Document 12549240
advertisement
On a Semanti Denition of Data Independene?
Ranko Lazi1?? and David Nowak2
1
Department of Computer Siene, University of Warwik, UK
2
Ranko.Lazids.warwik.a.uk
LSV, CNRS & ENS Cahan, Frane
David.Nowaklsv.ens-ahan.fr
Abstrat. A variety of results whih enable model heking of important lasses of innite-state systems are based on exploiting the property
of data independene. The literature ontains a number of denitions of
variants of data independene, whih are given by syntati restritions
in partiular formalisms. More reently, data independene was dened
for labelled transition systems using logial relations, enabling results
about data independent systems to be proved without referene to a
partiular syntax. In this paper, we show that the semanti denition
is suÆiently strong for this purpose. More preisely, it was known that
any syntatially data independent symboli LTS denotes a semantially
data independent family of LTSs, but here we show that the onverse
also holds.
Keywords: data independene, denability, logial relations, nondeterminism
1 Introdution
Informally, a system is data independent with respet to a data type X when,
apart from input, output and storage, the only operation that is performed on
values of type X is testing a pair of them for equality. The stronger variant of
data independene where equality on X is not available is also studied in the
literature, as are weaker variants suh as allowing onstants of type X and unary
prediates on X .
A variety of results whih enable model heking [5℄ of important lasses of
innite-state systems are based on exploiting data independene (e.g. [22, 12, 10,
19, 6, 14, 21, 18℄). Although their proofs are in terms of semantis, most of these
results are based on denitions of data independene whih are by means of
syntati restritions in partiular formalisms.
?
??
We aknowledge support from the EPSRC Standard Researh Grant `Exploiting
Data Independene', GR/M32900. A part of this researh was done at the Oxford
University Computing Laboratory.
Also aÆliated to the Mathematial Institute, Belgrade. This author was supported in
part by a grant from the Intel Corporation, a Junior Researh Fellowship from Christ
Churh, Oxford, and previously by a sholarship from Hajrija & Boris Vukobrat and
Copehim Frane SA.
The rst semanti denition of data independene whih aommodates the
variants with or without equality, onstants and prediates was given in [15℄.
The semanti entities used are families of labelled transition systems (LTSs),
whih onsist of an LTS per instantiation of a signature. A signature is a set
of type variables and a term ontext. Logial relations [20℄ are used to dene
when a family of LTSs is parametri, and the denition of data independene is
the speial ase when the term ontext of the signature onsists of only equality
prediates, onstants and unary prediates. It is shown in [15℄ that the semantis
of any syntatially data independent UNITY program [4℄ is a data independent
family of LTSs. The same paper also proves a theorem based on the semanti denition whih enables the problem of model heking a data independent
system for all instantiations of X to be redued to model heking for a nite
number of nite instantiations. Sine it is proved from the semanti denition,
the theorem applies to any formalism whih an be given semantis by LTSs in
whih transition labels reord values of transition parameters.
Although the denition in [15℄ was suÆiently restritive to prove the partiular redution theorem, it was not known whether that was an aident. In
other words, it was not known whether the olletion of all data independent
families of LTSs was equal to or stritly larger than the olletion of those whih
arise as semantis of syntatially data independent systems. In this paper, we
show that it is equal.
More preisely, we show that, in the absene of indutive types, any parametri family of LTSs whose signature onsists of equality prediates, uninterpreted
prediates of arbitrary arity, and uninterpreted onstants, and whose types of
states and transition labels do not ontain funtions, is denable by a symboli LTS with the same signature. Data independene as in [15℄ is the speial
ase when the uninterpreted prediates are only unary. Indutive types are not
onsidered for simpliity, beause they are orthogonal to denability of families
onstrained by logial relations, whih is the topi of the paper. Funtions within
states or transition labels are also exluded in the redution theorems in [15℄.
Symboli LTSs are a basi formalism whih ombines simply typed -alulus
and nondeterminism. They an be seen as a graphial variant of UNITY, and
are a generalisation of rst-order Kripke strutures [2℄.
Compared with the literature on denability in models based on logial relations (e.g. [17, 13, 1, 7℄), we onsider only rst-order omputation whih an use
equality testing and prediates of arbitrary arity, but the novelty in our result
is that it applies to nondeterministi omputation.
Setion 2 is devoted to preliminaries. In Setion 3, we dene families of values, sets, and LTSs, and speify what it means for suh families to be parametri.
In Setion 4, we dene symboli LTSs, and observe that their semantis is parametri. Setion 5 is devoted to the denability result. In Setion 6, we onlude
and remark about future work.
2 Preliminaries
We x notation for the syntax and set-theoreti semantis of the simply typed
-alulus with produt and sum types, for binary logial relations, and for
LTSs. Terms of the -alulus will be used to form symboli LTSs. In addition
to typing the terms, types will be used to struture the semanti entities we
shall onsider, suh as families of LTSs. Logial relations will serve to onstrain
families indexed by signature instantiations, suh as in the semanti denition
of data independene.
-alulus syntax. We assume T ypeV ars is an innite set of names for type
variables.
The syntax of types T is as follows:
T ::= X 2 T ypeV ars j T1 Tn j T1 + + Tn j T1 ! T2
where n ranges over nonnegative integers.
For any type T , we write F ree(T ) for the set of free type variables of T .
We assume T ermV ars is an innite set of names for term variables.
A type ontext is a sequene of the form
hx
1
: T1 ; : : : ; x n : Tn i
where the xi are distint term variables.
