A rewrite theory can be highly nondeterministic. In order to guide and control its executions, one can use a strategy language, indicating which computations, among the many different ones possible, should be executed for a given purpose. The semantics of such a strategy language can typically be understood as a function assigning to each strategy expression in the strategy language a set of finite computations. I define below a simple strategy language that shares some features with Maude's strategy language [12]. The strategy language guides the execution of a rewrite theory and has two parameters: the set $SP(\Omega, L)$ of spatial actions, and the set $\Pi$ of state predicates of the given rewrite theory $R \in RWTh_0$. The three main linguistic categories are: $Test(\Pi)$, $Strat(SP(\Omega, L), \Pi)$, and $StratForm(SP(\Omega, L), \Pi)$, corresponding, respectively, to tests, strategy expressions, and universally and existentially quantified strategy formulas. Using variables $\delta \in SP(\Omega, L)$, $p : Prop(\Pi)$, $e, e' : Strat(SP(\Omega, L), \Pi)$, and $b, b' : Test(\Pi)$ one can give the following BNF-like syntax definition:
– $Test(\Pi) : \top \mid \bot \mid p \mid \neg b \mid b \vee b' \mid b \wedge b'$
– $Strat(SP(\Omega, L), \Pi) : idle \mid \delta \mid \neg\delta \mid any \mid e \wedge e' \mid (e \mid e') \mid e ; e' \mid e^+ \mid e\ U\ e' \mid e.b$
– $StratForm(SP(\Omega, L), \Pi) : A e \mid E e$
One can slightly extend this language by the definitional extensions $e^* = idle \mid e^+$, $e^0 = idle$, and $e^{n+1} = e ; e^n$. The intuitive meaning of these strategy expressions, made fully precise below, is as follows. The most basic strategies are action patterns $\delta$, with the obvious meaning of a one-step rewrite that satisfies the action pattern $\delta$, and idle, which is the strategy that does not do anything and remains in the current state. The strategies $e \mid e'$, $e ; e'$, and $e^+$ are regular expressions with the obvious meaning of disjunction, sequential composition, and iteration. The strategy any allows us to give one step of rewriting without specifying which rule label to use. Therefore, if R has labels $l_1, \ldots, l_n$, then any is semantically equivalent to the strategy $l_1 \mid \ldots \mid l_n$. The strategy $e \wedge e'$ has a conjunctive meaning. However, given a finite computation (w, u), we do not insist that both e and e' hold for the whole of (w, u): it is enough for one of them, e or e', to hold for the whole of (w, u), and for the other to hold for an initial segment of (w, u). The strategy $e\ U\ e'$ is an until operator with the expected meaning: either e' holds for the whole computation, or the strategy e holds for subcomputations beginning at the first step, at the second, and so on, until a subcomputation beginning at
state n, and then e' holds for a subcomputation beginning at state n + 1. However, as in the case of $e \wedge e'$, all these subcomputations beginning at different stages need not end exactly when the entire computation (w, u) for which $e\ U\ e'$ holds does: they could end before. It is enough to require that at least one of them ends when (w, u) does. We can neatly capture this by saying that if n + 1 is the stage at which e' begins to hold, then in such a case $e\ U\ e'$ becomes equivalent to the conjunctive strategy $(\bigwedge_{0 \le j < n} any^j ; e) \wedge (any^n ; e')$. The strategy e.b combines e with a test b. It holds of a computation (w, u) iff e does and the test b succeeds for the last state in w.
Given a rewrite theory $R \in RWTh_0$, a state [t] in it, and a finite computation (w, u) in R, the semantics of tests, strategy expressions, and strategy formulas is defined by three satisfaction relations: one for tests b, of the form $R, [t] \models b$, another for strategy expressions e, of the form $R, (w, u) \models e$, and a third for strategy formulas $Ae$ or $Ee$, of the form either $R, [t] \models Ae$ or $R, [t] \models Ee$. Using juxtaposition for string concatenation, and the notational convention that $(w[t]w', uu')$ always denotes a well-formed decomposition of the sequence of states at a midpoint state [t] (which could be the first or the last), and of the sequence of proof terms $uu'$ in the computation $(w[t]w', uu')$, i.e., a decomposition such that $|w'| = |u'|$, and therefore $(w[t], u)$ and $([t]w', u')$ are also computations, we can define these three satisfaction relations inductively as follows:
– $R, [t] \models \top$
– $R, [t] \not\models \bot$
– $R, [t] \models p \Leftrightarrow p \in L_R([t])$
– $R, [t] \models \neg b \Leftrightarrow R, [t] \not\models b$
– $R, [t] \models b \vee b' \Leftrightarrow R, [t] \models b$ or $R, [t] \models b'$
– $R, [t] \models b \wedge b' \Leftrightarrow R, [t] \models b$ and $R, [t] \models b'$
– $R, ([t], nil) \models idle$
– $R, ([t][t'], \gamma) \models \delta \Leftrightarrow \gamma \sqsubseteq_A \delta$
– $R, ([t][t'], \gamma) \models \neg\delta \Leftrightarrow \gamma \not\sqsubseteq_A \delta$
– $R, ([t][t'], \gamma) \models any$
– $R, (w[t]w', uu') \models e \wedge e' \Leftrightarrow$ either ($R, (w[t]w', uu') \models e$ and $R, (w[t], u) \models e'$) or ($R, (w[t]w', uu') \models e'$ and $R, (w[t], u) \models e$)
– $R, (w, u) \models e \mid e' \Leftrightarrow R, (w, u) \models e$ or $R, (w, u) \models e'$
– $R, (w[t]w', uu') \models e ; e' \Leftrightarrow R, (w[t], u) \models e$ and $R, ([t]w', u') \models e'$
– $R, (w[t]w', uu') \models e^+ \Leftrightarrow$ either $R, (w[t]w', uu') \models e$ or ($R, (w[t], u) \models e$ and $R, ([t]w', u') \models e^+$)
– $R, (w[t]w', uu') \models e\ U\ e' \Leftrightarrow$ either $R, (w[t]w', uu') \models e'$ or the following conditions hold:
• $|w| = n \ge 1$
• there exist $k_0, \ldots, k_{n-1}, k$ satisfying the inequalities $1 \le k_i \le (|w[t]w'| - i)$ $(i = 0, \ldots, n-1)$ and $1 \le k \le |[t]w'|$, with at least one of those inequalities an actual equality, and we have $R, (w[t]w', uu')^0|_{\le k_0} \models e$ and $\ldots$ and $R, (w[t]w', uu')^{n-1}|_{\le k_{n-1}} \models e$ and $R, ([t]w', u')|_{\le k} \models e'$
– $R, (w[t], u) \models e.b \Leftrightarrow R, (w[t], u) \models e$ and $R, [t] \models b$
– $R, [t] \models Ae \Leftrightarrow \forall (\pi, \gamma) \in Comp(R)^\infty_{[t]}\ \exists k_{(\pi,\gamma)} \in \mathbb{N}$ s.t. $R, (\pi, \gamma)|_{\le k_{(\pi,\gamma)}} \models e$
– $R, [t] \models Ee \Leftrightarrow \exists (\pi, \gamma) \in Comp(R)^\infty_{[t]}\ \exists k \in \mathbb{N}$ s.t. $R, (\pi, \gamma)|_{\le k} \models e$
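As an added, runnable illustration of the satisfaction relations just defined (this checker is not part of the paper): a Python decision procedure for $R, (w, u) \models e$ on a constructed finite computation. It assumes that a state is represented by its label set $L_R([t])$, a proof term by its rule label, and $\gamma \sqsubseteq_A \delta$ by label equality; strategy and test expressions are nested tuples.

```python
# Added checker (not from the paper) for R,(w,u) |= e over finite computations. Assumptions:
# a state is its label set L_R([t]) (frozenset), a proof term its rule label, gamma ⊑_A delta is label equality.

def holds_test(b, state):
    """R,[t] |= b for tests built from top, bot, prop, not, or, and."""
    op = b[0]
    if op == 'top': return True
    if op == 'bot': return False
    if op == 'prop': return b[1] in state
    if op == 'not': return not holds_test(b[1], state)
    if op == 'or': return holds_test(b[1], state) or holds_test(b[2], state)
    return holds_test(b[1], state) and holds_test(b[2], state)       # 'and'

def sat(e, w, u):
    """R,(w,u) |= e with w = list of states, u = list of labels, len(w) == len(u) + 1."""
    op, n = e[0], len(u)
    pre = lambda i: (w[:i + 1], u[:i])         # (w[t], u)   for the midpoint [t] = w[i]
    suf = lambda i: (w[i:], u[i:])             # ([t]w', u') for the same midpoint
    if op == 'idle': return n == 0
    if op == 'act': return n == 1 and u[0] == e[1]
    if op == 'nact': return n == 1 and u[0] != e[1]
    if op == 'any': return n == 1
    if op == 'or': return sat(e[1], w, u) or sat(e[2], w, u)
    if op == 'test': return sat(e[1], w, u) and holds_test(e[2], w[-1])
    if op == 'and':   # one conjunct on the whole computation, the other on some prefix
        return any((sat(e[1], w, u) and sat(e[2], *pre(i))) or
                   (sat(e[2], w, u) and sat(e[1], *pre(i))) for i in range(n + 1))
    if op == 'seq':
        return any(sat(e[1], *pre(i)) and sat(e[2], *suf(i)) for i in range(n + 1))
    if op == 'plus':  # the i = 0 split would re-ask the same question: skip it (least fixed point)
        return sat(e[1], w, u) or any(sat(e[1], *pre(i)) and sat(e, *suf(i)) for i in range(1, n + 1))
    if sat(e[2], w, u):                        # 'until', first disjunct: e' holds on the whole computation
        return True
    for m in range(1, n + 1):                  # |w| = m: e on suffixes 0..m-1, e' on suffix m
        ok, full = True, False
        for i in range(m + 1):
            f = e[1] if i < m else e[2]        # suffix i, truncated to its first k states
            fits = [k for k in range(1, n - i + 2) if sat(f, w[i:i + k], u[i:i + k - 1])]
            ok, full = ok and bool(fits), full or (n - i + 1) in fits
        if ok and full:                        # every suffix fits and at least one runs to the end
            return True
    return False

# Constructed sample computation: three rewrite steps send, retry, ack.
W = [frozenset(), frozenset({'sent'}), frozenset({'sent'}), frozenset({'sent', 'done'})]
U = ['send', 'retry', 'ack']
E_RETRY = ('seq', ('act', 'send'), ('seq', ('plus', ('act', 'retry')), ('test', ('act', 'ack'), ('prop', 'done'))))
E_UNTIL = ('until', ('nact', 'ack'), ('act', 'ack'))   # non-ack steps until an ack step
```

The checker also reproduces two of the Lemma 4 equalities on concrete computations: $idle^+$ holds exactly where idle does, and $any \wedge idle$ holds exactly where any does.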
The above semantics defines a relation $e \equiv e'$ of semantic equivalence between strategy expressions, namely, $e \equiv e'$ iff for all rewrite theories R sharing $\Omega$, L and $\Pi$ and for all finite computations (w, u) in such an R we have the equivalence:
Since $e \equiv e'$ is defined by a logical equivalence, the relation $\equiv$ is obviously an equivalence relation. It is also relatively easy to see that it is a congruence with respect to the operators of the strategy language. For example, we can show the implication $e \equiv r \wedge e' \equiv r' \Rightarrow (e ; e') \equiv (r ; r')$ by the chain of equivalences
$R, (w[t]w', uu') \models e ; e' \Leftrightarrow (R, (w[t], u) \models e \wedge R, ([t]w', u') \models e') \Leftrightarrow (R, (w[t], u) \models r \wedge R, ([t]w', u') \models r') \Leftrightarrow R, (w[t]w', uu') \models r ; r'$
It is well known that finding a finitary equational axiomatization of semantic equivalences of this kind, even just for regular expressions, is quite a subtle matter; see, e.g., [44,42]. However, it is not difficult to use the above semantic definitions to prove, among many others, some useful algebraic equalities such as the following:
Lemma 4. The congruence between strategy expressions generated by the equations below, together with the equations of the theory of Boolean algebras for the elements of sort $Test(\Pi)$, is contained in the semantic congruence relation $\equiv$.
$e \wedge e' = e' \wedge e$
$(e \wedge e') \wedge e'' = e \wedge (e' \wedge e'')$
$idle \wedge e = e$
$e \wedge e = e$
$e \mid e' = e' \mid e$
$(e \mid e') \mid e'' = e \mid (e' \mid e'')$
$e \mid e = e$
$(e ; e') ; e'' = e ; (e' ; e'')$
$e ; idle = e$
$idle ; e = e$
$idle.b \mid idle = idle$
$idle^+ = idle$
$(idle.b)^+ = idle.b$
$idle.b \wedge idle.b' = idle.(b \wedge b')$
$idle.b ; idle.b' = idle.(b \wedge b')$
$idle.b ; (idle.b' ; e) = idle.(b \wedge b') ; e$
$idle.b \mid idle.b' = idle.(b \vee b')$
$any.b \wedge any.b' = any.(b \wedge b')$
$any \wedge any.b = any.b$
$any.b \mid any.b' = any.(b \vee b')$
$any \mid any.b = any$
$e.\top = e$
Proof. That if b and b' are equivalent modulo the Boolean algebra equations then $e.b \equiv e.b'$ follows easily from the semantics of tests and the semantics of strategies of the form e.b. I exemplify the method of proof for the equations $e ; (e' ; e'') = (e ; e') ; e''$ and $idle^+ = idle$ and leave the remaining equations as an exercise. For $e ; (e' ; e'') = (e ; e') ; e''$, we have to show that $e ; (e' ; e'') \equiv (e ; e') ; e''$. This follows from the following chain of equivalences:
$R, (w[t]w', uu') \models e ; (e' \mid e'') \Leftrightarrow (R, (w[t], u) \models e \wedge R, ([t]w', u') \models (e' \mid e''))$
$\Leftrightarrow R, (w[t], u) \models e \wedge (R, ([t]w', u') \models e' \vee R, ([t]w', u') \models e'')$
$\Leftrightarrow (R, (w[t], u) \models e \wedge R, ([t]w', u') \models e') \vee (R, (w[t], u) \models e \wedge R, ([t]w', u') \models e'')$
$\Leftrightarrow R, (w[t]w', uu') \models (e ; e') \mid (e ; e'')$
Regarding $idle^+ = idle$, first notice that $(w[t]w', uu') \models idle^+$ implies $w = w' = u = u' = nil$, since the first clause cannot be met unless this requirement holds, and the second clause could never be met unless its first conjunct satisfies $w = u = nil$ and its second conjunct satisfies $w' = u' = nil$ (otherwise, because of the recursive call with the same computation when evaluated again, we are guaranteed to loop forever). Now observe that on computations of the form $([t], nil)$ the strategy idle always holds; and $idle^+$ also always holds, because of the first disjunct in the clause defining the satisfaction of $e^+$. □
The set of equations obtained by adding to the equations in the above lemma a confluent and terminating set of equations for Boolean algebras (typically modulo associativity and commutativity: see [41] for four different such specifications) is confluent and terminating modulo the associativity and commutativity of $\wedge$ and $\mid$, plus the associativity and commutativity of the Boolean operations. This can be checked using automatic confluence and termination tools supporting rewriting modulo associativity and commutativity. I will always assume in what follows that strategy expressions are in canonical form with respect to these equations, so that they cannot be simplified any further.
The following lemma has an easy proof by structural induction and is left as an exercise.
Lemma 5. If a strategy e is in canonical form under the equations in Lemma 4, plus a set of confluent and terminating equations for Boolean algebras having $\top$ as a constructor, then $e \ne idle \Rightarrow e \not\equiv idle$. □
6.1 Guarantee TLR* Formulas as Strategies
We can define a translation from guarantee formulas to strategy expressions by means of a function $\sigma : GR(SP(\Omega, L), \Pi) \longrightarrow Strat(SP(\Omega, L), \Pi)$ defined inductively as follows.
– σ(λ) = λ – σ(α) = idle.α – σ( ∨ 0) = σ() | σ(0) – σ( ∧ 0) = σ() ∧ σ(0) – σ(X) = any; σ() – σ(U0) = σ() U σ(0) – σ(F) = any∗; σ()
The following theorem then reduces the satisfaction of guarantee formulas to that of their corresponding strategy expressions.
Theorem 3. Given a rewrite theory R ∈ RWTh0, a formula ∈ GR(SP (Ω, L), Π), and an
infinite computation (π, γ) ∈ Comp(R)∞, we have the equivalence: R, (π, γ) |= ⇔ ∃ k ∈ N s.t. R, (π, γ)|≤k|= σ()
Proof. The proof is by structural induction on the structure of the formula . Most cases are easy and can be left as exercises. The case of conjunction is slightly tricky, since one has to use the semantics of the (associative-commutative) conjunction operator for strategy expressions, where only one of the conjuncts has to satisfy the entire finite computation (w, u) (the other only has to satisfy a nonempty prefix of (w, u)). In such a case we have (by definition of TLR∗ satisfaction) R, (π, γ) |= ∧ 0 iff R, (π, γ) |= and R, (π, γ) |= 0
iff (by the induction hypothesis) there exist k, k0 ∈ N such that R, (π, γ)|≤k |= σ() and
R, (π, γ)|≤k0 |= σ(0) iff (by the definition of strategy satisfaction) R, (π, γ)|≤max(k,k0) |=
σ() ∧ σ(0). The only nontrivial remaining case is that of U0 formulas. The key point is to reformulate the definition of the TLR∗ satisfaction R, (π, γ) |= U0 as a disjunction of either R, (π, γ) |= 0, or there is an n ≥ 1 such that
R, (π, γ)n |= 0 ∧ ∀0 ≤ i < n R, (π, γ)i |= (4)
We then have disjuncts in both the semantics of U and U , and can prove the equivalence by proving the equivalence of each disjunct. The equivalence of the first disjuncts is trivial by the induction hypothesis. To see the equivalence of the second disjuncts, note that, by the induction hypothesis, (4) holds iff there are numbers k, k0, . . . , kn−1≥ 1, such that
R, (π, γ)n|
≤k|= σ(0) ∧ ∀0 ≤ i < n R, (π, γ)i|≤ki|= σ() (♥)
But choosing m = max(k0, . . . , kn−1+ (n − 1), k + n), the existence of k, k0, . . . , kn−1≥ 1,
such that (♥) holds is equivalent to the second clause for the satisfaction of R, (π, γ)|≤m|=
σ() U σ(0).2
Corollary 1. Given a rewrite theory R ∈ RWTh0, for each state a and formula ∈
GR(SP (Ω, L), Π) we have the following equivalences:
R, [t] |= A ⇔ R, [t] |= Aσ() R, [t] |= E ⇔ R, [t] |= Eσ()