On a semantic definition of data independence

Academic year: 2020

http://wrap.warwick.ac.uk/

Original citation:
Lazic, Ranko and Nowak, D. (2003) On a semantic definition of data independence. Coventry, UK: Department of Computer Science. (Computer Science Research Report). (Unpublished) CS-RR-392

Permanent WRAP url:
http://wrap.warwick.ac.uk/61244

Copyright and reuse:
The Warwick Research Archive Portal (WRAP) makes this work by researchers of the University of Warwick available open access under the following conditions. Copyright © and all moral rights to the version of the paper presented here belong to the individual author(s) and/or other copyright owners. To the extent reasonable and practicable the material made available in WRAP has been checked for eligibility before being made available.

Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way.

A note on versions:
The version presented in WRAP is the published version or, version of record, and may be cited as it appears here. For more information, please contact the WRAP Team at:


On a Semantic Definition of Data Independence

Ranko Lazić^{1 ★★} and David Nowak^2

^1 Department of Computer Science, University of Warwick, UK. Ranko.Lazic@dcs.warwick.ac.uk
^2 LSV, CNRS & ENS Cachan, France. David.Nowak@lsv.ens-cachan.fr

Abstract. A variety of results which enable model checking of important classes of infinite-state systems are based on exploiting the property of data independence. The literature contains a number of definitions of variants of data independence, which are given by syntactic restrictions in particular formalisms. More recently, data independence was defined for labelled transition systems using logical relations, enabling results about data independent systems to be proved without reference to a particular syntax. In this paper, we show that the semantic definition is sufficiently strong for this purpose. More precisely, it was known that any syntactically data independent symbolic LTS denotes a semantically data independent family of LTSs, but here we show that the converse also holds.

Keywords: data independence, definability, logical relations, nondeterminism

1 Introduction

Informally, a system is data independent with respect to a data type X when, apart from input, output and storage, the only operation that is performed on values of type X is testing a pair of them for equality. The stronger variant of data independence where equality on X is not available is also studied in the literature, as are weaker variants such as allowing constants of type X and unary predicates on X.

A variety of results which enable model checking [5] of important classes of infinite-state systems are based on exploiting data independence (e.g. [22, 12, 10, 19, 6, 14, 21, 18]). Although their proofs are in terms of semantics, most of these results are based on definitions of data independence which are by means of syntactic restrictions in particular formalisms.

★ We acknowledge support from the EPSRC Standard Research Grant `Exploiting Data Independence', GR/M32900. A part of this research was done at the Oxford University Computing Laboratory.

★★

variants with or without equality, constants and predicates was given in [15]. The semantic entities used are families of labelled transition systems (LTSs), which consist of an LTS per instantiation of a signature. A signature is a set of type variables and a term context. Logical relations [20] are used to define when a family of LTSs is parametric, and the definition of data independence is the special case when the term context of the signature consists of only equality predicates, constants and unary predicates. It is shown in [15] that the semantics of any syntactically data independent UNITY program [4] is a data independent family of LTSs. The same paper also proves a theorem based on the semantic definition which enables the problem of model checking a data independent system for all instantiations of X to be reduced to model checking for a finite number of finite instantiations. Since it is proved from the semantic definition, the theorem applies to any formalism which can be given semantics by LTSs in which transition labels record values of transition parameters.

Although the definition in [15] was sufficiently restrictive to prove the particular reduction theorem, it was not known whether that was an accident. In other words, it was not known whether the collection of all data independent families of LTSs was equal to or strictly larger than the collection of those which arise as semantics of syntactically data independent systems. In this paper, we show that it is equal.

More precisely, we show that, in the absence of inductive types, any parametric family of LTSs whose signature consists of equality predicates, uninterpreted predicates of arbitrary arity, and uninterpreted constants, and whose types of states and transition labels do not contain functions, is definable by a symbolic LTS with the same signature. Data independence as in [15] is the special case when the uninterpreted predicates are only unary. Inductive types are not considered for simplicity, because they are orthogonal to definability of families constrained by logical relations, which is the topic of the paper. Functions within states or transition labels are also excluded in the reduction theorems in [15]. Symbolic LTSs are a basic formalism which combines simply typed λ-calculus and nondeterminism. They can be seen as a graphical variant of UNITY, and are a generalisation of first-order Kripke structures [2].

Compared with the literature on definability in models based on logical relations (e.g. [17, 13, 1, 7]), we consider only first-order computation which can use equality testing and predicates of arbitrary arity, but the novelty in our result is that it applies to nondeterministic computation.


We fix notation for the syntax and set-theoretic semantics of the simply typed λ-calculus with product and sum types, for binary logical relations, and for LTSs. Terms of the λ-calculus will be used to form symbolic LTSs. In addition to typing the terms, types will be used to structure the semantic entities we shall consider, such as families of LTSs. Logical relations will serve to constrain families indexed by signature instantiations, such as in the semantic definition of data independence.

λ-calculus syntax. We assume TypeVars is an infinite set of names for type variables.

The syntax of types T is as follows:

$$T ::= X \in \mathit{TypeVars} \mid T_1 \times \cdots \times T_n \mid T_1 + \cdots + T_n \mid T_1 \to T_2$$

where n ranges over nonnegative integers.

For any type T, we write Free(T) for the set of free type variables of T. We assume TermVars is an infinite set of names for term variables. A type context is a sequence of the form

$$\langle x_1 : T_1, \ldots, x_n : T_n \rangle$$

where the $x_i$ are distinct term variables.

We write $\Gamma(x)$ for the type associated to the term variable x in $\Gamma$. The type context $\Gamma \setminus x$ is obtained by removing $x : \Gamma(x)$ from $\Gamma$ if $x \in \mathrm{Dom}(\Gamma)$, otherwise it is $\Gamma$. The type context $\Gamma\,\Gamma'$ is the concatenation of $\Gamma$ and $\Gamma'$, provided their domains are disjoint.

A signature is an ordered pair $(\Sigma, \Gamma)$, where

– $\Sigma$ is a finite subset of TypeVars, and
– $\Gamma$ is a type context such that $\mathrm{Free}(\Gamma(x)) \subseteq \Sigma$ for each $x \in \mathrm{Dom}(\Gamma)$.

Typing rules.

$$\frac{}{\Sigma;\Gamma \vdash x : T}\quad \text{if } \Gamma(x) = T$$

$$\frac{\Sigma;\Gamma \vdash t_i : T_i \quad \text{for } i = 1,\ldots,n}{\Sigma;\Gamma \vdash \langle t_1,\ldots,t_n\rangle : T_1 \times \cdots \times T_n}$$

$$\frac{\Sigma;\Gamma \vdash t : T_1 \times \cdots \times T_n}{\Sigma;\Gamma \vdash \pi_i(t) : T_i}\quad \text{for } i = 1,\ldots,n$$

$$\frac{\Sigma;\Gamma \vdash t : T_i}{\Sigma;\Gamma \vdash \mathrm{in}^{T_1+\cdots+T_n}_i(t) : T_1 + \cdots + T_n}\quad \text{for } i = 1,\ldots,n$$

$$\frac{\Sigma;\Gamma \vdash t : T_1 + \cdots + T_n \qquad \Sigma;(\Gamma \setminus x)\langle x : T_i\rangle \vdash t_i : T \ \text{ for } i = 1,\ldots,n}{\Sigma;\Gamma \vdash \mathbf{match}\ t\ \mathbf{with}\ \mathrm{in}_1(x) \Rightarrow t_1 \parallel \cdots \parallel \mathrm{in}_n(x) \Rightarrow t_n : T}$$

$$\frac{\Sigma;(\Gamma \setminus x)\langle x : T_1\rangle \vdash t : T_2}{\Sigma;\Gamma \vdash \lambda x : T_1 .\, t : T_1 \to T_2}$$

$$\frac{\Sigma;\Gamma \vdash t_1 : T_1 \to T_2 \qquad \Sigma;\Gamma \vdash t_2 : T_1}{\Sigma;\Gamma \vdash t_1\, t_2 : T_2}$$

We write Free(t) for the set of free term variables of t.

λ-calculus semantics. A set map is a partial map from TypeVars to sets, whose domain is finite.

For any type T, and any set map $\delta$ such that $\mathrm{Free}(T) \subseteq \mathrm{Dom}(\delta)$, we write $[\![T]\!]_\delta$ for the denotational semantics of T with respect to $\delta$:

$$[\![X]\!]_\delta = \delta[\![X]\!]$$
$$[\![T_1 \times \cdots \times T_n]\!]_\delta = [\![T_1]\!]_\delta \times \cdots \times [\![T_n]\!]_\delta$$
$$[\![T_1 + \cdots + T_n]\!]_\delta = \{1\} \times [\![T_1]\!]_\delta \ \cup \cdots \cup\ \{n\} \times [\![T_n]\!]_\delta$$
$$[\![T_1 \to T_2]\!]_\delta = [\![T_1]\!]_\delta \to [\![T_2]\!]_\delta$$

A value map $\rho$ is a map whose domain is a finite subset of TermVars. We write $\rho[x \mapsto v]$ for the value map whose domain is $\mathrm{Dom}(\rho) \cup \{x\}$, and which is defined by $\rho[x \mapsto v][\![x]\!] = v$ and $\rho[x \mapsto v][\![y]\!] = \rho[\![y]\!]$ if $y \neq x$.

Given a type context $\Gamma$ and a set map $\delta$ such that $\mathrm{Free}(\Gamma(x)) \subseteq \mathrm{Dom}(\delta)$ for each $x \in \mathrm{Dom}(\Gamma)$, we say that a value map $\rho$ is with respect to $\Gamma$ and $\delta$ iff

– $\mathrm{Dom}(\rho) = \mathrm{Dom}(\Gamma)$, and
– $\rho[\![x]\!] \in [\![\Gamma(x)]\!]_\delta$ for each $x \in \mathrm{Dom}(\Gamma)$.

For any term $\Sigma;\Gamma \vdash t : T$ and any instantiation $(\delta, \rho)$, we write $[\![\Sigma;\Gamma \vdash t : T]\!]_{(\delta,\rho)}$ for the denotational semantics of $\Sigma;\Gamma \vdash t : T$ with respect to $(\delta, \rho)$. This is defined by

$$[\![\Sigma;\Gamma \vdash x : T]\!]_{(\delta,\rho)} = \rho[\![x]\!]$$

$$[\![\Sigma;\Gamma \vdash \langle t_1,\ldots,t_n\rangle : T_1 \times \cdots \times T_n]\!]_{(\delta,\rho)} = \big([\![\Sigma;\Gamma \vdash t_1 : T_1]\!]_{(\delta,\rho)}, \ldots, [\![\Sigma;\Gamma \vdash t_n : T_n]\!]_{(\delta,\rho)}\big)$$

$$[\![\Sigma;\Gamma \vdash \pi_i(t) : T_i]\!]_{(\delta,\rho)} = v_i \quad \text{if } [\![\Sigma;\Gamma \vdash t : T_1 \times \cdots \times T_n]\!]_{(\delta,\rho)} = (v_1,\ldots,v_n)$$

$$[\![\Sigma;\Gamma \vdash \mathrm{in}^{T_1+\cdots+T_n}_i(t) : T_1 + \cdots + T_n]\!]_{(\delta,\rho)} = \big(i, [\![\Sigma;\Gamma \vdash t : T_i]\!]_{(\delta,\rho)}\big)$$

$$[\![\Sigma;\Gamma \vdash \mathbf{match}\ t\ \mathbf{with}\ \mathrm{in}_1(x) \Rightarrow t_1 \parallel \cdots \parallel \mathrm{in}_n(x) \Rightarrow t_n : T]\!]_{(\delta,\rho)} = [\![\Sigma;(\Gamma \setminus x)\langle x : T_i\rangle \vdash t_i : T]\!]_{(\delta,\rho[x \mapsto v])}$$
$$\text{if } [\![\Sigma;\Gamma \vdash t : T_1 + \cdots + T_n]\!]_{(\delta,\rho)} = (i, v)$$

$$[\![\Sigma;\Gamma \vdash \lambda x : T_1 .\, t : T_1 \to T_2]\!]_{(\delta,\rho)} = f \quad \text{where } f(v) = [\![\Sigma;(\Gamma \setminus x)\langle x : T_1\rangle \vdash t : T_2]\!]_{(\delta,\rho[x \mapsto v])}$$

$$[\![\Sigma;\Gamma \vdash t_1\, t_2 : T_2]\!]_{(\delta,\rho)} = [\![\Sigma;\Gamma \vdash t_1 : T_1 \to T_2]\!]_{(\delta,\rho)}\big([\![\Sigma;\Gamma \vdash t_2 : T_1]\!]_{(\delta,\rho)}\big)$$
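The clauses above can be read off directly as an evaluator. The following is an added example, not code from the paper: it encodes terms as tagged tuples (a constructed encoding, not the paper's syntax), interprets them exactly as the semantic equations prescribe (tuples for products, pairs (i, v) with 1-based i for sums, Python callables for functions, and ρ[x ↦ v] as a dictionary extension), and exercises it on the Bool encoding that the paper introduces next and on a pair-swapping λ-term. The set map δ plays no part in evaluation itself, it only fixes the carrier sets, so it is not passed.

```python
def evaluate(t, rho):
    """[[Sigma;Gamma |- t : T]]_(delta,rho) as a Python value.
    Term encoding (constructed for this example):
      ("var", x)                 term variable
      ("tuple", [t1, ..., tn])   <t1, ..., tn>
      ("proj", i, t)             pi_i(t), 1-based
      ("in", i, t)               in_i(t), 1-based
      ("match", t, x, [t1..tn])  match t with in_1(x) => t1 || ... || in_n(x) => tn
      ("lam", x, T, t)           lambda x : T . t   (T is carried but unused here)
      ("app", t1, t2)            t1 t2
    """
    tag = t[0]
    if tag == "var":
        return rho[t[1]]                                   # rho[[x]]
    if tag == "tuple":
        return tuple(evaluate(ti, rho) for ti in t[1])     # componentwise
    if tag == "proj":
        return evaluate(t[2], rho)[t[1] - 1]               # v_i of (v_1, ..., v_n)
    if tag == "in":
        return (t[1], evaluate(t[2], rho))                 # (i, [[t]])
    if tag == "match":
        i, v = evaluate(t[1], rho)                         # scrutinee denotes (i, v)
        x, branches = t[2], t[3]
        return evaluate(branches[i - 1], {**rho, x: v})    # branch i under rho[x -> v]
    if tag == "lam":
        x, body = t[1], t[3]
        return lambda v: evaluate(body, {**rho, x: v})     # f(v) = [[t]]_(rho[x -> v])
    if tag == "app":
        return evaluate(t[1], rho)(evaluate(t[2], rho))
    raise ValueError(f"unknown term {t!r}")


# Bool = Unit + Unit with false = in_1(<>) and true = in_2(<>), as in the paper.
UNIT = ("prod", [])
BOOL = ("sum", [UNIT, UNIT])
FALSE = ("in", 1, ("tuple", []))
TRUE = ("in", 2, ("tuple", []))

# not = lambda b : Bool . match b with in_1(x) => true || in_2(x) => false
NOT = ("lam", "b", BOOL, ("match", ("var", "b"), "x", [TRUE, FALSE]))

# swap = lambda p : X * X . <pi_2(p), pi_1(p)>
X = ("var", "X")
SWAP = ("lam", "p", ("prod", [X, X]),
        ("tuple", [("proj", 2, ("var", "p")), ("proj", 1, ("var", "p"))]))


def not_of(term):
    """Apply NOT to a closed Bool term and return its denotation (1, ()) or (2, ())."""
    return evaluate(("app", NOT, term), {})


def swap_pair(pair):
    """Apply SWAP to the value of a free variable c bound to `pair` in rho."""
    return evaluate(("app", SWAP, ("var", "c")), {"c": pair})


if __name__ == "__main__":
    print("not true  =", not_of(TRUE))      # (1, ()), i.e. false
    print("not false =", not_of(FALSE))     # (2, ()), i.e. true
    print("swap      =", swap_pair(("u", "w")))
```

Applying a predicate from the signature works the same way: a value map that binds p to a Python function from δ⟦X⟧ to the two Bool values makes `("app", ("var", "p"), ("var", "z"))` evaluate to ρ⟦p⟧(ρ⟦z⟧), which is how the guards of the symbolic LTSs later in the paper are interpreted.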

Some abbreviations. We define some standard types:

$$\mathrm{Unit} = \text{the empty product type} \qquad \mathrm{Bool} = \mathrm{Unit} + \mathrm{Unit} \qquad \mathrm{Enum}_k = \underbrace{\mathrm{Unit} + \cdots + \mathrm{Unit}}_{k}$$

We also define terms and values:

$$\mathit{false} = \mathrm{in}^{\mathrm{Bool}}_1(\langle\rangle) \qquad \mathit{true} = \mathrm{in}^{\mathrm{Bool}}_2(\langle\rangle) \qquad \mathit{false} = (1, ()) \qquad \mathit{true} = (2, ())$$

so that we have:

$$[\![\mathrm{Bool}]\!]_{\{\}} = \{\mathit{false}, \mathit{true}\} \qquad [\![\mathrm{Enum}_k]\!]_{\{\}} = \{(1, ()), \ldots, (k, ())\}$$

Logical relations. A relation map is a triple $(\gamma, \delta, \delta')$ such that

– $\gamma$ is a partial map from TypeVars to relations, whose domain is finite,
– $\delta$ and $\delta'$

A relation map $(\gamma, \delta, \delta')$ determines a logical relation [20] indexed by the types T such that $\mathrm{Free}(T) \subseteq \mathrm{Dom}(\gamma)$. For any such type T, we write $[\![T]\!]_{(\gamma,\delta,\delta')}$ for the component at T of the logical relation. This is a relation between the sets $[\![T]\!]_\delta$ and $[\![T]\!]_{\delta'}$, and is defined by

$$[\![X]\!]_{(\gamma,\delta,\delta')} = \gamma[\![X]\!]$$

$$[\![T_1 \times \cdots \times T_n]\!]_{(\gamma,\delta,\delta')} = \{(a, a') \mid \forall i \in \{1,\ldots,n\}.\ \pi_i(a)\ [\![T_i]\!]_{(\gamma,\delta,\delta')}\ \pi_i(a')\}$$

$$[\![T_1 + \cdots + T_n]\!]_{(\gamma,\delta,\delta')} = \{((i, a), (i', a')) \mid i = i' \wedge a\ [\![T_i]\!]_{(\gamma,\delta,\delta')}\ a'\}$$

$$[\![T_1 \to T_2]\!]_{(\gamma,\delta,\delta')} = \{(f, f') \mid \forall a, a'.\ a\ [\![T_1]\!]_{(\gamma,\delta,\delta')}\ a' \Rightarrow f(a)\ [\![T_2]\!]_{(\gamma,\delta,\delta')}\ f'(a')\}$$

Labelled transition systems. An LTS is a tuple $S = (A, B, I, \to)$ such that A and B are sets, $I \subseteq A$ and $\to \subseteq A \times B \times A$.

We say that A is the set of states, B is the set of transition labels, I is the set of initial states, and $\to$ is the transition relation. We write $a_1 \xrightarrow{b} a_2$ for $(a_1, b, a_2) \in \to$.

3 Parametric Families

If $(\Sigma, \Gamma)$ is a signature, then the semantics of a term or program which uses $(\Sigma, \Gamma)$, with respect to a class I of instantiations of $(\Sigma, \Gamma)$, can be seen as a family of semantic elements which is indexed by I. We now define three kinds of such families, namely those of values, sets and LTSs. In the first two cases, there is a type T such that the family member whose index is $(\delta, \rho)$ is an element/subset of $[\![T]\!]_\delta$. In the case of LTSs, there are two types T and U which determine the sets of states and transition labels of family members.

Definition 1 (families). A family of values, sets, or LTSs (respectively) is of the form $(\Sigma, \Gamma, T, I, v)$, $(\Sigma, \Gamma, T, I, N)$, or $(\Sigma, \Gamma, T, U, I, S)$.

$(\Sigma, \Gamma)$ is a signature, T and U are types such that $\mathrm{Free}(T) \subseteq \Sigma$ and $\mathrm{Free}(U) \subseteq \Sigma$, and I is a class of instantiations of $(\Sigma, \Gamma)$.

The vectors v, N and S are indexed by elements of I. For each $(\delta, \rho) \in I$, we have $v_{(\delta,\rho)} \in [\![T]\!]_\delta$, $N_{(\delta,\rho)} \subseteq [\![T]\!]_\delta$, and $S_{(\delta,\rho)}$ is an LTS with set of states $[\![T]\!]_\delta$ and set of transition labels $[\![U]\!]_\delta$. □

Logical relations can be used as follows to define when a family is parametric. We shall see below that families arising as semantics of λ-calculus terms or of symbolic LTSs have this property.

The details are as in [15], except that here we treat families of values and sets explicitly, because they will be used later in the paper. The definitions of when two sets/LTSs are related can be seen as liftings of logical relations to powerset/LTS types, although we do not give such types first-class status. A more general treatment of such liftings of logical relations can be found in [8].

– $M \subseteq N$ and $M' \subseteq N'$.

We say that P relates M and M' iff

$$\forall x \in M\ \exists x' \in M'.\ (x, x') \in P \qquad \wedge \qquad \forall x' \in M'\ \exists x \in M.\ (x, x') \in P \qquad \square$$

Definition 3 (universal partial R-bisimulation). Suppose:

– P is a relation between A and A';
– R is a relation between B and B';
– $S = (A, B, I, \to)$ and $S' = (A', B', I', \to')$ are LTSs.

We say that P is a universal partial R-bisimulation between S and S' iff

(i) whenever $a\, P\, a'$ then $a \in I$ iff $a' \in I'$, and
(ii) whenever $a_1\, P\, a'_1$ and $b\, R\, b'$, then P relates $\{a_2 \mid a_1 \xrightarrow{b} a_2\}$ and $\{a'_2 \mid a'_1 \xrightarrow{b'}{}' a'_2\}$. □

Definition 4 (parametric families). A family $(\Sigma, \Gamma, T, I, v)$, $(\Sigma, \Gamma, T, I, N)$, or $(\Sigma, \Gamma, T, U, I, S)$ (respectively) is parametric iff, for any $(\delta, \rho), (\delta', \rho') \in I$, and any relation map $(\gamma, \delta, \delta')$ such that

$$\forall x \in \mathrm{Dom}(\Gamma).\ \rho[\![x]\!]\ [\![\Gamma(x)]\!]_{(\gamma,\delta,\delta')}\ \rho'[\![x]\!]$$

we have

– $v_{(\delta,\rho)}\ [\![T]\!]_{(\gamma,\delta,\delta')}\ v_{(\delta',\rho')}$,
– $[\![T]\!]_{(\gamma,\delta,\delta')}$ relates $N_{(\delta,\rho)}$ and $N_{(\delta',\rho')}$, or
– $[\![T]\!]_{(\gamma,\delta,\delta')}$ is a universal partial $[\![U]\!]_{(\gamma,\delta,\delta')}$-bisimulation between $S_{(\delta,\rho)}$ and $S_{(\delta',\rho')}$. □

We can now state the Basic Lemma of logical relations [20] in the following way.

Proposition 1. For any term $\Sigma;\Gamma \vdash t : T$ and class I of instantiations of $(\Sigma, \Gamma)$, the family $(\Sigma, \Gamma, T, I, [\![t]\!])$ is parametric. □

Signatures which consist of equality predicates, uninterpreted predicates, and uninterpreted constants will be important later in the paper, as will types which are sums of products of type variables, and classes of instantiations whose only restriction is that equality predicates are interpreted as expected. These will determine the kind of parametric families of LTSs which our main result applies to.

Terminology 1. We say that a signature $(\Sigma, \Gamma)$ is EPC iff $\Gamma$ is of the form $\Gamma_E\, \Gamma_P\, \Gamma_C$ such that

$\Gamma_P$ … and
– any $\Gamma_C(\zeta)$ is a product of type variables.

A type T is SP iff it is a sum of products of type variables.

The full class of instantiations of an EPC-signature $(\Sigma, \Gamma)$ consists of all $(\delta, \rho)$ such that $\rho[\![e]\!]$ is the equality predicate on $\delta[\![X]\!]$ for any $e : ((X \times X) \to \mathrm{Bool})$ in $\Gamma_E$. □

Data independence was defined semantically in [15] as parametricity of families of LTSs whose signatures are EPC with only unary uninterpreted predicates, and whose classes of instantiations are full.

Example 1. Consider a family of LTSs defined as follows. The signature

$$\Sigma = \{X\} \qquad \Gamma = \langle p : X \to \mathrm{Bool},\ q : (X \times X) \to \mathrm{Bool}\rangle$$

consists of type variable X, unary uninterpreted predicate p on X, and binary uninterpreted predicate q on X.

The type of states $T = X + (X \times X)$ can be seen as two control states, the first with one data item of type X, the second with two data items of type X. The type of transition labels $U = X$ means that any transition has a parameter of type X.

I consists of all instantiations of $(\Sigma, \Gamma)$, and any $S_{(\delta,\rho)}$ is such that

– a state is initial iff it is the first control state together with data u which satisfies p, and
– a transition is from the first control state to the second provided either the parameter w satisfies p and the two target data items $v_1$ and $v_2$ are set to w and the source data u, or (u, w) satisfies q and $v_1$, $v_2$ are set to u, w.

More formally:

$$I_{(\delta,\rho)} = \{(1, u) \mid \rho[\![p]\!](u)\}$$

$$\to_{(\delta,\rho)} = \{((1, u), w, (2, (v_1, v_2))) \mid (\rho[\![p]\!](w) \wedge v_1 = w \wedge v_2 = u) \vee (\rho[\![q]\!](u, w) \wedge v_1 = u \wedge v_2 = w)\}$$

It is straightforward to check that this family is parametric. In fact, as we shall see in Example 2, it is the semantics of a symbolic LTS.

Let $\delta[\![X]\!]$ be a two-element set $\{a_1, a_2\}$ and $\delta'[\![X]\!]$ a three-element set $\{b_1, b_2, b_3\}$. Let $\rho$ and $\rho'$ be such that $\rho[\![p]\!]$ holds only on $a_1$, $\rho'[\![p]\!]$ holds on $b_1$ and $b_2$, and $\rho[\![q]\!]$ and $\rho'[\![q]\!]$ hold on all pairs. Define $\gamma[\![X]\!]$ by $a_1\ \gamma[\![X]\!]\ b_1$ and $a_1\ \gamma[\![X]\!]\ b_2$. Then $[\![T]\!]_{(\gamma,\delta,\delta')}$ is a universal partial $[\![U]\!]_{(\gamma,\delta,\delta')}$-bisimulation between $S_{(\delta,\rho)}$ and $S_{(\delta',\rho')}$.

[Figure: the related transitions $(1, a_1) \xrightarrow{a_1} (2, (a_1, a_1))$ in $S_{(\delta,\rho)}$ and $(1, b_1) \xrightarrow{b_2} (2, (b_2, b_1))$ in $S_{(\delta',\rho')}$.] □
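The bisimulation claim at the end of Example 1 can be checked mechanically for the two instantiations just given. The following is an added example, not code from the paper: it builds the two members $S_{(\delta,\rho)}$ and $S_{(\delta',\rho')}$ of the Example 1 family from the formal definition of $I_{(\delta,\rho)}$ and $\to_{(\delta,\rho)}$, implements "relates" (Definition 2) and universal partial R-bisimulation (Definition 3) for finite LTSs, lifts $\gamma[\![X]\!]$ to $[\![T]\!]$ and $[\![U]\!]$ by hand for the two specific types $T = X + (X \times X)$ and $U = X$, and confirms the check passes. The element names a1, a2 and b1, b2, b3 are the constructed names used for $\delta[\![X]\!]$ and $\delta'[\![X]\!]$ above; a second run with a γ that relates $a_1$ to $b_3$, where $\rho'[\![p]\!]$ fails, shows condition (i) being violated.

```python
from itertools import product


class LTS:
    """A finite LTS (A, B, I, ->) as in Section 2."""

    def __init__(self, states, labels, initial, trans):
        self.A, self.B = frozenset(states), frozenset(labels)
        self.I, self.trans = frozenset(initial), frozenset(trans)

    def succ(self, a, b):
        """{a2 | a -b-> a2}"""
        return frozenset(a2 for (a1, b1, a2) in self.trans if a1 == a and b1 == b)


def example1(X, p, q):
    """S_(delta,rho) of Example 1 for delta[[X]] = X, rho[[p]] = p, rho[[q]] = q.
    States are (1, u) or (2, (v1, v2)); labels are elements of X."""
    states = {(1, u) for u in X} | {(2, (v1, v2)) for v1 in X for v2 in X}
    initial = {(1, u) for u in X if p(u)}
    trans = set()
    for u, w in product(X, repeat=2):
        if p(w):                                   # v1 = w, v2 = u
            trans.add(((1, u), w, (2, (w, u))))
        if q(u, w):                                # v1 = u, v2 = w
            trans.add(((1, u), w, (2, (u, w))))
    return LTS(states, X, initial, trans)


def relates(P, M, M2):
    """Definition 2: P relates M and M' iff each element of either set is
    P-related to some element of the other."""
    return (all(any((x, x2) in P for x2 in M2) for x in M)
            and all(any((x, x2) in P for x in M) for x2 in M2))


def is_universal_partial_bisimulation(P, R, S, S2):
    """Definition 3: (i) related states agree on being initial;
    (ii) for related states and related labels, P relates the successor sets."""
    for (a, a2) in P:
        if (a in S.I) != (a2 in S2.I):
            return False
    for (a1, a12) in P:
        for (b, b2) in R:
            if not relates(P, S.succ(a1, b), S2.succ(a12, b2)):
                return False
    return True


def lift_example1(gammaX):
    """[[T]]_(gamma,delta,delta') for T = X + (X x X) and [[U]] for U = X,
    written out for these two types only (the sum clause keeps the injection
    index, the product clause relates componentwise)."""
    rel_T = ({((1, u), (1, u2)) for (u, u2) in gammaX}
             | {((2, (v1, v2)), (2, (v12, v22)))
                for (v1, v12) in gammaX for (v2, v22) in gammaX})
    return frozenset(rel_T), frozenset(gammaX)


# Constructed instantiations matching the text: p holds only on a1 in the
# two-element set, on b1 and b2 in the three-element set; q holds everywhere.
X1, X2 = {"a1", "a2"}, {"b1", "b2", "b3"}
S1 = example1(X1, lambda u: u == "a1", lambda u, w: True)
S2 = example1(X2, lambda u: u in {"b1", "b2"}, lambda u, w: True)


def check(gammaX):
    """Run the Definition 3 check for a given gamma[[X]] between S1 and S2."""
    P, R = lift_example1(gammaX)
    return is_universal_partial_bisimulation(P, R, S1, S2)


if __name__ == "__main__":
    print(check({("a1", "b1"), ("a1", "b2")}))   # the relation map of the text
    print(check({("a1", "b3")}))                 # a1 initial, b3 not: fails (i)
```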

4 Symbolic Labelled Transition Systems

The notion of SLTSs we define below is a formalism for expressing nondeterministic reactive systems, which is based on the simply typed λ-calculus introduced in Section 2.

An SLTS S computes on types built from type variables from $\Sigma$, using operations from $\Gamma$, where $(\Sigma, \Gamma)$ is a signature. S has a set A of symbolic states, and a set B of symbolic labels. The elements of A and B have associated type contexts $\Phi(a)$ and $\Psi(b)$. Symbolic states can be thought of as control states, where $\Phi(a)$ are data variables at a. Similarly, symbolic labels can be thought of as kinds of transitions, so that $\Psi(b)$ are parameters for transitions of kind b.

The initial states of S are given as a set of pairs (a, t), where t is a λ-calculus term of type Bool which specifies which data values associated with the symbolic state a form initial states.

The transitions of S are given by symbolic transitions. A symbolic transition has source and target symbolic states, a symbolic label, a guard, and an assignment. The guard is a λ-calculus term of type Bool which determines when the symbolic transition is enabled, in which case the action of the symbolic transition is to set each data variable at the target symbolic state according to the assignment. In particular, the lifetime of data variables and transition parameters is one transition. Nondeterminism is present when S has more than one symbolic transition with the same source symbolic state and the same symbolic label.

The fact that SLTSs allow different sets of data variables at different symbolic states can be used e.g. to model data which is local to a part of the system. Observe also that a portion of data in a system (such as data which is not treated in a data independent manner) can be modelled non-symbolically by regarding it as part of control.

$$(\Sigma, \Gamma, A, \Phi, B, \Psi, I, R)$$

such that:

– $(\Sigma, \Gamma)$ is a signature.
– A and B are sets. We call elements of A symbolic states, and elements of B symbolic labels.
– $\Phi$ and $\Psi$ are such that, for any $a \in A$ and $b \in B$, we have that $(\Sigma, \Phi(a))$ and $(\Sigma, \Psi(b))$ are signatures, and that $\mathrm{Dom}(\Phi(a))$ and $\mathrm{Dom}(\Psi(b))$ are disjoint from $\mathrm{Dom}(\Gamma)$.
– I is a set of ordered pairs (a, t), where $a \in A$ and $\Sigma;\Gamma\,\Phi(a) \vdash t : \mathrm{Bool}$ is a term. We say that t is an initial condition, and that elements of I are symbolic initial states.
– R is a set of tuples of the form $(a_1, b, g, E, a_2)$ where $a_1, a_2 \in A$, $b \in B$, $\mathrm{Dom}(\Phi(a_1))$ and $\mathrm{Dom}(\Psi(b))$ are disjoint, $\Sigma;\Gamma\,\Phi(a_1)\,\Psi(b) \vdash g : \mathrm{Bool}$ is a term, and E is such that, for any $x \in \mathrm{Dom}(\Phi(a_2))$, $\Sigma;\Gamma\,\Phi(a_1)\,\Psi(b) \vdash E(x) : \Phi(a_2)(x)$ is a term. We say that $a_1$ is the symbolic source state, $a_2$ is the symbolic target state, g is the guard, E is the assignment, R is the symbolic transition relation and its elements are symbolic transitions. We write $a_1\,[b : g \hookrightarrow E\rangle_R\, a_2$ for $(a_1, b, g, E, a_2) \in R$. □

Example 2. The following SLTS is illustrated in the figure.

– $\Sigma = \{X\}$;
– $\Gamma = \langle p : X \to \mathrm{Bool},\ q : (X \times X) \to \mathrm{Bool}\rangle$;
– $A = \{a_1, a_2\}$;
– $\Phi(a_1) = \langle x : X\rangle$, $\Phi(a_2) = \langle y_1 : X, y_2 : X\rangle$;
– $B = \{b\}$;
– $\Psi(b) = \langle z : X\rangle$;
– $I = \{(a_1, p\,x)\}$;
– $a_1\,[b : p\,z \hookrightarrow \{y_1 \mapsto z, y_2 \mapsto x\}\rangle\, a_2$ and $a_1\,[b : q\,x\,z \hookrightarrow \{y_1 \mapsto x, y_2 \mapsto z\}\rangle\, a_2$.

[Figure: symbolic states $a_1\ \langle x : X\rangle$ and $a_2\ \langle y_1 : X, y_2 : X\rangle$, joined by two symbolic transitions with label $b\ \langle z : X\rangle$: one with guard $p\,z$ and assignment $y_1, y_2 := z, x$, the other with guard $q\,x\,z$ and assignment $y_1, y_2 := x, z$.] □

Given an SLTS S and an instantiation $(\delta, \rho)$ of its signature $(\Sigma, \Gamma)$, we will define a concrete LTS $[\![S]\!]_{(\delta,\rho)}$. Provided the sets of symbolic states and symbolic labels of S are finite, and given a class of instantiations of $(\Sigma, \Gamma)$, the concrete LTSs $[\![S]\!]_{(\delta,\rho)}$ will form a parametric family.

Notation 1. Given a signature $(\Sigma, \Gamma)$, where $\Gamma = \langle x_1 : T_1, \ldots, x_n : T_n\rangle$, and a set map $\delta$ such that $\Sigma \subseteq \mathrm{Dom}(\delta)$, let $[\![\Gamma]\!]_\delta$ be defined by

$$[\![\Gamma]\!]_\delta = \{(v_1, \ldots, v_n) \mid \forall i.\ v_i \in [\![T_i]\!]_\delta\}$$

Given a type context $\Gamma = \langle x_1 : T_1, \ldots, x_n : T_n\rangle$, a value map $\rho$ such that $\mathrm{Dom}(\rho) \cap \mathrm{Dom}(\Gamma) = \{\}$, and a tuple $v = (v_1, \ldots, v_n)$, let $\rho\,\Gamma\,v$ be the map $\rho$ extended by $x_i \mapsto v_i$ for all $x_i \in \mathrm{Dom}(\Gamma)$. □

Definition 6 (semantics of SLTSs). Given an SLTS

$$S = (\Sigma, \Gamma, A, \Phi, B, \Psi, I, R)$$

and an instantiation $(\delta, \rho)$ of $(\Sigma, \Gamma)$, let $[\![S]\!]_{(\delta,\rho)}$ be the LTS $(\mathcal{A}, \mathcal{B}, \mathcal{I}, \to)$ defined as follows:

– $\mathcal{A} = \{(a, v) \mid a \in A \wedge v \in [\![\Phi(a)]\!]_\delta\}$.
– $\mathcal{B} = \{(b, w) \mid b \in B \wedge w \in [\![\Psi(b)]\!]_\delta\}$.
– $\mathcal{I} = \bigcup_{(a,t) \in I} [\![(a, t)]\!]_{(\delta,\rho)}$ where

$$[\![(a, t)]\!]_{(\delta,\rho)} = \{(a, v) \in \mathcal{A} \mid [\![\Sigma;\Gamma\,\Phi(a) \vdash t : \mathrm{Bool}]\!]_{(\delta,\ \rho\,\Phi(a)\,v)} = \mathit{true}\}.$$

– The transition relation $\to$ is the set of triples

$$((a_1, v_1), (b, w), (a_2, v_2))$$

such that, for some $a_1\,[b : g \hookrightarrow E\rangle_R\, a_2$,

$$[\![\Sigma;\Gamma\,\Phi(a_1)\,\Psi(b) \vdash g : \mathrm{Bool}]\!]_{(\delta,\ (\rho\,\Phi(a_1)\,v_1)\,\Psi(b)\,w)} = \mathit{true},$$

and for all $x_i \in \mathrm{Dom}(\Phi(a_2))$,

$$[\![\Sigma;\Gamma\,\Phi(a_1)\,\Psi(b) \vdash E(x_i) : \Phi(a_2)(x_i)]\!]_{(\delta,\ (\rho\,\Phi(a_1)\,v_1)\,\Psi(b)\,w)} = v_{2,i}$$

where $x_i$ is the i-th component of $\mathrm{Dom}(\Phi(a_2))$. □

Proposition 2. Suppose $S = (\Sigma, \Gamma, A, \Phi, B, \Psi, I, R)$ is an SLTS such that $A = \{1, \ldots, n\}$ and $B = \{1, \ldots, m\}$. Let

$$T = \sum_{i=1}^{n} \prod_{x \in \mathrm{Dom}(\Phi(i))} \Phi(i)(x) \qquad U = \sum_{j=1}^{m} \prod_{y \in \mathrm{Dom}(\Psi(j))} \Psi(j)(y)$$

For any class I of instantiations of $(\Sigma, \Gamma)$, we have that $(\Sigma, \Gamma, T, U, I, [\![S]\!])$ is a parametric family of LTSs. □

When restricted to EPC signatures with only unary uninterpreted predicates and to full classes of instantiations, Proposition 2 states that the semantics of any syntactically data independent SLTS is data independent according to the semantic definition in [15].

Example 3. The SLTS in Example 2 yields (up to isomorphism) the parametric family of LTSs in Example 1, for the class of all instantiations. □
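Definition 6 is mechanical enough to run. The following is an added example, not code from the paper: it encodes the SLTS of Example 2 (guards and assignments as Python functions of an environment rather than as λ-terms, a constructed encoding), computes $[\![S]\!]_{(\delta,\rho)}$ clause by clause for a constructed instantiation in which $\delta[\![X]\!] = \{d_1, d_2\}$, p holds only on $d_1$ and q holds on distinct pairs, and then applies the isomorphism of Example 3, which sends $(a_1, (u)) \mapsto (1, u)$, $(a_2, (v_1, v_2)) \mapsto (2, (v_1, v_2))$ and $(b, (w)) \mapsto w$, so that the result can be compared with what the formulas of Example 1 give for the same instantiation. All data variables are assumed to have type X, as they do in Example 2.

```python
from itertools import product

# The SLTS of Example 2. Phi(a) and Psi(b) are listed as the ordered domains
# of the type contexts; every variable has type X. Guards, initial conditions
# and assignment right-hand sides take an environment (the value map
# rho Phi(a1) v1 Psi(b) w of Definition 6) and return a Python bool / value.
EXAMPLE2 = {
    "A": ["a1", "a2"],
    "Phi": {"a1": ["x"], "a2": ["y1", "y2"]},
    "B": ["b"],
    "Psi": {"b": ["z"]},
    "I": [("a1", lambda env: env["p"](env["x"]))],                  # initial condition p x
    "R": [
        ("a1", "b", lambda env: env["p"](env["z"]),                 # guard p z
         {"y1": lambda env: env["z"], "y2": lambda env: env["x"]}, "a2"),
        ("a1", "b", lambda env: env["q"](env["x"], env["z"]),       # guard q x z
         {"y1": lambda env: env["x"], "y2": lambda env: env["z"]}, "a2"),
    ],
}


def semantics(S, X, rho):
    """[[S]]_(delta,rho) per Definition 6, for delta[[X]] = X.
    Returns the concrete (A, B, I, ->) as four frozensets."""
    def tuples(ctx):                       # [[Phi(a)]]_delta: all value tuples for ctx
        return list(product(X, repeat=len(ctx)))

    def extend(env, ctx, v):               # rho Gamma v of Notation 1
        return {**env, **dict(zip(ctx, v))}

    states = {(a, v) for a in S["A"] for v in tuples(S["Phi"][a])}
    labels = {(b, w) for b in S["B"] for w in tuples(S["Psi"][b])}
    initial = {(a, v) for (a, t) in S["I"] for v in tuples(S["Phi"][a])
               if t(extend(rho, S["Phi"][a], v))}
    trans = set()
    for (a1, b, g, E, a2) in S["R"]:
        for v1 in tuples(S["Phi"][a1]):
            for w in tuples(S["Psi"][b]):
                env = extend(extend(rho, S["Phi"][a1], v1), S["Psi"][b], w)
                if g(env):                 # the symbolic transition is enabled
                    v2 = tuple(E[x](env) for x in S["Phi"][a2])
                    trans.add(((a1, v1), (b, w), (a2, v2)))
    return frozenset(states), frozenset(labels), frozenset(initial), frozenset(trans)


def as_example1(sem):
    """The isomorphism of Example 3 onto the state/label shapes of Example 1."""
    def st(s):
        return (1, s[1][0]) if s[0] == "a1" else (2, s[1])
    states, labels, initial, trans = sem
    return (frozenset(map(st, states)),
            frozenset(w for (_, (w,)) in labels),
            frozenset(map(st, initial)),
            frozenset((st(s1), w, st(s2)) for (s1, (_, (w,)), s2) in trans))


# Constructed instantiation: two data values, p true only on d1, q on distinct pairs.
RHO = {"p": lambda u: u == "d1", "q": lambda u, w: u != w}
CONCRETE = as_example1(semantics(EXAMPLE2, {"d1", "d2"}, RHO))


if __name__ == "__main__":
    states, labels, initial, trans = CONCRETE
    print("initial:", sorted(initial, key=repr))
    for t in sorted(trans, key=repr):
        print("transition:", t)
```

The two symbolic transitions share source state and label, so for the pair $(x, z) = (d_1, d_2)$ the guard $q\,x\,z$ alone fires, for $(d_2, d_1)$ both fire, and the resulting four concrete transitions are exactly those the formula for $\to_{(\delta,\rho)}$ in Example 1 produces.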

5 Definability

This section contains the main result of the paper, namely that any parametric family of LTSs whose signature is EPC, whose types of states and transition labels are SP, and whose class of instantiations is full, is definable by an SLTS. In particular, this shows that the semantic definition of data independence in [15] is sufficiently strong. The SP assumption is equivalent to assuming absence of the function-type construct, which is done in the reduction theorems in [15]. Before the theorem, we present a proposition and a lemma which are used in its proof.

Proposition 3. For any parametric family of values $(\Sigma, \Gamma, T, I, v)$ such that $(\Sigma, \Gamma)$ is EPC, T is SP, and I is full, there exists a term $\Sigma;\Gamma \vdash s : T$ such that, for any $(\delta, \rho) \in I$, $[\![s]\!]_{(\delta,\rho)} = v_{(\delta,\rho)}$, and such that s is of the form

$$\mathbf{match}\ h\ \mathbf{with}\ \big\|_{i=1}^{H}\ \mathrm{in}_i(x) \Rightarrow \mathrm{in}^{T}_{R_i}(r_i)$$

where $H \in \mathbb{N}$, $\Sigma;\Gamma \vdash h : \mathrm{Enum}_H$ is a term, $T = \sum_{i=1}^{n} T_i$, and for each i, $R_i \in \{1, \ldots, n\}$ and $\Sigma;\Gamma_C \vdash r_i : T_{R_i}$

to the results of all possible applications of the equality predicates and the uninterpreted predicates to the uninterpreted constants. The subclasses have the property that two instantiations can be related by a relation map iff they belong to the same subclass.

The terms can be defined by letting H be the number of subclasses. Each $R_i$ and $r_i$ are defined by considering an instantiation from the corresponding subclass which, for any $X \in \Sigma$ without an equality predicate in $\Gamma_E$, instantiates any two uninterpreted constant components of type X by distinct values. □

Example 4. This example (due to Plotkin) shows that Proposition 3 cannot be extended straightforwardly to signatures which contain types such as $X \to X$. It is a parametric family of values which is not definable.

The signature consists of one type variable X, predicate $p : X \to \mathrm{Bool}$, operation $s : X \to X$, and constant $z : X$. The type of the family is Bool, and for any instantiation $(\delta, \rho)$ of the signature, the member $v_{(\delta,\rho)}$ is defined to be true iff, for all $n \in \mathbb{N}$, the result of applying n times $\rho[\![s]\!]$ to $\rho[\![z]\!]$ satisfies $\rho[\![p]\!]$. □

Terminology 2. We say that a family of sets is deterministic iff each set of the family is either the empty set or a singleton. □

Notation 2. We write $(\Sigma, \Gamma, T, I, N) \sqsubseteq (\Sigma', \Gamma', T', I', N')$ iff we have $\Sigma = \Sigma'$, $\Gamma = \Gamma'$, $T = T'$, $I = I'$, and $N_{(\delta,\rho)} \subseteq N'_{(\delta,\rho)}$ for all $(\delta, \rho) \in I$. We write $(\Sigma, \Gamma, T, I, N) \sqcup (\Sigma, \Gamma, T, I, N')$ for the family of sets $(\Sigma, \Gamma, T, I, M)$ where, for any $(\delta, \rho) \in I$, $M_{(\delta,\rho)} = N_{(\delta,\rho)} \cup N'_{(\delta,\rho)}$. □

Lemma 1. Given any parametric family of sets

$$\mathcal{N} = (\Sigma, \Gamma, T, I, N)$$

such that $(\Sigma, \Gamma)$ is EPC, T is SP, and I is full, there are parametric families of sets $\mathcal{M}_1, \ldots, \mathcal{M}_m$ such that:

(i) $\mathcal{M}_i \sqsubseteq \mathcal{N}$ for each i;
(ii) $\mathcal{M}_i$ is deterministic for each i;
(iii) given any parametric family of sets $\mathcal{M}'$ such that $\mathcal{M}' \sqsubseteq \mathcal{N}$ and $\mathcal{M}'$ is deterministic, it is equal to $\mathcal{M}_i$ for some i;
(iv) $\bigsqcup_{i=1}^{m} \mathcal{M}_i = \mathcal{N}$. □

The proof of Lemma 1 has similar structure to the proof of Proposition 3, which means that the definability of families of sets can be shown somewhat more directly than by combining the two results. However, Lemma 1 is of wider interest, since it shows that definability of parametric nondeterministic families can be reduced to definability of finitely many parametric deterministic families.

putation at symbolic state $a_1$ and symbolic label b. Its signature is $\Sigma = \{X\}$ and

$$\Gamma = \langle p : X \to \mathrm{Bool},\ q : (X \times X) \to \mathrm{Bool},\ x : X,\ z : X\rangle$$

The type of $\mathcal{N}$ is $X \times X$, and the class consists of all instantiations of $(\Sigma, \Gamma)$. For any $(\delta, \rho)$, $N_{(\delta,\rho)}$ is the set of all outcomes of the two symbolic transitions when p, q, x and z have the values given by $\rho$. If neither symbolic transition is enabled, $N_{(\delta,\rho)} = \{\}$. Similarly, we can let $\mathcal{M}_1$ and $\mathcal{M}_2$ be families of sets corresponding to the two symbolic transitions respectively.

Parametricity of these families of sets follows from parametricity of the family of LTSs. Also, $\mathcal{M}_1$ and $\mathcal{M}_2$ are deterministic, and $\mathcal{M}_1 \sqcup \mathcal{M}_2 = \mathcal{N}$. Therefore, $\mathcal{M}_1$ and $\mathcal{M}_2$ are two of the families corresponding to $\mathcal{N}$ in the statement of Lemma 1. There are others, e.g. the empty family. □

Theorem 1. For any parametric family of LTSs $(\Sigma, \Gamma, T, U, I, S)$ such that $(\Sigma, \Gamma)$ is EPC, T and U are SP, and I is full, there exists a finite SLTS $\mathbf{S}$ with the same signature and such that, for any $(\delta, \rho) \in I$, $[\![\mathbf{S}]\!]_{(\delta,\rho)} = S_{(\delta,\rho)}$.

Proof outline. Symbolic states and symbolic labels of $\mathbf{S}$ are defined to correspond to the sum components of T and U.

For each symbolic state a, the sets of initial states of $S_{(\delta,\rho)}$ restricted to a form a parametric family of predicates, so that Proposition 3 can be applied to obtain the initial condition at a.

For each symbolic state a and symbolic label b, the transitions of the concrete LTSs $S_{(\delta,\rho)}$ form a parametric family of sets whose type is T. Lemma 1 can be applied to this family to yield a finite number of deterministic families. Symbolic transitions of $\mathbf{S}$ are then obtained by applying Proposition 3 to families of values which correspond to the deterministic families of sets. □

Example 6. Theorem 1 applies to the family of LTSs in Example 1. We already saw that this family is definable (up to isomorphism) by the SLTS in Example 2. □

6 Conclusions

This paper answers negatively the question of whether there are any data independent families of LTSs [15] which do not arise as semantics of any syntactically data independent system. Thus we confirm that the semantic definition of data independence is suitable for reasoning about data independent systems without being tied to a particular syntax.

tions are extended to nondeterministic computation by means of bisimulation, they can be used to ensure that any parametric family is definable.

Future work should investigate definability of parametric families in settings where powerset types have first-class status [16, 11, 8].

Acknowledgements

We are grateful to Samson Abramsky, Brian Dunphy, Andrew Pitts, Gordon Plotkin, Uday Reddy, Bill Roscoe and Alex Simpson for useful discussions, and to the anonymous referees for their helpful comments.

References

1. M. Alimohamed. A characterization of lambda definability in categorical models of implicit polymorphism. Theoretical Computer Science, 146:5–23, 1995.
2. J. Bohn, W. Damm, O. Grumberg, H. Hungar, and K. Laster. First-order-CTL model checking. In Foundations of Software Technology and Theoretical Computer Science (FST&TCS'98), volume 1530 of Lecture Notes in Computer Science, pages 283–294. Springer-Verlag, 1998.
3. M. Calder and C. Shankland. A symbolic semantics and bisimulation for full LOTOS. In International Conference on Formal Description Techniques for Networked and Distributed Systems (FORTE'01), pages 184–200. Kluwer Academic Publishers, 2001.
4. K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley, 1988.
5. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
6. D. Dill, R. Hojati, and R. K. Brayton. Verifying linear temporal properties of data intensive controllers using finite instantiations. In Hardware Description Languages and their Applications (CHDL'97). Chapman and Hall, 1997.
7. M. Fiore and A. Simpson. Lambda definability with sums via Grothendieck logical relations. In Proceedings of the 4th International Conference on Typed Lambda Calculi and Applications (TLCA'99), volume 1581 of Lecture Notes in Computer Science, pages 147–161. Springer-Verlag, 1999.
8. J. Goubault-Larrecq, S. Lasota, and D. Nowak. Logical relations for monadic types. In Proceedings of the 11th Annual Conference of the European Association for Computer Science Logic (CSL'02), volume 2471 of Lecture Notes in Computer Science, pages 553–568. Springer-Verlag, 2002.
9. M. Hennessy and H. Lin. Symbolic bisimulations. Theoretical Computer Science, 138(2):353–389, 1995.
10. C. N. Ip and D. L. Dill. Better verification through symmetry. Formal Methods in System Design: An International Journal, 9(1/2):41–75, 1996.

non-ings of the 1st International Conference on Typed Lambda Calculi and Applications (TLCA'93), volume 664 of Lecture Notes in Computer Science, pages 245–257. Springer-Verlag, 1993.
14. R. Lazić. A Semantic Study of Data Independence with Applications to Model Checking. DPhil thesis, Oxford University Computing Laboratory, 1999.
15. R. Lazić and D. Nowak. A unifying approach to data-independence. In Proceedings of the 11th International Conference on Concurrency Theory (CONCUR 2000), volume 1877 of Lecture Notes in Computer Science, pages 581–595. Springer-Verlag, 2000.
16. T. Nipkow. Non-deterministic data types: models and implementations. Acta Informatica, 22(6):629–661, 1986.
17. G. D. Plotkin. Lambda-definability in the full type hierarchy. In To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 363–373. Academic Press, 1980.
18. S. Qadeer. Verifying sequential consistency on shared-memory multiprocessors by model checking. Research Report 176, Compaq, 2001.
19. R. Hojati and R. K. Brayton. Automatic datapath abstraction in hardware systems. In Proceedings of the 7th International Conference On Computer Aided Verification, volume 939 of Lecture Notes in Computer Science, pages 98–113. Springer-Verlag, 1995.
20. J. C. Reynolds. Types, abstraction and parametric polymorphism. In Proceedings of the 9th IFIP World Computer Congress (IFIP'83), pages 513–523. North-Holland, 1983.
21. A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers by data independence techniques. Journal of Computer Security, Special Issue on the 11th IEEE Computer Security Foundations Workshop (CSFW11), pages 147–190, 1999.
22. P. Wolper. Expressing interesting properties of programs in propositional temporal logic. In Conference Record of the 13th Annual ACM Symposium on Principles of Programming Languages, pages 184–193. ACM, 1986.

A Proofs

Proof (Proposition 2). Suppose

– $(\delta, \rho)$ and $(\delta', \rho')$ are two instantiations from I,
– $(\gamma, \delta, \delta')$ is a relation map such that

$$\forall x \in \mathrm{Dom}(\Gamma).\ \rho[\![x]\!]\ [\![\Gamma(x)]\!]_{(\gamma,\delta,\delta')}\ \rho'[\![x]\!]$$

– $S_{(\delta,\rho)} = (\mathcal{A}, \mathcal{B}, \mathcal{I}, \to)$ and $S_{(\delta',\rho')} = (\mathcal{A}', \mathcal{B}', \mathcal{I}', \to')$.

In order to prove that $(\Sigma, \Gamma, T, U, I, [\![S]\!])$ is parametric, we have to prove that $[\![T]\!]_{(\gamma,\delta,\delta')}$ is a universal partial $[\![U]\!]_{(\gamma,\delta,\delta')}$-bisimulation between $S_{(\delta,\rho)}$ and $S_{(\delta',\rho')}$:

– Let $(i, v) \in \mathcal{A}$ and $(i', v') \in \mathcal{A}'$ be states related by $[\![T]\!]_{(\gamma,\delta,\delta')}$. Then $i = i'$

that $(i, t) \in I$ and

$$[\![\Sigma;\Gamma\,\Phi(i) \vdash t : \mathrm{Bool}]\!]_{(\delta,\ \rho\,\Phi(i)\,v)} = \mathit{true}$$

By Proposition 1, we have

$$[\![\Sigma;\Gamma\,\Phi(i) \vdash t : \mathrm{Bool}]\!]_{(\delta',\ \rho'\,\Phi(i)\,v')} = \mathit{true}$$

so that $(i, v') \in \mathcal{I}'$. In the same way, $(i, v') \in \mathcal{I}'$ implies $(i, v) \in \mathcal{I}$.

– Let $(i_1, v_1) \in \mathcal{A}$ and $(i'_1, v'_1) \in \mathcal{A}'$ be states related by $[\![T]\!]_{(\gamma,\delta,\delta')}$, and let $(j, w) \in \mathcal{B}$ and $(j', w') \in \mathcal{B}'$ be transition labels related by $[\![U]\!]_{(\gamma,\delta,\delta')}$. Then $i_1 = i'_1$ and $j = j'$. Suppose $(i_1, v_1) \xrightarrow{(j, w)} (i_2, v_2)$. By Definition 6, there exist a guard g and an assignment E such that $(i_1, j, g, E, i_2) \in R$ and

$$[\![\Sigma;\Gamma\,\Phi(i_1)\,\Psi(j) \vdash g : \mathrm{Bool}]\!]_{(\delta,\ (\rho\,\Phi(i_1)\,v_1)\,\Psi(j)\,w)} = \mathit{true}$$

and, for any $x_k \in \mathrm{Dom}(\Phi(i_2))$,

$$[\![\Sigma;\Gamma\,\Phi(i_1)\,\Psi(j) \vdash E(x_k) : \Phi(i_2)(x_k)]\!]_{(\delta,\ (\rho\,\Phi(i_1)\,v_1)\,\Psi(j)\,w)} = v_{2,k}$$

where $x_k$ is the k-th component of $\mathrm{Dom}(\Phi(i_2))$. Letting $v'_2$ be the tuple defined by

$$[\![\Sigma;\Gamma\,\Phi(i_1)\,\Psi(j) \vdash E(x_k) : \Phi(i_2)(x_k)]\!]_{(\delta',\ (\rho'\,\Phi(i_1)\,v'_1)\,\Psi(j)\,w')} = v'_{2,k}$$

it follows by Proposition 1 that $(i_2, v_2)\ [\![T]\!]_{(\gamma,\delta,\delta')}\ (i_2, v'_2)$ and $(i_1, v'_1) \xrightarrow{(j, w')}{}' (i_2, v'_2)$.

In the same way, whenever $(i_1, v'_1) \xrightarrow{(j, w')}{}' (i'_2, v'_2)$, there exists $v_2$ such that $(i'_2, v_2)\ [\![T]\!]_{(\gamma,\delta,\delta')}\ (i'_2, v'_2)$ and $(i_1, v_1) \xrightarrow{(j, w)} (i'_2, v_2)$. □

Proof (Proposition 3). Without loss of generality, we can assume $\Gamma_C$ is of the form $\langle \zeta^i_j : Z_i \mid i = 1, \ldots, l \wedge j = 1, \ldots, l'_i\rangle$ where the $Z_i$ are mutually distinct and $\Sigma = \{Z_1, \ldots, Z_l\}$. Let us say that two instantiations $(\delta, \rho)$ and $(\delta', \rho')$ in I are related by $\mathcal{R}$ iff they are related by some relation map $(\gamma, \delta, \delta')$. It is straightforward to check that $\mathcal{R}$ is an equivalence relation.

Let $\overline{I}$ be the set of all $(\delta, \rho) \in I$ such that:

– if there is an equality predicate on $Z_i$ in $\Gamma_E$, then $\delta[\![Z_i]\!]$ is the set of equivalence classes of an equivalence relation on $\{\zeta^i_j \mid j = 1, \ldots, l'_i\}$

– otherwise, $\delta[\![Z_i]\!] = \{\{\zeta^i_j\} \mid j = 1, \ldots, l'_i\}$;
– for any $p \in \mathrm{Dom}(\Gamma_P)$, $\rho[\![p]\!]$ is arbitrary;
– $\rho[\![\zeta^i_j]\!]$ is the equivalence class of $\zeta^i_j$.

It is routine to show that any equivalence class of $\mathcal{R}$ contains exactly one member of $\overline{I}$.

Since $\overline{I}$ is a finite set, let H be its cardinality, and let f be a bijection from $\{1, \ldots, H\}$ to $\overline{I}$. It is straightforward to define a term $\Sigma;\Gamma \vdash h : \mathrm{Enum}_H$ such that, for any $(\delta, \rho) \in I$ and $i \in \{1, \ldots, H\}$,

$$[\![h]\!]_{(\delta,\rho)} = (i, ()) \iff (\delta, \rho)\ \mathcal{R}\ f(i)$$

For any $i \in \{1, \ldots, H\}$, let $(R_i, (w^i_1, \ldots, w^i_{n'_{R_i}})) = v_{f(i)}$ and define $r_i$ as $\langle d^i_1, \ldots, d^i_{n'_{R_i}}\rangle$, where $d^i_j \in w^i_j$ for all j.

We have now defined H, h, and for each $i \in \{1, \ldots, H\}$, $R_i$ and $r_i$, which provides a definition of s. Given $(\delta, \rho)$ in I, by considering $i \in \{1, \ldots, H\}$ such that $(\delta, \rho)\ \mathcal{R}\ f(i)$, it follows that $[\![s]\!]_{(\delta,\rho)} = v_{(\delta,\rho)}$. □

Proof (Lemma 1). Let us fix notation for components of T by

$$T = \sum_{i=1}^{n} \prod_{j=1}^{n'_i} X_{i,j}$$

We use the same assumption about $\Gamma_C$ as in the proof of Proposition 3, without loss of generality.

We define $\mathcal{R}$, $\overline{I}$, H and f as in the proof of Proposition 3. For any $i \in \{1, \ldots, H\}$, $N_{f(i)}$ is of the form

$$\{(R_{i,j}, (w^{i,j}_1, \ldots, w^{i,j}_{n'_{R_{i,j}}})) \mid j \in \{1, \ldots, H'_i\}\}$$

Let G be the set of all maps g on $\{1, \ldots, H\}$ such that, for any i, $g(i) \in \{0, 1, \ldots, H'_i\}$.

We define m as the cardinality of G, and for any $g \in G$, we define $\mathcal{M}^g$ as follows. Suppose $(\delta, \rho) \in I$, let $i \in \{1, \ldots, H\}$ be such that $(\delta, \rho)\ \mathcal{R}\ f(i)$, and let

$$\gamma[\![X]\!] = \{(\rho[\![\zeta]\!], \rho'[\![\zeta]\!]) \mid (\zeta : X) \in \Gamma_C\}$$

where $(\delta', \rho') = f(i)$. Then $(\delta, \rho)$ and $(\delta', \rho')$ are related by $(\gamma, \delta, \delta')$. We define

$$M^g_{(\delta,\rho)} = \begin{cases} \{\}, & \text{if } g(i) = 0 \\ \{(R_{i,g(i)}, (u^{i,g(i)}_1, \ldots, u^{i,g(i)}_{n'_{R_{i,g(i)}}}))\}, & \text{if } g(i) \neq 0 \end{cases}$$

where the $u^{i,g(i)}_k$ are uniquely determined by $u^{i,g(i)}_k\ [\![X_{R_{i,g(i)},k}]\!]_{(\gamma,\delta,\delta')}\ w^{i,g(i)}_k$. It is straightforward to check that each $\mathcal{M}^g = (\Sigma, \Gamma, T, I, M^g)$

$$T = \sum_{i=1}^{n} \prod_{j=1}^{n'_i} X_{i,j} \qquad U = \sum_{i=1}^{m} \prod_{j=1}^{m'_i} Y_{i,j}$$

$$S_{(\delta,\rho)} = ([\![T]\!]_\delta, [\![U]\!]_\delta, I_{(\delta,\rho)}, \to_{(\delta,\rho)})$$

We define an SLTS

$$\mathbf{S} = (\Sigma, \Gamma, A, \Phi, B, \Psi, I, R)$$

as follows.

$$A = \{1, \ldots, n\} \qquad \Phi(i) = \langle x_{i,j} : X_{i,j} \mid j = 1, \ldots, n'_i\rangle$$
$$B = \{1, \ldots, m\} \qquad \Psi(i) = \langle y_{i,j} : Y_{i,j} \mid j = 1, \ldots, m'_i\rangle$$

where the $x_{i,j}$ and $y_{i,j}$ do not appear in $\Gamma$. Suppose $i \in A$. Let

$$\mathcal{V} = (\Sigma, \Gamma\,\Phi(i), \mathrm{Bool}, J, v)$$

be the family of values such that J is full and

$$v_{(\delta,\rho)} = \begin{cases} \mathit{true}, & \text{if } (i, \rho(\Phi(i))) \in I_{(\delta,\ \rho|_\Gamma)} \\ \mathit{false}, & \text{otherwise} \end{cases}$$

Then $\mathcal{V}$ is parametric, so Proposition 3 gives us a term $\Sigma;\Gamma\,\Phi(i) \vdash t_i : \mathrm{Bool}$ such that $[\![t_i]\!]_{(\delta,\rho)} = v_{(\delta,\rho)}$ for all $(\delta, \rho) \in J$. We define $I = \{(i, t_i) \mid i \in A\}$.

Suppose $i \in A$ and $j \in B$. Let

$$\mathcal{N} = (\Sigma, \Gamma\,\Phi(i)\,\Psi(j), T, K, N)$$

be the family of sets such that K is full and

$$N_{(\delta,\rho)} = \{a \mid (i, \rho(\Phi(i))) \xrightarrow{(j, \rho(\Psi(j)))}_{(\delta,\ \rho|_\Gamma)} a\}$$

Then $\mathcal{N}$ is parametric, so we can apply Lemma 1 to obtain $\mathcal{M}_1, \ldots, \mathcal{M}_G$

$$w_{(\delta,\rho)} = \begin{cases} a, & \text{if } M^k_{(\delta,\rho)} = \{a\} \\ (n + 1, ()), & \text{if } M^k_{(\delta,\rho)} = \{\} \end{cases}$$

$\mathcal{W}$ is parametric by parametricity of $\mathcal{M}^k$, so Proposition 3 gives us a term

$$\Sigma;\Gamma\,\Phi(i)\,\Psi(j) \vdash s : T + \mathrm{Unit}$$

which defines $\mathcal{W}$ and which is of the form

$$\mathbf{match}\ h\ \mathbf{with}\ \big\|_{l=1}^{H}\ \mathrm{in}_l(x) \Rightarrow \mathrm{in}^{T + \mathrm{Unit}}_{R_l}(r_l)$$

For any $l \in \{1, \ldots, H\}$ such that $R_l \in \{1, \ldots, n\}$, let

$$g_{i,j,k,l} = \mathbf{if}\ h = l\ \mathbf{then}\ \mathit{true}\ \mathbf{else}\ \mathit{false}$$
$$E_{i,j,k,l}(x_{R_l, j'}) = \pi_{j'}(r_l)$$
$$i'_{i,j,k,l} = R_l$$

R is defined to be the set of all $(i, j, g_{i,j,k,l}, E_{i,j,k,l}, i'_{i,j,k,l})$ as above. It is routine to check that, for any $(\delta, \rho) \in I$, $[\![\mathbf{S}]\!]_{(\delta,\rho)} = S_{(\delta,\rho)}$