We write (x) for the type assoiated to the term variable x in . The type
ontext n x is obtained by removing x : (x) from if x 2 Dom( ), otherwise
0
it is . The type ontext
is the onatenation of and 0 , provided their
domains are disjoint.
A signature is an ordered pair (; ), where
{ is a nite subset of T ypeV ars, and
{ is a type ontext suh that F ree( (x)) for eah x 2 Dom( ).
Terms-in-ontext ; ` t : T are built in the standard well-typed fashion from term variables, tuple formation, projetion, injetion, mathing, -
abstration, and appliation.
`x:T
;
if (x) = T
` ti : Ti for i = 1; : : : ; n
` ht ; : : : ; tn i : T Tn
; ` t : T Tn
for i = 1; : : : ; n
; ` i (t) : Ti
; ` t : Ti
T
Tn (t) : T + + T for i = 1; : : : ; n
; ` ini
n
; ` t : T + + Tn
; ( n x)hx : Ti i ` ti : T for i = 1; : : : ; n
; ` math t with in (x) ) t 8 8 inn (x) ) tn : T
; ( n x)hx : T i ` t : T
; ` x : T :t : T ! T
; ` t : T ! T ; ` t : T
; ` t t : T
;
;
1
1
1
1 ++
1
1
1
1
1
1
1
1
2
1
2
2
1
2
2
1
2
We write F ree(t) for the set of free term variables of t.
-alulus semantis. A set map is a partial map from T ypeV ars to sets, whose
domain is nite.
For any type T , and any set map Æ suh that F ree(T ) Dom(Æ ), we write
JT KÆ for the denotational semantis of T with respet to Æ :
JX KÆ
JT1 Tn KÆ
JT1 + + Tn KÆ
J T1 ! T2 K Æ
= Æ JX K
= JT1 KÆ JTn KÆ
= f1g JT1 KÆ [ [ fng JTn KÆ
= JT1 KÆ ! JT2 KÆ
A value map is a map whose domain is a nite subset of T ermV ars.
We write [x 7! v ℄ for the value map whose domain is Dom( ) [ fxg, and
whih is dened by [x 7! v ℄JxK = v and [x 7! v ℄Jy K = Jy K if y 6= x.
Given a type ontext and a set map Æ suh that F ree( (x)) Dom(Æ )
for eah x 2 Dom( ), we say that a value map is with respet to and Æ i
{ Dom() = Dom( ), and
{ JxK 2 J (x)KÆ for eah x 2 Dom( ).
An instantiation of a signature (; ) is an ordered pair (Æ; ) suh that
{ Æ is a set map whose domain is , and
{ is a value map with respet to
and Æ .
For any term ; ` t : T and any instantiation (Æ; ), we write J; ` t : T K(Æ;)
for the denotational semantis of ; ` t : T with respet to (Æ; ). This is dened by
J;
J;
` x : T K Æ;
(
)
= JxK
` ht ; : : : tn i : T Tn K Æ; =
(J; ` t : T K Æ; ; : : : ; J; ` tn : Tn K Æ; )
1
1
1
1 (
J;
` i (t) : T K Æ;
J;
` inTi
(
)
(
)
)
(
` t : T K Æ;
= vi if J;
Tn (t) : T +
1
1 ++
(
+ TnK Æ;
(
)
)
= (v1 ; : : : ; vn )
= (i; J;
)
` t : Ti K Æ; )
(
)
` math t with in (x) ) t 8 8 inn (x) ) tn : T K Æ; ) =
n x)hx : Ti i ` ti : T K Æ; x v
if J; ` t : T + + Tn K Æ; = (i; v )
J;
(
1
J;
1
1
J; (
(
[
℄)
7!
` x : T :t : T ! T K Æ; = f where
f (v) = J; ( n x)hx : T i ` t : T K Æ; x
1
1
`t
1
)
)
2 (
)
1
J;
(
t2 : T2K(Æ;) = J;
2 (
`t
1
[
v℄)
7!
: T1 ! T2 K(Æ;) (J;
`t
2
: T1 K(Æ;) )
Some abbreviations. We dene some standard types:
U nit = the empty produt type
Bool = U nit + U nit
Enumk = |U nit + {z + U nit}
k
We also dene terms and values:
f alse = inB1 ool (hi)
f alse = (1; ())
true = inB2 ool (hi)
true = (2; ())
so that we have:
JBoolKfg = ff alse; trueg
JEnumk Kfg = f(1; ()); : : : ; (k; ())g
Logial relations. A relation map is a triple (; Æ; Æ ) suh that
0
{ is a partial map from T ypeV ars to relations, whose domain is nite,
{ Æ and Æ are set maps with the same domain as , and
{ JX K is a relation between ÆJX K and Æ JX K, for eah X 2 Dom().
0
0
A relation map (; Æ; Æ 0 ) determines a logial relation [20℄ indexed by the
types T suh that F ree(T ) Dom(). For any suh type T , we write JT K(;Æ;Æ )
for the omponent at T of the logial relation. This is a relation between the
sets JT KÆ and JT KÆ , and is dened by
0
0
JX K(;Æ;Æ0 ) = JX K
JT1 Tn K(;Æ;Æ0 ) = f(a; a0 ) j 8i 2 f1; : : : ; ng:i (a)JTi K(;Æ;Æ0 ) i (a0 )g
JT1 + + Tn K(;Æ;Æ0 ) = f((i; a); (i0 ; a0 )) j i = i0 ^ aJTi K(;Æ;Æ0 ) a0 g
JT1 ! T2 K(;Æ;Æ0 ) = f(f; f 0 ) j 8a; a0 :aJT1 K(;Æ;Æ0 ) a0 ) f (a)JT2 K(;Æ;Æ0 ) f 0 (a0 )g
Labelled transition systems. An LTS is a tuple S = (A; B; I; !) suh that A
and B are sets, I A and ! A B A.
