TAPSOFT'87: Proceedings of the International Joint Conference on Theory and Practice of Software Development

Lecture Notes in Computer Science Edited by G. Goos and J. Hartmanis 249 TAPSOFT '87 Proceedings of the International '...

Author: Hartmut Ehrig | Robert Kowalski | Giorgio Levi | Ugo Montanari

6 downloads 634 Views 16MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

Lecture Notes in Computer Science Edited by G. Goos and J. Hartmanis

249 TAPSOFT '87 Proceedings of the International 'Joint Conference on Theory and Practice of Software Development Pisa, Italy, March 23-27, 1987 Volume 1: Advanced Seminar on Foundations of Innovative Software Development I and Colloquium on Trees in Algebra and Programming (CAAP '87) Edited by Hartmut Ehrig, Robert Kowalski, Giorgio Levi and Ugo Montanari

Springer-Verlag Berlin Heidelberg NewYork London Paris Tokyo

Editorial Board D. Barstow W. Brauer R Brinch Hansen D. Gries D. Luckham C. Moler A. Pnueli G. Seegmeller J. Stoer N. Wirth Editors Hartmut Ehrig Technische Universit&t Berlin Fachbereich 20, Informatik, SWT FR5-6 Franktinstr. 28/29, D-1000 Berlin 10 Robert Kowalski Imperial College of Science and Technology 180 Queen's Gate, London SW7 2BZ, England Giorgio Levi Ugo Montanari Dipartimento di Informatica, Universit& di Pisa Corso Italia 40, 1-56100 Pisa

CR Subject Classification (1987): F.0-4 ISBN 3-540-17660-8 Springer-Verlag Berlin Heidelberg New York ISBN 0-387-17660-8 Springer-Verlag New York Berlin Heidelberg

This work is subject to copyright.All rights are reserved, whetherthe whole or part of the material is concerned, specificallythe rights of translation,reprinting,re-useof illustrations,recitation, broadcasting, reproductionon microfilms or in other ways, and storage in data banks. Duplication of this publicationor parts thereof is only permitted underthe provisionsof the German Copyright Law of September 9, 1965, in its versionof .June24, 1985, and a copyrightfee must always be paid. Violationsfall underthe prosecutionact of the German Copyright Law. © Sp~i'nger-VerlagBerlin Heidelberg 1987 Printed in Germany Printing and binding: DruckhausBeltz, Hemsbach/Bergstr. 2145/3140-543210

PREFACE

TAPSOFT '87 is the Second International Joint Conference on Theory and Practice of Software Development. TAPSOFT '87 is being held from March 23 to March 27, 1987 in Pisa. TAPSOFT '87 has been organized by Dipartimento di informatica (Universit& di Pisa), I.E.l. - C.N.R. and CNUCE - C.N.R., and has been supported by AICA and EATCS. TAPSOFT '87 consists of three parts: Advanced Seminar on Foundations of Innovative Software Development

New directions in software development have been proposed, on the basis of recent technological and theoretical advances. Following these trends, the software production process should be made more rigorous, and its result should be expressed in a more abstract and understandable form. The aim of the Advanced Seminar is to bring together leading experts in the various fields which form the foundations of this renovation still in progress and to provide a forum to discuss the possible integration of available theories and methods in view of their applications. The Advanced Seminar will consist of a number of invited talks, two panel discussions and several working groups. The invited talks will be either long, i.e. comprehensive and general, or short, i.e. dedicated to hot topics. Invited Speakers E. Astesiano (Univ. Genova) K. Clark (Imp. C., London) K. Furukawa (ICOT, Tokyo) J. Goguen (SRI, Menlo Park) G. Huet (INRIA, Paris)

R. Milner (Univ.Edinburgh) M. Nivat (LITP, Pads) J. Thatcher (IBM, Yorktown Heights) D. Warren (Univ. Manchester)

Panels • On Industrial Activity and Trends. Chairman: J. Goguen (SRI, Menlo Park) - The Future of Software Engineering. Chairman: D. Bj~rner (Lyngby)

The seminar organizers are H. Ehrig (Tech. Univ. Berlin) G. Levi (Univ. Pisa) R. Kowalski (Imperial College, London) U. Montanari (Univ. Pisa)

iv

Colloquium on Trees in Algebra and Programming Traditionally, the topics of the Colloquium cover a wider area of theoretical Computer Science than that indicated by the title. Actually, topics include the formal aspects and properties of trees and, more generally, of combinatorial and algebraic structures in all fields of Computer Science. Besides the customary topics, in keeping with the overall theme of TAPSOFT, the program will include contributions related to specifications, communicating systems and type theory. The preceding eleven colloquia were held in France and Italy as autonomous conferences, except in Berlin 1985, when for the first time CAAP was integrated into the TAPSOFT Conference. In keeping with the tradition of CAAP as well as with the overall theme of the TAPSOFT conference, the selected papers are presented in the sections listed below. • Algorithms • Proving techniques • Algebraic specifications • Concurrency • Foundations The program committee for CAAP '87 is the following: A. Arnold, Bordeaux J. de Bakker, Amsterdam B. Buchberger, Linz J. Diaz, Barcelona Ph. Flajolet, Paris H. Ganzinger, Dortmund P. Mosses, Aarhus J. Thatcher, Yorktown Heights M. Wirsing, Passau

G. Ausiello, Roma A. Bertoni, Milano M. Dauchet, Lille H. Ehrig, Berlin N. Francez, Haifa U. Montanari, Pisa (Chairman) M. Nivat, Paris G. Winskel, Cambridge

Colloquium on Functional and Logic Programming and Specifications In keeping with the overall theme of the TAPSOFT conferences, CFPL focuses on those aspects of Functional and Logic Programming which are most important in innovative software development. The integration of formal methods and practical aspects of software production is also stressed.

CONTENTS OF VOLUME 1 Session CAAP 1 Chairman: J. Diaz (Barcelona)

Algorithms I. Wegener (J.W. Goethe Univ., Frankfurt a. M.) On the Complexity of Branching Programs and Decision Trees for Clique Functions W. Szpankowski (Purdue Univ.)

Average Complexity of Additive Properties for Multiway Tries: A UnifiedApproach

13

M. Crochemore (LITP, Rouen & Univ. Paris-Nord) Longest Common Factor of Two Words

26

Session CAAP 2 Chairman: B. Buchberger (Linz)

Proving Techniques S. Ronchi della Rocca (Univ. Torino) A Unification Semi~A/gorithm for Intersection Type Schemes

37

B. Steffen (Univ. Kiel) Optima/Run Time Optimization Proved by a New Look at Abstract interpretations

52

F. Bellegarde & P. Lescanne (CRIN, Nancy) Transformation Ordering

69

Session CAAP 3 Chairman: M, Wirsing (Passau)

Algebraic Specifications ! M. Gogolla (Tech. Univ. Braunschweig)

On Parametric Algebraic Specifications with Clean Error Handling

8t

D. Sannella (Univ. Edinburgh) & A. Tartecki (PKiN, Warsaw) Toward Formal Development of Programs From Algebraic Specifications: Implementations Revisited

96

G. Marongiu (Univ. Bologna) & S. Tulipani (Univ. Camerino) Finite Algebraic Specifications of Semicomputable Data Types

111

The selected papers are presented in six sessions covering the following topics. ° Theory and Semantics of Functional Languages • Types, Polymorphism and Abstract Data Type Specifications • Unification of Functional and Logic Programming Languages • Program Proving and Transformation • Language Features and Compilation in Logic Programming • Implementation Techniques The Programme Committee for CFLP is the following C. BShm, Roma K. Furukawa, Tokyo C. Ghezzi, Milano G. Huet, Paris R. Kowalski, London B. Mahr, Berlin R. Milner, Edinburgh E. Sandewall, LinkSping D. Warren, Manchester

K. Clark, London H. Gatlaire, M~3nchen J. Goguen, Menlo Park G. Kahn, Sophia Antipolis G. Levi, Pisa (Chairman) A. Martelli, Torino L. Moniz Pereira, Lisboa E. Shapiro, Rehovot

The TAPSOFT '87 Conference proceedings are published in advance of the conference in two volumes. The first volume includes the final versions of 17 papers from CAAP '87, selected from a total of 51 submitted papers. The second volume includes the final versions of 17 papers from CFLP, selected from a total of 80 submitted papers. Invited papers from the Advanced Seminar are divided between the two volumes. We would like to extend our sincere thanks to all the Program Committee members as well as to the referees listed below for their care in reviewing and selecting the submitted papers: J. Alegria, A. Alfons, S. Anderson, J.L. BalcAzar, F. Barbic, R. Barbuti, M. Bellia, R. Bird, E. BSrger, P.G. Bosco, A. Bossi, G. Boudol, K. Broda, D. Brough, D. Chan, L. Carlucci Aiello, G. Castelli, T. Chikayama, T. Chusho, E. Ciapessoni, N. Cocco, L. Colussi, M. Coppo, T. Coquand, B. Courcelle, G. Cousineau, W. Coy, P.L Curien, A. Davison, P. Degano, R. De Nicola, M. Dezani, M. Dincbas, M Ducass6, P. Dufresne, J. Ebert, B. Eggers, P. van Erode Boas, R. Enders, G. Engels, K. Estenfeld, E. Fachini, A. Fantechi, I. Foster, D. Frutos, J. Gabarro, D. Gabbay, F. Galdbay, G. Gambosi, G. Ghelli, P. Giannini, M. Goldwurm, A. Goto, S. Goto, G. Guida, C. Gunter, T. lato, H. Habel, M. Hagiya, N. Halbwacks, H. Hansen, S. Haqqlund, J. Heering, P. Henderson, R. Hennincker, D. Henry de Villeneuve, C. Hogger, F. Honsell, M. Huntbaok, H. Hussmann, P. Inverardi, R.C.L. Koymans, L Kott, H.J. Kreowski, F. Kriwaczek, S. Kunifuji, Y. Lafont, B. Lang, R. Lasas, A.

VI Lavitte, P. Le Cheradec, K. Leeb, B. Lennartsson, J.J. Levy, M. Undqvist, A. L{amosi, G. Lolli, (3. Longo, J.A. Makowski, V. Manca, P. Mancarella, D. Mandrioli, M. Manny, A. Marchetti Spaccamela, I. Margaria, M. Martelli, L. Mascoet, Y. Matsumoto, G. Mauri, B.H. Mayoh, F. McCabe, J. Meseguer, J.J.Ch. Meyer, C. Moiso, B. MSIler, C. Montangero, K. Moody, A. Mycroft, F. Nickl, M. Nielsen, F. Nielson, F. N0rnberg, M.E. Occhiuto, F.J. Oles, F. Orejas, M. Ornaghi, R. Orsini, P. Padawitz, C. Palamidessi, D. Pedreschi, P. Pepper, A. Pettorossi, A. Poign~, A. Porto, M. Protasi, G. Ringwood, J. Roman, S. Ronchi Della Rocca, G. Rossi, I. Kott, T. Sakurai,D. Sannella, D. Sartini, T. Sato, R. Schuster, M. Sergot, D. Siefkes, M. Smyth, T. Streicher, A. Suarez, Y. Takayama, J. Tanaka, A. Tarlecki, W. Thomas, M. Tofte, S. Tomura, J. Toran, M. Torelli, J.V. Tucker, F. Turini, T. Yuasa, F.W. Vaandrager, B. Vauquelin, B. Venneri, M. Venturini Zilli, H. Wagener, E.G. Wagner, M. Wallace, P. Weis, M. Zacchi, B. Zimmermann

We gratefully acknowledge the financial support provided by the following institutions and Companies: • Comune di Pisa • C.N.R. • Presidenza • Comitato Nazionale per l'lngegneda • Comitato Nazionale per le Scienze Matematiche • CNUCE • I.E.I. ° Dipartimento di Informatica, Universit& di Pisa • Elsag, Genova • Enidata, Milano ° IBM Italia, Roma • List, Pisa • Olivetti, lvrea ° Selenia, Roma • Sipe, Roma o Systems & Management, Torino • Tecsiel, Roma • Universit& di Pisa

vii We wish to express our gratitude to the members of the Local Arrangement Committee: P. Asirelli, R. Barbuti, P. Degano (Chairman), A. Fantechi, P. Mancarella, M. Martelli, F. Tarini and F. Turini. Without their help, the Conference would not have been possible. Pisa, March 1987 Hartmut Ehrig Institut for Software und Theoretische Informatik Technische Universit&t Berlin

Robert A. Kowalski Dept of Computing and Control Imperial College London

Giorgio Levi Dipartimento di Informatica Universit& di Pisa

Ugo Montanari Dipartimento di Informatica Universit& di Pisa

Session CAAP 4 Chairman: G. Winskel (Cambridge)

Concurrency G. Boudol & I. Castellani (INRIA, Sophia Antipolis) On the Semantics of Concurrency: Partial Orders and Transition Systems

123

R. De Nicola (I.E.I., Pisa) & M. Hennessy (Univ. Sussex) CCS without ~'s

138

Ph. Darondeau & B. Gamatie (IRISA, Rennes) A Fully Observational Mode/ for Infinite Behaviours of Communicating Systems

153

Session AS4 Chairman: R. Milner (Edinburgh) E. Astesiano & G. Reggio (Univ. Genova) SMoLCS-Driven Concurrent Ca/curl

169

Session CAAP 5 Chairman: H. Ganzinger (Dortmund) Algebraic Specifications II

M. Navarro (Euskal-Herriko Univ., San Sebastian) & F. Orejas (Univ. Pol. de Catalunya, Barcelona) Parameterized Horn Clause Specifications: Proof Theory and Correctness

202

F. Parisi-Presicce (USC, Los Angeles) Partial Composition and Recu'rsion of Module Specifications

217

Session CAAP 6 Chairman: A. Arnold (Bordeaux)

Foundations (3. (3ambosi, M. Talamo (IASI-CNR, Roma) & J. Nesetril (Charles Univ. Prague) Efficient Representation of Taxonomies

232

J.-J. Ch. Meyer & E. P. de Vink (Free Univ. Amsterdam) Applications of Compactness in the Smyth Powerdomain of Streams

241

M. C. Browne, E, M. Clarke & O. GrQmberg (CMU, Pittsburgh) Characterizing Kfipke Structures in Temporal Logic

256

xt Session AS5 Chairman: G. Levi (Pisa) R. Milner (Univ. Edinburgh) Dialogue with a Proof System

271

G. Huet (INRIA, Paris) Induction Principles Formalized in the Calculus of Constructions

276

Session AS2 Chairman: U. Montanari (Pisa) J. Thatcher (IBM, Yorktown Heights) Algebraic Semantics (Abstract)

287

M. Nivat (LITP, Pads) Tree Codes (Paper not received in time) Author Index

288

CONTENTS OF VOLUME 2 Session AS1 Chairman: H. Ehrig (Berlin) J. A. Goguen & J. Meseguer (SRI, Menlo Park) Models and Equality for Logical Programming

K. Furukawa (ICOT, Tokio) Fifth Generation Computer Project: Current Research Activity and Future Plans

23

Session CFLP 1 Chairman: C, BShm (Roma) Theory and Semantics of Functional Languages A. Piperno (Univ. La Sapienza, Roma) A Compositive Abstraction Algorithm for Combinatory Logic

39

J. Y. Girard (CNRS & Univ. Paris VII) & Y. Lafont (INRIA, Rocquencourt) Linear Logic and Lazy Computation

52

D. CI6ment (SEMA METRA & INRIA, Sophia Antipolis) The Natural Dynamic Semantics of Mini-Standard ML

67

Session CFLP 2 Chairman: K. Clark (London) Language Features and Compilation in Logic Programming Z. Farkas (SZKI, Budapest) Listlog - a Prolog Extension for List Processing

82

R. Barbuti, P. Mancarella, D. Pedreschi & F. Turini (Univ. of Pisa) Intensional Negation of Logic Programs: Examples and Implementation Techniques

96

P. Van Roy (Univ. Leuven, Heverlee), B. Demoen (BIM, Everberg) & Y.D. Willems (Univ. Leuven, Heverlee) Improving the Execution Speed of Compiled Prolog with Modes, Clause Selection, and Determinism

111

Xlll Session CFLP 3 Chairman: D.Warren (Manchester)

Implementation Techniques C. Percebois, I. Fut6, I. Durand, C. Simon & B. Bonhoure (Univ. Toulouse) Simulation Results of a Multiprocessor Prolog Architecture Based on a Distributed AND/OR Graph

126

G. Lindstrom, L. George & D. Yeh (Univ. Utah) Generating Efficient Code from Strictness Annotations

140

S. Finn (Univ. Stirling) Hoisting: Lazy Evaluation in a Cold Climate

155

Session CFLP 4 Chairman: G. Kahn (Sophia Antipolis)

Program Proving and Transformation W. Drabent & J. Maluszynski (Univ. LinkSping) Inductive Assertion Method for Logic Programs

167

A. Pettorossi (IASI-CNR, Roma) & A. Skowron (PKiN, Warsaw) Higher Order Generalization in Program Derivation

182

M. Thomas (Univ. Stirling) Implementing Algebraically Specified Abstract Data Types in an Imperative Programming Language

197

Session AS3 Chairman: R. Kowalski (London) K. L. Clark & I.T. Foster (Imperial College, London) A Declarative Environment for Concurrent Logic Programming

212

D. H. D. Warren (Univ. Manchester) Or-Parallel Execution Models of Prolog

243

Session CFLP 5 Chairman: J. Goguen (Menlo Park)

Unification of Functional and Logic Programming Languages M. Bellia (Univ. of Pisa) Retractions: a Functional Paradigm for Logic Programming

260

P. G. Bosco, E. Giovannetti & C. Moiso (CSELT, Torino) Refined Strategies for Semantic Unification

276

XtV Session CFLP 6 Chairman: B. Mahr (Berlin) Types, Polymorphism

and Abstract Data Type Specifications V. Breazu-Tannen (MIT, Cambridge) & T. Coquand (INRIA, Rocquencourt) Extensional Models for Polymorphism

291

R. Harper, R. Milner & M, Tofte (Univ. Edinburgh) A Type Discipline for Program Modules

308

C. Beierle & A. Voss (Univ. Kaiserslautern) Theory and Practice of Canonical Term Functors in Abstract Data Type Specifications

320

Author Index

335

ON THE C O M P L E X I T Y AND D E C I S I O N

OF B R A N C H I N G

TREES

FOR C L I Q U E

PROGRAMS FUNCTIONS

Ingo W e g e n e r * FB 20-Informatik, Johann W o l f g a n g G o e t h e - U n i v e r s i t i t , 6000 F r a n k f u r t a.M., Fed. Rep. of Germany Abstract Because

of the slow p r o g r e s s

complexity

of B o o l e a n

of B o o l e a n

circuits

branching ching

width-k

of clique

we p r o v e

nally we i n t r o d u c e ces of B o o l e a n progr a m s

functions.

lower

decision

and

branching

large p o l y n o m i a l

BPk(P)

if

w i t h n. Fi-

of all

sequen-

by k - t i m e s - o n l y

We show c o n s t r u c t i v e l y

pro-

lower bounds

for k i n c r e a s i n g

of the classes

bran-

on the d e c i s i o n

For o n e - t i m e - o n l y

bounds

models

trees,

k-times-only

bounds

which may be c o m p u t e d

size.

on the circuit

in r e s t r i c t e d

circuits,

programs

functions

the h i e r a r c h y

functions

of p o l y n o m i a l

subset

is i n t e r e s t e d

restricted

branching

for k - c l i q u e

k is fixed and e x p o n e n t i a l

proper

one

lower bounds

We prove here e x p o n e n t i a l l o w e r

tree c o m p l e x i t y grams

functions

like depth

programs,

programs.

in p r o v i n g

branching

that B P I ( P ) is a

of BP2(P).

I. I N T R O D U C T I O N Until

now one knows

only

bounds

on the c i r c u i t

tions.

Therefore

dels mes

like

(Nechiporuk

monotone

[9])

restricted

and Yao

[15])

(Ajtai et al. Z[k

[11]

fami l i a r

and

Dunne

and W e g e n e r with Boolean

rected,

labelled

Boolean

variables

models

[13],

k-times-only

[14]).

tree where

in part by D F G - g r a n t s

node one tests 1066/I-2

[4],

Pudl~k

[10]

programs

[8], Pudl[k/

tree

One

is

is a di-

are l a b e l l e d

constants.

sche-

programs

that the reader

A decision

the inner nodes

No. We

mo-

[I], B a r r i n g t o n

branching

[7], M a s e k

We assume

by B o o l e a n

an inner

func-

contact

of b r a n c h i n g

(Ajtai et al.

and formulae.

and the leaves reaching

programs,

[3], C h a n d r a / F u r s t / L i p t o n

circuits

of lower

Boolean

a long time r e s t r i c t e d

[5], K r i e g e l / W a a c k

[12],

binary

the root and after * Supported

programs

(depth restricted)

[I],

defined

branching

restricted

branching

[2], B o r o d i n / D o l e v / F i c h / P a u l

since

circuits,

and also

for the proof

of e x p l i c i t l y

one has c o n s i d e r e d

formulae,

like w i d t h

a few poor methods

complexity

by

starts

that v a r i a b l e

and Me 872/I-I

at which

is the label of the node.

If its value

(or right)

label

successor.

the function complexity

program

the c o m p u t a t i o n

outdegree

0. The

that of d e c i s i o n k branching level.

programs

On the other

depth restriction. of c o m p u t a t i o n viously needs

are l e v e l l e d

One

only

ciently

programs

decision

large

[2]).

programs

be c o m p u t e d

grams.

size of BPs called

and A j t a i

(BPkS)

eraser

The p u r p o s e bounds

[11]

boun d

by

iff they can depth.

pro-

[12]. M a s e k

tight r e l a t i o n s

[8],

between

the

(so-

tree

and BP I c o m p l e x i t y

is d e f i n e d

functions.

on N =

of an n - v e r t e x

of B o o l e a n

The c l i q u e

of lower

functions. n fk

function

(~) v a r i a b l e s c o r r e s p o n d i n g to the n fk c o m p u t e s I iff the graph spe-

graph,

contains

2 we consider

for the proof

a k-clique.

decision

trees

and present

some general

lower

techniques.

In C h a p t e r

3 we p r e s e n t

We show w h i c h node

solution

of T u r i n g m a c h i n e s

is to p r e s e n t m e t h o d s

to clique

c i f i e d by the v a r i a b l e s

In C h a p t e r

For w i d t h

branching

to W e g e n e r

effi-

functions

can be c o m p u t e d

for depth r e s t r i c t e d

[I] p r o v e d

of the

Turing machines).

these methods

edges

models.

size and l o g a r i t h m i c

of BPkS we refer

of this paper

3 ~k
poss i b l e

of nodes

width

Ob-

for w i d t h - k

may be c o m p u t e d

size and c o n s t a n t

a

of a BP k

time

and for w h i c h

functions

on each have

is BPk(f).

has a s u r p r i s i n g

and the space c o m p l e x i t y

on the d e c i s i o n

We apply

functions

of to

on each path

measure

in the r e s t r i c t e d

et al.

(BPkS)

A computation

programs

of B o o l e a n

results

than k nodes

programs

size as the number

of p o l y n o m i a l

similar

is similar

is BP(f) . Width-

the c o m p u t a t i o n

this p r o b l e m

of p o l y n o m i a l

For the m o t i v a t i o n

Pudl[k/Z~k

same

lower bounds

by c i r c u i t s

We are far from

are BPlS.

tree

source

2 and sinks

to test each v a r i a b l e

branching

Sequences

measure

branching

is to decide w h i c h

programs

of o u t d e g r e e

of

tree

of a d e c i s i o n

of c o m p u t a t i o n

complexity

left

is the value

g r a p h w i t h one

the c o m p l e x i t y

trees

is of the

branching

(Barrington branching

nodes

of time while

even by r e s t r i c t e d

restricted

acylic

to the

the d e c i s i o n

and have not more

is allowed

for k times,

The p r o b l e m

one can prove

inner

DT(f),

of inner nodes

and the mode

hand k - t i m e s - o n l y

all optimal

program.

number

the proper

at most kn p o i n t s

branching

where

starts,

trees,

tree.

is a d i r e c t e d

labelling

(or I) one goes

of the leaf one reaches

by the d e c i s i o n

of f, is the m i n i m a l

for f.A b r a n c h i n g where

The

computed

is 0

our main method,

computation

in a BP I, since

a BP I

paths

cannot

cannot

a lower b o u n d m e t h o d

lead to the

separate

the

for BP I S.

same c o m p u t a t i o n

situations

by repea-

ting

an old test.

functions.

The largest

for the n u m b e r a preliminary to other used

This m e t h o d

version

functions.

this a p p r o a c h

In C h a p t e r the class nomial i.e.

lower

of v a r i a b l e s

to prove

4 we c o n s i d e r

class

are of size exp{8(N1/2)}

Ajtai

[13].

that

Dunne

et al.

the classes

[5] a p p l i e d

and prove

for BPkS.

computable

classes

[7]

of size exp{e(N)}.

problem

of BPk(P).

in

this m e t h o d

[I] and K r i e g e l / W a a c k

functions

these

for clique

has first been p r e s e n t e d

even lower b o u n d s

subclass

build

Let BPk(P ) be

by BPkS

a proper

We p r e s e n t

of poly-

hierarchy,

candidates

that BPI (P) is a p r o p e r

sub-

of BP2(P).

TREE

Similar

formulae

to B o o l e a n

COMPLEXITY

of the number

of inner

] larger

the d e c i s i o n

than

Definition number

of leaves

is also

depth

shows

nodes

of monoms

the last

trees.

of leaves

This number

(DT0(f),DTI (f)) denote

instead

is only by

in a d e c i s i o n

in a d i s j u n c t i v e

tree

the minimal for f. Let M(f)

form for f.

of f in E 2 - c i r c u i t s , that means

level

that d e c i s i o n

the n u m b e r

of d e c i s i o n

(0-1eaves, 1-1eaves)

number

FUNCTIONS

tree complexity.

the c o m p l e x i t y

2 where

OF CLIQUE

we count here

I: Let DT*(f) :=DT(f)+I

be the m i n i m a l

sult

we obtain

the h i e r a r c h y

2. ON THE D E C I S I O N

M(f)

bounds

of B o o l e a n

We c o n j e c t u r e

separate

lower bounds

of this p a p e r

B P k _ I ( P ) is a p r o p e r

which may

to strong

N. This m e t h o d

Recently

of sequences

size.

leads

consists

trees

of an v-gate.

are less e f f i c i e n t

The

circuits

following

than depth-2

of

re-

cir-

cuits. Theorem ii)

I:

i)

DT*(f)

> DT0(f ) + DTI (f) .

DT I (f) > M(f) .

iii)

DT0(f)

Proof:

> M(~).

i) is obvious.

ii)

Consider

Any

1-1eaf L c o r r e s p o n d s

be the m o n o m must be

a decision

consisting

I if we f o l l o w

tree

to a unique

this path.

a disjunctive

iii)

in a similar

The reader

is a s k e d

the minimal

path

of all v a r i a b l e s

and we o b t a i n follows

for f w i t h

Then

number

l-leaves.

from the root to L. Let m(L) and n e g a t e d

variables

f is the d i s j u n c t i o n

form for f with

which

of all m(L)

DTI (f) monoms.

way.

to c o n v i n c e

of

Q.E.D.

himself

that

the number

of

]-leaves

of

a decision tree for f may be smaller than the number of prime implicants of f. But the following result, whose e a s y proof is left to the reader,

shows that this cannot happen for m o n o t o n e functions.

Proposition

I__.'_ If f is monotone,

implicants of f and M(~)

M(f)

is equal to the number of prime

is equal to the number of prime clauses of f.

In [13] the number of prime clauses of the clique function is estimated. The number of prime implicants o b v i o u s l y equals c o m b i n e d with T h e o r e m I and P r o p o s i t i o n

Theorem 2:

DT(fk) ~

(k) + (k-l) n-k+1

;

(n k ) . These e s t i m a t i o n s

I lead to the following theorem.

DT(f3) ~ 5 n-5

•

In order to obtain larger lower bounds on the d e c i s i o n tree c o m p l e x i t y of clique functions we use another general approach.

We have already

seen that the m o n o m c o r r e s p o n d i n g to a path from the root to a 1-1eaf (0-leaf)

in a decision tree for f is an implicant

(a clause)

label the edges of a decision tree such that edges to left

of f. We

(right)

suc-

cessors get label 0 (I). Then we may identify each node v with the 0-1sequence

(il,...,im)

consisting of the labels of the edges lying on the

path from the root to v. By our c o n s i d e r a t i o n s above we get the following result.

T h e o r e m 3:

Let f be a B o o l e a n f u n c t i o n and let Z I (~0) be the length

of the shortest prime implicant for f contains all nodes

(prime clause)

(il,...,im)

of f. Any d e c i s i o n tree

where the number of ones is less

than ZI and the number of zeros is less than ~0" In p a r t i c u l a r DT(f) >

E 0~m
~

(~).

m-~0+1<J~1-1

We apply this result to clique functions. have length

O b v i o u s l y all prime implicants

(~) c o r r e s p o n d i n g to the edges of a k-clique.

The prime clauses have d i f f e r e n t lengths. responds to a minimal

Thus ~i=(~).

A shortest prime clause cor-

set of edges d e s t r o y i n g any k-clique.

The remai-

ning edges build a maximal edge set of a graph w i t h o u t any k-clique.

By

the w e l l - k n o w n T h e o r e m of Tur&n such a graph consists of k-1 groups of vertices of nearly the same size

(differing at most by I) such that a

v e r t e x is c o n n e c t e d to all v e r t i c e s of other groups. vexity

argument the number of edges is o v e r e s t i m a t e d

By an easy conif we handle

n

as an integer. We have to e s t i m a t e the number of missing edges. There are

~.--~-I m i s s i n g edges incident to each node.

Thus i 0 : : [ n ( ~ _ nI -

1)/2] is

appropriate.

The lower bound of T h e o r e m 3 gives only p o l y n o m i a l

lower bounds for

c o n s t a n t k. For k increasing with n the lower bound improves the bounds of T h e o r e m 2. If for example k(n) :=[n2/3], ! n4/3_o(n4/3) 2 Corollary

I:

DT(f~(n))

> 2 n4/3/2-O(n4/3)

10 as well as 11 are of size

for k(n) :=[n2/3].

In [13] also upper bounds on the d e c i s i o n tree complexity of clique functions are presented.

The e s t i m a t i o n of the size of a d e c i s i o n tree

leads already for very simple algorithms to hard c o m b i n a t o r i a l problems, e.g. one may apply results on the number of c l i q u e - f r e e graphs Kleitman/Rothschild

(Erd~s/

[6]).

3. ON THE B P I - C O M P L E X I T Y OF CLIQUE F U N C T I O N S

As we have seen it is rather easy to prove large lower bounds on the d e c i s i o n tree c o m p l e x i t y of B o o l e a n functions.

D e c i s i o n trees are easy

to describe but they are often puffed up. They may contain the same large subtree at d i f f e r e n t places.

In order to d e c r e a s e the size of the

c o m p u t a t i o n scheme it w o u l d be sufficient to d e s c r i b e the subtree only once and to point from many nodes to the root of the subtree. allowed in b r a n c h i n g programs.

Furthermore

This is

it is obvious that optimal

d e c i s i o n trees have the p r o p e r t y that on each path of c o m p u t a t i o n each variable

is tested only once. This ensures that the depth is bounded by

the number of variables.

In b r a n c h i n g p r o g r a m s a node may have many pre-

d e c e s s o r s and the s u b f u n c t i o n s w h i c h have to be c o m p u t e d if one reaches this node from d i f f e r e n t p r e d e c e s s o r s need not to be equal.

One may se-

parate these situations again by r e p e a t i n g tests one has done before. The a d v a n t a g e of this p r o c e d u r e

is the r e d u c t i o n of the size of the

b r a n c h i n g p r o g r a m at the cost of i n c r e a s i n g the depth. branching programs

(BPlS)

For o n e - t i m e - o n l y

the depth is also b o u n d e d by the number of va-

riables. The size of BPlS for f may be p o l y n o m i a l even if DT(f) nential (see [12]

is expo-

We use the f o l l o w l n g a p p r o a c h for the proof of lower bounds on the BP lc o m p l e x i t y of clique functions.

In the d i s c u s s i o n above we have seen

that in b r a n c h i n g p r o g r a m s it is sometimes n e c e s s a r y to repeat tests in order to separate situations one has merged before.

This is not allowed

in BPIS.

There

we can merge

separate

t h e m by a s k i n g

v a n d w is p o s s i b l e v o_rr w a n d

siderations branching trees.

We prove

again.

of all v a r i a b l e s

show that mergings Therefore

if w e a r e n o t A merging

if t h e k n o w l e d g e

to d e t e r m i n e

program.

only

an o l d q u e s t i o n

if a n d o n l y

the k n o w l e d g e

or w is s u f f i c i e n t

situations

not

the v a l u e

tested

that mergings

near

are p o s s i b l e

near

only

reached

on any path

function.

the

to

of t w o n o d e s

that one has

of the

are not possible

BPIS behave

forced

the

con-

source

source

after

to v

These

like

of t h e

decision

a certain

number

of tests.

Theorem tion

4:

f~.

Let v and w be different

If o n a p a t h

most ki:=(~)-I ables more

variables

negatively

to v o r w.

Proof:

Neither

tested

we h a v e

not tested

length

the

following

each path this

of t h e

fulfil

negatively

fact which

a n d at m o s t

since

k0:=

some

of a p r i m e

, see C h a p t e r

input

funcat

variFurther-

the BP I on

to v or w we h a v e

implicant

for BPIS but not

exists

n-2(~)-k+2

changing

o n some p a t h

clause

tested

of t h e p r o g r a m .

of a p r i m e

all variables

prime

holds

in a B P I t h e r e

of w

a cycle

in t h e

following

the a s s u m p t i o n s

same p a t h

there

gatively)

if w e r e a c h

exists

to all e d g e s ,

Each path existing

(k I <

clause 2).

for BPkS

for which

The edge

not

those paths

(~))and (k0
Here

we n e e d

a n d k ~ 2. F o r

we have

tested

source

has been

e which

The

clique

to f o l l o w

exists

in t h e

w.l.o~g,

some edges

are variable

following

on the p a t h s

is

are

where

forbidden

path

is f o r b i d d e n

We

positively

symmetric

with

t h a t e is the e d g e

(not t e s t e d

way.

nodes

programs.

We

to v a n d w w h i c h

tested

graph

to the c h o s e n

in G I a n d

these

v and w are not on the

function

to a p a r t i a l

corresponding

the c l a i m

from the

an e d g e (w).

merge

for b r a n c h i n g

Since

edges

(1,2)

we cannot

of the Theorem.

(tested positively),

graph

versa)

is f o r b i d d e n

thus we may assume

and the other

We prove

v

(or v i c e which

in a B P I c o r r e s p o n d s

the p a r t i a l

edges

to w w e h a v e

v and w without

all v a r i a b l e s

creating

consider

v(w).

to m e r g e

shortest

If v is a s u c c e s s o r

vely)

in a B P I f o r ~the c l i q u e

path.

without

pect

nodes

on a p a t h

v n o r w m a y be a sink

v or w is a s i n k

positively

the

positively

neither

it is n o t p o s s i b l e

paths

not

to v a n d a l s o

some

edges

(neres(1,2).

are

(tested negati-

yet).

L e t G I {G2)

f r o m the

source

to

in G 2.

show that we can

to v or w in s u c h a w a y

that

fix all

either

one

be

of the

(perhaps

partial)

supplement

may

graph

a k-clique

case

with

we c a n n o t

change

of G 2. O b v i o u s l y with

incident

vertex

exists

contains

at l e a s t

subset

does

not

incident

exist

may

edges

graphs

G~ c o n t a i n s k-clique

allowed

BP I. But The v a l u e not

us n o w

tain

the

same

on A. free

G~ has

The

(i,j)

there

edge

6 E* we

D is still

without

in G 2

and

would

set of

edges

(perhaps

edge

on D.

possible

has

to

of the Either

a n d no

stop

the

which

set

the e x i s t e n c e

violating

we do n o t k n o w

This

E* be the

the o n l y

no f o r b i d d e n

computation

G~.

By the

existence the

same

since

conditions

we are of a

the v a l u e

of the f u n c t i o n .

it m a y be

0 since

we h a v e

be a c o n t r a d i c t i o n

and we may

arguments

G~ has

of a k - c l i q u e

inputs Vertices

with

D.

Since

G 2 does

only

edges

on D p o s i t i v e l y not and

not

contain

this

contain

any

G~ d o e s

any e d g e

does

k-clique

joining

that

degree

graph

not

to con-

to be i m p o s s i b l e .

to G~ and G~.

positive

in G~

the a s s u m p t i o n

as a b o v e

has

corresponding

is f o r b i d d e n

of any k - c l i q u e

(1,2)

a k-clique.

for

G~ d o e s

are

G I and G 2 by d e c i d i n g way.

(1,2)

Finally

above

L e t G~ and G~ be the

D is p o s s i b l e

a k-clique.

Since

the k - c l i q u e afterwards

case

or the

the edge

2. Let D be a k - e l e -

z. L e t

these

in z. For

any v a r i a b l e

I since

sink

way

C:={I,...,n}-A-B

construction

to the n o d e

or the k - c l i q u e

investigate

to c o n t a i n

to D U A.

from

contains

since Thus

I and

following

of G I we add one

on D in G 1 or any e x i s t i n g

otherwise.

any k - c l i q u e .

G~

a k-clique

reach has

that

In any

some e x i s t i n g

B in the edge

is p o s s i b l e

to v or w,

completed.

second

m a y be

completed

assume

Let

to t e s t

i n the

v is on

construct forbidden

2. By our

edge

described

a k-clique

is a l r e a d y

that

in p a r t i c u l a r

starting

arising

in the

not.

in D~

6 D and x i j = 0

of E*

We

This

I and

on any p a t h

on p a t h s

and G~ does

to a

v and w and do not

IBI < n - 2 ( ~ ) - k + 2 .

forbidden vertex

such

each

v and w are m e r g e d

tested

if i,j

partial)

not

any

be t e s t e d

xij=1

to B.

obviously

and

to v or w.

For

k vertices,

some

that

not

set.

f r o m G I and G 2 by this

a k-clique

a k-clique

v { {1,2}

of C c o n t a i n i n g

with

assume

edges

leading

w { {1,2}

without

fkn if we m e r g e

IAI < 2(~)-2.

the e m p t y

in G I. A g a i n

ment

We

correctly

set of v e r t i c e s

starting

G~ or G~ a r i s i n g

to a g r a p h

or G~ c o n t a i n s

compute

some of the p a t h s

Let A be the edge

graphs

be c o m p l e t e d

in G~ b e l o n g

since

we test

any k - c l i q u e

A and D.

we m a y m e r g e

We G~

not contain

and

contain

Thus

Thus

G~

is

v and w leads

to a c o n t r a d i c t i o n . Q.E.D.

8

The reader may convince himself that the parameters be improved

significantly.

of Theorem 4 cannot

If k=3, we have k]=2 and k0= n-7. There

is

a BP I for f3n where two paths on which 2 edges have been tested positively and 4n-13 edges have been tested negatively are merged. Theorem 4 shows that all nodes corresponding

to 0-]-sequences

most k 0 zeros and k I ones exist and are different.

Z

lower bound BPI(f~)

> 0~n
At first we evaluate sum is dominated by

Z

m_k0~J
Hence we get the

this bound for constant k. For m > 2k I the second m (kl . Thus

m E BP I (f~) > 0<m
(~).

of at

mk])

k(k-1)/2) .

For constant k we get only polynomial

lower bounds but the polynomial

grows much faster than the size of the disjunctive

normal

form which

is

8 (nk) •

The bound is large if k 0 and k I have nearly the same size. Let k(n):=[(2n/3)I/2].

Then

fk(n))=n/3-o(n) and k1=' 2 k ( n ) k0=n-2' 2 )-k+2=n/3-o(n). k(n) A BP I for fn

is up to level min

(k0,kl)=n/3-o(n)

a complete binary

tree and we can conclude that n 3-o(n) BP I (fk(n)) =~( 2n/ ). Our bound is worse for larger k(n) . For k(n) negative

and Theorem 4 seems to be useless.

vious fact that the BPl-complexity than the BP]-complexity Proposition ..................... 2: Proof :

of some function

of each subfunction

fn-mk_m is a subfunction

Replace all variables

> n I/2 the parameter k 0 is But then we apply the ob-

xij where

f is not smaller

f' of f.

of fnk. I~i~

and n - m + 1 < j ~

by ones. Q.E.D.

Hence we can conclude for example that n ifn/2+k(n) BPl(fn/2) > BPI' k(n) )" Let

k(n) :=[(n/3)I/2]. Then

we get k1=n/6-o(n)

and k0=n/6-o(n),

thus

9

BP1(f
The following

applications

4.

Theorem

of Theorem

5:

theorem

summarizes

some of the

i) If k is fixed~

BPI (f~)=~(nk(k-1)/2). ii)

If k(n) :=[(2n/3) I/2], BPI (f~(n))=~(2n/3-o(n))

.

iii) BPI (f~/2)=~(2n/6-°(n)).

4. THE BPk(P)-HIERARCHY

We know now that BPIS may be much more efficient but much less efficient

than branching

programs

one has to ask how much one has to increase get efficient functions Definition

branching

efficiently 2:

programs.

by BPk+iS

BPk(P)

of easy problems, size.

of polynomial

namely

those problems

For a sequence

formula

space complexity We can only prove

size

BP I (p) c

clique

consists

[11] proved Bp 2(P)

having branching

to

more

functions p. BP(P)

[12])

BP(P)

function

programs

of

of functions contains

in

all f

n and all f n of logarithmic

machines

inclusion

hierarchy

k such that fn £ BPk(P)

for the complexity

to Turing

that the first

Pudl~k/Z~k

an interesting

is not too small.

(see Wegener

with respect

fied graph on n vertices

6:

of Boolean

for some polynomial

fn the minimum

new measure

Let gn be the exactly-half

Theorem

< p(n)

were proper we would obtain

On the other hand BP(P)

vertices.

one can compute

is the set of all sequences

would be an interesting BP(P).

We ask whether

Therefore

in order

BP1(p)~...~BPk(P)~BPk+1(p)~.o._c_Bp(p).

If all inclusions polynomial

or circuits.

the resources

trees

than by BPkS.

fn:{0,1}n~{0,1} such that BPk(fn) is defined analogously.

Obviously

than decision

(Pudl&k/Z&k

of the hierarchy computing

of an n/2-clique

[11]). is proper.

I iff the speci-

and n/2 isolated

that gn is not in BPI(P ) .

10 Proof:

By the r e s u l t of P u d l [ k / Z & k

for gn a BP 2 of p o l y n o m i a l

gn(X)

: I iff in Gn(X),

vertex

is 0 or n/2-I,

that all v e r t i c e s degree

[11]

the g r a p h

and t h e r e

specified

by x, the d e g r e e

is some v e r t e x

i* of d e g r e e

0 and all v e r t i c e s

a BP I on m v a r i a b l e s inputs with exactly

w h i c h has

T~ f r o m T£ by r e p l a c i n g

the

sinks

£ < j be a BP I of q u a d r a t i c

sinks

way.

and X j m The

and x £ j = 0

i { {0,n/2-2}

are r e p l a c e d

we r e a c h

E~,j

program

This b r a n c h i n g

is s h o w n

program

deg(1):...=deg(£-1)=0 iff for j ~ £ e i t h e r to v e r t e x

from E£,j

in the

are r e p l a c e d by 0-sinks,

F o r the o t h e r

r e a c h the s o u r c e of E l , j + I if j < n and l - s i n k s branching

sink 0

if £=n. L e t El, j for

by a test of x£j.

0-sinks.

the

and the sink n/2-I

the ones a m o n g

(j+1<m
sinks

i 6 {0,n/2-2}

i=n/2-2

size c o u n t i n g

(£<j~iq). We o b t a i n

by 0-sinks,

if £=n,

by the source of E [ , £ + I if £ < n and a 0 - s i n k

(£+1<~m<j-1)

such

size 0(m 2) and m+1

x£,j

i { {0,n/2-I}

by the source of T~+ I if Z < n and a 0 - s i n k

following

n/2-1

of p o s i t i v e

i o n e s r e a c h the i-th sink

(0~i~4n). L e t T£ be such a BP I on the v a r i a b l e s

Xmj

of e a c h

to i*.

It is easy to d e s i g n sinks and w h e r e all

to c o n s t r u c t

size.

i < i* h a v e d e g r e e

are c o n n e c t e d

it is s u f f i c i e n t

the

If i=0 and xij=1

or

two p o s s i b i l i t i e s

we

if j=n.

The r e s u l t i n g

in Fig. 1.

computes

gn" We r e a c h

and d e g ( £ ) = n / 2 - 1 . deg(j):0

the E~ - c h a i n

iff

T h e n we r e a c h a l - s i n k of E~, n

or d e g ( j ) = n / 2 - ]

and v e r t e x

j is c o n n e c t e d

£.

The b r a n c h i n g

program

is a BP 2. A p a t h p a s s e s

at m o s t

T~,..

,T~ E* E* The v a r i a b l e x i , i + j is t e s t e d in "" ' £,£+I' .... £,n" T~ (if i < £) , in E* (if £ < i) and in E ~ , i + j (if £
T~ and E~,j

0(n4),

of s u b p r o g r a m s

since

is N=(~).

the n u m b e r

Hence

has

size 0(n2) . The total in 0(n2).

the BP 2 is of p o l y n o m i a l

The n u m b e r

at

size is

of v a r i a b l e s

size 0(N2) . Q.E.D.

L e t g~ be a f u n c t i o n hyperedges

on

(~) v a r i a b l e s

corresponding

of l e n g t h k in a h y p e r g r a p h

the h y p e r g r a p h

specified

isolated vertices,

by x c o n s i s t s

gkn is a c a n d i d a t e

to the p o s s i b l e

on n v e r t i c e s ,

g~

(x) = I iff

of an n / 2 - h y p e r c l i q u e

to s e p a r a t e

BP k I(P)

and n/2

f r o m BPk(P).

11

f

Figure

I

By the methods of T h e o r e m 6 we can prove that g~ belongs to BPk(P ) . We c o n j e c t u r e that b r a n c h i n g p r o g r a m s of p o l y n o m i a l size for n gk "have to look at many h y p e r e d g e s from all its k vertices".

References

[.t]

Ajtai,M./Babai,L./Hajnal~ ~oml6s,M./Pudl~k,P./R6dl,V./ S z e m e r & d i , E . ~ u r ~ n , G . : Two lower bounds for b r a n c h i n g programs, 18. STOC, 30-38, 1986

[ 2]

Barrington,D.A.: B o u n d e d - w i d t h p o l y n o m i a l - s i z e b r a n c h i n g p r o g r a m s r e c o g n i z e exactly those languages in NC I , 1 8 . S T O C , I - 5 , 1 9 8 6

[ 3]

B o r o d i n , A . / D o l e v , D ° / F i c h , F . E . / P a u l , W . : Bounds for w i d t h two b r a n c h i n g programs, 15.STOC, 87-93, 1983

[4]

Chandra,A.K./Furst,M.L./Lipton,R.J.: 15.STOC, 94-99, 1983

[ 5]

Dunne,P.: programs,

M u l t i p a r t y protocols,

L o w e r bounds on the c o m p l e x i t y of l-time only b r a n c h i n g FCT, LNCS 199, 90-99, !985

12

[6]

Erd~s,P./Kleitman,D.J./Rothschild,B.L.: of Kn-free graphs. Colloq. Intern.sulle Lincei, Rome, 19-27, 1976

[ 7]

Kriegel,K./Waack,S.: Lower bounds on the complexity of real-time branching programs, Techn. Rep.,Akad.d.Wiss{Berlin (GDR), 1986

[8]

Masek,W.: A fast algorithm for the string editing problem and decision graph complexity, M.Sc. Thesis,MIT, 1976

[ 9]

Nechiporuk,E.I.: 999-1000, 1966

[10]

Pudl&k,P.: A lower bound on complexity of branching programs, 11.MFCS,LNCS 176, 480-489, 1984

[11]

Pudl[k,P./Z~k,S.: Space complexity of computations, Preprint, Univ. Prague, 1983

[12]

Wegener,I.: Optimal decision trees and one-time-only branching programs for symmetric Boolean functions, Information and Control 62, 129-143, 1984

[13]

Wegener,I.: On the complexity of branching programs and decision trees for clique functions, Techn. Rep.,Univ. Frankfurt a.M., 1984

[14]

Wegener,I.: Time-space trade-offs for branching programs, Journal of Computer and System Sciences 32, 91-96, 1986

[15]

Yao, A.C.: Lower bounds by probabilistic arguments,24.FOCS, 420-428, 1983

A Boolean function,

Asymptotic enumeration Teorie Comb.,Accad.Naz.

Sov.Math.Dokl.

7,

AVERAGE COMPLEXITY OF ADDITIVE PROPERTIES FOR MULTIWAY TRIES : A UNIIFIED APPROACH ( Extended Abstract )

Wojciech Szpankowski*

Department of Computer Sciences Purdue University West Lafayette, IN 47907, U.S.A. Abstract We study multiway asymmetric tries. Our main interest is to investigate the depth of a leaf and the external path length, however we also formulate and solve a more general problem. We consider a class of properties called additive properties. This class is specified by a common recurrence relation. We give an exact solution of the recurrence, and present an asymptotic approximation. In particular, we derive all ( factorial ) moments of the depth of a leaf and the external path length. In addition, we solve an open problem of Paige and Tarjan about the average case complexity of the improved lexicographical sorting. These results extend previous analyses by Knuth [12], Flajolet and Sedgewick [6], Jacquet and Regnier [10], and Kirschenhofer and Prodinger [1 I].

1. INTRODUCTION Digital searching is a well-known technique for storing and retrieving information using lexicographical (digital) structure of words. Let U be an alphabet containing V elements, and each element may occur with different probability ( asymmetric trie ). A trie or radix search trie is such a V-ary digital search tree that edges are labeled by elements from U and leaves ( external nodes) contain the keys [1],[8], [12]. The access path from the root to a leaf is a minimal prefix of the information contained in the leaf. An important variant of tries is obta'med using a sequential storage algorithm for subtries with the size less than or equal to a fixed bound b. In other words, each external node is capable of storing at most b keys. Such a trie will be called b-trie [3], [5]. This paper presents a thorough analysis of b-tries from the depth of a leaf point of view. Although we focus our attention on the depth and external path length, we consider them as motivating examples for general studies of the average complexity of so called additive properties for tries. Roughly speaking, a trie property is additive if its recurrence description is linear. For example, the depth of a leaf, the external path length, the number of internal nodes are additive properties, while the height of a trie is not. We discuss a class of additive properties which possess a common recurrence equation. The exact solution and asymptotic approximation of the recurrence are obtained. These results are then used in a number of applications. We present all factorial moments of the depth of a leaf and the external path length in a b - trie. In particular, we prove that the m-th factorial moment of the depth of insertion is cdn'nn +~inm-tn +O(lnm-2n), where a and [3 are some constants dependent on the distribution of elements in the alphabet. This implies that the variance of the depth is either equal to a i n n + O ( 1 ) for asymmetric tries or only O(1) for a symmetric trie. We also compute the average number of internal nodes and the number of internal nodes with all sons external nodes. The average external * and TechnicalUniversityof Gdansk,Poland.

14 path length and the average number of internal nodes are used to solve an open problem of Paige and Tarjan [l 7] about the average complexity of the improved lexicographical sorting. Finally, let us mention that the average case complexity for symmetric V-ary tries was discussed [12], [6]. Recently, Iedrschenhofer and Prodinger [11 ] studied the variance of the depth of insertion for symmetric binary tries, while Jacquet and Regnier [10] obtained the limiting distribution for the depth of insertion for binary tries. This paper extends all of these results. We omit here all proofs, and provide them in the final version of the paper. 2. NOTATIONS AND MAIN RESULTS Letus consider a set Tn of all b - t r i e s with n keys over an alphabet U = {at . . . . .

Cv}. We assume that

a key x = {xl, x2 . . . . . xk,...} is a sequence of elements from U which form an independent sequence of Berv noulli trials. That is, for any k the probability Pr (xk = csi } = Pi, ~, Pi = 1, and Pi does not depend on k. Such i=1

an approach is known as Bernoulli model [3], [5], [10]. In many applications such trie properties ( parameters ) as: the depth o f a leaf ( the number of internal nodes in the trie on the path from the root to the leaf), the external path length ( the sum of the depths of all leaves ), the number o f internal nodes, the height ( the maximum

over all depths ) , etc. are of particular interests. We shall study a class of properties called further additive properties which possess a common description through a recurrence equation. We focus our attention on the aver-

age case complexity of such properties. 2.1 Additive properties of b-tries Let us consider an asymmetric b-trie with n records, and let E be a property of such a tile. For example, E might be the depth of a leaf, the external path length, the number of internal nodes, the height, etc. We denote by xn the quantitative value of E . Let an repremnt the value of the property E that is possessed by the root of a trie. Then, in studying the average complexity of the property E we may use the following graphical representation:

/ In other words, the value xn of the property E is a ( recursive ) function of the values xj ...... xjv ( j i + " " " +Jr = n ) of E in all subtries of the wie, and the amount an of the property E possessed by the root. If xn is an additive function ofxj, ..... xjv, then the property E is called additive. More precisely, we need that xn satisfies the following recurrence:

15

given: Xo, Xt , . . . ,

x~,

solve: x n = a . + ~

(t)

j

P{'

. .. py(x:,

+

...

+ xjO,

n > ~,

V

where an is a given sequence ( we also call it additive term ) , Y, Pi = 1, and B is an integer. In (1) we have i=1

used the the following notations: sum o f f ( j 1 . . . . .

j

= L Jl . . . . .

jv

Jl! J2! , • • . , Jr! and j~=n ~ f (Jl . . . . .

Jr) iS a

j r ) over all j such that Jl + Jz + " " " + j v = n. We shall study properties E for which their

quantitative values x~ have the above description, and such properties are called additive. For example, the depth o f a leaf, the external path length, the number of internal nodes are additive properties, while the height of a tile is not. It tums out that a general solution of the recurrence depends on a transformed sequence, d , , o f a , defined as:

k~0

The pair a . and dn is called inverse relations [151, since d~ = a . . Let also fJi = - (xi - ai -

2

P~ . . . .

jz = i

i =1,2 . . . . . B~

P~' Z xj,)/i !, k=l

Zn Note that the generating function o f x , , i.e., X(z)=~.,x,,,,=o n-'-(.' satisfies the following functional equation V

B

X (z ) - ~ X (Pi z) e O-p')~ .-.A (z ) - ~ z i ~i i=1

i=0

Define now ~ ( z ) = X (z) e-z, and transform the above into functional equation on ~(z). Using Taylor expansion of ~)(z) one proves that LEMMA 1. For any n, the recurrence (1) possesses the following solution

dk-

rain{B,~} ]~ (-1)r Irk] r'[3r

i=l

Proof: See [14].

[] Solution (2) simplifies ifxo = xl = " " * = xB = 0. In this case, in fact, we are also able to compute ~. which is necessary to obtain the m-th factorial moment of the depth of a leaf.

COROLLARY 1. Ifxo = xt = . . . .

x~ = 0, then

~6

r=O

(3)

V

k=2

1- ZPf i=l

and

~.

r=O

=

v

(4)

1-Zp/k i=1

Proof'. Eq (3) follows directly from (2), and (4) is a consequence of the definition of the inverse relations.

[]

2.2 Applications of Lemma 1 Factorial moments o f the depth o f a leaf and the external path length

There is a simple relationship between the depth of insertion ( depth of a leaf) and the external path length. Let H~ (z) the external path length be the generating function with the coefficient at z k representing the expected number of external nodes at level k in the family of tries Tn built from n records. Also let L, and D, be random variables representing the external path length and the depth of a leaf in the family T,. The m-th factorial moment d~ of D n is defined as :

dnm-= E {Dn(D n - 1) "'" (D n - m + 1)}

In a similar way we define factorial moments of Ln. However, it is more convenient to introduce a generalized external path length. Let Dn ( i ) denote the path length from the root to the i-th record in the family Tn, where

i = 1,2,...,n. Then, the generalized external path length of order m is defined as n

L ~ = ~ O n ( i ) [ O n ( i ) - I ] " " [Dn(i)-m +1 ] i=1

aef and let l~ = ELm. We call l~ the average of order m of the external path length L~. Note that l~ is not the m-th factorial moment of the external path length Ln, but the moments of Ln are simply related to l~, e.g., the average of L n is equal to 12-, and the variance of the external path length is l~+l~- - 1 establishes a relationship between Hn (z) and the moments. LEMMA 2. For any natural m and n the following holds

Hn(1 ) = n.

d ' H . (z) iz=l = H(r,,)(1) = I~. dz m

(l~-)2. The following lemma

17

d~ = l~/n. Proof. It follows directlyfrom the above definitions. []

There is no explicit formula for H. (z), but a rather nice recurrence,

LEMMA 3. For any natural n and b, H~ (z) satisfies the following recurrence

H.(z)=n

nn(z) = z E

j

p~p~'

for n b .

jz=n

Proof. See Knuth [12]. [] By Lemma 2 to compute all factorial moments of the depth of insertion we need l~. Using Lemma 3 we may prove that l ~ m = 1,2 . . . . .

satisfy a system o f recurrence equations.

THEOREM 1. The average of order m of L ~ is given by the following recurrence

/~=0

for n b,

where l° = n.

Proof: The proof is by induction, and it is left for the reader. []

By Theorem 1 Im satisfies (1) with an = m ! ~ ( - 1 ) m-i (i-1)! " For example, for m = I one immediately obtain i=t

from Lemma 1 and Theorem 1

1 - ZP~

k=2

i~l

and

r=l

V

1 - Zp~ i=1

18

Let now m = 2 Then by Theorem t

a(z)= 2 [ iX- -

hi, and dn(2) = 212-- 28n,l [t 5]. After some algebra, we find

that V

E p~

I~=2 ~(-1)r+'r r=l

~(-l) /~=2

[kr]

n [~]

i='v (1 - Zp/k) 2 i=1

Generalizing the above, and applying recursively Lemma 1 , Corollary 1 and Theorem 1 we obtain the exact solution for the m-th factorial moment of the depth. PROPOSITION 1. For all n the moment of order m. l ~ , of the generalized external path length in a b-tile is given by V

[ E p / ' ] '~-~

l~=m, ~ (-1)r+l r ~ (-1)' [ ~ ] [ kr] , i=l v r=l

k=2

, n > b,

(5)

[ 1 - E P• ]m i=1

and l~ = 0 for n < b. The m -th factorial moment of the depth, d m is

l~/n. []

The average numberof internal nodes and other applications A number of other applications of Lemma 1 is possible. For example, from the storage view point it is

In. Naturally,

important to know the average number of internal nodes, recurrence (1) is satisfied with x0 . . . .

I, is an additive property, hence the

xb =0, and an = 1. Applying Corollary 1 we obtain immediately b

~=2

1-

2p~ i=l

In some other applications we might be interested in the average number of intemal nodes with all sons extemat nodes ( see [12], [6] ). Assume for simplicity that b = l and V=2. Let En denote the average number of such nodes. Then E 0 = E I = 0 , E z = I and for n > 2 the average

En satisfies

the recurrence (1) with an =0. Note that

[3o= 1~1= 0 and ~ = 1 - p 12- p 22. Hence by Lemma 1 and straightforward computations we find

En =

]~(-1)k

2

1--p~--pk

k=2

The generalization for V >2 is simple but need some additional computations. For other applications of (t) see [31 - [81, [131, [141.

19

Asymptotic approximation From the practical view point it is important to know asymptotic approximation of d ~ , I , , E n , etc. However, instead o f computing the approximation for each of the above quantifies we may equivalently determine the asymptotic approximation o f the following:

S ( n , r c n ) = ]~(-1)* k~

k

r

'

(1

- E

(6a)

p~)'~

i=1

where r : 1,2 . . . . .

B and o~ is a parameter. ( Note that S ( n ,r Ca ) is the sum in (2) if a, :

[n]~.).

The

application o f (6a) to the evaluation of l~, I. and E~ is straightforward. For example, the m-th factorial moment,

12. is expressed in terms o f S ( n ,r,m) as follows b l~-I

=

V

where ~ = l'IPJs'. S=l

To evaluate (6a) we may use either Rice's method [6], [7] or Mellin transform technique [6], [7], [9], [13], [16]. We apply here the latter method. We proved in [14] that S ( n + r . r . m ) = T ( n + r , r a n ) + O ( 1 ) ,

n+r T(n+r),r) = (-1) r ~ ~[l+O(n-1)]

S

F(z)(n ct) r-l-'

,,

where

az,

(6b)

('~ - tz-,~+) (1 - ] ~ p : - ' ) " i=1

c+i~

and F(z) is the gamma function [16], a + = min{0,a} and the integral notation 5 f ( ' ) stands for

1

The line of integration is either ( - 3 / 2 - i,~,-3~2 + ioo) for r=0, or ( - 1 / 2 - i ~ , - 1 / 2 + ioo) for r = l or (1/2 - io*, 1/2 + ioo) for r > l . The evaluation o f the counter integral in (6b) is routine: one goes from (c, - iN1) to (c, iN 1) to (N2,/N1) to (N2, - iN1) to (c, - i N 1 ) in a negative sense, where c = ½ - [2-r] +. F o r N t ---) ~ the horizontal parts o f t~he integral vanish since F(t + iN1) = O (1 + / N I I~-"~e-t - ~,/2) [I6]. while the vertical component over (1¥2, - iN1) decays due to the factor n r-i-z [12], [16]. Hence the required integral is minus the sum of residuals of the function under the integral to the right of the vertical line fixed at point c = ½ - [2-r]] +. The details may be found in [14]. For m = 1 a closed form expression for S (n ,r, 1) as n tends to infinity is available. Let us define Y

hn = ( - 1 y

]~Pi fn" pi, i=t

and h o = 0. Then PROPOSITION 2. For any n and r the following holds

n >0.

20 S(n,0,1)) = n c¢{ ln(na) + y--1 h2 hi + 2h 2 + f ( n a ) } + O ( 1 ) S(n ,1,1) = ha{ ln(n-1)a+T h2 hi + 2h21 - f ( ( n - 1 ) a ) } + o ( 1 ) n a { (r-Z)!

S(n,r,1) = (-1) r 7 .

~

+f((n-r)cO} + O(I)

r >2

where -/=0.573 is the Euler constant, and f (n) is a fluctuating function with a very small amplitude [ 12], [8], [6]. ( In practise, the function f (n) may be savely ignored ). Proof: The proof may be found in [13]. [] In particular, using the above we immediately obtain an asymptotic approximation for the average number of internal nodes, In. We find that

I~ =h-~{[ 1 -b ] ~1 r=2

] + f (n)}+O(l)

x

On the other hand, the average number of nodes with beth sons external nodes is given by

~-p?-p~ E n =n

2h~

(l+f(n))+O(1)

To evaluate d~ for large n we need the asymptotic approximation of S ( n,r,m ) for m > 1. This is more difficult, however, we can prove that PROPOSITION 3. For any m, and n large enough

I inrnn + ~hin inrn_ln[7 + Tm ~-1 h2 - (rn-t)hl - H b - I - h ] n F(n)] dnm-= h'-'~

+O(llzrn-2n)

where Hb-1 is the (b-1)-st harmonic number [t2], and F(n) is a fluctuating function with a very small amplitude. Proof: We use extensively (6b). Algebra may be found in [14]. [] Two moments play usually an important role in tries analysis, namely: the average and the variance, c~2, of the depth of insertion. Using the above approach we obtain immediately PROPOSITION 4. (i) The average depth of a leaf is given by

21 1

h2 [~'+ 2 - ' ~ ' t - H b - i ] - F ( n ) + O ( n - l )

d, =-~1 In n +

(7)

(ii) The variance, c 2, of the depth is

h2-h 2

In n +C +F(n)+O(n-1),

h~

(8)

where

_~

2"I

hz

2Hb-1

C -ZCC-~-l-~-~-12"~'--~l (1

-~1 (

112

Hb-t

4 2h12

hi )(1

h2

"[

h~

hi )+ h ~ - +

2eb-1

T

h2

hi

2h? t - ~ )

Hb-1 .

and 1

rcz

?a

~= ~-~? I ~ + T

b nr_l

3h22

~th2

h3

+ -4hl : ~ - + hi - 3hi

n

and eb is defined as eb = ~ - - 7 - ( o=0. and eo=O ). F(n) is a fluctuating function with a small arnplimde. Ln r=l

particular, for V-ary symmetric tries h. =In" V hence (8) implies

x2 c"z=~

1 + 12

(iii) The variance of the extemal path length ~

H~-I + ~ + F ( n ) + O ( n In2V

-1)

(9)

In V

is equal to

oL =n c~ so it is O (n In n ) for asymmetric tries, and O (n) for symmetric tries. B

Proof: Equation (7) follows immediately from l~-= ~ (-1) T M r $(n ,r,1), and Proposition 2. To compute c~ note r=l b

that c~=12 + lnL-[lnl-]2/n, and 12= ]~ (-1) r+l r S (n ,r,2), r=l

[] The table below shows the variance of the depth, c~, for symmetric V-ary b -tries. ( see (9)). Note that by (7) the influence orb on the average depth is of order O(1), and for small values ofb it may be safely ignored in practise. However, the variance critically depends on b, and for larger b we obtain more balanced tries. For example, for V=2 the variance c ,z decreases from 3.507 for b=l to 0.6741 for b=4. But there is a trade-off between b and the average searching time. Note that bigger b implies larger searching time in the sequential file of the external node. The total average searching time is dn+ (b-1)/2, where d, is given by (7). Hence, the searching time is minimized for b optimal equal to boe~= 1/(2h 1)+ 1.

22 Table. Variance of the depth for symmetric b-tries

I V

b=l

2

3.5070

3

I b=2

b=3

b=4

1.4256

0.9053

0.6741

1 A462

0.6177

0.4105

0.3184

4

0.9393

0.4189

0.2888

0.2310

5

0.7183

0.3323

0.2358

0.1929

6

0.5957

0.2842

0.2063

0.1717

3. A P P L I C A T I O N S AND DISCUSSION In this section we show some of the possible applications of the above results. In particular, we offer the average complexity of the improved texicographical sorting algorithm proposed recently by Paige and tarjan [17]. Optimization problems.

Let us consider d 2 as a function of p = (Pl, P2 . . . . . Pv). Then a question arises what is an optimal choice of p? It is intuitively clear that the average depth of insertion is minimized for the symmetric case. However, using Proposition 1 it is easy to notice that t ~ and d 2 are minimized for all n and m if the trie is a symmetrical one, that is, p ~ = P2 = . . . .

Pv = t/V. Naturally, the bigger the V is, the smaller the average depth of

insertion is, however, the data structure becomes more complicated. Moreover, formula (7) shows that the bigger the b is, the smaller the average depth of insertion is, however, the impact of b is of the secondary importance since the leading factor in (7) does not depend on b. A measure of balance for a tree.

The variance of the depth of insertion might be considered as a measure of how welt a tree is balanced. In the height-balanced trees the depth of a leaf is the same ( or almost the same ) for all leaves. Then, the variance of the depth is equal to zero. For other trees the depth is a random variable, however, the smaller the variance is, the more balanced the tree is. Indeed, by Tchebyshev inequality, we know that Pr{[Dn - d~ [ > 5} < o~/82. For example, let 8 = 3~, then P r { I D . - d. I > 3 o . } < 1/9, and it says that with probability 0.11 the depth lies in the interval (tin - 3o~, d n + 3on), hence the smaller ~ is, the smaller the interval is. This also means that for small c the average of the depth of insertion is a good measure of the actual depth, while for larger 6, it is very poor performance issue. Let us apply this to tries. By (8) we see that for symmetric tries h 2 - hx2 = 0, hence ~ = O (1) and does not depend on n. We may claim that symmetric tries are of an order of magnitude better balanced than asymmetric tries. Let V = 2, then f o r p = 0 . 5 (symmetric trie) o~ -- 3.507, while f o r p = 0.1 6~ = t2.64 ha n + O(1) and f o r p = 0.3 o .2 = 0.66 In n + O(1). The Tchebyshev inequality implies that with probability 0A1 the depth of insertion for a symmetric trie with V = 2 lies in (am - 5.5, d. + 5.5), while with the same probability the depth is in the interval ( d ~ - 10 ~',t~n, d. + t0 ~q-~-~-n) for p = 0.I and in

23 ( d n - 2.4 ~ q - ~ , dn + 2.4 ~4-M---n) for p = 0.3 and large n. Note also that bigger the b is, more balanced the trie is. Improved lexicographical sorting

Paige and Tarjan proposed an improved iexicographical sorting algorithm [17]. It works in two steps. The first determines so called significant prefix by building a trie over an alphabet, assuming that the total length of all strings is equal to L. The proposed algorithm runs in O ( L ' ) time where L ' is the total length of all significant prefixes. Aho, Hopcroft and Ullman [1] gave a solution with O ( L ) worst case asymptotic time. Hence, the ration LIL" indicates the improvements over the Aho et al algorithm. To compute the average complexity of the improved lexicographical sorting, and compare it with the Aho's lexicographical sorting, we first introduce some notations. Let S = {x l, x2 . . . . .

x~} be set o f the finite length

strings built randomly over an V-ary alphabet U subject to the total length of all strings L (L is fixed). Let also L" denote the total length of all significant prefixes. Note that L ' is a random variable, and it is equivalent to the external path length in the appropriate tile. Assuming symmetric alphabet by Proposition 4 we find that the average value of the external path length is n lgv n + 0 (1). Note, however, that this does not follow directly from our previous results, since in our model we have assumed unlimited strings. Nevertheless, it is easy to show that for large n, and distinct keys (strings), the above holds. Hence EL" = n lgv n + O(1), and the improved ratio IMP = L/EL" = Ll[n lgv n + O(1)]. Such a formula is not very informative, since there is a relationship

between L and n. Indeed, subject to L the number of strings, n, might be equal to one, or two or ... or nmax, where nmax is the maximum number of finite strings whose total length is L. NaturaLly, n <_ nmax, and if n = nm~ (the trie in that case is almost a complete V-ary tree), t h e n L = n lgv n + O (I), hence LMP = 1 and the improved algorithm runs the same time as the Aho's lexicographical algorithms. The improvement depends on the relationship between n and nmax. Let us first compute n,,~. We obtain the maximum number of strings packed into L if we take V strings of length one, V z strings of tength two . . . . .

V~ strings of length ~ where ~cis such an integer that ~+1

~ l v ~ <_L <_ 5", Iv t. 1=I

(1o)

1=1

Then, the maximum number of strings packed into L, nmax, satisfies ,~+1

~ V~<-n=,, <- ~ V t. g=l

(11)

t=I

Note, that by geometric series formula, (10) and (11) are equivalent to

V ~:V'C+l - (I(+I)V~ + 1 < L <- V (~z+I)V~+2 - 0c+2)VX+l + 1

(V - 1)z

(12)

(V - 1)2

V V~- ! V t+l - 1 • V - 1- < nmax < V - - V - 1

(13)

24 But (12) and (13) imply that

~¢a%aax+ ~

1

I

Oc - nm~) -< L <- OC+I)nmax+ -~_lOC + 1 - nmax),

For, by (13)

~;= tgv nm~

1 V In V

+ O(n2~),

and finally we obtain 1

1

L = nm~xlgv -nrnax ('-~-~'-~ + - ~ i - ) + O(lgv nmax).

(14)

Let now nmax = ~n, [~ > 1. Then, the ratio of improvement, IMP = L/EL' is given by

IMP =L/EL'=I][I + lgv~- l/(V ln V ) - l / ( V - 1 ) ] T, + o(n%

(15)

Note that for [3 = 1 (15) implies that IMP = 1 as expected. 4. CONCLUSIONS In this paper we propose a unified approach to study additive properties of digital tries. This goal was achieved through a solution of a general class of linear recurrences. In particular, we derived all (factorial) moments of the depth of a leaf, we computed the average number of interval nodes, and the average number of nodes with both sons external nodes. Finally, we gave the average complexity of the improved texicographicaI sorting algorithm proposed recently by Paige and Tarjan. ACKNOWLEDGMENT I wish to thank Professors Helmut Prodinger and Peter Kirschenhofer from the Technical University of Vienna for pointing out an error in the computation of the constant C in (8). REFERENCES [1]

Aho, A., Hopcroft, J. and Ullman, J., Data structures and algorithms, Addison-Wesley, 1983.

[2]

Frdelyi, A., Higher transcendental functions, McGraw-Hill Book, 1953.

[3]

Fagin R., Nievergelt, J., Pippenger, N. and Strong H., Extendible hashing: A fast access method for dynamic files, ACM TODS 4, 1979, 315-344.

[4]

Fayolle, Ph., Flajotet, Ph, Hofri, M. and Jacquet, Ph., Analysis of a stack algorithm for random multipleaccess communication, IEEE Tram. on Information Theory, IT-31, 2, 1985, 244-254.

25 [5]

Flajolet, Ph., On the performance evaluation of extendible hashing and trie searching, Acta lnformatica 20, 1983, 345-369.

[6]

Flajolet, Ph. and Sedgewick R,, Digital search trees revisited, SIAM J. Compt. , 15, 1986, pp. 748-767.

[7]

Flajolet, Ph., Mathematical methods in the analysis of algorithms and data structures, INR/A Technical Report, 400, 1985.

[8]

Gonnet G., Handbook of algorithms and data structures, Addison-Wesley, 1984.

[9]

Henrici, P., Applied and computational complex analysis, John Wiley & Sons, New York 1977.

[ 10] Jacquet, Ph. and Regnier, M., Limiting distributions for trie parameters, Proc. of CAAP'86, 1985. [11 ] Kirschenhofer, P. and Pmdinger, H., Some further results on digital trees, tCALP 86, to appear. [I2] Knuth, D., The art of computer programming, Addison-Wesley, 1973. [13] Szpankowski, W., Analysis of a recurrence equation arising in stack-type algorithms for collision-detecting channels, Proc. Intern. seminar on Computer Networking and Performance Evaluation, Tokyo 1985, 9-31-9-3-12. [14] Szpankowski, W., Some results on the V-ary asymmetric tries, Purdue University, CDS-TR-582, 1985. [15] Riordan, J., Combinatorial identities, John Wiley & Sons, 1968. [16] Whittaker, E. and Watson, G., A course of modem analysis, Cambridge Press, 1935. [17] Paige, R., Tarjan, R., Three efficient algorithms based on partition refinement, preprint.

LONGEST COMMON FACTOR OF TWO WORDS,

Maxime CROCHEMORE LITP - ROUEN et CSP - Universit6 de PARIS-NORD Avenue J.B Cl6ment F - 93430 VILLETANEUSE

Abstract : The LCF of two words u and v is the maximal length of a common factor of u and v. A linear time algorithm to compute LCF is given, based on a linear time algorithm to build the minimal suffix automaton of a word. The algorithm naturally turns into a real-time string-matching algorithm.

27

Inside each string-matching algorithm is involved a notion of distance letween words. For instance c lassicalk string-matching algorithms often use a distance related to the longest common prefix of the two strings [KMP 77]. In this paper we show that the use of the f-distance [Ch 83] which is defined from the maximal length of common factors (LCF) of the two strings yields to more powerful algorithms, say, to real-time string-matching algorithms, provided the alphabet is fixed. The basic structure that is used to deal with the above questions is the minimal deterministic automaton which accepts as language all the suffixes of a word. The size of such on automaton is linear in the length of the word as it was first noted by Blumer and al.. The construction of a suffix automaton also takes a linear time. Suffix automata can be complemented to transducers that produce as output the position of the recognized word. The first two sections contain the results on suffix transducers that are needed to compute the LCF of two words. The material of these sections comes essentially from [BBEHCS 85] and [Cr 86]. Suffix transducers (or factor transducers) are an extension of position trees or suffix trees considered, among others, by Weiner, McCreight and Slisenko [Sl 83]. However the construction given in the second section is in the same vein as those of [KMP 77]. Suffix transducers or related structures have a wide range of applications among which are : string-matching problems including inverted file questions, data compression, decipherability, search for repetitions. In each case linear and optimal algorithms are obtained. The two last sections of this paper are concerned with the computation of LCF and a transformation of the algorithm which leads to a real-time string-matching algorithm.

28

MINIMAL SUFFIX TRANSDUCE RS~

Words that are considered here are elements of the free monoid A* which empty word is denoted'by i. The free semi-group A*-{I} is denoted by A +. Given a word x in A*, its set of factors is and its set of suffixes

F (x) ={u£A*/3y,z£A * x=yuz } (or right factors) is

S(x) = {u6A*/3y6A* x=yu}. Being finite S(x) can be recognized by a finite state automaton. We only consider incomplete deterministic automata i.e. deterministic automata without sink state. Then, not all the transitions by letters of the alphabet are defined on a given state. Let ~(x) be the minimal such automaton recognizing S (x)

:

~(X)=(Q×,i,T×,F x , where

Q× is the set of states, Tx is the set of terminal states, Fx is the set

of transitions and i is the initial state. Reading a letter a6A from a state q6 Qx

leads to

a state

q', noted

q.a, if

(q,a,q')6Fx. If u6A*q.u is the state

reached, if any, after u has been read from state q. One of the most important properties satisfied by minimal suffix automata ~(w) is the fact that their size is linear in the length of x, lxl. Exact bounds are known together with those words that reach the upper bounds [CM 86].

PROPOSITION

i:

satisfies : if Ixl ~ 2

then

IQxl = Ixl+l,

if Ixl > 2

then

Ixl+l ~ [Qxl ~ 21xl-l.

Furthermore,

in the second case : IQxI=21xl-i iff x6ab*

The

set

Qx

of

states

of the minimal suffix automaton ~(x)

where a and h are two distinct letters of A.

PROPOSITION 2, The set F x of transitions of the minimal suffix automaton ~(x) satisfies : if Ixt ~< 3 then Ixl ~ IFxl ~ 21xl-l, if Ixl > 3

then

Ixl ~< IFxI ~ IFxl ~ 31xi -4-

Furthermore,

in the second case :

IFx I=3 Ix I-4 iff xqab* c where a,b and c are three distinct letters of A.

29

Automata ~(x) can be transformed in transducers which output positions of the input factor of x. First~ let p be a function defined on F(x) by : p(u) = rain {lyl/3z6A* x = yz et u6F(y) l. The function p is compatible with the right syntactic congruence associated with S(x), which means that, If u and v are factors of x, i.u=i.v implies p(u)=p(v). The function p can thus be defined on states of ~(x) and we get a first transducer where the output associated with a word u is linked to the state i.u. Another more interesting way to get a transducer is to consider the function pos on F(x) : pos(u) = p(u) - !ul. This function is still a sequential function [Be 79]. As p(u) only depends on i.u, with each transition (q,a,q')£F x is associated the output Reading

a word

u =

a a I

2

q*a = p(q') - p(q) - i. ~o. a in ~(x) from its initial state i produces the j

total output : i*a1+(i'al)*a2+'''+(i'ala2"''aj-1 )*aj. When u is a suffix of x its position is Ixu-1 I which is also pos (u) + Ix I-P (u). ~(X) becomes a subsequential transducer [Be 79] if, in addition to outputs on transitions, is defined on terminal states q of ~(x) : out (q) -- Ixl- p(q).

1"7 0

a/O

a/O ~

1

~, 2

b/O ~

3

blO ~

4

a/O ~

5

a/1 b/2

T4 6

a/O b/0 b/1

8

b/0 ,

i0

$3

Figure I.

Minimal suffix transducer for aabbabb (terminal states are 0,6,9 and i0).

b/O --~

7

b/O ----,

~'0 9

30

CONSTRUCTION The second important point concerning minimal suffix automata ~(x) is that their construction can be achieved in time linear in the length of word x. Figure 2 contains an algorithm that builds ~(x). The first 'while' loop is an on-line construction of ~(x) except for the terminal states which are marked with the function 'out' during the last 'while' loop. Note that one or two states are created during each pass through instructions of the first 'while' loop. The main point in the algorithm is the use of a function s defined on states of ~(x) and which is called suffix link. Its role is analogue to the 'failure' function of the Knuth, Morris and Pratt's string-matching algorithm [KMP 77]. Function s is first defined on non empty factors u of x by : s(u)=iongest suffix w of u such that i.u/i.w. This means that s(u) is the longest suffix of u which appears in a different right context inside x.

PROPOSITION

3. Function s is compatible with the right syntactic congruence associated with S(x), i.e. : b~/,vqF(x)-{l} i.u=i.v ~ s(u)=s{v).

the

Proposition initial state

3 shows i. From

that s can be defined on states of ~(x) except on that point of view, s behaves like a default state

function for ~(x). During execution of the algorithm in figure 2, each time a new state q is created (except at initialization) the value of s(q) is computed with the help of function 'suffix'. Its writing has been made simpler by introducing an artificial state on which are defined transitions to the initial state i by all the letters occurring in x. The function 'suffix', called with parameters r and a, climbs up the suffix links starting from r until is encountered a state on which a transition by a is defined. Using side effect, function 'suffix' creates or updates transitions. Tests in the algorithm and function 'suffix' are done by looking at the value of the function 1 defined on states q of ~(x) :

l(q)=max{lwl/w6A* and i.w=q}. One of the properties that brings all its simplicity to the algorithm is the fact that suffix links on words are of maximal length inside their right syntactic congruence class. This partly explains why function 'suffix' does not have to create states.

PROPOSITION

~. Let

y6F(x)-{l} and

q be that state $(x) such that i.y=q-

u=s(y). Then ~v6F(x) i.v=i.u ~ Ivl ~ lul, which may be translated as lul : l ( s ( q ) ) .

Let

31 On a given finite alphabet, all instructions of the algorithm in figure 2 take a constant time, except calls to 'suffix'. To conclude on the 0(Ixl) global time complexity, observe that that each recursive call to suffix strictly decreases l(s(last)) which is increased by at most 1 unit for each new letter.

Theorem 5. The construction of the minimal suffix transducer ~(x) by the algorithm in figure 2 is achieved in time O(Ixl). Almost the same results as those related in this section and the preceeding one remain true when one deals with factor automata instead of suffix automata. But minimal factor automata are of no use to compute LCF because they do not satisfy proposition 5.

32

begin create state 'art'; l(art)~p(art)e-i ; creat state i ; l(i)~p(i)~-O ; s(i)~art ; last e i ; while not end of input do read next letter a ; art.a~i ; create state q ; l(q)el(last)+l; p(q)ep(last)+l ; last.aeq ; last*ae 0 ; resuffix (last,a) ; if l(r.a) > l(r)+l then create state r ; with same transitions

as r.a ;

l(r) e l(r)+l

;

; p(r)~p(r.a)

r.a e r ; r*a e p s(r)esuffix end if ;

(r,a).a

; s(r.a)er

-p(r)-i

;

;

s(q)er.a ; last ~q ; end while ; qelast ; out (q)eO ; while q#i do qes(q) ; out (q)ep(last)-p(q) end while ;

;

end.

function suffix (r,a) ; if s(r).a not defined o_rr l(s(r).a)~l(r.a) s(r).aer.a return

; s(r)*a~p(s(r).a)-p(s(r))-i

(suffix

else return end if ; end function.

(s(r))

(s(r),a))

then ;

;

;

Figure 2 - Construction of minimal suffix tranducers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

F - D I S T A N C E A N D LCF.

This section deals with string-matching questions of the kind : search a text t for an occurrence of a word x. The suffix transducer of text t brings an interesting solution to this problem since any further search for a word x takes a time 0(Ixl). We concentrate on another solution which is more convenient when text t often changes as it is the case under a text editor. This time the suffix transducer ~(x) is used in a particular way by means of its suffix link s and the function 1 which gives, for a state q in ~(x), the length of a longest word that reaches q from i. Given x,tEA*, we introduce the function LCF(x,t)=max{lwl/w6F(x) and w6F(t)}. From LCF is defined a distance d between words of A*, called the f-distance [Oh 83] : d(x, t)= Ix I+ it I-2LCF (x, t). Searching t for an occurrence of x translates to searching for a factor u of t such that lul=Itl and LCF(x,u)=Ix I or d(x,u)=0. The algorithm in figure 3 is the basic algorithm to compute LCF(x,t) or d(x,t). It may readily be adapted to do string-matching or even approximative string-matching. The algorithm uses the suffix automaton ~(x) already built. So, ~(x) can be considered as one of the inputs of the algorithm. The other input is the text t. If t=t t 2 . . . t , where the ti's belongs to A, the output of algorithm in figure 3 is the sequence i0,I i ..... i, defined by Ik=max{lwl/w~F(x) and w~S(t ...tk)}. With this notation we get LCF(x,t)=max{Ik/k=0 ..... n}. The proof that the algorithm works well lies on proposition 5 which contains a property of function I on states that are images by the suffix link s. To see why the time complexity of the algorithm is globally 0(Itl), it is enough to note that the instruction 'qes(q)' of the internal 'while' loop strictly decreases l(q) from its value i k, and besides, this latter quantity increases by at most 1 for each letter of t.

Theorem 6. Algorithm in figure 3 compute the lengthes of the common factors of x and t in time 0(itl) (when ~(x) is already built).

COROLLARY 7. Given two words x and t on a finite alphabet A, LCF(x,t) can be computed in time and space complexities 0(Ixtl).

The use of suffix transducers instead of suffix automata allows to memorize an occurrence of a longest common factor, the first for instance.

34

begin {states (q and i) and transitions are those of ~(x). On states are defined functions s a n s i} keO ; loeO ; qei ; while not end of input t d__oo read next letter a ; k~k+l ; if q.a defined then ikelk_z+l ; q~-q.a ; else while qwi and q.a not defined d__oo qes(q) ; end while ; i_ff q.a not defined then ik@O ; else 1 el(q)+l ; qeq.a ; end if ; end if ; end while ; end.

FIGURE 3. Computing l e n g t h e s of f a c t o r s .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

common to x and t . .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

REAL-TIME STRING-MATCHING~

The algorithm of the preceeding section has a linear time complexity but the delay between the reading of two consecutive letters of the input text t depends on the word x and is even 0(Ix I) in the worst case. By considering a new suffix link, the delay can be bounded to 0(IAI). First define the immediate right context of a factor u of word x to be the set of letters that follow u : C(u)={a6A/ 3y,zqA* x=yuaz}. When v is a suffix of u we get C(u) ~ C(v) and in particular C(u) ~ C(s(u)) when u~l. When C(u)=C(s(u)) and if ub is encountered in the text t which is searched for x, then it is useless to come down to s(u)b. This gives the idea of a new suffix link noted sa and defined on non empty factors u of x : !

sa(u) = Isk (u) if k is the smallest integer > 0

[

1

such that C(s k (q))JC(u) otherwise

Since C(w)~C(s(w)), the test C(sk(u))wC(u) can be done on the cardinalities of the two sets. The condition on immediate right context easily translates on automaton ~(x) in term of output degree de of its states. If q is a state of ~(w), let de(q)=i{a6A/q.a defined} I. Then the new suffix link sa on states of ~(w) (different from initial state i) is

sa(q)=

{ik

(q) if k is the smallest integer > 0 such that de(s k (q))Ide(q), otherwise.

PROPOSITION 8. Replacing instruction 'q,s(q)' by 'qesa(q)' in the algorithm of figure 3 leads to a real-time algorithm on any finite alphabet.

To compute the suffix link sa~ states of ~ ( x ) are visited in a breadth-first-search order and the following formula is applied which yields an 0(Ix I) time complexity algorithm. I sa(q)=

i if s (q)=i, s(q) if de (s (q))/de (q), ~sa(s (q)) otherwise.

Another way to get a real-time string-matching is to complete the transducer ~(x). In fact the aim of the internal 'while' loop of algorithm in figure 3 and the test hereafter is to compute missing transitions. With complete transducers the space complexity becomes 0({Ai.lxl) while it is 0(ix I) in the previous algorithm°

36 MAIN REFERENCES

:

[Be 79] J. BERSTEL,Transductions

and context-free languages, Teubner, 1979.

[BBEHCS 85] A. BLUMER, J. EHRENFEUCHT, D. HAUSSLER, M.T. CHEN & J. SEIFEIRAS, The smallest automaton recognizing the subwords of a text, Theor. Comput. Sci. 40, 1 (1985) 31-56. [Ch 83] C. CHOFFRUT, On some combinatorial properties of metrics over the free monoid, in : [Combinatorics on words, Cumming ed., Academic Press, 1983]. [Cr 86] M. CROCHEMORE, Transducers and repetitions, Theor. Comput. Sci. (1986) to appear. [KMP 77] D.E. KNUTH, J.H. MORRIS & V.R. PRATT, Fast pattern-matching in strings, SIAM J. Compt. 6, 2 (1977) 323-350. [Sl 83] A.O. SLISENKO, Detection of periodicities and string-matching in real time, J. of Soviet Mathematics 22, 3 (1983) 1316-1387.

An unification semi-algorithm for intersection type schemes Simona Ronchi Della Rocca Dipartimento di Informatica - Universita' di Torino corse Svizzera 185 - 10149 Torino

I. Introduction. The intersection type discipline for ~,-calculus (ITD), defined in [Coppo et ai.,1980 b], is an extension of the classical functionality theory of Curry [Curry et 81.,1958] .In Curry type discipline type schemes are built from type variables using the constructor -~ (arrow). In the ITD, type schemes are built from type variables and the type constant (the universal type) using, as constructors, beside the arrow, the intersection (^). The semantics of a type scheme of the shape ~ - ~ is the classical one, the semantics of a type scheme of the shape ~^B is the intersection of the sets representing the meanings of c~ and ~, the semantics of ~ is the whole semantic domain. In the ITD every term has at least one type scheme, and type assignment preserves B-convertibility. In the Curry type discipline, every term X which can be typed has a principal type scheme (pts), from which all and only the type schemes deducible for X can be derived, by means of substitutions. The problem of computing the pts, if it exists, of a term in the Curry type discipline is decidable, and algorithms to solve it have been proposed by Hindley [Hindley,1969] (for terms of Combinatory Logic), and by Milner [Milner, 1978] [Milner et 81.,1982] (for terms of },-calculus). Milner uses this algorithm in the design of the ML type checker. Both these algorithms are based on the classical unification algorithm of Robinson [Robinson,1965]. In the ITD each term X, which has a finite set of 8pproximants, has a pts in an extended meaning. More precisely, every type scheme deducible for X is derived from its pts by means of a sequence of suitable operations, namely the substitution, the expansion and the rise [Ronchi et ai.,1984]. In this paper the unification problem for intersection type scheme is studied. This problem is semi-decidable. The semi-algorithm UNIFY solving it is presented, and it is proved that ,in the case 8 solution exists, it finds the more general one. While UNIFY uses also operations different from substitution, it is conservative with respect to Robinson's unification algorithm. Moreover a semi-algorithm PP is presented, using UNIFY as essential tool, which, given 8 term X, if X is strongly normalizing computes its pts .Since there is a one-one correspondence between a term and its pts (if it exists), PP can be viewed 81so as a reduction machine,using an innermost reduction strategy. The use of unification between type schemes instead of p-reduction in computing the normal form of a term avoids the necessity of ~-conversions.

