately imply the properties after which they are named, but they are complicated and might be difficult to establish. We hope that these axioms will be replaced by something more tractable in the future. One of the obstacles seems to be the fact that in some valuable approaches (in particular, in this paper) it is not correct that x_1 ⊑ x_2 ⊑ ··· implies that Info(⊔_{i∈N} x_i) = ⋃_{i∈N} Info(x_i).
The nature of these set-theoretical representations, I, of domains may vary: one can consider sets of tokens of information systems, powersets of domain bases, powersets of domains themselves, custom-made sets for specific domains, etc. The approach via powersets of domain bases (see [3]) can be thought of as a partial case of the approach via powersets of domains themselves adopted in the present paper.

6.2 Partial and Relaxed Metrics via µInfo-structures
Define the (upper estimate of the) distance between x and y from A as u : A × A → R^-: u(x, y) = 1 − µ(Info(x) ∩ Info(y)) − µ(Neginfo(x) ∩ Neginfo(y)). I.e. the more information x and y have in common, the smaller is the distance between them. However, a partially defined element might not have much information at all, so its self-distance u(x, x) = 1 − µ(Info(x)) − µ(Neginfo(x)) might be large.
It is possible to find information which will never belong to Info(x) ∩ Info(y) or Neginfo(x) ∩ Neginfo(y) even when x and y are arbitrarily increased. In particular, Info(x) ∩ Neginfo(y) and Info(y) ∩ Neginfo(x) represent such information. Then we can introduce the lower estimate of the distance l : A × A → R^+: l(x, y) = µ(Info(x) ∩ Neginfo(y)) + µ(Info(y) ∩ Neginfo(x)). The proof of Lemma 9 of [3] is directly applicable and yields l(x, y) ≤ u(x, y). Thus we can form an induced relaxed metric, ρ : A × A → R^I, ρ = ⟨l, u⟩, with a meaningful lower bound.
The following theorem is proved in [4] without using the strong respect for totality axiom.
Theorem 61 Function u is a partial metric. Function ρ is a continuous relaxed metric. The relaxed metric topology coincides with the Scott topology.
Due to the axiom ∀x ∈ Total(A). Info(x) ∪ Neginfo(x) = I, the proof of Lemma 10 of [3] would go through, yielding x, y ∈ Total(A) ⇒ l(x, y) = u(x, y) and allowing one to obtain the following theorem (cf. Theorem 8 of [3]).
Theorem 62 For all x and y from Total(A), l(x, y) = u(x, y). Consider d : Total(A) × Total(A) → R, d(x, y) = l(x, y) = u(x, y). Then (Total(A), d) is a metric space, and its metric topology is the subspace topology induced by the Scott topology on A.
However, in [3] x ∈ Total(A) ⇒ Info(x) ∪ Neginfo(x) = I holds under an awkward condition, the regularity of the basis. While bases of algebraic Scott domains and of continuous lattices can be made regular, there are important continuous Scott domains which cannot be given regular bases. In particular, in R^I no element except for ⊥ satisfies the condition of regularity, hence a regular basis cannot be provided for R^I. The achievement of the construction to be described in Section 6.4 is that by removing the reliance on the weights of non-compact basic elements, it eliminates the regularity requirement and implies x ∈ Total(A) ⇒ Info(x) ∪ Neginfo(x) = I for all continuous Scott domains equipped with a CC-valuation (which is built above for all continuous Scott domains with countable bases), where Info(x) and Neginfo(x) are as described below in Subsection 6.4. However, it still might be fruitful to consider replacing the axiom ∀x ∈ Total(A). Info(x) ∪ Neginfo(x) = I by something like ∀x ∈ Total(A). µ(I \ (Info(x) ∪ Neginfo(x))) = 0.

6.3 A Previously Known Construction
Here we recall a construction from [3] based on the generally non-co-continuous valuation of Subsection 3.1. We will reformulate it in our terms of µInfo-structures. In [3] it was natural to think that I = K. Here we reformulate that construction in terms of I = A, thus abandoning the condition x ∈ Total(A) ⇒ Info(x) ∪ Neginfo(x) = I altogether.
Define I_x = {y ∈ A | {x, y} is unbounded}, P_x = {y ∈ A | y ≪ x} (cf. I_x = {k ∈ K | {k, x} is unbounded}, K_x = {k ∈ K | k ≪ x} in [3]). Define Info(x) = P_x, Neginfo(x) = I_x. Consider the valuation µ of Subsection 3.1: for any S ⊂ I = A, µ(S) = ∑_{k∈S∩K} w(k). µ is a continuous, strongly non-degenerate valuation, but it is not co-continuous unless K consists only of compact elements. Because of this we cannot replace the inconvenient definition Info(x) = P_x by Info(x) = C_x = {y ∈ A | y ⊑ x} (which would restore the condition x ∈ Total(A) ⇒ Info(x) ∪ Neginfo(x) = A), as µ(C_k) would not be equal to sup_{k'≪k} µ(C_{k'}) if k is a non-compact basic element, leading to the non-continuity of the partial metric u(x, y).
Also the reliance on countable systems of finite weights excludes such natural partial metrics as u : R^-_{[0,1]} × R^-_{[0,1]} → R^-, where R^-_{[0,1]} is the set [0, 1] equipped with the dual partial order ⊑ = ≥, and u(x, y) = max(x, y). We rectify all these problems in the next Subsection.

6.4 Partial and Relaxed Metrics via CC-valuations
Assume that there is a CC-valuation µ(U) on the Scott open sets of a domain A. Then it uniquely extends to an additive measure µ on the ring of sets generated by the system of open sets. Define I = A, Info(x) = C_x, Neginfo(x) = I_x. It is easy to see that the valuation, Info, and Neginfo axioms of a µInfo-structure hold. We have x ∈ Total(A) ⇒ C_x ∪ I_x = A. Thus we only need to establish the axioms of continuity of the induced relaxed metric and of Scott open sets being relaxed metric open in order to prove Theorems 61 and 62 for our induced relaxed metric (u(x, y) = 1 − µ(C_x ∩ C_y) − µ(I_x ∩ I_y), l(x, y) = µ(C_x ∩ I_y) + µ(C_y ∩ I_x)). These axioms are established by the Lemmas below. One can also see that for such bare-bones partial metrics as u(x, y) = 1 − µ(C_x ∩ C_y), which are nevertheless quite sufficient for topological purposes and for domains with ⊤, only co-continuity matters; continuity is not important.
Observe also that since the construction in Section 3.1 does form a CC-valuation for algebraic Scott domains with bases of compact elements, the construction in [3] can be considered as a partial case of our current construction if the basis does not contain non-compact elements.
Lemma 61 Assume that µ is a co-continuous valuation and B is a directed subset of A. Then µ(C_{⊔B} ∩ Q) = sup_{x∈B} µ(C_x ∩ Q), where Q is a closed or open subset of A.
Remark: Note that continuity of µ is not required here.
Lemma 62 Assume that µ is a continuous valuation and B is a directed subset of A. Then µ(I_{⊔B} ∩ Q) = sup_{x∈B} µ(I_x ∩ Q), where Q is an open or closed subset of A.
Remark: Co-continuity is not needed here.
Lemma 63 Assume that µ is a strongly non-degenerate valuation. Then the µInfo-structure axiom “Scott open sets are relaxed metric open” holds.
Remark: Neither continuity nor co-continuity is required, and even the strong non-degeneracy condition can probably be made weaker (see the next Section).
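The following Python script is an added illustration, not code from the paper: it carries the construction of Subsections 3.1 and 6.4 through on a small constructed finite poset (every element of a finite poset is compact, so the weight-based valuation of Subsection 3.1 is a CC-valuation there, and the case of Section 3.1 mentioned in the paragraph above applies), and then checks the partial-metric axioms of Subsection 5.1 in their strong order form together with l ≤ u and l = u on Total(A), i.e. the content of Theorems 61 and 62 for this instance. The poset, the weights w(k) = 1/5 and all function names are assumptions of the example.

```python
from fractions import Fraction

# Constructed example poset A (not from the paper), given by its Hasse diagram:
#   bot < a < c,  bot < b < c,  a < d.     c and d are the maximal elements.
# Every element of a finite poset is compact, so the weight valuation of
# Subsection 3.1 is a CC-valuation and Subsection 6.4 applies with
# Info(x) = C_x and Neginfo(x) = I_x.
ELEMENTS = ("bot", "a", "b", "c", "d")
COVERS = {("bot", "a"), ("bot", "b"), ("a", "c"), ("b", "c"), ("a", "d")}


def order_relation():
    """Reflexive-transitive closure of COVERS: the set of pairs (x, y) with x ⊑ y."""
    leq = {(x, x) for x in ELEMENTS} | set(COVERS)
    for k in ELEMENTS:  # Warshall closure
        for i in ELEMENTS:
            for j in ELEMENTS:
                if (i, k) in leq and (k, j) in leq:
                    leq.add((i, j))
    return leq


LEQ = order_relation()
# Weights w(k) > 0 with sum 1 (an arbitrary choice for the example).
WEIGHT = {x: Fraction(1, 5) for x in ELEMENTS}


def mu(S):
    """mu(S) = sum of w(k) over k in S, the valuation of Subsection 3.1."""
    return sum((WEIGHT[k] for k in S), Fraction(0))


def C(x):
    """C_x = {y | y ⊑ x}: positive information about x."""
    return frozenset(y for y in ELEMENTS if (y, x) in LEQ)


def bounded(x, y):
    """{x, y} is bounded iff some z lies above both."""
    return any((x, z) in LEQ and (y, z) in LEQ for z in ELEMENTS)


def I(x):
    """I_x = {y | {x, y} is unbounded}: negative information about x."""
    return frozenset(y for y in ELEMENTS if not bounded(x, y))


def u(x, y):
    """Upper bound of the induced relaxed metric (Subsection 6.4)."""
    return 1 - mu(C(x) & C(y)) - mu(I(x) & I(y))


def l(x, y):
    """Lower bound of the induced relaxed metric (Subsection 6.2)."""
    return mu(C(x) & I(y)) + mu(C(y) & I(x))


# Total(A): elements with nothing strictly above them.
TOTAL = frozenset(x for x in ELEMENTS
                  if all(y == x for y in ELEMENTS if (x, y) in LEQ))


def partial_metric_axioms_hold():
    """Check the axioms of Subsection 5.1 (symmetry, the strong order form of
    axioms 1-2, the Vickers-Matthews triangle inequality), l <= u everywhere,
    and l = u on Total(A); also that mu is normalized."""
    for x in ELEMENTS:
        for y in ELEMENTS:
            if u(x, y) != u(y, x):
                return False
            if (x, y) in LEQ and u(x, x) != u(x, y):
                return False
            if (x, y) not in LEQ and not u(x, x) < u(x, y):
                return False
            if l(x, y) > u(x, y):
                return False
            if x in TOTAL and y in TOTAL and l(x, y) != u(x, y):
                return False
            for z in ELEMENTS:
                if u(x, z) > u(x, y) + u(y, z) - u(y, y):
                    return False
    return mu(frozenset(ELEMENTS)) == 1


if __name__ == "__main__":
    print("axioms hold:", partial_metric_axioms_hold())
    print("u(c, d) =", u("c", "d"), " l(c, d) =", l("c", "d"))
    print("u(bot, bot) =", u("bot", "bot"), " u(c, c) =", u("c", "c"))
```

Two features of the construction are visible in the output: the maximal elements c and d have self-distance 0 and l(c, d) = u(c, d) = 3/5, because C_x ∪ I_x = A for x ∈ Total(A), while the partial element bot has self-distance 4/5, reflecting how little information it carries.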
7 Examples and Non-degeneracy Issues
In this section we show some examples of “nice” partial metrics, based on valuations for vertical and interval domains of real numbers. Some of these valuations are strongly non-degenerate, while others are not, yet all examples are quite natural.

Consider the example from Subsection 3.2. The partial metric based on the strongly non-degenerate valuation µ' of that example would be u'(x, y) = (1 − min(x, y))/(1+), if x, y > 0, and u'(x, y) = 1, if x or y equals 0. However, another nice valuation, µ'', can be defined on the basis of µ of Subsection 3.2: µ''((x, 1]) = µ((x, 1]) = 1 − x, µ''([0, 1]) = 1. µ'' is not strongly non-degenerate; however, it yields the nice partial metric u''(x, y) = 1 − min(x, y), yielding the Scott topology.

Now we consider several valuations and distances on the domain of interval numbers located within the segment [0, 1]. This domain can be thought of as a triangle of pairs ⟨x, y⟩, 0 ≤ x ≤ y ≤ 1. Various valuations can either be concentrated on 0 < x ≤ y < 1, or on x = 0, 0 ≤ y ≤ 1 and y = 1, 0 ≤ x ≤ 1, or, to ensure non-degeneracy, on both of these areas with an extra weight at ⟨0, 1⟩. Among all these measures, the classical partial metric u([x, y], [x', y']) = max(y, y') − min(x, x') results from the valuation accumulated at x = 0, 0 ≤ y ≤ 1, and y = 1, 0 ≤ x ≤ 1, namely µ(U) = (Length({x = 0, 0 ≤ y ≤ 1} ∩ U) + Length({y = 1, 0 ≤ x ≤ 1} ∩ U))/2. Partial metrics generated by strongly non-degenerate valuations contain quadratic expressions. It is our current feeling that, instead of trying to formalize weaker non-degeneracy conditions, it is fruitful to build a µInfo-structure based on I = [0, 1] + [0, 1] in situations like this.
8 Conclusion
We introduced notions of co-continuous valuations and CC-valuations, and built CC-valuations for all continuous dcpo’s with countable bases. Given such a valuation, we presented a new construction of partial and relaxed metrics for all continuous Scott domains, improving a construction known before. The key open problem is to learn to construct not just topologically correct, but canonical measures and relaxed metrics for higher-order functional domains and reflexive domains, and also to learn how to compute these measures and metrics quickly.
Acknowledgements

The authors benefited from discussions with Michael Alekhnovich, Reinhold Heckmann, Klaus Keimel, Harry Mairson, Simon O’Neill, Joshua Scott and from the detailed remarks made by the referees. They thank Gordon Plotkin for helpful references. They are especially thankful to Abbas Edalat for his suggestion to think about continuous valuations instead of measures in this context, and to Alexander Artemyev for his help in organizing this joint research effort.
References

1. Aleksandrov P.S. Combinatory Topology, vol. 1, Graylock Press, Rochester, NY, 1956, p. 28.
2. Alvarez M., Edalat A., Saheb-Djahromi N. An extension result for continuous valuations, 1997, available via URL http://theory.doc.ic.ac.uk/people/Edalat/extensionofvaluations.ps.Z
3. Bukatin M.A., Scott J.S. Towards computing distances between programs via Scott domains. In S. Adian, A. Nerode, eds., Logical Foundations of Computer Science, Lecture Notes in Computer Science, 1234, 33–43, Springer, 1997.
4. Bukatin M.A., Shorina S.Yu. Partial Metrics and Co-continuous Valuations (Extended Version), Unpublished notes, 1997, available via one of the URLs http://www.cs.brandeis.edu/~bukatin/ccval draft.{dvi,ps.gz}
5. Edalat A. Domain theory and integration. Theoretical Computer Science, 151 (1995), 163–193.
6. Flagg R. Constructing CC-Valuations, Unpublished notes, 1997. Available via URL http://macweb.acs.usm.maine.edu/math/archive/flagg/biCts.ps
7. Flagg R., Kopperman R. Continuity spaces: Reconciling domains and metric spaces. Theoretical Computer Science, 177 (1997), 111–138.
8. Gierz G., Hofmann K., Keimel K., Lawson J., Mislove M., Scott D. A Compendium of Continuous Lattices, Springer, 1980.
9. Heckmann R. Approximation of metric spaces by partial metric spaces. To appear in Applied Categorical Structures, 1997.
10. Hoofman R. Continuous information systems. Information and Computation, 105 (1993), 42–71.
11. Jones C. Probabilistic Non-determinism, PhD Thesis, University of Edinburgh, 1989. Available via URL http://www.dcs.ed.ac.uk/lfcsreps/EXPORT/90/ECS-LFCS-90-105/index.html
12. Keimel K. Bi-continuous Valuations, to appear in the Proceedings of the Third Workshop on Computation and Approximation, University of Birmingham, Sept. 1997. Available via URL http://theory.doc.ic.ac.uk/forum/comprox/data/talk.3.1.6.ps.gz
13. Matthews S.G. An extensional treatment of lazy data flow deadlock. Theoretical Computer Science, 151 (1995), 195–205.
14. Matthews S.G. Partial metric topology. In S. Andima et al., eds., Proc. 8th Summer Conference on General Topology and Applications, Annals of the New York Academy of Sciences, 728, 183–197, New York, 1994.
15. O’Neill S.J. Partial metrics, valuations and domain theory. In S. Andima et al., eds., Proc. 11th Summer Conference on General Topology and Applications, Annals of the New York Academy of Sciences, 806, 304–315, New York, 1997.
16. Pettis B.J. On the extension of measures. Annals of Mathematics, 54 (1951), 186–197.
17. Scott D.S. Domains for denotational semantics. In M. Nielsen, E. M. Schmidt, eds., Automata, Languages, and Programming, Lecture Notes in Computer Science, 140, 577–613, Springer, 1982.
18. Tix R. Stetige Bewertungen auf topologischen Räumen (Continuous Valuations on Topological Spaces, in German), Diploma Thesis, Darmstadt Institute of Technology, 1995. Available via URL http://www.mathematik.th-darmstadt.de/ags/ag14/papers/papers.html
Mobile Ambients Luca Cardelli*
Andrew D. Gordon*
Digital Equipment Corporation Systems Research Center
University of Cambridge Computer Laboratory
Abstract We introduce a calculus describing the movement of processes and devices, including movement through administrative domains.
1 Introduction There are two distinct areas of work in mobility: mobile computing, concerning computation that is carried out in mobile devices (laptops, personal digital assistants, etc.), and mobile computation, concerning mobile code that moves between devices (applets, agents, etc.). We aim to describe all these aspects of mobility within a single framework that encompasses mobile agents, the ambients where agents interact and the mobility of the ambients themselves. The inspiration for this work comes from the potential for mobile computation over the World-Wide Web. The geographic distribution of the Web naturally calls for mobility of computation, as a way of flexibly managing latency and bandwidth. Because of recent advances in networking and language technology, the basic tenets of mobile computation are now technologically realizable. The high-level software architecture potential, however, is still largely unexplored. The main difficulty with mobile computation on the Web is not in mobility per se, but in the handling of administrative domains. In the early days of the Internet one could rely on a flat name space given by IP addresses; knowing the IP address of a computer would very likely allow one to talk to that computer in some way. This is no longer the case: firewalls partition the Internet into administrative domains that are isolated from each other except for rigidly controlled pathways. System administrators enforce policies about what can move through firewalls and how. Mobility requires more than the traditional notion of authorization to run or to access information in certain domains: it involves the authorization to enter or exit certain domains. In particular, as far as mobile computation is concerned, it is not realistic to imagine that an agent can migrate from any point A to any point B on the Internet. 
Rather, an agent must first exit its administrative domain (obtaining permission to do so), enter someone else’s administrative domain (again, obtaining permission to do so) and then enter a protected area of some machine where it is allowed to run (after obtaining permission to do so). Access to information is controlled at many levels, thus multiple levels of authorization may be involved. Among these levels we have: local computer, local area network, regional area network, wide-area intranet and internet. Mobile programs must be equipped to navigate this hierarchy of administrative domains, at every step obtaining authorization to move further. Similarly, laptops must be equipped to access resources depending on their location in the administrative hierarchy. Therefore, at the most fundamental level we need to capture notions of locations, of mobility and of authorization to move.

With these motivations, we adopt a paradigm of mobility where computational ambients are hierarchically structured, where agents are confined to ambients and where ambients move under the control of agents. A novelty of this approach is in allowing the movement of self-contained nested environments that include data and live computation, as opposed to the more common techniques that move single agents or individual objects. Our goal is to make mobile computation scale up to widely distributed, intermittently connected and well administered computational environments.

This paper is organized as follows. In the rest of Section 1 we introduce our basic concepts and we compare them to previous and current work. In Section 2 we describe a calculus based exclusively on mobility primitives, and we use it to represent basic notions such as numerals and Turing machines, and to code a firewall-crossing protocol. In Section 3 we extend our calculus with local communication, and we show how we can represent more general communication mechanisms as well as the π-calculus.

* Current affiliation: Microsoft Research.

1.1 Ambients

Ambients have the following main characteristics. An ambient is a bounded place where computation happens. The interesting property here is the existence of a boundary around an ambient. If we want to move computations easily we must be able to determine what should move; a boundary determines what is inside and what is outside an ambient. Examples of ambients, in this sense, are: a web page (bounded by a file), a virtual address space (bounded by an addressing range), a Unix file system (bounded within a physical volume), a single data object (bounded by “self”) and a laptop (bounded by its case and data ports).
Non-examples are: threads (where the boundary of what is “reachable” is difficult to determine) and logically related collections of objects. We can already see that a boundary implies some flexible addressing scheme that can denote entities across the boundary; examples are symbolic links, Uniform Resource Locators and Remote Procedure Call proxies. Flexible addressing is what enables, or at least facilitates, mobility. It is also, of course, a cause of problems when the addressing links are “broken”. An ambient can be nested within other ambients. As we discussed, administrative domains are (often) organized hierarchically. If we want to move a running application from work to home, the application must be removed from an enclosing (work) ambient and inserted into another enclosing (home) ambient. A laptop may need a removal pass to leave a workplace, and a government pass to leave or enter a country. An ambient can be moved as a whole. If we move a laptop to a different network, all the address spaces and file systems within it move accordingly. If we move an agent from one computer to another, its local data moves accordingly. Each ambient has a name that is used to control access to the ambient. A name is something that can be created and passed around, and from which access capabilities can be extracted. In a realistic situation the true name of an ambient would be guarded very closely, and only specific capabilities would be handed out.
1.2 Technical Context: Systems

Many software systems have explored and are exploring notions of mobility. Obliq [5] attacks the problems of distribution and mobility for intranet computing. Obliq works well for its intended application, but is not really suitable for computation and mobility over the Web (like other distributed paradigms based on the remote procedure call model) because of the fragility of network proxies over the Web. Our ambient model is partially inspired by Telescript [16], but is almost dual to it. In Telescript, agents move whereas places stay put. Ambients, instead, move whereas agents are confined to ambients. A Telescript agent, however, is itself a little ambient, since it contains a “suitcase” of data. Some nesting of places is allowed in Telescript. Java [11] provides a working framework for mobile computation, as well as a widely available infrastructure on which to base more ambitious mobility efforts. Linda [6] is a “coordination language” where multiple processes interact in a common space (called a tuple space) by exchanging tokens asynchronously. Distributed versions of Linda exist that use multiple tuple spaces and allow remote operations. A dialect of Linda [7] allows nested tuple spaces, but not mobility of the tuple spaces.

1.3 Technical Context: Formalisms

Many existing calculi have provided inspiration for our work. The π-calculus [15] is a process calculus where channels can “move” along other channels. The movement of processes is represented as the movement of channels that refer to processes. Therefore, there is no clear indication that processes themselves move. For example, if a channel crosses a firewall (that is, if it is communicated to a process meant to represent a firewall), there is no clear sense in which the process has also crossed the firewall. In fact, the channel may cross several independent firewalls, but a process could not be in all those places at once.
Nonetheless, many fundamental π-calculus concepts and techniques underlie our work. The spi calculus [1] extends the π-calculus with cryptographic primitives. The need for such extensions does not seem to arise immediately within our ambient calculus. Some of the motivations for the spi calculus extension are already covered by the notion of encapsulation within an ambient. However, we do not know yet how extensively we can use our ambient primitives for cryptographic purposes. The Chemical Abstract Machine [3] is a semantic framework, rather than a specific formalism. Its basic notions of reaction in a solution and of membranes that isolate subsolutions, closely resemble ambient notions. However, membranes are not meant to provide strong protection, and there is no concern for mobility of subsolutions. Still, we adopt a “chemical style” in presenting our calculus. The join-calculus [9] is a reformulation of the π-calculus with a more explicit notion of places of interaction; this greatly helps in building distributed implementations of channel mechanisms. The distributed join-calculus [10] adds a notion of named locations, with essentially the same aims as ours, and a notion of distributed failure. Locations in the distributed join-calculus form a tree, and subtrees can migrate from one part of the tree to another. A main difference with our ambients is that movement may happen directly from any active location to any other known location. LLinda [8] is a formalization of Linda using process calculi techniques. As in distributed versions of Linda, LLinda has multiple distributed tuple spaces. Multiple tuple spaces are very similar in spirit to multiple ambients, but Linda’s tuple spaces do not nest, and there are no restrictions about accessing a tuple space from another one. Finally, a growing body of literature is concentrating on the idea of adding discrete locations to a process calculus and considering failure of those locations [2, 10]. Our notion of locality is built into our basic calculus. It is induced by a non-trivial and dynamic topology of locations, in the sense that a location that is “far” from the current one can only be reached through multiple individual moves. Failure of a location can be represented as becoming forever unreachable.
2 Mobility

We begin by describing a minimal calculus of ambients that includes only mobility primitives. Still, we shall see that this calculus is quite expressive. In Section 3 we then add communication primitives.

2.1 Mobility Primitives

The syntax of the calculus is defined in the following table. The main syntactic categories are processes (including ambients and agents that execute actions) and capabilities.

Mobility Primitives
P,Q ::=          processes
  (νn)P          restriction
  0              inactivity
  P | Q          composition
  !P             replication
  n[P]           ambient
  M.P            action

n                names

M ::=            capabilities
  in n           can enter n
  out n          can exit n
  open n         can open n

Syntactic conventions
(νn)P | Q = ((νn)P) | Q
!P | Q = (!P) | Q
M.P | Q = (M.P) | Q

(νn1...nm)P ≜ (νn1)...(νnm)P
n[] ≜ n[0]
M ≜ M.0   (where appropriate)

The first four process primitives (restriction, inactivity, composition and replication) have the same meaning as in the π-calculus (see Section 2.3), namely: restriction is used to introduce new names and limit their scope; 0 has no behavior; P | Q is the parallel composition of P and Q; and !P is an unbounded number of parallel replicas of P. The main difference with respect to the π-calculus is that names are used to name ambients instead of channels. To these standard primitives we add ambients, n[P], and the exercise of capabilities, M.P. Next we discuss these new primitives in detail.

2.2 Explanations

We begin by introducing the semantics of ambients informally. A reduction relation P → Q describes the evolution of a process P into a new process Q.
Ambients

An ambient is written n[P], where n is the name of the ambient, and P is the process running inside the ambient. In n[P], it is understood that P is actively running, and that P can be the parallel composition of several processes. We emphasize that P is running even when the surrounding ambient is moving. Running while moving may or may not be realistic, depending on the nature of the ambient and of the communication medium through which the ambient moves, but it is consistent to think in those terms. We express the fact that P is running by a rule that says that any reduction of P becomes a reduction of n[P]:

P → Q ⇒ n[P] → n[Q]

In general, an ambient exhibits a tree structure induced by the nesting of ambient brackets. Each node of this tree structure may contain a collection of (non-ambient) processes running in parallel, in addition to subambients. We say that these processes are running in the ambient, in contrast to the ones running in subambients. Nothing prevents the existence of two or more ambients with the same name, either nested or at the same level. Once a name is created, it can be used to name multiple ambients. Moreover, !n[P] generates multiple ambients with the same name. This way, for example, one can easily model the replication of services.

Actions and Capabilities

Operations that change the hierarchical structure of ambients are sensitive. In particular such operations can be interpreted as the crossing of firewalls or the decoding of ciphertexts. Hence these operations are restricted by capabilities. Thanks to capabilities, an ambient can allow other ambients to perform certain operations without having to reveal its true name. With the communication primitives of Section 3, capabilities can be transmitted as values. The process M. P executes an action regulated by the capability M, and then continues as the process P. The process P does not start running until the action is executed. The reduction rules for M. P depend on the capability M, and are described below case by case. We consider three kinds of capabilities: one for entering an ambient, one for exiting an ambient and one for opening up an ambient. Capabilities are obtained from names; given a name n, the capability in n allows entry into n, the capability out n allows exit out of n and the capability open n allows the opening of n. Implicitly, the possession of one or all of these capabilities for n is insufficient to reconstruct the original name n. An entry capability, in m, can be used in the action in m. P, which instructs the ambient surrounding in m. P to enter a sibling ambient named m. If no sibling m can be found, the operation blocks until a time when such a sibling exists. If more than one m sibling exists, any one of them can be chosen. The reduction rule is:

n[in m. P | Q] | m[R] → m[n[P | Q] | R]

If successful, this reduction transforms a sibling n of an ambient m into a child of m. After the execution, the process in m. P continues with P, and both P and Q find themselves at a lower level in the tree of ambients.
An exit capability, out m, can be used in the action out m. P, which instructs the ambient surrounding out m. P to exit its parent ambient named m. If the parent is not named m, the operation blocks until a time when such a parent exists. The reduction rule is:

m[n[out m. P | Q] | R] → n[P | Q] | m[R]

If successful, this reduction transforms a child n of an ambient m into a sibling of m. After the execution, the process out m. P continues with P, and both P and Q find themselves at a higher level in the tree of ambients. An opening capability, open n, can be used in the action open n. P. This action provides a way of dissolving the boundary of an ambient named n located at the same level as open, according to the rule:

open n. P | n[Q] → P | Q

If no ambient n can be found, the operation blocks until a time when such an ambient exists. If more than one ambient n exists, any one of them can be chosen. An open operation may be upsetting to both P and Q above. From the point of view of P, there is no telling in general what Q might do when unleashed. From the point of view of Q, its environment is being ripped open. Still, this operation is relatively well-behaved because: (1) the dissolution is initiated by the agent open n. P, so that the appearance of Q at the same level as P is not totally unexpected; (2) open n is a capability that is given out by n, so n[Q] cannot be dissolved if it does not wish to be.

Movement from the Inside or the Outside: Subjective vs. Objective

There are two natural kinds of movement primitives for ambients. The distinction is between “I make you move” from the outside (objective move) or “I move” from the inside (subjective move). Subjective moves have been described above. Objective moves (indicated by an mv prefix) obey the rules:

mv in m. P | m[R] → m[P | R]
m[mv out m. P | R] → P | m[R]

These two kinds of move operations are not trivially interdefinable. The objective moves have simpler rules. However, they operate only on ambients that are not active; they provide no way of moving an existing running ambient. The subjective moves, in contrast, cause active ambients to move and, together with open, can approximate the effect of objective moves (as we discuss later). In evaluating these alternative operations, one should consider who has the authority to move whom. In general, the authority to move rests in the top-level agents of an ambient, which naturally act as control agents. Control agents cannot be injected purely by subjective moves, since these moves handle whole ambients. With objective moves, instead, a control agent can be injected into an ambient simply by possessing an entry capability for it. As a consequence, objective moves and entry capabilities together provide the unexpected power of entrapping an ambient into a location it can never exit:

entrap m ≜ (νk) (k[] | mv in m. in k. 0)
entrap m | m[P] →* (νk) k[m[P]]
The open capability confers the right to dissolve an ambient from the outside and reveal its contents. It is interesting to consider an operation that dissolves an ambient from the inside, called acid:

m[acid. P | Q] → P | Q

Acid gives a simple encoding of objective moves:

mv in n.P ≜ (νq) q[in n. acid. P]
mv out n.P ≜ (νq) q[out n. acid. P]

Therefore, acid is as dangerous as objective moves, providing the power to entrap ambients. We shall see that open can be used to define a capability-restricted version of acid that does not lead to entrapment.

2.3 Operational Semantics

We now give an operational semantics of the calculus of Section 2.1, based on a structural congruence between processes, ≡, and a reduction relation →. This is a semantics in the style of Milner’s reaction relation [14] for the π-calculus, which was itself inspired by the Chemical Abstract Machine of Berry and Boudol [3].

Structural Congruence
P ≡ P
P ≡ Q ⇒ Q ≡ P
P ≡ Q, Q ≡ R ⇒ P ≡ R
P ≡ Q ⇒ (νn)P ≡ (νn)Q
P ≡ Q ⇒ P | R ≡ Q | R
P ≡ Q ⇒ !P ≡ !Q
P ≡ Q ⇒ n[P] ≡ n[Q]
P ≡ Q ⇒ M.P ≡ M.Q
P | Q ≡ Q | P
(P | Q) | R ≡ P | (Q | R)
!P ≡ P | !P
(νn)(νm)P ≡ (νm)(νn)P
(νn)(P | Q) ≡ P | (νn)Q   if n ∉ fn(P)
(νn)(m[P]) ≡ m[(νn)P]   if n ≠ m
P | 0 ≡ P
(νn)0 ≡ 0
!0 ≡ 0
Processes of the calculus are grouped into equivalence classes by the relation ≡, which denotes structural congruence (that is, equivalence up to trivial syntactic restructuring). In addition, we identify processes up to renaming of bound names: (νn)P = (νm)P{n←m} if m ∉ fn(P). By this we mean that these processes are understood to be identical (for example, by choosing an appropriate representation), as opposed to structurally equivalent. Note that the following terms are in general distinct:

!(νn)P ≢ (νn)!P             replication creates new names
n[P] | n[Q] ≢ n[P | Q]      multiple n ambients have separate identity
The behavior of processes is given by the following reduction relations. The first three rules are the one-step reductions for in, out and open. The next three rules propagate reductions across scopes, ambient nesting and parallel composition. The final rule allows the use of equivalence during reduction. Finally, →* is the reflexive and transitive closure of →.
Reduction
n[in m. P | Q] | m[R] → m[n[P | Q] | R]
m[n[out m. P | Q] | R] → n[P | Q] | m[R]
open n. P | n[Q] → P | Q
P → Q ⇒ (νn)P → (νn)Q
P → Q ⇒ n[P] → n[Q]
P → Q ⇒ P | R → Q | R
P’ ≡ P, P → Q, Q ≡ Q’ ⇒ P’ → Q’

2.4 Example: Locks

We can use open to encode locks that are released and acquired:

acquire n. P ≜ open n. P
release n. P ≜ n[] | P
This way, two agents can “shake hands” before proceeding with their execution:

acquire n. release m. P | release n. acquire m. Q

2.5 Example: Firewall Access

In this example, an agent crosses a firewall by means of previously arranged passwords k, k’, and k”. The agent exhibits the password k’ by using a wrapper ambient that has k’ as its name. The firewall, which has a secret name w, sends out a pilot ambient, k[out w. in k’. in w], to guide the agent inside. The pilot ambient enters an agent by performing in k’ (therefore verifying that the agent knows the password), and is given control by being opened. Then, in w transports the agent inside the firewall, where the password wrapper is discarded. The third name, k”, is needed to confine the contents Q of the agent and to prevent Q from interfering with the protocol. The final effect is that the agent physically crosses into the firewall; this can be seen below by the fact that Q is finally placed inside w. (For simplicity, this example is written to allow a single agent to enter.) Assume (fn(P) ∪ fn(Q)) ∩ {k, k’, k”} = ∅ and w ∉ fn(Q):

Firewall ≜ (νw) w[k[out w. in k’. in w] | open k’. open k”. P]
Agent ≜ k’[open k. k”[Q]]

There is no guarantee here that any particular agent will make it inside the firewall. Rather, the intended guarantee is that if any agent crosses the firewall, it must be one that knows the passwords. To express the security property of the firewall we introduce a notion of contextual equivalence, ≃. Let a context C[] be a process containing zero or more holes, and for any process P, let C[P] be the process obtained by filling each hole in C with a copy of P (names free in P may become bound). Then define:

P↓n ≜ P ≡ (νm1...mi) (n[P’] | P”)   where n ∉ {m1...mi}
P⇓n ≜ P →* Q and Q↓n
P ≃ Q ≜ for all n and C[], C[P]⇓n ⇔ C[Q]⇓n

If (fn(P) ∪ fn(Q)) ∩ {k, k’, k”} = ∅ and w ∉ fn(Q), then we can show that the interaction of the agent with the firewall produces the desired result up to contextual equivalence.
(νk k’ k”) (Agent | Firewall) ≃ (νw) w[Q | P]

Since contextual equivalence takes into account all possible contexts, the equation above states that the firewall crossing protocol works correctly in the presence of any possible attacker (that does not know the passwords) that may try to disrupt it.

2.6 Example: Objective Moves and Dissolution

Objective moves are not directly encodable. However, specific ambients can explicitly allow objective moves by using open:

allow n ≜ !open n
mv in n.P ≜ (νk) k[in n. in[out k. open k. P]]
mv out n.P ≜ (νk) k[out n. out[out k. open k. P]]
n↓[P] ≜ n[P | allow in]                  (n↓ allows mv in)
n↑[P] ≜ n[P] | allow out                 (n↑ allows mv out)
n↓↑[P] ≜ n[P | allow in] | allow out     (n↓↑ allows both mv in and mv out)

These definitions are to be used, for example, as follows:

mv in n.P | n↓↑[Q] →* n↓↑[P | Q]
n↓↑[mv out n.P | Q] →* P | n↓↑[Q]
Similarly, the acid primitive discussed previously is not encodable via open. However, we can code a form of planned dissolution:

acid n. P ≜ acid[out n. open n. P]

to be used with a helper process open acid as follows:

n[acid n. P | Q] | open acid →* P | Q
This form of acid is sufficient for uses in many encodings where it is necessary to dissolve ambients. Encodings are carefully planned, so it is easy to add the necessary open instructions. The main difference with the liberal form of acid is that acid n must name the ambient it is dissolving. More precisely, the encoding of acid n requires both an exit and an open capability for n.

2.7 Example: External Choice

A major feature of CCS [13] is the presence of a non-deterministic choice operator (+). We do not take + as a primitive, in the spirit of the asynchronous π-calculus, but we can approximate some aspects of it by the following definitions. The intent is that n⇒P + m⇒Q reduces to P in the presence of an n ambient, and reduces to Q in the presence of an m ambient.

n⇒P + m⇒Q ≜ (νp q r) (p[in n. out n. q[out p. open r. P]] | p[in m. out m. q[out p. open r. Q]] | open q | r[])

For example, assuming {p, q, r} ∩ fn(R) = ∅, we have:

(n⇒P + m⇒Q) | n[R] →*≡ P | n[R]
where the relation →*≡ is the relational composition of →* and ≡.

2.8 Example: Numerals

We represent the number i by a stack of nested ambients of depth i. For any natural number i, let i be the numeral for i:

0 ≜ zero[]
i+1 ≜ succ[open op | i]

The open op process is needed to allow ambients named op to enter the stack of ambients to operate on it. To show that arithmetic may be programmed on these numerals, we begin with an ifzero operation to tell whether a numeral represents 0 or not.

ifzero P Q ≜ zero⇒P + succ⇒Q
0 | ifzero P Q →* 0 | P
i+1 | ifzero P Q →* i+1 | Q

Next, we can encode increment and decrement operations.

inc.P ≜ ifzero (inczero.P) (incsucc.P)
inczero.P ≜ open zero. (1 | P)
incsucc.P ≜ (νp q) (p[succ[open op]] | open q. open p. P | op[in succ. in p. in succ. (q[out succ. out succ. out p] | open op)])
dec.P ≜ (νp) (op[in succ. p[out succ]] | open p. open succ. P)

These definitions satisfy:

i | inc.P →* i+1 | P
i+1 | dec.P →* i | P
Given that iterative computations can be programmed with replication, any arithmetic operation can be programmed with inc, dec and ifzero.

2.9 Example: Turing Machines

We emulate Turing machines in a “mechanical” style. A tape consists of a nested sequence of squares, each initially containing the flag ff[]. The first square has a distinguished name to indicate the end of the tape to the left:

end↓↑[ff[] | sq↓↑[ff[] | sq↓↑[ff[] | sq↓↑[ff[] | ... ]]]]

The head of the machine is an ambient that inhabits a square. The head moves right by entering the next nested square and moves left by exiting the current square. The head contains the program of the machine and it can read and write the flag in the current square. The trickiest part of the definition concerns extending the tape. Two tape-stretchers are placed at the beginning and end of the tape and continuously add squares.

if tt P, if ff Q ≜ tt⇒open tt. P + ff⇒open ff. Q

head ≜ head[!open S1.                          state #1 (example)
  mv out head.                                 jump out to read flag
  if tt (ff[] | mv in head. in sq. S2[]),      head right, state #2
  if ff (tt[] | mv in head. out sq. S3[])      head left, state #3
  | ...                                        more state transitions
  | S1[]]                                      initial state

stretchRht ≜                                   stretch tape right
  (νr) r[!open it. mv out r. (sq↓↑[ff[]] | mv in r. in sq. it[]) | it[]]

stretchLft ≜                                   stretch tape left
  !open it. mv in end. (mv out end. end↓↑[sq↓↑[] | ff[]] | in end. in sq. mv out end. open end. mv out sq. mv out end. it[]) | it[]

machine ≜ stretchLft | end↓↑[ff[] | head | stretchRht]
3 Communication

Although the pure mobility calculus is powerful enough to be Turing-complete, it has no communication or variable-binding operators. Such operators seem necessary, for example, to comfortably encode other formalisms such as the π-calculus. Therefore, we now have to choose a communication mechanism to be used to exchange messages between ambients. The choice of a particular mechanism is somewhat orthogonal to the mobility primitives. However, we should try not to defeat with communication the restrictions imposed by capabilities. This suggests that a primitive form of communication should be purely local, and that the transmission of non-local messages should be restricted by capabilities.

3.1 Communication Primitives

To focus our attention, we pose as a goal the ability to encode the asynchronous π-calculus. For this it is sufficient to introduce a simple asynchronous communication mechanism that works locally within a single ambient.

Mobility and Communication Primitives

P,Q ::=          processes
  (νn)P          restriction
  0              inactivity
  P|Q            composition
  !P             replication
  M[P]           ambient
  M.P            capability action
  (x).P          input action
  ⟨M⟩            async output action

M ::=            capabilities
  x              variable
  n              name
  in M           can enter into M
  out M          can exit out of M
  open M         can open M
  ε              null
  M.M'           path

We again start by displaying the syntax of a whole calculus. The mobility primitives are essentially those of section 2, but the addition of communication variables changes some of the details. More interestingly, we add input ((x).P) and output (⟨M⟩) primitives and we enrich the capabilities to include paths. We identify capabilities up to the following equations: L.(M.N) = (L.M).N and M.ε = M = ε.M. As a new syntactic convention, we have that (x).P | Q = ((x).P) | Q.

3.2 Explanations

Communicable Values
The entities that can be communicated are either names or capabilities. In realistic situations, communication of names should be rather rare, since knowing the name of an ambient gives a lot of control over it. Instead, it should be common to communicate restricted capabilities to allow controlled interactions between ambients. It now becomes useful to combine multiple capabilities into paths, especially when one or more of those capabilities are represented by input variables. To this end we introduce a path-formation operation on capabilities (M. M'). For example, (in n. in m). P is interpreted as in n. in m. P. We distinguish between ν-bound names and input-bound variables. Variables can be instantiated with names or capabilities. In practice, we do not need to distinguish these two sorts lexically, but we often use n, m, p, q for names and w, x, y, z for variables.

Ambient I/O

The simplest communication mechanism that we can imagine is local anonymous communication within an ambient (ambient I/O, for short):

(x).P          input action
⟨M⟩            async output action

An output action releases a capability (possibly a name) into the local ether of the surrounding ambient. An input action captures a capability from the local ether and binds it to a variable within a scope. We have the reduction:

(x).P | ⟨M⟩ → P{x←M}

This local communication mechanism fits well with the ambient intuitions. In particular, long-range communication, like long-range movement, should not happen automatically because messages may have to cross firewalls. Still, this simple mechanism is sufficient, as we shall see, to emulate communication over named channels, and more generally to provide an encoding of the asynchronous π-calculus.

Remark

To allow both names and capabilities to be output and input, there is a single syntactic sort that includes both. A meaningless term of the form n. P can then arise, for instance, from the process ((x). x. P) | ⟨n⟩. This anomaly is caused by the desire to denote movement capabilities by variables, as in (x). x. P, and from the desire to denote names by variables, as in (x). x[P]. We permit n. P to be formed, syntactically, in order to make substitution always well defined. A simple type system distinguishing names from movement capabilities would avoid this anomaly.
3.3 Operational Semantics

The structural congruence relation is defined as in section 2.3, with the understanding that P and M range now over larger classes and with the addition of the following equivalences:

Structural Congruence
P ≡ Q ⇒ M[P] ≡ M[Q]
P ≡ Q ⇒ (x).P ≡ (x).Q
ε.P ≡ P
(M.M').P ≡ M.M'.P

We now identify processes up to renaming of bound variables: (x).P = (y).P{x←y} if y ∉ fv(P). Finally, we have a new reduction rule:

Reduction
(x).P | ⟨M⟩ → P{x←M}

3.4 Example: Cells

A cell cell c w stores a value w at a location c, where a value is a capability. The cell is set to output its current contents destructively, and is set to be "refreshed" with either the old contents (by get) or a new contents (by set). Note that set is essentially an output operation, but it is a synchronous one: its sequel P runs only after the cell has been set. Parallel get and set operations do not interfere.

cell c w ≜ c°[⟨w⟩]
get c (x). P ≜ mv in c. (x). (⟨x⟩ | mv out c. P)
set c ⟨w⟩. P ≜ mv in c. (x). (⟨w⟩ | mv out c. P)

It is possible to code an atomic get-and-set primitive:

get-and-set c (x) ⟨w⟩. P ≜ mv in c. (x). (⟨w⟩ | mv out c. P)
$
mv in c. (x). (jwk | mv out c. P)
Named cells can be assembled into ambients that act as record data structures.

3.5 Example: Routable Packets and Active Networks

We define packet pkt as an empty packet of name pkt that can be routed repeatedly to various destinations. We also define route pkt with P to M as the act of placing P inside the packet pkt and sending the packet to M; this is to be used in parallel with packet pkt. Note that M can be a compound capability, representing a path to follow. Finally, forward pkt to M is an abbreviation that forwards any packet named pkt that passes by to M. Here we assume that P does not interfere with routing.

packet pkt ≜ pkt[!(x). x | !open route]
route pkt with P to M ≜ route[in pkt. ⟨M⟩ | P]
forward pkt to M ≜ route pkt with 0 to M

Since our packets are ambients, they may contain behavior that becomes active within the intermediate routers. Therefore we can naturally model active networks, which are characterized by routers that execute code carried by packets.

3.6 Communication Between Ambients

Our basic communication primitives operate only within a given ambient. We now discuss one example of communication across ambients. In addition, in section 3.7 we treat the specific case of channel-based communication across ambients. It is not realistic to assume direct long-range communication. Communication, like movement, is subject to access restrictions due to the existence of administrative domains. Therefore, it is convenient to model long-range communication as the movement of "messenger" agents that must cross administrative boundaries. Assume, for simplicity, that the location M allows I/O by !open io. By M⁻¹ we indicate a given return path from M.

@M⟨a⟩ ≜ io[M. ⟨a⟩]                                            remote output at M
@M(x)M⁻¹. P ≜ (νn) (io[M. (x). n[M⁻¹. P]] | open n)            remote input at M

To avoid transmitting P all the way there and back, we can write input as:

@M(x)M⁻¹. P ≜ (νn) (io[M. (x). n[M⁻¹. ⟨x⟩]] | open n) | (x). P

To emulate Remote Procedure Call we write (assuming res contains the result):

@M arg⟨a⟩ res(x) M⁻¹. P ≜ (νn) (io[M. (⟨a⟩ | open res. (x). n[M⁻¹. ⟨x⟩])] | open n) | (x). P

This is essentially an implementation of a synchronous communication (RPC) by two asynchronous communications (⟨a⟩ and ⟨x⟩).

3.7 Encoding the π-calculus

The encoding of the asynchronous π-calculus is moderately easy, given our I/O primitives. A channel is simply represented by an ambient: the name of the channel is the name of the ambient. This is very similar in spirit to the join-calculus [9] where channels are rooted at a location. Communication on a channel is represented by local communication inside an ambient. The basic technique is a variation on objective moves. A conventional name, io, is used to transport input and output requests into the channel. The channel opens all such requests and lets them interact.

ch n ≜ n[!open io]                                           a channel
(ch n)P ≜ (νn) (ch n | P)                                    a new channel
n(x).P ≜ (νp) (io[in n. (x). p[out n. P]] | open p)          channel input
n⟨M⟩ ≜ io[in n. ⟨M⟩]                                         async channel output

These definitions satisfy the expected reduction n(x).P | n⟨M⟩ →* P{x←M} in the presence of a channel ch n. Therefore, we can write the following encoding of the π-calculus:

Encoding of the Asynchronous π-calculus
⟦(νn)P⟧ ≜ (νn) (n[!open io] | ⟦P⟧)
⟦n(x).P⟧ ≜ (νp) (io[in n. (x). p[out n. ⟦P⟧]] | open p)
⟦n⟨m⟩⟧ ≜ io[in n. ⟨m⟩]
⟦P | Q⟧ ≜ ⟦P⟧ | ⟦Q⟧
⟦!P⟧ ≜ !⟦P⟧

This encoding includes the choice-free synchronous π-calculus, since it can itself be encoded within the asynchronous π-calculus [4, 12]. We can fairly conveniently use these definitions to embed communication on named channels within the ambient calculus (provided the name io is not used for other purposes). Communication on these named channels, though, only works within a single ambient. In other words, from our point of view, a π-calculus process always inhabits a single ambient. Therefore, the notion of mobility in the π-calculus (communication of names over named channels) is different from our notion of mobility.
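The channel encoding of section 3.7 run by a small reducer, written for this page as an added example (not the paper's own code): it implements the In, Out and Open rules, the local I/O reduction and on-demand unfolding of !P, with ν-bound names simply chosen fresh and output values restricted to names. Running `demo()` shows ch n | n(x).x[] | n⟨m⟩ reducing to ch n | m[]: both io messengers enter the channel, are opened by !open io, the input binds x to m, and p carries the continuation back out.

```python
"""Ambient-calculus reducer with local I/O (added example, not the paper's code):
rules In, Out, Open, (x).P | <M> -> P{x<-M}, and unfolding !P == P | !P on demand.
A process is a tuple of parallel components (() is 0); names and variables are
strings; a capability is ('in'|'out'|'open', name); outputs carry names only."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Amb:            # n[P]
    name: str
    body: tuple
@dataclass(frozen=True)
class Act:            # M.P, with M a single capability
    cap: tuple
    cont: tuple
@dataclass(frozen=True)
class Repl:           # !P
    proc: tuple
@dataclass(frozen=True)
class Input:          # (x).P
    var: str
    cont: tuple
@dataclass(frozen=True)
class Output:         # <M>, with M a name
    msg: str
def find(p, pred):    # index of the first component satisfying pred, or None
    return next((i for i, q in enumerate(p) if pred(q)), None)
def without(p, *idx): # p minus the components at the given indices
    return tuple(q for i, q in enumerate(p) if i not in idx)
def subst(p, x, m):
    """P{x<-m}: replace the input-bound variable x by the name m."""
    out = []
    for q in p:
        if isinstance(q, Amb):
            out.append(Amb(m if q.name == x else q.name, subst(q.body, x, m)))
        elif isinstance(q, Act):
            kind, tgt = q.cap
            out.append(Act((kind, m if tgt == x else tgt), subst(q.cont, x, m)))
        elif isinstance(q, Repl):
            out.append(Repl(subst(q.proc, x, m)))
        elif isinstance(q, Input):        # an inner (x).P rebinds x
            out.append(q if q.var == x else Input(q.var, subst(q.cont, x, m)))
        else:
            out.append(Output(m if q.msg == x else q.msg))
    return tuple(out)
def core(p):
    """One reduction step in p, treating !P at this level as inert."""
    for i, q in enumerate(p):
        if isinstance(q, Act) and q.cap[0] == 'open':   # open n.P | n[Q] -> P | Q
            j = find(p, lambda r: isinstance(r, Amb) and r.name == q.cap[1])
            if j is not None:
                return without(p, i, j) + q.cont + p[j].body
        elif isinstance(q, Input):                       # (x).P | <M> -> P{x<-M}
            j = find(p, lambda r: isinstance(r, Output))
            if j is not None:
                return without(p, i, j) + subst(q.cont, q.var, p[j].msg)
        elif isinstance(q, Amb):
            k = find(q.body, lambda r: isinstance(r, Act) and r.cap[0] == 'in')
            if k is not None:                # n[in m.P | Q] | m[R] -> m[n[P | Q] | R]
                m = q.body[k].cap[1]
                j = find(p, lambda r: isinstance(r, Amb) and r.name == m and r is not q)
                if j is not None:
                    moved = Amb(q.name, without(q.body, k) + q.body[k].cont)
                    return without(p, i, j) + (Amb(m, p[j].body + (moved,)),)
            for k, inner in enumerate(q.body):  # m[n[out m.P | Q] | R] -> n[P | Q] | m[R]
                if isinstance(inner, Amb):
                    a = find(inner.body, lambda r: isinstance(r, Act) and r.cap == ('out', q.name))
                    if a is not None:
                        left = Amb(inner.name, without(inner.body, a) + inner.body[a].cont)
                        return without(p, i) + (Amb(q.name, without(q.body, k)), left)
            inside = step(q.body)                        # otherwise reduce under n[...]
            if inside is not None:
                return without(p, i) + (Amb(q.name, inside),)
    return None
def step(p):
    """One step of p, unfolding one !P to P | !P (structural congruence) if needed."""
    r = core(p)
    for i, q in enumerate(p):
        if r is None and isinstance(q, Repl):
            r = core(without(p, i) + q.proc + (q,))
    return r

def run(p, limit=200):   # reduce to a normal form, or fail after `limit` steps
    for _ in range(limit):
        nxt = step(p)
        if nxt is None:
            return p
        p = nxt
    raise RuntimeError('no normal form within the step limit')

# Channel encoding of section 3.7; the nu-bound name p is chosen fresh here.
def ch(n):                    # ch n = n[!open io]
    return Amb(n, (Repl((Act(('open', 'io'), ()),)),))
def pi_input(n, x, P, p='p'): # n(x).P = (nu p)(io[in n.(x).p[out n.P]] | open p)
    return (Amb('io', (Act(('in', n), (Input(x, (Amb(p, (Act(('out', n), P),)),)),)),)),
            Act(('open', p), ()))
def pi_output(n, m):          # n<m> = io[in n.<m>]
    return Amb('io', (Act(('in', n), (Output(m),)),))

def demo():                   # ch n | n(x).x[] | n<m>  ->*  ch n | m[]
    return run((ch('n'),) + pi_input('n', 'x', (Amb('x', ()),)) + (pi_output('n', 'm'),))
```

The same reducer also runs the external-choice encoding of section 2: the chosen branch is released and the unchosen p ambient stays behind inert, as its in m capability never fires.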
4 Conclusions and Future Work We have introduced the informal notion of mobile ambients, and we have discussed how this notion captures the structure of complex networks and the behavior of mobile computation. We have then investigated an ambient calculus that formalizes this notion simply and powerfully. Our calculus is no more complex than common process calculi, but supports reasoning about mobility and, at least to some degree, security. This paper concentrates mostly on examples and intuition. In ongoing work we are developing theories of equivalences for the ambient calculus, drawing on earlier work on the π-calculus. These equivalences will allow us to reason about mobile computation, as briefly illustrated in the firewall crossing example. On this foundation, we can envision new programming methodologies, programming libraries and programming languages for global computation.
Acknowledgments Thanks to Cédric Fournet, Paul McJones and Jan Vitek for comments on early drafts. Stuart Wray suggested an improved definition of external choice. Gordon held a Royal Society University Research Fellowship for most of the time we worked on this paper.
References

[1] Abadi, M. and A.D. Gordon, A calculus for cryptographic protocols: the spi calculus. Proc. Fourth ACM Conference on Computer and Communications Security, 36-47, 1997.
[2] Amadio, R.M., An asynchronous model of locality, failure, and process mobility. Proc. COORDINATION 97, Berlin, 1997.
[3] Berry, G. and G. Boudol, The chemical abstract machine. Theoretical Computer Science 96(1), 217-248, 1992.
[4] Boudol, G., Asynchrony and the π-calculus. TR 1702, INRIA, Sophia-Antipolis, 1992.
[5] Cardelli, L., A language with distributed scope. Computing Systems 8(1), 27-59, MIT Press, 1995.
[6] Carriero, N. and D. Gelernter, Linda in context. CACM 32(4), 444-458, 1989.
[7] Carriero, N., D. Gelernter, and L. Zuck, Bauhaus Linda. LNCS 924, 66-76, Springer-Verlag, 1995.
[8] De Nicola, R., G.-L. Ferrari and R. Pugliese, Locality based Linda: programming with explicit localities. Proc. TAPSOFT'97, 1997.
[9] Fournet, C. and G. Gonthier, The reflexive CHAM and the join-calculus. Proc. 23rd Annual ACM Symposium on Principles of Programming Languages, 372-385, 1996.
[10] Fournet, C., G. Gonthier, J.-J. Lévy, L. Maranget, D. Rémy, A calculus of mobile agents. Proc. CONCUR'96, 406-421, 1996.
[11] Gosling, J., B. Joy and G. Steele, The Java language specification. Addison-Wesley, 1996.
[12] Honda, K. and M. Tokoro, An object calculus for asynchronous communication. Proc. ECOOP'91, LNCS 521, 133-147, Springer-Verlag, 1991.
[13] Milner, R., A calculus of communicating systems. LNCS 92, Springer-Verlag, 1980.
[14] Milner, R., Functions as processes. Mathematical Structures in Computer Science 2, 119-141, 1992.
[15] Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, Parts 1-2. Information and Computation 100(1), 1-77, 1992.
[16] White, J.E., Mobile agents. In Software Agents, J. Bradshaw, ed., AAAI Press / The MIT Press, 1996.
Rational Term Rewriting*

A. Corradini¹ and F. Gadducci²

¹ Università di Pisa, Dipartimento di Informatica, Corso Italia 40, I-56214 Pisa, Italy ([email protected]).
² TUB, Fachbereich 13 Informatik, Franklinstraße 28/29, D-10587 Berlin, Germany ([email protected]).

* Research partly supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the Dipartimento di Informatica of Pisa and the Technical University of Berlin.

Abstract. Rational terms (possibly infinite terms with finitely many subterms) can be represented in a finite way via μ-terms, that is, terms over a signature extended with self-instantiation operators. For example, f^ω = f(f(f(…))) can be represented as μx.f(x) (or also as μx.f(f(x)), f(μx.f(x)), …). Now, if we reduce a μ-term t to s via a rewriting rule using standard notions of the theory of Term Rewriting Systems, how are the rational terms corresponding to t and to s related? We answer this question in a satisfactory way, resorting to the definition of infinite parallel rewriting proposed in [7]. We also provide a simple, algebraic description of μ-term rewriting through a variation of Meseguer's Rewriting Logic formalism.

1 Introduction

Rational terms are possibly infinite terms with a finite set of subterms. They show up in a natural way in Theoretical Computer Science whenever some finite cyclic structures are of concern (for example data flow diagrams, cyclic term graphs, or process algebras with recursion), and one desires to abstract out from the "degree of folding" of such structures, intuitively identifying those that denote the same infinitary behaviour. For example, the μ-term t_1 = μx.ite(B, seq(C_1, x), C_2) can be used as a linear representation of a flow chart intended to model the structure of a while loop using the if-then-else (ite) and the sequentialization (seq) statements, where the boolean condition B and the statements C_1 and C_2 are left unspecified. As stressed in [20], the intended meaning of the operator μx, when applied to a term t[x] with x free, is of constraining the instantiation of x in t to μx.t only; thus μx can be considered as a self-instantiation operator. By performing this self-instantiation once in t_1, we get t_2 = ite(B, seq(C_1, μx.ite(B, seq(C_1, x), C_2)), C_2). Now, both t_1 and t_2 can be seen as a finite representation of the same infinite, rational term ite(B, seq(C_1, ite(B, seq(C_1, ite(B, seq(C_1, …), C_2)), C_2)), C_2), which, in turn, can be regarded as a representative of the equivalence class of μ-terms containing t_1 and t_2. From a computational viewpoint, rational terms are clearly
a very interesting subclass of infinite terms, because they have a finitary representation; usually, however, this is not unique. Infinitary extensions of Term Rewriting have been considered by various authors during the last decade [12, 11, 15, 16, 7, 20, 21, 22, 9, 8]. Most of those contributions are concerned with the study of the rewriting relation induced by a set of finite term rules on infinite terms, presenting results about the existence of normal forms (possibly reachable after ω steps), confluence and so on. Only a few of them, namely [20, 21, 8], focus on the subclass of rational terms, regarded essentially as the semantics of some finite but possibly cyclic structures (term graphs or μ-terms). The goal of this paper is to provide a solid mathematical basis for the theory of rational term rewriting. One main requisite for us is that such a theory must provide a "clean" semantics for the rewriting of the finitary representations of rational terms. This is a not completely trivial task, as shown by the following two simple examples which make use of μ-terms, the finitary representation of rational terms that we shall use along the paper. Let t be the μ-term t = μx.f(x), representing the rational term f^ω =def f(f(f(…))), and let R : f(y) → g(y) be a term rewriting rule. Unlike for example [20], we insist that in our theory it should be possible to apply R to t, obtaining, quite obviously, the reduction μx.f(x) →_R μx.g(x). If we consider the associated rational terms, this apparently innocuous rewriting step requires some infinitary extension of the theory of term rewriting, because there are infinitely many occurrences of f in f^ω, and all of them have to be changed to g: in fact, the μ-term μx.g(x) represents g^ω. There are two possible infinitary extensions of term rewriting that allow to formalize such a phenomenon. Using the theory of transfinite rewriting of [22] (and adopted by most of the papers mentioned above), one obtains g^ω as the limit (in the standard complete metric space of infinite terms [1]) of the infinite (Cauchy) sequence of reductions f^ω →_R g(f^ω) →_R g(g(f^ω)) →_R ⋯, whose limit is g^ω. Using instead the infinite parallel rewriting of [7], g^ω is obtained in a single reduction step by replacing in parallel all the occurrences of f in f^ω by g: this kind of reduction is defined using standard completion techniques that exploit the cpo structure of possibly partial, possibly infinite terms [19]. And what about the application of the "collapsing" rule R′ : g(y) → y to μx.g(x)? There is no apparent reason to forbid it, and one would expect to obtain the reduction μx.g(x) →_{R′} μx.x. Considering the corresponding rational terms, by applying the theory of [22] we have that since g^ω →_{R′} g^ω, the limit of infinitely many such reductions cannot be different from g^ω,³ which is not related at all to μx.x. Using the infinite parallel rewriting of [7], instead, we have that g^ω rewrites to ⊥, the bottom element of the cpo of terms, and ⊥ is indeed the canonical interpretation of the μ-term μx.x, according to the Iteration Algebras framework [3]. An infinite term made of infinitely many nested redexes of collapsing rules (as g^ω in this example) will be called a "hypercollapsing tower", using the terminology of [22].

³ Actually such a derivation is not strongly convergent, and thus it is not considered admissible in [22].

This discussion motivates our presentation of rational term rewriting in Section 3, which is an adaptation to the rational case of the definitions and results in [7]. In the same section we also introduce the rewriting of μ-terms, which is as straightforward as possible. The main result of the paper will show the soundness of the (parallel) rewriting of μ-terms with respect to the reduction of possibly infinite, rational sets of redexes in their unfolded rational term. In Section 4 we provide a logical presentation of μ-term rewriting and of rational rewriting. For the logical viewpoint, our starting point is the seminal work of José Meseguer about Rewriting Logic [25]. The basic idea is to consider a rewriting system as a logical theory, and any rewriting as a sequent entailed by that theory. The entailment relation is defined inductively by suitable deduction rules, showing how sequents can be derived from other sequents. Sequents themselves are triples ⟨α; t, s⟩, where α is an element of a so-called algebra of proof terms, encoding a justification of the rewriting of t into s. The original presentation of rewriting logic dealt with the finitary case. We consider here a variation of it, called (one-step) Preiteration Rewriting Logic, by introducing suitable rules for μ-terms. The faithfulness of this presentation of μ-term rewriting with respect to the original formulation is expressed by a result stating that there is a bijection between sequents relating two terms and parallel reductions between them. The advantage of this logical approach is that not only the terms, but also the reductions are now endowed with an algebraic structure (the structure of proof terms), and this allows us to obtain a more precise relationship between μ-term and rational rewriting with respect to the results in Section 3. In fact, we obtain a faithful (in the above sense) logical presentation of rational rewriting by considering rational sequents, i.e., equivalence classes of sequents with respect to suitable axioms. Finally, in the concluding section we discuss the relationship with related papers, and we hint at some topics for future work.
2 Rational Terms and μ-terms

The study of infinite terms is one of the most relevant contributions of computer science to the field of Universal Algebra. The starting point was the mid-Seventies work of the ADJ group (see e.g. [19, 18]) on continuous algebras, which put the basis for the studies on varieties of ordered algebras, that is, algebras where the carrier is a partial order (see also [2]). We assume the reader to be familiar with the usual notion of algebra over a signature Σ (that is, a ranked alphabet of operator symbols Σ = ⋃_{n∈ℕ} Σ_n, saying that f is of arity n for f ∈ Σ_n). We denote by Σ-Alg the category of algebras over Σ, and of Σ-homomorphisms. Continuous algebras are simply algebras where the carrier is not just a set, but rather a complete partial order, and the operators are continuous functions. Correspondingly, since homomorphisms must preserve the algebraic structure, they are required to be strict continuous functions.

Definition 1 (complete partial orders). A partial order ⟨D, ≤⟩ is complete (is a cpo) if it has an element ⊥ (called bottom) such that ⊥ ≤ d for all d ∈ D, and it has least upper bounds (lub's) for all ω-chains of elements. If {d_i}_{i<ω} is an ω-chain (d_i ≤ d_{i+1} for all i), its lub is denoted ⊔_i d_i. A function f : ⟨D, ≤⟩ → ⟨D′, ≤′⟩ between cpos is continuous if f(⊔_i d_i) = ⊔_i f(d_i) for every ω-chain, and strict if f(⊥) = ⊥′; homomorphisms of continuous algebras are required to be strict continuous
functions. We denote with Σ-CAlg the category of continuous algebras and strict continuous homomorphisms. We recall now the basic definitions and the main results on initial algebras and rational terms that will be used along the paper; these are borrowed from [3, 19, 17], to which we refer the interested reader. It is well-known that, for each signature Σ, the category Σ-Alg has an initial object, often called the word algebra and denoted by T_Σ. Its elements are all the terms freely generated from the constants and the operators of Σ, and can be regarded as finite trees whose nodes are labeled by operator symbols. As shown in [19], also the category Σ-CAlg has an initial object, denoted CT_Σ. Its elements are possibly infinite, possibly partial terms freely generated from Σ, and they form a cpo where the ordering relation is given by t ≤ t′ iff t′ is "more defined" than t. We introduce directly CT_Σ, since T_Σ can be recovered as a suitable sub-algebra: definitions are borrowed from [19], with minor changes.

Definition 2 (terms as functions). Let ω* be the set of all finite strings of positive natural numbers; its elements are called occurrences, and the empty string is denoted by λ. Furthermore, let Σ be a signature and X be a set of variables such that Σ ∩ X = ∅. A term over (Σ, X) is a partial function t : ω* → Σ ∪ X such that the domain of definition of t, 𝒪(t), satisfies (for w ∈ ω* and i ∈ ω)
– wi ∈ 𝒪(t) ⇒ w ∈ 𝒪(t);
– wi ∈ 𝒪(t) ⇒ t(w) ∈ Σ_n for some n ≥ i.
𝒪(t) is called the set of occurrences of t. A term t is total if t(w) ∈ Σ_n ⇒ wi ∈ 𝒪(t) for all 0 < i ≤ n; t is finite if so is 𝒪(t); and t is linear if no variable occurs more than once in it. Given an occurrence w ∈ ω* and a term t ∈ CT_Σ(X), the subterm of t at (occurrence) w is the term t/w defined as t/w(u) = t(wu) for all u ∈ ω*. The set of terms over (Σ, X) is denoted by CT_Σ(X), and CT_Σ stays for CT_Σ(∅). For finite, total terms, this description is equivalent to the usual representation of terms as operators applied to other terms. □

Partial terms are made total in this representation by introducing the undefined term ⊥, which represents the empty function ∅ : ω* → Σ ∪ X, always undefined. Thus, for example, if x ∈ X, t = f(⊥, g(x)) is the term such that 𝒪(t) = {λ, 2, 21}, t(λ) = f ∈ Σ_2, t(2) = g ∈ Σ_1, and t(21) = x ∈ X. CT_Σ(X) forms a cpo with respect to the "approximation" relation. We say that t approximates t′ (written t ≤ t′) iff t is less defined than t′ as partial function. The least element of CT_Σ(X) with respect to ≤ is clearly ⊥. An ω-chain {t_i}_{i<ω} has as lub the term t = ⋃_i t_i, the union of the partial functions t_i, which is characterized by

∀ w ∈ ω* . ∃ i < ω . ∀ j ≥ i . t_j(w) = t(w).

From CT_Σ, T_Σ can be recovered as the subalgebra of finite, total terms. In the paper our main interest is in rational terms.
Definition 3 (rational terms). A term t over (Σ, X) is rational if the associated set of prefixes 𝒫(t) = {⟨w, t(w)⟩ | w ∈ 𝒪(t)} is regular, that is, if it is recognizable by a finite automaton. Equivalently, t is rational if the set of all its subterms {t/u | u ∈ 𝒪(t)} is finite. The collection of all rational terms over (Σ, X) is denoted by RT_Σ(X), and it is easily shown to be a subalgebra of CT_Σ(X), but not a continuous one. □
A different approach to the study of infinite terms, and in particular to the characterization of rational terms, focussed instead on the extension of the notion of signature by means of suitable recursion operators, and on an axiomatic characterization of unique fixed-points. A seminal stream (with tight links to the categorical notion of algebraic theories [24]) started with the paper on algebraic iterative theories by Elgot [13]. Here we recall just a few basic results, for which we refer the reader to [4].
Definition 4 (μ-terms). Let Σ be a signature and X be a (countably infinite) set of variables such that Σ ∩ X = ∅. The set T^μ_Σ(X) of μ-terms over (Σ, X) is defined as the smallest set of expressions satisfying the following clauses:
– x ∈ T^μ_Σ(X) if x ∈ X;
– f(t_1, …, t_n) ∈ T^μ_Σ(X) if f ∈ Σ_n, t_i ∈ T^μ_Σ(X);
– μx.t ∈ T^μ_Σ(X) if x ∈ X, t ∈ T^μ_Σ(X).
Equivalently, let Σ_X = Σ ⊎ {μx | x ∈ X} be a signature that extends Σ with one unary operator for each variable in X. Then μ-terms over (Σ, X) can also be defined as finite terms over Σ_X, i.e., elements of the word algebra T_{Σ_X}(X). □
Consistently with the interpretation described in the Introduction, operator μx is a binding operator for variable x. Thus we define the set of free variables FV(t) for a term t in the usual way, we call closed any term with no free variables, and we identify terms up to α-conversion.

Substitutions are functions from variables to terms that, by freeness, can be extended in a unique way to operator preserving functions from terms to terms. Since we are dealing with two different kinds of terms, we introduce now two types of substitutions which will be used in the sequel.
Definition 5 (continuous and parameter substitutions). Let Σ be a signature and X, Y be two (countably infinite) sets of variables such that Σ ∩ X = Σ ∩ Y = ∅. A (continuous) substitution from X to Y is a function σ : X → CT_Σ(Y) (used in postfix notation). It uniquely determines a strict continuous Σ-homomorphism (also denoted by σ) from CT_Σ(X) to CT_Σ(Y), which extends σ as follows:
– ⊥σ = ⊥;
– f(t_1, …, t_n)σ = f(t_1σ, …, t_nσ);
– (⋃_i t_i)σ = ⋃_i (t_iσ) for every ω-chain {t_i}_{i<ω}.
A parameter substitution from X to Y is a function σ : X → T^μ_Σ(Y), uniquely extended to an operator preserving function from T^μ_Σ(X) to T^μ_Σ(Y) that acts on free variables only: (μx.t)σ = μx.(tσ′), where σ′ agrees with σ except that it leaves x unchanged (bound variables being renamed, when needed, to avoid capture). □
iteration algebras satisfying an equational specification forms a suitable variety, à la Birkhoff. In particular, we are interested in the variety of iteration algebras, and more specifically in the free iteration algebra. Among the many equivalent axiomatizations of this free algebra, we prefer the following one (based actually on conditional equations) for its clarity and conciseness. Other presentations are described in [4], which also presents informal explanations for the rules below.
Definition 6 (free iteration algebra). Given a signature Σ and a (countably infinite) set X of variables, let =_μ be the least congruence relation over T^μ_Σ(X), closed with respect to parameter substitutions, induced by the following rules:
– (composition) μx.(t{x/s}) = t{x/μx.(s{x/t})};
– (left zero) x ∉ FV(t) ⇒ μx.t = t;
– (regularity) u ∉ FV(t), μu.(t{x/u, y/u}) = μu.(s{x/u, y/u}) ⇒ μu.(t{x/u, y/u}) = μy.(s{x/μx.t}).
We define the free iteration algebra over (Σ, X) as the set T^μ_Σ(X)/=_μ, obtained by quotienting the free preiteration algebra T^μ_Σ(X) by the congruence =_μ. □
As far as we know, Ginali in her Ph.D. thesis (see [17]) and independently Elgot, Bloom and Tindell [14] were the first to prove a correspondence result between the class of regular trees and Elgot's free iterative theories. Building on that result, Bloom and Ésik proved in [3] the following theorem.

Theorem 7 (rational terms and free iteration algebras). For any signature Σ and set X of variables, there is a preiteration isomorphism between the class RT_Σ(X) of rational trees over (Σ, X) and the class of elements of the free iteration algebra T^μ_Σ(X)/=_μ. □

In the rest of the paper for a μ-term t we will denote by [t] the rational term corresponding (via the isomorphism mentioned in the last result) to the equivalence class of t modulo the axioms of Definition 6. Intuitively, [t] is obtained as the limit of a chain of μ-terms starting from t and where at each step a suitable self-instantiation (via a parameter substitution) is applied. The only μ-term to which this intuition is not immediately applicable is μx.x: the reader can safely assume that [μx.x] = ⊥ by definition.
3 Rewriting of Rational Terms and of μ-Terms

The standard definition of term rewriting will be extended in this section to the rewriting of μ-terms (i.e., closed elements of T^μ_Σ(X)) and of infinite terms (elements of CT_Σ) via finite rules. Borrowing from [7], besides the standard sequential derivations we will introduce an infinitary extension called infinite parallel rewriting which allows one to reduce infinitely many redexes of an infinite term in a single reduction step. In particular, we will focus on the subcase of rational rewriting, i.e., the parallel reduction of rational sets of redexes. The main result of the section will show the soundness of μ-term rewriting with respect to rational term rewriting. Definitions and results are presented here for the class of orthogonal term rewriting systems only.

Definition 8 (term rewriting systems (trs)). Let X be a countably infinite set of variables. A term rewriting system (over X) is a tuple ℛ = (Σ, L, R), where Σ is a signature,⁴ L is a set of labels, and R is a function R : L → T_Σ(X) × T_Σ(X), such that for all d ∈ L, if R(d) = ⟨l, r⟩ then var(r) ⊆ var(l) ⊆ X and l is not a variable. A trs is orthogonal if all its rules are left-linear and non-overlapping, that is, the left-hand side of each rule does not unify with a non-variable subterm of any other rule in ℛ, or with a proper, non-variable subterm of itself. □

⁴ Often the signature Σ will be understood.
Given a term rewriting system (also trs) ℛ, we usually write d : l → r ∈ ℛ if d ∈ L and R(d) = ⟨l, r⟩; to make explicit the variables contained in a rule, we write d(x_1, …, x_n) : l(x_1, …, x_n) → r(x_1, …, x_n) ∈ ℛ where {x_1, …, x_n} = var(l). For example, the trs ℛ = {d : f(x, x) → a, d_1 : f(x, f(y, z)) → a} is not orthogonal: d is not left-linear, while f(x, f(y, z)) can unify with its subterm f(y, z). The definitions below introduce the rewriting of infinite terms and of μ-terms.
Definition 9 (subterm replacement). Given terms t, s ∈ CT_Σ(X) and an occurrence w ∈ ω*, the replacement of s in t at (occurrence) w, denoted t[w ← s], is the term defined as t[w ← s](u) = t(u) if w is not a prefix of u or t/w = ⊥, and t[w ← s](wu) = s(u) otherwise. □

The definition of subterm replacement applies as it is to μ-terms in T^μ_Σ(X), simply considering them as finite terms over the extended signature Σ_X.

Definition 10 ((plain) redexes and μ-redexes). Let ℛ = ⟨Σ, L, R⟩ be a trs over X. A (plain) redex of a term t ∈ CT_Σ is a pair Δ = (w, d) where w ∈ ω* is an occurrence, d : l → r ∈ ℛ is a rule, and there exists a continuous substitution σ : var(l) → CT_Σ such that t/w = lσ. A μ-redex of a closed μ-term t ∈ T^μ_Σ(X) is a pair Δ = (w, d) where w ∈ ω* is an occurrence, d : l → r ∈ ℛ is a rule, and there exists a parameter substitution σ : var(l) → T^μ_Σ(X) such that t/w = lσ. □

Definition 11 (reduction and derivation). Let d : l → r ∈ ℛ be a rule and Δ = (w, d) be a redex of t. The result of its application is s = t[w ← rσ]. We also write t →_Δ s, and we say that t reduces to s (via Δ). We say that there is a derivation from t to t′ if there are redexes Δ_1, …, Δ_n such that t →_{Δ_1} t_1 →_{Δ_2} … →_{Δ_n} t_n = t′. □

The last definition applies both to plain and to μ-redexes: simply, if Δ is a μ-redex of t, bound variables in t are not affected in some undesirable way
thanks to the fact that the matching substitution is required to be a parameter substitution. In this case, sometimes we will denote the corresponding reduction by t s. Sequential term rewriting, as just de ned, can be generalized to parallel term rewriting by allowing for the simultaneous application of two or more redexes to a term. The de nitions below summarize those in [6] (see also [23, 7]), and are valid for orthogonal trs's only: as for subterm replacement, all de nitions and results lift smoothly to -terms. !
Definition 12 (residuals). Let ρ = (w, d) and ρ′ = (w′, d′ : l′ → r′) be two redexes in a term t. The set of residuals of ρ by ρ′, denoted by ρ \ ρ′, is defined as:

$$\rho \setminus \rho' = \begin{cases} \emptyset & \text{if } \rho = \rho'; \\ \{\rho\} & \text{if } w \not> w'; \\ \{(w' w_x u, d) \mid r'/w_x = l'/v_x\} & \text{if } w = w' v_x u \text{ and } l'/v_x \text{ is a variable.} \end{cases}$$ □
Note that ρ \ ρ′ can contain more than one redex, whenever the right-hand side of the rule d′ is not linear. As an example, consider the trs W = {d : f(x) → g(x, x), d′ : a → b} and the redexes ρ = (1, d′), ρ′ = (ε, d) in the term f(a): then ρ \ ρ′ = {(1, d′), (2, d′)}.
Proposition 13 (residual of a reduction). Let Φ be a finite set of redexes of t, such that $t \to_\rho s$. Then the set of residuals of Φ by ρ, defined as $\Phi \setminus \rho = \bigcup \{\rho' \setminus \rho \mid \rho' \in \Phi\}$, is a set of redexes in s. □
The well-definedness of the notions below is based on the previous result.
Definition 14 (residual of a sequence, complete development). Let Φ be a finite set of redexes of t and $\delta = (t \to_{\rho_1} t_1 \to \cdots \to_{\rho_n} t_n)$ be a reduction sequence. Then Φ \ δ is defined as Φ if n = 0, and as (Φ \ ρ₁) \ δ′, where $\delta' = (t_1 \to_{\rho_2} t_2 \to \cdots \to_{\rho_n} t_n)$, otherwise. A development of Φ is a reduction sequence δ such that after each initial segment δ′, the next reduced redex is an element of Φ \ δ′. A complete development of Φ is a development δ such that Φ \ δ = ∅. □

Proposition 15 (uniqueness of complete developments). All complete developments δ and δ′ of a finite set of redexes Φ in a term t are finite, and end with the same term. Moreover, for each redex ρ of t, it holds ρ \ δ = ρ \ δ′. Therefore we can safely denote by ρ \ Φ the residuals of ρ by any complete development of Φ (and similarly replacing ρ with a finite set of redexes Φ′ of t). □
Exploiting this result (whose proof can be found in [6]), we define the parallel reduction of a finite set of redexes as any complete development of them.
Definition 16 (parallel reduction). Given a finite set of redexes Φ in a term t, we write $t \to_\Phi t'$ and say that there is a parallel reduction from t to t′ if there exists a complete development $t \to_{\rho_1} t_1 \to \cdots \to_{\rho_n} t'$ of Φ. □
Thus parallel rewriting allows one to reduce a finite set of redexes of a term in a single, parallel step. If we consider an infinite term, there might be infinitely many distinct redexes in it: since the simultaneous rewriting of any finite subset of those redexes is well-defined, by a continuity argument one would expect that also the simultaneous rewriting of infinitely many redexes in an infinite term can be properly defined. We present here a definition which makes use of a suitable limit construction: for details we refer to [7]. It is however worth noticing that since -terms are finite by Definition 4, this infinitary extension is meaningful for plain redexes only.
Definition 17 (infinite parallel reduction). Given an infinite set of redexes Φ in a term t, let $t_0 \le t_1 \le t_2 \le \cdots$ be any chain of finite terms such that its lub is t, and for each i < ω, every redex (w, d) ∈ Φ is either a redex of $t_i$ or $t_i(w) = \bot$ (that is, the image of the left-hand side of every redex in Φ is either all in $t_i$, or it is outside, but does not "cross the boundary"). Let $\Phi_i$ be the subset of all redexes in Φ which are also redexes of $t_i$, and let $s_i$ be the result of the (finite) parallel reduction of $t_i$ via $\Phi_i$ (i.e., $t_i \to_{\Phi_i} s_i$). Then we say that there is an (infinite) parallel reduction from t to $s \stackrel{def}{=} \bigcup_i s_i$, and we write $t \to_\Phi s$. □
Let us consider the trs R = {d : f(x) → g(x), d′ : g(x) → x}. Then the infinite set of redexes $\Phi = \{(1^i, d) \mid i < \omega\} = \{(\varepsilon, d), (1, d), \ldots\}$ can be applied to the infinite term $t = f^\omega = \bigsqcup_i f^i(\bot)$.
Proposition 18 (infinite parallel reduction is well-defined). In the hypotheses of Definition 17: 1. For each i < ω, $s_i \le s_{i+1}$; i.e., $\{s_i\}_{i<\omega}$ is a chain.
From infinite parallel rewriting, rational rewriting can be easily recovered by suitably restricting the class of infinite sets of redexes which can be applied to a given rational term.
Definition 19 (rational term rewriting). Let R = (Σ, L, R) be an orthogonal trs over X, and let $\bar\Sigma = \Sigma \uplus \{\bar f \mid f \in \Sigma\}$ be an auxiliary signature. For a set of redexes Φ in a term t, the associated marked term $t_\Phi$ is a term over $(\bar\Sigma, X)$ defined by the following clauses: $t_\Phi(w) = \bar f$ if (w, d) ∈ Φ and t(w) = f; $t_\Phi(w) = t(w)$ otherwise. A set of redexes Φ of a rational term t is rational if the associated marked term $t_\Phi$ is rational [21]. A parallel reduction $t \to_\Phi s$ is rational if so is Φ. □

Thus $t_\Phi$ is obtained by marking in t all the operators which are the root of a redex in Φ. It is rather easy to prove that if Φ is a rational set of redexes of a term t and $t \to_\Phi s$, then also s is rational. The main result of this section shows that the rewriting of -terms is sound with respect to the rational rewriting of rational terms.
Theorem 20 (soundness of -rewriting w.r.t. rational rewriting). Let R be an orthogonal trs. (1) If Φ is a finite set of -redexes of a -term t and $t \to_\Phi s$, then there is a rational set of redexes U(Φ) such that $[t] \to_{U(\Phi)} [s]$. (2) If Φ is a rational set of redexes of a term t, then there is a -term F(t, Φ)⁵ and a finite set of -redexes M(t, Φ) such that [F(t, Φ)] = t, $F(t, \Phi) \to_{M(t, \Phi)} s'$, and [s′] = s.
Proof outline. (1) The rational set of redexes U(Φ) is determined by taking the marked -term $t_\Phi$ (in the sense of Definition 19), by unfolding it, obtaining the marked rational term $[t_\Phi]$, and by considering all redexes of [t] whose roots are in correspondence with the marked nodes of $[t_\Phi]$. Next suppose that $[t] \to_{U(\Phi)} s'$, i.e., according to Definition 17, that there is a chain of finite terms $t_0 \le t_1 \le t_2 \le \cdots$ having [t] as lub and satisfying suitable conditions with respect to U(Φ), such that $t_i \to_{\Phi_i} s_i$ for all i < ω, and $s' = \bigcup_i s_i$.
Corollary 21. For an orthogonal trs R, the rewrite relation induced on rational terms by rational term rewriting of Definition 19 coincides with the rewrite relation induced by -term rewriting, modulo the axioms of Definition 6. □
In our opinion, this result provides a completely satisfactory interpretation (or "semantics") of the rewriting of -terms, expressed via a suitable notion of rewriting of the corresponding unfoldings.
4 Rational Rewriting, Algebraically

In this section we introduce (one-step) preiteration and rational rewriting logic, exploiting the rewriting logic formalism proposed in [25] for reasoning in logical terms about rewriting. Such logics will be presented in the form of sequent calculi, via deduction rules which allow one to generate sequents. The one-step preiteration and rational rewriting logics are shown to specify sequents which are in one-to-one correspondence with -term and rational reductions, respectively. The added value of this approach is that not only the terms, but also the reductions are now endowed with an algebraic structure (using suitable proof terms), and this allows us to obtain a more precise relationship between -term and rational rewriting with respect to Corollary 21. Intuitively, using the notation of point (1) of Theorem 20, one would like to identify two sets of -redexes Φ and Φ′ in equivalent (but distinct) -terms t and t′ if the induced rational sets of redexes coincide, i.e., if U(Φ) = U(Φ′). Interestingly, this can be obtained in the rewriting logic framework by providing the proof terms denoting -term reductions with a pre-iteration structure, and by imposing on them exactly the same axioms of Definition 6. Space constraints forbid us to introduce the deduction rules for sequential composition, which allow one to derive sequents which model many-step reductions (as done for example in [25, 9]). This will be included in the full version of the paper: we just discuss in the concluding section the relevance of this extension.

⁵ For example, if $t = f^\omega$, d : f(f(y)) → g(y), and $\Phi = \{(1(11)^i, d) \mid i < \omega\}$, then $t_\Phi = f(\bar f(f(\bar f(\ldots))))$. In this case we cannot take t′ = x.f(f(x)) (even if [t′] = t), because there is no redex rooted at f (indeed, the redex would "cross" the operator), but we can take instead t′ = f(x.f(f(x))).
Definition 22 (rewriting sequents). Let R = (Σ, L, R) be an orthogonal trs over X. Let $\Sigma_R = \bigcup_n \Sigma_n$ be the signature containing all the rules d : l → r ∈ R with the corresponding arity given by the number of variables in d: more precisely, for each n, $\Sigma_n = \{d \mid d(x_1, \ldots, x_n) : l(x_1, \ldots, x_n) \to r(x_1, \ldots, x_n) \in R\}$. A proof term is a -term of the preiteration algebra $T_R(X) = T_{\Sigma \cup \Sigma_R}(X)$ (we assume that there are no clashes of names between the two sets of operators). A (rewriting) sequent is a triple ⟨α, t, s⟩ (usually written as α : t → s) where α is a proof term and t, s ∈ T(X). A sequent is closed if the associated proof term is so. For a given term t and a finite substitution $\sigma = \{x_1/t_1, \ldots, x_n/t_n\}$, we usually write $t(t_1, \ldots, t_n)$ for σt. □

Definition 23 (one-step preiteration rewriting logic). Let R = (Σ, L, R) be a trs over X. We say that R entails the sequent α : t → s if it can be obtained by a finite number of applications of the following rules of deduction:

(reflexivity)
$$\frac{x \in X}{x : x \to x}$$

(instantiation)
$$\frac{d : l \to r \in R,\quad d \in \Sigma_n,\quad \alpha_i : t_i \to s_i \text{ for } i = 1, \ldots, n}{d(\alpha_1, \ldots, \alpha_n) : l(t_1, \ldots, t_n) \to r(s_1, \ldots, s_n)}$$

(congruence)
$$\frac{f \in \Sigma_n,\quad \alpha_i : t_i \to s_i \text{ for } i = 1, \ldots, n}{f(\alpha_1, \ldots, \alpha_n) : f(t_1, \ldots, t_n) \to f(s_1, \ldots, s_n)}$$

(recursion)
$$\frac{\alpha : t \to s,\quad x \in X}{x.\alpha : x.t \to x.s}$$ □
The class of sequents entailed by R induces a set-theoretical rewrite relation over terms, simply obtained by dropping the proof term of a sequent. Rule reflexivity is self-explaining: it allows any variable to be rewritten into itself, that is, to play an idle rôle during a rewriting step. Both recursion and congruence state that the rewrite relation is also compatible with respect to the algebraic structure, since it is closed under contexts. Maybe the most interesting rule is instantiation: first, it implies that the transition relation is stable, that is, it is closed under substitutions. But the associated sequent also describes the simultaneous execution of nested rewrites: two subterms matching the left-hand sides of two rules can be rewritten simultaneously, in parallel, provided they do not overlap (and this is always the case for orthogonal systems).
Proposition 24 (sequents and parallel -term rewriting). Let R be an orthogonal trs. (1) If R entails a closed sequent α : t → s, then there is a set of -redexes $\hat\Phi(\alpha)$ such that $t \to_{\hat\Phi(\alpha)} s$ (according to the parallel rewriting of Definition 16). (2) Vice versa, if Φ is a set of -redexes of t and $t \to_\Phi s$, then there is a closed proof term $\hat\alpha(\Phi)$ such that R entails the sequent $\hat\alpha(\Phi) : t \to s$. (3) Functions $\hat\Phi$ and $\hat\alpha$ are inverse to each other. □
Exploiting Theorem 7, we could easily obtain a description of the rewriting of rational terms by considering "abstract" sequents of the form α : [t] → [s] for each sequent α : t → s entailed by a trs R. However, using Theorem 20 we could obtain a result relating such sequents with the reduction of rational sets of redexes that is weaker than the last proposition, because the bijective correspondence would not hold. To ensure such a bijection we need to consider proof terms modulo the axioms of iteration algebras as well.
Definition 25 (one-step rational rewriting logic). A rational sequent has the form α : t → s, where α is a rational proof term (i.e., a rational term in $RT_{\Sigma \cup \Sigma_R}(X)$), and t, s ∈ RT(X). A trs R entails the rational sequent α : t → s if it entails a sequent α′ : t′ → s′ (according to Definition 23) such that α = [α′], t = [t′], and s = [s′]. A sequent is closed if so is its proof term. □
This definition of rational sequent allows us to lift the result of Proposition 24 to rational rewriting.
Proposition 26 (rational sequents and rational rewriting). Let R be an orthogonal trs. (1) If R entails a closed rational sequent α : t → s, then there is a rational set of redexes $\hat\Phi(\alpha)$ such that $t \to_{\hat\Phi(\alpha)} s$ (according to the rational rewriting of Definition 19). (2) Vice versa, if Φ is a rational set of redexes of t and $t \to_\Phi s$, then there is a closed rational proof term $\hat\alpha(\Phi)$ such that R entails the rational sequent $\hat\alpha(\Phi) : t \to s$. (3) Functions $\hat\Phi$ and $\hat\alpha$ are inverse to each other. □
5 Discussion and Future Work

The main result presented in this paper is the fact that the parallel rewriting of -terms (defined in a very natural way) provides a faithful implementation for rational term rewriting, i.e., for the parallel reduction of a possibly infinite (but rational) set of redexes in a rational term. Some notions introduced here should be compared with the corresponding ones in [20], even if the focus of the papers is different. The notion of -term rewriting of [20] is quite different from ours, firstly because rewriting is defined essentially modulo =-equivalence, and secondly, and more importantly, because it is not allowed to rewrite a subterm t′ of a -term t if t′ contains a free variable which is bound in t. For example, rule f(y) → g(y) cannot be applied to the subterm f(x) of x.f(x). Furthermore, x.x is not considered as a legal -term. Such restrictions are motivated by the authors by potential problems that collapsing rules could cause. Recalling the discussion in the Introduction about the collapsing rule g(y) → y, we can safely claim that such problems are due to the (implicit) use of the infinitary extension of term rewriting proposed in [22] as reference model for the theory of -term rewriting of the mentioned paper. In fact, such problems simply disappear using the theory of infinite parallel rewriting presented in [7], which provides a satisfactory interpretation for the -term x.x, as well as for the reduction of hypercollapsing towers. Closer to the soundness result of Section 3 are the adequacy results relating term graph rewriting and rational term rewriting proposed in [21] and [8]. In fact, possibly cyclic finite term graphs can be considered as an alternative finite representation of rational terms, where also "horizontal sharing" is allowed.
In [21], the notion of adequacy between rewriting systems is introduced, which is essentially equivalent to soundness plus a form of partial completeness.⁶ In the same paper, an adequacy result between term graph rewriting and rational term rewriting defined using [22] is presented; however, the result is restricted to the case of systems with at most one collapsing rule, or modulo hypercollapsing towers. In [8] instead, rational rewriting is defined exactly as in this paper, and it is shown that cyclic term graph rewriting using the algebraic approach is adequate for it, even in the presence of collapsing rules.

In the last section we showed essentially that the main result of the paper can be rephrased in a very elegant way by making explicit the algebraic structure of the one-step reductions (using proof terms). Recall that, by Theorem 7, rational terms are =-equivalence classes of -terms. Giving to one-step reductions of terms in an obvious way a -term structure over a suitable signature, we are able to recover rational rewriting by imposing the congruence = on proof terms as well. In other words, the relationship between -term and rational one-step rewriting is obtained simply by lifting the relationship between the corresponding classes of terms to the level of reductions. And one can go further, by lifting the same relationship to the level of rewriting sequences; due to space limitations the results we sketch here will appear in the full paper only. Full rewriting logic introduces a binary operator modeling sequential composition, and lifts the same algebraic structure of one-step reductions to whole derivations as well. The resulting structure provides a bridge between the standard presentation of rewriting and categorical models based on 2-categories as proposed for example in [26, 27], where arrows represent terms and cells represent rewriting sequences. As in the case of the "one-step" variants, we can consider both (full) preiteration and rational rewriting logic, and the corresponding categorical presentations based on preiteration and iteration 2-categories, respectively [5]. Furthermore, it can be shown that they can be generated via a free construction from a suitable representation of a term rewriting system as a suitable computad. Finally, we mention that the formal framework just described, consisting in lifting the algebraic structure of terms to the level of reductions and of rewriting sequences and obtaining in this way categorical models, provides one interesting application of the general methodology for the semantics of structured transition systems proposed in [10].

⁶ As a concrete example, the result presented in Theorem 20, which is actually stronger than a soundness result by point (2), could be rephrased as "parallel -term rewriting is adequate for rational term rewriting".
References

1. A. Arnold and M. Nivat. The metric space of infinite trees. Algebraic and topological properties. Fundamenta Informaticae, 4:445–476, 1980.
2. S. Bloom. Varieties of ordered algebras. Journal of Computer and System Science, 13:200–210, 1976.
3. S. Bloom and Z. Ésik. Iteration Theories. EATCS Monographs on Theoretical Computer Science. Springer Verlag, 1993.
4. S. Bloom and Z. Ésik. Solving polynomial fixed point equations. In Mathematical Foundations of Computer Science, volume 841 of LNCS, pages 52–67. Springer Verlag, 1994.
5. S.L. Bloom, Z. Ésik, A. Labella, and E.G. Manes. Iteration 2-theories. In Proceedings AMAST'97, 1997. To appear.
6. G. Boudol. Computational semantics of term rewriting systems. In M. Nivat and J. Reynolds, editors, Algebraic Methods in Semantics, pages 170–235. Cambridge University Press, 1985.
7. A. Corradini. Term rewriting in CT. In Proceedings CAAP '93, volume 668 of LNCS, pages 468–484. Springer Verlag, 1993.
8. A. Corradini and F. Drewes. (Cyclic) term graph rewriting is adequate for rational parallel term rewriting. Technical Report TR-97-14, Dipartimento di Informatica, Pisa, 1997.
9. A. Corradini and F. Gadducci. CPO models for infinite term rewriting. In Algebraic Methodology and Software Technology, volume 936 of LNCS, pages 368–384. Springer Verlag, 1995.
10. A. Corradini and U. Montanari. An algebraic semantics for structured transition systems and its application to logic programs. Theoret. Comput. Sci., 103:51–106, 1992.
11. N. Dershowitz and S. Kaplan. Rewrite, rewrite, rewrite, rewrite, rewrite… In Proc. POPL'89, Austin, pages 250–259, 1989.
12. N. Dershowitz, S. Kaplan, and D.A. Plaisted. Infinite normal forms (plus corrigendum). In Proc. ICALP'89, pages 249–262, 1989.
13. C.C. Elgot. Monadic computations and iterative algebraic theories. In Logic Colloquium 1973, volume 80 of Studies in Logic, pages 153–169. North Holland, 1975.
14. C.C. Elgot, S.L. Bloom, and R. Tindell. The algebraic structure of rooted trees. Journal of Computer and System Science, 16:362–399, 1978.
15. W.M. Farmer, J.D. Ramsdell, and R.J. Watro. A correctness proof for combinator reduction with cycles. ACM Trans. Program. Lang. Syst., 12:123–134, 1990.
16. W.M. Farmer and R.J. Watro. Redex capturing in term graph rewriting. In R.V. Book, editor, Proceedings of the 4th International Conference on Rewriting Techniques and Applications (RTA'91), volume 488 of LNCS, pages 13–24. Springer Verlag, 1991.
17. S. Ginali. Regular trees and the free iterative theory. Journal of Computer and System Science, 18:222–242, 1979.
18. J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Some fundamentals of order-algebraic semantics. In Mathematical Foundations of Computer Science, volume 45 of LNCS, pages 153–168. Springer Verlag, 1976.
19. J.A. Goguen, J.W. Thatcher, E.G. Wagner, and J.B. Wright. Initial algebra semantics and continuous algebras. Journal of the ACM, 24:68–95, 1977.
20. P. Inverardi and M. Venturini-Zilli. Rational rewriting. In Mathematical Foundations of Computer Science, volume 841 of LNCS, pages 433–442. Springer Verlag, 1994.
21. J.R. Kennaway, J.W. Klop, M.R. Sleep, and F.J. de Vries. On the adequacy of graph rewriting for simulating term rewriting. ACM Trans. Program. Lang. Syst., 16:493–523, 1994.
22. J.R. Kennaway, J.W. Klop, M.R. Sleep, and F.J. de Vries. Transfinite reductions in orthogonal term rewriting systems. Information and Computation, 119:18–38, 1995.
23. C. Laneve and U. Montanari. Axiomatizing permutation equivalence in the λ-calculus. Mathematical Structures in Computer Science, 6:219–249, 1996.
24. F.W. Lawvere. Functorial semantics of algebraic theories. Proc. National Academy of Science, 50:869–872, 1963.
25. J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoret. Comput. Sci., 96:73–155, 1992.
26. A.J. Power. An abstract formulation for rewrite systems. In Proceedings Category Theory in Computer Science, volume 389 of LNCS, pages 300–312. Springer Verlag, 1989.
27. D.E. Rydeheard and J.G. Stell. Foundations of equational deductions: A categorical treatment of equational proofs and unification algorithms. In Proceedings Category Theory in Computer Science, volume 283 of LNCS, pages 114–139. Springer Verlag, 1987.
The Appearance of Big Integers in Exact Real Arithmetic Based on Linear Fractional Transformations⋆

Reinhold Heckmann, FB 14 – Informatik, Universität des Saarlandes, Postfach 151150, D-66041 Saarbrücken, Germany, [email protected]
Abstract. One possible approach to exact real arithmetic is to use linear fractional transformations to represent real numbers and computations on real numbers. In this paper, we show that the bit sizes of the (integer) parameters of nearly all transformations used in computations are proportional to the number of basic computational steps executed so far. Here, a basic step means consuming one digit of the argument(s) or producing one digit of the result.
1 Introduction
Linear Fractional Transformations (LFT's) provide an elegant approach to real number arithmetic [8,16,11,14,12,6]. One-dimensional LFT's $x \mapsto \frac{ax+c}{bx+d}$ are used as digits and to implement basic functions, while two-dimensional LFT's $(x, y) \mapsto \frac{axy+cx+ey+g}{bxy+dx+fy+h}$ provide binary operations such as addition and multiplication, and can be combined to infinite expression trees denoting transcendental functions. In Section 2, we present the details of the LFT approach. This provides the background for understanding the results in the remainder of this paper. LFT's can be modelled within linear algebra. If the four parameters of a one-dimensional LFT are written as a (2,2)-matrix (shortly called matrix), functional composition becomes matrix multiplication. Likewise, the eight parameters of a two-dimensional LFT can be written as a (2,4)-matrix (called tensor). We refer to matrices and tensors collectively as transforms. Basic computational steps such as consuming one digit of the argument(s) (absorption) or producing one digit of the result (emission) can be realised as variants of matrix multiplication applied to a transform and a digit matrix. Usually, all the transforms used in real number arithmetic have integer components. Naively, one may think that these components become bigger by absorptions, and become smaller again by emissions. Technically, the components may decrease by reduction, i.e., division of all components of the transform by a common factor; as transforms denote rational functions, reduction does not affect their semantics. Practical experiments have shown, however, that in most cases, the potential for reduction is negligible. The greatest common factor of the components of a transform is usually 1, and in nearly all of the remaining cases, it is just 2. In Sections 3 and 4, we show some upper and lower bounds for common factors. The full proof of the practically observed behaviour is obtained later (Corollary 2 in Section 6.4). Practical experiments have also shown that in most cases, the bit size of the entries of a transform is roughly equal to the number of emitted digits. The main contribution of this paper is the formalisation (and of course proof) of these practical observations. First, we derive upper bounds for the sizes of the entries of a transform in Section 5. In Section 6, lower bounds for the determinant and the size of the biggest entry are obtained in the case of matrices. Tensors are handled in Section 7. Finally, we discuss these results and their impact on the complexity of real number computation.

⋆ Most of the results in this paper were found during a visiting fellowship of the author at Imperial College, London. This visit was organised by Abbas Edalat and funded by EPSRC.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 172–188, 1998. © Springer-Verlag Berlin Heidelberg 1998
2 Exact Real Arithmetic by Linear Fractional Transformations
In this section, we present the framework of exact real arithmetic by LFT's [8,16], [11]. After a general introduction, we specialise to the version used by the group of Edalat and Potts at Imperial College [14,12,13,15,6].

2.1 From Digit Streams to Linear Fractional Transformations
There are many ways to represent real numbers as infinite objects [3,2,4,5]. Here, we are only concerned with representations as infinite streams of "digits". These streams are evaluated incrementally; at any given time, only a finite prefix of the stream is known. There are several different stream representations which can be grouped into two large families: variations of the familiar decimal representation [1,3,2,5,7,11], [10], and continued fraction expansions [8,16,9]. For the first family, consider the usual decimal representation.¹ A number such as 0.142··· can be unravelled from left to right as follows:

$$0.142\cdots = \tfrac{1}{10}(1 + 0.42\cdots);\qquad 0.42\cdots = \tfrac{1}{10}(4 + 0.2\cdots);\qquad 0.2\cdots = \tfrac{1}{10}(2 + 0.\cdots)$$

Thus, every digit d corresponds to an affine map $\alpha_d$ with $\alpha_d(x) = \tfrac{1}{10}(d + x) = \tfrac{x+d}{10}$. A number of the form 0.··· can be any element of the closed interval [0, 1], and so, a number of the form 0.142··· can be any element of the interval $(\alpha_1 \circ \alpha_4 \circ \alpha_2)[0, 1] = [0.142, 0.143]$. In general, the infinite stream $0.d_1 d_2 d_3 \cdots$ represents the unique real number in the intersection $\bigcap_{n=1}^{\infty} (\alpha_{d_1} \circ \cdots \circ \alpha_{d_n})[0, 1]$.

In the classical continued fraction expansion, irrational numbers in the interval [0, ∞] can be written as $a_0 + \cfrac{b_0}{a_1 + \cfrac{b_1}{a_2 + \cdots}}$ with natural numbers $a_n$ and $b_n$. Every pair p = (a, b) corresponds to the rational function $\rho_p$ with $\rho_p(x) = a + \tfrac{b}{x} = \tfrac{ax+b}{x}$. Similar to the case above, an infinite continued fraction corresponds to the intersection $\bigcap_{n=1}^{\infty} (\rho_{p_1} \circ \cdots \circ \rho_{p_n})[0, \infty]$.

The formal similarity between the two approaches presented above leads to the following generalisation [8,16,14,12,13,15,6]: Real numbers in some base interval I are represented by infinite streams of digits. Digits are certain Linear Fractional Transformations (LFT's) $x \mapsto \frac{ax+c}{bx+d}$, parameterised by numbers a, b, c, d (in practical cases usually integers). The meaning of an infinite stream $\tau_1, \tau_2, \ldots$ of LFT's is the intersection $\bigcap_{n=1}^{\infty} (\tau_1 \circ \cdots \circ \tau_n)(I)$. This intersection is filtered (decreasing) if $\tau_n(I) \subseteq I$ holds for all digits $\tau_n$.

¹ This representation is not suitable for practical purposes, as it lacks redundancy, and thus, most arithmetic functions are not computable. However, it provides a familiar example.

2.2 LFT's and Matrices
Every 2-2-matrix $A = \begin{pmatrix} a & c \\ b & d \end{pmatrix}$ of real numbers denotes an LFT ⟨A⟩, which is given by $\langle A\rangle(x) = \frac{ax+c}{bx+d}$. LFT's described by non-singular matrices, i.e., matrices A with determinant det A = ad − bc ≠ 0, are considered as endofunctions of ℝ* = ℝ ∪ {∞}, the one-point compactification of the real line. The value ∞ arises as r/0 with r ≠ 0, and on the other hand, ⟨A⟩(∞) is defined to be a/b. For LFT's described by singular matrices, an additional 'number' ⊥ (undefined) is needed which arises as 0/0. The value of ⟨A⟩(⊥) is defined to be ⊥. The mapping A ↦ ⟨A⟩ is not one-to-one; for, ⟨A⟩ = ⟨rA⟩ holds for all r ≠ 0. We shall write A ≅ B if ⟨A⟩ = ⟨B⟩, or equivalently B = rA for some r ≠ 0. Composition of LFT's can be expressed by matrix multiplication: ⟨A⟩ ∘ ⟨B⟩ = ⟨A · B⟩. The equivalence relation '≅' is a congruence w.r.t. multiplication. The determinant det A is a well-known property of a matrix A.

$$\det\begin{pmatrix} a & c \\ b & d \end{pmatrix} = ad - bc \qquad \det(A \cdot B) = \det A \cdot \det B \qquad \det(rA) = r^2 \det A \qquad (1)$$

By the last equation, the determinant of a matrix is not invariant under equivalence '≅', but its sign (1, 0, or −1) is, i.e., the sign of the determinant of A is a well-defined property of the LFT ⟨A⟩. LFT's with non-zero determinant (non-singular LFT's) are invertible; $\langle A\rangle^{-1}$ is given by $\langle A^{-1}\rangle$. Thus, non-singular LFT's form a group under composition. A rational LFT is an LFT which can be represented by a matrix with rational entries, and therefore even by an integer matrix. As ⟨A⟩ = ⟨kA⟩ for k ≠ 0, there are infinitely many integer matrices denoting the same rational LFT. An integer matrix is called k-reducible if k is a common factor of its four components. Division of a k-reducible matrix by k is called reduction by k. A matrix is in lowest terms if there is no common factor other than 1 and −1. All integer matrices different from $\begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}$ are equivalent to an integer matrix in lowest terms.

To obtain an integer representation of $\langle A\rangle^{-1}$ for a non-singular integer matrix A, the pseudo-inverse A* can be used. It is defined by

$$\begin{pmatrix} a & c \\ b & d \end{pmatrix}^{*} = \begin{pmatrix} d & -c \\ -b & a \end{pmatrix} \qquad (2)$$

Clearly, det(A*) = det A holds. The main property of the pseudo-inverse operation is

$$A \cdot A^{*} = A^{*} \cdot A = \det A \cdot E \qquad (3)$$

where $E = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ is the identity matrix, and so, A · A* ≅ A* · A ≅ E if det A ≠ 0, whence $\langle A\rangle^{-1} = \langle A^{*}\rangle$.

2.3 The Signed Digit Approach
The group of Edalat and Potts at Imperial College [13,6] represents the elements of ℝ* = ℝ ∪ {∞} as infinite streams of matrices $S, D_1, D_2, \ldots$, standing for LFT's. The first matrix is a sign matrix, while the remaining ones are digit matrices. The base interval is [0, ∞], and so, the meaning of the stream is

$$\bigcap_{n=1}^{\infty} \langle S \cdot D_1 \cdot \ldots \cdot D_n\rangle[0, \infty]. \qquad (4)$$

The base interval [0, ∞] was chosen because there is a simple check for the inclusion property [14]: for a non-singular matrix A, ⟨A⟩([0, ∞]) ⊆ [0, ∞] holds iff all four entries of A are ≥ 0, or all are ≤ 0. Matrices with entries ≥ 0 are called positive. Digit matrices are positive, and so, the intersection (4) is filtered (decreasing).

The number set ℝ* can be visualised as a circle. Intervals [u, v] are counter-clockwise arcs from u to v, e.g., [0, 1] = {x ∈ ℝ | 0 ≤ x ≤ 1}, and [1, 0] = {x ∈ ℝ | 1 ≤ x or x ≤ 0} ∪ {∞}.

[Figure: ℝ* drawn as a circle, with the points 0, 1, ∞ and −1 marked on it.]

There are four possible sign matrices, corresponding to rotations by 0°, 90°, 180°, and 270°. They can be explicitly described as follows:

$$S_{+} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},\ \langle S_{+}\rangle[0, \infty] = [0, \infty]; \qquad S_{\infty} = \begin{pmatrix} 1 & 1 \\ -1 & 1 \end{pmatrix},\ \langle S_{\infty}\rangle[0, \infty] = [1, -1];$$

$$S_{-} = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix},\ \langle S_{-}\rangle[0, \infty] = [\infty, 0]; \qquad S_{0} = \begin{pmatrix} 1 & -1 \\ 1 & 1 \end{pmatrix},\ \langle S_{0}\rangle[0, \infty] = [-1, 1].$$

$S_0$ and $S_\infty$ are pseudo-inverse to each other; $S_0 \cdot S_\infty = S_\infty \cdot S_0 = 2E$ holds. There are many possible sets of digit matrices, one for every base r > 1. Edalat and Potts [6] discuss non-integer bases, but their implementation uses base r = 2. In this paper, we consider integer bases r > 1.
Fix an integer r > 1. Every real number in the interval [−1, 1] has a representation as $\sum_{n=1}^{\infty} k_n r^{-n}$ with integer digits $k_n$ satisfying $|k_n| < r$. (Digits may be negative [1].) As in Section 2.1, these digits correspond to affine maps $\alpha^r_k = \langle A^r_k\rangle$ with $A^r_k = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix}$. Since the base interval is not [−1, 1], but [0, ∞], the maps $\alpha^r_k$ have to be transformed into that interval. This can be done by composition with the maps $\langle S_\infty\rangle$ and $\langle S_0\rangle$, which are mutually inverse bijections between [−1, 1] and [0, ∞]. Thus, the actual digit matrices are

$$D^r_k = S_\infty \cdot A^r_k \cdot S_0 = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix}. \qquad (5)$$

Since the two entries in the top row differ by 2, these matrices are either in lowest terms or 2-reducible. The latter case occurs iff the parities of r and k are different. In this case, reduction by 2 may be performed. Hence, we distinguish between unreduced digits $D^r_k$ and reduced digits $\tilde D^r_k = \tfrac{1}{2} D^r_k$. Table 1 illustrates the case r = 2. In the column "lowest terms", the first and third matrix (k ≠ 0) are reduced, while the second matrix (k = 0) is unreduced.

Table 1. Digit matrices for base 2 (matrices written row by row, rows separated by semicolons)

 k | A^2_k       | D^2_k       | lowest terms | ⟨D^2_k⟩([0, ∞])
−1 | (1 −1; 0 2) | (2 0; 2 4)  | (1 0; 1 2)   | [0, 1]
 0 | (1 0; 0 2)  | (3 1; 1 3)  | (3 1; 1 3)   | [1/3, 3]
 1 | (1 1; 0 2)  | (4 2; 0 2)  | (2 1; 0 1)   | [1, ∞]

2.4 Computation by LFT's
LFT's can not only be used to represent real numbers, but also to perform computations with real numbers. For the sake of simplicity, we only present computations within the interval $[0, \infty]$, where real numbers can be represented by a stream of digit matrices without a leading sign matrix. Using suitable LFT's $x \mapsto \frac{ax+c}{bx+d}$, basic functions such as $x \mapsto x + 1$, $x \mapsto 2x$, and $x \mapsto \frac1x$ can be easily expressed. Recall that an LFT maps $[0, \infty]$ into itself iff it can be represented by a positive matrix (all components $\ge 0$). Given a positive matrix $M$, the actual computation of $\langle M\rangle(x)$ is performed by a sequence of absorptions and emissions. Absorption means that $M$ consumes the first digit $D$ of $x$, thereby becoming $M \cdot D$, which is positive again. It corresponds to the equality
$$M \cdot (D_1 \cdot D_2 \cdot \ldots) = (M \cdot D_1) \cdot (D_2 \cdot \ldots) . \qquad (6)$$
Emission means that $M$ produces one further digit $D$ of the result, thereby becoming $D^* \cdot M$. It corresponds to the equivalence
$$(D_1 \cdot \ldots \cdot D_n) \cdot M \cong (D_1 \cdot \ldots \cdot D_n \cdot D) \cdot (D^* \cdot M) . \qquad (7)$$
Emission of a digit $D$ is allowed only if $D^* \cdot M$ is positive. Therefore, a possible strategy for the computation of $\langle M\rangle(x)$ is as follows: emit digits until no further emission is possible, then absorb one digit of $x$, again emit digits until no longer possible, etc.

2.5 Tensors
To compute sums, products, etc., two-dimensional LFT's are employed. They are characterised by 8 parameters, and thus can be represented by $2 \times 4$-matrices, so called tensors. A tensor $T = \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix}$ denotes the function $\langle T\rangle : \mathbb{R}^*_\bot \times \mathbb{R}^*_\bot \to \mathbb{R}^*_\bot$ given by $\langle T\rangle(x, y) = \frac{axy + cx + ey + g}{bxy + dx + fy + h}$. For integer tensors, the notions of reducible, reduction, and lowest terms can be defined analogous to the case of matrices. Likewise for positivity: a two-dimensional LFT maps $[0, \infty]^2$ to $[0, \infty]_\bot$ iff it can be represented by a positive tensor, i.e., a tensor with components $\ge 0$. Because of these analogies, we refer to matrices and tensors collectively as transforms. It is easy to represent addition, subtraction, multiplication, and division by suitable integer tensors [8,16,14,12,13]. Tensors may also be used to represent transcendental functions, e.g., $\arctan x = \langle T_0\rangle(x, \langle T_1\rangle(x, \langle T_2\rangle(x, \ldots)))$ where $T_n = \begin{pmatrix} 0 & 1 & 0 & 0 \\ (n+1)^2 & 0 & 0 & 2n+1 \end{pmatrix}$. It remains to show how to actually compute $\langle T\rangle(x, y)$ for a given positive integer tensor $T$ [12,13]. Emissions can be done as in the one-dimensional case: in emitting a digit $D$, tensor $T$ is replaced by $D^* \cdot T$, which is a tensor again. Emission of $D$ is only allowed if $D^* \cdot T$ is positive. Since digits can be absorbed from both arguments, there are two kinds of absorptions: absorption of a digit $D$ from the left argument transforms $T$ into $T \cdot L(D)$, while absorption from the right argument yields $T \cdot R(D)$. Here, $L(D)$ means $D \otimes E$, and $R(D)$ means $E \otimes D$. An explicit definition of these operations looks as follows:
$$L\begin{pmatrix} a & c \\ b & d \end{pmatrix} = \begin{pmatrix} a & 0 & c & 0 \\ 0 & a & 0 & c \\ b & 0 & d & 0 \\ 0 & b & 0 & d \end{pmatrix}, \qquad R\begin{pmatrix} a & c \\ b & d \end{pmatrix} = \begin{pmatrix} a & c & 0 & 0 \\ b & d & 0 & 0 \\ 0 & 0 & a & c \\ 0 & 0 & b & d \end{pmatrix} . \qquad (8)$$
They satisfy the following equations:
$$L(A \cdot B) = L(A) \cdot L(B), \qquad R(A \cdot B) = R(A) \cdot R(B), \qquad (9)$$
$$L(E) = R(E) = E_4, \qquad L(A) \cdot R(B) = R(B) \cdot L(A), \qquad (10)$$
where $E_4$ denotes the identity $4 \times 4$-matrix.
Right absorption can be easily expressed with block matrices. Observe $R(A) = \begin{pmatrix} A & 0 \\ 0 & A \end{pmatrix}$ where the four entries are matrices. Likewise, a tensor can be written as a row $(T^L, T^R)$ of two matrices, and so
$$(T^L, T^R) \cdot R(A) = (T^L A, T^R A) . \qquad (11)$$
Left and right absorption are closely connected. Let $T^\times$ be $T$ with the two middle columns exchanged. Then
$$(T \cdot L(D))^\times = T^\times \cdot R(D), \qquad (T \cdot R(D))^\times = T^\times \cdot L(D) . \qquad (12)$$
Later, we shall see that D-emissions and D-absorptions have many properties in common. Thus, we introduce a common name: a D-transaction at a transform is either a D-emission or a D-absorption.
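As an added worked example (my code, not the authors' implementation), the following Python runs the one-dimensional scheme of Section 2.4 with the base-r digit matrices of Section 2.3: a matrix emits every digit whose emission is admissible and otherwise absorbs one digit of its argument. The paper does not say how the digit stream of a given number is produced; the `digits` generator below is my own choice (take the largest digit whose arc contains the number), and the halving and add-one matrices are the ones named on the page.

```python
from fractions import Fraction
from itertools import islice
from math import gcd

# Matrices are row-major lists: [[a, c], [b, d]] is the LFT x -> (a*x + c)/(b*x + d),
# the layout the paper uses for (a c; b d).

def matmul(m, n):
    """Integer matrix product (also works for the 2x4 tensors of Section 2.5)."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*n)] for row in m]

def lowest_terms(m):
    """Divide all entries by their gcd (the paper's 'reduction')."""
    g = 0
    for row in m:
        for x in row:
            g = gcd(g, x)
    return [[x // g for x in row] for row in m]

def pseudo_inverse(m):
    """M^* = (d -c; -b a), so that M^* . M = det M . E (equation (3))."""
    (a, c), (b, d) = m
    return [[d, -c], [-b, a]]

def positive(m):
    """<M> maps [0, inf] into itself iff all entries are >= 0 (Section 2.3)."""
    return all(x >= 0 for row in m for x in row)

def digit(r, k):
    """Digit matrix D_k^r of equation (5) in lowest terms, for |k| < r."""
    assert abs(k) < r
    return lowest_terms([[r + k + 1, r + k - 1], [r - k - 1, r - k + 1]])

def digits(x, r):
    """Infinite base-r digit stream of a rational x >= 0 (my choice of digit selection).

    <D_k>[0, inf] starts at <D_k>(0) = c/d, and its right end equals the left end of
    <D_{k+2}>[0, inf]; taking the largest k with c/d <= x therefore keeps x strictly
    below the right end, so the remainder <D_k^*>(x) stays a finite rational.
    """
    x = Fraction(x)
    while True:
        for k in range(r - 1, -r, -1):
            (a, c), (b, d) = digit(r, k)
            if x >= Fraction(c, d):
                yield k
                x = (d * x - c) / (a - b * x)   # x <- <D_k^*>(x)
                break

def transform(m, r, xs, n):
    """First n base-r digits of <m>(x) by the strategy of Section 2.4: emit every digit
    whose emission is admissible (D^* . M positive, equation (7)), otherwise absorb one
    digit of x (M . D, equation (6)). Returns the digits and the final matrix."""
    out = []
    while len(out) < n:
        for k in range(-(r - 1), r):
            cand = matmul(pseudo_inverse(digit(r, k)), m)
            if positive(cand):
                m = lowest_terms(cand)
                out.append(k)
                break
        else:
            m = lowest_terms(matmul(m, digit(r, next(xs))))
    return out, m

def interval(ks, r):
    """<D_k1 ... D_kn>[0, inf] as (lo, hi); hi = None stands for infinity."""
    m = [[1, 0], [0, 1]]
    for k in ks:
        m = lowest_terms(matmul(m, digit(r, k)))
    (a, c), (b, d) = m
    return Fraction(c, d), (Fraction(a, b) if b else None)

HALVE = [[1, 0], [0, 2]]      # x -> x/2   (Section 6.5)
ADD_ONE = [[1, 1], [0, 1]]    # x -> x + 1 (Section 6.5)

if __name__ == "__main__":
    print(list(islice(digits(1, 2), 6)))              # a base-2 digit stream of 1
    out, state = transform(HALVE, 2, digits(1, 2), 6)
    print(out, interval(out, 2), state)               # digits of 1/2, enclosing arc, matrix
    out, _ = transform(ADD_ONE, 2, digits(1, 2), 6)
    print(out, interval(out, 2))                      # digits of 2
```

Note how the entries of the final matrix have already grown to three digits after a handful of transactions, which is what Sections 3 to 6 quantify.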
3 Small Factors
After a transaction at a transform in lowest terms, the entries of the result may have a non-trivial common factor. The most drastic example is $D^* \cdot D = \det D \cdot E$ for a digit matrix $D$. Yet apart from this, practical experience shows that common factors are usually quite small. The goal of this section is to find bounds for such factors. We start off with a property involving determinants.

Proposition 1. Let $A$ be a matrix, and let $B$ be a transform in lowest terms. Then every common factor of the entries of $A \cdot B$ divides $\det A$.

Proof. Let $g$ be a common factor of $A \cdot B$, i.e., $A \cdot B = gC$ for some transform $C$. We may compute, using (3):
$$g \cdot (A^* \cdot C) = A^* \cdot gC = A^* \cdot A \cdot B = (\det A \cdot E) \cdot B = (\det A) \cdot B .$$
Hence, $g$ divides $(\det A) \cdot B$. Since $B$ is in lowest terms, $g$ must divide $\det A$. □
For matrices, there is a dual statement with an analogous proof, so that we obtain:

Theorem 1. Let $A$ and $B$ be matrices in lowest terms. Then every common factor of $A \cdot B$ divides both $\det A$ and $\det B$.

There is a similar statement for the two versions of multiplying a tensor and a matrix:

Proposition 2. Let $T$ be a tensor in lowest terms, and $M$ an arbitrary matrix. Then every common factor of $T \cdot L(M)$ or $T \cdot R(M)$ divides $\det M$.

Proof. We consider the $L$ case; the other one is analogous. If $T \cdot L(M) = gC$ for some tensor $C$, then, by (9), (3) and (10),
$$g \cdot (C \cdot L(M^*)) = T \cdot L(M) \cdot L(M^*) = T \cdot L(M \cdot M^*) = T \cdot L(\det M \cdot E) = T \cdot (\det M \cdot E_4) = (\det M) \cdot T .$$
Since $T$ is in lowest terms, $g$ divides $\det M$. □
Now, consider a transform $T$ in lowest terms. Let $T'$ be the result of a $D$-absorption at $T$, i.e., $T' = T \cdot D$ if $T$ is a matrix, or $T' \in \{T \cdot L(D), T \cdot R(D)\}$ if $T$ is a tensor. By Theorem 1 and Proposition 2, any common factor of $T'$ divides $\det D$. If $T'$ is the result of a $D$-emission at $T$, i.e., $T' = D^* \cdot T$, then by Prop. 1 any common factor of $T'$ divides $\det D^* = \det D$. Summarising, we obtain:

Theorem 2. Let $T$ be a transform in lowest terms, and $D$ a digit matrix. After a $D$-transaction at $T$, any common factor of the result divides $\det D$.

How big is $\det D$? Recall the definition of the digit matrices for base $r$ from Section 2.3. As $A_k^r = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix}$, $\det A_k^r$ is $r$. Since $\det S_0 = \det S_\infty = 2$, we have $\det D_k^r = \det(S_\infty A_k^r S_0) = 4r$. Therefore, we obtain $\det \tilde D_k^r = r$ for reduced digits $\tilde D_k^r = \frac12 D_k^r$.

Corollary 1. Let $T$ be a transform in lowest terms, and $D$ a digit matrix for base $r$. After a $D$-transaction at $T$, any common factor of the result divides $4r$ if $D$ is unreduced, and even divides $r$ if $D$ is reduced.

Specialising to the case $r = 2$, we see that any common factor of the result divides 2 in case of a transaction with a non-zero digit ($k \ne 0$), and divides 8 in case of $k = 0$. Corollary 2 in Section 6.4 shows that in many cases, the result of Corollary 1 can be strengthened from $4r$ ($r$) to 2 (1), ruling out most reductions.
4 Possibilities for Reductions
In the last section, we have seen that there is not much potential for reductions. Here, we show a result of opposite flavour: certain reductions are always possible. Consider unreduced digit matrices $D_k^r = S_\infty A_k^r S_0$. We have already mentioned that some of them are in lowest terms, while others are 2-reducible; higher reducibilities do not occur. Multiplying two digit matrices yields:
$$D_k^r D_{k'}^{r'} = S_\infty A_k^r S_0 S_\infty A_{k'}^{r'} S_0 = 2 S_\infty A_k^r A_{k'}^{r'} S_0 = 2 D_{kr'+k'}^{rr'} \qquad (13)$$
Here, the second equality is due to $S_0 S_\infty = 2E$, and the third due to
$$A_k^r \cdot A_{k'}^{r'} = \begin{pmatrix} 1 & k \\ 0 & r \end{pmatrix} \cdot \begin{pmatrix} 1 & k' \\ 0 & r' \end{pmatrix} = \begin{pmatrix} 1 & k' + kr' \\ 0 & rr' \end{pmatrix} \qquad (14)$$
together with the estimation $|kr' + k'| \le (r-1)r' + (r'-1) = rr' - 1$. Iterating (13) leads to
$$D_{k_1}^r \cdot \ldots \cdot D_{k_n}^r = 2^{n-1} D_k^{r^n} \quad \text{where } k = \sum_{i=1}^{n} k_i r^{n-i} . \qquad (15)$$
Hence, we obtain:

1. The product of $n$ digit matrices is always $2^{n-1}$-reducible.
2. After $2^{n-1}$-reduction, the result is again a digit matrix, and so it is either in lowest terms or 2-reducible.

The result of applying $n_1$ absorptions and $n_2$ emissions of unreduced digits to a matrix $M$ has the form $A_2^* \cdot M \cdot A_1$ where $A_i$ is a product of $n_i$ digit matrices. Thus, the result has a common factor of $2^{n_1-1} \cdot 2^{n_2-1} = 2^{n_1+n_2-2}$. For a tensor $T$, we obtain a result of the form $A_3^* \cdot T \cdot L(A_2) \cdot R(A_1)$, and thus a common factor of $2^{n_1+n_2+n_3-3}$.

Theorem 3. Let $T_0$ be some initial transform, and $T_n$ the result of applying $n$ transactions with unreduced digits to $T_0$. Then $T_n$ is at least $2^{n-2}$-reducible in case of matrices, and at least $2^{n-3}$-reducible in case of tensors.
5 An Upper Bound for the Entries
Next, we derive an exponential upper bound for the entries of a transform after $n$ transactions. An estimate for the entries is the maximum of their absolute values: $\left\| \begin{pmatrix} a & c \\ b & d \end{pmatrix} \right\| = \max(|a|, |b|, |c|, |d|)$ for matrices, and analogously for tensors, and vectors $\binom{u}{v}$. Let us consider how this norm is affected by emissions. Recall the definition of the digit matrices for base $r$ (Equation (5) in Section 2.3):
$$D_k^r = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix} . \qquad (16)$$
Consider the product of $(D_k^r)^*$ with a vector $\binom{u}{v}$:
$$(D_k^r)^* \binom{u}{v} = \begin{pmatrix} 1-k+r & 1-k-r \\ 1+k-r & 1+k+r \end{pmatrix} \binom{u}{v} = \binom{(1-k)(u+v) + r(u-v)}{(1+k)(u+v) - r(u-v)} \qquad (17)$$
Using $|k| < r$, we obtain
$$\left\| (D_k^r)^* \binom{u}{v} \right\| \le (1 + |k| + r)(|u| + |v|) \le 2r \left\| \binom{u}{v} \right\| \qquad (18)$$
Since the norm of a transform is the maximum of the norms of its column vectors, we obtain $\|(D_k^r)^* \cdot T\| \le 2r\|T\|$ for unreduced digits. For reduced digits, the right hand side is $r\|T\|$.

Now, let us study absorption. For the absorption of a digit into a matrix, it suffices to consider products $(u, v) \cdot D_k^r$ of a row vector and a digit matrix:
$$(u, v) \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix} = \big( r(u+v) + (k+1)(u-v),\; r(u+v) + (k-1)(u-v) \big)$$
By an estimation as above, we obtain $\|M \cdot D_k^r\| \le 2r\|M\|$ for matrices $M$. By (11), the block formula for right absorption into a tensor, an analogous result holds for $\|T \cdot R(D_k^r)\|$, and by (12), the formula connecting left and right absorption, the same holds for $\|T \cdot L(D_k^r)\|$. Summarising, we obtain:
Proposition 3. Let $T$ be a transform, $D$ a digit matrix for base $r$, and $T'$ the result of a $D$-transaction at $T$. Then $\|T'\| \le 2r\|T\|$ if $D$ is unreduced, and $\|T'\| \le r\|T\|$ if $D$ is reduced.

By induction, we see that after $n$ transactions, $\|T'\| \le (2r)^n \|T\|$ holds if unreduced digits are used. Applying all the reductions that are possible by Theorem 3, we obtain:

Theorem 4. Let $T_0$ be some initial transform, and $T_n$ the result of applying $n$ transactions in base $r$ to $T_0$, and all possible reductions. Then $\|T_n\| \le 4 r^n \|T_0\|$ in case of matrices, and $\|T_n\| \le 8 r^n \|T_0\|$ in case of tensors.

At the moment, there is some hope that further reductions may lead to a much smaller increase. Unfortunately, we shall soon see that this does not work; in most cases, an exponential increase is guaranteed.
6 Big Numbers in Matrices
In this section, we derive lower bounds for the entries of a matrix after n transactions and all possible reductions. This is done by observing how the determinant and another quantity, the column difference, are changed by transactions and reductions, and by deriving a reduction invariant from this.
6.1 Determinant
Determinants are easy because of $\det(A \cdot B) = \det A \cdot \det B$. The determinants of the digit matrices and their pseudo-inverses are calculated in Section 3 just before Corollary 1. In the following list, let $M$ be a matrix, and let $M'$ be the result of applying a transaction to $M$.

– Transaction with an unreduced digit: $\det M' = 4r \det M$,
– Transaction with a reduced digit: $\det M' = r \det M$,
– Reduction by $k$: $\det M' = \frac{1}{k^2} \det M$.

These facts allow the derivation of an upper bound for the determinant after $n$ transactions. Working with unreduced digits gives a factor of $(4r)^n$, and performing all reductions admitted by Theorem 3 gives a factor of $2^{-2(n-2)}$. Together, we get the following:

Theorem 5. Let $M_0$ be some initial matrix, and $M_n$ the result of applying $n$ transactions in base $r$ to $M_0$, and all possible reductions. Then $|\det M_n| \le 16 r^n |\det M_0|$.
6.2 Column Difference
Consider again the explicit formulae for digit matrices of base $r$ and their inverses (Equation (5) in Section 2.3):
$$D_k^r = \begin{pmatrix} r+k+1 & r+k-1 \\ r-k-1 & r-k+1 \end{pmatrix}, \qquad (D_k^r)^* = \begin{pmatrix} 1-k+r & 1-k-r \\ 1+k-r & 1+k+r \end{pmatrix} \qquad (19)$$
It is easy to see that in both cases the difference of the two column sums is 0. This motivates the definition of the column difference $\operatorname{cd} \begin{pmatrix} a & c \\ b & d \end{pmatrix} = (a + b) - (c + d)$ of a matrix. Thus, $\operatorname{cd} D_k^r = \operatorname{cd} (D_k^r)^* = 0$. In general, $\operatorname{cd} A^* = -\operatorname{cd} A$ holds. Let us compute the column difference of the product of $A = \begin{pmatrix} a & c \\ b & d \end{pmatrix}$ and $B = \begin{pmatrix} a' & c' \\ b' & d' \end{pmatrix}$:
$$\operatorname{cd}(A \cdot B) = \operatorname{cd} \begin{pmatrix} aa' + cb' & ac' + cd' \\ ba' + db' & bc' + dd' \end{pmatrix} = (a+b)a' + (c+d)b' - (a+b)c' - (c+d)d' = (a+b)(a' - c') - (c+d)(d' - b')$$
If $B = D_k^r$, then $a' - c' = d' - b' = 2$, and so, $\operatorname{cd}(A \cdot D_k^r) = 2 \operatorname{cd} A$. If $A = (D_k^r)^*$, then $a + b = c + d = 2$, and so, $\operatorname{cd}((D_k^r)^* \cdot B) = 2 \operatorname{cd} B$. If reduced digits are used instead, the factor 2 disappears. Thus, we obtain:

– Transaction with an unreduced digit: $\operatorname{cd} M' = 2 \operatorname{cd} M$,
– Transaction with a reduced digit: $\operatorname{cd} M' = \operatorname{cd} M$,
– Reduction by $k$: $\operatorname{cd} M' = \frac1k \operatorname{cd} M$.
Hence, the properties of having zero or non-zero column difference are transaction invariants.
6.3 The Quotient
Let $M$ be a matrix with $\operatorname{cd} M \ne 0$. For such a matrix, the quotient $\operatorname{qcd} M = \frac{\det M}{(\operatorname{cd} M)^2}$ is a well-defined rational number. By a transaction with an unreduced digit, this quotient is multiplied by $\frac{4r}{2^2} = r$; by a transaction with a reduced digit, the factor is $\frac{r}{1^2} = r$; and a $k$-reduction yields a factor of $\frac{1/k^2}{(1/k)^2} = 1$. Thus, the quotient $\operatorname{qcd}$ is invariant under reductions, and is multiplied by $r$ in every transaction.

Lemma 1. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying $n$ transactions in base $r$ to $M_0$, and all possible reductions. Then $\operatorname{qcd} M_n = r^n \operatorname{qcd} M_0$.
6.4 Big Determinant
The equation in Lemma 1 can be turned into an integer equation by multiplying with the denominators:
$$\det M_n \cdot (\operatorname{cd} M_0)^2 = r^n \cdot \det M_0 \cdot (\operatorname{cd} M_n)^2 \qquad (20)$$
If $\operatorname{cd} M_0 \ne 0$, then $\operatorname{cd} M_n \ne 0$, too. As an integer, $(\operatorname{cd} M_n)^2$ is at least 1. Hence, we obtain:
$$|\det M_n| \cdot (\operatorname{cd} M_0)^2 \ge r^n \cdot |\det M_0| \qquad (21)$$
This gives a lower bound for the determinant; an upper bound was provided by Theorem 5.

Theorem 6. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying $n$ transactions in base $r$ to $M_0$, and all possible reductions. Then
$$\frac{|\det M_0|}{(\operatorname{cd} M_0)^2} \cdot r^n \le |\det M_n| \le 16 |\det M_0| \cdot r^n .$$
The upper bound was obtained by working with unreduced digits and performing the $2^{n-1}$-reduction guaranteed by Theorem 3. In case of $\det M_0 \ne 0$, the quotient of upper bound over lower bound shows that only a constant number of further reductions is possible; they combine to a factor of at most $4 \operatorname{cd} M_0$. This implies the promised strengthening of Corollary 1:

Corollary 2. When working with a matrix with non-zero determinant and column difference, the average maximal reducibility is 2 after a transaction with an unreduced digit, and 1 after a transaction with a reduced digit.

6.5 Law of Big Numbers for Matrices
A lower bound for the determinant of a matrix $M$ can be turned into a lower bound for the norm $\|M\|$ using the inequality $\|M\| \ge \sqrt{\tfrac12 |\det M|}$, which follows from the definition of the determinant as $\det \begin{pmatrix} a & c \\ b & d \end{pmatrix} = ad - bc$. Thus, we obtain together with Theorem 4:

Theorem 7. Let $M_0$ be some initial matrix with $\operatorname{cd} M_0 \ne 0$, and $M_n$ the result of applying $n$ transactions in base $r$ to $M_0$, and all possible reductions. Then
$$\sqrt{\frac{|\det M_0|}{2 (\operatorname{cd} M_0)^2}} \cdot \sqrt{r}^{\,n} \le \|M_n\| \le 4 \|M_0\| \cdot r^n .$$
Thus, if in addition $\det M_0 \ne 0$, even if all possible reductions are performed, the entries of the matrix are bound to grow exponentially in the number of transactions. It sounds a bit more optimistic to speak of the bit sizes of the entries instead of the entries themselves. The bit size of a number $m$ is $\log m$.
Theorem 8 (Law of big numbers). Let $M$ be a matrix with non-zero determinant and non-zero column difference. After $n$ transactions at $M$, at least one entry of the result has bit size $\Omega(n)$, even if all possible reductions are performed.

The law of big numbers means that the usage of big integers is unavoidable in exact real arithmetic, at least in the signed digit approach of Edalat's group. It applies even in the simplest cases. For instance, doubling of an unsigned real is effected by the matrix $\begin{pmatrix} 2 & 0 \\ 0 & 1 \end{pmatrix}$ that has determinant 2 and column difference 1, halving by $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ with determinant 2 and column difference $-1$, and addition of 1 by the matrix $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ with determinant 1 and column difference $-1$.

The law of big numbers does not apply to matrices with zero column difference. The simplest example is the identity matrix $E = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. According to (3), after a $D$-absorption, a subsequent $D$-emission, and a reduction by $\det D$, the identity matrix is recovered. Repeating this cycle, we see that there are arbitrarily long sequences of transactions at the identity matrix which do not lead to entries bigger than $4r$. It is an open problem whether such a fixed bound can be found for any matrix with column difference 0.
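The following added example (my code, not the paper's) runs the halving matrix of Section 6.5 through a fixed list of base-2 transactions, reducing to lowest terms after each one, and checks Theorem 2 (Section 3), Lemma 1 (Section 6.3) and the bounds of Theorem 7 along the way; the identity-matrix cycle of the last paragraph is run for contrast. The transaction list `HALVING_OF_ONE` is constructed by hand from the strategy of Section 2.4 (each emission is checked for admissibility), and the helper names are mine.

```python
from fractions import Fraction
from math import gcd, sqrt

# Conventions as in the paper: [[a, c], [b, d]] is the LFT x -> (a x + c)/(b x + d).

def matmul(m, n):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*n)] for row in m]

def det(m):
    (a, c), (b, d) = m
    return a * d - b * c

def cd(m):
    """Column difference, Section 6.2: cd (a c; b d) = (a + b) - (c + d)."""
    (a, c), (b, d) = m
    return (a + b) - (c + d)

def qcd(m):
    """Reduction invariant of Section 6.3; None when cd M = 0 (then it is undefined)."""
    return Fraction(det(m), cd(m) ** 2) if cd(m) else None

def norm(m):
    """||M|| = largest absolute entry (Section 5)."""
    return max(abs(x) for row in m for x in row)

def pseudo_inverse(m):
    (a, c), (b, d) = m
    return [[d, -c], [-b, a]]

def lowest_terms(m):
    """Return (M / g, g) where g is the common factor of the entries of M."""
    g = 0
    for row in m:
        for x in row:
            g = gcd(g, x)
    return [[x // g for x in row] for row in m], g

def digit(r, k):
    """D_k^r in lowest terms: unreduced if r and k have equal parity, halved otherwise."""
    return lowest_terms([[r + k + 1, r + k - 1], [r - k - 1, r - k + 1]])[0]

def transaction(m, kind, d):
    """Emission replaces M by D^* . M (7), absorption replaces M by M . D (6)."""
    return matmul(pseudo_inverse(d), m) if kind == "emit" else matmul(m, d)

def run(m, r, steps):
    """Apply the D-transactions in `steps` to m (given in lowest terms), reducing after
    each one. Returns [(matrix, factor removed)] and checks Theorem 2 and Lemma 1."""
    q0 = qcd(m)
    trace = [(m, 1)]
    for n, (kind, k) in enumerate(steps, start=1):
        d = digit(r, k)
        m = transaction(m, kind, d)
        if kind == "emit":
            assert all(x >= 0 for row in m for x in row), "emission not admissible"
        m, g = lowest_terms(m)
        assert det(d) % g == 0                   # Theorem 2: common factor divides det D
        if q0 is not None:
            assert qcd(m) == r ** n * q0         # Lemma 1: qcd gains a factor r per step
        trace.append((m, g))
    return trace

def bit_sizes(trace):
    """Bit size of the largest entry after each transaction (Theorem 8: Omega(n))."""
    return [norm(m).bit_length() for m, _ in trace]

def theorem7_bounds(m0, r, n):
    """Lower and upper bound of Theorem 7 on ||M_n|| (needs cd M0 != 0)."""
    lower = sqrt(abs(det(m0)) / (2 * cd(m0) ** 2)) * sqrt(r) ** n
    upper = 4 * norm(m0) * r ** n
    return lower, upper

HALVE = [[1, 0], [0, 2]]   # det 2, cd -1: the law of big numbers applies
E = [[1, 0], [0, 1]]       # det 1, cd 0: it does not

# Constructed by hand: the transactions the Section 2.4 strategy performs when halving
# 1 = D_1 D_{-1} D_{-1} ... in base 2; the emitted digits 0, -1, 0, -1, ... represent 1/2.
HALVING_OF_ONE = ([("absorb", 1), ("absorb", -1), ("emit", 0)]
                  + [("absorb", -1), ("emit", -1), ("absorb", -1), ("emit", 0)] * 2
                  + [("absorb", -1), ("emit", -1)])
# Absorb D_0, then emit D_0: D_0^* . D_0 = det D_0 . E, so E is recovered after reduction.
IDENTITY_CYCLE = [("absorb", 0), ("emit", 0)] * 3

if __name__ == "__main__":
    trace = run(HALVE, 2, HALVING_OF_ONE)
    for (m, g) in trace:
        print(m, "factor removed:", g, "det:", det(m), "cd:", cd(m), "qcd:", qcd(m))
    print("bit sizes:", bit_sizes(trace))
    print("Theorem 7 bounds:", theorem7_bounds(HALVE, 2, len(HALVING_OF_ONE)))
    print("identity cycle:", [m for m, _ in run(E, 2, IDENTITY_CYCLE)])
```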
7 Big Numbers in Tensors
In this section, we derive analogues of the results of the previous section for tensors. The procedure is similar, but a major obstacle is that tensors do not have determinants. Fortunately, a suitable substitute can be found.

7.1 Double Column Difference
We start by introducing an analogue to the column difference of a matrix. For a tensor $T$, the double column difference $\operatorname{dcd} T$ is defined by
$$\operatorname{dcd} \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix} = (a + b) - (c + d) - (e + f) + (g + h) . \qquad (22)$$
Writing a tensor $T$ as a row $(T^L, T^R)$ of two matrices, the double column difference can be reduced to the column differences of the two matrices: $\operatorname{dcd}(T^L, T^R) = \operatorname{cd} T^L - \operatorname{cd} T^R$. Hence, by (11) and the properties of $\operatorname{cd}$, we obtain for all digit matrices $D$
$$\operatorname{dcd}((T^L, T^R) \cdot R(D)) = \operatorname{cd}(T^L \cdot D) - \operatorname{cd}(T^R \cdot D) = 2 \operatorname{dcd}(T^L, T^R) .$$
By $(T \cdot R(D))^\times = T^\times \cdot L(D)$ (12) and $\operatorname{dcd}(T^\times) = \operatorname{dcd} T$, we obtain the corresponding formula $\operatorname{dcd}(T \cdot L(D)) = 2 \operatorname{dcd} T$. We still have to derive a formula for emission. Recall (17)
$$(D_k^r)^* \binom{u}{v} = \binom{(1-k)(u+v) + r(u-v)}{(1+k)(u+v) - r(u-v)} \qquad (23)$$
which implies
$$(D_k^r)^* \binom{u}{v} = \binom{u'}{v'} \implies u' + v' = 2(u + v) . \qquad (24)$$
From this, $\operatorname{dcd}(D^* \cdot T) = 2 \operatorname{dcd} T$ follows for all digit matrices $D$. Therefore, $\operatorname{dcd}$ for tensors behaves exactly as $\operatorname{cd}$ for matrices:

– Transaction with an unreduced digit: $\operatorname{dcd} T' = 2 \operatorname{dcd} T$,
– Transaction with a reduced digit: $\operatorname{dcd} T' = \operatorname{dcd} T$,
– Reduction by $k$: $\operatorname{dcd} T' = \frac1k \operatorname{dcd} T$.

Again, the properties of having zero or non-zero double column difference are transaction invariants.

7.2 Column Determinant
A suitable substitute for the determinant of a matrix is the column determinant $\operatorname{cdet} T$ of a tensor $T$, defined by
$$\operatorname{cdet} \begin{pmatrix} a & c & e & g \\ b & d & f & h \end{pmatrix} = (a + b)(g + h) - (c + d)(e + f) . \qquad (25)$$
Because of (24), $\operatorname{cdet}(D^* \cdot T) = 4 \operatorname{cdet} T$ holds for all tensors $T$ and digit matrices $D$. Note that in contrast to the determinant of matrices, the factor is not $\det D^* = 4r$, but only 4. On the other side, the column determinant is multiplicative w.r.t. absorptions; for any tensor $T$ and matrix $M$,
$$\operatorname{cdet}(T \cdot L(M)) = \operatorname{cdet}(T \cdot R(M)) = \operatorname{cdet} T \cdot \det M \qquad (26)$$
holds. Here, the first equality follows from (12) and $\operatorname{cdet}(T^\times) = \operatorname{cdet} T$, while the proof of the second equality is a straightforward, but tedious exercise in algebraic manipulations. Summarising and specialising to the case of digit matrices, we obtain:

– Emission of an unreduced digit: $\operatorname{cdet} T' = 4 \operatorname{cdet} T$,
– Emission of a reduced digit: $\operatorname{cdet} T' = \operatorname{cdet} T$,
– Absorption of an unreduced digit: $\operatorname{cdet} T' = 4r \operatorname{cdet} T$,
– Absorption of a reduced digit: $\operatorname{cdet} T' = r \operatorname{cdet} T$,
– Reduction by $k$: $\operatorname{cdet} T' = \frac{1}{k^2} \operatorname{cdet} T$.

In contrast to matrices, emissions and absorptions behave differently.

7.3 The Quotient
For a tensor $T$ with $\operatorname{dcd} T \ne 0$, we consider the quotient $\operatorname{qdcd} T = \frac{\operatorname{cdet} T}{(\operatorname{dcd} T)^2}$. This quotient is invariant under reductions and also invariant under emissions. Every absorption yields a factor of $r$.
Lemma 2. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \ne 0$, and $T_n$ the result of applying $n$ absorptions, any number of emissions, and all possible reductions to $T_0$. Then $\operatorname{qdcd} T_n = r^n \operatorname{qdcd} T_0$.

As in the case of matrices, a lower bound for the column determinant follows:

Theorem 9. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \ne 0$, and $T_n$ the result of applying $n$ absorptions, any number of emissions, and all possible reductions to $T_0$. Then
$$|\operatorname{cdet} T_n| \ge \frac{|\operatorname{cdet} T_0|}{(\operatorname{dcd} T_0)^2} \cdot r^n .$$

7.4 Law of Big Numbers for Tensors

For tensors $T$, $\|T\| \ge \frac12 \sqrt{\tfrac12 |\operatorname{cdet} T|} = \sqrt{\tfrac18 |\operatorname{cdet} T|}$ holds. Thus, we obtain together with Theorem 4:

Theorem 10. Let $T_0$ be some initial tensor with $\operatorname{dcd} T_0 \ne 0$, and $T_n$ the result of applying $n$ absorptions, any number of emissions, and all possible reductions to $T_0$. Then
$$\sqrt{\frac{|\operatorname{cdet} T_0|}{8 (\operatorname{dcd} T_0)^2}} \cdot \sqrt{r}^{\,n} \le \|T_n\| \le 8 \|T_0\| \cdot r^n .$$

Theorem 11 (Law of big numbers for tensors). Let $T$ be a tensor with non-zero column determinant and non-zero double column difference. After $n$ absorptions and any number of emissions at $T$, at least one entry of the result has bit size $\Omega(n)$, even if all possible reductions are performed.

7.5 Examples
The tensors that realise the four basic arithmetic operations satisfy the hypotheses of the law of big numbers:

Addition: $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = -1$
Subtraction: $\begin{pmatrix} 0 & 1 & -1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = 1$, $\operatorname{dcd} = 1$
Multiplication: $\begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, $\operatorname{cdet} = 1$, $\operatorname{dcd} = 2$
Division: $\begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = -2$

Yet the tensor for the mean value operation is different:

Mean value: $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}$, $\operatorname{cdet} = -1$, $\operatorname{dcd} = 0$

Does this mean that $\frac12 x$, which leads to big numbers as shown in Section 6.5, can be computed as $\frac{0 + x}{2}$ avoiding big numbers? The answer is no, at least in the case $r = 2$. Let $T^R$ be the matrix on the right hand side of the tensor $T$. The equations $(D^* \cdot T)^R = D^* \cdot T^R$ and $(T \cdot R(D))^R = T^R \cdot D$ hold for all tensors
$T$ and digit matrices $D$. This means that the right half of $\begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}$ behaves exactly as the halving matrix $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ during emissions and absorptions from the right. Since the number 0 is represented by the infinite product $(\tilde D_{-1}^2)^\omega$, and $(T \cdot L(\tilde D_{-1}^2))^R = 2 T^R$, the correspondence is only changed by a common factor during absorptions from the left. Hence, after any number of transactions, the right half of the resulting tensor is a multiple of the matrix resulting from $\begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}$ by the corresponding sequence of transactions. Thus, it has entries which are at least as big as the entries of the matrix, which are big by Theorem 8.
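As an added example for Section 7 (my code, not the paper's), the following Python computes $\operatorname{cdet}$ and $\operatorname{dcd}$ for the five tensors above, checks the transaction factors of Sections 7.1 and 7.2 and the identity (26) on an arbitrary integer matrix, and verifies the right-half relations used in the mean-value argument; the helper names, the test matrix and the tensor `MEAN` constant's name are mine.

```python
from fractions import Fraction
from math import gcd

# Conventions as in the paper: a matrix [[a, c], [b, d]] is x -> (a x + c)/(b x + d); a tensor
# [[a, c, e, g], [b, d, f, h]] is (x, y) -> (a x y + c x + e y + g)/(b x y + d x + f y + h) and
# is the row (T^L, T^R) of its left half [[a, c], [b, d]] and right half [[e, g], [f, h]].

def matmul(m, n):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*n)] for row in m]

def det(m):
    (a, c), (b, d) = m
    return a * d - b * c

def pseudo_inverse(m):
    """M^* = (d -c; -b a); for a digit matrix D, D^* . D = det D . E."""
    (a, c), (b, d) = m
    return [[d, -c], [-b, a]]

def digit(r, k):
    """D_k^r of equation (5) in lowest terms (halved when r and k differ in parity)."""
    m = [[r + k + 1, r + k - 1], [r - k - 1, r - k + 1]]
    g = gcd(gcd(m[0][0], m[0][1]), gcd(m[1][0], m[1][1]))
    return [[x // g for x in row] for row in m]

def L(m):
    """L(D) = D (x) E, equation (8): absorption from the left argument."""
    (a, c), (b, d) = m
    return [[a, 0, c, 0], [0, a, 0, c], [b, 0, d, 0], [0, b, 0, d]]

def R(m):
    """R(D) = E (x) D, equation (8): absorption from the right argument."""
    (a, c), (b, d) = m
    return [[a, c, 0, 0], [b, d, 0, 0], [0, 0, a, c], [0, 0, b, d]]

def halves(t):
    """Split a tensor into (T^L, T^R)."""
    return [row[:2] for row in t], [row[2:] for row in t]

def dcd(t):
    """Double column difference, equation (22)."""
    (a, c, e, g), (b, d, f, h) = t
    return (a + b) - (c + d) - (e + f) + (g + h)

def cdet(t):
    """Column determinant, equation (25)."""
    (a, c, e, g), (b, d, f, h) = t
    return (a + b) * (g + h) - (c + d) * (e + f)

def transaction(t, kind, d):
    """'emit' -> D^* . T, 'left' -> T . L(D), 'right' -> T . R(D)."""
    if kind == "emit":
        return matmul(pseudo_inverse(d), t)
    return matmul(t, L(d) if kind == "left" else R(d))

def factors(t, kind, d):
    """(cdet T'/cdet T, dcd T'/dcd T) for one transaction; the dcd ratio is None if dcd T = 0."""
    t2 = transaction(t, kind, d)
    cdet_ratio = Fraction(cdet(t2), cdet(t))
    dcd_ratio = Fraction(dcd(t2), dcd(t)) if dcd(t) else None
    return cdet_ratio, dcd_ratio

def absorption_is_multiplicative(t, m):
    """Equation (26): cdet(T . L(M)) = cdet(T . R(M)) = cdet T . det M for any integer M."""
    expected = cdet(t) * det(m)
    return cdet(matmul(t, L(m))) == expected == cdet(matmul(t, R(m)))

# The tensors of Section 7.5 and the halving matrix of Section 6.5.
ADD = [[0, 1, 1, 0], [0, 0, 0, 1]]
SUB = [[0, 1, -1, 0], [0, 0, 0, 1]]
MUL = [[1, 0, 0, 0], [0, 0, 0, 1]]
DIV = [[0, 1, 0, 0], [0, 0, 1, 0]]
MEAN = [[0, 1, 1, 0], [0, 0, 0, 2]]
HALVE = [[1, 0], [0, 2]]

def table():
    """(cdet, dcd) of the five tensors, to compare with the list in Section 7.5."""
    return {name: (cdet(t), dcd(t))
            for name, t in [("add", ADD), ("sub", SUB), ("mul", MUL), ("div", DIV), ("mean", MEAN)]}

def right_half_tracks_halving(d):
    """Section 7.5: (D^* . T)^R = D^* . T^R and (T . R(D))^R = T^R . D for T = MEAN, and
    (T . L(D~_{-1}^2))^R = 2 T^R for the reduced base-2 digit of 0."""
    emit_ok = halves(transaction(MEAN, "emit", d))[1] == matmul(pseudo_inverse(d), HALVE)
    right_ok = halves(transaction(MEAN, "right", d))[1] == matmul(HALVE, d)
    left_ok = halves(transaction(MEAN, "left", digit(2, -1)))[1] == [[2 * x for x in row] for row in HALVE]
    return emit_ok and right_ok and left_ok

if __name__ == "__main__":
    print(table())
    for kind in ("emit", "left", "right"):
        print(kind, "unreduced D_0^2:", factors(ADD, kind, digit(2, 0)),
              "reduced D_1^2:", factors(ADD, kind, digit(2, 1)))
    print("(26) holds on [[2,3],[5,7]]:", absorption_is_multiplicative(ADD, [[2, 3], [5, 7]]))
    print("right half of MEAN tracks HALVE:", all(right_half_tracks_halving(digit(2, k)) for k in (-1, 0, 1)))
```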
8 Discussion and Conclusion
The laws of big numbers as derived in this paper apply to unsigned reals only. For instance, halving in the zero interval $[-1, 1]$ with base $r = 2$ means putting $D_0^2$ in front of the unsigned part of the argument, an operation possible without employing big integers. Of course, our results crucially depend on the choice of the digit matrices. All digit matrices for all bases have zero column difference, and this fact is implicitly used in the derivations of the formulae for the cd and dcd values after transactions. A completely different choice of digit matrices, with non-zero column difference, may change everything. Also, the results may look different if irrational bases are used, such as the golden ratio. However, we believe that big numbers cannot be avoided even in these cases, although we do not have a proof.

The appearance of big integers affects the complexity of real number arithmetic. Consider an LFT satisfying the hypotheses of the laws of big numbers. If it absorbs and emits digits one by one, then the $n$th transaction needs time $\Omega(n)$ since it involves integers of bit size $\Omega(n)$. Consequently, the computation of the first $n$ digits of the result of the LFT needs time $\Omega(n^2)$. This time can only be reduced by replacing the one by one treatment of digits by algorithms absorbing and emitting many digits at once. Of course, the price for this reduction in time is much more involved algorithms.
References

1. A. Avizienis. Signed-digit number representations for fast parallel arithmetic. IRE Transactions on Electronic Computers, 10:389–400, 1961.
2. H.J. Boehm, R. Cartwright, M. Riggle, and M.J. O'Donell. Exact real arithmetic: A case study in higher order programming. In ACM Symposium on Lisp and Functional Programming, 1986.
3. H.J. Boehm and R. Cartwright. Exact real arithmetic: Formulating real numbers as functions. In D. Turner, editor, Research Topics in Functional Programming, pages 43–64. Addison-Wesley, 1990.
4. P. Di Gianantonio. A Functional Approach to Real Number Computation. PhD thesis, University of Pisa, 1993.
5. P. Di Gianantonio. Real number computability and domain theory. Information and Computation, 127(1):11–25, May 1996.
6. A. Edalat and P. Potts. A new representation for exact real numbers. In S. Brookes and M. Mislove, editors, MFPS '97, volume 6 of Electronic Notes in Theoretical Computer Science, 1997. URL: http://www.elsevier.nl/locate/entcs/volume6.html.
7. M. H. Escardó. PCF extended with real numbers. Theoretical Computer Science, 162(1):79–115, August 1996.
8. W. Gosper. Continued fraction arithmetic. Technical Report HAKMEM Item 101B, MIT Artificial Intelligence Memo 239, MIT, 1972.
9. P. Kornerup and D. W. Matula. Finite precision lexicographic continued fraction number systems. In Proc. 7th IEEE Symposium on Computer Arithmetic, pages 207–214. IEEE Computer Society Press, 1985.
10. V. Menissier-Morain. Arbitrary precision real arithmetic: Design and algorithms. Submitted to J. Symbolic Computation, 1996.
11. A. Nielsen and P. Kornerup. MSB-first digit serial arithmetic. J. of Univ. Comp. Scien., 1(7), 1995.
12. P. J. Potts and A. Edalat. Exact real arithmetic based on linear fractional transformations. Draft, Imperial College, available from http://www-tfm.doc.ic.ac.uk/~pjp, December 1996.
13. P. J. Potts and A. Edalat. Exact real computer arithmetic. Draft, Imperial College, available from http://www-tfm.doc.ic.ac.uk/~pjp, March 1997.
14. P. J. Potts. Computable real arithmetic using linear fractional transformations. Draft PhD Thesis, Imperial College, available from http://www-tfm.doc.ic.ac.uk/~pjp, June 1996.
15. P. Potts, A. Edalat, and M. Escardó. Semantics of exact real arithmetic. In Twelfth Annual IEEE Symposium on Logic in Computer Science. IEEE, 1997.
16. J. E. Vuillemin. Exact real computer arithmetic with continued fractions. IEEE Transactions on Computers, 39(8):1087–1105, 1990.
Net Refinement by Pullback Rewriting*

Renate Klempien-Hinrichs
Universität Bremen, Fachbereich 3, Postfach 33 04 40, D–28334 Bremen
[email protected]

Abstract. The theory of graph grammars is concerned with the rule-based transformation of graphs and graph-like structures. As the formalism of Petri nets is founded on a particular type of graphs, the various net refinement methods proposed for their structured design are in particular graph transformations. This paper aims at applying a recently developed technique for graph rewriting, the so-called pullback approach, to describe net refinement. The translation of this technique, which is based on (hyper)graph morphisms, into terms of net morphisms yields a well-defined mechanism closely related to pullback rewriting in hypergraphs. A variant allows one to elegantly characterize a particular net refinement operation which modifies the context of the refined transition.
1 Introduction
Graph grammars have been developed as a concept to study the rule-based transformation of graphs and graph-like structures (see [Roz97] for a comprehensive overview). One can distinguish between approaches in which arbitrary subgraphs may be replaced, and approaches to rewrite elementary subgraphs, i.e. vertices, (hyper)edges, or handles. (Hyper)edge rewriting [HK87a,Hab92] is a special case of the double-pushout approach to graph rewriting [Ehr79]; it has been generalized to handle rewriting in [CER93]. With the pullback approach introduced in [Bau95a], a category theoretical framework for vertex rewriting is being developed. It is based on graph morphisms and can deal with both graphs and hypergraphs [BJ97].

A Petri net is usually defined as a bipartite graph (the underlying net structure) where a vertex is either a place or a transition, plus a marking of the places (see e.g. [Rei85]). The marking may change by the firing of transitions, thus leading to a notion of behaviour. A number of methods to refine a place or a transition – i.e. to manipulate the underlying net structure – such that the behaviour of the refined net can be inferred from the behaviour of the original and the refinement net in a compositional way may be found in the literature (for a survey see [BGV91]).

* Supported by the EC TMR Network GETGRATS (General Theory of Graph Transformation Systems) through the University of Bordeaux I.
M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 189–202, 1998. © Springer-Verlag Berlin Heidelberg 1998
By viewing the underlying net structure of a Petri net as a hypergraph, place or transition refinement becomes the replacement of an elementary item in a hypergraph. In [HK87b] and [Vog87], it has been pointed out that hyperedge rewriting describes some types of net refinement. The operation in [GG90] modifies the context of the refined transition by multiplying the places in its pre- and postset and is thus too complex to be described by hyperedge rewriting. However, it can be seen as a special case of the vertex rewriting technique of [Kle96]. Handle rewriting has not yet been evaluated under this aspect. Another line of research investigates rule-based refinement in the general setting of algebraic high-level nets [PER95,?]. The rules which are used there have been developed from the double-pushout approach to graph rewriting of [Ehr79].

In this paper, the technique of pullback rewriting is translated into terms of net morphisms. The resulting mechanism yields a well-defined notion of net refinement and is closely related to the original pullback rewriting in hypergraphs. Furthermore, it also allows an elegant characterization of the refinement operation in [GG90].

The paper is organized as follows. Section 2 introduces the basic notions of hypergraphs and net structures. The respective categories are studied in Section 3. In Section 4, pullback rewriting in net structures is defined and compared to pullback rewriting in hypergraphs. Section 5 characterizes the net refinement technique of [GG90] in terms of pullback rewriting, and Section 6 contains some concluding remarks.
2 Hypergraphs and net structures
The basic objects considered in this paper, hypergraphs and net structures, are introduced together with the usual notions of the respective morphisms.

Definition 1. (Hypergraph.) A hypergraph $H = (V, E, src, trg)$ consists of a set $V$ of nodes, a set $E$ of hyperedges such that $V \cap E = \emptyset$, and two mappings $src, trg : E \to \mathcal{P}(V)$ assigning to every hyperedge $e \in E$ a set $src(e) \subseteq V$ of source nodes and a set $trg(e) \subseteq V$ of target nodes. Subscripts and superscripts carry over to the components of a hypergraph; for example, $H'_n = (V'_n, E'_n, src'_n, trg'_n)$.

Let $H$ and $H'$ be two hypergraphs. A hypergraph morphism $f : H \to H'$ is a pair of mappings $f = (f_V, f_E)$ with $f_V : V \to V'$, $f_E : E \to E'$ such that $f_V(src(e)) \subseteq src'(f_E(e))$ and $f_V(trg(e)) \subseteq trg'(f_E(e))$ for all $e \in E$. As usual, the subscripts $V$ and $E$ will be omitted in the sequel. If $f$ is bijective and both $f$ and $f^{-1}$ are hypergraph morphisms, then $f$ is a hypergraph isomorphism. In this case, $H$ and $H'$ are isomorphic. Hypergraphs and hypergraph morphisms form a category which is denoted by $\mathcal{H}$.

In a drawing of a hypergraph $H$, a node $v$ is represented by a circle and a hyperedge $e$ by a square. There is an arrow from $v$ to $e$ if $v \in src(e)$ and an arrow from $e$ to $v$ if $v \in trg(e)$. Thus, Fig. 1 shows a hypergraph.
Fig. 1. Drawing a hypergraph (or a net structure)
A Petri net consists of a net structure plus a marking. As this paper concentrates on structural aspects, only the former notion is formally defined here; for other notions from net theory see e.g. [Rei85].

Definition 2. (Net structure.) A net structure $N = (P, T, F)$ consists of a set $P$ of places, a set $T$ of transitions such that $P \cap T = \emptyset$, and a flow relation $F \subseteq (P \times T) \cup (T \times P)$ the elements of which are called arcs. As for graphs, subscripts and superscripts carry over to the components of a net structure. For an item $x \in P \cup T$, ${}^\bullet x = \{y \in P \cup T \mid (y, x) \in F\}$ denotes the preset of $x$, and $x^\bullet = \{y \in P \cup T \mid (x, y) \in F\}$ its postset. Let $N$ and $N'$ be two net structures. A net morphism $f : N \to N'$ is a mapping $f : P \cup T \to P' \cup T'$ satisfying $(f(x), f(y)) \in F'$ and $x \in P \Leftrightarrow f(x) \in P'$ for all $x, y \in P \cup T$ with $f(x) \neq f(y)$ and $(x, y) \in F$. If $f$ is bijective and both $f$ and $f^{-1}$ are net morphisms, then $f$ is a net isomorphism and $N$, $N'$ are isomorphic. Net structures and net morphisms form a category which is denoted by N.

In a drawing of a net structure $N$, a place $p$ is represented by a circle, a transition $t$ by a square, and an arc $(x, y)$ by an arrow. Thus, Fig. 1 shows a net structure. The similar representation of hypergraphs and net structures evokes a one-to-one encoding: the hypergraph $H$ is associated with the net structure $N$ if $V = P$, $E = T$, $src(e) = {}^\bullet e$ and $trg(e) = e^\bullet$ for all $e \in E$. With respect to this encoding, every hypergraph morphism is associated with a net morphism. The opposite is not true: a net morphism may map a transition on a place (or vice versa). But if a substructure is mapped on one item, then its border has to be of the same type as the item (cf. Figs. 2 and 3, where a dashed line encircles the items the respective mapping identifies).
Fig. 2. A net morphism without associated hypergraph morphism
Fig. 3. Neither a net morphism nor a hypergraph morphism
3 The categories of hypergraphs and net structures
In this section, the pullback construction for hypergraph morphisms is recalled. The category of hypergraphs is complete and therefore has all pullbacks. The category of net structures does not have all pullbacks, but the pairs of net morphisms for which the pullback exists are characterized, and the pullback construction is given for these cases. As the notion of a pullback is central for pullback rewriting, the section starts with its general definition. For other concepts from category theory see e.g. [HS79].

Definition 3. (Pullback.) Let C be a category and $(f_i : Y_i \to Z)_{i=1,2}$ a pair of morphisms in C. The pullback of $(f_i : Y_i \to Z)_{i=1,2}$ is another pair of morphisms $(g_i : X \to Y_i)_{i=1,2}$ such that $f_1 \circ g_1 = f_2 \circ g_2$, and for every pair of morphisms $(g'_i : X' \to Y_i)_{i=1,2}$ with $f_1 \circ g'_1 = f_2 \circ g'_2$ there is a unique morphism $h : X' \to X$ with $g_i \circ h = g'_i$ for $i = 1, 2$.

Using a definition of hypergraphs as graphs structured by the smallest complete bipartite graph (i.e. as objects in the comma category of graphs over that graph), which is equivalent to the one given here, the following fact can be shown analogously to [BJ97].

Fact 1. The category H is finitely complete and has, in particular, pullbacks. The pullback of a pair of hypergraph morphisms $(f_i : H_i \to H)_{i=1,2}$ consists of the projections $g_i : H_{pb} \to H_i$ with $g_i((x_1, x_2)) = x_i$ ($i = 1, 2$), where $H_{pb}$ is constructed as follows:
Fig. 4. A pullback in H
– $V_{pb} = \{(v_1, v_2) \in V_1 \times V_2 \mid f_1(v_1) = f_2(v_2)\}$,
– $E_{pb} = \{(e_1, e_2) \in E_1 \times E_2 \mid f_1(e_1) = f_2(e_2)\}$,
– $src_{pb}((e_1, e_2)) = \{(v_1, v_2) \in V_{pb} \mid v_1 \in src_1(e_1),\ v_2 \in src_2(e_2)\}$ and
– $trg_{pb}((e_1, e_2)) = \{(v_1, v_2) \in V_{pb} \mid v_1 \in trg_1(e_1),\ v_2 \in trg_2(e_2)\}$ for all $(e_1, e_2) \in E_{pb}$.
An example of a pullback of hypergraph morphisms $f_1, f_2$ is given in Fig. 4. The morphisms are indicated by the relative arrangement of the items and their shading. As explained in the next section, this pullback can be interpreted as deriving $H_2$ from $H_1$ by rewriting the node $p$.

Unlike H, the category of net structures is not finitely complete, but the characterization of Theorem 2 makes it easy to verify that pullbacks do exist in the cases which will be interpreted as net rewriting in the following section.

Theorem 2. For $i = 1, 2$, let $N_i$ and $N$ be net structures and $f_i : N_i \to N$ net morphisms. The pullback of $(f_1, f_2)$ exists if and only if for every item $z \in P \cup T$ of $N$, at most one of the sets $f_1^{-1}(z)$, $f_2^{-1}(z)$ contains distinct items $x$ and $y$ such that $(x, y)$ belongs to the flow relation of the corresponding net structure.

Proof. "⇒": Let $z \in P \cup T$ and $p_i, t_i \in f_i^{-1}(z)$ with $(p_i, t_i) \in F_i$ or $(t_i, p_i) \in F_i$, for $i = 1, 2$. Moreover, let $N^*$ be a net structure and $g_1 : N^* \to N_1$, $g_2 : N^* \to N_2$ net morphisms with $f_1 \circ g_1 = f_2 \circ g_2$. Now let $N'$ be the net structure with places $p'_1, p'_2$, transitions $t'_1, t'_2$, and an arc between $p'_i$ and $t'_i$ mirroring (one of) the arc(s) between $p_i$ and $t_i$ ($i = 1, 2$). Consider the two net morphisms $g'_1 : N' \to N_1$, $g'_2 : N' \to N_2$ with $g'_1(p'_1) = p_1$, $g'_1(\{t'_1, p'_2, t'_2\}) = \{t_1\}$, $g'_2(\{p'_1, t'_1, p'_2\}) = \{p_2\}$, and $g'_2(t'_2) = t_2$; clearly, $f_1 \circ g'_1 = f_2 \circ g'_2$. Finally, let $h : N' \to N^*$ be a net morphism such that $g_i \circ h = g'_i$. The situation is depicted in Fig. 5.
Fig. 5. Illustrating the proof of Theorem 2
As $g_i \circ h = g'_i$ maps $p'_i$ to $p_i$ and $t'_i$ to $t_i$, $h$ does not identify $p'_i$ and $t'_i$ ($i = 1, 2$). Therefore, the arc between $p'_1$ and $t'_1$ resp. $p'_2$ and $t'_2$ implies that $h(t'_1)$ is a transition and $h(p'_2)$ a place. Moreover, $g_i \circ h = g'_i$ identifying $t'_1$ and $p'_2$ means that $g_i$ identifies $h(t'_1)$ and $h(p'_2)$ ($i = 1, 2$). Hence, for net morphisms $g''_i : N' \to N_i$ with $g''_1(P' \cup T') = \{t_1\}$ and $g''_2(P' \cup T') = \{p_2\}$, the two distinct net morphisms $h_1, h_2 : N' \to N^*$ with $h_1(P' \cup T') = h(t'_1)$ and $h_2(P' \cup T') = h(p'_2)$ fulfil $g_i \circ h_j = g''_i$ ($i, j \in \{1, 2\}$). Thus, $(g_1, g_2)$ cannot be the pullback of $(f_1, f_2)$.

"⇐" (Outline): Let $Z_i := \{z \in P \cup T \mid \exists x, y \in f_i^{-1}(z) \text{ with } (x, y) \in F_i\}$ for $i = 1, 2$. By assumption, $Z_1$ and $Z_2$ are disjoint. Let $N_{pb}$ be as follows:
– $P_{pb} = \{(x_1, x_2) \in f_1^{-1}(z) \times f_2^{-1}(z) \mid (z \in P \setminus (Z_1 \cup Z_2)) \text{ or } (z \in Z_1 \text{ and } x_1 \in P_1) \text{ or } (z \in Z_2 \text{ and } x_2 \in P_2)\}$,
– $T_{pb} = \{(x_1, x_2) \in f_1^{-1}(z) \times f_2^{-1}(z) \mid (z \in T \setminus (Z_1 \cup Z_2)) \text{ or } (z \in Z_1 \text{ and } x_1 \in T_1) \text{ or } (z \in Z_2 \text{ and } x_2 \in T_2)\}$,
– $F_{pb} = \{((x_1, x_2), (y_1, y_2)) \in (P_{pb} \times T_{pb}) \cup (T_{pb} \times P_{pb}) \mid (x_i, y_i) \in F_i \text{ and } (x_j = y_j \text{ or } (x_j, y_j) \in F_j) \text{ for } i, j \in \{1, 2\},\ i \neq j\}$.
Clearly, $N_{pb}$ is a net structure, and it is not difficult to verify that the projections $g_i : N_{pb} \to N_i$ with $g_i((x_1, x_2)) = x_i$ form the pullback of $(f_1, f_2)$ in N. □
4 Net rewriting by pullbacks
In this section, pullback rewriting is defined directly in the category N of net structures. The basic idea is to achieve the partition of a net structure into three parts – the item to be rewritten, its immediate neighbourhood, and the context of the item – by a net morphism (an unknown) to a special net structure (the alphabet). Another kind of net morphism to the alphabet (a rule) specifies the net structure replacing the item, and its application is modelled by the pullback of the two net morphisms. Thus, pullback rewriting yields a notion of net refinement where items in the pre- and postsets of the refined item can be multiplied. Example 1, a place refinement, illustrates the usefulness of such an operation and will be formalized as both net and hypergraph rewriting in this section. The close relationship between pullback rewriting in net structures and in hypergraphs allows one to transfer the formalism presented in [BJ97] for an arbitrary number of items to be rewritten – possibly of different types – to net structures, too. The same holds for the notion of parallel rewriting as proposed in [Bau95b].

Example 1. (Cf. the reduction example of [GF95].) The (marked) Petri net $PN$ in Fig. 6 models a situation of mutual exclusion, with $p$ as a semaphore. Its refinement to $PN'$ explicitly represents the critical sections and the initialization of their common resources. Moreover, each transition connected with $p$ is split in two to express the entrance into and exit from its associated critical section.

Notation 3. For a relation $X \subseteq S \times S$ on a set $S$, $X^\sigma = X \cup \{(y, x) \mid (x, y) \in X\}$ denotes the symmetric hull. The set of all positive integers is denoted by $\mathbb{N}^+$.
Fig. 6. Refining a Petri net
The first mechanism to be presented is place rewriting in net structures. The place rewriting alphabet contains a place $p_{-1}$ (for the place to be rewritten), transitions $t_j$ linking it to neighbour places $p_i$, and a farther context $t_0$.

Definition 4. (Alphabet.) The place rewriting alphabet is the net structure $N_A$ with $P_A = \{p_{-1}\} \cup \{p_i \mid i \in \mathbb{N}^+\}$, $T_A = \{t_0\} \cup \{t_j \mid j \in \mathbb{N}^+\}$, and
$$F_A = \bigcup_{i, j \in \mathbb{N}^+} \{(t_0, p_i), (p_i, t_j), (t_j, p_{-1})\}^\sigma .$$
A substructure $N_{A(m,n)}$ of $N_A$ with $m + 1$ places and $n + 1$ transitions, $m, n \in \mathbb{N}^+$ "as required", will be used for finite examples; cf. Fig. 7 for $N_{A(2,3)}$. A place rewriting unknown maps the place to be rewritten on $p_{-1}$ and identifies those linking transitions resp. neighbour places which will be treated equally during a rewriting step.

Definition 5. (Unknown.) Let $N$ be a net structure and $p \in P$. A place rewriting unknown on $p$ is a net morphism $u_p : N \to N_A$ such that
– $u_p^{-1}(p_{-1}) = \{p\}$,
– for every $j \in \mathbb{N}^+$, $x \in u_p^{-1}(t_j)$ implies $\{(x, p)\}^\sigma \cap F \neq \emptyset$, and
– for every $i \in \mathbb{N}^+$, $y \in u_p^{-1}(p_i)$ implies that $j \in \mathbb{N}^+$ and $t \in u_p^{-1}(t_j)$ exist with $\{(y, t)\}^\sigma \cap F \neq \emptyset$.

A place rewriting rule maps what would classically be called the right-hand side of a production on $p_{-1}$ and fixes its possible connections to a context through the inverse images of the $t_j$.
Fig. 7. The place rewriting alphabet $N_{A(2,3)}$
Definition 6. (Rule.) A net morphism $r : N_R \to N_A$ is a place rewriting rule if
– for every item $x \in \{t_0\} \cup \{p_i \mid i \in \mathbb{N}^+\}$, $r^{-1}(x)$ contains exactly one element,
– $\{(r^{-1}(t_0), r^{-1}(p_i)) \mid i \in \mathbb{N}^+\}^\sigma \subseteq F_R$, and
– for every $j \in \mathbb{N}^+$, $r^{-1}(t_j)$ contains only transitions.

The notions of a rule application and a rewriting step are defined uniformly for all the concrete rewriting mechanisms studied in this and the next section.

Definition 7. (Rule application, rewriting step.) Let C be a category with an alphabet object $A$, an unknown morphism $u_x : Y \to A$, and a rule morphism $r : R \to A$ such that $A$, $u_x$, and $r$ belong to the same rewriting mechanism (e.g. place rewriting in N). The application of $r$ at $u_x$ is the pullback of $(u_x, r)$ in C. If $Y'$ is the object constructed by the application of $r$ at $u_x$ (the derived object), then $Y \Longrightarrow_{(u_x, r)} Y'$ denotes a rewriting step.

Figure 8 formalizes the refinement $PN \Longrightarrow PN'$ of Example 1 as the place rewriting step $N \Longrightarrow_{(u_p, r)} N'$. The unknown $u_p$ distinguishes the "upper" from the "lower" context of $p$, and the rule $r$ specifies the net structure replacing $p$ as well as the splitting of the transitions connected with $p$. Note that there are alternative choices for $u_p$ and $r$ to derive $N'$ from $N$. In general, the application of a place rewriting rule $r$ at a place rewriting unknown $u_p$ produces in the derived net structure exactly one copy of the context $u_p^{-1}(t_0)$ of $p$. Similarly, the $u_p^{-1}(p_i)$ are reproduced, as is the right-hand side of the rule. Only the linking transitions may be multiplied (the factors being the size of the respective inverse images) and have their arcs of the flow relation altered.
Fig. 8. Formalizing Example 1 as pullback rewriting
Fig. 9. Application of a more general rewriting rule

Corollary 1. For every place rewriting rule $r$ and unknown $u_p$, the application of $r$ at $u_p$ is defined.

Proof. Of $N_A$, only the item $t_0$ (resp. $p_{-1}$) may contain an arc in its inverse image under $u_p$ (resp. $r$). As $t_0 \neq p_{-1}$, Theorem 2 implies the assertion. □

There is a close relationship between place rewriting in N and node rewriting in H, which differs from that introduced in [BJ97] only in that it deals with directed instead of undirected hypergraphs. Thus, the notions of an alphabet, an unknown, and a rule can be gained from those for place rewriting in N by changing the (terminal) substructures $t_0$, $p_{-1}$ of $N_A$ and their inverse images $r^{-1}(t_0)$, $u_p^{-1}(p_{-1})$ into copies of the (terminal) hypergraph, and adjusting the involved net morphisms $u_p$ and $r$ accordingly to hypergraph morphisms $\langle u_p \rangle$ and $\langle r \rangle$. Figure 4 shows how the place rewriting step $N \Longrightarrow_{(u_p, r)} N'$ of Fig. 8 is transformed into the node rewriting step $H \Longrightarrow_{(\langle u_p \rangle, \langle r \rangle)} H'$, where $H = H_1$, $H' = H_{pb}$, $\langle u_p \rangle = f_1$, and $\langle r \rangle = f_2$. The example may be explicit enough so that the formal definitions can be omitted. It also illustrates that for the formalization of net refinement, pullback rewriting in net structures is more adequate than pullback rewriting in hypergraphs: in the latter case, one cannot directly take the hypergraph associated with the net to be refined, but has to alter it in order to get the desired result.

Proposition 1. Let $u_p$ be a place rewriting unknown and $r$ a place rewriting rule. If $N \Longrightarrow_{(u_p, r)} N'$ and $H \Longrightarrow_{(\langle u_p \rangle, \langle r \rangle)} H'$, then $H'$ is isomorphic to the hypergraph associated with $N'$.

To end this section, consider briefly a variant of place rewriting allowing a rule $r : N_R \to N_A$ to map places as well as transitions of $N_R$ on the transitions $t_i$ of $N_A$. (With the concepts of [Bau95b], this can be interpreted as a parallel rewriting step.) The application of such a rule to an unknown is still defined and results in the multiplication of the induced substructures of $N_R$. The idea is illustrated in Fig. 9 by an adaptation of Example 1; note how much the rule and its application gain in clarity. Moreover, the same rule can be applied to a net modelling an arbitrary number of processes which share a common resource.
5 A particular net refinement technique
By the symmetry of net structures, pullback rewriting of places immediately implies a notion of transition rewriting. In this section, a slightly different instance of pullback rewriting is used to characterize the transition refinement operation introduced in [GG90] for one-safe nets. Their operation allows one to infer the behaviour (in particular liveness properties) of a refined net compositionally from the behaviours of the original and the refinement net, and in contrast to previous studies their refinement nets may display initial or terminal concurrency. Markings and behavioural aspects are not formally considered here; this concerns in particular some additional restrictions for refinement structures.

Notation 4. Let $N$ be a net structure. The set ${}^\circ N = \{x \in P \mid {}^\bullet x = \emptyset\}$ contains the initial places of $N$, and $N^\circ = \{x \in P \mid x^\bullet = \emptyset\}$ its terminal places.

General assumption [GG90]. In this section, all net structures $N$ are assumed to have arcs $(p, t), (t, p') \in F$ and ${}^\bullet t \cap t^\bullet = \emptyset$ for every $t \in T$.

Definition 8. (Refinement structure, cf. [GG90].) A net structure $N_R$ is a refinement structure if ${}^\circ N_R \neq \emptyset \neq N_R^\circ$ and ${}^\circ N_R \cap N_R^\circ = \emptyset$.

Figure 10 shows a refinement structure $N_R$ with initial places (a), (b) and terminal place (e).
Fig. 10. A refinement structure [GG90]
Definition 9. (Net refinement [GG90].) Let $N_1$ be a net structure and $t \in T_1$. Moreover, let $N_R$ be a refinement structure (disjoint from $N_1$). Then the refined net structure $N_2 = N_1[N_R/t]$ is defined by
– $P_2 := (P_1 \setminus ({}^\bullet t \cup t^\bullet)) \cup (P_R \setminus ({}^\circ N_R \cup N_R^\circ)) \cup Int$, where $Int := ({}^\bullet t \times {}^\circ N_R) \cup (t^\bullet \times N_R^\circ)$,
– $T_2 := (T_1 \setminus \{t\}) \cup T_R$, and
– $F_2 := ((F_1 \cup F_R) \cap (P_2 \times T_2 \cup T_2 \times P_2))$
  $\cup\ \{((p_1, p_2), t_1) \mid (p_1, p_2) \in Int,\ t_1 \in T_1 \setminus \{t\},\ (p_1, t_1) \in F_1\}$
  $\cup\ \{(t_1, (p_1, p_2)) \mid (p_1, p_2) \in Int,\ t_1 \in T_1 \setminus \{t\},\ (t_1, p_1) \in F_1\}$
  $\cup\ \{((p_1, p_2), t_2) \mid (p_1, p_2) \in Int,\ t_2 \in T_R,\ (p_2, t_2) \in F_R\}$
  $\cup\ \{(t_2, (p_1, p_2)) \mid (p_1, p_2) \in Int,\ t_2 \in T_R,\ (t_2, p_2) \in F_R\}$.
Figure 11 illustrates the refinement of a transition $t$ with the refinement structure $N_R$ of Fig. 10: for every preplace $p$ of $t$ in $N_1$ and every initial place $p'$ in $N_R$, there is a new place $(p, p')$ in $N_2$ with ingoing arcs from each transition in the preset of $p$ and outgoing arcs to each transition in the postsets of $p$ and $p'$, and analogously for the postplaces of $t$ and the terminal places in $N_R$. This refinement technique can be characterized by pullback rewriting as follows.

Definition 10. (Refinement alphabet, unknown, and rule.) The refinement alphabet is the net structure $N_\alpha$ with $P_\alpha = \{p_1, p_2\}$, $T_\alpha = \{t_0, t_{-1}\}$, and $F_\alpha = \{(t_0, p_1), (t_0, p_2)\}^\sigma \cup \{(p_1, t_{-1}), (t_{-1}, p_2)\}$. Let $N_1$ be a net structure and $t \in T_1$. The refinement unknown on $t$ is the net morphism $u_t : N_1 \to N_\alpha$ with $u_t^{-1}(t_{-1}) = \{t\}$, $u_t^{-1}(p_1) = {}^\bullet t$, and $u_t^{-1}(p_2) = t^\bullet$. Let $N_R$ be a refinement structure and $N'_R$ a net structure with $P'_R = P_R$, $T'_R = T_R \cup \{t_0\}$, and $F'_R = F_R \cup \{(p, t_0) \mid p \in {}^\circ N_R \cup N_R^\circ\}^\sigma$. The refinement rule induced by $N_R$ is the net morphism $r : N'_R \to N_\alpha$ with $r^{-1}(t_0) = \{t_0\}$, $r^{-1}(p_1) = {}^\circ N_R$, and $r^{-1}(p_2) = N_R^\circ$.

The conversion of the example above into terms of pullback rewriting is depicted in Fig. 12. Note that the flow relation of $N_\alpha$ is not symmetric. Moreover, the refinement unknown $u_t$ is a well-defined mapping (by the general assumption above), and unique for every transition $t$ of a net structure $N_1$.

Theorem 5. Let $N_R$ be a refinement structure, $r$ the induced refinement rule, $N_1$ a net structure with $t \in T_1$, and $u_t : N_1 \to N_\alpha$ the refinement unknown on $t$. If $N_1 \Longrightarrow_{(u_t, r)} N_2$, then $N_2$ and $N_1[N_R/t]$ are isomorphic.
Fig. 11. Transition refinement [GG90]
Fig. 12. Transition refinement as pullback rewriting

Proof. By construction, $N_2$ and $N_1[N_R/t]$ only differ in that $N_2$ contains an item $(x, t_0)$ for each $x \in (P_1 \cup T_1) \setminus ({}^\bullet t \cup \{t\} \cup t^\bullet)$ and an item $(t, y)$ for each $y \in (P_R \setminus ({}^\circ N_R \cup N_R^\circ)) \cup T_R$. □

Note that the canonical vicinity respecting morphism $f : N_1[N_R/t] \to N_1$ of [GG90] is (modulo isomorphism) exactly the morphism $f : N_2 \to N_1$ generated by the pullback construction.
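As an added illustration in Python (not code from the paper), the following implements the existence criterion and the pullback construction from the proof of Theorem 2, the refinement $N_1[N_R/t]$ of Definition 9 and the alphabet, unknown and rule of Definition 10, and then checks on a constructed instance that the pullback of $(u_t, r)$ coincides with $N_1[N_R/t]$ under the renaming given in the proof of Theorem 5. The nets `N1_EX` and `NR_EX`, the string labels `"t0"`, `"t-1"`, `"p1"`, `"p2"` for $t_0, t_{-1}, p_1, p_2$, and all function names are this example's own choices.

```python
from itertools import product

class Net:
    """Net structure N = (P, T, F) of Definition 2: P, T disjoint, F ⊆ P×T ∪ T×P."""
    def __init__(self, P, T, F):
        self.P, self.T, self.F = frozenset(P), frozenset(T), frozenset(F)
        assert not (self.P & self.T)
        assert all((x in self.P) != (y in self.P) for x, y in self.F)
    def pre(self, x):   # preset •x
        return {y for y, z in self.F if z == x}
    def post(self, x):  # postset x•
        return {z for y, z in self.F if y == x}

def is_net_morphism(f, N, M):
    """Definition 2: each arc that f does not collapse is mapped to an arc, preserving the type."""
    return all(f[x] == f[y] or ((f[x], f[y]) in M.F and (x in N.P) == (f[x] in M.P))
               for x, y in N.F)

def collapsed(f, N):
    """Z_f = {z | f^-1(z) contains an arc}; by Theorem 2 the pullback exists iff Z_f1 ∩ Z_f2 = ∅."""
    return {f[x] for x, y in N.F if f[x] == f[y]}

def pullback(f1, N1, f2, N2, N):
    """N_pb from the proof of Theorem 2 for f1: N1 → N, f2: N2 → N; None if it does not exist."""
    Z1, Z2 = collapsed(f1, N1), collapsed(f2, N2)
    if Z1 & Z2:
        return None
    pairs = [(x1, x2) for x1 in N1.P | N1.T for x2 in N2.P | N2.T if f1[x1] == f2[x2]]
    def is_place(x1, x2):  # typing rule for P_pb versus T_pb
        z = f1[x1]
        return x1 in N1.P if z in Z1 else (x2 in N2.P if z in Z2 else z in N.P)
    Ppb = {q for q in pairs if is_place(*q)}
    Fpb = {((x1, x2), (y1, y2)) for (x1, x2), (y1, y2) in product(pairs, repeat=2)
           if ((x1, x2) in Ppb) != ((y1, y2) in Ppb) and (
               ((x1, y1) in N1.F and (x2 == y2 or (x2, y2) in N2.F)) or
               ((x2, y2) in N2.F and (x1 == y1 or (x1, y1) in N1.F)))}
    return Net(Ppb, set(pairs) - Ppb, Fpb)

def initial(N):   return {p for p in N.P if not N.pre(p)}   # °N, places with empty preset
def terminal(N):  return {p for p in N.P if not N.post(p)}  # N°, places with empty postset

def refine(N1, t, NR):
    """N1[NR/t] of Definition 9; NR must be a refinement structure disjoint from N1."""
    pre_t, post_t, init, term = N1.pre(t), N1.post(t), initial(NR), terminal(NR)
    Int = set(product(pre_t, init)) | set(product(post_t, term))
    P2 = (N1.P - pre_t - post_t) | (NR.P - init - term) | Int
    T2 = (N1.T - {t}) | NR.T
    F2 = {(x, y) for x, y in N1.F | NR.F if x in P2 | T2 and y in P2 | T2}
    for p1, p2 in Int:  # the four families of arcs attached to the new places (p1, p2)
        F2 |= {((p1, p2), t1) for t1 in N1.T - {t} if (p1, t1) in N1.F}
        F2 |= {(t1, (p1, p2)) for t1 in N1.T - {t} if (t1, p1) in N1.F}
        F2 |= {((p1, p2), t2) for t2 in NR.T if (p2, t2) in NR.F}
        F2 |= {(t2, (p1, p2)) for t2 in NR.T if (t2, p2) in NR.F}
    return Net(P2, T2, F2)

# Definition 10, with the strings "p1", "p2", "t0", "t-1" standing for p_1, p_2, t_0, t_-1.
ALPHA = Net({"p1", "p2"}, {"t0", "t-1"}, {("t0", "p1"), ("p1", "t0"), ("t0", "p2"),
                                          ("p2", "t0"), ("p1", "t-1"), ("t-1", "p2")})

def refinement_unknown(N1, t):  # u_t: t ↦ t-1, •t ↦ p1, t• ↦ p2, everything else ↦ t0
    u = {x: "t0" for x in N1.P | N1.T}
    u.update({p: "p1" for p in N1.pre(t)})
    u.update({p: "p2" for p in N1.post(t)})
    u[t] = "t-1"
    return u

def refinement_rule(NR):
    """Returns (r, N'_R): N'_R adds a transition t0 joined both ways to °NR ∪ NR°."""
    border = initial(NR) | terminal(NR)
    NRp = Net(NR.P, NR.T | {"t0"},
              NR.F | {(p, "t0") for p in border} | {("t0", p) for p in border})
    r = {x: "t-1" for x in NR.P | NR.T}  # the right-hand side sits over t-1
    r.update({p: "p1" for p in initial(NR)})
    r.update({p: "p2" for p in terminal(NR)})
    r["t0"] = "t0"
    return r, NRp

def theorem5_check(N1, t, NR):
    """True iff the pullback of (u_t, r) equals N1[NR/t] after the renaming from the proof of
    Theorem 5: (x, t0) ↦ x for x outside •t ∪ {t} ∪ t•, (t, y) ↦ y for inner items y of NR."""
    u, (r, NRp) = refinement_unknown(N1, t), refinement_rule(NR)
    assert is_net_morphism(u, N1, ALPHA) and is_net_morphism(r, NRp, ALPHA)
    N2 = pullback(u, N1, r, NRp, ALPHA)
    if N2 is None:
        return False
    def phi(q):
        return q[0] if q[1] == "t0" else (q[1] if q[0] == t else q)
    ref = refine(N1, t, NR)
    P, T = {phi(q) for q in N2.P}, {phi(q) for q in N2.T}
    F = {(phi(a), phi(b)) for a, b in N2.F}
    return len(P) == len(N2.P) and len(T) == len(N2.T) and (P, T, F) == (ref.P, ref.T, ref.F)

# Constructed instance in the spirit of Figs. 10 and 11 (not the paper's exact nets): t has
# preset {3, 4} and postset {5, 6}; NR has initial places a, b and terminal place e.
N1_EX = Net({1, 2, 3, 4, 5, 6}, {"s1", "s2", "t", "s3"},
            {(1, "s1"), ("s1", 3), (2, "s2"), ("s2", 4), (3, "t"), (4, "t"), ("t", 5), ("t", 6),
             (5, "s3"), (6, "s3"), ("s3", 1), ("s3", 2)})
NR_EX = Net({"a", "b", "c", "d", "e"}, {"u1", "u2", "u3"},
            {("a", "u1"), ("u1", "c"), ("b", "u2"), ("u2", "d"), ("c", "u3"), ("d", "u3"), ("u3", "e")})
```

On this instance `refine(N1_EX, "t", NR_EX)` has the 10 places, 6 transitions and 20 arcs one reads off Fig. 11 (e.g. the places (3,a), (4,b), (5,e)), and `theorem5_check` returns True.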
6 Conclusion
The aim of this work was to investigate an application of the pullback approach to hypergraph transformation by translating the notion of pullback rewriting from terms of hypergraph morphisms into terms of net morphisms. It turned out that unlike the category of hypergraphs, the category of net structures is not complete; in particular, it does not have all pullbacks. Nevertheless, there is an easily verified criterion to determine whether the pullback of two given net morphisms exists. This criterion ensures that net rewriting by pullbacks is indeed well-defined. Moreover, the net refinement operation of [GG90] has a concise characterization in the pullback rewriting approach.

There are two main areas for future research on the issues presented here. On the one hand, pullback rewriting has been introduced only quite recently as a hypergraph rewriting approach. It already appears to be promising as an abstract framework for the known hypergraph transformation techniques. Moreover, this paper shows that the idea of pullback rewriting in net structures has a meaningful interpretation as net refinement. So, the pullback rewriting approach needs further development. On the other hand, the relationship between hypergraph transformations and net refinements (or, conversely, net reductions) should be investigated: as a number of refinement operations correspond to rather restricted types of context-free hypergraph rewriting mechanisms, interpreting more general types of hypergraph rewriting as net refinement will probably lead to new net refinements. Moreover, the well-known results on compatible properties may lead to similar results for net refinement, i.e. to results on the compositionality of net properties. In the setting of high-level nets and refinements based on double-pushout rules, similar ideas have already been investigated in [PER95,?]; the link to the work presented here remains to be established. Vice versa, finding adequate descriptions of particular types of net refinement as hypergraph rewriting may also lead to extensions of the latter.

Acknowledgement. I thank Annegret Habel and two anonymous referees for their valuable comments on previous versions of this paper. The pictures have been concocted with Frank Drewes's LaTeX2ε package for typesetting graphs. Special thanks go to Anne Bottreau for her timely email.
References
Bau95a. Michel Bauderon. A uniform approach to graph rewriting: the pullback approach. In Graph-Theoretic Concepts in Computer Science, volume 1017 of Lecture Notes in Computer Science, 101–115, 1995.
Bau95b. Michel Bauderon. Parallel rewriting of graphs through the pullback approach. In Proc. SEGRAGRA'95, volume 2 of Electronic Notes in Theoretical Computer Science, 8 pages, 1995.
BGV91. Wilfried Brauer, Robert Gold, and Walter Vogler. A survey of behaviour and equivalence preserving refinements of Petri nets. In Advances in Petri Nets, volume 483 of Lecture Notes in Computer Science, 1–46, 1991.
BJ97. Michel Bauderon and Hélène Jacquet. Node rewriting in hypergraphs. In Graph-Theoretic Concepts in Computer Science, volume 1197 of Lecture Notes in Computer Science, 31–43, 1997.
CER93. Bruno Courcelle, Joost Engelfriet, and Grzegorz Rozenberg. Handle-rewriting hypergraph grammars. Journal of Computer and System Sciences, 46:218–270, 1993.
Ehr79. Hartmut Ehrig. Introduction to the algebraic theory of graph grammars. In Graph-Grammars and Their Application to Computer Science and Biology, volume 73 of Lecture Notes in Computer Science, 1–69, 1979.
GF95. Anja Gronewold and Hans Fleischhack. Computing Petri net languages by reductions. In Fundamentals of Computation Theory, volume 965 of Lecture Notes in Computer Science, 253–262, 1995.
GG90. Rob van Glabbeek and Ursula Goltz. Refinement of actions in causality based models. In Stepwise Refinement of Distributed Systems, volume 430 of Lecture Notes in Computer Science, 267–300, 1990.
Hab92. Annegret Habel. Hypergraph grammars: Transformational and algorithmic aspects. Journal of Information Processing and Cybernetics EIK, 28:241–277, 1992.
HK87a. Annegret Habel and Hans-Jörg Kreowski. Characteristics of graph languages generated by edge replacement. Theoretical Computer Science, 51:81–115, 1987.
HK87b. Annegret Habel and Hans-Jörg Kreowski. May we introduce to you: Hyperedge replacement. In Graph Grammars and Their Application to Computer Science, volume 291 of Lecture Notes in Computer Science, 15–26, 1987.
HS79. Horst Herrlich and George E. Strecker. Category Theory. Sigma Series in Pure Mathematics. Heldermann Verlag, Berlin, 2nd edition, 1979.
Kle96. Renate Klempien-Hinrichs. Node replacement in hypergraphs: Simulation of hyperedge replacement, and decidability of confluence. In Graph Grammars and Their Application to Computer Science, volume 1073 of Lecture Notes in Computer Science, 397–411, 1996.
PER95. Julia Padberg, Hartmut Ehrig, and Leila Ribeiro. Algebraic high-level net transformation systems. Math. Struct. in Comp. Science, 5:217–256, 1995.
PGE98. Julia Padberg, Magdalena Gajewsky, and Claudia Ermel. Rule-based refinement of high-level nets preserving safety properties. To appear in Proc. FASE, Lecture Notes in Computer Science, 1998.
Rei85. Wolfgang Reisig. Petri Nets, volume 4 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, Berlin Heidelberg, 1985.
Roz97. Grzegorz Rozenberg, ed. Handbook of Graph Transformations, volume I: Foundations. World Scientific, Singapore, 1997.
Vog87. Walter Vogler. Behaviour preserving refinements of Petri nets. In Graph-Theoretic Concepts in Computer Science, volume 246 of Lecture Notes in Computer Science, 82–93, 1987.
On Piecewise Testable, Starfree, and Recognizable Picture Languages
Oliver Matz, Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität Kiel, 24098 Kiel, Germany, [email protected]
Abstract. We isolate a technique for showing that a picture language (i.e. a “two-dimensional language”) is not recognizable. Then we prove the non-recognizability of a picture language that is both starfree (i.e., definable by means of union, concatenation, and complement) and piecewise testable (i.e., definable by means of allowed subpictures), solving an open question in [GR96]. We also define local, locally testable, and locally threshold testable picture languages and summarize known inclusion results for these classes. The classes of piecewise testable, locally testable, and locally threshold testable picture languages can, as in the word case, be characterized by certain (fragments of) first-order logics.
1 Introduction
In [GRST96,GR96], the authors investigated the class of recognizable picture languages (as a straightforward generalization of recognizable word languages to two dimensions), and compared it to variants of classes of regular picture languages, defined by "regular expressions" built up by union, row- and column-concatenation, and, optionally, iterated row-/column-concatenation and/or complement. It turns out that the class of recognizable picture languages is not closed under complement, and the regular expressions without complement do not capture the class of recognizable picture languages, in contrast to the Kleene Theorem for the one-dimensional case. One question that remained open was whether every language defined by regular expressions with all of the above-mentioned operations is recognizable. We answer this question negatively, even for the case that the iterated concatenations are omitted, i.e. the "starfree" expressions. For this aim, we recapitulate and isolate a technique for showing the non-recognizability of a picture language. This technique has also been used in [MT97]. Besides, we consider some other adaptations of classes of formal languages to the two-dimensional case, namely different versions of first-order definable languages, as well as piecewise testable, locally testable, and locally threshold testable picture languages, and report some known and some simple results about these. For example, it is shown in [Wil97] that there is a first-order definable picture language that is not starfree.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 203–210, 1998. © Springer-Verlag Berlin Heidelberg 1998
2 Recognizable Picture Languages
Throughout the paper, we consider a fixed alphabet $\Gamma$. A picture over $\Gamma$ is a matrix over $\Gamma$. By picture languages we refer to sets of pictures. The language of all pictures over $\Gamma$ is denoted by $\Gamma^{+,+}$. The language of all pictures of size $m \times n$ is denoted by $\Gamma^{m,n}$. There are two different, partial concatenations for pictures: the row concatenation $P\,Q$ (column concatenation $P\,Q$, respectively) of two pictures $P$ and $Q$ of the same width (height, respectively) is the picture obtained by appending $Q$ to the bottom (right, respectively) of $P$. These concatenations can be generalized to languages in the straightforward way. Since picture languages are the two-dimensional analogue to word languages, it is somewhat natural to try to transfer definitions of interesting word language classes to these. We will first give a straightforward definition of recognizability.

Definition 1. A picture language $L$ over $\Gamma$ is domino-local iff there are local word languages $L_1, L_2$ over $\Gamma$ such that $L$ is the set of pictures whose columns (considered as words) are in $L_1$ and whose rows are in $L_2$. A picture language is recognizable if it is the image of a local picture language under some alphabet projection.

This definition is consistent with other equivalent definitions of recognizability given in [GRST96,GR96]. (Among these, there is the characterization via existential monadic second-order logic over the signature with the two binary relation symbols $S_1$ and $S_2$ for vertical and horizontal successors.) The following fact has recently been proved by Klaus Reinhardt.

Example 1. The set of all pictures over $\{a, b\}$ in which the set of $b$-positions is connected (where two $b$-positions are meant to be adjacent iff they are horizontally or vertically next to each other) is recognizable. The complement of the above language is also recognizable, which is much easier to show.

Definition 2. For a picture language $L \subseteq \Gamma^{+,+}$ and an integer $m \geq 1$, the fixed-height-$m$ word language of $L$, denoted by $L(m)$, is the following word language over $\Gamma^{m,1}$:
$$L(m) = \left\{ \begin{pmatrix} a_{11} \\ \vdots \\ a_{m1} \end{pmatrix} \cdots \begin{pmatrix} a_{1n} \\ \vdots \\ a_{mn} \end{pmatrix} \;\middle|\; \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{m1} & \cdots & a_{mn} \end{pmatrix} \in L \right\}.$$
The following lemma is formulated and proven in [MT97]. As far as the author knows, all arguments against recognizable languages depend on this lemma.
Lemma 1. Let $L \subseteq \Gamma^{+,+}$ be recognizable. Then there is a $k \geq 1$ such that for all $m \geq 1$ there is an NFA $A$ with $k^m$ states that recognizes $L(m)$.

Proof. Assume $L_1$, $L_2$, and $\Gamma$ are as in Definition 1. Let $m \geq 1$. The states of the constructed NFA are those columns of height $m$ that are, considered as words, in $L_1$, plus an additional initial state. The transitions and final states are chosen in such a way that each string of corresponding components of a run is in $L_2$. The transition labels are the images of the target states under the alphabet projection.

The following simple fact has been stated for example in [Bir96,GS96].

Lemma 2. Let $n \geq 1$, $L \subseteq \Gamma^*$ be recognizable by an NFA with $n$ states. Let $M \subseteq \Gamma^* \times \Gamma^*$ such that $\forall (u, v) \in M : uv \in L$ and $\forall (u, v), (u', v') \in M : \{uv', u'v\} \not\subseteq L$. Then $|M| \leq n$.

The preceding two lemmas give the following result.

Lemma 3. Let $L \subseteq \Gamma^{+,+}$ be recognizable. Let $(M_m)$ be a sequence with $\forall m : M_m \subseteq \Gamma^{m,+} \times \Gamma^{m,+}$ and $\forall (P, Q) \in M_m : P\,Q \in L$, $\forall (P, Q), (P', Q') \in M_m : \{P\,Q', P'\,Q\} \not\subseteq L$. Then $|M_m|$ is $2^{O(m)}$.

Intuitively, this lemma says that for a recognizable picture language, there is no more than exponentially much space to pass information from one side of the picture to the other. We use the above lemma to reformulate the proof of non-recognizability of an example language from [GRST96].

Proposition 1. Let $L$ be the set of pictures over $\{a, b\}$ of the form $P\,P$ where $P$ is a square. Then $L$ is not recognizable.

Proof. For every $m \geq 1$ let $M_m := \{(P, P) \mid P \in \Gamma^{m,m}\}$. We have for all squares $P, P'$ that $P\,P' \in L \iff P = P'$, so $(M_m)$ has the property of Lemma 3. But $|M_m| = 2^{m^2}$ is not $2^{O(m)}$, therefore $L$ is not recognizable.

In [GRST96] the non-recognizability of the above language has been shown using essentially the same argument. The complement of $L$ is recognizable, so a corollary is that the class of recognizable picture languages is not closed under complement.
In fact, the author does not know any example of a picture language whose non-recognizability can be shown, but not by this lemma. We consider another example.
Proposition 2. Let CORNERS be the set of pictures $P$ over $\{a, b\}$ such that whenever $P(i, j) = P(i', j) = P(i, j') = b$ then also $P(i', j') = b$. (Intuitively: whenever three corners of a rectangle carry a $b$, then also the fourth one does.) CORNERS is not recognizable.

Proof. Let $n \geq 1$. For every partition $\mathcal{P}$ of $\{1, \ldots, 2n\}$ into two-element sets we fix a bijection $\alpha_\mathcal{P} : \mathcal{P} \to \{1, \ldots, n\}$. (For example, we can choose $\alpha_\mathcal{P}(\{i, i'\})$ to be the number of elements $\{j, j'\}$ of $\mathcal{P}$ for which $\min\{j, j'\} \leq \min\{i, i'\}$.) Now we choose a picture $P_\mathcal{P}$ over $\{a, b\}$ of size $2n \times n$ such that for all $(i, j) \in \{1, \ldots, 2n\} \times \{1, \ldots, n\}$: $P_\mathcal{P}(i, j) = b \iff \exists i' : \{i, i'\} \in \mathcal{P} \wedge j = \alpha_\mathcal{P}(\{i, i'\})$. Let $M_n$ be the set of all pairs $(P_\mathcal{P}, P_\mathcal{P})$ where $\mathcal{P}$ is a partition of $\{1, \ldots, 2n\}$ into two-element sets. Then we have for all partitions $\mathcal{P}, \mathcal{P}'$ that $P_\mathcal{P}\,P_{\mathcal{P}'} \in \text{CORNERS} \iff \mathcal{P} = \mathcal{P}'$, so $(M_n)$ has the property of Lemma 3. For the number $A_n$ of partitions of $\{1, \ldots, 2n\}$ into two-element sets one easily verifies the recursion formula $A_1 = 1$, $A_{n+1} = (2n + 1) A_n$. We have that $|M_n| = A_n \geq n!$ is not $2^{O(n)}$ and hence Lemma 3 implies that CORNERS is not recognizable.
3 Piecewise Testable Picture Languages
Definition 3. Let $P \in \Gamma^{m,n}$ and $Q \in \Gamma^{+,+}$. Then $P$ is a subpicture of $Q$ if there are strictly monotone functions $f : \{1,\dots,m\} \to \mathbb{N}_{\ge 1}$ and $g : \{1,\dots,n\} \to \mathbb{N}_{\ge 1}$ such that $Q(f(i), g(j)) = P(i,j)$ for all $(i,j) \in \{1,\dots,m\} \times \{1,\dots,n\}$. Let $m, n \in \mathbb{N}_{\ge 1}$. Two pictures $Q_1, Q_2$ are $(m,n)$-equivalent ($Q_1 \sim_{mn} Q_2$ for short) iff they have the same subpictures of size $m \times n$. A picture language $L$ is piecewise testable iff there is some $(m,n)$ such that $L$ is a union of $\sim_{mn}$-equivalence classes.

Example 2. The picture language CORNERS from Proposition 2 is piecewise testable. The proof is immediate, since CORNERS is the set of pictures $P$ such that no $2 \times 2$ subpicture of $P$ has exactly three $b$'s, and this property holds either for all or for no elements of a $(2,2)$-equivalence class. This example shows that, unlike in the theory of formal word languages, not every piecewise testable picture language is recognizable.

Remark 1. The class of piecewise testable picture languages is characterized by Boolean combinations of existential first-order formulas with the two binary predicates $\le_1, \le_2$. The proof is similar to the word case.
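The following Python program is an added worked example, not code from the paper. It implements Definition 3 (non-contiguous subpictures), checks CORNERS both directly and through the $(2,2)$-subpicture criterion of Example 2, and rebuilds the family $M_n$ from the proof of Proposition 2 (pictures $P_{\mathcal{P}}$ of a perfect matching $\mathcal{P}$, with $\alpha_{\mathcal{P}}$ numbering pairs by their smaller element), verifying $P_{\mathcal{P}} P_{\mathcal{P}'} \in CORNERS \iff \mathcal{P} = \mathcal{P}'$ and that $|M_n| = A_n$ follows the recursion $A_{n+1} = (2n+1)A_n$. Pictures are lists of rows over the alphabet $\{a,b\}$, indexed from 0 rather than 1; all inputs are constructed inside the program.

```python
from itertools import combinations

def subpictures(pic, m, n):
    """All m x n subpictures of pic (Definition 3): rows and columns are picked by
    strictly monotone index maps, so a subpicture need not be contiguous."""
    for rows in combinations(range(len(pic)), m):
        for cols in combinations(range(len(pic[0])), n):
            yield tuple(tuple(pic[i][j] for j in cols) for i in rows)

def in_corners(pic):
    """CORNERS (Proposition 2): three b-corners of a rectangle force the fourth,
    i.e. no rectangle carries exactly three b's."""
    for i, i2 in combinations(range(len(pic)), 2):
        for j, j2 in combinations(range(len(pic[0])), 2):
            corners = (pic[i][j], pic[i][j2], pic[i2][j], pic[i2][j2])
            if corners.count('b') == 3:
                return False
    return True

def in_corners_piecewise(pic):
    """Example 2: no 2 x 2 subpicture has exactly three b's. This only looks at
    the set of 2 x 2 subpictures, hence at the (2,2)-equivalence class of pic."""
    return all(sum(row.count('b') for row in sp) != 3
               for sp in subpictures(pic, 2, 2))

def perfect_matchings(elems):
    """All partitions of elems into two-element sets (pairs are (min, max))."""
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for k, partner in enumerate(rest):
        for rest_matching in perfect_matchings(rest[:k] + rest[k + 1:]):
            yield [(first, partner)] + rest_matching

def matching_picture(matching):
    """P_𝒫 of size 2n x n: row i has its single b in column alpha(pair of i),
    where alpha numbers the pairs by their smaller element (the choice in the proof)."""
    pairs = sorted(tuple(sorted(p)) for p in matching)
    n = len(pairs)
    pic = [['a'] * n for _ in range(2 * n)]
    for col, (i, i2) in enumerate(pairs):
        pic[i][col] = pic[i2][col] = 'b'
    return pic

def column_concat(p, q):
    """Row-wise concatenation P Q of two pictures of equal height."""
    return [rp + rq for rp, rq in zip(p, q)]

def lemma3_family_size(n):
    """Verify P_𝒫 P_𝒫' ∈ CORNERS iff 𝒫 = 𝒫' for all matchings of {0..2n-1}
    (both membership tests must agree) and return |M_n| = A_n."""
    ms = list(perfect_matchings(list(range(2 * n))))
    for p in ms:
        for q in ms:
            pic = column_concat(matching_picture(p), matching_picture(q))
            assert in_corners(pic) == in_corners_piecewise(pic) == (p == q)
    return len(ms)

if __name__ == '__main__':
    for n in range(1, 5):
        print(n, lemma3_family_size(n))   # 1, 3, 15, 105: A_{n+1} = (2n+1) A_n
```

The two membership tests agree on every picture, which is exactly what makes CORNERS a union of $(2,2)$-equivalence classes; the family sizes $1, 3, 15, 105$ grow faster than any $2^{O(n)}$, which is the contradiction with Lemma 3.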
Example 3. Let CROSS be the language of all pictures over $\{a,b\}$ containing
  a b a
  b b b
  a b a
as a subpicture. CROSS is piecewise testable.
4 Starfree Picture Languages
Definition 4. The class of starfree picture languages over $\Gamma$ is given by the smallest set that contains all finite picture languages over $\Gamma$ and is closed under row- and column concatenation, finite union, and complement.

The class of recognizable picture languages is closed under row- and column concatenation and union, but (as mentioned before) not under complement. In [GRST96] the authors asked whether, nevertheless, every starfree picture language is recognizable. We answer this question negatively.

Proposition 3. The picture language CORNERS from Proposition 2 is starfree.

Proof. Let
  K := ⋃  ( w   (∼∅)   x )
          (      (∼∅)     )
          ( y   (∼∅)   z )
where the three rows are stacked by column concatenation, the union ranges over all quadruples $(w,x,y,z) \in \{a,b\}^4$ such that $wxyz \in b^*ab^*$, and $\sim$ denotes complement w.r.t. $\{a,b\}^{+,+}$. Then $K$ is the set of all pictures over $\{a,b\}$ such that exactly one of the corners carries an $a$. Clearly,
  (          (∼∅)          )
  ( (∼∅)      K      (∼∅) )
  (          (∼∅)          )
is the complement of CORNERS, so CORNERS is starfree.

The following is shown in [Wil97]:

Lemma 4. The language CROSS from Example 3 is not starfree.
5 Local, Locally Testable, and Locally Threshold Testable Picture Languages
We give straightforward adaptations of definitions of language classes defined by certain "local" properties. These definitions can also be found, for instance, in [GRST96].

Definition 5. Let $P \in \Gamma^{m,n}$ and $Q \in \Gamma^{m',n'}$. Then $P$ is a subblock of $Q$ if there are $k \le m' - m$ and $l \le n' - n$ such that $Q(k+i, l+j) = P(i,j)$ for all $(i,j) \in \{1,\dots,m\} \times \{1,\dots,n\}$. For a picture $P$ over $\Gamma$, we denote by $\hat{P}$ the picture over $\Gamma \cup \{\#\}$ that results from $P$ by surrounding it with the fresh boundary symbol $\#$.
A picture language $L$ is local iff there is some set $\Delta$ of $2 \times 2$-pictures over $\Gamma \cup \{\#\}$ such that $L$ contains exactly those pictures $P$ for which all $2 \times 2$-subblocks of $\hat{P}$ are in $\Delta$. Let $m, n \in \mathbb{N}_{\ge 1}$. Two pictures $Q_1, Q_2$ are $(m,n)$-block-equivalent ($Q_1 \cong_{mn} Q_2$ for short) iff $\hat{Q}_1$ and $\hat{Q}_2$ have the same set of subblocks of size $m \times n$. A picture language $L$ is locally testable iff there is some $(m,n)$ such that $L$ is a union of $(m,n)$-block-equivalence classes. Let $d, t \ge 1$. Two pictures $Q_1, Q_2$ are $(d,t)$-block-threshold-equivalent iff for every square picture $P$ of size $d' \times d'$ (with $d' \le d$), the numbers of occurrences of $P$ as a subblock in $\hat{Q}_1$ and in $\hat{Q}_2$ are equal or both $> t$. A picture language is locally threshold testable iff there are $d, t$ such that $L$ is a union of $(d,t)$-block-threshold-equivalence classes.

Since every local language is a union of $(2,2)$-block-equivalence classes, and $(m,n)$-block-equivalence is coarser than $(\max\{m,n\}, 0)$-block-threshold-equivalence, we have that every domino-local language is local, every local language is locally testable, and every locally testable picture language is locally threshold testable. In [GR96] it is shown that the class of recognizable picture languages is the class of those picture languages that can be obtained from a local picture language via alphabet projection.

Remark 2.
1. The class of locally threshold testable picture languages is characterized by first-order logic over the signature $\{S_1, S_2\}$ with two binary relation symbols $S_1, S_2$ for the two successor relations.
2. The class of locally testable picture languages is characterized by Boolean combinations of existential first-order sentences over the signature $\{S_1, S_2, left, right, top, bottom\}$, where the latter four predicates are unary and say that a position is at the respective border.
The first statement is shown in [GRST96] and the second can be proved similarly to the case of word languages.
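As an added worked example (not part of the paper), the following Python program makes Definition 5 and the [GR96] characterization concrete. It builds $\hat{P}$, enumerates contiguous subblocks, decides membership in the local language $L(\Delta)$ of a tile set $\Delta$, and then tests a projection argument: over $\{0,1\}$, the pictures that are square with $1$ exactly on the main diagonal form a local language (the tile set $\Delta_{diag}$ is harvested from hatted diagonal squares of side $1$ to $4$, which already contain every tile type), and its projection $0,1 \mapsto a$ is the set of squares over the one-letter alphabet $\{a\}$, a language that is recognizable but not local. The choice of this example language and the brute-force preimage search are the author's own for illustration; exhaustive checks up to a small size stand in for the inductive proof.

```python
from itertools import product

HASH = '#'

def hat(pic):
    """P̂: surround P with the boundary symbol #."""
    width = len(pic[0])
    border = [HASH] * (width + 2)
    return [border] + [[HASH] + list(row) + [HASH] for row in pic] + [border]

def subblocks(pic, m, n):
    """All contiguous m x n subblocks of pic (Definition 5)."""
    rows, cols = len(pic), len(pic[0])
    for k in range(rows - m + 1):
        for l in range(cols - n + 1):
            yield tuple(tuple(pic[k + i][l + j] for j in range(n)) for i in range(m))

def tiles_of(pic):
    """The set of 2 x 2 subblocks of P̂."""
    return set(subblocks(hat(pic), 2, 2))

def is_local_member(pic, delta):
    """P is in the local language L(Δ) iff every 2 x 2 subblock of P̂ lies in Δ."""
    return tiles_of(pic) <= delta

def diagonal_square(n):
    return [['1' if i == j else '0' for j in range(n)] for i in range(n)]

# Tile set harvested from diagonal squares of side 1..4 (side 4 already shows every tile type).
DELTA_DIAG = set().union(*(tiles_of(diagonal_square(n)) for n in range(1, 5)))

def is_diagonal_square(pic):
    rows, cols = len(pic), len(pic[0])
    return rows == cols and all(pic[i][j] == ('1' if i == j else '0')
                                for i in range(rows) for j in range(cols))

def local_matches_spec(max_side):
    """Exhaustive check over {0,1}: L(Δ_diag) restricted to pictures with both sides
    at most max_side is exactly the set of diagonal squares."""
    for rows in range(1, max_side + 1):
        for cols in range(1, max_side + 1):
            for cells in product('01', repeat=rows * cols):
                pic = [list(cells[r * cols:(r + 1) * cols]) for r in range(rows)]
                if is_local_member(pic, DELTA_DIAG) != is_diagonal_square(pic):
                    return False
    return True

def in_projection(pic, delta, preimages):
    """Membership in π(L(Δ)) by searching all preimages under the projection π,
    given as a map from each letter to the string of letters projected onto it."""
    rows, cols = len(pic), len(pic[0])
    choices = [preimages[pic[i][j]] for i in range(rows) for j in range(cols)]
    for cells in product(*choices):
        candidate = [list(cells[r * cols:(r + 1) * cols]) for r in range(rows)]
        if is_local_member(candidate, delta):
            return True
    return False

def is_square_over_a(rows, cols):
    """Squares over {a} as the projection of the local language L(Δ_diag)."""
    pic = [['a'] * cols for _ in range(rows)]
    return in_projection(pic, DELTA_DIAG, {'a': '01'})

if __name__ == '__main__':
    print(len(DELTA_DIAG), 'tiles;', 'spec holds up to 3x3:', local_matches_spec(3))
    print('3x3 square over {a}:', is_square_over_a(3, 3), ' 3x4:', is_square_over_a(3, 4))
```

The preimage search is exponential in the picture area, which is fine for a demonstration but is also the reason the [GR96] characterization does not give an efficient recognizer by itself; a tiling-system recognizer would instead guess the preimage column by column, as in the NFA construction of Lemma 1.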
6 An Overview of Language Classes and Open Questions
Let us denote the classes of recognizable, piecewise testable, starfree, local, and first-order definable (in the sense of [Wil97], i.e., over the signature with binary relation symbols $\le_1$ and $\le_2$ for the vertical and horizontal orderings) picture languages by REC, PT, SF, LOC, and FO($\le_1, \le_2$), respectively. We have the inclusion diagram presented in the following figure, where lines indicate proper inclusions and non-connected classes are incomparable for non-trivial alphabets.
[Figure: inclusion diagram with FO($\le_1, \le_2$) at the top, PT, SF and REC in the middle row, PT ∩ SF below PT and SF, and LOC at the bottom; the connecting lines are not recoverable from the extraction.]

(Simple proofs show that every starfree and every piecewise testable picture language is first-order definable. This implies e.g. FO($\le_1, \le_2$) $\not\subseteq$ REC, correcting a mistake in [Mat95]. The non-inclusion results REC $\not\subseteq$ FO($\le_1, \le_2$), FO($\le_1, \le_2$) $\not\subseteq$ PT, and SF $\not\subseteq$ PT carry over from the theory of formal word languages, because when restricted to pictures of height one, each of these classes equals the respective class of word languages.)

If we denote the classes of locally testable and locally threshold testable picture languages by LT and LTT, respectively, we have the following inclusion chain
  LOC $\subsetneq$ LT $\subsetneq$ LTT $\subsetneq$ FO($\le_1, \le_2$).
Here, the non-inclusions are again witnessed by the well-known examples from word language theory, and the last inclusion follows directly from the logical characterizations of Remark 2. Since REC is not closed under complement (as mentioned after Proposition 1) whereas the classes FO($\le_1, \le_2$), PT, and SF are, the class co-REC of complements of recognizable picture languages is incomparable to all of these classes, too.

Concluding, one could say that in the world of picture languages only trivial language class inclusions hold. (Unlike in the theory of word languages, where we have PT $\subsetneq$ SF = FO $\subsetneq$ REC.) Another justification for this statement is the fact that also the class of context-free picture languages (as defined in [Mat97]) is incomparable to every other class of picture languages mentioned here (including LOC).

One open question is: Is there a natural example of a non-recognizable picture language for which Lemma 3 fails to prove the non-recognizability? One candidate is the language of squares over $\{a,b\}$ that have as many $a$'s as $b$'s. It is easy to see that Lemma 3 cannot be used to show the non-recognizability of this example language; however, we conjecture that it is not recognizable.
References

[Bir96] Jean-Camille Birget. The state complexity of $\Sigma^* L$. Information Processing Letters, 58:185–188, 1996.
[GR96] D. Giammarresi and A. Restivo. Two-dimensional languages. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages, volume III. Springer-Verlag, New York, 1996.
[GRST96] D. Giammarresi, A. Restivo, S. Seibert, and W. Thomas. Monadic second-order logic and recognizability by tiling systems. Information and Computation, 125:32–45, 1996.
[GS96] Ian Glaister and Jeffrey Shallit. A lower bound technique for the size of nondeterministic finite automata. Information Processing Letters, 59:75–77, 1996.
[Mat95] Oliver Matz. Klassifizierung von Bildsprachen mit rationalen Ausdrücken, Grammatiken und Logik-Formeln. Diploma thesis, Christian-Albrechts-Universität Kiel, 1995. (In German.)
[Mat97] Oliver Matz. Regular expressions and context-free grammars for picture languages. In Rüdiger Reischuk, editor, STACS'97, volume 1200 of Lect. Notes Comput. Sci., pages 283–294, Lübeck, Germany, 1997. Springer-Verlag.
[MT97] Oliver Matz and Wolfgang Thomas. The monadic quantifier alternation hierarchy over graphs is infinite. In Twelfth Annual IEEE Symposium on Logic in Computer Science, pages 236–244, Warsaw, Poland, 1997. IEEE.
[Wil97] Thomas Wilke. Star-free picture expressions are strictly weaker than first-order logic. In Pierpaolo Degano, Roberto Gorrieri, and Alberto Marchetti-Spaccamela, editors, Automata, Languages and Programming, volume 1256 of Lect. Notes Comput. Sci., pages 347–357, Bologna, Italy, 1997. Springer.
Functor categories and two-level languages
E. Moggi DISI - Univ. di Genova, via Dodecaneso 35, 16146 Genova, Italy phone: +39 10 353-6629, fax: +39 10 353-6699, email: [email protected]
Abstract. We propose a denotational semantics for the two-level language of [GJ91, Gom92], and prove its correctness w.r.t. a standard denotational semantics. Other researchers (see [Gom91, GJ91, Gom92, JGS93, HM94]) have claimed correctness for lambda-mix (or extensions of it) based on denotational models, but the proofs of such claims rely on imprecise definitions and are basically flawed. At a technical level there are two important differences between our model and more naive models in Cpo: the domain for interpreting dynamic expressions is more abstract (we interpret code as $\lambda$-terms modulo $\alpha$-conversion), and the semantics of newname is handled differently (we exploit functor categories). The key idea is to interpret a two-level language in a suitable functor category $Cpo^{D^{op}}$ rather than in Cpo. The semantics of newname follows the ideas pioneered by Oles and Reynolds for modeling the stack discipline of Algol-like languages. Indeed, we can think of the objects of $D$ (i.e. the natural numbers) as the states of a name counter, which is incremented when entering the body of a $\lambda$-abstraction and decremented when coming out. Correctness is proved using Kripke logical relations (see [MM91, NN92]).
Introduction

Two-level languages are an important tool for analyzing programs. In the context of partial evaluation they are used to identify those parts of the program that can be reduced statically, and those that have to be evaluated dynamically. We take as representative of these two-level languages that described in [GJ91], which we call PCF2, since it can be considered as the "PCF of two-level languages". The main aims of this paper are: to point out the flaws in the semantics and correctness proof given in [Gom92], and to propose an alternative semantics for which one can prove correctness.

The interpretation of dynamic $\lambda$-abstraction given in [GJ91, Gom92] uses a newname construct "informally". Indeed, Gomard and Jones warn that "the generation of new variable names relies on a side-effect on a global state (a name counter). In principle this could have been avoided by adding an extra parameter to the semantic function, but for the sake of notational simplicity we use a less formal solution". Because of this informality, [GJ91, Gom92] are able to use a simplified semantic domain for dynamic expressions, but have to hand wave when it comes to the clause for dynamic $\lambda$-abstraction. This informality is maintained also in the correctness proof of [Gom92]. It is possible to fix the informal semantics using a name-counter (as suggested by Gomard and Jones), but then it is unclear how to fix the correctness proof. In fact, several experts were unable to propose a patch. Lack of precision in the definition of denotational semantics and consequent flaws in correctness proofs are not confined to [Gom92]; indeed
  – Chapter 4 of [Gom91] and Chapter 8 of [JGS93] contain the same definitions, results and proofs,
  – [GJ91] quotes the same definitions and results (but without proofs),
  – while [HM94] adapts Gomard's technique to establish correctness for a polymorphic binding-time analysis (and introduces further flaws in the denotational semantics).

The specific model we propose is based on a functor category. In denotational semantics functor categories have been advocated by [Ole85] to model Algol-like languages, and more generally they have been used to model locality and dynamic creation (see [OT92, PS93, FMS96]). For this kind of modeling they outperform the more traditional category Cpo of cpos (i.e. posets with lubs of $\omega$-chains and $\omega$-continuous maps). Therefore, they are a natural candidate for modeling the newname construct of [GJ91]. In the proposed functor category model the domain of residual programs is a bit more abstract than expected, namely $\alpha$-convertible programs are identified. This identification is necessary for defining the category $D$ of dynamic expressions, but it seems also a desirable abstraction. Functor categories are definitely more complex than Cpo, but one can avoid most of the complexities by working in a metalanguage (with computational types). Indeed, it is only in a few critical places where it is important to know which category (and which monad) is used. The graduate textbook [Ten91] gives the necessary background on functor categories for denotational semantics to understand our functor category model. In Cpo models the renaming of bound dynamic variables (used in the interpretation of dynamic $\lambda$-abstraction) is modeled via a side-effect monad with a name-counter as state; on the contrary, in the functor category model renaming is handled by the functor category itself (while non-termination at specialization-time is modeled by the lifting monad).

The paper is organized as follows: Section 1 recalls the two-level language of [GJ91, Gom92], which we call PCF2; Section 2 describes a general way of interpreting PCF2 via translation into a metalanguage with computational types, and explains what is wrong with previously proposed semantics of PCF2; Section 3 describes our functor category model for PCF2 and proves correctness; Section 4 makes a comparison of the semantics.
Acknowledgments. I wish to thank Olivier Danvy and Neil Jones for e-mail discussions, which were very valuable to clarify the intended semantics in [GJ91, Gom92], and to identify the critical problem in the correctness proof. Neil Jones has kindly provided useful bibliographic references and made available relevant internal reports. We have used Paul Taylor's package for commutative diagrams.
1 The two-level language of Gomard and Jones

In this section we recall the main definitions in [GJ91, Gom92], namely: the untyped object language $\Lambda_o$ and its semantics, the two-level language PCF2 and its semantics (including the problematic clause for $\underline{\lambda}$). Both semantics are given via a translation into a metalanguage with computational types (see [Mog91, Mog97b]). In the case of $\Lambda_o$ the monad corresponds to dynamic computations, while in the case of PCF2 it corresponds to static computations.
1.1 The untyped object language

The object language $\Lambda_o$ is an untyped $\lambda$-calculus with a set of ground constants $c$ (which includes the truth values):
  $M ::= x \mid \lambda x.M \mid M_1 @ M_2 \mid fix\ M \mid if\ M_1\ M_2\ M_3 \mid c$
There is a canonical CBN interpretation of $\Lambda_o$ in $D = (const + (D \to D))_\bot$, where $const$ is the flat cpo of ground constants (ordered by equality). This interpretation can be described via a CBN translation $^n$ into a suitable metalanguage with computational types, such that a $\Lambda_o$-term $M$ is translated into a meta-term $M^n$ of type $TV$ with $V = const + (TV \to TV)$, or more precisely $\bar{x} : TV \vdash_{ML} M^n : TV$ when $M$ is a $\Lambda_o$-term with free variables included in the sequence $\bar{x}$:
  – $x^n = x$
  – $c^n = [inl(c)]$
  – $(\lambda x.M)^n = [inr(\lambda x : TV.\ M^n)]$
  – $(M_1 @ M_2)^n = let\ u \Leftarrow M_1^n\ in\ case\ u\ of\ inr(f) \Rightarrow f(M_2^n) \mid \_ \Rightarrow \bot$, where $\bot : TV$ is the least element of $TV$
  – $(if\ M\ M_1\ M_2)^n = let\ u \Leftarrow M^n\ in\ case\ u\ of\ inl(true) \Rightarrow M_1^n \mid inl(false) \Rightarrow M_2^n \mid \_ \Rightarrow \bot$
  – $(fix\ M)^n = let\ u \Leftarrow M^n\ in\ case\ u\ of\ inr(f) \Rightarrow Y(f) \mid \_ \Rightarrow \bot$, where $Y : (TV \to TV) \to TV$ is the least fixed-point operator on $TV$

Note 1. $T$ can be any strong monad on Cpo such that: (i) each $TX$ has a bottom element $\bot$; (ii) $let\ x \Leftarrow \bot\ in\ e = \bot$, i.e. $\bot$ is preserved by the map $TX \to TY$ induced by any $f : X \to TY$. With these properties one can interpret recursive definitions of programs and solve domain equations involving $T$. The interpretation by Gomard amounts to taking $TX = X_\bot$ and $D = TV$.
1.2 The two-level language PCF2

The two-level language PCF2 can be described as a simply typed $\lambda$-calculus over the base types $base$ and $code$ with additional operations. The raw syntax of PCF2 is given by
  – types $\tau ::= base \mid code \mid \tau_1 \to \tau_2$
  – terms $e ::= x \mid \lambda x : \tau.\ e \mid e_1 @ e_2 \mid fix\ e \mid if\ e_1\ e_2\ e_3 \mid c \mid lift\ e \mid \underline{\lambda} x.\ e \mid e_1\ \underline{@}\ e_2 \mid \underline{fix}\ e \mid \underline{if}\ e_1\ e_2\ e_3 \mid \underline{c}$
The well-formed terms of PCF2 are determined by assigning types to constants:
  – $fix : (\tau \to \tau) \to \tau$
  – $if : base, \tau, \tau \to \tau$
  – $c : base$
  – $lift : base \to code$
  – $\underline{\lambda} : (code \to code) \to code$; following Church we have taken $\underline{\lambda}$ to be a higher-order constant rather than a binder (all the binding is done by $\lambda$). The two presentations are equivalent: the term $\underline{\lambda} x.\ e$ of [GJ91] can be replaced by $\underline{\lambda}(\lambda x : code.\ e)$, while the constant $\underline{\lambda}$ can be defined as $\lambda f : code \to code.\ \underline{\lambda} x.\ f @ x$.
  – $\underline{@} : code, code \to code$
  – $\underline{fix} : code \to code$
  – $\underline{if} : code, code, code \to code$
  – $\underline{c} : code$

Remark. The language PCF2 corresponds to the well-annotated expressions of Gomard and Jones. For two-level languages with dynamic type constructors (e.g. that in [HM94]) it is necessary to distinguish between static and dynamic types. In PCF2 the only dynamic type is $code$, and there is no need to make this explicit.
2 Models of PCF2 in Cpo

The interpretation of PCF2 is described by a translation $^s$ into a suitable metalanguage with computational types, such that $x_1 : \tau_1^s, \dots, x_n : \tau_n^s \vdash_{ML} e^s : \tau^s$ when $x_1 : \tau_1, \dots, x_n : \tau_n \vdash_{PCF2} e : \tau$. The translation highlights that static computations take place only at ground types (just like in PCF and Algol).
  – $base^s = T(const)$, where $const$ is the flat cpo of ground constants
  – $code^s = T(exp)$, where $exp$ is the flat cpo of open $\Lambda_o$-terms with (free and bound) variables included in $var = \{x_n \mid n \in \mathbb{N}\}$. When translating terms of PCF2 we make use of the following expression-building operations:
    $build\_const : const \to exp$ is the inclusion of ground constants into terms;
    $build\_var : var \to exp$ is the inclusion of variables into terms;
    $build\_@ : exp, exp \to exp$ is the function $M_1, M_2 \mapsto M_1 @ M_2$ which builds an application. There are similar definitions for $build\_fix$ and $build\_if$;
    $build\_\lambda : var, exp \to exp$ is the function $x, M \mapsto \lambda x.M$ which builds a $\lambda$-abstraction.
  – $(\tau_1 \to \tau_2)^s = \tau_1^s \to \tau_2^s$
  – $x^s = x$
  – $c^s = [c]$
  – $(\lambda x : \tau.\ e)^s = \lambda x : \tau^s.\ e^s$
  – $(e_1 @ e_2)^s = e_1^s @ e_2^s$
  – $(if\ e\ e_1\ e_2)^s = let\ u \Leftarrow e^s\ in\ case\ u\ of\ true \Rightarrow e_1^s \mid false \Rightarrow e_2^s \mid \_ \Rightarrow \bot$, where $\bot$ is the least element of $\tau^s$
  – $(fix\ e)^s = Y(e^s)$, where $Y$ is the least fixed-point operator on $\tau^s$
  – $(lift\ e)^s = let\ x \Leftarrow e^s\ in\ [build\_const(x)]$
  – $\underline{c}^s = [build\_const(c)]$
  – $(\underline{op}\ e)^s = let\ M \Leftarrow e^s\ in\ [build\_op\ M]$, where $op \in \{fix, @, if\}$
  – $(\underline{\lambda}\ e)^s = let\ x \Leftarrow newname\ in\ let\ M \Leftarrow e^s([build\_var(x)])\ in\ [build\_\lambda(x, M)]$, where $newname : T(var)$ generates a fresh variable of the object language.
The monad $T$ for static computations should satisfy the same additional properties stated in Note 1.

Remark. In the above interpretation/translation the meaning of $newname$ (and $\underline{\lambda}$) is not fully defined; indeed one should first fix the interpretation of the computational types $TX$. The interpretation of [GJ91, Gom92] uses simplified semantic domains (which amount to using the lifting monad $TX = X_\bot$), but with these domains there is no way of interpreting $newname$ (consistently with the informal description). Therefore, most of the stated results and proofs are inherently faulty. Gomard and Jones are aware of the problem and say that "the generation of new variables names relies on a side effect on a global state (a name-counter) ... but for the sake of notational simplicity we have used a less formal solution". Their proposed solution amounts to using a side-effect monad $TX = ((X \times N)_\bot)^N$, and to interpreting $newname : T(var)$ as $newname = \lambda n : N.\ up(\langle x_n, n+1 \rangle)$, where $up_X : X \to X_\bot$ is the inclusion of $X$ into its lifting. A simpler solution, suggested by Olivier Danvy, uses a state-reader monad $TX = (X_\bot)^N$. In this case one can interpret the operation $newname'_X : (TX)^{var} \to TX$ as $newname'_X(f) = \lambda n : N.\ f(x_n)(n+1)$, and use it for translating $\underline{\lambda}$:
  – $(\underline{\lambda}\ e)^s = newname'_{exp}(\lambda x : var.\ let\ M \Leftarrow e^s([build\_var(x)])\ in\ [build\_\lambda(x, M)])$.
The only place where a name-counter is really needed is for generating code, so we could use the simpler translation $base^s = const_\bot$ and $code^s = T(exp)$. This is similar to what happens in Algol, where expressions cannot have side-effects, while commands can.
2.1 Correctness: attempts and failures

Informally speaking, correctness for PCF2 should say that for any $\emptyset \vdash_{PCF2} e : code$, if the static evaluation of $e$ terminates and produces a $\Lambda_o$-term $M : exp$, then the $\Lambda_o$-terms $M$ and $e^*$ are equivalent, where $^*$ is the translation from PCF2 to $\Lambda_o$ erasing types and annotations. In fact, this is an over-simplified statement, since one wants to consider PCF2-terms $\bar{x} : code \vdash_{PCF2} e : code$ with free dynamic variables. In a denotational setting one could prove correctness by defining a logical relation (see [MW85, Mit96]) between two interpretations of PCF2:

[Diagram: PCF2 is translated by $^*$ into $\Lambda_o$ and by $^s$ into the metalanguage $ML_T$; $\Lambda_o$ is interpreted in Cpo by $I_o$ and $ML_T$ by $I$; the logical relation $R$ relates the two resulting interpretations of PCF2 in Cpo.]

The parameterized logical relation $R^\tau_\rho \subseteq [\![\tau^s]\!] \times D$, where $\rho : var \to D$, proposed by [Gom92] is defined as follows:
  – $\bot\ R^{base}_\rho\ d$, and $up(b)\ R^{base}_\rho\ d \iff d = up(in\ b)$
  – $\bot\ R^{code}_\rho\ d$, and $up(M)\ R^{code}_\rho\ d \iff d = [\![M]\!]_o\rho$
  – $f\ R^{\tau_1 \to \tau_2}_\rho\ d \iff \forall x, y.\ x\ R^{\tau_1}_\rho\ y \Rightarrow (f @ x)\ R^{\tau_2}_\rho\ (d\ @_o\ y)$; this is the standard way of defining a logical relation between typed applicative structures at higher types.
Gomard interprets types according to the informal semantics, i.e. $[\![base^s]\!] = const_\bot$ and $[\![code^s]\!] = exp_\bot$. According to the fundamental lemma of logical relations, if the two interpretations of each operation/constant of PCF2 are logically related, then the two interpretations of each PCF2-term are logically related. It is easy to do this check for all operations/constants except $\underline{\lambda}$. In the case of $\underline{\lambda}$ one can only hand wave, since the interpretation is informally given. Therefore, Gomard concludes that he has proved correctness.

Remark. Gomard does not mention logical relations explicitly. However, his definition of $R$ is given by induction on the structure of PCF2-types, while correctness is proved by induction on the structure of PCF2-terms $\Gamma \vdash_{PCF2} e : \tau$. This is typical of logical relations.

In order to patch the proof one would have to change the definition of $R^{code}$, since in the intended semantics $[\![code^s]\!] = (exp_\bot)^N$ or $((exp \times N)_\bot)^N$, and check the case of $\underline{\lambda}$ (which now has an interpretation). We doubt that this can be done, for the following reasons (for simplicity we take $[\![code^s]\!] = (exp_\bot)^N$):
  – The interpretation of $\underline{\lambda}$ may capture variables that ought to remain free. For instance, consider the interpretation of $x : code \vdash_{PCF2} \underline{\lambda} y.\ x : code$, which is a function $f : (exp_\bot)^N \to (exp_\bot)^N$, and the element $[M] = \lambda n.\ up(M)$ of $(exp_\bot)^N$; then $f([M]) = \lambda n.\ up(\lambda x_n.\ M)$ (here there is some overloading in the use of $\lambda$, since $\lambda n$ is a semantic lambda while $\lambda x_n$ is syntactic). Depending on the choice of $n$ we may bind a variable free in $M$; therefore the semantics of $\underline{\lambda}$ fails to ensure freshness of $x_n$.
  – The semantic domain $(exp_\bot)^N$ has junk elements in comparison to $exp_\bot$, and so there are several ways of defining $u\ R^{code}_\rho\ d$, e.g.
    $\forall n : N.\ \forall M : exp.\ u(n) = up(M) \Rightarrow [\![M]\!]_o\rho = d$,
    $\exists n : N.\ \forall M : exp.\ u(n) = up(M) \Rightarrow [\![M]\!]_o\rho = d$,
    $\exists M : exp.\ \forall n : N.\ u(n) = up(M) \wedge [\![M]\!]_o\rho = d$,
  but none of them works (nor is more canonical than the others).
If there is a way to prove correctness using (Kripke) logical relations, it is likely to involve something more subtle than parameterization by $\rho : var \to D$.
3 A functor category model of PCF2

In this section we define a categorical model of PCF2 in a Cpo-enriched functor category $\hat{D} = Cpo^{D^{op}}$, where $D$ is a syntactic category corresponding to $\Lambda_o$, and the objects of $D$ can be viewed as states of a name-counter. The main property of this model is that the hom-set $\hat{D}(exp^n, exp)$ is isomorphic to the set of $\Lambda_o$-terms modulo $\alpha$-conversion whose free variables are included in $\{x_0, \dots, x_{n-1}\}$.

3.1 The dynamic category

We define $D$ like the category associated to an algebraic theory (as proposed by Lawvere in [Law63]), i.e.:
  – an object of $D$ is a natural number; we identify a natural number $n$ with the set $\{0, \dots, n-1\}$ of its predecessors;
  – an arrow from $m$ to $n$, which we call a substitution, is a function $\sigma : n \to \Lambda(m)$, where $\Lambda(m)$ is the set of $\Lambda_o$-terms modulo $\alpha$-conversion with free variables included in $\{x_0, \dots, x_{m-1}\}$; thus $D(m,n) = \Lambda(m)^n$;
  – composition is given by composition of substitutions with renaming of bound variables (which is known to respect $\alpha$-conversion). Namely, for $\sigma_1 : m \to n$ and $\sigma_2 : n \to p$ the substitution $(\sigma_2 \circ \sigma_1) : m \to p$ is given by $(\sigma_2 \circ \sigma_1)(i) = N_i[\sigma_1]$, where $i \in p$, $N_i = \sigma_2(i) \in \Lambda(n)$, and $N_i[\sigma_1] \in \Lambda(m)$ is the result of applying in parallel to $N_i$ the substitutions $x_j := M_j$ with $M_j = \sigma_1(j)$ for $j \in n$. Identities are given by the identity substitutions $id : n \to \Lambda(n)$.
It is easy to see that $D$ has finite products: the terminal object is $0$, and the product of $m$ with $n$ is $m+n$. Therefore, the object $n$ is the product of $n$ copies of the object $1$; moreover $D(m,1) = \Lambda(m)$.

Remark. We can provide an informal justification for the choice of $D$. The objects of $D$ correspond to the states of a name-counter: state $m$ means that $m$ names, say $x_0, \dots, x_{m-1}$, have been created so far. For the choice of morphisms the justification is more technical: it is almost forced when one wants $\hat{D}(exp^m, exp)$ to be isomorphic to the set of $\Lambda_o$-terms whose free variables are included in $\{x_0, \dots, x_{m-1}\}$. In fact, the natural way of interpreting $exp$ in $\hat{D}$ is with a functor such that $exp(m)$ = the set of $\Lambda_o$-terms with free names among those available at state $m$. If we require $exp = Y(1)$, i.e. the image of $1 \in D$ via the Yoneda embedding, and $m$ to be the product in $D$ of $m$ copies of $1$, then we have $\hat{D}(exp^m, exp) = \hat{D}(Y(1)^m, Y(1)) = \hat{D}(Y(m), Y(1)) = D(m,1) = exp(m)$. Therefore, we can conclude that $D(m,n) = exp(m)^n$. Moreover, to define composition in $D$ we are forced to take $\Lambda_o$-terms modulo $\alpha$-conversion.
3.2 The static category

We define $\hat{D}$ as the functor category $Cpo^{D^{op}}$, which is a variant of the more familiar topos of presheaves $Set^{D^{op}}$. Categories of the form $\hat{W} = Cpo^{W^{op}}$ (where $W$ is a small category) have been used in [Ole85] for modeling local variables in Algol-like languages. $\hat{W}$ enjoys the following properties:
  – it has small limits and colimits (computed pointwise), and exponentials;
  – it is Cpo-enriched, thus one can interpret fixed-point combinators and solve recursive domain equations by analogy with Cpo;
  – there is a full and faithful embedding $Y : W \to \hat{W}$, which preserves limits and exponentials. This is basically the Yoneda embedding $Y(w) = W(\_, w)$;
  – the functor $\Delta : Cpo \to \hat{W}$ such that $(\Delta X)(\_) = X$ has left and right adjoints.
Since $D$ has a terminal object, $\Delta : Cpo \to \hat{D}$ is full and faithful, and its right adjoint is the global sections functor $\Gamma : \hat{D} \to Cpo$ such that $\Gamma F = \hat{D}(1, F) = F(0)$. A description of several constructions in $\hat{W}$ relevant for denotational semantics can be found in [Ten91]. Here we recall only the definition of exponentials.

Definition 2. The exponential object $G^F$ in $\hat{W}$ is the functor such that
  – $G^F(w)$ is the cpo of families $s \in \prod_{f : w' \to w} Cpo(Fw', Gw')$, ordered pointwise and satisfying the compatibility condition: for every $g : w'' \to w'$ in $W$, the square $s_{f \circ g} \circ Fg = Gg \circ s_f$ commutes in Cpo (i.e. $Fw' \xrightarrow{s_f} Gw'$ followed by $Gg$ equals $Fg$ followed by $Fw'' \xrightarrow{s_{f \circ g}} Gw''$);
  – $(G^F f\ s)_g = s_{f \circ g}$ for any $w'' \xrightarrow{g} w' \xrightarrow{f} w$ in $W$.

We recall also the notion of $\omega$-inductive relation in a Cpo-enriched functor category $\hat{W}$, which is used in the correctness proof.

Definition 3. Given an object $X \in \hat{W}$, a (unary) $\omega$-inductive relation $R \subseteq X$ in $\hat{W}$ consists of a family $\langle R_w \subseteq Xw \mid w \in W \rangle$ of $\omega$-inductive relations in Cpo satisfying the monotonicity condition:
  – $f : w' \to w$ in $W$ and $x \in R_w \subseteq Xw$ implies $Xf\ x \in R_{w'} \subseteq Xw'$.
3.3 Interpretation of PCF2

By analogy with Section 1, we parameterize the interpretation of PCF2 in $\hat{D}$ w.r.t. a strong monad $T$ on Cpo satisfying the additional properties stated in Note 1. Any such $T$ induces a strong monad $T^{D^{op}}$ on $\hat{D}$ satisfying the same additional properties. With some abuse of language we write $T$ for its pointwise extension $(T^{D^{op}} F)(m) = T(F(m))$. In the proof of correctness we take $TX = X_\bot$, since the monad has to account only for the possibility of non-termination at specialization-time, while the interpretation of $\underline{\lambda}$ exploits only the functor category structure (and not the monad, as done for the interpretations in Cpo). Also in this case the interpretation of PCF2 can be described by a standard translation $^s$ into a suitable metalanguage with computational types (which play only a minor role). The key differences w.r.t. the interpretation/translation of Section 2 are: the interpretation of $exp$ (which is not the image of a cpo via the functor $\Delta$), and the expression-building operation $build\_\lambda$ (which has type $(exp \to exp) \to exp$, as expected in a higher-order syntax encoding of $\Lambda_o$).
  – $base^s = T(\Delta(const))$, where $const$ is the flat cpo of ground constants. Therefore, $base(n) = T(const)$ and so global elements of $base$ correspond to elements of the cpo $T(const)$.
  – $code^s = T(exp)$, where $exp = Y(1)$, i.e. the image of $1 \in D$ via the Yoneda embedding $Y : D \to \hat{D}$. Therefore, $exp(n) = \Lambda(n)$ and $code(n) = T(\Lambda(n))$. It is also immediate to show that $\hat{D}(exp^n, exp)$ is isomorphic to $\Lambda(n)$:
    $\hat{D}(Y(1)^n, Y(1)) = \hat{D}(Y(n), Y(1))$ because $Y$ preserves finite products,
    $\hat{D}(Y(n), Y(1)) = D(n,1)$ because $Y$ is full and faithful,
    $D(n,1) = \Lambda(n)$ by definition of $D$.
When translating terms of PCF2 we make use of the following expression-building operations (which are interpreted by morphisms in $\hat{D}$, i.e. natural transformations):
    $build\_const : \Delta(const) \to exp$ such that $build\_const_n : const \to \Lambda(n)$ is the obvious inclusion of ground constants. Alternatively, one can define $build\_const$ via the isomorphism $\hat{D}(\Delta(const), exp) \cong Cpo(const, \Lambda(0))$ induced by the adjunction $\Delta \dashv \Gamma$.
    $build\_@ : exp, exp \to exp$ such that $build\_@_n : \Lambda(n), \Lambda(n) \to \Lambda(n)$ is the function $M_1, M_2 \mapsto M_1 @ M_2$ which builds an application. Alternatively, one can define $build\_@$ as the natural transformation corresponding to the term $x_0 @ x_1 \in \Lambda(2)$, via the isomorphism $\hat{D}(exp^2, exp) \cong \Lambda(2)$. There are similar definitions for $build\_fix$ and $build\_if$.
    $build\_\lambda : exp^{exp} \to exp$ is the trickiest part and is defined below.
  – the interpretation of static operations/constants is obvious; in particular we have least fixed-points because $\hat{D}$ is Cpo-enriched.
  – $(lift\ e)^s = let\ x \Leftarrow e^s\ in\ [build\_const(x)]$
  – $\underline{c}^s = [build\_const(c)]$
  – $(\underline{op}\ e)^s = let\ M \Leftarrow e^s\ in\ [build\_op\ M]$, where $op \in \{fix, @, if\}$
  – $\underline{\lambda} : code^{code} \to code$ is defined in terms of $build\_\lambda : exp^{exp} \to exp$ as explained below.
To define the components of the natural transformation $build\_\lambda : exp^{exp} \to exp$ we use the following fact, which is an easy consequence of Yoneda's lemma.

Lemma 4. For any $u \in W$ and $F \in \hat{W}$ there is a natural isomorphism between the functors $F^{Y(u)}$ and $F(\_ \times u)$.

By Lemma 4, $build\_\lambda$ amounts to a natural transformation from $D(\_ + 1, 1)$ to $D(\_, 1)$. We describe $build\_\lambda$ through a diagram:
  at stage $m$:   $M \in \Lambda(m+1) \ \xmapsto{build\_\lambda_m}\ (\lambda x_m.\ M) \in \Lambda(m)$
  at stage $n$:   $M[\sigma+1] \in \Lambda(n+1) \ \xmapsto{build\_\lambda_n}\ (\lambda x_m.\ M)[\sigma] \in \Lambda(n)$
where $\sigma : n \to m$ in $D$, the left vertical map $\Lambda(m+1) \to \Lambda(n+1)$ is $M \mapsto M[\sigma+1]$ and the right vertical map $\Lambda(m) \to \Lambda(n)$ is $N \mapsto N[\sigma]$ (both in Cpo). Observe that $D(\_, 1) = \Lambda(\_)$, the substitution $(\sigma+1) : m+1 \to \Lambda(n+1)$ is like $\sigma$ on $m$ and maps $m$ to $x_n$, while the commutativity of the diagram follows from $(\lambda x_n.\ M[\sigma+1]) \equiv (\lambda x_m.\ M)[\sigma]$.

To define $\underline{\lambda} : T(exp)^{T(exp)} \to T(exp)$ we need the following lemma.
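The following Python program is an added worked example, not code from the paper; it makes the category $D$ of Section 3.1 and the naturality square for $build\_\lambda$ executable, and also reproduces the variable-capture failure of the Cpo model from Section 2.1. Terms are named $\lambda$-terms over $x_0, x_1, \dots$ (a variable is just its index), $\alpha$-equivalence is decided by converting to de Bruijn form, and substitution is capture-avoiding, so that `alpha_eq` plays the role of equality in $\Lambda(m)$. An arrow $\sigma \in D(m,n) = \Lambda(m)^n$ is represented as a tuple of $n$ terms over $x_0, \dots, x_{m-1}$. The representation choices (always renaming the bound variable to a fresh index, `Var`/`App`/`Lam` constructors) are the author's own; the state-reader reading of $\underline{\lambda}$ in `cpo_dynamic_lambda` ignores $\bot$ and assumes a total code value, which is enough to exhibit the capture.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var:
    name: int            # the object variable x_name

@dataclass(frozen=True)
class App:
    fun: 'Term'
    arg: 'Term'

@dataclass(frozen=True)
class Lam:
    bound: int           # binds x_bound
    body: 'Term'

Term = Union[Var, App, Lam]

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.bound}

def debruijn(t, env=()):
    """Canonical form: bound occurrences become binder depths, free ones keep their index."""
    if isinstance(t, Var):
        return ('bound', env.index(t.name)) if t.name in env else ('free', t.name)
    if isinstance(t, App):
        return ('app', debruijn(t.fun, env), debruijn(t.arg, env))
    return ('lam', debruijn(t.body, (t.bound,) + env))

def alpha_eq(s, t):
    return debruijn(s) == debruijn(t)

def in_Lambda(t, m):
    """t ∈ Λ(m): free variables among x_0 .. x_{m-1}."""
    return all(v < m for v in free_vars(t))

def subst(t, sigma):
    """Parallel substitution t[x_j := sigma[j]] that never captures: every binder
    passed through is renamed to an index larger than anything in sight."""
    if isinstance(t, Var):
        return sigma.get(t.name, t)
    if isinstance(t, App):
        return App(subst(t.fun, sigma), subst(t.arg, sigma))
    inner = {k: v for k, v in sigma.items() if k != t.bound}
    used = free_vars(t.body) | set(inner) | set().union(*map(free_vars, inner.values()))
    fresh = max(used, default=-1) + 1
    inner[t.bound] = Var(fresh)
    return Lam(fresh, subst(t.body, inner))

# --- the category D: arrows σ ∈ D(m, n) are n-tuples of terms in Λ(m) ---------------
def identity(n):
    return tuple(Var(j) for j in range(n))

def compose(sigma2, sigma1):
    """σ2 ∘ σ1 for σ1 ∈ D(m,n), σ2 ∈ D(n,p): (σ2 ∘ σ1)(i) = σ2(i)[x_j := σ1(j)]."""
    return tuple(subst(N, dict(enumerate(sigma1))) for N in sigma2)

def arrows_eq(a, b):
    return len(a) == len(b) and all(alpha_eq(s, t) for s, t in zip(a, b))

# --- build_λ and its naturality square --------------------------------------------
def build_lam(m, M):
    """build_λ_m : Λ(m+1) → Λ(m), M ↦ λx_m.M (x_m is the newest name at stage m+1)."""
    assert in_Lambda(M, m + 1)
    return Lam(m, M)

def plus_one(sigma, n):
    """(σ+1) ∈ D(n+1, m+1) for σ ∈ D(n, m): like σ on m, and maps m to x_n."""
    return sigma + (Var(n),)

def naturality_holds(sigma, n, m, M):
    """Check (λx_n . M[σ+1]) ≡α (λx_m . M)[σ] for σ ∈ D(n,m) and M ∈ Λ(m+1)."""
    lhs = build_lam(n, subst(M, dict(enumerate(plus_one(sigma, n)))))
    rhs = subst(build_lam(m, M), dict(enumerate(sigma)))
    return alpha_eq(lhs, rhs)

# --- the capture problem of the Cpo model (Section 2.1) versus the stage-wise model --
def cpo_dynamic_lambda(u):
    """Reading of x:code ⊢ λ̲y.x with TX = (X_⊥)^N and newname'(f) = λn. f(x_n)(n+1):
    the result at counter n binds x_n around whatever u yields at n+1 (⊥ ignored)."""
    return lambda n: Lam(n, u(n + 1))

def capture_example():
    """Feed the constant code value [x_0]: at n = 0 the free x_0 is captured."""
    return cpo_dynamic_lambda(lambda n: Var(0))(0)

def staged_dynamic_lambda(m, M):
    """Stage-m component in D̂: M ∈ Λ(m) cannot mention x_m, so binding x_m is safe."""
    assert in_Lambda(M, m)
    return build_lam(m, M)
```

`capture_example()` returns $\lambda x_0.\ x_0$, a closed term, although the code value it was given mentioned a free $x_0$; `staged_dynamic_lambda(1, Var(0))` returns $\lambda x_1.\ x_0$ with $x_0$ still free, because at stage $1$ the only names in use are $x_0$ and the binder is forced to be the next one. The naturality check is the diagram of this section with the substitution on the right performed capture-avoidingly, which is exactly why $D$ has to be built from terms modulo $\alpha$-conversion.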
Lemma 5. For any functor $T : Cpo \to Cpo$, $u \in W$ and $F \in \hat{W}$ there is a natural isomorphism between the functors $(TF)^{Y(u)}$ and $T(F^{Y(u)})$.

Proof. For any $v \in W$ we give an isomorphism between $(TF)^{Y(u)}(v)$ and $T(F^{Y(u)})(v)$:
  $(TF)^{Y(u)}(v) \cong (TF)(u \times v)$ by Lemma 4
  $\ = T(F(u \times v))$ since $T$ is extended pointwise to $\hat{W}$
  $\ \cong T(F^{Y(u)}(v))$ by Lemma 4
  $\ = T(F^{Y(u)})(v)$ since $T$ is extended pointwise to $\hat{W}$.
It is immediate to see that this family of isomorphisms is natural in $v$.

By exploiting the isomorphism $i : T(exp)^{exp} \to T(exp^{exp})$ given by Lemma 5, one can define $\underline{\lambda} : T(exp)^{T(exp)} \to T(exp)$ in a metalanguage with computational types as
  $\underline{\lambda}(f) = let\ f' \Leftarrow i(\lambda x : exp.\ f([x]))\ in\ [build\_\lambda(f')]$.
Remark. The category Db has two full sub-categories D and Cpo, which have a natural interpretation: D corresponds to dynamic types, while Cpo corresponds to pure static types, i.e. those producing no residual code at specialization time (e.g. base). A key property of pure static expressions is that they cannot depend on dynamic expressions. Semantically this means that the canonical map (X) ! (X)Y (u) , i.e. x 7! y : Y (u):x, is an isomorphism. In fact, by Lemma 4 (X)Y (u) is naturally isomorphic to (X)( u), which is (X).
3.4 Correctness and logical relations
The semantics for the two-level language PCF2 was used in [GJ91, Gom92] to prove a correctness theorem for partial evaluation. The correctness theorem relates the interpretation I o of the object language o in Cpo to the interpretation I 2 of the two-level language PCF2 in Db. The first step is to define a translation from PCF2 to o, i.e. x : ⊢PCF2 e : implies x ⊢o e, which erases types and annotations, so (x : :e) = x:e, (op e) = op e, (op e) = op e and (lift e) = e. By composing the translation with the interpretation I o we get an interpretation I 1 of PCF2 in Cpo, where every type is interpreted by the cpo D = (const + (D → D))⊥. At this stage we can state two correctness criteria (the first being a special case of the second), which exploit in an essential way the functor category structure:
– Given a closed PCF2-expression ; ⊢ e : code, its I 2 interpretation is a global element d of exp⊥ ∈ Db, and therefore d0 ∈ (0)⊥. Correctness for e means: d0 = up(M) implies [[M]]o = [[e]]o ∈ D, for any M ∈ (0).
– Given an open PCF2-expression x : code ⊢ e : code where x = x0, …, xn−1, its I 2 interpretation is a morphism f : exp^n⊥ → exp⊥, and therefore fn : (n)^n⊥ → (n)⊥. Correctness for e means: fn(up(x0), …, up(xn−1)) = up(M) implies [[x ⊢ M]]o = [[x ⊢ e]]o : Dn → D, for any M ∈ (n).
The proof of correctness requires a stronger result, which amounts to proving that the two interpretations of PCF2 are logically related. However they live in different categories. Therefore, before one can relate them via a (Kripke) logical relation R between typed applicative structures (see [MM91]), they have to be moved (via limit preserving functors) to a common category Ê.
[diagram: I 1 : PCF2 → Cpo and I 2 : PCF2 → Db are moved into the common category Ê and related there by R]
– E is the category whose objects are pairs ⟨m ∈ D; ∈ Dm⟩, while morphisms from ⟨m; ⟩ → ⟨n; ′⟩ are those : m → n in D s.t. ′ = [[ ]]
– : E → D is the obvious projection functor ⟨m; ⟩ ↦ m.
The Kripke logical relation R is a family of ω-inductive relations (see Definition 3) R in Ê defined by induction on the structure of types in PCF2:
– base: Rbase⟨m;⟩ const⊥ D s.t. ⊥ R⟨m;⟩ d and up(c) R⟨m;⟩ d ⟺ d = up(inl c)
– code: Rcode⟨m;⟩ (m)⊥ D s.t. ⊥ R⟨m;⟩ d and up(M) R⟨m;⟩ d ⟺ d = [[M]]
We must check that Rcode satisfies the monotonicity property of a Kripke logical relation, i.e. : ⟨m; ⟩ → ⟨n; ′⟩ in E and up(M) Rcode⟨n;′⟩ d implies up(M[]) Rcode⟨m;⟩ d. This follows from ′ = [[ ]], i.e. from the definition of morphism in E, and [[M[]]] = [[M]][[ ]], i.e. the substitution lemma for the interpretation of o. More diagrammatically this means
[diagram: the square in E over D, with ⟨m; ⟩ → ⟨n; ′⟩ above m → n, and the corresponding relation instances up(M[]) Rcode⟨m;⟩ [[M[]]] and up(M) Rcode⟨n;′⟩ [[M]] = d]
The family R on functional types is defined (in the internal language) in the standard way, i.e. f R1→2 g ⟺ ∀x, y. x R1 y  f@2 x R2 g@1 y, where @i is the binary application of the applicative structure used for the interpretation I i. The definition of the Kripke logical relation at types base and code says that partial evaluation is only partially correct, namely if it terminates it gives the expected result. By the fundamental lemma of logical relations, to prove that the interpretations I 1 and I 2 of PCF2 are logically related it suffices to show that the interpretations of all higher-order constants (besides @ and ) are logically related. This is a fairly straightforward check, therefore we consider only a few cases, including the critical one of dynamic -abstraction.
@: Since @2 is strict, we need to prove only that up(Mi) R⟨m;⟩ di (for i = 1, 2) implies up(M1)@2 up(M2) = up(M1@M2) R⟨m;⟩ d1@1 d2. By definition of R at type code, we have to prove that [[M1@M2]] = d1@1 d2: [[Mi]] = di, because up(Mi) R⟨m;⟩ di; [[M1@M2]] = @1([[M1]], [[M2]]), by definition of I 1; therefore [[M1@M2]] = d1@1 d2.
fix: We need to prove that f R→ g implies (⊔i xi) R (⊔i yi), where x0 = y0 = ⊥ and xi+1 = f@2 xi and yi+1 = g@1 yi. This follows immediately from ω-inductivity of R, i.e. ⊥ R ⊥ and (⊔i xi) R (⊔i yi) when xi∈ω and yi∈ω are ω-chains and ∀i. xi R yi. ω-inductivity of R can be proved by a straightforward induction on the type.
The case of : (code → code) → code is the most delicate one. Suppose that f Rcode→code⟨m;⟩ g; we have to prove that m(f) Rcode⟨m;⟩ up(inr(d : D. g@1 d)). For this we need an explicit description of m(f) ∈ (m)⊥: m(f) = ⊥ when f:m+1→m(up xm) = ⊥, where : m + 1 → m is the first projection in D and we exploit the definition of exponentials in Db; m(f) = up(xm :M) when up(M) = f:m+1→m(up xm) ∈ (m + 1)⊥. We can ignore the first case, since when m(f) = ⊥ there is nothing to prove. In the second case, we have to prove that [[xm :M]] = up(inr(d : D. g@1 d)), i.e. [[M]][m↦d] = g@1 d for any d ∈ D:
– up(xm) Rcode⟨m+1;[m↦d]⟩ d, by definition of R
– up(M) = f:m+1→m(up xm) Rcode⟨m+1;[m↦d]⟩ g@1 d, because f Rcode→code⟨m;⟩ g
– [[M]][m↦d] = g@1 d, by definition of R.
4 Comparisons
In this section we make a comparative analysis of the interpretations of PCF2 in Cpo and Db. In fact, to highlight more clearly the differences in the interpretations of code and dynamic -abstraction (and ignore orthogonal issues), it is better to work in a simplified setting, where
– o is the pure untyped -calculus;
– PCF2 is the simply typed -calculus with atomic type code, and additional operations @ : code; code → code and : (code → code) → code.
With this simplification one can ask for total correctness of the interpretation of PCF2 w.r.t. an interpretation of o in Cpo (say in the standard model D = (D → D)⊥ for the lazy -calculus). Moreover, the interpretation of PCF2 without fix can be given in Set or Set^Dop, where the syntactic category D has to be changed to reflect the simplifications in o. The following table summarizes the key differences between the original interpretation proposed by Gomard (Gomard's naive), its patching (Gomard's patched) and the interpretation in Db (functor category).

Semantics          | Gomard's patched    | Gomard's naive  | functor category
category           | Set                 | Set             | Set^Dop
[[code]]           | exp^N               | exp             | (n) at stage n
[[code → code]]    | (exp^N)^(exp^N)     | exp^exp         | (n + 1) at stage n
[[ ]]              | use counter         | not defined     | use functor category
Rcode              | not defined         | R:N→D           | Rn:N;:n→D
correctness proof  | not stated          | not meaningful  | by Kripke log. rel.

Here exp is the set of -terms with variables in N, (n) is the set of -terms modulo -conversion with free variables in n, and D ∈ Cpo is a domain for interpreting the lazy -calculus, i.e. D = (D → D)⊥. When describing the functor in Db interpreting a certain type of PCF2, we have given only its action on objects. The comparison shows that:
– The functor category interpretation is very similar to Gomard's naive interpretation, when it comes to the definition of [[code]] and Rcode, though more care is taken in spelling out what object variables may occur free in an object expression.
– The advantage of working in a functor category becomes apparent in the interpretation of code → code; this explains also why the functor category can handle the interpretation of .
– Gomard's patched has strong similarities with the simple-minded semantics in Cpo for modeling local variables in Algol-like languages. In fact, Gomard's patched semantics parameterizes the meaning of expressions, but not that of types, w.r.t. the number of names generated so far.
Conclusions and future work
The first part of the paper recalls the main definitions and results in [Gom92], points out the problems with the published interpretation of the two-level language PCF2, and presents possible ways of fixing the interpretation (these were proposed by Olivier Danvy, Fritz Henglein and Neil Jones during several e-mail exchanges) along the lines hinted by Gomard. After fixing the interpretation of PCF2, there are however problems in fixing the correctness proof in [Gom92]. In the second part of the paper we propose an alternative semantics, and prove correctness for it. We have also cast doubts on the possibility of giving an interpretation of PCF2 in Cpo and proving its correctness w.r.t. the standard interpretation of o using a logical relation. An alternative approach to correctness is proposed in [Wan93]. This avoids any explicit use of operational or denotational semantics; instead he proves correctness modulo -conversion. Wand uses logical relations, and represents dynamic expressions using higher-order abstract syntax (while [Gom92] uses concrete syntax, and can distinguish -convertible expressions). Similar problems to those pointed out in Section 2 are present in other correctness proofs (e.g. [HM94]), which adapt Gomard's approach to more complex two-level languages. We would like to test whether the functor category approach scales up to these languages.
References
[FMS96] M. Fiore, E. Moggi, and D. Sangiorgi. A fully-abstract model for the pi-calculus. In 11th LICS Conference. IEEE, 1996.
[GJ91] K. Gomard and N. Jones. A partial evaluator for the untyped lambda calculus. J. of Func. Program., 1(1), 1991.
[Gom91] Carsten Krogh Gomard. Program Analysis Matters. PhD thesis, DIKU, November 1991. DIKU report 91/17.
[Gom92] K. Gomard. A self-applicable partial evaluator for the lambda calculus. ACM Trans. on Progr. Lang. and Systems, 14(2), 1992.
[HM94] F. Henglein and C. Mossin. Polymorphic binding-time analysis. In D. Sanella, editor, ESOP'94, volume 788 of LNCS. Springer Verlag, 1994.
[JGS93] Neil D. Jones, Carsten K. Gomard, and Peter Sestoft. Partial Evaluation and Automatic Program Generation. Prentice Hall International, 1993.
[Law63] F.W. Lawvere. Functorial semantics of algebraic theories. Proc. Nat. Acad. Sci. U.S.A., 50, 1963.
[Mit96] John C. Mitchell. Foundations of Programming Languages. The MIT Press, Cambridge, MA, 1996.
[MM91] J. Mitchell and E. Moggi. Kripke-style models for typed lambda calculus. Journal of Pure and Applied Algebra, 51, 1991.
[Mog91] E. Moggi. Notions of computation and monads. Information and Computation, 93(1), 1991.
[Mog97a] E. Moggi. A categorical account of two-level languages. In MFPS XIII, ENTCS. Elsevier, 1997.
[Mog97b] E. Moggi. Metalanguages and applications. In Semantics and Logics of Computation, Publications of the Newton Institute. CUP, 1997.
[MW85] A. Meyer and M. Wand. Continuation semantics in typed lambda calculus. In R. Parikh, editor, Logics of Programs '85, volume 193 of LNCS. Springer Verlag, 1985.
[NN92] F. Nielson and H.R. Nielson. Two-Level Functional Languages. Number 34 in Cambridge Tracts in Theoretical Computer Science. CUP, 1992.
[Ole85] F.J. Oles. Type algebras, functor categories and block structure. In M. Nivat and J.C. Reynolds, editors, Algebraic Methods in Semantics, 1985.
[OT92] P.W. O'Hearn and R.D. Tennent. Semantics of local variables. In Applications of Categories in Computer Science, number 177 in L.M.S. Lecture Notes Series. CUP, 1992.
[PS93] A.M. Pitts and I.D.B. Stark. Observable properties of higher order functions that dynamically create local names, or: What's new? In Math. Found. of Comp. Sci. '93, volume 711 of LNCS. Springer Verlag, 1993.
[Ten91] R.D. Tennent. Semantics of Programming Languages. Prentice Hall, 1991.
[Wan93] Mitchell Wand. Specifying the correctness of binding-time analysis. Journal of Functional Programming, 3(3):365–387, July 1993.
Deciding Properties for Message Sequence Charts
Anca Muscholl (1), Doron Peled (2), and Zhendong Su (3)
(1) Institut für Informatik, Universität Stuttgart, Breitwiesenstr. 20-22, 70565 Stuttgart, Germany
(2) Bell Laboratories, Lucent Technologies, 600 Mountain Av., Murray Hill, NJ 07974, and Carnegie Mellon University, School of Computer Science, Pittsburgh, PA, 15213-3891, USA
(3) EECS Department, University of California, Berkeley, CA 94710-1776, USA
Abstract. Message sequence charts (MSC) are commonly used in designing communication systems. They allow describing the communication skeleton of a system and can be used for finding design errors. First, a specification formalism that is based on MSC graphs, combining finite message sequence charts, is presented. We then present an automatic validation algorithm for systems described using the message sequence charts notation. The validation problem is tightly related to a natural language-theoretic problem over semi-traces (a generalization of Mazurkiewicz traces, which represent partially ordered executions). We show that a similar and natural decision problem is undecidable.
1 Introduction
Message sequence charts (MSC) are a notation widely used for the early design of communication protocols. With its graphical representation, it allows one to describe the communication skeleton of a protocol by indicating the messages that are sent between its different processes. Using message sequence charts one can document the features of a system, and the way its parts interact. Although MSCs often do not contain the full information that is needed for implementing the described protocols, they can be used for various analysis purposes. For example, one can use MSCs to search for missing features or incorrect behaviors. It is possible to detect mistakes in the design, e.g., the existence of race conditions [1] or nonlocal choice [2]. Another task that is often done using MSCs is providing ‘feature transparence’, namely upgrading a communication system in a way that all the previous services are guaranteed to be supported. In recent years MSCs have gained popularity and interest. An international committee (ITU-Z 120 [7]) has been working on developing standards for MSCs. Some tools for displaying MSCs and performing simple checks were developed [1], [8].
We model systems of MSCs, allowing a (possibly infinite) family of (finite or infinite) executions. Each execution consists of a finite or infinite set of send and receive events, together with a partial (causal) order between them. Such a system is denoted using MSC graphs, where individual MSCs are combined to form a branching and possibly looping structure. Thus, an MSC graph describes a way of combining partially ordered executions of events.
M. Nivat (Ed.): FoSSaCS 98, © Springer–Verlag Berlin Heidelberg 1998, LNCS 1378, pp. 226–242, 1998.
We suggest in this paper a specification formalism for MSC properties based on directed graphs: each node of the graph consists of a template, which includes a set of communication events, and the causal order between them. We study three alternative semantics for the specification by MSC graphs:
– Using the same semantics as for an MSC system. Namely, each maximal sequence corresponds exactly to one execution.
– With gaps, i.e., as a template, where only part of the events (and the order between them) is specified. Moreover, choices in the specification graph correspond to different possible ways to continue the execution.
– Again with gaps, but with choices corresponding to conjunctions. Namely, an execution matching the specification must include all the events in every possible path of the specification, respecting the associated causal orders.
The main focus of this paper is on developing an algorithm for deciding whether there are executions of the checked system of MSCs that match the specification. Such an execution is considered as a ‘bad’ execution and, if one exists, it should be reported as a counter-example for the correctness of the system. For the first semantics we show in Section 5 that the matching problem is undecidable. For the last two problems we provide algorithms and we show them to be NP-complete, see Section 4. In the special case of matching two single MSCs we provide a deterministic polynomial time algorithm, improving the result of [8], see Section 3. The complexity of related problems has been studied for pomset languages [6]. In contrast, in [6] only finite pomset languages are studied (however, over a richer structure).
The matching problem can also be represented as a decision problem for semi-traces [4]. A semi-trace is a set of words that is obtained from some word by means of (not necessarily symmetric) rewriting rules. These rules allow commuting pairs of adjacent letters. A semi-trace language is a set of words closed under these given rewriting rules. We provide a natural transformation from MSCs to semi-traces. This allows explaining our decidability result as a decision problem on rational languages of semi-traces. One surprising consequence of this translation is that it applies in the same way to two rather different communication semantics for a natural subclass of MSCs: that of asynchronous fifo communication and that of synchronous (handshake) communication. Work is in progress to add the proposed validation framework to a toolset that was developed for manipulating MSCs [1]. This paper concludes with several open problems and suggested work.
2 Charts and MSC Graphs
In this section, we introduce message sequence charts (MSC) and MSC graphs, as well as the matching problem.
Definition 1 (MSC). A message sequence chart M is a quintuple ⟨E, <, L, T, P⟩ where E is a set of events, < ⊆ E × E is an acyclic relation, P is a set of processes, L : E → P is a mapping that associates each event with a process, and T : E → {s, r} is a mapping that describes the type of each event (send or receive). The order relation < is called the visual ordering of events and it is obtained from the syntactical representation of the chart (e.g. represented according to the standard syntax ITU-Z 120). It is called ‘visual’ since it reflects the graphical representation of MSCs. We distinguish between two types of visual ordering as follows. We let
2. A message pair: T (e) = s ∧ T (f ) = r ∧ e
Templates and the Matching Problem
An MSC M matches an MSC N (or is embedded in N) if the chart N respects the causal order on the events specified by M. (Clearly, matching is defined with respect to a given semantics.) The MSC M is called a template MSC and it represents the specification, whereas the MSC N is called a system MSC. For matching M against N it suffices to consider the reduced partial order of M. Moreover, a template is viewed as a possibly partially specified execution of the system. The actual executions may contain additional messages, which may induce additional ordering.
Definition 2 (Matching a template with an MSC). Under a given semantics, a template M with the causal structure tr(M) = ⟨EM, ≺M, LM, TM, PM⟩ matches a chart N with the causal structure tr(N) = ⟨EN, ≺N, LN, TN, PN⟩ if and only if PM ⊆ PN and there exists an injective mapping (called embedding) h : EM → EN such that
– for each e ∈ EM, we have LN(h(e)) = LM(e) and TN(h(e)) = TM(e) (preserving processes and types), and
– if e1 ≺M e2 then h(e1) ≺N h(e2) (preserving the causal order).
Let P = {P1 , . . . , Pn } denote the set of processes. For an event e ∈ E we are often interested in its ‘message type’ msg(e) and we let msg(e) = sij , if e is a send event from Pi to Pj , and msg(e) = rij if e is a receive event of Pj from Pi , respectively. Let msg(M ) = {msg(e) | e ∈ EM }. Note that under the fifo semantics the injectivity of the embedding is already implied by the two other properties in the definition above. Moreover, under this semantics we have a simpler characterization of embeddings, which takes into account just message types: Lemma 2. Let M, N denote two MSCs and let h : M → N be a mapping. Then h is an embedding from M to N if and only if the following conditions hold for any two events e, f ∈ EM : 1. If (e, f ) is a message pair, then (h(e), h(f )) is also a message pair between the same processes. 2. Let e ≺M f such that (e, f ) is not a message pair (thus, e, f are on the same process). Then msg(h(e)) = msg(e), msg(h(f )) = msg(f ) and h(e)
denoted M1M2, is defined by letting M1M2 = ⟨E1 ∪̇ E2, <, L, T, P1 ∪ P2⟩ with L|Ei = Li, T|Ei = Ti and < = <1 ∪ <2 ∪ {(e, e′) | e ∈ E1, e′ ∈ E2, L(e) = L(e′)}.
Here, E1 ∪̇ E2 means the disjoint union of the event sets of M1 and M2. The concatenation of an infinite sequence M1, M2, … is defined in an analogous way. Message sequence graphs (MSC graphs, sometimes called high-level MSCs [7]) are used to compose MSCs into larger systems. Equivalently, one can compose MSCs using rational operations, i.e. union, concatenation and iteration. MSC graphs are finite directed graphs where each node of the graph is associated with a finite MSC [1].
Definition 3 (MSC graph). An MSC graph N is a quadruple ⟨S, τ, s0, c⟩ where ⟨S, τ, s0⟩ is a finite, directed graph with state set S, transition relation τ ⊆ S × S and starting state s0 ∈ S. The mapping c : S → M assigns to each node a finite MSC. Let ξ = s1, s2, … be a (possibly infinite) path in N, i.e. (si, si+1) ∈ τ for every i. The execution (MSC) defined by ξ is given by c(ξ) = c(s1)c(s2)…. In order to distinguish MSC graphs from finite MSCs we denote throughout the paper a finite MSC (not bound to any MSC graph) as a single MSC. In an MSC graph N = ⟨S, τ, s0, c⟩, a path ξ is called maximal if it begins with the starting state s0 and it is not a proper prefix of another path. Notice that a maximal path can be either infinite or finite. Let also msg(N) = ∪s∈S msg(c(s)). Fig. 1 shows an example of an MSC graph where the state in the upper left corner is the starting state. Note that the executions of this system are either finite or infinite. Also note that the events of receiving messages of fail and report are not causally ordered.
[Fig. 1 residue: chart nodes over processes P1, P2, P3 carrying the messages Connect, Approve, Fail, Report and Req service]
Fig. 1. A system MSC graph.
Definition 4 (Matching paths). Let ξ1 and ξ2 be two finite or infinite paths in some MSC graphs. Then ξ1 matches ξ2 if c(ξ1) matches c(ξ2). A strongly connected component C of a directed graph ⟨S, τ⟩ is a subset C ⊆ S such that for any u, v ∈ C, there is a nonempty path from u to v. A maximal strongly connected component is a strongly connected component which is maximal w.r.t. set inclusion.
3 Matching a Template
In this section, we consider the problem of matching a single template MSC with an MSC graph. As a first result, we show that we can check whether a template can be embedded into a single MSC in polynomial time. (Recall that we assume that the fifo semantics is used.) This algorithm refines the result of [8], where a PSPACE algorithm was exhibited without specifying the semantics. The present matching algorithm is based on the simple observation that it suffices to match a suitable minimal send event and the corresponding receive event with the first occurrence of a message pair of the same type.
Proposition 1. Let M = ⟨EM, <M, LM, TM, PM⟩, N = ⟨EN,
an embedding of M′ into N′, then h′ ∪ {e0 ↦ µ(e0), f0 ↦ f0′} is an embedding of M into N.
Proof. Note first that all minimal elements of tr(M) are send events. Suppose that M matches N via h : M → N, where h(e0) ≠ µ(e0) (hence, h(f0) ≠ f0′). Let e0′ := µ(e0) and let ĥ be given by ĥ(e0) = e0′, ĥ(f0) = f0′ and ĥ(g) = h(g) for every g ∉ {e0, f0}. Now, if e0 ≺M g, then h(e0) ≺N h(g) and hence also e0′ ≺N h(g), since e0′ ≺N h(e0) and e0′, h(e0) have the same message type. A similar argument holds for f0 ≺M g, which shows that ĥ is again an embedding from M to N. In order to show that M′ matches N′ it suffices to show that ĥ(EM) ∩ {g′ ∈ EN | g′ ≺*N f0′} = {e0′, f0′}. Assume the contrary, i.e. there exists g ∈ EM such that ĥ(g) ≺*N f0′ and ĥ(g) ∉ {e0′, f0′}. Since every receive event is preceded by its corresponding send event, we may assume that TM(g) = s, i.e. g is a send event. Let e1 ∈ min(tr(M)) be a minimal event with e1 ≺*M g, then ĥ(e1) ≺*N ĥ(g) ≺*N f0′. By Lemma 1 we obtain that ĥ(e1) ≺*N e0′, since e1 is a send event. By the definition of µ we have µ(e1) ≺*N ĥ(e1), hence µ(e1) ≺*N e0′. Thus, by the choice of e0 we obtain µ(e1) = e0′. Therefore, e0′ ≺*N ĥ(g) ≺*N f0′, which yields e0′ = ĥ(g) due to TM(g) = s, contradiction. Suppose finally that M′ matches N′ via h′ and consider some event g in M′. If e0 ≺M g, then we also have e0′ ≺N h′(g), since h′ preserves message types and h′(g) ∈ EN′. Similarly, f0 ≺M g implies e0′ ≺N h′(g), which shows that h′ ∪ {e0 ↦ e0′, f0 ↦ f0′} is an embedding of M into N.
Remark 2. Proposition 1 yields an embedding algorithm, mapping the events of M in such a way that minimal events are mapped first, to the first event with the same type. This algorithm is of linear complexity if we keep min(tr(M)), resp. {µ(e) | e ∈ min(tr(M))} in two lists. More precisely, note that on each process of M, resp.
N, there is at most one event e ∈ min(tr(M)), resp. µ(e). Moreover, we will record for each process of N the event on that process line which is of the form µ(e) for some e ∈ min(tr(M)), if there is one on that process. This additional information is needed in order to update the set of minimal elements of {µ(e) | e ∈ min(tr(M))} in constant time. For the complexity of our algorithm note first that min(tr(M′)) can be updated in constant time, since at most two new minimal events can occur on L(e0) and L(f0). Moreover, for e1 ∈ min(tr(M′)) \ min(tr(M)) we can check whether µ(e1) is minimal in {µ(e) | e ∈ min(tr(M′))} in constant time, using the additional information mentioned above. This suffices, since µ(e1) is a send event and every event preceding it in the visual order is a predecessor in the causal order, too. Hence, µ(e1) is not minimal within {µ(e) | e ∈ min(tr(M′))} if and only if its process contains an event µ(e2), e2 ∈ min(tr(M′)), such that µ(e2)
Definition 5 (Matching a template with an MSC graph). A template MSC M matches an MSC graph N if M matches some maximal path of N.
Matching a template against an MSC graph actually requires only paths of bounded length to be checked:
Proposition 2. Let N be an MSC graph and let M be a single template MSC such that M matches N. Then there is a path in N that embeds M and has length at most md, where m is the number of messages in M and d is the maximal length of a simple path in N (i.e. of a path where no node appears twice).
Proposition 2 yields a non-deterministic algorithm for matching a template with an MSC graph which guesses a path in N and verifies that the template matches the graph. The algorithm is polynomial in the size of the template and the number of nodes in the graph. The proposition below shows that matching is also NP-hard.
Proposition 3. Matching a single template MSC with an MSC graph is NP-complete, even if the graph is acyclic.
Proof. It suffices to show that matching is NP-hard. For this, we reduce the satisfiability problem for formulas in conjunctive normal form (CNF-SAT) to the MSC matching problem. Consider a formula ⋀_{j=1}^{k} Cj with clauses (disjunctions) Cj over the variables x1, …, xl. For each clause Cj we take two processes, Pj and Rj. Let m(j) denote a message from Pj to Rj. Note that the events of different messages m(i), m(j), i ≠ j, are not causally ordered. Then the template M is given as M = m(1) ··· m(k). The system graph N = ⟨S, τ, s0, c⟩ contains for each variable xi three states denoted as oi, pi and ni, i.e. S = {oi, pi, ni | 1 ≤ i ≤ l}. Let s0 = o1. The edge set is given by τ = {(oi, pi), (oi, ni), (pj, oj+1), (nj, oj+1) | 1 ≤ i ≤ l, 1 ≤ j < l}. The assignment of MSCs to states is as follows: for every i, c(oi) = ∅, c(pi) = {m(j) | xi occurs in Cj} and c(ni) = {m(j) | x̄i occurs in Cj}.
That is, c(pi ) contains messages associated to all clauses satisfied by xi := true, whereas c(ni ) contains messages associated to all clauses satisfied by xi := false. Thus, a maximal path in the MSC graph N corresponds exactly to an assignment of the variables. The single MSC M matches a maximal path of N if and only if the assignment given by the path satisfies all clauses.
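The embedding test of Definition 2 in its fifo form (Lemma 2), the greedy matching of Proposition 1 and Remark 2, and the CNF-SAT reduction of Proposition 3, as one added Python example. This is not the authors' code: the dict encoding of an MSC, the (process, position) event identities, the DIMACS-style clause lists and every function name are my assumptions. `concat` is the concatenation of Section 2, so each maximal path of the reduction graph is evaluated by building c(ξ) and running the greedy matcher on it.

```python
from itertools import product

# Assumed encoding (mine, not the paper's): an MSC under the fifo semantics is a
# dict process -> events in visual order, ("s", q) = send to q, ("r", q) = receive
# from q; an event is identified by (process, position).
def events(msc):
    return [(p, k) for p, seq in msc.items() for k in range(len(seq))]

def pairing(msc):
    """fifo pairing: the k-th send from p to q meets the k-th receive on q from p."""
    chans = {}
    for p, seq in msc.items():
        for k, (t, q) in enumerate(seq):
            chan = chans.setdefault((p, q) if t == "s" else (q, p), ([], []))
            chan[0 if t == "s" else 1].append((p, k))
    pair = {}
    for ss, rs in chans.values():
        if len(ss) != len(rs):
            raise ValueError("unbalanced channel: a send or receive has no partner")
        pair.update(zip(ss, rs))
        pair.update(zip(rs, ss))
    return pair

def causal_pred(msc, pair):
    """Direct causal predecessors: previous event on the process; send of a receive."""
    pred = {}
    for p, seq in msc.items():
        for k, (t, _) in enumerate(seq):
            pred[(p, k)] = ({(p, k - 1)} if k else set()) | ({pair[(p, k)]} if t == "r" else set())
    return pred

def ancestors(pred, e):
    """Events strictly below e in the causal order (transitive closure)."""
    seen, stack = set(), list(pred[e])
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(pred[x])
    return seen

def is_embedding(M, N, h):
    """Lemma 2 (fifo): injective and total; message pairs go to message pairs of the
    same type; visual order and message types are kept on every process."""
    pairM, pairN = pairing(M), pairing(N)
    if set(h) != set(events(M)) or len(set(h.values())) != len(h):
        return False
    for e, e2 in h.items():
        if (e2 not in pairN or e2[0] != e[0] or N[e2[0]][e2[1]] != M[e[0]][e[1]]
                or pairN[e2] != h[pairM[e]]):
            return False            # process, message type or message pair not preserved
    for p, seq in M.items():
        if any(h[(p, k)][1] >= h[(p, k + 1)][1] for k in range(len(seq) - 1)):
            return False            # visual order on process p not preserved
    return True

def embed(M, N):
    """Greedy embedding of Proposition 1 / Remark 2: map a minimal send e0 whose image
    mu(e0) (first unused send of the same type in N) is causally minimal, plus its
    receive f0; then discard everything in N below f0'.  None if M does not match N."""
    pairM, pairN = pairing(M), pairing(N)
    predN = causal_pred(N, pairN)
    left, gone, h = set(events(M)), set(), {}
    while left:
        cands = []
        for p, seq in M.items():
            ks = [k for k in range(len(seq)) if (p, k) in left]
            if not ks or seq[ks[0]][0] != "s":
                continue            # a leading receive is never minimal
            mu = next(((p, k) for k, ev in enumerate(N.get(p, []))
                       if (p, k) not in gone and ev == seq[ks[0]]), None)
            if mu is None:
                return None         # no unused message pair of this type in N
            cands.append(((p, ks[0]), mu))
        e0, mu = next((e, m) for e, m in cands
                      if not any(m2 in ancestors(predN, m) for _, m2 in cands))
        f0, f0p = pairM[e0], pairN[mu]
        h[e0], h[f0] = mu, f0p
        left -= {e0, f0}
        gone |= ancestors(predN, f0p) | {f0p}
    return h

def concat(*mscs):
    """Concatenation M1 M2 ...: on each process the left events come first."""
    out = {}
    for m in mscs:
        for p, seq in m.items():
            out.setdefault(p, []).extend(seq)
    return out

def cnf_to_matching(clauses, nvars):
    """Proposition 3 (clauses as DIMACS-style signed ints): template m(1)...m(k)
    over P_j, R_j and the state -> MSC map c of the acyclic graph o_i -> p_i | n_i."""
    m = lambda j: {"P%d" % j: [("s", "R%d" % j)], "R%d" % j: [("r", "P%d" % j)]}
    template = concat(*(m(j) for j in range(1, len(clauses) + 1)))
    c = {}
    for i in range(1, nvars + 1):
        c["o%d" % i] = {}
        c["p%d" % i] = concat(*(m(j) for j, cl in enumerate(clauses, 1) if i in cl))
        c["n%d" % i] = concat(*(m(j) for j, cl in enumerate(clauses, 1) if -i in cl))
    return template, c

def graph_matches(template, c, nvars):
    """Try the 2^l maximal paths o1,x1,...,ol,xl (one per assignment); first match or None."""
    for choice in product("pn", repeat=nvars):
        path = [s for i, x in enumerate(choice, 1) for s in ("o%d" % i, x + str(i))]
        if embed(template, concat(*(c[s] for s in path))) is not None:
            return path
    return None
```

Running `embed` on each of the 2^l maximal paths is the brute-force witness search behind Proposition 3: for a satisfiable formula the returned path reads off a satisfying assignment (pi for xi := true, ni for xi := false), and for an unsatisfiable one every path fails because some m(j) never occurs in c(ξ). `is_embedding` is deliberately separate from `embed`, so a returned mapping can be checked against Lemma 2 independently of how it was found.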
4 Matching MSC Graphs
In this section, we discuss our extension of the matching algorithm to deal with MSC graphs. Adopting the same convention for matching two single MSCs, we call one of the MSC graphs the template (MSC) graph. The other graph is called the system (MSC) graph. The template graph represents a collection of properties (behaviors), each defined by one of its maximal paths. Then for the or-semantics as defined below,
[Fig. 2 residue: two chart nodes over processes P1, P2, P3, labelled Fail and Connect, joined by an and-choice]
Fig. 2. A template MSC graph.
the template corresponds to a non-deterministic choice among these behaviors, so an execution of the system needs to contain at least one of the executions described by the template. For the and-semantics an execution of the system matches the template if it contains all the executions of the template MSC graph.
Definition 6 (Matching a template graph with a system graph). Let M and N be two MSC graphs.
1. M or-matches N if there exists a maximal path ξ′ of N and a maximal path ξ of M which matches ξ′.
2. M and-matches N if there exists a maximal path ξ′ of N such that all maximal paths ξ of M match ξ′.
Consider the and-graph template in Fig. 2. This template matches the system of Fig. 1, since the system may alternate infinitely often between Connect and Fail. The next lemmas present some fundamental properties of matching paths of MSC graphs. A subpath ξ′ of a path ξ = s0, s1, … in some graph G is a path of G of the form ξ′ = si0, si1, si2, … with i0 < i1 < …. In this case, we call ξ a superpath of ξ′.
Lemma 3. Let M, N be two MSC graphs and let ξ1, ξ2 denote paths in M, N, resp. Let ξ1 match ξ2. Then for every subpath ξ1′ of ξ1 and every superpath ξ2′ of ξ2, ξ1′ matches ξ2′.
Proposition 4. Let M, N be two MSC graphs and consider an infinite path ξ in M such that every state from ξ occurs infinitely often in ξ. Let C be the strongly connected component of M induced by the states from ξ. Consider also an infinite path χ in N and let C′ denote the strongly connected component of the states occurring infinitely often in χ. Then the following holds:
1. ξ matches χ if and only if msg(C) ⊆ msg(C′).
2. Let K denote a simple cycle within C and suppose that ξ matches χ. Then K^ω matches χ, too (here, K^ω denotes the infinite path KK…).
3. Let K̂ be a cycle containing all states from C′. Then ξ matches χ if and only if ξ matches K̂^ω.
Proof. Suppose first that ξ matches χ. Then, since embeddings preserve message types, it is easily seen that msg(C) ⊆ msg(C′). For the converse let χ = χ0 χ1 …, with χi finite paths such that every χi, i ≥ 1, contains all states from C′. Also, consider a linearization e1 e2 … of tr(ξ) satisfying the property that for each i, (e2i−1, e2i) is a message pair. We define an embedding h inductively by mapping (e2i−1, e2i) to events from χi, i ≥ 1. More precisely, h maps e2i−1 to the first event e′ occurring in c(χi) satisfying msg(e2i−1) = msg(e′). Then, e2i is mapped by h to the corresponding receive event of e′. By Lemma 2 it is easy to check that h preserves the causal order. The second assertion of the proposition is obtained directly from Lemma 3, whereas the last assertion is a consequence of the first one.
4.1 The Complexity of OR-Matching
The next theorem shows that for or-matching two MSC graphs only finite paths have to be considered for an embedding. More precisely, for the recurrent part of a path only the message types of events are relevant. For a strongly connected component C and a state s we denote below a path from s to some node in C as a path from s to C.
Theorem 1. Let M = ⟨S, τ, s0, c⟩ be a template graph and N = ⟨S′, τ′, s0′, c′⟩ be a system graph. Then M or-matches N if and only if either there exists a finite maximal path of M which matches N, or there exist
– a simple cycle K in M and a simple path ξ from s0 to K,
– a strongly connected component C′ of N and a path χ from s0′ to C′,
such that ξ matches χ and msg(K) ⊆ msg(C′).
Proof. Suppose that M or-matches N via an infinite maximal path. Then, by Lemma 3 and Proposition 4(2) we also obtain a path of M of the form ξKK… which matches N, where K is a simple cycle and ξ is a simple path from s0 to K. Let ρ denote a path in N such that ξK^ω matches ρ. Moreover, let χ be a minimal prefix of ρ such that ξ matches χ and the corresponding suffix is a strongly connected component of N. Then, by applying Proposition 4(1), we obtain the result.
For the converse we may use again Proposition 4(1) in order to extend the embedding of $\xi$ into $\chi$ to an embedding of $\xi K^\omega$ into a path in $N$ starting with $\chi$.

First note that in Theorem 1 the path $\chi$ is in general not simple. But by Proposition 2 its length is bounded by $size(\xi) \cdot n$, with $size(\xi)$ denoting the number of messages in $\xi$, and $n$ denoting the number of states in $N$. Note also that we can require above that $C'$ is a maximal strongly connected component, due to Lemma 3. Hence, an algorithm based on Theorem 1 would first compute in linear time all maximal strongly connected components of $N$. Then, for each maximal strongly connected component $C'$ consider the states $s$ of $M$ with $msg(c(s)) \subseteq msg(C')$ and the subgraph $M_{C'}$ induced by these states. The algorithm checks whether there is some simple path $\xi$ from $s_0$ to some strongly connected component of $M_{C'}$ which matches a path $\chi$ from $s'_0$ to $C'$. (The length of $\chi$ is bounded by a polynomial in the size of $\xi$ and the size of $N$.) The complexity of the above algorithm basically derives from two problems: one consists of finding all simple paths from the initial node to a given subgraph, and the second one is the problem of matching a single template MSC with an MSC graph. Clearly, Theorem 1 directly yields an NP-algorithm for or-matching. Moreover, by Proposition 3 already the case where the template graph is a single node is NP-hard. Hence, we obtain:

Corollary 1. The or-matching problem for MSC graphs is NP-complete.

4.2 The Complexity of AND-Matching
For the and-matching problem we need to deal not only with strongly connected components, but also with states reachable from some strongly connected component. The reason is that some of the events in such states have to be mapped to events belonging to recurrent states in the system graph.

For an MSC graph $M = \langle S, \tau, s_0, c\rangle$ let $S_c \subseteq S$ denote the set of nodes belonging to some strongly connected component of $M$. For each state $s \in S$ let us partition the events belonging to the single MSC $c(s)$ associated with $s$ in two sets $c_f(s)$, $c_\omega(s)$ as follows. For each event $e \in c(s)$ let $e \in c_\omega(s)$ if and only if there exist some state $s' \in S_c$, some event $e'$ in $c(s')$ and a path $\xi$ from $s'$ to $s$ with $e' \prec^*_\xi e$ for the causal order $\prec^*_\xi$ associated to the execution of $\xi$. We denote by $E_\omega$ the set of events $\{e \mid e \in c_\omega(s), s \in S\}$.

The set $E_\omega$ can be computed in polynomial time as follows: let $E_\omega := \{e' \mid e' \in c(s'), s' \in S_c\}$. Then for every $e \notin E_\omega$, $e \in c(s)$, test whether there is some event $e' \in E_\omega$, $e' \in c(s')$, such that $s$ is reachable from $s'$ through a path $\xi$ and $e' \prec_\xi e$ for the execution of that path. Note that $e' \prec_\xi e$ holds if and only if $e' \prec_\chi e$ holds for any other path $\chi$ from $s'$ to $s$. Moreover, by Lemma 1 the condition $e' \prec_\xi e$ can be checked by examining the message types of $e, e'$. If the test is positive, then let $E_\omega = E_\omega \cup \{e\}$. This step is repeated until no more events can be added. Note also that for every $e \in c_\omega(s)$ and $e' \in c(s)$ with $e \prec^*_{c(s)} e'$, also $e' \in c_\omega(s)$ holds. Moreover, for every message pair $e_1$
(this is easily checked using Lemma 1.) The set $c_f(s)$ together with the visual order inherited from $c(s)$ is thus a single MSC which we also denote by $c_f(s)$ (analogously for $c_\omega(s)$). By the previous remarks we have that the causal order of $c(s)$ is the same as the causal order of $c_f(s)c_\omega(s)$. Finally, for $s \in S_c$ we have $c(s) = c_\omega(s)$.

Theorem 2. Let $M = \langle S, \tau, s_0, c\rangle$ be a template graph and $N = \langle S', \tau', s'_0, c'\rangle$ be a system graph. Define a mapping $\hat c : S \to \mathcal{M}$ by letting $\hat c(s) = c_f(s)$. Let $\hat M = \langle \hat S, \hat\tau, s_0, \hat c\rangle$ denote the MSC graph with state set $\hat S = \{s \in S \mid \hat c(s) \ne \emptyset\} \cup \{s_0\}$ and $(s, s') \in \hat\tau$ if and only if $s, s' \in \hat S$ such that $\neg(s = s' = s_0)$ and there is a path $s = s_1, \ldots, s_k = s'$ in $M$ satisfying $\hat c(s_i) = \emptyset$ for all $1 < i < k$. Then $M$ and-matches $N$ if and only if there exists a subgraph $C'$ of $N$ and a path $\chi$ from $s'_0$ to $C'$ such that
1. All paths in $\hat M$ match $\chi$.
2. If $M$ contains cycles then $msg(E_\omega) \subseteq msg(C')$ and $C'$ is a strongly connected component of $N$.

Proof. First, note that the MSC graph $\hat M$ is acyclic (since the only possible loop would be a self-loop of $s_0$, which has been excluded by definition). Suppose that $M$ and-matches $N$ and consider a path $\rho$ in $N$ such that all maximal paths in $M$ match $\rho$. If $M$ is acyclic, hence $M = \hat M$, then we are done by choosing an appropriate finite prefix $\chi$ of $\rho$. So suppose that $S_c \ne \emptyset$, then $\rho$ must be infinite. Let $C'$ be the strongly connected component containing exactly the states occurring infinitely often in $\rho$. Let $\xi$ be a (finite) path from $\hat M$. Then it is easy to verify that there exists a path $\sigma$ in $M$ such that the causal order of the execution of $\xi$ is a prefix of the causal order of the execution of $\sigma$. Hence, $\xi$ matches $\rho$, too. Let $\chi$ be a finite prefix of $\rho$ such that all (finite) paths from $\hat M$ match $\chi$ and the corresponding suffix is a strongly connected component of $N$. Finally, consider an event $e$ in some $c_\omega(s)$, for some state $s$.
Then there exists for each $n \ge 0$ a path $\xi$ from $s_0$ to $s$ such that the configuration $e{\downarrow}$ of the occurrence of $e$ in the last node of $\xi$ contains at least $n$ events. Hence, there is some state $s'$ occurring in $\rho$ infinitely often, such that $msg(e) = msg(e')$ holds for some event $e'$ in $s'$. This concludes one direction of the proof.

Conversely, suppose that $M$ has cycles. Let $\xi = s_0, s_1, \ldots$ be a maximal (finite or infinite) path in $M$. Note that the causal order associated to the execution $c(\xi)$ of $\xi$ is identical to the causal order of $c_f(\xi)c_\omega(\xi)$, where $c_f(\xi) = c_f(s_0)c_f(s_1)\ldots$ and $c_\omega(\xi) = c_\omega(s_0)c_\omega(s_1)\ldots$. Moreover, $c_f(s_0)c_f(s_1)\ldots$ is a finite MSC since there can be only a finite number of nodes $s_i$ with $c_f(s_i) \ne \emptyset$. Also, $c_f(s_0)c_f(s_1)\ldots$ is the execution of a finite path in $\hat M$, thus it matches $\chi$. Since $msg(E_\omega) \subseteq msg(C')$ we obtain similarly to Proposition 4 that the MSC $c_\omega(s_0)c_\omega(s_1)\ldots$ matches $\hat K^\omega$, for some fixed cycle $\hat K$ containing all the states from $C'$. Thus, $\xi$ matches $\chi \hat K^\omega$, which shows the claim.

By the previous theorem we have to consider the problem of and-matching a single MSC against an acyclic MSC graph. The next proposition shows that for and-matching an acyclic graph it suffices to look for a mapping which is an embedding for all the paths (instead of embedding each path separately).

Proposition 5. Let $M$ be an acyclic MSC graph and let $N$ be a single MSC. Then $M$ and-matches $N$ if and only if there exists a mapping $g : M \to N$ which is an embedding for all paths in $M$.

Proof. Suppose that $M$ and-matches $N$ and let $g_\xi$ denote an embedding of a maximal path $\xi$ of $M$ in $N$. Let $\Xi$ denote the set of all maximal paths of $M$. Define a mapping $g : M \to N$ by letting $g(e) = \max\{g_\xi(e) \mid \xi \in \Xi, e \text{ occurs on } \xi\}$. Note that for a fixed event $e$ the set $\{g_\xi(e) \mid \xi \in \Xi, e \text{ occurs on } \xi\}$ is totally ordered w.r.t. $\prec^*_N$. This is due to the fifo semantics, since for each $e, e'$ with $msg(e) = msg(e')$ we have either $e \prec^*_N e'$ or $e' \prec^*_N e$. We show that $g$ is an embedding for every path $\xi \in \Xi$. If $e$
causal order) located in $s$ and in the nodes preceding $s$. Then we embed a source node $s$ of $M$ and iterate this procedure with $M \setminus \{s\}$. When processing the current node $s$, events in $c(s)$ are mapped according to the partial order (starting with minimal elements) as suggested by Proposition 1. That is, a suitable event $e \in \min(tr(M))$ is mapped to the minimal event $e'$ of the same type in $N$ such that $e'{\downarrow}$ contains all events to which the immediate predecessor events of $e$ were mapped.

Together with Theorem 2 we obtain an NP-algorithm for the and-matching problem by first guessing a subgraph $C'$ of the system graph $N$ and a path $\chi$ from the starting node of $N$ to some node in $C'$. Then we verify deterministically that the acyclic MSC graph $\hat M$ defined in Theorem 2 and-matches the single MSC corresponding to $\chi$. Note that due to Proposition 5 we can bound the length of $\chi$ by a polynomial in the number of messages in $\hat M$ and the number of nodes in $N$. Together with Proposition 3 we obtain:

Corollary 2. The and-matching problem for MSC graphs is NP-complete.
5 An Undecidable Problem
The matching problems considered previously were based on the paradigm that templates represent partial specifications of system behaviors. We show below that if we require that templates represent exact behaviors, then the or-matching problem is undecidable.

For the fifo semantics considered in this paper we show first that, considering a message pair as a single letter, we obtain an isomorphism between the causal orders of a natural subclass of message sequence charts and partial orders of semi-traces. Semi-traces are objects known from the algebraic study of concurrency (for a survey on semi-traces see Chapter 12 in [5]). Formally, assume that $P = \{P_1, \ldots, P_m\}$ is the set of processes. We associate an alphabet $\Sigma = \{m_{ij} \mid 1 \le i \ne j \le m\}$ and a non-commutation relation $SD \subseteq \Sigma \times \Sigma$, $SD = \{(m_{ij}, m_{ik}) \mid j \ne i \ne k\} \cup \{(m_{ij}, m_{jk}) \mid i \ne j \ne k\}$. The idea underlying $SD$ is to consider in the precedence order the order between sends on the same process and receives ordered by the fifo condition $(m_{ij}, m_{ik})$, and receives followed by sends on the same process line $(m_{ij}, m_{jk})$. The complementary relation, $SI = (\Sigma \times \Sigma) \setminus SD$, called semi-commutation relation, yields a rewriting system $\{ab \to ba \mid (a, b) \in SI\}$, which will also be denoted by $SI$. A semi-trace $[w]$ is a set of words, $[w] = \{v \in \Sigma^* \mid w \xrightarrow{*}_{SI} v\}$. The concatenation of two semi-traces $[u], [v]$ is defined as $[u][v] = [uv]$. It is an associative operation and the set of all semi-traces over $(\Sigma, SI)$ together with the concatenation is a monoid with identity $1 = [\,]$, which is denoted $(M(\Sigma, SI), \cdot, 1)$. Note also that the relation $SD$ is reflexive. Moreover, $[w] = [w']$ holds if and only if $w$ can be rewritten into $w'$ by using symmetric rules only.

In the next proposition we show that a naturally arising subclass of MSCs can be identified with semi-traces. We restrict our consideration to MSCs satisfying the condition that in the visual representation no two message lines intersect.
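As an added worked example (not part of the paper), the following Python code builds $\Sigma$, $SD$ and $SI$ for $m$ processes directly from the two defining sets above and computes a semi-trace $[w]$ by closing a word under the one-step rules $ab \to ba$, $(a, b) \in SI$. The encoding of a letter $m_{ij}$ as the pair $(i, j)$, the function names and the sample words are our own choices.

```python
"""Semi-traces over the message alphabet Sigma = {m_ij}, following the
definitions in the text.  Added example, not part of the paper.

A letter m_ij (a message from process P_i to process P_j) is encoded as
the pair (i, j); a word is a tuple of such pairs.
"""
from collections import deque


def alphabet(m):
    """Sigma = {m_ij | 1 <= i != j <= m}."""
    return [(i, j) for i in range(1, m + 1) for j in range(1, m + 1) if i != j]


def non_commutation(m):
    """SD = {(m_ij, m_ik) | j != i != k} U {(m_ij, m_jk) | i != j != k}.

    First set: two sends from P_i (their receives are ordered by fifo);
    second set: a receive on P_j followed by a send from P_j."""
    sd = set()
    for i in range(1, m + 1):
        for j in range(1, m + 1):
            for k in range(1, m + 1):
                if j != i and i != k:
                    sd.add(((i, j), (i, k)))
                if i != j and j != k:
                    sd.add(((i, j), (j, k)))
    return sd


def semi_commutation(m):
    """SI = (Sigma x Sigma) \\ SD, read as the set of rewriting rules ab -> ba."""
    sigma = alphabet(m)
    sd = non_commutation(m)
    return {(a, b) for a in sigma for b in sigma if (a, b) not in sd}


def semi_trace(word, si):
    """[w] = {v | w ->*_SI v}: breadth-first closure of w under single
    applications of the rules ab -> ba with (a, b) in SI."""
    word = tuple(word)
    seen = {word}
    queue = deque([word])
    while queue:
        w = queue.popleft()
        for pos in range(len(w) - 1):
            if (w[pos], w[pos + 1]) in si:
                v = w[:pos] + (w[pos + 1], w[pos]) + w[pos + 2:]
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
    return frozenset(seen)


def same_semi_trace(u, v, si):
    """[u] = [v] iff each word rewrites into the other, i.e. iff u can be
    turned into v using symmetric rules only."""
    return tuple(v) in semi_trace(u, si) and tuple(u) in semi_trace(v, si)
```

With four processes the code exhibits the asymmetry that separates semi-traces from traces: $(m_{23}, m_{12})$ lies in $SI$ while $(m_{12}, m_{23})$ lies in $SD$, so $[m_{23}m_{12}]$ contains two words but $[m_{12}m_{23}]$ is a singleton; two messages on disjoint process pairs such as $m_{12}$ and $m_{34}$ commute in both directions.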
We denote this subclass as ordered MSCs. Clearly, ordered MSCs satisfy the fifo condition on the visual order. Note also that the syntactic concatenation of MSCs induces a concatenation operation for the associated causal orders, which is associative.

Proposition 7. Let $\mathcal{M}_o$ denote the set of ordered MSCs over the set of processes $P = \{P_1, \ldots, P_m\}$ and let $(\Sigma, SI)$ be defined as above. Then the monoid of causal orders over $\mathcal{M}_o$ is isomorphic to $(M(\Sigma, SI), \cdot, 1)$.

Proof. Let $M = \langle E, <, L, T, P\rangle$ and define a homomorphism $h : E_M^* \to \Sigma^*$ by letting $h(e) = m_{ij}$, if $e$ is a send event from $P_i$ to $P_j$, and $h(e) = \lambda$ if $e$ is a receive event. To $M$ we associate a language $t_M$ over $\Sigma^*$:
$$t_M = \{h(z) \mid z \in E_M^* \text{ is a linearization of } \prec^*_M\}.$$
Then we can show that $t_M$ is a semi-trace over $(\Sigma, SI)$. For this, we first define a linearization $z_0 \in E_M^*$ of $M$ inductively by choosing some message pair $(e, f)$ of $M$ satisfying
– $e$ is minimal w.r.t. the visual order $<$ in $M$,
– for every $g \in E_M$: $g < f \Leftrightarrow g = e$,
and letting $z_0 = ef z_0'$, where $z_0'$ is defined accordingly for $M' := M \setminus \{e, f\}$. (Note that the existence of $e, f$ as above is due to $M$ being an ordered MSC.) Then we claim that $t_M = [h(z_0)]$, i.e. $t_M$ is the semi-trace associated to $h(z_0)$. We show this by induction on the length of $t_M$. For lack of space, the details are left to the full version of the paper.

Traces [5] result from symmetric rewriting rules, i.e. both $SI$ and $SD$ are symmetric relations. For the trace monoid given by the rules $ab = ba$, $cd = dc$ it is known that one cannot decide for given regular languages $L_1, L_2 \subseteq \{a, b, c, d\}^*$ whether $[L_1] \cap [L_2]$ is empty [3], where $[L] = \bigcup_{u \in L}[u]$ denotes the closure of $L$ under $\xrightarrow{*}_{SI}$.

Proposition 8. Let $M, N$ be two MSC graphs. Then it is undecidable whether there exist two maximal paths $\xi_1$ in $M$, $\xi_2$ in $N$ such that the associated MSCs $m_1, m_2$ have the same causal order under the fifo semantics.

Proof. We consider four processes, $P = \{P_1, P_2, P_3, P_4\}$, and we denote by $s_a, r_a$ a message pair from $P_1$ to $P_2$, resp. by $s_b, r_b$ a message pair from $P_2$ to $P_1$. Dually, $s_c, r_c$ denotes a message pair from $P_3$ to $P_4$, whereas $s_d, r_d$ is a message pair from $P_4$ to $P_3$. Then we associate to each letter $a, b, c, d$ an MSC as given by the mapping $h$, with $h(x) = s_x r_x$, for $x \in \{a, b, c, d\}$. Moreover, $h$ induces a homomorphism from $\{a, b, c, d\}^*$ to $\mathcal{M}$. Note that for any word $u$ over $\{a, b, c, d\}$ the partial order $tr(h(u))$ consists of two totally ordered sequences, one over events between processes $P_1$ and $P_2$, the other over events between $P_3$ and $P_4$. Moreover, these total orders are completely independent. Viewed as a mapping from $M(\Sigma, SI)$ to $tr(\mathcal{M})$, $h$ is injective. This, together with [3], concludes our proof.
Let us comment on our results in the context of semi-trace languages. One cannot decide the emptiness of the intersection of two MSC graphs since, given two regular languages $L, K \subseteq \Sigma^\omega$ and a semi-commutation relation $SI$ over $\Sigma$, the question whether the intersection $[L] \cap [K]$ is nonempty is undecidable. In contrast, the or-matching problem of Section 4.1 can be expressed as a very particular instance of the above problem. Before going into some details, let us fix notations. For a language $L \subseteq \Sigma^*$, we denote by $L \sqcup\!\!\sqcup \Sigma^*$ the shuffle of $L$ and $\Sigma^*$, i.e. the language $\{u_1 v_1 u_2 v_2 \cdots u_n v_n \mid u_1 u_2 \cdots u_n \in L, v_i \in \Sigma^*\}$. The shuffle $L \sqcup\!\!\sqcup \Sigma^\omega$ for $L \subseteq \Sigma^* \cup \Sigma^\omega$ is defined analogously. Formally, the or-matching problem for the semantics with gaps is equivalent to the question whether the intersection $[L \sqcup\!\!\sqcup \Sigma^\omega] \cap [K]$ is empty or not, for regular languages $L, K \subseteq \Sigma^\omega$. The crucial point now is that $[L \sqcup\!\!\sqcup \Sigma^\omega]$ has a very particular form. Suppose without loss of generality that $L = UV^\omega$, with $U, V \subseteq \Sigma^*$ regular languages such that every element of $V$ has the same alphabet $A \subseteq \Sigma$. Then $UV^\omega \sqcup\!\!\sqcup \Sigma^\omega = (U \sqcup\!\!\sqcup \Sigma^*)\,\mathrm{Inf}(A)$, with $\mathrm{Inf}(A) = \{u \in \Sigma^\omega \mid |u|_a = \infty, \forall a \in A\}$. Moreover, $[UV^\omega \sqcup\!\!\sqcup \Sigma^\omega] = [(U \sqcup\!\!\sqcup \Sigma^*)]\,\mathrm{Inf}(A)$. But it is easy to check that $U \sqcup\!\!\sqcup \Sigma^*$ is a very simple regular language, a finite union of languages of the form $\Sigma^* a_1 \Sigma^* a_2 \Sigma^* \cdots a_k \Sigma^*$ for some letters $a_i \in \Sigma$. (This family of languages corresponds exactly to level ‘1/2’ in the concatenation hierarchy of Straubing-Thérien [10].) Finally,
$$[\Sigma^* a_1 \Sigma^* a_2 \Sigma^* \cdots a_k \Sigma^*] = \bigcup_{a_{i_1} \cdots a_{i_k} \in [a_1 \cdots a_k]} \Sigma^* a_{i_1} \Sigma^* \cdots a_{i_k} \Sigma^*.$$
6 Conclusion
In this paper we presented specification and verification methods for MSCs, which employ languages of partially ordered executions. We were interested in the problem of deciding whether there is an execution of the given MSC system that matches the specification. We considered three alternative semantics and showed that the matching problem under both the or-semantics and the and-semantics is NP-complete. Under a semantics which allows no gaps in the specification the matching problem becomes the intersection of two MSC graphs. We showed that this problem is undecidable. Some open directions for further research include extending the framework by allowing and/or-graphs and negation, expressing the finite occurrence of certain events, and obtaining complementable specification formalisms.
References
1. R. Alur, G. Holzmann, and D. Peled. An analyzer for message sequence charts. Software Concepts and Tools, 17(2):70–77, 1996.
2. H. Ben-Abdallah and S. Leue. Syntactic detection of process divergence and non-local choice in message sequence charts. In E. Brinksma, editor, Proceedings of the Tools and Algorithms for the Construction and Analysis of Systems, Third International Workshop, TACAS'97, number 1217 in Lecture Notes in Computer Science, pages 259–274, Enschede, The Netherlands, 1997. Springer.
3. J. Berstel. Transductions and context-free languages. Teubner Studienbücher, Stuttgart, 1979.
4. M. Clerbout and M. Latteux. Partial commutations and faithful rational transductions. Theoretical Computer Science, 34:241–254, 1984.
5. V. Diekert and G. Rozenberg, editors. The Book of Traces. World Scientific, Singapore, 1995.
6. J. Feigenbaum, J. Kahn, and C. Lund. Complexity results for pomset languages. SIAM Journal on Discrete Mathematics, 6(3):432–442, 1993.
7. ITU-T Recommendation Z.120, Message Sequence Chart (MSC), March 1993.
8. V. Levin and D. Peled. Verification of message sequence charts via template matching. In TAPSOFT (FASE)'97, Theory and Practice of Software Development, volume 1214 of Lecture Notes in Computer Science, pages 652–666, Lille, France, 1997. Springer.
9. M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures and domains, part 1. Theoretical Computer Science, 13:85–108, 1981.
10. J.-E. Pin. Syntactic semigroups. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages, volume 1, pages 679–738. Springer, Berlin-Heidelberg-New York, 1997.
11. V. R. Pratt. Modelling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33–71, 1986.
The Church-Rosser Languages Are the Deterministic Variants of the Growing Context-Sensitive Languages
Gundula Niemann and Friedrich Otto
Fachbereich Mathematik/Informatik, Universität Kassel, D–34109 Kassel
@theory.informatik.uni-kassel.de
Abstract. The growing context-sensitive languages have been classified through the shrinking two-pushdown automaton, the deterministic version of which characterizes the class of generalized Church-Rosser languages (Buntrock and Otto 1995). Exploiting this characterization we prove that this latter class coincides with the class of Church-Rosser languages that was introduced by McNaughton, Narendran, and Otto (1988). Based on this result several open problems of McNaughton et al can be answered.
1 Introduction
If $R$ is a finite and length-reducing string-rewriting system on some finite alphabet $\Sigma$, then there exists a linear-time algorithm that, given a string $w \in \Sigma^*$ as input, computes an irreducible descendant $w'$ of $w$ with respect to the reduction relation $\to^*_R$ that is induced by $R$ [2,3]. If, in addition, the system $R$ is confluent, then the irreducible descendant $w'$ is uniquely determined by $w$. Hence, in this situation two strings $u$ and $v$ are congruent modulo the Thue congruence $\leftrightarrow^*_R$ induced by $R$ if and only if their respective irreducible descendants $u'$ and $v'$ coincide. Thus, the word problem for a finite, length-reducing, and confluent string-rewriting system is decidable in linear time.

Motivated by this result McNaughton, Narendran, and Otto [11] introduced the notion of a Church-Rosser language. A Church-Rosser language $L \subseteq \Sigma^*$ is given through a finite, length-reducing, and confluent string-rewriting system $R$ on some alphabet $\Gamma$ properly containing $\Sigma$, two irreducible strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^*$, and an irreducible letter $Y \in \Gamma \setminus \Sigma$ satisfying the following condition for all strings $w \in \Sigma^*$: $w \in L$ if and only if $t_1 w t_2 \to^*_R Y$. Hence, the membership problem for a Church-Rosser language is decidable in linear time, and so the class CRL of Church-Rosser languages is contained in the class CSL of context-sensitive languages. On the other hand, the class CRL contains the class DCFL of deterministic context-free languages, and it contains some languages that are not even context-free [11]. Hence, the class CRL can be seen as an extension of the class DCFL that preserves the linear-time decidability of the membership problem. As such it is certainly an interesting language class. Accordingly, McNaughton et al established some closure properties for the class CRL, but it remained open whether the class CRL is closed under the operation of complementation. Accordingly, they introduced the class of Church-Rosser decidable languages CRDL, which still contains the class DCFL and which is closed under complementation. Also it remained open at the time whether or not every context-free language is a Church-Rosser language, although it was conjectured that the linear language $L_0 := \{ww^\sim \mid w \in \{a, b\}^*\}$ is not a Church-Rosser language. Here $w^\sim$ denotes the reversal of the string $w$.

M. Nivat (Ed.): FoSSaCS 98, LNCS 1378, pp. 243–257, 1998. © Springer-Verlag Berlin Heidelberg 1998

After their introduction the Church-Rosser languages did not receive much attention until another, seemingly unrelated development had taken place. Dahlhaus and Warmuth [8] considered the class GCSL of growing context-sensitive languages. These languages are generated by context-sensitive grammars each production rule of which is strictly length-increasing. They proved that these languages have membership problems that are decidable in polynomial time. Although it might appear from the definition that GCSL is not an interesting class of languages, Buntrock and Loryś showed that GCSL is an abstract family of languages [5], that is, this class of languages is closed under union, concatenation, iteration, intersection with regular languages, $\varepsilon$-free homomorphisms, and inverse homomorphisms. Exploiting these closure properties Buntrock and Loryś characterized the class GCSL through various other classes of grammars that are less restricted [5,6]. Using these grammars Buntrock and Otto [7] obtained a characterization of the class GCSL by a nondeterministic machine model, the so-called shrinking pushdown automaton with two pushdown stores (sTPDA).
The input for such a machine is provided as the initial contents of one of the pushdown stores, and it accepts either by final state or (equivalently) by empty pushdown stores. A positive weight is assigned to each tape symbol and each internal state symbol of the machine. By adding up the weights this gives a weight for each configuration. Now it is required that the weight of the actual configuration decreases with each step of the machine. It is with respect to these weights that the two-pushdown automaton is called shrinking.

Since the sTPDA is a nondeterministic device, it was only natural to consider the class of languages that are accepted by the deterministic variant of it. As it turned out the deterministic sTPDA accept exactly the so-called generalized Church-Rosser languages, which are obtained from the Church-Rosser languages by admitting finite, weight-reducing, and confluent string-rewriting systems in the definition [7]. Thus, the class GCRL of generalized Church-Rosser languages coincides with the class of ‘deterministic growing context-sensitive languages.’ In particular, it follows that this class is closed under complementation. Further, Buntrock and Otto concluded from this result that the language classes CFL and GCRL, and therewith the classes CFL and CRL, are indeed incomparable under set inclusion. Since CFL is contained in GCSL, it follows that GCRL is properly contained in the class GCSL, that is, we obtain the following chain of (proper) inclusions:
$$\mathrm{DCFL} \subset \mathrm{CRDL} \subseteq \mathrm{CRL} \subseteq \mathrm{GCRL} \subset \mathrm{GCSL} \subset \mathrm{CSL},$$
where it was left open whether or not the two inclusions $\mathrm{CRDL} \subseteq \mathrm{CRL} \subseteq \mathrm{GCRL}$ are proper.

Here we show that the three language classes CRDL, CRL, and GCRL coincide. Our proof makes use of the above-mentioned characterization of the generalized Church-Rosser languages through the deterministic sTPDA. We will prove that each language that is accepted by some deterministic sTPDA is actually a Church-Rosser decidable language. Hence, $\mathrm{GCRL} \subseteq \mathrm{CRDL}$, implying that the three classes above actually coincide. Hence, the class of Church-Rosser languages can be characterized as the class of deterministic growing context-sensitive languages.

It remains to determine the closure properties of this class of languages. The closure under the operation of taking the complement follows from the above characterization. Recently, Otto, Katsura, and Kobayashi [12] proved that the class of Church-Rosser languages is a basis for the recursively enumerable (r.e.) languages. Here, a class of languages $\mathcal{C}$ is called a basis for the r.e. languages if, for each r.e. language $L \subseteq \Sigma^*$, there exists a language $C \in \mathcal{C}$ on some alphabet $\Gamma$ strictly containing $\Sigma$ such that $L = \pi_\Sigma(C)$, where $\pi_\Sigma$ denotes the canonical projection from $\Gamma^*$ onto $\Sigma^*$. It follows that the class CRL is not closed under morphisms.

This paper is organized as follows. In Section 2 we introduce the necessary notation regarding string-rewriting systems and restate the definitions of the various classes of Church-Rosser languages. In the next section we introduce the shrinking two-pushdown automaton and restate some results from Buntrock and Otto [7]. In addition we prove a technical result for this type of automaton. Then in Section 4 we prove the announced main result, and in the next section we summarize the known closure and non-closure properties of the class CRL. In the final section we review our results and draw some easy consequences.
2 The Church-Rosser Languages
Here we restate the main definitions and establish notation regarding the various classes of Church-Rosser languages. For additional information concerning the notions introduced the reader is asked to consult the literature, where [3] serves as our main reference concerning the theory of string-rewriting systems, and [10] is our main reference for formal language and automata theory.

Let $\Sigma$ be a finite alphabet. Then $\Sigma^*$ denotes the set of strings over $\Sigma$ including the empty string $\varepsilon$, and $\Sigma^+ := \Sigma^* \setminus \{\varepsilon\}$. A function $\varphi : \Sigma \to \mathbb{N}_+$ is called a weight-function. Its extension to $\Sigma^*$, which we will also denote by $\varphi$, is defined inductively through $\varphi(\varepsilon) := 0$ and $\varphi(wa) := \varphi(w) + \varphi(a)$ for all $w \in \Sigma^*$ and $a \in \Sigma$. A particular weight-function is the length-function $|\,.\,| : \Sigma \to \mathbb{N}_+$, which assigns each letter the weight (length) 1.
A string-rewriting system $R$ on $\Sigma$ is a subset of $\Sigma^* \times \Sigma^*$. An element $(\ell, r) \in R$ is called a rewrite rule or simply a rule, and it will usually be written as $(\ell \to r)$. A string-rewriting system $R$ induces several binary relations on $\Sigma^*$, the simplest of which is the single-step reduction relation $\to_R := \{(u\ell v, urv) \mid u, v \in \Sigma^*, (\ell \to r) \in R\}$. Its reflexive and transitive closure is the reduction relation $\to^*_R$ induced by $R$, and its reflexive, symmetric, and transitive closure $\leftrightarrow^*_R$ is the Thue congruence generated by $R$. If $u \to^*_R v$, then $u$ is an ancestor of $v$, and $v$ is a descendant of $u$. If there is no $v \in \Sigma^*$ such that $u \to_R v$ holds, then the string $u$ is called irreducible (mod $R$). By $\mathrm{IRR}(R)$ we denote the set of all irreducible strings. If $R$ is finite, then $\mathrm{IRR}(R)$ is obviously a regular language. The string-rewriting system $R$ is called
– length-reducing if $|\ell| > |r|$ holds for each rule $(\ell \to r) \in R$,
– weight-reducing if there exists a weight-function $\varphi$ such that $\varphi(\ell) > \varphi(r)$ holds for each rule $(\ell \to r) \in R$,
– confluent if, for all $u, v, w \in \Sigma^*$, $u \to^*_R v$ and $u \to^*_R w$ imply that $v$ and $w$ have a common descendant.

If a string-rewriting system $R$ is weight-reducing, then it allows no infinite reduction sequence of the form $w_0 \to_R w_1 \to_R \ldots$; indeed, if $w_0 \to_R w_1 \to_R \ldots \to_R w_m$, then $m \le \varphi(w_0)$. If, in addition, $R$ is confluent, then each string $w \in \Sigma^*$ has a unique irreducible descendant $w' \in \mathrm{IRR}(R)$. Actually, in this situation $u \leftrightarrow^*_R v$ if and only if $u' = v'$. Since $u'$ can be determined from $u$ in linear time, this shows that the Thue congruence $\leftrightarrow^*_R$ is decidable in linear time for each finite, weight-reducing, and confluent string-rewriting system.

Definition 1. (a) A language $L \subseteq \Sigma^*$ is a Church-Rosser language (CRL) if there exist an alphabet $\Gamma \supsetneq \Sigma$, a finite, length-reducing, confluent string-rewriting system $R$ on $\Gamma$, two strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^* \cap \mathrm{IRR}(R)$, and a letter $Y \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to^*_R Y$ if and only if $w \in L$.
(b) A language $L \subseteq \Sigma^*$ is a Church-Rosser decidable language (CRDL) if it is a Church-Rosser language, and there exists a letter $N \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to^*_R N$ if and only if $w \notin L$.
(c) A language $L \subseteq \Sigma^*$ is a generalized Church-Rosser language (GCRL) if there exist an alphabet $\Gamma \supsetneq \Sigma$, a finite, weight-reducing, confluent string-rewriting system $R$ on $\Gamma$, two strings $t_1, t_2 \in (\Gamma \setminus \Sigma)^* \cap \mathrm{IRR}(R)$ and a letter $Y \in (\Gamma \setminus \Sigma) \cap \mathrm{IRR}(R)$ such that, for all $w \in \Sigma^*$, $t_1 w t_2 \to^*_R Y$ if and only if $w \in L$.

Analogously to (b) the class of generalized Church-Rosser decidable languages could be defined, but the results of Buntrock and Otto [7] imply that this class coincides with the class GCRL of generalized Church-Rosser languages.
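As an added illustration of Definition 1(a) and of the linear-time reduction mentioned in the Introduction (our own example, not from the paper), the Python code below implements the classical stack-based algorithm that computes the irreducible descendant of a string modulo a finite, length-reducing string-rewriting system, and uses it to decide membership in a small Church-Rosser language. The system $R$, the language $\{a^n b^n \mid n \ge 1\}$ over $\Sigma = \{a, b\}$, the markers $t_1 = {<}$, $t_2 = {>}$ and the auxiliary letters $c$, $Y$ are constructed for this example.

```python
"""Deciding membership in a Church-Rosser language (Definition 1(a)).

Added example, not from the paper.  The system R, the end markers and the
language L = {a^n b^n | n >= 1} over Sigma = {a, b} are constructed here;
Gamma = Sigma U {c, <, >, Y}, t1 = '<', t2 = '>'.
"""

SIGMA = {"a", "b"}
# Every rule is length-reducing, and no left-hand side overlaps another
# (neither as a factor nor as suffix/prefix), so R has no critical pairs
# and is therefore confluent.
R = {
    "ab": "c",    # the innermost matching pair becomes the marker c
    "acb": "c",   # peel one further a ... b around the marker
    "<c>": "Y",   # exactly one marker between the end markers: accept
}
T1, T2, Y = "<", ">", "Y"


def irreducible_descendant(w, rules):
    """Irreducible descendant of w modulo a finite, length-reducing system.

    Classical stack algorithm, linear in |w| for a fixed system: symbols
    move from the input onto a stack whose content is kept irreducible;
    whenever a left-hand side appears as a suffix of the stack it is popped
    and its right-hand side is pushed back onto the input.  For a confluent
    system the result is the unique irreducible descendant."""
    max_lhs = max(len(lhs) for lhs in rules)
    stack = []
    pending = list(reversed(w))              # pending[-1] is the next symbol
    while pending:
        stack.append(pending.pop())
        for k in range(1, min(max_lhs, len(stack)) + 1):
            suffix = "".join(stack[-k:])
            if suffix in rules:
                del stack[-k:]
                pending.extend(reversed(rules[suffix]))
                break
    return "".join(stack)


def in_language(w, rules=R, t1=T1, t2=T2, accept=Y):
    """w in L iff t1 w t2 ->*_R Y."""
    if not set(w) <= SIGMA:
        raise ValueError("w must be a word over Sigma")
    return irreducible_descendant(t1 + w + t2, rules) == accept
```

The stack content is irreducible after every push, so the total number of pushes is bounded by $|w|$ plus the sum of the right-hand sides pushed back, which is smaller than the number of symbols popped; this is where length-reduction gives the linear bound. Words outside the language, such as $abab$ or $aab$, get stuck at irreducible strings like ${<}cc{>}$ or ${<}ac{>}$ that differ from $Y$.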
3 Shrinking Two-Pushdown Automata
In [7] Buntrock and Otto introduce the following type of automaton in order to characterize the class GCSL of growing context-sensitive languages.

Definition 2. (a) A two-pushdown automaton (TPDA) is a nondeterministic automaton with two pushdown stores. It is defined as a 7-tuple $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$, where
– $Q$ is the finite set of states,
– $\Sigma$ is the finite input alphabet,
– $\Gamma$ is the finite tape alphabet with $\Gamma \supsetneq \Sigma$ and $\Gamma \cap Q = \emptyset$,
– $q_0 \in Q$ is the initial state,
– $\bot \in \Gamma \setminus \Sigma$ is the bottom marker of the pushdown stores,
– $F \subseteq Q$ is the set of final (or accepting) states, and
– $\delta : Q \times \Gamma \times \Gamma \to 2^{Q \times \Gamma^* \times \Gamma^*}$ is the transition relation, where $\delta(q, a, b)$ is a finite set for each triple $(q, a, b) \in Q \times \Gamma \times \Gamma$.
$M$ is a deterministic two-pushdown automaton (DTPDA), if $\delta$ is a (partial) function from $Q \times \Gamma \times \Gamma$ into $Q \times \Gamma^* \times \Gamma^*$.
(b) A configuration of a (D)TPDA $M$ is described as $uqv$ with $q \in Q$ and $u, v \in \Gamma^*$, where $u$ is the contents of the first pushdown store with the first letter of $u$ at the bottom and the last letter of $u$ at the top, $q$ is the current state, and $v$ is the contents of the second pushdown store with the last letter of $v$ at the bottom and the first letter of $v$ at the top. $M$ induces a computation relation $\vdash^*_M$ on the set of configurations, which is the reflexive, transitive closure of the single-step computation relation $\vdash_M$ (see, e.g., [10]). For an input string $w \in \Sigma^*$, the corresponding initial configuration is $\bot q_0 w \bot$. $M$ accepts by empty pushdown stores: $N(M) := \{w \in \Sigma^* \mid \exists q \in Q : \bot q_0 w \bot \vdash^*_M q\}$.
(c) A (D)TPDA $M$ is called shrinking if there exists a weight-function $\varphi : Q \cup \Gamma \to \mathbb{N}_+$ such that, for all $q \in Q$ and $a, b \in \Gamma$, if $(p, u, v) \in \delta(q, a, b)$, then $\varphi(upv) < \varphi(aqb)$. By sTPDA and sDTPDA we denote the corresponding classes of shrinking automata.

Thus, if $M$ is a shrinking TPDA with weight-function $\varphi$, then $\varphi(u_1 q_1 v_1) > \varphi(u_2 q_2 v_2)$ holds for all configurations $u_1 q_1 v_1$ and $u_2 q_2 v_2$ of $M$ that satisfy $u_1 q_1 v_1 \vdash_M u_2 q_2 v_2$.
Observe that the input is provided to a TPDA as the initial contents of its second pushdown store, and that in order to accept a TPDA is required to empty its pushdown stores. Thus, it is forced to consume the input completely. Using standard techniques from automata theory it can be shown that, for a (shrinking) (D)TPDA $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$, we may require that the special symbol $\bot$ can only occur at the bottom of a pushdown store, and that no other symbol can occur at that place.
From the definition of the transition relation $\delta$ we see that $M$ halts immediately whenever one of its pushdown stores is emptied. Because of the above property this happens if and only if a transition of the form $(q, a, \bot) \mapsto (q', \alpha, \varepsilon)$ or $(q, \bot, b) \mapsto (q', \varepsilon, \beta)$ is performed. Thus, we can assume without loss of generality that, if $M$ does accept on input $w \in \Sigma^*$, then $\bot q_0 w \bot \vdash^*_M q$ for some $q \in F$, and if $M$ does not accept on input $w \in \Sigma^*$, then $\bot q_0 w \bot \vdash^*_M \bot q$ for some $q \in F$, that is, even in this situation $M$ empties its second pushdown store completely and only leaves the bottom marker on its first pushdown store before it halts. Hence, all the halting and accepting configurations of $M$ are of the form $q$, where $q \in F$, and all the halting and rejecting configurations of $M$ are of the form $\bot q$, where $q \in F$. In addition, we can assume that $M$ only has a single halting state.

Buntrock and Otto established the following characterization for the classes of languages that are accepted by nondeterministic or deterministic shrinking TPDAs, respectively.

Proposition 3. [7] (a) A language is accepted by some shrinking TPDA if and only if it is growing context-sensitive.
(b) A language is accepted by some shrinking DTPDA if and only if it is a generalized Church-Rosser language.

A detailed presentation of the class GCSL of growing context-sensitive languages can be found in Buntrock's Habilitationsschrift [4]. The above proposition shows that the generalized Church-Rosser languages can be interpreted as the deterministic variants of the growing context-sensitive languages. We close this section with a technical lemma on shrinking TPDA that we will need in the next section to prove our main result.

Lemma 4. Let $M$ be a TPDA that is shrinking with respect to the weight-function $\varphi$. Then there exists a TPDA $M'$ accepting the same language as $M$ such that $M'$ is deterministic, if $M$ is, and $M'$ is shrinking with respect to a weight-function $\psi$ that satisfies the following condition:
$(*)$ Whenever $u_1 q_1 v_1$ and $u_2 q_2 v_2$ are configurations of $M'$ such that $u_1 q_1 v_1 \vdash_{M'} u_2 q_2 v_2$, then $\psi(u_1 q_1 v_1) - \psi(u_2 q_2 v_2)= 1$.

Proof. Let $M = (Q, \Sigma, \Gamma, \delta, q_0, \bot, F)$ be a TPDA that is shrinking with respect to the weight-function $\varphi : Q \cup \Gamma \to \mathbb{N}_+$, that is, $\varphi(aqb) - \varphi(upv) > 0$ for all $q \in Q$, $a, b \in \Gamma$, and $(p, u, v) \in \delta(q, a, b)$. We construct a TPDA $M' := (Q', \Sigma, \Gamma, \delta', q_0, \bot, F)$ and a weight-function $\psi : Q' \cup \Gamma \to \mathbb{N}_+$ as follows. First we number the instructions of $M$, that is, the lines in the table describing the transition relation $\delta$, from 1 to $m$. For each $i \in \{1, \ldots, m\}$, let the $i$-th instruction of $M$ be denoted as $(p_i, u_i, v_i) \in \delta(q_i, a_i, b_i)$, and let $\gamma_i := \varphi(a_i q_i b_i) - \varphi(u_i p_i v_i)$.
249
If γi = 1, then take Q0i := ∅ and add the transition (qi , ai , bi ) → (pi , ui , vi ) to δ . If γi > 1, then take Q0i := {qi,1 , . . . , qi,γi −1 }, where qi,1 , . . . , qi,γi −1 are γi − 1 new states, and add the following transitions to δ 0 : 0
→ (qi,1 , ai , bi ), (qi , ai , bi ) → (qi,j+1 , ai , bi ), j = 1, . . . , γi − 2, (qi,j , ai , bi ) (qi,γi −1 , ai , bi ) → (pi , ui , vi ). Finally, let Q0 := Q ∪
m S i=1
Q0i , let δ 0 consist of all the transitions introduced
so far, and define a preliminary weight-function ψ 0 : Q0 ∪ Γ → Z as follows: for all a ∈ Γ, ψ 0 (a) := ϕ(a) for all qi ∈ Q, ψ 0 (qi ) := ϕ(qi ) ψ 0 (qi,j ) := ϕ(qi ) − j for all i ∈ {1, . . . , m} and j ∈ {1, . . . , γi − 1}.
It is easily verified that ψ 0 (u1 q1 v1 ) − ψ 0 (u2 q2 v2 ) = 1 holds for all configurations u1 q1 v1 and u2 q2 v2 of M 0 that satisfy u1 q1 v1 `M 0 u2 q2 v2 . Unfortunately, ψ 0 may not be an acceptable weight-function, since ψ 0 (qi,j ) could be a negative number for some choices of i and j. To correct this problem let µ := min{ψ 0 (p0 ) | p0 ∈ Q0 }. If µ < 0, then choose ψ(q 0 ) := ψ 0 (q 0 ) + |µ| + 1 for all q 0 ∈ Q0 , otherwise, let ψ(q 0 ) := ψ 0 (q 0 ) for all q 0 ∈ Q0 . Also choose ψ(a) := ψ 0 (a) for all a ∈ Γ . Then ψ : Q0 ∪ Γ → N + is a weight-function such that ψ(u1 q1 v1 ) − ψ(u2 q2 v2 ) = 1 holds for all configurations u1 q1 v1 and u2 q2 v2 of M 0 that satisfy u1 q1 v1 `M 0 u2 q2 v2 . It is easily seen that N (M 0 ) = N (M ) and that M 0 is deterministic, if M is deterministic. t u Thus, in the following we can always assume that in each step of a sTPDA the weight of the actual configuration decreases by 1. Hence, if u1 q1 v1 and u2 q2 v2 are configurations of an sTPDA M with weight-function ϕ such that u1 q1 v1 `kM u2 q2 v2 for some k ∈ N , then ϕ(u1 q1 v1 ) − ϕ(u2 q2 v2 ) = k.
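The transition-splitting step of Lemma 4 can be run mechanically. The following Python is an added example, not code from the paper or its authors: it takes a constructed TPDA instruction table and weight-function ϕ (the sample automaton, its symbols and the generated state names q_i_j are assumptions made for this illustration), inserts the γ_i − 1 idle states q_{i,1}, …, q_{i,γ_i−1}, builds ψ' and applies the final shift, and then checks condition (∗) on the result. The shift is chosen so that the smallest state weight becomes 1; for µ < 0 this is exactly the lemma's |µ| + 1.

```python
"""Lemma 4 as an executable construction (added example, not the paper's code).

A TPDA instruction (q, a, b) -> (p, u, v) means: in state q with a on top of the
first pushdown store and b on top of the second, enter state p and replace a by
the string u and b by the string v. Stack symbols are single characters so that
a stack content can be written as a plain string; states may be any string.
"""
from typing import Dict, List, Tuple

Instr = Tuple[Tuple[str, str, str], Tuple[str, str, str]]


def conf_weight(w: Dict[str, int], left: str, state: str, right: str) -> int:
    """Weight of the configuration `left state right` under weight-function w."""
    return sum(w[c] for c in left) + w[state] + sum(w[c] for c in right)


def unit_step_tpda(instrs: List[Instr], phi: Dict[str, int]) -> Tuple[List[Instr], Dict[str, int]]:
    """Return (delta', psi): the instruction table of M' and the weight-function psi
    from the proof of Lemma 4, so that every step of M' lowers the weight by 1."""
    new_instrs: List[Instr] = []
    psi0: Dict[str, int] = {}            # preliminary weights psi' on states
    for i, ((q, a, b), (p, u, v)) in enumerate(instrs, start=1):
        psi0.setdefault(q, phi[q])
        psi0.setdefault(p, phi[p])
        gamma = conf_weight(phi, a, q, b) - conf_weight(phi, u, p, v)
        if gamma < 1:
            raise ValueError(f"instruction {i} does not shrink: M is not shrinking w.r.t. phi")
        # Chain q -> q_{i,1} -> ... -> q_{i,gamma-1} -> p.  The first gamma-1 steps leave
        # both stack tops untouched; only the last step performs the original rewrite.
        chain = [q] + [f"{q}_{i}_{j}" for j in range(1, gamma)]   # hypothetical state names
        for j, s in enumerate(chain[1:], start=1):
            psi0[s] = phi[q] - j                                  # psi'(q_{i,j}) := phi(q_i) - j
        for s, t in zip(chain, chain[1:]):
            new_instrs.append(((s, a, b), (t, a, b)))
        new_instrs.append(((chain[-1], a, b), (p, u, v)))
    # psi' may be negative on some q_{i,j}; shift every state weight by one constant so the
    # minimum becomes 1 (this is the lemma's |mu|+1 shift when mu < 0, and also covers mu = 0).
    mu = min(psi0.values())
    shift = 1 - mu if mu < 1 else 0
    psi = {s: val + shift for s, val in psi0.items()}
    for sym, val in phi.items():          # stack symbols (and unused states) keep their phi weight
        psi.setdefault(sym, val)
    return new_instrs, psi


def every_step_drops_by_one(instrs: List[Instr], w: Dict[str, int]) -> bool:
    """Condition (*) of Lemma 4, checked instruction by instruction."""
    return all(conf_weight(w, a, q, b) - conf_weight(w, u, p, v) == 1
               for (q, a, b), (p, u, v) in instrs)


# Constructed sample TPDA (not from the paper): bottom marker Z, stack symbols a, b,
# states q0, q1, q2; the weights make the three instructions shrink by 3, 6 and 1.
PHI = {"Z": 1, "a": 2, "b": 3, "q0": 5, "q1": 4, "q2": 3}
M_INSTRS: List[Instr] = [
    (("q0", "a", "b"), ("q1", "b", "")),    # 2+5+3 = 10 -> 3+4+0 = 7, gamma = 3
    (("q1", "b", "b"), ("q1", "", "")),     # 3+4+3 = 10 -> 4,         gamma = 6
    (("q1", "Z", "a"), ("q2", "Z", "a")),   # 1+4+2 = 7  -> 1+3+2 = 6, gamma = 1
]

if __name__ == "__main__":
    delta, psi = unit_step_tpda(M_INSTRS, PHI)
    for lhs, rhs in delta:
        print(lhs, "->", rhs)
    print("psi =", psi)
    print("every step drops the weight by exactly 1:", every_step_drops_by_one(delta, psi))
```

Each new state has exactly one outgoing instruction, so determinism is preserved, and because every configuration carries exactly one state symbol, adding the same constant to all state weights leaves every difference ψ(u1q1v1) − ψ(u2q2v2) unchanged.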
4 The Main Result

From the definitions we know that CRDL ⊆ CRL ⊆ GCRL holds. Here we prove that also GCRL ⊆ CRDL holds, thus showing that the three classes actually coincide.

Theorem 5. GCRL ⊆ CRDL.

Proof. Let L ⊆ Σ* be a generalized Church-Rosser language. By Proposition 3(b) there exist a DTPDA M = (Q, Σ, Γ, δ, q0, ⊥, F) and a weight-function ϕ such that N(M) = L, where M is shrinking with respect to ϕ. As observed in the previous section we can assume the following:
(i) Each non-halting configuration of M is of the form ⊥uqv⊥ for some u, v ∈ (Γ \ {⊥})* and q ∈ (Q \ F).
(ii) F = {q_f}, that is, M has a single halting state only.
(iii) The only accepting and halting configuration of M that is reachable from an initial configuration is the configuration q_f.
(iv) The only non-accepting and halting configuration of M that is reachable from an initial configuration is the configuration ⊥q_f.
(v) If u1q1v1 ⊢_M u2q2v2, then ϕ(u1q1v1) − ϕ(u2q2v2) = 1 (Lemma 4).

Let # be a new symbol. We define a morphism h : (Γ ∪ Q)* → (Γ ∪ Q ∪ {#})* by taking h(a) := a #^{ϕ(a)−1} for all a ∈ Γ ∪ Q. Then |h(w)| = ϕ(w) for all w ∈ (Γ ∪ Q)*, and h(Γ ∪ Q) ⊆ (Γ ∪ Q ∪ {#})+ is a prefix code. Thus, the morphism h : (Γ ∪ Q)* → (Γ ∪ Q ∪ {#})* is an injective mapping. Further, let µ := max{ϕ(a) | a ∈ Γ ∪ Q} denote the maximal weight of any letter from Γ ∪ Q.

In order to show that the language L is actually Church-Rosser decidable, we now construct a finite, length-reducing, and confluent string-rewriting system R on some finite alphabet ∆ ⊋ Σ that will witness this fact. Essentially R will simulate the computations of the sDTPDA M. However, this cannot be a straightforward simulation, since R is length-reducing, while M is shrinking only with respect to the weight-function ϕ. Therefore we would like to replace a configuration ⊥uqv⊥ of M by the string h(⊥uqv⊥). Since this replacement increases the length of the string considered, we need to compress the resulting string by combining several letters into a single new letter. This, however, creates another problem. If ⊥u1q1v1⊥ ⊢_M ⊥u2q2v2⊥, then by (v) |h(⊥u1q1v1⊥)| − 1 = |h(⊥u2q2v2⊥)|, but for the compressed forms of the strings h(⊥u1q1v1⊥) and h(⊥u2q2v2⊥) the length might be the same. To overcome this problem we choose the fixed rate of compression 2µ, and simulate 2µ steps of M through a single application of a rule of R. If ⊥u1q1v1⊥ ⊢^{2µ}_M ⊥u2q2v2⊥, then |h(⊥u1q1v1⊥)| − 2µ = |h(⊥u2q2v2⊥)|, and hence, if γ1 and γ2 are the compressed forms of h(⊥u1q1v1⊥) and h(⊥u2q2v2⊥), respectively, then

$$|\gamma_1| - 1 = \frac{|h(\bot u_1 q_1 v_1 \bot)| - 2\mu}{2\mu} = \frac{|h(\bot u_2 q_2 v_2 \bot)|}{2\mu} = |\gamma_2|.$$
To perform this construction we first determine the alphabet ∆. Let Γ̄ ∪ {#̄} be a new alphabet that is in 1-to-1 correspondence to Γ ∪ {#}, and let ¯ : Γ ∪ {#} → Γ̄ ∪ {#̄} denote this correspondence. Further, define four new alphabets as follows:

$$\begin{aligned}
A_{\le} &:= \{a_w \mid w \in (\Gamma \cup \{\#\})^* \text{ and } 1 \le |w| \le \mu\},\\
\bar{A} &:= \{a_w \mid w \in (\bar\Gamma \cup \{\bar{\#}\})^* \text{ and } |w| = 2\mu\},\\
A &:= \{a_w \mid w \in (\Gamma \cup \{\#\})^* \text{ and } |w| = 2\mu\}, \text{ and}\\
A_Q &:= \{a_{uqv} \mid u \in (\bar\Gamma \cup \{\bar{\#}\})^*,\ q \in Q,\ v \in (\Gamma \cup \{\#\})^* \text{ and } |uqv| = 2\mu\}.
\end{aligned}$$

Thus, each letter a_w ∈ A_≤ ∪ Ā ∪ A ∪ A_Q represents a string w of length at most 2µ. Finally, we take ∆ := Σ ∪ {q0, ⊥, ⊥̄, Y, N} ∪ A_≤ ∪ Ā ∪ A ∪ A_Q, where we assume that all the subalphabets displayed are pairwise disjoint. To simplify the following considerations we define a morphism π : (A_≤ ∪ Ā ∪ A ∪ A_Q)* → (Γ ∪ Q ∪ {#})*
through the following mapping:

$$a \mapsto \begin{cases} w, & \text{if } a = a_w \in A_{\le} \cup A,\\ w, & \text{if } a = a_{\bar w} \in \bar A,\\ uqv, & \text{if } a = a_{\bar u q v} \in A_Q. \end{cases}$$

Thus, π replaces each letter a ∈ A_≤ ∪ Ā ∪ A ∪ A_Q by the string it represents, where in addition each factor ū ∈ (Γ̄ ∪ {#̄})+ is replaced by the corresponding string u ∈ (Γ ∪ {#})+.

The string-rewriting system R will consist of four subsystems R0, R1, R2, and R3.

(0) The subsystem R0 is used to take care of those inputs w ∈ Σ* for the sDTPDA M that are short:
R0 := {⊥q0w⊥ → Y | w ∈ Σ*, ϕ(w⊥) ≤ 4µ, and w ∈ L} ∪ {⊥q0w⊥ → N | w ∈ Σ*, ϕ(w⊥) ≤ 4µ, and w ∉ L}.
Obviously, R0 is a finite system containing only length-reducing rules, and there are no non-trivial overlaps between the left-hand sides of the rules of R0.

(1) The subsystem R1 transforms the description ⊥q0w⊥ of an initial configuration ⊥q0w⊥ of M into a compressed form c ∈ Ā* · A_Q · A*, if w is sufficiently long. It consists of three parts.

(1.1) R1,1 := {w⊥ → α0α1α2 | w = av ∈ Σ* for some a ∈ Σ such that ϕ(v⊥) ≤ 4µ < ϕ(w⊥) ≤ 5µ, α0 ∈ A_≤, and α1, α2 ∈ A satisfying π(α0α1α2) = h(w⊥)}.
Since 4µ < ϕ(w⊥) ≤ (|w| + 1) · µ, we see that |w| > 3. Hence, R1,1 is a finite system of length-reducing rules. The given weight restrictions for w⊥ imply that the left-hand side of no rule of R1,1 is a proper suffix of the left-hand side of any other rule of R1,1. Further, the right-hand side α0α1α2 of a rule of R1,1 is uniquely determined by the left-hand side, since the morphism h is injective. Hence, there are no non-trivial overlaps between the left-hand sides of the rules of R1,1.

(1.2) R1,2 := {wα'1 → α'2α | w = av ∈ Σ* for some a ∈ Σ, α'1, α'2 ∈ A_≤, and α ∈ A such that |h(v)π(α'1)| ≤ 2µ < |h(w)π(α'1)| ≤ 3µ and π(α'2α) = h(w)π(α'1)}.
Since |π(α'1)| ≤ µ, 2µ < |h(w)π(α'1)| = ϕ(w) + |π(α'1)| implies that ϕ(w) > µ, which in turn yields |w| ≥ 2. Hence, R1,2 is a finite system containing only length-reducing rules.
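The weight-to-length trick behind h and the block alphabets can be made concrete. The Python below is an added example, not code from the paper: with a constructed weight-function (the symbols Z, a, b, p, r and their weights are assumptions for this illustration) it encodes a configuration with h, shows that h parses back uniquely because h(Γ ∪ Q) is a prefix code, cuts h(⊥uqv⊥) into letters of Ā* · A_Q · A* at the fixed rate 2µ, and decodes with π. Block letters are represented as (kind, content) pairs, the bar being recorded in the kind rather than on the symbols.

```python
"""Morphism h and fixed-rate compression from the proof of Theorem 5
(added example, not the paper's code).

h(a) = a #^(phi(a)-1) gives |h(w)| = phi(w).  Every code word starts with its own
letter and '#' is never a letter, so h(Gamma ∪ Q) is a prefix code and h is injective.
A configuration whose weight is a multiple of 2*mu is cut into blocks of 2*mu symbols:
blocks left of the state are barred (A-bar), the block holding the state is an A_Q
letter, blocks right of the state are plain A letters.
"""
from typing import Dict, List, Tuple

Block = Tuple[str, str]   # (kind, content) with kind in {"bar", "Q", "plain"}


def h_encode(phi: Dict[str, int], w: str) -> str:
    """Morphism h: each letter a is followed by phi(a)-1 padding symbols '#'."""
    return "".join(c + "#" * (phi[c] - 1) for c in w)


def h_decode(phi: Dict[str, int], s: str) -> str:
    """Inverse of h, parsed as a prefix code: a letter fixes how many '#' follow it."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "#" or c not in phi:
            raise ValueError(f"not in the image of h at position {i}")
        n_pad = phi[c] - 1
        if s[i + 1:i + 1 + n_pad] != "#" * n_pad:
            raise ValueError(f"letter {c!r} at {i} is not followed by {n_pad} '#'")
        out.append(c)
        i += 1 + n_pad
    return "".join(out)


def compress(phi: Dict[str, int], left: str, state: str, right: str, mu: int) -> List[Block]:
    """Cut h(left state right) into letters of A-bar* . A_Q . A* (blocks of 2*mu symbols)."""
    enc = h_encode(phi, left) + h_encode(phi, state) + h_encode(phi, right)
    if len(enc) % (2 * mu) != 0:
        raise ValueError(f"weight {len(enc)} is not a multiple of 2*mu = {2 * mu}")
    state_pos = len(h_encode(phi, left))          # index of the state symbol in enc
    blocks: List[Block] = []
    for start in range(0, len(enc), 2 * mu):
        chunk = enc[start:start + 2 * mu]
        if start + 2 * mu <= state_pos:
            blocks.append(("bar", chunk))         # entirely left of the state: barred letter
        elif start > state_pos:
            blocks.append(("plain", chunk))       # entirely right of the state: plain letter
        else:
            blocks.append(("Q", chunk))           # contains the state symbol: A_Q letter
    return blocks


def pi(blocks: List[Block]) -> str:
    """The morphism pi: each block letter stands for its content, with bars dropped."""
    return "".join(content for _, content in blocks)


# Constructed sample (not from the paper): bottom marker Z, stack symbols a, b; states p, r.
PHI = {"Z": 1, "a": 2, "b": 3, "p": 5, "r": 4}
MU = max(PHI.values())      # mu = 5, so one block letter stands for 2*mu = 10 symbols


def demo() -> Tuple[List[Block], str]:
    """Compress a configuration of weight 9 + 5 + 6 = 20 and decode it again."""
    blocks = compress(PHI, "Zabb", "p", "abZ", MU)
    return blocks, h_decode(PHI, pi(blocks))


if __name__ == "__main__":
    blocks, decoded = demo()
    print(blocks)           # two block letters: one A_Q letter, one plain A letter
    print(decoded)          # the original configuration ZabbpabZ
```

The block count equals ϕ(⊥uqv⊥)/2µ, which is why a rule of R that simulates exactly 2µ steps of M shortens the compressed string by exactly one letter.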
As above it follows that there are no non-trivial overlaps between the left-hand sides of the rules of R1,2.

(1.3) Working from right to left the rules of the subsystems R1,1 and R1,2 replace suffixes v⊥ of ⊥q0w⊥ by the compressed form c ∈ A_≤ · A* of h(v⊥). The subsystem R1,3 will be used to replace the remaining prefix ⊥q0u such that the resulting string belongs to Ā* · A_Q · A*, that is, it is the compressed form of a string x ∈ (Γ ∪ Q)* satisfying |h(x)| ≡ 0 mod 2µ. Unfortunately, the initial configuration ⊥q0w⊥ may not satisfy this requirement. Therefore, if |h(⊥q0w⊥)| ≡ r mod 2µ for some r ∈ {1, …, 2µ−1}, then instead of compressing this initial configuration, we compress the configuration ⊥uqv⊥ that is obtained from ⊥q0w⊥ after r steps of M. Then |h(⊥uqv⊥)| = |h(⊥q0w⊥)| − r ≡ 0 mod 2µ, and hence, h(⊥uqv⊥) can be encoded through a string c ∈ Ā* · A_Q · A* such that π(c) = h(⊥uqv⊥). In each step the sDTPDA M can remove at most one symbol from the top of its second pushdown store. Thus, the first 2µ − 1 steps of the computation of M on input w depend only on the prefix u of w of length 2µ − 1. Hence, the rules of R1,3 will encode all computations of M of this form.

R1,3 := {⊥q0wα0α1···αn → β1···βm | w ∈ Σ*, α0 ∈ A_≤, α1, …, αn ∈ A such that |h(w)π(α0)| ≤ 2µ, 2 ≤ n ≤ µ, where n < µ implies that π(α0α1···αn) ∈ ((Γ \ {⊥}) ∪ {#})* · h(⊥), and β1, …, βm ∈ Ā ∪ A_Q ∪ A satisfy the following conditions:
(i) β1···βm ∈ Ā* · A_Q · A*,
(ii) h(w)π(α0α1···αn) = h(v)x for some v ∈ (Γ \ {⊥})* · {⊥, ε} and x ∈ (Γ ∪ {#})* satisfying |x| < µ, and
(iii) π(β1···βm) = h(u1q1v1)x for some u1, v1 ∈ Γ* and q1 ∈ Q such that ⊥q0v ⊢^r_M u1q1v1, where r ∈ {0, 1, …, 2µ − 1} satisfies |h(⊥q0w)π(α0)| ≡ r mod 2µ}.

If (⊥q0wα0α1···αn → β1···βm) ∈ R1,3, then m ∈ {n, n + 1, n + 2}. Hence, R1,3 is a finite system of length-reducing rules. It can easily be checked that there are no non-trivial overlaps between the left-hand sides of the rules of R1,3. The subsystem R1 is now taken as R1 := R1,1 ∪ R1,2 ∪ R1,3. From the definitions given it follows immediately that there are no non-trivial overlaps between the left-hand sides of the rules of R1.

(2) The subsystem R2 simulates the computations of the sDTPDA M on strings that represent compressed forms of configurations. Each application of a rule of R2 simulates 2µ steps of M.
R2 := {α1···αn γ αn+1···αn+m → β1···βn+m | α1, …, αn ∈ Ā, γ ∈ A_Q, αn+1, …, αn+m ∈ A such that n, m ≤ µ + 1, where
1 ≤ n ≤ µ implies that π(α1) has prefix h(⊥),
n = 0 implies that π(γ) has prefix h(⊥) and m ≥ 2,
1 ≤ m ≤ µ implies that π(αn+m) has suffix h(⊥), and
m = 0 implies that π(γ) has suffix h(⊥) and n ≥ 2,
β1, …, βn+m ∈ Ā ∪ A_Q ∪ A such that β1···βn+m ∈ Ā* · A_Q · A*, π(α1···αn γ αn+1···αn+m) = x1 h(uqv) x2 for some u, v ∈ Γ*, q ∈ Q, x1 ∈ {#}*, x2 ∈ Γ · {#}*, |x1|, |x2| < µ, x2 ∉ h(Γ), and π(β1···βn+m) = x1 h(u1q1v1) x2 for some u1, v1 ∈ Γ*, q1 ∈ Q, such that uqv and u1q1v1 are valid subconfigurations of M satisfying uqv ⊢^{2µ}_M u1q1v1}.

The conditions on the integers n and m imply that n + m ≥ 2. Further, all rules of R2 are obviously length-reducing. Since uqv and u1q1v1 must be valid subconfigurations of M, ⊥ can occur at most as the first and/or the last letter. Hence, the left-hand side of no rule of R2 is contained in the left-hand side of another rule of R2. Finally, the right-hand side of a rule of R2 is uniquely determined by its left-hand side. Thus, there are no non-trivial overlaps between the left-hand sides of the rules of R2.

(3) The subsystem R3 ends the simulation of computations of M.
R3 := {α1α2 → Y | α1, α2 ∈ Ā ∪ A_Q ∪ A, α1α2 ∈ Ā* · A_Q · A*, π(α1α2) = h(⊥uqv⊥) for some u, v ∈ Γ* and q ∈ Q, and ⊥uqv⊥ ⊢*_M q_f} ∪ {α1α2 → N | α1, α2 ∈ Ā ∪ A_Q ∪ A, α1α2 ∈ Ā* · A_Q · A*, π(α1α2) = h(⊥uqv⊥) for some u, v ∈ Γ* and q ∈ Q, and ⊥uqv⊥ ⊢*_M ⊥q_f}.
Obviously, R3 is a finite length-reducing system, and there are no non-trivial overlaps between the left-hand sides of the rules of R3.

Finally, we take R := R0 ∪ R1 ∪ R2 ∪ R3. Then R is indeed a finite string-rewriting system that contains length-reducing rules only. It is easily verified that there are no non-trivial overlaps between the left-hand sides of the rules of R. Hence, we see that R is also confluent. It remains to prove the following statements for all w ∈ Σ*:
(i) If w ∈ L, then ⊥q0w⊥ →*_R Y.
(ii) If w ∉ L, then ⊥q0w⊥ →*_R N.
These statements show that the system R, together with the strings t1 := ⊥q0 and t2 := ⊥ and the letters Y and N, witnesses the fact that L is a Church-Rosser decidable language. The proof of the statements above will be divided into several claims and their proofs. The first one follows immediately from the choice of the subsystem R0.

Claim 1. For all w ∈ Σ* satisfying ϕ(w) ≤ 4µ − ϕ(⊥) the statements (i) and (ii) hold.

Hence, for the following considerations we can assume that the string w ∈ Σ* satisfies ϕ(w) > 4µ − ϕ(⊥), that is, ϕ(w⊥) > 4µ.

Claim 2. Let w ∈ Σ* such that ϕ(w⊥) > 4µ, and let r ∈ {0, 1, …, 2µ − 1} such that ϕ(⊥q0w⊥) = k · 2µ + r for some k ∈ N. Then there exist α1, …, αk ∈ Ā ∪ A_Q ∪ A satisfying the following conditions:
(i) α1α2···αk ∈ Ā* · A_Q · A*,
(ii) π(α1···αk) = h(⊥uqv⊥) for some configuration ⊥uqv⊥ of M, where ⊥q0w⊥ ⊢^r_M ⊥uqv⊥, and
(iii) ⊥q0w⊥ →*_{R1} α1···αk.

Proof. Let w ∈ Σ* satisfy ϕ(w⊥) > 4µ, and let k ∈ N and r ∈ {0, 1, …, 2µ − 1} such that ϕ(⊥q0w⊥) = k · 2µ + r > 4µ. The computation of M starting from the initial configuration ⊥q0w⊥ either ends with the accepting configuration q_f of weight ϕ(q_f) ≤ µ or with the non-accepting configuration ⊥q_f of weight ϕ(⊥q_f) ≤ 2µ. Hence, this computation consists of more than 2µ steps. Thus, there is a (uniquely determined) configuration ⊥uqv⊥ of M such that ⊥q0w⊥ ⊢^r_M ⊥uqv⊥. Since ϕ(⊥uqv⊥) = ϕ(⊥q0w⊥) − r = k · 2µ, there exist α1, …, αk ∈ Ā ∪ A_Q ∪ A such that α1α2···αk ∈ Ā* · A_Q · A* and π(α1···αk) = h(⊥uqv⊥). It follows easily from the definition of the rules of the system R1 that ⊥q0w⊥ →_{R1,1} w1 →*_{R1,2} w2 →_{R1,3} α1α2···αk holds for some strings w1 and w2. □

Claim 3. Let ⊥uqv⊥ be a configuration of M such that ϕ(⊥uqv⊥) = s · 2µ for some s ≥ 3, and let α1, …, αs ∈ Ā ∪ A_Q ∪ A such that α1···αs ∈ Ā* · A_Q · A* and π(α1···αs) = h(⊥uqv⊥). If ⊥uqv⊥ is reachable from an initial configuration, then there exist a configuration ⊥u1q1v1⊥ of M and letters β1, …, βs−1 ∈ Ā ∪ A_Q ∪ A such that the following conditions are satisfied:
(i) β1β2···βs−1 ∈ Ā* · A_Q · A*,
(ii) π(β1β2···βs−1) = h(⊥u1q1v1⊥),
(iii) ⊥uqv⊥ ⊢^{2µ}_M ⊥u1q1v1⊥, and
(iv) α1α2···αs →_{R2} β1β2···βs−1.

Proof. Let ⊥uqv⊥ be a configuration of M such that ϕ(⊥uqv⊥) = s · 2µ for some s ≥ 3. If ⊥uqv⊥ is reachable from some initial configuration, that is, ⊥q0w⊥ ⊢*_M ⊥uqv⊥ for some w ∈ Σ*, then ⊥uqv⊥ ⊢*_M q_f or ⊥uqv⊥ ⊢*_M ⊥q_f, depending on whether w ∈ L or w ∉ L, respectively. Since the weight of the actual configuration decreases by 1 in each step, we see that there exists a unique configuration ⊥u1q1v1⊥ such that ⊥uqv⊥ ⊢^{2µ}_M ⊥u1q1v1⊥ and ϕ(⊥u1q1v1⊥) = ϕ(⊥uqv⊥) − 2µ = (s − 1) · 2µ. Hence, there exist (uniquely determined) β1, β2, …, βs−1 ∈ Ā ∪ A_Q ∪ A satisfying β1β2···βs−1 ∈ Ā* · A_Q · A* and π(β1β2···βs−1) = h(⊥u1q1v1⊥). During the computation ⊥uqv⊥ ⊢^{2µ}_M ⊥u1q1v1⊥ a suffix u' of u and a prefix v' of v are involved that satisfy |u'|, |v'| ≤ 2µ. Hence, this computation can be described completely by using a window of length 2µ + 1 + 2µ = 4µ + 1 that is placed on ⊥uqv⊥ in such a way that the state symbol q appears in the middle. The corresponding section of h(⊥uqv⊥) is contained in a substring α'1···α'n γ' α'n+1···α'n+m ∈ Ā* · A_Q · A* of α1α2···αs satisfying n, m ≤ µ + 1. From the definition of the subsystem R2 we see that each rule of R2 just simulates 2µ steps of M on a substring of this form. Hence, it follows that α1α2···αs →_{R2} β1β2···βs−1 holds. □

Claim 4. Let ⊥uqv⊥ be a configuration of M such that ϕ(⊥uqv⊥) = 4µ, and let α1, α2 ∈ Ā ∪ A_Q ∪ A such that α1α2 ∈ Ā* · A_Q · A* and π(α1α2) = h(⊥uqv⊥). If ⊥uqv⊥ is reachable from an initial configu ration, then either α1α2 →_{R3} Y or α1α2 →_{R3} N.
Proof. Let ⊥uqv⊥ be a configuration of M such that ϕ(⊥uqv⊥) = 4µ, and let α1, α2 ∈ Ā ∪ A_Q ∪ A such that α1α2 ∈ Ā* · A_Q · A* and π(α1α2) = h(⊥uqv⊥). If ⊥uqv⊥ is reachable from some initial configuration, then ⊥q0w⊥ ⊢*_M ⊥uqv⊥ for some w ∈ Σ*. If w ∈ L, then ⊥uqv⊥ ⊢*_M q_f, and if w ∉ L, then ⊥uqv⊥ ⊢*_M ⊥q_f. Thus, either (α1α2 → Y) ∈ R3 or (α1α2 → N) ∈ R3. □

We now verify that R does indeed witness the fact that L is a Church-Rosser decidable language. Let w ∈ Σ*. If ϕ(w) ≤ 4µ − ϕ(⊥), then we see from Claim 1 that ⊥q0w⊥ →_R Y if w ∈ L, and ⊥q0w⊥ →_R N if w ∉ L. Assume therefore that ϕ(w) > 4µ − ϕ(⊥). Then by Claim 2 there exist a configuration ⊥u1q1v1⊥ of M and α1, α2, …, αk ∈ Ā ∪ A_Q ∪ A such that
(i) α1α2···αk ∈ Ā* · A_Q · A*,
(ii) π(α1α2···αk) = h(⊥u1q1v1⊥),
(iii) ⊥q0w⊥ ⊢*_M ⊥u1q1v1⊥, and
(iv) ⊥q0w⊥ →*_R α1···αk.

If k > 2, then Claim 3 applies. Hence, there are configurations ⊥u_i q_i v_i⊥ of M and strings δ_i ∈ Ā* · A_Q · A*, i = 2, …, k − 1, such that ⊥u_{i−1} q_{i−1} v_{i−1}⊥ ⊢^{2µ}_M ⊥u_i q_i v_i⊥, π(δ_i) = h(⊥u_i q_i v_i⊥), α1···αk →_R δ2 →_R … →_R δ_{k−1}, and |δ_i| = k − i + 1 for all i = 2, …, k − 1. Finally, |δ_{k−1}| = 2 implies that δ_{k−1} →_R Y or δ_{k−1} →_R N by Claim 4. From the definition of R3 we see that the former is the case if and only if w ∈ L. Thus, for w ∈ L, we have ⊥q0w⊥ →*_R α1···αk →_R … →_R δ_{k−1} →_R Y, and for w ∉ L, we have ⊥q0w⊥ →*_R α1···αk →_R … →_R δ_{k−1} →_R N. This completes the proof of Theorem 5. □

From Theorem 5 we obtain our main result.

Corollary 6. The three language classes CRDL, CRL, and GCRL coincide. Thus, the Church-Rosser languages are indeed the deterministic variants of the growing context-sensitive languages.
5 Closure Properties

In this section we summarize the known closure and non-closure properties of the class CRL and we prove two new non-closure properties, which, however, were already announced by Buntrock and Otto [7]. From the definition of the class CRDL we immediately obtain the following result.

Proposition 7. The class of Church-Rosser languages is closed under complementation, that is, if L ⊆ Σ* is a Church-Rosser language, then so is the language L̄ := Σ* \ L.

From the characterization of the class GCRL through the shrinking DTPDA we can conclude the following closure properties.

Proposition 8.
(a) The class CRL is closed under intersection with regular languages, that is, if L ∈ CRL and L1 is a regular language, then L ∩ L1 ∈ CRL.
(b) The class CRL is closed under inverse morphisms, that is, if L ⊆ Σ* is in CRL and h : ∆* → Σ* is a morphism, then h^{−1}(L) ∈ CRL.

Finally, from [11] we recall the following closure properties.

Proposition 9.
(a) CRL is closed under reversal, that is, if L is a Church-Rosser language, then so is the language L∼ := {w∼ | w ∈ L}.
(b) CRL is closed under left quotient and right quotient with a single string, that is, if L ⊆ Σ* is a Church-Rosser language and z ∈ Σ*, then L/{z} := {w ∈ Σ* | wz ∈ L} and {z} \ L := {w ∈ Σ* | zw ∈ L} are Church-Rosser languages, too.

In [12] it is shown that the class CRL is a basis for the recursively enumerable languages. Further, it is shown by Buntrock in [4] that the closure of the class GCRL (= CRL) under ε-free morphisms yields the class GCSL. Hence, we obtain the following non-closure properties.

Proposition 10. The class CRL is neither closed under projections nor under ε-free morphisms.

The Gladkij language L_Gl := {w¢w∼¢w | w ∈ {a, b}*} is a context-sensitive language that is not growing context-sensitive [9,1,7]. Now L_Gl can be written as L_Gl = L1 ∩ L2, where L1 := {w¢w∼¢z | w, z ∈ {a, b}*} and L2 := {w¢z¢z∼ | w, z ∈ {a, b}*}. Obviously, L1 and L2 are both deterministic context-free, and hence, they are both Church-Rosser languages. Since L1 ∩ L2 ∉ GCSL, we have L1 ∩ L2 ∉ CRL. This shows the following.

Proposition 11. The class CRL is neither closed under intersection nor under union.
6 Conclusion

We have shown that the three language classes CRDL and CRL of [11] and GCRL of [7] coincide. Because of the characterization of the latter class through the deterministic variant of the shrinking TPDA [7] this class of languages can be considered as the class of 'deterministic growing context-sensitive languages'. Based on these characterizations we have obtained some closure properties and some non-closure properties for the class of Church-Rosser languages. However, many questions regarding closure and non-closure properties remain open. It also remains open whether or not the language L0 := {ww∼ | w ∈ {a, b}*} is a Church-Rosser language. Finally, based on the fact that the classes CFL and CRL are incomparable under set inclusion, we obtain the following undecidability result from McNaughton et al. [11].

Proposition 12.
(a) The emptiness and the finiteness problems for Church-Rosser languages are undecidable in general.
(b) It is undecidable in general whether a given context-free language is a Church-Rosser language.
(c) It is undecidable in general whether a given Church-Rosser language is context-free.
References
1. R.V. Book. Grammars with Time Functions. PhD thesis, Harvard University, Cambridge, Massachusetts, February 1969.
2. R.V. Book. Confluent and other types of Thue systems. J. Association Computing Machinery, 29:171–182, 1982.
3. R.V. Book and F. Otto. String-Rewriting Systems. Springer-Verlag, New York, 1993.
4. G. Buntrock. Wachsende kontext-sensitive Sprachen. Habilitationsschrift, Fakultät für Mathematik und Informatik, Universität Würzburg, July 1996.
5. G. Buntrock and K. Loryś. On growing context-sensitive languages. In W. Kuich, editor, Proc. of 19th ICALP, Lecture Notes in Computer Science 623, pages 77–88. Springer-Verlag, Berlin, 1992.
6. G. Buntrock and K. Loryś. The variable membership problem: Succinctness versus complexity. In P. Enjalbert, E.W. Mayr, and K.W. Wagner, editors, Proc. of 11th STACS, Lecture Notes in Computer Science 775, pages 595–606. Springer-Verlag, Berlin, 1994.
7. G. Buntrock and F. Otto. Growing context-sensitive languages and Church-Rosser languages. In E.W. Mayr and C. Puech, editors, Proc. of 12th STACS, Lecture Notes in Computer Science 900, pages 313–324. Springer-Verlag, Berlin, 1995.
8. E. Dahlhaus and M. Warmuth. Membership for growing context-sensitive grammars is polynomial. J. Computer System Sciences, 33:456–472, 1986.
9. A.W. Gladkij. On the complexity of derivations for context-sensitive grammars. Algebri i Logika Sem., 3:29–44, 1964. In Russian.
10. J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, Reading, M.A., 1979.
11. R. McNaughton, P. Narendran, and F. Otto. Church-Rosser Thue systems and formal languages. J. Association Computing Machinery, 35:324–344, 1988.
12. F. Otto, M. Katsura, and Y. Kobayashi. Cross-sections for finitely presented monoids with decidable word problems. In H. Comon, editor, Rewriting Techniques and Applications, Lecture Notes in Computer Science 1232, pages 53–67. Springer-Verlag, Berlin, 1997.
Deterministic rational transducers and random sequences

Sylvain Porrot¹, Max Dauchet², Bruno Durand³, Nikolai K. Vereshchagin³˒⁴

¹ LAIL, URA CNRS 1440, Bâtiment P2, Université des Sciences et Technologies de Lille, 59655 Villeneuve d'Ascq CEDEX, France. Tel & Fax: (33) 03 20 43 47 43, email: porrot@lifl.fr
² LIFL, URA CNRS 369, Bâtiment M3, Université des Sciences et Technologies de Lille, 59655 Villeneuve d'Ascq CEDEX, France. Tel: (33) 03 20 43 45 88, email: dauchet@lifl.fr
³ LIP, ENS-Lyon CNRS, 46 Allée d'Italie, 69634 Lyon CEDEX 07, France. e-mail: [email protected]
⁴ Dept. of Mathematical Logic and Theory of Algorithms, Moscow State University, Vorobjevy Gory, Moscow, Russia. e-mail: [email protected]
Abstract

This paper presents some results about transformations of infinite random sequences by letter to letter rational transducers. We show that it is possible by observing initial segments of a given random sequence to decide whether two given letter to letter rational transducers have the same output on that sequence. We use the characterization of random sequences by Kolmogorov Complexity. We also prove that the image of a random sequence is either random, or non-random and non-recursive, or periodic, depending on some structural properties of the transducer that we give.
Introduction

This paper starts the study of the behaviour of deterministic rational transducers on infinite random sequences. Firstly, we show that it is possible by observing initial segments of a given random sequence to decide whether two given letter to letter rational transducers have the same output on that sequence (we call this problem the equality problem). The analogous problem is undecidable on the class of all input sequences. Secondly, we prove that the image of a random sequence is either random or non-random and non-recursive or periodic, depending on the transducer's structural properties. Finally, we derive an arithmetical theorem from the previous result: the image of a 'random real' by a letter to letter rational transducer is either rational or transcendental.

This work is a part of a larger study on transformation processes of discrete curves. These processes are 'real time' transformations on random sequences. For us, 'real time' means that the computation time as well as the memory of the processes are bounded. Consequently, these processes are rational transducers [PD97].

The concept of a random sequence was first well defined by Martin-Löf in 1966 [ML66]. A sequence is random if and only if it does not belong to any constructive null set. The theory of Kolmogorov Complexity provides a characterization of such sequences in terms of compressibility. Levin and Schnorr have shown that the notions of random sequences and incompressible sequences are equivalent [Lev73] [Sch73]. This theory has made it possible to obtain results on regular languages [Sei86] [CL88] [LV93], but our aim is different. The originality of this paper lies in the study of the effect of algebraic objects (rational transducers) on random sequences. This is another approach to Markov chains, which are probabilistic finite automata: here we consider deterministic automata and it is the input sequence that chooses the transitions. This choice is 'typically random' when the sequence is random.

We briefly present in section 1.1 the definition of random sequences due to Martin-Löf, and an equivalent definition in terms of Kolmogorov Complexity. There are several variants of this theory (see the foreword of Chaitin in [Cal94]), but here we consider only the Prefix Complexity. This variant is more convenient for the study of infinite sequences. We consider classical rational transducers [MS97], introduced by M. Nivat [Niv68], reading infinite binary sequences in input and, unlike Büchi automata, e.g. [Tho90], without any particular acceptance conditions. We do not require that for each state and each input letter there exists the corresponding transition. We say that a transducer accepts a sequence if it can read all its letters. In section 1.2, we introduce a classification of transducers' states. This classification is drawn from the theory of Markov chains [MT96]. The main aim of this classification is Lemma 5. It gives a necessary and sufficient condition for the acceptance of a random sequence. In part 2, we show that the equality problem of two transducers is decidable on the class of random sequences, while it is undecidable on the class of all sequences. In order to prove this result, we define the transducer product of two transducers. This transducer accepts an infinite sequence if and only if both initial transducers accept this sequence and have the same output. In part 3, Theorem 2 establishes a classification of the images of random sequences. This classification depends on the transducer's structural properties. On the one hand, the image of a random sequence is random if and only if there are no two paths with the same output linking two recurrent states. On the other hand, the image of a random sequence has finite complexity if and only if all paths starting from a recurrent state have the same output. Moreover, in this case, the image sequence is periodic. Section 3.2 presents an application of the previous result within the frame of arithmetic. We call a random real a real number whose binary expansion is a random sequence. Theorem 3 claims that the image of any random real by a letter to letter rational transducer is either rational or transcendental.
1 Preliminaries

1.1 Random sequences and Kolmogorov Complexity

In this part we briefly present the definition of random sequences from Martin-Löf and the theory of Kolmogorov Complexity. In the following we call word (respectively sequence) any finite (respectively any infinite) string over the binary alphabet {0, 1}.

1.1.1 Random sequences

The first satisfactory definition of a random sequence has been given by Martin-Löf in [ML66]. A sequence is random if and only if it does not belong to any constructive null set. More precisely, a sequence s is non-random if and only if there is a recursive function u(i, j), mapping pairs of integers to words, satisfying the following properties:

1. $\forall i \quad \mu(U_i) \le 2^{-i}$;
2. $\forall i \quad s \in U_i$,

where $U_i = \bigcup_j \Gamma_{u(i,j)}$, $\Gamma_{u(i,j)}$ being the set of all the sequences having the prefix u(i, j), and μ denotes the uniform measure on the set of all sequences.
1.1.2 Kolmogorov Complexity

The theory of Kolmogorov Complexity [LV97], also called Algorithmic Information Theory, gives rigorous mathematical foundations to the notion of the quantity of information contained in an object x. This quantity K(x) is the length of a smallest program computing x without any input. The programming language must satisfy the following property: for any computable partial function f mapping words to words there exists a constant C such that for any p in the domain of f there exists a program computing f(p) of length at most length(p) + C. We will use the variant of Kolmogorov Complexity called Prefix Complexity, in which the set of programs must be a prefix set: none of the programs is the prefix of another program. The complexity varies by no more than an additive constant when we change the programming language. Indeed,

$$\exists C\ \forall x \quad |K_1(x) - K_2(x)| < C$$

where K1(x) and K2(x) are Kolmogorov complexities defined for two different programming languages.
1.1.3 Randomness and incompressibility

The theory of Kolmogorov Complexity provides a characterization of randomness using incompressibility properties. Actually Levin and Schnorr [Lev73] [Sch73] have shown that random sequences are exactly those that are incompressible for some variants of Kolmogorov Complexity. Their proof can be easily translated into the frame of Prefix Complexity that we use here. More specifically, all prefixes of a random sequence are compressible by less than a constant. Formally, if a_{1:n} is the prefix of length n of a sequence a, then this sequence is random if and only if:

$$\exists c\ \forall n \quad K(a_{1:n}) \ge n - c.$$

A random sequence is non-recursive, but non-random ones may be either recursive or non-recursive. Assume for example that the sequence 010011010110… is random. Then the sequence 001100001111…, where each letter of the previous sequence appears twice, is non-random and non-recursive. The sequence 010101010101… is non-random and recursive. In several proofs we show that a sequence a is non-random by building a program that computes a using another sequence a' as an input. This program uses at most the αn first letters of a' to compute the n first letters of a, with α < 1. The following lemma expresses this idea.
Lemma 1 Let a and a0 be two sequences. If there exists a program P such that : 9 (un )n2N 9 (vn )n2N 9 < 1 such that 8 n P (a0 un ) = a 1:
then a is non-random.
4
vn
1:
and un vn
Proof We will give an upper bound on the complexity of the prefix words $a_{1:v_n}$ of a. The program $\langle P, a'_{1:u_n} \rangle$ computes $a_{1:v_n}$, but the set of these programs is not a prefix set. In order to obtain such a set we have to use the prefix coding of $a'_{1:u_n}$, denoted by $\overline{a'_{1:u_n}}$. For all n we have $K(a_{1:v_n}) \leq |\overline{a'_{1:u_n}}| + |P| + O(1)$. A classical upper bound for the prefix coding of a word w is $|w| + 2\log(|w|) + O(1)$. Hence we have:
$$\forall n \quad K(a_{1:v_n}) \leq |a'_{1:u_n}| + 2\log(|a'_{1:u_n}|) + O(1) \leq \alpha |a_{1:v_n}| + 2\log(|a_{1:v_n}|) + O(1).$$
Let c > 0 be fixed. Since $\alpha < 1$, there exists $n_c$ such that:
$$\forall n \geq n_c \quad \alpha |a_{1:v_n}| + 2\log(|a_{1:v_n}|) + O(1) \leq |a_{1:v_n}| - c.$$
Eventually we have:
$$\forall c\ \exists n_c\ \forall n \geq n_c \quad K(a_{1:v_n}) \leq |a_{1:v_n}| - c.$$
Therefore a is non-random. □
1.2 Transducers We consider classical transducers without final states since inputs are only infinite sequences. In this first approach we consider only letter to letter transducers: the output is a letter at each letter read in input. When the transducer reaches a state where there is no transition labelled by the input letter, it halts and we say that it rejects the input sequence. Otherwise it accepts the input sequence. We now give some definitions and preliminary results considering only inputs on transitions.
Definition 1 Let T be a transducer and a be a sequence accepted by T. A state of T is recurrent for a if it is reached an infinity of times with a as an input. $T_a$ denotes the set of recurrent states for a.
Definition 2 Let q be a state of T. Let $occ^a_n(q)$ denote the number of occurrences of the state q during the reading of $a_{1:n}$. The frequency $f^a(q)$ of q is defined by:
$$f^a(q) = \limsup_{n \to \infty} \frac{occ^a_n(q)}{n}$$
A state q is frequent if $f^a(q) > 0$.
Definition 3 Let q be a state of T and t be a transition from q. Let $occ^a_n(t)$ denote the number of occurrences of the transition t during the n first occurrences of the state q with a as an input. The frequency $f^a(t)$ of t is defined by:
$$f^a(t) = \limsup_{n \to \infty} \frac{occ^a_n(t)}{n}$$
Lemma 2 Let a be a sequence accepted by T. T contains at least one frequent state.
Proof Suppose that for each state $q_i$ of $T_a$ we have $f^a(q_i) = 0$. Let $\varepsilon = \frac{1}{2Q}$ where Q is the number of states of T. Therefore we have:
$$\exists n\ \forall q_i \quad \frac{occ^a_n(q_i)}{n} \leq \frac{1}{2Q} \quad \Rightarrow \quad \sum_{i=1}^{Q} occ^a_n(q_i) \leq \frac{n}{2}$$
which contradicts the fact that every position of $a_{1:n}$ is read in some state, so that the occurrences of all states sum to n. □
Definition 4 A complete state is a state out of which go two transitions labelled by 0 and 1. We say that a set of states is complete if each state of this set is complete.
Claim 1 Consider the preorder on the set of states of a transducer defined by: $q \leq q'$ if and only if we can reach q' from q, and the equivalence classes of states it induces (states that reach each other). We say that maximal classes are absorbing. There is an algorithm that splits a transducer into sub-automata $T_1, \ldots, T_N$ and $T_P$ (see Figure 1). $T_1, \ldots, T_N$ are the complete absorbing classes and $T_P$ is the union of the remaining classes.
Figure 1: Complete absorbing classes ($T_1, \ldots, T_N$ and $T_P$)
Lemma 3 Let a be a random sequence accepted by T. Any frequent state of T is complete.
Proof Let q be a frequent state. Suppose that q is not complete. Thus, there is only one transition from this state, say the transition labelled by input letter 0 and leading to the state $q_0$. We show that this implies that a is non-random. Consider the sequence a' obtained as follows: in the sequence a we delete the letters read at each occurrence of q. The following program computes a using T and a'.
Program P(a')
  Repeat
    If T is in state q then
      Output 0 ; Place T in state $q_0$
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End
Since q is frequent we have $\limsup_{n \to \infty} occ^a_n(q)/n = \varepsilon$ with $\varepsilon > 0$. Thus there is a series $(v_n)_{n \in \mathbb{N}}$ and $n_0$ such that for all $n > n_0$ we have $occ^a_{v_n}(q)/v_n \geq \varepsilon/2$. Let $u_n = v_n - occ^a_{v_n}(q)$. For all $n > n_0$ we have $u_n \leq \alpha v_n$ with $\alpha = 1 - \varepsilon/2 < 1$. The program P is such that for all n we have $P(a'_{1:u_n}) = a_{1:v_n}$. Thus the hypotheses of Lemma 1 are satisfied, which enables us to conclude that a is non-random. □
Lemma 4 Let a be a random sequence accepted by T. Then all states of $T_a$ are frequent and $T_a$ is a complete absorbing class.
Proof According to Lemma 2, T contains at least one frequent state q. This state belongs to $T_a$ and, according to Lemma 3, is complete. Let $t_0$ (respectively $t_1$) be the transition accepting 0 (respectively 1) and leading to $q_0$ (respectively $q_1$) from q ($q_0$ and $q_1$ can be the same).
Step 1: We show that both transitions $t_0$ and $t_1$ are frequent. Suppose for example that $t_0$ is not frequent, i.e. $f^a(t_0) = 0$. Obviously we have $f^a(t_1) = 1$. Consider the sequence a' defined as follows: in the sequence a we delete each 1 read at each occurrence of $t_1$ and we replace each 0 read at each occurrence of $t_0$ with a prefix code of the number of occurrences of $t_1$ before the next occurrence of $t_0$. The following program computes a using a'.
Program P(a')
  Let n be the number of occurrences of $t_1$ before the next occurrence of $t_0$
  Repeat
    If T is in state q then
      If n = 0 then
        Output 0 ; Let n be the prefix coded number appearing from the current position in a' ; Place T in state $q_0$
      Else
        n = n - 1 ; Output 1 ; Place T in state $q_1$
      End if
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End
The same arguments as in the proof of Lemma 3 enable us to conclude that a is non-random.
Conclusion: Since $f^a(q) > 0$, $f^a(t_0) > 0$ and $f^a(t_1) > 0$, both states $q_0$ and $q_1$ are frequent. Step by step we show that any state reachable from q is frequent and thus, according to Lemma 3, is complete. Such a state is recurrent. Therefore, the class of q is absorbing and complete. □
The following lemma is an immediate corollary of Lemma 4 and of the fact that a complete absorbing class accepts any sequence.
Lemma 5 For every random sequence a, T accepts a if and only if T reaches on a one of its complete absorbing classes.
2 Decidability of the equality of letter to letter rational transducers on random sequences
We say that two transducers $T_1$ and $T_2$ are equal on a sequence s if $T_1(s) = T_2(s)$. Note the difference between this definition and the definition of the equivalence of transducers: $T_1$ and $T_2$ are equivalent if $T_1(w) = T_2(w)$ for every word w. The equality of a class of rational transducers on a class S of sequences is decidable if there is an algorithm that decides, for any transducers $T_1$ and $T_2$ in the class, and any sequence s in S spelled letter by letter, whether $T_1(s) = T_2(s)$, using a finite prefix (of unknown length) of s:
$$\exists A\ \forall (T_1, T_2) \text{ in the class}\ \forall s \in S \quad \begin{cases} A(T_1, T_2, s) = \text{yes} & \text{if } T_1(s) = T_2(s) \\ A(T_1, T_2, s) = \text{no} & \text{otherwise} \end{cases}$$
If the class is the set of letter to letter rational transducers and S is the set of all sequences, the equality is not decidable. Consider the transducers $T_1$ and $T_2$ defined in Figure 2.
Figure 2: Two transducers equal on $01^\omega$ and not equal on $0^n 1 0 1^\omega$
Suppose there is an algorithm A deciding, for any sequence s, whether both transducers $T_1$ and $T_2$ are equal on s. Let $s_1 = 01^\omega$. Since $T_1(s_1) = T_2(s_1)$, $A(T_1, T_2, s_1)$ halts having read a prefix of length n of $s_1$ and outputs yes. Now, let $s_2 = 0^n 1 0 1^\omega$. Since the n
first letters of $s_1$ and $s_2$ are the same, $A(T_1, T_2, s_2)$ halts and outputs yes, although we obviously have $T_1(s_2) \neq T_2(s_2)$. However, the equality becomes decidable if we restrict ourselves to random sequences. In order to show this result, we need to define the notion of product transducer.
Definition 5 Let $T_1$ and $T_2$ be two transducers. Their product transducer $T = T_1 \times T_2$ is defined as follows: if we can reach $q'_1$ from $q_1$ in the transducer $T_1$ and $q'_2$ from $q_2$ in the transducer $T_2$, with the same letter $b_{in}$ in input and the same letter $b_{out}$ in output, then T contains a transition between $(q_1, q_2)$ and $(q'_1, q'_2)$ reading $b_{in}$ and outputting $b_{out}$. The product transducer $T = T_1 \times T_2$ accepts a sequence a if and only if $T_1$ and $T_2$ accept a and output the same sequence.
Theorem 1 The equality of letter to letter rational transducers on random sequences is decidable.
Proof Let a be a random sequence. $T_1$ and $T_2$ accept a and output the same sequence if and only if their product transducer T accepts a or, according to Lemma 5, if and only if T reaches on a one of its complete absorbing classes. If T halts, we distinguish the following cases: $T_1$ and $T_2$ accept a and output different sequences, and thus $T_1$ and $T_2$ are not equal on a; one transducer accepts a and the other rejects a: $T_1$ and $T_2$ are not equal on a; $T_1$ and $T_2$ both reject a: if the output words are the same, $T_1$ and $T_2$ are equal on a, otherwise they are not. Finally, $T_1$ and $T_2$ are equal on a if and only if either T reaches on a one of its complete absorbing classes or T, $T_1$, $T_2$ halt simultaneously with the same output words. These observations lead to the following decision algorithm:
Program A($T_1$, $T_2$, a)
  Build the product transducer $T = T_1 \times T_2$
  Split T into complete absorbing classes as in Claim 1
  For each letter of a repeat
    If T reaches one of its complete absorbing classes then
      Output yes ; Halt
    Elseif T halts then
      If $T_1$ and $T_2$ halt at the same place and output the same word then
        Output yes ; Halt
      Else
        Output no ; Halt
      End if
    End if
  End for
End
□
3 Classification of images of random sequences In this part we are interested in the images of random sequences by letter to letter rational transducers. Theorem 2 shows the influence of the transducer's structure on the sequence we obtain.
Definition 6 A state q is partially indifferent if there are two different input words having the same length, leading to a same state from q and having the same image.
Definition 7 A state q is discriminating if there exists l > 0 satisfying the following property: from q, the images of two words $w_1$ and $w_2$ of length l end with the same letter if and only if $w_1$ and $w_2$ start with the same letter.
Theorem 2 Let T be a letter to letter rational transducer, let a be a random sequence accepted by T and let s denote T(a).
1. if $T_a$ does not contain any partially indifferent state then s is random;
2. (a) if $T_a$ contains at least one partially indifferent state then s is non-random. Moreover: (b) if $T_a$ contains a discriminating state then s is non-recursive; (c) if $T_a$ does not contain any discriminating state, then s is recursive and periodic: $s = uv^\omega$.
Remark 1 Let Q denote the number of states of a transducer T. We can show that the existence of a partially indifferent state in T is decidable in time $O(Q^2)$ and the existence of a discriminating state in T is decidable in time $O(2^{Q^2})$.
Example 1 Call a transducer one-to-one if it defines an injective mapping on (infinite) sequences. A one-to-one transducer does not contain any partially indifferent state. The transducer of Figure 3 is a non-trivial example of a one-to-one transducer, which transforms a sequence a into 0a. It is non-trivial because it is not just an injective morphism of words.
Figure 3: A non trivial one-to-one transducer
Example 2 Injectivity is not a necessary condition to map random sequences on random sequences. Consider the transducer T of Figure 4. Since the sequences $01^\omega$ and $101^\omega$ have the same image $011^\omega$, T is not a one-to-one transducer. However, T does not contain any partially indifferent state since there is no state reachable from two transitions having the same output letter.
Figure 4: A many-to-one transducer without partially indifferent states
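As an added example (my own code, not the paper's), the following Python implements the product transducer of Definition 5, the split into complete absorbing classes of Claim 1, decision program A of Theorem 1, and a pair-of-runs check for the partially indifferent states of Definition 6 that Examples 1 and 2 discuss. The transducers IDENTITY, REWRITE and TOGGLE are constructed for this example in the spirit of Figure 2, whose drawing is not in the scan: IDENTITY and REWRITE agree on $01^\omega$ but differ as soon as a 0 follows a 1, so program A answers "no" on any input containing 10 and never decides on a prefix of $01^\omega$.

```python
# Constructed example, not code from the paper: letter-to-letter transducers over {0,1},
# product transducer (Definition 5), complete absorbing classes (Claim 1), decision
# program A (Theorem 1) and a check for partially indifferent states (Definition 6).
ALPHABET = ("0", "1")


class Transducer:
    """delta maps (state, input letter) -> (next state, output letter);
    a missing entry means the transducer halts and rejects (Section 1.2)."""

    def __init__(self, delta, start):
        self.delta = dict(delta)
        self.start = start
        self.states = {start} | {q for q, _ in delta} | {n for n, _ in delta.values()}

    def step(self, state, letter):
        return self.delta.get((state, letter))  # None when there is no transition

    def is_complete(self, q):  # Definition 4: both a 0- and a 1-transition leave q
        return all(self.step(q, b) is not None for b in ALPHABET)

    def reachable(self, q):
        seen, stack = {q}, [q]
        while stack:
            s = stack.pop()
            for b in ALPHABET:
                nxt = self.step(s, b)
                if nxt is not None and nxt[0] not in seen:
                    seen.add(nxt[0])
                    stack.append(nxt[0])
        return seen

    def complete_absorbing_states(self):
        """Claim 1: the class of q is absorbing when every state reachable from q
        reaches q back, and complete when every state of the class is complete."""
        result = set()
        for q in self.states:
            cls = self.reachable(q)
            if all(q in self.reachable(s) for s in cls) and all(map(self.is_complete, cls)):
                result |= cls
        return result


def product_transducer(t1, t2):
    """Definition 5: (q1, q2) steps on b only when both read b and emit the same letter."""
    delta = {}
    for (q1, b), (n1, o1) in t1.delta.items():
        for (q2, b2), (n2, o2) in t2.delta.items():
            if b == b2 and o1 == o2:
                delta[((q1, q2), b)] = ((n1, n2), o1)
    return Transducer(delta, (t1.start, t2.start))


def equal_on(t1, t2, prefix):
    """Program A (Theorem 1) over a finite prefix: "yes", "no", or None when undecided
    (a decision is only guaranteed when the full input is a random sequence)."""
    t = product_transducer(t1, t2)
    absorbing = t.complete_absorbing_states()
    q, q1, q2 = t.start, t1.start, t2.start
    for b in prefix:
        if q in absorbing:   # Lemma 5: from here the product accepts whatever follows
            return "yes"
        nxt = t.step(q, b)
        if nxt is None:      # the product halts: look at the components
            s1, s2 = t1.step(q1, b), t2.step(q2, b)
            # outputs so far agree (the product only moves on equal outputs), so both
            # components halting here means equal output words; any other case differs
            return "yes" if s1 is None and s2 is None else "no"
        q, q1, q2 = nxt[0], t1.step(q1, b)[0], t2.step(q2, b)[0]
    return "yes" if q in absorbing else None


def partially_indifferent_states(t):
    """Definition 6 decided by a search over pairs of runs: q qualifies if two distinct
    input words of equal length lead from q to one common state with the same output."""
    found = set()
    for q in t.states:
        start = (q, q, False)   # (state of run 1, state of run 2, inputs differed so far?)
        seen, stack = {start}, [start]
        while stack:
            p1, p2, differ = stack.pop()
            if differ and p1 == p2:
                found.add(q)
                break
            for b1 in ALPHABET:
                for b2 in ALPHABET:
                    n1, n2 = t.step(p1, b1), t.step(p2, b2)
                    if n1 is not None and n2 is not None and n1[1] == n2[1]:
                        nxt = (n1[0], n2[0], differ or b1 != b2)
                        if nxt not in seen:
                            seen.add(nxt)
                            stack.append(nxt)
    return found


# Constructed transducers in the spirit of Figure 2 (whose drawing is not in the scan):
# IDENTITY copies its input; REWRITE copies it up to the first 1 and then rewrites every
# later 0 as 1; TOGGLE is a two-state copier, equivalent to IDENTITY on every word.
IDENTITY = Transducer({("S", "0"): ("S", "0"), ("S", "1"): ("S", "1")}, "S")
REWRITE = Transducer({("A", "0"): ("A", "0"), ("A", "1"): ("B", "1"),
                      ("B", "0"): ("B", "1"), ("B", "1"): ("B", "1")}, "A")
TOGGLE = Transducer({("A", "0"): ("B", "0"), ("A", "1"): ("B", "1"),
                     ("B", "0"): ("A", "0"), ("B", "1"): ("A", "1")}, "A")
```

Calling equal_on(IDENTITY, TOGGLE, "0") answers "yes" at once because the product is a single complete absorbing class, while equal_on(IDENTITY, REWRITE, "0110100") answers "no" when the product halts on the 0 that follows the first 1.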
3.1 Proof
Proof of 1. and 2.(a) We have to show that s is random if and only if $T_a$ does not contain any partially indifferent state.
Only if: We prove that if $T_a$ contains at least one partially indifferent state q then s is non-random. Since q is a partially indifferent state, there are two words $w_1$ and $w_2$ leading to the same state q' from q and outputting the same word u. Let l be the length of $w_1$ and $w_2$. Let f be a coding function from $\{0,1\}^l$ to $\{0,1\}^l$ such that $f(w_1)$ and $f(w_2)$ differ only in their last letter. For example let $f(w_1) = v0$ and $f(w_2) = v1$, where v is a word of length $l - 1$. Let a' be defined as follows: in the sequence a we replace each word w of length l read from state q with v if $w = w_1$ or $w = w_2$, and with f(w) otherwise. The following program computes s with a' as an input.
Program P(a')
  Simulate T on input sequence a'
  Each time T reaches state q do
    Let w be the word of length l - 1 from the current position in a'
    If w = v then
      Output u ; Place T in state q'
    Else
      Let w be the word of length l from the current position in a'
      Let w' be the word such that f(w') = w
      Replace w with w' in a' ; Resume the simulation of T
    End if
  End do
End
The same arguments as in the proof of Lemma 3 enable us to conclude that s is non-random.
If: We prove that if $T_a$ does not have any partially indifferent state then s is random. Suppose that s is non-random. We show that this implies that a is non-random too. Let u(i, j) denote a recursive function mapping pairs of integers to words. Let $\Gamma_{u(i,j)}$ denote the set of all sequences having the prefix u(i, j), let $\Sigma_i$ denote $\bigcup_j \Gamma_{u(i,j)}$ and let $\mu$ denote the uniform measure on the set of all sequences. Since s is non-random, s belongs to a constructive null set, i.e. there is a recursive function u(i, j) such that:
1. $\forall i \quad \mu(\Sigma_i) \leq 2^{-i}$
2. $\forall i \quad s \in \Sigma_i$
Note that we can suppose that, given i, all sets $\Gamma_{u(i,j)}$, $j \in \mathbb{N}$, are disjoint. We will define a function $\hat{u}(i, j)$ mapping pairs of integers to words such that for all i we have $\{T(\hat{u}(i, j)) \mid j \in \mathbb{N}\} = \{u(i, j) \mid j \in \mathbb{N}\}$. The following program P(i, j) computes $\hat{u}(i, j)$ using the recursive function u(i, j) and the transducer T.
Program P(i, j)
  count = 0 ; k = 0
  Repeat
    k = k + 1 ; w = u(i, k)
    For all words $\hat{w}$ of length |w| do
      If $T(\hat{w}) = w$ then
        count = count + 1
        If count = j then
          Output $\hat{w}$ ; Halt
        End if
      End if
    End for
  End repeat
End
Since u(i, j) is recursive, $\hat{u}(i, j)$ is recursive too. Let $\hat{\Sigma}_i = \bigcup_j \Gamma_{\hat{u}(i,j)}$. Since each $\hat{u}(i, j)$ is a preimage of some u(i, k), a belongs to $\hat{\Sigma}_i$ for all i. Moreover we have:
$$\forall i \quad \mu(\hat{\Sigma}_i) \leq \sum_j \mu(\Gamma_{\hat{u}(i,j)})$$
Let Q be the number of states of T. Since $T_a$ does not contain any partially indifferent state there are at most Q different words having the same image. Thus we have:
$$\forall i \quad \mu(\hat{\Sigma}_i) \leq \sum_j Q\,\mu(\Gamma_{u(i,j)}) = Q\,\mu(\Sigma_i) \leq Q\,2^{-i}$$
Hence a belongs to a constructive null set defined by $\hat{u}(i, j)$: a is non-random. □
Proof of 2.(b) Let q be a discriminating state. There exists l > 0 such that, observing the last letter of the image of an input word of length l from q, we can retrieve the first letter of this input word. Assume for example that all words of length l starting with 0 (respectively with 1) have their images ending with 0 (respectively with 1). Suppose s is recursive. Let P be a program that computes s. Consider the sequence a' defined as follows: in the sequence a we delete the letters read at each occurrence of q. The following program computes a using P, T and a'. Let $q_0$ (respectively $q_1$) denote the state reached when 0 (respectively 1) is read at state q.
Program P(a')
  Repeat
    If T is in state q then
      Compute the l-th next letter of s (the last letter of the image of the next l input letters) using program P
      If this letter is 0 then
        Output 0 ; Place T in state $q_0$
      Else
        Output 1 ; Place T in state $q_1$
      End if
    Else
      Read a letter b of a' and output b
      Simulate T on input b
    End if
  End repeat
End
The same arguments as in the proof of Lemma 3 enable us to conclude that a is non-random. □
Proof of 2.(c) Firstly we prove the following property: for every state q of $T_a$, for every l, for all words $w_1$ and $w_2$ of length l, the images of $w_1$ and $w_2$ from q are the same. We use an induction on l to show this. W(q, l) denotes the set of image words of length l from q.
Step 1: The property is true for l = 1. Indeed each state outputs the same letter whatever the input letter is, since no state of $T_a$ is discriminating.
Step 2: Let q be a state of $T_a$. Let $q_0$ (respectively $q_1$) be the state reached from q when 0 (respectively 1) is read. Suppose the property is true for all $l \leq L$. Thus all words of $W(q_0, L)$ (respectively $W(q_1, L)$) end with the same letter $b_0$ (respectively $b_1$). Since q is not discriminating, we necessarily have $b_0 = b_1$. Thus all input words of length L + 1 have images ending with the same letter from q.
We now prove that s is periodic, i.e. there are two words u and v such that $s = uv^\omega$. Let a' be the suffix sequence of a read from the first occurrence of a recurrent state q. According to the previous property, we have $q(a') = q(0^\omega)$. Since the automaton is finite and deterministic, there is necessarily a loop. □
3.2 From an arithmetical point of view The following theorem is an application of Theorem 2 within the frame of arithmetic. We call a `random real' a real whose binary expansion is a random sequence. We remind the reader that a real is algebraic if it is the root of a polynomial equation having integer coefficients. A real is transcendental if it is not algebraic.
Theorem 3 The image of a random real by a letter to letter rational transducer is either rational or transcendental.
Proof Let a be the binary expansion of the image of a random real. If a has a finite complexity then it is periodic and then the real number is rational. If a has an infinite complexity then the real number is transcendental. Indeed, since an algebraic number is a root of a polynomial equation with integer coefficients, it has a finite complexity: we can give more and more accurate approximations of this root using an algorithm. □
Open problems In this first approach we have only considered letter to letter rational transducers. We should study whether the results we have obtained remain true in the general case. Moreover we think that the links between simple and `pure' algebraic objects (rational transducers) and `pure' complex objects (random sequences), and also the links with Markov chains, should be studied thoroughly.
References
[Cal94] C. Calude. Information and Randomness, an Algorithmic Perspective. Springer-Verlag, 1994.
[CL88] M. Chrobak and M. Li. k + 1 heads are better than k for PDAs. J. Comput. Syst. Sci., 37:144-155, 1988.
[Lev73] L.A. Levin. On the notion of random sequence. Soviet Math. Dokl., 14:1413-1416, 1973.
[LV93] M. Li and P. Vitányi. A new approach to formal language theory by Kolmogorov's complexity. SIAM J. Comput., 24:398-410, 1993.
[LV97] M. Li and P. Vitányi. An Introduction to Kolmogorov Complexity and its Applications. Springer-Verlag, 1997.
[ML66] P. Martin-Löf. The definition of random sequences. Inform. and Control, 9:602-619, 1966.
[MS97] A. Mateescu and A. Salomaa. Aspects of classical language theory. In Handbook of Formal Languages, volume 1, pages 175-251. Springer-Verlag, 1997.
[MT96] S.P. Meyn and R.L. Tweedie. Markov Chains and Stochastic Stability. Springer-Verlag, 1996.
[Niv68] M. Nivat. Transductions des langages de Chomsky. Annales de l'Institut Fourier, 18:339-455, 1968.
[PD97] S. Porrot and M. Dauchet. Discrete curves complexity. Rapport interne, LAIL, 1997.
[Sch73] C.P. Schnorr. Process complexity and effective random tests. J. Comput. System Sci., 7:376-388, 1973.
[Sei86] J. Seiferas. A simplified lower bound for context-free-language recognition. Inform. and Control, 69:255-260, 1986.
[Tho90] W. Thomas. Automata on infinite objects. In Handbook of Theoretical Computer Science, volume B, pages 133-191. Elsevier, 1990.
Resource Based Models for Asynchrony J. Rathke
Dipartimento di Informatica e Scienze dell'Informazione, Università degli Studi di Genova, via Dodecaneso 35, 16146 Genova, Italy. [email protected]
Abstract
We propose a new graph-based approach to modelling asynchronous languages and show how the new model can be viewed as a collapse of the standard transition system model for asynchronous behaviour by utilising the commuting properties of asynchronous transitions. The motivation behind these new models stems from the issue of regularity for asynchronous processes. We note that the class of regular processes fails to contain many useful asynchronous processes and we identify a larger subclass of BPP accordingly. We call this new class asynchronously regular processes. Using the new models we provide two appealing abstract characterisations of asynchronous bisimulation equivalence, namely, as spans of open maps and as winning strategies for a bisimulation game. Also, by exploiting the coincidence of finite graphs with regular processes we see that bisimulation is polynomial time decidable over our class of asynchronously regular processes.
1 Introduction It is becoming increasingly clear that the nature of output messages in languages such as the asynchronous $\pi$-calculus, [2, 6], Pict [13] and the Join-calculus, [4] is one of persistent resources. Recently, this persistence of output was exposed at the level of transition systems by identifying certain commuting properties guaranteed of asynchronous systems [14]. Given such a situation, it would seem reasonable to question whether transition systems afford a good representation of asynchronous processes. After all, the ordering of transitions in a graph is used merely to reflect the precedence of actions which can be performed by the process. The distinguishing feature of output actions is that they cannot preclude other actions; so why model them as transitions? Our approach is to view output messages purely in terms of resources. Our models, resource graphs, have no output transitions but instead record the availability of output resources as computation progresses. This might be achieved by allowing each node to be a pair containing some `state' of the system along with the multiset of resources which are currently available. In fact, we see in Section 3.1 that this is pretty much how the transition system model behaves, so little is to be gained from this solution. A much more compact representation is possible if we don't explicitly record the current resources available but simply see how resources become available. We augment each input and $\tau$ transition with the multiset of outputs which become available as a result of performing this transition. It should be clear that we will also need to store the information of which resources are initially available in a system. For example, the process $P = c! \parallel a?(b! \parallel b! \parallel Q) + \tau.(d! \parallel R)$ has an initial resource $\{c!\}$ and two immediate transitions $P \xrightarrow{a?}$ and $P \xrightarrow{\tau}$ which release the resources $\{b!, b!\}$ and $\{d!\}$ respectively. We represent these two transitions as $P \xrightarrow{a, \{b, b\}} Q$ and $P \xrightarrow{\tau, \{d\}} R$, where the input/output sense of actions is now implicit. This move to recording resources on edges rather than at nodes allows many more infinite state processes to be modelled by finite resource graphs.
* On leave from the University of Sussex. Supported by the EU-HCM Express network.
Figure 1: Transition system and resource graph for $a! \parallel (b?(b! \parallel \tau.\text{nil}))$
To contrast the standard transition system models with the resource graph interpretation of a process consider the example process in Figure 1. The redundancy in the transition system model is highlighted well by the uniform shape of asynchronous transition systems imposed by Selinger's axioms [14]. We know, owing to the asynchronous nature of the language, that the a! is possible at the initial node and, until it is used, will continue to be available; thus in the resource graph model this information is utilised to create a more compact graph. The models for the process $P = a?(b! \parallel P)$ are more illuminating. This process will in fact be modelled by an infinite transition system,
(diagram: an infinite chain of a? and b! transitions)
yet the structure of the process is very simple: at all times there is an a? action possible and for each a? action performed an additional b! resource becomes available. Initially there are no b! resources available. In fact, this gives us a resource graph with a single node, the initial resource set is empty and there is a single looping transition labelled $a, \{b\}$.
So far we have shown how we could tailor transition systems to be more suited to modelling asynchronous processes. But we must consider how this would actually benefit us. The examples show us that we immediately have a more compact representation of systems, so this could clearly be useful when it comes to checking equivalence of processes. Ideally we could check bisimulation between processes by building their resource graphs and checking some kind of bisimulation on these. This would necessitate defining the appropriate notion of bisimulation for resource graphs. Given such a situation, we would easily obtain a decision procedure for checking bisimilarity for the class of processes which receive finite resource graph models. It is well known that finite state transition systems correspond (up to strong bisimulation) to regular processes in CCS, that is processes which make no use of the static operators, parallel composition and restriction, underneath recursion [9, 10]. If we forbid the use of parallel composition and restriction under recursion from asynchronous CCS we lose a great deal of expressive power; in fact, we lose the ability to perform more than a finite number of output actions. This sorry state of affairs would mean that even the paradigmatic asynchronous buffer process
$\text{rec}\ X.\,a?(a! \parallel X)$
is not expressible. This restricted use of parallelism is certainly too strong for asynchronous languages and we must consider a weaker notion of regularity. We propose that a parallel composition $p \parallel q$ in the scope of recursion binders be allowed providing that either p or q is merely an output message; we call such processes asynchronously regular. The class of asynchronously regular processes would now include the asynchronous buffer process shown above as well as many other infinite state processes. Moreover, all such processes will be modelled by finite resource graphs. In order to define bisimulation on resource graphs we appeal to the abstract definition proposed by Joyal, Nielsen, Winskel [7]. This definition simply requires us to choose a suitable category in which to observe basic computation paths. Using intuition gleaned from [1] to choose our notion of morphism of resource graphs, we see that the notion of asynchronous bisimulation proposed by [1] exists in an
abstract form. The key to our choice of morphism lies in understanding internal actions as a pair of unspecified synchronising actions, hidden from the environment. One may like to think of $\tau$ prefixing as syntactic sugar for $\nu a.(a! \parallel a?P)$. We consider what effects specifying a name, a, for these actions, and allowing them to be seen by the environment, has; call this specified synchronising pair $a_\tau$, so one might think of $a_\tau$ prefixing as $a! \parallel a?P$. To define our notion of morphism on resource graphs we discuss general considerations about morphisms of labelled graphs. We think of a morphism $f : G \to G'$ between two labelled graphs as representing that G' is a refinement of G. That is to say that G is more specified than G'. A morphism should refine transitions of the graph in some way. We will outline what we understand by refinement. Transitions represent both local communication, $\tau$ moves, and capacity for interacting in a more global sense, a? and a! moves. Given a process p, we can observe the global computations it can engage in by inducing them using an environment process e situated in parallel with p. We say that e offers an action a!, say, if $e \xrightarrow{a!}$, and that p accepts this offer if it synchronises with e to perform an internal reduction or computation. A transition $p \xrightarrow{\alpha} p'$ of some transition system can then be understood as saying that the least offer one need make p to observe some synchronisation and reduction to p' is $\hat{\alpha}$, where $\widehat{a!} = a?$, $\widehat{a?} = a!$, and $\hat{\tau}$, specified or not, is empty. The ordering on offers is simply that the empty offer is less than all other offers, which are incomparable. We will expect that any $\tau$ transition can be refined by an $a_\tau$ transition because we have information about the computation yielded by $a_\tau$, the name of the channel on which synchronisation occurs, that we do not have of the computation given by the $\tau$ action. We say that a computation is covert if we do not know the name of the synchronising channel. All computations induced by $\tau$ prefixes are covert.
Using this definition we say that $p \xrightarrow{\alpha} p'$ f-refines $q \xrightarrow{\beta} q'$ if p maps to q and p' maps to q' under the morphism f, such that the least offer $\hat{\alpha}$ made to p can also be accepted by q to induce a reduction to q'. If the induced computation of p is covert then the corresponding induced computation of q must also be covert. More precisely we ask that $\hat{\alpha} \parallel p \longrightarrow p'$ implies $\hat{\alpha} \parallel q \longrightarrow q'$ such that if we don't know the name on which p synchronises then we cannot know the name on which q synchronises. We can see that the following refinements hold for transition systems,
$p \xrightarrow{\alpha} p'$ f-refines $f(p) \xrightarrow{\alpha} f(p')$
$p \xrightarrow{a_\tau} p'$ f-refines $f(p) \xrightarrow{\tau} f(p')$;
and these give rise to a fairly unsurprising definition [16] of morphism for asynchronous transition systems. However, we observe a peculiarity in the category of resource graphs. Edges of resource graphs are labelled with pairs, $m \xrightarrow{\alpha, S} m'$. Refinement of these edges will have to take into account the resources which are collected. To spell this out we say
$m \xrightarrow{\alpha, S} m'$ f-refines $n \xrightarrow{\beta, S} n'$ if m maps to n, and m' maps to n', such that the least offer $\hat{\alpha}$ which (covertly) reduces m to state m' with S extra resources can also be accepted by n so that the (covert) reduction induced takes us to state n' with the same extra resources. Under this definition we have the following refinements
$m \xrightarrow{\tau, S} m'$ f-refines $f(m) \xrightarrow{\tau, S} f(m')$
$m \xrightarrow{a, S + \{a\}} m'$ f-refines $f(m) \xrightarrow{a_\tau, S} f(m')$
$m \xrightarrow{a_\tau, S} m'$ f-refines $f(m) \xrightarrow{\tau, S} f(m')$.
The second refinement holds because the least offer a! made to m can be accepted by f(m) to reduce to f(m') with S extra resources, along with the extra a resource which was unused by the $a_\tau$. By considering refinement to be transitive we can dispense with the idea of $m \xrightarrow{a_\tau, S}$ transitions for resource graphs altogether and simply use $m \xrightarrow{a, S + \{a\}} m'$ instead. The chief feature of our resource graph morphisms then is that a morphism from R to R' allows us to specify in R a name for an internal synchronisation in R'. We reinforce these intuitions by exploiting the game theoretic characterisation of bisimulation to highlight the rôle of synchronisations as specified and unspecified pairs of actions. We briefly outline the structure of the remainder. The following short section recalls the category of transition systems and describes the asynchrony axioms. In Section 3 we define our category of resource graphs and relate them to transition systems. Bisimulation equivalence is defined as the span of open maps in this category and we characterise it using bisimulation like relations. The game theoretic description of this equivalence is spelled out in Section 4. We demonstrate the usefulness of our models in Section 5 by giving an enhanced notion of regularity for asynchronous systems and prove that bisimulation equivalence is polynomial time decidable over this class. Section 6 contains our conclusions. Acknowledgments: The author(s) would like to thank Catuscia Palamidessi and Guy McCusker for carefully reading a draft of this paper and suggesting many improvements. Thanks also to Colin Stirling for providing some useful pointers in the literature. This work was carried out during research visits at INRIA, Sophia-Antipolis and the University of Genova, which were funded by the EU-HCM Express network. I would sincerely like to thank Catuscia Palamidessi and Ilaria Castellani and their respective institutions for their extreme generosity and for directing me in my research.
2 Asynchronous systems
We recall, from [16], the de nition of the category of transition systems, T S and describe the subcategory, AT S , of asynchronous transition systems, as characterised by Selinger. Firstly, objects of T S are transition systems, (N ; n0; L; ,!) where n0 is a speci ed initial node. Morphisms in T S are pairs of morphisms (; ) : (N ; n0 ; L; ,!) ! (N 0 ; n00; L0 ; ,!) such that : N ! N 0 and : L * L0 is a partial function with the property that n0 n ,!
implies
(
n0 if # n ,! n = n0 otherwise.
Composition of morphisms is given by pairwise (partial) function composition and the identity morphisms are simply pairs of identity functions on the respective sets. A morphism $(\sigma, \lambda) : T \to T'$ indicates that $T'$ is a refinement of $T$ in the sense that $T$ is more specified than $T'$. Observe that $T$ may have more atomic actions than $T'$, with extra transitions pertaining to these actions. Also, $T$ may have a more specific structure than $T'$, with less non-determinism and fewer transitions. Indeed, when the $\lambda$ component of a morphism is the identity then this morphism is simply an inclusion of $T$ in $T'$. This idea of a morphism being a refinement is examined again in the category of resource graphs.

The particular sub-category $\mathcal{ATS}$ of $\mathcal{TS}$ in which we are interested is described as follows. Objects of the category are transition systems whose label set $L$ is typed, that is $L \subseteq A \times \{!, ?, \tau\} \cup \{\tau\}$ where $A$ is some set of channel names. That is, each action is either an output $a!$, an input $a?$, the result of a synchronisation of these, $a_\tau$, or an internal, hidden synchronisation $\tau$. These transition systems are subject to certain axioms, presented in Figure 2, which characterise their asynchronous behaviour [14]. Morphisms of $\mathcal{ATS}$ are similar to morphisms in $\mathcal{TS}$ except that the relabelling component $\lambda$ is now a partial function on $A$. We write $a^o$ to mean either $a_\tau$ or $\tau$ and define $\lambda a! = (\lambda a)!$, $\lambda a? = (\lambda a)?$, $\lambda a_\tau = (\lambda a)_\tau$ and $\lambda \tau = \tau$. Composition and identities are defined as in $\mathcal{TS}$.
Figure 2: Axioms for asynchronous transition systems. (The figure's commuting diagrams, the first-order asynchrony axioms of [14] over the transitions $a!$, $a?$, $a_\tau$ and $\tau$, are lost in this copy. What remains legible of them: an output $a!$ can be commuted past a following transition with a different label, subject to side conditions on that label; outputs are deterministic, $n \xrightarrow{a!} n'$ and $n \xrightarrow{a!} n''$ implies $n' = n''$; and an output followed by the matching input can be short-cut by a synchronisation, $n \xrightarrow{a!} n' \xrightarrow{a?} n''$ implies $n \xrightarrow{a_\tau} n''$.)
3 Resource graphs

A resource graph is a graph based model for systems in which there is some notion of resource, that is, some action which is persistent and not subject to reactive behaviour. A resource's use is never precluded. The particular application we have in mind is for modelling asynchronous systems wherein the ! actions of the systems are considered as resources. Formally, a resource graph is a quintuple $(M, A, m_0, S_0, \rightsquigarrow)$ where $M$ is a set of nodes, $A$ is some set of names, $m_0$ is a specified initial node in $M$ and $S_0$ is a multiset of resources which are initially available. We write $A^\oplus$ for the set of all multisets over the set $A$, so $S_0 \in A^\oplus$. The edges of the graph are given by
$$\rightsquigarrow \subseteq M \times (A \cup \{\tau\}) \times A^\oplus \times M$$
and we write $m \stackrel{a,S}{\rightsquigarrow} m'$ if $(m, a, S, m') \in \rightsquigarrow$. We will use $+$ and $-$ to denote multiset union and difference, where multiset difference $S - S'$ is a partial operator and is only defined when $S' \subseteq S$. These operators are extended pointwise to multiset valued functions.
We can now describe our category of resource graphs; in fact we describe two. The first, $\mathcal{RG}$, has morphisms similar to the category $\mathcal{ATS}$ in that a morphism represents refinement by introducing extra atomic actions and embedding. We use this category to relate the standard transition system models to resource graph models. The second category we define, $\mathcal{RGA}$, contains morphisms which, following the ideas outlined in the introduction, also allow refinement by specifying on which name a synchronisation takes place. The two categories are such that $\mathcal{RG}$ is a lluf sub-category of $\mathcal{RGA}$.

The objects of $\mathcal{RG}$ are resource graphs. A morphism $(\sigma, \lambda, \varphi)$ from $R = (M, A, m_0, S_0, \rightsquigarrow)$ to $R' = (M', A', m_0', S_0', \rightsquigarrow)$ is a triple where $\sigma$ is a function $M \to M'$, $\lambda$ is a partial function $A \cup \{\tau\} \rightharpoonup A' \cup \{\tau\}$ which preserves $\tau$, and $\varphi$ is a function $M \to A'^\oplus$, such that the following conditions are satisfied:

(i) $\sigma m_0 = m_0'$

(ii) $\lambda S_0 + \varphi m_0 = S_0'$

(iii) $m \stackrel{\alpha,S}{\rightsquigarrow} m'$ implies
$$\begin{cases} \sigma m \stackrel{\lambda\alpha,\,S'}{\rightsquigarrow} \sigma m' \text{ where } S' = \lambda S + \varphi m' - \varphi m & \text{if } \lambda\alpha \downarrow \\ \sigma m = \sigma m' \text{ and } S = \emptyset,\ \varphi m = \varphi m' & \text{otherwise.} \end{cases}$$

The $\varphi$ component of a morphism allows for a resource graph to be embedded within a larger resource graph containing additional resources available at each node. Identity morphisms in $\mathcal{RG}$ are of the form $(Id, Id, C_\emptyset)$ where $C_\emptyset$ denotes the constant empty multiset function. Composition is defined by
$$(\sigma, \lambda, \varphi); (\sigma', \lambda', \varphi') = (\sigma; \sigma',\ \lambda; \lambda',\ (\varphi; \lambda') + (\sigma; \varphi')).$$
It is straightforward enough to check that $\mathcal{RG}$ is indeed a category.
3.1 Relating the transition system and resource graph models
We describe an adjunction $\mathcal{ATS} \underset{ra}{\overset{ar}{\rightleftarrows}} \mathcal{RG}$ between our category of asynchronous transition systems and our simple category of resource graphs. The counit of this adjunction is in fact an isomorphism so the adjunction is a reflection. The functor $ra : \mathcal{RG} \to \mathcal{ATS}$ acts on objects as follows: $ra(M, A, m_0, S_0, \rightsquigarrow) = (M \times A^\oplus, A, (m_0, S_0), \rightarrow)$ where $\rightarrow$ is defined by

$$\begin{array}{ll} (m, S + \{a\}) \xrightarrow{a!} (m, S) & \\ (m, S) \xrightarrow{a?} (m', S') & \text{if } m \stackrel{a,S''}{\rightsquigarrow} m' \text{ and } S' = S + S'' \\ (m, S) \xrightarrow{\tau} (m', S') & \text{if } m \stackrel{\tau,S''}{\rightsquigarrow} m' \text{ and } S' = S + S'' \\ (m, S + \{a\}) \xrightarrow{a_\tau} (m', S') & \text{if } m \stackrel{a,S''}{\rightsquigarrow} m' \text{ and } S' = S + S''. \end{array}$$

On morphisms we have that $ra(\sigma, \lambda, \varphi) = (\sigma', \lambda)$ where $\sigma'(m, S) = (\sigma m, \lambda S + \varphi m)$.

In the other direction we need a couple of preliminary definitions before we can describe $ar$. Firstly, given an asynchronous transition system we let $\equiv$ denote the least equivalence on its nodes such that $n \xrightarrow{a!} n'$ implies $n \equiv n'$. Secondly, we write $n \xrightarrow{S!}$ if there exists a (possibly infinite) sequence of transitions
$$n \xrightarrow{a_1!} n_1 \xrightarrow{a_2!} \cdots \xrightarrow{a_k!} n_k \xrightarrow{a_{k+1}!} \cdots$$
such that $\sum_k \{a_k\} = S$. Define $Outs(n)$ to be the maximum $S$ such that $n \xrightarrow{S!}$. We can now describe our functor $ar$. On objects:
$$ar(N, n_0, L, \rightarrow) = (N/\!\equiv,\ A,\ [n_0],\ Outs(n_0),\ \rightsquigarrow)$$
where $A$ is the first projection of the label set $L \subseteq A \times \{!, ?, \tau\}$ and $\rightsquigarrow$ is defined by
$$\begin{array}{ll} [n] \stackrel{a,S}{\rightsquigarrow} [n'] & \text{if } n \xrightarrow{a?} n' \text{ and } S = Outs(n') - Outs(n) \\ {[n]} \stackrel{\tau,S}{\rightsquigarrow} [n'] & \text{if } n \xrightarrow{\tau} n' \text{ and } S = Outs(n') - Outs(n). \end{array}$$
The reader is invited to check that the asynchrony axioms guarantee that $Outs(n) \subseteq Outs(n')$, thus ensuring that this does define a resource graph. On morphisms we have that $ar(\sigma, \lambda) = ([\sigma], \lambda, (\sigma; Outs(\cdot)) - (Outs(\cdot); \lambda))$ where $[\sigma][n] = [\sigma n]$ and the third component is applied to any representative of the equivalence class. This is a well-defined resource graph morphism because of the asynchrony axioms.

Theorem 3.1 $ar$ is left adjoint to $ra$; moreover the counit, $ra; ar \xrightarrow{\varepsilon} Id$, of the adjunction is an isomorphism.
Proof: The counit of the adjunction is $(\varepsilon, Id, C_\emptyset)$ where $\varepsilon([(m, S)]) = m$. This is easily seen to be natural and universal and it has an inverse $(\varepsilon^{-1}, Id, C_\emptyset)$ where $\varepsilon^{-1}(m) = [(m, \emptyset)]$. Dually, the unit of the adjunction is $(\langle [\cdot], Outs(\cdot) \rangle, Id)$. $\square$

We see that the unit of the adjunction does not necessarily have an inverse. This is because in mapping our resource graph to a transition system we consider all configurations of nodes and multisets. This includes many configurations which don't necessarily arise during computation. Thus, if we restrict our attention to those configurations which are reachable, in some sense, then we can find an inverse for our unit. To this end, define the set of reachable configurations of a resource graph to be $Reach(m_0, S_0)$ where $Reach$ is defined inductively as follows:
$$Reach_0(m, S) = \emptyset, \qquad Reach_{n+1}(m, S) = \{(m, S') \mid S' \subseteq S\} \cup \bigcup_{m \stackrel{\alpha,S''}{\rightsquigarrow} m'} Reach_n(m', S'' + S).$$
Let $Reach(m, S) = \bigcup_n Reach_n(m, S)$.

We immediately note that all reachable configurations of the resource graph $ar(T)$ are of the form $([n], Outs(n))$ for some $n \in T$. Thus, by replacing the set of all configurations $M \times A^\oplus$ by just the reachable ones, $Reach(m_0, S_0)$, we can obtain an equivalence between the sub-categories of $\mathcal{ATS}$ and $\mathcal{RG}$ whose graphs only contain reachable states.
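The following Python is an added example, not code from the paper: it computes $Reach_n$ literally from the inductive definition above and then the four transition clauses of $ra$ between a given finite set of configurations, on a constructed three-node resource graph. The dictionary encoding of a graph (edges as $(m, \alpha, S, m')$ tuples with multisets as `Counter`s, the label `"tau"` for $\tau$, and transition labels `(a, "!")`, `(a, "?")`, `(a, "tau")` for $a_\tau$ and `("tau",)` for $\tau$) is this example's own convention. The depth is bounded because $Reach$ is infinite whenever a cycle accumulates resources.

```python
from collections import Counter
from itertools import combinations

TAU = "tau"  # internal action; any other edge label is an input on that channel name

# Constructed example resource graph (not one from the paper), edges (m, alpha, S, m'):
# node 0 inputs on a and makes a b available, node 1 does an internal step, node 2 keeps
# accepting b. Initially one a resource is available.
EXAMPLE_RG = {
    "init": 0,
    "init_res": Counter({"a": 1}),
    "edges": [
        (0, "a", Counter({"b": 1}), 1),   # 0 ~(a,{b})~> 1
        (1, TAU, Counter(), 2),           # 1 ~(tau,{})~> 2
        (2, "b", Counter(), 2),           # 2 ~(b,{})~> 2
    ],
}

def freeze(m, s):
    """Hashable form of a configuration (m, S): the multiset becomes sorted (name, count) pairs."""
    return (m, tuple(sorted(s.items())))

def submultisets(s):
    """All S' with S' ⊆ S, each listed once."""
    items = list(s.elements())
    found = {}
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            found.setdefault(tuple(sorted(combo)), Counter(combo))
    return list(found.values())

def reach_n(rg, m, s, n):
    """Reach_n(m, S) as defined in Section 3.1: empty for n = 0, otherwise every
    sub-multiset configuration at m together with Reach_{n-1}(m', S'' + S) for each
    edge m ~(alpha,S'')~> m' (inputs are not consumed here; the environment supplies them)."""
    if n == 0:
        return set()
    confs = {freeze(m, s2) for s2 in submultisets(s)}
    for (src, _alpha, s2, dst) in rg["edges"]:
        if src == m:
            confs |= reach_n(rg, dst, s2 + s, n - 1)
    return confs

def ra_transitions(rg, confs):
    """The four transition clauses of ra(R), restricted to source and target in confs.
    Labels are (a, "!"), (a, "?"), (a, "tau") for a synchronisation on a, and ("tau",)."""
    trans = set()
    for (m, fs) in confs:
        s = Counter(dict(fs))
        for a in s:                                   # (m, S+{a}) --a!--> (m, S)
            tgt = freeze(m, s - Counter({a: 1}))
            if tgt in confs:
                trans.add(((m, fs), (a, "!"), tgt))
        for (src, alpha, s2, dst) in rg["edges"]:
            if src != m:
                continue
            tgt = freeze(dst, s + s2)
            if alpha == TAU:                          # (m, S) --tau--> (m', S+S'')
                if tgt in confs:
                    trans.add(((m, fs), ("tau",), tgt))
                continue
            if tgt in confs:                          # (m, S) --a?--> (m', S+S'')
                trans.add(((m, fs), (alpha, "?"), tgt))
            if s[alpha] > 0:                          # (m, S+{a}) --a_tau--> (m', S+S'')
                tgt = freeze(dst, (s - Counter({alpha: 1})) + s2)
                if tgt in confs:
                    trans.add(((m, fs), (alpha, "tau"), tgt))
    return trans

def example_reach_and_ra(depth=4):
    """Reachable configurations of EXAMPLE_RG to the given depth and the ra transitions among them."""
    confs = reach_n(EXAMPLE_RG, EXAMPLE_RG["init"], EXAMPLE_RG["init_res"], depth)
    return confs, ra_transitions(EXAMPLE_RG, confs)

if __name__ == "__main__":
    confs, trans = example_reach_and_ra()
    print(len(confs), "configurations,", len(trans), "transitions")
    for t in sorted(trans, key=repr):
        print(t)
```

On this graph $Reach_n$ is stable from $n = 3$ (ten configurations), and the $a_\tau$ clause shows up as the transition from $(0, \{a\})$ to $(1, \{b\})$: the available $a$ is consumed by the input on $a$ and the $b$ the edge offers is added, whereas the $a?$ clause from the same configuration keeps the $a$ and lands in $(1, \{a, b\})$.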
3.2 A larger category of resource graphs
We now consider a slightly more general category $\mathcal{RGA}$ of which $\mathcal{RG}$ is a lluf sub-category, that is, the objects of $\mathcal{RGA}$ are exactly the objects of $\mathcal{RG}$. The extension lies in the notion of morphism. We relax the definition of morphism of resource graphs in accordance with the motivation outlined in the introduction. The generalisation is tantamount to allowing a $\tau$ action of the target graph to be specified as a synchronisation on a particular name. We argued that a synchronisation on channel $a$ is a refinement of the action $a?$ where an extra $a!$ resource is made available. The new notion of morphism utilises this observation. A morphism of $\mathcal{RGA}$ is a triple $(\sigma, \lambda, \varphi)$ as above; however we ask that the following conditions be satisfied instead:

(i) $\sigma m_0 = m_0'$, as above

(ii) $\lambda S_0 + \varphi m_0 = S_0'$, as above

(iii) $m \stackrel{\tau,S}{\rightsquigarrow} m'$ implies $\sigma m \stackrel{\tau,S'}{\rightsquigarrow} \sigma m'$

(iv) $m \stackrel{a,S}{\rightsquigarrow} m'$ implies
$$\begin{cases} \sigma m \stackrel{\lambda a,\,S'}{\rightsquigarrow} \sigma m' \ \text{ or } \ \sigma m \stackrel{\tau,\,S''}{\rightsquigarrow} \sigma m' & \text{if } \lambda a \downarrow \\ \sigma m = \sigma m' \text{ and } S = \emptyset,\ \varphi m = \varphi m' & \text{otherwise} \end{cases}$$
where $S' = \lambda S + \varphi m' - \varphi m$ and $S'' = \lambda(S - \{a\}) + \varphi m' - \varphi m$.

Identities and composition are defined as in $\mathcal{RG}$ and $\mathcal{RGA}$ is also seen to be a category.
3.3 Bisimulation on resource graphs
We propose a definition of bisimulation, suitable for resource graphs, in abstract form. Namely, we use the machinery of open maps, [7], to declare two resource graphs with the same label set $A$ bisimilar if there exists a span of open maps between them in the sub-category $\mathcal{RGA}_o$ of $\mathcal{RGA}$. All of this sub-category's objects have label set $A$ and all morphisms have the identity as the $\lambda$ component. Furthermore, edges in the graphs of $\mathcal{RGA}_o$ enjoy the following determinacy conditions:
$$\begin{array}{l} m \stackrel{\tau,S}{\rightsquigarrow} m' \text{ and } m \stackrel{\tau,S'}{\rightsquigarrow} m' \text{ implies } S = S' \\ m \stackrel{a,S+\{a\}}{\rightsquigarrow} m' \text{ and } m \stackrel{\tau,S'}{\rightsquigarrow} m' \text{ implies } S = S'. \end{array}$$
One should note that this determinacy condition is a technical restriction and can easily be enforced in an arbitrary resource graph by simply sending offending pairs of transitions to different targets. We define paths in $\mathcal{RGA}_o$ to be resource graphs of the form
$$m_0 \stackrel{\alpha_1,S_1}{\rightsquigarrow} m_1 \stackrel{\alpha_2,S_2}{\rightsquigarrow} \cdots \stackrel{\alpha_k,S_k}{\rightsquigarrow} m_k$$
with initial node $m_0$ and initial resources $S_0$. Recall that we call a morphism $f : R \to R'$ open if for all paths $P, Q$ with $P \hookrightarrow Q$ and morphisms $g : P \to R$, $q : Q \to R'$ such that the square $g; f = (P \hookrightarrow Q); q$ commutes, there is a morphism $h : Q \to R$ such that $(P \hookrightarrow Q); h = g$ and $h; f = q$ (we use $\hookrightarrow$ to denote inclusion morphisms). Define bisimulation then as $R \sim_o R'$ iff there exists a span $R \xleftarrow{f} \hat R \xrightarrow{g} R'$ with $f, g$ open. It is easy to see that $\sim_o$ is both reflexive and symmetric, but to prove that it is transitive it is sufficient to check that $\mathcal{RGA}_o$ has pullbacks [7].

Proposition 3.2 $\mathcal{RGA}_o$ has pullbacks, which makes $\sim_o$ an equivalence relation.
3.4 Characterising $\sim_o$

The abstract definition of bisimulation using open maps, while being quite general, is not particularly illuminating. For this reason it is natural to seek simpler characterisations of this relation. To this end we consider the following class of relations. For resource graphs $(M, A, m_0, S_0, \rightsquigarrow)$ and $(M', A, m_0', S_0', \rightsquigarrow)$ such that $S_0 = S_0'$ we call a symmetric relation $B$ on $M \times M'$ a resource graph bisimulation if $(m_0, m_0') \in B$ and whenever $(m_1, m_2) \in B$ then

- if $m_1 \stackrel{\tau,S}{\rightsquigarrow} m_1'$ then there exists an $m_2'$ such that $m_2 \stackrel{\tau,S}{\rightsquigarrow} m_2'$ with $(m_1', m_2') \in B$;
- if $m_1 \stackrel{a,S}{\rightsquigarrow} m_1'$ then there exists an $m_2'$ such that $m_2 \stackrel{a,S}{\rightsquigarrow} m_2'$, or $m_2 \stackrel{\tau,S'}{\rightsquigarrow} m_2'$ with $S' + \{a\} = S$, with $(m_1', m_2') \in B$.

We write $R \sim_{rg} R'$ if there exists a resource graph bisimulation relating $R$ and $R'$.

Theorem 3.3 $\sim_{rg}$ and $\sim_o$ coincide.
3.5 A model for asynchronous CCS
We recall the notion of asynchronous bisimulation, $\approx_{as}$, as proposed by Amadio, Castellani and Sangiorgi [1] (albeit for the $\pi$-calculus and without $a_\tau$ actions) and show that the functor $ar$ and the equivalence $\sim_o$ provide a fully abstract interpretation for $\approx_{as}$. A symmetric relation $B$ on asynchronous CCS processes is called an asynchronous bisimulation if whenever $(p, q) \in B$ we have

- if $p \xrightarrow{a!} p'$ then there exists a $q'$ such that $q \xrightarrow{a!} q'$ with $(p', q') \in B$;
- if $p \xrightarrow{\tau} p'$ then there exists a $q'$ such that $q \xrightarrow{\tau} q'$ with $(p', q') \in B$;
- if $p \xrightarrow{a_\tau} p'$ then there exists a $q'$ such that $q \xrightarrow{a_\tau} q'$ with $(p', q') \in B$;
- if $p \xrightarrow{a?} p'$ then there exists a $q'$ such that $q \xrightarrow{a?} q'$ with $(p', q') \in B$, or $q \xrightarrow{\tau} q'$ with $(p', a! \parallel q') \in B$.

Recall that $a^o$ means either $a_\tau$ or $\tau$. The largest such relation will be denoted $\approx_{as}$.
By considering asynchronous processes as asynchronous transition systems, via operational semantics, we can interpret processes as resource graphs by means of the functor $ar$. This interpretation is fully abstract for $\approx_{as}$.

Theorem 3.4 For asynchronous processes $p$ and $q$, $p \approx_{as} q$ if and only if $ar(p) \sim_o ar(q)$.

Proof: Show $p \approx_{as} q$ iff $ar(p) \sim_{rg} ar(q)$ and use Theorem 3.3. $\square$
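As an added example (not the paper's code), here is $ar$ applied to a hand-built asynchronous transition system for the aCCS process $a! \parallel a?.c!$: $\equiv$ is computed by union-find over the output transitions, $Outs$ by following output transitions (only the finite case is handled; an output cycle is reported as an error), and each $a?$ or $\tau$ transition becomes an edge labelled with $Outs(n') - Outs(n)$. The transition system, its six state names and the label encoding `(name, "!")`, `(name, "?")`, `(name, "tau")` for $a_\tau$ and `("tau",)` for $\tau$ are all constructed for this example.

```python
from collections import Counter

TAU = "tau"

# Constructed asynchronous transition system (not taken from the paper) for the aCCS
# process a! || a?.c! ; labels are (name, "!"), (name, "?"), (name, "tau") for a
# synchronisation on that name, and ("tau",) for a hidden synchronisation.
EXAMPLE_ATS = {
    "init": "N0",                       # N0 = a! || a?.c!
    "trans": [
        ("N0", ("a", "!"), "N1"),       # N1 = a?.c!
        ("N0", ("a", "?"), "N2"),       # N2 = a! || c!
        ("N0", ("a", "tau"), "N3"),     # N3 = c!   (feedback of the a! and the a?)
        ("N1", ("a", "?"), "N3"),
        ("N2", ("a", "!"), "N3"),
        ("N2", ("c", "!"), "N4"),       # N4 = a!
        ("N3", ("c", "!"), "N5"),       # N5 = nil
        ("N4", ("a", "!"), "N5"),
    ],
}

def subset(s, t):
    """Multiset inclusion S ⊆ T."""
    return all(t[k] >= v for k, v in s.items())

def outs(ats, n, _stack=()):
    """Outs(n): the maximum S with n --S!-->. Only finite Outs are handled: an output
    cycle would make Outs infinite and is reported as an error."""
    if n in _stack:
        raise ValueError("Outs(%r) is infinite: output cycle" % (n,))
    best = Counter()
    for (src, lab, dst) in ats["trans"]:
        if src == n and lab[-1] == "!":
            cand = Counter({lab[0]: 1}) + outs(ats, dst, _stack + (n,))
            if subset(best, cand):
                best = cand
            elif not subset(cand, best):
                raise ValueError("incomparable output sequences from %r" % (n,))
    return best

def output_classes(ats):
    """The equivalence ≡ generated by n --a!--> n', as a map from node to representative."""
    nodes = {ats["init"]} | {x for (s, _, d) in ats["trans"] for x in (s, d)}
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (s, lab, d) in ats["trans"]:
        if lab[-1] == "!":
            parent[find(s)] = find(d)
    return {n: find(n) for n in nodes}

def ar(ats):
    """ar(T): nodes are ≡-classes, initial resources Outs(n0), and an edge
    [n] ~(alpha, Outs(n') - Outs(n))~> [n'] for every input or tau transition n --alpha--> n'."""
    cls = output_classes(ats)
    edges = set()
    for (s, lab, d) in ats["trans"]:
        if lab == ("tau",):
            alpha = TAU
        elif lab[-1] == "?":
            alpha = lab[0]
        else:
            continue        # outputs are absorbed by ≡; synchronisations a_tau give no edge
        so, sd = outs(ats, s), outs(ats, d)
        if not subset(so, sd):
            raise ValueError("asynchrony axioms violated at %r --> %r" % (s, d))
        edges.add((cls[s], alpha, tuple(sorted((sd - so).items())), cls[d]))
    return {"nodes": set(cls.values()), "init": cls[ats["init"]],
            "init_res": outs(ats, ats["init"]), "edges": edges}

if __name__ == "__main__":
    print(ar(EXAMPLE_ATS))
```

The six states collapse to two classes, $\{N_0, N_1\}$ and $\{N_2, \ldots, N_5\}$; both $a?$ transitions yield the same edge $[N_0] \stackrel{a,\{c\}}{\rightsquigarrow} [N_2]$ with initial resources $\{a\}$, and the $a_\tau$ transition contributes nothing, since $ra$ recovers it from that edge and the available $a$.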
The reader should note that $\approx_{as}$ is an atypical notion of bisimulation for transition systems and differs from the one in [1] in that $a_\tau$ actions must be matched solely by $a_\tau$ actions, thereby disallowing the possibility of matching with a $\tau$ action. A more standard notion of equivalence is gained by replacing the third matching condition above with

- if $p \xrightarrow{a_\tau} p'$ then there exists a $q'$ such that $q \xrightarrow{a^o} q'$ with $(p', q') \in B$.

Let $\approx^+_{as}$ denote the equivalence yielded by this modification. This situation is of course rather unsatisfactory in general, but we can at least console ourselves with the fact that $\approx_{as}$ coincides with the more standard $\approx^+_{as}$ on the class of transition systems for which $Outs$ is finite at each node. In particular $\approx_{as}$ and $\approx^+_{as}$ coincide on our class of regular processes in Section 5.

Proposition 3.5 $\approx_{as}$ and $\approx^+_{as}$ coincide on the class of transition systems such that $Outs$ is finite at each node.

Proof: One inclusion is immediate. For the reverse inclusion we need to show that $\approx^+_{as}$ is an asynchronous bisimulation. The only way that $\approx^+_{as}$ may fail to be an asynchronous bisimulation is if, given $p \approx^+_{as} q$, we have $p \xrightarrow{a_\tau} p'$ being matched by $q \xrightarrow{\tau} q'$ for some $q'$. We show that there must be a matching $a_\tau$ transition in this case. Now, we know that $Outs(p)$ is finite and that each of these output transitions from $p$ must be matched by $q$. Therefore there exist $p_0, q_0$ such that
$$p \xrightarrow{a_1!} \cdots \xrightarrow{a_n!} p_0 \quad \text{and} \quad q \xrightarrow{a_1!} \cdots \xrightarrow{a_n!} q_0$$
and $Outs(p_0) = Outs(q_0) = \emptyset$ and $p_0 \approx^+_{as} q_0$. We know that asynchrony ensures $p_0 \xrightarrow{a?} p_0'$ for some $p_0'$ and that this must be matched by $q_0 \xrightarrow{a?} q_0'$ because $q_0$ can no longer perform an $a_\tau$ transition as $Outs(q_0) = \emptyset$. Again, by asynchrony we know that $q \xrightarrow{a_\tau} q''$ for some $q''$. It is easy to check that $p' \approx^+_{as} q''$ follows from $p_0' \approx^+_{as} q_0'$. $\square$
4 Game theoretic description of $\sim_o$

We extend our characterisation of asynchronous bisimulation further by showing how the notion can be captured as winning strategies of a suitable game. The use of games to characterise bisimulation has provided a conceptually powerful tool for understanding bisimulation as an equivalence which captures interaction [15]. In our setting the game characterisation helps us understand the role of $\tau$ as a pair of unspecified, complementary actions. We give a general definition of what we mean by a game and instantiate this definition later to give us our appropriate equivalence.

So, a game $\Gamma$ is a quadruple $(C, c_0, \vdash, \ell)$ where $C$ is a set of configurations with a specified initial configuration $c_0$. The relation $\vdash \subseteq C \times C$ comprises the rules of the game. This relation tells us how play may continue from one move to the next. The function $\ell : C \to \{O, P\}$ labels moves as either Opponent or Player moves according to who is next to play; we require $\ell c_0 = O$ and $\ell c \neq \ell c'$ whenever $c \vdash c'$. A play of a game is a sequence $c_0 \vdash c_1 \vdash c_2 \vdash \cdots \vdash c_k$. We write $\mathcal{P}(\Gamma)$ for the set of all plays and abuse notation by writing $\ell\, cs$ to mean the label of the last move of $cs$ (if it exists). A play $cs$ is called maximal if it is infinite or cannot be extended, that is, there is no move $c$ such that $cs \vdash c$. We say that $O$ wins the finite play $cs$ if $\ell\, cs = P$ and $cs$ is maximal. Dually, we say that $P$ wins a (possibly) infinite play if $\ell\, cs = O$ and the play is maximal. A strategy for $O$ is a partial function from $Pos(O) = \{cs \mid \ell\, cs = O\}$ to $M(P) = \{c \mid \ell c = P\}$. We can define a strategy for $P$ similarly. Given an $O$-strategy $\sigma_o$, we write $\mathcal{P}(\sigma_o)$ for
$$\{cs \in \mathcal{P}(\Gamma) \mid \forall cs' < cs.\ \ell\, cs' = O \text{ implies } (cs' \vdash \sigma_o(cs')) < cs\}$$
where $<$ is the prefix ordering on plays. We say that the strategy $\sigma_o$ is winning if all maximal plays of $\mathcal{P}(\sigma_o)$ are finite and labelled $P$. Dually, we can define $\mathcal{P}(\sigma_p)$ for Player strategies $\sigma_p$ and say that $\sigma_p$ is winning if all maximal plays of $\mathcal{P}(\sigma_p)$ are infinite or labelled $O$.
4.1 The asynchronous bisimulation game
We can now describe the game which characterises asynchronous bisimulation simply by describing the configurations of the game and the rules. Before formally defining these however, we give an intuitive explanation of the game. Imagine a table containing a pile of cards, labelled with names from some set $A$, arranged in such a way as to model a resource graph. In addition to this pile of cards there is a hand of cards kept as a reserve. So, if the resource graph has an $m \stackrel{a,S}{\rightsquigarrow} m'$ transition, this means there will be an $a$ card available for play from the pile. If it is played then the cards in $S$ must be picked up and kept in the reserve hand and the pile of cards will now reflect state $m'$. If the resource graph has an $m \stackrel{\tau,S}{\rightsquigarrow} m'$ transition then the player has a blank card available. If she wishes to play this blank card she must pencil in a name, play it, pick up the cards in $S$ for the reserve hand and, in addition to these, must fill in a blank card with the same name and place it in the reserve hand. A card from the reserve hand may be played irrespective of the pile of cards representing the resource graph. A configuration of our game is a pair of the above tables, that is, two tables with a pile of cards and a separate reserve hand each. At each turn, Opponent can play a card from either table and Player must play the same card from the other table. The only extra condition is that a card from a reserve hand is played by Player if and only if Opponent has played her card from a reserve hand. Opponent always starts and play continues until one of the players becomes stuck. Opponent wins if Player becomes stuck and Player wins otherwise.

To formalise this, given two resource graphs $R = (M, A, m_0, S_0, \rightsquigarrow)$ and $R' = (M', A, m_0', S_0', \rightsquigarrow)$ we describe the game $\Gamma_A(R, R')$ as the quadruple $(C, c_0, \vdash, \ell)$ where $C$ is the set of all $((m, S), (m', S'), zs, d)$ such that $m \in M$, $m' \in M'$, $S, S' \in A^\oplus$, $zs \in (A \times \{!, ?\})^*$ and $d \in \{L, R, E\}$. Clearly, the nodes of the resource graphs represent the piles of cards on the tables and the respective multisets represent the reserve hands. We use the list $zs$ to represent the cards that have already been played and $d$ merely to indicate which table must be played from next: the Left, the Right or Either. The cards in $zs$ are tagged with a ? or a ! to indicate whether the card was played from a table or from a reserve hand. It should be no surprise then that the initial configuration is $c_0 = ((m_0, S_0), (m_0', S_0'), \varepsilon, E)$.

Left rules (if $d \in \{L, E\}$):

Table: $((m, S), (m', S'), zs, d) \vdash ((m'', S + S''), (m', S'), a?\,zs, \bar d)$ if $m \stackrel{a,S''}{\rightsquigarrow} m''$ and $d = L$ implies $hd(zs) = a?$

Reserve: $((m, S), (m', S'), zs, d) \vdash ((m, S - \{a\}), (m', S'), a!\,zs, \bar d)$ if $d = L$ implies $hd(zs) = a!$

Blank: $((m, S), (m', S'), zs, d) \vdash ((m'', S + S'' + \{a\}), (m', S'), a?\,zs, \bar d)$ if $m \stackrel{\tau,S''}{\rightsquigarrow} m''$ and $d = L$ implies $hd(zs) = a?$

Right rules (if $d \in \{R, E\}$):

Table: $((m, S), (m', S'), zs, d) \vdash ((m, S), (m'', S' + S''), a?\,zs, \bar d)$ if $m' \stackrel{a,S''}{\rightsquigarrow} m''$ and $d = R$ implies $hd(zs) = a?$

Reserve: $((m, S), (m', S'), zs, d) \vdash ((m, S), (m', S' - \{a\}), a!\,zs, \bar d)$ if $d = R$ implies $hd(zs) = a!$

Blank: $((m, S), (m', S'), zs, d) \vdash ((m, S), (m'', S' + S'' + \{a\}), a?\,zs, \bar d)$ if $m' \stackrel{\tau,S''}{\rightsquigarrow} m''$ and $d = R$ implies $hd(zs) = a?$

where, for the Left rules, $\bar L = E$ and $\bar E = R$, and for the Right rules, $\bar R = E$ and $\bar E = L$.

Figure 3: Rules for asynchronous bisimulation game

We can label moves by using the last component so that $\ell c = P$ if $d \in \{L, R\}$ and $\ell c = O$ if $d = E$. The rules for the game are given in Figure 3 and fall into three pairs of symmetric rules which describe the moves of playing a card from the table, playing a card from the reserve hand and playing a blank card by pencilling in a name; a blank card pencilled with $a$ is recorded as $a?$, so it is answered by (and answers) a table card $a$ on the other side. We write $R \sim_\Gamma R'$ if there exists a winning Player strategy according to the rules of $\Gamma_A(R, R')$. It is simple enough to see that this is indeed an equivalence relation; in fact this is exactly resource graph bisimulation.
Theorem 4.1 $\sim_{rg}$ coincides with $\sim_\Gamma$.

Proof: It is easy to see that $\sim_{rg} \subseteq \sim_\Gamma$. For the reverse inclusion, given a winning strategy, it is sufficient to build a bisimulation relation. This is constructed as pairs of nodes which occur in the configurations of plays according to the winning strategy. We take exactly those pairs which occur after Player moves. To see that this will be a resource graph bisimulation we note that $\tau$ transitions must be matched by $\tau$ transitions: otherwise Opponent could win by choosing a fresh name to pencil in on the blank card given by the $\tau$ action. Player couldn't hope to match this unless he also had a $\tau$ move available. To see that the resources being collected by each graph must be identical we note that, otherwise, Opponent could win by simply playing a move from the larger of the two reserve hands. $\square$
5 Regular asynchronous processes

We hinted earlier that our new model would lend itself to providing a notion of regular process for asynchronous calculi whereby regular terms have finite graphs. By finite graph we mean finitely many nodes, finitely many transitions and each resource multiset is finite. So far we have interpreted asynchronous CCS in $\mathcal{RG}$ indirectly by first giving an $\mathcal{ATS}$ semantics and then applying the functor $ar$. This approach suffices for modelling our language; indeed, to establish a regular term/finite resource graph relationship one need only show that the equivalence relation used by the functor $ar$ has finite index on transition systems generated by regular terms. However, this method is slightly unsatisfactory as it involves building potentially infinite graphs and collapsing them. What would be more pleasing is a direct interpretation of aCCS in $\mathcal{RGA}$ by which regular terms immediately receive finite graph models. Furthermore, we should require that this interpretation be compositional and coincide (up to equivalence) with the indirect interpretation. In fact, for our purposes it suffices to interpret what we will refer to as (asynchronously) regular terms of aCCS. These can be characterised by the following grammar
$$p ::= nil \ \mid\ X \ \mid\ a! \parallel p \ \mid\ p \parallel a! \ \mid\ \sum_{i \in I} \alpha_i . p_i \ \mid\ rec\, X.p$$
where $I$ is a finite indexing set, $X$ is drawn from some set of variables $Var$, the $\alpha_i$ are either $a?$ or $\tau$ and all recursions are guarded. We adopt the conventional notions of free and bound variables here.

To interpret recursion, we take the approach of [9] and augment resource graphs with an extra component. This new component, $U$, is a relation on nodes of the graph and the ambient set of recursion variables, $Var$. We say that a variable $X$ is unguarded at a node $m$ if $(m, X) \in U$ and we call a resource graph closed if $U$ is the empty relation. We make use of the following operators on resource graphs. Firstly, we note that resource graphs have a tensor product structure, $\otimes$, with unit $I$. Given graphs $R = (M, A, m_0, S_0, \rightsquigarrow, U)$ and $R' = (M', A', m_0', S_0', \rightsquigarrow, U')$ this is defined in the obvious way as
$$R \otimes R' = (M \times M',\ A + A',\ (m_0, m_0'),\ S_0 + S_0',\ \rightsquigarrow,\ U \cup U')$$
where
$$(m, n) \stackrel{\alpha,S}{\rightsquigarrow} (m', n) \text{ if } m \stackrel{\alpha,S}{\rightsquigarrow} m', \qquad (m, n) \stackrel{\alpha,S}{\rightsquigarrow} (m, n') \text{ if } n \stackrel{\alpha,S}{\rightsquigarrow} n'.$$
The tensor unit is $I = (\{*\}, \emptyset, *, \emptyset, \emptyset, \emptyset)$. The definition of $\otimes$ easily lifts to morphisms to become a bifunctor on $\mathcal{RGA}$. We interpret an output action $a!$ as the resource graph $(\{*\}, \{a\}, *, \{a\}, \emptyset, \emptyset)$ and we will refer to this graph simply by $a!$. Similarly, we use the name $X$ to refer to the resource graph $(\{*\}, \emptyset, *, \emptyset, \emptyset, \{(*, X)\})$. Another useful operation is that of the lifted sum of resource graphs. Given an $I$-indexed set of graphs $R_i$ and an $I$-indexed set of actions $\alpha_i$, we define
$$\sum_{i \in I} (\alpha_i, R_i) = \Big(\big(\biguplus_i M_i\big) + \{*\},\ \bigcup_i A_i \cup \{\alpha_i \mid \alpha_i \neq \tau\},\ *,\ \emptyset,\ \rightsquigarrow_?,\ \bigcup_i U_i\Big)$$
where $\rightsquigarrow_? = \bigcup_i \rightsquigarrow_i \cup \{* \stackrel{\alpha_i,\, S_0^i}{\rightsquigarrow} m_0^i \mid i \in I\}$. Finally, we describe how we interpret recursion over resource graphs. Given a graph $R$, we define $rec\, X.R$ to be the graph $(M, A, m_0, S_0, \rightsquigarrow^+, U^+)$ where $U^+$ is just $U$ with all pairs $(m, X)$ removed. $\rightsquigarrow^+$ is defined in two steps. Firstly, define
$$m \stackrel{\alpha,S}{\rightsquigarrow}_1 m' \text{ if } m \stackrel{\alpha,S}{\rightsquigarrow} m' \text{ and } (m', X) \notin U, \qquad m \stackrel{\alpha,S+S_0}{\rightsquigarrow}_1 m_0 \text{ if } m \stackrel{\alpha,S}{\rightsquigarrow} m' \text{ and } (m', X) \in U.$$
Then, let $m \stackrel{\alpha,S}{\rightsquigarrow}^+ m'$ if $m_0 \stackrel{\alpha,S}{\rightsquigarrow}_1 m'$ and $(m, X) \in U$, or $m \stackrel{\alpha,S}{\rightsquigarrow}_1 m'$. The informed reader will notice that this definition of recursion differs slightly from that in [9] and is not sufficient to model general recursion, but we exploit the property that regular terms never have more than one unguarded variable to give a simple definition. These operators now allow us to interpret regular terms of aCCS in the desired manner:
$$[\![nil]\!] = I \qquad [\![X]\!] = X \qquad [\![a! \parallel p]\!] = a! \otimes [\![p]\!] \qquad [\![p \parallel a!]\!] = [\![p]\!] \otimes a!$$
$$[\![\textstyle\sum_I \alpha_i . p_i]\!] = \textstyle\sum_I (\alpha_i, [\![p_i]\!]) \qquad [\![rec\, X.p]\!] = rec\, X.[\![p]\!].$$
Let $\hat p$ denote the transition system that would model $p$ using the standard SOS semantics of CCS.

Proposition 5.1
(i) The resource graph $[\![p]\!]$ is finite for any regular term $p$.
(ii) If $p$ is closed then $[\![p]\!]$ is a closed graph.
(iii) Every finite closed graph is $\sim_{rg}$ equivalent to $[\![p]\!]$ for some regular $p$.
(iv) $ar(\hat p) \sim_{rg} [\![p]\!]$.

This firmly establishes the correspondence between asynchronously regular terms and finite resource graphs.
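An added example (not the paper's code) of the direct interpretation: Python encodings of the tensor $\otimes$, the lifted sum and $rec\, X$ as just defined, applied to the regular term $rec\, X.\, a?.(b! \parallel X)$. The term encoding (`("nil",)`, `("var", X)`, `("out", a, p)` for $a! \parallel p$, `("sum", [(alpha, p), ...])`, `("rec", X, p)`), the tagging of summands by their index $i$ to keep the $M_i$ disjoint, and the lifting of $U$ to product nodes in $\otimes$ are this example's own choices.

```python
from collections import Counter

TAU = "tau"

def fz(counter):
    """Canonical hashable multiset: sorted (name, count) pairs."""
    return tuple(sorted((k, v) for k, v in counter.items() if v > 0))

def madd(s, t):
    """Multiset union of two frozen multisets."""
    return fz(Counter(dict(s)) + Counter(dict(t)))

# Resource graphs carry the extra unguarded-variable relation U of Section 5 as "ung".
def unit():
    return {"nodes": {"*"}, "init": "*", "init_res": (), "edges": set(), "ung": set()}

def output(a):
    g = unit()
    g["init_res"] = fz(Counter({a: 1}))
    return g

def variable(x):
    g = unit()
    g["ung"] = {("*", x)}
    return g

def tensor(r, r2):
    """R (x) R': product nodes, summed initial resources, the edges of either component.
    U is lifted to product nodes (this example's reading of the paper's U ∪ U')."""
    edges = {((m, n), al, s, (m2, n)) for (m, al, s, m2) in r["edges"] for n in r2["nodes"]}
    edges |= {((m, n), al, s, (m, n2)) for (n, al, s, n2) in r2["edges"] for m in r["nodes"]}
    ung = {((m, n), x) for (m, x) in r["ung"] for n in r2["nodes"]}
    ung |= {((m, n), x) for (n, x) in r2["ung"] for m in r["nodes"]}
    return {"nodes": {(m, n) for m in r["nodes"] for n in r2["nodes"]},
            "init": (r["init"], r2["init"]), "init_res": madd(r["init_res"], r2["init_res"]),
            "edges": edges, "ung": ung}

def lifted_sum(branches):
    """Sum of (alpha_i, R_i): a fresh initial node "*" with an (alpha_i, S_0^i) edge into each
    R_i's initial node; the R_i are kept disjoint by tagging their nodes with i."""
    g = unit()
    for i, (alpha, r) in enumerate(branches):
        g["nodes"] |= {(i, m) for m in r["nodes"]}
        g["edges"] |= {((i, m), al, s, (i, m2)) for (m, al, s, m2) in r["edges"]}
        g["edges"].add(("*", alpha, r["init_res"], (i, r["init"])))
        g["ung"] |= {((i, m), x) for (m, x) in r["ung"]}
    return g

def rec(x, r):
    """rec X.R: edges into an X-unguarded node are redirected to m0 (adding S_0), then every
    X-unguarded node inherits m0's edges; the pairs (m, X) are dropped from U."""
    ung_x = {m for (m, y) in r["ung"] if y == x}
    m0, s0 = r["init"], r["init_res"]
    step1 = {(m, al, madd(s, s0) if m2 in ung_x else s, m0 if m2 in ung_x else m2)
             for (m, al, s, m2) in r["edges"]}
    plus = step1 | {(m, al, s, m2) for (n, al, s, m2) in step1 if n == m0 for m in ung_x}
    return {"nodes": set(r["nodes"]), "init": m0, "init_res": s0, "edges": plus,
            "ung": {(m, y) for (m, y) in r["ung"] if y != x}}

# Term encoding (an assumption of this example, not the paper's syntax): ("nil",), ("var", X),
# ("out", a, p) for a! || p, ("sum", [(alpha, p), ...]) with alpha a channel (input) or TAU,
# and ("rec", X, p).
def interpret(term):
    kind = term[0]
    if kind == "nil":
        return unit()
    if kind == "var":
        return variable(term[1])
    if kind == "out":
        return tensor(output(term[1]), interpret(term[2]))
    if kind == "sum":
        return lifted_sum([(al, interpret(p)) for (al, p) in term[1]])
    if kind == "rec":
        return rec(term[1], interpret(term[2]))
    raise ValueError("unknown term %r" % (kind,))

def reachable(g):
    """Nodes reachable from the initial node along edges."""
    seen, todo = {g["init"]}, [g["init"]]
    while todo:
        m = todo.pop()
        for (src, _al, _s, d) in g["edges"]:
            if src == m and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen

# rec X. a?.(b! || X): every input on a makes one more b available, so the transition
# system of this process is infinite while its resource graph has one reachable node.
PUMP = ("rec", "X", ("sum", [("a", ("out", "b", ("var", "X")))]))

if __name__ == "__main__":
    g = interpret(PUMP)
    live = reachable(g)
    print(live, sorted((e for e in g["edges"] if e[0] in live), key=repr))
```

The transition system $\hat p$ of this term is infinite, since each input on $a$ adds another $b!$, but $[\![p]\!]$ has one reachable node with the self-loop $* \stackrel{a,\{b\}}{\rightsquigarrow} *$, which is the finiteness Proposition 5.1 (i) promises; the node the sum produced for the body is left unreachable once $rec$ redirects its incoming edge to the initial node.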
5.1 Deciding bisimulation equivalence
To see the usefulness of having finite models we need only look at the problem of deciding bisimulation equivalence. It is evident that $\approx_{as}$ will be a decidable equivalence over asynchronously regular terms due to work on infinite state transition systems [3]. Specifically, asynchronously regular terms are a small subclass of BPP and bisimulation equivalence is decidable over this class of processes. What is not clear however is the complexity of this decision procedure. The proofs that bisimulation equivalence is decidable over BPP do not provide any upper bounds for the decision procedure [5, 11]. The class of asynchronously regular processes is much simpler than BPP and therefore allows us to find such bounds. In fact, because our models for this class are finite, standard techniques apply [8, 12].
Theorem 5.2 Asynchronous bisimulation equivalence, $\approx_{as}$, is decidable in polynomial time for (asynchronously) regular processes.
Proof: In order to decide $P \approx_{as} Q$, by Proposition 5.1, Proposition 3.5 and Theorem 3.4 it is sufficient to check $[\![P]\!] \sim_{rg} [\![Q]\!]$. We know by Proposition 5.1 (i) that these resource graphs are finite. The decision procedure now follows by first checking the initial resource sets of each graph, and then solving the partition refinement problem of [12] for the finite set of relations
$$\begin{array}{ll} m\, E_{\tau,S}\, m' & \text{if } m \stackrel{\tau,S}{\rightsquigarrow} m' \\ m\, E_{a,S}\, m' & \text{if } m \stackrel{a,S}{\rightsquigarrow} m' \\ m\, E^+_{a,S}\, m' & \text{if } m \stackrel{a,S+\{a\}}{\rightsquigarrow} m' \text{ or } m \stackrel{\tau,S}{\rightsquigarrow} m'. \end{array}$$
These relations are finite in number because we know that only finitely many names are used and only finitely many different $S$ appear on the edges of our graphs. $\square$

We have now provided a notion of regularity for asynchronous processes which allows much more expressivity than the standard notion of regularity for CCS. We have also shown that a suitable notion of bisimulation equivalence is polynomial time decidable over this class of processes. Unfortunately though, this enhanced notion of regularity is not as robust as we would like. In particular, one can form parallel compositions and restrictions of CCS regular terms and stay within the class of regular processes [9, 10]. Sadly, this is not the case in the present work. Whilst parallel composition preserves finiteness of the models of regular terms, the restriction of such graphs does not. In fact, using the familiar argument of reducing bisimulation equivalence to the halting problem for two-counter Minsky machines [11] we can show that allowing restriction of regular terms, unsurprisingly, entails undecidability of our equivalence. We conclude this section by briefly mentioning that the direct interpretation of asynchronously regular CCS terms as resource graphs can be extended to the whole of aCCS in such a way as to ensure that Proposition 5.1 (iv) still holds. This extension is non-trivial however and involves defining both the recursion and restriction operators on graphs as the least fixed point of certain functionals, so that the resulting resource graphs may become infinite.
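To make the characterisation of Section 3.4 concrete and to show the check behind Theorem 5.2, the following added Python (not from the paper) decides $\sim_{rg}$ for finite resource graphs by refining the full relation $M \times M'$ until every surviving pair satisfies both matching clauses in both directions; this is the same greatest fixed point that partition refinement computes, written as a plain iteration rather than the algorithm of [12]. The three graphs are constructed for the example: $R_1$ and $R_3$ are what $ar$ gives for $a?.a! + \tau.nil$ and for $a?.a!$, and $R_2$ is $ar$ of $\tau.nil$.

```python
from collections import Counter

TAU = "tau"

def ms(*names):
    """Multiset literal: ms("a", "a", "b") is {a, a, b}."""
    return Counter(names)

# Constructed finite resource graphs (not from the paper); edges are (m, alpha, S, m').
R1 = {"nodes": {0, 1}, "init": 0, "init_res": ms(),
      "edges": [(0, "a", ms("a"), 1), (0, TAU, ms(), 1)]}      # ar of  a?.a! + tau.nil
R2 = {"nodes": {"p", "q"}, "init": "p", "init_res": ms(),
      "edges": [("p", TAU, ms(), "q")]}                          # ar of  tau.nil
R3 = {"nodes": {0, 1}, "init": 0, "init_res": ms(),
      "edges": [(0, "a", ms("a"), 1)]}                           # ar of  a?.a!

def successors(rg, m):
    return [(alpha, s, d) for (src, alpha, s, d) in rg["edges"] if src == m]

def can_match(rg, m2, alpha, s, d1, related):
    """Section 3.4 read from m2's side: an edge (alpha, S) to d1 is answered by an edge of m2
    with the same label and multiset or, for an input a, by a tau edge whose S' satisfies
    S' + {a} = S, in both cases leading to a node related to d1."""
    for (beta, s2, d2) in successors(rg, m2):
        if not related(d1, d2):
            continue
        if beta == alpha and s2 == s:
            return True
        if alpha != TAU and beta == TAU and s2 + ms(alpha) == s:
            return True
    return False

def rg_bisimilar(r, r2):
    """Decide R ~rg R' for finite graphs: start from all of M x M' and drop pairs that fail a
    matching clause until nothing changes (a greatest fixed point); then look up the initial pair."""
    if r["init_res"] != r2["init_res"]:
        return False
    rel = {(m, n) for m in r["nodes"] for n in r2["nodes"]}
    changed = True
    while changed:
        changed = False
        for (m, n) in list(rel):
            forward = all(can_match(r2, n, al, s, d, lambda x, y: (x, y) in rel)
                          for (al, s, d) in successors(r, m))
            backward = all(can_match(r, m, al, s, d, lambda x, y: (y, x) in rel)
                           for (al, s, d) in successors(r2, n))
            if not (forward and backward):
                rel.discard((m, n))
                changed = True
    return (r["init"], r2["init"]) in rel

if __name__ == "__main__":
    print("R1 ~rg R2:", rg_bisimilar(R1, R2))   # True: the a input is answered by the tau
    print("R3 ~rg R2:", rg_bisimilar(R3, R2))   # False: R2's tau has no tau to match in R3
```

$R_1 \sim_{rg} R_2$ holds because the input edge $0 \stackrel{a,\{a\}}{\rightsquigarrow} 1$ is answered by the $\tau$ edge with $\emptyset + \{a\} = \{a\}$ and the $\tau$ edge is answered by a $\tau$ edge; $R_3$ lacks the $\tau$ edge, so $R_2$'s $\tau$ has no match and $R_3 \not\sim_{rg} R_2$, exactly the observation in the proof of Theorem 4.1 that $\tau$ must be matched by $\tau$. Each round removes at least one pair, so the loop is polynomial in the number of node pairs and edges, in line with Theorem 5.2 though without the sharper bound of [12].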
6 Conclusion

We have presented a novel approach to modelling asynchronous systems. The chief feature of these new models is the treatment of asynchronous transmission as the use of resources. Resource graphs yield a direct presentation of asynchronous behaviour, without recourse to various commutativity axioms. They also provide a compact representation of many infinite state systems, thereby allowing effective procedures for deciding bisimilarity. We discovered that the somewhat unorthodox notion of asynchronous bisimilarity arises naturally in the category of resource graphs and provided insightful characterisations of this equivalence. The present work is concerned with synchronising processes rather than communicating processes, that is, no information is transmitted by output actions. Therefore a treatment of asynchrony in the $\pi$-calculus is beyond the scope of resource graphs as presented. An issue worth further investigation is a generalisation of the resource graph model which could cater for name passing and dynamic scoping as can be found in the $\pi$-calculus.
References

[1] R. Amadio, I. Castellani, and D. Sangiorgi. On bisimulations for the asynchronous $\pi$-calculus. In U. Montanari and V. Sassone, editors, Proceedings CONCUR 96, Pisa, volume 1119 of Lecture Notes in Computer Science, pages 147-162. Springer-Verlag, 1996.
[2] G. Boudol. Asynchrony and the $\pi$-calculus. Technical Report 1702, INRIA, Sophia-Antipolis, 1991.
[3] S. Christensen, Y. Hirshfeld, and F. Moller. Bisimulation equivalence is decidable for basic parallel processes. In E. Best, editor, Proceedings CONCUR 93, Hildesheim, volume 715 of Lecture Notes in Computer Science, pages 143-157. Springer-Verlag, 1993.
[4] C. Fournet and G. Gonthier. The reflexive CHAM and the join-calculus. In Proc. ACM-POPL, 1996.
[5] Y. Hirshfeld, M. Jerrum, and F. Moller. A polynomial algorithm for deciding bisimulation equivalence of normed basic parallel processes. In Proc. Mathematical Structures in Computer Science, 1996.
[6] K. Honda and M. Tokoro. An object calculus for asynchronous communication. In Proc. ECOOP 91, Geneve, 1991.
[7] A. Joyal, M. Nielsen, and G. Winskel. Bisimulation and open maps. In Proceedings 8th Annual Symposium on Logic in Computer Science, pages 418-427. IEEE Computer Society Press, 1993.
[8] P.C. Kanellakis and S.A. Smolka. CCS expressions, finite state processes, and three problems of equivalence. Information and Computation, 86:43-68, 1990.
[9] R. Milner. A complete inference system for a class of regular behaviours. Journal of Computer and System Sciences, 28:439-466, 1984.
[10] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Cliffs, 1989.
[11] F. Moller. Infinite results. In U. Montanari and V. Sassone, editors, Proceedings CONCUR 96, Pisa, volume 1119 of Lecture Notes in Computer Science, pages 195-216. Springer-Verlag, 1996.
[12] R. Paige and R. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6):973-989, 1987.
[13] B. Pierce and D. Turner. Pict: A programming language based on the $\pi$-calculus, 1996. University of Cambridge.
[14] P. Selinger. First-order axioms for asynchrony. In M. Bednarczyk, editor, Proceedings CONCUR 97, Warsaw, volume 1243 of Lecture Notes in Computer Science, pages 376-390. Springer-Verlag, 1997.
[15] C. Stirling. Bisimulation, model checking and other games, 1997. Notes for MathFIT Instructional Meeting on Games and Computation, University of Edinburgh.
[16] G. Winskel and M. Nielsen. Models for concurrency. In S. Abramsky, Dov M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, Volume 4, pages 1-148. Oxford University Press, 1995.