We say that A is the set of states, B is the set of transition labels, I is the
b
a2 for
set of initial states, and ! is the transition relation. We write a1 !
(a1 ; b; a2 ) 2 !.
3 Parametri Families
If (; ) is a signature, then the semantis of a term or program whih uses (; ),
with respet to a lass I of instantiations of (; ), an be seen as a family of
semanti elements whih is indexed by I . We now dene three kinds of suh
families, namely those of values, sets and LTSs. In the rst two ases, there is a
type T suh that the family member whose index is (Æ; ) is an element/subset
of JT KÆ . In the ase of LTSs, there are two types T and U whih determine the
sets of states and transition labels of family members.
Denition 1 (families). A family of values, sets, or LTSs (respetively) is of
the form (; ; T; I ; v ), (; ; T; I ; N ), or (; ; T; U; I ; S ).
(; ) is a signature, T and U are types suh that F ree(T ) and F ree(U ) , and I is a lass of instantiations of (; ).
The vetors v, N and S are indexed by elements of I . For eah (Æ; ) 2 I ,
we have v(Æ;) 2 JT KÆ , N(Æ;) JT KÆ , and S(Æ;) is an LTS with set of states JT KÆ
and set of transition labels JU KÆ .
ut
Logial relations an be used as follows to dene when a family is parametri.
We shall see below that families arising as semantis of -alulus terms or of
symboli LTSs have this property.
The details are as in [15℄, exept that here we treat families of values and
sets expliitly, beause they will be used later in the paper. The denitions of
when two sets/LTSs are related an be seen as liftings of logial relations to
powerset/LTS types, although we do not give suh types rst-lass status. A
more general treatment of suh liftings of logial relations an be found in [8℄.
Denition 2 (related sets). Suppose:
{ P is a relation between N and N ;
0
{M
N and M N .
0
0
We say that P relates M and M i
0
8x 2 M 9x 2 M (x; x ) 2 P
8x 2 M 9x 2 M (x; x ) 2 P ut
0
0
0
0
0
0
Denition 3 (universal partial R-bisimulation). Suppose:
{ P is a relation between A and A ;
{ R is a relation between B and B ;
{ S = (A; B; I; !) and S = (A ; B ; I ;
0
0
0
0
0
0
! ) are LTSs.
0
We say that P is a universal partial R-bisimulation between S and S i
0
(i) whenever aP a then a 2 I i a 2 I , and
(ii) whenever a1 P a1 and bRb , then P relates fa2 j a1
0
0
0
b
0
0
0
fa j a ! a g.
0
0
2
1
0
b
!
a g and
2
ut
0
2
Denition 4 (parametri families). A family (; ; T; I ; v ), (; ; T; I ; N ),
or (; ; T; U; I ; S ) (respetively) is parametri i, for any (Æ; ); (Æ ; ) 2 I , and
any relation map (; Æ; Æ ) suh that
0
0
0
8x 2 Dom( ) JxKJ
(x)K(;Æ;Æ ) 0 JxK
0
we have
{ v(Æ;) JT K(;Æ;Æ ) v(Æ ; ) ,
{ JT K(;Æ;Æ ) relates N(Æ;) and N(Æ ; ) , or
{ JT K(;Æ;Æ ) is a universal partial JU K(;Æ;Æ ) -bisimulation between S(Æ;) and
S(Æ ; ) .
ut
0
0
0
0
0
0
0
0
0
0
We an now state the Basi Lemma of logial relations [20℄ in the following
way.
Proposition 1. For any term ; ` t : T and lass
(; ), the family (; ; T; I ; JtK) is parametri.
I
of instantiations of
ut
Signatures whih onsist of equality prediates, uninterpreted prediates, and
uninterpreted onstants will be important later in the paper, as will types whih
are sums of produts of type variables, and lasses of instantiations whose only
restrition is that equality prediates are interpreted as expeted. These will
determine the kind of parametri families of LTSs whih our main result applies
to.
Terminology 1. We say that a signature (; ) is EPC i
E P C suh that
{ any
E (e) is of the form (X
X ) ! Bool,
is of the form
P (p) is of the form T ! Enumk where T is a produt of type variables,
and
{ any C () is a produt of type variables.
{ any
A type T is SP i it is a sum of produts of type variables.
The full lass of instantiations of an EPC-signature (; ) onsists of all (Æ; )
suh that JeK is the equality prediate on Æ JX K for any e : ((X X ) ! Bool)
in E .
ut
Data independene was dened semantially in [15℄ as parametriity of families of LTSs whose signatures are EPC with only unary uninterpreted prediates,
and whose lasses of instantiations are full.
Example 1. Consider a family of LTSs dened as follows. The signature
= fX g
= hp : X ! Bool; q : (X X ) ! Booli
onsists of type variable X , unary uninterpreted prediate p on X , and binary
uninterpreted prediate q on X .
The type of states T = X + (X X ) an be seen as two ontrol states, the
rst with one data item of type X , the seond with two data items of type X .
The type of transition labels U = X means that any transition has a parameter
of type X .