38 2.Tile interse~ti~, type ~Iis~ipli,e. The reader is supposed to have some acquaintance with k-calculus; in any case he c~n refer to [Barendregt,1984], whose notations we will use. D~filIitiml I. i) The set T of intersection type schemesis inductively defined by: ~i,?i,...~T (i~O) (type variables) s~T

(type constant)

6,-~T ~ (~-~'~)~T,(6h~)eT. ii) A statementis of the form 6x with 6aT and x is a variable, x is the subjectand 6 the predicateof 6M. A basis scheme is a (possibly infinite) set of ststements. The notion of subtype of a given type scheme is obtained in 8 straightforward way from Definition I.i). 6 i-~62-~...-~6n -~I; is an abbreviation for 6 i-~(62-~(63-t..(6n-.~d)...)) and

6 i^62h...^6 n

is

on

abbreviation

for

(6 ih(62h_.(6n_lh6n)...)). The simple semantics(for the definition of simple semantics see [Hindley, 1983]) for T can be given in the following way: I)etinitian 2. Let/~ be 8 k-model. i) Let N6A; if l~ is a valuation of variables in D, then ~ N ~ D is the interpretation of N in Mvia ~. ii)Let PD={XIXcD} and V:{~I~ is a type variable}-+PD. Then the interpretation of 6aT in M via V, notation [6~v~PD, is defined as follows: Io~=D

~v=V(~)

•~' J6 II6-~'~'~={deDjYee~6 ~v.d.eelh;~V }

This semantics induces naturally 8 pre-order relation ~ on T, whose intended meaning

is: 6<~ 4=> YMV. ~6~vC_K BV. Definition 3. The relation < (and ~) on T is inductively defined by: i) ~<'~, ~ o , o~w-~, ~<~h~, ~h6~6, ~h6<~, (6-~Q)h(6-~)<6-*(Qh~), 6~'d~ ~ 6~[~, 6~6'8nd~C~1;'~6h~6'^~ ',616' and ~'6' ~ 6-~6'-~,'C. ii)6~'I:<=> 6.(~_(6. II)efiiiitilm 4. Type scheme assignment rules Let B be a basis scheme, ond let A be the set of type free k-terms. (~))BI-oX for all XeA (var) BU{6x}I-6x (hl) BI-6X BI-~X (hE) BI-6h~X BI-6A'CX BI-6^'CX

6X

~6X

3g (~I) BU~6x~*I-~;X' ~

(-~E) BI-6-~X

BI-6Y

BI-~-,~;~,x.X BI-'dXY * where 6x is the unique statement of B ,whose subject is x,used to deduce ~;X. (<) BI--6x 6,<% BI-~X Note that the rule (^E) is redundant, since it can be directly derived from rule (<). I~otati~n. Let be a triple of either two type schemes and a type variable, or two terms and a variable. Z[z/W] denote the type scheme (term) obtained from Z by simultaneous replacing each free occurrence of z with W. If z' is 8 (type) variable, Z[zlz'] is an instenceof Z. Let -~tBdenote the B-reducibility, i.e., C[(~,x.M)N]-~C[M[x/N]J

( where C[] is any context)

iff N is substitutible for x in M (note that a term N can always become substitutible for a given variable in a term M, by means of a renaming of bound variables in M).Let = denote i~-convertibility,i.e.,the transitive and reflexive closure of i~-reducibiMty. We recall that a term X is in normal formiff ~X'.X-,~X', and it is in headnormal form iff X=%XlX2...Xn.~XiX2...Xm (n,m>O), where ~ is any variable and XiEA (1 BI-I;X'. ii) ~B,~.BI-I;X ~ X has a head normal form. iii)~B,s;.BI-~:Xand ~ does not occur neither in B nor in I; 4=> X has a normal form. [] Without less of generality, we can restrict ourselves to consider only finite basis schemes. I)efinition 5.i) A pair, where 8 is a basis scheme and % is a type scheme is suitablefor XEA, iff there exists a deduction D such that D:BI-~X. ii) ~ will denote the synctactical identity between type schemes, basis schemes and pairs. iii)The equvalence relation ~ between pairs is so defined: ~~=>~;~~;'and, if, Yx. 6ix (1 (1
40 distinct type variables and ~Ii are type schemes. Then, for every pair : i) s(~)--~;[~ilPi],s(B)={s(6)xI6x~B} ii)e()--<s(B),s(~)>. Clearly, if D:BI-~;X and s is any substitution,-'ID':s(B)I-s(~;).D' is obtained from D simply applying s to every basis and type scheme occurring in D. Nototion. Let L be ~n ordered list.Then L<>e will denote the extraction of the meximum element of L, whose name is a. Definition 7. An expansione is e monuple ,where ~tis a type scheme. i) Let Le(B,-d) a list of type scheme,ordered by number of symbols (when two type schemes have the same number of symbols their mutual order is unimportant). Le(B,I;) is built in the following way: -Le(B,~)~t -if 6~Le(B,~), end 8 is e proper subtype of 5, Le(B,~;)<<$. -for each type scheme 6, such that 6 is a subtype of either ~d or o predicate in B: -if either 6=v-~8 or 6--v-~(8^c() and 8~Le(B,~;),then Le(B,%)<<6. ii)Let I--{~iI~iis e type varieble occurring in Le(8,~;)}. Let si={<~i,?i>I ~i~I,~i is ~ fresh wriable} (I>~if ~" occurs in 6 then replece ~ in 6 by s1(~')^s2(¥) end

iv)e(B)--{e(~)xI6x~B}-

v)e()--<e(B),e('c)>. An expansion e will be called totalwith respect to e type scheme 6 iff e(6)=e'(6), where e'--<6>. Let D:BI-~;X.Then, if e is 8n expansion, there exists 8 deduction D':e(B)I-e(~;)X,and D' is obtmned from D by dupliceting some subdeductions of D end by odjoining some applications of the rule (^I), as can be seen in the following: Exomple I. Let B--{(~-,~)-~y}.Then is 8 suitable pair for the term y(~,x.x). In fact we can show the deduction D: (-~I) BU{~x}I-~x (-~E) BI-(~-~)-~ocy

BI-~-~x.x

BI-~y(~,x.x). Let e--<~>, e()=<{((~1-~1)^(~2-~2))-~o(Y},~ > is o suitable pair for y(~x.x). In fact there exists e deduction D':

41

(-~I) e(B)U!~IX}I-~1 x (-~I)e(B)U{~2x}I-~2x (^I) e(B)I-~1-*~1 ~'x'x (-,E) e(B)I-((~1-*~ I)^(~°2-~Z ))-*c~y e(B)I-~ y(>,x.x).

e(B)I-~2-*~2 ~x-x

e(B)I-(~ I-~ I)^(~2-%°2 )~xx

The notion of instance can be naturally extended to substitutions and expansions; we will say that e substitution s={<~i,6i>} is an instance of s'={<~'i..d'i>} iff 6 i is an instance of 6'i, and an expansion e=<~> is an instance of e'--%I'>iff ~ is an instance of Definition 8.i) A chain c is e finite sequence of operations of substitutions and expansions. ii) Two chains c I and c 2 are equivalent(notation cl==c 2) iff: -

1~

~

-

- if Sl,...,s n and S'l,..,s' m ere all end only the substitutions occurring respectively in c I and c 2, Ut)=c2(). Netatien. Let opi be an operation of expansion or substitution (lis a suitable pair for X, then c() is also e suitable pair for X. ii)Let c be a chain, such that c()=, where 5' =l~^v. Then -~c' such that: c'=e.c", where e=<6>, c'()= and c==c'. C] It is possible to see the operation of expansion as operation only on type schemes, not necessary on pairs. The expansion e=

, applied on the type scheme 1;, is defined ~s in Definition 7.iii), with Le(B,%) replaced by Le(~,%), where ~ is the empty set. In what follows we w i l l use "expansion" to denote indifferently the two operations, since the meaning will be clear from the context.

3.The unification semi-algorithm. The unification problem for type schemes belonging to T could be stated in the following "syntactic" way: - Given 6,1~T, find, if it exists, a chain c (of expansions and substitutions), such that

c(6)=c('~). But in this formulation of the problem the particular role of the universal type scheme is not taken into account. In fact, it is natural to impose that o can be unified with any type scheme.Then, we can give a "semantic" version of the problem:

42

- Given 5,~eT, find, if it exists, a chein c such that c(6)~c(~;). But this formulation is too generel, ~nd it exels our 8ires. So, we will define e new equiwlence relation between type schemes: Definition 9.i) A (~-type scheme is a type scheme in which only the symbol ~ occurs. ii) ~ is inductively defined as follows: ~,t~ ~-type schemes ~ ~i~

(Note that o~^B~t~A~). We can now try to give a third formulation of the unification problem:, -Given 6,s;eT, find, if it exists, a chain c such that c(6)~c('d). But now the problem has always a solution,the trivial one c(6)~c(i;)~. The correct formulstion of the unification problem must impose thet the trivial solution csn be choosen only in the case no other solution exists. Then the final formuletion of the problem is: -Given 6,1;eT,find, if it exists, 8 ch6in c such that c(6)~c(I;)~. This problem is semi-decidsble. In fsct, in the following section it will be possible to see that it is equivslent to the problem: -~.BI-~;X? which is clearly semi-decidable (by Theorem I.i). The semi-~Igorithm UNIFY we will show solves the problem in the most generel way, i.e.,it finds the most general unifying chein, if it exists, otherwise it does not stop, es will be proved in Theorem 3.

Seml-olgoritflm UNIFY UNIFY(6,1;)=U(6,6,~;,~), where U(6,6,~;,~')--c(if defined) ,.where: I.if 6 is a type variable then if ~--6 then s--~ else if 6 occurs in ~ then c'--s,where s--{<tp,~>,<6,o>I~poccurs in ~} else c'=s,where s={<6,1;>}; 2.if 6-- ~ then c'=s,where s={<~,~>I~ occurs in'(;}; 3.if 6--61-,62 then 3.1.if "d is a verisble then if I; occurs in 6 then c'=s, where s={<~,~>,<1;,~>I~ occurs in 6} else c'--s,where s--{} 3.2. if %=o then c'--s,where s=(<~p,w>I~poccurs in ~} 3.3. if ~--~:i-~I;2then if ci=U(61,6",%1,1;')end c2--U(cI(52),cI(6"),cI(~2),ci(~')) then c'=cl.c2 3.4.ifI;~i;I^~2 then let e=<6>, then if c1=U(e(6'),e(6"),e(Ic?),e(~')) then c'--e.cI

43 4. if 6:6 i^62 then: 4.1. [ identical'topoint 3.1 ] 4.2. [ identical to point 3.2 ] 4.3. if 1;:%1-~%2 then let e,.<1;>then if c l-U(e(5'),e(6'),e(1;'),e(1;')) then c':e.cI 4.4. if I;:%1^%2 then if ci:U(61,6',1;i,%')and ifc2:U(c1(62),c1(6'),c1(%2),c1(%')) then c'-cl.c2.

Example 2. Let o~,[~,~',S,(4,v be type variables. i) If (~-(x-,~-~[~and ~;-(~-,6)-*(14-~v)--~¥,UNIFY(~,%)-C-Sl.S2.S3, where: s1={,<8,o>),Sz:{<14,(~>,},s3={<~,~'>},and c(6)~c(%)~(~-~(~-~'. ii) If 6:C~A(~-*I3)end 1;:((JL^(t4-~v))-~v,UNIFY(6,1;) does not stop. In fact: UNIFY(6,%):UNIFY(e(6),e(%)) (where e:<%>):UNIFY(6,%'A%") (where %' and %" are instances of %):UNIFY(s(oc-~[B),s(%")) (where s--(<(z,%'>}): :UNIFY(1;'-~t~,%"):UNIFY(I;'-~t~,6"-~v')(where ~" is an instance of 6 and v' is a new type variable) : if c:UNIFY(%',6 ")then UNIFY(c(#),c(v')) and this function is undefined since %' and 6' are instances of 6 and %. To prove that this semi-algorithm is correct and (in some sense) complete, we need a further definition: I)efinitIoI~ lO.i) Let 6,1;~T,and let 6" and %' be subtypes respectively of 6 and %. Two occurrences of 6' and I;'in 6 end % are corre~cpandingiff: -6--6' and %--%' -6-~-,t3 and %-~'-~' (6-~^t~ and %-c~'^[s')and the accurrences of ~' end %' are corresponding either in o~ and ~' or in t~and is'. ii) Let c--oPl....op n be a chain such that c(6)~,c(%), c is a praper chainunifying 6 and % iff ¥i (1~i~n). there exist no two corresponding occurrences of subtypes of OPl....oPi(6) and oPl...oPi(%)(say 6 i and "~i) such that: 6i,%i-~(~and 3j>i. OPl..Opj(6i)~OPl...opj(%i)~(~. Roughtly speaking, a proper chain unifying two given type schemes is a chain in which a substitution of a type variable with the constant ~ is used only in order to unify two subtypes one of which is ~. Then we are able to prove: Theorem 3.i) (Correctness) If UNIFY(6,'(;)=c,then c(6)~c(I;). ii) (Completeness) Let 6,%ET be such that there exists a proper chain c unifying 6 and I;.Then UNIFY(6,%)~c', where c' is a proper chain unifying 6 and 1;, and cs~c'.c" for some c"(i.e.,c' is the minimalchain unifying 6 and %,in the sense that every other

44 some c"(i.e.,c' is the minimalchain unifying 6 and ~;,in the sense that every other proper chain unifuing 6 and i; must contain (an instance of) every operation occurring inc'). Proof. i) Easy, by induction on the lenght of c. ii) By induction on the pair (we assume the lexicographical order between pairs), where: l(c) is the lenght of c, i.e.,the sum of the number of expansions occurring in c and the cardinality of the union of all the substitutions occurring in c. - n(6,~;) is the total number of symbols occurring in 6 and "C. The case l(c)=o and I(c)=I are obvious. Let l(c)>1.1n the case 6 is a type variable, we must distinguish two cases, according to ~: contains or not occurrences of 6. In the first case obviously there is no a proper chain unifying 6 and ~;. Otherwise, UNIFY makes the substitution s={<6,~c>}.Obviously this is the minimal between all the proper unifying chains composed only of substitutions ( see [Robinson, 1965]). It easy to see that every proper chain unifying 6 and "d in which some operations of expansion occur is at least of length 2 (it must contain at least one substitution, since the expansion generates new type variables) and it is always equivalent to a chain composed by a single substitution. In the case 6 ~ , UNIFY(d,~;)=s, where s={I~ occurs in "c}. Obviously s is the minimal chain, since every chain unifying 6 and I: is such that c(6)=c(~)~. In the case 6=61^6 2 and ~;=s;i^I;2, the proof follows directly from the induction -

hypothesis. In the case 6=61-~6 2 and ~=~:1-~:2,if c is such

that c(6)=c(61)-~c(62) and

c(I;)=c(%1)-~c(I;2), the proof follows directly from the induction hypothesis. In the case c(6)=c(~;)=B^~, by Theorem 2.ii),there exists Cl--e.c2,where e=<6^I;>, such that ci(6)=ci(I;) and c==c I. So c 2 is e proper unifying chain for e(6) and e('~), and, by induction (since I(c2)
c". So

c1==e.c'.c"==c, and the proof is given, since UNIFY(6,1;)=e.c'. Consider now the case 6=61^62 and ~;=I;i-~I;2. If there exists a proper chain c unifying 6 and "~, c must contain an operation of total expansion with respect to %. Let e=<~;>; by Theorem2.ii) there exists c I such that c1=e.c2 end cI(6)=cI(~) and c1==c. Then c 2 is e proper chain unifying e(6) and e(-c),and l(c2)
Moreover, the semi-algorithm UNIFY is conservative unification algorithm R. More precisely: Property I. Let 6,'c be type schemes without occurrences of the symbols ^ and e. If R(6,~;)=s, where s is some substitution, then UNIFY(6,'C)==s; if R(6,~) fails, then UNIFY(6,~)==s, where s contains only pair~of the shape:<~pi,~>, so s(6)~s(1;)~,(a.

45 Proof. Easy []

4.Principal pairs. Let us introduce the notion of principalpair,as defined in [Ronchi et. aI,1984]. First of all, the notion of approximant of a term must be introduced. Definition 112)The set N of approximate normal formsis defined from the set of variables plus a new constant symbol ~ in the following way: - ~ N , x~Nfor all variable x - if x is a variable and A~N(A~), then ~x.A~N - if x is a variable and A I.....Ap~N(p~O), then xAI...Ap~N ii) Let X be a term and A E N A is on epproxirnant of X (A_~X) iff ~X'=pX such that A matches X" except at occurrences of Q in A. iii) A~X)={AIA_~X}. iv) the type assignment rules of Definition 4 are generalized to elements of N simply by adjoining the following rule: (~') BI-~A for all A ~ N The following theorem holds: Theorem 4.[Ronchi et ei.,1984]. is e suitable peir for M E A iff is 6 suiteble pair for some A~ACM) We con define, for an approximate normal form A, o unique princ.ipalpair (pp(A)) (modulo the relation ~) as follows: Definition 12. Let A ~ N i) if A=~, then pp(A)~ (zp is the empty set) ii) if A=x, then pp(A)~<{~x},~p>, where ~ is 8 type variable iii) if A=~,x.A', end pp(A')~,then: I) if x occurs in A', pp(A)~,where ~ is the intersection of the predicates of B' whose subject is x 2) otherwise, pp(A)~ Iv) if A=xAI...An and pp(Ai)~ (i~i_~n) (we choose a trivial variant of them such that they are pairwise disjoint), then pp(A)~, where ~ is a type variable which does not occurs in Bi6fi(1_ is suitable for A ,then there exists a chain c of operations of substitution, expansion and rise, such that ~c(pp(A)), where the operation of rise is defined as follows: Definition 13.A riser is 8 pair of pairs <,<~1,~2>>, where ~i~2 and B 2 is such

46 that, for every 6x~B I, there exists 6'xEB 2 with 6"~6. Then: i) r(~;)= if ~;~~I then ~2 else r(B)= if Yx.6ix~B (1~i~n) and "Cjx~B I (1~j~m) ~ 61^...^6n~~;1^...'Cm, then 82 else B ii) r()-~. In [Ronchi et ai.,1984] it is proved thet the operation of rise preserves suitable pairs: namely, if is such that there exists D:BI-'~X, and r is any rise, there exists a deduction D':r(B)I-r('~),and D" is obtained from D by adjoining to D some applications of rule (~). Let II(X)--{I3AEA~X).~pp(A)}, and ,~{I3A~N~pp(A)}. On Pis possible to define the following preorder relation: E_~ <=> 3~i...~n. =--IIll(X),where ~P: then is the pp of X. Otherwise, LIll(X)does not exist in P, and then X hes an infinite set of pp's, as shown in the following: T h e o r e m 5.i)A[X) is finite. --LII'I(X)is such that, if is suitable for X, then there exists a chain c such that ~c(). ii)A(X) is infinite. For ever U suitable for X there exists ~II(X) such that ~c(), for some chain c. [] In order to compute the principal pair of a term X, if it exists, the semi-algorithm PP will be shown. PP uses the unification semi-algorithm UNIFY, defined in the preceding section. In this semi-algorithm, the operation ~ between basis schemes, with at least one statement on every subject, is used. ~ is so defined: B~B'={~A6'xl 6x~B ~nd 6'x~B'}U{6xI(6x~_B and B' has no a statement on x) or (6x~B" and B has no a statement on x)}.

Semi-algorithm PP. PP(X)= (if defined), where: I) if X is a variable then --<{~X},~> where ~ is a fresh type variable. 2) if X--~,x.X'the..n if PP(X')= then if B' contains a premise on x,let 6x, then --else _ . 3) if X--XIX2 then if PP(X1)~- and PP(X2)-- ~hen if UNIFY(If16f2-+~)--c (~ is a fresh variable) then --

47 Remember that e term X is called s~'~ronglynormalizingiffX, and every its subterm, possess a normal form. T h e o r e m 6.PP(X)= ~ X is strongly normalizing and pp(X)~. The proof will be given in the following section. It is possible to define e set of unification algorithms UNIFY i (i;~O),each one unifying with o, st every step, ell the subtypes occurring at depth 2i, where the depth of an occurrence of a subtype in a type scheme is defined as follows. Definition 14. Let 6eT. The depthd(o(~),5)of an occurrence o(I;) of I; in 6is: i) if ~; does not occurs in 5 then d(o(~:),6)isundefined ii) if 6--~ then d(o(1;),6)~-O iii) if either 6~-61-~62 or 6---6i^62 then if d(o(~),d i)--ithen d(o(~;),6)--i+1 if d(o(%),62)=i then d(o(~:),6)--i+1.

Algorithms UNIFY i. UNIFYi(6,1;)=Ui(6,6,~,~;,O)where Ui(6,6",1;,1;',j)--cwhere i_!fj >i then c--U(~,6',~,~;')el.se I.if either ~ or I; 8re either a type variable or ~ then c--U(6,6',~,'I;') 2.if 6--6i-+62 then 2.1.if "C--I;i-+"c2 then let Cl--Ui_1(~1,6",~i,1;',j+I)and c2--Ui_1(c1(62),c1(6'),c1(~;2),c1(~;'),j+1)then C=Cl.C2 2.2. ifs;--~;1^~;2 then let e=<6> then let Cl--Ui~ (6),e(6 ),e(~;),e(~;),0) then c=e.c I 3. if 6--EII^62 then 3.1. if "d=~;1-~;2 then let e--<1;>,then let Cl--Ui(e(6"),e(6"),e(1;'),e('C'),O) then c=e.c I 3.2. if'c='c;1^~;2 then let ci=Ui_i(61,6",~:I,'C',j+I)and c2=Ui_1(c1(62),c1(6'),c1(1;2).c1(~'),j+1) then c--cl.c2. Let PPi be the 81gorithm obtained from PP by replacing UNIFY with UNIFY i (i>O). The following theorem holds:

48 Theorem 7.i) PPi(X)=~ ~II(X).

ii) ~ll(X) ~ ~i.PPi(X)=8nd _~. Proof_ Immediste from Theorem 5 8nd from the definition of the 8pproximsnts of term. []

4.Proof of Theorem 6.

(~)By induction on the structure of ×. For X vsriable, obvious. For X=;~.x.X'or X=YZ, where Y does not reduce to ~x.Y',forsome Y',the proof follows directly from the induction hypothesis. For X=(~x.Y)Z, PP(X) =~PP(;k×.Y)= end PP(Z)= and --,where c=UNIFY(6-~6f2~p). It essy too see , by exsmining the

semi-algorithm

PP,

that, if ~~~-,~

and

~If2-,~P

and

UNIFY(~,~)=c',

~.Then the proof is given by induction on the normsl forms of ~x.Y and Z, which exist since X is strongly normalizing by hypothesis. (~) Let B be 8 basis scheme, ~ be 8 type scheme ?g,snd M be 8 ~.- term. Let us define the predicgte: P(B,o~,M)C=>PP(M)is defined and 3c.~c(PP(M))8ridM is strongly normslizing. Let x-M denote xMI...Mn, for n;~O,8ridlet FV(M) denote the set of vsrisbles occurring free inM. Property 3.i) P(B,o~-~,xM) 8nd P(B',oCN) ~ P(SUB',~,xMN). ii) P(BU{o~x},I~,Mx)8nd x~FV(M) 8nd B does not contsin premises on x P(B,oc-~I~,M). iii)P(B,61^e2,M) ¢ P(B,61,M) 8nd P(B,62,M). iv) P(B,6,M) 8nd 6<'~ :=>P(B,I;,M). Proof_ i) Let xi~=xM1...Mm.

P(B',o~,N)~PP(N)= 8rid 3c.~c(PP(N)).

p(8,~-~ts,x~)¢pp(x~)=<{Tf1-~...-~fm-~x}VBiV...VBm,~p>, where ke is 8 fresh wrisble end

PP(Mi)=, and

~c'.~c'(PP(x~))

So

UNIFY(~p,~f'-+~)--s, where

s={<~,~f'-+~>} (~t is fresh),which pp(xi~N)=<{~f1-~...-+~fm-+~f'-~?x}~BI~...VBm~IB',~>.Let c"--c.c'.s', where

impli es s'--{<$,~>}.

-c"(PP(x~N)),smce PP(N) and PP(x~) 8re disjoint,then P(BUB',~,x~N). ii) P(BU{ccx},~,Mx)~PP(M)= ~nd PP(x)=<{~px},~> ~nd UNIFY(~fI,~-+?)=c' end pp(Mx)=where ~tis fresh and B I does not contsin premises on x, and moreover ~c.~c(.Notethst c' does not contsin any expansion involving the type v~riable ?. Then =c()(since B I does not contain premises

on

49 x)=c()=c'.c() , and ~,henP(B,E-~B,M). iii)and iv) ere immediate. Then define by induction on the ~tructure of type 8cheme~ ~, computability predicate:

the follo~ing

Comp(B,~,M) <::>P(B,~,M) Comp(B,6-)%,M) (=> (Comp(B',6,N)~Comp(BUB',%,MN)) Comp(B,d I^62,M) ~=> Comp(B,61,M) and Comp(B,62,M). it is easy to prove, by induction on the structure of M, that Comp is invoriont under B-convertibility. L e m m 8 I. i) P(B,6,xM) ~ Comp(B,~,xM). ii) Comp(B,6,M) =~ P(B,6,M). Proof.i) and ii) by simultaneous induction on 6. 6 is a type variable, i) and ii) follow from the definition of Comp. i) Comp(B',c~,N)~ P(B',E,N) (by induction hypothesis). P(B,~-~Ie,xM) and P(B',~,N) ~ P(BUB',B,xM-'N)(by Property 3) ~ Comp(BUB',B,xMN) (by induction hypothesis). Then Comp(B',o~,N) and Comp(BUB',B,x~IN) ~ Comp(B,c(-~B,x~) (by def. of Comp). ii) Let x~FV(M) and let {o;x}~BL P(B',~,×)~ Comp(B',~,x) (by induction). Comp(B,~-~B,M) and Comp(B',o~,x) ~ Comp(BUB',B,Mx) (by definition) ~ P(BUB',I3,Mx)(by induction) => P(B,(~-*I~,M)(by Property 3). 6=61^62 . ii)by definition of Comp ond by induction hypothesis. i) P(B,61^62,xM) ~ P(B,61,×M) and P(B,62,xM) (by Property 3)0 Comp(B,61,xM) and Comp(B,62,xM) (by induction) ~Comp(B,61^62,xM) (by definition).

EI

Lemmo 2. Let {Xl,...,Xm}DFV(M),and let B be such that {6ixi}~B (1~i~m}.Comp(B',6i,Ni) (1~i<m) and PP(M)= and 3c.~c() ~ Comp(BUB',~;,M[xi/Ni]). ProeLBy induction on M. The only not trivial case is M=~,x.M'. Then PP(M)=<_8,(~-~{3>=> PP(M')~<_BU{Ex},~>,whereB does not contain premises on x. PP(M')~ and 3c.~c()and Comp(B",6,N) and Comp(B',6i,Ni) (1.~i<m)

=>

Comp(BU{6 x}UB'UB",~;,M'[x/N,xi/Ni)

(1~i~m)

(by

induction)

=>

Comp(BU{6x}UB'UB",~;,(;~x.M'[xilNI])N)(since Comp is invoriont under {~-convertibility) Comp(BUB',d-)~;,~x.M'[xI/Ni])(by definition). El Then let PP(M) be defined, ond let {xl,...,Xm}=FV(M),and let ~c(PP(M)) and let {6ix}EB (1
50 5. The intersection type discipline without ~. In [Coppo et ei.,1980 a], for the first time 8n intersection type discipline was introduced, built from 8 set of type variables, without sny constant. More precisely, the type schemes ere defined as in Definition I ,without the constant ~, end the assignment rules are as in Definition 4, without the rule (~). The definition of pairs, equivalence relation ~, and operations of pairs remain unchanged. It is possible to define a principal pair in this discipline, in the following way: Definition 15. Let X be e normal form. pp'(X) is so defined: i)if X=x then pp'(x)~-<{~px},~>where ~ is e fresh type variable ii) if X--~x.X'end pp'(X')~,then: I) if × occurs in X' then pp'(X)~,where 6 is the intersection of the predicates in B' whose subject is x 2) otherwise pp'(X)~,where ~ is fresh. iii) if X=xXI...Xn and pp'(Xi)~then pp'(X)~~px},~>,where is fresh. The proof that pp'(X) is really the principal pair of X, in the sense that ell and only the type scheme deducible for X are obtained from pp'(X) by means of chains of substitutions, expansions and rise, is 8 particular case of the proof that, for A~N, pp(A) is the prlnclpal pelr of A, given in [Ronchl et ai.,1984]. Moreover an algorithm PP" can be define, which differs from PP only in the point 2), which must be replaced by: 2) if X=~,x.X'then if PP'(X')=then if B' contains a premise on x, let ~x, then PP'(X)- else PP'(X)=,where ~ is e fresh type variable. Then we obtain, as corollary of Theorem 6, the following: Theorem 8.1n the intersection type discipline without the constant ~), there exists e polr suitable for X iff X is strongly normalizing. [] This result is stated, but not proved, in [Coppo et el., 1980 o]. Aknoledgments.The author is very grateful to Paolo Busse and Mauro Berta, who gave an essential contribution in designing end implementing the semi-algorithms UNIFY end PP.

51 References.

[Borendregt,1984]

Berendregt H., The Lambdo Calculus: its syntax and semantics, North Holland, (Amsterdam). [Barendregt et ai.,1981]Borendregt H, Coppo M,,Dezeni M., A filter ~,-model and the completeness of type assignment,Journal of Symbolic Logic,84,4. [Coppo et ai.,1980 a] Coppo M., Dezanl M., An extension of the b6sic FL!nctionalityTheory for the L-calculus, Notre Dame Journal of Formal Logic, 21,4. [Coppo et ai.,1980 b] Coppo M., Dszani M.,Vonnori B., Principal type scheme and ~,-celculussemantics,in: J.P.Seldin,J.R.Hindleyads, To N.B.Curry.Essays on Combinatory Logic, ~-celculus end Formalism, Academic Press,London,1980,pp 535-560. [Curry et ai.,1958] Curry H.D., Feys R., Combinetory Logic, vol.1, Nort Holland (Amsterdam). [Hindley,1969] HIndley R.,The principal type scheme as an object in combinatory logic.Trans. Amer. Math. Soc,,146. INindley,1983] Hindle 9 R.~ The completeness theorem for typing A-terms, Theoretical Computer Science, 22. [Milner,1978] Milner R., A theory of type polimorphism in programming, J. Comput. System Sci.,17. [Milner et ai.,1982] Milner R., Domes L,Principal type schemes for functlonal programs, 9-th Syrup. on Prlnciple of programming languages. [Robinson,1965] Robinson J.A., A machine oriented logic based on the resolution principle,Journal of ACM, 12. [Ronchi et 81.,1984] Ronchi Dell8 Rocce S., Venneri B., Principal type scheme for en extended type theory, Theoretical Computer Science, 28.

O P T I M A L

RUN

TIME

O P T I M I Z A T I O N

P R O V E D BY A N E W L O O K A T A B S T R A C T I N T E R P R E T A T I O N S

B e r n h a r d Steffen Institut f~r Informatik U n i v e r s i t ~ t Kiel, D-2300 Kiel

Abstract

A two stage run time optimization algorithm is p r e s e n t e d that combines two w e l l - k n o w n techniques in a Herbrand optimal manner: - Kildall's iterative m e t h o d for data flow analysis and - M o r e l / R e n v o i s e ' s partial redundancy elimination algorithm. To combine these techniques in such an optimal way, we firstly have to elaborate Kildall's approach. This is done by means of a new classification method for abstract interpretations which has to be i n t r o d u c e d before S e c o n d l y we have to extend M o r e l / R e n v o i s e ' s technique, which is only conceived to treat the o c c u r r e n c e s of a single term, to work on the value equivalence classes d e l i v e r e d by the K i l d a l l - l i k e data flow analysis a l g o r i t h m m e n t i o n e d above. Our algorithm being optimal with respect to the Herbrand interpretation, it is a w e l l - f o u n d e d basis for the c o n s t r u c t i o n of further algorithms using special p r o p e r t i e s of a given interpretation. These can be o b t a i n e d by t r a n s f o r m i n g the K i l d a l l - l i k e analysis stage only.

I. P r e f a c e

High-level languages support a convenient and reliable programming, but the r e q u i r e d c o m p i l e r s often produce i n e f f i c i e n t codes. For example the p r o c e d u r e m e c h a n i s m and the macro expansion m e c h a n i s m lead to run time c o m p u t a t i o n s being too c o m p l i c a t e d or even redundant. To avoid this, modern compilers are c o n s t r u c t e d using optimizing techniques. Here the f o l l o w i n g m e t h o d s are very important: - loop invariant - common

code motion

subexpression

and

elimination.

Usually optimizers operate on nondeterministic flow graphs d e l i v e r e d by the compiler front ends. Based on this r e p r e s e n t a t i o n it is p o s s i b l e to combine and to improve the optimization techniques mentioned above in a systematic manner, to receive an algorithm which transforms prog r a m s into a m i n i m a l form w.r.t, the Herbrand interpretation [Gr]. This algorithm mainly consists of a two-stage iterative analysis process:

53 Firstly, we have a data flow analysis algorithm w h i c h is b a s e d on Kildall's iterative analysis technique [Kil and Ki2]. It partitions the o c c u r r e n c e s of the p r o g r a m terms in a Herbrand optimal manner. This optimality is p r o v e d by a new classification approach for abs tra c t in terpre tations. Secondly, we use an algorithm which determines the optimal locations for the c o m p u t a t i o n s of the source program w.r.t, the equivalence relation d e l i v e r e d by the first analysis stage. This algorithm is a g e n e r a l i z a t i o n of the partial redundancy elimination process stated by M o r e l / R e n v o i s e in 1979 [MR]. Our a l g o r i t h m being optimal w.r.t, the Herbrand interpretation, it is a well-founded basis for the c o n s t r u c t i o n of further algorithms using special p r o p e r t i e s of a given interpretation. These can be o b t a i n e d by t r a n s f o r m i n g the first analysis stage only. We now v i s u a l i z e

Here:

basis

and goal

of our algorithm:

(----]

- The arrows denote the n o n d e t e r m i n i s t i c this p r o g r a m part. -

The nodes

characterize

parallel

branching

structure

of

assignments.

This non reducible p r o g r a m part (it is a minimal the g e n e r a l i t y of our concept) has the following

example to d e m o n s t r a t e specific property:

while staying w i t h i n this general loop ( w i t h o u t leaving in the meantime ) the c o m p u t a t i o n s of "a+b" and "x+y" d e l i v e r the same values. This

motivates

the following

optimization:

I h:x+y I

i

i I

i

abc):-<xy h,

1

][ I Xy z :=

I

h )] D i a g r a m

This -

optimization

is r e a l i z e d

R e c o g n i z i n g the "equality" the first analysis stage.

in three of "a+b"

1.2

steps: and

"x+y".

This

is

done

within

- D e t e r m i n i n g the computation points ( see the i n s e r t e d nodes for the i n i t i a l i z a t i o n of h ) and the computation forms ( here "x+y" and "a+b" ). This is realized by solving a Boolean equation system i n i t i a l i z e d by means of the first analysis stage. -

T r a n s f o r m i n g the p r o g r a m on basis of the a n a l y s i s results, i.e. moving the c o m p u t a t i o n s (here "a+b" and "x+y") to the c o m p u t a t i o n points.

54

Previous optimization t e c h n i q u e s fail in t r e a t i n g the s i t u a t i o n m e n tioned above. I n d e e d m e t h o d s e x i s t w h i c h are a b l e to determine the r e d u n d a n c y if the v a r i a b l e h is a l r e a d y i n i t i a l i z e d [Kil, Ki2, KU, F K U and RL], b u t t h e s e m e t h o d s are e i t h e r too w e a k to m o v e any c o m p u t a t i o n at all [Kil, Ki2 a n d KU], or t h e y are r e s t r i c t e d to s p e c i a l l o o p s [FKU and RL]. On the o t h e r given fails

hand,

a technique

exists

which

is c o n c e i v e d

to m o v e

a

term w i t h i n an a r b i t r a r y f l o w g r a p h [MR], but this technique to r e c o g n i z e the " e q u a l i t y " of "a+b" a n d "x+y". Our approach combines and generalizes Kildall's t e c h n i q u e for the

r e d u n d a n c y e l i m i n a t i o n [Kil and Ki2] a n d the m e t h o d to l o c a t e computat i o n s w i t h i n a f l o w g r a p h s t a t e d by M o r e l / R e n v o i s e [MR]. T h e r e s u l t is a u n i f o r m a l g o r i t h m w h i c h d e l i v e r s the o p t i m a l computation points and

computation

forms

the Herbrand

w~r.t,

interpretation.

After presenting the b a s i c c o n c e p t s of this p a p e r in s e c t i o n II, we a n a l y z e the r e l a t i o n s b e t w e e n d i f f e r e n t abstract interpretations [CCI] s e c t i o n Ill. T h e s t u d y of t h e s e r e l a t i o n s d e l i v e r s classification criteria for abstract interpretations w.r.t, a given observational level. T h e s e c r i t e r i a c a n be u s e d to p r o v e the Herbrand optimality of the first analysis stage of o u r o p t i m i z a t i o n a l g o r i t h m as s k e t c h e d in section IV. A f t e r w a r d s , w e s h o r t l y d e s c r i b e the second analysis stage in s e c t i o n V a n d the r e s u l t i n g optimization in s e c t i o n VI.

in

If. Preliminary Definitions We d i r e c t l y introduce graph structure over occurrences G = -

of e l e m e n t a r y

(N, E, s,

(N,E) edge

- s

e )

E ~ N

resp.

LFG =

! G

This

composed

and

structure

allows

flow graphs

as f o l l o w s :

directed

graph

with

node

set

N ~ N

and

× N.

no predecessor write P(G) flow graph

for

of our p r o g r a m m i n g l a n g u a g e as a f l o w w h i c h r e p r e s e n t s the entire set of

statements. are

( start resp.

e

Further, we e of a g i v e n

5F~

which

is a c o n n e c t e d set

possessing

and

the s y n t a x a set N,

end n o d e resp.

I

denotes

a special

element

of

N

nodes.

for the set of all f i n i t e p a t h s f r o m s to G, F G for the s e t of all f l o w g r a p h s o v e r N

linear

the set of all

~ F~

)

successor

IP(G) l =

I

flow graphs

o v e r N,

i.e.

}

Remark II.1 P(G)

characterizes

identify

P(G)

with

a special this

subset

of LFG.

In the

following,

we

subset.

T h e semantics for flow graphs G over N, w i l l n o w be i n t r o d u c e d the MOP-solution in the s e n s e of Kam/Ullman [KU]. For t h a t p u r p o s e n e e d a complete semi-lattice (C, n, ~, ±, T) with bottom element

as we ±

55

and

top

element

T.

The

elements

of

representation of the situations a r b i t r a r y p r o g r a m p o i n t of G. Definition II.l a) Let ~ ~i : N node n c N a V T s C: (~ ~l , C) b)

, (C ~ C~ distributive

~ FG, G

possibly

be a function, function ~n~l

c

I ~nk~i ..... ~n1~l (c),

(~ ~, C) is (~ ~i , C)). delivers semantics

~P~1 (C)

- an i n t e r p r e t a t i o n - a set of s t a t e s the p o w e r s e t (boole,

called

( global )

a

a uniform of state

In

this

~

~

is

the

I =

(D,

~D w i t h

io)

data

lattice

d

(nl .... nk)

c LFG

abstract

semantics

frame, which is appropriate transformations belonging to

the

abstract

complete

to an

semantics

semantics

of a

and ~ D

POT([D)

for C a n d n o d e s

n of

the

form:

instruction)

- V [ ~ [~: ~n~([) =d~ {~ I B o c Zbool, Xbo~le

an

otherwise,

For example, we are a b l e to s i m u l a t e programming language w.r.t.:

- n =dr

and

if G =

imperative programming language as w e l l as the w h i c h is i n d u c e d b y a d a t a f l o w a n a l y s i s a l g o r i t h m .

using

as

at

c C:

] (c) =dr

This approach describe the

goto

serve

occur

w h i c h r e l a t e s to e v e r y from C to C ( i.e.:

local abstract semantics ~ ~l to the d o m a i n FG:

{ PEP(G) then (w.r.t.

semi-lattice

will

~n~! ([~ T) = ~ { ~n~l (c) Ic E T } ). In this case, w e c a l l an abstract interpretation or a local abstract semantics.

When (~ ~l , C) is a f o l l o w i n g e x t e n s i o n of V G

this

which

is the s u b s e t situation,

of we

n [:

~instruction~(m)=sl,

XD l e a v i n g

the

Boolean e x p r e s s i o n

are

to

translate

able

s t a t e m e n t of ~oto programs "if boole s u b f l o w g r a p h of the f o l l o w i n g form:

boole;

then goto

] goto skip [

L1

the

where

boole T R U E .

characteristic

else goto

L2"

in a

L1

predecessor

I goto L2 nboole; T h i s c o n c e p t p r o d u c e s the [Nil, w h i c h is e q u i v a l e n t

skip

~

Diagram

II.l

.

collecting semantics in the s e n s e of Nielson s e m a n t i c s for flow charts.

to t h e u s u a l

It is a l s o p o s s i b l e to s i m u l a t e a v e r y g e n e r a l with formal procedure parameters (see sec. IV). The treatment of semantics induced r i t h m s f o l l o w s i n the n e x t s e c t i o n .

by

procedure concept, e v e n data

flow

analysis

algo-

56

Finally,

we

present

semantics,

which

Definition Let G =

II.2 (N, E,

semantics a)

A

and

s,

Cs

=

V i

c IN

hl :

every

(hl)

induces

b)

Two cs

c)

A

(~

(K

3 nl

if

exists, -

(~i)

is

- a node occurs d)

We

The

~®

=dr

of

node

whereas

fulfils

the

following

sequences

two

(hl)

in

designate

of

=

G

(~i)

of

G

w.r.t. (~i)

Cs

of

is

G

exists,

states

the be

that

every

node

belonging G

~

to ( c~

(~i).

wise)

the

well-known found

in

abstract

(~ ~l , C), G c FG, of G w.r.t, cs Then

we

=

S®

( e

Especially: the end semantics

~®

is

computation

)

(global)

sequence.

n

~ N

end semantics

of

the

(hl).

frameworks

may

so

coincidence ( here [CCI,

the

CC2,

of

MOP- a n d

the

terminology Kil

or

Ki2]

semantics cs c C, and ~®

w.r.t,

results

the

(~,) a f a i r the end

fol). respon-

the

abstract semantics computation sequence

cs

properties:

(component

distributive

Coincidence Theorem L e t (~ ~, C) be the

called

w.r.t,

coincidence

for

w.r.t.

[~0 , fix .... } .

of t h e s e t w o globalization concepts is practical a p p l i c a b i l i t y of t h e theoretical global abstract semantics proved in section III.

The

the

(nl).

sequence

proofs

and

sequence

c NS(SI)

often hl

We

(hl).

(nl)

~

(Si)

{h0 , ~1 .... }

sequence

to

(nl).

sequences.

sequences if

following

theorem for

(~i)

:

(hl)-node

~l , C ) - c o m p u t a t i o n

[KU],

about

NS(~,)

infinitely

following

sible

=

sequence

MFP-solution lows

the

([ ~l , C ) - c o m p u t a t i o n

called

[( [ ] End, ((gi-1 (n))) n ~I-i (n), | n predecessor ~ of n if n = ni | [ ~i - i (n) otherwise.

equivalent

call

(K

is if

(~ ~l , C ) - c o m p u t a t i o n

with

abstract

n = s

equivalent,

a

a local

c N:

~l , C ) - c o m p u t a t i o n

fair,

¢ N

C)-computation

called

(6 ~i , C)

otherwise,

N S ( h i ) as

~L ,

are

graph,

C cs ,

, if

a set

of

flow

N ~ n

T

Sl (n)

elements

the

a

w.r.t,

I Cs

[ ii)

be

G

for

g0 (n)

)

to

(h~) , of

properties

e

globalization of a l o c a l a b s t r a c t MFP-solution of K a m / U l l m a n [KU].

alternative

¢ C.

sequence

sequence

i)

an

corresponds

local

(K ~, ,C)semantics

have: ).

independent

of

the

underlying

(~

El , C ) -

57

III

Levels of Abstract

During

the

- are

two

Interpretations

construction given

terms

of

optimization

representing

the

- is a p r o g r a m p o i n t r e a c h a b l e ? - d o e s a p r o g r a m p a r t c h a n g e the are

of m a i n

able

to

that ~z

interest.

treat

(~ ~z,

C~)

characterize

AI

: CI

and

: C2

describe

ally and

a complete

with

abstract

run

questions

time

some of

special

levels

~i

C3.

abstraction,

variables?

semantics,

of

semantics

are

we

are

abstraction.

For

=

and

(~ ~I , CI)

These

which

like

values?

abstract

semi-lattice

of

three

objects

connected

by

two

abstraction functions:

surjective V n

c N,

c

c CI

: ~n~2 oA~ (c)

~ AI 0~n~1 (c)

.......~ C3.

the

mutual

introduce

the

A2 a d e f i n e d

V c

two

levels

of

concept

on various

take

~ C2,

A2

questions

and

and

values

the

we three

distributive

To

such

purpose,

=

Using

algorithms same

relationship

between

adjoint

two

these

levels

we

addition-

concretization ) functions

or

A~ a

by:

c C,+l : Aia (c)

=dr

I

{ C

I Ai (C)=C

}-

Remark I I I . 1 This

specifies

semantics

~I

the

and

we

following are

semantics

(formalized

determine

automatically.

(iteratively) enough

( typical questions This w.r.t.

completely examples mentioned

section

semantics ~I

and

fixes

- ~2 - C3

this C3

of

abstract

the

inspected the

illustrate

this

properties

of

Cs),

semantics

~z

properties are

to d e c i d e ( i.e.

following

of

are

whether

is

this

want

to

for

an

to s e a r c h

suggested

~2

abstract

we

which we

whether

III.l.(c))

given

which

we h a v e

properties

criteria

the

a

special

purpose

the

property

detailied

interested by

the

a given

in three

abstract

is g l o b a l l y

optimal

) or not°

notations:

treatment.

programming

It

stands

language

for

(compare

the

complete

seo.

iI).

computation level.

question

- A~ and Az characterize l e v e l s of a b s t r a c t i o n . To

that

b a s i c level of o u r the

characterizes identifies

For

(Definition

motivates

the

semantics

elements

for such above ) ~

We h a v e

in s o m e

the

determine

delivers

~2 h a s

Remark I I I . l - ~i

as

computable

to

situation.

interested

situation,

(or

observation)

the

degree

we

~i :

Ci

~ C~

~2 :

C2

~ C2

Cs

C3

use

the

of

level.

abstraction

diagram

below:

Diagram III.1

between

these

58

Furthermore, w e d e n o t e t h e r e l a t i o n b e t w e e n :9~ a n d as :9, )~2 o~ Cs resp. :9~ -----~2 C~ and the and ~z as :gz
a)

case

following

Lemma

following

~G~2 oA,

¢ FG:

In t h i s The

the

:gz -
( ~ Cl ,c~

are called isomorph, iff a function A~ ::9, ~ :92 e x i s t s ,

:91 a n d :gz abstraction

= A, oEG~, . ~

~,

collects

b)

:gz
c)

~

Diagram

and

~

:9~

some

<,x

~ C, : A~ (c~) A,

. A, a • A~

:9~ ~

:9*

i) ii) ^

III.l

~ G ~ G

:9* < ~

suggests

characterized

or o n l y

immediate

by

:91 . T h e n

= A, (c2)

:92 ~ :9~. results:

want

w.r.t.

Definition

Let

= AI (c~))

e FG: e FG: ~

¢==>

:9~

two

~G3z ~At EG~z

_= AI 0~G~, -= A~ o ~ G ~ oA, a .

:92 ~

different

:9* •

functions

to s o l v e

the

question

f o r t h e basic level o p t ( G , c ) = Az oat oKG~, a A 1 a . A 2 ~ (c)

function given by the computation level ) C~ with c o m ( G , c ) = Az 0~G~z oA2a (c).

to a n a l y z e Cs

A, (c~)

Cs :

and secondly, the c o m : F G × Cs We now

we h a v e :

~

= A,°

Firstly, the function optimal o p t : F G × C3 ) C3 with

a)

Cs :9~

III. 1

Let

:91

:92 a n d between

property:

we write lemma

Cs r e s p . relation

( i.e.:

in w h i c h V G

cases

~ FG,

c

:92 is d e t a i l e d e C3 : c o m ( G , c )

enough =

to

simulate

opt(G,c)

).

I I I . 9.

:92 -
and

:92

~-A2 C3.

Then

we

introduce:

RI(:91 ,Ai ,:92 ,A2 ,C3 )=dr {c~C2 13 G e F G ,

C__cC3 : c = AI o~G~, oAt a oA2 a (C__)} ,

RH(:9* ,A* ,:gz ,Az ,C3 )

complete semi-lattice closure

denotes

the

RI(~I ,At ,:92 ,A2 ,C3)

RS(:91 ,A1,:92,A2 ,C3)=df (K h , RH(:91 ,At ,:92 ,A2 ,Cs)), d e f i n e d as f o l l o w s : V c

of

and where

~ h

is

c C2: , if R H ( ~ I ,At ,:92,A2 ,C3) is c l o s e d u n d e r ~ ~2 Ech

b)

=dr

{ I~c~2 IRH(:GI'AI 'CS)otherwise. ':gz 'A2

weakly expressive Cz is called following equation holds for every

for G1 , G2

~, w.r.t. e LFG:

A2 oAi o~G1 ~i gAla oAt o ~ G 2 ~ l o A 1 a oA2 a = Az oAz ~ G ~ 1

C3 ,

if

o~G2~i gAla oAz a .

the

59

c)

~

d)

locally optimal

is c a l l e d V n

~

¢ N:

is

A~ o ~ n ~

Cs.

In t h i s

III.2 trivial

Remark

a)The

following b)The

case,

"l"-case

.

@i,

if w e

have:

. w.r.t.

we w r i t e

~z

%z

in D e f i n i t i o n

and

Cs,

if

~

simulates

~i

¢ g l o b ( ~ i ,C~).

III.2(a)

never

occurs

in

the

considerations.

weakly expressive

term

only

w.r.t

~n~

globally optimal

called

w.r.t.

oA, ~ =

have

to p u t

~

as

is

the

suggested

semantics

by

Hoare Logic

the

induced

by

an

[Co].

We

interpretation

I

sets of states w h i c h are characterized b y first order logic formulas. In t h i s case, we a r e a b l e to d e s c r i b e the expressiveness (of the l o g i c f o r m u l a s ) w.r.t, the p r o g r a m m i n g and

C2

as

language V G That

the

FG

set

and

c FG,

C

means

for

of

the

¢ C2 :

those

interpretation ~G~i gAla (c)

every

program

a strongest postcondition postcondition(G,c)

=

G

[Co]

I

as

= A1a ~A~ 0 ~ G ~ ~ FG

and

exists

A~ o ~ G ~

follows: gAla (C).

precondition

every

( in Cz

c ~ Cz

), here:

oA~ ~ (c) .

~ is locally optimal w.r.t. ~ then ~ ~z is the best upper approximation of ~ ~ in the s e n s e of Cousot/Cousot [CC3].

c)If

Thus

our

considering the d)The but

concept

extends

a third

level

optimality

A first

will

problem

studied

abstraction

( C~

by

Cousot/Cousot

) and

by

by

strengthening

requirements.

global optimality d o e s we

bally

see

optimal

that

property

of

~ glob(~i,

the

C3)

not

this

abstract

Transitivity Theorem Let ~2 ~AI ~2 ~Ai ~s

the

of

semantics

global

~i.

imply

Then

holds

<............ ~..... (B2

for

( Equivalence

optimality

we

local optimality in g e n e r a l ,

the

implication

will

every

Theorem

be

minimal

glo-

).

delivered

by

the

have: c glob(~i,

C3)

^ ~2

¢ glob(~2,

C3))

Proof

"~":

Let

S~

Lemma

I I I . 1 (b) :

c

g l o b ( ~ 1 ,C3)

A2 oA* o ~ G ~ 2 oA* a oAz ~

"~":

Let

~

for

every

c

g l o b ( ~ 1 ,Cs ) G

and

G

E FG.

this

case

we

=-

A2 0 L G ~ z oA2 ~

=

A2 aA* oAt • ~ G ] I 0At a oA, a 0Az ~

-=

A2 oA* o~G~z 0A* a oA2 a

and

~z

E

g l o b ( ~ 2 ,C~) .

get

from

q.e.d. Then

we

have

¢ FG:

A2 .At .At o~G~1 oAt a oAt ~ cA~ a = =

and

In

therefore

~

c

A2 0At o~G~2 oAt a oA~ a Az o ~ G ~ z o A2 a ,

g l o b ( ~ 1 ,C3) .

q.e.d.

60

The local property

optimality ( w.r.t. ~ ) is a v e r y n a t u r a l and e a s y - t o - p r o v e for an a b s t r a c t i n t e r p r e t a t i o n @2 w h i c h is constructed to

simulate ~ . T h u s for the (practical) a p p l i c a t i o n ( in p a r t i c u l a r the a p p l i c a t i o n in s e c t i o n I V ) the f o l l o w i n g c h a r a c t e r i z a t i o n of g l o b a l o p t i m a l i t y is v e r y i m p o r t a n t : Simulation

Let

Theorem

~z be a l o c a l

optimal

~2 is g l o b a l l y C2 The

for the

is w e a k l y

defining

abstract

optimal

expressive

equation

semantics

w.r.t.

~

for

w.r.t.

for the

~

and

w.r.t.

~ . T h e n we have:

C~

¢==>

C~.

global optimality

is too w e a k

for

an

inductive extension, so that we c a n n o t d i r e c t l y p r o v e the Simulation Theorem (by i n d u c t i o n ) . F o r that r e a s o n we i n t r o d u c e a s p e c i a l c l a s s of a b s t r a c t s e m a n t i c s ( the fully abstract models ) to characterize the global proofs

optimality. This by induction.

Definition III. 2 Let ~I , C a n d A f u l f i l

of

~l w . r . t .

~2

-<~

C

and

~i , ~

~

i)

A = A2

ii)

~2 = R S ( ~

iii)

~2 is l o c a l l y

iv)

~ c,,c2 A~ (c~)

We d e n o t e

C~

class

is

restricted

enough

to

allow

easy

~I ---~A C. ~2 is c a l l e d a fully abstract model A, if abstraction functions A, a n d A2 w i t h and the

following

four

properties

exist:

~ A~, ,A~ , ~ ,A~ ,C), optimal

w.r.t.

RS(~

,identity,~

~ RI(~, , i d e n t i t y , ~ , A z oA~ ,C): = A1 (cz) ¢==> ~ G ~ LFG: A2 oA~ 0 ~ G ~

the set of all

those

fully

abstract

,A2 oA~,C),

(c~)

= A~ 0A~ 0KG31 (c~) .

models

as FAM(~I ,A,C).

R e m a r k III. 3 a)Two data flow

informations cI a n d c2 are g e n e r a l l y c a l l e d observably (w.r.t. C) if A(cl ) = A(c2 ). T h e n c o n d i t i o n iv) s t a t e s ~z o p e r a t e s on the largest congruence c o n t a i n e d in this e q u i v a -

equivalent that lence. of

Hence

Milner

~z c h a r a c t e r i z e s

a

fully abstract model

in the

sense

[Mi].

b)A fully abstract model of ~i w.r.t. C and A depends only on RS(%, , i d e n t i t y , ~l ,A2 oat ,C), C and A. This allows us to assume ~i= R S ( ~ , i d e n t i t y , @ 1 ,A2 ~AI ,C) d u r i n g the f o l l o w i n g c o n s i d e r a t i o n s . N o w the d i s t r i b u t i v i t y of all the f u n c t i o n s lity" of the fully abstract models deliver: Lemma Let for

mentioned

and t h e

"minima-

III. 2 ~2 c FAM(~I ,A2 .At ,C3 ) w i t h ~2
AI (cl)

= A1 (c2)

Especially, V GI ,Gz

we have ~ FG:

~

V G

~ FG:

Ai o~G~1 (ci)

as a c o n s e q u e n c e

AI .~G~ ~i o~G2 ~I (cI)

of

= AI ~ G ~ I

AI oAt a pAl

(c2) .

= AI :

= AI oEGI ~i oA~ a oAi oEG2 ~i (Cl) .

holds

61

This

enables

us

to s t a t e

the

E x i s t e n c e and U n i q u e n e s s T h e o r e m Let ~i , C and A fulfil ~t ---~A C. Then ( with = ) a unique fully abstract model i s o m o r p h i s m ..... and A e x i s t s .

the

exception

of

~I

of

w.r.t.

C

Proof To p r o v e the e x i s t e n c e , we only have to c o n s i d e r the l o c a l optimal abstract interpretation induced on the largest congruence b y RS(~I , i d e n t i t y , ~1 ,A2 0Ai ,C) . The u n i q u e n e s s w i l l be derived by using L e m m a I I I . l ( a a n d b), Lemma III.9. a n d R e m a r k . I I I . 2 ( b ) . T h e s e l e m m a t a d e l i v e r the r i g h t h a n d s i d e c o n d i t i o n of L e m m a I I I . l . (c). q.e.d. The next an e a s y

theorem

is a c o n s e q u e n c e

induction

of

Lemma

III.l.

It can be p r o v e d

by

argument.

T h e o r e m III.l L e t ~2 c FAM(~I ,A2 0At ,C3) with ~2 -
Simulation

the a r g u m e n t a t i o n for the the f o l l o w i n g t h e o r e m :

Theorem

con-

T h e o r e m III. 2 Let ~i )A~At C3, ~2 (
this

9~ : A* A

9~ :

result,

C~

,,,

1

II :i~,

we c o n s i d e r

I

'

~

/--

/

~ C~

A~

=af

(~ ~ ,

C~)

~ FAM(~

,A~ 0A, ~A~,C~)

/

C~ Here side

situation:

C~

~

C~

the f o l l o w i n g

C~

Diagram

the i d e a of the a r g u m e n t n e e d e d c o n s i s t s c o n d i t i o n of L e m m a I I I . l ( c ) for ~ and

~ ~ ~ to obtain s e n t e d in [St] ).

the

pre-

After this p r e p a r a t i o n we are a b l e to p r o v e the m a i n t h e o r e m of section. We p r o d u c e this p r o o f in m o r e d e t a i l to g i v e an i n s i g h t s o m e t y p i c a l a r g u m e n t a t i o n s in this c o n t e x t .

this into

~2

¢ glob(~1 , C3)

~I

..........~AOA1

stated

(

a

of d e r i v i n g the l e f t h a n d ~. T h u s we m a y c o n c l u d e is

Equivalence Theorem Let ~2 ~AI ~ and

assertion

IiI. 2

complete

proof

C3 . T h e n we have:

¢==~ FAM(~2,A,C3)

= FAM(~I ,AoAt ,C3)

62

Proof

"~"

follows

To prove with ~ flow

immediately

the converse = (| h , Cz)

graphs

by

applying

Theorem

III.l

twice.

let ~z ~ g ! o b ( ~ ,C3), A = A2 oA, ~ F A M ( ~ z ,A2 oA* ,C3). Then we have

G~ p G2 ~

= =

Az oKGI |2 oEG2 12 oA2 a Az oaf o~G, ~2 oA* a oKGz ~

2)

Az ~Ai 0EG~ ~z oAi a oA* ~A~ oEG~ ~

3)

A~ oA* oA~ o EG~ ~

4)

Az ~A1 oA~ oKG* ~* ~ G ~ requires

get

from G

This

I)

and

equality

yields

I I I . 3 . (b)

"

c_

of

local

is

A~ .A, oA, . Now the Existence

~

(

)

"

)

_~

3)

and

obtain

the

Furthermore

we

oA~ ~ oA* ~ oAz ~ . of

Theorem

~a

w.r.t.

III.2

we

fully abstract model

Uniqueness

we

4).

III.9.(iv):

optimality with

a

and

Therefore

by

Definition

Together )

cases.

oA~ ~ = A* oA~ o ~ G ~

the

).

all

w.r,t.

because

( e F A M ( ~ z ,Az o A , , C s ) and

oA~ ~ oA* ~ oA~ a

in

C~

A* oA* a o K G h

obviously

Remark

of 2)

III.l(b))

~- {

~ ~A* ~ ~Ai ~ oA~ ~

the

¢ FG:

oA~ a

~A~ a 0A, ~ oA* oA~ o ~G~ ~* oA~ a oA* a oA~ a

expressiveness

(glob. o p t . ) (Theo. I I I . l )

_= ( L e m m a

I)

This

~2 -<** ~z arbitrary

FG:

A2 0At oAt o~G1 ~i o ~ G 2 ~ 0A1a oAta 0Az a A2 +A, o~G, ~2 o~G~ ~2 oAf ~ QA2 a

weak

and for

Theorem

~

( notice

obtain

of

~i

delivers

that

w.r.t.

the

assertion

stated, The

q.e.d. Theorem ( which delivers t h e optimality of t h e (sec. IV) ) is c l e a r l y an i m m e d i a t e consequence

Simulation

analysis stage last Our

two

of

frame

three levels of abstract interpretations

the for

illustrate

example

first of

the

theorems.

concept

uniform To

~ Cs

the

the

which

is

classification

meaning

of

concentrated

of

these on

iterative

three

this

delivers

analysis

levels,

we

a

algorithms.

finish

with

an

phenomenon.

Example:

Let

us

have

a look

at

the

following

concretization

of

the

general

situation: -

N

-

~i

-

C3

-

A

This

=

[ nl,

=

(~

n2,

n3

~, , CI)

with:

- CI

=

{ M

-

=

"x:=

=

is

~ni~I { I,

the

3ix,

},

I M

i(3~x),

abstraction

situation

is

s IN },

x+l",

~nz~1

"x:=

2",

~ns~,

=

"x:=

x*3",

},

T

function

suitable

=

for

belonging

studying

the

to

CI

and

question

C3. whether

x is d i v i s i b l e b y 3. In t h i s section we have treated such situations to ria for an abstract semantics ~z to p r o v e w h e t h e r ~z optimal w.r.t. ~, and C3. T h i s m e a n s h e r e , whether

the

value

of

question

of

the

divisibility

of

x by

3.

obtain criteis globally ~ solves the

63 In our

case,

following ~2

=

it is s u f f i c i e n t

choice (E

I12.

C2

=d f

of

C2)

to c o m p u t e

modulo 3 . That

leads

to the

~z : with

Enid2

I0 rood 3.... I

=d~

.

.

.

Ent ~i

.

.

and

"mod 3"

.

/\

It

is

w.r.t.

easy C3

I~ 2 s o d

31 ~

1 mod

to s h o w

that

~z

3~ 11 0 m o d "3

is e v e n

a

fully

abstract

model

of

~I

and A.

Remark III.3 S m a l l c h a n g e s to N, ~, and Cs l e a d to s u b s t a n t i a l a l t e r a t i o n s For example, a l l o w i n g a s t a t e m e n t of the f o r m "i_ff x = 7 then r a i s e s the c o m p l e x i t y of a g l o b a l o p t i m a l a b s t r a c t s e m a n t i c s

to ~2 ° x : = 3" enor-

mously.

IV T h e F i r s t

Analysis

Stage

The data flow analysis of two c o m p o n e n t s :

algorithm

implemented

by

us c o n s i s t s

I) A local d a t a f l o w a n a l y s i s p r o c e s s to a n a l y z e e l e m e n t a r y or basic blocks [He]. This process defines a local s e m a n t i c s (E ~i , C).

as

usual

statements abstract

2) A s c h e d u l e r r e a l i z i n g f a i r n e s s by m e a n s of a w o r k l i s t [Kil, Ki2 or He]. It p r o v i d e s for the i t e r a t i v e g l o b a l i z a t i o n of the local d a t a f l o w p r o c e s s g e n e r a t i n g fair (E ~L , C ) - c o m p u t a t i o n s e q u e n c e s only. T h i s a l g o r i t h m s p e c i f i e s a p r o c e s s for s u c c e s s i v e l y c o n s t r u c t i n g a fair (E 21, C)-computation sequence. Using the Compositionality Theorem (sec. II), we l e a r n that this p r o c e s s a p p r o x i m a t e s the g l o b a l a b s t r a c t semantics ~j b e l o n g i n g to (E ~l, C). To p r o v e the H e r b r a n d o p t i m a l i t y of this p r o c e s s , we o n l y h a v e to s h o w that: - the e n d s e m a n t i c s of steps - ~a is Let

characterizing

~2

is r e a c h e d

in a

finite

number

H e r b r a n d optimal.

therefore:

- T be the H e r b r a n d u n i v e r s e d e t e r m i n e d by the v a r i a b l e s and o p e r a t o r s of the u n d e r l y i n g p r o g r a m m i n g l a n g u a g e , - Part(T)

be the

set of

- Part(T)

=dr { p

I 3 T

all p a r t i t i o n s s T: p

~ Part(T)

over ^

T

ITI

s T, E ~ }.

64

Then

we

have

to

analyze

the

~i :

C~

~ C~

~2 :

C~

~ Cz

~

C,

~ C~

:

C,~ Here:

- Let

~i

Cs

be

the

set

- Let

of

( In

AI :

CI

partition

p

~ Part(T)

p reduces

the

detailed

the

- ~2

be to

is

with

the

any

(data

induced

Ci

states

....... ~ Part(T)

equality

=dr

-

(~ ~z, C2 K ~2

- Let

to

states if

- Let the

{ p

being

A, : C2

relates

by

the "n"

of

=dr

"u"

~

be

~ C2);

......~. P a r t ( T )

be

the

partition the

p

Simulation

in

V n

given

by

Z

to

= p

partition

analogy

Theorem

to

(sec.

III)

we

- ~2

is

optimal

w.r.t.

~z

and

C3 .

p

~n~21 = A I Q ~ n ~ I , A I defined

function

to

of

a set

E Part(T)

are

able

cl

these

a . which

Herbrand

describing

to p r o v e :

and

T r a n s i t i v i t y T h e o r e m (see. III) this ~2 w.r.t. ~I a n d C3. On the other hand, it is p o s s i b l e to s h o w t h a t C2 d e s c e n d i n g chain c o n d i t i o n ( i . e . : f o r e v e r y C~-sequence, with

and

~2 o

Cs

the

optimality

}

exists.

and

globally

c N:

belonging

~i

Combining

the

Partition

of:

partially

~ C2

smallest

a partition formed

I B ~ c CI : Ai (~)

globalization

w.r.t.

c ~:

relates

~ CI.

terms.

optimal

(V i

of

with:

~ (C2

~ E Ci

~

program

is g l o b a l l y

global

lattice

).

which

states

information

- ~2

Together

Herbrand

the

powerset

function,

set flow)

~ Part(T) the

N

any

such

between Cz),

=dr

E ~21:

Applying

case,

viewpoint:

value

[,

IV. 1

semantics

this

Herbrand

all

situation:

Diagram

abstract

interpretation the

following

yields

the

fulfils

the

of

~ two

el÷l)

~

properties

(3 i we

~ ~

V

j

c ~:

cl

=

we

el÷j)

have: ).

get:

Optimality Theorem The implemented algorithm computes exactly the partition of C~, w h i c h is o p t i m a l to d e s c r i b e t h e s e t of Herbrand states related to a given program point. Alternatively: The algorithm determines all value equalities between program terms for every program point valid for every interpretation.

65 R e m a r k IV.I This t h e o r e m d o e s n o t h o l d for the a n a l y s i s a l g o r i t h m s o c c u r r i n g in the l i t e r a t u r e . F o r e x a m p l e m o s t of the computational levels considered there were not even locally optimal w.r.t, the Herbrand

interpretation. As

stated

in

section

If,

our

approach

is q u a l i f i e d

for

the

analysis

of

arbitrary goto programs, but this does not l i m i t its applicability. U s i n g an a d d i t i o n a l p r o c e s s , ( s i m i l a r to our s t a n d a r d p r o c e s s }, we are a b l e to e x t e n d the a n a l y s i s to a n interprocedural level. By this means, source

it is p o s s i b l e to r e a c h the Herbrand optimality even if the p r o g r a m is p r o v i d e d w i t h formal procedure parameters ( to p r o v e

this, it h a s to be a r g u e d b y m e a n s T h e o r e m a g a i n }. The

additional

We

lift

process

the

is b a s e d

functionality

of

the S i m u l a t i o n

on the of o u r

and

following

idea:

standard

process.

Transitivity

That

means,

instead of C, we u s e C =dr { Z ~ Z: C ~ C } as the complete s e m i - l a t t i c e of d a t a f l o w i n f o r m a t i o n s . T o d o this, we h a v e to c h a n g e our semantic function ~ ~ as f o l l o w s : ~ :

N ...... ~ ( C ---~ C

)

with

~ n ~

( Z )

=

~ n ~ 0 Z.

B y this m e a n s , w e a r e a b l e to u s e o u r s t a n d a r d p r o c e s s to approximate the c o m p l e t e state transformation of a p r o c e d u r e . This approximation p r o c e s s is s u p e r p o s e d b y a control iteration d i s t r i b u t i n g the a p p r o x i m a t e state transformations of the d i s t i n c t p r o c e d u r e s .

Remark a)C

IV.2

does

not

fulfil

the

descending

chain

condition.

Nevertheless

we

are able to p r o v e the termination of our interprocedural process, b e c a u s e a g i v e n p r o g r a m G o n l y a l l o w s v e r y s p e c i a l descending chains. Indeed an e f f e c t i v e finite set of terms

construction process exists which delivers T(G), so that Part(T(G)) × Part(T(G))

powerful e n o u g h to e x p r e s s all the e l e m e n t s of o c c u r d u r i n g an i n t e r p r o c e d u r a l a n a l y s i s of G. Thus

our

algorithm

preserves

its

optimality

C even

which in

a is

possibly

the

inter-

procedural c o n t e x t . b)The

c o n c e p t of the superposed control iterations l e a d s to a Herbrand t r e a t m e n t of local variables. T h i s p r o p e r t y d i s t i n g u i s h e s it

optimal

f r o m the p r o c e s s p u b l i s h e d b y B a r t h [Ba], w h e r e it is u n c l e a r h a n d l e l o c a l v a r i a b l e s of r e c u r s i v e p r o c e d u r e s at all. c)Our

process

tation,

allows

we have

first order procedures only.

To r e m o v e

this

how

to

limi-

to u s e

a preprocess which transforms programs with higher order procedures i n t o t h o s e w i t h first order procedures only. S u c h a p r e p r o c e s s e x i s t s w h e n e v e r the g i v e n p r o g r a m G possesses a regular formal call tree [O1] or more specificially, whenever G p o s s e s s e s no global formal procedure parameters [La]. L a n g m a a c k [La] r e s p . O l d e r o g [O1] has s h o w n ( b y u s i n g the t e c h nique of accompanying parameters [La] ) t h a t such programs can e f f e c t i v e l y be t r a n s f o r m e d i n t o e q u i v a l e n t o n e s w i t h o u t a n y procedure

66

nesting. med

into

S u b s e q u e n t l y the r e s u l t i n g p r o g r a m s can be e a s i l y programs w i t h first order procedures only,

transforwhich are

equivalent to the p r o g r a m s Thus

we h a v e s t a r t e d with. to o b t a i n Herbrand optimal

it is p o s s i b l e

whole

class

of

those

programs

which

possess

a

results

for

the

regular formal call

tree.

V.

The

Second

Analysis

Stage

T h e s e c o n d a n a l y s i s s t a g e is a l s o b a s e d o n the g l o b a l i z a t i o n of a l o c a l a b s t r a c t s e m a n t i c s of a g i v e n f l o w g r a p h G, b u t h e r e we use bit vectors r e p r e s e n t i n g the t r u t h v a l u e of s o m e p r e d i c a t e s i n s t e a d of partitions over a s e t of terms. Thus giobaiization means solving a Boolean equation system i n d u c e d b y t h e s e p r e d i c a t e s . The solutions of this equation system d e l i v e r the (optimal) computation points b e l o n g i n g to s p e c i a l systems of value equivalence classes ( these systems represent an abstract value, the computations of w h i c h w e intend to locate optimally

within

the

flow graph

The whole

location process

G

).

abstract value) is o r g a n i z e d

(for o n e

in s i x

steps: l)Insert

a node

potential alence

into

each

computation

e d g e of

points

G

of

{ these

artificial

the d i s t i n c t

systems

nodes

mark

of v a l u e

the

equiv-

classes).

the first analysis stage to d e t e r m i n e for e v e r y n o d e n of G a pre- a n d postpartition to d e s c r i b e the value equivalences between

2)Use

the p r o g r a m

terms

at t h e s e

program

points

of G.

3 ) C o n s t r u c t the value flow graph V F G = (VN,VE). N o d e s e q u i v a l e n c e c l a s s e s of the prea n d postpartitions Edges

e EVE

lence of -

class

G,

fulfilling

preone of

(V,W),

where

V

resp.

W

is a e q u i v a -

postpartition of a n o d e

resp.

the f o l l o w i n g

n

resp.

m

two p r o p e r t i e s :

n = m a n d w h e n e v e r an e l e m e n t v ¢ V has a special value x bef o r e the e x e c u t i o n of n, then every element w c W has the same value x a f t e r the e x e c u t i o n of n ( this r e l a t i o n is a l s o to be determined

-

are t h e p a i r s of the

n E VN are the m e n t i o n e d above.

n

b y the

first analysis stage ).

is a p r e d e c e s s o r

of

m

and

V ~ W.

4)Determine the systems of value equivalence classes which are c h a r a c t e r i z e d as the maximal connected subgraphs (N~E) of V F G w i t h : for all pre- a n d postpartitions V d e t e r m i n e d in s t e p 2: I ~ n { K I K is an e q u i v a l e n c e c l a s s of V } 1 ~ i. Each

system

of

this

kind

Boolean equation system

serves

for a

mentioned

special

initialization

s u c h a system of equivalence classes to i n i t i a l i z e equation system.

5)Choose

6)Solve

the

(already

intialized)

optimal computation points.

of

the

above.

Boolean equation system

the

Boolean

to o b t a i n

the

67

Remark V.1 This a p p r o a c h is b a s e d on the m e t h o d s t a t e d by M o r e l / R e n v o i s e [MR], which is c o n c e i v e d only to treat the o c c u r r e n c e s of a single given term. Our c o n c e p t of the value flow graph leads to an e x t e n s i o n of this m e t h o d w h i c h solves the location problem for a whole class of Herbrand equivalent terms ( i.e. it d e t e r m i n e s the best computation

points

w h i c h are v a l i d for every i n t e r p r e t a t i o n

After having determined

).

optimal computation points

the

in this way,

we

r e c e i v e the optimal computation forms as m i n i m a l r e p r e s e n t a t i v e s of the value e q u i v a l e n c e c l a s s e s b e i n g r e l a t e d to the c o m p u t a t i o n points.

VI. The Optimization Having G

f i n i s h e d the

analysis stage, we are able to o p t i m i z e our p r o g r a m value equivalence classes by the i n s e r t i o n of

for every s y s t e m of

an a u x i l i a r y v a r i a b l e h as follows: we i n i t i a l i z e h at every computation point by means of a computation form b e i n g valid at this point.

Firstly,

- Secondly,

we s u b s t i t u t e

every o c c u r r e n c e of a term b e i n g r e l a t e d

to

the i n s p e c t e d s y s t e m by h. These o p t i m i z a t i o n s i n d u c e d by the v a r i o u s s y s t e m s of value equivalence classes are l a r g e l y i n d e p e n d e n t . This allows us to determine the c o m p u t a t i o n forms and p o i n t s c o m p l e t e l y in parallel. O n l y the program transformations make some d i f f i c u l t i e s b e c a u s e the v a r i o u s systems of value e q u i v a l e n c e c l a s s e s overlap. For that reason, it is a d v a n t a g e o u s to do all the i n i t i l i z a t i o n s in parallel, b e f o r e g o i n g on to s u b s t i t u t e the p r o g r a m terms u s i n g the a u x i l i a r y v a r i a b l e s . these substitutions on the r e s u l t s of an extra

(It is best to base run of the first

analysis

even those o c c u r r i n g

stage

to e l i m i n a t e

all the r e d u n d a n c i e s ,

b e t w e e n the terms we just have inserted.) This procedure transforms a given program form G

w.r.t,

the Herbrand interpretation

G

~ FG

into a m i n i m a l

and the b r a n c h i n g

structure

of G: Every path computations

of G c o n t a i n s a m i n i m a l number of w.r.t, to the b r a n c h i n g s t r u c t u r e

Herbrand

equivalent

of G.

That means that the e x p e n d i t u r e of the c o m p u t a t i o n s of G reducible by c h a n g i n g the b r a n c h i n g s t r u c t u r e or by u t i l i z i n g p r o p e r t i e s of the u n d e r l y i n g i n t e r p r e t a t i o n . Our a p p r o a c h is not q u a l i f i e d program, but it s u p p o r t s the given interpretation.

is only special

to change the b r a n c h i n g s t r u c t u r e of a u t i l i z a t i o n of special p r o p e r t i e s of a

68 VII. Literature

[Ba] [CCl]

Barth, G. "Interprozedurale DatenfluSsysteme", Habilitationsschrift, U n i v e r s i t ~ t K a i s e r s l a u t e r n ~ 1981 C o u s o t , P. a n d C o u s o t , R. '~bstract interpretation: A

unified Lattice Model for static Analysis of Programs by Construction or Approximation of Fixpoints",

[cc2]

[cc3]

[co]

4th POPL, Los A n g e l e s , C a l i f o r n i a ~ 238 - 252, 1977 Cousot, P. a n d C o u s o t , R. '~utomatic Synthesis of Op-

timal Invariant Assertations: Mathematical Foundations", A C M S i g p l a n N o t i c e s 12, 1 - 12, 1977 C o u s o t , P. and C o u s o t , R. "Systematic Design of Program Analysis Frameworks", 6 t h POPL, San A n t o n i o , Texas, 269 -282, Cook, S.

1979 A.

Axiom System for [FKU]

Computing, Fong, A. C.,

of

[Gr]

7 : i, 70 - 90, 1978 Kam, J. B. a n d U l l m a n ,

Lattice Algebra

"Applications

J. D.

to Loop Optimization",

2nd POPL, P a l o Alto, C a l i f o r n i a , 1 - 9, 1975 Greibach, S.A. "Theory of Program Structures: Schemes, Semantics, Verification"~ L N C S 36, Springer-Verlag,

[He]

1975 Hecht,

[KU]

Elsevier, Kam, J.B.

M.

Analysis [Kill

"Soundness and Completeness of an Program Verification", SIAM Journal

1975 Kildall,

"Flow Analysis

S.

of

Computer

Programs",

N o r t h - H o l l a n d , 1977 and Ullman, J.D. "Monotone Frameworks", A c t a I n f o r m a t i c a , 7,

G.

A.

Data 309

"Global Expression Optimization during

Compilation", ty

of

T e c h n i c a l R e p o r t No. 7 2 - 0 6 - 0 2 , Washington, C o m p u t e r S c i e n c e Group,

[Ki2]

Washington, Kildall, G.

[La]

194 - 206, 1973 L a n g m a a c k , H. "On Procedures

[Mi]

A c t a I n f o r m a t i c a 2, 311 - 333, 1973 M i l n e r , R. "Fully Abstract Models of Typed

[MR]

T C S 4, N o r t h H o l l a n d , 1 - 22, Morel, E. and Renvoise, C.

[O1]

[RL]

[st]

UniversiSeattle,

1972 A. "A Unified Approach to Global Program Optimization", ist POPL, Boston, Massachusetts,

Suppression of

[Ni]

Flow - 317,

as Open Subroutines.

I "

~-Calculi",

1977

"Global Partial Redundancies",

Optimization by CACM,

22

: 2,

96 - 103, 1979 Nielson, F. "A Bibliography on Abstract Interpretations", A C M S i g p l a n N o t i c e s 21, 31 - 38, 1 9 8 6 O l d e r o g , E.-R. "Charakterisierung Hoarescher Systeme f~r ALGOL - ~hnliche Programmiersprachen", Dissertation, Christian-Albrechts-Universitat Kiel, 1981 Reif, J.H. a n d Lewis, R. "Symbolic Evaluation and the Global Value Graph" , 4 t h POPL, Los A n g e l e s , California, 238 - 252, 1977 S t e f f e n , B., doctoral dissertation, to a p p e a r , 1987

Transformation ordering F. BELLEGARDE and P. LESCANNE CRIN CENTRE DE RECHERCHE EN INFORMATIQUE DE NANCY BP 239 54506 Vandoeuvre les Nancy CEDEX FRANCE

ABSTRACT We define an ordering called transformation ordering which is useful for proving termination of rewriting systems. A transformation ordering is defined using two relations: a relation which transforms terms and a relation which ensures the well-foundedness of the ordering. A property between these two relations called cooperation is required. Cooperation is similar to confluence and thus may be localized. Therefore, if relations are rewrite relations, it is possible to decide the cooperation by looking at critical pairs. Transformation orderings prove termination of rewriting systems that cannot be proved by the classical methods.

Introduction We describe an ordering called

transformation ordering for proving termination of rewrit-

ing systems. Let ¢ be a transformation, i.e. a mapping of terms onto terms. In order to prove that a rewriting system R terminates one proves that when t l rewrites to t2 , ¢(tl) related to ¢(t2) by a well-founded relation. Other termination proof methods [7] are based on the same idea but the mapping is usually required to be a morphism which is not the case in this paper. Indeed since ¢ is obtained by a rewriting system T many other transformation systems T are

70

allowed usually. The well-founded relation used to prove termination is also a rewriting system S. A similar idea appeared recently in proofs of termination of rewriting modulo equational theories such as associative and commutative theories [1,2,8].

Simple proofs of termination

based on transformation techniques can also be found in [5]. We define transformation orderings in the first section. The transitivity and the wellfoundedness of these orderings come from properties mentioned in [1]. In the second section, we show t h a t the properties t h a t are necessary to have a well-founded ordering may be localized and checked by looking at critical pairs between S and T. We extend the ordering in the fourth section.

Notations We suppose the reader is familiar with the basic features and notations of term rewriting systems [9]. Let 17 be a set of operators symbols and V be a set of variables, T(F,V) is the set of terms with symbols in F and variables in V. The relations on terms _..~-l, or *-- denote the inverse of the relations --~ between two terms. ---~" and --~+ respectively denote respectively the transitive closure and the strict transitive closure of --*. We write

--*Rto--*n2 for the composition of the two relations --*R2 and --~Rt-

We write --*R1C--*R2 if {(x,y)llx--*Rly}C{(x,y)~lx--~RzY} as sets. --~ is

noetherian if and only if there is no infinite sequence of terms tl,t2,..., such t h a t

tl--*t2--~ .... The relation --* is

confluenl if for all terms t, t l and t2 such t h a t t - - * ' t l and

t-+*t2, there exists a term t ' such t h a t tl--**t' and t2--~*t'. In terms of inclusion we have

.--*o---+*C--~*o*---*. If -'*R is noetherian and confluent the normal-form of a t e r m t, written t.[R, exists and is unique. A rewriting system is a set R of rules t h a t are ordered pairs of terms, written 1--~r, such that V(r) C V(1) (V(t) is the set of variables occurring in t). The rewriting relation is written "~R or ~

if there is no ambiguity. We say t h a t the rewriting system R is confluent or noeth-

7] erian when the rewriting relation -'+R is confluent or noetherian. A noetherian ordering which is F-compatible, i.e. s - * t implies f(...s...)-+f(..°t...) for the symbols of F, is called a

reduction

order-

ing. 1. T R A N S F O R M A T I O N

ORDERING

Two relations -'*s and ---~r are considered. -'*s or --*T are not always rewriting relations. This means t h a t when we say --*r is confluent or "-*z is noetherian, we state properties on abstract relations.

Definition 1 [1] = > s , r is the relation

-*~o--*so(--*sU--~r)'O~-- ~, t

Two terms u and v are related by = > s , r if there exists u' such t h a t u --+r u' and v ' such t h a t v --+T v ' which are related by any sequence of --*s and --*T containing at least one --*s-

Definition 2 a:7"s,r is the relation

~---~o---~so(--*sU--~T)*.

As we have seen the confluence of " ~ r is the property ~---~,o--*T C_.--~T0~--T, We now define the

cooperation

of " ~ s with "-+T which is a kind of confluence.

Definition 3 "-+s c o o p e r a t e s w i t h -'~T if and only if ~ s , r

F i g u r e 1:--~ S c o o p e r a t e s w i t h --~T

C

=>s,r

(Fig. I).

72

Basically --*r is noetherian and confluent and -'*s cooperates with T then two terms u and v are related by = > s , r

if their transformations by T, namely U i r and vJ. r are related by

any sequence of -'~s and --~r containing at least one --*s-

Definition 4 >S,T is the relation = > s , r tO --~7~.

Lemma 1 If - * s O - - ~ r is noetherian, "-*r is confluent and "-*s cooperates with --*T then > s , r is a partial ordering on terms. Proof: •

- * s and "-*T are noetherian, thus they are irreflexive. Then --*~ is irreflexive and =>S,T

is irreflexive. Thus >S,T is irrefiexive.

• >S,T is transitive. Recall t h a t a relation --~ is transitive if and only if ~ o - + C_ ---~. We get the result by the confluence of " * r , by the hypothesis of cooperation and by definition of

>S,T" Lemma 2 If -~.gU-"~T is noetherian, --+r is confluent and " * s cooperates with " * T , then >S,T is a w e l l - f o u n d e d partial ordering. Proof: --*~ is noetherian since "-*sU--'*r is noetherian.

Therefore, if an infinite sequence t l > s , r

t2 >S,T ... exists, then an infinite sequence =~>s, T O = ~ s , T O = ~ s , T 0 .,, which is, by definition, an infinite sequence "'+TO"'*sO("'*S[.J""~T) O+'-TO ... exists. Thus we use the confluence of - ' * r and the cooperation of ---~s' with --~T and show (Fig. 3) t h a t an infinite sequence of rewriting with

--*To---*sO('-*sU"+T) 0---~r exists which is a contradiction with the well-foundedness of ---~ s U---~ T .

73

.Figure 3. --'~T 0 -"~S 0 -"~SUT 0 ~-'T 0 "'~T 0 "'+S 0 -"~SUT 0 + ' T 0 "--~T 0 -'+S 0 -'~SuT""

UT

UT"

Lemma 3 If --~r and -'*s are F-compatible and stable by substitutions then >S,T is F-compatible and stable by substitutions. Theorem I If "-'*s cooperates with -'*T, "~SU--*T is noetherian and --*r is confluent then > s , r is a well-founded ordering and moreover when -'~s and " ~ r are F-compatible and stable by substitution, > s , r is F-compatible and stable by substitution. Since rewriting relations on T(F,V) are F-compatible and stable by substitutions, we may state the following result: Corollary 1 Let S and T be two rewriting systems. Suppose S cooperates with T~ SUT is noetherian and T is confluent then >S.T is a reduction ordering stable by substitution. F a c t : With the condition of Theorem 1, a rewriting system that satisfies l>s, T r for all rules 1--~r is noetherian. Example 1 The following example comes from [4,5]. a: (x*y)*z --* x*(y*z)

b: f(~)*f(y)-~ f(~*y) c: f(x)*(f(y)*z) --+ f(x*y)*z. a, b and c are the rules of a rewriting system R. Proving that R is noetherian is not easy since the classical methods namely simplification orderings [7] such as recursive path ordering (RPO) or recursive decomposition ordering (RDO) methods fails. We choose T to be

74 rl: f(x)*y --* f(x*y) r2: x*f(y) --+ f(x*y) a: (x*y)*z --* x*(y*z) in order to push up f and put down *. We choose S to be f(f(x))--~ f(x). T U S is noetherian. S and T satisfy the condition of the forthcoming Theorem 3, we will see that this implies S and T cooperate. Thus we m a y use

>S,T

to prove the termination of R.

W e have l >S,T r for all rules of R: proof

• (x*y)*z ---~fix*(y*z) (by a E T) (x*y)*z >s,~" x*(y*z) (by definition) • f(x)*f(y)JcT=f(f(x*y)) and f(f(x*y))-*s f(x*y). Thus f(x)*f(y) =>S,T f(x*y) (by definition) and f(x)*f(y) >s,r f(x*y) (by definition) • f(x)*(f(y)*z)J.T=f(f(x*(y*z))), f(x*y)*z.[ T=f(x*(y*z)) and f(f(x*(y*z))) -'~s f(x*(y*z)). Thus f(x)*(f(y)*z) =>s,T f(x*y)*z (by definition) and f(x)*(f(y)*z) >S,T f(x*y)*z (by definition) 2. L O C A L I Z A T I O N OF T H E C O O P E R A T I O N Thus if we have two rewriting systems S and T such that S cooperates with T, T is confluent and SDT is noetherian and 1 >s,T r for all rules 1 -+ r of R, then R is noetherian. The confluence of T may be tested using the Knuth-Bendix procedure. The termination of S U T may be tested using other well-founded orderings [7]. Only the cooperation of S with T has to be checked with appropriate methods, for instance using the solution proposed in this section.

75

Like confluence, cooperation may be localized, and we are going to prove a Newman-like theorem for cooperation.

Definitioon 5 " * s l o c a l l y c o o p e r a t e s w i t h -'+T if and only if +-To---~s C =>s,T (Fig. 4). F i g u r e 4: S l o c a l l y c o o p e r a t e s w i t h T

,~

Theorem 2

~

L ~

"~

..........

~ kS"~ ¢~

If "-*sU"~T is noetherian and --*T is confluent then the local cooperation implies the cooperation of -'*s with --*TProof: We use a noetherian induction on "-*SU'*T. Let us have y ~:Ts,T z thus y ~ - ~ x -'*s s (--~sU--~T)* z, we have to show t h a t y =>S,T z* If in = 0, we have y = x --*s s (--+sU'-*T)" z thins y ---->S,T z. o If m > 0 , we have y l such t h a t y +_~-1 y l +-T x. F r o m the local cooperation, we get y l

=>S,T s. Thus we have x l and sl such t h a t y l --*T x l , s --+~ sl and xt --*sO(-.+sU--*T) sl. a

F r o m the confluence of -'+T, there is an y2 such t h a t y "--~T y2 and x l "-+T y2. We notice t h a t (-~5U-~T)" = -~;U-~;O-~sO(-~sU-~)',

and thus we find two subcases. a

(1)

Suppose s (-+sU--*r)* z means s--+Tz. With the confluence of --*T, there is a zl such t h a t sl--+TZl

and

Z--+TZl.

Thus

we

xl--*so(--*sU--+T) O--+TZl

get

X1--+so(--+sU-+T) z l (by "-*T -- (-'~sU-'*T)

and

thus

and transitivity of (--+sU--+T))- Now we

have y2mrs, TZl. So by noetherian induction y 2 = > s , TZl and therefore, by transitivity of --*T, we conclude t h a t y = > s , Tz (Fig. 5). (2)

If

("-+sU--*T)*

= "-*ro-'*sO("*sU-'*T)*,

t

thus

s--+ T z0 --*sO(-+sU-*T)'z

and

the

confluence of --*T provides a zi such t h a t st - * r zl and z0 - * r zl. Now by noetherian

76 induction, we get zl =>S,T z. Moreover by noetherian induction, we get y2 - - > s , r zl. i

Therefore by transitivity of -+s,r, we get y2 =:>S,T z and by transitivity of "*r, we conclude that y =>s,r z (Fig. 5). .Figure 5.

