On a Semantic Definition of Data Independence

Ranko Lazić (Department of Computer Science, University of Warwick, UK; Ranko.Lazic@dcs.warwick.ac.uk) and David Nowak (LSV, CNRS & ENS Cachan, France; David.Nowak@lsv.ens-cachan.fr)

Abstract. A variety of results which enable model checking of important classes of infinite-state systems are based on exploiting the property of data independence. The literature contains a number of definitions of variants of data independence, which are given by syntactic restrictions in particular formalisms. More recently, data independence was defined for labelled transition systems using logical relations, enabling results about data independent systems to be proved without reference to a particular syntax. In this paper, we show that the semantic definition is sufficiently strong for this purpose. More precisely, it was known that any syntactically data independent symbolic LTS denotes a semantically data independent family of LTSs, but here we show that the converse also holds.

Keywords: data independence, definability, logical relations, nondeterminism

1 Introduction

Informally, a system is data independent with respect to a data type $X$ when, apart from input, output and storage, the only operation that is performed on values of type $X$ is testing a pair of them for equality. The stronger variant of data independence where equality on $X$ is not available is also studied in the literature, as are weaker variants such as allowing constants of type $X$ and unary predicates on $X$.

A variety of results which enable model checking [5] of important classes of infinite-state systems are based on exploiting data independence (e.g. [22, 12, 10, 19, 6, 14, 21, 18]). Although their proofs are in terms of semantics, most of these results are based on definitions of data independence which are by means of syntactic restrictions in particular formalisms.

(Footnotes: We acknowledge support from the EPSRC Standard Research Grant `Exploiting Data Independence', GR/M32900. A part of this research was done at the Oxford University Computing Laboratory. Ranko Lazić is also affiliated to the Mathematical Institute, Belgrade; this author was supported in part by a grant from the Intel Corporation, a Junior Research Fellowship from Christ Church, Oxford, and previously by a scholarship from Hajrija & Boris Vukobrat and Copechim France SA.)

The first semantic definition of data independence which accommodates the variants with or without equality, constants and predicates was given in [15]. The semantic entities used are families of labelled transition systems (LTSs), which consist of an LTS per instantiation of a signature. A signature is a set of type variables and a term context. Logical relations [20] are used to define when a family of LTSs is parametric, and the definition of data independence is the special case when the term context of the signature consists of only equality predicates, constants and unary predicates. It is shown in [15] that the semantics of any syntactically data independent UNITY program [4] is a data independent family of LTSs. The same paper also proves a theorem based on the semantic definition which enables the problem of model checking a data independent system for all instantiations of $X$ to be reduced to model checking for a finite number of finite instantiations. Since it is proved from the semantic definition, the theorem applies to any formalism which can be given semantics by LTSs in which transition labels record values of transition parameters.

Although the definition in [15] was sufficiently restrictive to prove the particular reduction theorem, it was not known whether that was an accident. In other words, it was not known whether the collection of all data independent families of LTSs was equal to or strictly larger than the collection of those which arise as semantics of syntactically data independent systems. In this paper, we show that it is equal.

More precisely, we show that, in the absence of inductive types, any parametric family of LTSs whose signature consists of equality predicates, uninterpreted predicates of arbitrary arity, and uninterpreted constants, and whose types of states and transition labels do not contain functions, is definable by a symbolic LTS with the same signature. Data independence as in [15] is the special case when the uninterpreted predicates are only unary. Inductive types are not considered for simplicity, because they are orthogonal to definability of families constrained by logical relations, which is the topic of the paper. Functions within states or transition labels are also excluded in the reduction theorems in [15].

Symbolic LTSs are a basic formalism which combines the simply typed $\lambda$-calculus and nondeterminism. They can be seen as a graphical variant of UNITY, and are a generalisation of first-order Kripke structures [2].

Compared with the literature on definability in models based on logical relations (e.g. [17, 13, 1, 7]), we consider only first-order computation which can use equality testing and predicates of arbitrary arity, but the novelty in our result is that it applies to nondeterministic computation.

Section 2 is devoted to preliminaries. In Section 3, we define families of values, sets, and LTSs, and specify what it means for such families to be parametric. In Section 4, we define symbolic LTSs, and observe that their semantics is parametric. Section 5 is devoted to the definability result. In Section 6, we conclude and remark about future work.

2 Preliminaries

We fix notation for the syntax and set-theoretic semantics of the simply typed $\lambda$-calculus with product and sum types, for binary logical relations, and for LTSs. Terms of the $\lambda$-calculus will be used to form symbolic LTSs. In addition to typing the terms, types will be used to structure the semantic entities we shall consider, such as families of LTSs. Logical relations will serve to constrain families indexed by signature instantiations, such as in the semantic definition of data independence.
$\lambda$-calculus syntax. We assume $\mathit{TypeVars}$ is an infinite set of names for type variables. The syntax of types $T$ is as follows:

$$T ::= X \in \mathit{TypeVars} \mid T_1 \times \cdots \times T_n \mid T_1 + \cdots + T_n \mid T_1 \to T_2$$

where $n$ ranges over nonnegative integers. For any type $T$, we write $\mathit{Free}(T)$ for the set of free type variables of $T$.

We assume $\mathit{TermVars}$ is an infinite set of names for term variables. A type context is a sequence of the form $\langle x_1 : T_1, \ldots, x_n : T_n\rangle$ where the $x_i$ are distinct term variables. We write $\Gamma(x)$ for the type associated to the term variable $x$ in $\Gamma$. The type context $\Gamma \setminus x$ is obtained by removing $x : \Gamma(x)$ from $\Gamma$ if $x \in \mathrm{Dom}(\Gamma)$, otherwise it is $\Gamma$. The type context $\Gamma\,\Gamma'$ is the concatenation of $\Gamma$ and $\Gamma'$, provided their domains are disjoint.

A signature is an ordered pair $(\Xi, \Gamma)$, where
- $\Xi$ is a finite subset of $\mathit{TypeVars}$, and
- $\Gamma$ is a type context such that $\mathit{Free}(\Gamma(x)) \subseteq \Xi$ for each $x \in \mathrm{Dom}(\Gamma)$.

Terms-in-context $\Xi; \Gamma \vdash t : T$ are built in the standard well-typed fashion from term variables, tuple formation, projection, injection, matching, $\lambda$-abstraction, and application:
- $\Xi; \Gamma \vdash x : T$ if $\Gamma(x) = T$;
- if $\Xi; \Gamma \vdash t_i : T_i$ for $i = 1, \ldots, n$, then $\Xi; \Gamma \vdash \langle t_1, \ldots, t_n\rangle : T_1 \times \cdots \times T_n$;
- if $\Xi; \Gamma \vdash t : T_1 \times \cdots \times T_n$, then $\Xi; \Gamma \vdash \pi_i(t) : T_i$ for $i = 1, \ldots, n$;
- if $\Xi; \Gamma \vdash t : T_i$, then $\Xi; \Gamma \vdash \mathrm{in}_i^{T_1 + \cdots + T_n}(t) : T_1 + \cdots + T_n$ for $i = 1, \ldots, n$;
- if $\Xi; \Gamma \vdash t : T_1 + \cdots + T_n$ and $\Xi; (\Gamma \setminus x)\langle x : T_i\rangle \vdash t_i : T$ for $i = 1, \ldots, n$, then $\Xi; \Gamma \vdash \mathrm{match}\ t\ \mathrm{with}\ \mathrm{in}_1(x) \Rightarrow t_1 \mid \cdots \mid \mathrm{in}_n(x) \Rightarrow t_n : T$;
- if $\Xi; (\Gamma \setminus x)\langle x : T_1\rangle \vdash t : T_2$, then $\Xi; \Gamma \vdash \lambda x : T_1 .\, t : T_1 \to T_2$;
- if $\Xi; \Gamma \vdash t_1 : T_1 \to T_2$ and $\Xi; \Gamma \vdash t_2 : T_1$, then $\Xi; \Gamma \vdash t_1\, t_2 : T_2$.

We write $\mathit{Free}(t)$ for the set of free term variables of $t$.

$\lambda$-calculus semantics. A set map is a partial map from $\mathit{TypeVars}$ to sets, whose domain is finite. For any type $T$, and any set map $\delta$ such that $\mathit{Free}(T) \subseteq \mathrm{Dom}(\delta)$, we write $\llbracket T\rrbracket_\delta$ for the denotational semantics of $T$ with respect to $\delta$:

$$\llbracket X\rrbracket_\delta = \delta\llbracket X\rrbracket, \qquad \llbracket T_1 \times \cdots \times T_n\rrbracket_\delta = \llbracket T_1\rrbracket_\delta \times \cdots \times \llbracket T_n\rrbracket_\delta,$$
$$\llbracket T_1 + \cdots + T_n\rrbracket_\delta = \{1\} \times \llbracket T_1\rrbracket_\delta \cup \cdots \cup \{n\} \times \llbracket T_n\rrbracket_\delta, \qquad \llbracket T_1 \to T_2\rrbracket_\delta = \llbracket T_1\rrbracket_\delta \to \llbracket T_2\rrbracket_\delta.$$

A value map is a map whose domain is a finite subset of $\mathit{TermVars}$. We write $\sigma[x \mapsto v]$ for the value map whose domain is $\mathrm{Dom}(\sigma) \cup \{x\}$, and which is defined by $\sigma[x \mapsto v]\llbracket x\rrbracket = v$ and $\sigma[x \mapsto v]\llbracket y\rrbracket = \sigma\llbracket y\rrbracket$ if $y \neq x$.

Given a type context $\Gamma$ and a set map $\delta$ such that $\mathit{Free}(\Gamma(x)) \subseteq \mathrm{Dom}(\delta)$ for each $x \in \mathrm{Dom}(\Gamma)$, we say that a value map $\sigma$ is with respect to $\Gamma$ and $\delta$ iff
- $\mathrm{Dom}(\sigma) = \mathrm{Dom}(\Gamma)$, and
- $\sigma\llbracket x\rrbracket \in \llbracket \Gamma(x)\rrbracket_\delta$ for each $x \in \mathrm{Dom}(\Gamma)$.

An instantiation of a signature $(\Xi, \Gamma)$ is an ordered pair $(\delta, \sigma)$ such that
- $\delta$ is a set map whose domain is $\Xi$, and
- $\sigma$ is a value map with respect to $\Gamma$ and $\delta$.

For any term $\Xi; \Gamma \vdash t : T$ and any instantiation $(\delta, \sigma)$, we write $\llbracket \Xi; \Gamma \vdash t : T\rrbracket_{(\delta, \sigma)}$ for the denotational semantics of $\Xi; \Gamma \vdash t : T$ with respect to $(\delta, \sigma)$. This is defined by
- $\llbracket \Xi; \Gamma \vdash x : T\rrbracket_{(\delta, \sigma)} = \sigma\llbracket x\rrbracket$;
- $\llbracket \Xi; \Gamma \vdash \langle t_1, \ldots, t_n\rangle : T_1 \times \cdots \times T_n\rrbracket_{(\delta, \sigma)} = (\llbracket \Xi; \Gamma \vdash t_1 : T_1\rrbracket_{(\delta, \sigma)}, \ldots, \llbracket \Xi; \Gamma \vdash t_n : T_n\rrbracket_{(\delta, \sigma)})$;
- $\llbracket \Xi; \Gamma \vdash \pi_i(t) : T_i\rrbracket_{(\delta, \sigma)} = v_i$ if $\llbracket \Xi; \Gamma \vdash t : T_1 \times \cdots \times T_n\rrbracket_{(\delta, \sigma)} = (v_1, \ldots, v_n)$;
- $\llbracket \Xi; \Gamma \vdash \mathrm{in}_i^{T_1 + \cdots + T_n}(t) : T_1 + \cdots + T_n\rrbracket_{(\delta, \sigma)} = (i, \llbracket \Xi; \Gamma \vdash t : T_i\rrbracket_{(\delta, \sigma)})$;
- $\llbracket \Xi; \Gamma \vdash \mathrm{match}\ t\ \mathrm{with}\ \mathrm{in}_1(x) \Rightarrow t_1 \mid \cdots \mid \mathrm{in}_n(x) \Rightarrow t_n : T\rrbracket_{(\delta, \sigma)} = \llbracket \Xi; (\Gamma \setminus x)\langle x : T_i\rangle \vdash t_i : T\rrbracket_{(\delta, \sigma[x \mapsto v])}$ if $\llbracket \Xi; \Gamma \vdash t : T_1 + \cdots + T_n\rrbracket_{(\delta, \sigma)} = (i, v)$;
- $\llbracket \Xi; \Gamma \vdash \lambda x : T_1 .\, t : T_1 \to T_2\rrbracket_{(\delta, \sigma)} = f$ where $f(v) = \llbracket \Xi; (\Gamma \setminus x)\langle x : T_1\rangle \vdash t : T_2\rrbracket_{(\delta, \sigma[x \mapsto v])}$;
- $\llbracket \Xi; \Gamma \vdash t_1\, t_2 : T_2\rrbracket_{(\delta, \sigma)} = \llbracket \Xi; \Gamma \vdash t_1 : T_1 \to T_2\rrbracket_{(\delta, \sigma)}(\llbracket \Xi; \Gamma \vdash t_2 : T_1\rrbracket_{(\delta, \sigma)})$.

Some abbreviations. We define some standard types:

$$\mathit{Unit} = \text{the empty product type}, \qquad \mathit{Bool} = \mathit{Unit} + \mathit{Unit}, \qquad \mathit{Enum}_k = \underbrace{\mathit{Unit} + \cdots + \mathit{Unit}}_{k}.$$

We also define terms and values:

$$\mathit{false} = \mathrm{in}_1^{\mathit{Bool}}(\langle\rangle) \text{ denoting } \mathit{false} = (1, ()), \qquad \mathit{true} = \mathrm{in}_2^{\mathit{Bool}}(\langle\rangle) \text{ denoting } \mathit{true} = (2, ()),$$

so that we have $\llbracket \mathit{Bool}\rrbracket_{\{\}} = \{\mathit{false}, \mathit{true}\}$ and $\llbracket \mathit{Enum}_k\rrbracket_{\{\}} = \{(1, ()), \ldots, (k, ())\}$.

Logical relations. A relation map is a triple $(\rho, \delta, \delta')$ such that
- $\rho$ is a partial map from $\mathit{TypeVars}$ to relations, whose domain is finite,
- $\delta$ and $\delta'$ are set maps with the same domain as $\rho$, and
- $\rho\llbracket X\rrbracket$ is a relation between $\delta\llbracket X\rrbracket$ and $\delta'\llbracket X\rrbracket$, for each $X \in \mathrm{Dom}(\rho)$.

A relation map $(\rho, \delta, \delta')$ determines a logical relation [20] indexed by the types $T$ such that $\mathit{Free}(T) \subseteq \mathrm{Dom}(\rho)$.
For any such type $T$, we write $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$ for the component at $T$ of the logical relation. This is a relation between the sets $\llbracket T\rrbracket_\delta$ and $\llbracket T\rrbracket_{\delta'}$, and is defined by

$$\llbracket X\rrbracket_{(\rho, \delta, \delta')} = \rho\llbracket X\rrbracket$$
$$\llbracket T_1 \times \cdots \times T_n\rrbracket_{(\rho, \delta, \delta')} = \{(a, a') \mid \forall i \in \{1, \ldots, n\}.\ \pi_i(a)\, \llbracket T_i\rrbracket_{(\rho, \delta, \delta')}\, \pi_i(a')\}$$
$$\llbracket T_1 + \cdots + T_n\rrbracket_{(\rho, \delta, \delta')} = \{((i, a), (i', a')) \mid i = i' \wedge a\, \llbracket T_i\rrbracket_{(\rho, \delta, \delta')}\, a'\}$$
$$\llbracket T_1 \to T_2\rrbracket_{(\rho, \delta, \delta')} = \{(f, f') \mid \forall a, a'.\ a\, \llbracket T_1\rrbracket_{(\rho, \delta, \delta')}\, a' \Rightarrow f(a)\, \llbracket T_2\rrbracket_{(\rho, \delta, \delta')}\, f'(a')\}$$

Labelled transition systems. An LTS is a tuple $S = (A, B, I, \to)$ such that $A$ and $B$ are sets, $I \subseteq A$ and $\to \subseteq A \times B \times A$. We say that $A$ is the set of states, $B$ is the set of transition labels, $I$ is the set of initial states, and $\to$ is the transition relation. We write $a_1 \xrightarrow{b} a_2$ for $(a_1, b, a_2) \in \to$.

3 Parametric Families

If $(\Xi, \Gamma)$ is a signature, then the semantics of a term or program which uses $(\Xi, \Gamma)$, with respect to a class $\mathcal{I}$ of instantiations of $(\Xi, \Gamma)$, can be seen as a family of semantic elements which is indexed by $\mathcal{I}$. We now define three kinds of such families, namely those of values, sets and LTSs. In the first two cases, there is a type $T$ such that the family member whose index is $(\delta, \sigma)$ is an element/subset of $\llbracket T\rrbracket_\delta$. In the case of LTSs, there are two types $T$ and $U$ which determine the sets of states and transition labels of family members.

Definition 1 (families). A family of values, sets, or LTSs (respectively) is of the form $(\Xi, \Gamma, T, \mathcal{I}, v)$, $(\Xi, \Gamma, T, \mathcal{I}, N)$, or $(\Xi, \Gamma, T, U, \mathcal{I}, S)$. $(\Xi, \Gamma)$ is a signature, $T$ and $U$ are types such that $\mathit{Free}(T) \subseteq \Xi$ and $\mathit{Free}(U) \subseteq \Xi$, and $\mathcal{I}$ is a class of instantiations of $(\Xi, \Gamma)$. The vectors $v$, $N$ and $S$ are indexed by elements of $\mathcal{I}$. For each $(\delta, \sigma) \in \mathcal{I}$, we have $v_{(\delta, \sigma)} \in \llbracket T\rrbracket_\delta$, $N_{(\delta, \sigma)} \subseteq \llbracket T\rrbracket_\delta$, and $S_{(\delta, \sigma)}$ is an LTS with set of states $\llbracket T\rrbracket_\delta$ and set of transition labels $\llbracket U\rrbracket_\delta$. □

Logical relations can be used as follows to define when a family is parametric. We shall see below that families arising as semantics of $\lambda$-calculus terms or of symbolic LTSs have this property.
The details are as in [15], except that here we treat families of values and sets explicitly, because they will be used later in the paper. The definitions of when two sets/LTSs are related can be seen as liftings of logical relations to powerset/LTS types, although we do not give such types first-class status. A more general treatment of such liftings of logical relations can be found in [8].

Definition 2 (related sets). Suppose:
- $P$ is a relation between $N$ and $N'$;
- $M \subseteq N$ and $M' \subseteq N'$.

We say that $P$ relates $M$ and $M'$ iff

$$\forall x \in M\ \exists x' \in M'.\ (x, x') \in P \qquad \text{and} \qquad \forall x' \in M'\ \exists x \in M.\ (x, x') \in P. \quad □$$

Definition 3 (universal partial $R$-bisimulation). Suppose:
- $P$ is a relation between $A$ and $A'$;
- $R$ is a relation between $B$ and $B'$;
- $S = (A, B, I, \to)$ and $S' = (A', B', I', \to')$ are LTSs.

We say that $P$ is a universal partial $R$-bisimulation between $S$ and $S'$ iff
(i) whenever $a P a'$ then $a \in I$ iff $a' \in I'$, and
(ii) whenever $a_1 P a_1'$ and $b R b'$, then $P$ relates $\{a_2 \mid a_1 \xrightarrow{b} a_2\}$ and $\{a_2' \mid a_1' \xrightarrow{b'}{}' a_2'\}$. □

Definition 4 (parametric families). A family $(\Xi, \Gamma, T, \mathcal{I}, v)$, $(\Xi, \Gamma, T, \mathcal{I}, N)$, or $(\Xi, \Gamma, T, U, \mathcal{I}, S)$ (respectively) is parametric iff, for any $(\delta, \sigma), (\delta', \sigma') \in \mathcal{I}$, and any relation map $(\rho, \delta, \delta')$ such that

$$\forall x \in \mathrm{Dom}(\Gamma).\ \sigma\llbracket x\rrbracket\ \llbracket \Gamma(x)\rrbracket_{(\rho, \delta, \delta')}\ \sigma'\llbracket x\rrbracket$$

we have
- $v_{(\delta, \sigma)}\ \llbracket T\rrbracket_{(\rho, \delta, \delta')}\ v_{(\delta', \sigma')}$,
- $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$ relates $N_{(\delta, \sigma)}$ and $N_{(\delta', \sigma')}$, or
- $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$ is a universal partial $\llbracket U\rrbracket_{(\rho, \delta, \delta')}$-bisimulation between $S_{(\delta, \sigma)}$ and $S_{(\delta', \sigma')}$. □

We can now state the Basic Lemma of logical relations [20] in the following way.

Proposition 1. For any term $\Xi; \Gamma \vdash t : T$ and class $\mathcal{I}$ of instantiations of $(\Xi, \Gamma)$, the family $(\Xi, \Gamma, T, \mathcal{I}, \llbracket t\rrbracket)$ is parametric. □

Signatures which consist of equality predicates, uninterpreted predicates, and uninterpreted constants will be important later in the paper, as will types which are sums of products of type variables, and classes of instantiations whose only restriction is that equality predicates are interpreted as expected. These will determine the kind of parametric families of LTSs which our main result applies to.

Terminology 1. We say that a signature $(\Xi, \Gamma)$ is EPC iff $\Gamma = \Gamma_E\, \Gamma_P\, \Gamma_C$ such that
- any $\Gamma_E(e)$ is of the form $(X \times X) \to \mathit{Bool}$,
- any $\Gamma_P(p)$ is of the form $T \to \mathit{Enum}_k$ where $T$ is a product of type variables, and
- any $\Gamma_C(c)$ is a product of type variables.

A type $T$ is SP iff it is a sum of products of type variables.

The full class of instantiations of an EPC signature $(\Xi, \Gamma)$ consists of all $(\delta, \sigma)$ such that $\sigma\llbracket e\rrbracket$ is the equality predicate on $\delta\llbracket X\rrbracket$ for any $e : ((X \times X) \to \mathit{Bool})$ in $\Gamma_E$. □

Data independence was defined semantically in [15] as parametricity of families of LTSs whose signatures are EPC with only unary uninterpreted predicates, and whose classes of instantiations are full.

Example 1. Consider a family of LTSs defined as follows. The signature

$$\Xi = \{X\}, \qquad \Gamma = \langle p : X \to \mathit{Bool},\ q : (X \times X) \to \mathit{Bool}\rangle$$

consists of type variable $X$, unary uninterpreted predicate $p$ on $X$, and binary uninterpreted predicate $q$ on $X$. The type of states $T = X + (X \times X)$ can be seen as two control states, the first with one data item of type $X$, the second with two data items of type $X$. The type of transition labels $U = X$ means that any transition has a parameter of type $X$. $\mathcal{I}$ consists of all instantiations of $(\Xi, \Gamma)$, and any $S_{(\delta, \sigma)}$ is such that
- a state is initial iff it is the first control state together with data $u$ which satisfies $p$, and
- a transition is from the first control state to the second provided either the parameter $w$ satisfies $p$ and the two target data items $v_1$ and $v_2$ are set to $w$ and the source data $u$, or $(u, w)$ satisfies $q$ and $v_1$, $v_2$ are set to $u$, $w$.

More formally:

$$I_{(\delta, \sigma)} = \{(1, u) \mid \sigma\llbracket p\rrbracket(u)\}$$
$$\to_{(\delta, \sigma)} = \{((1, u), w, (2, (v_1, v_2))) \mid (\sigma\llbracket p\rrbracket(w) \wedge v_1 = w \wedge v_2 = u) \vee (\sigma\llbracket q\rrbracket(u, w) \wedge v_1 = u \wedge v_2 = w)\}$$

It is straightforward to check that this family is parametric. In fact, as we shall see in Example 2, it is the semantics of a symbolic LTS.

Let $\delta\llbracket X\rrbracket = \{\bullet, \blacksquare\}$ and $\delta'\llbracket X\rrbracket = \{\blacklozenge, \heartsuit, \blacktriangle\}$.
Let $\sigma$ and $\sigma'$ be such that $\sigma\llbracket p\rrbracket$ holds only on $\bullet$, $\sigma'\llbracket p\rrbracket$ holds on $\blacklozenge$ and $\heartsuit$, and $\sigma\llbracket q\rrbracket$ and $\sigma'\llbracket q\rrbracket$ hold on all pairs. Define $\rho\llbracket X\rrbracket$ by $\bullet\, \rho\llbracket X\rrbracket\, \blacklozenge$ and $\bullet\, \rho\llbracket X\rrbracket\, \heartsuit$. Then $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$ is a universal partial $\llbracket U\rrbracket_{(\rho, \delta, \delta')}$-bisimulation between $S_{(\delta, \sigma)}$ and $S_{(\delta', \sigma')}$, and the following figure is a simple illustration.

[Figure: the LTSs $S_{(\delta, \sigma)}$ and $S_{(\delta', \sigma')}$, with the initial state $(1, \bullet)$ of the former drawn beside the initial states $(1, \blacklozenge)$ and $(1, \heartsuit)$ of the latter, and the states $(2, (\cdot, \cdot))$ reached by their transitions.] □

4 Symbolic Labelled Transition Systems

The notion of SLTSs we define below is a formalism for expressing nondeterministic reactive systems, which is based on the simply typed $\lambda$-calculus introduced in Section 2.

An SLTS $\mathbf{S}$ computes on types built from type variables from $\Xi$, using operations from $\Gamma$, where $(\Xi, \Gamma)$ is a signature. $\mathbf{S}$ has a set $\mathcal{A}$ of symbolic states, and a set $\mathcal{B}$ of symbolic labels. The elements of $\mathcal{A}$ and $\mathcal{B}$ have associated type contexts $\Delta(a)$ and $\Lambda(b)$. Symbolic states can be thought of as control states, where $\Delta(a)$ are data variables at $a$. Similarly, symbolic labels can be thought of as kinds of transitions, so that $\Lambda(b)$ are parameters for transitions of kind $b$.

The initial states of $\mathbf{S}$ are given as a set of pairs $(a, t)$, where $t$ is a $\lambda$-calculus term of type $\mathit{Bool}$ which specifies which data values associated with the symbolic state $a$ form initial states.

The transitions of $\mathbf{S}$ are given by symbolic transitions. A symbolic transition has source and target symbolic states, a symbolic label, a guard, and an assignment. The guard is a $\lambda$-calculus term of type $\mathit{Bool}$ which determines when the symbolic transition is enabled, in which case the action of the symbolic transition is to set each data variable at the target symbolic state according to the assignment. In particular, the lifetime of data variables and transition parameters is one transition.

Nondeterminism is present when $\mathbf{S}$ has more than one symbolic transition with the same source symbolic state and the same symbolic label.

The fact that SLTSs allow different sets of data variables at different symbolic states can be used e.g. to model data which is local to a part of the system. Observe also that a portion of data in a system (such as data which is not treated in a data independent manner) can be modelled non-symbolically by regarding it as part of control.

SLTSs are similar to a number of formalisms in the literature, e.g. [9, 2, 3]. They can also be seen as a graphical variant of UNITY [4].

Definition 5 (SLTS). $\mathbf{S}$ is an SLTS iff it is a tuple $(\Xi, \Gamma, \mathcal{A}, \Delta, \mathcal{B}, \Lambda, \mathcal{I}, \mathcal{R})$ such that:
- $(\Xi, \Gamma)$ is a signature.
- $\mathcal{A}$ and $\mathcal{B}$ are sets. We call elements of $\mathcal{A}$ symbolic states, and elements of $\mathcal{B}$ symbolic labels.
- $\Delta$ and $\Lambda$ are such that, for any $a \in \mathcal{A}$ and $b \in \mathcal{B}$, we have that $(\Xi, \Delta(a))$ and $(\Xi, \Lambda(b))$ are signatures, and that $\mathrm{Dom}(\Delta(a))$ and $\mathrm{Dom}(\Lambda(b))$ are disjoint from $\mathrm{Dom}(\Gamma)$.
- $\mathcal{I}$ is a set of ordered pairs $(a, t)$, where $a \in \mathcal{A}$ and $\Xi; \Gamma\, \Delta(a) \vdash t : \mathit{Bool}$ is a term. We say that $t$ is an initial condition, and that elements of $\mathcal{I}$ are symbolic initial states.
- $\mathcal{R}$ is a set of tuples of the form $(a_1, b, g, E, a_2)$ where $a_1, a_2 \in \mathcal{A}$, $b \in \mathcal{B}$, $\mathrm{Dom}(\Delta(a_1))$ and $\mathrm{Dom}(\Lambda(b))$ are disjoint, $\Xi; \Gamma\, \Delta(a_1)\, \Lambda(b) \vdash g : \mathit{Bool}$ is a term, and $E$ is such that, for any $x \in \mathrm{Dom}(\Delta(a_2))$, $\Xi; \Gamma\, \Delta(a_1)\, \Lambda(b) \vdash E(x) : \Delta(a_2)(x)$ is a term. We say that $a_1$ is the symbolic source state, $a_2$ is the symbolic target state, $g$ is the guard, $E$ is the assignment, $\mathcal{R}$ is the symbolic transition relation and its elements are symbolic transitions. We write $a_1\, [b : g \hookrightarrow E\rangle_{\mathcal{R}}\, a_2$ for $(a_1, b, g, E, a_2) \in \mathcal{R}$. □

Example 2. The following SLTS is illustrated in the figure.
- $\Xi = \{X\}$;
- $\Gamma = \langle p : X \to \mathit{Bool},\ q : (X \times X) \to \mathit{Bool}\rangle$;
- $\mathcal{A} = \{a_1, a_2\}$;
- $\Delta(a_1) = \langle x : X\rangle$, $\Delta(a_2) = \langle y_1 : X, y_2 : X\rangle$;
- $\mathcal{B} = \{b\}$;
- $\Lambda(b) = \langle z : X\rangle$;
- $\mathcal{I} = \{(a_1, p\, x)\}$;
- $a_1\, [b : p\, z \hookrightarrow \{y_1 \mapsto z, y_2 \mapsto x\}\rangle\, a_2$ and $a_1\, [b : q\, x\, z \hookrightarrow \{y_1 \mapsto x, y_2 \mapsto z\}\rangle\, a_2$ are the symbolic transitions.

[Figure: symbolic state $a_1$ with data variable $x : X$ and symbolic state $a_2$ with data variables $y_1 : X, y_2 : X$, joined by two $b$-transitions with parameter $z : X$; one guarded by $p\, z$ with assignment $y_1, y_2 := z, x$, the other guarded by $q\, x\, z$ with assignment $y_1, y_2 := x, z$.] □

Given an SLTS $\mathbf{S}$ and an instantiation $(\delta, \sigma)$ of its signature $(\Xi, \Gamma)$, we will define a concrete LTS $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)}$. Provided the sets of symbolic states and symbolic labels of $\mathbf{S}$ are finite, and given a class of instantiations of $(\Xi, \Gamma)$, the concrete LTSs $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)}$ will form a parametric family.

Notation 1. Given a signature $(\Xi, \Gamma)$, where $\Gamma = \langle x_1 : T_1, \ldots, x_n : T_n\rangle$, and a set map $\delta$ such that $\Xi \subseteq \mathrm{Dom}(\delta)$, let $\llbracket \Gamma\rrbracket_\delta$ be defined by

$$\llbracket \Gamma\rrbracket_\delta = \{(v_1, \ldots, v_n) \mid \forall i.\ v_i \in \llbracket T_i\rrbracket_\delta\}$$

Given a type context $\Gamma = \langle x_1 : T_1, \ldots, x_n : T_n\rangle$, a value map $\sigma$ such that $\mathrm{Dom}(\sigma) \cap \mathrm{Dom}(\Gamma) = \{\}$, and a tuple $v = (v_1, \ldots, v_n)$, let $\sigma[\Gamma \mapsto v]$ be the map $\sigma$ extended by $x_i \mapsto v_i$ for all $x_i \in \mathrm{Dom}(\Gamma)$. □

Definition 6 (semantics of SLTSs). Given an SLTS $\mathbf{S} = (\Xi, \Gamma, \mathcal{A}, \Delta, \mathcal{B}, \Lambda, \mathcal{I}, \mathcal{R})$ and an instantiation $(\delta, \sigma)$ of $(\Xi, \Gamma)$, let $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)}$ be the LTS $(A, B, I, \to)$ defined as follows:
- $A = \{(a, v) \mid a \in \mathcal{A} \wedge v \in \llbracket \Delta(a)\rrbracket_\delta\}$.
- $B = \{(b, w) \mid b \in \mathcal{B} \wedge w \in \llbracket \Lambda(b)\rrbracket_\delta\}$.
- $I = \bigcup_{(a, t) \in \mathcal{I}} \llbracket (a, t)\rrbracket_{(\delta, \sigma)}$ where $\llbracket (a, t)\rrbracket_{(\delta, \sigma)} = \{(a, v) \in A \mid \llbracket \Xi; \Gamma\, \Delta(a) \vdash t : \mathit{Bool}\rrbracket_{(\delta, \sigma[\Delta(a) \mapsto v])} = \mathit{true}\}$.
- The transition relation $\to$ is the set of triples $((a_1, v^1), (b, w), (a_2, v^2)) \in A \times B \times A$ such that for some $g$ and $E$ we have $(a_1, b, g, E, a_2) \in \mathcal{R}$, $\llbracket \Xi; \Gamma\, \Delta(a_1)\, \Lambda(b) \vdash g : \mathit{Bool}\rrbracket_{(\delta, \sigma[\Delta(a_1) \mapsto v^1][\Lambda(b) \mapsto w])} = \mathit{true}$, and, for all $x_i \in \mathrm{Dom}(\Delta(a_2))$, $\llbracket \Xi; \Gamma\, \Delta(a_1)\, \Lambda(b) \vdash E(x_i) : \Delta(a_2)(x_i)\rrbracket_{(\delta, \sigma[\Delta(a_1) \mapsto v^1][\Lambda(b) \mapsto w])} = v^2_i$, where $x_i$ is the $i$th component of $\mathrm{Dom}(\Delta(a_2))$. □

Proposition 2. Suppose $\mathbf{S} = (\Xi, \Gamma, \mathcal{A}, \Delta, \mathcal{B}, \Lambda, \mathcal{I}, \mathcal{R})$ is an SLTS such that $\mathcal{A} = \{1, \ldots, n\}$ and $\mathcal{B} = \{1, \ldots, m\}$. Let

$$T = \sum_{i=1}^{n} \prod_{x \in \mathrm{Dom}(\Delta(i))} \Delta(i)(x), \qquad U = \sum_{j=1}^{m} \prod_{y \in \mathrm{Dom}(\Lambda(j))} \Lambda(j)(y)$$

For any class $\mathcal{I}$ of instantiations of $(\Xi, \Gamma)$, we have that $(\Xi, \Gamma, T, U, \mathcal{I}, \llbracket \mathbf{S}\rrbracket)$ is a parametric family of LTSs. □

When restricted to EPC signatures with only unary uninterpreted predicates and to full classes of instantiations, Proposition 2 states that the semantics of any syntactically data independent SLTS is data independent according to the semantic definition in [15].

Example 3. The SLTS in Example 2 yields (up to isomorphism) the parametric family of LTSs in Example 1, for the class of all instantiations. □
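The following is an added, executable illustration of Definition 6 and Definitions 2 to 4 on the SLTS of Example 2; it is not code from the paper. The SLTS is encoded as Python data (guards, initial conditions and assignments as functions rather than $\lambda$-terms, a simplification that is ours), `semantics` builds the concrete LTS of Definition 6 for a finite instantiation, and `universal_partial_bisimulation` checks the two conditions of Definition 3 with $P$ and $R$ the logical relation at the sum-of-products types $T = X + (X \times X)$ and $U = X$. The two instantiations and the relation $\rho\llbracket X\rrbracket$ are constructed for this example; `relation_map_ok` checks the hypothesis of Definition 4 (that $p$ and $q$ are related at their types), which is why the second, invalid relation map is allowed to fail the bisimulation test.

```python
from itertools import product

# Constructed encoding of the SLTS of Example 2 (not the paper's own code).
# Symbolic states carry data variables, symbolic labels carry parameters.
# Initial conditions and guards take the value map `sigma` (giving p and q)
# and an environment `env` binding data variables and parameters.
SLTS = {
    "states": {"a1": ("x",), "a2": ("y1", "y2")},
    "labels": {"b": ("z",)},
    "init": [("a1", lambda sigma, env: sigma["p"](env["x"]))],
    "trans": [
        # a1 [b : p z  ->  {y1 := z, y2 := x}> a2
        ("a1", "b", lambda sigma, env: sigma["p"](env["z"]),
         {"y1": lambda env: env["z"], "y2": lambda env: env["x"]}, "a2"),
        # a1 [b : q x z  ->  {y1 := x, y2 := z}> a2
        ("a1", "b", lambda sigma, env: sigma["q"](env["x"], env["z"]),
         {"y1": lambda env: env["x"], "y2": lambda env: env["z"]}, "a2"),
    ],
}

def semantics(slts, X, sigma):
    """Definition 6: the concrete LTS (A, B, I, ->) for delta[X] = X and value map sigma."""
    states = {(a, v) for a, xs in slts["states"].items() for v in product(X, repeat=len(xs))}
    labels = {(b, w) for b, ys in slts["labels"].items() for w in product(X, repeat=len(ys))}
    init = set()
    for a, t in slts["init"]:
        xs = slts["states"][a]
        init |= {(a, v) for v in product(X, repeat=len(xs)) if t(sigma, dict(zip(xs, v)))}
    trans = set()
    for a1, b, g, E, a2 in slts["trans"]:
        xs, ys, zs = slts["states"][a1], slts["labels"][b], slts["states"][a2]
        for v in product(X, repeat=len(xs)):
            for w in product(X, repeat=len(ys)):
                env = dict(zip(xs + ys, v + w))
                if g(sigma, env):
                    trans.add(((a1, v), (b, w), (a2, tuple(E[z](env) for z in zs))))
    return states, labels, init, trans

def lift(rho):
    """Logical relation at a sum of products: same summand, components related by rho."""
    return lambda s, t: (s[0] == t[0] and len(s[1]) == len(t[1])
                         and all((u, u2) in rho for u, u2 in zip(s[1], t[1])))

def relates(P, M, M2):
    """Definition 2: every element of M has a P-partner in M2 and vice versa."""
    return (all(any(P(x, x2) for x2 in M2) for x in M)
            and all(any(P(x, x2) for x in M) for x2 in M2))

def universal_partial_bisimulation(rho, lts, lts2):
    """Definition 3 with P = R = the lifting of rho to states and labels."""
    A, B, I, T = lts
    A2, B2, I2, T2 = lts2
    P = lift(rho)
    for a in A:
        for a2 in A2:
            if not P(a, a2):
                continue
            if (a in I) != (a2 in I2):          # condition (i)
                return False
            for b in B:
                for b2 in B2:
                    if not P(b, b2):
                        continue
                    succ = {t for (s, l, t) in T if s == a and l == b}
                    succ2 = {t for (s, l, t) in T2 if s == a2 and l == b2}
                    if not relates(P, succ, succ2):  # condition (ii)
                        return False
    return True

def relation_map_ok(rho, sigma, sigma2):
    """Hypothesis of Definition 4: p related at X -> Bool, q related at (X x X) -> Bool."""
    return (all(sigma["p"](u) == sigma2["p"](u2) for (u, u2) in rho)
            and all(sigma["q"](u, v) == sigma2["q"](u2, v2)
                    for (u, u2) in rho for (v, v2) in rho))

# Constructed instantiations: p holds only on 1 in the first, on "a" and "b" in the
# second; q holds on all pairs in both (as in the illustration after Example 1).
X1, SIGMA1 = {1, 2}, {"p": lambda u: u == 1, "q": lambda u, v: True}
X2, SIGMA2 = {"a", "b", "c"}, {"p": lambda u: u in ("a", "b"), "q": lambda u, v: True}

def check(rho):
    """Return (relation map satisfies Definition 4's hypothesis, Definition 3 holds)."""
    lts1, lts2 = semantics(SLTS, X1, SIGMA1), semantics(SLTS, X2, SIGMA2)
    return relation_map_ok(rho, SIGMA1, SIGMA2), universal_partial_bisimulation(rho, lts1, lts2)

if __name__ == "__main__":
    print(check({(1, "a"), (1, "b")}))   # (True, True): a valid relation map, bisimulation holds
    print(check({(2, "a")}))             # (False, False): p(2) differs from p("a"), so not a relation map
```

Relating 1 to both "a" and "b" is the choice forced by the predicates: 2 does not satisfy $p$ while "a" and "b" do, so any relation map pairing 2 with either of them violates the hypothesis of Definition 4, and the bisimulation check is then not required to succeed.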
5 Definability

This section contains the main result of the paper, namely that any parametric family of LTSs whose signature is EPC, whose types of states and transition labels are SP, and whose class of instantiations is full, is definable by an SLTS. In particular, this shows that the semantic definition of data independence in [15] is sufficiently strong. The SP assumption is equivalent to assuming absence of the function-type construct, which is done in the reduction theorems in [15].

Before the theorem, we present a proposition and a lemma which are used in its proof.

Proposition 3. For any parametric family of values $(\Xi, \Gamma, T, \mathcal{I}, v)$ such that $(\Xi, \Gamma)$ is EPC, $T$ is SP, and $\mathcal{I}$ is full, there exists a term $\Xi; \Gamma \vdash s : T$ such that, for any $(\delta, \sigma) \in \mathcal{I}$, $\llbracket s\rrbracket_{(\delta, \sigma)} = v_{(\delta, \sigma)}$, and such that $s$ is of the form

$$\mathrm{match}\ h\ \mathrm{with}\ \mathrm{in}_1(x) \Rightarrow \mathrm{in}^T_{R_1}(r_1) \mid \cdots \mid \mathrm{in}_H(x) \Rightarrow \mathrm{in}^T_{R_H}(r_H)$$

where $H \in \mathbb{N}$, $\Xi; \Gamma \vdash h : \mathit{Enum}_H$ is a term, $T = \sum_{i=1}^{n} T_i$, and for each $i$, $R_i \in \{1, \ldots, n\}$ and $\Xi; \Gamma_C \vdash r_i : T_{R_i}$ is a term.

Proof outline. The class $\mathcal{I}$ can be split into finitely many subclasses according to the results of all possible applications of the equality predicates and the uninterpreted predicates to the uninterpreted constants. The subclasses have the property that two instantiations can be related by a relation map iff they belong to the same subclass. The term $s$ can be defined by letting $H$ be the number of subclasses. Each $R_i$ and $r_i$ are defined by considering an instantiation from the corresponding subclass which, for any $X \in \Xi$ without an equality predicate in $\Gamma_E$, instantiates any two uninterpreted constant components of type $X$ by distinct values. □

Example 4. This example (due to Plotkin) shows that Proposition 3 cannot be extended straightforwardly to signatures which contain types such as $X \to X$. It is a parametric family of values which is not definable. The signature consists of one type variable $X$, predicate $p : X \to \mathit{Bool}$, operation $s : X \to X$, and constant $z : X$. The type of the family is $\mathit{Bool}$, and for any instantiation $(\delta, \sigma)$ of the signature, the member $v_{(\delta, \sigma)}$ is defined to be $\mathit{true}$ iff, for all $n \in \mathbb{N}$, the result of applying $n$ times $\sigma\llbracket s\rrbracket$ to $\sigma\llbracket z\rrbracket$ satisfies $\sigma\llbracket p\rrbracket$. □

Terminology 2. We say that a family of sets is deterministic iff each set of the family is either the empty set or a singleton. □

Notation 2. We write $(\Xi, \Gamma, T, \mathcal{I}, N) \sqsubseteq (\Xi', \Gamma', T', \mathcal{I}', N')$ iff we have $\Xi = \Xi'$, $\Gamma = \Gamma'$, $T = T'$, $\mathcal{I} = \mathcal{I}'$, and $N_{(\delta, \sigma)} \subseteq N'_{(\delta, \sigma)}$ for all $(\delta, \sigma) \in \mathcal{I}$. We write $(\Xi, \Gamma, T, \mathcal{I}, N) \sqcup (\Xi, \Gamma, T, \mathcal{I}, N')$ for the family of sets $(\Xi, \Gamma, T, \mathcal{I}, M)$ where, for any $(\delta, \sigma) \in \mathcal{I}$, $M_{(\delta, \sigma)} = N_{(\delta, \sigma)} \cup N'_{(\delta, \sigma)}$. □

Lemma 1. Given any parametric family of sets $\mathcal{N} = (\Xi, \Gamma, T, \mathcal{I}, N)$ such that $(\Xi, \Gamma)$ is EPC, $T$ is SP, and $\mathcal{I}$ is full, there are parametric families of sets $\mathcal{M}_1, \ldots, \mathcal{M}_m$ such that:
(i) $\mathcal{M}_i \sqsubseteq \mathcal{N}$ for each $i$;
(ii) $\mathcal{M}_i$ is deterministic for each $i$;
(iii) given any parametric family of sets $\mathcal{M}'$ such that $\mathcal{M}' \sqsubseteq \mathcal{N}$ and $\mathcal{M}'$ is deterministic, it is equal to $\mathcal{M}_i$ for some $i$;
(iv) $\bigsqcup_{i=1}^{m} \mathcal{M}_i = \mathcal{N}$. □

The proof of Lemma 1 has similar structure to the proof of Proposition 3, which means that the definability of families of sets can be shown somewhat more directly than by combining the two results. However, Lemma 1 is of wider interest, since it shows that definability of parametric nondeterministic families can be reduced to definability of finitely many parametric deterministic families.

Example 5. Recall the SLTS in Example 2 and its semantics (up to isomorphism) in Example 1. Take $\mathcal{N}$ to be the family of sets corresponding to the nondeterministic computation at symbolic state $a_1$ and symbolic label $b$. Its signature is

$$\Xi = \{X\} \qquad \text{and} \qquad \Gamma = \langle p : X \to \mathit{Bool},\ q : (X \times X) \to \mathit{Bool},\ x : X,\ z : X\rangle$$

The type of $\mathcal{N}$ is $X \times X$, and the class consists of all instantiations of $(\Xi, \Gamma)$. For any $(\delta, \sigma)$, $N_{(\delta, \sigma)}$ is the set of all outcomes of the two symbolic transitions when $p$, $q$, $x$ and $z$ have the values given by $\sigma$. If neither symbolic transition is enabled, $N_{(\delta, \sigma)} = \{\}$.

Similarly, we can let $\mathcal{M}_1$ and $\mathcal{M}_2$ be families of sets corresponding to the two symbolic transitions respectively. Parametricity of these families of sets follows from parametricity of the family of LTSs. Also, $\mathcal{M}_1$ and $\mathcal{M}_2$ are deterministic, and $\mathcal{M}_1 \sqcup \mathcal{M}_2 = \mathcal{N}$. Therefore, $\mathcal{M}_1$ and $\mathcal{M}_2$ are two of the families corresponding to $\mathcal{N}$ in the statement of Lemma 1. There are others, e.g. the empty family. □

Theorem 1. For any parametric family of LTSs $(\Xi, \Gamma, T, U, \mathcal{I}, S)$ such that $(\Xi, \Gamma)$ is EPC, $T$ and $U$ are SP, and $\mathcal{I}$ is full, there exists a finite SLTS $\mathbf{S}$ with the same signature and such that, for any $(\delta, \sigma) \in \mathcal{I}$, $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)} = S_{(\delta, \sigma)}$.

Proof outline. Symbolic states and symbolic labels of $\mathbf{S}$ are defined to correspond to the sum components of $T$ and $U$. For each symbolic state $a$, the sets of initial states of $S_{(\delta, \sigma)}$ restricted to $a$ form a parametric family of predicates, so that Proposition 3 can be applied to obtain the initial condition at $a$. For each symbolic state $a$ and symbolic label $b$, the transitions of the concrete LTSs $S_{(\delta, \sigma)}$ form a parametric family of sets whose type is $T$. Lemma 1 can be applied to this family to yield a finite number of deterministic families. Symbolic transitions of $\mathbf{S}$ are then obtained by applying Proposition 3 to families of values which correspond to the deterministic families of sets. □

Example 6. Theorem 1 applies to the family of LTSs in Example 1. We already saw that this family is definable (up to isomorphism) by the SLTS in Example 2. □

6 Conclusions

This paper answers negatively the question of whether there are any data independent families of LTSs [15] which do not arise as semantics of any syntactically data independent system. Thus we confirm that the semantic definition of data independence is suitable for reasoning about data independent systems without being tied to a particular syntax.
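As an added illustration of the proof idea of Proposition 3 (not code from the paper), the following script works through the subclass splitting on a small EPC signature constructed for the purpose: $\Xi = \{X\}$, an equality predicate on $X$, one unary predicate $p$, two constants $c, d : X$, and $T = X$. Finite instantiations of sizes 1 to 3 are enumerated; `subclass` records the results of applying the equality predicate and $p$ to the constants, which is exactly the data that decides whether two instantiations can be related by a relation map. `reconstruct` then builds the case-split term $s$ of the proposition as a table from subclass to the constant $r_i$ whose value equals $v$ at a representative, and `agrees` checks that the reconstructed term denotes the family everywhere. The family names and the parity family are constructed here to show the contrast: a parametric family is recovered exactly, while a family that depends on the size of $\delta\llbracket X\rrbracket$ (which no term can observe) is not.

```python
from itertools import product

# Constructed finite instantiations of the signature {X}; e : X*X -> Bool (equality),
# p : X -> Bool, c : X, d : X. The equality predicate is interpreted as ==,
# as required of the full class of instantiations.
def instantiations(max_size=3):
    for n in range(1, max_size + 1):
        X = list(range(n))
        for p_true in product([False, True], repeat=n):
            for c, d in product(X, repeat=2):
                yield X, {"p": dict(zip(X, p_true)), "c": c, "d": d}

def subclass(sigma):
    """Results of all applications of e and p to the constants: p(c), p(d), e(c, d).
    Two instantiations are related by some relation map iff these agree."""
    c, d, p = sigma["c"], sigma["d"], sigma["p"]
    return (p[c], p[d], c == d)

def reconstruct(family, insts):
    """Build the term s of Proposition 3 as a table: subclass -> constant r_i.
    The representative of each subclass is the first instantiation met in it."""
    table = {}
    for X, sigma in insts:
        key = subclass(sigma)
        if key in table:
            continue
        v = family(X, sigma)
        consts = [name for name in ("c", "d") if sigma[name] == v]
        table[key] = consts[0] if consts else None   # None: v is not the value of any constant
    return table

def denotes(table, X, sigma):
    """Denotation of the reconstructed term at an instantiation (None if undefined)."""
    r = table[subclass(sigma)]
    return None if r is None else sigma[r]

def agrees(family, max_size=3):
    """Does the term reconstructed from one representative per subclass denote
    `family` on every enumerated instantiation?"""
    insts = list(instantiations(max_size))
    table = reconstruct(family, insts)
    return all(denotes(table, X, s) == family(X, s) for X, s in insts)

# A parametric family of values of type X (definable, as Proposition 3 predicts).
def parametric_family(X, sigma):
    return sigma["c"] if sigma["p"][sigma["c"]] else sigma["d"]

# A family that inspects the cardinality of delta[X]; it is not parametric, and the
# reconstruction from subclass representatives does not recover it.
def parity_family(X, sigma):
    return sigma["c"] if len(X) % 2 == 0 else sigma["d"]

if __name__ == "__main__":
    table = reconstruct(parametric_family, list(instantiations()))
    print(len(table), "subclasses:", table)   # 6 subclasses
    print(agrees(parametric_family), agrees(parity_family))   # True False
```

There are six subclasses rather than eight because $c = d$ forces $p(c) = p(d)$. The enumeration over sets of bounded size is only an illustration of the argument: the proposition is stated for the whole full class, where the same finitely many subclasses appear.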
More precisely, we showed that any parametric family of LTSs whose signature consists of equality predicates, uninterpreted predicates of arbitrary arity, and uninterpreted constants, and whose types of states and transition labels do not contain functions, is definable by a symbolic LTS. Data independence is the special case with only unary uninterpreted predicates.

From another point of view, we demonstrated that when binary logical relations are extended to nondeterministic computation by means of bisimulation, they can be used to ensure that any parametric family is definable. Future work should investigate definability of parametric families in settings where powerset types have first-class status [16, 11, 8].

Acknowledgements. We are grateful to Samson Abramsky, Brian Dunphy, Andrew Pitts, Gordon Plotkin, Uday Reddy, Bill Roscoe and Alex Simpson for useful discussions, and to the anonymous referees for their helpful comments.

References

1. M. Alimohamed. A characterization of lambda definability in categorical models of implicit polymorphism. Theoretical Computer Science, 146:5-23, 1995.
2. J. Bohn, W. Damm, O. Grumberg, H. Hungar, and K. Laster. First-order-CTL model checking. In Foundations of Software Technology and Theoretical Computer Science (FST&TCS'98), volume 1530 of Lecture Notes in Computer Science, pages 283-294. Springer-Verlag, 1998.
3. M. Calder and C. Shankland. A symbolic semantics and bisimulation for full LOTOS. In International Conference on Formal Description Techniques for Networked and Distributed Systems (FORTE'01), pages 184-200. Kluwer Academic Publishers, 2001.
4. K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley, 1988.
5. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
6. D. Dill, R. Hojati, and R. K. Brayton. Verifying linear temporal properties of data intensive controllers using finite instantiations. In Hardware Description Languages and their Applications (CHDL '97). Chapman and Hall, 1997.
7. M. Fiore and A. Simpson. Lambda definability with sums via Grothendieck logical relations. In Proceedings of the 4th International Conference on Typed Lambda Calculi and Applications (TLCA'99), volume 1581 of Lecture Notes in Computer Science, pages 147-161. Springer-Verlag, 1999.
8. J. Goubault-Larrecq, S. Lasota, and D. Nowak. Logical relations for monadic types. In Proceedings of the 11th Annual Conference of the European Association for Computer Science Logic (CSL'02), volume 2471 of Lecture Notes in Computer Science, pages 553-568. Springer-Verlag, 2002.
9. M. Hennessy and H. Lin. Symbolic bisimulations. Theoretical Computer Science, 138(2):353-389, 1995.
10. C. N. Ip and D. L. Dill. Better verification through symmetry. Formal Methods in System Design: An International Journal, 9(1/2):41-75, 1996.
11. A. Jeffrey. A fully abstract semantics for a higher-order functional language with nondeterministic computation. Theoretical Computer Science, 228:105-150, 1999.
12. B. Jonsson and J. Parrow. Deciding bisimulation equivalences for a class of non-finite-state programs. Information and Computation, 107(2):272-302, 1993.
13. A. Jung and J. Tiuryn. A new characterization of lambda definability. In Proceedings of the 1st International Conference on Typed Lambda Calculi and Applications (TLCA'93), volume 664 of Lecture Notes in Computer Science, pages 245-257. Springer-Verlag, 1993.
14. R. Lazić. A Semantic Study of Data Independence with Applications to Model Checking. DPhil thesis, Oxford University Computing Laboratory, 1999.
15. R. Lazić and D. Nowak. A unifying approach to data-independence. In Proceedings of the 11th International Conference on Concurrency Theory (CONCUR 2000), volume 1877 of Lecture Notes in Computer Science, pages 581-595. Springer-Verlag, 2000.
16. T. Nipkow. Non-deterministic data types: models and implementations. Acta Informatica, 22(6):629-661, 1986.
17. G. D. Plotkin. Lambda-definability in the full type hierarchy. In To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 363-373. Academic Press, 1980.
18. S. Qadeer. Verifying sequential consistency on shared-memory multiprocessors by model checking. Research Report 176, Compaq, 2001.
19. R. Hojati and R. K. Brayton. Automatic datapath abstraction in hardware systems. In Proceedings of the 7th International Conference on Computer Aided Verification, volume 939 of Lecture Notes in Computer Science, pages 98-113. Springer-Verlag, 1995.
20. J. C. Reynolds. Types, abstraction and parametric polymorphism. In Proceedings of the 9th IFIP World Computer Congress (IFIP'83), pages 513-523. North-Holland, 1983.
21. A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers by data independence techniques. Journal of Computer Security, Special Issue on the 11th IEEE Computer Security Foundations Workshop (CSFW11), pages 147-190, 1999.
22. P. Wolper. Expressing interesting properties of programs in propositional temporal logic. In Conference Record of the 13th Annual ACM Symposium on Principles of Programming Languages, pages 184-193. ACM, 1986.

A Proofs

Proof (Proposition 2). Suppose
- $(\delta, \sigma)$ and $(\delta', \sigma')$ are two instantiations from $\mathcal{I}$,
- $(\rho, \delta, \delta')$ is a relation map such that $\forall x \in \mathrm{Dom}(\Gamma).\ \sigma\llbracket x\rrbracket\ \llbracket \Gamma(x)\rrbracket_{(\rho, \delta, \delta')}\ \sigma'\llbracket x\rrbracket$,
- $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)} = (A, B, I, \to)$ and $\llbracket \mathbf{S}\rrbracket_{(\delta', \sigma')} = (A', B', I', \to')$.

In order to prove that $(\Xi, \Gamma, T, U, \mathcal{I}, \llbracket \mathbf{S}\rrbracket)$ is parametric, we have to prove that $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$ is a universal partial $\llbracket U\rrbracket_{(\rho, \delta, \delta')}$-bisimulation between $\llbracket \mathbf{S}\rrbracket_{(\delta, \sigma)}$ and $\llbracket \mathbf{S}\rrbracket_{(\delta', \sigma')}$:
- Let $(i, v) \in A$ and $(i', v') \in A'$ be states related by $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$. Then $i = i'$. Suppose $(i, v) \in I$. By Definition 6, there exists an initial condition $t$ such that $(i, t) \in \mathcal{I}$ and $\llbracket \Xi; \Gamma\, \Delta(i) \vdash t : \mathit{Bool}\rrbracket_{(\delta, \sigma[\Delta(i) \mapsto v])} = \mathit{true}$. By Proposition 1, we have $\llbracket \Xi; \Gamma\, \Delta(i) \vdash t : \mathit{Bool}\rrbracket_{(\delta', \sigma'[\Delta(i) \mapsto v'])} = \mathit{true}$, so that $(i, v') \in I'$. In the same way, $(i, v') \in I'$ implies $(i, v) \in I$.
- Let $(i_1, v^1) \in A$ and $(i_1', v'^1) \in A'$ be states related by $\llbracket T\rrbracket_{(\rho, \delta, \delta')}$, and let $(j, w) \in B$ and $(j', w') \in B'$ be transition labels related by $\llbracket U\rrbracket_{(\rho, \delta, \delta')}$. Then $i_1 = i_1'$ and $j = j'$. Suppose $(i_1, v^1) \xrightarrow{(j, w)} (i_2, v^2)$.
By Denition 6, there exist a guard g and an assignment E suh that (i1 ; j; g; E; i2 ) 2 R and 0 0 (i1 ) (j ) ` g : BoolK(Æ;( J; 2 Dom((i )), (i ) (j ) ` E (xk ) : (i )(xk )K Æ; and, for any xk J; i v ( ) 1 ) 1 (j) w) = true 2 1 2 ( ( i v1 ) (j) w) ( ) 1 = vk2 where xk is the k th omponent of Dom((i2 )). Letting v 02 be the tuple dened by J; (i1 ) (j ) ` E (xk ) : (i2 )(xk )K(Æ ;( 0 (i1 ) v01 ) (j) w0 ) 0 = vk02 (j;w ) 0 it follows by Proposition 1 that (i2 ; v )JT K(;Æ;Æ ) (i2 ; v2 ) and (i1 ; v ) (i2 ; v 02 ). 2 0 0 01 ! 0 (j;w 0 ) In the same way, whenever (i1 ; v 01 ) !0 (i02 ; v 02 ), there exists v 2 suh that (j;w ) (i02 ; v 2 )JT K(;Æ;Æ ) (i02 ; v20 ) and (i1 ; v 1 ) ! (i02 ; v 2 ). ut 0 Proof (Proposition 3). Without loss of generality, we an assume form C is of the hij : Zi j i = 1; : : : ; l ^ j = 1; : : : ; li i where the Zi are mutually distint and = fZ ; : : : ; Zl g. 0 1 Let us say that two instantiations (Æ; ) and (Æ 0 ; 0 ) in I are related by R i they are related by some relation map (; Æ; Æ 0 ). It is straightforward to hek that R is an equivalene relation. Let I be the set of all (Æ; ) 2 I suh that: { if there is an equality prediate on Zi in E , then Æ JZi K is the set of equivalene lasses of an equivalene relation on fij j j = 1; : : : ; li0 g; { otherwise, ÆJZi K = ffij g j j = 1; : : : ; li g; { for any p 2 Dom( P ), JpK is arbitrary; { Jij K is the equivalene lass of ij . 0 It is routine to show that any equivalene lass of R ontains exatly one member of I . Sine I is a nite set, let H be its ardinality, and let f be a bijetion from f1; : : : ; H g to I . It is straightforward to dene a term ` h : Enum H suh that, for any (Æ; ) 2 I and i 2 f1; : : : ; H g, JhK Æ; = (i; ()) , (Æ; )Rf (i) For any i 2 f1; : : : ; H g, let ; ( ) (Ri ; (w1i ; : : : ; wni R )) = vf (i) 0 i 2 wji for all j . We have now dened H , h, and for eah i 2 f1; : : : ; H g, Ri and ri , whih provides a denition of s. 
Given (Æ; )inI , by onsidering i 2 f1; : : : ; H g suh that (Æ; )Rf (i), it follows that JsK Æ; = v Æ; . ut and dene ri as (di1 ; : : : ; din0R ), where dij i ( ( ) ) Proof (Lemma 1). Let us x notation for omponents of T by ni n Y X 0 T= i=1 j =1 Xi;j We use the same assumption about C as in the proof of Proposition 3, without loss of generality. We dene R, I , H and f as in the proof of Proposition 3. For any i 2 f1; : : : ; H g, Nf (i) is of the form f(Ri;j ; (wi;j ; : : : ; wni;jRi;j )) j j 2 f1; : : : ; Hi gg Let G be the set of all maps g on f1; : : : ; H g suh that, for any i, g (i) 2 f0; 1; : : : ; Hi g. We dene m as the ardinality of G, and for any g 2 G, we dene Mg as follows. Suppose (Æ; ) 2 I , let i 2 f1; : : : ; H g be suh that (Æ; )Rf (i), and let JX K = f(JK; JK) j ( : X ) 2 C g 1 0 0 0 0 where (Æ 0 ; 0 ) = f (i). Then (Æ; ) and (Æ 0 ; 0 ) are related by (; Æ; Æ 0 ). We dene M(gÆ;) = ( fg; if g(i) = 0 (i) (i) f(Ri;g(i) ; (ui;g ; : : : ; ui;g 1 nR 0 ))g; if g (i) 6= 0 i;g(i) i;g(i) i;g(i) where the uk are uniquely determined by uk JXRi;g(i) ;k Kwki;g(i) . It is straightforward to hek that eah g = (; ; T; ; M g ) is a parametri M I family of sets, and that (i){(iv) in the statement of the lemma hold. ut Proof (Theorem 1). Let us rst x some notation: ni n Y X 0 T= i=1 j =1 m0i m Y X Xi;j Yi;j i=1 j =1 S(Æ;) = (JT K(Æ;); JU K(Æ;) ; I(Æ;) ; U= ! Æ; ) ( ) We dene an SLTS S = (; ; A; ; B; ; I; R) as follows. A = f1; : : : ; ng (i) = hxi;j : Xi;j j j = 1; : : : ; ni i B = f1; : : : ; mg (i) = hyi;j : Yi;j j j = 1; : : : ; mi i 0 0 where the xi;j and yi;j do not appear in . Suppose i 2 A. Let V = (; (i); Bool; J ; v) be the family of values suh that J is full and true; if (i; (i)) 2 I v(Æ;) = f alse; otherwise (Æ; ) Then V is parametri, so Proposition 3 gives us a term ; (i) ` ti : Bool suh that Jti K(Æ;) = v(Æ;) for all (Æ; ) 2 J . We dene I = f(i; ti ) j i 2 Ag. Suppose i 2 A and j 2 B. 
Let N = (; (i) (j ); T; K; N ) be the family of sets suh that K is full and N(Æ; ) = fa j (i; (i)) (j; (j )) (Æ; ) ! ag Then N is parametri, so we an apply Lemma 1 to obtain M1 , . . . , MG . Consider k 2 f1; : : : ; Gg. Let W = (; (i) (j ); T + U nit; K; w) be the family of values suh that ( a; if M(kÆ; ) = fag w(Æ; ) = (n + 1; ()) ; if M(kÆ; ) = fg W is parametri by parametriity of Mk , so Proposition 3 gives us a term ; (i) (j ) ` s : T + U nit whih denes W and whih is of the form math h with 8H inl (x) ) inRT l U nit (rl ) l For any l 2 f1; : : : ; H g suh that Rl 2 f1; : : : ; ng, let =1 + gi;j;k;l = if h = l then true else f alse Ei;j;k;l (xRl ;j ) = j (rl ) ii;j;k;l = Rl 0 0 0 R is dened to be the set of all (i; j; gi;j;k;l ; Ei;j;k;l ; ii;j;k;l ) as above. It is routine to hek that, for any (Æ; ) 2 I , JSK(Æ;) = S(Æ;) . 0 ut