I onsists of all instantiations of (; ), and any S(Æ;) is suh that
{ a state is initial i it is the rst ontrol state together with data u whih
satises p, and
{ a transition is from the rst ontrol state to the seond provided either the
parameter w satises p and the two target data items v1 and v2 are set to
w and the soure data u, or (u; w) satises q and v1 , v2 are set to u, w.
More formally:
I(Æ;) = f(1; u) j JpK(u)g
!(Æ;) = f((1; u); w; (2; (v1 ; v2 ))) j
( JpK(w) ^ v1 = w ^ v2 = u) _
( Jq K(u; w) ^ v1 = u ^ v2 = w)g
It is straightforward to hek that this family is parametri. In fat, as we
shall see in Example 2, it is the semantis of a symboli LTS.
Let Æ JX K = f; |g and Æ 0 JX K = f}; ~; 4g. Let and 0 be suh that JpK
holds only on , 0 JpK holds on } and ~, and Jq K and 0 Jq K hold on all pairs.
Dene JX K by JX K} and JX K~. Then JT K(;Æ;Æ ) is a universal partial
JU K(;Æ;Æ ) bisimulation between S(Æ;) and S(Æ;) , and the following gure is a
simple illustration.
0
0
(1;
(1;
} ~
)
)
(2; (
}~
(2; (
~}
;
(2; (
;
))
S(Æ 0 ; 0 )
))
;
))
S(Æ; )
ut
4 Symboli Labelled Transition Systems
The notion of SLTSs we dene below is a formalism for expressing nondeterministi reative systems, whih is based on the simply typed -alulus introdued
in Setion 2.
An SLTS S omputes on types built from type variables from , using operations from , where (; ) is a signature. S has a set A of symboli states,
and a set B of symboli labels. The elements of A and B have assoiated type
ontexts (a) and (b). Symboli states an be thought of as ontrol states,
where (a) are data variables at a. Similarly, symboli labels an be thought of
as kinds of transitions, so that (b) are parameters for transitions of kind b.
The initial states of S are given as a set of pairs (a; t), where t is a -alulus
term of type Bool whih speies whih data values assoiated with the symboli
state a form initial states.
The transitions of S are given by symboli transitions. A symboli transition
has soure and target symboli states, a symboli label, a guard, and an assignment. The guard is a -alulus term of type Bool whih determines when the
symboli transition is enabled, in whih ase the ation of the symboli transition is to set eah data variable at the target symboli state aording to the
assignment. In partiular, the lifetime of data variables and transition parameters is one transition. Nondeterminism is present when S has more than one
symboli transition with the same soure symboli state and the same symboli
label.
The fat that SLTSs allow dierent sets of data variables at dierent symboli
states an be used e.g. to model data whih is loal to a part of the system.
Observe also that a portion of data in a system (suh as data whih is not
treated in a data independent manner) an be modelled non-symbolially by
regarding it as part of ontrol.
SLTSs are similar to a number of formalisms in the literature, e.g. [9, 2, 3℄.
They an also be seen as a graphial variant of UNITY [4℄.
Denition 5 (SLTS). S is an SLTS i it is a tuple
(; ; A; ; B; ; I; R)
suh that:
{ (; ) is a signature.
{ A and B are sets. We all elements of A symboli states, and elements of
B symboli labels.
{ and are suh that, for any a 2 A and b 2 B, we have that (; (a)) and
(; (b)) are signatures, and that Dom((a)) and Dom( (b)) are disjoint
from Dom( ).
{ I is a set of ordered pairs (a; t), where a 2 A and ; (a) ` t : Bool is
a term. We say that t is an initial ondition, and that elements of I are
symboli initial states.
{ R is a set of tuples of the form (a1 ; b; g; E; a2 ) where a1 ; a2 2 A, b 2 B,
Dom((a1 )) and Dom( (b)) are disjoint, ; (a1 ) (b) ` g : Bool is a
term, and E is suh that, for any x 2 Dom((a2 )), ; (a1 ) (b) ` E (x) :
(a2 )(x) is a term. We say that a1 is the symboli soure state, a2 is the
symboli target state, g is the guard, E is the assignment, R is the symboli
transition relation and its elements are symboli transitions. We write a1 [b :
g ,! E iR a2 for (a1 ; b; g; E; a2 ) 2 R.
ut
Example 2. The following SLTS is illustrated in the gure.
{
{
{
{
{
{
{
{
= fX g;
= hp : X ! Bool; q : (X X ) ! Booli;
A = fa1 ; a2 g;
(a1 ) = hx : X i, (a2 ) = hy1 : X; y2 : X i;
B = fbg;
(b) = hz : X i;
I = f(a1 ; p x)g;
a1 [b : p z ,! fy1 7! z; y2 7! xgi a2 and a1 [b : q x z ,! fy1 7! x; y2 7! z gi a2
are the symboli transitions.
h
!
b
z
h
a1
x
:
X
:
X
i
y1 ; y2 :=z; x
p z ,
h
i
a2
y1
:
X; y2
:
X
i
b
h i
!
z
:
X
ut
y1 ; y2 :=x; z
q x z ,
Given an SLTS S and an instantiation (Æ; ) of its signature (; ), we will
dene a onrete LTS JSK(Æ;) . Provided the sets of symboli states and symboli
labels of S are nite, and given a lass of instantiations of (; ), the onrete
LTSs JSK(Æ;) will form a parametri family.