%z

. . . . .

:::-

:~,

b4.

If S and T are rewriting systems, by looking at critical pairs between S and T it is possible to decide that S locally cooperates with T.

Definition 6 A critical pair p4--ro--* s q between a rule of S and a rule of T is cooperative if and only if p = > s , r q.

Definition 7 A rewriting system is variable preserving if and only if all rules are variable preserving i.e., variables that occur on the lef~hand side 1 do not disappear on the right-hand side r and thus V(1)=V(r).

Definition 8 A rewriting system is left-linear if and only if all rules are left-linear i.e. , variables occur only once on the left-hand side.

Theorem 3 Suppose T is a left-linear rewriting system and a variable preserving rewiting system. A rewriting system S cooperates locally with T if and only if all the critical pairs between S and T

77

are cooperative. The proof looks like the proof of the similar theorem on confluent critical pairs.

3. E X T E N D E D

TRANSFORMATION

ORDERING

Results of Section 1 are useful in many cases like Example 1 and relations T and S can be easily found. In this section we w a n t to go again further and to show t h a t T can be extended by using any ordering t h a t contains S and T. This way, we expect to prove termination of more rewriting systems The problem with T usually arises when both sides of a rewrite rule are transformed by T into the same term. We now use a well-founded ordering > > such t h a t - * s -----> > and - ' * r _C > > to define a relation between terms, written >>

-'+Err(T)" This relation extends -"*r in the sense t h a t - * E r r ( r ) C

and -'*EXr(T} C =T, The last condition is necessary to ensure the confluence of

- ' * r is confluent and the cooperation of

-'~EXT(T) if

"~EXT(T) with -"~s if -"~r cooperates with " * s . There-

fore, we define "*ZXT{r) as = T N >:>.

Definition 9 Let "~T be a confluent and noetherian and let >:> be. a well-founded ordering on terms t h a t contains ---*sU---~r. S--*EXT(T)t if and only if s~ r = t~T and s > > t .

Proposition 1 Suppose -'~s cooperates with a confluent and noetherian relation " * r , > > founded ordering on terms t h a t contains --~sU--~r then

is a well-

-"~EXT(T) i8 confluent, ---~sU---~xr(r) is

noetherian, -'*z cooperates with --*Exr(r). Fact-. Therefore

~S,EXT(T) c a n be used to prove termination.

L~mma ~: Suppose t h a t

-"t'TI~--'~T2 and --',sIC_---+s2 then = > s , r l ----- = > s , r2 and > s , r l C >s, r2,

=>SI,T C -- = > s 2 , r and >Sl,T C -- >S2,T, =>sl,rlC_=>s2,r~ and >S1,TIC_ >S2,TS.

78

Lemma 5: --*r -- --*ZXr(T) F a c t : >S,T C_ >S,EXT(T) (direct consequence of Lemma 4 and 5). Proof of Proposition 1: • --+SU--~E)CT(T) is noetherian: obvious since "-~s _C :>> (by hypothesis) and -'~EXT(T) C_ > > by definition.

• -+EX:P(T)is confluent: If t--+EXT(T)tl and t --+EXT(T)t2, by definition, we have t l S r = t$:r = t2,tT = t'. Since "*T a

"+EXT(~) by Lemma 5, we get t l "*EXT(T) t' and t2 --+EXT(T) t' thus --*EXT(T) is locally confluent. Since --*EXT(T) C ~

by definition, --+EXT(T)is noetherian. Now -'*EX~'(T) is locally

confluent and noetherian. Therefore it is confluent. • "-'~s cooperates with --+EXT(T)" Since "-*E):T(:") is confluent and "~SU--+EXT(r) is noetherian, "*s cooperates with -'*/~XT(I") if it locally cooperates with --+EXT(T) (by Theorem 2). Suppose t h a t tl+--EXT(T)t--+St2. Since tl,[T=tJ, r (by definition of --~EXT(T)) and t~T-----~s, Tt2 (by cooperation of --~s with "+w), we get

tl--*To=)s, Tt2. Then t l = ~ s , Tt2 (by definition) and tl=:>s,ExT(~)t2 (by Lemma 4 and 5).

Example 2 [10] The termination of the rewriting system R rl: f(s(x)) --+ f(p(s(x))) ~2: p(s(o)) ~

o

r3: p(s(s(x))) --~ s(p(s(x))) is not provable by simplification orderings since f(s(x)) is embedded in f(s(p(x))). But with the transformation rule T': p(8(x)) - * x

79

we get a rule S': f(s(x)) --* f(x) T' is confluent, regular and left-linear. S~UT' is noetherian. S' cooperates with T' (there is no critical pair). For the rules r2 and r3, we get l ~

-- rSz~. So let us take a recursive path ord-

ering based on the precedence p > s to extend T'. Then p(s(0) >S.EXT(r') 0 and R terminates.

4. C o n c l u s i o n The transformation orderings allow us to prove termination of rewrite systems where methods based on simplification orderings fail. We are currently looking way to implement it in REVE and to a d a p t it to the proofs of other systems. Reference8 i. L. Bachmair and N. Dershowitz, "Commutation, Transformation, and Termination," in Proc. 8th Conf. on Automated Deduction , Lecture Notes in Computer Science, vol. 230, Springer Verlag, Oxford (England), 1986. 2. L. Bachmair and D. Plaisted, "Associative P a t h Orderings," in Proc. i8t Conference on .Rewriting Techniques and Applications, Lecture Notes in Computer Science, vol. 202, pp. 241254, Springer Verlag, Dijon (France), 1985.

3. J. Backus, "Can Programming Be Liberated From the Von Neumann Style? A Functional Style And Its Algebra of Programs," Comm. o f A C M , vol. 21, no. 8~ pp. 613-641, 1978. 4. F. Bellegarde, "Utilisation des Syst~mes de R~gcriture d'Expressions Fonctionnelles comme outils de Transformation de Programmes Itgratifs," Th~se de doctorat d ~ t a t , Universit~ de Nancy I, Dept. Math~matiques Appliqu~es, 1985. 5. F. Bellegarde, "Rewriting Systems on FP Expressions to reduce the number of Sequences Yielded." Science of Computer Programming, vol. 6. pp. 11-34, North-Holland, 1986.

8O 6. F. Bellegarde and P. Lescanne, "Termination Proofs Based On Transformation Techniques," Submitted To Information and Control, 1986. 7. N. Dershowitz, "Termination," in Proc. lrst Conf. Rewriting Techniques and Applications , Lecture Notes in Computer Science, Vol. 202, pp. 180-224, Springer Verlag, Dijon (France), May 1985. 7. I. Gnaedig and P. Leseanne, "Proving Termination of Associative Commutative Rewriting Systems by Rewriting,"

Proceeding8 8th International Conference on Automated Deduction ,

Oxford (England), 27-31 July 1986. 9. G. Huet and D. Oppen, "Equations and Rewrite Rules: A Survey," in Formal Languages: Perspectives And Open Problems, ed. Book R., Academic Press, 1980.

10. S. Kamin and J.J. Levy, "Attempts for Generalizing the Recursive Path Ordering," Inria, Rocquencourt, 1982, University of Illinois Report.

ON PARAMETRIC ALGEBRAIC SPECIFICATIONS WITH CLEAN ERROR HANDLING

martin gogolla I n f o r m a t i k B, TU Braunschweig P o s t f a c h 3329,

D-3300 Braunschweig

ABSTRACT Usual a l g e b r a i c s p e c i f i c a t i o n partially

ordered s o r t s .

s u p e r s o r t s as w e l l tures

(e.g.

t e c h n i q u e s can be e x t e n d e d t o t r e a t

This a l l o w s t h e i n t r o d u c t i o n of

as o v e r l o a d e d o p e r a t o r s ,

existence

of

initial

a l g e b r a s and

a l g e b r a i c and o p e r a t i o n a l s e m a n t i c s ) o f tion

method

handling is

are preserved. studied.

On t h i s

proach tric

1.

equivalence

of

the equational specifica-

basis error

and

exception

a l g e b r a s which a r e o k / e r r o r -

and o k / e r r o r - c o m p l e t e ) a r e

considered.

a l l o w s t o p r o v e an e x t e n s i o n lemma f o r

specifications

fea-

For each s o r t an ok and an e r r o r s u b s o r t i s

i n t r o d u c e d and c l e a n a l g e b r a s ( i . e . consistent

sub- and

while pleasant

T h i s new

ap-

p e r s i s t e n t parame-

which p e r m i t e r r o r h a n d l i n g .

INTRODUCTION

During

the

promising

last

method f o r

programming approaches

tics

and p h i l o s o p h i e s f o r

final

[ 8 8 M 76,

opment

of

[EFH 8 3 ] ,

Partially treated etc.].

the specification

Among them a r e i n i t i a l [Wa 79, WPPDB 83, Ga 83] ST 8 5 ] .

specification

proved t o

be

There a r e

many such

[ADJ 76, ADJ 81, EKMP 82, and o b s e r v a t i o n a l seman-

Research i n t h e f i e l d languages l i k e

a

a b s t r a c t data types in

the a l g e b r a i c semantics of

led to the

OBJ [FGJM 8 5 ] ,

develACT

ONE

ASL [SW 83] and many o t h e r s .

ordered

sorts first

introduced in

i n a s e r i e s o f p a p e r s EGo 83, They a r e t h e b a s i s f o r

handling,

of

languages and s o f t w a r e e n g i n e e r i n g .

specifications. K1 84]~

years a l g e b r a i c s p e c i f i c a t i o n s

a t o p i c which i s

Po 84,

[Go 78] 8M

84,

have G~M

been 85,

our approach t o e r r o r and e x c e p t i o n

studied extensively in the literature

82 [ADJ 76, etc.].

Go 77, The

clean

Go 78,

BGP 82,

GDLE 82, Bi 84~ Po 84, BBC 8b,

fundamental new n o t i o n s i n t r o d u c e d h e r e a r e t h a t

a l g e b r a s and c l e a n s p e c i f i c a t i o n s ,

ok/error-consistency allows

and

where c l e a n r e f e r s

ok/error-completeness.

t h e use o f pure e r r o r v a r i a b l e s ,

before.

In

the

specifications

literature

o n l y [Po

This

approach possible

84]

considers

i m p o r t a n t because s p e c i a l problems a r i s e h e r e .

to

the

exception

extension

lemma

By t h i s

[Eh 81] and use i t

approach, guaranteeing the w e l l

parametric

which i s q u i t e

[Po 84] works w i t h

whereas we c a r r y o v e r p e r s i s t e n c y

h a n d l i n g case.

of

to

which was n o t

in connection with e r r o r handling,

non p e r s i s t e n t s p e c i f i c a t i o n s ,

of

we can a p p l y

for

definedness of

our

the

clean

R-

algebra

the a p p l i c a t i o n of

parametric specifications.

The paper i s o r g a n i z e d as f o l l o w s . i d e a s by means o f tal

definitions

fications.

some examples.

Chapter 2 i n t r o d u c e s t h e b a s i c Chapter 3 r e v i e w s t h e fundamen-

and f a c t s c o n c e r n i n g s u b s o r t s i n a l g e b r a i c s p e c i -

Chapter

4 t r e a t s c l e a n a l g e b r a s and c l e a n s p e c i f i c a -

tions.

Chapter

5

d i s c u s s e s p a r a m e t r i z a t i o n and

lemma.

Chapter

6

g i v e s some s h o r t c o n c l u d i n g remarks.

space l i m i t a t i o n s

2.

all

our

extension Due

to

p r o o f s are omitted.

THE BASIC IDEA

Our

main new c o n c e p t f o r

a clean algebra. for

the

ok

e r r o r and e x c e p t i o n h a n d l i n g i s

T h i s means t h a t our a l g e b r a s have two

and e r r o r p a r t o f each s o r t and

ok/error-consistent

(there

the

error).

The approach i s e x p l a i n e d b e s t by an example. Here i s our of

t h e n a t u r a l numbers.

s o r t s Nat opns

0 : - > Nat-Ok Succ: Error

Nat-Ok - > Nat-Ok : ->

Nat-Error

ok

and

and

spe~ N a t u r a l N u m b e r s W i t h E r r o r H a n d l i n g =

either

ok

are

error)

specification

( e v e r y element i s

subsorts

carriers

i s no element which i s b o t h

ok/error-complete

t h a t of

or

83

Succ,

Pred

:

Nat - > Nat

Plus,

Times :

Nat N a t - > Nat

vats

n : N a t n+,m+:Nat-Ok n - : N a t - E r r o r

e~

Succ ( n - ) Pred(O)

= n= Error

Pred (Succ ( n + ) ) Pred
= n+

= n-

Plus(O,n+)

= n+

Plus(Succ(n+),m+) = Succ(Plus(n+,m+)) Plus(n-,n)

= Plus(n,n-)

= n-

Times(O,n+) = 0 Times(Succ(n+),m+) = Plus(Times(n+,m+),m+) Times(n-,n) = Times(n,n-) = n-

The

semantics of

riers

for

Nat-Ok t h e n a t u r a l

tinguished

error

specification implicitly Succ

constant.

numbers and f o r

be m e n t i o n e d .

declared twice Succ y i e l d s

in

the signature.

second o c c u r r e n c e i n d i c a t e s

all

Nat v a l u e s , (3)

the three

but

sorts

into

in

kinds of

recovery. (line

functions

(line

4-5 of

Succ(n-)

=

assures error

The

of

(5)

I-3

of

opns bod~ s o r t s o pns

variables

is

-> Entry-Error

Tree :

has

(2)

function

The

The f i r s t

occurrence such

one.

Entry-Ok ->

Tree-Ok

to the

corresponding to

(4)

important to

It

is

= O, o t h e r w i s e t h i s

(6)

and

axiom

for

derived

variable

the function

essential

use

can be c l a s s i -

The e r r o r

propagation for

Entry

Leaf

the

variables

as t h e n e x t e x a m p l e shows.

NoEntry :

in Nat

the opns-part)

~e~ec P a r a m e t r i c B i n a r y T r e e s = parm s o r t s

dis-

The s o r t

The f u n c t i o n s

t h e o~pD_s-part).

pure error

specifications,

one

Succ may a l s o be a p p l i e d

t h e axiom Times(O,n+)

constructors

n-

that

and s u b s o r t s a r e u s e d .

c a u s e an e r r o r

use

(I)

car-

makes no s t a t e m e n t a b o u t t h e n a t u r e o f

Three d i f f e r e n t

an ok v a r i a b l e

fied

Nat-Error

an ok v a l u e when a p p l i e d t o

The

would

an a l g e b r a h a v i n g as

T h e r e a r e some p e c u l i a r i t i e s

above w o r t h t o

that

result.

is

t h e s u b s o r t s N a t - O k and N a t - E r r o r .

is

assures

the specification

in

Suet.

parametric

84 Node :

Tree-Ok Tree-Ok - > Tree-Ok

NoTree : - > T r e e - E r r o r Leaf : E n t r y -> Tree Node : T r e e T r e e - > T r e e GetEntry :

Tree -> Entry

GetRight, GetLeft :

Tree -> Tree

vare

e+:Entry-Ok e-:Entry-Error

e_~ns

Leaf(e-)

t:Tree

tl+,t2+:Tree-Ok

= NoTree

N o d e ( N o T r e e , t > = N o d e ( t , N o T r e e ) = NoTree G e t E n t r y ( L e a f ( e + ) ) = e+ G e t E n t r y ( N o d e ( t l + , t 2 + > ) = NoEntry G e t E n t r y ( N o T r e e ) = NoEntry GetRight(Leaf(e+)) = GetLeft(Leaf(e+)) GetRight(Node(tl+,t2+))

= NoTree

= GetLeft(Node(t2+,tl+))

= t2+

G e t R i g h t ( N o T r e e ) = G e t L e f t ( N o T r e e ) = NoTree end spec The

specification

leaves sists

when it in

function t h e use o f If

is

builds

binary trees with given entries

applied.

the resulting GetEntry is the error

The g i v e n p a r a m e t e r s o r t

specification,

well

defined.

variable

e-

struction

the

T h i s can o n l y be a c h i e v e d by

in

would n o t be p e r s i s t e n t

per-

because

t h e axiom L e a f ( e - )

one would s p e c i f y o n l y L e a f ( N o E n t r y ) = N o T r e e ,

more e x c e p t i o n s t h a n t h e s i n g l e of

especially

the

at

Entry

for

error

=

NoTree.

then the con-

parameter algebras NoEntry.

Again,

having

lines

i-3

t h e 9 ~ D ~ - p a r t can be c o n s i d e r e d as t h e s i g n a t u r e s p e c i f i c a t i o n

for

t h e c o n s t r u c t o r s and l i n e s

ideas

4-7 f o r

the derived functions.

s k e t c h e d above a r e now made p r e c i s e i n

the (ollowing

The

chap-

ters.

3.

REVIEW OF ALGEBRAIC SPECIFICATIONS WITH SUBSORTS

The facts

following

remarks

r e v i e w the fundamental

and o u r n o t a t i o n c o n c e r n i n g a l g e b r a i c

subsorts.

Readers

etc.]

find

will

~amilar with

[Go 78,

many common d e t a i l s .

definitions

and

speci÷ications

Go 83,

Po 84,

and

SM 84,

85 3.1De÷inition A

signature

partial

(S,~,E)

c o n s i s t s of

(1) a s e t S of

sorts,

(2)

a

o r d e r ~ on S and (3) a f a m i l y Z=w~S* ssS of Bets of

function ~:v->r.

(Signature~ Algebra~ Morphism)

symbols Name(E)

such

that

(4) ~:w->s,

v~w

and

r~s

implies

= {~w'sl~eEw~s} denotes t h e f u n c t i o n names and

Symb(Z) = {~Id~Zw, s} the f u n c t i o n symbols of Z. A E - a l g e b r a (A,F) c o n s i s t s of that

(1) a f a m i l y A=s~S of s e t s such

(2) s~r i m p l i e s Asia r and (3) a f a m i l y F-< _ ~A w , s>~W'SsName(Z)

of f u n c t i o n s w i t h ~ ' S : A w - > As such that~

(4) i f

~:w->s,

~:v->r

and a~AwnAv, then ~ ' s ( a ) --~A v'r(a) A

Z-morphism

s~S

of

f:A->B

mappings such t h a t

a~Aw and (2) a~AsnAt

3.2 D e f i n i t i o n The

E-term

seS

of

s1...sn->s

between

E - a l g e b r a s A and B (i)

algebra

and

(I)

least

family

the for

d

:

functions ~:->s

and

f o r ~ : s l . . . s n - > s and t i E T s i .

of the term a l g e b r a )

E-term a l g e b r a TZ i s i n i t i a l

i n t h e c a t e g o r y ALGZ of a l l

E-

Z-morphisms between them.

(Congruence, Q u o t i e n t ) s on a E - a l g e b r a A i s a f a m i l y <~s>seS of

t i o n s ~s on As such t h a t implies

for

d : - > s i m p l i e s ~ T s and (2)

are determined by (3) ~ , s : = ~

(Initiality

Z-congruence

the

t i ~ T s i i m p l i e s d ( t l . . . t n ) ~ T s and

algebras with a l l

A

fs(~'S(a))=~'S(fw(a))

(Tz,F Z) has as c a r r i e r s

sets s a t i s f y i n g

3.4 D e f i n i t i o n

family

implies fs(a)=ft(a).

(4) ~ ? 1 " ' ' s n ' s ( t l . . . t n ) : = ~ ( t l . o . t n )

The

a

(Term a l g e b r a )

K~'S>dw,SEName(Z)

3.3 Fact

is

rela-

(1) ~s = [~EQ n AsXAs ] and (2) ai ~EQ bi

~ l"''sn's(al"''an)

~EQ ~ i ' ' ' u n ' r ( b l " ' ' b n )

for alibi

E

AsinAui ,

d : s l . . . s n - > s and d : u 1 . . . u n - > r , where ~EQ i s the e q u i v a u lence on sasAs generated by ~.

The q u o t i e nt A/~ of a E - a l g e b r a A by a E-congruence ~ has (1) the c a r r i e r s A/E s = { [ a ] l a e A s } ~ the

where [ a ] = { b ~ U-A la~-~b}

f u n c t i o n s <~}~>~w,S~Name(Z)

[~l'''sn's(bl...bn)],

and

(2)

sl"''sn,s([al]...Zan]):= w i t h ~A/~

where [ a i ] ~ A / ~ s i ~ [ a i ] = [ b i ]

and b i ~ A s i .

86 3.5 D e f i n i t i o n

(Equation~ S a t i s f a c t i o n ,

A

L=R i s a p a i r o f

~zeguation

signature Z Z-algebra cide.

Z(V)-terms,

having a d d i t i o n a l l y

A satisfies

A specification

L=R~ (Z,E)

Specification)

if

where

Z(V)

is

the

t h e v a r i a b l e s V as c o n s t a n t s . all

e v a l u a t i o n s o f L and R

A

coin-

c o n s i s t s o f a s i g n a t u r e Z and a s e t E

of E - e q u a t i o n s .

3 . 6 Fact A

(Induced Congruence)

s e t of E - e q u a t i o n s E i n d u c e s u n i q u e l y a s e t o f c o n s t a n t

tions

E(Tz) ,

which

a g a i n i n d u c e s a l e a s t congruence ~E

equaon

TZ

c o n t a i n i n g E(Tz)°

3 . 7 Fact

(Initiality

of

t h e q u o t i e n t term a l g e b r a )

The q u o t i e n t term a l g e b r a TZ/E E i s of a l l

(Z,E)-algebras satisfying

3 . 8 Example ( B i t s t r i n g s The

h a v i n g as s u b s o r t s

and s i n g l e b i t s

i n t h e c a t e g o r y ALGz, E

t h e e q u a t i o n s E.

handling)

error

following lines define bitstrings

String*)

~

avoiding

initial

of

arbitrary

non empty b i t s t r i n g s

length

(sort

( s o r t S t r i n g +)

(sort Bit).

B i t S t r i n g s A v o i d i n g E r r o r H a n d l i n g= sorts Bit

< String+ < String*

opns

: -> B i t

0,1

: -> S t r i n g

.

.l.

: S t r i n g * S t r i n g * -> S t r i n g *

.I.

: Bit

.l.

: String* Bit

First,

S t r i n g * -> S t r i n g + -> S t r i n g +

L a s t : S t r i n g + -> B i t

vats

b:Bit

e~ns

s l l ( s 2 1 s 3 ) = ( s l l s 2 ) Is3

e,sl~s2,s3:String*

sl~ = his = s First(bls)

= Last(slb)

= b

end spec Please

note

t h a t the s p e c i f i c a t i o n

s o r t s and v a t s has n o t r e a l l y determines

p a r t between t h e

t o be a s i g n a t u r e ,

but i t

a s i g n a t u r e i n t h e sense o f our d e f i n i t i o n .

more t h e f u n c t i o n s F i r s t

key

and L a s t r e t u r n i n g t h e f i r s t

words

uniquely Further-

respective-

87 ly

last

cally

bit

are well

defined,

because a l l

a l l o w e d by t h e s i g n a t u r e e i t h e r

applications syntacti-

yield

0 or

1.

3 . 9 Remark ( D e c l a r a t i o n s ) One can a l s o use so c a l l e d d e c l a r a t i o n s i n s p e c i f i c a t i o n s Go

83].

A d e c l a r a t i o n c o n s i s t s of

that

the

term w i l l

sort

(e.g.

a term and a

sort,

a l w a y s e v a l u a t e t o an element o f

i * i : N o n N e g a t i v e ~ where i

is

a v a r i a b l e of

[Go 787 assuring

the sort

given int).

4. CLEAN SPECIFICATIONS

4.1 D e f i n i t i o n A

signature

(Clean, o k / e r r o r - c o n s i s t e n t , (S,~,Z)

S-OKuS-ERROR,

is called

ok/error-complete)

(ok/error-)clean,

S-OK={s-OklsES-MAIN},

if

S=S-MAINu

S-ERROR={s-Error~sES-MAIN}

and ~ = { s ~ s l s s S } u { s - O k ~ s , s - E r r o r ~ s l s s S - M A I N } . A Z - a l g e b r a A w i t h Z a

clean s i g n a t u r e i s c a l l e d

As_Error and (3) A

= 0,

A is

specification is

ok~error-consistent,

(2~ o k / e r r o r - c o m p l e t e ,

clean, if

algebra

(I)

A

eeE(T~) i m p l i e s e i t h e r s u i t a b l e s o r t s.

As_Ok n

As_ok u As_Error

=

As,

o k / e r r o r - c o n s i s t e n t and o k / e r r o r - c o m p l e t e .

(Z,E)

clean.

if

if

is

called clean,

if

the

s e t E of e q u a t i o n s i s

initial

called

(E,E)-

clean,

eeTs_okXTs_Ok o r eeTs_ErrorXTs_Error

ALGz,E,CLEA N d e n o t e s t h e c a t e g o r y o f

(Z,E)-algebras with all

all

if

for

a

clean

morphisms between them.

4 . 2 C h a r a c t e r i s a t i o n ( S p e c i f i c a t i o n s w i t h c l e a n term a l g e b r a s ) Given the

a specification specification

(Z,E)

(~,E)

is

w i t h a c l e a n term a l g e b r a clean,

if

and o n l y i f

TE,

then

the set E

of

equations is clean.

4 . 3 C h a r a c t e r i s a t i o n (Clean s p e c i f i c a t i o n s ) A specification (I)

T~, E i s

(2)

there is

(E,E)

is clean, if

and o n l y i f

o k / e r r o r - c o n s i s t e n t and a subspecification

(a) ZG c o n t a i n i n g a l l ok o r e r r o r

result

(b) EG c o n t a i n i n g a l l

(ZG,EG)~(Z~E)

s o r t s and s u b s o r t s and s o r t s and c l e a n e q u a t i o n s o f E and

with all

operations with

88 (c)

there is

a unique s u r j e c t i v e

morphism f:~G,EG->U~_>EG(T%,E ) .

4 . 4 Remark ( S u r j e c t i v e morphiem i n If

t h e morphism f

of

(~B,EG)

then t h e r e a r e terms t l

that

TZG,EG ~ [ t l ] ~ [ t 2 ]

maximal s e t o f additional ok

is also injective,

above) then

(Z,E)

i s an e n r i c h m e n t

: T~G,ES and U~_>EB(T~, E) a r e i s o m o r p h i c . I f

injective, such

(c)

:

identification

and TZ, E ~ [ t l ] = [ t 2 ] .

in

t3eTs-(Ts_okUTs_Error), can

also

tl=t3

be done c h o o s i n g

involving

o n l y ok o r e r r o r t e r m s . this

establish

not

error

But EG i s

T~, E i s done v i a a term t 3

rule

out

is

a

e q u a t i o n s a p p l i c a b l e t o ok and e r r o r t e r m s , so t h e

identification

nor e r r o r

it

and t 2 b o t h ok o r b o t h

It

is

and

t3=t2.

different

a l s o much

neither

equations

smoother

case from a m e t h o d o l o g i c a l p o i n t o f view

a clear distinction

between ok and e r r o r

This

and

to to

constructors

and d e r i v e d f u n c t i o n s .

4 . 5 Concept ( P r a g m a t i c s f o r A

clean

specification

clean s p e c i f i c a t i o n s )

(Z,E)

should

(ZG,EG) w i t h T~B and EG c l e a n such t h a t

have

a

subspecification

(Z,E)

is

an e n r i c h m e n t o f

(ZG,EG).

4 . 6 Example ( B i t s t r i n g s This

with error handling)

clean s p e c i f i c a t i o n

defines bitstrings

of

arbitrary

E r r o r s a r e i n t r o d u c e d by t h e f u n c t i o n s Head and T a i l t o t h e empty s t r i n g . BitStrings = sorts Bit, cons

0,1

String : -> B i t - O k

NoHead : -> B i t - E r r o r : -> S t r i n g - O k • t.

: S t r i n g - O k B i t - O k -> S t r i n g - O k

NoTail : -> S t r i n g - E r r o r runes . I .

: String Bit

-> S t r i n g

Head : S t r i n g - > B i t Tail

: S t r i n g -> S t r i n g

vats

s:String s+:String-Ok b:Bit

eqns

N o T a i l l b = sINoHead = N o T a i l

length.

when a p p l i e d

b+,b1+,b2+:Bit-Ok

89 H e a d ( s + I b l + I b 2 + ) = He~d(s+Ib1+) Head(~ib+) = b+ Head(~) = Head(NoTail) = NoHead Tail(s+Ibl+lb2+) = Tail(s+Ibl+)ib2+ Tail(~Ib+) = T a i l ( ~ ) = T a i l ( N o T a i l ) = NoTail end spec The

p a r t s f o r t h e ok and e r r o r = o n s t r u c t o r s and f o r t h e

functions general

are

indicated

there will

by t h e keywords cons

be an e q u a t i o n p a r t f o r t h e

and

derived

funcs.

In

constructors

as

w e l l . For t h e s u b s o r t s t h e f o l l o w i n g e q u a t i o n s h o l d : T~,E,Bit_Ok ~{0,1},

T E , E , B i t _ E r r o r ~ { N o H e a d } v TE,E,String_Ok ~ ( { 0 ~ i } ) *

and

T E , E , S t r i n g _ E r r o r ~ { N o T a i l } . On t h i s b a s i s t h e f u n c t i o n s Head and T a i l a r e d e f i n e d such t h a t t h e s u b s o r t s a r e r e s p e c t e d .

5. CLEAN PARAMETRIC SPECIFICATIONS

5.1 D e f i n i t i o n A

( S i g n a t u r e morphism, s p e c i f i c a t i o n morphism)

s i g n a t u r e morphism f : Z 1 - > Z 2 between s i g n a t u r e s ( S I , ~ $ I , [ 1 ) and

($2,~$2,E2) Symb(E2)

consists

implies

forgetful

mappings

f:SI->S2

such t h a t s ~ S l r i m p l i e s f ( s ) ~ s 2 f ( r )

f ( ~ ) e £ 2 f ( w ) , f ( s ). s<Slr

of

A

s i g n a t u r e morphism f

f(s)<s2f(r).

functor

A

Uf:ALG~2->ALGEI.

and d~Elw~s i m p l i e s

is called

strict,

if

induces

A s i g n a t u r e morphi~m

e q u a t i o n o f E l , when t r a n s l a t e d by f , morphism

f:Symb(~l)->

s i g n a t u r e morphism f

c a l l e d s p e c i f i c a t i o n morphism from (Z1,EI) t o

specification

and

(E2,E2),

if

f

a is

every

b e l o n g s t o E2 : f ( E I ) ~ E 2 . A

i s c a l l e d simple,

if

$1~$2,

Symb(El)~

Symb(E2) and f : S I - > S 2 and f:Symb(El)->Symb(E2) a r e i n c l u s i o n s .

5.2 D e f i n i t i o n A

(Parametric s p e c i f i c a t i o n ~ p e r s i s t e n t )

p a r a m e t r i c s p e c i f i c a t i o n c o n e i s t s of a p a r a m e t e r s p e c i f i c a t i o n

{ZP,EP) EP~EB.

and The

a body s p e c i f i c a t i o n

(ZB~EB) such

c o n s t r u c t i o n F:ALGzp,Ep->ALGEB~EB [ADJ 78, specification rally"

that

EP~ZB and

semantics of a p a r a m e t r i c s p e c i f i c a t i o n i s t h e

is called persistent~

[WE 85] i s o m o r p h i c f o r

all

if

Po 8 4 ] .

free

A parametric

A and U(F(A)) a r e " n a t u -

(ZP~EP)-algebras A,

where U i s

90 the f o r g e t f u l

f u n c t o r U:ALGEB->ALGzp induced by t h e s i g n a t u r e s EP

and EB.

5.3 D e f i n i t i o n The

( A p p l i c a t i o n of a p a r a m e t r i c s p e c i f i c a t i o n )

r e s u l t of a p p l y i n g a p a r a m e t r i c s p e c i f i c a t i o n w i t h parameter

(ZP,EP) means

and body (~B,EB) of

a

t o an a c t u a l s p e c i f i c a t i o n

s p e c i f i c a t i o n morphism

specification

(~R,ER),

IF ssSP THEN h(s)

(ZA,EA)

h:(~P,EP)->(~A~EA)

is

by the

where ER=EA+hR(EB), ER=EA+hR(EB), hR(s) =

ELSE s FI

and hR(d) = IF ~sSymb(EP) THEN h(~)

ELSE d F I . (ZP~EP) . . . . ~ - - - >

(EB~EB)

I I h

I I

I

I hR

I

I

(ZA,EA) The

sR

> (ER~ER)

r e s u l t s p e c i f i c a t i o n i s t h e pushout of t h e a c t u a l s p e c i f i c a -

tion the

(ZA~EA) and t h e body s p e c i f i c a t i o n

(ZB~EB) w i t h r e s p e c t

parameter (EP,EP) and t h e s p e c i f i c a t i o n morphisms h

where

s

is

t h e s i m p l e s p e c i f i c a t i o n morphiem

induced

and by

to s, the

i n c l u s i o n of t h e parameter i n t h e body.

5.4 D e f i n i t i o n

(Clean p a r a m e t r i c s p e c i f i c a t i o n )

A

specification

parametric

(ZB,EB) the free

is called clean,

if

with

parameter

(EP~EP) and

f r e e c o n s t r u c t i o n F i s p e r s i s t e n t on ALBEp~EP~CLEAN and construction

i m p l i e s F(A)

body

t h e s i g n a t u r e s ZP and ZB a r e c l e a n ,

F p r e s e r v e s cleanness :

A

~

the

ALSEp,EP,CLEAN

E ALGEB,EB,CLEAN.

5 . 5 E x t e n s i o n Lemma ( f o r c l e a n p a r a m e t r i c s p e c i f i c a t i o n s ) Let

t h e r e be g i v e n a c l e a n p a r a m e t r i c s p e c i f i c a t i o n w i t h parame-

ter

(EP~EP) and body (~B,EB)~

(EA,EA)~

a

strict

actual

clean

specification

s p e c i f i c a t i o n morphism h: (EP~EP)->(EA~EA) and

the r e s u l t s p e c i f i c a t i o n (I)

an

(ER,ER) as d e f i n e d above.

The r e s u l t i n g p a r a m e t r i c s p e c i f i c a t i o n w i t h p a r a m e t e r (EA,EA) and body (ZR,ER) i s c l e a n : FR i s p e r s i s t e n t on ALGEA,EA~CLEAN and i t

preserves cleanness.

91 (2) F o Uh = UhR o FR. . . . . E___> ALG~p,EP,CLEAN ALGZB,EB,CLEAN

t

I

l

Uh ;

i UhR

l i

i I

ALGEA,EA,CLEAN . . . . ~ - - >

ALG~R,ER,CLEAN

5 . 6 Remark ( c o n c e r n i n g t h e e x t e n s i o n lemma) The p r o o f o f [Eh

81].

our e x t e n s i o n lemma a p p l i e s t h e R - e x t e n s i o n lemma o f

The

restriction

of ALBzp,EP t o c l e a n a l g e b r a s can

e x p r e s s e d as p r e d i c a t e f o r m u l a r e q u i r e m e n t s . clean

algebras

method,

because

neither

ok

morphism

the

underlying

The s t r i c t n e s s

o f t h e parameter

i m p l i e s t h a t ok o r e r r o r o p e r a t i o n s will

also

be ok o r e r r o r o p e r a t i o n s

to

specification

one does n o t want t o c a r e a b o u t e l e m e n t s

nor e r r o r .

h

parameter

is essential for

This r e s t r i c t i o n

be

being

passing

of

the

formal

in

the

actual

parameter.

5 . 7 Concept

(Pragmatics f o r

Analogously

to

clean parametric s p e c i f i c a t i o n s )

t h e case w i t h o u t p a r a m e t e r s a c l e a r

distinction

between ok and e r r o r c o n s t r u c t o r s and d e r i v e d f u n c t i o n s s h o u l d be established.

Therefore

parameter (ZP,EP) (ZP,EP)

a

clean parametric

~ (ZB,EG) ~ (ZB,EB)

all

w i t h T~G(A) and EG c l e a n such t h a t G

A~ALGEp,EP,CLEAN,

where G i s

duced by t h e p a r a m e t r i c s p e c i f i c a t i o n body

is

an e n r i c h m e n t o f B(A)

the f r e e c o n s t r u c t i o n w i t h p a r a m e t e r (EP,EP)

inand

(ZG,EG).

5 . 8 Example ( P a r a m e t r i c s t r i n g s

with error handling)

This clean parametric s p e c i f i c a t i o n trary

with

and body (ZB~EB) s h o u l d have a s u b s p e c i f i c a t i o n

i s p e r s i s t e n t on ALGzp,EP,CLEAN and F(A) for

specification

parameter

s o r t Char.

f u n c t i o n s Head and T a i l

o v e r an a r b i -

Again e r r o r s a r e i n t r o d u c e d by

when a p p l i e d t o t h e empty s t r i n g .

s pec P a r a m e t r i c S t r i n g s = parm s o r t s Char o~ons

defines strings

NoHead : -> C h a r - E r r o r

the

92 bod~ s o r t s S t r i n g cons

A : -> S t r i n g - O k .I.

: S t r i n g - O k Char-Ok -> S t r i n g - O k

NoTail : -> S t r i n g - E r r o r funcs

.I.

: S t r i n g Char - > S t r i n g

Head : S t r i n g -> Char Tail vats

: S t r i n g -> S t r i n g

s:String

s+:String-Ok

c:Char c + ~ c l + , c 2 + : C h a r - O k t - : C h a r - E r r o r eqns

NoTaillc = slc-

= NoTail

Head(s+Icl+Ic2+) = Head(s+Icl+) Head(Ale+) = c+ Head(A) = H e a d ( N o T a i l ) = NoHead Tail(s+Icl+Ic2+)

= Tail(s+Icl+)Ic2+

Tail(AIc+) = A Tail(A)

= T a i l ( N o T a i l ) = NoTail

e n d sp,ec The

parts

keywords for

the

it

is

for

the

parameter

p a r m and b o d ~ , parameter

and t h e

essential for

Char-Error algebra

In

and t h e

general

body are

there

constructors

will

indicated

be an e q u a t i o n

as w e l l .

= NoTail.

algebra

F(A)Char_Ok

F(A)

will

have

the

the part that sort

parameter

given~

following

note

c - of

I÷ a c l e a n

A w i t h s e t s AChar_Ok and AChar_Error i s

resulting

Please

p e r s i s t e n c y t o use t h e v a r i a b l e

in the equation s l c -

by

then t h e

carriers

:

~

AChar_Ok, F(A)Char-Error ~ AChar_Error , )* F ( A ) s t r i n g _ Ok ~ (AChar_Ok and F ( A ) s t r i n g _ E r r o r ~ { N o T a i l } . F u r t h e r m o r e t h e c o r r e s p o n d i n g f r e e c o n s t r u c t i o n i s n o t p e r s i s t e n t on ALG~p,Ep,

if

no r e s t r i c t i o n

t o c l e a n a l g e b r a s i s made.

5 . 9 Remark ( P o i n t e d a l g e b r a s and s p e c i f i c a t i o n s ) All

c o n s i d e r a t i o n s p r e s e n t e d here can be s p e c i a l i z e d t o

a l g e b r a s [Go 8 6 ] , sort.

In t h i s

pointed

where t h e r e i s o n l y one e r r o r element f o r

case e r r o r r e c o v e r y i s n o t s u p p o r t e d t o o w e l l ,

e s p e c i a l l y e r r o r p r o p a g a t i o n can be done a u t o m a t i c a l l y .

each but

93 6.

CONCLUSION

The

notion

algebra

of

a

clean algebra i s

satisfying

certain

a special

case

of

s o r t e q u a t i o n s which e s p e c i a l l y

sense i n t h e c o n t e x t o f p a r t i a l l y considered

just

an make

o r d e r e d s o r t s and which can

as a n o t h e r c o n s t r u c t f o r

algebraic specification

guages. For example i n c l e a n a l g e b r a s t h e s o r t

be lan-

equations

s-Ok n ~ - E r r o r = ~ and s-Ok u s - E r r o r = s are v a l i d f o r sort like

all

s o r t s s.

terms b u i l t union,

over the g i v e n s e t of

intersection,

An a l g e b r a s a t i s f i e s u a t i o n s of

A s o r t equation c o n s i s t s of a p a i r of s o r t s and s e t

operations

d i f f e r e n c e ~ complement and empty s e t .

a sort equation,

if

the set theoretic eval-

t h e two e x p r e s s i o n s w i t h r e s p e c t t o t h e g i v e n

coincide. This t o p i c

is

algebra

subject to f u t u r e research.

7. REFERENCES

ADJ 76

J.A.Goguen/3.W.Thatcher/E.S.Wagner : approach t o t h e s p e c i f i c a t i o n , tation

of a b s t r a c t data types.

gramming Hall, ADJ 78

methodology,

Englewood C l i f f s

H. E h r i g

/

R.T.yeh (ed),

tion

:

lOth STOC~ 1978,

/

1982,

C.Choppy :

tions. BGP 82

Proc.

F.Boisson / L.R.I.

/

pp.322-369.

Abstract

r e c o v e r y by means o f llth

ICALP 1984,

types

of

To a p p e a r .

exception handling

e q u a t i o n s and

declara-

LNCS 172, p p . 9 5 - 1 0 9 .

G. Guiho / D.Pavot :

R e p o r t , Orsay 1982.

data

approach based on a

between e x c e p t i o n s and e r r o r s .

M.Bidoit : Algebraic specification error

E.G. Wagner

Parameter p a s s i n g i n a l g e b r a i c s p e c i f i c a -

B . B e r n o t / M. B i d o i t

and

specification

San Diego.

w i t h e x c e p t i o n h a n d l i n g : An i n i t i a l

Bi 84

Prentice

Data t y p e s p e c i f i -

3~W.T h a t c h e r /

languages. LNCS 134, B e r l i n

distinction

pro-

i978~ p p . 8 0 - 1 4 9 .

H.-J.Kreowski /

J.B.Wright

BBC 8b

V o l . IV~

P a r a m e t r i z a t i o n and t h e power o f

t e c h n i q u e s . Proc.

algebra

Current trends in

J.W.Thatcher/E.S.Wagner/~.B.Wright : cation :

ADJ 81

An i n i t i a l

c o r r e c t n e s s and implemen-

Multioperator algebras.

94 Eh 81

H.Ehrig

:

A l g e b r a i c t h e o r y of parametrized

specifica-

t i o n s w i t h r e q u i r e m e n t s . Proc. b t h CAAP 1981, 8enova. EFH 83

H. Ehrig/W.Fey/H.Hansen : ACT ONE : An a l g e b r a i c s p e c i f i cation

language w i t h two l e v e l s

Report No. 8 3 - 0 3 , TU B e r l i n , EKMP 82

of

semantics.

Techn.

1983.

H. E h r i g / H . - J . K r e o w e k i / B . M a h r / PPadawitz . :

A l g e b r a i c im-

p l e m e n t a t i o n o f a b s t r a c t d a t a t y p e s . TCS, V o l . 2 0 1982. FGJM 85

K°Futasugi / J.A.Goguen /

J . - P . Jo u a n n a u d / J.Meseguer :

P r i n c i p l e s o f OBJ2. Proc. POPL 1985, p p . 5 2 - 6 6 . Ga 83

H.Ganzinger

:

Parametrized s p e c i f i c a t i o n

:

Parameter

passing and i m p l e m e n t a t i o n . ACM TOPLAS, V o l . 5 1983. GSM 76

V . G i a r r a t a n a / F . O i m o n a / U . M o n t a n a r i: cepts

in a b s t r a c t data type

Observability

specification.

Proc.

con5th

MFCS 1976, Gdansk, LNCS 45. SDLE 82

M . G o g o l l a / K . D r o s t e n / U . L i p e c k / H . - D . E h r i c h : A l g e b r a i c and operational

semantics o f s p e c i f i c a t i o n s a l l o w i n g e x c e p -

t i o n s and e r r o r s . TCS, V o i . 3 4 1984, pp.289-313. Go 83

M. G o g o l l a

:

specifications. cells Go 86

Partially

ordered

sorts

in

algebraic

Proc. 9 t h CAAP 1984, Bordeaux, B. Cour-

( e d ) , Cambridge U n i v e r s i t y Press, pp.139-153.

M.Gogolla : Ober p a r t i e l l

g e o r d n e t e Sortenmengen und d e -

t e n Anwendung z u r F e h l e r b e h a n d l u n g i n A b s t r a k t e n

Daten-

t y p e n . D i s s e r t a t i o n , TU Braunschweig, 1986. 8o 77

J.A.Goguen Proc.

:

Abstract e r r o r s f o r a b s t r a c t data

Conference

on Formal D e s c r i p t i o n o~

types.

Programming

Concepts 1978, E . J . N e u h o l d ( e d ) , North H o l l a n d . 8o 78

J.A.Goguen : Order s o r t e d a l g e b r a s : E~ception and e r r o r s o r t s , c o e r c i o n s and o v e r l o a d e d o p e r a t o r s . Semantics and Theory of Computation Report No.14, UCLA, 1978.

SM 84

J.A.Goguen/J.Meseguer : Order-sorted a l g e b r a I : P a r t i a l and o v e r l o a d e d o p e r a t o r s ,

e r r o r s and i n h e r i t a n c e . Tech-

n i c a l R e p o r t , SRI I n t e r n a t i o n a l , GJM 85

K1 84

1984.

J.A. Goguen/J.-P.Jouannaud/J.Meseguer :

Operational

m a n t i c s f o r o r d e r - s o r t e d a l g e b r a . Proc.

12th ICALP 1985.

se-

H . K l a e r e n : A c o n s t r u c t i v e method f o r a b s t r a c t a l g e b r a i c software specification.

TCS, V o l . 3 0 , No.2 1984.

95 Po 84

A.Poigne

:

Modularization

specifications ST 85

with subsorts.

D.Sannella/M.Wirsing : specification

Wa 79

M.Wand : sions.

WE 85

for

algebraic

I m p e r i a l C o l l e g e , London.

D . S a n n e l l a / A ~ T a r l e c k i : On o b s e r v a t i o n a l e q u i v a l e n c e and algebraic specification.

SW 83

techniques

l O t h CAAP 1985, B e r l i n .

kernel language f o r

Final

a l g e b r a s e m a n t i c s and d a t a t y p e

~CSS, V o l ~ l g ,

data types.

exten-

No. 1 1979, p p . 2 7 - 4 4 . Canonical constraints

for

parame-

Research R e p o r t RC 11248, IBM, 1985.

WPPDB 83 M . W i r s i n g / P . P e p p e r / H . Partsch/W. Dosch/M.Broy : a r c h i e s of

algebraic

and i m p l e m e n t a t i o n . P r o c . FCT 1983.

E.G.Wagner/H.Ehrig : trized

Proc. A

abstract data types.

On

hier-

A c t a I n f o r m a t i c a 1983~

Toward formal development of programs from algebraic specifications: implementations revisited (Extended abstract) Donald Sannella 1 and Andrzej TarIecki2 Abstract The program development process is viewed as a sequence of implementation steps leading from a specification to a program. Based on an elementary notion of refinement, two notions of implementation are studied: constructor implementations which involve a construction "on top of" the implementing specification, and abstractor implementations which additionally provide for abstraction from some details of the implemented specification. These subsume most formal notions of implementation in the literature. Both kinds of implementations satisfy a vertical composition and a (modified) horizontal composition property. All the definitions and results generalise to the framework of an arbitrary institution.

1

Introduction

There has been a lot of interesting work done on notions of refinement (see e.g. [GTW 78], [GB 80], [Ehr 81,82], [EKMP 82], [SW 82], [GM 82], [Gan 83], [Lip 83]). In [SW 83] and then in [ST 85b,86b] we used a very simple notion of specification refinement which seems appropriate for loose specifications: a specification SP refines to a specification SP', if every model of SP' is a model of SP; this extends to a notion of refinement of parameterised specifications. This looks suspiciously oversimplified, especially in comparison with most previous work in this area. In this paper we elaborate on how this simple notion can provide a basis for realistic and non-trNial program development. Roughly speaking, first we allow an implementation of a specification SP by another specification SP t to consist of a "program" or construction written in terms of SP t to compute the functions specified in SP. This subsumes most previous notions of implementation in the literature, e.g. [GTW 78], [Ehr 82], [EKMP 82] and [SW 82]. Then we incorporate ideas concerning behavioural equivalence of algebras as discussed in [GGM 76], [Rei 81], [GM 82], [ST 86b] (and elsewhere), by allowing the construction to deliver a result which realises SP not "exactly" but only up to an equivalence on algebras. This subsumes the notions of implementation in [Ehr 81], [GM 82], [Sch 82] and [BMPW 86]. These notions extend to parameterised specifications as before. In order to be useful for stepwise and modular program development, implementations should compose vertically and horizontally [GB 80]. The simple notion of refinement enjoys both of these properties. The first extended notion composes vertically and satisfies a (modified) horizontal composition property; similar results for the second notion hold only under certain additional conditions. We present these ideas in the framework of partial algebras [BrW 82]. This is mainly to take advantage of the reader's intuition, since all of the main definitions and results as well as method* ological remarks may be directly restated in the framework of an arbitrary institution [GB 84]. This means that they can be used to develop programs from specifications in a wide variety of logical systems. Thus, a user of the presented program development methodology may choose the logical system which is most suited to his particular task. Moreover, different logical systems may be most suitable at different stages of the development of even a single program, for example when developing an efficient imperative program from a high-level algebraic specification. We enable this by allowing specifications to be implemented by specifications in a different institution using what we call a semi-institution morphism [Tar 86]. 1Department of Artificial Intelligence, Universityof Edinburgh and Laboratory for Foundationsof Computer Science, Department of Computer Seience~ University of Edinburgh 2Institute of Computer Science, Polish Academyof Sciences, Warsaw

97 Unfortunately, for lack of space we are not able to cover this topic here; the interested reader should consult [ST 87] for a detailed treatment of this subject as well as for all the proofs, examples and full discussion which we are forced to omit here.

2

Algebraic preliminaries

Due to lack of space we omit the definitions of the following standard algebraic notions: signature (E), signature morphism (a), the category S i g n of signatures with initial (empty) signature ~.¢; partial E-algebra A, (closed) E-subalgebra, (weak) E-homomorphism, the category P A l g ( E ) of partial E-algebras; the a-reduct functor _[~: P A l g ( E ' ) --* P A l g ( E ) for any signature morphism a: E ~ E; terms t, equations VX.t = t', definedness formulae D(t), partial (first-order) sentences ~, and their translations (a(t), etc.) under signature morphisms. All these definitions may be found in [ST 87] and elsewhere. We write A ,~ ~ to denote that the algebra A satisfies ~, defined in the usual way (generalised to classes of algebras and sets of sentences as usual). For any signature ~ and S C_sorts(E), we say that a E-algebra A is reachable on S if it contains no proper E-subalgebra with carriers of sorts not in S the same as in A. In other words, every element of A is the value of a E-term with variables of sorts not in S (for some valuation). Notice that any E-algebra A contains exactly one ~-subalgebra which is reachable on S and has carriers of sorts not in S the same as in A, denoted ]~s(A). We omit qualification by S in these definitions if S =

sorts(E).

Let A e P A l g ( E ) . A congruence on A is an equivalence relation =- C tA[ × ]A[ such that for any f : s l , . . . , s n --~ s in Z and al,bl E )A)s,,...,a,,,b,, e ]A[,., if al =-s, bl . . . . ,an -=,. b. and fit(a1 . . . . . an) and fA(bl . . . . . bn) are defined, then fA(al . . . . . an) =, fA(bl . . . . . b,,). The quotient of an algebra by a congruence is defined as usual.

3

Specifications and r e f i n e m e n t

We are not going to formally define precisely what specifications are; they are just finite syntactic objects of some kind. Every specification describes a certain signature and a class of algebras over this signature. This semantics is made explicit using two mappings which assign to each specification SP a signature Sig[SP] E [Sign[ and a class Mod[SP] C [PAlg(Sig[SP])] of Sig[SP]-algebras. Algebras in MocI[SP] are called models of SP. We call a specification consistent if it has at least one model. This rather general description covers high-level user-oriented loose specifications admitting nonisomorphic models as well as low-level detailed specifications or even programs which for us are just very tight specifications. We adopt a purely model-theoretic view here and stop the analysis of the notion of a program at this level. Any application of the methodology we outline would require some further syntactic constraints on the notion of a program. D e f i n i t i o n 1 For any signature ~, S p e c ( ~ ) denotes the collection of all E-specifications, i.e. specifications SP such that Sig[SP] = ~,, preordered by the inclusion of model classes. For any two specifications SP1 and SP2, a specification morphism a: SP1 --* SP2 is a signature morphism a: Sig[SP1] --~ Sig[SP2] such that for any model A2 C Mod[SP2], A2I~ e Mod[SPl]. We assume that S p e c ( E ) contains at least basic specifications. That is, given a signature E and a (finite, recursive, r.e.) set ¢ of E-sentences, (E, ¢) is a specification with:

Sig[(E, ~)] = Z Mod[(Z, ~)] = {A e P A l g ( E ) ] A ~ ¢} If the sentences are all (universally quantified) equations or definedness formulae we call (E, ¢) an equational specification.

98

Specification-building operations are used to put together little specifications in nice ways to make progressively bigger ones [BG 77]. Any specification-building operation, given a list of argument specifications, yields a result specification; semantically, a specification-building operation is a function on classes of algebras. The only assumption we make about these functions is that they are monotonic; intuitively, less restrictive argument specifications yield a less restrictive result. Specification languages like CLEAR [BG 77,80] may be viewed just as sets of such operations plus some syntactic sugar. E x a m p l e 1 ( t r a n s l a t e ) [ST 86a] Given a specification SP and signature morphism a: SigISP ] --+ E', t r a n s l a t e SP b y a is a specification with semantics defined as follows:

Sit[translate SP b y a] = ~' Mod[translate SP b y a] = {A' e P A l g ( E ' ) i A'I~ e Mod[SP]}

[]

T r a n s l a t e is actually a family of specification-building operations, t r a n s l a t e = {translateo: z~r.,: S p e e (E) --+ S p e c (E')}oeStgn For any specification-building operation w we will write w: S p e c ( E ) --+ S p e c ( E ' ) , meaning that w takes Z-specifications to E'-specifications. Note that we have tacitly assumed that ~o is a unary operation; to simplify the presentation we make the same assumption throughout when convenient. A specification language usually provides a way for the user to define his own specificationbuilding operations, i.e. a mechanism for constructing parameterised specifications. There are different approaches to parameterised specifications; in this paper we use the approach of [ST 86a]. Semantically, any parameterised specification can be viewed as a function taking any specification over a given parameter signature ~par to a specification over a result signature Er,s- Syntactically, we write a parameterised specification as a )~-expression, ~X: Zpar.SPr,~[X], where X is an identifier and SPr~[X] is a Zr~s-specification built using specification-building operations which may involve X as a variable denoting a Ep~,-specification. For any Epar-specification SP, (~X: Ep~,.SPr~,[X])(SP) is a specification with semantics defined (essentially as 13-conversion) as follows: 5g[(~,X: r~o,.SP, o,[Xl)(SP)] = E~o, Mod[(~X: Ep~.SP,,,[X])(SP)] = Mod[SF~,,[SP/X]] We sometimes write ()~X: ~p~.SP,~[X]): Spec(Zp~) --* Spec(H~,,) to indicate the paxameter and result signatures explicitly. The programming discipline of stepwise refinement suggests that a program (which is a specification) be evolved from a high-level specification by working gradually via a series of successively more detailed lower-level intermediate specifications. A formalisation of this approach requires a precise definition of the concept of refinement. D e f i n i t i o n 2 Given two specifications SP and SP' such that Sig[SP] = Sig[SP'], we say that SP refines to SP', written SP ,.,.,'> SP', if Mod[SP'] C_ Mod[SP].

Given two parameterised specifications P and P' with the same parameter signature Epic, we say that P refines to P', written P ~ P', if for any Epic-specification SP, P(SP) ~ P'(SP). Intuitively~ SP ~ SP' if SP' incorporates more design decisions than SP. An important issue for any notion of refinement is whether refinements can be composed vertically (SP ~ SP' and SP' ~ SP" implies SP ~ SP") and horizontally (P ~ P' and SP ,..-.> SP' implies P(SP) .....> P'(SP')) [GB 80]. The above notion of refinement has both these properties since specification-building operations are monotonic. These properties allow large structured specifications to be refined in a gradual and modular fashion.

99 The development of a program from a specification consists of a series of refinement steps SP1 ~ ... ~ SP~, where SPo is the original high-level specification and SPn is a program. Vertical eomposability guarantees the correctness of SP, with respect to its specification SPo. This views each of the specifications SPo,..., SP, as a single indivisible entity. If, however, we decompose any of them using a parameterised specification, say SP~ = P(SP), then the further developments of P and of SP may proceed separately. Horizontal composability guarantees that the results of these developments may always be combined to give a refinement of SPk and so of SPo as well. Of course, these (sub)developments may themselves involve further decomposition.

SPo ~

4

Constructors and

implementations

The simple notion of refinement is mathematically elegant but perhaps a bit oversimplified from a practical point of view. In the sequel, we wilt develop notions of implementation built on top of this simple notion of refinement which are more suited to practical use. We start with a notion of implementation which involves a construction from the implementing specification to the implemented specification. What is a construction? Model-theoretically, the characteristic feature of a construction is that it transforms an algebra over one signature to yield another algebra over a (possibly different) signature. Thus, we can identify a construction a with a functions a: PAlg(E) -~ PAlg(E'). This determines a specification-building operation denoted (ambiguously) by the same symbol. We call specification-building operations of this kind constructors. D e f i n i t i o n 3 A constructor determined by a/unction ~: PAId(E) ~ PAlg(E') is a specificationbuilding operation ~¢: Spee(~.) --~ Spec(E'), where for any E-specification SP, Sig[~(SP)] -- E' and

Mod[~(SP)] = {~(A) I A e Mod[SP]}. Fact 1 Constructors are monotonic, preserve consistency of specifications, and are closed under

composition.

[]

E x a m p l e 2 (derive) For any E'-specification SP' and signature morphism ~r: E -~ E', the semantics of the specification derive f r o m SP ~b y a is as follows: Sig[derive f r o m SP ~ b y a] = E Mod[derive f r o m SP' b y a] = (A]~ [ A e Mod[SP']) The derive specification-building operations (one for each a: E - , E') are constructors determined by the corresponding reduct functors --In. Intuitively, derive can be used to hide and/or rename some of the sorts and operations of a specification. [] E x a m p l e 3 ( r e s t r i c t ) For any E-specification SP and set S c_ sorts[Z] of sorts, the semantics of the specification r e s t r i c t SP o n S is as follows:

Sig[restrict SP o n S] = E Mod[restriet SP on S] = {)~s(A) t A e Mod[SP]} The r e s t r i c t specification-building opera, ions (one for each E and S C sorts[E]) are constructors determined by the corresponding restrict functors ~s. :Restrict is used to remove "junk", i.e. to restrict to the reachable part of Mgebras. [] aFrom the category-theoretic point of view, it is natural to assume that this is a functor (all our examples are) but since we do not use the morphismpart in this paper we take this simplifiedview here.

100

E x a m p l e 4 ( q u o t i e n t ) For any T-specification S P and congruence ~ on ground ~-terms, the semantics of the specification q u o t i e n t S P w r t ~ is as follows: Sig[quotient S P w r t ~1 = ~ Mod[quotient S P w r t ~] = { A / ~ f A e Mod[SP]} The q u o t i e n t specification-building operations (one for each Z and ~ on Z-terms) are constructors determined by the corresponding quotient functors _ / ~ . Intuitively, q u o t i e n t is used to identify the values of certain terms; usually the congruence ~ is presented via a set of equations. [] E x a m p l e 5 ( e x t e n d ) If we have a signature morphism a: Z --* ~' then constructors from Spec (~) to $ p e c ( ~ ' ) will be called synthesizing constructors along a. The intuition is that they just build new stuff on top of the existing algebras without forgetting anything. One standard way to define such a synthesizing constructor is using the free extension. Namely, for any signature morphism a: Z --+ ~f and equational Et-specification S P ~, there is a free functor F~: P A l g ( ~ ) ~ Mod[SP'] (the left adjoint to the reduct funcLor _In: Mod[SP'] --. PAlg(~,)). That this functor always exists is a well-known fact. For any E-specification SP, e x t e n d SP t o S P ~ v i a a is a specification defined as follows: Sig[extend SP t o SP ° v i a a] = ~' Mod[extend SP t o SP' v i a a] = {Fo(A) ] A e Mod[SP]} Note that S P may be an arbitrary specification here, not necessarily equational. In general F~ does not have to preserve all the properties required by S P (so a was not required to be a specification morphism a: S P --* S P ~) although it does preserve ground equations deducible from SP. [] Non-example ( t r a n s l a t e ) The t r a n s l a t e specification-building operation defined in the last section is not a constructor. Consider for example any a: ~¢ --* ~, where ~ is non-empty or any a': ~ --* ~' which is non-injective on sorts. [] D e f i n i t i o n 4 A synthesizing constructor ~: S p e c ( E ) --* S p e c ( ~ ' ) is persistent along a signature rnorphism a: ~ -+ E', written ~: Spec(r,) -~+ S p e c ( ~ ' ) , if ~: P A l g ( Z ) -+ P A l g ( E ' ) is (strongly) persistent with respect to o, i.e. for any ~.algebra A, to(A)[~ = A. E x a m p l e 6 ( a m a l g a m a t e d u n i o n ) Given two persistent constructors *;1: S p e c ( E ) - - ~ Spec(E1) and ~2: S p e c ( ~ ) - ~ Spec(E2), let ol "El

ty2t be a pushout in Sign. For any E-algebra A, define ~(A) to be the unique E*-algebra such that n(A) J~l, = ~I(A) and n(A)In2, = ~2(A). ~(A) is well-defined since nl(A)In1 = A = n2(A)la~. Thus, we have defined a function ~: P A l g ( E ) --* P A l g ( E ' ) . We denote this function and the corresponding synthesizing constructor (along a l ; a l t = a2;a2 t) by ~;1 + ~2; if any doubts may arise, we add a l , a2 as subscripts to +. Intuitively, ~1+f¢2 "puts together" the constructions n l and ~2. The assumption of persistency guarantees that this is possible. (See the notion of amalgamated sum in [PB 85] and [EM 85].) [] F a c t 2 If a l : S p e c ( Z ) - - ~ S p e e ( ~ l ) and a2: S p e c ( E ) - ~ S p e c ( ~ 2 ) are persistent constructors then ~1 + ~2: S p e c ( E ) - - ~ S p e c ( ~ ' ) is a persistent constructor along a =~el a l ; a l ' = a2;a2'. []

t01

E x a m p l e 7 ( t r a n s l a t i o n o f a c o n s t r u c t o r ) There is another operator on constructors connected with the pushout in Sign. Namely, reconsider the pushout diagram of example 6 and suppose ~;1: S p e c ( E ) - ~ - + S p e c ( ~ l ) is a persistent constructor. Then for any A2 e P A l g ( ~ 2 ) , define ¢2(~1)(A2) to be the unique ~'-algebra such that o2(~1)(A2)In1, = ~l(A2]a2) and a2(~l)(A2)In2, = A2. Thus we have defined a function a2(~:1): P A I g ( ~ 2 ) --+ PAlg(G') which we call the translation of ~1 along a2. We use the same notation and terminology to refer to the corresponding synthesizing constructor (along a2'). Notice that a2(¢~1) is persistent. Intuitively, cr2(~1) performs ~1 on the up. part" of ~2-algebras and leaves the other components unchanged. Notice that the translation of a constructor is a more elementary operation than the amalgamated union. Namely, using the notation of example 6, ~1 + ~2 = t~2;a2(~l) = ¢:1;a1(~2). [] D e f i n i t i o n 5 ( c o n s t r u c t o r i m p l e m e n t a t i o n ) A specification SP is implemented by a specification SP' via a constructor x~: Spec(Sig[SP']) --* Spec(Sfg[SP]), written SP ~ SP', ff SP .....> ~(SP'). Intuitively speaking, if we want to evaluate a function in SP, we are able to do this provided we can evaluate any function in SP' since the constructor ~ puts together functions in SP' to obtain all functions in SP. In this sense, ~ may be viewed as a program parameterised by the (possibly not yet executable) specification SPq Notice that, using the constructors introduced in examples 2-5 above, we can reduce many of the notions of implementation in the literature (e.g. [GTW 78], [Ehr 82], [EKMP 82], [SW 82]) to the one above. For example, the implementation notion of [EKMP 82] assumes that ~: is the composition of e x t e n d , d e r i v e , r e s t r i c t and q u o t i e n t constructors (in that order). Our definition of constructor implementation resembles the notion of implementation given in [Ehr 81] for single algebras. In [Ehr 81], A is implemented by B via a construction F if A is (isomorphic to) a quotient of a subalgebra of F(B). When generalising to loose specifications, the requirement that some quotient of some subalgebra of F(B) be isomorphic to A may be regarded as a construction only if the subalgebra and quotient are taken uniformly on all models B of the implementing specification. If we do not require uniformity then this amounts to a non-constructive step which will be fully subsumed by the notion of abstractor implementation defined in section 5. There are even closer similarities with the notion of implementation of (parameterised) specifications in [Lip 83]; see section 6.1 for details. T h e o r e m 1 ( v e r t i c a l c o m p o s i t i o n ) /f SP ~

SP' and SP' ~

SP" then SP ~

SP".

~ []

Notice that since ~';~: is an acceptable constructor, there is no reason to require that it has (or may be transformed to) the same form as either ~ or ~:'. In general this will not be the case. However, in some special cases it turns out that such normal form theorems may be obtained, often under some additional assumptions about the specifications involved (see e.g. [Ehr 81], [EKMP 82], [8W 82], [EWT 83], [Ore 83]). It seems to us that the requirement that the composition of constructors must be forced into some given normal form corresponds to requiring programs to be written in a rather restrictive programming language which does not provide sufficiently powerful modularisation facilities for the job. In some situations, putting a constructor into a normal form can be viewed as an optimization process. The following simple fact allows us to mechanically strip off outermost constructors if the specification we want to implement happens to be built in this way. F a c t 3 For any constructor ~: S p e c ( ~ ) -+ S p e c ( ~ ' ) and ~-specifieatfon SP, ~(SP) ~., vided that SP ~, SP'. An interesting special case of this is the amalgamated union of specifications.

SP' pro[]

102

D e f i n i t i o n 6 For any two specification morphisms a l : SP ~ SP1 and er2: SP --~ SP2, the amalgamated union of SP1 and SP2, written SP1 + SP2 (decorated with subscripts SP, trl,a2 on + if necessary}, is a specification with semantics defined as follows:

sig[sP1 + sP2] = ~; Mod[SP1 + SP2] = Mad[translate SP1 by al'] U Mad[translate SP2 by aT] where the following diagram is a pushout in S i g n : ol

Sig[SP]

Sig[SP2]

= Sig[SP1]

a2'

" ~'

T h e o r e m 2 If SP1 ~ SP and SP2 ~ SP where both ~1: Spec(Sig[SP]) - ~ Spec(Sig[SP1]) and ~;2: Spec(Sig[SP]) -el+ Spec(Sig[SP2]) are persistent constructors, then SP1 + SP2 ~ SP. D This theorem allows us to implement the independent components of a specification separately and then combine their implementat;.ons provided that they do not affect the common part. In the above theorem we required ~1 and t¢2 to be persistent on all Sig[SP]-algebras as in the definition of the amalgamated union of constructors. However, in this context (as well as in similar situations in the sequel) it is sufficient to require that ~;1 and ~;2 are persistent only on models of SP (which may be easier to achieve in practice). Of course formally, ~I + ~;2 is then only a constructor on Mad[SP] rather than on PAlg(Sig[SP]) since it may be undefined on some Sig[SPl-algebras. T h e o r e m 3 Let E

E2

al

.

a2'

E1

" El

be a pushout in S i g n , tel: S p e c ( E ) -el+ Spec(E1) be a persistent constructor, and SP1,SP2 be E1and E2-speeifications respectively. [f SP1 ~ d e r i v e f r o m SP2 b y a2 then S P I + S P 2 ~ SP2. [] This gives another way of decomposing a specification and implementing the components separately. Namely, we implement one component using (a part of) the other and then we can proceed with the implementation of the other component. Summing up, the development process using this notion of implementation would consist of a sequence of steps SPo ~ SP1 ~ "" ~ SP,. Intuitively, SPo, SP, etc. do not "grow" as happens when we use the simple refinement notion, where this development would look like: SPo ~-~

~l (sP,)

---~

. . . ~.~> ~

(. . .

~.CSP.)...)

Using constructor implementations, we gradually reduce the specification by implementing its parts. Our goal is to end up with an empty specification over the empty signature, i.e. SPn = (T,¢, 0). Then, the composition of constructors to,;-.. ;~I forms a program which implements SPo.

103

5

A b s t r a c t o r s and i m p l e m e n t a t i o n s

It is often possible to abstract away from some of the details of the user's original specification without violating the real intention behind it. This is the idea behind the specification technique known in software engineering as abstract model specification [LB 77], in which the user defines in a more or less concrete fashion a model which gives the desired results with the intention that any program giving the same answers is acceptable. This theme has been discussed in [GGM 76], [Rei 81], [GM 82], [Kam 83], [ST 85a] and elsewhere; the idea goes back (at least) to work on automata theory in the 1950's [Moo 56]. To formalize these ideas we will consider another class of specification-building operations called abstractors. Intuitively, any equivalence relation on Z-algebras determines a specification-building operation which relaxes interpretation of any E-specification SP by admitting as a model any Zalgebra which is equivalent to a model of SP. Definition 7 An abstractor determined by an equivalence relation =_-C PAlg(E) × PAlg(~) is a specification-building operation a~: Spec(~) --* Spec(E) where for any Z-specification SP, S i g [ a ~ ( S p ) ] = r.

Mad[a~(SP)l

=

{A e

PAlg(E) I 3A' e

Mod[SP].A =__A'}

In the sequel we will omit the subscript =- when there is no danger of confusion. Also, if a is known we denote the abstraction equivalence which determines it by =_-~. F a c t 4 Abstractors are monotonic, idempotent, and preserve and reflect consistency of specifications. [] In general, abstractors are not closed under composition. This fact is neither surprising nor disturbing; we will not in fact have occasion to compose abstractors. E x a m p l e 8 ( o b s e r v a t i o n a l a b s t r a c t i o n ) For any E-specification SP and set W of ground Zterms, the semantics of the specification a b s t r a c t SP w r t W is as follows [SW 83]: Sig[abstract SP w r t W] = Z Mad[abstract SP w r t W] = {A E PAlg(Z) I 3A' E Mad[SP].A =w X ) where for any two algebras A , A ' E PAlg(Z), A --=-wA' iff: • for all t e W , A p D(t) iff A' p D(t), and • for all s E 8orts(E) and all t,t' E W,, A ~ t = t' iff A' ~ t = t'. Intuitively, W is the set of G-terms which represent computations the user is allowed to perform. We do not want to distinguish between algebras in which all these computations give the same results. A similar idea in the context of concurrent processes appears in [deNH 84]. [] E x a m p l e 9 ( b e h a v i o u r a l a b s t r a c t i o n ) An important special case of observational abstraction is behavioural abstraction. For any E-specification SP and set OBS C sorts(E) of sorts, the semantics of the specification b e h a v i o u r SP w r t OBS is as follows [SW 83], [ST 86a], [ST 86b]: Sig[behaviour SP w r t OBS] = Z Mad[behaviour SP w r t OBS] = {A E PAlg(Z) I 3A' e Mad[SP].A =OBS A'} where the equivalence =-OBS is just ~-w for W the set of all ground E-terms of sorts in OBS. Intuitively, OBS is the set of external sorts, visible to the user. []

104

D e f i n i t i o n 8 ( a b s t r a c t o r i m p l e m e n t a t i o n ) A E-specification SR is implemented by a E'-spceification SP' wrt an abstraetor a: Spec(E) --* Spec(Z) via a constructor ~: Spec(E') -~ Spec(E),

written SP ~

sP', if ~( sP) ~

~( sP').

If in the above definition, a is behavioural abstraction, then intuitively speaking we are implementing the behaviour of SP rather than SP itself. This subsumes the notions of implementation in [GM 82], [Sch 82] and [BMPW 86]. Notice that the abstractor a cannot be chosen arbitrarily; the choice depends on the specification SP and the context in which it is to be used. If a abstracts too much then the implementation will be useless - - for example if -= is the total equivalence on P A l g ( E ) then SP 2~> SP' for any SP' and constructor ~: Spec(Sig[SP']) ~ Spec(Sig[SP]). Suppose SP ~ SP' and SP r ~ SP". We would like to be able to conclude that SP ~ SP". According to the above argument we assume that a was chosen appropriately for the context in which SP is to be used and so we do not want to change it even when composing implementations. In general, there is no hope for such a result. If a I is too "liberal", there is no reason to expect that transforms any a'(SP')-model to a model of a(SP). However, the following theorem does hold: T h e o r e m 4 ( v e r t i c a l c o m p o s i t i o n ) I] SP ~ SP s and SP' ~ , SP then SP ~ SP" provided preserves the abstraction equivalences, i.e. for any two algebras A1, A2 E P A l g ( Sig[SP']) if A1 =--~, A2 then a(A1) ---~ a(A2). [] A methodological conclusion from this theorem is that the development process should proceed as follows: starting from a specification SP considered in a context for which an abstractor a is appropriate, we (abstractor) implement SP, say ST' ~ SP'. The next step should be to establish the appropriate abstractor up to which SP' may be considered by "pushing ~ through a". Namely, this should be the abstractor determined by the equivalence a - ~ ( - , ) where for A, A' E PAlg(SIg[SP']), A a - l ( ~ a ) A t iff a(A) ----~~(A'). Then, we can proceed with the development of SP' in the context of the abstractor determined by ~-~(-~). (Actually, any equivalence finer than a - ~ ( = , ) will do.) Similar ideas in the context of concurrent processes appear in [Lar 86]. C o r o l l a r y 1 If SPo ~ SPo ~ SP,.

"" ~

SP, and -a2 C _

Ell(-----ai)

and ... and - ~ . C _ a ,-i_ l ( =_a . _ , ) then []

Note that in practice, it is often convenient to sharpen the above results. They hold if the constructors preserve the equivalences between models of the appropriate specifications (e.g. in the vertical composition theorem it is sufficient that ~(A1) ~ ~(A2) for any A1 e PAlg(Sig[SP']) and A2 E Mod[SP'] such that A1 =-~, A2). In the rest of this section, we show that vertical composition and the above methodological remarks may work in practice. On one hand, the constructors we have introduced do preserve appropriate (observational) equivalences; and on the other hand, we show how to push standard observational equivalences in a satisfactory way through the constructors we have defined. L e m m a I ( d e r i v e ) For any signature morphism a: E1 --+ E2 and set W of ground E2-terms, P j l ( - w ) : ---aCW), where P~: Spec(E2) --+ Spec(E1) : d 4 ~X: E2. d e r i v e f r o m X b y a. [] L e m m a 2 ( r e s t r i c t ) For any signature E, S C sorts(E) and set W of ground E-terms, A - w ]~s(A) for all E-algebras A, where Rs: S p e c ( E ) -* Spec(E) =~el AX: E. r e s t r i c t X on S. [] The above lemma gives directly a characterisation of the result of pushing observational equivalence through r e s t r i c t constructors. Moreover, it directly implies that r e s t r i c t steps may be skipped if we use abstractor implementations. C o r o l l a r y 2 Under the assumptions of lemma P, ]~l(=-w) = - w .

[]

105

C o r o l l a r y 3 Under the assumptions of lemma 2, if a is the abstractor determined by n-w, then for any E-specifications SP and SP', SP ~~s SP' implies SP ~t a SP'. [] It is worth pointing out that the above corollary also allows us to throw out r e s t r i c t steps "in the middle" of the development process (provided that the intermediate equivalence used in this step satisfies the assumptions of lemma 2). This means that corollary 2 becomes superfluous since instead of using it to push equivalences through r e s t r i c t steps we can just skip these steps entirely. The situation with q u o t i e n t steps is similar although we need slightly more restrictive assumptions (see [ST 87] for details). Definition 9 For any signature morphism a: Z ---* Z', constructor ~: Spec(~) --~ Spec(Z') and sets W and W' of ground Z- and ground ~'-terms respectively, ~ is observably sufficiently complete (wrt W , W ' ) if for any term t' E W', either for any A E PAlg(Z), ~(A) ~ D(t') or there exists a term t e W such that for any A e PAlg(Z), ~¢(A) ~ t' = or(t). Typically, we will consider sets W and W' such that observable sufficient completeness is a weaker condition than sufficient completeness, which corresponds to the case where W' is the set of all ground }]'-terms of the sorts a(S) for S =a,f sorts(P.) and W is the set of all ground E-terms. Definition 10 For any signature morphism a: ~ --* ~', constructor ~: Spec(Z) --~ Spec(I]') and set W of ground E-terms, ~c is observably persistent {wrt W ) if for all terms tl,t2 E W of the same sort and anu A E PAIg(Z), ~(A) ~ a(tl) = a(t2) iff A ~ tl = t2 and ~(A) ~ D(a(tl)) iff A ~ D(tl). Notice that observable persistency is a weaker condition than the standard persistency. L e m m a 3 (synthesize) For any signature morphism a: Z --* Z' which is injective on sorts, structor t~: Spec(Z) --, Spec(~') and sets W and W' of ground Z- and Zt-terms respectively, is observably sufficiently complete wrt W, W ~ and observably persistent wrt W then ~¢-i(-~w,) 3 Moreover, if in addition W is a minimal set such that observable sufficient completeness holds '~- ~ ( - w , ) = - w .

conif =w. then []

As remarked already, constructor implementation using the derive, restrict, quotient and e x t e n d constructors subsumes many of the notions of implementation in the literature. The above lemmas imply that the extension of any of these notions to a corresponding notion of abstractor implementation goes through smoothly. L e m m a 4 ( a m a l g a m a t e d union) Let ~1: S p e c ( Z ) - - ~ Spee(Z1) ands:2: S p e e ( B ) - ~ Spec(E2) be persistent constructors, W, W 1 , W 2 be sets of ground Z-, ~1- and ~.2-terms respectively such that ~1 is observably sufficiently complete wrt W, W1 and ~2 is observably sufficiently complete wrt W, W 2. Recall that ~ =def ~;1 + ~2: Spee(P,) ~ Spee(Z'), where al Z • ZI

Z2

' P,,'

is a pushout in Sign, is a persistent synthesizing constructor (along a l ; a l ' = a2;a2'} such that for A e PAlg(Z), ~(A) is the unique E'-algebra such that ~;(A)1ol, = ~I(A) and to(A) o~, = ~;2(A). Under these assumptions, ~ is observably sufficiently complete wrt W , W ' where W I =def e l (W1) U ~2' ( w 2 ) .

[]

C o r o l l a r y 4 Under the assumptions of lemma 4, ~c-l(-w ') 2 - w .

[]

106

L e m m a 5 ( t r a n s l a t i o n of a c o n s t r u c t o r ) Consider again the pushout diagram from lamina 4. Let W, W1, W2 be sets of ground E-, E l - and E2-terms respectively, and let s l : Spec(E) _z2+Spec(E1) be a persistent constructor. If ~1 is observably su~ciently complete wrt W, W1 and cr2(W) C_ W2 then o2(~1): Spec(E2) --* Spec(E') is observably sui)~eiently complete wrt W 2 , W ~ where W' =

o1'(w1) u ~2'(w 2).

[]

C o r o l l a r y 5 Under the assumptions of lemma 5, o2(~1)-1(~w ,) ~ ~w2.

[]

6

Parameterisation

and

implementations

In the same way as the simple notion of refinement on specifications gave rise to a notion of refinement for parameterised specifications, the definitions of constructor and abstractor implementation extend to notions of constructor and abstractor implementation for parameterised specifications.

6.1

Parameterisation and constructor implementations

Definition 11 For any parameterised specification P: Spec(Ep~r) --* Spec(Er,~) and specificationbuilding operation w: Spec(E,~,) --~ Spec(E), w(P) is a parameterised specification defined by w(P) ~-def ~X: Ep~.w(P(X)): Spec(Ep,r) ~ Spec(E). Definition 12 ( c o n s t r u c t o r i m p l e m e n t a t i o n ) For any parametcrised specifications with a com-

mon parameter signature P" Spec(r~po,) -- Spec(~) and P': Spat(r po,) -- Spec(~') and constructor ~: Spec(E t) --~ Spec(E), P is implemented by pw via tc, written P ~ g~, if P .....-> tc(P'). This subsumes the notion of implementation of parameterised specifications in [SW 82]. It resembles the one in [Lip 83], where a parameterised specification is a (strongly) persistent functor. According to [Lip 83], P is implemented by P' via a construction F (another persistent functor, obtained by composing certain specification-building operations) if there is some P" and (persistent) natural transformations i: P" -~ P';F and s: P" -~ P such that i and s are componentwise injective and surjective respectively. In our framework, this corresponds roughly to an implementation via the composition of a persistent constructor, a restrict step and a q u o t i e n t step (in that order). Although there are several other definitions of implementation of parameterised specifications in the literature (see e.g. [EK 82], [GM 82] and [Gan 83]) it is difficult to compare them with ours because our definition extends the definition for the non-parameterised ease in the usual way that a relation is extended from elements to functions (that is, pointwise). In contrast, [EK 82] defines implementation of parameterised specifications by comparing their bodies and then proves that this implies our notion of implementation. This is arguably preferable from the point of view of proving correctness of implementations but we prefer to adopt the natural definition and treat the problem of proving correctness separately. T h e o r e m 5 (vertical c o m p o s i t i o n ) For any parameterised specifications P, P t p , parameter signature Epa~, if P ~ P~ and P~ ~ P" then P ~ P'.

with common []

As in fact 3, we can strip off outermost constructors from parameterised specifications: Fact 5 For any parameterised specifications P and P~ and constructor ~ on the result signature of p, ~(p) ~ P~ provided that P ~ P'. [] Constructor implementations do not compose horizontally. In fact, the standard formulation of the horizontal composition property is not even well-formed in this case. Namely, if P: Spec(Ep,r) --* Spec(Ere,) is a parameterised specification, SP is a Ep,r specification and SPitz"> SP', then in general Sig[SP'] ~ Evar and so P(SP') is not even well-defined. However:

107

T h e o r e m 6 ( h o r i z o n t a l c o m p o s i t i o n ) Given a parameterised specification P with parameter signature Ep~r and a Ep~r-speeifieation SP, if P ~ P' and SP ~ SP' then P ( S P ) ~ P'(tt(SP)). [] Although this is not horizontal composition as formulated in [GB 80], it is perfectly adequate for our purposes. It guarantees that in the case of a specification formed by applying a parameterised specification P to a E-specification SP, the developments of P and SP may proceed independently and the results be successfully combined. If P ~ P1 ~ "'" ~ Pn and SP ~ SPx u ~ ... ~ SPa then P ( S P ) ~ P~((#,~;..-;#,)(SP~)). We aim at reducing the parameter specification to the empty specification and the parameterised specification to the identity. If SP~ = <E$,~) and P , = ).X: E . X then the composition of constructors tt,~;..- ; # 1 ; ~ ; " " ;gl implements P(SP). 6.2

Parameterisation

and

abstractor

implementations

D e f i n i t i o n 13 ( a b s t r a c t o r i m p l e m e n t a t i o n ) For any parameterised specifications with a common parameter signature P: S p e c ( ~ p ~ ) -~ S p e c ( E ) and P': Spec(Ep~r) -+ S p e c ( E ' ) , abstractor a: S p e c ( E ) --* S p e c ( E ) and constructor to: S p e c ( E ' ) -+ S p e c ( E ) , P is implemented by P ' wrt a via ~, written P ~ P', if a(P) ~ ~(P'). T h e o r e m 7 ( v e r t i c a l c o m p o s i t i o n ) For any parameterised specifications P, P~, P" with common parameter signature Ep~,, if P ~ P ' and p, ~~' p , then P ~ P" provided that t; preserves the abstraction equivalences. [] Applicability of this result in program development requires proving that the constructors we use preserve the appropriate abstraction equivalences. For this, lemmas 1-5 of section 5 are applicable just as in the non-parameterised case. Unfortunately, the horizontal composition theorem for abstraetor implementations does not hold, even in the form suggested by the horizontal composition theorem for constructor implementations; parameter specifications cannot in general be abstracted from since parameterised specifications can make essential use of non-observable parts of the parameter. One way to circumvent this is to restrict attention to parameterised specifications which use their arguments in an abstract way, so that if we change the argument to an equivalent one we get a result which is equivalent. D e f i n i t i o n 14 Let a: S p e c ( E ) -~ Spec(E) be an abstraetor. We say that two E-specifications SP1 and SP2 are a-equivalent if Mod[a(SP1)] = Mod[a(SP2)]. T h e o r e m 8 ( h o r i z o n t a l c o m p o s i t i o n ) [[ P ~ P , and SP ~~' SP , then P(SP) ~ p,(,~,(SpO ) provided that P preserves a~-equivalenee, i.e. for any specifieatior~ S P 1 , S P 2 over the (common) parameter signature of P and p,, P(SP1) and P(SP2) are a-equivalent whenever SP1 and SP2 are a'-equivalent. [] The requirement that P preserves aLequivalence in the above theorem is guaranteed in either of the following three cases: 1. P has the form ~X: E.SPI[a'(X)], i.e. P abstracts from its argument before using it. 2. P is built entirely from constructors which preserve the relevant abstraction equivalences. 3. The abstractor a' is trivial, i.e. for any specification SP, Mod[a'(SP)] = Mod[SP]. The last c~se amounts to the following: Corollary 6 I/P

~ P ' and SP ~

SP' then P ( S P ) ~

P'(td(SP')).

[]

108

A constructor implementation SP ~ SP ~ is an abstractor implementation SP ~ SP ~ where the abstractor ~ is trivial. Notice however that when we push the corresponding equivalence through ~ and the constructors used in the further implementation of SP ~, the resulting abstraction equivalences may determine non-trivial abstractors again and so the use of techniques of abstractor implementations may be essential further on.

7

Concluding remarks

A number of important problems connected with the ideas presented here remain to be considered. First, we do not discuss here any methods for proving correctness of refinements; methods for proving theorems in specifications, especially in the context of observational abstraction [ST 86a,86b], are relevant to this problem. This would be especially important in the case of parameterised specifications. There is a large body of technical work in the literature on different specific notions of implementation. Viewed in our approach, each of these notions corresponds to a restriction on the choice of constructors and abstractors which may be used. We have tried to unify and generalise the many different notions of implementation in the literature. This quest for generality yields a uniform framework in which we can compare different approaches. We can investigate which of the problems encountered under different notions of implementation are inherent to the very concept of what an implementation should be and which are just technicalities caused by the imposed restrictions, and conversely, which results and properties are consequences of such restrictions and which are inherent to the nature of implementations. We have not yet tried to pursue this line of investigation in a systematic manner. According to our definition, any inconsistent specification refines any specification over the same signature. But if we succeed in refining a specification to a program then the original specification must have been consistent. This means that checking consistency is not necessary to ensure correctness of the development process. However, an inconsistent specification is a blind alley. On the other hand, even a consistent specification may have no computable model and so we cannot in general avoid blind alleys in program development anyway. In what we have presented here, constructors are just functions rather than actual pieces of programs in ~he usual sense. We did not give any particular syntax for defining constructors. It would be interesting to develop a programming language which would provide facilities for defining and composing constructors (this would probably require restricting the notion of constructor we use, as implied in section 3). A good starting point seems to be Standard ML [Mil 85] with modules [MacQ 85 I, where constructors could be defined as Standard ML functors (i.e. parameterlsed modules}. Acknowledgements Many of the ideas in this paper evolved in close collaboration with Martin Wirsing. Thanks to Oliver Schoett for many relevant discussions, to Hartmut Ehrig for his criticism which stimulated us to write these ideas down, and to an anonymous referee who directed our attention to [Lip 83]. Thanks to Teresa for (gastronomic) care. This work was supported by grants from the Alvey Directorate and the Polish Academy of Sciences.

8

References

[ B M P W 86] Broy, M., MSller, B., Pepper, P. and Wirsing, M. Algebraic implementations preserve program correctness. Science o/Computer Programming 7, pp. 35-53. [ B r W 82] Broy, M. and Wirsing, M. Partial abstract types. Acta In/ormatica 18 pp. 47-64.

109

[BG 77] Burstall, R.M. and Goguen, J.A. Putting together theories to make specifications. Proc. 5th Intl. Joint Conf. on Artificial Intelligence, Cambridge. [BG 80] Burstall, R.M. and Goguen, J.A. The semantics of Clear, a specification language. Proc. of Advanced Course on Abstract Software Specifications, Copenhagen. Springer LNCS 86, pp. 292-332. [deNH 84] de Nlcola, R. and Hennessy~ M.C.B. Testing equivalences for processes. Theoretical Computer Science 34, pp. 83-133. [Ehr 81] Ehrich, H.-D. On realization and implementation. Proe. lOth Intl. Syrup. on Mathematical Foundations of Computer Science, Strbske Pleso, Czechoslovakia. Springer LNCS 118. [Ehr 82] Ehrich, H.-D. On the theory of specification, implementation~ and parametrization of abstract data types. Journal of the Assoc. for Computing Machinery 29 pp. 206-227. [ E K M P 82] Ehrig, H., Kreowski, H.-J., Mahr, B. and Padawitz, P. Algebraic implementation of abstract data types. Theoretical Computer Science 20 pp. 209-263. [EM 85] Ehrig, H. and Mahr, B. Fundamentals of Algebraic Specification I: Equations and Initial Semantics. EATCS Monographs on Theoretical Computer Science, Springer. [EWT 83] Ehrig, H., Wagner, E.G. and Thatcher, J.W. Algebraic specifications with generating constraints. Proc. lOth Intl. Colloq. on Automata, Languages and Programming, Barcelona. Springer LNCS 154, pp. 188-202. [Gan 83] Ganzinger, H. Parameterized specifications: parameter passing and implementation with respect to observability. TOPLAS 5, 3pp: 318~354: [GGM 76] Giarratana, V., Gimona, F. and Montanari, U. Observability concepts in abstract data type specification. Proe. 5th Intl. Syrup. on Mathematical Foundations of Computer Science, Gdansk. Springer LNCS 45. [GB 80] Goguen, J.A. and Burstall, R.M. CAT, a system for the structured elaboration of correct programs from structured specifications. Technical report CSL-118, SRI International. [GB 84] Goguen, J.A. and Burstall, R.M. Introducing institutions. Proe. Logics of Programming Workshop (E. Clarke and D. Kozen, eds.), Carnegie-Mellon University. Springer LNCS 164, pp. 221-256. [GM 82] Goguen, J.A. and Meseguer, J. Universal realization, persistent interconnection and implementation of abstract modules. Proe. 9th Intl. Colloq. on Automata, Languages and Programming, Aarhus. Springer LNCS 140, pp. 265-281. [ G T W 78] Goguen, J.A., Thatcher, J.W. and Wagner, E.G. An initiM algebra approach to the specification, correctness, and implementation of abstract data types. Current Trends in Programming Methodology, Vol. 4: Data Structuring (R.T. Yeh, ed.), Prentice-Hall, pp. 80-149. [Kam 83] Kamin, S. Final data types and their specification. TOPLAS 5, 1 pp. 97-121. [Lar 86] Larsen, K. Context-dependent bisimulation between processes. Ph.D. thesis, Dept. of Computer Science, Univ. of Edinburgh. [Lip 83] Lipeck, U. Ein aIgebraischer Kalkiil ffir einer strukturierten Entwurf yon Datenabstraktionen. Ph.D. thesis, Abteilung Informatik, Universit~t Dortmund. [LB 77] Liskov, B.H. and Berzins, V. An appraisal of program specifications. Computation Structures Group memo 141-1, Laboratory for Computer Science, MIT. [MacQ 85] MacQueen, D.B. Modules for Standard ML. Polymorphism 2~ 2. [Mil 85] Milner, R.G. The Standard ML core language. Polymorphism 2, 2. [Moo 56] Moore, E.F. Gedanken-experiments on sequential machines. In: Automata Studies (C.E. Shannon and J. McCarthy, eds.), Princeton Univ. Press, pp. 129-153.

110

[Ore 83] Orejas~ F. Characterizing composability of abstract implementations. Proe. Intl. Con/. on Foundations o/ Computation Theory, Borgholm, Sweden. Springer LNCS 158, pp. 335-346. [PB 85] Parisi-Presicce, F. and Blum, E.K. The semantics of shared submodules specifications. Proe. 10th Colloq. on Trees in Algebra and Programming, Joint Conf. on Theory and Practice of Software Development (TAPSOFT), Berlin. Springer LNCS 185, pp. 359-373. [Rei 81] Reichel, H. Behavioural equivalence - a unifying concept for initial and final specification methods. Proc. 3rd Hungarian Computer Science Conference, Budapest, pp. 27-39. [ST 85a] Sannella, D.T. and Tarlecki, A. Some thoughts on algebraic specification. Proc. Srd Workshop on Theory and Applications of Abstract Data Types, Bremen. Springer InformatikFachberichte Vol. 116, pp. 31-38. [ST 85b] Sannella, D.T. and Tarlecki, A. Program specification and development in Standard ML. Proe. 12th ACM Syrup. on Principles o/ Programming Languages, New Orleans, pp. 67-77. [ST 86a] Sannella, D.T. and Tarlecki, A. Specifications in an arbitrary institution. Report CSR184-85, Dept. of Computer Science, Univ. of Edinburgh; to appear in In/ormation and Control. [ST 86b] Sannella, D.T. and Tarlecki, A. On observational equivalence and algebraic specification. Report CSR~172-84, Dept. of Computer Science, Univ. of Edinburgh; to appear in Journal of Computer and Systems Sciences. [ST 87] Sannella, D.T. and Tarlecki, A. Toward formal development of programs from algebraic specifications: implementations revisited (full version). Research report, Dept. of Computer Science, Univ. of Edinburgh (to appear). [SW 82] Sannelta, D.T. and Wirsing, M. Implementation of parameterised specifications (extended abstract). Proc. Oth Intl. Colloq. on Automata, Languages and Programming, Aarhus. Springer LNCS 140, pp. 473-488. [SW 83] Sannella, D.T. and Wirsing, M. A kernel language for algebraic specification and implementation (extended abstract). Proe. Intl. Conf. on Foundations of Computation Theory, Borgholm, Sweden. Springer LNCS 158, pp. 413-427. [Sch 82] Schoett, O. A theory of program modules, their specification and implementation (extended abstract). Report CSR-155-83, Dept. of Computer Science, Univ. of Edinburgh. [Tar 86] Tarlecki, A. Software-system development - - an abstract view. Information Processing '86. North-Holland, pp. 685-688.

FINITE ALGEBRAIC SPECIFICATIONS OF SEMICOMPUTAB-LE DATA TYPES(*) G. Marongiu D p t . o f Mathematics, U n i v e r s i t y of Bologna, Italy S. Tulipani D p t . o f Mathematics and Physics, U n i v e r s i t y of Camerino, Italy

0-I n t r o d u c t i o n For many y e a r s computer s c i e n t i s t s have looked at data objects in terms of axioms which g o v e r n the beilaviour of data s t r u c t u r e s .

Data Type S p e c ~ c ~ o , l .

Such an attempt is called

)~bsL'Lac~

A b s t r a c t i o n is i n v o l v e d in the fact that only p r o p e r t i e s

which are i n d e p e n d e n t of data r e p r e s e n t a t i o n are c o n s i d e r e d . In the a l g e b r a i c a p p r o a c h , initiated in the p a p e r of LISKOV-ZiLLES [1974], data s t r u c t u r e s are t h o u g h t of as algebras in the s e n s e of g e n e r a l a l g e b r a (see also [ Zi 79] and specifications are g i v e n in terms of equations or conditional e q u a t i o n s . But, only p a r t i c u l a r models of the s p e c i f y i n g axioms play a special role. Data s t r u c t u r e s are u s u a l l y finite, sometimes potentially infinite. T h e r e f o r e , the significant models of a data t y p e specification E in a s i g n a t u r e Z a r e g i v e n b y the class Algm(Z,E) whose members are the models of E which are finitely g e n e r a t e d b y elements named as const_ ants in Z. The initial a n d final objects in Aigm(Z,E), which a r e g i v e n up to isomorphism, determine the initial and final a l g e b r a semantics, r e s p e c t i v e l y . More p r e c i s e l y , assuming t h a t two closed terms t , s of s i g n a t u r e

Z are g i v e n , t h e n , the equation

t=s is t r u e when the terms t , s are e v a l u a t e d in the initial a l g e b r a if and only if the formal equation t=s can be p r o v e d from E. Moreover, the equation t=s is c o n s i s t e n t with E if and only if it is t r u e in the final a l g e b r a . Both initial and final a l g e b r a semantical a p p r o a c h e s have been widely d i s c u s s e d (see [ADJ 75,78,82], book

~/a 79], the

~-M 85].

BERGSTRA and TUCKER [1983 ] c~scussed the problem of c h a r a c t e r i z i n g semicom~ utable (cosemicomputable, computable) data t y p e s by means of finite conditional s p ecification with h i d d e n f u n c t i o n s and no additional s o r t s plus initial a l g e b r a semantics (*) R e s e a r c h p e r f o r m e d u n d e r the auspices of the Italian CNR and MPI. This is a r e v i s e d v e r s i o n of p r e v i o u s ( u n p u b l i s h e d ) p a p e r which circulated u n d e r the title: Finite Specification of Data T y p e s with e x t r a Operations.

1t2

(plus final a l g e b r a semantics), plus both semantics, r e s p e c t i v e l y .

However, the

problem is solved only for cosemicomputable and computable data t y p e s . We have t r i e d to solve the problem for semicomputable data t y p e s g i v i n g a c h a r acterization which is weaker than that c o n j e c t u r e d in the p a p e r [B-T 83]. More

prec

isely, let us assume A is an infinite semicomputable a l g e b r a of s i g n a t u r e Z and finite l y g e n e r a t e d b y constants named in its s i g n a t u r e . T h e n , we can determine a finite conditional equation s p e c i f i c a t i o n ( ~ E ) where z ' is a finite s i g n a t u r e e x t e n d i n g z with no additional s o r t s so t h a t : g i v e n two closed terms t , s of s i g n a t u r e (1)

t=s

Z, then

is t r u e in A if and only if t=s is provable from E.

Moreover, our method p r o v i d e s an expansion A' to s i g n a t u r e Z' of the s t r u c t u r e h such that A ~ is a model of E. However, A' in ' o u r theorem is not t h e initial a l g e b r a of Alg m ( Z ' , E ) , as BERGSTRA and TUCKER c o n j e c t u r e d in the semicomputable case. In fact we cannot p r o v e for closed terms, t ' , s ~ of s i g n a t u r e z': (2)

t'=s' is t r u e in ~ if and only if t'=s ~ is pro~able from E.

This means that the specification (Z',E) is a c o n s i s t e n t e x t e n s i o n b u t not an enrichm ent of a specification for A extend

(see [E-M 85, Chap. 6 ]). F u r t h e r m o r e our r e s u l t s also

n a t u r a l l y to cosemicomputable and to computable data t y p e s (see Theorems

B and C). The agility of proof via Combinatory Logic does not consent comparison of the complexity of the s e t of conditional equations E to the complexity of the r e c u r s i v e functions which define A. This problem will be e x p l o r e d in f u t u r e work [M-T 86 ] where it has also b e e n p r o v e d that one single equation is s u f f i c i e n t f o r s p e c i f y i n g a computable a l g e b r a as a h i d d e n enrichment u n d e r both initial and final a l g e b r a semantics ( a c c o r d i n g to BERGSTRA and TUCKER Definition, see [B-T 83] and [B-T 8{)]. To simplify notation, we t r e a t the case of s i g n a t u r e

Z in a single s o r t . However,

the r e s u l t s can be easily e x t e n d e d to m a n y - s o r t e d a l g e b r a s . It is assumed that the r e a d e r is familiar with the p a p e r s of B e r g s t r a and T u c k e r [ B - T 83], [ B - T 86] and with the main p a p e r s on specification t h e o r y ; in p a r t i c u l a r

~ - M 85]. Moreover, the

basic notations of u n i v e r s a l a l g e b r a and r e c u r s i o n t h e o r y a r e assumed (see [Gr 78 ], ~ z 79] ). In p a r t i c u l a r , it is assumed an u n d e r s t a n d i n g of the notions of semicomputable, cosemicomputable and computable a l g e b r a which can be found t r e a t e d in full in MAL'CEV [1961] (see also [Ra 60]).

113

1-Preliminaries and Notations. Let Z be a finite algebraic signature having at least one constant symbol. We shal} denote

~ b Y { f l , . . . , fk' c 1 " " '

Cr} where f l , . . . , f k

are function symbols and cl ,

. . . , c constant symbols. If A is an algebra of carrier A and signature ~ we denote r the i n t e r p r e t a t i o n s of the symbols oi' Z in the a l g e b r a A b y # f~k CA A AS pointed out in the introduction, we shall consider only algebras of finite signature and in addition they are infinite and generated by elements named as constants in their signature. Hence, if an algebra is of signature E it is generated by the elA A ements c 1 , . . . , c r . For s u c h a l g e b r a s the definitions of semicomputable, cosemicomputable and computable can be g i v e n more simply than in the g e n e r a l case along the following lines (see [Ma 61] , [ B - T 86]). Definition 1.1

An a l g e b r a N is a r e c u r s i v e number a l g e b r a if and only if the c a r

t i e r of N is the set

N

of n a t u r a l numbers and the operations of N a r e r e c u r s i v e

functions. Definition 1.2

Let

same s i g n a t u r e and

A be an a l g e b r a and N be a r e c u r s i v e number a l g e b r a of the ~: N -~ A be a morphism. T h e n , ~ is

(i)

a r e c u r s i v e l y enumerable ( r . e ) morphism,

(ii)

a c o r e c u r s i v e l y enumerable ( c o - r . e . ) morphism,

(iii)

a r e c u r s i v e morphism,

if and only if k e r

n = p

is

(i)

a r e c u r s i v e l y enumerable relation,

(it)

a relation whose complement in N 2 is r e c u r s i v e l y enumerable,

(iii)

a r e c u r s i v e relation,

respectively. Definition 1.3

Let A be an a l g e b r a . T h e n ,

(i)

semicomputable,

(it)

cosemicomputable,

(iii)

computable,

A is

if and only if t h e r e e x i s t s a r e c u r s i v e number a l g e b r a N (of t~e same s i g n a t u r e ) and a surjective ~ : N -~ A such that ~ is (i)

a r.e epimorphism,

(it)

a co-r.e, epimorphism,

(iii)

a recursive epimorphism, respectively.

114

F o r t h e f o l l o w i n g d i s c u s s i o n we n e e d some f a c t s a b o u t c o m b i n a t o r y a l g e b r a s a n d c o m b i n a t o r y logic t h a t we r e c a l l i n o r d e r to f i x t e r m i n o l o g y a n d n o t a t i o n 0 f o r a c o m p r ehensive treatment see

[Ba 8 1 ] ,

[H-S 80] ) . L e t cl = { , , K , S }

be a signature

such that

- is a s y m b o l of b i n a r y o p e r a t i o n a n d K , S a r e c o n s t a n t s y m b o l s . A c o m b i n a t o r y a l g e b r a is a s t r u c t u r e

M = (M, • , K M , s M) of s i g n a t u r e

El.

Kox-y = x

E2.

S-xoy.z

= x-z,

(y,z)

cl w h i c h s a t i s f i e s t h e a x i o m s :

,

w h e r e t h e a s s o c i a t i o n f o r t h e o p e r a t i o n s y m b o l • is d o n e a s u s u a l f r o m t h e l e f t so t h a t MlOM {

...o

T(cl),

i.e.

Mk

m e a n s ( . . . ( ( M 1 - M 2 )-M 3) . . . .

a t e r m of s i g n a t u r e

cl w i t h

no

),M k

. A c o m b i n a t o r is a t e r m i n

variables.

Some c o m b i n a t o r s a r e c a l l e d

n u m e r a l s . More s p e c i f i c a l l y , if n is a n e t u r a l n u m b e r we d e n o t e b y rn~ a - c o m b i n a t o r w h i c h is c a l l e d t h e n u m e r a l r e p r e s e n t i n g r0~ = K*I

n a n d is d e f i n e d i n d u c t i v e l y a s follows:

r n + l1 = S , B o r n 7

(1.4)

w h e r e as u s u a l I is t h e c o m b i n a t o r S - K ° K a n d B is t h e c o m b i n a t o r S , ( K o S ) . K . denote the equational theory,

We

w h o s e n o n logical axioms a r e E1 a n d E2 a n d w h i c h is

n a m e d C o m b i n a t o r y L o g i c , b y CL. What we n e e d is t h e f o l l o w i n g ( s e e [ B a 81 ]) Faot 1.5.

F o r e v e r y r e c u r s i v e f u n c t i o n f t h e r e e x i s t s a c o m b i n a t o r F f w h i c h repres_

ents f in CL,

viz. for all natural

numbers

nl,...,n m

CL ~-- Ff

nI

...

m

rf(n I ..... nmf.

2-Semic0mloutable D a t a T y p e s . T h e o r e m A. a finite set all

Let

Main r e s u l t .

A b e a s e m i c o m p u t a b l e a l g e b r a of s i g n a t u r e Z . T h e n , t h e r e e x i s t s

E of c o n d i t i o n a l e q u a t i o n s i n a s i g n a t u r e

t l , t 2 e_ T ( ~ ) :

El--- t l = t 2

if a n d o n l y if

A~

X' e x t n e d i n g

~ such that for

tl=t 2 •

I n o r d e r to p r o v e T h e o r e m A we m u s t c a r r y o u t some c o n s t r u c t i o n s

a n d p r o v e two

Lemmas. Let

A b e a s e m i c o m p u t a b l e i n f i n i t e a l g e b r a of s i g n a t u r e

N be a recursive

n u m b e r a l g e b r a of s i g n a t u r e

Let us suppose that ml,...,m ~(m 1) = c A , . . . , a n d m.=m. 1

]

A A i f f c. = c.

Let p be ker ~

1

]

X and

Z = {fl'""

'fk'Cl"'"c~

~ : N -~ A b e a r . e .

,

epimorphism.

r are natural numbers such that A ~(m r ) = c r

for i,j=l, .... r.

and g be a recursive

f u n c t i o n of t h r e e v a r i a b l e s s u c h t h a t f o r

(2.1)

115

m,n ~ N , (m,n)~

p iff t h e r e is a n a t u r a l n u m b e r p s u c h t h a t g ( m , n , p )

= 0. When

f is a f u n c t i o n sz]mbol which is not c o n s t a n t of s i g n a t u r e Z, t h e c o m b i n a t o r which r e p r esents

in

CL

bet algebra

t h e f u n c t i o n fN w h i c h i n t e r p r e t e s

N is d e n o t e d b y Ff. F i n a l l y ,

t h e symbol f in t h e r e c u r s i v e nu_m

the combinator which represents

the rec

u r s i v e f u n c t i o n g w h i c h e n u m e r a t e s k e r ~ is d e n o t e d b y G. Let now ~' be t h e s i g n a t u r e {fl""'fk'cl i.e.,

Z' is

~ u

'''''cr'

° ,K,S,

Nat, Horn}

cl p l u s two u n a r y o p e r a t i o n symbols Nat,Horn.

list of c o n d i t i o n a l e q u a t i o n s in ~', w h e r e x , y , x l , x

2....

C o n s i d e r t h e following

d e n o t e v a r i a b l e s . To simplify

n o t a t i o n we mention o n l y one of t h e f u n c t i o n symbols f l ' " "

' f k ' s a y it f of m a r g u m e n t s

E l - E 2 axioms of CL. E3

is the conjunction for all f in ~ of

(1 ~ m

N a t ( x i ) = K ) ÷ Hom(Ff* x 1- . . . . Xm) = f ( H o m ( x l ) . . . . . Hom(Xm))

E4

l
E5

N a t ( r 0 ~) = K I, ( N a t ( x ) = K - + N a t ( ( S o B ) , x )

E6

( N a t ( x ) = K ^ N a t ( y ) = K /x Nat(z) = K A G . x o y ° z = r0")--+ H o m ( x ) = H o m ( y ) .

C.

] =K)

T h e s e t of axioms E l - E 6 is d e n o t e d b y E. The i d e a we h a v e e x p l o i d e d f o r w r i t i n g down t h e s e t of axioms E can be r o u g h l y d e s c r i b e d as follows. T h e a l g e b r a A may be e x p a n d e d to a s t r u c t u r e A' w h i c h also becomes a c o m b i n a t o r y a l g e b r a . structure

Therefore,

the

N can be c o d i f i e d in t h e e x p a n s i o n A' of A. T h e u n a r y o p e r a t i o n symbol Nat

is i n t e n d e d to be i n t e r p r e t e d

in t h e " c h a r a c t e r i s t i c f u n c t i o n " of t h e s u b s e t of n a t u r a l

n u m b e r s of A'. In t h i s w a y t h e s t r u c t u r e s

N a n d A a r e g l u e d u p in t h e s t r u c t u r e

A'

a n d t h e u n a r y o p e r a t i o n symbol Horn is i n t e n d e d to be i n t e r p r e t e d in t h e codification of ~ in A'. All t h i s is f o r m a l i z e d in t h e f o l l o w i n g Lemma. Lemma 2.2

S u p p o s e A is t h e a l g e b r a of s i g n a t u r e

Z previously described.

Then,

t h e r e e x i s t s an a l g e b r a A' w h i c h is an e x p a n s i o n of A to Z' a n d is a model of E. Proof.

Since A is i n f i n i t e , we may t a k e a non t r i v i a l c o m b i n a t o r y a l g e b r a

( M , ° , K M , s M)

M =

b i j e c t i v e to A. U s i n g one b i j e c t i o n from A to M we can t r a n s l a t e t h e

o p e r a t i o n s of M in t h e o p e r a t i o n s • , K A , s A on A so t h a t t h e s t r u c t u r e is i s o m o r p h i c to M. Let now Nat A, Hom A be u n a r y o p e r a t i o n s on A s u c h t h a t f o r a ~ A

( A , . , K A , s A)

116

I KA NatA(a) =

SA

HornA(a) =

{ 7 (n) sA

a = rn~A

if there is n ~ N such that otherwise

if there is n ~ N such that a = rnl otherwise

Here r n ' A is the interpretation in the s t r u c t u r e ( A , * , K A , s A) of the numeral rn~. This interpretation will be called the "codification" in the s t r u c t u r e ( A , * , K A , s A) of the natural

number

n.

The expansion A' is now defined as follows A' = (A,°,KA,s A, NatA, HornA) We

will now

show

that

A' is a model

of E. Axioms

E1 and

E2 are

true

in A' because

the reduct of A' to cl is a combinatory algebra being isomorphic to M. To prove E3, assume a l , . . . .

am are elements of A which satisfy

1
By the def_

inition of Nat A there are natural numbers n l , . . . , n m such that al= r n ,1A , . . . . a m=rn~A" m We must now show that a l , . . . ,am also satisfy the second member of the implication in E3.

Now

using

FfA By

Fact

rnlA-

the definition

1.5

• " "

we

have

• rnTA = yfN(nl, m

of Horn A we

have

qA " " ' 'nm)

that

HomA(rfN(nl, • . . , n m ),A ) . ~(fN(nl, . . . fA(HomA(al) . . . . . Since

(2.3)

'

Horn(am )

,nm))

(2.4)

and

= fA( ~(nl ) . . . . . ~(nm)) .

~ is a morphism

fA(HomA(al) . . . . , HomA(am )) = ~ ( f N ( n l , . . . ,nm) ) .

(2.5)

Therefore, from (2.4) and (2.5) we can conclude Hom That

A

E4 is true

A (Ffin

a I ....

• am )) =

A' follows

immediately

fA(HomA(al) from

'°'°'

HomA(am

the definition

))

of Hom A

" and

(2.1).

It is

117

easy

to prove

that E5 is true in A' from

Proof of E6. Assume by a, y by b and

that a,b,c z by

the definition

of numeral

& A satisfy the antecedent

c. This

means

that there

and

of Nat

of E6, when

exist natural

A

•

x is substituted

numbers

m,n,q

such

that a = r m ' A , b = r n ' A , c =rq "A

and

G A - r m ~ A - r n T A r q "A= ;0"A

(2.6)

B u t from Fact 1.5 we h a v e GA Fin~ A . r n l A ~ r q T A = r g ( m , n , q ) n A Since non

the interpretation

of numerals

trivial cembinatory

that g(m,n,q)

algebra

= 0. Hence, HomA(rm~A

Then,

by

(2.6)

Given

a term

ulation that must

2.8

rnTA )

HomA(a)

= HomA(b)

which

t ~ T(Z)

we now

N

For every

the complexity

= ~ (n!.

) = HomA(

Recall that the structure Definition

corresponding

to distinct natural

are distinct elements,

~(m)

be performed

(2.7)

is codified

means

that E6 is true in A'.

in (A,o,KA,s define

if t=f(t I ..... tm) , then ~ is Ff- E l, ...~ "tm For every there

(2.9ii)

n such

the calc-

that ~(n)

= tA.

via M. by induction

on

of t as follows:

(it)

(2.9i)

of Hem A,

describes

a term ~ in T(cl)

if t=c i, then ~ is rm~'1 for i=l~...,r.

2.9

number A)

(i)

Lemma

which

in a

(2.7) we have

by the definition

the natural

t in T(S)

(2.6) and

Therefore,

define a term "t in T(cl)

to obtain

term

from

numbers

term

t of T(z):

exists a natural

E b---Hom(~)

number

n such

that E k--'t = Cnn ,

= t.

Proof of ( 2 . 9 i ) .

B y i n d u c t i o n on t h e complexity of t. If t is the c o n s t a n t symbol c. ] t h e n ~ is ~m.~ . Hence, the n u m b e r m. w o r k s . Let t be f ( t l , . . . , t m ) . By i n d u c t i o n hy]2 ]

]

o{hesis we h a v e n a t u r a l n u m b e r s n l , . . . E F- "tl But Ff

=

rn l~

'""

,n m such that

Eb---~ m = ~n~m a n d ~ is Ff- ^tI.

..

.°~m "

(2.10)

represents f in CL. So w e have a fortiori

E F - - F f • r n ~ ° ...orn~m

= r f N ( n 1 , . . . , n m )~

(2.11)

Hence, w h e n n=f N ( n 1 . . . . . nm) we have (2.9i) from (2.10) a n d ( 2 . 1 1 ) . Proof of (2.9fi). By i n d u c t i o n on the complexity of t. If t is the c o n s t a n t symbol c. ]

118

t h e n ~ is rm7 . H e n c e , from axiom E3 we get E ~ - H o m ( t ) = t . ] Let now t be f ( t l , . . . ,tin). B y i n d u c t i o n h y p o t h e s i s we h a v e E }--- Hom(ti)=t i , for i=l . . . . . m.

(2.12)

T h e r e f o r e , u s i n g (2.9i) a n d axiom ES, we get Et----Nat(ti)=K,

for i = l , . . . , m .

(2.13)

T h e n , from (2.13} a n d axiom E3 we h a v e E F-- Horn(F} tl" . . . . t m ) = f ( H ° m ( t l ) . . . . . H°m(tm) )"

(2.14)

Hence, from (2.12) a n d from the d e f i n i t i o n of t we get Hom(t)=t. Proof of Theorem A. Given terms t l , t 2 in T(~) we have to p r o v e t h a t E~-- t l = t 2

if a n d o n l y if A ~ t l = t 2 .

(2.15)

T h e " o n l y if" d i r e c t i o n follows immediately from Lemma 2.2. To p r o v e t h e "if" d i r e c tion a s s u m e A~tl=t 2

(2.16)

By Lemma 2.9 t h e r e e x i s t n a t u r a l n u m b e r s n l , n 2 s u c h t h a t E ~

t.= rn~. a n d E ~-- Hom(ti)=t i 1 1

for i = i , 2 .

(2.17)

T h e n , from (2.16) a n d (2.17) A'~Hom(rn;

)=Hom(rn~ ) .

(2.18)

Hence, b y t h e d e f i n i t i o n of HornA we get (nl)= ~ (n2). T h e r e f o r e , t h e r e is a n a t u r a l n u m b e r q s u c h t h a t g ( n l , n 2 , q ) = 0 .

(2.19) Since G r e p r e s e n t s

t h e f u n c t i o n g we h a v e E ~ - - - G * r n -~.r I n 2%r q~ = r01

(2.20)

Now, u s i n g axiom E6 a n d ( 2 . 2 0 ) we get E~--Hom( r n ~1 )=Hom(rn~z ). Hence, from (2.17)

3.

E ~ - - t 1 = t 2.

Cosemicomputabte, Computable Data T y p e s a n d r e m a r k s We c a n also a p p l y o u r method to cosemicomputable a n d to computable d a t a t y p e s . S u p p o s e t h a t A is a cosemicomputable a l g e b r a of s i g n a t u r e

Z , N is a r e c u r s i v e

n u m b e r a l g e b r a a n d ~ :N--+ A is a c o - r . e , epimorphism. Let g' b e a r e c u r s i v e f u n c -

tt9

tion of t h r e e v a r i a b l e s which enumerates the complement of p=ker ~. T h e r e f o r e , f o r m,neN,

we have

(m)~ v ( n )

if and only if t h e r e is a n a t u r a l number q such t h a t g r ( m , n , q ) = 0 .

We denote the combinator which r e p r e s e n t s the r e c u r s i v e function g' b y G'. Moreo v e r , we let [' be the s i g n a t u r e c o n s i d e r e d in the semieomputable case, i . e . ~= Z w e l ~ { Horn,Nat } . Now, c o n s i d e r the set E F of conditional equations obtained from E b y r e p l a c i n g E6 with the new (E6) F

axiom = r01/~.Hom(x)~Hom(y))-+K=S.

(Nat(x)=K^Nat(y)=KANat(z)=KAG'.x,y,z

(The s u b s c r i p t F is f o r "final s e m a n t i c s " ) . Then we have Theorem B. Let g be a cosemicomputable a l g e b r a of s i g n a t u r e the finite s e t of conditional e q u a t i o n s in the s i g n a t u r e

E and let EF be

Z' as p r e v i o u s l y d e s c r i b e d .

T h e n , f o r all t l , t 2 ~ T ( Z ) t h e following holds:

A~

7(tl=t2)

if and only ff

EFkJ { t2=t2} }-- K=S

T h e proof of Theorem B can be g i v e n in complete analogy with the p r o o f of Theorem A. Now consider a computable a l g e b r a

A. Assume that N is as before and z :N->A

such that k e r ~ is r e c u r s i v e . T h e n , define the set E C of conditional equations

in

the s i g n a t u r e ~' b y E c = E V E F. We h a v e Theorem C. Let A be a computable a l g e b r a of s i g n a t u r e Z and let EC be the finite set of conditional equations in the s i g n a t u r e f o r all t l , t 2 e T ( Z )

[ ' as p r e v i o u s l y defined. T h e n ,

t h e following holds:

A~

tl=t 2

if and only if

Ec~--tl=t 2

A¢

tl=t 2

if a n d only if

EC•

and

{tl=t 2 } k--K=S.

The p r o o f follows immediately from Theorem A and from T h e o r e m B We conclude with t h e following two r e m a r k s . Remark 1. In the i n t r o d u c t i o n we said that we would t r e a t the case of s i g n a t u r e Z in a single s o r t in o r d e r to simplify notation. We now want to biefly explain how the method e x t e n d s to many s o r t e d a l g e b r a s . Let

[

be a many s o r t e d finite s i g n a -

t u r e with a finite s e t of s o r t s S. A S - s o r t e d a l g e b r a has a c a r r i e r A s of s o r t s f o r

t20

e v e r y s i n S. We s a y t h a t a S - s o r t e d a l g e b r a N is a r e c u r s i v e

n u m b e r a l g e b r a if

e v e r y c a r r i e r of s o r t s is t h e s e t N of n a t u r a l n u m b e r s a n d t h e o p e r a t i o n s of recursive functions (Cf. a l g e b r a of s i g n a t u r e and r.e. f

[ B - T 86 ] ). We s a y t h a t

/q a r e

A is a s e m i c o m p u t a b l e S - s o r t e d

Z if t h e r e e x i s t s a r e c u r s i v e S - s o r t e d a l g e b r a N of s i g n a t u r e

epimorphism

~ : N -+ A. When s ~ S

~

f

l e t ~ b e t h e s - c o m p o n e n t of

~

S

~.

If

c <s/. is a c o n s t a n t s y m b o l of s o r t s l e t m! s ) b e a n a t u r a l n u m b e r s u c h t h a t ]

]

s (m!sl):] (c~s)lAs =

w h e r e t h e r i g h t h a n d s i d e m e m b e r is t h e i n t e r p r e t a t i o n

of t h e s y m b o l c! s ) i n t h e ]

a l g e b r a A. Let ~ ffs b e a r e c u r s i v e f u n c t i o n of t h r e e v a r i a b l e s t h a t e n u m e r a t e s ker'~ and G

s

be a combinator which represents

s y m b o l f is of s o r t s ]m. . . st i o n of d o m a i n A

-+s i f f t h e i n t e r p r e t a t i o n

x...xA s1

sm

of t h a t s y m b o l i n

A is a f u n c -

and range A . s

I f t h e s e m i c o m p u t a b l e a l g e b r a is i n f i n i t e , t h e n t h e r e is So~ S s u c h t h a t A

is

S O

i n f i n i t e . Now t a k e Z' :

s

t h e f u n c t i o n gs" We s a y t h a t a f u n c t i o n

ZU{o

,K.S}U{Nat}U

{ Horns } s e S

where • is a function symbol of sort s s -+ s O o

O

,

K,S are constant symbols of sort So, Nat is a function symbol of sort s

O

-+So,

Horn is a function symbol of sort s -+s. S

O

Now the proof goes on by replacing, in a obvious manner, axioms E3, E4 and E6 of E. Moreover, the expansion A' of A to the signature Z' is constructed by translating a combinatory algebra in the carrier Aso and by interpreting Nat and Horns in order to codify the recursive S-sorted algebra N in A'. Then, Theorem A works also for many-sorted algebras. The same argument holds for Theorem B and Theorem C. Finally, we notice that if we allow s

O

to be a new sort, we get a result which is

analogous to Theorem 5.3 of [B-T 86] . Remark 2. Let E be a set of conditional equations in a signature Z' which extends the signature 2 . Consider the quotient structure T ( Z ' ) ~E , where -=E is the usual congruence defined by: tl-=Et 2 iff E ~--tl=t2.Then there exists an embedding

j:Z ~--~ T(Z')/~EIZ where the first algebra is the subalgebra of T(Z')/- E generated by the operations

121

of Z a n d the second algebra is the reduct of T(~')/~E~to the s i g n a t u r e ~ . The specification ( ~ ',E) is said to be a hidden e ~ c h m e ~ the initial algebra semantics of the a l g e b r a

Au Z

specification with respect to

A if

: T(Z')/-=EI Z

where the isomorphism into A is induced by the natural evaluation of the terms of

85],

T(Z ) in A (see [E-M Our

Theorem

A proves

ding ] is a retraction, this case we could The

term

Chap.

[B-T 86]). that there is such

i.e. there exists a morphism

say that the specification

consistent

extension

is used

6) in quite similar situations

Then,

according

an isomorphism

to Definition

h such

(Z',E)

3.4 of [B-T

that the embed-

that h o j = identity.

is a ao~istemt

in the literature

but involves

and

In

extension ~or A.

(for example

in [E-M 85 ]

two specifications.

86 ]

we

can restate

Theorem

A as

fellows,

Proposition. The specification method (for a b s t r a c t data t y p e s ) b y means of a finite conditional equation c o n s i s t e n t extension with no additional s o r t s , is complete for the class of semicomputable data t y p e s .

References [ADJ 75 ] J.A.

GOGUEN,

J.W.

THATCHER,

E.G.

WAGNER

and

J.B.

WRIGHT,

Abstract data t y p ~ as i n i t i a l (~gebras and correctness of d ~ a representations, i n Proceedings ACM Conference on Computer Graphics, P a t t e r n Recognition a n d Data S t r u c t u r e , NY 1975, 89-93. [A,DJ 78 ] J.A. GOGUEN, J.W. THATCHER a n d E.G. WAGNER,

An inZ~a~ ~gebra approach to the s p e ~ e a t i o n , correctness and implementation of abstract data types, C u r r e n t t r e n d s in Programming Methodology, Vol. 4: Data S t r u c t u r i n g ( R . T . Yeh, e d . ) , Prentice-Hall (1978), 80-149.

[ADJ 82 ] J.W. THATCHER, E.G. WAGNER a n d J . B . WRIGHT, Data type speaL~eation: parametrization and the power of specifAcation technique, TOPLAS 4(4), 1982, 711-732. [Ba 81 ]

H.P. RARENDREGT, The lambda ealcu~as, i$~ s y ~ a x and seman~cs, North-Holland, Amsterdam 1981.

[B-T 80 ] J.A. BERGSTRA a n d J.V. TUCKER,

~L~e

On bounds for the s p e c i ~ c a ~ o n of data types by means of equations and eondi~onal equations, p r e -

p r i n t IW 131/80 Amsterdam 1980. [B-T

83 ]

I ~ t ~ a ~ and ~ n a l a~gebe~ s e m a ~ c s two characterization theorems", SIAM J. of

J . A . BERGSTRA a n d J.V. TUCKER,

for data type s p e ~ c a t i o ~ : Computing 12 (1983), 366-387.

[B-T 8G ] J . A . BERGSTRA a n d J.V. TUCKER,

Algebraic s p e c i ~ c a ~ o ~ of Computable and Semicomputable Data Types, Department Computer Science Re-

122

search Report CS-R8619, Amsterdam (May 1986).

[E-M 85 ] H. EHRIG and B° MAHR, Fundamentals of Algebraic S p e c ~ c a ~ o n 1, Monograph EATCS, S p r i n g e r - V e r l a g 1985.

~Gr 78 ]

G. GRATZER, U~va~a£ Algebra, 2nd ed. S p r i n g e r - V e r l a g , 1979.

[H-S 80 ]

J.R. HINDLEY and J . P . SELDIN ( E d s . ) , To H.B. Curry: Essays on combinatory logic, lambda-calcal~ and fo~aL~m, Academic Press, NY 1980.

[L-Z 74 ]

B.H. LISKOV and S.M. ZILLES, Programming with Abs~act Data Type, Proc. ACM Symp. on v e r y high level l a n g u a g e s , SIGPLAN Notices 9, (1974), 50-59.

[L-Z 75 ]

B. LISKOV and S. ZILLES, S p e c ~ c a ~ o n teahniques for data abs~acL~o~, IEEE T r a n s a c t i o n s on Software E n g i n e e r i n g 1 (1975), 7-19.

[Ma 71 ]

A . I . MAL'CEV, ConsL~uc~ve algebras I, The Metamathemathics of Algebraic Systems, Collected p a p e r s : 1936-1967, North-Holland.

[M-~ S6 ]

G. MARONGIU and S. TULIPANI, computable types, in p r e p a r a t i o n .

[Mz 79 ]

J. MALITZ, I~L~oducA~on to Math~ma~ca£ Logic, S p r i n g e r - V e r l a g , 1979.

IRa 60 ]

M.O. RABIN, Colpu~able algebra, g e n i a l theory and the theory o~ computable ~eld~, T r a n s . Amer. Math. Soc. 95 (1960), 341-360.

[Wa 79 ]

M. WAND, Final algebra s e m a a ~ and data type extensions, J. Computer a n d Ststems Sciences 19 (1979), 27-44.

[Zi 79]

S. ZILLES, An l~Lzoduc~on to data algebras Lect. Notes 86, (1979), 248-270.

R ~ r k s on complexity ~n speai~y£ng

in Comp. Sci.

O n t h e S e m a n t i c s of C o n c u r r e n c y : Partial Orders and Transition Systems

G. Boudol & L Castellani INRIA

Sophia-Antipolis

06560-VALBONNE FRANCE

Abstract. We introduce an algebra of labelled event structures whose operations are sequential composition, sum, and parallel composition. A transition relation is defined on these objects, where at each step a process performs a labelled poser. It is claimed that the bisimulation relative to such transition systems brings out a clean distinction between concurrency and sequential non-determinism. 1. I n t r o d u c t i o n . This paper may be seen as proposing a tentative synthesis of various approaches to the semantics of concurrency. Milner's work on caIcuii of processes ([17,18,19]) provides our main source of inspiration. Let us recall the main features of such calculi (cf [1]): first there is a syntax which describes abstract programs as terms of an algebra; second there are behavioural rules according to which each term may perform some actions and become another term in doing so. This brings in a notion of tabeIled transitions denoted prog

act

~prof

Finally a semantic equality is defined by means of the well-known notion of bislmulation [21,18,33. This gives the scheme of the following technical material. Plotkin has advocated in [23] that labelled transition systems determined by structural operational rules provide a fairly natural setting to describe the operational semantics of programming languages. This is even more true with regard to parallel programming where one wants to program non-terminating processes, which may communicate during the computations: here functions from input to output can no longer be used as the semantical model. A symptom of this need of a more discriminating model is that a process is sometimes thought of as giving rise to a whole domain of computations rather than interpreted as a point in a domain; this point of view is exemplified by Winskel's work [20,32,34]. We shall entirely adopt Milner's standpoint [18,19] according to which any abstract notion of process must be based firmly upon operational semantics. As a matter of fact, one often uses informal behavioural arguments in order to decide whether some processes should or should not be distinguished. For instance (taken from [5]) one can "prove"

124

(at(b + ~)) + (aib) + ((a + c)ib) = (al(b + 4 ) + ((~ + ~)tb) (we use here a CCS-like notation) by saying that if the left-hand side performs a concurrently to the b of (alb), then the right-hand side is able to do the same thing by choosing a in ((a + e)Ib), and so on, so that no behaviour distinguishes the two terms. We shall give here a precise meaning to such a proof, by means of bisimulations. Bisimulations on transition systems provide a powerful concept (see [1,3] ), but many authors argue ([4,6,28], to mention but a few) that this yields an inadequate description of concurrency; specifically what is questioned is Milner's expansion theorem [17,14], expressing a simulation of concurrency by sequential non-determinism. Roughly speaking (a I b) = ab + ba, thus the parallel composition operator can be eliminated (from finite terms), whence it is not primitive. As a contribution to the theory of "true concurrency", our paper aims at solving

concurrency

#

sequentiality + non-determinism

More precisely our thesis is that this can be solved while still dealing with bisimulatlons on transition systems. Evolving from Petri's ideas [22], there is another way to approach the semantics of concurrency; following this way one thinks of sequentiality as causality, that is as prescribing an ordering on events. Dually, two events are concurrent if they are not causally related. Thus here a computation is a partially ordered set of events rather than a mere sequence. This is by now a widely held point of view; it appears in the early work of Mazurkiewicz on traces [15], which have been related to posets and algebraic structures (monoids) in [16] and [29]. Another generalization of words was proposed by Winkowski [30,31]. Grabowski sets up in [12] a theory of "partial words" that are labelled posets, what Pratt and Gischer call pomsets ([26,10,27], see also [29]). These are also the configurations of Winskel's (Iabelled) event s~ruc~ures, which are posets enriched with a notion of conflict [32,33,34] - a kind of object that Montanari & a/. also deal with [4,7,8]. Fairly close is the notion of process suggested by Petri [22], which is a partial unfolding of a net into an occurrence net (cf [9,11]). Reisig studies in [28] what can or cannot be distinguished according to various notions of computations. By the way, we must point out the fact that almost all the works we have just mentioned model more or less explicitely a process as a "language", that is a set of pomsets; this entails the linearity of sequential and parallel composition, that is their distributivity over the sum interpreted as set theoretic union. Roughly speaking, (a[(b + c)) = (a]b) + (alc) and a ; (b + c) = a ; b + a ; c, a kind of property that does not hold in Milner's calculi of processes. Let us now introduce our contribution: first of all, in order to solve ~ we must start with a formalism in which one can talk about sequentiallty, non-determinlsm and concurrency as distinct notions; this is why we adopt Winskel's (labelled) event structures which are built upon the exclusive relations of causal ordering, conflict and concurrency. Each of these relations gives rise to a way of constructing event structures: one simply juxtaposes two such structures and then sets the relation between their events. These operations are sequential composition, sum, and paralIeI composition; they provide us with a syntax for finite event structures (in this paper we shall treat neither infinite structures nor communication; to get some ideas about these subjects see the full version of the paper [2]). Here comes the main idea. We have already mentioned that an event structure determines a set of computations, what Winskel calls configurations. Then, defining "what remains of the structure" after such a computation we get a notion of labelled transition: here the action (= the computation) is a finite pomset and the reached state (= what remains...) is another event structure. The point is that we generalize what usually is "over the arrow"; a similar idea may be found in [5,8] and it seems that it could be applied to Petri nets where computations are processes (in the technical sense of [9,11]). As a matter of fact, we also extend Milner's idea ([18]) that actions should be elements of a commutative monoid (a similar notion is Winskel's synchronization algebra [33,34]): here we get elements of a "dioid", see below.

125

We also give a structural operational semantics (in Plotkin's style [23,24]) for our "abstract programs", and then show an exact correspondence between the semantical and syntactical notions of transition. Next we define our semantic equality, in the same way as Milner defines his strong congruence, and give an axiomatization for it. We claim that this notion of equality solves ~. Note: almost all the proofs are omitted; more details may be found in [2]. 2. A l g e b r a of L a b e l l e d E v e n t S t r u c t u r e s . As previously announced, our first concern is in labelled event structures. For some technical reasons that will become clear later, our definition is a slight variation of Winskel's one. At some points we shall assume knowledge of the work of Nielsen, Plotkin, and Winskel [20] which shows how to derive (labelled) event structures from some kind of (labelled) Petri nets; thus we shall feel free to use standard concepts of net theory (cf [9]) when dealing with such derived event structures. 2.1 Labelled Event S~ructures and Terms. Let as usual {0,1}* be the set of words over the alphabet {0,1}. The concatenation of two words u and v is denoted uv, whereas the product of two languages L and L' is

LL' = {uv/u e L & v E L'}

DEFINITION. Let A be a non-empty set. An A-labelled event structure (A-LES for short) is a structure (E, <, #, l ) where

(i) E c_ {0,1}*

is the set of events,

(ii) < is a partial order on E, the causaiity relation, (iii) #C_ E × E - (<_ U >_) is the symmetric conflict relation, Ov) A: E -+ A is the labelling function. Note that we do not require Winskel's axiom of conflict heredity. Two events in E are concurrent if they are neither comparable nor in conflict, that is ~=a~

ExE-(u#)

This is a symmetric irrefiexive relation. Note that by definition _, #, and .~ set a partition upon E x E. We shall always draw structures up to isomorphism, that is omitting the name of events; in the figures the order < increases downwards and only one of the remaining relations is explicitely shown. For instance a ~-~ b

I

C

is a structure with three events e, er and e'f respectively labelled a, b and c such that e causes e", e and e' are concurrent and e' and er~ are in conflict. In what follows we let a, b, c,... range over A. We use £(A) °° for the set of A-labelled event structures and Z(A) for the set of finite ones. In this paper we shall only take finite structures into consideration (a more general study may be found in [2]). This set is naturally supplied with an algebraic structure: let V be one of _<, --J, # and So, $I be A-LES's; then So(V)S1 is the structure we get by juxtaposing So and $I and setting the V relation between the events of So and $1. When V is _< this is called sequential composition of So and $1 and denoted So ; $1, whereas if V is --~ this is the paralIel composition So ][ $t and

126

in the case V = # this is the sum So + $I. The formal definition is the following: assuming Si = (Ei,
So(V)SI to

for

i E {0,1}

be (E, _<, #, A) where

E = Eo ~ E1 i.e. E = { 0 } E 0 U {1}El ¢~ i = j a n d x < i y o r V = < , i = O a n d j = l ix <_iV ¢~ i = j a n d x # i y o r V = # a n d i # j ix # j y ~(i=) = ~,(=) These operations are naturally defined up to isomorphism. That is, denoting P ~ Q the relation up and Q are isomorphic",

{

P;Q~P';Q' P + Q ~ P' +Q' P li Q ~ P' II Q'

P ,-~ P ' and O ~ O'

Thus £ ( A ) / ~ inherits the algebraic structure. All that means is that we have a syntax to denote finite A-LES's. This abstract syntax is the set T(A) of terms built according to the following rules: (i) ~ is a term and every atom a £ A is a term, (ii) if p and q are terms then so are (p; q), (p [[ q) and (p + q). Let J(p) be the labelled event structure denoted by the term p, defined as follows: J ( ~ ) = (O,0,0,0)

(the empty structure)

j(~) = ({~}, =,0, ~)

with ~(~) =

:(p; q) = (:(p) ; J(q)) ;(p II q) = (:(p)tl :(q)) :(p + q) = (;(p) + :(q)) The symbol ~. wilI be used also for the empty structure and its isomorphism class. Let us see a few examples: the term (a + b) ; (c II d) denotes the structure a

b

IXI --~ d

c

This and the simpler term (a + b) ; c show why we cannot assume Winskel's axiom of conflict

heredity [32]. The term (a tl b) + c is interpreted as a#c#b (where a --- b, and there is no non-trivial causal dependency) and is an example of "symmetric confusion" (see [9,20]). In the next section we shall characterize both the set of structures which are interpretations of terms up to isomorphism and the interpretation equality

p =J q

*~do~

J(v) ~ ;(q)

127

2.2 Characterization. One may remark that in £ ( A ) ° ° / ~ the three operations previously defined axe associative and have 11 as neutral element; moreover the sum and parallel composition are commutative. This suggests the following definition: DEFINITION.

A trloid is an algebra (T, ;, H, +, l) satisfying the axioms

(i) (T, ;, 1) is a monoid:

A0: (v; (q; r)) = ((p; q) ; r) u0: (p; 1) = p = (1 ;p) (ii) (T, H, 1) is a commutative monoid: AI: (p I] (q ]l r)) = ((p ]l q) ]I r) UX: ( p i l l ) = p = ( l i l P )

c r (v II q) = (q I! v) (iii) (T, + , 1) is a commutative monoid: A2: ( p + C q + r ) ) = C ( p + q ) + r )

u2: (v + 1) = v = (1 + v) c2: (p + q) = (q + p) Let (9 be the equational theory whose axioms are A0 to A2, U0 to U2, C1 and C2, and let = e be the congruence on T ( A ) generated by these equations. Then we have an obvious soundness property: P=eq

~

P=jq

We now wish to check whether a converse compIeteness property holds. First we shall see that not all finite labelled event structures are interpretations of terms. As a matter of fact the structure a

b

c

d

(without conflict) is known to be the typical one that cannot be expressed by means of sequential and parallel composition, cf [10,12,27], We thus want to find a class of A-LES's which does not contain N. In order to define this class and state our characterization result we need to introduce some notations. Let R C E × E be a relation on a set E. (i) R e = R U R -1 U R e is the reflexive and symmetric closure of R, what we shall call the R-comparability relation. (ii) $(R) = (E × E) - R ~ is the symmetric, irreflexive R-incomparability relation. (iii) m R = (R U R - l ) * is the equivalence generated by R whose classes are the connected components with respect to the R-comparability relation. For instance the comparability relations determined by # and ,~ are simply their reflexive closure, whereas the <-comparability is _ what we denote (>. In order to avoid many useless repetitions ,he shall name each of the relations <, #~ -~ a connective of a given structure S. The first property we shall require is N-freeness; an A-LES S is N-free if it satisfies

N-freeness

for U a connective of S i[ eo U el and eo ~(U) e~ if e~ U ea and el $(U) e3 then eo U ea ~ e2 U el

128

This property, which is obviously preserved by isomorphism, may be drawn e2

eo

.-I

U

U

t..

U

\1

el

e3

This typically precludes a structure such as a # b # c # d (where a ~ e, b ~ d, and a ~-~ d) which is derived (see [20]) from the Petri net

a

b

e

d

N-freeness is also related to Petri's notion of K-density [22], see [13,25]. N-freeness is not enough by itself to characterize the class of A-LES's denoted by terms. Here we need another requisite which we may call the triangle property: a structure S satisfies this property if it does not contain a configuration A

e Q et # e tt,-~e

This precludes the typical situation of "asymmetric confusion" (cf [9,20] ). In fact the "behavloural" properties of N-freeness and triangle may be combined in a single one - which is less readable but somehow more natural when looking for a property preserved by the operations. LEMMA. An A-labelled event structure S satisfies N-freeness and the triangle property if and only if it satisfies the property

X

for U and V among <,#,~-~ with U • V if eo U ~ el and eo :~(U) e~ if e2 U ~ e3 and el $(U) es then eo V e3 ~ {eo, el} x {e2,e3} C_ V

In the course of the proof (see [2]) we use the fact that N-freeness implies

N'

for U among <>,#,,-, if eo U el and eo $(U) e2 if e2 U ea and el ~(U) es then eo U es ~ e2 U el

This fact will be also used later. We can finally define the intended class of structures as follows: DEFINITION.

The set X (A) is the set of finite A-LES's satisfying the X property.

The set of structures Z (A) is a generalization of Grabowski-Gischer's class of N-free pomsets [12,10]. Clearly the X property is hereditary; this means that if

s'cs

f s =

(~, <,~, ~)

and

3F c E

~,~o~ 1.S'=S[_~=(F, <_n(F×f),#n(F×F),~[F)

thenS'__.S&SCZ(A)

=~ S ' E X ( A ) .

129

We can now state the announced result~ which generalizes Grabowski-Gischer's one.

T~OR~M 1.

The structure (Z (A)/~, ;, it, +, ~ ) is the free trioid generated by A. One especially

has

(3) S E Z ( A ) (ii) p = j q

~, ~

3pET(A) J(p)~-S p =e q

The complete proof is rather long, involving some straightforward parts. Here we only sketch it; more details may be found in [2]. One has to prove that Z ( A ) / ~ - is a trioid isomorphic to T ( A ) / = e . We have already seen that the algebra ~(A)/~---- is a model of the theory ~. Thus the first thing to see is that the operations preserve the X property; an immediate consequence will be that X(A)/~-- is a trioid which contains the interpretation of every term. LEMMA 1.

II So, S 1 E X(A) then So ; S1, So + S1 and SoilS1 are in Z(A)

The proof proceeds by case inspection ,, Next one has to show that each element of f (A)/~-- is denoted by a term of T(A), univocally up to = e . As usual this completeness property lles upon the existence of normal forms for terms. These can be described as follows: let Xt(A) = {~} U ~ ( A ) where ~ ( A ) is the least set of terms built according to the rules

(i) every atom a E A is in ]~ (A) and has no head operator, (ii) i f p E )~(A) does not have ; (resp. II, +) as head operator and if q E ~ ( A ) then ( p ; q ) (resp,

(p II q), (p+ q))is in X(A) and has ; (resp. II, +) as head operator. One gets normal forms by cancelling the unit and using associativity to shift arguments to the right. PROPOSITION. Let F be the theory whose axioms are A0 to A2 and U0 to U2, and T be the theory consisting of A0 to A2, C1 and C2. Then

(i) for each term p C T(A) there exists a normal form t E )¢(A) such that p = r t, (ii) f o r t w o n o r m a I f o r m s t , ff E jg(A) t = o f f ,~ t = T t ' This is a standard result. The proof is omitted. The crux of the characterization theorem's proof is the following property: for every finite nonempty non-atomic labelled event structure satisfying the X property, the set of events is connected for exactly one of the connectives <:, ~ , # (in fact this is a purely graph-theoretical result); this relation gives the head operator of the term which denotes the structure. The existence of such a connective comes from the triangle property, whereas uniqueness comes from N-freeness (or more accurately from 1N'). LEMMA 2.

Let S = (E, <,#,A) be an A-LES in X(A). (i) there exists a connective U o r s for which E is connected, that is ~ ( E / ~ u ) = 1; (ii) moreover if ~ ( E ) > 1 then Z is not connected for the U-incomparability relation $(U), and thus is not connected for any of the other connectives. PROOF. We first show that there is one such relation U, for each S E f (A). Suppose not, and let C be a maximal (w.r.t. inclusion) subset of E connected for some connective. From our assumption C # E, so let e E E - C. Then e is connected in the same way (<>, # or ,--') with all the elements of C, otherwise E would contain a triangle. But then {e} tJ C is, for some connective, a connected subset of E which strictly contains C. Now to prove the second point let us assume that E is connected for both U and ~:(U) for U among <> (since E _<-connected ~=>E <>-connected), # and --~. Let F be a minimal (w.r.t. inclusion) subset of E which is both V and $(U) connected and such that # ( F ) > 1. Then ~ ( F ) > 2 since one cannot build a two element structure which is connected for two exclusive relations. So let

130 ea E F; since F - {ea} is not connected for both U and :~(U), let us assume for instance that F - {es} is not connected for U, that is (F-

{ea})/~u = {FI,...,F,~}

with m > 1

Then

~i (1 < i < m) ~e e F,

ea ~(U) e

otherwise F could not be :~(U)-connected. Similarly

Vi(l
SeEFi

eaUe U Fj. Since

es$(U) eandHbe

iCj 3eEGea:~(U)

e

and

3e I ~ G e a

Ue I

and

Gis U-connected

ODe has

es U e o a n d e o U e l a n d e l $ ( U ) ea

3eoEGSeleG

If we choose an e2 E H such that e3 U e2 we may figure the situation as

F

H

\ U

U e3

By definition of G and H, eo :~(U) e2 and el :~(U) e2, but this contradicts the N t property, which is a consequence of the X property. The proof is the same when F - {ea} is not :~(U)-conneeted a, We can now prove

v s e x(~) 3~ e ~(A)

j(t) ~- s

by induction on the size ¢~(E) of S (in fact the induction hypothesis states t h a t the head operator of the t e r m t corresponds to the unique connective, if it exists, for which E is connected). If • ( E ) < 2 then this is trivial: t is either 11 or an a t o m (given by the labelling function). Otherwise by the previous lemma there exists a connective U for which E is connected and not :~(U)-connected. Let

{ c 1 , . . . , C,,,} = E / - $ ( ~ ) T h e n 1 < m _< # ( E ) . F r o m the definition of the Cg's it cannot be the case that e$(U)e' for some e E Ci and e' E Cj (i ~ j). Suppose now that U is <_ (the other cases where U is # or --~ are similar, and even simpler). Let us see that if e < e I for some e E Ci and e I E C 1 then for all e rr E C a' e < e II whence Ci x Cj C < . Otherwise there would be e0 and el in Cj such that eo < e < el, thus eo < el, and eo # el or eo ~ el, which is a contradiction. Thus we may assume that { C 1 , . . . , C m } is enumerated in such a way that el < "'" < em for some ei E (7/. For all i (1 < i < m) s r o i E Z(A) since the X property is hereditary. Thus by induction hypothesis there are terms t l , . . . , t m of ~ (A) (whose head operators are not ;) such that

Then

s ~ j ( ( t , ; (... ; ~,,)...)) To conclude the proof of the theorem we must show

t,t' e J4(A) The proof of this last point is omitted --

=ez

J(t) ~- J(t') ~g- t =T t'

131

3. O p e r a t i o n a l s e m a n t i c s . 3.1 Transitions on labelled event structures. The interpretation equality = e is too dk~criminating; from a behavioural point of view we would llke to identify the terms p + p and p - in the introduction we have seen another example. Thus we cannot consider equality of event structures to be the equality of their domains of configurations (see [20] ). Nevertheless, the equality we look for is based upon a notion of computation which would be Winsket's notion of finite configuration if we had assumed the axiom of conflict heredity. Note that computations are deterministic: choices (or conflicts) are resolved while a ~program" computes. Computations bear some analogy with processes of Petri nets ([9,11]) or more accurately with l~eisig's abstract processes [28]. DEFINITION. Given an A-labelled event structure S = (E,<,#,A) a computation of S is a structure S [ F where

(i) F is a ~nite subset o r E , (ii) S I R is connict-free: e E F & e' e F ~ -~(e # e') (iii) S [F is closed under non-conflicting causes: eEF&e'<_e&e'¢F

=>

~e"EF

e"#e'

Note that we only allow finite computations, thus we cannot deal with fairness; an idea could be that fair computations are the - possibly infinite, but satisfying an axiom of ~finite causes ~' maximal computations, w.r.t, the ordering C. We shall name action an isomorphism class of computations. In this paper we restrict our attention to A-LES's of f (A). The computations of such structures are rather special: they are finite conflict-free (eiementary in Winskel's terminology) A-LES's satisfying the X property. We denote by 2(A) the set of these computations and by D(A) = ? ( A ) / , ~- the set of actions they determine. In fact D(A) is exactly the set of what Pratt and Gischer [10,27] call finite N-free pomsets. From a theorem of Grabowski-Gischer P(A) is the free "dioid" (Grabowski calls it "double monoid"), which is the same as a trioid but without sum. All that means is that actions are denoted by terms built without sum, up to the equational theory A whose axioms are A0~ A1, U0, U1 and C1. The set of these "deterrninistic" terms will be denoted D(A). For instance, making a confusion between terms and the structure they denote, (a ; c) and (b ; e) are computations of ((a + b) ; c), while ((a ; b) It c) is a computation of (a ; (b + d) IIe ; e). For F C E let

#(F) = {el3e' e F

# e}

From a computation P = S I F of S we build a structure called the residual of S by P which is

(8/P)

S [ ( E - (F u

This structure is "what remains of S after removing P while resolving the conflicts". Clearly S E X(A) implies (S/P) ~ X(A). We are now ready to introduce the main definition which brings a structure of transition system on event structures. Let us recall the terminology: a (labelled) transition system E = (Q, Act, T) is a structure where (1) Q is the set of states, (ii) Act is the set of actions,

(iii) T C_ Q x Act × Q is the transition relation, p ~ DEFINITION. S

-~ S'

p' will denote (p, a, p') E T.

The transition relation ~ between A-tabelled event structures is given by

4~def

P is a computation of S

and S' = (S/P).

Here one can see some analogy with the construction hi b e f o r e h2 g i v e s h of Degano and Montanari ([7]) ifone reads it h hi> h2 •

132

For instance, still using terms in place of the structures, we have

(a;c) '7

((a + b);c)

~l

((~ + b)II ~) ~

One may remark that from the definition a computation of a LES S cannot introduce causal dependencies which would not be already present in S. For instance (a ; b) is not a computation of (a I[ b). We could say that in our behavioural semantics causality =~ temporal ordering

for we have

But the converse is false (consider (a H b) +

b --~ 2-). Thus our semantics makes a strong

distinction between sequence of transitions and "transitions of a sequence" - compare with the CCS "action" a.p. One may also note that the behavioural interpretation of parallel composition is not interleaving, but contains it. This is clue to the fact that an A - L E S may always perform the empty computation; we may interpret 11 as "skip" - when regarded as a computation - or "termination" for instance in a transition S ~

ti. Our semantics of paraIleI composition is

a

generalization

of the MEUE"asynchronous" operator [1] - related to Milner's synchronous product [18] and to the notion of "step" transition of Petri nets [32,28]. 3.2 Transitions on terms. Since we are interested in labelled event structures denoted by terms of T ( A ) an obvious question is: is there any syntactic notion of transition which reflects the semantic one? In fact the (positive) answer is rather simple; let p be the least subset of T ( A ) x D ( A ) x T ( A ) satisfying the following clauses or rules 11 R0: }- p - - - + p RI: a E A

R2:p~v'

~- a a_+ 1]

~ (v;q) u ( / ; q )

(~ ;~),

R3: v ~ v' = e 2., q ~ q' ~ (p;q) R4: p u

p , , q v_+ q, ~_ (pliq)

R6: q v

q, a v ~ 4 e

q'

( u l ] v ) (P'Hq')

2. b ( p + q ) v

qt

(note that r = o 2. can be proved or disproved using only the axioms UO to U2). Since p is the least relation satisfying the given clauses, a transition p ~

p' cannot hold unless it has a proof or

133

construction according to these rules. For instance we have RI : - a

a -?--, 2RI

R5°

:

-

-

C

c72.

P

R3.

((a + b) ;c)

(a;c) P

2.

Now we state the adequation result making the correspondence between transitions on terms and transitions on event structures. THEOREM 2.

(i) p u q p

~

(ii) J(p) U,7 Q

2U J(u) ~ U SQ J(q) ~ Q ~

J(p) U Q 71

3u J(u) ~- U ?q J(ql ~ Q p -~ q

P

/

The proof lies upon an analysis of S --~ S when S is (So ;$1), (So + $1) or (So ][$1) for So # 2. # $1; here one meets a translation of the rules R2 to R6 m 4. S e m a n t i c s .

4.1 Equipoflence. Relative to any transition system ~ = (Q, Act, T) one may define the well-known Park and Milner notion of bisimulation [21,18]. Here we a d a p t Brookes and Rounds terminology (see [3,1]): a relation R C_ Q × Q is

(i) invariant with respect to T if and only if it satisfies pRq

and

p ~p~ T

=~

3q I p ' R q t

and

(ii) a blsimulation (w.r.t. T) if it is a symmetric invariant relation, (iii) an equisirnuIation if it is a bisimuIation and also an equivalence. The invariance property is usually drawn p

--

R

--

q

p~ ...

R

,.-

~

i

q - ~ a q~ T

134

The following fact is standard: LEMMA.

Given a transition system ~ let us define P ×~' q

*~def

3R

bisimulation

pR q

Then x T is an equisimulation and it is the coarsest one. The only point to check is that the composition of invariant relations is itself invariant m We shall call this equisimulation the equipollence with respect to T and sometimes use the alternative notation p × q (T) instead of p x T qWe are in fact interested in transitions labelled by actions, that is classes of structures or terms. Let us ambiguously denote ~PI and IP~ the isomorphism class of the A-LES P and the =e-class of the term p. Then we define the transition relations ~ and

s

s'

, dof

3Q=P

s

[u~ pj P----+

*~def

3v=eu

P V_+pr P

n

s'

We can show that there is an exact correspondence between the "syntactic" and "semantic" equlpoltences:

p × q (#)

¢~

J(p) × J(q) (FI)

(see [2] for a proof). Since isomorphism of A-LES's is an equisimulation a consequence is that P=eq

=ez

p×q(~)

Moreover these equipollences are also congruences with respect to the algebraic structure, that is compatible with the operations ;, + and II. The equipollence ×(~) is what we regard as defining the semantic equality of terms. Thus we just use × to denote it. For instance the three terms (att b), (a; b) + (b ; a) and (a; b) + (a I[b) + (b; a) are pairwise distinct with respect to × since the first cannot perform the action (a; b) whereas the second cannot perform (a ]] b). Another example is

Ca; b LIc)

Ca II ; b + a ; (b II c)

4.2 Axiomatiza$ion. In this section we aim to set up a "proof theory" of ×. It should be clear that F/-equipoltence of elements of P (A) is exactly ~,-~-,for

PeP(A) (P 11 ,Q=P) Thus any intended axiomatization essentially states properties of the sum. As a matter of fact there is a standard way to solve the problem, by means of sumforms as Hennessy and Milner have shown in [14] what we will briefly recall now. For any set Act of actions let K ( A c t ) be the set of terms built according to the following rules: (i) 11 is a term, (ii) for every a E Act if p is a term then a • p is a term, (iii) if p and q are terms then so is (p + q).

135

Let if2 be the theory whose axioms are A2, U2, C2, and I: ( p + p ) = p and g '~he least transition relation on K(Act) given by the rules R01: F a , p a% p

R5": p a_~p, I- ( p + q ) a

p,

R6*: q ~

q'

q' ~- ( p + q ) ~

Then the Hennessy-Milner theorem roughly states THEOREM. Any state of a ~nite acyclic transition system on Act is denoted by a term of K ( Act). For such terms p ×~ q ~ p =e~ q From this result, we just have to find a suitable translation from T(A) to K(Act) (that is an expansion of terms into finite acyclic transition systems) in order to solve our axiomatization problem. A first step is to extend our set of terms to T'(A) which is built as T(A) but with the additional formation rule: (iii) if a e D'(A) and p e T'(A) then (a * p) e T'(A). where D'(A) is the set of terms built from A using ; and ]1 (without ~.). We also extend the transition relation p to p' with the supplementary rule R0' and adopt the previous convention for the meaning of fi'. Axiom A2 allows us to use an ambiguous notation ~ pi for a (finite) sum of terms. Then our axiomatization is as follows: let ~ be the (heterogeneous) theory whose axioms are those of ® plus I and (omitting some parentheses)

BI:

a . ll. =: a for a E A

B2:

(E-,

B4:

J i (a.C~a{.pi));q=a.(Z(ai*pi);q) i i

Bs:

(Ea

i

i

• pi) ; q = E ( @

i

'p

i

• pi) ; q)

IiE*j'qA=Ea

i

J

'(p

IIEZj'qj) + i

E ( ( a ~ II Z~') * (p~ It qi)) + j

i

THEOREM 3. The congruence of algebra -=~ generated by • is invariant with respect to ~t Moreover for each p E T(A) there exists an r e K(D'(A)) such that p = ¢ r. Therefore for p, q E T ( A ) p×q(fi) ¢~ p----¢q The first statement, which implies soundness, namely p = ¢ q =~ p × q (7'), can be shown by a straightforward ease inspection. For the second one, we can prove by induction on p E T'(A) that such a term is convertible by means of the given equations into a "normaI form", which is here either ~. or a term ~-~ial • pi where each Pi is again a "normal form". A consequence is completeness: p × q (fi) =t, p =¢ q (note that ¢ contains the equality theory A for the actions, which is needed to apply Hennessy-Milner theorem) m One could have the idea that this result expresses a reduction of concurrency to sequential non-determinism; however this is not quite right, since actions are posets irreducibly involving parallelism. So the expansion theorem is not so bad. From a semantical point of view, the technique we used is still unsatisfactory since it gives no indication of how one could describe

136

the equipollence classes of A-LES's. Nevertheless our purpose is achieved: we can prove semantic equalities of terms, such as the distributivity properties foreachp~.andq~l~

(p+q);r×p;r+q;r

We can also prove

(a II (b + c)) + (a II b) + ((~ + ~) II b) ~ (~ II (b + c)) + ((~ + ~) II b) or other absorption phenomena (r is absorbed by p if p + r × p, cf [5]). This example can be arbitrarily complicated (see [5] ), so that the existence of a finite axiomatization without extending the syntax or introducing an absorption preorder is doubtful. Note: it can be proved that our equipollence is weaker than the notion of distributed blsimulation of [5]. M. Hennessy has found an example which proves that it is strictly weaker; namely (a IIb + c) + a ; (b + c) --I-(a Nb) + Ca [[ c)

×

(b + ~) + (~ 1tg) + (~ tt c)

but these two equipollent terms are not d-bisimilar. References [1] [2] [3] [4]

[5] [6] [7]

[8] [9]

[10] [11] [12] [13] [14] [15]

G. BOUDOL, Notes on Algebraic Calculi of Processes, in Logics and Models of Concurrent Systems (K. Apt, Ed.) NATO ASI Series F13, Springer-Verlag (1985) 261-303. G. BOUDOL, I. CASTELLANI, Concurrency and Communication, full version of this paper, in preparation (1986). S. BROOKES, W.C. ROUNDS, BehaviouraI Equivalence Relations Induced by Programruing Logics, ICALP 83, Lecture Notes in Comput. Sci. 154 (1983) 9%108. I. CASTELLANI, P. FRANCESCHI, U. MONTANARI, Labelled Event Structures: a Model for Observable Concurrency, in Formal Description of Programming Concepts 2 (D. BjCrner, Ed.), North-Holland (1983) 383-400. I. CASTELLANI, M. HENNESSY, Distributed Bisimulations, to be published (1985). Ph. DARONDEAU, L. KOTT, On the Observational Semantics of Fair Parallelism, ICALP 83, Lecture Notes in Comput. Sci. 154 (1983) 147-159. P. DEGANO, U. MONTANARI, Distributed Systems, Partial Orderings of Events and Event Structures, in Control Flow and Data Flow: Concepts of Distributed Programming (hi Broy, Ed.), NATO ASI Series F14, Springer-Verlag (1985) 7-106. P. DEGANO, 1%.DE NICOLA, U. MONTANARI, Partial Ordering Derivations for CCS, FCT 85, Lecture Notes in Comput. Sci. 199 (1985) 520-533. H.J. GENRICH, E. STANKIEWICZ-WIECHNO, A Dictionary of Some Basic Notions of Net Theory, in Net Theory and Applicatiens (W. Brauer, Ed.) Lecture Notes in Comput. Sci. 84 (198o) 519-531. J.L. GISCHER, Partial Orders and the Axiomatic Theory of Shuffle, Ph.D. Thesis Stanford University (1984). U. GOLTZ, W. REISIG, The Non-sequentialBehavlourofPetriNets, Information and Control 57 (1983) 125-147. J. GRABOWSKI, On Partial Languages, Fundamentae Inforn:mtlcae IV.2 (1981) 427-498. P.A. GRILLET, Maxima1 Chains and Antichains, Fund. Math. 65 (1969) 157-167. M. HENNESSY, R. MILNER, Algebraic Laws for Nondeterminism and Concurrency, JACM 32 (1985) 137-161. A. MAZURKIEWICZ, Concurrent Program Schemes and their Interpretations, Aarhus Workshop on Verification of Parallel Programs, Daimi PB-78, Aarhus University (1977).

137

[16] A. MAZURKIEWICZ, Traces, Histories, Graphs: Instances of a Process Monoid, MFCS 84, Lecture Notes in Comput. Sci. 176 (1984) 115-133. [17] R. MILNER, A Calculus of Communicating Systems, Lecture Notes in Comput. ScL 92

(198o). [18] P~. MILNER, CalcuIi for Synchrony and Asynchrony, Theoret. Comput. Sci. 25 (1983) 267310. [19] R. MILNER, Lectures on a CaIcuIus for Communicating Systems, Seminar on Concurrency, Lecture Notes in Comput. Sci. 197 (1985) 197-220. [20] M. NIELSEN, (3. PLOTKIN, G. WINSKEL, Petri Nets, Event Structures and Domains, Theoret. Comput. Sci. 13 (1981) 85-108. [21] D. PARK, Concurrency and Automata on Infinite Sequences, 5 th GI Conf. ,Lecture Notes in Comput. Sci. 104 (1981) 167-183. [22] C.A. PETRI, Non-sequentiaI Processes, GMD-ISF l~ep. 77-05 (1977). [23] G. PLOTKIN, A Structural Approach to Operational Semantics, Daimi FN-19, Aarhus University (x981). [24] G. PLOTKIN, An Operational Semantics for CSP, in Formal Description of Programming Concepts 2 (D. Bjcrner, Ed.), North-Holland (1983) 199-225. [25] H. PL[INNECKE, K-Density, N-Density and Finiteness Properties, in Advances in Petri Nets 84 (G. Rozenberg, Ed.) Lecture Notes in Comput. Sci. 188 (1984) 392-412. [26] V.R. PRATT, On the Composition of Processes, 9 th POPL (1982) 213-223. [27] V.R.. PRATT, The Pomset Model of ParalleI Processes: Unifying the TemporaI and the Spatial, Seminar on Concurrency, Lecture Notes in Comput. Sci. 197 (1985) 180-196. [28] W. REISIG, On the Semantics of Petri Nets, in Formal Models in Programming ((3. Chroust, E.J. Neuhold, Eds.), North-Holland (1985) 347-372. [29] M.W. SHIELDS, Concurrent Machines, The Computer Journal 28 (1985) 449-465. [30] J. WINKOWSKI, Algebras of Partial Sequences, FCT 77, Lecture Notes in Comput. Sci. 56 (1977) 187-196. [31] J. WINKOWSKI, Behaviours of Concurrent Systems, Theoret. Comput. Sci. 12 (198o) 3960. [32] G. WINSKEL, Events in Computation, Ph.D. Thesis, Edinburgh University (198o). [33] G. WlNSKEL, Event Structure Semantics for CCS and ReIated Languages, Daimi PB-159~ Aarhus University (1983). [34] G. WINSKEL, Categories of h~odels for Concurrency, Seminar on Concurrenc:~5 Lecture Notes in Comput. Sci. 197 (1985) 246-267.

CCS without "o's Rocco De Nicola* and Matthew Hennessy+ * Istituto di Elaborazione delrInformazione, CNR - Pisa +Computer Science Division, University of Sussex - Brighton

Abstract The main point of this paper is that one can develop an adequate version of CCS which does not use the special combinator z ¢br internal actions. Instead, the choice operator +, whose semantics" is somewhat unclear, is replaced by two new choice operators @ and [], representing internal and external nondeterminism respectively. The operational semantics of the resulting language is simpler and the definition of testing preorders is significantly cleaner. The essentialfeatures of the original calculus are kept; this is shown by defining a translationfrom CCS to the new language which preserves testing preorders.

1. Introduction In[MilS0], Milner introduced a calculus of communicating systems which is usually referred to as CCS. It consists of a language for defining communicating systems or processes, a semantic theory for these processes and a calculus for syntactically deriving semantic equivalences. The language is algebraic in nature; it consists of recursive definitions which use a small set of combinators. Each recursive definition or term in the language represents a process and each individual combinator represents an intuitive method for composing existing processes to form new ones. Since its publication CCS has been the focus of a considerable amount of research activity, mainly in the definition of alternative algebraic languages, lAB841, [BK84], [Miln851, [ISO86] and in the development of alternative semantic theories, [BHR841, [DH84], [dBZ82]. In fact these two activities are not unrelated: often the success and elegance of a tractable semantic theory depends on the syntax of the language to which it is applied. The purpose of the present paper is to show that by changing the syntax of CCS slightly, but retaining all of its essential features, we can obtain a much simpler semantic theory than both that originally presented in [MilS0] or in papers such as [DH84]. We start with a review of the language CCS and restrict our attention to the so-called pure version. The most complicated combinator is parallel composition 1: p t q represents a process which has two subprocesses running in parallel, p and q. To explain this construction we need to understand some conventions which are used in CCS. Communication takes place via ports, such ports can be barred, like 13-, or unbarred like t3. These pairs of ports are said to be complementary and processes communicate via

139

complementary ports: a communication or synchronization is taken to be the simultaneous occurrence of two actions: i) accepting a signal at a port such as [5; ~i) sending a signal at a complementary port such as ~-. Thus the combined process above, p I q, can either communicate with the external environment via any one of the ports of its subcomponents or there can be internal synchronizations between the subcomponents, one via the pair of complementary ports such as 13, 13-. There are other combinators which may be used to modify existing processes. For each action, say 15, there is a restriction operator ~ which hides the ports 13and 13% i.e. it makes them unavailable for external communications. There is also a relabeUing operation which simply relabels port names. The combinators we have seen so far do not allow us to define the dynamic behaviour of processes. To do so we have other combinators. For example for each port name a there is a unary combinator ~x.: o~.ris a process which can synchronize via a port labelled (x and then continue to act as process r. Thus processes can be viewed as machines which can perform certain kinds of actions. In pure CCS there is essentially one kind of action, synchronizing at a port. One possible definition of the processes p and q mentioned above, is given by the recursive defmitions: p <== a.lLy-.p

and

q <== l~-.8.y.q.

Conceptually processes can be viewed as black boxes with labelled ports at which they may communicate or synchronize. For example the combined process (p I q)~\y, can be represented by:

!

the only external synchronizations the process can perform are via a and 8. Moreover these are constrained by the internal synchronizations between 15and 15- and y and T- (represented by connected unlabelled ports since they are invisible to the external environment) in such a way that they can only be performed sequentially as in the process r defined by: r <== a.8.r. Indeed the semantics of CCS proposed in [Mil80] is such that these two different processes (p I q)k[]',7 and r are semantically equivalent and the Iaws of the calculus allow one to prove this equivalence using syntactic manipulations. However, two further combinators are needed both for expressiveness and for facilitating these syntactic manipulations. For example the simple process ct.p I 15.q exhibits nondeterministic

behaviour: it can either perform ct or 15. Semantically it is equivalent to the nondeterministic process c~.(p I 13.q) + 13.(cx.p I q). Here we have used the new combinator + : in general p + q can act either like p

140

or like q. So this term represents a process which can either do an o~and then do (p I 13.q), i.e. the residual of c~.p 113.q after performing ~, or do t3 followed by the residual after 13, c~.p I q. This new combinator is not sufficient to express all the forms of nondeterminism which CCS process can exhibit. For example the process (a.x + 13.y) 1(a-.x' + ?.z)\tx can either perform ~ or ? or there can be an internal synchronization between the ports c~ and oc-. To express this, a special action symbol, % is introduced which represents an internal synchronization which can not be influenced by the external world. Then we have the semantic equivalence: (o~.x + ~.y) [ (a-.x' + ?.z)\a = ~ .... + ?.... + z.(x I x'). (Here we have not included the residuals after 1~or 5). The extra term z.(x I x') indicates the possibility" of the process doing an internal move and then acting like the resulting process x I x'. Indeed, these two combinators + and "c play a fundamental role in the theory of CCS. They are used in the

Expansion Theorem of [Mi180] to show that every CCS process is equivalent to a purely nondeterministic process. In general specifications of process are given as nondeterministic processes while their implementations are usually built by combining subcomponents to run in parallel. The Expansion Theorem is used extensively to prove that specifications are equivalent to their implementations. Nevertheless the above mentioned combinators are unsatisfactory from many points of view. The semantic equivalences used in [MilS0] and [DH84], are not preserved by +: they are not congruences. Also + exhibits a rather complicated mixture of intuitively different forms of nondeterministic behaviour, often referred to as internal and external nondeterminism, see [Hoa85] or [OH861. In the process c~.p + J3.q there is external nondeterminism: if the user requests an c( synchronization the process will oblige and subsequently act like p whereas if 13is requested it will also be performed and the process will continue as q. Internal nondeterminism is exhibited in a.p + a.q and o~,p + ~.q. In the first cases the process will oblige when asked to perform an o~ synchronization but the user will have no control over which o f p or q the process will evolve to. The behaviour of processes such as c(p + "¢q is difficult to describe and the operational semantics given in [Mil80] is not very illuminating for such terms. Moreover the need for a special symbol "cto represent internal actions is counterintuitive; if the actions are internal and invisible there should be no need to refer to them in the language or calculus. The laws governing the manipulation of'c in the calculus [HM851 are rather mysterious and to date nobody has been successful in providing an intuitive and acceptable model which explains the nature of 1:. Our suggestion is to replace these two troublesome combinators + and "c with two new combinators [] and q3; intuitively [] represents external nondeterminism and @ internal nondeterminism. Both p[]q and p ~ q act either like p or like q but in the former the environment or the user decides whereas in the latter the decision is made internally and it can not be influenced by the user. The resulting language has all the desirable properties of the original CCS, at least if we base our semantics on the theory of Testing, [DH84], [DeN85b], and not on observational equivalence as in [Mil80]. The equivalence is preserved by all of the combinators, i.e. it is a congruence; we have a modified Expansion Theorem and a complete set of laws and the natural model Strong Acceptance Trees [Hen85b] provides a fully-abstract model. In particular this model gives an intuitive explanation of the two combinators [1 and q3 as functions over trees.

141

We now give an outline of the paper. We stm-t with a basic language BCCS (for Basic CCS) which con'~ins recursive definitions using the main combinators of CCS: * prefixing of actions, parallel composition, restriction and renaming. From this basic language we build two additional languages by adding new combinators. CCS (or more precisely "pure" CCS) is obtained by adding:

nondeterministic choice + and internal action ~. The new version of CCS, which we call TCCS for Testing CCS, is obtained by adding instead: external nondeterminism [] and internal nondeterminism @. For both CCS and TCCS we define a semantic preorder (which generates an equivalence in the natural way) denoted by -< and ~ respectively, In the case of CCS this coincides with the must version of the testing preorders defined in [DH841, and for TCCS it is the natural modification of this preorder. This semantic equivalence is quite different than that employed in [Mi180], observational equivalence, both in its definition and in the kinds of processes it equates. Indeed, to obtain our results it is essential to use testing equivalence rather than observational equivalence as in the latter setting the new operators can not express all the nondetermism expressible in the basic language BCCS. The definitions of the semantic preorders rely on an operational semantics for the languages and that for TCCS is somewhat simpler than the usual one for CCS. All of this is presented in Section 2. In Section 3, we recall the appropriate results for CCS from [DH84], show the modified Expansion Theorem for the new language TCCS and give a complete set of laws for the semantic preorder applied to this language. This last subject is merely sketched as it relies heavily on similar results in papers such as [Hen83], [DeN85b]. In Section 4, we give a translation from CCS to TCCS with the intention of showing that the use of the new operators does not change the essence of CCS. We hope that this is evident from the following properties of the translation , for every process p in the basic language, BCCS, p and its translation 1;r(p) are identical; for every pair of processes in CCS p _
2. Two Languages for Communicating Systems CCS and TCCS In this section we first present the two languages, then discuss the experimental setting for defining testinl equivalences, Both languages consist of a set of operators for constructing new terms from preexisting ones Agents of the languages will be closed terms (i.e. terms without free variables) which can be generated b3 the fotlewing BNF-like schema: ::= x I op(t 1..... tk), op E Y~kl rec x. t

142

where x is a variable and z k is a set of operators of arity k. We use Z to denote u {yk I k >_0}; the set of recursive terms which can be obtained once we have fixed Z will be denoted by REC Z. CREC E is used to denote the set of all closed terms. We will assume an uninterpreted set of elementary (atomic) actions which will be the basic constructors of our processes. In particular we will let • A = {a, 13,7... } be afixedset a n d A - = {cclc~e A }; A = A ~ A- (ranged over by X) be the set of visible actions.

.

The two language we will consider will share a number of constructors listed below together with a short comment on their intended meaning:

Inaction the term NIL is used to represent a process which never performs any action. Undefined the term f2 is used to represent the totally undefined process. Action if p is a term then Xp is a term which represents the process which can perform action ~ and behave like p.

Restriction ff p is a term then p\c~ is a term which represents the process which can perform the same actions as p apart for c~ and c~-.

Renaming if p is a term then p[qb] is a term which represents the process whose actions are renamings via qb of all the actions of p.

Synchronization if p and q are terms then p I q is a term which represents the process which can perform an arbitrary interleaving of the actions of p and q and additionally synchronize their complementary actions. We will call the language consisting of the above operators Basic CCS (BCCS) and use it to build both CCS and the proposed new language which we will call Testing CCS (TCCS). Terms of all the three languages will be built from the BNF-like schema above. In particular, when dealing with BCCS, we will have: ZOBccs = {~q, NIL}; ~;1BCCS = A w{ko~ I o~ e A} w { [~] I d) is a renaming of A which preserves complementation}; ]~2BCCS = [I]; 2 k c c s = 0 if k > 3.

2.1. C C S In this subsection we will give a brief summary of CCS and of the experimental setting and results presented in [DH84]. The resum6 will guide us toward defining experiments, preorders and equivalences on the modified version of CCS. CCS agents are closed terms which can be generated by the syntax above when we take E = ZCCS = EBCCS u [/, +} where z is a distinguished atomic invisible action not in A, and + is the so called choice operator, If t and u are CCS terms then t + u is a CCS term which denotes a process which can behave either like t or like u and the choice depends sometimes on the external environmem some others it is made internally. In the sequel we will let A u {'c} be ranged over by g. Moreover, we will let RECEccs denote the set of all CCS terms generated by the above syntax, ranged

143

over by t, u .... and CRECzccs will be used to denote the set of all closed CCS terms, with p, q .... as metavafiables. CCS has been equipped with an interleaving operational semantics based on labelled transition systems, the transition relation of which is defined by a set of transition rules over agents. A relation ----~--->,catled derivation relation, is defined, in the SOS style [Plo8t], with the intuition that agent t 1 may evolve to become agent t2 either by reacting to a X-stimulus from its environment (tl--X--~t2) or by performing an internal action which is independent of the environment (tl--Z--~t2).

Definltion 2.1.1 Milner's derivation relation tl---g---rt2 is defined as the least relation satisfying the following axiom and inference rules. Act)

ktt---~t---~t

Res)

t 1 ---~t--+ t2

implies t t ~ - - I . t ~ t2x,cx, ~t ~ {~,t~-}

Rel)

t 1 ---ix--> t2

implies tl[~] ---~(~t)---~ t2[qb]

Sum) t 1 ---kt--->t2

implies t l + t - - ~ t ~ t 2

and

t+t 1 ---tl--~ t2

Com) t 1 --Ix--> t2

implies tl!t---kt---~ t21t

and

tit1 ----~--* fit2

tl--X-->t 2 Rec)

and t'l--~.---~t'2

tl[rec x. tl/X]--kt--~t2

implies

implies

tllt'l--~--~t21t'2

rec x. Pl --'#"-> P2'

The derivation relation above completely specifies the operational semantics of CCS; a second level of CCS semantics is defined on top of this to obtain more abstract descriptions of system's behaviours. To this purpose, a notion of testing is introduced in [DH84] which is then used to define equivalence relations on CCS terms which allow one to identify agents which are "behaviourally" equivalent. In [DH84], processes which react in the same way to experiments performed by external observers are considered as equivalent. Observers are just terms over Y'CCS w {w}, where w is a distinguished action symbol, not in A, used as a special action which "reports success" of an experiment. This theory leads to three preorders on processes which are based on the possibilities processes have of always (must) or sometimes (may) satisfying observers. We will concentrate on one of the preorders discussed there, namely on the one which considers as satisfactory only those experiments (sets of interactions between a process and an observer) which always report a success. The outcomes of the interaction between processes and observers are obtained by studying the set of computations which take place because of synchrorfizations between processes and observers or because of silent transitions. To this purpose the notion of complete computation, i.e. of a computation which is either infinite or such that the terminal pair, <state of the process, state of the observer>, can not perform a further synchronization or silent move is very important. Also, to be able to describe the outcomes of experiments on partially specified objects and on terms specified via unguarded recursive definitions, [Mit80], a predicate .t, on CCS terms is also required:

144 Definition 2.1.2. Let $ be the least predicate on terms which satisfies i. 1"~L$, 3.p$, ii. p$ and q$ implies (p + q)$, (Plq)$, (P[q~])$ and (pko~)$ iii. (t[rec x. t/x])$ implies (rec x. t)$ The converse of $ is denoted by ]', i.e. p $ (read p diverges) if not p$ (read p converges). Based on the notions above and on CCS operational semantics we have: Definition 2.1.3 Ifo is an observer in RECEccs u (w} then: p must satisfy o if

whenever plo = Po[Oo-~-*PllOl-X-*.... is a maximal computation then there exists n > 0 such that On--W~ and PklOk]" implies Oh-W---~for some h < k.

¢

This predicate is the basis of the preorder on CCS terms reported below. In its definition and in the rest of the section, 0 is used to denote the set of all the observers in RECzccs u {w}" Definition 2.1.4. p _
2.2. Testing CCS an alternative to CCS The TCCS agents are closed terms which can be generated by the general BNF-like schema above with I; = Y--Tees= YBccs • {[], @} where @ and [] are two new binary operators called internal and external choice respectively. As with p + q we have that if p and q are TCCS terms then p @ q and p [] q are TCCS terms denoting processes which can behave either like p or like q. The choice in the case of p [] q depends on the external

t45

environment while in the case of p @ q is taken internally without the environment having any control over it. We will follow the same notational conventions of CCS also for TCCS terms but we will use capital letters instead of lower case ones. Namely, we will let RECETcC s denote the set of all TCCS agents, T, U .... will be used to range over it, and CRECETcc s will be used to denote the set of all closed TCCS terms, ranged over by P, Q ..... Also TCCS will be given a two level semantics; the first level is given by:

Definition 2.2.1 The n e w derivation relation consists of a pair of arrows, a labelled one, T 1-~N>T 2, and an unlabelled one, T 1 - - > T 2. It is defined as the least pair of relations satisfying the following axioms and inference rules. Act)

XT ~X~> T

Res)

T I ~)~> T 2

implies Tl\Ct -)~-> T2XR, 9~a {a,ot-}

T I - - > T2

implies TI",R - - > T2xR ,

TI-~->T 2

implies T I [~1 -~().)~> T2[~1

t I -~> T 2

implies T 1[~] ~ - > T2[~]

T 1 ~X~>T 2

implies TI[] T -)~~> T 2

and

T [] T 1 -~.-> T 2

T 1 ~~> T 2

implies TI[] TN~> T2 [] T

and

T [1 T 1 ~~> T [1 T 2

and

TIT 1 ~ , ~ > TIT2

Rel)

Ext)

Int)

TI@T 2~~> T 1 and

Com) T 1 -1~~> T2 T 1 N~_> T2 T 1 N~> T 2

Ree)

T 1 @ T 2 ~~> T 2

implies TllT ~)~~> T21T and T' 1 ~~,--> T' 2 implies T l t T - ~ > T21T

implies

T lIT' 1 - - > T21T'2

and TIT 1 - - > TIT2

rec x. T ~~> T[rec x, T/x]

Und) ~ ~ > The operational semantics of the two choice operators and the new invisible move, ~-->, which is different from -'~---~deserve some comments. We have that the two rules for ~ simply say that process P ~ Q could exhibit P's or Q's behaviour since it can perform an invisible move to any of them. In the case of [1 we have that process P [] Q can take a final decision as to which behaviour to exhibit only after performing a visible action; invisible moves leave the choice still open. As for the other operators, the above operational semantics is very similar to the one given in Definition 2.1.1 for CCS. Some differences are however worth noting. There is an axiom also for the undefined process fl and we take a different approach for determining the moves of recursive terms; instead of inferring the moves of a recursively defined term from the moves of their unwindings we simply have an axioms which allows unwinding. Note that they are the particular nature of the nondeterministic operator [] and the different kind of invisible moves which allow us to do this; had we done it for the original CCS and used "~to unwind recursive terms, the resulting semantics would have been very different because unwSnding could preempt occurrences of other actions.