Notation 1. Given a signature (; ), where = hx1 : T1 ; : : : ; xn : Tn i, and a
set map Æ suh that Dom(Æ ), let JKÆ be dened by
JKÆ = f(v1 ; : : : ; vn ) j 8i
vi 2 JTi KÆ g
Given a type ontext = hx1 : T1 ; : : : ; xn : Tn i, a value map suh that
Dom( ) \ Dom() = fg, and a tuple v = (v1 ; : : : ; vn ), let v be the map extended by xi 7! vi for all xi 2 Dom().
ut
Denition 6 (semantis of SLTSs). Given an SLTS
S = (; ; A; ; B; ; I; R)
and an instantiation (Æ; ) of (; ), let JSK(Æ;) be the LTS (A; B; I;
as follows:
!) dened
{ A = f(a; v) j a 2 A ^ v 2 J(a)KÆ g.
{ B =Sf(b; w) j b 2 B ^ w 2 J (b)KÆ g.
{ I = (a;t) I J(a; t)K(Æ;) where
2
J(a; t)K(Æ;) = f(a; v ) 2 A j J;
(a) ` t : BoolK(Æ;
(a)
! is the set of triples
((a ; v ); (b; w ); (a ; v )) 2 A B A
{ The transition relation
1
1
suh that for some g and E we have
2
2
g:
v) = true
(a ; b; g; E; a ) 2 R,
J; (a ) (b) ` g : BoolK Æ; a v b w
for all xi 2 Dom((a )),
J; (a ) (b) ` E (xi ) : (a )(xi )K Æ; 1
2
1
( (
1 )
(
1)
= true, and
( )
)
( (
(a ) 1 )
1
2
1
2
v
(b) w)
= vi2
where xi is the ith omponent of Dom((a2 )).
ut
Proposition 2. Suppose S = (; ; A; ; B; ; I; R) is an SLTS suh that A =
f1; : : : ; ng and B = f1; : : : ; mg. Let
T=
U=
n Y
X
i=1 x2(a)
m Y
X
j =1 y2 (b)
(a)(x)
(b)(y)
For any lass I of instantiations of (; ), we have that (; ; T; U; I ; JSK) is a
parametri family of LTSs.
ut
When restrited to EPC signatures with only unary uninterpreted prediates
and to full lasses of instantiations, Proposition 2 states that the semantis of
any syntatially data independent SLTS is data independent aording to the
semanti denition in [15℄.
Example 3. The SLTS in Example 2 yields (up to isomorphism) the parametri
family of LTSs in Example 1, for the lass of all instantiations.
ut
5 Denability
This setion ontains the main result of the paper, namely that any parametri
family of LTSs whose signature is EPC, whose types of states and transition
labels are SP, and whose lass of instantiations is full, is denable by an SLTS.
In partiular, this shows that the semanti denition of data independene in
[15℄ is suÆiently strong. The SP assumption is equivalent to assuming absene
of the funtion-type onstrut, whih is done in the redution theorems in [15℄.
Before the theorem, we present a proposition and a lemma whih are used in
its proof.
Proposition 3. For any parametri family of values
(; ; T; I ; v )
suh that (; ) is EPC, T is SP, and I is full, there exists a term
; ` s : T
suh that, for any (Æ; ) 2 I , JsK(Æ;) = v(Æ;) , and suh that s is of the form
T
math h with 8H
i=1 ini (x) ) inRi (ri )
P
where H 2 N , ; ` h : Enum H is a term, T = ni=1 Ti , and for eah i,
Ri 2 f1; : : : ; ng and ; C ` ri : TRi is a term.
Proof outline. The lass I an be split into nitely many sublasses aording
to the results of all possible appliations of the equality prediates and the uninterpreted prediates to the uninterpreted onstants. The sublasses have the
property that two instantiations an be related by a relation map i they belong
to the same sublass.
The term s an be dened by letting H be the number of sublasses. Eah
Ri and ri are dened by onsidering an instantiation from the orresponding
sublass whih, for any X 2 without an equality prediate in E , instantiates
any two uninterpreted onstant omponents of type X by distint values.
ut
Example 4. This example (due to Plotkin) shows that Proposition 3 annot be
extended straightforwardly to signatures whih ontain types suh as X ! X .
It is a parametri family of values whih is not denable.
The signature onsists of one type variable X , prediate p : X ! Bool,
operation s : X ! X , and onstant z : X . The type of the family is Bool,
and for any instantiation (Æ; ) of the signature, the member v(Æ;) is dened to
be true i, for all n 2 N , the result of applying n times JsK to Jz K satises
JpK.
ut
Terminology 2. We say that a family of sets is deterministi i eah set of the
ut
family is either the empty set or a singleton.
Notation 2. We write (; ; T; I ; N ) v ( ; ; T ; I ; N ) i we have = ,
= , T = T , I = I , and N(Æ;) N(Æ;) for all (Æ; ) 2 I .
We write (; ; T; I ; N ) t (; ; T; I ; N ) for the family of sets (; ; T; I ; M )
where, for any (Æ; ) 2 I , M(Æ;) = N(Æ;) [ N(Æ;) .
ut
0
0
0
0
0
0
0
0
0
0
0
0
Lemma 1. Given any parametri family of sets
N = (;
; T; I ; N )
suh that (; ) is EPC, T is SP, and I is full, there are parametri families of
sets M1 , . . . , Mm suh that:
(i) Mi v N for eah i;
(ii) Mi is deterministi for eah i;
(iii) given any parametri family of sets M suh that
deterministi, it is equal to Mi for some i;
F
(iv) m
i=1 Mi = N .
0
M vN
0
and
M
0
is
ut
The proof of Lemma 1 has similar struture to the proof of Proposition 3,
whih means that the denability of families of sets an be shown somewhat
more diretly than by ombining the two results. However, Lemma 1 is of wider
interest, sine it shows that denability of parametri nondeterministi families
an be redued to denability of nitely many parametri deterministi families.
Example 5. Reall the SLTS in Example 2 and its semantis (up to isomorphism)
in Example 1.
Take N to be the family of sets orresponding to the nondeterministi omputation at symboli state a1 and symboli label b. Its signature is = fX g
and
= hp : X ! Bool; q : (X X ) ! Bool; x : X; z : X i
The type of N is X X , and the lass onsists of all instantiations of (; ).
For any (Æ; ), N(Æ;) is the set of all outomes of the two symboli transitions
when p, q , x and z have the values given by . If neither symboli transition is
enabled, N(Æ;) = fg.
Similarly, we an let M1 and M2 be families of sets orresponding to the
two symboli transitions respetively.
Parametriity of these families of sets follows from parametriity of the family
of LTSs. Also, M1 and M2 are deterministi, and M1 t M2 = N . Therefore,
M1 and M2 are two of the families orresponding to N in the statement of
Lemma 1. There are others, e.g. the empty family.
ut
Theorem 1. For any parametri family of LTSs (; ; T; U; I ; S ) suh that (; )
is EPC, T and U are SP, and I is full, there exists a nite SLTS S with the
same signature and suh that, for any (Æ; ) 2 I , JSK(Æ;) = S(Æ;) .
Proof outline. Symboli states and symboli labels of S are dened to orrespond
to the sum omponents of T and U .
For eah symboli state a, the sets of initial states of S(Æ;) restrited to a
form a parametri family of prediates, so that Proposition 3 an be applied to
obtain the initial ondition at a.
For eah symboli state a and symboli label a, the transitions of the onrete
LTSs S(Æ;) form a parametri family of sets whose type is T . Lemma 1 an be
applied to this family to yield a nite number of deterministi families. Symboli
transitions of S are then obtained by applying Proposition 3 to families of values
whih orrespond to the deterministi families of sets.
ut
Example 6. Theorem 1 applies to the family of LTSs in Example 1. We already
saw that this family is denable (up to isomorphism) by the SLTS in Example 2.
ut
6 Conlusions
This paper answers negatively the question of whether there are any data independent families of LTSs [15℄ whih do not arise as semantis of any syntatially
data independent system. Thus we onrm that the semanti denition of data
independene is suitable for reasoning about data independent systems without
being tied to a partiular syntax.
More preisely, we showed that any parametri family of LTSs whose signature onsists of equality prediates, uninterpreted prediates of arbitrary arity,
and uninterpreted onstants, and whose types of states and transition labels do
not ontain funtions, is denable by a symboli LTS. Data independene is the
speial ase with only unary uninterpreted prediates.
From another point of view, we demonstrated that when binary logial relations are extended to nondeterministi omputation by means of bisimulation,
they an be used to ensure that any parametri family is denable.
Future work should investigate denability of parametri families in settings
where powerset types have rst-lass status [16, 11, 8℄.
Aknowledgements
We are grateful to Samson Abramsky, Brian Dunphy, Andrew Pitts, Gordon
Plotkin, Uday Reddy, Bill Rosoe and Alex Simpson for useful disussions, and
to the anonymous referees for their helpful omments.
Referenes
1. M. Alimohamed. A haraterization of lambda denability in ategorial models
of impliit polymorphism. Theoretial Computer Siene, 146:5{23, 1995.
2. J. Bohn, W. Damm, O. Grumberg, H. Hungar, and K. Laster. First-order-CTL
model heking. In Foundations of Software Tehnology and Theoretial Computer
Siene (FST&TCS'98), volume 1530 of Leture Notes in Computer Siene, pages
283{294. Springer-Verlag, 1998.
3. M. Calder and C. Shankland. A symboli semantis and bisimulation for full
LOTOS. In International Conferene on Formal Desription Tehniques for Networked and Distributed Systems (FORTE'01), pages 184{200. Kluwer Aademi
Publishers, 2001.
4. K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. AddisonWesley, 1988.
5. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Cheking. MIT Press, 1999.
6. D. Dill, R. Hojati, and R.K. Brayton. Verifying linear temporal properties of data
intensive ontrollers using nite instantiations. In Hardware Desription Languages
and their Appliations (CHDL '97). Chapman and Hall, 1997.
7. M. Fiore and A. Simpson. Lambda denability with sums via Grothendiek logial
relations. In Proeedings of the 4th International Conferene on Typed Lambda
Caluli and Appliations (TLCA'99), volume 1581 of Leture Notes in Computer
Siene, pages 147{161. Springer-Verlag, 1999.
8. J. Goubault-Larreq, S. Lasota, and D. Nowak. Logial relations for monadi
types. In Proeedings of the 11th Annual Conferene of the European Assoiation
for Computer Siene Logi (CSL'02), volume 2471 of Leture Notes in Computer
Siene, pages 553{568. Springer-Verlag, 2002.
9. M. Hennessy and H. Lin. Symboli bisimulations. Theoretial Computer Siene,
138(2):353{389, 1995.
10. C. N. Ip and D. L. Dill. Better veriation through symmetry. Formal Methods in
System Design: An International Journal, 9(1/2):41{75, 1996.
11. A. Jerey. A fully abstrat semantis for a higher-order funtional language with
nondeterministi omputation. Theoretial Computer Siene, 228:105{150, 1999.