146

As with CCS in the previous section, we can define a set of observers and a set of experiments to define a testing preorder on the new language. Observers are just terms over ZTCCS w{w). The set of all such observers will be denoted by 0 T. Now, the machinery outlined above for the original CCS and the operational semantics for TCCS allow us to have:

Definition 2.2.2. Given an observer O e 0 T we have: P M U S T SATISFY O if whenever PIO = PoIOo ~~> PIlO1 ~~>... is a maximal computation then there exists n _>O such that On--W->

*

Again, by using the above predicate a preorder on TCCS terms can be defined. Note that because of the new semantics for £2 and for recursive terms, we do not need to define any divergence predicate to be able to evaluate the effect of experimentations on underspecified processes or on processes specified via unguarded recursive definition. Indeed in these cases, we will always have an infinite computation from PIO which never reports success, and this means that for any observer O, which does not report success before starting experimentations, we have not( P MUST SATISFY O) whenever P is equal to ~2 or unguarded.

Definition 2.2.3. P <
Proposition 2.2.4. P <_
3. A l g e b r a i c

Characterizations

In [DH84] three sound and complete proof systems for CCS testing precongruences based on testing preorders are introduced which consist essentially of a set of axioms to manipulate process expressions, the usual rules about transitivity and commutativity and a form of m-induction. In [DH84] it is also proved that the set of axioms can be used to obtain three fully abstract models for CCS, i.e. models within which processes are distinguished if and only if they are distinguished by the associated set of tests. Moreover, the models, at first built in a very abstract way from the syntax of the language via a set of axioms [GTWW77], are proved isomorphic to a particular class of trees called Representation Trees. The complete set of axioms relative to the must based precongruence given in [DH84] can be ideally divided in two groups, namely those about the basic processes NIL and £2, the visible actions, the invisible action ~ and the choice operator + and those about restriction, relabeUing and parallel composition. Indeed, the axioms in the second group show that the last three operators are not primitive; every finite CCS term containing I, xt~ or [~] can be reduced to an equivalent one which does not contain these operators.

147

Also for the new language we are able to exhibit a complete proof system, which is based directly on the testing preorder and differs from the previous one only because of the axioms about the parallel composition operators and (obviously) because of the axioms about the new choice operators. Below, we show that the operator for parallel composition can also be expressed in TCCS in terms of more basic operators such as [], @, NIL, f~ and X. First, we fix some notation: If I = [il, i2 ..... in}, we will let o £ [Pi I i E I} denote Pil [] Pi2 [1 ... []Pin ifI ;~{} and denote NIL otherwise. ° I I { P i l i E I} denote PiI ~ P i 2 ~ ... @Pin whenever I e {}The new expansion theorem basically says that a process which can perform an internal communication can be seen as a process which can either perform one of these internal moves to become a new process or stay idle while all potential, visible and invisible, actions are possible. Theorem 3.1 (New Expansion theorem) ffP = ~ {XiPili~ I} andQ = ~ {vjQj Ij ~ J} then P I Q = EXT

if

= (EXT [] IICOM) ® I I COM

COM=~;

otherwise;

where COM= {PiIQj I X i = v j - a n d i e I, j e J))

and

EXT=Y. { ~ ( P i l Q ) l i ~ I}[]Z {vj(plQj Ij e J}

X [] X = X

EXT1

X [] Y = Y [1 X

EXT2

X [1 (Y [] Z) = (X [1 Y) [1 Z

EXT3

X [] NIL = X

EXT4

X@X:X

INTI

X@Y:Y@X

INT2

X@ ( Y @ Z ) : (Xff~Y) ~ Z

INT3

X@Y_<X

INT4

)~X @ IX,Y= X(X @ Y)

MIX1

LX [1 ~,Y = X(X @ Y)

MIX2

X if) (Y [l Z) = (X @Y) [1 (X @ Z) X [] (Y @ Z) = (X [] Y) @ (X [l Z)

MIX3 MIX4

~-~X

UND1

£~ [1X___

UND2 TABLE 3.1.: Axioms for primitive TCCS

148

We are now ready to give the set of axioms for the new language which are sound and complete with respect to the notion of testing defined in Section 2.2. As with CCS, we can define a complete proof system for TCCS and exhibit a concrete fully abstract model based on trees. The tree model turns out to be that of Strong Acceptance Trees discussed in [Hen85a] and [Hen85b]; it is also a subdomain of Strong Representation Trees of [DH84] which is obtained by removing some anomalies of the original domain, namely the dishomogeneity in the treatment of the labels for the root and the other nodes of the trees, which were introduced to deal properly with internal actions. The actual axioms are presented in Table 3.1 and Table 3.2, they have been split to separate those about TCCS primitive operators from those about the derivable operators.

NIL[dp] = NIL

REL1

(X [] Y)[~] = X[dp] [1 y[qb] (X @ Y)[¢] = X[~] q~ Y[q)]

REL2 REL3

~ x [ ~ ] = ~ ( ~)X[~l

I~IA

NILXa = NIL

RES1

(X [1 Y)\a = XXa [] Y'~

RES2

(X @Y)\(z = X~a@ Y'xa

RES3

(pX)Xa = ~(X',a ) NIL

RES4

if p v [ a , a - } otherwise

(X @ Y) 1Z = (X l Z) @ (Y t Z)

PAR1

l f P = E [ ~ i P i l i e I} andQ=Z {vjQj Ij e J} then P IQ= EXT if C O M = O ; = (EXT [] lqCOM) @ 1~ COM

otherwise;

where EXT = Y~ {)t.i(Pil Q) li e I}[] Y. {vj(P [ Qj I j ~ J} and

COM = {Pil Qj I k i = v j - andi ~ I,j E J})

PAR2

f~[¢] = ~

UND3

~\a

= D

UND4

PIg2 = ~

UND5

AlP=

UND6

f~

TABLE 3.2.: Axioms for TCCS derived operators

Indeed we have that the inequations in Table 3.1 are exactly those of [Hen85a], which are there used to characterize the initial algebra isomorphic to the domain of Strong Acceptance Trees. On the other hand we have that the laws in Table 3.2, apart for the expansion theorem, are the same as the ones given in [DH84]. These laws show that the axioms in Table 3.2 are sufficient to reduce every finite TCCS term containing I,

149

\(x or [(1)] to an equivalent one which does not contain these operators. The theorem below states soundness and completeness with respect to testing equivalence of the set of axioms contained in the two tables. We use A I- T _
4. T r a n s l a t i o n :

CCS

-4

TCCS

In this section we present a translation function, i v , which given any CCS term uses induction on its structure to translate it into a TCCS term. The translation leaves most of the language unchanged. In fact, t r , when applied to Basic CCS terms, is just ~ e identity function. It only erases "c actions and translates a term whose main operator is + to a term whose main operator is either [] or ¢ depending on whether + represents internal or external choice. In particular if the term which is translated can perform silent (internal) moves, both the internal and external choice operators are used for the translation; the internal choice operator is however the main one. If' the term to be translated can only perform initial visible moves then only the external choice operator is used to express it. Definition 4.1. t r is a function from RECEccs to RECZTcC s defined by structural induction as follows t r (N~L) = NIL tr(x) = x tr(~) = tr(~p) = ~r(p) t r ( ~ ) = t r (p) t r (p\a) = (tr(p))',a i v ( p i l l ) = (tr(p))[epl t r ( r e c x. p) = rec x. t r ( p ) t r ( p i q) = t r ( p ) I t r ( q ) t r ( p + q) = t r ( p ) [1 t r ( q ) if not ( p - - z - ~ p ' or q - - ~ - ~ p' for some p') t r ( p + q) = (tr(p) [] tr(q)) ¢ I I { t r ( p ' ) l (p--x-~p' or q--~-~ p'}. Some examples should help in understanding how the actual translation works.

150

Example 4.2 i) t r ( a N I L + ~ N m ) = ( a N m [] ~Nm) @ [~NIL; ii) t r ( ( a N I L + ~Nm) I ( a - N m + yqIL)) = ( a N m [] ~NIL) [ (~-NIL[] yNIL); iii) tr(rec x. ~x+ aNIL) = rec x. (x [] aNIL) @ x. Example i) above shows how we translate processes which can perform initial invisible actions. On the other hand, Example ii) shows that the translation of parallel processes is immediate, we simply translate separately the two parallel processes and put them in parallel. Finally, Example iii) shows how recursive terms which contain variables which are guarded by invisible actions are translated into terms defined via unguarded recursion; such terms will lead to diverging computations via infinite applications of the rule rec) of Definition 2.2. I. The translation given above does not change the essence of CCS. In fact, as we have already seen, the two languages share most of their operators, and we also have that the testing preorder defined for CCS and the testing preorder defined for TCCS induce the same identifications when applied to the common sublanguage BCCS. Moreover we can exhibit a theorem which shows that the use of new CCS operators for describing nondeterministic processes does not change the nature of the language whenever testing equivalence is used to describe abstract behaviours. In fact, we have that two CCS terms are identified by a testing equivalence based semantics if and only if also their translations in TCCS via t r are identified. Theorem 4.3. If p, q e CRECzBcC S and o ~ CREC~;BCCS ~ {w} then p must satisfy o if and only if p MUST SATISFY o. Theorem 4.4. If p, q are two CCS agents then p -
5. D i s c u s s i o n The main point of this paper is that one can can develop an adequate version of CCS which does not use the special combinator "~for internal actions. Instead we replace the choice operator +, whose semantics is also somewhat unclear, by two new choice operators @ and [], representing internal and external nondeterminism respectiveIy. The operational semantics for the resulting language is much simpler and the definition of the testing preorder is also significantly cleaner. The reader familiar with [Hoa85] will have already recognised our new operators: [] is the strict version, developed in [DeN85a], oft.he operator with the same name proposed in [BHR84] and @ is the version of fq discussed in [Hoa85] based on the operational semantics given in [Hen83]. In other words the purely nondeterministic part of our language more or less coincides with that of Hoare's language, TCSP. Both languages, TCCS and TCSP share this basis and differ only in the form of parallelism and abstraction they use. So here we have merely employed the theory developed in [Hen83], [Hen85a], [DeN85b] for

151

nondeterministic machines to explain the particular choices of parallelism and abstraction used in CCS (although the transition system on which our new operational semantics is based is somewhat different than that of [Hen831). We believe that this theory of nondeterministic machines is sufficiently powerful to explain many other choices such as those in [BK84], [Hoa85] and [Miln85], at least if one is willing to accept an interleaving semantics. Indeed, the semantics developed in [Hoa85] and [BHR84] for TCSP is entirely denotational and the choice of model has always remained formally unjustified. [Bro83] proposes a set of transition rules for TCSP, however there no account is given of the relationships between the induced operational semantics and the original denotational semantics based on refusal sets. [OH86] proposes another set of transition rules, very similar to ours, and uses the observational equivalence of [Mil80] to abstract from unwanted details, thus obtaining a new operational semantics for TCSP. The denotational semantics based on refusal sets is then proved consistent with respect to the obtained operational semantics, in the sense that it preserves all the operational equivalences between processes. However, no completeness result is given, which guarantees that the denotational equivalences between terms are only those operationally provable. Indeed, we have that the proposed denotational semantics is more abstract than the operational one. The testing preorder developed in Section 2 provides the necessary machinery for defining an operational semantics which is in full agreement with the denotational semantics in the sense that it identifies all and only the processes identified by the denotational approach'based on refusal sets. In fact, it is a simple matter to extend the testing preorder to the form of parallel composition used in TCSP. The domain of Bounded Refusal Sets [DeN85a], a modification of the original model dealing properly with diverging processes which is isomorphic to the Strong, Acceptance Trees of [Hen85b], is then fully abstract (consistent and complete) with respect to this behavioural equivalence. It is worth pointing out that the new operators [] and @ are no longer sufficiently expressive if we use observational equivalence in place of testing equivalence. One can easily argue that the term aNIL + xI3NIL can not be observationally equivalent to any purely nondeterministic process expressible in the language which has • and [1 in place of + and "¢, although we have not explained formally how observational equivalence is defined for the new language.

152

References [AB84] Austry,D. and Boudol,G. Algebre de Processus et Synchronization. Theoret. Comput. Sci. Vol. 30, No. 1 North Holland, Amsterdam, (1984). [dBZ821 de Bakker,J. and Zucker,J., Processes and the Denotational Semantics of Concurrency. Information and Control, Vol 44, Nos. 1-2, pp.136-176, (1982). [BHR83] Brookes,S.D. A Model for Communicating Sequential Processes. Ph.D. Thesis, University of Oxford. Also Carnegie Mellon University Internal Report, CMU-CS-149, (1983). [BHR84] Brookes,S.D,, Hoare,C.A.R. and Roscoe,A.D. A Theory of Communicating Sequential Processes. Journal ofACM, Vol. 31, No. 3, pp. 560-599, (1984). [BK84} Bergstra,J. and Klop,G. Process Algebra for Synchronous Communication, Information and Control, Vol 60, pp.109-137, (1984). [DH84] De Nicola, R. and Hennessy,M. Testing Equivalences for Processes. Theoret. Comput. Sci., Voi.34, pp. 83-133, North Holland, Amsterdam, (1984). [DeN85a] De Nicola, R. Two Complete Set of Axioms for a Theory of Communicating Sequential Processes. Information and Control, Vol 64, Nos. 1-3, pp.136-176, (1985). [DeN85b] De Nicola, R. Fully Abstract Models and Testing Equivalences for Communicating Processes. Ph.D. Thesis, University of Edinburgh CST-36-85, (1985). [GTWW77] Goguen,J.A., Thatcher,J.W., Wagner,E.G. and Wright,LB. Initial Algebra Semantics and Continuous Algebras. Journal ofACM, Vol. 24, No. 1, pp. 68-95, (1977). [Gue81] Guessarian,I. Algebraic Semantics. LNCS 99, (1981). [Hen83J Hennessy,M. Synchronous and Asyncbxonous Experiments on Processes. Information and Control Vol. 59, Nos. 1-3, pp. 36-83, (t983). [Hen85a] Hennessy,M. An Algebraic Theory of Processes. Lecture Notes, Aarhus University, (1985). [Hen85b] Hennessy,M. Acceptance Trees. Journal ofACM, Vol. 32, No 4, pp. 896-928, (1985). [HM85] Hennessy,M., Milner,R. Algebraic Laws for Nondeterminism and Concurrency. Journal of ACM, Vol.32, No. 1, pp. 137-161, (1985). [Hoa85] Hoare,C.A.R. Communicating Sequential Processes. Prentice Hall (1985). [ISO86] International Standard Organization, LOTOS - A Formal Description Technique. Internal Report Twente University of Technology and ISOfFC97/SC21 Draft Proposal 8807, (1986) [Mi180] Milner,R. A Calculus of Communicating Systems, LNCS 92, (1980). [Miln85] Milne,G. CIRCAL and the Representation of Communication, Concurrency and Time. ACM Toplas Vol. 7, No. 2, pp. 270-298, (1985). [OH86] Olderog, E-R, Hoare C.A.R. Specification-Oriented Semantics for Communicating Processes, Acta Informatica Vol. 23, pp. 9-66, (1986). [Plo81] Plotkin,G. A Structural Approach to Operational Semantics, Lecture Notes, Aarhus University, (1981).

A FULLY OBSERVATIONAL MODEL FOR INFINI'IE BEHAVIOURS

OF COMMUNICATING SYSTEMS Ph.

Abstr@~

This p a p e r

Darondeau

is concerned

with

*,

the

B.

Gamatie*

relation

of abstraction

between

operational

and

o b s e r v a t i o n a l m o d e l s for linear time semantics of C.C.S. We construct a compositional and f u l l y abstract model for CCS under infinite (program defined} experiments which gfve maximal power of separation. The construction is in two stages: In the first stage, we use a uniform procedure to translate structural inferential semantics into d e n o t a t i o n a l s e m a n t i c s ; terms a n d o p e r a t o r s a r e i n t e r p r e t e d b y sets of transition sequences and operators on sets of transition sequences. In the second stage, we derive the observational model from the operational model through an adequate homomorphism. The m o r p h i c images of transition sequences, or observations, a r e pairs finite The

<w,R>

or

<W, CO>, where R

(rasp infinite} observational

is a ready

set

sequence of transitions. m e a n i n g s of p r o g r a m s

observations for the order <w, RCYR'> C

<w,R> C

and

w

coincide <w, ~ >

(rasp

~

with

, is

the

visible

trace

of a

the a s s o c i a t e d set of maximal

.

I..~TRODUCTION This paper is concerned with the relation of abstraction between operational and observational models for 'linear' semantics of 'CCS' transition systems [26] [23]. O b s e r v a t i o n a l m o d e l s m e a n here 'fully abstract' m o d e l s for equivalences or preorders induced by (CCS) program defined experiments, such as 'tests' [22] [13,14]. The observational models are naturally homomorphic images of the operational models, but it is not so easy to find out the homomorphism induced by a family of experiments. Indeed, observational models cannot be defined by arbitrary homomorphisms ! A 'concrete' linear model for CCS is the operational model in which programs are rendered by sets of finite and infinite computations. An 'abstract' linear model for CCS is the observational model in which programs are identified if and only if no CCS experiment distinguishes between them. In spite of the effort on models

for testing preorders

[13,20], that very sensitive model has

not yet been worked out, for it has been shown in [10] that some infinite experiments are strictly more sharp than any family of binary tests (finite or infinite). There lays the motivation for the present paper, where we produce the expected model for the full version of pure CCS. Let us proceed to a rapid review of some existing approaches on the side of abstract models, independently of the h o m o m o r p h i s m s which induce them as quotients. First of all, one can distinguish between implicit quotient models and explicit models where explicit representations are dealt with [6] . Further separation may be observed between two classes of explicit models, namely the class of purely order theoretic models and the class of mixed space and order theoretic models. C l a s s i c ~-algebraic domains are most commonly used in models of the first class [7,13,19,20,24]. For the second class of models, the order relation is the reverse inclusion between closed subsets in some metric completion considered

(*)

rR;gA

of languages, trees or tree-languages [11,18,27], and since the spaces have denumerable bases, the resulting complete partial

- Camp,.,s

ae

r~ea.uL~eu

_

F 35o4z

RENNES

CEDEK

154 orders are again ~-algebraic. In the framework of explicit models, it is usually assumed that each element or open set of the denumerable base represents a property that may be tested under finite

finite time

experiments or

fail

[i] , i.e.

under experiments

[13]. Therefore,

identical

which either

meanings

are

succeed

in

necessarily

assigned to CCS programs which differ b y their ~-traces[10]. Notice that this situation is less frequent under the assumption of fairness, since fairness intensifies the separation power of tests, but it arises nevertheless. A possible way out is to work within the bounds of 'uniform' behaviours are then closed sets, and isomorphic semantics infinite streams and from finite observations particular, that property holds for the finite state

concurrency [12] : are obtained from

respectively [ii]. In subset of CCS, obtained

by forbidding the parallel composition and renaming of open terms[8]. There arises from the above review that no well known method is available for associating CCS programs with their compositional meanings under infinite experiments. We think of e x p e r i m e n t i n g on p r o g r a m u as running a maximal computation from the parallel system (t ~C[u]) for some testing program t and program context C. This definition, though a d e q u a t e to de Nicola and Hennessy's notion of testing, departs from it in the definition of the result of experiments. For us, the result of an experiment is the sequence of transitions of the testing program (along that experiment). On that basis, we equip p r o g r a m s with an 'implementation' preorder as follows: u is an implementation of v if and only if no finite or infinite experiment on u tells that it is not v [9,16,21]. The abstract model which we are looking for is the fully abstract model for this implementation preorder. Moreover, we argue that programs identified in that model must be identified in any other observational model, as soon as it relies on the above stated observation principles. Our approach towards the abstract model is progressive and rests entirely on the concrete model which we establish in a preliminary stage. The first stage is to discover the homomorphism which induces the abstract model. The second stage is to construct that model. The first stage amounts essentially to transfer the implementation preorder from programs to sets of computations and then to represent the latters by sets of pairs <w,~> or <w,R> where w is a 'trace' and R is a 'ready set'. On that way, we define an ordered algebra of abstract computations and prove that the abstract meaning of a program is the set of maximal representations of its concrete computations. The second stage amounts to supply a fixpoint characterisation of the abstract meanings of programs in the power algebra of abstract computations. Special difficulties are encountered here, for the 'suitable' fixed points are neither least nor greatest nor optimal fixed points. A plausible explanation for that misfit is the apparent contradiction between two opposite requirements imposed by full abstraction : inobservable actions (e.g.~) must be ignored in the domain of meanings, but they must be accounted for in the fixed point characterization of sets of infinitary traces. To solve the difficulty, we suggest to compute the 'suitable' fixed points as combinations of a least fixed point in the power algebra of abstract computations and of a greatest fixed point in the power algebra of coarse traces (with explicit ~'s). That m e t h o d has the default to split the meanings of open terms in two c o m p l e t e l y disjoint functions, but full abstraction is obtained at the level of closed terms which are given an ordinary compositional m e a n i n g in a single domain. The paper contains nothing about the proof theory for the equivalence in the resulting model. That issue will be considered in forthcoming papers.

155

2...~N OPERATIONALSEMANTICS.~ORPURECCS We p r e s e n t

here

a slightly

augmented

version

of M i l n e r ' s

'pure'

calculus

of

c o m m u n i c a t i n g systems [13,19,23]. The extensions affect u n g u a r d e d recursion and non d e t e r m i n i s t i c choice. As regards syntax, programs are the c l o s e d terms of a r e c u r s i v e t e r m algebra. As regards semantics, the o p e r a t i o n a l m e a n i n g s of p r o g r a m s are sets of t r a n s i t i o n sequences, d e f i n e d by a logical s y s t e m a la Plotkin

[25].

2. I. A syntax of programs We

assume

given

a set

X

(ranged

sets A and ~ of c o m p l e m e n t a r y { ( 1 ) = [ a n d ~ ( ~ ) = ~. A =A

u ~

action partial p(z)=z, The

rasp.

and ~

Throughout

M = Au{z}

(~M)

function

of our

(ranged over by oPi

~0

=

{NIL

Z 1

=

{~ / ~e M}

=

{I,

N

x)

= M~ We

where

call

and

two

almost

is

disjoint

bijections

~ rasp.

~ (~ A )

a renaming

p(9)=D

algebra

) are the following

variables,

we let k rasp.

{~},

such that

term

of

l i n k e d by reciprocal

unless both entities

recursive

Zi

by

names,

the paper,

inaction.

p from N to N

a n d p(~)= ~(p(~))

signature

resp.

is the

over

action

~:

9 range over

the

invisible

function

any

one-one

every-where,

Q(~)=~,

are undefined. is ~ = ~ 0 u

~I ~ ~

sets of i-ary symbols

' where

the

:

},

+,

u {p / p is a renaming

function},

e}.

Binary operators I, +, ~ are the u s u a l a s y n c h r o n o u s composition, choice a n d internal choice. The b i n a r y operators are u s e d in i n f i x e d

external form, the

guarding operators (~) are p r e f i x e d , and the renaming operators (p) are postfixed. O u r set of r e c u r s i v e open terms is the set T E R M with t y p i c a l e l e m e n t s t as follows : t = x In the

I o p i (tl,---t i ) I t wh above

function

D

valuations

line, with

(xl=t I ,...

finite

D(xi)=

ti

domain

(x i = tl,..,

xn

Xn=t n ) stands

= t n ). for

a

'declaration',

dom(D)={Xlt..~x n } ( c X

) and

i.e.for

a

corresponding

(6 TERM).

The o p e r a t i o n (.) wh D, when a p p l i e d to t e r m t, binds the free occurences of the x i to the t i in t and in the tj. R e c u r s i v e open terms are d e f i n e d up to the G - c o n v e r s i o n of t h r o u g h o u t the p a p e r no c o n f l i c t

arises

their bound variables. F o r all terms, that any two d e c l a r a t i o n s have disjoint

between

free v a r i a b l e s

and bound

we shall assume d o m a i n s and that

variables.

Owing

to

that

convention, the set theoretic union (D u D') of two d e c l a r a t i o n s occuring in a given t e r m is always a declaration. Terms without free v a r i a b l e s (i.e. closed terms) are c a l l e d p r o g r a m s . The m e t a v a r i a b l e s s, t, u, v will be u s e d to d e n o t e g e n e r a l terms, i n t e r e s t e d in programs

a n d in p a r t i c u l a r p r o g r a m s and in their computations.

(e

PROG).

We

are

mainly

156

2 . 2 . An operational semantics for programs A computation

is

between

programs.

visible

or

a finite

or

Transitions

invisible

actions

infinite are

sequence

either

(l or ~),

steps

or

of of

transitions

evolution

ti-Vi-gti+l

resulting

self-transformations

of

from

programs

with no a c t i o n involved. In the last case, label ~ appears as a w i t n e s s for the flow of time. According to P l o t k i n ' s method of structural inferential semantics, t r a n s i t i o n s are d e f i n e d b y a finite family of schemes of axioms a n d rules of inference

for relations

u _v_~ v in PROG x N

x PROG.

The set T of transitions

is the least subset of PROG x N x P R O G c l o s e d under f o l l o w i n g system, stated in G e n t z e n like style.

logical

inference

in the

AX I OM$. ~t -~-~ t t @ u -~-9 t ,

t @ u -$-) u

NIL wh D -~-~ N I L x W~ D

_C_+ D (x) w_h D

for D (x) d e f i n e d

(~t) wh D

-(;-+ ~(t wh D)

(tp) wh D

-(;--> (t wh D)

( t o p 2 u) W_h D

-(~-9 (t W_h D) oP2

(u ~th D)

(t w h D) w h D'

-~-~ t W/l (D u D')

RULES ( t+u -~-~ t')

(t -~-+ t')

( tlu

(t -~-~ t') ( (t-~-~

t')

, (u _l_+ u') (tp

(t -~-~ t')

Except

for

) ~

the

u-transitions

axioms are

( tlu -z-+ t'tu')

_p(D)_~ t'p)

( t oP2 u -~-)

(t -~-~ t')

, ( u+t -~-~ t')

-~-+ t'{u ) , ( ult -~-~ ult')

of

meant

i_~ p(~) defined

t'oP2

internal

to

give

u),

choice,

an

all

the

operational

d i v e r g e n c e due to u n g u a r d e d r e c u r s i v i t y are the c h a r a c t e r i s t i c m a r k of u n g u a r d e d

u oP2 t')

( u oP2 t -(~-9

axioms

flavour

to

: infinite sequences divergence.

and

rules

the

notion

for of

of u - t r a n s i t i o n s

2 . 3 . A concrete linear model A denotational c o m p u t a t i o n s can the

full

m o d e l w h e r e p r o g r a m s are i n t e r p r e t e d b y sets of i n f i n i t a r y be d e r i v e d from the above d e f i n i t i o n s (this is a c h i e v e d in

version

of

the

paper) . Such

a

model

is

a

bridge

between

the

o p e r a t i o n a l d e f i n i t i o n a n d the o b s e r v a t i o n a l m o d e l which we are l o o k i n g for, since the latter is n o t h i n g but a morphic image of the former. For the sake of conciseness, necessary

the

p r e s e n t a t i o n of the

description

We d e f i n e

*T

(resp.~)

that y6 .IN (resp. yE ~ u The f i n i t a r y functions,

resp.

operational

of the c o r r e s p o n d i n g as the

{~})

where t -)t means

set of sequences

and V i < y,

infinitary

model

domain

meanings

st or

(ti-Di-~ ti+l) of p r o g r a m s

t = £t or t =

is r e d u c e d

here

to the

of interpretation. (ti-Di-~ti+l)i
such

e T.

are given

(t -~-~ t')t':

by the

following

157

[I I] op : PROG -~ P (*T)

[I I]~ O p

: PROG -+ P

: [I t I] op = {re *T / t -+ t }, ~o

(~)

: [I t I] op = {t e ~ /

In the sequel,we let t range over ~ ,

t-> ~ }.

and we let Q range over P (~°T) .

The set oc~ m a y be o r d e r e d by. the p r e f i x order on sequences ; it may also be c o n s i d e r e d as a c o m p l e t e m e t r i c space, u n d e r the m e t r i c t o p o l o g y i n d u c e d by the u l t r a m e t r i o d i s t a n c e of [5].Limits in the Scott t o p o l o g y i n d u c e d b y the order p r e f i x coincide indeed with limits in that m e t r i c topology. Now, for t in PROG,

[ItN~op is prefix closed and t o p o l o g i c a l l y

closed,

and [Itl]*op is equal

to [Itl]~opc~ *T, whence [Itl]~op is the topological closure of [Itl]*opThe i n t e r p r e t a t i o n s Z-operators

9/~k : P(*T) k-) P(*T)

are the union additive

(*T) k -~ P(*T)

and ~ k

and ~ k

extensions

: (~)k_+p(~)

: p(~)k

of

'elementary*

of

the

convention

o p e r a t o r s are i m p l i c i t l y extended, w h e n e v e r necessary, extensions. However t h e r e is an e x c e p t i o n in the

(u-~-~v)"

:

w.r.t, c_ in the

that

functions

and

along union additive case of the 'funny

d e n o t e d ",", an operation which has a central

model and which is defined as follows

for the

operators D_llk :

(so they are continuous

complete lattices P(*T) and P ( ~ ) ) . In the sequel, we m a k e h e a v y use

concatenation'

_> p ( ~ )

importance

in our

• : T x c~]. __~ p(o~]r) :

~t = {~u' (u-~-+v) }'

(U-D--)V)" (ti-Di--)ti+l)iV) (ti-~)i--gti+!) i<~ / (V=to' ~
-+P(~),

and in the special case Q = O,

we set : (u-D-~v) "Q = {~u' (u-D-+v) }" The i n f i n i t a r y finitary continuous

operations

operations extensions

is as follows,

9-1~k :

~k

:(~)k

of the latter.

letting

CL(Q)

+p(~]-)

(*T) k _9 P ( * T ) , and

are strongly d e p e n d e n t

on the

for

as

The precise

Pref(t)

mean

they

are

statement

defined

the

of the dependence

respectively

the

topological

closure of Q and the set of finite prefixes of t : °P---k(~i' " " "~)

= CL(DIZk (Pref (ti) .... Pref (~)) ) .

The finitary operations 9 ~ k : (*T) k_+p(,][) are d e f i n e d by six families DI-D6 of inductive relations (drawn from the o p e r a t i o n a l d e f i n i t i o n of (2.2)). These r e l a t i o n s are also v a l i d for the i n f i n i t a r y o p e r a t i o n s ~ k , although they do not d e f i n e them. For that reason, the u n d e r l i n i n g or s u r l i n i n g of o p e r a t o r symbols is o m i t t e d from the f o l l o w i n g table. To keep r e a s o n a b l e notations, definitions,

we

let

ts =

(s-9-et)t t and

tu =

with t-+tt and v-->tv. The notation

(u-

"[cond,

cond then Q1 else Q2'" THE INTERPRETATI_Q~ OF E IN *T ~ ; D ~ NIL = {~NIL )

D_2 z(t t) = (~t - ~

t). tt

D-~ (~t)p = {£tp],

(ts) p = [D~ dom(p), D-{ ~t + ev = {~t+v } '

{~sp}~

-~v) tv

(sp _p(D)_~ tp) • (tt)p]

everywhere

in

the

QI, Q2]" reads as : 'if

158 (S+v _D_) t), t t ,

ts + 8v = [D~$, £t + tu = [D' #~, ts + t u = [D#~, u

(s + u _D_~ t)tt ' (s+u _D_~ t+u)°( t t + [~'~,(s

D ~ £t (9 gv = {Etev"

is(9 ~v

(S+V-~]-gt+v)'(tt + £v)],

(t + u _D'_~ v)" tv, (t+u _D'_~ t+v)°(Et + tv)] '

+ u -~'-~ v) tv,

(t(gv-~-9 t),

= {(s (9 v - ~

v}u

tu) ]

is+u -~'-~ s+v)-( ts + tv)]

(t(gv -~-~ v) ),

is (9 v - ~

s)ot s

(s (9 v -~-~ t (9 v)'( ~t(9 £v )' O],

U [ ~ = ~,

St (9 ~U = { (t (9 u -(~-~ t)} <9 (t (9 u -~-~ u)°t u U[D' = ~, t s (9 tu =

u - c o t • v).iete tv), 0],

(t

(s • u - ~

(s (9 u -O-~ s)° ts U U[D

=

u). tu

(s @ u - c ~ t e

C,

U [D' = ~,

(s • u - ~

u).( tt • tu), 0] s • v)o( t s G tv), O]

D6 ~t lev = {etlv}, ts [~v = ((s[vl - ~

itlv)).( ttJ~v~,

Et I ts = ((tlu) -%)'-') (tlv))'(E t I tv), tSl tu = ((S[U) _D__> (tIu))'( tt[ tU))

u

[~'=~eA,

The following propositions proposition [[ oPk(tl,---

hold

V oPk e ~

(is[u) -~-~ it[v)).( tt[tv),O]

:

, V ti6

PROG ,

tk)I]*op = 9/2k([I tl l]*op.... [I tk I]*op )-

DrODositiQn

V OPk e ~k, Vti 6 PROG

,

[[ oPk(tl .... tk)l]~op = ~k([l tl l]~op .... [[ tk l]~op) •

3.

AN OBSERVATIONAL PREORDER_WITH HIQH pOWER OF SEPARATION

Our f o r e t o l d objective was to develop for CCS a model in w h i c h programs identified

if

and

only

difference between them.

if

no

(CCS)

program

where u is said to be an implementation

only if no finite or infinite experiment 'experimenting'

parallel

system

on

program

(t ~C[u]),

result of the experiment

experiment

makes

the

In fact, we construct a model for an 'implementation'

preorder between programs,

of

defined

are

u

as

of v if and

on u tells that it is not v. We think

running

a maximal

for some t e s t i n g p r o g r a m

computation

t and context

on

the

C[?].

The

is the sequence of transitions

of the testing program

(along that experiment).

The introduction of infinitary

results,

the

"classical"

binary

results

of

tests,

is

motivated

by

as opposed to the

fact

that

159 infinitary results yield a strictly higher power of separation, highest possible $o,

any

power of separation

observational

model

quotient

(by some equivalence)

present

section,

implementation

we

give

between

as regards

on

and indeed the

CCS-programmed

CCS-experiments)

is

experiments.

necessarily

of the model which we are looking for. a

precise

definition

and

show

programs,

then

of

how

the

that

In the

relation

relation

a

of

may

be

transferred from programs to their associated sets of computations. We introduce

in this alinea precise terminology about computations.

denote some computation trN(t)

is the word (Di)i< ? of N ~, and the refined trace of t

is the projection on A ~.

If trA(t)

Let t

(ui -Di-) Ui+l)i< ~ in ~T. The coarse trace of t (denoted

~A(trN(~), is £

(denoted trA(t))

where N A is the usual morphism projecting N ~

(the empty

trace),

then

computation

t is said to be

s i l e n t . For t in PROG, we let MSC(t) be the family of M a x i m a l Sileni Commutations from t, that is to say, the set of computations which are maximal w.rot. ~ (the order prefix) a pair

of

minimal

computations

(w.r.t.

notation,

the

extensions, MSC

<2)

( t u ~ v)

in the

operations

is a p a r a l l e l

set

~k

{(~u, tv)

~rE

decomposition (tultv

: (~T) k -~ P ( ~ T ) ,

)).

and

of ~ if it is

(For the

their

union

ease

of

additive

are given the simpler notation oPk in the present section). For tE

(ulv), we let R2(~)

projecti~/l

in {t / t e [It l]~op A trA(t) = ~}. For ~ 6 MSC(ulv),

of

some

denote the set of computations tv which are the second

parallel

decomposition

(tu,tv)

of t.

Finally,

we

let

Twincomp be the set of parallel decompositions of maximal silent computations. definition Let u, v e PROG. Program u is observatienallv

le~_ than program v

(u ~< v) iff ~ t e PROG, ~ 2

(MSC(ult)) ~ H 2 (MSC(vlt)) . Program u is an implementation program

c o n t e x t s C[?]

,

where

Q~ program v a program

(u~v)

context

iff C[u] ~ C[v] is

a

closed

for all

term

with

possible occurences of the dummy constant "?". Examples • (u+v)~

The reader can convince himself that: u ~ u ~u + ~v,

~v+u~(u+v)

+ ~v,

• v,

(x w_hh x = ~x) ~

A natural way to find out a fully abstract model p r e o r d e r from p r o g r a m s to sets of c o m p u t a t i o n s resulting equivalence of sets of computations

u ~ ~ u,

(x w__hh x = x ) .

for_~< is to transfer that and then to analyse the

: the canonical morphism induced

by the equivalence yields the fully abstract model. This program is undertaken in the next series of statements. definition Let t, t' e ~ . Computation t is o b s e r v a % i o n a l l v _ ~ if kft"e ~]-, (t,t") 6 Twincomp

~

than computation t' (t~< t') if and only

(t',t") E Twincomp.

160 We let~< denote also the Hoare like extension of.~< to P(~°T) x P ( ~ T ) , the binary relation Q I ~ proposition 1

Let

of

¢~ (Vt 1 6

V u,v e PROG : u,~< v

definition property

Q2

t be

stabilitv

the

(Stable(t))

Q2, tl ~t2)oo

<=> [I u I] op ~< [I v H~°op

computation

e x t e n d e d b y any silent t r a n s i t i o n t is stable,

QI, 3 t2 e

that is

(ui-~]i-gui+l)i
if it is finite (for all

Then

(It 1= ~#£0)

t has

and cannot

(u-D-+v) e T, u = uy ~

De

A).

the be If

then ~ has a residue Res(t), defined as the ready set of u~{ r i.e.

as the set of labels

{}~6A

/(3 v,

(u?-l-)v)

e T)).

proposition 2 V t, t' e ~ , ~< t ' iff the following relations hold

:

- trA(t ) = trA(~'),

(Stable(t)

A

It' I ~£0)

~

(Stable(~')

^ Res(t')c_ Res(t)) .

The interest of propositions 1 and 2 is to suggest an abstract model for CCS, and a way to derive the semantics in that model from the operational semantics studied in section 2. In fact,

the observational

preorder~<

on programs

is not

p r e s e r v e d by all c o n t e x t o p e r a t i o n s a n d d i f f e r s f r o m the i m p l e m e n t a t i o n p r e o r d e r ~ ( o f course, the d i s c r e p a n c y between ~ a n d ~ s t e m s from the operation of sum (+)). In order to cope with the problem, we shall now try to guess the adequate transposition of the i m p l e m e n t a t i o n computations and sets of computations.

preorder

(from

programs) to

definition Let t, t' 6°~[. (~£t') -

if and only if the following relations hold

:

t~
- (Stable(t) A

Stable(t') A trA(t)

= £) ~

(Hz(trN(~'))

= £

P(~T)x P(=T), that is

We let ~ denote also the Hoare like extension of ~ to the binary relation Q I ~ Q 2

¢~

(Vile QI, 3 t2e Q2, t l ~ )

proposition 3 V u, v e PROG

:

One

the

of

the

main

proposition, that

goals

of

u ~v

i.e. the implication

result,

implementation

we

conclude

preorder

the

~

next

section

languages.

The variation

congruence

present

unguardedness

of

section

studied here coincides

recursive

to

[I v l]~op . establish

induced by

the

d e f i n i t i o n s from

on

a

u~v.

the

reverse

Anticipating

short

with a variant

w h e r e the inclusion

concerns the p h e n o m e n o n

relation

is

•

: [I u l]~op~ [I v I]~op ~

(see also [15] for a s t r o n g e r form), trace languages is r e p l a c e d by an the

[I u I]~op ~

[Iz (trN (t)) = ~).

remark: t h e

of that of

[17]

inclusion betweenfinitary between infinitary trace

of divergence. preorder "pure"

of

More precisely, [17]

divergence,

~eparates i.e.

the

presence of i n f i n i t e sequences of i n t e r n a l actions. This separation c o r r e s p o n d s to a further e x t e n d e d notion of t e s t i n g where t e r m i n a t i o n can be observed.

161

4. ABSTRACTCOMPUTATIONS

The s e c t i o n p r e p a r e s the c o n s t r u c t i o n of a m o d e l for the i m p l e m e n t a t i o n p r e o r d e r on p r o g r a m s . We d e f i n e 'abstract c o m p u t a t i o n s ' , which represent a c t u a l c o m p u t a t i o n s b y pairs e n c o d i n g their p r o p e r t i e s w.r.t, p r e o r d e r ~ . We then c o n s t r u c t an o r d e r e d Z - a l g e b r a of a b s t r a c t c o m p u t a t i o n s a n d lift the operators to the power algebra• We show the m o n o t o n y of the lifted operators, and s t u d y some p r o p e r t i e s of the r e s u l t i n g Z - i n t e r p r e t a t i o n . We then turn o u r s e l v e s to e s t a b l i s h a c o n n e c t i o n b e t w e e n the o p e r a t i o n a l i n t e r p r e t a t i o n (P(~), { ~ k } , E~ ) a n d the a b s t r a c t i n t e r p r e t a t i o n , and settle a morphic c o n n e c t i o n b e t w e e n the two ordered Z-interpretations. ~ e f i n i t i o n An

'abstract computation'

is a pair <w,R> of one of the forms

or or < z , i > or <~,S> where Z 6 A ~, The

set

(A, ~ ) of a b s t r a c t

z e A* and S is a finite subset of A.

computations

is p a r t i a l l y

order relation satisfying the following axioms,

ordered

by the

for z • A * and S " c

least

S'c S ~ A

< z , ± > E ~ E , . <£,S'>E<~,S'>~<~,S">E<£,~>.

The i n t e n t i o n s b e h i n d following statement. proposition follows : Itl = 0)

1 ~

that

(Vt, t' e ~T)

tc~'

$(t) =
Itl ~(0 A ~Stable(t)

~

definition

are

¢~ # ( t ) c @(t'),

^ (trA(t) ~g v

(Stable(t)

A trA(t)

completely

for ~ : ~ T - +

clear

A

in

defined

the

as

(0>

@(t) =
(Stable(t)

made

~(trN(t))

= g m ~%(trN(~))

i>

= £))

~(t) = (~(t) = < % R e s ( t ) >

~£))

PrOO[. The v e r i f i c a t i o n is straightforward, and we leave it to the reader as a useful exercise for a full u n d e r s t a n d i n g of the above definition• In all the sequel, we let a sets of abstract computations). on P ( A ) ,

(resp. A) denote abstract c o m p u t a t i o n s (resp. We also use c to denote the Hoare extension of

i.e. the relation A I ~ A 2 ¢~ ( V a l e

goal is to introduce

a series

OPk6E.

corresponding

Before

the

of e l e m e n t a r y

i n t r o d u c i n g an a u x i l i a r y operator (Q) which we define as follows• Let N = @

: N~x

(N × (£}) k2 ({~} × N)

N ~ -+ P ( N ~)

definitions on words,

<J {(l,~)

: N ~ -~ N ~ x

N~

morphisms ~;i :N*--}N* and ~/2 :N*-) N * X ~ *

• ~2(n) = n

for n e N,

3a 2e

are

n a m e l y the

/ ~ eA

is the function w ' O w "

for ~/i : N ~ -9 N°° and V2

AI,

operations

A2, a l ~ a 2 ) . oPk

Our next

: Ak--~ P ( A ) ,

given,

we

'parallel

}. The p a r a l l e l

need

for still

composition'

composition

= {w / (w',w") 6•2(•i-I(w)) }

defined as the continuous extensions oI as follows

:

162 ~2(nn')

=

(n]n'irn2n'2)

The e l e m e n t a r y

for

operations

of statements,

where

oPk

~;2(n)=(nl,n2}

: A k --> P ( A )

set brackets

and

~2(n')=(n'irn'2)

are given

are o m i t t e d

by the

from s i n g l e t o n

following

table

sets.

OF _~ IN

INTERPRETATION

D'I NIL = <~,~>, D'2 ~<w~R> = [~ E A,
{~}>, ] k)

~

(R 6 ~hen

{±,C0}

v w ~

[~t = ~, <w,R>,

{g,~}) <~w,R>]

[~ =t, <~,R>, <~,R>], D'~ <w,R>p

= /d[ w ~

(dom(p)) ~ then O

else

[R 6 {±,0)}, , <w,R> + <w',R'>

=

[(w ~ e v R = CO), <w,R> [{w' ~ £ v

R' = ~),

, [R = i, <e,±>

<w',R'>,

[(w = £ A W' = £ A {R,R'}C~ D'5 <w,R>

(9 <w',R'>

= {<E,I>,

D'~ <w,R>

] <w',R'>

= ~

else

if

<w,R>,

(R = I v R' = I

{<w",l>

else

{
v

/ w" e[I A R kJ

, 0]]

u

[R' = ±, <e,±>,

{3_,(0} = ~ ) ,

~]]

<J

,

~],

<w',R'>},

(R = CO v R' = (0)

then

p(R • dom(p))>],

Lhen

3%, l e R

{<w",

A

~e

co> / w" elJA(W

O w')

R')

(w O w') }

R'> / w" ellA(W 6) w~)}~

letting h(w")

=

[IIA(W")#£,

IIA

(w"),

[IIg(w")#£,

g, el].

In o r d e r to c o n s t r u c t the i n t e r p r e t a t i o n of the f u l l y a b s t r a c t m o d e l in prospect, we lift the a b o v e d e f i n i t i o n s to sets. However, we put s p e c i a l r e s t r i c t i o n s on the l i f t i n g process, for we care to obtain a complete partial order with m o n o t o n e and continuous operations. D e f i n i t i o n s follow. Our

domain

of

incomparable D=

{A 6 P ( ~ ) /

Thus,

interpretation

elements,

( V a l , a 2 6 A)

/) is the image of P ( ~ ) = {a E A / (Va'£

The

interpretations

formula

:

oPk

oPk(Al,...Ak)

p~oposition

2

set

(al~_a 2 ~ through

A)(ac_a'

of

subsets

possibility increasing chain

(A' is

roof(U that,

O)-ehain

roof

'roof' : P ( A )

((<S,±>)

A / A e D)). some

abstract

can exist by the d e f i n i t i o n

a

e

u

upper

Let's A',

(L9 oPk

-=

on A .

generic

(al,...a k) / a i e Ai)) .

are stated below.

suppose

there

by the

~3

semi-lattice,

computations of

-~'-+ D :

in ~ are g i v e n

~

Z-interpretation

is a complete

for of

pairwise

a'=a) }.

(3i, A i = O)

of the resulting (~, c, O)

function

~

b o u n d of subsets given by ~ D = roof( k)A / A e D). pToof It is e n o u g h to e s t a b l i s h the simpler p r o p o s i t i o n (kfA' 6 D)

of ~ with

a I = a 2) }.

: ~ k __>i] of o p e r a t o r s = if else.

Some p r o p e r t i e s

/) is the

i.e.

is (a i)

with the least upper

:

it is false; in

(LJA/A

with

e

then the only D)

a o = a.

a But

strictly no

such

163

p/Lqp_~sition 3 (D, E ,{oPk} ) is a continuous E-algebra. proo~

The

lemma

given

afterwards

shows

Continuity follows by the implication

that

operations

: aeoP2(~D,

A') ~

OPk

are

monotone.

3 Ae D, aeoP2(A,A')

and variants of it. lemma For any oPk in Z, for any ai, a' i in A , (a ~ < £ , ~ )

A (Vi, a i ~

a' i) ~

proof by systematic examination

and for any a in oPk

(al,..a k) :

(3a' e opk(a'l,...a'k) , a ~ a'). of all the possible cases

(left to the reader).

We finally establish the m o r p h i c connection between the o p e r a t i o n a l E-interpretation of section 2 and the abstract Z-interpretation of the present section. proposition.

4 Let

computations,

and let ~ : P<(~T)

~(Q)=

P~(~T)

roof(U{#(~)/t

(P<(~T),

denote

the

-~ D

and (D,

of

prefix

closed

subsets

of

be the function:

• Q}) . Then $ acts

{ ~ k / OPk e Z}, ~ )

set

like

{oPk},

a morphism

between

structures

~ ).

5. FULL ABSTRACTION AND TRACE_SS Our present goal is to establish full abstractness (w.r.t. the observational A preorder ~<) of the function [l.l]obs : PROG -~ D : NtNobs = ~ [Itl]'opWe recall from equivalence

•-a)

[22]

that

full

abstractness

[lUl]obsc [IVl]ob~ ~

Due to propositions 3.1, property of m o n o t o n v :

~ON)

expressed

by

the

logical

V c[?], C[u] £ C[v].

3.3 and 4.1,

V c[?],

is

FA follows

[lUJ]ob~ =_ NVl]ob~ ~

easily

from the

following

[IC[u]i]obS m [IC[v]1]ob~-

Indeed, the general version of MON follows from the specialized version given below for declaration contexts D[?] : A A ~ A (MON-D) V D[?], ~[lul]~op c_ ~[]vH o p ~ ~[I x wh D[u] l]~op _~ ~[[x W]l D[v] []~op" In the operational

model

sketched in

(2.3),

[Ix wh D[u]

l]~op turns out to be

the p r o j e c t i o n along the x-component of the greatest solution of a parameterized system Gu(~) of Z-equations in P(~T) n. The parameter of that system is Nu I] op and the interpretation

of E is according to the definition

given in (2.3). Now, M O N - D is a direct consequence of the following two implications, where l.f.p. (g.f.p.) is the combinator of least (greatest) fixed point in (P(~T),_c) n, I]x is the projection along x, and k is the componentwise

difference between vectors of sets

:

A A A (MON-LFP) ~[~UN~op C ~[Iv~]~op ~ ¢(l]x(l.f. p. ~ U ( ~ ) ) ) C

A

(MON-GFP)

A ~(l]x(l.f. p. Gv(~))),

A

~[lul]'opm ~[Ivi]~op $(l]x(g.f.p.Gu(~)

k 1.f.p. ~u(~_))) c_ ~(l]x(g.f. p. ~v(~{))).

184 Relation

MON-LEP

fixed points of

the

follows

easily

(of continuous

l.f.p,

eombinator

Relation MON-GFP is not d e v o t e d to that task.

from the usual

operators) (using

the

so e a s i l y

properties

: the trick morphic

proved.

of m o n o t o n y

is to shift

properties

The

remaining

of least

~ on the

of of

~

right

w.r.t.

the

~) .

section

is

Tra~s

We introduce is

the

states which

as

for

omitted.

As

are

valid

operations Omk:

a Z power

same

~k

(N*)k

Z

for

(P(N~)r

algebra

computations

: (N ~ ) k _) p ( N ~) -) P ( N * ) ,

finitary

of ~races

power

regards c o n t i n u i t y

CL(9~Zk(Pref(wl),... The

algebra

the

and

fixed

remain are

the

according

{~k},

~)"

points,

valid

in

the

extensions

of

to

The c o n s t r u c t i o n

computations, bu{

of

the

all

with

the

new

framework.

finitary

formula

~k

program

properties The

operations

(Wl .... Wk)

=

Pref(wk))).

operations

9/Ik are d e f i n e d

by the

also valid for the infinitary

operations~

the function:

(~B) U

DoB = {£,D} u

THE INTERPRETATION

following

inductive

k, where • : N

x P ( N ~)

relations, ~

P ( N ~)

is

(DPref(B)).

OF Z IN N *

AND N ~

D"I NIL = (g} D"2 B(w) D"3

= Bo{w}

(e) p =

{e},

(Dw) p =

[D £ dom(p) , { g } ,

D/Li £ + e =

Dw + S = D e { w } 9w + D'w' = D"5

E~£

=

~w @ S

~ I E=

=

£ + 1]w,

[n=$,$e(w+D'w'),

n°w] U

[D'=G, ~°(gw+w')t 9'°w']

{e,G},

= Co{gw}

9w ~ 9 ' w '

aZl

p(~)-(w)p ]

{£},

= ~gw,

= ~ 0 {gw} u ~°{D'w'}

u

[~ = c, ~ - ( w @ ~ ' w ' ) ,

u

[9' = ~, ~°(9 w @

0]

w'),

0]

{~),

~w!~'w'

= ~.(wI~'w') U

u ~'.(~wlw')

[~ = D ' e A ,

~°(wlw'),

~

]

IZ-VeCSand substitutions We

introduce

denote the

a countable

respectively

set of finite

it has an infinite to

indicate

finite with

that

set

of

variables

by Z ~ the set of finite a n d infinite number

T is

trees

on Z~I.

of operators

a finite

[ITI] in N ~.

A tree

T in Z ~

m a y be

The interpretation

with

typical

A tree

of

syntactic

is c a l l e d

interpreted

by

of finite trees

T', order,

element

Z-trees,

G on each infinite

approximation

and is less than T' in the usual

NIL.

I,

and infinite

a good

branch.

which

a corresponding is defined

We

tree

if

We use T<~T'

means

where ~

i.

and by Z~(1)

that

T is

is identified set

as follows

of words :

165 [! NIL

I] = {e},

[E ~T i] = ~'[l T l], [I oPk(T1 .... Tk)

I] = 9/~k([} T1 I],

The i n t e r p r e t a t i o n

.

o

.

[I Tk i])-

of infinite trees is d e f i n e d by continuous

extension of the

: HTH = CL(k9 [IT'I] / T'<~T).

finitary interpretation

We call ~ u b s t i t u t i o n a m a p p i n g S from I to N =. For T in Z ~ ( I ) , denotes the result of applying substitution S to tree T.

Sub(T,S)

Towards a proof of MON-GFP The following property of the projection operator I]A:P(N ~ ) - ~ P ( A ~) proposition

1 For any finite tree T and for any substitution

~A[ISub(T, S)l]

is useful:

St

= I]A[ISub (T, I]AoS)I].

We state afterwards proposition

2

satisfying

I]AoS(i)

Let

two other propositions T be

a

= S'(i)

good

tree,

which entail MON-GFP. and

let

S

and

S'

be

substitutions

for all i 6 I. Then for any word w 6 [[Sub(T,S)]],

either we [ISub(T',S)H for some finite approximation

T' of T, or [IA(W) = IIA(W')

for some infinite word w' in NSub(T,S')[]. proposition satisfying

3 S(i)

[ISub (T, S) l],

Let

T be

a

good

= I]AoS'(i)

tree,

for all

[IA(W) = ~A(W')

and

i e

let

I. Then

S

and

for

S'

any

be

substitutions

infinite

w o r d w in

for some infinite word w' in [[Sub(T,S')I].

6. H E F U L L Y OBSERVATIONAL MODEL

The

declared

o b j e c t i v e of the p a p e r

was to supply

model,

where the gauge for the c o m p a r i s o n

family

of C C S e x p e r i m e n t s

function

with

[I.l]obs: PROG - + D ,

continuous

algebra

(D,

infinitary

results.

stated in section c

{oPk})

is

CCS with

of programs

the

a fully

abstract

is the largest

possible

The

5, allows

full

abstractness

us to assert

interpretation

of

such

of

that the a model

A

Further,

the

relation

construction the

of the

operational

transposition (X-9

D) . A

replacement

[[tHobs = #[ItN~op suggests

abstract

model

through

is a m e a n i n g simple

model. The m e t h o d the

abstraction

function

optimization

of

Vobs the

us a m e t h o d amounts

for the explicit

to a t r a n s p o s i t i o n

morphism

~. The result

: TERM --> (ENV -9 D ) ,

where ENV =

transposition,

the

of Vobs[It wh ~I] (e) by V obs[Itl](e)

namely

I.

V o b s [~ x l](e) = e(x), Vob s [I oPk(tl,---tk)

uniform

yields the following definition.

THE S~ECIF!CATION OF V o b s

2.

of

of the

~](e) = op k( Vobs[~ t I ~(e),...Vobs[Itkl](e)),

166

3. If D = (x I = Vl,... Let ~ = (Xl,...Xn), For X i •

D

x n = Vn) ' ~ = (Xl,...Xn),

and F i : ENV -9 D

F i (e) = Vobs[~Vi~ (e) , then

given by Vobs[It wh DI] (e) =

VobsNtl] ( e [ f i x D - r ( e [ ~ / ~ ] ) / = ~{rk:

The

everywhere There

specification

] ).

remains

in the d e f i n i t i o n of D

remains

• = (FI,...F n)

to give the

correct

if

<w,l>

is

converted

right d e f i n i t i o n

for the

f i x e d point

fix D , where the notation indicates a possible dependence

= {a e A / Va'e

omega(B)

A, a Ea' ~

= {<w,~> / w= ~A(W')

fixD.~(X)= ~OOF(I.f.p.

F(X

letting ~ = (F~ .... F~) and F~ : ( X

: ) %~ O ~ G A

(g.f.p. ~ ( ~ ) ) ) ,

--)P(N~))

P ( N ~))-9 P ( N ~ ) )

-+ P ( N ~ ) :

Vtr is o b t a i n e d

by

a transposition

However,

in the for

propositions of Vob s at

specification

all

proper

5.2 and 5.3. the

level

auxiliary m e a n i n g

of Vtr(t),

subprograms programs

function

and

operational

That

meaning

~(ti-Di-gti+l)i
we let ~A(Vobs(U))

u of t.

Furthermore,

of

= Vtr[IVil](e)

~w' for some <w',R'> ~A}.

of the

function through the abstraction morphism V: (~T)-gN~:

~([lul]~op)

Fq(e)

the auxiliary m e a n i n g function d e f i n e d

afterwards. Let ~ A : D - 9 P ( N ~) be the 'projection' ~ A ( A ) = { ~ A ( W ) / W function

s.t.:

:

- For closed declarations D, we state

The

functions

a' = a} and

for some w' 6 B ~ N ~ ] .

- For open declarations D, we state f i x D . ~ ( ~ ) = 1.f.p.F(~).

for Vtr: TERM -~ ( ( X - 9

combinator

on declaration D. The

results p r e s e n t e d in section 5 lead us to p r o c e e d as follows. Let roof : P ( A ) --> D and omega : P ( N ~) -9 D be the roof(A)

into

and the related operations.

play the role of

replacement

agrees

with

it affords a compositio]l~

expression

closed

though

declarations,

even

an

is called for. We also p r o c e e d to the optimization

of the transposition by reducing uniformly Vtr[It w h ~I](e)

to

Vtr[Itl](e).

T~E SPECIFICATION OF Vtr

0. If t6 PROG then otherwise

Vtr[It~](e) = [IA(Vobs[Itl](e')) VtrHtl](e)

for arbitrary e ~ •

is defined by relations

1 to 3.

I.

Vtr[IXl](e) = e (x) ,

2.

Vtr[~OPk(t 1 .... tk) l](e) = oPk(Vtr[~tll](e) .... Vtr[Itkl](e)),

3' .If D is a ¢losed declaration

(x I = vl,.., x n = v n),

let HDNob s = ( Vobs[IX1 wh Dl](e') ..... Vobs[IX n wh D] (e')), for arbitrary

e'e

(X-+

D),

and let ~ = (Xl...Xn),

Vtr[It W ~ D ~](e) = VtrHt~( e[[1A([IDnob s) / =]), 3" .If D is an ~ let

declaration

-~ = (Xl, ...Xn) ,

(x I = Vl,... Xn = Vn),

X = (Xl,...Xn),

F = (F I, ...F n)

then

( X -9 D),

167

for X ie

P ( N ~)

and F i : (X

-~ P ( N ~ ) )

g i v e n b y F i (e) = ~,Vtr[IVil] (e) , Vtr[It ~ h D l](e) The outcome 2heorem. and thus

V t e PROG, Vob s

then

= VtrHtl](e[g.f. p.

of the definitions

-9 P ( N ~)

F

(e[~

is t h e f o l l o w i n g

/ s]) result.

Vobs[Itl] (e) = #[Itl] op f o r a r b i t r a r y

is a f u l l y

abstract

model

/ ~])

environments

e

: X

-~ ~ ,

f o r CCS.

BIBLIOGRAPHY

[i]

A b r a m s k y S. Experiments, Power domains, and Fully Abstract Models for Applicative Multiprogramming FCT 83, Borgholm Springer-Verlag, LNCS 158 (83) pp. 1-13

[2]

A r n o l d A., D i c k y A. An Algebraic Characterization of Transition System Equivalence, Report 1-8603, Universit@ de Bordeaux {86)

[3]

B e k i c H. Definable Operations in General Algebras, and the Theory of Automata and Flowcharts, IBM Laboratory Vienna (69) also in: Programming Languages and their Definition, selected papers of H. Beki$ , Springer-Verlag LNCS 177(84)

[4]

B e r g s t r a J.A., K l o p J.W., O l d e r o g E.R. Readies and Failures in the Algebra of Communicating Processes, Report CS-R8523, CWI, ~ s t e r d a m (85)

[5]

Boasson

[6]

B o u d o 1 G. Notes on Algebraic Calculi of Processes, Logics and Models of Concurrent Systems, K. Apt. ed, NATO - ASI -Series, Springer-Verlag (85) pp. 261 - 304

[7]

B r o o k e s S, R o s c o e A. W. An Improved Failures Model for Communicating Processes Seminar on Concurrency, Brookes Roscoe Winskel eds. Springer-Verlag, LNCS 197(85) pp. 281-305

[8] [9]

D a r o n d e a u Ph. K o t t L. On the Observational Semantics of Fair Parallelism, ICALP 83, Barcelona, Springer-Verlag LNCS 154 (83) pp. 147 - 159 D a r o n d e a u Ph. About Fair Asynchrony, TCS 37 (85) pp. 305 - 336

[i0]

"

[ii]

d e B a k k e r J . W . , M e y e r J . J . C h . , O l d e r o g E.R. Infinite Streams and Finite Observations in the Semantics of Uniform Concurrency, ICALP 85, Naflion, Springer-Verlag LNCS 194 (85) pp. 149 - 157

[12]

de Bakker J.W., Meyer J.J.Ch., Olderog E.R., Transition Systems, Infinitary Languages and the 17 TM ACM STOC, Providence (85) pp. 252,262

[13]

d e N i c o l a R., H e n n e s s y M. TCS 34 (84) pp. 83-133

L.,

Nivat

M.

Adherences of Languages,

JCSS 20 (80) pp. 285 -309

Separating and Testing , STACS 86, Orsay, Springer-Verlag LNCS 210 (86) pp. 203 - 212

Z u c k e r J.I. Semantics of Uniform Concurrency

Testing Equivalences for Processes

168 [14]

de

[15]

Gamatie

Nicola R. Testing Equivalences and Fully Abstract Models Processes. Ph. D Thesis, University of Edinburgh (85)

for Communicating

B.

Observational Congruences of Non Determini'stic RR - 254 - IRISA Rennes (85)

and Communicating

Finite Processes

[16] Safe Implementation MFCS 86, Bratislava,

Equivalence

for Asynchronous

Springer-Verlag

LNCS

233

Non Deterministic

Processes

(86)

[17] Towards Specification and Proof of Asynchronous Systems, STACS 86, Orsay, Springer-Verlag LNCS 210 (86) pp. 203 - 212

[Z8]

Golson W., Rounds W. C. Connections Between two Theories Metric Spaces and Synchronization Trees Information and Control 57 ( 8 3 ) pp.102-124

[Z9]

Hennessy M., Plotkin G. A Term Model for CCS Springer-Verlag LNCS 88 ( 8 0 ) pp.261-274

[20]

Hennessy

[21]

Jorrand P h Specification of Communicating Processes and Process Correctness, 5 TM Int. Symposium on Programming, Turin Springer Verlag LNCS 137(82) pp.242-256

[22]

Milner

[23]

"

M.

R.

Acceptance

Trees,

Fully Abstract Models

A Calculus

of Communicating

JACM 32

(85)

pp.

of Typed lambda-calculi

Systems

,

Springer

of Concurrency

896 - 928

,

Implementation

TCS 4 (77) pp. 1 - 23

- Verlag LNCS 92

Hoare C.A.R. Specification Oriented Acta Informatica 23,1 (86) pp. 9-86

[24]

Olderog E. R., Processes ,

[25]

Plotkin G. A Structural Approach to Operational Semantics, Rept. DAIMI - FN - 19, Univ. of Aarhus, Computer Science Department

(81)

Pnueli A. Systems,

[27]

Rounds W. C. On the Relationships Between Scott Domains, Synchronization and Metric Spaces, Information and Control 66 (85) pp. 6 - 28

[28]

Tarski

A.

A Lattice Theoretic Journal

of Mathematics

Structures in the Semantics Springer - Verlag LNCS 194

for Communicating

E26]

Pacific

Linear and Branching ICALP 85, Nafplion,

Semantics

(80)

Fixpoint

Theorem

and Logics of Reactive (85) pp. 15 - 32

and its Applications,

5 (55) pp. 285 - 309.

Trees

SMOLCS-DRIVEN

CONCURRENT

CALCULI

Egidio Astesiano - Gianna Reggio Department of Mathematics, University of Genova Via L.B. Alberti 4, 16132 Genova, Italy Abstract It is shown how to derive, following the principles of the SMoLCS methodology, a family of calculi, suitable for the specification of concurrent systems and languages. A calculus consists basically of a language for expressing behaviours and their parallel composition together with the rewriting rules defining their semantics; formally it is a calculus associated to an algebraic parameterized specification: for every choice of the parameters we fix one calculus in the family. The distinguishing feature of our calculi is that the combinators for behaviours include functional abstraction and application, so that behaviours can be passed as arguments and obtained as results of functions; in general behaviours can be seen just as a data type and in this sense our calculi can be higher order calculi with behaviours as fast class objects. 0 INTRODUCTION 0.1 Generalities on the SMoLCS approach SMoLCS is an integrated methodology for the specification of concurrent systems and languages developed mainly by the authors (JAR1, AR3]), in cooperation with M.Wirsing ([AMRW, ARWl]). The typical fields of application of SMoLCS are large systems, multilevel architectures built from systems with different granularity, complex concurrent languages with modules and interference between sequential and concurrent features. For the specification of concurrent systems, SMoLCS has been applied to specify the internode communication architecture of the project Cnet (a local net of workstations) (see [AMRZ1, AMRZ2]). As a method for the specification of languages, it is the methodology chosen for the formal definition of the dynamic semantics of Ada ® in the CEC-MAP project ([AGMRZ, CRAI-DDC]). The roots of SMoLCS, both for inspiration and technical ideas, are in the work of Milner on CCS and SCCS [M1, M2], of Plotldn [P] on SOS, of Broy and Wirsing on partial data types [BW1, BW2] and of Wirsing and Sannella on algebraic specification languages [W, SW]. On these roots SMoLCS has grown into a precise coherent framework, whose distinguishing features we briefly summarize. The specification of a system is obtained as an instantiation of a parameterized data type, following a schema based on an operational intuition of a process as a labelled transition system and of a concurrent system as resulting from the composition of the component subsystems. The abstraction from the Workpartly fundedby CNR Italy and MP140%. ® Ada is a registeredtrademarkof the U.S. Government,Ada JointProgramOffice.

170

operational intuition is obtained by a schema ensuring the existence of an observational semantics, represented by an algebra. By concurrent system we mean a labelled transition system built from some subcomponents: these subcomponents are of two kinds: active, called process~, and passive, called global objects. Each active subcomponent is in turn modelled as a labelled transition system. A transition represents an action and the difference between the two kinds of subcomponents is that the passive ones cannot perform any transition by themselves; they change their states only as a consequence of a process transition. A state of a concurrent system is modelled as a set of states corresponding to its subcomponents; the transitions are inferred from the transitions of the active subcomponents in three steDs: synchronizatig~, narallelism, monitoring. This SMoLCS schema can be expressed in an algebraic parameterized way so that every instantiation on the appropriate parameters, defining the information for synchronization, parallelism and monitoring, is an abstract data type (see [AMRW, ARW3]). The definition of a SMoLCS specification of a system is modular and hierarchical. More precisely every composition step is a parameterized abstract data type specification: for example the synchronization step STS takes as parameters the specification of a transition system PROC-SYST (representing the processes) and an algebraic specification GOBJ (representing the global objects) and gives a labelled transition system STS(PROC-SYST, GOBJ) whose transitions represent the synchronous interactions between processes. Together with an initial algebra semantics, corresponding to an operational semantics, the SMoLCS approach supports, with explicit linguistic constructs, the definition of an observational semantics again via a parameterized abstract data type specification, where the parameters correspond to a formalization of the observations. Every instantiation of such schema admits a terminal model, called concurrent algebra, in which two states of the concurrent system are equivalent if and only if they satisfy the same observations; moreover every subcomponent of the state gets an observational semantics by closure with respect to state contexts (see [ARWl] for foundations). Note that this is just an existential definition, to guarantee consistency; for any instantiation such observational semantics has to be characterized more explicitly, by suitable equivalences on the derivation trees associated to states and subeomponents. The above schema permits to formalize observationally various semantics as inpuVoutput, streams semantics, strong equivalence, classes of bisimulation equivalences and test semantics. The SMoLCS semantic d..efinition of a langu.a.g~is compositional (i.e. is a homomorphism from a syntax algebra into a semantic algebra). It is done in two steps (see [AR1]): in the first a set of clauses, called denotational clauses, one for each syntactic clause, defines a translation into an intermediate language, with appropriate combinators for handling concurrency; in the second, a SMoLCS specification is given of the abstract concurrent system corresponding to program executions, with its semantics defined by an appropriate concurrent algebra. The denotational clauses can be given both in the Oxford continuation style ([AR1]) and in the VDM-like direct semantic style ([AR2]) also for a comparison; but note that they can be seen just as algebraic axioms, that the general semantic definition is just the specification of an abstract data type.

171

0.2 Concurrent calculi The main aim of SMoLCS is to provide a precise formal framework which can be adapted to the level of the system to be specified. Then, since the overall approach is that of partial abstract data types [BW2], in order to derive the properties of the specified objects we can use an adaptation of the usual machinery of partial abstract data type specifications. This machinery consists mainly of the proof techniques associated to a specification seen as a logical rewriting system and of the associated tools. In particular for the specifications we use in SMoLCS, an initial model always exists where equality and definedness coincide with provable equality and definedness. Hence a calculus is naturally associated to each of our specifications; because of the form of the axioms, it can be seen that this calculus corresponds to an operational semantics for the specified concurrent system. As for the tools a specific rapid prototyping tool has been developed for SMoLCS ([Mo]) which is a variation of the RAP system [H], specially tailored to the structure of SMoLCS. It consists of a concurrent symbolic intepreter, which can derive transitions for a specified concurrent system, and of a translator which, taken the denotational clauses specifying the semantics of a language, can convert a source program into a program written in the intermediate concurrent language. In the above sense a SMoLCS calculus is the one associated to a SMoLCS specification. In the ~ t ~ of the paper we illustrate this point of view by means of an example, which also introduces the use of processes as data types and of functional combinators. Correspondingly to the parameterization principle of SMoLCS, within a schema for defining synchronization, parallelism and monitoring, one can define for each specification appropriate combinators on processes. This possibility enhances flexibility and allows to write high level specifications, without the need of, so to speak, translating into a fixed language. However all this freedom has its own disadvantages, especially for deriving properties of the specified system. Indeed, to this end it is much easier to have a fixed set of combinators, with a well established set of properties. We propose in this paper a balance between these two attitudes, consisting in a family of calculi, where we have a fixed set of combinators for describing a kind of basic processes, called behaviours; but where there is room for fixing some parameters related to various data structures and to decisions about the interactions between processes. The result is a parameterized calculus, which is introduced in the 12~ of the paper. The two essential features of this calculus are the use of functional combinators and the possibility of having processes as data types. One of these calculi has been used as the intermediate language in the two steps SMoLCS definition of Ada [CRAI-DDC], a project where we have learnt, for example, that the use of functional combinators is essential for giving denotations to procedures as functions from values into processes, and for keeping high-level and modular the definition Then in the third Dart we begin to study the properties of our combinators w.r.t, a basic observational equivalence, corresponding to the strong bisimulation equivalence of Milner and Park. Under some restrictions, various properties of combinators are shown, nicely corresponding to our intuition. But all the given properties hold without restrictions for the full calculi and a generalized notion of strong equivalence; the complete theory will appear in a more technical paper.

172

1

SMoLCS S P E C I F I C A T I O N S AND C A L C U L I

Technical

preliminaries. In the following we refer to [BW2] for a precise definition of the concepts

related to abstract data type techniques; but let us give some informal expIanations. By an abstract data type specification we mean a signature and a set of axioms. Since we use a partial data type approach, i.e. the value of an operation can be undefined for some arguments, also definedness predicate symbols are used, one for each sort, to say that an object is defined; all are indicated by D (the sorts can be deduced from the context). Axioms are always first order formulas in positive conditional form, i.e. of the form A e i ~ e, where e can have form either D(t) or t 1 = t 2 and e i can have form either D(t i) or i

(D(ti) A ti = ti'). It is assumed that every axiom is implicitly universally quantified over all variables, but variables can only range over defined values in the interpretation. Terms and axioms are interpreted in partial algebras, which are structures consisting of a set of carriers, one for each sort in the signature, and a set of (.partial) functions corresponding to the interpretations of the operation symbols (including the definedness predicates, which are assumed to be total, i.e. either true or false on every element). There are two other important points about interpretation: first, t 1 = t 2 is true iff either both t 1 and t 2 are defined and equal or both are undefined; second, the functions are strict, i.e. if Op(tl,...,tn) is defined, then all t I .....tn are defined. In the following we will use some notations which we now explain. Let S, O, F be respectively a set of sorts, of operations and of positive conditional axioms and A = (ZA,FA), B = (ZB,FB) be two specifications: then -

sorts S o p n s O axioms F denotes the specification having for signature (S,O) and axioms F;

-

A+B denotes the specification having for signature (Sorts(ZA) u Sorts(ZB),Opns(ZA) u Opns(ZB))

-

enrich A by sorts S opns O axioms F denotes the specification

and for axioms F A U FB; A + ( sorts S u Sorts(ZA) opns O u Opns(Z A) axioms F ); - A[srtTsrt] denotes the specification A where the sort srt is renamed srt'. A r u n n i n g example. By means of a concrete example we first illustrate the main features of a SMoLCS specification, i.e. of a specification of a concurrent system obtained by instantiating the SMoLCS parameterized schema. The example is also meant to show how processes can be considered as data and later will be extended to handle parameterized process types, by introducing an algebraic version of function spaces. Finally we will discuss how a concurrent calculus is associated to the given specification. As an example we consider the formal description of a class of simple concurrent architectures, indicated by PD. Each architecture consists of (a varying number of) processes and (a fixed number) of buffers shared among processes. Each process has a local (private) memory and an instruction part defining its activity. Processes can communicate between them by exchanging messages in a synchronized way through channels (handshaking communication) and by writing and reading the buffers. The exchanged messages and the buffer contents are just values; values are natural numbers and also the processes

173

themselves. Processes execute their instructions in a completely free parallel way, except when they try to communicate between them or to get access to the buffers (several contemporaneous accesses to the same buffer are not allowed). First we define processes and then show how to compose them into concurrent systems representing PD architectures. 1.1 Processes A set of processes is described by an algebraic (labelled) transition system. An algebraic transition system is an algebraic specification with two sorts, state (the states of the system) and flag (the labels), and a boolean operation [] ..... []

> 0 : state x flag x state -~ bool defining the system transitions. In the

following the transitions will be defined by sets of axiom schemata of the form "condDs

f

> s ' = true "

to be interpreted: if the condition cond (a conjunction of equations) is true, then the transition s ,,f -> s' belongs to the system. Notation: s---f--f> s' = true is usually written s

(>

s'.

It is important to note that a transition has the following intuitive meaning: a process in a state s has the capability of moving to a state s' by an action whose interaction with the external environment is represented by the flag f; hence f is conveying both information on the conditions of the environment which allow the capability to become effective and on the transformation of the environment produced by the execution of that action. This meaning of Iabelled transitions has now become classical after its use in CCS [Mt, M2] and in SOS [P]; we will now illustrate it by few examples. A capability of reading the content of a shared buffer by a process pr can be written as pr READBI~(b,v) .>pf where b is a buffer identifier and v a value. Note that, as it will be defined later in the synchronization step, this capability will become effective only in an external environment where the content of the buffer b is exactly the value v. A capability of writing on a shared buffer by a process pr can be written as pr ,,,,WRITEBUF(b,v-)-->pr' where b is a buffer identifier and v a value. Analogously we can express the well known capabilities of handshake communication pr -,,-SEND(c'v) >pr' (sending) and pr ~REC(c'v) >pr' (receiving) where c is a channel identifier and v a value. An example of conditional rule is pr 1 -

f

> pr 1' D pr I ; pr 2----f--f> P r l ' ; pr 2

which defines, inductively, the capabilities of a process executing the concatenation of two statements. Example. As an example of algebraic transition system we give PD-PROC, which describes the PD processes, mentioned before. The s~tes of PD-PROC are defined by the following algebraic specification, which is an example of recursive specification. The use of recursive aigebralc specifications is quite natural, when trying to give specifications in a modular way. For example in the following specification we first say that processes are

t74

couples of instructions and local memories; after that we define local memories as finite maps from locations into values and then we say that values consists of processes as data and of natural numbers. Since we use a recursive definition, we expect that the resulting specification (signature and axioms) is in some sense, a well determinated fixpoint of the transformation associated to the definition. It is not difficult to see that, under some natural conditions, such fixpoint exists. For a more technical discussion we refer to the Appendix 1, where also a non recursive version ( i.e. the explicit fixpoint) of the following specification is given. As it should be clear from the intuitive explanations, given two specifications ELEMI, ELEM2 with main sorts elem 1 and etem2, PROD(ELEM1,ELEM2) indicates the parametric specification of the cartesian products with main sort prod(eleml,elem2) and operations < 71, Fq> (pair constructor) and Sell, Sel 2 (component selectors); MAP(ELEM 1,ELEM2) indicates the parametric specificatiqn of finite maps with main sort map(eleml,elem2) and operations [][ E]/[]] (substitution) and 71(D) (application). LOC (locations), BUFID and CHID (buffer and channel identifiers) are specifications which are not further defined here. The main sort of a specification is just a sort of the specification, used in defining parametric specifications. The use of the D's indicates that some operations have an infix syntax; "all total" stands for the set of axioms having form D(Opn(x I ..... Xn)) requiring the totality of all operations appearing in the opns part. PROC = enrich PROD(INSTR,LMEM)[proc/prod(instr,lmem)] by opns Nil: --> proc axioms •(Nil)

LMEM = MAPfLOC,VALUE)[lmem/map(loc,value)] VALUE = enrich PROC + NAT by sorts value opns Pval: proc --~ value Nval: nat --> value {Op: value x ... × value --->value I Op: nat x ... x nat --> nat ~ Sig(NAT) } a x i o m s D(Pval(pr)) D(Nval(n)) {Op(Nval(nl),...,Nval(nk))-- Nval(Op(nl,...,nk)) lop: nat × ... x nat --) nat ~ Sig(NAT) } INSTR ~ enrich LOC + VALUE + BUFID + CHID by sorts instr opns 1 Writebuf,Readbuf: loc × build 2 Send,Rec: loc × chid 3 Skip: 4 Start:proc 5 [] ; D, [] + E]: instr x instr 6 While D ~ 0 DoI'q: loc x instr 7 Seq-Instrl: ...

~ instr --->instr --) instr ---)inset --) instr --> instr --->instr

7+n Seq-Instrn: ...

--->instr

a x i o m s "all total"

i l ; ( i 2 ; i3) - - ( i l ; i 2 ) ; i 3 i I + i 2 m i 2 + il

Skip; i = i il+(i2 + i3) " (i 1+i2) +i 3.

175

Comments. 1.

Writing the content of a cell of the local memory in a buffer and reading the content of a buffer together with storing it in a cell of the local memory (buffers contain values).

2.

Sending and receiving messages (just values) through channels.

3.

Skip is the usual nuU instruction.

4.

Creation of a new process.

5.

Sequential composition and nondeterministic choice.

6.

While the content of the location is different from 0 execute the given instrucion.

7,.,7~-n. Sequential instruction, i.e. instructions whose executions do not require either interactions with other processes or with the buffers. Note that the processes can store into the buffers or into the local memory and exchange between them other processes because a value can be a process. En¢t of ¢~mments. Now we give the specification of the transition system of PD processes, indicated by PD-PROC. The flags of PD-PROC (specification PFLAG) are in correspondence with the executions of the concurrent instructions, exception made for TAU (Milner's internal action) which corresponds to the execution of sequential instructions. For simplicity we do not report the full specification PFLAG; it can be easily understood by looking at the axioms of PD-PROC. PD-PROC = enrich PROC + PFLAG by opns I:] [] ~ D: proc x pflag x proc --> bool axioms 1 <Writebuf(1,b),Im>WRITEBUF(1/~lkb)><Skip,lm> 2 ~a.F.,ADJ~v~L.I~L><Skip,Italy/t]> 3 <Send(t,e),lm>SEND(lmftkc'~> <Skip,Ira> 4 REC(v,c) > <Skip,lm[v/1]> 5 <Start(l~r~,]m~>S_TART(pr)-> <Skip,lm> 6 Nil ~ > pr 7 Pf > D Pf > 8 Pf > D Pf > 9 Iszero(lm(1))-" true ~ <While 1~0 Do i,lm> TAU > <Skip,lm> !0 Iszero(Im(1))= false ~ <Wh~e t ~ Do i,lm> TAU > { <Seq-Instrj(...),lm> TAU > I 1 _<j _, where i is an input instruction (Readbuf, Rec), can perform nondeterministically an action out of an infinite set, one for every possible value which can be received (axioms 2,4), Axiom 5 defines the capability of a process of creating a new process. Axiom 6 defines the capability of being created, which is represented by a transition of the process Nil into the initial state of the created process and is denoted by the flag CREATED(...). Axioms 7 and 8 completely define the sequential composition and the nondeterminisfic choice, because of Skip is the identity of ; and + is commutative (look at the axioms of INSTR). Axioms 9 and 10 def'me the While instruction. En~t 9f ~omments.

176

1.2 Concurrent systems Now that we have defined processes, we show how to compose them into concurrent systems, of which processes are subcomponents. In a concurrent system a state consists of the states of the processes plus the state of the global object; we choose to represent it as a pair <{Prl,Pr2,...,Prn},go> where go is the global object and {pr 1,pr2,...,prn} is a multiset of states of processes. Now, assuming that a transition system PROC-SYST, representing the subcomponent processes and an algebraic specification GOB J, representing the global object, are given, how do we specify the resulting composed system? Our idea is to split the composition in some steps. First the actions of the processes are composed producing new actions; this step is conveniently subdivided into two other steps: one (synchronization) defines the actions resulting from some synchronized cooperation between processes; another (parallel compo~i~ion) defines which are the synchronous actions that can happen in parallel. Then a third step (monitoring) defines which actions resulting after the second step are allowed to happen as actions of the whole system. PROC~SYST

GO~BJ

i

I

S STS M O L C

I

I PTS

S MONITORING

[

FINAL TRANSITION SYSTEM Example. As an example of concurrent system we report the definition of PD. Following the above schema the definition is split in four parts which are reported and commented in sections: 1.1 (the algebraic transition system given before and corresponding to the process subcomponents), 1.2.1 (synchronization), 1.2.2 (parallelism), 1.2.3 (monitoring). 1.2.1

Synchronization

We define the synchronous actions by giving a new transition system STS, where the transition relation ~ > corresponds to synchronous actions, starting from a transition system PROC-SYST (representing the

177

component processes with transition relation->) and an algebraic specification GOBJ (representing the global object). The states of STS are pairs <prms,go> where ms is a multiset of proces states and go a state of the global object. The synchronous actions are given by the a set of axioms having form ( A prj .Afj_> prj') A cond(sf,{f 1.....fn},go) = <{pr 1.....Prn},go> - s f - > <{Prl',...,Prn'},go'> l<j_ Prl',...,prn -fnf- > pr n' can synchronize. Note that the transformation of the global object associated to a synchronous action can be nondeterministic, i.e. it is possible to have also another axiom similar to the above one except that go' is replaced by a different go". We briefly illustrate the idea referring to the example capabilities of subsection 1.1. The effect of reading a shared buffer can be defined by: pr 1 _ READBUF(b.v~ > pr 1, A go(b) = v ~ <{Prl},go> -READBUF(b,v)-> <{Prl'},go> where in the global object are recorded the states of the shared buffers; note that the flag of the resulting action is still READBUF(b,v) (thus recording the kind of the action) since the effective happening of the action will still depend on the actions of the other processes because two contemporaneous readings of the same buffer are mutually exclusive; we will handle that in the parallet composition step. The effect of writing on a shared buffer is defined by: pr 1 WRITEBUF(b.v) > pr 1, ~ <{Prl},go> -WRITEBUF(b,v)-> <{Prl'},go[v/b]>, go[v/b] represents the state of the global object where the content of the buffer b has been changed in v. The effect of a handshaking communication is defined by pr I SEND(c.v~ > pr t, A pr 2 REC(e.v) > pr 2, ~ <{Prl,Pr2},go> - T A U t > <{Prl',Pr2'},go> where the synchronous flag TAU reminds IVlilner's symbol for an internal action, i.e. an action with no interaction with the external environment. Moreover no other synchronous actions involving SEND(c,v) or REC(c,v) are defined, thus a SEND(c,v) action of a behaviour can be executed only together with a REC(c,v) action of another behaviour. Note that also the process internal actions will become synchronous actions, as defined below pr 1 TA--T-A-U-->pr 1' ~

<{Prl},go> --TAU--> <{Prl'},go>.

Creation and termination of component processes are handled by defining a particular process state Nil with the property <{Nil,pr I .....Prn},go> = <{Prl,-.,Prn},go>, and synchronous actions such as Nfl ~REATED(pr~ > pr A pr 1 ~ > pr 1' ~ <{Nil,Pri},go> - T A U - > <{pr,Prl'},go>. Example. The synchronous interactions between the processes of PD are described by the following algebraic transition system PD-STS. The states of PD-STS are defined by the specification PD-STATE and its transitions are labelled by elements of sort pflag of the specification PFLAG (introduced in subsection 1.1). PD-STATE = enrich PROD(MSET(PROC),BUFFERS)[state/prod(mset(proc),buffers)]by axioms <{Nil}ubhms,bfs> = .

178

The global object records the contents of the shared buffers. MSET(ARG) indicates the parametric specification of multisets with operations { f-l} (singleton multiset constructor) and [] u [] (union). Notation {al} u ... u {an} is simply written {a 1..... an}. BUFFERS= MAP(BUFID,VALUE)[buffers/map(bufid,value)] PD-STS = enrich PD-STATE + PD-PROC by opns [:)=[~> Q: state x pflag x state --> bool axioms

pr TAU > pr' D <{pr},bfs>~TAU=><{pr'},bfs> pr READBUF(v.b) > pr' A bfs(b) - v D <{pr},bfs>-_READBUF(v,b)=><{pr'},bfs> pr WRITEBUF(v.b) > pr' ~ <{pr},bfs>~WRITEBUF(v,b)~><{pr'},bfs[v/b]> pr 1 SE~(~.c) > pr 1, A pr2 REC(v,c) > pr2, D <{prl,pr2},bfs>=TAU=><{Prl',Pr2'},bfs> pr I ~ > pr 1' A Nil ...~REATED(pr) > pr D <{Prl,Nil},bfs>=TAU=><[Prt',Pr},bfs>.

1.2.2 P a r a l l e l i s m Intuitively by means of this composition operation we define whether two actions can be executed in parallel (without synchronization). The actions to be considered for composition are, inductively, the actions of the synchronized system STS and the new actions already obtained by parallel composition. As before for synchronization we can describe the operation of parallel composition as producing a new system PTS from the system STS. PTS is simply given by augmenting the transitions of STS (indicated by ~>) with the new elements, which are given by a set of axioms having the following form <prms 1,g°> - s f l - > <prms l',go 1'> A <prms2,go> --sf2--><prms2',go2'> <prms lkJprms2,go> --sfl//sf2 - > <prms l ' u p r m s 2 ' , g o ' > provided we have given the partial (binary, commutative and associative) operation//on the flags of the synchronous actions. In our previous examples a writing action on a shared buffer and a handshaking communication can be executed together giving a new composed action, which in turn can be executed together with an handshaking communication of some other processes. On the converse a reading or updating action of a shared buffer does exclude whatever other access of the same buffer. Example. The allowed contemporaneous executions of the synchronized interactions between the processes of PD are described by the algebraic transition system PD-FTS. The states of PD-PTS are the same of PD-STS; the transition relation and the flags of PD-PTS are an enrichment of those of PD-STS. The transformation of the buffers associated to a parallel action in the system PD-PTS corresponds to execute the transformations associated to the component synchronous actions in some order; note that the result does not depend on the chosen order. In the specification PD-TS Eq indicates an explicit total equality operation of the specification BUFtD with functionality build x build --> bool.

179

PD-PTS = enrich PD-STS by opns []//[3: pflag x pflag ~ pflag Isacc: pflag x build -¢ bool axioms fl/tf2 = f2//fl (fl I/f2)/If3 = fl//(f2//f3) Isacc(TAU,b)~- false Isacc(READBUF(v,bl),b2)= Eq(bl,b 2) Isacc(WRITEBUF(v,bl),b2)= Eq(bl,b2) Isacc(fl/lf2,b)- Isacc(fl,b)v Isacc(f2,b) <mprl,bfs> =TAU=><mprl',bfs> A <mpr2,bfs>,=pf=><mpr2',bfs'>D <mprlumpr2,bfs> --pf//TAU=> <mprl'umpr2',bfs'> <mprl,bfs> -_READBUF(v,b~_><mprl',bfs> A <mpr2,bfs>=pf= > <mPr2',bfs'>A Isacc(b,pf)- false D <mprlu mPr2,bfs> =READBUF(v,b)//pf=><mprI' u mpr2',bfs'> <mprl,bfs> ~WRITEBUF(v,b)=><mprl',bfs[v/b]>A <mpr2,bfs>=pf=> <mpr2',bfs'> A Isacc(b,pf)- false <mprlu mpr2,bfs>=WRITEBUF(v,b)//pf=><mprl'u mpr2',bfs'[v/b]>. 1.2.3

Monitoring

Here we take into consideration any form of global control, by which only some of the actions which are locally possible in a system (i.e. those obtained by (synchronization and) parallel composition) are allowed to become actions of the overall system. It is at this step that we can, for example, define an interleaving mode, admitting only one synchronized action at time, or a mode in which all actions that can be executed together do so. Here we can also define that the buffer reading actions take precedence over the buffer writing actions (i.e. when in a state it is possible a reading action on a buffer, a writing action on the same buffer will never be allowed). As before we can define the monitoring operation by giving a new transition system MTS (with transition relation ===>) starting from a parallel system PTS (with transition relation -->). The states of MTS are the same of PTS. The transitions of the new system are defined by giving some axioms following this schema: <prms 1,go>-,.sf-> <prmsl',go'> h cond(sf,<prmsluprms2,go>,extf ) <prmslt..)prms2,go> ==exff==> <prmsl'toprms2,go'>. Note that this axiom schema specifies, as it was anticipated informally, that an action of the system is determined by an action of a part of the component processes; here the partial action is <prms 1,go>--sf-><prmsl',go'> and prms 2 is the multiset of the states that do not cooperate to that action. Moreover the monitoring decision must depend only on the action capabilities of the processes present in a system state and not on their states. Example. We specify a parallel mode for the execution of the processes of the PD architectures (i.e. every parallel action is allowed to become an action of the system) defining the concurrent transition system PD.