12. B. Jonsson and J. Parrow. Deiding bisimulation equivalenes for a lass of nonnite-state programs. Information and Computation, 107(2):272{302, 1993.
13. A. Jung and J. Tiuryn. A new haraterization of lambda denability. In Proeedings of the 1st International Conferene on Typed Lambda Caluli and Appliations
(TLCA'93), volume 664 of Leture Notes in Computer Siene, pages 245{257.
Springer-Verlag, 1993.
14. R. Lazi. A Semanti Study of Data Independene with Appliations to Model
Cheking. DPhil thesis, Oxford University Computing Laboratory, 1999.
15. R. Lazi and D. Nowak. A unifying approah to data-independene. In Proeedings of the 11th International Conferene on Conurreny Theory (CONCUR
2000), volume 1877 of Leture Notes in Computer Siene, pages 581{595. SpringerVerlag, 2000.
16. T. Nipkow. Non-deterministi data types: models and implementations. Ata
Informatia, 22(6):629{661, 1986.
17. G. D. Plotkin. Lambda-denability in the full type hierarhy. In To H. B. Curry:
Essays on Combinatory Logi, Lambda Calulus and Formalism, pages 363{373.
Aademi Press, 1980.
18. S. Qadeer. Verifying sequential onsisteny on shared-memory multiproessors by
model heking. Researh Report 176, Compaq, 2001.
19. R. Hojati and R. K. Brayton. Automati datapath abstration in hardware systems. In Proeedings of the 7th International Conferene On Computer Aided Veriation, volume 939 of Leture Notes in Computer Siene, pages 98{113. Springer
Verlag, 1995.
20. J. C. Reynolds. Types, abstration and parametri polymorphism. In Proeedings of the 9th IFIP World Computer Congress (IFIP'83), pages 513{523. NorthHolland, 1983.
21. A. W. Rosoe and P. J. Broadfoot. Proving seurity protools with model hekers
by data independene tehniques. Journal of Computer Seurity, Speial Issue
on the 11th IEEE Computer Seurity Foundations Workshop (CSFW11), pages
147{190, 1999.
22. P. Wolper. Expressing interesting properties of programs in propositional temporal
logi. In Conferene Reord of the 13th Annual ACM Symposium on Priniples of
Programming Languages, pages 184{193. ACM, 1986.
A Proofs
Proof (Proposition 2). Suppose
{ (Æ; ) and (Æ ; ) are two instantiations from I ,
{ (; Æ; Æ ) is a relation map suh that
0
0
0
8x 2 Dom( ) JxKJ
{ S(Æ;) = (A; B; I;
!) and S Æ ;
0
(
0)
(x)K(;Æ;Æ ) 0 JxK
= (A0 ; B 0 ; I 0 ;
0
! ).
0
In order to prove that (; ; T; U; I ; JSK) is parametri, we have to prove that
JT K(;Æ;Æ0 ) is a universal partial JU K(;Æ;Æ0 ) -bisimulation between S(Æ;) and S(Æ0 ;0 ) :
{ Let (i; v) 2 A and (i ; v ) 2 A be states related by JT K(;Æ;Æ ) . Then i = i .
0
0
0
0
0
Suppose (i; v ) 2 I . By Denition 6, there exists an initial ondition t suh
that (i; t) 2 I and
J;
(i) ` t : BoolK(Æ;
= true
i v)
( )
By Proposition 1, we have
J;
(i) ` t : BoolK(Æ ;
0
0
(i) v0 )
= true
so that (i; v 0 ) 2 I 0 .
In the same way, (i; v 0 ) 2 I 0 implies (i; v ) 2 I .
{ Let (i1 ; v1 ) 2 A and (i01 ; v01 ) 2 A0 be states related by JT K(;Æ;Æ ) , and let
(j; w ) 2 B and (j 0 ; w0 ) 2 B 0 be transition labels related by JU K(;Æ;Æ ) . Then
i1 = i01 and j = j 0 .
(j;w)
Suppose (i1 ; v 1 ) ! (i2 ; v 2 ). By Denition 6, there exist a guard g and an
assignment E suh that (i1 ; j; g; E; i2 ) 2 R and
0
0
(i1 ) (j ) ` g : BoolK(Æ;(
J;
2 Dom((i )),
(i ) (j ) ` E (xk ) : (i )(xk )K Æ; and, for any xk
J;
i v
( ) 1 )
1
(j) w)
= true
2
1
2
( (
i v1 ) (j) w)
( )
1
= vk2
where xk is the k th omponent of Dom((i2 )). Letting v 02 be the tuple
dened by
J;
(i1 ) (j ) ` E (xk ) : (i2 )(xk )K(Æ ;(
0
(i1 ) v01 ) (j) w0 )
0
= vk02
(j;w )
0
it follows by Proposition 1 that (i2 ; v )JT K(;Æ;Æ ) (i2 ; v2 ) and (i1 ; v )
(i2 ; v 02 ).
2
0
0
01
!
0
(j;w 0 )
In the same way, whenever (i1 ; v 01 ) !0 (i02 ; v 02 ), there exists v 2 suh that
(j;w )
(i02 ; v 2 )JT K(;Æ;Æ ) (i02 ; v20 ) and (i1 ; v 1 ) ! (i02 ; v 2 ).
ut
0
Proof (Proposition 3). Without loss of generality, we an assume
form
C is of the
hij : Zi j i = 1; : : : ; l ^ j = 1; : : : ; li i
where the Zi are mutually distint and = fZ ; : : : ; Zl g.