180

The states of PD are still defined by the specification PD-STATE and its transitions are labelled by elements of the following specification EXTFLAG. EXTFLAG = sorts extflag opns TAU: --~ extflag axioms D(TAU) PD = enrich PD-PTS + EXTFLAG by op ns [] == [3==>D: state × extflag × state ~ bool axioms <prmsl,bfs> ~----pf--><prmsl,bfs'> ~ <prrns1 u prms2,bfs> ==TAU==><prmsl~) prms2,bfs'>. 1.3 Semantics and calculi

To the specification of PD we can first associate a semantics, given by its initial model; this model indeed exists and corresponds roughly to an operational semantics modulo the initial congruence on the states of the system. Prooositionl. (see [ARW1]) There exists an initial model IpD of the specification PD such that IpD is term generated and for any t, t 1, t 2 ~ WSig(PD) IpD l= D(t) iff PD I- D(t) and PD I- D(t 1) A D(t2) implies ( IpD 1= t 1 = t 2 iff

PD [- t 1 = t2).

In particular for any st, st' ~ WSig(PD)lstate, pr, pr' ~ WSig(PD)lpro c and pf e WSig(PD)[pflag PD [- st =TAU=> st' iff IpD I= st =TAU=> st' and P D I - pr

Pf >pr' iff IpDl= pr

Pf > p r ' . [ ]

The proposition shows that the specification PD defines an associated calculus, which we indicate by PD, corresponding to an operational semantics, and formally consisting of the equality = and of the transitions, both of processes and architectures, provable in PD. In general for any specification SYST of a system, we will call SYST the corresponding calculus. (These are the calculi to which the rapid prototyping tool ([Mo]) developed for SMoLCS specifications applies). Assume now that we want to consider two architectures to be equivalent iff they have the same input/output relation, where the inputs and the outputs are respectively the initial numeric contents of the buffers and the lists of the intermediate numeric contents of the buffers. Then we have to define an observational semantics of PD. The paradigm under which an observational semantics is defined in SMoLCS for a concurrent system (here applied to PD) consists essentially of: - a specification, defining the observations on the system (here PD-PLUS), by means of boolean relations (here Res) stating that some observation values (here lists of numeric buffer contents) are true of some observed objects (here the states of PD) (see [ARWl]); OBS = enrich MAP(BUFID,NAT)lobs/map(bufid,nat)]by opns D^E]: obs x obs --~ obs axioms D(oblnob2)

181

PD-PLUS = enrich PD +OBS by opns Res: state x obs ~ bool Val: buffers ~ obs axioms Val(Empty_Map) = Empty_,Map Val(bfs[Pval(pr)/b]) = Val(bfSlb) Val(bfs[Nval(n)/b])-- Val(bfs)[Nval(n)/b] Res(<prms,bfs>,Val(bfs))= true <prms,bfs>==TAU==>st A Res(st,ob) = lrue D Res(<prms,bfs>,Val(bfs)^ob)= true. (bfsI b represents the map bfs where every association to b is dropped); -

a definition of a class of observationally equivalent algebras, each one containing the objects to be

observed together with the relations and moreover preserving, as a subtype, a fixed model of the observed values; - the definition of the observational semantics as the minimally defined and term generated algebra (here CALG) terminal in that class; a basic general theorem (in [ARWl]) shows that this algebra has indeed the properties required of an observational semantics. Then we obtain the following result qualifying CALG as the observational semantics of PD w.r.t, the observations, expressed by the operation Res (here we have chosen the initial model of OBS). Proposition 2,([ARWl]) There exists an algebra CALG with the following properties: for any srt ~ Sorts(PD-STATE-Sorts(OBS), ground terms t, t' e WSig(PD_STATE)Isrt 01 CALG t= D(t) iff PD I- D(t) 02

CALG 1= t = t' iff for any ob e WSig(OBS)iobs, any st e WSig(PD_STATE){X}lstate with x of sort srt [PD-PLUS I-Res(st[t/x],ob) = true iff PD-PLUS l-Res(st[t'/x],ob) = true]. []

If Z is a signature and srt a sort of Z, then WXlsrt represents the set of all terms of sort srt built on X. Proper~ 01 says that all the interesting objects of PD-STATE are defined in CALG; by property 02 two terms of sort srt are equivalent if and only if in every context of sort state they satisfy the same observations. It is most important to note that in this way every nonobserved subcomponent of a state gets an observational semantics: in PD, for example, this is true of processes. Hence CALG l= st I = st 2 iff st I and st 2 produce the same outputs. Correspondingly to the above observational semantics we could prove some useful identities between PD processes and architectures. However this may be in general rather unpractical, since it has to be done explicitly ad hoc for the specification PD. That is why in the second part of the paper we will develop a parameterized caIculus starting from a fixed set of combinators, in order to be able to give standard identities w.r.t, a basic observational semantics which is a generalization of Milner and Park's strong equivalence.

1.4

Multilevel

concurrent

systems

In the previous sections we have defined a three steps procedure that, given a transition system, specifying some component processes, and a synchronization, a parallel and a monitoring specification, produces a new transition system, specifying a concurrent system. Clearly the procedure can be iterated;

182

if some subcomponent processes (said .concurrent subcomponents) are themselves concurrent systems, then they can be specified by the same procedure. Consider for example a net of (workstations) nodes, such that in a node many processes can cooperate, possibly using a shared memory, while the nodes can exchange messages in a broadcasting or/and point to point mode. Then we can specify the net applying twice the SMoLCS procedure; in one application the subcomponents are the processes cooperating in a node and the resulting concurrent system specifies a node; in the other one the nodes, specified in the first level, become the new subcomponents and the resulting concurrent system specifies the net (as eg in [AMRZl, AMRZ2]). It can also be shown that the procedure can be applied inductively; hence it is possible to specify systems where a subcomponent process (said inductive cencurrcnt subcomponent) has the same nature of the composed processes, as in CCS, i.e. where states and transitions of the final system are embedded into the states and the transitions of the system describing the processes. 1.5 A specification with parametric process types We describe now an extension of PD, called PPD, obtained by enriching the values handled by PD processes, which already include the processes themselves, with parametric process types. Thus the PPD processes can exchange between them and store in the buffers and in their local memories values corresponding to parametric process types. The purpose of PPD is to introduce, on the top of the already given PD example, the use of functional combinators which will play a relevant role in the rest of the paper. The algebraic specification of functions. A parametric process type is just a function from some parameters into processes. In our algebraic setting it is convenient and feasible to give an algebraic specification of functions from elements of some sorts into the elements of some other sort; in [ARW2] (but see also [BW3]) we study the problem and present several solutions; here we briefly introduce some basic concepts and notations. Let ARG and RES be two algebraic specifications with main sorts arg and res respectively; by FUNCT(ARG,RES) we indicate the algebraic specification of functions from elements of sort arg into elements of sort res. The specification is nothing but an algebraic formalization of the usual rewriting rules of functional calculus with abstraction and application. The only tricky point is the following: in a term like )~ x . x+5, the first occurrence of x is the first argument of 9~and is only a symbol, while in x+5 x stands for a value of sort nat; thus we say that the first occurrence of it is an object of sort nat -var and we provide a merge operation Nat_Vat for considering a variable symbol as an object of type nat. FUNCT(ARG,RES) has sorts -

funct(arg,res) arg-var arg-res-fid

(the functions) (the "variables of type arg") (identifiers for functions from arg into res)

bool

(the boolean values)

--~ funct(arg,res)

(~abs~acfion)

and operations ;Llq, Vq: arg-var x res

183

Arg-Var: arg-var

-4 arg

(this operation embeds the "variables of type arg" into the elements of sort arg) [3(D) : funct(arg,res) x arg -4 res

(application)

if [] t h e n []else []: bool x res x res Arg-Res-Fid: arg-res-fid

-4 res

(conditional)

-4 funct(arg,res)

(this operation embeds the identifiers into the elements of sort funct(arg,res)) tee [ ] , I-l: arg-res-fid x funct(arg,res) -4 funct(arg,res)

(recursive function constructor).

Notation: the terms having form Arg-Var(x), Arg-Res-Fid(y), where x is a term of sort arg-var and y a term of sort arg-var-fid, are simply written x, y. The above framework allows to write the elements of sort funct(arg,res) following the usual ~.-notation; moreover the elements of sort funct(arg,res) have the basic usual properties of a functional calculus, eg cx-rule and 13-rule. For example %x,x+3

= ~.y, y+3

(~x,x+3)(2)

= 5.

Note that all the operations in a partial specifications are strict, i.e. D(Op(t 1..... tn)) D D(tl) A...A D(tn) and hence also the if [] then []else [3 operation is strict, but that does not pose problems in defining functions, because this operation is defined by cond(a) = true D ( ~. x , if cond(x) then r(x) else r'(x))(a) = r(a) cond(a) = false D ( )~ x . if cond(x) then r(x) else r'(x))(a) = r'(a). For example, consider f = ~, x . if x>10 t h e n x-10 else x, which is a term of sort funct(nat,nat) defined in FUNCT(NAT,NAT); then with the usual meaning o f - , the value of 5-10 is undefined; however f(5) is a defined term of sort nat. Functions with several parameters can also be defined using FUNCT and the parameterized specification PROD. For example, FUNCT(PROD(ARG1,ARG2),RES) is the specification of the functions with two arguments of sort argl and arg2 respectively into res. The example PPD. PPD is defined in the same way of PD, exception made for the specification of values; we assume that the process type parameters are just channel and buffer identifiers and, for simplicity, that each type has only one parameter. VALuEPPD= enrich FUNCT(CHID,PROC)+ FUNCT(BUTID,PROC)+ NAT by sorts value opns Pval:proc -~ value Nval: nat ---)value {Op: value × ... x value ~ value i Op: nat x ... × nat ~ nat ~ Sig(NAT) } Ptvalt: funct(chid,proc) --~ value Ptval2: fimct(bufid,proc)

-->value

axioms "all total'

{Op(Nval(nl),...,Nval(nk))= Nval(Op(nl,...,nk)) I Op: nat x ...x nat --~nat e Sig(NAT)}. Let us just to show two examples of the use of these process types. The P P D calculus can be used to describe architectures where several processes perform the same computation on different values (eg an array processor architecture).

184

Let pt = ~ b . , be a process type parameterized on a buffer identifier, where instr 1 ; ... ; instrk corresponds to a complex computation on the content of the local memory location 1. Then the PPD term <{pt(buf 1) ..... pt(bufn)},[bUfl--~Vl..... bufn-->vn] > describes a system where the above computation is performed in parallel on all the contents of the buffers buf 1 ..... bur n. Consider now the process type pt 1 = ~c. parameterized on a channel identifier; then the PPD term <{Po},[ b u f f 0 ] >, where Po = <Start(Ptl(el)) ;Send(ll,Cl) ;"" ;Start(Ptl(Cn)) ; Send(ln'en) ; ReC(Cl,ll) ;1:=1+11 ; ... ;Rec(cn,ll) ;1:=1+11 ;Writebuf(1,buO, [1-->0,11--->Vn,...,ln--+ Vn]> describes a concurrent system where the above complex computation is performed in parallel on the values v 1.....v n and the sum of the results is put into the buffer buf. 2 PARAMETERIZED CONCURRENT CALCULI In this section we restrict the SMoLCS specifications to those where processes are built on a fixed set of combinators; the new processes are called behaviours and are still parameterized on various data structures, but we can give once for aI1 various properties related to the given combinators.

2.1 Behaviours and varieties of calculi The calculi we introduce in this section are based on the notion of behaviours (a name suggested by Milner's behaviours in CCS and in SCCS). The peculiarity of behaviours compared to the models of processes used in the examples of section 1 is that they correspond to processes without local state; they are completely determined by the atomic actions they can perform, i.e. they correspond abstractly to trees only labelled by actions. Then in our approach the processes with a local state are modelled as functions from local states into behaviours; the advantage is that we combine the level of abstraction and the expressive power of behaviours and functions together. This technique is fundamental for giving high level semantic descriptions of languages as we have shown in [AR1, AR2, CRAI-DDC]. For exampIe, if we want to give a denotational value for a procedure, which usually involves some concurrent interaction among processes, (as it is in Ada for example), then we can model it as a function which, taken some values of the parameters, produces a behaviour. The role played by behaviours in practical applications will be illustrated by some later examples. Instead of presenting a single calculus, we will introduce a family of calculi, which may differ fundamentally in two respects: the family is parameterized on some data structures and moreover various families of subealculi are derivable, depending on the combinators used and on the assumptions about the parameters. For every complete choice we have a calculus corresponding to an operational semantics of a (multilevel) concurrent system, where the active subcomponents are behaviours with the corresponding peculiar properties. We can group the parameters as follows.

185

• An algebraic specification DATA will represent the structure of (hence the data recorded in) the global object, the data exchanged between the behaviours, the data elaborated internally by the behaviours, the behaviour atomic actions and the interactions of the concurrent system with the external world. Formally DATA will be an algebraic specification based on BOOL (a specification of boolean values) and such that its sorts include:

- gobj, for the states of the global object -

-

act, for the atomic actions of behaviours extflag, for representing the interactions with the external world.

We assume moreover that DATA is parameterized on an algebraic specification X, which will be in every instantiation the specification of behaviours. • Another parameter defines how the behaviour subcomponents of the system concurrently interact between them; that is described following the SMoLCS methodology as introduced in section 1. Formally this parameter, indicated by SMoLCS-SYST(PROC-SYST), is just a parametric algebraic concurrent transition system (with transition relation [[1==[]==> [[]:state x extflag x state--)bool), where the parameter PROC-SYST corresponds to the algebraic transition system (with transition relation []

[] > []: behaviour x act x behaviour ~bool) defining its active subcomponents (see

subsection 1.2). It will be instantiated with the transition system defining the behaviours. • In general the concurrent system described by the calculus is a multilevel system (see subsection 1.4); thus we need some parameter for describing the noninductive concurrent subcomponents, which are just other concurrent systems. For simplietly we consider only the cases where all the noninductive subcomponents are represented by a unique algebraic transition system (with transition relation []~~ []~~> [2]: sstate x act x sstate---)bool), indicated by SUB-SYST. Obviously SUB-SYST may be also an one-level concurrent system.

2.2 Introducing combinators Here we introduce the combinators for a calculus in our family, indicated by SYST, together with their informal meaning. In the following subsection, the calculus will be formally defined by an algebraic specification named SYST. The syntax of SYST is given as the signature of a specification STATE (the states of the algebraic transition system SYST) whose sorts include state (the terms of the calculus), behaviour and gobj (active and passive subcomponents); the combinators are just the operations of this signature and in what follows we use for them the same notations used for the operations. We use = to indicate the provable equality in a specification. First we give the combinators for expressing global objects and behaviours and then the combinator for composing them into a state of the concurrent system.

fzI,D2ukl.,£2NgA/T •

All the operations of the specification DATA with functionality srt 1 x ... x srtn ---) gobj (n _>0)

are the calculus combinators for expressing the global object.

186

The meaning of these combinators are given by the axioms of DATA. In what follows SORTS indicates Sorts(DATA) u {null}. BEHAVIOURS Drefixin~ of an action_ •

[] A I-1: act x behaviour

~ behaviour

a A bh represents the behaviour which performs the action a and then behaves as specified by bh. Behaviour atomic actions are represented by terms of sort act built on the signature of STATE. We recall that there is a special combinator for representing the action of creation of a new behaviour CREATED: behaviour --4 act. The A combinator is the basic tool for expressing the activity of a behaviour as a sequence of atomic actions; it corresponds to CCS dot. functional combhaators for every srt e SORTS •

)d--1. [-1: srt-var x behaviour ~ funct(srt,behaviour)

(X- abstraction)

The elements of sort funct(srt,behaviour) represent the (partial) functions from elements of sort srt into behaviours; while the elements of sort srt-var represent in some way the "variables of type srt". There is also an operator which embeds these "variables" into the elements of srt •

Srt Vat: srt-var -4 srt

and various combinators for expressing the elements of srt-var. Notation: for every term of sort srt-var x Srt Vat(x) is simply written x; every string of lower case letters corresponds to a term of sort srt-var. •

if []

•

Fl([]i: funct(srt,behaviour) x srt

•

ree V1. []: srt-behaviour-fid x funct(srt,behaviour) ~ funct(srt,behaviour)

then

[] else []: bool x srt x srt

~ srt

(conditional)

--* behaviour

(application) (recursive functions constructor)

The elements of sort srt-behaviour-fid represent in some way identifiers of functions of type funct(srt,behaviour); also in this case there is an embedding operation •

Srt Behaviour Fid: srt-behaviour-fid --4 funct(srt,behaviour)

and various combinators for expressing the elements of sort srt-behaviour-fick Notation: for every term of sort srt-behaviour-fid x Srt B e h a v i o u r F i d ( x ) is simply written x; every string of lower case letters represents a term of sort srt-behaviour-fid. ree f i . funct(fi) represents a function corresponding to a fixpoint of the functional ~.fi. funct(fi); that fixpoint is defined by the usual rewriting rule ree f i , funct(fi) = ( Xfi. funct(fi))( ree f i . funct(fi)). All these combinators are operators of the specification F U N C T ( D A T A < s r t > , B E H A V I O U R ) as introduced in section 1.1. and formally defined in [ARW2]. (If A is a specification and srt a sort of A, then A<srt> indicates that srt is now the main sort of A.)

187

fix•oint combinator~ for every natural number n > 1 *

~Xn: funct(prod(behaviour,...,behaviour), prod(behaviour,...,behaviour)) n tittles

n i-lYrics

-~

prod(behaviour,...,behaviour)

nti~ where the elements of sort prod(behaviour,...,behaviour) are n-tuples of behaviours; moreover on these n UYnes n-tuptes the component selection operations and a constructor operation are defined: 1 behaviour × ._ × behaviour

~ behaviour --rprod(behaviour..... behaviour).

Considering for simplicity the case n = l , fixlbhfunct represents a behaviour whose activity is the same activity of bhfunct(fixlbhfunct). These combinators permit to represent behaviours with nonterminating activities and sets of mutually recursive behaviours. For example, fix 1 ~ x. a zX x represents the behaviour which goes on forever performing the action a. It is important to note that the fix combinators are total and that the above operational characterization allows to define completely the behaviours represented by them; moreover they are truly fixpoints, since we have that fixnbhfunct = bhfunct(fixnbhfunct). For example fix 1 ~. x . x is defined and represents the behaviour unable to perform any activity, which will be indicated also by stop. nondeterministic choice for every srt e SORTS •

choosesr t 13: funct(srt, behaviour) --r behaviour

choosesr t bhfunct represents the behaviours which can nondeterministically behave as specified by bhfunct(to) for every term of sort srt to, The importance and relevance of these combinators for representing behaviour subcomponents of concurrent systems should be clear (see, eg [M1, M2]). Following Milner's notations (see, eg [M2]) we would write these combinators as

+ bh(t) , where SRT is a set and bh(t) is a behaviour expression t ~ SRT

parameterized on t (i.e. an expression of type behaviour with a free variable t of type SRT). Here we are working in a fully algebraic setting, where the elements of SRT are defined by means of an abstract data type with a sort srt and hence

+ must be an algebraic operation. The solution we have adopted is to SRT

consider a combinator ehoosesr t applied to functions from elements of sort srt into behaviours; thus the parameterized dependence of bh(t) on t is formally expressed by means of a term of sort funct(srt,behaviour), whose elements correspond to functions from elements of sort srt into behaviours. Hence

+ bh(t) will be written t e SRT

choosesr t ~.t. bh(t).

Notation: ehoosesr t ~. t . bh(t) is also written choose t : srt in bh(t).

188

Our nondeterministic choice is neither local nor global; it could be local or global depending on the various alternatives: if for every term to of sort sit the first-step actions of bh(to) correspond to interactions with the other behaviours or the global object, then we have global nondeterminism (eg for bh = choose n: nat in RECnFROMpid A stop, where we use an infix notation for the receive action REC VIFROM [], if the behaviour named pid can send the natural number 1, then bh will choose the alternative REC1 FROMpid A stop); if for every term t o of sort srt the fLrst-step actions of bh(to) axe all intemal actions, then we have local nondeterminism (eg if bh = choose n: nat in TAU A SEND(n) A stop, then bh can choose one of the altematives independently from the external context). sequential composition of behaviour~ for every srt e SORTS •

defsr t [] in •: behaviour × funct(srt,behaviour)

--~ behaviour

•

r e t u r n s r t [3: srt

~ behaviour

The activity of defsr t bh in bhfunct consists of the activity of bh until it terminates, followed by the activity of bhfunct(to) ff bh terminates retuming a value to of sort srt and bhfunct(to) is defined; returnsr t to represents the final state of a behaviour which has terminated its activity returning to. The construct defsr t bh in bhfunct is a very general and powerful form of sequential composition because it allows also the preceding behaviour to pass some information to the following one; moreover there is also the possibility of (conditionally) escaping the following behaviour; if bh terminates mtttming a value t I of sort srt 1 ~srt, then the following behaviour represented by bhfunct will not be executed. In subsection 2.4 we show the use of these combinators for defining a variety of derived combinators. Notation: defsr t bh in ~. t . bh'(t) is also written defsr t t = bh in bh'(t); returnnull Null is also written skip (skip represents a null behaviour unable to perform any activity). multilevel structurin~ combinators •

i-enclose: state

--) behaviour

(for enclose concurrent inductive subcomponent)

•

n-enclose: sstate

--* behaviour

(for enclose concurrent noninductive subcomponent)

The elements of sort state represent the states of the system SYST; while the elements of sort sstate represent the states of the concurrent systems SUB-SYST taken as parameter. These two combinators are used for representing multilevel (structured) concurrent systems; the first for the case in which the internal concurrent structure of the behaviours is the same of the whole system (see eg CCS, SCCS), the second when the internal structure is given by means of the parameter SUB-SYST. The term i-enclose(st) represents a behaviour which is internally structured as the concurrent system represented by st and its activity is determinated by the activity of st. Precisely if st can perform some transition labelled by a becoming st', then also i-enclose(st) can perform a transition labelled by a becoming i-enclose(st') and these are all the transitions of i-enclose(st). Thus if the enclosed system st is unable to perform any activity also i-enclose(st) is unable to perform any activity; moreover if st represents a correct final state (all the behaviour subcomponents are equal to skip), then i-encLose(st) = s k i p . Note that this last property allows to compose sequentially concurrent

189

subcomponents with behaviours. Analogously for n - e n c l o s e . If the calculus include the combinator i-enclose, since now some transitions (with external flags) of the system may become also transitions, via i-enclose, at the behaviour level, then the external flags of SYST must coincide with the behaviour atomic actions (extflag = act); clearly also the external flags of SUB-SYST must coincide with the behaviour atomic actions. PAtLM.LEL COMBINATQR The calculus has a combinator which taken some behaviours (a multiset of) and a global object returns a term representing the concurrent system of the class, whose subcomponents are those behaviours and that global object: °

par: mset(behaviour) x gobj --estate

Notation: a term having form par({bh 1..... bhn},go ) is usually written bhll...[bhnlgO to suggest the fact that the various subcomponents are in parallel. 2 . 3 Formal definition of a calculus

First we give the specification of the transition system BH-SYST defining the behaviours and then of the transition system of the whole calculus (SYST). BEHA~OURS Remember that the paramenter SUB-SYST is an algebraic transition system (with transition relation f-l~~ El~~> E]: sstate x act x sstate --->bool) and that [3== [3==> [3: state × act x state --->boo1 wiIl be the transition relation of SYST (here we consider a calculus including the i . e n c l o s e combinator, thus act=exfflag). BEHAVIOUR= enrich + FUNCT~ATA(BEHAVIOU~R)<srt>,BEHAVIOUR) + srt ~ SORTS + FUNCT(PROD(BEHAVIOUR,..,BEHAVIOUR),PROD(BEHAVIOUR,..,BEHAVIOUR)) + n_>l n times

n times

SUB-SYST + NULL + STATE by sorts behaviour opns DA D: act x behaviour

--> behaviour { fiXn: funct(prod(behaviour,...,behaviour),prod(behaviour,_.,behaviour)) --, prod(behaviour..... behaviour)) ]n>l } -

-

%

,

--

-

n times { choosesr t R: funet(srt,behaviour)

-

,

¢

~¢-

n times

n times --> behaviour,

defsrt [] in 13: behaviour x funct(srt,behaviour)

--* behaviour,

returnsr t VI: srt

~ behaviour --->behaviour --> behaviour --> behaviour

i-enclose: state n-enclose: sstate seed: axioms "all total"

I srt E SORTS }

190

where NULL = sorts null opns Null : --* null axioms D(Null) STATE = enrich MSET(BEHAVIOUR) + DATA(BEHAVIOUR) by sorts state opns par: mset(behaviour) × gobj --->state axioms seed[bhmslgo = bhmslgo. Note that B E H A V I O U R and STATE are two algebraic specifications defined in a mutually recursive way (see A p p e n d i x i); note also h o w D A T A ( X ) is recursively instantiated on B E H A V I O U R , so that the behaviours b e c o m e parts o f the data type. The behaviours will be represented by terms o f sort behaviour o f the above specification B E H A V I O U R and their combinators will be operations o f the same specification. Notation: w e recall the abbreviations used: s t o p stands for fix 1 k x . x and skip stands for r e t u r n n u l l N u l l . BH-SYST = enrich BEHAVIOUR + SYST by opns [:3----~-D > D: behaviour × act x behaviour --->bool CREATED: behaviour --> act axioms D(CREATED(bh)) a Abh ..a_> bh { fixn bhprodfunct = bhprodfunct(fix n bhprodfunct) ] n > 1} {

bhfunct(t) __L> bh' D choosesrt bhfunct --~> bh' defsrt (returnsr t t) in bhfunct = bhfunct(t) bh -&-> bh' D defsrt bh in bhfunct ---~-> bh' { defsrt (returnsrtl tl) in bhfunct "" returnsrtl t 1 Isfreesrt(t,bhfunct ) - false D defsrtl (choosesrt ~.t, bh(t)) in bhfunct= choosesrt Xt .(defsrtl bh(t) in bhfunct) Isrtl e SORTS, srtlcsrt)

{

i-enclose(skipl...Iskiplgo) = skip, n-enclose(skipl...lskipibgo) = skip - - V

[srt e SORTS} [n > 0 }

V"

n times

n times

st ==a==>st' D i-enclose(st) ..a_> i-enclose(st') sst ~~a~->sst ' D n-enclose(sst) _0._> n-enclose(sst') seed CREATED(bh~ > bh.

Comments. s e e d is an auxiliary combinator used for allowing dynamic creations o f n e w behaviours. The

functional

combinators

are

defined

by

the

various

specifications

FUNCT(DATABEHAVIOUR<srt>,BEHAVIOUR). The axioms o f B H - S Y S T give the operational semantics o f the various combinators as it was suggested in subsection 2.2. Isfreesrt:Srt-var × funct(srt,behaviour) ~ bool is an operation o f F U N C T ( D A T A < s r t > , B E H A V I O U R ) ; Isfreesrt(x,bhfunct ) freely in bhfunct. T h e condition Isfreesrt(t,bhfunct) -

true iff the "variable o f type srt" x occurs

false in the axiom about d e f and c h o o s e is not

restrictive at all, because on the functions algebraically defined the a - r u l e holds and there exist infinite

191

different elements of sort srt-vart. End 0f~___nunents. THE CALCULUS In order to have a fuU calculus we need to define the synchronization, parallelism and monitoring steps. We recall that this is done by means of a parameterized specification SMoLCS-SYST(PROC-SYST), given as a calculus parameter, where PROC-SYST stands for the algebraic transition system of the component processes. Hence the full calculus will be here the one associated to the algebraic transition system SYST defined as follows: SYST = SMoLCS-SYST(BH-SYST). 2.4

Examples

THE FORMAL DEFINI'ITQN OF ADA Here we show how one of our calculi, denoted by AC, could be used for describing the underlying concurrent model of Ada programs, used in [CRAI-DDC] for giving a formal semantics to Ada. In this case the parameters are defined as follows: • The parameter DATA becomes now ADATA(X) = GLOBAL-INF(X) + ACT(X) + LOCAL-INnE(X), where GLOBAL-INF(X), ACT(X) (with the operations CREATE, CREATED: behaviour --r act) and LOCAL-INF(X) are large and complex specifications representing respectively the global object, the behaviour actions and the data handled locally by behaviours; in this case the sort extflag coincides with act. Recall moreover that X will be instantiated as the specification of behaviours, which corresponds roughly here to Ada tasks. • In AC the behaviours can interact between them only by reading and updating the global object; contemporaneous behaviour accesses to the global object are allowed if and only if they can also be performed sequentially in some order; moreover there is no form of global control on the behaviour actions.

These

assumptions

are

formalized

by

the

following

parametric

system

A-SMoLCS-SYST(PROC-SYST) defined following the SMoLCS three steps schema; where the parameter PROC-SYST will be instantiated with the algebraic transition system giving the operational semantics of behaviours. • AC is a one-level concurrent system, i.e. there are no behaviours which are in turn concurrent systems themselves; thus in this case we do not need other parameters. Here we givew the definition of A-SMoLCS-SYST(PROC-SYST). synchronization A-SSYST(PROC-SYST)= enrich PROC-SYST by opns []==[3==>[:]:state x act x state --~ bool axioms Cond(a,go) = trueA bh-L> bh' ~ bhlgo~a-.~->bh'lTransf(a,go)

bh CREATE(bhl~L.>bh'Aseed CREATED(bh!L>bh1 A Cond(CREATE(bht),go) = true D bh[ seedigo---CREATE(bhl)==>bh'lbhl[Transf(CREATE(bhl),go ). Cond: act × gobj -~ bool and Transf: act x gobj --> gobj are two operations of the specification ACT.

192

t~arallelism A-PSYST(PROC-SYST) = enrich A-SSYST(PROC-SYST) by opns DIID : actx act ~act axioms a 1//a2 = a2//a 1 a 1//(a2//a 3) " (a1//a2)//a 3 ~ai--> A~a~> A ~ a 2 ~

~ ,....,al//a2~> .

The condition part of the above axiom requires that the parallel action labelled by a 2 can be executed after the one labeUed by a 1. monitoring A-SMoLCS-SYST(PROC-SYST)= enrich A-PSYST(PROC-SYST) by opns [3== []==> [] : state x act x state --~ bool Ext: act -9 act axioms st ~---a_~_> st' ~ st ==Ext(a)==> st' Ext(aI//a2) = Ext(aI) /t Ext(a2) Ext-Ax, where Ext-Ax is a set of axioms defining the operation Ext having form cond D Ext(a) = a or cond D Ext(a) = TAU. The functional combinators of AC have been proved very useful in the Ada Formal Definition for expressing, for example, subprograms (Aria procedures and functions), task types and several other kinds of denotations. Moreover, in order to improve readability, other combinators have been introduced and we show how they can be derived from those of AC. ~equentiaI composition without value passing •

[ ] ; []: behaviour x behaviour

--* behaviour

•

nil:

~ behaviour

The activity of bh I ; bh 2 consists of the activity of bh 1 until it terminates followed by the activity of bh 2 if the final state of bh 1 is nil. Formally bh 1 a > b h l , D b h l i b h 2

a >bhl,;bh2

nil ; bh = b h .

These combinators can be derived in AC as follows (we indicate with = equality by definition): bh 1 ;bh 2 --- defnull n = bh 1 in bh 2

nil = skip = returnnull Null

and they have the properties listed above; indeed bh t g > bh 1' D bh t ; b h 2 - defnull n = bh 1 in bh 2 ~ >

defnu u n = bh 1' in bh 2 - bh 1' ;bh 2,

nil ; bh - defnull n = (returnnull Null) in bh = (~ n . bh )(Null) = bh. rec.ree t r a n . e x i t •

trap [] in V]: map(label,behaviour) x behaviour ~ behaviour

•

exit []: label

~ behaviour

where label and map(label,behaviour) are sorts of ADATA. The activity of the behaviour trap lmap in bh consists of the activity of bh; moreover if bh terminates performing an exit to the label 1 and 1 belongs to the domain of lmap, then the activity goes on as specified by Imap(1); otherwise the exit is propagated to some outer trap construct. These combinators are suggested by VDM combinators introduced for giving the so called direct semantics (see [BJ,AR2]).

193

Formally i)

i e dom(tmap) = true D trap lmap in exit 1 = lmap(1)

ii) i e dom(lmap) = false D trap lmap in exit 1 = exit(l) iii) bh a > bh' D trap lmap in bh --g--> trap lmap in b h ' . These combinators can be derived in AC as follows: trap 1map in bh --- deflabe 11 = bh in (if I E dom(lmap) then lmap(1) else returniabe 11) exit 1 -- returnlabe 11. • rec trap [] in [2]: map(label,behaviour) x behaviour ~ behaviour ree trap is similar to the trap, except that axiom i) is replaced by i')

1 s dom(lmap) = true D ree trap 1map in exit 1 = ree trap lmap in lmap(l).

It can be derived in AC as follows rec trap [11 --> bh 1..... 1n -~ bhn] in bh -= trap [11 -~ bhl', .... 1n --~ bhn'] in bh where for every 1_. It is easy to see that the derived combinators have the properties i), ii), iii) and i'), ii), iii) respectively. SEOUENTIAL CONSqNUCTS Here we show how it is possible to enrich our calculi with the usual sequential constructs, deriving them by the calculi combinators. We assume that each process has a local store whose states are represented by elements of sort store = map(loc,value); these processes will be represented by elements of sort proc = funct(store,behaviour) and a system whose subcomponents are the processes proc 1,'",Procn will be represented by procl(Empty_Map)I...iprocn(Empty_Map)[go (Empty_Map represents the initial empty state of the local store). The derived combinators are: •

[]:= [3: loc x expression -÷proc

(1 := exp = ~ st. TAU A returnstor e st[Evai(exp,st)/1]), where Eval: expression x store ---rvalue is an operation of DATA. •

If [] Then [] Else VI: expression x proc x proc --*proc

(If exp Then pr 1 Else pr 2 = )~ st. TAU A if Eval(exp,st) then Prl(st ) else Pr2(st)). Note that for simplicity we consider expressions without side effects. • •

[ ] ; [ ] : p r o c x p r o c - ~ p r o c ( P r l ; P r 2 : ~ s t . defstorePrl(st)inpr2). While [] > 0 Do [3: expression x proc ---~proc

(While exp Do pr -= ree w h , k st, TAU A if Eval(exp,st) > 0 then defstor e pr(st) in wh else returnstor e st). •

•

[]

:

act ~ p r o c

(a ~ 7~st. a A returnstor e st).

Choosesr t []: funct(srt,proc) --~proc (Choosesr t )~ v. pr(v) - ~. st. ehoosesr t )~ v. (pr(v))(st)).

194

3 PROPERTIES OF COMBINATORS Here we study the properties of the combinators introduced in the preceding section. Some of these properties are just equalities provable from the given specification; for other deeper properties we have to consider equivalences with respect to some observations. The most basic form of observation consists in observing the actions of a behaviour, which leads to the well known notion of strong (bisimulation) equivalence of Milner and Park. For our calculi we need to generalize that notion, since our flags may include hehaviours as subterms; moreover we would like to equate functional terms by extensionality. Since at the present stage of our investigation the theory related to such generalization looks a bit complicate we defer the presentation of the full theory to a more technical paper; hence we prefer to present the properties of combinators for subcalculi, in which the flags cannot have behaviours as subterms. But the properties we show do hold in the general unrestricted case and hence they give a rather good understanding of the properties of the calculi.

3.1 Strong equivalence properties of behaviour combinators Let BH-SYST indicate the transition system (with transition relation []

[] > Vl:behaviour x act x behaviour --~bool) defining the behaviours of one of our calculi.

In the following we consider only calculi of behaviours in which the flags do not have behaviour subterms, formally calculi such that the parameter DATA (see section...) is not a specification parameterized on behaviours, and such that BH-SYST is image finite. (A transition system with transition relation - - >

is said image finite iff for all states s and flags f the set {s' I s

f

>s'} is

finite.) By strong eouivalence we mean strong bisimulationequivalence, as introduced in [M2]. From the beginning we have to face an interesting problem: in our calculi of behaviours returnsrt v and

stop are two normal states, i.e. behaviours without action capabilities, and hence they would be equated in the strong equivalence associated to the behaviour transition system. But inserted in the context defsrt Ix] in bhfunct they wuold produce two behaviours which are not strongly equivalent and hence the strong equivalence wuold not be a congruence. Since clearly we are interested in a strong equivalence which is also a congruence, we simply distinguish the two behaviours by considering the strong equivalence associated to a modified behaviour transition system, obtained by BH-SYST by adding a set of (dummy) transitions defined by returnsrt t

~Nsrt

t-(LL->stop.

Thus we indicate by ~ the strong equivalence w.r.t, the new transition system of behaviours obtained by adding the above transitions. We give only some hints to the proofs, that will appear in a full version elsewhere. We can now give a basic result for behaviours without i-enclose and n-enclose combinators; in the next subsection we will extend it to the general ease. As Milner in [M2] extends ~ from agents to expressions, we extend ~ from behaviours to functions returning behaviours; given two terms fl and f2 of sort funct(srt,behaviour) fl ~ f2

fff for all terms tl, t2 of sort srt t 1 = t2 implies fl(tl) ~ f2(t2).

195

Theorem 3. ~ is a congruence on behaviours (without the i-enclose and n-enclose combinators). Pr99f. - bh 1' ~ bh 2' and a I = a 2 implies a 1 A bh 1' ~ a 2 A bh2'. Obvious. - For all srt ~ SORTS, bhfunct 1 ~ bhfunct2 implies choosesr t bhfunct 1 ~ chooses~ bhfunct2. Obvious. - bhfunet 1 ~ bhfunct2 implies fix 1 bhfunct 1 ~ fix 1 bhfunct2. Analogously to the proof of Proposition 4.6 of [M21. - For all sat ~ SORTS, b h l ' ~ bh 2' and bhfunct 1 ~ bhfunct2 implies defsr t bh 1' in bhfunct 1 ~ d e f str bh 2' in bhfunct 2. We show that R = (< defsr t bh' in bhfunct', defsr t bh" in bhfunct"> I bh' ~ bh" and bhfun~t' ~ bhfunct"} u Id, where Id indicates the identity relation, is a bisimulation up to ~ (i.e. ~R ~ is a bisimulation). IfR is a bisimulation up to ~, thenR c ~R ~ c ~. Let be an element of R, we prove, by cases, that if b h l ~ > ° bh'

bhl' , then bh 2

a > bh 2' and bh 1' R ~ bh2'.

a > bhl,, ' bh 1, = defsrt bhl,, in bhfunct' and a ~: RETURNsrt(..).

By the hypothesis bh"

~ > bh2" and bhl" ~ bh2", thus bh2---~--a> bh2',

bh2'= defsr t bh2" in bhfunct" and b h l ' R ~ bh2'. ° bh' = r e t u r n s r t t t and bhfunct'(tl)---~-> bh 1'. By the hypothesis bh" = r e t u r n str t2 and t 1 = t2; bhfunct'(tl) ~ bhfuncf'(t2) implies bhfunct,,(t2)

a > bh 2, and bh 1' ~ bh2'; thus bh 2

~t > bh 2, and bh 1' R ~ bh2'.

° bh' = returnsrtlt 1 with srtl~srt. Thus bh I = returnsrtlt I RETURNsrtl(tl)-> stop. By hypothesis bh" = returnsrtlt 2 with t 1 = t2, thus bh 2 = returnsrtlt 2 RETURNsrtl~2L> stop. Proposition 4, (clef/return properties). For every srt ~ SORTS 1) defsr t ( r e t u r n str t) in bhfunct ~ bhfunct(t). 2) For every srtl e SORTS such that srtl ~ srt defsr t ( returnsrtl tl) in bhfunct ~ returnsrtl t 1. 3) For every srtl e SORTS Isfree(tl,bhfunct) = false D defsr t (choose tl: srtl in bh(tl) ) in bhfunct ~ choose tl: srtl in ( defsr t bh(tl) in bhfunct ). 4) defsr t (a A bh) in bhfunet ~ a A (defsr t bh in bhfunct). Proof, 1), 2) and 3) Obvious, because - implies ~. 4) obvious. [] Proposition ~ (choose properties) 1) For every n,m.~>l, srt 1..... srtn,srtl',...,Srtm'~ SORTS [for all terms t 1..... tn of sort srt 1..... srtn respectively there exist tl',...,t m' terms of sort srtl',...,srtm' respectively such that bhl(t 1..... tn)~ bh2(ti',...,tm')] and [for all terms tl',...,tm' of sort srtl',...,srt m' respectively there exist t 1..... tn terms of sort srt 1..... srt n respectively such that bh2(tl',...,tm' ) ~ bhl(t I ..... tn) ]

196

implies choose tl: srt 1 in ... choose tn: srtnin b h l ( t 1..... tn) ~ choose tl': srt 1' in ... choose tm': srt m' in bh2(ti',...,tm'). 2)(Idempotence) For every srt e SORTS [ for all terms t of sort srt bhfunct(t) ~ bh] implies choosesr t bhfunct ~ bh. Proof. Obvious from the definition of ~. [] For simplicity we consider only the combinator fix 1, i.e. the unary fixpoint combinator. For expressing the properties of the fix 1 combinator we need the following definitions and lemmas. der bh indicates the derivation tree of bh, i.e. the labelled tree associated to bh in the transition system; given a derivation tree tr, ltrtn indicates the truncation of tr at depth n. Given a term f of sort funct(srtl,srt2), fn(t) indicates f applied n times to t. Similarly as in [M1] for CCS, we define that a variable x of type behaviour is guardf~[ in bh (i.e. x is preceded in bh by a A..., for some action a); we omit the trivial definition by induction on the structure of behaviours. Lemma 1. (basic fix lemma) If the variable x is guarded in bh(x), then given A = fix 1 )Lx . bh(x) and for m > 1 Am= ()~ x . hh(x))m(stop), we have that for all n > 1 Ider AIn = tder Anln = Ider An+qln (for all q >_ I), Proof. By arithmetic induction on n. [] Lemma 2. (fix-context lemma) For all terms bh(y) of sort behaviour with a hole of sort behaviour, if bhfunct = )~ x . bhl(X) with x guarded in bhl(X ), A = bh(fix 1 bhfunct) and for all p > 1 Ap = bh(bhfunctP(stop)), then we have that for all n > 1 Ider AIn = Ider A n In. Proof, By structural induction on bh(y). [] Proposition 6, (fix 1 properties) 1) For all terms bhl(Y), bh2(Y) of sort behaviour with a hole of sort behaviour, for all bhfunct = ;Lx. bh(x) with x guarded in bh(x) [for all n > 1 tder (bhl(bhfunctn(stop)))ln = Ider (bh2(bhfunctn(stop)))tn ] implies bhl(fix 1 bhfunct) ~ bh2(fix I bhfunct). 2) If x is guarded in bh(x), then Isfree(x,bhfunct) - false implies defsr t ( fix 1 % x . bh(x)) in bhfunct ~ fix 1 Xx. (defsr t bh(x) in bhfunct). Proof. Obvious, by Lemma 2. [] 3.2

Strong equivalence properties of parallel combinator

Here we use ~ ( ~ bold) to indicate the strong extensional equivalence of the algebraic transition system SYST (with transition relation D== [3==> [:]:state x extflag x state -¢bool) defining one of our calculi

197

and P-SYST and S-SYST indicate respectively the systems defined by the parallel and synchronous steps (recall that SYST has been defined following the three steps SMoLCS methodology ). Also in this case we need to distinguish the normal states of SYST and as in the previous section to do this we add some transitions to SYST; precisely skipl...Iskiplgc CORRECT_> stop[go; which allow to distinguish the correct terminal states from the incorrect ones.. Provosition 7. ( [ properties) 1) For every bh 111""[ bhlnlg °' bh21] ''-1 bh2n]g ° e WSig(SYST)lstate such that bhll ~ bh21 ..... bhln ~ bh2nwe have that bhl-1]...I bh~lnlgO ~ bh21[...I bh2nlgO; 2) for every bhms[go ~ WSig(SYST)lstat e seedlbhmslgo ~ bhmslgo ; 3) for every bhms[go ~ WSig(SYST)Jstat e, for every bh ~ WSig(SYST)Ibehaviou r such that bh ~ skip bhlbhmslgo ~ bhms[go. Proof. 1) By Lemma 3. 2) and 3) Obvious. [] ~mm~3_~(Monitofing step) For every bh111...I bhlnlgO , bh211...I bh2nlgO ~ WSig(SYST)lstat e, for every extf~ WSig(SYST)[extfl, ag such that bhll ~ bh 21,...,bhln ~ bh2n we have that i) for every bhll'l...I bhln'[go a WSig(SYST)lstat e SYST I - b h l l I...I bhlnlgo ==extf==> bhll'[...I bhln'lgo ' implies there exist bh 2 1'1... [b h2 n '[go' a W Slg(SYST) • Istate such that SYST 1- bh211...] bh2nlgo ==extf==> bh21'j...I bh2n'[go ' and bhll ' ~ bh21',...,bhln'~ bh2n'; ii) converse of i). Proof, By Lemma 4, recalling that in a SNIoLCS system the monitoring decision depends only on the possible actions of the behaviours and not on their states. [] Lemma 4, (Parallelism step) For every bh 111-.I bhlnlg o' bh21[-..I bh2n[gO ~ WSig(SYST)lstate' for every a~ WSiglSYST)[ac t such that bh11 ~ bh21 ..... bhln ~ bh2n we have that i) for every bh 1 l'l..-I bhln'lg o' e WSig(SYST)lstate P-SYST [ - b h l l I...I bhln[gO ~ a ~ > bh11'l...I bhl n'[go' implies there exist bh 2 1 '1'" I b h2 n 'lgo' ~ W Slg(SYST) • ]state such that P-SYST I- bh211...I bh2nlgO ~------a~> bh21'l...I bh2n'lgo ' and b h l l ' ~ bh21',...,bhln'~ bh2n'; ii) converse of i). Proof. By Lemma 5. [] Lemma 5. Under the same hypotheses of Lemma 3, we have that i) for every bhll'l...I bhln'lgo ' ~ WSig(SYST)lstate

198

S-SYST l - b h l l I..-I b h l n l g o ~ a ~ >

bhll'l...I bhln'tgo ' implies

there exist bh21't...I bh2n'lgo' ~ WSig(SYST)Istate such that S-SYST t- bh21I.-.I b h 2 n l g o = = = a ~ > bh21 I...I bh2nlgO and b h l l ' ~ bh21',...,bhln'~ bh2n'; ii)

converse of i).

Proof, By cases on the form of a. [] Proposition 8, (i-enclose, n-enclose properties) 1) For every n >--1 i-enclose(skipl...lskiplgo) ~skip n tir~es 2) For srt e SORTS for every n > 0

n-enclose(skipl...lskiplbgo) - skip. "v n times

A Isfree(t,bhi) = false A Isfree(t,go) = false D l
st ~ st' D i-enclose(st) ~ i-enclose(st'), sst ~ sst' D n-enclose(sst) ~ n-enclose(sst') where Z indicates the strong equivalence on the transition system SUB-SYST (parameter of the calculus) representing the noninductive concurrent components.

Proof, Obvious. [] Now we can extend Theorem 3 to all behaviours. Theorem 3,BIS, ~ is a congruence on behaviours. Proof. By Theorem 3, Proposition 7 and Proposition 8. []

Conclusion We have presented a proposal for a family of calculi, which are a partial instantiation of the SMoLCS parameterized schema. The novelties of these calculi lie in their high level of parameterization, in the possibility of defining functional modules and of considering processes just as data types. In this sense we personally see our calculi as a development for high-level specifications of the work started with CCS and SCCS, which we consider basic calculi, much as lambda-calculi are w.r.t, higher level languages. We are well aware that our presentation here is far from being satisfactory in many respects. We plan to come out with a more explanatory paper with full proofs. We are currently pursuing two directions of interesting research: first we are looking at a nice proof techniques for a generalization of strong equivalence handling labels with behaviours as subterms and including extensionality; second, we have already explored in part the possibility of calculi where the behaviour labels include, so to speak, the code for the interactions at synchronization, parallelism and monitoring level, while still keeping the fult expressive power of SMoLCS specifications; but it is not clear whether this calculus can be elegant and simple enough to be really useful. Finally we want to emphasize that the family of calculi AC we have used in the Ada Formal Definition

199

project can be seen as an upgrading of the V D M metalanguage Meta IV to handle concurrency and abstract data types.

Appendix

1:

Recursive specifications

Let SPEC = u {~,, Ax) I A x is a set of positive conditional axioms on Z}, where SIG is the set of all Z ~ SIG (classes o f isomorphic) signatures. A recursive definition of a specification has form (*) ID = S ( D ) , where S is a function f r o m SPEC into SPEC. After h a v i n g defined an ordering ~ on SPEC we can see (*) as defining ]J3 as the least fixpoint of S (if there exists). G i v e n S I = ( Z 1 , A x l ) and S2=(Z2,Ax2),

S 1 , S 2 iff Z 1 is a subsignature o f E 2 and Ax 1 ~ Ax2;

given E 1 = ( S o r t s l , O p n s l ) and E 2 = (Sorts2,Opns2), E 1 is a subsignature of E 2 iff Sorts 1 £2 Sorts 2 and Opns 1 £ 2 0 p n s 2. I f S is continuous, then (*) defines the specification ID in the following way: ID = 1.u.b. s n ( I D ± ) , n~0 where tD_L is equal to the specification with only one sort n a m e d id and neither operations n o r axioms. W h e n e v e r S is g i v e n by c o m p o s i n g constant specifications, the parametric specifications, P R O D , N~a.p, M S E T a n d the "+" and " e n r i c h ... by..." operators, then it is continuous. Clearly also sets o f mutually recursive specifications can be defined in the same way. W h e n e v e r the 1.u.b.of the chain { s n ( I D _ L ) } n > 0 is obtained as the k-th step for s o m e k, then the specification can be given in a n o n recursive way. Here as an example we report a nonrecursive definition of the specification PROC, defined recursively in subsection t.1. PROC = enrich NAT+ LOC + BUFID + CHID by sorts value, proc, instr opns < D, D>: instr × lmem Emptymap: [][D/D]: lmem x loc x value [ ( D ) : lmem x loc Nit: Pval: proc Nval: nat {Op: value x ... × value -~ value I Op: nat x ... × nat --~ nat ~ Writebuf, Readbuf: loc × build Send, Rec: loc × chid Skip: Start: proc ; V1, [] + [ : instr x instr While [] ~ 0 Do ~: loc x instr Seq-Instrl: ... Seq-Instrn: ...

~ proc ~ lmem ~ lmem --~ value -~ proc ~ value ~ value Sig(NAT) } --~ instr ~ instr ~ instr ~ instr --~ instr ~ instr --~ instr ~ instr

200

axioms "all total" {Op(Nval(n1),...,Nval(nk)) = Nval(Op(nl,...,nk)) I Op: nat x .. x nat --~ nat ~ Sig(NAT) } Eq(ll,12)= Irue~ (Im[v/ll])(12)- v Eq(ll,12)= false~ (Im[v/ll])(12)= lm(12) i 1;(i 2; i3) - ( i 1; i2); i3 Skip; i - i il+i 2 = i2+ i 1

i1+(i2+i3)- (il+i2)+i3.

Acknowledgements, We wish to acknowledge the invaluable cooperation of Martin Wirsing in building the foundations of the SMoLCS approach. Moreover we wish to thank all our friends of the Genoa-CRAI group (Alessandro Giovini, Franco Mazzanti, Elena Zucca), who have used, tested and improved our calculi in the Ada FD project. Many thanks also to Ombretta Arvigo for her patient Mac-typing and more generally for her cooperation at any time. REFERENCES (LNCS stands for Lecture Notes in Computer Science, Springer Verlag). [AGMRZ] E.Astesiano, A.Giovini, F.Mazzanti, G.Reggio, E.Zucca, The Ada challenge for new formal semantic techniques, in Proc. of the 1986 Ada International Conference, Edinburgh, Cambridge University Press, UK, 1986. [AMRW] E.Astesiano, G.F.Mascari, G.Reggio, M.Wirsing, On the parameterized algebraic specification of concurrent systems, Proc. CAAP '85 - TAPSOFT Conference, LNCS n. 185, 1985. [AMRZ] E.Astesiano, F.Mazzanti, G.Reggio, E.Zucca, Applying the SMoLCS specification methodology to the CNET architecture, CNET - Distribute Systems on Local Network, vol 2, pp. 255-267, ETS Pisa,1985. [AMRZ1] E.Astesiano, F.Mazzanti, G.Reggio, E.Zucca, Formal specification of a concurrent architecture in a real project, Proc. of ACM-ICS'85, North Holland, 1985. [AR1]

E.Astesiano, G.Reggio, A syntax-directed approach to the semantics of concurrent languages, in Proc. 10th IFIP World Congress (H.J. Kugler ed.), North Holland,p. 571-576, 1986.

[AR2]

E.Astesiano,G. Reggio, Comparing direct and continuation styles for concurrent languages, to appear in Proc. STACS 87', LNCS, 1987.

JAR3]

E.Astesiano, G.Reggio, The SMoLCS approach to the formal semantics of programming languages - A tutorial introduction - to appear in Proc. of CRAI Spring International Conference: Innovative software factories and Ada, 1986.

[ARWl]

E.Astesiano, G.Reggio, M.Wirsing, Relational specifications and observational semantics, in Proc. of MFCS'86, LNCS n. 233, 1986.

[ARW2]

E.Astesiano, G.Reggio, M.Wirsing, On the algebraic specification of function spaces, in preparation.

[ARW3]

E.Astesiano, G.Reggio, M.Wirsing, A modular parameterized algebraic approach to the specification of concurrent systems, in preparation.

[BJ]

D.Bjc~rner, C.B.Jones, The Vienna development method: The Meta-Language, LNCS n. 61, 1978.

201

[BWll

M.Broy, M.Wirsing, On the algebraic specification of finitary infinite communicating sequential processes, in Proc. WIP TC2 Working Conference on "Formal Description of Programming Concepts Ir', (D. BjCrner ed.), North Holland, 1983.

[BW2]

M.Broy, M.Wirsing, Partial abstract types, Acta Informatica 18, 1982.

[BW3]

M.Broy, M.Wirsing, Algebraic definition of a functional programming language and its semantic models, R.A.I.R.O. vok 17,1983.

[CRAI-DDC] E.Astesiano, C.Bendix Nielsen, N.Botta, A.Fantechi, A.Giovini, P.Inverardi, E. Karlsen, F.Mazzanti, J. Storbank Pedersen, G.Reggio, E.Zucca, Deliverable 7 of the CEC MAP project: The Draft Formal Definition of ANSI/MIL-STD 1815 Ada, 1986.

[HI

H.Hussmann, Rapid prototyping for Algebraic Specifications RAP system user's manual, MIP 8502, Universitat Passau, 1985.

[M1]

R.Milner, A calculus of communicating systems, LNCS n. 92, 1980.

[M2]

R.Milner, Calculi for synchrony and asynchrony, TCS 25, 267-310, 1983.

No]

F,Morando, An interpreter for concurrent systems SMoLCS specifications, Thesis (in italian) University of Genova, Italy, 1986.

[P]

G.Plotkin, A structural approach to operational semantics, Lecture notes, Aarhus University, 1981.

[sw]

D.T.Sannella, M.Wirsing, A kernel languagefor algebraic specifications and implementation, in Proc. Int. Conf. on Foundations of Computation Theory, Borgholrn, Sweden, LNCS n.158, 1983.

[W]

M.Wirsing, Structured algebraic specifications: a kernel language, TCS Vol.42 n. 2, 1986.

PARAMETERIZED HORN CLAUSE SPECIFICATIONS: PROOF THEORY AND CORRECTNESS M. Navarre Informatika Fakultatea Euskal-Herdko Unibertsitatea San Sebastian, SPAIN F. Orejas Facultat d'lnform&tica Universitat Polit~cnica de Catalunya Barcelona, SPAIN

Recently, "algebraic" equational Horn clause specifications (or, in some sense, conditional specifications) have been advocated by several authors as the solution to some of the problems of Prolog [see, for instance, 11]. Most of the work done in this field has been dealing only with the operational aspects of such specifications (e.g. rewriting, narrowing, etc.), perhaps assuming that other kind of results will be direct generalizations of those obtained for the equational case. However, there is an aspect that hinders, in many cases, this generalization: working with a (so-called) boolean constraint, i.e. having as admissible models for specifications algebras satisfying that a boolean sort contains only two values: true and false. Specifically, constructions that are almost trivial in the standard framework have to be approached with new techniques. In this paper we study two aspects of parameterized specifications, proof theory and correctness. We characterize the inductive theory of a parameterized specification generalizing some results obtained by P. Padawitz in [15] (in particular some restrictions have been removed, for instance the need to have equality operators explicitly defined for every sort, or the need for persistency: we only ask for "bool-persistency"). Then, we obtain a proof theoretical characterization of three conditions related to the correctness of a parameterized specification: bool~persistency, (i.e. the property that ensures that the booleans are not "destroyed" by the parameterization), persistency (i.e. protection of the actual parameter) and passing compatibility (i.e. the property that assures the compatibility of the functorial and pushout semantics for parameter passing).

203 Other previous work related with our results is [8,5,16,14]. In [8] Ganzinger obtained the proof-theoretical characterization of persistency for the equational case. The characterizations of bool-persistency and persistency presented here are strongly inspired in his, indeed, the only-if part of our proofs is a direct generalization of his, but the if part presented the kind of problems mentioned above. In [5] Ehrig dealt with parameterized specifications with arbitrary constraints (thus his work is more general), some of his results have been used in this paper, however his approach was model-theoretical due to the generality of his framework. In [16] Padawitz obtained conditions for checking persistency of parameterized equational specifications with a boolean constraint. Although the similarity of the framework, the results are quite different, he was mainly involved in obtaining sufficient conditions for persistency that were easily checkable using rewriting techniques. With respect to [14], the characterization of passing compatibility presented here is a straightforward generalization of the one presented there, once the new techniques used in the previous results are applied. The organization of this paper is as follows: In section 1, we introduce briefly the basic concepts. In section two, we characterize the inductive theory defined by a parameterized specification. Finally, in section 3 we obtain the characterization of boot-persistency, persistency and passing compatibility.

ACKNOWLEDGEMENTS The authors would like to thank P. Padawitz for showing us in [I5] the use of the Ultrafilter Theorem. This work has been partially supported by Comisi6n Asesora de Investigaci6n (ref. 2704-83)

1. Preliminaries Familiarity with the usual notions concerning (parameterized) algebraic specifications is assumed (for detail, see [7]).

Given a set of sorts S, an S-sorted signat~r~ ~ is an indexed family of sets of operation symbols, ~ = {~v,s}w*~ S,s~ S"

A z-algebra A consists of a family of sets (carriers or data domains) {As}seS, and a family of operations

204 ~A:AslX...xAsn--->As for every c in Zsl_.sn,s A ;~-homQmQr0hism h: A ---> B, where A and B are ~-atgebras is a family of functions {hs: A s ---> Bs}sc S which commute with the operations. ~-algebras together with their homomorphisms form the category Alga:, having as initial object (up to isomorphism) the term algebra T~:. Tz(X) stands for the _algebra of terms with variables in X, i.e. the free ~:-algebra generated by X. Given an assignment a: X ---> A, there is a unique z;-homomorphism a: T:~(X) ---> A, extending a.

A ~:-algebra A satisfies

a (conditional)

eauation.A I= XX.t=t' if t l = t l ' & ... & tn=tn', with

t,t',tl,tl',...,tn,tn' in Tz.(X), iff for every assignment a: X ---> A, if for every i (l_
A specification SP is a triple (S, z. ,E) formed by a set of sorts, a signature and a set of (conditional) equations. Given a specification SP = (S,~;,E), a ~>algebra satisfying E is called a SP-alaebra. SP-algebras together with their homomorphisms form the category Algsp with initial object TSp = T~/=-E, where ~-E stands for the congruence generated by E. Given a specification SP = (S,z,,E), a combination of SP and SP0 = (S0,~:0,E0), denoted SP+SP0, is defined: SP+SP0 = (S+S0,~;+:T..0,E+E0) where + denotes disjoint union. Note that SP0 does not need to be a specification (for instance, there may be a c~in ~0w,s with ws in (S+S0)+-S0 +, but SP+SP0 does.

A.specification morDhism h: SP1 ---> SP2 consists of a function h:S1--->S2 and a family of functions {hw,s:~;lw,s--->~;2h,(w),h(s)}w, S,seS (where h*(sl-.sn) denotes h(sl)...h(sn)), such that E2 ~_h(E1), i.e. every equation in E1 when translated through h belongs to E2. Specifications together with their morphisms form the category CATSP. Every specification morphism h: SP1 ---> SP2 induces a functor Uh: AIgsP2---> Algsp 1 called the forgetful functor associated to h, defined Uh(A2)=A1 iff

vseSt

A1 s = A2h(s)

205 VceZlw,s dA1 = (hw,s(•))A2

Uh has a left adjoint Fh: AIgsp 1 ~-> AIgsp 2, called the free functor associated to h.

From now on, we shall assume that every specification contains, as a subspecification, the boolean specification. Also, we will not allow non boolean operations having boolean parameters, i.e. if ~E:Se,bool-Z.BOOL, then wE(S-{bool})*. That is, we are considering booleans as special values: we may define boolean-valued functions (predicates) but they may not be parameters.

Moreover, we shall assume that equations take the form ~.X.t=t' if C where C is a Z.(X)-condition, i.e. a z(X)-term of boolean sort. Though the abuse of notation, conditions may denote, as above, boolean sorted equations of the kind: C=true. Equations of the kind:

;~X.t=t' if true will often be abreviated to:

XX.t=t'

Given a specification SP, the category LOGALG(SP) shall denote the full subcategory of Algsp, whose objects are algebras A satisfying that Ubool(A) = B (where bool is the inclusion morphism from the boolean specification BOOL to SP and B is the boolean algebra of two elements).

In [13] two proof systems, t- and I-L, were given satisfying:

SP t- ;~.X.t=t' if C iff vAeAIgsp A i= ;~.X.t=f if C SP I-L ~.X.t=t' if C iff vAe LOGALG(SP) A I= ~.X.t=t' if C

1- is just a generalization to the many sorted case of a proof system given by Selman in [17] using the technique devised by Goguen and Meseguer in [10] to deai with many-sorts. I-L is an adaptation of another proof system given by Selman in the same paper adding rules to cope with the boolean constraint.

Note that SP I- ~.X.t=t' implies SP I-L xX.t=t' but the converse is not true, even if the terms tl and t2

206 contain no variables. For instance, if SP contains the equations:

~.X.t=t' if C ~.X.t=t' if not(C)

then SP I-L ~.X.t=t' but not necessarily SP I- ~.X.t=t'.

A set of conditions COND is non contradictina with respect to a set of equations E iff

E+COND*I-/L true=false

where COND* is the same as COND, but considering its variables as constants. From now on, although the abuse of notation and if there is no possible confusion, we will not distinguish between COND and COND*.

A parameterized data type PDT is a triple (PAR,BODY,H), where PAR = (SPAR,~;PAR,EPAR) is the p~.r~.meter declaration. BODY = (SBODY,:~BODY,EBODY) = PAR + (S2,z2,E2) is called the taraet specification and H is a functor, H: LOGALG(PAR) ---> LOGALG(BODY) (we assume H equipped with a natural family of homomorphisms IA: A ---> Ui(H(A)), where i is the inclusion morphism from PAR to BODY). H is persistent (stronalv oersistent/iff for every A in LOGALG(PAR), IA is an isomorphism (the identity).

A paramet~rized specification PSP is a pair (PAR,BODY), where PAR and BODY are as in the previous definition and satisfy bool-oersistency, i.e. for every A in LOGALG(PAR), Ubooi(Fi(A))= B, where Fi is the free functor associated to the inclusion morphism from PAR to BODY. The semantics of PSP is considered to be the parameterized data type (PAR,BODY,Fi). We shall say that PSP is persistent if Fi is persistent or strongly persistent. Often, parameterized (conditional) specifications are not persistent if we consider as admissible parameter any PAR-algebra, although they are persistent when we do restrict to LOGALG(PAR). This happens with the following example: Example 1.1 Let PAR be the following specification: PAR = BOOL + sorts data ops

eq: data x data ---> bool

207 eqns

1) ~.x. eq(x,x) = true 2) X{x,y}.x=y if eq(x,y)

and let BODY be: BODY = PAR + sorts set ops

empty: set insert: set x data ---> set is in: set x data ---> bool

eqns 3) ;qs,x,y}. insert(insert(s,x),y)=insert(insert(s,y),x) 4) x{s,x}, insert(insert(s,x),x)= insert(s,x) 5) Xx.is_in(empty,x)=false 6) ;qs,x}.is_in(insert(s,x),x)=true 7) ;~{s,x,y}.is_in(insert(s,x),y)=is_in(s,y) if not(eq(x,y))

This parameterization, as we shall see Jater, works perfectly well (it is persistent) if we restrict admissible parameters to those in LOGALG(PAR), i.e. those in which the boolean values are {true,false} and eq is equality, but is not persistent (it may add "junk" to the parameter) if we do not restrict the class of admissible parameters. Changing the specification (for instance, adding more equations) would not help to solve the problem. •

Now, we may define standard parameter passing at the specification level: given a parameterized specification PSP = (PAR,BODY), with PAR = (SPAR,zPAR,EPAR) and BODY = (SBODY,~.BODY,EBODY)= PAR + ($2,~;2,E2), a specification ACT = (SACT,~:ACT,EACT) called actual parameter sDecificafion and a morphism hl : PAR ---> ACT, called oarameter passing morohism, the mechanism of psrameter passing may be described by the following pushout diagram:

PAR

il

ACT

#

B3E)Y

~ VAL i2

208 where il is the inclusion morphism. VAL is called the value soecification. More concretely, VAL = (SVAL,~VAL,EVAL) = ACT + ($4,~:4,E4), with S4 = $2, ,7_.4.= h2(~:2) and E4 = h2(E2), i2 is the inclusion morphism and h2 is defined: h2(s) = if seS2 then s else hl(s) h2w,s(~ ) = if ce;~2 then c else hlw,s(C )

Parameter passing is correct iff the following two conditions hold, for every A in LOGALG(ACT):

1) Actual oarameter orotection: Ui2(Fi2(A)) = A 2) Passina comoatibility: Fil (Uhl (A) = Uh2 ( Fi2(A ) )

A parameterized specification is correct (resp. satisfies passing compatibility) if for all possible actual parameter specifications (and parameter passing morphisms) parameter passing is correct (resp. satisfies passing compatibility). In [5] it is proved that PSP is correct iff it is persistent.

2.

The inductive theory of, e,,,pere, meteri.zed soecification

Given a specification SP, the theory defined by this specification consists of all the equations deducible from SP, which (if the proof system is sound and complete) coincide with the set of equations satisfied by all models of SP. However, often we are not interested in ~ models satisfying SPo For instance if the specification is not parameterized we may be interested only in finitely generated models, or if it is parameterized on models finitely generated from the actual parameter. The set of equations satisfied by all models finitely generated (from the actual parameter) satisfying a (parameterized) specification is called the inductive theory defined by the specification: Definition 2.1 Given a parameterized specification PSP=(PAR,BODY), we define the inductive equational theory defined by PSP: IND(PSP) = { XX.t=t'/vAe LOGALG(PAR) F(A)I = ;~X.t=t'} In Theorem 2.4 we will characterize IND(PSP) in terms of the (non-conditional) equations satisfied by

209 certain free algebras, but before that we have to see two lemmas: NOTE From now on, given two z(X)-terms tl, t2 and a z.(X)-condition C, we shall say that Et-L tl=t2 if C (instead of EI-L ~.X.tl=t2 if C) if from E we may deduce this equation considering the variables as constants, i.e. considering tl and t2 as ground terms and C as a ground condition. Lemma 2.2 Given SP = (S,T_.,E)and a set of :~(X)-conditions COND such that COND is non contradicting w.r.t. E, then there is a set of bool-sorted equations E(COND) such that Tz(X)/---E+E(COND) satisfies every condition in COND and belongsto LOGALG(SP). Proof

Let A = T:s(X)/~-Der(E), where Der(E) denotes the set of equations t=t' such that E I-L ;,~X.t=t'. Obviously, UBooI(A) is a boolean algebra. Let COND' be COND U {not(C)/SPI-L true=false if C}, COND' denotes a set of values in UBooI(A ) satisfying the finite intersection property (i.e. the conjunction of any finite subset of boolean values is not equal to false) since COND is non contradicting w.r.t. E, then, according to a corollary of the Ultrafilter Theorem (cf. [2]). there is an ultrafilter U containing all the vaiues denoted by COND'. Finally, we define E(COND) as {tl=true/tl denote a value inside U} U {tl=false/tl denote a value outside U}. By construction, Tz.(X)/-=E+E(COND) satisfies every C in COND and belongs to LOGALG(SP) since, on one hand, by construction in UbooI(T~,(X)/-~E+E(COND)) there wilt be at most two elements, true and false, and, on the other hand they are different because it may be proved that for any pair of boolean sorted terms, tl and t2 in T~,(X), T:~(X)/~E+E(COND)I= tl=t2 iff there is a ~:PAR(X)-condition C such that El-L xX.tl=t2 if C and e E(COND). But if Et-L ~.X.true=false if C then, by construction, only <not(C)=true> and belong to E(COND). • Lemma 2.3

Given SP = (~:,E), a set of ~:(X)-conditions COND and two ,~(X)-terms tl and t2 such that SP+COND*~/L tl =t2, there is a set of bool-sorted equations E.(COND,tl,t2) such that A=T:~(X)/-=E+E(COND,t1,t2) belongs to LOGALG(SP), A lCtl=t2 and A satisfies every C in COND. Proof

Let COND' be COND U {not(C)/SPI-Ltl=t2 if C}, by assumption COND' is not contradicting w.r.t. SP, thus

210 applying lemma 2.2, there is a set of equations E(COND') such that A=Tz(X)/~E+E(COND,) satisfies every C in COND' (and, thus, in COND) and belongs to LOGALG(SP). On the other hand A I~tl=t2, since otherwise a condition in COND' would be false in A, contradicting one of the two previous statements. • Theorem 2.4 Let PSP be the parameterized specification (PAR,BODY) and let XpA R be an (SPAR-{bool})-sorted denumerable set of variables then: ~.X.tl=t2 e IND(PSP) iff TzBODy(XpAR)/-_-Der(EBODY) I= ~.X.tl=t2.

Proof =>) Suppose T~BODy(XpAR)/=-Der(EBODY) Is a(tl)=a(t2) for a given assignment a: X-->, T;~:BODy(XpAR) then, according to the previous lemma there is a set of bool-sorted equations E(o,a(tt),a(t2)) such that A=T~BODy(XpAR)/-~E+E(o,a(tl),a(t2)) belongs to LOGALG(BODY) and A Is a(tl)=a(t2). Let U(A) be the PAR-algebra obtained after applying the forgetful functor to A. Obviously, U(A) is in LOGALG(PAR), moreover F(U(A)) Is a(tl)=a(t2) since otherwise a(tl) and a(t2) would be equal in A. Note, however, that we do not need F to be persistent (although, it is assumed to be bool-persistent).

<=) If T~:BODy(XpAR)/~-Der(E) I=tl=t2, then for every algebra A in LOGALG(PAR) and every assignment h: X ---> F(A) there is a (unique) homomorphism h : TzBODy(XpAR)/~Der(E) ---> F(A), thus F(A) I=tl=t2. ,

3. Correctness of parameterized specifications As we have seen in the preliminaries, three conditions are asked for the correctness of parameterized specifications: boot-persistency, actual parameter protection (persistency [5]), and passing compatibility. In this section we are going to characterize proof-theoretically bool-persistency (Theorem 3.1) and persistency (Theorem 3.3) in terms of consistency and completeness conditions. After, we will characterize passing compatibility in terms of persistency (Theorem 3.4). Theorem 3.1 PSP = (PAR,BODY) is bool-persistent iff PSP satisfies the following two properties:

1. Bool-consistencv: BODY I~ true=false

211 2. B0oi-comptetene$$: For every t in T~:BODy(XpAR) of boolean sort there are tl ,...,tn in T~:PAR(XpAR) and ~:PAR(X)-conditions C1 ..... Cn, such that BODYI- L ~.X.t=ti if Ci (for every i, l_i_
Proof =>) If PSP is not boot-consistent, obviously, PSP is not persistent w.r.t booleans. Assume PSP is not bool-complete, let t be the boolean sorted ~.BODY(X)-term for which there is not a finite set of terms tl ..... tn and ~:PAR(X)-conditions C1 ..... Cn such that BODYJ- L ;LX.t-ti if Ci (for every i, l_
<=) Let A be in LOGALG(PAR), for every t in T:~BODy(A)bool, since A is a LOGALG(PAR)-algebra and SP is bool-complete, there is a t i in TZ:PAR(A) and a ~PAR(A)-condition C i such that:

(*)

SP I-L t=ti if C i and Af= Ci=true.

This implies F(A)I= t=t i.

Assume F(A)J= t=t', with t,t' in TzPAR(A ), this means that there is a sequence of terms t 1 ..... t n such that t=t 1 , t'=t n, and for every i (lBODY+E A ti+l, we will define a sequence of r.PAR(A)-terms t l',.,.,tn', (with t l'=t 1 and tn'=tn) and of %PAR(A)-conditions C 1 ..... C n such that for every m (0_m
a) BODY I-L tm=tm' if Cm b) EA 1 l Cm=true

c) EA I-L tm'=tm+l'

it should be clear that if such sequences of terms and ~PAR(A)-conditions exist then AJ= t=t'.

212 In the definition of ti+ 1' and Ci+ 1 we have two cases:

case 1: BODY I-L ti=ti+l if C i' and BODY+EA i-L Ci'=true- By booI completeness, there are ~:PAR(A)-conditions Cil,Cil',...,Cik,Cik', such that BODY IL Ci'=Cij if Cij' for every j (l<j _
case 2: EA I-L ti=ti+l. This means that there are terms I,r ETa:PAR(A) and tET:F_.BODy(AU{x}) such that eEA, fl(t)=t i and f2(t)=ti+ 1, where fl and f2 substitute, respectively, x by I and x by r. Now, by sufficient completeness, there is a z;PAR(AU{x})-term t' and a :~PAR(AU{x})-condition C' such that BODY I-L t=t' if C' and AI= fl(C'). Let ti+ 1' and Ci+ 1 be, respectively, f2(t') and f2(C'), obviously

BODY I-L

ti+ l=ti+l' if Ci+ 1 and A[= Ci+l=true, moreover, AI= ti'=ti+ 1' since, by transitivity, BODY+EA I-L ti'=ti+l' if Ci&Ci+ 1 , and thus, by consistency, PAR+EA I'L ti'=ti+l' if Ci&Ci+ 1 . •

Example 3.2 It should be clear that the specification of example 1.1 is bool-consistent, let us see that it is also bool-complete. Every

term

t

in

T~:BODy(XpAR)bool-

is_in(insert(.._(insert(empty,xl),...),xn),y).

Tz. P A R ( X p A R )

We will proceed by induction:

case n=0 Trivial: BODY t-L ~.x.is in(empty,x)=false case n=k+l On one hand we have: BODY I'L ~.{s,x,y}.is_in(insert(s,x),y)=is_in(s,y)

if not(eq(x,y))

On the other using equation 2) and substitutivity: BODY I'L ;qs,x,y}.is_in( insert(s,x),y)= is in(insert(s,x),x) if eq(x,y)

is

of

the

form:

213 and by equation 6) and transitivity: BODY

IL ~{s,x,y}.is_in(

insert(s,x),y)=true if eq(x,y)

Finally, trivially: PAR I-L ~,{x,y} eq(x,y) v not(eq(x,y)= true

Theorem 3.3

PSP = (PAR,BODY) is persistent in LOGALG(PAR) iff PSP satisfies the following two properties:

t..O.9..Q~s'~ency: For every tl ,t2 in T}:PAR(X ) and every ~;PAR(X)-condition C we have PAR l-L ;LX.tl =t2 if C iff BODY I'L ~X.tl=t2 if C.

2. Sufficient comoletengss: For every t in T ~ : B O D y ( X p A R ) of sort in PAR, there are tl ..... tn in T•PAR(XpAR) and ]~PAR(X)-conditions C1 ..... Cn, such that BODY I-L ;~X.t=ti if Ci (for every i, l
Proof

=>) Assume PSP is not consistent, i.e. there are terms tl, t2 and a ~:PAR(X)-condition C such that BODY J'L ;LX.tl=t2 if C and PAR ~L ~.X.tl=t2 if C. Obviously PAR+C }'/'L tl =t2, since otherwise XX.tl=t2 if C would be trivially deducible from PAR. Hence, according to lemma 2.3 T~;PAR(X)/_--EPAR+E(C,t 1,t2) is in LOGALG(PAR), C is true in A and in A I¢ tl=t2. On the other hand, obviously, in F(A) l= tl=t2.

Assume PSP is not sufficiently complete, let t be the ~BODY(X)-term for which there is not a finite set of terms tl ..... tn and ~:PAR(X)-conditions C1 ..... Cn such that BODY I'L ;LX.t=ti if Ci (for every i, 1-
<=) Similar to the same part of theorem 3.1.

214 In [14] it was proved that for the equational case passing compatibility was almost persistency (persistency or trivial inconsistency), here, using similar techniques, we are going to prove that persistency is exactly passing compatibility. The reason is that we are assuming bool-persistency and, thus, avoiding trivial inconsistency. Theorem 3.4

PSP satisfies passing compatibility for every logical parameter iff PSP is persistent.

Proof

=>) Assume PSP is not consistent (but remeber that PSP is assumed to be bool-persistent), then there are two Y.PAR(X)s-terms tl and t2 and a ~:PAR(X)-condition C such that PAR ~L ;~X.tl=t2 if C and BODY I-L ~.X.tl=t2 if C. Let SP' be the specification PAR+(~,~:',E'), where ~;' consists of X (taken as constants of appropriate sorts) plus an operation c: s --> bool, and E" consists of the equations: c(tl) = true c(t2) = false Clearly, C is non contradicting w.r.t. EPAR+E', then, according to Lemma 2.2, there is a set of equations E(C) such that A = T~:PAR+~:,/~-EPAR+E,+E(C) is in LOGALG(SP), AI= C=true and AI~ tl=t2 (otherwise A would not be in LOGALG(SP'). Now, let ACT be SP'+(o, o,E(C)), let the parameter passing morphism hl be the inclusion morphism, then in Fi2(A) true is equal to false, but not in Fil(Uhl(A)).

Assume PSP is not sufficiently complete, let t be the ~BODY(X)-term for which there is not a finite set of terms tl ..... tn and ~:PAR(X)-conditions C1 ..... Cn such that BODY I-L ~.X.t=ti if Ci (for every i, l_ s' and Us: s' --> s, for every s in SPAR-{bool}, and E" consists of the equations:

UsCs(t) = t

for every s in SPAR-{bool} and every t in Tz:PAR+Z;,. Now, let COND be {not(C)/C is a ~;PAR(X)-condition

215 and 3t' in T~:PAR(X) PSP I'L ;~X.t=t' if C}, COND is non contradicting w.r.t EPAR+E' thus according to lemma 2.2 A = T~:PAR+~:,/---EPAR+E,+E(COND)is in LOGALG(SP') and every not(C) in COND is true in A (i.e. every C is false in A). Let ACT=SP'+(o,o,E(COND)), let the parameter passing morphism hl be the inclusion morphism, then Fil(Uhl(TACT) ) ~ Uh2(Fi2(TACT)). The reason is the following: Fil generates some junk on Uhl (TACT) (at least the term t would be junk, if we consider its variables as constant symbols from ~'), but on Uh2(Fi2(TACT) ) we have generated, at least, the double of junk: for every junk element t of sort s generated by Fil, in Fi2(TACT) we have the same element plus UsCs(t).

<=) See [5] • 4. Referenqe~

[1]

Arbib, M.E.; Manes, E.G.: "Arr0w._s. structures and functors: the categ0rics, I imperativQ",

Academic Press 1975. [2]

Bell, J.L.; Slomson, A.B.: "Models and Ultraoroducts: an IntroduqtJPn", North-Holland (1971)

[3]

Burstall, R.M.; Goguen, J.A.: "The semantics of Clear, a specification language",

Copenhaoen Winter Schq01 qn Abstract Software Speqification, Springer LNCS 86, pp. 292-332, 1980. [4]

Ehrich, H.-D.: "On the theory of specification, implementation and parameterization of abstract

data types", JA(~M 29,1 (1982), pp. 206-227. [5]

Ehrig, H.: "Algebraic theory of parameterized specifications with requirements", Pr0c. 6th.

CAAP, Springer LNCS 112, pp. 1-24, 1981. [6]

Ehrig, H.; Kreowski, H.-J.; Thatcher, J.W.; Wagner, E.G.; Wright, J.B.: "Parameter passing in

algebraic specification languages", Prqc. Aarhus Wqrkshoo on Pr0gr~m Specification, Springer LNCS 134, 1981. [7]

Ehdg, H.; Mahr, B.: "Fundamentals of alaebraic specification 1", Springer EATCS Monographs on

Theor. Comp. Sc., 1985. [8]

Ganzinger, H.: "Parameterized specifications: parameter passing and implementation with respect

216 to observability", TOPLA_S_5,3 (1983), pp. 318-354. [9]

Goguen,J.A.; Meseguer, J: "Universal realization, persistent interconnection and implementation

of abstract modules", Prec. IX ICALP, Springer LNCS 140, pp. 265-281, 1982. [10] Goguen, J.A.; Meseguer, J: "Completeness of many-sorted equational logic", ~igplan Notices 16,7 (1981) pp 24-32. [11]

Goguen, J.A.; Meseguer, J: "Equality, types, modules and (why not?) generics for logic

programming", The J.o_urnalof Logic Programming 1,2 (1984), pp. 179-210. [12]

Goguen,J.A.; Thatcher, J.W.; Wagner, E.G.: "An initial algebra approach to the specification,

correctness and implementation of abstract data types", in ' ~ t

Trends in Pr0gramminq Methodoloqy.,

V01 IV: Data Structuring', R.T. Yeh (ed,), Prentice Hall 1978, pp. 80-149. [13] Navarre, M.; Orejas, F.: "Proof rules for conditional equations", Res. Rep., Facultat d'informatica de Barcelona, 1986. [14]

Orejas, F.: "Passing compatibility is almost persistency", in 'Recenl; trend8 on data type

soecification' H.-J. Kreowski (ed.)Springer IFB 114, 1985. [15] Padawitz, P. : "Towards a proof theory of parameterized specifications", in 'Semantics of Data Types', G. Kahn, D.B. MacQueen, G. Ptotkin (eds.), Springer LNCS 173 (1984), pp. 375-391. [16] Padawitz, P. : "Parameter preserving data type specifications", in 'Formal Methods and Software Development, voll', H. Ehrig, Ch. Floyd (eds.) Springer LNCS 186 (1985), pp. 323-341. [17] Selman, A. : "Completeness of calculii for axiomatically defined classes of algebras", Algebra Universalis, 2, 1 (1972), pp. 20-32. [18] Thatcher, J.W.; Wagner, E.G.; Wright, J.B.: "Data type specification: parameterization and the power of specification techniques", Prec. 10th STOC, San Diego, Ca., 1978.

PARTIAL COMPOSITION AND RECURSION OF MODULE SPECIFICATIONS

Francesco Parisi-Presicce Department of Mathematics University of Southern California Los Angeles, California 90089-1113

ABSTRACT The basic interconnections of module specifications (union, composition and actualization) were studied in earlier papers. Here we introduce partial composition and partial actualization of module specifications, describe the connection with their "total" counterpart and prove that the result of successive partial compositions (or actualizations) is independent of the order. We also introduce a recursive construction first of a single module and then of two modules "recursivety calling" each other. A connection between these two recursions is established, along with compatibility properties with the basic constructions and the expected fixed point equation at the semantical level.

1. I N T R O D U C T I O N The algebraic approach to the formal specification of data types has been the most investigated one (fLZ 75/,/GTW 78/,/WPPDB 83/,/Ga 83/and many others), although there have been other interesting approaches in more general settings (/BMM 79/). The module specification introduced in earlier papers (fEW 85/,/BEPP 86/) is a formalization of a notion which is central to the modular approach to the development of large software systems (/qPa72/,/WE 85/). tt combines the main ideas of parametrized specification and of implementation of abstract data types along with the notion of information hiding, treated in/GM 82/by adding an export interface to a data type to represent its visible part. An abstract mc~tfle consists of four parts: an export interface, with the operations visible outside the module, an import interface, representing the operations to be provided to the module, a parameter part, shared by the interfaces, and a body, containing both interfaces and providing an implementation of the sorts and operations of the export interface in terms of those of the import. All four parts are described by algebraic specifications (see/EWT 83/,/EFPB 86/for extensions), the first three with loose semantics, while that of the body is the free consmaction over import algebras. Our notion of module reflects in part the structure of Ada packages and Modula-2 modules, both consisting of a "declarative" part, with the list of sorts and operations visible outside and either the list of those to be imported (Modula-2) or the name of another module

2t8

whose export operations are needed in the body (Ada), and an "implementation" part, with the module's own data type and defined operations. In both languages, the interfaces are purely syntactical, not allowing semantical conditions on the sorts and operations, as we do or as permitted in OBJ2 (/FGJM 85/) and in Extended ML (/ST 85a/). More detailed discussions on the relationship between our module concept and Ada and Modula-2 can be found i n / B E F P 86/, ~ W 86/. The interconnection mechanisms for building modules from other modules are an integral part of a stepwise modular development of software systems (/BG 77/). In previous papers, we have introduced four basic operations on module specifications:

union (/BPP 85/),

composition

(JEW 85/, ]BEPP 86/), actualization (]EW 85], ]PP 85/) and extension (/BEPP 86/). We have also shown that these operations are compatible (/PP 86/,/EFP 86/), guaranteeing that the correctness of a stepwise refinement strategy for module specifications is independent of the order in which the building operations are carried out. In this paper, we introduce two new operations on module specifications: partial composition/actualization, and recursion. Partial composition allows us to compose a module, whose import consists of two distinguishable parts I1 and I2, with another module which provides the data described, say, in I1, postponing the decision for I2 to a later time. This operation is proved to be well defined both syntactically and semantically and to produce the same result regardless of whether the successive partial compositions are carried out first through Ii and then through I2 or vice versa. Similar results are obtained for partial actualization. The single recursion construction defines a new module recf(M) from a given M, when the import of M is intended to be provided by the export of M itself. The mutual recursion operation provides a new module from two module specifications "recursively calling each other". The two constructions are syntactically correct but, unlike the other operations, additional conditions are required to guarantee their semantical correctness. Single recursion is shown to be compatible with union, composition, actualization and the "submodule" partial order. The paper is organized as follows: section 2 contains a review of the basic notions of module specification, its semantics and basic operations, along with a summary of their compatibility. Section 3 introduces partial composition and partial actualization, relates them to their total counterpart and shows how successive partial compositions (or actualizations) are equivalent to a union followed by a total composition (or actualization). Section 4 defines single recursion using coequalizers, and shows how its semantic satisfies a fixed point equation. Mutual recursion, defined independently, is shown to be related in a natural way to single recursion. Some conclusions are drawn in section 5. 2.

MODULE S P E C I F I C A T I O N AND T H E I R BASIC OPERATIONS We assume some familiarity with the basic notions of algebraic snecification SPEC = (S, OP,

E) and of specification morphism f = (fs, fop): SPEC1 --~ SPEC2. We use Atg(SPEC) to denote the category of SPEC-algebras and SPEC-homomorphisms. Any specification morphism f : SPEC1 --~ SPEC2 defines a forgetful functor Vf : Alg(SPEC2) --* Alg(SPEC1) whose left adjoint Ff : Alg(SPEC1) --~ Alg(SPEC2) is called the ~ n c t o r

associated with f.

219

The category CATSPEC of specifications and specification morphisms is dosed under the pushout construction (/EM85/) and SPEC1 + SPEcoSPEC2 denotes the pushout object of fj : SPEC0 --* SPECj, j = 1,2, when the specification morphisms are obvious from the context. For any pushout SPEC3 = SPEC1 + S P E c o S P E C 2 ,

any SPEC3-algebra A3 (resp.

SPEC3-homomorphism h3) is the amalgamated sum A1 + AoA2 (resp., hl + h0h2) of SPECi-algebras Ai (resp., SPECi-homomorphisms hi). Given pushout specifications SPEC3 and SPEC3' and functors Fi : Alg(SPECi) --~ Alg(SPECi'), i = 0,1,2, we use F1 + FoF2 to denote the functor F3: Alg(SPEC3) --~ Alg(SPEC3') defined by F3(A1 + AoA2) = FI(A1) + F0(A0)F2(A2). For more details, see/EM85L 2.1

Definition (Module Specification and Semantics) A module specification M is a four-tuple (PAR, EXP, IMP, BOD) of algebraic specifications

along with four specification morphisms i, v, s and e (s and e injective) making the following syntactical diagram commute e

PAR

--~

$

IMP

s

--~

EXP $

v

BOD

The semantics of M is SEM = V v • F s. The restricted semantics is RSEM = R e" SEM, where R e : Alg(EXP) --~ Alg(EXP) is given by Re(E ) = n {E'E Alg(EXP): g ' c E, Ve(E) = Ve(E)}. A semantical condition is imposed on the free functor Fs, which is required to be strongly persistent, i.e. that V s (Fs(A)) = A for all IMP-algebras A. Sometimes (in particular when dealing with composition of module specifications) we will add the requirement that F s preserves injective morphisms and call it, in this case, strongly conservative. I n t e r o r e t a t i o n The specifications IMP and EXP represent the import and export interfaces, respectively, PAR is the shared parameter part and BOD is the body of the module intented to contain an implementation of the EXP operations using the IMP operations. The semantics SEM is a transformation from IMP-interface algebras to EXP-interface algebras and the strong persistency guarantees that the PAR part of the IMP-algebra is not modified by this transformation. The restriction functor R e reduces the carrier of the EXP-algebra SEM(A) to those data reachable from its parameter part. 2.2

Definition (Submodule and Union) A module specification M0 = (PAR0, EXP0, IMP0, BOD0) is a submodule specification of

M 1 = (PAR 1,EXP 1, IMP 1, B OD 1) if there exists a fo ur-tuple m = (mp, m E, m I, m B ) of inj ective specification morphisms such that i) each square of the following diagram commutes

220

e0 v0 sO i0 PAR0 --> EXP0 --> BOD0 +-- IMP0 +- PAR0 mp

,l,

m E .1.

mB.i.

SmI

Stop

PARt --> EXP1 --> BOD1 +-- IMP1 +-- PAR1 el vl sl il ii) if VQ is the forgetful functor associated with mQ, then V B - F s l = F s 0 - V I a n d V E ' R e l = R e 0 " V E. We write M0 ~ M1 and call m : M0 -+ M1 a Mod-morphism. Given M0 < mj Mj,j = 1,2, the union M1 + MoM2 of M1 and M2 with respect to M0 is the pushout object of the morphisms mj: M0 --> Mj in the category of module specifications and Mod-morphisms (/PP86/).