0
1
Let us say that two instantiations (Æ; ) and (Æ 0 ; 0 ) in I are related by R i
they are related by some relation map (; Æ; Æ 0 ). It is straightforward to hek
that R is an equivalene relation.
Let I be the set of all (Æ; ) 2 I suh that:
{ if there is an equality prediate on Zi in
E , then Æ JZi K is the set of equivalene lasses of an equivalene relation on fij j j = 1; : : : ; li0 g;
{ otherwise, ÆJZi K = ffij g j j = 1; : : : ; li g;
{ for any p 2 Dom( P ), JpK is arbitrary;
{ Jij K is the equivalene lass of ij .
0
It is routine to show that any equivalene lass of R ontains exatly one member
of I .
Sine I is a nite set, let H be its ardinality, and let f be a bijetion from
f1; : : : ; H g to I . It is straightforward to dene a term
` h : Enum H
suh that, for any (Æ; ) 2 I and i 2 f1; : : : ; H g,
JhK Æ; = (i; ()) , (Æ; )Rf (i)
For any i 2 f1; : : : ; H g, let
;
(
)
(Ri ; (w1i ; : : : ; wni R )) = vf (i)
0
i
2 wji for all j .
We have now dened H , h, and for eah i 2 f1; : : : ; H g, Ri and ri , whih
provides a denition of s. Given (Æ; )inI , by onsidering i 2 f1; : : : ; H g suh
that (Æ; )Rf (i), it follows that JsK Æ; = v Æ; .
ut
and dene ri as (di1 ; : : : ; din0R ), where dij
i
(
(
)
)
Proof (Lemma 1). Let us x notation for omponents of T by
ni
n Y
X
0
T=
i=1 j =1
Xi;j
We use the same assumption about C as in the proof of Proposition 3,
without loss of generality.
We dene R, I , H and f as in the proof of Proposition 3.
For any i 2 f1; : : : ; H g, Nf (i) is of the form
f(Ri;j ; (wi;j ; : : : ; wni;jRi;j )) j j 2 f1; : : : ; Hi gg
Let G be the set of all maps g on f1; : : : ; H g suh that, for any i, g (i) 2
f0; 1; : : : ; Hi g.
We dene m as the ardinality of G, and for any g 2 G, we dene Mg as
follows. Suppose (Æ; ) 2 I , let i 2 f1; : : : ; H g be suh that (Æ; )Rf (i), and let
JX K = f(JK; JK) j ( : X ) 2 C g
1
0
0
0
0
where (Æ 0 ; 0 ) = f (i). Then (Æ; ) and (Æ 0 ; 0 ) are related by (; Æ; Æ 0 ). We dene
M(gÆ;) =
( fg; if g(i) = 0
(i)
(i)
f(Ri;g(i) ; (ui;g
; : : : ; ui;g
1
nR
0
))g; if g (i) 6= 0
i;g(i)
i;g(i)
i;g(i)
where the uk
are uniquely determined by uk JXRi;g(i) ;k Kwki;g(i) .
It is straightforward to hek that eah g = (; ; T; ; M g ) is a parametri
M
I
family of sets, and that (i){(iv) in the statement of the lemma hold.
ut
Proof (Theorem 1). Let us rst x some notation:
ni
n Y
X
0
T=
i=1 j =1
m0i
m Y
X
Xi;j
Yi;j
i=1 j =1
S(Æ;) = (JT K(Æ;); JU K(Æ;) ; I(Æ;) ;
U=
! Æ; )
(
)
We dene an SLTS
S = (; ; A; ; B; ; I; R)
as follows.
A = f1; : : : ; ng
(i) = hxi;j : Xi;j j j = 1; : : : ; ni i
B = f1; : : : ; mg
(i) = hyi;j : Yi;j j j = 1; : : : ; mi i
0
0
where the xi;j and yi;j do not appear in .
Suppose i 2 A. Let
V = (; (i); Bool; J ; v)
be the family of values suh that J is full and
true; if (i; (i)) 2 I
v(Æ;) = f alse; otherwise
(Æ; )
Then V is parametri, so Proposition 3 gives us a term ; (i) ` ti : Bool suh
that Jti K(Æ;) = v(Æ;) for all (Æ; ) 2 J .
We dene I = f(i; ti ) j i 2 Ag.
Suppose i 2 A and j 2 B. Let
N = (; (i) (j ); T; K; N )
be the family of sets suh that K is full and
N(Æ; ) = fa j (i; (i))
(j; (j ))
(Æ; )
!
ag
Then N is parametri, so we an apply Lemma 1 to obtain M1 , . . . , MG .
Consider k 2 f1; : : : ; Gg. Let
W = (;
(i) (j ); T + U nit; K; w)
be the family of values suh that
(
a; if M(kÆ; ) = fag
w(Æ; ) = (n + 1; ())
; if M(kÆ; ) = fg
W is parametri by parametriity of Mk , so Proposition 3 gives us a term
; (i) (j ) ` s : T + U nit
whih denes W and whih is of the form
math h with 8H
inl (x) ) inRT l U nit (rl )
l
For any l 2 f1; : : : ; H g suh that Rl 2 f1; : : : ; ng, let
=1
+
gi;j;k;l = if h = l then true else f alse
Ei;j;k;l (xRl ;j ) = j (rl )
ii;j;k;l = Rl
0
0
0
R is dened to be the set of all (i; j; gi;j;k;l ; Ei;j;k;l ; ii;j;k;l ) as above.
It is routine to hek that, for any (Æ; ) 2 I , JSK(Æ;) = S(Æ;) .
0
ut