Each

component of M1 + MoM2 is the pushout specification of the corresponding components of M0, M1 and M2. The operation of actualization of a module specification M= (PAR, EXP, IMP, BOD) consists of "replacing" the parameter part PAR by a (parametrized) specification PS 1 = (Parl, ACT1) with j: Parl --> ACT1 via a parameter passing morphism h: PAR --> ACT1. 2.3 Definition (Actualization) Given a module specification M = (PAR, EXP, IMP, BOD), a parametrized specification PS 1 = (Par1, ACT1) and a parameter passing specification morphism h: PAR --) ACT1, the actualization of M by PS1 via h, denoted by acth (PSI, M), is the module specification (Par1, EXP1, IMP1, BOD1), where EXP1 = ACT1 +PAREXP, IMP1 = ACT1 +PARIMP and BOD1 = IMPI +IMpBOD as in the following diagram PAR

....... "~

Parl IMP

N

ACT1 ....... IMP1

EXP ......,-~

"~

EXP1

BOD >

BOD1

The third basic operation on module specifications is that of composition, where the import interface of a module specification is "matched" with the export interface of another one. The "unused" interfaces will provide two of the components of the composite module specification. 2.4

Definition (Composition) The composition M1 * h M2 of two module specifications Mj = (PARj, EXPj, nVIPj,BODj),

j = 1,2, with interface morphism h = (hp, hE), where hp: PAR1 --~ PAR2 and hE: IMP1 --> EXP2 are specification morphisms such that e2 • hp = hE " il, is the module specification M3 = (PAR3, EXP3, IMP3, BOD3) as in the diagram

221

PAR3 =

PAR1 --+

EXPt = EXP3

h p /

I~MP1 -9

BO~Dt

PAR2 --9 EXP2

IMP3 = IMP2 --)

(1)

BOD2 -~

BOD3

where (1) is a pushout in CATSPEC. For each of the three operations, the semantics of the resulting module s~ecification can be expressed directly in terms of those of the arguments. The semantics and restricted semantics of M1 + MoM2 are SEM1 + SEMOSElVI2 and RSEM1 +RSEMoRSEM2, respectively (/BPP85/). The semantics of acth (PSI, M) is idA + idpSEM, with id the appropriate identity functors, and a similar characterization of the restricted semantics holds if either h factors through Parll(/PP85/) or the semantics of PS 1 is taken into account (/PP86/,/EFPB86/). Denoting by V h the forgetful functor of h E, the semantics of M1 "h M2 is SEMI -Vh -SEM2 while the restricted semantics is RSEM1 • V h • RSEM2, if Fst is strongly conservative (/EW85/,/BEPP86/). The compatibility of these operations on module specifications is necessary to guarantee that the order in which these operations are applied does not effect the final system. This allows the restructuring of large systems fo~ reasons of efficiency and gives more flexibility in updating specifications due to changes in system requirements. The interaction of these module interconnections has been studied elsewhere (/EW85/,/BEPP86/,/PP86/,/EFP86/). 2.5 .Theorem (Compatibility of the Basic Operations) 1)

The operations of union, actualization and composition are monotone in each of their arguments with respect to the "submodule" partial order.

2)

For i = 0, 1, 2, let Mi = (PARi, EXPi, IMPi, BODi) be module specifications, PSi = (Pari, ACTi) with ji: Pari -+ ACTi parametrized specifications and hi: PARi -+ ACTi parameter passing morphisms. If M0 <_miMi and (qip, qiA): PS0 --+ PSi are such that ji • qip = qi A • j0 and qiA " h0 = hi " mip, then aCthl + h0h2 (PSI+PsoPS2, MI+MoM2) = aCthl(PS1, M1)+acth0(PS0,M0)acth2(PS2,M2)

3)

For i = 0, 1,2, let Mi = (PARi, EXPi, IMPi, BODi) and Ni = (PARi', EXPi', IMPi', BODi') be module specifications and hi = (hip, hiE) interface morphisms from Mi to Ni. K M0 -<miMi and NO -
222

4)

Let M1 and M2 be module specifications with an interface morphism h =(hp, h E) from M1 to M2 and PS1 = (Par1, ACT1) a parametrized specification with a parameter passing morphism hi: PAR1 --+ ACT1. Then there exist PS2 =(Parl, ACT2) and h2:PAR2 -+ ACT2 such that aCthl(PS1, M1 *h M2) = aCthl (PSI, M1) *h+ididaCth2(PS2, M2).

3.

PARTIAL COMPOSITION AND ACTUALIZATION

In this section, we are going to investigate two somewhat different ways of combining module specifications. Suppose we have a module specification M, whose import interface can be decomposed as the union IMP1 + IMpoIMP2 of two subspecifications sharing a common part IMP0, and another module specification M1 whose export interface provides the operations described in IMPt. Given such a "matching", is it possible to compose the two modules now, postponing the matching of the remaining part IMP2 of the import interface? Under what conditions is such a composition well defined and how does it relate to the composition defined in the previous section? 3.1 Definition (Partial Composition) Let M = (PAR, EXP, hMP, BOD) be a module specification with PAR = PAR1 + PARoPAR2 and IMP= IMPI+IMP01MP2, M' = (PAR', EXP', IMP', BOD') another module specification and hl = (hip, hiE) an interface morphism with hlp: PAR1 -* PAR' and hl E : IMP1 --> EXP' satisfying e' • hip = hl E" il. If there exists a specification morphism k: IMP0 -~ IMP' such that IMP0 --) IMP' -+ BOD' = IMP0 -+ IMP1 ~ EXP' --> BOD', then the partial composition M • ~IM' of M and M' w.r.t, h! is the module specification (PAR, EXP, IMP' + IMPOIMP2, BOD' + IMP1BOD) as in the foUowing diagram PAR0 PAR 1

PAR2

hip/tie

// /

/

PAR'//--~

a, ~ 1 , IMP' -->

[

vj/

k

IMPI /

IMPO

x.~ IMP2

I/'IMt, ~_

,BOp

EXP' BOD'

~

BOD"

IMP" The condition on hl is exactly the one required in the (Nit) composition of Definition 2.4.

223

The existence and property of the morphism k state that the two "subimports" IMP1 and IMP2 can share only a specification which is preserved basically unchanged, from the import to the export of M'. The pushout property of IMP" guarantees the existence of a specification morphism s" : IMP" -4 BOD" while the universal property of PAR defines i": PAR --~ IMP". This universal property also guarantees the commutafivity v"" e = PAR ~ EXP ~ BOW' = PAR --~ IMP --~ BOW' = s" • i" of the diagram of M e ~ I M ' by proving that PARj ~ PAR ~ EXP --* BOD" = PARj --> PAR --> IMP" --> BOD" forj = 1,2,. The existence of the morphism k is necessary (in the basic algebraic case treated here) to insure a consistent handling of the shared subimport IMP0. The requirement on k could be dropped by allowing constraints along with the basic specifications (see/EFPP86/), thereby restricting subsequent compositions to module specifications not in conflict with the already matched IMP0. Instead of proving that the resulting module specification satisfies the semantical conditions of definition 2.1, we now show how to relate partial composition with the operations defined in the previous section. The basic idea is that leaving IMP2 unchanged is equivalent to composing it with a module specification which behaves like the identity. 3.2

Mitin L e m m a Let M, M', hl and k be as in definition 3.1, MIj = (PARj, IMPj, IMPj, IMPj) a n d

h = h i + idid. Then M .hPlM' = M* h (M' + MIoMI2) The first immediate consequence of the Main Lemma is that partial composition is well defined, that is, that the resulting four-tuples of specifications and specification morphisms satisfy the conditions in 2.1. 3.3 . T h e o r e m Let Mj = (PARj, EXPj, IMPj, BODj), j = 3,4, and M = (PAR, EXP, IMP, BOD) be module specifications with PAR = PAR1 + PARoPAR2 and IMP = IMP1 + IMPOIMP2. For j = 3,4, let hj be an interface morphism and kj: IMP0 ~ IMPj a specification morphism such that the partial composition of M and Mj is defined as in 3.1. Then M* h3+ j d h4 (M3+ MIOM4) = (M,, ~3 M3) *~4 M4. 3.4 C o r o l l a r v

With the notation of the previous Theorem, (M- ~3 M3) .hP4 M4 = (M. ~4 M4) .hP3 M3. We should point out that there are some compatibility properties enjoyed by partial composition, Their formulation and proofs can be reconstructed in a straigthforward manner using Thin. 2.5 and Lemma 3.2. For the remaining part of this section, we investigate the analog of partial composition for actualization. If we are given a module specification whose parameter part is the union of two subspecifications, we can actualize only one of the subspecifications, postponing the choice of the

224 remaining parameter part. The results parallel those of partial composition, including the relationship between partial and "total" actualization and the effect of successive partial actualizations. 3.S Definition

(Partial Actualization)

Let M = (PAR, EXP, IMP,BOD) be a module specification with PAR = PAR1 + PARoPAR2, PS 1 = (Parl,ACT1) a parametrized specification with fl: Parl --~ ACT1 and hlA: PAR1 --~ AC~I a parameter passing specification morphism. If there exists a specification morphism hip: PAR0 --~ Par1 such that PAR0 --~ Parl - , ACT1 = PAR0 --~ PAR1 --~ ACT1, then the partial actualization pacthI (PS1, M) of M byPS 1 w.r~t, h ! is the module specification (PAR', EXP', IMP', BOD') where, in the diagram

hlp / f I Parl

PAR0

~

PAR2

P

--~

PAR --* EXP

1 ~hlm

--~

ACT1

~ IMP --~ BOD

IMP' = IMP + PAR1ACT1,

EXP' = EXP +PAR1ACT1

PAR' = PAR2 +PAROParI,

BOD' = BOD +IMpIMP'

The new import interface is obtained by repIacing PAR1 in IMP with AC~I; similarly for the new export interface. The new parameter is the union of the untouched subparameter PAR2 with the parameter Par1 introduced by the actualization with PS 1. Their shared part PAR0 is not duplicated and could represent basic standard specifications, such as bool and nat, which are going to be shared by every specification and to be left unchanged by every module in the system. The universal property of PAR' induces a unique specification morphism i': PAR ' --~ IMP', compatible with the existing morphisms. Similarly, we can obtain a unique e': PAR' --~ EXP' and it can be shown, using the uniqueness of the induced morphism from PAR' to BOD', that PAR' --~ IMP' --* BOD' = PAR' --~ EXP' --~ BOD'. As was the case for partial composition, we can relate partial actualization to (total) actualization, thereby inferring the semantical correctness of the construction above. 3.6 L e m m a Let M, PSI and hl = (hlp, htA) be as in Definitiion 3.5 and, abusing the notation, let PARj be the parametrized specification (PAR_j,PARj) with id: PARj -~ PARj, j = 0,2. Then pacthl(PS1, M) = aCthl A + idid (PS1 +PARoPAR2, M) Since the free construction of the (totally) actualized module specification is strongly

225 persistent or conservative if the original free construction is, partial actualization is semantical!y correct in view of the above Lemma. The next result shows that successive partial actualizations by PS 1 and PS2 yields the same module as the total actualization by PS 1 + PARoPS2. As a corollary, we obtain the commutativity of repeated partial actualization.

3.7 Theorem Let M = (PAR, EXP, IMP, BOD) be a module specification with PAR = PARt +PARoPAR2, and, forj = t,2, PSj = (Parj, ACYj) a parametrized specification and hj = (hjp, hJA) a parameter passing morphism such that the partial actualization of M by PSj w.r.t hj is defined. Then pacth2 (PS2, pacthl(PS1,M)) = act h l + i d h2 (PS1 + PARoPS2, M). 4.

RECURSION OF MODULE SPECIFICATIONS The operations of union, actualization and composition are the basic mechanisms to build

module specifications from other module specifications. The construction which we are going to introduce next is be motivated by looking at the interface morphism f in the composition Mof M' as a "call" of the export of M' by M. A "recursive call" is then represented by an interface morphism from (part of) the import of a module specification M to the export of the same M, in such a way that the parameter part is left unchanged. The effect of such a recursive call should leave the parameter part and the export interface unchanged, remove the "domain" of the recursive calt f from the import interface and identify within the body each operation op of IMP with its counterpart f(op) of EXP. To make this i~ormal discussion precise, we need to review the notion of coequalizer (/HS 73/). Given two morphisms f,g: A --* B in a category CAT, the coequalizer of f and g, denoted by Coeq(f, g), is a pair (C, k), with k: B --4 C a morphism in CAT, such that k-f = k ' g and for any m: B -4 D in CAT satisfying m ' f = m-g, there is a unique morphism n : C ~ D in CAT such that m = n'k. (We will at times abuse the terminology and refer to the object part C as the coequalizer of f and g). Coequalizers are unique up to isomorphism and k is always an epimorphism (/HS 73/). In the category of sets, C is the set of equivalence classes of B generated by the pairs (f(a), g(a)) for a ~ A and k is the canonical projection sending each element of B into its equivalence class. If f=g, then Coeq(f,g)

= (B, id B). It is not too hard to show that any pair of specification

morphisms f,g: SPEC1 --~ SPEC2 has a coequalizer in CATSPEC. First construct $3 and OP3 in the c/~tegory of sets and then use k = (k s, kop ) to "translate" E2 into E3.

Given a SPEC2 -

algebra A satisfying Vf(A) = Vg(A), there is always a SPEC3 - algebra B such that Vk(B ) = A. The construction of B is similar to that of amalgamation (/BPP 8 5 / , / E M 85/) and can be summarized as follows. Since k is an epimorphism, for any s E $3, there is s' s $2 such that s = k(s'): define B s = As,. There is no ambiguity in the definition, since if"we also have s = k (s") for some s" e $2, then there exists, by definition of coequalizcr, sl e S1 such that f(si)=s' and g(sl)=s". But then, by assumption, As,= (Vf(A))si=(Vg(A))sI=As -. Similarly for op e OP3. Such an algebra B is ~ , of Vf and Vg and thus a monomorphism.

since Vk:AIg(SPEC3)--~Alg(SPEC2) is the equalizer

226

We are now ready to define recursion over a single module specification. Later in this section we will also discuss the case of two modules "recursively calling" each other. 4.1

(Single Recursion)

Definition

Given a module specification M=(PARI+PARoPAR2, EXP, IMPI+IMPOIMP2, BOD) and a specification morphism f : IMP2--,EXP such that (a) PAR2---)IMP2-+ EXP = PAR2-+PARI+ PARoPAR2 ---)EXP and (b) IMP0--)IMP2---)EXP--,BOD = IMP0---~IMPI+IMPOIMP2--~BOD, the recursion of M over f, denoted by re@M), is the module specification M I = (PARI+PARoPAR2, EXP, IMPI+PARoPAR2, BOD1) as in the following diagram PAR1 + PARoPAR2

e

1

i l +idid

>

EXP

vi

IMP1 +PARoPAR2

-+

IMP1 +IMPOIMP2 -+ BOD

-+

BOD1

s'

where (BODI,k) = Coeq(v'f, s-j2), with j2:IMP2-+IMPI+IMPOIMP2 the canonical inclusion. The conditions (a) and (b) are similar to those imposed in the definition of partial composition. It is easy to show that the diagram commutes and that s' is again injective. If f is such that IMP2---~EXP--~BOD=IMP2---rIMP1 + IMPOIMP2 -+ BOD, then the only effect of the construction is to remove from the import interface the part of IMP2 not in PAR2. This agrees with our definition, since if v'f=s-j2, then k=idBo D. The semantical conditions on the new module specification need not be satisfied in general as the following example shows. For simplicity, it is understood that all specifications contain BOOL with the appropriate if-then-else operator. Let M=(PAR, EXP, IMP1 +PARIMP2, BOD) be given by the following PAR =

sort

nat

opns

0: --~ nat SUCC:

IMP1 =.PAR +

opn

nat -+ nat

+ : nat nat --~ nat

eqn O + x = x SUCC(x) + y = SUCC(x+y) IMP2 = PAR +

opn g: nat --~ nat

EXP = PAR +

opn G : nat -+ nat

227

BOD = IMP u EXP +

eqn G(x) = i_fx = 0 then SUCC(0) else g(SUCC (x))

Let f: IMP2 --) EXP be the identity on PAR and fop(g) = G. Then recf(M)= (PAR, EXP, tMPl, BOD 1) where BODI=IMP1 u EXP + eqn G(x) = if x = 0 then SUCC(0) els___eeG~SUCC(x)) and the specification morphisms are the ob'4ous inclusions. Then the free functor associated with s':IMPI-+BOD1 is not strongly persistent. The problem is similar to that of termination of recursively defined functions (completeness). From the point of view of Term Rewriting Systems (fPD85]), persistency of the free functor F s, is equivalent to proving confluency and termination of the expanded TRS obtained by adding (in the above example) the equation G(x)=g(x) and removing terms containing g from the set of normal forms. The following theorem establishes the correspondence between the semantics of M and that of recf(M).

For simplicity, we restrict our attention to the case where PARI=PAR0 and

IMPI=IMP0 in def. 4.1. 4.2 Theorem

(Fixed Point Property)

Let M=(PAR, EXP, IMP, BOD), f:IMP--~EXP a specification morphism satisfying f-i = e and MI=recf(M)=(PAR, EXP, PAR, BODt). a) If F i and Fk are strongly persistent, then the flee functor F s, is strongly persistent b) If F k is strongly persistent, then SEM • Vf- SEMI = SEM1 c) If, in addition, F s is strongly conservative, then RSEM • Vf" RSEM1 = RSEM1 With one additional assumption, the recursive construction preserves the submodule partial order. 4.3 Theorem

(Submodule Compatibility)

Let M = (PAR, EXP, IMP, BOD), M'= (PAR', EXP', IMP', BOD'), M_~ m M', f: IMP --~ EXP and f: IMP' --~ EXP' be such that m E ' f = f ' m I, If Fk and Fk, are strongly persistent and V I • F i, = F i • V p , then r e c f ( M ) _ r e c f ( U ' ) .

We can show that the operation of single recursion is compatible with union, actualization and composition. All three compatibilities are based on different interpretations of the following Lemma. 4.4 L e m m a Let hj : A 0 - - ~ A j , k j : B 0 - - ~ B j , j=l,2, andmj, n j : A j ~ B j , j = 0, 1,2, besuchthat kj'n0=nj"

hjandkj'm0=mj'hj,

j=l,2.

Then

Coeq(ml + m0m2, n 1+ n0n2) = Coeq(m 1,n 1)+Coeq(m0, n0)C°eq(m2,n2)" We now state the compatibility of single recursion with the three basic operations. For simplicity, for union and ~tctualization we restrict our attention to the case considered in Theorems 4.2 and 4.3.

228

4.5 Th¢grem (Compatibility with Union) Let M0 -< Mj, j = 1,2 and fj: IMPj --~ EXPj, j = 0,1,2, compatible specification morphisms which are the identity on PARj. Then recfl +t9 f2 (M1 + MoM2) = recfl(M1 ) + recf0(M0 ) recf2(M2). 4.6 Theorem (Compatibility with Actualization) Let M = (PAR, EXP, IMP, BOD), f:IMP --~ EXP a specification morphism with f • i = e, PS = (Par, ACT) a parametrized specification and h:PAR --~ ACT a parameter passing morphism. Then acth (PS, recf (M)) = rec f + idid (acth (PS, M)). The third compatibility property we have investigated is that with partial composition, in which the IMP2 part of the import interface is matched by f with the export of the same module while the IMP1 part is matched via h with the export interface of another module. The next result states that the order in which these two operations are carried out is immaterial. 4.7 Theorem (Compatibility with Partial Composition) Let M = (PARI+PAROPAR2, EXP, IMPI+IMPOIMP2, BOD) be a module specification and f : IMP2 ~ EXP a specification morphism such that recf(M) is defined. Let M' = (PAR',EXP', IMP', BOD') be another module specification and h=(hp,hE) an interface morphism satisfying the conditions in definition 3.1. Then recf(M .hp M')= recf(M)-~ M' In Theorem 4.5, the single recursion over a union is the union of the corresponding single recursions provided that each specification morphism fj is within the same module. We want to consider next the case of two module specifications recursively "calling" each other as allowed, for example, in Ada (/B184/). Suppose that we have two module specifications M1 and M2 with imports IMPI+IMPOIMP1 ' and IMP2+IMPOIMP2 ', and exports EXP1 and EXP2, respectively, and we want to define a new module consisting of M1 and M2 only, where M2 provides the import IMPt' of M1 and M1 the IMP2' part of the import of M2. In the new module, IMPI' and IMP2' arc no longer in the import interface, while IMP1 and IMP2 are. The new body should contain not only the bodies of M1 and M2, but also the information that part of the import of M1 uses M2 and viceversa. Let us make this precise. 4.8 ~

(Mutual recursion)

Let Mj = (PARj+PAROPAR0, EXPj, IMPJ+IMPOIMPj ', BODj), j=1,2, be module specifications and let fl : IMPI' --~ EXP2 and f2 : IMP2' --~ EXP1 be specification morphisms such that (a) IMP0 ~ IMP1'-+ EXP2 --~ BOD2 = IMP0 --~ IMP2' --~ BOD2 and (b) IMP0 ~ IMP2' --~ EXP1 -~ BODI=IMP0 --> IMPI'-~ BOD1. Then the mutual recursion of M1 and M2 via fl and f2, denoted by recfl,f2(M1,M2), is the module specification (PARI+PAROPAR2, EXPI+IMP0 EXP2, IMPI+IMP0 IMP2, BOD*) where BOD* is the colimit object of

229

IMP1' --+ EXP2 ---~ BOD2 IMP0

BOD*

"a

A IMP2' ---> EXP1 --> BODI

and the specification morphisms are all induced by the appropriate universal properties. The assumption of fl and f2 guarantees that the module specification MI0 = (PAR0, IMP0, IMP0, IMP0) shared by M1 and M2 is not modified by the recursive calls. In particular, it implies that the interface morpliisms (idpAR0, fl) and (idpAR0,f2) provide a well defined partial composition of M I with M2, and of M2 with M1, respectively, in the sense of definition 3.1. The verification that the syntactical diagram of rec fl,f2(M1,M2) commutes is very tedious but direct. The strong persistency of the free functor from Alg(IMPI+IMPOIMP2) to Alg(BOD*) cannot be guaranteed in general for reasons similar to the single recursion case. The construction above can be generalized slightly to allow an arbitrary parameter PAR, the same for both IMPI' and IMP2', in place of PAR0, provided that fl and f2 are compatible with PAR --->EXPj. It is not surprising that mutual and singte recursion are closely related. The situation is similar to that of two recursive definitions, say of functions F and G, where F is defined by a polynomial in G alone and viceversa. The components of the solution of this recursive system can be also obtained by substituting one polynomial in the other one and then solve the single recursive definition in the oniy unknown function variable left. 4.9 Th¢0r¢m (Mutual vs. single recursion) Let Mj and fj be as in definition 4.8 and let MEj=(PARj, EXPj, EXPI+IMPoEXP2, EXPI+ IMP0 EXP2) , j=l,2, with the obvious specification moI~hisms.Tlien MEI • recfl,f2 (MI,M2) = recf2 (M1 • fPl M2) and ME2 • recfl,f2 (M1,M2) = recfl (M2 • fP2 M1) The previous Theorem allows us to exploit Theorems 4.5, 4.6 and 4.7 to obtain the compatibility of mutual recursion with union, composition and actualization. 5.

CONCLUSION In this paper we have introduced two partiat interconnections of module specifications: partial

composition and partial actualization. Although motivated by the intuitive idea of establishing interconnections as other module specifications become available, it is shown that both partial operations can be expressed in terms of their total counterpart and union (3.2, 3.6). Exploiting the algebraic laws expressing the compatibility of the basic operations, we have shown that successive partial compositions (or actualizations) are equivalent to a total composition (or actualization) with a union (3.3, 3.7). As a by product, the order in which partial compositions are carried out becomes immaterial.

230

A more interesting construction mechanism, recursion, was introduced in section 4. Unlike the other operations on module specifications, where the semantical correctness is a direct consequence of that of its arguments, the recursion construction (whether single or mutual) does not guarantee the strong persistency of its free functor, unless additional conditions are imposed on the original module. Lacking these, generating or logical constraints (fEWT 83/, fEFPB 86/) should be used to restrict the class of import algebras. Along the same lines, while the semantics of the basic operations can be proved to be compositional and can be explicitly described in terms of those of the arguments (fEW 85/,/BPP 85/), the semantics of recf(M) is reiated implicitly to that of M by a fixed point equation. Notice that the equation is at a semantical level and not syntactical: in CATSPEC (as in all categories) the emphasis is on. the morphisms, not on the objects. So, by composing M with recf(M) using f, the "information" that the module M is the same is lost. Even though our definition of BOD1 in 4.1 was motivated by an intuitive idea of the effect of "self reference" via f, we can find in fEL 83/that, in order to obtain the fixed point equation 4.2(b), the use of the coequalizer is, more or less, forced. Coequalizers are also used in the approach to the algebraic solution of recursive equations found in /BG 81/.

It should be pointed out that our solution for recursive

interconnections of modules is different than in ~184/, where partial orders within each algebra and on the set of algebras are introduced with the functors required to be monotone. Although the semantical funtors SEM and RSEM can be viewed as an observational behavior of the module specification, other notions of "behavioral" semantics of modules are being analyzed, giving rise to different "levels" of observabitity. We will discuss them in a forthcoming paper, along with comparisons with other observability concepts, such as in/GGM 76/,/Rei 81],/GM 82/,/ST 85b/. ACKNOWLEDGEMENTS I am grateful to E. Astesiano, E.K. Blum, H. Ehrig, W. Fey, H, Hansen, M. Lowe and B. Mahr for many helpful discussions. Many thanks also to Annette Mosley for her excellent job of typing an unreadable manuscript in record time. This research was supported in part by the National Science Foundation under Grant DCR-8406920.

REFERENCES /AMRW85/ /BG 81/ /BMM79/ /B1 84/ ~EPP86/ /BPP 851 /BG 771

Astesiano E., Mascari G.F., Reggio G., Wirsing M., On the Parametrized Algebraic Specification of Concurrent Systems, CAAP 85, LNCS 185(1985) 342-358 Benson D.B., Guessarian I., Algebraic Solutions m Recursion Schemes, LI.T.P. Tech,Rep. 81-66. Univ. Paris VII, Dec. 1981 Bertoni A., Mauri G., Miglioli P.A., A Characterization of Abstract Data as Model-Theoretic Invariants, ICALP 79, LNCS 71(1979) 26-37 Blum, E.K., An Abstract System Model of Ada Semantics, TRW Technical Report, Aug. 1984. Blum E.K., Ehrig H., Parisi-Presicce F., Algebraic Specification of Modules and their Basic Interconnections, to appear in JCSS 86. Blum, E.K., Parisi-Presicce, F., The Semantics of Shared Submodule Specifications, Proc. TAPSOFT 85 Vol. 1, LNCS 185 (1985) 359-373. Burstall R.M., Goguen J.A., Putting Theories together to make Specifications. Proc. 5th Intern. Joint Conf. on Artif. Intell., Cambridge 1977, 1045-1058.

231

Ehrich H.-D., Lipeck U., Algebraic Domain Equations, Theoret. Comp. Sci. 27 (1983) 167-196. Ehrig, H., Fey, W., Parisi-Presicce, F., Distributive Laws for Composition and /EFP 86/ Union of Module Specifications for Software Systems, Proc.IFIP TC2 Work. Conf. on Program Specification and Transformation, Bad Tolz, April 1986. Ehrig, H., Fey, W., Parisi-Presicce, F., Blum, E.K., Algebraic Theory of ~FPB 86/ Module Specifications with Constraints, Proc. Math. Found. of Comp. Sci, LNCS 233 (1986) 59-77. /EKTWW 81/ Ehrig, H., Kreowski, H.-J., Thatcher, J.W., Wagner, E.G., Wright, J.B., Parameter Passing in Algebraic Specification Languages, Proc. Aarhus Workshop on Prog. Spec., 1981, LNCS 134 (1982) 322-369. Ehrig, H., Mabx, B., Fundamentals of Algebraic Specifications 1: Equations and /EM 85/ Initial Semantics, EATCS Monographs on Theoret. Comp. Sci. Vol 6, Springer-Verlag, 1985. Ehrig H., Wagner, E.G., Thatcher, J.W,, Algebraic Specifications with FEWT 83/ Generating Constraints, ICALP 83, LNCS 154 (1983) 188-202. Ehrig, H., Weber, H , Algebraic Specification of Modules, Proc IFIP Working FEW 85/ Conference on Formal Models in Programming, Vienna 1985. Ehrig H., Weber, H., Programming in the Large with Algebraic Module ~ W 86/ Specifications, Proc. IFIP Congress '86, Dublin, Sept 1986. Futatsugi, K., Goguen, J.A., Joannaud, J.-P., Meseguer, J., Principles of OBJ2, /FGJM 85/ 12th ACM POPL, New Orleans, 1985, 52-66. Ganzinger, H., Parametrized Specifications: Parameter Passing and /Ga 83/ Implementation, ACM TOPLAS 5, 3 (1983). Giarratana, V., Gimona, F., Montanari, U., Observability. Concepts in Abstract /GGM 76/ Data Type Specifications, 5th Symp. Math. Found. of Comp. Sci. 1976, LNCS 45 (1976) 576-587. Goguen, J.A., Meseguer, J, Universal Realization, Persistent Interconnection /GM 82/ and Implementation of Abstract Modules, tCALP 82, LNCS 140 (1982) 265-281. Goguen, J.A., Thatcher, J.W., Wagner, E.G., An Initial Algebra Approach to the /GTW 78/ Specification, Correcmess and Implementation of Abstract Data Types, in Current Trends in Prog. Method., IV: Data Structuring (R.T. Yeh, Ed.), Prentice Hall, New Jersey (1978) 80-149. Herrlich, H., Strecker, G.E., Category Theory, Allyn and Bacon Inc., Boston, /t-IS 73/ 1973. Liskov, B.H., Zilles, S.N., Specification Techniques for Data Abstraction, IEEE /LZ 75/ Trans. on Soft. Eng., Vol SE-1, No. 1(1975) 7-19. Padawitz, P., Parameter Preserving Data Type Specifications, Proc. TAPSOFT /PD 85/ 85 Vol i, LNCS 185 (1985) 323 - 341. Parisi-Presicce, F., Union and Actualization of Module Specifications: Some /PP 85/ Compatibility Results, Techn. Report, Univ. of Southern California, 1985, to appear in JCSS. Parisi-Presicce, F., Inner and Mutual Compatibility of Basic Operations on /PP 86/ Module Specifications, Proc. CAAP 86, LNCS 214 (1986) 30-44. Full version: Techn. Rep. 86-06, Techn. Univ. Berlin, April 1986. Parnas, D.L., A Technique for Software Module Specification withExamples, /Par 72/ Comm. ACM 15, 5(1972) 330-336. Reichet, H., Behavioral Equivalence - A unifying concept for initial and final ~ e i 8t/ specification methods, Proc. 3rd Hungarian Comp. Sci. Conf., Budapest, 1981, 27-39. Sannella, D., Tarlecki, A., Program Specification and Development in Standard /ST 85a/ ML, 12th ACM POPL, New Orleans, 1985, 67-77. Sannella, D., Tarlecki, A., On Observational Equi~ alence and Algebraic /ST 85b/ Specification, CAAP 85, LNCS 185 (1985) 308-322. Sannella, D., Wirsing, M., A Kernel Language for Algebraic Specification and /SW 831 Implementation, Internal Report No. CSR-131-83, Univ. Edinburgh, 1-44. Weber, H., Ehrig, H., Specification of Modular Systems, IEEE Trans. Soft. /WE 86/ Eng., June 1986. /WPPDB 83/ Wirsing, M., Pepper, P., Partsch, H., Dosch, W., Broy, M., On Hierarchies of Abstract Data Types, Acta Inform. 20 (1983) 1-33.

/EL 83/

EFFICIENT

REPRESENTATION

OF TAXONOMIES

G. G a m b o s i (*) , J. N e ~ e t g i l (**) , M. T a l a m o (*) (*)

Istituto

(**)

Charles

di A n a l i s i

del C.N.R.~

11600

Viale

Manzoni

University

Prague,

dei S i s t e m i 30,

ed I n f o r m a t i c a

00185,

Malostransk~

Roma,Italy

Namest±

25,

Czechoslovakia

ABSTRACT In this dimension

paper,

representation nodes

the use

of p a r t i a l

(linear

ficiently

orders

of the c o n c e p t s is s t u d i e d

of t a x o n o m i e s . extensions

to such

Under

this

of p a r t i a l

queries

as

of d i m e n s i o n

for w h a t

approach,

orders)

"Is e l e m e n t

and b o o l e a n

concerns

the e f f i c i e n t

labelings

are u s e d

a related

of the

to a n s w e r

to e l e m e n t

efb?".

INTRODUCTION The sets

efficient

of c o n c e p t s ,

ample

in some

to be able (derived)

representation represents

sectors

to a n s w e r

In o r d e r

approach

the

[GNT],

seems both

This

studied

of such

introduced

to be c o n v e n i e n t in terms

In s e c t i o n troduction

a taxonomy

in p o s e t

out

a included

seems

as a p a r t i a l

theory)

and,

of a s t a t i c

(elements)

of p o s e t s

labelings

of u s i n g

[KT]

makes

in some

structure, to be w o r t h

order,

the

the c o n c e p t

of

it p o s s i b l e

to

cases,

I, some

partially

of the c o n c e p t

to o b t a i n

of d i m e n s i o n ,

and e x t e n s i v e l y

studied

to use

to O b t a i n

of q u e r y

time

definitions

of the c o n c e p t

w o r k was

for ex-

it turns

"Is e l e m e n t

in the case

of the n o d e s

a generalization

dimension,

formance

where

as

themselves.

Moreover, boolean

problem

and of d i m e n s i o n

the n u m b e r

labeling

this

If we c o n s i d e r

extensions

determine

as

free-structured

problem,

Intelligence,

to such q u e r i e s

labelings

(extensively

i.e.

interesting

b?".

to t a c k l e

of i n v e s t i g a t i o n .

linear

of A r t i f i c i a l quickly

from element

the use of s u i t a b l e

of t a x o n o m i e s ,

a rather

of b o o l e a n

supported

in o r d e r

in the

denoted full

a better

per-

and of space. are

given

together

with

the

dimension.

by the E S P R I T

Project

ALPES.

as

paper

in-

233

In s e c t i o n presented

2, a l a b e l i n g

which

allows

In s e c t i o n lized

3, s u c h a p p r o a c h

DEFINITIONS

Given lation

number sary

taxonomies

treatment

is e x t e n d e d

of

(rooted

trees)

inclusion

to t w o

types

is

queries. of genera-

ordered

dimension of P

of different

to d e t e r m i n e

linear

and Miller arbitrary

P itself.

a set

Note

have

partial

and can grow

a k-labeling

on

formula

where

N is a n o r d e r

sorting)

P itself,

(dim P)

i.e.

is d e f i n e d

of P w h o s e

re-

o n P JR]

such

that

for e a c h on t h e

shown,

among

i = 1,...,k dimension

others,

for

as n =

(fig.

the

is n e c e s -

k for w h i c h of P such

I).

of posets, dimension

INI

tends

Dushnik

of an

to i n f i n i t y

(*) it is p o s s i b l e

set N:

for e a c h

hence, and,

the m i n i m u m

extensions

theory

that

c a n be u n b o u n d e d

as O(n)

as

intersection

d i m P is the m i n i m u m

if d i m P = k,

~i ( n ) , ~ 2 ( n ) , . . . , I k ( n ) boolean

embeds

Hence,

paper

order

as f a s t

that,

(N,
(topological

i = { L I , L 2 .... ,L k} of l i n e a r

seminal

[DM]

L

extensions

t h a t n I

set P =

if n I

(order)

exists

TERMINOLOGY

a linear extension

ordering

n l , n 2 c N, The

AND

a partially

on s e t N,

is a t o t a l

there

simple

taxonomies.

I. B A S I C

each

of

an efficient

given

node

to represent n E N there

n l , n 2 E N, n I

P introducing

exist

k labels

the

following

is v e r i f i e d : F = xiAx2 A ..°Ax k

where

x i is t r u e

iff

Z i ( n I)

< Zi(n2). P a

d

Fig.

LI

b

L2

c

e

a

c?

b

b

c

a

d

f

e

e

f

f

t .

d

dim P = 2 (*) As u s u a l , = O(g(n))

we will

say

iff t h e r e

that,

exist

given

c,n

o

two

functions

such that

f(n)

f(n),g(n),f(n)

< c.g(n) --

=

for n > n

o

o

234

Moreover, defined

I. A is not of

given

a poset

as a d a g HD(P) transitive,

length

itive 2. The

greater

associated

closure

following, Hasse

Given

iff

there

diagrams

a poset

exists

any

then

there

f r o m n I to n 2 in HD(P)

(*) H D ( P ) * =

P =

refer

(N,A*)

is no p a t h

(HD(P)

of HD(P)

is a t r a n s -

is i s o m o r p h i c

to

variables,

In fig.

we w i l l

d

e

Given (dimBP)

is

a poset

that P is Observe

order

P,

are of the

that,

x i =true

formula

F and a

L4

L3

c

c

b

b

f

c

a

b

d

f

e

e

e

a

f

d

d

2

is given.

let us d e n o t e

k for w h i c h

(x I A x 2 ) A (x 3 A x 4 )

as boolean

there

exists

dimension

a formula

of P [GNT]

F(Xl,.. °,x k)

F-presentable.

that

dimension

L2

such

where

of a b o o l e a n

on a set

F-representable

f

F-presentable

the m i n i m u m

F defined

L = { L I , . . . , L k}

LI

Fig. P which

of the

c

F =

poset

formula

F ( X l , . . . , x k) = true,

2 an e x a m p l e

b

in t e r m s

say t h a t P is

extension

P a

only

characteristics.

and a b o o l e a n

a set of k l i n e a r

< li(n2).

to p o s e t s

and of t h e i r

(N,
n l , n 2 E N, n I

Zi(nl)

such

Hasse diagram of P is

the

that:

if < n l , n 2 > 6 A,

two

we w i l l

{ X l , . . . , x k} of b o o l e a n

given

i.e.

than

(N,
such

(N,
In the

iff

P =

(N,A)

reduction).

transitive

P =

=

such

given

definition above

includes

the u s u a l

as the p a r t i c u l a r

definition

case w h e r e

all

of

formulas

form

(*) G i v e n a d i r e c t e d g r a p h G = (N,A) the t r a n s i t i v e c l o s u r e of G is d e f i n e d as the d i r e c t e d g r a p h G* = (N,A*) s u c h that, g i v e n nl,n 2 E N, ( n l , n 2 ) e A* iff there e x i s t s a p a t h f r o m n I to n 2 in G.

235

=

F(xl ..... Xk) This

makes

it p o s s i b l e

to d e r i v e

A

x.

1
l

immediately

the

following

result:

following

theorem

FACT For

any p o s e t

This

easy

P =

(N,
inequality

Theorem I. For e v e r y

I is b a s e d

n there

2. R O O T E D Let diagram

the

exists

P

= 4 and

standard

by the

such

n

that

d i m ( P n)

example

= n

on Fig.

2.

TREES us d e n o t e

HD(T)

Hence, I. T h e r e

on

~ dim(P).

is c o m p l e m e n t e d

d i m B ( P n)

Theorem

dimB(P)

a poset

is a r o o t e d

T is a r o o t e d

(N,< T)

as a r o o t e d

tree

if its H a s s e

tree

Ti =

r 6 N such

if:

r E <Tin • N}, i.e. nodes i=I l f e r e n t s u b s e t s N i , N j of N - { r } are not r e l a t e d in T. 3. E a c h

exists

T = tree.

(Ni,
that

is a r o o t e d

induced in dif-

tree.

l

F r o m [TM] sion

it is t r i v i a l

As w e l l hence,

known,

in the

"Is e n t i t y

S(n)

= 0(I)

that

a rooted

tree

T has

dimen-

sons Then,

I. Z1(n)

it w i l l

order

of n o d e

such

to a n s w e r

in time

labelings,

by an a r b i t r a r y =

£i (n),i2(n)

traversal

of a p p l i c a t i o n

two

defined

is the r a n k of n o d e

Depth-First

b?"

as r o o t e d

trees:

L I , L 2 of the e n t i t i e s

be p o s s i b l e

in e n t i t y

i in HD(T)

the l a b e l s

can be m o d e l e d

labelings

T(n)

queries = 0(I)

con-

of the

and

space

entity.

to i d e n t i f y

total

taxonomies

suitable

a included

for e a c h

In o r d e r the

two

taxonomy,

type

i E N,

simple

by p r o v i d i n g

sidered

Si of

to d e r i v e

d i m T < 2.

(N,A),

of the DFS

n in the t o t a l to the

permutation

S i = {n • N I ( i , n

of a n o d e

of T, p r o v i d e d

let us d e n o t e

n • N can order

that,

as 0 i , on

> 6 A}.

be d e r i v e d

determined

for e a c h

set of s u b t r e e s

the set

by a

i • N,

induced

as:

the o r d e r

by the

set

236

of i is e x a c t l y 2. Z2(n)

O i-

is the r a n k of node n in the total o r d e r

traversal

of T, p r o v i d e d

that,

for e a c h i e N, the o r d e r of a p p l i c a !

tion of the DFS t o the set of s u b t r e e s ordering

obtained

d e r i v e d by a DFS

i n d u c e d by S i is O i,

by r e v e r s i n g O i (fig.

the

3).

I-I

7-2

13-7 Fig. The

following

3

t h e o r e m holds:

Theorem 2. G i v e n a r o o t e d tree T = (N,< T) and the two l a b e l i n g s L I , L 2 over N defined an a n c e s t o r

Proof

above,

of n 2

the f o l l o w i n g

(i.e. n1< T n 2) iff ~i(nI)

(if). Let us a s s u m e w . l . o . g ,

n o d e n 2. Let us d e n o t e T and let r(n I) containing

Common Ancestor

be the son of n 3 w h i c h

< i2(r(nl))

Z 2 ( r ( n I)) then,

of n I and n 2 in

since r(n 2) < r(n I) in O'n3 ,

by the DFS p r o p e r t i e s

< Z2(nl)

i 2(n 2) < ~2(nI)

2. r ( n 2) < r(nl) a. ~1(n2)

: hence,

in On3

< Zl(r(nl))

and the c o n d i t i o n

then:

of

is r o o t of the s u b t r e e

are p o s s i b l e :

< r(n 2) in On3

a. ~2(n2) b.

< 11 (n 2) and 9~2(nl)
that node n I is not an a n c e s t o r

as n 3 the L o w e s t

(r(n2))

for e a c h n l , n 2 E N, n I is

n I (n 2) .

Two cases I. r(nl)

holds:

is not v e r i f i e d .

237

b,

Z1(r(nl)) hence, (Only

and

i2(i)

tree

< Z1(nl)

it(n2)

if).

containing

to r e p r e s e n t

in o r d e r

a included

ciently

to s u c h

sets

to a n s w e r

by c l a s s

queries

following

local

rooted

how,

under

mies

efficiently.

Loca~

general

rooted Local

of DFS

j e N and

b?"

(generalizations

In the nomies:

i,

traversal,

i
both

again.

i1(i)
(i is the

root

of a sub-

defined

on the

TAXONOMIES

In o r d e r

structures

where

is n o t v e r i f i e d

j). D

3. G E N E R A L I Z E D

class

and the c o n d i t i o n

By the p r o p e r t i e s

< i2(j),

of e l e m e n t s

< i1(nl)

of

taxonomies

efficiently we n e e d

to r e p r e s e n t

of trees)

as

"Is

we w i l l trees

there

in such

and

two

set "Is

to a n s w e r

from node

types

leaf-analgamated it is p o s s i b l e

same

of the type

the'corresponding

a way

any p a t h

consider

condition,

to q u e r i e s

effi-

a to node

of g e n e r a l i z e d forests,

and w i l l

to r e p r e s e n t

such

b?".

taxoshow

taxono-

trees

rooted

trees

introduced,

where

a new

trees

are

among

others,

taxonomy

an e x t e n s i o n

is d e f i n e d

of the d e f i n i t i o n

to r e p r e s e n t among

more

complex

the e l e m e n t s

sons

of r o o t e d taxonomies,

of the

same

element. It is p o s s i b l e - A rooted

tree

- A k-local ing H a s s e A I A A~

to d e f i n e

is a l - l o c a l

rooted

tree

Diagram

T =

HD(T)

a k-local rooted (N,
=

(N,A)

rooted

tree

recursively

as:

tree is a p o s e t

such

is a d i g r a p h

that

such

the c o r r e s p o n d -

that

A = A I u A~

= @, where:

I. The

digraph

RT =

2. Let

us d e n o t e

let us d e n o t e

(N,A I)

as S i the

is the H.D. set of

as A~ (i) ~ A~

the

of a l - l o c a l

s o n s of n o d e subset

of A~

rooted

i E N in RT. induced

tree. Moreover,

by S i on A~.

Then:

iEN

- A~ (i) n A~ (j) = @ if i ~ j, i,j E N.

-

(Si, E~ (i)) at l e a s t

one

is a t - l o c a l node

rooted

n e N such

tree w i t h

that

t < k and

(Sn,E 4 (n))

is a

there

exists

(k-1)-local

,

238

rooted

tree

(fig.

4).

Fig.

tree

It is e a s y

to n o t e

T is equal

to the t r a n s i t i v e

mediately closure lings

implies

that

that,

trees

deleting exists

the t r a n s i t i v e

presented

all

from

rooted

applying

to the

arcs,

closure

i.e.

all

tree,

of

the

rooted

i to j of l e n g t h

of a local

of a r o o t e d

by a c o u p l e

derived

above

transitive

a path

closure

if T is a local

of T can be r e p r e s e n t e d

can be i m m e d i a t e l y

rooted

4

tree: the

labeling T'

Such

than

labe-

procedure

obtained

for

from T

arcs < i,j ) 6 A such

greater

im-

transitive

labelings.

tree

rooted

that

that

there

two.

Leaf amalgamated forests Definition. Let P = (N,
say that

I. E v e r y

I(x)

2. D e n o t i n g I(x), x,y,

given

a minimal

element

x E N

elements)

in

= {y e N Ix < p y } .

is a r o o t e d

as L(x)

I(x) I(x)

P is a leaf a m a l g a m a t e d

and

the

H L(x)

I(y)

Let us n o w p r o v e

set of l e a v e s

A L(y)

intersects the

if:

tree

C I(x)

N I(y)

forest

(x,y E N ) ,

only

following

(maximal i.e.

in a set of l e a v e s

that

all

in-degrees

of n o d e s

exists

Furthermore,

a unique

if C and C'

maximal

then

(fig.

dimB(P)

in N are b o u n d e d

Proof. L e t us first n o t e that, g i v e n a m a x i m a l y

two n o d e s 5).

theorem

Theorem. L e t P = (N,
for any

chain

are m a x i m a l

element

containing chains

which

~

2.d,

by d. x E N,

both

for e a c h

x and y.

intersect

in a

239

Fig. non m a x i m a l e l e m e n t y, then C ~ C' ~

5
Let us c o n s i d e r a d - c o l o r i n g of the maximal chains in such a way that two chains with the same color do not intersect in a leaf.

Then~

the union of chains w i t h the same color turns out to be a forest,

i.e.

a poset w h o s e o r d e r d i m e n s i o n is 2. Let us denote as £I,k ' i2, k the two labels relative to color k: then it is easy to note that the boolean function ~(x I I,x2 2,...,Xltd, t

x2,d)

=

(Xl, 1 A

Xl,2) V (x2,1A x2,2) V ... (Xd,l,Xd,2)

s

(where xi, j = t r u e

iff Zi,j(n I) < ii, j(n2), nl,n 2 E N) describes poset P, hence dimB(P) < 2.d. D

Corollary. It is p o s s i b l e to answer to inclusion queries on leaf-amalgam a t e d forests in time O(k)

and space O(k.n),

where k is the number of

l e a f - a m a l g a m a t e d trees.

Proof. Derives i m m e d i a t e l y from the t h e o r e m above. D Let us denote as L the set of leaves and as R = {xEN i~

x,y) EA,

y ~ L}. In the case where also the f o l l o w i n g hypothesis 3. Wx ~ R, outdegree(x)

is verified:

is a c o n s t a n t it is m o r e o v e r p o s s i b l e to state

the following theorem

Theorem. Given a l e a f - a m a l g a m a t e d f o r e s t F w h i c h verifies c o n d i t i o n 3 above,

then dimBF = O(h), where h = max height(x). xEN Corollary. Given a l e a f - a m a l g a m a t e d forest F w h i c h v e r i f i e s c o n d i t i o n 3, there exists a data structure w h i c h makes it possible to answer to

240

inclusion queries on F in time T(n)

= O(h), where h = max height(x),

and space S(n) = O(n.h).

xEN

From the results above it follows that, given a l e a f - a m a l g a m a t e d forest F, it is p o s s i b l e to manage the p r o b l e m of a n s w e r i n g to inclusion queries in time min(h,k)

and space min(h.n,k.n).

This result is

strongly d e p e n d e n t from the use of boolean dimension;

it is possible

in fact to state the following theorem.

Theorem.

There exists a l e a f - a m a l g a m a t e d forest F which verifies con-

dition 3 above such that dim F = ~(n).

CONCLUSION The concepts of order d i m e n s i o n and boolean dimension of posets have been applied to the r e p r e s e n t a t i o n of mies,

in order to efficiently manage

(generalization of) taxono-

inclusion queries.

This work is

part of a more general study of the concept of boolean d i m e n s i o n of posets developed in the full paper.

REFERENCES

Partially

ordered set~, Amer. J. Math.

[DM]

B. Dushnik, E. Miller: 63 (1941), 600-610.

[GNAT]

G. Gambosi, J. Ne~etril, M. Talamo: On locally s u b m i t t e d to "Theoretical C o m p u t e r Science".

[KT]

D. Kelly, W.T. Trotter: Dimension theory Ordered sets, (I. Rival ed.), D. Reidel,

[R]

I. Rival: Linear extensions of finite Discrete Math. 23 (1984), 355-370.

[TM]

W.T. Trotter, J.I. Moore: Some theorems Discrete Math. 15 (1976), 79-84.

presented posets,

for ordered sets in Dordrecht,

171-211.

ordered sets, Annals of on graphs and posets,

Applications of Compactness in the Smyth Powerdomain of Streams (Extended Abstract)

J. -J. Ch. Meyer & E.P. de Vink Department of Mathematics and Computer Science Free University Amsterdam

Abstract We show in a uniform setting the crucial role of compactness in the theory of the Smyth powerdomain of streams. The topological notion of compactness is characterized in an order-theoretical manner, involving a notion of bounded sets. We obtain general results on the continuity of operators, and consider applications as diverse as interleaving, hiding and stream programming operators.

Section 1 Introduction This paper originated from writing a tutorial for students on (denotational) stream semantics of concurrency, such as used by e.g. Broy ([Brl], [Br2]), Back ([BAD and De Bakker et ai. ([BKMOZ]). in the setting of this tutorial programs are built from atomic actions, sequential composition, alternative composition, parallel composition (interleaving or merge) and recursive constructs. In [Mel], [Me2] it was studied how to develop a uniform semantics for such a language based upon a powerdomain ordered by the Smyth ordering (of. [Sml]), which appeared to be equivalent to an observation-based semantics in the style of Hoare et al., (of. [OH], [BMO]). (A recent application of the Smyth powerdomain to the semantics of more refined concurrency languages can be found in [Ma].) In the framework of [Mel], [Me2] atomic actions are left uninterpreted, so denotations of program statements are sets of streams (traces) of atomic actions. Moreover, it is assumed that the set of atomic actions is finite. Some of the proofs, however, are difficult and not suited for lecture notes for students. In the meantime we found that using the Egli-Milner order instead of the Smyth ordering provided a simplification of the proofs. So when we wrote the tutorial we chose for a stream powerdomain ordered by the Egli-Milner ordering, and as such the material could be viewed as an extension of Back's work [Ba] for concurrent operators such as interleaving. During the elaboration of the material for the lecture notes we discovered that regarding the continuity proofs of the operators, viz. sequential, alternative and parallel composition, the condition of the finiteness of the alphabet of atomic actions could be relaxed to a certain condition of boundedness of the stream-sets that occur as denotations. Informally, a stream-set is bounded if all sets of truncations up to a finite length are finite. The continuity proofs now became very elegant and uniform. After the completion of the lecture notes we felt that it was interesting enough to write an article on the subject. At some moment we realized that the concept of boundedness could also be employed profitably in the case of the Smyth powerdomain. Moreover, we learned that in this case it was even more crucial. Whereas in the study of the Egli-Milner domain the boundedness concept proved to be a useful tool to ease the continuity proofs, in the Smyth powerdomain it is an essential requirement for the continuity of the

242

operators under consideration. After work done in [Mel] we appreciated the fact that the finiteness of the alphabet is not needed when dealing with the Egli-Milner ordering. This was suggest¢d already by the fact that in [Ba] Back uses

the

Egli-Milner ordering in order to obtain a continuous semantics of u n b o u n d e d nondeterminism in

sequential programming. Thus in the Egli-Milner domain also the restriction to bounded sets may not be strictly needed for continuity. (For the tutorial, the condition of boundedness simplified proofs and it held anyway in the case considered.) For continuity in the Smyth powerdomain of stream-sets, however, the restriction to bounded sets proves to be pivotal: for u n b o u n d e d sets continuity simply fails to hold. Since for a research paper it is more interesting to show the extreme cases instead of just the easy cases, we have chosen to treat the topic o f boundedness in the Smyth framework. W e shall give the notion of boundedness, which - in conjunction with closedness - is an alternative characterization o f the well-known topological notion of compactness, (cf.[Du], [En]).

W e shall prove a

fundamental theorem concerning converging sequences in bounded sets, upon which we base the rest of our proofs. It is in fact this theorem that enables us to give a neat and unified treatment of the issue of continuity. W e consider functions on sets of streams that are lifted from continuous functions on streams and establish a result concerning the continuity of these lifted functions. This theorem on lifted functions provides us with a uniform treatment of several diverse applications. W e consider, for example, operators of uniform concurrency (sequential, alternative and parallel composition and hiding, cf. [BKMOZ], [Mel]) and, by interpreting the elements of the alphabet as data elements rather than actions, operators of stream p r o g r a m m i n g such as tail (cf. [dBK]). Furthermore we indicate an application of our theory in the realm of logic programming, (cf. [dV]). Here we use our theory to define a continuous operator that dovetails stream-sets of substitutions in order to obtain a denotational semantics. In

[Sm2] a general domain theoretic characterization of the Smyth powerdomain is given using

advanced topological techniques. In our paper we deal with a concrete domain, viz. that of sets of streams, which fact enables us to prove our results using elementary m e a n s only. Therefore no knowledge is required beyond some elementary metric topology and cpo theory. Finally a word on the organization of this extended abstract. In order to keep our submission within the prescribed length we have omitted m a n y proofs of the more elementary propositions and theorems. These proofs can be found in the full version of our paper [MV].

Section 2 The Smyth Powerdomain of Streams In this section we shall establish some useful properties of the Smyth powerdomain in the special case of streams. This domain is based upon streams of actions: For an (finite or infinite) alphabet A of actions, we define the set A st of streams over A by A s~= A * U A * ' ±

U A ~. Let x E A ~t. x is called finished iff

x ~ A * , x is called unfinished iff x c A * • i and x is called infinite iff x c A ~. We define the function strip :A st ~ A * U A ~ by strip(x) = x' if x = x ' - ± The prefix ordering x.y =defxforxCA

and strip(x) = x otherwise.

-<pr on A * U A ~ is defined as usually. For concatenation we use the convention ~. The length o f a s t r e a m x i s d e n o t e d b y [ x l .

of a stream x is defined by Ilxl[ = Istrip(x)]. x[n] = x' if Ixl->_n and where x' _-<prX s.t.

IfxEA ~'thentxt = ~.

The norm llxl]

For x ~ A st we define x[n] by x[n] = x if l x [ < n

Ix'l = n.

and

For all x E A st and for all n: Ix[n]l_-< n implies

243

x = x[n]. For n < [x[, we denote is the n-th action of x by x(n). W e put the following ordering on streams: ~ i f x is finished or infinite then x = Y (2.1) DEFINITION x <st Y iff [ i f x is unfinished then strip (x) --<prstrip (y), The terminology of unfinished vs. finished is motivated by the view that an element ending with ± m a y approximate another - more defined - element, whereas a finite element without ± cannot approximate any element but itself. (2.2) PROPOSITION ( A st, --<st , ± ) is a cpo. [] T h e ordering

--<st on A st has the following special property: if two streams x I and x 2 have a c o m m o n

upperbound, i.e. both are majorized by the same stream x 3, then x I and x 2 are comparable with respect to <st - This property wilI be frequently used in the sequel. In the languages we are interested in, there are non-deterministic operators.

So in our domain we

must consider sets of streams . The next step is to define a suitable ordering on these sets of streams, W e shall use the Smyth ordering ([Sml]). (2.3) DEFINITION ~ AStiscalledflatiffVx~ x 2 E X : x I < ~ t x 2 ~ x I = x 2 .

(a)

AsubsetX

(a)

Let 6, r(A ~t) be the collection of all flat subsets of 6, (A~t).

(b)

ForX66,(A~t),n>_0,

(c)

The binary relation

X[n] = { x [ n ] i x 6 X

}.

< s on 6' (A st) is for all X I,X 2 e 6" (ASt) defined by:

<=~txz.

X I <sX2iffYx2~X2:lxl~XFx~ (d)

} and X(n) = { x ( n ) I x 6 X

ForXI, X2c6"(A~t):Xt

=-sXziffXl

= < s X ~ a n d X 2__<sX1.

(2.4) LEMMA =<s is a partial ordering on 6"r(A~t). [] W e next prove that ---<s is a compiete partial ordering on 6"¢(ASt). To this end we need a characterization of the least upperbound lub i X i of a chain ( X i )i in 6" f(ASt). (2.5) DEFINITION

Let

(Xi~ i

be

a

chain

in

6"f(ASt).

Then

LUBIX i =def{lublxi [ V i : x i @ X ~ ;

( Xi ) i iS a chain }. (2.6) PROPOSITION

For

X i c 6"f(A ~t)

such

that

(X~)i

is

a

chain,

LUB~X i ~ 6"f(A~).

and

[ubi Xi = LUB i x i. [] (2.7) PROPOSITION (Interpolation) Let X l =<s X2 =<s X3, X i flat and x I e X l, x3 ~ X3 such that x j <~t x3. Then there exists x 2 6 X 2 such that x I <~t x z <st x3, [] (2.8) THEOREM (6"f(ASt),

< s , { ± } ) is a cpo. D

Finally in this section we consider the operator rain, which is used to "flatten" sets within the same Smyth equivalence class: (2.9) DEFINITION Let X ~

A st. Then rain(X) is the set of minimai elements in X, formally given by

rain(X) = { x C X [ ~ 3 x ' c X :

x' < s ~ x A x ' * x

}.

244 If X @ 6 ~ ( A st) then rain(X)

is fiat and rain(X) = s X.

If X I , X 2 ~ ( P ( A ~t) then X l <_sX2 iff

m i n ( X l ) <=s rain(X2), and X l ----s X2 iff rnin(X1) = rain(X2). For X ~ 6~ (A st) and for all n =>0: min (X[n]) = (min (X))[n].

and for any chain ( X i )i in 6~ (A st) it holds

that lub i rain (X i ) = rain ( lubi X i)-

Section 3 Compactness in the Smyth Powerdomain of Streams As was already mentioned in the introduction, the notion of compactness plays an important role in the theory of powerdomains of streams. In this section we shall introduce this concept and characterize it in terms of properties of streams. After this we shall prove a fundamental theorem which enables us to establish several continuity results in section 4.

§3.1 Introduction to Compactness Compactness is a well-known and well-studied notion in topology. (Cf. [Du], [En]). A general topological space M is called compact iff every open cover of M contains a finite subcover. In a metric space, however, we have some equivalent conditions of compactness: (3.1) THEOREM In a metric space M the following three conditions are equivalent: (1)

M is compact;

(2)

M is sequentially compact, i.e. every sequence in M has a converging subsequence;

(3)

M has the Bolzano-Weierstrass property, i.e. every infinite subset of M has a limit point. [] In computer science compactness is used indirectly in papers on bounded nondeterminism (e.g. [dB],

[Ku], [P1]) and more directly in process theory (e.g. [BZ]) and the theory of infinite trees (e.g. [Ni]). Also, in some way, compactness was used in [Mel] and [Me2] in the form of an assumption of having a finite alphabet of atomic actions to ensure continuity of certain semantical operators. In our present paper, however, we shall use a more local kind of compactness to ensure continuity of semantical operators. not

W e do

require the semantical domain as a whole to be compact (as is the case when the alphabet of atomic

actions is assumed to be finite), but only the stream-sets that are to act as denotations, will have to be compact. First of all we want to characterize the notion of a compact set in terms of streams and their orderings. W e shall see that we obtain a kind of "Heine-Borel" characterization: a stream-set is compact iff it is d o s e d and bounded . §3.2 Closedness W e now define the notion of a closed stream-set. (3.2) DEFINITION Let X ~ A st. X is closed i f Y x E A ~ ¥ n 3 x n E X: x[n] <st xn ~ x ~ X. REMARK This notion of closedness is essentially the same as that of [Ba] and can be shown equivalent to the notion of closedness induced by the standard metric on streams. (3.3) DEFINITION The class of closed subsets of A st is denoted by (3)c(ASt). W e note that closedness is preserved by lub (in the context of flat sets).

245

(3.4) THEOREM Let ( X i ) i , Xi c (Pct(ASt), be a chain. Then lubi X i E (Pcf(AS~). D Next, we obtain the following useful properties of closed sets. (3.5) PROPOSITION (a)

For any X c (~cf(ASt), X = lub n X[n].

(b)

For any X c (Pc(ASt), m i n ( X ) 6 (Pcf(ASt), [] Finally, in this subsection on closedness we obtain a basic property of chains of flat, closed sets of

streams, which we shall use in the subsection 3.4 for the proof of our main theorem. (3.6) LEMMA Let ( X i ) i be a chain in (Pcf(A st) and x E A St such that Yi: x [ i ] c Xi[i ]. Then x E lub i X~. []

§3.3 Boundedness W e proceed with the introduction of the central notion of boundedness. Intuitively a stream-set X is bounded if X can be represented by a finitely branching tree. (The streams in the set X correspond to the paths in the tree.) Formally we give a definition based on truncations. (3.7) DEFINITION A set X ~ A st is called bounded iff Vn: X[n] is finite. REMARK Note that if A is finite, any X ~ A st is triviaIly bounded (but obviously not vice versa). Thus this paper can be viewed as a proper extension of the treatment of the Smyth domain in [Mel], [Me2]. (3.8) DEFINITION The class of flat and bounded stream-sets is denoted by (P af(ASt) Next we prove a few properties of a chain of flat and bounded stream-sets that we shall need below. The first one states that the infinite union of the sets in a ---<s- c h a i n in l~bf(A st) lilt still bounded. (Note that this is clearly not generaly the case for an infinite union of arbitrary sets in (Pbf(A st).) (3.9) PROPOSITION Let ( X i ) i be a chain in (~bf(ASt). Then UiX i is bounded. [] The following proposition will be of help when we are dealing with operators in section 4. (Compare with proposition 3.5b.) (3.10) PROPOSITION I f X ~ A st is bounded, then rain(X) is bounded as well. [] The next property we shall prove is rather technical, but plays an essential role in the next subsection where we explore properties of compact sets of streams. But before we shall prove this technical l e m m a we repeat a version of K 6 n i g ' s l e m m a (see [Ni]), which will be of considerable help in our proofs. (3.11) PROPOSITION ( K 6 n i g ' s temma) Let X be a set, ( X n )~ a sequence in P (X) and R _c_ X x X a relation on X such that (i)

X n is non-empty, for all n.

(ii)

X n is finite, for all n.

(iii) VnVxn+ I C X n + l : q x ~ E X n : (iv)

R(xn, xn+i).

U n X , is an infinite set

Then there exists a sequence ( x n ) , in X such that Yn: x , e X , and Yn: R( x ~, x n + l ). []

246

We now arrive at our main, technical lemma on chains of flat and bounded sets of streams: (3.12) LEMMA Let ( X i )i be a chain in (Pbf(ASt), and ( x i )~ an arbitrary sequence such that Vi: x i ~ X i. Then there exists a subsequence ( xio ) n of ( x i ) i such that ( x i [ n ]} n is a chain. PROOF Put X = { xl I i => 0 }. If X is finite, then there is some x ~ X such that x = x i for infinitely many i. Trivially, a subsequence (Xj.j)j with Xij = X, (for all j), satisfies the requirement. Now consider the case that X is infinite. Define Yi = d e f X \ { Xo, . . . ,xi_ L } for i ____0. Note that Yi[i] is non-empty, for all

Yi[i] is finite for all i, since viii] _c_ [ U i x~] [i] and U i Xi is bounded by proposition

i. Furthermore, 3.9.

Moreover, from Y i ~ Y i + i we have that Yi =<s Yi+t and so also Yi[i] -<--sYi+l[ i] ---s Y i + t [ i + l ] .

Consequently: ViVyi+ 1E Y i + t [ i + l ]

3 y i E Yi[i]: Yi =<s~Yi+l-

Next we check that U i I Y iti]l is an infinite set. It is sufficient to prove that k.

VrVi . . . . . .

J

irVy o C Yio[io] . . . . .

Yr ~ Yir[ir] 3 i 3 y C Yi[i]: y e { y ..... Yr }' Suppose this is not true, Then

we may choose r, i o, . . . ,i r, yoE Yio[io] . . . . . Consequently, xi[il e { y . . . . . .

0=<j_-< r,

lyjl--< r e < i ,

Yr } for all i. Put m = max{ i . . . . . .

and

Yrn+l = { Xm+t,Xm+2, " " " } ~ X = Ym+l U { x . . . . . .

yr@ Yi [ir] such that g i V y a Yi[i]: y e { y . . . . . .

thus

txi[i]I
{Yo . . . . .

Consequently,

Yr }"

i t } and let i > m. Then for every xl = xi[i]e {Y . . . . . .

Yr }" Thus Yrn+l is finite,

Yr }"

Hence

which contradicts the fact that

x m }is infinite. Therefore we may conclude that Ui [Yi[i] l is infinite.

Now choose by means of K6nig's lemma a sequence. ( Y i ) i such that Vi: yi @ Y[i] and Vi: Yi -<-stYi+l. We now construct a subsequence ( x l ) . of ( X i ) i such that (xi [ n l ) , is a chain. Put i_ 1 = 1. Choose in+ 1 inductively such that x i . ~ X\{ x o. . . . .

Yi°+l and xi +~[in+l ] = Y i + | Note that in+ l > i , ,

because xkE Y i + t

=

x i } implies k > in, for every k (and consequently for k = in+l).

Now we may check whether ( x i o [ n ] ) , is indeed a chain: from i~_ 1 n) x i [ n ] Ns, x i + l [ n] -<-stxi +t[n+l], []

§3.4 Properties of Compact Stream-sets In this subsection we shall explore some basic properties of fiat and compact sets of streams, combining the facts we have seen already for closed and bounded sets. In particular we shall prove a fundamental though technical - property of chains of those compact stream-sets, on which we shall base further proofs. We show that the Smyth domain of flat and compact stream-sets is a complete partial order. But first we shall prove a "Heine-Borel" characterization of compactness, which enables us to use the result of subsections 3,2 and 3.3. (3.13) THEOREM A set X ~ A st is compact with respect to the standard metric on streams iff it is closed and bounded.

[]

(3.14) DEFINITION The class of fiat, closed and bounded stream-sets is denoted by 6) * (ASt). REMARK By theorem 3.13 we are justified to refer to elements of (P * (A s~) as flat and compact. Next we prove our fundamental theorem on chains of compact, (i.e. closed and bounded) and fiat stream-sets. To this end we use the following easy proposition on fiat sets. (3.15) PROPOSITION Let X be flat, and ( x n ) . a sequence such that ( x % [ k ] ) k is a chain. Moreover, let

247

x E X be such that x = lub k x%[k]. Then it holds that x[k] = Xnk[k] for all k. PROOF

Since xn~[k] <_st lubk I x % [ k ] 3

= x, we

x, ~[kl <st x[k], then t x , k[k] I < k, so x n k[kl = X , .

have that xnk[k] =

xn~[kl[k ] __<~tx[k]. Now

if

Consequently, x, ~ = x, k[kl <~t x[k] __<st x, contradicting

the flatness of X. Hence, xnk[k] = x[k]. [] The lemmas 3.12 and 3.6 and proposition 3.15 can be combined into the following theorem which is an order-theoretical analogue of sequential compactness of compact sets. (3.16) THEOREM (a)

Let ( X i ) i be a chain in (P * (ASt) and ( X i ) i a sequence in A S t s u c h t h a t V i : x i E X i .

Then there is a

subsequence (xik} k of { x i } i such that (xi~[k]) k is a chain with lub k xi~[k] E lub i X i. (b)

Let X ~ (P * (A ~t) and ( x i ) i a sequence in X. Then there exists a subsequence ( x i k ) k of ( x i ) i such that < xik[k ]) k is a chain with lub k xik[k ] ~ X.

PROOF (a) By lemma 3.6 there is a subsequence < xik )k such that (xik[k]> k is a chain. Now consider the (sub-)chain ( X i )

k. By proposition 3.15,

Ilubk xik[k]l [k] = xik[k ] e Xik[k ]. By lemma 3.12 and by

proposition 2.7, lub k xik[k ] E lub k Xik = lub i X i. (b) Directly from (a), since ( X ) i is a (constant) chain. [] By means of this theorem we are able to establish some important facts in the sequel. But first we observe the following: (3.17) LEMMA Let < X l ) i be a chain in 6 > * (ASt). Then tub i X i is bounded. [] (3.18) THEOREM ((P * (ASt), ---s , {.L }) is a complete partial order. PROOF By proposition 2.6, theorems 2.8, 3.4 and 3.16 and lemma 3.17. [] Chains ( X m )m of bounded sets satisfy a curious property: if we take n-truncations Xm[n] of X m, then we know already that ( X m [ n ]) m is also a chain: but in the case of bounded sets this chain stabilises precisely at the n-truncation of the least upperbound tub m X m. In other words,

[lub m X m } [n] can be

approximated in a finite number of steps via the truncations Xm[n]. More formally: (*)

Let(Xm> m bea

Ns-chainin(P*(A~t)

- ThenVn3m:Xm[n]=

[lubkXk][n].

For the proof we need the following lemma, which states the continuity of truncation. (3,19) LEMMA For any n, "[n]:(P * (A ~t) --* (P * (A st) is continuous. [] We proceed with a few additional properties of chains of bounded sets, on which we shall presently base the proof of (*). (3.20) LEMMA Let ( X m ) r n be a chain of bounded sets and tet n < c 0 be fixed. Then =tmVm" ~ m' >= m: X~,[nl ~ Xm,,[nl. [] (3.21) LEMMA Let <Xna> m be a _~-chain of non-empty sets. Let X o be finite. Then there exists an m o such that Ar, Xm = Xr% ~e G . []

248

(3.22) COROLLARY Let ( X m )m be a chain of non-empty, bounded sets of streams and let n < co be fixed. Then 3 m o : lubr~ Xm[n ] = Xmo[n 1. [] (3.23) COROLLARY Let < X m ) m be a chain in ( P * ( A st) such that X m :~ Q , for all m, and let n < w fixed. Then there exists an m o such that lub m Xm[n ] = Xmo[n ] 4: • .

be

[]

REMARK This, by the way, answers a question raised in [BBKM] (Remark 2A0.1), whether for a ___-chain or (more generally,

--<s - c h a i n ) < X n ) n such that X n 4: Q for all n, it holds that N n X n ¢ Q

(or lub n X n ~ O , respectively) under a weaker condition than finiteness of A: the answer is that it also holds under the condition that the X , are bounded , By m e a n s of these results we get: (3.24) THEOREM Let ( X m ) m be a < s - c h a i n in (P * (A~t). Then Y n 3 m : Xm[n ] --- Ilubk X k l in]. From theorem 3.24 we infer a quick corollary which we shall use in section 4. (3.25) COROLLARY Let ( X m ) m be a chain in (P * (Ast). Then V n 3 m V / _ m: Xt[n ] = (lub k Xk)[n].

[]

Finally in this section we show that the properties of flat, compact stream-sets, such as stated in theorems 3.16 and 3.24 do not generally hold for (flat) non-compact sets. EXAMPLES (1) Take A = { a } U { a i I i => 0 }, and X i = { aa k I k => i }. Note X i is not bounded for any i. Since ( X i ) i is a _D-chain, it is also a --=s - c h a i n , with lub i X i = N i X i = O .

{am } for

Note that Xi[l ] =

all i. Hence, for all m, {a.l_ } = X m [ l ] = l u b i [ N i l 1 ] l ~ [lub, X i [ [ l ] = Q [I]= Q. k. J \ J Ilubl X i } [1], thus theorem 3.24 does not hold for u n b o u n d e d sets. Moreover, take the

So * m : Xm[1 ] =

sequence ( x i ) i = { a a i ) i. Now aa i E X i , a l l i , but there is clearly no subsequence { x i ) k o f

( x ~ ) i such

that (Xik[k ]) k is a chain and lub k XikE/Ub i X i = O . (2) T a k e X i = { a k l k > i } ( i _ > - 0 ) . = O , so

IlubiXil \

Note t h a t a ~ E X i , s o X

i is not closed, (all i). A g a i n l u b ~ X i =

NiXi

[1] = ® , but lubiXi[1] = lubi {a.l_ } = {a_t.}. Furthermore, take a i + l c X i ,

for

J

each i _> 0. Now although ( a i+ l[i]} i = ( ai-l- } i ~ a chain, its least upper bound a ~' E lub i X i = Q~.

Section 4 Lifting Stream-Based Functions After having investigated some basic properties of compact (and fiat) sets of streams we now turn to funclions with values in the domain of compact and fiat stream-sets. In particular we will concentrate in this section on functions that are defined originally on streams and that are then lifted to functions defined on compact sets of streams. W e shall see that in this case well-definedness of the functions thus lifted is guaranteed and that, moreover, lifting preserves continuity. This notion of lifted functions can be applied in several cases, as will be shown in section 5. Without loss of generality we shall restrict ourselves to unary' functions only. Let f be a stream-based function, i.e. f : A st --* 6) * (AS~). W e are now interested in a version f of f lifted to (compact and flat) sets as defined in: (4.1) DEFINITION For f : A ~t --+ (P * (A st) we define f['], f: (P * (A ~t) -+ (P * (A st) by fiX] = U x~x f(x)

249 and f(X) = rain(fiX]). REMARKS (1) So ~ is the collection of minimal elements of the collection of (element-wise) applications of f on the elements of its argument.

The operator rain is added in order to guarantee flatness of the result t'(X).

(2) Note that also simple functions f: A ~t ~ A st can be considereA in our treatment by viewing f as the function kx.{f(x)} of functionality A st --* 6" * (ASt). We are now interested in properties of well-definedness and continuity of the function t" lifted from a stream-based function f, where f may be assumed to be continuous already. First we note that the monotonicity of f[-] and f is easy to prove: (4.2) PROPOSITION Let f: A st ~ 6" * (A ~t) be monotonic. Then f['] and f are monotonic as well. [] In order to derive the well-definedness of t" (i.e. f preserves closedness and boundedness) and its continuity we employ the following lemma. (4.3) LEMMA Let f: A st -'~ 6" * (A st) be continuous and let X • 6" * (Art). Then (fiX[ill) i is a chain in 6" (A st) and f[X] -= s lubi f[X[i]]. [] By means of this lemma we obtain: (4.4) THEOREM Let f: A st -* 6" * (A st) be continuous, Then, for all X E 6) * (ASt), f(X) e 6" * (A st) and t:(X) = lubn t'(X[n]), [] To get the continuity of f we use: (4.5) LEMMA Let F: 6" * (A st) ~ 6" * (A st) be monotonic. Then F is continuous iff ¥ X • 6" * (ASt):

F ( X ) = l u b n F(X[n]). PROOF " 4 " Let ( X m ) rn be a chain in 6" * (A st) and let X = lub m X m • 6" * (ASt). By the monotonicity of F, both (F(Xm))rn and ( F ( X [ n ] ) ) n are chains, and, moreover, VmVn: F(Xm[n]) =<s F(Xm), since Xm[n] <=s Xm (all m,n). We now choose inductively on n a subsequence ( X m ) , Yn: X m [ n ] = X[n]: By theorem 3.24, 3mYk>m:

Xk[n+l]=X[n+l];

Xr%jn+l ] = X[n+l].

take

]mo:

Xmo[0] = X; Given m 1. . . . .

m~+~=max{m,m~+l

.....

of ( X m ) m such that m n, by corollary 3.25

m n + l };

then

mn+~>m .

and

So now F(X) = lub~ F(X[n]) = lub~ F(Xr%[n]) _<-s lub~ F(Xr% ) = tubrn F(Xra )

using proposition 2.7. [] REMARK Note that by combining lemma 4.5 with the well-definedness proof of theorem 4.4 we obtain the fact that a continuous function preserves compactness, which is well-known in a purely topological setting. (Cf. [Du], [En].) By means of lemma 4.5 we obtain immediately (4.6) THEOREM Let f: A ~t --* 6' * (A ~t) be continuous. Then t" is continuous. [] REMARK Note that the truncation function .[n]: 6" * (A st) --* 6" * (A st) is a special case of a continuous

function F

rain

f: A ~t"x~ 6" * (A st)

which

is

lifted:

for

X c 6" * (ASt),

X[n] = U xex { x[n] }

=

I U xex { x[n] } / ' (Note that X[n] is fiat already, so X[n] = (minX[n]).) The r e a s o n w h y w e have

250

chosen for a separate proof of the continuity of "[n] on 6~ * (A ~t) in section 3 is that we needed this result for the lemmas leading up to theorem 4.6.

By taking an alternative route (directly via theorem 3.16) it

becomes possible to derive lemma 3.19 from theorem 4.6 without circularity of reasoning. Finally a few words about the role of flatness in our theory. Although the properties of closedness and boundedness have been given the principal part in our work, flatness plays a very important, and perhaps underestimated, subsidiary part. As wilt be clear when checking the proofs, flatness is omnipresent in these proofs, from the most trivial propositions up to the main lemmas and theorems. Whereas the notions of closedness and of boundedness have a topological analogue, flatness is typical for our order-theoretic approach.

It is intrinsic in our domain and without it most of our results would not hold any longer. For

instance, the "unflattened" lifted version f[.] of a continuous function f: A s~ --* (P (A 't) does not preserve compactness, as is shown by the following example. EXAMPLE Let f: A st -'* ( P ( A *t) be defined by

f(x) =

l{x} {±}

if x e A* ifxeA*'±

tOA ~

Clearly, f is monotonic and continuous. However, f': (P (A ~t) ~ (P (A =t) defined by f'(X) = f[X], does not preserve closedness: f'(a*U a ~) =

a*U {± }, which is not closed.

On the other hand, of course

= rain(f[-]) does preserve dosedness (and boundedness), (theorem 4.4).

Section 5 Applications The theory of sections 3 and 4 can be applied fruitfully in a number of areas in denotational semantics of programming languages. We shall briefly touch upon a few examples, viz. uniform imperative concurrency ([BKMOZ], [Brt], [Mi], [BK]), stream programming ([dBK], [Bu], [Tu]) and logic programming ([JM], [Ll], [dV]).

§5.1 Uniform Imperative Concurrency In [BKMOZ]

an outline is given of several approaches to semantics of imperative languages with con-

currency and recursion. In [MO] also hiding is considered. The syntax of the language Luz c we shall concern ourselves with in this example is as follows. (SA) DEFINITION For s e r u m :

s ::= a I sj ;s2 I sl U s2 I sill s2 [ s \ a I s < a 2 / a l >

] x i #x[s] .

REMARKS a @ A is an atomic action in a (possibly infinite) alphabet A; it is left uninterpreted, hence the name "uniform concurrency"; s i ; s z stands for sequential composition; s I U s 2 for nondeterministic choice; sllI s2 for interleaving; s\a for hiding a from s; s < a 2 / a L > for renaming a I into a t and #x[s] is a recursive call of s, (possibly) containing the variable x e Stray, the class of statement variables. [BKMOZ], [MO]). The semantical operators associated with ;, U, I[, \ and < / > (5.2) DEFINITION Let Af = A * UA * - ± . (a)

concatenation o: A f × A f ' °

(P(Af) is given by:

are the following:

(Cf.

251

c o x = {x}, .L oX = {.L} and a x o y = {a(xoy)}. (b) (c)

union + : A f x A f - " * (P(Af) b y x + y

= min{x,y}.

mergel[: A f x A f - - * (P(Ar) and leftmerge ~ : A r x A f - ° (P(Af) by e L x = {x}, .LILy = { ± } , (ax) lt_y = a(x[ly) and xlty = (xlLy)+(ylLx).

(d)

hiding \ a : A r ~

(P(Af) by

e \ a = {e}, ± \ a = { ± } , ( a x ) \ a = x \ a and ( a ' x ) \ a = a ' ( x \ a ) i r a ~ a'. (e)

renaming ( a 2 / a l ) : A f --~ (P(Af) by e ( a z / a 1) = {e}, ± ( a 2 / a t) = { ± } , ( a j x ) ( a 2 / a 1) = a 2 ( x ( a 2 / a ~ ) ) a n d (ax)( a2/a l) = a ( x ( a 2 / a l ) ) if a~ea t. We shall now illustrate our theory by means of these functions. In fact, it is possible to obtain con-

tinuous lifted versions of these functions via two ways. We next describe the first one. (5.3) DEFINITION For ® c {o, + , It}, x,y 6 A s* we define x@y = lub, x[n]®y[n],x\a=lub

n x [ n ] \ a a n d x ( a 2 / a ~) = l u b n x [ n ] ( a z / a l ) .

These functions can be shown to be continuous: (5.4) PROPOSITION o, + , U: A " x A st ~ (P * ( A st) and \a, ( a z / a t ) : A~t ~ (P * (Ast) are continuous. D Furthermore, define lifted versions of o, +, I} and \a as usual: for ® C {o,+, [I} and X,Y E (P * (AS~), X ® A Y = rain ( ® I X , Y ] ) , X ( \ a ) ^ = rain ( ( \ a ) [ X ] )

and X ( a 2 / a 1) " = min ( ( a 2 / a l )

IX]).

These functions are obviously monotonic. Now, by theorems 4.4 and 4.6 we obtain immediately. (5.5) THEOREM o ^, + ^ , II^, \a ^ and ( a2/a x) ^: (P * ( A st) --~ (~ * (A st) are well-defined and continuous. []

The continuity of the operators allows us to give a denotational semantics for LuI c as usual, (cf. e.g. [dB]). REMARKS (1) The synchronization merge of [BKMOZ] can also be treated in this way. Our theory thus provides an alternative and more uniform proof method of the continuity of the semantical operators occurring in [BKMOZ] and [Mel], [MO]. (2) Note again the crucial role of compactness. For instance, consider Xi = { a k I i < k < w }, for i ~ 0 . Then ( X i ) i is a chain of non-dosed, but bounded stream-sets and lub i X i = N i X i = O . take Yi = { a ~ } , f°r all i_>_0. So lub i X i o Y i = lub i {a~} =

Furthermore,

{a~}, whereas ( l u b i X i ) o ( l u b i Y i )

o{a ~} = O . By t a k i n g A = {ao, al, • • • },XI = { a ~ } a n d Y i

= A\{a ......

=

ai}weobtainasimi-

lar example of discontinuity in the ease of non-bounded, but closed sets: l u b i X I o Y I = l u b i {a~} = {a~}, but (ttubi

X I )o(h/bi y~ ) = {a~' } o O = O .

Quite

some

work

is

still

involved

with

the

proof

of

the

continuity

of

the

function

Ji: ASt×A st -'~ 6)* (A~t). Therefore it might be more convenient to take another route for "difficult" functions like [[: Define a version of II~ on the collection 6)ff(A f) of finite and flat subsets of At. This is done as follows: For X,Y e (P f f ( A f), Xlt- Y = rain ( [j { xtJy [ x e X, y E Y } ) .

Extend this {[- to a function t1°

252

on (P * (ASt): for X,Y E (P * (Asl), XII°Y = [ub n X[n]ll~Y[n]. Then we have: for every X,Y c (P * (A~'): XII°Y = lub n X[n]ll°Y[n]. So iI° is continuous by l e m m a 4.5. §5.2 S t r e a m P r o g r a m m i n g By viewing the alphabet A of section 5.1 as a set of data elements rather than uninterpreted actions and adding functions A st ~ A ~t, we obtain a stream p r o g r a m m i n g language in the style of [Br2], [Bu], [Tu] and [dBK]. (5.6) DEHNITION S C Lsp is given by:

s ::= a I s1"s2 I_f(s) !x I ~xts],

s ::= s is1 "s2 t s , u s 2 i sills21 x I ~,xts].

REMARKS (1) a e A is a data element from the (possibly infinite) set A of data elements, (2) Denotations of s are streams in AsL Those of S are stream-sets in (P * (ASt). (3) Since in this subsection we do not consider our language to be imperative, we write the concatenation operator as "•" rather than as "'" (4) The semantical c o u n t e r p a r t s . , U and l[ are as in section 5.2; so we m a y a s s u m e continuous, lifted versions • ^, U ^ and [[^ with the properties desired. (5) Operators _f are meant to denote

--<st - c o n t i n u o u s stream-based functions f: A ~t ~ @ * (A't).

So by

theorems 4.4 and 4.6 they have well-defined and continuous, lifted versions f: (P * ( A st) --~ (P * (ASt). So in a similar way, as in section 5,1 we obtain immediately a denotational semantics o f Lsp based on fixed point theory. EXAMPLE Take A = N, f i ( s ) = s + !; _f2 = tail with meanings fl and f2, given by: fl(e)

=

f2(e) = {e},

f1(.l.)

=

f2(±) = {±},

fl(aX)

=

( a + 1 ) ' f l ( x ) , for x ~ A f

fl(x)

=

lubn f l(x[n]), for x ~ A ~

f2(ax)

=

{x}, for x c A S L

Clearly, fi and f2 are continuous functions A st -~ (~ * (ASt). So by theorems 4.4. and 4.6 their lifted versions fl, f2: (p * (Ast) ~ (p * (Ast) are well-defined and continuous. In this language one can program streams like F i b o n a c c i ' s : / z X [ I ( X + 0 " X ) ] . REMARK Note that, since we do not employ contractive functions as in [dBK], we do not have to bother about the notion of guardedness as in [dBK]. Thus, in our framework we can treat a proper superset of the functions dealt with in [dBK].

However, we still have problems with functions such as p e r m

defined by ~the set of all permutations of x, perm(x) = } p e r m ( x ' ) " ± ,

if x c A * U A ~ ifx = x" ±

t

for two reasons. (1)

perm(x)

is

not

{12± ,21 ± } = p e r m ( 1 2 ± ) .

a

continuous

function

A ~t ~ 6' (A~t):

p e r m ( 1 _L)

=

{1 ± }

;~S

253

(2) p e r m ( x ) is not bounded f o r x e A S t : p e r m ( a l a 2 a

3 " • ") = alX I Ua2X 2Ua3X 3U

- - - for s o m e X ,

(i>_ t) and so ( p e r m ( a l a 2 a 3 ' " " ))[11 = {a],a2,a 3, " " " } is infinite!

§5.3 Logic Programming The notion of bounded stream-sets was originally investigated by one of the authors (EdeV) in the context of infinite logic p r o g r a m m i n g (see [NA], [dV]). In order to give a denotational semantics of infinite logic programs one has to handle infiniteness and non-determinacy. Moreover, the semantics should be compositional. Infiniteness of computations can be modeled by (finite or infinite) streams of substitutions. Thus, the n-th substitution in a stream reflects the resolution of all subgoals of depth n.

Non-determinism can be

embedded in the semantics by the use of sets of streams instead of just streams. Compositionality can be handled by dovetailing the denotations of the conjuncts of a conjunction in order to obtain the denotation of the conjunction itself. To be more specific, let Prog be the collection of logic programs, i.e. the collections of finite sets of program-clauses and let Goal be the collections of goal-clauses. ( W e follow the terminology of [LI].) Let

Subst

be

the

collection

of

Env = Goal ~ (P*(Subst't).

substitutions and

let Env

be

the

collections

(The environments are used to treat recursion.)

of environments,

i.e.

We want a function

D: Prog ~ Env ~ Goal ~ (P*(Subst st) to give m e a n i n g to a logic program and a goal in a certain environment. First we define the dovetailing of streams &o: Subst* U Subst*..L -'* Subst* is defined by x&oe = x and e & o y = y, x & o _t. = x_ &oY = .t. and a x & o 0 y = mgu(o,O)'(X&oy).

(where mgu stands

for a most general unifier) and &: SubstStxSubst s~ -'* (P*(Subst st) by x & y = { lub n x[n]&oy[n ] }. It is easily

verified

that

&

is

well-defined

and

continuous.

So

we

can

lift

&

to

a

map

&^: (P*(Subst st) x (P*(Subst ~t) ~ (P*(SubstS~). If we want to take advantage of the theory of section 4 we must be sure that all stream-sets involved are bounded. Informally this is checked by the observation that the resolution of an atom yields only finitely m a n y subgoals. Then we can derive from theorems 4.4 and 4.6 that &^ is continuous. W e define D(P)(~')(c~ A c2)

=

D(P)(7)(cl) &^ D(P)(7)(c2)

for

PcProg,

TeEny

and

ct,c2~.Goal.

D ( P ) ( 7 ) ( c t A c2) is well-defined, provided that D(P)(7)(c t) and D(P)(7)(c z) are bounded. The continuity of &^ is important, It guarantees that the function D will be a continuous mapping of functionality Prog ~ Env ~ Goal ~ (P*(Subst st) or equivalently Prog ~ Env ~ Env.

Hence for a fixed

program P, D(P) has a least fixed point which will be the main ingredient for the denotation of the logic program P. Further details are given in [dV].

Section 6 Concluding Remarks W e have developed a powerdomain theory for streams around a certain notion of compactness, characterized by notions of closedness and boundedness. These notions appeared to be very useful in order to establish continuity results for functions that are lifted from streams to sets of streams. Moreover, we discovered that compactness is essential for these continuity results in the Smyth powerdomain of streams. Allowing non-compact stream-sets leads to discontinuity. After an investigation of the basic properties of compact stream-sets, we turned to our main problem,

254 viz.

the wetl-definedness and continuity of functions that are lifted versions of continuous stream-based

ones. We proved a theorem which stated that these functions are indeed well-defined and continuous. This general theorem was applied in several diverse areas such as uniform concurrency and stream programming. Our uniform method is amenable in all cases where compactness is available. As was said before, non-compactness leads to discontinuity of the functions concerned in our Smyth framework.

Whether in the case of unbounded but closed stream-sets the problem of discontinuity can be

evaded by adopting the Egli-Milner ordering instead, remains an unsolved question for the present. Although it is clear to us that certain specific operators such as sequential composition and interleaving do allow such an escape route, we have serious doubts, whether this can be done in general for all lifted functions. The situation of non-closed (but possibly bounded) sets of streams seems to be even less clear. This is the area of issues of fairness (cf. [Me2]) and it is also an interesting object of future study. Perhaps lemmas 3.6 and 3.12 are still of some use in these situations.

Section 7 References [Ba].

R.J.R. Back, "A Continuous Semantics for Unbounded Nondeterminism," Theoretical Computer

Science 23, pp. 187-210 (1983). [dBl.

J.W. de Bakker, Mathematical Theory of Program Correctness, Prentice-Hall (1980).

[BBKM]. J.W. de Bakker, J.A. Bergstra, J.W. Klop, and J.-J.Ch. Meyer, "'Linear Time and Branching Time Semantics for Recursion with Merge," Theoretical Computer Science 34, pp. 135-t56 (1984). [dBK].

J.W. de Bakker and J.N. Kok, "'Towards a Uniform Topological Treatment of Streams and Functions on Streams," Proceedings of the 12th ICALP, pp. 140-148, Springer, LNCS I94 (1985).

[BKMOZ]. J.W. de Bakker, J.N. Kok, J.-J.Ch. Meyer, E.-R. Olderog and J.I. Zucker, "Contrasting Themes in the Semantics of Imperative Concurrency," in Current Trends in Concurrency: Over-

views and Tutorials, pp. 51-121, Springer, LNCS 224 (1986). [BMO].

J.W. de Bakker, J.-J.Ch, Meyer, and E.-R. Olderog, "Infinite Streams and Finite Observations in the Semantics of Uniform Concurrency," Proceedings of the 12th ICALP, pp. t49-t57, Springer, LNCS 194 (t985).

[BZ].

J.W. de Bakker and J.I. Zucker, "Compactnes in Semantics for Merge and Fair Merge,"

Proceedings Workshop Logics of Programs, Pittsburgh, pp. 18-33, Springer, LNCS 154 (1983). [BK].

J.A. Bergstra and J.W. Klop, "Process Algebra for Synchronous Communication," Information

and Control 60, pp. 109-137 (1984). [Brl].

M. Broy, "Fixed Point Theory for Communication and Concurrency," Proceedings of the IFIP

TC2 Working Conference '82, Garmisch-Partenkirchen, North-Holland (1983). [Br2].

M. Broy, "Extensional Behaviour of Concurrent, Nondetermininstic, Communicating Systems," pp. 229-276 in Control Flow and Data Flow: Concepts of Distributed Programming, ed. M. Broy, Springer (t 985).

[Bu].

W.H. Burge, "Stream Processing Functions," IBM Journal of Research and Development 19, pp. 12-25 (1975).

[Du].

J. Dugundji, Topology, Allyn and Bacon (1966).

255

[En].

R. Engelking, General Topology, Polish Scientific Publishers (1977).

[JM].

N.D. Jones and A. Mycroft, "Stepwise Development of Operational and Denotationat Semantics for Prolog," 1984 International Symposium on Logic Programming, Atlantic City, pp. 281-288

[Ku].

(1984). R. Kuiper, "*An Operational Semantics for Bounded Nondeterminism Equivalent to a Denotaional One," IFIP TC2 - MC Symposium on Algorithmic Languages, Amsterdam, pp. 373-398, North-Holland (I981).

[Ll].

J.W. Lloyd, Foundations of Logic Programming. Springer (1984).

[Ma].

M. Maine, "Demons, Chaos and Communicating Processes: A Model Theory for Milner's CCS in Terms of Smyth Powerdomains," Proceedings of the Workshop on Mathematical Foundations of Programming Semantics (1986).

[Ivlel].

J.-J.Ch. Meyer, Programming Calculi Based on Fired Point Transformations: Semantics and Applications, Free University, Dissertation, Amsterdam (1985).

[Me2].

J.-J.Ch. Meyer, "Merging Regular Processes by Means of Fixed Point Theory," Theoretical Computer Science, to appear.

[MO].

J.-J.Ch. Meyer and E.-R. Olderog, "Hiding in Stream Semantics of Uniform Concurrency," Technical Report, Free University, Amsterdam. In preparation.

[MV].

J.-J.Ch. Meyer and E.P. de Vink, "Applications of Compactness in the Smyth Powerdomain of Streams," Technical Report IR-110, Free University, Amsterdam (t986).

[Mi].

R. Milner, A Calculus for Communicating Processes, Springer, LNCS 92 (1980).

[NA].

M.A. Nait Abdallah, "On the Interpretation of Infinite Computations in Logic Programming," Proceedings of the 11th International Colloqium on Automata Languages and Programming ,

Antwerp, pp. 358-370, Springer, LNCS 172 (1984). [Nil.

M. Nivat, "Infinite Words, Infinite Trees, Infinite Computations," pp. 1-52 in Foundations of Computer Science Ili, ed. J.W. de Bakker & J. van Leeuwen, Mathematical Centre, Amsterdam

(1979).

[OH],

E.-R. Olderog and C.A.R. Hoare, "'Specificaton-Oriented Semantics for Communicating Processes," Acta Informatica 23, pp. 9-66 (1986).

[Pt].

G.D. Ptotkin, "A Power Domain Construction," SIAM Journal on Computing 5, pp. 452-487 (1976).

[Sml]. [Sm2].

M.B. Smyth, "Power Domains," Journal of Computer and System Sciences 16, pp. 23-36 (1978). M.B. Smyth, "Power Domains and Predicate Transformers: A Topological View," Proceeding of the lOth ICALP, pp. 662-675, Springer, LNCS 154 (1983).

[Tu].

D.A. Turner, "Recursion Equations as a Programming Language," pp. 1-28 in Functional Programming and Its Applications, ed, J. Darlington, P. Henderson & D.A. Turner, Cambridge

University Press (1982).

[dV].

E.P. de Vink, "Stream Semantics for Infinite Logic Programming," Technical Report, Free University, Amsterdam. In preparation.

Characterizing Kripke Structures in Temporal Logic M. C. Browne

E. M. Clarke

O.GNmberg Carnegie Mellon University, Pittsburgh 1. I n t r o d u c t i o n rllae question of whether branching-time temporal logic or linear-time temporal logic is best for reasoning about concurrent programs is one of the most controversial issues in logics of programs. Concurrent programs are usually modelled by labelled state-transition graphs in which some state is designated as the initial state. For histmical reasons such graphs are called Kripke structures [8]. In linear temporal logic, operators are provided for desclibing events along a single time path (i.e., along a single path in a Kripke structure). In a branching-time logic the temporal operators quantify over the futures that me possible from a given stato (i.e., over the possible paths that lead from a state). It is well known that the two types of temporal logic have different expressive powet~ ( [4], [91). Linear temporal logic, for example, can express certain fairness properties that cannot be expressed in branching-time temporal logic. On the other hand, certain practical decision problems like mo&'l checking ( [.-31,[16]) are easier for branching-time temporal logic than for linear temporal logic. In this paper we provide further insight on which type of logic is besL We show that if two finite Kripke structures can be distinguished by some fonmula that contains both branching-time and linear-time operators, then the structures can be distinguished by a formula that contains only branching time operators. Specifically, we show that if two finite Kripke structures can be distinguished by some formula of the logic CTL* (i.e., if there is some CTL* formula that is true in one but not in the other), then they can be distinguished by some formula of the logic CTL. The logic CTL* ( [3], [4]) is a very powerful temporal logic that combines both branching-time and linear-time operators; a path quantifier, either A ("for all paths") or E ("for some paths") can prefix an assertion composed of arbitrary combinations of the ususal linear time operators G ("always"), F ("sometimes"), X ("nexttime"), and U ("until"). CTL ( [1], [2]) is a restricted subset of CTL* that permits only branching-time operators--each path quantifier must be immediately followed by exactly one of the operators G, F, X, or U. Our goal is to show that for any finite Kripke structure M, it is possible to construct a CTL formula FM that uniquely characterizes M. Since one Kripke structure may be a trivial unrolling of another, we use a notion of equivalence between Kripke structures that is similar to the notion of bisimulation studied by Milner [12]. We say that states s and s t are equivalent if they have the same labelling of atomic propositions and for each transition from one of the two states to some state t there is a corresponding transition from the other state to a state t' that is equivalent to t. Two Kripke structures are equivalent if their initial states are equivalent. It is not difficult to prove that if two Kripke structures are equivalent, then their initial states must satisfy the same CTL*.

This researchwas partially supportedby NSF Grant Iv1CS-82-16706. The third author, O. Griimberg,is currentlyoa leave from Technion, Haifaand is partiallysupportedby a Weizrnannpostdoctoralfellowship.

257 An obvious fi~t attempt to construct/,~t is simply to write a Crl. formula that specifies the transition relation of M. l:or each state s in M we include in FM a conjunct of the form A G ( Z ( s ) ~ AEXL(st) A A X ( V L(si))) t

I

where sl . . . . . sn are the successors o r s and L(t) is the labelling of atomic propositions associated with state {, It is e~sy to see, however, that this simple approach cannot work in general: several states in M may have exactly the same labelling of atomic propositions, Instead, we first show that it is possible to write a CTL formula that will distinguish between two states in the same structure that are not equivalent according to the above definition. Two inequivalent states may have exactly the same labelling of atomic prbpositions, they may even have corresponding successors, but the computation trees rooted at those states must differ at some finite depth. The difference in the computation trees can be exploited to give a CI'L formula that distinguishes between the states. Since equivalent states satisfy the same CTL* formulas, it follows that if two states can he distinguished by a CI'L ° formula, they can be distinguished by a CI'L formula. Once we can distinguish between inequivalent states in the same structure, we can write a single CI'L formula that encodes the entire Kripke structure; this formula is the FM that we seek. The above construction requires the use of the nexttime operator in specifying FM. In reasoning about concurrent systems, however, the nexttime operator may be dangerous, since it refers to the global next state instead of the local next state within a process [i0]. What happens if we disallow the nexttime operator in CTL formulas? llle proof, in this case, requires another notion of equivalence--equivalence

with respect to stuttering.

We say that two state

sequences correspond if each can be partitioned into finite blocks of identically labelled states such that each state in the i-th block in one sequence is equivalent to each state in the Fth block of the other sequence. Thus, duplicating some state in a sequence any finite number of times will always result in a corresponding sequence. We say that two states are equivalent if for each state sequence starting at one there is a corresponding state sequence that starts at the other. Under this second notion of equivalence the proof of the characterization theorem becomes much more complicated, since it is possible for two inequivalent states m have exactly the same finite behaviors (modulo stuttering), but different infinite behaviors. Equivalence under stuttering turns out to be quite useful for reasoning about hierarchically constructed concurrent systems. In determining the correctness of such a system by using a technique like temporal logic model checking ( [2], [3], [11], [13], [16], [171), it is often desirable to replace a low level module by an equivalent structure with fewer states. Our results show how this can be done while preserving all of those properties that are invadant under stuttering. We give polynomial algorithms both for determining if two structures are equivalent with respect to stuttering and for minimizing the number of states in a given structure under this notion of equivalence. Finally, our results have some interesting implications for the problem of synthesizing finite state concurrent systems from temporal logic specifications ([2], [14]). In order to guarantee that any Kripke structure can be synthesized from a specification in linear temporal logic, Wolper [18] was forced to introduce more complicated operators based on regular expressions. Our results show that (at least in theory) no such extension is necessary for branching-time temporal logic. Any Kripke structure can be specified directly by a formula of branching-time logic.

258 The expl~essive power of various temporal kgics has been dL'~cussed in several papc~; sec ( [4], [9]) for example. tienncssy and tvlilner 17], Graf and Sifakis [6]. ar, d Pnucli 1151 have all discussed the relationship between temporal logic and various notions of equivalence between models of concurrent programs. However, wc believe that we are the first to show that it is possthle to characterize Kripke models within branching-time logic and to investigate the consequences o f th is result. Our paper is organized as follows: In Section 2 we describe the logics C r L and C~'L*. ]n Section 3, we state form,ally what it means for two states h a Kripke strttcture to be equivalent and prove that equivalent states satisfy exactly the same CTI." formulas. Section 3 also contains the first of the two main results of the paper: we show how to characterize Kripke structures using CTL formulas with the nexttime operator. Section 4 introduces the second notion of equivalence (equivalence with respect to stuttering) and shows that if the nexttime operator is disallowed, then equivalent states again satisfy exactly the same CI'L* formulas. We also extend the characterization theorem of Section 3 to Kripke structures with th2 new notion of equivalence. In Section 5 we give a polynomial algorithm for determining if two states are equivalent up to stuttering. The paper concludes in Section 6 with a discussion of some remaining open problems like fl~e possibility of extending our results to Kripke structures with fairness constraints (i.e., Bfichi Automata).

2. Th e l_opies t23"1 and CTL* There are two types of formulas in CTL': statefonnulas (which are true in a specific state) and path formulas (which are true along a specific path). Let AP be rite set of atomic proposition names. A state formula is either:

• A, ifA~AP. • If f and g are state formulas, then - , f and f V g are state formulas. • If f is a path formula, then E ( f ) is a state formula. A path formula is either: ,* A state formula. • If f and g are path formulas, then -~f f v g , X f a n d f U g are path formulas. CqL Is the set of state formulas generated by the above rules. CTL is a subset of CTL* in which we restrict the path formulas to be: • If f and g are state formulas, then X f a n d f U g are path formulas. • If f is a path formula, then so is --,fi We define the semantics of both logics with respect to a structure M = <S, R, L>, where • Sis a set of states.

• RC_S×S is the transition relation, which must be total. We write sI --~ s2 to indicate that (sl,s2) ~ R. • L: S ~ ~(AP) is the proposition labeling. Unless otherwise stated, all of our results apply only to finite Kripke structures.

259 We only consider tr.'msition relations where every state is reachable from the initial state. We define a path ht M to ~e a sequence ofstates, or = so,~). . . . such that for every i_>0, st-* st+ ~. i will denote the suJfix of ~t starting at sv We use the standard notation to indicate that a state fommla f holds in a structure: M , s ~ f m e a n s that f holds at state s in structure M. Similarly, if f is a path formula, M,n ~ f m e a n s that f holds along path rt in structure M. The relation ~

is defined inductively as follows (assuming that ft and f2 are state formulas and g ~ and g 2 are path

formulas): I. s ~ A

~

AeL(s).

2. s ~ - ¢ ~

~

s~ fr

3. s ~ f l v f ~

~

s~fors~f

4. s ~ E(gl)

=

there exists a path ~r starting with s such that 71 ~ gv

v

5. w ~ f l

~

s is the first state of ~r and s ~ f v

6. ~r I== -,&

~

~r~g v

7.~r~&vg 2

~

n~&or~r~g

8. ~ ~ X &

~

~r~~ gr

v

9.~t~&Ug~

~=

there exists a k>0such that ~rk~g~ and for alt 0 < j < k, ¢ r / ~ g r

We will also use the following abbreviations in writing C]?L ° (and CTL) formulas: , f A g .-~ -~(-~fV-~g)

* Ff ~

trueUf

° Cf =

~V',f.

3. Equivalence of Kripke S t r u c t u r e s Given two structures M and M ~ with the same set of atomic propositions AP, we define a sequence of equivalence relations Eo,E 1. . . . on S × S I as follows: • sEos' if and only if L ( s ) = L ( s ' ). • sEn+is ~ if and only if

o L(s)= £(s' ),

o Vs,[s--. s , = 3~[s' --, s~ ^sl e. ~]1, ~ d

Now, we define our notion of equivalence between states: s E s ~ if and only i f s E l s ~ for all i_>0. Furthermore, we say that M with initial state so is equivalent to M ~ with initial state s~ iff sOE ~ . Lemma 1: Let s E s ~, then for every path, s,s~. . . . . there exists a path, s ~,s~. . . . such that V i [siEs~]. Proof: Note first that En+ 1 C E n. Since Eo is finite, there must be a k such that Ek+ ~ = E k = E. Thus, we can substitute E for E k in the definition of Ek+ 1 giving s E s ~ if and only if

• £(s)= L(s' ),

• V s , [ s - , s~ ~ 3.,~ Is' - , ~ ^s~ E n s Ill, and

The remainder oft,he proof is a straightforward induction on thc length of the path. [] *

Theorem 2: l f s E s ' , then ~ f ~ C T L [ s ~ f ~

/

s ~ f].

This theorem is a consequence of the following lemma: Lemma 3: Let h be either a state formula or a path fimnula. Let ?r = s,sI. . . . be a path in 3t and ~r J = s j ,s[,. be a path in M ~ such that s E J and V i [siE~]. Then s ~ h ~ s r I= h, if h is a state formula and ~r ~ h ~ ~r~~ h, if h is a path fommla. Proof: We pro~e the theorem by induction on the structure of h. Base: h : A. By the definition of E, s l = A ~ s t ~ A. Induction: There are several cases. L h = "-,hi, a state formula. s ~ h ~ s ~ h1

s r V# h~ (induction hypothesis) ~s ~~h The same reasoning holds if h is a path formula.

2. h = h J / h , a state formula.

Without loss of generality, s ~ h ~ s ~ hl or s ~ ha

= s ~ h1 ~=~s t ~ h 1 (induction hypothesis) =s t ~h

The argument is the same in the other direction. We can also use this argument if h is a path formula.

3. h=E(hl), a state formula.

Suppose that s ~ h. Then there is a path, ~r1 starting with s such that ~rl ~ hv By Lemma 1, there is a corresponding path ~r~ in M ' starting with s ' . Therefore, s ~ E ( h l )

= st ~E(hl).

So by the induction hypothesis, ~11==/h ~ r ~

l==ha.

We can use the same argument in the other direction, so the lemma

holds.

4. h = h 1, where h is a path formula and h I is a state formula.

261

Although the lengths o f h and h t are the ~amc, ~e can imagine that h = palh(h~), Matte path is an operator which converts a state formula into a path fimnula. Theretbre, we are simplifying h by dropping this p;~tlz operator, So now:

~r ~ h ¢~ s ~ h~ s~

~r

I:= h I (induction hypothesis)

I ~h.

The reverse direction is similar,

5. h = X h 1, a path formula.

By the definition of the next-time operau)r, 7r1~ h1. Since ~r and ~r~ correspond, so do ~rl and ~rtl. Therefore, by the inductive hypothesis, ~r~l ~ h2 so ~r~ ~ h.

We can use the same argument in the other direction.

6. h= h y t½, apath formula.

Suppose that ~r ~ hlUh 2. By the definition of the until operator, there is a k such that ~ r k ~ h2 and for all

O<j
We can use the same argument in the other direction. [] Another property of two equivalent states is that they both have corresponding computation trees. For every s¢ S, Trn(s) is the computation tree of depth n rooted at s. Formally. Tr0(s ) consists of a single node which has the same label as s. Trn+l(s) has as its root a node m with the same label as s. If s has successors s1. . . . . sp in the Kripke structure, then node m wiI1 have subtrees Trn(s l) . . . . . Trn(sp), Two trees Trn(s) and Trn(s') correspond(denoted Trn(s ) ~ Trn(J)) if and only if both of their roots have the same 1abel and for every subtree of depth n - 1 o f the root of one, it is possible to find a corresponding subtree of the root o f the other. Lemma 4: sEns' if and only if T r j ( s ) ~ T r j ( J ) for all j_< n. Lemma 5: Given a finite set of states s~. . . . . sn there exists a c such that if two states s i and sj are not E-equivalent r.hen Trc(si) and Trc(S]) will not correspond. We will call the value o f c for S the characteristic number of the structure. We associate a C r L formula with a tree Trn(s ) as follows: * ~J[Tr0(s)]= (Pl ^ - . - ^Pu) ^ ('~ql ^ . . . . qv), where L(s) = {Pl . . . . ,Pu } and A P - L(s) = {ql . . . . . qv}.

262

• 9:[Tr,+,(,)] = (At ~:X 9:['rr,,(.,',)l) ^ Ax(y's['r,,,(.,',~]) ^ ~l'rr0~s)], who~e ,,, ~.~,, suece,~so~ors. Lemma 6: s ~

9:['rr.(s )] ~br all n_> 0.

Lemma 7: I f s l = 9:[Trn(s') ], then T r n ( s ) ~

Tr.(st).

Proof: The proof is by induction on n. The basis case is trivial Thus, we assume that n > 0. Let sl,s2. . . . . sp be the sons o r s in Trn(s ) and ~ .~ . . . . . ~ be the sons of s' in 'l'rn(st ). It is easy to see that sand s ~ have the same labelling of atomic propositions. We must show that Trn_l(s~0) corresponds to some Trn_l(~). Since s ~ 9:[ Tr,(s~)]. s ~ AX ( y f f [ Tr,_~(s~) ]). Since s/0 is a successor of s, s~ ~ 9:[Trn_~(s~)] for some A. Hence, Tr,_~(s~) ~ Trn_~(s~ ) by our inductive hypothesis. Finally, we must show that Tr,_~(~o) corresponds to some Trn_~(si). Since s ~ f f [ T r n ( s ' ) ] , s[== AEXg:[Trn_t(~)]. 3

Since s~o is a successor of s t, s ~ E X ~ T r . _ ~ ( ~ ) ] . Therefore, there exists an ~ such that s/o I==ff[Trn_~(s~o)]. Hence, 'l?rn_~(s~) ~ Trn_l(~o) by our inductive hypothesis. [] Lemma 8: If s is a state in a Kripke structure M, then there is a CTL formula, ¢(M,s) that determines s up to E-equivalence within M, i.e. ¢(M,s) is true in s and every state in hi that is E-equivalent to s but false in every state in M that is not equivalent to s. Proof: We choose ¢(M,s)=9:[Trc(S)] where c is the characteristic number of M. C(M,s) is true in s and hence in all states E-equivalent to s. Let s t be a state that is not E-equivalent to s; then Trc(s)~Trc(st). Hence, by lemma 7,

s' ~ ¢(M,s). [] Theorem 9: Given a Kripke structure M with initial state so, there is a C I L formula F(M,so~ that characterizes that structure up to E-equivalence, i,e. h4"t,~ ~ F(M, sO) ~ soEs~. Proof: For any state s in M, let s~. . . . . sp be the successors ofs. We define

a(M,~) = A~(e(M,~)=. A E X ¢(M,~) ^ AXVC(M,~-~)

G(M,s) describes all of the possible transitions from s. F(M,so) is the formula ¢(M, SO)A AG(M,s). If two structures $ M,soand M t,s~ are equivalent then by theorem 2 they satisfy the same formulas. Since M, SO~ F(M,se), so does M t ,s~. For the other direction we show by induction on n that if M' ,~ ~ F(M,so) then Trn(so) ~ Trn(s~) for all n >_0. By lemma 4, the two structures are then E-equivalent. [] Corollary 10: Given two structures M and M t with initial states so and ~ respectively, s0Es ~ if and only if

Vf~ CTL "[M,SO~ f¢=~M',s~ ~J]. Corollary 11: Given two structures M and M ~ with initial states so and ~ respectively, if there is a formula of CTL* that is true in one and false in the other, then there is also a formula of CTL that is true in the one and false in the other.

263

We illustrate our method of characterizing Kripke structures with the example in figure 3-1. so

sl

s2

Figure 3-1: A Kripke structure in which every other state is labelled A

The characteristic number of this structure is 1, since Tr0(so) ~ Tr0(s2), Tro(s1)~ Tro(s2), and Tr~(~ ~ Tq(sl). Let • C(M, SO)= a A "-,b A EX(a A -~b) A EX(-,a A b) A AX(a A -,b V "~a A b) • C(M,s~)=a A ~ b A gX(a A -',b) A aX(a A -~b) •

C(M,s2)='~a A b A EX(aA "-,b) A AX(a ^ -,b)

We can now state the formula that characterizes this structure: F(M, so) = ¢(M, so) ^ AG(e(M, s0) = EXE(M,s~) A EXE(M, s2) ^ AX(e(M,sx) v C(M,sg)) ^ AG(e(M,s~) = EXC(M,© ^ AXe(M, so)) ^ AG(C(M,s2) = EXC(M,so) A AXC(M, sa))

4. Equivalence With Respect To Stuttering We first define what it means for two Kripke structures to be equivalent with respect to stuttering. Given two structures M and M ' with the same set of atomic propositions, we define a sequence of equivalence relations

Eo,E1.... on SXS' as follows: • sets' if and only i l L ( s ) = L(s' ). • sEn+is' if and only if 1. for every path ~r in M that starts in s there is a path ~r ~ in M ' that starts in s', a partition B1B2... of ~r, and a palXition B~ B~ . . . of ~r ' such that for all j~IN, Bj and BJ are both non-empty and finite, and every state in Bjis En-related to every state in BJ, and 2. for every path ~r t in M ' starting in s ' there is a path ~r in M starting in s that satisfies the same condition as in 1. Our notion of equivalence with respect to stuttering is defined as follows: sEs' if and only if s E i J for all i>_0. Furthermore, we say that M with initial state so is equivalent to M ' with initial state ~0 if soE~-

264 l,t,nuna lZ: Given two Kripke stnlc|urcs M and M ~, there exists an / such that ~ s ~ s t [sE S Proof: By the dellnition of El.+a. set+ 1s j

=

iff sEs'].

~Ets', so ,r~o.~ h~ ~ If2 . . . . Since M and M ' arc both finite, Eo

must be finite as welt, so only a finite number of these containments can be proper. Let ~ be the last relat}on that is properly included in El_ ~. By the definition of proper cxmtainment, ~ m ~ I [ Fq = Ern]. so slfls ~ = sE,ns ~, for m>_ L Since sEls' = sEl_ ~s' = sEt_2J . . . . we have sets I = ~ m [sb.~,s'], so sEls' = sEsC

The other direction is

trivial [] Theorem 13: l f s E s ~, then for every CTL* formula f without the nexttime operator, s ~ f i f f

s ~~f.

The proof is similar to that of theorem 2. ]xmma 14:

Given a Kripke structure M, for every state sEM, there is a CFL fonv.ula C(M,s) such that

~ t E M [t ~ E(M,s) iff sEt]. Proof: We will prove by induction on 1:

* If-~(sElO, then there is a C17+ formula dl(S,t ) such that VvE M[sElv~ v ~ dl(s,t)] and t ~ d(s,t). . For every state sE hi, there is a CTL formula Ct(M,s) such that for every t¢ M, t ~ Ct(M,s) iffsEtt.

dt(s,t) is a formula that distinguishes between t and states equivalent to s within the structure M, and CI(M,s) is a formula that characterizes E l-equivalence to state s within M. If we let ¢t(M,s) be a conjunction of Cl_~(M,s) and dt(s,l) for every l that is not El-related to z the second asset~on follows easily, By lemma t2, this condition implies that the lemma is true. Now it is necessary to show how to construct cll(s,t) by induction on L

Basis (l=0): Let {Pi} be the set of atomic propositions in L(s) and {qi} be the set of atomic propositions in A P - L(s). Now, let

A p,^A.+j It is clear that this formula is only true in states with the same labelling of atomic propositions as s. Therefore, the base case is established.

Induction: Assume that the result is true for L We will show it for I + 1. Since -+(sEt+ 1 t), either there is a path from s without a corresponding path from t, or vice versa. In the latter case. we will use the argument below to find a dl+l(t,s) such that t~dt+l(t,s) and s~dt+l(t,s).

We can negate this

formula to get the desired dt+~(s,t). tf there is a path from s without a corresponding path from t, we can divide this path into blocks (BIB2...) such that:

V i [x E B ~ x ~ Ct( M, first( Bi ))and firsffB/+ t)I~ Ct( M, first( Bi))].

265

Now, there are two cases: either there is a finite t~ath from one state without a corresponding path from the other, or there is an in fnitc path without a ct~rresponding path, but cycle/finite prefix of this path has a corresponding path, In the first case, the path from s is finite, so d~e b i l k s are fnite and there are only a finite number of them (say n). Consider the CFL formula:

at+its, t)= Cl(M, first(B ~))A EtC,,(M, first(~ )) U Cl(M, first(B2)) A ~ . . . U Cl(M, firsi(B n))] . . . ] It is clear that s~dt+~(s,t ) along the path B~B,... B e. However. if t~dl+l(s.t ) then there is a path that can be partitioned into blocks B~B~ ...B~n such that Vi[v¢B~=v~Cl(liLfirst(B~.)) 1. Since every state in Bi satisfies

el(M, first(Bt)), the inductive hypothesis and the definition of El gives BiEtB ~. Therefore, this path from t corresponds to the path from s, acontradiction. We conclude t h a t / l ~ d~.~(s,t). In the second case, we start by showing that the path from s has only a finite number of blocks by using an argument based on KSnig's lemma, We can construct a tree rooted at t such that tt~,., tn is a path through the tree if and only if there is a path in the Kripke structure tu~.., upttv~ ,.. vqta.., tn that corresponds to a prefix of the path from s with

B~ = ( t u i . , . up>, B~ =, and so on. Now, if the path fi'om s has an infinite number of blocks, this tree must have an infinite number of nodes, Otherwise, if the tree had n nodes, there could be no path of length n + 1, so • e first n + ] blocks of the path from s would have no corresponding path from t. Since the Kripke structure is finite, we also know that this tree must be finitely branching. Therefore, bY KSnig's lemma, there must be an infinite path through the tree. But this implies that there is an infinite path from t that can be divided into an infinite number of blocks that correspond to the blocks of the path from s. so there is a path from t corresponding to the path from s, violating our assumption. Therefore. the path from shas only a finite number o f blocks. So, suppose that there are n blocks, all of which are finite except the last. Consider the CFL formula:

all+its, t) = Ct(M, first(B1)) A E[Ct(M, first( B ~)) U C:(M, first(B= )) A E l . . . U EG Cl(M, first(B ~))1... ] It is clear that s~dt+l(s,t) along the path B1Bz... B.. However, if t~dl+~(s,t) then there is a path that can be partitioned

into

blocks

1 B~B 2/ . . . B ~

such

that

all

of

the

blocks

are

finite

except

B~

and

~ i [v~ B} = v ~ Cl(M, first(B~))]. Since every state in B i satisfies gl(M, first(Bi)), the inductive hypothesis and the definition of E l gives BiEIB }. We can also divide the infinite blocks B n and B~ into an infinite set o f blocks containing one state each. Therefore, this path from t corresponds to the path from s, so we have a contradiction, We conclude that t I~ dl+ l (s,t), Now, these dl+l(s,t) describe the existence or nonexistence of a single path along which some C/formulas hold. By the definition of s El+ ~v, every path from s has a corresponding path from v along which the same e l formulas hold and vice versa. Therefore, s El+ ~v ~ v ~ d l+ ~(s, t ). Therefore, the lemma is true. [] Theorem 15: Given a Kripke structure M with initial state so, there is a CTL formula F(M,so) that characterizes that structure up to E-equivalence with respect m stuttering, i.e. M',s~ ~ F(M, so) =, soEYo. Proof: For any state s in M, let s~. . . . . sp be the extended successors of s, where an extended successor is a state that

266

is not/'.'-related to s and is reachable from s along a path consisting entirely of suites that are E-equivalent to s. Next, we c(mstruct (;(hi,s), which de.,~ribes all of the transilions from s in M. In this co~slruction, it is convenient to use the

weak lttttil operator, A[fWg]= ~l,~gU-'~fA ~g], which diffcrs from the ordinary until in that it permits an infinite path along which every state satisfies the first argument. So now:

G(M,s)= {AE[E(M,~')U C(M,s,)] A A[C(M,s)WXft C(M, si)] A EG O_.(lff,s)

AE[¢(M,s) U ¢(M,s~)]^

A[C(M,s) WVC(M,s/)] A

1

EG C(M,s)

ifsl = EG C(M,s) otherwise

1

Let F(M, so) be the formula

c(m,so) ^/kAG (e(M,s) ~ G(lff,s)). G

The correctness of F(M,so) is an easy consequence of the next two lemmas and theorem 13.12 Lemma 16: s ~ F(M,s). lxmma 17: t f s ~ F(M,t) and s t ~ F(M,t), then sEs'. Proof of Lemma ]16: Since every state is trivially equivalent to itself, sl= C(M,s) is true by lemma 14. Therefore, if

s ~ F(M,s) then there is a t e M such that s ~ EF(C(M,t)A-,G(M,t)). Let v be the state reachable from s that satisfies C(M,t)A",G(M,t), By lemma 14, this condition implies tEv, so t and v must satisfy the same CTL formulas (theorem 13). We will show that t ~ -~G(M,t), giving a contradiction. There are four cases. 1. t ~ E[C(M,t)U C(M,w)], for some extended successor of t, w. By the definition of extended successor, there is a paLh from t to w and the states on this path are E-related to t. By lemma 14, these states must satisfy ¢(M,t). Since w ~ ¢(M,w) is trivial, this path satisfies C(M,t) U ¢(M,w). which is a conh-adiction. 2. tk#EG C(M,t). Since EG C(M,t) is a conjunct of G(M,t) if and only if t ~ E G C(M,t), we have an immediate contradiction. 3. t ~ -~EG C(M,t). Since EG -,C(M,t) is a conjunct of G(M,t) if and only if t ~ EG C(M,t), we have an immediate contradiction. 4. t t ~ A[C(M,t)WVg(M, wi)]. In this case, t ~ E[C(M,t)U(-,C(M,t)A/~/-~C(M, wi))]. Let tt~.., tn be this t

path, where t n ~ C ( M , t ) A t~i ~C(M, wi) and Vi
By lemma 14, "~(tnEt) and

Vi< n [tiEt]. Therefore, tn is an extended successor of t. But since tn ~ C(M.tn) is trivially true, tn ~ / ~ / ~C(M, wi) cannot be true, so we have a contradiction. Therefore, the lemma is true. [] Proof of Lemma 17: Since sEs t if and only if SEl st for all l> 0, we will prove s ~ F(M,I) and s t ~ F(M,t) implies sEts I by induction on L

Basis (I=0): Since s~F(M,t), L(s)= L(O=L(J). Therefore, sets t.

s~C(M,t)

and therefore s~Co(M,t).

Similarly, s ~ C o ( M , t ) ,

so

267

hlducfion: Assume that the result is true tbr L 'We will now show it for 1+ 1. We want to show that every path, ~r+ from s has a corresponding path, ~r~ from s ~. (The proof of the dual is identical.) We will use induction on the length of ~r to pruve the slightly stronger result: If I~r J <--n, then there is a correspondi~g path ~ ~ such that for some ve M, last(~r) ~ F(M,v) and

last(~') ~ F(M,v). Basis (1~1=1):

In this ease, ~r=<s>.

Let B~=<s> and ~r~=B~=<s~>.

By the outer inductive hypothesis,

s ~ F(M,I) and s ~ ~ F(M,t) imply sEts ~, so B~ EIB ~. Therefore. the paths correspond. Since thc last states of each path satisfy F(M,t), the base case is true. Induction: Assume the result for l~r J < n. Suppose that ~r =ss~sl . .. sn, a path of length n + 1. Now, ssls2 . ,. sn_ 1 is a path of length n, so by the inner inductive hypothesis, there is a corresponding path rt ~ such that last(~r t) ~ F(M,v) ! t t and s n _ t ~ F(M,v) for some v¢M. Let B~B2.,. B m and B~B~ . . . Bra be the partitions that show that these paths

correspond. There are three cases. 1. sn I~--C(M,v). Since sn_ ~~ F(M,v), we can infer that sn_ I ~ A[C(M,v) W y C ( M , wi)]. where wi are the extended successors of v. Since sn_ls n is a path and sn that doesn't satisfy C(M,v). we conclude that there must be an extended successor of v, x, such that s n ~ C(M,x). Since sn ~s a successor of sn_ ~, it must satisfy all of the AG formulas that sn_~ satisfies, so sn ~ F(M,x). From last(~r') ~ F(M,v) we can infer that last(~r ~) ~ e(M,v)AE[C(M,v) U C(M,x)]. Therefore, there is a path gls~...s~

where ~=last(~r'),

/ ~ = B~ . . .Bm_z .
Vi
and s ~ e ( M , x ) .

Now let ~r=B1...Bm<sn> and

t Sk_ 1 X s tk >. Since sn and s~ both saris@ F(M,x), the outer induction hypothesis gives

<sn>El<s~k>. Similarly, since the ~dl the states in Bm,Btm, and <~ . . . s~_ x> satisfy F(M,v), they are all E l related to each other. Therefore, ~r and 7r~ correspond with lastOr) ~ F(M,x) and last(~r ~) ~ F(M,x). 2. s n ~ C ( M , v ) and v ~ E G C(M,v). Since sn must satisfy the same AG formulas as sn_ 1, s n ~ F ( M , v ). NOW, last0r I) ~ F ( M , v ) , so last0r ~) ~EGC(M,v).

qherefore, last(~J) must have a successor, ~ , which also satisfies

C(M,v). Since this state must also satisfy all of the AG formulas, s( ~ F(M,v). Therefore, by the outer induction hypothesis, s n E l l . So if we let Bm+l=<Sn> and B~n+l =<~>, the paths correspond. 3. s n ~ C ( M , v ) and v ~ E G C ( M , v ) .

By the reasoning above, s n ~ F ( M , v ) , so snEllast(B~m).

Therefore, ~t

corresponds to ~r~ with the same partition except that sn is added to Bra. We must also show that the blocks of the partitions are finite. The only problem is case 3, in which we might add an infinite number of states to a block of~r. In this case, each of the states added to B m satisfy F(M,v), so if we add an infinite number of states to this block first(Bm)~EGC(M,v ) must be true.

But since first(B,n)~F(M,v),

first(Bin) ~ "~EGE(M,v), so we have a contradiction. Therefore, all of the blocks of the partition must be finite. Therefore, the lemma is true. [] Corollary 18: Given two structures M and M ~ with initial states so and s~ respectively, sOEs~ if and only if for all CI'L" formulasfwithout the nextrime operator, M.sO~ f ~

M ~,s~ ~ f .

268

('ornllary 19: Given two structures M and a l ~ witi~ initial states s0 and .,~ respectively, if there is a formula of Cl'l.* without the ncxttimc open, tot that is true in one and false in the other, then there is also a formula of CTI~ without file nextlime operator that is truc in the one and false in the other.

5. Algorithm For Stuttering Equivalence In this Section we show how to compute thc relation for equiwdencc with respect to stuttering for states within a single Kripke Structnre M. The method that we suggest is polynomial in the number of states of M. To determine equivalence between states in two different Kripke structures M~ and M v we form a Kripke structure M12 that is the disjoint union of these structures and check equivalence between the corresponding states in the combined structure, We construct a retation C on S x S that is identical to thc relation E defined in Scction 4. C= g C n where

C n is

defined as follows: • co =

t(s,s') { *.(s)=*.(s')}

• In order to define Cn+ ~ we must first define the set NEXTn+~(s) of extended successors ofs. We define this set in temps of the set STn+I(s) of stuttering states ofs. STn+l(s) = UST~n+l(s) where, o S~+~(s)

= {st

o STn+~(s ) k + ~ = STnk+l(s) U { s ' l s ' ¢ S T ~ + z ( s ) ^ 3 s " ~ S T ~ + ~ ( s ) [ s " ~ s ' l ^ s ' G s } NEXTn+I(s ) = {s t ] s ' ¢STn+I(s)A 3 s " ¢ STn+I(s)[s" -* s']}. We will also use a pi'edicate LOOPn(s) that is true iffthere is a cycle containing only states in STn(s). Now we can define Cn+ 1 as follows: Cn+ 1 = {(s,s' ) ] LOOPn+I(s)=LOOPn+I(s' ) A sCns' A V S i 6NEXTn+~(s)~s~ ¢ NEXTn+~( st ) i s 1 G < I ^ V s I ¢ YEXTn+~(s' ) 3 s 1~ NEXTn+I(s)[s 1C n ~l Proof that the relation C constructed above is actually equal to the relation E defined in Section 4 will be given in the journal version of this paper. Since the inductive structures of the definitions of the two relations are different, it is necessary to split the proof into two parts: the first part shows that E ~ C i for every i; the second part shows that C G E i for every i. Computing ST n requires time O(ISI2). Computing Cn+ ~ given C n requires time

o(Isl"),

since at most Is[ 2 pairs of

states must be checked and each pair requires O(IS[ 2) time to check. The algorithm terminates as soon as C n = Cn+ ~. Since at any previous step k, [Ck+a[ < Ifk[ and since COhas at most

IsI ~ pairs of states, there are at most ]SI2 steps in

the construction of C. It follows that the complexity of the entire algorithm is o(IsI6). If we replace each equivalence class of C by a single state, this algorithm can also be used to minimize the number of states in the structure.

269

6. C o n c l u s i o n The results of our paper have a number of snri~rising implications. Forexamptc. if ;~ specification of a finite state concurrent program in CFL° is sufficiently derailed so that lhere is only one program (modulo one of our notions of equivalence) that meets the specification, then an equivalent specification could have been written in C'H. instead. Another surprising consequence is that ifa CI'I .* formula is not equivalent u) any c r L formula, then it must have an infinite number of mutually inequivalent finite models. 1"o see that this result is true, we first observe that since CfL* has the finite model property, it must be the case that if two C]-L" formulas have the same finite models, they must have the same infinite models as well. Other~'ise. i f f had an infinite model M that was not a model off~, fl A --,f~ would have an infinite model, but no finite models, contradicting the finite model property of C'F[.* [5]. Therefore, we can characterize a CFL* formula by the set offinite models in which it is satisfied. Ira CTL* formula is satisfied by only a finite number of equivalence classes of finite models, then the formula is equivalent to the disjuction of the CTL formulas that characterize the individual equivalence classes. There are a number of directions for further research. First, from our construction, it appears that the characteristic formula ofa Kfipke structure might be quite large. It would be nice to have a lower bound on the size oft,his formula in terms of the size of the Kripke structure. Also, we conjecture that the O(]S]~) algofittun in Section 5 can be improved significantly. Finally, it would be interesting to see which of our results carry over to Kripke structures with fairness constraints, i.e. Biichi automata.

Refe r e n c e s 1. M. Ben-Aft, A. Pneuli, Z. Manna. "]-'he Temporal Logic of Branching Time". Acta Informatica 20 (1983), 207-226. 2. E.M. Clarke, E.A. Emerson. Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic. Proceedings of the Workshop on Logic of Programs,Yorktown-HeiSts, NY, lecture Notes in Computer Science # 131, 1981. 3. EM. Clarke, E.A. Emerson, A.P. Sistla. Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications: A Practical Approach. Tenth ACM Symposium on Principles of Programming Languages, Austin,Texas, 1983, pp. 117-126. 4. E.A. Emerson, J.Y. Halpern, "Sometimes" and "Not Never" Revisited: On Branching versus Linear Time Temporal Logic. Proceedings of the ACM Symposium on Principles of Programming Languages, Association for Computing Machinery, Austin, Texas, January, 1982. to appear in JACM. 5. E. A. Emerson and P. Sisfla. Deciding Full Branching-time Logic. The Sixteenth Annual ACM Symposium on Theory of Computing, Association for Computing Machinery, Washington, D.C., May, 1984. 6. S. Grafand J. Sifakis. From Synchronization Tree Logic to Acceptance Model Logic. LNCS Vol. 193, Logics of Programs, 1985. 7. M. Hennessy and R. Milner. On Observing Nondeterminism and Concurrency. LNCS Vol. 85, ?th ICAI2, 1980. 8. G.E. Hughes and MJ. Creswell. An Inlroduction to Modal Logic. Methuen and Co., IT/?. 9. L. Lamport. "Sometimes" is Sometimes "Not Never". Seventh Annual ACM Symposium on Principles of Programming Languages, Association for Computing Machinery. Las Vegas, January, 1980, pp. 174-185. 10. L. Lamport. What Good is Temporal Logic? Proceedings of the International Federation for Information Processing, 1983, pp. 657-668.

270

| 1. O. 1Jchtenstein and A. Pnueli. O~ecking d~at Finite State Cemcor~'catPrograms Satisfy 'llleir 1Jnear Specification. Conference Record of the Twelth Annual ACM Symposium on Principles of Programming l.~nguages, New Orleans, l.a., January, 1985. 12. R. Milner, Lecture Notes in Computer Science. Volume 92: A Calculus ofCommunhvting 5),stem~ SpJingerVerlag, 1979, 13. B. Mishra and E. Clarke. "Hierarchical Verification of Asynchronous Circuits using Temporal Logic". Theoretical ComputerScience 38 ([985), 269-291. 14. Z. Manna, P. Wolper. "Synthesis &Communicating Processes from Temporal I.ogic Specifications". ACM Transactions on Programming Languages and Systems 6 (1984), 68-93. 15. A. PnuelL 1Jnear and Branching Structures in the Semantics and Logics of Reactive Systems. Proceedings of the 12th ICALP, 1985. 16. A.P. Sistla. E.M. Clarke. "Complexity of Propositional Linear Temporal Logics". Journalofthe Associationfor Computing Machinery32, 3 (July 1985), 733-749. 17. M.Y. Vardi, P. Wolper. An automata-theoretic approach to automatic program verification. Logic In Computer Science, Cambrideg, Massachusetts, June, 1986. 18. P. Wolpcr. Specification and Synthesis of Communicating Processes Using an Extended Temporal Logic. Ninth Annual ACM Symposium on Principles of Programming Languages, Association for Computing Machinery, Albuquerque, New Mexico, January, 1982,pp. 20-33.

Dialogue with a Proof System Robin Milner Laboratory for Foundations of Computer Science Computer Science Dept, University of Edinburgh Edinburgh EH9 3JZ UNITED K I N G D O M

T~is short essay attempts to identify the ontology of the dialogue between a user and a machine in building or performing a formal proof. an assumption:

Our starting point is

that however non-rigorous, friendly and flexible is the interface

between user and machine, the objects discussed are themselves precise - and that however loosely and summarily a proof is presented by either party to the other, the intended object is indeed a proof in the most formal sense.

Under this assumption

the interactive proof system may - and should - amplify the user's power to discover proofs and new results, and at the same time it must by its very construction be unable to assent to a theorem without also being able, if requested, to present its formal proof. The view of computer-assisted reasoning expressed here arises partly f r o m the author's own experience with proof systems, but has been greatly modified and enriched by the experience and ideas of many logicians and computer scientists, in particular Constable, Martin-L~f, Paulson, Plotkin and Schroeder-Heister.

In fact many of

the ideas informally expressed here have already been realised in the work on a unified Logical Framework by the current Edinburgh project on computer-assisted formal reasoning;

for some of the ideas, however, it is not clear how best to incorporate

them in the Logical Framework, so the ideas must be regarded as tentative to this extent. Formalism is deliberately avoided in this essay. justified.

This appears to be strongly

If future proof systems are to be understood at all, then it must be

possible to discuss them clearly but informally;

the essay is therefore literally a

~trial' of how such a discussion should go. It has become increasingly clear that the interface between user and machine must not only consist of powerful graphical and textual aids, but must - even m o r e importantly - employ an ontology which is both large and well defined.

This ontol-

ogy, the objects of discussion, must include obvious things like formulae and proofs; it must also include more complex objects like strategies and logics.

We take for

granted that the graphical and textual medium must be very highly developed if the machine is to be of any assistance in difficult work, such as proving the correctness of large programs (indeed if the work is not difficult then a machine is probably redundant!).

Our main focus is therefore upon the objects of discussion, and

as we proceed we hope to show that they can be classified, b y a type discipline, in

272

such a w a y as to f o r m an i n t e l l e c t u a l l y essential

containing

The u s e r wishes

to b u i l d proofs

to see his proof d i s p l a y e d

other p o s s i b i l i t i e s

assertion

w e shall c o n s i d e r

assertion9

is inferred

from the assertions

axiom

sequent;

what

follows

"assertion"

Thus proofs machine

to u s e r

w o u l d b e just a is not d e p e n d e n t

(i.e. proof

for each schematic

stands

Partial

(e.g.

for a f a m i l y of proofs;

p r o o f s of the a s s u m e d assertion.

(the n a m e of)

a partial

n o d e b y the p a r t i a l

is g r e a t l y inference; labelling schema,

enriched.

assertion

Further,

proof;

schemata,

the leaf.

more

tee that the u l t i m a t e

to talk of a

o v e r terms

- or p e r h a p s

schemata

proof,

and

proof schema. as a p r o o f

o v e r individuals.) assertion.

by labelling

each

ranges o v e r all p o s s i b l e

this idea allows proofs

to b e p r e s e n t e d

a n o d e n o t w i t h a rule i n s t a n c e b u t w i t h

then one can "zoom in" on the n o d e b y r e p l a c i n g

n o t just proofs,

as objects

of d i s c u s s i o n

schema m a y n o t o n l y b e e x t e n d e d

By progressive

orderly

variables)

the

indicated.

F o r a proof

the u s e r can proceed

a parameter

rule schema.

can be c o n s i d e r e d

it m a y a l s o b e e x t e n d e d a t a leaf b y i n s t a n t i a t i o n

will be all the

formed.

(e.g. formula

i.e. a v a r i a b l e w h i c h

by labelling

proof thus

B y taking proof

supplying

- that is, we n e e d s o m e t h i n g

u n d e r the h e a d i n g of proof

proof variable,

at a c o a r s e level o f detail,

i.e.

from

In a

is to c o n s t r u c t a n e w

in the i n f e r e n c e

it is t h e n b e t t e r

variable

T h e y are p a s s e d

user to machine.

a leaf m a y be l a b e l l e d b y an a s s u m e d

proofs m a y be b r o u g h t leaf b y a

rule,

variables

quantified

an u n i n s t a n t i a t e d

m a y also be partial;

from

activity

than a proof

schematic

the

it w o u l d b e a

content of an assertion.

of discussion.

elementary

systems,

systems

"judgment".

and a l s o

formula variable)

m o r e general

uninstantiated

of an e x i s t e n t i a l l y

schema c o n t a i n i n g

assumption

are objects

uses

b y i n v o k i n g an i n f e r e n c e

variable

b y w h i c h the

The root of the tree

for G e n t z e n

upon the p r e c i s e

p r o g r a m the u s e r ' s

But we need s o m e t h i n g w h i c h m a y contain

A "proof"

its sons.

F o r H i l b e r t proof

formula;

(via screen or h a r d medium),

root f r o m given subtrees

(The "proof"

trees)

each node is

inference ~ l e

each leaf is l a b e l l e d b y an a x i o m instance,

in the sense t h a t M a r t i n - L o f

simple proof b u i l d i n g

thereby

labelling

helps

F o r the p r e s e n t

to be a tree in w h i c h

is j u s t a rule w i t h no hypotheses.

c o n t e n t of an a s s e r t i o n

We use

proved;

that he

there are

supposition

discussion.)

and w i t h the i n s t a n c e of the

is labelled b y the a s s e r t i o n w h e r e an

proof

a

to suppose

(Certainly

b u t the p r e s e n t

to y i e l d a u n i f y i n g

and others.

it is natural

on the screen as it grows.

for w h a t should be displayed,

for simplicity,

l a b e l l e d w i t h an

in some logic;

is

in an e n v i r o n m e n t

the fruits of e a r l i e r work by h i m s e l f

to focus o u r ideas a n d appears paper,

This classification

for a u s e r to c o n d u c t his p r o o f w o r k incrementally,

(stored on files)

wishes

c o h e r e n t whole.

instantiation

f r o m schema

at the root, b y

of the proof v a r i a b l e variables

to proof in an o r d e r l y manner.

if all schematic and all proof

In the case of proof variables,

of s c h e m a t i c

variables

schemata

the d i a l o g u e

are typed;

used to a c h i e v e

in a proof The m a n n e r

this will guaranit, are w e l l -

the key idea is to take an a s s e r t i o n

to be

273

the t y p e of all its proofs, proofs

over which

Proof

schemata

ass~ption consisting

include,

as n o r m a l l y

for example, in logic

as a f u n c t i o n

functions,

which

uninstantiated formulae,

variables, assertions

proofs.

just b e c a u s e

a partial

proof,

if instead we label

An i n t e r e s t i n g

then w e r e p r e s e n t

a proof which

to a l l o w proofs

the n o d e w i t h a

is i n c o m p l e t e

N o t e that this

in",

the v a r i a b l e

stands.

still p r e s e r v e s

For the w i d e r class of proof or at least unhelpful. than a proof argument partial

function

and yields proof

heavily

An

dependent

in general.)

in general;

rem proving

programs,

though

usable methodology,

usable methodology

ive r e f i n e m e n t

plays

of tactics

ignored

the

can

"missing"

together

schema.

for example, takes

is n o t h i n g m o r e

an a s s e r t i o n

h a v e proofs,

of this proof

form of the r e s u l t i n g

play a significant

A as an

it is a

f u n c t i o n as a

proof w i l l be functions

role?

into a

E a r l y theo-

and w e r e an i n d i s p e n s a b l e

this question.

We speculate

a user i n c r e m e n t a l l y

w a y of a c h i e v i n g

step

that a

to d e v e l o p

the

this is via p r o g r e s s -

schemata.

it appears

that the n o t i o n of

the vital m e d i a t i n g

role.

proof tactic,

The original

rather

or

considerable

methodological

as assumptions.

tactics,

the a r g u m e n t

Even w i t h this crude

p o w e r was a t t a i n e d

in a v a r i e t y of ways to y i e l d m o r e p o w e r f u l

partial proof

crude n o t i o n of proof

as p a r t of its result a "way of proving"

f r o m the list o f result a s s e r t i o n s

n o t i o n o f tactic,

instantiation,

which

they were often powerful largely

and w h i c h

supplying

H o w do we fit such p r o o f

schemata

and that the m o s t p r o m i s i n g

of proof

tactic, w h i c h also p r o v i d e d assertion

proof

proofs,

d e p i c t i o n m a y be impossible,

B u t the d e p i c t i o n

the t r e e - l i k e

at a coarse

over partial

thus

(Since n o t all assertions

m u s t take a form w h i c h allows

A t this point,

strategy~

tree-like

t h e o r e m prover"

u p o n A, the argument.

in w h i c h d i s p l a y e d

shape of a proof,

functions,

of A.

schema can be lab-

form of the m a i n proof

(also c a l l e d proof procedure)

methodology

towards

the gross

"automatic

a proof

function

tree is i m p o s s i b l e

as a tree c o n t a i n i n g

at this node,

inference

proof

is rather a

to b e p r e s e n t e d

or p a r t i a l

it m a y be

case is the use of var-

variable

the variable,

for w h i c h

thus

led to c o n s i d e r

A proof schema

be rendered more complete by instantiating

"zooming

ranging o v e r a v a r i e t y of and proofs;

We saw above that a node in a proof

level of detail;

with

schema

schematic

in the rule schema

it can be d e p i c t e d

to be instantiazed.

(the name of}

its o t h e r

appearing

An

and b y a

is a p r o o f

leaves;

We are t h e r e f o r e

which produce

proofs.

of discussion.

inference rule

the formula v a r i a b l e s

terms,

function

remain

iables o v e r p a r t i a l elled b y

of the objects

l a b e l l e d b y an a s s e r t i o n An

of such arguments.

that is functions

k i n d o f proof

variables

is the type of the

text-books.

schema m a y contain

such as individuals,

regarded

just a root,

type is the assertion.

presented

A proof

special

whose

a classification

schema w i t h

just o f a root and zero or m o r e a s s u m p t i o n

variables

objects

also induce

is a proof

proof v a r i a b l e

so that the type of a proof v a r i a b l e

it ranges.

b y the c o m p o s i t i o n and b y s u c c e s s i v e

274

application

of tactics

list of u n p r o v e d invoked

to the subgoals

subgoals was empty;

to y i e l d a proof.

schema,

i.e.

W i t h i n the p r e s e n t t h a t is n e c e s s a r y schemata;

framework,

yields

then,

the total could be at no point

indeed a fully in-

from assertions

o r "automatic

t h a t the

is a function w h i c h given

a tactic

takes as a r g u m e n t

root is l a b e l l e d A.

"way of p r o v i n g "

as a special

(Note t h a t this does m a k e

schema

More precisely,

of t a c t i c s

an

T h e strong

A f r o m the leaf a s s u m p t i o n s

in the s c h e m a - it exists b y v i r t u e of the schema's the invocation

All

to proof

t h e o r e m power",

is fully instantiated.

its result proof

as r e s u l t a schema w h o s e

ensures

is m a n i f e s t

schema since

a proof.)

assertion A and produces

subgoals)

is now clear;

- and then it was

to b e a f u n c t i o n

proof procedure,

a tactic a proof function,

t y p i n g of s c h e m a t a

until

it is a l s o c l e a r h o w to remove the defect.

is to take a tactic

case in w h i c h the r e s u l t i n g

B y this means,

schema v i s i b l e

tactics

"way of p r o v i n g "

a proof.

this includes

further a r g u m e n t s

the

T h e d e f e c t of this m e t h o d o l o g y

until the v e r y end was a proof stantiated

generated by previous at this point,

is p r e c i s e l y

(the

existence.

the p r o g r e s s i v e

refine-

m e n t of proof s c h e m a t a w h i c h w e sought above. It is m o s t important we have introduced

to e m p h a s i z e

a distinction

that the tactic

between

w h i c h a u s e r m a y treat as d a t a objects them and "zooming

Droof s c h e m a t a

- analysing

in" on them - and m o r e general

proof

objects

of still h i g h e r

functionality

in LCF, w h i c h w e r e w a y s of c o m p o s i n g

tactics,

is n o t a proof schema;

as those c o n c r e t e o b j e c t s

them,

treat in this w a v b u t w h i a h are none the less o b j e c t s Further,

itself

editing

functions

them,

w h i c h he cannot

of d i s c u s s i o n

arise naturally;

displaying

w i t h a machine.

the

are again d e f i n a b l e

t~ctica~8

used

as proof functions

of h i g h e r type. In all o f the p r e c e d i n g d i s c u s s i o n language of assertions. ian's

(Here the term "object-language"

sense of the syntactic

material

implied

that the user and machine,

express

a w i d e range of e n t i t i e s

functions guage

seems to be ideal,

in m a n i p u l a t i n ~

types.

is intended

in the logic-

assertions,

F o r this,

particularly

We h a v e also

the o b j e c t - l a n g u a g e ,

and it should also p r o v i d e

w h i c h can be built,

a s s u m e d a fixed o b j e c t -

from which a loaic is built.)

s u c h as formulae,

of r a t h e r s o p h i s t i c a t e d

that the objects

we h a v e i m p l i c i t l y

trees,

a functional

schemata,

lists,

which

to

and

programming

a type d i s c i p l i n e

proof

require

lan-

ensures

are w e l l - f o r m e d

even though t h e y m a y be incomplete. O n c e s u c h a functional

meta-language

it to h a n d l e a v a r i e t y of logics~ type in this m e t a - l a n g u a g e . and then of a collection al i n f e r e n c e exploit

rules.

Indeed,

It consists

To i n t r o d u c e

Whatever

a

logic

it is a short s t e p to a l l o w i n g

is just an o b j e c t of a p a r t i c u l a r

first of an o b j e c t

of basic proof schemata

language

o v e r these formulae,

a n e w logic to the machine,

the p o w e r of the m e t a - l a n g u a g e

these types.

is employed,

to introduce

i.e.

the logic-

a user must therefore

n e w data types

rich class of proof functions

of assertions,

a n d functions

may be definable

over

in the m e t a -

275

language, a truly useful proof methodology will not emerge until the user is enabled to work in different logics at different times;

further, he must even by allowed to

compose logics via inference rules whose assumptions and conclusions are assertions of different logics, i.e. assertions of different types. To meet this requirement, an interactive proof system must not only provide the user with such a meta-language;

it must also provide a fixed set of elementary oper-

ations in this language by which inference rules are invoked.

These operations

exactly represent the uniform notion of inference which obtains in any logic which can be presented.

At the present level of discussion it is not possible to say what

these operations should be;

the question is not simple, since it is crucially affect-

ed by the uniform way in which logics are presented.

Another difficult question is

whether tactics and strategies should indeed be expressed in the object language (as implied by our discussion), or whether they should be expressed in the functional meta-language as for example in the LCF proof system. These questions constitute the frontier of research into proof systems.

Once

a good answer is obtained, it will be possible to integrate all computer-assisted reasoning within a single framework;

thereafter, increasing power and convenience

will be a matter of designing particular tools - graphic aids and proof strategies for particular domains of reasoning within the framework.

This specialised re-

search will be lengthy and difficult, but will not suffer the same fate as most present proof systems which - because they have inherent limitations of formalism - reach a point where further extension requires total re-design.

Induction Principles Formalized in t h e C a l c u l u s o f C o n s t r u c t i o n s 1 C~rard Huet INRIA France

Abstract The Calculus of Constructions is a higher-order formalism for writing constructive proofs in a natural deduction style, inspired from work of de Sruijn [2,3], Girard [12], Martin-LSf [14] and Scott [18]. The calculus and its syntactic theory were presented in Coquand's thesis [7], and an implementation by the author was used to mechanically verify a substantial number of proofs demonstrating the power of expression of the formalism [9]. The Calculus of Constructions is proposed as a foundation for the design of programming environments where programs are developed consistently with formal specifications. The current paper shows how to define inductive concepts in the calculus. A very general induction schema is obtained by postulating all elements of the type of interest to belong to the standard interpretation associated with a predicate map. This is similar to the treatment of D. Park [16], but the power of expression of the formalism permits a very direct treatment, in a language that is formalized enough to be actuMly implemented on computer. Special instances of the induction schema specialize to Ncetherian induction and Structural induction over any algebraic type. Computational Induction is treated in an axiomatization of Domain Theory in Constructions. It is argued that the resulting principle is more powerful than LCF's [13], since the restriction on admissibility is expressible in the object language.

Notations We assume the reader is familiar with the Calculus of Constructions, as presented in [7,9,10,11]. More precisely, we shall use in the present paper the extended system defined in Section 11 of [8]. The notation [z : A] B stands for the algorithm with formal parameter x of type A and body B, whereas (z : A)B stands for the product of types B indexed by z ranging over A. Thus square brackets are used for ,k-abstraction, whereas parentheses stand for product formation. The atom Prop is the type of logical propositions. The atom Type stands for the first level in the predicative hierarchy of types (and thus we have Prop : Type). We abbreviate (z : A)B into A --~ B whenever x does not occur in B. When B : Prop, we think of (z : A)B as the universally quantified proposition Vx : A • B. When z does not occur in B and A : Prop, we write it rather as an implication A ==~ B. We assume known the logical constructions V (absurdity), A (conjunction), ÷ (intuitionistic disjunction), v (classical disjunction) and 3 (existential quantification). We use the symbol :---- for definitional equality of constants.

1This research, done during a sabbatical at Carnegie ~.~ellonUniverslty~ was supported in part by the Office of Naval Research under contract N00014-84-K-0415 and in part by the Defense Advanced Research Projects Agency (DOD), ARPA Order No. 5404, monitored by the Office of Naval Research under the same contract. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of DARPA or the U.S. Government.

277

1

A constructive set theory

We assume a global context where we have declared: [U : Type]. We may think of U as the current universe, or as the domain of interpretation, in the sense of predicate calculus. Sets defined over U are represented as predicates of type U --* Prop, which we abbreviate from now on as Serif, or even as Set when U is clear from the context. This may be formally justified by the type synthesis algorithm described in [11]. If A : Setu and x : U, we define x E A as the proposition (A x). That is, the elements of U-sets are of type U. We abbreviate the quantification (x : U)E as Vx. E, and the abstraction Ix : U] E as {x I E}. For successive bindings, we use respectively Yx, y . E and

{~,y[E}. We define inclusion of sets A and B by:

ACB

:= V x . x E A = > x E B

and set equality by:

A=B

:= A C C B A B C _ A .

Note that this equality is extensional equality of sets. We could also define intensional equality between two elements x and y of type U, as:

x-y

:-- (A:Set) x C A = ~ y C A .

If we decided to give a primitive equality = on type U this would complicate matters quite a bit, since we would have to state that sets are predicates compatible with this equality, i.e. such that ( P x) and x -- y imply ( P y), and iterate this condition with classes, etc... The empty U-set is defined as:

0 := {~Iv}. The usual set operations are available through the corresponding logical connectives:

ANB

:= { x ] x E A A x e B }

AuB

:= { x I x E A v x c B

HA

}

:= { z ] - ~ x e A } .

R e m a r k . If we were completely formal, we should index all our notations with U, and write for instance x ~ v A, ~v, etc. We assume here no ambiguity arises as to which universe we are into. Our sets resemble ordinary sets, except that the inclusion relation is defined constructively. Thus, we have A C_,,,,., A, but the converse in not true in general. That is, our sets behave more like open sets of a topological space, and classical sets are the analogue of closed sets, i.e. double-negation closed. The complement ~ A of A is closed, and for every A we get its closure as We now define classes as set predicates. That is, a U-class is of type (Setv --~ Prop), abbreviated Classy or simply Class. For instance, the class of subsets of A is defined as: (PA)

:-- [ B : S e t ] B C A .

Class inclusion may be defined in the same way as set inclusion. Actually, all sets operations above extend to class operations, since U may be instantiated with Setc~. If C is a U-class, we define the intersection of C as the U-set defined as follows: C~C := {x i (A : Set) (C A) =V. x e A } . For instance, we may define the singleton {z} as follows: {x} :---- 7 / ( [ A : S e t ] x c A ) .

278

We say that set A is universal if it contains all the objects of the universe:

(Universal A) := Vx. x • A. A mapping maps a set to a set. More precisely, a U-map has type Satyr --* Setv, abbreviated Mapg or simply Map. If t~ is a U-map, we define: (Stable ~) := [ A : Set] (~ A) _C A and

(Fixpt ~) := [ A : S e t ] ( ~ A ) = A . Note that these two constructions are of type Classy. We now define the standard interpretation of map ~ as the intersection of the class of sets for which ~ is stable:

(Initial ~) :-- r~(Stable ~o) that is, in expanded form: {u I ( A : Set)(Vx.x • (~ A) ~ x • A) ~ u • A}.

2

Induction

We get an induction principle by restricting ourselves to the standard interpretation:

(Induction ~) := ( A : Set)(StabIe ~ A) ~ (Universal A), or, in an equivalent expanded formulation: ( A : Set)(V~. x • (~ A) ~ x • A) ~ Vu. u • A. Note that Initial and Induction are really the same construction, up to permutation of independent hypotheses: the binding on u migrated from the outermost abstraction in (Initial ~) to the innermost quantification in (Induction ~). This notion is especially important when ~o is an increasing map:

(Incr p) := ( A : S e t ) ( B : S e t ) A C C _ B ~ ( p A ) C

(p B)

since then we may apply Tarski's theorem, and thus consider (Initial ~) as the least solution to considered as a recursive definition. Let us check out the details. Tarski's theorem may be stated in the constructions calculus as follows. Consider the followint context F:

[T : Type] [Eq : T --* T --* Prop] [ Leq : T --~ T --+ Prop] [Leqtrans : (x : T ) ( y : T ) ( z : T)(Leq x y) ~ (Leq y z) ~ (Leq x z)] [Leqantisym : (x : T ) ( y : T)(Leq x y) ~ (Leq y z) ~ (Eq x y)] [Lub : (T --* Prop) --~ T] [Upperb : (P : T --* Prop)(y : T ) ( P y) ~ (Leq y (Lub f ) ) ] [Least: (P : T --~ Prop)(y : T)((z : T ) ( P z) ~ (Leq z y)) ~ (Leq (nub P) y)] [[:T--~T] [Incr : (x: T ) ( y : T)(Leq x y) ~ (Leq (f x) (f y))]. In the context F, we consider the set Po defined as: Po := [ u : T ] ( L e q u (/u)),

279

and its least upper bound xo : T: x0 :=

(Lub Po)-

We first prove a few lemmas. We leave it to the reader to check that r F L e m m a l : ( x : T)(neq x (Z x)) ~ (Leq x ( f x0)), with:

Lemmal := I x : T] [h : (Leq x (f x))] (Leqtrans x (f x) (f xo) h (Incr x xo (Upperb Pox h))). Similarly, we get F F

nemma2: (Leq z0 ( f x0)), with Lemma2 := (Least Po (f :co) Lemmai),

and also 1" t-

Lemrnaa: (Leq (f xo) xo), with Lemrnaa :-- (Upperb Po (f xo) (Incr xo (f xo) Lemma2)).

Now the proof is concluded easily, that is F }- Tarskl

: (Eq (f xo) xo)), with

Tarskl := (Leqantisym (f xo) xo Lemma2 Lemrnas). The careful reader will check that this is the traditional proof of Tarski's theorem [20]. We may now use Tarski's theorem in the particular case of the subset relation. That is, we instantiate the type variable T with Set, (Leq x y) becomes y _. x, and Eq is set equality. The hypotheses Leqtrans and Leqantisym are easy to fulfill. We take for Lub the intersection operation, for which it is immediate to show Upperb and Least. Note that it is essential here that Tarski's theorem be expressed over an arbitrary type. This allows us to instantiate T over the type of sets given with the inclusion relation, obtaining thus what is usually called the theorem of Knaster-Tarski. Hence we get: ( p : Map)(Incr ~) ~ (rixpt fo (Initial ~)). (FIX) Actually it is possible to refine Tarski's theorem and prove that the fixpoint obtained in the proof is actually the Lub of the set of all fixpoints. Here this shows that (Initial ~o) is the smallest fixpoint: ( ~ : M a p ) ( r n e r ~) ~ (Initial ~) = n(Fi~pt ~). (MIN) Note the similarity of our approach with the treatment in Park[16], where

Induction is called

a convergence formula.

3

Noetherian induction

Let us use the abbreviation Rely, or simply Rel, for the type U --+ U --+ Prop. Rel[r is the type of binary relations on U. Note that every relation may be seen as an indexed family of sets. Thus if _> is a preorder, (> x) is the set of elements below x. Let R : Rel. We define the

adjoint map associated with R as the U-map: (Adjolnt R) := [ A : S e t ] {x l (R x) C A}.

It is a simple exercise (left to the reader) to prove that this map is always increasing: (R:

Rel) (Incr (Adjoint R))

(Adjoint_[ncr).

280 The class of

R-inductive sets is defined

as:

(Inductive R) := (Stable (Adjoint R)). The induction associated with the adjoint map states that the inductive sets are -universal. This is just what is usually called N0etherian induction[5]:

(Noetherian R) := (Induction (Adyoint R)) or, in expanded form: ( A : Set) (Vx. (Vy.

(R x y) =>y e A) :=>x e A) =:>Vu. u e A.

We recognize the definition used in [9] to prove Newman's lemma:

(R: ReZ)(Noethe~ian R) ~ (Loc_Con/luent R) ~ (Con/l~ent R). Thus we see that this very powerful transfinite induction principle is but a special case of the very general Induction above. Usual complete induction principles are in turn obtained by further specialization. For instance, we shall see below that complete induction over the naturals is simply ( Noetherian >).

4

Structural

Induction

It is now time to introduce some further notation. Let A be a U-set, and E be any construction expression. We let Vz E A . E to stand for an abbreviation of Vx- x E A =~ E, and similarly we let {x e A t E} stand for {x I x e A A E}. We shall also use the notation ~x E A . E to stand for 3 I x : U ] ( x e A A E). We shall now show how to express structural induction[4] in the calculus. First we define the relation " f preserves A ' , when / is a U-function (i.e. f : U --+ U) and A is a U-set:

(Preserve f A ) := V x E A . ( f Now we define what it means for the element y : U to be function f . This notion is axiomatized by the relation:

(Iter f) ::- (x, y l ( A : S e t ) ( P r e s e r v e

x) e A .

reachable from element x : U using

f A)=~zxeA~yeA}.

The general method consists in defining, in the structure under consideration, the suitable generalization of reachability expressing what are the elements expressible using the operations of the structure. The expressibility predicate may then be seen as a set (the initial algebra, or standard model). Similarly to above we get an induction principle by postulating that every element of type U is in this set. Let us consider for instance arithmetic. The structure is given here by a successor operation S : U --~ U and a zero constant 0 : U. A universe presented with this structure we call a Peano algebra. On any Peano algebra, we may define a relation < :--

(Iter S)

and it is easy ~o show that _< is reflexive and transitive (using as proofs respectively identity and composition of the proper type). Now the set

(n I0 _
28t

is the characteristic predicate of the standard model A/:

)4 :=- { n l ( A : S e t ) ( V m e A . ( S m )

EA)~OeA~neA}.

The corresponding universally quantified sentence is Peano's induction principle:

Peano :-- ( A : S e t ) ( V m E A . ( S m) E A ) : = ~ 0 E A = = ~ V n . n E A . Note how the binding on n migrated from ~/ to Peano, similarly to the transformation between Initial and Induction. Let us now indicate the relationship with our general induction principle above. The map W needed here may be defined as sending A to: {n 13m E A. n - (S m) + n -- 0}, or equivalently, we define:

(Nat_mapA) := { n l ( P : S e t ) V u ' ( u e A ~ ( S u ) e P ) ~ 0 E P ~ n E P } . It is easy to prove that Nat_map is increasing, and that:

(Stable Nat_map A) ¢~ (Nat_stable A) with

(Nat_stableA) :-= ( V n e A . ( S n ) EA) A ( 0 e A ) and thus we get that

(Induction Nat_map) ¢V Peano. Indeed, a simple Curryfication suffices to show that:

.~[ = NNat_stable. R e m a r k . The equivalence between (Stable Nat_map) and Nat_stable boils down to recognizing the following propositional equivalence: (Q: Prop)((P ~ Q) ~ Q) ~ P. Intuitively, it means that every proposition is equivalent to its operational contents. Actually Peano is only one half of initlality. What it says is that the universe contains only elements which are definable with the algebra operators. The other half is to postulate that different operators give rise to distinct elements. In the case of arithmetic, for instance, this amounts to adding the following two postulates:

Peanol :-= Vn.-~(S n) =- 0 Psano2 := Vm, n . ( S m ) _= ( S n) ~ m -- n.

A standard model of arithmetic is thus any universe verifying Peano, Peanol and Peano2. R e m a r k . We recall that the natural numbers may be expressed logically by the second-order proposition: Nat := ( X : P r o p ) ( X ~ X ) o X ~ X , with the successor function, of type Nat ~ Nat, defined as:

S :-= [ n : N a t ] [ X : P r o p ] [ s : X = : > X ] [ z : X ] ( s and the zero, of type Nat~ defined as:

0 :=- [ X : P r o p ] [ s : X ~ X ] [ z : X ] z .

(nXsz))

282 It is possible to apply the whole theory above, with Nat standing for the universe U. However, even in N a t we need to postulate the Peano axioms. This is a bit puzzling, since we know that the normal forms of constructions (with r/conversion allowed) of type N a t are isomorphic to the standard model of natural numbers. But this knowledge is from meta-theoretic analysis, and cannot be internalized in the system. However, it is a simple matter to define in the meta-language of constructions appropriate macros, so that the Peano axioms are automatically generated from the signature Nat. The method above is of course generalizable in a straightforward way to any algebraic type, leading to structural induction over a wide variety of structures. Finally, complete induction is easily seen a direct application of Ncetherian induction. For instance, over integers, with z>y

:=

(Sy)<_z

we get complete induction (course-of-values induction) as (Noetherian >). 5

Computational

Induction

We now show how to imbed in Constructions Scott's computational induction method, as presented for instance in LCF[13]. 5.1

The domain

postulates

We assume axioms on the universe U giving it the structure of a pre-ordering:

[ E_: Rel] [ R e f l : Vu. u E u] [Trans : Vu, v, w . u E v ::~ v [- w ~ u E w]. We define - as the associated equivalence:

-.-

Vu, v . u E v A v E

u.

We say that the U-set A is directed whenever:

(Directed A) := V x E A - V y E A - 3 z C A - x V - z A y E z . Now we postulate the partial order U to be compIete, in the sense that every directed set possesses a limit, its lub: ( A : Set) (Directed A) ~ 3u. u E (Lub A), with:

(nub A) := {u I V~ e A . x E u A Vv. (Vx • A . x E v) ~ u E v}. For ease of application, we shall Skolemize the limit u as a function (lira A). We could have lira depend on an extra argument of type (Directed A), but this extra generality is not needed; this is an application of the principle of "proof irrelevance". Thus we postulate:

[lira : S e t v --+ U] [Complete: ( A : Set) (Directed A) ~ (lira A) • (Lub A)]. It is easy to show that the elements of (Lab A) are equivalent:

Vu • (Lub A ) . V v • (Lab A ) . u "- v. The empty set t3 is directed, and thus every complete pre-order possesses a minimum element:

± :=

(urn 0).

It is straightforward to prove that £ is indeed minimum:

Vu. ± E u.

(Bot)

283 5.2

Computational

induction

Let f : U --* U. We define the set of (finite) f-approximants as:

(Approx f) := (Iter f _L) that is:

{u I ( A : Set) (Preserve f A) :=~_L e A --~ u • A}. Remark the similarity with the definition of the standard model $/above. Similarly to maps above, we define the notion of increasing function: (Increasing f) := Vu, v . u ~ v ~ ( f u )

:(Iv)

and we may show that: ( f : V ---* U) (Increasing f) ~ (Directed (Approx f)).

(Dir_Approx)

The proof of this proposition, left as an exercise, is analogous to defining inductively the function computing the maximum of two naturM numbers. We may now define, for any increasing f: (Y f) := (lira (Approx f)). The limit of finite approximants (Y f) is intuitively Un fn(±). We now define an admissible U-set as one which contains all the limits of its directed subsets:

(AdmA) := ( B : S e t ) BC_ A ~ ( D i r e c t e d B ) ~ ( l i m B ) e A . The restriction of A to admissible sets in the definition of approximant permits to iterate f in the transfinite, which gives the notion of transfinite f-approximation: (c~ f) := {u] ( A : S e t ) ( A d m A ) = = ~ ( V x E A . ( f x) E A ) ~ u ~ A } . Note that (oo f) is the intersection of the class of admissible sets preserved by f, whereas (Approx f) is the intersection of the class of sets containing ± and preserved by f. In some sense (co f) is to (Approx f) what ordinals are to natural numbers. Let us now show that (oo f ) is admissible: [f : U --* U] [B : Set] [hl : S c_ (co f)] [hz : (Directed B)] ~- ll : (lira B) E (oo f) where 11 is proved by: [C : Set] [h3: (Adm C)] [h4 : (Stable C)] (hz B l~ h~) where lz : B _CC is proved by: [u:U][hb:u~B](hl uhsChzh4). Discharging all this temporary context, we get: ( f : U --* U)(Adm (oo f)).

(Adm_~)

Now it is a simple matter to prove: [f : U --+ U] [i : (Increasing f)] ~- (Adm_c~ f (Approx f) incl (Dir_Approx f)) : (Y f) E ( ~ f), where the proof of incI : (Approx f) C (co f) is left to the reader. Thus we get finally:

(f: u -, u)(Inc~asi~g/)

~ (r/)

c ( ~ y).

By unwinding this proposition it is easy to see that this is precisely Scott's computational induction principle. Writing it in tong form: ( f : U --~ U)(Increasing f) =~(A : Set) (Adm A) =¢.(Vx e A.(f x) e A) :=~(Y f) • A. (Comp_Ind)

284

Two remarks are in order. Firstly, note that this principle is provabte from our postulates on the domain U (i.e., the complete partial ordering axioms). Secondly, the notion of admissible set is axiomatized inside the calculus, and thus we can use all the power of the logical system to prove that a given set is indeed admissible, whereas in LCF[t3] the notion of admissible predicate is weakened to a syntactic check of the recta-linguistic support. Finally note that the hypothesis ± E A is not needed above, since it is implicit from the hypothesis (Adm A). 5.3

Continuity

and fixpoints

It may seem curious that it is not necessary in the justification of computational induction to assume that f is continuous. But this assumption is indeed needed for recursion. Let us now make this point precise. First, let us define the image by ] of a U-set A:

(Image/A)

:=

{yl3xeA.y-~(f

x)}.

It is easy to show that:

(Directed A) ~ (Increasing f) =~ (Directed (Image f A)).

(Dir_Im)

Thus, for every increasing f and directed set A, we may define:

(Lira f A) Now let us call

diagram any

:=

(lira (Image f A)).

non-empty directed set:

(Diagram A)

:=

3u E A. (Directed A).

Next we define what it means for an increasing f to be continuous:

(Continuous f)

:= ( A :

Set) (Diagram A) ==>(Lira f A) "- (f (lirn A)).

Note that we must restrict A to be a non-empty directed set, since we do not demand our functions to be strict. E x e r c i s e . Prove that for

all f, (Continuous f) ==~(Increasing f).

Now, defining the fixpoints of f in a similar way as for maps:

(rizpoints f)

:= (u I (f u) ~ u},

we can prove:

( f : u --, v)(Continuo~s /) ~ ( r f) e (ri~point, /) and:

( / : u -~ y)(Contin~o~,s/) :~ w e (?i~voint~ f ) . (r y) E x. In other words,

(Y f) E (Min (Fixpolnts (MinA)

:=

f)), with

(ueAlVxeA.uGz}.

This is analogous to Tarski's theorem, but still signk~cantly different. A variant of Tarski's theorem would say here is that if f is increasing (and not necessarily continuous), then (Z f) is the minimum fixpoint of f , where

(Z f) := (lira (c~ f)).

285

P r o b l e m . Show the above statement. In particular, you will need to prove that (oo / ) is itself directed. Thus, continuity is needed for finiteness, i.e. computability. This concludes our incursion into domain theory.

6

Noetherian

as a well-foundedness

principle

We are going to show in this section that (Noetherian R) implies that there are no infinite R-chains~ relating induction to well-foundedness. Let A be a U-set. We say that A is R-eternM iff:

(Eternal R A) := 3 x E A A V x E A . 3 y E A . ( R x y ) . It is straightforward to show, with the definition of Ncetherian given above, that:

(Eternal R A) l (Noetherian R ~ A) where ~he incompatibility connective ! is Sheffer's stroke. Thus (Noetherian R) implies (classically) that R is well-[ounded, in the sense that there are no infinite R-chains: (WFR) := ( A : Set) -~(EternaI R A). Intuitively, the set (Initial (Adjoint R)) contains all elements which have only finite R-chains issued from them, and (Noetherian R) says that this set is universal.

Acknowledgements We thank Thierry Coquand for many stimulating discussions.

References [I] R. Boyer~ J Moore. ~A Computational Logic." Academic Press (1979). [2] N.G. de Bruijn. ~Automath a language for mathematics." Les Presses de l'Universit4 de Montr4al, (1973). 13] N~G. de Bruijn. ~A survey of the project Automath." (1980) in to H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, Eds Seldin J. P. and Hindley J. R., Academic Press (1980). [4] R. Burstall. "Proving Properties of Programs by Structural Induction." Comp. J. 12 (1969), 41-48. [5] P. M. Cohn. "Universal Algebra?' Reidel, 1965. [6] R.L. Constable, N.P. Mendler. "Recursive Definitions in Type Theory." Private Communication (1985). [7] Th. Coquand. "Une th4orie des constructions." Th~se de troisi~me cycle, Universit~ Paris VII, Janvier 85. [8] Th. Coquand. "An analysis of Girard's paradox." First IEEE Symposium on Logic in Computer Science, Boston (June 1986), 227-236.

286

[9] Th. Coquand and G. Huet. "Constructions: A Higher Order Proof System for Mechanizing Mathematics." EUROCAL85, Linz, Springer-Verlag LNCS 203 (1985). [10] Th. Coquand and G. Huet. "The Calculus of Constructions." To appear, Information and Control. [11] Th. Coquand and G. Huet. "Concepts Math~matiques et Informatiques Formalis~s dans le Calcul des Constructions." Logic Colloquium, Orsay (July 85). To appear, North-Holland. [12] J.Y. Girard. "Interpretation fonctionnelle et ~limination des coupures dans l'arithm~tique d'ordre sup~rieure." Th~se d'Etat, Universit~ Paris VII (1972). [13] M. Gordon, R. Milner and C. Wadsworth. "Edinburgh LCF." Springer-Verlag LNCS 78 (1979). [14] P. Martin-LSf. "A theory of types." Report 71-3, Dept. of Mathematics, University of Stockholm, Feb. 1971, revised (Oct. 1971). [15] N.P. Mendler. "First and Second-Order Lambda Calculi with Recursive Types." Technical Report TR 86-764, Dept. of Computer Science, Cornell University (July 1986). [16] D. Park. "Fixpoint Induction and Proofs of Program Properties." Machine Intelligence 5, Eds. B. Meltzer & D. Michie, 59-77, Edinburgh University Press. [17] L. C. Paulson. "Constructing Recursion Operators in Intuitionistic Type Theory." Tech. Report 57, Computer Laboratory, University of Cambridge (Oct. 1984). To appear, J. of Symbolic Computation. [18] D. Scott. "Constructive validity." Symposium on Automatic Demonstration, Springer-Verlag Lecture Notes in Mathematics, 125 (1970). [19] D. Scott. "Data Types as Lattices." SIAM Journal of Computing 5 (1976) 522-587. [20] A. Tarski. "A Lattice-Theoretical Fixpoint Theorem and its Applications." Pacific J. Math. 5

(1955),

285-209.

ALGEBRAIC SEMANTICS

Jim Thatcher IBM Thomas J. Watson Research Center Yorktown Heights, N.Y. USA

Abstract Algebraic

semantics

is a methodology

discipline

and concepts

from universal

in theoretical and categorical

computer

science

that draws

algebra. This approach

roots in a research activity, known as ADJ, which started at IBM Research,

has its

Yorktown

Heights in the mid Seventies. In this talk I will discuss the ADJ effort and some of the concepts that have emerged and proved to be important mathematically

and for computer science applications.

ideas that span diverse

subjects

I will stress

the common

algebraic

like factorization

programming

language semantics, continuous algebras and abstract data types.

systems,

AUTHOR INDEX

(I, ff indicate the volumes) E. R. C. M. F. B. P.G. G. V. M.C. I. K.L. E.M. D. T. M. Ph. B. R. W. 1. Z. S. I.T. K. I. B. G. L. E. J.Y. M. J. O. R. M. G. Yo

Astesiano Barbuti Beierle Bellia Bellegarde Bonhoure Bosco Boudol Breazu-Tannen Browne Castellani Clark Clarke Clement Coquand Crochemore Darondeau Demoen De Nicola Drabent Durand Farkas Finn Foster Furukawa Fut6 Gamatie Gambosi George Giovannetti Girard Gogolla Goguen Grfimberg Harper Hennessy Huet Lafont

I H ]l H I ti II I ]] I [ ]I

169 96 320 260 69 126 276 123 291 256 123 212

I

256

H

67

H

ff II II l I II H II I 1I I

291 26 153 111 138 t67 126 82 155 212 23 126 153 232 140 276 52 81 1 256

H

308

[ l ]I

138 276 52

I I H [ ]I ff 1] H

289 P. Lescanne G. Lindstrom J. Maluszynski P. Mancarella G. Marongiu J, Meseguer J.J.ChMeyer

I ~ ff ]] I H I

69 140 167 96 111 1 241

R.

Milner

I

271, II 308

C. M. J. F. F. D. C. A. A. G. S. D. C. A. B. W. M A. J. M. M S. F. P. E.P. A. D. I. Y.D. D.

Moiso Navarro Nesetril Orejas Parisi-Presicce Pedreschi Percebois Pettorossi Piperno Reggio Ronchi della Rocca Sannella Simon Skowron Steffen Szpankowski Talamo Tarlecki Thatcher Thomas Tofte Tulipani Turini Van Roy de Vink Voss Warren Wegener Willems Yeh

II I I ! I ]I IT ]~ ff ! I ! ~] ]] I I I ! I ]] ff ! ff u I l] ]ff I [[ ff

276 202 232 202 217 96 126 182 39 169 37 96 126 182 52 13 232 96 287 197 308 111 96 111 241 320 243 1 111 140

TAPSOFT'91: Proceedings of the International Joint Conference on Theory and Practice of Software Development

Read more

TAPSOFT'89: Proceedings of the International Joint Conference on Theory and Practice of Software Development

Read more

Knowledge-Based Software Engineering: Proceedings of the Fifth Joint Conference on Knowledge-Based Software Engineering

Read more

Foundations of software science and computational structures 12th international conference; proceedings FOSSACS, Joint European Conferences on Theory and Practice of Software 12. 2009

Read more

Proceedings of a Conference on Operator Theory

Read more

Graph theory: proceedings of the Conference on Graph Theory

Read more

Proceedings of the International Conference on Colloid and Surface Science

Read more

TAPSOFT'97: Theory and Practice of Software Development 7 conf

Read more

TAPSOFT'95: Theory and Practice of Software Development 6 conf

Read more

TAPSOFT'93: Theory and Practice of Software Development

Read more

Commutative ring theory: proceedings of the Fès international conference

Read more

Commutative ring theory: proceedings of the II international conference

Read more

Proceedings of the 20th International Conference on Fluidized Bed Combustion

Read more

Proceedings of the 6th SIAM International Conference on Data Mining

Read more

Proceedings of the International Conference on Experimental Fluid Mechanics (2nd)

Read more

Proceedings of the International Conference on Chinese Enterprise Research 2007

Read more

Proceedings of the Sixth SIAM International Conference on Data Mining

Read more

Proceedings of the 4th International Conference on Southeast Asia

Read more

Proceedings of the Fourth SIAM International Conference on Data Mining

Read more

Proceedings of the 20th International Conference on Fluidized Bed Combustion

Read more

Qualitative and Quantitative Methods in Libraries: Theory and Applications: Proceedings of the International Conference on QQML2009

Read more

Proceedings of the Second International Conference on The Theory of Groups

Read more

Recent Development in Theories and Numerics: Proceedings of the International Conference on Inverse Problems

Read more

Foundations of Software Science and Computational Structures: 6th International Conference, FOSSACS 2003 Held as Part of the Joint European Conference

Read more

Elements of Development Administration: Theory and Practice

Read more

7th International Conference on Automated Deduction: Proceedings

Read more

Systematic Biology: Proceedings of an International Conference

Read more

Proceedings of International Science Education Conference 2009

Read more

Graph Theory: Conference Proceedings

Read more

Symmetry and Perturbation Theory: Proceedings of the International Conference on SPT 2002

Read more

Recommend Documents

TAPSOFT'91: Proceedings of the International Joint Conference on Theory and Practice of Software Development

TAPSOFT'89: Proceedings of the International Joint Conference on Theory and Practice of Software Development

Knowledge-Based Software Engineering: Proceedings of the Fifth Joint Conference on Knowledge-Based Software Engineering

KNOWLEDGE-BASED SOFTWARE ENGINEERING Frontiers in Artificial Intelligence and Applications Series Editors: J. Breuker...

Foundations of software science and computational structures 12th international conference; proceedings FOSSACS, Joint European Conferences on Theory and Practice of Software 12. 2009

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris ...

Proceedings of a Conference on Operator Theory

Graph theory: proceedings of the Conference on Graph Theory

GRAPH THEORY General Editor Peter L. HAMMER, University of Waterloo, Ont., Canada Advisory Editors C. BERGE, Univer...

Proceedings of the International Conference on Colloid and Surface Science

Studies in Surface Science and Catalysis 132 PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON COLLOID AND SURFACE SCIENCE...

TAPSOFT'97: Theory and Practice of Software Development 7 conf

TAPSOFT'95: Theory and Practice of Software Development 6 conf

TAPSOFT'93: Theory and Practice of Software Development